@bedrock/vc-verifier 20.0.0 → 20.1.1

package/lib/di.js

@@ -0,0 +1,63 @@
+/*!
+ * Copyright (c) 2018-2024 Digital Bazaar, Inc. All rights reserved.
+ */
+import * as vc from '@digitalbazaar/vc';
+import {checkStatus} from './status.js';
+import {createDocumentLoader} from './documentLoader.js';
+import {createSuites} from './suites.js';
+
+export async function verifyCredential({config, credential, checks} = {}) {
+  const documentLoader = await createDocumentLoader({config});
+  const suite = createSuites();
+
+  const result = await vc.verifyCredential({
+    credential,
+    documentLoader,
+    suite,
+    // only check credential status when option is set
+    checkStatus: checks.includes('credentialStatus') ?
+      checkStatus : () => ({verified: true})
+  });
+  // if proof should have been checked but wasn't due to an error,
+  // try to run the check again using the VC's issuance date
+  if(checks.includes('proof') &&
+    result.error && !result.proof && result.results?.[0] &&
+    typeof credential.issuanceDate === 'string') {
+    const proofResult = await vc.verifyCredential({
+      credential,
+      documentLoader,
+      suite,
+      now: new Date(credential.issuanceDate),
+      // only check credential status when option is set
+      checkStatus: checks.includes('credentialStatus') ?
+        checkStatus : () => ({verified: true})
+    });
+    if(proofResult.verified) {
+      // overlay original (failed) results on top of proof results
+      result.results[0] = {
+        ...proofResult.results[0],
+        ...result.results[0],
+        proofVerified: true
+      };
+    }
+  }
+  // ensure all proofs are verified in order to return `verified`
+  let {verified} = result;
+  verified = !!(verified && result?.results?.every(({verified}) => verified));
+  return {...result, verified};
+}
+
+export async function verifyPresentation({
+  config, presentation, challenge, domain, checks
+} = {}) {
+  const verifyOptions = {
+    challenge,
+    domain,
+    presentation,
+    documentLoader: await createDocumentLoader({config}),
+    suite: createSuites(),
+    unsignedPresentation: !checks.includes('proof'),
+    checkStatus
+  };
+  return vc.verify(verifyOptions);
+}

package/lib/envelopes.js

@@ -0,0 +1,51 @@
+/*
+ * Copyright (c) 2019-2024 Digital Bazaar, Inc. All rights reserved.
+ */
+import * as bedrock from '@bedrock/core';
+import * as vcjwt from './vcjwt.js';
+
+const {util: {BedrockError}} = bedrock;
+
+export async function verifyEnvelopedCredential({envelopedCredential} = {}) {
+  try {
+    const {contents: jwt} = _parseEnvelope({
+      envelope: envelopedCredential
+    });
+    return vcjwt.verifyEnvelopedCredential({jwt});
+  } catch(error) {
+    return {verified: false, error};
+  }
+}
+
+export async function verifyEnvelopedPresentation({
+  envelopedPresentation, challenge, domain
+} = {}) {
+  try {
+    const {contents: jwt} = _parseEnvelope({
+      envelope: envelopedPresentation
+    });
+    return vcjwt.verifyEnvelopedPresentation({jwt, challenge, domain});
+  } catch(error) {
+    return {verified: false, error};
+  }
+}
+
+function _parseEnvelope({envelope}) {
+  const {id} = envelope;
+  let format;
+  const comma = id.indexOf(',');
+  if(id.startsWith('data:') && comma !== -1) {
+    format = id.slice('data:'.length, comma);
+  }
+  if(format !== 'application/jwt') {
+    throw new BedrockError(
+      `Unknown envelope format "${format}".`, {
+        name: 'DataError',
+        details: {
+          httpStatusCode: 400,
+          public: true
+        },
+      });
+  }
+  return {contents: id.slice(comma + 1), format};
+}

package/lib/http.js

@@ -1,8 +1,7 @@
 /*!
- * Copyright (c) 2018-2022 Digital Bazaar, Inc. All rights reserved.
+ * Copyright (c) 2018-2024 Digital Bazaar, Inc. All rights reserved.
  */
 import * as bedrock from '@bedrock/core';
-import * as vc from '@digitalbazaar/vc';
 import {createChallenge, verifyChallenge} from './challenges.js';
 import {
   createChallengeBody,
@@ -10,12 +9,10 @@ import {
   verifyPresentationBody
 } from '../schemas/bedrock-vc-verifier.js';
 import {metering, middleware} from '@bedrock/service-core';
+import {verifyCredential, verifyPresentation} from './verify.js';
 import {asyncHandler} from '@bedrock/express';
 import bodyParser from 'body-parser';
-import {checkStatus} from './status.js';
 import cors from 'cors';
-import {createDocumentLoader} from './documentLoader.js';
-import {createSuites} from './suites.js';
 import {serializeError} from 'serialize-error';
 import {createValidateMiddleware as validate} from '@bedrock/validation';
 
