@sphereon/ssi-sdk-ext.identifier-resolution 0.24.1-unstable.93 → 0.25.1-feature.OIDF.69.39

package/src/agent/IdentifierResolution.ts

@@ -1,6 +1,7 @@
 import { IAgentContext, IAgentPlugin, IDIDManager, IKeyManager } from '@veramo/core'
-import { ManagedIdentifierKeyOpts, ManagedIdentifierKeyResult, schema } from '..'
-import { getManagedIdentifier, resolveExternalIdentifier } from '../functions'
+import { ExternalIdentifierOIDFEntityIdOpts, ExternalIdentifierOIDFEntityIdResult } from '../types'
+import { schema } from '..'
+import { resolveExternalIdentifier, ensureManagedIdentifierResult } from '../functions'
 import {
   ExternalIdentifierDidOpts,
   ExternalIdentifierDidResult,
@@ -8,18 +9,29 @@ import {
   ExternalIdentifierResult,
   ExternalIdentifierX5cOpts,
   ExternalIdentifierX5cResult,
+  ExternalIdentifierCoseKeyOpts,
+  ExternalIdentifierCoseKeyResult,
+  ExternalIdentifierJwkOpts,
+  ExternalIdentifierJwkResult,
   IIdentifierResolution,
+  ManagedIdentifierCoseKeyOpts,
+  ManagedIdentifierCoseKeyResult,
   ManagedIdentifierDidOpts,
   ManagedIdentifierDidResult,
   ManagedIdentifierJwkOpts,
   ManagedIdentifierJwkResult,
   ManagedIdentifierKidOpts,
   ManagedIdentifierKidResult,
-  ManagedIdentifierOpts,
   ManagedIdentifierResult,
   ManagedIdentifierX5cOpts,
   ManagedIdentifierX5cResult,
+  ManagedIdentifierOID4VCIssuerResult,
+  ManagedIdentifierKeyOpts,
+  ManagedIdentifierKeyResult,
+  ManagedIdentifierOptsOrResult,
+  ManagedIdentifierOID4VCIssuerOpts
 } from '../types'
+import { IOIDFClient } from '@sphereon/ssi-sdk.oidf-client'
 
 /**
  * @public
@@ -35,10 +47,15 @@ export class IdentifierResolution implements IAgentPlugin {
     identifierManagedGetByJwk: this.identifierGetManagedByJwk.bind(this),
     identifierManagedGetByX5c: this.identifierGetManagedByX5c.bind(this),
     identifierManagedGetByKey: this.identifierGetManagedByKey.bind(this),
+    identifierManagedGetByCoseKey: this.identifierGetManagedByCoseKey.bind(this),
+    identifierManagedGetByOID4VCIssuer: this.identifierGetManagedByOID4VCIssuer.bind(this),
 
     identifierExternalResolve: this.identifierResolveExternal.bind(this),
     identifierExternalResolveByDid: this.identifierExternalResolveByDid.bind(this),
     identifierExternalResolveByX5c: this.identifierExternalResolveByX5c.bind(this),
+    identifierExternalResolveByJwk: this.identifierExternalResolveByJwk.bind(this),
+    identifierExternalResolveByCoseKey: this.identifierExternalResolveByCoseKey.bind(this),
+    identifierExternalResolveByOIDFEntityId: this.identifierExternalResolveByOIDFEntityId.bind(this),
 
     // todo: JWKSet, oidc-discovery, oid4vci-issuer etc. Anything we already can resolve and need keys of
   }
@@ -57,34 +74,63 @@ export class IdentifierResolution implements IAgentPlugin {
    * @param context
    * @private
    */
-  private async identifierGetManaged(args: ManagedIdentifierOpts, context: IAgentContext<IKeyManager>): Promise<ManagedIdentifierResult> {
-    return await getManagedIdentifier({ ...args, crypto: this._crypto }, context)
+  private async identifierGetManaged(
+    args: ManagedIdentifierOptsOrResult,
+    context: IAgentContext<IKeyManager & IIdentifierResolution>
+  ): Promise<ManagedIdentifierResult> {
+    return await ensureManagedIdentifierResult({ ...args, crypto: this._crypto }, context)
   }
 
   private async identifierGetManagedByDid(
     args: ManagedIdentifierDidOpts,
-    context: IAgentContext<IKeyManager & IDIDManager>
+    context: IAgentContext<IKeyManager & IDIDManager & IIdentifierResolution>
   ): Promise<ManagedIdentifierDidResult> {
     return (await this.identifierGetManaged({ ...args, method: 'did' }, context)) as ManagedIdentifierDidResult
   }
 
