@credo-ts/openid4vc 0.6.0-pr-2392-20251010173905 → 0.6.0-pr-2457-20251016083534

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (163) hide show
  1. package/build/OpenId4VcApi.d.mts +1 -1
  2. package/build/OpenId4VcApi.d.ts +1 -1
  3. package/build/OpenId4VcApi.js +2 -2
  4. package/build/OpenId4VcApi.mjs +2 -2
  5. package/build/OpenId4VcModule.d.mts +1 -1
  6. package/build/OpenId4VcModule.d.ts +1 -1
  7. package/build/OpenId4VcModule.js +2 -2
  8. package/build/OpenId4VcModule.mjs +2 -2
  9. package/build/OpenId4VcModuleConfig.js +1 -1
  10. package/build/OpenId4VcModuleConfig.mjs +1 -1
  11. package/build/index.d.mts +15 -14
  12. package/build/index.d.ts +15 -14
  13. package/build/index.js +22 -15
  14. package/build/index.mjs +18 -17
  15. package/build/openid4vc-holder/OpenId4VcHolderApi.d.mts.map +1 -1
  16. package/build/openid4vc-holder/OpenId4VcHolderApi.d.ts.map +1 -1
  17. package/build/openid4vc-holder/OpenId4VcHolderApi.mjs.map +1 -1
  18. package/build/openid4vc-holder/OpenId4VciHolderService.d.mts.map +1 -1
  19. package/build/openid4vc-holder/OpenId4VciHolderService.d.ts.map +1 -1
  20. package/build/openid4vc-holder/OpenId4VciHolderService.js +11 -8
  21. package/build/openid4vc-holder/OpenId4VciHolderService.mjs +11 -8
  22. package/build/openid4vc-holder/OpenId4VciHolderService.mjs.map +1 -1
  23. package/build/openid4vc-holder/OpenId4VciHolderServiceOptions.d.mts.map +1 -1
  24. package/build/openid4vc-holder/OpenId4VciHolderServiceOptions.d.ts.map +1 -1
  25. package/build/openid4vc-holder/OpenId4VciHolderServiceOptions.mjs.map +1 -1
  26. package/build/openid4vc-holder/OpenId4vpHolderService.d.mts.map +1 -1
  27. package/build/openid4vc-holder/OpenId4vpHolderService.d.ts.map +1 -1
  28. package/build/openid4vc-holder/OpenId4vpHolderService.js +4 -4
  29. package/build/openid4vc-holder/OpenId4vpHolderService.mjs +4 -4
  30. package/build/openid4vc-holder/OpenId4vpHolderService.mjs.map +1 -1
  31. package/build/openid4vc-issuer/OpenId4VcIssuerApi.d.mts +5 -214
  32. package/build/openid4vc-issuer/OpenId4VcIssuerApi.d.mts.map +1 -1
  33. package/build/openid4vc-issuer/OpenId4VcIssuerApi.d.ts +5 -214
  34. package/build/openid4vc-issuer/OpenId4VcIssuerApi.d.ts.map +1 -1
  35. package/build/openid4vc-issuer/OpenId4VcIssuerApi.js +1 -1
  36. package/build/openid4vc-issuer/OpenId4VcIssuerApi.mjs +1 -1
  37. package/build/openid4vc-issuer/OpenId4VcIssuerApi.mjs.map +1 -1
  38. package/build/openid4vc-issuer/OpenId4VcIssuerModule.d.mts.map +1 -1
  39. package/build/openid4vc-issuer/OpenId4VcIssuerModule.d.ts.map +1 -1
  40. package/build/openid4vc-issuer/OpenId4VcIssuerModule.js +7 -7
  41. package/build/openid4vc-issuer/OpenId4VcIssuerModule.mjs +7 -7
  42. package/build/openid4vc-issuer/OpenId4VcIssuerModule.mjs.map +1 -1
  43. package/build/openid4vc-issuer/OpenId4VcIssuerModuleConfig.d.mts.map +1 -1
  44. package/build/openid4vc-issuer/OpenId4VcIssuerModuleConfig.d.ts.map +1 -1
  45. package/build/openid4vc-issuer/OpenId4VcIssuerModuleConfig.mjs.map +1 -1
  46. package/build/openid4vc-issuer/OpenId4VcIssuerService.d.mts +8 -218
  47. package/build/openid4vc-issuer/OpenId4VcIssuerService.d.mts.map +1 -1
  48. package/build/openid4vc-issuer/OpenId4VcIssuerService.d.ts +8 -218
  49. package/build/openid4vc-issuer/OpenId4VcIssuerService.d.ts.map +1 -1
  50. package/build/openid4vc-issuer/OpenId4VcIssuerService.js +18 -18
  51. package/build/openid4vc-issuer/OpenId4VcIssuerService.mjs +19 -19
  52. package/build/openid4vc-issuer/OpenId4VcIssuerService.mjs.map +1 -1
  53. package/build/openid4vc-issuer/OpenId4VcIssuerServiceOptions.d.mts +1 -1
  54. package/build/openid4vc-issuer/OpenId4VcIssuerServiceOptions.d.ts +1 -1
  55. package/build/openid4vc-issuer/index.js +2 -2
  56. package/build/openid4vc-issuer/index.mjs +2 -2
  57. package/build/openid4vc-issuer/repository/OpenId4VcIssuanceSessionRecord.d.mts +1 -1
  58. package/build/openid4vc-issuer/repository/OpenId4VcIssuanceSessionRecord.d.mts.map +1 -1
  59. package/build/openid4vc-issuer/repository/OpenId4VcIssuanceSessionRecord.d.ts +1 -1
  60. package/build/openid4vc-issuer/repository/OpenId4VcIssuanceSessionRecord.d.ts.map +1 -1
  61. package/build/openid4vc-issuer/repository/OpenId4VcIssuanceSessionRecord.js +1 -1
  62. package/build/openid4vc-issuer/repository/OpenId4VcIssuanceSessionRecord.mjs +1 -1
  63. package/build/openid4vc-issuer/repository/OpenId4VcIssuanceSessionRecord.mjs.map +1 -1
  64. package/build/openid4vc-issuer/repository/OpenId4VcIssuanceSessionRepository.js +1 -1
  65. package/build/openid4vc-issuer/repository/OpenId4VcIssuanceSessionRepository.mjs +1 -1
  66. package/build/openid4vc-issuer/repository/OpenId4VcIssuanceSessionRepository.mjs.map +1 -1
  67. package/build/openid4vc-issuer/repository/OpenId4VcIssuerRecord.d.mts.map +1 -1
  68. package/build/openid4vc-issuer/repository/OpenId4VcIssuerRecord.d.ts.map +1 -1
  69. package/build/openid4vc-issuer/repository/OpenId4VcIssuerRecord.mjs.map +1 -1
  70. package/build/openid4vc-issuer/repository/OpenId4VcIssuerRepository.js +1 -1
  71. package/build/openid4vc-issuer/repository/OpenId4VcIssuerRepository.mjs +1 -1
  72. package/build/openid4vc-issuer/repository/OpenId4VcIssuerRepository.mjs.map +1 -1
  73. package/build/openid4vc-issuer/repository/index.js +2 -2
  74. package/build/openid4vc-issuer/repository/index.mjs +2 -2
  75. package/build/openid4vc-issuer/router/accessTokenEndpoint.js +3 -4
  76. package/build/openid4vc-issuer/router/accessTokenEndpoint.mjs +3 -4
  77. package/build/openid4vc-issuer/router/accessTokenEndpoint.mjs.map +1 -1
  78. package/build/openid4vc-issuer/router/authorizationChallengeEndpoint.js +5 -6
  79. package/build/openid4vc-issuer/router/authorizationChallengeEndpoint.mjs +6 -7
  80. package/build/openid4vc-issuer/router/authorizationChallengeEndpoint.mjs.map +1 -1
  81. package/build/openid4vc-issuer/router/authorizationServerMetadataEndpoint.mjs.map +1 -1
  82. package/build/openid4vc-issuer/router/credentialEndpoint.js +5 -6
  83. package/build/openid4vc-issuer/router/credentialEndpoint.mjs +5 -6
  84. package/build/openid4vc-issuer/router/credentialEndpoint.mjs.map +1 -1
  85. package/build/openid4vc-issuer/router/credentialOfferEndpoint.js +2 -4
  86. package/build/openid4vc-issuer/router/credentialOfferEndpoint.mjs +3 -4
  87. package/build/openid4vc-issuer/router/credentialOfferEndpoint.mjs.map +1 -1
  88. package/build/openid4vc-issuer/router/deferredCredentialEndpoint.js +2 -4
  89. package/build/openid4vc-issuer/router/deferredCredentialEndpoint.mjs +3 -4
  90. package/build/openid4vc-issuer/router/deferredCredentialEndpoint.mjs.map +1 -1
  91. package/build/openid4vc-issuer/router/index.js +4 -4
  92. package/build/openid4vc-issuer/router/index.mjs +4 -4
  93. package/build/openid4vc-issuer/router/issuerMetadataEndpoint.mjs.map +1 -1
  94. package/build/openid4vc-issuer/router/jwksEndpoint.mjs.map +1 -1
  95. package/build/openid4vc-issuer/router/nonceEndpoint.mjs.map +1 -1
  96. package/build/openid4vc-verifier/OpenId4VcVerifierApi.d.mts +1 -1
  97. package/build/openid4vc-verifier/OpenId4VcVerifierApi.d.mts.map +1 -1
  98. package/build/openid4vc-verifier/OpenId4VcVerifierApi.d.ts +1 -1
  99. package/build/openid4vc-verifier/OpenId4VcVerifierApi.d.ts.map +1 -1
  100. package/build/openid4vc-verifier/OpenId4VcVerifierApi.js +1 -1
  101. package/build/openid4vc-verifier/OpenId4VcVerifierApi.mjs +1 -1
  102. package/build/openid4vc-verifier/OpenId4VcVerifierApi.mjs.map +1 -1
  103. package/build/openid4vc-verifier/OpenId4VcVerifierModule.d.mts.map +1 -1
  104. package/build/openid4vc-verifier/OpenId4VcVerifierModule.d.ts.map +1 -1
  105. package/build/openid4vc-verifier/OpenId4VcVerifierModule.js +2 -2
  106. package/build/openid4vc-verifier/OpenId4VcVerifierModule.mjs +2 -2
  107. package/build/openid4vc-verifier/OpenId4VcVerifierModule.mjs.map +1 -1
  108. package/build/openid4vc-verifier/OpenId4VpVerifierService.d.mts +3 -3
  109. package/build/openid4vc-verifier/OpenId4VpVerifierService.d.mts.map +1 -1
  110. package/build/openid4vc-verifier/OpenId4VpVerifierService.d.ts +3 -3
  111. package/build/openid4vc-verifier/OpenId4VpVerifierService.d.ts.map +1 -1
  112. package/build/openid4vc-verifier/OpenId4VpVerifierService.js +17 -17
  113. package/build/openid4vc-verifier/OpenId4VpVerifierService.mjs +17 -17
  114. package/build/openid4vc-verifier/OpenId4VpVerifierService.mjs.map +1 -1
  115. package/build/openid4vc-verifier/OpenId4VpVerifierServiceOptions.d.mts +1 -1
  116. package/build/openid4vc-verifier/OpenId4VpVerifierServiceOptions.d.ts +1 -1
  117. package/build/openid4vc-verifier/index.js +3 -3
  118. package/build/openid4vc-verifier/index.mjs +3 -3
  119. package/build/openid4vc-verifier/repository/OpenId4VcVerificationSessionRecord.d.mts +1 -1
  120. package/build/openid4vc-verifier/repository/OpenId4VcVerificationSessionRecord.d.mts.map +1 -1
  121. package/build/openid4vc-verifier/repository/OpenId4VcVerificationSessionRecord.d.ts +1 -1
  122. package/build/openid4vc-verifier/repository/OpenId4VcVerificationSessionRecord.d.ts.map +1 -1
  123. package/build/openid4vc-verifier/repository/OpenId4VcVerificationSessionRecord.mjs.map +1 -1
  124. package/build/openid4vc-verifier/repository/OpenId4VcVerificationSessionRepository.js +1 -1
  125. package/build/openid4vc-verifier/repository/OpenId4VcVerificationSessionRepository.mjs +1 -1
  126. package/build/openid4vc-verifier/repository/OpenId4VcVerificationSessionRepository.mjs.map +1 -1
  127. package/build/openid4vc-verifier/repository/OpenId4VcVerifierRecord.d.mts.map +1 -1
  128. package/build/openid4vc-verifier/repository/OpenId4VcVerifierRecord.d.ts.map +1 -1
  129. package/build/openid4vc-verifier/repository/OpenId4VcVerifierRecord.mjs.map +1 -1
  130. package/build/openid4vc-verifier/repository/OpenId4VcVerifierRepository.js +1 -1
  131. package/build/openid4vc-verifier/repository/OpenId4VcVerifierRepository.mjs +1 -1
  132. package/build/openid4vc-verifier/repository/OpenId4VcVerifierRepository.mjs.map +1 -1
  133. package/build/openid4vc-verifier/repository/index.js +2 -2
  134. package/build/openid4vc-verifier/repository/index.mjs +2 -2
  135. package/build/openid4vc-verifier/router/authorizationEndpoint.js +1 -1
  136. package/build/openid4vc-verifier/router/authorizationEndpoint.mjs +1 -1
  137. package/build/openid4vc-verifier/router/authorizationEndpoint.mjs.map +1 -1
  138. package/build/openid4vc-verifier/router/authorizationRequestEndpoint.js +1 -1
  139. package/build/openid4vc-verifier/router/authorizationRequestEndpoint.mjs +1 -1
  140. package/build/openid4vc-verifier/router/authorizationRequestEndpoint.mjs.map +1 -1
  141. package/build/shared/callbacks.d.mts +46 -0
  142. package/build/shared/callbacks.d.mts.map +1 -0
  143. package/build/shared/callbacks.d.ts +46 -0
  144. package/build/shared/callbacks.d.ts.map +1 -0
  145. package/build/shared/callbacks.js +5 -1
  146. package/build/shared/callbacks.mjs +1 -1
  147. package/build/shared/callbacks.mjs.map +1 -1
  148. package/build/shared/index.js +2 -1
  149. package/build/shared/index.mjs +2 -1
  150. package/build/shared/issuerMetadataUtils.d.mts +2 -258
  151. package/build/shared/issuerMetadataUtils.d.mts.map +1 -1
  152. package/build/shared/issuerMetadataUtils.d.ts +2 -258
  153. package/build/shared/issuerMetadataUtils.d.ts.map +1 -1
  154. package/build/shared/issuerMetadataUtils.mjs.map +1 -1
  155. package/build/shared/models/index.d.ts +1 -1
  156. package/build/shared/router/context.mjs.map +1 -1
  157. package/build/shared/router/index.js +1 -1
  158. package/build/shared/router/index.mjs +1 -1
  159. package/build/shared/router/tenants.mjs.map +1 -1
  160. package/build/shared/utils.js +0 -8
  161. package/build/shared/utils.mjs +1 -7
  162. package/build/shared/utils.mjs.map +1 -1
  163. package/package.json +8 -8
package/build/openid4vc-holder/OpenId4VciHolderService.js CHANGED
@@ -1,13 +1,13 @@
1
1
  const require_rolldown_runtime = require('../_virtual/rolldown_runtime.js');
2
- const require_OpenId4VciCredentialFormatProfile = require('../shared/models/OpenId4VciCredentialFormatProfile.js');
3
- const require_issuerMetadataUtils = require('../shared/issuerMetadataUtils.js');
4
- require('../shared/index.js');
5
2
  const require_utils = require('../shared/utils.js');
6
3
  const require_callbacks = require('../shared/callbacks.js');
7
- const require_OpenId4VciHolderServiceOptions = require('./OpenId4VciHolderServiceOptions.js');
8
4
  const require_decorateMetadata = require('../_virtual/_@oxc-project_runtime@0.94.0/helpers/decorateMetadata.js');
9
- const require_decorateParam = require('../_virtual/_@oxc-project_runtime@0.94.0/helpers/decorateParam.js');
10
5
  const require_decorate = require('../_virtual/_@oxc-project_runtime@0.94.0/helpers/decorate.js');
6
+ const require_decorateParam = require('../_virtual/_@oxc-project_runtime@0.94.0/helpers/decorateParam.js');
7
+ const require_issuerMetadataUtils = require('../shared/issuerMetadataUtils.js');
8
+ const require_OpenId4VciCredentialFormatProfile = require('../shared/models/OpenId4VciCredentialFormatProfile.js');
9
+ require('../shared/index.js');
10
+ const require_OpenId4VciHolderServiceOptions = require('./OpenId4VciHolderServiceOptions.js');
11
11
  let __credo_ts_core = require("@credo-ts/core");
12
12
  __credo_ts_core = require_rolldown_runtime.__toESM(__credo_ts_core);
13
13
  let __openid4vc_oauth2 = require("@openid4vc/oauth2");
@@ -115,10 +115,13 @@ let OpenId4VciHolderService = class OpenId4VciHolderService$1 {
115
115
  nonce
116
116
  };
117
117
  }
118
- const alg = dpopSigningAlgValuesSupported.find((alg$1) => {
118
+ const alg = dpopSigningAlgValuesSupported.find((algorithm) => {
119
119
  try {
120
- __credo_ts_core.Kms.PublicJwk.supportedPublicJwkClassForSignatureAlgorithm(alg$1);
121
- return true;
120
+ __credo_ts_core.Kms.PublicJwk.supportedPublicJwkClassForSignatureAlgorithm(algorithm);
121
+ return kms.supportedBackendsForOperation({
122
+ operation: "sign",
123
+ algorithm
124
+ }).length > 0;
122
125
  } catch {
123
126
  return false;
124
127
  }
package/build/openid4vc-holder/OpenId4VciHolderService.mjs CHANGED
@@ -1,12 +1,12 @@
1
- import { OpenId4VciCredentialFormatProfile } from "../shared/models/OpenId4VciCredentialFormatProfile.mjs";
2
- import { getOfferedCredentials, getScopesFromCredentialConfigurationsSupported } from "../shared/issuerMetadataUtils.mjs";
3
- import "../shared/index.mjs";
4
1
  import { getSupportedJwaSignatureAlgorithms } from "../shared/utils.mjs";
5
2
  import { getOid4vcCallbacks } from "../shared/callbacks.mjs";
6
- import { openId4VciSupportedCredentialFormats } from "./OpenId4VciHolderServiceOptions.mjs";
7
3
  import { __decorateMetadata } from "../_virtual/_@oxc-project_runtime@0.94.0/helpers/decorateMetadata.mjs";
8
- import { __decorateParam } from "../_virtual/_@oxc-project_runtime@0.94.0/helpers/decorateParam.mjs";
9
4
  import { __decorate } from "../_virtual/_@oxc-project_runtime@0.94.0/helpers/decorate.mjs";
5
+ import { __decorateParam } from "../_virtual/_@oxc-project_runtime@0.94.0/helpers/decorateParam.mjs";
6
+ import { getOfferedCredentials, getScopesFromCredentialConfigurationsSupported } from "../shared/issuerMetadataUtils.mjs";
7
+ import { OpenId4VciCredentialFormatProfile } from "../shared/models/OpenId4VciCredentialFormatProfile.mjs";
8
+ import "../shared/index.mjs";
9
+ import { openId4VciSupportedCredentialFormats } from "./OpenId4VciHolderServiceOptions.mjs";
10
10
  import { AgentContext, CredoError, DidsApi, InjectionSymbols, Kms, Mdoc, MdocApi, SdJwtVcApi, SignatureSuiteRegistry, W3cCredentialService, W3cJsonLdVerifiableCredential, W3cJwtVerifiableCredential, W3cV2CredentialService, W3cV2SdJwtVerifiableCredential, inject, injectable, parseDid, replaceError } from "@credo-ts/core";
11
11
  import { Oauth2Client, authorizationCodeGrantIdentifier, clientAuthenticationAnonymous, clientAuthenticationClientAttestationJwt, clientAuthenticationNone, getAuthorizationServerMetadataFromList, preAuthorizedCodeGrantIdentifier, refreshTokenGrantIdentifier } from "@openid4vc/oauth2";
12
12
  import { AuthorizationFlow, Openid4vciClient, Openid4vciDraftVersion, Openid4vciRetrieveCredentialsError, determineAuthorizationServerForCredentialOffer, parseKeyAttestationJwt } from "@openid4vc/openid4vci";
