@bifold/core 2.4.5 → 2.5.0

package/src/modules/openid/metadata.tsx

@@ -1,59 +0,0 @@
-import type { W3cCredentialRecord, SdJwtVcRecord, MdocRecord } from '@credo-ts/core'
-import type { OpenId4VciCredentialSupported, OpenId4VciIssuerMetadataDisplay } from '@credo-ts/openid4vc'
-import type { MetadataDisplay } from '@sphereon/oid4vci-common'
-import { CredentialSubjectRecord } from './types'
-
-export interface OpenId4VcCredentialMetadata {
-  credential: {
-    display?: OpenId4VciCredentialSupported['display']
-    order?: OpenId4VciCredentialSupported['order']
-    credential_subject?: CredentialSubjectRecord
-  }
-  issuer: {
-    display?: OpenId4VciIssuerMetadataDisplay[]
-    id: string
-  }
-}
-
-export type OpenId4VcCredentialMetadataExtended = Partial<
-  OpenId4VciCredentialSupported & { credential_subject: CredentialSubjectRecord }
->
-const openId4VcCredentialMetadataKey = '_bifold/openId4VcCredentialMetadata'
-
-export function extractOpenId4VcCredentialMetadata(
-  credentialMetadata: Partial<OpenId4VciCredentialSupported & { credential_subject: CredentialSubjectRecord }>,
-  serverMetadata: { display?: MetadataDisplay[]; id: string }
-): OpenId4VcCredentialMetadata {
-  return {
-    credential: {
-      display: credentialMetadata.display,
-      order: credentialMetadata.order,
-      credential_subject: credentialMetadata.credential_subject,
-    },
-    issuer: {
-      display: serverMetadata.display,
-      id: serverMetadata.id,
-    },
-  }
-}
-
-/**
- * Gets the OpenId4Vc credential metadata from the given W3C credential record.
- */
-export function getOpenId4VcCredentialMetadata(
-  credentialRecord: W3cCredentialRecord | SdJwtVcRecord | MdocRecord
-): OpenId4VcCredentialMetadata | null {
-  return credentialRecord.metadata.get(openId4VcCredentialMetadataKey)
-}
-
-/**
- * Sets the OpenId4Vc credential metadata on the given W3cCredentialRecord or SdJwtVcRecord.
- *
- * NOTE: this does not save the record.
- */
-export function setOpenId4VcCredentialMetadata(
-  credentialRecord: W3cCredentialRecord | SdJwtVcRecord | MdocRecord,
-  metadata: OpenId4VcCredentialMetadata
-) {
-  credentialRecord.metadata.set(openId4VcCredentialMetadataKey, metadata)
-}

package/src/modules/openid/offerResolve.tsx

@@ -1,281 +0,0 @@
-import {
-  OpenId4VcCredentialHolderBinding,
-  OpenId4VciCredentialBindingOptions,
-  OpenId4VciCredentialFormatProfile,
-  OpenId4VciCredentialSupportedWithId,
-  OpenId4VciRequestTokenResponse,
-  OpenId4VciResolvedCredentialOffer,
-} from '@credo-ts/openid4vc'
-import {
-  Agent,
-  DidJwk,
-  DidKey,
-  getJwkFromKey,
-  JwaSignatureAlgorithm,
-  JwkDidCreateOptions,
-  KeyBackend,
-  KeyDidCreateOptions,
-  Mdoc,
-  MdocRecord,
-  SdJwtVcRecord,
-  W3cCredentialRecord,
-  W3cJsonLdVerifiableCredential,
-  W3cJwtVerifiableCredential,
-} from '@credo-ts/core'
-import { extractOpenId4VcCredentialMetadata, setOpenId4VcCredentialMetadata } from './metadata'
-
-export const resolveOpenId4VciOffer = async ({
-  agent,
-  data,
-  uri,
-  authorization,
-}: {
-  agent: Agent
-  // Either data itself (the offer) or uri can be passed
-  data?: string
-  uri?: string
-  fetchAuthorization?: boolean
