feat: update to new keyRefs instead of kids

package.json

@@ -8,7 +8,7 @@
   "license": "Apache-2.0",
   "scripts": {
     "preinstall": "npx only-allow pnpm",
-    "build": "rimraf --glob ./packages/*/tsconfig.tsbuildinfo && pnpm build:js && pnpm build:copyfiles && pnpm build:api && pnpm build:schema",
+    "build": "rimraf --glob ./packages/*/tsconfig.tsbudinfo && pnpm build:js && pnpm build:copyfiles && pnpm build:api && pnpm build:schema",
     "build:clean": "lerna clean -y && pnpm install && lerna run build:clean --concurrency 1 && pnpm build:copyfiles && pnpm build:schema",
     "build:js": "pnpm -r --stream build",
     "build:api": "pnpm -r --stream extract-api",

packages/contact-manager-rest-api/package.json

@@ -12,8 +12,8 @@
   },
   "dependencies": {
     "@sphereon/ssi-express-support": "workspace:*",
-    "@sphereon/ssi-sdk-ext.key-manager": "0.23.0",
-    "@sphereon/ssi-sdk-ext.key-utils": "0.23.0",
+    "@sphereon/ssi-sdk-ext.key-manager": "0.23.1-next.3",
+    "@sphereon/ssi-sdk-ext.key-utils": "0.23.1-next.3",
     "@sphereon/ssi-sdk.contact-manager": "workspace:*",
     "@sphereon/ssi-sdk.core": "workspace:*",
     "@sphereon/ssi-sdk.data-store": "workspace:*",

packages/data-store/package.json

@@ -14,8 +14,8 @@
     "typeorm-postgres:migration:run": "pnpm run typeorm -- migration:run -c migration-postgres"
   },
   "dependencies": {
-    "@sphereon/pex": "^4.0.0",
-    "@sphereon/ssi-sdk-ext.did-utils": "0.23.0",
+    "@sphereon/pex": "^4.0.1",
+    "@sphereon/ssi-sdk-ext.did-utils": "0.23.1-next.3",
     "@sphereon/ssi-sdk.core": "workspace:*",
     "@sphereon/ssi-types": "workspace:*",
     "@veramo/core": "4.2.0",

packages/ebsi-support/package.json

@@ -16,11 +16,11 @@
   "dependencies": {
     "@ethersproject/random": "^5.7.0",
     "@sphereon/did-auth-siop": "0.6.4",
-    "@sphereon/pex": "^4.0.0",
+    "@sphereon/pex": "^4.0.1",
     "@sphereon/pex-models": "^2.2.4",
-    "@sphereon/ssi-sdk-ext.did-resolver-ebsi": "0.23.0",
-    "@sphereon/ssi-sdk-ext.did-utils": "0.23.0",
-    "@sphereon/ssi-sdk-ext.key-utils": "0.23.0",
+    "@sphereon/ssi-sdk-ext.did-resolver-ebsi": "0.23.1-next.3",
+    "@sphereon/ssi-sdk-ext.did-utils": "0.23.1-next.3",
+    "@sphereon/ssi-sdk-ext.key-utils": "0.23.1-next.3",
     "@sphereon/ssi-sdk.contact-manager": "workspace:*",
     "@sphereon/ssi-sdk.core": "workspace:*",
     "@sphereon/ssi-sdk.oid4vci-holder": "workspace:*",
@@ -44,8 +44,8 @@
     "@sphereon/oid4vci-client": "0.14.0",
     "@sphereon/oid4vci-common": "0.14.0",
     "@sphereon/ssi-express-support": "workspace:*",
-    "@sphereon/ssi-sdk-ext.key-manager": "0.23.0",
-    "@sphereon/ssi-sdk-ext.kms-local": "0.23.0",
+    "@sphereon/ssi-sdk-ext.key-manager": "0.23.1-next.3",
+    "@sphereon/ssi-sdk-ext.kms-local": "0.23.1-next.3",
     "@sphereon/ssi-sdk.agent-config": "workspace:*",
     "@sphereon/ssi-sdk.data-store": "workspace:*",
     "@sphereon/ssi-sdk.public-key-hosting": "workspace:*",

