@bedrock/vc-delivery 4.8.0 → 5.0.1

package/lib/helpers.js

@@ -2,6 +2,7 @@
  * Copyright (c) 2022-2024 Digital Bazaar, Inc. All rights reserved.
  */
 import * as bedrock from '@bedrock/core';
+import * as vcjwt from './vcjwt.js';
 import {decodeId, generateId} from 'bnid';
 import {Ed25519Signature2020} from '@digitalbazaar/ed25519-signature-2020';
 import {httpsAgent} from '@bedrock/https-agent';
@@ -9,7 +10,7 @@ import jsonata from 'jsonata';
 import {serviceAgents} from '@bedrock/service-agent';
 import {ZcapClient} from '@digitalbazaar/ezcap';
 
-const {config} = bedrock;
+const {config, util: {BedrockError}} = bedrock;
 
 export async function evaluateTemplate({
   workflow, exchange, typedTemplate
@@ -102,3 +103,67 @@ export function decodeLocalId({localId} = {}) {
     expectedSize: 16
   }));
 }
+
+export async function unenvelopeCredential({
+  envelopedCredential, format
+} = {}) {
+  const result = _getEnvelope({envelope: envelopedCredential, format});
+
+  // only supported format is VC-JWT at this time
+  const credential = vcjwt.decodeVCJWTCredential({jwt: result.envelope});
+  return {credential, ...result};
+}
+
+export async function unenvelopePresentation({
+  envelopedPresentation, format
+} = {}) {
+  const result = _getEnvelope({envelope: envelopedPresentation, format});
+
+  // only supported format is VC-JWT at this time
+  const presentation = vcjwt.decodeVCJWTPresentation({jwt: result.envelope});
+
+  // unenvelope any VCs in the presentation
+  let {verifiableCredential = []} = presentation;
+  if(!Array.isArray(verifiableCredential)) {
+    verifiableCredential = [verifiableCredential];
+  }
+  if(verifiableCredential.length > 0) {
+    presentation.verifiableCredential = await Promise.all(
+      verifiableCredential.map(async vc => {
+        if(vc?.type !== 'EnvelopedVerifiableCredential') {
+          return vc;
+        }
+        const {credential} = await unenvelopeCredential({
+          envelopedCredential: vc
+        });
+        return credential;
+      }));
+  }
+  return {presentation, ...result};
+}
+
+function _getEnvelope({envelope, format}) {
+  const isString = typeof envelope === 'string';
+  if(isString) {
+    // supported formats
+    if(format === 'application/jwt' || format === 'jwt_vc_json-ld') {
+      format = 'application/jwt';
+    }
+  } else {
+    const {id} = envelope;
+    if(id?.startsWith('data:application/jwt,')) {
+      format = 'application/jwt';
+      envelope = id.slice('data:application/jwt,'.length);
+    }
+  }
+
+  if(format === 'application/jwt' && envelope !== undefined) {
+    return {envelope, format};
+  }
+
+  throw new BedrockError(
+    `Unsupported credential or presentation envelope format "${format}".`, {
+      name: 'NotSupportedError',
+      details: {httpStatusCode: 400, public: true}
+    });
+}

package/lib/openId.js

@@ -4,16 +4,19 @@
 import * as bedrock from '@bedrock/core';
 import * as exchanges from './exchanges.js';
 import {
-  compile, schemas, createValidateMiddleware as validate
+  compile, createValidateMiddleware as validate
 } from '@bedrock/validation';
-import {evaluateTemplate, getWorkflowIssuerInstances} from './helpers.js';
+import {
+  evaluateTemplate, getWorkflowIssuerInstances, unenvelopePresentation
+} from './helpers.js';
 import {importJWK, SignJWT} from 'jose';
 import {
   openIdAuthorizationResponseBody,
   openIdBatchCredentialBody,
   openIdCredentialBody,
   openIdTokenBody,
-  presentationSubmission as presentationSubmissionSchema
+  presentationSubmission as presentationSubmissionSchema,
+  verifiablePresentation as verifiablePresentationSchema
 } from '../schemas/bedrock-vc-workflow.js';
 import {verify, verifyDidProofJwt} from './verify.js';
 import {asyncHandler} from '@bedrock/express';
@@ -56,6 +59,8 @@ instantiating a new authorization server instance per VC exchange. */
 const PRE_AUTH_GRANT_TYPE =
   'urn:ietf:params:oauth:grant-type:pre-authorized_code';
 
