EBSI DID Resolver
This library is intended to use EBSI Besu addresses as fully self managed Decentralized Identifiers and wrap them in a DID Document
It supports the proposed Decentralized Identifiers spec from the W3C Credentials Community Group.
It requires the did-resolver
library, which is the primary interface for resolving DIDs.
The DID method relies on the ethr-did-registry.
Table of Contents
Installation
// with npm
npm install --save @cef-ebsi/did-resolver
// with yarn
yarn add @cef-ebsi/did-resolver
In order to use the library, you will also need to install ethers v5
and did-resolver v2
.
// with npm
npm install --save ethers^5.0.0 did-resolver^2.0.0
// with yarn
yarn add ethers^5.0.0 did-resolver^2.0.0
Note that we also provide a standalone UMD bundle which already contains ethers
and did-resolver
in dist/ebsi-did-resolver.standalone.umd.js
.
DID method
To encode a DID for an EBSI Besu address, simply prepend did:ebsi:
.
For example: did:ebsi:0xf3beac30c498d9e26865f34fcaa57dbb935b0d74
DID Document
The DID resolver takes the Ethereum address, checks for the current controller, looks at contract events and builds a simple DID document.
The minimal DID document for a an ethereum address 0xb9c5714089478a327f09197987f16f9e5d936e8a
with no transactions to the registry looks like this:
{
'@context': 'https://w3id.org/did/v1',
id: 'did:ebsi:0xb9c5714089478a327f09197987f16f9e5d936e8a',
publicKey: [{
id: 'did:ebsi:0xb9c5714089478a327f09197987f16f9e5d936e8a#controller',
type: 'Secp256k1VerificationKey2018',
controller: 'did:ebsi:0xb9c5714089478a327f09197987f16f9e5d936e8a',
ethereumAddress: '0xb9c5714089478a327f09197987f16f9e5d936e8a'}],
authentication: [{
type: 'Secp256k1SignatureAuthentication2018',
publicKey: 'did:ebsi:0xb9c5714089478a327f09197987f16f9e5d936e8a#controller'}]
}
Note this uses the Secp256k1VerificationKey2018
type and an ethereumAddress
instead of a publicKeyHex
.
Building a DID document
The DID document is built by using read only functions and contract events on the ebsi-did-registry
BESU smart contract.
Any value from the registry that returns an ethereum address will be added to the publicKey
array of the DID document with type Secp256k1VerificationKey2018
and an ethereumAddress
attribute containing the address.
Owner Address
Each identity always has a controller address. By default it's the same as the identity address, but check the read only contract function identityOwner(address identity)
on the deployed version of the EthrDIDRegistry contract.
The Identity controller will always have a publicKey
with the id set as the DID with the fragment #controller
appended.
An entry is also added to the authentication
array of the DID document with type Secp256k1SignatureAuthentication2018
.
Enumerating contract events for an identity
The EthereumDIDRegistry
contract publishes 3 types of events for each identity.
DIDOwnerChanged
DIDDelegateChanged
DIDAttributeChanged
If a change has ever been made for an identity the block number is stored in the changed
mapping.
The latest event can be efficiently looked up by checking for one of the 3 above events at that exact block.
Each event contains a previousChange
value which contains the block number of the previous change (if any)
To see all changes in history for an identity use the following pseudo code:
- call
changed(address identity)
contract - if result is null return
- filter for events for all the above types with the contracts address on the specified block
- if event has a previous change then go to 3
Delegate Keys
Delegate Keys are ethereum addresses that can either be general signing keys or optionally also perform authentication.
They are also verifiable from solidity (see ethr-did-registry for more info).
A DIDDelegateChanged
event is published that is used to build a DID.
event DIDDelegateChanged(
address indexed identity,
bytes32 delegateType,
address delegate,
uint validTo,
uint previousChange
);
The only 2 delegateTypes that are currently published in the DID Document are:
-
veriKey
Which adds aSecp256k1VerificationKey2018
to thepublicKey
section of document -
sigAuth
Which adds aSecp256k1SignatureAuthentication2018
to thepublicKey
section of document. An entry is also added to theauthentication
section of document.
Note The delegateType
is a bytes32
type for Ethereum gas efficiency reasons and not a string. This restricts us to 32 bytes, which is why we use the short hand versions above.
Only events with a validTo
in seconds greater or equal to current time should be included in the DID document.