@@ -33,7 +30,6 @@ bedrock.events.on('bedrock-express.configure.bodyParser', app => {
 
 export async function addRoutes({app, service} = {}) {
   const {routePrefix} = service;
-  const suite = createSuites();
   const cfg = bedrock.config['vc-verifier'];
   const baseUrl = `${routePrefix}/:localId`;
   const routes = {
@@ -70,12 +66,11 @@ export async function addRoutes({app, service} = {}) {
   app.post(
     routes.credentialsVerify,
     cors(),
-    validate({bodySchema: verifyCredentialBody}),
+    validate({bodySchema: verifyCredentialBody()}),
     getConfigMiddleware,
     middleware.authorizeServiceObjectRequest(),
     asyncHandler(async (req, res) => {
       const {config} = req.serviceObject;
-      const documentLoader = await createDocumentLoader({config});
 
       let response;
       try {
@@ -86,37 +81,7 @@ export async function addRoutes({app, service} = {}) {
 
         const {checks} = options;
         _validateChecks({checks});
-        const result = await vc.verifyCredential({
-          credential,
-          documentLoader,
-          suite,
-          // only check credential status when option is set
-          checkStatus: checks.includes('credentialStatus') ?
-            checkStatus : () => ({verified: true})
-        });
-        // if proof should have been checked but wasn't due to an error,
-        // try to run the check again using the VC's issuance date
-        if(checks.includes('proof') &&
-          result.error && !result.proof && result.results[0] &&
-          typeof credential.issuanceDate === 'string') {
-          const proofResult = await vc.verifyCredential({
-            credential,
-            documentLoader,
-            suite,
-            now: new Date(credential.issuanceDate),
-            // only check credential status when option is set
-            checkStatus: checks.includes('credentialStatus') ?
-              checkStatus : () => ({verified: true})
-          });
-          if(proofResult.verified) {
-            // overlay original (failed) results on top of proof results
-            result.results[0] = {
-              ...proofResult.results[0],
-              ...result.results[0],
-              proofVerified: true
-            };
-          }
-        }
+        const result = await verifyCredential({config, credential, checks});
         response = _createResponse({credential, result, checks});
       } catch(e) {
         response = _createResponse({error: e});
@@ -150,17 +115,16 @@ export async function addRoutes({app, service} = {}) {
   app.post(
     routes.presentationsVerify,
     cors(),
-    validate({bodySchema: verifyPresentationBody}),
+    validate({bodySchema: verifyPresentationBody()}),
     getConfigMiddleware,
     middleware.authorizeServiceObjectRequest(),
     asyncHandler(async (req, res) => {
       const {config} = req.serviceObject;
-      const documentLoader = await createDocumentLoader({config});
 
       let response;
       try {
         const {
-          verifiablePresentation,
+          verifiablePresentation: presentation,
           options = {}
         } = req.body;
 
@@ -174,7 +138,6 @@ export async function addRoutes({app, service} = {}) {
         }
 
         _validateChecks({checks});
-        const unsignedPresentation = !checks.includes('proof');
 
         // allow for `checks` to indicate whether or not the challenge
         // should be checked
@@ -190,20 +153,12 @@ export async function addRoutes({app, service} = {}) {
           ({uses: challengeUses} = result);
         }
 
-        const verifyOptions = {
-          challenge,
-          presentation: verifiablePresentation,
-          documentLoader,
-          suite,
-          unsignedPresentation,
-          checkStatus
-        };
-        const {proof} = verifiablePresentation;
-        if(proof && proof.domain) {
-          // FIXME: do not set a default
-          verifyOptions.domain = domain || 'issuer.example.com';
-        }
-        const result = await vc.verify(verifyOptions);
+        // FIXME: do not set a default domain
+        const expectedDomain = domain ??
+          (presentation?.proof?.domain && 'issuer.example.com');
+        const result = await verifyPresentation({
+          config, presentation, challenge, domain: expectedDomain, checks
+        });
         response = _createResponse({result, challengeUses, checks});
       } catch(e) {
         response = _createResponse({error: e});

