@sphereon/ssi-sdk-ext.identifier-resolution 0.24.1-unstable.92 → 0.25.0

package/src/functions/managedIdentifierFunctions.ts

@@ -1,26 +1,34 @@
-import { IRequiredContext } from '@sphereon/ssi-sdk-ext.did-provider-jwk'
 import { getFirstKeyWithRelation } from '@sphereon/ssi-sdk-ext.did-utils'
-import { calculateJwkThumbprint, JWK, toJwk } from '@sphereon/ssi-sdk-ext.key-utils'
+import { calculateJwkThumbprint, coseKeyToJwk, toJwk } from '@sphereon/ssi-sdk-ext.key-utils'
 import { pemOrDerToX509Certificate } from '@sphereon/ssi-sdk-ext.x509-utils'
 import { contextHasDidManager, contextHasKeyManager } from '@sphereon/ssi-sdk.agent-config'
+import { ICoseKeyJson, JWK } from '@sphereon/ssi-types'
 import { IAgentContext, IIdentifier, IKey, IKeyManager } from '@veramo/core'
 import { CryptoEngine, setEngine } from 'pkijs'
 import {
+  IIdentifierResolution,
+  isManagedIdentifierCoseKeyOpts,
   isManagedIdentifierDidOpts,
   isManagedIdentifierDidResult,
+  isManagedIdentifierOID4VCIssuerOpts,
   isManagedIdentifierJwkOpts,
+  isManagedIdentifierJwkResult,
   isManagedIdentifierKeyOpts,
+  isManagedIdentifierKeyResult,
   isManagedIdentifierKidOpts,
   isManagedIdentifierX5cOpts,
+  ManagedIdentifierCoseKeyOpts,
+  ManagedIdentifierCoseKeyResult,
   ManagedIdentifierDidOpts,
   ManagedIdentifierDidResult,
+  ManagedIdentifierOID4VCIssuerOpts,
+  ManagedIdentifierOID4VCIssuerResult,
   ManagedIdentifierJwkOpts,
   ManagedIdentifierJwkResult,
   ManagedIdentifierKeyOpts,
   ManagedIdentifierKeyResult,
   ManagedIdentifierKidOpts,
   ManagedIdentifierKidResult,
-  ManagedIdentifierOpts,
   ManagedIdentifierOptsOrResult,
   ManagedIdentifierResult,
   ManagedIdentifierX5cOpts,
@@ -34,6 +42,8 @@ export async function getManagedKidIdentifier(
   const method = 'kid'
   if (!contextHasKeyManager(context)) {
     return Promise.reject(Error(`Cannot get Key/JWK identifier if KeyManager plugin is not enabled!`))
+  } else if (opts.identifier.startsWith('did:')) {
+    return Promise.reject(Error(`managed kid resolution called but a did url was passed in. Please call the did resolution method`))
   }
   const key = await context.agent.keyManagerGet({ kid: opts.kmsKeyRef ?? opts.identifier })
   const jwk = toJwk(key.publicKeyHex, key.type, { key })
@@ -43,27 +53,39 @@ export async function getManagedKidIdentifier(
   return {
     method,
     key,
+    identifier: opts.identifier,
     jwk,
     jwkThumbprint,
     kid,
+    clientId: opts.clientId,
+    clientIdScheme: opts.clientIdScheme,
     issuer,
     kmsKeyRef: key.kid,
     opts,
   } satisfies ManagedIdentifierKidResult
 }
 
+export function isManagedIdentifierResult(
+  identifier: ManagedIdentifierOptsOrResult & {
+    crypto?: Crypto
+  }
+): identifier is ManagedIdentifierResult {
+  return 'key' in identifier && 'kmsKeyRef' in identifier && 'method' in identifier && 'opts' in identifier && 'jwkThumbprint' in identifier
+}
+
 /**
  * Allows to get a managed identifier result in case identifier options are passed in, but returns the identifier directly in case results are passed in. This means resolution can have happened before, or happens in this method
  * @param identifier
  * @param context
  */
 export async function ensureManagedIdentifierResult(
-  identifier: ManagedIdentifierOptsOrResult,
-  context: IRequiredContext
+  identifier: ManagedIdentifierOptsOrResult & {
+    crypto?: Crypto
+  },
+  context: IAgentContext<IKeyManager>
 ): Promise<ManagedIdentifierResult> {
-  return 'key' in identifier && 'kmsKeyRef' in identifier && 'method' in identifier && !('identifier' in identifier)
-    ? identifier
-    : await context.agent.identifierManagedGet(identifier)
+  const { lazyDisabled = false } = identifier
+  return !lazyDisabled && isManagedIdentifierResult(identifier) ? identifier : await getManagedIdentifier(identifier, context)
 }
 