@@ -111,10 +111,13 @@ let OpenId4VciHolderService = class OpenId4VciHolderService$1 {
111
111
  nonce
112
112
  };
113
113
  }
114
- const alg = dpopSigningAlgValuesSupported.find((alg$1) => {
114
+ const alg = dpopSigningAlgValuesSupported.find((algorithm) => {
115
115
  try {
116
- Kms.PublicJwk.supportedPublicJwkClassForSignatureAlgorithm(alg$1);
117
- return true;
116
+ Kms.PublicJwk.supportedPublicJwkClassForSignatureAlgorithm(algorithm);
117
+ return kms.supportedBackendsForOperation({
118
+ operation: "sign",
119
+ algorithm
120
+ }).length > 0;
118
121
  } catch {
119
122
  return false;
120
123
  }
package/build/openid4vc-holder/OpenId4VciHolderService.mjs.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"OpenId4VciHolderService.mjs","names":["OpenId4VciHolderService","logger: Logger","alg","receivedCredentials: Array<OpenId4VciCredentialResponse>","deferredCredentials: Array<OpenId4VciDeferredCredentialResponse>","deferredCredential: OpenId4VciDeferredCredentialResponse","algorithm","proofTypes: OpenId4VciProofOfPossessionRequirements['proofTypes']","signatureAlgorithms: Kms.KnownJwaSignatureAlgorithm[]","result"],"sources":["../../src/openid4vc-holder/OpenId4VciHolderService.ts"],"sourcesContent":["import { AgentContext, DidsApi, W3cV2CredentialService, W3cV2SdJwtVerifiableCredential } from '@credo-ts/core'\nimport {\n CredoError,\n InjectionSymbols,\n Kms,\n type Logger,\n Mdoc,\n MdocApi,\n SdJwtVcApi,\n SignatureSuiteRegistry,\n W3cCredentialService,\n W3cJsonLdVerifiableCredential,\n W3cJwtVerifiableCredential,\n inject,\n injectable,\n parseDid,\n} from '@credo-ts/core'\nimport {\n type AccessTokenResponse,\n type CallbackContext,\n type Jwk,\n Oauth2Client,\n type RequestDpopOptions,\n authorizationCodeGrantIdentifier,\n clientAuthenticationAnonymous,\n clientAuthenticationClientAttestationJwt,\n clientAuthenticationNone,\n getAuthorizationServerMetadataFromList,\n preAuthorizedCodeGrantIdentifier,\n refreshTokenGrantIdentifier,\n} from '@openid4vc/oauth2'\nimport {\n type DeferredCredentialResponse,\n determineAuthorizationServerForCredentialOffer,\n parseKeyAttestationJwt,\n} from '@openid4vc/openid4vci'\nimport {\n AuthorizationFlow,\n type CredentialResponse,\n type IssuerMetadataResult,\n Openid4vciClient,\n Openid4vciDraftVersion,\n Openid4vciRetrieveCredentialsError,\n} from '@openid4vc/openid4vci'\nimport type { OpenId4VciCredentialConfigurationSupportedWithFormats, OpenId4VciMetadata } from '../shared'\nimport type {\n OpenId4VciAcceptCredentialOfferOptions,\n OpenId4VciAuthCodeFlowOptions,\n OpenId4VciCredentialBindingResolver,\n OpenId4VciCredentialResponse,\n OpenId4VciDeferredCredentialRequestOptions,\n OpenId4VciDeferredCredentialResponse,\n OpenId4VciDpopRequestOptions,\n OpenId4VciProofOfPossessionRequirements,\n OpenId4VciResolvedAuthorizationRequest,\n OpenId4VciResolvedCredentialOffer,\n OpenId4VciRetrieveAuthorizationCodeUsingPresentationOptions,\n OpenId4VciSendNotificationOptions,\n OpenId4VciSupportedCredentialFormats,\n OpenId4VciTokenRefreshOptions,\n OpenId4VciTokenRequestOptions,\n} from './OpenId4VciHolderServiceOptions'\n\nimport { OpenId4VciCredentialFormatProfile } from '../shared'\nimport { getOid4vcCallbacks } from '../shared/callbacks'\nimport { getOfferedCredentials, getScopesFromCredentialConfigurationsSupported } from '../shared/issuerMetadataUtils'\nimport { getSupportedJwaSignatureAlgorithms } from '../shared/utils'\n\nimport { replaceError } from '@credo-ts/core'\nimport { openId4VciSupportedCredentialFormats } from './OpenId4VciHolderServiceOptions'\n\n@injectable()\nexport class OpenId4VciHolderService {\n private logger: Logger\n private w3cCredentialService: W3cCredentialService\n private w3cV2CredentialService: W3cV2CredentialService\n\n public constructor(\n @inject(InjectionSymbols.Logger) logger: Logger,\n w3cCredentialService: W3cCredentialService,\n w3cV2CredentialService: W3cV2CredentialService\n ) {\n this.w3cCredentialService = w3cCredentialService\n this.w3cV2CredentialService = w3cV2CredentialService\n this.logger = logger\n }\n\n public async resolveIssuerMetadata(\n agentContext: AgentContext,\n credentialIssuer: string\n ): Promise<OpenId4VciMetadata> {\n const client = this.getClient(agentContext)\n\n const metadata = await client.resolveIssuerMetadata(credentialIssuer)\n this.logger.debug('fetched credential issuer metadata', { metadata })\n\n return metadata\n }\n\n public async resolveCredentialOffer(\n agentContext: AgentContext,\n credentialOffer: string\n ): Promise<OpenId4VciResolvedCredentialOffer> {\n const client = this.getClient(agentContext)\n\n const credentialOfferObject = await client.resolveCredentialOffer(credentialOffer)\n const metadata = await client.resolveIssuerMetadata(credentialOfferObject.credential_issuer)\n this.logger.debug('fetched credential offer and issuer metadata', { metadata, credentialOfferObject })\n\n const credentialConfigurationsSupported = getOfferedCredentials(\n credentialOfferObject.credential_configuration_ids,\n client.getKnownCredentialConfigurationsSupported(metadata.credentialIssuer),\n // We only filter for known configurations, so it's ok if not found\n { ignoreNotFoundIds: true }\n )\n\n return {\n metadata,\n offeredCredentialConfigurations: credentialConfigurationsSupported,\n credentialOfferPayload: credentialOfferObject,\n }\n }\n\n public async resolveAuthorizationRequest(\n agentContext: AgentContext,\n resolvedCredentialOffer: OpenId4VciResolvedCredentialOffer,\n authCodeFlowOptions: OpenId4VciAuthCodeFlowOptions\n ): Promise<OpenId4VciResolvedAuthorizationRequest> {\n const { clientId, redirectUri } = authCodeFlowOptions\n const { metadata, credentialOfferPayload, offeredCredentialConfigurations } = resolvedCredentialOffer\n\n const oauth2Client = this.getOauth2Client(agentContext)\n const client = this.getClient(agentContext, {\n clientId: authCodeFlowOptions.clientId,\n clientAttestation: authCodeFlowOptions.walletAttestationJwt,\n })\n\n // If scope is not provided, we request scope for all offered credentials\n const scope =\n authCodeFlowOptions.scope ?? getScopesFromCredentialConfigurationsSupported(offeredCredentialConfigurations)\n\n if (!credentialOfferPayload.grants?.[authorizationCodeGrantIdentifier]) {\n throw new CredoError(`Provided credential offer does not include the 'authorization_code' grant.`)\n }\n\n const authorizationCodeGrant = credentialOfferPayload.grants[authorizationCodeGrantIdentifier]\n const authorizationServer = determineAuthorizationServerForCredentialOffer({\n issuerMetadata: metadata,\n grantAuthorizationServer: authorizationCodeGrant.authorization_server,\n })\n\n const authorizationServerMetadata = getAuthorizationServerMetadataFromList(\n metadata.authorizationServers,\n authorizationServer\n )\n\n // TODO: should we allow key reuse between dpop and wallet attestation?\n const isDpopSupported = oauth2Client.isDpopSupported({ authorizationServerMetadata })\n const dpop = isDpopSupported.supported\n ? await this.getDpopOptions(agentContext, {\n dpopSigningAlgValuesSupported: isDpopSupported.dpopSigningAlgValuesSupported,\n })\n : undefined\n\n const authorizationResult = await client.initiateAuthorization({\n clientId,\n issuerMetadata: metadata,\n credentialOffer: credentialOfferPayload,\n scope: scope.join(' '),\n redirectUri,\n dpop,\n })\n\n if (authorizationResult.authorizationFlow === AuthorizationFlow.PresentationDuringIssuance) {\n return {\n authorizationFlow: AuthorizationFlow.PresentationDuringIssuance,\n openid4vpRequestUrl: authorizationResult.openid4vpRequestUrl,\n authSession: authorizationResult.authSession,\n // FIXME: return dpop result from this endpoint (dpop nonce)\n dpop: dpop\n ? {\n alg: dpop.signer.alg as Kms.KnownJwaSignatureAlgorithm,\n jwk: Kms.PublicJwk.fromUnknown(dpop.signer.publicJwk),\n }\n : undefined,\n }\n }\n\n // Normal Oauth2Redirect flow\n return {\n authorizationFlow: AuthorizationFlow.Oauth2Redirect,\n codeVerifier: authorizationResult.pkce?.codeVerifier,\n authorizationRequestUrl: authorizationResult.authorizationRequestUrl,\n // FIXME: return dpop result from this endpoint (dpop nonce)\n dpop: dpop\n ? {\n alg: dpop.signer.alg as Kms.KnownJwaSignatureAlgorithm,\n jwk: Kms.PublicJwk.fromUnknown(dpop.signer.publicJwk),\n }\n : undefined,\n }\n }\n\n public async sendNotification(agentContext: AgentContext, options: OpenId4VciSendNotificationOptions) {\n const client = this.getClient(agentContext)\n await client.sendNotification({\n accessToken: options.accessToken,\n dpop: options.dpop\n ? await this.getDpopOptions(agentContext, {\n ...options.dpop,\n dpopSigningAlgValuesSupported: [options.dpop.alg],\n })\n : undefined,\n issuerMetadata: options.metadata,\n notification: {\n event: options.notificationEvent,\n notificationId: options.notificationId,\n },\n })\n }\n\n private async getDpopOptions(\n agentContext: AgentContext,\n {\n jwk,\n dpopSigningAlgValuesSupported,\n nonce,\n }: { dpopSigningAlgValuesSupported: string[]; jwk?: Kms.PublicJwk; nonce?: string }\n ): Promise<RequestDpopOptions> {\n const kms = agentContext.resolve(Kms.KeyManagementApi)\n\n if (jwk) {\n const alg = dpopSigningAlgValuesSupported.find((alg) =>\n jwk.supportedSignatureAlgorithms.includes(alg as Kms.KnownJwaSignatureAlgorithm)\n )\n\n if (!alg) {\n throw new CredoError(\n `No supported dpop signature algorithms found in dpop_signing_alg_values_supported '${dpopSigningAlgValuesSupported.join(\n ', '\n )}' matching jwk ${jwk.jwkTypehumanDescription}`\n )\n }\n\n return {\n signer: {\n method: 'jwk',\n alg,\n publicJwk: jwk.toJson() as Jwk,\n },\n nonce,\n }\n }\n\n const alg = dpopSigningAlgValuesSupported.find((alg): alg is Kms.KnownJwaSignatureAlgorithm => {\n try {\n Kms.PublicJwk.supportedPublicJwkClassForSignatureAlgorithm(alg as Kms.KnownJwaSignatureAlgorithm)\n return true\n } catch {\n return false\n }\n })\n\n if (!alg) {\n throw new CredoError(\n `No supported dpop signature algorithms found in dpop_signing_alg_values_supported '${dpopSigningAlgValuesSupported.join(\n ', '\n )}'`\n )\n }\n\n const key = await kms.createKeyForSignatureAlgorithm({ algorithm: alg })\n return {\n signer: {\n method: 'jwk',\n alg,\n publicJwk: key.publicJwk as Jwk,\n },\n nonce,\n }\n }\n\n public async retrieveAuthorizationCodeUsingPresentation(\n agentContext: AgentContext,\n options: OpenId4VciRetrieveAuthorizationCodeUsingPresentationOptions\n ): Promise<{\n authorizationCode: string\n dpop?: OpenId4VciDpopRequestOptions\n }> {\n const client = this.getClient(agentContext, {\n clientAttestation: options.walletAttestationJwt,\n })\n const dpop = options.dpop\n ? await this.getDpopOptions(agentContext, {\n ...options.dpop,\n dpopSigningAlgValuesSupported: [options.dpop.alg],\n })\n : undefined\n\n const { authorizationChallengeResponse, dpop: dpopResult } =\n await client.retrieveAuthorizationCodeUsingPresentation({\n authSession: options.authSession,\n presentationDuringIssuanceSession: options.presentationDuringIssuanceSession,\n credentialOffer: options.resolvedCredentialOffer.credentialOfferPayload,\n issuerMetadata: options.resolvedCredentialOffer.metadata,\n dpop,\n })\n\n return {\n authorizationCode: authorizationChallengeResponse.authorization_code,\n dpop: dpop\n ? {\n ...dpopResult,\n alg: dpop.signer.alg as Kms.KnownJwaSignatureAlgorithm,\n jwk: Kms.PublicJwk.fromUnknown(dpop.signer.publicJwk),\n }\n : undefined,\n }\n }\n\n public async requestAccessToken(\n agentContext: AgentContext,\n options: OpenId4VciTokenRequestOptions\n ): Promise<{\n authorizationServer: string\n accessTokenResponse: AccessTokenResponse\n dpop?: OpenId4VciDpopRequestOptions\n }> {\n const { metadata, credentialOfferPayload } = options.resolvedCredentialOffer\n const client = this.getClient(agentContext, {\n clientAttestation: options.walletAttestationJwt,\n clientId: 'clientId' in options ? options.clientId : undefined,\n })\n const oauth2Client = this.getOauth2Client(agentContext)\n\n const authorizationServer = options.code\n ? credentialOfferPayload.grants?.authorization_code?.authorization_server\n : credentialOfferPayload.grants?.[preAuthorizedCodeGrantIdentifier]?.authorization_server\n const authorizationServerMetadata = getAuthorizationServerMetadataFromList(\n metadata.authorizationServers,\n authorizationServer ?? metadata.authorizationServers[0].issuer\n )\n\n const isDpopSupported = oauth2Client.isDpopSupported({\n authorizationServerMetadata,\n })\n\n const dpop = options.dpop\n ? await this.getDpopOptions(agentContext, {\n ...options.dpop,\n dpopSigningAlgValuesSupported: [options.dpop.alg],\n })\n : // We should be careful about this case. It could just be the user didn't correctly\n // provide the DPoP from the auth response. In which case different DPoP will be used\n // However it might be that they only use DPoP for the token request (esp in pre-auth case)\n isDpopSupported.supported\n ? await this.getDpopOptions(agentContext, {\n dpopSigningAlgValuesSupported: isDpopSupported.dpopSigningAlgValuesSupported,\n })\n : undefined\n\n const result = options.code\n ? await client.retrieveAuthorizationCodeAccessTokenFromOffer({\n issuerMetadata: metadata,\n credentialOffer: credentialOfferPayload,\n authorizationCode: options.code,\n dpop,\n pkceCodeVerifier: options.codeVerifier,\n redirectUri: options.redirectUri,\n })\n : await client.retrievePreAuthorizedCodeAccessTokenFromOffer({\n credentialOffer: credentialOfferPayload,\n issuerMetadata: metadata,\n dpop,\n txCode: options.txCode,\n })\n\n return {\n ...result,\n dpop: dpop\n ? {\n ...result.dpop,\n alg: dpop.signer.alg as Kms.KnownJwaSignatureAlgorithm,\n jwk: Kms.PublicJwk.fromUnknown(dpop.signer.publicJwk),\n }\n : undefined,\n }\n }\n\n public async refreshAccessToken(\n agentContext: AgentContext,\n options: OpenId4VciTokenRefreshOptions\n ): Promise<\n // FIXME: export type in oid4vc library\n Omit<Awaited<ReturnType<Oauth2Client['retrieveRefreshTokenAccessToken']>>, 'dpop'> & {\n dpop?: OpenId4VciDpopRequestOptions\n }\n > {\n const oauth2Client = this.getOauth2Client(agentContext, {\n clientAttestation: options.walletAttestationJwt,\n clientId: options.clientId,\n })\n\n const dpop = options.dpop\n ? await this.getDpopOptions(agentContext, {\n ...options.dpop,\n dpopSigningAlgValuesSupported: [options.dpop.alg],\n })\n : undefined\n\n const authorizationServerMetadata = getAuthorizationServerMetadataFromList(\n options.issuerMetadata.authorizationServers,\n options.authorizationServer ?? options.issuerMetadata.authorizationServers[0].issuer\n )\n\n const result = await oauth2Client.retrieveRefreshTokenAccessToken({\n authorizationServerMetadata,\n refreshToken: options.refreshToken,\n dpop,\n resource: options.issuerMetadata.credentialIssuer.credential_issuer,\n })\n\n return {\n ...result,\n dpop: dpop\n ? {\n ...result.dpop,\n alg: dpop.signer.alg as Kms.KnownJwaSignatureAlgorithm,\n jwk: Kms.PublicJwk.fromUnknown(dpop.signer.publicJwk),\n }\n : undefined,\n }\n }\n\n public async acceptCredentialOffer(\n agentContext: AgentContext,\n options: {\n resolvedCredentialOffer: OpenId4VciResolvedCredentialOffer\n acceptCredentialOfferOptions: OpenId4VciAcceptCredentialOfferOptions\n accessToken: string\n cNonce?: string\n dpop?: OpenId4VciDpopRequestOptions\n clientId?: string\n }\n ): Promise<{\n credentials: OpenId4VciCredentialResponse[]\n deferredCredentials: OpenId4VciDeferredCredentialResponse[]\n dpop?: OpenId4VciDpopRequestOptions\n cNonce?: string\n }> {\n const { resolvedCredentialOffer, acceptCredentialOfferOptions } = options\n const { metadata, offeredCredentialConfigurations } = resolvedCredentialOffer\n const {\n credentialConfigurationIds,\n credentialBindingResolver,\n verifyCredentialStatus,\n allowedProofOfPossessionSignatureAlgorithms,\n } = acceptCredentialOfferOptions\n const client = this.getClient(agentContext)\n\n if (credentialConfigurationIds?.length === 0) {\n throw new CredoError(`'credentialConfigurationIds' may not be empty`)\n }\n\n const receivedCredentials: Array<OpenId4VciCredentialResponse> = []\n const deferredCredentials: Array<OpenId4VciDeferredCredentialResponse> = []\n let cNonce = options.cNonce\n let dpopNonce = options.dpop?.nonce\n\n const credentialConfigurationsToRequest =\n credentialConfigurationIds?.map((id) => {\n if (!offeredCredentialConfigurations[id]) {\n const