@credo-ts/openid4vc 0.5.0-alpha.115

package/build/openid4vc-holder/OpenId4VciHolderServiceOptions.d.ts

@@ -0,0 +1,153 @@
+import type { OpenId4VcCredentialHolderBinding, OpenId4VciCredentialOfferPayload, OpenId4VciCredentialSupportedWithId, OpenId4VciIssuerMetadata } from '../shared';
+import type { JwaSignatureAlgorithm, KeyType } from '@credo-ts/core';
+import type { AuthorizationServerMetadata, EndpointMetadataResult, OpenId4VCIVersion } from '@sphereon/oid4vci-common';
+import { OpenId4VciCredentialFormatProfile } from '../shared/models/OpenId4VciCredentialFormatProfile';
+export type OpenId4VciSupportedCredentialFormats = OpenId4VciCredentialFormatProfile.JwtVcJson | OpenId4VciCredentialFormatProfile.JwtVcJsonLd | OpenId4VciCredentialFormatProfile.SdJwtVc | OpenId4VciCredentialFormatProfile.LdpVc;
+export declare const openId4VciSupportedCredentialFormats: OpenId4VciSupportedCredentialFormats[];
+export interface OpenId4VciResolvedCredentialOffer {
+    metadata: EndpointMetadataResult & {
+        credentialIssuerMetadata: Partial<AuthorizationServerMetadata> & OpenId4VciIssuerMetadata;
+    };
+    credentialOfferPayload: OpenId4VciCredentialOfferPayload;
+    offeredCredentials: OpenId4VciCredentialSupportedWithId[];
+    version: OpenId4VCIVersion;
+}
+export interface OpenId4VciResolvedAuthorizationRequest extends OpenId4VciAuthCodeFlowOptions {
+    codeVerifier: string;
+    authorizationRequestUri: string;
+}
+export interface OpenId4VciResolvedAuthorizationRequestWithCode extends OpenId4VciResolvedAuthorizationRequest {
+    code: string;
+}
+/**
+ * Options that are used to accept a credential offer for both the pre-authorized code flow and authorization code flow.
+ */
+export interface OpenId4VciAcceptCredentialOfferOptions {
+    /**
+     * String value containing a user PIN. This value MUST be present if user_pin_required was set to true in the Credential Offer.
+     * This parameter MUST only be used, if the grant_type is urn:ietf:params:oauth:grant-type:pre-authorized_code.
+     */
+    userPin?: string;
+    /**
+     * This is the list of credentials that will be requested from the issuer.
+     * Should be a list of ids of the credentials that are included in the credential offer.
+     * If not provided all offered credentials will be requested.
+     */
+    credentialsToRequest?: string[];
+    verifyCredentialStatus?: boolean;
+    /**
+     * A list of allowed proof of possession signature algorithms in order of preference.
+     *
+     * Note that the signature algorithms must be supported by the wallet implementation.
+     * Signature algorithms that are not supported by the wallet will be ignored.
+     *
+     * The proof of possession (pop) signature algorithm is used in the credential request
+     * to bind the credential to a did. In most cases the JWA signature algorithm
+     * that is used in the pop will determine the cryptographic suite that is used
+     * for signing the credential, but this not a requirement for the spec. E.g. if the
+     * pop uses EdDsa, the credential will most commonly also use EdDsa, or Ed25519Signature2018/2020.
+     */
+    allowedProofOfPossessionSignatureAlgorithms?: JwaSignatureAlgorithm[];
+    /**
+     * A function that should resolve key material for binding the to-be-issued credential
+     * to the holder based on the options passed. This key material will be used for signing
+     * the proof of possession included in the credential request.
+     *
+     * This method will be called once for each of the credentials that are included
+     * in the credential offer.
+     *
+     * Based on the credential format, JWA signature algorithm, verification method types
+     * and binding methods (did methods, jwk), the resolver must return an object
+     * conformant to the `CredentialHolderBinding` interface, which will be used
+     * for the proof of possession signature.
+     */
+    credentialBindingResolver: OpenId4VciCredentialBindingResolver;
+}
+/**
+ * Options that are used for the authorization code flow.
+ * Extends the pre-authorized code flow options.
+ */
+export interface OpenId4VciAuthCodeFlowOptions {
+    clientId: string;
+    redirectUri: string;
+    scope?: string[];
+}
+export interface OpenId4VciCredentialBindingOptions {
+    /**
+     * The credential format that will be requested from the issuer.
+     * E.g. `jwt_vc` or `ldp_vc`.
+     */
+    credentialFormat: OpenId4VciSupportedCredentialFormats;
+    /**
+     * The JWA Signature Algorithm that will be used in the proof of possession.
+     * This is based on the `allowedProofOfPossessionSignatureAlgorithms` passed
+     * to the request credential method, and the supported signature algorithms.
+     */
+    signatureAlgorithm: JwaSignatureAlgorithm;
+    /**
+     * This is a list of verification methods types that are supported
+     * for creating the proof of possession signature. The returned
+     * verification method type must be of one of these types.
+     */
+    supportedVerificationMethods: string[];
+    /**
+     * The key type that will be used to create the proof of possession signature.
+     * This is related to the verification method and the signature algorithm, and
+     * is added for convenience.
+     */
+    keyType: KeyType;
+    /**
+     * The credential type that will be requested from the issuer. This is
+     * based on the credential types that are included the credential offer.
+     *
+     * If the offered credential is an inline credential offer, the value
+     * will be `undefined`.
+     */
+    supportedCredentialId?: string;
+    /**
+     * Whether the issuer supports the `did` cryptographic binding method,
+     * indicating they support all did methods. In most cases, they do not
+     * support all did methods, and it means we have to make an assumption
+     * about the did methods they support.
+     *
+     * If this value is `false`, the `supportedDidMethods` property will
+     * contain a list of supported did methods.
+     */
+    supportsAllDidMethods: boolean;
+    /**
+     * A list of supported did methods. This is only used if the `supportsAllDidMethods`
+     * property is `false`. When this array is populated, the returned verification method
+     * MUST be based on one of these did methods.
+     *
+     * The did methods are returned in the format `did:<method>`, e.g. `did:web`.
+     *
+     * The value is undefined in the case the supported did methods could not be extracted.
+     * This is the case when an inline credential was used, or when the issuer didn't include
+     * the supported did methods in the issuer metadata.
+     *
+     * NOTE: an empty array (no did methods supported) has a different meaning from the value
+     * being undefined (the supported did methods could not be extracted). If `supportsAllDidMethods`
+     * is true, the value of this property MUST be ignored.
+     */
+    supportedDidMethods?: string[];
+    /**
+     * Whether the issuer supports the `jwk` cryptographic binding method,
+     * indicating they support proof of possession signatures bound to a jwk.
+     */
+    supportsJwk: boolean;
+}
+/**
+ * The proof of possession verification method resolver is a function that can be passed by the
+ * user of the framework and allows them to determine which verification method should be used
+ * for the proof of possession signature.
+ */
+export type OpenId4VciCredentialBindingResolver = (options: OpenId4VciCredentialBindingOptions) => Promise<OpenId4VcCredentialHolderBinding> | OpenId4VcCredentialHolderBinding;
+/**
+ * @internal
+ */
+export interface OpenId4VciProofOfPossessionRequirements {
+    signatureAlgorithm: JwaSignatureAlgorithm;
+    supportedDidMethods?: string[];
+    supportsAllDidMethods: boolean;
+    supportsJwk: boolean;
+}