package/lib/vcjwt.js

@@ -0,0 +1,537 @@
+/*
+ * Copyright (c) 2019-2024 Digital Bazaar, Inc. All rights reserved.
+ */
+import * as bedrock from '@bedrock/core';
+import * as EcdsaMultikey from '@digitalbazaar/ecdsa-multikey';
+import * as Ed25519Multikey from '@digitalbazaar/ed25519-multikey';
+import {importJWK, jwtVerify} from 'jose';
+import {didIo} from '@bedrock/did-io';
+
+const {util: {BedrockError}} = bedrock;
+
+// supported JWT algs
+const ECDSA_ALGS = ['ES256', 'ES384'];
+const EDDSA_ALGS = ['Ed25519', 'EdDSA'];
+
+const VC_CONTEXT_1 = 'https://www.w3.org/2018/credentials/v1';
+const VC_CONTEXT_2 = 'https://www.w3.org/ns/credentials/v2';
+
+export async function verifyEnvelopedCredential({jwt} = {}) {
+  try {
+    const {
+      verified, controller, verificationMethod, verifyResult
+    } = await _verifyJwt({jwt, proofPurpose: 'assertionMethod'});
+    // if verified, parse credential from payload...
+    let credential;
+    if(verified) {
+      credential = _jwtPayloadToCredential({verifyResult});
+    }
+    const results = [{
+      verified,
+      verificationMethod,
+      controller,
+      verifyResult,
+      credential
+    }];
+    return {verified, controller, results, credential};
+  } catch(error) {
+    return {verified: false, error};
+  }
+}
+
+export async function verifyEnvelopedPresentation({
+  jwt, challenge, domain
+} = {}) {
+  try {
+    const {
+      verified, controller, verificationMethod, verifyResult
+    } = await _verifyJwt({
+      jwt, proofPurpose: 'authentication', audience: domain
+    });
+    // if verified, parse presentation from payload...
+    let presentation;
+    if(verified) {
+      presentation = _jwtPayloadToPresentation({
+        verifyResult, challenge
+      });
+    }
+    const results = [{
+      verified,
+      verificationMethod,
+      controller,
+      verifyResult,
+      presentation
+    }];
+    return {verified, controller, results, presentation};
+  } catch(error) {
+    return {verified: false, error};
+  }
+}
+
+async function _verifyJwt({jwt, proofPurpose, audience} = {}) {
+  let verificationMethod;
+  let controller;
+  // `resolveKey` is passed `protectedHeader`
+  const resolveKey = async ({alg, kid}) => {
+    const isEcdsa = ECDSA_ALGS.includes(alg);
+    const isEddsa = !isEcdsa && EDDSA_ALGS.includes(alg);
+    if(!(isEcdsa || isEddsa)) {
+      throw new BedrockError(
+        `Unsupported JWT "alg": "${alg}".`, {
+          name: 'DataError',
+          details: {
+            httpStatusCode: 400,
+            public: true
+          }
+        });
+    }
+
+    const vm = await didIo.get({url: kid});
+    // `vm.controller` must be the issuer of the JWT; also ensure that
+    // the specified controller authorized `vm` for the given proof purpose
+    ({controller} = vm);
+    verificationMethod = vm;
+    const didDoc = await didIo.get({url: controller});
+    let match = didDoc?.authentication?.find?.(
+      e => e === vm.id || e.id === vm.id);
+    if(typeof match === 'string') {
+      match = didDoc?.verificationMethod?.find?.(e => e.id === vm.id);
+    }
+    if(!(match && Array.isArray(match.controller) ?
+      match.controller.includes(vm.controller) :
+      match.controller === vm.controller)) {
+      throw new BedrockError(
+        `Verification method controller "${controller}" did not authorize ` +
+        `verification method "${vm.id}" for the purpose ` +
+        `of "${proofPurpose}".`, {
+          name: 'DataError',
+          details: {
+            httpStatusCode: 400,
+            public: true
+          }
+        });
+    }
+    let jwk;
+    if(isEcdsa) {
+      const keyPair = await EcdsaMultikey.from(vm);
+      jwk = await EcdsaMultikey.toJwk({keyPair});
+      jwk.alg = alg;
+    } else {
+      const keyPair = await Ed25519Multikey.from(vm);
+      jwk = await Ed25519Multikey.toJwk({keyPair});
+      jwk.alg = 'EdDSA';
+    }
+    return importJWK(jwk);
+  };
+
+  // FIXME: enable allowed algorithms to be configurable per instance
+  const allowedAlgorithms = ['EdDSA', 'Ed25519', 'ES256', 'ES256K', 'ES384'];
