{"id":45811472,"url":"https://github.com/swiyu-admin-ch/didtoolbox-java","last_synced_at":"2026-02-26T16:53:11.487Z","repository":{"id":279812207,"uuid":"940055973","full_name":"swiyu-admin-ch/didtoolbox-java","owner":"swiyu-admin-ch","description":"DID toolbox built for swiyu, the Swiss e-ID Trust Infrastructure","archived":false,"fork":false,"pushed_at":"2026-02-23T16:01:18.000Z","size":1692,"stargazers_count":12,"open_issues_count":4,"forks_count":0,"subscribers_count":4,"default_branch":"main","last_synced_at":"2026-02-23T18:03:48.961Z","etag":null,"topics":["did","eid"],"latest_commit_sha":null,"homepage":"https://www.eid.admin.ch","language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/swiyu-admin-ch.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":"publiccode.yml","codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-02-27T14:44:20.000Z","updated_at":"2026-02-23T09:17:44.000Z","dependencies_parsed_at":"2026-02-13T15:07:45.663Z","dependency_job_id":null,"html_url":"https://github.com/swiyu-admin-ch/didtoolbox-java","commit_stats":null,"previous_names":["swiyu-admin-ch/didtoolbox-java"],"tags_count":14,"template":false,"template_full_name":null,"purl":"pkg:github/swiyu-admin-ch/didtoolbox-java","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/swiyu-admin-ch%2Fdidtoolbox-java","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/swiyu-admin-ch%2Fdidtoolbox-java/tags","releases_url"
:"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/swiyu-admin-ch%2Fdidtoolbox-java/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/swiyu-admin-ch%2Fdidtoolbox-java/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/swiyu-admin-ch","download_url":"https://codeload.github.com/swiyu-admin-ch/didtoolbox-java/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/swiyu-admin-ch%2Fdidtoolbox-java/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29865400,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-26T16:38:37.846Z","status":"ssl_error","status_checked_at":"2026-02-26T16:37:58.932Z","response_time":89,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["did","eid"],"created_at":"2026-02-26T16:53:06.262Z","updated_at":"2026-02-26T16:53:11.450Z","avatar_url":"https://github.com/swiyu-admin-ch.png","language":"Java","funding_links":[],"categories":[],"sub_categories":[],"readme":"![swiyu GitHub banner](https://github.com/swiyu-admin-ch/swiyu-admin-ch.github.io/blob/main/assets/images/github-banner.jpg)\n\n# DID-Toolbox\n\n[![Pull Request 
Check](https://github.com/swiyu-admin-ch/didtoolbox-java/actions/workflows/pull-request-check.yml/badge.svg)](https://github.com/swiyu-admin-ch/didtoolbox-java/actions/workflows/pull-request-check.yml)\n\nAn official Swiss Government project made by\nthe [Federal Office of Information Technology, Systems and Telecommunication FOITT](https://www.bit.admin.ch/)\nas part of the electronic identity (e-ID) project.\n\nThis project implements the DID-Toolbox, a helper utility for the purpose of creation, update or deactivation of DIDs\nwith respect to one of the following specifications:\n* [Trust DID Web (`did:tdw`) - v0.3](https://identity.foundation/didwebvh/v0.3/) (optional)\n* [DID Web + Verifiable History (`did:webvh`) - v1.0](https://identity.foundation/didwebvh/v1.0/) (default since v1.6.0)\n\n## Table of contents\n\n- [Introduction](#introduction)\n- [Prerequisites](#prerequisites)\n- [CLI Overview](#cli-overview)\n- [Quickstart – Create Your First DID](#quickstart--create-your-first-did)\n- [Update an existing DID](#update-an-existing-did)\n- [Proof of Possession (PoP)](#proof-of-possession-pop)\n  - [PoP Creation](#pop-creation)\n  - [PoP Verification](#pop-verification)\n- [Advanced Usage](#advanced-usage)\n  - [Create](#did-creation)\n  - [Update](#did-update)\n  - [DID Deactivation (Revoke)](#did-deactivation-revoke)\n  - [Key Rotation with Pre-Rotation](#key-rotation-with-pre-rotation)\n- [The DID Toolbox (Java) API](#the-did-toolbox-java-api)\n- [Additional Information](#additional-information)\n- [Missing Features and Known Issues](#missing-features-and-known-issues)\n- [Contributions and Feedback](#contributions-and-feedback)\n- [License](#license)\n\n## Introduction\n\nA **Decentralized Identifier (DID)** is a globally unique identifier that allows individuals and entities to create and manage their own digital identities independently of centralized authorities. 
To actively participate in the swiyu Public Beta as an issuer or verifier, you must create at least one DID and upload the resulting DID log content to the Identifier Registry. Creating new DIDs involves a set of steps that are error-prone or take some time to get familiar with, so one might end up with invalid DIDs. The DID-Toolbox supports you with various options for a quick start or advanced usage.\n\n**Currently, the swiyu ecosystem supports the following DID method: did:tdw, version 0.3.**\n\nAs of now, it supports creating and updating DIDs with [verification relationships](https://www.w3.org/TR/did-core/#verification-relationships) of types:\n- authentication\n- assertionMethod\n\nThe DID-Toolbox forces generated DIDs to have at least one key for each verification relationship. One can add multiple keys per verification relationship as well as add and/or remove keys by updating a previously generated DID (see [here](#advanced-usage)).\n\n## Prerequisites\n\nBefore using the DID-Toolbox, ensure your system meets the following requirements:\n\n- **Target Operating System:** Compatible with the following operating systems: Linux (x86-64 \u0026 aarch64), macOS (x86-64 \u0026 aarch64) and Windows (x86-64). Ensure your OS is up to date to avoid compatibility issues. \u003cbr\u003e⚠️ **CAUTION** Beware of the target OS support when running the DID-Toolbox from within a Docker/Podman container. Due to [functional differences between musl and glibc](https://wiki.musl-libc.org/functional-differences-from-glibc.html), it is a known issue that [Alpine](https://hub.docker.com/_/alpine) images require workarounds. Luckily, [\"Distroless\"](https://github.com/GoogleContainerTools/distroless/tree/main/java) images offer a useful and viable alternative, as illustrated [here](examples/containerization/README.md).\n- **Java Runtime Environment (JRE) 21 or Higher:** The DID-Toolbox requires Java JRE version 21 or above. Verify that Java is installed on your machine. 
[JNA](https://javadoc.io/doc/net.java.dev.jna/jna/latest/index.html) support is required, since the DID-Toolbox depends on another, platform dependent library, used to verify the generated DID log outputs.\n- **Internet Connection:** Required for downloading the tool.\n- **Sufficient Disk Space:** Allocate enough disk space for the tool and the generated key materials. 100 MB should suffice, depending on the number of DIDs you intend to generate.\n- **Third-party JCE provider library (OPTIONAL, only in case of Securosys Primus HSM as the source of signing/verifying key pair):** \nIn this case, the required JCE provider (JAR) library is available for download [here](https://nexus.bit.admin.ch/#browse/browse:bit-pki-raw-hosted:securosys%2Fjce) or (alternatively) [here](https://docs.securosys.com/jce/Downloads/).\nOnce downloaded, the relevant JAR file (`primusX-java8.jar` or `primusX-java11.jar`) is then expected to be stored on the system alongside the DID-Toolbox in the `lib` subdirectory (e.g. as `lib/primusX-java11.jar`).\nBeware that running the DID-Toolbox with `--primus-*` CLI parameters supplied will inevitably/unconditionally fail if none of these libraries is available on the system. \n\n## CLI Overview\n\n```text\n$ java -jar didtoolbox.jar -h\n\nUsage: didtoolbox [options] [command] [command options]\n  Options:\n    --help, -h    Display help for the DID toolbox\n    --version, -V Display version (default: false)\n  Commands:\n    create      Create a DID and sign the initial DID log entry with the provided private key. To supply a signing/verifying key pair, always rely on \n            one of the three available command parameter sets exclusively, each of then denoting a whole another source of such key material: PEM \n            files, a Java KeyStore (PKCS12) or a Securosys Primus (HSM) connection. 
