@credo-ts/openid4vc 0.6.0-pr-2195-20250226092707 → 0.6.0-pr-2209-20250321171013

package/build/openid4vc-holder/OpenId4vcSiopHolderService.js

@@ -11,296 +11,290 @@ var __metadata = (this && this.__metadata) || function (k, v) {
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.OpenId4VcSiopHolderService = void 0;
 const core_1 = require("@credo-ts/core");
-const openid4vp_1 = require("@openid4vc/openid4vp");
-const callbacks_1 = require("../shared/callbacks");
+const did_auth_siop_1 = require("@sphereon/did-auth-siop");
+const transform_1 = require("../shared/transform");
+const utils_1 = require("../shared/utils");
 let OpenId4VcSiopHolderService = class OpenId4VcSiopHolderService {
-    constructor(presentationExchangeService, dcqlService) {
+    constructor(presentationExchangeService) {
         this.presentationExchangeService = presentationExchangeService;
-        this.dcqlService = dcqlService;
     }
-    getOpenid4vpClient(agentContext, trustedCertificates) {
-        const callbacks = (0, callbacks_1.getOid4vcCallbacks)(agentContext, trustedCertificates);
-        return new openid4vp_1.Openid4vpClient({ callbacks });
-    }
-    async handlePresentationExchangeRequest(agentContext, _presentationDefinition, transactionData) {
-        const presentationDefinition = _presentationDefinition;
-        this.presentationExchangeService.validatePresentationDefinition(presentationDefinition);
-        const presentationExchange = {
-            definition: presentationDefinition,
-            credentialsForRequest: await this.presentationExchangeService.getCredentialsForRequest(agentContext, presentationDefinition),
-        };
-        let credentialsForTransactionData = undefined;
-        // for each transaction data entry, get all submission entries that can be used to sign the respective transaction
-        if (transactionData) {
-            credentialsForTransactionData = [];
-            for (const transactionDataEntry of transactionData) {
-                for (const requirement of presentationExchange.credentialsForRequest.requirements) {
-                    const recordSet = new Set();
-                    const filtered = requirement.submissionEntry.filter((submission) => transactionDataEntry.credential_ids.includes(submission.inputDescriptorId));
-                    for (const submission of filtered) {
-                        for (const credential of submission.verifiableCredentials) {
-                            recordSet.add(credential);
-                        }
-                    }
-                    if (recordSet.size === 0) {
-                        continue;
-                    }
-                    credentialsForTransactionData.push({
-                        transactionDataEntry,
-                        submissionEntry: { ...filtered[0], verifiableCredentials: Array.from(recordSet) },
-                    });
-                }
-            }
-        }
-        return { pex: { ...presentationExchange, transactionData: credentialsForTransactionData } };
-    }
-    async handleDcqlRequest(agentContext, dcql, transactionData) {
-        const dcqlQuery = this.dcqlService.validateDcqlQuery(dcql);
-        const dcqlQueryResult = await this.dcqlService.getCredentialsForRequest(agentContext, dcqlQuery);
-        let credentialsForTransactionData = undefined;
-        // for each transaction data entry, get all submission entries that can be used to sign the respective transaction
-        if (transactionData) {
-            credentialsForTransactionData = [];
-            for (const transactionDataEntry of transactionData) {
-                const result = transactionDataEntry.credential_ids
-                    .map((credentialId) => {
-                    const match = dcqlQueryResult.credential_matches[credentialId];
-                    if (!match.success)
-                        return undefined;
-                    return {
-                        transactionDataEntry,
-                        dcql: {
-                            record: match.record,
-                            credentialQueryId: match.input_credential_index,
-                            claimSetId: match.claim_set_index,
-                        },
-                    };
-                })
-                    .filter((r) => r !== undefined);
-                credentialsForTransactionData.push(...result);
-            }
-        }
-        return { dcql: { queryResult: dcqlQueryResult, transactionData: credentialsForTransactionData } };
-    }
-    async resolveAuthorizationRequest(agentContext, 
-    /**
-     * Can be:
-     * - JWT
-     * - URI containing request or request_uri param
-     * - Request payload
-     */
-    request, options) {
-        const openid4vpClient = this.getOpenid4vpClient(agentContext, options?.trustedCertificates);
-        const { params } = openid4vpClient.parseOpenid4vpAuthorizationRequestPayload({ authorizationRequest: request });
-        const verifiedAuthRequest = await openid4vpClient.resolveOpenId4vpAuthorizationRequest({
-            request: params,
-            origin: options?.origin,
-        });
-        const { client, pex, transactionData, dcql } = verifiedAuthRequest;
-        if (client.scheme !== 'x509_san_dns' &&
-            client.scheme !== 'x509_san_uri' &&
-            client.scheme !== 'did' &&
-            client.scheme !== 'web-origin') {
-            throw new core_1.CredoError(`Client scheme '${client.scheme}' is not supported`);
+    async resolveAuthorizationRequest(agentContext, requestJwtOrUri, trustedCertificates) {
+        const openidProvider = await this.getOpenIdProvider(agentContext, trustedCertificates);
+        // parsing happens automatically in verifyAuthorizationRequest
+        const verifiedAuthorizationRequest = await openidProvider.verifyAuthorizationRequest(requestJwtOrUri);
+        agentContext.config.logger.debug(`verified SIOP Authorization Request for issuer '${verifiedAuthorizationRequest.issuer}'`);
+        agentContext.config.logger.debug(`requestJwtOrUri '${requestJwtOrUri}'`);
+        if (verifiedAuthorizationRequest.presentationDefinitions &&
+            verifiedAuthorizationRequest.presentationDefinitions.length > 1) {
+            throw new core_1.CredoError('Only a single presentation definition is supported.');
         }
-        const { pex: pexResult } = pex?.presentation_definition
-            ? await this.handlePresentationExchangeRequest(agentContext, pex.presentation_definition, transactionData)
-            : { pex: undefined };
-        const { dcql: dcqlResult } = dcql?.query
-            ? await this.handleDcqlRequest(agentContext, dcql.query, transactionData)
-            : { dcql: undefined };
-        agentContext.config.logger.debug(`verified Authorization Request`);
-        agentContext.config.logger.debug(`request '${request}'`);
+        const presentationDefinition = verifiedAuthorizationRequest.presentationDefinitions?.[0]?.definition;
         return {
-            authorizationRequest: verifiedAuthRequest,
-            presentationExchange: pexResult,
-            dcql: dcqlResult,
-            origin: options?.origin,
+            authorizationRequest: verifiedAuthorizationRequest,
+            // Parameters related to DIF Presentation Exchange
+            presentationExchange: presentationDefinition
+                ? {
+                    definition: presentationDefinition,
+                    credentialsForRequest: await this.presentationExchangeService.getCredentialsForRequest(agentContext, presentationDefinition),
+                }
+                : undefined,
         };
     }
-    async getCredentialQueryIdsToSignTransactionData(dcql, transactionData) {
-        // check if all credentials are present for the transaction data
-        // This needs a deep integration into pex and out pex requirements
-        const dcqlCredentialQueryIds = [];
-        for (const tdEntry of transactionData) {
-            // find a inputDescriptor in the credential_ids which is present in the response
-            // and use it to sign of the transaction
-            const dcqlCredentialForRequest = tdEntry.credential_ids.find((credentialId) => dcql.credentials[credentialId]);
-            if (!dcqlCredentialForRequest) {
-                throw new core_1.CredoError('Cannot create authorization response. No credentials found for signing transaction data.');
-            }
-            dcqlCredentialQueryIds.push(dcqlCredentialForRequest);
-        }
-        return dcqlCredentialQueryIds;
-    }
-    async getInputDescriptorsToSignTransactionData(presentationExchange, transactionData) {
-        // check if all credentials are present for the transaction data
-        // This needs a deep integration into pex and out pex requirements
-        const inputDescriptorsToSignTransactionData = [];
-        for (const tdEntry of transactionData) {
-            // find a inputDescriptor in the credential_ids which is present in the response
-            // and use it to sign of the transaction
-            const inputDescriptorForCredential = tdEntry.credential_ids.find((credentialId) => presentationExchange.credentials[credentialId]);
-            if (!inputDescriptorForCredential) {
-                throw new core_1.CredoError('Cannot create authorization response. No credentials found for signing transaction data.');
-            }
-            inputDescriptorsToSignTransactionData.push(inputDescriptorForCredential);
-        }
-        return inputDescriptorsToSignTransactionData;
-    }
     async acceptAuthorizationRequest(agentContext, options) {
-        const { authorizationRequest, presentationExchange, dcql } = options;
+        const { authorizationRequest, presentationExchange } = options;
+        let openIdTokenIssuer = options.openIdTokenIssuer;
+        let presentationExchangeOptions = undefined;
+        const wantsIdToken = await authorizationRequest.authorizationRequest.containsResponseType(did_auth_siop_1.ResponseType.ID_TOKEN);
         const authorizationResponseNonce = await agentContext.wallet.generateNonce();
-        const nonce = authorizationRequest.payload.nonce;
-        const clientId = authorizationRequest.client.originalValue;
-        let openid4vpOptions;
-        if ((0, openid4vp_1.isOpenid4vpAuthorizationRequestDcApi)(authorizationRequest.payload)) {
-            if (!options.origin) {
-                throw new core_1.CredoError('Missing required parameter `origin` parameter for accepting openid4vp dc api requests.');
-            }
-            openid4vpOptions = { type: 'openId4VpDcApi', clientId, origin: options.origin, verifierGeneratedNonce: nonce };
-        }
-        else {
-            const responseUri = authorizationRequest.payload.response_uri ?? authorizationRequest.payload.redirect_uri;
-            if (!responseUri) {
-                throw new core_1.CredoError('Missing required parameter `response_uri` or `redirect_uri` in the authorization request.');
-            }
-            openid4vpOptions = {
-                type: 'openId4Vp',
-                mdocGeneratedNonce: authorizationResponseNonce,
-                responseUri,
-                clientId,
-                verifierGeneratedNonce: nonce,
-            };
-        }
-        let vpToken;
-        let presentationSubmission = undefined;
         // Handle presentation exchange part
-        if (authorizationRequest.pex || presentationExchange) {
+        if (authorizationRequest.presentationDefinitions && authorizationRequest.presentationDefinitions.length > 0) {
             if (!presentationExchange) {
                 throw new core_1.CredoError('Authorization request included presentation definition. `presentationExchange` MUST be supplied to accept authorization requests.');
             }
-            if (!authorizationRequest.pex) {
-                throw new core_1.CredoError('`presentationExchange` was supplied, but no presentation definition was found in the presentation request.');
+            const nonce = await authorizationRequest.authorizationRequest.getMergedProperty('nonce');
+            if (!nonce) {
+                throw new core_1.CredoError("Unable to extract 'nonce' from authorization request");
+            }
+            const clientId = await authorizationRequest.authorizationRequest.getMergedProperty('client_id');
+            if (!clientId) {
+                throw new core_1.CredoError("Unable to extract 'client_id' from authorization request");
             }
-            const { presentationSubmission: _presentationSubmission, encodedVerifiablePresentations } = await this.presentationExchangeService.createPresentation(agentContext, {
+            const responseUri = (await authorizationRequest.authorizationRequest.getMergedProperty('response_uri')) ??