packages/ebsi-support/src/functions/AttestationHeadlessCallbacks.ts

@@ -227,7 +227,7 @@ export const authorizationCodeUrlCallback = (
       const kid = authReqResult.authKey.meta?.jwkThumbprint
         ? `${authReqResult.identifier.did}#${authReqResult.authKey.meta.jwkThumbprint}`
         : authReqResult.authKey.kid
-      await vpLinkHandler.handle(openidUri, { idOpts: { identifier: authReqResult.identifier, kid } })
+      await vpLinkHandler.handle(openidUri, { idOpts: { identifier: authReqResult.identifier, kmsKeyRef: kid } })
     }
     await onOpenAuthorizationUrl(url)
   }

packages/oid4vci-holder/package.json

@@ -16,7 +16,7 @@
   "dependencies": {
     "@sphereon/oid4vci-client": "0.14.0",
     "@sphereon/oid4vci-common": "0.14.0",
-    "@sphereon/ssi-sdk-ext.did-utils": "0.23.0",
+    "@sphereon/ssi-sdk-ext.did-utils": "0.23.1-next.3",
     "@sphereon/ssi-sdk.contact-manager": "workspace:*",
     "@sphereon/ssi-sdk.core": "workspace:*",
     "@sphereon/ssi-sdk.data-store": "workspace:*",
@@ -32,7 +32,7 @@
     "xstate": "^4.38.3"
   },
   "devDependencies": {
-    "@sphereon/ssi-sdk-ext.did-resolver-jwk": "0.23.0",
+    "@sphereon/ssi-sdk-ext.did-resolver-jwk": "0.23.1-next.3",
     "@types/i18n-js": "^3.8.9",
     "@types/lodash.memoize": "^4.1.9",
     "@types/uuid": "^9.0.8",

packages/oid4vci-holder/src/agent/OID4VCIHolder.ts

@@ -114,16 +114,16 @@ export function signCallback(client: OpenID4VCIClient, idOpts: IIdentifierOpts,
       kid = jwt.header.kid
     }
     if (!kid) {
-      kid = idOpts.kid
+      kid = idOpts.kmsKeyRef
     }
 
     if (kid) {
       // sync back to id opts
-      idOpts.kid = kid
+      idOpts.kmsKeyRef = kid
     }
 
     const identifier = await getIdentifier(idOpts, context)
-    const key = await getKey(identifier, undefined, context, kid)
+    const key = await getKey({ identifier, vmRelationship: idOpts.verificationMethodSection, kmsKeyRef: kid }, context)
     if (key?.meta?.jwkThumbprint && kid === key.publicKeyHex) {
       kid = key.meta.jwkThumbprint
     }

packages/oid4vci-holder/src/agent/OID4VCIHolderService.ts

@@ -572,7 +572,7 @@ export const getSigner = async (args: GetSignerArgs): Promise<Signer> => {
   const { idOpts, context } = args
 
   const identifier = await getIdentifierFromOpts(idOpts, context)
-  const key = await getKey(identifier, idOpts.verificationMethodSection, context, idOpts.kid)
+  const key = await getKey({ identifier, vmRelationship: idOpts.verificationMethodSection, kmsKeyRef: idOpts.kmsKeyRef }, context)
   const algorithm = await signatureAlgorithmFromKey({ key })
 
