@sphereon/ssi-sdk-ext.identifier-resolution 0.25.0 → 0.25.1-feature.SDK.41.oidf.support.12

package/plugin.schema.json

@@ -136,6 +136,27 @@
               "required": [
                 "identifier"
               ]
+            },
+            {
+              "type": "object",
+              "properties": {
+                "method": {
+                  "type": "string",
+                  "const": "entity_id"
+                },
+                "identifier": {
+                  "$ref": "#/components/schemas/ExternalIdentifierType"
+                },
+                "trustAnchors": {
+                  "type": "array",
+                  "items": {
+                    "type": "string"
+                  }
+                }
+              },
+              "required": [
+                "identifier"
+              ]
             }
           ]
         },
@@ -606,6 +627,41 @@
                 "method"
               ]
             },
+            {
+              "type": "object",
+              "properties": {
+                "method": {
+                  "$ref": "#/components/schemas/ExternalIdentifierMethod"
+                },
+                "jwks": {
+                  "type": "array",
+                  "items": {
+                    "$ref": "#/components/schemas/ExternalJwkInfo"
+                  }
+                },
+                "trustedAnchors": {
+                  "type": "object",
+                  "additionalProperties": {
+                    "$ref": "#/components/schemas/PublicKeyHex"
+                  }
+                },
+                "errorList": {
+                  "type": "object",
+                  "additionalProperties": {
+                    "$ref": "#/components/schemas/ErrorMessage"
+                  }
+                },
+                "trustEstablished": {
+                  "type": "boolean"
+                }
+              },
+              "required": [
+                "jwks",
+                "method",
+                "trustEstablished",
+                "trustedAnchors"
+              ]
+            },
             {
               "type": "object",
               "properties": {
@@ -643,7 +699,8 @@
             "cose_key",
             "oidc-discovery",
             "jwks-url",
-            "oid4vci-issuer"
+            "oid4vci-issuer",
+            "entity_id"
           ]
         },
         "ExternalJwkInfo": {
@@ -1295,6 +1352,12 @@
             "x5c"
           ]
         },
+        "PublicKeyHex": {
+          "type": "string"
+        },
+        "ErrorMessage": {
+          "type": "string"
+        },
         "ICoseKeyJson": {
           "type": "object",
           "properties": {
@@ -1577,6 +1640,63 @@
             "method"
           ]
         },
+        "ExternalIdentifierOIDFEntityIdOpts": {
+          "type": "object",
+          "properties": {
+            "method": {
+              "type": "string",
+              "const": "entity_id"
+            },
+            "identifier": {
+              "$ref": "#/components/schemas/ExternalIdentifierType"
+            },
+            "trustAnchors": {
+              "type": "array",
+              "items": {
+                "type": "string"
+              }
+            }
+          },
+          "required": [
+            "identifier"
+          ]
+        },
+        "ExternalIdentifierOIDFEntityIdResult": {
+          "type": "object",
+          "properties": {
+            "method": {
+              "type": "string",
+              "const": "entity_id"
+            },
+            "jwks": {
+              "type": "array",
+              "items": {
+                "$ref": "#/components/schemas/ExternalJwkInfo"
+              }
+            },
+            "trustedAnchors": {
+              "type": "object",
+              "additionalProperties": {
+                "$ref": "#/components/schemas/PublicKeyHex"
+              }
+            },
+            "errorList": {
+              "type": "object",
+              "additionalProperties": {
+                "$ref": "#/components/schemas/ErrorMessage"
+              }
+            },
+            "trustEstablished": {
+              "type": "boolean"
+            }
+          },
+          "required": [
+            "jwks",
+            "method",
+            "trustEstablished",
+            "trustedAnchors"
+          ]
+        },
         "ManagedIdentifierOptsOrResult": {
           "anyOf": [
             {
@@ -4116,6 +4236,15 @@
             "$ref": "#/components/schemas/ExternalIdentifierJwkResult"
           }
         },
+        "identifierExternalResolveByOIDFEntityId": {
+          "description": "",
+          "arguments": {
+            "$ref": "#/components/schemas/ExternalIdentifierOIDFEntityIdOpts"
+          },
+          "returnType": {
+            "$ref": "#/components/schemas/ExternalIdentifierOIDFEntityIdResult"
+          }
+        },
         "identifierExternalResolveByX5c": {
           "description": "",
           "arguments": {

