npm - @credo-ts/core - Versions diffs - 0.6.2-alpha-20251211115250 → 0.6.2-alpha-20251211125338 - Mend

@credo-ts/core 0.6.2-alpha-20251211115250 → 0.6.2-alpha-20251211125338

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/build/modules/sd-jwt-vc/SdJwtVcService.d.mts CHANGED Viewed

@@ -1,7 +1,7 @@
 import { Query, QueryOptions } from "../../storage/StorageService.mjs";
 import { JsonObject } from "../../types.mjs";
 import { ClaimFormat } from "../vc/models/ClaimFormat.mjs";
-import { SdJwtVcHeader, SdJwtVcPayload, SdJwtVcPresentOptions, SdJwtVcSignOptions, SdJwtVcStoreOptions, SdJwtVcVerifyOptions } from "./SdJwtVcOptions.mjs";
+import { SdJwtVcHeader, SdJwtVcHolderBinding, SdJwtVcPayload, SdJwtVcPresentOptions, SdJwtVcSignOptions, SdJwtVcStoreOptions, SdJwtVcVerifyOptions } from "./SdJwtVcOptions.mjs";
 import { SdJwtVcTypeMetadata } from "./typeMetadata.mjs";
 import { SdJwtVcRecord } from "./repository/SdJwtVcRecord.mjs";
 import { SdJwtVcRepository } from "./repository/SdJwtVcRepository.mjs";
@@ -22,6 +22,10 @@ interface SdJwtVc<Header extends SdJwtVcHeader = SdJwtVcHeader, Payload extends
   encoded: string;
   compact: string;
   header: Header;
+  /**
+   * The holder of the credential
+   */
+  holder: SdJwtVcHolderBinding | undefined;
   payload: Payload;
   prettyClaims: Payload;
   kbJwt?: {

package/build/modules/sd-jwt-vc/SdJwtVcService.d.mts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"SdJwtVcService.d.mts","names":[],"sources":["../../../src/modules/sd-jwt-vc/SdJwtVcService.ts"],"sourcesContent":[],"mappings":";;;;;;;;;;;;;~~UA4CiB~~,uBACA,gBAAgB,+BACf,iBAAiB;;;;eAKpB,WAAA,CAAY;;;;EAPV,OAAA,EAAA,MAAO;EACP,OAAA,EAAA,MAAA;EAAgB,MAAA,EAYvB,MAZuB;EACf,OAAA,~~EAcP~~,~~OAdO~~;~~EAAiB~~,YAAA,~~EAenB~~,~~OAfmB~~;~~EAKpB~~,KAAA,CAAA,EAAA;~~IAML~~,MAAA,~~EAOE~~,~~MAPF~~,CAAA,MAAA,EAAA,OAAA,CAAA;~~IAGC~~,OAAA,~~EAKE~~,~~MALF~~,CAAA,MAAA,EAAA,OAAA,CAAA;~~EACK~~,CAAA;~~EAGJ;;;;AAcZ~~;~~EAiBa~~,QAAA,CAAA,EAAA,~~MAAc~~;~~EAGa~~,YAAA,CAAA,~~EAvBvB~~,~~mBAuBuB~~;;~~AAKtB~~,~~UAzBD~~,kBAAA,~~CAyBC~~;~~EACc~~,OAAA,EAAA,OAAA;~~EAAnB~~,iBAAA,CAAA,EAAA,OAAA;~~EACA~~,gBAAA,CAAA,EAAA,OAAA;~~EAAR~~,aAAA,CAAA,EAAA,OAAA;~~EA4D+B~~,gBAAA,CAAA,EAAA,OAAA;~~EAAgB~~,iBAAA,CAAA,EAAA,OAAA;~~EAA+B~~,yBAAA,CAAA,EAAA,OAAA;~~EAAiB~~,iBAAA,CAAA,EAAA,OAAA;~~EAEjF~~,0BAAA,CAAA,EAAA,OAAA;~~EACN~~,4BAAA,CAAA,EAAA,OAAA;;;;;~~AAgC0B~~,~~cAzG1B~~,cAAA,~~CAyG0B~~;~~EAAiB~~,QAAA,iBAAA;~~EACtC~~,WAAA,CAAA,iBAAA,~~EAvGsB~~,~~iBAuGtB~~;~~EACZ~~,IAAA,CAAA,~~gBApG8B~~,~~cAoG9B~~,CAAA,CAAA,YAAA,~~EAnGY~~,~~YAmGZ~~,EAAA,OAAA,~~EAlGO~~,~~kBAkGP~~,~~CAlG0B~~,~~OAkG1B~~,CAAA,CAAA,~~EAjGD~~,~~OAiGC~~,~~CAjGO~~,~~OAiGP~~,CAAA;~~EAAS~~,WAAA,CAAA,~~eArCqB~~,~~aAqCrB~~,~~GArCqC~~,~~aAqCrC~~,EAAA,~~gBArCoE~~,~~cAqCpE~~,~~GArCqF~~,~~cAqCrF~~,CAAA,CAAA,cAAA,EAAA,MAAA,EAAA,YAAA,CAAA,~~EAnCI~~,~~mBAmCJ~~,CAAA,~~EAlCV~~,~~OAkCU~~,~~CAlCF~~,~~MAkCE~~,~~EAlCM~~,~~OAkCN~~,CAAA;~~EAAmB~~,0BAAA,CAAA,cAAA,EAAA,MAAA,EAAA,gBAAA,~~EA9B4C~~,~~UA8B5C~~,CAAA,~~EA9ByD~~,~~OA8BzD~~;~~EAAkB~~,OAAA,CAAA,~~gBAFb~~,~~cAEa~~,~~GAFI~~,~~cAEJ~~,CAAA,CAAA,YAAA,~~EADlC~~,~~YACkC~~,EAAA;IAAA,OAAA;IAAA,iBAAA;IAAA,gBAAA;IAAA;EAAA,CAAA,~~EAAqB~~,~~qBAArB~~,~~CAA2C~~,~~OAA3C~~,CAAA,CAAA,~~EAC/C~~,~~OAD+C~~,CAAA,MAAA,CAAA;~~EAA2C~~,QAAA,uBAAA;~~EAAtB~~,MAAA,CAAA,~~eA0DpC~~,~~aA1DoC~~,~~GA0DpB~~,~~aA1DoB~~,EAAA,~~gBA0DW~~,~~cA1DX~~,~~GA0D4B~~,~~cA1D5B~~,CAAA,CAAA,YAAA,~~EA2DvD~~,~~YA3DuD~~,EAAA;IAAA,cAAA;IAAA,UAAA;IAAA,iBAAA;IAAA,iBAAA;IAAA,mBAAA;IAAA;EAAA,CAAA,~~EA4D2B~~,~~oBA5D3B~~,CAAA,~~EA6DpE~~,~~OA7DoE~~,CAAA;~~IACpE~~,OAAA,EAAA,IAAA;~~IAyDgC~~,OAAA,~~EAIL~~,~~OAJK~~,~~CAIG~~,~~MAJH~~,~~EAIW~~,~~OAJX~~,CAAA;~~EAAgB~~,CAAA,GAAA;~~IAA+B~~,OAAA,EAAA,KAAA;~~IAAiB~~,OAAA,CAAA,~~EAKnE~~,~~OALmE~~,~~CAK3D~~,~~MAL2D~~,~~EAKnD~~,~~OALmD~~,CAAA;~~IACnF~~,KAAA,~~EAIiD~~,~~KAJjD~~;~~EACZ~~,CAAA,CAAA;~~EAAgB~~,iBAAA,CAAA,YAAA,~~EAqIJ~~,~~YArII~~,EAAA,OAAA,~~EAsIT~~,~~OAtIS~~,EAAA;IAAA,sBAAA;IAAA;~~EAAkD~~,CAAA,~~CAAlD~~,EAAA;~~IAAY~~,sBAAA,CAAA,EAAA,OAAA;~~IAAmB~~,+BAAA,CAAA,EAAA,OAAA;~~EAAmB~~,CAAA,CAAA,~~EA0ImB~~,~~OA1InB~~,~~CA0ImB~~,~~mBA1InB~~,GAAA,SAAA,CAAA;~~EAAqB~~,KAAA,CAAA,YAAA,~~EAoM1D~~,~~YApM0D~~,EAAA,OAAA,~~EAoMnC~~,~~mBApMmC~~,CAAA,~~EAoMhB~~,~~OApMgB~~,~~CAoMhB~~,~~aApMgB~~,CAAA;~~EAAO~~,OAAA,CAAA,YAAA,~~EAyM/D~~,~~YAzM+D~~,EAAA,EAAA,EAAA,MAAA,CAAA,~~EAyMpC~~,~~OAzMoC~~,~~CAyM5B~~,~~aAzM4B~~,CAAA;~~EAE5D~~,MAAA,CAAA,YAAA,~~EA2MJ~~,~~YA3MI~~,CAAA,~~EA2MW~~,~~OA3MX~~,~~CA2MmB~~,~~KA3MnB~~,~~CA2MyB~~,~~aA3MzB~~,CAAA,CAAA;EAAQ,WAAA,CAAA,YAAA,~~EAgN9B~~,~~YAhN8B~~,EAAA,KAAA,~~EAiNrC~~,~~KAjNqC~~,~~CAiN/B~~,~~aAjN+B~~,CAAA,EAAA,YAAA,CAAA,~~EAkN7B~~,~~YAlN6B~~,CAAA,~~EAmN3C~~,~~OAnN2C~~,~~CAmNnC~~,~~KAnNmC~~,~~CAmN7B~~,~~aAnN6B~~,CAAA,CAAA;EAAhB,UAAA,CAAA,YAAA,~~EAuNQ~~,~~YAvNR~~,EAAA,EAAA,EAAA,MAAA,CAAA,~~EAuNgC~~,~~OAvNhC~~,CAAA,IAAA,CAAA;~~EACU~~,MAAA,CAAA,YAAA,~~EA0NN~~,~~YA1NM~~,EAAA,aAAA,~~EA0NuB~~,~~aA1NvB~~,CAAA,~~EA0NoC~~,~~OA1NpC~~,CAAA,IAAA,CAAA;~~EAAQ~~,QAAA,oBAAA;~~EAAhB~~,QAAA,yBAAA;~~EAAiC~~,QAAA,kBAAA;~~EAF9D~~,QAAA,oBAAA"}
1	+ {"version":3,"file":"SdJwtVcService.d.mts","names":[],"sources":["../../../src/modules/sd-jwt-vc/SdJwtVcService.ts"],"sourcesContent":[],"mappings":";;;;;;;;;;;;;UA6CiB,uBACA,gBAAgB,+BACf,iBAAiB;;;;eAKpB,WAAA,CAAY;;;;EAPV,OAAA,EAAA,MAAO;EACP,OAAA,EAAA,MAAA;EAAgB,MAAA,EAYvB,MAZuB;EACf;;;EAWR,MAAA,EAKA,oBALA,GAAA,SAAA;EAKA,OAAA,EAGC,OAHD;EAGC,YAAA,EACK,OADL;EACK,KAAA,CAAA,EAAA;IAGJ,MAAA,EAAA,MAAA,CAAA,MAAA,EAAA,OAAA,CAAA;IACC,OAAA,EAAA,MAAA,CAAA,MAAA,EAAA,OAAA,CAAA;EAUI,CAAA;EAAmB;AAGpC;AAgBA;;;EASkB,QAAA,CAAA,EAAA,MAAA;EACc,YAAA,CAAA,EA7Bf,mBA6Be;;AACnB,UA3BI,kBAAA,CA2BJ;EAAR,OAAA,EAAA,OAAA;EA6D+B,iBAAA,CAAA,EAAA,OAAA;EAAgB,gBAAA,CAAA,EAAA,OAAA;EAA+B,aAAA,CAAA,EAAA,OAAA;EAAiB,gBAAA,CAAA,EAAA,OAAA;EAEjF,iBAAA,CAAA,EAAA,OAAA;EACN,yBAAA,CAAA,EAAA,OAAA;EAAQ,iBAAA,CAAA,EAAA,OAAA;EAAhB,0BAAA,CAAA,EAAA,OAAA;EAIyE,4BAAA,CAAA,EAAA,OAAA;;;;;AA8BxE,cA5GO,cAAA,CA4GP;EAAS,QAAA,iBAAA;EAAmB,WAAA,CAAA,iBAAA,EAzGM,iBAyGN;EAAkB,IAAA,CAAA,gBArGhB,cAqGgB,CAAA,CAAA,YAAA,EApGlC,YAoGkC,EAAA,OAAA,EAnGvC,kBAmGuC,CAnGpB,OAmGoB,CAAA,CAAA,EAlG/C,OAkG+C,CAlGvC,OAkGuC,CAAA;EAA2C,WAAA,CAAA,eArC3D,aAqC2D,GArC3C,aAqC2C,EAAA,gBArCZ,cAqCY,GArCK,cAqCL,CAAA,CAAA,cAAA,EAAA,MAAA,EAAA,YAAA,CAAA,EAnC5E,mBAmC4E,CAAA,EAlC1F,OAkC0F,CAlClF,MAkCkF,EAlC1E,OAkC0E,CAAA;EAAtB,0BAAA,CAAA,cAAA,EAAA,MAAA,EAAA,gBAAA,EA9BK,UA8BL,CAAA,EA9BkB,OA8BlB;EACpE,OAAA,CAAA,gBAHkC,cAGlC,GAHmD,cAGnD,CAAA,CAAA,YAAA,EAFa,YAEb,EAAA;IAAA,OAAA;IAAA,iBAAA;IAAA,gBAAA;IAAA;EAAA,CAAA,EADoE,qBACpE,CAD0F,OAC1F,CAAA,CAAA,EAAA,OAAA,CAAA,MAAA,CAAA;EAyDgC,QAAA,uBAAA;EAAgB,MAAA,CAAA,eAAhB,aAAgB,GAAA,aAAA,EAAA,gBAA+B,cAA/B,GAAgD,cAAhD,CAAA,CAAA,YAAA,EACnC,YADmC,EAAA;IAAA,cAAA;IAAA,UAAA;IAAA,iBAAA;IAAA,iBAAA;IAAA,mBAAA;IAAA;EAAA,CAAA,EAE+C,oBAF/C,CAAA,EAGhD,OAHgD,CAAA;IAA+B,OAAA,EAAA,IAAA;IAAiB,OAAA,EAIrE,OAJqE,CAI7D,MAJ6D,EAIrD,OAJqD,CAAA;EACnF,CAAA,GAAA;IACZ,OAAA,EAAA,KAAA;IAAgB,OAAA,CAAA,EAGY,OAHZ,CAGoB,MAHpB,EAG4B,OAH5B,CAAA;IAAY,KAAA,EAGiC,KAHjC;EAAmB,CAAA,CAAA;EAAmB,iBAAA,CAAA,YAAA,EAyItD,YAzIsD,EAAA,OAAA,EA0I3D,OA1I2D,EAAA;IAAA,sBAAA;IAAA;EAEhC,CAAA,CAFgC,EAAA;IAAqB,sBAAA,CAAA,EAAA,OAAA;IAAO,+BAAA,CAAA,EAAA,OAAA;EAE5D,CAAA,CAAA,EA4ImD,OA5InD,CA4ImD,mBA5InD,GAAA,SAAA,CAAA;EAAQ,KAAA,CAAA,YAAA,EAsMb,YAtMa,EAAA,OAAA,EAsMU,mBAtMV,CAAA,EAsM6B,OAtM7B,CAsM6B,aAtM7B,CAAA;EAAhB,OAAA,CAAA,YAAA,EA2MK,YA3ML,EAAA,EAAA,EAAA,MAAA,CAAA,EA2MgC,OA3MhC,CA2MwC,aA3MxC,CAAA;EACU,MAAA,CAAA,YAAA,EA8MN,YA9MM,CAAA,EA8MS,OA9MT,CA8MiB,KA9MjB,CA8MuB,aA9MvB,CAAA,CAAA;EAAQ,WAAA,CAAA,YAAA,EAmNhC,YAnNgC,EAAA,KAAA,EAoNvC,KApNuC,CAoNjC,aApNiC,CAAA,EAAA,YAAA,CAAA,EAqN/B,YArN+B,CAAA,EAsN7C,OAtN6C,CAsNrC,KAtNqC,CAsN/B,aAtN+B,CAAA,CAAA;EAAhB,UAAA,CAAA,YAAA,EA0NM,YA1NN,EAAA,EAAA,EAAA,MAAA,CAAA,EA0N8B,OA1N9B,CAAA,IAAA,CAAA;EAAiC,MAAA,CAAA,YAAA,EA8N/B,YA9N+B,EAAA,aAAA,EA8NF,aA9NE,CAAA,EA8NW,OA9NX,CAAA,IAAA,CAAA;EAF9D,QAAA,oBAAA;EAwIa,QAAA,yBAAA;EACL,QAAA,kBAAA;EAEP,QAAA,oBAAA"}

package/build/modules/sd-jwt-vc/SdJwtVcService.mjs CHANGED Viewed

@@ -53,28 +53,29 @@ let SdJwtVcService = class SdJwtVcService$1 {
 			kid: issuer.kid,
 			x5c: issuer.x5c?.map((cert) => cert.toString("base64"))
 		};
-		const sdjwt = new SDJwtVcInstance({
+		const sdJwt = new SDJwtVcInstance({
 			...this.getBaseSdJwtConfig(agentContext),
 			signer: getSdJwtSigner(agentContext, issuer.publicJwk),
 			hashAlg: "sha-256",
 			signAlg: issuer.alg
 		});
 		if (!payload.vct || typeof payload.vct !== "string") throw new SdJwtVcError("Missing required parameter 'vct'");
-		const compact = await sdjwt.issue({
+		const compact = await sdJwt.issue({
 			...payload,
 			cnf: holderBinding?.cnf,
 			iss: issuer.iss,
 			iat: nowInSeconds(),
 			vct: payload.vct
 		}, disclosureFrame, { header });
-		const prettyClaims = await sdjwt.getClaims(compact);
-		const sdjwtPayload = (await sdjwt.decode(compact)).jwt?.payload;
-		if (!sdjwtPayload) throw new SdJwtVcError("Invalid sd-jwt-vc state.");
+		const prettyClaims = await sdJwt.getClaims(compact);
+		const sdJwtPayload = (await sdJwt.decode(compact)).jwt?.payload;
+		if (!sdJwtPayload) throw new SdJwtVcError("Invalid sd-jwt-vc state.");
 		return {
 			compact,
 			prettyClaims,
 			header,
-			payload: sdjwtPayload,
+			holder: options.holder,
+			payload: sdJwtPayload,
 			claimFormat: ClaimFormat.SdJwtDc,
 			encoded: compact
 		};
@@ -127,9 +128,11 @@ let SdJwtVcService = class SdJwtVcService$1 {
 	async verify(agentContext, { compactSdJwtVc, keyBinding, requiredClaimKeys, fetchTypeMetadata, trustedCertificates, now }) {
 		const sdjwt = new SDJwtVcInstance(this.getBaseSdJwtConfig(agentContext));
