@bedrock/vc-verifier 20.1.0 → 20.1.2

package/lib/vcjwt.js

@@ -229,7 +229,7 @@ function _jwtPayloadToCredential({verifyResult} = {}) {
     vc.issuer = iss;
   } else if(vc.issuer && typeof vc.issuer === 'object' &&
     vc.issuer.id === undefined) {
-    vc.issuer.id = iss;
+    vc.issuer.id = {id: iss, ...vc.issuer};
   } else if(iss !== vc.issuer && iss !== vc.issuer?.id) {
     throw new BedrockError(
       'VC-JWT "iss" claim does not equal nor does it exclusively ' +
@@ -283,7 +283,7 @@ function _jwtPayloadToCredential({verifyResult} = {}) {
         });
     }
     if(vc.credentialSubject?.id === undefined) {
-      vc.credentialSubject.id = sub;
+      vc.credentialSubject = {id: sub, ...vc.credentialSubject};
     } else {
       throw new BedrockError(
         'VC-JWT "sub" claim does not equal nor does it exclusively ' +
@@ -412,7 +412,7 @@ function _jwtPayloadToPresentation({verifyResult, challenge} = {}) {
     vp.holder = iss;
   } else if(vp.holder && typeof vp.holder === 'object' &&
     vp.holder.id === undefined) {
-    vp.holder.id = iss;
+    vp.holder.id = {id: iss, ...vp.holder};
   } else if(iss !== vp.holder && iss !== vp.holder?.id) {
     throw new BedrockError(
       'VC-JWT "iss" claim does not equal nor does it exclusively ' +

package/lib/verify.js

@@ -30,9 +30,40 @@ export async function verifyPresentation({
   config, presentation, challenge, domain, checks
 } = {}) {
   if(presentation?.type !== 'EnvelopedVerifiablePresentation') {
-    return di.verifyPresentation({
+    const result = await di.verifyPresentation({
       config, presentation, challenge, domain, checks
     });
+    if(result.verified || !result.presentationResult?.verified) {
+      // the whole VP and all its VCs were verified or the VP itself failed
+      // verification, so no extra work needed below
+      return result;
+    }
+
+    // note that the presentation itself verified, but the VCs therein might
+    // not because some of them might be enveloped VCs and the underlying
+    // `vc` library doesn't support this; therefore only use the presentation
+    // result and let the code below check VCs to ensure any enveloped VCs
+    // will also be checked
+    let {verifiableCredential = []} = presentation;
+    if(!Array.isArray(verifiableCredential)) {
+      verifiableCredential = [verifiableCredential];
+    }
+    const hasEnvelopedCredential = verifiableCredential.some(
+      vc => vc?.type === 'EnvelopedVerifiableCredential');
+    if(!hasEnvelopedCredential) {
+      // no enveloped VCs, return result
+      return result;
+    }
+
+    // try to verify each VC in the VP again but with envelope support
+    const credentialResults = await Promise.all(verifiableCredential.map(
+      credential => verifyCredential({config, credential, checks})));
+    const verified = credentialResults.every(({verified}) => verified);
+    if(verified) {
+      result.verified = true;
+    }
+    result.credentialResults = credentialResults;
+    return result;
   }
 
   const presentationResult = await verifyEnvelopedPresentation({
@@ -43,39 +74,25 @@ export async function verifyPresentation({
   let credentialResults;
   if(!verified) {
     credentialResults = [];
+  } else if(presentationResult.presentation?.proof) {
+    // presentation in the envelope has a `proof`, so recurse to check it
+    const proofResult = await verifyPresentation({
+      config, presentation: presentationResult.presentation,
+      challenge, domain, checks
+    });
+    verified = !!(verified && proofResult.presentationResult?.verified);
+    presentationResult.proofResult = proofResult;
+    ({credentialResults} = proofResult);
   } else {
-    // if the presentation has a `proof` field, do DI verification, but
-    // note that the presentation itself may verify but the VCs therein might
-    // not because some of them might be enveloped VCs and the underlying
-    // `vc` library doesn't support this; therefore only use the presentation
-    // result and let the code below check VCs to ensure any enveloped VCs
-    // will also be checked
-    if(presentationResult.presentation.proof) {
-      const proofResult = await di.verifyPresentation({
-        config, presentation: presentationResult.presentation,
-        challenge, domain, checks
-      });
-      presentationResult.proofResult = proofResult;
-      verified = !!(verified && proofResult.presentationResult?.verified);
-      if(proofResult.verified) {
-        // the whole VP was verified, so include the credential results, no
-        // need to repeat below to ensure enveloped credentials are checked
-        // as there aren't any
-        credentialResults = proofResult.credentialResults;
-      }
-    }
-
-    if(!credentialResults) {
-      // verify each VC in the VP
-      let {verifiableCredential = []} = presentationResult.presentation;
-      if(!Array.isArray(verifiableCredential)) {
-        verifiableCredential = [verifiableCredential];
-      }
-      credentialResults = await Promise.all(verifiableCredential.map(
-        credential => verifyCredential({config, credential, checks})));
-      verified = verified && credentialResults.every(
-        ({verified}) => verified);
+    // verify each VC in the VP
+    let {verifiableCredential = []} = presentationResult.presentation;
+    if(!Array.isArray(verifiableCredential)) {
+      verifiableCredential = [verifiableCredential];
     }
+    credentialResults = await Promise.all(verifiableCredential.map(
+      credential => verifyCredential({config, credential, checks})));
+    verified = verified && credentialResults.every(
+      ({verified}) => verified);
   }
   return {
     ...presentationResult,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bedrock/vc-verifier",
-  "version": "20.1.0",
+  "version": "20.1.2",
   "type": "module",
   "description": "Bedrock VC Verifier",
   "main": "./lib/index.js",