@arcblock/vc 1.29.18 → 1.29.20

package/esm/index.d.mts

@@ -7,7 +7,11 @@ interface Proof {
   created: string;
   proofPurpose: string;
   jws: string;
+  id?: string;
+  signer?: string;
   pk?: string;
+  previousProof?: string | string[];
+  verificationMethod?: string;
 }
 interface Issuer {
   id: string;
@@ -24,14 +28,14 @@ interface CredentialStatus {
   scope: string;
 }
 interface VerifiableCredential {
-  '@context': string;
+  '@context': string | string[];
   id: string;
-  type: string;
+  type: string | string[];
   issuer: Issuer;
   issuanceDate: string;
   expirationDate?: string;
   credentialSubject: CredentialSubject;
-  proof: Proof;
+  proof: Proof | Proof[];
   tag?: string;
   credentialStatus?: CredentialStatus;
   signature?: unknown;
@@ -50,7 +54,7 @@ interface Credential {
   id: string;
   issued: string;
   issuer: Issuer;
-  proof: Proof;
+  proof: Proof | Proof[];
   claim: unknown;
 }
 declare const proofTypes: Record<number, string>;
@@ -77,7 +81,7 @@ declare function create({
   endpoint,
   endpointScope
 }: {
-  type: string;
+  type: string | string[];
   subject: CredentialSubject;
   issuer: IssuerInfo;
   issuanceDate?: string;
@@ -110,6 +114,25 @@ declare function verify({
   trustedIssuers: string | string[];
   ignoreExpired?: boolean;
 }): Promise<boolean>;
+/**
+ * Counter-sign an existing verifiable credential
+ * Adds a new proof from a different signer to the VC
+ *
+ * @param params
+ * @param params.vc - The already-signed verifiable credential
+ * @param params.wallet - The counter-signer's wallet
+ * @param params.mode - 'set' (independent proof) or 'chain' (references previous proofs)
+ * @returns Promise<VerifiableCredential>
+ */
+declare function counterSign({
+  vc,
+  wallet,
+  mode
+}: {
+  vc: VerifiableCredential;
+  wallet: WalletObject;
+  mode?: 'set' | 'chain';
+}): Promise<VerifiableCredential>;
 /**
  * Verify that the Presentation is valid
  *  - It is signed by VC's owner
@@ -152,4 +175,4 @@ declare function verifyCredentialList({
 }): Promise<unknown[]>;
 declare const stableStringify: typeof stringify;
 //#endregion
-export { create, createCredentialList, proofTypes, stableStringify, verify, verifyCredentialList, verifyPresentation };
+export { counterSign, create, createCredentialList, proofTypes, stableStringify, verify, verifyCredentialList, verifyPresentation };

package/esm/index.mjs

@@ -36,7 +36,9 @@ const proofTypes = {
 * @returns Promise<object>
 */
 async function create({ type, subject, issuer, issuanceDate, expirationDate, tag = "", endpoint = "", endpointScope = "public" }) {
-	if (!type) throw new Error("Can not create verifiable credential without empty type");
+	const typeArray = Array.isArray(type) ? [...type] : type ? [type] : [];
+	if (typeArray.length === 0 || typeArray.some((t) => !t)) throw new Error("Can not create verifiable credential without empty type");
+	if (!typeArray.includes("VerifiableCredential")) typeArray.unshift("VerifiableCredential");
 	if (!subject) throw new Error("Can not create verifiable credential from empty subject");
 	if (!subject.id) throw new Error("Can not create verifiable credential without holder");
 	if (!isValid(subject.id)) throw new Error("Can not create verifiable credential invalid holder did");
@@ -50,14 +52,17 @@ async function create({ type, subject, issuer, issuanceDate, expirationDate, tag
 		role: types.RoleType.ROLE_VC
