@sphereon/ssi-sdk-ext.identifier-resolution 0.24.1-unstable.93 → 0.25.0

package/src/agent/IdentifierResolution.ts

@@ -1,6 +1,6 @@
 import { IAgentContext, IAgentPlugin, IDIDManager, IKeyManager } from '@veramo/core'
-import { ManagedIdentifierKeyOpts, ManagedIdentifierKeyResult, schema } from '..'
-import { getManagedIdentifier, resolveExternalIdentifier } from '../functions'
+import { schema } from '..'
+import { resolveExternalIdentifier, ensureManagedIdentifierResult } from '../functions'
 import {
   ExternalIdentifierDidOpts,
   ExternalIdentifierDidResult,
@@ -8,17 +8,27 @@ import {
   ExternalIdentifierResult,
   ExternalIdentifierX5cOpts,
   ExternalIdentifierX5cResult,
+  ExternalIdentifierCoseKeyOpts,
+  ExternalIdentifierCoseKeyResult,
+  ExternalIdentifierJwkOpts,
+  ExternalIdentifierJwkResult,
   IIdentifierResolution,
+  ManagedIdentifierCoseKeyOpts,
+  ManagedIdentifierCoseKeyResult,
   ManagedIdentifierDidOpts,
   ManagedIdentifierDidResult,
   ManagedIdentifierJwkOpts,
   ManagedIdentifierJwkResult,
   ManagedIdentifierKidOpts,
   ManagedIdentifierKidResult,
-  ManagedIdentifierOpts,
   ManagedIdentifierResult,
   ManagedIdentifierX5cOpts,
   ManagedIdentifierX5cResult,
+  ManagedIdentifierOID4VCIssuerResult,
+  ManagedIdentifierKeyOpts,
+  ManagedIdentifierKeyResult,
+  ManagedIdentifierOptsOrResult,
+  ManagedIdentifierOID4VCIssuerOpts
 } from '../types'
 
 /**
@@ -35,10 +45,14 @@ export class IdentifierResolution implements IAgentPlugin {
     identifierManagedGetByJwk: this.identifierGetManagedByJwk.bind(this),
     identifierManagedGetByX5c: this.identifierGetManagedByX5c.bind(this),
     identifierManagedGetByKey: this.identifierGetManagedByKey.bind(this),
+    identifierManagedGetByCoseKey: this.identifierGetManagedByCoseKey.bind(this),
+    identifierManagedGetByOID4VCIssuer: this.identifierGetManagedByOID4VCIssuer.bind(this),
 
     identifierExternalResolve: this.identifierResolveExternal.bind(this),
     identifierExternalResolveByDid: this.identifierExternalResolveByDid.bind(this),
     identifierExternalResolveByX5c: this.identifierExternalResolveByX5c.bind(this),
+    identifierExternalResolveByJwk: this.identifierExternalResolveByJwk.bind(this),
+    identifierExternalResolveByCoseKey: this.identifierExternalResolveByCoseKey.bind(this),
 
     // todo: JWKSet, oidc-discovery, oid4vci-issuer etc. Anything we already can resolve and need keys of
   }
@@ -57,30 +71,59 @@ export class IdentifierResolution implements IAgentPlugin {
    * @param context
    * @private
    */
-  private async identifierGetManaged(args: ManagedIdentifierOpts, context: IAgentContext<IKeyManager>): Promise<ManagedIdentifierResult> {
-    return await getManagedIdentifier({ ...args, crypto: this._crypto }, context)
+  private async identifierGetManaged(
+    args: ManagedIdentifierOptsOrResult,
+    context: IAgentContext<IKeyManager & IIdentifierResolution>
+  ): Promise<ManagedIdentifierResult> {
+    return await ensureManagedIdentifierResult({ ...args, crypto: this._crypto }, context)
   }
 
   private async identifierGetManagedByDid(
     args: ManagedIdentifierDidOpts,
-    context: IAgentContext<IKeyManager & IDIDManager>
+    context: IAgentContext<IKeyManager & IDIDManager & IIdentifierResolution>
   ): Promise<ManagedIdentifierDidResult> {
     return (await this.identifierGetManaged({ ...args, method: 'did' }, context)) as ManagedIdentifierDidResult
   }
 
