npm - @credo-ts/openid4vc - Versions diffs - 0.6.0-pr-2134-20241217213340 → 0.6.0-pr-2195-20250217170804 - Mend

@credo-ts/openid4vc 0.6.0-pr-2134-20241217213340 → 0.6.0-pr-2195-20250217170804

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (85) hide show

package/build/openid4vc-verifier/OpenId4VcSiopVerifierService.js CHANGED Viewed

@@ -11,24 +11,26 @@ var __metadata = (this && this.__metadata) || function (k, v) {
 var __param = (this && this.__param) || function (paramIndex, decorator) {
     return function (target, key) { decorator(target, key, paramIndex); }
 };
+var OpenId4VcSiopVerifierService_1;
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.OpenId4VcSiopVerifierService = void 0;
+const oid4vp_1 = require("@openid4vc/oid4vp");
 const core_1 = require("@credo-ts/core");
 const did_auth_siop_1 = require("@sphereon/did-auth-siop");
 const OpenID4VP_1 = require("@sphereon/did-auth-siop/dist/authorization-response/OpenID4VP");
-const rxjs_1 = require("rxjs");
 const router_1 = require("../shared/router");
-const transform_1 = require("../shared/transform");
 const utils_1 = require("../shared/utils");
+const callbacks_1 = require("../shared/callbacks");
 const OpenId4VcVerificationSessionState_1 = require("./OpenId4VcVerificationSessionState");
 const OpenId4VcVerifierModuleConfig_1 = require("./OpenId4VcVerifierModuleConfig");
 const repository_1 = require("./repository");
 const OpenId4VcRelyingPartyEventEmitter_1 = require("./repository/OpenId4VcRelyingPartyEventEmitter");
-const OpenId4VcRelyingPartySessionManager_1 = require("./repository/OpenId4VcRelyingPartySessionManager");
+const oauth2_1 = require("@openid4vc/oauth2");
+const oid4vp_2 = require("@openid4vc/oid4vp");
 /**
  * @internal
  */
-let OpenId4VcSiopVerifierService = class OpenId4VcSiopVerifierService {
+let OpenId4VcSiopVerifierService = OpenId4VcSiopVerifierService_1 = class OpenId4VcSiopVerifierService {
     constructor(logger, w3cCredentialService, openId4VcVerifierRepository, config, openId4VcVerificationSessionRepository) {
         this.logger = logger;
         this.w3cCredentialService = w3cCredentialService;
@@ -36,8 +38,12 @@ let OpenId4VcSiopVerifierService = class OpenId4VcSiopVerifierService {
         this.config = config;
         this.openId4VcVerificationSessionRepository = openId4VcVerificationSessionRepository;
     }
+    getOpenid4vpVerifier(agentContext) {
+        const callbacks = (0, callbacks_1.getOid4vcCallbacks)(agentContext);
+        const openid4vpClient = new oid4vp_1.Oid4vcVerifier({ callbacks });
+        return openid4vpClient;
+    }
     async createAuthorizationRequest(agentContext, options) {
-        var _a;
         const nonce = await agentContext.wallet.generateNonce();
         const state = await agentContext.wallet.generateNonce();
         // Correlation id will be the id of the verification session record
@@ -47,7 +53,10 @@ let OpenId4VcSiopVerifierService = class OpenId4VcSiopVerifierService {
             this.config.authorizationEndpoint.endpointPath,
         ]);
         const jwtIssuer = options.requestSigner.method === 'x5c'
-            ? await (0, utils_1.openIdTokenIssuerToJwtIssuer)(agentContext, Object.assign(Object.assign({}, options.requestSigner), { issuer: authorizationResponseUrl }))
+            ? await (0, utils_1.openIdTokenIssuerToJwtIssuer)(agentContext, {
+                ...options.requestSigner,
+                issuer: authorizationResponseUrl,
+            })
             : await (0, utils_1.openIdTokenIssuerToJwtIssuer)(agentContext, options.requestSigner);
         let clientIdScheme;
         let clientId;
@@ -77,13 +86,6 @@ let OpenId4VcSiopVerifierService = class OpenId4VcSiopVerifierService {
         else {
             throw new core_1.CredoError(`Unsupported jwt issuer method '${options.requestSigner.method}'. Only 'did' and 'x5c' are supported.`);
         }
-        const relyingParty = await this.getRelyingParty(agentContext, options.verifier, {
-            presentationDefinition: (_a = options.presentationExchange) === null || _a === void 0 ? void 0 : _a.definition,
-            authorizationResponseUrl,
-            clientId,
-            clientIdScheme,
-            responseMode: options.responseMode,
-        });
         // We always use shortened URIs currently
         const hostedAuthorizationRequestUri = (0, core_1.joinUriParts)(this.config.baseUrl, [
             options.verifier.verifierId,
@@ -91,147 +93,312 @@ let OpenId4VcSiopVerifierService = class OpenId4VcSiopVerifierService {
             // It doesn't really matter what the url is, as long as it's unique
             core_1.utils.uuid(),
         ]);
-        // This is very unfortunate, but storing state in sphereon's SiOP-OID4VP library
-        // is done async, so we can't be certain yet that the verification session record
-        // is created already when we have created the authorization request. So we need to
-        // wait for a short while before we can be certain that the verification session record
-        // is created. To not use arbitrary timeouts, we wait for the specific RecordSavedEvent
-        // that is emitted when the verification session record is created.
