@sphereon/ssi-sdk-ext.identifier-resolution 0.24.1-unstable.93 → 0.25.1-feature.SDK.41.oidf.support.11

package/src/functions/managedIdentifierFunctions.ts

@@ -1,26 +1,34 @@
-import {getFirstKeyWithRelation} from '@sphereon/ssi-sdk-ext.did-utils'
-import {calculateJwkThumbprint, JWK, toJwk} from '@sphereon/ssi-sdk-ext.key-utils'
-import {pemOrDerToX509Certificate} from '@sphereon/ssi-sdk-ext.x509-utils'
-import {contextHasDidManager, contextHasKeyManager} from '@sphereon/ssi-sdk.agent-config'
-import {IAgentContext, IIdentifier, IKey, IKeyManager} from '@veramo/core'
-import {CryptoEngine, setEngine} from 'pkijs'
+import { getFirstKeyWithRelation } from '@sphereon/ssi-sdk-ext.did-utils'
+import { calculateJwkThumbprint, coseKeyToJwk, toJwk } from '@sphereon/ssi-sdk-ext.key-utils'
+import { pemOrDerToX509Certificate } from '@sphereon/ssi-sdk-ext.x509-utils'
+import { contextHasDidManager, contextHasKeyManager } from '@sphereon/ssi-sdk.agent-config'
+import { ICoseKeyJson, JWK } from '@sphereon/ssi-types'
+import { IAgentContext, IIdentifier, IKey, IKeyManager } from '@veramo/core'
+import { CryptoEngine, setEngine } from 'pkijs'
 import {
   IIdentifierResolution,
+  isManagedIdentifierCoseKeyOpts,
   isManagedIdentifierDidOpts,
   isManagedIdentifierDidResult,
+  isManagedIdentifierOID4VCIssuerOpts,
   isManagedIdentifierJwkOpts,
+  isManagedIdentifierJwkResult,
   isManagedIdentifierKeyOpts,
+  isManagedIdentifierKeyResult,
   isManagedIdentifierKidOpts,
   isManagedIdentifierX5cOpts,
+  ManagedIdentifierCoseKeyOpts,
+  ManagedIdentifierCoseKeyResult,
   ManagedIdentifierDidOpts,
   ManagedIdentifierDidResult,
+  ManagedIdentifierOID4VCIssuerOpts,
+  ManagedIdentifierOID4VCIssuerResult,
   ManagedIdentifierJwkOpts,
   ManagedIdentifierJwkResult,
   ManagedIdentifierKeyOpts,
   ManagedIdentifierKeyResult,
   ManagedIdentifierKidOpts,
   ManagedIdentifierKidResult,
-  ManagedIdentifierOpts,
   ManagedIdentifierOptsOrResult,
   ManagedIdentifierResult,
   ManagedIdentifierX5cOpts,
@@ -34,6 +42,8 @@ export async function getManagedKidIdentifier(
   const method = 'kid'
   if (!contextHasKeyManager(context)) {
     return Promise.reject(Error(`Cannot get Key/JWK identifier if KeyManager plugin is not enabled!`))
+  } else if (opts.identifier.startsWith('did:')) {
+    return Promise.reject(Error(`managed kid resolution called but a did url was passed in. Please call the did resolution method`))
   }
   const key = await context.agent.keyManagerGet({ kid: opts.kmsKeyRef ?? opts.identifier })
   const jwk = toJwk(key.publicKeyHex, key.type, { key })
@@ -43,27 +53,39 @@ export async function getManagedKidIdentifier(
   return {
     method,
     key,
+    identifier: opts.identifier,
     jwk,
     jwkThumbprint,
     kid,
+    clientId: opts.clientId,
+    clientIdScheme: opts.clientIdScheme,
     issuer,
     kmsKeyRef: key.kid,
     opts,
   } satisfies ManagedIdentifierKidResult
 }
 