-  private async identifierGetManagedByKid(args: ManagedIdentifierKidOpts, context: IAgentContext<IKeyManager>): Promise<ManagedIdentifierKidResult> {
+  private async identifierGetManagedByKid(
+    args: ManagedIdentifierKidOpts,
+    context: IAgentContext<IKeyManager & IIdentifierResolution>
+  ): Promise<ManagedIdentifierKidResult> {
     return (await this.identifierGetManaged({ ...args, method: 'kid' }, context)) as ManagedIdentifierKidResult
   }
 
-  private async identifierGetManagedByKey(args: ManagedIdentifierKeyOpts, context: IAgentContext<IKeyManager>): Promise<ManagedIdentifierKeyResult> {
+  private async identifierGetManagedByKey(
+    args: ManagedIdentifierKeyOpts,
+    context: IAgentContext<IKeyManager & IIdentifierResolution>
+  ): Promise<ManagedIdentifierKeyResult> {
     return (await this.identifierGetManaged({ ...args, method: 'key' }, context)) as ManagedIdentifierKeyResult
   }
 
-  private async identifierGetManagedByJwk(args: ManagedIdentifierJwkOpts, context: IAgentContext<IKeyManager>): Promise<ManagedIdentifierJwkResult> {
+  private async identifierGetManagedByCoseKey(
+    args: ManagedIdentifierCoseKeyOpts,
+    context: IAgentContext<IKeyManager & IIdentifierResolution>
+  ): Promise<ManagedIdentifierCoseKeyResult> {
+    return (await this.identifierGetManaged({ ...args, method: 'cose_key' }, context)) as ManagedIdentifierCoseKeyResult
+  }
+
+  private async identifierGetManagedByOID4VCIssuer(
+      args: ManagedIdentifierOID4VCIssuerOpts,
+      context: IAgentContext<IKeyManager & IIdentifierResolution>
+  ): Promise<ManagedIdentifierOID4VCIssuerResult> {
+    return (await this.identifierGetManaged({ ...args, method: 'oid4vci-issuer' }, context)) as ManagedIdentifierOID4VCIssuerResult
+  }
+
+  private async identifierGetManagedByJwk(
+      args: ManagedIdentifierJwkOpts,
+      context: IAgentContext<IKeyManager & IIdentifierResolution>
+  ): Promise<ManagedIdentifierJwkResult> {
     return (await this.identifierGetManaged({ ...args, method: 'jwk' }, context)) as ManagedIdentifierJwkResult
   }
 
-  private async identifierGetManagedByX5c(args: ManagedIdentifierX5cOpts, context: IAgentContext<IKeyManager>): Promise<ManagedIdentifierX5cResult> {
+  private async identifierGetManagedByX5c(
+    args: ManagedIdentifierX5cOpts,
+    context: IAgentContext<IKeyManager & IIdentifierResolution>
+  ): Promise<ManagedIdentifierX5cResult> {
     return (await this.identifierGetManaged({ ...args, method: 'x5c' }, context)) as ManagedIdentifierX5cResult
   }
 
@@ -95,4 +138,14 @@ export class IdentifierResolution implements IAgentPlugin {
   private async identifierExternalResolveByX5c(args: ExternalIdentifierX5cOpts, context: IAgentContext<any>): Promise<ExternalIdentifierX5cResult> {
     return (await this.identifierResolveExternal({ ...args, method: 'x5c' }, context)) as ExternalIdentifierX5cResult
   }
+
+  private async identifierExternalResolveByCoseKey(
+    args: ExternalIdentifierCoseKeyOpts,
+    context: IAgentContext<any>
+  ): Promise<ExternalIdentifierCoseKeyResult> {
+    return (await this.identifierResolveExternal({ ...args, method: 'cose_key' }, context)) as ExternalIdentifierCoseKeyResult
+  }
+  private async identifierExternalResolveByJwk(args: ExternalIdentifierJwkOpts, context: IAgentContext<any>): Promise<ExternalIdentifierJwkResult> {
+    return (await this.identifierResolveExternal({ ...args, method: 'jwk' }, context)) as ExternalIdentifierJwkResult
+  }
 }

