keyresolver

package
v0.5.5 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Mar 27, 2026 License: BSD-2-Clause Imports: 17 Imported by: 0

Documentation

Overview

Package keyresolver provides pluggable key resolution for verifiable credentials

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func CanResolveLocally 

func CanResolveLocally(verificationMethod string) bool

CanResolveLocally returns true if the verification method can be resolved locally without contacting external services (i.e., self-contained DIDs). This includes did:key, did:jwk, and did:peer methods, as well as raw multikey formats.

func ECDSAToJWK 

func ECDSAToJWK(publicKey *ecdsa.PublicKey) (map[string]any, error)

ECDSAToJWK converts an ECDSA public key to JWK format.

func Ed25519ToJWK 

func Ed25519ToJWK(publicKey ed25519.PublicKey) map[string]any

Ed25519ToJWK converts an Ed25519 public key to JWK format.

func ExtractDIDFromVerificationMethod 

func ExtractDIDFromVerificationMethod(verificationMethod string) string

ExtractDIDFromVerificationMethod extracts the DID from a verification method ID. For example: "did:web:example.com#key-1" -> "did:web:example.com"

func ExtractECDSAFromMetadata 

func ExtractECDSAFromMetadata(metadata any, verificationMethod string) (*ecdsa.PublicKey, error)

ExtractECDSAFromMetadata extracts an ECDSA public key from a DID document or entity configuration returned in the trust_metadata field.

func ExtractEd25519FromMetadata 

func ExtractEd25519FromMetadata(metadata any, verificationMethod string) (ed25519.PublicKey, error)

ExtractEd25519FromMetadata extracts an Ed25519 public key from a DID document or entity configuration returned in the trust_metadata field of an AuthZEN response.

func ExtractFragmentFromVerificationMethod 

func ExtractFragmentFromVerificationMethod(verificationMethod string) string

ExtractFragmentFromVerificationMethod extracts the fragment from a verification method ID. For example: "did:web:example.com#key-1" -> "key-1"

func ExtractX25519FromMetadata 

func ExtractX25519FromMetadata(metadata any, did string) (*ecdh.PublicKey, error)

ExtractX25519FromMetadata extracts an X25519 key agreement key from trust_metadata. It looks for keys in the keyAgreement section of the DID document.

func JWKToECDSA 

func JWKToECDSA(jwk map[string]any) (*ecdsa.PublicKey, error)

JWKToECDSA extracts an ECDSA public key from a JWK.

func JWKToEd25519 

func JWKToEd25519(jwk map[string]any) (ed25519.PublicKey, error)

JWKToEd25519 extracts an Ed25519 public key from a JWK.

func JWKToX25519 

func JWKToX25519(jwk map[string]any) (*ecdh.PublicKey, error)

JWKToX25519 extracts an X25519 public key from a JWK.

Types

type CompositeVC20Resolver 

type CompositeVC20Resolver struct {
	// contains filtered or unexported fields
}

CompositeVC20Resolver combines multiple key resolution strategies.

func NewCompositeVC20Resolver 

func NewCompositeVC20Resolver(resolvers ...openid4vp.VC20KeyResolver) *CompositeVC20Resolver

NewCompositeVC20Resolver creates a resolver that tries multiple resolvers in order.

func (*CompositeVC20Resolver) ResolveKey 

func (c *CompositeVC20Resolver) ResolveKey(ctx context.Context, verificationMethod string) (crypto.PublicKey, error)

ResolveKey tries each resolver until one succeeds.

type DIDCommService 

type DIDCommService struct {
	// ID is the service ID
	ID string
	// ServiceEndpoint is the URI for message delivery
	ServiceEndpoint string
	// RoutingKeys are the keys to use for routing/mediation
	RoutingKeys []string
	// Accept lists the accepted media types
	Accept []string
}

DIDCommService represents a DIDCommMessaging service endpoint from a DID document.

func ExtractServiceFromMetadata 

func ExtractServiceFromMetadata(metadata any, did string) (*DIDCommService, error)