In case of a Securosys Primus (HSM) connection, the required JCE \n            provider (JAR) library (primusX-java8.jar or primusX-java11.jar) is by-convention expected to be stored on the system alongside the \n            DID-Toolbox in the lib subdirectory (e.g. as lib/primusX-java11.jar). Alternatively, you may also use \n            -Xbootclasspath/a:directories|zip|JAR-files option of the java command for the purpose\n      Usage: create [options]\n        Options:\n          --assert, -a\n            One or more assertion method parameter(s) - each parameter consists of a (comma-separated) key name and a PEM file containing EC P-256 \n            public/verifying key\n          --auth, -t\n            One or more authentication method parameter(s) - each parameter consists of a (comma-separated) key name and a PEM file containing EC \n            P-256 public/verifying key\n          --force-overwrite, -f\n            Overwrite existing PEM key files, if any\n            Default: false\n          --help, -h\n            Display help for the DID toolbox command\n        * --identifier-registry-url, -u\n            A HTTP(S) DID URL (to did.jsonl) to create a DID log for\n          --jks-alias\n            Java KeyStore alias name of the entry to process. This CLI parameter should always be used exclusively alongside all the other --jks-* \n            CLI parameters\n          --jks-file, -j\n            Java KeyStore (PKCS12) file to read the (signing/verifying) keys from. This CLI parameter should always be used exclusively alongside all \n            the other --jks-* CLI parameters\n          --jks-password\n            Java KeyStore password used to check the integrity of the keystore, the password used to unlock the keystore. 
This CLI parameter should \n            always be used exclusively alongside all the other --jks-* CLI parameters\n          --method-version, -m\n            Defines the DID method specification version to use when generating a DID log. Case-insensitive. Valid values: 'did:tdw:0.3', \n            'did:webvh:1.0' \n            Default: did:webvh:1.0\n            Possible Values: [TDW_0_3, WEBVH_1_0]\n          --primus-credentials, -p\n            A safely stored credentials file required when using (signing/verifying) keys available in the Securosys Primus (HSM) Keystore. It should \n            feature a quartet of the following properties: securosys_primus_host, securosys_primus_port, securosys_primus_user and \n            securosys_primus_password. Any credential missing in this file will simply fallback to its system environment counterpart (if set) - the \n            relevant envvars in this case are: SECUROSYS_PRIMUS_HOST, SECUROSYS_PRIMUS_PORT, SECUROSYS_PRIMUS_USER and SECUROSYS_PRIMUS_PASSWORD. \n            This CLI parameter should always be used exclusively alongside all the other --primus-* CLI parameters, related to Securosys Primus (HSM)\n          --primus-keystore-alias, -q\n            An alias the (signing/verifying) key pair (stored in the Securosys Primus (HSM) Keystore) is associated with. This CLI parameter should \n            always be used exclusively alongside all the other --primus-* CLI parameters, related to Securosys Primus (HSM)\n          --primus-keystore-password\n            An optional password required for recovering the (signing/verifying) key pair (stored in Securosys Primus (HSM) Keystore). This CLI \n            parameter should always be used exclusively alongside all the other --primus-* CLI parameters, related to Securosys Primus (HSM)\n          --signing-key-file, -s\n            The ed25519 private key file required for signing a DID log entry or a PoP JWT. In PEM Format. 
This CLI parameter cannot be used in \n            conjunction with any of --jks-* or --primus-* CLI parameters\n          --verifying-key-files, -v\n            One or more ed25519 public key file(s) for the DID Document’s verification method. In PEM format.\n          --verifying-key-files-next, -w\n            One or more ed25519 public key file(s) to be used as 'pre-rotation' keys. In PEM format. Using the CLI option activates 'key \n            pre-rotation'. Analogously, deactivating 'key pre-rotation' goes simply by omitting this option altogether\n\n    update      Update a DID log by replacing the existing verification material in DID document. To supply a signing/verifying key pair, always rely \n            on one of the three available command parameter sets exclusively, each of then denoting a whole another source of such key material: PEM \n            files, a Java KeyStore (PKCS12) or a Securosys Primus (HSM) connection. In case of a Securosys Primus (HSM) connection, the required JCE \n            provider (JAR) library (primusX-java8.jar or primusX-java11.jar) is by-convention expected to be stored on the system alongside the \n            DID-Toolbox in the lib subdirectory (e.g. as lib/primusX-java11.jar). 
Alternatively, you may also use \n            -Xbootclasspath/a:directories|zip|JAR-files option of the java command for the purpose\n      Usage: update [options]\n        Options:\n          --assert, -a\n            One or more assertion method parameter(s) - each parameter consists of a (comma-separated) key name and a PEM file containing EC P-256 \n            public/verifying key\n          --auth, -t\n            One or more authentication method parameter(s) - each parameter consists of a (comma-separated) key name and a PEM file containing EC \n            P-256 public/verifying key\n        * --did-log-file, -d\n            The file containing a valid DID log to update\n          --help, -h\n            Display help for the DID toolbox command\n          --jks-alias\n            Java KeyStore alias name of the entry to process. This CLI parameter should always be used exclusively alongside all the other --jks-* \n            CLI parameters\n          --jks-file, -j\n            Java KeyStore (PKCS12) file to read the (signing/verifying) keys from. This CLI parameter should always be used exclusively alongside all \n            the other --jks-* CLI parameters\n          --jks-password\n            Java KeyStore password used to check the integrity of the keystore, the password used to unlock the keystore. This CLI parameter should \n            always be used exclusively alongside all the other --jks-* CLI parameters\n          --primus-credentials, -p\n            A safely stored credentials file required when using (signing/verifying) keys available in the Securosys Primus (HSM) Keystore. It should \n            feature a quartet of the following properties: securosys_primus_host, securosys_primus_port, securosys_primus_user and \n            securosys_primus_password. 
Any credential missing in this file will simply fallback to its system environment counterpart (if set) - the \n            relevant envvars in this case are: SECUROSYS_PRIMUS_HOST, SECUROSYS_PRIMUS_PORT, SECUROSYS_PRIMUS_USER and SECUROSYS_PRIMUS_PASSWORD. \n            This CLI parameter should always be used exclusively alongside all the other --primus-* CLI parameters, related to Securosys Primus (HSM)\n          --primus-keystore-alias, -q\n            An alias the (signing/verifying) key pair (stored in the Securosys Primus (HSM) Keystore) is associated with. This CLI parameter should \n            always be used exclusively alongside all the other --primus-* CLI parameters, related to Securosys Primus (HSM)\n          --primus-keystore-password\n            An optional password required for recovering the (signing/verifying) key pair (stored in Securosys Primus (HSM) Keystore). This CLI \n            parameter should always be used exclusively alongside all the other --primus-* CLI parameters, related to Securosys Primus (HSM)\n          --signing-key-file, -s\n            The ed25519 private key file required for signing a DID log entry or a PoP JWT. In PEM Format. This CLI parameter cannot be used in \n            conjunction with any of --jks-* or --primus-* CLI parameters\n          --verifying-key-files, -v\n            One or more ed25519 public key file(s) for the DID Document’s verification method. In PEM format.\n          --verifying-key-files-next, -w\n            One or more ed25519 public key file(s) to be used as 'pre-rotation' keys. In PEM format. Using the CLI option activates 'key \n            pre-rotation'. Analogously, deactivating 'key pre-rotation' goes simply by omitting this option altogether\n\n    deactivate      Deactivate (revoke) a DID log. 
To supply a signing/verifying key pair, always rely on one of the three available command \n            parameter sets exclusively, each of then denoting a whole another source of such key material: PEM files, a Java KeyStore (PKCS12) or a \n            Securosys Primus (HSM) connection. In case of a Securosys Primus (HSM) connection, the required JCE provider (JAR) library \n            (primusX-java8.jar or primusX-java11.jar) is by-convention expected to be stored on the system alongside the DID-Toolbox in the lib \n            subdirectory (e.g. as lib/primusX-java11.jar). Alternatively, you may also use -Xbootclasspath/a:directories|zip|JAR-files option of the \n            java command for the purpose\n      Usage: deactivate [options]\n        Options:\n        * --did-log-file, -d\n            The file containing a valid DID log to deactivate\n          --help, -h\n            Display help for the DID toolbox command\n          --jks-alias\n            Java KeyStore alias name of the entry to process. This CLI parameter should always be used exclusively alongside all the other --jks-* \n            CLI parameters\n          --jks-file, -j\n            Java KeyStore (PKCS12) file to read the (signing/verifying) keys from. This CLI parameter should always be used exclusively alongside all \n            the other --jks-* CLI parameters\n          --jks-password\n            Java KeyStore password used to check the integrity of the keystore, the password used to unlock the keystore. This CLI parameter should \n            always be used exclusively alongside all the other --jks-* CLI parameters\n          --primus-credentials, -p\n            A safely stored credentials file required when using (signing/verifying) keys available in the Securosys Primus (HSM) Keystore. It should \n            feature a quartet of the following properties: securosys_primus_host, securosys_primus_port, securosys_primus_user and \n            securosys_primus_password. 
