@sphereon/ssi-sdk-ext.identifier-resolution 0.24.1-unstable.75 → 0.24.1-unstable.77

package/src/agent/IdentifierResolution.ts

@@ -1,8 +1,14 @@
 import { IAgentContext, IAgentPlugin, IDIDManager, IKeyManager } from '@veramo/core'
-import { getManagedIdentifier } from '../functions'
-
+import { schema } from '..'
+import { getManagedIdentifier, resolveExternalIdentifier } from '../functions'
 import {
-  ManagedIdentifierResult,
+  ExternalIdentifierDidOpts,
+  ExternalIdentifierDidResult,
+  ExternalIdentifierOpts,
+  ExternalIdentifierResult,
+  ExternalIdentifierX5cOpts,
+  ExternalIdentifierX5cResult,
+  IIdentifierResolution,
   ManagedIdentifierDidOpts,
   ManagedIdentifierDidResult,
   ManagedIdentifierJwkOpts,
@@ -10,11 +16,10 @@ import {
   ManagedIdentifierKidOpts,
   ManagedIdentifierKidResult,
   ManagedIdentifierOpts,
+  ManagedIdentifierResult,
   ManagedIdentifierX5cOpts,
   ManagedIdentifierX5cResult,
-  schema,
-} from '../index'
-import { ExternalIdentifierOpts, IIdentifierResolution } from '../types/IIdentifierResolution'
+} from '../types'
 
 /**
  * @public
@@ -31,6 +36,10 @@ export class IdentifierResolution implements IAgentPlugin {
     identifierManagedGetByX5c: this.identifierGetManagedByX5c.bind(this),
 
     identifierExternalResolve: this.identifierResolveExternal.bind(this),
+    identifierExternalResolveByDid: this.identifierExternalResolveByDid.bind(this),
+    identifierExternalResolveByX5c: this.identifierExternalResolveByX5c.bind(this),
+
+    // todo: JWKSet, oidc-discovery, oid4vci-issuer etc. Anything we already can resolve and need keys of
   }
 
   /**
@@ -40,6 +49,12 @@ export class IdentifierResolution implements IAgentPlugin {
     this._crypto = cryptoArg ?? global.crypto
   }
 
+  /**
+   * Main method for managed identifiers. We always go through this method (also the others) as we want to integrate a plugin for anomaly detection. Having a single method helps
+   * @param args
+   * @param context
+   * @private
+   */
   private async identifierGetManaged(args: ManagedIdentifierOpts, context: IAgentContext<IKeyManager>): Promise<ManagedIdentifierResult> {
     return await getManagedIdentifier({ ...args, crypto: this._crypto }, context)
   }
@@ -63,7 +78,15 @@ export class IdentifierResolution implements IAgentPlugin {
     return (await this.identifierGetManaged({ ...args, method: 'x5c' }, context)) as ManagedIdentifierX5cResult
   }
 
-  private async identifierResolveExternal(args: ExternalIdentifierOpts, context: IAgentContext<IKeyManager>): Promise<any> {
-    return await getManagedIdentifier({ ...args, crypto: this._crypto }, context)
+  private async identifierResolveExternal(args: ExternalIdentifierOpts, context: IAgentContext<IKeyManager>): Promise<ExternalIdentifierResult> {
+    return await resolveExternalIdentifier({ ...args, crypto: this._crypto }, context)
+  }
+
+  private async identifierExternalResolveByDid(args: ExternalIdentifierDidOpts, context: IAgentContext<any>): Promise<ExternalIdentifierDidResult> {
+    return (await this.identifierResolveExternal({ ...args, method: 'did' }, context)) as ExternalIdentifierDidResult
+  }
+
+  private async identifierExternalResolveByX5c(args: ExternalIdentifierX5cOpts, context: IAgentContext<any>): Promise<ExternalIdentifierX5cResult> {
+    return (await this.identifierResolveExternal({ ...args, method: 'x5c' }, context)) as ExternalIdentifierX5cResult
   }
 }