package/src/agent/IdentifierResolution.ts

@@ -1,5 +1,5 @@
 import { IAgentContext, IAgentPlugin, IDIDManager, IKeyManager } from '@veramo/core'
-import { schema } from '..'
+import { ExternalIdentifierOIDFEntityIdOpts, ExternalIdentifierOIDFEntityIdResult, schema } from '..'
 import { resolveExternalIdentifier, ensureManagedIdentifierResult } from '../functions'
 import {
   ExternalIdentifierDidOpts,
@@ -30,6 +30,7 @@ import {
   ManagedIdentifierOptsOrResult,
   ManagedIdentifierOID4VCIssuerOpts
 } from '../types'
+import { IOIDFClient } from '@sphereon/ssi-sdk.oidf-client'
 
 /**
  * @public
@@ -53,6 +54,7 @@ export class IdentifierResolution implements IAgentPlugin {
     identifierExternalResolveByX5c: this.identifierExternalResolveByX5c.bind(this),
     identifierExternalResolveByJwk: this.identifierExternalResolveByJwk.bind(this),
     identifierExternalResolveByCoseKey: this.identifierExternalResolveByCoseKey.bind(this),
+    identifierExternalResolveByOIDFEntityId: this.identifierExternalResolveByOIDFEntityId.bind(this),
 
     // todo: JWKSet, oidc-discovery, oid4vci-issuer etc. Anything we already can resolve and need keys of
   }
@@ -127,7 +129,7 @@ export class IdentifierResolution implements IAgentPlugin {
     return (await this.identifierGetManaged({ ...args, method: 'x5c' }, context)) as ManagedIdentifierX5cResult
   }
 
-  private async identifierResolveExternal(args: ExternalIdentifierOpts, context: IAgentContext<IKeyManager>): Promise<ExternalIdentifierResult> {
+  private async identifierResolveExternal(args: ExternalIdentifierOpts, context: IAgentContext<IKeyManager | IOIDFClient>): Promise<ExternalIdentifierResult> {
     return await resolveExternalIdentifier({ ...args, crypto: this._crypto }, context)
   }
 
@@ -145,7 +147,12 @@ export class IdentifierResolution implements IAgentPlugin {
   ): Promise<ExternalIdentifierCoseKeyResult> {
     return (await this.identifierResolveExternal({ ...args, method: 'cose_key' }, context)) as ExternalIdentifierCoseKeyResult
   }
+  
   private async identifierExternalResolveByJwk(args: ExternalIdentifierJwkOpts, context: IAgentContext<any>): Promise<ExternalIdentifierJwkResult> {
     return (await this.identifierResolveExternal({ ...args, method: 'jwk' }, context)) as ExternalIdentifierJwkResult
   }
+  
+  private async identifierExternalResolveByOIDFEntityId(args: ExternalIdentifierOIDFEntityIdOpts, context: IAgentContext<IOIDFClient>): Promise<ExternalIdentifierOIDFEntityIdResult> {
+    return (await this.identifierResolveExternal({ ...args, method: 'entity_id' }, context)) as ExternalIdentifierOIDFEntityIdResult
+  }
 }

package/src/functions/LegacySupport.ts

@@ -20,7 +20,7 @@ export function legacyKeyRefsToIdentifierOpts(opts: {
       opts.keyRef ??
       opts.didOpts?.idOpts?.kmsKeyRef ??
       opts.didOpts?.kid ??
-      opts.didOpts.idOpts?.kid ??
+      opts.didOpts?.idOpts?.kid ??
       (typeof opts.didOpts?.idOpts.identifier === 'object' ? (opts.didOpts?.idOpts.identifier as IIdentifier).keys[0].kid : undefined)
     if (!kmsKeyRef) {
       throw Error('Key ref is needed for access token signer')

