npm - @animo-id/eudi-wallet-functionality - Versions diffs - 0.0.0-alpha-20250604122408 → 0.0.0-alpha-20260108162340 - Mend

@animo-id/eudi-wallet-functionality 0.0.0-alpha-20250604122408 → 0.0.0-alpha-20260108162340

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/index.mjs CHANGED Viewed

@@ -1,207 +1,409 @@
-// src/verifyOpenid4VpAuthorizationRequest.ts
-import { JwsService, Jwt, X509Certificate } from "@credo-ts/core";
-import z from "zod";
+import z$1, { z } from "zod";
+import { JwsService, Jwt, X509Certificate, equalsIgnoreOrder, equalsWithOrder } from "@credo-ts/core";
-// src/isDcqlQueryEqualOrSubset.ts
-import { equalsIgnoreOrder, equalsWithOrder } from "@credo-ts/core";
+//#region src/error.ts
+var EudiWalletExtensionsError = class EudiWalletExtensionsError extends Error {
+	constructor(message) {
+		super(message);
+		this.name = "EudiWalletExtensionsError";
+		if (Error.captureStackTrace) Error.captureStackTrace(this, EudiWalletExtensionsError);
+	}
+};
+var Ts12IntegrityError = class Ts12IntegrityError extends EudiWalletExtensionsError {
+	constructor(uri, integrity) {
+		super(`Invalid integrity for ${uri}, expected ${integrity}`);
+		this.name = "Ts12IntegrityError";
+		if (Error.captureStackTrace) Error.captureStackTrace(this, Ts12IntegrityError);
+	}
+};
+//#endregion
+//#region src/validation/z-sca-attestation-ext.ts
+const zScaTransactionDataTypeClaims = z.array(z.object({
+	path: z.array(z.string()),
+	visualisation: z.union([
+		z.literal(1),
+		z.literal(2),
+		z.literal(3),
+		z.literal(4)
+	]).default(3),
+	display: z.array(z.object({
+		name: z.string(),
+		locale: z.string().optional(),
+		logo: z.string().optional()
+	})).min(1)
+}));
+const zScaTransactionDataTypeUiLabels = z.object({
+	affirmative_action_label: z.array(z.object({
+		lang: z.string(),
+		value: z.string().max(30)
+	})).min(1),
+	denial_action_label: z.array(z.object({
+		lang: z.string(),
+		value: z.string().max(30)
+	})).min(1).optional(),
+	transaction_title: z.array(z.object({
+		lang: z.string(),
+		value: z.string().max(50)
+	})).min(1).optional(),
+	security_hint: z.array(z.object({
+		lang: z.string(),
+		value: z.string().max(250)
+	})).min(1).optional()
+}).catchall(z.array(z.object({
+	lang: z.string(),
+	value: z.string()
+})));
+/**
+* @name zScaAttestationExt
+* @version EUDI TS12 v1.0 (05 December 2025)
+* @description Defines metadata for SCA Attestations, including transaction types and UI localization.
+* @see [EUDI TS12, Section 3] for VC Type Metadata requirements.
+* @see [EUDI TS12, Section 4.1] for Metadata structure.
+*/
+const zScaAttestationExt = z.object({
+	category: z.string().optional(),
+	transaction_data_types: z.record(z.string().describe("Transaction Type URI (e.g., urn:eudi:sca:payment:1). Must be collision resistant."), z.intersection(z.union([z.object({ schema: z.string() }), z.object({
+		schema_uri: z.url(),
+		"schema_uri#integrity": z.string().optional()
+	})]), z.intersection(z.union([z.object({ claims: zScaTransactionDataTypeClaims }), z.object({
+		claims_uri: z.url(),
+		"claims_uri#integrity": z.string().optional()
+	})]), z.union([z.object({ ui_labels: zScaTransactionDataTypeUiLabels }), z.object({
+		ui_labels_uri: z.string().url(),
+		"ui_labels_uri#integrity": z.string().optional()
+	})]))))
+});
+//#endregion
+//#region src/validation/z-transaction-data-common.ts
+/**
+* **OpenID4VP Common Fields**
+* Fields required by the transport protocol.