package/src/functions/externalIdentifierFunctions.ts

@@ -0,0 +1,183 @@
+import { didDocumentToJwks, getAgentResolver } from '@sphereon/ssi-sdk-ext.did-utils'
+import { calculateJwkThumbprint, JWK } from '@sphereon/ssi-sdk-ext.key-utils'
+import {
+  getSubjectDN,
+  pemOrDerToX509Certificate,
+  PEMToDer,
+  validateX509CertificateChain,
+  X509ValidationResult,
+} from '@sphereon/ssi-sdk-ext.x509-utils'
+import { contextHasPlugin } from '@sphereon/ssi-sdk.agent-config'
+import { IParsedDID, parseDid } from '@sphereon/ssi-types'
+import { IAgentContext, IDIDManager, IResolver } from '@veramo/core'
+import { isDefined } from '@veramo/utils'
+import { CryptoEngine, setEngine } from 'pkijs'
+import {
+  ExternalIdentifierDidOpts,
+  ExternalIdentifierDidResult,
+  ExternalIdentifierMethod,
+  ExternalIdentifierOpts,
+  ExternalIdentifierResult,
+  ExternalIdentifierX5cOpts,
+  ExternalIdentifierX5cResult,
+  ExternalJwkInfo,
+  isExternalIdentifierDidOpts,
+  isExternalIdentifierJwksUrlOpts,
+  isExternalIdentifierKidOpts,
+  isExternalIdentifierOidcDiscoveryOpts,
+  isExternalIdentifierX5cOpts,
+} from '../types'
+
+export async function resolveExternalIdentifier(
+  opts: ExternalIdentifierOpts & {
+    crypto?: Crypto
+  },
+  context: IAgentContext<any>
+): Promise<ExternalIdentifierResult> {
+  let method: ExternalIdentifierMethod | undefined
+  if (isExternalIdentifierDidOpts(opts)) {
+    return resolveExternalDidIdentifier(opts, context)
+  } else if (isExternalIdentifierX5cOpts(opts)) {
+    return resolveExternalX5cIdentifier(opts, context)
+  } else if (isExternalIdentifierKidOpts(opts)) {
+    method = 'kid'
+  } else if (isExternalIdentifierJwksUrlOpts(opts)) {
+    method = 'jwks-url'
+  } else if (isExternalIdentifierOidcDiscoveryOpts(opts)) {
+    method = 'oidc-discovery'
+  }
+  throw Error(`External resolution method ${method} is not yet implemented`)
+}
+
+export async function resolveExternalX5cIdentifier(
+  opts: ExternalIdentifierX5cOpts & {
+    crypto?: Crypto
+  },
+  context: IAgentContext<IResolver & IDIDManager>
+): Promise<ExternalIdentifierX5cResult> {
+  if (!isExternalIdentifierX5cOpts(opts)) {
+    return Promise.reject('External x5c Identifier args need to be provided')
+  }
+  const verify = opts.verify ?? true
+  const x5c = opts.identifier.map((derOrPem) => (derOrPem.includes('CERTIFICATE') ? PEMToDer(derOrPem) : derOrPem))
+  if (x5c.length === 0) {
+    return Promise.reject('Empty certification chain is now allowed')
+  }
+  const certificates = x5c.map(pemOrDerToX509Certificate)
+
+  let verificationResult: X509ValidationResult | undefined
+  let issuerJWK: JWK | undefined
+  let jwks: ExternalJwkInfo[] = []
+
+  if (verify) {
+    // We use the agent plugin if it is available as that is more powerful, but revert to the function otherwise
+    if (contextHasPlugin(context, 'verifyCertificateChain')) {
+      verificationResult = (await context.agent.verifyCertificateChain({
+        chain: opts.identifier,
+        trustAnchors: opts.trustAnchors ?? [],
+        verificationTime: opts.verificationTime,
+      })) as X509ValidationResult // We need to cast, as we know this is the value and we do not want to rely on the x509 plugin perse
+    } else {