package/src/functions/externalIdentifierFunctions.ts

@@ -31,8 +31,11 @@ import {
   isExternalIdentifierJwksUrlOpts,
   isExternalIdentifierKidOpts,
   isExternalIdentifierOidcDiscoveryOpts,
+  isExternalIdentifierOIDFEntityIdOpts,
   isExternalIdentifierX5cOpts,
 } from '../types'
+import { resolveExternalOIDFEntityIdIdentifier } from '.'
+
 
 export async function resolveExternalIdentifier(
   opts: ExternalIdentifierOpts & {
@@ -49,13 +52,15 @@ export async function resolveExternalIdentifier(
     return resolveExternalJwkIdentifier(opts, context)
   } else if (isExternalIdentifierCoseKeyOpts(opts)) {
     return resolveExternalCoseKeyIdentifier(opts, context)
+  } else if (isExternalIdentifierOIDFEntityIdOpts(opts)) {
+    return resolveExternalOIDFEntityIdIdentifier(opts, context)
   } else if (isExternalIdentifierKidOpts(opts)) {
     method = 'kid'
   } else if (isExternalIdentifierJwksUrlOpts(opts)) {
     method = 'jwks-url'
   } else if (isExternalIdentifierOidcDiscoveryOpts(opts)) {
     method = 'oidc-discovery'
-  }
+  } 
   throw Error(`External resolution method ${method} is not yet implemented`)
 }
 