+  // FIXME: enable `maxClockSkew` to be configurable per instance
+  // default is 300 secs
+  const maxClockSkew = 300;
+
+  // use `jose` lib (for now) to verify JWT and return `payload`;
+  // pass optional supported algorithms as allow list ... note
+  // that `jose` *always* prohibits the `none` algorithm
+  let verifyResult;
+  try {
+    // `jwtVerify` checks claims: `aud`, `exp`, `nbf`
+    const {payload, protectedHeader} = await jwtVerify(jwt, resolveKey, {
+      algorithms: allowedAlgorithms,
+      clockTolerance: maxClockSkew,
+      audience
+    });
+    verifyResult = {payload, protectedHeader};
+  } catch(e) {
+    const details = {
+      httpStatusCode: 403,
+      public: true,
+      code: e.code,
+      reason: e.message
+    };
+    if(e.claim) {
+      details.claim = e.claim;
+    }
+    throw new BedrockError('JWT validation failed.', {
+      name: 'DataError',
+      details
+    });
+  }
+
+  // check `iss` claim
+  if(!(controller && verifyResult?.payload?.iss === controller)) {
+    throw new BedrockError('JWT validation failed.', {
+      name: 'DataError',
+      details: {
+        httpStatusCode: 400,
+        public: true,
+        code: 'ERR_JWT_CLAIM_VALIDATION_FAILED',
+        reason: 'unexpected "iss" claim value.',
+        claim: 'iss'
+      }
+    });
+  }
+
+  return {verified: true, verificationMethod, controller, verifyResult};
+}
+
+function _jwtPayloadToCredential({verifyResult} = {}) {
+  /* Example:
+  {
+    "alg": <signer.algorithm>,
+    "kid": <signer.id>
+  }.
+  {
+    "iss": <verifiableCredential.issuer>,
+    "jti": <verifiableCredential.id>
+    "sub": <verifiableCredential.credentialSubject>
+    "nbf": <verifiableCredential.[issuanceDate | validFrom]>
+    "exp": <verifiableCredential.[expirationDate | validUntil]>
+    "vc": <verifiableCredential>
+  }
+  */
+  const {vc} = verifyResult.payload;
+  if(!(vc && typeof vc === 'object')) {
+    throw new BedrockError('JWT validation failed.', {
+      name: 'DataError',
+      details: {
+        httpStatusCode: 400,
+        public: true,
+        code: 'ERR_JWT_CLAIM_VALIDATION_FAILED',
+        reason: 'missing or unexpected "vc" claim value.',
+        claim: 'vc'
+      }
+    });
+  }
+
+  let {'@context': context = []} = vc;
+  if(!Array.isArray(context)) {
+    context = [context];
+  }
+  const isVersion1 = context.includes(VC_CONTEXT_1);
+  const isVersion2 = context.includes(VC_CONTEXT_2);
+  if(!(isVersion1 ^ isVersion2)) {
+    throw new BedrockError(
+      'Verifiable credential is neither version "1.x" nor "2.x".', {
+        name: 'DataError',
+        details: {
+          httpStatusCode: 400,
+          public: true
+        }
+      });
+  }
+
+  const credential = {...vc};
+  const {iss, jti, sub, nbf, exp} = verifyResult.payload;
+
+  // inject `issuer` value
+  if(vc.issuer === undefined) {
+    vc.issuer = iss;
+  } else if(vc.issuer && typeof vc.issuer === 'object' &&
+    vc.issuer.id === undefined) {
+    vc.issuer.id = iss;
+  } else if(iss !== vc.issuer && iss !== vc.issuer?.id) {
+    throw new BedrockError(
+      'VC-JWT "iss" claim does not equal nor does it exclusively ' +
+      'provide verifiable credential "issuer" / "issuer.id".', {
+        name: 'DataError',
+        details: {
+          httpStatusCode: 400,
+          public: true
+        }
+      });
+  }
+
+  if(jti !== undefined && jti !== vc.id) {
+    // inject `id` value
+    if(vc.id === undefined) {
+      vc.id = jti;
+    } else {
+      throw new BedrockError(
+        'VC-JWT "jti" claim does not equal nor does it exclusively ' +
+        'provide verifiable credential "id".', {
+          name: 'DataError',
+          details: {
+            httpStatusCode: 400,
+            public: true
+          }
+        });
+    }
+  }
+
+  if(sub !== undefined && sub !== vc.credentialSubject?.id) {
+    // inject `credentialSubject.id` value
+    if(!vc.credentialSubject) {
+      throw new BedrockError(
+        'Verifiable credential has no "credentialSubject".', {
+          name: 'DataError',
+          details: {
+            httpStatusCode: 400,
+            public: true