-  private async identifierGetManagedByKid(args: ManagedIdentifierKidOpts, context: IAgentContext<IKeyManager>): Promise<ManagedIdentifierKidResult> {
+  private async identifierGetManagedByKid(
+    args: ManagedIdentifierKidOpts,
+    context: IAgentContext<IKeyManager & IIdentifierResolution>
+  ): Promise<ManagedIdentifierKidResult> {
     return (await this.identifierGetManaged({ ...args, method: 'kid' }, context)) as ManagedIdentifierKidResult
   }
 
-  private async identifierGetManagedByKey(args: ManagedIdentifierKeyOpts, context: IAgentContext<IKeyManager>): Promise<ManagedIdentifierKeyResult> {
+  private async identifierGetManagedByKey(
+    args: ManagedIdentifierKeyOpts,
+    context: IAgentContext<IKeyManager & IIdentifierResolution>
+  ): Promise<ManagedIdentifierKeyResult> {
     return (await this.identifierGetManaged({ ...args, method: 'key' }, context)) as ManagedIdentifierKeyResult
   }
 
-  private async identifierGetManagedByJwk(args: ManagedIdentifierJwkOpts, context: IAgentContext<IKeyManager>): Promise<ManagedIdentifierJwkResult> {
+  private async identifierGetManagedByCoseKey(
+    args: ManagedIdentifierCoseKeyOpts,
+    context: IAgentContext<IKeyManager & IIdentifierResolution>
+  ): Promise<ManagedIdentifierCoseKeyResult> {
+    return (await this.identifierGetManaged({ ...args, method: 'cose_key' }, context)) as ManagedIdentifierCoseKeyResult
+  }
+
+  private async identifierGetManagedByOID4VCIssuer(
+      args: ManagedIdentifierOID4VCIssuerOpts,
+      context: IAgentContext<IKeyManager & IIdentifierResolution>
+  ): Promise<ManagedIdentifierOID4VCIssuerResult> {
+    return (await this.identifierGetManaged({ ...args, method: 'oid4vci-issuer' }, context)) as ManagedIdentifierOID4VCIssuerResult
+  }
+
+  private async identifierGetManagedByJwk(
+      args: ManagedIdentifierJwkOpts,
+      context: IAgentContext<IKeyManager & IIdentifierResolution>
+  ): Promise<ManagedIdentifierJwkResult> {
     return (await this.identifierGetManaged({ ...args, method: 'jwk' }, context)) as ManagedIdentifierJwkResult
   }
 
-  private async identifierGetManagedByX5c(args: ManagedIdentifierX5cOpts, context: IAgentContext<IKeyManager>): Promise<ManagedIdentifierX5cResult> {
+  private async identifierGetManagedByX5c(
+    args: ManagedIdentifierX5cOpts,
+    context: IAgentContext<IKeyManager & IIdentifierResolution>
+  ): Promise<ManagedIdentifierX5cResult> {
     return (await this.identifierGetManaged({ ...args, method: 'x5c' }, context)) as ManagedIdentifierX5cResult
   }
 
-  private async identifierResolveExternal(args: ExternalIdentifierOpts, context: IAgentContext<IKeyManager>): Promise<ExternalIdentifierResult> {
+  private async identifierResolveExternal(args: ExternalIdentifierOpts, context: IAgentContext<IKeyManager | IOIDFClient>): Promise<ExternalIdentifierResult> {
     return await resolveExternalIdentifier({ ...args, crypto: this._crypto }, context)
   }
 
