# DID Creation and Registration Flow
# @author Matthew Raymer
# This script implements the creation and registration of Decentralized Identifiers (DIDs)
# with the endorser.ch service. It matches the Python and TypeScript implementations.
# Flow:
# 1. Generate or load mnemonic seed phrase
# 2. Derive Ethereum keys and address
# 3. Create DID identifier
# 4. Initialize account
# 5. Create signed JWT
# 6. Register DID with endorser service
# Constants
# Create temporary directory for operations
TMPDIR=$(mktemp -d)
trap 'rm -rf "$TMPDIR"' EXIT
initialize_account() {
# Generate or load mnemonic
if [ ! -f "mnemonic.txt" ]; then
# Generate entropy and convert to hex
openssl rand -hex 32 > mnemonic.txt
# Read entropy
ENTROPY=$(cat mnemonic.txt)
# Create temporary directory for key operations
TMPDIR=$(mktemp -d)
trap 'rm -rf "$TMPDIR"' EXIT
# Generate secp256k1 private key
openssl ecparam -name secp256k1 -genkey -noout -out "$TMPDIR/private.pem"
# Extract private key in hex format
PRIVATE_KEY=$(openssl ec -in "$TMPDIR/private.pem" -text -noout 2>/dev/null |
grep priv -A 3 | tail -n +2 | tr -d '\n[:space:]:' | cut -c3-)
# Generate public key and address
PUBLIC_KEY=$(openssl ec -in "$TMPDIR/private.pem" -pubout -outform DER 2>/dev/null |
tail -c 65 | xxd -p -c 65)
# Generate Ethereum address (last 20 bytes of keccak256 of public key)
ADDRESS=$(echo -n "$PUBLIC_KEY" | xxd -r -p |
openssl dgst -sha3-256 -binary |
tail -c 20 | xxd -p)
# Create identity JSON
"did": "did:ethr:0x${ADDRESS}",
"keys": [{
"id": "did:ethr:0x${ADDRESS}#keys-1",
"type": "Secp256k1VerificationKey2018",
"controller": "did:ethr:0x${ADDRESS}",
"ethereumAddress": "0x${ADDRESS}",
"publicKeyHex": "${PUBLIC_KEY}",
"privateKeyHex": "${PRIVATE_KEY}"
"services": []
echo "Account initialized:"
echo "$IDENTITY" | jq .
# Export for other functions
create_endorser_jwt() {
local did="$1"
local private_key="$2"
local payload="$3"
local sub_did="$4"
# Create JWT header and payload
local now=$(date +%s)
local exp=$((now + 3600))
local header='{"typ":"JWT","alg":"ES256K"}'
local jwt_payload=$(echo "$payload" | jq --arg iss "$did" \
--arg iat "$now" \
--arg exp "$exp" \
'. + {iss: $iss, iat: ($iat|tonumber), exp: ($exp|tonumber)}')
# Base64URL encode header and payload
local header_b64=$(echo -n "$header" | base64 -w 0 | tr '/+' '_-' | tr -d '=')
local payload_b64=$(echo -n "$jwt_payload" | base64 -w 0 | tr '/+' '_-' | tr -d '=')
local message="$header_b64.$payload_b64"
# Sign using Python eth_keys (matching TypeScript ES256K implementation)
local signature=$(python3 -c "
from eth_keys import keys
import hashlib
import base64
private_key_bytes = bytes.fromhex('$private_key')
private_key = keys.PrivateKey(private_key_bytes)
message_hash = hashlib.sha256('$message'.encode()).digest()
signature = private_key.sign_msg_hash(message_hash)
signature_bytes = signature.r.to_bytes(32, 'big') + signature.s.to_bytes(32, 'big')
echo "$message.$signature"
register() {
local active_did="$1"
echo "Endorser DID: $ENDORSER_DID"
echo "Active DID: $active_did"
# Create registration claim
local vc_payload=$(cat <<EOF
"vc": {
"@context": ["https://www.w3.org/2018/credentials/v1"],
"type": ["VerifiableCredential"],
"credentialSubject": {
"@context": "https://schema.org",
"@type": "RegisterAction",
"agent": {
"identifier": "$ENDORSER_DID"
"participant": {
"identifier": "$active_did"
"object": "endorser.ch",
"endTime": $(( $(date +%s) + 7*24*60*60 ))
echo "Registration Claim:"
echo "$vc_payload" | jq .
# Create and sign JWT
local jwt_token=$(create_endorser_jwt "$ENDORSER_DID" "$ENDORSER_PRIVATE_KEY" "$vc_payload" "$active_did")
echo "Generated JWT:"
echo "$jwt_token"
# Submit registration
local response=$(curl -s -X POST "$API_SERVER/api/v2/claim" \
-H "Content-Type: application/json" \
-d "{\"jwtEncoded\": \"$jwt_token\"}")
echo "Registration response:"
echo "$response" | jq .
main() {
# Extract DID and private key from identity
local active_did=$(echo "$IDENTITY" | jq -r .did)
local private_key=$(echo "$IDENTITY" | jq -r .keys[0].privateKeyHex)
# Register DID
register "$active_did"
main "$@"