package/src/functions/LegacySupport.ts

@@ -0,0 +1,54 @@
+import { IIdentifier } from '@veramo/core'
+import { ManagedIdentifierDidOpts, ManagedIdentifierOptsOrResult } from '../types'
+
+/**
+ * Converts legacy id opts key refs to the new ManagedIdentifierOpts
+ * @param opts
+ */
+export function legacyKeyRefsToIdentifierOpts(opts: {
+  idOpts?: ManagedIdentifierOptsOrResult
+  iss?: string
+  keyRef?: string
+  didOpts?: any
+}): ManagedIdentifierOptsOrResult {
+  if (!opts.idOpts) {
+    console.warn(
+      `Legacy idOpts being used. Support will be dropped in the future. Consider switching to the idOpts, to have support for DIDs, JWKS, x5c etc. See https://github.com/Sphereon-Opensource/SSI-SDK-crypto-extensions/tree/feature/multi_identifier_support/packages/identifier-resolution`
+    )
+    // legacy way
+    let kmsKeyRef =
+      opts.keyRef ??
+      opts.didOpts?.idOpts?.kmsKeyRef ??
+      opts.didOpts?.kid ??
+      opts.didOpts.idOpts?.kid ??
+      (typeof opts.didOpts?.idOpts.identifier === 'object' ? (opts.didOpts?.idOpts.identifier as IIdentifier).keys[0].kid : undefined)
+    if (!kmsKeyRef) {
+      throw Error('Key ref is needed for access token signer')
+    }
+    let identifier = (opts.didOpts?.identifier ?? opts.didOpts?.idOpts?.identifier) as IIdentifier | undefined
+
+    return {
+      kmsKeyRef: opts.keyRef ?? kmsKeyRef,
+      identifier: identifier ?? kmsKeyRef,
+      issuer: opts.iss,
+    } satisfies ManagedIdentifierDidOpts
+  } else {
+    const idOpts = opts.idOpts
+    if (opts.keyRef && !idOpts.kmsKeyRef) {
+      // legacy way
+      console.warn(
+        `Legacy keyRef being used. Support will be dropped in the future. Consider switching to the idOpts, to have support for DIDs, JWKS, x5c etc. See https://github.com/Sphereon-Opensource/SSI-SDK-crypto-extensions/tree/feature/multi_identifier_support/packages/identifier-resolution`
+      )
+      idOpts.kmsKeyRef = opts.keyRef
+    }
+    if (opts.iss && !idOpts.issuer) {
+      // legacy way
+      console.warn(
+        `Legacy iss being used. Support will be dropped in the future. Consider switching to the idOpts, to have support for DIDs, JWKS, x5c etc. See https://github.com/Sphereon-Opensource/SSI-SDK-crypto-extensions/tree/feature/multi_identifier_support/packages/identifier-resolution`
+      )
+      idOpts.issuer = opts.iss
+    }
+
+    return idOpts
+  }
+}

package/src/functions/externalIdentifierFunctions.ts

@@ -1,5 +1,5 @@
-import { didDocumentToJwks, getAgentResolver } from '@sphereon/ssi-sdk-ext.did-utils'
-import { calculateJwkThumbprint, JWK } from '@sphereon/ssi-sdk-ext.key-utils'
+import { didDocumentToJwks, getAgentResolver, jwkTtoPublicKeyHex } from '@sphereon/ssi-sdk-ext.did-utils'
+import { calculateJwkThumbprint, coseKeyToJwk } from '@sphereon/ssi-sdk-ext.key-utils'
 import {
   getSubjectDN,
   pemOrDerToX509Certificate,
@@ -8,20 +8,26 @@ import {
   X509ValidationResult,
 } from '@sphereon/ssi-sdk-ext.x509-utils'
 import { contextHasPlugin } from '@sphereon/ssi-sdk.agent-config'
-import { IParsedDID, parseDid } from '@sphereon/ssi-types'
+import { IParsedDID, JWK, parseDid } from '@sphereon/ssi-types'
 import { IAgentContext, IDIDManager, IResolver } from '@veramo/core'
 import { isDefined } from '@veramo/utils'
 import { CryptoEngine, setEngine } from 'pkijs'
 import {
+  ExternalIdentifierCoseKeyOpts,
+  ExternalIdentifierCoseKeyResult,
   ExternalIdentifierDidOpts,
   ExternalIdentifierDidResult,
+  ExternalIdentifierJwkOpts,
+  ExternalIdentifierJwkResult,
   ExternalIdentifierMethod,
   ExternalIdentifierOpts,
   ExternalIdentifierResult,
   ExternalIdentifierX5cOpts,
   ExternalIdentifierX5cResult,
   ExternalJwkInfo,
+  isExternalIdentifierCoseKeyOpts,
   isExternalIdentifierDidOpts,
+  isExternalIdentifierJwkOpts,
   isExternalIdentifierJwksUrlOpts,
   isExternalIdentifierKidOpts,
   isExternalIdentifierOidcDiscoveryOpts,
@@ -39,6 +45,10 @@ export async function resolveExternalIdentifier(
     return resolveExternalDidIdentifier(opts, context)
   } else if (isExternalIdentifierX5cOpts(opts)) {
     return resolveExternalX5cIdentifier(opts, context)
+  } else if (isExternalIdentifierJwkOpts(opts)) {
+    return resolveExternalJwkIdentifier(opts, context)
+  } else if (isExternalIdentifierCoseKeyOpts(opts)) {
+    return resolveExternalCoseKeyIdentifier(opts, context)
   } else if (isExternalIdentifierKidOpts(opts)) {
     method = 'kid'
   } else if (isExternalIdentifierJwksUrlOpts(opts)) {
@@ -61,7 +71,7 @@ export async function resolveExternalX5cIdentifier(
   const verify = opts.verify ?? true
   const x5c = opts.identifier.map((derOrPem) => (derOrPem.includes('CERTIFICATE') ? PEMToDer(derOrPem) : derOrPem))
   if (x5c.length === 0) {
-    return Promise.reject('Empty certification chain is now allowed')
+    return Promise.reject('Empty certification chain is not allowed')
   }
   const certificates = x5c.map(pemOrDerToX509Certificate)
 
