@sphereon/ssi-sdk-ext.key-utils 0.26.1-next.11 → 0.26.1-next.14

package/src/functions.ts

@@ -1,22 +1,37 @@
-import { randomBytes } from '@ethersproject/random'
-import { generateRSAKeyAsPEM, hexToBase64, hexToPEM, PEMToJwk, privateKeyHexFromPEM } from '@sphereon/ssi-sdk-ext.x509-utils'
-import { JoseCurve, JoseSignatureAlgorithm, JwkKeyType, JWK, Loggers } from '@sphereon/ssi-types'
-import { generateKeyPair as generateSigningKeyPair } from '@stablelib/ed25519'
-import { IAgentContext, IKey, IKeyManager, ManagedKeyInfo, MinimalImportableKey } from '@veramo/core'
-
-import { JsonWebKey } from 'did-resolver'
+import {randomBytes} from '@ethersproject/random'
+import {bls12_381} from "@noble/curves/bls12-381";
+import {ed25519} from '@noble/curves/ed25519';
+import {p256} from '@noble/curves/p256';
+import {p384} from "@noble/curves/p384";
+import {p521} from "@noble/curves/p521";
+import {secp256k1} from '@noble/curves/secp256k1';
+import {sha256, sha384, sha512} from '@noble/hashes/sha2'
+import {
+    generateRSAKeyAsPEM,
+    hexToBase64,
+    hexToPEM,
+    PEMToJwk,
+    privateKeyHexFromPEM
+} from '@sphereon/ssi-sdk-ext.x509-utils'
+import {JoseCurve, JoseSignatureAlgorithm, JWK, JwkKeyType, Loggers} from '@sphereon/ssi-types'
+import {generateKeyPair as generateSigningKeyPair} from '@stablelib/ed25519'
+import {IAgentContext, IKey, IKeyManager, ManagedKeyInfo, MinimalImportableKey} from '@veramo/core'
+
+import {JsonWebKey} from 'did-resolver'
 import elliptic from 'elliptic'
+import * as rsa from 'micro-rsa-dsa-dh/rsa.js';
 import * as u8a from 'uint8arrays'
-import { digestMethodParams } from './digest-methods'
+import {digestMethodParams} from './digest-methods'
+import {validateJwk} from "./jwk-jcs";
 import {
-  ENC_KEY_ALGS,
-  IImportProvidedOrGeneratedKeyArgs,
-  JwkKeyUse,
-  KeyTypeFromCryptographicSuiteArgs,
-  SIG_KEY_ALGS,
-  SignatureAlgorithmFromKeyArgs,
-  SignatureAlgorithmFromKeyTypeArgs,
-  TKeyType,
+    ENC_KEY_ALGS,
+    IImportProvidedOrGeneratedKeyArgs,
+    JwkKeyUse,
+    KeyTypeFromCryptographicSuiteArgs,
+    SIG_KEY_ALGS,
+    SignatureAlgorithmFromKeyArgs,
+    SignatureAlgorithmFromKeyTypeArgs,
+    TKeyType,
 } from './types'
 
 export const logger = Loggers.DEFAULT.get('sphereon:key-utils')
@@ -28,13 +43,13 @@ export const logger = Loggers.DEFAULT.get('sphereon:key-utils')
  * @param kms. Optional KMS to use. If provided will be the returned name. Otherwise the default KMS will be returned
  */
 export const getKms = async (context: IAgentContext<any>, kms?: string): Promise<string> => {
-  if (kms) {
-    return kms
-  }
-  if (!context.agent.availableMethods().includes('keyManagerGetDefaultKeyManagementSystem')) {
-    throw Error('Cannot determine default KMS if not provided and a non Sphereon Key Manager is being used')
-  }
-  return context.agent.keyManagerGetDefaultKeyManagementSystem()
+    if (kms) {
+        return kms
+    }
+    if (!context.agent.availableMethods().includes('keyManagerGetDefaultKeyManagementSystem')) {
+        throw Error('Cannot determine default KMS if not provided and a non Sphereon Key Manager is being used')
+    }
+    return context.agent.keyManagerGetDefaultKeyManagementSystem()
 }
 
 /**
@@ -43,41 +58,41 @@ export const getKms = async (context: IAgentContext<any>, kms?: string): Promise
  * @return The private key in Hex form
  */
 export const generatePrivateKeyHex = async (type: TKeyType): Promise<string> => {
-  switch (type) {
-    case 'Ed25519': {
-      const keyPairEd25519 = generateSigningKeyPair()
-      return u8a.toString(keyPairEd25519.secretKey, 'base16')
+    switch (type) {
+        case 'Ed25519': {
+            const keyPairEd25519 = generateSigningKeyPair()
+            return u8a.toString(keyPairEd25519.secretKey, 'base16')
+        }
+        // The Secp256 types use the same method to generate the key
+        case 'Secp256r1':
+        case 'Secp256k1': {
+            const privateBytes = randomBytes(32)
+            return u8a.toString(privateBytes, 'base16')
+        }
+        case 'RSA': {
+            const pem = await generateRSAKeyAsPEM('RSA-PSS', 'SHA-256', 2048)
+            return privateKeyHexFromPEM(pem)
+        }
+        default:
+            throw Error(`not_supported: Key type ${type} not yet supported for this did:jwk implementation`)
     }
-    // The Secp256 types use the same method to generate the key
-    case 'Secp256r1':
-    case 'Secp256k1': {
-      const privateBytes = randomBytes(32)
-      return u8a.toString(privateBytes, 'base16')
-    }
-    case 'RSA': {
-      const pem = await generateRSAKeyAsPEM('RSA-PSS', 'SHA-256', 2048)
-      return privateKeyHexFromPEM(pem)
-    }
-    default:
-      throw Error(`not_supported: Key type ${type} not yet supported for this did:jwk implementation`)
-  }
 }
 
 const keyMetaAlgorithmsFromKeyType = (type: string | TKeyType) => {
-  switch (type) {
-    case 'Ed25519':
-      return ['Ed25519', 'EdDSA']
-    case 'ES256K':
-    case 'Secp256k1':
-      return ['ES256K', 'ES256K-R', 'eth_signTransaction', 'eth_signTypedData', 'eth_signMessage', 'eth_rawSign']
-    case 'Secp256r1':
-      return ['ES256']
-    case 'X25519':
-      return ['ECDH', 'ECDH-ES', 'ECDH-1PU']
-    case 'RSA':
-      return ['RS256', 'RS512', 'PS256', 'PS512']
-  }
-  return [type]
+    switch (type) {
+        case 'Ed25519':
+            return ['Ed25519', 'EdDSA']
+        case 'ES256K':
+        case 'Secp256k1':
+            return ['ES256K', 'ES256K-R', 'eth_signTransaction', 'eth_signTypedData', 'eth_signMessage', 'eth_rawSign']
+        case 'Secp256r1':
+            return ['ES256']
+        case 'X25519':
+            return ['ECDH', 'ECDH-ES', 'ECDH-1PU']
+        case 'RSA':
+            return ['RS256', 'RS512', 'PS256', 'PS512']
+    }
+    return [type]
 }
 
