@credo-ts/openid4vc 0.6.0-pr-2392-20251010173905 → 0.6.0-pr-2457-20251016083534

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (163) hide show
  1. package/build/OpenId4VcApi.d.mts +1 -1
  2. package/build/OpenId4VcApi.d.ts +1 -1
  3. package/build/OpenId4VcApi.js +2 -2
  4. package/build/OpenId4VcApi.mjs +2 -2
  5. package/build/OpenId4VcModule.d.mts +1 -1
  6. package/build/OpenId4VcModule.d.ts +1 -1
  7. package/build/OpenId4VcModule.js +2 -2
  8. package/build/OpenId4VcModule.mjs +2 -2
  9. package/build/OpenId4VcModuleConfig.js +1 -1
  10. package/build/OpenId4VcModuleConfig.mjs +1 -1
  11. package/build/index.d.mts +15 -14
  12. package/build/index.d.ts +15 -14
  13. package/build/index.js +22 -15
  14. package/build/index.mjs +18 -17
  15. package/build/openid4vc-holder/OpenId4VcHolderApi.d.mts.map +1 -1
  16. package/build/openid4vc-holder/OpenId4VcHolderApi.d.ts.map +1 -1
  17. package/build/openid4vc-holder/OpenId4VcHolderApi.mjs.map +1 -1
  18. package/build/openid4vc-holder/OpenId4VciHolderService.d.mts.map +1 -1
  19. package/build/openid4vc-holder/OpenId4VciHolderService.d.ts.map +1 -1
  20. package/build/openid4vc-holder/OpenId4VciHolderService.js +11 -8
  21. package/build/openid4vc-holder/OpenId4VciHolderService.mjs +11 -8
  22. package/build/openid4vc-holder/OpenId4VciHolderService.mjs.map +1 -1
  23. package/build/openid4vc-holder/OpenId4VciHolderServiceOptions.d.mts.map +1 -1
  24. package/build/openid4vc-holder/OpenId4VciHolderServiceOptions.d.ts.map +1 -1
  25. package/build/openid4vc-holder/OpenId4VciHolderServiceOptions.mjs.map +1 -1
  26. package/build/openid4vc-holder/OpenId4vpHolderService.d.mts.map +1 -1
  27. package/build/openid4vc-holder/OpenId4vpHolderService.d.ts.map +1 -1
  28. package/build/openid4vc-holder/OpenId4vpHolderService.js +4 -4
  29. package/build/openid4vc-holder/OpenId4vpHolderService.mjs +4 -4
  30. package/build/openid4vc-holder/OpenId4vpHolderService.mjs.map +1 -1
  31. package/build/openid4vc-issuer/OpenId4VcIssuerApi.d.mts +5 -214
  32. package/build/openid4vc-issuer/OpenId4VcIssuerApi.d.mts.map +1 -1
  33. package/build/openid4vc-issuer/OpenId4VcIssuerApi.d.ts +5 -214
  34. package/build/openid4vc-issuer/OpenId4VcIssuerApi.d.ts.map +1 -1
  35. package/build/openid4vc-issuer/OpenId4VcIssuerApi.js +1 -1
  36. package/build/openid4vc-issuer/OpenId4VcIssuerApi.mjs +1 -1
  37. package/build/openid4vc-issuer/OpenId4VcIssuerApi.mjs.map +1 -1
  38. package/build/openid4vc-issuer/OpenId4VcIssuerModule.d.mts.map +1 -1
  39. package/build/openid4vc-issuer/OpenId4VcIssuerModule.d.ts.map +1 -1
  40. package/build/openid4vc-issuer/OpenId4VcIssuerModule.js +7 -7
  41. package/build/openid4vc-issuer/OpenId4VcIssuerModule.mjs +7 -7
  42. package/build/openid4vc-issuer/OpenId4VcIssuerModule.mjs.map +1 -1
  43. package/build/openid4vc-issuer/OpenId4VcIssuerModuleConfig.d.mts.map +1 -1
  44. package/build/openid4vc-issuer/OpenId4VcIssuerModuleConfig.d.ts.map +1 -1
  45. package/build/openid4vc-issuer/OpenId4VcIssuerModuleConfig.mjs.map +1 -1
  46. package/build/openid4vc-issuer/OpenId4VcIssuerService.d.mts +8 -218
  47. package/build/openid4vc-issuer/OpenId4VcIssuerService.d.mts.map +1 -1
  48. package/build/openid4vc-issuer/OpenId4VcIssuerService.d.ts +8 -218
  49. package/build/openid4vc-issuer/OpenId4VcIssuerService.d.ts.map +1 -1
  50. package/build/openid4vc-issuer/OpenId4VcIssuerService.js +18 -18
  51. package/build/openid4vc-issuer/OpenId4VcIssuerService.mjs +19 -19
  52. package/build/openid4vc-issuer/OpenId4VcIssuerService.mjs.map +1 -1
  53. package/build/openid4vc-issuer/OpenId4VcIssuerServiceOptions.d.mts +1 -1
  54. package/build/openid4vc-issuer/OpenId4VcIssuerServiceOptions.d.ts +1 -1
  55. package/build/openid4vc-issuer/index.js +2 -2
  56. package/build/openid4vc-issuer/index.mjs +2 -2
  57. package/build/openid4vc-issuer/repository/OpenId4VcIssuanceSessionRecord.d.mts +1 -1
  58. package/build/openid4vc-issuer/repository/OpenId4VcIssuanceSessionRecord.d.mts.map +1 -1
  59. package/build/openid4vc-issuer/repository/OpenId4VcIssuanceSessionRecord.d.ts +1 -1
  60. package/build/openid4vc-issuer/repository/OpenId4VcIssuanceSessionRecord.d.ts.map +1 -1
  61. package/build/openid4vc-issuer/repository/OpenId4VcIssuanceSessionRecord.js +1 -1
  62. package/build/openid4vc-issuer/repository/OpenId4VcIssuanceSessionRecord.mjs +1 -1
  63. package/build/openid4vc-issuer/repository/OpenId4VcIssuanceSessionRecord.mjs.map +1 -1
  64. package/build/openid4vc-issuer/repository/OpenId4VcIssuanceSessionRepository.js +1 -1
  65. package/build/openid4vc-issuer/repository/OpenId4VcIssuanceSessionRepository.mjs +1 -1
  66. package/build/openid4vc-issuer/repository/OpenId4VcIssuanceSessionRepository.mjs.map +1 -1
  67. package/build/openid4vc-issuer/repository/OpenId4VcIssuerRecord.d.mts.map +1 -1
  68. package/build/openid4vc-issuer/repository/OpenId4VcIssuerRecord.d.ts.map +1 -1
  69. package/build/openid4vc-issuer/repository/OpenId4VcIssuerRecord.mjs.map +1 -1
  70. package/build/openid4vc-issuer/repository/OpenId4VcIssuerRepository.js +1 -1
  71. package/build/openid4vc-issuer/repository/OpenId4VcIssuerRepository.mjs +1 -1
  72. package/build/openid4vc-issuer/repository/OpenId4VcIssuerRepository.mjs.map +1 -1
  73. package/build/openid4vc-issuer/repository/index.js +2 -2
  74. package/build/openid4vc-issuer/repository/index.mjs +2 -2
  75. package/build/openid4vc-issuer/router/accessTokenEndpoint.js +3 -4
  76. package/build/openid4vc-issuer/router/accessTokenEndpoint.mjs +3 -4
  77. package/build/openid4vc-issuer/router/accessTokenEndpoint.mjs.map +1 -1
  78. package/build/openid4vc-issuer/router/authorizationChallengeEndpoint.js +5 -6
  79. package/build/openid4vc-issuer/router/authorizationChallengeEndpoint.mjs +6 -7
  80. package/build/openid4vc-issuer/router/authorizationChallengeEndpoint.mjs.map +1 -1
  81. package/build/openid4vc-issuer/router/authorizationServerMetadataEndpoint.mjs.map +1 -1
  82. package/build/openid4vc-issuer/router/credentialEndpoint.js +5 -6
  83. package/build/openid4vc-issuer/router/credentialEndpoint.mjs +5 -6
  84. package/build/openid4vc-issuer/router/credentialEndpoint.mjs.map +1 -1
  85. package/build/openid4vc-issuer/router/credentialOfferEndpoint.js +2 -4
  86. package/build/openid4vc-issuer/router/credentialOfferEndpoint.mjs +3 -4
  87. package/build/openid4vc-issuer/router/credentialOfferEndpoint.mjs.map +1 -1
  88. package/build/openid4vc-issuer/router/deferredCredentialEndpoint.js +2 -4
  89. package/build/openid4vc-issuer/router/deferredCredentialEndpoint.mjs +3 -4
  90. package/build/openid4vc-issuer/router/deferredCredentialEndpoint.mjs.map +1 -1
  91. package/build/openid4vc-issuer/router/index.js +4 -4
  92. package/build/openid4vc-issuer/router/index.mjs +4 -4
  93. package/build/openid4vc-issuer/router/issuerMetadataEndpoint.mjs.map +1 -1
  94. package/build/openid4vc-issuer/router/jwksEndpoint.mjs.map +1 -1
  95. package/build/openid4vc-issuer/router/nonceEndpoint.mjs.map +1 -1
  96. package/build/openid4vc-verifier/OpenId4VcVerifierApi.d.mts +1 -1
  97. package/build/openid4vc-verifier/OpenId4VcVerifierApi.d.mts.map +1 -1
  98. package/build/openid4vc-verifier/OpenId4VcVerifierApi.d.ts +1 -1
  99. package/build/openid4vc-verifier/OpenId4VcVerifierApi.d.ts.map +1 -1
  100. package/build/openid4vc-verifier/OpenId4VcVerifierApi.js +1 -1
  101. package/build/openid4vc-verifier/OpenId4VcVerifierApi.mjs +1 -1
  102. package/build/openid4vc-verifier/OpenId4VcVerifierApi.mjs.map +1 -1
  103. package/build/openid4vc-verifier/OpenId4VcVerifierModule.d.mts.map +1 -1
  104. package/build/openid4vc-verifier/OpenId4VcVerifierModule.d.ts.map +1 -1
  105. package/build/openid4vc-verifier/OpenId4VcVerifierModule.js +2 -2
  106. package/build/openid4vc-verifier/OpenId4VcVerifierModule.mjs +2 -2
  107. package/build/openid4vc-verifier/OpenId4VcVerifierModule.mjs.map +1 -1
  108. package/build/openid4vc-verifier/OpenId4VpVerifierService.d.mts +3 -3
  109. package/build/openid4vc-verifier/OpenId4VpVerifierService.d.mts.map +1 -1
  110. package/build/openid4vc-verifier/OpenId4VpVerifierService.d.ts +3 -3
  111. package/build/openid4vc-verifier/OpenId4VpVerifierService.d.ts.map +1 -1
  112. package/build/openid4vc-verifier/OpenId4VpVerifierService.js +17 -17
  113. package/build/openid4vc-verifier/OpenId4VpVerifierService.mjs +17 -17
  114. package/build/openid4vc-verifier/OpenId4VpVerifierService.mjs.map +1 -1
  115. package/build/openid4vc-verifier/OpenId4VpVerifierServiceOptions.d.mts +1 -1
  116. package/build/openid4vc-verifier/OpenId4VpVerifierServiceOptions.d.ts +1 -1
  117. package/build/openid4vc-verifier/index.js +3 -3
  118. package/build/openid4vc-verifier/index.mjs +3 -3
  119. package/build/openid4vc-verifier/repository/OpenId4VcVerificationSessionRecord.d.mts +1 -1
  120. package/build/openid4vc-verifier/repository/OpenId4VcVerificationSessionRecord.d.mts.map +1 -1
  121. package/build/openid4vc-verifier/repository/OpenId4VcVerificationSessionRecord.d.ts +1 -1
  122. package/build/openid4vc-verifier/repository/OpenId4VcVerificationSessionRecord.d.ts.map +1 -1
  123. package/build/openid4vc-verifier/repository/OpenId4VcVerificationSessionRecord.mjs.map +1 -1
  124. package/build/openid4vc-verifier/repository/OpenId4VcVerificationSessionRepository.js +1 -1
  125. package/build/openid4vc-verifier/repository/OpenId4VcVerificationSessionRepository.mjs +1 -1
  126. package/build/openid4vc-verifier/repository/OpenId4VcVerificationSessionRepository.mjs.map +1 -1
  127. package/build/openid4vc-verifier/repository/OpenId4VcVerifierRecord.d.mts.map +1 -1
  128. package/build/openid4vc-verifier/repository/OpenId4VcVerifierRecord.d.ts.map +1 -1
  129. package/build/openid4vc-verifier/repository/OpenId4VcVerifierRecord.mjs.map +1 -1
  130. package/build/openid4vc-verifier/repository/OpenId4VcVerifierRepository.js +1 -1
  131. package/build/openid4vc-verifier/repository/OpenId4VcVerifierRepository.mjs +1 -1
  132. package/build/openid4vc-verifier/repository/OpenId4VcVerifierRepository.mjs.map +1 -1
  133. package/build/openid4vc-verifier/repository/index.js +2 -2
  134. package/build/openid4vc-verifier/repository/index.mjs +2 -2
  135. package/build/openid4vc-verifier/router/authorizationEndpoint.js +1 -1
  136. package/build/openid4vc-verifier/router/authorizationEndpoint.mjs +1 -1
  137. package/build/openid4vc-verifier/router/authorizationEndpoint.mjs.map +1 -1
  138. package/build/openid4vc-verifier/router/authorizationRequestEndpoint.js +1 -1
  139. package/build/openid4vc-verifier/router/authorizationRequestEndpoint.mjs +1 -1
  140. package/build/openid4vc-verifier/router/authorizationRequestEndpoint.mjs.map +1 -1
  141. package/build/shared/callbacks.d.mts +46 -0
  142. package/build/shared/callbacks.d.mts.map +1 -0
  143. package/build/shared/callbacks.d.ts +46 -0
  144. package/build/shared/callbacks.d.ts.map +1 -0
  145. package/build/shared/callbacks.js +5 -1
  146. package/build/shared/callbacks.mjs +1 -1
  147. package/build/shared/callbacks.mjs.map +1 -1
  148. package/build/shared/index.js +2 -1
  149. package/build/shared/index.mjs +2 -1
  150. package/build/shared/issuerMetadataUtils.d.mts +2 -258
  151. package/build/shared/issuerMetadataUtils.d.mts.map +1 -1
  152. package/build/shared/issuerMetadataUtils.d.ts +2 -258
  153. package/build/shared/issuerMetadataUtils.d.ts.map +1 -1
  154. package/build/shared/issuerMetadataUtils.mjs.map +1 -1
  155. package/build/shared/models/index.d.ts +1 -1
  156. package/build/shared/router/context.mjs.map +1 -1
  157. package/build/shared/router/index.js +1 -1
  158. package/build/shared/router/index.mjs +1 -1
  159. package/build/shared/router/tenants.mjs.map +1 -1
  160. package/build/shared/utils.js +0 -8
  161. package/build/shared/utils.mjs +1 -7
  162. package/build/shared/utils.mjs.map +1 -1
  163. package/package.json +8 -8
package/build/openid4vc-verifier/OpenId4VpVerifierService.js CHANGED
@@ -1,19 +1,19 @@
1
1
  const require_rolldown_runtime = require('../_virtual/rolldown_runtime.js');
2
- const require_utils = require('../shared/utils.js');
3
- const require_callbacks = require('../shared/callbacks.js');
4
- const require_decorateMetadata = require('../_virtual/_@oxc-project_runtime@0.94.0/helpers/decorateMetadata.js');
5
- const require_decorateParam = require('../_virtual/_@oxc-project_runtime@0.94.0/helpers/decorateParam.js');
6
- const require_decorate = require('../_virtual/_@oxc-project_runtime@0.94.0/helpers/decorate.js');
7
2
  const require_tenants = require('../shared/router/tenants.js');
8
3
  require('../shared/router/index.js');
4
+ const require_OpenId4VcVerificationSessionState = require('./OpenId4VcVerificationSessionState.js');
9
5
  const require_OpenId4VcVerifierModuleConfig = require('./OpenId4VcVerifierModuleConfig.js');
6
+ const require_utils = require('../shared/utils.js');
7
+ const require_callbacks = require('../shared/callbacks.js');
10
8
  const require_transactionData = require('../shared/transactionData.js');
11
- const require_OpenId4VcVerificationSessionState = require('./OpenId4VcVerificationSessionState.js');
12
9
  const require_OpenId4VcVerifierEvents = require('./OpenId4VcVerifierEvents.js');
13
- const require_OpenId4VcVerifierRecord = require('./repository/OpenId4VcVerifierRecord.js');
14
- const require_OpenId4VcVerifierRepository = require('./repository/OpenId4VcVerifierRepository.js');
10
+ const require_decorateMetadata = require('../_virtual/_@oxc-project_runtime@0.94.0/helpers/decorateMetadata.js');
11
+ const require_decorate = require('../_virtual/_@oxc-project_runtime@0.94.0/helpers/decorate.js');
15
12
  const require_OpenId4VcVerificationSessionRecord = require('./repository/OpenId4VcVerificationSessionRecord.js');
13
+ const require_decorateParam = require('../_virtual/_@oxc-project_runtime@0.94.0/helpers/decorateParam.js');
16
14
  const require_OpenId4VcVerificationSessionRepository = require('./repository/OpenId4VcVerificationSessionRepository.js');
15
+ const require_OpenId4VcVerifierRecord = require('./repository/OpenId4VcVerifierRecord.js');
16
+ const require_OpenId4VcVerifierRepository = require('./repository/OpenId4VcVerifierRepository.js');
17
17
  require('./repository/index.js');
18
18
  let __credo_ts_core = require("@credo-ts/core");
19
19
  __credo_ts_core = require_rolldown_runtime.__toESM(__credo_ts_core);
@@ -131,7 +131,7 @@ let OpenId4VpVerifierService = class OpenId4VpVerifierService$1 {
131
131
  authorizationRequestId,
132
132
  state: require_OpenId4VcVerificationSessionState.OpenId4VcVerificationSessionState.RequestCreated,
133
133
  verifierId: options.verifier.verifierId,
134
- expiresAt: require_utils.addSecondsToDate(/* @__PURE__ */ new Date(), this.config.authorizationRequestExpiresInSeconds),
134
+ expiresAt: __credo_ts_core.utils.addSecondsToDate(/* @__PURE__ */ new Date(), this.config.authorizationRequestExpiresInSeconds),
135
135
  openId4VpVersion: version
136
136
  });
137
137
  await this.openId4VcVerificationSessionRepository.save(agentContext, verificationSession);
@@ -163,7 +163,7 @@ let OpenId4VpVerifierService = class OpenId4VpVerifierService$1 {
163
163
  async parseAuthorizationResponse(agentContext, options) {
164
164
  const openid4vpVerifier = this.getOpenid4vpVerifier(agentContext);
165
165
  const { authorizationResponse, verificationSession, origin } = options;
166
- let parsedAuthorizationResponse = void 0;
166
+ let parsedAuthorizationResponse;
167
167
  try {
168
168
  parsedAuthorizationResponse = await openid4vpVerifier.parseOpenid4vpAuthorizationResponse({
169
169
  authorizationResponse,
@@ -212,9 +212,9 @@ let OpenId4VpVerifierService = class OpenId4VpVerifierService$1 {
212
212
  });
213
213
  const encryptionJwk = authorizationRequest.client_metadata?.jwks?.keys.find((key) => key.use === "enc");
214
214
  const encryptionPublicJwk = encryptionJwk ? __credo_ts_core.Kms.PublicJwk.fromUnknown(encryptionJwk) : void 0;
215
- let dcqlResponse = void 0;
216
- let pexResponse = void 0;
217
- let transactionData = void 0;
215
+ let dcqlResponse;
216
+ let pexResponse;
217
+ let transactionData;
218
218
  try {
219
219
  const clientId = (0, __openid4vc_openid4vp.getOpenid4vpClientId)({
220
220
  responseMode: authorizationRequest.response_mode,
@@ -356,7 +356,7 @@ let OpenId4VpVerifierService = class OpenId4VpVerifierService$1 {
356
356
  authorizationRequestPayload: verificationSession.requestPayload,
357
357
  authorizationResponsePayload: openid4vpAuthorizationResponsePayload
358
358
  });
359
- let presentationExchange = void 0;
359
+ let presentationExchange;
360
360
  const dcql = result.type === "dcql" ? await this.getDcqlVerifiedResponse(agentContext, authorizationRequestPayload.dcql_query, result.dcql.presentations) : void 0;
361
361
  if (result.type === "pex") {
362
362
  const presentationDefinition = authorizationRequestPayload.presentation_definition;
@@ -536,13 +536,13 @@ let OpenId4VpVerifierService = class OpenId4VpVerifierService$1 {
536
536
  try {
537
537
  this.logger.trace("Presentation response", __credo_ts_core.JsonTransformer.toJSON(presentation));
538
538
  let isValid;
539
- let cause = void 0;
539
+ let cause;
540
540
  let verifiablePresentation;
541
541
  if (format === __credo_ts_core.ClaimFormat.SdJwtDc) {
542
542
  if (typeof presentation !== "string") throw new __credo_ts_core.CredoError(`Expected vp_token entry for format ${format} to be of type string`);
543
543
  const sdJwtVc = sdJwtVcApi.fromCompact(presentation);
544
544
  const certificateChain = (0, __credo_ts_core.extractX509CertificatesFromJwt)(__credo_ts_core.Jwt.fromSerializedJwt(presentation.split("~")[0]));
545
- let trustedCertificates = void 0;
545
+ let trustedCertificates;
546
546
  if (certificateChain && x509Config.getTrustedCertificatesForVerification) trustedCertificates = await x509Config.getTrustedCertificatesForVerification(agentContext, {
547
547
  certificateChain,
548
548
  verification: {
@@ -560,7 +560,7 @@ let OpenId4VpVerifierService = class OpenId4VpVerifierService$1 {
560
560
  },
561
561
  trustedCertificates
562
562
  });
563
- isValid = verificationResult.verification.isValid;
563
+ isValid = verificationResult.isValid;
564
564
  cause = verificationResult.isValid ? void 0 : verificationResult.error;
565
565
  verifiablePresentation = sdJwtVc;
566
566
  } else if (format === __credo_ts_core.ClaimFormat.MsoMdoc) {
package/build/openid4vc-verifier/OpenId4VpVerifierService.mjs CHANGED
@@ -1,18 +1,18 @@
1
- import { addSecondsToDate, dcqlCredentialQueryToPresentationFormat, getSupportedJwaSignatureAlgorithms, requestSignerToJwtIssuer } from "../shared/utils.mjs";
2
- import { getOid4vcCallbacks } from "../shared/callbacks.mjs";
3
- import { __decorateMetadata } from "../_virtual/_@oxc-project_runtime@0.94.0/helpers/decorateMetadata.mjs";
4
- import { __decorateParam } from "../_virtual/_@oxc-project_runtime@0.94.0/helpers/decorateParam.mjs";
5
- import { __decorate } from "../_virtual/_@oxc-project_runtime@0.94.0/helpers/decorate.mjs";
6
1
  import { storeActorIdForContextCorrelationId } from "../shared/router/tenants.mjs";
7
2
  import "../shared/router/index.mjs";
3
+ import { OpenId4VcVerificationSessionState } from "./OpenId4VcVerificationSessionState.mjs";
8
4
  import { OpenId4VcVerifierModuleConfig } from "./OpenId4VcVerifierModuleConfig.mjs";
5
+ import { dcqlCredentialQueryToPresentationFormat, getSupportedJwaSignatureAlgorithms, requestSignerToJwtIssuer } from "../shared/utils.mjs";
6
+ import { getOid4vcCallbacks } from "../shared/callbacks.mjs";
9
7
  import { getSdJwtVcTransactionDataHashes } from "../shared/transactionData.mjs";
10
- import { OpenId4VcVerificationSessionState } from "./OpenId4VcVerificationSessionState.mjs";
11
8
  import { OpenId4VcVerifierEvents } from "./OpenId4VcVerifierEvents.mjs";
12
- import { OpenId4VcVerifierRecord } from "./repository/OpenId4VcVerifierRecord.mjs";