offeredCredentialIds = Object.keys(offeredCredentialConfigurations).join(', ')\n throw new CredoError(\n `Credential to request '${id}' is not present in offered credentials. Offered credentials are ${offeredCredentialIds}`\n )\n }\n return [id, offeredCredentialConfigurations[id]] as const\n }) ?? Object.entries(offeredCredentialConfigurations)\n\n // If we don't have a nonce yet, we need to first get one\n if (!cNonce) {\n // Best option is to use nonce endpoint (draft 14+)\n if (metadata.credentialIssuer.nonce_endpoint) {\n const nonceResponse = await client.requestNonce({ issuerMetadata: metadata })\n cNonce = nonceResponse.c_nonce\n } else {\n // Otherwise we will send a dummy request\n await client\n .retrieveCredentials({\n issuerMetadata: metadata,\n accessToken: options.accessToken,\n credentialConfigurationId: credentialConfigurationsToRequest[0][0],\n dpop: options.dpop\n ? await this.getDpopOptions(agentContext, {\n ...options.dpop,\n nonce: dpopNonce,\n dpopSigningAlgValuesSupported: [options.dpop.alg],\n })\n : undefined,\n })\n .catch((e) => {\n if (e instanceof Openid4vciRetrieveCredentialsError && e.response.credentialErrorResponseResult?.success) {\n cNonce = e.response.credentialErrorResponseResult.data.c_nonce\n }\n })\n }\n }\n\n if (!cNonce) {\n throw new CredoError('No cNonce provided and unable to acquire cNonce from the credential issuer')\n }\n\n for (const [offeredCredentialId, offeredCredentialConfiguration] of credentialConfigurationsToRequest) {\n const proofs = await this.getCredentialRequestOptions(agentContext, {\n allowedProofOfPossessionAlgorithms:\n allowedProofOfPossessionSignatureAlgorithms ?? getSupportedJwaSignatureAlgorithms(agentContext),\n metadata,\n offeredCredential: {\n id: offeredCredentialId,\n configuration: offeredCredentialConfiguration,\n },\n clientId: options.clientId,\n // We already checked whether nonce exists above\n cNonce: cNonce as string,\n credentialBindingResolver,\n })\n\n this.logger.debug('Generated credential request proof of possession', { proofs })\n\n const proof =\n // Draft 11 ALWAYS uses proof\n (metadata.originalDraftVersion === Openid4vciDraftVersion.Draft11 ||\n // Draft 14 allows both proof and proofs. Try to use proof when it makes to improve interoperability\n (metadata.originalDraftVersion === Openid4vciDraftVersion.Draft14 &&\n metadata.credentialIssuer.batch_credential_issuance === undefined)) &&\n proofs.jwt?.length === 1\n ? ({\n proof_type: 'jwt',\n jwt: proofs.jwt[0],\n } as const)\n : undefined\n\n const { credentialResponse, dpop } = await client.retrieveCredentials({\n issuerMetadata: metadata,\n accessToken: options.accessToken,\n credentialConfigurationId: offeredCredentialId,\n dpop: options.dpop\n ? await this.getDpopOptions(agentContext, {\n ...options.dpop,\n nonce: dpopNonce,\n dpopSigningAlgValuesSupported: [options.dpop.alg],\n })\n : undefined,\n // Only include proofs if we don't add proof\n proofs: !proof ? proofs : undefined,\n proof,\n })\n\n // Set new nonce values\n cNonce = credentialResponse.c_nonce\n dpopNonce = dpop?.nonce\n\n if (credentialResponse.transaction_id) {\n const deferredCredential = {\n credentialConfigurationId: offeredCredentialId,\n credentialConfiguration: offeredCredentialConfiguration,\n transactionId: credentialResponse.transaction_id,\n interval: credentialResponse.interval,\n notificationId: credentialResponse.notification_id,\n }\n\n this.logger.debug('received deferred credential', deferredCredential)\n deferredCredentials.push(deferredCredential)\n } else {\n // Create credential, but we don't store it yet (only after the user has accepted the credential)\n const credential = await this.handleCredentialResponse(agentContext, credentialResponse, {\n verifyCredentialStatus: verifyCredentialStatus ?? false,\n format: offeredCredentialConfiguration.format as OpenId4VciCredentialFormatProfile,\n credentialConfigurationId: offeredCredentialId,\n credentialConfiguration: offeredCredentialConfiguration,\n })\n\n this.logger.debug(\n 'received credential',\n credential.credentials.map((c) =>\n c instanceof Mdoc ? { issuerSignedNamespaces: c.issuerSignedNamespaces, base64Url: c.base64Url } : c\n )\n )\n receivedCredentials.push(credential)\n }\n }\n\n return {\n credentials: receivedCredentials,\n deferredCredentials,\n dpop: options.dpop\n ? {\n ...options.dpop,\n nonce: dpopNonce,\n }\n : undefined,\n cNonce,\n }\n }\n\n public async retrieveDeferredCredentials(\n agentContext: AgentContext,\n options: OpenId4VciDeferredCredentialRequestOptions\n ): Promise<{\n credentials: OpenId4VciCredentialResponse[]\n deferredCredentials: OpenId4VciDeferredCredentialResponse[]\n dpop?: OpenId4VciDpopRequestOptions\n }> {\n const {\n issuerMetadata,\n transactionId,\n credentialConfigurationId,\n credentialConfiguration,\n verifyCredentialStatus,\n accessToken,\n } = options\n const client = this.getClient(agentContext)\n\n const receivedCredentials: Array<OpenId4VciCredentialResponse> = []\n const deferredCredentials: Array<OpenId4VciDeferredCredentialResponse> = []\n let dpopNonce = options.dpop?.nonce\n\n const { deferredCredentialResponse, dpop } = await client.retrieveDeferredCredentials({\n issuerMetadata,\n accessToken,\n transactionId,\n dpop: options.dpop\n ? await this.getDpopOptions(agentContext, {\n ...options.dpop,\n nonce: dpopNonce,\n dpopSigningAlgValuesSupported: [options.dpop.alg],\n })\n : undefined,\n })\n\n // Set new nonce values\n dpopNonce = dpop?.nonce\n\n if (deferredCredentialResponse.interval) {\n const deferredCredential: OpenId4VciDeferredCredentialResponse = {\n credentialConfigurationId,\n credentialConfiguration,\n transactionId,\n interval: deferredCredentialResponse.interval,\n notificationId: deferredCredentialResponse.notification_id,\n }\n\n this.logger.debug('received deferred credential', deferredCredential)\n deferredCredentials.push(deferredCredential)\n } else {\n // Create credential, but we don't store it yet (only after the user has accepted the credential)\n const credential = await this.handleCredentialResponse(agentContext, deferredCredentialResponse, {\n verifyCredentialStatus: verifyCredentialStatus ?? false,\n format: credentialConfiguration.format as OpenId4VciCredentialFormatProfile,\n credentialConfigurationId: credentialConfigurationId,\n credentialConfiguration: credentialConfiguration,\n })\n\n this.logger.debug(\n 'received credential',\n credential.credentials.map((c) =>\n c instanceof Mdoc ? { issuerSignedNamespaces: c.issuerSignedNamespaces, base64Url: c.base64Url } : c\n )\n )\n receivedCredentials.push(credential)\n }\n\n return {\n credentials: receivedCredentials,\n deferredCredentials,\n dpop: options.dpop\n ? {\n ...options.dpop,\n nonce: dpopNonce,\n }\n : undefined,\n }\n }\n\n /**\n * Get the options for the credential request. Internally this will resolve the proof of possession\n * requirements, and based on that it will call the proofOfPossessionVerificationMethodResolver to\n * allow the caller to select the correct verification method based on the requirements for the proof\n * of possession.\n */\n private async getCredentialRequestOptions(\n agentContext: AgentContext,\n options: {\n metadata: OpenId4VciResolvedCredentialOffer['metadata']\n credentialBindingResolver: OpenId4VciCredentialBindingResolver\n allowedProofOfPossessionAlgorithms: Kms.KnownJwaSignatureAlgorithm[]\n clientId?: string\n cNonce: string\n offeredCredential: {\n id: string\n configuration: OpenId4VciCredentialConfigurationSupportedWithFormats\n }\n }\n ) {\n const dids = agentContext.resolve(DidsApi)\n const { allowedProofOfPossessionAlgorithms, offeredCredential } = options\n const { configuration, id: configurationId } = offeredCredential\n const supportedJwaSignatureAlgorithms = getSupportedJwaSignatureAlgorithms(agentContext)\n\n const possibleProofOfPossessionSignatureAlgorithms = allowedProofOfPossessionAlgorithms\n ? allowedProofOfPossessionAlgorithms.filter((algorithm) => supportedJwaSignatureAlgorithms.includes(algorithm))\n : supportedJwaSignatureAlgorithms\n\n if (possibleProofOfPossessionSignatureAlgorithms.length === 0) {\n throw new CredoError(\n [\n 'No possible proof of possession signature algorithm found.',\n `Signature algorithms supported by the Agent '${supportedJwaSignatureAlgorithms.join(', ')}'`,\n `Allowed Signature algorithms '${allowedProofOfPossessionAlgorithms?.join(', ')}'`,\n ].join('\\n')\n )\n }\n\n const { proofTypes, supportedDidMethods, supportsAllDidMethods, supportsJwk } =\n this.getProofOfPossessionRequirements(agentContext, {\n credentialToRequest: options.offeredCredential,\n metadata: options.metadata,\n possibleProofOfPossessionSignatureAlgorithms,\n })\n\n const format = configuration.format satisfies `${OpenId4VciSupportedCredentialFormats}`\n const supportsAnyMethod = supportedDidMethods !== undefined || supportsAllDidMethods || supportsJwk\n const issuerMaxBatchSize = options.metadata.credentialIssuer.batch_credential_issuance?.batch_size ?? 1\n\n // Now we need to determine how the credential will be bound to us\n const credentialBinding = await options.credentialBindingResolver({\n agentContext,\n credentialFormat: format as OpenId4VciSupportedCredentialFormats,\n credentialConfigurationId: configurationId,\n credentialConfiguration: configuration,\n metadata: options.metadata,\n issuerMaxBatchSize,\n proofTypes,\n supportsAllDidMethods,\n supportedDidMethods,\n supportsJwk,\n })\n\n const client = this.getClient(agentContext)\n\n // Make sure the issuer of proof of possession is valid according to openid issuer metadata\n if (credentialBinding.method === 'did') {\n if (!proofTypes.jwt) {\n throw new CredoError(\n `JWT proof type is not supported for configuration '${configurationId}', which is required for did based credential binding.`\n )\n }\n\n if (proofTypes.jwt.keyAttestationsRequired) {\n throw new CredoError(\n `Credential binding returned list of DID urls, but credential configuration '${configurationId}' requires key attestations. Key attestations and DIDs are not compatible.`\n )\n }\n\n if (credentialBinding.didUrls.length > issuerMaxBatchSize) {\n throw new CredoError(\n `Issuer supports issuing a batch of maximum ${issuerMaxBatchSize} credential(s). Binding resolver returned ${credentialBinding.didUrls.length} DID urls. Make sure the returned value does not exceed the max batch issuance.`\n )\n }\n\n if (credentialBinding.didUrls.length === 0) {\n throw new CredoError('Credential binding with method did returned empty didUrls list')\n }\n\n const firstDid = parseDid(credentialBinding.didUrls[0])\n if (!credentialBinding.didUrls.every((didUrl) => parseDid(didUrl).method === firstDid.method)) {\n throw new CredoError('Expected all did urls for binding method did to use the same did method')\n }\n\n if (\n !supportsAllDidMethods &&\n // If supportedDidMethods is undefined, it means the issuer didn't include the binding methods in the metadata\n // The user can still select a verification method, but we can't validate it\n supportedDidMethods !== undefined &&\n !supportedDidMethods.find(\n (supportedDidMethod) => firstDid.did.startsWith(supportedDidMethod) && supportsAnyMethod\n )\n ) {\n // Test binding method\n const supportedDidMethodsString = supportedDidMethods.join(', ')\n throw new CredoError(\n `Resolved credential binding for proof of possession uses did method '${firstDid.method}', but issuer only supports '${supportedDidMethodsString}'`\n )\n }\n\n const { publicJwk: firstKey } = await dids.resolveVerificationMethodFromCreatedDidRecord(firstDid.didUrl)\n const algorithm = proofTypes.jwt.supportedSignatureAlgorithms.find((algorithm) =>\n firstKey.supportedSignatureAlgorithms.includes(algorithm)\n )\n if (!algorithm) {\n throw new CredoError(\n `Credential binding returned did url that points to key '${firstKey.jwkTypehumanDescription}' that supports signature algorithms ${firstKey.supportedSignatureAlgorithms.join(', ')}, but one of '${proofTypes.jwt.supportedSignatureAlgorithms.join(', ')}' was expected`\n )\n }\n\n // This will/should leverage the caching, so it's ok to resolve the did here\n const keys = await Promise.all(\n credentialBinding.didUrls.map(async (didUrl, index) =>\n index === 0\n ? // We already fetched the first did\n { jwk: firstKey, didUrl: firstDid.didUrl }\n : { jwk: (await dids.resolveVerificationMethodFromCreatedDidRecord(didUrl)).publicJwk, didUrl }\n )\n )\n if (!keys.every((key) => Kms.assymetricJwkKeyTypeMatches(key.jwk.toJson(), firstKey.toJson()))) {\n throw new CredoError('Expected all did urls to point to the same key type')\n }\n\n return {\n jwt: await Promise.all(\n keys.map((key) =>\n client\n .createCredentialRequestJwtProof({\n credentialConfigurationId: configurationId,\n issuerMetadata: options.metadata,\n signer: {\n method: 'did',\n didUrl: key.didUrl,\n alg: algorithm,\n kid: key.jwk.keyId,\n },\n nonce: options.cNonce,\n clientId: options.clientId,\n })\n .then(({ jwt }) => jwt)\n )\n ),\n }\n }\n\n if (credentialBinding.method === 'jwk') {\n if (!supportsJwk && supportsAnyMethod) {\n throw new CredoError(\n `Resolved credential binding for proof of possession uses jwk, but openid issuer does not support 'jwk' or 'cose_key' cryptographic binding method`\n )\n }\n\n if (!proofTypes.jwt) {\n throw new CredoError(\n `JWT proof type is not supported for configuration '${configurationId}', which is required for jwk based credential binding.`\n )\n }\n\n if (proofTypes.jwt.keyAttestationsRequired) {\n throw new CredoError(\n `Credential binding returned list of JWK keys, but credential configuration '${configurationId}' requires key attestations. Return a key attestation with binding method 'attestation'.`\n )\n }\n\n if (credentialBinding.keys.length > issuerMaxBatchSize) {\n throw new CredoError(\n `Issuer supports issuing a batch of maximum ${issuerMaxBatchSize} credential(s). Binding resolver returned ${credentialBinding.keys.length} keys. Make sure the returned value does not exceed the max batch issuance.`\n )\n }\n\n if (credentialBinding.keys.length === 0) {\n throw new CredoError('Credential binding with method jwk returned empty keys list')\n }\n\n const firstJwk = credentialBinding.keys[0]\n\n if (!credentialBinding.keys.every((key) => Kms.assymetricJwkKeyTypeMatches(key.toJson(), firstJwk.toJson()))) {\n throw new CredoError('Expected all keys for binding method jwk to use the same key type')\n }\n\n const algorithm = proofTypes.jwt.supportedSignatureAlgorithms.find((algorithm) =>\n firstJwk.supportedSignatureAlgorithms.includes(algorithm)\n )\n if (!algorithm) {\n throw new CredoError(\n `Credential binding returned jwk that points to key '${firstJwk.jwkTypehumanDescription}' that supports signature algorithms ${firstJwk.supportedSignatureAlgorithms.join(', ')}, but one of '${proofTypes.jwt.supportedSignatureAlgorithms.join(', ')}' was expected`\n )\n }\n\n return {\n jwt: await Promise.all(\n credentialBinding.keys.map((jwk) =>\n client\n .createCredentialRequestJwtProof({\n credentialConfigurationId: configurationId,\n issuerMetadata: options.metadata,\n signer: {\n method: 'jwk',\n publicJwk: jwk.toJson() as Jwk,\n alg: algorithm,\n },\n nonce: options.cNonce,\n clientId: options.clientId,\n })\n .then(({ jwt }) => jwt)\n )\n ),\n }\n }\n\n if (credentialBinding.method === 'attestation') {\n const { payload } = parseKeyAttestationJwt({ keyAttestationJwt: credentialBinding.keyAttestationJwt })\n\n // TODO: check client_id matches in payload\n\n if (payload.attested_keys.length > issuerMaxBatchSize) {\n throw new CredoError(\n `Issuer supports issuing a batch of maximum ${issuerMaxBatchSize} credential(s). Binding resolver returned key attestation with ${payload.attested_keys.length} attested keys. Make sure the returned value does not exceed the max batch issuance.