Any credential missing in this file will simply fallback to its system environment counterpart (if set) - the \n            relevant envvars in this case are: SECUROSYS_PRIMUS_HOST, SECUROSYS_PRIMUS_PORT, SECUROSYS_PRIMUS_USER and SECUROSYS_PRIMUS_PASSWORD. \n            This CLI parameter should always be used exclusively alongside all the other --primus-* CLI parameters, related to Securosys Primus (HSM)\n          --primus-keystore-alias, -q\n            An alias the (signing/verifying) key pair (stored in the Securosys Primus (HSM) Keystore) is associated with. This CLI parameter should \n            always be used exclusively alongside all the other --primus-* CLI parameters, related to Securosys Primus (HSM)\n          --primus-keystore-password\n            An optional password required for recovering the (signing/verifying) key pair (stored in Securosys Primus (HSM) Keystore). This CLI \n            parameter should always be used exclusively alongside all the other --primus-* CLI parameters, related to Securosys Primus (HSM)\n          --signing-key-file, -s\n            The ed25519 private key file required for signing a DID log entry or a PoP JWT. In PEM Format. This CLI parameter cannot be used in \n            conjunction with any of --jks-* or --primus-* CLI parameters\n\n    create-pop      Create a proof of possession JWT signed with the provided private key that expires after 24 hours. To supply a signing/verifying \n            key pair, always rely on one of the three available command parameter sets exclusively, each of then denoting a whole another source of \n            such key material: PEM files, a Java KeyStore (PKCS12) or a Securosys Primus (HSM) connection. In case of a Securosys Primus (HSM) \n            connection, the required JCE provider (JAR) library (primusX-java8.jar or primusX-java11.jar) is by-convention expected to be stored on \n            the system alongside the DID-Toolbox in the lib subdirectory (e.g. 
as lib/primusX-java11.jar). Alternatively, you may also use \n            -Xbootclasspath/a:directories|zip|JAR-files option of the java command for the purpose\n      Usage: create-pop [options]\n        Options:\n          --help, -h\n            Display help for the DID toolbox command\n          --jks-alias\n            Java KeyStore alias name of the entry to process. This CLI parameter should always be used exclusively alongside all the other --jks-* \n            CLI parameters\n          --jks-file, -j\n            Java KeyStore (PKCS12) file to read the (signing/verifying) keys from. This CLI parameter should always be used exclusively alongside all \n            the other --jks-* CLI parameters\n          --jks-password\n            Java KeyStore password used to check the integrity of the keystore, the password used to unlock the keystore. This CLI parameter should \n            always be used exclusively alongside all the other --jks-* CLI parameters\n        * --nonce, -n\n            Possession which will be proven by the JWT\n          --primus-credentials, -p\n            A safely stored credentials file required when using (signing/verifying) keys available in the Securosys Primus (HSM) Keystore. It should \n            feature a quartet of the following properties: securosys_primus_host, securosys_primus_port, securosys_primus_user and \n            securosys_primus_password. Any credential missing in this file will simply fallback to its system environment counterpart (if set) - the \n            relevant envvars in this case are: SECUROSYS_PRIMUS_HOST, SECUROSYS_PRIMUS_PORT, SECUROSYS_PRIMUS_USER and SECUROSYS_PRIMUS_PASSWORD. \n            This CLI parameter should always be used exclusively alongside all the other --primus-* CLI parameters, related to Securosys Primus (HSM)\n          --primus-keystore-alias, -q\n            An alias the (signing/verifying) key pair (stored in the Securosys Primus (HSM) Keystore) is associated with. 
This CLI parameter should \n            always be used exclusively alongside all the other --primus-* CLI parameters, related to Securosys Primus (HSM)\n          --primus-keystore-password\n            An optional password required for recovering the (signing/verifying) key pair (stored in Securosys Primus (HSM) Keystore). This CLI \n            parameter should always be used exclusively alongside all the other --primus-* CLI parameters, related to Securosys Primus (HSM)\n          --signing-key-file, -s\n            The ed25519 private key file required for signing a DID log entry or a PoP JWT. In PEM Format. This CLI parameter cannot be used in \n            conjunction with any of --jks-* or --primus-* CLI parameters\n          --verifying-key-file, -v\n            An ed25519 public key file matching the supplied ed25519 private key file, required for signing the PoP JWT. In PEM format. This CLI \n            parameter cannot be used in conjunction with any of --jks-* or --primus-* CLI parameters\n\n    verify-pop      Verifies the validity of the provided proof of possession JWT.\n      Usage: verify-pop [options]\n        Options:\n        * --did-log-file, -d\n            The file containing a valid DID log of the owner.\n          --help, -h\n            Display help for the DID toolbox command\n        * --jwt, -j\n            JWT to be verified\n        * --nonce, -n\n            Text representation of the possession to be included in the proof\n\n$ java -jar didtoolbox.jar -V\n\ndidtoolbox 1.7.0\n```\n\n## Quickstart – Create Your First DID\n\nThe quickstart option is designed for users who want to rapidly create one or multiple DIDs without getting too much into the DID method internals. 
This automates the generation of the necessary asymmetric key pairs and builds the initial DID log content, which can be uploaded to the swiyu Identifier Registry.\n\n### Command Syntax\n\nTo run the DID-Toolbox using the Quickstart option, use the following command structure:\n\n```shell\n$ java -jar didtoolbox.jar create --identifier-registry-url \u003cidentifier_registry_url\u003e\n\n# Example\n$ java -jar didtoolbox.jar create --identifier-registry-url https://identifier-reg.trust-infra.swiyu-int.admin.ch/api/v1/did/18fa7c77-9dd1-4e20-a147-fb1bec146085\n```\n- **create**: Command to create a new DID (with `did:webvh:1.0` as default DID method since v1.6.0)\n- **\u003cidentifier_registry_url\u003e**: URL where the DID is rooted (absolute URL, /did.jsonl is optional)\n\n#### What Happens Upon Execution\n\n- Key Pair Generation: Three key pairs are created and stored in the .didtoolbox directory (output directory, will be created automatically) in PEM format.\n**Take good care of the generated key material. You will need it again later on (e.g. to configure it in your Issuers and/or Verifiers)**:\n  - DID Update Key Pair (required to update the DID at a later point in time):\n    - id_ed25519: Private key (not password protected)\n    - id_ed25519.pem: Public key\n  - DID Authentication Key Pair:\n    - auth-key-01: Private key (not password protected)\n    - auth-key-01.pem: Public key\n  - DID Assertion Key Pair:\n    - assert-key-01: Private key (not password protected)\n    - assert-key-01.pem: Public key\n- DID Log Generation: A DID log line is generated and output to the standard console (stdout). You can redirect this output to a file if necessary. This is the output that needs to be uploaded to the swiyu Identifier Registry.\n\n#### DID Log Content\nThe generated DID log content should look similar to the one shown below. 