+      verificationResult = await validateX509CertificateChain({
+        chain: opts.identifier,
+        trustAnchors: opts.trustAnchors ?? [],
+        verificationTime: opts.verificationTime,
+      })
+    }
+    if (verificationResult.certificateChain) {
+      jwks = verificationResult.certificateChain.map((cert) => {
+        return {
+          jwk: cert.publicKeyJWK,
+          kid: cert.subject.dn.DN,
+          jwkThumbprint: calculateJwkThumbprint({ jwk: cert.publicKeyJWK }),
+        } satisfies ExternalJwkInfo
+      })
+    }
+  }
+  if (!jwks || jwks.length === 0) {
+    const cryptoEngine = new CryptoEngine({
+      name: 'identifier_resolver_external',
+      crypto: opts.crypto ?? global.crypto,
+    })
+    setEngine(cryptoEngine.name, cryptoEngine)
+    jwks = await Promise.all(
+      certificates.map(async (cert) => {
+        const pk = await cert.getPublicKey(undefined, cryptoEngine)
+        const jwk = (await cryptoEngine.exportKey('jwk', pk)) as JWK
+        return {
+          jwk,
+          kid: getSubjectDN(cert).DN,
+          jwkThumbprint: calculateJwkThumbprint({ jwk }),
+        } satisfies ExternalJwkInfo
+      })
+    )
+  }
+  if (jwks.length === 0) {
+    return Promise.reject('Empty certification chain is now allowed')
+  }
+  if (!issuerJWK) {
+    issuerJWK = jwks[0].jwk
+  }
+
+  return {
+    method: 'x5c',
+    verificationResult,
+    issuerJWK,
+    jwks,
+    certificates,
+    x5c,
+  }
+}
+
+export async function resolveExternalDidIdentifier(
+  opts: ExternalIdentifierDidOpts,
+  context: IAgentContext<IResolver & IDIDManager>
+): Promise<ExternalIdentifierDidResult> {
+  if (!isExternalIdentifierDidOpts(opts)) {
+    return Promise.reject('External DID Identifier args need to be provided')
+  } else if (!contextHasPlugin<IResolver & IDIDManager>(context, 'resolveDid')) {
+    return Promise.reject(Error(`Cannot get external DID identifier if DID resolver plugin is not enabled!`))
+  }
+  const { uniresolverResolution = false, localResolution = true, resolverResolution = true } = opts
+  const did = opts.identifier
+  let parsed: IParsedDID
+  try {
+    parsed = parseDid(did)
+  } catch (error: unknown) {
+    // Error from did resolution spec
+    return Promise.reject(error)
+  }
+  const didParsed = parsed
+  const didResolutionResult = await getAgentResolver(context, {
+    uniresolverResolution,
+    localResolution,
+    resolverResolution,
+  }).resolve(did)
+  const didDocument = didResolutionResult.didDocument ?? undefined
+  const didJwks = didDocument ? didDocumentToJwks(didDocument) : undefined
+  const jwks = didJwks
+    ? Array.from(
+        new Set(
+          Object.values(didJwks)
+            .filter((jwks) => isDefined(jwks) && jwks.length > 0)
+            .flatMap((jwks) => jwks)
+        )
+      ).map((jwk) => {
+        return { jwk, jwkThumbprint: calculateJwkThumbprint({ jwk }), kid: jwk.kid }
+      })
+    : []
+
+  if (didResolutionResult?.didDocument) {
+    // @ts-ignore // Mandatory on the original object, but we already provide it directly
+    delete didResolutionResult['didDocument']
+  }
+  return {
+    method: 'did',
+    did,
+    jwks,
+    didJwks,
+    didDocument,
+    didResolutionResult,
+    didParsed,
+  }
+}

