@sphereon/ssi-sdk-ext.identifier-resolution 0.24.1-next.84

package/src/agent/IdentifierResolution.ts

@@ -0,0 +1,92 @@
+import { IAgentContext, IAgentPlugin, IDIDManager, IKeyManager } from '@veramo/core'
+import { schema } from '..'
+import { getManagedIdentifier, resolveExternalIdentifier } from '../functions'
+import {
+  ExternalIdentifierDidOpts,
+  ExternalIdentifierDidResult,
+  ExternalIdentifierOpts,
+  ExternalIdentifierResult,
+  ExternalIdentifierX5cOpts,
+  ExternalIdentifierX5cResult,
+  IIdentifierResolution,
+  ManagedIdentifierDidOpts,
+  ManagedIdentifierDidResult,
+  ManagedIdentifierJwkOpts,
+  ManagedIdentifierJwkResult,
+  ManagedIdentifierKidOpts,
+  ManagedIdentifierKidResult,
+  ManagedIdentifierOpts,
+  ManagedIdentifierResult,
+  ManagedIdentifierX5cOpts,
+  ManagedIdentifierX5cResult,
+} from '../types'
+
+/**
+ * @public
+ */
+export class IdentifierResolution implements IAgentPlugin {
+  private readonly _crypto: Crypto
+
+  readonly schema = schema.IMnemonicInfoGenerator
+  readonly methods: IIdentifierResolution = {
+    identifierManagedGet: this.identifierGetManaged.bind(this),
+    identifierManagedGetByDid: this.identifierGetManagedByDid.bind(this),
+    identifierManagedGetByKid: this.identifierGetManagedByKid.bind(this),
+    identifierManagedGetByJwk: this.identifierGetManagedByJwk.bind(this),
+    identifierManagedGetByX5c: this.identifierGetManagedByX5c.bind(this),
+
+    identifierExternalResolve: this.identifierResolveExternal.bind(this),
+    identifierExternalResolveByDid: this.identifierExternalResolveByDid.bind(this),
+    identifierExternalResolveByX5c: this.identifierExternalResolveByX5c.bind(this),
+
+    // todo: JWKSet, oidc-discovery, oid4vci-issuer etc. Anything we already can resolve and need keys of
+  }
+
+  /**
+   * TODO: Add a cache, as we are retrieving the same keys/info quite often
+   */
+  constructor(opts?: { crypto?: Crypto }) {
+    this._crypto = opts?.crypto ?? global.crypto
+  }
+
+  /**
+   * Main method for managed identifiers. We always go through this method (also the others) as we want to integrate a plugin for anomaly detection. Having a single method helps
+   * @param args
+   * @param context
+   * @private
+   */
+  private async identifierGetManaged(args: ManagedIdentifierOpts, context: IAgentContext<IKeyManager>): Promise<ManagedIdentifierResult> {
+    return await getManagedIdentifier({ ...args, crypto: this._crypto }, context)
+  }
+
+  private async identifierGetManagedByDid(
+    args: ManagedIdentifierDidOpts,
+    context: IAgentContext<IKeyManager & IDIDManager>
+  ): Promise<ManagedIdentifierDidResult> {
+    return (await this.identifierGetManaged({ ...args, method: 'did' }, context)) as ManagedIdentifierDidResult
+  }
+
+  private async identifierGetManagedByKid(args: ManagedIdentifierKidOpts, context: IAgentContext<IKeyManager>): Promise<ManagedIdentifierKidResult> {
+    return (await this.identifierGetManaged({ ...args, method: 'kid' }, context)) as ManagedIdentifierKidResult
+  }
+
+  private async identifierGetManagedByJwk(args: ManagedIdentifierJwkOpts, context: IAgentContext<IKeyManager>): Promise<ManagedIdentifierJwkResult> {
+    return (await this.identifierGetManaged({ ...args, method: 'jwk' }, context)) as ManagedIdentifierJwkResult
+  }
+
+  private async identifierGetManagedByX5c(args: ManagedIdentifierX5cOpts, context: IAgentContext<IKeyManager>): Promise<ManagedIdentifierX5cResult> {
+    return (await this.identifierGetManaged({ ...args, method: 'x5c' }, context)) as ManagedIdentifierX5cResult
+  }
+
+  private async identifierResolveExternal(args: ExternalIdentifierOpts, context: IAgentContext<IKeyManager>): Promise<ExternalIdentifierResult> {
+    return await resolveExternalIdentifier({ ...args, crypto: this._crypto }, context)
+  }
+
+  private async identifierExternalResolveByDid(args: ExternalIdentifierDidOpts, context: IAgentContext<any>): Promise<ExternalIdentifierDidResult> {
+    return (await this.identifierResolveExternal({ ...args, method: 'did' }, context)) as ExternalIdentifierDidResult
+  }
+
+  private async identifierExternalResolveByX5c(args: ExternalIdentifierX5cOpts, context: IAgentContext<any>): Promise<ExternalIdentifierX5cResult> {
+    return (await this.identifierResolveExternal({ ...args, method: 'x5c' }, context)) as ExternalIdentifierX5cResult
+  }
+}