ExtractServiceFromMetadata extracts a DIDCommMessaging service from trust_metadata.

type ECDSAOnlyAdapter 

type ECDSAOnlyAdapter struct {
	// contains filtered or unexported fields
}

ECDSAOnlyAdapter adapts ECDSAResolver to VC20KeyResolver for ECDSA-only resolution.

func NewECDSAOnlyAdapter 

func NewECDSAOnlyAdapter(resolver ECDSAResolver) *ECDSAOnlyAdapter

NewECDSAOnlyAdapter creates an adapter that only resolves ECDSA keys.

func (*ECDSAOnlyAdapter) ResolveKey 

func (a *ECDSAOnlyAdapter) ResolveKey(ctx context.Context, verificationMethod string) (crypto.PublicKey, error)

ResolveKey implements openid4vp.VC20KeyResolver.

type ECDSAResolver 

type ECDSAResolver interface {
	Resolver
	// ResolveECDSA resolves an ECDSA public key from a verification method identifier
	ResolveECDSA(verificationMethod string) (*ecdsa.PublicKey, error)
}

ECDSAResolver extends Resolver with ECDSA key resolution capability. Resolvers that support ECDSA keys should implement this interface.

type ECDSATrustEvaluator 

type ECDSATrustEvaluator interface {
	TrustEvaluator
	// EvaluateTrustECDSA checks if the given ECDSA public key is authorized
	EvaluateTrustECDSA(subjectID string, publicKey *ecdsa.PublicKey, role string) (bool, error)
}

ECDSATrustEvaluator extends TrustEvaluator with ECDSA support

type Ed25519OnlyAdapter 

type Ed25519OnlyAdapter struct {
	// contains filtered or unexported fields
}

Ed25519OnlyAdapter adapts Resolver to VC20KeyResolver for Ed25519-only resolution.

func NewEd25519OnlyAdapter 

func NewEd25519OnlyAdapter(resolver Resolver) *Ed25519OnlyAdapter

NewEd25519OnlyAdapter creates an adapter that only resolves Ed25519 keys.

func (*Ed25519OnlyAdapter) ResolveKey 

func (a *Ed25519OnlyAdapter) ResolveKey(ctx context.Context, verificationMethod string) (crypto.PublicKey, error)

ResolveKey implements openid4vp.VC20KeyResolver.

type FullResolver 

type FullResolver interface {
	Resolver
	ECDSAResolver
	X25519Resolver
	ServiceResolver
}

FullResolver combines all resolution capabilities.

type GoTrustEvaluator 

type GoTrustEvaluator struct {
	// contains filtered or unexported fields
}

GoTrustEvaluator uses go-trust authzenclient for trust evaluation. This is the recommended implementation for new code.

func NewGoTrustEvaluator 

func NewGoTrustEvaluator(baseURL string) *GoTrustEvaluator

NewGoTrustEvaluator creates a trust evaluator using go-trust authzenclient.

func NewGoTrustEvaluatorWithClient 

func NewGoTrustEvaluatorWithClient(client *authzenclient.Client) *GoTrustEvaluator

NewGoTrustEvaluatorWithClient creates a trust evaluator with an existing client.

func NewGoTrustEvaluatorWithDiscovery 

func NewGoTrustEvaluatorWithDiscovery(ctx context.Context, baseURL string) (*GoTrustEvaluator, error)

NewGoTrustEvaluatorWithDiscovery creates a trust evaluator using AuthZEN discovery.

func (*GoTrustEvaluator) EvaluateTrust 

func (g *GoTrustEvaluator) EvaluateTrust(subjectID string, publicKey ed25519.PublicKey, role string) (bool, error)

EvaluateTrust validates the name-to-key binding via go-trust authzenclient.

func (*GoTrustEvaluator) EvaluateTrustECDSA 

func (g *GoTrustEvaluator) EvaluateTrustECDSA(subjectID string, publicKey *ecdsa.PublicKey, role string) (bool, error)

EvaluateTrustECDSA validates an ECDSA key binding.