+export function isManagedIdentifierResult(
+  identifier: ManagedIdentifierOptsOrResult & {
+    crypto?: Crypto
+  }
+): identifier is ManagedIdentifierResult {
+  return 'key' in identifier && 'kmsKeyRef' in identifier && 'method' in identifier && 'opts' in identifier && 'jwkThumbprint' in identifier
+}
+
 /**
  * Allows to get a managed identifier result in case identifier options are passed in, but returns the identifier directly in case results are passed in. This means resolution can have happened before, or happens in this method
  * @param identifier
  * @param context
  */
 export async function ensureManagedIdentifierResult(
-  identifier: ManagedIdentifierOptsOrResult,
-  context: IAgentContext<IIdentifierResolution>
+  identifier: ManagedIdentifierOptsOrResult & {
+    crypto?: Crypto
+  },
+  context: IAgentContext<IKeyManager>
 ): Promise<ManagedIdentifierResult> {
-  return 'key' in identifier && 'kmsKeyRef' in identifier && 'method' in identifier && 'opts' in identifier
-    ? identifier
-    : await context.agent.identifierManagedGet(identifier)
+  const { lazyDisabled = false } = identifier
+  return !lazyDisabled && isManagedIdentifierResult(identifier) ? identifier : await getManagedIdentifier(identifier, context)
 }
 
 /**
@@ -84,15 +106,52 @@ export async function getManagedKeyIdentifier(opts: ManagedIdentifierKeyOpts, _c
   return {
     method,
     key,
+    identifier: key,
     jwk,
     jwkThumbprint,
     kid,
     issuer,
     kmsKeyRef: key.kid,
+    clientId: opts.clientId,
+    clientIdScheme: opts.clientIdScheme,
     opts,
   } satisfies ManagedIdentifierKeyResult
 }
 
+/**
+ * This function is just a convenience function to get a common result. The user already apparently had a key, so could have called the kid version as well
+ * @param opts
+ * @param context
+ */
+export async function getManagedCoseKeyIdentifier(
+  opts: ManagedIdentifierCoseKeyOpts,
+  context: IAgentContext<any>
+): Promise<ManagedIdentifierCoseKeyResult> {
+  const method = 'cose_key'
+  const coseKey: ICoseKeyJson = opts.identifier
+  if (!contextHasKeyManager(context)) {
+    return Promise.reject(Error(`Cannot get Cose Key identifier if KeyManager plugin is not enabled!`))
+  }
+  const jwk = coseKeyToJwk(coseKey)
+  const jwkThumbprint = calculateJwkThumbprint({ jwk })
+  const key = await context.agent.keyManagerGet({ kid: opts.kmsKeyRef ?? jwkThumbprint })
+  const kid = opts.kid ?? coseKey.kid ?? jwkThumbprint
+  const issuer = opts.issuer
+  return {
+    method,
+    key,
+    identifier: opts.identifier,
+    jwk,
+    jwkThumbprint,
+    kid,
+    issuer,
+    kmsKeyRef: key.kid,
+    clientId: opts.clientId,
+    clientIdScheme: opts.clientIdScheme,
+    opts,
+  } satisfies ManagedIdentifierCoseKeyResult
+}
+
 export async function getManagedDidIdentifier(opts: ManagedIdentifierDidOpts, context: IAgentContext<any>): Promise<ManagedIdentifierDidResult> {
   const method = 'did'
   if (!contextHasDidManager(context)) {
@@ -139,6 +198,8 @@ export async function getManagedDidIdentifier(opts: ManagedIdentifierDidOpts, co
     keys,
     issuer,
     identifier,
+    clientId: opts.clientId,
+    clientIdScheme: opts.clientIdScheme,
     opts,
   }
 }
@@ -160,10 +221,13 @@ export async function getManagedJwkIdentifier(
     method,
     key,
     kmsKeyRef: key.kid,
+    identifier: jwk,
     jwk,
     jwkThumbprint,
     kid,
     issuer,
+    clientId: opts.clientId,
+    clientIdScheme: opts.clientIdScheme,
     opts,
   } satisfies ManagedIdentifierJwkResult
 }
@@ -195,6 +259,7 @@ export async function getManagedX5cIdentifier(
   return {
     method,
     x5c,
+    identifier: x5c,
     certificate,
     jwk,
     jwkThumbprint,
@@ -202,17 +267,65 @@ export async function getManagedX5cIdentifier(
     kmsKeyRef: key.kid,
     kid,
     issuer,
+    clientId: opts.clientId,
+    clientIdScheme: opts.clientIdScheme,
     opts,
   } satisfies ManagedIdentifierX5cResult
 }
 