   return async (data: string | Uint8Array): Promise<string> => {

packages/oid4vci-issuer-rest-api/package.json

@@ -36,10 +36,10 @@
     "@sphereon/did-uni-client": "^0.6.3",
     "@sphereon/pex": "3.3.3",
     "@sphereon/pex-models": "^2.2.4",
-    "@sphereon/ssi-sdk-ext.did-provider-jwk": "0.23.0",
-    "@sphereon/ssi-sdk-ext.key-manager": "0.23.0",
-    "@sphereon/ssi-sdk-ext.key-utils": "0.23.0",
-    "@sphereon/ssi-sdk-ext.kms-local": "0.23.0",
+    "@sphereon/ssi-sdk-ext.did-provider-jwk": "0.23.1-next.3",
+    "@sphereon/ssi-sdk-ext.key-manager": "0.23.1-next.3",
+    "@sphereon/ssi-sdk-ext.key-utils": "0.23.1-next.3",
+    "@sphereon/ssi-sdk-ext.kms-local": "0.23.1-next.3",
     "@sphereon/ssi-sdk.data-store": "workspace:*",
     "@sphereon/ssi-sdk.vc-handler-ld-local": "workspace:*",
     "@types/body-parser": "^1.19.5",

packages/oid4vci-issuer-rest-api/src/OID4VCIRestAPI.ts

@@ -47,7 +47,7 @@ export class OID4VCIRestAPI {
         iss: opts.endpointOpts.tokenEndpointOpts.accessTokenIssuer ?? instance.metadataOptions.credentialIssuer,
         didOpts: instance.issuerOptions.didOpts,
       }
-      if (!tokenOpts.didOpts.identifierOpts?.kid || tokenOpts.didOpts.identifierOpts?.kid?.startsWith('did:')) {
+      if (!tokenOpts.didOpts.identifierOpts?.kmsKeyRef || tokenOpts.didOpts.identifierOpts?.kmsKeyRef?.startsWith('did:')) {
         keyRef = await getAccessTokenKeyRef(tokenOpts, context)
       }
 

packages/oid4vci-issuer-store/package.json

@@ -15,7 +15,7 @@
   },
   "dependencies": {
     "@sphereon/oid4vci-common": "0.14.0",
-    "@sphereon/ssi-sdk-ext.did-utils": "0.23.0",
+    "@sphereon/ssi-sdk-ext.did-utils": "0.23.1-next.3",
     "@sphereon/ssi-sdk.kv-store-temp": "workspace:*",
     "@veramo/core": "4.2.0",
     "@veramo/credential-w3c": "4.2.0",

packages/oid4vci-issuer/package.json

@@ -16,7 +16,7 @@
   "dependencies": {
     "@sphereon/oid4vci-common": "0.14.0",
     "@sphereon/oid4vci-issuer": "0.14.0",
-    "@sphereon/ssi-sdk-ext.did-utils": "0.23.0",
+    "@sphereon/ssi-sdk-ext.did-utils": "0.23.1-next.3",
     "@sphereon/ssi-sdk.core": "workspace:*",
     "@sphereon/ssi-sdk.kv-store-temp": "workspace:*",
     "@sphereon/ssi-sdk.oid4vci-issuer-store": "workspace:*",

packages/oid4vci-issuer/src/functions.ts

@@ -53,12 +53,8 @@ export async function getAccessTokenKeyRef(
 ) {
   let keyRef =
     opts.keyRef ??
-    opts.didOpts?.identifierOpts?.kid ??
-    (typeof opts.didOpts?.identifierOpts.identifier === 'object'
-      ? (opts.didOpts?.identifierOpts.identifier as IIdentifier).keys[0].kid
-      : !!opts.didOpts?.identifierOpts.kid
-        ? opts.didOpts?.identifierOpts.kid
-        : undefined)
+    opts.didOpts?.identifierOpts?.kmsKeyRef ??
+    (typeof opts.didOpts?.identifierOpts.identifier === 'object' ? (opts.didOpts?.identifierOpts.identifier as IIdentifier).keys[0].kid : undefined)
   if (!keyRef) {
     throw Error('Key ref is needed for access token signer')
   }
@@ -71,14 +67,11 @@ export async function getAccessTokenKeyRef(
     const identifier = await getIdentifier({ identifier: did }, context)
     let key: IKey | undefined
     if (vm) {
-      key = await getKey(identifier, 'assertionMethod', context, vm)
+      key = await getKey({ identifier, vmRelationship: 'assertionMethod', kmsKeyRef: vm }, context)
       keyRef = key?.kid
     }
     if (!key) {
-      key = await getFirstKeyWithRelation({ identifier, vmRelationship: 'assertionMethod', errorOnNotFound: false }, context)
-      if (!key) {
-        key = await getFirstKeyWithRelation({ identifier, vmRelationship: 'verificationMethod', errorOnNotFound: true }, context)
-      }
+      key = await getFirstKeyWithRelation({ identifier, vmRelationship: 'assertionMethod', offlineWhenNoDIDRegistered: true }, context)
       keyRef = key?.kid
     }
   }
@@ -95,7 +88,7 @@ export function getAccessTokenSignerCallback(
 ) {
   const signer = (data: string | Uint8Array) => {
     let dataString, encoding: 'base64' | undefined
-    const keyRef = opts.keyRef ?? opts?.didOpts?.identifierOpts?.kid
+    const keyRef = opts.keyRef ?? opts?.didOpts?.identifierOpts?.kmsKeyRef
     if (!keyRef) {
       throw Error('Cannot sign access tokens without a key ref')
     }