+const VC_CONTEXT_2 = 'https://www.w3.org/ns/credentials/v2';
+
 // creates OID4VCI Authorization Server + Credential Delivery Server
 // endpoints for each individual exchange
 export async function createRoutes({
@@ -84,7 +89,7 @@ export async function createRoutes({
 
   // create validators for x-www-form-urlencoded parsed data
   const validatePresentation = compile(
-    {schema: schemas.verifiablePresentation()});
+    {schema: verifiablePresentationSchema()});
   const validatePresentationSubmission = compile(
     {schema: presentationSubmissionSchema});
 
@@ -378,14 +383,33 @@ export async function createRoutes({
       const {vp_token, presentation_submission} = req.body;
 
       // JSON parse and validate `vp_token` and `presentation_submission`
-      const presentation = _jsonParse(vp_token, 'vp_token');
+      let presentation = _jsonParse(vp_token, 'vp_token');
       const presentationSubmission = _jsonParse(
         presentation_submission, 'presentation_submission');
       _validate(validatePresentationSubmission, presentationSubmission);
-      _validate(validatePresentation, presentation);
-
-      const result = await _processAuthorizationResponse(
-        {req, presentation, presentationSubmission});
+      let envelope;
+      if(typeof presentation === 'string') {
+        // handle enveloped presentation
+        const {
+          envelope: raw, presentation: contents, format
+        } = await unenvelopePresentation({
+          envelopedPresentation: presentation,
+          // FIXME: check presentationSubmission for VP format
+          format: 'jwt_vc_json-ld'
+        });
+        _validate(validatePresentation, contents);
+        presentation = {
+          '@context': VC_CONTEXT_2,
+          id: `data:${format},${raw}`,
+          type: 'EnvelopedVerifiablePresentation'
+        };
+        envelope = {raw, contents, format};
+      } else {
+        _validate(validatePresentation, presentation);
+      }
+      const result = await _processAuthorizationResponse({
+        req, presentation, envelope, presentationSubmission
+      });
       res.json(result);
     }));
 
@@ -905,7 +929,7 @@ function _matchCredentialRequest(expected, cr) {
 }
 
 async function _processAuthorizationResponse({
-  req, presentation, presentationSubmission
+  req, presentation, envelope, presentationSubmission
 }) {
   const {config: workflow} = req.serviceObject;
   const exchangeRecord = await req.getExchange();
@@ -916,18 +940,17 @@ async function _processAuthorizationResponse({
   const {authorizationRequest, step} = arRequest;
   ({exchange} = arRequest);
 
-  // FIXME: if the VP is enveloped, remove the envelope to validate or
-  // run validation code after verification if necessary
-
   // FIXME: check the VP against the presentation submission if requested
   // FIXME: check the VP against "trustedIssuer" in VPR, if provided
   const {presentationSchema} = step;
   if(presentationSchema) {
-    // validate the received VP
-    console.log('run presentation schema');
+    // if the VP is enveloped, validate the contents of the envelope
+    const toValidate = envelope ? envelope.contents : presentation;
+
+    // validate the received VP / envelope contents
     const {jsonSchema: schema} = presentationSchema;
     const validate = compile({schema});
-    const {valid, error} = validate(presentation);
+    const {valid, error} = validate(toValidate);
     if(!valid) {
       throw error;
     }
@@ -937,20 +960,21 @@ async function _processAuthorizationResponse({
   const {verifiablePresentationRequest} = await oid4vp.toVpr(
     {authorizationRequest});
   const {allowUnprotectedPresentation = false} = step;
-  const {verificationMethod} = await verify({
+  const verifyResult = await verify({
     workflow,
     verifiablePresentationRequest,
     presentation,
     allowUnprotectedPresentation,
     expectedChallenge: authorizationRequest.nonce
   });
+  const {verificationMethod} = verifyResult;
 
   // store VP results in variables associated with current step
   const currentStep = exchange.step;
   if(!exchange.variables.results) {
     exchange.variables.results = {};
   }
-  exchange.variables.results[currentStep] = {
+  const results = {
     // common use case of DID Authentication; provide `did` for ease
     // of use in template
     did: verificationMethod?.controller || null,
@@ -961,6 +985,13 @@ async function _processAuthorizationResponse({
       presentationSubmission
     }
   };
+  if(envelope) {
+    // normalize VP from inside envelope to `verifiablePresentation`
+    results.envelopedPresentation = presentation;
+    results.verifiablePresentation = verifyResult
+      .presentationResult.presentation;
+  }
+  exchange.variables.results[currentStep] = results;
   exchange.sequence++;
 