`\n )\n }\n\n // TODO: check nonce matches cNonce\n if (proofTypes.attestation && payload.nonce) {\n // If attestation is supported and the attestation contains a nonce, we can use the attestation directly\n return {\n attestation: [credentialBinding.keyAttestationJwt],\n }\n }\n\n if (proofTypes.jwt) {\n const jwk = Kms.PublicJwk.fromUnknown(payload.attested_keys[0])\n\n return {\n jwt: [\n await client\n .createCredentialRequestJwtProof({\n credentialConfigurationId: configurationId,\n issuerMetadata: options.metadata,\n signer: {\n method: 'jwk',\n publicJwk: payload.attested_keys[0],\n // TODO: we should probably use the 'alg' from the jwk\n alg: jwk.supportedSignatureAlgorithms[0],\n },\n keyAttestationJwt: credentialBinding.keyAttestationJwt,\n nonce: options.cNonce,\n clientId: options.clientId,\n })\n .then(({ jwt }) => jwt),\n ],\n }\n }\n\n throw new CredoError(\n `Unable to create credential request proofs. Configuration supports 'attestation' proof type, but attestation did not contain a 'nonce' value`\n )\n }\n\n // @ts-expect-error currently if/else if exhaustive, but once we add new option it will give ts error\n throw new CredoError(`Unsupported credential binding method ${credentialBinding.method}`)\n }\n\n /**\n * Get the requirements for creating the proof of possession. Based on the allowed\n * credential formats, the allowed proof of possession signature algorithms, and the\n * credential type, this method will select the best credential format and signature\n * algorithm to use, based on the order of preference.\n */\n private getProofOfPossessionRequirements(\n agentContext: AgentContext,\n options: {\n metadata: IssuerMetadataResult\n credentialToRequest: {\n id: string\n configuration: OpenId4VciCredentialConfigurationSupportedWithFormats\n }\n possibleProofOfPossessionSignatureAlgorithms: Kms.KnownJwaSignatureAlgorithm[]\n }\n ): OpenId4VciProofOfPossessionRequirements {\n const { credentialToRequest, possibleProofOfPossessionSignatureAlgorithms, metadata } = options\n const { configuration, id: configurationId } = credentialToRequest\n\n if (!openId4VciSupportedCredentialFormats.includes(configuration.format as OpenId4VciSupportedCredentialFormats)) {\n throw new CredoError(\n [\n `Requested credential with format '${credentialToRequest.configuration.format}',`,\n `for the credential with id '${credentialToRequest.id},`,\n `but the wallet only supports the following formats '${openId4VciSupportedCredentialFormats.join(', ')}'`,\n ].join('\\n')\n )\n }\n\n // For each of the supported algs, find the key types, then find the proof types\n const signatureSuiteRegistry = agentContext.dependencyManager.resolve(SignatureSuiteRegistry)\n\n let proofTypesSupported = configuration.proof_types_supported\n if (!proofTypesSupported) {\n // For draft above 11 we do not allow no proof_type (we do not support no key binding for now)\n if (metadata.originalDraftVersion !== Openid4vciDraftVersion.Draft11) {\n throw new CredoError(\n `Credential configuration '${configurationId}' does not specifcy proof_types_supported. Credentials not bound to keys are not supported at the moment`\n )\n }\n\n // For draft 11 we fall back to jwt proof type\n proofTypesSupported = {\n jwt: {\n proof_signing_alg_values_supported: possibleProofOfPossessionSignatureAlgorithms,\n },\n }\n }\n\n const proofTypes: OpenId4VciProofOfPossessionRequirements['proofTypes'] = {\n jwt: undefined,\n attestation: undefined,\n }\n\n for (const [proofType, proofTypeConfig] of Object.entries(proofTypesSupported)) {\n if (proofType !== 'jwt' && proofType !== 'attestation') continue\n\n let signatureAlgorithms: Kms.KnownJwaSignatureAlgorithm[] = []\n\n const proofSigningAlgsSupported = proofTypeConfig?.proof_signing_alg_values_supported\n if (proofSigningAlgsSupported === undefined) {\n // If undefined, it means the issuer didn't include the cryptographic suites in the metadata\n // We just guess that the first one is supported\n signatureAlgorithms = options.possibleProofOfPossessionSignatureAlgorithms\n } else {\n switch (credentialToRequest.configuration.format) {\n case OpenId4VciCredentialFormatProfile.JwtVcJson:\n case OpenId4VciCredentialFormatProfile.JwtVcJsonLd:\n case OpenId4VciCredentialFormatProfile.SdJwtVc:\n case OpenId4VciCredentialFormatProfile.SdJwtDc:\n case OpenId4VciCredentialFormatProfile.MsoMdoc:\n signatureAlgorithms = options.possibleProofOfPossessionSignatureAlgorithms.filter((signatureAlgorithm) =>\n proofSigningAlgsSupported.includes(signatureAlgorithm)\n )\n break\n // FIXME: this is wrong, as the proof type is separate from the credential signing alg\n // But there might be some draft 11 logic that depends on this, can be removed soon\n case OpenId4VciCredentialFormatProfile.LdpVc:\n signatureAlgorithms = options.possibleProofOfPossessionSignatureAlgorithms.filter((signatureAlgorithm) => {\n try {\n const jwkClass = Kms.PublicJwk.supportedPublicJwkClassForSignatureAlgorithm(signatureAlgorithm)\n const matchingSuites = signatureSuiteRegistry.getAllByPublicJwkType(jwkClass)\n if (matchingSuites.length === 0) return false\n\n return proofSigningAlgsSupported.includes(matchingSuites[0].proofType)\n } catch {\n return false\n }\n })\n break\n default:\n throw new CredoError('Unsupported credential format.')\n }\n }\n\n proofTypes[proofType] = {\n supportedSignatureAlgorithms: signatureAlgorithms,\n keyAttestationsRequired: proofTypeConfig.key_attestations_required\n ? {\n keyStorage: proofTypeConfig.key_attestations_required.key_storage,\n userAuthentication: proofTypeConfig.key_attestations_required.user_authentication,\n }\n : undefined,\n }\n }\n\n const { jwt, attestation } = proofTypes\n if (!jwt && !attestation) {\n const supported = Object.keys(proofTypesSupported).join(', ')\n throw new CredoError(`Unsupported proof type(s) ${supported}. Supported proof type(s) are: jwt, attestation`)\n }\n\n const issuerSupportedBindingMethods = credentialToRequest.configuration.cryptographic_binding_methods_supported\n const supportsAllDidMethods = issuerSupportedBindingMethods?.includes('did') ?? false\n const supportedDidMethods = issuerSupportedBindingMethods?.filter((method) => method.startsWith('did:'))\n\n // The cryptographic_binding_methods_supported describe the cryptographic key material that the issued Credential is bound to.\n const supportsCoseKey = issuerSupportedBindingMethods?.includes('cose_key') ?? false\n const supportsJwk = issuerSupportedBindingMethods?.includes('jwk') || supportsCoseKey\n\n return {\n proofTypes,\n supportedDidMethods,\n supportsAllDidMethods,\n supportsJwk,\n }\n }\n\n private async handleCredentialResponse(\n agentContext: AgentContext,\n credentialResponse: CredentialResponse | DeferredCredentialResponse,\n options: {\n verifyCredentialStatus: boolean\n format: OpenId4VciCredentialFormatProfile\n credentialConfigurationId: string\n credentialConfiguration: OpenId4VciCredentialConfigurationSupportedWithFormats\n }\n ): Promise<OpenId4VciCredentialResponse> {\n const { verifyCredentialStatus, credentialConfigurationId, credentialConfiguration } = options\n this.logger.debug('Credential response', credentialResponse)\n\n const credentials = credentialResponse.credentials\n ? credentialResponse.credentials.every((c) => typeof c === 'object' && c !== null && 'credential' in c)\n ? credentialResponse.credentials.map((c) => (c as { credential: string | Record<string, unknown> }).credential)\n : (credentialResponse.credentials as (string | Record<string, unknown>)[])\n : credentialResponse.credential\n ? [credentialResponse.credential as CredentialResponse['credential']]\n : undefined\n\n if (!credentials) {\n throw new CredoError(`Credential response returned neither 'credentials' nor 'credential' parameter.`)\n }\n\n const notificationId = credentialResponse.notification_id\n\n const format = options.format\n if (format === OpenId4VciCredentialFormatProfile.SdJwtVc || format === OpenId4VciCredentialFormatProfile.SdJwtDc) {\n if (!credentials.every((c) => typeof c === 'string')) {\n throw new CredoError(\n `Received credential(s) of format ${format}, but not all credential(s) are a string. ${JSON.stringify(\n credentials\n )}`\n )\n }\n\n if (format === OpenId4VciCredentialFormatProfile.SdJwtDc || credentialConfiguration.vct) {\n const sdJwtVcApi = agentContext.dependencyManager.resolve(SdJwtVcApi)\n const verificationResults = await Promise.all(\n credentials.map((compactSdJwtVc, index) =>\n sdJwtVcApi.verify({\n compactSdJwtVc,\n // Only load and verify it for the first instance\n fetchTypeMetadata: index === 0,\n })\n )\n )\n\n if (!verificationResults.every((result) => result.isValid)) {\n agentContext.config.logger.error('Failed to validate credential(s)', { verificationResults })\n throw new CredoError(\n `Failed to validate sd-jwt-vc credentials. Results = ${JSON.stringify(verificationResults, replaceError)}`\n )\n }\n\n return {\n credentials: verificationResults.map((result) => result.sdJwtVc),\n notificationId,\n credentialConfigurationId,\n credentialConfiguration,\n }\n }\n\n const result = await Promise.all(\n credentials.map(async (c) => {\n const credential = W3cV2SdJwtVerifiableCredential.fromCompact(c)\n const result = await this.w3cV2CredentialService.verifyCredential(agentContext, {\n credential,\n })\n\n return { credential, result }\n })\n )\n\n if (!result.every((c) => c.result.isValid)) {\n agentContext.config.logger.error('Failed to validate credentials', { result })\n throw new CredoError(\n `Failed to validate credential, error = ${result\n .map((e) => e.result.error?.message)\n .filter(Boolean)\n .join(', ')}`\n )\n }\n\n return {\n credentials: result.map((r) => r.credential),\n notificationId,\n credentialConfigurationId,\n credentialConfiguration,\n }\n }\n if (\n options.format === OpenId4VciCredentialFormatProfile.JwtVcJson ||\n options.format === OpenId4VciCredentialFormatProfile.JwtVcJsonLd\n ) {\n if (!credentials.every((c) => typeof c === 'string')) {\n throw new CredoError(\n `Received credential(s) of format ${format}, but not all credential(s) are a string. ${JSON.stringify(\n credentials\n )}`\n )\n }\n\n const result = await Promise.all(\n credentials.map(async (c) => {\n const credential = W3cJwtVerifiableCredential.fromSerializedJwt(c)\n const result = await this.w3cCredentialService.verifyCredential(agentContext, {\n credential,\n verifyCredentialStatus,\n })\n\n return { credential, result }\n })\n )\n\n if (!result.every((c) => c.result.isValid)) {\n agentContext.config.logger.error('Failed to validate credentials', { result })\n throw new CredoError(\n `Failed to validate credential, error = ${result\n .map((e) => e.result.error?.message)\n .filter(Boolean)\n .join(', ')}`\n )\n }\n\n return {\n credentials: result.map((r) => r.credential),\n notificationId,\n credentialConfigurationId,\n credentialConfiguration,\n }\n }\n if (format === OpenId4VciCredentialFormatProfile.LdpVc) {\n if (!credentials.every((c) => typeof c === 'object' && c !== null)) {\n throw new CredoError(\n `Received credential(s) of format ${format}, but not all credential(s) are an object. ${JSON.stringify(\n credentials\n )}`\n )\n }\n const result = await Promise.all(\n credentials.map(async (c) => {\n const credential = W3cJsonLdVerifiableCredential.fromJson(c)\n const result = await this.w3cCredentialService.verifyCredential(agentContext, {\n credential,\n verifyCredentialStatus,\n })\n\n return { credential, result }\n })\n )\n\n if (!result.every((c) => c.result.isValid)) {\n agentContext.config.logger.error('Failed to validate credentials', { result })\n throw new CredoError(\n `Failed to validate credential, error = ${result\n .map((e) => e.result.error?.message)\n .filter(Boolean)\n .join(', ')}`\n )\n }\n\n return {\n credentials: result.map((r) => r.credential),\n notificationId,\n credentialConfigurationId,\n credentialConfiguration,\n }\n }\n if (format === OpenId4VciCredentialFormatProfile.MsoMdoc) {\n if (!credentials.every((c) => typeof c === 'string')) {\n throw new CredoError(\n `Received credential(s) of format ${format}, but not all credential(s) are a string. ${JSON.stringify(\n credentials\n )}`\n )\n }\n const mdocApi = agentContext.dependencyManager.resolve(MdocApi)\n const result = await Promise.all(\n credentials.map(async (credential) => {\n const mdoc = Mdoc.fromBase64Url(credential)\n const result = await mdocApi.verify(mdoc, {})\n return {\n result,\n mdoc,\n }\n })\n )\n\n if (!result.every((r) => r.result.isValid)) {\n agentContext.config.logger.error('Failed to validate credentials', { result })\n throw new CredoError(\n `Failed to validate mdoc credential(s). \\n - ${result\n .map((r, i) => (r.result.isValid ? undefined : `(${i}) ${r.result.error}`))\n .filter(Boolean)\n .join('\\n - ')}`\n )\n }\n\n return {\n credentials: result.map((c) => c.mdoc),\n notificationId,\n credentialConfigurationId,\n credentialConfiguration,\n }\n }\n\n throw new CredoError(`Unsupported credential format ${options.format}`)\n }\n\n private getCallbacks(\n agentContext: AgentContext,\n { clientAttestation, clientId }: { clientAttestation?: string; clientId?: string } = {}\n ) {\n const callbacks = getOid4vcCallbacks(agentContext)\n\n return {\n ...callbacks,\n clientAuthentication: (options) => {\n const { authorizationServerMetadata, url, body } = options\n const oauth2Client = this.getOauth2Client(agentContext)\n const clientAttestationSupported = oauth2Client.isClientAttestationSupported({\n authorizationServerMetadata,\n })\n\n // Client attestations\n if (clientAttestation && clientAttestationSupported) {\n return clientAuthenticationClientAttestationJwt({\n clientAttestationJwt: clientAttestation,\n callbacks,\n })(options)\n }\n\n // Pre auth flow\n if (\n url === authorizationServerMetadata.token_endpoint &&\n authorizationServerMetadata['pre-authorized_grant_anonymous_access_supported'] &&\n body.grant_type === preAuthorizedCodeGrantIdentifier\n ) {\n return clientAuthenticationAnonymous()(options)\n }\n\n // Just a client id (no auth)\n if (clientId) {\n return clientAuthenticationNone({ clientId })(options)\n }\n\n // NOTE: we fall back to anonymous authentication for pre-auth for now, as there's quite some\n // issuers that do not have pre-authorized_grant_anonymous_access_supported defined\n if (\n url === authorizationServerMetadata.token_endpoint &&\n body.grant_type === preAuthorizedCodeGrantIdentifier\n ) {\n return clientAuthenticationAnonymous()(options)\n }\n\n // Refresh token flow defaults to anonymous auth if there is neither a client attestation or client id\n // is present.\n if (body.grant_type === refreshTokenGrantIdentifier) {\n return clientAuthenticationAnonymous()(options)\n }\n\n // TODO: We should still look at auth_methods_supported\n // If there is an auth session for the auth challenge endpoint, we don't have to include the client_id\n if (url === authorizationServerMetadata.authorization_challenge_endpoint && body.auth_session) {\n return clientAuthenticationAnonymous()(options)\n }\n\n throw new CredoError('Unable to perform client authentication.')