@credo-ts/openid4vc 0.6.0-pr-2195-20250226100854 → 0.6.0-pr-2195-20250321180923

package/build/openid4vc-verifier/OpenId4VcSiopVerifierService.js

@@ -1,806 +0,0 @@
-"use strict";
-var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
-    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
-    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
-    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
-    return c > 3 && r && Object.defineProperty(target, key, r), r;
-};
-var __metadata = (this && this.__metadata) || function (k, v) {
-    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
-};
-var __param = (this && this.__param) || function (paramIndex, decorator) {
-    return function (target, key) { decorator(target, key, paramIndex); }
-};
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.OpenId4VcSiopVerifierService = void 0;
-const core_1 = require("@credo-ts/core");
-const oauth2_1 = require("@openid4vc/oauth2");
-const openid4vp_1 = require("@openid4vc/openid4vp");
-const callbacks_1 = require("../shared/callbacks");
-const router_1 = require("../shared/router");
-const utils_1 = require("../shared/utils");
-const OpenId4VcVerificationSessionState_1 = require("./OpenId4VcVerificationSessionState");
-const OpenId4VcVerifierEvents_1 = require("./OpenId4VcVerifierEvents");
-const OpenId4VcVerifierModuleConfig_1 = require("./OpenId4VcVerifierModuleConfig");
-const repository_1 = require("./repository");
-/**
- * @internal
- */
-let OpenId4VcSiopVerifierService = class OpenId4VcSiopVerifierService {
-    constructor(logger, w3cCredentialService, openId4VcVerifierRepository, config, openId4VcVerificationSessionRepository) {
-        this.logger = logger;
-        this.w3cCredentialService = w3cCredentialService;
-        this.openId4VcVerifierRepository = openId4VcVerifierRepository;
-        this.config = config;
-        this.openId4VcVerificationSessionRepository = openId4VcVerificationSessionRepository;
-    }
-    getOpenid4vpVerifier(agentContext) {
-        const callbacks = (0, callbacks_1.getOid4vcCallbacks)(agentContext);
-        const openid4vpClient = new openid4vp_1.Openid4vpVerifier({ callbacks });
-        return openid4vpClient;
-    }
-    async createAuthorizationRequest(agentContext, options) {
-        const nonce = await agentContext.wallet.generateNonce();
-        const state = await agentContext.wallet.generateNonce();
-        const isDcApiRequest = options.responseMode === 'dc_api' || options.responseMode === 'dc_api.jwt';
-        const responseMode = options.responseMode ?? 'direct_post.jwt';
-        // No response url for DC API
-        let authorizationResponseUrl = (0, core_1.joinUriParts)(this.config.baseUrl, [
-            options.verifier.verifierId,
-            this.config.authorizationEndpoint.endpointPath,
-        ]);
-        const jwtIssuer = options.requestSigner.method === 'none'
-            ? undefined
-            : options.requestSigner.method === 'x5c'
-                ? await (0, utils_1.requestSignerToJwtIssuer)(agentContext, {
-                    ...options.requestSigner,
-                    issuer: authorizationResponseUrl,
-                })
-                : await (0, utils_1.requestSignerToJwtIssuer)(agentContext, options.requestSigner);
-        let clientIdScheme;
-        let clientId;
-        if (!jwtIssuer) {
-            if (!isDcApiRequest) {
-                throw new Error("requestSigner method 'none' is only supported for response mode 'dc_api' and 'dc_api.jwt'");
-            }
-            clientIdScheme = 'web-origin';
-            clientId = undefined;
-        }
-        else if (jwtIssuer?.method === 'x5c') {
-            const leafCertificate = core_1.X509Service.getLeafCertificate(agentContext, { certificateChain: jwtIssuer.x5c });
-            if (leafCertificate.sanDnsNames.includes((0, core_1.getDomainFromUrl)(jwtIssuer.issuer))) {
-                clientIdScheme = 'x509_san_dns';
-                clientId = (0, core_1.getDomainFromUrl)(jwtIssuer.issuer);
-                authorizationResponseUrl = jwtIssuer.issuer;
-            }
-            else if (leafCertificate.sanUriNames.includes(jwtIssuer.issuer)) {
-                clientIdScheme = 'x509_san_uri';
-                clientId = jwtIssuer.issuer;
-                authorizationResponseUrl = clientId;
-            }
-            else {
-                throw new core_1.CredoError(`With jwtIssuer 'method' 'x5c' the jwtIssuer's 'issuer' field must either match the match a sanDnsName (FQDN) or sanUriName in the leaf x509 chain's leaf certificate.`);
-            }
-        }
-        else if (jwtIssuer?.method === 'did') {
-            clientId = jwtIssuer.didUrl.split('#')[0];
-            clientIdScheme = 'did';
-        }
-        else {
-            throw new core_1.CredoError(`Unsupported jwt issuer method '${options.requestSigner.method}'. Only 'did' and 'x5c' are supported.`);
-        }
-        // We always use shortened URIs currently
-        const hostedAuthorizationRequestUri = !isDcApiRequest
-            ? (0, core_1.joinUriParts)(this.config.baseUrl, [
-                options.verifier.verifierId,
-                this.config.authorizationRequestEndpoint.endpointPath,
-                // It doesn't really matter what the url is, as long as it's unique
-                core_1.utils.uuid(),
-            ])
-            : // No hosted request needed when using DC API
-                undefined;
-        const client_id = clientIdScheme === 'did' || clientIdScheme === 'https' ? clientId : `${clientIdScheme}:${clientId}`;
-        const client_metadata = await this.getClientMetadata(agentContext, {
-            responseMode,