13
- import { OpenId4VcVerifierRepository } from "./repository/OpenId4VcVerifierRepository.mjs";
9
+ import { __decorateMetadata } from "../_virtual/_@oxc-project_runtime@0.94.0/helpers/decorateMetadata.mjs";
10
+ import { __decorate } from "../_virtual/_@oxc-project_runtime@0.94.0/helpers/decorate.mjs";
14
11
  import { OpenId4VcVerificationSessionRecord } from "./repository/OpenId4VcVerificationSessionRecord.mjs";
12
+ import { __decorateParam } from "../_virtual/_@oxc-project_runtime@0.94.0/helpers/decorateParam.mjs";
15
13
  import { OpenId4VcVerificationSessionRepository } from "./repository/OpenId4VcVerificationSessionRepository.mjs";
14
+ import { OpenId4VcVerifierRecord } from "./repository/OpenId4VcVerifierRecord.mjs";
15
+ import { OpenId4VcVerifierRepository } from "./repository/OpenId4VcVerifierRepository.mjs";
16
16
  import "./repository/index.mjs";
17
17
  import { AgentContext, ClaimFormat, CredoError, DcqlService, DifPresentationExchangeService, EventEmitter, InjectionSymbols, JsonEncoder, JsonTransformer, Jwt, Kms, MdocDeviceResponse, SdJwtVcApi, SignatureSuiteRegistry, TypedArrayEncoder, W3cCredentialService, W3cJsonLdVerifiablePresentation, W3cJwtVerifiablePresentation, W3cV2CredentialService, W3cV2SdJwtVerifiablePresentation, X509Certificate, X509ModuleConfig, X509Service, extractPresentationsWithDescriptorsFromSubmission, extractX509CertificatesFromJwt, getDomainFromUrl, inject, injectable, isMdocSupportedSignatureAlgorithm, joinUriParts, mapNonEmptyArray, utils } from "@credo-ts/core";
18
18
  import { Oauth2ErrorCodes, Oauth2ServerErrorResponseError } from "@openid4vc/oauth2";
@@ -127,7 +127,7 @@ let OpenId4VpVerifierService = class OpenId4VpVerifierService$1 {
127
127
  authorizationRequestId,
128
128
  state: OpenId4VcVerificationSessionState.RequestCreated,
129
129
  verifierId: options.verifier.verifierId,
130
- expiresAt: addSecondsToDate(/* @__PURE__ */ new Date(), this.config.authorizationRequestExpiresInSeconds),
130
+ expiresAt: utils.addSecondsToDate(/* @__PURE__ */ new Date(), this.config.authorizationRequestExpiresInSeconds),
131
131
  openId4VpVersion: version
132
132
  });
133
133
  await this.openId4VcVerificationSessionRepository.save(agentContext, verificationSession);
@@ -159,7 +159,7 @@ let OpenId4VpVerifierService = class OpenId4VpVerifierService$1 {
159
159
  async parseAuthorizationResponse(agentContext, options) {
160
160
  const openid4vpVerifier = this.getOpenid4vpVerifier(agentContext);
161
161
  const { authorizationResponse, verificationSession, origin } = options;
162
- let parsedAuthorizationResponse = void 0;
162
+ let parsedAuthorizationResponse;
163
163
  try {
164
164
  parsedAuthorizationResponse = await openid4vpVerifier.parseOpenid4vpAuthorizationResponse({
165
165
  authorizationResponse,
@@ -208,9 +208,9 @@ let OpenId4VpVerifierService = class OpenId4VpVerifierService$1 {
208
208
  });
209
209
  const encryptionJwk = authorizationRequest.client_metadata?.jwks?.keys.find((key) => key.use === "enc");
210
210
  const encryptionPublicJwk = encryptionJwk ? Kms.PublicJwk.fromUnknown(encryptionJwk) : void 0;
211
- let dcqlResponse = void 0;
212
- let pexResponse = void 0;
213
- let transactionData = void 0;
211
+ let dcqlResponse;
212
+ let pexResponse;
213
+ let transactionData;
214
214
  try {
215
215
  const clientId = getOpenid4vpClientId({
216
216
  responseMode: authorizationRequest.response_mode,
@@ -352,7 +352,7 @@ let OpenId4VpVerifierService = class OpenId4VpVerifierService$1 {
352
352
  authorizationRequestPayload: verificationSession.requestPayload,
353
353
  authorizationResponsePayload: openid4vpAuthorizationResponsePayload
354
354
  });
355
- let presentationExchange = void 0;
355
+ let presentationExchange;
356
356
  const dcql = result.type === "dcql" ? await this.getDcqlVerifiedResponse(agentContext, authorizationRequestPayload.dcql_query, result.dcql.presentations) : void 0;
357
357
  if (result.type === "pex") {
358
358
  const presentationDefinition = authorizationRequestPayload.presentation_definition;
@@ -532,13 +532,13 @@ let OpenId4VpVerifierService = class OpenId4VpVerifierService$1 {
532
532
  try {
533
533
  this.logger.trace("Presentation response", JsonTransformer.toJSON(presentation));
534
534
  let isValid;
535
- let cause = void 0;
535
+ let cause;
536
536
  let verifiablePresentation;
537
537
  if (format === ClaimFormat.SdJwtDc) {
538
538
  if (typeof presentation !== "string") throw new CredoError(`Expected vp_token entry for format ${format} to be of type string`);
539
539
  const sdJwtVc = sdJwtVcApi.fromCompact(presentation);
540
540
  const certificateChain = extractX509CertificatesFromJwt(Jwt.fromSerializedJwt(presentation.split("~")[0]));
541
- let trustedCertificates = void 0;
541
+ let trustedCertificates;
542
542
  if (certificateChain && x509Config.getTrustedCertificatesForVerification) trustedCertificates = await x509Config.getTrustedCertificatesForVerification(agentContext, {
543
543
  certificateChain,
544
544
  verification: {
@@ -556,7 +556,7 @@ let OpenId4VpVerifierService = class OpenId4VpVerifierService$1 {
556
556
  },
557
557
  trustedCertificates
558
558
  });
559
- isValid = verificationResult.verification.isValid;
559
+ isValid = verificationResult.isValid;
560
560
  cause = verificationResult.isValid ? void 0 : verificationResult.error;
561
561
  verifiablePresentation = sdJwtVc;
562
562
  } else if (format === ClaimFormat.MsoMdoc) {
package/build/openid4vc-verifier/OpenId4VpVerifierService.mjs.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"OpenId4VpVerifierService.mjs","names":["OpenId4VpVerifierService","logger: Logger","w3cCredentialService: W3cCredentialService","w3cV2CredentialService: W3cV2CredentialService","openId4VcVerifierRepository: OpenId4VcVerifierRepository","config: OpenId4VcVerifierModuleConfig","openId4VcVerificationSessionRepository: OpenId4VcVerificationSessionRepository","clientIdPrefix: ClientIdPrefix","clientId: string | undefined","presentations","parsedAuthorizationResponse: ParsedOpenid4vpAuthorizationResponse | undefined","dcqlResponse: OpenId4VpVerifiedAuthorizationResponseDcql | undefined","pexResponse: OpenId4VpVerifiedAuthorizationResponsePresentationExchange | undefined","transactionData: OpenId4VpVerifiedAuthorizationResponseTransactionData[] | undefined","result","presentationExchange: OpenId4VpVerifiedAuthorizationResponsePresentationExchange | undefined","transactionDataHashesCredentials: TransactionDataHashesCredentials","jarmEncryptionJwk: JarmEncryptionJwk | undefined","jarmClientMetadata:\n | Pick<\n ClientMetadata,\n | 'jwks'\n | 'encrypted_response_enc_values_supported'\n | 'authorization_encrypted_response_alg'\n | 'authorization_encrypted_response_enc'\n >\n | undefined","isValid: boolean","cause: Error | undefined","verifiablePresentation: VerifiablePresentation","trustedCertificates: string[] | undefined","mdocDeviceResponse","sessionTranscriptOptions: MdocSessionTranscriptOptions"],"sources":["../../src/openid4vc-verifier/OpenId4VpVerifierService.ts"],"sourcesContent":["import {\n AgentContext,\n ClaimFormat,\n type DcqlEncodedPresentations,\n type DcqlQuery,\n type DifPresentationExchangeDefinition,\n type DifPresentationExchangeSubmission,\n type HashName,\n Kms,\n type MdocSessionTranscriptOptions,\n type MdocSupportedSignatureAlgorithm,\n type Query,\n type QueryOptions,\n type VerifiablePresentation,\n W3cV2CredentialService,\n W3cV2SdJwtVerifiablePresentation,\n} from '@credo-ts/core'\nimport {\n CredoError,\n DcqlService,\n DifPresentationExchangeService,\n EventEmitter,\n InjectionSymbols,\n JsonEncoder,\n JsonTransformer,\n Jwt,\n type Logger,\n MdocDeviceResponse,\n SdJwtVcApi,\n SignatureSuiteRegistry,\n TypedArrayEncoder,\n W3cCredentialService,\n W3cJsonLdVerifiablePresentation,\n W3cJwtVerifiablePresentation,\n X509Certificate,\n X509ModuleConfig,\n X509Service,\n extractPresentationsWithDescriptorsFromSubmission,\n extractX509CertificatesFromJwt,\n getDomainFromUrl,\n inject,\n injectable,\n isMdocSupportedSignatureAlgorithm,\n joinUriParts,\n utils,\n} from '@credo-ts/core'\nimport { type NonEmptyArray, mapNonEmptyArray } from '@credo-ts/core'\nimport { type Jwk, Oauth2ErrorCodes, Oauth2ServerErrorResponseError } from '@openid4vc/oauth2'\nimport {\n type ClientIdPrefix,\n type ClientMetadata,\n JarmMode,\n Openid4vpVerifier,\n type ParsedOpenid4vpAuthorizationResponse,\n type TransactionDataHashesCredentials,\n getOpenid4vpClientId,\n isJarmResponseMode,\n isOpenid4vpAuthorizationRequestDcApi,\n zOpenid4vpAuthorizationResponse,\n} from '@openid4vc/openid4vp'\nimport { getOid4vcCallbacks } from '../shared/callbacks'\nimport type { OpenId4VpAuthorizationRequestPayload } from '../shared/index'\nimport { storeActorIdForContextCorrelationId } from '../shared/router'\nimport { getSdJwtVcTransactionDataHashes } from '../shared/transactionData'\nimport {\n addSecondsToDate,\n dcqlCredentialQueryToPresentationFormat,\n getSupportedJwaSignatureAlgorithms,\n requestSignerToJwtIssuer,\n} from '../shared/utils'\nimport { OpenId4VcVerificationSessionState } from './OpenId4VcVerificationSessionState'\nimport { type OpenId4VcVerificationSessionStateChangedEvent, OpenId4VcVerifierEvents } from './OpenId4VcVerifierEvents'\nimport { OpenId4VcVerifierModuleConfig } from './OpenId4VcVerifierModuleConfig'\nimport type {\n OpenId4VpCreateAuthorizationRequestOptions,\n OpenId4VpCreateAuthorizationRequestReturn,\n OpenId4VpCreateVerifierOptions,\n OpenId4VpVerifiedAuthorizationResponse,\n OpenId4VpVerifiedAuthorizationResponseDcql,\n OpenId4VpVerifiedAuthorizationResponsePresentationExchange,\n OpenId4VpVerifiedAuthorizationResponseTransactionData,\n OpenId4VpVerifyAuthorizationResponseOptions,\n OpenId4VpVersion,\n ResponseMode,\n} from './OpenId4VpVerifierServiceOptions'\nimport {\n OpenId4VcVerificationSessionRecord,\n OpenId4VcVerificationSessionRepository,\n OpenId4VcVerifierRecord,\n OpenId4VcVerifierRepository,\n} from './repository'\n\n/**\n * @internal\n */\n@injectable()\nexport class OpenId4VpVerifierService {\n public constructor(\n @inject(InjectionSymbols.Logger) private logger: Logger,\n private w3cCredentialService: W3cCredentialService,\n private w3cV2CredentialService: W3cV2CredentialService,\n private openId4VcVerifierRepository: OpenId4VcVerifierRepository,\n private config: OpenId4VcVerifierModuleConfig,\n private openId4VcVerificationSessionRepository: OpenId4VcVerificationSessionRepository\n ) {}\n\n private getOpenid4vpVerifier(agentContext: AgentContext) {\n const callbacks = getOid4vcCallbacks(agentContext)\n const openid4vpClient = new Openid4vpVerifier({ callbacks })\n\n return openid4vpClient\n }\n\n public async createAuthorizationRequest(\n agentContext: AgentContext,\n options: OpenId4VpCreateAuthorizationRequestOptions & { verifier: OpenId4VcVerifierRecord }\n ): Promise<OpenId4VpCreateAuthorizationRequestReturn> {\n const kms = agentContext.resolve(Kms.KeyManagementApi)\n const nonce = TypedArrayEncoder.toBase64URL(kms.randomBytes({ length: 32 }))\n const state = TypedArrayEncoder.toBase64URL(kms.randomBytes({ length: 32 }))\n\n const responseMode = options.responseMode ?? 'direct_post.jwt'\n const isDcApiRequest = responseMode === 'dc_api' || responseMode === 'dc_api.jwt'\n\n const version = options.version ?? 'v1'\n if (version === 'v1.draft21' && isDcApiRequest) {\n throw new CredoError(\n `OpenID4VP version '${version}' cannot be used with responseMode '${options.responseMode}'. Use version 'v1' or 'v1.draft24' instead.`\n )\n }\n if (version === 'v1.draft21' && options.transactionData) {\n throw new CredoError(\n `OpenID4VP version '${version}' cannot be used with transactionData. Use version 'v1' or 'v1.draft24' instead.`\n )\n }\n if (version === 'v1.draft21' && options.dcql) {\n throw new CredoError(\n `OpenID4VP version '${version}' cannot be used with dcql. Use version 'v1' or 'v1.draft24' instead.`\n )\n }\n if (version !== 'v1' && options.verifierInfo) {\n throw new CredoError(`OpenID4VP version '${version}' cannot be used with verifierInfo. Use version 'v1' instead.`)\n }\n if (version === 'v1' && options.presentationExchange) {\n throw new CredoError(\n `OpenID4VP version '${version}' cannot be used with presentationExchange. Use dcql instead (recommended), or use older versions 'v1.draft24' and 'v1.draft21'.`\n )\n }\n\n // For now we only support presentations with holder binding.\n if (options.dcql?.query.credentials.some((c) => c.require_cryptographic_holder_binding === false)) {\n throw new CredoError(\n `Setting 'require_cryptographic_holder_binding' to false in DCQL Query is not supported by Credo at the moment. Only presentations with cryptographic holder binding are supported.`\n )\n }\n\n if (isDcApiRequest && options.authorizationResponseRedirectUri) {\n throw new CredoError(\n \"'authorizationResponseRedirectUri' cannot be be used with response mode 'dc_api' and 'dc_api.jwt'.\"\n )\n }\n\n // Check to prevent direct_post from being used with mDOC\n const hasMdocRequest =\n options.presentationExchange?.definition.input_descriptors.some((i) => i.format?.mso_mdoc) ||\n options.dcql?.query.credentials.some((c) => c.format === 'mso_mdoc')\n // Up to draft 24 we use the 18013-7 mdoc session transcript which needs values from APU/APV\n if ((version === 'v1.draft21' || version === 'v1.draft24') && responseMode === 'direct_post' && hasMdocRequest) {\n throw new CredoError(\n \"Unable to create authorization request with response mode 'direct_post' containing mDOC credentials. ISO 18013-7 requires the usage of response mode 'direct_post.jwt', and needs parameters from the encrypted response header to verify the mDOC sigature. Either use version 'v1', or update the response mode to 'direct_post.jwt'\"\n )\n }\n\n if (options.verifierInfo) {\n const queryIds =\n options?.dcql?.query.credentials.map(({ id }) => id) ??\n options?.presentationExchange?.definition.input_descriptors.map(({ id }) => id) ??\n []\n\n const hasValidCredentialIds = options.verifierInfo.every(\n (vi) => !vi.credential_ids || vi.credential_ids.every((credentialId) => queryIds.includes(credentialId))\n )\n\n if (!hasValidCredentialIds) {\n throw new CredoError(\n 'Verifier info (attestations) were provided, but the verifier info used credential ids that are not present in the query'\n )\n }\n }\n\n const authorizationRequestId = utils.uuid()\n // We include the `session=` in the url so we can still easily\n // find the session an encrypted response\n const authorizationResponseUrl = `${joinUriParts(this.config.baseUrl, [options.verifier.verifierId, this.config.authorizationEndpoint])}?session=${authorizationRequestId}`\n\n const jwtIssuer =\n options.requestSigner.method === 'none'\n ? undefined\n : options.requestSigner.method === 'x5c'\n ? await requestSignerToJwtIssuer(agentContext, {\n ...options.requestSigner,\n issuer: authorizationResponseUrl,\n })\n : await requestSignerToJwtIssuer(agentContext, options.requestSigner)\n\n let clientIdPrefix: ClientIdPrefix\n let clientId: string | undefined\n\n if (!jwtIssuer) {\n if (isDcApiRequest) {\n clientIdPrefix = version === 'v1' ? 'origin' : 'web-origin'\n clientId = undefined\n } else {\n clientIdPrefix = 'redirect_uri'\n clientId = authorizationResponseUrl\n }\n } else if (jwtIssuer?.method === 'x5c') {\n const leafCertificate = X509Service.getLeafCertificate(agentContext, { certificateChain: jwtIssuer.x5c })\n\n if (leafCertificate.sanDnsNames.includes(getDomainFromUrl(jwtIssuer.issuer))) {\n clientIdPrefix = 'x509_san_dns'\n clientId = getDomainFromUrl(jwtIssuer.issuer)\n } else {\n throw new CredoError(\n `With jwtIssuer method 'x5c' the jwtIssuer's 'issuer' field must match a sanDnsName (FQDN) in the leaf x509 chain's leaf certificate.`\n )\n }\n } else if (jwtIssuer?.method === 'did') {\n clientId = jwtIssuer.didUrl.split('#')[0]\n clientIdPrefix = version === 'v1' ? 'decentralized_identifier' : 'did'\n } else {\n throw new CredoError(\n `Unsupported jwt issuer method '${options.requestSigner.method}'. Only 'did' and 'x5c' are supported.`\n )\n }\n\n // We always use shortened URIs currently\n const hostedAuthorizationRequestUri =\n !isDcApiRequest && jwtIssuer\n ? joinUriParts(this.config.baseUrl, [\n options.verifier.verifierId,\n this.config.authorizationRequestEndpoint,\n authorizationRequestId,\n ])\n : // No hosted request needed when using DC API or using unsigned request\n undefined\n\n const client_id =\n // For did/https and draft 21 the client id has no special prefix\n clientIdPrefix === 'did' || (clientIdPrefix as string) === 'https' || version === 'v1.draft21'\n ? clientId\n : `${clientIdPrefix}:${clientId}`\n\n // for did the client_id is same in draft 21 and 24 so we could support both at the same time\n const legacyClientIdScheme =\n version === 'v1.draft21' &&\n clientIdPrefix !== 'web-origin' &&\n clientIdPrefix !== 'origin' &&\n clientIdPrefix !== 'decentralized_identifier'\n ? clientIdPrefix\n : undefined\n\n const client_metadata = await this.getClientMetadata(agentContext, {\n responseMode,\n verifier: options.verifier,\n authorizationResponseUrl,\n version,\n\n // TODO: we don't validate the DCQL query when creating a request i think?\n dcqlQuery: options.dcql?.query,\n })\n\n const requestParamsBase = {\n nonce,\n presentation_definition: options.presentationExchange?.definition,\n dcql_query: options.dcql?.query,\n transaction_data: options.transactionData?.map((entry) => JsonEncoder.toBase64URL(entry)),\n response_mode: responseMode,\n response_type: 'vp_token',\n client_metadata,\n verifier_info: options.verifierInfo,\n } as const\n\n const openid4vpVerifier = this.getOpenid4vpVerifier(agentContext)\n const authorizationRequest = await openid4vpVerifier.createOpenId4vpAuthorizationRequest({\n jar: jwtIssuer\n ? {\n jwtSigner: jwtIssuer,\n requestUri: hostedAuthorizationRequestUri,\n expiresInSeconds: this.config.authorizationRequestExpiresInSeconds,\n }\n : undefined,\n authorizationRequestPayload:\n requestParamsBase.response_mode === 'dc_api.jwt' || requestParamsBase.response_mode === 'dc_api'\n ? {\n ...requestParamsBase,\n // No client_id for unsigned DC API requests\n client_id: jwtIssuer ? client_id : undefined,\n response_mode: requestParamsBase.response_mode,\n expected_origins: options.expectedOrigins,\n }\n : {\n ...requestParamsBase,\n response_mode: requestParamsBase.response_mode,\n client_id: client_id as string,\n state,\n response_uri: authorizationResponseUrl,\n client_id_scheme: legacyClientIdScheme,\n },\n })\n\n const verificationSession = new OpenId4VcVerificationSessionRecord({\n authorizationResponseRedirectUri: options.authorizationResponseRedirectUri,\n\n // Only store payload for unsiged requests\n authorizationRequestPayload: authorizationRequest.jar\n ? undefined\n : authorizationRequest.authorizationRequestPayload,\n authorizationRequestJwt: authorizationRequest.jar?.authorizationRequestJwt,\n authorizationRequestUri: hostedAuthorizationRequestUri,\n authorizationRequestId,\n state: OpenId4VcVerificationSessionState.RequestCreated,\n verifierId: options.verifier.verifierId,\n expiresAt: addSecondsToDate(new Date(), this.config.authorizationRequestExpiresInSeconds),\n openId4VpVersion: version,\n })\n await this.openId4VcVerificationSessionRepository.save(agentContext, verificationSession)\n this.emitStateChangedEvent(agentContext, verificationSession, null)\n\n return {\n authorizationRequest: authorizationRequest.authorizationRequest,\n verificationSession,\n authorizationRequestObject: authorizationRequest.authorizationRequestObject,\n }\n }\n\n private async getDcqlVerifiedResponse(\n agentContext: AgentContext,\n _dcqlQuery: unknown,\n presentations: DcqlEncodedPresentations\n ) {\n const dcqlService = agentContext.dependencyManager.resolve(DcqlService)\n const dcqlQuery = dcqlService.validateDcqlQuery(_dcqlQuery)\n\n const dcqlPresentationEntries = Object.entries(presentations)\n const dcqlPresentation = Object.fromEntries(\n dcqlPresentationEntries.map(([credentialId, presentations]) => {\n const queryCredential = dcqlQuery.credentials.find((c) => c.id === credentialId)\n if (!queryCredential) {\n throw new CredoError(\n `vp_token contains presentation for credential query id '${credentialId}', but this credential is not present in the dcql query.