\n },\n } satisfies Partial<CallbackContext>\n }\n\n private getClient(agentContext: AgentContext, options: { clientAttestation?: string; clientId?: string } = {}) {\n return new Openid4vciClient({\n callbacks: this.getCallbacks(agentContext, options),\n })\n }\n\n private getOauth2Client(agentContext: AgentContext, options?: { clientAttestation?: string; clientId?: string }) {\n return new Oauth2Client({\n callbacks: options ? this.getCallbacks(agentContext, options) : getOid4vcCallbacks(agentContext),\n })\n }\n}\n"],"mappings":";;;;;;;;;;;;;;;AAwEO,oCAAMA,0BAAwB;CAKnC,AAAO,YACL,AAAiCC,QACjC,sBACA,wBACA;AACA,OAAK,uBAAuB;AAC5B,OAAK,yBAAyB;AAC9B,OAAK,SAAS;;CAGhB,MAAa,sBACX,cACA,kBAC6B;EAG7B,MAAM,WAAW,MAFF,KAAK,UAAU,aAAa,CAEb,sBAAsB,iBAAiB;AACrE,OAAK,OAAO,MAAM,sCAAsC,EAAE,UAAU,CAAC;AAErE,SAAO;;CAGT,MAAa,uBACX,cACA,iBAC4C;EAC5C,MAAM,SAAS,KAAK,UAAU,aAAa;EAE3C,MAAM,wBAAwB,MAAM,OAAO,uBAAuB,gBAAgB;EAClF,MAAM,WAAW,MAAM,OAAO,sBAAsB,sBAAsB,kBAAkB;AAC5F,OAAK,OAAO,MAAM,gDAAgD;GAAE;GAAU;GAAuB,CAAC;AAStG,SAAO;GACL;GACA,iCATwC,sBACxC,sBAAsB,8BACtB,OAAO,0CAA0C,SAAS,iBAAiB,EAE3E,EAAE,mBAAmB,MAAM,CAC5B;GAKC,wBAAwB;GACzB;;CAGH,MAAa,4BACX,cACA,yBACA,qBACiD;EACjD,MAAM,EAAE,UAAU,gBAAgB;EAClC,MAAM,EAAE,UAAU,wBAAwB,oCAAoC;EAE9E,MAAM,eAAe,KAAK,gBAAgB,aAAa;EACvD,MAAM,SAAS,KAAK,UAAU,cAAc;GAC1C,UAAU,oBAAoB;GAC9B,mBAAmB,oBAAoB;GACxC,CAAC;EAGF,MAAM,QACJ,oBAAoB,SAAS,+CAA+C,gCAAgC;AAE9G,MAAI,CAAC,uBAAuB,SAAS,kCACnC,OAAM,IAAI,WAAW,6EAA6E;EAGpG,MAAM,yBAAyB,uBAAuB,OAAO;EAC7D,MAAM,sBAAsB,+CAA+C;GACzE,gBAAgB;GAChB,0BAA0B,uBAAuB;GAClD,CAAC;EAEF,MAAM,8BAA8B,uCAClC,SAAS,sBACT,oBACD;EAGD,MAAM,kBAAkB,aAAa,gBAAgB,EAAE,6BAA6B,CAAC;EACrF,MAAM,OAAO,gBAAgB,YACzB,MAAM,KAAK,eAAe,cAAc,EACtC,+BAA+B,gBAAgB,+BAChD,CAAC,GACF;EAEJ,MAAM,sBAAsB,MAAM,OAAO,sBAAsB;GAC7D;GACA,gBAAgB;GAChB,iBAAiB;GACjB,OAAO,MAAM,KAAK,IAAI;GACtB;GACA;GACD,CAAC;AAEF,MAAI,oBAAoB,sBAAsB,kBAAkB,2BAC9D,QAAO;GACL,mBAAmB,kBAAkB;GACrC,qBAAqB,oBAAoB;GACzC,aAAa,oBAAoB;GAEjC,MAAM,OACF;IACE,KAAK,KAAK,OAAO;IACjB,KAAK,IAAI,UAAU,YAAY,KAAK,OAAO,UAAU;IACtD,GACD;GACL;AAIH,SAAO;GACL,mBAAmB,kBAAkB;GACrC,cAAc,oBAAoB,MAAM;GACxC,yBAAyB,oBAAoB;GAE7C,MAAM,OACF;IACE,KAAK,KAAK,OAAO;IACjB,KAAK,IAAI,UAAU,YAAY,KAAK,OAAO,UAAU;IACtD,GACD;GACL;;CAGH,MAAa,iBAAiB,cAA4B,SAA4C;AAEpG,QADe,KAAK,UAAU,aAAa,CAC9B,iBAAiB;GAC5B,aAAa,QAAQ;GACrB,MAAM,QAAQ,OACV,MAAM,KAAK,eAAe,cAAc;IACtC,GAAG,QAAQ;IACX,+BAA+B,CAAC,QAAQ,KAAK,IAAI;IAClD,CAAC,GACF;GACJ,gBAAgB,QAAQ;GACxB,cAAc;IACZ,OAAO,QAAQ;IACf,gBAAgB,QAAQ;IACzB;GACF,CAAC;;CAGJ,MAAc,eACZ,cACA,EACE,KACA,+BACA,SAE2B;EAC7B,MAAM,MAAM,aAAa,QAAQ,IAAI,iBAAiB;AAEtD,MAAI,KAAK;GACP,MAAMC,QAAM,8BAA8B,MAAM,UAC9C,IAAI,6BAA6B,SAASA,MAAsC,CACjF;AAED,OAAI,CAACA,MACH,OAAM,IAAI,WACR,sFAAsF,8BAA8B,KAClH,KACD,CAAC,iBAAiB,IAAI,0BACxB;AAGH,UAAO;IACL,QAAQ;KACN,QAAQ;KACR;KACA,WAAW,IAAI,QAAQ;KACxB;IACD;IACD;;EAGH,MAAM,MAAM,8BAA8B,MAAM,UAA+C;AAC7F,OAAI;AACF,QAAI,UAAU,6CAA6CA,MAAsC;AACjG,WAAO;WACD;AACN,WAAO;;IAET;AAEF,MAAI,CAAC,IACH,OAAM,IAAI,WACR,sFAAsF,8BAA8B,KAClH,KACD,CAAC,GACH;AAIH,SAAO;GACL,QAAQ;IACN,QAAQ;IACR;IACA,YALQ,MAAM,IAAI,+BAA+B,EAAE,WAAW,KAAK,CAAC,EAKrD;IAChB;GACD;GACD;;CAGH,MAAa,2CACX,cACA,SAIC;EACD,MAAM,SAAS,KAAK,UAAU,cAAc,EAC1C,mBAAmB,QAAQ,sBAC5B,CAAC;EACF,MAAM,OAAO,QAAQ,OACjB,MAAM,KAAK,eAAe,cAAc;GACtC,GAAG,QAAQ;GACX,+BAA+B,CAAC,QAAQ,KAAK,IAAI;GAClD,CAAC,GACF;EAEJ,MAAM,EAAE,gCAAgC,MAAM,eAC5C,MAAM,OAAO,2CAA2C;GACtD,aAAa,QAAQ;GACrB,mCAAmC,QAAQ;GAC3C,iBAAiB,QAAQ,wBAAwB;GACjD,gBAAgB,QAAQ,wBAAwB;GAChD;GACD,CAAC;AAEJ,SAAO;GACL,mBAAmB,+BAA+B;GAClD,MAAM,OACF;IACE,GAAG;IACH,KAAK,KAAK,OAAO;IACjB,KAAK,IAAI,UAAU,YAAY,KAAK,OAAO,UAAU;IACtD,GACD;GACL;;CAGH,MAAa,mBACX,cACA,SAKC;EACD,MAAM,EAAE,UAAU,2BAA2B,QAAQ;EACrD,MAAM,SAAS,KAAK,UAAU,cAAc;GAC1C,mBAAmB,QAAQ;GAC3B,UAAU,cAAc,UAAU,QAAQ,WAAW;GACtD,CAAC;EACF,MAAM,eAAe,KAAK,gBAAgB,aAAa;EAEvD,MAAM,sBAAsB,QAAQ,OAChC,uBAAuB,QAAQ,oBAAoB,uBACnD,uBAAuB,SAAS,mCAAmC;EACvE,MAAM,8BAA8B,uCAClC,SAAS,sBACT,uBAAuB,SAAS,qBAAqB,GAAG,OACzD;EAED,MAAM,kBAAkB,aAAa,gBAAgB,EACnD,6BACD,CAAC;EAEF,MAAM,OAAO,QAAQ,OACjB,MAAM,KAAK,eAAe,cAAc;GACtC,GAAG,QAAQ;GACX,+BAA+B,CAAC,QAAQ,KAAK,IAAI;GAClD,CAAC,GAIF,gBAAgB,YACd,MAAM,KAAK,eAAe,cAAc,EACtC,+BAA+B,gBAAgB,+BAChD,CAAC,GACF;EAEN,MAAM,SAAS,QAAQ,OACnB,MAAM,OAAO,8CAA8C;GACzD,gBAAgB;GAChB,iBAAiB;GACjB,mBAAmB,QAAQ;GAC3B;GACA,kBAAkB,QAAQ;GAC1B,aAAa,QAAQ;GACtB,CAAC,GACF,MAAM,OAAO,8CAA8C;GACzD,iBAAiB;GACjB,gBAAgB;GAChB;GACA,QAAQ,QAAQ;GACjB,CAAC;AAEN,SAAO;GACL,GAAG;GACH,MAAM,OACF;IACE,GAAG,OAAO;IACV,KAAK,KAAK,OAAO;IACjB,KAAK,IAAI,UAAU,YAAY,KAAK,OAAO,UAAU;IACtD,GACD;GACL;;CAGH,MAAa,mBACX,cACA,SAMA;EACA,MAAM,eAAe,KAAK,gBAAgB,cAAc;GACtD,mBAAmB,QAAQ;GAC3B,UAAU,QAAQ;GACnB,CAAC;EAEF,MAAM,OAAO,QAAQ,OACjB,MAAM,KAAK,eAAe,cAAc;GACtC,GAAG,QAAQ;GACX,+BAA+B,CAAC,QAAQ,KAAK,IAAI;GAClD,CAAC,GACF;EAEJ,MAAM,8BAA8B,uCAClC,QAAQ,eAAe,sBACvB,QAAQ,uBAAuB,QAAQ,eAAe,qBAAqB,GAAG,OAC/E;EAED,MAAM,SAAS,MAAM,aAAa,gCAAgC;GAChE;GACA,cAAc,QAAQ;GACtB;GACA,UAAU,QAAQ,eAAe,iBAAiB;GACnD,CAAC;AAEF,SAAO;GACL,GAAG;GACH,MAAM,OACF;IACE,GAAG,OAAO;IACV,KAAK,KAAK,OAAO;IACjB,KAAK,IAAI,UAAU,YAAY,KAAK,OAAO,UAAU;IACtD,GACD;GACL;;CAGH,MAAa,sBACX,cACA,SAaC;EACD,MAAM,EAAE,yBAAyB,iCAAiC;EAClE,MAAM,EAAE,UAAU,oCAAoC;EACtD,MAAM,EACJ,4BACA,2BACA,wBACA,gDACE;EACJ,MAAM,SAAS,KAAK,UAAU,aAAa;AAE3C,MAAI,4BAA4B,WAAW,EACzC,OAAM,IAAI,WAAW,gDAAgD;EAGvE,MAAMC,sBAA2D,EAAE;EACnE,MAAMC,sBAAmE,EAAE;EAC3E,IAAI,SAAS,QAAQ;EACrB,IAAI,YAAY,QAAQ,MAAM;EAE9B,MAAM,oCACJ,4BAA4B,KAAK,OAAO;AACtC,OAAI,CAAC,gCAAgC,IAEnC,OAAM,IAAI,WACR,0BAA0B,GAAG,mEAFF,OAAO,KAAK,gCAAgC,CAAC,KAAK,KAAK,GAGnF;AAEH,UAAO,CAAC,IAAI,gCAAgC,IAAI;IAChD,IAAI,OAAO,QAAQ,gCAAgC;AAGvD,MAAI,CAAC,OAEH,KAAI,SAAS,iBAAiB,eAE5B,WADsB,MAAM,OAAO,aAAa,EAAE,gBAAgB,UAAU,CAAC,EACtD;MAGvB,OAAM,OACH,oBAAoB;GACnB,gBAAgB;GAChB,aAAa,QAAQ;GACrB,2BAA2B,kCAAkC,GAAG;GAChE,MAAM,QAAQ,OACV,MAAM,KAAK,eAAe,cAAc;IACtC,GAAG,QAAQ;IACX,OAAO;IACP,+BAA+B,CAAC,QAAQ,KAAK,IAAI;IAClD,CAAC,GACF;GACL,CAAC,CACD,OAAO,MAAM;AACZ,OAAI,aAAa,sCAAsC,EAAE,SAAS,+BAA+B,QAC/F,UAAS,EAAE,SAAS,8BAA8B,KAAK;IAEzD;AAIR,MAAI,CAAC,OACH,OAAM,IAAI,WAAW,6EAA6E;AAGpG,OAAK,MAAM,CAAC,qBAAqB,mCAAmC,mCAAmC;GACrG,MAAM,SAAS,MAAM,KAAK,4BAA4B,cAAc;IAClE,oCACE,+CAA+C,mCAAmC,aAAa;IACjG;IACA,mBAAmB;KACjB,IAAI;KACJ,eAAe;KAChB;IACD,UAAU,QAAQ;IAEV;IACR;IACD,CAAC;AAEF,QAAK,OAAO,MAAM,oDAAoD,EAAE,QAAQ,CAAC;GAEjF,MAAM,SAEH,SAAS,yBAAyB,uBAAuB,WAEvD,SAAS,yBAAyB,uBAAuB,WACxD,SAAS,iBAAiB,8BAA8B,WAC5D,OAAO,KAAK,WAAW,IAClB;IACC,YAAY;IACZ,KAAK,OAAO,IAAI;IACjB,GACD;GAEN,MAAM,EAAE,oBAAoB,SAAS,MAAM,OAAO,oBAAoB;IACpE,gBAAgB;IAChB,aAAa,QAAQ;IACrB,2BAA2B;IAC3B,MAAM,QAAQ,OACV,MAAM,KAAK,eAAe,cAAc;KACtC,GAAG,QAAQ;KACX,OAAO;KACP,+BAA+B,CAAC,QAAQ,KAAK,IAAI;KAClD,CAAC,GACF;IAEJ,QAAQ,CAAC,QAAQ,SAAS;IAC1B;IACD,CAAC;AAGF,YAAS,mBAAmB;AAC5B,eAAY,MAAM;AAElB,OAAI,mBAAmB,gBAAgB;IACrC,MAAM,qBAAqB;KACzB,2BAA2B;KAC3B,yBAAyB;KACzB,eAAe,mBAAmB;KAClC,UAAU,mBAAmB;KAC7B,gBAAgB,mBAAmB;KACpC;AAED,SAAK,OAAO,MAAM,gCAAgC,mBAAmB;AACrE,wBAAoB,KAAK,mBAAmB;UACvC;IAEL,MAAM,aAAa,MAAM,KAAK,yBAAyB,cAAc,oBAAoB;KACvF,wBAAwB,0BAA0B;KAClD,QAAQ,+BAA+B;KACvC,2BAA2B;KAC3B,yBAAyB;KAC1B,CAAC;AAEF,SAAK,OAAO,MACV,uBACA,WAAW,YAAY,KAAK,MAC1B,aAAa,OAAO;KAAE,wBAAwB,EAAE;KAAwB,WAAW,EAAE;KAAW,GAAG,EACpG,CACF;AACD,wBAAoB,KAAK,WAAW;;;AAIxC,SAAO;GACL,aAAa;GACb;GACA,MAAM,QAAQ,OACV;IACE,GAAG,QAAQ;IACX,OAAO;IACR,GACD;GACJ;GACD;;CAGH,MAAa,4BACX,cACA,SAKC;EACD,MAAM,EACJ,gBACA,eACA,2BACA,yBACA,wBACA,gBACE;EACJ,MAAM,SAAS,KAAK,UAAU,aAAa;EAE3C,MAAMD,sBAA2D,EAAE;EACnE,MAAMC,sBAAmE,EAAE;EAC3E,IAAI,YAAY,QAAQ,MAAM;EAE9B,MAAM,EAAE,4BAA4B,SAAS,MAAM,OAAO,4BAA4B;GACpF;GACA;GACA;GACA,MAAM,QAAQ,OACV,MAAM,KAAK,eAAe,cAAc;IACtC,GAAG,QAAQ;IACX,OAAO;IACP,+BAA+B,CAAC,QAAQ,KAAK,IAAI;IAClD,CAAC,GACF;GACL,CAAC;AAGF,cAAY,MAAM;AAElB,MAAI,2BAA2B,UAAU;GACvC,MAAMC,qBAA2D;IAC/D;IACA;IACA;IACA,UAAU,2BAA2B;IACrC,gBAAgB,2BAA2B;IAC5C;AAED,QAAK,OAAO,MAAM,gCAAgC,mBAAmB;AACrE,uBAAoB,KAAK,mBAAmB;SACvC;GAEL,MAAM,aAAa,MAAM,KAAK,yBAAyB,cAAc,4BAA4B;IAC/F,wBAAwB,0BAA0B;IAClD,QAAQ,wBAAwB;IACL;IACF;IAC1B,CAAC;AAEF,QAAK,OAAO,MACV,uBACA,WAAW,YAAY,KAAK,MAC1B,aAAa,OAAO;IAAE,wBAAwB,EAAE;IAAwB,WAAW,EAAE;IAAW,GAAG,EACpG,CACF;AACD,uBAAoB,KAAK,WAAW;;AAGtC,SAAO;GACL,aAAa;GACb;GACA,MAAM,QAAQ,OACV;IACE,GAAG,QAAQ;IACX,OAAO;IACR,GACD;GACL;;;;;;;;CASH,MAAc,4BACZ,cACA,SAWA;EACA,MAAM,OAAO,aAAa,QAAQ,QAAQ;EAC1C,MAAM,EAAE,oCAAoC,sBAAsB;EAClE,MAAM,EAAE,eAAe,IAAI,oBAAoB;EAC/C,MAAM,kCAAkC,mCAAmC,aAAa;EAExF,MAAM,+CAA+C,qCACjD,mCAAmC,QAAQ,cAAc,gCAAgC,SAAS,UAAU,CAAC,GAC7G;AAEJ,MAAI,6CAA6C,WAAW,EAC1D,OAAM,IAAI,WACR;GACE;GACA,gDAAgD,gCAAgC,KAAK,KAAK,CAAC;GAC3F,iCAAiC,oCAAoC,KAAK,KAAK,CAAC;GACjF,CAAC,KAAK,KAAK,CACb;EAGH,MAAM,EAAE,YAAY,qBAAqB,uBAAuB,gBAC9D,KAAK,iCAAiC,cAAc;GAClD,qBAAqB,QAAQ;GAC7B,UAAU,QAAQ;GAClB;GACD,CAAC;EAEJ,MAAM,SAAS,cAAc;EAC7B,MAAM,oBAAoB,wBAAwB,UAAa,yBAAyB;EACxF,MAAM,qBAAqB,QAAQ,SAAS,iBAAiB,2BAA2B,cAAc;EAGtG,MAAM,oBAAoB,MAAM,QAAQ,0BAA0B;GAChE;GACA,kBAAkB;GAClB,2BAA2B;GAC3B,yBAAyB;GACzB,UAAU,QAAQ;GAClB;GACA;GACA;GACA;GACA;GACD,CAAC;EAEF,MAAM,SAAS,KAAK,UAAU,aAAa;AAG3C,MAAI,kBAAkB,WAAW,OAAO;AACtC,OAAI,CAAC,WAAW,IACd,OAAM,IAAI,WACR,sDAAsD,gBAAgB,wDACvE;AAGH,OAAI,WAAW,IAAI,wBACjB,OAAM,IAAI,WACR,+EAA+E,gBAAgB,4EAChG;AAGH,OAAI,kBAAkB,QAAQ,SAAS,mBACrC,OAAM,IAAI,WACR,8CAA8C,mBAAmB,4CAA4C,kBAAkB,QAAQ,OAAO,iFAC/I;AAGH,OAAI,kBAAkB,QAAQ,WAAW,EACvC,OAAM,IAAI,WAAW,iEAAiE;GAGxF,MAAM,WAAW,SAAS,kBAAkB,QAAQ,GAAG;AACvD,OAAI,CAAC,kBAAkB,QAAQ,OAAO,WAAW,SAAS,OAAO,CAAC,WAAW,SAAS,OAAO,CAC3F,OAAM,IAAI,WAAW,0EAA0E;AAGjG,OACE,CAAC,yBAGD,wBAAwB,UACxB,CAAC,oBAAoB,MAClB,uBAAuB,SAAS,IAAI,WAAW,mBAAmB,IAAI,kBACxE,EACD;IAEA,MAAM,4BAA4B,oBAAoB,KAAK,KAAK;AAChE,UAAM,IAAI,WACR,wEAAwE,SAAS,OAAO,+BAA+B,0BAA0B,GAClJ;;GAGH,MAAM,EAAE,WAAW,aAAa,MAAM,KAAK,8CAA8C,SAAS,OAAO;GACzG,MAAM,YAAY,WAAW,IAAI,6BAA6B,MAAM,gBAClE,SAAS,6BAA6B,SAASC,YAAU,CAC1D;AACD,OAAI,CAAC,UACH,OAAM,IAAI,WACR,2DAA2D,SAAS,wBAAwB,uCAAuC,SAAS,6BAA6B,KAAK,KAAK,CAAC,gBAAgB,WAAW,IAAI,6BAA6B,KAAK,KAAK,CAAC,gBAC5P;GAIH,MAAM,OAAO,MAAM,QAAQ,IACzB,kBAAkB,QAAQ,IAAI,OAAO,QAAQ,UAC3C,UAAU,IAEN;IAAE,KAAK;IAAU,QAAQ,SAAS;IAAQ,GAC1C;IAAE,MAAM,MAAM,KAAK,8CAA8C,OAAO,EAAE;IAAW;IAAQ,CAClG,CACF;AACD,OAAI,CAAC,KAAK,OAAO,QAAQ,IAAI,4BAA4B,IAAI,IAAI,QAAQ,EAAE,SAAS,QAAQ,CAAC,CAAC,CAC5F,OAAM,IAAI,WAAW,sDAAsD;AAG7E,UAAO,EACL,KAAK,MAAM,QAAQ,IACjB,KAAK,KAAK,QACR,OACG,gCAAgC;IAC/B,2BAA2B;IAC3B,gBAAgB,QAAQ;IACxB,QAAQ;KACN,QAAQ;KACR,QAAQ,IAAI;KACZ,KAAK;KACL,KAAK,IAAI,IAAI;KACd;IACD,OAAO,QAAQ;IACf,UAAU,QAAQ;IACnB,CAAC,CACD,MAAM,EAAE,UAAU,IAAI,CAC1B,CACF,EACF;;AAGH,MAAI,kBAAkB,WAAW,OAAO;AACtC,OAAI,CAAC,eAAe,kBAClB,OAAM,IAAI,WACR,oJACD;AAGH,OAAI,CAAC,WAAW,IACd,OAAM,IAAI,WACR,sDAAsD,gBAAgB,wDACvE;AAGH,OAAI,WAAW,IAAI,wBACjB,OAAM,IAAI,WACR,+EAA+E,gBAAgB,0FAChG;AAGH,OAAI,kBAAkB,KAAK,SAAS,mBAClC,OAAM,IAAI,WACR,8CAA8C,mBAAmB,4CAA4C,kBAAkB,KAAK,OAAO,6EAC5I;AAGH,OAAI,kBAAkB,KAAK,WAAW,EACpC,OAAM,IAAI,WAAW,8DAA8D;GAGrF,MAAM,WAAW,kBAAkB,KAAK;AAExC,OAAI,CAAC,kBAAkB,KAAK,OAAO,QAAQ,IAAI,4BAA4B,IAAI,QAAQ,EAAE,SAAS,QAAQ,CAAC,CAAC,CAC1G,OAAM,IAAI,WAAW,oEAAoE;GAG3F,MAAM,YAAY,WAAW,IAAI,6BAA6B,MAAM,gBAClE,SAAS,6BAA6B,SAASA,YAAU,CAC1D;AACD,OAAI,CAAC,UACH,OAAM,IAAI,WACR,uDAAuD,SAAS,wBAAwB,uCAAuC,SAAS,6BAA6B,KAAK,KAAK,CAAC,gBAAgB,WAAW,IAAI,6BAA6B,KAAK,KAAK,CAAC,gBACxP;AAGH,UAAO,EACL,KAAK,MAAM,QAAQ,IACjB,kBAAkB,KAAK,KAAK,QAC1B,OACG,gCAAgC;IAC/B,2BAA2B;IAC3B,gBAAgB,QAAQ;IACxB,QAAQ;KACN,QAAQ;KACR,WAAW,IAAI,QAAQ;KACvB,KAAK;KACN;IACD,OAAO,QAAQ;IACf,UAAU,QAAQ;IACnB,CAAC,CACD,MAAM,EAAE,UAAU,IAAI,CAC1B,CACF,EACF;;AAGH,MAAI,kBAAkB,WAAW,eAAe;GAC9C,MAAM,EAAE,YAAY,uBAAuB,EAAE,mBAAmB,kBAAkB,mBAAmB,CAAC;AAItG,OAAI,QAAQ,cAAc,SAAS,mBACjC,OAAM,IAAI,WACR,8CAA8C,mBAAmB,iEAAiE,QAAQ,cAAc,OAAO,sFAChK;AAIH,OAAI,WAAW,eAAe,QAAQ,MAEpC,QAAO,EACL,aAAa,CAAC,kBAAkB,kBAAkB,EACnD;AAGH,OAAI,WAAW,KAAK;IAClB,MAAM,MAAM,IAAI,UAAU,YAAY,QAAQ,cAAc,GAAG;AAE/D,WAAO,EACL,KAAK,CACH,MAAM,OACH,gCAAgC;KAC/B,2BAA2B;KAC3B,gBAAgB,QAAQ;KACxB,QAAQ;MACN,QAAQ;MACR,WAAW,QAAQ,cAAc;MAEjC,KAAK,IAAI,6BAA6B;MACvC;KACD,mBAAmB,kBAAkB;KACrC,OAAO,QAAQ;KACf,UAAU,QAAQ;KACnB,CAAC,CACD,MAAM,EAAE,UAAU,IAAI,CAC1B,EACF;;AAGH,SAAM,IAAI,WACR,+IACD;;AAIH,QAAM,IAAI,WAAW,yCAAyC,kBAAkB,SAAS;;;;;;;;CAS3F,AAAQ,iCACN,cACA,SAQyC;EACzC,MAAM,EAAE,qBAAqB,8CAA8C,aAAa;EACxF,MAAM,EAAE,eAAe,IAAI,oBAAoB;AAE/C,MAAI,CAAC,qCAAqC,SAAS,cAAc,OAA+C,CAC9G,OAAM,IAAI,WACR;GACE,qCAAqC,oBAAoB,cAAc,OAAO;GAC9E,+BAA+B,oBAAoB,GAAG;GACtD,uDAAuD,qCAAqC,KAAK,KAAK,CAAC;GACxG,CAAC,KAAK,KAAK,CACb;EAIH,MAAM,yBAAyB,aAAa,kBAAkB,QAAQ,uBAAuB;EAE7F,IAAI,sBAAsB,cAAc;AACxC,MAAI,CAAC,qBAAqB;AAExB,OAAI,SAAS,yBAAyB,uBAAuB,QAC3D,OAAM,IAAI,WACR,6BAA6B,gBAAgB,0GAC9C;AAIH,yBAAsB,EACpB,KAAK,EACH,oCAAoC,8CACrC,EACF;;EAGH,MAAMC,aAAoE;GACxE,KAAK;GACL,aAAa;GACd;AAED,OAAK,MAAM,CAAC,WAAW,oBAAoB,OAAO,QAAQ,oBAAoB,EAAE;AAC9E,OAAI,cAAc,SAAS,cAAc,cAAe;GAExD,IAAIC,sBAAwD,EAAE;GAE9D,MAAM,4BAA4B,iBAAiB;AACnD,OAAI,8BAA8B,OAGhC,uBAAsB,QAAQ;OAE9B,SAAQ,oBAAoB,cAAc,QAA1C;IACE,KAAK,kCAAkC;IACvC,KAAK,kCAAkC;IACvC,KAAK,kCAAkC;IACvC,KAAK,kCAAkC;IACvC,KAAK,kCAAkC;AACrC,2BAAsB,QAAQ,6CAA6C,QAAQ,uBACjF,0BAA0B,SAAS,mBAAmB,CACvD;AACD;IAGF,KAAK,kCAAkC;AACrC,2BAAsB,QAAQ,6CAA6C,QAAQ,uBAAuB;AACxG,UAAI;OACF,MAAM,WAAW,IAAI,UAAU,6CAA6C,mBAAmB;OAC/F,MAAM,iBAAiB,uBAAuB,sBAAsB,SAAS;AAC7E,WAAI,eAAe,WAAW,EAAG,QAAO;AAExC,cAAO,0BAA0B,SAAS,eAAe,GAAG,UAAU;cAChE;AACN,cAAO;;OAET;AACF;IACF,QACE,OAAM,IAAI,WAAW,iCAAiC;;AAI5D,cAAW,aAAa;IACtB,8BAA8B;IAC9B,yBAAyB,gBAAgB,4BACrC;KACE,YAAY,gBAAgB,0BAA0B;KACtD,oBAAoB,gBAAgB,0BAA0B;KAC/D,GACD;IACL;;EAGH,MAAM,EAAE,KAAK,gBAAgB;AAC7B,MAAI,CAAC,OAAO,CAAC,YAEX,OAAM,IAAI,WAAW,6BADH,OAAO,KAAK,oBAAoB,CAAC,KAAK,KAAK,CACD,iDAAiD;EAG/G,MAAM,gCAAgC,oBAAoB,cAAc;EACxE,MAAM,wBAAwB,+BAA+B,SAAS,MAAM,IAAI;EAChF,MAAM,sBAAsB,+BAA+B,QAAQ,WAAW,OAAO,WAAW,OAAO,CAAC;EAGxG,MAAM,kBAAkB,+BAA+B,SAAS,WAAW,IAAI;AAG/E,SAAO;GACL;GACA;GACA;GACA,aANkB,+BAA+B,SAAS,MAAM,IAAI;GAOrE;;CAGH,MAAc,yBACZ,cACA,oBACA,SAMuC;EACvC,MAAM,EAAE,wBAAwB,2BAA2B,4BAA4B;AACvF,OAAK,OAAO,MAAM,uBAAuB,mBAAmB;EAE5D,MAAM,cAAc,mBAAmB,cACnC,mBAAmB,YAAY,OAAO,MAAM,OAAO,MAAM,YAAY,MAAM,QAAQ,gBAAgB,EAAE,GACnG,mBAAmB,YAAY,KAAK,MAAO,EAAuD,WAAW,GAC5G,mBAAmB,cACtB,mBAAmB,aACjB,CAAC,mBAAmB,WAA+C,GACnE;AAEN,MAAI,CAAC,YACH,OAAM,IAAI,WAAW,iFAAiF;EAGxG,MAAM,iBAAiB,mBAAmB;EAE1C,MAAM,SAAS,QAAQ;AACvB,MAAI,WAAW,kCAAkC,WAAW,WAAW,kCAAkC,SAAS;AAChH,OAAI,CAAC,YAAY,OAAO,MAAM,OAAO,MAAM,SAAS,CAClD,OAAM,IAAI,WACR,oCAAoC,OAAO,4CAA4C,KAAK,UAC1F,YACD,GACF;AAGH,OAAI,WAAW,kCAAkC,WAAW,wBAAwB,KAAK;IACvF,MAAM,aAAa,aAAa,kBAAkB,QAAQ,WAAW;IACrE,MAAM,sBAAsB,MAAM,QAAQ,IACxC,YAAY,KAAK,gBAAgB,UAC/B,WAAW,OAAO;KAChB;KAEA,mBAAmB,UAAU;KAC9B,CAAC,CACH,CACF;AAED,QAAI,CAAC,oBAAoB,OAAO,aAAWC,SAAO,QAAQ,EAAE;AAC1D,kBAAa,OAAO,OAAO,MAAM,oCAAoC,EAAE,qBAAqB,CAAC;AAC7F,WAAM,IAAI,WACR,uDAAuD,KAAK,UAAU,qBAAqB,aAAa,GACzG;;AAGH,WAAO;KACL,aAAa,oBAAoB,KAAK,aAAWA,SAAO,QAAQ;KAChE;KACA;KACA;KACD;;GAGH,MAAM,SAAS,MAAM,QAAQ,IAC3B,YAAY,IAAI,OAAO,MAAM;IAC3B,MAAM,aAAa,+BAA+B,YAAY,EAAE;AAKhE,WAAO;KAAE;KAAY,QAJN,MAAM,KAAK,uBAAuB,iBAAiB,cAAc,EAC9E,YACD,CAAC;KAE2B;KAC7B,CACH;AAED,OAAI,CAAC,OAAO,OAAO,MAAM,EAAE,OAAO,QAAQ,EAAE;AAC1C,iBAAa,OAAO,OAAO,MAAM,kCAAkC,EAAE,QAAQ,CAAC;AAC9E,UAAM,IAAI,WACR,0CAA0C,OACvC,KAAK,MAAM,EAAE,OAAO,OAAO,QAAQ,CACnC,OAAO,QAAQ,CACf,KAAK,KAAK,GACd;;AAGH,UAAO;IACL,aAAa,OAAO,KAAK,MAAM,EAAE,WAAW;IAC5C;IACA;IACA;IACD;;AAEH,MACE,QAAQ,WAAW,kCAAkC,aACrD,QAAQ,WAAW,kCAAkC,aACrD;AACA,OAAI,CAAC,YAAY,OAAO,MAAM,OAAO,MAAM,SAAS,CAClD,OAAM,IAAI,WACR,oCAAoC,OAAO,4CAA4C,KAAK,UAC1F,YACD,GACF;GAGH,MAAM,SAAS,MAAM,QAAQ,IAC3B,YAAY,IAAI,OAAO,MAAM;IAC3B,MAAM,aAAa,2BAA2B,kBAAkB,EAAE;AAMlE,WAAO;KAAE;KAAY,QALN,MAAM,KAAK,qBAAqB,iBAAiB,cAAc;MAC5E;MACA;MACD,CAAC;KAE2B;KAC7B,CACH;AAED,OAAI,CAAC,OAAO,OAAO,MAAM,EAAE,OAAO,QAAQ,EAAE;AAC1C,iBAAa,OAAO,OAAO,MAAM,kCAAkC,EAAE,QAAQ,CAAC;AAC9E,UAAM,IAAI,WACR,0CAA0C,OACvC,KAAK,MAAM,EAAE,OAAO,OAAO,QAAQ,CACnC,OAAO,QAAQ,CACf,KAAK,KAAK,GACd;;AAGH,UAAO;IACL,aAAa,OAAO,KAAK,MAAM,EAAE,WAAW;IAC5C;IACA;IACA;IACD;;AAEH,MAAI,WAAW,kCAAkC,OAAO;AACtD,OAAI,CAAC,YAAY,OAAO,MAAM,OAAO,MAAM,YAAY,MAAM,KAAK,CAChE,OAAM,IAAI,WACR,oCAAoC,OAAO,6CAA6C,KAAK,UAC3F,YACD,GACF;GAEH,MAAM,SAAS,MAAM,QAAQ,IAC3B,YAAY,IAAI,OAAO,MAAM;IAC3B,MAAM,aAAa,8BAA8B,SAAS,EAAE;AAM5D,WAAO;KAAE;KAAY,QALN,MAAM,KAAK,qBAAqB,iBAAiB,cAAc;MAC5E;MACA;MACD,CAAC;KAE2B;KAC7B,CACH;AAED,OAAI,CAAC,OAAO,OAAO,MAAM,EAAE,OAAO,QAAQ,EAAE;AAC1C,iBAAa,OAAO,OAAO,MAAM,kCAAkC,EAAE,QAAQ,CAAC;AAC9E,UAAM,IAAI,WACR,0CAA0C,OACvC,KAAK,MAAM,EAAE,OAAO,OAAO,QAAQ,CACnC,OAAO,QAAQ,CACf,KAAK,KAAK,GACd;;AAGH,UAAO;IACL,aAAa,OAAO,KAAK,MAAM,EAAE,WAAW;IAC5C;IACA;IACA;IACD;;AAEH,MAAI,WAAW,kCAAkC,SAAS;AACxD,OAAI,CAAC,YAAY,OAAO,MAAM,OAAO,MAAM,SAAS,CAClD,OAAM,IAAI,WACR,oCAAoC,OAAO,4CAA4C,KAAK,UAC1F,YACD,GACF;GAEH,MAAM,UAAU,aAAa,kBAAkB,QAAQ,QAAQ;GAC/D,MAAM,SAAS,MAAM,QAAQ,IAC3B,YAAY,IAAI,OAAO,eAAe;IACpC,MAAM,OAAO,KAAK,cAAc,WAAW;AAE3C,WAAO;KACL,QAFa,MAAM,QAAQ,OAAO,MAAM,EAAE,CAAC;KAG3C;KACD;KACD,CACH;AAED,OAAI,CAAC,OAAO,OAAO,MAAM,EAAE,OAAO,QAAQ,EAAE;AAC1C,iBAAa,OAAO,OAAO,MAAM,kCAAkC,EAAE,QAAQ,CAAC;AAC9E,UAAM,IAAI,WACR,+CAA+C,OAC5C,KAAK,GAAG,MAAO,EAAE,OAAO,UAAU,SAAY,IAAI,EAAE,IAAI,EAAE,OAAO,QAAS,CAC1E,OAAO,QAAQ,CACf,KAAK,QAAQ,GACjB;;AAGH,UAAO;IACL,aAAa,OAAO,KAAK,MAAM,EAAE,KAAK;IACtC;IACA;IACA;IACD;;AAGH,QAAM,IAAI,WAAW,iCAAiC,QAAQ,SAAS;;CAGzE,AAAQ,aACN,cACA,EAAE,mBAAmB,aAAgE,EAAE,EACvF;EACA,MAAM,YAAY,mBAAmB,aAAa;AAElD,SAAO;GACL,GAAG;GACH,uBAAuB,YAAY;IACjC,MAAM,EAAE,6BAA6B,KAAK,SAAS;IAEnD,MAAM,6BADe,KAAK,gBAAgB,aAAa,CACP,6BAA6B,EAC3E,6BACD,CAAC;AAGF,QAAI,qBAAqB,2BACvB,QAAO,yCAAyC;KAC9C,sBAAsB;KACtB;KACD,CAAC,CAAC,QAAQ;AAIb,QACE,QAAQ,4BAA4B,kBACpC,4BAA4B,sDAC5B,KAAK,eAAe,iCAEpB,QAAO,+BAA+B,CAAC,QAAQ;AAIjD,QAAI,SACF,QAAO,yBAAyB,EAAE,UAAU,CAAC,CAAC,QAAQ;AAKxD,QACE,QAAQ,4BAA4B,kBACpC,KAAK,eAAe,iCAEpB,QAAO,+BAA+B,CAAC,QAAQ;AAKjD,QAAI,KAAK,eAAe,4BACtB,QAAO,+BAA+B,CAAC,QAAQ;AAKjD,QAAI,QAAQ,4BAA4B,oCAAoC,KAAK,aAC/E,QAAO,+BAA+B,CAAC,QAAQ;AAGjD,UAAM,IAAI,WAAW,2CAA2C;;GAEnE;;CAGH,AAAQ,UAAU,cAA4B,UAA6D,EAAE,EAAE;AAC7G,SAAO,IAAI,iBAAiB,EAC1B,WAAW,KAAK,aAAa,cAAc,QAAQ,EACpD,CAAC;;CAGJ,AAAQ,gBAAgB,cAA4B,SAA6D;AAC/G,SAAO,IAAI,aAAa,EACtB,WAAW,UAAU,KAAK,aAAa,cAAc,QAAQ,GAAG,mBAAmB,aAAa,EACjG,CAAC;;;;CAnxCL,YAAY;oBAOR,OAAO,iBAAiB,OAAO"}
1