+                (await authorizationRequest.authorizationRequest.getMergedProperty('redirect_uri'));
+            if (!responseUri) {
+                throw new core_1.CredoError("Unable to extract 'response_uri' from authorization request");
+            }
+            const { verifiablePresentations, presentationSubmission } = await this.presentationExchangeService.createPresentation(agentContext, {
                 credentialsForInputDescriptor: presentationExchange.credentials,
-                transactionDataAuthorization: authorizationRequest.transactionData
-                    ? {
-                        credentials: await this.getInputDescriptorsToSignTransactionData(presentationExchange, authorizationRequest.transactionData),
-                        transactionData: authorizationRequest.transactionData,
-                    }
-                    : undefined,
-                presentationDefinition: authorizationRequest.pex
-                    .presentation_definition,
+                presentationDefinition: authorizationRequest.presentationDefinitions[0].definition,
                 challenge: nonce,
                 domain: clientId,
                 presentationSubmissionLocation: core_1.DifPresentationExchangeSubmissionLocation.EXTERNAL,
-                openid4vp: openid4vpOptions,
+                openid4vp: {
+                    mdocGeneratedNonce: authorizationResponseNonce,
+                    responseUri,
+                },
             });
-            vpToken =
-                encodedVerifiablePresentations.length === 1 && _presentationSubmission?.descriptor_map[0]?.path === '$'
-                    ? encodedVerifiablePresentations[0]
-                    : encodedVerifiablePresentations;
-            presentationSubmission = _presentationSubmission;
-        }
-        else if (authorizationRequest.dcql || dcql) {
-            if (!authorizationRequest.dcql) {
-                throw new core_1.CredoError('`dcql` was supplied, but no dcql request was found in the presentation request.');
-            }
-            if (!dcql) {
-                throw new core_1.CredoError('Authorization request included dcql request. `dcql` MUST be supplied to accept authorization requests.');
+            presentationExchangeOptions = {
+                verifiablePresentations: verifiablePresentations.map((vp) => (0, transform_1.getSphereonVerifiablePresentation)(vp)),
+                presentationSubmission,
+                vpTokenLocation: did_auth_siop_1.VPTokenLocation.AUTHORIZATION_RESPONSE,
+            };
+            if (wantsIdToken && !openIdTokenIssuer) {
+                openIdTokenIssuer = this.getOpenIdTokenIssuerFromVerifiablePresentation(verifiablePresentations[0]);
             }
-            const { encodedDcqlPresentation } = await this.dcqlService.createPresentation(agentContext, {
-                credentialQueryToCredential: dcql.credentials,
-                transactionDataAuthorization: authorizationRequest.transactionData
-                    ? {
-                        credentials: await this.getCredentialQueryIdsToSignTransactionData(dcql, authorizationRequest.transactionData),
-                        transactionData: authorizationRequest.transactionData,
-                    }
-                    : undefined,
-                challenge: nonce,
-                domain: clientId,
-                openid4vp: openid4vpOptions,
-            });
-            vpToken = encodedDcqlPresentation;
         }
-        else {
-            throw new core_1.CredoError('Either pex or dcql must be provided');
+        else if (options.presentationExchange) {
+            throw new core_1.CredoError('`presentationExchange` was supplied, but no presentation definition was found in the presentation request.');
         }
-        const openid4vpClient = this.getOpenid4vpClient(agentContext);
-        const response = await openid4vpClient.createOpenid4vpAuthorizationResponse({
-            requestParams: authorizationRequest.payload,
-            responseParams: {
-                vp_token: vpToken,
-                presentation_submission: presentationSubmission,
-            },
-            jarm: authorizationRequest.payload.response_mode && (0, openid4vp_1.isJarmResponseMode)(authorizationRequest.payload.response_mode)
-                ? {
-                    encryption: { nonce: authorizationResponseNonce },
-                    serverMetadata: {
-                        authorization_signing_alg_values_supported: ['RS256'],
+        if (wantsIdToken) {
+            if (!openIdTokenIssuer) {
+                throw new core_1.CredoError('Unable to create authorization response. openIdTokenIssuer MUST be supplied when no presentation is active and the ResponseType includes id_token.');
+            }
+            this.assertValidTokenIssuer(authorizationRequest, openIdTokenIssuer);
+        }
+        const jwtIssuer = wantsIdToken && openIdTokenIssuer
+            ? await (0, utils_1.openIdTokenIssuerToJwtIssuer)(agentContext, openIdTokenIssuer)
+            : undefined;
+        const openidProvider = await this.getOpenIdProvider(agentContext);
+        const authorizationResponseWithCorrelationId = await openidProvider.createAuthorizationResponse(authorizationRequest, {
+            jwtIssuer,