-            verifier: options.verifier,
-            authorizationResponseUrl,
-        });
-        const requestParamsBase = {
-            nonce,
-            presentation_definition: options.presentationExchange?.definition,
-            dcql_query: options.dcql?.query,
-            transaction_data: options.transactionData?.map((entry) => core_1.JsonEncoder.toBase64URL(entry)),
-            response_mode: responseMode,
-            response_type: 'vp_token',
-            client_metadata,
-        };
-        const authorizationRequestPayload = requestParamsBase.response_mode === 'dc_api.jwt' || requestParamsBase.response_mode === 'dc_api'
-            ? {
-                ...requestParamsBase,
-                // No client_id for unsigned requests
-                client_id: jwtIssuer ? client_id : undefined,
-                response_mode: requestParamsBase.response_mode,
-                expected_origins: options.expectedOrigins,
-            }
-            : {
-                ...requestParamsBase,
-                client_id: client_id,
-                state,
-                response_uri: authorizationResponseUrl,
-            };
-        const openid4vpVerifier = this.getOpenid4vpVerifier(agentContext);
-        const authorizationRequest = await openid4vpVerifier.createOpenId4vpAuthorizationRequest({
-            jar: jwtIssuer
-                ? {
-                    jwtSigner: jwtIssuer,
-                    // FIXME: cast can be removed when PR 41 is merged in oid4vc-ts
-                    requestUri: hostedAuthorizationRequestUri,
-                }
-                : undefined,
-            requestParams: authorizationRequestPayload,
-        });
-        const verificationSession = new repository_1.OpenId4VcVerificationSessionRecord({
-            // Only store payload for unsiged requests
-            authorizationRequestPayload: authorizationRequest.jar ? undefined : authorizationRequestPayload,
-            authorizationRequestJwt: authorizationRequest.jar?.requestObjectJwt,
-            authorizationRequestUri: authorizationRequest.jar?.requestUri,
-            state: OpenId4VcVerificationSessionState_1.OpenId4VcVerificationSessionState.RequestCreated,
-            verifierId: options.verifier.verifierId,
-        });
-        await this.openId4VcVerificationSessionRepository.save(agentContext, verificationSession);
-        this.emitStateChangedEvent(agentContext, verificationSession, null);
-        return {
-            authorizationRequest: authorizationRequest.authRequest,
-            verificationSession,
-            authorizationRequestObject: authorizationRequest.authRequestObject,
-        };
-    }
-    getDcqlVerifiedResponse(agentContext, _dcqlQuery, presentation) {
-        const dcqlService = agentContext.dependencyManager.resolve(core_1.DcqlService);
-        const dcqlQuery = dcqlService.validateDcqlQuery(_dcqlQuery);
-        const dcqlPresentationEntries = Object.entries(presentation);
-        const dcqlPresentation = Object.fromEntries(dcqlPresentationEntries.map((presentation) => {
-            const [credentialId, vpTokenPresentationParseResult] = presentation;
-            return [credentialId, this.decodePresentation(agentContext, { vpTokenPresentationParseResult })];
-        }));
-        const dcqlPresentationResult = dcqlService.assertValidDcqlPresentation(dcqlPresentation, dcqlQuery);
-        return {
-            query: dcqlQuery,
-            presentation: dcqlPresentation,
-            presentationResult: dcqlPresentationResult,
-        };
-    }
-    async parseAuthorizationResponse(agentContext, options) {
-        const { verifierId, responsePayload } = options;
-        if (!options.verificationSession && !options.verifierId) {
-            throw new core_1.CredoError('Either verificationSession or verifierId needs to be provided');
-        }
-        let verificationSession = options.verificationSession;
-        let parsedAuthResponse;
-        let rawResponsePayload = responsePayload;
-        try {
-            parsedAuthResponse = await (0, openid4vp_1.parseOpenid4vpAuthorizationResponse)({
-                responsePayload,
-                callbacks: {
-                    ...(0, callbacks_1.getOid4vcCallbacks)(agentContext),
-                    getOpenid4vpAuthorizationRequest: async (responsePayload) => {
-                        if (!verificationSession) {
-                            const { state, nonce } = responsePayload;
-                            rawResponsePayload = responsePayload;
-                            const session = await this.findVerificationSessionForAuthorizationResponse(agentContext, {
-                                authorizationResponseParams: { state, nonce },
-                                verifierId,
-                            });
-                            if (!session) {
-                                agentContext.config.logger.warn(`No verification session found for incoming authorization response for verifier ${verifierId}`);
-                                throw new core_1.CredoError(`No state or nonce provided in authorization response for verifier ${verifierId}`);
-                            }
-                            verificationSession = session;
-                        }
-                        const authorizationRequest = (0, openid4vp_1.parseOpenid4vpAuthorizationRequestPayload)({
-                            authorizationRequest: verificationSession.request,
-                        });
-                        if (authorizationRequest.type !== 'openid4vp' && authorizationRequest.type !== 'openid4vp_dc_api') {