+ {"version":3,"file":"OpenId4VciHolderService.mjs","names":["OpenId4VciHolderService","logger: Logger","alg","receivedCredentials: Array<OpenId4VciCredentialResponse>","deferredCredentials: Array<OpenId4VciDeferredCredentialResponse>","deferredCredential: OpenId4VciDeferredCredentialResponse","algorithm","proofTypes: OpenId4VciProofOfPossessionRequirements['proofTypes']","signatureAlgorithms: Kms.KnownJwaSignatureAlgorithm[]","result"],"sources":["../../src/openid4vc-holder/OpenId4VciHolderService.ts"],"sourcesContent":["import {\n AgentContext,\n CredoError,\n DidsApi,\n InjectionSymbols,\n inject,\n injectable,\n Kms,\n type Logger,\n Mdoc,\n MdocApi,\n parseDid,\n replaceError,\n SdJwtVcApi,\n SignatureSuiteRegistry,\n W3cCredentialService,\n W3cJsonLdVerifiableCredential,\n W3cJwtVerifiableCredential,\n W3cV2CredentialService,\n W3cV2SdJwtVerifiableCredential,\n} from '@credo-ts/core'\nimport {\n type AccessTokenResponse,\n authorizationCodeGrantIdentifier,\n type CallbackContext,\n clientAuthenticationAnonymous,\n clientAuthenticationClientAttestationJwt,\n clientAuthenticationNone,\n getAuthorizationServerMetadataFromList,\n type Jwk,\n Oauth2Client,\n preAuthorizedCodeGrantIdentifier,\n type RequestDpopOptions,\n refreshTokenGrantIdentifier,\n} from '@openid4vc/oauth2'\nimport {\n AuthorizationFlow,\n type CredentialResponse,\n type DeferredCredentialResponse,\n determineAuthorizationServerForCredentialOffer,\n type IssuerMetadataResult,\n Openid4vciClient,\n Openid4vciDraftVersion,\n Openid4vciRetrieveCredentialsError,\n parseKeyAttestationJwt,\n} from '@openid4vc/openid4vci'\nimport type { OpenId4VciCredentialConfigurationSupportedWithFormats, OpenId4VciMetadata } from '../shared'\n\nimport { OpenId4VciCredentialFormatProfile } from '../shared'\nimport { getOid4vcCallbacks } from '../shared/callbacks'\nimport { getOfferedCredentials, getScopesFromCredentialConfigurationsSupported } from '../shared/issuerMetadataUtils'\nimport { getSupportedJwaSignatureAlgorithms } from '../shared/utils'\nimport type {\n OpenId4VciAcceptCredentialOfferOptions,\n OpenId4VciAuthCodeFlowOptions,\n OpenId4VciCredentialBindingResolver,\n OpenId4VciCredentialResponse,\n OpenId4VciDeferredCredentialRequestOptions,\n OpenId4VciDeferredCredentialResponse,\n OpenId4VciDpopRequestOptions,\n OpenId4VciProofOfPossessionRequirements,\n OpenId4VciResolvedAuthorizationRequest,\n OpenId4VciResolvedCredentialOffer,\n OpenId4VciRetrieveAuthorizationCodeUsingPresentationOptions,\n OpenId4VciSendNotificationOptions,\n OpenId4VciSupportedCredentialFormats,\n OpenId4VciTokenRefreshOptions,\n OpenId4VciTokenRequestOptions,\n} from './OpenId4VciHolderServiceOptions'\nimport { openId4VciSupportedCredentialFormats } from './OpenId4VciHolderServiceOptions'\n\n@injectable()\nexport class OpenId4VciHolderService {\n private logger: Logger\n private w3cCredentialService: W3cCredentialService\n private w3cV2CredentialService: W3cV2CredentialService\n\n public constructor(\n @inject(InjectionSymbols.Logger) logger: Logger,\n w3cCredentialService: W3cCredentialService,\n w3cV2CredentialService: W3cV2CredentialService\n ) {\n this.w3cCredentialService = w3cCredentialService\n this.w3cV2CredentialService = w3cV2CredentialService\n this.logger = logger\n }\n\n public async resolveIssuerMetadata(\n agentContext: AgentContext,\n credentialIssuer: string\n ): Promise<OpenId4VciMetadata> {\n const client = this.getClient(agentContext)\n\n const metadata = await client.resolveIssuerMetadata(credentialIssuer)\n this.logger.debug('fetched credential issuer metadata', { metadata })\n\n return metadata\n }\n\n public async resolveCredentialOffer(\n agentContext: AgentContext,\n credentialOffer: string\n ): Promise<OpenId4VciResolvedCredentialOffer> {\n const client = this.getClient(agentContext)\n\n const credentialOfferObject = await client.resolveCredentialOffer(credentialOffer)\n const metadata = await client.resolveIssuerMetadata(credentialOfferObject.credential_issuer)\n this.logger.debug('fetched credential offer and issuer metadata', { metadata, credentialOfferObject })\n\n const credentialConfigurationsSupported = getOfferedCredentials(\n credentialOfferObject.credential_configuration_ids,\n client.getKnownCredentialConfigurationsSupported(metadata.credentialIssuer),\n // We only filter for known configurations, so it's ok if not found\n { ignoreNotFoundIds: true }\n )\n\n return {\n metadata,\n offeredCredentialConfigurations: credentialConfigurationsSupported,\n credentialOfferPayload: credentialOfferObject,\n }\n }\n\n public async resolveAuthorizationRequest(\n agentContext: AgentContext,\n resolvedCredentialOffer: OpenId4VciResolvedCredentialOffer,\n authCodeFlowOptions: OpenId4VciAuthCodeFlowOptions\n ): Promise<OpenId4VciResolvedAuthorizationRequest> {\n const { clientId, redirectUri } = authCodeFlowOptions\n const { metadata, credentialOfferPayload, offeredCredentialConfigurations } = resolvedCredentialOffer\n\n const oauth2Client = this.getOauth2Client(agentContext)\n const client = this.getClient(agentContext, {\n clientId: authCodeFlowOptions.clientId,\n clientAttestation: authCodeFlowOptions.walletAttestationJwt,\n })\n\n // If scope is not provided, we request scope for all offered credentials\n const scope =\n authCodeFlowOptions.scope ?? getScopesFromCredentialConfigurationsSupported(offeredCredentialConfigurations)\n\n if (!credentialOfferPayload.grants?.[authorizationCodeGrantIdentifier]) {\n throw new CredoError(`Provided credential offer does not include the 'authorization_code' grant.`)\n }\n\n const authorizationCodeGrant = credentialOfferPayload.grants[authorizationCodeGrantIdentifier]\n const authorizationServer = determineAuthorizationServerForCredentialOffer({\n issuerMetadata: metadata,\n grantAuthorizationServer: authorizationCodeGrant.authorization_server,\n })\n\n const authorizationServerMetadata = getAuthorizationServerMetadataFromList(\n metadata.authorizationServers,\n authorizationServer\n )\n\n // TODO: should we allow key reuse between dpop and wallet attestation?\n const isDpopSupported = oauth2Client.isDpopSupported({ authorizationServerMetadata })\n const dpop = isDpopSupported.supported\n ? await this.getDpopOptions(agentContext, {\n dpopSigningAlgValuesSupported: isDpopSupported.dpopSigningAlgValuesSupported,\n })\n : undefined\n\n const authorizationResult = await client.initiateAuthorization({\n clientId,\n issuerMetadata: metadata,\n credentialOffer: credentialOfferPayload,\n scope: scope.join(' '),\n redirectUri,\n dpop,\n })\n\n if (authorizationResult.authorizationFlow === AuthorizationFlow.PresentationDuringIssuance) {\n return {\n authorizationFlow: AuthorizationFlow.PresentationDuringIssuance,\n openid4vpRequestUrl: authorizationResult.openid4vpRequestUrl,\n authSession: authorizationResult.authSession,\n // FIXME: return dpop result from this endpoint (dpop nonce)\n dpop: dpop\n ? {\n alg: dpop.signer.alg as Kms.KnownJwaSignatureAlgorithm,\n jwk: Kms.PublicJwk.fromUnknown(dpop.signer.publicJwk),\n }\n : undefined,\n }\n }\n\n // Normal Oauth2Redirect flow\n return {\n authorizationFlow: AuthorizationFlow.Oauth2Redirect,\n codeVerifier: authorizationResult.pkce?.codeVerifier,\n authorizationRequestUrl: authorizationResult.authorizationRequestUrl,\n // FIXME: return dpop result from this endpoint (dpop nonce)\n dpop: dpop\n ? {\n alg: dpop.signer.alg as Kms.KnownJwaSignatureAlgorithm,\n jwk: Kms.PublicJwk.fromUnknown(dpop.signer.publicJwk),\n }\n : undefined,\n }\n }\n\n public async sendNotification(agentContext: AgentContext, options: OpenId4VciSendNotificationOptions) {\n const client = this.getClient(agentContext)\n await client.sendNotification({\n accessToken: options.accessToken,\n dpop: options.dpop\n ? await this.getDpopOptions(agentContext, {\n ...options.dpop,\n dpopSigningAlgValuesSupported: [options.dpop.alg],\n })\n : undefined,\n issuerMetadata: options.metadata,\n notification: {\n event: options.notificationEvent,\n notificationId: options.notificationId,\n },\n })\n }\n\n private async getDpopOptions(\n agentContext: AgentContext,\n {\n jwk,\n dpopSigningAlgValuesSupported,\n nonce,\n }: { dpopSigningAlgValuesSupported: string[]; jwk?: Kms.PublicJwk; nonce?: string }\n ): Promise<RequestDpopOptions> {\n const kms = agentContext.resolve(Kms.KeyManagementApi)\n\n if (jwk) {\n const alg = dpopSigningAlgValuesSupported.find((alg) =>\n jwk.supportedSignatureAlgorithms.includes(alg as Kms.KnownJwaSignatureAlgorithm)\n )\n\n if (!alg) {\n throw new CredoError(\n `No supported dpop signature algorithms found in dpop_signing_alg_values_supported '${dpopSigningAlgValuesSupported.join(\n ', '\n )}' matching jwk ${jwk.jwkTypehumanDescription}`\n )\n }\n\n return {\n signer: {\n method: 'jwk',\n alg,\n publicJwk: jwk.toJson() as Jwk,\n },\n nonce,\n }\n }\n\n const alg = dpopSigningAlgValuesSupported.find((algorithm): algorithm is Kms.KnownJwaSignatureAlgorithm => {\n try {\n Kms.PublicJwk.supportedPublicJwkClassForSignatureAlgorithm(algorithm as Kms.KnownJwaSignatureAlgorithm)\n\n // TODO: we should allow providing allowed backends to OID4VC API so you can limit which\n // KMS backends can be used for DPOP\n const supportedBackends = kms.supportedBackendsForOperation({\n operation: 'sign',\n algorithm: algorithm as Kms.KnownJwaSignatureAlgorithm,\n })\n return supportedBackends.length > 0\n } catch {\n return false\n }\n })\n\n if (!alg) {\n throw new CredoError(\n `No supported dpop signature algorithms found in dpop_signing_alg_values_supported '${dpopSigningAlgValuesSupported.join(\n ', '\n )}'`\n )\n }\n\n const key = await kms.createKeyForSignatureAlgorithm({ algorithm: alg })\n return {\n signer: {\n method: 'jwk',\n alg,\n publicJwk: key.publicJwk as Jwk,\n },\n nonce,\n }\n }\n\n public async retrieveAuthorizationCodeUsingPresentation(\n agentContext: AgentContext,\n options: OpenId4VciRetrieveAuthorizationCodeUsingPresentationOptions\n ): Promise<{\n authorizationCode: string\n dpop?: OpenId4VciDpopRequestOptions\n }> {\n const client = this.getClient(agentContext, {\n clientAttestation: options.walletAttestationJwt,\n })\n const dpop = options.dpop\n ? await this.getDpopOptions(agentContext, {\n ...options.dpop,\n dpopSigningAlgValuesSupported: [options.dpop.alg],\n })\n : undefined\n\n const { authorizationChallengeResponse, dpop: dpopResult } =\n await client.retrieveAuthorizationCodeUsingPresentation({\n authSession: options.authSession,\n presentationDuringIssuanceSession: options.presentationDuringIssuanceSession,\n credentialOffer: options.resolvedCredentialOffer.credentialOfferPayload,\n issuerMetadata: options.resolvedCredentialOffer.metadata,\n dpop,\n })\n\n return {\n authorizationCode: authorizationChallengeResponse.authorization_code,\n dpop: dpop\n ? {\n ...dpopResult,\n alg: dpop.signer.alg as Kms.KnownJwaSignatureAlgorithm,\n jwk: Kms.PublicJwk.fromUnknown(dpop.signer.publicJwk),\n }\n : undefined,\n }\n }\n\n public async requestAccessToken(\n agentContext: AgentContext,\n options: OpenId4VciTokenRequestOptions\n ): Promise<{\n authorizationServer: string\n accessTokenResponse: AccessTokenResponse\n dpop?: OpenId4VciDpopRequestOptions\n }> {\n const { metadata, credentialOfferPayload } = options.resolvedCredentialOffer\n const client = this.getClient(agentContext, {\n clientAttestation: options.walletAttestationJwt,\n clientId: 'clientId' in options ? options.clientId : undefined,\n })\n const oauth2Client = this.getOauth2Client(agentContext)\n\n const authorizationServer = options.code\n ? credentialOfferPayload.grants?.authorization_code?.authorization_server\n : credentialOfferPayload.grants?.[preAuthorizedCodeGrantIdentifier]?.authorization_server\n const authorizationServerMetadata = getAuthorizationServerMetadataFromList(\n metadata.authorizationServers,\n authorizationServer ?? metadata.authorizationServers[0].issuer\n )\n\n const isDpopSupported = oauth2Client.isDpopSupported({\n authorizationServerMetadata,\n })\n\n const dpop = options.dpop\n ? await this.getDpopOptions(agentContext, {\n ...options.dpop,\n dpopSigningAlgValuesSupported: [options.dpop.alg],\n })\n : // We should be careful about this case. It could just be the user didn't correctly\n // provide the DPoP from the auth response. In which case different DPoP will be used\n // However it might be that they only use DPoP for the token request (esp in pre-auth case)\n isDpopSupported.supported\n ? await this.getDpopOptions(agentContext, {\n dpopSigningAlgValuesSupported: isDpopSupported.dpopSigningAlgValuesSupported,\n })\n : undefined\n\n const result = options.code\n ? await client.retrieveAuthorizationCodeAccessTokenFromOffer({\n issuerMetadata: metadata,\n credentialOffer: credentialOfferPayload,\n authorizationCode: options.code,\n dpop,\n pkceCodeVerifier: options.codeVerifier,\n redirectUri: options.redirectUri,\n })\n : await client.retrievePreAuthorizedCodeAccessTokenFromOffer({\n credentialOffer: credentialOfferPayload,\n issuerMetadata: metadata,\n dpop,\n txCode: options.txCode,\n })\n\n return {\n ...result,\n dpop: dpop\n ? {\n ...result.dpop,\n alg: dpop.signer.alg as Kms.KnownJwaSignatureAlgorithm,\n jwk: Kms.PublicJwk.fromUnknown(dpop.signer.publicJwk),\n }\n : undefined,\n }\n }\n\n public async refreshAccessToken(\n agentContext: AgentContext,\n options: OpenId4VciTokenRefreshOptions\n ): Promise<\n // FIXME: export type in oid4vc library\n Omit<Awaited<ReturnType<Oauth2Client['retrieveRefreshTokenAccessToken']>>, 'dpop'> & {\n dpop?: OpenId4VciDpopRequestOptions\n }\n > {\n const oauth2Client = this.getOauth2Client(agentContext, {\n clientAttestation: options.walletAttestationJwt,\n clientId: options.clientId,\n })\n\n const dpop = options.dpop\n ? await this.getDpopOptions(agentContext, {\n ...options.dpop,\n dpopSigningAlgValuesSupported: [options.dpop.alg],\n })\n : undefined\n\n const authorizationServerMetadata = getAuthorizationServerMetadataFromList(\n options.issuerMetadata.authorizationServers,\n options.authorizationServer ?? options.issuerMetadata.authorizationServers[0].issuer\n )\n\n const result = await oauth2Client.retrieveRefreshTokenAccessToken({\n authorizationServerMetadata,\n refreshToken: options.refreshToken,\n dpop,\n resource: options.issuerMetadata.credentialIssuer.credential_issuer,\n })\n\n return {\n ...result,\n dpop: dpop\n ? {\n ...result.dpop,\n alg: dpop.signer.alg as Kms.KnownJwaSignatureAlgorithm,\n jwk: Kms.PublicJwk.fromUnknown(dpop.signer.publicJwk),\n }\n : undefined,\n }\n }\n\n public async acceptCredentialOffer(\n agentContext: AgentContext,\n options: {\n resolvedCredentialOffer: OpenId4VciResolvedCredentialOffer\n acceptCredentialOfferOptions: OpenId4VciAcceptCredentialOfferOptions\n accessToken: string\n cNonce?: string\n dpop?: OpenId4VciDpopRequestOptions\n clientId?: string\n }\n ): Promise<{\n credentials: OpenId4VciCredentialResponse[]\n deferredCredentials: OpenId4VciDeferredCredentialResponse[]\n dpop?: OpenId4VciDpopRequestOptions\n cNonce?: string\n }> {\n const { resolvedCredentialOffer, acceptCredentialOfferOptions } = options\n const { metadata, offeredCredentialConfigurations } = resolvedCredentialOffer\n const {\n credentialConfigurationIds,\n credentialBindingResolver,\n verifyCredentialStatus,\n allowedProofOfPossessionSignatureAlgorithms,\n } = acceptCredentialOfferOptions\n const client = this.getClient(agentContext)\n\n if (credentialConfigurationIds?.length === 0) {\n throw new CredoError(`'credentialConfigurationIds' may not be empty`)\n }\n\n const receivedCredentials: Array<OpenId4VciCredentialResponse> = []\n const deferredCredentials: Array<OpenId4VciDeferredCredentialResponse> = []\n let cNonce = options.cNonce\n let dpopNonce = options.dpop?.nonce\n\n const credentialConfigurationsToRequest =\n credentialConfigurationIds?.map((id) => {\n if (!offeredCredentialConfigurations[id]) {\n const offeredCredentialIds = Object.keys(offeredCredentialConfigurations).join(', ')\n throw new CredoError(\n `Credential to request '${id}' is not present in offered credentials. Offered credentials are ${offeredCredentialIds}`\n )\n }\n return [id, offeredCredentialConfigurations[id]] as const\n }) ?? Object.entries(offeredCredentialConfigurations)\n\n // If we don't have a nonce yet, we need to first get one\n if (!cNonce) {\n // Best option is to use nonce endpoint (draft 14+)\n if (metadata.credentialIssuer.nonce_endpoint) {\n const nonceResponse = await client.requestNonce({ issuerMetadata: metadata })\n cNonce = nonceResponse.c_nonce\n } else {\n // Otherwise we will send a dummy request\n await client\n .retrieveCredentials({\n issuerMetadata: metadata,\n accessToken: options.accessToken,\n credentialConfigurationId: credentialConfigurationsToRequest[0][0],\n dpop: options.dpop\n ? await this.getDpopOptions(agentContext, {\n ...options.dpop,\n nonce: dpopNonce,\n dpopSigningAlgValuesSupported: [options.dpop.alg],\n })\n : undefined,\n })\n .catch((e) => {\n if (e instanceof Openid4vciRetrieveCredentialsError && e.response.credentialErrorResponseResult?.success) {\n cNonce = e.response.credentialErrorResponseResult.data.c_nonce\n }\n })\n }\n }\n\n if (!cNonce) {\n throw new CredoError('No cNonce provided and unable to acquire cNonce from the credential issuer')\n }\n\n for (const [offeredCredentialId, offeredCredentialConfiguration] of credentialConfigurationsToRequest) {\n const proofs = await this.getCredentialRequestOptions(agentContext, {\n allowedProofOfPossessionAlgorithms:\n allowedProofOfPossessionSignatureAlgorithms ?? getSupportedJwaSignatureAlgorithms(agentContext),\n metadata,\n offeredCredential: {\n id: offeredCredentialId,\n configuration: offeredCredentialConfiguration,\n },\n clientId: options.clientId,\n // We already checked whether nonce exists above\n cNonce: cNonce as string,\n credentialBindingResolver,\n })\n\n this.logger.debug('Generated credential request proof of possession', { proofs })\n\n const proof =\n // Draft 11 ALWAYS uses proof\n (metadata.originalDraftVersion === Openid4vciDraftVersion.Draft11 ||\n // Draft 14 allows both proof and proofs. Try to use proof when it makes to improve interoperability\n (metadata.originalDraftVersion === Openid4vciDraftVersion.Draft14 &&\n metadata.credentialIssuer.batch_credential_issuance === undefined)) &&\n proofs.jwt?.length === 1\n ? ({\n proof_type: 'jwt',\n jwt: proofs.jwt[0],\n } as const)\n : undefined\n\n const { credentialResponse, dpop } = await client.retrieveCredentials({\n issuerMetadata: metadata,\n accessToken: options.accessToken,\n credentialConfigurationId: offeredCredentialId,\n dpop: options.dpop\n ? await this.getDpopOptions(agentContext, {\n ...options.dpop,\n nonce: dpopNonce,\n dpopSigningAlgValuesSupported: [options.dpop.alg],\n })\n : undefined,\n // Only include proofs if we don't add proof\n proofs: !proof ? proofs : undefined,\n proof,\n })\n\n // Set new nonce values\n cNonce = credentialResponse.c_nonce\n dpopNonce = dpop?.nonce\n\n if (credentialResponse.transaction_id) {\n const deferredCredential = {\n credentialConfigurationId: offeredCredentialId,\n credentialConfiguration: offeredCredentialConfiguration,\n transactionId: credentialResponse.transaction_id,\n interval: credentialResponse.interval,\n notificationId: credentialResponse.notification_id,\n }\n\n this.logger.debug('received deferred credential', deferredCredential)\n deferredCredentials.push(deferredCredential)\n } else {\n // Create credential, but we don't store it yet (only after the user has accepted the credential)\n const credential = await this.handleCredentialResponse(agentContext, credentialResponse, {\n verifyCredentialStatus: verifyCredentialStatus ?? false,\n format: offeredCredentialConfiguration.format as OpenId4VciCredentialFormatProfile,\n credentialConfigurationId: offeredCredentialId,\n credentialConfiguration: offeredCredentialConfiguration,\n })\n\n this.logger.debug(\n 'received credential',\n credential.credentials.map((c) =>\n c instanceof Mdoc ? { issuerSignedNamespaces: c.issuerSignedNamespaces, base64Url: c.base64Url } : c\n )\n )\n receivedCredentials.push(credential)\n }\n }\n\n return {\n credentials: receivedCredentials,\n deferredCredentials,\n dpop: options.dpop\n ? {\n ...options.dpop,\n nonce: dpopNonce,\n }\n : undefined,\n cNonce,\n }\n }\n\n public async retrieveDeferredCredentials(\n agentContext: AgentContext,\n options: OpenId4VciDeferredCredentialRequestOptions\n ): Promise<{\n credentials: OpenId4VciCredentialResponse[]\n deferredCredentials: OpenId4VciDeferredCredentialResponse[]\n dpop?: OpenId4VciDpopRequestOptions\n }> {\n const {\n issuerMetadata,\n transactionId,\n credentialConfigurationId,\n credentialConfiguration,\n verifyCredentialStatus,\n accessToken,\n } = options\n const client = this.getClient(agentContext)\n\n const receivedCredentials: Array<OpenId4VciCredentialResponse> = []\n const deferredCredentials: Array<OpenId4VciDeferredCredentialResponse> = []\n let dpopNonce = options.dpop?.nonce\n\n const { deferredCredentialResponse, dpop } = await client.retrieveDeferredCredentials({\n issuerMetadata,\n accessToken,\n transactionId,\n dpop: options.dpop\n ? await this.getDpopOptions(agentContext, {\n ...options.dpop,\n nonce: dpopNonce,\n dpopSigningAlgValuesSupported: [options.dpop.alg],\n })\n : undefined,\n })\n\n // Set new nonce values\n dpopNonce = dpop?.nonce\n\n if (deferredCredentialResponse.interval) {\n const deferredCredential: OpenId4VciDeferredCredentialResponse = {\n credentialConfigurationId,\n credentialConfiguration,\n transactionId,\n interval: deferredCredentialResponse.interval,\n notificationId: deferredCredentialResponse.notification_id,\n }\n\n this.logger.debug('received deferred credential', deferredCredential)\n deferredCredentials.push(deferredCredential)\n } else {\n // Create credential, but we don't store it yet (only after the user has accepted the credential)\n const credential = await this.handleCredentialResponse(agentContext, deferredCredentialResponse, {\n verifyCredentialStatus: verifyCredentialStatus ?? false,\n format: credentialConfiguration.format as OpenId4VciCredentialFormatProfile,\n credentialConfigurationId: credentialConfigurationId,\n credentialConfiguration: credentialConfiguration,\n })\n\n this.logger.debug(\n 'received credential',\n credential.credentials.map((c) =>\n c instanceof Mdoc ? { issuerSignedNamespaces: c.issuerSignedNamespaces, base64Url: c.base64Url } : c\n )\n )\n receivedCredentials.push(credential)\n }\n\n return {\n credentials: receivedCredentials,\n deferredCredentials,\n dpop: options.dpop\n ? {\n ...options.dpop,\n nonce: dpopNonce,\n }\n : undefined,\n }\n }\n\n /**\n * Get the options for the credential request. Internally this will resolve the proof of possession\n * requirements, and based on that it will call the proofOfPossessionVerificationMethodResolver to\n * allow the caller to select the correct verification method based on the requirements for the proof\n * of possession.\n */\n private async getCredentialRequestOptions(\n agentContext: AgentContext,\n options: {\n metadata: OpenId4VciResolvedCredentialOffer['metadata']\n credentialBindingResolver: OpenId4VciCredentialBindingResolver\n allowedProofOfPossessionAlgorithms: Kms.KnownJwaSignatureAlgorithm[]\n clientId?: string\n cNonce: string\n offeredCredential: {\n id: string\n configuration: OpenId4VciCredentialConfigurationSupportedWithFormats\n }\n }\n ) {\n const dids = agentContext.resolve(DidsApi)\n const { allowedProofOfPossessionAlgorithms, offeredCredential } = options\n const { configuration, id: configurationId } = offeredCredential\n const supportedJwaSignatureAlgorithms = getSupportedJwaSignatureAlgorithms(agentContext)\n\n const possibleProofOfPossessionSignatureAlgorithms = allowedProofOfPossessionAlgorithms\n ? allowedProofOfPossessionAlgorithms.filter((algorithm) => supportedJwaSignatureAlgorithms.includes(algorithm))\n : supportedJwaSignatureAlgorithms\n\n if (possibleProofOfPossessionSignatureAlgorithms.length === 0) {\n throw new CredoError(\n [\n 'No possible proof of possession signature algorithm found.',\n `Signature algorithms supported by the Agent '${supportedJwaSignatureAlgorithms.join(', ')}'`,\n `Allowed Signature algorithms '${allowedProofOfPossessionAlgorithms?.join(', ')}'`,\n ].join('\\n')\n )\n }\n\n const { proofTypes, supportedDidMethods, supportsAllDidMethods, supportsJwk } =\n this.getProofOfPossessionRequirements(agentContext, {\n credentialToRequest: options.offeredCredential,\n metadata: options.metadata,\n possibleProofOfPossessionSignatureAlgorithms,\n })\n\n const format = configuration.format satisfies `${OpenId4VciSupportedCredentialFormats}`\n const supportsAnyMethod = supportedDidMethods !== undefined || supportsAllDidMethods || supportsJwk\n const issuerMaxBatchSize = options.metadata.credentialIssuer.batch_credential_issuance?.batch_size ?? 1\n\n // Now we need to determine how the credential will be bound to us\n const credentialBinding = await options.credentialBindingResolver({\n agentContext,\n credentialFormat: format as OpenId4VciSupportedCredentialFormats,\n credentialConfigurationId: configurationId,\n credentialConfiguration: configuration,\n metadata: options.metadata,\n issuerMaxBatchSize,\n proofTypes,\n supportsAllDidMethods,\n supportedDidMethods,\n supportsJwk,\n })\n\n const client = this.getClient(agentContext)\n\n // Make sure the issuer of proof of possession is valid according to openid issuer metadata\n if (credentialBinding.method === 'did') {\n if (!proofTypes.jwt) {\n throw new CredoError(\n `JWT proof type is not supported for configuration '${configurationId}', which is required for did based credential binding.`\n )\n }\n\n if (proofTypes.jwt.keyAttestationsRequired) {\n throw new CredoError(\n `Credential binding returned list of DID urls, but credential configuration '${configurationId}' requires key attestations. Key attestations and DIDs are not compatible.`\n )\n }\n\n if (credentialBinding.didUrls.length > issuerMaxBatchSize) {\n throw new CredoError(\n `Issuer supports issuing a batch of maximum ${issuerMaxBatchSize} credential(s). Binding resolver returned ${credentialBinding.didUrls.length} DID urls. Make sure the returned value does not exceed the max batch issuance.`\n )\n }\n\n if (credentialBinding.didUrls.length === 0) {\n throw new CredoError('Credential binding with method did returned empty didUrls list')\n }\n\n const firstDid = parseDid(credentialBinding.didUrls[0])\n if (!credentialBinding.didUrls.every((didUrl) => parseDid(didUrl).method === firstDid.method)) {\n throw new CredoError('Expected all did urls for binding method did to use the same did method')\n }\n\n if (\n !supportsAllDidMethods &&\n // If supportedDidMethods is undefined, it means the issuer didn't include the binding methods in the metadata\n // The user can still select a verification method, but we can't validate it\n supportedDidMethods !== undefined &&\n !supportedDidMethods.find(\n (supportedDidMethod) => firstDid.did.startsWith(supportedDidMethod) && supportsAnyMethod\n )\n ) {\n // Test binding method\n const supportedDidMethodsString = supportedDidMethods.join(', ')\n throw new CredoError(\n `Resolved credential binding for proof of possession uses did method '${firstDid.method}', but issuer only supports '${supportedDidMethodsString}'`\n )\n }\n\n const { publicJwk: firstKey } = await dids.resolveVerificationMethodFromCreatedDidRecord(firstDid.didUrl)\n const algorithm = proofTypes.jwt.supportedSignatureAlgorithms.find((algorithm) =>\n firstKey.supportedSignatureAlgorithms.includes(algorithm)\n )\n if (!algorithm) {\n throw new CredoError(\n `Credential binding returned did url that points to key '${firstKey.jwkTypehumanDescription}' that supports signature algorithms ${firstKey.supportedSignatureAlgorithms.join(', ')}, but one of '${proofTypes.jwt.supportedSignatureAlgorithms.join(', ')}' was expected`\n )\n }\n\n // This will/should leverage the caching, so it's ok to resolve the did here\n const keys = await Promise.all(\n credentialBinding.didUrls.map(async (didUrl, index) =>\n index === 0\n ? // We already fetched the first did\n { jwk: firstKey, didUrl: firstDid.didUrl }\n : { jwk: (await dids.resolveVerificationMethodFromCreatedDidRecord(didUrl)).publicJwk, didUrl }\n )\n )\n if (!keys.every((key) => Kms.assymetricJwkKeyTypeMatches(key.jwk.toJson(), firstKey.toJson()))) {\n throw new CredoError('Expected all did urls to point to the same key type')\n }\n\n return {\n jwt: await Promise.all(\n keys.map((key) =>\n client\n .createCredentialRequestJwtProof({\n credentialConfigurationId: configurationId,\n issuerMetadata: options.metadata,\n signer: {\n method: 'did',\n didUrl: key.didUrl,\n alg: algorithm,\n kid: key.jwk.keyId,\n },\n nonce: options.cNonce,\n clientId: options.clientId,\n })\n .then(({ jwt }) => jwt)\n )\n ),\n }\n }\n\n if (credentialBinding.method === 'jwk') {\n if (!supportsJwk && supportsAnyMethod) {\n throw new CredoError(\n `Resolved credential binding for proof of possession uses jwk, but openid issuer does not support 'jwk' or 'cose_key' cryptographic binding method`\n )\n }\n\n if (!proofTypes.jwt) {\n throw new CredoError(\n `JWT proof type is not supported for configuration '${configurationId}', which is required for jwk based credential binding.`\n )\n }\n\n if (proofTypes.jwt.keyAttestationsRequired) {\n throw new CredoError(\n `Credential binding returned list of JWK keys, but credential configuration '${configurationId}' requires key attestations. Return a key attestation with binding method 'attestation'.`\n )\n }\n\n if (credentialBinding.keys.length > issuerMaxBatchSize) {\n throw new CredoError(\n `Issuer supports issuing a batch of maximum ${issuerMaxBatchSize} credential(s). Binding resolver returned ${credentialBinding.keys.length} keys. Make sure the returned value does not exceed the max batch issuance.`\n )\n }\n\n if (credentialBinding.keys.length === 0) {\n throw new CredoError('Credential binding with method jwk returned empty keys list')\n }\n\n const firstJwk = credentialBinding.keys[0]\n\n if (!credentialBinding.keys.every((key) => Kms.assymetricJwkKeyTypeMatches(key.toJson(), firstJwk.toJson()))) {\n throw new CredoError('Expected all keys for binding method jwk to use the same key type')\n }\n\n const algorithm = proofTypes.jwt.supportedSignatureAlgorithms.find((algorithm) =>\n firstJwk.supportedSignatureAlgorithms.includes(algorithm)\n )\n if (!algorithm) {\n throw new CredoError(\n `Credential binding returned jwk that points to key '${firstJwk.jwkTypehumanDescription}' that supports signature algorithms ${firstJwk.supportedSignatureAlgorithms.join(', ')}, but one of '${proofTypes.jwt.supportedSignatureAlgorithms.join(', ')}' was expected`\n )\n }\n\n return {\n jwt: await Promise.all(\n credentialBinding.keys.map((jwk) =>\n client\n .createCredentialRequestJwtProof({\n credentialConfigurationId: configurationId,\n issuerMetadata: options.metadata,\n signer: {\n method: 'jwk',\n publicJwk: jwk.toJson() as Jwk,\n alg: algorithm,\n },\n nonce: options.cNonce,\n clientId: options.clientId,\n })\n .then(({ jwt }) => jwt)\n )\n ),\n }\n }\n\n if (credentialBinding.method === 'attestation') {\n const { payload } = parseKeyAttestationJwt({ keyAttestationJwt: credentialBinding.keyAttestationJwt })\n\n // TODO: check client_id matches in payload\n\n if (payload.attested_keys.length > issuerMaxBatchSize) {\n throw new CredoError(\n `Issuer supports issuing a batch of maximum ${issuerMaxBatchSize} credential(s). Binding resolver returned key attestation with ${payload.attested_keys.length} attested keys. Make sure the returned value does not exceed the max batch issuance.`\n )\n }\n\n // TODO: check nonce matches cNonce\n if (proofTypes.attestation && payload.nonce) {\n // If attestation is supported and the attestation contains a nonce, we can use the attestation directly\n return {\n attestation: [credentialBinding.keyAttestationJwt],\n }\n }\n\n if (proofTypes.jwt) {\n const jwk = Kms.PublicJwk.fromUnknown(payload.attested_keys[0])\n\n return {\n jwt: [\n await client\n .createCredentialRequestJwtProof({\n credentialConfigurationId: configurationId,\n issuerMetadata: options.metadata,\n signer: {\n method: 'jwk',\n publicJwk: payload.attested_keys[0],\n // TODO: we should probably use the 'alg' from the jwk\n alg: jwk.supportedSignatureAlgorithms[0],\n },\n keyAttestationJwt: credentialBinding.keyAttestationJwt,\n nonce: options.cNonce,\n clientId: options.clientId,\n })\n .then(({ jwt }) => jwt),\n ],\n }\n }\n\n throw new CredoError(\n `Unable to create credential request proofs. Configuration supports 'attestation' proof type, but attestation did not contain a 'nonce' value`\n )\n }\n\n // @ts-expect-error currently if/else if exhaustive, but once we add new option it will give ts error\n throw new CredoError(`Unsupported credential binding method ${credentialBinding.method}`)\n }\n\n /**\n * Get the requirements for creating the proof of possession. Based on the allowed\n * credential formats, the allowed proof of possession signature algorithms, and the\n * credential type, this method will select the best credential format and signature\n * algorithm to use, based on the order of preference.