@bedrock/vc-verifier 22.0.0 → 22.1.0

package/lib/config.js

@@ -1,5 +1,5 @@
 /*!
- * Copyright (c) 2019-2024 Digital Bazaar, Inc. All rights reserved.
+ * Copyright (c) 2019-2025 Digital Bazaar, Inc. All rights reserved.
  */
 import {config} from '@bedrock/core';
 import '@bedrock/app-identity';
@@ -35,7 +35,8 @@ cfg.supportedSuites = [
   'eddsa-rdfc-2022',
   'ecdsa-jcs-2019',
   'eddsa-jcs-2022',
-  'ecdsa-sd-2023'
+  'ecdsa-sd-2023',
+  'ecdsa-xi-2023'
 ];
 
 cfg.routes = {

package/lib/di.js

@@ -1,14 +1,16 @@
 /*!
- * Copyright (c) 2018-2024 Digital Bazaar, Inc. All rights reserved.
+ * Copyright (c) 2018-2025 Digital Bazaar, Inc. All rights reserved.
  */
 import * as vc from '@digitalbazaar/vc';
 import {checkStatus as _checkStatus} from './status.js';
 import {createDocumentLoader} from './documentLoader.js';
 import {createSuites} from './suites.js';
 
-export async function verifyCredential({config, credential, checks} = {}) {
+export async function verifyCredential({
+  config, credential, options, checks
+} = {}) {
   const documentLoader = await createDocumentLoader({config});
-  const suite = createSuites();
+  const suite = createSuites({options});
 
   // only check credential status when option is set
   const checkStatus = checks.includes('credentialStatus') ?

package/lib/documentLoader.js

@@ -1,5 +1,5 @@
 /*!
- * Copyright (c) 2019-2024 Digital Bazaar, Inc. All rights reserved.
+ * Copyright (c) 2019-2025 Digital Bazaar, Inc. All rights reserved.
  */
 import * as bedrock from '@bedrock/core';
 import {
@@ -9,13 +9,13 @@ import {
 } from '@bedrock/jsonld-document-loader';
 import {createContextDocumentLoader} from '@bedrock/service-context-store';
 import {didIo} from '@bedrock/did-io';
-import {klona} from 'klona';
 import '@bedrock/credentials-context';
 import '@bedrock/data-integrity-context';
 import '@bedrock/did-context';
 import '@bedrock/did-io';
 import '@bedrock/multikey-context';
 import '@bedrock/security-context';
+import '@bedrock/vc-barcodes-context';
 import '@bedrock/vc-revocation-list-context';
 import '@bedrock/vc-status-list-context';
 import '@bedrock/veres-one-context';
@@ -151,7 +151,7 @@ function _getNode({didDocument, id}) {
   }
 
   return {
-    '@context': klona(didDocument['@context']),
-    ...klona(match)
+    '@context': structuredClone(didDocument['@context']),
+    ...structuredClone(match)
   };
 }

package/lib/envelopes.js

@@ -1,30 +1,55 @@
 /*
- * Copyright (c) 2019-2024 Digital Bazaar, Inc. All rights reserved.
+ * Copyright (c) 2019-2025 Digital Bazaar, Inc. All rights reserved.
  */
 import * as bedrock from '@bedrock/core';
+import * as vcb from './vcb.js';
 import * as vcjwt from './vcjwt.js';
 
 const {util: {BedrockError}} = bedrock;
 
-export async function verifyEnvelopedCredential({envelopedCredential} = {}) {
+export async function verifyEnvelopedCredential({
+  config, envelopedCredential, checks
+} = {}) {
+  let format;
   try {
-    const {contents: jwt} = _parseEnvelope({
-      envelope: envelopedCredential
-    });
-    return vcjwt.verifyEnvelopedCredential({jwt});
+    const parseResult = _parseEnvelope({envelope: envelopedCredential});
+    const {contents} = parseResult;
+    format = parseResult.format;
+
+    let result;
+    if(format.typeAndSubType === 'application/jwt') {
+      result = await vcjwt.verifyEnvelopedCredential({jwt: contents});
+    } else if(format.typeAndSubType === 'application/vcb') {
+      result = await vcb.verifyEnvelopedCredential({
+        config, contents, format, checks
+      });
+    } else {
+      _throwUnknownFormat(format);
+    }
+    return {...result, format};
   } catch(error) {
-    return {verified: false, error};
+    return {verified: false, error, format};
   }
 }
 