-                            throw new core_1.CredoError(`Invalid authorization request jwt. Expected 'openid4vp' or 'openid4vp_dc_api' request, received '${authorizationRequest.type}'.`);
-                        }
-                        if (authorizationRequest.params.client_id) {
-                            return {
-                                authorizationRequest: {
-                                    ...authorizationRequest.params,
-                                    client_id: authorizationRequest.params.client_id,
-                                },
-                            };
-                        }
-                        if (!options.origin) {
-                            throw new core_1.CredoError('Origin must be provided when client id is not set.');
-                        }
-                        return {
-                            authorizationRequest: {
-                                ...authorizationRequest.params,
-                                client_id: authorizationRequest.params.client_id ?? `web-origin:${options.origin}`,
-                            },
-                        };
-                    },
-                },
-            });
-        }
-        catch (error) {
-            if (verificationSession?.state === OpenId4VcVerificationSessionState_1.OpenId4VcVerificationSessionState.RequestUriRetrieved ||
-                verificationSession?.state === OpenId4VcVerificationSessionState_1.OpenId4VcVerificationSessionState.RequestCreated) {
-                const parsed = openid4vp_1.zOpenid4vpAuthorizationResponse.safeParse(rawResponsePayload);
-                verificationSession.authorizationResponsePayload = parsed.success ? parsed.data : undefined;
-                verificationSession.errorMessage = error.message;
-                await this.updateState(agentContext, verificationSession, OpenId4VcVerificationSessionState_1.OpenId4VcVerificationSessionState.Error);
-            }
-            throw error;
-        }
-        if (parsedAuthResponse.authResponsePayload.presentation_submission &&
-            typeof parsedAuthResponse.authResponsePayload.presentation_submission === 'string') {
-            const decoded = decodeURIComponent(parsedAuthResponse.authResponsePayload.presentation_submission);
-            const parsed = JSON.parse(decoded);
-            parsedAuthResponse.authResponsePayload.presentation_submission = parsed;
-            if (parsedAuthResponse.type === 'pex') {
-                parsedAuthResponse.pex.presentationSubmission = parsed;
-            }
-        }
-        if (!verificationSession) {
-            throw new core_1.CredoError('Missing verification session, cannot verify authorization response.');
-        }
-        // FIXME: export JarmMode from openid4vp
-        if (parsedAuthResponse.jarm && `${parsedAuthResponse.jarm.type}` !== 'Encrypted') {
-            throw new oauth2_1.Oauth2ServerErrorResponseError({
-                error: oauth2_1.Oauth2ErrorCodes.InvalidRequest,
-                error_description: `Only encrypted JARM responses are supported, received '${parsedAuthResponse.jarm.type}'.`,
-            });
-        }
-        return {
-            ...parsedAuthResponse,
-            verificationSession,
-        };
-    }
-    async verifyAuthorizationResponse(agentContext, options) {
-        const openid4vpVerifier = this.getOpenid4vpVerifier(agentContext);
-        const result = await this.parseAuthorizationResponse(agentContext, {
-            verifierId: options.verifierId,
-            verificationSession: options.verificationSession,
-            responsePayload: options.authorizationResponse,
-            origin: options.origin,
-        });
-        result.verificationSession.assertState([
-            OpenId4VcVerificationSessionState_1.OpenId4VcVerificationSessionState.RequestUriRetrieved,
-            OpenId4VcVerificationSessionState_1.OpenId4VcVerificationSessionState.RequestCreated,
-        ]);
-        const authorizationRequest = result.authRequestPayload;
-        let requestClientId = authorizationRequest.client_id;
-        const responseUri = 'response_uri' in authorizationRequest ? authorizationRequest.response_uri : undefined;
-        const transactionData = authorizationRequest.transaction_data
-            ? openid4vpVerifier.parseTransactionData({ transactionData: authorizationRequest.transaction_data })
-            : undefined;
-        const isDcApiRequest = authorizationRequest.response_mode === 'dc_api' || authorizationRequest.response_mode === 'dc_api.jwt';
-        if (isDcApiRequest) {
-            if (!options.origin)
-                throw new core_1.CredoError('origin is required for Digital Credentials API');
-            if (!requestClientId)
-                requestClientId = `web-origin:${options.origin}`;
-        }
-        else if (!requestClientId) {
-            throw new core_1.CredoError('Missing required client_id');
-        }
-        // validating the id token
-        // verifying the presentations
-        // validating the presentations against the presentation definition
-        // checking the revocation status of the presentations
-        // checking the nonce of the presentations matches the nonce of the request
-        let presentationVerificationResults = [];
-        if (result.type === 'dcql') {
-            const dcqlPresentationEntries = Object.entries(result.dcql.presentation);
-            const presentationVerificationPromises = dcqlPresentationEntries.map(async (presentation) => {
-                const [credentialId, vpTokenPresentationParseResult] = presentation;
-                return await this.verifyPresentations(agentContext, {
-                    correlationId: result.verificationSession.id,
