@sphereon/ssi-sdk-ext.identifier-resolution 0.24.1-next.97 → 0.24.1-unstable.111

package/src/types/IIdentifierResolution.ts

@@ -1,13 +1,19 @@
 import { IAgentContext, IDIDManager, IKeyManager, IPluginMethodMap } from '@veramo/core'
 import {
+  ExternalIdentifierCoseKeyOpts,
+  ExternalIdentifierCoseKeyResult,
   ExternalIdentifierDidOpts,
   ExternalIdentifierDidResult,
+  ExternalIdentifierJwkOpts,
+  ExternalIdentifierJwkResult,
   ExternalIdentifierOpts,
   ExternalIdentifierResult,
   ExternalIdentifierX5cOpts,
   ExternalIdentifierX5cResult,
 } from './externalIdentifierTypes'
 import {
+  ManagedIdentifierCoseKeyOpts,
+  ManagedIdentifierCoseKeyResult,
   ManagedIdentifierDidOpts,
   ManagedIdentifierDidResult,
   ManagedIdentifierJwkOpts,
@@ -16,7 +22,7 @@ import {
   ManagedIdentifierKeyResult,
   ManagedIdentifierKidOpts,
   ManagedIdentifierKidResult,
-  ManagedIdentifierOpts,
+  ManagedIdentifierOptsOrResult,
   ManagedIdentifierResult,
   ManagedIdentifierX5cOpts,
   ManagedIdentifierX5cResult,
@@ -30,9 +36,12 @@ export const identifierResolutionContextMethods: Array<string> = [
   'identifierManagedGetByJwk',
   'identifierManagedGetByX5c',
   'identifierManagedGetByKey',
+  'identifierGetManagedByCoseKey',
   'identifierExternalResolve',
   'identifierExternalResolveByDid',
   'identifierExternalResolveByX5c',
+  'identifierExternalResolveByJwk',
+  'identifierExternalResolveByCoseKey',
 ]
 
 /**
@@ -43,11 +52,15 @@ export interface IIdentifierResolution extends IPluginMethodMap {
    * Main method for managed identifiers. We always go through this method (also the others) as we want to integrate a plugin for anomaly detection. Having a single method helps
    *
    * The end result of all these methods is a common baseline response that allows to use a key from the registered KMS systems. It also provides kid and iss(uer) values that can be used in a JWT/JWS for instance
+   * Allows to get a managed identifier result in case identifier options are passed in, but returns the identifier directly in case results are passed in. This means resolution can have happened before, or happens in this method
+   *
+   * We use the opts or result type almost everywhere, as it allows for just in time resolution whenever this method is called and afterwards we have the result, so resolution doesn't have to hit the DB, or external endpoints.
+   * Also use this method in the local agent, not using REST. If case the identifier needs to be resolved, you can always have the above methods using REST
    * @param args
    * @param context
    * @public
    */
-  identifierManagedGet(args: ManagedIdentifierOpts, context: IAgentContext<IKeyManager>): Promise<ManagedIdentifierResult>
+  identifierManagedGet(args: ManagedIdentifierOptsOrResult, context: IAgentContext<IKeyManager>): Promise<ManagedIdentifierResult>
 
   identifierManagedGetByDid(args: ManagedIdentifierDidOpts, context: IAgentContext<IKeyManager & IDIDManager>): Promise<ManagedIdentifierDidResult>
 
@@ -59,6 +72,11 @@ export interface IIdentifierResolution extends IPluginMethodMap {
 
   identifierManagedGetByKey(args: ManagedIdentifierKeyOpts, context: IAgentContext<IKeyManager>): Promise<ManagedIdentifierKeyResult>
 
+  identifierManagedGetByCoseKey(
+    args: ManagedIdentifierCoseKeyOpts,
+    context: IAgentContext<IKeyManager & IIdentifierResolution>
+  ): Promise<ManagedIdentifierCoseKeyResult>
+
   // TODO: We can create a custom managed identifier method allowing developers to register a callback function to get their implementation hooked up. Needs more investigation as it would also impact the KMS
 