package/src/functions/externalOIDFIdentifier.ts

@@ -0,0 +1,95 @@
+import {
+  ErrorMessage,
+  ExternalIdentifierOIDFEntityIdOpts,
+  ExternalIdentifierOIDFEntityIdResult, ExternalJwkInfo,
+  PublicKeyHex,
+  TrustedAnchor,
+} from '../types'
+import { IAgentContext } from '@veramo/core'
+import { IOIDFClient } from '@sphereon/ssi-sdk.oidf-client'
+import { contextHasPlugin } from '@sphereon/ssi-sdk.agent-config'
+import { JWK } from '@sphereon/ssi-types'
+import { IJwsValidationResult, VerifyJwsArgs } from '../types/IJwtService'
+
+/**
+ * Resolves an OIDF Entity ID against multiple trust anchors to establish trusted relationships
+ *
+ * @param opts Configuration options containing the identifier to resolve and trust anchors to validate against
+ * @param context Agent context that must include the OIDF client plugin and JWT verification capabilities
+ *
+ * @returns Promise resolving to an ExternalIdentifierOIDFEntityIdResult containing:
+ *  - trustedAnchors: Record mapping trust anchors to their public key hexes
+ *  - errorList: Optional record of errors encountered per trust anchor
+ *  - jwks: Array of JWK information from the trust chain
+ *  - trustEstablished: Boolean indicating if any trust relationships were established
+ *
+ * @throws Error if trust anchors are missing or JWT verification plugin is not enabled
+ */
+export async function resolveExternalOIDFEntityIdIdentifier(
+  opts: ExternalIdentifierOIDFEntityIdOpts,
+  context: IAgentContext<IOIDFClient>
+): Promise<ExternalIdentifierOIDFEntityIdResult> {
+  let { trustAnchors, identifier } = opts
+
+  if (!trustAnchors || trustAnchors.length === 0) {
+    return Promise.reject(Error('ExternalIdentifierOIDFEntityIdOpts is missing the trustAnchors'))
+  }
+
+  if (!contextHasPlugin(context, 'jwtVerifyJwsSignature')) {
+    return Promise.reject(Error('For OIDFEntityId resolving the agent needs to have the JwtService plugin enabled'))
+  }
+
+  const trustedAnchors: Record<TrustedAnchor, PublicKeyHex> = {}
+  const errorList: Record<TrustedAnchor, ErrorMessage> = {}
+  const jwkInfos: Array<ExternalJwkInfo> = []
+
+  for (const trustAnchor of trustAnchors) {
+    const resolveResult = await context.agent.resolveTrustChain({
+      entityIdentifier: identifier,
+      trustAnchors: [trustAnchor]
+    })
+
+    if (resolveResult.error || !resolveResult.trustChain) {
+      errorList[trustAnchor] = resolveResult.errorMessage ?? 'unspecified'
+    } else {
+      const trustChain: ReadonlyArray<string> = resolveResult.trustChain.asJsReadonlyArrayView()
+      let authorityJWK:JWK | undefined = undefined
+      for (const [i, jwt] of [...trustChain].reverse().entries()) {
+        const isLast = i === trustChain.length - 1
+
+        const verifyArgs:VerifyJwsArgs = {jws: jwt}
+        if(authorityJWK && !isLast) {
+          verifyArgs.jwk = authorityJWK
+        }
+        const jwtVerifyResult:IJwsValidationResult = await context.agent.jwtVerifyJwsSignature(verifyArgs)
+        if(jwtVerifyResult.error || jwtVerifyResult.critical) {
+          errorList[trustAnchor] = jwtVerifyResult.message
+          break
+        }
+        if(jwtVerifyResult.jws.signatures.length === 0) {
+          errorList[trustAnchor] = 'No signature was present in the trust anchor JWS'
+          break
+        }
+        const signature = jwtVerifyResult.jws.signatures[0]
+        if(signature.identifier.jwks.length === 0) {
+          errorList[trustAnchor] = 'No JWK was present in the trust anchor signature'
+          break
+        }
+        const jwkInfo:ExternalJwkInfo = signature.identifier.jwks[0]
+        if(!authorityJWK) {
+          authorityJWK = jwkInfo.jwk
+          jwkInfos.push(jwkInfo)
+          trustedAnchors[trustAnchor] = signature.publicKeyHex // When we have multiple hits from different trust anchor authorities the caller can infer which signature came from which trust anchor  
+        }
+      }
+    }
+  }
+
+  return {
+    method: 'entity_id',
+    trustedAnchors,
+    ...(Object.keys(errorList).length > 0 && { errorList }),
+    jwks: jwkInfos,
+    trustEstablished: Object.keys(trustedAnchors).length > 0
+  }
+}

package/src/functions/index.ts

@@ -1,3 +1,4 @@
 export * from './managedIdentifierFunctions'
 export * from './externalIdentifierFunctions'
+export * from './externalOIDFIdentifier'
 export * from './LegacySupport'

package/src/types/IIdentifierResolution.ts

@@ -3,7 +3,7 @@ import {
   ExternalIdentifierCoseKeyOpts,
   ExternalIdentifierCoseKeyResult,
   ExternalIdentifierDidOpts,
-  ExternalIdentifierDidResult,
+  ExternalIdentifierDidResult, ExternalIdentifierOIDFEntityIdOpts, ExternalIdentifierOIDFEntityIdResult,
   ExternalIdentifierJwkOpts,
   ExternalIdentifierJwkResult,
   ExternalIdentifierOpts,
@@ -29,6 +29,7 @@ import {
   ManagedIdentifierX5cOpts,
   ManagedIdentifierX5cResult,
 } from './managedIdentifierTypes'
+import { IOIDFClient } from '@sphereon/ssi-sdk.oidf-client'
 
 // Exposing the methods here for any REST implementation
 export const identifierResolutionContextMethods: Array<string> = [
@@ -45,6 +46,7 @@ export const identifierResolutionContextMethods: Array<string> = [
   'identifierExternalResolveByX5c',
   'identifierExternalResolveByJwk',
   'identifierExternalResolveByCoseKey',
+  'identifierExternalResolveByOIDFEntityId',
 ]
 