@@ -95,4 +141,19 @@ export class IdentifierResolution implements IAgentPlugin {
   private async identifierExternalResolveByX5c(args: ExternalIdentifierX5cOpts, context: IAgentContext<any>): Promise<ExternalIdentifierX5cResult> {
     return (await this.identifierResolveExternal({ ...args, method: 'x5c' }, context)) as ExternalIdentifierX5cResult
   }
+
+  private async identifierExternalResolveByCoseKey(
+    args: ExternalIdentifierCoseKeyOpts,
+    context: IAgentContext<any>
+  ): Promise<ExternalIdentifierCoseKeyResult> {
+    return (await this.identifierResolveExternal({ ...args, method: 'cose_key' }, context)) as ExternalIdentifierCoseKeyResult
+  }
+  
+  private async identifierExternalResolveByJwk(args: ExternalIdentifierJwkOpts, context: IAgentContext<any>): Promise<ExternalIdentifierJwkResult> {
+    return (await this.identifierResolveExternal({ ...args, method: 'jwk' }, context)) as ExternalIdentifierJwkResult
+  }
+  
+  private async identifierExternalResolveByOIDFEntityId(args: ExternalIdentifierOIDFEntityIdOpts, context: IAgentContext<any>): Promise<ExternalIdentifierOIDFEntityIdResult> {
+    return (await this.identifierResolveExternal({ ...args, method: 'entity_id' }, context)) as ExternalIdentifierOIDFEntityIdResult
+  }
 }

package/src/functions/LegacySupport.ts

@@ -0,0 +1,54 @@
+import { IIdentifier } from '@veramo/core'
+import { ManagedIdentifierDidOpts, ManagedIdentifierOptsOrResult } from '../types'
+
+/**
+ * Converts legacy id opts key refs to the new ManagedIdentifierOpts
+ * @param opts
+ */
+export function legacyKeyRefsToIdentifierOpts(opts: {
+  idOpts?: ManagedIdentifierOptsOrResult
+  iss?: string
+  keyRef?: string
+  didOpts?: any
+}): ManagedIdentifierOptsOrResult {
+  if (!opts.idOpts) {
+    console.warn(
+      `Legacy idOpts being used. Support will be dropped in the future. Consider switching to the idOpts, to have support for DIDs, JWKS, x5c etc. See https://github.com/Sphereon-Opensource/SSI-SDK-crypto-extensions/tree/feature/multi_identifier_support/packages/identifier-resolution`
+    )
+    // legacy way
+    let kmsKeyRef =
+      opts.keyRef ??
+      opts.didOpts?.idOpts?.kmsKeyRef ??
+      opts.didOpts?.kid ??
+      opts.didOpts?.idOpts?.kid ??
+      (typeof opts.didOpts?.idOpts.identifier === 'object' ? (opts.didOpts?.idOpts.identifier as IIdentifier).keys[0].kid : undefined)
+    if (!kmsKeyRef) {
+      throw Error('Key ref is needed for access token signer')
+    }
+    let identifier = (opts.didOpts?.identifier ?? opts.didOpts?.idOpts?.identifier) as IIdentifier | undefined
+
+    return {
+      kmsKeyRef: opts.keyRef ?? kmsKeyRef,
+      identifier: identifier ?? kmsKeyRef,
+      issuer: opts.iss,
+    } satisfies ManagedIdentifierDidOpts
+  } else {
+    const idOpts = opts.idOpts
+    if (opts.keyRef && !idOpts.kmsKeyRef) {
+      // legacy way
+      console.warn(
+        `Legacy keyRef being used. Support will be dropped in the future. Consider switching to the idOpts, to have support for DIDs, JWKS, x5c etc. See https://github.com/Sphereon-Opensource/SSI-SDK-crypto-extensions/tree/feature/multi_identifier_support/packages/identifier-resolution`
+      )
+      idOpts.kmsKeyRef = opts.keyRef
+    }
+    if (opts.iss && !idOpts.issuer) {
+      // legacy way
+      console.warn(
+        `Legacy iss being used. Support will be dropped in the future. Consider switching to the idOpts, to have support for DIDs, JWKS, x5c etc. See https://github.com/Sphereon-Opensource/SSI-SDK-crypto-extensions/tree/feature/multi_identifier_support/packages/identifier-resolution`
+      )
+      idOpts.issuer = opts.iss
+    }
+
+    return idOpts
+  }
+}

