@arcblock/vc 1.29.19 → 1.29.21

package/esm/index.d.mts

@@ -2,18 +2,15 @@ import { WalletObject } from "@ocap/wallet";
 import stringify from "json-stable-stringify";
 
 //#region src/index.d.ts
-interface VerificationMethod {
-  id: string;
-  type: string;
-  controller: string;
-  publicKeyMultibase: string;
-}
 interface Proof {
   type: string;
   created: string;
   proofPurpose: string;
   jws: string;
+  id?: string;
+  signer?: string;
   pk?: string;
+  previousProof?: string | string[];
   verificationMethod?: string;
 }
 interface Issuer {
@@ -38,7 +35,6 @@ interface VerifiableCredential {
   issuanceDate: string;
   expirationDate?: string;
   credentialSubject: CredentialSubject;
-  verificationMethod?: VerificationMethod[];
   proof: Proof | Proof[];
   tag?: string;
   credentialStatus?: CredentialStatus;
@@ -58,12 +54,10 @@ interface Credential {
   id: string;
   issued: string;
   issuer: Issuer;
-  verificationMethod?: VerificationMethod[];
   proof: Proof | Proof[];
   claim: unknown;
 }
 declare const proofTypes: Record<number, string>;
-declare const verificationKeyTypes: Record<number, string>;
 /**
  * Create a valid verifiable credential
  *
@@ -120,6 +114,25 @@ declare function verify({
   trustedIssuers: string | string[];
   ignoreExpired?: boolean;
 }): Promise<boolean>;
+/**
+ * Counter-sign an existing verifiable credential
+ * Adds a new proof from a different signer to the VC
+ *
+ * @param params
+ * @param params.vc - The already-signed verifiable credential
+ * @param params.wallet - The counter-signer's wallet
+ * @param params.mode - 'set' (independent proof) or 'chain' (references previous proofs)
+ * @returns Promise<VerifiableCredential>
+ */
+declare function counterSign({
+  vc,
+  wallet,
+  mode
+}: {
+  vc: VerifiableCredential;
+  wallet: WalletObject;
+  mode?: 'set' | 'chain';
+}): Promise<VerifiableCredential>;
 /**
  * Verify that the Presentation is valid
  *  - It is signed by VC's owner
@@ -162,4 +175,4 @@ declare function verifyCredentialList({
 }): Promise<unknown[]>;
 declare const stableStringify: typeof stringify;
 //#endregion
-export { create, createCredentialList, proofTypes, stableStringify, verificationKeyTypes, verify, verifyCredentialList, verifyPresentation };
+export { counterSign, create, createCredentialList, proofTypes, stableStringify, verify, verifyCredentialList, verifyPresentation };

package/esm/index.mjs

@@ -22,18 +22,6 @@ const proofTypes = {
 	[types.KeyType.SECP256K1]: "Secp256k1Signature",
 	[types.KeyType.ETHEREUM]: "EthereumSignature"
 };
-const verificationKeyTypes = {
-	[types.KeyType.ED25519]: "Ed25519VerificationKey2020",
-	[types.KeyType.SECP256K1]: "EcdsaSecp256k1VerificationKey2019",
-	[types.KeyType.ETHEREUM]: "EcdsaSecp256k1VerificationKey2019"
-};
-function resolvePublicKey(proof, verificationMethods, fallbackPk) {
-	if (proof.verificationMethod && verificationMethods?.length) {
-		const keyEntry = verificationMethods.find((k) => k.id === proof.verificationMethod);
-		if (keyEntry?.publicKeyMultibase) return keyEntry.publicKeyMultibase;
-	}
-	return fallbackPk;
-}
 /**
 * Create a valid verifiable credential
 *
@@ -68,7 +56,6 @@ async function create({ type, subject, issuer, issuanceDate, expirationDate, tag
 	if (!proofTypes[pkType]) throw new Error("Unsupported signer type when create verifiable credential");
 	const issuanceDateValue = issuanceDate || (/* @__PURE__ */ new Date()).toISOString();
 	const issuerPk = toBase58(wallet.publicKey);
-	const keyId = `did:abt:${issuerDid}#key-1`;
 	const vcObj = {
 		"@context": ["https://www.w3.org/2018/credentials/v1", "https://schema.arcblock.io/v0.1/context.jsonld"],
 		id: vcDid,