`\n )\n }\n\n return [\n credentialId,\n mapNonEmptyArray(presentations, (presentation) =>\n this.decodePresentation(agentContext, {\n presentation,\n format: dcqlCredentialQueryToPresentationFormat(queryCredential),\n })\n ),\n ]\n })\n )\n\n const dcqlPresentationResult = await dcqlService.assertValidDcqlPresentation(\n agentContext,\n dcqlPresentation,\n dcqlQuery\n )\n\n return {\n query: dcqlQuery,\n presentations: dcqlPresentation,\n presentationResult: dcqlPresentationResult,\n } satisfies OpenId4VpVerifiedAuthorizationResponseDcql\n }\n\n private async parseAuthorizationResponse(\n agentContext: AgentContext,\n options: {\n authorizationResponse: Record<string, unknown>\n origin?: string\n verificationSession: OpenId4VcVerificationSessionRecord\n }\n ): Promise<ParsedOpenid4vpAuthorizationResponse & { verificationSession: OpenId4VcVerificationSessionRecord }> {\n const openid4vpVerifier = this.getOpenid4vpVerifier(agentContext)\n\n const { authorizationResponse, verificationSession, origin } = options\n let parsedAuthorizationResponse: ParsedOpenid4vpAuthorizationResponse | undefined = undefined\n\n try {\n parsedAuthorizationResponse = await openid4vpVerifier.parseOpenid4vpAuthorizationResponse({\n authorizationResponse,\n origin,\n authorizationRequestPayload: verificationSession.requestPayload,\n callbacks: getOid4vcCallbacks(agentContext),\n })\n\n if (parsedAuthorizationResponse.jarm && parsedAuthorizationResponse.jarm.type !== JarmMode.Encrypted) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: `Only encrypted JARM responses are supported, received '${parsedAuthorizationResponse.jarm.type}'.`,\n })\n }\n\n return {\n ...parsedAuthorizationResponse,\n verificationSession,\n }\n } catch (error) {\n if (\n verificationSession?.state === OpenId4VcVerificationSessionState.RequestUriRetrieved ||\n verificationSession?.state === OpenId4VcVerificationSessionState.RequestCreated\n ) {\n const parsed = zOpenid4vpAuthorizationResponse.safeParse(\n parsedAuthorizationResponse?.authorizationResponsePayload\n )\n\n verificationSession.authorizationResponsePayload = parsed.success ? parsed.data : undefined\n verificationSession.errorMessage = error.message\n await this.updateState(agentContext, verificationSession, OpenId4VcVerificationSessionState.Error)\n }\n\n throw error\n }\n }\n\n public async verifyAuthorizationResponse(\n agentContext: AgentContext,\n options: OpenId4VpVerifyAuthorizationResponseOptions & {\n /**\n * The verification session associated with the response\n */\n verificationSession: OpenId4VcVerificationSessionRecord\n }\n ): Promise<OpenId4VpVerifiedAuthorizationResponse> {\n const { verificationSession, authorizationResponse, origin } = options\n const authorizationRequest = verificationSession.requestPayload\n const openid4vpVersion =\n verificationSession.openId4VpVersion ??\n (authorizationRequest.client_id_scheme !== undefined ? 'v1.draft21' : 'v1.draft24')\n\n if (\n verificationSession.state !== OpenId4VcVerificationSessionState.RequestUriRetrieved &&\n verificationSession.state !== OpenId4VcVerificationSessionState.RequestCreated\n ) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: 'Invalid session',\n })\n }\n\n if (verificationSession.expiresAt && Date.now() > verificationSession.expiresAt.getTime()) {\n verificationSession.errorMessage = 'session expired'\n await this.updateState(agentContext, verificationSession, OpenId4VcVerificationSessionState.Error)\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: 'session expired',\n })\n }\n\n const result = await this.parseAuthorizationResponse(agentContext, {\n verificationSession,\n authorizationResponse,\n origin,\n })\n\n // NOTE: we always currently include only one key, and also use 'use=enc'. If we change\n // that, we should change this. I think we should return the jarm key in the openid4vp lib\n // and match against that (and also ensure then it's present in client_metadata -> should not conflict with federation)\n const encryptionJwk = authorizationRequest.client_metadata?.jwks?.keys.find((key) => key.use === 'enc')\n const encryptionPublicJwk = encryptionJwk ? Kms.PublicJwk.fromUnknown(encryptionJwk) : undefined\n\n let dcqlResponse: OpenId4VpVerifiedAuthorizationResponseDcql | undefined = undefined\n let pexResponse: OpenId4VpVerifiedAuthorizationResponsePresentationExchange | undefined = undefined\n let transactionData: OpenId4VpVerifiedAuthorizationResponseTransactionData[] | undefined = undefined\n\n try {\n const parsedClientId = getOpenid4vpClientId({\n responseMode: authorizationRequest.response_mode,\n clientId: authorizationRequest.client_id,\n legacyClientIdScheme: authorizationRequest.client_id_scheme,\n origin: options.origin,\n version: openid4vpVersion === 'v1' ? 100 : openid4vpVersion === 'v1.draft24' ? 24 : 21,\n })\n\n const clientId = parsedClientId.effectiveClientId\n const isDcApiRequest = isOpenid4vpAuthorizationRequestDcApi(authorizationRequest)\n\n // TODO: we should return the effectiveAudience in the returned value of openid4vp lib\n // Since it differs based on the version of openid4vp used\n // NOTE: in v1 DC API request the audience is always origin: (not the client id)\n const audience = openid4vpVersion === 'v1' && isDcApiRequest ? `origin:${options.origin}` : clientId\n\n const responseUri = isOpenid4vpAuthorizationRequestDcApi(authorizationRequest)\n ? undefined\n : authorizationRequest.response_uri\n\n // NOTE: apu is needed for mDOC over OID4VP without DC API up to draft 24\n const mdocGeneratedNonce = result.jarm?.jarmHeader.apu\n ? TypedArrayEncoder.toUtf8String(TypedArrayEncoder.fromBase64(result.jarm?.jarmHeader.apu))\n : undefined\n\n if (result.type === 'dcql') {\n const dcqlPresentationEntries = Object.entries(result.dcql.presentations)\n if (!authorizationRequest.dcql_query) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: 'DCQL response provided but no dcql_query found in the authorization request.',\n })\n }\n\n const dcql = agentContext.dependencyManager.resolve(DcqlService)\n const dcqlQuery = dcql.validateDcqlQuery(authorizationRequest.dcql_query)\n\n const presentationVerificationResults = await Promise.all(\n dcqlPresentationEntries.map(async ([credentialId, presentations]) => {\n const queryCredential = dcqlQuery.credentials.find((c) => c.id === credentialId)\n if (!queryCredential) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: `vp_token contains presentation for credential query id '${credentialId}', but this credential is not present in the dcql query.`,\n })\n }\n\n const verifiedPresentations = await Promise.all(\n mapNonEmptyArray(presentations, (presentation) =>\n this.verifyPresentation(agentContext, {\n format: dcqlCredentialQueryToPresentationFormat(queryCredential),\n nonce: authorizationRequest.nonce,\n audience,\n version: openid4vpVersion,\n clientId,\n encryptionJwk: encryptionPublicJwk,\n origin: options.origin,\n responseUri,\n mdocGeneratedNonce,\n verificationSessionId: result.verificationSession.id,\n presentation,\n })\n )\n )\n return [credentialId, verifiedPresentations] as const\n })\n )\n\n const errorMessages = presentationVerificationResults\n .flatMap(([credentialId, presentations], index) =>\n presentations.map((result) =>\n !result.verified ? `\\t- ${credentialId}[${index}]: ${result.reason}` : undefined\n )\n )\n .filter((i) => i !== undefined)\n if (errorMessages.length > 0) {\n throw new Oauth2ServerErrorResponseError(\n {\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: 'One or more presentations failed verification.',\n },\n { internalMessage: errorMessages.join('\\n') }\n )\n }\n\n // We can be certain here that all presentations passed verification\n const presentations = Object.fromEntries(\n presentationVerificationResults.map(\n ([credentialId, presentations]) =>\n [\n credentialId,\n presentations\n .map((p) => (p.verified ? p.presentation : undefined))\n // NOTE: we add NonEmpty cast here since it's needed for DCQL, and because we\n // previously ensured all items are valid, we can be sure this arary is non empty\n // even after the filter.\n .filter((p) => p !== undefined) as NonEmptyArray<VerifiablePresentation>,\n ] as const\n )\n )\n\n const presentationResult = await dcql.assertValidDcqlPresentation(agentContext, presentations, dcqlQuery)\n\n dcqlResponse = {\n presentations,\n presentationResult,\n query: dcqlQuery,\n }\n }\n\n if (result.type === 'pex') {\n const pex = agentContext.dependencyManager.resolve(DifPresentationExchangeService)\n\n const encodedPresentations = result.pex.presentations\n const submission = result.pex.presentationSubmission as DifPresentationExchangeSubmission\n const definition = result.pex.presentationDefinition as unknown as DifPresentationExchangeDefinition\n\n pex.validatePresentationDefinition(definition)\n\n try {\n pex.validatePresentationSubmission(submission)\n } catch (error) {\n throw new Oauth2ServerErrorResponseError(\n {\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: 'Invalid presentation submission.',\n },\n { cause: error }\n )\n }\n\n const presentationsArray = Array.isArray(encodedPresentations) ? encodedPresentations : [encodedPresentations]\n const presentationVerificationResults = await Promise.all(\n presentationsArray.map((presentation) => {\n return this.verifyPresentation(agentContext, {\n nonce: authorizationRequest.nonce,\n audience,\n clientId,\n version: openid4vpVersion,\n encryptionJwk: encryptionPublicJwk,\n responseUri,\n mdocGeneratedNonce,\n verificationSessionId: result.verificationSession.id,\n presentation,\n format: this.claimFormatFromEncodedPresentation(presentation),\n origin: options.origin,\n })\n })\n )\n\n const errorMessages = presentationVerificationResults\n .map((result, index) => (!result.verified ? `\\t- [${index}]: ${result.reason}` : undefined))\n .filter((i) => i !== undefined)\n if (errorMessages.length > 0) {\n throw new Oauth2ServerErrorResponseError(\n {\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: 'One or more presentations failed verification.',\n },\n { internalMessage: errorMessages.join('\\n') }\n )\n }\n\n const verifiablePresentations = presentationVerificationResults\n .map((p) => (p.verified ? p.presentation : undefined))\n .filter((p) => p !== undefined)\n\n try {\n pex.validatePresentation(\n definition,\n // vp_token MUST not be an array if only one entry\n verifiablePresentations.length === 1 ? verifiablePresentations[0] : verifiablePresentations,\n submission\n )\n } catch (error) {\n throw new Oauth2ServerErrorResponseError(\n {\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: 'Presentation submission does not satisy presentation request.',\n },\n { cause: error }\n )\n }\n\n const descriptors = extractPresentationsWithDescriptorsFromSubmission(\n // vp_token MUST not be an array if only one entry\n verifiablePresentations.length === 1 ? verifiablePresentations[0] : verifiablePresentations,\n submission,\n definition\n )\n\n pexResponse = {\n definition,\n descriptors,\n presentations: verifiablePresentations,\n submission,\n }\n }\n\n transactionData = await this.getVerifiedTransactionData(agentContext, {\n authorizationRequest,\n dcql: dcqlResponse,\n presentationExchange: pexResponse,\n })\n } catch (error) {\n result.verificationSession.errorMessage = error.message\n await this.updateState(agentContext, result.verificationSession, OpenId4VcVerificationSessionState.Error)\n throw error\n }\n\n result.verificationSession.authorizationResponsePayload = result.authorizationResponsePayload\n await this.updateState(agentContext, result.verificationSession, OpenId4VcVerificationSessionState.ResponseVerified)\n\n return {\n presentationExchange: pexResponse,\n dcql: dcqlResponse,\n transactionData,\n verificationSession: result.verificationSession,\n }\n }\n\n /**\n * Get the format based on an encoded presentation. This is mostly leveraged for\n * PEX where it's not known based on the request which format to expect\n */\n private claimFormatFromEncodedPresentation(\n presentation: string | Record<string, unknown>\n ): ClaimFormat.JwtVp | ClaimFormat.LdpVp | ClaimFormat.SdJwtDc | ClaimFormat.MsoMdoc {\n if (typeof presentation === 'object') return ClaimFormat.LdpVp\n if (presentation.includes('~')) return ClaimFormat.SdJwtDc\n if (Jwt.format.test(presentation)) return ClaimFormat.JwtVp\n\n // Fallback, we tried all other formats\n return ClaimFormat.MsoMdoc\n }\n\n public async getVerifiedAuthorizationResponse(\n agentContext: AgentContext,\n verificationSession: OpenId4VcVerificationSessionRecord\n ): Promise<OpenId4VpVerifiedAuthorizationResponse> {\n verificationSession.assertState(OpenId4VcVerificationSessionState.ResponseVerified)\n\n if (!verificationSession.authorizationResponsePayload) {\n throw new CredoError('No authorization response payload found in the verification session.')\n }\n\n const authorizationRequestPayload = verificationSession.requestPayload\n const openid4vpAuthorizationResponsePayload = verificationSession.authorizationResponsePayload\n const openid4vpVerifier = this.getOpenid4vpVerifier(agentContext)\n\n const result = openid4vpVerifier.validateOpenid4vpAuthorizationResponsePayload({\n authorizationRequestPayload: verificationSession.requestPayload,\n authorizationResponsePayload: openid4vpAuthorizationResponsePayload,\n })\n\n let presentationExchange: OpenId4VpVerifiedAuthorizationResponsePresentationExchange | undefined = undefined\n const dcql =\n result.type === 'dcql'\n ? await this.getDcqlVerifiedResponse(\n agentContext,\n authorizationRequestPayload.dcql_query,\n result.dcql.presentations\n )\n : undefined\n\n if (result.type === 'pex') {\n const presentationDefinition =\n authorizationRequestPayload.presentation_definition as unknown as DifPresentationExchangeDefinition\n const submission = openid4vpAuthorizationResponsePayload.presentation_submission as\n | DifPresentationExchangeSubmission\n | undefined\n\n if (!submission) {\n throw new CredoError('Unable to extract submission from the response.')\n }\n\n const verifiablePresentations = result.pex.presentations.map((presentation) =>\n this.decodePresentation(agentContext, {\n presentation,\n format: this.claimFormatFromEncodedPresentation(presentation),\n })\n )\n\n presentationExchange = {\n definition: presentationDefinition,\n submission,\n presentations: verifiablePresentations,\n descriptors: extractPresentationsWithDescriptorsFromSubmission(\n // vp_token MUST not be an array if only one entry\n verifiablePresentations.length === 1 ? verifiablePresentations[0] : verifiablePresentations,\n submission,\n presentationDefinition\n ),\n }\n }\n\n if (!presentationExchange && !dcql) {\n throw new CredoError('No presentationExchange or dcql found in the response.')\n }\n\n const transactionData = await this.getVerifiedTransactionData(agentContext, {\n authorizationRequest: authorizationRequestPayload,\n dcql,\n presentationExchange,\n })\n\n return {\n presentationExchange,\n dcql,\n transactionData,\n verificationSession,\n }\n }\n\n private async getVerifiedTransactionData(\n agentContext: AgentContext,\n {\n authorizationRequest,\n presentationExchange,\n dcql,\n }: {\n dcql?: OpenId4VpVerifiedAuthorizationResponseDcql\n presentationExchange?: OpenId4VpVerifiedAuthorizationResponsePresentationExchange\n authorizationRequest: OpenId4VpAuthorizationRequestPayload\n }\n ): Promise<OpenId4VpVerifiedAuthorizationResponseTransactionData[] | undefined> {\n if (!authorizationRequest.transaction_data) return undefined\n\n const openid4vpVerifier = this.getOpenid4vpVerifier(agentContext)\n const transactionDataHashesCredentials: TransactionDataHashesCredentials = {}\n\n // Extract presentations with credentialId\n const idToCredential = dcql\n ? Object.entries(dcql.presentations)\n : (presentationExchange?.descriptors.map(\n (descriptor) => [descriptor.descriptor.id, [descriptor.presentation]] as const\n ) ?? [])\n\n for (const [credentialId, presentations] of idToCredential) {\n // Only SD-JWT VC supported for now\n const transactionDataHashes = presentations.map((presentation) =>\n presentation.claimFormat === ClaimFormat.SdJwtDc ? getSdJwtVcTransactionDataHashes(presentation) : undefined\n )\n\n const firstHasHash = transactionDataHashes[0] !== undefined\n if (!transactionDataHashes.every((hash) => (firstHasHash ? hash !== undefined : hash === undefined))) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidTransactionData,\n error_description: `Multipe presentations were submitted for credential query ${credentialId} but not all presentations includes a transaction data hash. Either all or none of the presentations for a credential query id should include a transaction data hash.`,\n })\n }\n\n if (!firstHasHash) continue\n\n transactionDataHashesCredentials[credentialId] = transactionDataHashes as [\n Exclude<(typeof transactionDataHashes)[number], undefined>,\n ]\n }\n\n // Verify the transaction data\n const transactionData = await openid4vpVerifier.verifyTransactionData({\n credentials: transactionDataHashesCredentials,\n transactionData: authorizationRequest.transaction_data,\n })\n\n return transactionData.map(({ credentialId, transactionDataEntry, presentations }) => ({\n credentialId,\n encoded: transactionDataEntry.encoded,\n decoded: transactionDataEntry.transactionData,\n transactionDataIndex: transactionDataEntry.transactionDataIndex,\n presentations: presentations.map((presentation) => ({\n presentationHashIndex: presentation.credentialHashIndex,\n hash: presentation.hash,\n // We only support the values supported by Credo hasher, so it can't be any other value than those.\n hashAlg: presentation.hashAlg as HashName,\n })) as OpenId4VpVerifiedAuthorizationResponseTransactionData['presentations'],\n }))\n }\n\n public async getAllVerifiers(agentContext: AgentContext) {\n return this.openId4VcVerifierRepository.getAll(agentContext)\n }\n\n public async getVerifierByVerifierId(agentContext: AgentContext, verifierId: string) {\n return this.openId4VcVerifierRepository.getByVerifierId(agentContext, verifierId)\n }\n\n public async updateVerifier(agentContext: AgentContext, verifier: OpenId4VcVerifierRecord) {\n return this.openId4VcVerifierRepository.update(agentContext, verifier)\n }\n\n public async createVerifier(agentContext: AgentContext, options?: OpenId4VpCreateVerifierOptions) {\n const openId4VcVerifier = new OpenId4VcVerifierRecord({\n verifierId: options?.verifierId ?? utils.uuid(),\n clientMetadata: options?.clientMetadata,\n })\n\n await this.openId4VcVerifierRepository.save(agentContext, openId4VcVerifier)\n await storeActorIdForContextCorrelationId(agentContext, openId4VcVerifier.verifierId)\n return openId4VcVerifier\n }\n\n public async findVerificationSessionsByQuery(\n agentContext: AgentContext,\n query: Query<OpenId4VcVerificationSessionRecord>,\n queryOptions?: QueryOptions\n ) {\n return this.openId4VcVerificationSessionRepository.findByQuery(agentContext, query, queryOptions)\n }\n\n public async getVerificationSessionById(agentContext: AgentContext, verificationSessionId: string) {\n return this.openId4VcVerificationSessionRepository.getById(agentContext, verificationSessionId)\n }\n\n private async getClientMetadata(\n agentContext: AgentContext,\n options: {\n responseMode: ResponseMode\n verifier: OpenId4VcVerifierRecord\n authorizationResponseUrl: string\n dcqlQuery?: DcqlQuery\n version: NonNullable<OpenId4VpCreateAuthorizationRequestOptions['version']>\n }\n ): Promise<ClientMetadata> {\n const { responseMode, verifier } = options\n\n const signatureSuiteRegistry = agentContext.resolve(SignatureSuiteRegistry)\n const kms = agentContext.resolve(Kms.KeyManagementApi)\n const supportedAlgs = getSupportedJwaSignatureAlgorithms(agentContext) as [\n Kms.KnownJwaSignatureAlgorithm,\n ...Kms.KnownJwaSignatureAlgorithm[],\n ]\n const supportedMdocAlgs = supportedAlgs.filter(isMdocSupportedSignatureAlgorithm) as [\n MdocSupportedSignatureAlgorithm,\n ...MdocSupportedSignatureAlgorithm[],\n ]\n const supportedProofTypes = signatureSuiteRegistry.supportedProofTypes\n\n type JarmEncryptionJwk = Kms.Jwk & { kid: string; use: 'enc' }\n let jarmEncryptionJwk: JarmEncryptionJwk | undefined\n\n if (isJarmResponseMode(responseMode)) {\n const key = await kms.createKey({ type: { crv: 'P-256', kty: 'EC' } })\n jarmEncryptionJwk = { ...key.publicJwk, use: 'enc' }\n }\n\n const jarmClientMetadata:\n | Pick<\n ClientMetadata,\n | 'jwks'\n | 'encrypted_response_enc_values_supported'\n | 'authorization_encrypted_response_alg'\n | 'authorization_encrypted_response_enc'\n >\n | undefined = jarmEncryptionJwk\n ? {\n jwks: { keys: [jarmEncryptionJwk as Jwk] },\n\n ...