 /**
@@ -88,78 +103,78 @@ const keyMetaAlgorithmsFromKeyType = (type: string | TKeyType) => {
  * @private
  */
 export async function importProvidedOrGeneratedKey(
-  args: IImportProvidedOrGeneratedKeyArgs & {
-    kms: string
-  },
-  context: IAgentContext<IKeyManager>
+    args: IImportProvidedOrGeneratedKeyArgs & {
+        kms: string
+    },
+    context: IAgentContext<IKeyManager>
 ): Promise<IKey> {
-  // @ts-ignore
-  const type = args.options?.type ?? args.options?.key?.type ?? args.options?.keyType ?? 'Secp256r1'
-  const key = args?.options?.key
-  // Make sure x509 options are also set on the metadata as that is what the kms will look for
-  if (args.options?.x509 && key) {
-    key.meta = {
-      ...key.meta,
-      x509: {
-        ...args.options.x509,
-        ...key.meta?.x509,
-      },
-    }
-  }
-
-  if (args.options && args.options?.use === JwkKeyUse.Encryption && !ENC_KEY_ALGS.includes(type)) {
-    throw new Error(`${type} keys are not valid for encryption`)
-  }
-
-  let privateKeyHex: string | undefined = undefined
-  if (key) {
-    privateKeyHex = key.privateKeyHex ?? key.meta?.x509?.privateKeyHex
-    if ((!privateKeyHex || privateKeyHex.trim() === '') && key?.meta?.x509?.privateKeyPEM) {
-      // If we do not have a privateKeyHex but do have a PEM
-      privateKeyHex = privateKeyHexFromPEM(key.meta.x509.privateKeyPEM)
-    }
-  }
-  if (privateKeyHex) {
-    return context.agent.keyManagerImport({
-      ...key,
-      kms: args.kms,
-      type,
-      privateKeyHex: privateKeyHex!,
+    // @ts-ignore
+    const type = args.options?.type ?? args.options?.key?.type ?? args.options?.keyType ?? 'Secp256r1'
+    const key = args?.options?.key
+    // Make sure x509 options are also set on the metadata as that is what the kms will look for
+    if (args.options?.x509 && key) {
+        key.meta = {
+            ...key.meta,
+            x509: {
+                ...args.options.x509,
+                ...key.meta?.x509,
+            },
+        }
+    }
+
+    if (args.options && args.options?.use === JwkKeyUse.Encryption && !ENC_KEY_ALGS.includes(type)) {
+        throw new Error(`${type} keys are not valid for encryption`)
+    }
+
+    let privateKeyHex: string | undefined = undefined
+    if (key) {
+        privateKeyHex = key.privateKeyHex ?? key.meta?.x509?.privateKeyHex
+        if ((!privateKeyHex || privateKeyHex.trim() === '') && key?.meta?.x509?.privateKeyPEM) {
+            // If we do not have a privateKeyHex but do have a PEM
+            privateKeyHex = privateKeyHexFromPEM(key.meta.x509.privateKeyPEM)
+        }
+    }
+    if (privateKeyHex) {
+        return context.agent.keyManagerImport({
+            ...key,
+            kms: args.kms,
+            type,
+            privateKeyHex: privateKeyHex!,
+        })
+    }
+
+    return context.agent.keyManagerCreate({
+        type,
+        kms: args.kms,
+        meta: {
+            ...key?.meta,
+            algorithms: keyMetaAlgorithmsFromKeyType(type),
+            keyAlias: args.alias,
+        },
     })
-  }
-
-  return context.agent.keyManagerCreate({
-    type,
-    kms: args.kms,
-    meta: {
-      ...key?.meta,
-      algorithms: keyMetaAlgorithmsFromKeyType(type),
-      keyAlias: args.alias,
-    },
-  })
 }
 
 export const calculateJwkThumbprintForKey = (args: {
-  key: IKey | MinimalImportableKey | ManagedKeyInfo
-  digestAlgorithm?: 'sha256' | 'sha512'
+    key: IKey | MinimalImportableKey | ManagedKeyInfo
+    digestAlgorithm?: 'sha256' | 'sha512'
 }): string => {
-  const { key } = args
-
-  const jwk = key.publicKeyHex
-    ? toJwk(key.publicKeyHex, key.type, { key: key, isPrivateKey: false })
-    : 'privateKeyHex' in key && key.privateKeyHex
-    ? toJwk(key.privateKeyHex, key.type, { isPrivateKey: true })
-    : undefined
-  if (!jwk) {
-    throw Error(`Could not determine jwk from key ${key.kid}`)
-  }
-  return calculateJwkThumbprint({ jwk, digestAlgorithm: args.digestAlgorithm })
+    const {key} = args
+
+    const jwk = key.publicKeyHex
+        ? toJwk(key.publicKeyHex, key.type, {key: key, isPrivateKey: false})
+        : 'privateKeyHex' in key && key.privateKeyHex
+            ? toJwk(key.privateKeyHex, key.type, {isPrivateKey: true})
+            : undefined
+    if (!jwk) {
+        throw Error(`Could not determine jwk from key ${key.kid}`)
+    }
+    return calculateJwkThumbprint({jwk, digestAlgorithm: args.digestAlgorithm})
 }
 
 const assertJwkClaimPresent = (value: unknown, description: string) => {
-  if (typeof value !== 'string' || !value) {
-    throw new Error(`${description} missing or invalid`)
-  }
+    if (typeof value !== 'string' || !value) {
+        throw new Error(`${description} missing or invalid`)
+    }
 }
 export const toBase64url = (input: string): string => u8a.toString(u8a.fromString(input), 'base64url')
 