+*/
+const zBaseTransaction = z.object({
+	type: z.string(),
+	credential_ids: z.tuple([z.string()]).rest(z.string()),
+	transaction_data_hashes_alg: z.tuple([z.string()]).rest(z.string()).optional()
+});
+//#endregion
+//#region src/validation/z-transaction-data-funke.ts
+/**
+* **Funke (German) QES Authorization Data**
+* * Profile used by the SPRIND/Bundesdruckerei EUDI Wallet.
+* * This type bridges OpenID4VP with ETSI TS 119 432 (Remote Signing).
+* * @see German National EUDI Wallet Architecture (Appendix 07)
+*/
+const zFunkeQesTransaction = zBaseTransaction.extend({
+	signatureQualifier: z.enum(["eu_eidas_qes", "eu_eidas_aes"]).describe("eu_eidas_qes (Qualified) or eu_eidas_aes (Advanced)"),
+	documentDigests: z.array(z.object({
+		label: z.string().describe("Filename (e.g. 'Contract.pdf')"),
+		hash: z.string().describe("Base64 encoded hash"),
+		hashAlgorithmOID: z.string().optional().describe("OID of the hash algorithm")
+	})).min(1)
+});
+//#endregion
+//#region src/validation/z-transaction-data-ts12.ts
+/**
+* **TS12 Payment Payload**
+* * The business data strictly defined for Payments.
+* * @see EUDI TS12 Section 4.3.1 "Payment Confirmation"
+*/
+const zPaymentPayload = z.object({
+	transaction_id: z.string().min(1).max(36).describe("Unique identifier of the Relying Party's interaction"),
+	date_time: z.iso.datetime().optional(),
+	payee: z.object({
+		name: z.string(),
+		id: z.string(),
+		logo: z.url().optional(),
+		website: z.url().optional()
+	}),
+	currency: z.string().regex(/^[A-Z]{3}$/),
+	amount: z.number(),
+	amount_estimated: z.boolean().optional(),
+	amount_earmarked: z.boolean().optional(),
+	sct_inst: z.boolean().optional(),
+	pisp: z.object({
+		legal_name: z.string(),
+		brand_name: z.string(),
+		domain_name: z.string()
+	}).optional(),
+	execution_date: z.iso.datetime().optional().refine((date) => {
+		if (!date) return true;
+		return new Date(date) >= /* @__PURE__ */ new Date();
+	}, { message: "Execution date must not be in the past" }),
+	recurrence: z.object({
+		start_date: z.iso.datetime().optional(),
+		end_date: z.iso.datetime().optional(),
+		number: z.number().int().optional(),
+		frequency: z.enum([
+			"INDA",
+			"DAIL",
+			"WEEK",
+			"TOWK",
+			"TWMN",
+			"MNTH",
+			"TOMN",
+			"QUTR",
+			"FOMN",
+			"SEMI",
+			"YEAR",
+			"TYEA"
+		]),
+		mit_options: z.object({
+			amount_variable: z.boolean().optional(),
+			min_amount: z.number().optional(),
+			max_amount: z.number().optional(),
+			total_amount: z.number().optional(),
+			initial_amount: z.number().optional(),
+			initial_amount_number: z.number().int().optional(),
+			apr: z.number().optional()
+		}).optional()
+	}).optional()
+}).refine((data) => !(data.recurrence && data.execution_date), {
+	message: "Execution date must not be present when recurrence is present",
+	path: ["execution_date"]
+});
+/**
+* **TS12 Login / Risk Payload**
+* * @see EUDI TS12 Section 4.3.2
+*/
+const zLoginPayload = z.object({
+	transaction_id: z.string().min(1).max(36),
+	date_time: z.iso.datetime().optional(),
+	service: z.string().max(100).optional(),
+	action: z.string().max(140).describe("Description of the action to be authorized")
+});
+/**
+* **TS12 Account Access Payload**
+* * @see EUDI TS12 Section 4.3.3
+*/
+const zAccountAccessPayload = z.object({
+	transaction_id: z.string().min(1).max(36),
+	date_time: z.iso.datetime().optional(),
+	aisp: z.object({
+		legal_name: z.string(),
+		brand_name: z.string(),
+		domain_name: z.string()
+	}).optional(),
+	description: z.string().max(140).optional()
+});
+/**
+* **TS12 E-Mandate Payload**
+* * @see EUDI TS12 Section 4.3.4
+*/
+const zEMandatePayload = z.object({
+	transaction_id: z.string().min(1).max(36),
+	date_time: z.iso.datetime().optional(),
+	start_date: z.iso.datetime().optional(),
+	end_date: z.iso.datetime().optional(),
+	reference_number: z.string().min(1).max(50).optional(),