 		let sdJwtVc;
+		let holderBinding;
 		try {
 			sdJwtVc = await sdjwt.decode(compactSdJwtVc);
 			if (!sdJwtVc.jwt) throw new CredoError("Invalid sd-jwt-vc");
+			holderBinding = parseHolderBindingFromCredential(sdJwtVc.jwt.payload) ?? void 0;
 		} catch (error) {
 			return {
 				isValid: false,
@@ -141,6 +144,7 @@ let SdJwtVcService = class SdJwtVcService$1 {
 			header: sdJwtVc.jwt.header,
 			compact: compactSdJwtVc,
 			prettyClaims: await sdJwtVc.getClaims(sdJwtVcHasher),
+			holder: holderBinding,
 			kbJwt: sdJwtVc.kbJwt ? {
 				payload: sdJwtVc.kbJwt.payload,
 				header: sdJwtVc.kbJwt.header
@@ -151,8 +155,7 @@ let SdJwtVcService = class SdJwtVcService$1 {
 		try {
 			const credentialIssuer = await this.parseIssuerFromCredential(agentContext, sdJwtVc, returnSdJwtVc, trustedCertificates);
 			const issuer = await this.extractKeyFromIssuer(agentContext, credentialIssuer);
-			const holderBinding = parseHolderBindingFromCredential(sdJwtVc.jwt.payload);
-			const holder = holderBinding ? await extractKeyFromHolderBinding(agentContext, holderBinding) : void 0;
+			const holder = returnSdJwtVc.holder ? await extractKeyFromHolderBinding(agentContext, returnSdJwtVc.holder) : void 0;
 			sdjwt.config({
 				verifier: getSdJwtVerifier(agentContext, issuer.publicJwk),
 				kbVerifier: holder ? getSdJwtVerifier(agentContext, holder.publicJwk) : void 0

package/build/modules/sd-jwt-vc/SdJwtVcService.mjs.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"SdJwtVcService.mjs","names":["SdJwtVcService","sdJwtVc: SDJwt","returnSdJwtVc: SdJwtVc<Header, Payload>","firstError: Error \| undefined","publicJwk: PublicJwk","didUrl: string"],"sources":["../../../src/modules/sd-jwt-vc/SdJwtVcService.ts"],"sourcesContent":["import type { SDJwt } from '@sd-jwt/core'\nimport { decodeSdJwtSync } from '@sd-jwt/decode'\nimport { selectDisclosures } from '@sd-jwt/present'\nimport { SDJwtVcInstance } from '@sd-jwt/sd-jwt-vc'\nimport type { DisclosureFrame, PresentationFrame } from '@sd-jwt/types'\nimport { injectable } from 'tsyringe'\nimport { AgentContext } from '../../agent'\nimport { Hasher, JwtPayload } from '../../crypto'\nimport { CredoError } from '../../error'\nimport { X509Service } from '../../modules/x509/X509Service'\nimport type { Query, QueryOptions } from '../../storage/StorageService'\nimport type { JsonObject } from '../../types'\nimport { dateToSeconds, IntegrityVerifier, nowInSeconds, TypedArrayEncoder } from '../../utils'\nimport { getDomainFromUrl } from '../../utils/domain'\nimport { fetchWithTimeout } from '../../utils/fetch'\nimport { getPublicJwkFromVerificationMethod, parseDid } from '../dids'\nimport { KeyManagementApi, PublicJwk } from '../kms'\nimport { ClaimFormat } from '../vc/index'\nimport { type EncodedX509Certificate, X509Certificate, X509ModuleConfig } from '../x509'\nimport { decodeSdJwtVc, sdJwtVcHasher } from './decodeSdJwtVc'\nimport { buildDisclosureFrameForPayload } from './disclosureFrame'\nimport { SdJwtVcRecord, SdJwtVcRepository } from './repository'\nimport { SdJwtVcError } from './SdJwtVcError'\nimport type {\n SdJwtVcHeader,\n SdJwtVcIssuer,\n SdJwtVcPayload,\n SdJwtVcPresentOptions,\n SdJwtVcSignOptions,\n SdJwtVcStoreOptions,\n SdJwtVcVerifyOptions,\n} from './SdJwtVcOptions'\nimport type { SdJwtVcTypeMetadata } from './typeMetadata'\nimport {\n extractKeyFromHolderBinding,\n getSdJwtSigner,\n getSdJwtVerifier,\n parseHolderBindingFromCredential,\n resolveDidUrl,\n resolveSigningPublicJwkFromDidUrl,\n} from './utils'\n\ntype SdJwtVcConfig = SDJwtVcInstance['userConfig']\n\nexport interface SdJwtVc<\n Header extends SdJwtVcHeader = SdJwtVcHeader,\n Payload extends SdJwtVcPayload = SdJwtVcPayload,\n> {\n /*\n claim format is convenience method added to all credential instances\n /\n claimFormat: ClaimFormat.SdJwtDc\n /\n encoded is convenience method added to all credential instances\n /\n encoded: string\n compact: string\n header: Header\n\n // TODO: payload type here is a lie, as it is the signed payload (so fields replaced with _sd)\n payload: Payload\n prettyClaims: Payload\n\n kbJwt?: {\n header: Record<string, unknown>\n payload: Record<string, unknown>\n }\n\n /\n The key id in the KMS bound to this SD-JWT VC, used for presentations.\n \n This will only be set on the holder side if defined on the SdJwtVcRecord\n /\n kmsKeyId?: string\n\n typeMetadata?: SdJwtVcTypeMetadata\n}\n\nexport interface VerificationResult {\n isValid: boolean\n isValidJwtPayload?: boolean\n isSignatureValid?: boolean\n isStatusValid?: boolean\n isNotBeforeValid?: boolean\n isExpiryTimeValid?: boolean\n areRequiredClaimsIncluded?: boolean\n isKeyBindingValid?: boolean\n containsExpectedKeyBinding?: boolean\n containsRequiredVcProperties?: boolean\n}\n\n/\n @internal\n */\n@injectable()\nexport class SdJwtVcService {\n private sdJwtVcRepository: SdJwtVcRepository\n\n public constructor(sdJwtVcRepository: SdJwtVcRepository) {\n this.sdJwtVcRepository = sdJwtVcRepository\n }\n\n public async sign<Payload extends SdJwtVcPayload>(\n agentContext: AgentContext,\n options: SdJwtVcSignOptions<Payload>\n ): Promise<SdJwtVc> {\n const { payload, disclosureFrame, hashingAlgorithm } = options\n\n // default is sha-256\n if (hashingAlgorithm && hashingAlgorithm !== 'sha-256') {\n throw new SdJwtVcError(`Unsupported hashing algorithm used: ${hashingAlgorithm}`)\n }\n\n const issuer = await this.extractKeyFromIssuer(agentContext, options.issuer, true)\n\n // holer binding is optional\n const holderBinding = options.holder ? await extractKeyFromHolderBinding(agentContext, options.holder) : undefined\n\n const header = {\n alg: issuer.alg,\n typ: options.headerType ?? 'dc+sd-jwt',\n kid: issuer.kid,\n x5c: issuer.x5c?.map((cert) => cert.toString('base64')),\n } as const\n\n const sdjwt = new SDJwtVcInstance({\n ...this.getBaseSdJwtConfig(agentContext),\n signer: getSdJwtSigner(agentContext, issuer.publicJwk),\n hashAlg: 'sha-256',\n signAlg: issuer.alg,\n })\n\n if (!payload.vct \|\| typeof payload.vct !== 'string') {\n throw new SdJwtVcError(\"Missing required parameter 'vct'\")\n }\n\n const compact = await sdjwt.issue(\n {\n ...payload,\n cnf: holderBinding?.cnf,\n iss: issuer.iss,\n iat: nowInSeconds(),\n vct: payload.vct,\n },\n disclosureFrame as DisclosureFrame<Payload>,\n { header }\n )\n\n const prettyClaims = (await sdjwt.getClaims(compact)) as Payload\n const a = await sdjwt.decode(compact)\n const sdjwtPayload = a.jwt?.payload as Payload \| undefined\n if (!sdjwtPayload) {\n throw new SdJwtVcError('Invalid sd-jwt-vc state.')\n }\n\n return {\n compact,\n prettyClaims,\n header: header,\n payload: sdjwtPayload,\n claimFormat: ClaimFormat.SdJwtDc,\n encoded: compact,\n } satisfies SdJwtVc<typeof header, Payload>\n }\n\n public fromCompact<Header extends SdJwtVcHeader = SdJwtVcHeader, Payload extends SdJwtVcPayload = SdJwtVcPayload>(\n compactSdJwtVc: string,\n typeMetadata?: SdJwtVcTypeMetadata\n ): SdJwtVc<Header, Payload> {\n return decodeSdJwtVc(compactSdJwtVc, typeMetadata)\n }\n\n public applyDisclosuresForPayload(compactSdJwtVc: string, requestedPayload: JsonObject): SdJwtVc {\n const decoded = decodeSdJwtSync(compactSdJwtVc, Hasher.hash)\n const presentationFrame = buildDisclosureFrameForPayload(requestedPayload) ?? {}\n\n if (decoded.kbJwt) {\n throw new SdJwtVcError('Cannot apply limit disclosure on an sd-jwt with key binding jwt')\n }\n\n const requiredDisclosures = selectDisclosures(\n decoded.jwt.payload,\n // Map to sd-jwt disclosure format\n decoded.disclosures.map((d) => ({\n digest: d.digestSync({ alg: 'sha-256', hasher: Hasher.hash }),\n encoded: d.encode(),\n key: d.key,\n salt: d.salt,\n value: d.value,\n })),\n presentationFrame as { [key: string]: boolean }\n )\n const [jwt] = compactSdJwtVc.split('~')\n const disclosuresString =\n requiredDisclosures.length > 0 ? `${requiredDisclosures.map((d) => d.encoded).join('~')}~` : ''\n const sdJwt = `${jwt}~${disclosuresString}`\n const disclosedDecoded = decodeSdJwtVc(sdJwt)\n return disclosedDecoded\n }\n\n public async present<Payload extends SdJwtVcPayload = SdJwtVcPayload>(\n agentContext: AgentContext,\n { sdJwtVc, presentationFrame, verifierMetadata, additionalPayload }: SdJwtVcPresentOptions<Payload>\n ): Promise<string> {\n const sdjwt = new SDJwtVcInstance(this.getBaseSdJwtConfig(agentContext))\n const compactSdJwtVc = typeof sdJwtVc === 'string' ? sdJwtVc : sdJwtVc.compact\n const sdJwtVcInstance = await sdjwt.decode(compactSdJwtVc)\n\n const holderBinding = parseHolderBindingFromCredential(sdJwtVcInstance.jwt?.payload)\n if (!holderBinding && verifierMetadata) {\n throw new SdJwtVcError(\"Verifier metadata provided, but credential has no 'cnf' claim to create a KB-JWT from\")\n }\n\n const holder = holderBinding\n ? await extractKeyFromHolderBinding(agentContext, holderBinding, {\n forSigning: true,\n jwkKeyId: typeof sdJwtVc !== 'string' ? sdJwtVc.kmsKeyId : undefined,\n })\n : undefined\n sdjwt.config({\n kbSigner: holder ? getSdJwtSigner(agentContext, holder.publicJwk) : undefined,\n kbSignAlg: holder?.alg,\n })\n\n const compactDerivedSdJwtVc = await sdjwt.present(compactSdJwtVc, presentationFrame as PresentationFrame<Payload>, {\n kb: verifierMetadata\n ? {\n payload: {\n iat: verifierMetadata.issuedAt,\n nonce: verifierMetadata.nonce,\n aud: verifierMetadata.audience,\n ...additionalPayload,\n },\n }\n : undefined,\n })\n\n return compactDerivedSdJwtVc\n }\n\n private assertValidX5cJwtIssuer(\n agentContext: AgentContext,\n iss: string \| undefined,\n leafCertificate: X509Certificate\n ) {\n // No 'iss' is allowed for X509\n if (!iss) return\n\n // If iss is present it MUST be an HTTPS url\n if (!iss.startsWith('https://') && !