package/src/functions/externalIdentifierFunctions.ts

@@ -0,0 +1,183 @@
+import { didDocumentToJwks, getAgentResolver } from '@sphereon/ssi-sdk-ext.did-utils'
+import { calculateJwkThumbprint, JWK } from '@sphereon/ssi-sdk-ext.key-utils'
+import {
+  getSubjectDN,
+  pemOrDerToX509Certificate,
+  PEMToDer,
+  validateX509CertificateChain,
+  X509ValidationResult,
+} from '@sphereon/ssi-sdk-ext.x509-utils'
+import { contextHasPlugin } from '@sphereon/ssi-sdk.agent-config'
+import { IParsedDID, parseDid } from '@sphereon/ssi-types'
+import { IAgentContext, IDIDManager, IResolver } from '@veramo/core'
+import { isDefined } from '@veramo/utils'
+import { CryptoEngine, setEngine } from 'pkijs'
+import {
+  ExternalIdentifierDidOpts,
+  ExternalIdentifierDidResult,
+  ExternalIdentifierMethod,
+  ExternalIdentifierOpts,
+  ExternalIdentifierResult,
+  ExternalIdentifierX5cOpts,
+  ExternalIdentifierX5cResult,
+  ExternalJwkInfo,
+  isExternalIdentifierDidOpts,
+  isExternalIdentifierJwksUrlOpts,
+  isExternalIdentifierKidOpts,
+  isExternalIdentifierOidcDiscoveryOpts,
+  isExternalIdentifierX5cOpts,
+} from '../types'
+
+export async function resolveExternalIdentifier(
+  opts: ExternalIdentifierOpts & {
+    crypto?: Crypto
+  },
+  context: IAgentContext<any>
+): Promise<ExternalIdentifierResult> {
+  let method: ExternalIdentifierMethod | undefined
+  if (isExternalIdentifierDidOpts(opts)) {
+    return resolveExternalDidIdentifier(opts, context)
+  } else if (isExternalIdentifierX5cOpts(opts)) {
+    return resolveExternalX5cIdentifier(opts, context)
+  } else if (isExternalIdentifierKidOpts(opts)) {
+    method = 'kid'
+  } else if (isExternalIdentifierJwksUrlOpts(opts)) {
+    method = 'jwks-url'
+  } else if (isExternalIdentifierOidcDiscoveryOpts(opts)) {
+    method = 'oidc-discovery'
+  }
+  throw Error(`External resolution method ${method} is not yet implemented`)
+}
+
+export async function resolveExternalX5cIdentifier(
+  opts: ExternalIdentifierX5cOpts & {
+    crypto?: Crypto
+  },
+  context: IAgentContext<IResolver & IDIDManager>
+): Promise<ExternalIdentifierX5cResult> {
+  if (!isExternalIdentifierX5cOpts(opts)) {
+    return Promise.reject('External x5c Identifier args need to be provided')
+  }
+  const verify = opts.verify ?? true
+  const x5c = opts.identifier.map((derOrPem) => (derOrPem.includes('CERTIFICATE') ? PEMToDer(derOrPem) : derOrPem))
+  if (x5c.length === 0) {
+    return Promise.reject('Empty certification chain is now allowed')
+  }
+  const certificates = x5c.map(pemOrDerToX509Certificate)
+
+  let verificationResult: X509ValidationResult | undefined
+  let issuerJWK: JWK | undefined
+  let jwks: ExternalJwkInfo[] = []
+
+  if (verify) {
+    // We use the agent plugin if it is available as that is more powerful, but revert to the function otherwise
+    if (contextHasPlugin(context, 'verifyCertificateChain')) {
+      verificationResult = (await context.agent.verifyCertificateChain({
+        chain: opts.identifier,
+        trustAnchors: opts.trustAnchors ?? [],
+        verificationTime: opts.verificationTime,
+      })) as X509ValidationResult // We need to cast, as we know this is the value and we do not want to rely on the x509 plugin perse
+    } else {