 /**
@@ -84,15 +106,52 @@ export async function getManagedKeyIdentifier(opts: ManagedIdentifierKeyOpts, _c
   return {
     method,
     key,
+    identifier: key,
     jwk,
     jwkThumbprint,
     kid,
     issuer,
     kmsKeyRef: key.kid,
+    clientId: opts.clientId,
+    clientIdScheme: opts.clientIdScheme,
     opts,
   } satisfies ManagedIdentifierKeyResult
 }
 
+/**
+ * This function is just a convenience function to get a common result. The user already apparently had a key, so could have called the kid version as well
+ * @param opts
+ * @param context
+ */
+export async function getManagedCoseKeyIdentifier(
+  opts: ManagedIdentifierCoseKeyOpts,
+  context: IAgentContext<any>
+): Promise<ManagedIdentifierCoseKeyResult> {
+  const method = 'cose_key'
+  const coseKey: ICoseKeyJson = opts.identifier
+  if (!contextHasKeyManager(context)) {
+    return Promise.reject(Error(`Cannot get Cose Key identifier if KeyManager plugin is not enabled!`))
+  }
+  const jwk = coseKeyToJwk(coseKey)
+  const jwkThumbprint = calculateJwkThumbprint({ jwk })
+  const key = await context.agent.keyManagerGet({ kid: opts.kmsKeyRef ?? jwkThumbprint })
+  const kid = opts.kid ?? coseKey.kid ?? jwkThumbprint
+  const issuer = opts.issuer
+  return {
+    method,
+    key,
+    identifier: opts.identifier,
+    jwk,
+    jwkThumbprint,
+    kid,
+    issuer,
+    kmsKeyRef: key.kid,
+    clientId: opts.clientId,
+    clientIdScheme: opts.clientIdScheme,
+    opts,
+  } satisfies ManagedIdentifierCoseKeyResult
+}
+
 export async function getManagedDidIdentifier(opts: ManagedIdentifierDidOpts, context: IAgentContext<any>): Promise<ManagedIdentifierDidResult> {
   const method = 'did'
   if (!contextHasDidManager(context)) {
@@ -139,6 +198,8 @@ export async function getManagedDidIdentifier(opts: ManagedIdentifierDidOpts, co
     keys,
     issuer,
     identifier,
+    clientId: opts.clientId,
+    clientIdScheme: opts.clientIdScheme,
     opts,
   }
 }
@@ -160,10 +221,13 @@ export async function getManagedJwkIdentifier(
     method,
     key,
     kmsKeyRef: key.kid,
+    identifier: jwk,
     jwk,
     jwkThumbprint,
     kid,
     issuer,
+    clientId: opts.clientId,
+    clientIdScheme: opts.clientIdScheme,
     opts,
   } satisfies ManagedIdentifierJwkResult
 }
@@ -195,6 +259,7 @@ export async function getManagedX5cIdentifier(
   return {
     method,
     x5c,
+    identifier: x5c,
     certificate,
     jwk,
     jwkThumbprint,
@@ -202,17 +267,65 @@ export async function getManagedX5cIdentifier(
     kmsKeyRef: key.kid,
     kid,
     issuer,
+    clientId: opts.clientId,
+    clientIdScheme: opts.clientIdScheme,
     opts,
   } satisfies ManagedIdentifierX5cResult
 }
 