@@ -80,13 +67,7 @@ async function create({ type, subject, issuer, issuanceDate, expirationDate, tag
 		},
 		issuanceDate: issuanceDateValue,
 		expirationDate,
-		credentialSubject: subject,
-		verificationMethod: [{
-			id: keyId,
-			type: verificationKeyTypes[pkType],
-			controller: `did:abt:${issuerDid}`,
-			publicKeyMultibase: issuerPk
-		}]
+		credentialSubject: subject
 	};
 	if (tag) vcObj.tag = tag;
 	if (endpoint) vcObj.credentialStatus = {
@@ -100,7 +81,9 @@ async function create({ type, subject, issuer, issuanceDate, expirationDate, tag
 			type: proofTypes[pkType],
 			created: issuanceDateValue,
 			proofPurpose: "assertionMethod",
-			verificationMethod: keyId,
+			id: crypto.randomUUID(),
+			signer: issuerDid,
+			pk: issuerPk,
 			jws: toBase64(signature)
 		},
 		...vcObj
@@ -135,16 +118,72 @@ async function verify({ vc, ownerDid, trustedIssuers, ignoreExpired = false }) {
 	if (vc.issuanceDate === void 0) throw Error("Invalid verifiable credential issue date");
 	if (new Date(vc.issuanceDate).getTime() > Date.now()) throw Error("Verifiable credential has not take effect");
 	if (!ignoreExpired && vc.expirationDate !== void 0 && new Date(vc.expirationDate).getTime() < Date.now()) throw Error("Verifiable credential has expired");
-	const issuerDid = (Array.isArray(trustedIssuers) ? trustedIssuers : [trustedIssuers]).find((x) => x === vc.issuer.id);
-	if (!issuerDid) throw new Error("Verifiable credential not issued by trusted issuers");
-	if (!isFromPublicKey(issuerDid, vc.issuer.pk)) throw new Error("Verifiable credential not issuer pk not match with issuer did");
+	const issuers = Array.isArray(trustedIssuers) ? trustedIssuers : [trustedIssuers];
+	if (!isFromPublicKey(vc.issuer.id, vc.issuer.pk)) throw new Error("Verifiable credential not issuer pk not match with issuer did");
 	if (ownerDid !== vc.credentialSubject.id) throw new Error("Verifiable credential not owned by specified owner did");
+	for (const proof of proofList) {
+		const proofPk = proof.pk || vc.issuer.pk;
+		const proofSigner = proof.signer || vc.issuer.id;
+		if (!issuers.includes(proofSigner)) throw new Error("Proof signer not in trusted issuers");
+		if (proof.signer && proof.pk && !isFromPublicKey(proof.signer, proof.pk)) throw new Error("Proof pk does not match signer");
+		const clone = cloneDeep(vc);
+		delete clone.signature;
+		const prevProofRefs = proof.previousProof;
+		if (prevProofRefs && (typeof prevProofRefs === "string" || Array.isArray(prevProofRefs) && prevProofRefs.length > 0)) {
+			const prevIds = Array.isArray(prevProofRefs) ? prevProofRefs : [prevProofRefs];
+			const matchingProofs = proofList.filter((p) => p.id && prevIds.includes(p.id));
+			if (matchingProofs.length !== prevIds.length) throw new Error("Referenced previous proof not found");
+			clone.proof = matchingProofs;
+		} else delete clone.proof;
+		const signedContent = stringify(clone);
+		if (await fromPublicKey(proofPk, toTypeInfo(proofSigner)).verify(signedContent, fromBase64(proof.jws)) !== true) throw Error("Verifiable credential signature not valid");
+	}
+	return true;
+}
+/**
+* Counter-sign an existing verifiable credential
+* Adds a new proof from a different signer to the VC
+*
+* @param params
+* @param params.vc - The already-signed verifiable credential
+* @param params.wallet - The counter-signer's wallet
+* @param params.mode - 'set' (independent proof) or 'chain' (references previous proofs)
+* @returns Promise<VerifiableCredential>
+*/
+async function counterSign({ vc, wallet, mode = "set" }) {
+	if (!vc) throw new Error("Cannot counter-sign empty verifiable credential");
+	const existingProofs = Array.isArray(vc.proof) ? vc.proof : vc.proof ? [vc.proof] : [];