-        const eventEmitter = agentContext.dependencyManager.resolve(core_1.EventEmitter);
-        const verificationSessionCreatedPromise = (0, rxjs_1.firstValueFrom)(eventEmitter
-            .observable(core_1.RepositoryEventTypes.RecordSaved)
-            .pipe((0, rxjs_1.filter)((e) => e.metadata.contextCorrelationId === agentContext.contextCorrelationId), (0, rxjs_1.filter)((e) => e.payload.record.id === correlationId && e.payload.record.verifierId === options.verifier.verifierId), (0, rxjs_1.first)(), (0, rxjs_1.timeout)({
-            first: 10000,
-            meta: 'OpenId4VcSiopVerifierService.createAuthorizationRequest',
-        }), (0, rxjs_1.map)((e) => e.payload.record)));
-        const authorizationRequest = await relyingParty.createAuthorizationRequest({
+        const transaction_data = (options.dcql?.transactionData ?? options.presentationExchange?.transactionData)?.map((tdEntry) => core_1.JsonEncoder.toBase64URL(tdEntry)) ?? undefined;
+        const client_id = clientIdScheme === 'did' || clientIdScheme === 'https' ? clientId : `${clientIdScheme}:${clientId}`;
+        const client_metadata = {
+            ...(await this.getClientMetadata(agentContext, {
+                responseMode: options.responseMode ?? 'direct_post',
+                verifier: options.verifier,
+                clientId,
+                authorizationResponseUrl,
+            })),
+        };
+        const openid4vpVerifier = this.getOpenid4vpVerifier(agentContext);
+        const authorizationRequest = await openid4vpVerifier.createOpenId4vpAuthorizationRequest({
+            jar: { jwtSigner: jwtIssuer, requestUri: hostedAuthorizationRequestUri },
+            requestParams: {
+                client_id,
+                nonce,
+                state,
+                presentation_definition: options.presentationExchange?.definition,
+                dcql_query: options.dcql?.query,
+                transaction_data,
+                response_uri: authorizationResponseUrl,
+                response_mode: options.responseMode ?? 'direct_post',
+                response_type: 'vp_token',
+                client_metadata,
+                expected_origins: options.expectedOrigins,
+            },
+        });
+        const verificationSession = await agentContext.dependencyManager
+            .resolve(OpenId4VcRelyingPartyEventEmitter_1.OpenId4VcRelyingPartyEventHandler)
+            .authorizationRequestCreatedSuccess(agentContext, {
+            verifierId: options.verifier.verifierId,
             correlationId,
-            nonce,
-            state,
-            requestByReferenceURI: hostedAuthorizationRequestUri,
-            jwtIssuer,
+            authorizationRequestJwt: authorizationRequest.jar?.requestObjectJwt,
+            authorizationRequestUri: authorizationRequest.jar?.requestUri,
         });
-        // NOTE: it's not possible to set the uri scheme when using the RP to create an auth request, only lower level
-        // functions allow this. So we need to replace the uri scheme manually.
-        let authorizationRequestUri = (await authorizationRequest.uri()).encodedUri;
-        if (options.presentationExchange && !options.idToken) {
-            authorizationRequestUri = authorizationRequestUri.replace('openid://', 'openid4vp://');
+        return {
+            authorizationRequest: authorizationRequest.authRequest,
+            verificationSession,
+        };
+    }
+    getDcqlVerifiedResponse(agentContext, _dcqlQuery, presentation) {
+        const dcqlService = agentContext.dependencyManager.resolve(core_1.DcqlService);
+        const dcqlQuery = dcqlService.validateDcqlQuery(_dcqlQuery);
+        const dcqlPresentationEntries = Object.entries(presentation);
+        const dcqlPresentation = Object.fromEntries(dcqlPresentationEntries.map((presentation) => {
+            const [credentialId, vpTokenPresentationParseResult] = presentation;
+            return [credentialId, this.decodePresentation(agentContext, { vpTokenPresentationParseResult })];
+        }));
+        const dcqlPresentationResult = dcqlService.assertValidDcqlPresentation(dcqlPresentation, dcqlQuery);
+        if (dcqlPresentationResult.canBeSatisfied) {
+            throw new core_1.CredoError('The dcql query cannot be satisfied.');
         }
-        else {
-            authorizationRequestUri = authorizationRequestUri.replace('openid4vp://', 'openid://');
+        return {
+            query: dcqlQuery,
+            presentation: dcqlPresentation,
+            presentationResult: dcqlPresentationResult,
+        };
+    }
+    async parseAuthorizationResponse(agentContext, options) {
+        const { verifierId, responsePayload } = options;
+        let verificationSession;
+        let parsedAuthResponse;
+        let rawResponsePayload = responsePayload;
+        try {
+            parsedAuthResponse = await (0, oid4vp_1.parseOpenid4vpAuthorizationResponse)({
+                responsePayload,
+                callbacks: {
+                    ...(0, callbacks_1.getOid4vcCallbacks)(agentContext),
+                    getOpenid4vpAuthorizationRequest: async (responsePayload) => {
+                        const { state, nonce } = responsePayload;
+                        rawResponsePayload = responsePayload;
+                        const openId4VcVerifierService = agentContext.dependencyManager.resolve(OpenId4VcSiopVerifierService_1);
+                        const session = await openId4VcVerifierService.findVerificationSessionForAuthorizationResponse(agentContext, { authorizationResponseParams: { state, nonce }, verifierId });
+                        if (!session) {
+                            agentContext.config.logger.warn(`No verification session found for incoming authorization response for verifier ${verifierId}`);
+                            throw new core_1.CredoError(`No state or nonce provided in authorization response for verifier ${verifierId}`);
+                        }
+                        verificationSession = session;
+                        const authorizationRequest = (0, oid4vp_1.parseOpenid4vpAuthorizationRequestPayload)({ requestPayload: verificationSession.authorizationRequestJwt });
+                        if (authorizationRequest.type !== 'openid4vp') {
+                            throw new core_1.CredoError(`Invalid authorization request jwt. Expected 'openid4vp' request, received '${authorizationRequest.type}'.`);
+                        }
+                        return { authRequest: authorizationRequest.params };
+                    },
+                },
+            });
+        }
+        catch (error) {
+            if (options.setResponseState &&
+                verificationSession &&
+                (verificationSession.state === OpenId4VcVerificationSessionState_1.OpenId4VcVerificationSessionState.RequestUriRetrieved ||
+                    verificationSession.state === OpenId4VcVerificationSessionState_1.OpenId4VcVerificationSessionState.RequestCreated)) {
+                const parsed = oid4vp_2.zOpenid4vpAuthorizationResponse.safeParse(rawResponsePayload);
+                if (!parsed.success)
+                    throw new error;
+                await agentContext.dependencyManager
+                    .resolve(OpenId4VcRelyingPartyEventEmitter_1.OpenId4VcRelyingPartyEventHandler)
+                    .authorizationResponseReceivedFailed(agentContext, {
+                    verifierId,
+                    correlationId: verificationSession.id,
+                    authorizationResponsePayload: parsed.data,
+                    errorMessage: error.message,
+                });
+            }
+            throw error;
+        }
+        if (parsedAuthResponse.authResponsePayload.presentation_submission &&
+            typeof parsedAuthResponse.authResponsePayload.presentation_submission === 'string') {
+            const decoded = decodeURIComponent(parsedAuthResponse.authResponsePayload.presentation_submission);
+            const parsed = JSON.parse(decoded);