   /**
@@ -71,5 +89,9 @@ export interface IIdentifierResolution extends IPluginMethodMap {
 
   identifierExternalResolveByDid(args: ExternalIdentifierDidOpts, context: IAgentContext<any>): Promise<ExternalIdentifierDidResult>
 
+  identifierExternalResolveByJwk(args: ExternalIdentifierJwkOpts, context: IAgentContext<any>): Promise<ExternalIdentifierJwkResult>
+
+  identifierExternalResolveByCoseKey(args: ExternalIdentifierCoseKeyOpts, context: IAgentContext<any>): Promise<ExternalIdentifierCoseKeyResult>
+
   identifierExternalResolveByX5c(args: ExternalIdentifierX5cOpts, context: IAgentContext<any>): Promise<ExternalIdentifierX5cResult>
 }

package/src/types/common.ts

@@ -1,4 +1,4 @@
-import { JWK } from '@sphereon/ssi-sdk-ext.key-utils'
+import { ICoseKeyJson, JWK } from '@sphereon/ssi-types'
 import { IIdentifier, IKey } from '@veramo/core'
 import { ExternalIdentifierType } from './externalIdentifierTypes'
 import { ManagedIdentifierType } from './managedIdentifierTypes'
@@ -42,6 +42,10 @@ export function isKeyIdentifier(identifier: ManagedIdentifierType): identifier i
   )
 }
 
+export function isCoseKeyIdentifier(identifier: ManagedIdentifierType): identifier is ICoseKeyJson {
+  return typeof identifier === 'object' && `kty` in identifier && ('baseIV' in identifier || 'x5chain' in identifier) && !('x5c' in identifier)
+}
+
 export function isX5cIdentifier(identifier: ManagedIdentifierType | ExternalIdentifierType): identifier is string[] {
   return Array.isArray(identifier) && identifier.length > 0 // todo: Do we want to do additional validation? We know it must be DER and thus hex for instance
 }

package/src/types/externalIdentifierTypes.ts

@@ -1,9 +1,18 @@
 import { DidDocumentJwks } from '@sphereon/ssi-sdk-ext.did-utils'
-import { JWK } from '@sphereon/ssi-sdk-ext.key-utils'
-import { X509ValidationResult } from '@sphereon/ssi-sdk-ext.x509-utils'
+import { ICoseKeyJson, JWK } from '@sphereon/ssi-types'
+import { X509CertificateChainValidationOpts, X509ValidationResult } from '@sphereon/ssi-sdk-ext.x509-utils'
 import { IParsedDID } from '@sphereon/ssi-types'
 import { DIDDocument, DIDDocumentSection, DIDResolutionResult } from '@veramo/core'
-import { isDidIdentifier, isJwkIdentifier, isJwksUrlIdentifier, isKidIdentifier, isOidcDiscoveryIdentifier, isX5cIdentifier, JwkInfo } from './common'
+import {
+  isCoseKeyIdentifier,
+  isDidIdentifier,
+  isJwkIdentifier,
+  isJwksUrlIdentifier,
+  isKidIdentifier,
+  isOidcDiscoveryIdentifier,
+  isX5cIdentifier,
+  JwkInfo,
+} from './common'
 
 /**
  * Use whenever we need to resolve an external identifier. We can pass in kids, DIDs, and x5chains
@@ -32,7 +41,13 @@ export function isExternalIdentifierDidOpts(opts: ExternalIdentifierOptsBase): o
   return ('method' in opts && opts.method === 'did') || isDidIdentifier(identifier)
 }
 