+      verificationResult = await validateX509CertificateChain({
+        chain: opts.identifier,
+        trustAnchors: opts.trustAnchors ?? [],
+        verificationTime: opts.verificationTime,
+      })
+    }
+    if (verificationResult.certificateChain) {
+      jwks = verificationResult.certificateChain.map((cert) => {
+        return {
+          jwk: cert.publicKeyJWK,
+          kid: cert.subject.dn.DN,
+          jwkThumbprint: calculateJwkThumbprint({ jwk: cert.publicKeyJWK }),
+        } satisfies ExternalJwkInfo
+      })
+    }
+  }
+  if (!jwks || jwks.length === 0) {
+    const cryptoEngine = new CryptoEngine({
+      name: 'identifier_resolver_external',
+      crypto: opts.crypto ?? global.crypto,
+    })
+    setEngine(cryptoEngine.name, cryptoEngine)
+    jwks = await Promise.all(
+      certificates.map(async (cert) => {
+        const pk = await cert.getPublicKey(undefined, cryptoEngine)
+        const jwk = (await cryptoEngine.exportKey('jwk', pk)) as JWK
+        return {
+          jwk,
+          kid: getSubjectDN(cert).DN,
+          jwkThumbprint: calculateJwkThumbprint({ jwk }),
+        } satisfies ExternalJwkInfo
+      })
+    )
+  }
+  if (jwks.length === 0) {
+    return Promise.reject('Empty certification chain is now allowed')
+  }
+  if (!issuerJWK) {
+    issuerJWK = jwks[0].jwk
+  }
+
+  return {
+    method: 'x5c',
+    verificationResult,
+    issuerJWK,
+    jwks,
+    certificates,
+    x5c,
+  }
+}
+
+export async function resolveExternalDidIdentifier(
+  opts: ExternalIdentifierDidOpts,
+  context: IAgentContext<IResolver & IDIDManager>
+): Promise<ExternalIdentifierDidResult> {
+  if (!isExternalIdentifierDidOpts(opts)) {
+    return Promise.reject('External DID Identifier args need to be provided')
+  } else if (!contextHasPlugin<IResolver & IDIDManager>(context, 'resolveDid')) {
+    return Promise.reject(Error(`Cannot get external DID identifier if DID resolver plugin is not enabled!`))
+  }
+  const { uniresolverResolution = false, localResolution = true, resolverResolution = true } = opts
+  const did = opts.identifier
+  let parsed: IParsedDID
+  try {
+    parsed = parseDid(did)
+  } catch (error: unknown) {
+    // Error from did resolution spec
+    return Promise.reject(error)
+  }
+  const didParsed = parsed
+  const didResolutionResult = await getAgentResolver(context, {
+    uniresolverResolution,
+    localResolution,
+    resolverResolution,
+  }).resolve(did)
+  const didDocument = didResolutionResult.didDocument ?? undefined
+  const didJwks = didDocument ? didDocumentToJwks(didDocument) : undefined
+  const jwks = didJwks
+    ? Array.from(
+        new Set(
+          Object.values(didJwks)
+            .filter((jwks) => isDefined(jwks) && jwks.length > 0)
+            .flatMap((jwks) => jwks)
+        )
+      ).map((jwk) => {
+        return { jwk, jwkThumbprint: calculateJwkThumbprint({ jwk }), kid: jwk.kid }
+      })
+    : []
+
+  if (didResolutionResult?.didDocument) {
+    // @ts-ignore // Mandatory on the original object, but we already provide it directly
+    delete didResolutionResult['didDocument']
+  }
+  return {
+    method: 'did',
+    did,
+    jwks,
+    didJwks,
+    didDocument,
+    didResolutionResult,
+    didParsed,
+  }
+}