 	};
 	const vcDid = fromPublicKeyHash(wallet.hash(stringify(subject)), vcType);
+	const pkType = typeInfo.pk;
+	if (!proofTypes[pkType]) throw new Error("Unsupported signer type when create verifiable credential");
 	const issuanceDateValue = issuanceDate || (/* @__PURE__ */ new Date()).toISOString();
+	const issuerPk = toBase58(wallet.publicKey);
 	const vcObj = {
-		"@context": "https://schema.arcblock.io/v0.1/context.jsonld",
+		"@context": ["https://www.w3.org/2018/credentials/v1", "https://schema.arcblock.io/v0.1/context.jsonld"],
 		id: vcDid,
-		type,
+		type: typeArray,
 		issuer: {
 			id: issuerDid,
-			pk: toBase58(wallet.publicKey),
+			pk: issuerPk,
 			name: issuerName || issuerDid
 		},
 		issuanceDate: issuanceDateValue,
@@ -70,14 +75,15 @@ async function create({ type, subject, issuer, issuanceDate, expirationDate, tag
 		type: "NFTStatusList2021",
 		scope: endpointScope || "public"
 	};
-	const pkType = typeInfo.pk;
-	if (!proofTypes[pkType]) throw new Error("Unsupported signer type when create verifiable credential");
 	const signature = await wallet.sign(stringify(vcObj));
 	const result = {
 		proof: {
 			type: proofTypes[pkType],
 			created: issuanceDateValue,
 			proofPurpose: "assertionMethod",
+			id: crypto.randomUUID(),
+			signer: issuerDid,
+			pk: issuerPk,
 			jws: toBase64(signature)
 		},
 		...vcObj
@@ -107,21 +113,77 @@ async function verify({ vc, ownerDid, trustedIssuers, ignoreExpired = false }) {
 	if (!vc) throw new Error("Empty verifiable credential object");
 	if (!vc.issuer || !vc.issuer.id || !vc.issuer.pk || !isValid(vc.issuer.id)) throw new Error("Invalid verifiable credential issuer");
 	if (!vc.credentialSubject || !vc.credentialSubject.id || !isValid(vc.credentialSubject.id)) throw new Error("Invalid verifiable credential subject");
-	if (!vc.proof || !vc.proof.jws) throw new Error("Invalid verifiable credential proof");
+	const proofList = Array.isArray(vc.proof) ? vc.proof : vc.proof ? [vc.proof] : [];
+	if (proofList.length === 0 || proofList.some((p) => !p || !p.jws)) throw new Error("Invalid verifiable credential proof");
 	if (vc.issuanceDate === void 0) throw Error("Invalid verifiable credential issue date");
 	if (new Date(vc.issuanceDate).getTime() > Date.now()) throw Error("Verifiable credential has not take effect");
 	if (!ignoreExpired && vc.expirationDate !== void 0 && new Date(vc.expirationDate).getTime() < Date.now()) throw Error("Verifiable credential has expired");
-	const issuerDid = (Array.isArray(trustedIssuers) ? trustedIssuers : [trustedIssuers]).find((x) => x === vc.issuer.id);
-	if (!issuerDid) throw new Error("Verifiable credential not issued by trusted issuers");
-	if (!isFromPublicKey(issuerDid, vc.issuer.pk)) throw new Error("Verifiable credential not issuer pk not match with issuer did");
+	const issuers = Array.isArray(trustedIssuers) ? trustedIssuers : [trustedIssuers];
+	if (!isFromPublicKey(vc.issuer.id, vc.issuer.pk)) throw new Error("Verifiable credential not issuer pk not match with issuer did");
 	if (ownerDid !== vc.credentialSubject.id) throw new Error("Verifiable credential not owned by specified owner did");
-	const issuerWallet = fromPublicKey(vc.issuer.pk, toTypeInfo(issuerDid));
+	for (const proof of proofList) {
+		const proofPk = proof.pk || vc.issuer.pk;
+		const proofSigner = proof.signer || vc.issuer.id;