 export async function verifyEnvelopedPresentation({
   envelopedPresentation, challenge, domain
 } = {}) {
+  let format;
   try {
-    const {contents: jwt} = _parseEnvelope({
-      envelope: envelopedPresentation
-    });
-    return vcjwt.verifyEnvelopedPresentation({jwt, challenge, domain});
+    const parseResult = _parseEnvelope({envelope: envelopedPresentation});
+    const {contents} = parseResult;
+    format = parseResult.format;
+
+    let result;
+    if(format.typeAndSubType === 'application/jwt') {
+      result = await vcjwt.verifyEnvelopedPresentation({
+        jwt: contents, challenge, domain
+      });
+    } else {
+      _throwUnknownFormat(format);
+    }
+    return {...result, format};
   } catch(error) {
     return {verified: false, error};
   }
@@ -32,20 +57,28 @@ export async function verifyEnvelopedPresentation({
 
 function _parseEnvelope({envelope}) {
   const {id} = envelope;
-  let format;
+  const format = {};
   const comma = id.indexOf(',');
   if(id.startsWith('data:') && comma !== -1) {
-    format = id.slice('data:'.length, comma);
-  }
-  if(format !== 'application/jwt') {
-    throw new BedrockError(
-      `Unknown envelope format "${format}".`, {
-        name: 'DataError',
-        details: {
-          httpStatusCode: 400,
-          public: true
-        },
-      });
+    const mediaType = id.slice('data:'.length, comma);
+    const parts = mediaType.split(';');
+    format.mediaType = mediaType;
+    format.typeAndSubType = parts.shift();
+    const [type, subType] = format.typeAndSubType.split('/');
+    format.type = type;
+    format.subType = subType;
+    format.parameters = new Map(parts.map(s => s.trim().split('=')));
   }
   return {contents: id.slice(comma + 1), format};
 }
+
+function _throwUnknownFormat(format) {
+  throw new BedrockError(
+    `Unknown envelope format "${format.mediaType}".`, {
+      name: 'DataError',
+      details: {
+        httpStatusCode: 400,
+        public: true
+      },
+    });
+}

package/lib/index.js

@@ -1,14 +1,13 @@
 /*!
- * Copyright (c) 2021-2024 Digital Bazaar, Inc. All rights reserved.
+ * Copyright (c) 2021-2025 Digital Bazaar, Inc. All rights reserved.
  */
 import * as bedrock from '@bedrock/core';
-import {createService, schemas} from '@bedrock/service-core';
 import {
-  addRoutes as addContextStoreRoutes
+  addCborldRoutes, addContextRoutes
 } from '@bedrock/service-context-store';
+import {createService, schemas} from '@bedrock/service-core';
 import {addRoutes} from './http.js';
 import {initializeServiceAgent} from '@bedrock/service-agent';
-import {klona} from 'klona';
 import {verifyOptions} from '../schemas/bedrock-vc-verifier.js';
 
 // load config defaults
@@ -18,8 +17,8 @@ const serviceType = 'vc-verifier';
 
 bedrock.events.on('bedrock.init', async () => {
   // add customizations to config validators...
-  const createConfigBody = klona(schemas.createConfigBody);
-  const updateConfigBody = klona(schemas.updateConfigBody);
+  const createConfigBody = structuredClone(schemas.createConfigBody);
+  const updateConfigBody = structuredClone(schemas.updateConfigBody);
   const schemasToUpdate = [createConfigBody, updateConfigBody];
   for(const schema of schemasToUpdate) {
     // verify options
@@ -52,7 +51,8 @@ bedrock.events.on('bedrock.init', async () => {
   });
 
   bedrock.events.on('bedrock-express.configure.routes', async app => {
-    await addContextStoreRoutes({app, service});
+    await addCborldRoutes({app, service});
+    await addContextRoutes({app, service});
     await addRoutes({app, service});
   });
 

package/lib/suites.js

@@ -11,6 +11,9 @@ import {
 import {
   createVerifyCryptosuite as createEcdsaSd2023VerifyCryptosuite
 } from '@digitalbazaar/ecdsa-sd-2023-cryptosuite';
+import {
+  createCryptosuite as createEcdsaXi2023Cryptosuite
+} from '@digitalbazaar/ecdsa-xi-2023-cryptosuite';
 import {
   createVerifyCryptosuite as createEddsaJcs2022VerifyCryptoSuite
 } from '@digitalbazaar/eddsa-jcs-2022-cryptosuite';
@@ -32,12 +35,13 @@ import {
 