+	creditor_id: z.string().min(1).max(50).optional(),
+	purpose: z.string().max(1e3).optional(),
+	payment_payload: zPaymentPayload.optional()
+}).refine((data) => data.payment_payload || data.purpose, {
+	message: "Purpose is required if payment_payload is missing",
+	path: ["purpose"]
+});
+const URN_SCA_PAYMENT = "urn:eudi:sca:payment:1";
+const URN_SCA_LOGIN_RISK = "urn:eudi:sca:login_risk_transaction:1";
+const URN_SCA_ACCOUNT_ACCESS = "urn:eudi:sca:account_access:1";
+const URN_SCA_EMANDATE = "urn:eudi:sca:emandate:1";
+/**
+* **TS12 Transaction**
+* @see TS12 Section 4.3
+*/
+const zTs12Transaction = zBaseTransaction.extend({ payload: z.union([
+	zPaymentPayload,
+	zLoginPayload,
+	zAccountAccessPayload,
+	zEMandatePayload,
+	z.unknown()
+]) });
+//#endregion
+//#region src/validation/z-transaction-data.ts
+const zTransactionDataEntry = zTs12Transaction.or(zFunkeQesTransaction);
+const zTransactionData = z.array(zTransactionDataEntry);
+const ts12BuiltinSchemaValidators = {
+	[URN_SCA_PAYMENT]: zPaymentPayload,
+	[URN_SCA_LOGIN_RISK]: zLoginPayload,
+	[URN_SCA_ACCOUNT_ACCESS]: zAccountAccessPayload,
+	[URN_SCA_EMANDATE]: zEMandatePayload
+};
+//#endregion
+//#region src/validation/ts12.ts
+async function fetchVerified(uri, schema, integrity, validateIntegrity) {
+	const response = await fetch(uri);
+	if (!response.ok) throw new Error(`Failed to fetch URI: ${uri}`);
+	if (integrity && validateIntegrity && !validateIntegrity(await response.clone().arrayBuffer(), integrity)) throw new Ts12IntegrityError(uri, integrity);
+	return schema.parse(await response.json());
+}
+async function resolveTs12TransactionDisplayMetadata(metadata, type, validateIntegrity) {
+	if (!metadata.transaction_data_types || !metadata.transaction_data_types[type]) return;
+	const typeMetadata = metadata.transaction_data_types[type];
+	const resolved = {};
+	if ("schema" in typeMetadata && typeMetadata.schema) {
+		if (!(typeMetadata.schema in ts12BuiltinSchemaValidators)) throw new Error(`unknown builtin schema: ${typeMetadata.schema}`);
+		resolved.schema = typeMetadata.schema;
+	} else if ("schema_uri" in typeMetadata && typeMetadata.schema_uri) resolved.schema = await fetchVerified(typeMetadata.schema_uri, z.object({}), typeMetadata["schema_uri#integrity"], validateIntegrity);
+	else throw new Error(`Unknown schema type for ${typeMetadata}`);
+	if ("claims" in typeMetadata && typeMetadata.claims) resolved.claims = typeMetadata.claims;
+	else if ("claims_uri" in typeMetadata && typeMetadata.claims_uri) resolved.claims = await fetchVerified(typeMetadata.claims_uri, zScaTransactionDataTypeClaims, typeMetadata["claims_uri#integrity"], validateIntegrity);
+	else throw new Error(`Unknown claims for ${typeMetadata}`);
+	if ("ui_labels" in typeMetadata && typeMetadata.ui_labels) resolved.ui_labels = typeMetadata.ui_labels;
+	else if ("ui_labels_uri" in typeMetadata && typeMetadata.ui_labels_uri) resolved.ui_labels = await fetchVerified(typeMetadata.ui_labels_uri, zScaTransactionDataTypeUiLabels, typeMetadata["ui_labels_uri#integrity"], validateIntegrity);
+	else throw new Error(`Unknown ui_labels for ${typeMetadata}`);
+	return resolved;
+}
+//#endregion
+//#region src/isDcqlQueryEqualOrSubset.ts
 function isDcqlQueryEqualOrSubset(arq, rcq) {
-  if (rcq.credential_sets) {
-    return false;
-  }
-  if (rcq.credentials.some((c) => c.id)) {
-    return false;
-  }
-  if (arq.credentials.some((c) => c.format !== "mso_mdoc" && c.format !== "vc+sd-jwt" && c.format !== "dc+sd-jwt")) {
-    return false;
-  }
-  credentialQueryLoop: for (const credentialQuery of arq.credentials) {
-    const matchingRcqCredentialQueriesBasedOnFormat = rcq.credentials.filter((c) => c.format === credentialQuery.format);
-    if (matchingRcqCredentialQueriesBasedOnFormat.length === 0) return false;
-    switch (credentialQuery.format) {
-      case "mso_mdoc": {
