decentralized-identity · mirceanis · Jul 24, 2023 · Jul 20, 2023
diff --git a/packages/credential-w3c/src/__tests__/action-handler.test.ts b/packages/credential-w3c/src/__tests__/action-handler.test.ts
@@ -45,7 +45,13 @@ const mockIdentifiers: IIdentifier[] = [
     controllerKeyId: 'kid2',
     keys: [
       {
-        kid: 'kid2',
+        kid: 'kid2a',
+        publicKeyHex: 'pub',
+        type: 'Ed25519',
+        kms: 'mock',
+      },
+      {
+        kid: 'kid2b',
         publicKeyHex: 'pub',
         type: 'Secp256k1',
         kms: 'mock',
@@ -98,8 +104,18 @@ let agent = {
 } as any as TAgent<IResolver & IDIDManager & IKeyManager & ICredentialPlugin & IDataStore>
 
 describe('@veramo/credential-w3c', () => {
+  const keyManagerSign = agent.keyManagerSign as
+    | jest.Mock<(args: { algorithm: string; keyRef: string}) => Promise<string>>
+
+  beforeEach(() => {
+    keyManagerSign.mockClear()
+  });
+
   test.each(mockIdentifiers)('handles createVerifiableCredential', async (mockIdentifier) => {
-    expect.assertions(3)
+    expect.assertions(6)
+
+    const keyRef = mockIdentifier.keys[1]?.kid // Second key or undefined
+    const expectedKey = mockIdentifier.keys[mockIdentifier.keys.length - 1]
 
     agent.didManagerGet = jest.fn(async (args): Promise<IIdentifier> => mockIdentifier)
     const context = { agent }
@@ -126,13 +142,18 @@ describe('@veramo/credential-w3c', () => {
         credential,
         save: false,
         proofFormat: 'jwt',
+        keyRef,
       },
       context,
     )
     // TODO Update these after refactoring did-jwt-vc
     expect(context.agent.didManagerGet).toBeCalledWith({ did: mockIdentifier.did })
     expect(context.agent.dataStoreSaveVerifiableCredential).not.toBeCalled()
     expect(vc.id).toEqual('vc1')
+
+    expect(keyManagerSign).toBeCalled()
+    expect(keyManagerSign.mock.calls[0][0].keyRef).toEqual(expectedKey.kid)
+    expect(keyManagerSign.mock.calls[0][0].algorithm).toEqual(expectedKey.type === 'Ed25519' ? 'EdDSA' : 'ES256K')
   })
 
   test.each(mockIdentifiers)('handles createVerifiablePresentation', async (mockIdentifier) => {

diff --git a/packages/credential-w3c/src/action-handler.ts b/packages/credential-w3c/src/action-handler.ts
@@ -129,9 +129,7 @@ export class CredentialPlugin implements IAgentPlugin {
     } catch (e) {
       throw new Error('invalid_argument: presentation.holder must be a DID managed by this agent')
     }
-    //FIXME: `args` should allow picking a key or key type
-    const key = identifier.keys.find((k) => k.type === 'Secp256k1' || k.type === 'Ed25519' || k.type === 'Secp256r1')
-    if (!key) throw Error('key_not_found: No signing key for ' + identifier.did)
+    const key = pickSigningKey(identifier, keyRef)
 
     let verifiablePresentation: VerifiablePresentation
 
@@ -237,9 +235,7 @@ export class CredentialPlugin implements IAgentPlugin {
           )
         }
       } else {
-        //FIXME: `args` should allow picking a key or key type
-        const key = identifier.keys.find((k) => k.type === 'Secp256k1' || k.type === 'Ed25519' || k.type === 'Secp256r1')
-        if (!key) throw Error('No signing key for ' + identifier.did)
+        const key = pickSigningKey(identifier, keyRef)
 
         debug('Signing VC with', identifier.did)
         let alg = 'ES256K'
@@ -480,6 +476,20 @@ export class CredentialPlugin implements IAgentPlugin {
   }
 }
 
+function pickSigningKey(identifier: IIdentifier, keyRef?: string): IKey {
+  let key: IKey | undefined
+
+  if (!keyRef) {
+    key = identifier.keys.find((k) => k.type === 'Secp256k1' || k.type === 'Ed25519' || k.type === 'Secp256r1')
+    if (!key) throw Error('key_not_found: No signing key for ' + identifier.did)
+  } else {
+    key = identifier.keys.find((k) => k.kid === keyRef)
+    if (!key) throw Error('key_not_found: No signing key for ' + identifier.did + ' with kid ' + keyRef)
+  }
+
+  return key as IKey
+}
+
 function wrapSigner(
   context: IAgentContext<Pick<IKeyManager, 'keyManagerSign'>>,
   key: IKey,