+		if (!issuers.includes(proofSigner)) throw new Error("Proof signer not in trusted issuers");
+		if (proof.signer && proof.pk && !isFromPublicKey(proof.signer, proof.pk)) throw new Error("Proof pk does not match signer");
+		const clone = cloneDeep(vc);
+		delete clone.signature;
+		const prevProofRefs = proof.previousProof;
+		if (prevProofRefs && (typeof prevProofRefs === "string" || Array.isArray(prevProofRefs) && prevProofRefs.length > 0)) {
+			const prevIds = Array.isArray(prevProofRefs) ? prevProofRefs : [prevProofRefs];
+			const matchingProofs = proofList.filter((p) => p.id && prevIds.includes(p.id));
+			if (matchingProofs.length !== prevIds.length) throw new Error("Referenced previous proof not found");
+			clone.proof = matchingProofs;
+		} else delete clone.proof;
+		const signedContent = stringify(clone);
+		if (await fromPublicKey(proofPk, toTypeInfo(proofSigner)).verify(signedContent, fromBase64(proof.jws)) !== true) throw Error("Verifiable credential signature not valid");
+	}
+	return true;
+}
+/**
+* Counter-sign an existing verifiable credential
+* Adds a new proof from a different signer to the VC
+*
+* @param params
+* @param params.vc - The already-signed verifiable credential
+* @param params.wallet - The counter-signer's wallet
+* @param params.mode - 'set' (independent proof) or 'chain' (references previous proofs)
+* @returns Promise<VerifiableCredential>
+*/
+async function counterSign({ vc, wallet, mode = "set" }) {
+	if (!vc) throw new Error("Cannot counter-sign empty verifiable credential");
+	const existingProofs = Array.isArray(vc.proof) ? vc.proof : vc.proof ? [vc.proof] : [];
+	if (existingProofs.length === 0) throw new Error("Cannot counter-sign verifiable credential without existing proof");
+	const signerDid = wallet.address;
+	const pkType = toTypeInfo(signerDid).pk;
+	if (!proofTypes[pkType]) throw new Error("Unsupported signer type when counter-signing verifiable credential");
+	const signerPk = toBase58(wallet.publicKey);
+	const proofsWithIds = existingProofs.map((p) => p.id ? p : {
+		...p,
+		id: crypto.randomUUID()
+	});
 	const clone = cloneDeep(vc);
-	const signatureStr = clone.proof.jws;
-	delete clone.proof;
 	delete clone.signature;
-	if (await issuerWallet.verify(stringify(clone), fromBase64(signatureStr)) !== true) throw Error("Verifiable credential signature not valid");
-	return true;
+	const newProof = {
+		type: proofTypes[pkType],
+		created: (/* @__PURE__ */ new Date()).toISOString(),
+		proofPurpose: "assertionMethod",
+		id: crypto.randomUUID(),
+		signer: signerDid,
+		pk: signerPk,
+		jws: ""
+	};
+	if (mode === "chain") {
+		clone.proof = proofsWithIds;
+		const prevIds = proofsWithIds.map((p) => p.id);
+		newProof.previousProof = prevIds.length === 1 ? prevIds[0] : prevIds;
+	} else delete clone.proof;
+	const signedContent = stringify(clone);
+	newProof.jws = toBase64(await wallet.sign(signedContent));
+	return {
+		...vc,
+		proof: [...proofsWithIds, newProof]
+	};
 }
 /**
 * Verify that the Presentation is valid
@@ -170,13 +232,14 @@ async function createCredentialList({ claims, issuer, issuanceDate }) {
 	};
 	const issued = issuanceDate || (/* @__PURE__ */ new Date()).toISOString();
 	const pkType = typeInfo.pk;
+	const issuerPk = toBase58(wallet.publicKey);
 	return await Promise.all(claims.map(async (x) => {
 		const vc = { claim: x };
 		vc.id = fromPublicKeyHash(wallet.hash(stringify(vc.claim)), vcType);
 		vc.issued = issued;