-        const doctypeValue = credentialQuery.meta?.doctype_value;
-        if (!doctypeValue) return false;
-        if (typeof credentialQuery.meta?.doctype_value !== "string") return false;
-        const foundMatchingRequests = matchingRcqCredentialQueriesBasedOnFormat.filter(
-          (c) => !!(c.format === "mso_mdoc" && c.meta && c.meta.doctype_value === doctypeValue)
-        );
-        if (foundMatchingRequests.length === 0) return false;
-        let foundFullyMatching = false;
-        for (const matchedRequest of foundMatchingRequests) {
-          if (!matchedRequest.claims) continue credentialQueryLoop;
-          if (!credentialQuery.claims) continue credentialQueryLoop;
-          const isEveryClaimAllowedToBeRequested = credentialQuery.claims.every(
-            (c) => "path" in c && matchedRequest.claims?.some(
-              (mrc) => "path" in mrc && c.path[0] === mrc.path[0] && c.path[1] === mrc.path[1]
-            )
-          );
-          if (isEveryClaimAllowedToBeRequested) {
-            foundFullyMatching = true;
-          }
-        }
-        if (!foundFullyMatching) return false;
-        break;
-      }
-      case "dc+sd-jwt":
-      case "vc+sd-jwt": {
-        const vctValues = credentialQuery.meta?.vct_values;
-        if (!vctValues) return false;
-        if (credentialQuery.meta?.vct_values?.length === 0) return false;
-        const foundMatchingRequests = matchingRcqCredentialQueriesBasedOnFormat.filter(
-          (c) => !!((c.format === "dc+sd-jwt" || c.format === "vc+sd-jwt") && c.meta?.vct_values && equalsIgnoreOrder(c.meta.vct_values, vctValues))
-        );
-        if (foundMatchingRequests.length === 0) return false;
-        let foundFullyMatching = false;
-        for (const matchedRequest of foundMatchingRequests) {
-          if (!matchedRequest.claims) continue credentialQueryLoop;
-          if (!credentialQuery.claims) continue credentialQueryLoop;
-          const isEveryClaimAllowedToBeRequested = credentialQuery.claims.every(
-            (c) => "path" in c && matchedRequest.claims?.some((mrc) => "path" in mrc && equalsWithOrder(c.path, mrc.path))
-          );
-          if (isEveryClaimAllowedToBeRequested) {
-            foundFullyMatching = true;
-          }
-        }
-        if (!foundFullyMatching) return false;
-        break;
-      }
-      default:
-        return false;
-    }
-  }
-  return true;
+	if (rcq.credential_sets) return false;
+	if (rcq.credentials.some((c) => c.id)) return false;
+	if (arq.credentials.some((c) => c.format !== "mso_mdoc" && c.format !== "vc+sd-jwt" && c.format !== "dc+sd-jwt")) return false;
+	credentialQueryLoop: for (const credentialQuery of arq.credentials) {
+		const matchingRcqCredentialQueriesBasedOnFormat = rcq.credentials.filter((c) => c.format === credentialQuery.format);
+		if (matchingRcqCredentialQueriesBasedOnFormat.length === 0) return false;
+		switch (credentialQuery.format) {
+			case "mso_mdoc": {
+				const doctypeValue = credentialQuery.meta?.doctype_value;
+				if (!doctypeValue) return false;
+				if (typeof credentialQuery.meta?.doctype_value !== "string") return false;
+				const foundMatchingRequests = matchingRcqCredentialQueriesBasedOnFormat.filter((c) => !!(c.format === "mso_mdoc" && c.meta && c.meta.doctype_value === doctypeValue));
+				if (foundMatchingRequests.length === 0) return false;
+				let foundFullyMatching = false;
+				for (const matchedRequest of foundMatchingRequests) {
+					if (!matchedRequest.claims) continue credentialQueryLoop;
+					if (!credentialQuery.claims) continue credentialQueryLoop;
+					if (credentialQuery.claims.every((c) => "path" in c && matchedRequest.claims?.some((mrc) => "path" in mrc && c.path[0] === mrc.path[0] && c.path[1] === mrc.path[1]))) foundFullyMatching = true;
+				}
+				if (!foundFullyMatching) return false;
+				break;
+			}
+			case "dc+sd-jwt": {
+				const vctValues = credentialQuery.meta?.vct_values;