+export async function getManagedOID4VCIssuerIdentifier(
+    opts: ManagedIdentifierOID4VCIssuerOpts,
+    context: IAgentContext<IKeyManager>
+): Promise<ManagedIdentifierOID4VCIssuerResult> {
+  const { identifier } = opts
+  const method = 'oid4vci-issuer'
+  // FIXME: We need to eventually determine the JWK based on the issuer. Using a dummy JWK for now
+  const jwk = {
+    "kty" : "RSA",
+    "kid" : "dummy-jwk-for-vci-issuer-signing",
+    "use" : "sig",
+    "n"   : "pjdss8ZaDfEH6K6U7GeW2nxDqR4IP049fk1fK0lndimbMMVBdPv_hSpm8T8EtBDxrUdi1OHZfMhUixGaut-3nQ4GG9nM249oxhCtxqqNvEXrmQRGqczyLxuh-fKn9Fg--hS9UpazHpfVAFnB5aCfXoNhPuI8oByyFKMKaOVgHNqP5NBEqabiLftZD3W_lsFCPGuzr4Vp0YS7zS2hDYScC2oOMu4rGU1LcMZf39p3153Cq7bS2Xh6Y-vw5pwzFYZdjQxDn8x8BG3fJ6j8TGLXQsbKH1218_HcUJRvMwdpbUQG5nvA2GXVqLqdwp054Lzk9_B_f1lVrmOKuHjTNHq48w",
+    "e"   : "AQAB",
+    "d"   : "ksDmucdMJXkFGZxiomNHnroOZxe8AmDLDGO1vhs-POa5PZM7mtUPonxwjVmthmpbZzla-kg55OFfO7YcXhg-Hm2OWTKwm73_rLh3JavaHjvBqsVKuorX3V3RYkSro6HyYIzFJ1Ek7sLxbjDRcDOj4ievSX0oN9l-JZhaDYlPlci5uJsoqro_YrE0PRRWVhtGynd-_aWgQv1YzkfZuMD-hJtDi1Im2humOWxA4eZrFs9eG-whXcOvaSwO4sSGbS99ecQZHM2TcdXeAs1PvjVgQ_dKnZlGN3lTWoWfQP55Z7Tgt8Nf1q4ZAKd-NlMe-7iqCFfsnFwXjSiaOa2CRGZn-Q",
+    "p"   : "4A5nU4ahEww7B65yuzmGeCUUi8ikWzv1C81pSyUKvKzu8CX41hp9J6oRaLGesKImYiuVQK47FhZ--wwfpRwHvSxtNU9qXb8ewo-BvadyO1eVrIk4tNV543QlSe7pQAoJGkxCia5rfznAE3InKF4JvIlchyqs0RQ8wx7lULqwnn0",
+    "q"   : "ven83GM6SfrmO-TBHbjTk6JhP_3CMsIvmSdo4KrbQNvp4vHO3w1_0zJ3URkmkYGhz2tgPlfd7v1l2I6QkIh4Bumdj6FyFZEBpxjE4MpfdNVcNINvVj87cLyTRmIcaGxmfylY7QErP8GFA-k4UoH_eQmGKGK44TRzYj5hZYGWIC8",
+    "dp"  : "lmmU_AG5SGxBhJqb8wxfNXDPJjf__i92BgJT2Vp4pskBbr5PGoyV0HbfUQVMnw977RONEurkR6O6gxZUeCclGt4kQlGZ-m0_XSWx13v9t9DIbheAtgVJ2mQyVDvK4m7aRYlEceFh0PsX8vYDS5o1txgPwb3oXkPTtrmbAGMUBpE",
+    "dq"  : "mxRTU3QDyR2EnCv0Nl0TCF90oliJGAHR9HJmBe__EjuCBbwHfcT8OG3hWOv8vpzokQPRl5cQt3NckzX3fs6xlJN4Ai2Hh2zduKFVQ2p-AF2p6Yfahscjtq-GY9cB85NxLy2IXCC0PF--Sq9LOrTE9QV988SJy_yUrAjcZ5MmECk",
+    "qi"  : "ldHXIrEmMZVaNwGzDF9WG8sHj2mOZmQpw9yrjLK9hAsmsNr5LTyqWAqJIYZSwPTYWhY4nu2O0EY9G9uYiqewXfCKw_UngrJt8Xwfq1Zruz0YY869zPN4GiE9-9rzdZB33RBw8kIOquY3MK74FMwCihYx_LiU2YTHkaoJ3ncvtvg"
+  } as JWK
+  const jwkThumbprint = calculateJwkThumbprint({ jwk })
+
+  const key = {
+    kid: 'dummy-key-for-vci-issuer-signing',
+    kms: 'local',
+    type: "RSA",
+    publicKeyHex: '9a3f75b2e4d8b91128fc6e9a8f6782e5a4f1cba3718e58b5d0a789d6e5f52b3a'
+  } as IKey
+
+  return {
+    method,
+    identifier,
+    jwk,
+    jwkThumbprint,
+    key, // FIXME: We need construct a key as soon as we have the external VCI Issuer resolution
+    kmsKeyRef: identifier, // FIXME: We need use kmsKeyRef as soon as we have the external VCI Issuer resolution
+    issuer: identifier.replace('/.well-known/openid-credential-issuer', ''),
