npm - @credo-ts/anoncreds - Versions diffs - 0.6.1-pr-2091-20241119140918 → 0.6.1 - Mend

@credo-ts/anoncreds 0.6.1-pr-2091-20241119140918 → 0.6.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (837) hide show

package/build/formats/DataIntegrityDidCommCredentialFormatService.mjs ADDED Viewed

@@ -0,0 +1,587 @@
+import { AnonCredsCredentialDefinitionRepository } from "../repository/AnonCredsCredentialDefinitionRepository.mjs";
+import { AnonCredsRevocationRegistryState } from "../repository/AnonCredsRevocationRegistryDefinitionPrivateRecord.mjs";
+import { AnonCredsRevocationRegistryDefinitionPrivateRepository } from "../repository/AnonCredsRevocationRegistryDefinitionPrivateRepository.mjs";
+import "../repository/index.mjs";
+import { AnonCredsHolderServiceSymbol } from "../services/AnonCredsHolderService.mjs";
+import { AnonCredsIssuerServiceSymbol } from "../services/AnonCredsIssuerService.mjs";
+import "../services/index.mjs";
+import { fetchCredentialDefinition, fetchRevocationRegistryDefinition, fetchRevocationStatusList, fetchSchema } from "../utils/anonCredsObjects.mjs";
+import { assertAttributesMatch, convertAttributesToCredentialValues } from "../utils/credential.mjs";
+import { dateToTimestamp } from "../utils/timestamp.mjs";
+import { AnonCredsCredentialMetadataKey, AnonCredsCredentialRequestMetadataKey } from "../utils/metadata.mjs";
+import { getAnonCredsTagsFromRecord } from "../utils/w3cAnonCredsUtils.mjs";
+import "../utils/index.mjs";
+import { ClaimFormat, CredoError, DidsApi, JsonEncoder, JsonTransformer, JwsService, JwtPayload, Kms, SignatureSuiteRegistry, TypedArrayEncoder, W3cCredential, W3cCredentialRecord, W3cCredentialService, W3cCredentialSubject, W3cJsonLdVerifiableCredential, deepEquality, getPublicJwkFromVerificationMethod, parseDid } from "@credo-ts/core";
+import { DataIntegrityCredentialOffer, DidCommAttachment, DidCommAttachmentData, DidCommCredentialFormatSpec, DidCommCredentialPreviewAttribute, DidCommCredentialProblemReportReason, DidCommProblemReportError } from "@credo-ts/didcomm";
+//#region src/formats/DataIntegrityDidCommCredentialFormatService.ts
+const W3C_DATA_INTEGRITY_CREDENTIAL_OFFER = "didcomm/w3c-di-vc-offer@v0.1";
+const W3C_DATA_INTEGRITY_CREDENTIAL_REQUEST = "didcomm/w3c-di-vc-request@v0.1";
+const W3C_DATA_INTEGRITY_CREDENTIAL = "didcomm/w3c-di-vc@v0.1";
+var DataIntegrityDidCommCredentialFormatService = class {
+	constructor() {
+		this.formatKey = "dataIntegrity";
+		this.credentialRecordType = "w3c";
+	}
+	/**
+	* Create a {@link AttachmentFormats} object dependent on the message type.
+	*
+	* @param options The object containing all the options for the proposed credential
+	* @returns object containing associated attachment, format and optionally the credential preview
+	*
+	*/
+	async createProposal(_agentContext, options) {
+		throw new CredoError("Not defined");
+	}
+	async processProposal(_agentContext, options) {
+		throw new CredoError("Not defined");
+	}
+	async acceptProposal(_agentContext, _input) {
+		throw new CredoError("Not defined");
+	}
+	/**
+	* Create a credential attachment format for a credential request.
+	*
+	* @param options The object containing all the options for the credential offer
+	* @returns object containing associated attachment, formats and offersAttach elements
+	*
+	*/
+	async createOffer(agentContext, { credentialFormats, credentialExchangeRecord, attachmentId }) {
+		const dataIntegrityFormat = credentialFormats.dataIntegrity;
+		if (!dataIntegrityFormat) throw new CredoError("Missing data integrity credential format data");
+		const format = new DidCommCredentialFormatSpec({
+			attachmentId,
+			format: W3C_DATA_INTEGRITY_CREDENTIAL_OFFER
+		});
+		if ("proof" in dataIntegrityFormat.credential) throw new CredoError("The offered credential MUST NOT contain any proofs.");
+		const { dataIntegrityCredentialOffer, previewAttributes } = await this.createDataIntegrityCredentialOffer(agentContext, credentialExchangeRecord, dataIntegrityFormat);
+		return {
+			format,
+			attachment: this.getFormatData(JsonTransformer.toJSON(dataIntegrityCredentialOffer), format.attachmentId),
+			previewAttributes
+		};
+	}
+	getCredentialVersion(credentialJson) {
+		const context = credentialJson["@context"];
+		if (!context || !Array.isArray(context)) throw new CredoError("Invalid @context in credential offer");
+		const isV1Credential = context.find((c) => c === "https://www.w3.org/2018/credentials/v1");