 /**
@@ -99,4 +101,6 @@ export interface IIdentifierResolution extends IPluginMethodMap {
   identifierExternalResolveByCoseKey(args: ExternalIdentifierCoseKeyOpts, context: IAgentContext<any>): Promise<ExternalIdentifierCoseKeyResult>
 
   identifierExternalResolveByX5c(args: ExternalIdentifierX5cOpts, context: IAgentContext<any>): Promise<ExternalIdentifierX5cResult>
+  
+  identifierExternalResolveByOIDFEntityId(args: ExternalIdentifierOIDFEntityIdOpts, context: IAgentContext<IOIDFClient>): Promise<ExternalIdentifierOIDFEntityIdResult>
 }

package/src/types/IJwtService.d.ts

@@ -0,0 +1,226 @@
+
+// Copy of jwt-service typings since we cannot include that as devDependency due to cyclic dep
+
+import { ExternalIdentifierDidOpts, ExternalIdentifierResult, ExternalIdentifierX5cOpts, IIdentifierResolution, ManagedIdentifierOptsOrResult, ManagedIdentifierResult } from '@sphereon/ssi-sdk-ext.identifier-resolution';
+import { ClientIdScheme } from '@sphereon/ssi-sdk-ext.x509-utils';
+import { BaseJWK, IValidationResult, JoseSignatureAlgorithm, JoseSignatureAlgorithmString, JWK } from '@sphereon/ssi-types';
+import { IAgentContext, IKeyManager, IPluginMethodMap } from '@veramo/core';
+export type IRequiredContext = IAgentContext<IIdentifierResolution & IKeyManager>;
+export declare const jwtServiceContextMethods: Array<string>;
+export interface IJwtService extends IPluginMethodMap {
+    jwtPrepareJws(args: CreateJwsJsonArgs, context: IRequiredContext): Promise<PreparedJwsObject>;
+    jwtCreateJwsJsonGeneralSignature(args: CreateJwsJsonArgs, context: IRequiredContext): Promise<JwsJsonGeneral>;
+    jwtCreateJwsJsonFlattenedSignature(args: CreateJwsFlattenedArgs, context: IRequiredContext): Promise<JwsJsonFlattened>;
+    jwtCreateJwsCompactSignature(args: CreateJwsCompactArgs, context: IRequiredContext): Promise<JwtCompactResult>;
+    jwtVerifyJwsSignature(args: VerifyJwsArgs, context: IRequiredContext): Promise<IJwsValidationResult>;
+    jwtEncryptJweCompactJwt(args: EncryptJweCompactJwtArgs, context: IRequiredContext): Promise<JwtCompactResult>;
+    jwtDecryptJweCompactJwt(args: DecryptJweCompactJwtArgs, context: IRequiredContext): Promise<JwtCompactResult>;
+}
+export type IJwsValidationResult = IValidationResult & {
+    jws: JwsJsonGeneralWithIdentifiers;
+};
+export interface PreparedJws {
+    protectedHeader: JwsHeader;
+    payload: Uint8Array;
+    unprotectedHeader?: JwsHeader;
+    existingSignatures?: Array<JwsJsonSignature>;
+}
+export interface JwsJsonSignature {
+    protected: string;
+    header?: JwsHeader;
+    signature: string;
+}
+/**
+ * The JWK representation of an ephemeral public key.
+ * See https://www.rfc-editor.org/rfc/rfc7518.html#section-6
+ */
+export type EphemeralPublicKey = Omit<BaseJWK, 'alg'>;
+export interface JweHeader extends Omit<BaseJwtHeader, 'alg'> {
+    alg: string;
+    enc: string;
+    jku?: string;
+    jwk?: BaseJWK;
+    epk?: EphemeralPublicKey;
+    x5u?: string;
+    x5c?: string[];
+    x5t?: string;
+    cty?: string;
+    crit?: string[];
+    [k: string]: any;
+}
+export interface JweRecipientUnprotectedHeader {
+    alg: string;
+    iv: string;
+    tag: string;
+    epk?: EphemeralPublicKey;
+    kid?: string;