(iss.startsWith('http://') && agentContext.config.allowInsecureHttpUrls)) {\n throw new SdJwtVcError('The X509 certificate issuer must be a HTTPS URI.')\n }\n\n if (!leafCertificate.sanUriNames?.includes(iss) && !leafCertificate.sanDnsNames?.includes(getDomainFromUrl(iss))) {\n throw new SdJwtVcError(\n `The 'iss' claim in the payload does not match a 'SAN-URI' name and the domain extracted from the HTTPS URI does not match a 'SAN-DNS' name in the x5c certificate. Either remove the 'iss' claim or make it match with at least one SAN-URI or DNS-URI entry`\n )\n }\n }\n\n public async verify<Header extends SdJwtVcHeader = SdJwtVcHeader, Payload extends SdJwtVcPayload = SdJwtVcPayload>(\n agentContext: AgentContext,\n { compactSdJwtVc, keyBinding, requiredClaimKeys, fetchTypeMetadata, trustedCertificates, now }: SdJwtVcVerifyOptions\n ): Promise<\n \| { isValid: true; sdJwtVc: SdJwtVc<Header, Payload> }\n \| { isValid: false; sdJwtVc?: SdJwtVc<Header, Payload>; error: Error }\n > {\n const sdjwt = new SDJwtVcInstance(this.getBaseSdJwtConfig(agentContext))\n let sdJwtVc: SDJwt\n\n try {\n sdJwtVc = await sdjwt.decode(compactSdJwtVc)\n if (!sdJwtVc.jwt) throw new CredoError('Invalid sd-jwt-vc')\n } catch (error) {\n return {\n isValid: false,\n error,\n }\n }\n\n const returnSdJwtVc: SdJwtVc<Header, Payload> = {\n payload: sdJwtVc.jwt.payload as Payload,\n header: sdJwtVc.jwt.header as Header,\n compact: compactSdJwtVc,\n prettyClaims: await sdJwtVc.getClaims(sdJwtVcHasher),\n\n kbJwt: sdJwtVc.kbJwt\n ? {\n payload: sdJwtVc.kbJwt.payload as Record<string, unknown>,\n header: sdJwtVc.kbJwt.header as Record<string, unknown>,\n }\n : undefined,\n claimFormat: ClaimFormat.SdJwtDc,\n encoded: compactSdJwtVc,\n } satisfies SdJwtVc<Header, Payload>\n\n try {\n const credentialIssuer = await this.parseIssuerFromCredential(\n agentContext,\n sdJwtVc,\n returnSdJwtVc,\n trustedCertificates\n )\n const issuer = await this.extractKeyFromIssuer(agentContext, credentialIssuer)\n const holderBinding = parseHolderBindingFromCredential(sdJwtVc.jwt.payload)\n const holder = holderBinding ? await extractKeyFromHolderBinding(agentContext, holderBinding) : undefined\n\n sdjwt.config({\n verifier: getSdJwtVerifier(agentContext, issuer.publicJwk),\n kbVerifier: holder ? getSdJwtVerifier(agentContext, holder.publicJwk) : undefined,\n })\n\n try {\n await sdjwt.verify(compactSdJwtVc, {\n requiredClaimKeys: requiredClaimKeys ? [...requiredClaimKeys, 'vct'] : ['vct'],\n keyBindingNonce: keyBinding?.nonce,\n currentDate: dateToSeconds(now ?? new Date()),\n skewSeconds: 0,\n })\n } catch (error) {\n return {\n error,\n isValid: false,\n sdJwtVc: returnSdJwtVc,\n }\n }\n\n if (sdJwtVc.jwt.header?.typ !== 'vc+sd-jwt' && sdJwtVc.jwt.header?.typ !== 'dc+sd-jwt') {\n return {\n error: new SdJwtVcError(`SD-JWT VC header 'typ' must be 'dc+sd-jwt' or 'vc+sd-jwt'`),\n isValid: false,\n sdJwtVc: returnSdJwtVc,\n }\n }\n\n try {\n JwtPayload.fromJson(returnSdJwtVc.payload).validate({\n now: dateToSeconds(now ?? new Date()),\n skewTime: 0,\n })\n } catch (error) {\n return {\n error,\n isValid: false,\n sdJwtVc: returnSdJwtVc,\n }\n }\n\n // If keyBinding is present, verify the key binding\n try {\n if (keyBinding) {\n if (!sdJwtVc.kbJwt \|\| !sdJwtVc.kbJwt.payload) {\n throw new SdJwtVcError('Keybinding is required for verification of the sd-jwt-vc')\n }\n\n // Assert `aud` and `nonce` claims\n if (sdJwtVc.kbJwt.payload.aud !== keyBinding.audience) {\n throw new SdJwtVcError('The key binding JWT does not contain the expected audience')\n }\n\n if (sdJwtVc.kbJwt.payload.nonce !== keyBinding.nonce) {\n throw new SdJwtVcError('The key binding JWT does not contain the expected nonce')\n }\n }\n } catch (error) {\n return {\n error,\n isValid: false,\n sdJwtVc: returnSdJwtVc,\n }\n }\n\n if (fetchTypeMetadata) {\n // We allow vct without type metadata for now (and don't fail if the retrieval fails)\n // Integrity check must pass though.\n returnSdJwtVc.typeMetadata = await this.fetchTypeMetadata(agentContext, returnSdJwtVc, {\n throwErrorOnFetchError: false,\n throwErrorOnUnsupportedVctValue: false,\n })\n }\n } catch (error) {\n return {\n isValid: false,\n error,\n sdJwtVc: returnSdJwtVc,\n }\n }\n\n return {\n isValid: true,\n sdJwtVc: returnSdJwtVc,\n }\n }\n\n public async fetchTypeMetadata(\n agentContext: AgentContext,\n sdJwtVc: SdJwtVc,\n {\n throwErrorOnFetchError = true,\n throwErrorOnUnsupportedVctValue = true,\n }: { throwErrorOnFetchError?: boolean; throwErrorOnUnsupportedVctValue?: boolean } = {}\n ) {\n const vct = sdJwtVc.payload.vct\n const vctIntegrity = sdJwtVc.payload['vct#integrity']\n if (!vct \|\| typeof vct !== 'string' \|\| !vct.startsWith('https://')) {\n if (!throwErrorOnUnsupportedVctValue) return undefined\n throw new SdJwtVcError(`Unable to resolve type metadata for vct '${vct}'. Only https supported`)\n }\n\n let firstError: Error \| undefined\n\n // Fist try the new type metadata URL\n // We add a catch, so that if e.g. the request fails due to CORS (which throws an error\n // we will still continue trying the legacy url)\n const firstResponse = await agentContext.config.agentDependencies.fetch(vct).catch((error) => {\n firstError = error\n return undefined\n })\n let response = firstResponse\n\n // If the response is not ok, try the legacy URL (will be removed in 0.7)\n if (!response \|\| !response?.ok) {\n // modify the uri based on https://www.ietf.org/archive/id/draft-ietf-oauth-sd-jwt-vc-04.html#section-6.3.1\n const vctElements = vct.split('/')\n vctElements.splice(3, 0, '.well-known/vct')\n const legacyVctUrl = vctElements.join('/')\n\n response = await agentContext.config.agentDependencies.fetch(legacyVctUrl).catch(() => undefined)\n }\n\n if (!response?.ok) {\n if (!throwErrorOnFetchError) return undefined\n\n if (firstResponse) {\n throw new SdJwtVcError(\n `Unable to resolve type metadata vct '${vct}'. Fetch returned a non-successful ${firstResponse.status} response. ${await firstResponse.text()}.`,\n { cause: firstError }\n )\n } else {\n throw new SdJwtVcError(\n `Unable to resolve type metadata vct '${vct}'. Fetch returned a non-successful response.`,\n { cause: firstError }\n )\n }\n }\n\n const typeMetadata = (await response.clone().json()) as SdJwtVcTypeMetadata\n if (vctIntegrity) {\n if (typeof vctIntegrity !== 'string') {\n throw new SdJwtVcError(`Found 'vct#integrity' with value '${vctIntegrity}' but value was not of type 'string'.`)\n }\n\n IntegrityVerifier.verifyIntegrity(new Uint8Array(await response.arrayBuffer()), vctIntegrity)\n }\n\n return typeMetadata\n }\n\n public async store(agentContext: AgentContext, options: SdJwtVcStoreOptions) {\n await this.sdJwtVcRepository.save(agentContext, options.record)\n return options.record\n }\n\n public async getById(agentContext: AgentContext, id: string): Promise<SdJwtVcRecord> {\n return await this.sdJwtVcRepository.getById(agentContext, id)\n }\n\n public async getAll(agentContext: AgentContext): Promise<Array<SdJwtVcRecord>> {\n return await this.sdJwtVcRepository.getAll(agentContext)\n }\n\n public async findByQuery(\n agentContext: AgentContext,\n query: Query<SdJwtVcRecord>,\n queryOptions?: QueryOptions\n ): Promise<Array<SdJwtVcRecord>> {\n return await this.sdJwtVcRepository.findByQuery(agentContext, query, queryOptions)\n }\n\n public async deleteById(agentContext: AgentContext, id: string) {\n await this.sdJwtVcRepository.deleteById(agentContext, id)\n }\n\n public async update(agentContext: AgentContext, sdJwtVcRecord: SdJwtVcRecord) {\n await this.sdJwtVcRepository.update(agentContext, sdJwtVcRecord)\n }\n\n private async extractKeyFromIssuer(agentContext: AgentContext, issuer: SdJwtVcIssuer, forSigning = false) {\n if (issuer.method === 'did') {\n const parsedDid = parseDid(issuer.didUrl)\n if (!parsedDid.fragment) {\n throw new SdJwtVcError(\n `didUrl '${issuer.didUrl}' does not contain a '#'. Unable to derive key from did document`\n )\n }\n\n let publicJwk: PublicJwk\n if (forSigning) {\n publicJwk = await resolveSigningPublicJwkFromDidUrl(agentContext, issuer.didUrl)\n } else {\n const { verificationMethod } = await resolveDidUrl(agentContext, issuer.didUrl)\n publicJwk = getPublicJwkFromVerificationMethod(verificationMethod)\n }\n\n const supportedSignatureAlgorithms = publicJwk.supportedSignatureAlgorithms\n if (supportedSignatureAlgorithms.length === 0) {\n throw new SdJwtVcError(\n `No supported JWA signature algorithms found for key ${publicJwk.jwkTypeHumanDescription}`\n )\n }\n const alg = supportedSignatureAlgorithms[0]\n\n return {\n alg,\n publicJwk,\n iss: parsedDid.did,\n kid: `#${parsedDid.fragment}`,\n }\n }\n\n if (issuer.method === 'x5c') {\n const leafCertificate = issuer.x5c[0]\n if (!leafCertificate) {\n throw new SdJwtVcError(\"Empty 'x5c' array provided\")\n }\n\n if (forSigning && !leafCertificate.publicJwk.hasKeyId) {\n throw new SdJwtVcError(\"Expected leaf certificate in 'x5c' array to have a key id configured.