+    clientId: opts.clientId,
+    clientIdScheme: opts.clientIdScheme,
+    opts,
+  } satisfies ManagedIdentifierOID4VCIssuerResult
+}
+
 export async function getManagedIdentifier(
-  opts: ManagedIdentifierOpts & {
+  opts: ManagedIdentifierOptsOrResult & {
     crypto?: Crypto
   },
   context: IAgentContext<IKeyManager>
 ): Promise<ManagedIdentifierResult> {
   let resolutionResult: ManagedIdentifierResult
+  if (isManagedIdentifierResult(opts)) {
+    opts
+  }
   if (isManagedIdentifierKidOpts(opts)) {
     resolutionResult = await getManagedKidIdentifier(opts, context)
   } else if (isManagedIdentifierDidOpts(opts)) {
@@ -223,13 +336,48 @@ export async function getManagedIdentifier(
     resolutionResult = await getManagedX5cIdentifier(opts, context)
   } else if (isManagedIdentifierKeyOpts(opts)) {
     resolutionResult = await getManagedKeyIdentifier(opts, context)
+  } else if (isManagedIdentifierCoseKeyOpts(opts)) {
+    resolutionResult = await getManagedCoseKeyIdentifier(opts, context)
+  } else if (isManagedIdentifierOID4VCIssuerOpts(opts)) {
+    resolutionResult = await getManagedOID4VCIssuerIdentifier(opts, context)
   } else {
     return Promise.reject(Error(`Could not determine identifier method. Please provide explicitly`))
   }
   const { key } = resolutionResult
-  if (!key || (isManagedIdentifierDidOpts(opts) && isManagedIdentifierDidResult(resolutionResult) && !resolutionResult.identifier)) {
+  if ((!key && !isManagedIdentifierOID4VCIssuerOpts(opts)) || (isManagedIdentifierDidOpts(opts) && isManagedIdentifierDidResult(resolutionResult) && !resolutionResult.identifier)) {
     console.log(`Cannot find identifier`, opts.identifier)
     return Promise.reject(`Cannot find identifier ${opts.identifier}`)
   }
   return resolutionResult
 }
+
+export async function managedIdentifierToKeyResult(
+  identifier: ManagedIdentifierOptsOrResult,
+  context: IAgentContext<IIdentifierResolution & IKeyManager>
+): Promise<ManagedIdentifierKeyResult> {
+  const resolved = await ensureManagedIdentifierResult(identifier, context)
+  if (isManagedIdentifierKeyResult(resolved)) {
+    return resolved
+  }
+
+  return {
+    ...resolved,
+    method: 'key',
+    identifier: resolved.key,
+  } satisfies ManagedIdentifierKeyResult
+}
+
+export async function managedIdentifierToJwk(
+  identifier: ManagedIdentifierOptsOrResult,
+  context: IAgentContext<IIdentifierResolution & IKeyManager>
+): Promise<ManagedIdentifierJwkResult> {
+  const resolved = await ensureManagedIdentifierResult(identifier, context)
+  if (isManagedIdentifierJwkResult(resolved)) {
+    return resolved
+  }
+  return {
+    ...resolved,
+    method: 'jwk',
+    identifier: resolved.jwk,
+  } satisfies ManagedIdentifierJwkResult
+}