(options.version === 'v1'\n ? {\n encrypted_response_enc_values_supported: ['A128GCM', 'A256GCM', 'A128CBC-HS256'],\n }\n : {\n authorization_encrypted_response_alg: 'ECDH-ES',\n\n // NOTE: pre draft 24 we could only include one version. To maximize compatiblity we use\n // - A128GCM for draft 24 (HAIP)\n // - A256GCM for draft 21 (18013-7)\n authorization_encrypted_response_enc: options.version === 'v1.draft24' ? 'A128GCM' : 'A256GCM',\n }),\n }\n : undefined\n\n const dclqQueryFormats = new Set(options.dcqlQuery?.credentials.map((c) => c.format))\n\n return {\n ...jarmClientMetadata,\n ...verifier.clientMetadata,\n response_types_supported: ['vp_token'],\n\n // for v1 version we only include the vp_formats_supported for formats we're\n // requesting.\n ...(options.version === 'v1'\n ? {\n vp_formats_supported: {\n ...(dclqQueryFormats.has('dc+sd-jwt')\n ? {\n 'dc+sd-jwt': {\n 'kb-jwt_alg_values': supportedAlgs,\n 'sd-jwt_alg_values': supportedAlgs,\n },\n }\n : {}),\n\n ...(dclqQueryFormats.has('mso_mdoc')\n ? {\n mso_mdoc: {\n // TODO: we need to add some generic utils for fully specified COSE algorithms\n deviceauth_alg_values: [/* P-256 */ -9, /* P-384 */ -51, /* Ed25519 */ -19],\n issuerauth_alg_values: [/* P-256 */ -9, /* P-384 */ -51, /* Ed25519 */ -19],\n },\n }\n : {}),\n\n ...(dclqQueryFormats.has('jwt_vc_json')\n ? {\n jwt_vc_json: {\n alg_values: supportedAlgs,\n },\n }\n : {}),\n\n ...(dclqQueryFormats.has('ldp_vc')\n ? {\n ldp_vc: {\n proof_type_values: supportedProofTypes as [string, ...string[]],\n },\n }\n : {}),\n },\n }\n : {\n vp_formats: {\n mso_mdoc: {\n alg: supportedMdocAlgs,\n },\n jwt_vc: {\n alg: supportedAlgs,\n },\n jwt_vc_json: {\n alg: supportedAlgs,\n },\n jwt_vp_json: {\n alg: supportedAlgs,\n },\n jwt_vp: {\n alg: supportedAlgs,\n },\n ldp_vc: {\n proof_type: supportedProofTypes,\n },\n ldp_vp: {\n proof_type: supportedProofTypes,\n },\n 'vc+sd-jwt': {\n 'kb-jwt_alg_values': supportedAlgs,\n 'sd-jwt_alg_values': supportedAlgs,\n },\n 'dc+sd-jwt': {\n 'kb-jwt_alg_values': supportedAlgs,\n 'sd-jwt_alg_values': supportedAlgs,\n },\n },\n }),\n }\n }\n\n private decodePresentation(\n agentContext: AgentContext,\n options: {\n presentation: string | Record<string, unknown>\n format: ClaimFormat.JwtVp | ClaimFormat.LdpVp | ClaimFormat.SdJwtDc | ClaimFormat.MsoMdoc | ClaimFormat.SdJwtW3cVp\n }\n ): VerifiablePresentation {\n const { presentation, format } = options\n\n if (format === ClaimFormat.SdJwtDc) {\n if (typeof presentation !== 'string') {\n throw new CredoError(`Expected vp_token entry for format ${format} to be of type string`)\n }\n const sdJwtVcApi = agentContext.dependencyManager.resolve(SdJwtVcApi)\n\n const sdJwtVc = sdJwtVcApi.fromCompact(presentation)\n return sdJwtVc\n }\n if (format === ClaimFormat.MsoMdoc) {\n if (typeof presentation !== 'string') {\n throw new CredoError(`Expected vp_token entry for format ${format} to be of type string`)\n }\n const mdocDeviceResponse = MdocDeviceResponse.fromBase64Url(presentation)\n return mdocDeviceResponse\n }\n if (format === ClaimFormat.JwtVp) {\n if (typeof presentation !== 'string') {\n throw new CredoError(`Expected vp_token entry for format ${format} to be of type string`)\n }\n return W3cJwtVerifiablePresentation.fromSerializedJwt(presentation)\n }\n if (format === ClaimFormat.SdJwtW3cVp) {\n if (typeof presentation !== 'string') {\n throw new CredoError(`Expected vp_token entry for format ${format} to be of type string`)\n }\n return W3cV2SdJwtVerifiablePresentation.fromCompact(presentation)\n }\n\n return JsonTransformer.fromJSON(presentation, W3cJsonLdVerifiablePresentation)\n }\n\n private async verifyPresentation(\n agentContext: AgentContext,\n options: {\n nonce: string\n audience: string\n clientId: string\n responseUri?: string\n mdocGeneratedNonce?: string\n origin?: string\n verificationSessionId: string\n presentation: string | Record<string, unknown>\n format: ClaimFormat.LdpVp | ClaimFormat.JwtVp | ClaimFormat.SdJwtW3cVp | ClaimFormat.SdJwtDc | ClaimFormat.MsoMdoc\n version: OpenId4VpVersion\n encryptionJwk?: Kms.PublicJwk\n }\n ): Promise<\n | {\n verified: true\n presentation: VerifiablePresentation\n transactionData?: TransactionDataHashesCredentials[string]\n }\n | { verified: false; reason: string }\n > {\n const x509Config = agentContext.dependencyManager.resolve(X509ModuleConfig)\n const sdJwtVcApi = agentContext.dependencyManager.resolve(SdJwtVcApi)\n\n const { presentation, format } = options\n\n try {\n this.logger.trace('Presentation response', JsonTransformer.toJSON(presentation))\n\n let isValid: boolean\n let cause: Error | undefined = undefined\n let verifiablePresentation: VerifiablePresentation\n\n if (format === ClaimFormat.SdJwtDc) {\n if (typeof presentation !== 'string') {\n throw new CredoError(`Expected vp_token entry for format ${format} to be of type string`)\n }\n\n const sdJwtVc = sdJwtVcApi.fromCompact(presentation)\n const jwt = Jwt.fromSerializedJwt(presentation.split('~')[0])\n const certificateChain = extractX509CertificatesFromJwt(jwt)\n\n let trustedCertificates: string[] | undefined = undefined\n if (certificateChain && x509Config.getTrustedCertificatesForVerification) {\n trustedCertificates = await x509Config.getTrustedCertificatesForVerification(agentContext, {\n certificateChain,\n verification: {\n type: 'credential',\n credential: sdJwtVc,\n openId4VcVerificationSessionId: options.verificationSessionId,\n },\n })\n }\n\n if (!trustedCertificates) {\n // We also take from the config here to avoid the callback being called again\n trustedCertificates = x509Config.trustedCertificates ?? []\n }\n\n const verificationResult = await sdJwtVcApi.verify({\n compactSdJwtVc: presentation,\n keyBinding: {\n audience: options.audience,\n nonce: options.nonce,\n },\n trustedCertificates,\n })\n\n isValid = verificationResult.verification.isValid\n cause = verificationResult.isValid ? undefined : verificationResult.error\n verifiablePresentation = sdJwtVc\n } else if (format === ClaimFormat.MsoMdoc) {\n if (typeof presentation !== 'string') {\n throw new CredoError('Expected vp_token entry for format mso_mdoc to be of type string')\n }\n const mdocDeviceResponse = MdocDeviceResponse.fromBase64Url(presentation)\n if (mdocDeviceResponse.documents.length === 0) {\n throw new CredoError('mdoc device response does not contain any mdocs')\n }\n\n const deviceResponses = mdocDeviceResponse.splitIntoSingleDocumentResponses()\n\n for (const deviceResponseIndex of deviceResponses.keys()) {\n const mdocDeviceResponse = deviceResponses[deviceResponseIndex]\n\n const document = mdocDeviceResponse.documents[0]\n const certificateChain = document.issuerSignedCertificateChain.map((cert) =>\n X509Certificate.fromRawCertificate(cert)\n )\n\n const trustedCertificates = await x509Config.getTrustedCertificatesForVerification?.(agentContext, {\n certificateChain,\n verification: {\n type: 'credential',\n credential: document,\n openId4VcVerificationSessionId: options.verificationSessionId,\n },\n })\n\n let sessionTranscriptOptions: MdocSessionTranscriptOptions\n if (options.origin && options.version === 'v1') {\n sessionTranscriptOptions = {\n type: 'openId4VpDcApi',\n verifierGeneratedNonce: options.nonce,\n origin: options.origin,\n encryptionJwk: options.encryptionJwk,\n }\n } else if (options.origin) {\n sessionTranscriptOptions = {\n type: 'openId4VpDcApiDraft24',\n clientId: options.clientId,\n verifierGeneratedNonce: options.nonce,\n origin: options.origin,\n }\n } else if (options.version === 'v1') {\n if (!options.responseUri) {\n throw new CredoError('responseUri is required for mdoc openid4vp session transcript calculation')\n }\n\n sessionTranscriptOptions = {\n type: 'openId4Vp',\n clientId: options.clientId,\n responseUri: options.responseUri,\n verifierGeneratedNonce: options.nonce,\n encryptionJwk: options.encryptionJwk,\n }\n } else {\n if (!options.mdocGeneratedNonce || !options.responseUri) {\n throw new CredoError(\n 'mdocGeneratedNonce and responseUri are required for mdoc openid4vp session transcript calculation'\n )\n }\n\n sessionTranscriptOptions = {\n type: 'openId4VpDraft18',\n clientId: options.clientId,\n mdocGeneratedNonce: options.mdocGeneratedNonce,\n responseUri: options.responseUri,\n verifierGeneratedNonce: options.nonce,\n }\n }\n\n await mdocDeviceResponse.verify(agentContext, {\n sessionTranscriptOptions,\n trustedCertificates,\n })\n }\n // TODO: extract transaction data hashes once https://github.com/openid/OpenID4VP/pull/330 is resolved\n\n isValid = true\n verifiablePresentation = mdocDeviceResponse\n } else if (format === ClaimFormat.JwtVp) {\n if (typeof presentation !== 'string') {\n throw new CredoError(`Expected vp_token entry for format ${format} to be of type string`)\n }\n\n verifiablePresentation = W3cJwtVerifiablePresentation.fromSerializedJwt(presentation)\n const verificationResult = await this.w3cCredentialService.verifyPresentation(agentContext, {\n presentation,\n challenge: options.nonce,\n domain: options.audience,\n })\n\n isValid = verificationResult.isValid\n cause = verificationResult.error\n } else if (format === ClaimFormat.SdJwtW3cVp) {\n if (typeof presentation !== 'string') {\n throw new CredoError(`Expected vp_token entry for format ${format} to be of type string`)\n }\n\n verifiablePresentation = W3cV2SdJwtVerifiablePresentation.fromCompact(presentation)\n const verificationResult = await this.w3cV2CredentialService.verifyPresentation(agentContext, {\n presentation: verifiablePresentation,\n challenge: options.nonce,\n domain: options.audience,\n })\n\n isValid = verificationResult.isValid\n cause = verificationResult.error\n } else {\n verifiablePresentation = JsonTransformer.fromJSON(presentation, W3cJsonLdVerifiablePresentation)\n const verificationResult = await this.w3cCredentialService.verifyPresentation(agentContext, {\n presentation: verifiablePresentation,\n challenge: options.nonce,\n domain: options.audience,\n })\n\n isValid = verificationResult.isValid\n cause = verificationResult.error\n }\n\n if (!isValid) {\n throw new CredoError(`Error occured during verification of presentation.${cause ? ` ${cause.message}` : ''}`, {\n cause,\n })\n }\n\n return {\n verified: true,\n presentation: verifiablePresentation,\n }\n } catch (error) {\n agentContext.config.logger.warn('Error occurred during verification of presentation', {\n error,\n })\n return {\n verified: false,\n reason: error.message,\n }\n }\n }\n\n /**\n * Update the record to a new state and emit an state changed event. Also updates the record\n * in storage.\n */\n public async updateState(\n agentContext: AgentContext,\n verificationSession: OpenId4VcVerificationSessionRecord,\n newState: OpenId4VcVerificationSessionState\n ) {\n agentContext.config.logger.debug(\n `Updating openid4vc verification session record ${verificationSession.id} to state ${newState} (previous=${verificationSession.state})`\n )\n\n const previousState = verificationSession.state\n verificationSession.state = newState\n await this.openId4VcVerificationSessionRepository.update(agentContext, verificationSession)\n\n this.emitStateChangedEvent(agentContext, verificationSession, previousState)\n }\n\n protected emitStateChangedEvent(\n agentContext: AgentContext,\n verificationSession: OpenId4VcVerificationSessionRecord,\n previousState: OpenId4VcVerificationSessionState | null\n ) {\n const eventEmitter = agentContext.dependencyManager.resolve(EventEmitter)\n\n eventEmitter.emit<OpenId4VcVerificationSessionStateChangedEvent>(agentContext, {\n type: OpenId4VcVerifierEvents.VerificationSessionStateChanged,\n payload: {\n verificationSession: verificationSession.clone(),\n previousState,\n },\n })\n }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;AAgGO,qCAAMA,2BAAyB;CACpC,AAAO,YACL,AAAyCC,QACzC,AAAQC,sBACR,AAAQC,wBACR,AAAQC,6BACR,AAAQC,QACR,AAAQC,wCACR;EANyC;EACjC;EACA;EACA;EACA;EACA;;CAGV,AAAQ,qBAAqB,cAA4B;AAIvD,SAFwB,IAAI,kBAAkB,EAAE,WAD9B,mBAAmB,aAAa,EACS,CAAC;;CAK9D,MAAa,2BACX,cACA,SACoD;EACpD,MAAM,MAAM,aAAa,QAAQ,IAAI,iBAAiB;EACtD,MAAM,QAAQ,kBAAkB,YAAY,IAAI,YAAY,EAAE,QAAQ,IAAI,CAAC,CAAC;EAC5E,MAAM,QAAQ,kBAAkB,YAAY,IAAI,YAAY,EAAE,QAAQ,IAAI,CAAC,CAAC;EAE5E,MAAM,eAAe,QAAQ,gBAAgB;EAC7C,MAAM,iBAAiB,iBAAiB,YAAY,iBAAiB;EAErE,MAAM,UAAU,QAAQ,WAAW;AACnC,MAAI,YAAY,gBAAgB,eAC9B,OAAM,IAAI,WACR,sBAAsB,QAAQ,sCAAsC,QAAQ,aAAa,8CAC1F;AAEH,MAAI,YAAY,gBAAgB,QAAQ,gBACtC,OAAM,IAAI,WACR,sBAAsB,QAAQ,kFAC/B;AAEH,MAAI,YAAY,gBAAgB,QAAQ,KACtC,OAAM,IAAI,WACR,sBAAsB,QAAQ,uEAC/B;AAEH,MAAI,YAAY,QAAQ,QAAQ,aAC9B,OAAM,IAAI,WAAW,sBAAsB,QAAQ,+DAA+D;AAEpH,MAAI,YAAY,QAAQ,QAAQ,qBAC9B,OAAM,IAAI,WACR,sBAAsB,QAAQ,kIAC/B;AAIH,MAAI,QAAQ,MAAM,MAAM,YAAY,MAAM,MAAM,EAAE,yCAAyC,MAAM,CAC/F,OAAM,IAAI,WACR,qLACD;AAGH,MAAI,kBAAkB,QAAQ,iCAC5B,OAAM,IAAI,WACR,qGACD;EAIH,MAAM,iBACJ,QAAQ,sBAAsB,WAAW,kBAAkB,MAAM,MAAM,EAAE,QAAQ,SAAS,IAC1F,QAAQ,MAAM,MAAM,YAAY,MAAM,MAAM,EAAE,WAAW,WAAW;AAEtE,OAAK,YAAY,gBAAgB,YAAY,iBAAiB,iBAAiB,iBAAiB,eAC9F,OAAM,IAAI,WACR,yUACD;AAGH,MAAI,QAAQ,cAAc;GACxB,MAAM,WACJ,SAAS,MAAM,MAAM,YAAY,KAAK,EAAE,SAAS,GAAG,IACpD,SAAS,sBAAsB,WAAW,kBAAkB,KAAK,EAAE,SAAS,GAAG,IAC/E,EAAE;AAMJ,OAAI,CAJ0B,QAAQ,aAAa,OAChD,OAAO,CAAC,GAAG,kBAAkB,GAAG,eAAe,OAAO,iBAAiB,SAAS,SAAS,aAAa,CAAC,CACzG,CAGC,OAAM,IAAI,WACR,0HACD;;EAIL,MAAM,yBAAyB,MAAM,MAAM;EAG3C,MAAM,2BAA2B,GAAG,aAAa,KAAK,OAAO,SAAS,CAAC,QAAQ,SAAS,YAAY,KAAK,OAAO,sBAAsB,CAAC,CAAC,WAAW;EAEnJ,MAAM,YACJ,QAAQ,cAAc,WAAW,SAC7B,SACA,QAAQ,cAAc,WAAW,QAC/B,MAAM,yBAAyB,cAAc;GAC3C,GAAG,QAAQ;GACX,QAAQ;GACT,CAAC,GACF,MAAM,yBAAyB,cAAc,QAAQ,cAAc;EAE3E,IAAIC;EACJ,IAAIC;AAEJ,MAAI,CAAC,UACH,KAAI,gBAAgB;AAClB,oBAAiB,YAAY,OAAO,WAAW;AAC/C,cAAW;SACN;AACL,oBAAiB;AACjB,cAAW;;WAEJ,WAAW,WAAW,MAG/B,KAFwB,YAAY,mBAAmB,cAAc,EAAE,kBAAkB,UAAU,KAAK,CAAC,CAErF,YAAY,SAAS,iBAAiB,UAAU,OAAO,CAAC,EAAE;AAC5E,oBAAiB;AACjB,cAAW,iBAAiB,UAAU,OAAO;QAE7C,OAAM,IAAI,WACR,uIACD;WAEM,WAAW,WAAW,OAAO;AACtC,cAAW,UAAU,OAAO,MAAM,IAAI,CAAC;AACvC,oBAAiB,YAAY,OAAO,6BAA6B;QAEjE,OAAM,IAAI,WACR,kCAAkC,QAAQ,cAAc,OAAO,wCAChE;EAIH,MAAM,gCACJ,CAAC,kBAAkB,YACf,aAAa,KAAK,OAAO,SAAS;GAChC,QAAQ,SAAS;GACjB,KAAK,OAAO;GACZ;GACD,CAAC,GAEF;EAEN,MAAM,YAEJ,mBAAmB,SAAU,mBAA8B,WAAW,YAAY,eAC9E,WACA,GAAG,eAAe,GAAG;EAG3B,MAAM,uBACJ,YAAY,gBACZ,mBAAmB,gBACnB,mBAAmB,YACnB,mBAAmB,6BACf,iBACA;EAEN,MAAM,kBAAkB,MAAM,KAAK,kBAAkB,cAAc;GACjE;GACA,UAAU,QAAQ;GAClB;GACA;GAGA,WAAW,QAAQ,MAAM;GAC1B,CAAC;EAEF,MAAM,oBAAoB;GACxB;GACA,yBAAyB,QAAQ,sBAAsB;GACvD,YAAY,QAAQ,MAAM;GAC1B,kBAAkB,QAAQ,iBAAiB,KAAK,UAAU,YAAY,YAAY,MAAM,CAAC;GACzF,eAAe;GACf,eAAe;GACf;GACA,eAAe,QAAQ;GACxB;EAGD,MAAM,uBAAuB,MADH,KAAK,qBAAqB,aAAa,CACZ,oCAAoC;GACvF,KAAK,YACD;IACE,WAAW;IACX,YAAY;IACZ,kBAAkB,KAAK,OAAO;IAC/B,GACD;GACJ,6BACE,kBAAkB,kBAAkB,gBAAgB,kBAAkB,kBAAkB,WACpF;IACE,GAAG;IAEH,WAAW,YAAY,YAAY;IACnC,eAAe,kBAAkB;IACjC,kBAAkB,QAAQ;IAC3B,GACD;IACE,GAAG;IACH,eAAe,kBAAkB;IACtB;IACX;IACA,cAAc;IACd,kBAAkB;IACnB;GACR,CAAC;EAEF,MAAM,sBAAsB,IAAI,mCAAmC;GACjE,kCAAkC,QAAQ;GAG1C,6BAA6B,qBAAqB,MAC9C,SACA,qBAAqB;GACzB,yBAAyB,qBAAqB,KAAK;GACnD,yBAAyB;GACzB;GACA,OAAO,kCAAkC;GACzC,YAAY,QAAQ,SAAS;GAC7B,WAAW,iCAAiB,IAAI,MAAM,EAAE,KAAK,OAAO,qCAAqC;GACzF,kBAAkB;GACnB,CAAC;AACF,QAAM,KAAK,uCAAuC,KAAK,cAAc,oBAAoB;AACzF,OAAK,sBAAsB,cAAc,qBAAqB,KAAK;AAEnE,SAAO;GACL,sBAAsB,qBAAqB;GAC3C;GACA,4BAA4B,qBAAqB;GAClD;;CAGH,MAAc,wBACZ,cACA,YACA,eACA;EACA,MAAM,cAAc,aAAa,kBAAkB,QAAQ,YAAY;EACvE,MAAM,YAAY,YAAY,kBAAkB,WAAW;EAE3D,MAAM,0BAA0B,OAAO,QAAQ,cAAc;EAC7D,MAAM,mBAAmB,OAAO,YAC9B,wBAAwB,KAAK,CAAC,cAAcC,qBAAmB;GAC7D,MAAM,kBAAkB,UAAU,YAAY,MAAM,MAAM,EAAE,OAAO,aAAa;AAChF,OAAI,CAAC,gBACH,OAAM,IAAI,WACR,2DAA2D,aAAa,0DACzE;AAGH,UAAO,CACL,cACA,iBAAiBA,kBAAgB,iBAC/B,KAAK,mBAAmB,cAAc;IACpC;IACA,QAAQ,wCAAwC,gBAAgB;IACjE,CAAC,CACH,CACF;IACD,CACH;AAQD,SAAO;GACL,OAAO;GACP,eAAe;GACf,oBAT6B,MAAM,YAAY,4BAC/C,cACA,kBACA,UACD;GAMA;;CAGH,MAAc,2BACZ,cACA,SAK6G;EAC7G,MAAM,oBAAoB,KAAK,qBAAqB,aAAa;EAEjE,MAAM,EAAE,uBAAuB,qBAAqB,WAAW;EAC/D,IAAIC,8BAAgF;AAEpF,MAAI;AACF,iCAA8B,MAAM,kBAAkB,oCAAoC;IACxF;IACA;IACA,6BAA6B,oBAAoB;IACjD,WAAW,mBAAmB,aAAa;IAC5C,CAAC;AAEF,OAAI,4BAA4B,QAAQ,4BAA4B,KAAK,SAAS,SAAS,UACzF,OAAM,IAAI,+BAA+B;IACvC,OAAO,iBAAiB;IACxB,mBAAmB,0DAA0D,4BAA4B,KAAK,KAAK;IACpH,CAAC;AAGJ,UAAO;IACL,GAAG;IACH;IACD;WACM,OAAO;AACd,OACE,qBAAqB,UAAU,kCAAkC,uBACjE,qBAAqB,UAAU,kCAAkC,gBACjE;IACA,MAAM,SAAS,gCAAgC,UAC7C,6BAA6B,6BAC9B;AAED,wBAAoB,+BAA+B,OAAO,UAAU,OAAO,OAAO;AAClF,wBAAoB,eAAe,MAAM;AACzC,UAAM,KAAK,YAAY,cAAc,qBAAqB,kCAAkC,MAAM;;AAGpG,SAAM;;;CAIV,MAAa,4BACX,cACA,SAMiD;EACjD,MAAM,EAAE,qBAAqB,uBAAuB,WAAW;EAC/D,MAAM,uBAAuB,oBAAoB;EACjD,MAAM,mBACJ,oBAAoB,qBACnB,qBAAqB,qBAAqB,SAAY,eAAe;AAExE,MACE,oBAAoB,UAAU,kCAAkC,uBAChE,oBAAoB,UAAU,kCAAkC,eAEhE,OAAM,IAAI,+BAA+B;GACvC,OAAO,iBAAiB;GACxB,mBAAmB;GACpB,CAAC;AAGJ,MAAI,oBAAoB,aAAa,KAAK,KAAK,GAAG,oBAAoB,UAAU,SAAS,EAAE;AACzF,uBAAoB,eAAe;AACnC,SAAM,KAAK,YAAY,cAAc,qBAAqB,kCAAkC,MAAM;AAClG,SAAM,IAAI,+BAA+B;IACvC,OAAO,iBAAiB;IACxB,mBAAmB;IACpB,CAAC;;EAGJ,MAAM,SAAS,MAAM,KAAK,2BAA2B,cAAc;GACjE;GACA;GACA;GACD,CAAC;EAKF,MAAM,gBAAgB,qBAAqB,iBAAiB,MAAM,KAAK,MAAM,QAAQ,IAAI,QAAQ,MAAM;EACvG,MAAM,sBAAsB,gBAAgB,IAAI,UAAU,YAAY,cAAc,GAAG;EAEvF,IAAIC,eAAuE;EAC3E,IAAIC,cAAsF;EAC1F,IAAIC,kBAAuF;AAE3F,MAAI;GASF,MAAM,WARiB,qBAAqB;IAC1C,cAAc,qBAAqB;IACnC,UAAU,qBAAqB;IAC/B,sBAAsB,qBAAqB;IAC3C,QAAQ,QAAQ;IAChB,SAAS,qBAAqB,OAAO,MAAM,qBAAqB,eAAe,KAAK;IACrF,CAAC,CAE8B;GAChC,MAAM,iBAAiB,qCAAqC,qBAAqB;GAKjF,MAAM,WAAW,qBAAqB,QAAQ,iBAAiB,UAAU,QAAQ,WAAW;GAE5F,MAAM,cAAc,qCAAqC,qBAAqB,GAC1E,SACA,qBAAqB;GAGzB,MAAM,qBAAqB,OAAO,MAAM,WAAW,MAC/C,kBAAkB,aAAa,kBAAkB,WAAW,OAAO,MAAM,WAAW,IAAI,CAAC,GACzF;AAEJ,OAAI,OAAO,SAAS,QAAQ;IAC1B,MAAM,0BAA0B,OAAO,QAAQ,OAAO,KAAK,cAAc;AACzE,QAAI,CAAC,qBAAqB,WACxB,OAAM,IAAI,+BAA+B;KACvC,OAAO,iBAAiB;KACxB,mBAAmB;KACpB,CAAC;IAGJ,MAAM,OAAO,aAAa,kBAAkB,QAAQ,YAAY;IAChE,MAAM,YAAY,KAAK,kBAAkB,qBAAqB,WAAW;IAEzE,MAAM,kCAAkC,MAAM,QAAQ,IACpD,wBAAwB,IAAI,OAAO,CAAC,cAAcJ,qBAAmB;KACnE,MAAM,kBAAkB,UAAU,YAAY,MAAM,MAAM,EAAE,OAAO,aAAa;AAChF,SAAI,CAAC,gBACH,OAAM,IAAI,+BAA+B;MACvC,OAAO,iBAAiB;MACxB,mBAAmB,2DAA2D,aAAa;MAC5F,CAAC;AAoBJ,YAAO,CAAC,cAjBsB,MAAM,QAAQ,IAC1C,iBAAiBA,kBAAgB,iBAC/B,KAAK,mBAAmB,cAAc;MACpC,QAAQ,wCAAwC,gBAAgB;MAChE,OAAO,qBAAqB;MAC5B;MACA,SAAS;MACT;MACA,eAAe;MACf,QAAQ,QAAQ;MAChB;MACA;MACA,uBAAuB,OAAO,oBAAoB;MAClD;MACD,CAAC,CACH,CACF,CAC2C;MAC5C,CACH;IAED,MAAM,gBAAgB,gCACnB,SAAS,CAAC,cAAcA,kBAAgB,UACvCA,gBAAc,KAAK,aACjB,CAACK,SAAO,WAAW,OAAO,aAAa,GAAG,MAAM,KAAKA,SAAO,WAAW,OACxE,CACF,CACA,QAAQ,MAAM,MAAM,OAAU;AACjC,QAAI,cAAc,SAAS,EACzB,OAAM,IAAI,+BACR;KACE,OAAO,iBAAiB;KACxB,mBAAmB;KACpB,EACD,EAAE,iBAAiB,cAAc,KAAK,KAAK,EAAE,CAC9C;IAIH,MAAM,gBAAgB,OAAO,YAC3B,gCAAgC,KAC7B,CAAC,cAAcL,qBACd,CACE,cACAA,gBACG,KAAK,MAAO,EAAE,WAAW,EAAE,eAAe,OAAW,CAIrD,QAAQ,MAAM,MAAM,OAAU,CAClC,CACJ,CACF;AAID,mBAAe;KACb;KACA,oBAJyB,MAAM,KAAK,4BAA4B,cAAc,eAAe,UAAU;KAKvG,OAAO;KACR;;AAGH,OAAI,OAAO,SAAS,OAAO;IACzB,MAAM,MAAM,aAAa,kBAAkB,QAAQ,+BAA+B;IAElF,MAAM,uBAAuB,OAAO,IAAI;IACxC,MAAM,aAAa,OAAO,IAAI;IAC9B,MAAM,aAAa,OAAO,IAAI;AAE9B,QAAI,+BAA+B,WAAW;AAE9C,QAAI;AACF,SAAI,+BAA+B,WAAW;aACvC,OAAO;AACd,WAAM,IAAI,+BACR;MACE,OAAO,iBAAiB;MACxB,mBAAmB;MACpB,EACD,EAAE,OAAO,OAAO,CACjB;;IAGH,MAAM,qBAAqB,MAAM,QAAQ,qBAAqB,GAAG,uBAAuB,CAAC,qBAAqB;IAC9G,MAAM,kCAAkC,MAAM,QAAQ,IACpD,mBAAmB,KAAK,iBAAiB;AACvC,YAAO,KAAK,mBAAmB,cAAc;MAC3C,OAAO,qBAAqB;MAC5B;MACA;MACA,SAAS;MACT,eAAe;MACf;MACA;MACA,uBAAuB,OAAO,oBAAoB;MAClD;MACA,QAAQ,KAAK,mCAAmC,aAAa;MAC7D,QAAQ,QAAQ;MACjB,CAAC;MACF,CACH;IAED,MAAM,gBAAgB,gCACnB,KAAK,UAAQ,UAAW,CAACK,SAAO,WAAW,QAAQ,MAAM,KAAKA,SAAO,WAAW,OAAW,CAC3F,QAAQ,MAAM,MAAM,OAAU;AACjC,QAAI,cAAc,SAAS,EACzB,OAAM,IAAI,+BACR;KACE,OAAO,iBAAiB;KACxB,mBAAmB;KACpB,EACD,EAAE,iBAAiB,cAAc,KAAK,KAAK,EAAE,CAC9C;IAGH,MAAM,0BAA0B,gCAC7B,KAAK,MAAO,EAAE,WAAW,EAAE,eAAe,OAAW,CACrD,QAAQ,MAAM,MAAM,OAAU;AAEjC,QAAI;AACF,SAAI,qBACF,YAEA,wBAAwB,WAAW,IAAI,wBAAwB,KAAK,yBACpE,WACD;aACM,OAAO;AACd,WAAM,IAAI,+BACR;MACE,OAAO,iBAAiB;MACxB,mBAAmB;MACpB,EACD,EAAE,OAAO,OAAO,CACjB;;AAUH,kBAAc;KACZ;KACA,aATkB,kDAElB,wBAAwB,WAAW,IAAI,wBAAwB,KAAK,yBACpE,YACA,WACD;KAKC,eAAe;KACf;KACD;;AAGH,qBAAkB,MAAM,KAAK,2BAA2B,cAAc;IACpE;IACA,MAAM;IACN,sBAAsB;IACvB,CAAC;WACK,OAAO;AACd,UAAO,oBAAoB,eAAe,MAAM;AAChD,SAAM,KAAK,YAAY,cAAc,OAAO,qBAAqB,kCAAkC,MAAM;AACzG,SAAM;;AAGR,SAAO,oBAAoB,+BAA+B,OAAO;AACjE,QAAM,KAAK,YAAY,cAAc,OAAO,qBAAqB,kCAAkC,iBAAiB;AAEpH,SAAO;GACL,sBAAsB;GACtB,MAAM;GACN;GACA,qBAAqB,OAAO;GAC7B;;;;;;CAOH,AAAQ,mCACN,cACmF;AACnF,MAAI,OAAO,iBAAiB,SAAU,QAAO,YAAY;AACzD,MAAI,aAAa,SAAS,IAAI,CAAE,QAAO,YAAY;AACnD,MAAI,IAAI,OAAO,KAAK,aAAa,CAAE,QAAO,YAAY;AAGtD,SAAO,YAAY;;CAGrB,MAAa,iCACX,cACA,qBACiD;AACjD,sBAAoB,YAAY,kCAAkC,iBAAiB;AAEnF,MAAI,CAAC,oBAAoB,6BACvB,OAAM,IAAI,WAAW,uEAAuE;EAG9F,MAAM,8BAA8B,oBAAoB;EACxD,MAAM,wCAAwC,oBAAoB;EAGlE,MAAM,SAFoB,KAAK,qBAAqB,aAAa,CAEhC,8CAA8C;GAC7E,6BAA6B,oBAAoB;GACjD,8BAA8B;GAC/B,CAAC;EAEF,IAAIC,uBAA+F;EACnG,MAAM,OACJ,OAAO,SAAS,SACZ,MAAM,KAAK,wBACT,cACA,4BAA4B,YAC5B,OAAO,KAAK,cACb,GACD;AAEN,MAAI,OAAO,SAAS,OAAO;GACzB,MAAM,yBACJ,4BAA4B;GAC9B,MAAM,aAAa,sCAAsC;AAIzD,OAAI,CAAC,WACH,OAAM,IAAI,WAAW,kDAAkD;GAGzE,MAAM,0BAA0B,OAAO,IAAI,cAAc,KAAK,iBAC5D,KAAK,mBAAmB,cAAc;IACpC;IACA,QAAQ,KAAK,mCAAmC,aAAa;IAC9D,CAAC,CACH;AAED,0BAAuB;IACrB,YAAY;IACZ;IACA,eAAe;IACf,aAAa,kDAEX,wBAAwB,WAAW,IAAI,wBAAwB,KAAK,yBACpE,YACA,uBACD;IACF;;AAGH,MAAI,CAAC,wBAAwB,CAAC,KAC5B,OAAM,IAAI,WAAW,yDAAyD;EAGhF,MAAM,kBAAkB,MAAM,KAAK,2BAA2B,cAAc;GAC1E,sBAAsB;GACtB;GACA;GACD,CAAC;AAEF,SAAO;GACL;GACA;GACA;GACA;GACD;;CAGH,MAAc,2BACZ,cACA,EACE,sBACA,sBACA,QAM4E;AAC9E,MAAI,CAAC,qBAAqB,iBAAkB,QAAO;EAEnD,MAAM,oBAAoB,KAAK,qBAAqB,aAAa;EACjE,MAAMC,mCAAqE,EAAE;EAG7E,MAAM,iBAAiB,OACnB,OAAO,QAAQ,KAAK,cAAc,GACjC,sBAAsB,YAAY,KAChC,eAAe,CAAC,WAAW,WAAW,IAAI,CAAC,WAAW,aAAa,CAAC,CACtE,IAAI,EAAE;AAEX,OAAK,MAAM,CAAC,cAAc,kBAAkB,gBAAgB;GAE1D,MAAM,wBAAwB,cAAc,KAAK,iBAC/C,aAAa,gBAAgB,YAAY,UAAU,gCAAgC,aAAa,GAAG,OACpG;GAED,MAAM,eAAe,sBAAsB,OAAO;AAClD,OAAI,CAAC,sBAAsB,OAAO,SAAU,eAAe,SAAS,SAAY,SAAS,OAAW,CAClG,OAAM,IAAI,+BAA+B;IACvC,OAAO,iBAAiB;IACxB,mBAAmB,6DAA6D,aAAa;IAC9F,CAAC;AAGJ,OAAI,CAAC,aAAc;AAEnB,oCAAiC,gBAAgB;;AAWnD,UALwB,MAAM,kBAAkB,sBAAsB;GACpE,aAAa;GACb,iBAAiB,qBAAqB;GACvC,CAAC,EAEqB,KAAK,EAAE,cAAc,sBAAsB,qBAAqB;GACrF;GACA,SAAS,qBAAqB;GAC9B,SAAS,qBAAqB;GAC9B,sBAAsB,qBAAqB;GAC3C,eAAe,cAAc,KAAK,kBAAkB;IAClD,uBAAuB,aAAa;IACpC,MAAM,aAAa;IAEnB,SAAS,aAAa;IACvB,EAAE;GACJ,EAAE;;CAGL,MAAa,gBAAgB,cAA4B;AACvD,SAAO,KAAK,4BAA4B,OAAO,aAAa;;CAG9D,MAAa,wBAAwB,cAA4B,YAAoB;AACnF,SAAO,KAAK,4BAA4B,gBAAgB,cAAc,WAAW;;CAGnF,MAAa,eAAe,cAA4B,UAAmC;AACzF,SAAO,KAAK,4BAA4B,OAAO,cAAc,SAAS;;CAGxE,MAAa,eAAe,cAA4B,SAA0C;EAChG,MAAM,oBAAoB,IAAI,wBAAwB;GACpD,YAAY,SAAS,cAAc,MAAM,MAAM;GAC/C,gBAAgB,SAAS;GAC1B,CAAC;AAEF,QAAM,KAAK,4BAA4B,KAAK,cAAc,kBAAkB;AAC5E,QAAM,oCAAoC,cAAc,kBAAkB,WAAW;AACrF,SAAO;;CAGT,MAAa,gCACX,cACA,OACA,cACA;AACA,SAAO,KAAK,uCAAuC,YAAY,cAAc,OAAO,aAAa;;CAGnG,MAAa,2BAA2B,cAA4B,uBAA+B;AACjG,SAAO,KAAK,uCAAuC,QAAQ,cAAc,sBAAsB;;CAGjG,MAAc,kBACZ,cACA,SAOyB;EACzB,MAAM,EAAE,cAAc,aAAa;EAEnC,MAAM,yBAAyB,aAAa,QAAQ,uBAAuB;EAC3E,MAAM,MAAM,aAAa,QAAQ,IAAI,iBAAiB;EACtD,MAAM,gBAAgB,mCAAmC,aAAa;EAItE,MAAM,oBAAoB,cAAc,OAAO,kCAAkC;EAIjF,MAAM,sBAAsB,uBAAuB;EAGnD,IAAIC;AAEJ,MAAI,mBAAmB,aAAa,CAElC,qBAAoB;GAAE,IADV,MAAM,IAAI,UAAU,EAAE,MAAM;IAAE,KAAK;IAAS,KAAK;IAAM,EAAE,CAAC,EACzC;GAAW,KAAK;GAAO;EAGtD,MAAMC,qBAQU,oBACZ;GACE,MAAM,EAAE,MAAM,CAAC,kBAAyB,EAAE;GAE1C,GAAI,QAAQ,YAAY,OACpB,EACE,yCAAyC;IAAC;IAAW;IAAW;IAAgB,EACjF,GACD;IACE,sCAAsC;IAKtC,sCAAsC,QAAQ,YAAY,eAAe,YAAY;IACtF;GACN,GACD;EAEJ,MAAM,mBAAmB,IAAI,IAAI,QAAQ,WAAW,YAAY,KAAK,MAAM,EAAE,OAAO,CAAC;AAErF,SAAO;GACL,GAAG;GACH,GAAG,SAAS;GACZ,0BAA0B,CAAC,WAAW;GAItC,GAAI,QAAQ,YAAY,OACpB,EACE,sBAAsB;IACpB,GAAI,iBAAiB,IAAI,YAAY,GACjC,EACE,aAAa;KACX,qBAAqB;KACrB,qBAAqB;KACtB,EACF,GACD,EAAE;IAEN,GAAI,iBAAiB,IAAI,WAAW,GAChC,EACE,UAAU;KAER,uBAAuB;MAAa;MAAgB;MAAmB;MAAI;KAC3E,uBAAuB;MAAa;MAAgB;MAAmB;MAAI;KAC5E,EACF,GACD,EAAE;IAEN,GAAI,iBAAiB,IAAI,cAAc,GACnC,EACE,aAAa,EACX,YAAY,eACb,EACF,GACD,EAAE;IAEN,GAAI,iBAAiB,IAAI,SAAS,GAC9B,EACE,QAAQ,EACN,mBAAmB,qBACpB,EACF,GACD,EAAE;IACP,EACF,GACD,EACE,YAAY;IACV,UAAU,EACR,KAAK,mBACN;IACD,QAAQ,EACN,KAAK,eACN;IACD,aAAa,EACX,KAAK,eACN;IACD,aAAa,EACX,KAAK,eACN;IACD,QAAQ,EACN,KAAK,eACN;IACD,QAAQ,EACN,YAAY,qBACb;IACD,QAAQ,EACN,YAAY,qBACb;IACD,aAAa;KACX,qBAAqB;KACrB,qBAAqB;KACtB;IACD,aAAa;KACX,qBAAqB;KACrB,qBAAqB;KACtB;IACF,EACF;GACN;;CAGH,AAAQ,mBACN,cACA,SAIwB;EACxB,MAAM,EAAE,cAAc,WAAW;AAEjC,MAAI,WAAW,YAAY,SAAS;AAClC,OAAI,OAAO,iBAAiB,SAC1B,OAAM,IAAI,WAAW,sCAAsC,OAAO,uBAAuB;AAK3F,UAHmB,aAAa,kBAAkB,QAAQ,WAAW,CAE1C,YAAY,aAAa;;AAGtD,MAAI,WAAW,YAAY,SAAS;AAClC,OAAI,OAAO,iBAAiB,SAC1B,OAAM,IAAI,WAAW,sCAAsC,OAAO,uBAAuB;AAG3F,UAD2B,mBAAmB,cAAc,aAAa;;AAG3E,MAAI,WAAW,YAAY,OAAO;AAChC,OAAI,OAAO,iBAAiB,SAC1B,OAAM,IAAI,WAAW,sCAAsC,OAAO,uBAAuB;AAE3F,UAAO,6BAA6B,kBAAkB,aAAa;;AAErE,MAAI,WAAW,YAAY,YAAY;AACrC,OAAI,OAAO,iBAAiB,SAC1B,OAAM,IAAI,WAAW,sCAAsC,OAAO,uBAAuB;AAE3F,UAAO,iCAAiC,YAAY,aAAa;;AAGnE,SAAO,gBAAgB,SAAS,cAAc,gCAAgC;;CAGhF,MAAc,mBACZ,cACA,SAoBA;EACA,MAAM,aAAa,aAAa,kBAAkB,QAAQ,iBAAiB;EAC3E,MAAM,aAAa,aAAa,kBAAkB,QAAQ,WAAW;EAErE,MAAM,EAAE,cAAc,WAAW;AAEjC,MAAI;AACF,QAAK,OAAO,MAAM,yBAAyB,gBAAgB,OAAO,aAAa,CAAC;GAEhF,IAAIC;GACJ,IAAIC,QAA2B;GAC/B,IAAIC;AAEJ,OAAI,WAAW,YAAY,SAAS;AAClC,QAAI,OAAO,iBAAiB,SAC1B,OAAM,IAAI,WAAW,sCAAsC,OAAO,uBAAuB;IAG3F,MAAM,UAAU,WAAW,YAAY,aAAa;IAEpD,MAAM,mBAAmB,+BADb,IAAI,kBAAkB,aAAa,MAAM,IAAI,CAAC,GAAG,CACD;IAE5D,IAAIC,sBAA4C;AAChD,QAAI,oBAAoB,WAAW,sCACjC,uBAAsB,MAAM,WAAW,sCAAsC,cAAc;KACzF;KACA,cAAc;MACZ,MAAM;MACN,YAAY;MACZ,gCAAgC,QAAQ;MACzC;KACF,CAAC;AAGJ,QAAI,CAAC,oBAEH,uBAAsB,WAAW,uBAAuB,EAAE;IAG5D,MAAM,qBAAqB,MAAM,WAAW,OAAO;KACjD,gBAAgB;KAChB,YAAY;MACV,UAAU,QAAQ;MAClB,OAAO,QAAQ;MAChB;KACD;KACD,CAAC;AAEF,cAAU,mBAAmB,aAAa;AAC1C,YAAQ,mBAAmB,UAAU,SAAY,mBAAmB;AACpE,6BAAyB;cAChB,WAAW,YAAY,SAAS;AACzC,QAAI,OAAO,iBAAiB,SAC1B,OAAM,IAAI,WAAW,mEAAmE;IAE1F,MAAM,qBAAqB,mBAAmB,cAAc,aAAa;AACzE,QAAI,mBAAmB,UAAU,WAAW,EAC1C,OAAM,IAAI,WAAW,kDAAkD;IAGzE,MAAM,kBAAkB,mBAAmB,kCAAkC;AAE7E,SAAK,MAAM,uBAAuB,gBAAgB,MAAM,EAAE;KACxD,MAAMC,uBAAqB,gBAAgB;KAE3C,MAAM,WAAWA,qBAAmB,UAAU;KAC9C,MAAM,mBAAmB,SAAS,6BAA6B,KAAK,SAClE,gBAAgB,mBAAmB,KAAK,CACzC;KAED,MAAM,sBAAsB,MAAM,WAAW,wCAAwC,cAAc;MACjG;MACA,cAAc;OACZ,MAAM;OACN,YAAY;OACZ,gCAAgC,QAAQ;OACzC;MACF,CAAC;KAEF,IAAIC;AACJ,SAAI,QAAQ,UAAU,QAAQ,YAAY,KACxC,4BAA2B;MACzB,MAAM;MACN,wBAAwB,QAAQ;MAChC,QAAQ,QAAQ;MAChB,eAAe,QAAQ;MACxB;cACQ,QAAQ,OACjB,4BAA2B;MACzB,MAAM;MACN,UAAU,QAAQ;MAClB,wBAAwB,QAAQ;MAChC,QAAQ,QAAQ;MACjB;cACQ,QAAQ,YAAY,MAAM;AACnC,UAAI,CAAC,QAAQ,YACX,OAAM,IAAI,WAAW,4EAA4E;AAGnG,iCAA2B;OACzB,MAAM;OACN,UAAU,QAAQ;OAClB,aAAa,QAAQ;OACrB,wBAAwB,QAAQ;OAChC,eAAe,QAAQ;OACxB;YACI;AACL,UAAI,CAAC,QAAQ,sBAAsB,CAAC,QAAQ,YAC1C,OAAM,IAAI,WACR,oGACD;AAGH,iCAA2B;OACzB,MAAM;OACN,UAAU,QAAQ;OAClB,oBAAoB,QAAQ;OAC5B,aAAa,QAAQ;OACrB,wBAAwB,QAAQ;OACjC;;AAGH,WAAMD,qBAAmB,OAAO,cAAc;MAC5C;MACA;MACD,CAAC;;AAIJ,cAAU;AACV,6BAAyB;cAChB,WAAW,YAAY,OAAO;AACvC,QAAI,OAAO,iBAAiB,SAC1B,OAAM,IAAI,WAAW,sCAAsC,OAAO,uBAAuB;AAG3F,6BAAyB,6BAA6B,kBAAkB,aAAa;IACrF,MAAM,qBAAqB,MAAM,KAAK,qBAAqB,mBAAmB,cAAc;KAC1F;KACA,WAAW,QAAQ;KACnB,QAAQ,QAAQ;KACjB,CAAC;AAEF,cAAU,mBAAmB;AAC7B,YAAQ,mBAAmB;cAClB,WAAW,YAAY,YAAY;AAC5C,QAAI,OAAO,iBAAiB,SAC1B,OAAM,IAAI,WAAW,sCAAsC,OAAO,uBAAuB;AAG3F,6BAAyB,iCAAiC,YAAY,aAAa;IACnF,MAAM,qBAAqB,MAAM,KAAK,uBAAuB,mBAAmB,cAAc;KAC5F,cAAc;KACd,WAAW,QAAQ;KACnB,QAAQ,QAAQ;KACjB,CAAC;AAEF,cAAU,mBAAmB;AAC7B,YAAQ,mBAAmB;UACtB;AACL,6BAAyB,gBAAgB,SAAS,cAAc,gCAAgC;IAChG,MAAM,qBAAqB,MAAM,KAAK,qBAAqB,mBAAmB,cAAc;KAC1F,cAAc;KACd,WAAW,QAAQ;KACnB,QAAQ,QAAQ;KACjB,CAAC;AAEF,cAAU,mBAAmB;AAC7B,YAAQ,mBAAmB;;AAG7B,OAAI,CAAC,QACH,OAAM,IAAI,WAAW,qDAAqD,QAAQ,IAAI,MAAM,YAAY,MAAM,EAC5G,OACD,CAAC;AAGJ,UAAO;IACL,UAAU;IACV,cAAc;IACf;WACM,OAAO;AACd,gBAAa,OAAO,OAAO,KAAK,sDAAsD,EACpF,OACD,CAAC;AACF,UAAO;IACL,UAAU;IACV,QAAQ,MAAM;IACf;;;;;;;CAQL,MAAa,YACX,cACA,qBACA,UACA;AACA,eAAa,OAAO,OAAO,MACzB,kDAAkD,oBAAoB,GAAG,YAAY,SAAS,aAAa,oBAAoB,MAAM,GACtI;EAED,MAAM,gBAAgB,oBAAoB;AAC1C,sBAAoB,QAAQ;AAC5B,QAAM,KAAK,uCAAuC,OAAO,cAAc,oBAAoB;AAE3F,OAAK,sBAAsB,cAAc,qBAAqB,cAAc;;CAG9E,AAAU,sBACR,cACA,qBACA,eACA;AAGA,EAFqB,aAAa,kBAAkB,QAAQ,aAAa,CAE5D,KAAoD,cAAc;GAC7E,MAAM,wBAAwB;GAC9B,SAAS;IACP,qBAAqB,oBAAoB,OAAO;IAChD;IACD;GACF,CAAC;;;;CA9sCL,YAAY;oBAGR,OAAO,iBAAiB,OAAO"}
1
+ {"version":3,"file":"OpenId4VpVerifierService.mjs","names":["OpenId4VpVerifierService","logger: Logger","w3cCredentialService: W3cCredentialService","w3cV2CredentialService: W3cV2CredentialService","openId4VcVerifierRepository: OpenId4VcVerifierRepository","config: OpenId4VcVerifierModuleConfig","openId4VcVerificationSessionRepository: OpenId4VcVerificationSessionRepository","clientIdPrefix: ClientIdPrefix","clientId: string | undefined","presentations","parsedAuthorizationResponse: ParsedOpenid4vpAuthorizationResponse | undefined","dcqlResponse: OpenId4VpVerifiedAuthorizationResponseDcql | undefined","pexResponse: OpenId4VpVerifiedAuthorizationResponsePresentationExchange | undefined","transactionData: OpenId4VpVerifiedAuthorizationResponseTransactionData[] | undefined","result","presentationExchange: OpenId4VpVerifiedAuthorizationResponsePresentationExchange | undefined","transactionDataHashesCredentials: TransactionDataHashesCredentials","jarmEncryptionJwk: JarmEncryptionJwk | undefined","jarmClientMetadata:\n | Pick<\n ClientMetadata,\n | 'jwks'\n | 'encrypted_response_enc_values_supported'\n | 'authorization_encrypted_response_alg'\n | 'authorization_encrypted_response_enc'\n >\n | undefined","isValid: boolean","cause: Error | undefined","verifiablePresentation: VerifiablePresentation","trustedCertificates: string[] | undefined","mdocDeviceResponse","sessionTranscriptOptions: MdocSessionTranscriptOptions"],"sources":["../../src/openid4vc-verifier/OpenId4VpVerifierService.ts"],"sourcesContent":["import {\n AgentContext,\n ClaimFormat,\n CredoError,\n type DcqlEncodedPresentations,\n type DcqlQuery,\n DcqlService,\n type DifPresentationExchangeDefinition,\n DifPresentationExchangeService,\n type DifPresentationExchangeSubmission,\n EventEmitter,\n extractPresentationsWithDescriptorsFromSubmission,\n extractX509CertificatesFromJwt,\n getDomainFromUrl,\n type HashName,\n InjectionSymbols,\n inject,\n injectable,\n isMdocSupportedSignatureAlgorithm,\n JsonEncoder,\n JsonTransformer,\n Jwt,\n joinUriParts,\n Kms,\n type Logger,\n MdocDeviceResponse,\n type MdocSessionTranscriptOptions,\n type MdocSupportedSignatureAlgorithm,\n mapNonEmptyArray,\n type NonEmptyArray,\n type Query,\n type QueryOptions,\n SdJwtVcApi,\n SignatureSuiteRegistry,\n TypedArrayEncoder,\n utils,\n type VerifiablePresentation,\n W3cCredentialService,\n W3cJsonLdVerifiablePresentation,\n W3cJwtVerifiablePresentation,\n W3cV2CredentialService,\n W3cV2SdJwtVerifiablePresentation,\n X509Certificate,\n X509ModuleConfig,\n X509Service,\n} from '@credo-ts/core'\nimport { type Jwk, Oauth2ErrorCodes, Oauth2ServerErrorResponseError } from '@openid4vc/oauth2'\nimport {\n type ClientIdPrefix,\n type ClientMetadata,\n getOpenid4vpClientId,\n isJarmResponseMode,\n isOpenid4vpAuthorizationRequestDcApi,\n JarmMode,\n Openid4vpVerifier,\n type ParsedOpenid4vpAuthorizationResponse,\n type TransactionDataHashesCredentials,\n zOpenid4vpAuthorizationResponse,\n} from '@openid4vc/openid4vp'\nimport { getOid4vcCallbacks } from '../shared/callbacks'\nimport type { OpenId4VpAuthorizationRequestPayload } from '../shared/index'\nimport { storeActorIdForContextCorrelationId } from '../shared/router'\nimport { getSdJwtVcTransactionDataHashes } from '../shared/transactionData'\nimport {\n dcqlCredentialQueryToPresentationFormat,\n getSupportedJwaSignatureAlgorithms,\n requestSignerToJwtIssuer,\n} from '../shared/utils'\nimport { OpenId4VcVerificationSessionState } from './OpenId4VcVerificationSessionState'\nimport { type OpenId4VcVerificationSessionStateChangedEvent, OpenId4VcVerifierEvents } from './OpenId4VcVerifierEvents'\nimport { OpenId4VcVerifierModuleConfig } from './OpenId4VcVerifierModuleConfig'\nimport type {\n OpenId4VpCreateAuthorizationRequestOptions,\n OpenId4VpCreateAuthorizationRequestReturn,\n OpenId4VpCreateVerifierOptions,\n OpenId4VpVerifiedAuthorizationResponse,\n OpenId4VpVerifiedAuthorizationResponseDcql,\n OpenId4VpVerifiedAuthorizationResponsePresentationExchange,\n OpenId4VpVerifiedAuthorizationResponseTransactionData,\n OpenId4VpVerifyAuthorizationResponseOptions,\n OpenId4VpVersion,\n ResponseMode,\n} from './OpenId4VpVerifierServiceOptions'\nimport {\n OpenId4VcVerificationSessionRecord,\n OpenId4VcVerificationSessionRepository,\n OpenId4VcVerifierRecord,\n OpenId4VcVerifierRepository,\n} from './repository'\n\n/**\n * @internal\n */\n@injectable()\nexport class OpenId4VpVerifierService {\n public constructor(\n @inject(InjectionSymbols.Logger) private logger: Logger,\n private w3cCredentialService: W3cCredentialService,\n private w3cV2CredentialService: W3cV2CredentialService,\n private openId4VcVerifierRepository: OpenId4VcVerifierRepository,\n private config: OpenId4VcVerifierModuleConfig,\n private openId4VcVerificationSessionRepository: OpenId4VcVerificationSessionRepository\n ) {}\n\n private getOpenid4vpVerifier(agentContext: AgentContext) {\n const callbacks = getOid4vcCallbacks(agentContext)\n const openid4vpClient = new Openid4vpVerifier({ callbacks })\n\n return openid4vpClient\n }\n\n public async createAuthorizationRequest(\n agentContext: AgentContext,\n options: OpenId4VpCreateAuthorizationRequestOptions & { verifier: OpenId4VcVerifierRecord }\n ): Promise<OpenId4VpCreateAuthorizationRequestReturn> {\n const kms = agentContext.resolve(Kms.KeyManagementApi)\n const nonce = TypedArrayEncoder.toBase64URL(kms.randomBytes({ length: 32 }))\n const state = TypedArrayEncoder.toBase64URL(kms.randomBytes({ length: 32 }))\n\n const responseMode = options.responseMode ?? 'direct_post.jwt'\n const isDcApiRequest = responseMode === 'dc_api' || responseMode === 'dc_api.jwt'\n\n const version = options.version ?? 'v1'\n if (version === 'v1.draft21' && isDcApiRequest) {\n throw new CredoError(\n `OpenID4VP version '${version}' cannot be used with responseMode '${options.responseMode}'. Use version 'v1' or 'v1.draft24' instead.`\n )\n }\n if (version === 'v1.draft21' && options.transactionData) {\n throw new CredoError(\n `OpenID4VP version '${version}' cannot be used with transactionData. Use version 'v1' or 'v1.draft24' instead.`\n )\n }\n if (version === 'v1.draft21' && options.dcql) {\n throw new CredoError(\n `OpenID4VP version '${version}' cannot be used with dcql. Use version 'v1' or 'v1.draft24' instead.`\n )\n }\n if (version !== 'v1' && options.verifierInfo) {\n throw new CredoError(`OpenID4VP version '${version}' cannot be used with verifierInfo. Use version 'v1' instead.`)\n }\n if (version === 'v1' && options.presentationExchange) {\n throw new CredoError(\n `OpenID4VP version '${version}' cannot be used with presentationExchange. Use dcql instead (recommended), or use older versions 'v1.draft24' and 'v1.draft21'.`\n )\n }\n\n // For now we only support presentations with holder binding.\n if (options.dcql?.query.credentials.some((c) => c.require_cryptographic_holder_binding === false)) {\n throw new CredoError(\n `Setting 'require_cryptographic_holder_binding' to false in DCQL Query is not supported by Credo at the moment. Only presentations with cryptographic holder binding are supported.`\n )\n }\n\n if (isDcApiRequest && options.authorizationResponseRedirectUri) {\n throw new CredoError(\n \"'authorizationResponseRedirectUri' cannot be be used with response mode 'dc_api' and 'dc_api.jwt'.\"\n )\n }\n\n // Check to prevent direct_post from being used with mDOC\n const hasMdocRequest =\n options.presentationExchange?.definition.input_descriptors.some((i) => i.format?.mso_mdoc) ||\n options.dcql?.query.credentials.some((c) => c.format === 'mso_mdoc')\n // Up to draft 24 we use the 18013-7 mdoc session transcript which needs values from APU/APV\n if ((version === 'v1.draft21' || version === 'v1.draft24') && responseMode === 'direct_post' && hasMdocRequest) {\n throw new CredoError(\n \"Unable to create authorization request with response mode 'direct_post' containing mDOC credentials. ISO 18013-7 requires the usage of response mode 'direct_post.jwt', and needs parameters from the encrypted response header to verify the mDOC sigature. Either use version 'v1', or update the response mode to 'direct_post.jwt'\"\n )\n }\n\n if (options.verifierInfo) {\n const queryIds =\n options?.dcql?.query.credentials.map(({ id }) => id) ??\n options?.presentationExchange?.definition.input_descriptors.map(({ id }) => id) ??\n []\n\n const hasValidCredentialIds = options.verifierInfo.every(\n (vi) => !vi.credential_ids || vi.credential_ids.every((credentialId) => queryIds.includes(credentialId))\n )\n\n if (!hasValidCredentialIds) {\n throw new CredoError(\n 'Verifier info (attestations) were provided, but the verifier info used credential ids that are not present in the query'\n )\n }\n }\n\n const authorizationRequestId = utils.uuid()\n // We include the `session=` in the url so we can still easily\n // find the session an encrypted response\n const authorizationResponseUrl = `${joinUriParts(this.config.baseUrl, [options.verifier.verifierId, this.config.authorizationEndpoint])}?session=${authorizationRequestId}`\n\n const jwtIssuer =\n options.requestSigner.method === 'none'\n ? undefined\n : options.requestSigner.method === 'x5c'\n ? await requestSignerToJwtIssuer(agentContext, {\n ...options.requestSigner,\n issuer: authorizationResponseUrl,\n })\n : await requestSignerToJwtIssuer(agentContext, options.requestSigner)\n\n let clientIdPrefix: ClientIdPrefix\n let clientId: string | undefined\n\n if (!jwtIssuer) {\n if (isDcApiRequest) {\n clientIdPrefix = version === 'v1' ? 'origin' : 'web-origin'\n clientId = undefined\n } else {\n clientIdPrefix = 'redirect_uri'\n clientId = authorizationResponseUrl\n }\n } else if (jwtIssuer?.method === 'x5c') {\n const leafCertificate = X509Service.getLeafCertificate(agentContext, { certificateChain: jwtIssuer.x5c })\n\n if (leafCertificate.sanDnsNames.includes(getDomainFromUrl(jwtIssuer.issuer))) {\n clientIdPrefix = 'x509_san_dns'\n clientId = getDomainFromUrl(jwtIssuer.issuer)\n } else {\n throw new CredoError(\n `With jwtIssuer method 'x5c' the jwtIssuer's 'issuer' field must match a sanDnsName (FQDN) in the leaf x509 chain's leaf certificate.`\n )\n }\n } else if (jwtIssuer?.method === 'did') {\n clientId = jwtIssuer.didUrl.split('#')[0]\n clientIdPrefix = version === 'v1' ? 'decentralized_identifier' : 'did'\n } else {\n throw new CredoError(\n `Unsupported jwt issuer method '${options.requestSigner.method}'. Only 'did' and 'x5c' are supported.`\n )\n }\n\n // We always use shortened URIs currently\n const hostedAuthorizationRequestUri =\n !isDcApiRequest && jwtIssuer\n ? joinUriParts(this.config.baseUrl, [\n options.verifier.verifierId,\n this.config.authorizationRequestEndpoint,\n authorizationRequestId,\n ])\n : // No hosted request needed when using DC API or using unsigned request\n undefined\n\n const client_id =\n // For did/https and draft 21 the client id has no special prefix\n clientIdPrefix === 'did' || (clientIdPrefix as string) === 'https' || version === 'v1.draft21'\n ? clientId\n : `${clientIdPrefix}:${clientId}`\n\n // for did the client_id is same in draft 21 and 24 so we could support both at the same time\n const legacyClientIdScheme =\n version === 'v1.draft21' &&\n clientIdPrefix !