func (*GoTrustEvaluator) EvaluateTrustECDSAWithContext 

func (g *GoTrustEvaluator) EvaluateTrustECDSAWithContext(ctx context.Context, subjectID string, publicKey *ecdsa.PublicKey, role string) (bool, error)

EvaluateTrustECDSAWithContext validates an ECDSA key with context.

func (*GoTrustEvaluator) EvaluateTrustWithContext 

func (g *GoTrustEvaluator) EvaluateTrustWithContext(ctx context.Context, subjectID string, publicKey ed25519.PublicKey, role string) (bool, error)

EvaluateTrustWithContext validates trust with a provided context.

func (*GoTrustEvaluator) GetClient 

func (g *GoTrustEvaluator) GetClient() *authzenclient.Client

GetClient returns the underlying authzenclient.Client.

type GoTrustResolver 

type GoTrustResolver struct {
	// contains filtered or unexported fields
}

GoTrustResolver uses go-trust authzenclient for key resolution via AuthZEN protocol. It implements the Resolver interface and provides both resolution-only requests (to fetch DID documents/entity configurations) and full trust evaluation.

func NewGoTrustResolver 

func NewGoTrustResolver(baseURL string) *GoTrustResolver

NewGoTrustResolver creates a resolver using go-trust authzenclient with a known PDP URL.

func NewGoTrustResolverWithClient 

func NewGoTrustResolverWithClient(client *authzenclient.Client) *GoTrustResolver

NewGoTrustResolverWithClient creates a resolver using an existing authzenclient.Client. This allows for custom configuration of the underlying client.

func NewGoTrustResolverWithDiscovery 

func NewGoTrustResolverWithDiscovery(ctx context.Context, baseURL string) (*GoTrustResolver, error)

NewGoTrustResolverWithDiscovery creates a resolver using AuthZEN discovery. It fetches the PDP configuration from .well-known/authzen-configuration.

func (*GoTrustResolver) EvaluateTrustECDSA 

func (g *GoTrustResolver) EvaluateTrustECDSA(ctx context.Context, subjectID string, publicKey *ecdsa.PublicKey, role string) (bool, error)

EvaluateTrustECDSA validates an ECDSA key binding via go-trust.

func (*GoTrustResolver) EvaluateTrustEd25519 

func (g *GoTrustResolver) EvaluateTrustEd25519(ctx context.Context, subjectID string, publicKey ed25519.PublicKey, role string) (bool, error)

EvaluateTrustEd25519 validates an Ed25519 key binding via go-trust. This sends a full trust evaluation request (not resolution-only).

func (*GoTrustResolver) GetClient 

func (g *GoTrustResolver) GetClient() *authzenclient.Client

GetClient returns the underlying authzenclient.Client for advanced usage.

func (*GoTrustResolver) ResolveECDSA 

func (g *GoTrustResolver) ResolveECDSA(verificationMethod string) (*ecdsa.PublicKey, error)

ResolveECDSA resolves an ECDSA public key from a verification method identifier.

func (*GoTrustResolver) ResolveECDSAWithContext 

func (g *GoTrustResolver) ResolveECDSAWithContext(ctx context.Context, verificationMethod string) (*ecdsa.PublicKey, error)

ResolveECDSAWithContext resolves an ECDSA key with a provided context.

func (*GoTrustResolver) ResolveEd25519 

func (g *GoTrustResolver) ResolveEd25519(verificationMethod string) (ed25519.PublicKey, error)

ResolveEd25519 resolves an Ed25519 public key from a verification method identifier. It sends a resolution-only request to the PDP and extracts the key from the returned trust_metadata (DID document or entity configuration).

func (*GoTrustResolver) ResolveEd25519WithContext 

func (g *GoTrustResolver) ResolveEd25519WithContext(ctx context.Context, verificationMethod string) (ed25519.PublicKey, error)

ResolveEd25519WithContext resolves an Ed25519 key with a provided context.

func (*GoTrustResolver) ResolveMetadata 

func (g *GoTrustResolver) ResolveMetadata(ctx context.Context, did string) (map[string]any, error)