+	if (existingProofs.length === 0) throw new Error("Cannot counter-sign verifiable credential without existing proof");
+	const signerDid = wallet.address;
+	const pkType = toTypeInfo(signerDid).pk;
+	if (!proofTypes[pkType]) throw new Error("Unsupported signer type when counter-signing verifiable credential");
+	const signerPk = toBase58(wallet.publicKey);
+	const proofsWithIds = existingProofs.map((p) => p.id ? p : {
+		...p,
+		id: crypto.randomUUID()
+	});
 	const clone = cloneDeep(vc);
-	delete clone.proof;
 	delete clone.signature;
+	const newProof = {
+		type: proofTypes[pkType],
+		created: (/* @__PURE__ */ new Date()).toISOString(),
+		proofPurpose: "assertionMethod",
+		id: crypto.randomUUID(),
+		signer: signerDid,
+		pk: signerPk,
+		jws: ""
+	};
+	if (mode === "chain") {
+		clone.proof = proofsWithIds;
+		const prevIds = proofsWithIds.map((p) => p.id);
+		newProof.previousProof = prevIds.length === 1 ? prevIds[0] : prevIds;
+	} else delete clone.proof;
 	const signedContent = stringify(clone);
-	for (const proof of proofList) if (await fromPublicKey(resolvePublicKey(proof, vc.verificationMethod, vc.issuer.pk), toTypeInfo(issuerDid)).verify(signedContent, fromBase64(proof.jws)) !== true) throw Error("Verifiable credential signature not valid");
-	return true;
+	newProof.jws = toBase64(await wallet.sign(signedContent));
+	return {
+		...vc,
+		proof: [...proofsWithIds, newProof]
+	};
 }
 /**
 * Verify that the Presentation is valid
@@ -194,7 +233,6 @@ async function createCredentialList({ claims, issuer, issuanceDate }) {
 	const issued = issuanceDate || (/* @__PURE__ */ new Date()).toISOString();
 	const pkType = typeInfo.pk;
 	const issuerPk = toBase58(wallet.publicKey);
-	const keyId = `did:abt:${issuerDid}#key-1`;
 	return await Promise.all(claims.map(async (x) => {
 		const vc = { claim: x };
 		vc.id = fromPublicKeyHash(wallet.hash(stringify(vc.claim)), vcType);
@@ -204,18 +242,14 @@ async function createCredentialList({ claims, issuer, issuanceDate }) {
 			pk: issuerPk,
 			name: name$1 || issuerDid
 		};
-		vc.verificationMethod = [{
-			id: keyId,
-			type: verificationKeyTypes[pkType],
-			controller: `did:abt:${issuerDid}`,
-			publicKeyMultibase: issuerPk
-		}];
 		const signature = await wallet.sign(stringify(vc));
 		vc.proof = {
 			type: proofTypes[pkType],
 			created: issued,
 			proofPurpose: "assertionMethod",
-			verificationMethod: keyId,
+			id: crypto.randomUUID(),
+			signer: issuerDid,
+			pk: issuerPk,
 			jws: toBase64(signature)
 		};
 		return vc;
@@ -224,7 +258,8 @@ async function createCredentialList({ claims, issuer, issuanceDate }) {
 async function verifyCredentialList({ credentials, trustedIssuers }) {
 	if (!credentials || !Array.isArray(credentials)) throw new Error("Can not verify with empty credentials list");
 	return Promise.all(credentials.map(async (x) => {
-		const issuerDid = (Array.isArray(trustedIssuers) ? trustedIssuers : [trustedIssuers]).find((d) => d === x.issuer.id);
+		const issuers = Array.isArray(trustedIssuers) ? trustedIssuers : [trustedIssuers];
+		const issuerDid = issuers.find((d) => d === x.issuer.id);
 		if (!issuerDid) throw new Error("Credential not issued by trusted issuers");
 		if (!isFromPublicKey(issuerDid, x.issuer.pk)) throw new Error("Credential not issuer pk not match with issuer did");
 		const proofList = Array.isArray(x.proof) ? x.proof : x.proof ? [x.proof] : [];
@@ -232,11 +267,17 @@ async function verifyCredentialList({ credentials, trustedIssuers }) {
 		const clone = cloneDeep(x);
 		delete clone.proof;
 		const signedContent = stringify(clone);