-                    transactionData,
-                    nonce: authorizationRequest.nonce,
-                    audience: requestClientId,
-                    origin: options.origin,
-                    responseUri,
-                    mdocGeneratedNonce: result.jarm?.mdocGeneratedNonce,
-                    verificationSessionRecordId: result.verificationSession.id,
-                    vpTokenPresentationParseResult,
-                    credentialId,
-                });
-            });
-            presentationVerificationResults = await Promise.all(presentationVerificationPromises);
-        }
-        if (result.type === 'pex') {
-            const presentations = result.pex.presentations;
-            const pex = agentContext.dependencyManager.resolve(core_1.DifPresentationExchangeService);
-            pex.validatePresentationDefinition(result.pex.presentationDefinition);
-            pex.validatePresentationSubmission(result.pex.presentationSubmission);
-            const presentationsArray = Array.isArray(presentations) ? presentations : [presentations];
-            const presentationVerificationPromises = presentationsArray.map((presentation) => {
-                const inputDescriptor = result.pex.presentationSubmission.descriptor_map.find((descriptorMapEntry) => descriptorMapEntry.path === presentation.path);
-                if (!inputDescriptor) {
-                    throw new core_1.CredoError(`Could not map transaction data entry to input descriptor.`);
-                }
-                return this.verifyPresentations(agentContext, {
-                    correlationId: result.verificationSession.id,
-                    transactionData,
-                    nonce: authorizationRequest.nonce,
-                    audience: requestClientId,
-                    responseUri,
-                    mdocGeneratedNonce: result.jarm?.mdocGeneratedNonce,
-                    verificationSessionRecordId: result.verificationSession.id,
-                    vpTokenPresentationParseResult: presentation,
-                    credentialId: inputDescriptor.id,
-                });
-            });
-            presentationVerificationResults = await Promise.all(presentationVerificationPromises);
-        }
-        try {
-            const errorMessages = presentationVerificationResults
-                .map((result, index) => (!result.verified ? `\t- [${index}]: ${result.reason}` : undefined))
-                .filter((i) => i !== undefined);
-            if (errorMessages.length > 0) {
-                throw new core_1.CredoError(`One or more presentations failed verification. \n\t${errorMessages.join('\n')}`);
-            }
-            // Validate the presentations against the query
-            if (result.type === 'pex') {
-                const pex = agentContext.dependencyManager.resolve(core_1.DifPresentationExchangeService);
-                const presentations = presentationVerificationResults
-                    .map((p) => (p.verified ? p.presentation : undefined))
-                    .filter((p) => p !== undefined);
-                pex.validatePresentation(
-                // FIXME: type. it should always be an object as we created it
-                result.pex.presentationDefinition, presentations, result.pex.presentationSubmission);
-            }
-            else {
-                const dcql = agentContext.dependencyManager.resolve(core_1.DcqlService);
-                const presentations = presentationVerificationResults.reduce((all, p) => (p.verified ? { ...all, [p.credentialId]: p.presentation } : all), {});
-                // FIXME: type for this parameter
-                // eslint-disable-next-line @typescript-eslint/no-explicit-any
-                dcql.assertValidDcqlPresentation(presentations, result.dcql.query);
-            }
-            const transactionDataMeta = [];
-            for (const result of presentationVerificationResults) {
-                if (result.verified && result.transactionDataMeta) {
-                    transactionDataMeta.push([result.transactionDataMeta.credentialId, result.transactionDataMeta]);
-                }
-            }
-            if (transactionData) {
-                const inputDescriptorToTransactionDataMeta = Object.fromEntries(transactionDataMeta);
-                if (!transactionData.every((tdEntry) => {
-                    return tdEntry.credential_ids.some((credentialId) => inputDescriptorToTransactionDataMeta[credentialId]);
-                })) {
-                    throw new core_1.CredoError('One ore more required transaction data entries were not found in the signed transaction data.');
-                }
-            }
-        }
-        catch (error) {
-            result.verificationSession.errorMessage = error.message;
-            await this.updateState(agentContext, result.verificationSession, OpenId4VcVerificationSessionState_1.OpenId4VcVerificationSessionState.Error);
-            throw error;
-        }
-        result.verificationSession.authorizationResponsePayload = result.authResponsePayload;
-        await this.updateState(agentContext, result.verificationSession, OpenId4VcVerificationSessionState_1.OpenId4VcVerificationSessionState.ResponseVerified);
-        const verifiedAuthorizationResponse = await this.getVerifiedAuthorizationResponse(agentContext, result.verificationSession);
-        return { ...verifiedAuthorizationResponse, verificationSession: result.verificationSession };
-    }
-    async getVerifiedAuthorizationResponse(agentContext, verificationSession) {
-        verificationSession.assertState(OpenId4VcVerificationSessionState_1.OpenId4VcVerificationSessionState.ResponseVerified);