+				if (!vctValues || vctValues.length === 0) return false;
+				const foundMatchingRequests = matchingRcqCredentialQueriesBasedOnFormat.filter((c) => !!(c.format === "dc+sd-jwt" && c.meta?.vct_values && equalsIgnoreOrder(c.meta.vct_values, vctValues)));
+				if (foundMatchingRequests.length === 0) return false;
+				let foundFullyMatching = false;
+				for (const matchedRequest of foundMatchingRequests) {
+					if (!matchedRequest.claims) continue credentialQueryLoop;
+					if (!credentialQuery.claims) continue credentialQueryLoop;
+					if (credentialQuery.claims.every((c) => "path" in c && matchedRequest.claims?.some((mrc) => "path" in mrc && equalsWithOrder(c.path, mrc.path)))) foundFullyMatching = true;
+				}
+				if (!foundFullyMatching) return false;
+				break;
+			}
+			default: return false;
+		}
+	}
+	return true;
 }
-// src/verifyOpenid4VpAuthorizationRequest.ts
-var verifyOpenid4VpAuthorizationRequest = async (agentContext, {
-  resolvedAuthorizationRequest: { authorizationRequestPayload, signedAuthorizationRequest, dcql },
-  trustedCertificates,
-  allowUntrustedSigned
-}) => {
-  const results = [];
-  if (!authorizationRequestPayload.verifier_attestations) return;
-  for (const va of authorizationRequestPayload.verifier_attestations) {
-    if (va.format === "jwt") {
-      if (typeof va.data !== "string") {
-        throw new Error("Only inline JWTs are supported");
-      }
-      const jwsService = agentContext.dependencyManager.resolve(JwsService);
-      let isValidButUntrusted = false;
-      let isValidAndTrusted = false;
-      const jwt = Jwt.fromSerializedJwt(va.data);
-      try {
-        const { isValid } = await jwsService.verifyJws(agentContext, {
-          jws: va.data,
-          trustedCertificates
-        });
-        isValidAndTrusted = isValid;
-      } catch {
-        if (allowUntrustedSigned) {
-          const { isValid } = await jwsService.verifyJws(agentContext, {
-            jws: va.data,
-            trustedCertificates: jwt.header.x5c ?? []
-          });
-          isValidButUntrusted = isValid;
-        }
-      }
-      if (jwt.header.typ !== "rc-rp+jwt") {
-        throw new Error(`only 'rc-rp+jwt' is supported as header typ. Request included: ${jwt.header.typ}`);
-      }
-      if (!signedAuthorizationRequest) {
-        throw new Error("Request must be signed for the registration certificate");
-      }
-      if (signedAuthorizationRequest.signer.method !== "x5c") {
-        throw new Error("x5c is only supported for registration certificate");
-      }
-      const registrationCertificateHeaderSchema = z.object({
-        typ: z.literal("rc-rp+jwt"),
-        alg: z.string(),
-        // sprin-d did not define this
-        x5u: z.string().url().optional(),
-        // sprin-d did not define this
-        "x5t#s256": z.string().optional()
-      }).passthrough();
-      const registrationCertificatePayloadSchema = z.object({
-        credentials: z.array(
-          z.object({
-            format: z.string(),
-            multiple: z.boolean().default(false),
-            meta: z.object({
-              vct_values: z.array(z.string()).optional(),
-              doctype_value: z.string().optional()
-            }).optional(),
-            trusted_authorities: z.array(z.object({ type: z.string(), values: z.array(z.string()) })).nonempty().optional(),
-            require_cryptographic_holder_binding: z.boolean().default(true),
-            claims: z.array(
-              z.object({
-                id: z.string().optional(),
-                path: z.array(z.string()).nonempty().nonempty(),
-                values: z.array(z.number().or(z.boolean())).optional()
-              })
-            ).nonempty().optional(),
-            claim_sets: z.array(z.array(z.string())).nonempty().optional()
-          })
-        ),
-        contact: z.object({