-		for (const proof of proofList) if (await fromPublicKey(resolvePublicKey(proof, x.verificationMethod, x.issuer.pk), toTypeInfo(issuerDid)).verify(signedContent, fromBase64(proof.jws)) !== true) throw Error("Status credential signature not valid");
+		for (const proof of proofList) {
+			const proofPk = proof.pk || x.issuer.pk;
+			const proofSigner = proof.signer || x.issuer.id;
+			if (!issuers.includes(proofSigner)) throw new Error("Proof signer not in trusted issuers");
+			if (proof.signer && proof.pk && !isFromPublicKey(proof.signer, proof.pk)) throw new Error("Proof pk does not match signer");
+			if (await fromPublicKey(proofPk, toTypeInfo(proofSigner)).verify(signedContent, fromBase64(proof.jws)) !== true) throw Error("Status credential signature not valid");
+		}
 		return x.claim;
 	}));
 }
 const stableStringify = stringify;
 
 //#endregion
-export { create, createCredentialList, proofTypes, stableStringify, verificationKeyTypes, verify, verifyCredentialList, verifyPresentation };
+export { counterSign, create, createCredentialList, proofTypes, stableStringify, verify, verifyCredentialList, verifyPresentation };

package/lib/index.cjs

@@ -27,18 +27,6 @@ const proofTypes = {
 	[_ocap_mcrypto.types.KeyType.SECP256K1]: "Secp256k1Signature",
 	[_ocap_mcrypto.types.KeyType.ETHEREUM]: "EthereumSignature"
 };
-const verificationKeyTypes = {
-	[_ocap_mcrypto.types.KeyType.ED25519]: "Ed25519VerificationKey2020",
-	[_ocap_mcrypto.types.KeyType.SECP256K1]: "EcdsaSecp256k1VerificationKey2019",
-	[_ocap_mcrypto.types.KeyType.ETHEREUM]: "EcdsaSecp256k1VerificationKey2019"
-};
-function resolvePublicKey(proof, verificationMethods, fallbackPk) {
-	if (proof.verificationMethod && verificationMethods?.length) {
-		const keyEntry = verificationMethods.find((k) => k.id === proof.verificationMethod);
-		if (keyEntry?.publicKeyMultibase) return keyEntry.publicKeyMultibase;
-	}
-	return fallbackPk;
-}
 /**
 * Create a valid verifiable credential
 *
@@ -73,7 +61,6 @@ async function create({ type, subject, issuer, issuanceDate, expirationDate, tag
 	if (!proofTypes[pkType]) throw new Error("Unsupported signer type when create verifiable credential");
 	const issuanceDateValue = issuanceDate || (/* @__PURE__ */ new Date()).toISOString();
 	const issuerPk = (0, _ocap_util.toBase58)(wallet.publicKey);
-	const keyId = `did:abt:${issuerDid}#key-1`;
 	const vcObj = {
 		"@context": ["https://www.w3.org/2018/credentials/v1", "https://schema.arcblock.io/v0.1/context.jsonld"],
 		id: vcDid,
@@ -85,13 +72,7 @@ async function create({ type, subject, issuer, issuanceDate, expirationDate, tag
 		},
 		issuanceDate: issuanceDateValue,
 		expirationDate,
-		credentialSubject: subject,
-		verificationMethod: [{
-			id: keyId,
-			type: verificationKeyTypes[pkType],
-			controller: `did:abt:${issuerDid}`,
-			publicKeyMultibase: issuerPk
-		}]
+		credentialSubject: subject
 	};
 	if (tag) vcObj.tag = tag;
 	if (endpoint) vcObj.credentialStatus = {
@@ -105,7 +86,9 @@ async function create({ type, subject, issuer, issuanceDate, expirationDate, tag
 			type: proofTypes[pkType],
 			created: issuanceDateValue,
 			proofPurpose: "assertionMethod",
-			verificationMethod: keyId,
+			id: crypto.randomUUID(),
+			signer: issuerDid,
+			pk: issuerPk,
 			jws: (0, _ocap_util.toBase64)(signature)
 		},
 		...vcObj
@@ -140,16 +123,72 @@ async function verify({ vc, ownerDid, trustedIssuers, ignoreExpired = false }) {
 	if (vc.issuanceDate === void 0) throw Error("Invalid verifiable credential issue date");
 	if (new Date(vc.issuanceDate).getTime() > Date.now()) throw Error("Verifiable credential has not take effect");
 	if (!ignoreExpired && vc.expirationDate !== void 0 && new Date(vc.expirationDate).getTime() < Date.now()) throw Error("Verifiable credential has expired");