-export type ExternalIdentifierOpts = (ExternalIdentifierJwkOpts | ExternalIdentifierX5cOpts | ExternalIdentifierDidOpts | ExternalIdentifierKidOpts) &
+export type ExternalIdentifierOpts = (
+  | ExternalIdentifierJwkOpts
+  | ExternalIdentifierX5cOpts
+  | ExternalIdentifierDidOpts
+  | ExternalIdentifierKidOpts
+  | ExternalIdentifierCoseKeyOpts
+) &
   ExternalIdentifierOptsBase
 
 export type ExternalIdentifierKidOpts = Omit<ExternalIdentifierOptsBase, 'method'> & {
@@ -48,6 +63,7 @@ export function isExternalIdentifierKidOpts(opts: ExternalIdentifierOptsBase): o
 export type ExternalIdentifierJwkOpts = Omit<ExternalIdentifierOptsBase, 'method'> & {
   method?: 'jwk'
   identifier: JWK
+  x5c?: ExternalIdentifierX5cOpts
 }
 
 export function isExternalIdentifierJwkOpts(opts: ExternalIdentifierOptsBase): opts is ExternalIdentifierJwkOpts {
@@ -55,6 +71,16 @@ export function isExternalIdentifierJwkOpts(opts: ExternalIdentifierOptsBase): o
   return ('method' in opts && opts.method === 'jwk') || isJwkIdentifier(identifier)
 }
 
+export type ExternalIdentifierCoseKeyOpts = Omit<ExternalIdentifierOptsBase, 'method'> & {
+  method?: 'cose_key'
+  identifier: ICoseKeyJson
+}
+
+export function isExternalIdentifierCoseKeyOpts(opts: ExternalIdentifierOptsBase): opts is ExternalIdentifierCoseKeyOpts {
+  const { identifier } = opts
+  return ('method' in opts && opts.method === 'cose_key') || isCoseKeyIdentifier(identifier)
+}
+
 export type ExternalIdentifierOidcDiscoveryOpts = Omit<ExternalIdentifierOptsBase, 'method'> & {
   method?: 'oidc-discovery'
   identifier: string
@@ -75,28 +101,42 @@ export function isExternalIdentifierJwksUrlOpts(opts: ExternalIdentifierOptsBase
   return ('method' in opts && opts.method === 'oidc-discovery') || isJwksUrlIdentifier(identifier)
 }
 
-export type ExternalIdentifierX5cOpts = Omit<ExternalIdentifierOptsBase, 'method'> & {
-  method?: 'x5c'
-  identifier: string[]
-  verify?: boolean // defaults to true
-  verificationTime?: Date
-  trustAnchors?: string[]
-}
+export type ExternalIdentifierX5cOpts = Omit<ExternalIdentifierOptsBase, 'method'> &
+  X509CertificateChainValidationOpts & {
+    method?: 'x5c'
+    identifier: string[]
+    verify?: boolean // defaults to true
+    verificationTime?: Date
+    trustAnchors?: string[]
+  }
 
 export function isExternalIdentifierX5cOpts(opts: ExternalIdentifierOptsBase): opts is ExternalIdentifierX5cOpts {
   const { identifier } = opts
   return ('method' in opts && opts.method === 'x5c') || isX5cIdentifier(identifier)
 }
 
-export type ExternalIdentifierMethod = 'did' | 'jwk' | 'x5c' | 'kid' | 'oidc-discovery' | 'jwks-url' | 'oid4vci-issuer'
+export type ExternalIdentifierMethod = 'did' | 'jwk' | 'x5c' | 'kid' | 'cose_key' | 'oidc-discovery' | 'jwks-url' | 'oid4vci-issuer'
 
-export type ExternalIdentifierResult = ExternalIdentifierDidResult | ExternalIdentifierX5cResult
+export type ExternalIdentifierResult = IExternalIdentifierResultBase &
+  (ExternalIdentifierDidResult | ExternalIdentifierX5cResult | ExternalIdentifierJwkResult | ExternalIdentifierCoseKeyResult)
 
 export interface IExternalIdentifierResultBase {
   method: ExternalIdentifierMethod
   jwks: Array<ExternalJwkInfo>
 }
 