+    apv?: string;
+    apu?: string;
+}
+export interface JweProtectedHeader extends Partial<JweHeader> {
+    zip?: 'DEF' | string;
+}
+export type Jws = JwsCompact | JwsJsonFlattened | JwsJsonGeneral;
+export type JwsCompact = string;
+export interface JwsJsonFlattened {
+    payload: string;
+    protected: string;
+    header?: JwsHeader;
+    signature: string;
+}
+export interface JwsJsonGeneral {
+    payload: string;
+    signatures: Array<JwsJsonSignature>;
+}
+export interface JwsJsonGeneralWithIdentifiers extends JwsJsonGeneral {
+    signatures: Array<JwsJsonSignatureWithIdentifier>;
+}
+export interface JwsJsonSignatureWithIdentifier extends JwsJsonSignature {
+    identifier: ExternalIdentifierResult;
+    publicKeyHex: string;
+}
+export type Jwe = JweCompact | JweJsonFlattened | JweJsonGeneral;
+export type JweCompact = string;
+export interface JweJsonFlattened {
+    protected: string;
+    unprotected: JweHeader;
+    header: JweHeader | JweRecipientUnprotectedHeader;
+    encrypted_key?: string;
+    aad?: string;
+    iv: string;
+    ciphertext: string;
+    tag?: string;
+}
+export interface JweRecipient {
+    header?: JweRecipientUnprotectedHeader;
+    encrypted_key?: string;
+}
+export interface JweJsonGeneral {
+    protected: string;
+    unprotected?: JweHeader;
+    recipients: Array<JweRecipient>;
+    aad?: string;
+    iv: string;
+    ciphertext: string;
+    tag?: string;
+}
+export interface PreparedJwsObject {
+    jws: PreparedJws;
+    b64: {
+        payload: string;
+        protectedHeader: string;
+    };
+    identifier: ManagedIdentifierResult;
+}
+export interface BaseJwtHeader {
+    typ?: string;
+    alg?: string;
+    kid?: string;
+}
+export interface BaseJwtPayload {
+    iss?: string;
+    sub?: string;
+    aud?: string[] | string;
+    exp?: number;
+    nbf?: number;
+    iat?: number;
+    jti?: string;
+}
+export interface JwsHeader extends BaseJwtHeader {
+    kid?: string;
+    jwk?: JWK;
+    x5c?: string[];
+    [key: string]: unknown;
+}
+export interface JwsPayload extends BaseJwtPayload {
+    [key: string]: unknown;
+}
+export interface JwsHeaderOpts {
+    alg: JoseSignatureAlgorithm | JoseSignatureAlgorithmString;
+}
+export type JwsIdentifierMode = 'x5c' | 'kid' | 'jwk' | 'did' | 'auto';
+export type EncryptJweCompactJwtArgs = {
+    payload: JwsPayload;
+    protectedHeader?: JweProtectedHeader | undefined;
+    aad?: Uint8Array | undefined;
+    recipientKey: ExternalIdentifierResult & {
+        kid?: string;
+    };
+    alg?: JweAlg;
+    enc?: JweEnc;
+    apu?: string;
+    apv?: string;
+    expirationTime?: number | string | Date;
+    issuer?: string;
+    audience?: string | string[];
+};
+export type DecryptJweCompactJwtArgs = {
+    jwe: JweCompact;
+    idOpts: ManagedIdentifierOptsOrResult;
+};
+export type CreateJwsArgs = {
+    mode?: JwsIdentifierMode;
+    issuer: ManagedIdentifierOptsOrResult & {
+        noIssPayloadUpdate?: boolean;
+        noIdentifierInHeader?: boolean;
+    };
+    clientId?: string;
+    clientIdScheme?: ClientIdScheme | 'did' | string;
+    protectedHeader: JwsHeader;
+    payload: JwsPayload | Uint8Array | string;
+};
+export type CreateJweArgs = {