+          }
+        });
+    }
+    if(Array.isArray(vc.credentialSubject)) {
+      throw new BedrockError(
+        'Verifiable credential has multiple credential subjects, which is ' +
+        'not supported in VC-JWT.', {
+          name: 'DataError',
+          details: {
+            httpStatusCode: 400,
+            public: true
+          }
+        });
+    }
+    if(vc.credentialSubject?.id === undefined) {
+      vc.credentialSubject.id = sub;
+    } else {
+      throw new BedrockError(
+        'VC-JWT "sub" claim does not equal nor does it exclusively ' +
+        'provide verifiable credential "credentialSubject.id".', {
+          name: 'DataError',
+          details: {
+            httpStatusCode: 400,
+            public: true
+          }
+        });
+    }
+  }
+
+  if(nbf === undefined && isVersion1) {
+    throw new BedrockError('JWT validation failed.', {
+      name: 'DataError',
+      details: {
+        httpStatusCode: 400,
+        public: true,
+        code: 'ERR_JWT_CLAIM_VALIDATION_FAILED',
+        reason: 'missing "nbf" claim value.',
+        claim: 'nbf'
+      }
+    });
+  }
+
+  if(nbf !== undefined) {
+    // fuzzy convert `nbf` into `issuanceDate` / `validFrom`, only require
+    // second-level precision
+    const dateString = new Date(nbf * 1000).toISOString().slice(0, -5);
+    const dateProperty = isVersion1 ? 'issuanceDate' : 'validFrom';
+    // inject dateProperty value
+    if(vc[dateProperty] === undefined) {
+      vc[dateProperty] = dateString + 'Z';
+    } else if(!(vc[dateProperty].startsWith(dateString) &&
+      vc[dateProperty].endsWith('Z'))) {
+      throw new BedrockError(
+        'VC-JWT "nbf" claim does not equal nor does it exclusively provide ' +
+        `verifiable credential "${dateProperty}".`, {
+          name: 'DataError',
+          details: {
+            httpStatusCode: 400,
+            public: true
+          }
+        });
+    }
+  }
+
+  if(exp !== undefined) {
+    // fuzzy convert `exp` into `expirationDate` / `validUntil`, only require
+    // second-level precision
+    const dateString = new Date(exp * 1000).toISOString().slice(0, -5);
+    const dateProperty = isVersion1 ? 'expirationDate' : 'validUntil';
+    // inject dateProperty value
+    if(vc[dateProperty] === undefined) {
+      vc[dateProperty] = dateString + 'Z';
+    } else if(!(vc[dateProperty].startsWith(dateString) &&
+      vc[dateProperty].endsWith('Z'))) {
+      throw new BedrockError(
+        'VC-JWT "exp" claim does not equal nor does it exclusively provide ' +
+        `verifiable credential "${dateProperty}".`, {
+          name: 'DataError',
+          details: {
+            httpStatusCode: 400,
+            public: true
+          }
+        });
+    }
+  }
+
+  return credential;
+}
+
+function _jwtPayloadToPresentation({verifyResult, challenge} = {}) {
+  /* Example:
+  {
+    "alg": <signer.algorithm>,
+    "kid": <signer.id>
+  }.
+  {
+    "iss": <verifiablePresentation.holder>,
+    "aud": <verifiablePresentation.domain>,
+    "nonce": <verifiablePresentation.nonce>,
+    "jti": <verifiablePresentation.id>
+    "nbf": <verifiablePresentation.[validFrom]>
+    "exp": <verifiablePresentation.[validUntil]>
+    "vp": <verifiablePresentation>
+  }
+  */
+  const {vp} = verifyResult.payload;
+  if(!(vp && typeof vp === 'object')) {
+    throw new BedrockError('JWT validation failed.', {
+      name: 'DataError',
+      details: {
+        httpStatusCode: 400,
+        public: true,
+        code: 'ERR_JWT_CLAIM_VALIDATION_FAILED',
+        reason: 'missing or unexpected "vp" claim value.',
+        claim: 'vp'
+      }
+    });
+  }
+
+  let {'@context': context = []} = vp;
+  if(!Array.isArray(context)) {
+    context = [context];
+  }
+  const isVersion1 = context.includes(VC_CONTEXT_1);
+  const isVersion2 = context.includes(VC_CONTEXT_2);
+  if(!(isVersion1 ^ isVersion2)) {
+    throw new BedrockError(
+      'Verifiable presentation is not either version "1.x" or "2.x".', {
+        name: 'DataError',
+        details: {
+          httpStatusCode: 400,
+          public: true