   // if there is something to issue, update exchange, do not complete it

package/lib/vcapi.js

@@ -4,8 +4,8 @@
 import * as bedrock from '@bedrock/core';
 import * as exchanges from './exchanges.js';
 import {createChallenge as _createChallenge, verify} from './verify.js';
+import {evaluateTemplate, unenvelopePresentation} from './helpers.js';
 import {compile} from '@bedrock/validation';
-import {evaluateTemplate} from './helpers.js';
 import {issue} from './issue.js';
 import {klona} from 'klona';
 import {logger} from './logger.js';
@@ -96,15 +96,22 @@ export async function processExchange({req, res, workflow, exchange}) {
         return;
       }
 
-      // FIXME: if the VP is enveloped, remove the envelope to validate or
-      // run validation code after verification if necessary
-
       const {presentationSchema} = step;
       if(presentationSchema) {
+        // if the VP is enveloped, get the presentation from the envelope
+        let presentation;
+        if(receivedPresentation?.type === 'EnvelopedVerifiablePresentation') {
+          ({presentation} = await unenvelopePresentation({
+            envelopedPresentation: receivedPresentation
+          }));
+        } else {
+          presentation = receivedPresentation;
+        }
+
         // validate the received VP
         const {jsonSchema: schema} = presentationSchema;
         const validate = compile({schema});
-        const {valid, error} = validate(receivedPresentation);
+        const {valid, error} = validate(presentation);
         if(!valid) {
           throw error;
         }