@@ -168,48 +183,48 @@ export const toBase64url = (input: string): string => u8a.toString(u8a.fromStrin
  * @param args
  */
 export const calculateJwkThumbprint = (args: { jwk: JWK; digestAlgorithm?: 'sha256' | 'sha512' }): string => {
-  const { jwk, digestAlgorithm = 'sha256' } = args
-  let components
-  switch (jwk.kty) {
-    case 'EC':
-      assertJwkClaimPresent(jwk.crv, '"crv" (Curve) Parameter')
-      assertJwkClaimPresent(jwk.x, '"x" (X Coordinate) Parameter')
-      assertJwkClaimPresent(jwk.y, '"y" (Y Coordinate) Parameter')
-      components = { crv: jwk.crv, kty: jwk.kty, x: jwk.x, y: jwk.y }
-      break
-    case 'OKP':
-      assertJwkClaimPresent(jwk.crv, '"crv" (Subtype of Key Pair) Parameter')
-      assertJwkClaimPresent(jwk.x, '"x" (Public Key) Parameter')
-      components = { crv: jwk.crv, kty: jwk.kty, x: jwk.x }
-      break
-    case 'RSA':
-      assertJwkClaimPresent(jwk.e, '"e" (Exponent) Parameter')
-      assertJwkClaimPresent(jwk.n, '"n" (Modulus) Parameter')
-      components = { e: jwk.e, kty: jwk.kty, n: jwk.n }
-      break
-    case 'oct':
-      assertJwkClaimPresent(jwk.k, '"k" (Key Value) Parameter')
-      components = { k: jwk.k, kty: jwk.kty }
-      break
-    default:
-      throw new Error('"kty" (Key Type) Parameter missing or unsupported')
-  }
-  const data = JSON.stringify(components)
-
-  return digestAlgorithm === 'sha512'
-    ? digestMethodParams('SHA-512').digestMethod(data, 'base64url')
-    : digestMethodParams('SHA-256').digestMethod(data, 'base64url')
+    const {jwk, digestAlgorithm = 'sha256'} = args
+    let components
+    switch (jwk.kty) {
+        case 'EC':
+            assertJwkClaimPresent(jwk.crv, '"crv" (Curve) Parameter')
+            assertJwkClaimPresent(jwk.x, '"x" (X Coordinate) Parameter')
+            assertJwkClaimPresent(jwk.y, '"y" (Y Coordinate) Parameter')
+            components = {crv: jwk.crv, kty: jwk.kty, x: jwk.x, y: jwk.y}
+            break
+        case 'OKP':
+            assertJwkClaimPresent(jwk.crv, '"crv" (Subtype of Key Pair) Parameter')
+            assertJwkClaimPresent(jwk.x, '"x" (Public Key) Parameter')
+            components = {crv: jwk.crv, kty: jwk.kty, x: jwk.x}
+            break
+        case 'RSA':
+            assertJwkClaimPresent(jwk.e, '"e" (Exponent) Parameter')
+            assertJwkClaimPresent(jwk.n, '"n" (Modulus) Parameter')
+            components = {e: jwk.e, kty: jwk.kty, n: jwk.n}
+            break
+        case 'oct':
+            assertJwkClaimPresent(jwk.k, '"k" (Key Value) Parameter')
+            components = {k: jwk.k, kty: jwk.kty}
+            break
+        default:
+            throw new Error('"kty" (Key Type) Parameter missing or unsupported')
+    }
+    const data = JSON.stringify(components)
+
+    return digestAlgorithm === 'sha512'
+        ? digestMethodParams('SHA-512').digestMethod(data, 'base64url')
+        : digestMethodParams('SHA-256').digestMethod(data, 'base64url')
 }
 
 export const toJwkFromKey = (
-  key: IKey | MinimalImportableKey | ManagedKeyInfo,
-  opts?: {
-    use?: JwkKeyUse
-    noKidThumbprint?: boolean
-  }
+    key: IKey | MinimalImportableKey | ManagedKeyInfo,
+    opts?: {
+        use?: JwkKeyUse
+        noKidThumbprint?: boolean
+    }
 ): JWK => {
-  const isPrivateKey = 'privateKeyHex' in key
-  return toJwk(key.publicKeyHex!, key.type, { ...opts, key, isPrivateKey })
+    const isPrivateKey = 'privateKeyHex' in key
+    return toJwk(key.publicKeyHex!, key.type, {...opts, key, isPrivateKey})
 }
 