+            presentationExchange: presentationExchangeOptions,
+            // https://openid.net/specs/openid-connect-self-issued-v2-1_0.html#name-aud-of-a-request-object
+            audience: authorizationRequest.authorizationRequestPayload.client_id,
+        });
+        const getCreateJarmResponseCallback = (authorizationResponseNonce) => {
+            return async (opts) => {
+                const { authorizationResponsePayload, requestObjectPayload } = opts;
+                const jwk = await did_auth_siop_1.OP.extractEncJwksFromClientMetadata(requestObjectPayload.client_metadata);
+                if (!jwk.kty) {
+                    throw new core_1.CredoError('Missing kty in jwk.');
+                }
+                const validatedMetadata = did_auth_siop_1.OP.validateJarmMetadata({
+                    client_metadata: requestObjectPayload.client_metadata,
+                    server_metadata: {
                         authorization_encryption_alg_values_supported: ['ECDH-ES'],
-                        authorization_encryption_enc_values_supported: ['A128GCM', 'A256GCM', 'A128CBC-HS256'],
+                        authorization_encryption_enc_values_supported: ['A256GCM', 'A128CBC-HS256'],
                     },
+                });
+                if (validatedMetadata.type !== 'encrypted') {
+                    throw new core_1.CredoError('Only encrypted JARM responses are supported.');
                 }
-                : undefined,
-        });
-        const authorizationResponsePayload = response.responseParams;
-        const authorizationResponse = response.jarm?.responseJwt
-            ? { response: response.jarm.responseJwt }
-            : authorizationResponsePayload;
-        // TODO: we should include more typing here that the user
-        // still needs to submit the resposne. or as we discussed, split
-        // this method up in create and submit
-        if ((0, openid4vp_1.isOpenid4vpAuthorizationRequestDcApi)(authorizationRequest.payload)) {
-            return {
-                ok: true,
-                authorizationResponse,
-                authorizationResponsePayload,
+                // Extract nonce from the request, we use this as the `apv`
+                const nonce = authorizationRequest.payload?.nonce;
+                if (!nonce || typeof nonce !== 'string') {
+                    throw new core_1.CredoError('Missing nonce in authorization request payload');
+                }
+                const jwe = await this.encryptJarmResponse(agentContext, {
+                    jwkJson: jwk,
+                    payload: authorizationResponsePayload,
+                    authorizationRequestNonce: nonce,
+                    alg: validatedMetadata.client_metadata.authorization_encrypted_response_alg,
+                    enc: validatedMetadata.client_metadata.authorization_encrypted_response_enc,
+                    authorizationResponseNonce,
+                });
+                return { response: jwe };
             };
-        }
-        const result = await openid4vpClient.submitOpenid4vpAuthorizationResponse({
-            request: authorizationRequest.payload,
-            response: response.responseParams,
-            jarm: response.jarm ? { responseJwt: response.jarm.responseJwt } : undefined,
-        });
-        const responseText = await result.response
+        };
+        const response = await openidProvider.submitAuthorizationResponse(authorizationResponseWithCorrelationId, getCreateJarmResponseCallback(authorizationResponseNonce));
+        const responseText = await response
             .clone()
             .text()
             .catch(() => null);
-        const responseJson = (await result.response
+        const responseJson = (await response
             .clone()
             .json()
             .catch(() => null));
-        if (!result.response.ok) {
+        if (!response.ok) {
             return {
                 ok: false,
                 serverResponse: {
-                    status: result.response.status,
+                    status: response.status,
                     body: responseJson ?? responseText,
                 },
-                authorizationResponse,
-                authorizationResponsePayload,
+                submittedResponse: authorizationResponseWithCorrelationId.response.payload,
             };
         }
         return {
             ok: true,
             serverResponse: {
-                status: result.response.status,
+                status: response.status,
                 body: responseJson ?? {},
             },
-            authorizationResponse,
-            authorizationResponsePayload,
+            submittedResponse: authorizationResponseWithCorrelationId.response.payload,
             redirectUri: responseJson?.redirect_uri,
             presentationDuringIssuanceSession: responseJson?.presentation_during_issuance_session,
         };
     }
+    async getOpenIdProvider(agentContext, trustedCertificates) {
+        const builder = did_auth_siop_1.OP.builder()
+            .withExpiresIn(6000)
+            .withIssuer(did_auth_siop_1.ResponseIss.SELF_ISSUED_V2)
+            .withResponseMode(did_auth_siop_1.ResponseMode.POST)
+            .withSupportedVersions([
+            did_auth_siop_1.SupportedVersion.SIOPv2_D11,