package/src/functions/index.ts

@@ -1,267 +1,2 @@
-import { didDocumentToJwks, getAgentResolver, getFirstKeyWithRelation } from '@sphereon/ssi-sdk-ext.did-utils'
-import { calculateJwkThumbprint, JWK, toJwk } from '@sphereon/ssi-sdk-ext.key-utils'
-import { getSubjectDN, pemOrDerToX509Certificate, validateX509CertificateChain, X509ValidationResult } from '@sphereon/ssi-sdk-ext.x509-utils'
-import { contextHasDidManager, contextHasKeyManager, contextHasPlugin } from '@sphereon/ssi-sdk.agent-config'
-import { IParsedDID, parseDid } from '@sphereon/ssi-types'
-import { IAgentContext, IDIDManager, IIdentifier, IKey, IKeyManager, IResolver } from '@veramo/core'
-import { Certificate, CryptoEngine, setEngine } from 'pkijs'
-import {
-  ExternalIdentifierDidOpts,
-  ExternalIdentifierDidResult,
-  ExternalIdentifierMethod,
-  ExternalIdentifierOpts,
-  ExternalIdentifierResult,
-  ExternalIdentifierX5cOpts,
-  ExternalIdentifierX5cResult,
-  ExternalJwkInfo,
-  isExternalIdentifierDidOpts,
-  isExternalIdentifierJwksUrlOpts,
-  isExternalIdentifierKidOpts,
-  isExternalIdentifierOidcDiscoveryOpts,
-  isExternalIdentifierX5cOpts,
-  isManagedIdentifierDidOpts,
-  isManagedIdentifierJwkOpts,
-  isManagedIdentifierKidOpts,
-  isManagedIdentifierX5cOpts,
-  ManagedIdentifierOpts,
-  ManagedIdentifierResult,
-} from '../types/IIdentifierResolution'
-
-export async function resolveExternalIdentifier(
-  opts: ExternalIdentifierOpts & {
-    crypto?: Crypto
-  },
-  context: IAgentContext<any>
-): Promise<ExternalIdentifierResult> {
-  let method: ExternalIdentifierMethod | undefined
-  if (isExternalIdentifierDidOpts(opts)) {
-    return resolveExternalDidIdentifier(opts, context)
-  } else if (isExternalIdentifierX5cOpts(opts)) {
-    return resolveExternalX5cIdentifier(opts, context)
-  } else if (isExternalIdentifierKidOpts(opts)) {
-    method = 'kid'
-  } else if (isExternalIdentifierJwksUrlOpts(opts)) {
-    method = 'jwks-url'
-  } else if (isExternalIdentifierOidcDiscoveryOpts(opts)) {
-    method = 'oidc-discovery'
-  }
-  throw Error(`External resolution method ${method} is not yet implemented`)
-}
-
-export async function resolveExternalX5cIdentifier(
-  opts: ExternalIdentifierX5cOpts & {
-    crypto?: Crypto
-  },
-  context: IAgentContext<IResolver & IDIDManager>
-): Promise<ExternalIdentifierX5cResult> {
-  if (!isExternalIdentifierX5cOpts(opts)) {
-    return Promise.reject('External x5c Identifier args need to be provided')
-  }
-  const verify = opts.verify ?? true
-  const x5c = opts.identifier
-  if (x5c.length === 0) {
-    return Promise.reject('Empty certification chain is now allowed')
-  }
-  const certificates = x5c.map(pemOrDerToX509Certificate)
-
-  let verificationResult: X509ValidationResult | undefined
-  let issuerJWK: JWK | undefined
-  let jwks: ExternalJwkInfo[] = []
-
-  if (verify) {
-    // We use the agent plugin if it is available as that is more powerful, but revert to the function otherwise
-    if (contextHasPlugin(context, 'verifyCertificateChain')) {
-      verificationResult = (await context.agent.verifyCertificateChain({
-        chain: opts.identifier,
-        trustAnchors: opts.trustAnchors ?? [],
-        verificationTime: opts.verificationTime,
-      })) as X509ValidationResult // We need to cast, as we know this is the value and we do not want to rely on the x509 plugin perse
-    } else {
-      verificationResult = await validateX509CertificateChain({
-        chain: opts.identifier,