-        if (!verificationSession.authorizationResponsePayload) {
-            throw new core_1.CredoError('No authorization response payload found in the verification session.');
-        }
-        const openid4vpAuthorizationResponsePayload = verificationSession.authorizationResponsePayload;
-        const openid4vpVerifier = this.getOpenid4vpVerifier(agentContext);
-        const authorizationRequest = openid4vpVerifier.parseOpenid4vpAuthorizationRequestPayload({
-            authorizationRequest: verificationSession.request,
-        });
-        if ((authorizationRequest.provided !== 'jwt' && authorizationRequest.provided !== 'params') ||
-            authorizationRequest.type === 'jar') {
-            throw new core_1.CredoError('Invalid authorization request');
-        }
-        const result = openid4vpVerifier.validateOpenid4vpAuthorizationResponse({
-            authorizationRequest: authorizationRequest.params,
-            authorizationResponse: openid4vpAuthorizationResponsePayload,
-        });
-        const transactionData = authorizationRequest.params.transaction_data
-            ? openid4vpVerifier.parseTransactionData({ transactionData: authorizationRequest.params.transaction_data })
-            : undefined;
-        let presentationExchange = undefined;
-        const dcql = result.type === 'dcql'
-            ? this.getDcqlVerifiedResponse(agentContext, authorizationRequest.params.dcql_query, result.dcql.presentation)
-            : undefined;
-        const vpToken = (0, utils_1.parseIfJson)(openid4vpAuthorizationResponsePayload.vp_token);
-        const presentationDefinition = authorizationRequest.params
-            .presentation_definition;
-        if (presentationDefinition) {
-            if (!vpToken) {
-                throw new core_1.CredoError('Missing vp_token in the openid4vp authorization response.');
-            }
-            const rawPresentations = openid4vpVerifier.parsePresentationsFromVpToken({ vpToken });
-            const submission = openid4vpAuthorizationResponsePayload.presentation_submission;
-            if (!submission) {
-                throw new core_1.CredoError('Unable to extract submission from the response.');
-            }
-            const verifiablePresentations = rawPresentations.map((presentation) => this.getPresentationFromVpTokenParseResult(agentContext, presentation));
-            presentationExchange = {
-                definition: presentationDefinition,
-                submission,
-                presentations: verifiablePresentations,
-                descriptors: (0, core_1.extractPresentationsWithDescriptorsFromSubmission)(verifiablePresentations, submission, presentationDefinition),
-            };
-        }
-        if (!presentationExchange && !dcql) {
-            throw new core_1.CredoError('No presentationExchange or dcql found in the response.');
-        }
-        return {
-            presentationExchange,
-            dcql,
-            transactionData,
-        };
-    }
-    /**
-     * Find the verification session associated with an authorization response. You can optionally provide a verifier id
-     * if the verifier that the response is associated with is already known.
-     */
-    async findVerificationSessionForAuthorizationResponse(agentContext, { authorizationResponse, authorizationResponseParams, verifierId, }) {
-        let nonce;
-        let state;
-        if (authorizationResponse) {
-            const state = authorizationResponse.state;
-            if (!state) {
-                throw new core_1.CredoError('Could not extract nonce or state from authorization response. Unable to find OpenId4VcVerificationSession.');
-            }
-        }
-        else {
-            if (!authorizationResponseParams?.nonce && !authorizationResponseParams?.state) {
-                throw new core_1.CredoError('Either nonce or state must be provided if no authorization response is provided. Unable to find OpenId4VcVerificationSession.');
-            }
-            nonce = authorizationResponseParams?.nonce;
-            state = authorizationResponseParams?.state;
-        }
-        const verificationSession = await this.openId4VcVerificationSessionRepository.findSingleByQuery(agentContext, {
-            nonce,
-            payloadState: state,
-            verifierId,
-        });
-        return verificationSession;
-    }
-    async getAllVerifiers(agentContext) {
-        return this.openId4VcVerifierRepository.getAll(agentContext);
-    }
-    async getVerifierByVerifierId(agentContext, verifierId) {
-        return this.openId4VcVerifierRepository.getByVerifierId(agentContext, verifierId);
-    }
-    async updateVerifier(agentContext, verifier) {
-        return this.openId4VcVerifierRepository.update(agentContext, verifier);
-    }
-    async createVerifier(agentContext, options) {
-        const openId4VcVerifier = new repository_1.OpenId4VcVerifierRecord({
-            verifierId: options?.verifierId ?? core_1.utils.uuid(),
-            clientMetadata: options?.clientMetadata,
-        });
-        await this.openId4VcVerifierRepository.save(agentContext, openId4VcVerifier);
-        await (0, router_1.storeActorIdForContextCorrelationId)(agentContext, openId4VcVerifier.verifierId);
-        return openId4VcVerifier;
-    }
-    async findVerificationSessionsByQuery(agentContext, query, queryOptions) {
-        return this.openId4VcVerificationSessionRepository.findByQuery(agentContext, query, queryOptions);
-    }
-    async getVerificationSessionById(agentContext, verificationSessionId) {
-        return this.openId4VcVerificationSessionRepository.getById(agentContext, verificationSessionId);