+		const isV2Credential = context.find((c) => c === "https://www.w3.org/ns/credentials/v2");
+		if (isV1Credential) return "1.1";
+		if (isV2Credential) throw new CredoError("Received w3c credential with unsupported version 2.0.");
+		throw new CredoError("Cannot determine credential version from @context");
+	}
+	async processOffer(agentContext, { attachment, credentialExchangeRecord }) {
+		agentContext.config.logger.debug(`Processing data integrity credential offer for credential record ${credentialExchangeRecord.id}`);
+		const dataIntegrityCredentialOffer = JsonTransformer.fromJSON(attachment.getDataAsJson(), DataIntegrityCredentialOffer);
+		const credentialJson = dataIntegrityCredentialOffer.credential;
+		const credentialVersion = this.getCredentialVersion(credentialJson);
+		const credentialToBeValidated = {
+			...credentialJson,
+			issuer: credentialJson.issuer ?? "https://example.com",
+			...credentialVersion === "1.1" ? { issuanceDate: (/* @__PURE__ */ new Date()).toISOString() } : { validFrom: (/* @__PURE__ */ new Date()).toISOString() }
+		};
+		JsonTransformer.fromJSON(credentialToBeValidated, W3cCredential);
+		if (dataIntegrityCredentialOffer.bindingRequired && !dataIntegrityCredentialOffer.bindingMethod?.anoncredsLinkSecret && !dataIntegrityCredentialOffer.bindingMethod?.didcommSignedAttachment) throw new DidCommProblemReportError("Invalid credential offer. Missing binding method.", { problemCode: DidCommCredentialProblemReportReason.IssuanceAbandoned });
+	}
+	async createSignedAttachment(agentContext, data, options, issuerSupportedAlgs) {
+		const { alg, kid } = options;
+		if (!kid.startsWith("did:")) throw new CredoError(`kid '${kid}' is not a DID. Only dids are supported for kid`);
+		if (!kid.includes("#")) throw new CredoError(`kid '${kid}' does not contain a fragment. kid MUST point to a specific key in the did document.`);
+		const parsedDid = parseDid(kid);
+		const { didDocument, keys } = await agentContext.dependencyManager.resolve(DidsApi).resolveCreatedDidDocumentWithKeys(parsedDid.did);
+		const publicJwk = getPublicJwkFromVerificationMethod(didDocument.dereferenceKey(kid));
+		const keyId = keys?.find(({ didDocumentRelativeKeyId }) => didDocumentRelativeKeyId === `#${parsedDid.fragment}`)?.kmsKeyId ?? publicJwk.legacyKeyId;
+		if (alg && !publicJwk.supportedSignatureAlgorithms.includes(alg)) throw new CredoError(`jwk ${publicJwk.jwkTypeHumanDescription}, does not support the JWS signature alg '${alg}'`);
+		const signingAlg = issuerSupportedAlgs.find((supportedAlg) => publicJwk.supportedSignatureAlgorithms.includes(supportedAlg) && (alg === void 0 || alg === supportedAlg));
+		if (!signingAlg) throw new CredoError("No signing algorithm supported by the issuer found");
+		const jws = await agentContext.dependencyManager.resolve(JwsService).createJws(agentContext, {
+			keyId,
+			header: {},
+			payload: new JwtPayload({ additionalClaims: { nonce: data.nonce } }),
+			protectedHeaderOptions: {
+				alg: signingAlg,
+				kid
+			}
+		});
+		const signedAttach = new DidCommAttachment({
+			mimeType: "application/json",
+			data: new DidCommAttachmentData({ base64: jws.payload })
+		});
+		signedAttach.addJws(jws);
+		return signedAttach;
+	}
+	async getSignedAttachmentPayload(agentContext, signedAttachment) {
+		const jws = signedAttachment.data.jws;
+		if (!jws) throw new CredoError("Missing jws in signed attachment");
+		if (!jws.protected) throw new CredoError("Missing protected header in signed attachment");
+		if (!signedAttachment.data.base64) throw new CredoError("Missing payload in signed attachment");
+		const { isValid } = await agentContext.dependencyManager.resolve(JwsService).verifyJws(agentContext, {
+			jws: {
+				header: jws.header,
+				protected: jws.protected,
+				signature: jws.signature,
+				payload: signedAttachment.data.base64
+			},
+			allowedJwsSignerMethods: ["did"],
+			resolveJwsSigner: async ({ protectedHeader: { kid, alg } }) => {
+				if (!kid || typeof kid !== "string") throw new CredoError("Missing kid in protected header.");
+				if (!kid.startsWith("did:")) throw new CredoError("Only did is supported for kid identifier");
+				return {
+					alg,
+					method: "did",
+					didUrl: kid,
+					jwk: getPublicJwkFromVerificationMethod((await agentContext.dependencyManager.resolve(DidsApi).resolveDidDocument(kid)).dereferenceKey(kid))
+				};
+			}
+		});
+		if (!isValid) throw new CredoError("Failed to validate signature of signed attachment");