package/src/types/IIdentifierResolution.ts

@@ -1,26 +1,53 @@
 import { IAgentContext, IDIDManager, IKeyManager, IPluginMethodMap } from '@veramo/core'
 import {
+  ExternalIdentifierCoseKeyOpts,
+  ExternalIdentifierCoseKeyResult,
   ExternalIdentifierDidOpts,
-  ExternalIdentifierDidResult,
+  ExternalIdentifierDidResult, ExternalIdentifierOIDFEntityIdOpts, ExternalIdentifierOIDFEntityIdResult,
+  ExternalIdentifierJwkOpts,
+  ExternalIdentifierJwkResult,
   ExternalIdentifierOpts,
   ExternalIdentifierResult,
   ExternalIdentifierX5cOpts,
   ExternalIdentifierX5cResult,
 } from './externalIdentifierTypes'
 import {
+  ManagedIdentifierCoseKeyOpts,
+  ManagedIdentifierCoseKeyResult,
   ManagedIdentifierDidOpts,
   ManagedIdentifierDidResult,
+  ManagedIdentifierOID4VCIssuerOpts,
+  ManagedIdentifierOID4VCIssuerResult,
   ManagedIdentifierJwkOpts,
   ManagedIdentifierJwkResult,
   ManagedIdentifierKeyOpts,
   ManagedIdentifierKeyResult,
   ManagedIdentifierKidOpts,
   ManagedIdentifierKidResult,
-  ManagedIdentifierOpts,
+  ManagedIdentifierOptsOrResult,
   ManagedIdentifierResult,
   ManagedIdentifierX5cOpts,
   ManagedIdentifierX5cResult,
 } from './managedIdentifierTypes'
+import { IOIDFClient } from '@sphereon/ssi-sdk.oidf-client'
+
+// Exposing the methods here for any REST implementation
+export const identifierResolutionContextMethods: Array<string> = [
+  'identifierManagedGet',
+  'identifierManagedGetByDid',
+  'identifierManagedGetByKid',
+  'identifierManagedGetByJwk',
+  'identifierManagedGetByX5c',
+  'identifierManagedGetByKey',
+  'identifierManagedGetByOID4VCIssuer',
+  'identifierGetManagedByCoseKey',
+  'identifierExternalResolve',
+  'identifierExternalResolveByDid',
+  'identifierExternalResolveByX5c',
+  'identifierExternalResolveByJwk',
+  'identifierExternalResolveByCoseKey',
+  'identifierExternalResolveByOIDFEntityId',
+]
 
 /**
  * @public
@@ -30,11 +57,15 @@ export interface IIdentifierResolution extends IPluginMethodMap {
    * Main method for managed identifiers. We always go through this method (also the others) as we want to integrate a plugin for anomaly detection. Having a single method helps
    *
    * The end result of all these methods is a common baseline response that allows to use a key from the registered KMS systems. It also provides kid and iss(uer) values that can be used in a JWT/JWS for instance
+   * Allows to get a managed identifier result in case identifier options are passed in, but returns the identifier directly in case results are passed in. This means resolution can have happened before, or happens in this method
+   *
+   * We use the opts or result type almost everywhere, as it allows for just in time resolution whenever this method is called and afterwards we have the result, so resolution doesn't have to hit the DB, or external endpoints.
+   * Also use this method in the local agent, not using REST. If case the identifier needs to be resolved, you can always have the above methods using REST
    * @param args
    * @param context
    * @public
    */
-  identifierManagedGet(args: ManagedIdentifierOpts, context: IAgentContext<IKeyManager>): Promise<ManagedIdentifierResult>
+  identifierManagedGet(args: ManagedIdentifierOptsOrResult, context: IAgentContext<IKeyManager>): Promise<ManagedIdentifierResult>
 
   identifierManagedGetByDid(args: ManagedIdentifierDidOpts, context: IAgentContext<IKeyManager & IDIDManager>): Promise<ManagedIdentifierDidResult>
 
@@ -46,6 +77,13 @@ export interface IIdentifierResolution extends IPluginMethodMap {
 
   identifierManagedGetByKey(args: ManagedIdentifierKeyOpts, context: IAgentContext<IKeyManager>): Promise<ManagedIdentifierKeyResult>
 
+  identifierManagedGetByCoseKey(
+    args: ManagedIdentifierCoseKeyOpts,
+    context: IAgentContext<IKeyManager & IIdentifierResolution>
+  ): Promise<ManagedIdentifierCoseKeyResult>
+
+  identifierManagedGetByOID4VCIssuer(args: ManagedIdentifierOID4VCIssuerOpts, context: IAgentContext<any>): Promise<ManagedIdentifierOID4VCIssuerResult>
+
   // TODO: We can create a custom managed identifier method allowing developers to register a callback function to get their implementation hooked up. Needs more investigation as it would also impact the KMS
 
   /**
@@ -58,5 +96,11 @@ export interface IIdentifierResolution extends IPluginMethodMap {
 
   identifierExternalResolveByDid(args: ExternalIdentifierDidOpts, context: IAgentContext<any>): Promise<ExternalIdentifierDidResult>
 