 		vc.issuer = {
 			id: issuerDid,
-			pk: toBase58(wallet.publicKey),
+			pk: issuerPk,
 			name: name$1 || issuerDid
 		};
 		const signature = await wallet.sign(stringify(vc));
@@ -184,6 +247,9 @@ async function createCredentialList({ claims, issuer, issuanceDate }) {
 			type: proofTypes[pkType],
 			created: issued,
 			proofPurpose: "assertionMethod",
+			id: crypto.randomUUID(),
+			signer: issuerDid,
+			pk: issuerPk,
 			jws: toBase64(signature)
 		};
 		return vc;
@@ -192,18 +258,26 @@ async function createCredentialList({ claims, issuer, issuanceDate }) {
 async function verifyCredentialList({ credentials, trustedIssuers }) {
 	if (!credentials || !Array.isArray(credentials)) throw new Error("Can not verify with empty credentials list");
 	return Promise.all(credentials.map(async (x) => {
-		const issuerDid = (Array.isArray(trustedIssuers) ? trustedIssuers : [trustedIssuers]).find((d) => d === x.issuer.id);
+		const issuers = Array.isArray(trustedIssuers) ? trustedIssuers : [trustedIssuers];
+		const issuerDid = issuers.find((d) => d === x.issuer.id);
 		if (!issuerDid) throw new Error("Credential not issued by trusted issuers");
 		if (!isFromPublicKey(issuerDid, x.issuer.pk)) throw new Error("Credential not issuer pk not match with issuer did");
-		const issuerWallet = fromPublicKey(x.issuer.pk, toTypeInfo(issuerDid));
+		const proofList = Array.isArray(x.proof) ? x.proof : x.proof ? [x.proof] : [];
+		if (proofList.length === 0 || proofList.some((p) => !p || !p.jws)) throw new Error("Invalid credential proof");
 		const clone = cloneDeep(x);
-		const signatureStr = clone.proof.jws;
 		delete clone.proof;
-		if (await issuerWallet.verify(stringify(clone), fromBase64(signatureStr)) !== true) throw Error("Status credential signature not valid");
+		const signedContent = stringify(clone);
+		for (const proof of proofList) {
+			const proofPk = proof.pk || x.issuer.pk;
+			const proofSigner = proof.signer || x.issuer.id;
+			if (!issuers.includes(proofSigner)) throw new Error("Proof signer not in trusted issuers");
+			if (proof.signer && proof.pk && !isFromPublicKey(proof.signer, proof.pk)) throw new Error("Proof pk does not match signer");
+			if (await fromPublicKey(proofPk, toTypeInfo(proofSigner)).verify(signedContent, fromBase64(proof.jws)) !== true) throw Error("Status credential signature not valid");
+		}
 		return x.claim;
 	}));
 }
 const stableStringify = stringify;
 
 //#endregion
-export { create, createCredentialList, proofTypes, stableStringify, verify, verifyCredentialList, verifyPresentation };
+export { counterSign, create, createCredentialList, proofTypes, stableStringify, verify, verifyCredentialList, verifyPresentation };

package/lib/index.cjs

@@ -41,7 +41,9 @@ const proofTypes = {
 * @returns Promise<object>
 */
 async function create({ type, subject, issuer, issuanceDate, expirationDate, tag = "", endpoint = "", endpointScope = "public" }) {
-	if (!type) throw new Error("Can not create verifiable credential without empty type");
+	const typeArray = Array.isArray(type) ? [...type] : type ? [type] : [];
+	if (typeArray.length === 0 || typeArray.some((t) => !t)) throw new Error("Can not create verifiable credential without empty type");
+	if (!typeArray.includes("VerifiableCredential")) typeArray.unshift("VerifiableCredential");
 	if (!subject) throw new Error("Can not create verifiable credential from empty subject");