package/lib/vcjwt.js

@@ -0,0 +1,375 @@
+/*!
+ * Copyright (c) 2022-2024 Digital Bazaar, Inc. All rights reserved.
+ */
+import * as bedrock from '@bedrock/core';
+import {decodeJwt} from 'jose';
+
+const {util: {BedrockError}} = bedrock;
+
+const VC_CONTEXT_1 = 'https://www.w3.org/2018/credentials/v1';
+const VC_CONTEXT_2 = 'https://www.w3.org/ns/credentials/v2';
+
+export function decodeVCJWTCredential({jwt} = {}) {
+  const payload = decodeJwt(jwt);
+
+  /* Example:
+  {
+    "alg": <signer.algorithm>,
+    "kid": <signer.id>
+  }.
+  {
+    "iss": <verifiableCredential.issuer>,
+    "jti": <verifiableCredential.id>
+    "sub": <verifiableCredential.credentialSubject>
+    "nbf": <verifiableCredential.[issuanceDate | validFrom]>
+    "exp": <verifiableCredential.[expirationDate | validUntil]>
+    "vc": <verifiableCredential>
+  }
+  */
+  const {vc} = payload;
+  if(!(vc && typeof vc === 'object')) {
+    throw new BedrockError('JWT validation failed.', {
+      name: 'DataError',
+      details: {
+        httpStatusCode: 400,
+        public: true,
+        code: 'ERR_JWT_CLAIM_VALIDATION_FAILED',
+        reason: 'missing or unexpected "vc" claim value.',
+        claim: 'vc'
+      }
+    });
+  }
+
+  let {'@context': context = []} = vc;
+  if(!Array.isArray(context)) {
+    context = [context];
+  }
+  const isVersion1 = context.includes(VC_CONTEXT_1);
+  const isVersion2 = context.includes(VC_CONTEXT_2);
+  if(!(isVersion1 ^ isVersion2)) {
+    throw new BedrockError(
+      'Verifiable credential is neither version "1.x" nor "2.x".', {
+        name: 'DataError',
+        details: {
+          httpStatusCode: 400,
+          public: true
+        }
+      });
+  }
+
+  const credential = {...vc};
+  const {iss, jti, sub, nbf, exp} = payload;
+
+  // inject `issuer` value
+  if(vc.issuer === undefined) {
+    vc.issuer = iss;
+  } else if(vc.issuer && typeof vc.issuer === 'object' &&
+    vc.issuer.id === undefined) {
+    vc.issuer = {id: iss, ...vc.issuer};
+  } else if(iss !== vc.issuer && iss !== vc.issuer?.id) {
+    throw new BedrockError(
+      'VC-JWT "iss" claim does not equal nor does it exclusively ' +
+      'provide verifiable credential "issuer" / "issuer.id".', {
+        name: 'DataError',
+        details: {
+          httpStatusCode: 400,
+          public: true
+        }
+      });
+  }
+
+  if(jti !== undefined && jti !== vc.id) {
+    // inject `id` value
+    if(vc.id === undefined) {
+      vc.id = jti;
+    } else {
+      throw new BedrockError(
+        'VC-JWT "jti" claim does not equal nor does it exclusively ' +
+        'provide verifiable credential "id".', {
+          name: 'DataError',
+          details: {
+            httpStatusCode: 400,
+            public: true
+          }
+        });
+    }
+  }
+
+  if(sub !== undefined && sub !== vc.credentialSubject?.id) {
+    // inject `credentialSubject.id` value
+    if(!vc.credentialSubject) {
+      throw new BedrockError(
+        'Verifiable credential has no "credentialSubject".', {
+          name: 'DataError',
+          details: {
+            httpStatusCode: 400,
+            public: true
+          }
+        });
+    }
+    if(Array.isArray(vc.credentialSubject)) {
+      throw new BedrockError(
+        'Verifiable credential has multiple credential subjects, which is ' +
+        'not supported in VC-JWT.', {
+          name: 'DataError',
+          details: {
+            httpStatusCode: 400,
+            public: true
+          }
+        });
+    }
+    if(vc.credentialSubject?.id === undefined) {
+      vc.credentialSubject = {id: sub, ...vc.credentialSubject};
+    } else {
+      throw new BedrockError(
+        'VC-JWT "sub" claim does not equal nor does it exclusively ' +
+        'provide verifiable credential "credentialSubject.id".', {
+          name: 'DataError',
+          details: {
+            httpStatusCode: 400,
+            public: true
+          }
+        });
+    }
+  }
+
+  if(nbf === undefined && isVersion1) {
+    throw new BedrockError('JWT validation failed.', {
+      name: 'DataError',
+      details: {
+        httpStatusCode: 400,
+        public: true,
+        code: 'ERR_JWT_CLAIM_VALIDATION_FAILED',
+        reason: 'missing "nbf" claim value.',
+        claim: 'nbf'
+      }
+    });
+  }
+
+  if(nbf !== undefined) {
+    // fuzzy convert `nbf` into `issuanceDate` / `validFrom`, only require
+    // second-level precision
+    const dateString = new Date(nbf * 1000).toISOString().slice(0, -5);
+    const dateProperty = isVersion1 ? 'issuanceDate' : 'validFrom';
+    // inject dateProperty value
+    if(vc[dateProperty] === undefined) {
+      vc[dateProperty] = dateString + 'Z';
+    } else if(!(vc[dateProperty].startsWith(dateString) &&
+      vc[dateProperty].endsWith('Z'))) {
+      throw new BedrockError(
+        'VC-JWT "nbf" claim does not equal nor does it exclusively provide ' +
+        `verifiable credential "${dateProperty}".`, {
+          name: 'DataError',
+          details: {
+            httpStatusCode: 400,
+            public: true
+          }
+        });
+    }
+  }
+
+  if(exp !== undefined) {
+    // fuzzy convert `exp` into `expirationDate` / `validUntil`, only require
+    // second-level precision
+    const dateString = new Date(exp * 1000).toISOString().slice(0, -5);
+    const dateProperty = isVersion1 ? 'expirationDate' : 'validUntil';
+    // inject dateProperty value
+    if(vc[dateProperty] === undefined) {
+      vc[dateProperty] = dateString + 'Z';
+    } else if(!(vc[dateProperty].startsWith(dateString) &&
+      vc[dateProperty].endsWith('Z'))) {
+      throw new BedrockError(
+        'VC-JWT "exp" claim does not equal nor does it exclusively provide ' +