package/src/functions/index.ts

@@ -0,0 +1,53 @@
+import { IIdentifier } from '@veramo/core'
+import { ManagedIdentifierDidOpts, ManagedIdentifierOpts } from '../types'
+
+export * from './managedIdentifierFunctions'
+export * from './externalIdentifierFunctions'
+
+/**
+ * Converts legacy id opts key refs to the new ManagedIdentifierOpts
+ * @param opts
+ */
+export function legacyKeyRefsToIdentifierOpts(opts: {
+  idOpts?: ManagedIdentifierOpts
+  iss?: string
+  keyRef?: string
+  didOpts?: any
+}): ManagedIdentifierOpts {
+  if (!opts.idOpts) {
+    console.warn(
+      `Legacy idOpts being used. Support will be dropped in the future. Consider switching to the idOpts, to have support for DIDs, JWKS, x5c etc. See https://github.com/Sphereon-Opensource/SSI-SDK-crypto-extensions/tree/feature/multi_identifier_support/packages/identifier-resolution`
+    )
+    // legacy way
+    let kmsKeyRef =
+      opts.keyRef ??
+      opts.didOpts?.idOpts?.kmsKeyRef ??
+      (typeof opts.didOpts?.idOpts.identifier === 'object' ? (opts.didOpts?.idOpts.identifier as IIdentifier).keys[0].kid : undefined)
+    if (!kmsKeyRef) {
+      throw Error('Key ref is needed for access token signer')
+    }
+    return {
+      kmsKeyRef: opts.keyRef ?? kmsKeyRef,
+      identifier: kmsKeyRef,
+      issuer: opts.iss,
+    } satisfies ManagedIdentifierDidOpts
+  } else {
+    const idOpts = opts.idOpts
+    if (opts.keyRef && !idOpts.kmsKeyRef) {
+      // legacy way
+      console.warn(
+        `Legacy keyRef being used. Support will be dropped in the future. Consider switching to the idOpts, to have support for DIDs, JWKS, x5c etc. See https://github.com/Sphereon-Opensource/SSI-SDK-crypto-extensions/tree/feature/multi_identifier_support/packages/identifier-resolution`
+      )
+      idOpts.kmsKeyRef = opts.keyRef
+    }
+    if (opts.iss && !idOpts.issuer) {
+      // legacy way
+      console.warn(
+        `Legacy iss being used. Support will be dropped in the future. Consider switching to the idOpts, to have support for DIDs, JWKS, x5c etc. See https://github.com/Sphereon-Opensource/SSI-SDK-crypto-extensions/tree/feature/multi_identifier_support/packages/identifier-resolution`
+      )
+      idOpts.issuer = opts.iss
+    }
+
+    return idOpts
+  }
+}