 // DataIntegrityProof should work for multiple cryptosuites
 const SUPPORTED_CRYPTOSUITES = new Map([
-  ['bbs-2023', createBbs2023VerifyCryptosuite()],
-  ['ecdsa-rdfc-2019', ecdsaRdfc2019CryptoSuite],
-  ['eddsa-rdfc-2022', eddsaRdfc2022CryptoSuite],
-  ['ecdsa-jcs-2019', createEcdsaJcs2019VerifyCryptoSuite()],
-  ['eddsa-jcs-2022', createEddsaJcs2022VerifyCryptoSuite()],
-  ['ecdsa-sd-2023', createEcdsaSd2023VerifyCryptosuite()]
+  ['bbs-2023', () => createBbs2023VerifyCryptosuite()],
+  ['ecdsa-rdfc-2019', () => ecdsaRdfc2019CryptoSuite],
+  ['eddsa-rdfc-2022', () => eddsaRdfc2022CryptoSuite],
+  ['ecdsa-jcs-2019', () => createEcdsaJcs2019VerifyCryptoSuite()],
+  ['eddsa-jcs-2022', () => createEddsaJcs2022VerifyCryptoSuite()],
+  ['ecdsa-sd-2023', () => createEcdsaSd2023VerifyCryptosuite()],
+  ['ecdsa-xi-2023', options => createEcdsaXi2023Cryptosuite(options)]
 ]);
 
 const SUPPORTED_LEGACY_CRYPTOSUITES = new Map([
@@ -50,10 +54,15 @@ const SUPPORTED_LEGACY_SUITES = new Map([
   ['Ed25519Signature2020', Ed25519Signature2020]
 ]);
 
-export function createSuites() {
+export function createSuites({options} = {}) {
   const cfg = bedrock.config['vc-verifier'];
   const {supportedSuites} = cfg;
   const suite = supportedSuites.map(supportedSuite => {
+    const createCryptosuite = SUPPORTED_CRYPTOSUITES.get(supportedSuite);
+    if(createCryptosuite) {
+      const cryptosuite = createCryptosuite(options);
+      return new DataIntegrityProof({cryptosuite});
+    }
     const LegacySuite = SUPPORTED_LEGACY_SUITES.get(supportedSuite);
     if(LegacySuite) {
       return new LegacySuite();
@@ -64,10 +73,6 @@ export function createSuites() {
         cryptosuite: LegacyCryptosuite, legacyContext: true
       });
     }
-    const cryptosuite = SUPPORTED_CRYPTOSUITES.get(supportedSuite);
-    if(cryptosuite) {
-      return new DataIntegrityProof({cryptosuite});
-    }
     throw new Error(`Unsupported suite ${supportedSuite}`);
   });
   return suite;