+            parsedAuthResponse.authResponsePayload.presentation_submission = parsed;
+            if (parsedAuthResponse.type === 'pex') {
+                parsedAuthResponse.pex.presentationSubmission = parsed;
+            }
+        }
+        if (!verificationSession) {
+            throw new core_1.CredoError('Missing verification session, cannot verify authorization response.');
+        }
+        if (parsedAuthResponse.jarm && parsedAuthResponse.jarm.type !== 'encrypted') {
+            throw new oauth2_1.Oauth2ServerErrorResponseError({
+                error: oauth2_1.Oauth2ErrorCodes.InvalidRequest,
+                error_description: `Only encrypted JARM responses are supported, received '${parsedAuthResponse.jarm.type}'.`,
+            });
         }
-        const verificationSession = await verificationSessionCreatedPromise;
         return {
-            authorizationRequest: authorizationRequestUri,
+            ...parsedAuthResponse,
             verificationSession,
         };
     }
     async verifyAuthorizationResponse(agentContext, options) {
-        var _a, _b;
-        // Assert state
-        options.verificationSession.assertState([
+        const openid4vpVerifier = this.getOpenid4vpVerifier(agentContext);
+        const openId4VcRelyingPartyEventHandler = await agentContext.dependencyManager.resolve(OpenId4VcRelyingPartyEventEmitter_1.OpenId4VcRelyingPartyEventHandler);
+        const result = await this.parseAuthorizationResponse(agentContext, {
+            verifierId: options.verifierId,
+            responsePayload: options.authorizationResponse,
+            setResponseState: true,
+        });
+        result.verificationSession.assertState([
             OpenId4VcVerificationSessionState_1.OpenId4VcVerificationSessionState.RequestUriRetrieved,
             OpenId4VcVerificationSessionState_1.OpenId4VcVerificationSessionState.RequestCreated,
         ]);
-        const authorizationRequest = await did_auth_siop_1.AuthorizationRequest.fromUriOrJwt(options.verificationSession.authorizationRequestJwt);
-        const verifier = await this.getVerifierByVerifierId(agentContext, options.verificationSession.verifierId);
-        const requestClientId = await authorizationRequest.getMergedProperty('client_id');
-        const requestNonce = await authorizationRequest.getMergedProperty('nonce');
-        const requestState = await authorizationRequest.getMergedProperty('state');
-        const responseUri = await authorizationRequest.getMergedProperty('response_uri');
-        const presentationDefinitionsWithLocation = await authorizationRequest.getPresentationDefinitions();
-        if (!requestNonce || !requestClientId || !requestState) {
-            throw new core_1.CredoError(`Unable to find nonce, state, or client_id in authorization request for verification session '${options.verificationSession.id}'`);
-        }
-        const authorizationResponseUrl = (0, core_1.joinUriParts)(this.config.baseUrl, [
-            options.verificationSession.verifierId,
-            this.config.authorizationEndpoint.endpointPath,
-        ]);
-        const relyingParty = await this.getRelyingParty(agentContext, verifier, {
-            presentationDefinition: (_a = presentationDefinitionsWithLocation === null || presentationDefinitionsWithLocation === void 0 ? void 0 : presentationDefinitionsWithLocation[0]) === null || _a === void 0 ? void 0 : _a.definition,
-            authorizationResponseUrl,
-            clientId: requestClientId,
-        });
-        // This is very unfortunate, but storing state in sphereon's SiOP-OID4VP library
-        // is done async, so we can't be certain yet that the verification session record
-        // is updated already when we have verified the authorization response. So we need to
-        // wait for a short while before we can be certain that the verification session record
-        // is updated. To not use arbitrary timeouts, we wait for the specific RecordUpdatedEvent
-        // that is emitted when the verification session record is updated.
-        const eventEmitter = agentContext.dependencyManager.resolve(core_1.EventEmitter);
-        const verificationSessionUpdatedPromise = (0, rxjs_1.firstValueFrom)(eventEmitter
-            .observable(core_1.RepositoryEventTypes.RecordUpdated)
-            .pipe((0, rxjs_1.filter)((e) => e.metadata.contextCorrelationId === agentContext.contextCorrelationId), (0, rxjs_1.filter)((e) => e.payload.record.id === options.verificationSession.id &&
-            e.payload.record.verifierId === options.verificationSession.verifierId &&
-            (e.payload.record.state === OpenId4VcVerificationSessionState_1.OpenId4VcVerificationSessionState.ResponseVerified ||
-                e.payload.record.state === OpenId4VcVerificationSessionState_1.OpenId4VcVerificationSessionState.Error)), (0, rxjs_1.first)(), (0, rxjs_1.timeout)({
-            first: 10000,
-            meta: 'OpenId4VcSiopVerifierService.verifyAuthorizationResponse',
-        }), (0, rxjs_1.map)((e) => e.payload.record)));
-        await relyingParty.verifyAuthorizationResponse(options.authorizationResponse, {
-            audience: requestClientId,
-            correlationId: options.verificationSession.id,
-            state: requestState,
-            presentationDefinitions: presentationDefinitionsWithLocation,
-            verification: {
-                presentationVerificationCallback: this.getPresentationVerificationCallback(agentContext, {
-                    correlationId: options.verificationSession.id,
+        const authorizationRequest = result.authRequestPayload;
+        const { client_id: requestClientId, nonce: requestNonce, response_uri: responseUri } = authorizationRequest;
+        const transactionData = authorizationRequest.transaction_data
+            ? openid4vpVerifier.parseTransactionData({ transactionData: authorizationRequest.transaction_data })
+            : undefined;
+        // validating the id token
+        // verifying the presentations
+        // validating the presentations against the presentation definition
+        // checking the revocation status of the presentations
+        // checking the nonce of the presentations matches the nonce of the request
+        let presentationVerificationResults = [];
+        if (result.type === 'dcql') {
+            const dcqlPresentationEntries = Object.entries(result.dcql.presentation);
+            const presentationVerificationPromises = dcqlPresentationEntries.map(async (presentation) => {
+                const [credentialId, vpTokenPresentationParseResult] = presentation;
+                return await this.verifyPresentations(agentContext, {
+                    correlationId: result.verificationSession.id,
+                    transactionData,
                     nonce: requestNonce,
                     audience: requestClientId,
                     responseUri,
-                    mdocGeneratedNonce: ((_b = options.jarmHeader) === null || _b === void 0 ? void 0 : _b.apu)
-                        ? core_1.TypedArrayEncoder.toUtf8String(core_1.TypedArrayEncoder.fromBase64(options.jarmHeader.apu))
-                        : undefined,
-                }),
-            },
+                    mdocGeneratedNonce: result.jarm?.mdocGeneratedNonce,
+                    verificationSessionRecordId: result.verificationSession.id,
+                    vpTokenPresentationParseResult,
+                    credentialId,
+                });
+            });
+            presentationVerificationResults = await Promise.all(presentationVerificationPromises);
+        }
+        if (result.type === 'pex') {
+            const presentations = result.pex.presentations;
+            const pex = agentContext.dependencyManager.resolve(core_1.DifPresentationExchangeService);
+            pex.validatePresentationDefinition(result.pex.presentationDefinition);
+            pex.validatePresentationSubmission(result.pex.presentationSubmission);
+            // This should be provided by pex-light!