After creation, it consists of a single, albeit lengthy, line.\n\n```json\n{\"versionId\":\"1-QmUHs3qtWUdAX5cDWGET3cwEPWx1pbiMNRvZMM8niBYM5r\",\"versionTime\":\"2025-09-16T08:28:33Z\",\"parameters\":{\"method\":\"did:webvh:1.0\",\"scid\":\"QmW3H4phgD2bKKWb1GcmtNbFhxVD3bonRLmsf9XdMrUnzn\",\"updateKeys\":[\"z6Mku4WkTingBAr4jNDUVfavPWghiFQztsBGJXox5kjj7Lhh\"],\"portable\":false},\"state\":{\"@context\":[\"https://www.w3.org/ns/did/v1\",\"https://w3id.org/security/jwk/v1\"],\"id\":\"did:webvh:QmW3H4phgD2bKKWb1GcmtNbFhxVD3bonRLmsf9XdMrUnzn:identifier-reg.trust-infra.swiyu-int.admin.ch:api:v1:did:18fa7c77-9dd1-4e20-a147-fb1bec146085\",\"authentication\":[\"did:webvh:QmW3H4phgD2bKKWb1GcmtNbFhxVD3bonRLmsf9XdMrUnzn:identifier-reg.trust-infra.swiyu-int.admin.ch:api:v1:did:18fa7c77-9dd1-4e20-a147-fb1bec146085#auth-key-01\"],\"assertionMethod\":[\"did:webvh:QmW3H4phgD2bKKWb1GcmtNbFhxVD3bonRLmsf9XdMrUnzn:identifier-reg.trust-infra.swiyu-int.admin.ch:api:v1:did:18fa7c77-9dd1-4e20-a147-fb1bec146085#assert-key-01\"],\"verificationMethod\":[{\"id\":\"did:webvh:QmW3H4phgD2bKKWb1GcmtNbFhxVD3bonRLmsf9XdMrUnzn:identifier-reg.trust-infra.swiyu-int.admin.ch:api:v1:did:18fa7c77-9dd1-4e20-a147-fb1bec146085#auth-key-01\",\"type\":\"JsonWebKey2020\",\"publicKeyJwk\":{\"kty\":\"EC\",\"crv\":\"P-256\",\"x\":\"_yaER4Zd_knfeAvNEbbLSU6EYXQmmwyUPd3_Ow03XWM\",\"y\":\"Qg24PtsFEjubwIaPllkiD53fp9P5KlkWykA-yH3zWHc\",\"kid\":\"auth-key-01\"}},{\"id\":\"did:webvh:QmW3H4phgD2bKKWb1GcmtNbFhxVD3bonRLmsf9XdMrUnzn:identifier-reg.trust-infra.swiyu-int.admin.ch:api:v1:did:18fa7c77-9dd1-4e20-a147-fb1bec146085#assert-key-01\",\"type\":\"JsonWebKey2020\",\"publicKeyJwk\":{\"kty\":\"EC\",\"crv\":\"P-256\",\"x\":\"oj9V39ywyS7kcRd1ByhTjHbr_VJm1VYa6yXM67d_IDk\",\"y\":\"bRX0IrfBBhZ9Y0k9QNgRYRCjT8NK5KmsozXP1usxesI\",\"kid\":\"assert-key-01\"}}]},\"proof\":[{\"type\":\"DataIntegrityProof\",\"cryptosuite\":\"eddsa-jcs-2022\",\"created\":\"2025-09-16T08:28:33Z\",\"verificationMethod\":\"did:key:z6Mku4WkTingBAr4jNDUVfavPWghi
FQztsBGJXox5kjj7Lhh#z6Mku4WkTingBAr4jNDUVfavPWghiFQztsBGJXox5kjj7Lhh\",\"proofPurpose\":\"assertionMethod\",\"proofValue\":\"z5CHhr58M9wbzN3MaXzaCWskPtyXe2GiCWTFA2s2fEapPVqLjH5DLJqN3rwDqyvp67CQyKjkP58sVANHEmR6DTha5\"}]}\n```\n\nPrettified version of the DID log content above.\n\n```json\n{\n  \"versionId\": \"1-QmUHs3qtWUdAX5cDWGET3cwEPWx1pbiMNRvZMM8niBYM5r\",\n  \"versionTime\": \"2025-09-16T08:28:33Z\",\n  \"parameters\": {\n    \"method\": \"did:webvh:1.0\",\n    \"scid\": \"QmW3H4phgD2bKKWb1GcmtNbFhxVD3bonRLmsf9XdMrUnzn\",\n    \"updateKeys\": [\n      \"z6Mku4WkTingBAr4jNDUVfavPWghiFQztsBGJXox5kjj7Lhh\"\n    ],\n    \"portable\": false\n  },\n  \"state\": {\n    \"@context\": [\n      \"https://www.w3.org/ns/did/v1\",\n      \"https://w3id.org/security/jwk/v1\"\n    ],\n    \"id\": \"did:webvh:QmW3H4phgD2bKKWb1GcmtNbFhxVD3bonRLmsf9XdMrUnzn:identifier-reg.trust-infra.swiyu-int.admin.ch:api:v1:did:18fa7c77-9dd1-4e20-a147-fb1bec146085\",\n    \"authentication\": [\n      \"did:webvh:QmW3H4phgD2bKKWb1GcmtNbFhxVD3bonRLmsf9XdMrUnzn:identifier-reg.trust-infra.swiyu-int.admin.ch:api:v1:did:18fa7c77-9dd1-4e20-a147-fb1bec146085#auth-key-01\"\n    ],\n    \"assertionMethod\": [\n      \"did:webvh:QmW3H4phgD2bKKWb1GcmtNbFhxVD3bonRLmsf9XdMrUnzn:identifier-reg.trust-infra.swiyu-int.admin.ch:api:v1:did:18fa7c77-9dd1-4e20-a147-fb1bec146085#assert-key-01\"\n    ],\n    \"verificationMethod\": [\n      {\n        \"id\": \"did:webvh:QmW3H4phgD2bKKWb1GcmtNbFhxVD3bonRLmsf9XdMrUnzn:identifier-reg.trust-infra.swiyu-int.admin.ch:api:v1:did:18fa7c77-9dd1-4e20-a147-fb1bec146085#auth-key-01\",\n        \"type\": \"JsonWebKey2020\",\n        \"publicKeyJwk\": {\n          \"kty\": \"EC\",\n          \"crv\": \"P-256\",\n          \"x\": \"_yaER4Zd_knfeAvNEbbLSU6EYXQmmwyUPd3_Ow03XWM\",\n          \"y\": \"Qg24PtsFEjubwIaPllkiD53fp9P5KlkWykA-yH3zWHc\",\n          \"kid\": \"auth-key-01\"\n        }\n      },\n      {\n        \"id\": 
\"did:webvh:QmW3H4phgD2bKKWb1GcmtNbFhxVD3bonRLmsf9XdMrUnzn:identifier-reg.trust-infra.swiyu-int.admin.ch:api:v1:did:18fa7c77-9dd1-4e20-a147-fb1bec146085#assert-key-01\",\n        \"type\": \"JsonWebKey2020\",\n        \"publicKeyJwk\": {\n          \"kty\": \"EC\",\n          \"crv\": \"P-256\",\n          \"x\": \"oj9V39ywyS7kcRd1ByhTjHbr_VJm1VYa6yXM67d_IDk\",\n          \"y\": \"bRX0IrfBBhZ9Y0k9QNgRYRCjT8NK5KmsozXP1usxesI\",\n          \"kid\": \"assert-key-01\"\n        }\n      }\n    ]\n  },\n  \"proof\": [\n    {\n      \"type\": \"DataIntegrityProof\",\n      \"cryptosuite\": \"eddsa-jcs-2022\",\n      \"created\": \"2025-09-16T08:28:33Z\",\n      \"verificationMethod\": \"did:key:z6Mku4WkTingBAr4jNDUVfavPWghiFQztsBGJXox5kjj7Lhh#z6Mku4WkTingBAr4jNDUVfavPWghiFQztsBGJXox5kjj7Lhh\",\n      \"proofPurpose\": \"assertionMethod\",\n      \"proofValue\": \"z5CHhr58M9wbzN3MaXzaCWskPtyXe2GiCWTFA2s2fEapPVqLjH5DLJqN3rwDqyvp67CQyKjkP58sVANHEmR6DTha5\"\n    }\n  ]\n}\n```\n\n## Update an existing DID\nCurrently, we can't guarantee, that a DID generated without the help of the DID-Toolbox can be updated successfully. 
To keep matters simple, a user needs to supply all the key material (assertion and authentication public keys) that should be contained in the updated version of a DID.\nFor illustration purposes, we will generate a new DID and perform an assertion key rotation by removing the initial assertion key and adding a new one.\n\n```shell\n# Step 1 - Generate a new DID and redirect stdout to v01_did.jsonl file (contains the created DID log)\n$ java -jar didtoolbox.jar create -u https://identifier-reg.trust-infra.swiyu-int.admin.ch/api/v1/did/18fa7c77-9dd1-4e20-a147-fb1bec146085 \u003e v01_did.jsonl\n\n# Step 2 - Rename the generated .didtoolbox folder to make sure the initially generated key material remains accessible\n$ mv .didtoolbox .didtoolbox_keys_v01\n\n# Step 3 - To keep it simple, create a new dummy DID so that we get a new set of key material (we're interested in the assertion key for the sake of this example). No stdout redirect required, since we're only aiming for the key material that will be generated in the .didtoolbox directory.\n$ java -jar didtoolbox.jar create -u https://example.com\n\n# Step 4 - Update the DID from step 1, so that the assert key is rotated to a new one while the previous one is removed. We'll keep the authentication key. 