 /**
@@ -220,38 +235,122 @@ export const toJwkFromKey = (
  * @return The JWK
  */
 export const toJwk = (
-  publicKeyHex: string,
-  type: TKeyType,
-  opts?: { use?: JwkKeyUse; key?: IKey | MinimalImportableKey; isPrivateKey?: boolean; noKidThumbprint?: boolean }
+    publicKeyHex: string,
+    type: TKeyType,
+    opts?: { use?: JwkKeyUse; key?: IKey | MinimalImportableKey; isPrivateKey?: boolean; noKidThumbprint?: boolean }
 ): JWK => {
-  const { key, noKidThumbprint = false } = opts ?? {}
-  if (key && key.publicKeyHex !== publicKeyHex && opts?.isPrivateKey !== true) {
-    throw Error(`Provided key with id ${key.kid}, has a different public key hex ${key.publicKeyHex} than supplied public key ${publicKeyHex}`)
-  }
-  let jwk: JWK
-  switch (type) {
-    case 'Ed25519':
-      jwk = toEd25519OrX25519Jwk(publicKeyHex, { ...opts, crv: JoseCurve.Ed25519 })
-      break
-    case 'X25519':
-      jwk = toEd25519OrX25519Jwk(publicKeyHex, { ...opts, crv: JoseCurve.X25519 })
-      break
-    case 'Secp256k1':
-      jwk = toSecp256k1Jwk(publicKeyHex, opts)
-      break
-    case 'Secp256r1':
-      jwk = toSecp256r1Jwk(publicKeyHex, opts)
-      break
-    case 'RSA':
-      jwk = toRSAJwk(publicKeyHex, opts)
-      break
-    default:
-      throw new Error(`not_supported: Key type ${type} not yet supported for this did:jwk implementation`)
-  }
-  if (!jwk.kid && !noKidThumbprint) {
-    jwk['kid'] = calculateJwkThumbprint({ jwk })
-  }
-  return jwk
+    const {key, noKidThumbprint = false} = opts ?? {}
+    if (key && key.publicKeyHex !== publicKeyHex && opts?.isPrivateKey !== true) {
+        throw Error(`Provided key with id ${key.kid}, has a different public key hex ${key.publicKeyHex} than supplied public key ${publicKeyHex}`)
+    }
+    let jwk: JWK
+    switch (type) {
+        case 'Ed25519':
+            jwk = toEd25519OrX25519Jwk(publicKeyHex, {...opts, crv: JoseCurve.Ed25519})
+            break
+        case 'X25519':
+            jwk = toEd25519OrX25519Jwk(publicKeyHex, {...opts, crv: JoseCurve.X25519})
+            break
+        case 'Secp256k1':
+            jwk = toSecp256k1Jwk(publicKeyHex, opts)
+            break
+        case 'Secp256r1':
+            jwk = toSecp256r1Jwk(publicKeyHex, opts)
+            break
+        case 'RSA':
+            jwk = toRSAJwk(publicKeyHex, opts)
+            break
+        default:
+            throw new Error(`not_supported: Key type ${type} not yet supported for this did:jwk implementation`)
+    }
+    if (!jwk.kid && !noKidThumbprint) {
+        jwk['kid'] = calculateJwkThumbprint({jwk})
+    }
+    return jwk
+}
+
+/**
+ * Convert a JWK to a raw hex key.
+ * Currently supports `RSA` and `EC` keys. Extendable for other key types.
+ * @param jwk - The JSON Web Key object.
+ * @returns A string representing the key in raw hexadecimal format.
+ */
+export const jwkToRawHexKey = async (jwk: JWK): Promise<string> => {
+    // TODO: Probably makes sense to have an option to do the same for private keys
+    if (jwk.kty === 'RSA') {
+        return rsaJwkToRawHexKey(jwk);
+    } else if (jwk.kty === 'EC') {
+        return "04" + ecJwkToRawHexKey(jwk);
+    } else if (jwk.kty === 'OKP') {
+        return okpJwkToRawHexKey(jwk);
+    } else if (jwk.kty === 'oct') {
+        return octJwkToRawHexKey(jwk);
+    } else {
+        throw new Error(`Unsupported key type: ${jwk.kty}`);
+    }
+}
+
+/**
+ * Convert an RSA JWK to a raw hex key.
+ * @param jwk - The RSA JWK object.
+ * @returns A string representing the RSA key in raw hexadecimal format.
+ */
+function rsaJwkToRawHexKey(jwk: JsonWebKey): string {
+    if (!jwk.n || !jwk.e) {
+        throw new Error("RSA JWK must contain 'n' and 'e' properties.");
+    }
+
+    const modulus = u8a.fromString(jwk.n, 'base64url'); // 'n' is the modulus
+    const exponent = u8a.fromString(jwk.e, 'base64url'); // 'e' is the exponent
+
+    return u8a.toString(modulus, 'hex') + u8a.toString(exponent, 'hex');
+}
+
+/**
+ * Convert an EC JWK to a raw hex key.
+ * @param jwk - The EC JWK object.
+ * @returns A string representing the EC key in raw hexadecimal format.
+ */
+function ecJwkToRawHexKey(jwk: JsonWebKey): string {
+    if (!jwk.x || !jwk.y) {
+        throw new Error("EC JWK must contain 'x' and 'y' properties.");
+    }
+
+    const x = u8a.fromString(jwk.x, 'base64url');
+    const y = u8a.fromString(jwk.y, 'base64url');
+
+    return u8a.toString(x, 'hex') + u8a.toString(y, 'hex');
+}
+
+/**
+ * Convert an EC JWK to a raw hex key.
+ * @param jwk - The EC JWK object.
+ * @returns A string representing the EC key in raw hexadecimal format.
+ */
+function okpJwkToRawHexKey(jwk: JsonWebKey): string {
+    if (!jwk.x) {
+        throw new Error("OKP JWK must contain 'x' property.");
+    }
+
+    const x = u8a.fromString(jwk.x, 'base64url');;
+
+    return u8a.toString(x, 'hex');
+}
+
+
+/**
+ * Convert an octet JWK to a raw hex key.
+ * @param jwk - The octet JWK object.
+ * @returns A string representing the octet key in raw hexadecimal format.
+ */
+function octJwkToRawHexKey(jwk: JsonWebKey): string {
+    if (!jwk.k) {
+        throw new Error("Octet JWK must contain 'k' property.");
+    }
+
+    const key = u8a.fromString(jwk.k, 'base64url');
+
+    return u8a.toString(key, 'hex');
 }
 
 /**
@@ -261,13 +360,13 @@ export const toJwk = (
  * @param suppliedUse A supplied use. Will be used in case it is present
  */
 export const jwkDetermineUse = (type: TKeyType, suppliedUse?: JwkKeyUse): JwkKeyUse | undefined => {
-  return suppliedUse
-    ? suppliedUse
-    : SIG_KEY_ALGS.includes(type)
-    ? JwkKeyUse.Signature
-    : ENC_KEY_ALGS.includes(type)
-    ? JwkKeyUse.Encryption
-    : undefined
+    return suppliedUse
+        ? suppliedUse
+        : SIG_KEY_ALGS.includes(type)
+            ? JwkKeyUse.Signature
+            : ENC_KEY_ALGS.includes(type)
+                ? JwkKeyUse.Encryption
+                : undefined
 }
 
 /**
@@ -277,17 +376,17 @@ export const jwkDetermineUse = (type: TKeyType, suppliedUse?: JwkKeyUse): JwkKey
  * @param expectedKeyLength Expected key length(s)
  */
 const assertProperKeyLength = (keyHex: string, expectedKeyLength: number | number[]) => {
-  if (Array.isArray(expectedKeyLength)) {
-    if (!expectedKeyLength.includes(keyHex.length)) {
-      throw Error(
-        `Invalid key length. Needs to be a hex string with length from ${JSON.stringify(expectedKeyLength)} instead of ${
-          keyHex.length
-        }. Input: ${keyHex}`
-      )
+    if (Array.isArray(expectedKeyLength)) {
+        if (!expectedKeyLength.includes(keyHex.length)) {
+            throw Error(
+                `Invalid key length. Needs to be a hex string with length from ${JSON.stringify(expectedKeyLength)} instead of ${
+                    keyHex.length
+                }. Input: ${keyHex}`
+            )
+        }
+    } else if (keyHex.length !== expectedKeyLength) {
+        throw Error(`Invalid key length. Needs to be a hex string with length ${expectedKeyLength} instead of ${keyHex.length}. Input: ${keyHex}`)
     }
-  } else if (keyHex.length !== expectedKeyLength) {
-    throw Error(`Invalid key length. Needs to be a hex string with length ${expectedKeyLength} instead of ${keyHex.length}. Input: ${keyHex}`)
-  }
 }
 