-  authorization?: { clientId: string; redirectUri: string }
-}): Promise<OpenId4VciResolvedCredentialOffer> => {
-  let offerUri = uri
-
-  if (!offerUri && data) {
-    // FIXME: Credo only support credential offer string, but we already parsed it before. So we construct an offer here
-    // but in the future we need to support the parsed offer in Credo directly
-    offerUri = `openid-credential-offer://credential_offer=${encodeURIComponent(JSON.stringify(data))}`
-  } else if (!offerUri) {
-    throw new Error('either data or uri must be provided')
-  }
-
-  agent.config.logger.info(`Receiving openid uri ${offerUri}`, {
-    offerUri,
-    data: data,
-    uri: offerUri,
-  })
-
-  const resolvedCredentialOffer = await agent.modules.openId4VcHolder.resolveCredentialOffer(offerUri)
-
-  if (authorization) {
-    throw new Error('Authorization flow is not supported yet as of Credo 0.5.13')
-  }
-
-  return resolvedCredentialOffer
-}
-
-export async function acquirePreAuthorizedAccessToken({
-  agent,
-  resolvedCredentialOffer,
-  txCode,
-}: {
-  agent: Agent
-  resolvedCredentialOffer: OpenId4VciResolvedCredentialOffer
-  txCode?: string
-}) {
-  return await agent.modules.openId4VcHolder.requestToken({
-    resolvedCredentialOffer,
-    txCode,
-  })
-}
-
-export const customCredentialBindingResolver = async ({
-  agent,
-  supportedDidMethods,
-  keyType,
-  supportsAllDidMethods,
-  supportsJwk,
-  credentialFormat,
-  supportedCredentialId,
-  resolvedCredentialOffer,
-  pidSchemes,
-}: Partial<OpenId4VciCredentialBindingOptions> & {
-  agent: Agent
-  resolvedCredentialOffer: OpenId4VciResolvedCredentialOffer
-  pidSchemes?: { sdJwtVcVcts: Array<string>; msoMdocDoctypes: Array<string> }
-}): Promise<OpenId4VcCredentialHolderBinding> => {
-  // First, we try to pick a did method
-  // Prefer did:jwk, otherwise use did:key, otherwise use undefined
-  let didMethod: 'key' | 'jwk' | undefined =
-    supportsAllDidMethods || supportedDidMethods?.includes('did:jwk')
-      ? 'jwk'
-      : supportedDidMethods?.includes('did:key')
-      ? 'key'
-      : undefined
-
-  // If supportedDidMethods is undefined, and supportsJwk is false, we will default to did:key
-  // this is important as part of MATTR launchpad support which MUST use did:key but doesn't
-  // define which did methods they support
-  if (!supportedDidMethods && !supportsJwk) {
-    didMethod = 'key'
-  }
-
-  const offeredCredentialConfiguration = supportedCredentialId
-    ? resolvedCredentialOffer.offeredCredentialConfigurations[supportedCredentialId]
-    : undefined
-
-  const shouldKeyBeHardwareBackedForMsoMdoc =
-    offeredCredentialConfiguration?.format === OpenId4VciCredentialFormatProfile.MsoMdoc &&
-    pidSchemes?.msoMdocDoctypes.includes(offeredCredentialConfiguration.doctype)
-
-  const shouldKeyBeHardwareBackedForSdJwtVc =
-    offeredCredentialConfiguration?.format === 'vc+sd-jwt' &&
-    pidSchemes?.sdJwtVcVcts.includes(offeredCredentialConfiguration.vct)
-
-  const shouldKeyBeHardwareBacked = shouldKeyBeHardwareBackedForSdJwtVc || shouldKeyBeHardwareBackedForMsoMdoc
-
-  if (!keyType) {
-    throw new Error('keyType is required!')