+export async function getManagedOID4VCIssuerIdentifier(
+    opts: ManagedIdentifierOID4VCIssuerOpts,
+    context: IAgentContext<IKeyManager>
+): Promise<ManagedIdentifierOID4VCIssuerResult> {
+  const { identifier } = opts
+  const method = 'oid4vci-issuer'
+  // FIXME: We need to eventually determine the JWK based on the issuer. Using a dummy JWK for now
+  const jwk = {
+    "kty" : "RSA",
+    "kid" : "dummy-jwk-for-vci-issuer-signing",
+    "use" : "sig",
+    "n"   : "pjdss8ZaDfEH6K6U7GeW2nxDqR4IP049fk1fK0lndimbMMVBdPv_hSpm8T8EtBDxrUdi1OHZfMhUixGaut-3nQ4GG9nM249oxhCtxqqNvEXrmQRGqczyLxuh-fKn9Fg--hS9UpazHpfVAFnB5aCfXoNhPuI8oByyFKMKaOVgHNqP5NBEqabiLftZD3W_lsFCPGuzr4Vp0YS7zS2hDYScC2oOMu4rGU1LcMZf39p3153Cq7bS2Xh6Y-vw5pwzFYZdjQxDn8x8BG3fJ6j8TGLXQsbKH1218_HcUJRvMwdpbUQG5nvA2GXVqLqdwp054Lzk9_B_f1lVrmOKuHjTNHq48w",
+    "e"   : "AQAB",
+    "d"   : "ksDmucdMJXkFGZxiomNHnroOZxe8AmDLDGO1vhs-POa5PZM7mtUPonxwjVmthmpbZzla-kg55OFfO7YcXhg-Hm2OWTKwm73_rLh3JavaHjvBqsVKuorX3V3RYkSro6HyYIzFJ1Ek7sLxbjDRcDOj4ievSX0oN9l-JZhaDYlPlci5uJsoqro_YrE0PRRWVhtGynd-_aWgQv1YzkfZuMD-hJtDi1Im2humOWxA4eZrFs9eG-whXcOvaSwO4sSGbS99ecQZHM2TcdXeAs1PvjVgQ_dKnZlGN3lTWoWfQP55Z7Tgt8Nf1q4ZAKd-NlMe-7iqCFfsnFwXjSiaOa2CRGZn-Q",
+    "p"   : "4A5nU4ahEww7B65yuzmGeCUUi8ikWzv1C81pSyUKvKzu8CX41hp9J6oRaLGesKImYiuVQK47FhZ--wwfpRwHvSxtNU9qXb8ewo-BvadyO1eVrIk4tNV543QlSe7pQAoJGkxCia5rfznAE3InKF4JvIlchyqs0RQ8wx7lULqwnn0",
+    "q"   : "ven83GM6SfrmO-TBHbjTk6JhP_3CMsIvmSdo4KrbQNvp4vHO3w1_0zJ3URkmkYGhz2tgPlfd7v1l2I6QkIh4Bumdj6FyFZEBpxjE4MpfdNVcNINvVj87cLyTRmIcaGxmfylY7QErP8GFA-k4UoH_eQmGKGK44TRzYj5hZYGWIC8",
+    "dp"  : "lmmU_AG5SGxBhJqb8wxfNXDPJjf__i92BgJT2Vp4pskBbr5PGoyV0HbfUQVMnw977RONEurkR6O6gxZUeCclGt4kQlGZ-m0_XSWx13v9t9DIbheAtgVJ2mQyVDvK4m7aRYlEceFh0PsX8vYDS5o1txgPwb3oXkPTtrmbAGMUBpE",
+    "dq"  : "mxRTU3QDyR2EnCv0Nl0TCF90oliJGAHR9HJmBe__EjuCBbwHfcT8OG3hWOv8vpzokQPRl5cQt3NckzX3fs6xlJN4Ai2Hh2zduKFVQ2p-AF2p6Yfahscjtq-GY9cB85NxLy2IXCC0PF--Sq9LOrTE9QV988SJy_yUrAjcZ5MmECk",
+    "qi"  : "ldHXIrEmMZVaNwGzDF9WG8sHj2mOZmQpw9yrjLK9hAsmsNr5LTyqWAqJIYZSwPTYWhY4nu2O0EY9G9uYiqewXfCKw_UngrJt8Xwfq1Zruz0YY869zPN4GiE9-9rzdZB33RBw8kIOquY3MK74FMwCihYx_LiU2YTHkaoJ3ncvtvg"
+  } as JWK
+  const jwkThumbprint = calculateJwkThumbprint({ jwk })
+
+  const key = {
+    kid: 'dummy-key-for-vci-issuer-signing',
+    kms: 'local',
+    type: "RSA",
+    publicKeyHex: '9a3f75b2e4d8b91128fc6e9a8f6782e5a4f1cba3718e58b5d0a789d6e5f52b3a'
+  } as IKey
+
+  return {
+    method,
+    identifier,
+    jwk,
+    jwkThumbprint,
+    key, // FIXME: We need construct a key as soon as we have the external VCI Issuer resolution
+    kmsKeyRef: identifier, // FIXME: We need use kmsKeyRef as soon as we have the external VCI Issuer resolution
+    issuer: identifier.replace('/.well-known/openid-credential-issuer', ''),
+    clientId: opts.clientId,
+    clientIdScheme: opts.clientIdScheme,
+    opts,
+  } satisfies ManagedIdentifierOID4VCIssuerResult
+}
+
 export async function getManagedIdentifier(
-  opts: ManagedIdentifierOpts & {
+  opts: ManagedIdentifierOptsOrResult & {
     crypto?: Crypto
   },
   context: IAgentContext<IKeyManager>
 ): Promise<ManagedIdentifierResult> {
   let resolutionResult: ManagedIdentifierResult
+  if (isManagedIdentifierResult(opts)) {
+    opts
+  }
   if (isManagedIdentifierKidOpts(opts)) {
     resolutionResult = await getManagedKidIdentifier(opts, context)
   } else if (isManagedIdentifierDidOpts(opts)) {
@@ -223,13 +336,48 @@ export async function getManagedIdentifier(
     resolutionResult = await getManagedX5cIdentifier(opts, context)
   } else if (isManagedIdentifierKeyOpts(opts)) {
     resolutionResult = await getManagedKeyIdentifier(opts, context)
+  } else if (isManagedIdentifierCoseKeyOpts(opts)) {
+    resolutionResult = await getManagedCoseKeyIdentifier(opts, context)
+  } else if (isManagedIdentifierOID4VCIssuerOpts(opts)) {
+    resolutionResult = await getManagedOID4VCIssuerIdentifier(opts, context)
   } else {
     return Promise.reject(Error(`Could not determine identifier method. Please provide explicitly`))
   }
   const { key } = resolutionResult
-  if (!key || (isManagedIdentifierDidOpts(opts) && isManagedIdentifierDidResult(resolutionResult) && !resolutionResult.identifier)) {
+  if ((!key && !isManagedIdentifierOID4VCIssuerOpts(opts)) || (isManagedIdentifierDidOpts(opts) && isManagedIdentifierDidResult(resolutionResult) && !resolutionResult.identifier)) {
     console.log(`Cannot find identifier`, opts.identifier)
     return Promise.reject(`Cannot find identifier ${opts.identifier}`)
   }
   return resolutionResult
 }
+
+export async function managedIdentifierToKeyResult(
+  identifier: ManagedIdentifierOptsOrResult,
+  context: IAgentContext<IIdentifierResolution & IKeyManager>
+): Promise<ManagedIdentifierKeyResult> {
+  const resolved = await ensureManagedIdentifierResult(identifier, context)
+  if (isManagedIdentifierKeyResult(resolved)) {
+    return resolved
+  }
+
+  return {
+    ...resolved,
+    method: 'key',
+    identifier: resolved.key,
+  } satisfies ManagedIdentifierKeyResult
+}
+
+export async function managedIdentifierToJwk(
+  identifier: ManagedIdentifierOptsOrResult,
+  context: IAgentContext<IIdentifierResolution & IKeyManager>
+): Promise<ManagedIdentifierJwkResult> {
+  const resolved = await ensureManagedIdentifierResult(identifier, context)
+  if (isManagedIdentifierJwkResult(resolved)) {
+    return resolved
+  }
+  return {
+    ...resolved,
+    method: 'jwk',
+    identifier: resolved.jwk,
+  } satisfies ManagedIdentifierJwkResult
+}