Redirect stdout to v02_did.jsonl file (contains the updated DID log, now with two versions)\n$ java -jar didtoolbox.jar update -d v01_did.jsonl -s .didtoolbox_keys_v01/id_ed25519 -v .didtoolbox_keys_v01/id_ed25519.pub -a assert-key-02,.didtoolbox/assert-key-01.pub -t auth-key-01,.didtoolbox_keys_v01/auth-key-01.pub \u003e v02_did.jsonl\n# -d to supply the initial DID log file of the DID to be updated (v01_did.jsonl)\n# -s to supply a valid updateKey private keyfile (PEM) required to generate the proof of the new DID log line (.didtoolbox_keys_v01/id_ed25519)\n# -v to supply the matching updateKey public keyfile (PEM) (.didtoolbox_keys_v01/id_ed25519.pub)\n# -a to supply the fragment name and assertion public key that the updated DID should contain (.didtoolbox/assert-key-01.pub)\n# -t to keep the authentication public key (auth-key-01,.didtoolbox_keys_v01/auth-key-01.pub) in the updated DID\n\n```\n\nThe updated DID log file (v02_did.jsonl) should contain two lines, each containing one DID 
version\n\n```\n{\"versionId\":\"1-QmczXqfpHo3bn7Et1CbHRX6XpAvtqvCHbWsrciEpntf3WS\",\"versionTime\":\"2025-09-16T08:33:55Z\",\"parameters\":{\"method\":\"did:webvh:1.0\",\"scid\":\"QmacfmG8oFVFpKheaFMgKXyWpL163m9JUD5Zd2yi8UY8hg\",\"updateKeys\":[\"z6MkjWDPEwWPrvvtrcUvtAvYSF5ovuHvqaA493uuPPdGGS4h\"],\"portable\":false},\"state\":{\"@context\":[\"https://www.w3.org/ns/did/v1\",\"https://w3id.org/security/jwk/v1\"],\"id\":\"did:webvh:QmacfmG8oFVFpKheaFMgKXyWpL163m9JUD5Zd2yi8UY8hg:identifier-reg.trust-infra.swiyu-int.admin.ch:api:v1:did:18fa7c77-9dd1-4e20-a147-fb1bec146085\",\"authentication\":[\"did:webvh:QmacfmG8oFVFpKheaFMgKXyWpL163m9JUD5Zd2yi8UY8hg:identifier-reg.trust-infra.swiyu-int.admin.ch:api:v1:did:18fa7c77-9dd1-4e20-a147-fb1bec146085#auth-key-01\"],\"assertionMethod\":[\"did:webvh:QmacfmG8oFVFpKheaFMgKXyWpL163m9JUD5Zd2yi8UY8hg:identifier-reg.trust-infra.swiyu-int.admin.ch:api:v1:did:18fa7c77-9dd1-4e20-a147-fb1bec146085#assert-key-01\"],\"verificationMethod\":[{\"id\":\"did:webvh:QmacfmG8oFVFpKheaFMgKXyWpL163m9JUD5Zd2yi8UY8hg:identifier-reg.trust-infra.swiyu-int.admin.ch:api:v1:did:18fa7c77-9dd1-4e20-a147-fb1bec146085#auth-key-01\",\"type\":\"JsonWebKey2020\",\"publicKeyJwk\":{\"kty\":\"EC\",\"crv\":\"P-256\",\"x\":\"hmIMtNewEglkDSsVNmQPmkwLKLmZ97Gygoy7fmqlySc\",\"y\":\"G_Bi6AtN8QfJ0P3K0AMsNiLZMacUNjBFD_BDyOG0uNQ\",\"kid\":\"auth-key-01\"}},{\"id\":\"did:webvh:QmacfmG8oFVFpKheaFMgKXyWpL163m9JUD5Zd2yi8UY8hg:identifier-reg.trust-infra.swiyu-int.admin.ch:api:v1:did:18fa7c77-9dd1-4e20-a147-fb1bec146085#assert-key-01\",\"type\":\"JsonWebKey2020\",\"publicKeyJwk\":{\"kty\":\"EC\",\"crv\":\"P-256\",\"x\":\"ge1bBnzmdDtOCv5OXQrnYvudMryuro8VaIOoV4pmTmw\",\"y\":\"Y8fl9USMdlDYZeP_eH9o1z5rnJqe2QKezX4locUf2es\",\"kid\":\"assert-key-01\"}}]},\"proof\":[{\"type\":\"DataIntegrityProof\",\"cryptosuite\":\"eddsa-jcs-2022\",\"created\":\"2025-09-16T08:33:55Z\",\"verificationMethod\":\"did:key:z6MkjWDPEwWPrvvtrcUvtAvYSF5ovuHvqaA493uuPPdGGS4h#z6MkjWDPEwWPrvvtrcUvtAvYSF5ovuHvqaA493u
uPPdGGS4h\",\"proofPurpose\":\"assertionMethod\",\"proofValue\":\"ziGJYAVvWUdevzJBrpeZG97E56bu5Tk3pyN78CymGS3Ttf6a1GdHmC3TPzNNY2CtAttcBZ5WxoNyggMnyMWb8Lm8\"}]}\n{\"versionId\":\"2-QmeqibtMt2LoSW1uvTLJ22pUbRsnM2UPPo2TAm9PDXnbhB\",\"versionTime\":\"2025-09-16T08:34:24Z\",\"parameters\":{},\"state\":{\"@context\":[\"https://www.w3.org/ns/did/v1\",\"https://w3id.org/security/jwk/v1\"],\"id\":\"did:webvh:QmacfmG8oFVFpKheaFMgKXyWpL163m9JUD5Zd2yi8UY8hg:identifier-reg.trust-infra.swiyu-int.admin.ch:api:v1:did:18fa7c77-9dd1-4e20-a147-fb1bec146085\",\"authentication\":[\"did:webvh:QmacfmG8oFVFpKheaFMgKXyWpL163m9JUD5Zd2yi8UY8hg:identifier-reg.trust-infra.swiyu-int.admin.ch:api:v1:did:18fa7c77-9dd1-4e20-a147-fb1bec146085#auth-key-01\"],\"assertionMethod\":[\"did:webvh:QmacfmG8oFVFpKheaFMgKXyWpL163m9JUD5Zd2yi8UY8hg:identifier-reg.trust-infra.swiyu-int.admin.ch:api:v1:did:18fa7c77-9dd1-4e20-a147-fb1bec146085#assert-key-02\"],\"verificationMethod\":[{\"id\":\"did:webvh:QmacfmG8oFVFpKheaFMgKXyWpL163m9JUD5Zd2yi8UY8hg:identifier-reg.trust-infra.swiyu-int.admin.ch:api:v1:did:18fa7c77-9dd1-4e20-a147-fb1bec146085#auth-key-01\",\"type\":\"JsonWebKey2020\",\"publicKeyJwk\":{\"kty\":\"EC\",\"crv\":\"P-256\",\"kid\":\"auth-key-01\",\"x\":\"ge1bBnzmdDtOCv5OXQrnYvudMryuro8VaIOoV4pmTmw\",\"y\":\"Y8fl9USMdlDYZeP_eH9o1z5rnJqe2QKezX4locUf2es\"}},{\"id\":\"did:webvh:QmacfmG8oFVFpKheaFMgKXyWpL163m9JUD5Zd2yi8UY8hg:identifier-reg.trust-infra.swiyu-int.admin.ch:api:v1:did:18fa7c77-9dd1-4e20-a147-fb1bec146085#assert-key-02\",\"type\":\"JsonWebKey2020\",\"publicKeyJwk\":{\"kty\":\"EC\",\"crv\":\"P-256\",\"kid\":\"assert-key-02\",\"x\":\"olUnQEfh8IgyUhqrs6ILzZlwPsxV-aJpeOZQyxvV0mk\",\"y\":\"ndiqwn8wHB2ewgVk5TqpQZu2IiGO0ZylLoHl4M9Otco\"}}]},\"proof\":[{\"type\":\"DataIntegrityProof\",\"cryptosuite\":\"eddsa-jcs-2022\",\"created\":\"2025-09-16T08:34:24Z\",\"verificationMethod\":\"did:key:z6MkjWDPEwWPrvvtrcUvtAvYSF5ovuHvqaA493uuPPdGGS4h#z6MkjWDPEwWPrvvtrcUvtAvYSF5ovuHvqaA493uuPPdGGS4h\",\"proofPurpose\":\"a