@@ -82,6 +92,7 @@ export async function resolveExternalX5cIdentifier(
         chain: opts.identifier,
         trustAnchors: opts.trustAnchors ?? [],
         verificationTime: opts.verificationTime,
+        opts,
       })
     }
     if (verificationResult.certificateChain) {
@@ -90,6 +101,7 @@ export async function resolveExternalX5cIdentifier(
           jwk: cert.publicKeyJWK,
           kid: cert.subject.dn.DN,
           jwkThumbprint: calculateJwkThumbprint({ jwk: cert.publicKeyJWK }),
+          publicKeyHex: jwkTtoPublicKeyHex(cert.publicKeyJWK),
         } satisfies ExternalJwkInfo
       })
     }
@@ -108,6 +120,7 @@ export async function resolveExternalX5cIdentifier(
           jwk,
           kid: getSubjectDN(cert).DN,
           jwkThumbprint: calculateJwkThumbprint({ jwk }),
+          publicKeyHex: jwkTtoPublicKeyHex(jwk),
         } satisfies ExternalJwkInfo
       })
     )
@@ -129,6 +142,78 @@ export async function resolveExternalX5cIdentifier(
   }
 }
 
+/**
+ * Resolves a JWK. Normally this is just returning the JWK, but in case the JWK contains a x5c the chain is validated
+ * @param opts
+ * @param context
+ */
+export async function resolveExternalJwkIdentifier(
+  opts: ExternalIdentifierJwkOpts & {
+    x5c?: ExternalIdentifierX5cOpts
+  },
+  context: IAgentContext<any>
+): Promise<ExternalIdentifierJwkResult> {
+  if (!isExternalIdentifierJwkOpts(opts)) {
+    return Promise.reject('External JWK Identifier args need to be provided')
+  }
+  const jwk = opts.identifier
+  let x5c: ExternalIdentifierX5cResult | undefined = undefined
+  if (jwk.x5c) {
+    x5c = await resolveExternalX5cIdentifier({ ...opts.x5c, identifier: jwk.x5c }, context)
+  }
+  const jwkThumbprint = calculateJwkThumbprint({ jwk })
+  return {
+    method: 'jwk',
+    jwk,
+    jwks: [
+      {
+        jwk,
+        jwkThumbprint,
+        kid: jwk.kid,
+        publicKeyHex: jwkTtoPublicKeyHex(jwk),
+      },
+    ],
+    x5c,
+  } satisfies ExternalIdentifierJwkResult
+}
+
+/**
+ * Resolves a JWK. Normally this is just returning the JWK, but in case the JWK contains a x5c the chain is validated
+ * @param opts
+ * @param context
+ */
+export async function resolveExternalCoseKeyIdentifier(
+  opts: ExternalIdentifierCoseKeyOpts & {
+    x5c?: ExternalIdentifierX5cOpts
+  },
+  context: IAgentContext<any>
+): Promise<ExternalIdentifierCoseKeyResult> {
+  if (!isExternalIdentifierCoseKeyOpts(opts)) {
+    return Promise.reject('External Cose Key args need to be provided')
+  }
+  // TODO: We need to do cbor conversion here as well.
+  const coseKey = opts.identifier
+  let x5c: ExternalIdentifierX5cResult | undefined = undefined
+  if (coseKey.x5chain) {
+    x5c = await resolveExternalX5cIdentifier({ ...opts.x5c, identifier: coseKey.x5chain }, context)
+  }
+  const jwk = coseKeyToJwk(coseKey)
+  const jwkThumbprint = calculateJwkThumbprint({ jwk })
+  return {
+    method: 'cose_key',
+    coseKey,
+    jwks: [
+      {
+        jwk,
+        jwkThumbprint,
+        kid: coseKey.kid,
+        publicKeyHex: jwkTtoPublicKeyHex(jwk),
+      },
+    ],
+    x5c,
+  } satisfies ExternalIdentifierCoseKeyResult
+}
+
 export async function resolveExternalDidIdentifier(
   opts: ExternalIdentifierDidOpts,
   context: IAgentContext<IResolver & IDIDManager>
@@ -163,7 +248,12 @@ export async function resolveExternalDidIdentifier(
             .flatMap((jwks) => jwks)
         )
       ).map((jwk) => {
-        return { jwk, jwkThumbprint: calculateJwkThumbprint({ jwk }), kid: jwk.kid }
+        return {
+          jwk,
+          jwkThumbprint: calculateJwkThumbprint({ jwk }),
+          kid: jwk.kid,
+          publicKeyHex: jwkTtoPublicKeyHex(jwk),
+        }
       })
     : []
 