+export interface ExternalIdentifierJwkResult extends IExternalIdentifierResultBase {
+  method: 'jwk'
+  jwk: JWK
+  x5c?: ExternalIdentifierX5cResult
+}
+
+export interface ExternalIdentifierCoseKeyResult extends IExternalIdentifierResultBase {
+  method: 'cose_key'
+  coseKey: ICoseKeyJson
+  x5c?: ExternalIdentifierX5cResult
+}
+
 export interface ExternalIdentifierX5cResult extends IExternalIdentifierResultBase {
   method: 'x5c'
   x5c: string[]
@@ -107,6 +147,7 @@ export interface ExternalIdentifierX5cResult extends IExternalIdentifierResultBa
 
 export interface ExternalJwkInfo extends JwkInfo {
   kid?: string
+  publicKeyHex: string
 }
 
 export interface ExternalIdentifierDidResult extends IExternalIdentifierResultBase {

package/src/types/managedIdentifierTypes.ts

@@ -1,13 +1,14 @@
-import { JWK } from '@sphereon/ssi-sdk-ext.key-utils'
+import { ClientIdScheme } from '@sphereon/ssi-sdk-ext.x509-utils'
+import { ICoseKeyJson, JWK } from '@sphereon/ssi-types'
 import { DIDDocumentSection, IIdentifier, IKey, TKeyType } from '@veramo/core'
-import { isDidIdentifier, isJwkIdentifier, isKeyIdentifier, isKidIdentifier, isX5cIdentifier, JwkInfo } from './common'
+import { isCoseKeyIdentifier, isDidIdentifier, isJwkIdentifier, isKeyIdentifier, isKidIdentifier, isX5cIdentifier, JwkInfo } from './common'
 
 /**
  * Use whenever we need to pass in an identifier. We can pass in kids, DIDs, IIdentifier objects and x5chains
  *
  * The functions below can be used to check the type, and they also provide the proper 'runtime' types
  */
-export type ManagedIdentifierType = IIdentifier /*did*/ | string /*did or kid*/ | string[] /*x5c*/ | JWK | IKey
+export type ManagedIdentifierType = IIdentifier /*did*/ | string /*did or kid*/ | string[] /*x5c*/ | JWK | IKey | ICoseKeyJson
 
 export type ManagedIdentifierOpts = (
   | ManagedIdentifierJwkOpts
@@ -15,6 +16,7 @@ export type ManagedIdentifierOpts = (
   | ManagedIdentifierDidOpts
   | ManagedIdentifierKidOpts
   | ManagedIdentifierKeyOpts
+  | ManagedIdentifierCoseKeyOpts
 ) &
   ManagedIdentifierOptsBase
 
@@ -24,6 +26,8 @@ export type ManagedIdentifierOptsBase = {
   kmsKeyRef?: string // The key reference for the KMS system. If provided this value will be used to determine the appropriate key. Otherwise it will be inferred
   issuer?: string // can be used when a specific issuer needs to end up, for instance when signing JWTs. Will be returned or inferred if not provided
   kid?: string // can be used when a specific kid value needs to be used. For instance when signing JWTs. Will be returned or inferred if not provided
+  clientId?: string
+  clientIdScheme?: ClientIdScheme | 'did' | string
 }
 
 export type ManagedIdentifierDidOpts = Omit<ManagedIdentifierOptsBase, 'method'> & {
@@ -56,11 +60,21 @@ export type ManagedIdentifierKeyOpts = Omit<ManagedIdentifierOptsBase, 'method'>
   identifier: IKey
 }
 
-export function isManagedIdentifierKeyOpts(opts: ManagedIdentifierOptsBase): opts is ManagedIdentifierKidOpts {
+export function isManagedIdentifierKeyOpts(opts: ManagedIdentifierOptsBase): opts is ManagedIdentifierKeyOpts {
   const { identifier } = opts
   return ('method' in opts && opts.method === 'key') || isKeyIdentifier(identifier)
 }
 