Non Ethereum Attributes
Non ethereum keys, service elements etc can be added using attributes. Attributes only exist on the blockchain as contract events of type DIDAttributeChanged
and can thus not be queried from within solidity code.
event DIDAttributeChanged(
address indexed identity,
bytes32 name,
bytes value,
uint validTo,
uint previousChange
);
Note The name
is a bytes32
type for Ethereum gas efficiency reasons and not a string. This restricts us to 32 bytes, which is why we use the short hand attribute versions below.
While any attribute can be stored. For the DID document we currently support adding to each of these sections of the DID document:
Public Keys
The name of the attribute should follow this format:
did/pub/(Secp256k1|RSA|Ed25519)/(veriKey|sigAuth)/(hex|base64)
Hex encoded Secp256k1 Verification Key
A DIDAttributeChanged
event for the identity 0xf3beac30c498d9e26865f34fcaa57dbb935b0d74
with the name did/pub/Secp256k1/veriKey/hex
and the value of 0x02b97c30de767f084ce3080168ee293053ba33b235d7116a3263d29f1450936b71
generates a PublicKey
entry like this:
{
id: "did:ebsi:0xf3beac30c498d9e26865f34fcaa57dbb935b0d74#delegate-1",
type: "Secp256k1VerificationKey2018",
controller: "did:ebsi:0xf3beac30c498d9e26865f34fcaa57dbb935b0d74",
publicKeyHex: '02b97c30de767f084ce3080168ee293053ba33b235d7116a3263d29f1450936b71'
}
Base64 encoded Ed25519 Verification Key
A DIDAttributeChanged
event for the identity 0xf3beac30c498d9e26865f34fcaa57dbb935b0d74
with the name did/pub/Ed25519/veriKey/base64
and the value of 0xb97c30de767f084ce3080168ee293053ba33b235d7116a3263d29f1450936b71
generates a PublicKey
entry like this:
{
id: "did:ebsi:0xf3beac30c498d9e26865f34fcaa57dbb935b0d74#delegate-1",
type: "Ed25519VerificationKey2018",
controller: "did:ebsi:0xf3beac30c498d9e26865f34fcaa57dbb935b0d74",
publicKeyBase64: "uXww3nZ/CEzjCAFo7ikwU7ozsjXXEWoyY9KfFFCTa3E="
}
We are looking for people to submit support for pem
, base58
and jwk
key formats as well.
Service Endpoints
The name of the attribute should follow this format:
did/svc/[ServiceName]
Hex encoded Secp256k1 Verification Key
A DIDAttributeChanged
event for the identity 0xf3beac30c498d9e26865f34fcaa57dbb935b0d74
with the name did/svc/HubService
and value of the url https://hubs.ebsi.me
hex encoded as 0x68747470733a2f2f687562732e75706f72742e6d65
generates a Service
entry like this:
{
type: "HubService",
serviceEndpoint: "https://hubs.ebsi.me"
}
Resolving a DID document
The resolver presents a simple resolver()
function that returns a ES6 Promise returning the DID document.
import { Resolver } from "did-resolver";
import { getResolver } from "@cef-ebsi/did-resolver";
// You can set a rpc endpoint to be used by the web3 provider
// You can also set an address for your own ebsi-did-registry contract
const providerConfig = {
rpcUrl: "https://api.intebsi.xyz/blockchain/besu",
registry: registry.address,
};
// getResolver will return an object with a key/value pair of { "ebsi": resolver } where resolver is a function used by the generic DID resolver.
const ebsiDidResolver = getResolver(providerConfig);
const didResolver = Resolver(ebsiDidResolver);
didResolver
.resolve("did:ebsi:0xf3beac30c498d9e26865f34fcaa57dbb935b0d74")
.then((doc) => console.log);
// You can also use ES7 async/await syntax
const doc = await didResolver.resolve(
"did:ebsi:0xf3beac30c498d9e26865f34fcaa57dbb935b0d74"
);
Licensing
Copyright (c) 2019 European Commission
Licensed under the EUPL, Version 1.2 or - as soon they will be approved by the European Commission - subsequent versions of the EUPL (the "Licence");
You may not use this work except in compliance with the Licence.
You may obtain a copy of the Licence at:
Unless required by applicable law or agreed to in writing, software distributed under the Licence is distributed on an "AS IS" basis, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the Licence for the specific language governing permissions and limitations under the Licence.