+  identifierExternalResolveByJwk(args: ExternalIdentifierJwkOpts, context: IAgentContext<any>): Promise<ExternalIdentifierJwkResult>
+
+  identifierExternalResolveByCoseKey(args: ExternalIdentifierCoseKeyOpts, context: IAgentContext<any>): Promise<ExternalIdentifierCoseKeyResult>
+
   identifierExternalResolveByX5c(args: ExternalIdentifierX5cOpts, context: IAgentContext<any>): Promise<ExternalIdentifierX5cResult>
+  
+  identifierExternalResolveByOIDFEntityId(args: ExternalIdentifierOIDFEntityIdOpts, context: IAgentContext<IOIDFClient>): Promise<ExternalIdentifierOIDFEntityIdResult>
 }

package/src/types/IJwtService.d.ts

@@ -0,0 +1,226 @@
+
+// Copy of jwt-service typings since we cannot include that as devDependency due to cyclic dep
+
+import { ExternalIdentifierDidOpts, ExternalIdentifierResult, ExternalIdentifierX5cOpts, IIdentifierResolution, ManagedIdentifierOptsOrResult, ManagedIdentifierResult } from '@sphereon/ssi-sdk-ext.identifier-resolution';
+import { ClientIdScheme } from '@sphereon/ssi-sdk-ext.x509-utils';
+import { BaseJWK, IValidationResult, JoseSignatureAlgorithm, JoseSignatureAlgorithmString, JWK } from '@sphereon/ssi-types';
+import { IAgentContext, IKeyManager, IPluginMethodMap } from '@veramo/core';
+export type IRequiredContext = IAgentContext<IIdentifierResolution & IKeyManager>;
+export declare const jwtServiceContextMethods: Array<string>;
+export interface IJwtService extends IPluginMethodMap {
+    jwtPrepareJws(args: CreateJwsJsonArgs, context: IRequiredContext): Promise<PreparedJwsObject>;
+    jwtCreateJwsJsonGeneralSignature(args: CreateJwsJsonArgs, context: IRequiredContext): Promise<JwsJsonGeneral>;
+    jwtCreateJwsJsonFlattenedSignature(args: CreateJwsFlattenedArgs, context: IRequiredContext): Promise<JwsJsonFlattened>;
+    jwtCreateJwsCompactSignature(args: CreateJwsCompactArgs, context: IRequiredContext): Promise<JwtCompactResult>;
+    jwtVerifyJwsSignature(args: VerifyJwsArgs, context: IRequiredContext): Promise<IJwsValidationResult>;
+    jwtEncryptJweCompactJwt(args: EncryptJweCompactJwtArgs, context: IRequiredContext): Promise<JwtCompactResult>;
+    jwtDecryptJweCompactJwt(args: DecryptJweCompactJwtArgs, context: IRequiredContext): Promise<JwtCompactResult>;
+}
+export type IJwsValidationResult = IValidationResult & {
+    jws: JwsJsonGeneralWithIdentifiers;
+};
+export interface PreparedJws {
+    protectedHeader: JwsHeader;
+    payload: Uint8Array;
+    unprotectedHeader?: JwsHeader;
+    existingSignatures?: Array<JwsJsonSignature>;
+}
+export interface JwsJsonSignature {
+    protected: string;
+    header?: JwsHeader;
+    signature: string;
+}
+/**
+ * The JWK representation of an ephemeral public key.
+ * See https://www.rfc-editor.org/rfc/rfc7518.html#section-6
+ */
+export type EphemeralPublicKey = Omit<BaseJWK, 'alg'>;
+export interface JweHeader extends Omit<BaseJwtHeader, 'alg'> {
+    alg: string;
+    enc: string;
+    jku?: string;
+    jwk?: BaseJWK;
+    epk?: EphemeralPublicKey;
+    x5u?: string;
+    x5c?: string[];
+    x5t?: string;
+    cty?: string;
+    crit?: string[];
+    [k: string]: any;
+}
+export interface JweRecipientUnprotectedHeader {
+    alg: string;
+    iv: string;
+    tag: string;
+    epk?: EphemeralPublicKey;
+    kid?: string;
+    apv?: string;
+    apu?: string;
+}
+export interface JweProtectedHeader extends Partial<JweHeader> {
+    zip?: 'DEF' | string;
+}
+export type Jws = JwsCompact | JwsJsonFlattened | JwsJsonGeneral;
+export type JwsCompact = string;
+export interface JwsJsonFlattened {
+    payload: string;
+    protected: string;
+    header?: JwsHeader;
+    signature: string;
+}
+export interface JwsJsonGeneral {
+    payload: string;
+    signatures: Array<JwsJsonSignature>;
+}
+export interface JwsJsonGeneralWithIdentifiers extends JwsJsonGeneral {
+    signatures: Array<JwsJsonSignatureWithIdentifier>;
+}
+export interface JwsJsonSignatureWithIdentifier extends JwsJsonSignature {
+    identifier: ExternalIdentifierResult;
+    publicKeyHex: string;
+}
+export type Jwe = JweCompact | JweJsonFlattened | JweJsonGeneral;
+export type JweCompact = string;
+export interface JweJsonFlattened {
+    protected: string;
+    unprotected: JweHeader;
+    header: JweHeader | JweRecipientUnprotectedHeader;
+    encrypted_key?: string;
+    aad?: string;
+    iv: string;
+    ciphertext: string;
+    tag?: string;
+}
+export interface JweRecipient {
+    header?: JweRecipientUnprotectedHeader;
+    encrypted_key?: string;