package/build/openid4vc-holder/OpenId4VciHolderServiceOptions.js

@@ -0,0 +1,11 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.openId4VciSupportedCredentialFormats = void 0;
+const OpenId4VciCredentialFormatProfile_1 = require("../shared/models/OpenId4VciCredentialFormatProfile");
+exports.openId4VciSupportedCredentialFormats = [
+    OpenId4VciCredentialFormatProfile_1.OpenId4VciCredentialFormatProfile.JwtVcJson,
+    OpenId4VciCredentialFormatProfile_1.OpenId4VciCredentialFormatProfile.JwtVcJsonLd,
+    OpenId4VciCredentialFormatProfile_1.OpenId4VciCredentialFormatProfile.SdJwtVc,
+    OpenId4VciCredentialFormatProfile_1.OpenId4VciCredentialFormatProfile.LdpVc,
+];
+//# sourceMappingURL=OpenId4VciHolderServiceOptions.js.map

package/build/openid4vc-holder/OpenId4VciHolderServiceOptions.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"OpenId4VciHolderServiceOptions.js","sourceRoot":"","sources":["../../src/openid4vc-holder/OpenId4VciHolderServiceOptions.ts"],"names":[],"mappings":";;;AASA,0GAAsG;AAQzF,QAAA,oCAAoC,GAA2C;IAC1F,qEAAiC,CAAC,SAAS;IAC3C,qEAAiC,CAAC,WAAW;IAC7C,qEAAiC,CAAC,OAAO;IACzC,qEAAiC,CAAC,KAAK;CACxC,CAAA"}

package/build/openid4vc-holder/OpenId4vcSiopHolderService.d.ts

@@ -0,0 +1,18 @@
+import type { OpenId4VcSiopAcceptAuthorizationRequestOptions, OpenId4VcSiopResolvedAuthorizationRequest } from './OpenId4vcSiopHolderServiceOptions';
+import type { AgentContext } from '@credo-ts/core';
+import { DifPresentationExchangeService } from '@credo-ts/core';
+export declare class OpenId4VcSiopHolderService {
+    private presentationExchangeService;
+    constructor(presentationExchangeService: DifPresentationExchangeService);
+    resolveAuthorizationRequest(agentContext: AgentContext, requestJwtOrUri: string): Promise<OpenId4VcSiopResolvedAuthorizationRequest>;
+    acceptAuthorizationRequest(agentContext: AgentContext, options: OpenId4VcSiopAcceptAuthorizationRequestOptions): Promise<{
+        serverResponse: {
+            status: number;
+            body: string | Record<string, unknown> | undefined;
+        };
+        submittedResponse: import("@sphereon/did-auth-siop").AuthorizationResponsePayload;
+    }>;
+    private getOpenIdProvider;
+    private getOpenIdTokenIssuerFromVerifiablePresentation;
+    private assertValidTokenIssuer;
+}