 /**
@@ -297,28 +396,28 @@ const assertProperKeyLength = (keyHex: string, expectedKeyLength: number | numbe
  * @return The JWK
  */
 const toSecp256k1Jwk = (keyHex: string, opts?: { use?: JwkKeyUse; isPrivateKey?: boolean }): JWK => {
-  const { use } = opts ?? {}
-  logger.debug(`toSecp256k1Jwk keyHex: ${keyHex}, length: ${keyHex.length}`)
-  if (opts?.isPrivateKey) {
-    assertProperKeyLength(keyHex, [64])
-  } else {
-    assertProperKeyLength(keyHex, [66, 130])
-  }
-
-  const secp256k1 = new elliptic.ec('secp256k1')
-  const keyBytes = u8a.fromString(keyHex, 'base16')
-  const keyPair = opts?.isPrivateKey ? secp256k1.keyFromPrivate(keyBytes) : secp256k1.keyFromPublic(keyBytes)
-  const pubPoint = keyPair.getPublic()
-
-  return {
-    alg: JoseSignatureAlgorithm.ES256K,
-    ...(use !== undefined && { use }),
-    kty: JwkKeyType.EC,
-    crv: JoseCurve.secp256k1,
-    x: hexToBase64(pubPoint.getX().toString('hex'), 'base64url'),
-    y: hexToBase64(pubPoint.getY().toString('hex'), 'base64url'),
-    ...(opts?.isPrivateKey && { d: hexToBase64(keyPair.getPrivate('hex'), 'base64url') }),
-  }
+    const {use} = opts ?? {}
+    logger.debug(`toSecp256k1Jwk keyHex: ${keyHex}, length: ${keyHex.length}`)
+    if (opts?.isPrivateKey) {
+        assertProperKeyLength(keyHex, [64])
+    } else {
+        assertProperKeyLength(keyHex, [66, 130])
+    }
+
+    const secp256k1 = new elliptic.ec('secp256k1')
+    const keyBytes = u8a.fromString(keyHex, 'base16')
+    const keyPair = opts?.isPrivateKey ? secp256k1.keyFromPrivate(keyBytes) : secp256k1.keyFromPublic(keyBytes)
+    const pubPoint = keyPair.getPublic()
+
+    return {
+        alg: JoseSignatureAlgorithm.ES256K,
+        ...(use !== undefined && {use}),
+        kty: JwkKeyType.EC,
+        crv: JoseCurve.secp256k1,
+        x: hexToBase64(pubPoint.getX().toString('hex'), 'base64url'),
+        y: hexToBase64(pubPoint.getY().toString('hex'), 'base64url'),
+        ...(opts?.isPrivateKey && {d: hexToBase64(keyPair.getPrivate('hex'), 'base64url')}),
+    }
 }
 
 /**
@@ -328,28 +427,28 @@ const toSecp256k1Jwk = (keyHex: string, opts?: { use?: JwkKeyUse; isPrivateKey?:
  * @return The JWK
  */
 const toSecp256r1Jwk = (keyHex: string, opts?: { use?: JwkKeyUse; isPrivateKey?: boolean }): JWK => {
-  const { use } = opts ?? {}
-  logger.debug(`toSecp256r1Jwk keyHex: ${keyHex}, length: ${keyHex.length}`)
-  if (opts?.isPrivateKey) {
-    assertProperKeyLength(keyHex, [64])
-  } else {
-    assertProperKeyLength(keyHex, [66, 130])
-  }
-
-  const secp256r1 = new elliptic.ec('p256')
-  const keyBytes = u8a.fromString(keyHex, 'base16')
-  logger.debug(`keyBytes length: ${keyBytes}`)
-  const keyPair = opts?.isPrivateKey ? secp256r1.keyFromPrivate(keyBytes) : secp256r1.keyFromPublic(keyBytes)
-  const pubPoint = keyPair.getPublic()
-  return {
-    alg: JoseSignatureAlgorithm.ES256,
-    ...(use !== undefined && { use }),
-    kty: JwkKeyType.EC,
-    crv: JoseCurve.P_256,
-    x: hexToBase64(pubPoint.getX().toString('hex'), 'base64url'),
-    y: hexToBase64(pubPoint.getY().toString('hex'), 'base64url'),
-    ...(opts?.isPrivateKey && { d: hexToBase64(keyPair.getPrivate('hex'), 'base64url') }),
-  }
+    const {use} = opts ?? {}
+    logger.debug(`toSecp256r1Jwk keyHex: ${keyHex}, length: ${keyHex.length}`)
+    if (opts?.isPrivateKey) {
+        assertProperKeyLength(keyHex, [64])
+    } else {
+        assertProperKeyLength(keyHex, [66, 130])
+    }
+
+    const secp256r1 = new elliptic.ec('p256')
+    const keyBytes = u8a.fromString(keyHex, 'base16')
+    logger.debug(`keyBytes length: ${keyBytes}`)
+    const keyPair = opts?.isPrivateKey ? secp256r1.keyFromPrivate(keyBytes) : secp256r1.keyFromPublic(keyBytes)
+    const pubPoint = keyPair.getPublic()
+    return {
+        alg: JoseSignatureAlgorithm.ES256,
+        ...(use !== undefined && {use}),
+        kty: JwkKeyType.EC,
+        crv: JoseCurve.P_256,
+        x: hexToBase64(pubPoint.getX().toString('hex'), 'base64url'),
+        y: hexToBase64(pubPoint.getY().toString('hex'), 'base64url'),
+        ...(opts?.isPrivateKey && {d: hexToBase64(keyPair.getPrivate('hex'), 'base64url')}),
+    }
 }
 
