baseid_did/methods/

key.rs

//! `did:key` method implementation.
//!
//! `did:key` is a self-contained DID method where the DID itself encodes
//! the public key. No network resolution is needed.
//!
//! Reference: <https://w3c-ccg.github.io/did-method-key/>

use baseid_core::error::DidError;
use baseid_crypto::{Jwk, PublicKey};

use crate::document::{DidDocument, VerificationMethod, VerificationRelationship};
use crate::resolution::{DidResolver, ResolutionMetadata, ResolutionResult};
use crate::url::DidUrl;

/// W3C DID context.
const DID_CONTEXT: &str = "https://www.w3.org/ns/did/v1";
/// Multikey verification method context.
const MULTIKEY_CONTEXT: &str = "https://w3id.org/security/multikey/v1";
/// JWK verification method context.
const JWS_CONTEXT: &str = "https://w3id.org/security/suites/jws-2020/v1";

/// Resolver for `did:key` method.
pub struct DidKeyResolver;

impl DidResolver for DidKeyResolver {
    fn method(&self) -> &str {
        "key"
    }

    async fn resolve(&self, did: &str) -> baseid_core::Result<ResolutionResult> {
        let url = DidUrl::parse(did)?;
        if url.method != "key" {
            return Err(DidError::UnsupportedMethod.into());
        }

        // The method-specific identifier is the multibase-encoded public key.
        let public_key =
            PublicKey::from_multibase(&url.method_id).map_err(|_| DidError::ResolutionFailed)?;

        let document = Self::create(&public_key)?;

        Ok(ResolutionResult {
            document: Some(document),
            metadata: ResolutionMetadata {
                content_type: Some("application/did+ld+json".to_string()),
                error: None,
            },
        })
    }
}

impl DidKeyResolver {
    /// Create a new `did:key` DID Document from a public key.
    ///
    /// Encodes the public key as multibase, constructs a DID Document with
    /// a Multikey verification method and a JsonWebKey2020 verification method.
    pub fn create(public_key: &PublicKey) -> baseid_core::Result<DidDocument> {
        let multibase = public_key.to_multibase();
        let did = format!("did:key:{multibase}");

        // Primary verification method: Multikey with publicKeyMultibase
        let vm_id_multikey = format!("{did}#{multibase}");
        let vm_multikey = VerificationMethod {
            id: vm_id_multikey.clone(),
            r#type: "Multikey".to_string(),
            controller: did.clone(),
            public_key_jwk: None,
            public_key_multibase: Some(multibase),
        };

        // Secondary verification method: JsonWebKey2020 with publicKeyJwk
        let jwk = Jwk::from_public_key(public_key)?;
        let jwk_value = serde_json::to_value(&jwk).map_err(|_| DidError::ResolutionFailed)?;
        let vm_id_jwk = format!("{did}#jwk");
        let vm_jwk = VerificationMethod {
            id: vm_id_jwk.clone(),
            r#type: "JsonWebKey2020".to_string(),
            controller: did.clone(),
            public_key_jwk: Some(jwk_value),
            public_key_multibase: None,
        };

        Ok(DidDocument {
            id: did,
            context: vec![
                DID_CONTEXT.to_string(),
                MULTIKEY_CONTEXT.to_string(),
                JWS_CONTEXT.to_string(),
            ],
            verification_method: vec![vm_multikey, vm_jwk],
            authentication: vec![VerificationRelationship::Reference(vm_id_multikey.clone())],
            assertion_method: vec![VerificationRelationship::Reference(vm_id_multikey)],
            key_agreement: vec![],
            service: vec![],
        })
    }
}

#[cfg(test)]
mod tests {
    use super::*;
    use baseid_core::types::KeyType;
    use baseid_crypto::KeyPair;

    #[test]
    fn create_ed25519() {
        let kp = KeyPair::generate(KeyType::Ed25519).unwrap();
        let doc = DidKeyResolver::create(&kp.public).unwrap();

        assert!(doc.id.starts_with("did:key:z6Mk"));
        assert_eq!(doc.context.len(), 3);
        assert_eq!(doc.context[0], DID_CONTEXT);
        assert_eq!(doc.verification_method.len(), 2);
        assert_eq!(doc.verification_method[0].r#type, "Multikey");
        assert_eq!(doc.verification_method[1].r#type, "JsonWebKey2020");
        assert_eq!(doc.authentication.len(), 1);
        assert_eq!(doc.assertion_method.len(), 1);
    }

    #[test]
    fn create_p256() {
        let kp = KeyPair::generate(KeyType::P256).unwrap();
        let doc = DidKeyResolver::create(&kp.public).unwrap();

        assert!(doc.id.starts_with("did:key:z"));
        assert_eq!(doc.verification_method.len(), 2);

        // Check that the JWK has the right curve
        let jwk_vm = &doc.verification_method[1];
        let jwk = jwk_vm.public_key_jwk.as_ref().unwrap();
        assert_eq!(jwk["crv"], "P-256");
        assert_eq!(jwk["kty"], "EC");
    }