package/build/openid4vc-holder/OpenId4vcSiopHolderService.js

@@ -0,0 +1,228 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.OpenId4VcSiopHolderService = void 0;
+const core_1 = require("@credo-ts/core");
+const did_auth_siop_1 = require("@sphereon/did-auth-siop");
+const transform_1 = require("../shared/transform");
+const utils_1 = require("../shared/utils");
+let OpenId4VcSiopHolderService = class OpenId4VcSiopHolderService {
+    constructor(presentationExchangeService) {
+        this.presentationExchangeService = presentationExchangeService;
+    }
+    async resolveAuthorizationRequest(agentContext, requestJwtOrUri) {
+        var _a, _b;
+        const openidProvider = await this.getOpenIdProvider(agentContext, {});
+        // parsing happens automatically in verifyAuthorizationRequest
+        const verifiedAuthorizationRequest = await openidProvider.verifyAuthorizationRequest(requestJwtOrUri, {
+            verification: {
+                // FIXME: we want custom verification, but not supported currently
+                // https://github.com/Sphereon-Opensource/SIOP-OID4VP/issues/55
+                mode: did_auth_siop_1.VerificationMode.INTERNAL,
+                resolveOpts: { resolver: (0, utils_1.getSphereonDidResolver)(agentContext), noUniversalResolverFallback: true },
+            },
+        });
+        agentContext.config.logger.debug(`verified SIOP Authorization Request for issuer '${verifiedAuthorizationRequest.issuer}'`);
+        agentContext.config.logger.debug(`requestJwtOrUri '${requestJwtOrUri}'`);
+        if (verifiedAuthorizationRequest.presentationDefinitions &&
+            verifiedAuthorizationRequest.presentationDefinitions.length > 1) {
+            throw new core_1.CredoError('Only a single presentation definition is supported.');
+        }
+        const presentationDefinition = (_b = (_a = verifiedAuthorizationRequest.presentationDefinitions) === null || _a === void 0 ? void 0 : _a[0]) === null || _b === void 0 ? void 0 : _b.definition;
+        return {
+            authorizationRequest: verifiedAuthorizationRequest,
+            // Parameters related to DIF Presentation Exchange
+            presentationExchange: presentationDefinition
+                ? {
+                    definition: presentationDefinition,
+                    credentialsForRequest: await this.presentationExchangeService.getCredentialsForRequest(agentContext, presentationDefinition),
+                }
+                : undefined,
+        };
+    }
+    async acceptAuthorizationRequest(agentContext, options) {
+        const { authorizationRequest, presentationExchange } = options;
+        let openIdTokenIssuer = options.openIdTokenIssuer;
+        let presentationExchangeOptions = undefined;
+        // Handle presentation exchange part
+        if (authorizationRequest.presentationDefinitions && authorizationRequest.presentationDefinitions.length > 0) {
+            if (!presentationExchange) {
+                throw new core_1.CredoError('Authorization request included presentation definition. `presentationExchange` MUST be supplied to accept authorization requests.');
+            }
+            const nonce = await authorizationRequest.authorizationRequest.getMergedProperty('nonce');
+            if (!nonce) {
+                throw new core_1.CredoError("Unable to extract 'nonce' from authorization request");
+            }
+            const clientId = await authorizationRequest.authorizationRequest.getMergedProperty('client_id');
+            if (!clientId) {
+                throw new core_1.CredoError("Unable to extract 'client_id' from authorization request");
+            }
+            const { verifiablePresentations, presentationSubmission } = await this.presentationExchangeService.createPresentation(agentContext, {
+                credentialsForInputDescriptor: presentationExchange.credentials,
+                presentationDefinition: authorizationRequest.presentationDefinitions[0].definition,
+                challenge: nonce,
+                domain: clientId,
+                presentationSubmissionLocation: core_1.DifPresentationExchangeSubmissionLocation.EXTERNAL,
+            });
+            presentationExchangeOptions = {
+                verifiablePresentations: verifiablePresentations.map((vp) => (0, transform_1.getSphereonVerifiablePresentation)(vp)),
+                presentationSubmission,
+                vpTokenLocation: did_auth_siop_1.VPTokenLocation.AUTHORIZATION_RESPONSE,
+            };
+            if (!openIdTokenIssuer) {
+                openIdTokenIssuer = this.getOpenIdTokenIssuerFromVerifiablePresentation(verifiablePresentations[0]);
+            }
+        }
+        else if (options.presentationExchange) {
+            throw new core_1.CredoError('`presentationExchange` was supplied, but no presentation definition was found in the presentation request.');
+        }
+        if (!openIdTokenIssuer) {
+            throw new core_1.CredoError('Unable to create authorization response. openIdTokenIssuer MUST be supplied when no presentation is active.');
+        }
+        this.assertValidTokenIssuer(authorizationRequest, openIdTokenIssuer);
+        const openidProvider = await this.getOpenIdProvider(agentContext, {
+            openIdTokenIssuer,
+        });
+        const suppliedSignature = await (0, utils_1.getSphereonSuppliedSignatureFromJwtIssuer)(agentContext, openIdTokenIssuer);
+        const authorizationResponseWithCorrelationId = await openidProvider.createAuthorizationResponse(authorizationRequest, {
+            signature: suppliedSignature,
+            issuer: suppliedSignature.did,
+            verification: {
+                resolveOpts: { resolver: (0, utils_1.getSphereonDidResolver)(agentContext), noUniversalResolverFallback: true },
+                mode: did_auth_siop_1.VerificationMode.INTERNAL,
+            },
+            presentationExchange: presentationExchangeOptions,
+            // https://openid.net/specs/openid-connect-self-issued-v2-1_0.html#name-aud-of-a-request-object
+            audience: authorizationRequest.authorizationRequestPayload.client_id,
+        });
+        const response = await openidProvider.submitAuthorizationResponse(authorizationResponseWithCorrelationId);