ssertionMethod\",\"proofValue\":\"z41PJxWHXsPP5bc5VEReki9voZYiou2wKh9iFq7RbD2eqv6Xy7GSWPbgNp77XbKLQhLxAfq2A1dV2nmFTae7R11Tb\"}]}\n```\n\nPrettified initial version (version 1) of the created DID (line #1 of v02_did.jsonl)\n\n```json\n{\n  \"versionId\": \"1-QmczXqfpHo3bn7Et1CbHRX6XpAvtqvCHbWsrciEpntf3WS\",\n  \"versionTime\": \"2025-09-16T08:33:55Z\",\n  \"parameters\": {\n    \"method\": \"did:webvh:1.0\",\n    \"scid\": \"QmacfmG8oFVFpKheaFMgKXyWpL163m9JUD5Zd2yi8UY8hg\",\n    \"updateKeys\": [\n      \"z6MkjWDPEwWPrvvtrcUvtAvYSF5ovuHvqaA493uuPPdGGS4h\"\n    ],\n    \"portable\": false\n  },\n  \"state\": {\n    \"@context\": [\n      \"https://www.w3.org/ns/did/v1\",\n      \"https://w3id.org/security/jwk/v1\"\n    ],\n    \"id\": \"did:webvh:QmacfmG8oFVFpKheaFMgKXyWpL163m9JUD5Zd2yi8UY8hg:identifier-reg.trust-infra.swiyu-int.admin.ch:api:v1:did:18fa7c77-9dd1-4e20-a147-fb1bec146085\",\n    \"authentication\": [\n      \"did:webvh:QmacfmG8oFVFpKheaFMgKXyWpL163m9JUD5Zd2yi8UY8hg:identifier-reg.trust-infra.swiyu-int.admin.ch:api:v1:did:18fa7c77-9dd1-4e20-a147-fb1bec146085#auth-key-01\"\n    ],\n    \"assertionMethod\": [\n      \"did:webvh:QmacfmG8oFVFpKheaFMgKXyWpL163m9JUD5Zd2yi8UY8hg:identifier-reg.trust-infra.swiyu-int.admin.ch:api:v1:did:18fa7c77-9dd1-4e20-a147-fb1bec146085#assert-key-01\"\n    ],\n    \"verificationMethod\": [\n      {\n        \"id\": \"did:webvh:QmacfmG8oFVFpKheaFMgKXyWpL163m9JUD5Zd2yi8UY8hg:identifier-reg.trust-infra.swiyu-int.admin.ch:api:v1:did:18fa7c77-9dd1-4e20-a147-fb1bec146085#auth-key-01\",\n        \"type\": \"JsonWebKey2020\",\n        \"publicKeyJwk\": {\n          \"kty\": \"EC\",\n          \"crv\": \"P-256\",\n          \"x\": \"hmIMtNewEglkDSsVNmQPmkwLKLmZ97Gygoy7fmqlySc\",\n          \"y\": \"G_Bi6AtN8QfJ0P3K0AMsNiLZMacUNjBFD_BDyOG0uNQ\",\n          \"kid\": \"auth-key-01\"\n        }\n      },\n      {\n        \"id\": 
\"did:webvh:QmacfmG8oFVFpKheaFMgKXyWpL163m9JUD5Zd2yi8UY8hg:identifier-reg.trust-infra.swiyu-int.admin.ch:api:v1:did:18fa7c77-9dd1-4e20-a147-fb1bec146085#assert-key-01\",\n        \"type\": \"JsonWebKey2020\",\n        \"publicKeyJwk\": {\n          \"kty\": \"EC\",\n          \"crv\": \"P-256\",\n          \"x\": \"ge1bBnzmdDtOCv5OXQrnYvudMryuro8VaIOoV4pmTmw\",\n          \"y\": \"Y8fl9USMdlDYZeP_eH9o1z5rnJqe2QKezX4locUf2es\",\n          \"kid\": \"assert-key-01\"\n        }\n      }\n    ]\n  },\n  \"proof\": [\n    {\n      \"type\": \"DataIntegrityProof\",\n      \"cryptosuite\": \"eddsa-jcs-2022\",\n      \"created\": \"2025-09-16T08:33:55Z\",\n      \"verificationMethod\": \"did:key:z6MkjWDPEwWPrvvtrcUvtAvYSF5ovuHvqaA493uuPPdGGS4h#z6MkjWDPEwWPrvvtrcUvtAvYSF5ovuHvqaA493uuPPdGGS4h\",\n      \"proofPurpose\": \"assertionMethod\",\n      \"proofValue\": \"ziGJYAVvWUdevzJBrpeZG97E56bu5Tk3pyN78CymGS3Ttf6a1GdHmC3TPzNNY2CtAttcBZ5WxoNyggMnyMWb8Lm8\"\n    }\n  ]\n}\n```\n\nPrettified version 2 of the DID (line #2 of v02_did.jsonl)\n\n```json\n{\n  \"versionId\": \"2-QmeqibtMt2LoSW1uvTLJ22pUbRsnM2UPPo2TAm9PDXnbhB\",\n  \"versionTime\": \"2025-09-16T08:34:24Z\",\n  \"parameters\": {},\n  \"state\": {\n    \"@context\": [\n      \"https://www.w3.org/ns/did/v1\",\n      \"https://w3id.org/security/jwk/v1\"\n    ],\n    \"id\": \"did:webvh:QmacfmG8oFVFpKheaFMgKXyWpL163m9JUD5Zd2yi8UY8hg:identifier-reg.trust-infra.swiyu-int.admin.ch:api:v1:did:18fa7c77-9dd1-4e20-a147-fb1bec146085\",\n    \"authentication\": [\n      \"did:webvh:QmacfmG8oFVFpKheaFMgKXyWpL163m9JUD5Zd2yi8UY8hg:identifier-reg.trust-infra.swiyu-int.admin.ch:api:v1:did:18fa7c77-9dd1-4e20-a147-fb1bec146085#auth-key-01\"\n    ],\n    \"assertionMethod\": [\n      \"did:webvh:QmacfmG8oFVFpKheaFMgKXyWpL163m9JUD5Zd2yi8UY8hg:identifier-reg.trust-infra.swiyu-int.admin.ch:api:v1:did:18fa7c77-9dd1-4e20-a147-fb1bec146085#assert-key-02\"\n    ],\n    \"verificationMethod\": [\n      {\n        \"id\": 
\"did:webvh:QmacfmG8oFVFpKheaFMgKXyWpL163m9JUD5Zd2yi8UY8hg:identifier-reg.trust-infra.swiyu-int.admin.ch:api:v1:did:18fa7c77-9dd1-4e20-a147-fb1bec146085#auth-key-01\",\n        \"type\": \"JsonWebKey2020\",\n        \"publicKeyJwk\": {\n          \"kty\": \"EC\",\n          \"crv\": \"P-256\",\n          \"kid\": \"auth-key-01\",\n          \"x\": \"ge1bBnzmdDtOCv5OXQrnYvudMryuro8VaIOoV4pmTmw\",\n          \"y\": \"Y8fl9USMdlDYZeP_eH9o1z5rnJqe2QKezX4locUf2es\"\n        }\n      },\n      {\n        \"id\": \"did:webvh:QmacfmG8oFVFpKheaFMgKXyWpL163m9JUD5Zd2yi8UY8hg:identifier-reg.trust-infra.swiyu-int.admin.ch:api:v1:did:18fa7c77-9dd1-4e20-a147-fb1bec146085#assert-key-02\",\n        \"type\": \"JsonWebKey2020\",\n        \"publicKeyJwk\": {\n          \"kty\": \"EC\",\n          \"crv\": \"P-256\",\n          \"kid\": \"assert-key-02\",\n          \"x\": \"olUnQEfh8IgyUhqrs6ILzZlwPsxV-aJpeOZQyxvV0mk\",\n          \"y\": \"ndiqwn8wHB2ewgVk5TqpQZu2IiGO0ZylLoHl4M9Otco\"\n        }\n      }\n    ]\n  },\n  \"proof\": [\n    {\n      \"type\": \"DataIntegrityProof\",\n      \"cryptosuite\": \"eddsa-jcs-2022\",\n      \"created\": \"2025-09-16T08:34:24Z\",\n      \"verificationMethod\": \"did:key:z6MkjWDPEwWPrvvtrcUvtAvYSF5ovuHvqaA493uuPPdGGS4h#z6MkjWDPEwWPrvvtrcUvtAvYSF5ovuHvqaA493uuPPdGGS4h\",\n      \"proofPurpose\": \"assertionMethod\",\n      \"proofValue\": \"z41PJxWHXsPP5bc5VEReki9voZYiou2wKh9iFq7RbD2eqv6Xy7GSWPbgNp77XbKLQhLxAfq2A1dV2nmFTae7R11Tb\"\n    }\n  ]\n}\n```\n\n## Proof of Possession (PoP)\n\nThe DID-Toolbox also offers various other options not closely related to DID. 