+export type ManagedIdentifierCoseKeyOpts = Omit<ManagedIdentifierOptsBase, 'method'> & {
+  method?: 'cose_key'
+  identifier: ICoseKeyJson
+}
+
+export function isManagedIdentifierCoseKeyOpts(opts: ManagedIdentifierOptsBase): opts is ManagedIdentifierCoseKeyOpts {
+  const { identifier } = opts
+  return ('method' in opts && opts.method === 'cose_key') || isCoseKeyIdentifier(identifier)
+}
+
 export type ManagedIdentifierJwkOpts = Omit<ManagedIdentifierOptsBase, 'method'> & {
   method?: 'jwk'
   identifier: JWK
@@ -91,6 +105,9 @@ export interface IManagedIdentifierResultBase extends ManagedJwkInfo {
   key: IKey
   kid?: string
   issuer?: string
+  clientId?: string
+  clientIdScheme?: ClientIdScheme | 'did' | string
+  identifier: ManagedIdentifierType
 }
 
 export function isManagedIdentifierDidResult(object: IManagedIdentifierResultBase): object is ManagedIdentifierDidResult {
@@ -113,6 +130,10 @@ export function isManagedIdentifierKeyResult(object: IManagedIdentifierResultBas
   return object!! && typeof object === 'object' && 'method' in object && object.method === 'key'
 }
 
+export function isManagedIdentifierCoseKeyResult(object: IManagedIdentifierResultBase): object is ManagedIdentifierCoseKeyResult {
+  return object!! && typeof object === 'object' && 'method' in object && object.method === 'cose_key'
+}
+
 export interface ManagedIdentifierDidResult extends IManagedIdentifierResultBase {
   method: 'did'
   identifier: IIdentifier
@@ -126,27 +147,45 @@ export interface ManagedIdentifierDidResult extends IManagedIdentifierResultBase
 }
 
 export interface ManagedIdentifierJwkResult extends IManagedIdentifierResultBase {
+  identifier: JWK
   method: 'jwk'
 }
 
 export interface ManagedIdentifierKidResult extends IManagedIdentifierResultBase {
   method: 'kid'
+  identifier: string
   kid: string
 }
 
 export interface ManagedIdentifierKeyResult extends IManagedIdentifierResultBase {
   method: 'key'
+  identifier: IKey
+}
+
+export interface ManagedIdentifierCoseKeyResult extends IManagedIdentifierResultBase {
+  method: 'cose_key'
+  identifier: ICoseKeyJson
 }
 
 export interface ManagedIdentifierX5cResult extends IManagedIdentifierResultBase {
   method: 'x5c'
+  identifier: string[]
   x5c: string[]
   certificate: any // Certificate(JSON_, but trips schema generator. Probably want to create our own DTO
 }
 
-export type ManagedIdentifierMethod = 'did' | 'jwk' | 'x5c' | 'kid' | 'key'
+export type ManagedIdentifierMethod = 'did' | 'jwk' | 'x5c' | 'kid' | 'key' | 'cose_key'
 
 export type ManagedIdentifierResult = IManagedIdentifierResultBase &
-  (ManagedIdentifierX5cResult | ManagedIdentifierDidResult | ManagedIdentifierJwkResult | ManagedIdentifierKidResult | ManagedIdentifierKeyResult)
-
-export type ManagedIdentifierOptsOrResult = ManagedIdentifierResult | ManagedIdentifierOpts
+  (
+    | ManagedIdentifierX5cResult
+    | ManagedIdentifierDidResult
+    | ManagedIdentifierJwkResult
+    | ManagedIdentifierKidResult
+    | ManagedIdentifierKeyResult
+    | ManagedIdentifierCoseKeyResult
+  )
+
+export type ManagedIdentifierOptsOrResult = (ManagedIdentifierResult | ManagedIdentifierOpts) & {
+  lazyDisabled?: boolean
+}