npm - @bedrock/vc-delivery - Versions diffs - 7.14.1 → 7.15.0 - Mend

@bedrock/vc-delivery 7.14.1 → 7.15.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/lib/helpers.js +1 -1
package/lib/oid4/oid4vci.js +22 -13
package/lib/oid4/oid4vciDraft13.js +28 -19
package/lib/verify.js +47 -0
package/package.json +2 -2
package/schemas/bedrock-vc-workflow.js +52 -20

package/lib/helpers.js CHANGED Viewed

@@ -304,7 +304,7 @@ export function createVerifyOptions({
   // update `checks` with anything additional from `verifyPresentationOptions`
   const checkSet = new Set(checks);
-  if(verifyPresentationOptions.checks) {
+  if(verifyPresentationOptions?.checks) {
     Object.entries(verifyPresentationOptions.checks)
       .forEach(([check, enabled]) => enabled && checkSet.add(check));
   }

package/lib/oid4/oid4vci.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*!
- * Copyright (c) 2022-2026 Digital Bazaar, Inc. All rights reserved.
+ * Copyright (c) 2022-2026 Digital Bazaar, Inc.
  */
 import * as bedrock from '@bedrock/core';
 import * as draft13 from './oid4vciDraft13.js';
@@ -14,7 +14,7 @@ import {checkAccessToken} from '@bedrock/oauth2-verifier';
 import {compile} from '@bedrock/validation';
 import {ExchangeProcessor} from '../ExchangeProcessor.js';
 import {getStepAuthorizationRequest} from './oid4vp.js';
-import {verifyDidProofJwt} from '../verify.js';
+import {verifyCredentialRequestProof} from '../verify.js';
 const {util: {BedrockError}} = bedrock;
@@ -430,23 +430,32 @@ export async function processCredentialRequests({req, res, isBatchRequest}) {
       }
       // check to see if step requires a DID proof
-      if(step.jwtDidProofRequest) {
-        // handle OID4VCI specialized JWT DID Proof request...
+      if(step.divpDidProofRequest || step.jwtDidProofRequest) {
+        // handle OID4VCI specialized DI VP / JWT DID Proof request...
         // `proof` must be in every credential request; if any request is
         // missing `proof` then request a DID proof
-        if(credentialRequests.some(cr => !cr.proofs?.jwt)) {
+        const acceptableProofTypes = new Set();
+        if(step.divpDidProofRequest) {
+          acceptableProofTypes.add('di_vp');
+        }
+        if(step.jwtDidProofRequest) {
+          acceptableProofTypes.add('jwt');
+        }
+        const hasAcceptableProofType =
+          cr => Object.keys(cr.proofs ?? {}).some(
+            k => acceptableProofTypes.has(k));
+        if(credentialRequests.some(cr => !hasAcceptableProofType(cr))) {
           didProofRequired = true;
           return _requestDidProof({res, exchangeRecord});
         }
         // verify every DID proof and get resulting DIDs
         const results = await Promise.all(
-          credentialRequests.map(async cr => {
-            // FIXME: do not support more than one proof at this time
-            const {proofs: {jwt: [jwt]}} = cr;
-            const {did} = await verifyDidProofJwt({workflow, exchange, jwt});
-            return did;
+          credentialRequests.map(async credentialRequest => {
+            return verifyCredentialRequestProof({
+              credentialRequest, workflow, exchange
+            });
           }));
         // require `did` to be the same for every proof
         // FIXME: determine if this needs to be more flexible
@@ -497,7 +506,7 @@ export async function processCredentialRequests({req, res, isBatchRequest}) {
       }
       // otherwise, input is required if:
-      // 1. a `jwtDidProofRequest` is required and hasn't been provided
+      // 1. a `divp|jwtDidProofRequest` is required and hasn't been provided
       // 2. OID4VP is enabled and no OID4VP result has been stored yet
       return didProofRequired || (step.openId && !exchange.variables
         .results[exchange.step]?.openId?.authorizationRequest);
@@ -617,7 +626,7 @@ function _createSupportedCredentialRequests({
   if(isDraft13) {
     supportedCredentialRequests =
       draft13.createSupportedCredentialRequests({
-        workflow, exchange, issueRequestsParams
+        workflow, exchange, issueRequestsParams, step
       });
   } else {
     supportedCredentialRequests = [];
@@ -712,7 +721,7 @@ function _getSupportedCredentialConfigurations({workflow, exchange, step}) {
   // no explicit IDs; create legacy supported credential configurations
   return draft13.createSupportedCredentialConfigurations({
-    exchange, issuerInstances
+    exchange, issuerInstances, step
   });
 }