\")\n }\n\n const publicJwk = leafCertificate.publicJwk\n const supportedSignatureAlgorithms = publicJwk.supportedSignatureAlgorithms\n if (supportedSignatureAlgorithms.length === 0) {\n throw new SdJwtVcError(\n `No supported JWA signature algorithms found for key ${publicJwk.jwkTypeHumanDescription}`\n )\n }\n const alg = supportedSignatureAlgorithms[0]\n\n this.assertValidX5cJwtIssuer(agentContext, issuer.issuer, leafCertificate)\n\n return {\n publicJwk,\n iss: issuer.issuer,\n x5c: issuer.x5c,\n alg,\n }\n }\n\n throw new SdJwtVcError(\"Unsupported credential issuer. Only 'did' and 'x5c' is supported at the moment.\")\n }\n\n private async parseIssuerFromCredential<Header extends SdJwtVcHeader, Payload extends SdJwtVcPayload>(\n agentContext: AgentContext,\n sdJwtVc: SDJwt<Header, Payload>,\n credoSdJwtVc: SdJwtVc<Header, Payload>,\n _trustedCertificates?: EncodedX509Certificate[]\n ): Promise<SdJwtVcIssuer> {\n const x509Config = agentContext.dependencyManager.resolve(X509ModuleConfig)\n if (!sdJwtVc.jwt?.payload) {\n throw new SdJwtVcError('Credential not exist')\n }\n\n const iss = sdJwtVc.jwt.payload.iss as string \| undefined\n\n if (sdJwtVc.jwt.header?.x5c) {\n if (!Array.isArray(sdJwtVc.jwt.header.x5c)) {\n throw new SdJwtVcError('Invalid x5c header in credential. Not an array.')\n }\n if (sdJwtVc.jwt.header.x5c.length === 0) {\n throw new SdJwtVcError('Invalid x5c header in credential. Empty array.')\n }\n if (sdJwtVc.jwt.header.x5c.some((x5c) => typeof x5c !== 'string')) {\n throw new SdJwtVcError('Invalid x5c header in credential. Not an array of strings.')\n }\n\n let trustedCertificates = _trustedCertificates\n const certificateChain = sdJwtVc.jwt.header.x5c.map((cert) => X509Certificate.fromEncodedCertificate(cert))\n\n if (!trustedCertificates) {\n trustedCertificates =\n (await x509Config.getTrustedCertificatesForVerification?.(agentContext, {\n certificateChain,\n verification: {\n type: 'credential',\n credential: credoSdJwtVc,\n },\n })) ?? x509Config.trustedCertificates\n }\n\n if (!trustedCertificates) {\n throw new SdJwtVcError(\n 'No trusted certificates configured for X509 certificate chain validation. Issuer cannot be verified.'\n )\n }\n\n await X509Service.validateCertificateChain(agentContext, {\n certificateChain: sdJwtVc.jwt.header.x5c,\n trustedCertificates,\n })\n\n return {\n method: 'x5c',\n x5c: certificateChain,\n issuer: iss,\n }\n }\n\n if (iss?.startsWith('did:')) {\n // If `did` is used, we require a relative KID to be present to identify\n // the key used by issuer to sign the sd-jwt-vc\n\n if (!sdJwtVc.jwt?.header) {\n throw new SdJwtVcError('Credential does not contain a header')\n }\n\n if (!sdJwtVc.jwt.header.kid) {\n throw new SdJwtVcError('Credential does not contain a kid in the header')\n }\n\n const issuerKid = sdJwtVc.jwt.header.kid as string\n\n let didUrl: string\n if (issuerKid.startsWith('#')) {\n didUrl = `${iss}${issuerKid}`\n } else if (issuerKid.startsWith('did:')) {\n const didFromKid = parseDid(issuerKid)\n if (didFromKid.did !== iss) {\n throw new SdJwtVcError(\n `kid in header is an absolute DID URL, but the did (${didFromKid.did}) does not match with the 'iss' did (${iss})`\n )\n }\n\n didUrl = issuerKid\n } else {\n throw new SdJwtVcError(\n 'Invalid issuer kid for did. Only absolute or relative (starting with #) did urls are supported.'\n )\n }\n\n return {\n method: 'did',\n didUrl,\n }\n }\n\n throw new SdJwtVcError('Unsupported signing method for SD-JWT VC. Only did and x5c are supported at the moment.')\n }\n\n private getBaseSdJwtConfig(agentContext: AgentContext): SdJwtVcConfig {\n const kms = agentContext.resolve(KeyManagementApi)\n\n return {\n hasher: sdJwtVcHasher,\n statusListFetcher: this.getStatusListFetcher(agentContext),\n saltGenerator: (length) => TypedArrayEncoder.toBase64URL(kms.randomBytes({ length })).slice(0, length),\n }\n }\n\n private getStatusListFetcher(agentContext: AgentContext) {\n return async (uri: string) => {\n const response = await fetchWithTimeout(agentContext.config.agentDependencies.fetch, uri, {\n headers: {\n Accept: 'application/statuslist+jwt',\n },\n })\n\n if (!response.ok) {\n throw new CredoError(\n `Received invalid response with status ${\n response.status\n } when fetching status list from ${uri}. ${await response.text()}`\n )\n }\n\n return await response.text()\n }\n }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA+FO,2BAAMA,iBAAe;CAG1B,AAAO,YAAY,mBAAsC;AACvD,OAAK,oBAAoB;;CAG3B,MAAa,KACX,cACA,SACkB;EAClB,MAAM,EAAE,SAAS,iBAAiB,qBAAqB;AAGvD,MAAI,oBAAoB,qBAAqB,UAC3C,OAAM,IAAI,aAAa,uCAAuC,mBAAmB;EAGnF,MAAM,SAAS,MAAM,KAAK,qBAAqB,cAAc,QAAQ,QAAQ,KAAK;EAGlF,MAAM,gBAAgB,QAAQ,SAAS,MAAM,4BAA4B,cAAc,QAAQ,OAAO,GAAG;EAEzG,MAAM,SAAS;GACb,KAAK,OAAO;GACZ,KAAK,QAAQ,cAAc;GAC3B,KAAK,OAAO;GACZ,KAAK,OAAO,KAAK,KAAK,SAAS,KAAK,SAAS,SAAS,CAAC;GACxD;EAED,MAAM,QAAQ,IAAI,gBAAgB;GAChC,GAAG,KAAK,mBAAmB,aAAa;GACxC,QAAQ,eAAe,cAAc,OAAO,UAAU;GACtD,SAAS;GACT,SAAS,OAAO;GACjB,CAAC;AAEF,MAAI,CAAC,QAAQ,OAAO,OAAO,QAAQ,QAAQ,SACzC,OAAM,IAAI,aAAa,mCAAmC;EAG5D,MAAM,UAAU,MAAM,MAAM,MAC1B;GACE,GAAG;GACH,KAAK,eAAe;GACpB,KAAK,OAAO;GACZ,KAAK,cAAc;GACnB,KAAK,QAAQ;GACd,EACD,iBACA,EAAE,QAAQ,CACX;EAED,MAAM,eAAgB,MAAM,MAAM,UAAU,QAAQ;EAEpD,MAAM,gBADI,MAAM,MAAM,OAAO,QAAQ,EACd,KAAK;AAC5B,MAAI,CAAC,aACH,OAAM,IAAI,aAAa,2BAA2B;AAGpD,SAAO;GACL;GACA;GACQ;GACR,SAAS;GACT,aAAa,YAAY;GACzB,SAAS;GACV;;CAGH,AAAO,YACL,gBACA,cAC0B;AAC1B,SAAO,cAAc,gBAAgB,aAAa;;CAGpD,AAAO,2BAA2B,gBAAwB,kBAAuC;EAC/F,MAAM,UAAU,gBAAgB,gBAAgB,OAAO,KAAK;EAC5D,MAAM,oBAAoB,+BAA+B,iBAAiB,IAAI,EAAE;AAEhF,MAAI,QAAQ,MACV,OAAM,IAAI,aAAa,kEAAkE;EAG3F,MAAM,sBAAsB,kBAC1B,QAAQ,IAAI,SAEZ,QAAQ,YAAY,KAAK,OAAO;GAC9B,QAAQ,EAAE,WAAW;IAAE,KAAK;IAAW,QAAQ,OAAO;IAAM,CAAC;GAC7D,SAAS,EAAE,QAAQ;GACnB,KAAK,EAAE;GACP,MAAM,EAAE;GACR,OAAO,EAAE;GACV,EAAE,EACH,kBACD;EACD,MAAM,CAAC,OAAO,eAAe,MAAM,IAAI;AAKvC,SADyB,cADX,GAAG,IAAI,GADnB,oBAAoB,SAAS,IAAI,GAAG,oBAAoB,KAAK,MAAM,EAAE,QAAQ,CAAC,KAAK,IAAI,CAAC,KAAK,KAElD;;CAI/C,MAAa,QACX,cACA,EAAE,SAAS,mBAAmB,kBAAkB,qBAC/B;EACjB,MAAM,QAAQ,IAAI,gBAAgB,KAAK,mBAAmB,aAAa,CAAC;EACxE,MAAM,iBAAiB,OAAO,YAAY,WAAW,UAAU,QAAQ;EAGvE,MAAM,gBAAgB,kCAFE,MAAM,MAAM,OAAO,eAAe,EAEa,KAAK,QAAQ;AACpF,MAAI,CAAC,iBAAiB,iBACpB,OAAM,IAAI,aAAa,wFAAwF;EAGjH,MAAM,SAAS,gBACX,MAAM,4BAA4B,cAAc,eAAe;GAC7D,YAAY;GACZ,UAAU,OAAO,YAAY,WAAW,QAAQ,WAAW;GAC5D,CAAC,GACF;AACJ,QAAM,OAAO;GACX,UAAU,SAAS,eAAe,cAAc,OAAO,UAAU,GAAG;GACpE,WAAW,QAAQ;GACpB,CAAC;AAeF,SAb8B,MAAM,MAAM,QAAQ,gBAAgB,mBAAiD,EACjH,IAAI,mBACA,EACE,SAAS;GACP,KAAK,iBAAiB;GACtB,OAAO,iBAAiB;GACxB,KAAK,iBAAiB;GACtB,GAAG;GACJ,EACF,GACD,QACL,CAAC;;CAKJ,AAAQ,wBACN,cACA,KACA,iBACA;AAEA,MAAI,CAAC,IAAK;AAGV,MAAI,CAAC,IAAI,WAAW,WAAW,IAAI,EAAE,IAAI,WAAW,UAAU,IAAI,aAAa,OAAO,uBACpF,OAAM,IAAI,aAAa,mDAAmD;AAG5E,MAAI,CAAC,gBAAgB,aAAa,SAAS,IAAI,IAAI,CAAC,gBAAgB,aAAa,SAAS,iBAAiB,IAAI,CAAC,CAC9G,OAAM,IAAI,aACR,+PACD;;CAIL,MAAa,OACX,cACA,EAAE,gBAAgB,YAAY,mBAAmB,mBAAmB,qBAAqB,OAIzF;EACA,MAAM,QAAQ,IAAI,gBAAgB,KAAK,mBAAmB,aAAa,CAAC;EACxE,IAAIC;AAEJ,MAAI;AACF,aAAU,MAAM,MAAM,OAAO,eAAe;AAC5C,OAAI,CAAC,QAAQ,IAAK,OAAM,IAAI,WAAW,oBAAoB;WACpD,OAAO;AACd,UAAO;IACL,SAAS;IACT;IACD;;EAGH,MAAMC,gBAA0C;GAC9C,SAAS,QAAQ,IAAI;GACrB,QAAQ,QAAQ,IAAI;GACpB,SAAS;GACT,cAAc,MAAM,QAAQ,UAAU,cAAc;GAEpD,OAAO,QAAQ,QACX;IACE,SAAS,QAAQ,MAAM;IACvB,QAAQ,QAAQ,MAAM;IACvB,GACD;GACJ,aAAa,YAAY;GACzB,SAAS;GACV;AAED,MAAI;GACF,MAAM,mBAAmB,MAAM,KAAK,0BAClC,cACA,SACA,eACA,oBACD;GACD,MAAM,SAAS,MAAM,KAAK,qBAAqB,cAAc,iBAAiB;GAC9E,MAAM,gBAAgB,iCAAiC,QAAQ,IAAI,QAAQ;GAC3E,MAAM,SAAS,gBAAgB,MAAM,4BAA4B,cAAc,cAAc,GAAG;AAEhG,SAAM,OAAO;IACX,UAAU,iBAAiB,cAAc,OAAO,UAAU;IAC1D,YAAY,SAAS,iBAAiB,cAAc,OAAO,UAAU,GAAG;IACzE,CAAC;AAEF,OAAI;AACF,UAAM,MAAM,OAAO,gBAAgB;KACjC,mBAAmB,oBAAoB,CAAC,GAAG,mBAAmB,MAAM,GAAG,CAAC,MAAM;KAC9E,iBAAiB,YAAY;KAC7B,aAAa,cAAc,uBAAO,IAAI,MAAM,CAAC;KAC7C,aAAa;KACd,CAAC;YACK,OAAO;AACd,WAAO;KACL;KACA,SAAS;KACT,SAAS;KACV;;AAGH,OAAI,QAAQ,IAAI,QAAQ,QAAQ,eAAe,QAAQ,IAAI,QAAQ,QAAQ,YACzE,QAAO;IACL,OAAO,IAAI,aAAa,4DAA4D;IACpF,SAAS;IACT,SAAS;IACV;AAGH,OAAI;AACF,eAAW,SAAS,cAAc,QAAQ,CAAC,SAAS;KAClD,KAAK,cAAc,uBAAO,IAAI,MAAM,CAAC;KACrC,UAAU;KACX,CAAC;YACK,OAAO;AACd,WAAO;KACL;KACA,SAAS;KACT,SAAS;KACV;;AAIH,OAAI;AACF,QAAI,YAAY;AACd,SAAI,CAAC,QAAQ,SAAS,CAAC,QAAQ,MAAM,QACnC,OAAM,IAAI,aAAa,2DAA2D;AAIpF,SAAI,QAAQ,MAAM,QAAQ,QAAQ,WAAW,SAC3C,OAAM,IAAI,aAAa,6DAA6D;AAGtF,SAAI,QAAQ,MAAM,QAAQ,UAAU,WAAW,MAC7C,OAAM,IAAI,aAAa,0DAA0D;;YAG9E,OAAO;AACd,WAAO;KACL;KACA,SAAS;KACT,SAAS;KACV;;AAGH,OAAI,kBAGF,eAAc,eAAe,MAAM,KAAK,kBAAkB,cAAc,eAAe;IACrF,wBAAwB;IACxB,iCAAiC;IAClC,CAAC;WAEG,OAAO;AACd,UAAO;IACL,SAAS;IACT;IACA,SAAS;IACV;;AAGH,SAAO;GACL,SAAS;GACT,SAAS;GACV;;CAGH,MAAa,kBACX,cACA,SACA,EACE,yBAAyB,MACzB,kCAAkC,SACiD,EAAE,EACvF;EACA,MAAM,MAAM,QAAQ,QAAQ;EAC5B,MAAM,eAAe,QAAQ,QAAQ;AACrC,MAAI,CAAC,OAAO,OAAO,QAAQ,YAAY,CAAC,IAAI,WAAW,WAAW,EAAE;AAClE,OAAI,CAAC,gCAAiC,QAAO;AAC7C,SAAM,IAAI,aAAa,4CAA4C,IAAI,yBAAyB;;EAGlG,IAAIC;EAKJ,MAAM,gBAAgB,MAAM,aAAa,OAAO,kBAAkB,MAAM,IAAI,CAAC,OAAO,UAAU;AAC5F,gBAAa;IAEb;EACF,IAAI,WAAW;AAGf,MAAI,CAAC,YAAY,CAAC,UAAU,IAAI;GAE9B,MAAM,cAAc,IAAI,MAAM,IAAI;AAClC,eAAY,OAAO,GAAG,GAAG,kBAAkB;GAC3C,MAAM,eAAe,YAAY,KAAK,IAAI;AAE1C,cAAW,MAAM,aAAa,OAAO,kBAAkB,MAAM,aAAa,CAAC,YAAY,OAAU;;AAGnG,MAAI,CAAC,UAAU,IAAI;AACjB,OAAI,CAAC,uBAAwB,QAAO;AAEpC,OAAI,cACF,OAAM,IAAI,aACR,wCAAwC,IAAI,qCAAqC,cAAc,OAAO,aAAa,MAAM,cAAc,MAAM,CAAC,IAC9I,EAAE,OAAO,YAAY,CACtB;OAED,OAAM,IAAI,aACR,wCAAwC,IAAI,+CAC5C,EAAE,OAAO,YAAY,CACtB;;EAIL,MAAM,eAAgB,MAAM,SAAS,OAAO,CAAC,MAAM;AACnD,MAAI,cAAc;AAChB,OAAI,OAAO,iBAAiB,SAC1B,OAAM,IAAI,aAAa,qCAAqC,aAAa,uCAAuC;AAGlH,qBAAkB,gBAAgB,IAAI,WAAW,MAAM,SAAS,aAAa,CAAC,EAAE,aAAa;;AAG/F,SAAO;;CAGT,MAAa,MAAM,cAA4B,SAA8B;AAC3E,QAAM,KAAK,kBAAkB,KAAK,cAAc,QAAQ,OAAO;AAC/D,SAAO,QAAQ;;CAGjB,MAAa,QAAQ,cAA4B,IAAoC;AACnF,SAAO,MAAM,KAAK,kBAAkB,QAAQ,cAAc,GAAG;;CAG/D,MAAa,OAAO,cAA2D;AAC7E,SAAO,MAAM,KAAK,kBAAkB,OAAO,aAAa;;CAG1D,MAAa,YACX,cACA,OACA,cAC+B;AAC/B,SAAO,MAAM,KAAK,kBAAkB,YAAY,cAAc,OAAO,aAAa;;CAGpF,MAAa,WAAW,cAA4B,IAAY;AAC9D,QAAM,KAAK,kBAAkB,WAAW,cAAc,GAAG;;CAG3D,MAAa,OAAO,cAA4B,eAA8B;AAC5E,QAAM,KAAK,kBAAkB,OAAO,cAAc,cAAc;;CAGlE,MAAc,qBAAqB,cAA4B,QAAuB,aAAa,OAAO;AACxG,MAAI,OAAO,WAAW,OAAO;GAC3B,MAAM,YAAY,SAAS,OAAO,OAAO;AACzC,OAAI,CAAC,UAAU,SACb,OAAM,IAAI,aACR,WAAW,OAAO,OAAO,kEAC1B;GAGH,IAAIC;AACJ,OAAI,WACF,aAAY,MAAM,kCAAkC,cAAc,OAAO,OAAO;QAC3E;IACL,MAAM,EAAE,uBAAuB,MAAM,cAAc,cAAc,OAAO,OAAO;AAC/E,gBAAY,mCAAmC,mBAAmB;;GAGpE,MAAM,+BAA+B,UAAU;AAC/C,OAAI,6BAA6B,WAAW,EAC1C,OAAM,IAAI,aACR,uDAAuD,UAAU,0BAClE;AAIH,UAAO;IACL,KAHU,6BAA6B;IAIvC;IACA,KAAK,UAAU;IACf,KAAK,IAAI,UAAU;IACpB;;AAGH,MAAI,OAAO,WAAW,OAAO;GAC3B,MAAM,kBAAkB,OAAO,IAAI;AACnC,OAAI,CAAC,gBACH,OAAM,IAAI,aAAa,6BAA6B;AAGtD,OAAI,cAAc,CAAC,gBAAgB,UAAU,SAC3C,OAAM,IAAI,aAAa,wEAAwE;GAGjG,MAAM,YAAY,gBAAgB;GAClC,MAAM,+BAA+B,UAAU;AAC/C,OAAI,6BAA6B,WAAW,EAC1C,OAAM,IAAI,aACR,uDAAuD,UAAU,0BAClE;GAEH,MAAM,MAAM,6BAA6B;AAEzC,QAAK,wBAAwB,cAAc,OAAO,QAAQ,gBAAgB;AAE1E,UAAO;IACL;IACA,KAAK,OAAO;IACZ,KAAK,OAAO;IACZ;IACD;;AAGH,QAAM,IAAI,aAAa,kFAAkF;;CAG3G,MAAc,0BACZ,cACA,SACA,cACA,sBACwB;EACxB,MAAM,aAAa,aAAa,kBAAkB,QAAQ,iBAAiB;AAC3E,MAAI,CAAC,QAAQ,KAAK,QAChB,OAAM,IAAI,aAAa,uBAAuB;EAGhD,MAAM,MAAM,QAAQ,IAAI,QAAQ;AAEhC,MAAI,QAAQ,IAAI,QAAQ,KAAK;AAC3B,OAAI,CAAC,MAAM,QAAQ,QAAQ,IAAI,OAAO,IAAI,CACxC,OAAM,IAAI,aAAa,kDAAkD;AAE3E,OAAI,QAAQ,IAAI,OAAO,IAAI,WAAW,EACpC,OAAM,IAAI,aAAa,iDAAiD;AAE1E,OAAI,QAAQ,IAAI,OAAO,IAAI,MAAM,QAAQ,OAAO,QAAQ,SAAS,CAC/D,OAAM,IAAI,aAAa,6DAA6D;GAGtF,IAAI,sBAAsB;GAC1B,MAAM,mBAAmB,QAAQ,IAAI,OAAO,IAAI,KAAK,SAAS,gBAAgB,uBAAuB,KAAK,CAAC;AAE3G,OAAI,CAAC,oBACH,uBACG,MAAM,WAAW,wCAAwC,cAAc;IACtE;IACA,cAAc;KACZ,MAAM;KACN,YAAY;KACb;IACF,CAAC,IAAK,WAAW;AAGtB,OAAI,CAAC,oBACH,OAAM,IAAI,aACR,uGACD;AAGH,SAAM,YAAY,yBAAyB,cAAc;IACvD,kBAAkB,QAAQ,IAAI,OAAO;IACrC;IACD,CAAC;AAEF,UAAO;IACL,QAAQ;IACR,KAAK;IACL,QAAQ;IACT;;AAGH,MAAI,KAAK,WAAW,OAAO,EAAE;AAI3B,OAAI,CAAC,QAAQ,KAAK,OAChB,OAAM,IAAI,aAAa,uCAAuC;AAGhE,OAAI,CAAC,QAAQ,IAAI,OAAO,IACtB,OAAM,IAAI,aAAa,kDAAkD;GAG3E,MAAM,YAAY,QAAQ,IAAI,OAAO;GAErC,IAAIC;AACJ,OAAI,UAAU,WAAW,IAAI,CAC3B,UAAS,GAAG,MAAM;YACT,UAAU,WAAW,OAAO,EAAE;IACvC,MAAM,aAAa,SAAS,UAAU;AACtC,QAAI,WAAW,QAAQ,IACrB,OAAM,IAAI,aACR,sDAAsD,WAAW,IAAI,uCAAuC,IAAI,GACjH;AAGH,aAAS;SAET,OAAM,IAAI,aACR,kGACD;AAGH,UAAO;IACL,QAAQ;IACR;IACD;;AAGH,QAAM,IAAI,aAAa,0FAA0F;;CAGnH,AAAQ,mBAAmB,cAA2C;EACpE,MAAM,MAAM,aAAa,QAAQ,iBAAiB;AAElD,SAAO;GACL,QAAQ;GACR,mBAAmB,KAAK,qBAAqB,aAAa;GAC1D,gBAAgB,WAAW,kBAAkB,YAAY,IAAI,YAAY,EAAE,QAAQ,CAAC,CAAC,CAAC,MAAM,GAAG,OAAO;GACvG;;CAGH,AAAQ,qBAAqB,cAA4B;AACvD,SAAO,OAAO,QAAgB;GAC5B,MAAM,WAAW,MAAM,iBAAiB,aAAa,OAAO,kBAAkB,OAAO,KAAK,EACxF,SAAS,EACP,QAAQ,8BACT,EACF,CAAC;AAEF,OAAI,CAAC,SAAS,GACZ,OAAM,IAAI,WACR,yCACE,SAAS,OACV,kCAAkC,IAAI,IAAI,MAAM,SAAS,MAAM,GACjE;AAGH,UAAO,MAAM,SAAS,MAAM;;;;6BArkBjC,YAAY"}
1	+ {"version":3,"file":"SdJwtVcService.mjs","names":["SdJwtVcService","sdJwtVc: SDJwt","holderBinding: SdJwtVcHolderBinding \| undefined","returnSdJwtVc: SdJwtVc<Header, Payload>","firstError: Error \| undefined","publicJwk: PublicJwk","didUrl: string"],"sources":["../../../src/modules/sd-jwt-vc/SdJwtVcService.ts"],"sourcesContent":["import type { SDJwt } from '@sd-jwt/core'\nimport { decodeSdJwtSync } from '@sd-jwt/decode'\nimport { selectDisclosures } from '@sd-jwt/present'\nimport { SDJwtVcInstance } from '@sd-jwt/sd-jwt-vc'\nimport type { DisclosureFrame, PresentationFrame } from '@sd-jwt/types'\nimport { injectable } from 'tsyringe'\nimport { AgentContext } from '../../agent'\nimport { Hasher, JwtPayload } from '../../crypto'\nimport { CredoError } from '../../error'\nimport { X509Service } from '../../modules/x509/X509Service'\nimport type { Query, QueryOptions } from '../../storage/StorageService'\nimport type { JsonObject } from '../../types'\nimport { dateToSeconds, IntegrityVerifier, nowInSeconds, TypedArrayEncoder } from '../../utils'\nimport { getDomainFromUrl } from '../../utils/domain'\nimport { fetchWithTimeout } from '../../utils/fetch'\nimport { getPublicJwkFromVerificationMethod, parseDid } from '../dids'\nimport { KeyManagementApi, PublicJwk } from '../kms'\nimport { ClaimFormat } from '../vc/index'\nimport { type EncodedX509Certificate, X509Certificate, X509ModuleConfig } from '../x509'\nimport { decodeSdJwtVc, sdJwtVcHasher } from './decodeSdJwtVc'\nimport { buildDisclosureFrameForPayload } from './disclosureFrame'\nimport { SdJwtVcRecord, SdJwtVcRepository } from './repository'\nimport { SdJwtVcError } from './SdJwtVcError'\nimport type {\n SdJwtVcHeader,\n SdJwtVcHolderBinding,\n SdJwtVcIssuer,\n SdJwtVcPayload,\n SdJwtVcPresentOptions,\n SdJwtVcSignOptions,\n SdJwtVcStoreOptions,\n SdJwtVcVerifyOptions,\n} from './SdJwtVcOptions'\nimport type { SdJwtVcTypeMetadata } from './typeMetadata'\nimport {\n extractKeyFromHolderBinding,\n getSdJwtSigner,\n getSdJwtVerifier,\n parseHolderBindingFromCredential,\n resolveDidUrl,\n resolveSigningPublicJwkFromDidUrl,\n} from './utils'\n\ntype SdJwtVcConfig = SDJwtVcInstance['userConfig']\n\nexport interface SdJwtVc<\n Header extends SdJwtVcHeader = SdJwtVcHeader,\n Payload extends SdJwtVcPayload = SdJwtVcPayload,\n> {\n /*\n claim format is convenience method added to all credential instances\n /\n claimFormat: ClaimFormat.SdJwtDc\n /\n encoded is convenience method added to all credential instances\n /\n encoded: string\n compact: string\n header: Header\n\n /\n The holder of the credential\n /\n holder: SdJwtVcHolderBinding \| undefined\n\n // TODO: payload type here is a lie, as it is the signed payload (so fields replaced with _sd)\n payload: Payload\n prettyClaims: Payload\n\n kbJwt?: {\n header: Record<string, unknown>\n payload: Record<string, unknown>\n }\n\n /\n The key id in the KMS bound to this SD-JWT VC, used for presentations.\n \n This will only be set on the holder side if defined on the SdJwtVcRecord\n /\n kmsKeyId?: string\n\n typeMetadata?: SdJwtVcTypeMetadata\n}\n\nexport interface VerificationResult {\n isValid: boolean\n isValidJwtPayload?: boolean\n isSignatureValid?: boolean\n isStatusValid?: boolean\n isNotBeforeValid?: boolean\n isExpiryTimeValid?: boolean\n areRequiredClaimsIncluded?: boolean\n isKeyBindingValid?: boolean\n containsExpectedKeyBinding?: boolean\n containsRequiredVcProperties?: boolean\n}\n\n/\n @internal\n */\n@injectable()\nexport class SdJwtVcService {\n private sdJwtVcRepository: SdJwtVcRepository\n\n public constructor(sdJwtVcRepository: SdJwtVcRepository) {\n this.sdJwtVcRepository = sdJwtVcRepository\n }\n\n public async sign<Payload extends SdJwtVcPayload>(\n agentContext: AgentContext,\n options: SdJwtVcSignOptions<Payload>\n ): Promise<SdJwtVc> {\n const { payload, disclosureFrame, hashingAlgorithm } = options\n\n // default is sha-256\n if (hashingAlgorithm && hashingAlgorithm !== 'sha-256') {\n throw new SdJwtVcError(`Unsupported hashing algorithm used: ${hashingAlgorithm}`)\n }\n\n const issuer = await this.extractKeyFromIssuer(agentContext, options.issuer, true)\n\n // holer binding is optional\n const holderBinding = options.holder ? await extractKeyFromHolderBinding(agentContext, options.holder) : undefined\n\n const header = {\n alg: issuer.alg,\n typ: options.headerType ?? 'dc+sd-jwt',\n kid: issuer.kid,\n x5c: issuer.x5c?.map((cert) => cert.toString('base64')),\n } as const\n\n const sdJwt = new SDJwtVcInstance({\n ...this.getBaseSdJwtConfig(agentContext),\n signer: getSdJwtSigner(agentContext, issuer.publicJwk),\n hashAlg: 'sha-256',\n signAlg: issuer.alg,\n })\n\n if (!payload.vct \|\| typeof payload.vct !== 'string') {\n throw new SdJwtVcError(\"Missing required parameter 'vct'\")\n }\n\n const compact = await sdJwt.issue(\n {\n ...payload,\n cnf: holderBinding?.cnf,\n iss: issuer.iss,\n iat: nowInSeconds(),\n vct: payload.vct,\n },\n disclosureFrame as DisclosureFrame<Payload>,\n { header }\n )\n\n const prettyClaims = (await sdJwt.getClaims(compact)) as Payload\n const decoded = await sdJwt.decode(compact)\n const sdJwtPayload = decoded.jwt?.payload as Payload \| undefined\n if (!sdJwtPayload) {\n throw new SdJwtVcError('Invalid sd-jwt-vc state.')\n }\n\n return {\n compact,\n prettyClaims,\n header: header,\n holder: options.holder,\n payload: sdJwtPayload,\n claimFormat: ClaimFormat.SdJwtDc,\n encoded: compact,\n } satisfies SdJwtVc<typeof header, Payload>\n }\n\n public fromCompact<Header extends SdJwtVcHeader = SdJwtVcHeader, Payload extends SdJwtVcPayload = SdJwtVcPayload>(\n compactSdJwtVc: string,\n typeMetadata?: SdJwtVcTypeMetadata\n ): SdJwtVc<Header, Payload> {\n return decodeSdJwtVc(compactSdJwtVc, typeMetadata)\n }\n\n public applyDisclosuresForPayload(compactSdJwtVc: string, requestedPayload: JsonObject): SdJwtVc {\n const decoded = decodeSdJwtSync(compactSdJwtVc, Hasher.hash)\n const presentationFrame = buildDisclosureFrameForPayload(requestedPayload) ?? {}\n\n if (decoded.kbJwt) {\n throw new SdJwtVcError('Cannot apply limit disclosure on an sd-jwt with key binding jwt')\n }\n\n const requiredDisclosures = selectDisclosures(\n decoded.jwt.payload,\n // Map to sd-jwt disclosure format\n decoded.disclosures.map((d) => ({\n digest: d.digestSync({ alg: 'sha-256', hasher: Hasher.hash }),\n encoded: d.encode(),\n key: d.key,\n salt: d.salt,\n value: d.value,\n })),\n presentationFrame as { [key: string]: boolean }\n )\n const [jwt] = compactSdJwtVc.split('~')\n const disclosuresString =\n requiredDisclosures.length > 0 ? `${requiredDisclosures.map((d) => d.encoded).join('~')}~` : ''\n const sdJwt = `${jwt}~${disclosuresString}`\n const disclosedDecoded = decodeSdJwtVc(sdJwt)\n return disclosedDecoded\n }\n\n public async present<Payload extends SdJwtVcPayload = SdJwtVcPayload>(\n agentContext: AgentContext,\n { sdJwtVc, presentationFrame, verifierMetadata, additionalPayload }: SdJwtVcPresentOptions<Payload>\n ): Promise<string> {\n const sdjwt = new SDJwtVcInstance(this.getBaseSdJwtConfig(agentContext))\n const compactSdJwtVc = typeof sdJwtVc === 'string' ? sdJwtVc : sdJwtVc.compact\n const sdJwtVcInstance = await sdjwt.decode(compactSdJwtVc)\n\n const holderBinding = parseHolderBindingFromCredential(sdJwtVcInstance.jwt?.payload)\n if (!holderBinding && verifierMetadata) {\n throw new SdJwtVcError(\"Verifier metadata provided, but credential has no 'cnf' claim to create a KB-JWT from\")\n }\n\n const holder = holderBinding\n ? await extractKeyFromHolderBinding(agentContext, holderBinding, {\n forSigning: true,\n jwkKeyId: typeof sdJwtVc !