+        }
+      });
+  }
+
+  const presentation = {...vp};
+  const {iss, nonce, jti, nbf, exp} = verifyResult.payload;
+
+  // inject `holder` value
+  if(vp.holder === undefined) {
+    vp.holder = iss;
+  } else if(vp.holder && typeof vp.holder === 'object' &&
+    vp.holder.id === undefined) {
+    vp.holder.id = iss;
+  } else if(iss !== vp.holder && iss !== vp.holder?.id) {
+    throw new BedrockError(
+      'VC-JWT "iss" claim does not equal nor does it exclusively ' +
+      'provide verifiable presentation "holder" / "holder.id".', {
+        name: 'DataError',
+        details: {
+          httpStatusCode: 400,
+          public: true
+        }
+      });
+  }
+
+  if(jti !== undefined && jti !== vp.id) {
+    // inject `id` value
+    if(vp.id === undefined) {
+      vp.id = jti;
+    } else {
+      throw new BedrockError(
+        'VC-JWT "jti" claim does not equal nor does it exclusively ' +
+        'provide verifiable presentation "id".', {
+          name: 'DataError',
+          details: {
+            httpStatusCode: 400,
+            public: true
+          }
+        });
+    }
+  }
+
+  // version 1.x VPs do not support `validFrom`/`validUntil`
+  if(nbf !== undefined && isVersion2) {
+    // fuzzy convert `nbf` into `validFrom`, only require
+    // second-level precision
+    const dateString = new Date(nbf * 1000).toISOString().slice(0, -5);
+
+    // inject `validFrom` value
+    if(vp.validFrom === undefined) {
+      vp.validFrom = dateString + 'Z';
+    } else if(!(vp.validFrom?.startsWith(dateString) &&
+      vp.validFrom.endsWith('Z'))) {
+      throw new BedrockError(
+        'VC-JWT "nbf" claim does not equal nor does it exclusively provide ' +
+        'verifiable presentation "validFrom".', {
+          name: 'DataError',
+          details: {
+            httpStatusCode: 400,
+            public: true
+          }
+        });
+    }
+  }
+  if(exp !== undefined && isVersion2) {
+    // fuzzy convert `exp` into `validUntil`, only require
+    // second-level precision
+    const dateString = new Date(exp * 1000).toISOString().slice(0, -5);
+
+    // inject `validUntil` value
+    if(vp.validUntil === undefined) {
+      vp.validUntil = dateString + 'Z';
+    } else if(!(vp.validUntil?.startsWith(dateString) &&
+      vp.validUntil?.endsWith('Z'))) {
+      throw new BedrockError(
+        'VC-JWT "exp" claim does not equal nor does it exclusively provide ' +
+        'verifiable presentation "validUntil".', {
+          name: 'DataError',
+          details: {
+            httpStatusCode: 400,
+            public: true
+          }
+        });
+    }
+  }
+
+  if(challenge !== undefined && nonce !== challenge) {
+    throw new BedrockError('JWT validation failed.', {
+      name: 'DataError',
+      details: {
+        httpStatusCode: 400,
+        public: true,
+        code: 'ERR_JWT_CLAIM_VALIDATION_FAILED',
+        reason: 'missing or unexpected "nonce" claim value.',
+        claim: 'nonce'
+      }
+    });
+  }
+
+  // do some validation on `verifiableCredential`
+  let {verifiableCredential = []} = presentation;
+  if(!Array.isArray(verifiableCredential)) {
+    verifiableCredential = [verifiableCredential];
+  }
+
+  // ensure version 2 VPs only have objects in `verifiableCredential`
+  const hasVCJWTs = verifiableCredential.some(vc => typeof vc !== 'object');
+  if(isVersion2 && hasVCJWTs) {
+    throw new BedrockError(
+      'Version 2.x verifiable presentations must only use objects in the ' +
+      '"verifiableCredential" field.', {
+        name: 'DataError',
+        details: {
+          httpStatusCode: 400,
+          public: true
+        }
+      });
+  }
+
+  // transform any VC-JWT VCs to enveloped VCs
+  if(presentation.verifiableCredential && hasVCJWTs) {
+    presentation.verifiableCredential = verifiableCredential.map(vc => {
+      if(typeof vc !== 'string') {
+        return vc;
+      }
+      return {
+        '@context': VC_CONTEXT_2,
+        id: `data:application/jwt,${vc}`,
+        type: 'EnvelopedVerifiableCredential',
+      };
+    });
+  }
+
+  return presentation;
+}