-    }
-    async getClientMetadata(agentContext, options) {
-        const { responseMode, verifier } = options;
-        const signatureSuiteRegistry = agentContext.dependencyManager.resolve(core_1.SignatureSuiteRegistry);
-        const supportedAlgs = (0, utils_1.getSupportedJwaSignatureAlgorithms)(agentContext);
-        const supportedMdocAlgs = supportedAlgs.filter(core_1.isMdocSupportedSignatureAlgorithm);
-        const supportedProofTypes = signatureSuiteRegistry.supportedProofTypes;
-        // FIXME: we now manually remove did:peer, we should probably allow the user to configure this
-        const supportedDidMethods = agentContext.dependencyManager
-            .resolve(core_1.DidsApi)
-            .supportedResolverMethods.filter((m) => m !== 'peer');
-        let jarmEncryptionJwk;
-        if ((0, openid4vp_1.isJarmResponseMode)(responseMode)) {
-            const key = await agentContext.wallet.createKey({ keyType: core_1.KeyType.P256 });
-            jarmEncryptionJwk = { ...(0, core_1.getJwkFromKey)(key).toJson(), kid: key.fingerprint, use: 'enc' };
-        }
-        const jarmClientMetadata = jarmEncryptionJwk
-            ? {
-                jwks: { keys: [jarmEncryptionJwk] },
-                authorization_encrypted_response_alg: 'ECDH-ES',
-                // FIXME: we need to allow setting this, but also to fetch it based on the `request_uri` and
-                // `request_uri_method`
-                authorization_encrypted_response_enc: 'A128GCM',
-            }
-            : undefined;
-        return {
-            ...jarmClientMetadata,
-            ...verifier.clientMetadata,
-            response_types_supported: ['vp_token'],
-            subject_syntax_types_supported: [
-                'urn:ietf:params:oauth:jwk-thumbprint',
-                ...supportedDidMethods.map((m) => `did:${m}`),
-            ],
-            authorization_signed_response_alg: 'RS256',
-            vp_formats: {
-                mso_mdoc: {
-                    alg: supportedMdocAlgs,
-                },
-                jwt_vc: {
-                    alg: supportedAlgs,
-                },
-                jwt_vc_json: {
-                    alg: supportedAlgs,
-                },
-                jwt_vp_json: {
-                    alg: supportedAlgs,
-                },
-                jwt_vp: {
-                    alg: supportedAlgs,
-                },
-                ldp_vc: {
-                    proof_type: supportedProofTypes,
-                },
-                ldp_vp: {
-                    proof_type: supportedProofTypes,
-                },
-                'vc+sd-jwt': {
-                    'kb-jwt_alg_values': supportedAlgs,
-                    'sd-jwt_alg_values': supportedAlgs,
-                },
-                'dc+sd-jwt': {
-                    'kb-jwt_alg_values': supportedAlgs,
-                    'sd-jwt_alg_values': supportedAlgs,
-                },
-            },
-        };
-    }
-    getPresentationFromVpTokenParseResult(agentContext, vpTokenPresentationParseResult) {
-        if (vpTokenPresentationParseResult.format === 'dc+sd-jwt') {
-            const sdJwtVcApi = agentContext.dependencyManager.resolve(core_1.SdJwtVcApi);
-            return sdJwtVcApi.fromCompact(vpTokenPresentationParseResult.presentation);
-        }
-        else if (vpTokenPresentationParseResult.format === 'mso_mdoc') {
-            return core_1.MdocDeviceResponse.fromBase64Url(vpTokenPresentationParseResult.presentation);
-        }
-        else if (vpTokenPresentationParseResult.format === 'jwt_vp_json') {
-            return core_1.W3cJwtVerifiablePresentation.fromSerializedJwt(vpTokenPresentationParseResult.presentation);
-        }
-        else if (vpTokenPresentationParseResult.format === 'ldp_vp') {
-            return core_1.JsonTransformer.fromJSON(vpTokenPresentationParseResult.presentation, core_1.W3cJsonLdVerifiablePresentation);
-        }
-        throw new core_1.CredoError(`Unsupported presentation format. ${vpTokenPresentationParseResult.format}`);
-    }
-    getTransactionDataMeta(options) {
-        const { vpTokenPresentationParseResult, transactionData, transactionDataResult, credentialId } = options;
-        if (!transactionData) {
-            throw new core_1.CredoError('Could not map transaction data result to the request');
-        }
-        const hashName = transactionDataResult.hashes_alg ?? 'sha-256';
-        const presentationHashes = transactionDataResult.hashes;
-        const transactionDataEntriesWithHash = transactionData.map((tdEntry) => {
-            const hash = core_1.TypedArrayEncoder.toBase64URL(core_1.Hasher.hash(core_1.JsonEncoder.toBase64URL(tdEntry), hashName));
-            return hash;
-        });
-        for (const [idx, hash] of transactionDataEntriesWithHash.entries()) {
-            if (presentationHashes[idx] !== hash) {
-                throw new core_1.CredoError(`Transaction data entry ${idx} does not match hash ${hash}`);
-            }
-        }
-        return {
-            credentialId,
-            transactionData,
-            transactionDataResult,
-            path: vpTokenPresentationParseResult.path,
-        };
-    }
-    decodePresentation(agentContext, options) {
-        const { vpTokenPresentationParseResult } = options;
-        if (vpTokenPresentationParseResult.format === 'dc+sd-jwt') {
-            // TODO: it might be better here to look at the presentation submission to know
-            // If presentation includes a ~, we assume it's an SD-JWT-VC
-            const sdJwtVcApi = agentContext.dependencyManager.resolve(core_1.SdJwtVcApi);