+        let responseDetails = undefined;
+        try {
+            responseDetails = await response.text();
+            if (responseDetails.includes('{')) {
+                responseDetails = JSON.parse(responseDetails);
+            }
+        }
+        catch (error) {
+            // no-op
+        }
+        return {
+            serverResponse: {
+                status: response.status,
+                body: responseDetails,
+            },
+            submittedResponse: authorizationResponseWithCorrelationId.response.payload,
+        };
+    }
+    async getOpenIdProvider(agentContext, options = {}) {
+        const { openIdTokenIssuer } = options;
+        const builder = did_auth_siop_1.OP.builder()
+            .withExpiresIn(6000)
+            .withIssuer(did_auth_siop_1.ResponseIss.SELF_ISSUED_V2)
+            .withResponseMode(did_auth_siop_1.ResponseMode.POST)
+            .withSupportedVersions([did_auth_siop_1.SupportedVersion.SIOPv2_D11, did_auth_siop_1.SupportedVersion.SIOPv2_D12_OID4VP_D18])
+            .withCustomResolver((0, utils_1.getSphereonDidResolver)(agentContext))
+            .withCheckLinkedDomain(did_auth_siop_1.CheckLinkedDomain.NEVER)
+            .withHasher(core_1.Hasher.hash);
+        if (openIdTokenIssuer) {
+            const suppliedSignature = await (0, utils_1.getSphereonSuppliedSignatureFromJwtIssuer)(agentContext, openIdTokenIssuer);
+            builder.withSignature(suppliedSignature);
+        }
+        // Add did methods
+        const supportedDidMethods = agentContext.dependencyManager.resolve(core_1.DidsApi).supportedResolverMethods;
+        for (const supportedDidMethod of supportedDidMethods) {
+            builder.addDidMethod(supportedDidMethod);
+        }
+        const openidProvider = builder.build();
+        return openidProvider;
+    }
+    getOpenIdTokenIssuerFromVerifiablePresentation(verifiablePresentation) {
+        let openIdTokenIssuer;
+        if (verifiablePresentation instanceof core_1.W3cJsonLdVerifiablePresentation) {
+            const [firstProof] = (0, core_1.asArray)(verifiablePresentation.proof);
+            if (!firstProof)
+                throw new core_1.CredoError('Verifiable presentation does not contain a proof');
+            if (!firstProof.verificationMethod.startsWith('did:')) {
+                throw new core_1.CredoError('Verifiable presentation proof verificationMethod is not a did. Unable to extract openIdTokenIssuer from verifiable presentation');
+            }
+            openIdTokenIssuer = {
+                method: 'did',
+                didUrl: firstProof.verificationMethod,
+            };
+        }
+        else if (verifiablePresentation instanceof core_1.W3cJwtVerifiablePresentation) {
+            const kid = verifiablePresentation.jwt.header.kid;
+            if (!kid)
+                throw new core_1.CredoError('Verifiable Presentation does not contain a kid in the jwt header');
+            if (kid.startsWith('#') && verifiablePresentation.presentation.holderId) {
+                openIdTokenIssuer = {
+                    didUrl: `${verifiablePresentation.presentation.holderId}${kid}`,
+                    method: 'did',
+                };
+            }
+            else if (kid.startsWith('did:')) {
+                openIdTokenIssuer = {
+                    didUrl: kid,
+                    method: 'did',
+                };
+            }
+            else {
+                throw new core_1.CredoError("JWT W3C Verifiable presentation does not include did in JWT header 'kid'. Unable to extract openIdTokenIssuer from verifiable presentation");
+            }
+        }
+        else {
+            const cnf = verifiablePresentation.payload.cnf;
+            // FIXME: SD-JWT VC should have better payload typing, so this doesn't become so ugly
+            if (!cnf ||
+                typeof cnf !== 'object' ||
+                !('kid' in cnf) ||
+                typeof cnf.kid !== 'string' ||
+                !cnf.kid.startsWith('did:') ||
+                !cnf.kid.includes('#')) {
+                throw new core_1.CredoError("SD-JWT Verifiable presentation has no 'cnf' claim or does not include 'cnf' claim where 'kid' is a didUrl pointing to a key. Unable to extract openIdTokenIssuer from verifiable presentation");
+            }
+            openIdTokenIssuer = {
+                didUrl: cnf.kid,
+                method: 'did',
+            };
+        }
+        return openIdTokenIssuer;
+    }
+    assertValidTokenIssuer(authorizationRequest, openIdTokenIssuer) {
+        // TODO: jwk thumbprint support
+        const subjectSyntaxTypesSupported = authorizationRequest.registrationMetadataPayload.subject_syntax_types_supported;
+        if (!subjectSyntaxTypesSupported) {
+            throw new core_1.CredoError('subject_syntax_types_supported is not supplied in the registration metadata. subject_syntax_types is REQUIRED.');
+        }
+        let allowedSubjectSyntaxTypes = [];
+        if (openIdTokenIssuer.method === 'did') {
+            const parsedDid = (0, core_1.parseDid)(openIdTokenIssuer.didUrl);
+            // Either did:<method> or did (for all did methods) is allowed
+            allowedSubjectSyntaxTypes = [`did:${parsedDid.method}`, 'did'];
+        }
+        else {
+            throw new core_1.CredoError("Only 'did' is supported as openIdTokenIssuer at the moment");
+        }
+        // At least one of the allowed subject syntax types must be supported by the RP
+        if (!allowedSubjectSyntaxTypes.some((allowed) => subjectSyntaxTypesSupported.includes(allowed))) {
+            throw new core_1.CredoError([
+                'The provided openIdTokenIssuer is not supported by the relying party.',
+                `Supported subject syntax types: '${subjectSyntaxTypesSupported.join(', ')}'`,
+            ].join('\n'));
+        }
+    }
+};
+OpenId4VcSiopHolderService = __decorate([
+    (0, core_1.injectable)(),
+    __metadata("design:paramtypes", [core_1.DifPresentationExchangeService])
+], OpenId4VcSiopHolderService);
+exports.OpenId4VcSiopHolderService = OpenId4VcSiopHolderService;
+//# sourceMappingURL=OpenId4vcSiopHolderService.js.map