-        trustAnchors: opts.trustAnchors ?? [],
-        verificationTime: opts.verificationTime,
-      })
-    }
-    if (verificationResult.certificateChain) {
-      jwks = verificationResult.certificateChain.map((cert) => {
-        return {
-          jwk: cert.publicKeyJWK,
-          kid: cert.subject.dn.DN,
-          jwkThumbprint: calculateJwkThumbprint(cert.publicKeyJWK),
-        } satisfies ExternalJwkInfo
-      })
-    }
-  }
-  if (!jwks) {
-    const cryptoEngine = new CryptoEngine({
-      name: 'identifier_resolver_external',
-      crypto: opts.crypto ?? global.crypto,
-    })
-    setEngine(cryptoEngine.name, cryptoEngine)
-    jwks = await Promise.all(
-      certificates.map(async (cert) => {
-        const pk = await cert.getPublicKey(undefined, cryptoEngine)
-        const jwk = (await cryptoEngine.exportKey('jwk', pk)) as JWK
-        return {
-          jwk,
-          kid: getSubjectDN(cert).DN,
-          jwkThumbprint: calculateJwkThumbprint({ jwk }),
-        } satisfies ExternalJwkInfo
-      })
-    )
-  }
-  if (jwks.length === 0) {
-    return Promise.reject('Empty certification chain is now allowed')
-  }
-  if (!issuerJWK) {
-    issuerJWK = jwks[0].jwk
-  }
-
-  return {
-    method: 'x5c',
-    verificationResult,
-    issuerJWK,
-    jwks,
-    certificates,
-    x5c,
-  }
-}
-
-export async function resolveExternalDidIdentifier(
-  opts: ExternalIdentifierDidOpts,
-  context: IAgentContext<IResolver & IDIDManager>
-): Promise<ExternalIdentifierDidResult> {
-  if (!isExternalIdentifierDidOpts(opts)) {
-    return Promise.reject('External DID Identifier args need to be provided')
-  } else if (!contextHasPlugin<IResolver & IDIDManager>(context, 'resolveDid')) {
-    return Promise.reject(Error(`Cannot get external DID identifier if DID resolver plugin is not enabled!`))
-  }
-  const { uniresolverResolution = false, localResolution = true, resolverResolution = true } = opts
-  const did = opts.identifier
-  let parsed: IParsedDID
-  try {
-    parsed = parseDid(did)
-  } catch (error: unknown) {
-    // Error from did resolution spec
-    return Promise.reject(error)
-  }
-  const didParsed = parsed
-  const didResolutionResult = await getAgentResolver(context, {
-    uniresolverResolution,
-    localResolution,
-    resolverResolution,
-  }).resolve(did)
-  const didDocument = didResolutionResult.didDocument ?? undefined
-  const didJwks = didDocument ? didDocumentToJwks(didDocument) : undefined
-  const jwks = didJwks
-    ? Array.from(new Set(Object.values(didJwks).flatMap((jwks) => jwks))).map((jwk) => {
-        return { jwk, jwkThumbprint: calculateJwkThumbprint({ jwk }), kid: jwk.kid }
-      })
-    : []
-
-  if (didResolutionResult?.didDocument) {
-    // @ts-ignore // Mandatory on the original object, but we already provide it directly
-    delete didResolutionResult['didDocument']
-  }
-  return {
-    method: 'did',
-    did,
-    jwks,
-    didJwks,
-    didDocument,
-    didResolutionResult,
-    didParsed,
-  }
-}
-
-export async function getManagedIdentifier(
-  opts: ManagedIdentifierOpts & {
-    crypto?: Crypto
-  },
-  context: IAgentContext<IKeyManager>
-): Promise<ManagedIdentifierResult> {
-  let { method } = opts
-  let identifier: IIdentifier | undefined = undefined
-  let keys: IKey[] | undefined = undefined
-  let key: IKey | undefined = undefined
-  let certificate: Certificate | undefined = undefined
-  let jwk: JWK | undefined = undefined