-            const sdJwtVc = sdJwtVcApi.fromCompact(vpTokenPresentationParseResult.presentation);
-            return sdJwtVc;
-        }
-        else if (vpTokenPresentationParseResult.format === 'mso_mdoc') {
-            const mdocDeviceResponse = core_1.MdocDeviceResponse.fromBase64Url(vpTokenPresentationParseResult.presentation);
-            return mdocDeviceResponse;
-        }
-        else if (vpTokenPresentationParseResult.format === 'jwt_vp_json') {
-            return core_1.W3cJwtVerifiablePresentation.fromSerializedJwt(vpTokenPresentationParseResult.presentation);
-        }
-        else {
-            return core_1.JsonTransformer.fromJSON(vpTokenPresentationParseResult.presentation, core_1.W3cJsonLdVerifiablePresentation);
-        }
-    }
-    async verifyPresentations(agentContext, options) {
-        const { vpTokenPresentationParseResult, transactionData } = options;
-        let transactionDataMeta = undefined;
-        try {
-            this.logger.debug(`Presentation response`, core_1.JsonTransformer.toJSON(vpTokenPresentationParseResult.presentation));
-            if (!vpTokenPresentationParseResult)
-                throw new core_1.CredoError('Did not receive a presentation for verification.');
-            const x509Config = agentContext.dependencyManager.resolve(core_1.X509ModuleConfig);
-            let isValid;
-            let reason = undefined;
-            let verifiablePresentation;
-            if (vpTokenPresentationParseResult.format === 'dc+sd-jwt') {
-                // TODO: it might be better here to look at the presentation submission to know
-                // If presentation includes a ~, we assume it's an SD-JWT-VC
-                const sdJwtVcApi = agentContext.dependencyManager.resolve(core_1.SdJwtVcApi);
-                const jwt = core_1.Jwt.fromSerializedJwt(vpTokenPresentationParseResult.presentation.split('~')[0]);
-                const sdJwtVc = sdJwtVcApi.fromCompact(vpTokenPresentationParseResult.presentation);
-                const certificateChain = (0, core_1.extractX509CertificatesFromJwt)(jwt);
-                let trustedCertificates = undefined;
-                if (certificateChain && x509Config.getTrustedCertificatesForVerification) {
-                    trustedCertificates = await x509Config.getTrustedCertificatesForVerification(agentContext, {
-                        certificateChain,
-                        verification: {
-                            type: 'credential',
-                            credential: sdJwtVc,
-                            openId4VcVerificationSessionId: options.verificationSessionRecordId,
-                        },
-                    });
-                }
-                if (!trustedCertificates) {
-                    // We also take from the config here to avoid the callback being called again
-                    trustedCertificates = x509Config.trustedCertificates ?? [];
-                }
-                const verificationResult = await sdJwtVcApi.verify({
-                    compactSdJwtVc: vpTokenPresentationParseResult.presentation,
-                    keyBinding: {
-                        audience: options.audience,
-                        nonce: options.nonce,
-                    },
-                    trustedCertificates,
-                });
-                if (verificationResult.sdJwtVc?.transactionData) {
-                    transactionDataMeta = this.getTransactionDataMeta({
-                        vpTokenPresentationParseResult,
-                        transactionData,
-                        transactionDataResult: verificationResult.sdJwtVc.transactionData,
-                        credentialId: options.credentialId,
-                    });
-                }
-                isValid = verificationResult.verification.isValid;
-                reason = verificationResult.isValid ? undefined : verificationResult.error.message;
-                verifiablePresentation = sdJwtVc;
-            }
-            else if (vpTokenPresentationParseResult.format === 'mso_mdoc') {
-                const mdocDeviceResponse = core_1.MdocDeviceResponse.fromBase64Url(vpTokenPresentationParseResult.presentation);
-                const trustedCertificates = (await Promise.all(mdocDeviceResponse.documents.map(async (mdoc) => {
-                    const certificateChain = mdoc.issuerSignedCertificateChain.map((cert) => core_1.X509Certificate.fromRawCertificate(cert));
-                    const trustedCertificates = await x509Config.getTrustedCertificatesForVerification?.(agentContext, {
-                        certificateChain,
-                        verification: {
-                            type: 'credential',
-                            credential: mdoc,
-                            openId4VcVerificationSessionId: options.verificationSessionRecordId,
-                        },
-                    });
-                    // TODO: could have some duplication but not a big issue
-                    return trustedCertificates ?? x509Config.trustedCertificates;
-                })))
-                    .filter((c) => c !== undefined)
-                    .flatMap((c) => c);
-                let sessionTranscriptOptions;
-                if (options.origin) {
-                    sessionTranscriptOptions = {
-                        type: 'openId4VpDcApi',
-                        clientId: options.audience,
-                        verifierGeneratedNonce: options.nonce,
-                        origin: options.origin,
-                    };
-                }
-                else {
-                    if (!options.mdocGeneratedNonce || !options.responseUri) {