One of those is the possibility to generate\na [Proof-of-Possession (PoP)](https://www.rfc-editor.org/rfc/rfc7800.html) using the very same Ed25519 signing/verifying key pair used while creating/updating DID logs.\n\nA PoP is nothing but a [JSON Web Token (JWT)](https://www.rfc-editor.org/rfc/rfc7519), signed cryptographically to ensure authenticity.\nSuch a JWT can declare that the _presenter_ of the JWT possesses a particular proof-of-possession (PoP) key.\nIn addition, the _recipient_ would consequently be able to cryptographically confirm proof of possession of the key \nby the _presenter_. Being able to prove possession of a key is also sometimes described as the _presenter_ being a _holder-of-key_.\n\n### PoP Creation\n\nTo create a PoP using the DID-Toolbox, the very same Ed25519 signing key used for DID creation/update is required, alongside a \n_possession_ ([nonce](https://datatracker.ietf.org/doc/html/rfc7800#section-3.6)), as illustrated by the following script:\n\n```shell\n# Create quickstart to generate an initial DID log along with the required signing/verifying key pair\nrm -fr .didtoolbox\njava -jar didtoolbox.jar create -u https://example.com -f \u003e did.jsonl\n# The previous command should also have generated an Ed25519 key pair: .didtoolbox/id_ed25519 (private) and .didtoolbox/id_ed25519.pub (public)\n\n# Create proof of possession JWT and store it for later\njava -jar didtoolbox.jar create-pop -s .didtoolbox/id_ed25519 -v .didtoolbox/id_ed25519.pub -n \"Your Nonce\" \u003e jwt\n```\n\nThe result is a valid JWT that looks like this:\n\n```\neyJraWQiOiJkaWQ6a2V5Ono2TWt0ZEFyM2lVUmVVN0hzQ2Y3Sm5vQ2pRNXVycEtUeFpTQzQ5S25qRVZzQTVDQSN6Nk1rdGRBcjNpVVJlVTdIc0NmN0pub0NqUTV1cnBLVHhaU0M0OUtuakVWc0E1Q0EiLCJhbGciOiJFZDI1NTE5In0.eyJleHAiOjE3NTM4NjUyNjcsIm5vbmNlIjoiWW91ciBOb25jZSJ9.Kn5o175IDYBjR8Vw_DId5DkaScildD9sVFg7ear9ujAfYQCsxGbqlaNTO2leg-NA9mDY5q_07YbodcJvhaGADQ\n```\n\nTo decode the information contained within such a JWT, [JWT.io](https://www.jwt.io/) can be 
used:\n\n```json lines\n{\n  \"kid\": \"did:key:z6MktdAr3iUReU7HsCf7JnoCjQ5urpKTxZSC49KnjEVsA5CA#z6MktdAr3iUReU7HsCf7JnoCjQ5urpKTxZSC49KnjEVsA5CA\",\n  \"alg\": \"Ed25519\"\n}\n{\n  \"exp\": 1753865267,\n  \"nonce\": \"Your Nonce\"\n}\n```\n\nBasically, any PoP JWT features quite a few (header/payload) claims, all of them being essential in the process of PoP verification.  \n\n### PoP Verification\n\nA proof of possession can claim ownership over anything. For it to matter, it first needs to be verified. \n\n```shell\n# Create quickstart to generate an initial DID log along with the required signing/verifying key pair\nrm -fr .didtoolbox\njava -jar didtoolbox.jar create -u https://example.com -f \u003e did.jsonl\n# The previous command should also have generated an Ed25519 key pair: .didtoolbox/id_ed25519 (private) and .didtoolbox/id_ed25519.pub (public)\n\n# Create proof of possession JWT and store it for later\njava -jar didtoolbox.jar create-pop -s .didtoolbox/id_ed25519 -v .didtoolbox/id_ed25519.pub -n \"Your Nonce\" \u003e jwt\n\n# Verify the created proof\njava -jar didtoolbox.jar verify-pop -d did.jsonl -n \"Your Nonce\" -j \"$(cat jwt)\"\n# the previous command should produce output like:\n# Provided JWT is valid.\n```\n\n## Advanced Usage\n\n### DID Creation\n\nFor more control over the DID creation process, you can use specific CLI options to supply your own key material. This repository includes some keys intended for testing purposes. 
You can use them as follows (**DON'T use DIDs created with those keys, this is only for educational purposes**):\n\n```shell\n$ java -jar didtoolbox.jar create \\\n    -a my-assert-key-01,src/test/data/assert-key-01.pub \\\n    -t my-auth-key-01,src/test/data/auth-key-01.pub \\\n    -u https://domain.com/path1/path2 \\\n    -j src/test/data/mykeystore.jks \\\n    --jks-password changeit \\\n    --jks-alias myalias\n```\n\nAlternatively, besides Java KeyStore (PKCS #12), the PEM format of the signing/verifying key is also supported:\n\n```shell\n$ java -jar didtoolbox.jar create \\\n    -a my-assert-key-01,src/test/data/assert-key-01.pub \\\n    -t my-auth-key-01,src/test/data/auth-key-01.pub \\\n    -u https://domain.com/path1/path2 \\\n    -s src/test/data/private.pem \\\n    -v src/test/data/public.pem\n```\n\n### DID Update\n\nOnce a newly created `did.jsonl` file is available, you may use the `update` subcommand at any point to **completely**\nreplace the existing [verification material](https://www.w3.org/TR/did-core/#verification-material) in the DID document:\n\n```shell\njava -jar didtoolbox.jar create \\\n    -u https://identifier-reg.trust-infra.swiyu-int.admin.ch/api/v1/did18fa7c77-9dd1-4e20-a147-fb1bec146085 \u003e /tmp/my-did.jsonl\n\n# bear in mind, the command above will store the generated (auth/assert) keys in the .didtoolbox directory\n\njava -jar didtoolbox.jar update \\\n    -d /tmp/my-did.jsonl \\\n    -a my-assert-key-01,.didtoolbox/assert-key-01.pub \\\n    -t my-auth-key-01,.didtoolbox/auth-key-01.pub \\\n    -s .didtoolbox/id_ed25519 \\\n    -v .didtoolbox/id_ed25519.pub \u003e /tmp/did-2.jsonl\n```\n\n### DID Deactivation (Revoke)\n\nOnce a created `did.jsonl` file is available, you may also use the `deactivate` subcommand at any point to \n[**deactivate (revoke)**](https://identity.foundation/didwebvh/v0.3/#deactivate-revoke) this DID:\n\n```shell\njava -jar 
didtoolbox.jar create \\\n    -u https://identifier-reg.trust-infra.swiyu-int.admin.ch/api/v1/did18fa7c77-9dd1-4e20-a147-fb1bec146085 \u003e /tmp/my-did.jsonl\n\n# bear in mind, the command above will store the generated (auth/assert) keys in the .didtoolbox directory\n\njava -jar didtoolbox.jar deactivate \\\n    -d /tmp/my-did.jsonl \\\n    -s .didtoolbox/id_ed25519 \u003e /tmp/my-did-deactivated.jsonl\n```\n\nThe _deactivated_ DID log file should now contain another DID log entry denoting deactivation (via DID parameter `{\"deactivated\":true}`) and featuring no key material whatsoever: \n\n```json\n{\"versionId\":\"2-QmQ789n4M1GJNmqJrZc5mh31A6qTWQhGvXBswThav1cEoS\",\"versionTime\":\"2025-09-16T08:38:57Z\",\"parameters\":{\"deactivated\":true,\"updateKeys\":[]},\"state\":{\"@context\":[\"https://www.w3.org/ns/did/v1\",\"https://w3id.org/security/jwk/v1\"],\"id\":\"did:webvh:QmawSKWDN3LNMMokezM1jwGFeZzroSnuayx4mGmS7WTtiP:identifier-reg.trust-infra.swiyu-int.admin.ch:api:v1:did18fa7c77-9dd1-4e20-a147-fb1bec146085\"},\"proof\":[{\"type\":\"DataIntegrityProof\",\"cryptosuite\":\"eddsa-jcs-2022\",\"created\":\"2025-09-16T08:38:57Z\",\"verificationMethod\":\"did:key:z6Mkr4vcVTZGzinKrfRQisUAa79rCSFrBG5qzf2QatPaZ9Ag#z6Mkr4vcVTZGzinKrfRQisUAa79rCSFrBG5qzf2QatPaZ9Ag\",\"proofPurpose\":\"assertionMethod\",\"proofValue\":\"z67KCC9BQzLebaJYQZgNbyKLrGZf7Hpt1Th8pXUTbaFRiJj2nBFwNEqiUadXxpAVw2My9GZp2EhDhKH67PHgHaA6Y\"}]}\n```\n\n### Key Rotation with Pre-Rotation\n\nThe DID Toolbox also supports a [_post-quantum safe_](https://didwebvh.info/latest/implementers-guide/prerotation-keys/#post-quantum-attacks)\ntechnique called [Key Rotation with Pre-Rotation](https://didwebvh.info/latest/implementers-guide/prerotation-keys).\nHere is a short script illustrating it:\n\n```shell\n# optionally, get the latest version of DID Toolbox (replace \u003cVERSION\u003e with any of available versions released after 1.6.0)\n# wget 