+            // It must check if the presentations match the presentation definition
+            (0, OpenID4VP_1.assertValidVerifiablePresentations)({
+                presentationDefinitions: [
+                    {
+                        definition: result.pex.presentationDefinition,
+                        location: did_auth_siop_1.PresentationDefinitionLocation.TOPLEVEL_PRESENTATION_DEF,
+                    },
+                ],
+                verificationCallback: async () => ({ verified: true }),
+                presentations: result.authResponsePayload.vp_token
+                    ? await (0, OpenID4VP_1.extractPresentationsFromVpToken)((0, utils_1.parseIfJson)(result.authResponsePayload.vp_token), {
+                        hasher: core_1.Hasher.hash,
+                    })
+                    : [],
+                opts: {
+                    hasher: core_1.Hasher.hash,
+                    presentationSubmission: result.pex.presentationSubmission,
+                },
+            });
+            const presentationVerificationPromises = (Array.isArray(presentations) ? presentations : [presentations]).map((presentation) => {
+                const inputDescriptor = result.pex.presentationSubmission.descriptor_map.find((descriptorMapEntry) => descriptorMapEntry.path === presentation.path);
+                if (!inputDescriptor) {
+                    throw new core_1.CredoError(`Could not map transaction data entry to input descriptor.`);
+                }
+                return this.verifyPresentations(agentContext, {
+                    correlationId: result.verificationSession.id,
+                    transactionData,
+                    nonce: requestNonce,
+                    audience: requestClientId,
+                    responseUri,
+                    mdocGeneratedNonce: result.jarm?.mdocGeneratedNonce,
+                    verificationSessionRecordId: result.verificationSession.id,
+                    vpTokenPresentationParseResult: presentation,
+                    credentialId: inputDescriptor.id,
+                });
+            });
+            presentationVerificationResults = await Promise.all(presentationVerificationPromises);
+        }
+        try {
+            if (presentationVerificationResults.some((result) => !result.verified)) {
+                throw new core_1.CredoError('One or more presentations failed verification.');
+            }
+            const transactionDataMeta = [];
+            for (const result of presentationVerificationResults) {
+                if (result.verified && result.transactionDataMeta) {
+                    transactionDataMeta.push([result.transactionDataMeta.credentialId, result.transactionDataMeta]);
+                }
+            }
+            if (transactionData) {
+                const inputDescriptorToTransactionDataMeta = Object.fromEntries(transactionDataMeta);
+                if (!transactionData.every((tdEntry) => {
+                    return tdEntry.credential_ids.some((credentialId) => inputDescriptorToTransactionDataMeta[credentialId]);
+                })) {
+                    throw new core_1.CredoError('One ore more required transaction data entries were not found in the signed transaction data.');
+                }
+            }
+        }
+        catch (error) {
+            await openId4VcRelyingPartyEventHandler.authorizationResponseVerifiedFailed(agentContext, {
+                verifierId: options.verifierId,
+                correlationId: result.verificationSession.id,
+                errorMessage: error.message,
+            });
+            throw error;
+        }
+        await openId4VcRelyingPartyEventHandler.authorizationResponseVerifiedSuccess(agentContext, {
+            verifierId: options.verifierId,
+            correlationId: result.verificationSession.id,
+            authorizationResponsePayload: result.authResponsePayload,
         });
-        const verificationSession = await verificationSessionUpdatedPromise;
-        const verifiedAuthorizationResponse = await this.getVerifiedAuthorizationResponse(verificationSession);
-        return Object.assign(Object.assign({}, verifiedAuthorizationResponse), { verificationSession: await verificationSessionUpdatedPromise });
+        const verificationSession = await this.getVerificationSessionById(agentContext, result.verificationSession.id);
+        const verifiedAuthorizationResponse = await this.getVerifiedAuthorizationResponse(agentContext, verificationSession);
+        return { ...verifiedAuthorizationResponse, verificationSession, transactionData };
     }
-    async getVerifiedAuthorizationResponse(verificationSession) {
-        var _a, _b, _c, _d;
+    async getVerifiedAuthorizationResponse(agentContext, verificationSession) {
         verificationSession.assertState(OpenId4VcVerificationSessionState_1.OpenId4VcVerificationSessionState.ResponseVerified);
         if (!verificationSession.authorizationResponsePayload) {
             throw new core_1.CredoError('No authorization response payload found in the verification session.');
         }
-        const authorizationResponse = await did_auth_siop_1.AuthorizationResponse.fromPayload(verificationSession.authorizationResponsePayload);
-        const authorizationRequest = await did_auth_siop_1.AuthorizationRequest.fromUriOrJwt(verificationSession.authorizationRequestJwt);
-        const idToken = authorizationResponse.idToken
-            ? { payload: await ((_a = authorizationResponse.idToken) === null || _a === void 0 ? void 0 : _a.payload()) }
+        const openid4vpAuthorizationResponsePayload = (0, oid4vp_1.isOpenid4vpAuthorizationResponseDcApi)(verificationSession.authorizationResponsePayload)
+            ? verificationSession.authorizationResponsePayload.data
+            : verificationSession.authorizationResponsePayload;
+        const idToken = openid4vpAuthorizationResponsePayload.id_token;
+        const idTokenPayload = idToken ? core_1.Jwt.fromSerializedJwt(idToken).payload : undefined;
+        const openid4vpVerifier = this.getOpenid4vpVerifier(agentContext);
+        const authorizationRequest = openid4vpVerifier.parseOpenid4vpAuthorizationRequestPayload({
+            requestPayload: verificationSession.authorizationRequestJwt,
+        });
+        if (authorizationRequest.provided !== 'jwt' || authorizationRequest.type === 'jar') {
+            throw new core_1.CredoError('Invalid authorization request jwt');
+        }
+        const result = openid4vpVerifier.validateOpenid4vpAuthorizationResponse({
+            authorizationRequest: authorizationRequest.params,
+            authorizationResponse: openid4vpAuthorizationResponsePayload,
+        });
+        const transactionData = authorizationRequest.params.transaction_data
+            ? openid4vpVerifier.parseTransactionData({ transactionData: authorizationRequest.params.transaction_data })
             : undefined;
         let presentationExchange = undefined;
-        const presentationDefinitions = await authorizationRequest.getPresentationDefinitions();
-        if (presentationDefinitions && presentationDefinitions.length > 0) {
-            const rawPresentations = authorizationResponse.payload.vp_token
-                ? await (0, OpenID4VP_1.extractPresentationsFromVpToken)(authorizationResponse.payload.vp_token, {