-  }
-
-  const key = await agent.wallet.createKey({
-    keyType,
-    keyBackend: shouldKeyBeHardwareBacked ? KeyBackend.SecureElement : KeyBackend.Software,
-  })
-
-  if (didMethod) {
-    const didResult = await agent.dids.create<JwkDidCreateOptions | KeyDidCreateOptions>({
-      method: didMethod,
-      options: {
-        key,
-      },
-    })
-
-    if (didResult.didState.state !== 'finished') {
-      throw new Error('DID creation failed.')
-    }
-
-    let verificationMethodId: string
-    if (didMethod === 'jwk') {
-      const didJwk = DidJwk.fromDid(didResult.didState.did)
-      verificationMethodId = didJwk.verificationMethodId
-    } else {
-      const didKey = DidKey.fromDid(didResult.didState.did)
-      verificationMethodId = `${didKey.did}#${didKey.key.fingerprint}`
-    }
-
-    return {
-      didUrl: verificationMethodId,
-      method: 'did',
-    }
-  }
-
-  // Otherwise we also support plain jwk for sd-jwt only
-  if (
-    supportsJwk &&
-    (credentialFormat === OpenId4VciCredentialFormatProfile.SdJwtVc ||
-      credentialFormat === OpenId4VciCredentialFormatProfile.MsoMdoc)
-  ) {
-    return {
-      method: 'jwk',
-      jwk: getJwkFromKey(key),
-    }
-  }
-
-  throw new Error(
-    `No supported binding method could be found. Supported methods are did:key and did:jwk, or plain jwk for sd-jwt/mdoc. Issuer supports ${
-      supportsJwk ? 'jwk, ' : ''
-    }${supportedDidMethods?.join(', ') ?? 'Unknown'}`
-  )
-}
-
-export const receiveCredentialFromOpenId4VciOffer = async ({
-  agent,
-  resolvedCredentialOffer,
-  accessToken,
-  credentialConfigurationIdsToRequest,
-  clientId,
-  pidSchemes,
-}: {
-  agent: Agent
-  resolvedCredentialOffer: OpenId4VciResolvedCredentialOffer
-  accessToken: OpenId4VciRequestTokenResponse
-  credentialConfigurationIdsToRequest?: string[]
-  clientId?: string
-  pidSchemes?: { sdJwtVcVcts: Array<string>; msoMdocDoctypes: Array<string> }
-}) => {
-  const offeredCredentialsToRequest = credentialConfigurationIdsToRequest
-    ? resolvedCredentialOffer.offeredCredentials.filter((offered) =>
-        credentialConfigurationIdsToRequest.includes(offered.id)
-      )
-    : [resolvedCredentialOffer.offeredCredentials[0]]
-
-  if (offeredCredentialsToRequest.length === 0) {
-    throw new Error(
-      `Parameter 'credentialConfigurationIdsToRequest' with values ${credentialConfigurationIdsToRequest} is not a credential_configuration_id in the credential offer.`
-    )
-  }
-
-  const credentials = await agent.modules.openId4VcHolder.requestCredentials({
-    resolvedCredentialOffer,
-    ...accessToken,
-    clientId,
-    credentialsToRequest: credentialConfigurationIdsToRequest,
-    verifyCredentialStatus: false,
-    allowedProofOfPossessionSignatureAlgorithms: [
-      // NOTE: MATTR launchpad for JFF MUST use EdDSA. So it is important that the default (first allowed one)
-      // is EdDSA. The list is ordered by preference, so if no suites are defined by the issuer, the first one
-      // will be used
-      JwaSignatureAlgorithm.EdDSA,
-      JwaSignatureAlgorithm.ES256,
-    ],
-    credentialBindingResolver: async ({
-      supportedDidMethods,
-      keyType,
-      supportsAllDidMethods,
-      supportsJwk,
-      credentialFormat,
-      supportedCredentialId,
-    }: OpenId4VciCredentialBindingOptions) => {
-      return customCredentialBindingResolver({
-        agent,
-        supportedDidMethods,
-        keyType,
-        supportsAllDidMethods,
-        supportsJwk,
-        credentialFormat,
-        supportedCredentialId,
-        resolvedCredentialOffer,
-        pidSchemes,
-      })
-    },
-  })
-
-  // We only support one credential for now
-  const [firstCredential] = credentials
-  if (!firstCredential)
-    throw new Error('Error retrieving credential using pre authorized flow: firstCredential undefined!.')