package/src/functions/managedIdentifierFunctions.ts

@@ -0,0 +1,178 @@
+import { getFirstKeyWithRelation } from '@sphereon/ssi-sdk-ext.did-utils'
+import { calculateJwkThumbprint, JWK, toJwk } from '@sphereon/ssi-sdk-ext.key-utils'
+import { pemOrDerToX509Certificate } from '@sphereon/ssi-sdk-ext.x509-utils'
+import { contextHasDidManager, contextHasKeyManager } from '@sphereon/ssi-sdk.agent-config'
+import { IAgentContext, IIdentifier, IKeyManager } from '@veramo/core'
+import { CryptoEngine, setEngine } from 'pkijs'
+import {
+  isManagedIdentifierDidOpts,
+  isManagedIdentifierDidResult,
+  isManagedIdentifierJwkOpts,
+  isManagedIdentifierKidOpts,
+  isManagedIdentifierX5cOpts,
+  ManagedIdentifierDidOpts,
+  ManagedIdentifierDidResult,
+  ManagedIdentifierJwkOpts,
+  ManagedIdentifierJwkResult,
+  ManagedIdentifierKidOpts,
+  ManagedIdentifierKidResult,
+  ManagedIdentifierOpts,
+  ManagedIdentifierResult,
+  ManagedIdentifierX5cOpts,
+  ManagedIdentifierX5cResult,
+} from '../types'
+
+export async function getManagedKidIdentifier(
+  opts: ManagedIdentifierKidOpts,
+  context: IAgentContext<IKeyManager>
+): Promise<ManagedIdentifierKidResult> {
+  const method = 'kid'
+  if (!contextHasKeyManager(context)) {
+    return Promise.reject(Error(`Cannot get Key/JWK identifier if KeyManager plugin is not enabled!`))
+  }
+  const key = await context.agent.keyManagerGet({ kid: opts.kmsKeyRef ?? opts.identifier })
+  const jwk = toJwk(key.publicKeyHex, key.type, { key })
+  const jwkThumbprint = (key.meta?.jwkThumbprint as string) ?? calculateJwkThumbprint({ jwk })
+  const kid = opts.kid ?? (key.meta?.verificationMethod?.id as string) ?? jwkThumbprint
+  const issuer = opts.issuer ?? kid // The different identifiers should set the value. Defaults to the kid
+  return {
+    method,
+    key,
+    jwk,
+    jwkThumbprint,
+    kid,
+    issuer,
+    kmsKeyRef: key.kid,
+  } satisfies ManagedIdentifierKidResult
+}
+
+export async function getManagedDidIdentifier(opts: ManagedIdentifierDidOpts, context: IAgentContext<any>): Promise<ManagedIdentifierDidResult> {
+  const method = 'did'
+  if (!contextHasDidManager(context)) {
+    return Promise.reject(Error(`Cannot get DID identifier if DID Manager plugin is not enabled!`))
+  }
+
+  let identifier: IIdentifier
+  if (typeof opts.identifier === 'string') {
+    identifier = await context.agent.didManagerGet({ did: opts.identifier.split('#')[0] })
+  } else {
+    identifier = opts.identifier
+  }
+
+  const did = identifier.did
+  const keys = identifier?.keys // fixme: We really want to return the vmRelationship keys here actually
+  const extendedKey = await getFirstKeyWithRelation(
+    {
+      ...opts,
+      identifier,
+      vmRelationship: opts.vmRelationship ?? 'verificationMethod',
+    },
+    context
+  )
+  const key = extendedKey
+  const controllerKeyId = identifier.controllerKeyId
+  const jwk = toJwk(key.publicKeyHex, key.type, { key })
+  const jwkThumbprint = key.meta?.jwkThumbprint ?? calculateJwkThumbprint({ jwk })
+  const kid = opts.kid ?? extendedKey.meta?.verificationMethod?.id
+  const issuer = opts.issuer ?? did
+  return {
+    method,
+    key,
+    did,
+    kmsKeyRef: key.kid,
+    jwk,
+    jwkThumbprint,
+    controllerKeyId,
+    kid,
+    keys,
+    issuer,
+    identifier,
+  }
+}
+
+export async function getManagedJwkIdentifier(
+  opts: ManagedIdentifierJwkOpts,