+    mode?: JwsIdentifierMode;
+    issuer: ManagedIdentifierOptsOrResult & {
+        noIssPayloadUpdate?: boolean;
+        noIdentifierInHeader?: boolean;
+    };
+    protectedHeader: JweProtectedHeader;
+    encryptedKey: string | EphemeralPublicKey;
+    iv: string;
+    ciphertext: string;
+    tag: string;
+};
+export type CreateJwsCompactArgs = CreateJwsArgs;
+export type CreateJwsFlattenedArgs = Exclude<CreateJwsJsonArgs, 'existingSignatures'>;
+export type VerifyJwsArgs = {
+    jws: Jws;
+    jwk?: JWK;
+    opts?: {
+        x5c?: Omit<ExternalIdentifierX5cOpts, 'identifier'>;
+        did?: Omit<ExternalIdentifierDidOpts, 'identifier'>;
+    };
+};
+/**
+ * @public
+ */
+export type CreateJwsJsonArgs = CreateJwsArgs & {
+    unprotectedHeader?: JwsHeader;
+    existingSignatures?: Array<JwsJsonSignature>;
+};
+export type CreateJweJsonArgs = CreateJweArgs & {
+    unprotectedHeader?: JweHeader;
+};
+/**
+ * @public
+ */
+export interface JwtCompactResult {
+    jwt: JwsCompact | JweCompact;
+}
+export declare function isJwsCompact(jws: Jws): jws is JwsCompact;
+export declare function isJweCompact(jwe: Jwe): jwe is JweCompact;
+export declare function isJwsJsonFlattened(jws: Jws): jws is JwsJsonFlattened;
+export declare function isJwsJsonGeneral(jws: Jws): jws is JwsJsonGeneral;
+export declare function isJweJsonFlattened(jwe: Jwe): jwe is JweJsonFlattened;
+export declare function isJweJsonGeneral(jwe: Jwe): jwe is JweJsonGeneral;
+export declare function isJwsHeader(header: BaseJwtHeader & Record<string, any>): header is JwsHeader;
+export declare function isJweHeader(header: BaseJwtHeader & Record<string, any>): header is JweHeader;
+export declare const COMPACT_JWS_REGEX: RegExp;
+export declare const COMPACT_JWE_REGEX: RegExp;
+export declare const JweAlgs: readonly ["RSA1_5", "RSA-OAEP", "RSA-OAEP-256", "A128KW", "A192KW", "A256KW", "dir", "ECDH-ES", "ECDH-ES+A128KW", "ECDH-ES+A192KW", "ECDH-ES+A256KW", "A128GCMKW", "A192GCMKW", "A256GCMKW", "PBES2-HS256+A128KW", "PBES2-HS384+A192KW", "PBES2-HS512+A256KW"];
+export type JweAlg = typeof JweAlgs[number];
+export declare function jweAlg(alg?: string | JweAlg): JweAlg | undefined;
+export declare const JweEncs: readonly ["A128CBC-HS256", "A192CBC-HS384", "A256CBC-HS512", "A128GCM", "A192GCM", "A256GCM"];
+export type JweEnc = typeof JweEncs[number];
+export declare function jweEnc(alg?: string | JweEnc): JweEnc | undefined;
+//# sourceMappingURL=IJwtService.d.ts.map

package/src/types/common.ts

@@ -50,6 +50,10 @@ export function isCoseKeyIdentifier(identifier: ManagedIdentifierType): identifi
   return typeof identifier === 'object' && `kty` in identifier && ('baseIV' in identifier || 'x5chain' in identifier) && !('x5c' in identifier)
 }
 
+export function isOIDFEntityIdIdentifier(identifier: ManagedIdentifierType): identifier is ICoseKeyJson {
+  return typeof identifier === 'string' && identifier.startsWith('https://') 
+}
+
 export function isX5cIdentifier(identifier: ManagedIdentifierType | ExternalIdentifierType): identifier is string[] {
   return Array.isArray(identifier) && identifier.length > 0 // todo: Do we want to do additional validation? We know it must be DER and thus hex for instance
 }