package/lib/vcb.js

@@ -0,0 +1,172 @@
+/*
+ * Copyright (c) 2024-2025 Digital Bazaar, Inc. All rights reserved.
+ */
+import * as bedrock from '@bedrock/core';
+import * as cborld from '@digitalbazaar/cborld';
+import * as di from './di.js';
+import {aamva} from '@digitalbazaar/pdf417-dl-canonicalizer';
+import {createCborldTypeTableLoader} from '@bedrock/service-context-store';
+import {createDocumentLoader} from './documentLoader.js';
+import {util} from '@digitalbazaar/vpqr';
+
+const {util: {BedrockError}} = bedrock;
+
+const VC_CONTEXT_2 = 'https://www.w3.org/ns/credentials/v2';
+const VCB_CONTEXT_1 = 'https://w3id.org/vc-barcodes/v1';
+
+// map of AAMVA issuer identification number to VCB location
+const AAMVA_IIN_TO_VCB_LOCATION = new Map([
+  // VCB spec, i.e., test vector intentionally invalid issuer
+  ['000000', {subfile: 'ZZ', field: 'ZZA', encoding: 'base64url'}],
+  // US state of CA
+  ['636014', {subfile: 'ZC', field: 'ZCE', encoding: 'base64'}],
+]);
+
+const SUPPORTED_BARCODE_FORMATS = new Set([
+  'qr_code',
+  'pdf417'
+]);
+
+export async function verifyEnvelopedCredential({
+  config, contents, format, checks
+} = {}) {
+  // handle base64 encoding
+  let {parameters} = format;
+  if(parameters.has('base64')) {
+    contents = new Uint8Array(Buffer.from(contents, 'base64'));
+    parameters = new Map(parameters);
+    parameters.delete('base64');
+  }
+
+  // only parameter understood is `barcode-format` with values of:
+  // 'qr_code' (default) or 'pdf417'
+  const barcodeFormat = parameters.size === 1 ?
+    parameters.get('barcode-format') : (parameters.size === 0 && 'qr_code');
+  if(!SUPPORTED_BARCODE_FORMATS.has(barcodeFormat)) {
+    _throwUnknownFormat(format);
+  }
+
+  // create loaders for JSON-LD contexts and CBOR-LD type tables
+  const documentLoader = await createDocumentLoader({config});
+  const typeTableLoader = await createCborldTypeTableLoader({
+    config, serviceType: 'vc-verifier'
+  });
+
+  // parse credential and any verification options from contents...
+  let credential;
+  let options;
+  if(barcodeFormat === 'qr_code') {
+    ({credential, options} = await _parseQrCodeEnvelope({
+      contents, documentLoader, typeTableLoader
+    }));
+  }
+  if(barcodeFormat === 'pdf417') {
+    ({credential, options} = await _parsePdf417Envelope({
+      contents, documentLoader, typeTableLoader
+    }));
+  }
+
+  // verify VC
+  const result = await di.verifyCredential({
+    config, credential, options, checks
+  });
+  return {...result, credential};
+}
+
+async function _parseQrCodeEnvelope({
+  contents, documentLoader, typeTableLoader
+}) {
+  const {jsonldDocument: credential} = await util.fromQrCode({
+    text: contents,
+    documentLoader,
+    typeTableLoader,
+    expectedHeader: 'VC1-'
+  });
+  return {credential};
+}
+
+async function _parsePdf417Envelope({
+  contents, documentLoader, typeTableLoader
+}) {
+  // parse AAMVA object from scanned PDF417 data; if contents are a string,
+  // presume UTF-8 encoding
+  const object = aamva.decode({data: contents, encoding: 'utf8'});
+
+  // find VCB in AAMVA object
+  const credential = await findVcb({object, documentLoader, typeTableLoader});
+  const componentIndex = credential.credentialSubject?.protectedComponentIndex;
+
+  // select AAMVA DL or ID document
+  const document = await aamva.select({
+    object,
+    selector: {
+      subfile: ['DL', 'ID'],
+      componentIndex
+    }
+  });
+  // hash document and store it as `extraInformation` for verification
+  const options = {
+    extraInformation: await aamva.hash({document})
+  };
+
+  return {credential, options};
+}
+
+async function findVcb({object, documentLoader, typeTableLoader}) {
+  const {issuerIdentificationNumber} = object;
+  const location = AAMVA_IIN_TO_VCB_LOCATION.get(issuerIdentificationNumber);
+  if(!location) {
+    throw new BedrockError(
+      'Unknown envelope format; verifiable credential barcode not found.', {
+        name: 'DataError',
+        details: {httpStatusCode: 400, public: true}
+      });
+  }
+
+  const selection = await aamva.select({
+    object,
+    selector: {
+      subfile: [location.subfile],
+      fields: [location.field]
+    }
+  });
+
+  const encoded = selection.get(location.field);
+  if(!encoded) {
+    throw new BedrockError('Verifiable credential barcode not found.', {
+      name: 'DataError',
+      details: {httpStatusCode: 400, public: true}
+    });
+  }
+
+  const cborldBytes = new Uint8Array(Buffer.from(encoded, location.encoding));
+
+  // decode CBOR-LD bytes into JSON-LD VCB
+  const credential = await cborld.decode({
+    cborldBytes,
+    documentLoader,
+    typeTableLoader
+  });
+  const contexts = credential['@context'];
+  if(!Array.isArray(contexts) &&
+    contexts[0] === VC_CONTEXT_2 &&
+    contexts.includes(VCB_CONTEXT_1)) {
+    throw new BedrockError('Verifiable credential barcode not found.', {
+      name: 'DataError',
+      details: {httpStatusCode: 400, public: true}
+    });
+  }
+
+  return credential;
+}
+
+function _throwUnknownFormat(format) {
+  throw new BedrockError(
+    `Unknown envelope format "${format.mediaType}".`, {
+      name: 'DataError',
+      details: {
+        httpStatusCode: 400,
+        public: true
+      },
+    });
+}