 /**
@@ -359,237 +458,335 @@ const toSecp256r1Jwk = (keyHex: string, opts?: { use?: JwkKeyUse; isPrivateKey?:
  * @return The JWK
  */
 const toEd25519OrX25519Jwk = (
-  publicKeyHex: string,
-  opts: {
-    use?: JwkKeyUse
-    crv: JoseCurve.Ed25519 | JoseCurve.X25519
-  }
+    publicKeyHex: string,
+    opts: {
+        use?: JwkKeyUse
+        crv: JoseCurve.Ed25519 | JoseCurve.X25519
+    }
 ): JWK => {
-  assertProperKeyLength(publicKeyHex, 64)
-  const { use } = opts ?? {}
-  return {
-    alg: JoseSignatureAlgorithm.EdDSA,
-    ...(use !== undefined && { use }),
-    kty: JwkKeyType.OKP,
-    crv: opts?.crv ?? JoseCurve.Ed25519,
-    x: hexToBase64(publicKeyHex, 'base64url'),
-  }
+    assertProperKeyLength(publicKeyHex, 64)
+    const {use} = opts ?? {}
+    return {
+        alg: JoseSignatureAlgorithm.EdDSA,
+        ...(use !== undefined && {use}),
+        kty: JwkKeyType.OKP,
+        crv: opts?.crv ?? JoseCurve.Ed25519,
+        x: hexToBase64(publicKeyHex, 'base64url'),
+    }
 }
 
 const toRSAJwk = (publicKeyHex: string, opts?: { use?: JwkKeyUse; key?: IKey | MinimalImportableKey }): JWK => {
-  const { key } = opts ?? {}
-  // const publicKey = publicKeyHex
-  // assertProperKeyLength(publicKey, [2048, 3072, 4096])
+    const meta = opts?.key?.meta
+    if (meta?.publicKeyJwk || meta?.publicKeyPEM) {
+        if (meta?.publicKeyJwk) {
+            return meta.publicKeyJwk as JWK
+        }
+        const publicKeyPEM = meta?.publicKeyPEM ?? hexToPEM(publicKeyHex, 'public')
+        return PEMToJwk(publicKeyPEM, 'public') as JWK
+    }
 
-  if (key?.meta?.publicKeyJwk) {
-    return key.meta.publicKeyJwk as JWK
-  }
 
-  const publicKeyPEM = key?.meta?.publicKeyPEM ?? hexToPEM(publicKeyHex, 'public')
-  return PEMToJwk(publicKeyPEM, 'public') as JWK
+    // exponent (e) is 5 chars long, rest is modulus (n)
+    // const publicKey = publicKeyHex
+    // assertProperKeyLength(publicKey, [2048, 3072, 4096])
+    const exponent = publicKeyHex.slice(-5)
+    const modulus = publicKeyHex.slice(0, -5)
+    // const modulusBitLength  = (modulus.length / 2) * 8
+
+    // const alg = modulusBitLength === 2048 ? JoseSignatureAlgorithm.RS256 : modulusBitLength === 3072 ? JoseSignatureAlgorithm.RS384 : modulusBitLength === 4096 ? JoseSignatureAlgorithm.RS512 : undefined
+    return {
+        kty: 'RSA',
+        n: hexToBase64(modulus, 'base64url'),
+        e: hexToBase64(exponent, 'base64url'),
+        // ...(alg && { alg }),
+    }
 }
 
 export const padLeft = (args: { data: string; size?: number; padString?: string }): string => {
-  const { data } = args
-  const size = args.size ?? 32
-  const padString = args.padString ?? '0'
-  if (data.length >= size) {
-    return data
-  }
+    const {data} = args
+    const size = args.size ?? 32
+    const padString = args.padString ?? '0'
+    if (data.length >= size) {
+        return data
+    }
 
-  if (padString && padString.length === 0) {
-    throw Error(`Pad string needs to have at least a length of 1`)
-  }
-  const length = padString.length
-  return padString.repeat((size - data.length) / length) + data
+    if (padString && padString.length === 0) {
+        throw Error(`Pad string needs to have at least a length of 1`)
+    }
+    const length = padString.length
+    return padString.repeat((size - data.length) / length) + data
 }
 
 enum OIDType {
-  Secp256k1,
-  Secp256r1,
-  Ed25519,
+    Secp256k1,
+    Secp256r1,
+    Ed25519,
 }
 
 const OID: Record<OIDType, Uint8Array> = {
-  [OIDType.Secp256k1]: new Uint8Array([0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01]),
-  [OIDType.Secp256r1]: new Uint8Array([0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07]),
-  [OIDType.Ed25519]: new Uint8Array([0x06, 0x03, 0x2b, 0x65, 0x70]),
+    [OIDType.Secp256k1]: new Uint8Array([0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01]),
+    [OIDType.Secp256r1]: new Uint8Array([0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07]),
+    [OIDType.Ed25519]: new Uint8Array([0x06, 0x03, 0x2b, 0x65, 0x70]),
 }
 
 const compareUint8Arrays = (a: Uint8Array, b: Uint8Array): boolean => {
-  if (a.length !== b.length) {
-    return false
-  }
-  for (let i = 0; i < a.length; i++) {
-    if (a[i] !== b[i]) {
-      return false
+    if (a.length !== b.length) {
+        return false
     }
-  }
-  return true
+    for (let i = 0; i < a.length; i++) {
+        if (a[i] !== b[i]) {
+            return false
+        }
+    }
+    return true
 }
 
 const findSubarray = (haystack: Uint8Array, needle: Uint8Array): number => {
-  for (let i = 0; i <= haystack.length - needle.length; i++) {
-    if (compareUint8Arrays(haystack.subarray(i, i + needle.length), needle)) {
-      return i
+    for (let i = 0; i <= haystack.length - needle.length; i++) {
+        if (compareUint8Arrays(haystack.subarray(i, i + needle.length), needle)) {
+            return i
+        }
     }
-  }
-  return -1
+    return -1
 }
 
 const getTargetOID = (keyType: TKeyType) => {
-  switch (keyType) {
-    case 'Secp256k1':
-      return OID[OIDType.Secp256k1]
-    case 'Secp256r1':
-      return OID[OIDType.Secp256r1]
-    case 'Ed25519':
-      return OID[OIDType.Ed25519]
-    default:
-      throw new Error(`Unsupported key type: ${keyType}`)
-  }
+    switch (keyType) {
+        case 'Secp256k1':
+            return OID[OIDType.Secp256k1]
+        case 'Secp256r1':
+            return OID[OIDType.Secp256r1]
+        case 'Ed25519':
+            return OID[OIDType.Ed25519]
+        default:
+            throw new Error(`Unsupported key type: ${keyType}`)
+    }
 }
 