 	if (!subject.id) throw new Error("Can not create verifiable credential without holder");
 	if (!(0, _arcblock_did.isValid)(subject.id)) throw new Error("Can not create verifiable credential invalid holder did");
@@ -55,14 +57,17 @@ async function create({ type, subject, issuer, issuanceDate, expirationDate, tag
 		role: _ocap_mcrypto.types.RoleType.ROLE_VC
 	};
 	const vcDid = (0, _arcblock_did.fromPublicKeyHash)(wallet.hash((0, json_stable_stringify.default)(subject)), vcType);
+	const pkType = typeInfo.pk;
+	if (!proofTypes[pkType]) throw new Error("Unsupported signer type when create verifiable credential");
 	const issuanceDateValue = issuanceDate || (/* @__PURE__ */ new Date()).toISOString();
+	const issuerPk = (0, _ocap_util.toBase58)(wallet.publicKey);
 	const vcObj = {
-		"@context": "https://schema.arcblock.io/v0.1/context.jsonld",
+		"@context": ["https://www.w3.org/2018/credentials/v1", "https://schema.arcblock.io/v0.1/context.jsonld"],
 		id: vcDid,
-		type,
+		type: typeArray,
 		issuer: {
 			id: issuerDid,
-			pk: (0, _ocap_util.toBase58)(wallet.publicKey),
+			pk: issuerPk,
 			name: issuerName || issuerDid
 		},
 		issuanceDate: issuanceDateValue,
@@ -75,14 +80,15 @@ async function create({ type, subject, issuer, issuanceDate, expirationDate, tag
 		type: "NFTStatusList2021",
 		scope: endpointScope || "public"
 	};
-	const pkType = typeInfo.pk;
-	if (!proofTypes[pkType]) throw new Error("Unsupported signer type when create verifiable credential");
 	const signature = await wallet.sign((0, json_stable_stringify.default)(vcObj));
 	const result = {
 		proof: {
 			type: proofTypes[pkType],
 			created: issuanceDateValue,
 			proofPurpose: "assertionMethod",
+			id: crypto.randomUUID(),
+			signer: issuerDid,
+			pk: issuerPk,
 			jws: (0, _ocap_util.toBase64)(signature)
 		},
 		...vcObj
@@ -112,21 +118,77 @@ async function verify({ vc, ownerDid, trustedIssuers, ignoreExpired = false }) {
 	if (!vc) throw new Error("Empty verifiable credential object");
 	if (!vc.issuer || !vc.issuer.id || !vc.issuer.pk || !(0, _arcblock_did.isValid)(vc.issuer.id)) throw new Error("Invalid verifiable credential issuer");
 	if (!vc.credentialSubject || !vc.credentialSubject.id || !(0, _arcblock_did.isValid)(vc.credentialSubject.id)) throw new Error("Invalid verifiable credential subject");
-	if (!vc.proof || !vc.proof.jws) throw new Error("Invalid verifiable credential proof");
+	const proofList = Array.isArray(vc.proof) ? vc.proof : vc.proof ? [vc.proof] : [];
+	if (proofList.length === 0 || proofList.some((p) => !p || !p.jws)) throw new Error("Invalid verifiable credential proof");
 	if (vc.issuanceDate === void 0) throw Error("Invalid verifiable credential issue date");
 	if (new Date(vc.issuanceDate).getTime() > Date.now()) throw Error("Verifiable credential has not take effect");
 	if (!ignoreExpired && vc.expirationDate !== void 0 && new Date(vc.expirationDate).getTime() < Date.now()) throw Error("Verifiable credential has expired");
-	const issuerDid = (Array.isArray(trustedIssuers) ? trustedIssuers : [trustedIssuers]).find((x) => x === vc.issuer.id);
-	if (!issuerDid) throw new Error("Verifiable credential not issued by trusted issuers");
-	if (!(0, _arcblock_did.isFromPublicKey)(issuerDid, vc.issuer.pk)) throw new Error("Verifiable credential not issuer pk not match with issuer did");
+	const issuers = Array.isArray(trustedIssuers) ? trustedIssuers : [trustedIssuers];