-                    hasher: core_1.Hasher.hash,
-                })
-                : [];
-            // TODO: Probably wise to check against request for the location of the submission_data
-            const submission = (_d = (_c = (_b = idToken === null || idToken === void 0 ? void 0 : idToken.payload) === null || _b === void 0 ? void 0 : _b._vp_token) === null || _c === void 0 ? void 0 : _c.presentation_submission) !== null && _d !== void 0 ? _d : authorizationResponse.payload.presentation_submission;
+        let dcql = result.type === 'dcql'
+            ? this.getDcqlVerifiedResponse(agentContext, authorizationRequest.params.dcql_query, result.dcql.presentation)
+            : undefined;
+        const vpToken = (0, utils_1.parseIfJson)(openid4vpAuthorizationResponsePayload.vp_token);
+        const presentationDefinition = authorizationRequest.params
+            .presentation_definition;
+        if (presentationDefinition) {
+            if (!vpToken) {
+                throw new core_1.CredoError('Missing vp_token in the openid4vp authorization response.');
+            }
+            const rawPresentations = openid4vpVerifier.parsePresentationsFromVpToken({ vpToken });
+            const submission = openid4vpAuthorizationResponsePayload.presentation_submission;
             if (!submission) {
                 throw new core_1.CredoError('Unable to extract submission from the response.');
             }
-            // FIXME: should return type be an array? As now it doesn't always match the submission
-            const verifiablePresentations = Array.isArray(rawPresentations)
-                ? rawPresentations.map(transform_1.getVerifiablePresentationFromSphereonWrapped)
-                : (0, transform_1.getVerifiablePresentationFromSphereonWrapped)(rawPresentations);
-            const definition = presentationDefinitions[0].definition;
+            const verifiablePresentations = rawPresentations.map((presentation) => this.getPresentationFromVpTokenParseResult(agentContext, presentation));
             presentationExchange = {
-                definition,
+                definition: presentationDefinition,
                 submission,
-                // We always return this as an array
-                presentations: Array.isArray(verifiablePresentations) ? verifiablePresentations : [verifiablePresentations],
-                descriptors: (0, core_1.extractPresentationsWithDescriptorsFromSubmission)(verifiablePresentations, submission, definition),
+                presentations: verifiablePresentations,
+                descriptors: (0, core_1.extractPresentationsWithDescriptorsFromSubmission)(verifiablePresentations, submission, presentationDefinition),
             };
         }
-        if (!idToken && !presentationExchange) {
+        if (!idToken && !presentationExchange && !dcql) {
             throw new core_1.CredoError('No idToken or presentationExchange found in the response.');
         }
         return {
-            idToken,
+            idToken: idTokenPayload ? { payload: idTokenPayload } : undefined,
             presentationExchange,
+            dcql,
+            transactionData,
         };
     }
     /**
@@ -242,25 +409,17 @@ let OpenId4VcSiopVerifierService = class OpenId4VcSiopVerifierService {
         let nonce;
         let state;
         if (authorizationResponse) {
-            const authorizationResponseInstance = await did_auth_siop_1.AuthorizationResponse.fromPayload(authorizationResponse).catch(() => {
-                throw new core_1.CredoError(`Unable to parse authorization response payload. ${JSON.stringify(authorizationResponse)}`);
-            });
-            nonce = await authorizationResponseInstance.getMergedProperty('nonce', {
-                hasher: core_1.Hasher.hash,
-            });
-            state = await authorizationResponseInstance.getMergedProperty('state', {
-                hasher: core_1.Hasher.hash,
-            });
-            if (!nonce && !state) {
+            const state = authorizationResponse.state;
+            if (!state) {
                 throw new core_1.CredoError('Could not extract nonce or state from authorization response. Unable to find OpenId4VcVerificationSession.');
             }
         }
         else {
-            if ((authorizationResponseParams === null || authorizationResponseParams === void 0 ? void 0 : authorizationResponseParams.nonce) && !(authorizationResponseParams === null || authorizationResponseParams === void 0 ? void 0 : authorizationResponseParams.state)) {
+            if (authorizationResponseParams?.nonce && !authorizationResponseParams?.state) {
                 throw new core_1.CredoError('Either nonce or state must be provided if no authorization response is provided. Unable to find OpenId4VcVerificationSession.');
             }
-            nonce = authorizationResponseParams === null || authorizationResponseParams === void 0 ? void 0 : authorizationResponseParams.nonce;
-            state = authorizationResponseParams === null || authorizationResponseParams === void 0 ? void 0 : authorizationResponseParams.state;
+            nonce = authorizationResponseParams?.nonce;
+            state = authorizationResponseParams?.state;
         }
         const verificationSession = await this.openId4VcVerificationSessionRepository.findSingleByQuery(agentContext, {
             nonce,
@@ -279,10 +438,9 @@ let OpenId4VcSiopVerifierService = class OpenId4VcSiopVerifierService {
         return this.openId4VcVerifierRepository.update(agentContext, verifier);
     }
     async createVerifier(agentContext, options) {
-        var _a;
         const openId4VcVerifier = new repository_1.OpenId4VcVerifierRecord({
-            verifierId: (_a = options === null || options === void 0 ? void 0 : options.verifierId) !== null && _a !== void 0 ? _a : core_1.utils.uuid(),
-            clientMetadata: options === null || options === void 0 ? void 0 : options.clientMetadata,
+            verifierId: options?.verifierId ?? core_1.utils.uuid(),
+            clientMetadata: options?.clientMetadata,
         });
         await this.openId4VcVerifierRepository.save(agentContext, openId4VcVerifier);
         await (0, router_1.storeActorIdForContextCorrelationId)(agentContext, openId4VcVerifier.verifierId);
@@ -294,38 +452,20 @@ let OpenId4VcSiopVerifierService = class OpenId4VcSiopVerifierService {
     async getVerificationSessionById(agentContext, verificationSessionId) {
         return this.openId4VcVerificationSessionRepository.getById(agentContext, verificationSessionId);
     }
-    async getRelyingParty(agentContext, verifier, { idToken, presentationDefinition, clientId, clientIdScheme, authorizationResponseUrl, responseMode, }) {
+    async getClientMetadata(agentContext, options) {
+        const { responseMode, verifier, clientId } = options;
         const signatureSuiteRegistry = agentContext.dependencyManager.resolve(core_1.SignatureSuiteRegistry);
         const supportedAlgs = (0, utils_1.getSupportedJwaSignatureAlgorithms)(agentContext);
+        const supportedMdocAlgs = supportedAlgs.filter(core_1.isMdocSupportedSignatureAlgorithm);
         const supportedProofTypes = signatureSuiteRegistry.supportedProofTypes;
-        // Check: audience must be set to the issuer with dynamic disc otherwise self-issued.me/v2.