package/src/functions/index.ts

@@ -1,53 +1,3 @@
-import { IIdentifier } from '@veramo/core'
-import { ManagedIdentifierDidOpts, ManagedIdentifierOpts } from '../types'
-
 export * from './managedIdentifierFunctions'
 export * from './externalIdentifierFunctions'
-
-/**
- * Converts legacy id opts key refs to the new ManagedIdentifierOpts
- * @param opts
- */
-export function legacyKeyRefsToIdentifierOpts(opts: {
-  idOpts?: ManagedIdentifierOpts
-  iss?: string
-  keyRef?: string
-  didOpts?: any
-}): ManagedIdentifierOpts {
-  if (!opts.idOpts) {
-    console.warn(
-      `Legacy idOpts being used. Support will be dropped in the future. Consider switching to the idOpts, to have support for DIDs, JWKS, x5c etc. See https://github.com/Sphereon-Opensource/SSI-SDK-crypto-extensions/tree/feature/multi_identifier_support/packages/identifier-resolution`
-    )
-    // legacy way
-    let kmsKeyRef =
-      opts.keyRef ??
-      opts.didOpts?.idOpts?.kmsKeyRef ??
-      (typeof opts.didOpts?.idOpts.identifier === 'object' ? (opts.didOpts?.idOpts.identifier as IIdentifier).keys[0].kid : undefined)
-    if (!kmsKeyRef) {
-      throw Error('Key ref is needed for access token signer')
-    }
-    return {
-      kmsKeyRef: opts.keyRef ?? kmsKeyRef,
-      identifier: kmsKeyRef,
-      issuer: opts.iss,
-    } satisfies ManagedIdentifierDidOpts
-  } else {
-    const idOpts = opts.idOpts
-    if (opts.keyRef && !idOpts.kmsKeyRef) {
-      // legacy way
-      console.warn(
-        `Legacy keyRef being used. Support will be dropped in the future. Consider switching to the idOpts, to have support for DIDs, JWKS, x5c etc. See https://github.com/Sphereon-Opensource/SSI-SDK-crypto-extensions/tree/feature/multi_identifier_support/packages/identifier-resolution`
-      )
-      idOpts.kmsKeyRef = opts.keyRef
-    }
-    if (opts.iss && !idOpts.issuer) {
-      // legacy way
-      console.warn(
-        `Legacy iss being used. Support will be dropped in the future. Consider switching to the idOpts, to have support for DIDs, JWKS, x5c etc. See https://github.com/Sphereon-Opensource/SSI-SDK-crypto-extensions/tree/feature/multi_identifier_support/packages/identifier-resolution`
-      )
-      idOpts.issuer = opts.iss
-    }
-
-    return idOpts
-  }
-}
+export * from './LegacySupport'