    #[test]
    fn create_p384() {
        let kp = KeyPair::generate(KeyType::P384).unwrap();
        let doc = DidKeyResolver::create(&kp.public).unwrap();

        assert!(doc.id.starts_with("did:key:z"));
        let jwk_vm = &doc.verification_method[1];
        let jwk = jwk_vm.public_key_jwk.as_ref().unwrap();
        assert_eq!(jwk["crv"], "P-384");
    }

    #[test]
    fn create_secp256k1() {
        let kp = KeyPair::generate(KeyType::Secp256k1).unwrap();
        let doc = DidKeyResolver::create(&kp.public).unwrap();

        assert!(doc.id.starts_with("did:key:z"));
        let jwk_vm = &doc.verification_method[1];
        let jwk = jwk_vm.public_key_jwk.as_ref().unwrap();
        assert_eq!(jwk["crv"], "secp256k1");
    }

    #[tokio::test]
    async fn resolve_ed25519() {
        let kp = KeyPair::generate(KeyType::Ed25519).unwrap();
        let created = DidKeyResolver::create(&kp.public).unwrap();

        let resolver = DidKeyResolver;
        let result = resolver.resolve(&created.id).await.unwrap();
        let resolved = result.document.unwrap();

        assert_eq!(resolved.id, created.id);
        assert_eq!(resolved.verification_method.len(), 2);
        assert_eq!(
            result.metadata.content_type.as_deref(),
            Some("application/did+ld+json")
        );
    }

    #[tokio::test]
    async fn resolve_roundtrip_all_key_types() {
        for key_type in [
            KeyType::Ed25519,
            KeyType::P256,
            KeyType::P384,
            KeyType::Secp256k1,
        ] {
            let kp = KeyPair::generate(key_type).unwrap();
            let created = DidKeyResolver::create(&kp.public).unwrap();

            let resolver = DidKeyResolver;
            let result = resolver.resolve(&created.id).await.unwrap();
            let resolved = result.document.unwrap();

            assert_eq!(resolved.id, created.id);
            assert_eq!(resolved.verification_method.len(), 2);

            // Verify the multibase key in the document decodes to the original key
            let mb = resolved.verification_method[0]
                .public_key_multibase
                .as_ref()
                .unwrap();
            let decoded = PublicKey::from_multibase(mb).unwrap();
            assert_eq!(decoded.bytes, kp.public.bytes);
            assert_eq!(decoded.key_type, kp.public.key_type);
        }
    }

    #[tokio::test]
    async fn resolve_known_test_vector() {
        // From baseid-test-vectors
        let did = "did:key:z6MkhaXgBZDvotDkL5257faiztiGiC2QtKLGpbnnEGta2doK";
        let resolver = DidKeyResolver;
        let result = resolver.resolve(did).await.unwrap();
        let doc = result.document.unwrap();

        assert_eq!(doc.id, did);
        assert_eq!(doc.verification_method[0].r#type, "Multikey");
        assert_eq!(
            doc.verification_method[0].public_key_multibase.as_deref(),
            Some("z6MkhaXgBZDvotDkL5257faiztiGiC2QtKLGpbnnEGta2doK")
        );
    }

    #[tokio::test]
    async fn resolve_wrong_method_fails() {
        let resolver = DidKeyResolver;
        let result = resolver.resolve("did:web:example.com").await;
        assert!(result.is_err());
    }

    #[tokio::test]
    async fn resolve_invalid_did_fails() {
        let resolver = DidKeyResolver;
        assert!(resolver.resolve("not-a-did").await.is_err());
    }

    #[tokio::test]
    async fn resolve_invalid_multibase_fails() {
        let resolver = DidKeyResolver;
        assert!(resolver.resolve("did:key:invalid!!!").await.is_err());
    }

    #[test]
    fn document_serializes_to_json() {
        let kp = KeyPair::generate(KeyType::Ed25519).unwrap();
        let doc = DidKeyResolver::create(&kp.public).unwrap();

        let json = serde_json::to_string_pretty(&doc).unwrap();
        assert!(json.contains("\"@context\""));
        assert!(json.contains("\"verificationMethod\""));
        assert!(json.contains("\"authentication\""));
        assert!(json.contains("\"assertionMethod\""));
        assert!(json.contains("\"Multikey\""));
        assert!(json.contains("\"JsonWebKey2020\""));
    }

    #[test]
    fn document_json_roundtrip() {
        let kp = KeyPair::generate(KeyType::Ed25519).unwrap();
        let doc = DidKeyResolver::create(&kp.public).unwrap();

        let json = serde_json::to_string(&doc).unwrap();
        let deserialized: DidDocument = serde_json::from_str(&json).unwrap();

        assert_eq!(deserialized.id, doc.id);
        assert_eq!(deserialized.verification_method.len(), 2);
    }

    // --- B1: Deterministic test vector verification ---

    /// Verify that a known secret key produces the expected did:key string
    /// and that resolving it recovers the original public key bytes.
    fn verify_did_key_vector(
        key_type: KeyType,
        secret: &[u8],
        expected_public: &[u8],
        expected_multibase: &str,
        expected_did: &str,
    ) {
        // 1. Derive key pair from secret
        let kp = KeyPair::from_bytes(key_type, secret).unwrap();
        assert_eq!(&kp.public.bytes, expected_public, "public key mismatch");