 export const isAsn1Der = (key: Uint8Array): boolean => key[0] === 0x30
 
 export const asn1DerToRawPublicKey = (derKey: Uint8Array, keyType: TKeyType): Uint8Array => {
-  if (!isAsn1Der(derKey)) {
-    throw new Error('Invalid DER encoding: Expected to start with sequence tag')
-  }
-
-  let index = 2
-  if (derKey[1] & 0x80) {
-    const lengthBytesCount = derKey[1] & 0x7f
-    index += lengthBytesCount
-  }
-  const targetOid = getTargetOID(keyType)
-  const oidIndex = findSubarray(derKey, targetOid)
-  if (oidIndex === -1) {
-    throw new Error(`OID for ${keyType} not found in DER encoding`)
-  }
-
-  index = oidIndex + targetOid.length
-
-  while (index < derKey.length && derKey[index] !== 0x03) {
-    index++
-  }
+    if (!isAsn1Der(derKey)) {
+        throw new Error('Invalid DER encoding: Expected to start with sequence tag')
+    }
+
+    let index = 2
+    if (derKey[1] & 0x80) {
+        const lengthBytesCount = derKey[1] & 0x7f
+        index += lengthBytesCount
+    }
+    const targetOid = getTargetOID(keyType)
+    const oidIndex = findSubarray(derKey, targetOid)
+    if (oidIndex === -1) {
+        throw new Error(`OID for ${keyType} not found in DER encoding`)
+    }
 
-  if (index >= derKey.length) {
-    throw new Error('Invalid DER encoding: Bit string not found')
-  }
+    index = oidIndex + targetOid.length
 
-  // Skip the bit string tag (0x03) and length byte
-  index += 2
+    while (index < derKey.length && derKey[index] !== 0x03) {
+        index++
+    }
 
-  // Skip the unused bits count byte
-  index++
+    if (index >= derKey.length) {
+        throw new Error('Invalid DER encoding: Bit string not found')
+    }
 
-  return derKey.slice(index)
+    // Skip the bit string tag (0x03) and length byte
+    index += 2
+
+    // Skip the unused bits count byte
+    index++
+
+    return derKey.slice(index)
 }
 
 export const isRawCompressedPublicKey = (key: Uint8Array): boolean => key.length === 33 && (key[0] === 0x02 || key[0] === 0x03)
 
 export const toRawCompressedHexPublicKey = (rawPublicKey: Uint8Array, keyType: TKeyType): string => {
-  if (isRawCompressedPublicKey(rawPublicKey)) {
-    return hexStringFromUint8Array(rawPublicKey)
-  }
+    if (isRawCompressedPublicKey(rawPublicKey)) {
+        return hexStringFromUint8Array(rawPublicKey)
+    }
 
-  if (keyType === 'Secp256k1' || keyType === 'Secp256r1') {
-    if (rawPublicKey[0] === 0x04 && rawPublicKey.length === 65) {
-      const xCoordinate = rawPublicKey.slice(1, 33)
-      const yCoordinate = rawPublicKey.slice(33)
-      const prefix = new Uint8Array([yCoordinate[31] % 2 === 0 ? 0x02 : 0x03])
-      const resultKey = hexStringFromUint8Array(new Uint8Array([...prefix, ...xCoordinate]))
-      logger.debug(`converted public key ${hexStringFromUint8Array(rawPublicKey)} to ${resultKey}`)
-      return resultKey
+    if (keyType === 'Secp256k1' || keyType === 'Secp256r1') {
+        if (rawPublicKey[0] === 0x04 && rawPublicKey.length === 65) {
+            const xCoordinate = rawPublicKey.slice(1, 33)
+            const yCoordinate = rawPublicKey.slice(33)
+            const prefix = new Uint8Array([yCoordinate[31] % 2 === 0 ? 0x02 : 0x03])
+            const resultKey = hexStringFromUint8Array(new Uint8Array([...prefix, ...xCoordinate]))
+            logger.debug(`converted public key ${hexStringFromUint8Array(rawPublicKey)} to ${resultKey}`)
+            return resultKey
+        }
+        return u8a.toString(rawPublicKey, 'base16')
+    } else if (keyType === 'Ed25519') {
+        // Ed25519 keys are always in compressed form
+        return u8a.toString(rawPublicKey, 'base16')
     }
-    return u8a.toString(rawPublicKey, 'base16')
-  } else if (keyType === 'Ed25519') {
-    // Ed25519 keys are always in compressed form
-    return u8a.toString(rawPublicKey, 'base16')
-  }
 
-  throw new Error(`Unsupported key type: ${keyType}`)
+    throw new Error(`Unsupported key type: ${keyType}`)
 }
 
 export const hexStringFromUint8Array = (value: Uint8Array): string => u8a.toString(value, 'base16')
 
 export const signatureAlgorithmFromKey = async (args: SignatureAlgorithmFromKeyArgs): Promise<JoseSignatureAlgorithm> => {
-  const { key } = args
-  return signatureAlgorithmFromKeyType({ type: key.type })
+    const {key} = args
+    return signatureAlgorithmFromKeyType({type: key.type})
 }
 
 export const signatureAlgorithmFromKeyType = (args: SignatureAlgorithmFromKeyTypeArgs): JoseSignatureAlgorithm => {
-  const { type } = args
-  switch (type) {
-    case 'Ed25519':
-    case 'X25519':
-      return JoseSignatureAlgorithm.EdDSA
-    case 'Secp256r1':
-      return JoseSignatureAlgorithm.ES256
-    case 'Secp256k1':
-      return JoseSignatureAlgorithm.ES256K
-    default:
-      throw new Error(`Key type '${type}' not supported`)
-  }
+    const {type} = args
+    switch (type) {
+        case 'Ed25519':
+        case 'X25519':
+            return JoseSignatureAlgorithm.EdDSA
+        case 'Secp256r1':
+            return JoseSignatureAlgorithm.ES256
+        case 'Secp384r1':
+            return JoseSignatureAlgorithm.ES384
+        case 'Secp521r1':
+            return JoseSignatureAlgorithm.ES512
+        case 'Secp256k1':
+            return JoseSignatureAlgorithm.ES256K
+        default:
+            throw new Error(`Key type '${type}' not supported`)
+    }
 }
 