+  context: IAgentContext<IKeyManager>
+): Promise<ManagedIdentifierJwkResult> {
+  const method = 'jwk'
+  const { kid, issuer } = opts
+  if (!contextHasKeyManager(context)) {
+    return Promise.reject(Error(`Cannot get Key/JWK identifier if KeyManager plugin is not enabled!`))
+  }
+  const key = await context.agent.keyManagerGet({ kid: opts.kmsKeyRef ?? calculateJwkThumbprint({ jwk: opts.identifier }) })
+  const jwk = opts.identifier ?? toJwk(key.publicKeyHex, key.type, { key })
+  const jwkThumbprint = (key.meta?.jwkThumbprint as string) ?? calculateJwkThumbprint({ jwk })
+  // we explicitly do not set the kid and issuer, meaning it can remain null. Normally you do not provide a kid and issuer with Jwks.
+  return {
+    method,
+    key,
+    kmsKeyRef: key.kid,
+    jwk,
+    jwkThumbprint,
+    kid,
+    issuer,
+  } satisfies ManagedIdentifierJwkResult
+}
+
+export async function getManagedX5cIdentifier(
+  opts: ManagedIdentifierX5cOpts & {
+    crypto?: Crypto
+  },
+  context: IAgentContext<IKeyManager>
+): Promise<ManagedIdentifierX5cResult> {
+  const { kid, issuer } = opts
+  const method = 'x5c'
+  const x5c = opts.identifier
+  if (x5c.length === 0) {
+    return Promise.reject(`Cannot resolve x5c when an empty x5c is passed in`)
+  } else if (!contextHasKeyManager(context)) {
+    return Promise.reject(Error(`Cannot get X5c identifier if KeyManager plugin is not enabled!`))
+  }
+  const cryptoImpl = opts.crypto ?? crypto
+  const certificate = pemOrDerToX509Certificate(x5c[0])
+  const cryptoEngine = new CryptoEngine({ name: 'identifier_resolver_managed', crypto: cryptoImpl })
+  setEngine(cryptoEngine.name, cryptoEngine)
+  const pk = await certificate.getPublicKey(undefined, cryptoEngine)
+  const jwk = (await cryptoEngine.subtle.exportKey('jwk', pk)) as JWK
+  const jwkThumbprint = calculateJwkThumbprint({ jwk })
+  const key = await context.agent.keyManagerGet({ kid: opts.kmsKeyRef ?? jwkThumbprint })
+  // we explicitly do not set the kid and issuer, meaning it can remain null. Normally you do not provide a kid and issuer with x5c.
+
+  return {
+    method,
+    x5c,
+    certificate,
+    jwk,
+    jwkThumbprint,
+    key,
+    kmsKeyRef: key.kid,
+    kid,
+    issuer,
+  } satisfies ManagedIdentifierX5cResult
+}
+
+export async function getManagedIdentifier(
+  opts: ManagedIdentifierOpts & {
+    crypto?: Crypto
+  },
+  context: IAgentContext<IKeyManager>
+): Promise<ManagedIdentifierResult> {
+  let resolutionResult: ManagedIdentifierResult
+  if (isManagedIdentifierKidOpts(opts)) {
+    resolutionResult = await getManagedKidIdentifier(opts, context)
+  } else if (isManagedIdentifierDidOpts(opts)) {
+    resolutionResult = await getManagedDidIdentifier(opts, context)
+  } else if (isManagedIdentifierJwkOpts(opts)) {
+    resolutionResult = await getManagedJwkIdentifier(opts, context)
+  } else if (isManagedIdentifierX5cOpts(opts)) {
+    resolutionResult = await getManagedX5cIdentifier(opts, context)
+  } else {
+    return Promise.reject(Error(`Could not determine identifier method. Please provide explicitly`))
+  }
+  const { key } = resolutionResult
+  if (!key || (isManagedIdentifierDidOpts(opts) && isManagedIdentifierDidResult(resolutionResult) && !resolutionResult.identifier)) {
+    console.log(`Cannot find identifier`, opts.identifier)
+    return Promise.reject(`Cannot find identifier ${opts.identifier}`)
+  }
+  return resolutionResult
+}