== 'string' ? sdJwtVc.kmsKeyId : undefined,\n })\n : undefined\n sdjwt.config({\n kbSigner: holder ? getSdJwtSigner(agentContext, holder.publicJwk) : undefined,\n kbSignAlg: holder?.alg,\n })\n\n const compactDerivedSdJwtVc = await sdjwt.present(compactSdJwtVc, presentationFrame as PresentationFrame<Payload>, {\n kb: verifierMetadata\n ? {\n payload: {\n iat: verifierMetadata.issuedAt,\n nonce: verifierMetadata.nonce,\n aud: verifierMetadata.audience,\n ...additionalPayload,\n },\n }\n : undefined,\n })\n\n return compactDerivedSdJwtVc\n }\n\n private assertValidX5cJwtIssuer(\n agentContext: AgentContext,\n iss: string \| undefined,\n leafCertificate: X509Certificate\n ) {\n // No 'iss' is allowed for X509\n if (!iss) return\n\n // If iss is present it MUST be an HTTPS url\n if (!iss.startsWith('https://') && !(iss.startsWith('http://') && agentContext.config.allowInsecureHttpUrls)) {\n throw new SdJwtVcError('The X509 certificate issuer must be a HTTPS URI.')\n }\n\n if (!leafCertificate.sanUriNames?.includes(iss) && !leafCertificate.sanDnsNames?.includes(getDomainFromUrl(iss))) {\n throw new SdJwtVcError(\n `The 'iss' claim in the payload does not match a 'SAN-URI' name and the domain extracted from the HTTPS URI does not match a 'SAN-DNS' name in the x5c certificate. Either remove the 'iss' claim or make it match with at least one SAN-URI or DNS-URI entry`\n )\n }\n }\n\n public async verify<Header extends SdJwtVcHeader = SdJwtVcHeader, Payload extends SdJwtVcPayload = SdJwtVcPayload>(\n agentContext: AgentContext,\n { compactSdJwtVc, keyBinding, requiredClaimKeys, fetchTypeMetadata, trustedCertificates, now }: SdJwtVcVerifyOptions\n ): Promise<\n \| { isValid: true; sdJwtVc: SdJwtVc<Header, Payload> }\n \| { isValid: false; sdJwtVc?: SdJwtVc<Header, Payload>; error: Error }\n > {\n const sdjwt = new SDJwtVcInstance(this.getBaseSdJwtConfig(agentContext))\n let sdJwtVc: SDJwt\n let holderBinding: SdJwtVcHolderBinding \| undefined\n\n try {\n sdJwtVc = await sdjwt.decode(compactSdJwtVc)\n if (!sdJwtVc.jwt) throw new CredoError('Invalid sd-jwt-vc')\n holderBinding = parseHolderBindingFromCredential(sdJwtVc.jwt.payload) ?? undefined\n } catch (error) {\n return {\n isValid: false,\n error,\n }\n }\n\n const returnSdJwtVc: SdJwtVc<Header, Payload> = {\n payload: sdJwtVc.jwt.payload as Payload,\n header: sdJwtVc.jwt.header as Header,\n compact: compactSdJwtVc,\n prettyClaims: await sdJwtVc.getClaims(sdJwtVcHasher),\n holder: holderBinding,\n\n kbJwt: sdJwtVc.kbJwt\n ? {\n payload: sdJwtVc.kbJwt.payload as Record<string, unknown>,\n header: sdJwtVc.kbJwt.header as Record<string, unknown>,\n }\n : undefined,\n claimFormat: ClaimFormat.SdJwtDc,\n encoded: compactSdJwtVc,\n } satisfies SdJwtVc<Header, Payload>\n\n try {\n const credentialIssuer = await this.parseIssuerFromCredential(\n agentContext,\n sdJwtVc,\n returnSdJwtVc,\n trustedCertificates\n )\n const issuer = await this.extractKeyFromIssuer(agentContext, credentialIssuer)\n const holder = returnSdJwtVc.holder\n ? await extractKeyFromHolderBinding(agentContext, returnSdJwtVc.holder)\n : undefined\n\n sdjwt.config({\n verifier: getSdJwtVerifier(agentContext, issuer.publicJwk),\n kbVerifier: holder ? getSdJwtVerifier(agentContext, holder.publicJwk) : undefined,\n })\n\n try {\n await sdjwt.verify(compactSdJwtVc, {\n requiredClaimKeys: requiredClaimKeys ? [...requiredClaimKeys, 'vct'] : ['vct'],\n keyBindingNonce: keyBinding?.nonce,\n currentDate: dateToSeconds(now ?? new Date()),\n skewSeconds: 0,\n })\n } catch (error) {\n return {\n error,\n isValid: false,\n sdJwtVc: returnSdJwtVc,\n }\n }\n\n if (sdJwtVc.jwt.header?.typ !== 'vc+sd-jwt' && sdJwtVc.jwt.header?.typ !== 'dc+sd-jwt') {\n return {\n error: new SdJwtVcError(`SD-JWT VC header 'typ' must be 'dc+sd-jwt' or 'vc+sd-jwt'`),\n isValid: false,\n sdJwtVc: returnSdJwtVc,\n }\n }\n\n try {\n JwtPayload.fromJson(returnSdJwtVc.payload).validate({\n now: dateToSeconds(now ?? new Date()),\n skewTime: 0,\n })\n } catch (error) {\n return {\n error,\n isValid: false,\n sdJwtVc: returnSdJwtVc,\n }\n }\n\n // If keyBinding is present, verify the key binding\n try {\n if (keyBinding) {\n if (!sdJwtVc.kbJwt \|\| !sdJwtVc.kbJwt.payload) {\n throw new SdJwtVcError('Keybinding is required for verification of the sd-jwt-vc')\n }\n\n // Assert `aud` and `nonce` claims\n if (sdJwtVc.kbJwt.payload.aud !== keyBinding.audience) {\n throw new SdJwtVcError('The key binding JWT does not contain the expected audience')\n }\n\n if (sdJwtVc.kbJwt.payload.nonce !== keyBinding.nonce) {\n throw new SdJwtVcError('The key binding JWT does not contain the expected nonce')\n }\n }\n } catch (error) {\n return {\n error,\n isValid: false,\n sdJwtVc: returnSdJwtVc,\n }\n }\n\n if (fetchTypeMetadata) {\n // We allow vct without type metadata for now (and don't fail if the retrieval fails)\n // Integrity check must pass though.\n returnSdJwtVc.typeMetadata = await this.fetchTypeMetadata(agentContext, returnSdJwtVc, {\n throwErrorOnFetchError: false,\n throwErrorOnUnsupportedVctValue: false,\n })\n }\n } catch (error) {\n return {\n isValid: false,\n error,\n sdJwtVc: returnSdJwtVc,\n }\n }\n\n return {\n isValid: true,\n sdJwtVc: returnSdJwtVc,\n }\n }\n\n public async fetchTypeMetadata(\n agentContext: AgentContext,\n sdJwtVc: SdJwtVc,\n {\n throwErrorOnFetchError = true,\n throwErrorOnUnsupportedVctValue = true,\n }: { throwErrorOnFetchError?: boolean; throwErrorOnUnsupportedVctValue?: boolean } = {}\n ) {\n const vct = sdJwtVc.payload.vct\n const vctIntegrity = sdJwtVc.payload['vct#integrity']\n if (!vct \|\| typeof vct !== 'string' \|\| !vct.startsWith('https://')) {\n if (!throwErrorOnUnsupportedVctValue) return undefined\n throw new SdJwtVcError(`Unable to resolve type metadata for vct '${vct}'. Only https supported`)\n }\n\n let firstError: Error \| undefined\n\n // Fist try the new type metadata URL\n // We add a catch, so that if e.g. the request fails due to CORS (which throws an error\n // we will still continue trying the legacy url)\n const firstResponse = await agentContext.config.agentDependencies.fetch(vct).catch((error) => {\n firstError = error\n return undefined\n })\n let response = firstResponse\n\n // If the response is not ok, try the legacy URL (will be removed in 0.7)\n if (!response \|\| !response?.ok) {\n // modify the uri based on https://www.ietf.org/archive/id/draft-ietf-oauth-sd-jwt-vc-04.html#section-6.3.1\n const vctElements = vct.split('/')\n vctElements.splice(3, 0, '.well-known/vct')\n const legacyVctUrl = vctElements.join('/')\n\n response = await agentContext.config.agentDependencies.fetch(legacyVctUrl).catch(() => undefined)\n }\n\n if (!response?.ok) {\n if (!throwErrorOnFetchError) return undefined\n\n if (firstResponse) {\n throw new SdJwtVcError(\n `Unable to resolve type metadata vct '${vct}'. Fetch returned a non-successful ${firstResponse.status} response. ${await firstResponse.text()}.`,\n { cause: firstError }\n )\n } else {\n throw new SdJwtVcError(\n `Unable to resolve type metadata vct '${vct}'. Fetch returned a non-successful response.`,\n { cause: firstError }\n )\n }\n }\n\n const typeMetadata = (await response.clone().json()) as SdJwtVcTypeMetadata\n if (vctIntegrity) {\n if (typeof vctIntegrity !== 'string') {\n throw new SdJwtVcError(`Found 'vct#integrity' with value '${vctIntegrity}' but value was not of type 'string'.