package/lib/oid4/oid4vciDraft13.js CHANGED Viewed

@@ -8,7 +8,7 @@ import {randomUUID as uuid} from 'node:crypto';
 const {util: {BedrockError}} = bedrock;
 export function createSupportedCredentialConfigurations({
-  exchange, issuerInstances
+  exchange, issuerInstances, step
 } = {}) {
   // get legacy `expectedCredentialRequests`
   const {
@@ -27,7 +27,7 @@ export function createSupportedCredentialConfigurations({
   // supported credential configuration
   for(const credentialRequest of expectedCredentialRequests) {
     const configurations = _createCredentialConfigurations({
-      credentialRequest, supportedFormats
+      credentialRequest, supportedFormats, step
     });
     for(const {id, configuration} of configurations) {
       supported.set(id, configuration);
@@ -38,11 +38,11 @@ export function createSupportedCredentialConfigurations({
 }
 export function createSupportedCredentialRequests({
-  workflow, exchange, issueRequestsParams
+  workflow, exchange, issueRequestsParams, step
 } = {}) {
   const issuerInstances = getWorkflowIssuerInstances({workflow});
   const supported = createSupportedCredentialConfigurations({
-    exchange, issuerInstances
+    exchange, issuerInstances, step
   });
   // for each `issueRequest` params, create a duplicate for each supported
@@ -130,12 +130,15 @@ function _matchCredentialRequests({
           type: 'openid_credential',
           credential_configuration_id
         };
-        // only proof type supported for draft 13 is `jwt` per JSON schema that
-        // has already run
         if(cr.proof) {
-          newRequest.proofs = {
-            jwt: [cr.proof.jwt]
-          };
+          newRequest.proofs = {};
+          for(const [key, value] of Object.entries(cr.proof)) {
+            if(key === 'proof_type') {
+              newRequest.proof_type = value;
+              continue;
+            }
+            newRequest.proofs[key] = [value];
+          }
         }
         return newRequest;
       }
@@ -149,7 +152,7 @@ function _matchCredentialRequests({
 }
 function _createCredentialConfigurations({
-  credentialRequest, supportedFormats
+  credentialRequest, supportedFormats, step
 }) {
   const configurations = [];
@@ -164,17 +167,23 @@ function _createCredentialConfigurations({
       format, credential_definition
     });
     const configuration = {format, credential_definition};
-    // FIXME: if `jwtDidProofRequest` exists in (any) step in the exchange,
-    // then must include:
-    /*
-    "proof_types_supported": {
-      "jwt": {
-        "proof_signing_alg_values_supported": [
-          "ES256"
-        ]
+    if(step.divpDidProofRequest) {
+      configuration.proof_types_supported = {
+        di_vp: {
+          proof_signing_alg_values_supported: [
+            'ecdsa-rdfc-2019', 'eddsa-rdfc-2022'
+          ]
+        }
+      };
+    }
+    if(step.jwtDidProofRequest) {
+      if(!configuration.proof_types_supported) {
+        configuration.proof_types_supported = {};
       }
+      configuration.proof_types_supported.jwt = {
+        proof_signing_alg_values_supported: ['ES256']
+      };
     }
-    */
     configurations.push({id, configuration});
   }

package/lib/verify.js CHANGED Viewed

@@ -148,6 +148,53 @@ export async function verify({
   };
 }
+export async function verifyCredentialRequestProof({
+  credentialRequest, workflow, exchange
+} = {}) {
+  // FIXME: do not support more than one proof of each type at this time
+  const jwt = credentialRequest.proofs.jwt?.[0];
+  const diVp = credentialRequest.proofs.di_vp?.[0];
+  let _did;
+  const dids = [];
+  if(diVp) {
+    const {did} = await verifyDidProofDiVp({workflow, exchange, diVp});
+    dids.push(did);
+    _did = did;
+  }
+  if(jwt) {
+    const {did} = await verifyDidProofJwt({workflow, exchange, jwt});
+    dids.push(did);
+    if(_did === undefined) {
+      _did = did;
+    }
+  }
+  if(dids.some(d => d !== _did)) {
+    // FIXME: improve error
+    throw new Error('every DID must be the same');
+  }
+  return _did;
+}
+export async function verifyDidProofDiVp({workflow, exchange, diVp} = {}) {
+  // domain is always the `exchangeId` and cannot be configured; this
+  // prevents attacks where access tokens could otherwise be generated
+  // if the AS keys were compromised; the `exchangeId` must also be known
+  const exchangeId = `${workflow.id}/exchanges/${exchange.id}`;
+  const verifyResult = await verify({
+    workflow,
+    presentation: diVp,
+    // challenge is always local exchange ID; which is what is returned from
+    // nonce endpoint; VCALM exchanges are short-lived and are capability URLs
+    expectedChallenge: exchange.id,
+    expectedDomain: exchangeId
+  });
+  const did = verifyResult.verificationMethod.controller;
+  return {verified: true, did, verifyResult};
+}
 export async function verifyDidProofJwt({workflow, exchange, jwt} = {}) {
   // optional oauth2 options
   const {oauth2} = exchange.openId;