package/src/index.ts

@@ -0,0 +1,11 @@
+/**
+ * @internal
+ */
+const schema = require('../plugin.schema.json')
+export { schema }
+/**
+ * @public
+ */
+export { IdentifierResolution } from './agent/IdentifierResolution'
+export * from './functions'
+export * from './types'

package/src/types/IIdentifierResolution.ts

@@ -0,0 +1,54 @@
+import { IAgentContext, IDIDManager, IKeyManager, IPluginMethodMap } from '@veramo/core'
+import {
+  ExternalIdentifierDidOpts,
+  ExternalIdentifierDidResult,
+  ExternalIdentifierOpts,
+  ExternalIdentifierResult,
+  ExternalIdentifierX5cOpts,
+  ExternalIdentifierX5cResult,
+} from './externalIdentifierTypes'
+import {
+  ManagedIdentifierDidOpts,
+  ManagedIdentifierDidResult,
+  ManagedIdentifierJwkOpts,
+  ManagedIdentifierJwkResult,
+  ManagedIdentifierKidOpts,
+  ManagedIdentifierKidResult,
+  ManagedIdentifierOpts,
+  ManagedIdentifierResult,
+  ManagedIdentifierX5cOpts,
+  ManagedIdentifierX5cResult,
+} from './managedIdentifierTypes'
+
+/**
+ * @public
+ */
+export interface IIdentifierResolution extends IPluginMethodMap {
+  /**
+   * Main method for managed identifiers. We always go through this method (also the others) as we want to integrate a plugin for anomaly detection. Having a single method helps
+   * @param args
+   * @param context
+   * @public
+   */
+  identifierManagedGet(args: ManagedIdentifierOpts, context: IAgentContext<IKeyManager>): Promise<ManagedIdentifierResult>
+
+  identifierManagedGetByDid(args: ManagedIdentifierDidOpts, context: IAgentContext<IKeyManager & IDIDManager>): Promise<ManagedIdentifierDidResult>
+
+  identifierManagedGetByKid(args: ManagedIdentifierKidOpts, context: IAgentContext<IKeyManager>): Promise<ManagedIdentifierKidResult>
+
+  identifierManagedGetByJwk(args: ManagedIdentifierJwkOpts, context: IAgentContext<IKeyManager>): Promise<ManagedIdentifierJwkResult>
+
+  identifierManagedGetByX5c(args: ManagedIdentifierX5cOpts, context: IAgentContext<IKeyManager>): Promise<ManagedIdentifierX5cResult>
+
+  /**
+   * Main method for external identifiers. We always go through this method (also the others) as we want to integrate a plugin for anomaly detection. Having a single method helps
+   * @param args
+   * @param context
+   * @public
+   */
+  identifierExternalResolve(args: ExternalIdentifierOpts, context: IAgentContext<any>): Promise<ExternalIdentifierResult>
+
+  identifierExternalResolveByDid(args: ExternalIdentifierDidOpts, context: IAgentContext<any>): Promise<ExternalIdentifierDidResult>
+
+  identifierExternalResolveByX5c(args: ExternalIdentifierX5cOpts, context: IAgentContext<any>): Promise<ExternalIdentifierX5cResult>
+}

package/src/types/common.ts

@@ -0,0 +1,37 @@
+import { JWK } from '@sphereon/ssi-sdk-ext.key-utils'
+import { IIdentifier } from '@veramo/core'
+import { ExternalIdentifierType } from './externalIdentifierTypes'
+import { ManagedIdentifierType } from './managedIdentifierTypes'
+
+export interface JwkInfo {
+  jwk: JWK
+  jwkThumbprint: string
+}
+
+export function isDidIdentifier(identifier: ManagedIdentifierType | ExternalIdentifierType): identifier is IIdentifier | string {
+  return isIIdentifier(identifier) || (typeof identifier === 'string' && identifier.startsWith('did:'))
+}
+
+export function isIIdentifier(identifier: ManagedIdentifierType | ExternalIdentifierType): identifier is IIdentifier {
+  return typeof identifier === 'object' && !Array.isArray(identifier) && 'did' in identifier && 'keys' in identifier
+}
+
+export function isJwkIdentifier(identifier: ManagedIdentifierType | ExternalIdentifierType): identifier is JWK {
+  return typeof identifier === 'object' && !Array.isArray(identifier) && 'kty' in identifier
+}
+
+export function isOidcDiscoveryIdentifier(identifier: ManagedIdentifierType | ExternalIdentifierType): identifier is string {
+  return typeof identifier === 'string' && identifier.startsWith('http') && identifier.endsWith('/.well-known/openid-configuration')
+}
+
+export function isJwksUrlIdentifier(identifier: ManagedIdentifierType | ExternalIdentifierType): identifier is string {
+  return typeof identifier === 'string' && identifier.startsWith('http') && identifier.endsWith('jwks.json')
+}
+
+export function isKidIdentifier(identifier: ManagedIdentifierType | ExternalIdentifierType): identifier is string {
+  return typeof identifier === 'string' && !identifier.startsWith('did:')
+}
+
+export function isX5cIdentifier(identifier: ManagedIdentifierType | ExternalIdentifierType): identifier is string[] {
+  return Array.isArray(identifier) && identifier.length > 0 // todo: Do we want to do additional validation? We know it must be DER and thus hex for instance
+}