package/lib/verify.js

@@ -0,0 +1,103 @@
+/*!
+ * Copyright (c) 2018-2024 Digital Bazaar, Inc. All rights reserved.
+ */
+import * as di from './di.js';
+import {
+  verifyEnvelopedCredential, verifyEnvelopedPresentation
+} from './envelopes.js';
+
+export async function verifyCredential({config, credential, checks} = {}) {
+  if(credential?.type !== 'EnvelopedVerifiableCredential') {
+    return di.verifyCredential({config, credential, checks});
+  }
+
+  const result = await verifyEnvelopedCredential({
+    envelopedCredential: credential, checks
+  });
+  // if the credential has a `proof` field, do DI verification
+  let {verified} = result;
+  if(verified && result.credential.proof) {
+    const proofResult = await di.verifyCredential({
+      config, credential: result.credential, checks
+    });
+    result.proofResult = proofResult;
+    verified = verified && proofResult.verified;
+  }
+  return {...result, verified};
+}
+
+export async function verifyPresentation({
+  config, presentation, challenge, domain, checks
+} = {}) {
+  if(presentation?.type !== 'EnvelopedVerifiablePresentation') {
+    const result = await di.verifyPresentation({
+      config, presentation, challenge, domain, checks
+    });
+    if(result.verified || !result.presentationResult?.verified) {
+      // the whole VP and all its VCs were verified or the VP itself failed
+      // verification, so no extra work needed below
+      return result;
+    }
+
+    // note that the presentation itself verified, but the VCs therein might
+    // not because some of them might be enveloped VCs and the underlying
+    // `vc` library doesn't support this; therefore only use the presentation
+    // result and let the code below check VCs to ensure any enveloped VCs
+    // will also be checked
+    let {verifiableCredential = []} = presentation;
+    if(!Array.isArray(verifiableCredential)) {
+      verifiableCredential = [verifiableCredential];
+    }
+    const hasEnvelopedCredential = verifiableCredential.some(
+      vc => vc?.type === 'EnvelopedVerifiableCredential');
+    if(!hasEnvelopedCredential) {
+      // no enveloped VCs, return result
+      return result;
+    }
+
+    // try to verify each VC in the VP again but with envelope support
+    const credentialResults = await Promise.all(verifiableCredential.map(
+      credential => verifyCredential({config, credential, checks})));
+    const verified = credentialResults.every(({verified}) => verified);
+    if(verified) {
+      result.verified = true;
+    }
+    result.credentialResults = credentialResults;
+    return result;
+  }
+
+  const presentationResult = await verifyEnvelopedPresentation({
+    envelopedPresentation: presentation, challenge, domain
+  });
+  // verify each `verifiableCredential` in the resulting VP
+  let verified = presentationResult.verified;
+  let credentialResults;
+  if(!verified) {
+    credentialResults = [];
+  } else if(presentationResult.presentation?.proof) {
+    // presentation in the envelope has a `proof`, so recurse to check it
+    const proofResult = await verifyPresentation({
+      config, presentation: presentationResult.presentation,
+      challenge, domain, checks
+    });
+    verified = !!(verified && proofResult.presentationResult?.verified);
+    presentationResult.proofResult = proofResult;
+    ({credentialResults} = proofResult);
+  } else {
+    // verify each VC in the VP
+    let {verifiableCredential = []} = presentationResult.presentation;
+    if(!Array.isArray(verifiableCredential)) {
+      verifiableCredential = [verifiableCredential];
+    }
+    credentialResults = await Promise.all(verifiableCredential.map(
+      credential => verifyCredential({config, credential, checks})));
+    verified = verified && credentialResults.every(
+      ({verified}) => verified);
+  }
+  return {
+    ...presentationResult,
+    verified,
+    presentationResult,
+    credentialResults
+  };
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bedrock/vc-verifier",
-  "version": "20.0.0",
+  "version": "20.1.1",
   "type": "module",
   "description": "Bedrock VC Verifier",
   "main": "./lib/index.js",
@@ -28,8 +28,10 @@
     "@digitalbazaar/bbs-2023-cryptosuite": "^1.2.0",
     "@digitalbazaar/data-integrity": "^2.2.0",
     "@digitalbazaar/ecdsa-2019-cryptosuite": "^2.0.0",
+    "@digitalbazaar/ecdsa-multikey": "^1.7.0",
     "@digitalbazaar/ecdsa-rdfc-2019-cryptosuite": "^1.1.0",
     "@digitalbazaar/ecdsa-sd-2023-cryptosuite": "^3.2.1",
+    "@digitalbazaar/ed25519-multikey": "^1.1.0",
     "@digitalbazaar/ed25519-signature-2018": "^4.0.0",
     "@digitalbazaar/ed25519-signature-2020": "^5.4.0",
     "@digitalbazaar/eddsa-2022-cryptosuite": "^1.0.0",
@@ -41,6 +43,7 @@
     "bnid": "^3.0.0",
     "body-parser": "^1.20.2",
     "cors": "^2.8.5",
+    "jose": "^5.6.3",
     "klona": "^2.0.6",
     "serialize-error": "^11.0.3"
   },