package/src/types/IIdentifierResolution.ts

@@ -1,27 +1,52 @@
 import { IAgentContext, IDIDManager, IKeyManager, IPluginMethodMap } from '@veramo/core'
 import {
+  ExternalIdentifierCoseKeyOpts,
+  ExternalIdentifierCoseKeyResult,
   ExternalIdentifierDidOpts,
   ExternalIdentifierDidResult,
+  ExternalIdentifierJwkOpts,
+  ExternalIdentifierJwkResult,
   ExternalIdentifierOpts,
   ExternalIdentifierResult,
   ExternalIdentifierX5cOpts,
   ExternalIdentifierX5cResult,
 } from './externalIdentifierTypes'
 import {
+  ManagedIdentifierCoseKeyOpts,
+  ManagedIdentifierCoseKeyResult,
   ManagedIdentifierDidOpts,
   ManagedIdentifierDidResult,
+  ManagedIdentifierOID4VCIssuerOpts,
+  ManagedIdentifierOID4VCIssuerResult,
   ManagedIdentifierJwkOpts,
   ManagedIdentifierJwkResult,
   ManagedIdentifierKeyOpts,
   ManagedIdentifierKeyResult,
   ManagedIdentifierKidOpts,
   ManagedIdentifierKidResult,
-  ManagedIdentifierOpts,
+  ManagedIdentifierOptsOrResult,
   ManagedIdentifierResult,
   ManagedIdentifierX5cOpts,
   ManagedIdentifierX5cResult,
 } from './managedIdentifierTypes'
 