-	const issuerDid = (Array.isArray(trustedIssuers) ? trustedIssuers : [trustedIssuers]).find((x) => x === vc.issuer.id);
-	if (!issuerDid) throw new Error("Verifiable credential not issued by trusted issuers");
-	if (!(0, _arcblock_did.isFromPublicKey)(issuerDid, vc.issuer.pk)) throw new Error("Verifiable credential not issuer pk not match with issuer did");
+	const issuers = Array.isArray(trustedIssuers) ? trustedIssuers : [trustedIssuers];
+	if (!(0, _arcblock_did.isFromPublicKey)(vc.issuer.id, vc.issuer.pk)) throw new Error("Verifiable credential not issuer pk not match with issuer did");
 	if (ownerDid !== vc.credentialSubject.id) throw new Error("Verifiable credential not owned by specified owner did");
+	for (const proof of proofList) {
+		const proofPk = proof.pk || vc.issuer.pk;
+		const proofSigner = proof.signer || vc.issuer.id;
+		if (!issuers.includes(proofSigner)) throw new Error("Proof signer not in trusted issuers");
+		if (proof.signer && proof.pk && !(0, _arcblock_did.isFromPublicKey)(proof.signer, proof.pk)) throw new Error("Proof pk does not match signer");
+		const clone = (0, lodash_cloneDeep.default)(vc);
+		delete clone.signature;
+		const prevProofRefs = proof.previousProof;
+		if (prevProofRefs && (typeof prevProofRefs === "string" || Array.isArray(prevProofRefs) && prevProofRefs.length > 0)) {
+			const prevIds = Array.isArray(prevProofRefs) ? prevProofRefs : [prevProofRefs];
+			const matchingProofs = proofList.filter((p) => p.id && prevIds.includes(p.id));
+			if (matchingProofs.length !== prevIds.length) throw new Error("Referenced previous proof not found");
+			clone.proof = matchingProofs;
+		} else delete clone.proof;
+		const signedContent = (0, json_stable_stringify.default)(clone);
+		if (await (0, _ocap_wallet.fromPublicKey)(proofPk, (0, _arcblock_did.toTypeInfo)(proofSigner)).verify(signedContent, (0, _ocap_util.fromBase64)(proof.jws)) !== true) throw Error("Verifiable credential signature not valid");
+	}
+	return true;
+}
+/**
+* Counter-sign an existing verifiable credential
+* Adds a new proof from a different signer to the VC
+*
+* @param params
+* @param params.vc - The already-signed verifiable credential
+* @param params.wallet - The counter-signer's wallet
+* @param params.mode - 'set' (independent proof) or 'chain' (references previous proofs)
+* @returns Promise<VerifiableCredential>
+*/
+async function counterSign({ vc, wallet, mode = "set" }) {
+	if (!vc) throw new Error("Cannot counter-sign empty verifiable credential");
+	const existingProofs = Array.isArray(vc.proof) ? vc.proof : vc.proof ? [vc.proof] : [];
+	if (existingProofs.length === 0) throw new Error("Cannot counter-sign verifiable credential without existing proof");
+	const signerDid = wallet.address;
+	const pkType = (0, _arcblock_did.toTypeInfo)(signerDid).pk;
+	if (!proofTypes[pkType]) throw new Error("Unsupported signer type when counter-signing verifiable credential");
+	const signerPk = (0, _ocap_util.toBase58)(wallet.publicKey);
+	const proofsWithIds = existingProofs.map((p) => p.id ? p : {
+		...p,
+		id: crypto.randomUUID()
+	});
 	const clone = (0, lodash_cloneDeep.default)(vc);
-	delete clone.proof;
 	delete clone.signature;
+	const newProof = {
+		type: proofTypes[pkType],
+		created: (/* @__PURE__ */ new Date()).toISOString(),
+		proofPurpose: "assertionMethod",
+		id: crypto.randomUUID(),
+		signer: signerDid,
+		pk: signerPk,
+		jws: ""
+	};
+	if (mode === "chain") {
+		clone.proof = proofsWithIds;
+		const prevIds = proofsWithIds.map((p) => p.id);
+		newProof.previousProof = prevIds.length === 1 ? prevIds[0] : prevIds;