package/build/openid4vc-holder/OpenId4vcSiopHolderService.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"OpenId4vcSiopHolderService.js","sourceRoot":"","sources":["../../src/openid4vc-holder/OpenId4vcSiopHolderService.ts"],"names":[],"mappings":";;;;;;;;;;;;AAQA,yCAWuB;AACvB,2DAQgC;AAEhC,mDAAuE;AACvE,2CAAmG;AAG5F,IAAM,0BAA0B,GAAhC,MAAM,0BAA0B;IACrC,YAA2B,2BAA2D;QAA3D,gCAA2B,GAA3B,2BAA2B,CAAgC;IAAG,CAAC;IAEnF,KAAK,CAAC,2BAA2B,CACtC,YAA0B,EAC1B,eAAuB;;QAEvB,MAAM,cAAc,GAAG,MAAM,IAAI,CAAC,iBAAiB,CAAC,YAAY,EAAE,EAAE,CAAC,CAAA;QAErE,8DAA8D;QAC9D,MAAM,4BAA4B,GAAG,MAAM,cAAc,CAAC,0BAA0B,CAAC,eAAe,EAAE;YACpG,YAAY,EAAE;gBACZ,kEAAkE;gBAClE,+DAA+D;gBAC/D,IAAI,EAAE,gCAAgB,CAAC,QAAQ;gBAC/B,WAAW,EAAE,EAAE,QAAQ,EAAE,IAAA,8BAAsB,EAAC,YAAY,CAAC,EAAE,2BAA2B,EAAE,IAAI,EAAE;aACnG;SACF,CAAC,CAAA;QAEF,YAAY,CAAC,MAAM,CAAC,MAAM,CAAC,KAAK,CAC9B,mDAAmD,4BAA4B,CAAC,MAAM,GAAG,CAC1F,CAAA;QACD,YAAY,CAAC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,oBAAoB,eAAe,GAAG,CAAC,CAAA;QAExE,IACE,4BAA4B,CAAC,uBAAuB;YACpD,4BAA4B,CAAC,uBAAuB,CAAC,MAAM,GAAG,CAAC,EAC/D;YACA,MAAM,IAAI,iBAAU,CAAC,qDAAqD,CAAC,CAAA;SAC5E;QAED,MAAM,sBAAsB,GAAG,MAAA,MAAA,4BAA4B,CAAC,uBAAuB,0CAAG,CAAC,CAAC,0CAAE,UAAU,CAAA;QAEpG,OAAO;YACL,oBAAoB,EAAE,4BAA4B;YAElD,kDAAkD;YAClD,oBAAoB,EAAE,sBAAsB;gBAC1C,CAAC,CAAC;oBACE,UAAU,EAAE,sBAAsB;oBAClC,qBAAqB,EAAE,MAAM,IAAI,CAAC,2BAA2B,CAAC,wBAAwB,CACpF,YAAY,EACZ,sBAAsB,CACvB;iBACF;gBACH,CAAC,CAAC,SAAS;SACd,CAAA;IACH,CAAC;IAEM,KAAK,CAAC,0BAA0B,CACrC,YAA0B,EAC1B,OAAuD;QAEvD,MAAM,EAAE,oBAAoB,EAAE,oBAAoB,EAAE,GAAG,OAAO,CAAA;QAC9D,IAAI,iBAAiB,GAAG,OAAO,CAAC,iBAAiB,CAAA;QACjD,IAAI,2BAA2B,GAAiD,SAAS,CAAA;QAEzF,oCAAoC;QACpC,IAAI,oBAAoB,CAAC,uBAAuB,IAAI,oBAAoB,CAAC,uBAAuB,CAAC,MAAM,GAAG,CAAC,EAAE;YAC3G,IAAI,CAAC,oBAAoB,EAAE;gBACzB,MAAM,IAAI,iBAAU,CAClB,mIAAmI,CACpI,CAAA;aACF;YAED,MAAM,KAAK,GAAG,MAAM,oBAAoB,CAAC,oBAAoB,CAAC,iBAAiB,CAAS,OAAO,CAAC,CAAA;YAChG,IAAI,CAAC,KAAK,EAAE;gBACV,MAAM,IAAI,iBAAU,CAAC,sDAAsD,CAAC,CAAA;aAC7E;YAED,MAAM,QAAQ,GAAG,MAAM,oBAAoB,CAAC,oBAAoB,CAAC,iBAAiB,CAAS,WAAW,CAAC,CAAA;YACvG,IAAI,CAAC,QAAQ,EAAE;gBACb,MAAM,IAAI,iBAAU,CAAC,0DAA0D,CAAC,CAAA;aACjF;YAED,MAAM,EAAE,uBAAuB,EAAE,sBAAsB,EAAE,GACvD,MAAM,IAAI,CAAC,2BAA2B,CAAC,kBAAkB,CAAC,YAAY,EAAE;gBACtE,6BAA6B,EAAE,oBAAoB,CAAC,WAAW;gBAC/D,sBAAsB,EAAE,oBAAoB,CAAC,uBAAuB,CAAC,CAAC,CAAC,CAAC,UAAU;gBAClF,SAAS,EAAE,KAAK;gBAChB,MAAM,EAAE,QAAQ;gBAChB,8BAA8B,EAAE,gDAAyC,CAAC,QAAQ;aACnF,CAAC,CAAA;YAEJ,2BAA2B,GAAG;gBAC5B,uBAAuB,EAAE,uBAAuB,CAAC,GAAG,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,IAAA,6CAAiC,EAAC,EAAE,CAAC,CAAC;gBACnG,sBAAsB;gBACtB,eAAe,EAAE,+BAAe,CAAC,sBAAsB;aACxD,CAAA;YAED,IAAI,CAAC,iBAAiB,EAAE;gBACtB,iBAAiB,GAAG,IAAI,CAAC,8CAA8C,CAAC,uBAAuB,CAAC,CAAC,CAAC,CAAC,CAAA;aACpG;SACF;aAAM,IAAI,OAAO,CAAC,oBAAoB,EAAE;YACvC,MAAM,IAAI,iBAAU,CAClB,4GAA4G,CAC7G,CAAA;SACF;QAED,IAAI,CAAC,iBAAiB,EAAE;YACtB,MAAM,IAAI,iBAAU,CAClB,6GAA6G,CAC9G,CAAA;SACF;QAED,IAAI,CAAC,sBAAsB,CAAC,oBAAoB,EAAE,iBAAiB,CAAC,CAAA;QACpE,MAAM,cAAc,GAAG,MAAM,IAAI,CAAC,iBAAiB,CAAC,YAAY,EAAE;YAChE,iBAAiB;SAClB,CAAC,CAAA;QAEF,MAAM,iBAAiB,GAAG,MAAM,IAAA,iDAAyC,EAAC,YAAY,EAAE,iBAAiB,CAAC,CAAA;QAC1G,MAAM,sCAAsC,GAAG,MAAM,cAAc,CAAC,2BAA2B,CAC7F,oBAAoB,EACpB;YACE,SAAS,EAAE,iBAAiB;YAC5B,MAAM,EAAE,iBAAiB,CAAC,GAAG;YAC7B,YAAY,EAAE;gBACZ,WAAW,EAAE,EAAE,QAAQ,EAAE,IAAA,8BAAsB,EAAC,YAAY,CAAC,EAAE,2BAA2B,EAAE,IAAI,EAAE;gBAClG,IAAI,EAAE,gCAAgB,CAAC,QAAQ;aAChC;YACD,oBAAoB,EAAE,2BAA2B;YACjD,+FAA+F;YAC/F,QAAQ,EAAE,oBAAoB,CAAC,2BAA2B,CAAC,SAAS;SACrE,CACF,CAAA;QAED,MAAM,QAAQ,GAAG,MAAM,cAAc,CAAC,2BAA2B,CAAC,sCAAsC,CAAC,CAAA;QACzG,IAAI,eAAe,GAAiD,SAAS,CAAA;QAC7E,IAAI;YACF,eAAe,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAA;YACvC,IAAI,eAAe,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE;gBACjC,eAAe,GAAG,IAAI,CAAC,KAAK,CAAC,eAAe,CAAC,CAAA;aAC9C;SACF;QAAC,OAAO,KAAK,EAAE;YACd,QAAQ;SACT;QAED,OAAO;YACL,cAAc,EAAE;gBACd,MAAM,EAAE,QAAQ,CAAC,MAAM;gBACvB,IAAI,EAAE,eAAe;aACtB;YACD,iBAAiB,EAAE,sCAAsC,CAAC,QAAQ,CAAC,OAAO;SAC3E,CAAA;IACH,CAAC;IAEO,KAAK,CAAC,iBAAiB,CAC7B,YAA0B,EAC1B,UAEI,EAAE;QAEN,MAAM,EAAE,iBAAiB,EAAE,GAAG,OAAO,CAAA;QAErC,MAAM,OAAO,GAAG,kBAAE,CAAC,OAAO,EAAE;aACzB,aAAa,CAAC,IAAI,CAAC;aACnB,UAAU,CAAC,2BAAW,CAAC,cAAc,CAAC;aACtC,gBAAgB,CAAC,4BAAY,CAAC,IAAI,CAAC;aACnC,qBAAqB,CAAC,CAAC,gCAAgB,CAAC,UAAU,EAAE,gCAAgB,CAAC,qBAAqB,CAAC,CAAC;aAC5F,kBAAkB,CAAC,IAAA,8BAAsB,EAAC,YAAY,CAAC,CAAC;aACxD,qBAAqB,CAAC,iCAAiB,CAAC,KAAK,CAAC;aAC9C,UAAU,CAAC,aAAM,CAAC,IAAI,CAAC,CAAA;QAE1B,IAAI,iBAAiB,EAAE;YACrB,MAAM,iBAAiB,GAAG,MAAM,IAAA,iDAAyC,EAAC,YAAY,EAAE,iBAAiB,CAAC,CAAA;YAC1G,OAAO,CAAC,aAAa,CAAC,iBAAiB,CAAC,CAAA;SACzC;QAED,kBAAkB;QAClB,MAAM,mBAAmB,GAAG,YAAY,CAAC,iBAAiB,CAAC,OAAO,CAAC,cAAO,CAAC,CAAC,wBAAwB,CAAA;QACpG,KAAK,MAAM,kBAAkB,IAAI,mBAAmB,EAAE;YACpD,OAAO,CAAC,YAAY,CAAC,kBAAkB,CAAC,CAAA;SACzC;QAED,MAAM,cAAc,GAAG,OAAO,CAAC,KAAK,EAAE,CAAA;QAEtC,OAAO,cAAc,CAAA;IACvB,CAAC;IAEO,8CAA8C,CACpD,sBAA8C;QAE9C,IAAI,iBAAqC,CAAA;QAEzC,IAAI,sBAAsB,YAAY,sCAA+B,EAAE;YACrE,MAAM,CAAC,UAAU,CAAC,GAAG,IAAA,cAAO,EAAC,sBAAsB,CAAC,KAAK,CAAC,CAAA;YAC1D,IAAI,CAAC,UAAU;gBAAE,MAAM,IAAI,iBAAU,CAAC,kDAAkD,CAAC,CAAA;YAEzF,IAAI,CAAC,UAAU,CAAC,kBAAkB,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE;gBACrD,MAAM,IAAI,iBAAU,CAClB,iIAAiI,CAClI,CAAA;aACF;YAED,iBAAiB,GAAG;gBAClB,MAAM,EAAE,KAAK;gBACb,MAAM,EAAE,UAAU,CAAC,kBAAkB;aACtC,CAAA;SACF;aAAM,IAAI,sBAAsB,YAAY,mCAA4B,EAAE;YACzE,MAAM,GAAG,GAAG,sBAAsB,CAAC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAA;YAEjD,IAAI,CAAC,GAAG;gBAAE,MAAM,IAAI,iBAAU,CAAC,kEAAkE,CAAC,CAAA;YAClG,IAAI,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,sBAAsB,CAAC,YAAY,CAAC,QAAQ,EAAE;gBACvE,iBAAiB,GAAG;oBAClB,MAAM,EAAE,GAAG,sBAAsB,CAAC,YAAY,CAAC,QAAQ,GAAG,GAAG,EAAE;oBAC/D,MAAM,EAAE,KAAK;iBACd,CAAA;aACF;iBAAM,IAAI,GAAG,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE;gBACjC,iBAAiB,GAAG;oBAClB,MAAM,EAAE,GAAG;oBACX,MAAM,EAAE,KAAK;iBACd,CAAA;aACF;iBAAM;gBACL,MAAM,IAAI,iBAAU,CAClB,4IAA4I,CAC7I,CAAA;aACF;SACF;aAAM;YACL,MAAM,GAAG,GAAG,sBAAsB,CAAC,OAAO,CAAC,GAAG,CAAA;YAC9C,qFAAqF;YACrF,IACE,CAAC,GAAG;gBACJ,OAAO,GAAG,KAAK,QAAQ;gBACvB,CAAC,CAAC,KAAK,IAAI,GAAG,CAAC;gBACf,OAAO,GAAG,CAAC,GAAG,KAAK,QAAQ;gBAC3B,CAAC,GAAG,CAAC,GAAG,CAAC,UAAU,CAAC,MAAM,CAAC;gBAC3B,CAAC,GAAG,CAAC,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,EACtB;gBACA,MAAM,IAAI,iBAAU,CAClB,+LAA+L,CAChM,CAAA;aACF;YAED,iBAAiB,GAAG;gBAClB,MAAM,EAAE,GAAG,CAAC,GAAG;gBACf,MAAM,EAAE,KAAK;aACd,CAAA;SACF;QAED,OAAO,iBAAiB,CAAA;IAC1B,CAAC;IAEO,sBAAsB,CAC5B,oBAAkD,EAClD,iBAAqC;QAErC,+BAA+B;QAC/B,MAAM,2BAA2B,GAAG,oBAAoB,CAAC,2BAA2B,CAAC,8BAA8B,CAAA;QACnH,IAAI,CAAC,2BAA2B,EAAE;YAChC,MAAM,IAAI,iBAAU,CAClB,gHAAgH,CACjH,CAAA;SACF;QAED,IAAI,yBAAyB,GAAa,EAAE,CAAA;QAC5C,IAAI,iBAAiB,CAAC,MAAM,KAAK,KAAK,EAAE;YACtC,MAAM,SAAS,GAAG,IAAA,eAAQ,EAAC,iBAAiB,CAAC,MAAM,CAAC,CAAA;YAEpD,8DAA8D;YAC9D,yBAAyB,GAAG,CAAC,OAAO,SAAS,CAAC,MAAM,EAAE,EAAE,KAAK,CAAC,CAAA;SAC/D;aAAM;YACL,MAAM,IAAI,iBAAU,CAAC,4DAA4D,CAAC,CAAA;SACnF;QAED,+EAA+E;QAC/E,IAAI,CAAC,yBAAyB,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,2BAA2B,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,EAAE;YAC/F,MAAM,IAAI,iBAAU,CAClB;gBACE,uEAAuE;gBACvE,oCAAoC,2BAA2B,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG;aAC9E,CAAC,IAAI,CAAC,IAAI,CAAC,CACb,CAAA;SACF;IACH,CAAC;CACF,CAAA;AAlRY,0BAA0B;IADtC,IAAA,iBAAU,GAAE;qCAE6C,qCAA8B;GAD3E,0BAA0B,CAkRtC;AAlRY,gEAA0B"}