package/src/functions/externalIdentifierFunctions.ts

@@ -1,5 +1,5 @@
-import { didDocumentToJwks, getAgentResolver } from '@sphereon/ssi-sdk-ext.did-utils'
-import { calculateJwkThumbprint, JWK } from '@sphereon/ssi-sdk-ext.key-utils'
+import { didDocumentToJwks, getAgentResolver, jwkTtoPublicKeyHex } from '@sphereon/ssi-sdk-ext.did-utils'
+import { calculateJwkThumbprint, coseKeyToJwk } from '@sphereon/ssi-sdk-ext.key-utils'
 import {
   getSubjectDN,
   pemOrDerToX509Certificate,
@@ -8,25 +8,34 @@ import {
   X509ValidationResult,
 } from '@sphereon/ssi-sdk-ext.x509-utils'
 import { contextHasPlugin } from '@sphereon/ssi-sdk.agent-config'
-import { IParsedDID, parseDid } from '@sphereon/ssi-types'
+import { IParsedDID, JWK, parseDid } from '@sphereon/ssi-types'
 import { IAgentContext, IDIDManager, IResolver } from '@veramo/core'
 import { isDefined } from '@veramo/utils'
 import { CryptoEngine, setEngine } from 'pkijs'
 import {
+  ExternalIdentifierCoseKeyOpts,
+  ExternalIdentifierCoseKeyResult,
   ExternalIdentifierDidOpts,
   ExternalIdentifierDidResult,
+  ExternalIdentifierJwkOpts,
+  ExternalIdentifierJwkResult,
   ExternalIdentifierMethod,
   ExternalIdentifierOpts,
   ExternalIdentifierResult,
   ExternalIdentifierX5cOpts,
   ExternalIdentifierX5cResult,
   ExternalJwkInfo,
+  isExternalIdentifierCoseKeyOpts,
   isExternalIdentifierDidOpts,
+  isExternalIdentifierJwkOpts,
   isExternalIdentifierJwksUrlOpts,
   isExternalIdentifierKidOpts,
   isExternalIdentifierOidcDiscoveryOpts,
+  isExternalIdentifierOIDFEntityIdOpts,
   isExternalIdentifierX5cOpts,
 } from '../types'
+import { resolveExternalOIDFEntityIdIdentifier } from '.'
+
 
 export async function resolveExternalIdentifier(
   opts: ExternalIdentifierOpts & {
@@ -39,13 +48,19 @@ export async function resolveExternalIdentifier(
     return resolveExternalDidIdentifier(opts, context)
   } else if (isExternalIdentifierX5cOpts(opts)) {
     return resolveExternalX5cIdentifier(opts, context)
+  } else if (isExternalIdentifierJwkOpts(opts)) {
+    return resolveExternalJwkIdentifier(opts, context)
+  } else if (isExternalIdentifierCoseKeyOpts(opts)) {
+    return resolveExternalCoseKeyIdentifier(opts, context)
+  } else if (isExternalIdentifierOIDFEntityIdOpts(opts)) {
+    return resolveExternalOIDFEntityIdIdentifier(opts, context)
   } else if (isExternalIdentifierKidOpts(opts)) {
     method = 'kid'
   } else if (isExternalIdentifierJwksUrlOpts(opts)) {
     method = 'jwks-url'
   } else if (isExternalIdentifierOidcDiscoveryOpts(opts)) {
     method = 'oidc-discovery'
-  }
+  } 
   throw Error(`External resolution method ${method} is not yet implemented`)
 }
 