+        `verifiable credential "${dateProperty}".`, {
+          name: 'DataError',
+          details: {
+            httpStatusCode: 400,
+            public: true
+          }
+        });
+    }
+  }
+
+  return credential;
+}
+
+export function decodeVCJWTPresentation({jwt, challenge} = {}) {
+  /* Example:
+  {
+    "alg": <signer.algorithm>,
+    "kid": <signer.id>
+  }.
+  {
+    "iss": <verifiablePresentation.holder>,
+    "aud": <verifiablePresentation.domain>,
+    "nonce": <verifiablePresentation.nonce>,
+    "jti": <verifiablePresentation.id>
+    "nbf": <verifiablePresentation.[validFrom]>
+    "exp": <verifiablePresentation.[validUntil]>
+    "vp": <verifiablePresentation>
+  }
+  */
+  const payload = decodeJwt(jwt);
+
+  const {vp} = payload;
+  if(!(vp && typeof vp === 'object')) {
+    throw new BedrockError('JWT validation failed.', {
+      name: 'DataError',
+      details: {
+        httpStatusCode: 400,
+        public: true,
+        code: 'ERR_JWT_CLAIM_VALIDATION_FAILED',
+        reason: 'missing or unexpected "vp" claim value.',
+        claim: 'vp'
+      }
+    });
+  }
+
+  let {'@context': context = []} = vp;
+  if(!Array.isArray(context)) {
+    context = [context];
+  }
+  const isVersion1 = context.includes(VC_CONTEXT_1);
+  const isVersion2 = context.includes(VC_CONTEXT_2);
+  if(!(isVersion1 ^ isVersion2)) {
+    throw new BedrockError(
+      'Verifiable presentation is not either version "1.x" or "2.x".', {
+        name: 'DataError',
+        details: {
+          httpStatusCode: 400,
+          public: true
+        }
+      });
+  }
+
+  const presentation = {...vp};
+  const {iss, nonce, jti, nbf, exp} = payload;
+
+  // inject `holder` value
+  if(vp.holder === undefined) {
+    vp.holder = iss;
+  } else if(vp.holder && typeof vp.holder === 'object' &&
+    vp.holder.id === undefined) {
+    vp.holder = {id: iss, ...vp.holder};
+  } else if(iss !== vp.holder && iss !== vp.holder?.id) {
+    throw new BedrockError(
+      'VC-JWT "iss" claim does not equal nor does it exclusively ' +
+      'provide verifiable presentation "holder" / "holder.id".', {
+        name: 'DataError',
+        details: {
+          httpStatusCode: 400,
+          public: true
+        }
+      });
+  }
+
+  if(jti !== undefined && jti !== vp.id) {
+    // inject `id` value
+    if(vp.id === undefined) {
+      vp.id = jti;
+    } else {
+      throw new BedrockError(
+        'VC-JWT "jti" claim does not equal nor does it exclusively ' +
+        'provide verifiable presentation "id".', {
+          name: 'DataError',
+          details: {
+            httpStatusCode: 400,
+            public: true
+          }
+        });
+    }
+  }
+
+  // version 1.x VPs do not support `validFrom`/`validUntil`
+  if(nbf !== undefined && isVersion2) {
+    // fuzzy convert `nbf` into `validFrom`, only require
+    // second-level precision
+    const dateString = new Date(nbf * 1000).toISOString().slice(0, -5);
+
+    // inject `validFrom` value
+    if(vp.validFrom === undefined) {
+      vp.validFrom = dateString + 'Z';
+    } else if(!(vp.validFrom?.startsWith(dateString) &&
+      vp.validFrom.endsWith('Z'))) {
+      throw new BedrockError(
+        'VC-JWT "nbf" claim does not equal nor does it exclusively provide ' +
+        'verifiable presentation "validFrom".', {
+          name: 'DataError',
+          details: {
+            httpStatusCode: 400,
+            public: true
+          }
+        });
+    }
+  }
+  if(exp !== undefined && isVersion2) {
+    // fuzzy convert `exp` into `validUntil`, only require
+    // second-level precision
+    const dateString = new Date(exp * 1000).toISOString().slice(0, -5);
+
+    // inject `validUntil` value
+    if(vp.validUntil === undefined) {
+      vp.validUntil = dateString + 'Z';
+    } else if(!(vp.validUntil?.startsWith(dateString) &&
+      vp.validUntil?.endsWith('Z'))) {
+      throw new BedrockError(
+        'VC-JWT "exp" claim does not equal nor does it exclusively provide ' +
+        'verifiable presentation "validUntil".', {
+          name: 'DataError',
+          details: {
+            httpStatusCode: 400,
+            public: true
+          }
+        });
+    }
+  }
+
+  if(challenge !== undefined && nonce !== challenge) {
+    throw new BedrockError('JWT validation failed.', {
+      name: 'DataError',
+      details: {
+        httpStatusCode: 400,
+        public: true,
+        code: 'ERR_JWT_CLAIM_VALIDATION_FAILED',
+        reason: 'missing or unexpected "nonce" claim value.',
+        claim: 'nonce'
+      }
+    });
+  }
+
+  // do some validation on `verifiableCredential`
+  let {verifiableCredential = []} = presentation;
+  if(!Array.isArray(verifiableCredential)) {
+    verifiableCredential = [verifiableCredential];
+  }
+
+  // ensure version 2 VPs only have objects in `verifiableCredential`
+  const hasVCJWTs = verifiableCredential.some(vc => typeof vc !== 'object');
+  if(isVersion2 && hasVCJWTs) {
+    throw new BedrockError(
+      'Version 2.x verifiable presentations must only use objects in the ' +
+      '"verifiableCredential" field.', {
+        name: 'DataError',
+        details: {
+          httpStatusCode: 400,
+          public: true
+        }
+      });
+  }
+
+  // transform any VC-JWT VCs to enveloped VCs
+  if(presentation.verifiableCredential && hasVCJWTs) {
+    presentation.verifiableCredential = verifiableCredential.map(vc => {
+      if(typeof vc !== 'string') {
+        return vc;
+      }
+      return {
+        '@context': VC_CONTEXT_2,
+        id: `data:application/jwt,${vc}`,
+        type: 'EnvelopedVerifiableCredential',
+      };
+    });
+  }
+
+  return presentation;
+}