packages/pd-manager/package.json

@@ -15,7 +15,7 @@
     "generate-plugin-schema": "ts-node ../../packages/dev/bin/sphereon.js dev generate-plugin-schema"
   },
   "dependencies": {
-    "@sphereon/pex": "^4.0.0",
+    "@sphereon/pex": "^4.0.1",
     "@sphereon/pex-models": "^2.2.4",
     "@sphereon/ssi-sdk.data-store": "workspace:*",
     "cross-fetch": "^3.1.8",

packages/presentation-exchange/package.json

@@ -14,9 +14,9 @@
     "build:clean": "tsc --build --clean && tsc --build"
   },
   "dependencies": {
-    "@sphereon/pex": "^4.0.0",
+    "@sphereon/pex": "^4.0.1",
     "@sphereon/pex-models": "^2.2.4",
-    "@sphereon/ssi-sdk-ext.did-utils": "0.23.0",
+    "@sphereon/ssi-sdk-ext.did-utils": "0.23.1-next.3",
     "@sphereon/ssi-sdk.data-store": "workspace:*",
     "@sphereon/ssi-types": "workspace:*",
     "@veramo/core": "4.2.0"

packages/presentation-exchange/src/functions.ts

@@ -63,16 +63,20 @@ export async function createPEXPresentationSignCallback(
     let key: IKey | undefined
 
     if (args.skipDidResolution) {
-      if (!idOpts.kid) {
+      if (!idOpts.kmsKeyRef) {
         key = id.keys.find((key) => key.meta?.purpose?.includes(idOpts.verificationMethodSection ?? 'authentication') === true)
       }
       if (!key) {
         key = id.keys.find(
-          (key) => !idOpts.kid || key.kid === idOpts.kid || key.meta?.jwkThumbprint === idOpts.kid || `${id.did}#${key.kid}` === idOpts.kid,
+          (key) =>
+            !idOpts.kmsKeyRef ||
+            key.kid === idOpts.kmsKeyRef ||
+            key.meta?.jwkThumbprint === idOpts.kmsKeyRef ||
+            `${id.did}#${key.kid}` === idOpts.kmsKeyRef,
         )
       }
     } else {
-      key = await getKey(id, 'authentication', context, idOpts.kid)
+      key = await getKey({ identifier: id, vmRelationship: 'authentication', kmsKeyRef: idOpts.kmsKeyRef }, context)
     }
 