+            did_auth_siop_1.SupportedVersion.SIOPv2_D12_OID4VP_D18,
+            did_auth_siop_1.SupportedVersion.SIOPv2_D12_OID4VP_D20,
+        ])
+            .withCreateJwtCallback((0, utils_1.getCreateJwtCallback)(agentContext))
+            .withVerifyJwtCallback((0, utils_1.getVerifyJwtCallback)(agentContext, trustedCertificates))
+            .withHasher(core_1.Hasher.hash);
+        const openidProvider = builder.build();
+        return openidProvider;
+    }
+    getOpenIdTokenIssuerFromVerifiablePresentation(verifiablePresentation) {
+        let openIdTokenIssuer;
+        if (verifiablePresentation instanceof core_1.W3cJsonLdVerifiablePresentation) {
+            const [firstProof] = (0, core_1.asArray)(verifiablePresentation.proof);
+            if (!firstProof)
+                throw new core_1.CredoError('Verifiable presentation does not contain a proof');
+            if (!firstProof.verificationMethod.startsWith('did:')) {
+                throw new core_1.CredoError('Verifiable presentation proof verificationMethod is not a did. Unable to extract openIdTokenIssuer from verifiable presentation');
+            }
+            openIdTokenIssuer = {
+                method: 'did',
+                didUrl: firstProof.verificationMethod,
+            };
+        }
+        else if (verifiablePresentation instanceof core_1.W3cJwtVerifiablePresentation) {
+            const kid = verifiablePresentation.jwt.header.kid;
+            if (!kid)
+                throw new core_1.CredoError('Verifiable Presentation does not contain a kid in the jwt header');
+            if (kid.startsWith('#') && verifiablePresentation.presentation.holderId) {
+                openIdTokenIssuer = {
+                    didUrl: `${verifiablePresentation.presentation.holderId}${kid}`,
+                    method: 'did',
+                };
+            }
+            else if (kid.startsWith('did:')) {
+                openIdTokenIssuer = {
+                    didUrl: kid,
+                    method: 'did',
+                };
+            }
+            else {
+                throw new core_1.CredoError("JWT W3C Verifiable presentation does not include did in JWT header 'kid'. Unable to extract openIdTokenIssuer from verifiable presentation");
+            }
+        }
+        else if (verifiablePresentation instanceof core_1.MdocDeviceResponse) {
+            throw new core_1.CredoError('Mdoc Verifiable Presentations are not yet supported');
+        }
+        else {
+            const cnf = verifiablePresentation.payload.cnf;
+            // FIXME: SD-JWT VC should have better payload typing, so this doesn't become so ugly
+            if (!cnf ||
+                typeof cnf !== 'object' ||
+                !('kid' in cnf) ||
+                typeof cnf.kid !== 'string' ||
+                !cnf.kid.startsWith('did:') ||
+                !cnf.kid.includes('#')) {
+                throw new core_1.CredoError("SD-JWT Verifiable presentation has no 'cnf' claim or does not include 'cnf' claim where 'kid' is a didUrl pointing to a key. Unable to extract openIdTokenIssuer from verifiable presentation");
+            }
+            openIdTokenIssuer = {
+                didUrl: cnf.kid,
+                method: 'did',
+            };
+        }
+        return openIdTokenIssuer;
+    }
+    assertValidTokenIssuer(authorizationRequest, openIdTokenIssuer) {
+        const subjectSyntaxTypesSupported = authorizationRequest.registrationMetadataPayload.subject_syntax_types_supported;
+        if (!subjectSyntaxTypesSupported) {
+            throw new core_1.CredoError('subject_syntax_types_supported is not supplied in the registration metadata. subject_syntax_types is REQUIRED.');
+        }
+        let allowedSubjectSyntaxTypes = [];
+        if (openIdTokenIssuer.method === 'did') {
+            const parsedDid = (0, core_1.parseDid)(openIdTokenIssuer.didUrl);
+            // Either did:<method> or did (for all did methods) is allowed
+            allowedSubjectSyntaxTypes = [`did:${parsedDid.method}`, 'did'];
+        }
+        else if (openIdTokenIssuer.method === 'jwk') {
+            allowedSubjectSyntaxTypes = ['urn:ietf:params:oauth:jwk-thumbprint'];
+        }
+        else {
+            throw new core_1.CredoError("Only 'did' and 'jwk' are supported as openIdTokenIssuer at the moment");
+        }
+        // At least one of the allowed subject syntax types must be supported by the RP
+        if (!allowedSubjectSyntaxTypes.some((allowed) => subjectSyntaxTypesSupported.includes(allowed))) {
+            throw new core_1.CredoError([
+                'The provided openIdTokenIssuer is not supported by the relying party.',
+                `Supported subject syntax types: '${subjectSyntaxTypesSupported.join(', ')}'`,
+            ].join('\n'));
+        }
+    }
+    async encryptJarmResponse(agentContext, options) {
+        const { payload, jwkJson } = options;
+        const jwk = (0, core_1.getJwkFromJson)(jwkJson);
+        const key = jwk.key;
+        if (!agentContext.wallet.directEncryptCompactJweEcdhEs) {
+            throw new core_1.CredoError('Cannot decrypt Jarm Response, wallet does not support directEncryptCompactJweEcdhEs. You need to upgrade your wallet implementation.');
+        }
+        if (options.alg !== 'ECDH-ES') {