+		const payload = JsonEncoder.fromBase64(signedAttachment.data.base64);
+		if (!payload.nonce || typeof payload.nonce !== "string") throw new CredoError("Invalid payload in signed attachment");
+		return payload;
+	}
+	async acceptOffer(agentContext, { credentialExchangeRecord, attachmentId, offerAttachment, credentialFormats }) {
+		const dataIntegrityFormat = credentialFormats?.dataIntegrity;
+		const credentialOffer = JsonTransformer.fromJSON(offerAttachment.getDataAsJson(), DataIntegrityCredentialOffer);
+		let anonCredsLinkSecretDataIntegrityBindingProof;
+		const autoAcceptOfferWithAnonCredsLinkSecretMethod = credentialOffer.bindingRequired && !dataIntegrityFormat?.didCommSignedAttachment && credentialOffer.bindingMethod?.anoncredsLinkSecret;
+		if (dataIntegrityFormat?.anonCredsLinkSecret || autoAcceptOfferWithAnonCredsLinkSecretMethod) {
+			if (!credentialOffer.bindingMethod?.anoncredsLinkSecret) throw new CredoError("Cannot request credential with a binding method that was not offered.");
+			const anonCredsHolderService = agentContext.dependencyManager.resolve(AnonCredsHolderServiceSymbol);
+			const credentialDefinitionId = credentialOffer.bindingMethod.anoncredsLinkSecret.credentialDefinitionId;
+			const credentialDefinitionReturn = await fetchCredentialDefinition(agentContext, credentialDefinitionId);
+			const { credentialRequest: anonCredsCredentialRequest, credentialRequestMetadata: anonCredsCredentialRequestMetadata } = await anonCredsHolderService.createCredentialRequest(agentContext, {
+				credentialOffer: {
+					schema_id: credentialDefinitionReturn.credentialDefinition.schemaId,
+					cred_def_id: credentialOffer.bindingMethod.anoncredsLinkSecret.credentialDefinitionId,
+					key_correctness_proof: credentialOffer.bindingMethod.anoncredsLinkSecret.keyCorrectnessProof,
+					nonce: credentialOffer.bindingMethod.anoncredsLinkSecret.nonce
+				},
+				credentialDefinition: credentialDefinitionReturn.credentialDefinition,
+				linkSecretId: dataIntegrityFormat?.anonCredsLinkSecret?.linkSecretId
+			});
+			if (!anonCredsCredentialRequest.entropy) throw new CredoError("Missing entropy for anonCredsCredentialRequest");
+			anonCredsLinkSecretDataIntegrityBindingProof = anonCredsCredentialRequest;
+			credentialExchangeRecord.metadata.set(AnonCredsCredentialMetadataKey, {
+				credentialDefinitionId: credentialOffer.bindingMethod.anoncredsLinkSecret.credentialDefinitionId,
+				schemaId: credentialDefinitionReturn.credentialDefinition.schemaId
+			});
+			credentialExchangeRecord.metadata.set(AnonCredsCredentialRequestMetadataKey, anonCredsCredentialRequestMetadata);
+		}
+		let didCommSignedAttachmentBindingProof;
+		let didCommSignedAttachment;
+		if (dataIntegrityFormat?.didCommSignedAttachment) {
+			if (!credentialOffer.bindingMethod?.didcommSignedAttachment) throw new CredoError("Cannot request credential with a binding method that was not offered.");
+			didCommSignedAttachment = await this.createSignedAttachment(agentContext, { nonce: credentialOffer.bindingMethod.didcommSignedAttachment.nonce }, dataIntegrityFormat.didCommSignedAttachment, credentialOffer.bindingMethod.didcommSignedAttachment.algsSupported);
+			didCommSignedAttachmentBindingProof = { attachment_id: didCommSignedAttachment.id };
+		}
+		const bindingProof = !anonCredsLinkSecretDataIntegrityBindingProof && !didCommSignedAttachmentBindingProof ? void 0 : {
+			anoncreds_link_secret: anonCredsLinkSecretDataIntegrityBindingProof,
+			didcomm_signed_attachment: didCommSignedAttachmentBindingProof
+		};
+		if (credentialOffer.bindingRequired && !bindingProof) throw new CredoError("Missing required binding proof");
+		const dataModelVersion = dataIntegrityFormat?.dataModelVersion ?? credentialOffer.dataModelVersionsSupported[0];
+		if (!credentialOffer.dataModelVersionsSupported.includes(dataModelVersion)) throw new CredoError("Cannot request credential with a data model version that was not offered.");
+		const credentialRequest = {
+			data_model_version: dataModelVersion,
+			binding_proof: bindingProof
+		};
+		const format = new DidCommCredentialFormatSpec({
+			attachmentId,
+			format: W3C_DATA_INTEGRITY_CREDENTIAL_REQUEST
+		});
+		return {
+			format,
+			attachment: this.getFormatData(credentialRequest, format.attachmentId),
+			appendAttachments: didCommSignedAttachment ? [didCommSignedAttachment] : void 0
+		};
+	}
+	/**
+	* Starting from a request is not supported for anoncreds credentials, this method only throws an error.