 // TODO improve this conversion for jwt and jsonld, not a fan of current structure
 export const keyTypeFromCryptographicSuite = (args: KeyTypeFromCryptographicSuiteArgs): TKeyType => {
-  const { suite } = args
-  switch (suite) {
-    case 'EdDSA':
-    case 'Ed25519Signature2018':
-    case 'Ed25519Signature2020':
-    case 'JcsEd25519Signature2020':
-      return 'Ed25519'
-    case 'JsonWebSignature2020':
-    case 'ES256':
-    case 'ECDSA':
-      return 'Secp256r1'
-    case 'EcdsaSecp256k1Signature2019':
-    case 'ES256K':
-      return 'Secp256k1'
-    default:
-      throw new Error(`Cryptographic suite '${suite}' not supported`)
-  }
-}
-
-export async function verifySignatureWithSubtle({
-  data,
-  signature,
-  key,
-  crypto: cryptoArg,
-}: {
-  data: Uint8Array
-  signature: Uint8Array
-  key: JsonWebKey
-  crypto?: Crypto
+    const {crv, kty, alg} = args
+
+    switch (alg) {
+        case 'RSASSA-PSS':
+        case 'RS256':
+        case 'RS384':
+        case 'RS512':
+        case 'PS256':
+        case 'PS384':
+        case 'PS512':
+            return 'RSA'
+    }
+
+    switch (crv) {
+        case 'EdDSA':
+        case 'Ed25519':
+        case 'Ed25519Signature2018':
+        case 'Ed25519Signature2020':
+        case 'JcsEd25519Signature2020':
+            return 'Ed25519'
+        case 'JsonWebSignature2020':
+        case 'ES256':
+        case 'ECDSA':
+        case 'P-256':
+            return 'Secp256r1'
+        case 'ES384':
+        case 'P-384':
+            return 'Secp384r1'
+        case 'ES512':
+        case 'P-521':
+            return 'Secp521r1'
+        case 'EcdsaSecp256k1Signature2019':
+        case 'secp256k1':
+        case 'ES256K':
+            return 'Secp256k1'
+    }
+    if (kty) {
+        return kty as TKeyType
+    }
+
+
+    throw new Error(`Cryptographic suite '${crv}' not supported`)
+}
+
+export function removeNulls<T>(obj: T | any) {
+    Object.keys(obj).forEach((key) => {
+        if (obj[key] && typeof obj[key] === 'object') removeNulls(obj[key])
+        else if (obj[key] == null) delete obj[key]
+    })
+    return obj
+}
+
+
+/**
+ *
+ */
+export async function verifyRawSignature({
+                                                   data,
+                                                   signature,
+                                                   key: inputKey,
+                                                   opts
+                                               }: {
+    data: Uint8Array
+    signature: Uint8Array
+    key: JWK
+    opts?: {
+        signatureAlg?: JoseSignatureAlgorithm
+    }
 }) {
-  let { alg, crv } = key
-  if (alg === 'ES256' || !alg) {
-    alg = 'ECDSA'
-  }
-
-  const subtle = cryptoArg?.subtle ?? crypto.subtle
-  const publicKey = await subtle.importKey(
-    'jwk',
-    key,
-    {
-      name: alg,
-      namedCurve: crv,
-    } as EcKeyImportParams,
-    true,
-    ['verify']
-  )
-
-  return subtle.verify(
-    {
-      name: alg as string,
-      hash: 'SHA-256', // fixme; make arg
-    },
-    publicKey,
-    signature,
-    data
-  )
+    /**
+     * Converts a Base64URL-encoded JWK property to a BigInt.
+     * @param jwkProp - The Base64URL-encoded string.
+     * @returns The BigInt representation of the decoded value.
+     */
+    function jwkPropertyToBigInt(jwkProp: string): bigint {
+        // Decode Base64URL to Uint8Array
+        const byteArray = u8a.fromString(jwkProp, 'base64url');
+
+        // Convert Uint8Array to hexadecimal string and then to BigInt
+        const hex = u8a.toString(byteArray, 'hex');
+        return BigInt(`0x${hex}`);
+    }
+
+    const key = removeNulls(inputKey)
+    validateJwk(key)
+    const keyType = keyTypeFromCryptographicSuite({crv: key.crv, kty: key.kty, alg: key.alg})
+    const publicKeyHex = (await jwkToRawHexKey(key))
+
+    // TODO: We really should look at the signature alg first if provided! From key type should be the last resort
+    switch (keyType) {
+        case 'Secp256k1':
+            return secp256k1.verify(signature, data, publicKeyHex, {format: "compact", prehash: true})
+        case 'Secp256r1':
+            return p256.verify(signature, data, publicKeyHex, {format: "compact", prehash: true})
+        case 'Secp384r1':
+            return p384.verify(signature, data, publicKeyHex, {format: "compact", prehash: true})
+        case 'Secp521r1':
+            return p521.verify(signature, data, publicKeyHex, {format: "compact", prehash: true})
+        case 'Ed25519':
+            return ed25519.verify(signature, data, u8a.fromString(publicKeyHex, 'hex',))
+        case "Bls12381G1":
+        case "Bls12381G2":
+            return bls12_381.verify(signature, data, u8a.fromString(publicKeyHex, 'hex'))
+        case "RSA": {
+
+            const signatureAlgorithm = opts?.signatureAlg ?? JoseSignatureAlgorithm.PS256
+            const hashAlg = signatureAlgorithm === (JoseSignatureAlgorithm.RS512 || JoseSignatureAlgorithm.PS512) ? sha512 : signatureAlgorithm === (JoseSignatureAlgorithm.RS384 || JoseSignatureAlgorithm.PS384) ? sha384 : sha256
+            switch (signatureAlgorithm) {
+                case JoseSignatureAlgorithm.RS256:
+                    return rsa.PKCS1_SHA256.verify({
+                        n: jwkPropertyToBigInt(key.n),
+                        e: jwkPropertyToBigInt(key.e),
+                    }, data, signature)
+                case JoseSignatureAlgorithm.RS384:
+                    return rsa.PKCS1_SHA384.verify({
+                        n: jwkPropertyToBigInt(key.n),
+                        e: jwkPropertyToBigInt(key.e),
+                    }, data, signature)
+                case JoseSignatureAlgorithm.RS512:
+                    return rsa.PKCS1_SHA512.verify({
+                        n: jwkPropertyToBigInt(key.n),
+                        e: jwkPropertyToBigInt(key.e),
+                    }, data, signature)
+                case JoseSignatureAlgorithm.PS256:
+                case JoseSignatureAlgorithm.PS384:
+                case JoseSignatureAlgorithm.PS512:
+                    return rsa.PSS(hashAlg, rsa.mgf1(hashAlg)).verify({
+                        n: jwkPropertyToBigInt(key.n),
+                        e: jwkPropertyToBigInt(key.e),
+                    }, data, signature)
+            }
+
+        }
+
+    }
+    throw Error(`Unsupported key type for signature validation: ${keyType}`)
 }