-        const builder = did_auth_siop_1.RP.builder();
-        const responseTypes = [];
-        if (!presentationDefinition && idToken === false) {
-            throw new core_1.CredoError('Either `presentationExchange` or `idToken` must be enabled');
-        }
-        if (presentationDefinition) {
-            responseTypes.push(did_auth_siop_1.ResponseType.VP_TOKEN);
-        }
-        if (idToken === true || !presentationDefinition) {
-            responseTypes.push(did_auth_siop_1.ResponseType.ID_TOKEN);
-        }
         // FIXME: we now manually remove did:peer, we should probably allow the user to configure this
         const supportedDidMethods = agentContext.dependencyManager
             .resolve(core_1.DidsApi)
             .supportedResolverMethods.filter((m) => m !== 'peer');
-        // The OpenId4VcRelyingPartyEventHandler is a global event handler that makes sure that
-        // all the events are handled, and that the correct context is used for the events.
-        const sphereonEventEmitter = agentContext.dependencyManager
-            .resolve(OpenId4VcRelyingPartyEventEmitter_1.OpenId4VcRelyingPartyEventHandler)
-            .getEventEmitterForVerifier(agentContext.contextCorrelationId, verifier.verifierId);
-        const mode = !responseMode || responseMode === 'direct_post'
-            ? did_auth_siop_1.ResponseMode.DIRECT_POST
-            : did_auth_siop_1.ResponseMode.DIRECT_POST_JWT;
         let jarmEncryptionJwk;
-        if (mode === did_auth_siop_1.ResponseMode.DIRECT_POST_JWT) {
+        if ((0, oid4vp_1.isJarmResponseMode)(responseMode)) {
             const key = await agentContext.wallet.createKey({ keyType: core_1.KeyType.P256 });
-            jarmEncryptionJwk = Object.assign(Object.assign({}, (0, core_1.getJwkFromKey)(key).toJson()), { kid: key.fingerprint, use: 'enc' });
+            jarmEncryptionJwk = { ...(0, core_1.getJwkFromKey)(key).toJson(), kid: key.fingerprint, use: 'enc' };
         }
         const jarmClientMetadata = jarmEncryptionJwk
             ? {
@@ -334,38 +474,22 @@ let OpenId4VcSiopVerifierService = class OpenId4VcSiopVerifierService {
                 authorization_encrypted_response_enc: 'A256GCM',
             }
             : undefined;
-        builder
-            .withClientId(clientId)
-            .withResponseUri(authorizationResponseUrl)
-            .withIssuer(did_auth_siop_1.ResponseIss.SELF_ISSUED_V2)
-            .withAudience(did_auth_siop_1.RequestAud.SELF_ISSUED_V2)
-            .withIssuer(did_auth_siop_1.ResponseIss.SELF_ISSUED_V2)
-            .withSupportedVersions([
-            did_auth_siop_1.SupportedVersion.SIOPv2_D11,
-            did_auth_siop_1.SupportedVersion.SIOPv2_D12_OID4VP_D18,
-            did_auth_siop_1.SupportedVersion.SIOPv2_D12_OID4VP_D20,
-        ])
-            .withResponseMode(mode)
-            .withHasher(core_1.Hasher.hash)
-            // FIXME: should allow verification of revocation
-            // .withRevocationVerificationCallback()
-            .withRevocationVerification(did_auth_siop_1.RevocationVerification.NEVER)
-            .withSessionManager(new OpenId4VcRelyingPartySessionManager_1.OpenId4VcRelyingPartySessionManager(agentContext, verifier.verifierId))
-            .withEventEmitter(sphereonEventEmitter)
-            .withResponseType(responseTypes)
-            .withCreateJwtCallback((0, utils_1.getCreateJwtCallback)(agentContext))
-            .withVerifyJwtCallback((0, utils_1.getVerifyJwtCallback)(agentContext))
-            // TODO: we should probably allow some dynamic values here
-            .withClientMetadata(Object.assign(Object.assign(Object.assign({}, jarmClientMetadata), verifier.clientMetadata), {
+        return {
+            ...jarmClientMetadata,
+            ...verifier.clientMetadata,
             // FIXME: not passing client_id here means it will not be added
             // to the authorization request url (not the signed payload). Need
             // to fix that in Sphereon lib
-            client_id: clientId, passBy: did_auth_siop_1.PassBy.VALUE, response_types_supported: [did_auth_siop_1.ResponseType.VP_TOKEN], subject_syntax_types_supported: [
+            client_id: clientId,
+            response_types_supported: ['vp_token'],
+            subject_syntax_types_supported: [
                 'urn:ietf:params:oauth:jwk-thumbprint',
                 ...supportedDidMethods.map((m) => `did:${m}`),
-            ], vp_formats: {
+            ],
+            authorization_signed_response_alg: 'RS256',
+            vp_formats: {
                 mso_mdoc: {
-                    alg: supportedAlgs,
+                    alg: supportedMdocAlgs,
                 },
                 jwt_vc: {
                     alg: supportedAlgs,
@@ -389,105 +513,217 @@ let OpenId4VcSiopVerifierService = class OpenId4VcSiopVerifierService {
                     'kb-jwt_alg_values': supportedAlgs,
                     'sd-jwt_alg_values': supportedAlgs,
                 },
-            } }));
-        if (clientIdScheme) {
-            builder.withClientIdScheme(clientIdScheme);
+            },
+        };
+    }
+    getPresentationFromVpTokenParseResult(agentContext, vpTokenPresentationParseResult) {
+        if (vpTokenPresentationParseResult.format === 'dc+sd-jwt') {
+            const sdJwtVcApi = agentContext.dependencyManager.resolve(core_1.SdJwtVcApi);
+            return sdJwtVcApi.fromCompact(vpTokenPresentationParseResult.presentation);
         }
-        if (presentationDefinition) {
-            builder.withPresentationDefinition({ definition: presentationDefinition }, [did_auth_siop_1.PropertyTarget.REQUEST_OBJECT]);
+        else if (vpTokenPresentationParseResult.format === 'mso_mdoc') {
+            return core_1.MdocDeviceResponse.fromBase64Url(vpTokenPresentationParseResult.presentation);
+        }
+        else if (vpTokenPresentationParseResult.format === 'jwt_vp_json') {
+            return core_1.W3cJwtVerifiablePresentation.fromSerializedJwt(vpTokenPresentationParseResult.presentation);
+        }
+        else if (vpTokenPresentationParseResult.format === 'ldp_vp') {
+            return core_1.JsonTransformer.fromJSON(vpTokenPresentationParseResult.presentation, core_1.W3cJsonLdVerifiablePresentation);
+        }
+        throw new core_1.CredoError(`Unsupported presentation format. ${vpTokenPresentationParseResult.format}`);
+    }
+    getTransactionDataMeta(options) {
+        const { vpTokenPresentationParseResult, transactionData, transactionDataResult, credentialId } = options;
+        if (!transactionData) {
+            throw new core_1.CredoError('Could not map transaction data result to the request');
+        }
+        const hashName = transactionDataResult.hashes_alg ?? 'sha-256';
+        const presentationHashes = transactionDataResult.hashes;
+        const transactionDataEntriesWithHash = transactionData.map((tdEntry) => {
+            const hash = core_1.TypedArrayEncoder.toBase64URL(core_1.Hasher.hash(core_1.JsonEncoder.toBase64URL(tdEntry), hashName));
+            return hash;
+        });
+        for (const [idx, hash] of transactionDataEntriesWithHash.entries()) {
+            if (presentationHashes[idx] !== hash) {
+                throw new core_1.CredoError(`Transaction data entry ${idx} does not match hash ${hash}`);
+            }
+        }
+        return {