-          website: z.string().url(),
-          "e-mail": z.string().email(),
-          phone: z.string()
-        }),
-        sub: z.string(),
-        // Should be service
-        services: z.array(z.object({ lang: z.string(), name: z.string() })),
-        public_body: z.boolean().default(false),
-        entitlements: z.array(z.any()),
-        provided_attestations: z.array(
-          z.object({
-            format: z.string(),
-            meta: z.any()
-          })
-        ).optional(),
-        privacy_policy: z.string().url(),
-        iat: z.number().optional(),
-        exp: z.number().optional(),
-        purpose: z.array(
-          z.object({
-            locale: z.string().optional(),
-            lang: z.string().optional(),
-            name: z.string()
-          })
-        ).optional(),
-        status: z.any()
-      }).passthrough();
-      registrationCertificateHeaderSchema.parse(jwt.header);
-      const parsedPayload = registrationCertificatePayloadSchema.parse(jwt.payload.toJson());
-      const [rpCertEncoded] = signedAuthorizationRequest.signer.x5c;
-      const rpCert = X509Certificate.fromEncodedCertificate(rpCertEncoded);
-      if (rpCert.subject !== parsedPayload.sub) {
-        throw new Error(
-          `Subject in the certificate of the auth request: '${rpCert.subject}' is not equal to the subject of the registration certificate: '${parsedPayload.sub}'`
-        );
-      }
-      if (parsedPayload.iat && (/* @__PURE__ */ new Date()).getTime() / 1e3 <= parsedPayload.iat) {
-        throw new Error("Issued at timestamp of the registration certificate is in the future");
-      }
-      if (!dcql) {
-        throw new Error("DCQL must be used when working registration certificates");
-      }
-      if (authorizationRequestPayload.presentation_definition || authorizationRequestPayload.presentation_definition_uri) {
-        throw new Error("Presentation Exchange is not supported for the registration certificate");
-      }
-      const isValidDcqlQuery = isDcqlQueryEqualOrSubset(dcql.queryResult, parsedPayload);
-      if (!isValidDcqlQuery) {
-        throw new Error(
-          "DCQL query in the authorization request is not equal or a valid subset of the DCQl query provided in the registration certificate"
-        );
-      }
-      results.push({ isValidButUntrusted, isValidAndTrusted, x509RegistrationCertificate: rpCert });
-    } else {
-      throw new Error(`only format of 'jwt' is supported`);
-    }
-  }
-  return results;
-};
-export {
-  verifyOpenid4VpAuthorizationRequest
+//#endregion
+//#region src/verifyOpenid4VpAuthorizationRequest.ts
+const verifyOpenid4VpAuthorizationRequest = async (agentContext, { resolvedAuthorizationRequest: { authorizationRequestPayload, signedAuthorizationRequest, dcql }, trustedCertificates, allowUntrustedSigned }) => {
+	const results = [];
+	if (!authorizationRequestPayload.verifier_attestations) return;
+	for (const va of authorizationRequestPayload.verifier_attestations) if (va.format === "jwt") {
+		if (typeof va.data !== "string") throw new Error("Only inline JWTs are supported");
+		const jwsService = agentContext.dependencyManager.resolve(JwsService);
+		let isValidButUntrusted = false;
+		let isValidAndTrusted = false;
+		const jwt = Jwt.fromSerializedJwt(va.data);
+		try {
+			const { isValid } = await jwsService.verifyJws(agentContext, {
+				jws: va.data,
+				trustedCertificates
+			});
+			isValidAndTrusted = isValid;
+		} catch {
+			if (allowUntrustedSigned) {
+				const { isValid } = await jwsService.verifyJws(agentContext, {
+					jws: va.data,
+					trustedCertificates: jwt.header.x5c ?? []
+				});
+				isValidButUntrusted = isValid;
+			}
+		}
+		if (jwt.header.typ !== "rc-rp+jwt") throw new Error(`only 'rc-rp+jwt' is supported as header typ. Request included: ${jwt.header.typ}`);
+		if (!signedAuthorizationRequest) throw new Error("Request must be signed for the registration certificate");