-                        throw new core_1.CredoError('mdocGeneratedNonce and responseUri are required for mdoc openid4vp session transcript calculation');
-                    }
-                    sessionTranscriptOptions = {
-                        type: 'openId4Vp',
-                        clientId: options.audience,
-                        mdocGeneratedNonce: options.mdocGeneratedNonce,
-                        responseUri: options.responseUri,
-                        verifierGeneratedNonce: options.nonce,
-                    };
-                }
-                await mdocDeviceResponse.verify(agentContext, {
-                    sessionTranscriptOptions,
-                    trustedCertificates,
-                });
-                isValid = true;
-                verifiablePresentation = mdocDeviceResponse;
-            }
-            else if (vpTokenPresentationParseResult.format === 'jwt_vp_json') {
-                const sdJwtPresentation = core_1.W3cJwtVerifiablePresentation.fromSerializedJwt(vpTokenPresentationParseResult.presentation);
-                const certificateChain = (0, core_1.extractX509CertificatesFromJwt)(sdJwtPresentation.jwt);
-                let trustedCertificates = undefined;
-                if (certificateChain && x509Config.getTrustedCertificatesForVerification) {
-                    trustedCertificates = await x509Config.getTrustedCertificatesForVerification?.(agentContext, {
-                        certificateChain,
-                        verification: {
-                            type: 'credential',
-                            credential: sdJwtPresentation,
-                            openId4VcVerificationSessionId: options.verificationSessionRecordId,
-                        },
-                    });
-                }
-                if (!trustedCertificates) {
-                    trustedCertificates = x509Config.trustedCertificates ?? [];
-                }
-                const verificationResult = await this.w3cCredentialService.verifyPresentation(agentContext, {
-                    presentation: vpTokenPresentationParseResult.presentation,
-                    challenge: options.nonce,
-                    domain: options.audience,
-                    trustedCertificates,
-                });
-                isValid = verificationResult.isValid;
-                reason = verificationResult.error?.message;
-                verifiablePresentation = core_1.W3cJwtVerifiablePresentation.fromSerializedJwt(vpTokenPresentationParseResult.presentation);
-            }
-            else {
-                const w3cJsonLdVerifiablePresentation = core_1.JsonTransformer.fromJSON(vpTokenPresentationParseResult.presentation, core_1.W3cJsonLdVerifiablePresentation);
-                const verificationResult = await this.w3cCredentialService.verifyPresentation(agentContext, {
-                    presentation: w3cJsonLdVerifiablePresentation,
-                    challenge: options.nonce,
-                    domain: options.audience,
-                });
-                isValid = verificationResult.isValid;
-                reason = verificationResult.error?.message;
-                verifiablePresentation = w3cJsonLdVerifiablePresentation;
-            }
-            if (!isValid) {
-                throw new Error(reason);
-            }
-            return {
-                verified: true,
-                transactionDataMeta,
-                presentation: verifiablePresentation,
-                credentialId: options.credentialId,
-            };
-        }
-        catch (error) {
-            agentContext.config.logger.warn('Error occurred during verification of presentation', {
-                error,
-            });
-            return {
-                verified: false,
-                reason: error.message,
-                credentialId: options.credentialId,
-            };
-        }
-    }
-    /**
-     * Update the record to a new state and emit an state changed event. Also updates the record
-     * in storage.
-     */
-    async updateState(agentContext, verificationSession, newState) {
-        agentContext.config.logger.debug(`Updating openid4vc verification session record ${verificationSession.id} to state ${newState} (previous=${verificationSession.state})`);
-        const previousState = verificationSession.state;
-        verificationSession.state = newState;
-        await this.openId4VcVerificationSessionRepository.update(agentContext, verificationSession);
-        this.emitStateChangedEvent(agentContext, verificationSession, previousState);
-    }
-    emitStateChangedEvent(agentContext, verificationSession, previousState) {
-        const eventEmitter = agentContext.dependencyManager.resolve(core_1.EventEmitter);
-        eventEmitter.emit(agentContext, {
-            type: OpenId4VcVerifierEvents_1.OpenId4VcVerifierEvents.VerificationSessionStateChanged,
-            payload: {
-                verificationSession: verificationSession.clone(),
-                previousState,
-            },
-        });
-    }
-};
-exports.OpenId4VcSiopVerifierService = OpenId4VcSiopVerifierService;
-exports.OpenId4VcSiopVerifierService = OpenId4VcSiopVerifierService = __decorate([
-    (0, core_1.injectable)(),
-    __param(0, (0, core_1.inject)(core_1.InjectionSymbols.Logger)),
-    __metadata("design:paramtypes", [Object, core_1.W3cCredentialService,
-        repository_1.OpenId4VcVerifierRepository,
-        OpenId4VcVerifierModuleConfig_1.OpenId4VcVerifierModuleConfig,
-        repository_1.OpenId4VcVerificationSessionRepository])
-], OpenId4VcSiopVerifierService);
-//# sourceMappingURL=OpenId4VcSiopVerifierService.js.map