@@ -61,7 +76,7 @@ export async function resolveExternalX5cIdentifier(
   const verify = opts.verify ?? true
   const x5c = opts.identifier.map((derOrPem) => (derOrPem.includes('CERTIFICATE') ? PEMToDer(derOrPem) : derOrPem))
   if (x5c.length === 0) {
-    return Promise.reject('Empty certification chain is now allowed')
+    return Promise.reject('Empty certification chain is not allowed')
   }
   const certificates = x5c.map(pemOrDerToX509Certificate)
 
@@ -82,6 +97,7 @@ export async function resolveExternalX5cIdentifier(
         chain: opts.identifier,
         trustAnchors: opts.trustAnchors ?? [],
         verificationTime: opts.verificationTime,
+        opts,
       })
     }
     if (verificationResult.certificateChain) {
@@ -90,6 +106,7 @@ export async function resolveExternalX5cIdentifier(
           jwk: cert.publicKeyJWK,
           kid: cert.subject.dn.DN,
           jwkThumbprint: calculateJwkThumbprint({ jwk: cert.publicKeyJWK }),
+          publicKeyHex: jwkTtoPublicKeyHex(cert.publicKeyJWK),
         } satisfies ExternalJwkInfo
       })
     }
@@ -108,6 +125,7 @@ export async function resolveExternalX5cIdentifier(
           jwk,
           kid: getSubjectDN(cert).DN,
           jwkThumbprint: calculateJwkThumbprint({ jwk }),
+          publicKeyHex: jwkTtoPublicKeyHex(jwk),
         } satisfies ExternalJwkInfo
       })
     )
@@ -129,6 +147,78 @@ export async function resolveExternalX5cIdentifier(
   }
 }
 
+/**
+ * Resolves a JWK. Normally this is just returning the JWK, but in case the JWK contains a x5c the chain is validated
+ * @param opts
+ * @param context
+ */
+export async function resolveExternalJwkIdentifier(
+  opts: ExternalIdentifierJwkOpts & {
+    x5c?: ExternalIdentifierX5cOpts
+  },
+  context: IAgentContext<any>
+): Promise<ExternalIdentifierJwkResult> {
+  if (!isExternalIdentifierJwkOpts(opts)) {
+    return Promise.reject('External JWK Identifier args need to be provided')
+  }
+  const jwk = opts.identifier
+  let x5c: ExternalIdentifierX5cResult | undefined = undefined
+  if (jwk.x5c) {
+    x5c = await resolveExternalX5cIdentifier({ ...opts.x5c, identifier: jwk.x5c }, context)
+  }
+  const jwkThumbprint = calculateJwkThumbprint({ jwk })
+  return {
+    method: 'jwk',
+    jwk,
+    jwks: [
+      {
+        jwk,
+        jwkThumbprint,
+        kid: jwk.kid,
+        publicKeyHex: jwkTtoPublicKeyHex(jwk),
+      },
+    ],
+    x5c,
+  } satisfies ExternalIdentifierJwkResult
+}
+
+/**
+ * Resolves a JWK. Normally this is just returning the JWK, but in case the JWK contains a x5c the chain is validated
+ * @param opts
+ * @param context
+ */
+export async function resolveExternalCoseKeyIdentifier(
+  opts: ExternalIdentifierCoseKeyOpts & {
+    x5c?: ExternalIdentifierX5cOpts
+  },
+  context: IAgentContext<any>
+): Promise<ExternalIdentifierCoseKeyResult> {
+  if (!isExternalIdentifierCoseKeyOpts(opts)) {
+    return Promise.reject('External Cose Key args need to be provided')
+  }
+  // TODO: We need to do cbor conversion here as well.
+  const coseKey = opts.identifier
+  let x5c: ExternalIdentifierX5cResult | undefined = undefined
+  if (coseKey.x5chain) {
+    x5c = await resolveExternalX5cIdentifier({ ...opts.x5c, identifier: coseKey.x5chain }, context)
+  }
+  const jwk = coseKeyToJwk(coseKey)
+  const jwkThumbprint = calculateJwkThumbprint({ jwk })
+  return {
+    method: 'cose_key',
+    coseKey,
+    jwks: [
+      {
+        jwk,
+        jwkThumbprint,
+        kid: coseKey.kid,
+        publicKeyHex: jwkTtoPublicKeyHex(jwk),
+      },
+    ],
+    x5c,
+  } satisfies ExternalIdentifierCoseKeyResult
+}
+
 export async function resolveExternalDidIdentifier(
   opts: ExternalIdentifierDidOpts,
   context: IAgentContext<IResolver & IDIDManager>
@@ -163,7 +253,12 @@ export async function resolveExternalDidIdentifier(
             .flatMap((jwks) => jwks)
         )
       ).map((jwk) => {
-        return { jwk, jwkThumbprint: calculateJwkThumbprint({ jwk }), kid: jwk.kid }
+        return {
+          jwk,
+          jwkThumbprint: calculateJwkThumbprint({ jwk }),
+          kid: jwk.kid,
+          publicKeyHex: jwkTtoPublicKeyHex(jwk),
+        }
       })
     : []
 