        // 2. Verify multibase encoding
        let multibase = kp.public.to_multibase();
        assert_eq!(multibase, expected_multibase, "multibase mismatch");

        // 3. Create DID Document and verify DID string
        let doc = DidKeyResolver::create(&kp.public).unwrap();
        assert_eq!(doc.id, expected_did, "DID string mismatch");

        // 4. Verify the document's multikey VM contains the expected multibase
        assert_eq!(
            doc.verification_method[0].public_key_multibase.as_deref(),
            Some(expected_multibase),
        );

        // 5. Roundtrip: decode multibase back and verify key bytes
        let decoded = PublicKey::from_multibase(expected_multibase).unwrap();
        assert_eq!(decoded.key_type, key_type);
        assert_eq!(decoded.bytes, expected_public);
    }

    #[test]
    fn vector_ed25519() {
        use baseid_test_vectors::did::vectors::ed25519;
        verify_did_key_vector(
            KeyType::Ed25519,
            &ed25519::SECRET,
            &ed25519::PUBLIC,
            ed25519::MULTIBASE,
            ed25519::DID,
        );
    }

    #[test]
    fn vector_p256() {
        use baseid_test_vectors::did::vectors::p256;
        verify_did_key_vector(
            KeyType::P256,
            &p256::SECRET,
            &p256::PUBLIC,
            p256::MULTIBASE,
            p256::DID,
        );
    }

    #[test]
    fn vector_p384() {
        use baseid_test_vectors::did::vectors::p384;
        verify_did_key_vector(
            KeyType::P384,
            &p384::SECRET,
            &p384::PUBLIC,
            p384::MULTIBASE,
            p384::DID,
        );
    }

    #[test]
    fn vector_secp256k1() {
        use baseid_test_vectors::did::vectors::secp256k1;
        verify_did_key_vector(
            KeyType::Secp256k1,
            &secp256k1::SECRET,
            &secp256k1::PUBLIC,
            secp256k1::MULTIBASE,
            secp256k1::DID,
        );
    }

    #[tokio::test]
    async fn resolve_vector_ed25519() {
        use baseid_test_vectors::did::vectors::ed25519;
        let resolver = DidKeyResolver;
        let result = resolver.resolve(ed25519::DID).await.unwrap();
        let doc = result.document.unwrap();
        assert_eq!(doc.id, ed25519::DID);

        // Recovered key matches expected public bytes
        let mb = doc.verification_method[0]
            .public_key_multibase
            .as_ref()
            .unwrap();
        let pk = PublicKey::from_multibase(mb).unwrap();
        assert_eq!(pk.bytes, ed25519::PUBLIC);
        assert_eq!(pk.key_type, KeyType::Ed25519);
    }

    #[tokio::test]
    async fn resolve_vector_p256() {
        use baseid_test_vectors::did::vectors::p256;
        let resolver = DidKeyResolver;
        let result = resolver.resolve(p256::DID).await.unwrap();
        let doc = result.document.unwrap();
        assert_eq!(doc.id, p256::DID);

        let mb = doc.verification_method[0]
            .public_key_multibase
            .as_ref()
            .unwrap();
        let pk = PublicKey::from_multibase(mb).unwrap();
        assert_eq!(pk.bytes, p256::PUBLIC.to_vec());
        assert_eq!(pk.key_type, KeyType::P256);

        // JWK should have correct curve
        let jwk = doc.verification_method[1].public_key_jwk.as_ref().unwrap();
        assert_eq!(jwk["crv"], "P-256");
    }

    #[tokio::test]
    async fn resolve_vector_p384() {
        use baseid_test_vectors::did::vectors::p384;
        let resolver = DidKeyResolver;
        let result = resolver.resolve(p384::DID).await.unwrap();
        let doc = result.document.unwrap();
        assert_eq!(doc.id, p384::DID);

        let mb = doc.verification_method[0]
            .public_key_multibase
            .as_ref()
            .unwrap();
        let pk = PublicKey::from_multibase(mb).unwrap();
        assert_eq!(pk.bytes, p384::PUBLIC.to_vec());

        let jwk = doc.verification_method[1].public_key_jwk.as_ref().unwrap();
        assert_eq!(jwk["crv"], "P-384");
    }

    #[tokio::test]
    async fn resolve_vector_secp256k1() {
        use baseid_test_vectors::did::vectors::secp256k1;
        let resolver = DidKeyResolver;
        let result = resolver.resolve(secp256k1::DID).await.unwrap();
        let doc = result.document.unwrap();
        assert_eq!(doc.id, secp256k1::DID);

        let mb = doc.verification_method[0]
            .public_key_multibase
            .as_ref()
            .unwrap();
        let pk = PublicKey::from_multibase(mb).unwrap();
        assert_eq!(pk.bytes, secp256k1::PUBLIC.to_vec());

        let jwk = doc.verification_method[1].public_key_jwk.as_ref().unwrap();
        assert_eq!(jwk["crv"], "secp256k1");
    }
}