+	*/
+	async createRequest() {
+		throw new CredoError("Starting from a request is not supported for w3c credentials");
+	}
+	/**
+	* We don't have any models to validate an anoncreds request object, for now this method does nothing
+	*/
+	async processRequest(_agentContext, _options) {}
+	async createCredentialWithAnonCredsDataIntegrityProof(agentContext, input) {
+		const { credentialExchangeRecord, anonCredsLinkSecretBindingMethod, anonCredsLinkSecretBindingProof, linkSecretMetadata, credentialSubjectId } = input;
+		const credentialAttributes = credentialExchangeRecord.credentialAttributes;
+		if (!credentialAttributes) throw new CredoError(`Missing required credential attribute values on credential record with id ${credentialExchangeRecord.id}`);
+		const credentialSubjectIdAttribute = credentialAttributes.find((ca) => ca.name === "id");
+		if (credentialSubjectId && credentialSubjectIdAttribute && credentialSubjectIdAttribute.value !== credentialSubjectId) throw new CredoError("Invalid credential subject id.");
+		if (!credentialSubjectIdAttribute && credentialSubjectId) credentialAttributes.push(new DidCommCredentialPreviewAttribute({
+			name: "id",
+			value: credentialSubjectId
+		}));
+		const anonCredsIssuerService = agentContext.dependencyManager.resolve(AnonCredsIssuerServiceSymbol);
+		const credentialDefinition = (await agentContext.dependencyManager.resolve(AnonCredsCredentialDefinitionRepository).getByCredentialDefinitionId(agentContext, linkSecretMetadata.credentialDefinitionId)).credentialDefinition.value;
+		let revocationRegistryDefinitionId;
+		let revocationRegistryIndex;
+		let revocationStatusList;
+		if (credentialDefinition.revocation) {
+			const { credentialRevocationId, revocationRegistryId } = linkSecretMetadata;
+			if (!credentialRevocationId || !revocationRegistryId) throw new CredoError("Revocation registry definition id and revocation index are mandatory to issue AnonCreds revocable credentials");
+			revocationRegistryDefinitionId = revocationRegistryId;
+			revocationRegistryIndex = Number(credentialRevocationId);
+			const revocationRegistryDefinitionPrivateRecord = await agentContext.dependencyManager.resolve(AnonCredsRevocationRegistryDefinitionPrivateRepository).getByRevocationRegistryDefinitionId(agentContext, revocationRegistryDefinitionId);
+			if (revocationRegistryDefinitionPrivateRecord.state !== AnonCredsRevocationRegistryState.Active) throw new CredoError(`Revocation registry ${revocationRegistryDefinitionId} is in ${revocationRegistryDefinitionPrivateRecord.state} state`);
+			revocationStatusList = (await fetchRevocationStatusList(agentContext, revocationRegistryDefinitionId, dateToTimestamp(/* @__PURE__ */ new Date()))).revocationStatusList;
+		}
+		const { credential } = await anonCredsIssuerService.createCredential(agentContext, {
+			credentialOffer: {
+				schema_id: linkSecretMetadata.schemaId,
+				cred_def_id: anonCredsLinkSecretBindingMethod.credentialDefinitionId,
+				key_correctness_proof: anonCredsLinkSecretBindingMethod.keyCorrectnessProof,
+				nonce: anonCredsLinkSecretBindingMethod.nonce
+			},
+			credentialRequest: anonCredsLinkSecretBindingProof,
+			credentialValues: convertAttributesToCredentialValues(credentialAttributes),
+			revocationRegistryDefinitionId,
+			revocationRegistryIndex,
+			revocationStatusList
+		});
+		const { credentialDefinition: anoncredsCredentialDefinition } = await fetchCredentialDefinition(agentContext, credential.cred_def_id);
+		return await agentContext.dependencyManager.resolve(AnonCredsHolderServiceSymbol).legacyToW3cCredential(agentContext, {
+			credential,
+			issuerId: anoncredsCredentialDefinition.issuerId
+		});
+	}
+	async getSignatureMetadata(agentContext, offeredCredential, issuerVerificationMethod) {
+		const didDocument = await agentContext.dependencyManager.resolve(DidsApi).resolveDidDocument(offeredCredential.issuerId);
+		let verificationMethod;
+		if (issuerVerificationMethod) verificationMethod = didDocument.dereferenceKey(issuerVerificationMethod, ["authentication", "assertionMethod"]);
+		else {
+			const vms = didDocument.authentication ?? didDocument.assertionMethod ?? didDocument.verificationMethod;
+			if (!vms || vms.length === 0) throw new CredoError("Missing authenticationMethod, assertionMethod, and verificationMethods in did document");
+			if (typeof vms[0] === "string") verificationMethod = didDocument.dereferenceVerificationMethod(vms[0]);
+			else verificationMethod = vms[0];
+		}
+		const signatureSuite = agentContext.dependencyManager.resolve(SignatureSuiteRegistry).getByVerificationMethodType(verificationMethod.type);
+		if (!signatureSuite) throw new CredoError(`Could not find signature suite for verification method type ${verificationMethod.type}`);
+		return {
+			verificationMethod,
+			signatureSuite,
+			offeredCredential
+		};
+	}
+	async assertAndSetCredentialSubjectId(credential, credentialSubjectId) {
+		if (!credentialSubjectId) return credential;
+		if (Array.isArray(credential.credentialSubject)) throw new CredoError("Invalid credential subject relation. Cannot determine the subject to be updated.");