package/src/functions/externalOIDFIdentifier.ts

@@ -0,0 +1,93 @@
+import {
+  ErrorMessage,
+  ExternalIdentifierOIDFEntityIdOpts,
+  ExternalIdentifierOIDFEntityIdResult,
+  ExternalJwkInfo,
+  TrustedAnchor,
+} from '../types'
+import { IAgentContext } from '@veramo/core'
+import { IOIDFClient } from '@sphereon/ssi-sdk.oidf-client'
+import { contextHasPlugin } from '@sphereon/ssi-sdk.agent-config'
+import { IJwsValidationResult } from '../types/IJwtService'
+
+/**
+ * Resolves an OIDF Entity ID against multiple trust anchors to establish trusted relationships
+ *
+ * @param opts Configuration options containing the identifier to resolve and trust anchors to validate against
+ * @param context Agent context that must include the OIDF client plugin and JWT verification capabilities
+ *
+ * @returns Promise resolving to an ExternalIdentifierOIDFEntityIdResult containing:
+ *  - trustedAnchors: Record mapping trust anchors to their public key hexes
+ *  - errorList: Optional record of errors encountered per trust anchor
+ *  - jwks: Array of JWK information from the trust chain
+ *  - trustEstablished: Boolean indicating if any trust relationships were established
+ *
+ * @throws Error if trust anchors are missing or JWT verification plugin is not enabled
+ */
+export async function resolveExternalOIDFEntityIdIdentifier(
+  opts: ExternalIdentifierOIDFEntityIdOpts,
+  context: IAgentContext<IOIDFClient>
+): Promise<ExternalIdentifierOIDFEntityIdResult> {
+  let { trustAnchors, identifier } = opts
+
+  if (!trustAnchors || trustAnchors.length === 0) {
+    return Promise.reject(Error('ExternalIdentifierOIDFEntityIdOpts is missing the trustAnchors'))
+  }
+
+  if (!contextHasPlugin(context, 'jwtVerifyJwsSignature')) {
+    return Promise.reject(Error('For OIDFEntityId resolving the agent needs to have the JwtService plugin enabled'))
+  }
+
+  const trustedAnchors: Set<TrustedAnchor> = new Set<TrustedAnchor>()
+  const errorList: Record<TrustedAnchor, ErrorMessage> = {}
+  const jwkInfos: Array<ExternalJwkInfo> = []
+
+  for (const trustAnchor of trustAnchors) {
+    const resolveResult = await context.agent.resolveTrustChain({
+      entityIdentifier: identifier,
+      trustAnchors: [trustAnchor]
+    })
+
+    if (resolveResult.error || !resolveResult.trustChain) {
+      errorList[trustAnchor] = resolveResult.errorMessage ?? 'unspecified'
+    } else {
+      const trustChain: ReadonlyArray<string> = resolveResult.trustChain.asJsReadonlyArrayView()
+      if (trustChain.length === 0) {
+        errorList[trustAnchor] = 'Trust chain is empty'
+        continue
+      }
+      
+      const jwt = trustChain[0]
+      const jwtVerifyResult: IJwsValidationResult = await context.agent.jwtVerifyJwsSignature({ jws: jwt })
+
+      if (jwtVerifyResult.error || jwtVerifyResult.critical) {
+        errorList[trustAnchor] = jwtVerifyResult.message
+        continue
+      }
+
+      if (jwtVerifyResult.jws.signatures.length === 0) {
+        errorList[trustAnchor] = 'No signature was present in the trust anchor JWS'
+        continue
+      }
+
+      const signature = jwtVerifyResult.jws.signatures[0]
+      if (signature.identifier.jwks.length === 0) {
+        errorList[trustAnchor] = 'No JWK was present in the trust anchor signature'
+        continue
+      }
+
+      if(jwkInfos.length === 0) { // We need the entity JWK only once
+        jwkInfos.push(...signature.identifier.jwks)
+      }
+      trustedAnchors.add(trustAnchor)
+    }
+  }
+
+  return {
+    method: 'entity_id',
+    trustedAnchors: Array.from(trustedAnchors),
+    ...(Object.keys(errorList).length > 0 && { errorList }),
+    jwks: jwkInfos,
+    trustEstablished: trustedAnchors.size > 0
+  }
+}