+}
+export interface JweJsonGeneral {
+    protected: string;
+    unprotected?: JweHeader;
+    recipients: Array<JweRecipient>;
+    aad?: string;
+    iv: string;
+    ciphertext: string;
+    tag?: string;
+}
+export interface PreparedJwsObject {
+    jws: PreparedJws;
+    b64: {
+        payload: string;
+        protectedHeader: string;
+    };
+    identifier: ManagedIdentifierResult;
+}
+export interface BaseJwtHeader {
+    typ?: string;
+    alg?: string;
+    kid?: string;
+}
+export interface BaseJwtPayload {
+    iss?: string;
+    sub?: string;
+    aud?: string[] | string;
+    exp?: number;
+    nbf?: number;
+    iat?: number;
+    jti?: string;
+}
+export interface JwsHeader extends BaseJwtHeader {
+    kid?: string;
+    jwk?: JWK;
+    x5c?: string[];
+    [key: string]: unknown;
+}
+export interface JwsPayload extends BaseJwtPayload {
+    [key: string]: unknown;
+}
+export interface JwsHeaderOpts {
+    alg: JoseSignatureAlgorithm | JoseSignatureAlgorithmString;
+}
+export type JwsIdentifierMode = 'x5c' | 'kid' | 'jwk' | 'did' | 'auto';
+export type EncryptJweCompactJwtArgs = {
+    payload: JwsPayload;
+    protectedHeader?: JweProtectedHeader | undefined;
+    aad?: Uint8Array | undefined;
+    recipientKey: ExternalIdentifierResult & {
+        kid?: string;
+    };
+    alg?: JweAlg;
+    enc?: JweEnc;
+    apu?: string;
+    apv?: string;
+    expirationTime?: number | string | Date;
+    issuer?: string;
+    audience?: string | string[];
+};
+export type DecryptJweCompactJwtArgs = {
+    jwe: JweCompact;
+    idOpts: ManagedIdentifierOptsOrResult;
+};
+export type CreateJwsArgs = {
+    mode?: JwsIdentifierMode;
+    issuer: ManagedIdentifierOptsOrResult & {
+        noIssPayloadUpdate?: boolean;
+        noIdentifierInHeader?: boolean;
+    };
+    clientId?: string;
+    clientIdScheme?: ClientIdScheme | 'did' | string;
+    protectedHeader: JwsHeader;
+    payload: JwsPayload | Uint8Array | string;
+};
+export type CreateJweArgs = {
+    mode?: JwsIdentifierMode;
+    issuer: ManagedIdentifierOptsOrResult & {
+        noIssPayloadUpdate?: boolean;
+        noIdentifierInHeader?: boolean;
+    };
+    protectedHeader: JweProtectedHeader;
+    encryptedKey: string | EphemeralPublicKey;
+    iv: string;
+    ciphertext: string;
+    tag: string;
+};
+export type CreateJwsCompactArgs = CreateJwsArgs;
+export type CreateJwsFlattenedArgs = Exclude<CreateJwsJsonArgs, 'existingSignatures'>;
+export type VerifyJwsArgs = {
+    jws: Jws;
+    jwk?: JWK;
+    opts?: {
+        x5c?: Omit<ExternalIdentifierX5cOpts, 'identifier'>;
+        did?: Omit<ExternalIdentifierDidOpts, 'identifier'>;
+    };
+};
+/**
+ * @public
+ */
+export type CreateJwsJsonArgs = CreateJwsArgs & {
+    unprotectedHeader?: JwsHeader;
+    existingSignatures?: Array<JwsJsonSignature>;
+};
+export type CreateJweJsonArgs = CreateJweArgs & {
+    unprotectedHeader?: JweHeader;
+};
+/**
+ * @public
+ */
+export interface JwtCompactResult {
+    jwt: JwsCompact | JweCompact;
+}
+export declare function isJwsCompact(jws: Jws): jws is JwsCompact;
+export declare function isJweCompact(jwe: Jwe): jwe is JweCompact;
+export declare function isJwsJsonFlattened(jws: Jws): jws is JwsJsonFlattened;
+export declare function isJwsJsonGeneral(jws: Jws): jws is JwsJsonGeneral;
+export declare function isJweJsonFlattened(jwe: Jwe): jwe is JweJsonFlattened;
+export declare function isJweJsonGeneral(jwe: Jwe): jwe is JweJsonGeneral;
+export declare function isJwsHeader(header: BaseJwtHeader & Record<string, any>): header is JwsHeader;
+export declare function isJweHeader(header: BaseJwtHeader & Record<string, any>): header is JweHeader;
+export declare const COMPACT_JWS_REGEX: RegExp;
+export declare const COMPACT_JWE_REGEX: RegExp;
+export declare const JweAlgs: readonly ["RSA1_5", "RSA-OAEP", "RSA-OAEP-256", "A128KW", "A192KW", "A256KW", "dir", "ECDH-ES", "ECDH-ES+A128KW", "ECDH-ES+A192KW", "ECDH-ES+A256KW", "A128GCMKW", "A192GCMKW", "A256GCMKW", "PBES2-HS256+A128KW", "PBES2-HS384+A192KW", "PBES2-HS512+A256KW"];
+export type JweAlg = typeof JweAlgs[number];
+export declare function jweAlg(alg?: string | JweAlg): JweAlg | undefined;
+export declare const JweEncs: readonly ["A128CBC-HS256", "A192CBC-HS384", "A256CBC-HS512", "A128GCM", "A192GCM", "A256GCM"];
+export type JweEnc = typeof JweEncs[number];
+export declare function jweEnc(alg?: string | JweEnc): JweEnc | undefined;
+//# sourceMappingURL=IJwtService.d.ts.map