+	} else delete clone.proof;
 	const signedContent = (0, json_stable_stringify.default)(clone);
-	for (const proof of proofList) if (await (0, _ocap_wallet.fromPublicKey)(resolvePublicKey(proof, vc.verificationMethod, vc.issuer.pk), (0, _arcblock_did.toTypeInfo)(issuerDid)).verify(signedContent, (0, _ocap_util.fromBase64)(proof.jws)) !== true) throw Error("Verifiable credential signature not valid");
-	return true;
+	newProof.jws = (0, _ocap_util.toBase64)(await wallet.sign(signedContent));
+	return {
+		...vc,
+		proof: [...proofsWithIds, newProof]
+	};
 }
 /**
 * Verify that the Presentation is valid
@@ -199,7 +238,6 @@ async function createCredentialList({ claims, issuer, issuanceDate }) {
 	const issued = issuanceDate || (/* @__PURE__ */ new Date()).toISOString();
 	const pkType = typeInfo.pk;
 	const issuerPk = (0, _ocap_util.toBase58)(wallet.publicKey);
-	const keyId = `did:abt:${issuerDid}#key-1`;
 	return await Promise.all(claims.map(async (x) => {
 		const vc = { claim: x };
 		vc.id = (0, _arcblock_did.fromPublicKeyHash)(wallet.hash((0, json_stable_stringify.default)(vc.claim)), vcType);
@@ -209,18 +247,14 @@ async function createCredentialList({ claims, issuer, issuanceDate }) {
 			pk: issuerPk,
 			name: name$1 || issuerDid
 		};
-		vc.verificationMethod = [{
-			id: keyId,
-			type: verificationKeyTypes[pkType],
-			controller: `did:abt:${issuerDid}`,
-			publicKeyMultibase: issuerPk
-		}];
 		const signature = await wallet.sign((0, json_stable_stringify.default)(vc));
 		vc.proof = {
 			type: proofTypes[pkType],
 			created: issued,
 			proofPurpose: "assertionMethod",
-			verificationMethod: keyId,
+			id: crypto.randomUUID(),
+			signer: issuerDid,
+			pk: issuerPk,
 			jws: (0, _ocap_util.toBase64)(signature)
 		};
 		return vc;
@@ -229,7 +263,8 @@ async function createCredentialList({ claims, issuer, issuanceDate }) {
 async function verifyCredentialList({ credentials, trustedIssuers }) {
 	if (!credentials || !Array.isArray(credentials)) throw new Error("Can not verify with empty credentials list");
 	return Promise.all(credentials.map(async (x) => {
-		const issuerDid = (Array.isArray(trustedIssuers) ? trustedIssuers : [trustedIssuers]).find((d) => d === x.issuer.id);
+		const issuers = Array.isArray(trustedIssuers) ? trustedIssuers : [trustedIssuers];
+		const issuerDid = issuers.find((d) => d === x.issuer.id);
 		if (!issuerDid) throw new Error("Credential not issued by trusted issuers");
 		if (!(0, _arcblock_did.isFromPublicKey)(issuerDid, x.issuer.pk)) throw new Error("Credential not issuer pk not match with issuer did");
 		const proofList = Array.isArray(x.proof) ? x.proof : x.proof ? [x.proof] : [];
@@ -237,18 +272,24 @@ async function verifyCredentialList({ credentials, trustedIssuers }) {
 		const clone = (0, lodash_cloneDeep.default)(x);
 		delete clone.proof;
 		const signedContent = (0, json_stable_stringify.default)(clone);
-		for (const proof of proofList) if (await (0, _ocap_wallet.fromPublicKey)(resolvePublicKey(proof, x.verificationMethod, x.issuer.pk), (0, _arcblock_did.toTypeInfo)(issuerDid)).verify(signedContent, (0, _ocap_util.fromBase64)(proof.jws)) !== true) throw Error("Status credential signature not valid");
+		for (const proof of proofList) {
+			const proofPk = proof.pk || x.issuer.pk;
+			const proofSigner = proof.signer || x.issuer.id;
+			if (!issuers.includes(proofSigner)) throw new Error("Proof signer not in trusted issuers");
+			if (proof.signer && proof.pk && !(0, _arcblock_did.isFromPublicKey)(proof.signer, proof.pk)) throw new Error("Proof pk does not match signer");