ResolveMetadata resolves the full trust_metadata for a DID. This is useful when you need access to the full DID document or entity configuration.

func (*GoTrustResolver) ResolveService 

func (g *GoTrustResolver) ResolveService(did string) (*DIDCommService, error)

ResolveService resolves a DIDCommMessaging service endpoint via go-trust. This extracts service endpoints from the trust_metadata returned by the PDP.

func (*GoTrustResolver) ResolveServiceWithContext 

func (g *GoTrustResolver) ResolveServiceWithContext(ctx context.Context, did string) (*DIDCommService, error)

ResolveServiceWithContext resolves a service with a provided context.

func (*GoTrustResolver) ResolveX25519 

func (g *GoTrustResolver) ResolveX25519(did string) (*ecdh.PublicKey, error)

ResolveX25519 resolves an X25519 key agreement key via go-trust. This extracts the keyAgreement keys from the trust_metadata returned by the PDP.

func (*GoTrustResolver) ResolveX25519WithContext 

func (g *GoTrustResolver) ResolveX25519WithContext(ctx context.Context, did string) (*ecdh.PublicKey, error)

ResolveX25519WithContext resolves an X25519 key with a provided context.

type LocalResolver 

type LocalResolver struct{}

LocalResolver resolves keys from local data (multikey, did:key, did:jwk)

func NewLocalOnlyResolver 

func NewLocalOnlyResolver() *LocalResolver

NewLocalOnlyResolver creates a resolver that only handles local DIDs. Use this when operating in "allow all" mode without a PDP.

func NewLocalResolver 

func NewLocalResolver() *LocalResolver

NewLocalResolver creates a resolver that handles local key formats

func (*LocalResolver) ResolveECDSA 

func (l *LocalResolver) ResolveECDSA(verificationMethod string) (*ecdsa.PublicKey, error)

ResolveECDSA extracts ECDSA keys from local formats (did:key, did:jwk, did:peer, multikey)

func (*LocalResolver) ResolveEd25519 

func (l *LocalResolver) ResolveEd25519(verificationMethod string) (ed25519.PublicKey, error)

ResolveEd25519 extracts Ed25519 keys from local formats

func (*LocalResolver) ResolveService 

func (l *LocalResolver) ResolveService(did string) (*DIDCommService, error)

ResolveService resolves a DIDCommMessaging service from a local DID. For did:peer:2, this extracts inline service endpoints (S purpose).

func (*LocalResolver) ResolveX25519 

func (l *LocalResolver) ResolveX25519(did string) (*ecdh.PublicKey, error)

ResolveX25519 resolves an X25519 key agreement key from a local DID. For did:peer:2, this extracts the E (encryption) purpose key. For did:key with Ed25519, this converts to X25519. If a fragment is provided (e.g., did:peer:2...#key-1), it selects the specific key.

type MultiResolver 

type MultiResolver struct {
	// contains filtered or unexported fields
}

MultiResolver combines multiple resolvers with fallback behavior

func NewMultiResolver 

func NewMultiResolver(resolvers ...Resolver) *MultiResolver

NewMultiResolver creates a resolver that tries each resolver in order

func (*MultiResolver) ResolveECDSA 

func (m *MultiResolver) ResolveECDSA(verificationMethod string) (*ecdsa.PublicKey, error)

ResolveECDSA tries each resolver that supports ECDSA until one succeeds

func (*MultiResolver) ResolveEd25519 

func (m *MultiResolver) ResolveEd25519(verificationMethod string) (ed25519.PublicKey, error)

ResolveEd25519 tries each resolver until one succeeds

type Resolver 

type Resolver interface {
	// ResolveEd25519 resolves an Ed25519 public key from a verification method identifier
	ResolveEd25519(verificationMethod string) (ed25519.PublicKey, error)
}

Resolver provides methods to resolve public keys from verification methods. Implementations may support one or both key types.

func NewResolverFromConfig 

func NewResolverFromConfig(cfg ResolverConfig) (Resolver, error)