+		const subjectId = credential.credentialSubject.id;
+		if (subjectId && credentialSubjectId !== subjectId) throw new CredoError("Invalid credential subject id.");
+		if (!subjectId) credential.credentialSubject.id = credentialSubjectId;
+		return credential;
+	}
+	async signCredential(agentContext, credential, issuerVerificationMethod) {
+		const { signatureSuite, verificationMethod } = await this.getSignatureMetadata(agentContext, credential, issuerVerificationMethod);
+		const w3cCredentialService = agentContext.dependencyManager.resolve(W3cCredentialService);
+		let credentialToBeSigned = credential;
+		if (credential instanceof W3cJsonLdVerifiableCredential) {
+			const { proof, ..._credentialToBeSigned } = credential;
+			credentialToBeSigned = _credentialToBeSigned;
+		}
+		const w3cJsonLdVerifiableCredential = await w3cCredentialService.signCredential(agentContext, {
+			format: ClaimFormat.LdpVc,
+			credential: credentialToBeSigned,
+			proofType: signatureSuite.proofType,
+			verificationMethod: verificationMethod.id
+		});
+		if (Array.isArray(w3cJsonLdVerifiableCredential.proof)) throw new CredoError("A newly signed credential can not have multiple proofs");
+		if (credential instanceof W3cJsonLdVerifiableCredential) {
+			const combinedProofs = Array.isArray(credential.proof) ? credential.proof : [credential.proof];
+			combinedProofs.push(w3cJsonLdVerifiableCredential.proof);
+			w3cJsonLdVerifiableCredential.proof = combinedProofs;
+		}
+		return w3cJsonLdVerifiableCredential;
+	}
+	async acceptRequest(agentContext, { credentialFormats, credentialExchangeRecord, attachmentId, offerAttachment, requestAttachment, requestAppendAttachments }) {
+		const dataIntegrityFormat = credentialFormats?.dataIntegrity;
+		const credentialOffer = JsonTransformer.fromJSON(offerAttachment?.getDataAsJson(), DataIntegrityCredentialOffer);
+		const assertedCredential = await this.assertAndSetCredentialSubjectId(JsonTransformer.fromJSON(credentialOffer.credential, W3cCredential), dataIntegrityFormat?.credentialSubjectId);
+		const credentialRequest = requestAttachment.getDataAsJson();
+		if (!credentialRequest) throw new CredoError("Missing data integrity credential request in createCredential");
+		let signedCredential;
+		if (credentialRequest.binding_proof?.anoncreds_link_secret) {
+			if (!credentialOffer.bindingMethod?.anoncredsLinkSecret) throw new CredoError("Cannot issue credential with a binding method that was not offered");
+			const linkSecretMetadata = credentialExchangeRecord.metadata.get(AnonCredsCredentialMetadataKey);
+			if (!linkSecretMetadata) throw new CredoError("Missing anoncreds link secret metadata");
+			signedCredential = await this.createCredentialWithAnonCredsDataIntegrityProof(agentContext, {
+				credentialExchangeRecord,
+				anonCredsLinkSecretBindingMethod: credentialOffer.bindingMethod.anoncredsLinkSecret,
+				linkSecretMetadata,
+				anonCredsLinkSecretBindingProof: credentialRequest.binding_proof.anoncreds_link_secret,
+				credentialSubjectId: dataIntegrityFormat?.credentialSubjectId
+			});
+		}
+		if (credentialRequest.binding_proof?.didcomm_signed_attachment) {
+			if (!credentialOffer.bindingMethod?.didcommSignedAttachment) throw new CredoError("Cannot issue credential with a binding method that was not offered");
+			const bindingProofAttachment = requestAppendAttachments?.find((attachments) => attachments.id === credentialRequest.binding_proof?.didcomm_signed_attachment?.attachment_id);
+			if (!bindingProofAttachment) throw new CredoError("Missing binding proof attachment");
+			const { nonce } = await this.getSignedAttachmentPayload(agentContext, bindingProofAttachment);
+			if (nonce !== credentialOffer.bindingMethod.didcommSignedAttachment.nonce) throw new CredoError("Invalid nonce in signed attachment");
+			signedCredential = await this.signCredential(agentContext, signedCredential ?? assertedCredential, dataIntegrityFormat?.issuerVerificationMethod);
+		}
+		if (!credentialRequest.binding_proof?.anoncreds_link_secret && !credentialRequest.binding_proof?.didcomm_signed_attachment) signedCredential = await this.signCredential(agentContext, assertedCredential);
+		const format = new DidCommCredentialFormatSpec({
+			attachmentId,
+			format: W3C_DATA_INTEGRITY_CREDENTIAL
+		});
+		return {
+			format,
+			attachment: this.getFormatData({ credential: JsonTransformer.toJSON(signedCredential) }, format.attachmentId)
+		};
+	}
+	async storeAnonCredsCredential(agentContext, credentialJson, credentialExchangeRecord, linkSecretRequestMetadata) {
+		if (!credentialExchangeRecord.credentialAttributes) throw new CredoError("Missing credential attributes on credential record. Unable to check credential attributes");
+		const anonCredsHolderService = agentContext.dependencyManager.resolve(AnonCredsHolderServiceSymbol);
+		const legacyAnonCredsCredential = await anonCredsHolderService.w3cToLegacyCredential(agentContext, { credential: JsonTransformer.fromJSON(credentialJson, W3cJsonLdVerifiableCredential) });