https://repo1.maven.org/maven2/io/github/swiyu-admin-ch/didtoolbox/\u003cVERSION\u003e/didtoolbox-\u003cVERSION\u003e-jar-with-dependencies.jar -O didtoolbox.jar\nalias didtoolbox='java -jar didtoolbox.jar'\n\n# generate couple of pre-rotation keys\nrm -fr .didtoolbox*\nfor i in {1..5}; do didtoolbox create -f -m did:webvh:1.0 -u https://domain.com/path1/path2 \u0026\u003e /dev/null; mv .didtoolbox .didtoolbox$(printf \"%03d\" $((i))); done\n\n# initial DID log with a key to be used for pre-rotation \ndidtoolbox create -f -m did:webvh:1.0 \\\n    -u https://domain.com/path1/path2 \\\n    -w .didtoolbox001/id_ed25519.pub \u003e did001.jsonl\n\n# add more DID log entries featuring previously generated pre-rotation keys\nfor i in {1..5}; do didtoolbox update \\\n    -d did$(printf \"%03d\" $((i))).jsonl \\\n    -a my-assert-key-01,.didtoolbox/assert-key-01.pub \\\n    -t my-auth-key-01,.didtoolbox/auth-key-01.pub \\\n    -s .didtoolbox$(printf \"%03d\" $((i)))/id_ed25519 \\\n    -v .didtoolbox$(printf \"%03d\" $((i)))/id_ed25519.pub \\\n    -w .didtoolbox$(printf \"%03d\" $((i+1)))/id_ed25519.pub \u003e did$(printf \"%03d\" $((i+1))).jsonl; done\n\n# checkpoint (print only the pre-rotation keys inside the DID log)\ncat did005.jsonl | jq -c '.|.parameters'\n\n# the command above should produce the following output:\n#\n# {\"method\":\"did:webvh:1.0\",\"scid\":\"QmPQ6QpZ34T2FUN4Qoav4w1UXqRHPEr74Ecthu8Ve1ek3r\",\"updateKeys\":[\"z6MktAwYMZ2DPFwNP9JpJYvZg7DGvUc3rQqoPWVRai8ujUkC\"],\"nextKeyHashes\":[\"Qmcv4wvjmDbowp6ziKanyEnNxwfRGf8gQ7UZXAmAgwSXg2\"],\"portable\":false}\n# {\"nextKeyHashes\":[\"QmXa2irGDLZP2WFiQCSAmuRWpCQVKbKb3NwgUB3EUwFef1\"],\"updateKeys\":[\"z6MkowukYWPGu3y8pVTskco8ziTMnS4U7tVPKkWv1fAd4XS5\"]}\n# {\"nextKeyHashes\":[\"QmaiT2EVB9WZcYae9QS94agPhE5isd96xGe8TMyjbRcinm\"],\"updateKeys\":[\"z6Mki8rv7cMRZ5jiLtGgfbuRvknwfUZbJFjE8SApikXixvVv\"]}\n# 
{\"nextKeyHashes\":[\"QmZbAEQCaBLYxWz6eWMQas8nfKa3vXhRoMVQD2o35RDZm2\"],\"updateKeys\":[\"z6Mko41raveKqxPg5gUzv2g7Gk9a9rmCNXNn5MCKsQECFQ5E\"]}\n# {\"nextKeyHashes\":[\"QmPjawyNkfnZqNomHMct8zE1QHiqfPPUGfbYyerNuXRxXo\"],\"updateKeys\":[\"z6MkkPDkNqJ2CmVB89gPyJNhC5GJ2PfiPqtLsWvMHUyHS1L5\"]}\n```\n\n## The DID Toolbox (Java) API\n\nThe sole bedrock of DID Toolbox (Java) API are the classes residing in the `ch.admin.bj.swiyu.didtoolbox.context` package:\n* [DidLogCreatorContext](src/main/java/ch/admin/bj/swiyu/didtoolbox/context/DidLogCreatorContext.java)\n* [DidLogUpdaterContext](src/main/java/ch/admin/bj/swiyu/didtoolbox/context/DidLogUpdaterContext.java)\n* [DidLogDeactivatorContext](src/main/java/ch/admin/bj/swiyu/didtoolbox/context/DidLogDeactivatorContext.java)\n\n![didtoolbox-classes-only](src/main/plantuml/didtoolbox-api-classes-only.svg)\n\nEach of these complementary classes are in charge of DID log manipulation in specification-agnostic fashion\ni.e. regardless of DID method specification, whereas currently supported are only `did:tdw:0.3` (legacy) and `did:webvh:1.0` (final).\nBy relying fully on the [Builder (creational) Design Pattern](https://en.wikipedia.org/wiki/Builder_pattern), thus making heavy use of\n[fluent design](https://en.wikipedia.org/wiki/Fluent_interface), these classes are intended to be instantiated exclusively\nvia their static `builder()` methods. 
The relevant Java documentation also features some typical usage examples.\n\nFor further details, please see the relevant [PlantUML diagrams](src/main/plantuml/README.md).\n\nTo [configure Apache Maven](https://central.sonatype.org/consume/consume-apache-maven/) to consume a published package from\n[Maven Central Repository](https://repo1.maven.org/maven2/ch/admin/swiyu/didtoolbox),\nedit your `pom.xml` file to include the following entry in the `dependencies` section:\n\n```xml\n\u003cdependency\u003e\n    \u003cgroupId\u003ech.admin.swiyu\u003c/groupId\u003e\n    \u003cartifactId\u003edidtoolbox\u003c/artifactId\u003e\n    \u003c!--version\u003e[ANY_AVAILABLE_VERSION]\u003c/version--\u003e\n\u003c/dependency\u003e\n```\n\nTo [configure Gradle](https://central.sonatype.org/consume/consume-gradle/) to consume a published package from\n[Maven Central Repository](https://repo1.maven.org/maven2/ch/admin/swiyu/didtoolbox),\nadd the following entry to the `dependencies` section in your `build.gradle.kts` (Kotlin DSL) file:\n\n```kotlin\nimplementation(\"ch.admin.swiyu:didtoolbox:[ANY_AVAILABLE_VERSION]\")\n```\n\nVarious indicative code examples of using the (Java) API are available in the [examples](examples) directory.\n\n## Additional Information\n- **Output Directory**: When creating new DIDs, the `.didtoolbox` directory is automatically created in the current working directory. Ensure you have the necessary permissions to create and write to this directory.\n- **Multiple DIDs**: If you create multiple DIDs, please make sure to rename the `.didtoolbox` directory (or move/rename the files) after each creation run. The DID-Toolbox will prevent you from overwriting existing key pairs by accident and abort with an error.\n- **Security**: Keep your private keys secure. Do not share them or expose them in unsecured environments.\n- **Credentials file (e.g. 
in case of using Securosys Primus HSM):** Keep such files safely stored on the file system.\nAlternatively, you may also fall back to a system user environment, instead.\n\n## Missing Features and Known Issues\n\nThe swiyu Public Beta Trust Infrastructure was deliberately released at an early stage to enable future ecosystem participants. The [feature roadmap](https://github.com/orgs/swiyu-admin-ch/projects/1/views/7) shows the current discrepancies between Public Beta and the targeted productive Trust Infrastructure. There may still be minor bugs or security vulnerabilities in the test system. These are marked as [‘KnownIssues’](https://github.com/swiyu-admin-ch/didtoolbox-java/issues) in each repository.\n\n## Contributions and feedback\n\nWe welcome any feedback on the code regarding both the implementation and security aspects. Please follow the guidelines for contributing found in [CONTRIBUTING](./CONTRIBUTING.md).\n\n## License\n\nThis project is licensed under the terms of the MIT license. See the [LICENSE](LICENSE) file for details.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fswiyu-admin-ch%2Fdidtoolbox-java","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fswiyu-admin-ch%2Fdidtoolbox-java","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fswiyu-admin-ch%2Fdidtoolbox-java/lists"}