+// Exposing the methods here for any REST implementation
+export const identifierResolutionContextMethods: Array<string> = [
+  'identifierManagedGet',
+  'identifierManagedGetByDid',
+  'identifierManagedGetByKid',
+  'identifierManagedGetByJwk',
+  'identifierManagedGetByX5c',
+  'identifierManagedGetByKey',
+  'identifierManagedGetByOID4VCIssuer',
+  'identifierGetManagedByCoseKey',
+  'identifierExternalResolve',
+  'identifierExternalResolveByDid',
+  'identifierExternalResolveByX5c',
+  'identifierExternalResolveByJwk',
+  'identifierExternalResolveByCoseKey',
+]
+
 /**
  * @public
  */
@@ -30,11 +55,15 @@ export interface IIdentifierResolution extends IPluginMethodMap {
    * Main method for managed identifiers. We always go through this method (also the others) as we want to integrate a plugin for anomaly detection. Having a single method helps
    *
    * The end result of all these methods is a common baseline response that allows to use a key from the registered KMS systems. It also provides kid and iss(uer) values that can be used in a JWT/JWS for instance
+   * Allows to get a managed identifier result in case identifier options are passed in, but returns the identifier directly in case results are passed in. This means resolution can have happened before, or happens in this method
+   *
+   * We use the opts or result type almost everywhere, as it allows for just in time resolution whenever this method is called and afterwards we have the result, so resolution doesn't have to hit the DB, or external endpoints.
+   * Also use this method in the local agent, not using REST. If case the identifier needs to be resolved, you can always have the above methods using REST
    * @param args
    * @param context
    * @public
    */
-  identifierManagedGet(args: ManagedIdentifierOpts, context: IAgentContext<IKeyManager>): Promise<ManagedIdentifierResult>
+  identifierManagedGet(args: ManagedIdentifierOptsOrResult, context: IAgentContext<IKeyManager>): Promise<ManagedIdentifierResult>
 
   identifierManagedGetByDid(args: ManagedIdentifierDidOpts, context: IAgentContext<IKeyManager & IDIDManager>): Promise<ManagedIdentifierDidResult>
 
@@ -46,6 +75,13 @@ export interface IIdentifierResolution extends IPluginMethodMap {
 
   identifierManagedGetByKey(args: ManagedIdentifierKeyOpts, context: IAgentContext<IKeyManager>): Promise<ManagedIdentifierKeyResult>
 
+  identifierManagedGetByCoseKey(
+    args: ManagedIdentifierCoseKeyOpts,
+    context: IAgentContext<IKeyManager & IIdentifierResolution>
+  ): Promise<ManagedIdentifierCoseKeyResult>
+
+  identifierManagedGetByOID4VCIssuer(args: ManagedIdentifierOID4VCIssuerOpts, context: IAgentContext<any>): Promise<ManagedIdentifierOID4VCIssuerResult>
+
   // TODO: We can create a custom managed identifier method allowing developers to register a callback function to get their implementation hooked up. Needs more investigation as it would also impact the KMS
 
   /**
@@ -58,5 +94,9 @@ export interface IIdentifierResolution extends IPluginMethodMap {
 
   identifierExternalResolveByDid(args: ExternalIdentifierDidOpts, context: IAgentContext<any>): Promise<ExternalIdentifierDidResult>
 