+		const { schema_id: schemaId, cred_def_id: credentialDefinitionId, rev_reg_id: revocationRegistryId } = legacyAnonCredsCredential;
+		const schemaReturn = await fetchSchema(agentContext, schemaId);
+		const credentialDefinitionReturn = await fetchCredentialDefinition(agentContext, credentialDefinitionId);
+		const revocationRegistryDefinitionReturn = revocationRegistryId ? await fetchRevocationRegistryDefinition(agentContext, revocationRegistryId) : void 0;
+		const w3cJsonLdVerifiableCredential = await anonCredsHolderService.legacyToW3cCredential(agentContext, {
+			credential: legacyAnonCredsCredential,
+			issuerId: credentialJson.issuer,
+			processOptions: {
+				credentialRequestMetadata: linkSecretRequestMetadata,
+				credentialDefinition: credentialDefinitionReturn.credentialDefinition,
+				revocationRegistryDefinition: revocationRegistryDefinitionReturn?.revocationRegistryDefinition
+			}
+		});
+		const w3cCredentialRecordId = await anonCredsHolderService.storeCredential(agentContext, {
+			credential: w3cJsonLdVerifiableCredential,
+			schema: schemaReturn.schema,
+			credentialDefinitionId,
+			credentialDefinition: credentialDefinitionReturn.credentialDefinition,
+			credentialRequestMetadata: linkSecretRequestMetadata,
+			revocationRegistry: revocationRegistryDefinitionReturn ? {
+				id: revocationRegistryId,
+				definition: revocationRegistryDefinitionReturn?.revocationRegistryDefinition
+			} : void 0
+		});
+		const w3cCredentialRecord = await agentContext.dependencyManager.resolve(W3cCredentialService).getCredentialRecordById(agentContext, w3cCredentialRecordId);
+		if (revocationRegistryId) {
+			const linkSecretMetadata = credentialExchangeRecord.metadata.get(AnonCredsCredentialMetadataKey);
+			if (!linkSecretMetadata) throw new CredoError("Missing link secret metadata");
+			const anonCredsTags = await getAnonCredsTagsFromRecord(w3cCredentialRecord);
+			if (!anonCredsTags) throw new CredoError("Missing anoncreds tags on credential record.");
+			linkSecretMetadata.revocationRegistryId = revocationRegistryDefinitionReturn?.revocationRegistryDefinitionId;
+			linkSecretMetadata.credentialRevocationId = anonCredsTags.anonCredsCredentialRevocationId?.toString();
+			credentialExchangeRecord.metadata.set(AnonCredsCredentialMetadataKey, linkSecretMetadata);
+		}
+		return w3cCredentialRecord;
+	}
+	/**
+	* Processes an incoming credential - retrieve metadata, retrieve payload and store it in wallet
+	* @param options the issue credential message wrapped inside this object
+	* @param credentialExchangeRecord the credential exchange record for this credential
+	*/
+	async processCredential(agentContext, { credentialExchangeRecord, attachment, requestAttachment, offerAttachment }) {
+		const offeredCredentialJson = JsonTransformer.fromJSON(offerAttachment.getDataAsJson(), DataIntegrityCredentialOffer).credential;
+		const credentialRequest = requestAttachment.getDataAsJson();
+		if (!credentialRequest) throw new CredoError("Missing data integrity credential request in createCredential");
+		if (!credentialExchangeRecord.credentialAttributes) throw new CredoError("Missing credential attributes on credential record.");
+		const { credential: credentialJson } = attachment.getDataAsJson();
+		if (Array.isArray(offeredCredentialJson.credentialSubject)) throw new CredoError("Invalid credential subject. Multiple credential subjects are not yet supported.");
+		if (!Object.entries(offeredCredentialJson.credentialSubject).every(([key, offeredValue]) => {
+			const receivedValue = credentialJson.credentialSubject[key];
+			if (!offeredValue || !receivedValue) return false;
+			if (typeof offeredValue === "number" || typeof receivedValue === "number") return offeredValue.toString() === receivedValue.toString();
+			return deepEquality(offeredValue, receivedValue);
+		})) throw new CredoError("Received invalid credential. Received credential subject does not match the offered credential subject.");
+		const credentialVersion = this.getCredentialVersion(credentialJson);
+		if (!deepEquality(credentialJson, {
+			...offeredCredentialJson,
+			"@context": credentialJson["@context"],
+			issuer: offeredCredentialJson.issuer ?? credentialJson.issuer,
+			credentialSubject: credentialJson.credentialSubject,
+			...credentialVersion === "1.1" && { issuanceDate: credentialJson.issuanceDate },
+			...credentialVersion === "2.0" && { validFrom: credentialJson.validFrom },
+			...offeredCredentialJson.credentialStatus && { credentialStatus: credentialJson.credentialStatus },
+			proof: credentialJson.proof
+		})) throw new CredoError("Received invalid credential. Received credential does not match the offered credential");
+		let w3cCredentialRecord;
+		if (credentialRequest.binding_proof?.anoncreds_link_secret) {
+			const linkSecretRequestMetadata = credentialExchangeRecord.metadata.get(AnonCredsCredentialRequestMetadataKey);
+			if (!linkSecretRequestMetadata) throw new CredoError("Missing link secret request metadata");
+			const integrityProtectedFields = [