package/lib/verify.js

@@ -2,6 +2,7 @@
  * Copyright (c) 2022-2024 Digital Bazaar, Inc. All rights reserved.
  */
 import * as bedrock from '@bedrock/core';
+import * as EcdsaMultikey from '@digitalbazaar/ecdsa-multikey';
 import * as Ed25519Multikey from '@digitalbazaar/ed25519-multikey';
 import {importJWK, jwtVerify} from 'jose';
 import {didIo} from '@bedrock/did-io';
@@ -9,6 +10,10 @@ import {getZcapClient} from './helpers.js';
 
 const {util: {BedrockError}} = bedrock;
 
+// supported JWT algs
+const ECDSA_ALGS = ['ES256', 'ES384'];
+const EDDSA_ALGS = ['Ed25519', 'EdDSA'];
+
 export async function createChallenge({workflow} = {}) {
   // create zcap client for creating challenges
   const {zcapClient, zcaps} = await getZcapClient({workflow});
@@ -82,9 +87,13 @@ export async function verify({
 
     // generate useful error to return to client
     const {name, errors, message} = cause.data.error;
+    const causeError = _stripStacktrace({...cause.data.error});
+    delete causeError.errors;
     const error = new BedrockError(message ?? 'Verification error.', {
-      name: name === 'VerificationError' ? 'DataError' : 'OperationError',
+      name: (name === 'VerificationError' || name === 'DataError') ?
+        'DataError' : 'OperationError',
       details: {
+        error: causeError,
         verified,
         credentialResults,
         presentationResult,
@@ -134,23 +143,50 @@ export async function verifyDidProofJwt({workflow, exchange, jwt} = {}) {
   const audience = exchangeId;
 
   let issuer;
-  const resolveKey = async protectedHeader => {
-    const vm = await didIo.get({url: protectedHeader.kid});
+  // `resolveKey` is passed `protectedHeader`
+  const resolveKey = async ({alg, kid}) => {
+    const isEcdsa = ECDSA_ALGS.includes(alg);
+    const isEddsa = !isEcdsa && EDDSA_ALGS.includes(alg);
+    if(!(isEcdsa || isEddsa)) {
+      throw new BedrockError(
+        `Unsupported JWT "alg": "${alg}".`, {
+          name: 'DataError',
+          details: {
+            httpStatusCode: 400,
+            public: true
+          }
+        });
+    }
+
+    const vm = await didIo.get({url: kid});
     // `vm.controller` must be the issuer of the DID JWT; also ensure that
     // the specified controller authorized `vm` for the purpose of
     // authentication
     issuer = vm.controller;
     const didDoc = await didIo.get({url: issuer});
-    if(!(didDoc?.authentication?.some(e => e === vm.id || e.id === vm.id))) {
+    let match = didDoc?.authentication?.find?.(
+      e => e === vm.id || e.id === vm.id);
+    if(typeof match === 'string') {
+      match = didDoc?.verificationMethod?.find?.(e => e.id === vm.id);
+    }
+    if(!(match && Array.isArray(match.controller) ?
+      match.controller.includes(vm.controller) :
+      match.controller === vm.controller)) {
       throw new BedrockError(
         `Verification method controller "${issuer}" did not authorize ` +
         `verification method "${vm.id}" for the purpose of "authentication".`,
         {name: 'NotAllowedError'});
     }
-    // FIXME: support other key types
-    const keyPair = await Ed25519Multikey.from(vm);
-    const jwk = await Ed25519Multikey.toJwk({keyPair});
-    jwk.alg = 'EdDSA';
+    let jwk;
+    if(isEcdsa) {
+      const keyPair = await EcdsaMultikey.from(vm);
+      jwk = await EcdsaMultikey.toJwk({keyPair});
+      jwk.alg = alg;
+    } else {
+      const keyPair = await Ed25519Multikey.from(vm);
+      jwk = await Ed25519Multikey.toJwk({keyPair});
+      jwk.alg = 'EdDSA';
+    }
     return importJWK(jwk);
   };
 
