
@sphereon/ssi-sdk-ext.did-utils

Sphereon-OpenSource · 31.9k · Apache-2.0 · 0.29.0 · TypeScript support: included

DID Utils

Sphereon SSI SDK Crypto Extensions


BBS+, RSA, JWK, EBSI DID and key management support

This mono repository contains packages that add different crypto keys and signature suites, as well as different DID methods, to the SSI-SDK. The packages are also compatible with Veramo.

Key Management

| Plugin | Description |
| --- | --- |
| Key Manager | The Key Manager orchestrates the various implementations of Key Management Systems, using a KeyStore to remember the link between a key reference, its metadata, and the respective key management system that provides the actual cryptographic capabilities. The methods of this plugin are used automatically by other plugins, such as DIDManager, CredentialPlugin, or DIDComm, to perform their required cryptographic operations using the managed keys. You will need this version if you want to use BLS/BBS+ keys. |
| Local Key Management System | SSI-SDK and Veramo compatible Key Management System that stores keys in a local key store. It supports RSA and BLS/BBS+ signatures, next to ed25519, es256k1 and es256r1. |
| Mnemonic Seed Manager | SSI-SDK and Veramo compatible Mnemonic Seed manager. Allows you to create and persist mnemonic seeds, which you can use to derive keys. |
| Key Utils | SSI-SDK and Veramo compatible key utility and generation functions. |
| DID Utils | SSI-SDK and Veramo compatible DID functions. |

DID Methods

The packages below can be used in both our SSI-SDK and Veramo. They extend did:key and support did:jwk.

| DID methods | Description |
| --- | --- |
| DIF did:key resolver | DIF DID resolver compatible did:key resolver with support for BLS/BBS+, JWK (EBSI natural persons), ed25519, es256k1, es256r1, es384r1, es521r1. |
| did:key provider | SSI-SDK and Veramo compatible did:key provider. Allows you to manage keys and DIDs with support for BLS/BBS+, JWK (EBSI natural persons), ed25519, es256k1, es256r1, es384r1, es521r1. |
| DIF did:jwk resolver | DIF DID resolver compatible did:jwk resolver with support for ed25519, es256k1, es256r1 and RSA keys. |
| did:jwk provider | SSI-SDK and Veramo compatible did:jwk provider. Allows you to manage JWK keys and DIDs. |
| DIF did:ebsi resolver | DIF DID resolver compatible did:ebsi v1 Legal Entity resolver. |
| did:ebsi provider | SSI-SDK and Veramo compatible did:ebsi v1 Legal Entity provider. Allows you to manage ebsi v1 keys and DIDs. |

DID resolution


Note: DID resolution is not part of this SDK. We do provide a Universal DID client you can use in Veramo, simply by using the below code when setting up the Agent:

Using the Universal resolver for all DID methods:

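import { createAgent, IDIDManager, IKeyManager, IDataStore, IDataStoreORM, IResolver } from '@veramo/core'
import { CredentialIssuerLD } from '@veramo/credential-ld'
import { DIDResolverPlugin } from '@veramo/did-resolver'
import { UniResolver } from '@sphereon/did-uni-client'

// Every DID method is resolved through the one Universal Resolver endpoint below
export const agent = createAgent<IDIDManager & CredentialIssuerLD & IKeyManager & IDataStore & IDataStoreORM & IResolver>({
  plugins: [
    // Other plugins
    new DIDResolverPlugin({
      resolver: new UniResolver({ resolveURL: 'https://dev.uniresolver.io/1.0/identifiers' })
    })
  ]
})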

Using the Universal resolver for specific DID methods and DID-key:

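import { createAgent, IDIDManager, IKeyManager, IDataStore, IDataStoreORM, IResolver } from '@veramo/core'
import { CredentialIssuerLD } from '@veramo/credential-ld'
import { DIDResolverPlugin } from '@veramo/did-resolver'
import { getDidKeyResolver } from '@veramo/did-provider-key'
import { getUniResolver } from '@sphereon/did-uni-client'
import { Resolver } from 'did-resolver'

// did:key is resolved locally; only the listed methods go to a remote Universal Resolver
export const agent = createAgent<IDIDManager & CredentialIssuerLD & IKeyManager & IDataStore & IDataStoreORM & IResolver>({
  plugins: [
    // Other plugins
    new DIDResolverPlugin({
      resolver: new Resolver({
        ...getDidKeyResolver(),
        ...getUniResolver('lto', { resolveUrl: 'https://uniresolver.test.sphereon.io/1.0/identifiers' }),
        ...getUniResolver('factom', { resolveUrl: 'https://dev.uniresolver.io/1.0/identifiers' }),
      }),
    }),
  ]
})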
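
With either setup above, the keys an agent trusts for a remotely resolved DID are whatever the configured endpoint returns. The following added example (not code from the Sphereon README or SDK) shows a check to run on a resolution result before using any key from it. The `ROUTES` policy table, `checkResolution`, the local interfaces and the sample DIDs are constructed for illustration.

```typescript
// Local stand-ins for the DID resolution result shape (not imported from any library).
interface VerificationMethod { id: string; type: string; controller: string }
interface DidDocument { id: string; verificationMethod?: VerificationMethod[] }
interface ResolutionResult {
  didResolutionMetadata: { error?: string }
  didDocument: DidDocument | null
}

// Hypothetical policy table: DID method -> resolver endpoint ('local' = resolved offline).
const ROUTES: Record<string, string> = {
  key: 'local',
  lto: 'https://uniresolver.test.sphereon.io/1.0/identifiers',
  factom: 'https://dev.uniresolver.io/1.0/identifiers',
}

const DID_PATTERN = /^did:([a-z0-9]+):[A-Za-z0-9._:%-]+$/

// Returns the reasons to reject a resolution result; an empty list means it passed.
function checkResolution(did: string, result: ResolutionResult, routes: Record<string, string> = ROUTES): string[] {
  const match = DID_PATTERN.exec(did)
  if (!match) return ['not a syntactically valid DID']
  const method = match[1] ?? ''
  const problems: string[] = []
  const endpoint = routes[method]
  if (endpoint === undefined) {
    problems.push(`method '${method}' has no configured resolver`)
  } else if (endpoint !== 'local' && endpoint.indexOf('https://') !== 0) {
    problems.push(`resolver endpoint for '${method}' is not HTTPS`)
  }
  if (result.didResolutionMetadata.error) {
    problems.push(`resolver reported error: ${result.didResolutionMetadata.error}`)
  }
  const doc = result.didDocument
  if (!doc) return problems.concat('no DID document returned')
  // A remote resolver must answer for the DID that was asked, not a different one.
  if (doc.id !== did) problems.push(`document id '${doc.id}' does not match requested DID`)
  // Conservative policy (assumption): only accept keys defined under the requested DID.
  for (const vm of doc.verificationMethod ?? []) {
    if (vm.id.indexOf(`${did}#`) !== 0 && vm.id.indexOf('#') !== 0) {
      problems.push(`verification method '${vm.id}' is not under the requested DID`)
    }
  }
  return problems
}

// Constructed sample data: one honest answer and one answer for a different DID.
const REQUESTED = 'did:lto:3ConstructedExampleId'
const vmFor = (d: string): VerificationMethod => ({ id: `${d}#key-1`, type: 'JsonWebKey2020', controller: d })
const HONEST: ResolutionResult = {
  didResolutionMetadata: {},
  didDocument: { id: REQUESTED, verificationMethod: [vmFor(REQUESTED)] },
}
const SWAPPED: ResolutionResult = {
  didResolutionMetadata: {},
  didDocument: { id: 'did:lto:3SomeOtherId', verificationMethod: [vmFor('did:lto:3SomeOtherId')] },
}

console.log(checkResolution(REQUESTED, HONEST))  // → []
console.log(checkResolution(REQUESTED, SWAPPED)) // → 2 problems: id mismatch, foreign verification method
```

In an agent, run the check on the resolver's result and refuse to map verification methods to keys when the returned list is non-empty.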

Building and testing

Lerna

This package makes use of Lerna for managing multiple packages. Lerna is a tool that optimizes the workflow around managing multi-package repositories with git and npm / pnpm.

Build

The command below builds all packages:

pnpm build

Test

The test command runs:

  • jest
  • coverage

You can also run only a single section of these tests, using for example pnpm test:watch.

pnpm test

Utility scripts

There are other utility scripts that help with development.

  • pnpm prettier - runs prettier to fix code style.

Publish

There are scripts that can publish the following versions:

  • latest
  • next
  • unstable

pnpm publish:[version]

Change Log

All notable changes to this project will be documented in this file. See Conventional Commits for commit guidelines.

0.29.0 (2025-05-22)

Bug Fixes

  • Add missing key type lookup for EcdsaSecp256k1RecoveryMethod2020 (3b45295)
  • commonjs import (5582cc4)
  • commonjs import (0824bc3)
  • commonjs import (71682ea)
  • const OYDID_REGISTRAR_URL (0b1c529)
  • Ensure OYD DID provider is using keys that can be used with all our supported KMS-es (d4f5d24)
  • Ensure we also do offline did resolution in case a managed DID is being resolved using the identifier resolution service (7210d74)
  • kms handling (14ff81a)
  • Make sure we always compare RSA keys as raw keys, as they can be expressed as raw, or as X.509 keys (d413275)
  • oidf client (24ca549)
  • oidf imports (52b2065)
  • oyd test (7c3cf5a)
  • plugin schemas (4c162d1)
  • plugin schemas (5e3162c)
  • plugin schemas (2798b8a)
  • RSA related signature creation and validation fixes (1aa66d6)
  • Skip ethereum account id VMs in a DID when converting to JWKs (da01a63)
  • use Secp256r1 as default and formatting (a827a47)

Features

  • Add support to lookup by kmsKeyRef when mapping did VMs (bd5b8cb)
  • Ensure OYD now also is built as esm and cjs module and uses vitest for testing (3b27367)
  • move to esm-js (bcd26c1)
  • move to vitest (211a3f3)
  • move to vitest (558ed35)

0.28.0 (2025-03-14)

Bug Fixes

Features

  • Improve managed kid resolution in case we encounter a DID (83d966d)

0.27.0 (2024-12-05)

Bug Fixes

  • add some additional tests for did:key (59b1161)
  • default crypto engine (503768f)
  • make sure we return the chain back in the original order (683ddb7)
  • Move away from using crypto.subtle for signature verifications, as it is too problematic in React-native. Replaced with audited noble implementations (69ec9a6)
  • remove random uuid (b968166)
  • update x.509 test with latest cert (175cd80)
  • update x.509 x5c order (3dbfe73)

Features

  • Allow non trusted certs (b1c6ff7)
  • Allow non trusted certs (8416546)
  • implement azure keyvault rest client (dc69703)
  • make sure we convert JWK claims from base64 to base64url if they are not spec compliant (918677b)
  • New x.509 validation implementation. Less features than previous version, but should work on RN (c11d735)

0.26.0 (2024-11-26)

Bug Fixes

  • Add support for P-384/521 external JWKs (7f4a809)
  • Make sure we can use thumbprints for signing (679d3e7)
  • Make sure we can use thumbprints for signing (e64b326)

Features

  • Add OYD DID support in enum (01fe1d0)
  • create kms-azure plugin structure (61e1a61)

0.25.0 (2024-10-28)

Bug Fixes

  • added @trust/keyto to dependencies of key-utils (bc5d6f6)
  • added @trust/keyto to dependencies of key-utils (6bb8d9e)
  • applied importProvidedOrGeneratedKey in KeyDidProvider (841a1da)
  • fixed didManagerCreate test (b3b6756)
  • lockfile (73415ed)
  • musapKMS improved determineAlgorithm handling (24d8218)
  • reverted dependency update of ssi-types in key-utils module (4150b25)
  • reverted dependency update of ssi-types in key-utils module (1741bda)
  • u8aintarrays do not work with REST (8c68022)
  • workaround: Workaround (downgrade) for nist-weierstrauss being ESM only. refs #19 (should have a proper solution soon) (aff05cf)

Features

  • Add JWS signature verification; Add cose key conversions and resolution (managed and external) (9f76393)
  • Add support for setting or inferring kid and issuer. Which will be handy for JWS signing. Also split managed functions into separate functions, like we do for the external identifier resolution. (c17edaf)
  • Add support to convert any identifier resolution to JWK and Key resolution (60da6b8)
  • added calculation and querying based on jwk thumbprints (5ce83cc)
  • added managed issuer identifier resolution (d5ca58e)
  • added MusapKeyManagerSystem (5841d67)
  • Added x509 validateX5cCertificateChain & validatePEMCertificateChain functions (3706e31)
  • Allow main managed identifier get method to be lazy when a resolved identifier is passed in (28fb763)
  • Allow main managed identifier get method to be lazy when a resolved identifier is passed in (7d4fa81)
  • Allow to cleanup keys and have ephemeral keys. Remove dep on kms-local from KMS. Always calculate jwkThumbprints no matter the KMS used (94414ff)
  • also allow passing in a resolved identifier next to identifier opts, so we do not have to resolve twice (70d2d15)
  • Create separate function to handle KMS managed identifiers of different types as the assumption always was DIDs (944b425)
  • Expose managed identifier lazy result method, as we are using lazy resolution more and more (b2c8065)
  • Expose subject alternative names. Make getting the public key JWK more resilient. Allow to blindly trust certificates for testing purposes (only when x5c has 1 element!) as we perform all kinds of checks including CA certificate extension verifications in the chain (675d6cb)
  • External resolution of keys and validations for DIDs and x5c (01db327)
  • Have a method on the Key Management System as well as a separate function to get a named or the default KMS. Remove dep/enum for kms local. We only have KMSs names at runtime. We should not rely on static KMS names ever! (c0ca69f)
  • JWE JWT compact agent methods (6324f97)
  • New JWS signature service that makes use of the managed identifier resolution, allowing for easier and more flexible JWT signing. (941996e)

Reverts

  • Revert "chore: Allow default values for kms as kms is not optional in Veramo APIs" (708742c)

0.24.0 (2024-08-01)

Bug Fixes

  • added createKey functionality (fcb9e82)
  • added enable sscd to musap react native kms (da8a411)
  • breaking: Remove BLS crypto from Mattr for now. It is not very well maintained, and is proving to be very difficult in both Windows and React-Native environments. Will be replaced later with a different implementation (e097e25)
  • Fix key usages for jwks when importing keys (c473572)
  • fixed the sign function for musap rn kms (e3318e6)
  • modified the decoding for sign in the musap module (8561b0d)
  • modified the decoding for sign in the musap module (64a53c5)
  • modified the decoding for sign in the musap module (34bba55)
  • modified the decoding for sign in the musap module (e2a76a7)
  • modified the decoding for sign in the musap module (7b6e68f)
  • updated musap kms with recent changes from the musap react native lib (b1518de)

Features

  • (WIP) added MusapKeyManagerSystem (f55926f)
  • (WIP) added MusapKeyManagerSystem (809846d)
  • added build script and android directory to musap-rn-kms module (9be5fb0)
  • added delete function (ab72368)
  • added mapper function for create key in musap kms and added the option to enable certain sscd's in the constructor (db5c8d3)
  • added sign function (62dc3ab)
  • Improve kid determination. Rename most kid arguments to kmsKeyRef, as these are only the internal KMS kids. Preventing confusion. Improve did functions to accept object args. (22f465c)
  • remove isomorphic-webcrypto (1adc1fe)

0.23.0 (2024-07-23)

Bug Fixes

  • Did web keys and services options/args were not taken into account (fb37ba0)
  • did web resolution from identifier was not taking keys into account that had no purpose set (8447426)
  • did web resolution from identifier was not taking keys into account that had no purpose set (980075b)
  • get or create primary identifier was incorrectly constructing the identifier provider from the DID method (d89542e)
  • get or create primary identifier was not searching for the correct DID methods (8b1aad7)

Features

  • generate key when private keys is not provided (090b8fa)
  • Make key/vm from identifier/did functions more future proof and add option to search for controller keys and key types (f691789)

0.22.0 (2024-07-02)

Bug Fixes

  • better local DID Document conversion from identifiers (e332562)
  • determine kid function can have a null verification method which was not taken into account (d80a945)
  • getKey method was not looking at existing vms or purpose metadata values (36619d6)
  • getKey method was not working well with did#vm or #vm key ids (b04eb3f)
  • Key metadata was switched for Secp256k1 and Secp256r1 keys (ae174aa)
  • kid determination of a key should look for jwk thumbprint as well (d00e984)
  • our exported JWK depended on another lib, which is not needed. Also was not compatible with Jose, which is heavily used (8b20d61)
  • x5c is an array in a JWK (58f607f)

chore

  • remove did-provider-ebsi in favor of ebsi-support, which can also handle everything the old provider did (5299044)

Features

  • Add service and key for EBSI DIDs (4ec6f18)
  • Add support to find keys by thumbprint, and not have to resolve to DID resolution in all cases (d37c772)
  • Added getAuthenticationKey getPrimaryIdentifier & createIdentifier to did-utils (7360ab6)

BREAKING CHANGES

  • remove @sphereon/ssi-sdk-ext.did-provider-ebsi, which has been replaced with @sphereon/ssi-sdk.ebsi-support

0.21.0 (2024-06-19)

Bug Fixes

  • Multiple DID EBSI fixes (131faa0)

Features

  • Ensure we can actually pass in bearer tokens & misc cleanups (4abc507)

0.20.0 (2024-06-13)

Bug Fixes

  • added a few fixes and type definitions (7040799)
  • added keyManagerListKeys binding (e2f723b)
  • Bugfix creating eth transactions (1d2e04d)
  • fix base64url sanitizing (473c028)
  • Fixed broken tests (07d320a)

Features

  • (wip) added list keys functionality. the kms-local function works but we face error on key-manager level (bde93d3)
  • Added secp256r1 key to createIdentifier() method (81fff51)
  • Implemented conversion of public keys, rpc service and documentation (b0ac3b5)
  • Implemented integration of the ebsi rpc service with the ebsi did provider (3c1ef0d)

0.19.0 (2024-04-25)

Features

  • Added secp256r1 key to createIdentifier() method (f8da68d)

0.18.2 (2024-04-24)

Note: Version bump only for package @sphereon/ssi-sdk-ext.workspace

0.18.1 (2024-04-04)

Bug Fixes

  • Padding had incorrect length comparison (d141050)

0.18.0 (2024-03-19)

Bug Fixes

  • Key did provider fixes for invalid did:key encodings (194c480)
  • Make sure bbs-sig packages are peer deps, because of their poor Windows and RN support (32d6bd9)
  • Make sure secp256k1 keys are compressed (15493c1)
  • unknown point format (b25d6de)

Features

  • Ensure proper key type is used for did:key in case codeName is JCS/EBSI (af11a99)

0.17.0 (2024-02-29)

Bug Fixes

  • Make sure we are more strict on hex key lengths for Secp256r1/k1 (2f5bf1f)

Features

  • Add OwnYouData DID plugin (temp until upstream publishes it) (6b428e2)

0.16.0 (2024-01-13)

Bug Fixes

  • did:key ebsi / jcs codec value was wrong (a71279e)
  • error handling fixed for did:ebsi (6d37523)

Features

  • Add private key to JWK support for Secp256k/r1 (f278967)
  • ebsi resolver. Add support for fallback/multiple registries, so a client isn't required to specify a registry per se (dedd959)

0.15.0 (2023-09-30)

Features

  • check whether resolution is configured properly (01a693b)

0.14.1 (2023-09-28)

Bug Fixes

  • decompress compressed secp256k1 keys when creating JWK (e3c4771)
  • decompress compressed secp256k1 keys when creating JWK (bcdd47c)
  • decompress compressed secp256k1 keys when creating JWK (31bacfb)
  • public key mapping updates, fixing ed25519 with multibase encoding (489d4f2)

0.14.0 (2023-08-09)

Bug Fixes

  • Allow also for local did resolution (0f92566)
  • Allow also for local did resolution (a678459)
  • Allow also for local did resolution (91def9c)
  • RSA import fixes (1e78d70)
  • RSA import fixes (77704a2)
  • RSA import fixes (52c560b)
  • update varint import (c35849c)

Features

  • Add verification functions to KMS (only RSA for now) (a555f11)
  • Add verification functions to KMS (only RSA for now) (8f58f23)
  • Do not resolve DIDs when a DID doc is provided already when matching local keys (b5b7f76)

0.13.0 (2023-07-30)

Features

  • Add agent resolver method (462b5e3)
  • Add agent resolver method (3c7b21e)
  • Add DID web provider, with RSA and multi key import support (8335fbe)
  • Add support for RSA key generation and RSA to JWK (75ba154)
  • Allow to define controller key when importing keys for a did:web (89b4916)
  • Check also for other supported encryption algorithms when JWK use property is used (36a8ae4)
  • Identifier to DID Document and DID resolution (76e7212)

0.12.1 (2023-06-24)

Bug Fixes

  • Fix EC handling for DID resolution (5f3d708)
  • Fix EC handling for JWKs (9061e29)
  • Fix EC handling for JWKs (b60825b)
  • Fix EC handling for JWKs (7be20f5)
  • Fix EC handling for JWKs (dd423f2)
  • fix GH action (2d8d6aa)
  • Fixes in JWK handling (f5cd4dd)
  • Make sure we set the saltLength for RSA PSS (51ae676)
  • Make sure we set the saltLength for RSA PSS (e19ed6c)

0.12.0 (2023-05-07)

Features

  • Move mnemonic seed generator to crypto extensions (748a7f9)
  • Move mnemonic seed generator to crypto extensions (173ef88)

0.11.0 (2023-04-30)

Features

  • Add 2020 ed25519 support. (50cc65e)
  • Add EBSI LE DID Provider (does not persist into the registry yet) (7a8cf56)
  • add ebsi v1 did driver (8869643)
  • add key utils package for common key functions (0543254)
  • allow default registry from environment for ebsi v1 did driver (217dfc0)
  • Move to pnpm from yarn (6ed9bd5)
  • Reorganize SSI-SDK crypto extensions and DIDs (5578914)

0.10.2 (2023-03-11)

Note: Version bump only for package @sphereon/veramo-BBS-workspace

0.10.1 (2023-03-10)

Note: Version bump only for package @sphereon/veramo-BBS-workspace

0.10.0 (2023-03-09)

Bug Fixes

  • Fix kms string used when importing keys, whilst we are already the KMS. Fix alias/kid handling for RSA keys (20ed263)
  • move to maintained isomorphic-webcrypto (feda9d1)
  • move to maintained isomorphic-webcrypto (53575be)
  • move to maintained isomorphic-webcrypto (4dbae0a)
  • move to maintained isomorphic-webcrypto (1d69dd8)
  • move to maintained isomorphic-webcrypto (d9e5a7e)
  • move to maintained isomorphic-webcrypto (df0bb7a)
  • move to maintained isomorphic-webcrypto (fb6b0d9)
  • move to maintained isomorphic-webcrypto (dc767a3)
  • move to maintained isomorphic-webcrypto (#2) (b392ca5)

Features

  • Add RSA support (881d794)
  • Add RSA support (6bbd283)
  • fix sigs (5c64585)
  • make sure signature is base64url and not base64urlpad (3b31a2f)
  • make sure signature is base64url and not base64urlpad (086d280)
  • make sure signature is base64url and not base64urlpad (aba391b)
  • make sure signature is base64url and not only base64 (6a7f915)
  • replace jsencrypt with isomorphic-webcrypto (4a7ca7a)

0.9.1 (2022-12-16)

Note: Version bump only for package @sphereon/veramo-BBS-workspace

0.8.0 (2022-09-03)