+				"@context",
+				"issuer",
+				"type",
+				"credentialSubject",
+				"validFrom",
+				"issuanceDate"
+			];
+			if (Object.keys(offeredCredentialJson).some((key) => !integrityProtectedFields.includes(key) && key !== "proof")) throw new CredoError("Credential offer contains non anoncreds integrity protected fields.");
+			if (!Array.isArray(offeredCredentialJson.type) || offeredCredentialJson?.type.length !== 1) throw new CredoError(`Invalid credential type. Only single credential type 'VerifiableCredential' is supported`);
+			w3cCredentialRecord = await this.storeAnonCredsCredential(agentContext, credentialJson, credentialExchangeRecord, linkSecretRequestMetadata);
+			await this.assertCredentialAttributesMatchSchemaAttributes(agentContext, w3cCredentialRecord.firstCredential, getAnonCredsTagsFromRecord(w3cCredentialRecord)?.anonCredsSchemaId, true);
+		} else {
+			const w3cCredentialService = agentContext.dependencyManager.resolve(W3cCredentialService);
+			const w3cJsonLdVerifiableCredential = JsonTransformer.fromJSON(credentialJson, W3cJsonLdVerifiableCredential);
+			w3cCredentialRecord = await w3cCredentialService.storeCredential(agentContext, { record: W3cCredentialRecord.fromCredential(w3cJsonLdVerifiableCredential) });
+		}
+		credentialExchangeRecord.credentials.push({
+			credentialRecordType: this.credentialRecordType,
+			credentialRecordId: w3cCredentialRecord.id
+		});
+	}
+	supportsFormat(format) {
+		return [
+			W3C_DATA_INTEGRITY_CREDENTIAL_REQUEST,
+			W3C_DATA_INTEGRITY_CREDENTIAL_OFFER,
+			W3C_DATA_INTEGRITY_CREDENTIAL
+		].includes(format);
+	}
+	/**
+	* Gets the attachment object for a given attachmentId. We need to get out the correct attachmentId for
+	* anoncreds and then find the corresponding attachment (if there is one)
+	* @param formats the formats object containing the attachmentId
+	* @param messageAttachments the attachments containing the payload
+	* @returns The DidCommAttachment if found or undefined
+	*
+	*/
+	getAttachment(formats, messageAttachments) {
+		const supportedAttachmentIds = formats.filter((f) => this.supportsFormat(f.format)).map((f) => f.attachmentId);
+		return messageAttachments.find((attachment) => supportedAttachmentIds.includes(attachment.id));
+	}
+	async deleteCredentialById(agentContext, credentialRecordId) {
+		await agentContext.dependencyManager.resolve(AnonCredsHolderServiceSymbol).deleteCredential(agentContext, credentialRecordId);
+	}
+	async shouldAutoRespondToProposal(_agentContext, options) {
+		throw new CredoError("Not implemented");
+	}
+	async shouldAutoRespondToOffer(_agentContext, { offerAttachment }) {
+		if (!JsonTransformer.fromJSON(offerAttachment.getDataAsJson(), DataIntegrityCredentialOffer).bindingRequired) return true;
+		return false;
+	}
+	async shouldAutoRespondToRequest(_agentContext, { offerAttachment, requestAttachment }) {
+		const credentialOffer = JsonTransformer.fromJSON(offerAttachment?.getDataAsJson(), DataIntegrityCredentialOffer);
+		const credentialRequest = requestAttachment.getDataAsJson();
+		if (!credentialOffer.bindingRequired && !credentialRequest.binding_proof?.anoncreds_link_secret && !credentialRequest.binding_proof?.didcomm_signed_attachment) return true;
+		if (credentialOffer.bindingRequired && !credentialRequest.binding_proof?.anoncreds_link_secret && !credentialRequest.binding_proof?.didcomm_signed_attachment) return false;
+		if (credentialRequest.binding_proof?.didcomm_signed_attachment) try {
+			const subjectJson = credentialOffer.credential.credentialSubject;
+			if (JsonTransformer.fromJSON(subjectJson, W3cCredentialSubject).id === void 0) return false;
+		} catch (_e) {
+			return false;
+		}
+		const validLinkSecretRequest = !credentialRequest.binding_proof?.anoncreds_link_secret || credentialRequest.binding_proof?.anoncreds_link_secret && credentialOffer.bindingMethod?.anoncredsLinkSecret;
+		const validDidCommSignedAttachmetRequest = !credentialRequest.binding_proof?.didcomm_signed_attachment || credentialRequest.binding_proof?.didcomm_signed_attachment && credentialOffer.bindingMethod?.didcommSignedAttachment;
+		return Boolean(validLinkSecretRequest && validDidCommSignedAttachmetRequest);
+	}
+	async shouldAutoRespondToCredential(_agentContext, options) {
+		return true;
+	}
+	async createDataIntegrityCredentialOffer(agentContext, credentialExchangeRecord, options) {
+		const { bindingRequired, credential, anonCredsLinkSecretBinding: anonCredsLinkSecretBindingMethodOptions, didCommSignedAttachmentBinding: didCommSignedAttachmentBindingMethodOptions } = options;
+		const dataModelVersionsSupported = ["1.1"];
+		const credentialJson = credential instanceof W3cCredential ? JsonTransformer.toJSON(credential) : credential;
+		const validW3cCredential = JsonTransformer.fromJSON(credentialJson, W3cCredential);
+		const previewAttributes = this.previewAttributesFromCredential(validW3cCredential);
+		let anonCredsLinkSecretBindingMethod;
+		if (anonCredsLinkSecretBindingMethodOptions) {
+			const { credentialDefinitionId, revocationRegistryDefinitionId, revocationRegistryIndex } = anonCredsLinkSecretBindingMethodOptions;