+            throw new core_1.CredoError("Only 'ECDH-ES' is supported as 'alg' value for JARM response encryption");
+        }
+        if (options.enc !== 'A256GCM' && options.enc !== 'A128CBC-HS256') {
+            throw new core_1.CredoError("Only 'A256GCM' and 'A128CBC-HS256' are supported as 'enc' value for JARM response encryption");
+        }
+        if (key.keyType !== core_1.KeyType.P256) {
+            throw new core_1.CredoError(`Only '${core_1.KeyType.P256}' key type is supported for JARM response encryption`);
+        }
+        const data = core_1.Buffer.from(JSON.stringify(payload));
+        const jwe = await agentContext.wallet.directEncryptCompactJweEcdhEs({
+            data,
+            recipientKey: key,
+            header: {
+                kid: jwkJson.kid,
+            },
+            encryptionAlgorithm: options.enc,
+            apu: core_1.TypedArrayEncoder.toBase64URL(core_1.TypedArrayEncoder.fromString(options.authorizationResponseNonce)),
+            apv: core_1.TypedArrayEncoder.toBase64URL(core_1.TypedArrayEncoder.fromString(options.authorizationRequestNonce)),
+        });
+        return jwe;
+    }
 };
 exports.OpenId4VcSiopHolderService = OpenId4VcSiopHolderService;
 exports.OpenId4VcSiopHolderService = OpenId4VcSiopHolderService = __decorate([
     (0, core_1.injectable)(),
-    __metadata("design:paramtypes", [core_1.DifPresentationExchangeService,
-        core_1.DcqlService])
+    __metadata("design:paramtypes", [core_1.DifPresentationExchangeService])
 ], OpenId4VcSiopHolderService);
 //# sourceMappingURL=OpenId4vcSiopHolderService.js.map

package/build/openid4vc-holder/OpenId4vcSiopHolderService.js.map

@@ -1 +1 @@
-{"version":3,"file":"OpenId4vcSiopHolderService.js","sourceRoot":"","sources":["../../src/openid4vc-holder/OpenId4vcSiopHolderService.ts"],"names":[],"mappings":";;;;;;;;;;;;AAsBA,yCAMuB;AACvB,oDAAgH;AAEhH,mDAAwD;AAGjD,IAAM,0BAA0B,GAAhC,MAAM,0BAA0B;IACrC,YACU,2BAA2D,EAC3D,WAAwB;QADxB,gCAA2B,GAA3B,2BAA2B,CAAgC;QAC3D,gBAAW,GAAX,WAAW,CAAa;IAC/B,CAAC;IAEI,kBAAkB,CAAC,YAA0B,EAAE,mBAA8C;QACnG,MAAM,SAAS,GAAG,IAAA,8BAAkB,EAAC,YAAY,EAAE,mBAAmB,CAAC,CAAA;QACvE,OAAO,IAAI,2BAAe,CAAC,EAAE,SAAS,EAAE,CAAC,CAAA;IAC3C,CAAC;IAEO,KAAK,CAAC,iCAAiC,CAC7C,YAA0B,EAC1B,uBAAgC,EAChC,eAAiC;QAEjC,MAAM,sBAAsB,GAAG,uBAA4D,CAAA;QAC3F,IAAI,CAAC,2BAA2B,CAAC,8BAA8B,CAAC,sBAAsB,CAAC,CAAA;QAEvF,MAAM,oBAAoB,GAAG;YAC3B,UAAU,EAAE,sBAAsB;YAClC,qBAAqB,EAAE,MAAM,IAAI,CAAC,2BAA2B,CAAC,wBAAwB,CACpF,YAAY,EACZ,sBAAsB,CACvB;SACF,CAAA;QAED,IAAI,6BAA6B,GAAuC,SAAS,CAAA;QACjF,kHAAkH;QAClH,IAAI,eAAe,EAAE,CAAC;YACpB,6BAA6B,GAAG,EAAE,CAAA;YAElC,KAAK,MAAM,oBAAoB,IAAI,eAAe,EAAE,CAAC;gBACnD,KAAK,MAAM,WAAW,IAAI,oBAAoB,CAAC,qBAAqB,CAAC,YAAY,EAAE,CAAC;oBAClF,MAAM,SAAS,GAAmC,IAAI,GAAG,EAAE,CAAA;oBAC3D,MAAM,QAAQ,GAAG,WAAW,CAAC,eAAe,CAAC,MAAM,CAAC,CAAC,UAAU,EAAE,EAAE,CACjE,oBAAoB,CAAC,cAAc,CAAC,QAAQ,CAAC,UAAU,CAAC,iBAAiB,CAAC,CAC3E,CAAA;oBAED,KAAK,MAAM,UAAU,IAAI,QAAQ,EAAE,CAAC;wBAClC,KAAK,MAAM,UAAU,IAAI,UAAU,CAAC,qBAAqB,EAAE,CAAC;4BAC1D,SAAS,CAAC,GAAG,CAAC,UAAU,CAAC,CAAA;wBAC3B,CAAC;oBACH,CAAC;oBAED,IAAI,SAAS,CAAC,IAAI,KAAK,CAAC,EAAE,CAAC;wBACzB,SAAQ;oBACV,CAAC;oBAED,6BAA6B,CAAC,IAAI,CAAC;wBACjC,oBAAoB;wBACpB,eAAe,EAAE,EAAE,GAAG,QAAQ,CAAC,CAAC,CAAC,EAAE,qBAAqB,EAAE,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE;qBAClF,CAAC,CAAA;gBACJ,CAAC;YACH,CAAC;QACH,CAAC;QAED,OAAO,EAAE,GAAG,EAAE,EAAE,GAAG,oBAAoB,EAAE,eAAe,EAAE,6BAA6B,EAAE,EAAE,CAAA;IAC7F,CAAC;IAEO,KAAK,CAAC,iBAAiB,CAAC,YAA0B,EAAE,IAAa,EAAE,eAAiC;QAC1G,MAAM,SAAS,GAAG,IAAI,CAAC,WAAW,CAAC,iBAAiB,CAAC,IAAiB,CAAC,CAAA;QACvE,MAAM,eAAe,GAAG,MAAM,IAAI,CAAC,WAAW,CAAC,wBAAwB,CAAC,YAAY,EAAE,SAAS,CAAC,CAAA;QAEhG,IAAI,6BAA6B,GAA2C,SAAS,CAAA;QACrF,kHAAkH;QAClH,IAAI,eAAe,EAAE,CAAC;YACpB,6BAA6B,GAAG,EAAE,CAAA;YAElC,KAAK,MAAM,oBAAoB,IAAI,eAAe,EAAE,CAAC;gBACnD,MAAM,MAAM,GAAG,oBAAoB,CAAC,cAAc;qBAC/C,GAAG,CAAC,CAAC,YAAY,EAAE,EAAE;oBACpB,MAAM,KAAK,GAAG,eAAe,CAAC,kBAAkB,CAAC,YAAY,CAAC,CAAA;oBAC9D,IAAI,CAAC,KAAK,CAAC,OAAO;wBAAE,OAAO,SAAS,CAAA;oBACpC,OAAO;wBACL,oBAAoB;wBACpB,IAAI,EAAE;4BACJ,MAAM,EAAE,KAAK,CAAC,MAAM;4BACpB,iBAAiB,EAAE,KAAK,CAAC,sBAAsB;4BAC/C,UAAU,EAAE,KAAK,CAAC,eAAe;yBAClC;qBACF,CAAA;gBACH,CAAC,CAAC;qBACD,MAAM,CAAC,CAAC,CAAC,EAA2C,EAAE,CAAC,CAAC,KAAK,SAAS,CAAC,CAAA;gBAE1E,6BAA6B,CAAC,IAAI,CAAC,GAAG,MAAM,CAAC,CAAA;YAC/C,CAAC;QACH,CAAC;QAED,OAAO,EAAE,IAAI,EAAE,EAAE,WAAW,EAAE,eAAe,EAAE,eAAe,EAAE,6BAA6B,EAAE,EAAE,CAAA;IACnG,CAAC;IAEM,KAAK,CAAC,2BAA2B,CACtC,YAA0B;IAC1B;;;;;OAKG;IACH,OAAyC,EACzC,OAAgD;QAEhD,MAAM,eAAe,GAAG,IAAI,CAAC,kBAAkB,CAAC,YAAY,EAAE,OAAO,EAAE,mBAAmB,CAAC,CAAA;QAC3F,MAAM,EAAE,MAAM,EAAE,GAAG,eAAe,CAAC,yCAAyC,CAAC,EAAE,oBAAoB,EAAE,OAAO,EAAE,CAAC,CAAA;QAC/G,MAAM,mBAAmB,GAAG,MAAM,eAAe,CAAC,oCAAoC,CAAC;YACrF,OAAO,EAAE,MAAM;YACf,MAAM,EAAE,OAAO,EAAE,MAAM;SACxB,CAAC,CAAA;QAEF,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,eAAe,EAAE,IAAI,EAAE,GAAG,mBAAmB,CAAA;QAElE,IACE,MAAM,CAAC,MAAM,KAAK,cAAc;YAChC,MAAM,CAAC,MAAM,KAAK,cAAc;YAChC,MAAM,CAAC,MAAM,KAAK,KAAK;YACvB,MAAM,CAAC,MAAM,KAAK,YAAY,EAC9B,CAAC;YACD,MAAM,IAAI,iBAAU,CAAC,kBAAkB,MAAM,CAAC,MAAM,oBAAoB,CAAC,CAAA;QAC3E,CAAC;QAED,MAAM,EAAE,GAAG,EAAE,SAAS,EAAE,GAAG,GAAG,EAAE,uBAAuB;YACrD,CAAC,CAAC,MAAM,IAAI,CAAC,iCAAiC,CAAC,YAAY,EAAE,GAAG,CAAC,uBAAuB,EAAE,eAAe,CAAC;YAC1G,CAAC,CAAC,EAAE,GAAG,EAAE,SAAS,EAAE,CAAA;QAEtB,MAAM,EAAE,IAAI,EAAE,UAAU,EAAE,GAAG,IAAI,EAAE,KAAK;YACtC,CAAC,CAAC,MAAM,IAAI,CAAC,iBAAiB,CAAC,YAAY,EAAE,IAAI,CAAC,KAAK,EAAE,eAAe,CAAC;YACzE,CAAC,CAAC,EAAE,IAAI,EAAE,SAAS,EAAE,CAAA;QAEvB,YAAY,CAAC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,gCAAgC,CAAC,CAAA;QAClE,YAAY,CAAC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,YAAY,OAAO,GAAG,CAAC,CAAA;QAExD,OAAO;YACL,oBAAoB,EAAE,mBAAmB;YACzC,oBAAoB,EAAE,SAAS;YAC/B,IAAI,EAAE,UAAU;YAChB,MAAM,EAAE,OAAO,EAAE,MAAM;SACxB,CAAA;IACH,CAAC;IAEO,KAAK,CAAC,0CAA0C,CACtD,IAEC,EACD,eAAgC;QAEhC,gEAAgE;QAChE,kEAAkE;QAClE,MAAM,sBAAsB,GAAa,EAAE,CAAA;QAC3C,KAAK,MAAM,OAAO,IAAI,eAAe,EAAE,CAAC;YACtC,gFAAgF;YAChF,wCAAwC;YACxC,MAAM,wBAAwB,GAAG,OAAO,CAAC,cAAc,CAAC,IAAI,CAAC,CAAC,YAAY,EAAE,EAAE,CAAC,IAAI,CAAC,WAAW,CAAC,YAAY,CAAC,CAAC,CAAA;YAE9G,IAAI,CAAC,wBAAwB,EAAE,CAAC;gBAC9B,MAAM,IAAI,iBAAU,CAAC,0FAA0F,CAAC,CAAA;YAClH,CAAC;YAED,sBAAsB,CAAC,IAAI,CAAC,wBAAwB,CAAC,CAAA;QACvD,CAAC;QAED,OAAO,sBAAsB,CAAA;IAC/B,CAAC;IAEO,KAAK,CAAC,wCAAwC,CACpD,oBAEC,EACD,eAAgC;QAEhC,gEAAgE;QAChE,kEAAkE;QAClE,MAAM,qCAAqC,GAAa,EAAE,CAAA;QAC1D,KAAK,MAAM,OAAO,IAAI,eAAe,EAAE,CAAC;YACtC,gFAAgF;YAChF,wCAAwC;YACxC,MAAM,4BAA4B,GAAG,OAAO,CAAC,cAAc,CAAC,IAAI,CAC9D,CAAC,YAAY,EAAE,EAAE,CAAC,oBAAoB,CAAC,WAAW,CAAC,YAAY,CAAC,CACjE,CAAA;YAED,IAAI,CAAC,4BAA4B,EAAE,CAAC;gBAClC,MAAM,IAAI,iBAAU,CAAC,0FAA0F,CAAC,CAAA;YAClH,CAAC;YAED,qCAAqC,CAAC,IAAI,CAAC,4BAA4B,CAAC,CAAA;QAC1E,CAAC;QAED,OAAO,qCAAqC,CAAA;IAC9C,CAAC;IAEM,KAAK,CAAC,0BAA0B,CACrC,YAA0B,EAC1B,OAAuD;QAEvD,MAAM,EAAE,oBAAoB,EAAE,oBAAoB,EAAE,IAAI,EAAE,GAAG,OAAO,CAAA;QAEpE,MAAM,0BAA0B,GAAG,MAAM,YAAY,CAAC,MAAM,CAAC,aAAa,EAAE,CAAA;QAC5E,MAAM,KAAK,GAAG,oBAAoB,CAAC,OAAO,CAAC,KAAK,CAAA;QAChD,MAAM,QAAQ,GAAG,oBAAoB,CAAC,MAAM,CAAC,aAAa,CAAA;QAE1D,IAAI,gBAAoG,CAAA;QACxG,IAAI,IAAA,gDAAoC,EAAC,oBAAoB,CAAC,OAAO,CAAC,EAAE,CAAC;YACvE,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC;gBACpB,MAAM,IAAI,iBAAU,CAAC,wFAAwF,CAAC,CAAA;YAChH,CAAC;YACD,gBAAgB,GAAG,EAAE,IAAI,EAAE,gBAAgB,EAAE,QAAQ,EAAE,MAAM,EAAE,OAAO,CAAC,MAAM,EAAE,sBAAsB,EAAE,KAAK,EAAE,CAAA;QAChH,CAAC;aAAM,CAAC;YACN,MAAM,WAAW,GAAG,oBAAoB,CAAC,OAAO,CAAC,YAAY,IAAI,oBAAoB,CAAC,OAAO,CAAC,YAAY,CAAA;YAC1G,IAAI,CAAC,WAAW,EAAE,CAAC;gBACjB,MAAM,IAAI,iBAAU,CAClB,2FAA2F,CAC5F,CAAA;YACH,CAAC;YAED,gBAAgB,GAAG;gBACjB,IAAI,EAAE,WAAW;gBACjB,kBAAkB,EAAE,0BAA0B;gBAC9C,WAAW;gBACX,QAAQ;gBACR,sBAAsB,EAAE,KAAK;aAC9B,CAAA;QACH,CAAC;QAED,IAAI,OAA2G,CAAA;QAC/G,IAAI,sBAAsB,GAAkD,SAAS,CAAA;QAErF,oCAAoC;QACpC,IAAI,oBAAoB,CAAC,GAAG,IAAI,oBAAoB,EAAE,CAAC;YACrD,IAAI,CAAC,oBAAoB,EAAE,CAAC;gBAC1B,MAAM,IAAI,iBAAU,CAClB,mIAAmI,CACpI,CAAA;YACH,CAAC;YACD,IAAI,CAAC,oBAAoB,CAAC,GAAG,EAAE,CAAC;gBAC9B,MAAM,IAAI,iBAAU,CAClB,4GAA4G,CAC7G,CAAA;YACH,CAAC;YAED,MAAM,EAAE,sBAAsB,EAAE,uBAAuB,EAAE,8BAA8B,EAAE,GACvF,MAAM,IAAI,CAAC,2BAA2B,CAAC,kBAAkB,CAAC,YAAY,EAAE;gBACtE,6BAA6B,EAAE,oBAAoB,CAAC,WAAW;gBAC/D,4BAA4B,EAAE,oBAAoB,CAAC,eAAe;oBAChE,CAAC,CAAC;wBACE,WAAW,EAAE,MAAM,IAAI,CAAC,wCAAwC,CAC9D,oBAAoB,EACpB,oBAAoB,CAAC,eAAe,CACrC;wBACD,eAAe,EAAE,oBAAoB,CAAC,eAAe;qBACtD;oBACH,CAAC,CAAC,SAAS;gBACb,sBAAsB,EAAE,oBAAoB,CAAC,GAAG;qBAC7C,uBAAuE;gBAC1E,SAAS,EAAE,KAAK;gBAChB,MAAM,EAAE,QAAQ;gBAChB,8BAA8B,EAAE,gDAAyC,CAAC,QAAQ;gBAClF,SAAS,EAAE,gBAAgB;aAC5B,CAAC,CAAA;YAEJ,OAAO;gBACL,8BAA8B,CAAC,MAAM,KAAK,CAAC,IAAI,uBAAuB,EAAE,cAAc,CAAC,CAAC,CAAC,EAAE,IAAI,KAAK,GAAG;oBACrG,CAAC,CAAC,8BAA8B,CAAC,CAAC,CAAC;oBACnC,CAAC,CAAC,8BAA8B,CAAA;YACpC,sBAAsB,GAAG,uBAAuB,CAAA;QAClD,CAAC;aAAM,IAAI,oBAAoB,CAAC,IAAI,IAAI,IAAI,EAAE,CAAC;YAC7C,IAAI,CAAC,oBAAoB,CAAC,IAAI,EAAE,CAAC;gBAC/B,MAAM,IAAI,iBAAU,CAAC,iFAAiF,CAAC,CAAA;YACzG,CAAC;YACD,IAAI,CAAC,IAAI,EAAE,CAAC;gBACV,MAAM,IAAI,iBAAU,CAClB,wGAAwG,CACzG,CAAA;YACH,CAAC;YAED,MAAM,EAAE,uBAAuB,EAAE,GAAG,MAAM,IAAI,CAAC,WAAW,CAAC,kBAAkB,CAAC,YAAY,EAAE;gBAC1F,2BAA2B,EAAE,IAAI,CAAC,WAAW;gBAC7C,4BAA4B,EAAE,oBAAoB,CAAC,eAAe;oBAChE,CAAC,CAAC;wBACE,WAAW,EAAE,MAAM,IAAI,CAAC,0CAA0C,CAChE,IAAI,EACJ,oBAAoB,CAAC,eAAe,CACrC;wBACD,eAAe,EAAE,oBAAoB,CAAC,eAAe;qBACtD;oBACH,CAAC,CAAC,SAAS;gBACb,SAAS,EAAE,KAAK;gBAChB,MAAM,EAAE,QAAQ;gBAChB,SAAS,EAAE,gBAAgB;aAC5B,CAAC,CAAA;YAEF,OAAO,GAAG,uBAAuB,CAAA;QACnC,CAAC;aAAM,CAAC;YACN,MAAM,IAAI,iBAAU,CAAC,qCAAqC,CAAC,CAAA;QAC7D,CAAC;QAED,MAAM,eAAe,GAAG,IAAI,CAAC,kBAAkB,CAAC,YAAY,CAAC,CAAA;QAC7D,MAAM,QAAQ,GAAG,MAAM,eAAe,CAAC,oCAAoC,CAAC;YAC1E,aAAa,EAAE,oBAAoB,CAAC,OAAO;YAC3C,cAAc,EAAE;gBACd,QAAQ,EAAE,OAAO;gBACjB,uBAAuB,EAAE,sBAAsB;aAChD;YACD,IAAI,EACF,oBAAoB,CAAC,OAAO,CAAC,aAAa,IAAI,IAAA,8BAAkB,EAAC,oBAAoB,CAAC,OAAO,CAAC,aAAa,CAAC;gBAC1G,CAAC,CAAC;oBACE,UAAU,EAAE,EAAE,KAAK,EAAE,0BAA0B,EAAE;oBACjD,cAAc,EAAE;wBACd,0CAA0C,EAAE,CAAC,OAAO,CAAC;wBACrD,6CAA6C,EAAE,CAAC,SAAS,CAAC;wBAC1D,6CAA6C,EAAE,CAAC,SAAS,EAAE,SAAS,EAAE,eAAe,CAAC;qBACvF;iBACF;gBACH,CAAC,CAAC,SAAS;SAChB,CAAC,CAAA;QAEF,MAAM,4BAA4B,GAAG,QAAQ,CAAC,cAE7C,CAAA;QACD,MAAM,qBAAqB,GAAG,QAAQ,CAAC,IAAI,EAAE,WAAW;YACtD,CAAC,CAAC,EAAE,QAAQ,EAAE,QAAQ,CAAC,IAAI,CAAC,WAAW,EAAE;YACzC,CAAC,CAAC,4BAA4B,CAAA;QAEhC,yDAAyD;QACzD,gEAAgE;QAChE,sCAAsC;QACtC,IAAI,IAAA,gDAAoC,EAAC,oBAAoB,CAAC,OAAO,CAAC,EAAE,CAAC;YACvE,OAAO;gBACL,EAAE,EAAE,IAAI;gBACR,qBAAqB;gBACrB,4BAA4B;aACpB,CAAA;QACZ,CAAC;QAED,MAAM,MAAM,GAAG,MAAM,eAAe,CAAC,oCAAoC,CAAC;YACxE,OAAO,EAAE,oBAAoB,CAAC,OAAO;YACrC,QAAQ,EAAE,QAAQ,CAAC,cAAc;YACjC,IAAI,EAAE,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,QAAQ,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,SAAS;SAC7E,CAAC,CAAA;QAEF,MAAM,YAAY,GAAG,MAAM,MAAM,CAAC,QAAQ;aACvC,KAAK,EAAE;aACP,IAAI,EAAE;aACN,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAA;QAEpB,MAAM,YAAY,GAAG,CAAC,MAAM,MAAM,CAAC,QAAQ;aACxC,KAAK,EAAE;aACP,IAAI,EAAE;aACN,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAmC,CAAA;QAEvD,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACxB,OAAO;gBACL,EAAE,EAAE,KAAK;gBACT,cAAc,EAAE;oBACd,MAAM,EAAE,MAAM,CAAC,QAAQ,CAAC,MAAM;oBAC9B,IAAI,EAAE,YAAY,IAAI,YAAY;iBACnC;gBACD,qBAAqB;gBACrB,4BAA4B;aACpB,CAAA;QACZ,CAAC;QAED,OAAO;YACL,EAAE,EAAE,IAAI;YACR,cAAc,EAAE;gBACd,MAAM,EAAE,MAAM,CAAC,QAAQ,CAAC,MAAM;gBAC9B,IAAI,EAAE,YAAY,IAAI,EAAE;aACzB;YACD,qBAAqB;YACrB,4BAA4B;YAC5B,WAAW,EAAE,YAAY,EAAE,YAAkC;YAC7D,iCAAiC,EAAE,YAAY,EAAE,oCAA0D;SACnG,CAAA;IACZ,CAAC;CACF,CAAA;AArXY,gEAA0B;qCAA1B,0BAA0B;IADtC,IAAA,iBAAU,GAAE;qCAG4B,qCAA8B;QAC9C,kBAAW;GAHvB,0BAA0B,CAqXtC"}