package/build/openid4vc-holder/OpenId4vcSiopHolderServiceOptions.d.ts

@@ -0,0 +1,43 @@
+import type { OpenId4VcJwtIssuer, OpenId4VcSiopVerifiedAuthorizationRequest, OpenId4VcSiopAuthorizationResponsePayload } from '../shared';
+import type { DifPexCredentialsForRequest, DifPexInputDescriptorToCredentials, DifPresentationExchangeDefinition } from '@credo-ts/core';
+export interface OpenId4VcSiopResolvedAuthorizationRequest {
+    /**
+     * Parameters related to DIF Presentation Exchange. Only defined when
+     * the request included
+     */
+    presentationExchange?: {
+        definition: DifPresentationExchangeDefinition;
+        credentialsForRequest: DifPexCredentialsForRequest;
+    };
+    /**
+     * The verified authorization request.
+     */
+    authorizationRequest: OpenId4VcSiopVerifiedAuthorizationRequest;
+}
+export interface OpenId4VcSiopAcceptAuthorizationRequestOptions {
+    /**
+     * Parameters related to DIF Presentation Exchange. MUST be present when the resolved
+     * authorization request included a `presentationExchange` parameter.
+     */
+    presentationExchange?: {
+        credentials: DifPexInputDescriptorToCredentials;
+    };
+    /**
+     * The issuer of the ID Token.
+     *
+     * REQUIRED when presentation exchange is not used.
+     *
+     * In case presentation exchange is used, and `openIdTokenIssuer` is not provided, the issuer of the ID Token
+     * will be extracted from the signer of the first verifiable presentation.
+     */
+    openIdTokenIssuer?: OpenId4VcJwtIssuer;
+    /**
+     * The verified authorization request.
+     */
+    authorizationRequest: OpenId4VcSiopVerifiedAuthorizationRequest;
+}
+export interface OpenId4VcSiopAuthorizationResponseSubmission {
+    ok: boolean;
+    status: number;
+    submittedResponse: OpenId4VcSiopAuthorizationResponsePayload;
+}