+	if (!(0, _arcblock_did.isFromPublicKey)(vc.issuer.id, vc.issuer.pk)) throw new Error("Verifiable credential not issuer pk not match with issuer did");
 	if (ownerDid !== vc.credentialSubject.id) throw new Error("Verifiable credential not owned by specified owner did");
-	const issuerWallet = (0, _ocap_wallet.fromPublicKey)(vc.issuer.pk, (0, _arcblock_did.toTypeInfo)(issuerDid));
+	for (const proof of proofList) {
+		const proofPk = proof.pk || vc.issuer.pk;
+		const proofSigner = proof.signer || vc.issuer.id;
+		if (!issuers.includes(proofSigner)) throw new Error("Proof signer not in trusted issuers");
+		if (proof.signer && proof.pk && !(0, _arcblock_did.isFromPublicKey)(proof.signer, proof.pk)) throw new Error("Proof pk does not match signer");
+		const clone = (0, lodash_cloneDeep.default)(vc);
+		delete clone.signature;
+		const prevProofRefs = proof.previousProof;
+		if (prevProofRefs && (typeof prevProofRefs === "string" || Array.isArray(prevProofRefs) && prevProofRefs.length > 0)) {
+			const prevIds = Array.isArray(prevProofRefs) ? prevProofRefs : [prevProofRefs];
+			const matchingProofs = proofList.filter((p) => p.id && prevIds.includes(p.id));
+			if (matchingProofs.length !== prevIds.length) throw new Error("Referenced previous proof not found");
+			clone.proof = matchingProofs;
+		} else delete clone.proof;
+		const signedContent = (0, json_stable_stringify.default)(clone);
+		if (await (0, _ocap_wallet.fromPublicKey)(proofPk, (0, _arcblock_did.toTypeInfo)(proofSigner)).verify(signedContent, (0, _ocap_util.fromBase64)(proof.jws)) !== true) throw Error("Verifiable credential signature not valid");
+	}
+	return true;
+}
+/**
+* Counter-sign an existing verifiable credential
+* Adds a new proof from a different signer to the VC
+*
+* @param params
+* @param params.vc - The already-signed verifiable credential
+* @param params.wallet - The counter-signer's wallet
+* @param params.mode - 'set' (independent proof) or 'chain' (references previous proofs)
+* @returns Promise<VerifiableCredential>
+*/
+async function counterSign({ vc, wallet, mode = "set" }) {
+	if (!vc) throw new Error("Cannot counter-sign empty verifiable credential");
+	const existingProofs = Array.isArray(vc.proof) ? vc.proof : vc.proof ? [vc.proof] : [];
+	if (existingProofs.length === 0) throw new Error("Cannot counter-sign verifiable credential without existing proof");
+	const signerDid = wallet.address;
+	const pkType = (0, _arcblock_did.toTypeInfo)(signerDid).pk;
+	if (!proofTypes[pkType]) throw new Error("Unsupported signer type when counter-signing verifiable credential");
+	const signerPk = (0, _ocap_util.toBase58)(wallet.publicKey);
+	const proofsWithIds = existingProofs.map((p) => p.id ? p : {
+		...p,
+		id: crypto.randomUUID()
+	});
 	const clone = (0, lodash_cloneDeep.default)(vc);
-	const signatureStr = clone.proof.jws;
-	delete clone.proof;
 	delete clone.signature;
-	if (await issuerWallet.verify((0, json_stable_stringify.default)(clone), (0, _ocap_util.fromBase64)(signatureStr)) !== true) throw Error("Verifiable credential signature not valid");
-	return true;
+	const newProof = {
+		type: proofTypes[pkType],
+		created: (/* @__PURE__ */ new Date()).toISOString(),
+		proofPurpose: "assertionMethod",
+		id: crypto.randomUUID(),
+		signer: signerDid,
+		pk: signerPk,
+		jws: ""
+	};
+	if (mode === "chain") {
+		clone.proof = proofsWithIds;