NewResolverFromConfig creates a key resolver based on configuration. If a PDP URL is configured, creates a SmartResolver that uses LocalResolver for self-contained DIDs (did:key, did:jwk) and GoTrustResolver for everything else. If no PDP URL is configured, creates a LocalResolver that only handles self-contained DIDs.

type ResolverConfig 

type ResolverConfig struct {
	// PDPURL is the URL of the AuthZEN PDP service for trust evaluation.
	// When set, operates in "default deny" mode - trust decisions require PDP approval.
	// When empty, operates in "allow all" mode - resolved keys are always considered trusted.
	PDPURL string

	// LocalDIDMethods specifies additional DID methods to resolve locally.
	// did:key and did:jwk are always resolved locally.
	LocalDIDMethods []string
}

ResolverConfig holds configuration for creating a key resolver. This mirrors the TrustConfig from the application config.

type ServiceResolver 

type ServiceResolver interface {
	// ResolveService resolves a DIDCommMessaging service endpoint for a DID
	ResolveService(did string) (*DIDCommService, error)
}

ServiceResolver provides service endpoint resolution from DID documents.

type SmartResolver 

type SmartResolver struct {
	// contains filtered or unexported fields
}

SmartResolver intelligently routes key resolution requests based on the DID method: - Self-contained DIDs (did:key, did:jwk) are resolved locally without external calls - All other DIDs are resolved via go-trust for both key resolution and trust evaluation

func NewResolverWithPDP 

func NewResolverWithPDP(pdpURL string) *SmartResolver

NewResolverWithPDP creates a SmartResolver with PDP integration. This is a convenience function for common use cases.

func NewSmartResolver 

func NewSmartResolver(remote Resolver) *SmartResolver

NewSmartResolver creates a resolver that routes based on DID method. The remote resolver is used for all non-local DIDs (did:web, did:ebsi, etc.).

func (*SmartResolver) GetLocalResolver 

func (s *SmartResolver) GetLocalResolver() *LocalResolver

GetLocalResolver returns the local resolver for direct access if needed.

func (*SmartResolver) GetRemoteResolver 

func (s *SmartResolver) GetRemoteResolver() Resolver

GetRemoteResolver returns the remote resolver for direct access if needed.

func (*SmartResolver) ResolveECDSA 

func (s *SmartResolver) ResolveECDSA(verificationMethod string) (*ecdsa.PublicKey, error)

ResolveECDSA routes to local or remote resolver based on the DID method.

func (*SmartResolver) ResolveEd25519 

func (s *SmartResolver) ResolveEd25519(verificationMethod string) (ed25519.PublicKey, error)

ResolveEd25519 routes to local or remote resolver based on the DID method.

func (*SmartResolver) ResolveService 

func (s *SmartResolver) ResolveService(did string) (*DIDCommService, error)

ResolveService resolves DIDCommMessaging service endpoints. Local DIDs (did:peer) can have inline services; network DIDs delegate to go-trust.

func (*SmartResolver) ResolveX25519 

func (s *SmartResolver) ResolveX25519(did string) (*ecdh.PublicKey, error)

ResolveX25519 resolves an X25519 key agreement key. Local DIDs are resolved locally; all network DIDs delegate to go-trust.

type StaticResolver 

type StaticResolver struct {
	// contains filtered or unexported fields
}

StaticResolver provides a simple key->value resolver for testing

func NewStaticResolver 

func NewStaticResolver() *StaticResolver

NewStaticResolver creates a resolver with a static key map

func (*StaticResolver) AddECDSAKey 

func (s *StaticResolver) AddECDSAKey(verificationMethod string, publicKey *ecdsa.PublicKey)

AddECDSAKey adds an ECDSA key to the static resolver

func (*StaticResolver) AddKey 

func (s *StaticResolver) AddKey(verificationMethod string, publicKey ed25519.PublicKey)

AddKey adds an Ed25519 key to the static resolver

func (*StaticResolver) ResolveECDSA 

func (s *StaticResolver) ResolveECDSA(verificationMethod string) (*ecdsa.PublicKey, error)