-
-  let record: SdJwtVcRecord | W3cCredentialRecord | MdocRecord
-
-  if (typeof firstCredential === 'string') {
-    throw new Error('Error retrieving credential using pre authorized flow: firstCredential is string.')
-  }
-
-  if ('compact' in firstCredential.credential) {
-    // TODO: add claimFormat to SdJwtVc
-    record = new SdJwtVcRecord({
-      compactSdJwtVc: firstCredential.credential.compact,
-    })
-  } else if (firstCredential.credential instanceof Mdoc) {
-    record = new MdocRecord({
-      mdoc: firstCredential.credential,
-    })
-  } else {
-    record = new W3cCredentialRecord({
-      credential: firstCredential.credential as W3cJwtVerifiableCredential | W3cJsonLdVerifiableCredential,
-      // We don't support expanded types right now, but would become problem when we support JSON-LD
-      tags: {},
-    })
-  }
-
-  const openId4VcMetadata = extractOpenId4VcCredentialMetadata(
-    resolvedCredentialOffer.offeredCredentials[0] as OpenId4VciCredentialSupportedWithId,
-    {
-      id: resolvedCredentialOffer.metadata.issuer,
-      display: resolvedCredentialOffer.metadata.credentialIssuerMetadata.display,
-    }
-  )
-
-  setOpenId4VcCredentialMetadata(record, openId4VcMetadata)
-
-  return record
-}

package/src/modules/openid/resolverProof.tsx

@@ -1,286 +0,0 @@
-import { Agent, DifPexCredentialsForRequest, Jwt, X509ModuleConfig } from '@credo-ts/core'
-import { ParseInvitationResult } from '../../utils/parsers'
-import q from 'query-string'
-import { OpenId4VPRequestRecord } from './types'
-import { getHostNameFromUrl } from './utils/utils'
-import { OpenId4VcSiopVerifiedAuthorizationRequest } from '@credo-ts/openid4vc'
-import { Linking } from 'react-native'
-
-function handleTextResponse(text: string): ParseInvitationResult {
-  // If the text starts with 'ey' we assume it's a JWT and thus an OpenID authorization request
-  if (text.startsWith('ey')) {
-    return {
-      success: true,
-      result: {
-        format: 'parsed',
-        type: 'openid-authorization-request',
-        data: text,
-      },
-    }
-  }
-
-  // Otherwise we still try to parse it as JSON
-  try {
-    const json: unknown = JSON.parse(text)
-    return handleJsonResponse(json)
-
-    // handel like above
-  } catch (error) {
-    throw new Error(`[handleTextResponse] Error:${error}`)
-  }
-}
-
-function handleJsonResponse(json: unknown): ParseInvitationResult {
-  // We expect a JSON object
-  if (!json || typeof json !== 'object' || Array.isArray(json)) {
-    throw new Error('[handleJsonResponse] Invitation not recognized.')
-  }
-
-  if ('@type' in json) {
-    return {
-      success: true,
-      result: {
-        format: 'parsed',
-        type: 'didcomm',
-        data: json,
-      },
-    }
-  }
-
-  if ('credential_issuer' in json) {
-    return {
-      success: true,
-      result: {
-        format: 'parsed',
-        type: 'openid-credential-offer',
-        data: json,
-      },
-    }
-  }
-
-  throw new Error('[handleJsonResponse] Invitation not recognized.')
-}
-
-export async function fetchInvitationDataUrl(dataUrl: string): Promise<ParseInvitationResult> {
-  // If we haven't had a response after 10 seconds, we will handle as if the invitation is not valid.