package/build/openid4vc-holder/OpenId4vcSiopHolderServiceOptions.js

@@ -0,0 +1,3 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=OpenId4vcSiopHolderServiceOptions.js.map

package/build/openid4vc-holder/OpenId4vcSiopHolderServiceOptions.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"OpenId4vcSiopHolderServiceOptions.js","sourceRoot":"","sources":["../../src/openid4vc-holder/OpenId4vcSiopHolderServiceOptions.ts"],"names":[],"mappings":""}

package/build/openid4vc-holder/index.d.ts

@@ -0,0 +1,6 @@
+export * from './OpenId4VcHolderApi';
+export * from './OpenId4VcHolderModule';
+export * from './OpenId4VciHolderService';
+export * from './OpenId4VciHolderServiceOptions';
+export * from './OpenId4vcSiopHolderService';
+export * from './OpenId4vcSiopHolderServiceOptions';

package/build/openid4vc-holder/index.js

@@ -0,0 +1,23 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+__exportStar(require("./OpenId4VcHolderApi"), exports);
+__exportStar(require("./OpenId4VcHolderModule"), exports);
+__exportStar(require("./OpenId4VciHolderService"), exports);
+__exportStar(require("./OpenId4VciHolderServiceOptions"), exports);
+__exportStar(require("./OpenId4vcSiopHolderService"), exports);
+__exportStar(require("./OpenId4vcSiopHolderServiceOptions"), exports);
+//# sourceMappingURL=index.js.map

package/build/openid4vc-holder/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/openid4vc-holder/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;AAAA,uDAAoC;AACpC,0DAAuC;AACvC,4DAAyC;AACzC,mEAAgD;AAChD,+DAA4C;AAC5C,sEAAmD"}

package/build/openid4vc-issuer/OpenId4VcIssuerApi.d.ts

@@ -0,0 +1,62 @@
+import type { OpenId4VciCreateCredentialResponseOptions, OpenId4VciCreateCredentialOfferOptions, OpenId4VciCreateIssuerOptions } from './OpenId4VcIssuerServiceOptions';
+import type { OpenId4VcIssuerRecordProps } from './repository';
+import type { OpenId4VciCredentialOfferPayload } from '../shared';
+import { AgentContext } from '@credo-ts/core';
+import { OpenId4VcIssuerModuleConfig } from './OpenId4VcIssuerModuleConfig';
+import { OpenId4VcIssuerService } from './OpenId4VcIssuerService';
+/**
+ * @public
+ * This class represents the API for interacting with the OpenID4VC Issuer service.
+ * It provides methods for creating a credential offer, creating a response to a credential issuance request,
+ * and retrieving a credential offer from a URI.
+ */
+export declare class OpenId4VcIssuerApi {
+    readonly config: OpenId4VcIssuerModuleConfig;
+    private agentContext;
+    private openId4VcIssuerService;
+    constructor(config: OpenId4VcIssuerModuleConfig, agentContext: AgentContext, openId4VcIssuerService: OpenId4VcIssuerService);
+    getAllIssuers(): Promise<import("./repository").OpenId4VcIssuerRecord[]>;
+    getByIssuerId(issuerId: string): Promise<import("./repository").OpenId4VcIssuerRecord>;
+    /**
+     * Creates an issuer and stores the corresponding issuer metadata. Multiple issuers can be created, to allow different sets of
+     * credentials to be issued with each issuer.
+     */
+    createIssuer(options: OpenId4VciCreateIssuerOptions): Promise<import("./repository").OpenId4VcIssuerRecord>;
+    /**
+     * Rotate the key used for signing access tokens for the issuer with the given issuerId.
+     */
+    rotateAccessTokenSigningKey(issuerId: string): Promise<void>;
+    getIssuerMetadata(issuerId: string): Promise<import("./OpenId4VcIssuerServiceOptions").OpenId4VcIssuerMetadata>;
+    updateIssuerMetadata(options: Pick<OpenId4VcIssuerRecordProps, 'issuerId' | 'credentialsSupported' | 'display'>): Promise<void>;
+    /**
+     * Creates a credential offer. Either the preAuthorizedCodeFlowConfig or the authorizationCodeFlowConfig must be provided.
+     *
+     * @returns Object containing the payload of the credential offer and the credential offer request, which can be sent to the wallet.
+     */
+    createCredentialOffer(options: OpenId4VciCreateCredentialOfferOptions & {
+        issuerId: string;
+    }): Promise<{
+        credentialOfferPayload: import("@sphereon/oid4vci-common").CredentialOfferPayloadV1_0_11;
+        credentialOffer: string;
+    }>;
+    /**
+     * This function retrieves the credential offer referenced by the given URI.
+     * Retrieving a credential offer from a URI is possible after a credential offer was created with
+     * @see createCredentialOffer and the credentialOfferUri option.
+     *
+     * @throws if no credential offer can found for the given URI.
+     * @param uri - The URI referencing the credential offer.
+     * @returns The credential offer payload associated with the given URI.
+     */
+    getCredentialOfferFromUri(uri: string): Promise<OpenId4VciCredentialOfferPayload>;
+    /**
+     * This function creates a response which can be send to the holder after receiving a credential issuance request.
+     *
+     * @param options.credentialRequest - The credential request, for which to create a response.
+     * @param options.credential - The credential to be issued.
+     * @param options.verificationMethod - The verification method used for signing the credential.
+     */
+    createCredentialResponse(options: OpenId4VciCreateCredentialResponseOptions & {
+        issuerId: string;
+    }): Promise<import("@sphereon/oid4vci-common").CredentialResponse>;
+}