+			if (await (0, _ocap_wallet.fromPublicKey)(proofPk, (0, _arcblock_did.toTypeInfo)(proofSigner)).verify(signedContent, (0, _ocap_util.fromBase64)(proof.jws)) !== true) throw Error("Status credential signature not valid");
+		}
 		return x.claim;
 	}));
 }
 const stableStringify = json_stable_stringify.default;
 
 //#endregion
+exports.counterSign = counterSign;
 exports.create = create;
 exports.createCredentialList = createCredentialList;
 exports.proofTypes = proofTypes;
 exports.stableStringify = stableStringify;
-exports.verificationKeyTypes = verificationKeyTypes;
 exports.verify = verify;
 exports.verifyCredentialList = verifyCredentialList;
 exports.verifyPresentation = verifyPresentation;

package/lib/index.d.cts

@@ -2,18 +2,15 @@ import { WalletObject } from "@ocap/wallet";
 import stringify from "json-stable-stringify";
 
 //#region src/index.d.ts
-interface VerificationMethod {
-  id: string;
-  type: string;
-  controller: string;
-  publicKeyMultibase: string;
-}
 interface Proof {
   type: string;
   created: string;
   proofPurpose: string;
   jws: string;
+  id?: string;
+  signer?: string;
   pk?: string;
+  previousProof?: string | string[];
   verificationMethod?: string;
 }
 interface Issuer {
@@ -38,7 +35,6 @@ interface VerifiableCredential {
   issuanceDate: string;
   expirationDate?: string;
   credentialSubject: CredentialSubject;
-  verificationMethod?: VerificationMethod[];
   proof: Proof | Proof[];
   tag?: string;
   credentialStatus?: CredentialStatus;
@@ -58,12 +54,10 @@ interface Credential {
   id: string;
   issued: string;
   issuer: Issuer;
-  verificationMethod?: VerificationMethod[];
   proof: Proof | Proof[];
   claim: unknown;
 }
 declare const proofTypes: Record<number, string>;
-declare const verificationKeyTypes: Record<number, string>;
 /**
  * Create a valid verifiable credential
  *
@@ -120,6 +114,25 @@ declare function verify({
   trustedIssuers: string | string[];
   ignoreExpired?: boolean;
 }): Promise<boolean>;
+/**
+ * Counter-sign an existing verifiable credential
+ * Adds a new proof from a different signer to the VC
+ *
+ * @param params
+ * @param params.vc - The already-signed verifiable credential
+ * @param params.wallet - The counter-signer's wallet
+ * @param params.mode - 'set' (independent proof) or 'chain' (references previous proofs)
+ * @returns Promise<VerifiableCredential>
+ */
+declare function counterSign({
+  vc,
+  wallet,
+  mode
+}: {
+  vc: VerifiableCredential;
+  wallet: WalletObject;
+  mode?: 'set' | 'chain';
+}): Promise<VerifiableCredential>;
 /**
  * Verify that the Presentation is valid
  *  - It is signed by VC's owner
@@ -162,4 +175,4 @@ declare function verifyCredentialList({
 }): Promise<unknown[]>;
 declare const stableStringify: typeof stringify;
 //#endregion
-export { create, createCredentialList, proofTypes, stableStringify, verificationKeyTypes, verify, verifyCredentialList, verifyPresentation };
+export { counterSign, create, createCredentialList, proofTypes, stableStringify, verify, verifyCredentialList, verifyPresentation };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@arcblock/vc",
-  "version": "1.29.19",
+  "version": "1.29.21",
   "description": "TypeScript lib to work with ArcBlock Verifiable Credentials",
   "keywords": [
     "arcblock",
@@ -72,10 +72,10 @@
     "url": "https://github.com/ArcBlock/blockchain/issues"
   },
   "dependencies": {
-    "@arcblock/did": "1.29.19",
-    "@ocap/mcrypto": "1.29.19",
-    "@ocap/util": "1.29.19",
-    "@ocap/wallet": "1.29.19",
+    "@arcblock/did": "1.29.21",
+    "@ocap/mcrypto": "1.29.21",
+    "@ocap/util": "1.29.21",
+    "@ocap/wallet": "1.29.21",
     "debug": "^4.4.3",
     "is-absolute-url": "^3.0.3",
     "json-stable-stringify": "^1.0.1",