-  const abortController = new AbortController()
-  const timeout = setTimeout(() => abortController.abort(), 10000)
-
-  try {
-    // If we still don't know what type of invitation it is, we assume it is a URL that we need to fetch to retrieve the invitation.
-    const response = await fetch(dataUrl, {
-      headers: {
-        // for DIDComm out of band invitations we should include application/json
-        // but we are flexible and also want to support other types of invitations
-        // as e.g. the OpenID SIOP request is a signed encoded JWT string
-        Accept: 'application/json, text/plain, */*',
-      },
-    })
-    clearTimeout(timeout)
-    if (!response.ok) {
-      throw new Error('[retrieve_invitation_error] Unable to retrieve invitation.')
-    }
-
-    const contentType = response.headers.get('content-type')
-    if (contentType?.includes('application/json')) {
-      const json: unknown = await response.json()
-      return handleJsonResponse(json)
-    }
-    const text = await response.text()
-    return handleTextResponse(text)
-  } catch (error) {
-    clearTimeout(timeout)
-    throw new Error(`[retrieve_invitation_error] Unable to retrieve invitation: ${error}`)
-  }
-}
-
-const extractCertificateFromJwt = (jwt: string) => {
-  const jwtHeader = Jwt.fromSerializedJwt(jwt).header
-  return Array.isArray(jwtHeader.x5c) && typeof jwtHeader.x5c[0] === 'string' ? jwtHeader.x5c[0] : null
-}
-
-/**
- * This is a temp method to allow for untrusted certificates to still work with the wallet.
- */
-export const extractCertificateFromAuthorizationRequest = async ({
-  data,
-  uri,
-}: {
-  data?: string
-  uri?: string
-}): Promise<{ data: string | null; certificate: string | null }> => {
-  try {
-    if (data) {
-      return {
-        data,
-        certificate: extractCertificateFromJwt(data),
-      }
-    }
-
-    if (uri) {
-      const query = q.parseUrl(uri).query
-      if (query.request_uri && typeof query.request_uri === 'string') {
-        const result = await fetchInvitationDataUrl(query.request_uri)
-        if (
-          result.success &&
-          result.result.type === 'openid-authorization-request' &&
-          typeof result.result.data === 'string'
-        ) {
-          return {
-            data: result.result.data,
-            certificate: extractCertificateFromJwt(result.result.data),
-          }
-        }
-      } else if (query.request && typeof query.request === 'string') {
-        const _res = {
-          data: query.request,
-          certificate: extractCertificateFromJwt(query.request),
-        }
-        return _res
-      }
-    }
-    return { data: null, certificate: null }
-  } catch (error) {
-    return { data: null, certificate: null }
-  }
-}
-
-export async function withTrustedCertificate<T>(
-  agent: Agent,
-  certificate: string | null,
-  method: () => Promise<T> | T
-): Promise<T> {
-  const x509ModuleConfig = agent.dependencyManager.resolve(X509ModuleConfig)
-  const currentTrustedCertificates = x509ModuleConfig.trustedCertificates
-    ? [...x509ModuleConfig.trustedCertificates]
-    : []
-
-  try {
-    if (certificate) agent.x509.addTrustedCertificate(certificate)
-    return await method()
-  } finally {
-    if (certificate) x509ModuleConfig.setTrustedCertificates(currentTrustedCertificates as [string])
-  }
-}
-
-//This settings should be moved to an injectable config
-const allowUntrustedCertificates = false
-
-export const getCredentialsForProofRequest = async ({
-  agent,
-  data,
-  uri,
-}: {
-  agent: Agent
-  // Either data itself (the offer) or uri can be passed
-  data?: string
-  uri?: string
-  fetchAuthorization?: boolean
-  authorization?: { clientId: string; redirectUri: string }
-}): Promise<OpenId4VPRequestRecord | undefined> => {
-  let requestUri = uri
-
-  try {
-    const { certificate = null, data: newData = null } = allowUntrustedCertificates
-      ? await extractCertificateFromAuthorizationRequest({ data, uri })
-      : {}
-
-    if (newData) {
-      // FIXME: Credo only support request string, but we already parsed it before. So we construct an request here
-      // but in the future we need to support the parsed request in Credo directly
-      requestUri = `openid://?request=${encodeURIComponent(newData)}`
-    } else if (uri) {
-      requestUri = uri
-    } else {
-      throw new Error('Either data or uri must be provided')
-    }
-
-    agent.config.logger.info(`$$Receiving openid uri ${requestUri}`)
-
-    // Temp solution to add and remove the trusted certificate
-    const resolved = await withTrustedCertificate(agent, certificate, () => {
-      return agent.modules.openId4VcHolder.resolveSiopAuthorizationRequest(requestUri)
-    })
-
-    if (!resolved.presentationExchange) {
-      throw new Error('No presentation exchange found in authorization request.')