+  identifierExternalResolveByJwk(args: ExternalIdentifierJwkOpts, context: IAgentContext<any>): Promise<ExternalIdentifierJwkResult>
+
+  identifierExternalResolveByCoseKey(args: ExternalIdentifierCoseKeyOpts, context: IAgentContext<any>): Promise<ExternalIdentifierCoseKeyResult>
+
   identifierExternalResolveByX5c(args: ExternalIdentifierX5cOpts, context: IAgentContext<any>): Promise<ExternalIdentifierX5cResult>
 }

package/src/types/common.ts

@@ -1,4 +1,4 @@
-import { JWK } from '@sphereon/ssi-sdk-ext.key-utils'
+import { ICoseKeyJson, JWK } from '@sphereon/ssi-types'
 import { IIdentifier, IKey } from '@veramo/core'
 import { ExternalIdentifierType } from './externalIdentifierTypes'
 import { ManagedIdentifierType } from './managedIdentifierTypes'
@@ -29,7 +29,11 @@ export function isJwksUrlIdentifier(identifier: ManagedIdentifierType | External
 }
 
 export function isKidIdentifier(identifier: ManagedIdentifierType | ExternalIdentifierType): identifier is string {
-  return typeof identifier === 'string' && !identifier.startsWith('did:')
+  return typeof identifier === 'string' && !identifier.startsWith('did:') && !identifier.startsWith('http')
+}
+
+export function isOID4VCIssuerIdentifier(identifier: ManagedIdentifierType | ExternalIdentifierType): identifier is string {
+  return typeof identifier === 'string' && identifier.startsWith('http') && identifier.endsWith('/.well-known/openid-credential-issuer')
 }
 
 export function isKeyIdentifier(identifier: ManagedIdentifierType): identifier is IKey {
@@ -42,6 +46,10 @@ export function isKeyIdentifier(identifier: ManagedIdentifierType): identifier i
   )
 }
 
+export function isCoseKeyIdentifier(identifier: ManagedIdentifierType): identifier is ICoseKeyJson {
+  return typeof identifier === 'object' && `kty` in identifier && ('baseIV' in identifier || 'x5chain' in identifier) && !('x5c' in identifier)
+}
+
 export function isX5cIdentifier(identifier: ManagedIdentifierType | ExternalIdentifierType): identifier is string[] {
   return Array.isArray(identifier) && identifier.length > 0 // todo: Do we want to do additional validation? We know it must be DER and thus hex for instance
 }

package/src/types/externalIdentifierTypes.ts

@@ -1,9 +1,18 @@
 import { DidDocumentJwks } from '@sphereon/ssi-sdk-ext.did-utils'
-import { JWK } from '@sphereon/ssi-sdk-ext.key-utils'
-import { X509ValidationResult } from '@sphereon/ssi-sdk-ext.x509-utils'
+import { ICoseKeyJson, JWK } from '@sphereon/ssi-types'
+import { X509CertificateChainValidationOpts, X509ValidationResult } from '@sphereon/ssi-sdk-ext.x509-utils'
 import { IParsedDID } from '@sphereon/ssi-types'
 import { DIDDocument, DIDDocumentSection, DIDResolutionResult } from '@veramo/core'
-import { isDidIdentifier, isJwkIdentifier, isJwksUrlIdentifier, isKidIdentifier, isOidcDiscoveryIdentifier, isX5cIdentifier, JwkInfo } from './common'
+import {
+  isCoseKeyIdentifier,
+  isDidIdentifier,
+  isJwkIdentifier,
+  isJwksUrlIdentifier,
+  isKidIdentifier,
+  isOidcDiscoveryIdentifier,
+  isX5cIdentifier,
+  JwkInfo,
+} from './common'
 
 /**
  * Use whenever we need to resolve an external identifier. We can pass in kids, DIDs, and x5chains
@@ -32,7 +41,13 @@ export function isExternalIdentifierDidOpts(opts: ExternalIdentifierOptsBase): o
   return ('method' in opts && opts.method === 'did') || isDidIdentifier(identifier)
 }
 
-export type ExternalIdentifierOpts = (ExternalIdentifierJwkOpts | ExternalIdentifierX5cOpts | ExternalIdentifierDidOpts | ExternalIdentifierKidOpts) &
+export type ExternalIdentifierOpts = (
+  | ExternalIdentifierJwkOpts
+  | ExternalIdentifierX5cOpts
+  | ExternalIdentifierDidOpts
+  | ExternalIdentifierKidOpts
+  | ExternalIdentifierCoseKeyOpts
+) &
   ExternalIdentifierOptsBase
 