-  let jwkThumbprint: string | undefined = undefined
-  let x5c: string[] | undefined
-  let controllerKeyId: string | undefined = undefined
-  let did: string | undefined = undefined
-  const cryptoImpl = opts.crypto ?? crypto
-  if (isManagedIdentifierKidOpts(opts)) {
-    method = 'kid'
-    if (!contextHasKeyManager(context)) {
-      return Promise.reject(Error(`Cannot get Key/JWK identifier if KeyManager plugin is not enabled!`))
-    }
-    key = await context.agent.keyManagerGet({ kid: opts.kmsKeyRef ?? opts.identifier })
-  } else if (isManagedIdentifierDidOpts(opts)) {
-    method = 'did'
-    if (!contextHasDidManager(context)) {
-      return Promise.reject(Error(`Cannot get DID identifier if DID Manager plugin is not enabled!`))
-    }
-
-    if (typeof opts.identifier === 'string') {
-      identifier = await context.agent.didManagerGet({ did: opts.identifier.split('#')[0] })
-    } else {
-      identifier = opts.identifier
-    }
-    if (identifier) {
-      did = identifier.did
-      keys = identifier?.keys // fixme: We really want to return the vmRelationship keys here actually
-      key = await getFirstKeyWithRelation(
-        {
-          ...opts,
-          identifier,
-          vmRelationship: opts.vmRelationship ?? 'verificationMethod',
-        },
-        context
-      )
-      controllerKeyId = identifier.controllerKeyId
-    }
-  } else if (isManagedIdentifierJwkOpts(opts)) {
-    method = 'jwk'
-    if (!contextHasKeyManager(context)) {
-      return Promise.reject(Error(`Cannot get Key/JWK identifier if KeyManager plugin is not enabled!`))
-    }
-    key = await context.agent.keyManagerGet({ kid: opts.kmsKeyRef ?? calculateJwkThumbprint({ jwk: opts.identifier }) })
-  } else if (isManagedIdentifierX5cOpts(opts)) {
-    method = 'x5c'
-    x5c = opts.identifier
-    if (x5c.length === 0) {
-      return Promise.reject(`Cannot resolve x5c when an empty x5c is passed in`)
-    } else if (!contextHasKeyManager(context)) {
-      return Promise.reject(Error(`Cannot get X5c identifier if KeyManager plugin is not enabled!`))
-    }
-    certificate = pemOrDerToX509Certificate(x5c[0])
-    const cryptoEngine = new CryptoEngine({ name: 'identifier_resolver_managed', crypto: cryptoImpl })
-    setEngine(cryptoEngine.name, cryptoEngine)
-    const pk = await certificate.getPublicKey(undefined, cryptoEngine)
-    jwk = (await cryptoEngine.subtle.exportKey('jwk', pk)) as JWK
-    jwkThumbprint = calculateJwkThumbprint({ jwk })
-    key = await context.agent.keyManagerGet({ kid: opts.kmsKeyRef ?? jwkThumbprint })
-  } else {
-    return Promise.reject(Error(`Could not determine identifier method. Please provide explicitly`))
-  }
-  if (!key || (isManagedIdentifierDidOpts(opts) && !identifier)) {
-    console.log(`Cannot find identifier`, opts.identifier)
-    return Promise.reject(`Cannot find identifier ${opts.identifier}`)
-  }
-  jwk = jwk ?? toJwk(key.publicKeyHex, key.type, { key })
-  const thumbprint = jwkThumbprint ?? key.meta?.jwkThumbprint ?? calculateJwkThumbprint({ jwk })
-  return {
-    method,
-    jwk,
-    jwkThumbprint: thumbprint,
-    ...(identifier && { identifier }),
-    ...(did && { did }),
-    ...(controllerKeyId && { controllerKeyId }),
-    ...(keys && { keys }),
-    ...(certificate && { certificate: certificate.toJSON() }),
-    key,
-    kmsKeyRef: key.kid,
-  } as ManagedIdentifierResult
-}
+export * from './managedIdentifierFunctions'
+export * from './externalIdentifierFunctions'