-    }
-
-    return {
-      ...resolved.presentationExchange,
-      authorizationRequest: resolved.authorizationRequest,
-      verifierHostName: resolved.authorizationRequest.responseURI
-        ? getHostNameFromUrl(resolved.authorizationRequest.responseURI)
-        : undefined,
-      createdAt: new Date(),
-      type: 'OpenId4VPRequestRecord',
-    }
-  } catch (err) {
-    agent.config.logger.error(`Parsing presentation request:  ${(err as Error)?.message ?? err}`)
-    throw err
-  }
-}
-
-export const shareProof = async ({
-  agent,
-  authorizationRequest,
-  credentialsForRequest,
-  selectedCredentials,
-  allowUntrustedCertificate = false,
-}: {
-  agent: Agent
-  authorizationRequest: OpenId4VcSiopVerifiedAuthorizationRequest
-  credentialsForRequest: DifPexCredentialsForRequest
-  selectedCredentials: { [inputDescriptorId: string]: { id: string; claimFormat: string } }
-  allowUntrustedCertificate?: boolean
-}) => {
-  if (!credentialsForRequest.areRequirementsSatisfied) {
-    throw new Error('Requirements from proof request are not satisfied')
-  }
-
-  // Map all requirements and entries to a credential record. If a credential record for an
-  // input descriptor has been provided in `selectedCredentials` we will use that. Otherwise
-  // it will pick the first available credential.
-  const credentials = Object.fromEntries(
-    credentialsForRequest.requirements.flatMap((requirement) =>
-      requirement.submissionEntry.map((entry) => {
-        const credentialId = selectedCredentials[entry.inputDescriptorId].id
-        const credential =
-          entry.verifiableCredentials.find((vc) => vc.credentialRecord.id === credentialId) ??
-          entry.verifiableCredentials[0]
-
-        return [entry.inputDescriptorId, [credential.credentialRecord]]
-      })
-    )
-  )
-
-  try {
-    // Temp solution to add and remove the trusted certicaite
-    const certificate =
-      authorizationRequest.jwt && allowUntrustedCertificate ? extractCertificateFromJwt(authorizationRequest.jwt) : null
-
-    const result = await withTrustedCertificate(agent, certificate, () =>
-      agent.modules.openId4VcHolder.acceptSiopAuthorizationRequest({
-        authorizationRequest,
-        presentationExchange: {
-          credentials,
-        },
-      })
-    )
-
-    // if redirect_uri is provided, open it in the browser
-    // Even if the response returned an error, we must open this uri
-    if (typeof result.serverResponse.body === 'object' && typeof result.serverResponse.body.redirect_uri === 'string') {
-      await Linking.openURL(result.serverResponse.body.redirect_uri)
-    }
-
-    if (result.serverResponse.status < 200 || result.serverResponse.status > 299) {
-      throw new Error(`Error while accepting authorization request. ${result.serverResponse.body as string}`)
-    }
-
-    return result
-  } catch (error) {
-    // Handle biometric authentication errors
-    throw new Error(`Error accepting proof request. ${(error as Error)?.message ?? error}`)
-  }
-}