+            credentialId,
+            transactionData,
+            transactionDataResult,
+            path: vpTokenPresentationParseResult.path,
+        };
+    }
+    decodePresentation(agentContext, options) {
+        const { vpTokenPresentationParseResult } = options;
+        if (vpTokenPresentationParseResult.format === 'dc+sd-jwt') {
+            // TODO: it might be better here to look at the presentation submission to know
+            // If presentation includes a ~, we assume it's an SD-JWT-VC
+            const sdJwtVcApi = agentContext.dependencyManager.resolve(core_1.SdJwtVcApi);
+            const sdJwtVc = sdJwtVcApi.fromCompact(vpTokenPresentationParseResult.presentation);
+            return sdJwtVc;
+        }
+        else if (vpTokenPresentationParseResult.format === 'mso_mdoc') {
+            const mdocDeviceResponse = core_1.MdocDeviceResponse.fromBase64Url(vpTokenPresentationParseResult.presentation);
+            return mdocDeviceResponse;
         }
-        if (responseTypes.includes(did_auth_siop_1.ResponseType.ID_TOKEN)) {
-            builder.withScope('openid');
+        else if (vpTokenPresentationParseResult.format === 'jwt_vp_json') {
+            return core_1.W3cJwtVerifiablePresentation.fromSerializedJwt(vpTokenPresentationParseResult.presentation);
+        }
+        else {
+            return core_1.JsonTransformer.fromJSON(vpTokenPresentationParseResult.presentation, core_1.W3cJsonLdVerifiablePresentation);
         }
-        return builder.build();
     }
-    getPresentationVerificationCallback(agentContext, options) {
-        return async (encodedPresentation, presentationSubmission) => {
-            var _a, _b;
-            try {
-                this.logger.debug(`Presentation response`, core_1.JsonTransformer.toJSON(encodedPresentation));
-                this.logger.debug(`Presentation submission`, presentationSubmission);
-                if (!encodedPresentation)
-                    throw new core_1.CredoError('Did not receive a presentation for verification.');
-                let isValid;
-                let reason = undefined;
-                if (typeof encodedPresentation === 'string' && encodedPresentation.includes('~')) {
-                    // TODO: it might be better here to look at the presentation submission to know
-                    // If presentation includes a ~, we assume it's an SD-JWT-VC
-                    const sdJwtVcApi = agentContext.dependencyManager.resolve(core_1.SdJwtVcApi);
-                    const verificationResult = await sdJwtVcApi.verify({
-                        compactSdJwtVc: encodedPresentation,
-                        keyBinding: {
-                            audience: options.audience,
-                            nonce: options.nonce,
+    async verifyPresentations(agentContext, options) {
+        const { vpTokenPresentationParseResult, transactionData } = options;
+        let transactionDataMeta = undefined;
+        try {
+            this.logger.debug(`Presentation response`, core_1.JsonTransformer.toJSON(vpTokenPresentationParseResult.presentation));
+            if (!vpTokenPresentationParseResult)
+                throw new core_1.CredoError('Did not receive a presentation for verification.');
+            const x509Config = agentContext.dependencyManager.resolve(core_1.X509ModuleConfig);
+            let isValid;
+            let reason = undefined;
+            let verifiablePresentation;
+            if (vpTokenPresentationParseResult.format === 'dc+sd-jwt') {
+                // TODO: it might be better here to look at the presentation submission to know
+                // If presentation includes a ~, we assume it's an SD-JWT-VC
+                const sdJwtVcApi = agentContext.dependencyManager.resolve(core_1.SdJwtVcApi);
+                const jwt = core_1.Jwt.fromSerializedJwt(vpTokenPresentationParseResult.presentation.split('~')[0]);
+                const sdJwtVc = sdJwtVcApi.fromCompact(vpTokenPresentationParseResult.presentation);
+                const certificateChain = (0, core_1.extractX509CertificatesFromJwt)(jwt);
+                let trustedCertificates = undefined;
+                if (certificateChain && x509Config.getTrustedCertificatesForVerification) {
+                    trustedCertificates = await x509Config.getTrustedCertificatesForVerification(agentContext, {
+                        certificateChain,
+                        verification: {
+                            type: 'credential',
+                            credential: sdJwtVc,
+                            openId4VcVerificationSessionId: options.verificationSessionRecordId,
                         },
                     });
-                    isValid = verificationResult.verification.isValid;
-                    reason = verificationResult.isValid ? undefined : verificationResult.error.message;
                 }
-                else if (typeof encodedPresentation === 'string' && !core_1.Jwt.format.test(encodedPresentation)) {
-                    if (!options.responseUri || !options.mdocGeneratedNonce) {
-                        isValid = false;
-                        reason = 'Mdoc device response verification failed. Response uri and the mdocGeneratedNonce are not set';
-                    }
-                    else {
-                        const mdocDeviceResponse = core_1.MdocDeviceResponse.fromBase64Url(encodedPresentation);
-                        await mdocDeviceResponse.verify(agentContext, {
-                            sessionTranscriptOptions: {
-                                clientId: options.audience,
-                                mdocGeneratedNonce: options.mdocGeneratedNonce,
-                                responseUri: options.responseUri,
-                                verifierGeneratedNonce: options.nonce,
-                            },
-                            verificationContext: {
-                                openId4VcVerificationSessionId: options.correlationId,
+                if (!trustedCertificates) {
+                    // We also take from the config here to avoid the callback being called again
+                    trustedCertificates = x509Config.trustedCertificates ?? [];
+                }
+                const verificationResult = await sdJwtVcApi.verify({
+                    compactSdJwtVc: vpTokenPresentationParseResult.presentation,
+                    keyBinding: {
+                        audience: options.audience,
+                        nonce: options.nonce,
+                    },
+                    trustedCertificates,
+                });
+                if (verificationResult.sdJwtVc?.transactionData) {
+                    transactionDataMeta = this.getTransactionDataMeta({
+                        vpTokenPresentationParseResult,
+                        transactionData,
+                        transactionDataResult: verificationResult.sdJwtVc.transactionData,
+                        credentialId: options.credentialId,
+                    });
+                }
+                isValid = verificationResult.verification.isValid;
+                reason = verificationResult.isValid ? undefined : verificationResult.error.message;
+                verifiablePresentation = sdJwtVc;
+            }
+            else if (vpTokenPresentationParseResult.format === 'mso_mdoc') {