+		const prevIds = proofsWithIds.map((p) => p.id);
+		newProof.previousProof = prevIds.length === 1 ? prevIds[0] : prevIds;
+	} else delete clone.proof;
+	const signedContent = (0, json_stable_stringify.default)(clone);
+	newProof.jws = (0, _ocap_util.toBase64)(await wallet.sign(signedContent));
+	return {
+		...vc,
+		proof: [...proofsWithIds, newProof]
+	};
 }
 /**
 * Verify that the Presentation is valid
@@ -175,13 +237,14 @@ async function createCredentialList({ claims, issuer, issuanceDate }) {
 	};
 	const issued = issuanceDate || (/* @__PURE__ */ new Date()).toISOString();
 	const pkType = typeInfo.pk;
+	const issuerPk = (0, _ocap_util.toBase58)(wallet.publicKey);
 	return await Promise.all(claims.map(async (x) => {
 		const vc = { claim: x };
 		vc.id = (0, _arcblock_did.fromPublicKeyHash)(wallet.hash((0, json_stable_stringify.default)(vc.claim)), vcType);
 		vc.issued = issued;
 		vc.issuer = {
 			id: issuerDid,
-			pk: (0, _ocap_util.toBase58)(wallet.publicKey),
+			pk: issuerPk,
 			name: name$1 || issuerDid
 		};
 		const signature = await wallet.sign((0, json_stable_stringify.default)(vc));
@@ -189,6 +252,9 @@ async function createCredentialList({ claims, issuer, issuanceDate }) {
 			type: proofTypes[pkType],
 			created: issued,
 			proofPurpose: "assertionMethod",
+			id: crypto.randomUUID(),
+			signer: issuerDid,
+			pk: issuerPk,
 			jws: (0, _ocap_util.toBase64)(signature)
 		};
 		return vc;
@@ -197,20 +263,29 @@ async function createCredentialList({ claims, issuer, issuanceDate }) {
 async function verifyCredentialList({ credentials, trustedIssuers }) {
 	if (!credentials || !Array.isArray(credentials)) throw new Error("Can not verify with empty credentials list");
 	return Promise.all(credentials.map(async (x) => {
-		const issuerDid = (Array.isArray(trustedIssuers) ? trustedIssuers : [trustedIssuers]).find((d) => d === x.issuer.id);
+		const issuers = Array.isArray(trustedIssuers) ? trustedIssuers : [trustedIssuers];
+		const issuerDid = issuers.find((d) => d === x.issuer.id);
 		if (!issuerDid) throw new Error("Credential not issued by trusted issuers");
 		if (!(0, _arcblock_did.isFromPublicKey)(issuerDid, x.issuer.pk)) throw new Error("Credential not issuer pk not match with issuer did");
-		const issuerWallet = (0, _ocap_wallet.fromPublicKey)(x.issuer.pk, (0, _arcblock_did.toTypeInfo)(issuerDid));
+		const proofList = Array.isArray(x.proof) ? x.proof : x.proof ? [x.proof] : [];
+		if (proofList.length === 0 || proofList.some((p) => !p || !p.jws)) throw new Error("Invalid credential proof");
 		const clone = (0, lodash_cloneDeep.default)(x);
-		const signatureStr = clone.proof.jws;
 		delete clone.proof;
-		if (await issuerWallet.verify((0, json_stable_stringify.default)(clone), (0, _ocap_util.fromBase64)(signatureStr)) !== true) throw Error("Status credential signature not valid");
+		const signedContent = (0, json_stable_stringify.default)(clone);
+		for (const proof of proofList) {
+			const proofPk = proof.pk || x.issuer.pk;
+			const proofSigner = proof.signer || x.issuer.id;
+			if (!issuers.includes(proofSigner)) throw new Error("Proof signer not in trusted issuers");
+			if (proof.signer && proof.pk && !(0, _arcblock_did.isFromPublicKey)(proof.signer, proof.pk)) throw new Error("Proof pk does not match signer");