package/src/functions/index.ts

@@ -1,53 +1,4 @@
-import { IIdentifier } from '@veramo/core'
-import { ManagedIdentifierDidOpts, ManagedIdentifierOpts } from '../types'
-
 export * from './managedIdentifierFunctions'
 export * from './externalIdentifierFunctions'
-
-/**
- * Converts legacy id opts key refs to the new ManagedIdentifierOpts
- * @param opts
- */
-export function legacyKeyRefsToIdentifierOpts(opts: {
-  idOpts?: ManagedIdentifierOpts
-  iss?: string
-  keyRef?: string
-  didOpts?: any
-}): ManagedIdentifierOpts {
-  if (!opts.idOpts) {
-    console.warn(
-      `Legacy idOpts being used. Support will be dropped in the future. Consider switching to the idOpts, to have support for DIDs, JWKS, x5c etc. See https://github.com/Sphereon-Opensource/SSI-SDK-crypto-extensions/tree/feature/multi_identifier_support/packages/identifier-resolution`
-    )
-    // legacy way
-    let kmsKeyRef =
-      opts.keyRef ??
-      opts.didOpts?.idOpts?.kmsKeyRef ??
-      (typeof opts.didOpts?.idOpts.identifier === 'object' ? (opts.didOpts?.idOpts.identifier as IIdentifier).keys[0].kid : undefined)
-    if (!kmsKeyRef) {
-      throw Error('Key ref is needed for access token signer')
-    }
-    return {
-      kmsKeyRef: opts.keyRef ?? kmsKeyRef,
-      identifier: kmsKeyRef,
-      issuer: opts.iss,
-    } satisfies ManagedIdentifierDidOpts
-  } else {
-    const idOpts = opts.idOpts
-    if (opts.keyRef && !idOpts.kmsKeyRef) {
-      // legacy way
-      console.warn(
-        `Legacy keyRef being used. Support will be dropped in the future. Consider switching to the idOpts, to have support for DIDs, JWKS, x5c etc. See https://github.com/Sphereon-Opensource/SSI-SDK-crypto-extensions/tree/feature/multi_identifier_support/packages/identifier-resolution`
-      )
-      idOpts.kmsKeyRef = opts.keyRef
-    }
-    if (opts.iss && !idOpts.issuer) {
-      // legacy way
-      console.warn(
-        `Legacy iss being used. Support will be dropped in the future. Consider switching to the idOpts, to have support for DIDs, JWKS, x5c etc. See https://github.com/Sphereon-Opensource/SSI-SDK-crypto-extensions/tree/feature/multi_identifier_support/packages/identifier-resolution`
-      )
-      idOpts.issuer = opts.iss
-    }
-
-    return idOpts
-  }
-}
+export * from './externalOIDFIdentifier'
+export * from './LegacySupport'