     if (!key) {

packages/public-key-hosting/package.json

@@ -12,9 +12,9 @@
   },
   "dependencies": {
     "@sphereon/ssi-express-support": "workspace:*",
-    "@sphereon/ssi-sdk-ext.key-manager": "0.23.0",
-    "@sphereon/ssi-sdk-ext.key-utils": "0.23.0",
-    "@sphereon/ssi-sdk-ext.kms-local": "0.23.0",
+    "@sphereon/ssi-sdk-ext.key-manager": "0.23.1-next.3",
+    "@sphereon/ssi-sdk-ext.key-utils": "0.23.1-next.3",
+    "@sphereon/ssi-sdk-ext.kms-local": "0.23.1-next.3",
     "@sphereon/ssi-sdk.core": "workspace:*",
     "@sphereon/ssi-types": "workspace:*",
     "@veramo/core": "4.2.0",
@@ -32,8 +32,8 @@
     "uuid": "^9.0.1"
   },
   "devDependencies": {
-    "@sphereon/ssi-sdk-ext.did-provider-jwk": "0.23.0",
-    "@sphereon/ssi-sdk-ext.did-resolver-jwk": "0.23.0",
+    "@sphereon/ssi-sdk-ext.did-provider-jwk": "0.23.1-next.3",
+    "@sphereon/ssi-sdk-ext.did-resolver-jwk": "0.23.1-next.3",
     "@sphereon/ssi-sdk.agent-config": "workspace:*",
     "@types/body-parser": "^1.19.5",
     "@types/cookie-parser": "^1.4.7",

packages/sd-jwt/package.json

@@ -17,18 +17,18 @@
   "dependencies": {
     "@sd-jwt/core": "^0.6.1",
     "@sd-jwt/sd-jwt-vc": "^0.6.1",
-    "@sphereon/ssi-sdk-ext.did-utils": "0.23.0",
+    "@sphereon/ssi-sdk-ext.did-utils": "0.23.1-next.3",
     "@veramo/utils": "4.2.0",
     "debug": "^4.3.5"
   },
   "devDependencies": {
     "@sd-jwt/decode": "^0.6.1",
     "@sd-jwt/types": "^0.6.1",
     "@sd-jwt/utils": "^0.6.1",
-    "@sphereon/ssi-sdk-ext.did-provider-jwk": "0.23.0",
-    "@sphereon/ssi-sdk-ext.did-resolver-jwk": "0.23.0",
-    "@sphereon/ssi-sdk-ext.key-manager": "0.23.0",
-    "@sphereon/ssi-sdk-ext.kms-local": "0.23.0",
+    "@sphereon/ssi-sdk-ext.did-provider-jwk": "0.23.1-next.3",
+    "@sphereon/ssi-sdk-ext.did-resolver-jwk": "0.23.1-next.3",
+    "@sphereon/ssi-sdk-ext.key-manager": "0.23.1-next.3",
+    "@sphereon/ssi-sdk-ext.kms-local": "0.23.1-next.3",
     "@types/node": "18.15.3",
     "@veramo/core": "4.2.0",
     "@veramo/data-store": "4.2.0",

packages/sd-jwt/src/action-handler.ts

@@ -79,7 +79,7 @@ export class SDJwtPlugin implements IAgentPlugin {
     const identifier = await context.agent.didManagerGet({
       did: issuer.split('#')[0],
     })
-    const doc = await mapIdentifierKeysToDocWithJwkSupport(identifier, 'assertionMethod', context)
+    const doc = await mapIdentifierKeysToDocWithJwkSupport({ identifier, vmRelationship: 'assertionMethod' }, context)
     if (!doc || doc.length === 0) {
       throw new Error('No key found for signing')
     }

packages/siopv2-oid4vp-op-auth/package.json

@@ -15,9 +15,9 @@
   },
   "dependencies": {
     "@sphereon/did-auth-siop": "0.6.4",
-    "@sphereon/pex": "^4.0.0",
+    "@sphereon/pex": "^4.0.1",
     "@sphereon/pex-models": "2.2.4",
-    "@sphereon/ssi-sdk-ext.did-utils": "0.23.0",
+    "@sphereon/ssi-sdk-ext.did-utils": "0.23.1-next.3",
     "@sphereon/ssi-sdk.contact-manager": "workspace:*",
     "@sphereon/ssi-sdk.core": "workspace:*",
     "@sphereon/ssi-sdk.data-store": "workspace:*",
@@ -38,7 +38,7 @@
   },
   "devDependencies": {
     "@sphereon/did-uni-client": "^0.6.3",
-    "@sphereon/ssi-sdk-ext.did-resolver-jwk": "0.23.0",
+    "@sphereon/ssi-sdk-ext.did-resolver-jwk": "0.23.1-next.3",
     "@sphereon/ssi-sdk.agent-config": "workspace:*",
     "@types/i18n-js": "^3.8.9",
     "@types/lodash.memoize": "^4.1.9",