package/lib/verify.js

@@ -1,5 +1,5 @@
 /*!
- * Copyright (c) 2018-2024 Digital Bazaar, Inc. All rights reserved.
+ * Copyright (c) 2018-2025 Digital Bazaar, Inc. All rights reserved.
  */
 import * as di from './di.js';
 import {
@@ -12,11 +12,14 @@ export async function verifyCredential({config, credential, checks} = {}) {
   }
 
   const result = await verifyEnvelopedCredential({
-    envelopedCredential: credential, checks
+    config, envelopedCredential: credential, checks
   });
-  // if the credential has a `proof` field, do DI verification
+
+  // if credential envelope is verified, credential has a `proof` field, and
+  // format is JWT, do DI verification
   let {verified} = result;
-  if(verified && result.credential.proof) {
+  if(verified && result.credential.proof &&
+    result.format.typeAndSubType === 'application/jwt') {
     const proofResult = await di.verifyCredential({
       config, credential: result.credential, checks
     });
@@ -74,8 +77,10 @@ export async function verifyPresentation({
   let credentialResults;
   if(!verified) {
     credentialResults = [];
-  } else if(presentationResult.presentation?.proof) {
-    // presentation in the envelope has a `proof`, so recurse to check it
+  } else if(presentationResult.presentation?.proof &&
+    presentationResult.format.typeAndSubType === 'application/jwt') {
+    // presentation in the envelope has a `proof` and envelope format is JWT,
+    // so recurse to check `proof` field
     const proofResult = await verifyPresentation({
       config, presentation: presentationResult.presentation,
       challenge, domain, checks

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bedrock/vc-verifier",
-  "version": "22.0.0",
+  "version": "22.1.0",
   "type": "module",
   "description": "Bedrock VC Verifier",
   "main": "./lib/index.js",
@@ -26,28 +26,31 @@
   "homepage": "https://github.com/digitalbazaar/bedrock-vc-verifier",
   "dependencies": {
     "@digitalbazaar/bbs-2023-cryptosuite": "^2.0.1",
+    "@digitalbazaar/cborld": "^7.2.0",
     "@digitalbazaar/data-integrity": "^2.5.0",
     "@digitalbazaar/ecdsa-2019-cryptosuite": "^2.0.0",
     "@digitalbazaar/ecdsa-jcs-2019-cryptosuite": "^1.0.0",
     "@digitalbazaar/ecdsa-multikey": "^1.8.0",
     "@digitalbazaar/ecdsa-rdfc-2019-cryptosuite": "^1.2.0",
     "@digitalbazaar/ecdsa-sd-2023-cryptosuite": "^3.4.1",
+    "@digitalbazaar/ecdsa-xi-2023-cryptosuite": "^1.1.0",
     "@digitalbazaar/ed25519-multikey": "^1.3.1",
     "@digitalbazaar/ed25519-signature-2018": "^4.1.0",
     "@digitalbazaar/ed25519-signature-2020": "^5.4.0",
     "@digitalbazaar/eddsa-2022-cryptosuite": "^1.0.0",
     "@digitalbazaar/eddsa-jcs-2022-cryptosuite": "^1.0.0",
     "@digitalbazaar/eddsa-rdfc-2022-cryptosuite": "^1.2.0",
+    "@digitalbazaar/pdf417-dl-canonicalizer": "^1.2.1",
     "@digitalbazaar/vc": "^7.1.2",
     "@digitalbazaar/vc-bitstring-status-list": "^2.0.1",
     "@digitalbazaar/vc-revocation-list": "^7.0.0",
     "@digitalbazaar/vc-status-list": "^8.0.1",
+    "@digitalbazaar/vpqr": "^5.1.0",
     "assert-plus": "^1.0.0",
     "bnid": "^3.0.0",
     "body-parser": "^1.20.3",
     "cors": "^2.8.5",
     "jose": "^6.0.10",
-    "klona": "^2.0.6",
     "serialize-error": "^12.0.0"
   },
   "peerDependencies": {
@@ -64,9 +67,10 @@
     "@bedrock/multikey-context": "^3.0.0",
     "@bedrock/security-context": "^9.0.0",
     "@bedrock/service-agent": "^10.0.0",
-    "@bedrock/service-context-store": "^13.0.0",
+    "@bedrock/service-context-store": "^13.1.0",
     "@bedrock/service-core": "^11.0.0",
     "@bedrock/validation": "^7.1.1",
+    "@bedrock/vc-barcodes-context": "^1.0.0",
     "@bedrock/vc-revocation-list-context": "^5.0.0",
     "@bedrock/vc-status-list-context": "^6.0.3",
     "@bedrock/veres-one-context": "^16.0.0"