`)\n }\n\n IntegrityVerifier.verifyIntegrity(new Uint8Array(await response.arrayBuffer()), vctIntegrity)\n }\n\n return typeMetadata\n }\n\n public async store(agentContext: AgentContext, options: SdJwtVcStoreOptions) {\n await this.sdJwtVcRepository.save(agentContext, options.record)\n return options.record\n }\n\n public async getById(agentContext: AgentContext, id: string): Promise<SdJwtVcRecord> {\n return await this.sdJwtVcRepository.getById(agentContext, id)\n }\n\n public async getAll(agentContext: AgentContext): Promise<Array<SdJwtVcRecord>> {\n return await this.sdJwtVcRepository.getAll(agentContext)\n }\n\n public async findByQuery(\n agentContext: AgentContext,\n query: Query<SdJwtVcRecord>,\n queryOptions?: QueryOptions\n ): Promise<Array<SdJwtVcRecord>> {\n return await this.sdJwtVcRepository.findByQuery(agentContext, query, queryOptions)\n }\n\n public async deleteById(agentContext: AgentContext, id: string) {\n await this.sdJwtVcRepository.deleteById(agentContext, id)\n }\n\n public async update(agentContext: AgentContext, sdJwtVcRecord: SdJwtVcRecord) {\n await this.sdJwtVcRepository.update(agentContext, sdJwtVcRecord)\n }\n\n private async extractKeyFromIssuer(agentContext: AgentContext, issuer: SdJwtVcIssuer, forSigning = false) {\n if (issuer.method === 'did') {\n const parsedDid = parseDid(issuer.didUrl)\n if (!parsedDid.fragment) {\n throw new SdJwtVcError(\n `didUrl '${issuer.didUrl}' does not contain a '#'. Unable to derive key from did document`\n )\n }\n\n let publicJwk: PublicJwk\n if (forSigning) {\n publicJwk = await resolveSigningPublicJwkFromDidUrl(agentContext, issuer.didUrl)\n } else {\n const { verificationMethod } = await resolveDidUrl(agentContext, issuer.didUrl)\n publicJwk = getPublicJwkFromVerificationMethod(verificationMethod)\n }\n\n const supportedSignatureAlgorithms = publicJwk.supportedSignatureAlgorithms\n if (supportedSignatureAlgorithms.length === 0) {\n throw new SdJwtVcError(\n `No supported JWA signature algorithms found for key ${publicJwk.jwkTypeHumanDescription}`\n )\n }\n const alg = supportedSignatureAlgorithms[0]\n\n return {\n alg,\n publicJwk,\n iss: parsedDid.did,\n kid: `#${parsedDid.fragment}`,\n }\n }\n\n if (issuer.method === 'x5c') {\n const leafCertificate = issuer.x5c[0]\n if (!leafCertificate) {\n throw new SdJwtVcError(\"Empty 'x5c' array provided\")\n }\n\n if (forSigning && !leafCertificate.publicJwk.hasKeyId) {\n throw new SdJwtVcError(\"Expected leaf certificate in 'x5c' array to have a key id configured.\")\n }\n\n const publicJwk = leafCertificate.publicJwk\n const supportedSignatureAlgorithms = publicJwk.supportedSignatureAlgorithms\n if (supportedSignatureAlgorithms.length === 0) {\n throw new SdJwtVcError(\n `No supported JWA signature algorithms found for key ${publicJwk.jwkTypeHumanDescription}`\n )\n }\n const alg = supportedSignatureAlgorithms[0]\n\n this.assertValidX5cJwtIssuer(agentContext, issuer.issuer, leafCertificate)\n\n return {\n publicJwk,\n iss: issuer.issuer,\n x5c: issuer.x5c,\n alg,\n }\n }\n\n throw new SdJwtVcError(\"Unsupported credential issuer. Only 'did' and 'x5c' is supported at the moment.\")\n }\n\n private async parseIssuerFromCredential<Header extends SdJwtVcHeader, Payload extends SdJwtVcPayload>(\n agentContext: AgentContext,\n sdJwtVc: SDJwt<Header, Payload>,\n credoSdJwtVc: SdJwtVc<Header, Payload>,\n _trustedCertificates?: EncodedX509Certificate[]\n ): Promise<SdJwtVcIssuer> {\n const x509Config = agentContext.dependencyManager.resolve(X509ModuleConfig)\n if (!sdJwtVc.jwt?.payload) {\n throw new SdJwtVcError('Credential not exist')\n }\n\n const iss = sdJwtVc.jwt.payload.iss as string \| undefined\n\n if (sdJwtVc.jwt.header?.x5c) {\n if (!Array.isArray(sdJwtVc.jwt.header.x5c)) {\n throw new SdJwtVcError('Invalid x5c header in credential. Not an array.')\n }\n if (sdJwtVc.jwt.header.x5c.length === 0) {\n throw new SdJwtVcError('Invalid x5c header in credential. Empty array.')\n }\n if (sdJwtVc.jwt.header.x5c.some((x5c) => typeof x5c !== 'string')) {\n throw new SdJwtVcError('Invalid x5c header in credential. Not an array of strings.')\n }\n\n let trustedCertificates = _trustedCertificates\n const certificateChain = sdJwtVc.jwt.header.x5c.map((cert) => X509Certificate.fromEncodedCertificate(cert))\n\n if (!trustedCertificates) {\n trustedCertificates =\n (await x509Config.getTrustedCertificatesForVerification?.(agentContext, {\n certificateChain,\n verification: {\n type: 'credential',\n credential: credoSdJwtVc,\n },\n })) ?? x509Config.trustedCertificates\n }\n\n if (!trustedCertificates) {\n throw new SdJwtVcError(\n 'No trusted certificates configured for X509 certificate chain validation. Issuer cannot be verified.'\n )\n }\n\n await X509Service.validateCertificateChain(agentContext, {\n certificateChain: sdJwtVc.jwt.header.x5c,\n trustedCertificates,\n })\n\n return {\n method: 'x5c',\n x5c: certificateChain,\n issuer: iss,\n }\n }\n\n if (iss?.startsWith('did:')) {\n // If `did` is used, we require a relative KID to be present to identify\n // the key used by issuer to sign the sd-jwt-vc\n\n if (!sdJwtVc.jwt?.header) {\n throw new SdJwtVcError('Credential does not contain a header')\n }\n\n if (!sdJwtVc.jwt.header.kid) {\n throw new SdJwtVcError('Credential does not contain a kid in the header')\n }\n\n const issuerKid = sdJwtVc.jwt.header.kid as string\n\n let didUrl: string\n if (issuerKid.startsWith('#')) {\n didUrl = `${iss}${issuerKid}`\n } else if (issuerKid.startsWith('did:')) {\n const didFromKid = parseDid(issuerKid)\n if (didFromKid.did !== iss) {\n throw new SdJwtVcError(\n `kid in header is an absolute DID URL, but the did (${didFromKid.did}) does not match with the 'iss' did (${iss})`\n )\n }\n\n didUrl = issuerKid\n } else {\n throw new SdJwtVcError(\n 'Invalid issuer kid for did. Only absolute or relative (starting with #) did urls are supported.'\n )\n }\n\n return {\n method: 'did',\n didUrl,\n }\n }\n\n throw new SdJwtVcError('Unsupported signing method for SD-JWT VC. Only did and x5c are supported at the moment.')\n }\n\n private getBaseSdJwtConfig(agentContext: AgentContext): SdJwtVcConfig {\n const kms = agentContext.resolve(KeyManagementApi)\n\n return {\n hasher: sdJwtVcHasher,\n statusListFetcher: this.getStatusListFetcher(agentContext),\n saltGenerator: (length) => TypedArrayEncoder.toBase64URL(kms.randomBytes({ length })).slice(0, length),\n }\n }\n\n private getStatusListFetcher(agentContext: AgentContext) {\n return async (uri: string) => {\n const response = await fetchWithTimeout(agentContext.config.agentDependencies.fetch, uri, {\n headers: {\n Accept: 'application/statuslist+jwt',\n },\n })\n\n if (!response.ok) {\n throw new CredoError(\n `Received invalid response with status ${\n response.status\n } when fetching status list from ${uri}. ${await response.text()}`\n )\n }\n\n return await response.text()\n }\n }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAqGO,2BAAMA,iBAAe;CAG1B,AAAO,YAAY,mBAAsC;AACvD,OAAK,oBAAoB;;CAG3B,MAAa,KACX,cACA,SACkB;EAClB,MAAM,EAAE,SAAS,iBAAiB,qBAAqB;AAGvD,MAAI,oBAAoB,qBAAqB,UAC3C,OAAM,IAAI,aAAa,uCAAuC,mBAAmB;EAGnF,MAAM,SAAS,MAAM,KAAK,qBAAqB,cAAc,QAAQ,QAAQ,KAAK;EAGlF,MAAM,gBAAgB,QAAQ,SAAS,MAAM,4BAA4B,cAAc,QAAQ,OAAO,GAAG;EAEzG,MAAM,SAAS;GACb,KAAK,OAAO;GACZ,KAAK,QAAQ,cAAc;GAC3B,KAAK,OAAO;GACZ,KAAK,OAAO,KAAK,KAAK,SAAS,KAAK,SAAS,SAAS,CAAC;GACxD;EAED,MAAM,QAAQ,IAAI,gBAAgB;GAChC,GAAG,KAAK,mBAAmB,aAAa;GACxC,QAAQ,eAAe,cAAc,OAAO,UAAU;GACtD,SAAS;GACT,SAAS,OAAO;GACjB,CAAC;AAEF,MAAI,CAAC,QAAQ,OAAO,OAAO,QAAQ,QAAQ,SACzC,OAAM,IAAI,aAAa,mCAAmC;EAG5D,MAAM,UAAU,MAAM,MAAM,MAC1B;GACE,GAAG;GACH,KAAK,eAAe;GACpB,KAAK,OAAO;GACZ,KAAK,cAAc;GACnB,KAAK,QAAQ;GACd,EACD,iBACA,EAAE,QAAQ,CACX;EAED,MAAM,eAAgB,MAAM,MAAM,UAAU,QAAQ;EAEpD,MAAM,gBADU,MAAM,MAAM,OAAO,QAAQ,EACd,KAAK;AAClC,MAAI,CAAC,aACH,OAAM,IAAI,aAAa,2BAA2B;AAGpD,SAAO;GACL;GACA;GACQ;GACR,QAAQ,QAAQ;GAChB,SAAS;GACT,aAAa,YAAY;GACzB,SAAS;GACV;;CAGH,AAAO,YACL,gBACA,cAC0B;AAC1B,SAAO,cAAc,gBAAgB,aAAa;;CAGpD,AAAO,2BAA2B,gBAAwB,kBAAuC;EAC/F,MAAM,UAAU,gBAAgB,gBAAgB,OAAO,KAAK;EAC5D,MAAM,oBAAoB,+BAA+B,iBAAiB,IAAI,EAAE;AAEhF,MAAI,QAAQ,MACV,OAAM,IAAI,aAAa,kEAAkE;EAG3F,MAAM,sBAAsB,kBAC1B,QAAQ,IAAI,SAEZ,QAAQ,YAAY,KAAK,OAAO;GAC9B,QAAQ,EAAE,WAAW;IAAE,KAAK;IAAW,QAAQ,OAAO;IAAM,CAAC;GAC7D,SAAS,EAAE,QAAQ;GACnB,KAAK,EAAE;GACP,MAAM,EAAE;GACR,OAAO,EAAE;GACV,EAAE,EACH,kBACD;EACD,MAAM,CAAC,OAAO,eAAe,MAAM,IAAI;AAKvC,SADyB,cADX,GAAG,IAAI,GADnB,oBAAoB,SAAS,IAAI,GAAG,oBAAoB,KAAK,MAAM,EAAE,QAAQ,CAAC,KAAK,IAAI,CAAC,KAAK,KAElD;;CAI/C,MAAa,QACX,cACA,EAAE,SAAS,mBAAmB,kBAAkB,qBAC/B;EACjB,MAAM,QAAQ,IAAI,gBAAgB,KAAK,mBAAmB,aAAa,CAAC;EACxE,MAAM,iBAAiB,OAAO,YAAY,WAAW,UAAU,QAAQ;EAGvE,MAAM,gBAAgB,kCAFE,MAAM,MAAM,OAAO,eAAe,EAEa,KAAK,QAAQ;AACpF,MAAI,CAAC,iBAAiB,iBACpB,OAAM,IAAI,aAAa,wFAAwF;EAGjH,MAAM,SAAS,gBACX,MAAM,4BAA4B,cAAc,eAAe;GAC7D,YAAY;GACZ,UAAU,OAAO,YAAY,WAAW,QAAQ,WAAW;GAC5D,CAAC,GACF;AACJ,QAAM,OAAO;GACX,UAAU,SAAS,eAAe,cAAc,OAAO,UAAU,GAAG;GACpE,WAAW,QAAQ;GACpB,CAAC;AAeF,SAb8B,MAAM,MAAM,QAAQ,gBAAgB,mBAAiD,EACjH,IAAI,mBACA,EACE,SAAS;GACP,KAAK,iBAAiB;GACtB,OAAO,iBAAiB;GACxB,KAAK,iBAAiB;GACtB,GAAG;GACJ,EACF,GACD,QACL,CAAC;;CAKJ,AAAQ,wBACN,cACA,KACA,iBACA;AAEA,MAAI,CAAC,IAAK;AAGV,MAAI,CAAC,IAAI,WAAW,WAAW,IAAI,EAAE,IAAI,WAAW,UAAU,IAAI,aAAa,OAAO,uBACpF,OAAM,IAAI,aAAa,mDAAmD;AAG5E,MAAI,CAAC,gBAAgB,aAAa,SAAS,IAAI,IAAI,CAAC,gBAAgB,aAAa,SAAS,iBAAiB,IAAI,CAAC,CAC9G,OAAM,IAAI,aACR,+PACD;;CAIL,MAAa,OACX,cACA,EAAE,gBAAgB,YAAY,mBAAmB,mBAAmB,qBAAqB,OAIzF;EACA,MAAM,QAAQ,IAAI,gBAAgB,KAAK,mBAAmB,aAAa,CAAC;EACxE,IAAIC;EACJ,IAAIC;AAEJ,MAAI;AACF,aAAU,MAAM,MAAM,OAAO,eAAe;AAC5C,OAAI,CAAC,QAAQ,IAAK,OAAM,IAAI,WAAW,oBAAoB;AAC3D,mBAAgB,iCAAiC,QAAQ,IAAI,QAAQ,IAAI;WAClE,OAAO;AACd,UAAO;IACL,SAAS;IACT;IACD;;EAGH,MAAMC,gBAA0C;GAC9C,SAAS,QAAQ,IAAI;GACrB,QAAQ,QAAQ,IAAI;GACpB,SAAS;GACT,cAAc,MAAM,QAAQ,UAAU,cAAc;GACpD,QAAQ;GAER,OAAO,QAAQ,QACX;IACE,SAAS,QAAQ,MAAM;IACvB,QAAQ,QAAQ,MAAM;IACvB,GACD;GACJ,aAAa,YAAY;GACzB,SAAS;GACV;AAED,MAAI;GACF,MAAM,mBAAmB,MAAM,KAAK,0BAClC,cACA,SACA,eACA,oBACD;GACD,MAAM,SAAS,MAAM,KAAK,qBAAqB,cAAc,iBAAiB;GAC9E,MAAM,SAAS,cAAc,SACzB,MAAM,4BAA4B,cAAc,cAAc,OAAO,GACrE;AAEJ,SAAM,OAAO;IACX,UAAU,iBAAiB,cAAc,OAAO,UAAU;IAC1D,YAAY,SAAS,iBAAiB,cAAc,OAAO,UAAU,GAAG;IACzE,CAAC;AAEF,OAAI;AACF,UAAM,MAAM,OAAO,gBAAgB;KACjC,mBAAmB,oBAAoB,CAAC,GAAG,mBAAmB,MAAM,GAAG,CAAC,MAAM;KAC9E,iBAAiB,YAAY;KAC7B,aAAa,cAAc,uBAAO,IAAI,MAAM,CAAC;KAC7C,aAAa;KACd,CAAC;YACK,OAAO;AACd,WAAO;KACL;KACA,SAAS;KACT,SAAS;KACV;;AAGH,OAAI,QAAQ,IAAI,QAAQ,QAAQ,eAAe,QAAQ,IAAI,QAAQ,QAAQ,YACzE,QAAO;IACL,OAAO,IAAI,aAAa,4DAA4D;IACpF,SAAS;IACT,SAAS;IACV;AAGH,OAAI;AACF,eAAW,SAAS,cAAc,QAAQ,CAAC,SAAS;KAClD,KAAK,cAAc,uBAAO,IAAI,MAAM,CAAC;KACrC,UAAU;KACX,CAAC;YACK,OAAO;AACd,WAAO;KACL;KACA,SAAS;KACT,SAAS;KACV;;AAIH,OAAI;AACF,QAAI,YAAY;AACd,SAAI,CAAC,QAAQ,SAAS,CAAC,QAAQ,MAAM,QACnC,OAAM,IAAI,aAAa,2DAA2D;AAIpF,SAAI,QAAQ,MAAM,QAAQ,QAAQ,WAAW,SAC3C,OAAM,IAAI,aAAa,6DAA6D;AAGtF,SAAI,QAAQ,MAAM,QAAQ,UAAU,WAAW,MAC7C,OAAM,IAAI,aAAa,0DAA0D;;YAG9E,OAAO;AACd,WAAO;KACL;KACA,SAAS;KACT,SAAS;KACV;;AAGH,OAAI,kBAGF,eAAc,eAAe,MAAM,KAAK,kBAAkB,cAAc,eAAe;IACrF,wBAAwB;IACxB,iCAAiC;IAClC,CAAC;WAEG,OAAO;AACd,UAAO;IACL,SAAS;IACT;IACA,SAAS;IACV;;AAGH,SAAO;GACL,SAAS;GACT,SAAS;GACV;;CAGH,MAAa,kBACX,cACA,SACA,EACE,yBAAyB,MACzB,kCAAkC,SACiD,EAAE,EACvF;EACA,MAAM,MAAM,QAAQ,QAAQ;EAC5B,MAAM,eAAe,QAAQ,QAAQ;AACrC,MAAI,CAAC,OAAO,OAAO,QAAQ,YAAY,CAAC,IAAI,WAAW,WAAW,EAAE;AAClE,OAAI,CAAC,gCAAiC,QAAO;AAC7C,SAAM,IAAI,aAAa,4CAA4C,IAAI,yBAAyB;;EAGlG,IAAIC;EAKJ,MAAM,gBAAgB,MAAM,aAAa,OAAO,kBAAkB,MAAM,IAAI,CAAC,OAAO,UAAU;AAC5F,gBAAa;IAEb;EACF,IAAI,WAAW;AAGf,MAAI,CAAC,YAAY,CAAC,UAAU,IAAI;GAE9B,MAAM,cAAc,IAAI,MAAM,IAAI;AAClC,eAAY,OAAO,GAAG,GAAG,kBAAkB;GAC3C,MAAM,eAAe,YAAY,KAAK,IAAI;AAE1C,cAAW,MAAM,aAAa,OAAO,kBAAkB,MAAM,aAAa,CAAC,YAAY,OAAU;;AAGnG,MAAI,CAAC,UAAU,IAAI;AACjB,OAAI,CAAC,uBAAwB,QAAO;AAEpC,OAAI,cACF,OAAM,IAAI,aACR,wCAAwC,IAAI,qCAAqC,cAAc,OAAO,aAAa,MAAM,cAAc,MAAM,CAAC,IAC9I,EAAE,OAAO,YAAY,CACtB;OAED,OAAM,IAAI,aACR,wCAAwC,IAAI,+CAC5C,EAAE,OAAO,YAAY,CACtB;;EAIL,MAAM,eAAgB,MAAM,SAAS,OAAO,CAAC,MAAM;AACnD,MAAI,cAAc;AAChB,OAAI,OAAO,iBAAiB,SAC1B,OAAM,IAAI,aAAa,qCAAqC,aAAa,uCAAuC;AAGlH,qBAAkB,gBAAgB,IAAI,WAAW,MAAM,SAAS,aAAa,CAAC,EAAE,aAAa;;AAG/F,SAAO;;CAGT,MAAa,MAAM,cAA4B,SAA8B;AAC3E,QAAM,KAAK,kBAAkB,KAAK,cAAc,QAAQ,OAAO;AAC/D,SAAO,QAAQ;;CAGjB,MAAa,QAAQ,cAA4B,IAAoC;AACnF,SAAO,MAAM,KAAK,kBAAkB,QAAQ,cAAc,GAAG;;CAG/D,MAAa,OAAO,cAA2D;AAC7E,SAAO,MAAM,KAAK,kBAAkB,OAAO,aAAa;;CAG1D,MAAa,YACX,cACA,OACA,cAC+B;AAC/B,SAAO,MAAM,KAAK,kBAAkB,YAAY,cAAc,OAAO,aAAa;;CAGpF,MAAa,WAAW,cAA4B,IAAY;AAC9D,QAAM,KAAK,kBAAkB,WAAW,cAAc,GAAG;;CAG3D,MAAa,OAAO,cAA4B,eAA8B;AAC5E,QAAM,KAAK,kBAAkB,OAAO,cAAc,cAAc;;CAGlE,MAAc,qBAAqB,cAA4B,QAAuB,aAAa,OAAO;AACxG,MAAI,OAAO,WAAW,OAAO;GAC3B,MAAM,YAAY,SAAS,OAAO,OAAO;AACzC,OAAI,CAAC,UAAU,SACb,OAAM,IAAI,aACR,WAAW,OAAO,OAAO,kEAC1B;GAGH,IAAIC;AACJ,OAAI,WACF,aAAY,MAAM,kCAAkC,cAAc,OAAO,OAAO;QAC3E;IACL,MAAM,EAAE,uBAAuB,MAAM,cAAc,cAAc,OAAO,OAAO;AAC/E,gBAAY,mCAAmC,mBAAmB;;GAGpE,MAAM,+BAA+B,UAAU;AAC/C,OAAI,6BAA6B,WAAW,EAC1C,OAAM,IAAI,aACR,uDAAuD,UAAU,0BAClE;AAIH,UAAO;IACL,KAHU,6BAA6B;IAIvC;IACA,KAAK,UAAU;IACf,KAAK,IAAI,UAAU;IACpB;;AAGH,MAAI,OAAO,WAAW,OAAO;GAC3B,MAAM,kBAAkB,OAAO,IAAI;AACnC,OAAI,CAAC,gBACH,OAAM,IAAI,aAAa,6BAA6B;AAGtD,OAAI,cAAc,CAAC,gBAAgB,UAAU,SAC3C,OAAM,IAAI,aAAa,wEAAwE;GAGjG,MAAM,YAAY,gBAAgB;GAClC,MAAM,+BAA+B,UAAU;AAC/C,OAAI,6BAA6B,WAAW,EAC1C,OAAM,IAAI,aACR,uDAAuD,UAAU,0BAClE;GAEH,MAAM,MAAM,6BAA6B;AAEzC,QAAK,wBAAwB,cAAc,OAAO,QAAQ,gBAAgB;AAE1E,UAAO;IACL;IACA,KAAK,OAAO;IACZ,KAAK,OAAO;IACZ;IACD;;AAGH,QAAM,IAAI,aAAa,kFAAkF;;CAG3G,MAAc,0BACZ,cACA,SACA,cACA,sBACwB;EACxB,MAAM,aAAa,aAAa,kBAAkB,QAAQ,iBAAiB;AAC3E,MAAI,CAAC,QAAQ,KAAK,QAChB,OAAM,IAAI,aAAa,uBAAuB;EAGhD,MAAM,MAAM,QAAQ,IAAI,QAAQ;AAEhC,MAAI,QAAQ,IAAI,QAAQ,KAAK;AAC3B,OAAI,CAAC,MAAM,QAAQ,QAAQ,IAAI,OAAO,IAAI,CACxC,OAAM,IAAI,aAAa,kDAAkD;AAE3E,OAAI,QAAQ,IAAI,OAAO,IAAI,WAAW,EACpC,OAAM,IAAI,aAAa,iDAAiD;AAE1E,OAAI,QAAQ,IAAI,OAAO,IAAI,MAAM,QAAQ,OAAO,QAAQ,SAAS,CAC/D,OAAM,IAAI,aAAa,6DAA6D;GAGtF,IAAI,sBAAsB;GAC1B,MAAM,mBAAmB,QAAQ,IAAI,OAAO,IAAI,KAAK,SAAS,gBAAgB,uBAAuB,KAAK,CAAC;AAE3G,OAAI,CAAC,oBACH,uBACG,MAAM,WAAW,wCAAwC,cAAc;IACtE;IACA,cAAc;KACZ,MAAM;KACN,YAAY;KACb;IACF,CAAC,IAAK,WAAW;AAGtB,OAAI,CAAC,oBACH,OAAM,IAAI,aACR,uGACD;AAGH,SAAM,YAAY,yBAAyB,cAAc;IACvD,kBAAkB,QAAQ,IAAI,OAAO;IACrC;IACD,CAAC;AAEF,UAAO;IACL,QAAQ;IACR,KAAK;IACL,QAAQ;IACT;;AAGH,MAAI,KAAK,WAAW,OAAO,EAAE;AAI3B,OAAI,CAAC,QAAQ,KAAK,OAChB,OAAM,IAAI,aAAa,uCAAuC;AAGhE,OAAI,CAAC,QAAQ,IAAI,OAAO,IACtB,OAAM,IAAI,aAAa,kDAAkD;GAG3E,MAAM,YAAY,QAAQ,IAAI,OAAO;GAErC,IAAIC;AACJ,OAAI,UAAU,WAAW,IAAI,CAC3B,UAAS,GAAG,MAAM;YACT,UAAU,WAAW,OAAO,EAAE;IACvC,MAAM,aAAa,SAAS,UAAU;AACtC,QAAI,WAAW,QAAQ,IACrB,OAAM,IAAI,aACR,sDAAsD,WAAW,IAAI,uCAAuC,IAAI,GACjH;AAGH,aAAS;SAET,OAAM,IAAI,aACR,kGACD;AAGH,UAAO;IACL,QAAQ;IACR;IACD;;AAGH,QAAM,IAAI,aAAa,0FAA0F;;CAGnH,AAAQ,mBAAmB,cAA2C;EACpE,MAAM,MAAM,aAAa,QAAQ,iBAAiB;AAElD,SAAO;GACL,QAAQ;GACR,mBAAmB,KAAK,qBAAqB,aAAa;GAC1D,gBAAgB,WAAW,kBAAkB,YAAY,IAAI,YAAY,EAAE,QAAQ,CAAC,CAAC,CAAC,MAAM,GAAG,OAAO;GACvG;;CAGH,AAAQ,qBAAqB,cAA4B;AACvD,SAAO,OAAO,QAAgB;GAC5B,MAAM,WAAW,MAAM,iBAAiB,aAAa,OAAO,kBAAkB,OAAO,KAAK,EACxF,SAAS,EACP,QAAQ,8BACT,EACF,CAAC;AAEF,OAAI,CAAC,SAAS,GACZ,OAAM,IAAI,WACR,yCACE,SAAS,OACV,kCAAkC,IAAI,IAAI,MAAM,SAAS,MAAM,GACjE;AAGH,UAAO,MAAM,SAAS,MAAM;;;;6BA1kBjC,YAAY"}

package/build/modules/sd-jwt-vc/decodeSdJwtVc.mjs CHANGED Viewed

@@ -3,6 +3,7 @@
 import { Hasher } from "../../crypto/hashes/Hasher.mjs";
 import { ClaimFormat } from "../vc/models/ClaimFormat.mjs";
 import "../../crypto/index.mjs";
+import { parseHolderBindingFromCredential } from "./utils.mjs";
 import "../vc/index.mjs";
 import { decodeSdJwtSync, getClaimsSync } from "@sd-jwt/decode";
@@ -17,6 +18,7 @@ function decodeSdJwtVc(compactSdJwtVc, typeMetadata) {
 		compact: compactSdJwtVc,
 		header: jwt.header,
 		payload: jwt.payload,
+		holder: parseHolderBindingFromCredential(jwt.payload) ?? void 0,
 		prettyClaims,
 		claimFormat: ClaimFormat.SdJwtDc,
 		encoded: compactSdJwtVc,

package/build/modules/sd-jwt-vc/decodeSdJwtVc.mjs.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"decodeSdJwtVc.mjs","names":[],"sources":["../../../src/modules/sd-jwt-vc/decodeSdJwtVc.ts"],"sourcesContent":["import { decodeSdJwtSync, getClaimsSync } from '@sd-jwt/decode'\nimport { Hasher } from '../../crypto'\nimport { ClaimFormat } from '../vc/index'\nimport type { SdJwtVcHeader, SdJwtVcPayload } from './SdJwtVcOptions'\nimport type { SdJwtVc } from './SdJwtVcService'\nimport type { SdJwtVcTypeMetadata } from './typeMetadata'\n\nexport function sdJwtVcHasher(data: string \| ArrayBufferLike, alg: string) {\n return Hasher.hash(typeof data === 'string' ? data : new Uint8Array(data), alg)\n}\n\nexport function decodeSdJwtVc<\n Header extends SdJwtVcHeader = SdJwtVcHeader,\n Payload extends SdJwtVcPayload = SdJwtVcPayload,\n>(compactSdJwtVc: string, typeMetadata?: SdJwtVcTypeMetadata): SdJwtVc<Header, Payload> {\n // NOTE: we use decodeSdJwtSync so we can make this method sync\n const { jwt, disclosures, kbJwt } = decodeSdJwtSync(compactSdJwtVc, sdJwtVcHasher)\n const prettyClaims = getClaimsSync(jwt.payload, disclosures, sdJwtVcHasher)\n\n return {\n compact: compactSdJwtVc,\n header: jwt.header as Header,\n payload: jwt.payload as Payload,\n prettyClaims: prettyClaims as Payload,\n claimFormat: ClaimFormat.SdJwtDc,\n encoded: compactSdJwtVc,\n kbJwt: kbJwt\n ? {\n payload: kbJwt.payload as Record<string, unknown>,\n header: kbJwt.header as Record<string, unknown>,\n }\n : undefined,\n ...(typeMetadata && { typeMetadata }),\n }\n}\n"],"mappings":"~~;;;;;;;;;AAOA~~,SAAgB,cAAc,MAAgC,KAAa;AACzE,QAAO,OAAO,KAAK,OAAO,SAAS,WAAW,OAAO,IAAI,WAAW,KAAK,EAAE,IAAI;;AAGjF,SAAgB,cAGd,gBAAwB,cAA8D;CAEtF,MAAM,EAAE,KAAK,aAAa,UAAU,gBAAgB,gBAAgB,cAAc;CAClF,MAAM,eAAe,cAAc,IAAI,SAAS,aAAa,cAAc;AAE3E,QAAO;EACL,SAAS;EACT,QAAQ,IAAI;EACZ,SAAS,IAAI;~~EACC~~;EACd,aAAa,YAAY;EACzB,SAAS;EACT,OAAO,QACH;GACE,SAAS,MAAM;GACf,QAAQ,MAAM;GACf,GACD;EACJ,GAAI,gBAAgB,EAAE,cAAc;EACrC"}
1	+ {"version":3,"file":"decodeSdJwtVc.mjs","names":[],"sources":["../../../src/modules/sd-jwt-vc/decodeSdJwtVc.ts"],"sourcesContent":["import { decodeSdJwtSync, getClaimsSync } from '@sd-jwt/decode'\nimport { Hasher } from '../../crypto'\nimport { ClaimFormat } from '../vc/index'\nimport type { SdJwtVcHeader, SdJwtVcPayload } from './SdJwtVcOptions'\nimport type { SdJwtVc } from './SdJwtVcService'\nimport type { SdJwtVcTypeMetadata } from './typeMetadata'\nimport { parseHolderBindingFromCredential } from './utils'\n\nexport function sdJwtVcHasher(data: string \| ArrayBufferLike, alg: string) {\n return Hasher.hash(typeof data === 'string' ? data : new Uint8Array(data), alg)\n}\n\nexport function decodeSdJwtVc<\n Header extends SdJwtVcHeader = SdJwtVcHeader,\n Payload extends SdJwtVcPayload = SdJwtVcPayload,\n>(compactSdJwtVc: string, typeMetadata?: SdJwtVcTypeMetadata): SdJwtVc<Header, Payload> {\n // NOTE: we use decodeSdJwtSync so we can make this method sync\n const { jwt, disclosures, kbJwt } = decodeSdJwtSync(compactSdJwtVc, sdJwtVcHasher)\n const prettyClaims = getClaimsSync(jwt.payload, disclosures, sdJwtVcHasher)\n\n return {\n compact: compactSdJwtVc,\n header: jwt.header as Header,\n payload: jwt.payload as Payload,\n holder: parseHolderBindingFromCredential(jwt.payload) ?? undefined,\n prettyClaims: prettyClaims as Payload,\n claimFormat: ClaimFormat.SdJwtDc,\n encoded: compactSdJwtVc,\n kbJwt: kbJwt\n ? {\n payload: kbJwt.payload as Record<string, unknown>,\n header: kbJwt.header as Record<string, unknown>,\n }\n : undefined,\n ...(typeMetadata && { typeMetadata }),\n }\n}\n"],"mappings":";;;;;;;;;;AAQA,SAAgB,cAAc,MAAgC,KAAa;AACzE,QAAO,OAAO,KAAK,OAAO,SAAS,WAAW,OAAO,IAAI,WAAW,KAAK,EAAE,IAAI;;AAGjF,SAAgB,cAGd,gBAAwB,cAA8D;CAEtF,MAAM,EAAE,KAAK,aAAa,UAAU,gBAAgB,gBAAgB,cAAc;CAClF,MAAM,eAAe,cAAc,IAAI,SAAS,aAAa,cAAc;AAE3E,QAAO;EACL,SAAS;EACT,QAAQ,IAAI;EACZ,SAAS,IAAI;EACb,QAAQ,iCAAiC,IAAI,QAAQ,IAAI;EAC3C;EACd,aAAa,YAAY;EACzB,SAAS;EACT,OAAO,QACH;GACE,SAAS,MAAM;GACf,QAAQ,MAAM;GACf,GACD;EACJ,GAAI,gBAAgB,EAAE,cAAc;EACrC"}

package/package.json CHANGED Viewed

@@ -4,7 +4,7 @@
     ".": "./build/index.mjs",
     "./package.json": "./package.json"
   },
-  "version": "0.6.2-alpha-20251211115250",
+  "version": "0.6.2-alpha-20251211125338",
   "files": [
     "build"
   ],