packages/siopv2-oid4vp-op-auth/src/services/Siopv2MachineService.ts

@@ -9,7 +9,7 @@ import {
 } from '@sphereon/ssi-sdk-ext.did-utils'
 import { ConnectionType } from '@sphereon/ssi-sdk.data-store'
 import { IIdentifier } from '@veramo/core'
-import { DidAgents, SuitableCredentialAgents } from '../types/identifier'
+import { DidAgents, SuitableCredentialAgents } from '../types'
 import { CredentialMapper, IVerifiableCredential, Loggers, OriginalVerifiableCredential, PresentationSubmission } from '@sphereon/ssi-types'
 import {
   LOGGER_NAMESPACE,
@@ -132,11 +132,11 @@ export const siopSendAuthorizationResponse = async (
         })*/
     presentationSubmission = presentationsAndDefs[0].presentationSubmission
   }
-  const key = await getKey(identifier, 'authentication', session.context, idOpts?.kid)
+  const key = await getKey({ identifier, vmRelationship: 'authentication', kmsKeyRef: idOpts?.kmsKeyRef }, session.context)
   if (!idOpts) {
-    idOpts = { identifier, kid: determineKid(key, { identifier }) }
+    idOpts = { identifier, kmsKeyRef: await determineKid({ key, idOpts: { identifier } }, session.context) }
   }
-  const determinedKid = idOpts!.kid?.includes('#') ? idOpts.kid : determineKid(key, idOpts)
+  const determinedKid = idOpts.kmsKeyRef?.includes('#') ? idOpts.kmsKeyRef : await determineKid({ key, idOpts }, session.context)
   const kid: string = determinedKid.startsWith('did:') ? determinedKid : `${identifier.did}#${determinedKid}`
 
   logger.log(`Definitions and locations:`, JSON.stringify(presentationsAndDefs?.[0]?.verifiablePresentation, null, 2))
@@ -145,7 +145,8 @@ export const siopSendAuthorizationResponse = async (
   return await session.sendAuthorizationResponse({
     ...(presentationsAndDefs && { verifiablePresentations: presentationsAndDefs?.map((pd) => pd.verifiablePresentation) }),
     ...(presentationSubmission && { presentationSubmission }),
-    responseSignerOpts: { identifier, kid },
+    // todo: Change issuer value in case we do not use identifier. Use key.meta.jwkThumbprint then
+    responseSignerOpts: { identifier, kmsKeyRef: key.kid, kid, issuer: identifier.did },
   })
 }
 

packages/siopv2-oid4vp-op-auth/src/session/OpSession.ts

@@ -109,7 +109,7 @@ export class OpSession {
     let keyType: TKeyType | undefined
     const agentMethods =
       (opts.agentMethods ?? this.getAgentDIDMethodsSupported(opts))?.map((method) => convertDidMethod(method, opts.didPrefix)) ?? []
-    debug(`agent methods in rp method supported: ${JSON.stringify(agentMethods)}`)
+    debug(`agent methods supported: ${JSON.stringify(agentMethods)}`)
     const authReq = await this.getAuthorizationRequest()
     const subjectSyntaxTypesSupported = authReq.registrationMetadataPayload?.subject_syntax_types_supported?.map((method) =>
       convertDidMethod(method, opts.didPrefix),
@@ -257,7 +257,7 @@ export class OpSession {
       context: this.context,
     })
 
-    let issuer = args.responseSignerOpts?.identifier ? getDID(args.responseSignerOpts) : undefined
+    let issuer = args.responseSignerOpts?.issuer ?? (args.responseSignerOpts?.identifier ? getDID(args.responseSignerOpts) : undefined)
     const responseOpts = {
       verification,
       issuer,