@@ -186,7 +222,7 @@ export async function verifyDidProofJwt({workflow, exchange, jwt} = {}) {
   }
 
   // check `iss` claim
-  if(!(verifyResult?.payload?.iss === issuer)) {
+  if(!(issuer && verifyResult?.payload?.iss === issuer)) {
     throw new BedrockError('DID proof JWT validation failed.', {
       name: 'NotAllowedError',
       details: {
@@ -200,7 +236,7 @@ export async function verifyDidProofJwt({workflow, exchange, jwt} = {}) {
   }
 
   // check `nonce` claim
-  if(!(verifyResult?.payload?.nonce === exchange.id)) {
+  if(verifyResult?.payload?.nonce !== exchange.id) {
     throw new BedrockError('DID proof JWT validation failed.', {
       name: 'NotAllowedError',
       details: {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bedrock/vc-delivery",
-  "version": "4.8.0",
+  "version": "5.0.1",
   "type": "module",
   "description": "Bedrock Verifiable Credential Delivery",
   "main": "./lib/index.js",
@@ -9,7 +9,7 @@
     "schemas/**/*.js"
   ],
   "scripts": {
-    "lint": "eslint ."
+    "lint": "eslint --ext .cjs,.js ."
   },
   "repository": {
     "type": "git",
@@ -35,41 +35,40 @@
   },
   "homepage": "https://github.com/digitalbazaar/bedrock-vc-delivery",
   "dependencies": {
+    "@digitalbazaar/ecdsa-multikey": "^1.7.0",
     "@digitalbazaar/ed25519-multikey": "^1.1.0",
-    "@digitalbazaar/ed25519-signature-2020": "^5.2.0",
-    "@digitalbazaar/ezcap": "^4.0.0",
-    "@digitalbazaar/oid4-client": "^3.1.0",
-    "@digitalbazaar/vc": "^6.0.1",
+    "@digitalbazaar/ed25519-signature-2020": "^5.4.0",
+    "@digitalbazaar/ezcap": "^4.1.0",
+    "@digitalbazaar/oid4-client": "^3.4.1",
+    "@digitalbazaar/vc": "^7.0.0",
     "assert-plus": "^1.0.0",
     "bnid": "^3.0.0",
-    "body-parser": "^1.20.1",
+    "body-parser": "^1.20.2",
     "cors": "^2.8.5",
-    "jose": "^4.10.4",
-    "jsonata": "^2.0.3",
-    "klona": "^2.0.5"
+    "jose": "^5.6.3",
+    "jsonata": "^2.0.5",
+    "klona": "^2.0.6"
   },
   "peerDependencies": {
     "@bedrock/app-identity": "4.0.0",
-    "@bedrock/core": "^6.0.1",
-    "@bedrock/did-io": "^10.0.0",
-    "@bedrock/express": "^8.0.0",
-    "@bedrock/https-agent": "^4.0.0",
-    "@bedrock/mongodb": "^10.0.0",
-    "@bedrock/oauth2-verifier": "^2.0.0",
-    "@bedrock/service-agent": "^8.0.0",
-    "@bedrock/service-core": "^9.0.0",
+    "@bedrock/core": "^6.1.3",
+    "@bedrock/did-io": "^10.3.1",
+    "@bedrock/express": "^8.3.1",
+    "@bedrock/https-agent": "^4.1.0",
+    "@bedrock/mongodb": "^10.2.0",
+    "@bedrock/oauth2-verifier": "^2.1.0",
+    "@bedrock/service-agent": "^9.0.2",
+    "@bedrock/service-core": "^10.0.0",
     "@bedrock/validation": "^7.1.0"
   },
   "directories": {
     "lib": "./lib"
   },
   "devDependencies": {
-    "eslint": "^8.41.0",
-    "eslint-config-digitalbazaar": "^5.0.1",
-    "eslint-plugin-jsdoc": "^46.3.0",
-    "eslint-plugin-unicorn": "^47.0.0",
-    "jsdoc": "^4.0.2",
-    "jsdoc-to-markdown": "^8.0.0"
+    "eslint": "^8.57.0",
+    "eslint-config-digitalbazaar": "^5.2.0",
+    "eslint-plugin-jsdoc": "^48.11.0",
+    "eslint-plugin-unicorn": "^55.0.0"
   },
   "engines": {
     "node": ">=18"

package/schemas/bedrock-vc-workflow.js

@@ -4,6 +4,144 @@
 import {MAX_ISSUER_INSTANCES} from '../lib/constants.js';
 import {schemas} from '@bedrock/validation';
 