package/schemas/bedrock-vc-verifier.js

@@ -1,12 +1,177 @@
 /*!
  * Copyright (c) 2022-2024 Digital Bazaar, Inc. All rights reserved.
  */
-const context = {
-  title: '@context',
+import {schemas} from '@bedrock/validation';
+
+const VC_CONTEXT_1 = 'https://www.w3.org/2018/credentials/v1';
+const VC_CONTEXT_2 = 'https://www.w3.org/ns/credentials/v2';
+
+const vcContext = {
   type: 'array',
   minItems: 1,
-  items: {
-    type: ['string', 'object']
+  // the first context must be the VC context
+  items: [{
+    oneOf: [{
+      const: VC_CONTEXT_1
+    }, {
+      const: VC_CONTEXT_2
+    }]
+  }],
+  // additional contexts maybe strings or objects
+  additionalItems: {
+    anyOf: [{type: 'string'}, {type: 'object'}]
+  }
+};
+
+function idOrObjectWithId() {
+  return {
+    title: 'identifier or an object with an id',
+    anyOf: [
+      schemas.identifier(),
+      {
+        type: 'object',
+        required: ['id'],
+        additionalProperties: true,
+        properties: {id: schemas.identifier()}
+      }
+    ]
+  };
+}
+
+function verifiableCredential() {
+  return {
+    title: 'Verifiable Credential',
+    type: 'object',
+    required: [
+      '@context',
+      'credentialSubject',
+      'issuer',
+      'type'
+    ],
+    additionalProperties: true,
+    properties: {
+      '@context': vcContext,
+      credentialSubject: {
+        anyOf: [
+          {type: 'object'},
+          {type: 'array', minItems: 1, items: {type: 'object'}}
+        ]
+      },
+      id: {
+        type: 'string'
+      },
+      issuer: idOrObjectWithId(),
+      type: {
+        type: 'array',
+        minItems: 1,
+        // this first type must be VerifiableCredential
+        items: [
+          {const: 'VerifiableCredential'},
+        ],
+        // additional types must be strings
+        additionalItems: {
+          type: 'string'
+        }
+      },
+      proof: schemas.proof()
+    }
+  };
+}
+
+const envelopedVerifiableCredential = {
+  title: 'Enveloped Verifiable Credential',
+  type: 'object',
+  additionalProperties: false,
+  required: ['@context', 'id', 'type'],
+  properties: {
+    '@context': {
+      anyOf: [{
+        const: VC_CONTEXT_2
+      }, {
+        type: 'array',
+        minItems: 1,
+        maxItems: 1,
+        // the first context must be the VC context
+        items: [{
+          const: VC_CONTEXT_2
+        }]
+      }]
+    },
+    id: {
+      type: 'string'
+    },
+    type: {
+      const: 'EnvelopedVerifiableCredential'
+    }
+  }
+};
+
+export function verifiablePresentation() {
+  return {
+    title: 'Verifiable Presentation',
+    type: 'object',
+    required: ['@context', 'type'],
+    additionalProperties: true,
+    properties: {
+      '@context': vcContext,
+      id: {
+        type: 'string'
+      },
+      type: {
+        type: 'array',
+        minItems: 1,
+        // this first type must be VerifiablePresentation
+        items: [
+          {const: 'VerifiablePresentation'},
+        ],
+        // additional types must be strings
+        additionalItems: {
+          type: 'string'
+        }
+      },
+      verifiableCredential: {
+        anyOf: [
+          verifiableCredential(),
+          envelopedVerifiableCredential, {
+            type: 'array',
+            minItems: 1,
+            items: {
+              anyOf: [verifiableCredential(), envelopedVerifiableCredential]
+            }
+          }
+        ]
+      },
+      holder: idOrObjectWithId(),
+      proof: schemas.proof()
+    }
+  };
+}
+
+const envelopedVerifiablePresentation = {
+  title: 'Enveloped Verifiable Presentation',
+  type: 'object',
+  additionalProperties: false,
+  required: ['@context', 'id', 'type'],
+  properties: {
+    '@context': {
+      anyOf: [{
+        const: VC_CONTEXT_2
+      }, {
+        type: 'array',
+        minItems: 1,
+        maxItems: 1,
+        // the first context must be the VC context
+        items: [{
+          const: VC_CONTEXT_2
+        }]
+      }]
+    },
+    id: {
+      type: 'string'
+    },
+    type: {
+      const: 'EnvelopedVerifiablePresentation'
+    }
   }
 };
 
@@ -54,42 +219,42 @@ export const createChallengeBody = {
   properties: {}
 };
 
-export const verifyCredentialBody = {
-  title: 'Verify Credential Body',
-  type: 'object',
-  required: ['verifiableCredential'],
-  additionalProperties: false,
-  properties: {
-    options: {
-      type: 'object'
-    },
-    verifiableCredential: {
-      type: 'object',
-      additionalProperties: true,
-      required: ['@context'],
-      properties: {
-        '@context': context
+export function verifyCredentialBody() {
+  return {
+    title: 'Verify Credential Body',
+    type: 'object',
+    required: ['verifiableCredential'],
+    additionalProperties: false,
+    properties: {
+      options: {
+        type: 'object'
+      },
+      verifiableCredential: {
+        anyOf: [
+          verifiableCredential(),
+          envelopedVerifiableCredential
+        ]
       }
     }
-  }
-};
+  };
+}
 
-export const verifyPresentationBody = {
-  title: 'Verify Presentation Body',
-  type: 'object',
-  required: ['verifiablePresentation'],
-  additionalProperties: false,
-  properties: {
-    options: {
-      type: 'object'
-    },
-    verifiablePresentation: {
-      type: 'object',
-      additionalProperties: true,
-      required: ['@context'],
-      properties: {
-        '@context': context
+export function verifyPresentationBody() {
+  return {
+    title: 'Verify Presentation Body',
+    type: 'object',
+    required: ['verifiablePresentation'],
+    additionalProperties: false,
+    properties: {
+      options: {
+        type: 'object'
+      },
+      verifiablePresentation: {
+        anyOf: [
+          verifiablePresentation(),
+          envelopedVerifiablePresentation
+        ]
       }
     }
-  }
-};
+  };
+}