+			const anoncredsCredentialOffer = await agentContext.dependencyManager.resolve(AnonCredsIssuerServiceSymbol).createCredentialOffer(agentContext, { credentialDefinitionId });
+			const { credentialDefinition } = await agentContext.dependencyManager.resolve(AnonCredsCredentialDefinitionRepository).getByCredentialDefinitionId(agentContext, anoncredsCredentialOffer.cred_def_id);
+			if (credentialDefinition.value.revocation) {
+				if (!revocationRegistryDefinitionId || !revocationRegistryIndex) throw new CredoError("AnonCreds revocable credentials require revocationRegistryDefinitionId and revocationRegistryIndex");
+				credentialExchangeRecord.setTags({
+					anonCredsRevocationRegistryId: revocationRegistryDefinitionId,
+					anonCredsCredentialRevocationId: revocationRegistryIndex.toString()
+				});
+			}
+			await this.assertCredentialAttributesMatchSchemaAttributes(agentContext, validW3cCredential, credentialDefinition.schemaId, false);
+			anonCredsLinkSecretBindingMethod = {
+				credentialDefinitionId: anoncredsCredentialOffer.cred_def_id,
+				keyCorrectnessProof: anoncredsCredentialOffer.key_correctness_proof,
+				nonce: anoncredsCredentialOffer.nonce
+			};
+			credentialExchangeRecord.metadata.set(AnonCredsCredentialMetadataKey, {
+				schemaId: anoncredsCredentialOffer.schema_id,
+				credentialDefinitionId,
+				credentialRevocationId: revocationRegistryIndex?.toString(),
+				revocationRegistryId: revocationRegistryDefinitionId
+			});
+		}
+		let didCommSignedAttachmentBindingMethod;
+		if (didCommSignedAttachmentBindingMethodOptions) {
+			const kms = agentContext.dependencyManager.resolve(Kms.KeyManagementApi);
+			const { didMethodsSupported, algsSupported } = didCommSignedAttachmentBindingMethodOptions;
+			didCommSignedAttachmentBindingMethod = {
+				didMethodsSupported: didMethodsSupported ?? agentContext.dependencyManager.resolve(DidsApi).supportedResolverMethods,
+				algsSupported: algsSupported ?? this.getSupportedJwaSignatureAlgorithms(agentContext),
+				nonce: TypedArrayEncoder.toBase64URL(kms.randomBytes({ length: 32 }))
+			};
+			if (didCommSignedAttachmentBindingMethod.algsSupported.length === 0) throw new CredoError("No supported JWA signature algorithms found.");
+			if (didCommSignedAttachmentBindingMethod.didMethodsSupported.length === 0) throw new CredoError("No supported DID methods found.");
+		}
+		if (bindingRequired && !anonCredsLinkSecretBindingMethod && !didCommSignedAttachmentBindingMethod) throw new CredoError("Missing required binding method.");
+		return {
+			dataIntegrityCredentialOffer: new DataIntegrityCredentialOffer({
+				dataModelVersionsSupported,
+				bindingRequired,
+				bindingMethod: {
+					anoncredsLinkSecret: anonCredsLinkSecretBindingMethod,
+					didcommSignedAttachment: didCommSignedAttachmentBindingMethod
+				},
+				credential: credentialJson
+			}),
+			previewAttributes
+		};
+	}
+	previewAttributesFromCredential(credential) {
+		if (Array.isArray(credential.credentialSubject)) throw new CredoError("Credential subject must be an object.");
+		const claims = {
+			...credential.credentialSubject.claims,
+			...credential.credentialSubject.id && { id: credential.credentialSubject.id }
+		};
+		return Object.entries(claims).map(([key, value]) => {
+			return {
+				name: key,
+				value: value.toString()
+			};
+		});
+	}
+	async assertCredentialAttributesMatchSchemaAttributes(agentContext, credential, schemaId, credentialSubjectIdMustBeSet) {
+		const attributes = this.previewAttributesFromCredential(credential);
+		const schemaReturn = await fetchSchema(agentContext, schemaId);
+		const enhancedAttributes = [...attributes];
+		if (!credentialSubjectIdMustBeSet && schemaReturn.schema.attrNames.includes("id") && attributes.find((attr) => attr.name === "id") === void 0) enhancedAttributes.push({
+			name: "id",
+			value: "mock"
+		});
+		assertAttributesMatch(schemaReturn.schema, enhancedAttributes);
+		return { attributes };
+	}
+	/**
+	* Returns an object of type {@link DidCommAttachment} for use in credential exchange messages.
+	* It looks up the correct format identifier and encodes the data as a base64 attachment.
+	*
+	* @param data The data to include in the attach object
+	* @param id the attach id from the formats component of the message
+	*/
+	getFormatData(data, id) {
+		return new DidCommAttachment({
+			id,
+			mimeType: "application/json",
+			data: { base64: JsonEncoder.toBase64(data) }
+		});
+	}
+	/**
+	* Returns the JWA Signature Algorithms that are supported by the agent.
+	*/
+	getSupportedJwaSignatureAlgorithms(agentContext) {
+		const kms = agentContext.dependencyManager.resolve(Kms.KeyManagementApi);
+		return Object.values(Kms.KnownJwaSignatureAlgorithms).filter((algorithm) => kms.supportedBackendsForOperation({
+			operation: "sign",
+			algorithm
+		}).length > 0);
+	}
+};
+//#endregion
+export { DataIntegrityDidCommCredentialFormatService };
+//# sourceMappingURL=DataIntegrityDidCommCredentialFormatService.mjs.map