+const VC_CONTEXT_1 = 'https://www.w3.org/2018/credentials/v1';
+const VC_CONTEXT_2 = 'https://www.w3.org/ns/credentials/v2';
+
+const vcContext = {
+  type: 'array',
+  minItems: 1,
+  // the first context must be the VC context
+  items: [{
+    oneOf: [{
+      const: VC_CONTEXT_1
+    }, {
+      const: VC_CONTEXT_2
+    }]
+  }],
+  // additional contexts maybe strings or objects
+  additionalItems: {
+    anyOf: [{type: 'string'}, {type: 'object'}]
+  }
+};
+
+function idOrObjectWithId() {
+  return {
+    title: 'identifier or an object with an id',
+    anyOf: [
+      schemas.identifier(),
+      {
+        type: 'object',
+        required: ['id'],
+        additionalProperties: true,
+        properties: {id: schemas.identifier()}
+      }
+    ]
+  };
+}
+
+function verifiableCredential() {
+  return {
+    title: 'Verifiable Credential',
+    type: 'object',
+    required: [
+      '@context',
+      'credentialSubject',
+      'issuer',
+      'type'
+    ],
+    additionalProperties: true,
+    properties: {
+      '@context': vcContext,
+      credentialSubject: {
+        anyOf: [
+          {type: 'object'},
+          {type: 'array', minItems: 1, items: {type: 'object'}}
+        ]
+      },
+      id: {
+        type: 'string'
+      },
+      issuer: idOrObjectWithId(),
+      type: {
+        type: 'array',
+        minItems: 1,
+        // this first type must be VerifiableCredential
+        items: [
+          {const: 'VerifiableCredential'},
+        ],
+        // additional types must be strings
+        additionalItems: {
+          type: 'string'
+        }
+      },
+      proof: schemas.proof()
+    }
+  };
+}
+
+const envelopedVerifiableCredential = {
+  title: 'Enveloped Verifiable Credential',
+  type: 'object',
+  additionalProperties: true,
+  properties: {
+    '@context': {
+      const: VC_CONTEXT_2
+    },
+    id: {
+      type: 'string'
+    },
+    type: {
+      const: 'EnvelopedVerifiableCredential'
+    }
+  },
+  required: [
+    '@context',
+    'id',
+    'type'
+  ]
+};
+
+export function verifiablePresentation() {
+  return {
+    title: 'Verifiable Presentation',
+    type: 'object',
+    required: ['@context', 'type'],
+    additionalProperties: true,
+    properties: {
+      '@context': vcContext,
+      id: {
+        type: 'string'
+      },
+      type: {
+        type: 'array',
+        minItems: 1,
+        // this first type must be VerifiablePresentation
+        items: [
+          {const: 'VerifiablePresentation'},
+        ],
+        // additional types must be strings
+        additionalItems: {
+          type: 'string'
+        }
+      },
+      verifiableCredential: {
+        anyOf: [
+          verifiableCredential(),
+          envelopedVerifiableCredential, {
+            type: 'array',
+            minItems: 1,
+            items: {
+              anyOf: [verifiableCredential(), envelopedVerifiableCredential]
+            }
+          }
+        ]
+      },
+      holder: idOrObjectWithId(),
+      proof: schemas.proof()
+    }
+  };
+}
+
 const credentialDefinition = {
   title: 'OID4VCI Verifiable Credential Definition',
   type: 'object',
@@ -19,7 +157,7 @@ const credentialDefinition = {
     },
     type: {
       type: 'array',
-      minItems: 2,
+      minItems: 1,
       item: {
         type: 'string'
       }
@@ -27,7 +165,7 @@ const credentialDefinition = {
     // allow `types` to be flexible for OID4VCI draft 20 implementers
     types: {
       type: 'array',
-      minItems: 2,
+      minItems: 1,
       item: {
         type: 'string'
       }
@@ -165,7 +303,7 @@ const vcFormats = {
 const issuerInstance = {
   title: 'Issuer Instance',
   type: 'object',
-  required: ['zcapReferenceIds'],
+  required: ['supportedFormats', 'zcapReferenceIds'],
   additionalProperties: false,
   properties: {
     id: {
@@ -327,7 +465,7 @@ export function useExchangeBody() {
     type: 'object',
     additionalProperties: false,
     properties: {
-      verifiablePresentation: schemas.verifiablePresentation()
+      verifiablePresentation: verifiablePresentation()
     }
   };
 }