+{"version":3,"file":"OpenId4vcSiopHolderService.js","sourceRoot":"","sources":["../../src/openid4vc-holder/OpenId4vcSiopHolderService.ts"],"names":[],"mappings":";;;;;;;;;;;;AAaA,yCAeuB;AACvB,2DAAwH;AAExH,mDAAuE;AACvE,2CAA0G;AAGnG,IAAM,0BAA0B,GAAhC,MAAM,0BAA0B;IACrC,YAA2B,2BAA2D;QAA3D,gCAA2B,GAA3B,2BAA2B,CAAgC;IAAG,CAAC;IAEnF,KAAK,CAAC,2BAA2B,CACtC,YAA0B,EAC1B,eAAuB,EACvB,mBAA8C;QAE9C,MAAM,cAAc,GAAG,MAAM,IAAI,CAAC,iBAAiB,CAAC,YAAY,EAAE,mBAAmB,CAAC,CAAA;QAEtF,8DAA8D;QAC9D,MAAM,4BAA4B,GAAG,MAAM,cAAc,CAAC,0BAA0B,CAAC,eAAe,CAAC,CAAA;QAErG,YAAY,CAAC,MAAM,CAAC,MAAM,CAAC,KAAK,CAC9B,mDAAmD,4BAA4B,CAAC,MAAM,GAAG,CAC1F,CAAA;QACD,YAAY,CAAC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,oBAAoB,eAAe,GAAG,CAAC,CAAA;QAExE,IACE,4BAA4B,CAAC,uBAAuB;YACpD,4BAA4B,CAAC,uBAAuB,CAAC,MAAM,GAAG,CAAC,EAC/D,CAAC;YACD,MAAM,IAAI,iBAAU,CAAC,qDAAqD,CAAC,CAAA;QAC7E,CAAC;QAED,MAAM,sBAAsB,GAAG,4BAA4B,CAAC,uBAAuB,EAAE,CAAC,CAAC,CAAC,EAAE,UAAU,CAAA;QAEpG,OAAO;YACL,oBAAoB,EAAE,4BAA4B;YAElD,kDAAkD;YAClD,oBAAoB,EAAE,sBAAsB;gBAC1C,CAAC,CAAC;oBACE,UAAU,EAAE,sBAAsB;oBAClC,qBAAqB,EAAE,MAAM,IAAI,CAAC,2BAA2B,CAAC,wBAAwB,CACpF,YAAY,EACZ,sBAAsB,CACvB;iBACF;gBACH,CAAC,CAAC,SAAS;SACd,CAAA;IACH,CAAC;IAEM,KAAK,CAAC,0BAA0B,CACrC,YAA0B,EAC1B,OAAuD;QAEvD,MAAM,EAAE,oBAAoB,EAAE,oBAAoB,EAAE,GAAG,OAAO,CAAA;QAC9D,IAAI,iBAAiB,GAAG,OAAO,CAAC,iBAAiB,CAAA;QACjD,IAAI,2BAA2B,GAAiD,SAAS,CAAA;QAEzF,MAAM,YAAY,GAAG,MAAM,oBAAoB,CAAC,oBAAoB,CAAC,oBAAoB,CAAC,4BAAY,CAAC,QAAQ,CAAC,CAAA;QAChH,MAAM,0BAA0B,GAAG,MAAM,YAAY,CAAC,MAAM,CAAC,aAAa,EAAE,CAAA;QAE5E,oCAAoC;QACpC,IAAI,oBAAoB,CAAC,uBAAuB,IAAI,oBAAoB,CAAC,uBAAuB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC5G,IAAI,CAAC,oBAAoB,EAAE,CAAC;gBAC1B,MAAM,IAAI,iBAAU,CAClB,mIAAmI,CACpI,CAAA;YACH,CAAC;YAED,MAAM,KAAK,GAAG,MAAM,oBAAoB,CAAC,oBAAoB,CAAC,iBAAiB,CAAS,OAAO,CAAC,CAAA;YAChG,IAAI,CAAC,KAAK,EAAE,CAAC;gBACX,MAAM,IAAI,iBAAU,CAAC,sDAAsD,CAAC,CAAA;YAC9E,CAAC;YAED,MAAM,QAAQ,GAAG,MAAM,oBAAoB,CAAC,oBAAoB,CAAC,iBAAiB,CAAS,WAAW,CAAC,CAAA;YACvG,IAAI,CAAC,QAAQ,EAAE,CAAC;gBACd,MAAM,IAAI,iBAAU,CAAC,0DAA0D,CAAC,CAAA;YAClF,CAAC;YAED,MAAM,WAAW,GACf,CAAC,MAAM,oBAAoB,CAAC,oBAAoB,CAAC,iBAAiB,CAAS,cAAc,CAAC,CAAC;gBAC3F,CAAC,MAAM,oBAAoB,CAAC,oBAAoB,CAAC,iBAAiB,CAAS,cAAc,CAAC,CAAC,CAAA;YAC7F,IAAI,CAAC,WAAW,EAAE,CAAC;gBACjB,MAAM,IAAI,iBAAU,CAAC,6DAA6D,CAAC,CAAA;YACrF,CAAC;YAED,MAAM,EAAE,uBAAuB,EAAE,sBAAsB,EAAE,GACvD,MAAM,IAAI,CAAC,2BAA2B,CAAC,kBAAkB,CAAC,YAAY,EAAE;gBACtE,6BAA6B,EAAE,oBAAoB,CAAC,WAAW;gBAC/D,sBAAsB,EAAE,oBAAoB,CAAC,uBAAuB,CAAC,CAAC,CAAC,CAAC,UAAU;gBAClF,SAAS,EAAE,KAAK;gBAChB,MAAM,EAAE,QAAQ;gBAChB,8BAA8B,EAAE,gDAAyC,CAAC,QAAQ;gBAClF,SAAS,EAAE;oBACT,kBAAkB,EAAE,0BAA0B;oBAC9C,WAAW;iBACZ;aACF,CAAC,CAAA;YAEJ,2BAA2B,GAAG;gBAC5B,uBAAuB,EAAE,uBAAuB,CAAC,GAAG,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,IAAA,6CAAiC,EAAC,EAAE,CAAC,CAAC;gBACnG,sBAAsB;gBACtB,eAAe,EAAE,+BAAe,CAAC,sBAAsB;aACxD,CAAA;YAED,IAAI,YAAY,IAAI,CAAC,iBAAiB,EAAE,CAAC;gBACvC,iBAAiB,GAAG,IAAI,CAAC,8CAA8C,CAAC,uBAAuB,CAAC,CAAC,CAAC,CAAC,CAAA;YACrG,CAAC;QACH,CAAC;aAAM,IAAI,OAAO,CAAC,oBAAoB,EAAE,CAAC;YACxC,MAAM,IAAI,iBAAU,CAClB,4GAA4G,CAC7G,CAAA;QACH,CAAC;QAED,IAAI,YAAY,EAAE,CAAC;YACjB,IAAI,CAAC,iBAAiB,EAAE,CAAC;gBACvB,MAAM,IAAI,iBAAU,CAClB,oJAAoJ,CACrJ,CAAA;YACH,CAAC;YAED,IAAI,CAAC,sBAAsB,CAAC,oBAAoB,EAAE,iBAAiB,CAAC,CAAA;QACtE,CAAC;QAED,MAAM,SAAS,GACb,YAAY,IAAI,iBAAiB;YAC/B,CAAC,CAAC,MAAM,IAAA,oCAA4B,EAAC,YAAY,EAAE,iBAAiB,CAAC;YACrE,CAAC,CAAC,SAAS,CAAA;QAEf,MAAM,cAAc,GAAG,MAAM,IAAI,CAAC,iBAAiB,CAAC,YAAY,CAAC,CAAA;QACjE,MAAM,sCAAsC,GAAG,MAAM,cAAc,CAAC,2BAA2B,CAC7F,oBAAoB,EACpB;YACE,SAAS;YACT,oBAAoB,EAAE,2BAA2B;YACjD,+FAA+F;YAC/F,QAAQ,EAAE,oBAAoB,CAAC,2BAA2B,CAAC,SAAS;SACrE,CACF,CAAA;QAED,MAAM,6BAA6B,GAAG,CAAC,0BAAkC,EAAE,EAAE;YAC3E,OAAO,KAAK,EAAE,IAGb,EAAE,EAAE;gBACH,MAAM,EAAE,4BAA4B,EAAE,oBAAoB,EAAE,GAAG,IAAI,CAAA;gBAEnE,MAAM,GAAG,GAAG,MAAM,kBAAE,CAAC,gCAAgC,CAAC,oBAAoB,CAAC,eAAe,CAAC,CAAA;gBAC3F,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC;oBACb,MAAM,IAAI,iBAAU,CAAC,qBAAqB,CAAC,CAAA;gBAC7C,CAAC;gBAED,MAAM,iBAAiB,GAAG,kBAAE,CAAC,oBAAoB,CAAC;oBAChD,eAAe,EAAE,oBAAoB,CAAC,eAAe;oBACrD,eAAe,EAAE;wBACf,6CAA6C,EAAE,CAAC,SAAS,CAAC;wBAC1D,6CAA6C,EAAE,CAAC,SAAS,EAAE,eAAe,CAAC;qBAC5E;iBACF,CAAC,CAAA;gBAEF,IAAI,iBAAiB,CAAC,IAAI,KAAK,WAAW,EAAE,CAAC;oBAC3C,MAAM,IAAI,iBAAU,CAAC,8CAA8C,CAAC,CAAA;gBACtE,CAAC;gBAED,2DAA2D;gBAC3D,MAAM,KAAK,GAAG,oBAAoB,CAAC,OAAO,EAAE,KAAK,CAAA;gBACjD,IAAI,CAAC,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;oBACxC,MAAM,IAAI,iBAAU,CAAC,gDAAgD,CAAC,CAAA;gBACxE,CAAC;gBAED,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,mBAAmB,CAAC,YAAY,EAAE;oBACvD,OAAO,EAAE,GAAc;oBACvB,OAAO,EAAE,4BAA4B;oBACrC,yBAAyB,EAAE,KAAK;oBAChC,GAAG,EAAE,iBAAiB,CAAC,eAAe,CAAC,oCAAoC;oBAC3E,GAAG,EAAE,iBAAiB,CAAC,eAAe,CAAC,oCAAoC;oBAC3E,0BAA0B;iBAC3B,CAAC,CAAA;gBAEF,OAAO,EAAE,QAAQ,EAAE,GAAG,EAAE,CAAA;YAC1B,CAAC,CAAA;QACH,CAAC,CAAA;QACD,MAAM,QAAQ,GAAG,MAAM,cAAc,CAAC,2BAA2B,CAC/D,sCAAsC,EACtC,6BAA6B,CAAC,0BAA0B,CAAC,CAC1D,CAAA;QACD,MAAM,YAAY,GAAG,MAAM,QAAQ;aAChC,KAAK,EAAE;aACP,IAAI,EAAE;aACN,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAA;QACpB,MAAM,YAAY,GAAG,CAAC,MAAM,QAAQ;aACjC,KAAK,EAAE;aACP,IAAI,EAAE;aACN,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAmC,CAAA;QAEvD,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,OAAO;gBACL,EAAE,EAAE,KAAK;gBACT,cAAc,EAAE;oBACd,MAAM,EAAE,QAAQ,CAAC,MAAM;oBACvB,IAAI,EAAE,YAAY,IAAI,YAAY;iBACnC;gBACD,iBAAiB,EAAE,sCAAsC,CAAC,QAAQ,CAAC,OAAO;aAClE,CAAA;QACZ,CAAC;QAED,OAAO;YACL,EAAE,EAAE,IAAI;YACR,cAAc,EAAE;gBACd,MAAM,EAAE,QAAQ,CAAC,MAAM;gBACvB,IAAI,EAAE,YAAY,IAAI,EAAE;aACzB;YACD,iBAAiB,EAAE,sCAAsC,CAAC,QAAQ,CAAC,OAAO;YAE1E,WAAW,EAAE,YAAY,EAAE,YAAkC;YAC7D,iCAAiC,EAAE,YAAY,EAAE,oCAA0D;SACnG,CAAA;IACZ,CAAC;IAEO,KAAK,CAAC,iBAAiB,CAAC,YAA0B,EAAE,mBAA8C;QACxG,MAAM,OAAO,GAAG,kBAAE,CAAC,OAAO,EAAE;aACzB,aAAa,CAAC,IAAI,CAAC;aACnB,UAAU,CAAC,2BAAW,CAAC,cAAc,CAAC;aACtC,gBAAgB,CAAC,4BAAY,CAAC,IAAI,CAAC;aACnC,qBAAqB,CAAC;YACrB,gCAAgB,CAAC,UAAU;YAC3B,gCAAgB,CAAC,qBAAqB;YACtC,gCAAgB,CAAC,qBAAqB;SACvC,CAAC;aACD,qBAAqB,CAAC,IAAA,4BAAoB,EAAC,YAAY,CAAC,CAAC;aACzD,qBAAqB,CAAC,IAAA,4BAAoB,EAAC,YAAY,EAAE,mBAAmB,CAAC,CAAC;aAC9E,UAAU,CAAC,aAAM,CAAC,IAAI,CAAC,CAAA;QAE1B,MAAM,cAAc,GAAG,OAAO,CAAC,KAAK,EAAE,CAAA;QAEtC,OAAO,cAAc,CAAA;IACvB,CAAC;IAEO,8CAA8C,CACpD,sBAA8C;QAE9C,IAAI,iBAAqC,CAAA;QAEzC,IAAI,sBAAsB,YAAY,sCAA+B,EAAE,CAAC;YACtE,MAAM,CAAC,UAAU,CAAC,GAAG,IAAA,cAAO,EAAC,sBAAsB,CAAC,KAAK,CAAC,CAAA;YAC1D,IAAI,CAAC,UAAU;gBAAE,MAAM,IAAI,iBAAU,CAAC,kDAAkD,CAAC,CAAA;YAEzF,IAAI,CAAC,UAAU,CAAC,kBAAkB,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;gBACtD,MAAM,IAAI,iBAAU,CAClB,iIAAiI,CAClI,CAAA;YACH,CAAC;YAED,iBAAiB,GAAG;gBAClB,MAAM,EAAE,KAAK;gBACb,MAAM,EAAE,UAAU,CAAC,kBAAkB;aACtC,CAAA;QACH,CAAC;aAAM,IAAI,sBAAsB,YAAY,mCAA4B,EAAE,CAAC;YAC1E,MAAM,GAAG,GAAG,sBAAsB,CAAC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAA;YAEjD,IAAI,CAAC,GAAG;gBAAE,MAAM,IAAI,iBAAU,CAAC,kEAAkE,CAAC,CAAA;YAClG,IAAI,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,sBAAsB,CAAC,YAAY,CAAC,QAAQ,EAAE,CAAC;gBACxE,iBAAiB,GAAG;oBAClB,MAAM,EAAE,GAAG,sBAAsB,CAAC,YAAY,CAAC,QAAQ,GAAG,GAAG,EAAE;oBAC/D,MAAM,EAAE,KAAK;iBACd,CAAA;YACH,CAAC;iBAAM,IAAI,GAAG,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;gBAClC,iBAAiB,GAAG;oBAClB,MAAM,EAAE,GAAG;oBACX,MAAM,EAAE,KAAK;iBACd,CAAA;YACH,CAAC;iBAAM,CAAC;gBACN,MAAM,IAAI,iBAAU,CAClB,4IAA4I,CAC7I,CAAA;YACH,CAAC;QACH,CAAC;aAAM,IAAI,sBAAsB,YAAY,yBAAkB,EAAE,CAAC;YAChE,MAAM,IAAI,iBAAU,CAAC,qDAAqD,CAAC,CAAA;QAC7E,CAAC;aAAM,CAAC;YACN,MAAM,GAAG,GAAG,sBAAsB,CAAC,OAAO,CAAC,GAAG,CAAA;YAC9C,qFAAqF;YACrF,IACE,CAAC,GAAG;gBACJ,OAAO,GAAG,KAAK,QAAQ;gBACvB,CAAC,CAAC,KAAK,IAAI,GAAG,CAAC;gBACf,OAAO,GAAG,CAAC,GAAG,KAAK,QAAQ;gBAC3B,CAAC,GAAG,CAAC,GAAG,CAAC,UAAU,CAAC,MAAM,CAAC;gBAC3B,CAAC,GAAG,CAAC,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,EACtB,CAAC;gBACD,MAAM,IAAI,iBAAU,CAClB,+LAA+L,CAChM,CAAA;YACH,CAAC;YAED,iBAAiB,GAAG;gBAClB,MAAM,EAAE,GAAG,CAAC,GAAG;gBACf,MAAM,EAAE,KAAK;aACd,CAAA;QACH,CAAC;QAED,OAAO,iBAAiB,CAAA;IAC1B,CAAC;IAEO,sBAAsB,CAC5B,oBAAkD,EAClD,iBAAqC;QAErC,MAAM,2BAA2B,GAAG,oBAAoB,CAAC,2BAA2B,CAAC,8BAA8B,CAAA;QACnH,IAAI,CAAC,2BAA2B,EAAE,CAAC;YACjC,MAAM,IAAI,iBAAU,CAClB,gHAAgH,CACjH,CAAA;QACH,CAAC;QAED,IAAI,yBAAyB,GAAa,EAAE,CAAA;QAC5C,IAAI,iBAAiB,CAAC,MAAM,KAAK,KAAK,EAAE,CAAC;YACvC,MAAM,SAAS,GAAG,IAAA,eAAQ,EAAC,iBAAiB,CAAC,MAAM,CAAC,CAAA;YAEpD,8DAA8D;YAC9D,yBAAyB,GAAG,CAAC,OAAO,SAAS,CAAC,MAAM,EAAE,EAAE,KAAK,CAAC,CAAA;QAChE,CAAC;aAAM,IAAI,iBAAiB,CAAC,MAAM,KAAK,KAAK,EAAE,CAAC;YAC9C,yBAAyB,GAAG,CAAC,sCAAsC,CAAC,CAAA;QACtE,CAAC;aAAM,CAAC;YACN,MAAM,IAAI,iBAAU,CAAC,uEAAuE,CAAC,CAAA;QAC/F,CAAC;QAED,+EAA+E;QAC/E,IAAI,CAAC,yBAAyB,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,2BAA2B,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,EAAE,CAAC;YAChG,MAAM,IAAI,iBAAU,CAClB;gBACE,uEAAuE;gBACvE,oCAAoC,2BAA2B,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG;aAC9E,CAAC,IAAI,CAAC,IAAI,CAAC,CACb,CAAA;QACH,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,mBAAmB,CAC/B,YAA0B,EAC1B,OAOC;QAED,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,GAAG,OAAO,CAAA;QACpC,MAAM,GAAG,GAAG,IAAA,qBAAc,EAAC,OAAO,CAAC,CAAA;QACnC,MAAM,GAAG,GAAG,GAAG,CAAC,GAAG,CAAA;QAEnB,IAAI,CAAC,YAAY,CAAC,MAAM,CAAC,6BAA6B,EAAE,CAAC;YACvD,MAAM,IAAI,iBAAU,CAClB,sIAAsI,CACvI,CAAA;QACH,CAAC;QAED,IAAI,OAAO,CAAC,GAAG,KAAK,SAAS,EAAE,CAAC;YAC9B,MAAM,IAAI,iBAAU,CAAC,yEAAyE,CAAC,CAAA;QACjG,CAAC;QAED,IAAI,OAAO,CAAC,GAAG,KAAK,SAAS,IAAI,OAAO,CAAC,GAAG,KAAK,eAAe,EAAE,CAAC;YACjE,MAAM,IAAI,iBAAU,CAClB,8FAA8F,CAC/F,CAAA;QACH,CAAC;QAED,IAAI,GAAG,CAAC,OAAO,KAAK,cAAO,CAAC,IAAI,EAAE,CAAC;YACjC,MAAM,IAAI,iBAAU,CAAC,SAAS,cAAO,CAAC,IAAI,sDAAsD,CAAC,CAAA;QACnG,CAAC;QAED,MAAM,IAAI,GAAG,aAAM,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC,CAAA;QACjD,MAAM,GAAG,GAAG,MAAM,YAAY,CAAC,MAAM,CAAC,6BAA6B,CAAC;YAClE,IAAI;YACJ,YAAY,EAAE,GAAG;YACjB,MAAM,EAAE;gBACN,GAAG,EAAE,OAAO,CAAC,GAAG;aACjB;YACD,mBAAmB,EAAE,OAAO,CAAC,GAAG;YAChC,GAAG,EAAE,wBAAiB,CAAC,WAAW,CAAC,wBAAiB,CAAC,UAAU,CAAC,OAAO,CAAC,0BAA0B,CAAC,CAAC;YACpG,GAAG,EAAE,wBAAiB,CAAC,WAAW,CAAC,wBAAiB,CAAC,UAAU,CAAC,OAAO,CAAC,yBAAyB,CAAC,CAAC;SACpG,CAAC,CAAA;QAEF,OAAO,GAAG,CAAA;IACZ,CAAC;CACF,CAAA;AA3XY,gEAA0B;qCAA1B,0BAA0B;IADtC,IAAA,iBAAU,GAAE;qCAE6C,qCAA8B;GAD3E,0BAA0B,CA2XtC"}