 export type ExternalIdentifierKidOpts = Omit<ExternalIdentifierOptsBase, 'method'> & {
@@ -48,6 +63,7 @@ export function isExternalIdentifierKidOpts(opts: ExternalIdentifierOptsBase): o
 export type ExternalIdentifierJwkOpts = Omit<ExternalIdentifierOptsBase, 'method'> & {
   method?: 'jwk'
   identifier: JWK
+  x5c?: ExternalIdentifierX5cOpts
 }
 
 export function isExternalIdentifierJwkOpts(opts: ExternalIdentifierOptsBase): opts is ExternalIdentifierJwkOpts {
@@ -55,6 +71,16 @@ export function isExternalIdentifierJwkOpts(opts: ExternalIdentifierOptsBase): o
   return ('method' in opts && opts.method === 'jwk') || isJwkIdentifier(identifier)
 }
 
+export type ExternalIdentifierCoseKeyOpts = Omit<ExternalIdentifierOptsBase, 'method'> & {
+  method?: 'cose_key'
+  identifier: ICoseKeyJson
+}
+
+export function isExternalIdentifierCoseKeyOpts(opts: ExternalIdentifierOptsBase): opts is ExternalIdentifierCoseKeyOpts {
+  const { identifier } = opts
+  return ('method' in opts && opts.method === 'cose_key') || isCoseKeyIdentifier(identifier)
+}
+
 export type ExternalIdentifierOidcDiscoveryOpts = Omit<ExternalIdentifierOptsBase, 'method'> & {
   method?: 'oidc-discovery'
   identifier: string
@@ -75,28 +101,42 @@ export function isExternalIdentifierJwksUrlOpts(opts: ExternalIdentifierOptsBase
   return ('method' in opts && opts.method === 'oidc-discovery') || isJwksUrlIdentifier(identifier)
 }
 
-export type ExternalIdentifierX5cOpts = Omit<ExternalIdentifierOptsBase, 'method'> & {
-  method?: 'x5c'
-  identifier: string[]
-  verify?: boolean // defaults to true
-  verificationTime?: Date
-  trustAnchors?: string[]
-}
+export type ExternalIdentifierX5cOpts = Omit<ExternalIdentifierOptsBase, 'method'> &
+  X509CertificateChainValidationOpts & {
+    method?: 'x5c'
+    identifier: string[]
+    verify?: boolean // defaults to true
+    verificationTime?: Date
+    trustAnchors?: string[]
+  }
 
 export function isExternalIdentifierX5cOpts(opts: ExternalIdentifierOptsBase): opts is ExternalIdentifierX5cOpts {
   const { identifier } = opts
   return ('method' in opts && opts.method === 'x5c') || isX5cIdentifier(identifier)
 }
 
-export type ExternalIdentifierMethod = 'did' | 'jwk' | 'x5c' | 'kid' | 'oidc-discovery' | 'jwks-url' | 'oid4vci-issuer'
+export type ExternalIdentifierMethod = 'did' | 'jwk' | 'x5c' | 'kid' | 'cose_key' | 'oidc-discovery' | 'jwks-url' | 'oid4vci-issuer'
 
-export type ExternalIdentifierResult = ExternalIdentifierDidResult | ExternalIdentifierX5cResult
+export type ExternalIdentifierResult = IExternalIdentifierResultBase &
+  (ExternalIdentifierDidResult | ExternalIdentifierX5cResult | ExternalIdentifierJwkResult | ExternalIdentifierCoseKeyResult)
 
 export interface IExternalIdentifierResultBase {
   method: ExternalIdentifierMethod
   jwks: Array<ExternalJwkInfo>
 }
 
+export interface ExternalIdentifierJwkResult extends IExternalIdentifierResultBase {
+  method: 'jwk'
+  jwk: JWK
+  x5c?: ExternalIdentifierX5cResult
+}
+
+export interface ExternalIdentifierCoseKeyResult extends IExternalIdentifierResultBase {
+  method: 'cose_key'
+  coseKey: ICoseKeyJson
+  x5c?: ExternalIdentifierX5cResult
+}
+
 export interface ExternalIdentifierX5cResult extends IExternalIdentifierResultBase {
   method: 'x5c'
   x5c: string[]
@@ -107,6 +147,7 @@ export interface ExternalIdentifierX5cResult extends IExternalIdentifierResultBa
 
 export interface ExternalJwkInfo extends JwkInfo {
   kid?: string
+  publicKeyHex: string
 }
 
 export interface ExternalIdentifierDidResult extends IExternalIdentifierResultBase {