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@bedrock/vc-delivery",
-  "version": "7.14.1",
+  "version": "7.15.0",
   "type": "module",
   "description": "Bedrock Verifiable Credential Delivery",
   "main": "./lib/index.js",
@@ -40,7 +40,7 @@
     "@digitalbazaar/ed25519-signature-2020": "^5.4.0",
     "@digitalbazaar/ezcap": "^4.1.0",
     "@digitalbazaar/http-client": "^4.2.0",
-    "@digitalbazaar/oid4-client": "^5.10.0",
+    "@digitalbazaar/oid4-client": "^5.12.1",
     "@digitalbazaar/vc": "^7.2.0",
     "@digitalbazaar/webkms-client": "^14.2.0",
     "assert-plus": "^1.0.0",

package/schemas/bedrock-vc-workflow.js CHANGED Viewed

@@ -195,6 +195,20 @@ const credentialDefinition = {
   }
 };
+const supportedProofTypeConfiguration = {
+  title: 'OID4VCI Supported Proof Type Configuration',
+  type: 'object',
+  required: ['proof_signing_alg_values_supported'],
+  additionalProperties: false,
+  properties: {
+    proof_signing_alg_values_supported: {
+      type: 'array',
+      minItems: 1,
+      items: {type: 'string'}
+    }
+  }
+};
 function credentialConfiguration() {
   return {
     title: 'OID4VCI Credential Configuration',
@@ -209,14 +223,9 @@ function credentialConfiguration() {
       },
       proof_types_supported: {
         type: 'object',
-        required: ['proof_signing_al_values_supported'],
-        additionalProperties: false,
         properties: {
-          proof_signing_alg_values_supported: {
-            type: 'array',
-            minItems: 1,
-            items: {type: 'string'}
-          }
+          di_vp: supportedProofTypeConfiguration,
+          jwt: supportedProofTypeConfiguration
         }
       }
     }
@@ -584,6 +593,31 @@ function computedStep() {
           }
         }
       },
+      divpDidProofRequest: {
+        type: 'object',
+        additionalProperties: false,
+        properties: {
+          acceptedMethods: {
+            title: 'Accepted DID Methods',
+            type: 'array',
+            minItems: 1,
+            items: {
+              title: 'Accepted DID Method',
+              type: 'object',
+              additionalProperties: false,
+              properties: {
+                method: {type: 'string'}
+              }
+            }
+          },
+          allowedCryptosuites: {
+            title: 'Allowed DI Cryptosuites',
+            type: 'array',
+            minItems: 1,
+            items: {type: 'string'}
+          }
+        }
+      },
       nextStep: {type: 'string'},
       // required to support OID4VP
       openId: {
@@ -717,13 +751,17 @@ function openIdCredentialRequestDraft13() {
         title: 'DID Authn Proof JWT',
         type: 'object',
         additionalProperties: false,
-        required: ['proof_type', 'jwt'],
+        anyOf: [
+          {required: ['proof_type', 'jwt']},
+          {required: ['proof_type', 'di_vp']}
+        ],
         properties: {
           proof_type: {
             type: 'string',
-            enum: ['jwt']
+            enum: ['jwt', 'di_vp']
           },
-          jwt: {type: 'string'}
+          jwt: {type: 'string'},
+          di_vp: verifiablePresentation()
         }
       }
     }
@@ -735,21 +773,15 @@ function openIdCredentialRequestVersion1() {
     title: 'OID4VCI-1.0 Credential Request',
     type: 'object',
     additionalProperties: false,
-    oneOf: [
-      // FIXME: only support `credential_identifier`;
-      // `credential_configuration_id` is for scope-identified credentials,
-      // which is not supported
-      {required: ['credential_identifier']}//,
-      //{required: ['credential_configuration_id']}
-    ],
+    // `credential_configuration_id` is for scope-identified credentials,
+    // which is not supported
+    required: ['credential_identifier'],
     properties: {
       credential_identifier: {type: 'string'},
-      // FIXME: remove me
-      //credential_configuration_id: {type: 'string'},
       proofs: {
         type: 'object',
         additionalProperties: false,
-        oneOf: [
+        anyOf: [
           {required: ['jwt']},
           {required: ['di_vp']}
         ],