@credo-ts/core 0.6.2-alpha-20251211125338 → 0.6.2-alpha-20251211125344

Files changed (77)
  1. package/build/agent/Agent.mjs +2 -2
  2. package/build/agent/AgentConfig.d.mts +2 -0
  3. package/build/agent/AgentConfig.d.mts.map +1 -1
  4. package/build/agent/AgentConfig.mjs +4 -0
  5. package/build/agent/AgentConfig.mjs.map +1 -1
  6. package/build/agent/context/DefaultAgentContextProvider.mjs +1 -1
  7. package/build/crypto/JwsService.mjs +4 -4
  8. package/build/crypto/KmsKeyPair.mjs +1 -1
  9. package/build/crypto/index.mjs +1 -1
  10. package/build/crypto/jose/jwt/Jwt.mjs +1 -1
  11. package/build/crypto/jose/jwt/JwtPayload.d.mts +5 -0
  12. package/build/crypto/jose/jwt/JwtPayload.d.mts.map +1 -1
  13. package/build/crypto/jose/jwt/JwtPayload.mjs +10 -8
  14. package/build/crypto/jose/jwt/JwtPayload.mjs.map +1 -1
  15. package/build/index.mjs +12 -12
  16. package/build/modules/cache/CachedStorageService.mjs +2 -2
  17. package/build/modules/dcql/DcqlService.mjs +1 -1
  18. package/build/modules/dids/DidsApi.mjs +1 -1
  19. package/build/modules/dids/domain/DidDocument.mjs +2 -2
  20. package/build/modules/dids/domain/service/DidCommV1Service.mjs +2 -2
  21. package/build/modules/dids/domain/service/DidCommV2Service.mjs +2 -2
  22. package/build/modules/dids/domain/service/IndyAgentService.mjs +2 -2
  23. package/build/modules/dids/domain/service/LegacyDidCommV2Service.mjs +2 -2
  24. package/build/modules/dids/services/DidResolverService.mjs +2 -2
  25. package/build/modules/dif-presentation-exchange/DifPresentationExchangeService.mjs +2 -2
  26. package/build/modules/kms/jwk/PublicJwk.mjs +1 -1
  27. package/build/modules/kms/jwk/alg/encryption.mjs +1 -1
  28. package/build/modules/kms/jwk/alg/signing.mjs +1 -1
  29. package/build/modules/kms/jwk/kty/ec/ecPublicKey.mjs +1 -1
  30. package/build/modules/kms/jwk/kty/rsa/RsaPublicJwk.mjs +1 -1
  31. package/build/modules/kms/legacy.mjs +1 -1
  32. package/build/modules/mdoc/Mdoc.mjs +2 -2
  33. package/build/modules/mdoc/Mdoc.mjs.map +1 -1
  34. package/build/modules/mdoc/MdocDeviceResponse.mjs +2 -2
  35. package/build/modules/mdoc/MdocDeviceResponse.mjs.map +1 -1
  36. package/build/modules/mdoc/mdocSupportedAlgs.d.mts +2 -2
  37. package/build/modules/mdoc/mdocSupportedAlgs.mjs +3 -3
  38. package/build/modules/mdoc/mdocSupportedAlgs.mjs.map +1 -1
  39. package/build/modules/sd-jwt-vc/SdJwtVcService.mjs +6 -6
  40. package/build/modules/sd-jwt-vc/SdJwtVcService.mjs.map +1 -1
  41. package/build/modules/sd-jwt-vc/utils.mjs +1 -1
  42. package/build/modules/vc/data-integrity/W3cJsonLdCredentialService.mjs +3 -3
  43. package/build/modules/vc/data-integrity/models/DataIntegrityProof.mjs +2 -2
  44. package/build/modules/vc/data-integrity/models/LinkedDataProof.mjs +2 -2
  45. package/build/modules/vc/data-integrity/models/W3cJsonLdVerifiableCredential.mjs +2 -2
  46. package/build/modules/vc/data-integrity/models/W3cJsonLdVerifiablePresentation.mjs +2 -2
  47. package/build/modules/vc/jwt-vc/W3cJwtCredentialService.d.mts.map +1 -1
  48. package/build/modules/vc/jwt-vc/W3cJwtCredentialService.mjs +5 -5
  49. package/build/modules/vc/jwt-vc/W3cJwtCredentialService.mjs.map +1 -1
  50. package/build/modules/vc/jwt-vc/W3cV2JwtCredentialService.d.mts.map +1 -1
  51. package/build/modules/vc/jwt-vc/W3cV2JwtCredentialService.mjs +5 -5
  52. package/build/modules/vc/jwt-vc/W3cV2JwtCredentialService.mjs.map +1 -1
  53. package/build/modules/vc/jwt-vc/credentialTransformer.mjs +1 -1
  54. package/build/modules/vc/jwt-vc/presentationTransformer.mjs +1 -1
  55. package/build/modules/vc/models/credential/W3cCredential.mjs +2 -2
  56. package/build/modules/vc/models/credential/W3cCredentialSchema.mjs +1 -1
  57. package/build/modules/vc/models/credential/W3cCredentialStatus.mjs +1 -1
  58. package/build/modules/vc/models/credential/W3cIssuer.mjs +1 -1
  59. package/build/modules/vc/models/credential/W3cV2Credential.mjs +2 -2
  60. package/build/modules/vc/models/credential/W3cV2CredentialSchema.mjs +2 -2
  61. package/build/modules/vc/models/credential/W3cV2CredentialStatus.mjs +2 -2
  62. package/build/modules/vc/models/credential/W3cV2CredentialSubject.mjs +2 -2
  63. package/build/modules/vc/models/credential/W3cV2Evidence.mjs +2 -2
  64. package/build/modules/vc/models/credential/W3cV2Issuer.mjs +2 -2
  65. package/build/modules/vc/models/presentation/W3cHolder.mjs +1 -1
  66. package/build/modules/vc/models/presentation/W3cPresentation.mjs +2 -2
  67. package/build/modules/vc/models/presentation/W3cV2Holder.mjs +2 -2
  68. package/build/modules/vc/models/presentation/W3cV2Presentation.mjs +2 -2
  69. package/build/modules/vc/sd-jwt-vc/W3cV2SdJwtCredentialService.d.mts.map +1 -1
  70. package/build/modules/vc/sd-jwt-vc/W3cV2SdJwtCredentialService.mjs +7 -7
  71. package/build/modules/vc/sd-jwt-vc/W3cV2SdJwtCredentialService.mjs.map +1 -1
  72. package/build/modules/vc/v2-jwt-utils.mjs +1 -1
  73. package/build/storage/BaseRecord.mjs +2 -2
  74. package/build/types.d.mts +17 -0
  75. package/build/types.d.mts.map +1 -1
  76. package/build/types.mjs.map +1 -1
  77. package/package.json +1 -1
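--- a/package/build/modules/mdoc/MdocDeviceResponse.mjs
+++ b/package/build/modules/mdoc/MdocDeviceResponse.mjs
@@ -8,7 +8,7 @@ import { ClaimFormat } from "../vc/models/ClaimFormat.mjs";
 import "../vc/index.mjs";
 import { getMdocContext } from "./MdocContext.mjs";
 import { MdocError } from "./MdocError.mjs";
-import { isMdocSupportedSignatureAlgorithm, mdocSupporteSignatureAlgorithms } from "./mdocSupportedAlgs.mjs";
+import { isMdocSupportedSignatureAlgorithm, mdocSupportedSignatureAlgorithms } from "./mdocSupportedAlgs.mjs";
 import { Mdoc } from "./Mdoc.mjs";
 import { nameSpacesRecordToMap } from "./mdocUtil.mjs";
 import { DataItem, DeviceRequest, DeviceResponse, DeviceSignedDocument, MDoc, MDocStatus, Verifier, cborEncode, defaultCallback, limitDisclosureToInputDescriptor, parseDeviceResponse, parseIssuerSigned } from "@animo-id/mdoc";
@@ -225,7 +225,7 @@ var MdocDeviceResponse = class MdocDeviceResponse {
 }
 static getAlgForDeviceKeyJwk(jwk) {
 const signatureAlgorithm = jwk.supportedSignatureAlgorithms.find(isMdocSupportedSignatureAlgorithm);
-if (!signatureAlgorithm) throw new MdocError(`Unable to create mdoc device response. No supported signature algorithm found to sign device response for jwk ${jwk.jwkTypeHumanDescription}. Key supports algs ${jwk.supportedSignatureAlgorithms.join(", ")}. mdoc supports algs ${mdocSupporteSignatureAlgorithms.join(", ")}`);
+if (!signatureAlgorithm) throw new MdocError(`Unable to create mdoc device response. No supported signature algorithm found to sign device response for jwk ${jwk.jwkTypeHumanDescription}. Key supports algs ${jwk.supportedSignatureAlgorithms.join(", ")}. mdoc supports algs ${mdocSupportedSignatureAlgorithms.join(", ")}`);
 return signatureAlgorithm;
 }
 };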
@@ -1 +1 @@
1
- {"version":3,"file":"MdocDeviceResponse.mjs","names":["base64Url: string","documents: Mdoc[]","deviceResponses: MdocDeviceResponse[]","mdocLimitDisclosureToInputDescriptor","nonMdocPresentationDefinition: DifPresentationExchangeDefinition","this"],"sources":["../../../src/modules/mdoc/MdocDeviceResponse.ts"],"sourcesContent":["import type { MdocContext, PresentationDefinition } from '@animo-id/mdoc'\nimport {\n cborEncode,\n DataItem,\n DeviceRequest,\n DeviceResponse,\n DeviceSignedDocument,\n MDoc,\n MDocStatus,\n limitDisclosureToInputDescriptor as mdocLimitDisclosureToInputDescriptor,\n defaultCallback as onCheck,\n parseDeviceResponse,\n parseIssuerSigned,\n Verifier,\n} from '@animo-id/mdoc'\nimport type { InputDescriptorV2 } from '@sphereon/pex-models'\nimport type { AgentContext } from '../../agent'\nimport { TypedArrayEncoder } from './../../utils'\nimport { uuid } from '../../utils/uuid'\nimport type { DifPresentationExchangeDefinition } from '../dif-presentation-exchange'\nimport { PublicJwk } from '../kms'\nimport { ClaimFormat } from '../vc'\nimport { Mdoc } from './Mdoc'\nimport { getMdocContext } from './MdocContext'\nimport { MdocError } from './MdocError'\nimport type {\n MdocDeviceResponseOptions,\n MdocDeviceResponsePresentationDefinitionOptions,\n MdocDeviceResponseVerifyOptions,\n MdocSessionTranscriptOptions,\n} from './MdocOptions'\nimport { isMdocSupportedSignatureAlgorithm, mdocSupporteSignatureAlgorithms } from './mdocSupportedAlgs'\nimport { nameSpacesRecordToMap } from './mdocUtil'\n\nexport class MdocDeviceResponse {\n private constructor(\n public base64Url: string,\n public documents: Mdoc[]\n ) {}\n\n /**\n * claim format is convenience method added to all credential instances\n */\n public get claimFormat() {\n return ClaimFormat.MsoMdoc as const\n }\n\n /**\n * Encoded is convenience method added to all credential instances\n */\n public get encoded() {\n return this.base64Url\n }\n\n /**\n * To support a single DeviceResponse 
with multiple documents in OpenID4VP\n */\n public splitIntoSingleDocumentResponses(): MdocDeviceResponse[] {\n const deviceResponses: MdocDeviceResponse[] = []\n\n if (this.documents.length === 0) {\n throw new MdocError('mdoc device response does not contain any mdocs')\n }\n\n for (const document of this.documents) {\n const deviceResponse = new MDoc()\n\n deviceResponse.addDocument(document.issuerSignedDocument)\n\n deviceResponses.push(MdocDeviceResponse.fromDeviceResponse(deviceResponse))\n }\n\n return deviceResponses\n }\n\n private static fromDeviceResponse(mdoc: MDoc) {\n const documents = mdoc.documents.map((doc) => {\n const prepared = doc.prepare()\n const docType = prepared.get('docType') as string\n const issuerSigned = cborEncode(prepared.get('issuerSigned'))\n const deviceSigned = cborEncode(prepared.get('deviceSigned'))\n\n return Mdoc.fromDeviceSignedDocument(\n TypedArrayEncoder.toBase64URL(issuerSigned),\n TypedArrayEncoder.toBase64URL(deviceSigned),\n docType\n )\n })\n\n return new MdocDeviceResponse(TypedArrayEncoder.toBase64URL(mdoc.encode()), documents)\n }\n\n public static fromBase64Url(base64Url: string) {\n const parsed = parseDeviceResponse(TypedArrayEncoder.fromBase64(base64Url))\n if (parsed.status !== MDocStatus.OK) {\n throw new MdocError('Parsing Mdoc Device Response failed.')\n }\n\n return MdocDeviceResponse.fromDeviceResponse(parsed)\n }\n\n private static assertMdocInputDescriptor(inputDescriptor: InputDescriptorV2) {\n if (!inputDescriptor.format || !inputDescriptor.format.mso_mdoc) {\n throw new MdocError(`Input descriptor must contain 'mso_mdoc' format property`)\n }\n\n if (!inputDescriptor.format.mso_mdoc.alg) {\n throw new MdocError(`Input descriptor mso_mdoc must contain 'alg' property`)\n }\n\n if (!inputDescriptor.constraints?.limit_disclosure || inputDescriptor.constraints.limit_disclosure !== 'required') {\n throw new MdocError(\n `Input descriptor must contain 'limit_disclosure' constraints property which is set 
to required`\n )\n }\n\n if (!inputDescriptor.constraints?.fields?.every((field) => field.intent_to_retain !== undefined)) {\n throw new MdocError(`Input descriptor must contain 'intent_to_retain' constraints property`)\n }\n\n return {\n ...inputDescriptor,\n format: {\n mso_mdoc: inputDescriptor.format.mso_mdoc,\n },\n constraints: {\n ...inputDescriptor.constraints,\n limit_disclosure: 'required',\n fields: (inputDescriptor.constraints.fields ?? []).map((field) => {\n return {\n ...field,\n intent_to_retain: field.intent_to_retain ?? false,\n }\n }),\n },\n } satisfies PresentationDefinition['input_descriptors'][number]\n }\n\n public static partitionPresentationDefinition = (pd: DifPresentationExchangeDefinition) => {\n const nonMdocPresentationDefinition: DifPresentationExchangeDefinition = {\n ...pd,\n input_descriptors: pd.input_descriptors.filter(\n (id) => !Object.keys((id as InputDescriptorV2).format ?? {}).includes('mso_mdoc')\n ),\n } as DifPresentationExchangeDefinition\n\n const mdocPresentationDefinition = {\n ...pd,\n format: { mso_mdoc: pd.format?.mso_mdoc },\n input_descriptors: (pd.input_descriptors as InputDescriptorV2[])\n .filter((id) => Object.keys(id.format ?? 
{}).includes('mso_mdoc'))\n .map(this.assertMdocInputDescriptor),\n }\n\n return { mdocPresentationDefinition, nonMdocPresentationDefinition }\n }\n\n private static createPresentationSubmission(input: {\n id: string\n presentationDefinition: {\n id: string\n input_descriptors: ReturnType<typeof MdocDeviceResponse.assertMdocInputDescriptor>[]\n }\n }) {\n const { id, presentationDefinition } = input\n if (presentationDefinition.input_descriptors.length !== 1) {\n throw new MdocError('Currently Mdoc Presentation Submissions can only be created for a sigle input descriptor')\n }\n return {\n id,\n definition_id: presentationDefinition.id,\n descriptor_map: [\n {\n id: presentationDefinition.input_descriptors[0].id,\n format: 'mso_mdoc',\n path: '$',\n },\n ],\n }\n }\n\n public static limitDisclosureToInputDescriptor(options: { inputDescriptor: InputDescriptorV2; mdoc: Mdoc }) {\n const { mdoc } = options\n\n const inputDescriptor = MdocDeviceResponse.assertMdocInputDescriptor(options.inputDescriptor)\n const _mdoc = parseIssuerSigned(TypedArrayEncoder.fromBase64(mdoc.base64Url), mdoc.docType)\n\n const disclosure = mdocLimitDisclosureToInputDescriptor(_mdoc, inputDescriptor)\n const disclosedPayloadAsRecord = Object.fromEntries(\n Array.from(disclosure.entries()).map(([namespace, issuerSignedItem]) => {\n return [\n namespace,\n Object.fromEntries(issuerSignedItem.map((item) => [item.elementIdentifier, item.elementValue])),\n ]\n })\n )\n\n return disclosedPayloadAsRecord\n }\n\n public static async createPresentationDefinitionDeviceResponse(\n agentContext: AgentContext,\n options: MdocDeviceResponsePresentationDefinitionOptions\n ) {\n const presentationDefinition = MdocDeviceResponse.partitionPresentationDefinition(\n options.presentationDefinition\n ).mdocPresentationDefinition\n\n const docTypes = options.mdocs.map((i) => i.docType)\n\n const combinedDeviceResponseMdoc = new MDoc()\n\n for (const document of options.mdocs) {\n const deviceKeyJwk = 
document.deviceKey\n if (!deviceKeyJwk) throw new MdocError(`Device key is missing in mdoc with doctype ${document.docType}`)\n\n // Set keyId to legacy key id if it doesn't have a key id set\n if (!deviceKeyJwk.hasKeyId) {\n deviceKeyJwk.keyId = deviceKeyJwk.legacyKeyId\n }\n\n const alg = MdocDeviceResponse.getAlgForDeviceKeyJwk(deviceKeyJwk)\n\n // We do PEX filtering on a different layer, so we only include the needed input descriptor here\n const presentationDefinitionForDocument = {\n ...presentationDefinition,\n input_descriptors: presentationDefinition.input_descriptors.filter(\n (inputDescriptor) => inputDescriptor.id === document.docType\n ),\n }\n\n const mdocContext = getMdocContext(agentContext)\n const issuerSignedDocument = parseIssuerSigned(TypedArrayEncoder.fromBase64(document.base64Url), document.docType)\n const deviceResponseBuilder = DeviceResponse.from(new MDoc([issuerSignedDocument]))\n .usingPresentationDefinition(presentationDefinitionForDocument)\n .authenticateWithSignature(deviceKeyJwk.toJson(), alg)\n .usingSessionTranscriptBytes(\n await MdocDeviceResponse.getSessionTranscriptBytesForOptions(mdocContext, options.sessionTranscriptOptions)\n )\n\n for (const [nameSpace, nameSpaceValue] of Object.entries(options.deviceNameSpaces ?? 
{})) {\n deviceResponseBuilder.addDeviceNameSpace(nameSpace, nameSpaceValue)\n }\n\n const deviceResponseMdoc = await deviceResponseBuilder.sign(mdocContext)\n combinedDeviceResponseMdoc.addDocument(deviceResponseMdoc.documents[0])\n }\n\n return {\n deviceResponseBase64Url: TypedArrayEncoder.toBase64URL(combinedDeviceResponseMdoc.encode()),\n presentationSubmission: MdocDeviceResponse.createPresentationSubmission({\n id: `MdocPresentationSubmission ${uuid()}`,\n presentationDefinition: {\n ...presentationDefinition,\n input_descriptors: presentationDefinition.input_descriptors.filter((i) => docTypes.includes(i.id)),\n },\n }),\n }\n }\n\n public static async createDeviceResponse(agentContext: AgentContext, options: MdocDeviceResponseOptions) {\n const combinedDeviceResponseMdoc = new MDoc()\n\n for (const document of options.mdocs) {\n const deviceKeyJwk = document.deviceKey\n if (!deviceKeyJwk) throw new MdocError(`Device key is missing in mdoc with doctype ${document.docType}`)\n const alg = MdocDeviceResponse.getAlgForDeviceKeyJwk(deviceKeyJwk)\n\n // Set keyId to legacy key id if it doesn't have a key id set\n if (!deviceKeyJwk.hasKeyId) {\n deviceKeyJwk.keyId = deviceKeyJwk.legacyKeyId\n }\n\n const issuerSignedDocument = parseIssuerSigned(TypedArrayEncoder.fromBase64(document.base64Url), document.docType)\n\n const deviceRequestForDocument = DeviceRequest.from(\n '1.0',\n options.documentRequests\n .filter((request) => request.docType === issuerSignedDocument.docType)\n .map((request) => ({\n itemsRequestData: {\n docType: request.docType,\n nameSpaces: nameSpacesRecordToMap(request.nameSpaces),\n },\n }))\n )\n\n const mdocContext = getMdocContext(agentContext)\n const deviceResponseBuilder = DeviceResponse.from(new MDoc([issuerSignedDocument]))\n .authenticateWithSignature(deviceKeyJwk.toJson(), alg)\n .usingDeviceRequest(deviceRequestForDocument)\n .usingSessionTranscriptBytes(\n await MdocDeviceResponse.getSessionTranscriptBytesForOptions(mdocContext, 
options.sessionTranscriptOptions)\n )\n\n for (const [nameSpace, nameSpaceValue] of Object.entries(options.deviceNameSpaces ?? {})) {\n deviceResponseBuilder.addDeviceNameSpace(nameSpace, nameSpaceValue)\n }\n\n const deviceResponseMdoc = await deviceResponseBuilder.sign(mdocContext)\n combinedDeviceResponseMdoc.addDocument(deviceResponseMdoc.documents[0])\n }\n\n return combinedDeviceResponseMdoc.encode()\n }\n\n public async verify(agentContext: AgentContext, options: Omit<MdocDeviceResponseVerifyOptions, 'deviceResponse'>) {\n const verifier = new Verifier()\n const mdocContext = getMdocContext(agentContext)\n\n onCheck({\n status: this.documents.length > 0 ? 'PASSED' : 'FAILED',\n check: 'Device Response must include at least one document.',\n category: 'DOCUMENT_FORMAT',\n })\n\n const deviceResponse = parseDeviceResponse(TypedArrayEncoder.fromBase64(this.base64Url))\n\n // NOTE: we do not use the verification from mdoc library, as it checks all documents\n // based on the same trusted certificates\n for (const documentIndex of this.documents.keys()) {\n const rawDocument = deviceResponse.documents[documentIndex]\n const document = this.documents[documentIndex]\n\n const verificationResult = await document.verify(agentContext, {\n now: options.now,\n trustedCertificates: options.trustedCertificates,\n })\n\n if (!verificationResult.isValid) {\n throw new MdocError(`Mdoc at index ${documentIndex} is not valid. ${verificationResult.error}`)\n }\n\n if (!(rawDocument instanceof DeviceSignedDocument)) {\n onCheck({\n status: 'FAILED',\n category: 'DEVICE_AUTH',\n check: `The document is not signed by the device. 
${document.docType}`,\n })\n continue\n }\n\n await verifier.verifyDeviceSignature(\n {\n sessionTranscriptBytes: await MdocDeviceResponse.getSessionTranscriptBytesForOptions(\n mdocContext,\n options.sessionTranscriptOptions\n ),\n deviceSigned: rawDocument,\n },\n mdocContext\n )\n }\n\n if (deviceResponse.documentErrors.length > 1) {\n throw new MdocError('Device response verification failed.')\n }\n\n if (deviceResponse.status !== MDocStatus.OK) {\n throw new MdocError('Device response verification failed. An unknown error occurred.')\n }\n\n return this.documents\n }\n\n private static async getSessionTranscriptBytesForOptions(\n context: MdocContext,\n options: MdocSessionTranscriptOptions\n ) {\n if (options.type === 'sesionTranscriptBytes') {\n return options.sessionTranscriptBytes\n }\n\n // NOTE: temporary until we have updated to the new major version of mdoc\n // Based on https://github.com/animo/mdoc/blob/main/src/mdoc/models/session-transcript.ts#L84\n if (options.type === 'openId4Vp') {\n return cborEncode(\n DataItem.fromData([\n null,\n null,\n [\n 'OpenID4VPHandover',\n await context.crypto.digest({\n digestAlgorithm: 'SHA-256',\n bytes: cborEncode([\n options.clientId,\n options.verifierGeneratedNonce,\n options.encryptionJwk?.getJwkThumbprint('sha-256') ?? 
null,\n options.responseUri,\n ]),\n }),\n ],\n ])\n )\n }\n\n if (options.type === 'openId4VpDraft18') {\n return await DeviceResponse.calculateSessionTranscriptBytesForOID4VP({\n ...options,\n context,\n })\n }\n\n // NOTE: temporary until we have updated to the new major version of mdoc\n // Based on https://github.com/animo/mdoc/blob/main/src/mdoc/models/session-transcript.ts#L65\n if (options.type === 'openId4VpDcApi') {\n return cborEncode(\n DataItem.fromData([\n null,\n null,\n [\n 'OpenID4VPDCAPIHandover',\n await context.crypto.digest({\n digestAlgorithm: 'SHA-256',\n bytes: cborEncode([\n options.origin,\n options.verifierGeneratedNonce,\n options.encryptionJwk?.getJwkThumbprint('sha-256') ?? null,\n ]),\n }),\n ],\n ])\n )\n }\n\n if (options.type === 'openId4VpDcApiDraft24') {\n return await DeviceResponse.calculateSessionTranscriptBytesForOID4VPDCApi({\n ...options,\n context,\n })\n }\n\n throw new MdocError('Unsupported session transcript option')\n }\n\n private static getAlgForDeviceKeyJwk(jwk: PublicJwk) {\n const signatureAlgorithm = jwk.supportedSignatureAlgorithms.find(isMdocSupportedSignatureAlgorithm)\n if (!signatureAlgorithm) {\n throw new MdocError(\n `Unable to create mdoc device response. No supported signature algorithm found to sign device response for jwk ${\n jwk.jwkTypeHumanDescription\n }. Key supports algs ${jwk.supportedSignatureAlgorithms.join(\n ', '\n )}. 
mdoc supports algs ${mdocSupporteSignatureAlgorithms.join(', ')}`\n )\n }\n\n return signatureAlgorithm\n }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;AAkCA,IAAa,qBAAb,MAAa,mBAAmB;CAC9B,AAAQ,YACN,AAAOA,WACP,AAAOC,WACP;EAFO;EACA;;;;;CAMT,IAAW,cAAc;AACvB,SAAO,YAAY;;;;;CAMrB,IAAW,UAAU;AACnB,SAAO,KAAK;;;;;CAMd,AAAO,mCAAyD;EAC9D,MAAMC,kBAAwC,EAAE;AAEhD,MAAI,KAAK,UAAU,WAAW,EAC5B,OAAM,IAAI,UAAU,kDAAkD;AAGxE,OAAK,MAAM,YAAY,KAAK,WAAW;GACrC,MAAM,iBAAiB,IAAI,MAAM;AAEjC,kBAAe,YAAY,SAAS,qBAAqB;AAEzD,mBAAgB,KAAK,mBAAmB,mBAAmB,eAAe,CAAC;;AAG7E,SAAO;;CAGT,OAAe,mBAAmB,MAAY;EAC5C,MAAM,YAAY,KAAK,UAAU,KAAK,QAAQ;GAC5C,MAAM,WAAW,IAAI,SAAS;GAC9B,MAAM,UAAU,SAAS,IAAI,UAAU;GACvC,MAAM,eAAe,WAAW,SAAS,IAAI,eAAe,CAAC;GAC7D,MAAM,eAAe,WAAW,SAAS,IAAI,eAAe,CAAC;AAE7D,UAAO,KAAK,yBACV,kBAAkB,YAAY,aAAa,EAC3C,kBAAkB,YAAY,aAAa,EAC3C,QACD;IACD;AAEF,SAAO,IAAI,mBAAmB,kBAAkB,YAAY,KAAK,QAAQ,CAAC,EAAE,UAAU;;CAGxF,OAAc,cAAc,WAAmB;EAC7C,MAAM,SAAS,oBAAoB,kBAAkB,WAAW,UAAU,CAAC;AAC3E,MAAI,OAAO,WAAW,WAAW,GAC/B,OAAM,IAAI,UAAU,uCAAuC;AAG7D,SAAO,mBAAmB,mBAAmB,OAAO;;CAGtD,OAAe,0BAA0B,iBAAoC;AAC3E,MAAI,CAAC,gBAAgB,UAAU,CAAC,gBAAgB,OAAO,SACrD,OAAM,IAAI,UAAU,2DAA2D;AAGjF,MAAI,CAAC,gBAAgB,OAAO,SAAS,IACnC,OAAM,IAAI,UAAU,wDAAwD;AAG9E,MAAI,CAAC,gBAAgB,aAAa,oBAAoB,gBAAgB,YAAY,qBAAqB,WACrG,OAAM,IAAI,UACR,iGACD;AAGH,MAAI,CAAC,gBAAgB,aAAa,QAAQ,OAAO,UAAU,MAAM,qBAAqB,OAAU,CAC9F,OAAM,IAAI,UAAU,wEAAwE;AAG9F,SAAO;GACL,GAAG;GACH,QAAQ,EACN,UAAU,gBAAgB,OAAO,UAClC;GACD,aAAa;IACX,GAAG,gBAAgB;IACnB,kBAAkB;IAClB,SAAS,gBAAgB,YAAY,UAAU,EAAE,EAAE,KAAK,UAAU;AAChE,YAAO;MACL,GAAG;MACH,kBAAkB,MAAM,oBAAoB;MAC7C;MACD;IACH;GACF;;CAsBH,OAAe,6BAA6B,OAMzC;EACD,MAAM,EAAE,IAAI,2BAA2B;AACvC,MAAI,uBAAuB,kBAAkB,WAAW,EACtD,OAAM,IAAI,UAAU,2FAA2F;AAEjH,SAAO;GACL;GACA,eAAe,uBAAuB;GACtC,gBAAgB,CACd;IACE,IAAI,uBAAuB,kBAAkB,GAAG;IAChD,QAAQ;IACR,MAAM;IACP,CACF;GACF;;CAGH,OAAc,iCAAiC,SAA6D;EAC1G,MAAM,EAAE,SAAS;EAEjB,MAAM,kBAAkB,mBAAmB,0BAA0B,QAAQ,gBAAgB;EAG7F,MAAM,aAAaC,iCAFL,kBAAkB,kBAAkB,WAAW,KAAK,UAAU,EAAE,KAAK,QAAQ,EAE5B,gBAAgB;AAU/E,SATiC,OAAO,YACtC,MAAM,KAAK,WAAW,SAAS,C
AAC,CAAC,KAAK,CAAC,WAAW,sBAAsB;AACtE,UAAO,CACL,WACA,OAAO,YAAY,iBAAiB,KAAK,SAAS,CAAC,KAAK,mBAAmB,KAAK,aAAa,CAAC,CAAC,CAChG;IACD,CACH;;CAKH,aAAoB,2CAClB,cACA,SACA;EACA,MAAM,yBAAyB,mBAAmB,gCAChD,QAAQ,uBACT,CAAC;EAEF,MAAM,WAAW,QAAQ,MAAM,KAAK,MAAM,EAAE,QAAQ;EAEpD,MAAM,6BAA6B,IAAI,MAAM;AAE7C,OAAK,MAAM,YAAY,QAAQ,OAAO;GACpC,MAAM,eAAe,SAAS;AAC9B,OAAI,CAAC,aAAc,OAAM,IAAI,UAAU,8CAA8C,SAAS,UAAU;AAGxG,OAAI,CAAC,aAAa,SAChB,cAAa,QAAQ,aAAa;GAGpC,MAAM,MAAM,mBAAmB,sBAAsB,aAAa;GAGlE,MAAM,oCAAoC;IACxC,GAAG;IACH,mBAAmB,uBAAuB,kBAAkB,QACzD,oBAAoB,gBAAgB,OAAO,SAAS,QACtD;IACF;GAED,MAAM,cAAc,eAAe,aAAa;GAChD,MAAM,uBAAuB,kBAAkB,kBAAkB,WAAW,SAAS,UAAU,EAAE,SAAS,QAAQ;GAClH,MAAM,wBAAwB,eAAe,KAAK,IAAI,KAAK,CAAC,qBAAqB,CAAC,CAAC,CAChF,4BAA4B,kCAAkC,CAC9D,0BAA0B,aAAa,QAAQ,EAAE,IAAI,CACrD,4BACC,MAAM,mBAAmB,oCAAoC,aAAa,QAAQ,yBAAyB,CAC5G;AAEH,QAAK,MAAM,CAAC,WAAW,mBAAmB,OAAO,QAAQ,QAAQ,oBAAoB,EAAE,CAAC,CACtF,uBAAsB,mBAAmB,WAAW,eAAe;GAGrE,MAAM,qBAAqB,MAAM,sBAAsB,KAAK,YAAY;AACxE,8BAA2B,YAAY,mBAAmB,UAAU,GAAG;;AAGzE,SAAO;GACL,yBAAyB,kBAAkB,YAAY,2BAA2B,QAAQ,CAAC;GAC3F,wBAAwB,mBAAmB,6BAA6B;IACtE,IAAI,8BAA8B,MAAM;IACxC,wBAAwB;KACtB,GAAG;KACH,mBAAmB,uBAAuB,kBAAkB,QAAQ,MAAM,SAAS,SAAS,EAAE,GAAG,CAAC;KACnG;IACF,CAAC;GACH;;CAGH,aAAoB,qBAAqB,cAA4B,SAAoC;EACvG,MAAM,6BAA6B,IAAI,MAAM;AAE7C,OAAK,MAAM,YAAY,QAAQ,OAAO;GACpC,MAAM,eAAe,SAAS;AAC9B,OAAI,CAAC,aAAc,OAAM,IAAI,UAAU,8CAA8C,SAAS,UAAU;GACxG,MAAM,MAAM,mBAAmB,sBAAsB,aAAa;AAGlE,OAAI,CAAC,aAAa,SAChB,cAAa,QAAQ,aAAa;GAGpC,MAAM,uBAAuB,kBAAkB,kBAAkB,WAAW,SAAS,UAAU,EAAE,SAAS,QAAQ;GAElH,MAAM,2BAA2B,cAAc,KAC7C,OACA,QAAQ,iBACL,QAAQ,YAAY,QAAQ,YAAY,qBAAqB,QAAQ,CACrE,KAAK,aAAa,EACjB,kBAAkB;IAChB,SAAS,QAAQ;IACjB,YAAY,sBAAsB,QAAQ,WAAW;IACtD,EACF,EAAE,CACN;GAED,MAAM,cAAc,eAAe,aAAa;GAChD,MAAM,wBAAwB,eAAe,KAAK,IAAI,KAAK,CAAC,qBAAqB,CAAC,CAAC,CAChF,0BAA0B,aAAa,QAAQ,EAAE,IAAI,CACrD,mBAAmB,yBAAyB,CAC5C,4BACC,MAAM,mBAAmB,oCAAoC,aAAa,QAAQ,yBAAyB,CAC5G;AAEH,QAAK,MAAM,CAAC,WAAW,mBAAmB,OAAO,QAAQ,QAAQ,oBAAoB,EAAE,CAAC,CACtF,uBAAsB,mBAAmB,WAAW,eAAe;GAGrE,MAAM,qBAAqB,MAAM,sBAAsB,KAAK,YAAY;AACxE,8BA
A2B,YAAY,mBAAmB,UAAU,GAAG;;AAGzE,SAAO,2BAA2B,QAAQ;;CAG5C,MAAa,OAAO,cAA4B,SAAkE;EAChH,MAAM,WAAW,IAAI,UAAU;EAC/B,MAAM,cAAc,eAAe,aAAa;AAEhD,kBAAQ;GACN,QAAQ,KAAK,UAAU,SAAS,IAAI,WAAW;GAC/C,OAAO;GACP,UAAU;GACX,CAAC;EAEF,MAAM,iBAAiB,oBAAoB,kBAAkB,WAAW,KAAK,UAAU,CAAC;AAIxF,OAAK,MAAM,iBAAiB,KAAK,UAAU,MAAM,EAAE;GACjD,MAAM,cAAc,eAAe,UAAU;GAC7C,MAAM,WAAW,KAAK,UAAU;GAEhC,MAAM,qBAAqB,MAAM,SAAS,OAAO,cAAc;IAC7D,KAAK,QAAQ;IACb,qBAAqB,QAAQ;IAC9B,CAAC;AAEF,OAAI,CAAC,mBAAmB,QACtB,OAAM,IAAI,UAAU,iBAAiB,cAAc,iBAAiB,mBAAmB,QAAQ;AAGjG,OAAI,EAAE,uBAAuB,uBAAuB;AAClD,oBAAQ;KACN,QAAQ;KACR,UAAU;KACV,OAAO,6CAA6C,SAAS;KAC9D,CAAC;AACF;;AAGF,SAAM,SAAS,sBACb;IACE,wBAAwB,MAAM,mBAAmB,oCAC/C,aACA,QAAQ,yBACT;IACD,cAAc;IACf,EACD,YACD;;AAGH,MAAI,eAAe,eAAe,SAAS,EACzC,OAAM,IAAI,UAAU,uCAAuC;AAG7D,MAAI,eAAe,WAAW,WAAW,GACvC,OAAM,IAAI,UAAU,kEAAkE;AAGxF,SAAO,KAAK;;CAGd,aAAqB,oCACnB,SACA,SACA;AACA,MAAI,QAAQ,SAAS,wBACnB,QAAO,QAAQ;AAKjB,MAAI,QAAQ,SAAS,YACnB,QAAO,WACL,SAAS,SAAS;GAChB;GACA;GACA,CACE,qBACA,MAAM,QAAQ,OAAO,OAAO;IAC1B,iBAAiB;IACjB,OAAO,WAAW;KAChB,QAAQ;KACR,QAAQ;KACR,QAAQ,eAAe,iBAAiB,UAAU,IAAI;KACtD,QAAQ;KACT,CAAC;IACH,CAAC,CACH;GACF,CAAC,CACH;AAGH,MAAI,QAAQ,SAAS,mBACnB,QAAO,MAAM,eAAe,yCAAyC;GACnE,GAAG;GACH;GACD,CAAC;AAKJ,MAAI,QAAQ,SAAS,iBACnB,QAAO,WACL,SAAS,SAAS;GAChB;GACA;GACA,CACE,0BACA,MAAM,QAAQ,OAAO,OAAO;IAC1B,iBAAiB;IACjB,OAAO,WAAW;KAChB,QAAQ;KACR,QAAQ;KACR,QAAQ,eAAe,iBAAiB,UAAU,IAAI;KACvD,CAAC;IACH,CAAC,CACH;GACF,CAAC,CACH;AAGH,MAAI,QAAQ,SAAS,wBACnB,QAAO,MAAM,eAAe,8CAA8C;GACxE,GAAG;GACH;GACD,CAAC;AAGJ,QAAM,IAAI,UAAU,wCAAwC;;CAG9D,OAAe,sBAAsB,KAAgB;EACnD,MAAM,qBAAqB,IAAI,6BAA6B,KAAK,kCAAkC;AACnG,MAAI,CAAC,mBACH,OAAM,IAAI,UACR,kHACE,IAAI,wBACL,sBAAsB,IAAI,6BAA6B,KACtD,KACD,CAAC,uBAAuB,gCAAgC,KAAK,KAAK,GACpE;AAGH,SAAO;;;;mBArTK,mCAAmC,OAA0C;CACzF,MAAMC,gCAAmE;EACvE,GAAG;EACH,mBAAmB,GAAG,kBAAkB,QACrC,OAAO,CAAC,OAAO,KAAM,GAAyB,UAAU,EAAE,CAAC,CAAC,SAAS,WAAW,CAClF;EACF;AAUD,QAAO;EAAE,4BAR0B;GACjC,GAAG;GACH,QAAQ,EAAE,UAAU,GAAG,QAAQ,UAAU;GACzC,mBAAoB,GAAG,kBACpB,QAAQ,OAAO,OAAO,KAAK,GAAG,UAAU,EAAE,CAAC,CAAC,
SAAS,WAAW,CAAC,CACjE,IAAIC,oBAAK,0BAA0B;GACvC;EAEoC;EAA+B"}
1
+ {"version":3,"file":"MdocDeviceResponse.mjs","names":["base64Url: string","documents: Mdoc[]","deviceResponses: MdocDeviceResponse[]","mdocLimitDisclosureToInputDescriptor","nonMdocPresentationDefinition: DifPresentationExchangeDefinition","this"],"sources":["../../../src/modules/mdoc/MdocDeviceResponse.ts"],"sourcesContent":["import type { MdocContext, PresentationDefinition } from '@animo-id/mdoc'\nimport {\n cborEncode,\n DataItem,\n DeviceRequest,\n DeviceResponse,\n DeviceSignedDocument,\n MDoc,\n MDocStatus,\n limitDisclosureToInputDescriptor as mdocLimitDisclosureToInputDescriptor,\n defaultCallback as onCheck,\n parseDeviceResponse,\n parseIssuerSigned,\n Verifier,\n} from '@animo-id/mdoc'\nimport type { InputDescriptorV2 } from '@sphereon/pex-models'\nimport type { AgentContext } from '../../agent'\nimport { TypedArrayEncoder } from './../../utils'\nimport { uuid } from '../../utils/uuid'\nimport type { DifPresentationExchangeDefinition } from '../dif-presentation-exchange'\nimport { PublicJwk } from '../kms'\nimport { ClaimFormat } from '../vc'\nimport { Mdoc } from './Mdoc'\nimport { getMdocContext } from './MdocContext'\nimport { MdocError } from './MdocError'\nimport type {\n MdocDeviceResponseOptions,\n MdocDeviceResponsePresentationDefinitionOptions,\n MdocDeviceResponseVerifyOptions,\n MdocSessionTranscriptOptions,\n} from './MdocOptions'\nimport { isMdocSupportedSignatureAlgorithm, mdocSupportedSignatureAlgorithms } from './mdocSupportedAlgs'\nimport { nameSpacesRecordToMap } from './mdocUtil'\n\nexport class MdocDeviceResponse {\n private constructor(\n public base64Url: string,\n public documents: Mdoc[]\n ) {}\n\n /**\n * claim format is convenience method added to all credential instances\n */\n public get claimFormat() {\n return ClaimFormat.MsoMdoc as const\n }\n\n /**\n * Encoded is convenience method added to all credential instances\n */\n public get encoded() {\n return this.base64Url\n }\n\n /**\n * To support a single DeviceResponse 
with multiple documents in OpenID4VP\n */\n public splitIntoSingleDocumentResponses(): MdocDeviceResponse[] {\n const deviceResponses: MdocDeviceResponse[] = []\n\n if (this.documents.length === 0) {\n throw new MdocError('mdoc device response does not contain any mdocs')\n }\n\n for (const document of this.documents) {\n const deviceResponse = new MDoc()\n\n deviceResponse.addDocument(document.issuerSignedDocument)\n\n deviceResponses.push(MdocDeviceResponse.fromDeviceResponse(deviceResponse))\n }\n\n return deviceResponses\n }\n\n private static fromDeviceResponse(mdoc: MDoc) {\n const documents = mdoc.documents.map((doc) => {\n const prepared = doc.prepare()\n const docType = prepared.get('docType') as string\n const issuerSigned = cborEncode(prepared.get('issuerSigned'))\n const deviceSigned = cborEncode(prepared.get('deviceSigned'))\n\n return Mdoc.fromDeviceSignedDocument(\n TypedArrayEncoder.toBase64URL(issuerSigned),\n TypedArrayEncoder.toBase64URL(deviceSigned),\n docType\n )\n })\n\n return new MdocDeviceResponse(TypedArrayEncoder.toBase64URL(mdoc.encode()), documents)\n }\n\n public static fromBase64Url(base64Url: string) {\n const parsed = parseDeviceResponse(TypedArrayEncoder.fromBase64(base64Url))\n if (parsed.status !== MDocStatus.OK) {\n throw new MdocError('Parsing Mdoc Device Response failed.')\n }\n\n return MdocDeviceResponse.fromDeviceResponse(parsed)\n }\n\n private static assertMdocInputDescriptor(inputDescriptor: InputDescriptorV2) {\n if (!inputDescriptor.format || !inputDescriptor.format.mso_mdoc) {\n throw new MdocError(`Input descriptor must contain 'mso_mdoc' format property`)\n }\n\n if (!inputDescriptor.format.mso_mdoc.alg) {\n throw new MdocError(`Input descriptor mso_mdoc must contain 'alg' property`)\n }\n\n if (!inputDescriptor.constraints?.limit_disclosure || inputDescriptor.constraints.limit_disclosure !== 'required') {\n throw new MdocError(\n `Input descriptor must contain 'limit_disclosure' constraints property which is set 
to required`\n )\n }\n\n if (!inputDescriptor.constraints?.fields?.every((field) => field.intent_to_retain !== undefined)) {\n throw new MdocError(`Input descriptor must contain 'intent_to_retain' constraints property`)\n }\n\n return {\n ...inputDescriptor,\n format: {\n mso_mdoc: inputDescriptor.format.mso_mdoc,\n },\n constraints: {\n ...inputDescriptor.constraints,\n limit_disclosure: 'required',\n fields: (inputDescriptor.constraints.fields ?? []).map((field) => {\n return {\n ...field,\n intent_to_retain: field.intent_to_retain ?? false,\n }\n }),\n },\n } satisfies PresentationDefinition['input_descriptors'][number]\n }\n\n public static partitionPresentationDefinition = (pd: DifPresentationExchangeDefinition) => {\n const nonMdocPresentationDefinition: DifPresentationExchangeDefinition = {\n ...pd,\n input_descriptors: pd.input_descriptors.filter(\n (id) => !Object.keys((id as InputDescriptorV2).format ?? {}).includes('mso_mdoc')\n ),\n } as DifPresentationExchangeDefinition\n\n const mdocPresentationDefinition = {\n ...pd,\n format: { mso_mdoc: pd.format?.mso_mdoc },\n input_descriptors: (pd.input_descriptors as InputDescriptorV2[])\n .filter((id) => Object.keys(id.format ?? 
{}).includes('mso_mdoc'))\n .map(this.assertMdocInputDescriptor),\n }\n\n return { mdocPresentationDefinition, nonMdocPresentationDefinition }\n }\n\n private static createPresentationSubmission(input: {\n id: string\n presentationDefinition: {\n id: string\n input_descriptors: ReturnType<typeof MdocDeviceResponse.assertMdocInputDescriptor>[]\n }\n }) {\n const { id, presentationDefinition } = input\n if (presentationDefinition.input_descriptors.length !== 1) {\n throw new MdocError('Currently Mdoc Presentation Submissions can only be created for a sigle input descriptor')\n }\n return {\n id,\n definition_id: presentationDefinition.id,\n descriptor_map: [\n {\n id: presentationDefinition.input_descriptors[0].id,\n format: 'mso_mdoc',\n path: '$',\n },\n ],\n }\n }\n\n public static limitDisclosureToInputDescriptor(options: { inputDescriptor: InputDescriptorV2; mdoc: Mdoc }) {\n const { mdoc } = options\n\n const inputDescriptor = MdocDeviceResponse.assertMdocInputDescriptor(options.inputDescriptor)\n const _mdoc = parseIssuerSigned(TypedArrayEncoder.fromBase64(mdoc.base64Url), mdoc.docType)\n\n const disclosure = mdocLimitDisclosureToInputDescriptor(_mdoc, inputDescriptor)\n const disclosedPayloadAsRecord = Object.fromEntries(\n Array.from(disclosure.entries()).map(([namespace, issuerSignedItem]) => {\n return [\n namespace,\n Object.fromEntries(issuerSignedItem.map((item) => [item.elementIdentifier, item.elementValue])),\n ]\n })\n )\n\n return disclosedPayloadAsRecord\n }\n\n public static async createPresentationDefinitionDeviceResponse(\n agentContext: AgentContext,\n options: MdocDeviceResponsePresentationDefinitionOptions\n ) {\n const presentationDefinition = MdocDeviceResponse.partitionPresentationDefinition(\n options.presentationDefinition\n ).mdocPresentationDefinition\n\n const docTypes = options.mdocs.map((i) => i.docType)\n\n const combinedDeviceResponseMdoc = new MDoc()\n\n for (const document of options.mdocs) {\n const deviceKeyJwk = 
document.deviceKey\n if (!deviceKeyJwk) throw new MdocError(`Device key is missing in mdoc with doctype ${document.docType}`)\n\n // Set keyId to legacy key id if it doesn't have a key id set\n if (!deviceKeyJwk.hasKeyId) {\n deviceKeyJwk.keyId = deviceKeyJwk.legacyKeyId\n }\n\n const alg = MdocDeviceResponse.getAlgForDeviceKeyJwk(deviceKeyJwk)\n\n // We do PEX filtering on a different layer, so we only include the needed input descriptor here\n const presentationDefinitionForDocument = {\n ...presentationDefinition,\n input_descriptors: presentationDefinition.input_descriptors.filter(\n (inputDescriptor) => inputDescriptor.id === document.docType\n ),\n }\n\n const mdocContext = getMdocContext(agentContext)\n const issuerSignedDocument = parseIssuerSigned(TypedArrayEncoder.fromBase64(document.base64Url), document.docType)\n const deviceResponseBuilder = DeviceResponse.from(new MDoc([issuerSignedDocument]))\n .usingPresentationDefinition(presentationDefinitionForDocument)\n .authenticateWithSignature(deviceKeyJwk.toJson(), alg)\n .usingSessionTranscriptBytes(\n await MdocDeviceResponse.getSessionTranscriptBytesForOptions(mdocContext, options.sessionTranscriptOptions)\n )\n\n for (const [nameSpace, nameSpaceValue] of Object.entries(options.deviceNameSpaces ?? 
{})) {\n deviceResponseBuilder.addDeviceNameSpace(nameSpace, nameSpaceValue)\n }\n\n const deviceResponseMdoc = await deviceResponseBuilder.sign(mdocContext)\n combinedDeviceResponseMdoc.addDocument(deviceResponseMdoc.documents[0])\n }\n\n return {\n deviceResponseBase64Url: TypedArrayEncoder.toBase64URL(combinedDeviceResponseMdoc.encode()),\n presentationSubmission: MdocDeviceResponse.createPresentationSubmission({\n id: `MdocPresentationSubmission ${uuid()}`,\n presentationDefinition: {\n ...presentationDefinition,\n input_descriptors: presentationDefinition.input_descriptors.filter((i) => docTypes.includes(i.id)),\n },\n }),\n }\n }\n\n public static async createDeviceResponse(agentContext: AgentContext, options: MdocDeviceResponseOptions) {\n const combinedDeviceResponseMdoc = new MDoc()\n\n for (const document of options.mdocs) {\n const deviceKeyJwk = document.deviceKey\n if (!deviceKeyJwk) throw new MdocError(`Device key is missing in mdoc with doctype ${document.docType}`)\n const alg = MdocDeviceResponse.getAlgForDeviceKeyJwk(deviceKeyJwk)\n\n // Set keyId to legacy key id if it doesn't have a key id set\n if (!deviceKeyJwk.hasKeyId) {\n deviceKeyJwk.keyId = deviceKeyJwk.legacyKeyId\n }\n\n const issuerSignedDocument = parseIssuerSigned(TypedArrayEncoder.fromBase64(document.base64Url), document.docType)\n\n const deviceRequestForDocument = DeviceRequest.from(\n '1.0',\n options.documentRequests\n .filter((request) => request.docType === issuerSignedDocument.docType)\n .map((request) => ({\n itemsRequestData: {\n docType: request.docType,\n nameSpaces: nameSpacesRecordToMap(request.nameSpaces),\n },\n }))\n )\n\n const mdocContext = getMdocContext(agentContext)\n const deviceResponseBuilder = DeviceResponse.from(new MDoc([issuerSignedDocument]))\n .authenticateWithSignature(deviceKeyJwk.toJson(), alg)\n .usingDeviceRequest(deviceRequestForDocument)\n .usingSessionTranscriptBytes(\n await MdocDeviceResponse.getSessionTranscriptBytesForOptions(mdocContext, 
options.sessionTranscriptOptions)\n )\n\n for (const [nameSpace, nameSpaceValue] of Object.entries(options.deviceNameSpaces ?? {})) {\n deviceResponseBuilder.addDeviceNameSpace(nameSpace, nameSpaceValue)\n }\n\n const deviceResponseMdoc = await deviceResponseBuilder.sign(mdocContext)\n combinedDeviceResponseMdoc.addDocument(deviceResponseMdoc.documents[0])\n }\n\n return combinedDeviceResponseMdoc.encode()\n }\n\n public async verify(agentContext: AgentContext, options: Omit<MdocDeviceResponseVerifyOptions, 'deviceResponse'>) {\n const verifier = new Verifier()\n const mdocContext = getMdocContext(agentContext)\n\n onCheck({\n status: this.documents.length > 0 ? 'PASSED' : 'FAILED',\n check: 'Device Response must include at least one document.',\n category: 'DOCUMENT_FORMAT',\n })\n\n const deviceResponse = parseDeviceResponse(TypedArrayEncoder.fromBase64(this.base64Url))\n\n // NOTE: we do not use the verification from mdoc library, as it checks all documents\n // based on the same trusted certificates\n for (const documentIndex of this.documents.keys()) {\n const rawDocument = deviceResponse.documents[documentIndex]\n const document = this.documents[documentIndex]\n\n const verificationResult = await document.verify(agentContext, {\n now: options.now,\n trustedCertificates: options.trustedCertificates,\n })\n\n if (!verificationResult.isValid) {\n throw new MdocError(`Mdoc at index ${documentIndex} is not valid. ${verificationResult.error}`)\n }\n\n if (!(rawDocument instanceof DeviceSignedDocument)) {\n onCheck({\n status: 'FAILED',\n category: 'DEVICE_AUTH',\n check: `The document is not signed by the device. 
${document.docType}`,\n })\n continue\n }\n\n await verifier.verifyDeviceSignature(\n {\n sessionTranscriptBytes: await MdocDeviceResponse.getSessionTranscriptBytesForOptions(\n mdocContext,\n options.sessionTranscriptOptions\n ),\n deviceSigned: rawDocument,\n },\n mdocContext\n )\n }\n\n if (deviceResponse.documentErrors.length > 1) {\n throw new MdocError('Device response verification failed.')\n }\n\n if (deviceResponse.status !== MDocStatus.OK) {\n throw new MdocError('Device response verification failed. An unknown error occurred.')\n }\n\n return this.documents\n }\n\n private static async getSessionTranscriptBytesForOptions(\n context: MdocContext,\n options: MdocSessionTranscriptOptions\n ) {\n if (options.type === 'sesionTranscriptBytes') {\n return options.sessionTranscriptBytes\n }\n\n // NOTE: temporary until we have updated to the new major version of mdoc\n // Based on https://github.com/animo/mdoc/blob/main/src/mdoc/models/session-transcript.ts#L84\n if (options.type === 'openId4Vp') {\n return cborEncode(\n DataItem.fromData([\n null,\n null,\n [\n 'OpenID4VPHandover',\n await context.crypto.digest({\n digestAlgorithm: 'SHA-256',\n bytes: cborEncode([\n options.clientId,\n options.verifierGeneratedNonce,\n options.encryptionJwk?.getJwkThumbprint('sha-256') ?? 
null,\n options.responseUri,\n ]),\n }),\n ],\n ])\n )\n }\n\n if (options.type === 'openId4VpDraft18') {\n return await DeviceResponse.calculateSessionTranscriptBytesForOID4VP({\n ...options,\n context,\n })\n }\n\n // NOTE: temporary until we have updated to the new major version of mdoc\n // Based on https://github.com/animo/mdoc/blob/main/src/mdoc/models/session-transcript.ts#L65\n if (options.type === 'openId4VpDcApi') {\n return cborEncode(\n DataItem.fromData([\n null,\n null,\n [\n 'OpenID4VPDCAPIHandover',\n await context.crypto.digest({\n digestAlgorithm: 'SHA-256',\n bytes: cborEncode([\n options.origin,\n options.verifierGeneratedNonce,\n options.encryptionJwk?.getJwkThumbprint('sha-256') ?? null,\n ]),\n }),\n ],\n ])\n )\n }\n\n if (options.type === 'openId4VpDcApiDraft24') {\n return await DeviceResponse.calculateSessionTranscriptBytesForOID4VPDCApi({\n ...options,\n context,\n })\n }\n\n throw new MdocError('Unsupported session transcript option')\n }\n\n private static getAlgForDeviceKeyJwk(jwk: PublicJwk) {\n const signatureAlgorithm = jwk.supportedSignatureAlgorithms.find(isMdocSupportedSignatureAlgorithm)\n if (!signatureAlgorithm) {\n throw new MdocError(\n `Unable to create mdoc device response. No supported signature algorithm found to sign device response for jwk ${\n jwk.jwkTypeHumanDescription\n }. Key supports algs ${jwk.supportedSignatureAlgorithms.join(\n ', '\n )}. 
mdoc supports algs ${mdocSupportedSignatureAlgorithms.join(', ')}`\n )\n }\n\n return signatureAlgorithm\n }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;AAkCA,IAAa,qBAAb,MAAa,mBAAmB;CAC9B,AAAQ,YACN,AAAOA,WACP,AAAOC,WACP;EAFO;EACA;;;;;CAMT,IAAW,cAAc;AACvB,SAAO,YAAY;;;;;CAMrB,IAAW,UAAU;AACnB,SAAO,KAAK;;;;;CAMd,AAAO,mCAAyD;EAC9D,MAAMC,kBAAwC,EAAE;AAEhD,MAAI,KAAK,UAAU,WAAW,EAC5B,OAAM,IAAI,UAAU,kDAAkD;AAGxE,OAAK,MAAM,YAAY,KAAK,WAAW;GACrC,MAAM,iBAAiB,IAAI,MAAM;AAEjC,kBAAe,YAAY,SAAS,qBAAqB;AAEzD,mBAAgB,KAAK,mBAAmB,mBAAmB,eAAe,CAAC;;AAG7E,SAAO;;CAGT,OAAe,mBAAmB,MAAY;EAC5C,MAAM,YAAY,KAAK,UAAU,KAAK,QAAQ;GAC5C,MAAM,WAAW,IAAI,SAAS;GAC9B,MAAM,UAAU,SAAS,IAAI,UAAU;GACvC,MAAM,eAAe,WAAW,SAAS,IAAI,eAAe,CAAC;GAC7D,MAAM,eAAe,WAAW,SAAS,IAAI,eAAe,CAAC;AAE7D,UAAO,KAAK,yBACV,kBAAkB,YAAY,aAAa,EAC3C,kBAAkB,YAAY,aAAa,EAC3C,QACD;IACD;AAEF,SAAO,IAAI,mBAAmB,kBAAkB,YAAY,KAAK,QAAQ,CAAC,EAAE,UAAU;;CAGxF,OAAc,cAAc,WAAmB;EAC7C,MAAM,SAAS,oBAAoB,kBAAkB,WAAW,UAAU,CAAC;AAC3E,MAAI,OAAO,WAAW,WAAW,GAC/B,OAAM,IAAI,UAAU,uCAAuC;AAG7D,SAAO,mBAAmB,mBAAmB,OAAO;;CAGtD,OAAe,0BAA0B,iBAAoC;AAC3E,MAAI,CAAC,gBAAgB,UAAU,CAAC,gBAAgB,OAAO,SACrD,OAAM,IAAI,UAAU,2DAA2D;AAGjF,MAAI,CAAC,gBAAgB,OAAO,SAAS,IACnC,OAAM,IAAI,UAAU,wDAAwD;AAG9E,MAAI,CAAC,gBAAgB,aAAa,oBAAoB,gBAAgB,YAAY,qBAAqB,WACrG,OAAM,IAAI,UACR,iGACD;AAGH,MAAI,CAAC,gBAAgB,aAAa,QAAQ,OAAO,UAAU,MAAM,qBAAqB,OAAU,CAC9F,OAAM,IAAI,UAAU,wEAAwE;AAG9F,SAAO;GACL,GAAG;GACH,QAAQ,EACN,UAAU,gBAAgB,OAAO,UAClC;GACD,aAAa;IACX,GAAG,gBAAgB;IACnB,kBAAkB;IAClB,SAAS,gBAAgB,YAAY,UAAU,EAAE,EAAE,KAAK,UAAU;AAChE,YAAO;MACL,GAAG;MACH,kBAAkB,MAAM,oBAAoB;MAC7C;MACD;IACH;GACF;;CAsBH,OAAe,6BAA6B,OAMzC;EACD,MAAM,EAAE,IAAI,2BAA2B;AACvC,MAAI,uBAAuB,kBAAkB,WAAW,EACtD,OAAM,IAAI,UAAU,2FAA2F;AAEjH,SAAO;GACL;GACA,eAAe,uBAAuB;GACtC,gBAAgB,CACd;IACE,IAAI,uBAAuB,kBAAkB,GAAG;IAChD,QAAQ;IACR,MAAM;IACP,CACF;GACF;;CAGH,OAAc,iCAAiC,SAA6D;EAC1G,MAAM,EAAE,SAAS;EAEjB,MAAM,kBAAkB,mBAAmB,0BAA0B,QAAQ,gBAAgB;EAG7F,MAAM,aAAaC,iCAFL,kBAAkB,kBAAkB,WAAW,KAAK,UAAU,EAAE,KAAK,QAAQ,EAE5B,gBAAgB;AAU/E,SATiC,OAAO,YACtC,MAAM,KAAK,WAAW,SAAS,
CAAC,CAAC,KAAK,CAAC,WAAW,sBAAsB;AACtE,UAAO,CACL,WACA,OAAO,YAAY,iBAAiB,KAAK,SAAS,CAAC,KAAK,mBAAmB,KAAK,aAAa,CAAC,CAAC,CAChG;IACD,CACH;;CAKH,aAAoB,2CAClB,cACA,SACA;EACA,MAAM,yBAAyB,mBAAmB,gCAChD,QAAQ,uBACT,CAAC;EAEF,MAAM,WAAW,QAAQ,MAAM,KAAK,MAAM,EAAE,QAAQ;EAEpD,MAAM,6BAA6B,IAAI,MAAM;AAE7C,OAAK,MAAM,YAAY,QAAQ,OAAO;GACpC,MAAM,eAAe,SAAS;AAC9B,OAAI,CAAC,aAAc,OAAM,IAAI,UAAU,8CAA8C,SAAS,UAAU;AAGxG,OAAI,CAAC,aAAa,SAChB,cAAa,QAAQ,aAAa;GAGpC,MAAM,MAAM,mBAAmB,sBAAsB,aAAa;GAGlE,MAAM,oCAAoC;IACxC,GAAG;IACH,mBAAmB,uBAAuB,kBAAkB,QACzD,oBAAoB,gBAAgB,OAAO,SAAS,QACtD;IACF;GAED,MAAM,cAAc,eAAe,aAAa;GAChD,MAAM,uBAAuB,kBAAkB,kBAAkB,WAAW,SAAS,UAAU,EAAE,SAAS,QAAQ;GAClH,MAAM,wBAAwB,eAAe,KAAK,IAAI,KAAK,CAAC,qBAAqB,CAAC,CAAC,CAChF,4BAA4B,kCAAkC,CAC9D,0BAA0B,aAAa,QAAQ,EAAE,IAAI,CACrD,4BACC,MAAM,mBAAmB,oCAAoC,aAAa,QAAQ,yBAAyB,CAC5G;AAEH,QAAK,MAAM,CAAC,WAAW,mBAAmB,OAAO,QAAQ,QAAQ,oBAAoB,EAAE,CAAC,CACtF,uBAAsB,mBAAmB,WAAW,eAAe;GAGrE,MAAM,qBAAqB,MAAM,sBAAsB,KAAK,YAAY;AACxE,8BAA2B,YAAY,mBAAmB,UAAU,GAAG;;AAGzE,SAAO;GACL,yBAAyB,kBAAkB,YAAY,2BAA2B,QAAQ,CAAC;GAC3F,wBAAwB,mBAAmB,6BAA6B;IACtE,IAAI,8BAA8B,MAAM;IACxC,wBAAwB;KACtB,GAAG;KACH,mBAAmB,uBAAuB,kBAAkB,QAAQ,MAAM,SAAS,SAAS,EAAE,GAAG,CAAC;KACnG;IACF,CAAC;GACH;;CAGH,aAAoB,qBAAqB,cAA4B,SAAoC;EACvG,MAAM,6BAA6B,IAAI,MAAM;AAE7C,OAAK,MAAM,YAAY,QAAQ,OAAO;GACpC,MAAM,eAAe,SAAS;AAC9B,OAAI,CAAC,aAAc,OAAM,IAAI,UAAU,8CAA8C,SAAS,UAAU;GACxG,MAAM,MAAM,mBAAmB,sBAAsB,aAAa;AAGlE,OAAI,CAAC,aAAa,SAChB,cAAa,QAAQ,aAAa;GAGpC,MAAM,uBAAuB,kBAAkB,kBAAkB,WAAW,SAAS,UAAU,EAAE,SAAS,QAAQ;GAElH,MAAM,2BAA2B,cAAc,KAC7C,OACA,QAAQ,iBACL,QAAQ,YAAY,QAAQ,YAAY,qBAAqB,QAAQ,CACrE,KAAK,aAAa,EACjB,kBAAkB;IAChB,SAAS,QAAQ;IACjB,YAAY,sBAAsB,QAAQ,WAAW;IACtD,EACF,EAAE,CACN;GAED,MAAM,cAAc,eAAe,aAAa;GAChD,MAAM,wBAAwB,eAAe,KAAK,IAAI,KAAK,CAAC,qBAAqB,CAAC,CAAC,CAChF,0BAA0B,aAAa,QAAQ,EAAE,IAAI,CACrD,mBAAmB,yBAAyB,CAC5C,4BACC,MAAM,mBAAmB,oCAAoC,aAAa,QAAQ,yBAAyB,CAC5G;AAEH,QAAK,MAAM,CAAC,WAAW,mBAAmB,OAAO,QAAQ,QAAQ,oBAAoB,EAAE,CAAC,CACtF,uBAAsB,mBAAmB,WAAW,eAAe;GAGrE,MAAM,qBAAqB,MAAM,sBAAsB,KAAK,YAAY;AACxE,8B
AA2B,YAAY,mBAAmB,UAAU,GAAG;;AAGzE,SAAO,2BAA2B,QAAQ;;CAG5C,MAAa,OAAO,cAA4B,SAAkE;EAChH,MAAM,WAAW,IAAI,UAAU;EAC/B,MAAM,cAAc,eAAe,aAAa;AAEhD,kBAAQ;GACN,QAAQ,KAAK,UAAU,SAAS,IAAI,WAAW;GAC/C,OAAO;GACP,UAAU;GACX,CAAC;EAEF,MAAM,iBAAiB,oBAAoB,kBAAkB,WAAW,KAAK,UAAU,CAAC;AAIxF,OAAK,MAAM,iBAAiB,KAAK,UAAU,MAAM,EAAE;GACjD,MAAM,cAAc,eAAe,UAAU;GAC7C,MAAM,WAAW,KAAK,UAAU;GAEhC,MAAM,qBAAqB,MAAM,SAAS,OAAO,cAAc;IAC7D,KAAK,QAAQ;IACb,qBAAqB,QAAQ;IAC9B,CAAC;AAEF,OAAI,CAAC,mBAAmB,QACtB,OAAM,IAAI,UAAU,iBAAiB,cAAc,iBAAiB,mBAAmB,QAAQ;AAGjG,OAAI,EAAE,uBAAuB,uBAAuB;AAClD,oBAAQ;KACN,QAAQ;KACR,UAAU;KACV,OAAO,6CAA6C,SAAS;KAC9D,CAAC;AACF;;AAGF,SAAM,SAAS,sBACb;IACE,wBAAwB,MAAM,mBAAmB,oCAC/C,aACA,QAAQ,yBACT;IACD,cAAc;IACf,EACD,YACD;;AAGH,MAAI,eAAe,eAAe,SAAS,EACzC,OAAM,IAAI,UAAU,uCAAuC;AAG7D,MAAI,eAAe,WAAW,WAAW,GACvC,OAAM,IAAI,UAAU,kEAAkE;AAGxF,SAAO,KAAK;;CAGd,aAAqB,oCACnB,SACA,SACA;AACA,MAAI,QAAQ,SAAS,wBACnB,QAAO,QAAQ;AAKjB,MAAI,QAAQ,SAAS,YACnB,QAAO,WACL,SAAS,SAAS;GAChB;GACA;GACA,CACE,qBACA,MAAM,QAAQ,OAAO,OAAO;IAC1B,iBAAiB;IACjB,OAAO,WAAW;KAChB,QAAQ;KACR,QAAQ;KACR,QAAQ,eAAe,iBAAiB,UAAU,IAAI;KACtD,QAAQ;KACT,CAAC;IACH,CAAC,CACH;GACF,CAAC,CACH;AAGH,MAAI,QAAQ,SAAS,mBACnB,QAAO,MAAM,eAAe,yCAAyC;GACnE,GAAG;GACH;GACD,CAAC;AAKJ,MAAI,QAAQ,SAAS,iBACnB,QAAO,WACL,SAAS,SAAS;GAChB;GACA;GACA,CACE,0BACA,MAAM,QAAQ,OAAO,OAAO;IAC1B,iBAAiB;IACjB,OAAO,WAAW;KAChB,QAAQ;KACR,QAAQ;KACR,QAAQ,eAAe,iBAAiB,UAAU,IAAI;KACvD,CAAC;IACH,CAAC,CACH;GACF,CAAC,CACH;AAGH,MAAI,QAAQ,SAAS,wBACnB,QAAO,MAAM,eAAe,8CAA8C;GACxE,GAAG;GACH;GACD,CAAC;AAGJ,QAAM,IAAI,UAAU,wCAAwC;;CAG9D,OAAe,sBAAsB,KAAgB;EACnD,MAAM,qBAAqB,IAAI,6BAA6B,KAAK,kCAAkC;AACnG,MAAI,CAAC,mBACH,OAAM,IAAI,UACR,kHACE,IAAI,wBACL,sBAAsB,IAAI,6BAA6B,KACtD,KACD,CAAC,uBAAuB,iCAAiC,KAAK,KAAK,GACrE;AAGH,SAAO;;;;mBArTK,mCAAmC,OAA0C;CACzF,MAAMC,gCAAmE;EACvE,GAAG;EACH,mBAAmB,GAAG,kBAAkB,QACrC,OAAO,CAAC,OAAO,KAAM,GAAyB,UAAU,EAAE,CAAC,CAAC,SAAS,WAAW,CAClF;EACF;AAUD,QAAO;EAAE,4BAR0B;GACjC,GAAG;GACH,QAAQ,EAAE,UAAU,GAAG,QAAQ,UAAU;GACzC,mBAAoB,GAAG,kBACpB,QAAQ,OAAO,OAAO,KAAK,GAAG,UAAU,EAAE,CAAC,CAAC
,SAAS,WAAW,CAAC,CACjE,IAAIC,oBAAK,0BAA0B;GACvC;EAEoC;EAA+B"}
@@ -2,8 +2,8 @@ import { KnownJwaSignatureAlgorithm } from "../kms/jwk/jwa.mjs";
2
2
  import "../kms/index.mjs";
3
3
 
4
4
  //#region src/modules/mdoc/mdocSupportedAlgs.d.ts
5
- type MdocSupportedSignatureAlgorithm = (typeof mdocSupporteSignatureAlgorithms)[number];
6
- declare const mdocSupporteSignatureAlgorithms: ("ES256" | "ES384" | "ES512" | "EdDSA")[];
5
+ type MdocSupportedSignatureAlgorithm = (typeof mdocSupportedSignatureAlgorithms)[number];
6
+ declare const mdocSupportedSignatureAlgorithms: ("ES256" | "ES384" | "ES512" | "EdDSA")[];
7
7
  declare function isMdocSupportedSignatureAlgorithm(alg: KnownJwaSignatureAlgorithm): alg is MdocSupportedSignatureAlgorithm;
8
8
  //#endregion
9
9
  export { MdocSupportedSignatureAlgorithm, isMdocSupportedSignatureAlgorithm };
@@ -4,16 +4,16 @@ import { KnownJwaSignatureAlgorithms } from "../kms/jwk/jwa.mjs";
4
4
  import "../kms/index.mjs";
5
5
 
6
6
  //#region src/modules/mdoc/mdocSupportedAlgs.ts
7
- const mdocSupporteSignatureAlgorithms = [
7
+ const mdocSupportedSignatureAlgorithms = [
8
8
  KnownJwaSignatureAlgorithms.ES256,
9
9
  KnownJwaSignatureAlgorithms.ES384,
10
10
  KnownJwaSignatureAlgorithms.ES512,
11
11
  KnownJwaSignatureAlgorithms.EdDSA
12
12
  ];
13
13
  function isMdocSupportedSignatureAlgorithm(alg) {
14
- return mdocSupporteSignatureAlgorithms.includes(alg);
14
+ return mdocSupportedSignatureAlgorithms.includes(alg);
15
15
  }
16
16
 
17
17
  //#endregion
18
- export { isMdocSupportedSignatureAlgorithm, mdocSupporteSignatureAlgorithms };
18
+ export { isMdocSupportedSignatureAlgorithm, mdocSupportedSignatureAlgorithms };
19
19
  //# sourceMappingURL=mdocSupportedAlgs.mjs.map
@@ -1 +1 @@
1
- {"version":3,"file":"mdocSupportedAlgs.mjs","names":[],"sources":["../../../src/modules/mdoc/mdocSupportedAlgs.ts"],"sourcesContent":["import { type KnownJwaSignatureAlgorithm, KnownJwaSignatureAlgorithms } from '../kms'\n\nexport type MdocSupportedSignatureAlgorithm = (typeof mdocSupporteSignatureAlgorithms)[number]\nexport const mdocSupporteSignatureAlgorithms = [\n KnownJwaSignatureAlgorithms.ES256,\n KnownJwaSignatureAlgorithms.ES384,\n KnownJwaSignatureAlgorithms.ES512,\n KnownJwaSignatureAlgorithms.EdDSA,\n] satisfies KnownJwaSignatureAlgorithm[]\n\nexport function isMdocSupportedSignatureAlgorithm(\n alg: KnownJwaSignatureAlgorithm\n): alg is MdocSupportedSignatureAlgorithm {\n return mdocSupporteSignatureAlgorithms.includes(alg as MdocSupportedSignatureAlgorithm)\n}\n"],"mappings":";;;;;;AAGA,MAAa,kCAAkC;CAC7C,4BAA4B;CAC5B,4BAA4B;CAC5B,4BAA4B;CAC5B,4BAA4B;CAC7B;AAED,SAAgB,kCACd,KACwC;AACxC,QAAO,gCAAgC,SAAS,IAAuC"}
1
+ {"version":3,"file":"mdocSupportedAlgs.mjs","names":[],"sources":["../../../src/modules/mdoc/mdocSupportedAlgs.ts"],"sourcesContent":["import { type KnownJwaSignatureAlgorithm, KnownJwaSignatureAlgorithms } from '../kms'\n\nexport type MdocSupportedSignatureAlgorithm = (typeof mdocSupportedSignatureAlgorithms)[number]\nexport const mdocSupportedSignatureAlgorithms = [\n KnownJwaSignatureAlgorithms.ES256,\n KnownJwaSignatureAlgorithms.ES384,\n KnownJwaSignatureAlgorithms.ES512,\n KnownJwaSignatureAlgorithms.EdDSA,\n] satisfies KnownJwaSignatureAlgorithm[]\n\nexport function isMdocSupportedSignatureAlgorithm(\n alg: KnownJwaSignatureAlgorithm\n): alg is MdocSupportedSignatureAlgorithm {\n return mdocSupportedSignatureAlgorithms.includes(alg as MdocSupportedSignatureAlgorithm)\n}\n"],"mappings":";;;;;;AAGA,MAAa,mCAAmC;CAC9C,4BAA4B;CAC5B,4BAA4B;CAC5B,4BAA4B;CAC5B,4BAA4B;CAC7B;AAED,SAAgB,kCACd,KACwC;AACxC,QAAO,iCAAiC,SAAS,IAAuC"}
@@ -2,21 +2,21 @@
2
2
 
3
3
  import { CredoError } from "../../error/CredoError.mjs";
4
4
  import "../../error/index.mjs";
5
- import { __decorateMetadata } from "../../_virtual/_@oxc-project_runtime@0.99.0/helpers/decorateMetadata.mjs";
6
- import { __decorate } from "../../_virtual/_@oxc-project_runtime@0.99.0/helpers/decorate.mjs";
7
- import "../../agent/index.mjs";
8
5
  import { TypedArrayEncoder } from "../../utils/TypedArrayEncoder.mjs";
9
6
  import { Hasher } from "../../crypto/hashes/Hasher.mjs";
10
7
  import { IntegrityVerifier } from "../../utils/IntegrityVerifier.mjs";
11
8
  import { dateToSeconds, nowInSeconds } from "../../utils/timestamp.mjs";
12
9
  import "../../utils/index.mjs";
10
+ import { JwtPayload } from "../../crypto/jose/jwt/JwtPayload.mjs";
11
+ import { __decorateMetadata } from "../../_virtual/_@oxc-project_runtime@0.99.0/helpers/decorateMetadata.mjs";
12
+ import { __decorate } from "../../_virtual/_@oxc-project_runtime@0.99.0/helpers/decorate.mjs";
13
+ import "../../agent/index.mjs";
13
14
  import { KeyManagementApi } from "../kms/KeyManagementApi.mjs";
14
15
  import "../kms/index.mjs";
15
16
  import { X509Certificate } from "../x509/X509Certificate.mjs";
16
17
  import { X509ModuleConfig } from "../x509/X509ModuleConfig.mjs";
17
18
  import { X509Service } from "../x509/X509Service.mjs";
18
19
  import "../x509/index.mjs";
19
- import { JwtPayload } from "../../crypto/jose/jwt/JwtPayload.mjs";
20
20
  import { parseDid } from "../dids/domain/parse.mjs";
21
21
  import { getPublicJwkFromVerificationMethod } from "../dids/domain/key-type/keyDidMapping.mjs";
22
22
  import "../dids/index.mjs";
@@ -165,7 +165,7 @@ let SdJwtVcService = class SdJwtVcService$1 {
165
165
  requiredClaimKeys: requiredClaimKeys ? [...requiredClaimKeys, "vct"] : ["vct"],
166
166
  keyBindingNonce: keyBinding?.nonce,
167
167
  currentDate: dateToSeconds(now ?? /* @__PURE__ */ new Date()),
168
- skewSeconds: 0
168
+ skewSeconds: agentContext.config.validitySkewSeconds
169
169
  });
170
170
  } catch (error) {
171
171
  return {
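Review bot: `skewSeconds: agentContext.config.validitySkewSeconds` replaces the hard-coded `0` with a config value that is passed through with no fallback and no bound; whether that getter always yields a non-negative number is not visible in this hunk (the AgentConfig change lives in another file), so if it can be undefined the behaviour now depends on how the verifier treats a missing `skewSeconds`. The same pattern appears in the second hunk of this file (`JwtPayload.fromJson(...).validate({ ... skewSeconds: ... })`), where the old key was `skewTime`, which suggests the previous `0` may never have been read by `validate` at all — worth confirming. Since a large skew widens the window in which expired or not-yet-valid credentials pass verification, a defensive form such as `skewSeconds: agentContext.config.validitySkewSeconds ?? 0` (or a non-negative check at config load) would keep the old default as a floor. The enclosing method starts and ends outside this hunk.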
@@ -182,7 +182,7 @@ let SdJwtVcService = class SdJwtVcService$1 {
182
182
  try {
183
183
  JwtPayload.fromJson(returnSdJwtVc.payload).validate({
184
184
  now: dateToSeconds(now ?? /* @__PURE__ */ new Date()),
185
- skewTime: 0
185
+ skewSeconds: agentContext.config.validitySkewSeconds
186
186
  });
187
187
  } catch (error) {
188
188
  return {
@@ -1 +1 @@
1
- {"version":3,"file":"SdJwtVcService.mjs","names":["SdJwtVcService","sdJwtVc: SDJwt","holderBinding: SdJwtVcHolderBinding | undefined","returnSdJwtVc: SdJwtVc<Header, Payload>","firstError: Error | undefined","publicJwk: PublicJwk","didUrl: string"],"sources":["../../../src/modules/sd-jwt-vc/SdJwtVcService.ts"],"sourcesContent":["import type { SDJwt } from '@sd-jwt/core'\nimport { decodeSdJwtSync } from '@sd-jwt/decode'\nimport { selectDisclosures } from '@sd-jwt/present'\nimport { SDJwtVcInstance } from '@sd-jwt/sd-jwt-vc'\nimport type { DisclosureFrame, PresentationFrame } from '@sd-jwt/types'\nimport { injectable } from 'tsyringe'\nimport { AgentContext } from '../../agent'\nimport { Hasher, JwtPayload } from '../../crypto'\nimport { CredoError } from '../../error'\nimport { X509Service } from '../../modules/x509/X509Service'\nimport type { Query, QueryOptions } from '../../storage/StorageService'\nimport type { JsonObject } from '../../types'\nimport { dateToSeconds, IntegrityVerifier, nowInSeconds, TypedArrayEncoder } from '../../utils'\nimport { getDomainFromUrl } from '../../utils/domain'\nimport { fetchWithTimeout } from '../../utils/fetch'\nimport { getPublicJwkFromVerificationMethod, parseDid } from '../dids'\nimport { KeyManagementApi, PublicJwk } from '../kms'\nimport { ClaimFormat } from '../vc/index'\nimport { type EncodedX509Certificate, X509Certificate, X509ModuleConfig } from '../x509'\nimport { decodeSdJwtVc, sdJwtVcHasher } from './decodeSdJwtVc'\nimport { buildDisclosureFrameForPayload } from './disclosureFrame'\nimport { SdJwtVcRecord, SdJwtVcRepository } from './repository'\nimport { SdJwtVcError } from './SdJwtVcError'\nimport type {\n SdJwtVcHeader,\n SdJwtVcHolderBinding,\n SdJwtVcIssuer,\n SdJwtVcPayload,\n SdJwtVcPresentOptions,\n SdJwtVcSignOptions,\n SdJwtVcStoreOptions,\n SdJwtVcVerifyOptions,\n} from './SdJwtVcOptions'\nimport type { SdJwtVcTypeMetadata } from './typeMetadata'\nimport {\n extractKeyFromHolderBinding,\n 
getSdJwtSigner,\n getSdJwtVerifier,\n parseHolderBindingFromCredential,\n resolveDidUrl,\n resolveSigningPublicJwkFromDidUrl,\n} from './utils'\n\ntype SdJwtVcConfig = SDJwtVcInstance['userConfig']\n\nexport interface SdJwtVc<\n Header extends SdJwtVcHeader = SdJwtVcHeader,\n Payload extends SdJwtVcPayload = SdJwtVcPayload,\n> {\n /**\n * claim format is convenience method added to all credential instances\n */\n claimFormat: ClaimFormat.SdJwtDc\n /**\n * encoded is convenience method added to all credential instances\n */\n encoded: string\n compact: string\n header: Header\n\n /**\n * The holder of the credential\n */\n holder: SdJwtVcHolderBinding | undefined\n\n // TODO: payload type here is a lie, as it is the signed payload (so fields replaced with _sd)\n payload: Payload\n prettyClaims: Payload\n\n kbJwt?: {\n header: Record<string, unknown>\n payload: Record<string, unknown>\n }\n\n /**\n * The key id in the KMS bound to this SD-JWT VC, used for presentations.\n *\n * This will only be set on the holder side if defined on the SdJwtVcRecord\n */\n kmsKeyId?: string\n\n typeMetadata?: SdJwtVcTypeMetadata\n}\n\nexport interface VerificationResult {\n isValid: boolean\n isValidJwtPayload?: boolean\n isSignatureValid?: boolean\n isStatusValid?: boolean\n isNotBeforeValid?: boolean\n isExpiryTimeValid?: boolean\n areRequiredClaimsIncluded?: boolean\n isKeyBindingValid?: boolean\n containsExpectedKeyBinding?: boolean\n containsRequiredVcProperties?: boolean\n}\n\n/**\n * @internal\n */\n@injectable()\nexport class SdJwtVcService {\n private sdJwtVcRepository: SdJwtVcRepository\n\n public constructor(sdJwtVcRepository: SdJwtVcRepository) {\n this.sdJwtVcRepository = sdJwtVcRepository\n }\n\n public async sign<Payload extends SdJwtVcPayload>(\n agentContext: AgentContext,\n options: SdJwtVcSignOptions<Payload>\n ): Promise<SdJwtVc> {\n const { payload, disclosureFrame, hashingAlgorithm } = options\n\n // default is sha-256\n if (hashingAlgorithm && hashingAlgorithm 
!== 'sha-256') {\n throw new SdJwtVcError(`Unsupported hashing algorithm used: ${hashingAlgorithm}`)\n }\n\n const issuer = await this.extractKeyFromIssuer(agentContext, options.issuer, true)\n\n // holer binding is optional\n const holderBinding = options.holder ? await extractKeyFromHolderBinding(agentContext, options.holder) : undefined\n\n const header = {\n alg: issuer.alg,\n typ: options.headerType ?? 'dc+sd-jwt',\n kid: issuer.kid,\n x5c: issuer.x5c?.map((cert) => cert.toString('base64')),\n } as const\n\n const sdJwt = new SDJwtVcInstance({\n ...this.getBaseSdJwtConfig(agentContext),\n signer: getSdJwtSigner(agentContext, issuer.publicJwk),\n hashAlg: 'sha-256',\n signAlg: issuer.alg,\n })\n\n if (!payload.vct || typeof payload.vct !== 'string') {\n throw new SdJwtVcError(\"Missing required parameter 'vct'\")\n }\n\n const compact = await sdJwt.issue(\n {\n ...payload,\n cnf: holderBinding?.cnf,\n iss: issuer.iss,\n iat: nowInSeconds(),\n vct: payload.vct,\n },\n disclosureFrame as DisclosureFrame<Payload>,\n { header }\n )\n\n const prettyClaims = (await sdJwt.getClaims(compact)) as Payload\n const decoded = await sdJwt.decode(compact)\n const sdJwtPayload = decoded.jwt?.payload as Payload | undefined\n if (!sdJwtPayload) {\n throw new SdJwtVcError('Invalid sd-jwt-vc state.')\n }\n\n return {\n compact,\n prettyClaims,\n header: header,\n holder: options.holder,\n payload: sdJwtPayload,\n claimFormat: ClaimFormat.SdJwtDc,\n encoded: compact,\n } satisfies SdJwtVc<typeof header, Payload>\n }\n\n public fromCompact<Header extends SdJwtVcHeader = SdJwtVcHeader, Payload extends SdJwtVcPayload = SdJwtVcPayload>(\n compactSdJwtVc: string,\n typeMetadata?: SdJwtVcTypeMetadata\n ): SdJwtVc<Header, Payload> {\n return decodeSdJwtVc(compactSdJwtVc, typeMetadata)\n }\n\n public applyDisclosuresForPayload(compactSdJwtVc: string, requestedPayload: JsonObject): SdJwtVc {\n const decoded = decodeSdJwtSync(compactSdJwtVc, Hasher.hash)\n const presentationFrame = 
buildDisclosureFrameForPayload(requestedPayload) ?? {}\n\n if (decoded.kbJwt) {\n throw new SdJwtVcError('Cannot apply limit disclosure on an sd-jwt with key binding jwt')\n }\n\n const requiredDisclosures = selectDisclosures(\n decoded.jwt.payload,\n // Map to sd-jwt disclosure format\n decoded.disclosures.map((d) => ({\n digest: d.digestSync({ alg: 'sha-256', hasher: Hasher.hash }),\n encoded: d.encode(),\n key: d.key,\n salt: d.salt,\n value: d.value,\n })),\n presentationFrame as { [key: string]: boolean }\n )\n const [jwt] = compactSdJwtVc.split('~')\n const disclosuresString =\n requiredDisclosures.length > 0 ? `${requiredDisclosures.map((d) => d.encoded).join('~')}~` : ''\n const sdJwt = `${jwt}~${disclosuresString}`\n const disclosedDecoded = decodeSdJwtVc(sdJwt)\n return disclosedDecoded\n }\n\n public async present<Payload extends SdJwtVcPayload = SdJwtVcPayload>(\n agentContext: AgentContext,\n { sdJwtVc, presentationFrame, verifierMetadata, additionalPayload }: SdJwtVcPresentOptions<Payload>\n ): Promise<string> {\n const sdjwt = new SDJwtVcInstance(this.getBaseSdJwtConfig(agentContext))\n const compactSdJwtVc = typeof sdJwtVc === 'string' ? sdJwtVc : sdJwtVc.compact\n const sdJwtVcInstance = await sdjwt.decode(compactSdJwtVc)\n\n const holderBinding = parseHolderBindingFromCredential(sdJwtVcInstance.jwt?.payload)\n if (!holderBinding && verifierMetadata) {\n throw new SdJwtVcError(\"Verifier metadata provided, but credential has no 'cnf' claim to create a KB-JWT from\")\n }\n\n const holder = holderBinding\n ? await extractKeyFromHolderBinding(agentContext, holderBinding, {\n forSigning: true,\n jwkKeyId: typeof sdJwtVc !== 'string' ? sdJwtVc.kmsKeyId : undefined,\n })\n : undefined\n sdjwt.config({\n kbSigner: holder ? 
getSdJwtSigner(agentContext, holder.publicJwk) : undefined,\n kbSignAlg: holder?.alg,\n })\n\n const compactDerivedSdJwtVc = await sdjwt.present(compactSdJwtVc, presentationFrame as PresentationFrame<Payload>, {\n kb: verifierMetadata\n ? {\n payload: {\n iat: verifierMetadata.issuedAt,\n nonce: verifierMetadata.nonce,\n aud: verifierMetadata.audience,\n ...additionalPayload,\n },\n }\n : undefined,\n })\n\n return compactDerivedSdJwtVc\n }\n\n private assertValidX5cJwtIssuer(\n agentContext: AgentContext,\n iss: string | undefined,\n leafCertificate: X509Certificate\n ) {\n // No 'iss' is allowed for X509\n if (!iss) return\n\n // If iss is present it MUST be an HTTPS url\n if (!iss.startsWith('https://') && !(iss.startsWith('http://') && agentContext.config.allowInsecureHttpUrls)) {\n throw new SdJwtVcError('The X509 certificate issuer must be a HTTPS URI.')\n }\n\n if (!leafCertificate.sanUriNames?.includes(iss) && !leafCertificate.sanDnsNames?.includes(getDomainFromUrl(iss))) {\n throw new SdJwtVcError(\n `The 'iss' claim in the payload does not match a 'SAN-URI' name and the domain extracted from the HTTPS URI does not match a 'SAN-DNS' name in the x5c certificate. 
Either remove the 'iss' claim or make it match with at least one SAN-URI or DNS-URI entry`\n )\n }\n }\n\n public async verify<Header extends SdJwtVcHeader = SdJwtVcHeader, Payload extends SdJwtVcPayload = SdJwtVcPayload>(\n agentContext: AgentContext,\n { compactSdJwtVc, keyBinding, requiredClaimKeys, fetchTypeMetadata, trustedCertificates, now }: SdJwtVcVerifyOptions\n ): Promise<\n | { isValid: true; sdJwtVc: SdJwtVc<Header, Payload> }\n | { isValid: false; sdJwtVc?: SdJwtVc<Header, Payload>; error: Error }\n > {\n const sdjwt = new SDJwtVcInstance(this.getBaseSdJwtConfig(agentContext))\n let sdJwtVc: SDJwt\n let holderBinding: SdJwtVcHolderBinding | undefined\n\n try {\n sdJwtVc = await sdjwt.decode(compactSdJwtVc)\n if (!sdJwtVc.jwt) throw new CredoError('Invalid sd-jwt-vc')\n holderBinding = parseHolderBindingFromCredential(sdJwtVc.jwt.payload) ?? undefined\n } catch (error) {\n return {\n isValid: false,\n error,\n }\n }\n\n const returnSdJwtVc: SdJwtVc<Header, Payload> = {\n payload: sdJwtVc.jwt.payload as Payload,\n header: sdJwtVc.jwt.header as Header,\n compact: compactSdJwtVc,\n prettyClaims: await sdJwtVc.getClaims(sdJwtVcHasher),\n holder: holderBinding,\n\n kbJwt: sdJwtVc.kbJwt\n ? {\n payload: sdJwtVc.kbJwt.payload as Record<string, unknown>,\n header: sdJwtVc.kbJwt.header as Record<string, unknown>,\n }\n : undefined,\n claimFormat: ClaimFormat.SdJwtDc,\n encoded: compactSdJwtVc,\n } satisfies SdJwtVc<Header, Payload>\n\n try {\n const credentialIssuer = await this.parseIssuerFromCredential(\n agentContext,\n sdJwtVc,\n returnSdJwtVc,\n trustedCertificates\n )\n const issuer = await this.extractKeyFromIssuer(agentContext, credentialIssuer)\n const holder = returnSdJwtVc.holder\n ? await extractKeyFromHolderBinding(agentContext, returnSdJwtVc.holder)\n : undefined\n\n sdjwt.config({\n verifier: getSdJwtVerifier(agentContext, issuer.publicJwk),\n kbVerifier: holder ? 
getSdJwtVerifier(agentContext, holder.publicJwk) : undefined,\n })\n\n try {\n await sdjwt.verify(compactSdJwtVc, {\n requiredClaimKeys: requiredClaimKeys ? [...requiredClaimKeys, 'vct'] : ['vct'],\n keyBindingNonce: keyBinding?.nonce,\n currentDate: dateToSeconds(now ?? new Date()),\n skewSeconds: 0,\n })\n } catch (error) {\n return {\n error,\n isValid: false,\n sdJwtVc: returnSdJwtVc,\n }\n }\n\n if (sdJwtVc.jwt.header?.typ !== 'vc+sd-jwt' && sdJwtVc.jwt.header?.typ !== 'dc+sd-jwt') {\n return {\n error: new SdJwtVcError(`SD-JWT VC header 'typ' must be 'dc+sd-jwt' or 'vc+sd-jwt'`),\n isValid: false,\n sdJwtVc: returnSdJwtVc,\n }\n }\n\n try {\n JwtPayload.fromJson(returnSdJwtVc.payload).validate({\n now: dateToSeconds(now ?? new Date()),\n skewTime: 0,\n })\n } catch (error) {\n return {\n error,\n isValid: false,\n sdJwtVc: returnSdJwtVc,\n }\n }\n\n // If keyBinding is present, verify the key binding\n try {\n if (keyBinding) {\n if (!sdJwtVc.kbJwt || !sdJwtVc.kbJwt.payload) {\n throw new SdJwtVcError('Keybinding is required for verification of the sd-jwt-vc')\n }\n\n // Assert `aud` and `nonce` claims\n if (sdJwtVc.kbJwt.payload.aud !== keyBinding.audience) {\n throw new SdJwtVcError('The key binding JWT does not contain the expected audience')\n }\n\n if (sdJwtVc.kbJwt.payload.nonce !== keyBinding.nonce) {\n throw new SdJwtVcError('The key binding JWT does not contain the expected nonce')\n }\n }\n } catch (error) {\n return {\n error,\n isValid: false,\n sdJwtVc: returnSdJwtVc,\n }\n }\n\n if (fetchTypeMetadata) {\n // We allow vct without type metadata for now (and don't fail if the retrieval fails)\n // Integrity check must pass though.\n returnSdJwtVc.typeMetadata = await this.fetchTypeMetadata(agentContext, returnSdJwtVc, {\n throwErrorOnFetchError: false,\n throwErrorOnUnsupportedVctValue: false,\n })\n }\n } catch (error) {\n return {\n isValid: false,\n error,\n sdJwtVc: returnSdJwtVc,\n }\n }\n\n return {\n isValid: true,\n sdJwtVc: 
returnSdJwtVc,\n }\n }\n\n public async fetchTypeMetadata(\n agentContext: AgentContext,\n sdJwtVc: SdJwtVc,\n {\n throwErrorOnFetchError = true,\n throwErrorOnUnsupportedVctValue = true,\n }: { throwErrorOnFetchError?: boolean; throwErrorOnUnsupportedVctValue?: boolean } = {}\n ) {\n const vct = sdJwtVc.payload.vct\n const vctIntegrity = sdJwtVc.payload['vct#integrity']\n if (!vct || typeof vct !== 'string' || !vct.startsWith('https://')) {\n if (!throwErrorOnUnsupportedVctValue) return undefined\n throw new SdJwtVcError(`Unable to resolve type metadata for vct '${vct}'. Only https supported`)\n }\n\n let firstError: Error | undefined\n\n // Fist try the new type metadata URL\n // We add a catch, so that if e.g. the request fails due to CORS (which throws an error\n // we will still continue trying the legacy url)\n const firstResponse = await agentContext.config.agentDependencies.fetch(vct).catch((error) => {\n firstError = error\n return undefined\n })\n let response = firstResponse\n\n // If the response is not ok, try the legacy URL (will be removed in 0.7)\n if (!response || !response?.ok) {\n // modify the uri based on https://www.ietf.org/archive/id/draft-ietf-oauth-sd-jwt-vc-04.html#section-6.3.1\n const vctElements = vct.split('/')\n vctElements.splice(3, 0, '.well-known/vct')\n const legacyVctUrl = vctElements.join('/')\n\n response = await agentContext.config.agentDependencies.fetch(legacyVctUrl).catch(() => undefined)\n }\n\n if (!response?.ok) {\n if (!throwErrorOnFetchError) return undefined\n\n if (firstResponse) {\n throw new SdJwtVcError(\n `Unable to resolve type metadata vct '${vct}'. Fetch returned a non-successful ${firstResponse.status} response. ${await firstResponse.text()}.`,\n { cause: firstError }\n )\n } else {\n throw new SdJwtVcError(\n `Unable to resolve type metadata vct '${vct}'. 
Fetch returned a non-successful response.`,\n { cause: firstError }\n )\n }\n }\n\n const typeMetadata = (await response.clone().json()) as SdJwtVcTypeMetadata\n if (vctIntegrity) {\n if (typeof vctIntegrity !== 'string') {\n throw new SdJwtVcError(`Found 'vct#integrity' with value '${vctIntegrity}' but value was not of type 'string'.`)\n }\n\n IntegrityVerifier.verifyIntegrity(new Uint8Array(await response.arrayBuffer()), vctIntegrity)\n }\n\n return typeMetadata\n }\n\n public async store(agentContext: AgentContext, options: SdJwtVcStoreOptions) {\n await this.sdJwtVcRepository.save(agentContext, options.record)\n return options.record\n }\n\n public async getById(agentContext: AgentContext, id: string): Promise<SdJwtVcRecord> {\n return await this.sdJwtVcRepository.getById(agentContext, id)\n }\n\n public async getAll(agentContext: AgentContext): Promise<Array<SdJwtVcRecord>> {\n return await this.sdJwtVcRepository.getAll(agentContext)\n }\n\n public async findByQuery(\n agentContext: AgentContext,\n query: Query<SdJwtVcRecord>,\n queryOptions?: QueryOptions\n ): Promise<Array<SdJwtVcRecord>> {\n return await this.sdJwtVcRepository.findByQuery(agentContext, query, queryOptions)\n }\n\n public async deleteById(agentContext: AgentContext, id: string) {\n await this.sdJwtVcRepository.deleteById(agentContext, id)\n }\n\n public async update(agentContext: AgentContext, sdJwtVcRecord: SdJwtVcRecord) {\n await this.sdJwtVcRepository.update(agentContext, sdJwtVcRecord)\n }\n\n private async extractKeyFromIssuer(agentContext: AgentContext, issuer: SdJwtVcIssuer, forSigning = false) {\n if (issuer.method === 'did') {\n const parsedDid = parseDid(issuer.didUrl)\n if (!parsedDid.fragment) {\n throw new SdJwtVcError(\n `didUrl '${issuer.didUrl}' does not contain a '#'. 
Unable to derive key from did document`\n )\n }\n\n let publicJwk: PublicJwk\n if (forSigning) {\n publicJwk = await resolveSigningPublicJwkFromDidUrl(agentContext, issuer.didUrl)\n } else {\n const { verificationMethod } = await resolveDidUrl(agentContext, issuer.didUrl)\n publicJwk = getPublicJwkFromVerificationMethod(verificationMethod)\n }\n\n const supportedSignatureAlgorithms = publicJwk.supportedSignatureAlgorithms\n if (supportedSignatureAlgorithms.length === 0) {\n throw new SdJwtVcError(\n `No supported JWA signature algorithms found for key ${publicJwk.jwkTypeHumanDescription}`\n )\n }\n const alg = supportedSignatureAlgorithms[0]\n\n return {\n alg,\n publicJwk,\n iss: parsedDid.did,\n kid: `#${parsedDid.fragment}`,\n }\n }\n\n if (issuer.method === 'x5c') {\n const leafCertificate = issuer.x5c[0]\n if (!leafCertificate) {\n throw new SdJwtVcError(\"Empty 'x5c' array provided\")\n }\n\n if (forSigning && !leafCertificate.publicJwk.hasKeyId) {\n throw new SdJwtVcError(\"Expected leaf certificate in 'x5c' array to have a key id configured.\")\n }\n\n const publicJwk = leafCertificate.publicJwk\n const supportedSignatureAlgorithms = publicJwk.supportedSignatureAlgorithms\n if (supportedSignatureAlgorithms.length === 0) {\n throw new SdJwtVcError(\n `No supported JWA signature algorithms found for key ${publicJwk.jwkTypeHumanDescription}`\n )\n }\n const alg = supportedSignatureAlgorithms[0]\n\n this.assertValidX5cJwtIssuer(agentContext, issuer.issuer, leafCertificate)\n\n return {\n publicJwk,\n iss: issuer.issuer,\n x5c: issuer.x5c,\n alg,\n }\n }\n\n throw new SdJwtVcError(\"Unsupported credential issuer. 
Only 'did' and 'x5c' is supported at the moment.\")\n }\n\n private async parseIssuerFromCredential<Header extends SdJwtVcHeader, Payload extends SdJwtVcPayload>(\n agentContext: AgentContext,\n sdJwtVc: SDJwt<Header, Payload>,\n credoSdJwtVc: SdJwtVc<Header, Payload>,\n _trustedCertificates?: EncodedX509Certificate[]\n ): Promise<SdJwtVcIssuer> {\n const x509Config = agentContext.dependencyManager.resolve(X509ModuleConfig)\n if (!sdJwtVc.jwt?.payload) {\n throw new SdJwtVcError('Credential not exist')\n }\n\n const iss = sdJwtVc.jwt.payload.iss as string | undefined\n\n if (sdJwtVc.jwt.header?.x5c) {\n if (!Array.isArray(sdJwtVc.jwt.header.x5c)) {\n throw new SdJwtVcError('Invalid x5c header in credential. Not an array.')\n }\n if (sdJwtVc.jwt.header.x5c.length === 0) {\n throw new SdJwtVcError('Invalid x5c header in credential. Empty array.')\n }\n if (sdJwtVc.jwt.header.x5c.some((x5c) => typeof x5c !== 'string')) {\n throw new SdJwtVcError('Invalid x5c header in credential. Not an array of strings.')\n }\n\n let trustedCertificates = _trustedCertificates\n const certificateChain = sdJwtVc.jwt.header.x5c.map((cert) => X509Certificate.fromEncodedCertificate(cert))\n\n if (!trustedCertificates) {\n trustedCertificates =\n (await x509Config.getTrustedCertificatesForVerification?.(agentContext, {\n certificateChain,\n verification: {\n type: 'credential',\n credential: credoSdJwtVc,\n },\n })) ?? x509Config.trustedCertificates\n }\n\n if (!trustedCertificates) {\n throw new SdJwtVcError(\n 'No trusted certificates configured for X509 certificate chain validation. 
Issuer cannot be verified.'\n )\n }\n\n await X509Service.validateCertificateChain(agentContext, {\n certificateChain: sdJwtVc.jwt.header.x5c,\n trustedCertificates,\n })\n\n return {\n method: 'x5c',\n x5c: certificateChain,\n issuer: iss,\n }\n }\n\n if (iss?.startsWith('did:')) {\n // If `did` is used, we require a relative KID to be present to identify\n // the key used by issuer to sign the sd-jwt-vc\n\n if (!sdJwtVc.jwt?.header) {\n throw new SdJwtVcError('Credential does not contain a header')\n }\n\n if (!sdJwtVc.jwt.header.kid) {\n throw new SdJwtVcError('Credential does not contain a kid in the header')\n }\n\n const issuerKid = sdJwtVc.jwt.header.kid as string\n\n let didUrl: string\n if (issuerKid.startsWith('#')) {\n didUrl = `${iss}${issuerKid}`\n } else if (issuerKid.startsWith('did:')) {\n const didFromKid = parseDid(issuerKid)\n if (didFromKid.did !== iss) {\n throw new SdJwtVcError(\n `kid in header is an absolute DID URL, but the did (${didFromKid.did}) does not match with the 'iss' did (${iss})`\n )\n }\n\n didUrl = issuerKid\n } else {\n throw new SdJwtVcError(\n 'Invalid issuer kid for did. Only absolute or relative (starting with #) did urls are supported.'\n )\n }\n\n return {\n method: 'did',\n didUrl,\n }\n }\n\n throw new SdJwtVcError('Unsupported signing method for SD-JWT VC. 
Only did and x5c are supported at the moment.')\n }\n\n private getBaseSdJwtConfig(agentContext: AgentContext): SdJwtVcConfig {\n const kms = agentContext.resolve(KeyManagementApi)\n\n return {\n hasher: sdJwtVcHasher,\n statusListFetcher: this.getStatusListFetcher(agentContext),\n saltGenerator: (length) => TypedArrayEncoder.toBase64URL(kms.randomBytes({ length })).slice(0, length),\n }\n }\n\n private getStatusListFetcher(agentContext: AgentContext) {\n return async (uri: string) => {\n const response = await fetchWithTimeout(agentContext.config.agentDependencies.fetch, uri, {\n headers: {\n Accept: 'application/statuslist+jwt',\n },\n })\n\n if (!response.ok) {\n throw new CredoError(\n `Received invalid response with status ${\n response.status\n } when fetching status list from ${uri}. ${await response.text()}`\n )\n }\n\n return await response.text()\n }\n }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAqGO,2BAAMA,iBAAe;CAG1B,AAAO,YAAY,mBAAsC;AACvD,OAAK,oBAAoB;;CAG3B,MAAa,KACX,cACA,SACkB;EAClB,MAAM,EAAE,SAAS,iBAAiB,qBAAqB;AAGvD,MAAI,oBAAoB,qBAAqB,UAC3C,OAAM,IAAI,aAAa,uCAAuC,mBAAmB;EAGnF,MAAM,SAAS,MAAM,KAAK,qBAAqB,cAAc,QAAQ,QAAQ,KAAK;EAGlF,MAAM,gBAAgB,QAAQ,SAAS,MAAM,4BAA4B,cAAc,QAAQ,OAAO,GAAG;EAEzG,MAAM,SAAS;GACb,KAAK,OAAO;GACZ,KAAK,QAAQ,cAAc;GAC3B,KAAK,OAAO;GACZ,KAAK,OAAO,KAAK,KAAK,SAAS,KAAK,SAAS,SAAS,CAAC;GACxD;EAED,MAAM,QAAQ,IAAI,gBAAgB;GAChC,GAAG,KAAK,mBAAmB,aAAa;GACxC,QAAQ,eAAe,cAAc,OAAO,UAAU;GACtD,SAAS;GACT,SAAS,OAAO;GACjB,CAAC;AAEF,MAAI,CAAC,QAAQ,OAAO,OAAO,QAAQ,QAAQ,SACzC,OAAM,IAAI,aAAa,mCAAmC;EAG5D,MAAM,UAAU,MAAM,MAAM,MAC1B;GACE,GAAG;GACH,KAAK,eAAe;GACpB,KAAK,OAAO;GACZ,KAAK,cAAc;GACnB,KAAK,QAAQ;GACd,EACD,iBACA,EAAE,QAAQ,CACX;EAED,MAAM,eAAgB,MAAM,MAAM,UAAU,QAAQ;EAEpD,MAAM,gBADU,MAAM,MAAM,OAAO,QAAQ,EACd,KAAK;AAClC,MAAI,CAAC,aACH,OAAM,IAAI,aAAa,2BAA2B;AAGpD,SAAO;GACL;GACA;GACQ;GACR,QAAQ,QAAQ;GAChB,SAAS;GACT,aAAa,YAAY;GACzB,SAAS;GACV;;CAGH,AAAO,YACL,gBACA,cAC0B;AAC1B,SAAO,cAAc,gBAAgB,aAAa;;CAGpD,AAAO,2BAA2B,gBAAwB,kBAAuC;EAC/F,MAAM,UAAU,gBAAg
B,gBAAgB,OAAO,KAAK;EAC5D,MAAM,oBAAoB,+BAA+B,iBAAiB,IAAI,EAAE;AAEhF,MAAI,QAAQ,MACV,OAAM,IAAI,aAAa,kEAAkE;EAG3F,MAAM,sBAAsB,kBAC1B,QAAQ,IAAI,SAEZ,QAAQ,YAAY,KAAK,OAAO;GAC9B,QAAQ,EAAE,WAAW;IAAE,KAAK;IAAW,QAAQ,OAAO;IAAM,CAAC;GAC7D,SAAS,EAAE,QAAQ;GACnB,KAAK,EAAE;GACP,MAAM,EAAE;GACR,OAAO,EAAE;GACV,EAAE,EACH,kBACD;EACD,MAAM,CAAC,OAAO,eAAe,MAAM,IAAI;AAKvC,SADyB,cADX,GAAG,IAAI,GADnB,oBAAoB,SAAS,IAAI,GAAG,oBAAoB,KAAK,MAAM,EAAE,QAAQ,CAAC,KAAK,IAAI,CAAC,KAAK,KAElD;;CAI/C,MAAa,QACX,cACA,EAAE,SAAS,mBAAmB,kBAAkB,qBAC/B;EACjB,MAAM,QAAQ,IAAI,gBAAgB,KAAK,mBAAmB,aAAa,CAAC;EACxE,MAAM,iBAAiB,OAAO,YAAY,WAAW,UAAU,QAAQ;EAGvE,MAAM,gBAAgB,kCAFE,MAAM,MAAM,OAAO,eAAe,EAEa,KAAK,QAAQ;AACpF,MAAI,CAAC,iBAAiB,iBACpB,OAAM,IAAI,aAAa,wFAAwF;EAGjH,MAAM,SAAS,gBACX,MAAM,4BAA4B,cAAc,eAAe;GAC7D,YAAY;GACZ,UAAU,OAAO,YAAY,WAAW,QAAQ,WAAW;GAC5D,CAAC,GACF;AACJ,QAAM,OAAO;GACX,UAAU,SAAS,eAAe,cAAc,OAAO,UAAU,GAAG;GACpE,WAAW,QAAQ;GACpB,CAAC;AAeF,SAb8B,MAAM,MAAM,QAAQ,gBAAgB,mBAAiD,EACjH,IAAI,mBACA,EACE,SAAS;GACP,KAAK,iBAAiB;GACtB,OAAO,iBAAiB;GACxB,KAAK,iBAAiB;GACtB,GAAG;GACJ,EACF,GACD,QACL,CAAC;;CAKJ,AAAQ,wBACN,cACA,KACA,iBACA;AAEA,MAAI,CAAC,IAAK;AAGV,MAAI,CAAC,IAAI,WAAW,WAAW,IAAI,EAAE,IAAI,WAAW,UAAU,IAAI,aAAa,OAAO,uBACpF,OAAM,IAAI,aAAa,mDAAmD;AAG5E,MAAI,CAAC,gBAAgB,aAAa,SAAS,IAAI,IAAI,CAAC,gBAAgB,aAAa,SAAS,iBAAiB,IAAI,CAAC,CAC9G,OAAM,IAAI,aACR,+PACD;;CAIL,MAAa,OACX,cACA,EAAE,gBAAgB,YAAY,mBAAmB,mBAAmB,qBAAqB,OAIzF;EACA,MAAM,QAAQ,IAAI,gBAAgB,KAAK,mBAAmB,aAAa,CAAC;EACxE,IAAIC;EACJ,IAAIC;AAEJ,MAAI;AACF,aAAU,MAAM,MAAM,OAAO,eAAe;AAC5C,OAAI,CAAC,QAAQ,IAAK,OAAM,IAAI,WAAW,oBAAoB;AAC3D,mBAAgB,iCAAiC,QAAQ,IAAI,QAAQ,IAAI;WAClE,OAAO;AACd,UAAO;IACL,SAAS;IACT;IACD;;EAGH,MAAMC,gBAA0C;GAC9C,SAAS,QAAQ,IAAI;GACrB,QAAQ,QAAQ,IAAI;GACpB,SAAS;GACT,cAAc,MAAM,QAAQ,UAAU,cAAc;GACpD,QAAQ;GAER,OAAO,QAAQ,QACX;IACE,SAAS,QAAQ,MAAM;IACvB,QAAQ,QAAQ,MAAM;IACvB,GACD;GACJ,aAAa,YAAY;GACzB,SAAS;GACV;AAED,MAAI;GACF,MAAM,mBAAmB,MAAM,KAAK,0BAClC,cACA,SACA,eACA,oBACD;GACD,MAAM,SAAS,MAAM,KAAK,qBAAqB,cAAc,iBAAiB;GAC9E,MAAM,SAAS,cAAc,SACzB,MAAM,4BAA4B,cAAc,cAAc,OA
AO,GACrE;AAEJ,SAAM,OAAO;IACX,UAAU,iBAAiB,cAAc,OAAO,UAAU;IAC1D,YAAY,SAAS,iBAAiB,cAAc,OAAO,UAAU,GAAG;IACzE,CAAC;AAEF,OAAI;AACF,UAAM,MAAM,OAAO,gBAAgB;KACjC,mBAAmB,oBAAoB,CAAC,GAAG,mBAAmB,MAAM,GAAG,CAAC,MAAM;KAC9E,iBAAiB,YAAY;KAC7B,aAAa,cAAc,uBAAO,IAAI,MAAM,CAAC;KAC7C,aAAa;KACd,CAAC;YACK,OAAO;AACd,WAAO;KACL;KACA,SAAS;KACT,SAAS;KACV;;AAGH,OAAI,QAAQ,IAAI,QAAQ,QAAQ,eAAe,QAAQ,IAAI,QAAQ,QAAQ,YACzE,QAAO;IACL,OAAO,IAAI,aAAa,4DAA4D;IACpF,SAAS;IACT,SAAS;IACV;AAGH,OAAI;AACF,eAAW,SAAS,cAAc,QAAQ,CAAC,SAAS;KAClD,KAAK,cAAc,uBAAO,IAAI,MAAM,CAAC;KACrC,UAAU;KACX,CAAC;YACK,OAAO;AACd,WAAO;KACL;KACA,SAAS;KACT,SAAS;KACV;;AAIH,OAAI;AACF,QAAI,YAAY;AACd,SAAI,CAAC,QAAQ,SAAS,CAAC,QAAQ,MAAM,QACnC,OAAM,IAAI,aAAa,2DAA2D;AAIpF,SAAI,QAAQ,MAAM,QAAQ,QAAQ,WAAW,SAC3C,OAAM,IAAI,aAAa,6DAA6D;AAGtF,SAAI,QAAQ,MAAM,QAAQ,UAAU,WAAW,MAC7C,OAAM,IAAI,aAAa,0DAA0D;;YAG9E,OAAO;AACd,WAAO;KACL;KACA,SAAS;KACT,SAAS;KACV;;AAGH,OAAI,kBAGF,eAAc,eAAe,MAAM,KAAK,kBAAkB,cAAc,eAAe;IACrF,wBAAwB;IACxB,iCAAiC;IAClC,CAAC;WAEG,OAAO;AACd,UAAO;IACL,SAAS;IACT;IACA,SAAS;IACV;;AAGH,SAAO;GACL,SAAS;GACT,SAAS;GACV;;CAGH,MAAa,kBACX,cACA,SACA,EACE,yBAAyB,MACzB,kCAAkC,SACiD,EAAE,EACvF;EACA,MAAM,MAAM,QAAQ,QAAQ;EAC5B,MAAM,eAAe,QAAQ,QAAQ;AACrC,MAAI,CAAC,OAAO,OAAO,QAAQ,YAAY,CAAC,IAAI,WAAW,WAAW,EAAE;AAClE,OAAI,CAAC,gCAAiC,QAAO;AAC7C,SAAM,IAAI,aAAa,4CAA4C,IAAI,yBAAyB;;EAGlG,IAAIC;EAKJ,MAAM,gBAAgB,MAAM,aAAa,OAAO,kBAAkB,MAAM,IAAI,CAAC,OAAO,UAAU;AAC5F,gBAAa;IAEb;EACF,IAAI,WAAW;AAGf,MAAI,CAAC,YAAY,CAAC,UAAU,IAAI;GAE9B,MAAM,cAAc,IAAI,MAAM,IAAI;AAClC,eAAY,OAAO,GAAG,GAAG,kBAAkB;GAC3C,MAAM,eAAe,YAAY,KAAK,IAAI;AAE1C,cAAW,MAAM,aAAa,OAAO,kBAAkB,MAAM,aAAa,CAAC,YAAY,OAAU;;AAGnG,MAAI,CAAC,UAAU,IAAI;AACjB,OAAI,CAAC,uBAAwB,QAAO;AAEpC,OAAI,cACF,OAAM,IAAI,aACR,wCAAwC,IAAI,qCAAqC,cAAc,OAAO,aAAa,MAAM,cAAc,MAAM,CAAC,IAC9I,EAAE,OAAO,YAAY,CACtB;OAED,OAAM,IAAI,aACR,wCAAwC,IAAI,+CAC5C,EAAE,OAAO,YAAY,CACtB;;EAIL,MAAM,eAAgB,MAAM,SAAS,OAAO,CAAC,MAAM;AACnD,MAAI,cAAc;AAChB,OAAI,OAAO,iBAAiB,SAC1B,OAAM,IAAI,aAAa,qCAAqC,aAAa,uCAAuC;AAGlH,qBAAkB,gBAAgB,IAAI,WAAW,MAAM,SAAS,aAAa,CAAC,EA
AE,aAAa;;AAG/F,SAAO;;CAGT,MAAa,MAAM,cAA4B,SAA8B;AAC3E,QAAM,KAAK,kBAAkB,KAAK,cAAc,QAAQ,OAAO;AAC/D,SAAO,QAAQ;;CAGjB,MAAa,QAAQ,cAA4B,IAAoC;AACnF,SAAO,MAAM,KAAK,kBAAkB,QAAQ,cAAc,GAAG;;CAG/D,MAAa,OAAO,cAA2D;AAC7E,SAAO,MAAM,KAAK,kBAAkB,OAAO,aAAa;;CAG1D,MAAa,YACX,cACA,OACA,cAC+B;AAC/B,SAAO,MAAM,KAAK,kBAAkB,YAAY,cAAc,OAAO,aAAa;;CAGpF,MAAa,WAAW,cAA4B,IAAY;AAC9D,QAAM,KAAK,kBAAkB,WAAW,cAAc,GAAG;;CAG3D,MAAa,OAAO,cAA4B,eAA8B;AAC5E,QAAM,KAAK,kBAAkB,OAAO,cAAc,cAAc;;CAGlE,MAAc,qBAAqB,cAA4B,QAAuB,aAAa,OAAO;AACxG,MAAI,OAAO,WAAW,OAAO;GAC3B,MAAM,YAAY,SAAS,OAAO,OAAO;AACzC,OAAI,CAAC,UAAU,SACb,OAAM,IAAI,aACR,WAAW,OAAO,OAAO,kEAC1B;GAGH,IAAIC;AACJ,OAAI,WACF,aAAY,MAAM,kCAAkC,cAAc,OAAO,OAAO;QAC3E;IACL,MAAM,EAAE,uBAAuB,MAAM,cAAc,cAAc,OAAO,OAAO;AAC/E,gBAAY,mCAAmC,mBAAmB;;GAGpE,MAAM,+BAA+B,UAAU;AAC/C,OAAI,6BAA6B,WAAW,EAC1C,OAAM,IAAI,aACR,uDAAuD,UAAU,0BAClE;AAIH,UAAO;IACL,KAHU,6BAA6B;IAIvC;IACA,KAAK,UAAU;IACf,KAAK,IAAI,UAAU;IACpB;;AAGH,MAAI,OAAO,WAAW,OAAO;GAC3B,MAAM,kBAAkB,OAAO,IAAI;AACnC,OAAI,CAAC,gBACH,OAAM,IAAI,aAAa,6BAA6B;AAGtD,OAAI,cAAc,CAAC,gBAAgB,UAAU,SAC3C,OAAM,IAAI,aAAa,wEAAwE;GAGjG,MAAM,YAAY,gBAAgB;GAClC,MAAM,+BAA+B,UAAU;AAC/C,OAAI,6BAA6B,WAAW,EAC1C,OAAM,IAAI,aACR,uDAAuD,UAAU,0BAClE;GAEH,MAAM,MAAM,6BAA6B;AAEzC,QAAK,wBAAwB,cAAc,OAAO,QAAQ,gBAAgB;AAE1E,UAAO;IACL;IACA,KAAK,OAAO;IACZ,KAAK,OAAO;IACZ;IACD;;AAGH,QAAM,IAAI,aAAa,kFAAkF;;CAG3G,MAAc,0BACZ,cACA,SACA,cACA,sBACwB;EACxB,MAAM,aAAa,aAAa,kBAAkB,QAAQ,iBAAiB;AAC3E,MAAI,CAAC,QAAQ,KAAK,QAChB,OAAM,IAAI,aAAa,uBAAuB;EAGhD,MAAM,MAAM,QAAQ,IAAI,QAAQ;AAEhC,MAAI,QAAQ,IAAI,QAAQ,KAAK;AAC3B,OAAI,CAAC,MAAM,QAAQ,QAAQ,IAAI,OAAO,IAAI,CACxC,OAAM,IAAI,aAAa,kDAAkD;AAE3E,OAAI,QAAQ,IAAI,OAAO,IAAI,WAAW,EACpC,OAAM,IAAI,aAAa,iDAAiD;AAE1E,OAAI,QAAQ,IAAI,OAAO,IAAI,MAAM,QAAQ,OAAO,QAAQ,SAAS,CAC/D,OAAM,IAAI,aAAa,6DAA6D;GAGtF,IAAI,sBAAsB;GAC1B,MAAM,mBAAmB,QAAQ,IAAI,OAAO,IAAI,KAAK,SAAS,gBAAgB,uBAAuB,KAAK,CAAC;AAE3G,OAAI,CAAC,oBACH,uBACG,MAAM,WAAW,wCAAwC,cAAc;IACtE;IACA,cAAc;KACZ,MAAM;KACN,YAAY;KACb;IACF,CAAC,IAAK,WAAW;AAGtB,OAAI,CAAC,oBACH,OAAM,IAAI,aACR,uGACD;AAGH,SAAM,Y
AAY,yBAAyB,cAAc;IACvD,kBAAkB,QAAQ,IAAI,OAAO;IACrC;IACD,CAAC;AAEF,UAAO;IACL,QAAQ;IACR,KAAK;IACL,QAAQ;IACT;;AAGH,MAAI,KAAK,WAAW,OAAO,EAAE;AAI3B,OAAI,CAAC,QAAQ,KAAK,OAChB,OAAM,IAAI,aAAa,uCAAuC;AAGhE,OAAI,CAAC,QAAQ,IAAI,OAAO,IACtB,OAAM,IAAI,aAAa,kDAAkD;GAG3E,MAAM,YAAY,QAAQ,IAAI,OAAO;GAErC,IAAIC;AACJ,OAAI,UAAU,WAAW,IAAI,CAC3B,UAAS,GAAG,MAAM;YACT,UAAU,WAAW,OAAO,EAAE;IACvC,MAAM,aAAa,SAAS,UAAU;AACtC,QAAI,WAAW,QAAQ,IACrB,OAAM,IAAI,aACR,sDAAsD,WAAW,IAAI,uCAAuC,IAAI,GACjH;AAGH,aAAS;SAET,OAAM,IAAI,aACR,kGACD;AAGH,UAAO;IACL,QAAQ;IACR;IACD;;AAGH,QAAM,IAAI,aAAa,0FAA0F;;CAGnH,AAAQ,mBAAmB,cAA2C;EACpE,MAAM,MAAM,aAAa,QAAQ,iBAAiB;AAElD,SAAO;GACL,QAAQ;GACR,mBAAmB,KAAK,qBAAqB,aAAa;GAC1D,gBAAgB,WAAW,kBAAkB,YAAY,IAAI,YAAY,EAAE,QAAQ,CAAC,CAAC,CAAC,MAAM,GAAG,OAAO;GACvG;;CAGH,AAAQ,qBAAqB,cAA4B;AACvD,SAAO,OAAO,QAAgB;GAC5B,MAAM,WAAW,MAAM,iBAAiB,aAAa,OAAO,kBAAkB,OAAO,KAAK,EACxF,SAAS,EACP,QAAQ,8BACT,EACF,CAAC;AAEF,OAAI,CAAC,SAAS,GACZ,OAAM,IAAI,WACR,yCACE,SAAS,OACV,kCAAkC,IAAI,IAAI,MAAM,SAAS,MAAM,GACjE;AAGH,UAAO,MAAM,SAAS,MAAM;;;;6BA1kBjC,YAAY"}
1
+ {"version":3,"file":"SdJwtVcService.mjs","names":["SdJwtVcService","sdJwtVc: SDJwt","holderBinding: SdJwtVcHolderBinding | undefined","returnSdJwtVc: SdJwtVc<Header, Payload>","firstError: Error | undefined","publicJwk: PublicJwk","didUrl: string"],"sources":["../../../src/modules/sd-jwt-vc/SdJwtVcService.ts"],"sourcesContent":["import type { SDJwt } from '@sd-jwt/core'\nimport { decodeSdJwtSync } from '@sd-jwt/decode'\nimport { selectDisclosures } from '@sd-jwt/present'\nimport { SDJwtVcInstance } from '@sd-jwt/sd-jwt-vc'\nimport type { DisclosureFrame, PresentationFrame } from '@sd-jwt/types'\nimport { injectable } from 'tsyringe'\nimport { AgentContext } from '../../agent'\nimport { Hasher, JwtPayload } from '../../crypto'\nimport { CredoError } from '../../error'\nimport { X509Service } from '../../modules/x509/X509Service'\nimport type { Query, QueryOptions } from '../../storage/StorageService'\nimport type { JsonObject } from '../../types'\nimport { dateToSeconds, IntegrityVerifier, nowInSeconds, TypedArrayEncoder } from '../../utils'\nimport { getDomainFromUrl } from '../../utils/domain'\nimport { fetchWithTimeout } from '../../utils/fetch'\nimport { getPublicJwkFromVerificationMethod, parseDid } from '../dids'\nimport { KeyManagementApi, PublicJwk } from '../kms'\nimport { ClaimFormat } from '../vc/index'\nimport { type EncodedX509Certificate, X509Certificate, X509ModuleConfig } from '../x509'\nimport { decodeSdJwtVc, sdJwtVcHasher } from './decodeSdJwtVc'\nimport { buildDisclosureFrameForPayload } from './disclosureFrame'\nimport { SdJwtVcRecord, SdJwtVcRepository } from './repository'\nimport { SdJwtVcError } from './SdJwtVcError'\nimport type {\n SdJwtVcHeader,\n SdJwtVcHolderBinding,\n SdJwtVcIssuer,\n SdJwtVcPayload,\n SdJwtVcPresentOptions,\n SdJwtVcSignOptions,\n SdJwtVcStoreOptions,\n SdJwtVcVerifyOptions,\n} from './SdJwtVcOptions'\nimport type { SdJwtVcTypeMetadata } from './typeMetadata'\nimport {\n extractKeyFromHolderBinding,\n 
getSdJwtSigner,\n getSdJwtVerifier,\n parseHolderBindingFromCredential,\n resolveDidUrl,\n resolveSigningPublicJwkFromDidUrl,\n} from './utils'\n\ntype SdJwtVcConfig = SDJwtVcInstance['userConfig']\n\nexport interface SdJwtVc<\n Header extends SdJwtVcHeader = SdJwtVcHeader,\n Payload extends SdJwtVcPayload = SdJwtVcPayload,\n> {\n /**\n * claim format is convenience method added to all credential instances\n */\n claimFormat: ClaimFormat.SdJwtDc\n /**\n * encoded is convenience method added to all credential instances\n */\n encoded: string\n compact: string\n header: Header\n\n /**\n * The holder of the credential\n */\n holder: SdJwtVcHolderBinding | undefined\n\n // TODO: payload type here is a lie, as it is the signed payload (so fields replaced with _sd)\n payload: Payload\n prettyClaims: Payload\n\n kbJwt?: {\n header: Record<string, unknown>\n payload: Record<string, unknown>\n }\n\n /**\n * The key id in the KMS bound to this SD-JWT VC, used for presentations.\n *\n * This will only be set on the holder side if defined on the SdJwtVcRecord\n */\n kmsKeyId?: string\n\n typeMetadata?: SdJwtVcTypeMetadata\n}\n\nexport interface VerificationResult {\n isValid: boolean\n isValidJwtPayload?: boolean\n isSignatureValid?: boolean\n isStatusValid?: boolean\n isNotBeforeValid?: boolean\n isExpiryTimeValid?: boolean\n areRequiredClaimsIncluded?: boolean\n isKeyBindingValid?: boolean\n containsExpectedKeyBinding?: boolean\n containsRequiredVcProperties?: boolean\n}\n\n/**\n * @internal\n */\n@injectable()\nexport class SdJwtVcService {\n private sdJwtVcRepository: SdJwtVcRepository\n\n public constructor(sdJwtVcRepository: SdJwtVcRepository) {\n this.sdJwtVcRepository = sdJwtVcRepository\n }\n\n public async sign<Payload extends SdJwtVcPayload>(\n agentContext: AgentContext,\n options: SdJwtVcSignOptions<Payload>\n ): Promise<SdJwtVc> {\n const { payload, disclosureFrame, hashingAlgorithm } = options\n\n // default is sha-256\n if (hashingAlgorithm && hashingAlgorithm 
!== 'sha-256') {\n throw new SdJwtVcError(`Unsupported hashing algorithm used: ${hashingAlgorithm}`)\n }\n\n const issuer = await this.extractKeyFromIssuer(agentContext, options.issuer, true)\n\n // holer binding is optional\n const holderBinding = options.holder ? await extractKeyFromHolderBinding(agentContext, options.holder) : undefined\n\n const header = {\n alg: issuer.alg,\n typ: options.headerType ?? 'dc+sd-jwt',\n kid: issuer.kid,\n x5c: issuer.x5c?.map((cert) => cert.toString('base64')),\n } as const\n\n const sdJwt = new SDJwtVcInstance({\n ...this.getBaseSdJwtConfig(agentContext),\n signer: getSdJwtSigner(agentContext, issuer.publicJwk),\n hashAlg: 'sha-256',\n signAlg: issuer.alg,\n })\n\n if (!payload.vct || typeof payload.vct !== 'string') {\n throw new SdJwtVcError(\"Missing required parameter 'vct'\")\n }\n\n const compact = await sdJwt.issue(\n {\n ...payload,\n cnf: holderBinding?.cnf,\n iss: issuer.iss,\n iat: nowInSeconds(),\n vct: payload.vct,\n },\n disclosureFrame as DisclosureFrame<Payload>,\n { header }\n )\n\n const prettyClaims = (await sdJwt.getClaims(compact)) as Payload\n const decoded = await sdJwt.decode(compact)\n const sdJwtPayload = decoded.jwt?.payload as Payload | undefined\n if (!sdJwtPayload) {\n throw new SdJwtVcError('Invalid sd-jwt-vc state.')\n }\n\n return {\n compact,\n prettyClaims,\n header: header,\n holder: options.holder,\n payload: sdJwtPayload,\n claimFormat: ClaimFormat.SdJwtDc,\n encoded: compact,\n } satisfies SdJwtVc<typeof header, Payload>\n }\n\n public fromCompact<Header extends SdJwtVcHeader = SdJwtVcHeader, Payload extends SdJwtVcPayload = SdJwtVcPayload>(\n compactSdJwtVc: string,\n typeMetadata?: SdJwtVcTypeMetadata\n ): SdJwtVc<Header, Payload> {\n return decodeSdJwtVc(compactSdJwtVc, typeMetadata)\n }\n\n public applyDisclosuresForPayload(compactSdJwtVc: string, requestedPayload: JsonObject): SdJwtVc {\n const decoded = decodeSdJwtSync(compactSdJwtVc, Hasher.hash)\n const presentationFrame = 
buildDisclosureFrameForPayload(requestedPayload) ?? {}\n\n if (decoded.kbJwt) {\n throw new SdJwtVcError('Cannot apply limit disclosure on an sd-jwt with key binding jwt')\n }\n\n const requiredDisclosures = selectDisclosures(\n decoded.jwt.payload,\n // Map to sd-jwt disclosure format\n decoded.disclosures.map((d) => ({\n digest: d.digestSync({ alg: 'sha-256', hasher: Hasher.hash }),\n encoded: d.encode(),\n key: d.key,\n salt: d.salt,\n value: d.value,\n })),\n presentationFrame as { [key: string]: boolean }\n )\n const [jwt] = compactSdJwtVc.split('~')\n const disclosuresString =\n requiredDisclosures.length > 0 ? `${requiredDisclosures.map((d) => d.encoded).join('~')}~` : ''\n const sdJwt = `${jwt}~${disclosuresString}`\n const disclosedDecoded = decodeSdJwtVc(sdJwt)\n return disclosedDecoded\n }\n\n public async present<Payload extends SdJwtVcPayload = SdJwtVcPayload>(\n agentContext: AgentContext,\n { sdJwtVc, presentationFrame, verifierMetadata, additionalPayload }: SdJwtVcPresentOptions<Payload>\n ): Promise<string> {\n const sdjwt = new SDJwtVcInstance(this.getBaseSdJwtConfig(agentContext))\n const compactSdJwtVc = typeof sdJwtVc === 'string' ? sdJwtVc : sdJwtVc.compact\n const sdJwtVcInstance = await sdjwt.decode(compactSdJwtVc)\n\n const holderBinding = parseHolderBindingFromCredential(sdJwtVcInstance.jwt?.payload)\n if (!holderBinding && verifierMetadata) {\n throw new SdJwtVcError(\"Verifier metadata provided, but credential has no 'cnf' claim to create a KB-JWT from\")\n }\n\n const holder = holderBinding\n ? await extractKeyFromHolderBinding(agentContext, holderBinding, {\n forSigning: true,\n jwkKeyId: typeof sdJwtVc !== 'string' ? sdJwtVc.kmsKeyId : undefined,\n })\n : undefined\n sdjwt.config({\n kbSigner: holder ? 
getSdJwtSigner(agentContext, holder.publicJwk) : undefined,\n kbSignAlg: holder?.alg,\n })\n\n const compactDerivedSdJwtVc = await sdjwt.present(compactSdJwtVc, presentationFrame as PresentationFrame<Payload>, {\n kb: verifierMetadata\n ? {\n payload: {\n iat: verifierMetadata.issuedAt,\n nonce: verifierMetadata.nonce,\n aud: verifierMetadata.audience,\n ...additionalPayload,\n },\n }\n : undefined,\n })\n\n return compactDerivedSdJwtVc\n }\n\n private assertValidX5cJwtIssuer(\n agentContext: AgentContext,\n iss: string | undefined,\n leafCertificate: X509Certificate\n ) {\n // No 'iss' is allowed for X509\n if (!iss) return\n\n // If iss is present it MUST be an HTTPS url\n if (!iss.startsWith('https://') && !(iss.startsWith('http://') && agentContext.config.allowInsecureHttpUrls)) {\n throw new SdJwtVcError('The X509 certificate issuer must be a HTTPS URI.')\n }\n\n if (!leafCertificate.sanUriNames?.includes(iss) && !leafCertificate.sanDnsNames?.includes(getDomainFromUrl(iss))) {\n throw new SdJwtVcError(\n `The 'iss' claim in the payload does not match a 'SAN-URI' name and the domain extracted from the HTTPS URI does not match a 'SAN-DNS' name in the x5c certificate. 
Either remove the 'iss' claim or make it match with at least one SAN-URI or DNS-URI entry`\n )\n }\n }\n\n public async verify<Header extends SdJwtVcHeader = SdJwtVcHeader, Payload extends SdJwtVcPayload = SdJwtVcPayload>(\n agentContext: AgentContext,\n { compactSdJwtVc, keyBinding, requiredClaimKeys, fetchTypeMetadata, trustedCertificates, now }: SdJwtVcVerifyOptions\n ): Promise<\n | { isValid: true; sdJwtVc: SdJwtVc<Header, Payload> }\n | { isValid: false; sdJwtVc?: SdJwtVc<Header, Payload>; error: Error }\n > {\n const sdjwt = new SDJwtVcInstance(this.getBaseSdJwtConfig(agentContext))\n let sdJwtVc: SDJwt\n let holderBinding: SdJwtVcHolderBinding | undefined\n\n try {\n sdJwtVc = await sdjwt.decode(compactSdJwtVc)\n if (!sdJwtVc.jwt) throw new CredoError('Invalid sd-jwt-vc')\n holderBinding = parseHolderBindingFromCredential(sdJwtVc.jwt.payload) ?? undefined\n } catch (error) {\n return {\n isValid: false,\n error,\n }\n }\n\n const returnSdJwtVc: SdJwtVc<Header, Payload> = {\n payload: sdJwtVc.jwt.payload as Payload,\n header: sdJwtVc.jwt.header as Header,\n compact: compactSdJwtVc,\n prettyClaims: await sdJwtVc.getClaims(sdJwtVcHasher),\n holder: holderBinding,\n\n kbJwt: sdJwtVc.kbJwt\n ? {\n payload: sdJwtVc.kbJwt.payload as Record<string, unknown>,\n header: sdJwtVc.kbJwt.header as Record<string, unknown>,\n }\n : undefined,\n claimFormat: ClaimFormat.SdJwtDc,\n encoded: compactSdJwtVc,\n } satisfies SdJwtVc<Header, Payload>\n\n try {\n const credentialIssuer = await this.parseIssuerFromCredential(\n agentContext,\n sdJwtVc,\n returnSdJwtVc,\n trustedCertificates\n )\n const issuer = await this.extractKeyFromIssuer(agentContext, credentialIssuer)\n const holder = returnSdJwtVc.holder\n ? await extractKeyFromHolderBinding(agentContext, returnSdJwtVc.holder)\n : undefined\n\n sdjwt.config({\n verifier: getSdJwtVerifier(agentContext, issuer.publicJwk),\n kbVerifier: holder ? 
getSdJwtVerifier(agentContext, holder.publicJwk) : undefined,\n })\n\n try {\n await sdjwt.verify(compactSdJwtVc, {\n requiredClaimKeys: requiredClaimKeys ? [...requiredClaimKeys, 'vct'] : ['vct'],\n keyBindingNonce: keyBinding?.nonce,\n currentDate: dateToSeconds(now ?? new Date()),\n skewSeconds: agentContext.config.validitySkewSeconds,\n })\n } catch (error) {\n return {\n error,\n isValid: false,\n sdJwtVc: returnSdJwtVc,\n }\n }\n\n if (sdJwtVc.jwt.header?.typ !== 'vc+sd-jwt' && sdJwtVc.jwt.header?.typ !== 'dc+sd-jwt') {\n return {\n error: new SdJwtVcError(`SD-JWT VC header 'typ' must be 'dc+sd-jwt' or 'vc+sd-jwt'`),\n isValid: false,\n sdJwtVc: returnSdJwtVc,\n }\n }\n\n try {\n JwtPayload.fromJson(returnSdJwtVc.payload).validate({\n now: dateToSeconds(now ?? new Date()),\n skewSeconds: agentContext.config.validitySkewSeconds,\n })\n } catch (error) {\n return {\n error,\n isValid: false,\n sdJwtVc: returnSdJwtVc,\n }\n }\n\n // If keyBinding is present, verify the key binding\n try {\n if (keyBinding) {\n if (!sdJwtVc.kbJwt || !sdJwtVc.kbJwt.payload) {\n throw new SdJwtVcError('Keybinding is required for verification of the sd-jwt-vc')\n }\n\n // Assert `aud` and `nonce` claims\n if (sdJwtVc.kbJwt.payload.aud !== keyBinding.audience) {\n throw new SdJwtVcError('The key binding JWT does not contain the expected audience')\n }\n\n if (sdJwtVc.kbJwt.payload.nonce !== keyBinding.nonce) {\n throw new SdJwtVcError('The key binding JWT does not contain the expected nonce')\n }\n }\n } catch (error) {\n return {\n error,\n isValid: false,\n sdJwtVc: returnSdJwtVc,\n }\n }\n\n if (fetchTypeMetadata) {\n // We allow vct without type metadata for now (and don't fail if the retrieval fails)\n // Integrity check must pass though.\n returnSdJwtVc.typeMetadata = await this.fetchTypeMetadata(agentContext, returnSdJwtVc, {\n throwErrorOnFetchError: false,\n throwErrorOnUnsupportedVctValue: false,\n })\n }\n } catch (error) {\n return {\n isValid: false,\n error,\n sdJwtVc: 
returnSdJwtVc,\n }\n }\n\n return {\n isValid: true,\n sdJwtVc: returnSdJwtVc,\n }\n }\n\n public async fetchTypeMetadata(\n agentContext: AgentContext,\n sdJwtVc: SdJwtVc,\n {\n throwErrorOnFetchError = true,\n throwErrorOnUnsupportedVctValue = true,\n }: { throwErrorOnFetchError?: boolean; throwErrorOnUnsupportedVctValue?: boolean } = {}\n ) {\n const vct = sdJwtVc.payload.vct\n const vctIntegrity = sdJwtVc.payload['vct#integrity']\n if (!vct || typeof vct !== 'string' || !vct.startsWith('https://')) {\n if (!throwErrorOnUnsupportedVctValue) return undefined\n throw new SdJwtVcError(`Unable to resolve type metadata for vct '${vct}'. Only https supported`)\n }\n\n let firstError: Error | undefined\n\n // Fist try the new type metadata URL\n // We add a catch, so that if e.g. the request fails due to CORS (which throws an error\n // we will still continue trying the legacy url)\n const firstResponse = await agentContext.config.agentDependencies.fetch(vct).catch((error) => {\n firstError = error\n return undefined\n })\n let response = firstResponse\n\n // If the response is not ok, try the legacy URL (will be removed in 0.7)\n if (!response || !response?.ok) {\n // modify the uri based on https://www.ietf.org/archive/id/draft-ietf-oauth-sd-jwt-vc-04.html#section-6.3.1\n const vctElements = vct.split('/')\n vctElements.splice(3, 0, '.well-known/vct')\n const legacyVctUrl = vctElements.join('/')\n\n response = await agentContext.config.agentDependencies.fetch(legacyVctUrl).catch(() => undefined)\n }\n\n if (!response?.ok) {\n if (!throwErrorOnFetchError) return undefined\n\n if (firstResponse) {\n throw new SdJwtVcError(\n `Unable to resolve type metadata vct '${vct}'. Fetch returned a non-successful ${firstResponse.status} response. ${await firstResponse.text()}.`,\n { cause: firstError }\n )\n } else {\n throw new SdJwtVcError(\n `Unable to resolve type metadata vct '${vct}'. 
Fetch returned a non-successful response.`,\n { cause: firstError }\n )\n }\n }\n\n const typeMetadata = (await response.clone().json()) as SdJwtVcTypeMetadata\n if (vctIntegrity) {\n if (typeof vctIntegrity !== 'string') {\n throw new SdJwtVcError(`Found 'vct#integrity' with value '${vctIntegrity}' but value was not of type 'string'.`)\n }\n\n IntegrityVerifier.verifyIntegrity(new Uint8Array(await response.arrayBuffer()), vctIntegrity)\n }\n\n return typeMetadata\n }\n\n public async store(agentContext: AgentContext, options: SdJwtVcStoreOptions) {\n await this.sdJwtVcRepository.save(agentContext, options.record)\n return options.record\n }\n\n public async getById(agentContext: AgentContext, id: string): Promise<SdJwtVcRecord> {\n return await this.sdJwtVcRepository.getById(agentContext, id)\n }\n\n public async getAll(agentContext: AgentContext): Promise<Array<SdJwtVcRecord>> {\n return await this.sdJwtVcRepository.getAll(agentContext)\n }\n\n public async findByQuery(\n agentContext: AgentContext,\n query: Query<SdJwtVcRecord>,\n queryOptions?: QueryOptions\n ): Promise<Array<SdJwtVcRecord>> {\n return await this.sdJwtVcRepository.findByQuery(agentContext, query, queryOptions)\n }\n\n public async deleteById(agentContext: AgentContext, id: string) {\n await this.sdJwtVcRepository.deleteById(agentContext, id)\n }\n\n public async update(agentContext: AgentContext, sdJwtVcRecord: SdJwtVcRecord) {\n await this.sdJwtVcRepository.update(agentContext, sdJwtVcRecord)\n }\n\n private async extractKeyFromIssuer(agentContext: AgentContext, issuer: SdJwtVcIssuer, forSigning = false) {\n if (issuer.method === 'did') {\n const parsedDid = parseDid(issuer.didUrl)\n if (!parsedDid.fragment) {\n throw new SdJwtVcError(\n `didUrl '${issuer.didUrl}' does not contain a '#'. 
Unable to derive key from did document`\n )\n }\n\n let publicJwk: PublicJwk\n if (forSigning) {\n publicJwk = await resolveSigningPublicJwkFromDidUrl(agentContext, issuer.didUrl)\n } else {\n const { verificationMethod } = await resolveDidUrl(agentContext, issuer.didUrl)\n publicJwk = getPublicJwkFromVerificationMethod(verificationMethod)\n }\n\n const supportedSignatureAlgorithms = publicJwk.supportedSignatureAlgorithms\n if (supportedSignatureAlgorithms.length === 0) {\n throw new SdJwtVcError(\n `No supported JWA signature algorithms found for key ${publicJwk.jwkTypeHumanDescription}`\n )\n }\n const alg = supportedSignatureAlgorithms[0]\n\n return {\n alg,\n publicJwk,\n iss: parsedDid.did,\n kid: `#${parsedDid.fragment}`,\n }\n }\n\n if (issuer.method === 'x5c') {\n const leafCertificate = issuer.x5c[0]\n if (!leafCertificate) {\n throw new SdJwtVcError(\"Empty 'x5c' array provided\")\n }\n\n if (forSigning && !leafCertificate.publicJwk.hasKeyId) {\n throw new SdJwtVcError(\"Expected leaf certificate in 'x5c' array to have a key id configured.\")\n }\n\n const publicJwk = leafCertificate.publicJwk\n const supportedSignatureAlgorithms = publicJwk.supportedSignatureAlgorithms\n if (supportedSignatureAlgorithms.length === 0) {\n throw new SdJwtVcError(\n `No supported JWA signature algorithms found for key ${publicJwk.jwkTypeHumanDescription}`\n )\n }\n const alg = supportedSignatureAlgorithms[0]\n\n this.assertValidX5cJwtIssuer(agentContext, issuer.issuer, leafCertificate)\n\n return {\n publicJwk,\n iss: issuer.issuer,\n x5c: issuer.x5c,\n alg,\n }\n }\n\n throw new SdJwtVcError(\"Unsupported credential issuer. 
Only 'did' and 'x5c' is supported at the moment.\")\n }\n\n private async parseIssuerFromCredential<Header extends SdJwtVcHeader, Payload extends SdJwtVcPayload>(\n agentContext: AgentContext,\n sdJwtVc: SDJwt<Header, Payload>,\n credoSdJwtVc: SdJwtVc<Header, Payload>,\n _trustedCertificates?: EncodedX509Certificate[]\n ): Promise<SdJwtVcIssuer> {\n const x509Config = agentContext.dependencyManager.resolve(X509ModuleConfig)\n if (!sdJwtVc.jwt?.payload) {\n throw new SdJwtVcError('Credential not exist')\n }\n\n const iss = sdJwtVc.jwt.payload.iss as string | undefined\n\n if (sdJwtVc.jwt.header?.x5c) {\n if (!Array.isArray(sdJwtVc.jwt.header.x5c)) {\n throw new SdJwtVcError('Invalid x5c header in credential. Not an array.')\n }\n if (sdJwtVc.jwt.header.x5c.length === 0) {\n throw new SdJwtVcError('Invalid x5c header in credential. Empty array.')\n }\n if (sdJwtVc.jwt.header.x5c.some((x5c) => typeof x5c !== 'string')) {\n throw new SdJwtVcError('Invalid x5c header in credential. Not an array of strings.')\n }\n\n let trustedCertificates = _trustedCertificates\n const certificateChain = sdJwtVc.jwt.header.x5c.map((cert) => X509Certificate.fromEncodedCertificate(cert))\n\n if (!trustedCertificates) {\n trustedCertificates =\n (await x509Config.getTrustedCertificatesForVerification?.(agentContext, {\n certificateChain,\n verification: {\n type: 'credential',\n credential: credoSdJwtVc,\n },\n })) ?? x509Config.trustedCertificates\n }\n\n if (!trustedCertificates) {\n throw new SdJwtVcError(\n 'No trusted certificates configured for X509 certificate chain validation. 
Issuer cannot be verified.'\n )\n }\n\n await X509Service.validateCertificateChain(agentContext, {\n certificateChain: sdJwtVc.jwt.header.x5c,\n trustedCertificates,\n })\n\n return {\n method: 'x5c',\n x5c: certificateChain,\n issuer: iss,\n }\n }\n\n if (iss?.startsWith('did:')) {\n // If `did` is used, we require a relative KID to be present to identify\n // the key used by issuer to sign the sd-jwt-vc\n\n if (!sdJwtVc.jwt?.header) {\n throw new SdJwtVcError('Credential does not contain a header')\n }\n\n if (!sdJwtVc.jwt.header.kid) {\n throw new SdJwtVcError('Credential does not contain a kid in the header')\n }\n\n const issuerKid = sdJwtVc.jwt.header.kid as string\n\n let didUrl: string\n if (issuerKid.startsWith('#')) {\n didUrl = `${iss}${issuerKid}`\n } else if (issuerKid.startsWith('did:')) {\n const didFromKid = parseDid(issuerKid)\n if (didFromKid.did !== iss) {\n throw new SdJwtVcError(\n `kid in header is an absolute DID URL, but the did (${didFromKid.did}) does not match with the 'iss' did (${iss})`\n )\n }\n\n didUrl = issuerKid\n } else {\n throw new SdJwtVcError(\n 'Invalid issuer kid for did. Only absolute or relative (starting with #) did urls are supported.'\n )\n }\n\n return {\n method: 'did',\n didUrl,\n }\n }\n\n throw new SdJwtVcError('Unsupported signing method for SD-JWT VC. 
Only did and x5c are supported at the moment.')\n }\n\n private getBaseSdJwtConfig(agentContext: AgentContext): SdJwtVcConfig {\n const kms = agentContext.resolve(KeyManagementApi)\n\n return {\n hasher: sdJwtVcHasher,\n statusListFetcher: this.getStatusListFetcher(agentContext),\n saltGenerator: (length) => TypedArrayEncoder.toBase64URL(kms.randomBytes({ length })).slice(0, length),\n }\n }\n\n private getStatusListFetcher(agentContext: AgentContext) {\n return async (uri: string) => {\n const response = await fetchWithTimeout(agentContext.config.agentDependencies.fetch, uri, {\n headers: {\n Accept: 'application/statuslist+jwt',\n },\n })\n\n if (!response.ok) {\n throw new CredoError(\n `Received invalid response with status ${\n response.status\n } when fetching status list from ${uri}. ${await response.text()}`\n )\n }\n\n return await response.text()\n }\n }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAqGO,2BAAMA,iBAAe;CAG1B,AAAO,YAAY,mBAAsC;AACvD,OAAK,oBAAoB;;CAG3B,MAAa,KACX,cACA,SACkB;EAClB,MAAM,EAAE,SAAS,iBAAiB,qBAAqB;AAGvD,MAAI,oBAAoB,qBAAqB,UAC3C,OAAM,IAAI,aAAa,uCAAuC,mBAAmB;EAGnF,MAAM,SAAS,MAAM,KAAK,qBAAqB,cAAc,QAAQ,QAAQ,KAAK;EAGlF,MAAM,gBAAgB,QAAQ,SAAS,MAAM,4BAA4B,cAAc,QAAQ,OAAO,GAAG;EAEzG,MAAM,SAAS;GACb,KAAK,OAAO;GACZ,KAAK,QAAQ,cAAc;GAC3B,KAAK,OAAO;GACZ,KAAK,OAAO,KAAK,KAAK,SAAS,KAAK,SAAS,SAAS,CAAC;GACxD;EAED,MAAM,QAAQ,IAAI,gBAAgB;GAChC,GAAG,KAAK,mBAAmB,aAAa;GACxC,QAAQ,eAAe,cAAc,OAAO,UAAU;GACtD,SAAS;GACT,SAAS,OAAO;GACjB,CAAC;AAEF,MAAI,CAAC,QAAQ,OAAO,OAAO,QAAQ,QAAQ,SACzC,OAAM,IAAI,aAAa,mCAAmC;EAG5D,MAAM,UAAU,MAAM,MAAM,MAC1B;GACE,GAAG;GACH,KAAK,eAAe;GACpB,KAAK,OAAO;GACZ,KAAK,cAAc;GACnB,KAAK,QAAQ;GACd,EACD,iBACA,EAAE,QAAQ,CACX;EAED,MAAM,eAAgB,MAAM,MAAM,UAAU,QAAQ;EAEpD,MAAM,gBADU,MAAM,MAAM,OAAO,QAAQ,EACd,KAAK;AAClC,MAAI,CAAC,aACH,OAAM,IAAI,aAAa,2BAA2B;AAGpD,SAAO;GACL;GACA;GACQ;GACR,QAAQ,QAAQ;GAChB,SAAS;GACT,aAAa,YAAY;GACzB,SAAS;GACV;;CAGH,AAAO,YACL,gBACA,cAC0B;AAC1B,SAAO,cAAc,gBAAgB,aAAa;;CAGpD,AAAO,2BAA2B,gBAAwB,kBAAuC;EAC/F,MAAM,UAAU,gBAAg
B,gBAAgB,OAAO,KAAK;EAC5D,MAAM,oBAAoB,+BAA+B,iBAAiB,IAAI,EAAE;AAEhF,MAAI,QAAQ,MACV,OAAM,IAAI,aAAa,kEAAkE;EAG3F,MAAM,sBAAsB,kBAC1B,QAAQ,IAAI,SAEZ,QAAQ,YAAY,KAAK,OAAO;GAC9B,QAAQ,EAAE,WAAW;IAAE,KAAK;IAAW,QAAQ,OAAO;IAAM,CAAC;GAC7D,SAAS,EAAE,QAAQ;GACnB,KAAK,EAAE;GACP,MAAM,EAAE;GACR,OAAO,EAAE;GACV,EAAE,EACH,kBACD;EACD,MAAM,CAAC,OAAO,eAAe,MAAM,IAAI;AAKvC,SADyB,cADX,GAAG,IAAI,GADnB,oBAAoB,SAAS,IAAI,GAAG,oBAAoB,KAAK,MAAM,EAAE,QAAQ,CAAC,KAAK,IAAI,CAAC,KAAK,KAElD;;CAI/C,MAAa,QACX,cACA,EAAE,SAAS,mBAAmB,kBAAkB,qBAC/B;EACjB,MAAM,QAAQ,IAAI,gBAAgB,KAAK,mBAAmB,aAAa,CAAC;EACxE,MAAM,iBAAiB,OAAO,YAAY,WAAW,UAAU,QAAQ;EAGvE,MAAM,gBAAgB,kCAFE,MAAM,MAAM,OAAO,eAAe,EAEa,KAAK,QAAQ;AACpF,MAAI,CAAC,iBAAiB,iBACpB,OAAM,IAAI,aAAa,wFAAwF;EAGjH,MAAM,SAAS,gBACX,MAAM,4BAA4B,cAAc,eAAe;GAC7D,YAAY;GACZ,UAAU,OAAO,YAAY,WAAW,QAAQ,WAAW;GAC5D,CAAC,GACF;AACJ,QAAM,OAAO;GACX,UAAU,SAAS,eAAe,cAAc,OAAO,UAAU,GAAG;GACpE,WAAW,QAAQ;GACpB,CAAC;AAeF,SAb8B,MAAM,MAAM,QAAQ,gBAAgB,mBAAiD,EACjH,IAAI,mBACA,EACE,SAAS;GACP,KAAK,iBAAiB;GACtB,OAAO,iBAAiB;GACxB,KAAK,iBAAiB;GACtB,GAAG;GACJ,EACF,GACD,QACL,CAAC;;CAKJ,AAAQ,wBACN,cACA,KACA,iBACA;AAEA,MAAI,CAAC,IAAK;AAGV,MAAI,CAAC,IAAI,WAAW,WAAW,IAAI,EAAE,IAAI,WAAW,UAAU,IAAI,aAAa,OAAO,uBACpF,OAAM,IAAI,aAAa,mDAAmD;AAG5E,MAAI,CAAC,gBAAgB,aAAa,SAAS,IAAI,IAAI,CAAC,gBAAgB,aAAa,SAAS,iBAAiB,IAAI,CAAC,CAC9G,OAAM,IAAI,aACR,+PACD;;CAIL,MAAa,OACX,cACA,EAAE,gBAAgB,YAAY,mBAAmB,mBAAmB,qBAAqB,OAIzF;EACA,MAAM,QAAQ,IAAI,gBAAgB,KAAK,mBAAmB,aAAa,CAAC;EACxE,IAAIC;EACJ,IAAIC;AAEJ,MAAI;AACF,aAAU,MAAM,MAAM,OAAO,eAAe;AAC5C,OAAI,CAAC,QAAQ,IAAK,OAAM,IAAI,WAAW,oBAAoB;AAC3D,mBAAgB,iCAAiC,QAAQ,IAAI,QAAQ,IAAI;WAClE,OAAO;AACd,UAAO;IACL,SAAS;IACT;IACD;;EAGH,MAAMC,gBAA0C;GAC9C,SAAS,QAAQ,IAAI;GACrB,QAAQ,QAAQ,IAAI;GACpB,SAAS;GACT,cAAc,MAAM,QAAQ,UAAU,cAAc;GACpD,QAAQ;GAER,OAAO,QAAQ,QACX;IACE,SAAS,QAAQ,MAAM;IACvB,QAAQ,QAAQ,MAAM;IACvB,GACD;GACJ,aAAa,YAAY;GACzB,SAAS;GACV;AAED,MAAI;GACF,MAAM,mBAAmB,MAAM,KAAK,0BAClC,cACA,SACA,eACA,oBACD;GACD,MAAM,SAAS,MAAM,KAAK,qBAAqB,cAAc,iBAAiB;GAC9E,MAAM,SAAS,cAAc,SACzB,MAAM,4BAA4B,cAAc,cAAc,OA
AO,GACrE;AAEJ,SAAM,OAAO;IACX,UAAU,iBAAiB,cAAc,OAAO,UAAU;IAC1D,YAAY,SAAS,iBAAiB,cAAc,OAAO,UAAU,GAAG;IACzE,CAAC;AAEF,OAAI;AACF,UAAM,MAAM,OAAO,gBAAgB;KACjC,mBAAmB,oBAAoB,CAAC,GAAG,mBAAmB,MAAM,GAAG,CAAC,MAAM;KAC9E,iBAAiB,YAAY;KAC7B,aAAa,cAAc,uBAAO,IAAI,MAAM,CAAC;KAC7C,aAAa,aAAa,OAAO;KAClC,CAAC;YACK,OAAO;AACd,WAAO;KACL;KACA,SAAS;KACT,SAAS;KACV;;AAGH,OAAI,QAAQ,IAAI,QAAQ,QAAQ,eAAe,QAAQ,IAAI,QAAQ,QAAQ,YACzE,QAAO;IACL,OAAO,IAAI,aAAa,4DAA4D;IACpF,SAAS;IACT,SAAS;IACV;AAGH,OAAI;AACF,eAAW,SAAS,cAAc,QAAQ,CAAC,SAAS;KAClD,KAAK,cAAc,uBAAO,IAAI,MAAM,CAAC;KACrC,aAAa,aAAa,OAAO;KAClC,CAAC;YACK,OAAO;AACd,WAAO;KACL;KACA,SAAS;KACT,SAAS;KACV;;AAIH,OAAI;AACF,QAAI,YAAY;AACd,SAAI,CAAC,QAAQ,SAAS,CAAC,QAAQ,MAAM,QACnC,OAAM,IAAI,aAAa,2DAA2D;AAIpF,SAAI,QAAQ,MAAM,QAAQ,QAAQ,WAAW,SAC3C,OAAM,IAAI,aAAa,6DAA6D;AAGtF,SAAI,QAAQ,MAAM,QAAQ,UAAU,WAAW,MAC7C,OAAM,IAAI,aAAa,0DAA0D;;YAG9E,OAAO;AACd,WAAO;KACL;KACA,SAAS;KACT,SAAS;KACV;;AAGH,OAAI,kBAGF,eAAc,eAAe,MAAM,KAAK,kBAAkB,cAAc,eAAe;IACrF,wBAAwB;IACxB,iCAAiC;IAClC,CAAC;WAEG,OAAO;AACd,UAAO;IACL,SAAS;IACT;IACA,SAAS;IACV;;AAGH,SAAO;GACL,SAAS;GACT,SAAS;GACV;;CAGH,MAAa,kBACX,cACA,SACA,EACE,yBAAyB,MACzB,kCAAkC,SACiD,EAAE,EACvF;EACA,MAAM,MAAM,QAAQ,QAAQ;EAC5B,MAAM,eAAe,QAAQ,QAAQ;AACrC,MAAI,CAAC,OAAO,OAAO,QAAQ,YAAY,CAAC,IAAI,WAAW,WAAW,EAAE;AAClE,OAAI,CAAC,gCAAiC,QAAO;AAC7C,SAAM,IAAI,aAAa,4CAA4C,IAAI,yBAAyB;;EAGlG,IAAIC;EAKJ,MAAM,gBAAgB,MAAM,aAAa,OAAO,kBAAkB,MAAM,IAAI,CAAC,OAAO,UAAU;AAC5F,gBAAa;IAEb;EACF,IAAI,WAAW;AAGf,MAAI,CAAC,YAAY,CAAC,UAAU,IAAI;GAE9B,MAAM,cAAc,IAAI,MAAM,IAAI;AAClC,eAAY,OAAO,GAAG,GAAG,kBAAkB;GAC3C,MAAM,eAAe,YAAY,KAAK,IAAI;AAE1C,cAAW,MAAM,aAAa,OAAO,kBAAkB,MAAM,aAAa,CAAC,YAAY,OAAU;;AAGnG,MAAI,CAAC,UAAU,IAAI;AACjB,OAAI,CAAC,uBAAwB,QAAO;AAEpC,OAAI,cACF,OAAM,IAAI,aACR,wCAAwC,IAAI,qCAAqC,cAAc,OAAO,aAAa,MAAM,cAAc,MAAM,CAAC,IAC9I,EAAE,OAAO,YAAY,CACtB;OAED,OAAM,IAAI,aACR,wCAAwC,IAAI,+CAC5C,EAAE,OAAO,YAAY,CACtB;;EAIL,MAAM,eAAgB,MAAM,SAAS,OAAO,CAAC,MAAM;AACnD,MAAI,cAAc;AAChB,OAAI,OAAO,iBAAiB,SAC1B,OAAM,IAAI,aAAa,qCAAqC,aAAa,uCAAuC;AAGlH,qBAAkB,gBAAgB,IAAI,WAAW,
MAAM,SAAS,aAAa,CAAC,EAAE,aAAa;;AAG/F,SAAO;;CAGT,MAAa,MAAM,cAA4B,SAA8B;AAC3E,QAAM,KAAK,kBAAkB,KAAK,cAAc,QAAQ,OAAO;AAC/D,SAAO,QAAQ;;CAGjB,MAAa,QAAQ,cAA4B,IAAoC;AACnF,SAAO,MAAM,KAAK,kBAAkB,QAAQ,cAAc,GAAG;;CAG/D,MAAa,OAAO,cAA2D;AAC7E,SAAO,MAAM,KAAK,kBAAkB,OAAO,aAAa;;CAG1D,MAAa,YACX,cACA,OACA,cAC+B;AAC/B,SAAO,MAAM,KAAK,kBAAkB,YAAY,cAAc,OAAO,aAAa;;CAGpF,MAAa,WAAW,cAA4B,IAAY;AAC9D,QAAM,KAAK,kBAAkB,WAAW,cAAc,GAAG;;CAG3D,MAAa,OAAO,cAA4B,eAA8B;AAC5E,QAAM,KAAK,kBAAkB,OAAO,cAAc,cAAc;;CAGlE,MAAc,qBAAqB,cAA4B,QAAuB,aAAa,OAAO;AACxG,MAAI,OAAO,WAAW,OAAO;GAC3B,MAAM,YAAY,SAAS,OAAO,OAAO;AACzC,OAAI,CAAC,UAAU,SACb,OAAM,IAAI,aACR,WAAW,OAAO,OAAO,kEAC1B;GAGH,IAAIC;AACJ,OAAI,WACF,aAAY,MAAM,kCAAkC,cAAc,OAAO,OAAO;QAC3E;IACL,MAAM,EAAE,uBAAuB,MAAM,cAAc,cAAc,OAAO,OAAO;AAC/E,gBAAY,mCAAmC,mBAAmB;;GAGpE,MAAM,+BAA+B,UAAU;AAC/C,OAAI,6BAA6B,WAAW,EAC1C,OAAM,IAAI,aACR,uDAAuD,UAAU,0BAClE;AAIH,UAAO;IACL,KAHU,6BAA6B;IAIvC;IACA,KAAK,UAAU;IACf,KAAK,IAAI,UAAU;IACpB;;AAGH,MAAI,OAAO,WAAW,OAAO;GAC3B,MAAM,kBAAkB,OAAO,IAAI;AACnC,OAAI,CAAC,gBACH,OAAM,IAAI,aAAa,6BAA6B;AAGtD,OAAI,cAAc,CAAC,gBAAgB,UAAU,SAC3C,OAAM,IAAI,aAAa,wEAAwE;GAGjG,MAAM,YAAY,gBAAgB;GAClC,MAAM,+BAA+B,UAAU;AAC/C,OAAI,6BAA6B,WAAW,EAC1C,OAAM,IAAI,aACR,uDAAuD,UAAU,0BAClE;GAEH,MAAM,MAAM,6BAA6B;AAEzC,QAAK,wBAAwB,cAAc,OAAO,QAAQ,gBAAgB;AAE1E,UAAO;IACL;IACA,KAAK,OAAO;IACZ,KAAK,OAAO;IACZ;IACD;;AAGH,QAAM,IAAI,aAAa,kFAAkF;;CAG3G,MAAc,0BACZ,cACA,SACA,cACA,sBACwB;EACxB,MAAM,aAAa,aAAa,kBAAkB,QAAQ,iBAAiB;AAC3E,MAAI,CAAC,QAAQ,KAAK,QAChB,OAAM,IAAI,aAAa,uBAAuB;EAGhD,MAAM,MAAM,QAAQ,IAAI,QAAQ;AAEhC,MAAI,QAAQ,IAAI,QAAQ,KAAK;AAC3B,OAAI,CAAC,MAAM,QAAQ,QAAQ,IAAI,OAAO,IAAI,CACxC,OAAM,IAAI,aAAa,kDAAkD;AAE3E,OAAI,QAAQ,IAAI,OAAO,IAAI,WAAW,EACpC,OAAM,IAAI,aAAa,iDAAiD;AAE1E,OAAI,QAAQ,IAAI,OAAO,IAAI,MAAM,QAAQ,OAAO,QAAQ,SAAS,CAC/D,OAAM,IAAI,aAAa,6DAA6D;GAGtF,IAAI,sBAAsB;GAC1B,MAAM,mBAAmB,QAAQ,IAAI,OAAO,IAAI,KAAK,SAAS,gBAAgB,uBAAuB,KAAK,CAAC;AAE3G,OAAI,CAAC,oBACH,uBACG,MAAM,WAAW,wCAAwC,cAAc;IACtE;IACA,cAAc;KACZ,MAAM;KACN,YAAY;KACb;IACF,CAAC,IAAK,WAAW;AAGtB,OAAI,CAAC,oBACH,OAAM,IAAI,
aACR,uGACD;AAGH,SAAM,YAAY,yBAAyB,cAAc;IACvD,kBAAkB,QAAQ,IAAI,OAAO;IACrC;IACD,CAAC;AAEF,UAAO;IACL,QAAQ;IACR,KAAK;IACL,QAAQ;IACT;;AAGH,MAAI,KAAK,WAAW,OAAO,EAAE;AAI3B,OAAI,CAAC,QAAQ,KAAK,OAChB,OAAM,IAAI,aAAa,uCAAuC;AAGhE,OAAI,CAAC,QAAQ,IAAI,OAAO,IACtB,OAAM,IAAI,aAAa,kDAAkD;GAG3E,MAAM,YAAY,QAAQ,IAAI,OAAO;GAErC,IAAIC;AACJ,OAAI,UAAU,WAAW,IAAI,CAC3B,UAAS,GAAG,MAAM;YACT,UAAU,WAAW,OAAO,EAAE;IACvC,MAAM,aAAa,SAAS,UAAU;AACtC,QAAI,WAAW,QAAQ,IACrB,OAAM,IAAI,aACR,sDAAsD,WAAW,IAAI,uCAAuC,IAAI,GACjH;AAGH,aAAS;SAET,OAAM,IAAI,aACR,kGACD;AAGH,UAAO;IACL,QAAQ;IACR;IACD;;AAGH,QAAM,IAAI,aAAa,0FAA0F;;CAGnH,AAAQ,mBAAmB,cAA2C;EACpE,MAAM,MAAM,aAAa,QAAQ,iBAAiB;AAElD,SAAO;GACL,QAAQ;GACR,mBAAmB,KAAK,qBAAqB,aAAa;GAC1D,gBAAgB,WAAW,kBAAkB,YAAY,IAAI,YAAY,EAAE,QAAQ,CAAC,CAAC,CAAC,MAAM,GAAG,OAAO;GACvG;;CAGH,AAAQ,qBAAqB,cAA4B;AACvD,SAAO,OAAO,QAAgB;GAC5B,MAAM,WAAW,MAAM,iBAAiB,aAAa,OAAO,kBAAkB,OAAO,KAAK,EACxF,SAAS,EACP,QAAQ,8BACT,EACF,CAAC;AAEF,OAAI,CAAC,SAAS,GACZ,OAAM,IAAI,WACR,yCACE,SAAS,OACV,kCAAkC,IAAI,IAAI,MAAM,SAAS,MAAM,GACjE;AAGH,UAAO,MAAM,SAAS,MAAM;;;;6BA1kBjC,YAAY"}
@@ -2,9 +2,9 @@
2
2
 
3
3
  import { CredoError } from "../../error/CredoError.mjs";
4
4
  import "../../error/index.mjs";
5
- import "../../agent/index.mjs";
6
5
  import { TypedArrayEncoder } from "../../utils/TypedArrayEncoder.mjs";
7
6
  import "../../utils/index.mjs";
7
+ import "../../agent/index.mjs";
8
8
  import { PublicJwk } from "../kms/jwk/PublicJwk.mjs";
9
9
  import { KeyManagementApi } from "../kms/KeyManagementApi.mjs";
10
10
  import "../kms/index.mjs";
@@ -2,12 +2,12 @@
2
2
 
3
3
  import { CredoError } from "../../../error/CredoError.mjs";
4
4
  import "../../../error/index.mjs";
5
- import { injectable } from "../../../plugins/index.mjs";
6
- import { __decorateMetadata } from "../../../_virtual/_@oxc-project_runtime@0.99.0/helpers/decorateMetadata.mjs";
7
- import { __decorate } from "../../../_virtual/_@oxc-project_runtime@0.99.0/helpers/decorate.mjs";
8
5
  import { asArray } from "../../../utils/array.mjs";
9
6
  import { JsonTransformer } from "../../../utils/JsonTransformer.mjs";
10
7
  import "../../../utils/index.mjs";
8
+ import { injectable } from "../../../plugins/index.mjs";
9
+ import { __decorateMetadata } from "../../../_virtual/_@oxc-project_runtime@0.99.0/helpers/decorateMetadata.mjs";
10
+ import { __decorate } from "../../../_virtual/_@oxc-project_runtime@0.99.0/helpers/decorate.mjs";
11
11
  import "../../kms/index.mjs";
12
12
  import { parseDid } from "../../dids/domain/parse.mjs";
13
13
  import { VerificationMethod } from "../../dids/domain/verificationMethod/VerificationMethod.mjs";
@@ -1,9 +1,9 @@
1
1
 
2
2
 
3
- import { __decorateMetadata } from "../../../../_virtual/_@oxc-project_runtime@0.99.0/helpers/decorateMetadata.mjs";
4
- import { __decorate } from "../../../../_virtual/_@oxc-project_runtime@0.99.0/helpers/decorate.mjs";
5
3
  import { IsUri } from "../../../../utils/validators.mjs";
6
4
  import "../../../../utils/index.mjs";
5
+ import { __decorateMetadata } from "../../../../_virtual/_@oxc-project_runtime@0.99.0/helpers/decorateMetadata.mjs";
6
+ import { __decorate } from "../../../../_virtual/_@oxc-project_runtime@0.99.0/helpers/decorate.mjs";
7
7
  import { IsEnum, IsOptional, IsString } from "class-validator";
8
8
 
9
9
  //#region src/modules/vc/data-integrity/models/DataIntegrityProof.ts
@@ -1,9 +1,9 @@
1
1
 
2
2
 
3
- import { __decorateMetadata } from "../../../../_virtual/_@oxc-project_runtime@0.99.0/helpers/decorateMetadata.mjs";
4
- import { __decorate } from "../../../../_virtual/_@oxc-project_runtime@0.99.0/helpers/decorate.mjs";
5
3
  import { IsUri } from "../../../../utils/validators.mjs";
6
4
  import "../../../../utils/index.mjs";
5
+ import { __decorateMetadata } from "../../../../_virtual/_@oxc-project_runtime@0.99.0/helpers/decorateMetadata.mjs";
6
+ import { __decorate } from "../../../../_virtual/_@oxc-project_runtime@0.99.0/helpers/decorate.mjs";
7
7
  import { IsOptional, IsString } from "class-validator";
8
8
 
9
9
  //#region src/modules/vc/data-integrity/models/LinkedDataProof.ts
@@ -1,11 +1,11 @@
1
1
 
2
2
 
3
- import { __decorateMetadata } from "../../../../_virtual/_@oxc-project_runtime@0.99.0/helpers/decorateMetadata.mjs";
4
- import { __decorate } from "../../../../_virtual/_@oxc-project_runtime@0.99.0/helpers/decorate.mjs";
5
3
  import { asArray, mapSingleOrArray } from "../../../../utils/array.mjs";
6
4
  import { JsonTransformer } from "../../../../utils/JsonTransformer.mjs";
7
5
  import { IsInstanceOrArrayOfInstances } from "../../../../utils/validators.mjs";
8
6
  import "../../../../utils/index.mjs";
7
+ import { __decorateMetadata } from "../../../../_virtual/_@oxc-project_runtime@0.99.0/helpers/decorateMetadata.mjs";
8
+ import { __decorate } from "../../../../_virtual/_@oxc-project_runtime@0.99.0/helpers/decorate.mjs";
9
9
  import { ClaimFormat } from "../../models/ClaimFormat.mjs";
10
10
  import { W3cCredential } from "../../models/credential/W3cCredential.mjs";
11
11
  import { DataIntegrityProof } from "./DataIntegrityProof.mjs";
@@ -1,11 +1,11 @@
1
1
 
2
2
 
3
- import { __decorateMetadata } from "../../../../_virtual/_@oxc-project_runtime@0.99.0/helpers/decorateMetadata.mjs";
4
- import { __decorate } from "../../../../_virtual/_@oxc-project_runtime@0.99.0/helpers/decorate.mjs";
5
3
  import { asArray } from "../../../../utils/array.mjs";
6
4
  import { JsonTransformer } from "../../../../utils/JsonTransformer.mjs";
7
5
  import { IsInstanceOrArrayOfInstances } from "../../../../utils/validators.mjs";
8
6
  import "../../../../utils/index.mjs";
7
+ import { __decorateMetadata } from "../../../../_virtual/_@oxc-project_runtime@0.99.0/helpers/decorateMetadata.mjs";
8
+ import { __decorate } from "../../../../_virtual/_@oxc-project_runtime@0.99.0/helpers/decorate.mjs";
9
9
  import { ClaimFormat } from "../../models/ClaimFormat.mjs";
10
10
  import { DataIntegrityProof } from "./DataIntegrityProof.mjs";
11
11
  import { LinkedDataProof } from "./LinkedDataProof.mjs";
@@ -1 +1 @@
1
- {"version":3,"file":"W3cJwtCredentialService.d.mts","names":[],"sources":["../../../../src/modules/vc/jwt-vc/W3cJwtCredentialService.ts"],"sourcesContent":[],"mappings":";;;;;;;;;;;;;;cA+Ba,uBAAA;;EAAA,WAAA,CAAA,UAAA,EAGoB,UAHG;EAGH;;;EAUpB,cAAA,CAAA,YAAA,EAFK,YAEL,EAAA,OAAA,EADA,2BACA,CAAA,EAAR,OAAQ,CAAA,0BAAA,CAAA;EAAR;;;;;;EAgLQ,gBAAA,CAAA,YAAA,EAxIK,YAwIL,EAAA,OAAA,EAvIA,6BAuIA,CAAA,EAtIR,OAsIQ,CAtIA,yBAsIA,CAAA;EACA;;;;;;EAwCD,gBAAA,CAAA,YAAA,EA1CM,YA0CN,EAAA,OAAA,EAzCC,6BAyCD,CAAA,EAxCP,OAwCO,CAxCC,4BAwCD,CAAA;;;;;;;mCAFM,uBACL,kCACR,QAAQ"}
1
+ {"version":3,"file":"W3cJwtCredentialService.d.mts","names":[],"sources":["../../../../src/modules/vc/jwt-vc/W3cJwtCredentialService.ts"],"sourcesContent":[],"mappings":";;;;;;;;;;;;;;cA+Ba,uBAAA;;EAAA,WAAA,CAAA,UAAA,EAGoB,UAHG;EAGH;;;EAUpB,cAAA,CAAA,YAAA,EAFK,YAEL,EAAA,OAAA,EADA,2BACA,CAAA,EAAR,OAAQ,CAAA,0BAAA,CAAA;EAAR;;;;;;EAkLQ,gBAAA,CAAA,YAAA,EA1IK,YA0IL,EAAA,OAAA,EAzIA,6BAyIA,CAAA,EAxIR,OAwIQ,CAxIA,yBAwIA,CAAA;EACA;;;;;;EAwCD,gBAAA,CAAA,YAAA,EA1CM,YA0CN,EAAA,OAAA,EAzCC,6BAyCD,CAAA,EAxCP,OAwCO,CAxCC,4BAwCD,CAAA;;;;;;;mCAFM,uBACL,kCACR,QAAQ"}
@@ -2,13 +2,13 @@
2
2
 
3
3
  import { CredoError } from "../../../error/CredoError.mjs";
4
4
  import "../../../error/index.mjs";
5
- import { injectable } from "../../../plugins/index.mjs";
6
- import { __decorateMetadata } from "../../../_virtual/_@oxc-project_runtime@0.99.0/helpers/decorateMetadata.mjs";
7
- import { __decorate } from "../../../_virtual/_@oxc-project_runtime@0.99.0/helpers/decorate.mjs";
8
5
  import { asArray } from "../../../utils/array.mjs";
9
6
  import { isDid } from "../../../utils/did.mjs";
10
7
  import { MessageValidator } from "../../../utils/MessageValidator.mjs";
11
8
  import "../../../utils/index.mjs";
9
+ import { injectable } from "../../../plugins/index.mjs";
10
+ import { __decorateMetadata } from "../../../_virtual/_@oxc-project_runtime@0.99.0/helpers/decorateMetadata.mjs";
11
+ import { __decorate } from "../../../_virtual/_@oxc-project_runtime@0.99.0/helpers/decorate.mjs";
12
12
  import { PublicJwk } from "../../kms/jwk/PublicJwk.mjs";
13
13
  import "../../kms/index.mjs";
14
14
  import { JwsService } from "../../../crypto/JwsService.mjs";
@@ -66,7 +66,7 @@ let W3cJwtCredentialService = class W3cJwtCredentialService$1 {
66
66
  try {
67
67
  if (options.credential instanceof W3cJwtVerifiableCredential) MessageValidator.validateSync(options.credential.credential);
68
68
  credential = options.credential instanceof W3cJwtVerifiableCredential ? options.credential : W3cJwtVerifiableCredential.fromSerializedJwt(options.credential);
69
- credential.jwt.payload.validate();
69
+ credential.jwt.payload.validate({ skewSeconds: agentContext.config.validitySkewSeconds });
70
70
  validationResults.validations.dataModel = { isValid: true };
71
71
  } catch (error) {
72
72
  validationResults.validations.dataModel = {
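Review bot: The new `validate({ skewSeconds: agentContext.config.validitySkewSeconds })` call passes the agent-wide setting straight through, and nothing in the hunk shows what happens when it is unset or misconfigured; if `validitySkewSeconds` is an optional config field (the AgentConfig typings gain two lines in this release, which suggests it is), `validate` must treat `undefined` as "no extra tolerance", and a large value silently widens the `nbf`/`exp` window for every credential this agent verifies. I would guard the read and document the trade-off at the call site: `const skewSeconds = agentContext.config.validitySkewSeconds ?? 0;` followed by `// clock-skew tolerance for nbf/exp; keep small — it weakens expiry enforcement` and `credential.jwt.payload.validate({ skewSeconds });`. If `validate` already defaults the value, the comment alone is worth keeping. The enclosing method starts before this hunk.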
@@ -162,7 +162,7 @@ let W3cJwtCredentialService = class W3cJwtCredentialService$1 {
162
162
  try {
163
163
  if (options.presentation instanceof W3cJwtVerifiablePresentation) MessageValidator.validateSync(options.presentation.presentation);
164
164
  presentation = options.presentation instanceof W3cJwtVerifiablePresentation ? options.presentation : W3cJwtVerifiablePresentation.fromSerializedJwt(options.presentation);
165
- presentation.jwt.payload.validate();
165
+ presentation.jwt.payload.validate({ skewSeconds: agentContext.config.validitySkewSeconds });
166
166
  if (options.challenge !== presentation.jwt.payload.additionalClaims.nonce) throw new CredoError(`JWT payload 'nonce' does not match challenge '${options.challenge}'`);
167
167
  const audArray = asArray(presentation.jwt.payload.aud);
168
168
  if (options.domain && !audArray.includes(options.domain)) throw new CredoError(`JWT payload 'aud' does not include domain '${options.domain}'`);
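Review bot: The presentation path now relaxes `nbf`/`exp` by `agentContext.config.validitySkewSeconds`, but the freshness guarantees that matter for a presentation are the `nonce` and `aud` checks on the following lines, which remain exact; a reader could reasonably assume the skew also loosens those. A one-line comment above the `validate` call would make the scope explicit: `// skewSeconds only relaxes nbf/exp; the nonce and aud checks below are exact`. It may also be worth considering whether a per-call override (`options.validitySkewSeconds ?? agentContext.config.validitySkewSeconds`) is wanted here, since `challenge` and `domain` are already per-call while skew is agent-wide — that is a design question rather than a defect. The enclosing method starts before this hunk.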