+                if (!options.responseUri || !options.mdocGeneratedNonce) {
+                    throw new core_1.CredoError('Mdoc device response verification failed. Response uri and the mdocGeneratedNonce are not set');
+                }
+                else {
+                    const mdocDeviceResponse = core_1.MdocDeviceResponse.fromBase64Url(vpTokenPresentationParseResult.presentation);
+                    const trustedCertificates = (await Promise.all(mdocDeviceResponse.documents.map(async (mdoc) => {
+                        const certificateChain = mdoc.issuerSignedCertificateChain.map((cert) => core_1.X509Certificate.fromRawCertificate(cert));
+                        const trustedCertificates = await x509Config.getTrustedCertificatesForVerification?.(agentContext, {
+                            certificateChain,
+                            verification: {
+                                type: 'credential',
+                                credential: mdoc,
+                                openId4VcVerificationSessionId: options.verificationSessionRecordId,
                             },
                         });
-                        isValid = true;
-                    }
-                }
-                else if (typeof encodedPresentation === 'string' && core_1.Jwt.format.test(encodedPresentation)) {
-                    const verificationResult = await this.w3cCredentialService.verifyPresentation(agentContext, {
-                        presentation: encodedPresentation,
-                        challenge: options.nonce,
-                        domain: options.audience,
-                        verificationContext: {
-                            openId4VcVerificationSessionId: options.correlationId,
+                        // TODO: could have some duplication but not a big issue
+                        return trustedCertificates ?? x509Config.trustedCertificates;
+                    })))
+                        .filter((c) => c !== undefined)
+                        .flatMap((c) => c);
+                    await mdocDeviceResponse.verify(agentContext, {
+                        sessionTranscriptOptions: {
+                            clientId: options.audience,
+                            mdocGeneratedNonce: options.mdocGeneratedNonce,
+                            responseUri: options.responseUri,
+                            verifierGeneratedNonce: options.nonce,
                         },
+                        trustedCertificates,
                     });
-                    isValid = verificationResult.isValid;
-                    reason = (_a = verificationResult.error) === null || _a === void 0 ? void 0 : _a.message;
+                    isValid = true;
+                    verifiablePresentation = mdocDeviceResponse;
                 }
-                else {
-                    const verificationResult = await this.w3cCredentialService.verifyPresentation(agentContext, {
-                        presentation: core_1.JsonTransformer.fromJSON(encodedPresentation, core_1.W3cJsonLdVerifiablePresentation),
-                        challenge: options.nonce,
-                        domain: options.audience,
+            }
+            else if (vpTokenPresentationParseResult.format === 'jwt_vp_json') {
+                const sdJwtPresentation = core_1.W3cJwtVerifiablePresentation.fromSerializedJwt(vpTokenPresentationParseResult.presentation);
+                const certificateChain = (0, core_1.extractX509CertificatesFromJwt)(sdJwtPresentation.jwt);
+                let trustedCertificates = undefined;
+                if (certificateChain && x509Config.getTrustedCertificatesForVerification) {
+                    trustedCertificates = await x509Config.getTrustedCertificatesForVerification?.(agentContext, {
+                        certificateChain,
+                        verification: {
+                            type: 'credential',
+                            credential: sdJwtPresentation,
+                            openId4VcVerificationSessionId: options.verificationSessionRecordId,
+                        },
                     });
-                    isValid = verificationResult.isValid;
-                    reason = (_b = verificationResult.error) === null || _b === void 0 ? void 0 : _b.message;
                 }
-                if (!isValid) {
-                    throw new Error(reason);
+                if (!trustedCertificates) {
+                    trustedCertificates = x509Config.trustedCertificates ?? [];
                 }
-                return {
-                    verified: true,
-                };
+                const verificationResult = await this.w3cCredentialService.verifyPresentation(agentContext, {
+                    presentation: vpTokenPresentationParseResult.presentation,
+                    challenge: options.nonce,
+                    domain: options.audience,
+                    trustedCertificates,
+                });
+                isValid = verificationResult.isValid;
+                reason = verificationResult.error?.message;
+                verifiablePresentation = core_1.W3cJwtVerifiablePresentation.fromSerializedJwt(vpTokenPresentationParseResult.presentation);
             }
-            catch (error) {
-                agentContext.config.logger.warn('Error occurred during verification of presentation', {
-                    error,
+            else {
+                const w3cJsonLdVerifiablePresentation = core_1.JsonTransformer.fromJSON(vpTokenPresentationParseResult.presentation, core_1.W3cJsonLdVerifiablePresentation);
+                const verificationResult = await this.w3cCredentialService.verifyPresentation(agentContext, {
+                    presentation: w3cJsonLdVerifiablePresentation,
+                    challenge: options.nonce,
+                    domain: options.audience,
                 });
-                return {
-                    verified: false,
-                    reason: error.message,
-                };
+                isValid = verificationResult.isValid;
+                reason = verificationResult.error?.message;
+                verifiablePresentation = w3cJsonLdVerifiablePresentation;
             }
-        };
+            if (!isValid) {
+                throw new Error(reason);
+            }
+            return {
+                verified: true,
+                transactionDataMeta,
+                presentation: verifiablePresentation,
+                credentialId: options.credentialId,
+            };
+        }
+        catch (error) {
+            agentContext.config.logger.warn('Error occurred during verification of presentation', {
+                error,
+            });
+            return {
+                verified: false,
+                reason: error.message,
+                credentialId: options.credentialId,
+            };
+        }
     }
 };
 exports.OpenId4VcSiopVerifierService = OpenId4VcSiopVerifierService;
-exports.OpenId4VcSiopVerifierService = OpenId4VcSiopVerifierService = __decorate([
+exports.OpenId4VcSiopVerifierService = OpenId4VcSiopVerifierService = OpenId4VcSiopVerifierService_1 = __decorate([
     (0, core_1.injectable)(),
     __param(0, (0, core_1.inject)(core_1.InjectionSymbols.Logger)),
     __metadata("design:paramtypes", [Object, core_1.W3cCredentialService,