== 'web-origin' &&\n clientIdPrefix !== 'origin' &&\n clientIdPrefix !== 'decentralized_identifier'\n ? clientIdPrefix\n : undefined\n\n const client_metadata = await this.getClientMetadata(agentContext, {\n responseMode,\n verifier: options.verifier,\n authorizationResponseUrl,\n version,\n\n // TODO: we don't validate the DCQL query when creating a request i think?\n dcqlQuery: options.dcql?.query,\n })\n\n const requestParamsBase = {\n nonce,\n presentation_definition: options.presentationExchange?.definition,\n dcql_query: options.dcql?.query,\n transaction_data: options.transactionData?.map((entry) => JsonEncoder.toBase64URL(entry)),\n response_mode: responseMode,\n response_type: 'vp_token',\n client_metadata,\n verifier_info: options.verifierInfo,\n } as const\n\n const openid4vpVerifier = this.getOpenid4vpVerifier(agentContext)\n const authorizationRequest = await openid4vpVerifier.createOpenId4vpAuthorizationRequest({\n jar: jwtIssuer\n ? {\n jwtSigner: jwtIssuer,\n requestUri: hostedAuthorizationRequestUri,\n expiresInSeconds: this.config.authorizationRequestExpiresInSeconds,\n }\n : undefined,\n authorizationRequestPayload:\n requestParamsBase.response_mode === 'dc_api.jwt' || requestParamsBase.response_mode === 'dc_api'\n ? {\n ...requestParamsBase,\n // No client_id for unsigned DC API requests\n client_id: jwtIssuer ? client_id : undefined,\n response_mode: requestParamsBase.response_mode,\n expected_origins: options.expectedOrigins,\n }\n : {\n ...requestParamsBase,\n response_mode: requestParamsBase.response_mode,\n client_id: client_id as string,\n state,\n response_uri: authorizationResponseUrl,\n client_id_scheme: legacyClientIdScheme,\n },\n })\n\n const verificationSession = new OpenId4VcVerificationSessionRecord({\n authorizationResponseRedirectUri: options.authorizationResponseRedirectUri,\n\n // Only store payload for unsiged requests\n authorizationRequestPayload: authorizationRequest.jar\n ? undefined\n : authorizationRequest.authorizationRequestPayload,\n authorizationRequestJwt: authorizationRequest.jar?.authorizationRequestJwt,\n authorizationRequestUri: hostedAuthorizationRequestUri,\n authorizationRequestId,\n state: OpenId4VcVerificationSessionState.RequestCreated,\n verifierId: options.verifier.verifierId,\n expiresAt: utils.addSecondsToDate(new Date(), this.config.authorizationRequestExpiresInSeconds),\n openId4VpVersion: version,\n })\n await this.openId4VcVerificationSessionRepository.save(agentContext, verificationSession)\n this.emitStateChangedEvent(agentContext, verificationSession, null)\n\n return {\n authorizationRequest: authorizationRequest.authorizationRequest,\n verificationSession,\n authorizationRequestObject: authorizationRequest.authorizationRequestObject,\n }\n }\n\n private async getDcqlVerifiedResponse(\n agentContext: AgentContext,\n _dcqlQuery: unknown,\n presentations: DcqlEncodedPresentations\n ) {\n const dcqlService = agentContext.dependencyManager.resolve(DcqlService)\n const dcqlQuery = dcqlService.validateDcqlQuery(_dcqlQuery)\n\n const dcqlPresentationEntries = Object.entries(presentations)\n const dcqlPresentation = Object.fromEntries(\n dcqlPresentationEntries.map(([credentialId, presentations]) => {\n const queryCredential = dcqlQuery.credentials.find((c) => c.id === credentialId)\n if (!queryCredential) {\n throw new CredoError(\n `vp_token contains presentation for credential query id '${credentialId}', but this credential is not present in the dcql query.`\n )\n }\n\n return [\n credentialId,\n mapNonEmptyArray(presentations, (presentation) =>\n this.decodePresentation(agentContext, {\n presentation,\n format: dcqlCredentialQueryToPresentationFormat(queryCredential),\n })\n ),\n ]\n })\n )\n\n const dcqlPresentationResult = await dcqlService.assertValidDcqlPresentation(\n agentContext,\n dcqlPresentation,\n dcqlQuery\n )\n\n return {\n query: dcqlQuery,\n presentations: dcqlPresentation,\n presentationResult: dcqlPresentationResult,\n } satisfies OpenId4VpVerifiedAuthorizationResponseDcql\n }\n\n private async parseAuthorizationResponse(\n agentContext: AgentContext,\n options: {\n authorizationResponse: Record<string, unknown>\n origin?: string\n verificationSession: OpenId4VcVerificationSessionRecord\n }\n ): Promise<ParsedOpenid4vpAuthorizationResponse & { verificationSession: OpenId4VcVerificationSessionRecord }> {\n const openid4vpVerifier = this.getOpenid4vpVerifier(agentContext)\n\n const { authorizationResponse, verificationSession, origin } = options\n let parsedAuthorizationResponse: ParsedOpenid4vpAuthorizationResponse | undefined\n\n try {\n parsedAuthorizationResponse = await openid4vpVerifier.parseOpenid4vpAuthorizationResponse({\n authorizationResponse,\n origin,\n authorizationRequestPayload: verificationSession.requestPayload,\n callbacks: getOid4vcCallbacks(agentContext),\n })\n\n if (parsedAuthorizationResponse.jarm && parsedAuthorizationResponse.jarm.type !== JarmMode.Encrypted) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: `Only encrypted JARM responses are supported, received '${parsedAuthorizationResponse.jarm.type}'.`,\n })\n }\n\n return {\n ...parsedAuthorizationResponse,\n verificationSession,\n }\n } catch (error) {\n if (\n verificationSession?.state === OpenId4VcVerificationSessionState.RequestUriRetrieved ||\n verificationSession?.state === OpenId4VcVerificationSessionState.RequestCreated\n ) {\n const parsed = zOpenid4vpAuthorizationResponse.safeParse(\n parsedAuthorizationResponse?.authorizationResponsePayload\n )\n\n verificationSession.authorizationResponsePayload = parsed.success ? parsed.data : undefined\n verificationSession.errorMessage = error.message\n await this.updateState(agentContext, verificationSession, OpenId4VcVerificationSessionState.Error)\n }\n\n throw error\n }\n }\n\n public async verifyAuthorizationResponse(\n agentContext: AgentContext,\n options: OpenId4VpVerifyAuthorizationResponseOptions & {\n /**\n * The verification session associated with the response\n */\n verificationSession: OpenId4VcVerificationSessionRecord\n }\n ): Promise<OpenId4VpVerifiedAuthorizationResponse> {\n const { verificationSession, authorizationResponse, origin } = options\n const authorizationRequest = verificationSession.requestPayload\n const openid4vpVersion =\n verificationSession.openId4VpVersion ??\n (authorizationRequest.client_id_scheme !== undefined ? 'v1.draft21' : 'v1.draft24')\n\n if (\n verificationSession.state !== OpenId4VcVerificationSessionState.RequestUriRetrieved &&\n verificationSession.state !== OpenId4VcVerificationSessionState.RequestCreated\n ) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: 'Invalid session',\n })\n }\n\n if (verificationSession.expiresAt && Date.now() > verificationSession.expiresAt.getTime()) {\n verificationSession.errorMessage = 'session expired'\n await this.updateState(agentContext, verificationSession, OpenId4VcVerificationSessionState.Error)\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: 'session expired',\n })\n }\n\n const result = await this.parseAuthorizationResponse(agentContext, {\n verificationSession,\n authorizationResponse,\n origin,\n })\n\n // NOTE: we always currently include only one key, and also use 'use=enc'. If we change\n // that, we should change this. I think we should return the jarm key in the openid4vp lib\n // and match against that (and also ensure then it's present in client_metadata -> should not conflict with federation)\n const encryptionJwk = authorizationRequest.client_metadata?.jwks?.keys.find((key) => key.use === 'enc')\n const encryptionPublicJwk = encryptionJwk ? Kms.PublicJwk.fromUnknown(encryptionJwk) : undefined\n\n let dcqlResponse: OpenId4VpVerifiedAuthorizationResponseDcql | undefined\n let pexResponse: OpenId4VpVerifiedAuthorizationResponsePresentationExchange | undefined\n let transactionData: OpenId4VpVerifiedAuthorizationResponseTransactionData[] | undefined\n\n try {\n const parsedClientId = getOpenid4vpClientId({\n responseMode: authorizationRequest.response_mode,\n clientId: authorizationRequest.client_id,\n legacyClientIdScheme: authorizationRequest.client_id_scheme,\n origin: options.origin,\n version: openid4vpVersion === 'v1' ? 100 : openid4vpVersion === 'v1.draft24' ? 24 : 21,\n })\n\n const clientId = parsedClientId.effectiveClientId\n const isDcApiRequest = isOpenid4vpAuthorizationRequestDcApi(authorizationRequest)\n\n // TODO: we should return the effectiveAudience in the returned value of openid4vp lib\n // Since it differs based on the version of openid4vp used\n // NOTE: in v1 DC API request the audience is always origin: (not the client id)\n const audience = openid4vpVersion === 'v1' && isDcApiRequest ? `origin:${options.origin}` : clientId\n\n const responseUri = isOpenid4vpAuthorizationRequestDcApi(authorizationRequest)\n ? undefined\n : authorizationRequest.response_uri\n\n // NOTE: apu is needed for mDOC over OID4VP without DC API up to draft 24\n const mdocGeneratedNonce = result.jarm?.jarmHeader.apu\n ? TypedArrayEncoder.toUtf8String(TypedArrayEncoder.fromBase64(result.jarm?.jarmHeader.apu))\n : undefined\n\n if (result.type === 'dcql') {\n const dcqlPresentationEntries = Object.entries(result.dcql.presentations)\n if (!authorizationRequest.dcql_query) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: 'DCQL response provided but no dcql_query found in the authorization request.',\n })\n }\n\n const dcql = agentContext.dependencyManager.resolve(DcqlService)\n const dcqlQuery = dcql.validateDcqlQuery(authorizationRequest.dcql_query)\n\n const presentationVerificationResults = await Promise.all(\n dcqlPresentationEntries.map(async ([credentialId, presentations]) => {\n const queryCredential = dcqlQuery.credentials.find((c) => c.id === credentialId)\n if (!queryCredential) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: `vp_token contains presentation for credential query id '${credentialId}', but this credential is not present in the dcql query.`,\n })\n }\n\n const verifiedPresentations = await Promise.all(\n mapNonEmptyArray(presentations, (presentation) =>\n this.verifyPresentation(agentContext, {\n format: dcqlCredentialQueryToPresentationFormat(queryCredential),\n nonce: authorizationRequest.nonce,\n audience,\n version: openid4vpVersion,\n clientId,\n encryptionJwk: encryptionPublicJwk,\n origin: options.origin,\n responseUri,\n mdocGeneratedNonce,\n verificationSessionId: result.verificationSession.id,\n presentation,\n })\n )\n )\n return [credentialId, verifiedPresentations] as const\n })\n )\n\n const errorMessages = presentationVerificationResults\n .flatMap(([credentialId, presentations], index) =>\n presentations.map((result) =>\n !result.verified ? `\\t- ${credentialId}[${index}]: ${result.reason}` : undefined\n )\n )\n .filter((i) => i !== undefined)\n if (errorMessages.length > 0) {\n throw new Oauth2ServerErrorResponseError(\n {\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: 'One or more presentations failed verification.',\n },\n { internalMessage: errorMessages.join('\\n') }\n )\n }\n\n // We can be certain here that all presentations passed verification\n const presentations = Object.fromEntries(\n presentationVerificationResults.map(\n ([credentialId, presentations]) =>\n [\n credentialId,\n presentations\n .map((p) => (p.verified ? p.presentation : undefined))\n // NOTE: we add NonEmpty cast here since it's needed for DCQL, and because we\n // previously ensured all items are valid, we can be sure this arary is non empty\n // even after the filter.\n .filter((p) => p !== undefined) as NonEmptyArray<VerifiablePresentation>,\n ] as const\n )\n )\n\n const presentationResult = await dcql.assertValidDcqlPresentation(agentContext, presentations, dcqlQuery)\n\n dcqlResponse = {\n presentations,\n presentationResult,\n query: dcqlQuery,\n }\n }\n\n if (result.type === 'pex') {\n const pex = agentContext.dependencyManager.resolve(DifPresentationExchangeService)\n\n const encodedPresentations = result.pex.presentations\n const submission = result.pex.presentationSubmission as DifPresentationExchangeSubmission\n const definition = result.pex.presentationDefinition as unknown as DifPresentationExchangeDefinition\n\n pex.validatePresentationDefinition(definition)\n\n try {\n pex.validatePresentationSubmission(submission)\n } catch (error) {\n throw new Oauth2ServerErrorResponseError(\n {\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: 'Invalid presentation submission.',\n },\n { cause: error }\n )\n }\n\n const presentationsArray = Array.isArray(encodedPresentations) ? encodedPresentations : [encodedPresentations]\n const presentationVerificationResults = await Promise.all(\n presentationsArray.map((presentation) => {\n return this.verifyPresentation(agentContext, {\n nonce: authorizationRequest.nonce,\n audience,\n clientId,\n version: openid4vpVersion,\n encryptionJwk: encryptionPublicJwk,\n responseUri,\n mdocGeneratedNonce,\n verificationSessionId: result.verificationSession.id,\n presentation,\n format: this.claimFormatFromEncodedPresentation(presentation),\n origin: options.origin,\n })\n })\n )\n\n const errorMessages = presentationVerificationResults\n .map((result, index) => (!result.verified ? `\\t- [${index}]: ${result.reason}` : undefined))\n .filter((i) => i !== undefined)\n if (errorMessages.length > 0) {\n throw new Oauth2ServerErrorResponseError(\n {\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: 'One or more presentations failed verification.',\n },\n { internalMessage: errorMessages.join('\\n') }\n )\n }\n\n const verifiablePresentations = presentationVerificationResults\n .map((p) => (p.verified ? p.presentation : undefined))\n .filter((p) => p !== undefined)\n\n try {\n pex.validatePresentation(\n definition,\n // vp_token MUST not be an array if only one entry\n verifiablePresentations.length === 1 ? verifiablePresentations[0] : verifiablePresentations,\n submission\n )\n } catch (error) {\n throw new Oauth2ServerErrorResponseError(\n {\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: 'Presentation submission does not satisy presentation request.',\n },\n { cause: error }\n )\n }\n\n const descriptors = extractPresentationsWithDescriptorsFromSubmission(\n // vp_token MUST not be an array if only one entry\n verifiablePresentations.length === 1 ? verifiablePresentations[0] : verifiablePresentations,\n submission,\n definition\n )\n\n pexResponse = {\n definition,\n descriptors,\n presentations: verifiablePresentations,\n submission,\n }\n }\n\n transactionData = await this.getVerifiedTransactionData(agentContext, {\n authorizationRequest,\n dcql: dcqlResponse,\n presentationExchange: pexResponse,\n })\n } catch (error) {\n result.verificationSession.errorMessage = error.message\n await this.updateState(agentContext, result.verificationSession, OpenId4VcVerificationSessionState.Error)\n throw error\n }\n\n result.verificationSession.authorizationResponsePayload = result.authorizationResponsePayload\n await this.updateState(agentContext, result.verificationSession, OpenId4VcVerificationSessionState.ResponseVerified)\n\n return {\n presentationExchange: pexResponse,\n dcql: dcqlResponse,\n transactionData,\n verificationSession: result.verificationSession,\n }\n }\n\n /**\n * Get the format based on an encoded presentation. This is mostly leveraged for\n * PEX where it's not known based on the request which format to expect\n */\n private claimFormatFromEncodedPresentation(\n presentation: string | Record<string, unknown>\n ): ClaimFormat.JwtVp | ClaimFormat.LdpVp | ClaimFormat.SdJwtDc | ClaimFormat.MsoMdoc {\n if (typeof presentation === 'object') return ClaimFormat.LdpVp\n if (presentation.includes('~')) return ClaimFormat.SdJwtDc\n if (Jwt.format.test(presentation)) return ClaimFormat.JwtVp\n\n // Fallback, we tried all other formats\n return ClaimFormat.MsoMdoc\n }\n\n public async getVerifiedAuthorizationResponse(\n agentContext: AgentContext,\n verificationSession: OpenId4VcVerificationSessionRecord\n ): Promise<OpenId4VpVerifiedAuthorizationResponse> {\n verificationSession.assertState(OpenId4VcVerificationSessionState.ResponseVerified)\n\n if (!verificationSession.authorizationResponsePayload) {\n throw new CredoError('No authorization response payload found in the verification session.')\n }\n\n const authorizationRequestPayload = verificationSession.requestPayload\n const openid4vpAuthorizationResponsePayload = verificationSession.authorizationResponsePayload\n const openid4vpVerifier = this.getOpenid4vpVerifier(agentContext)\n\n const result = openid4vpVerifier.validateOpenid4vpAuthorizationResponsePayload({\n authorizationRequestPayload: verificationSession.requestPayload,\n authorizationResponsePayload: openid4vpAuthorizationResponsePayload,\n })\n\n let presentationExchange: OpenId4VpVerifiedAuthorizationResponsePresentationExchange | undefined\n const dcql =\n result.type === 'dcql'\n ? await this.getDcqlVerifiedResponse(\n agentContext,\n authorizationRequestPayload.dcql_query,\n result.dcql.presentations\n )\n : undefined\n\n if (result.type === 'pex') {\n const presentationDefinition =\n authorizationRequestPayload.presentation_definition as unknown as DifPresentationExchangeDefinition\n const submission = openid4vpAuthorizationResponsePayload.presentation_submission as\n | DifPresentationExchangeSubmission\n | undefined\n\n if (!submission) {\n throw new CredoError('Unable to extract submission from the response.')\n }\n\n const verifiablePresentations = result.pex.presentations.map((presentation) =>\n this.decodePresentation(agentContext, {\n presentation,\n format: this.claimFormatFromEncodedPresentation(presentation),\n })\n )\n\n presentationExchange = {\n definition: presentationDefinition,\n submission,\n presentations: verifiablePresentations,\n descriptors: extractPresentationsWithDescriptorsFromSubmission(\n // vp_token MUST not be an array if only one entry\n verifiablePresentations.length === 1 ? verifiablePresentations[0] : verifiablePresentations,\n submission,\n presentationDefinition\n ),\n }\n }\n\n if (!presentationExchange && !dcql) {\n throw new CredoError('No presentationExchange or dcql found in the response.')\n }\n\n const transactionData = await this.getVerifiedTransactionData(agentContext, {\n authorizationRequest: authorizationRequestPayload,\n dcql,\n presentationExchange,\n })\n\n return {\n presentationExchange,\n dcql,\n transactionData,\n verificationSession,\n }\n }\n\n private async getVerifiedTransactionData(\n agentContext: AgentContext,\n {\n authorizationRequest,\n presentationExchange,\n dcql,\n }: {\n dcql?: OpenId4VpVerifiedAuthorizationResponseDcql\n presentationExchange?: OpenId4VpVerifiedAuthorizationResponsePresentationExchange\n authorizationRequest: OpenId4VpAuthorizationRequestPayload\n }\n ): Promise<OpenId4VpVerifiedAuthorizationResponseTransactionData[] | undefined> {\n if (!authorizationRequest.transaction_data) return undefined\n\n const openid4vpVerifier = this.getOpenid4vpVerifier(agentContext)\n const transactionDataHashesCredentials: TransactionDataHashesCredentials = {}\n\n // Extract presentations with credentialId\n const idToCredential = dcql\n ? Object.entries(dcql.presentations)\n : (presentationExchange?.descriptors.map(\n (descriptor) => [descriptor.descriptor.id, [descriptor.presentation]] as const\n ) ?? [])\n\n for (const [credentialId, presentations] of idToCredential) {\n // Only SD-JWT VC supported for now\n const transactionDataHashes = presentations.map((presentation) =>\n presentation.claimFormat === ClaimFormat.SdJwtDc ? getSdJwtVcTransactionDataHashes(presentation) : undefined\n )\n\n const firstHasHash = transactionDataHashes[0] !