+			if (await (0, _ocap_wallet.fromPublicKey)(proofPk, (0, _arcblock_did.toTypeInfo)(proofSigner)).verify(signedContent, (0, _ocap_util.fromBase64)(proof.jws)) !== true) throw Error("Status credential signature not valid");
+		}
 		return x.claim;
 	}));
 }
 const stableStringify = json_stable_stringify.default;
 
 //#endregion
+exports.counterSign = counterSign;
 exports.create = create;
 exports.createCredentialList = createCredentialList;
 exports.proofTypes = proofTypes;

package/lib/index.d.cts

@@ -7,7 +7,11 @@ interface Proof {
   created: string;
   proofPurpose: string;
   jws: string;
+  id?: string;
+  signer?: string;
   pk?: string;
+  previousProof?: string | string[];
+  verificationMethod?: string;
 }
 interface Issuer {
   id: string;
@@ -24,14 +28,14 @@ interface CredentialStatus {
   scope: string;
 }
 interface VerifiableCredential {
-  '@context': string;
+  '@context': string | string[];
   id: string;
-  type: string;
+  type: string | string[];
   issuer: Issuer;
   issuanceDate: string;
   expirationDate?: string;
   credentialSubject: CredentialSubject;
-  proof: Proof;
+  proof: Proof | Proof[];
   tag?: string;
   credentialStatus?: CredentialStatus;
   signature?: unknown;
@@ -50,7 +54,7 @@ interface Credential {
   id: string;
   issued: string;
   issuer: Issuer;
-  proof: Proof;
+  proof: Proof | Proof[];
   claim: unknown;
 }
 declare const proofTypes: Record<number, string>;
@@ -77,7 +81,7 @@ declare function create({
   endpoint,
   endpointScope
 }: {
-  type: string;
+  type: string | string[];
   subject: CredentialSubject;
   issuer: IssuerInfo;
   issuanceDate?: string;
@@ -110,6 +114,25 @@ declare function verify({
   trustedIssuers: string | string[];
   ignoreExpired?: boolean;
 }): Promise<boolean>;
+/**
+ * Counter-sign an existing verifiable credential
+ * Adds a new proof from a different signer to the VC
+ *
+ * @param params
+ * @param params.vc - The already-signed verifiable credential
+ * @param params.wallet - The counter-signer's wallet
+ * @param params.mode - 'set' (independent proof) or 'chain' (references previous proofs)
+ * @returns Promise<VerifiableCredential>
+ */
+declare function counterSign({
+  vc,
+  wallet,
+  mode
+}: {
+  vc: VerifiableCredential;
+  wallet: WalletObject;
+  mode?: 'set' | 'chain';
+}): Promise<VerifiableCredential>;
 /**
  * Verify that the Presentation is valid
  *  - It is signed by VC's owner
@@ -152,4 +175,4 @@ declare function verifyCredentialList({
 }): Promise<unknown[]>;
 declare const stableStringify: typeof stringify;
 //#endregion
-export { create, createCredentialList, proofTypes, stableStringify, verify, verifyCredentialList, verifyPresentation };
+export { counterSign, create, createCredentialList, proofTypes, stableStringify, verify, verifyCredentialList, verifyPresentation };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@arcblock/vc",
-  "version": "1.29.18",
+  "version": "1.29.20",
   "description": "TypeScript lib to work with ArcBlock Verifiable Credentials",
   "keywords": [
     "arcblock",
@@ -72,10 +72,10 @@
     "url": "https://github.com/ArcBlock/blockchain/issues"
   },
   "dependencies": {
-    "@arcblock/did": "1.29.18",
-    "@ocap/mcrypto": "1.29.18",
-    "@ocap/util": "1.29.18",
-    "@ocap/wallet": "1.29.18",
+    "@arcblock/did": "1.29.20",
+    "@ocap/mcrypto": "1.29.20",
+    "@ocap/util": "1.29.20",
+    "@ocap/wallet": "1.29.20",
     "debug": "^4.4.3",
     "is-absolute-url": "^3.0.3",
     "json-stable-stringify": "^1.0.1",