package/src/types/common.ts

@@ -1,4 +1,4 @@
-import { JWK } from '@sphereon/ssi-sdk-ext.key-utils'
+import { ICoseKeyJson, JWK } from '@sphereon/ssi-types'
 import { IIdentifier, IKey } from '@veramo/core'
 import { ExternalIdentifierType } from './externalIdentifierTypes'
 import { ManagedIdentifierType } from './managedIdentifierTypes'
@@ -29,7 +29,11 @@ export function isJwksUrlIdentifier(identifier: ManagedIdentifierType | External
 }
 
 export function isKidIdentifier(identifier: ManagedIdentifierType | ExternalIdentifierType): identifier is string {
-  return typeof identifier === 'string' && !identifier.startsWith('did:')
+  return typeof identifier === 'string' && !identifier.startsWith('did:') && !identifier.startsWith('http')
+}
+
+export function isOID4VCIssuerIdentifier(identifier: ManagedIdentifierType | ExternalIdentifierType): identifier is string {
+  return typeof identifier === 'string' && identifier.startsWith('http') && identifier.endsWith('/.well-known/openid-credential-issuer')
 }
 
 export function isKeyIdentifier(identifier: ManagedIdentifierType): identifier is IKey {
@@ -42,6 +46,14 @@ export function isKeyIdentifier(identifier: ManagedIdentifierType): identifier i
   )
 }
 
+export function isCoseKeyIdentifier(identifier: ManagedIdentifierType): identifier is ICoseKeyJson {
+  return typeof identifier === 'object' && `kty` in identifier && ('baseIV' in identifier || 'x5chain' in identifier) && !('x5c' in identifier)
+}
+
+export function isOIDFEntityIdIdentifier(identifier: ManagedIdentifierType): identifier is ICoseKeyJson {
+  return typeof identifier === 'string' && identifier.startsWith('https://') 
+}
+
 export function isX5cIdentifier(identifier: ManagedIdentifierType | ExternalIdentifierType): identifier is string[] {
   return Array.isArray(identifier) && identifier.length > 0 // todo: Do we want to do additional validation? We know it must be DER and thus hex for instance
 }