== undefined\n if (!transactionDataHashes.every((hash) => (firstHasHash ? hash !== undefined : hash === undefined))) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidTransactionData,\n error_description: `Multipe presentations were submitted for credential query ${credentialId} but not all presentations includes a transaction data hash. Either all or none of the presentations for a credential query id should include a transaction data hash.`,\n })\n }\n\n if (!firstHasHash) continue\n\n transactionDataHashesCredentials[credentialId] = transactionDataHashes as [\n Exclude<(typeof transactionDataHashes)[number], undefined>,\n ]\n }\n\n // Verify the transaction data\n const transactionData = await openid4vpVerifier.verifyTransactionData({\n credentials: transactionDataHashesCredentials,\n transactionData: authorizationRequest.transaction_data,\n })\n\n return transactionData.map(({ credentialId, transactionDataEntry, presentations }) => ({\n credentialId,\n encoded: transactionDataEntry.encoded,\n decoded: transactionDataEntry.transactionData,\n transactionDataIndex: transactionDataEntry.transactionDataIndex,\n presentations: presentations.map((presentation) => ({\n presentationHashIndex: presentation.credentialHashIndex,\n hash: presentation.hash,\n // We only support the values supported by Credo hasher, so it can't be any other value than those.\n hashAlg: presentation.hashAlg as HashName,\n })) as OpenId4VpVerifiedAuthorizationResponseTransactionData['presentations'],\n }))\n }\n\n public async getAllVerifiers(agentContext: AgentContext) {\n return this.openId4VcVerifierRepository.getAll(agentContext)\n }\n\n public async getVerifierByVerifierId(agentContext: AgentContext, verifierId: string) {\n return this.openId4VcVerifierRepository.getByVerifierId(agentContext, verifierId)\n }\n\n public async updateVerifier(agentContext: AgentContext, verifier: OpenId4VcVerifierRecord) {\n return this.openId4VcVerifierRepository.update(agentContext, verifier)\n }\n\n public async createVerifier(agentContext: AgentContext, options?: OpenId4VpCreateVerifierOptions) {\n const openId4VcVerifier = new OpenId4VcVerifierRecord({\n verifierId: options?.verifierId ?? utils.uuid(),\n clientMetadata: options?.clientMetadata,\n })\n\n await this.openId4VcVerifierRepository.save(agentContext, openId4VcVerifier)\n await storeActorIdForContextCorrelationId(agentContext, openId4VcVerifier.verifierId)\n return openId4VcVerifier\n }\n\n public async findVerificationSessionsByQuery(\n agentContext: AgentContext,\n query: Query<OpenId4VcVerificationSessionRecord>,\n queryOptions?: QueryOptions\n ) {\n return this.openId4VcVerificationSessionRepository.findByQuery(agentContext, query, queryOptions)\n }\n\n public async getVerificationSessionById(agentContext: AgentContext, verificationSessionId: string) {\n return this.openId4VcVerificationSessionRepository.getById(agentContext, verificationSessionId)\n }\n\n private async getClientMetadata(\n agentContext: AgentContext,\n options: {\n responseMode: ResponseMode\n verifier: OpenId4VcVerifierRecord\n authorizationResponseUrl: string\n dcqlQuery?: DcqlQuery\n version: NonNullable<OpenId4VpCreateAuthorizationRequestOptions['version']>\n }\n ): Promise<ClientMetadata> {\n const { responseMode, verifier } = options\n\n const signatureSuiteRegistry = agentContext.resolve(SignatureSuiteRegistry)\n const kms = agentContext.resolve(Kms.KeyManagementApi)\n const supportedAlgs = getSupportedJwaSignatureAlgorithms(agentContext) as [\n Kms.KnownJwaSignatureAlgorithm,\n ...Kms.KnownJwaSignatureAlgorithm[],\n ]\n const supportedMdocAlgs = supportedAlgs.filter(isMdocSupportedSignatureAlgorithm) as [\n MdocSupportedSignatureAlgorithm,\n ...MdocSupportedSignatureAlgorithm[],\n ]\n const supportedProofTypes = signatureSuiteRegistry.supportedProofTypes\n\n type JarmEncryptionJwk = Kms.Jwk & { kid: string; use: 'enc' }\n let jarmEncryptionJwk: JarmEncryptionJwk | undefined\n\n if (isJarmResponseMode(responseMode)) {\n const key = await kms.createKey({ type: { crv: 'P-256', kty: 'EC' } })\n jarmEncryptionJwk = { ...key.publicJwk, use: 'enc' }\n }\n\n const jarmClientMetadata:\n | Pick<\n ClientMetadata,\n | 'jwks'\n | 'encrypted_response_enc_values_supported'\n | 'authorization_encrypted_response_alg'\n | 'authorization_encrypted_response_enc'\n >\n | undefined = jarmEncryptionJwk\n ? {\n jwks: { keys: [jarmEncryptionJwk as Jwk] },\n\n ...(options.version === 'v1'\n ? {\n encrypted_response_enc_values_supported: ['A128GCM', 'A256GCM', 'A128CBC-HS256'],\n }\n : {\n authorization_encrypted_response_alg: 'ECDH-ES',\n\n // NOTE: pre draft 24 we could only include one version. To maximize compatiblity we use\n // - A128GCM for draft 24 (HAIP)\n // - A256GCM for draft 21 (18013-7)\n authorization_encrypted_response_enc: options.version === 'v1.draft24' ? 'A128GCM' : 'A256GCM',\n }),\n }\n : undefined\n\n const dclqQueryFormats = new Set(options.dcqlQuery?.credentials.map((c) => c.format))\n\n return {\n ...jarmClientMetadata,\n ...verifier.clientMetadata,\n response_types_supported: ['vp_token'],\n\n // for v1 version we only include the vp_formats_supported for formats we're\n // requesting.\n ...(options.version === 'v1'\n ? {\n vp_formats_supported: {\n ...(dclqQueryFormats.has('dc+sd-jwt')\n ? {\n 'dc+sd-jwt': {\n 'kb-jwt_alg_values': supportedAlgs,\n 'sd-jwt_alg_values': supportedAlgs,\n },\n }\n : {}),\n\n ...(dclqQueryFormats.has('mso_mdoc')\n ? {\n mso_mdoc: {\n // TODO: we need to add some generic utils for fully specified COSE algorithms\n deviceauth_alg_values: [/* P-256 */ -9, /* P-384 */ -51, /* Ed25519 */ -19],\n issuerauth_alg_values: [/* P-256 */ -9, /* P-384 */ -51, /* Ed25519 */ -19],\n },\n }\n : {}),\n\n ...(dclqQueryFormats.has('jwt_vc_json')\n ? {\n jwt_vc_json: {\n alg_values: supportedAlgs,\n },\n }\n : {}),\n\n ...(dclqQueryFormats.has('ldp_vc')\n ? {\n ldp_vc: {\n proof_type_values: supportedProofTypes as [string, ...string[]],\n },\n }\n : {}),\n },\n }\n : {\n vp_formats: {\n mso_mdoc: {\n alg: supportedMdocAlgs,\n },\n jwt_vc: {\n alg: supportedAlgs,\n },\n jwt_vc_json: {\n alg: supportedAlgs,\n },\n jwt_vp_json: {\n alg: supportedAlgs,\n },\n jwt_vp: {\n alg: supportedAlgs,\n },\n ldp_vc: {\n proof_type: supportedProofTypes,\n },\n ldp_vp: {\n proof_type: supportedProofTypes,\n },\n 'vc+sd-jwt': {\n 'kb-jwt_alg_values': supportedAlgs,\n 'sd-jwt_alg_values': supportedAlgs,\n },\n 'dc+sd-jwt': {\n 'kb-jwt_alg_values': supportedAlgs,\n 'sd-jwt_alg_values': supportedAlgs,\n },\n },\n }),\n }\n }\n\n private decodePresentation(\n agentContext: AgentContext,\n options: {\n presentation: string | Record<string, unknown>\n format: ClaimFormat.JwtVp | ClaimFormat.LdpVp | ClaimFormat.SdJwtDc | ClaimFormat.MsoMdoc | ClaimFormat.SdJwtW3cVp\n }\n ): VerifiablePresentation {\n const { presentation, format } = options\n\n if (format === ClaimFormat.SdJwtDc) {\n if (typeof presentation !== 'string') {\n throw new CredoError(`Expected vp_token entry for format ${format} to be of type string`)\n }\n const sdJwtVcApi = agentContext.dependencyManager.resolve(SdJwtVcApi)\n\n const sdJwtVc = sdJwtVcApi.fromCompact(presentation)\n return sdJwtVc\n }\n if (format === ClaimFormat.MsoMdoc) {\n if (typeof presentation !== 'string') {\n throw new CredoError(`Expected vp_token entry for format ${format} to be of type string`)\n }\n const mdocDeviceResponse = MdocDeviceResponse.fromBase64Url(presentation)\n return mdocDeviceResponse\n }\n if (format === ClaimFormat.JwtVp) {\n if (typeof presentation !== 'string') {\n throw new CredoError(`Expected vp_token entry for format ${format} to be of type string`)\n }\n return W3cJwtVerifiablePresentation.fromSerializedJwt(presentation)\n }\n if (format === ClaimFormat.SdJwtW3cVp) {\n if (typeof presentation !== 'string') {\n throw new CredoError(`Expected vp_token entry for format ${format} to be of type string`)\n }\n return W3cV2SdJwtVerifiablePresentation.fromCompact(presentation)\n }\n\n return JsonTransformer.fromJSON(presentation, W3cJsonLdVerifiablePresentation)\n }\n\n private async verifyPresentation(\n agentContext: AgentContext,\n options: {\n nonce: string\n audience: string\n clientId: string\n responseUri?: string\n mdocGeneratedNonce?: string\n origin?: string\n verificationSessionId: string\n presentation: string | Record<string, unknown>\n format: ClaimFormat.LdpVp | ClaimFormat.JwtVp | ClaimFormat.SdJwtW3cVp | ClaimFormat.SdJwtDc | ClaimFormat.MsoMdoc\n version: OpenId4VpVersion\n encryptionJwk?: Kms.PublicJwk\n }\n ): Promise<\n | {\n verified: true\n presentation: VerifiablePresentation\n transactionData?: TransactionDataHashesCredentials[string]\n }\n | { verified: false; reason: string }\n > {\n const x509Config = agentContext.dependencyManager.resolve(X509ModuleConfig)\n const sdJwtVcApi = agentContext.dependencyManager.resolve(SdJwtVcApi)\n\n const { presentation, format } = options\n\n try {\n this.logger.trace('Presentation response', JsonTransformer.toJSON(presentation))\n\n let isValid: boolean\n let cause: Error | undefined\n let verifiablePresentation: VerifiablePresentation\n\n if (format === ClaimFormat.SdJwtDc) {\n if (typeof presentation !== 'string') {\n throw new CredoError(`Expected vp_token entry for format ${format} to be of type string`)\n }\n\n const sdJwtVc = sdJwtVcApi.fromCompact(presentation)\n const jwt = Jwt.fromSerializedJwt(presentation.split('~')[0])\n const certificateChain = extractX509CertificatesFromJwt(jwt)\n\n let trustedCertificates: string[] | undefined\n if (certificateChain && x509Config.getTrustedCertificatesForVerification) {\n trustedCertificates = await x509Config.getTrustedCertificatesForVerification(agentContext, {\n certificateChain,\n verification: {\n type: 'credential',\n credential: sdJwtVc,\n openId4VcVerificationSessionId: options.verificationSessionId,\n },\n })\n }\n\n if (!trustedCertificates) {\n // We also take from the config here to avoid the callback being called again\n trustedCertificates = x509Config.trustedCertificates ?? []\n }\n\n const verificationResult = await sdJwtVcApi.verify({\n compactSdJwtVc: presentation,\n keyBinding: {\n audience: options.audience,\n nonce: options.nonce,\n },\n trustedCertificates,\n })\n\n isValid = verificationResult.isValid\n cause = verificationResult.isValid ? undefined : verificationResult.error\n verifiablePresentation = sdJwtVc\n } else if (format === ClaimFormat.MsoMdoc) {\n if (typeof presentation !== 'string') {\n throw new CredoError('Expected vp_token entry for format mso_mdoc to be of type string')\n }\n const mdocDeviceResponse = MdocDeviceResponse.fromBase64Url(presentation)\n if (mdocDeviceResponse.documents.length === 0) {\n throw new CredoError('mdoc device response does not contain any mdocs')\n }\n\n const deviceResponses = mdocDeviceResponse.splitIntoSingleDocumentResponses()\n\n for (const deviceResponseIndex of deviceResponses.keys()) {\n const mdocDeviceResponse = deviceResponses[deviceResponseIndex]\n\n const document = mdocDeviceResponse.documents[0]\n const certificateChain = document.issuerSignedCertificateChain.map((cert) =>\n X509Certificate.fromRawCertificate(cert)\n )\n\n const trustedCertificates = await x509Config.getTrustedCertificatesForVerification?.(agentContext, {\n certificateChain,\n verification: {\n type: 'credential',\n credential: document,\n openId4VcVerificationSessionId: options.verificationSessionId,\n },\n })\n\n let sessionTranscriptOptions: MdocSessionTranscriptOptions\n if (options.origin && options.version === 'v1') {\n sessionTranscriptOptions = {\n type: 'openId4VpDcApi',\n verifierGeneratedNonce: options.nonce,\n origin: options.origin,\n encryptionJwk: options.encryptionJwk,\n }\n } else if (options.origin) {\n sessionTranscriptOptions = {\n type: 'openId4VpDcApiDraft24',\n clientId: options.clientId,\n verifierGeneratedNonce: options.nonce,\n origin: options.origin,\n }\n } else if (options.version === 'v1') {\n if (!options.responseUri) {\n throw new CredoError('responseUri is required for mdoc openid4vp session transcript calculation')\n }\n\n sessionTranscriptOptions = {\n type: 'openId4Vp',\n clientId: options.clientId,\n responseUri: options.responseUri,\n verifierGeneratedNonce: options.nonce,\n encryptionJwk: options.encryptionJwk,\n }\n } else {\n if (!options.mdocGeneratedNonce || !options.responseUri) {\n throw new CredoError(\n 'mdocGeneratedNonce and responseUri are required for mdoc openid4vp session transcript calculation'\n )\n }\n\n sessionTranscriptOptions = {\n type: 'openId4VpDraft18',\n clientId: options.clientId,\n mdocGeneratedNonce: options.mdocGeneratedNonce,\n responseUri: options.responseUri,\n verifierGeneratedNonce: options.nonce,\n }\n }\n\n await mdocDeviceResponse.verify(agentContext, {\n sessionTranscriptOptions,\n trustedCertificates,\n })\n }\n // TODO: extract transaction data hashes once https://github.com/openid/OpenID4VP/pull/330 is resolved\n\n isValid = true\n verifiablePresentation = mdocDeviceResponse\n } else if (format === ClaimFormat.JwtVp) {\n if (typeof presentation !== 'string') {\n throw new CredoError(`Expected vp_token entry for format ${format} to be of type string`)\n }\n\n verifiablePresentation = W3cJwtVerifiablePresentation.fromSerializedJwt(presentation)\n const verificationResult = await this.w3cCredentialService.verifyPresentation(agentContext, {\n presentation,\n challenge: options.nonce,\n domain: options.audience,\n })\n\n isValid = verificationResult.isValid\n cause = verificationResult.error\n } else if (format === ClaimFormat.SdJwtW3cVp) {\n if (typeof presentation !== 'string') {\n throw new CredoError(`Expected vp_token entry for format ${format} to be of type string`)\n }\n\n verifiablePresentation = W3cV2SdJwtVerifiablePresentation.fromCompact(presentation)\n const verificationResult = await this.w3cV2CredentialService.verifyPresentation(agentContext, {\n presentation: verifiablePresentation,\n challenge: options.nonce,\n domain: options.audience,\n })\n\n isValid = verificationResult.isValid\n cause = verificationResult.error\n } else {\n verifiablePresentation = JsonTransformer.fromJSON(presentation, W3cJsonLdVerifiablePresentation)\n const verificationResult = await this.w3cCredentialService.verifyPresentation(agentContext, {\n presentation: verifiablePresentation,\n challenge: options.nonce,\n domain: options.audience,\n })\n\n isValid = verificationResult.isValid\n cause = verificationResult.error\n }\n\n if (!isValid) {\n throw new CredoError(`Error occured during verification of presentation.${cause ? ` ${cause.message}` : ''}`, {\n cause,\n })\n }\n\n return {\n verified: true,\n presentation: verifiablePresentation,\n }\n } catch (error) {\n agentContext.config.logger.warn('Error occurred during verification of presentation', {\n error,\n })\n return {\n verified: false,\n reason: error.message,\n }\n }\n }\n\n /**\n * Update the record to a new state and emit an state changed event. Also updates the record\n * in storage.\n */\n public async updateState(\n agentContext: AgentContext,\n verificationSession: OpenId4VcVerificationSessionRecord,\n newState: OpenId4VcVerificationSessionState\n ) {\n agentContext.config.logger.debug(\n `Updating openid4vc verification session record ${verificationSession.id} to state ${newState} (previous=${verificationSession.state})`\n )\n\n const previousState = verificationSession.state\n verificationSession.state = newState\n await this.openId4VcVerificationSessionRepository.update(agentContext, verificationSession)\n\n this.emitStateChangedEvent(agentContext, verificationSession, previousState)\n }\n\n protected emitStateChangedEvent(\n agentContext: AgentContext,\n verificationSession: OpenId4VcVerificationSessionRecord,\n previousState: OpenId4VcVerificationSessionState | null\n ) {\n const eventEmitter = agentContext.dependencyManager.resolve(EventEmitter)\n\n eventEmitter.emit<OpenId4VcVerificationSessionStateChangedEvent>(agentContext, {\n type: OpenId4VcVerifierEvents.VerificationSessionStateChanged,\n payload: {\n verificationSession: verificationSession.clone(),\n previousState,\n },\n })\n }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;AA8FO,qCAAMA,2BAAyB;CACpC,AAAO,YACL,AAAyCC,QACzC,AAAQC,sBACR,AAAQC,wBACR,AAAQC,6BACR,AAAQC,QACR,AAAQC,wCACR;EANyC;EACjC;EACA;EACA;EACA;EACA;;CAGV,AAAQ,qBAAqB,cAA4B;AAIvD,SAFwB,IAAI,kBAAkB,EAAE,WAD9B,mBAAmB,aAAa,EACS,CAAC;;CAK9D,MAAa,2BACX,cACA,SACoD;EACpD,MAAM,MAAM,aAAa,QAAQ,IAAI,iBAAiB;EACtD,MAAM,QAAQ,kBAAkB,YAAY,IAAI,YAAY,EAAE,QAAQ,IAAI,CAAC,CAAC;EAC5E,MAAM,QAAQ,kBAAkB,YAAY,IAAI,YAAY,EAAE,QAAQ,IAAI,CAAC,CAAC;EAE5E,MAAM,eAAe,QAAQ,gBAAgB;EAC7C,MAAM,iBAAiB,iBAAiB,YAAY,iBAAiB;EAErE,MAAM,UAAU,QAAQ,WAAW;AACnC,MAAI,YAAY,gBAAgB,eAC9B,OAAM,IAAI,WACR,sBAAsB,QAAQ,sCAAsC,QAAQ,aAAa,8CAC1F;AAEH,MAAI,YAAY,gBAAgB,QAAQ,gBACtC,OAAM,IAAI,WACR,sBAAsB,QAAQ,kFAC/B;AAEH,MAAI,YAAY,gBAAgB,QAAQ,KACtC,OAAM,IAAI,WACR,sBAAsB,QAAQ,uEAC/B;AAEH,MAAI,YAAY,QAAQ,QAAQ,aAC9B,OAAM,IAAI,WAAW,sBAAsB,QAAQ,+DAA+D;AAEpH,MAAI,YAAY,QAAQ,QAAQ,qBAC9B,OAAM,IAAI,WACR,sBAAsB,QAAQ,kIAC/B;AAIH,MAAI,QAAQ,MAAM,MAAM,YAAY,MAAM,MAAM,EAAE,yCAAyC,MAAM,CAC/F,OAAM,IAAI,WACR,qLACD;AAGH,MAAI,kBAAkB,QAAQ,iCAC5B,OAAM,IAAI,WACR,qGACD;EAIH,MAAM,iBACJ,QAAQ,sBAAsB,WAAW,kBAAkB,MAAM,MAAM,EAAE,QAAQ,SAAS,IAC1F,QAAQ,MAAM,MAAM,YAAY,MAAM,MAAM,EAAE,WAAW,WAAW;AAEtE,OAAK,YAAY,gBAAgB,YAAY,iBAAiB,iBAAiB,iBAAiB,eAC9F,OAAM,IAAI,WACR,yUACD;AAGH,MAAI,QAAQ,cAAc;GACxB,MAAM,WACJ,SAAS,MAAM,MAAM,YAAY,KAAK,EAAE,SAAS,GAAG,IACpD,SAAS,sBAAsB,WAAW,kBAAkB,KAAK,EAAE,SAAS,GAAG,IAC/E,EAAE;AAMJ,OAAI,CAJ0B,QAAQ,aAAa,OAChD,OAAO,CAAC,GAAG,kBAAkB,GAAG,eAAe,OAAO,iBAAiB,SAAS,SAAS,aAAa,CAAC,CACzG,CAGC,OAAM,IAAI,WACR,0HACD;;EAIL,MAAM,yBAAyB,MAAM,MAAM;EAG3C,MAAM,2BAA2B,GAAG,aAAa,KAAK,OAAO,SAAS,CAAC,QAAQ,SAAS,YAAY,KAAK,OAAO,sBAAsB,CAAC,CAAC,WAAW;EAEnJ,MAAM,YACJ,QAAQ,cAAc,WAAW,SAC7B,SACA,QAAQ,cAAc,WAAW,QAC/B,MAAM,yBAAyB,cAAc;GAC3C,GAAG,QAAQ;GACX,QAAQ;GACT,CAAC,GACF,MAAM,yBAAyB,cAAc,QAAQ,cAAc;EAE3E,IAAIC;EACJ,IAAIC;AAEJ,MAAI,CAAC,UACH,KAAI,gBAAgB;AAClB,oBAAiB,YAAY,OAAO,WAAW;AAC/C,cAAW;SACN;AACL,oBAAiB;AACjB,cAAW;;WAEJ,WAAW,WAAW,MAG/B,KAFwB,YAAY,mBAAmB,cAAc,EAAE,kBAAkB,UAAU,KAAK,CAAC,CAErF,YAAY,SAAS,iBAAiB,UAAU,OAAO,CAAC,EAAE;AAC5E,oBAAiB;AACjB,cAAW,iBAAiB,UAAU,OAAO;QAE7C,OAAM,IAAI,WACR,uIACD;WAEM,WAAW,WAAW,OAAO;AACtC,cAAW,UAAU,OAAO,MAAM,IAAI,CAAC;AACvC,oBAAiB,YAAY,OAAO,6BAA6B;QAEjE,OAAM,IAAI,WACR,kCAAkC,QAAQ,cAAc,OAAO,wCAChE;EAIH,MAAM,gCACJ,CAAC,kBAAkB,YACf,aAAa,KAAK,OAAO,SAAS;GAChC,QAAQ,SAAS;GACjB,KAAK,OAAO;GACZ;GACD,CAAC,GAEF;EAEN,MAAM,YAEJ,mBAAmB,SAAU,mBAA8B,WAAW,YAAY,eAC9E,WACA,GAAG,eAAe,GAAG;EAG3B,MAAM,uBACJ,YAAY,gBACZ,mBAAmB,gBACnB,mBAAmB,YACnB,mBAAmB,6BACf,iBACA;EAEN,MAAM,kBAAkB,MAAM,KAAK,kBAAkB,cAAc;GACjE;GACA,UAAU,QAAQ;GAClB;GACA;GAGA,WAAW,QAAQ,MAAM;GAC1B,CAAC;EAEF,MAAM,oBAAoB;GACxB;GACA,yBAAyB,QAAQ,sBAAsB;GACvD,YAAY,QAAQ,MAAM;GAC1B,kBAAkB,QAAQ,iBAAiB,KAAK,UAAU,YAAY,YAAY,MAAM,CAAC;GACzF,eAAe;GACf,eAAe;GACf;GACA,eAAe,QAAQ;GACxB;EAGD,MAAM,uBAAuB,MADH,KAAK,qBAAqB,aAAa,CACZ,oCAAoC;GACvF,KAAK,YACD;IACE,WAAW;IACX,YAAY;IACZ,kBAAkB,KAAK,OAAO;IAC/B,GACD;GACJ,6BACE,kBAAkB,kBAAkB,gBAAgB,kBAAkB,kBAAkB,WACpF;IACE,GAAG;IAEH,WAAW,YAAY,YAAY;IACnC,eAAe,kBAAkB;IACjC,kBAAkB,QAAQ;IAC3B,GACD;IACE,GAAG;IACH,eAAe,kBAAkB;IACtB;IACX;IACA,cAAc;IACd,kBAAkB;IACnB;GACR,CAAC;EAEF,MAAM,sBAAsB,IAAI,mCAAmC;GACjE,kCAAkC,QAAQ;GAG1C,6BAA6B,qBAAqB,MAC9C,SACA,qBAAqB;GACzB,yBAAyB,qBAAqB,KAAK;GACnD,yBAAyB;GACzB;GACA,OAAO,kCAAkC;GACzC,YAAY,QAAQ,SAAS;GAC7B,WAAW,MAAM,iCAAiB,IAAI,MAAM,EAAE,KAAK,OAAO,qCAAqC;GAC/F,kBAAkB;GACnB,CAAC;AACF,QAAM,KAAK,uCAAuC,KAAK,cAAc,oBAAoB;AACzF,OAAK,sBAAsB,cAAc,qBAAqB,KAAK;AAEnE,SAAO;GACL,sBAAsB,qBAAqB;GAC3C;GACA,4BAA4B,qBAAqB;GAClD;;CAGH,MAAc,wBACZ,cACA,YACA,eACA;EACA,MAAM,cAAc,aAAa,kBAAkB,QAAQ,YAAY;EACvE,MAAM,YAAY,YAAY,kBAAkB,WAAW;EAE3D,MAAM,0BAA0B,OAAO,QAAQ,cAAc;EAC7D,MAAM,mBAAmB,OAAO,YAC9B,wBAAwB,KAAK,CAAC,cAAcC,qBAAmB;GAC7D,MAAM,kBAAkB,UAAU,YAAY,MAAM,MAAM,EAAE,OAAO,aAAa;AAChF,OAAI,CAAC,gBACH,OAAM,IAAI,WACR,2DAA2D,aAAa,0DACzE;AAGH,UAAO,CACL,cACA,iBAAiBA,kBAAgB,iBAC/B,KAAK,mBAAmB,cAAc;IACpC;IACA,QAAQ,wCAAwC,gBAAgB;IACjE,CAAC,CACH,CACF;IACD,CACH;AAQD,SAAO;GACL,OAAO;GACP,eAAe;GACf,oBAT6B,MAAM,YAAY,4BAC/C,cACA,kBACA,UACD;GAMA;;CAGH,MAAc,2BACZ,cACA,SAK6G;EAC7G,MAAM,oBAAoB,KAAK,qBAAqB,aAAa;EAEjE,MAAM,EAAE,uBAAuB,qBAAqB,WAAW;EAC/D,IAAIC;AAEJ,MAAI;AACF,iCAA8B,MAAM,kBAAkB,oCAAoC;IACxF;IACA;IACA,6BAA6B,oBAAoB;IACjD,WAAW,mBAAmB,aAAa;IAC5C,CAAC;AAEF,OAAI,4BAA4B,QAAQ,4BAA4B,KAAK,SAAS,SAAS,UACzF,OAAM,IAAI,+BAA+B;IACvC,OAAO,iBAAiB;IACxB,mBAAmB,0DAA0D,4BAA4B,KAAK,KAAK;IACpH,CAAC;AAGJ,UAAO;IACL,GAAG;IACH;IACD;WACM,OAAO;AACd,OACE,qBAAqB,UAAU,kCAAkC,uBACjE,qBAAqB,UAAU,kCAAkC,gBACjE;IACA,MAAM,SAAS,gCAAgC,UAC7C,6BAA6B,6BAC9B;AAED,wBAAoB,+BAA+B,OAAO,UAAU,OAAO,OAAO;AAClF,wBAAoB,eAAe,MAAM;AACzC,UAAM,KAAK,YAAY,cAAc,qBAAqB,kCAAkC,MAAM;;AAGpG,SAAM;;;CAIV,MAAa,4BACX,cACA,SAMiD;EACjD,MAAM,EAAE,qBAAqB,uBAAuB,WAAW;EAC/D,MAAM,uBAAuB,oBAAoB;EACjD,MAAM,mBACJ,oBAAoB,qBACnB,qBAAqB,qBAAqB,SAAY,eAAe;AAExE,MACE,oBAAoB,UAAU,kCAAkC,uBAChE,oBAAoB,UAAU,kCAAkC,eAEhE,OAAM,IAAI,+BAA+B;GACvC,OAAO,iBAAiB;GACxB,mBAAmB;GACpB,CAAC;AAGJ,MAAI,oBAAoB,aAAa,KAAK,KAAK,GAAG,oBAAoB,UAAU,SAAS,EAAE;AACzF,uBAAoB,eAAe;AACnC,SAAM,KAAK,YAAY,cAAc,qBAAqB,kCAAkC,MAAM;AAClG,SAAM,IAAI,+BAA+B;IACvC,OAAO,iBAAiB;IACxB,mBAAmB;IACpB,CAAC;;EAGJ,MAAM,SAAS,MAAM,KAAK,2BAA2B,cAAc;GACjE;GACA;GACA;GACD,CAAC;EAKF,MAAM,gBAAgB,qBAAqB,iBAAiB,MAAM,KAAK,MAAM,QAAQ,IAAI,QAAQ,MAAM;EACvG,MAAM,sBAAsB,gBAAgB,IAAI,UAAU,YAAY,cAAc,GAAG;EAEvF,IAAIC;EACJ,IAAIC;EACJ,IAAIC;AAEJ,MAAI;GASF,MAAM,WARiB,qBAAqB;IAC1C,cAAc,qBAAqB;IACnC,UAAU,qBAAqB;IAC/B,sBAAsB,qBAAqB;IAC3C,QAAQ,QAAQ;IAChB,SAAS,qBAAqB,OAAO,MAAM,qBAAqB,eAAe,KAAK;IACrF,CAAC,CAE8B;GAChC,MAAM,iBAAiB,qCAAqC,qBAAqB;GAKjF,MAAM,WAAW,qBAAqB,QAAQ,iBAAiB,UAAU,QAAQ,WAAW;GAE5F,MAAM,cAAc,qCAAqC,qBAAqB,GAC1E,SACA,qBAAqB;GAGzB,MAAM,qBAAqB,OAAO,MAAM,WAAW,MAC/C,kBAAkB,aAAa,kBAAkB,WAAW,OAAO,MAAM,WAAW,IAAI,CAAC,GACzF;AAEJ,OAAI,OAAO,SAAS,QAAQ;IAC1B,MAAM,0BAA0B,OAAO,QAAQ,OAAO,KAAK,cAAc;AACzE,QAAI,CAAC,qBAAqB,WACxB,OAAM,IAAI,+BAA+B;KACvC,OAAO,iBAAiB;KACxB,mBAAmB;KACpB,CAAC;IAGJ,MAAM,OAAO,aAAa,kBAAkB,QAAQ,YAAY;IAChE,MAAM,YAAY,KAAK,kBAAkB,qBAAqB,WAAW;IAEzE,MAAM,kCAAkC,MAAM,QAAQ,IACpD,wBAAwB,IAAI,OAAO,CAAC,cAAcJ,qBAAmB;KACnE,MAAM,kBAAkB,UAAU,YAAY,MAAM,MAAM,EAAE,OAAO,aAAa;AAChF,SAAI,CAAC,gBACH,OAAM,IAAI,+BAA+B;MACvC,OAAO,iBAAiB;MACxB,mBAAmB,2DAA2D,aAAa;MAC5F,CAAC;AAoBJ,YAAO,CAAC,cAjBsB,MAAM,QAAQ,IAC1C,iBAAiBA,kBAAgB,iBAC/B,KAAK,mBAAmB,cAAc;MACpC,QAAQ,wCAAwC,gBAAgB;MAChE,OAAO,qBAAqB;MAC5B;MACA,SAAS;MACT;MACA,eAAe;MACf,QAAQ,QAAQ;MAChB;MACA;MACA,uBAAuB,OAAO,oBAAoB;MAClD;MACD,CAAC,CACH,CACF,CAC2C;MAC5C,CACH;IAED,MAAM,gBAAgB,gCACnB,SAAS,CAAC,cAAcA,kBAAgB,UACvCA,gBAAc,KAAK,aACjB,CAACK,SAAO,WAAW,OAAO,aAAa,GAAG,MAAM,KAAKA,SAAO,WAAW,OACxE,CACF,CACA,QAAQ,MAAM,MAAM,OAAU;AACjC,QAAI,cAAc,SAAS,EACzB,OAAM,IAAI,+BACR;KACE,OAAO,iBAAiB;KACxB,mBAAmB;KACpB,EACD,EAAE,iBAAiB,cAAc,KAAK,KAAK,EAAE,CAC9C;IAIH,MAAM,gBAAgB,OAAO,YAC3B,gCAAgC,KAC7B,CAAC,cAAcL,qBACd,CACE,cACAA,gBACG,KAAK,MAAO,EAAE,WAAW,EAAE,eAAe,OAAW,CAIrD,QAAQ,MAAM,MAAM,OAAU,CAClC,CACJ,CACF;AAID,mBAAe;KACb;KACA,oBAJyB,MAAM,KAAK,4BAA4B,cAAc,eAAe,UAAU;KAKvG,OAAO;KACR;;AAGH,OAAI,OAAO,SAAS,OAAO;IACzB,MAAM,MAAM,aAAa,kBAAkB,QAAQ,+BAA+B;IAElF,MAAM,uBAAuB,OAAO,IAAI;IACxC,MAAM,aAAa,OAAO,IAAI;IAC9B,MAAM,aAAa,OAAO,IAAI;AAE9B,QAAI,+BAA+B,WAAW;AAE9C,QAAI;AACF,SAAI,+BAA+B,WAAW;aACvC,OAAO;AACd,WAAM,IAAI,+BACR;MACE,OAAO,iBAAiB;MACxB,mBAAmB;MACpB,EACD,EAAE,OAAO,OAAO,CACjB;;IAGH,MAAM,qBAAqB,MAAM,QAAQ,qBAAqB,GAAG,uBAAuB,CAAC,qBAAqB;IAC9G,MAAM,kCAAkC,MAAM,QAAQ,IACpD,mBAAmB,KAAK,iBAAiB;AACvC,YAAO,KAAK,mBAAmB,cAAc;MAC3C,OAAO,qBAAqB;MAC5B;MACA;MACA,SAAS;MACT,eAAe;MACf;MACA;MACA,uBAAuB,OAAO,oBAAoB;MAClD;MACA,QAAQ,KAAK,mCAAmC,aAAa;MAC7D,QAAQ,QAAQ;MACjB,CAAC;MACF,CACH;IAED,MAAM,gBAAgB,gCACnB,KAAK,UAAQ,UAAW,CAACK,SAAO,WAAW,QAAQ,MAAM,KAAKA,SAAO,WAAW,OAAW,CAC3F,QAAQ,MAAM,MAAM,OAAU;AACjC,QAAI,cAAc,SAAS,EACzB,OAAM,IAAI,+BACR;KACE,OAAO,iBAAiB;KACxB,mBAAmB;KACpB,EACD,EAAE,iBAAiB,cAAc,KAAK,KAAK,EAAE,CAC9C;IAGH,MAAM,0BAA0B,gCAC7B,KAAK,MAAO,EAAE,WAAW,EAAE,eAAe,OAAW,CACrD,QAAQ,MAAM,MAAM,OAAU;AAEjC,QAAI;AACF,SAAI,qBACF,YAEA,wBAAwB,WAAW,IAAI,wBAAwB,KAAK,yBACpE,WACD;aACM,OAAO;AACd,WAAM,IAAI,+BACR;MACE,OAAO,iBAAiB;MACxB,mBAAmB;MACpB,EACD,EAAE,OAAO,OAAO,CACjB;;AAUH,kBAAc;KACZ;KACA,aATkB,kDAElB,wBAAwB,WAAW,IAAI,wBAAwB,KAAK,yBACpE,YACA,WACD;KAKC,eAAe;KACf;KACD;;AAGH,qBAAkB,MAAM,KAAK,2BAA2B,cAAc;IACpE;IACA,MAAM;IACN,sBAAsB;IACvB,CAAC;WACK,OAAO;AACd,UAAO,oBAAoB,eAAe,MAAM;AAChD,SAAM,KAAK,YAAY,cAAc,OAAO,qBAAqB,kCAAkC,MAAM;AACzG,SAAM;;AAGR,SAAO,oBAAoB,+BAA+B,OAAO;AACjE,QAAM,KAAK,YAAY,cAAc,OAAO,qBAAqB,kCAAkC,iBAAiB;AAEpH,SAAO;GACL,sBAAsB;GACtB,MAAM;GACN;GACA,qBAAqB,OAAO;GAC7B;;;;;;CAOH,AAAQ,mCACN,cACmF;AACnF,MAAI,OAAO,iBAAiB,SAAU,QAAO,YAAY;AACzD,MAAI,aAAa,SAAS,IAAI,CAAE,QAAO,YAAY;AACnD,MAAI,IAAI,OAAO,KAAK,aAAa,CAAE,QAAO,YAAY;AAGtD,SAAO,YAAY;;CAGrB,MAAa,iCACX,cACA,qBACiD;AACjD,sBAAoB,YAAY,kCAAkC,iBAAiB;AAEnF,MAAI,CAAC,oBAAoB,6BACvB,OAAM,IAAI,WAAW,uEAAuE;EAG9F,MAAM,8BAA8B,oBAAoB;EACxD,MAAM,wCAAwC,oBAAoB;EAGlE,MAAM,SAFoB,KAAK,qBAAqB,aAAa,CAEhC,8CAA8C;GAC7E,6BAA6B,oBAAoB;GACjD,8BAA8B;GAC/B,CAAC;EAEF,IAAIC;EACJ,MAAM,OACJ,OAAO,SAAS,SACZ,MAAM,KAAK,wBACT,cACA,4BAA4B,YAC5B,OAAO,KAAK,cACb,GACD;AAEN,MAAI,OAAO,SAAS,OAAO;GACzB,MAAM,yBACJ,4BAA4B;GAC9B,MAAM,aAAa,sCAAsC;AAIzD,OAAI,CAAC,WACH,OAAM,IAAI,WAAW,kDAAkD;GAGzE,MAAM,0BAA0B,OAAO,IAAI,cAAc,KAAK,iBAC5D,KAAK,mBAAmB,cAAc;IACpC;IACA,QAAQ,KAAK,mCAAmC,aAAa;IAC9D,CAAC,CACH;AAED,0BAAuB;IACrB,YAAY;IACZ;IACA,eAAe;IACf,aAAa,kDAEX,wBAAwB,WAAW,IAAI,wBAAwB,KAAK,yBACpE,YACA,uBACD;IACF;;AAGH,MAAI,CAAC,wBAAwB,CAAC,KAC5B,OAAM,IAAI,WAAW,yDAAyD;EAGhF,MAAM,kBAAkB,MAAM,KAAK,2BAA2B,cAAc;GAC1E,sBAAsB;GACtB;GACA;GACD,CAAC;AAEF,SAAO;GACL;GACA;GACA;GACA;GACD;;CAGH,MAAc,2BACZ,cACA,EACE,sBACA,sBACA,QAM4E;AAC9E,MAAI,CAAC,qBAAqB,iBAAkB,QAAO;EAEnD,MAAM,oBAAoB,KAAK,qBAAqB,aAAa;EACjE,MAAMC,mCAAqE,EAAE;EAG7E,MAAM,iBAAiB,OACnB,OAAO,QAAQ,KAAK,cAAc,GACjC,sBAAsB,YAAY,KAChC,eAAe,CAAC,WAAW,WAAW,IAAI,CAAC,WAAW,aAAa,CAAC,CACtE,IAAI,EAAE;AAEX,OAAK,MAAM,CAAC,cAAc,kBAAkB,gBAAgB;GAE1D,MAAM,wBAAwB,cAAc,KAAK,iBAC/C,aAAa,gBAAgB,YAAY,UAAU,gCAAgC,aAAa,GAAG,OACpG;GAED,MAAM,eAAe,sBAAsB,OAAO;AAClD,OAAI,CAAC,sBAAsB,OAAO,SAAU,eAAe,SAAS,SAAY,SAAS,OAAW,CAClG,OAAM,IAAI,+BAA+B;IACvC,OAAO,iBAAiB;IACxB,mBAAmB,6DAA6D,aAAa;IAC9F,CAAC;AAGJ,OAAI,CAAC,aAAc;AAEnB,oCAAiC,gBAAgB;;AAWnD,UALwB,MAAM,kBAAkB,sBAAsB;GACpE,aAAa;GACb,iBAAiB,qBAAqB;GACvC,CAAC,EAEqB,KAAK,EAAE,cAAc,sBAAsB,qBAAqB;GACrF;GACA,SAAS,qBAAqB;GAC9B,SAAS,qBAAqB;GAC9B,sBAAsB,qBAAqB;GAC3C,eAAe,cAAc,KAAK,kBAAkB;IAClD,uBAAuB,aAAa;IACpC,MAAM,aAAa;IAEnB,SAAS,aAAa;IACvB,EAAE;GACJ,EAAE;;CAGL,MAAa,gBAAgB,cAA4B;AACvD,SAAO,KAAK,4BAA4B,OAAO,aAAa;;CAG9D,MAAa,wBAAwB,cAA4B,YAAoB;AACnF,SAAO,KAAK,4BAA4B,gBAAgB,cAAc,WAAW;;CAGnF,MAAa,eAAe,cAA4B,UAAmC;AACzF,SAAO,KAAK,4BAA4B,OAAO,cAAc,SAAS;;CAGxE,MAAa,eAAe,cAA4B,SAA0C;EAChG,MAAM,oBAAoB,IAAI,wBAAwB;GACpD,YAAY,SAAS,cAAc,MAAM,MAAM;GAC/C,gBAAgB,SAAS;GAC1B,CAAC;AAEF,QAAM,KAAK,4BAA4B,KAAK,cAAc,kBAAkB;AAC5E,QAAM,oCAAoC,cAAc,kBAAkB,WAAW;AACrF,SAAO;;CAGT,MAAa,gCACX,cACA,OACA,cACA;AACA,SAAO,KAAK,uCAAuC,YAAY,cAAc,OAAO,aAAa;;CAGnG,MAAa,2BAA2B,cAA4B,uBAA+B;AACjG,SAAO,KAAK,uCAAuC,QAAQ,cAAc,sBAAsB;;CAGjG,MAAc,kBACZ,cACA,SAOyB;EACzB,MAAM,EAAE,cAAc,aAAa;EAEnC,MAAM,yBAAyB,aAAa,QAAQ,uBAAuB;EAC3E,MAAM,MAAM,aAAa,QAAQ,IAAI,iBAAiB;EACtD,MAAM,gBAAgB,mCAAmC,aAAa;EAItE,MAAM,oBAAoB,cAAc,OAAO,kCAAkC;EAIjF,MAAM,sBAAsB,uBAAuB;EAGnD,IAAIC;AAEJ,MAAI,mBAAmB,aAAa,CAElC,qBAAoB;GAAE,IADV,MAAM,IAAI,UAAU,EAAE,MAAM;IAAE,KAAK;IAAS,KAAK;IAAM,EAAE,CAAC,EACzC;GAAW,KAAK;GAAO;EAGtD,MAAMC,qBAQU,oBACZ;GACE,MAAM,EAAE,MAAM,CAAC,kBAAyB,EAAE;GAE1C,GAAI,QAAQ,YAAY,OACpB,EACE,yCAAyC;IAAC;IAAW;IAAW;IAAgB,EACjF,GACD;IACE,sCAAsC;IAKtC,sCAAsC,QAAQ,YAAY,eAAe,YAAY;IACtF;GACN,GACD;EAEJ,MAAM,mBAAmB,IAAI,IAAI,QAAQ,WAAW,YAAY,KAAK,MAAM,EAAE,OAAO,CAAC;AAErF,SAAO;GACL,GAAG;GACH,GAAG,SAAS;GACZ,0BAA0B,CAAC,WAAW;GAItC,GAAI,QAAQ,YAAY,OACpB,EACE,sBAAsB;IACpB,GAAI,iBAAiB,IAAI,YAAY,GACjC,EACE,aAAa;KACX,qBAAqB;KACrB,qBAAqB;KACtB,EACF,GACD,EAAE;IAEN,GAAI,iBAAiB,IAAI,WAAW,GAChC,EACE,UAAU;KAER,uBAAuB;MAAa;MAAgB;MAAmB;MAAI;KAC3E,uBAAuB;MAAa;MAAgB;MAAmB;MAAI;KAC5E,EACF,GACD,EAAE;IAEN,GAAI,iBAAiB,IAAI,cAAc,GACnC,EACE,aAAa,EACX,YAAY,eACb,EACF,GACD,EAAE;IAEN,GAAI,iBAAiB,IAAI,SAAS,GAC9B,EACE,QAAQ,EACN,mBAAmB,qBACpB,EACF,GACD,EAAE;IACP,EACF,GACD,EACE,YAAY;IACV,UAAU,EACR,KAAK,mBACN;IACD,QAAQ,EACN,KAAK,eACN;IACD,aAAa,EACX,KAAK,eACN;IACD,aAAa,EACX,KAAK,eACN;IACD,QAAQ,EACN,KAAK,eACN;IACD,QAAQ,EACN,YAAY,qBACb;IACD,QAAQ,EACN,YAAY,qBACb;IACD,aAAa;KACX,qBAAqB;KACrB,qBAAqB;KACtB;IACD,aAAa;KACX,qBAAqB;KACrB,qBAAqB;KACtB;IACF,EACF;GACN;;CAGH,AAAQ,mBACN,cACA,SAIwB;EACxB,MAAM,EAAE,cAAc,WAAW;AAEjC,MAAI,WAAW,YAAY,SAAS;AAClC,OAAI,OAAO,iBAAiB,SAC1B,OAAM,IAAI,WAAW,sCAAsC,OAAO,uBAAuB;AAK3F,UAHmB,aAAa,kBAAkB,QAAQ,WAAW,CAE1C,YAAY,aAAa;;AAGtD,MAAI,WAAW,YAAY,SAAS;AAClC,OAAI,OAAO,iBAAiB,SAC1B,OAAM,IAAI,WAAW,sCAAsC,OAAO,uBAAuB;AAG3F,UAD2B,mBAAmB,cAAc,aAAa;;AAG3E,MAAI,WAAW,YAAY,OAAO;AAChC,OAAI,OAAO,iBAAiB,SAC1B,OAAM,IAAI,WAAW,sCAAsC,OAAO,uBAAuB;AAE3F,UAAO,6BAA6B,kBAAkB,aAAa;;AAErE,MAAI,WAAW,YAAY,YAAY;AACrC,OAAI,OAAO,iBAAiB,SAC1B,OAAM,IAAI,WAAW,sCAAsC,OAAO,uBAAuB;AAE3F,UAAO,iCAAiC,YAAY,aAAa;;AAGnE,SAAO,gBAAgB,SAAS,cAAc,gCAAgC;;CAGhF,MAAc,mBACZ,cACA,SAoBA;EACA,MAAM,aAAa,aAAa,kBAAkB,QAAQ,iBAAiB;EAC3E,MAAM,aAAa,aAAa,kBAAkB,QAAQ,WAAW;EAErE,MAAM,EAAE,cAAc,WAAW;AAEjC,MAAI;AACF,QAAK,OAAO,MAAM,yBAAyB,gBAAgB,OAAO,aAAa,CAAC;GAEhF,IAAIC;GACJ,IAAIC;GACJ,IAAIC;AAEJ,OAAI,WAAW,YAAY,SAAS;AAClC,QAAI,OAAO,iBAAiB,SAC1B,OAAM,IAAI,WAAW,sCAAsC,OAAO,uBAAuB;IAG3F,MAAM,UAAU,WAAW,YAAY,aAAa;IAEpD,MAAM,mBAAmB,+BADb,IAAI,kBAAkB,aAAa,MAAM,IAAI,CAAC,GAAG,CACD;IAE5D,IAAIC;AACJ,QAAI,oBAAoB,WAAW,sCACjC,uBAAsB,MAAM,WAAW,sCAAsC,cAAc;KACzF;KACA,cAAc;MACZ,MAAM;MACN,YAAY;MACZ,gCAAgC,QAAQ;MACzC;KACF,CAAC;AAGJ,QAAI,CAAC,oBAEH,uBAAsB,WAAW,uBAAuB,EAAE;IAG5D,MAAM,qBAAqB,MAAM,WAAW,OAAO;KACjD,gBAAgB;KAChB,YAAY;MACV,UAAU,QAAQ;MAClB,OAAO,QAAQ;MAChB;KACD;KACD,CAAC;AAEF,cAAU,mBAAmB;AAC7B,YAAQ,mBAAmB,UAAU,SAAY,mBAAmB;AACpE,6BAAyB;cAChB,WAAW,YAAY,SAAS;AACzC,QAAI,OAAO,iBAAiB,SAC1B,OAAM,IAAI,WAAW,mEAAmE;IAE1F,MAAM,qBAAqB,mBAAmB,cAAc,aAAa;AACzE,QAAI,mBAAmB,UAAU,WAAW,EAC1C,OAAM,IAAI,WAAW,kDAAkD;IAGzE,MAAM,kBAAkB,mBAAmB,kCAAkC;AAE7E,SAAK,MAAM,uBAAuB,gBAAgB,MAAM,EAAE;KACxD,MAAMC,uBAAqB,gBAAgB;KAE3C,MAAM,WAAWA,qBAAmB,UAAU;KAC9C,MAAM,mBAAmB,SAAS,6BAA6B,KAAK,SAClE,gBAAgB,mBAAmB,KAAK,CACzC;KAED,MAAM,sBAAsB,MAAM,WAAW,wCAAwC,cAAc;MACjG;MACA,cAAc;OACZ,MAAM;OACN,YAAY;OACZ,gCAAgC,QAAQ;OACzC;MACF,CAAC;KAEF,IAAIC;AACJ,SAAI,QAAQ,UAAU,QAAQ,YAAY,KACxC,4BAA2B;MACzB,MAAM;MACN,wBAAwB,QAAQ;MAChC,QAAQ,QAAQ;MAChB,eAAe,QAAQ;MACxB;cACQ,QAAQ,OACjB,4BAA2B;MACzB,MAAM;MACN,UAAU,QAAQ;MAClB,wBAAwB,QAAQ;MAChC,QAAQ,QAAQ;MACjB;cACQ,QAAQ,YAAY,MAAM;AACnC,UAAI,CAAC,QAAQ,YACX,OAAM,IAAI,WAAW,4EAA4E;AAGnG,iCAA2B;OACzB,MAAM;OACN,UAAU,QAAQ;OAClB,aAAa,QAAQ;OACrB,wBAAwB,QAAQ;OAChC,eAAe,QAAQ;OACxB;YACI;AACL,UAAI,CAAC,QAAQ,sBAAsB,CAAC,QAAQ,YAC1C,OAAM,IAAI,WACR,oGACD;AAGH,iCAA2B;OACzB,MAAM;OACN,UAAU,QAAQ;OAClB,oBAAoB,QAAQ;OAC5B,aAAa,QAAQ;OACrB,wBAAwB,QAAQ;OACjC;;AAGH,WAAMD,qBAAmB,OAAO,cAAc;MAC5C;MACA;MACD,CAAC;;AAIJ,cAAU;AACV,6BAAyB;cAChB,WAAW,YAAY,OAAO;AACvC,QAAI,OAAO,iBAAiB,SAC1B,OAAM,IAAI,WAAW,sCAAsC,OAAO,uBAAuB;AAG3F,6BAAyB,6BAA6B,kBAAkB,aAAa;IACrF,MAAM,qBAAqB,MAAM,KAAK,qBAAqB,mBAAmB,cAAc;KAC1F;KACA,WAAW,QAAQ;KACnB,QAAQ,QAAQ;KACjB,CAAC;AAEF,cAAU,mBAAmB;AAC7B,YAAQ,mBAAmB;cAClB,WAAW,YAAY,YAAY;AAC5C,QAAI,OAAO,iBAAiB,SAC1B,OAAM,IAAI,WAAW,sCAAsC,OAAO,uBAAuB;AAG3F,6BAAyB,iCAAiC,YAAY,aAAa;IACnF,MAAM,qBAAqB,MAAM,KAAK,uBAAuB,mBAAmB,cAAc;KAC5F,cAAc;KACd,WAAW,QAAQ;KACnB,QAAQ,QAAQ;KACjB,CAAC;AAEF,cAAU,mBAAmB;AAC7B,YAAQ,mBAAmB;UACtB;AACL,6BAAyB,gBAAgB,SAAS,cAAc,gCAAgC;IAChG,MAAM,qBAAqB,MAAM,KAAK,qBAAqB,mBAAmB,cAAc;KAC1F,cAAc;KACd,WAAW,QAAQ;KACnB,QAAQ,QAAQ;KACjB,CAAC;AAEF,cAAU,mBAAmB;AAC7B,YAAQ,mBAAmB;;AAG7B,OAAI,CAAC,QACH,OAAM,IAAI,WAAW,qDAAqD,QAAQ,IAAI,MAAM,YAAY,MAAM,EAC5G,OACD,CAAC;AAGJ,UAAO;IACL,UAAU;IACV,cAAc;IACf;WACM,OAAO;AACd,gBAAa,OAAO,OAAO,KAAK,sDAAsD,EACpF,OACD,CAAC;AACF,UAAO;IACL,UAAU;IACV,QAAQ,MAAM;IACf;;;;;;;CAQL,MAAa,YACX,cACA,qBACA,UACA;AACA,eAAa,OAAO,OAAO,MACzB,kDAAkD,oBAAoB,GAAG,YAAY,SAAS,aAAa,oBAAoB,MAAM,GACtI;EAED,MAAM,gBAAgB,oBAAoB;AAC1C,sBAAoB,QAAQ;AAC5B,QAAM,KAAK,uCAAuC,OAAO,cAAc,oBAAoB;AAE3F,OAAK,sBAAsB,cAAc,qBAAqB,cAAc;;CAG9E,AAAU,sBACR,cACA,qBACA,eACA;AAGA,EAFqB,aAAa,kBAAkB,QAAQ,aAAa,CAE5D,KAAoD,cAAc;GAC7E,MAAM,wBAAwB;GAC9B,SAAS;IACP,qBAAqB,oBAAoB,OAAO;IAChD;IACD;GACF,CAAC;;;;CA9sCL,YAAY;oBAGR,OAAO,iBAAiB,OAAO"}
package/build/openid4vc-verifier/OpenId4VpVerifierServiceOptions.d.mts CHANGED
@@ -1,6 +1,6 @@
1
1
  import { OpenId4VcIssuerX5c, OpenId4VcJwtIssuerDid } from "../shared/models/OpenId4VcJwtIssuer.mjs";
2
- import { OpenId4VcVerifierRecordProps } from "./repository/OpenId4VcVerifierRecord.mjs";
3
2
  import { OpenId4VcVerificationSessionRecord } from "./repository/OpenId4VcVerificationSessionRecord.mjs";
3
+ import { OpenId4VcVerifierRecordProps } from "./repository/OpenId4VcVerifierRecord.mjs";
4
4
  import { DcqlPresentation, DcqlPresentationResult, DcqlQuery, DifPexPresentationWithDescriptor, DifPresentationExchangeDefinition, DifPresentationExchangeDefinitionV2, DifPresentationExchangeSubmission, HashName, VerifiablePresentation } from "@credo-ts/core";
5
5
  import { TransactionDataEntry, VerifierAttestations, createOpenid4vpAuthorizationRequest } from "@openid4vc/openid4vp";
6
6
  import { NonEmptyArray } from "@openid4vc/utils";
package/build/openid4vc-verifier/OpenId4VpVerifierServiceOptions.d.ts CHANGED
@@ -1,6 +1,6 @@
1
1
  import { OpenId4VcIssuerX5c, OpenId4VcJwtIssuerDid } from "../shared/models/OpenId4VcJwtIssuer.js";
2
- import { OpenId4VcVerifierRecordProps } from "./repository/OpenId4VcVerifierRecord.js";
3
2
  import { OpenId4VcVerificationSessionRecord } from "./repository/OpenId4VcVerificationSessionRecord.js";
3
+ import { OpenId4VcVerifierRecordProps } from "./repository/OpenId4VcVerifierRecord.js";
4
4
  import { DcqlPresentation, DcqlPresentationResult, DcqlQuery, DifPexPresentationWithDescriptor, DifPresentationExchangeDefinition, DifPresentationExchangeDefinitionV2, DifPresentationExchangeSubmission, HashName, VerifiablePresentation } from "@credo-ts/core";
5
5
  import { TransactionDataEntry, VerifierAttestations, createOpenid4vpAuthorizationRequest } from "@openid4vc/openid4vp";
6
6
  import { NonEmptyArray } from "@openid4vc/utils";
package/build/openid4vc-verifier/index.js CHANGED
@@ -1,10 +1,10 @@
1
- const require_OpenId4VcVerifierModuleConfig = require('./OpenId4VcVerifierModuleConfig.js');
2
1
  const require_OpenId4VcVerificationSessionState = require('./OpenId4VcVerificationSessionState.js');
2
+ const require_OpenId4VcVerifierModuleConfig = require('./OpenId4VcVerifierModuleConfig.js');
3
3
  const require_OpenId4VcVerifierEvents = require('./OpenId4VcVerifierEvents.js');
4
- const require_OpenId4VcVerifierRecord = require('./repository/OpenId4VcVerifierRecord.js');
5
- const require_OpenId4VcVerifierRepository = require('./repository/OpenId4VcVerifierRepository.js');
6
4
  const require_OpenId4VcVerificationSessionRecord = require('./repository/OpenId4VcVerificationSessionRecord.js');
7
5
  const require_OpenId4VcVerificationSessionRepository = require('./repository/OpenId4VcVerificationSessionRepository.js');
6
+ const require_OpenId4VcVerifierRecord = require('./repository/OpenId4VcVerifierRecord.js');
7
+ const require_OpenId4VcVerifierRepository = require('./repository/OpenId4VcVerifierRepository.js');
8
8
  require('./repository/index.js');
9
9
  const require_OpenId4VpVerifierService = require('./OpenId4VpVerifierService.js');
10
10
  const require_OpenId4VcVerifierApi = require('./OpenId4VcVerifierApi.js');
package/build/openid4vc-verifier/index.mjs CHANGED
@@ -1,10 +1,10 @@
1
- import { OpenId4VcVerifierModuleConfig } from "./OpenId4VcVerifierModuleConfig.mjs";
2
1
  import { OpenId4VcVerificationSessionState } from "./OpenId4VcVerificationSessionState.mjs";
2
+ import { OpenId4VcVerifierModuleConfig } from "./OpenId4VcVerifierModuleConfig.mjs";
3
3
  import { OpenId4VcVerifierEvents } from "./OpenId4VcVerifierEvents.mjs";
4
- import { OpenId4VcVerifierRecord } from "./repository/OpenId4VcVerifierRecord.mjs";
5
- import { OpenId4VcVerifierRepository } from "./repository/OpenId4VcVerifierRepository.mjs";
6
4
  import { OpenId4VcVerificationSessionRecord } from "./repository/OpenId4VcVerificationSessionRecord.mjs";
7
5
  import { OpenId4VcVerificationSessionRepository } from "./repository/OpenId4VcVerificationSessionRepository.mjs";
6
+ import { OpenId4VcVerifierRecord } from "./repository/OpenId4VcVerifierRecord.mjs";
7
+ import { OpenId4VcVerifierRepository } from "./repository/OpenId4VcVerifierRepository.mjs";
8
8
  import "./repository/index.mjs";
9
9
  import { OpenId4VpVerifierService } from "./OpenId4VpVerifierService.mjs";
10
10
  import { OpenId4VcVerifierApi } from "./OpenId4VcVerifierApi.mjs";
package/build/openid4vc-verifier/repository/OpenId4VcVerificationSessionRecord.d.mts CHANGED
@@ -1,6 +1,6 @@
1
1
  import { OpenId4VpAuthorizationRequestPayload, OpenId4VpAuthorizationResponsePayload } from "../../shared/models/index.mjs";
2
- import { OpenId4VpVersion } from "../OpenId4VpVerifierServiceOptions.mjs";
3
2
  import { OpenId4VcVerificationSessionState } from "../OpenId4VcVerificationSessionState.mjs";
3
+ import { OpenId4VpVersion } from "../OpenId4VpVerifierServiceOptions.mjs";
4
4
  import { BaseRecord, RecordTags, TagsBase } from "@credo-ts/core";
5
5
 
6
6
  //#region src/openid4vc-verifier/repository/OpenId4VcVerificationSessionRecord.d.ts
package/build/openid4vc-verifier/repository/OpenId4VcVerificationSessionRecord.d.mts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"OpenId4VcVerificationSessionRecord.d.mts","names":[],"sources":["../../../src/openid4vc-verifier/repository/OpenId4VcVerificationSessionRecord.ts"],"sourcesContent":[],"mappings":";;;;;;KAMY,sCAAA,GAAyC,WAAW;KAEpD,6CAAA;EAFA,UAAA,EAAA,MAAA;EAAsC,KAAA,EAIzC,iCAJyC;OAAc,EAAA,MAAA;cAAX,CAAA,EAAA,MAAA;EAAU,uBAAA,CAAA,EAAA,MAAA;EAEnD,sBAAA,CAAA,EAAA,MAAA;EAA6C,gBAAA,CAAA,EAOpC,gBAPoC;;AAOpC,UAGJ,uCAAA,CAHI;EAAgB,EAAA,CAAA,EAAA,MAAA;EAGpB,SAAA,CAAA,EAEH,IAFG;EAAuC,IAAA,CAAA,EAG/C,QAH+C;YAE1C,EAAA,MAAA;OACL,EAGA,iCAHA;cAGA,CAAA,EAAA,MAAA;yBAMuB,CAAA,EAAA,MAAA;yBAInB,CAAA,EAAA,MAAA;wBAEoB,EAAA,MAAA;6BAWb,CAAA,EAjBY,oCAiBZ;EAAgB,gCAAA,CAAA,EAAA,MAAA;EAGvB,SAAA,EAhBA,IAgBA;EAAmC,4BAAA,CAAA,EAdf,qCAce;;;;;mCAiE3B,CAAA,EAAA,MAAA;;;;kBAoDU,EAxHX,gBAwHW;;AAU0C,cA/H5D,kCAAA,SAA2C,UA+HiB,CA/HN,6CA+HM,CAAA,CAAA;;;;;;;;;;SAnHxD;;;;;;;;;;;;gCAesB;;;;;;;;;;;;;;;;;;;;;;;;;;;qBA8BX;;;;;;cAQP;;;;iCAKmB;;;;;;;;;;;;;qBAgBZ;0BAwBK;wBAOF;8BAUM,oCAAoC"}
1
+ {"version":3,"file":"OpenId4VcVerificationSessionRecord.d.mts","names":[],"sources":["../../../src/openid4vc-verifier/repository/OpenId4VcVerificationSessionRecord.ts"],"sourcesContent":[],"mappings":";;;;;;KAKY,sCAAA,GAAyC,WAAW;KAEpD,6CAAA;EAFA,UAAA,EAAA,MAAA;EAAsC,KAAA,EAIzC,iCAJyC;OAAc,EAAA,MAAA;cAAX,CAAA,EAAA,MAAA;EAAU,uBAAA,CAAA,EAAA,MAAA;EAEnD,sBAAA,CAAA,EAAA,MAAA;EAA6C,gBAAA,CAAA,EAOpC,gBAPoC;;AAOpC,UAGJ,uCAAA,CAHI;EAAgB,EAAA,CAAA,EAAA,MAAA;EAGpB,SAAA,CAAA,EAEH,IAFG;EAAuC,IAAA,CAAA,EAG/C,QAH+C;YAE1C,EAAA,MAAA;OACL,EAGA,iCAHA;cAGA,CAAA,EAAA,MAAA;yBAMuB,CAAA,EAAA,MAAA;yBAInB,CAAA,EAAA,MAAA;wBAEoB,EAAA,MAAA;6BAWb,CAAA,EAjBY,oCAiBZ;EAAgB,gCAAA,CAAA,EAAA,MAAA;EAGvB,SAAA,EAhBA,IAgBA;EAAmC,4BAAA,CAAA,EAdf,qCAce;;;;;mCAiE3B,CAAA,EAAA,MAAA;;;;kBAoDU,EAxHX,gBAwHW;;AAU0C,cA/H5D,kCAAA,SAA2C,UA+HiB,CA/HN,6CA+HM,CAAA,CAAA;;;;;;;;;;SAnHxD;;;;;;;;;;;;gCAesB;;;;;;;;;;;;;;;;;;;;;;;;;;;qBA8BX;;;;;;cAQP;;;;iCAKmB;;;;;;;;;;;;;qBAgBZ;0BAwBK;wBAOF;8BAUM,oCAAoC"}
package/build/openid4vc-verifier/repository/OpenId4VcVerificationSessionRecord.d.ts CHANGED
@@ -1,6 +1,6 @@
1
1
  import { OpenId4VpAuthorizationRequestPayload, OpenId4VpAuthorizationResponsePayload } from "../../shared/models/index.js";
2
- import { OpenId4VpVersion } from "../OpenId4VpVerifierServiceOptions.js";
3
2
  import { OpenId4VcVerificationSessionState } from "../OpenId4VcVerificationSessionState.js";
3
+ import { OpenId4VpVersion } from "../OpenId4VpVerifierServiceOptions.js";
4
4
  import { BaseRecord, RecordTags, TagsBase } from "@credo-ts/core";
5
5
 
6
6
  //#region src/openid4vc-verifier/repository/OpenId4VcVerificationSessionRecord.d.ts