ResolveECDSA looks up an ECDSA key in the static map

func (*StaticResolver) ResolveEd25519 

func (s *StaticResolver) ResolveEd25519(verificationMethod string) (ed25519.PublicKey, error)

ResolveEd25519 looks up the key in the static map

type TrustEvaluator 

type TrustEvaluator interface {
	// EvaluateTrust checks if the given public key is authorized for the subject ID
	// Returns true if trusted, false otherwise
	EvaluateTrust(subjectID string, publicKey ed25519.PublicKey, role string) (bool, error)
}

TrustEvaluator validates whether a resolved key should be trusted This is separate from key resolution - it evaluates trust in name-to-key bindings

type TypedKeyResolver 

type TypedKeyResolver struct {
	// contains filtered or unexported fields
}

TypedKeyResolver provides type-safe access to resolved keys.

func NewTypedKeyResolver 

func NewTypedKeyResolver(resolver openid4vp.VC20KeyResolver) *TypedKeyResolver

NewTypedKeyResolver wraps a VC20KeyResolver with type-safe accessors.

func (*TypedKeyResolver) ResolveECDSAKey 

func (t *TypedKeyResolver) ResolveECDSAKey(ctx context.Context, verificationMethod string) (*ecdsa.PublicKey, error)

ResolveECDSAKey resolves and returns an ECDSA key, or error if wrong type.

func (*TypedKeyResolver) ResolveEd25519Key 

func (t *TypedKeyResolver) ResolveEd25519Key(ctx context.Context, verificationMethod string) (ed25519.PublicKey, error)

ResolveEd25519Key resolves and returns an Ed25519 key, or error if wrong type.

func (*TypedKeyResolver) ResolveKey 

func (t *TypedKeyResolver) ResolveKey(ctx context.Context, verificationMethod string) (crypto.PublicKey, error)

ResolveKey implements VC20KeyResolver.

type VC20ResolverAdapter 

type VC20ResolverAdapter struct {
	// contains filtered or unexported fields
}

VC20ResolverAdapter adapts the keyresolver interfaces to openid4vp.VC20KeyResolver. It wraps ECDSAResolver and can resolve both ECDSA and Ed25519 keys.

func NewVC20ResolverAdapter 

func NewVC20ResolverAdapter(resolver Resolver) *VC20ResolverAdapter

NewVC20ResolverAdapter creates an adapter that wraps a keyresolver.Resolver for use with openid4vp.VC20Handler.

func (*VC20ResolverAdapter) ResolveKey 

func (a *VC20ResolverAdapter) ResolveKey(ctx context.Context, verificationMethod string) (crypto.PublicKey, error)

ResolveKey implements openid4vp.VC20KeyResolver. It attempts ECDSA resolution first (if supported), then falls back to Ed25519.

type ValidatingResolver 

type ValidatingResolver struct {
	// contains filtered or unexported fields
}

ValidatingResolver wraps a resolver with trust evaluation It first resolves the key, then validates it via a trust evaluator

func NewValidatingResolver 

func NewValidatingResolver(resolver Resolver, evaluator TrustEvaluator, role string) *ValidatingResolver

NewValidatingResolver creates a resolver that validates trust after resolution

func (*ValidatingResolver) ResolveECDSA 

func (v *ValidatingResolver) ResolveECDSA(verificationMethod string) (*ecdsa.PublicKey, error)

ResolveECDSA resolves an ECDSA key and validates trust if possible.

func (*ValidatingResolver) ResolveEd25519 

func (v *ValidatingResolver) ResolveEd25519(verificationMethod string) (ed25519.PublicKey, error)

ResolveEd25519 resolves the key and validates trust

type X25519Resolver 

type X25519Resolver interface {
	Resolver
	// ResolveX25519 resolves an X25519 key agreement key from a DID or verification method
	ResolveX25519(did string) (*ecdh.PublicKey, error)
}

X25519Resolver extends Resolver with X25519 key agreement key resolution. This is used for DIDComm encryption (ECDH-ES key agreement).

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.