+		if (signedAuthorizationRequest.signer.method !== "x5c") throw new Error("x5c is only supported for registration certificate");
+		const registrationCertificateHeaderSchema = z$1.object({
+			typ: z$1.literal("rc-rp+jwt"),
+			alg: z$1.string(),
+			x5u: z$1.string().url().optional(),
+			"x5t#s256": z$1.string().optional()
+		}).passthrough();
+		const registrationCertificatePayloadSchema = z$1.object({
+			credentials: z$1.array(z$1.object({
+				format: z$1.string(),
+				multiple: z$1.boolean().default(false),
+				meta: z$1.object({
+					vct_values: z$1.array(z$1.string()).optional(),
+					doctype_value: z$1.string().optional()
+				}).optional(),
+				trusted_authorities: z$1.array(z$1.object({
+					type: z$1.string(),
+					values: z$1.array(z$1.string())
+				})).nonempty().optional(),
+				require_cryptographic_holder_binding: z$1.boolean().default(true),
+				claims: z$1.array(z$1.object({
+					id: z$1.string().optional(),
+					path: z$1.array(z$1.string()).nonempty().nonempty(),
+					values: z$1.array(z$1.number().or(z$1.boolean())).optional()
+				})).nonempty().optional(),
+				claim_sets: z$1.array(z$1.array(z$1.string())).nonempty().optional()
+			})),
+			contact: z$1.object({
+				website: z$1.string().url(),
+				"e-mail": z$1.string().email(),
+				phone: z$1.string()
+			}),
+			sub: z$1.string(),
+			services: z$1.array(z$1.object({
+				lang: z$1.string(),
+				name: z$1.string()
+			})),
+			public_body: z$1.boolean().default(false),
+			entitlements: z$1.array(z$1.any()),
+			provided_attestations: z$1.array(z$1.object({
+				format: z$1.string(),
+				meta: z$1.any()
+			})).optional(),
+			privacy_policy: z$1.string().url(),
+			iat: z$1.number().optional(),
+			exp: z$1.number().optional(),
+			purpose: z$1.array(z$1.object({
+				locale: z$1.string().optional(),
+				lang: z$1.string().optional(),
+				name: z$1.string()
+			})).optional(),
+			status: z$1.any()
+		}).passthrough();
+		registrationCertificateHeaderSchema.parse(jwt.header);
+		const parsedPayload = registrationCertificatePayloadSchema.parse(jwt.payload.toJson());
+		const [rpCertEncoded] = signedAuthorizationRequest.signer.x5c;
+		const rpCert = X509Certificate.fromEncodedCertificate(rpCertEncoded);
+		if (rpCert.subject !== parsedPayload.sub) throw new Error(`Subject in the certificate of the auth request: '${rpCert.subject}' is not equal to the subject of the registration certificate: '${parsedPayload.sub}'`);
+		if (parsedPayload.iat && Date.now() / 1e3 <= parsedPayload.iat) throw new Error("Issued at timestamp of the registration certificate is in the future");
+		if (!dcql) throw new Error("DCQL must be used when working registration certificates");
+		if (authorizationRequestPayload.presentation_definition || authorizationRequestPayload.presentation_definition_uri) throw new Error("Presentation Exchange is not supported for the registration certificate");
+		if (!isDcqlQueryEqualOrSubset(dcql.queryResult, parsedPayload)) throw new Error("DCQL query in the authorization request is not equal or a valid subset of the DCQl query provided in the registration certificate");
+		results.push({
+			isValidButUntrusted,
+			isValidAndTrusted,
+			x509RegistrationCertificate: rpCert
+		});
+	} else throw new Error(`only format of 'jwt' is supported`);
+	return results;
 };
+//#endregion
+export { EudiWalletExtensionsError, Ts12IntegrityError, URN_SCA_ACCOUNT_ACCESS, URN_SCA_EMANDATE, URN_SCA_LOGIN_RISK, URN_SCA_PAYMENT, resolveTs12TransactionDisplayMetadata, ts12BuiltinSchemaValidators, verifyOpenid4VpAuthorizationRequest, zAccountAccessPayload, zEMandatePayload, zFunkeQesTransaction, zLoginPayload, zPaymentPayload, zScaAttestationExt, zScaTransactionDataTypeClaims, zScaTransactionDataTypeUiLabels, zTransactionData, zTransactionDataEntry, zTs12Transaction };
 //# sourceMappingURL=index.mjs.map