@credo-ts/openid4vc 0.6.0-pr-2134-20241217213340 → 0.6.0-pr-2195-20250217170804
- package/build/openid4vc-holder/OpenId4VcHolderApi.d.ts +61 -11
- package/build/openid4vc-holder/OpenId4VcHolderApi.js +17 -19
- package/build/openid4vc-holder/OpenId4VcHolderApi.js.map +1 -1
- package/build/openid4vc-holder/OpenId4VcHolderModule.js +1 -1
- package/build/openid4vc-holder/OpenId4VcHolderModule.js.map +1 -1
- package/build/openid4vc-holder/OpenId4VciHolderService.d.ts +7 -8
- package/build/openid4vc-holder/OpenId4VciHolderService.js +60 -45
- package/build/openid4vc-holder/OpenId4VciHolderService.js.map +1 -1
- package/build/openid4vc-holder/OpenId4VciHolderServiceOptions.d.ts +3 -3
- package/build/openid4vc-holder/OpenId4VciHolderServiceOptions.js +1 -1
- package/build/openid4vc-holder/OpenId4VciHolderServiceOptions.js.map +1 -1
- package/build/openid4vc-holder/OpenId4vcSiopHolderService.d.ts +59 -13
- package/build/openid4vc-holder/OpenId4vcSiopHolderService.js +232 -172
- package/build/openid4vc-holder/OpenId4vcSiopHolderService.js.map +1 -1
- package/build/openid4vc-holder/OpenId4vcSiopHolderServiceOptions.d.ts +18 -1
- package/build/openid4vc-issuer/OpenId4VcIssuerApi.d.ts +196 -46
- package/build/openid4vc-issuer/OpenId4VcIssuerApi.js +8 -19
- package/build/openid4vc-issuer/OpenId4VcIssuerApi.js.map +1 -1
- package/build/openid4vc-issuer/OpenId4VcIssuerModule.js +3 -3
- package/build/openid4vc-issuer/OpenId4VcIssuerModule.js.map +1 -1
- package/build/openid4vc-issuer/OpenId4VcIssuerModuleConfig.d.ts +13 -13
- package/build/openid4vc-issuer/OpenId4VcIssuerModuleConfig.js +19 -40
- package/build/openid4vc-issuer/OpenId4VcIssuerModuleConfig.js.map +1 -1
- package/build/openid4vc-issuer/OpenId4VcIssuerService.d.ts +198 -48
- package/build/openid4vc-issuer/OpenId4VcIssuerService.js +45 -37
- package/build/openid4vc-issuer/OpenId4VcIssuerService.js.map +1 -1
- package/build/openid4vc-issuer/OpenId4VcIssuerServiceOptions.d.ts +8 -3
- package/build/openid4vc-issuer/repository/OpenId4VcIssuanceSessionRecord.d.ts +1 -1
- package/build/openid4vc-issuer/repository/OpenId4VcIssuanceSessionRecord.js +26 -12
- package/build/openid4vc-issuer/repository/OpenId4VcIssuanceSessionRecord.js.map +1 -1
- package/build/openid4vc-issuer/repository/OpenId4VcIssuerRecord.js +19 -22
- package/build/openid4vc-issuer/repository/OpenId4VcIssuerRecord.js.map +1 -1
- package/build/openid4vc-issuer/router/accessTokenEndpoint.js +11 -9
- package/build/openid4vc-issuer/router/accessTokenEndpoint.js.map +1 -1
- package/build/openid4vc-issuer/router/authorizationChallengeEndpoint.js +17 -6
- package/build/openid4vc-issuer/router/authorizationChallengeEndpoint.js.map +1 -1
- package/build/openid4vc-issuer/router/authorizationServerMetadataEndpoint.js +1 -1
- package/build/openid4vc-issuer/router/authorizationServerMetadataEndpoint.js.map +1 -1
- package/build/openid4vc-issuer/router/credentialEndpoint.js +11 -9
- package/build/openid4vc-issuer/router/credentialEndpoint.js.map +1 -1
- package/build/openid4vc-issuer/router/issuerMetadataEndpoint.js +7 -3
- package/build/openid4vc-issuer/router/issuerMetadataEndpoint.js.map +1 -1
- package/build/openid4vc-issuer/util/txCode.js +2 -3
- package/build/openid4vc-issuer/util/txCode.js.map +1 -1
- package/build/openid4vc-verifier/OpenId4VcSiopVerifierService.d.ts +21 -7
- package/build/openid4vc-verifier/OpenId4VcSiopVerifierService.js +499 -263
- package/build/openid4vc-verifier/OpenId4VcSiopVerifierService.js.map +1 -1
- package/build/openid4vc-verifier/OpenId4VcSiopVerifierServiceOptions.d.ts +23 -3
- package/build/openid4vc-verifier/OpenId4VcVerifierApi.d.ts +3 -3
- package/build/openid4vc-verifier/OpenId4VcVerifierApi.js +11 -18
- package/build/openid4vc-verifier/OpenId4VcVerifierApi.js.map +1 -1
- package/build/openid4vc-verifier/OpenId4VcVerifierModule.js +3 -3
- package/build/openid4vc-verifier/OpenId4VcVerifierModule.js.map +1 -1
- package/build/openid4vc-verifier/OpenId4VcVerifierModuleConfig.js +11 -8
- package/build/openid4vc-verifier/OpenId4VcVerifierModuleConfig.js.map +1 -1
- package/build/openid4vc-verifier/repository/OpenId4VcRelyingPartyEventEmitter.d.ts +23 -4
- package/build/openid4vc-verifier/repository/OpenId4VcRelyingPartyEventEmitter.js +25 -29
- package/build/openid4vc-verifier/repository/OpenId4VcRelyingPartyEventEmitter.js.map +1 -1
- package/build/openid4vc-verifier/repository/OpenId4VcRelyingPartySessionManager.js +4 -6
- package/build/openid4vc-verifier/repository/OpenId4VcRelyingPartySessionManager.js.map +1 -1
- package/build/openid4vc-verifier/repository/OpenId4VcVerificationSessionRecord.js +11 -6
- package/build/openid4vc-verifier/repository/OpenId4VcVerificationSessionRecord.js.map +1 -1
- package/build/openid4vc-verifier/repository/OpenId4VcVerifierRecord.js +7 -5
- package/build/openid4vc-verifier/repository/OpenId4VcVerifierRecord.js.map +1 -1
- package/build/openid4vc-verifier/router/authorizationEndpoint.js +5 -104
- package/build/openid4vc-verifier/router/authorizationEndpoint.js.map +1 -1
- package/build/shared/callbacks.d.ts +16 -5
- package/build/shared/callbacks.js +120 -24
- package/build/shared/callbacks.js.map +1 -1
- package/build/shared/issuerMetadataUtils.d.ts +102 -144
- package/build/shared/models/index.d.ts +10 -8
- package/build/shared/models/index.js +5 -5
- package/build/shared/models/index.js.map +1 -1
- package/build/shared/router/context.d.ts +2 -2
- package/build/shared/router/context.js +5 -5
- package/build/shared/router/context.js.map +1 -1
- package/build/shared/router/tenants.js +1 -2
- package/build/shared/router/tenants.js.map +1 -1
- package/build/shared/utils.d.ts +6 -6
- package/build/shared/utils.js +22 -61
- package/build/shared/utils.js.map +1 -1
- package/package.json +7 -6
- package/build/shared/transform.d.ts +0 -5
- package/build/shared/transform.js +0 -73
- package/build/shared/transform.js.map +0 -1
|
@@ -4,13 +4,12 @@ exports.OpenId4VcVerificationSessionRecord = void 0;
|
|
|
4
4
|
const core_1 = require("@credo-ts/core");
|
|
5
5
|
class OpenId4VcVerificationSessionRecord extends core_1.BaseRecord {
|
|
6
6
|
constructor(props) {
|
|
7
|
-
var _a, _b, _c;
|
|
8
7
|
super();
|
|
9
8
|
this.type = OpenId4VcVerificationSessionRecord.type;
|
|
10
9
|
if (props) {
|
|
11
|
-
this.id =
|
|
12
|
-
this.createdAt =
|
|
13
|
-
this._tags =
|
|
10
|
+
this.id = props.id ?? core_1.utils.uuid();
|
|
11
|
+
this.createdAt = props.createdAt ?? new Date();
|
|
12
|
+
this._tags = props.tags ?? {};
|
|
14
13
|
this.verifierId = props.verifierId;
|
|
15
14
|
this.state = props.state;
|
|
16
15
|
this.errorMessage = props.errorMessage;
|
|
@@ -36,9 +35,15 @@ class OpenId4VcVerificationSessionRecord extends core_1.BaseRecord {
|
|
|
36
35
|
const payloadState = parsedAuthorizationRequest.payload.additionalClaims.state;
|
|
37
36
|
if (!payloadState || typeof payloadState !== 'string')
|
|
38
37
|
throw new core_1.CredoError('Expected state in authorization request payload');
|
|
39
|
-
return
|
|
38
|
+
return {
|
|
39
|
+
...this._tags,
|
|
40
|
+
verifierId: this.verifierId,
|
|
41
|
+
state: this.state,
|
|
42
|
+
nonce,
|
|
40
43
|
// FIXME: how do we call this property so it doesn't conflict with the record state?
|
|
41
|
-
payloadState,
|
|
44
|
+
payloadState,
|
|
45
|
+
authorizationRequestUri: this.authorizationRequestUri,
|
|
46
|
+
};
|
|
42
47
|
}
|
|
43
48
|
}
|
|
44
49
|
exports.OpenId4VcVerificationSessionRecord = OpenId4VcVerificationSessionRecord;
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"OpenId4VcVerificationSessionRecord.js","sourceRoot":"","sources":["../../../src/openid4vc-verifier/repository/OpenId4VcVerificationSessionRecord.ts"],"names":[],"mappings":";;;AAIA,yCAAmE;AAiCnE,MAAa,kCAAmC,SAAQ,iBAAyD;IAyC/G,YAAmB,KAA8C
|
|
1
|
+
{"version":3,"file":"OpenId4VcVerificationSessionRecord.js","sourceRoot":"","sources":["../../../src/openid4vc-verifier/repository/OpenId4VcVerificationSessionRecord.ts"],"names":[],"mappings":";;;AAIA,yCAAmE;AAiCnE,MAAa,kCAAmC,SAAQ,iBAAyD;IAyC/G,YAAmB,KAA8C;QAC/D,KAAK,EAAE,CAAA;QAxCO,SAAI,GAAG,kCAAkC,CAAC,IAAI,CAAA;QA0C5D,IAAI,KAAK,EAAE,CAAC;YACV,IAAI,CAAC,EAAE,GAAG,KAAK,CAAC,EAAE,IAAI,YAAK,CAAC,IAAI,EAAE,CAAA;YAClC,IAAI,CAAC,SAAS,GAAG,KAAK,CAAC,SAAS,IAAI,IAAI,IAAI,EAAE,CAAA;YAC9C,IAAI,CAAC,KAAK,GAAG,KAAK,CAAC,IAAI,IAAI,EAAE,CAAA;YAE7B,IAAI,CAAC,UAAU,GAAG,KAAK,CAAC,UAAU,CAAA;YAClC,IAAI,CAAC,KAAK,GAAG,KAAK,CAAC,KAAK,CAAA;YACxB,IAAI,CAAC,YAAY,GAAG,KAAK,CAAC,YAAY,CAAA;YACtC,IAAI,CAAC,uBAAuB,GAAG,KAAK,CAAC,uBAAuB,CAAA;YAC5D,IAAI,CAAC,uBAAuB,GAAG,KAAK,CAAC,uBAAuB,CAAA;YAC5D,IAAI,CAAC,4BAA4B,GAAG,KAAK,CAAC,4BAA4B,CAAA;YAEtE,IAAI,CAAC,iCAAiC,GAAG,KAAK,CAAC,iCAAiC,CAAA;QAClF,CAAC;IACH,CAAC;IAEM,WAAW,CAAC,cAAuF;QACxG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,cAAc,CAAC,EAAE,CAAC;YACnC,cAAc,GAAG,CAAC,cAAc,CAAC,CAAA;QACnC,CAAC;QAED,IAAI,CAAC,cAAc,CAAC,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;YACzC,MAAM,IAAI,iBAAU,CAClB,0DAA0D,IAAI,CAAC,KAAK,uBAAuB,cAAc,CAAC,IAAI,CAC5G,IAAI,CACL,GAAG,CACL,CAAA;QACH,CAAC;IACH,CAAC;IAEM,OAAO;QACZ,MAAM,0BAA0B,GAAG,UAAG,CAAC,iBAAiB,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAA;QAEtF,MAAM,KAAK,GAAG,0BAA0B,CAAC,OAAO,CAAC,gBAAgB,CAAC,KAAK,CAAA;QACvE,IAAI,CAAC,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ;YAAE,MAAM,IAAI,iBAAU,CAAC,iDAAiD,CAAC,CAAA;QAEhH,MAAM,YAAY,GAAG,0BAA0B,CAAC,OAAO,CAAC,gBAAgB,CAAC,KAAK,CAAA;QAC9E,IAAI,CAAC,YAAY,IAAI,OAAO,YAAY,KAAK,QAAQ;YACnD,MAAM,IAAI,iBAAU,CAAC,iDAAiD,CAAC,CAAA;QAEzE,OAAO;YACL,GAAG,IAAI,CAAC,KAAK;YACb,UAAU,EAAE,IAAI,CAAC,UAAU;YAC3B,KAAK,EAAE,IAAI,CAAC,KAAK;YACjB,KAAK;YACL,oFAAoF;YACpF,YAAY;YACZ,uBAAuB,EAAE,IAAI,CAAC,uBAAuB;SACtD,CAAA;IACH,CAAC;;AA7FH,gFA8FC;AA7FwB,uCAAI,GAAG,oCAAoC,AAAvC,CAAuC"}
|
|
@@ -9,19 +9,21 @@ const core_1 = require("@credo-ts/core");
|
|
|
9
9
|
* */
|
|
10
10
|
class OpenId4VcVerifierRecord extends core_1.BaseRecord {
|
|
11
11
|
constructor(props) {
|
|
12
|
-
var _a, _b, _c;
|
|
13
12
|
super();
|
|
14
13
|
this.type = OpenId4VcVerifierRecord.type;
|
|
15
14
|
if (props) {
|
|
16
|
-
this.id =
|
|
17
|
-
this.createdAt =
|
|
18
|
-
this._tags =
|
|
15
|
+
this.id = props.id ?? core_1.utils.uuid();
|
|
16
|
+
this.createdAt = props.createdAt ?? new Date();
|
|
17
|
+
this._tags = props.tags ?? {};
|
|
19
18
|
this.verifierId = props.verifierId;
|
|
20
19
|
this.clientMetadata = props.clientMetadata;
|
|
21
20
|
}
|
|
22
21
|
}
|
|
23
22
|
getTags() {
|
|
24
|
-
return
|
|
23
|
+
return {
|
|
24
|
+
...this._tags,
|
|
25
|
+
verifierId: this.verifierId,
|
|
26
|
+
};
|
|
25
27
|
}
|
|
26
28
|
}
|
|
27
29
|
exports.OpenId4VcVerifierRecord = OpenId4VcVerifierRecord;
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"OpenId4VcVerifierRecord.js","sourceRoot":"","sources":["../../../src/openid4vc-verifier/repository/OpenId4VcVerifierRecord.ts"],"names":[],"mappings":";;;AAGA,yCAAkD;AAkBlD;;;;KAIK;AACL,MAAa,uBAAwB,SAAQ,iBAA8C;IAOzF,YAAmB,KAAmC
|
|
1
|
+
{"version":3,"file":"OpenId4VcVerifierRecord.js","sourceRoot":"","sources":["../../../src/openid4vc-verifier/repository/OpenId4VcVerifierRecord.ts"],"names":[],"mappings":";;;AAGA,yCAAkD;AAkBlD;;;;KAIK;AACL,MAAa,uBAAwB,SAAQ,iBAA8C;IAOzF,YAAmB,KAAmC;QACpD,KAAK,EAAE,CAAA;QANO,SAAI,GAAG,uBAAuB,CAAC,IAAI,CAAA;QAQjD,IAAI,KAAK,EAAE,CAAC;YACV,IAAI,CAAC,EAAE,GAAG,KAAK,CAAC,EAAE,IAAI,YAAK,CAAC,IAAI,EAAE,CAAA;YAClC,IAAI,CAAC,SAAS,GAAG,KAAK,CAAC,SAAS,IAAI,IAAI,IAAI,EAAE,CAAA;YAC9C,IAAI,CAAC,KAAK,GAAG,KAAK,CAAC,IAAI,IAAI,EAAE,CAAA;YAE7B,IAAI,CAAC,UAAU,GAAG,KAAK,CAAC,UAAU,CAAA;YAClC,IAAI,CAAC,cAAc,GAAG,KAAK,CAAC,cAAc,CAAA;QAC5C,CAAC;IACH,CAAC;IAEM,OAAO;QACZ,OAAO;YACL,GAAG,IAAI,CAAC,KAAK;YACb,UAAU,EAAE,IAAI,CAAC,UAAU;SAC5B,CAAA;IACH,CAAC;;AAzBH,0DA0BC;AAzBwB,4BAAI,GAAG,yBAAyB,AAA5B,CAA4B"}
|
|
@@ -1,120 +1,21 @@
|
|
|
1
1
|
"use strict";
|
|
2
2
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
3
3
|
exports.configureAuthorizationEndpoint = configureAuthorizationEndpoint;
|
|
4
|
-
const oauth2_1 = require("@
|
|
5
|
-
const core_1 = require("@credo-ts/core");
|
|
6
|
-
const did_auth_siop_1 = require("@sphereon/did-auth-siop");
|
|
4
|
+
const oauth2_1 = require("@openid4vc/oauth2");
|
|
7
5
|
const router_1 = require("../../shared/router");
|
|
8
6
|
const OpenId4VcSiopVerifierService_1 = require("../OpenId4VcSiopVerifierService");
|
|
9
|
-
async function getVerificationSession(agentContext, options) {
|
|
10
|
-
const { verifierId, state, nonce } = options;
|
|
11
|
-
const openId4VcVerifierService = agentContext.dependencyManager.resolve(OpenId4VcSiopVerifierService_1.OpenId4VcSiopVerifierService);
|
|
12
|
-
const session = await openId4VcVerifierService.findVerificationSessionForAuthorizationResponse(agentContext, {
|
|
13
|
-
authorizationResponseParams: { state, nonce },
|
|
14
|
-
verifierId,
|
|
15
|
-
});
|
|
16
|
-
if (!session) {
|
|
17
|
-
agentContext.config.logger.warn(`No verification session found for incoming authorization response for verifier ${verifierId}`);
|
|
18
|
-
throw new core_1.CredoError(`No state or nonce provided in authorization response for verifier ${verifierId}`);
|
|
19
|
-
}
|
|
20
|
-
return session;
|
|
21
|
-
}
|
|
22
|
-
const decryptJarmResponse = (agentContext) => {
|
|
23
|
-
return async (input) => {
|
|
24
|
-
const { jwe: compactJwe, jwk: jwkJson } = input;
|
|
25
|
-
const key = core_1.Key.fromFingerprint(jwkJson.kid);
|
|
26
|
-
if (!agentContext.wallet.directDecryptCompactJweEcdhEs) {
|
|
27
|
-
throw new core_1.CredoError('Cannot decrypt Jarm Response, wallet does not support directDecryptCompactJweEcdhEs');
|
|
28
|
-
}
|
|
29
|
-
const { data, header } = await agentContext.wallet.directDecryptCompactJweEcdhEs({ compactJwe, recipientKey: key });
|
|
30
|
-
const decryptedPayload = core_1.TypedArrayEncoder.toUtf8String(data);
|
|
31
|
-
return {
|
|
32
|
-
plaintext: decryptedPayload,
|
|
33
|
-
protectedHeader: header,
|
|
34
|
-
};
|
|
35
|
-
};
|
|
36
|
-
};
|
|
37
7
|
function configureAuthorizationEndpoint(router, config) {
|
|
38
8
|
router.post(config.endpointPath, async (request, response, next) => {
|
|
39
9
|
const { agentContext, verifier } = (0, router_1.getRequestContext)(request);
|
|
40
|
-
let jarmResponseType;
|
|
41
10
|
try {
|
|
42
11
|
const openId4VcVerifierService = agentContext.dependencyManager.resolve(OpenId4VcSiopVerifierService_1.OpenId4VcSiopVerifierService);
|
|
43
|
-
|
|
44
|
-
|
|
45
|
-
|
|
46
|
-
if (request.body.response) {
|
|
47
|
-
const res = await did_auth_siop_1.RP.processJarmAuthorizationResponse(request.body.response, {
|
|
48
|
-
getAuthRequestPayload: async (input) => {
|
|
49
|
-
var _a;
|
|
50
|
-
verificationSession = await getVerificationSession(agentContext, {
|
|
51
|
-
verifierId: verifier.verifierId,
|
|
52
|
-
state: input.state,
|
|
53
|
-
nonce: input.nonce,
|
|
54
|
-
});
|
|
55
|
-
const req = await did_auth_siop_1.AuthorizationRequest.fromUriOrJwt(verificationSession.authorizationRequestJwt);
|
|
56
|
-
const requestObjectPayload = await ((_a = req.requestObject) === null || _a === void 0 ? void 0 : _a.getPayload());
|
|
57
|
-
if (!requestObjectPayload) {
|
|
58
|
-
throw new core_1.CredoError('No request object payload found.');
|
|
59
|
-
}
|
|
60
|
-
return { authRequestParams: requestObjectPayload };
|
|
61
|
-
},
|
|
62
|
-
decryptCompact: decryptJarmResponse(agentContext),
|
|
63
|
-
hasher: core_1.Hasher.hash,
|
|
64
|
-
});
|
|
65
|
-
jarmResponseType = res.type;
|
|
66
|
-
const [header] = request.body.response.split('.');
|
|
67
|
-
jarmHeader = core_1.JsonEncoder.fromBase64(header);
|
|
68
|
-
// FIXME: verify the apv matches the nonce of the authorization reuqest
|
|
69
|
-
authorizationResponsePayload = res.authResponseParams;
|
|
70
|
-
}
|
|
71
|
-
else {
|
|
72
|
-
authorizationResponsePayload = request.body;
|
|
73
|
-
verificationSession = await getVerificationSession(agentContext, {
|
|
74
|
-
verifierId: verifier.verifierId,
|
|
75
|
-
state: authorizationResponsePayload.state,
|
|
76
|
-
nonce: authorizationResponsePayload.nonce,
|
|
77
|
-
});
|
|
78
|
-
}
|
|
79
|
-
if (typeof authorizationResponsePayload.presentation_submission === 'string') {
|
|
80
|
-
authorizationResponsePayload.presentation_submission = JSON.parse(request.body.presentation_submission);
|
|
81
|
-
}
|
|
82
|
-
// This feels hacky, and should probably be moved to OID4VP lib. However the OID4VP spec allows either object, string, or array...
|
|
83
|
-
if (typeof authorizationResponsePayload.vp_token === 'string' &&
|
|
84
|
-
(authorizationResponsePayload.vp_token.startsWith('{') || authorizationResponsePayload.vp_token.startsWith('['))) {
|
|
85
|
-
authorizationResponsePayload.vp_token = JSON.parse(authorizationResponsePayload.vp_token);
|
|
86
|
-
}
|
|
87
|
-
if (!verificationSession) {
|
|
88
|
-
throw new core_1.CredoError('Missing verification session, cannot verify authorization response.');
|
|
89
|
-
}
|
|
90
|
-
const authorizationRequest = await did_auth_siop_1.AuthorizationRequest.fromUriOrJwt(verificationSession.authorizationRequestJwt);
|
|
91
|
-
const response_mode = await authorizationRequest.getMergedProperty('response_mode');
|
|
92
|
-
if ((response_mode === null || response_mode === void 0 ? void 0 : response_mode.includes('jwt')) && !jarmResponseType) {
|
|
93
|
-
throw new oauth2_1.Oauth2ServerErrorResponseError({
|
|
94
|
-
error: oauth2_1.Oauth2ErrorCodes.InvalidRequest,
|
|
95
|
-
error_description: `JARM response is required for JWT response mode '${response_mode}'.`,
|
|
96
|
-
});
|
|
97
|
-
}
|
|
98
|
-
if (!(response_mode === null || response_mode === void 0 ? void 0 : response_mode.includes('jwt')) && jarmResponseType) {
|
|
99
|
-
throw new oauth2_1.Oauth2ServerErrorResponseError({
|
|
100
|
-
error: oauth2_1.Oauth2ErrorCodes.InvalidRequest,
|
|
101
|
-
error_description: `Recieved JARM response which is incompatible with response mode '${response_mode}'.`,
|
|
102
|
-
});
|
|
103
|
-
}
|
|
104
|
-
if (jarmResponseType && jarmResponseType !== 'encrypted') {
|
|
105
|
-
throw new oauth2_1.Oauth2ServerErrorResponseError({
|
|
106
|
-
error: oauth2_1.Oauth2ErrorCodes.InvalidRequest,
|
|
107
|
-
error_description: `Only encrypted JARM responses are supported, received '${jarmResponseType}'.`,
|
|
108
|
-
});
|
|
109
|
-
}
|
|
110
|
-
await openId4VcVerifierService.verifyAuthorizationResponse(agentContext, {
|
|
111
|
-
authorizationResponse: authorizationResponsePayload,
|
|
112
|
-
verificationSession,
|
|
113
|
-
jarmHeader,
|
|
12
|
+
const result = await openId4VcVerifierService.verifyAuthorizationResponse(agentContext, {
|
|
13
|
+
authorizationResponse: request.body,
|
|
14
|
+
verifierId: verifier.verifierId,
|
|
114
15
|
});
|
|
115
16
|
return (0, router_1.sendJsonResponse)(response, next, {
|
|
116
17
|
// Used only for presentation during issuance flow, to prevent session fixation.
|
|
117
|
-
presentation_during_issuance_session: verificationSession.presentationDuringIssuanceSession,
|
|
18
|
+
presentation_during_issuance_session: result.verificationSession.presentationDuringIssuanceSession,
|
|
118
19
|
});
|
|
119
20
|
}
|
|
120
21
|
catch (error) {
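Review bot: The handler now passes `request.body` straight to `verifyAuthorizationResponse` together with `verifierId`, and the checks it used to make itself are gone from this file: session lookup by `state`/`nonce`, rejecting a non-JARM response when `response_mode` contains `jwt`, and accepting only encrypted JARM. They have presumably moved into `OpenId4VcSiopVerifierService`, which is not shown in this section, so this should be confirmed; without the response-mode check, a plain response could be accepted where an encrypted one was requested. The removed `FIXME` about verifying that `apv` matches the nonce of the authorization request has no visible replacement here either. A comment above the call, e.g. `// JARM decryption, response_mode enforcement and session lookup happen inside verifyAuthorizationResponse`, would make the delegation explicit. The route callback continues past the end of the hunk (`catch (error) {`).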
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"authorizationEndpoint.js","sourceRoot":"","sources":["../../../src/openid4vc-verifier/router/authorizationEndpoint.ts"],"names":[],"mappings":";;
|
|
1
|
+
{"version":3,"file":"authorizationEndpoint.js","sourceRoot":"","sources":["../../../src/openid4vc-verifier/router/authorizationEndpoint.ts"],"names":[],"mappings":";;AAkBA,wEAwBC;AAvCD,8CAAkE;AAElE,gDAAqH;AACrH,kFAA8E;AAY9E,SAAgB,8BAA8B,CAAC,MAAc,EAAE,MAAgD;IAC7G,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,YAAY,EAAE,KAAK,EAAE,OAAqC,EAAE,QAAkB,EAAE,IAAI,EAAE,EAAE;QACzG,MAAM,EAAE,YAAY,EAAE,QAAQ,EAAE,GAAG,IAAA,0BAAiB,EAAC,OAAO,CAAC,CAAA;QAE7D,IAAI,CAAC;YACH,MAAM,wBAAwB,GAAG,YAAY,CAAC,iBAAiB,CAAC,OAAO,CAAC,2DAA4B,CAAC,CAAA;YAErG,MAAM,MAAM,GAAG,MAAM,wBAAwB,CAAC,2BAA2B,CAAC,YAAY,EAAE;gBACtF,qBAAqB,EAAE,OAAO,CAAC,IAAW;gBAC1C,UAAU,EAAE,QAAQ,CAAC,UAAU;aAChC,CAAC,CAAA;YAEF,OAAO,IAAA,yBAAgB,EAAC,QAAQ,EAAE,IAAI,EAAE;gBACtC,gFAAgF;gBAChF,oCAAoC,EAAE,MAAM,CAAC,mBAAmB,CAAC,iCAAiC;aACnG,CAAC,CAAA;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,KAAK,YAAY,uCAA8B,EAAE,CAAC;gBACpD,OAAO,IAAA,gCAAuB,EAAC,QAAQ,EAAE,IAAI,EAAE,YAAY,CAAC,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,CAAA;YACnF,CAAC;YAED,OAAO,IAAA,0BAAiB,EAAC,QAAQ,EAAE,IAAI,EAAE,YAAY,CAAC,MAAM,CAAC,MAAM,EAAE,GAAG,EAAE,iBAAiB,EAAE,KAAK,CAAC,CAAA;QACrG,CAAC;IACH,CAAC,CAAC,CAAA;AACJ,CAAC"}
|
|
@@ -1,15 +1,26 @@
|
|
|
1
|
-
import type {
|
|
2
|
-
import type { ClientAuthenticationCallback, SignJwtCallback, VerifyJwtCallback } from '@animo-id/oauth2';
|
|
1
|
+
import type { ClientAuthenticationCallback, SignJwtCallback, VerifyJwtCallback } from '@openid4vc/oauth2';
|
|
3
2
|
import type { AgentContext } from '@credo-ts/core';
|
|
4
|
-
|
|
3
|
+
import type { OpenId4VcIssuerRecord } from '../openid4vc-issuer/repository';
|
|
4
|
+
import { DecryptJweCallback, EncryptJweCallback } from '@openid4vc/oauth2';
|
|
5
|
+
export declare function getOid4vciJwtVerifyCallback(agentContext: AgentContext, trustedCertificates?: string[]): VerifyJwtCallback;
|
|
6
|
+
export declare function getOid4vciEncryptJwtCallback(agentContext: AgentContext): EncryptJweCallback;
|
|
7
|
+
export declare function getOid4vciDecryptJweCallback(agentContext: AgentContext): DecryptJweCallback;
|
|
5
8
|
export declare function getOid4vciJwtSignCallback(agentContext: AgentContext): SignJwtCallback;
|
|
6
|
-
export declare function
|
|
7
|
-
hash: (data: Uint8Array, alg: import("@
|
|
9
|
+
export declare function getOid4vcCallbacks(agentContext: AgentContext, trustedCertificates?: string[]): {
|
|
10
|
+
hash: (data: Uint8Array, alg: import("@openid4vc/oauth2").HashAlgorithm) => Uint8Array;
|
|
8
11
|
generateRandom: (length: number) => Uint8Array;
|
|
9
12
|
signJwt: SignJwtCallback;
|
|
10
13
|
clientAuthentication: () => void;
|
|
11
14
|
verifyJwt: VerifyJwtCallback;
|
|
12
15
|
fetch: typeof fetch;
|
|
16
|
+
encryptJwe: EncryptJweCallback;
|
|
17
|
+
decryptJwe: DecryptJweCallback;
|
|
18
|
+
};
|
|
19
|
+
export declare function getOid4vpX509Callbacks(agentContext: AgentContext): {
|
|
20
|
+
getX509CertificateMetadata: (certificate: string) => {
|
|
21
|
+
sanDnsNames: string[];
|
|
22
|
+
sanUriNames: string[];
|
|
23
|
+
};
|
|
13
24
|
};
|
|
14
25
|
/**
|
|
15
26
|
* Allows us to authenticate when making requests to an external
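Review bot: The new optional `trustedCertificates?: string[]` parameter on `getOid4vciJwtVerifyCallback` and `getOid4vcCallbacks` has no doc comment, and the declaration does not say which trust anchors apply when it is omitted. It presumably controls which certificate-signed JWTs are accepted, so a JSDoc line such as `@param trustedCertificates certificates accepted as trust anchors; when omitted, <describe fallback>` would help callers avoid an unintended default. The expected encoding of each string is also worth stating. The doc comment at the end of this hunk continues outside it.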
|
|
@@ -1,59 +1,156 @@
|
|
|
1
1
|
"use strict";
|
|
2
2
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
3
3
|
exports.getOid4vciJwtVerifyCallback = getOid4vciJwtVerifyCallback;
|
|
4
|
+
exports.getOid4vciEncryptJwtCallback = getOid4vciEncryptJwtCallback;
|
|
5
|
+
exports.getOid4vciDecryptJweCallback = getOid4vciDecryptJweCallback;
|
|
4
6
|
exports.getOid4vciJwtSignCallback = getOid4vciJwtSignCallback;
|
|
5
|
-
exports.
|
|
7
|
+
exports.getOid4vcCallbacks = getOid4vcCallbacks;
|
|
8
|
+
exports.getOid4vpX509Callbacks = getOid4vpX509Callbacks;
|
|
6
9
|
exports.dynamicOid4vciClientAuthentication = dynamicOid4vciClientAuthentication;
|
|
7
|
-
const oauth2_1 = require("@animo-id/oauth2");
|
|
8
10
|
const core_1 = require("@credo-ts/core");
|
|
11
|
+
const oauth2_1 = require("@openid4vc/oauth2");
|
|
12
|
+
const core_2 = require("@credo-ts/core");
|
|
9
13
|
const utils_1 = require("./utils");
|
|
10
|
-
function getOid4vciJwtVerifyCallback(agentContext) {
|
|
11
|
-
const jwsService = agentContext.dependencyManager.resolve(
|
|
14
|
+
function getOid4vciJwtVerifyCallback(agentContext, trustedCertificates) {
|
|
15
|
+
const jwsService = agentContext.dependencyManager.resolve(core_2.JwsService);
|
|
12
16
|
return async (signer, { compact }) => {
|
|
13
|
-
const { isValid } = await jwsService.verifyJws(agentContext, {
|
|
17
|
+
const { isValid, signerKeys } = await jwsService.verifyJws(agentContext, {
|
|
14
18
|
jws: compact,
|
|
19
|
+
trustedCertificates,
|
|
15
20
|
// Only handles kid as did resolution. JWK is handled by jws service
|
|
16
21
|
jwkResolver: async () => {
|
|
17
22
|
if (signer.method === 'jwk') {
|
|
18
|
-
return (0,
|
|
23
|
+
return (0, core_2.getJwkFromJson)(signer.publicJwk);
|
|
19
24
|
}
|
|
20
25
|
else if (signer.method === 'did') {
|
|
21
26
|
const key = await (0, utils_1.getKeyFromDid)(agentContext, signer.didUrl);
|
|
22
|
-
return (0,
|
|
27
|
+
return (0, core_2.getJwkFromKey)(key);
|
|
23
28
|
}
|
|
24
|
-
throw new
|
|
29
|
+
throw new core_2.CredoError(`Unexpected call to jwk resolver for signer method ${signer.method}`);
|
|
25
30
|
},
|
|
26
31
|
});
|
|
27
|
-
|
|
32
|
+
if (!isValid) {
|
|
33
|
+
return { verified: false, signerJwk: undefined };
|
|
34
|
+
}
|
|
35
|
+
const signerKey = signerKeys[0];
|
|
36
|
+
const signerJwk = (0, core_2.getJwkFromKey)(signerKey).toJson();
|
|
37
|
+
if (signer.method === 'did') {
|
|
38
|
+
signerJwk.kid = signer.didUrl;
|
|
39
|
+
}
|
|
40
|
+
return { verified: true, signerJwk };
|
|
41
|
+
};
|
|
42
|
+
}
|
|
43
|
+
function getOid4vciEncryptJwtCallback(agentContext) {
|
|
44
|
+
return async (jwtEncryptor, compact) => {
|
|
45
|
+
if (jwtEncryptor.method !== 'jwk') {
|
|
46
|
+
throw new core_2.CredoError(`Jwt encryption method '${jwtEncryptor.method}' is not supported for jwt signer. Only 'jwk' is supported.`);
|
|
47
|
+
}
|
|
48
|
+
const jwk = (0, core_2.getJwkFromJson)(jwtEncryptor.publicJwk);
|
|
49
|
+
const key = jwk.key;
|
|
50
|
+
if (jwtEncryptor.alg !== 'ECDH-ES') {
|
|
51
|
+
throw new core_2.CredoError("Only 'ECDH-ES' is supported as 'alg' value for JARM response encryption");
|
|
52
|
+
}
|
|
53
|
+
if (jwtEncryptor.enc !== 'A256GCM') {
|
|
54
|
+
throw new core_2.CredoError("Only 'A256GCM' is supported as 'enc' value for JARM response encryption");
|
|
55
|
+
}
|
|
56
|
+
if (key.keyType !== core_2.KeyType.P256) {
|
|
57
|
+
throw new core_2.CredoError(`Only '${core_2.KeyType.P256}' key type is supported for JARM response encryption`);
|
|
58
|
+
}
|
|
59
|
+
if (!agentContext.wallet.directEncryptCompactJweEcdhEs) {
|
|
60
|
+
throw new core_2.CredoError('Cannot decrypt Jarm Response, wallet does not support directEncryptCompactJweEcdhEs. You need to upgrade your wallet implementation.');
|
|
61
|
+
}
|
|
62
|
+
const jwe = await agentContext.wallet.directEncryptCompactJweEcdhEs({
|
|
63
|
+
data: core_1.Buffer.from(compact),
|
|
64
|
+
recipientKey: key,
|
|
65
|
+
header: { kid: jwtEncryptor.publicJwk.kid },
|
|
66
|
+
encryptionAlgorithm: jwtEncryptor.enc,
|
|
67
|
+
apu: jwtEncryptor.apu ? core_1.TypedArrayEncoder.toBase64URL(core_1.TypedArrayEncoder.fromString(jwtEncryptor.apu)) : undefined,
|
|
68
|
+
apv: jwtEncryptor.apv ? core_1.TypedArrayEncoder.toBase64URL(core_1.TypedArrayEncoder.fromString(jwtEncryptor.apv)) : undefined,
|
|
69
|
+
});
|
|
70
|
+
return { encryptionJwk: jwtEncryptor.publicJwk, jwe };
|
|
71
|
+
};
|
|
72
|
+
}
|
|
73
|
+
function getOid4vciDecryptJweCallback(agentContext) {
|
|
74
|
+
return async (jwe, options) => {
|
|
75
|
+
const [header] = jwe.split('.');
|
|
76
|
+
const decodedHeader = core_2.JsonEncoder.fromBase64(header);
|
|
77
|
+
const key = core_1.Key.fromFingerprint(options?.jwk.kid ?? decodedHeader.kid);
|
|
78
|
+
if (!agentContext.wallet.directDecryptCompactJweEcdhEs) {
|
|
79
|
+
throw new core_2.CredoError('Cannot decrypt Jarm Response, wallet does not support directDecryptCompactJweEcdhEs');
|
|
80
|
+
}
|
|
81
|
+
let decryptedPayload;
|
|
82
|
+
try {
|
|
83
|
+
const decrypted = await agentContext.wallet.directDecryptCompactJweEcdhEs({ compactJwe: jwe, recipientKey: key });
|
|
84
|
+
decryptedPayload = core_1.TypedArrayEncoder.toUtf8String(decrypted.data);
|
|
85
|
+
}
|
|
86
|
+
catch (error) {
|
|
87
|
+
return {
|
|
88
|
+
decrypted: false,
|
|
89
|
+
encryptionJwk: options?.jwk,
|
|
90
|
+
payload: undefined,
|
|
91
|
+
header: decodedHeader,
|
|
92
|
+
};
|
|
93
|
+
}
|
|
94
|
+
return {
|
|
95
|
+
decrypted: true,
|
|
96
|
+
decryptionJwk: (0, core_2.getJwkFromKey)(key).toJson(),
|
|
97
|
+
payload: decryptedPayload,
|
|
98
|
+
header: decodedHeader,
|
|
99
|
+
};
|
|
28
100
|
};
|
|
29
101
|
}
|
|
30
102
|
function getOid4vciJwtSignCallback(agentContext) {
|
|
31
|
-
const jwsService = agentContext.dependencyManager.resolve(
|
|
103
|
+
const jwsService = agentContext.dependencyManager.resolve(core_2.JwsService);
|
|
32
104
|
return async (signer, { payload, header }) => {
|
|
33
|
-
if (signer.method === 'custom' || signer.method === '
|
|
34
|
-
throw new
|
|
105
|
+
if (signer.method === 'custom' || signer.method === 'trustChain') {
|
|
106
|
+
throw new core_2.CredoError(`Jwt signer method 'custom' and 'x5c' are not supported for jwt signer.`);
|
|
35
107
|
}
|
|
36
|
-
|
|
37
|
-
|
|
108
|
+
if (signer.method === 'x5c') {
|
|
109
|
+
const leafCertificate = core_2.X509Service.getLeafCertificate(agentContext, { certificateChain: signer.x5c });
|
|
110
|
+
const jws = await jwsService.createJwsCompact(agentContext, {
|
|
111
|
+
protectedHeaderOptions: { ...header, alg: signer.alg, jwk: undefined },
|
|
112
|
+
payload: core_2.JwtPayload.fromJson(payload),
|
|
113
|
+
key: leafCertificate.publicKey,
|
|
114
|
+
});
|
|
115
|
+
return { jwt: jws, signerJwk: (0, core_2.getJwkFromKey)(leafCertificate.publicKey).toJson() };
|
|
116
|
+
}
|
|
117
|
+
const key = signer.method === 'did' ? await (0, utils_1.getKeyFromDid)(agentContext, signer.didUrl) : (0, core_2.getJwkFromJson)(signer.publicJwk).key;
|
|
118
|
+
const jwk = (0, core_2.getJwkFromKey)(key);
|
|
38
119
|
if (!jwk.supportsSignatureAlgorithm(signer.alg)) {
|
|
39
|
-
throw new
|
|
120
|
+
throw new core_2.CredoError(`key type '${jwk.keyType}', does not support the JWS signature alg '${signer.alg}'`);
|
|
40
121
|
}
|
|
41
122
|
const jwt = await jwsService.createJwsCompact(agentContext, {
|
|
42
|
-
protectedHeaderOptions:
|
|
43
|
-
|
|
123
|
+
protectedHeaderOptions: {
|
|
124
|
+
...header,
|
|
125
|
+
jwk: header.jwk ? (0, core_2.getJwkFromJson)(header.jwk) : undefined,
|
|
126
|
+
},
|
|
127
|
+
payload: core_2.JsonEncoder.toBuffer(payload),
|
|
44
128
|
key,
|
|
45
129
|
});
|
|
46
|
-
return jwt;
|
|
130
|
+
return { jwt, signerJwk: (0, core_2.getJwkFromKey)(key).toJson() };
|
|
47
131
|
};
|
|
48
132
|
}
|
|
49
|
-
function
|
|
133
|
+
function getOid4vcCallbacks(agentContext, trustedCertificates) {
|
|
50
134
|
return {
|
|
51
|
-
hash: (data, alg) =>
|
|
135
|
+
hash: (data, alg) => core_2.Hasher.hash(data, alg.toLowerCase()),
|
|
52
136
|
generateRandom: (length) => agentContext.wallet.getRandomValues(length),
|
|
53
137
|
signJwt: getOid4vciJwtSignCallback(agentContext),
|
|
54
138
|
clientAuthentication: (0, oauth2_1.clientAuthenticationNone)(),
|
|
55
|
-
verifyJwt: getOid4vciJwtVerifyCallback(agentContext),
|
|
139
|
+
verifyJwt: getOid4vciJwtVerifyCallback(agentContext, trustedCertificates),
|
|
56
140
|
fetch: agentContext.config.agentDependencies.fetch,
|
|
141
|
+
encryptJwe: getOid4vciEncryptJwtCallback(agentContext),
|
|
142
|
+
decryptJwe: getOid4vciDecryptJweCallback(agentContext),
|
|
143
|
+
};
|
|
144
|
+
}
|
|
145
|
+
function getOid4vpX509Callbacks(agentContext) {
|
|
146
|
+
return {
|
|
147
|
+
getX509CertificateMetadata: (certificate) => {
|
|
148
|
+
const leafCertificate = core_2.X509Service.getLeafCertificate(agentContext, { certificateChain: [certificate] });
|
|
149
|
+
return {
|
|
150
|
+
sanDnsNames: leafCertificate.sanDnsNames,
|
|
151
|
+
sanUriNames: leafCertificate.sanUriNames,
|
|
152
|
+
};
|
|
153
|
+
},
|
|
57
154
|
};
|
|
58
155
|
}
|
|
59
156
|
/**
|
|
@@ -62,15 +159,14 @@ function getOid4vciCallbacks(agentContext) {
|
|
|
62
159
|
*/
|
|
63
160
|
function dynamicOid4vciClientAuthentication(agentContext, issuerRecord) {
|
|
64
161
|
return (callbackOptions) => {
|
|
65
|
-
|
|
66
|
-
const authorizationServer = (_a = issuerRecord.authorizationServerConfigs) === null || _a === void 0 ? void 0 : _a.find((a) => a.issuer === callbackOptions.authorizationServerMetata.issuer);
|
|
162
|
+
const authorizationServer = issuerRecord.authorizationServerConfigs?.find((a) => a.issuer === callbackOptions.authorizationServerMetata.issuer);
|
|
67
163
|
if (!authorizationServer) {
|
|
68
164
|
// No client authentication if authorization server is not configured
|
|
69
165
|
agentContext.config.logger.debug(`Unknown authorization server '${callbackOptions.authorizationServerMetata.issuer}' for issuer '${issuerRecord.issuerId}' for request to '${callbackOptions.url}'`);
|
|
70
166
|
return;
|
|
71
167
|
}
|
|
72
168
|
if (!authorizationServer.clientAuthentication) {
|
|
73
|
-
throw new
|
|
169
|
+
throw new core_2.CredoError(`Unable to authenticate to authorization server '${authorizationServer.issuer}' for issuer '${issuerRecord.issuerId}' for request to '${callbackOptions.url}'. Make sure to configure a 'clientId' and 'clientSecret' for the authorization server on the issuer record.`);
|
|
74
170
|
}
|
|
75
171
|
return (0, oauth2_1.clientAuthenticationDynamic)({
|
|
76
172
|
clientId: authorizationServer.clientAuthentication.clientId,
|
|
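Review bot: In `dynamicOid4vciClientAuthentication`, the branch taken when no entry in `issuerRecord.authorizationServerConfigs` matches returns without applying any client authentication and reports this only at debug level. Because the lookup is an exact `===` comparison on `issuer`, a configuration mismatch leads to unauthenticated requests that are hard to notice in normal operation. Logging the condition at a higher level would make it visible, e.g. `agentContext.config.logger.warn(...)` with the same message. The check that follows only tests that `clientAuthentication` is present. Whether `clientId` and `clientSecret` are validated as non-empty cannot be seen here, since the function body continues past the end of the hunk.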
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"callbacks.js","sourceRoot":"","sources":["../../src/shared/callbacks.ts"],"names":[],"mappings":";;
|
|
1
|
+
{"version":3,"file":"callbacks.js","sourceRoot":"","sources":["../../src/shared/callbacks.ts"],"names":[],"mappings":";;AA0BA,kEAmCC;AAED,oEAwCC;AAED,oEA+BC;AAED,8DAuCC;AAED,gDAWC;AAED,wDAUC;AAMD,gFA4BC;AArOD,yCAA+D;AAG/D,8CAAyF;AACzF,yCAUuB;AAGvB,mCAAuC;AAEvC,SAAgB,2BAA2B,CACzC,YAA0B,EAC1B,mBAA8B;IAE9B,MAAM,UAAU,GAAG,YAAY,CAAC,iBAAiB,CAAC,OAAO,CAAC,iBAAU,CAAC,CAAA;IAErE,OAAO,KAAK,EAAE,MAAM,EAAE,EAAE,OAAO,EAAE,EAAE,EAAE;QACnC,MAAM,EAAE,OAAO,EAAE,UAAU,EAAE,GAAG,MAAM,UAAU,CAAC,SAAS,CAAC,YAAY,EAAE;YACvE,GAAG,EAAE,OAAO;YACZ,mBAAmB;YACnB,oEAAoE;YACpE,WAAW,EAAE,KAAK,IAAI,EAAE;gBACtB,IAAI,MAAM,CAAC,MAAM,KAAK,KAAK,EAAE,CAAC;oBAC5B,OAAO,IAAA,qBAAc,EAAC,MAAM,CAAC,SAAS,CAAC,CAAA;gBACzC,CAAC;qBAAM,IAAI,MAAM,CAAC,MAAM,KAAK,KAAK,EAAE,CAAC;oBACnC,MAAM,GAAG,GAAG,MAAM,IAAA,qBAAa,EAAC,YAAY,EAAE,MAAM,CAAC,MAAM,CAAC,CAAA;oBAC5D,OAAO,IAAA,oBAAa,EAAC,GAAG,CAAC,CAAA;gBAC3B,CAAC;gBAED,MAAM,IAAI,iBAAU,CAAC,qDAAqD,MAAM,CAAC,MAAM,EAAE,CAAC,CAAA;YAC5F,CAAC;SACF,CAAC,CAAA;QAEF,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,SAAS,EAAE,SAAS,EAAE,CAAA;QAClD,CAAC;QAED,MAAM,SAAS,GAAG,UAAU,CAAC,CAAC,CAAC,CAAA;QAC/B,MAAM,SAAS,GAAG,IAAA,oBAAa,EAAC,SAAS,CAAC,CAAC,MAAM,EAAE,CAAA;QACnD,IAAI,MAAM,CAAC,MAAM,KAAK,KAAK,EAAE,CAAC;YAC5B,SAAS,CAAC,GAAG,GAAG,MAAM,CAAC,MAAM,CAAA;QAC/B,CAAC;QAED,OAAO,EAAE,QAAQ,EAAE,IAAI,EAAE,SAAS,EAAE,CAAA;IACtC,CAAC,CAAA;AACH,CAAC;AAED,SAAgB,4BAA4B,CAAC,YAA0B;IACrE,OAAO,KAAK,EAAE,YAAY,EAAE,OAAO,EAAE,EAAE;QACrC,IAAI,YAAY,CAAC,MAAM,KAAK,KAAK,EAAE,CAAC;YAClC,MAAM,IAAI,iBAAU,CAClB,0BAA0B,YAAY,CAAC,MAAM,6DAA6D,CAC3G,CAAA;QACH,CAAC;QAED,MAAM,GAAG,GAAG,IAAA,qBAAc,EAAC,YAAY,CAAC,SAAS,CAAC,CAAA;QAClD,MAAM,GAAG,GAAG,GAAG,CAAC,GAAG,CAAA;QAEnB,IAAI,YAAY,CAAC,GAAG,KAAK,SAAS,EAAE,CAAC;YACnC,MAAM,IAAI,iBAAU,CAAC,yEAAyE,CAAC,CAAA;QACjG,CAAC;QAED,IAAI,YAAY,CAAC,GAAG,KAAK,SAAS,EAAE,CAAC;YACnC,MAAM,IAAI,iBAAU,CAAC,yEAAyE,CAAC,CAAA;QACjG,CAAC;QAED,IAAI,GAAG,CAAC,OAAO,KAAK,cAAO,CAAC,IAAI,EAAE,CAAC;YACjC,MAAM,IAAI,iBAAU,CAAC,SAAS,cAAO,CAAC,IAAI,sDAAsD,CAAC,CAAA;QACnG,CAAC;QAED,IAAI,CAAC,YAA
Y,CAAC,MAAM,CAAC,6BAA6B,EAAE,CAAC;YACvD,MAAM,IAAI,iBAAU,CAClB,sIAAsI,CACvI,CAAA;QACH,CAAC;QAED,MAAM,GAAG,GAAG,MAAM,YAAY,CAAC,MAAM,CAAC,6BAA6B,CAAC;YAClE,IAAI,EAAE,aAAM,CAAC,IAAI,CAAC,OAAO,CAAC;YAC1B,YAAY,EAAE,GAAG;YACjB,MAAM,EAAE,EAAE,GAAG,EAAE,YAAY,CAAC,SAAS,CAAC,GAAG,EAAE;YAC3C,mBAAmB,EAAE,YAAY,CAAC,GAAG;YACrC,GAAG,EAAE,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC,wBAAiB,CAAC,WAAW,CAAC,wBAAiB,CAAC,UAAU,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS;YACjH,GAAG,EAAE,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC,wBAAiB,CAAC,WAAW,CAAC,wBAAiB,CAAC,UAAU,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS;SAClH,CAAC,CAAA;QAEF,OAAO,EAAE,aAAa,EAAE,YAAY,CAAC,SAAS,EAAE,GAAG,EAAE,CAAA;IACvD,CAAC,CAAA;AACH,CAAC;AAED,SAAgB,4BAA4B,CAAC,YAA0B;IACrE,OAAO,KAAK,EAAE,GAAG,EAAE,OAAO,EAAE,EAAE;QAC5B,MAAM,CAAC,MAAM,CAAC,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;QAC/B,MAAM,aAAa,GAAG,kBAAW,CAAC,UAAU,CAAC,MAAM,CAAC,CAAA;QAEpD,MAAM,GAAG,GAAG,UAAG,CAAC,eAAe,CAAC,OAAO,EAAE,GAAG,CAAC,GAAG,IAAI,aAAa,CAAC,GAAG,CAAC,CAAA;QACtE,IAAI,CAAC,YAAY,CAAC,MAAM,CAAC,6BAA6B,EAAE,CAAC;YACvD,MAAM,IAAI,iBAAU,CAAC,qFAAqF,CAAC,CAAA;QAC7G,CAAC;QAED,IAAI,gBAAwB,CAAA;QAE5B,IAAI,CAAC;YACH,MAAM,SAAS,GAAG,MAAM,YAAY,CAAC,MAAM,CAAC,6BAA6B,CAAC,EAAE,UAAU,EAAE,GAAG,EAAE,YAAY,EAAE,GAAG,EAAE,CAAC,CAAA;YACjH,gBAAgB,GAAG,wBAAiB,CAAC,YAAY,CAAC,SAAS,CAAC,IAAI,CAAC,CAAA;QACnE,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO;gBACL,SAAS,EAAE,KAAK;gBAChB,aAAa,EAAE,OAAO,EAAE,GAAG;gBAC3B,OAAO,EAAE,SAAS;gBAClB,MAAM,EAAE,aAAa;aACtB,CAAA;QACH,CAAC;QAED,OAAO;YACL,SAAS,EAAE,IAAI;YACf,aAAa,EAAE,IAAA,oBAAa,EAAC,GAAG,CAAC,CAAC,MAAM,EAAE;YAC1C,OAAO,EAAE,gBAAgB;YACzB,MAAM,EAAE,aAAa;SACtB,CAAA;IACH,CAAC,CAAA;AACH,CAAC;AAED,SAAgB,yBAAyB,CAAC,YAA0B;IAClE,MAAM,UAAU,GAAG,YAAY,CAAC,iBAAiB,CAAC,OAAO,CAAC,iBAAU,CAAC,CAAA;IAErE,OAAO,KAAK,EAAE,MAAM,EAAE,EAAE,OAAO,EAAE,MAAM,EAAE,EAAE,EAAE;QAC3C,IAAI,MAAM,CAAC,MAAM,KAAK,QAAQ,IAAI,MAAM,CAAC,MAAM,KAAK,YAAY,EAAE,CAAC;YACjE,MAAM,IAAI,iBAAU,CAAC,wEAAwE,CAAC,CAAA;QAChG,CAAC;QAED,IAAI,MAAM,CAAC,MAAM,KAAK,KAAK,EAAE,CAAC;YAC5B,MAAM,eAAe,GAAG,kBAAW,CAAC,k
BAAkB,CAAC,YAAY,EAAE,EAAE,gBAAgB,EAAE,MAAM,CAAC,GAAG,EAAE,CAAC,CAAA;YAEtG,MAAM,GAAG,GAAG,MAAM,UAAU,CAAC,gBAAgB,CAAC,YAAY,EAAE;gBAC1D,sBAAsB,EAAE,EAAE,GAAG,MAAM,EAAE,GAAG,EAAE,MAAM,CAAC,GAAG,EAAE,GAAG,EAAE,SAAS,EAAE;gBACtE,OAAO,EAAE,iBAAU,CAAC,QAAQ,CAAC,OAAO,CAAC;gBACrC,GAAG,EAAE,eAAe,CAAC,SAAS;aAC/B,CAAC,CAAA;YAEF,OAAO,EAAE,GAAG,EAAE,GAAG,EAAE,SAAS,EAAE,IAAA,oBAAa,EAAC,eAAe,CAAC,SAAS,CAAC,CAAC,MAAM,EAAE,EAAE,CAAA;QACnF,CAAC;QAED,MAAM,GAAG,GACP,MAAM,CAAC,MAAM,KAAK,KAAK,CAAC,CAAC,CAAC,MAAM,IAAA,qBAAa,EAAC,YAAY,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,IAAA,qBAAc,EAAC,MAAM,CAAC,SAAS,CAAC,CAAC,GAAG,CAAA;QACnH,MAAM,GAAG,GAAG,IAAA,oBAAa,EAAC,GAAG,CAAC,CAAA;QAE9B,IAAI,CAAC,GAAG,CAAC,0BAA0B,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC;YAChD,MAAM,IAAI,iBAAU,CAAC,aAAa,GAAG,CAAC,OAAO,8CAA8C,MAAM,CAAC,GAAG,GAAG,CAAC,CAAA;QAC3G,CAAC;QAED,MAAM,GAAG,GAAG,MAAM,UAAU,CAAC,gBAAgB,CAAC,YAAY,EAAE;YAC1D,sBAAsB,EAAE;gBACtB,GAAG,MAAM;gBACT,GAAG,EAAE,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,IAAA,qBAAc,EAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,SAAS;aACzD;YACD,OAAO,EAAE,kBAAW,CAAC,QAAQ,CAAC,OAAO,CAAC;YACtC,GAAG;SACJ,CAAC,CAAA;QAEF,OAAO,EAAE,GAAG,EAAE,SAAS,EAAE,IAAA,oBAAa,EAAC,GAAG,CAAC,CAAC,MAAM,EAAE,EAAE,CAAA;IACxD,CAAC,CAAA;AACH,CAAC;AAED,SAAgB,kBAAkB,CAAC,YAA0B,EAAE,mBAA8B;IAC3F,OAAO;QACL,IAAI,EAAE,CAAC,IAAI,EAAE,GAAG,EAAE,EAAE,CAAC,aAAM,CAAC,IAAI,CAAC,IAAI,EAAE,GAAG,CAAC,WAAW,EAAE,CAAC;QACzD,cAAc,EAAE,CAAC,MAAM,EAAE,EAAE,CAAC,YAAY,CAAC,MAAM,CAAC,eAAe,CAAC,MAAM,CAAC;QACvE,OAAO,EAAE,yBAAyB,CAAC,YAAY,CAAC;QAChD,oBAAoB,EAAE,IAAA,iCAAwB,GAAE;QAChD,SAAS,EAAE,2BAA2B,CAAC,YAAY,EAAE,mBAAmB,CAAC;QACzE,KAAK,EAAE,YAAY,CAAC,MAAM,CAAC,iBAAiB,CAAC,KAAK;QAClD,UAAU,EAAE,4BAA4B,CAAC,YAAY,CAAC;QACtD,UAAU,EAAE,4BAA4B,CAAC,YAAY,CAAC;KACpB,CAAA;AACtC,CAAC;AAED,SAAgB,sBAAsB,CAAC,YAA0B;IAC/D,OAAO;QACL,0BAA0B,EAAE,CAAC,WAAmB,EAAE,EAAE;YAClD,MAAM,eAAe,GAAG,kBAAW,CAAC,kBAAkB,CAAC,YAAY,EAAE,EAAE,gBAAgB,EAAE,CAAC,WAAW,CAAC,EAAE,CAAC,CAAA;YACzG,OAAO;gBACL,WAAW,EAAE,eAAe,CAAC,WAAW;gBACxC,WAAW,EAAE,eAAe,CAAC,WAAW;aACzC,CAAA;QACH,CAAC;KACF,CAAA;
AACH,CAAC;AAED;;;GAGG;AACH,SAAgB,kCAAkC,CAChD,YAA0B,EAC1B,YAAmC;IAEnC,OAAO,CAAC,eAAe,EAAE,EAAE;QACzB,MAAM,mBAAmB,GAAG,YAAY,CAAC,0BAA0B,EAAE,IAAI,CACvE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,eAAe,CAAC,yBAAyB,CAAC,MAAM,CACrE,CAAA;QAED,IAAI,CAAC,mBAAmB,EAAE,CAAC;YACzB,qEAAqE;YACrE,YAAY,CAAC,MAAM,CAAC,MAAM,CAAC,KAAK,CAC9B,iCAAiC,eAAe,CAAC,yBAAyB,CAAC,MAAM,iBAAiB,YAAY,CAAC,QAAQ,qBAAqB,eAAe,CAAC,GAAG,GAAG,CACnK,CAAA;YACD,OAAM;QACR,CAAC;QAED,IAAI,CAAC,mBAAmB,CAAC,oBAAoB,EAAE,CAAC;YAC9C,MAAM,IAAI,iBAAU,CAClB,mDAAmD,mBAAmB,CAAC,MAAM,iBAAiB,YAAY,CAAC,QAAQ,qBAAqB,eAAe,CAAC,GAAG,8GAA8G,CAC1Q,CAAA;QACH,CAAC;QAED,OAAO,IAAA,oCAA2B,EAAC;YACjC,QAAQ,EAAE,mBAAmB,CAAC,oBAAoB,CAAC,QAAQ;YAC3D,YAAY,EAAE,mBAAmB,CAAC,oBAAoB,CAAC,YAAY;SACpE,CAAC,CAAC,eAAe,CAAC,CAAA;IACrB,CAAC,CAAA;AACH,CAAC"}
|