\n */\n private getProofOfPossessionRequirements(\n agentContext: AgentContext,\n options: {\n metadata: IssuerMetadataResult\n credentialToRequest: {\n id: string\n configuration: OpenId4VciCredentialConfigurationSupportedWithFormats\n }\n possibleProofOfPossessionSignatureAlgorithms: Kms.KnownJwaSignatureAlgorithm[]\n }\n ): OpenId4VciProofOfPossessionRequirements {\n const { credentialToRequest, possibleProofOfPossessionSignatureAlgorithms, metadata } = options\n const { configuration, id: configurationId } = credentialToRequest\n\n if (!openId4VciSupportedCredentialFormats.includes(configuration.format as OpenId4VciSupportedCredentialFormats)) {\n throw new CredoError(\n [\n `Requested credential with format '${credentialToRequest.configuration.format}',`,\n `for the credential with id '${credentialToRequest.id},`,\n `but the wallet only supports the following formats '${openId4VciSupportedCredentialFormats.join(', ')}'`,\n ].join('\\n')\n )\n }\n\n // For each of the supported algs, find the key types, then find the proof types\n const signatureSuiteRegistry = agentContext.dependencyManager.resolve(SignatureSuiteRegistry)\n\n let proofTypesSupported = configuration.proof_types_supported\n if (!proofTypesSupported) {\n // For draft above 11 we do not allow no proof_type (we do not support no key binding for now)\n if (metadata.originalDraftVersion !== Openid4vciDraftVersion.Draft11) {\n throw new CredoError(\n `Credential configuration '${configurationId}' does not specifcy proof_types_supported. Credentials not bound to keys are not supported at the moment`\n )\n }\n\n // For draft 11 we fall back to jwt proof type\n proofTypesSupported = {\n jwt: {\n proof_signing_alg_values_supported: possibleProofOfPossessionSignatureAlgorithms,\n },\n }\n }\n\n const proofTypes: OpenId4VciProofOfPossessionRequirements['proofTypes'] = {\n jwt: undefined,\n attestation: undefined,\n }\n\n for (const [proofType, proofTypeConfig] of Object.entries(proofTypesSupported)) {\n if (proofType !== 'jwt' && proofType !== 'attestation') continue\n\n let signatureAlgorithms: Kms.KnownJwaSignatureAlgorithm[] = []\n\n const proofSigningAlgsSupported = proofTypeConfig?.proof_signing_alg_values_supported\n if (proofSigningAlgsSupported === undefined) {\n // If undefined, it means the issuer didn't include the cryptographic suites in the metadata\n // We just guess that the first one is supported\n signatureAlgorithms = options.possibleProofOfPossessionSignatureAlgorithms\n } else {\n switch (credentialToRequest.configuration.format) {\n case OpenId4VciCredentialFormatProfile.JwtVcJson:\n case OpenId4VciCredentialFormatProfile.JwtVcJsonLd:\n case OpenId4VciCredentialFormatProfile.SdJwtVc:\n case OpenId4VciCredentialFormatProfile.SdJwtDc:\n case OpenId4VciCredentialFormatProfile.MsoMdoc:\n signatureAlgorithms = options.possibleProofOfPossessionSignatureAlgorithms.filter((signatureAlgorithm) =>\n proofSigningAlgsSupported.includes(signatureAlgorithm)\n )\n break\n // FIXME: this is wrong, as the proof type is separate from the credential signing alg\n // But there might be some draft 11 logic that depends on this, can be removed soon\n case OpenId4VciCredentialFormatProfile.LdpVc:\n signatureAlgorithms = options.possibleProofOfPossessionSignatureAlgorithms.filter((signatureAlgorithm) => {\n try {\n const jwkClass = Kms.PublicJwk.supportedPublicJwkClassForSignatureAlgorithm(signatureAlgorithm)\n const matchingSuites = signatureSuiteRegistry.getAllByPublicJwkType(jwkClass)\n if (matchingSuites.length === 0) return false\n\n return proofSigningAlgsSupported.includes(matchingSuites[0].proofType)\n } catch {\n return false\n }\n })\n break\n default:\n throw new CredoError('Unsupported credential format.')\n }\n }\n\n proofTypes[proofType] = {\n supportedSignatureAlgorithms: signatureAlgorithms,\n keyAttestationsRequired: proofTypeConfig.key_attestations_required\n ? {\n keyStorage: proofTypeConfig.key_attestations_required.key_storage,\n userAuthentication: proofTypeConfig.key_attestations_required.user_authentication,\n }\n : undefined,\n }\n }\n\n const { jwt, attestation } = proofTypes\n if (!jwt && !attestation) {\n const supported = Object.keys(proofTypesSupported).join(', ')\n throw new CredoError(`Unsupported proof type(s) ${supported}. Supported proof type(s) are: jwt, attestation`)\n }\n\n const issuerSupportedBindingMethods = credentialToRequest.configuration.cryptographic_binding_methods_supported\n const supportsAllDidMethods = issuerSupportedBindingMethods?.includes('did') ?? false\n const supportedDidMethods = issuerSupportedBindingMethods?.filter((method) => method.startsWith('did:'))\n\n // The cryptographic_binding_methods_supported describe the cryptographic key material that the issued Credential is bound to.\n const supportsCoseKey = issuerSupportedBindingMethods?.includes('cose_key') ?? false\n const supportsJwk = issuerSupportedBindingMethods?.includes('jwk') || supportsCoseKey\n\n return {\n proofTypes,\n supportedDidMethods,\n supportsAllDidMethods,\n supportsJwk,\n }\n }\n\n private async handleCredentialResponse(\n agentContext: AgentContext,\n credentialResponse: CredentialResponse | DeferredCredentialResponse,\n options: {\n verifyCredentialStatus: boolean\n format: OpenId4VciCredentialFormatProfile\n credentialConfigurationId: string\n credentialConfiguration: OpenId4VciCredentialConfigurationSupportedWithFormats\n }\n ): Promise<OpenId4VciCredentialResponse> {\n const { verifyCredentialStatus, credentialConfigurationId, credentialConfiguration } = options\n this.logger.debug('Credential response', credentialResponse)\n\n const credentials = credentialResponse.credentials\n ? credentialResponse.credentials.every((c) => typeof c === 'object' && c !== null && 'credential' in c)\n ? credentialResponse.credentials.map((c) => (c as { credential: string | Record<string, unknown> }).credential)\n : (credentialResponse.credentials as (string | Record<string, unknown>)[])\n : credentialResponse.credential\n ? [credentialResponse.credential as CredentialResponse['credential']]\n : undefined\n\n if (!credentials) {\n throw new CredoError(`Credential response returned neither 'credentials' nor 'credential' parameter.`)\n }\n\n const notificationId = credentialResponse.notification_id\n\n const format = options.format\n if (format === OpenId4VciCredentialFormatProfile.SdJwtVc || format === OpenId4VciCredentialFormatProfile.SdJwtDc) {\n if (!credentials.every((c) => typeof c === 'string')) {\n throw new CredoError(\n `Received credential(s) of format ${format}, but not all credential(s) are a string. ${JSON.stringify(\n credentials\n )}`\n )\n }\n\n if (format === OpenId4VciCredentialFormatProfile.SdJwtDc || credentialConfiguration.vct) {\n const sdJwtVcApi = agentContext.dependencyManager.resolve(SdJwtVcApi)\n const verificationResults = await Promise.all(\n credentials.map((compactSdJwtVc, index) =>\n sdJwtVcApi.verify({\n compactSdJwtVc,\n // Only load and verify it for the first instance\n fetchTypeMetadata: index === 0,\n })\n )\n )\n\n if (!verificationResults.every((result) => result.isValid)) {\n agentContext.config.logger.error('Failed to validate credential(s)', { verificationResults })\n throw new CredoError(\n `Failed to validate sd-jwt-vc credentials. Results = ${JSON.stringify(verificationResults, replaceError)}`\n )\n }\n\n return {\n credentials: verificationResults.map((result) => result.sdJwtVc),\n notificationId,\n credentialConfigurationId,\n credentialConfiguration,\n }\n }\n\n const result = await Promise.all(\n credentials.map(async (c) => {\n const credential = W3cV2SdJwtVerifiableCredential.fromCompact(c)\n const result = await this.w3cV2CredentialService.verifyCredential(agentContext, {\n credential,\n })\n\n return { credential, result }\n })\n )\n\n if (!result.every((c) => c.result.isValid)) {\n agentContext.config.logger.error('Failed to validate credentials', { result })\n throw new CredoError(\n `Failed to validate credential, error = ${result\n .map((e) => e.result.error?.message)\n .filter(Boolean)\n .join(', ')}`\n )\n }\n\n return {\n credentials: result.map((r) => r.credential),\n notificationId,\n credentialConfigurationId,\n credentialConfiguration,\n }\n }\n if (\n options.format === OpenId4VciCredentialFormatProfile.JwtVcJson ||\n options.format === OpenId4VciCredentialFormatProfile.JwtVcJsonLd\n ) {\n if (!credentials.every((c) => typeof c === 'string')) {\n throw new CredoError(\n `Received credential(s) of format ${format}, but not all credential(s) are a string. ${JSON.stringify(\n credentials\n )}`\n )\n }\n\n const result = await Promise.all(\n credentials.map(async (c) => {\n const credential = W3cJwtVerifiableCredential.fromSerializedJwt(c)\n const result = await this.w3cCredentialService.verifyCredential(agentContext, {\n credential,\n verifyCredentialStatus,\n })\n\n return { credential, result }\n })\n )\n\n if (!result.every((c) => c.result.isValid)) {\n agentContext.config.logger.error('Failed to validate credentials', { result })\n throw new CredoError(\n `Failed to validate credential, error = ${result\n .map((e) => e.result.error?.message)\n .filter(Boolean)\n .join(', ')}`\n )\n }\n\n return {\n credentials: result.map((r) => r.credential),\n notificationId,\n credentialConfigurationId,\n credentialConfiguration,\n }\n }\n if (format === OpenId4VciCredentialFormatProfile.LdpVc) {\n if (!credentials.every((c) => typeof c === 'object' && c !== null)) {\n throw new CredoError(\n `Received credential(s) of format ${format}, but not all credential(s) are an object. ${JSON.stringify(\n credentials\n )}`\n )\n }\n const result = await Promise.all(\n credentials.map(async (c) => {\n const credential = W3cJsonLdVerifiableCredential.fromJson(c)\n const result = await this.w3cCredentialService.verifyCredential(agentContext, {\n credential,\n verifyCredentialStatus,\n })\n\n return { credential, result }\n })\n )\n\n if (!result.every((c) => c.result.isValid)) {\n agentContext.config.logger.error('Failed to validate credentials', { result })\n throw new CredoError(\n `Failed to validate credential, error = ${result\n .map((e) => e.result.error?.message)\n .filter(Boolean)\n .join(', ')}`\n )\n }\n\n return {\n credentials: result.map((r) => r.credential),\n notificationId,\n credentialConfigurationId,\n credentialConfiguration,\n }\n }\n if (format === OpenId4VciCredentialFormatProfile.MsoMdoc) {\n if (!credentials.every((c) => typeof c === 'string')) {\n throw new CredoError(\n `Received credential(s) of format ${format}, but not all credential(s) are a string. ${JSON.stringify(\n credentials\n )}`\n )\n }\n const mdocApi = agentContext.dependencyManager.resolve(MdocApi)\n const result = await Promise.all(\n credentials.map(async (credential) => {\n const mdoc = Mdoc.fromBase64Url(credential)\n const result = await mdocApi.verify(mdoc, {})\n return {\n result,\n mdoc,\n }\n })\n )\n\n if (!result.every((r) => r.result.isValid)) {\n agentContext.config.logger.error('Failed to validate credentials', { result })\n throw new CredoError(\n `Failed to validate mdoc credential(s). \\n - ${result\n .map((r, i) => (r.result.isValid ? undefined : `(${i}) ${r.result.error}`))\n .filter(Boolean)\n .join('\\n - ')}`\n )\n }\n\n return {\n credentials: result.map((c) => c.mdoc),\n notificationId,\n credentialConfigurationId,\n credentialConfiguration,\n }\n }\n\n throw new CredoError(`Unsupported credential format ${options.format}`)\n }\n\n private getCallbacks(\n agentContext: AgentContext,\n { clientAttestation, clientId }: { clientAttestation?: string; clientId?: string } = {}\n ) {\n const callbacks = getOid4vcCallbacks(agentContext)\n\n return {\n ...callbacks,\n clientAuthentication: (options) => {\n const { authorizationServerMetadata, url, body } = options\n const oauth2Client = this.getOauth2Client(agentContext)\n const clientAttestationSupported = oauth2Client.isClientAttestationSupported({\n authorizationServerMetadata,\n })\n\n // Client attestations\n if (clientAttestation && clientAttestationSupported) {\n return clientAuthenticationClientAttestationJwt({\n clientAttestationJwt: clientAttestation,\n callbacks,\n })(options)\n }\n\n // Pre auth flow\n if (\n url === authorizationServerMetadata.token_endpoint &&\n authorizationServerMetadata['pre-authorized_grant_anonymous_access_supported'] &&\n body.grant_type === preAuthorizedCodeGrantIdentifier\n ) {\n return clientAuthenticationAnonymous()(options)\n }\n\n // Just a client id (no auth)\n if (clientId) {\n return clientAuthenticationNone({ clientId })(options)\n }\n\n // NOTE: we fall back to anonymous authentication for pre-auth for now, as there's quite some\n // issuers that do not have pre-authorized_grant_anonymous_access_supported defined\n if (\n url === authorizationServerMetadata.token_endpoint &&\n body.grant_type === preAuthorizedCodeGrantIdentifier\n ) {\n return clientAuthenticationAnonymous()(options)\n }\n\n // Refresh token flow defaults to anonymous auth if there is neither a client attestation or client id\n // is present.\n if (body.grant_type === refreshTokenGrantIdentifier) {\n return clientAuthenticationAnonymous()(options)\n }\n\n // TODO: We should still look at auth_methods_supported\n // If there is an auth session for the auth challenge endpoint, we don't have to include the client_id\n if (url === authorizationServerMetadata.authorization_challenge_endpoint && body.auth_session) {\n return clientAuthenticationAnonymous()(options)\n }\n\n throw new CredoError('Unable to perform client authentication.')\n },\n } satisfies Partial<CallbackContext>\n }\n\n private getClient(agentContext: AgentContext, options: { clientAttestation?: string; clientId?: string } = {}) {\n return new Openid4vciClient({\n callbacks: this.getCallbacks(agentContext, options),\n })\n }\n\n private getOauth2Client(agentContext: AgentContext, options?: { clientAttestation?: string; clientId?: string }) {\n return new Oauth2Client({\n callbacks: options ? this.getCallbacks(agentContext, options) : getOid4vcCallbacks(agentContext),\n })\n }\n}\n"],"mappings":";;;;;;;;;;;;;;;AAwEO,oCAAMA,0BAAwB;CAKnC,AAAO,YACL,AAAiCC,QACjC,sBACA,wBACA;AACA,OAAK,uBAAuB;AAC5B,OAAK,yBAAyB;AAC9B,OAAK,SAAS;;CAGhB,MAAa,sBACX,cACA,kBAC6B;EAG7B,MAAM,WAAW,MAFF,KAAK,UAAU,aAAa,CAEb,sBAAsB,iBAAiB;AACrE,OAAK,OAAO,MAAM,sCAAsC,EAAE,UAAU,CAAC;AAErE,SAAO;;CAGT,MAAa,uBACX,cACA,iBAC4C;EAC5C,MAAM,SAAS,KAAK,UAAU,aAAa;EAE3C,MAAM,wBAAwB,MAAM,OAAO,uBAAuB,gBAAgB;EAClF,MAAM,WAAW,MAAM,OAAO,sBAAsB,sBAAsB,kBAAkB;AAC5F,OAAK,OAAO,MAAM,gDAAgD;GAAE;GAAU;GAAuB,CAAC;AAStG,SAAO;GACL;GACA,iCATwC,sBACxC,sBAAsB,8BACtB,OAAO,0CAA0C,SAAS,iBAAiB,EAE3E,EAAE,mBAAmB,MAAM,CAC5B;GAKC,wBAAwB;GACzB;;CAGH,MAAa,4BACX,cACA,yBACA,qBACiD;EACjD,MAAM,EAAE,UAAU,gBAAgB;EAClC,MAAM,EAAE,UAAU,wBAAwB,oCAAoC;EAE9E,MAAM,eAAe,KAAK,gBAAgB,aAAa;EACvD,MAAM,SAAS,KAAK,UAAU,cAAc;GAC1C,UAAU,oBAAoB;GAC9B,mBAAmB,oBAAoB;GACxC,CAAC;EAGF,MAAM,QACJ,oBAAoB,SAAS,+CAA+C,gCAAgC;AAE9G,MAAI,CAAC,uBAAuB,SAAS,kCACnC,OAAM,IAAI,WAAW,6EAA6E;EAGpG,MAAM,yBAAyB,uBAAuB,OAAO;EAC7D,MAAM,sBAAsB,+CAA+C;GACzE,gBAAgB;GAChB,0BAA0B,uBAAuB;GAClD,CAAC;EAEF,MAAM,8BAA8B,uCAClC,SAAS,sBACT,oBACD;EAGD,MAAM,kBAAkB,aAAa,gBAAgB,EAAE,6BAA6B,CAAC;EACrF,MAAM,OAAO,gBAAgB,YACzB,MAAM,KAAK,eAAe,cAAc,EACtC,+BAA+B,gBAAgB,+BAChD,CAAC,GACF;EAEJ,MAAM,sBAAsB,MAAM,OAAO,sBAAsB;GAC7D;GACA,gBAAgB;GAChB,iBAAiB;GACjB,OAAO,MAAM,KAAK,IAAI;GACtB;GACA;GACD,CAAC;AAEF,MAAI,oBAAoB,sBAAsB,kBAAkB,2BAC9D,QAAO;GACL,mBAAmB,kBAAkB;GACrC,qBAAqB,oBAAoB;GACzC,aAAa,oBAAoB;GAEjC,MAAM,OACF;IACE,KAAK,KAAK,OAAO;IACjB,KAAK,IAAI,UAAU,YAAY,KAAK,OAAO,UAAU;IACtD,GACD;GACL;AAIH,SAAO;GACL,mBAAmB,kBAAkB;GACrC,cAAc,oBAAoB,MAAM;GACxC,yBAAyB,oBAAoB;GAE7C,MAAM,OACF;IACE,KAAK,KAAK,OAAO;IACjB,KAAK,IAAI,UAAU,YAAY,KAAK,OAAO,UAAU;IACtD,GACD;GACL;;CAGH,MAAa,iBAAiB,cAA4B,SAA4C;AAEpG,QADe,KAAK,UAAU,aAAa,CAC9B,iBAAiB;GAC5B,aAAa,QAAQ;GACrB,MAAM,QAAQ,OACV,MAAM,KAAK,eAAe,cAAc;IACtC,GAAG,QAAQ;IACX,+BAA+B,CAAC,QAAQ,KAAK,IAAI;IAClD,CAAC,GACF;GACJ,gBAAgB,QAAQ;GACxB,cAAc;IACZ,OAAO,QAAQ;IACf,gBAAgB,QAAQ;IACzB;GACF,CAAC;;CAGJ,MAAc,eACZ,cACA,EACE,KACA,+BACA,SAE2B;EAC7B,MAAM,MAAM,aAAa,QAAQ,IAAI,iBAAiB;AAEtD,MAAI,KAAK;GACP,MAAMC,QAAM,8BAA8B,MAAM,UAC9C,IAAI,6BAA6B,SAASA,MAAsC,CACjF;AAED,OAAI,CAACA,MACH,OAAM,IAAI,WACR,sFAAsF,8BAA8B,KAClH,KACD,CAAC,iBAAiB,IAAI,0BACxB;AAGH,UAAO;IACL,QAAQ;KACN,QAAQ;KACR;KACA,WAAW,IAAI,QAAQ;KACxB;IACD;IACD;;EAGH,MAAM,MAAM,8BAA8B,MAAM,cAA2D;AACzG,OAAI;AACF,QAAI,UAAU,6CAA6C,UAA4C;AAQvG,WAJ0B,IAAI,8BAA8B;KAC1D,WAAW;KACA;KACZ,CAAC,CACuB,SAAS;WAC5B;AACN,WAAO;;IAET;AAEF,MAAI,CAAC,IACH,OAAM,IAAI,WACR,sFAAsF,8BAA8B,KAClH,KACD,CAAC,GACH;AAIH,SAAO;GACL,QAAQ;IACN,QAAQ;IACR;IACA,YALQ,MAAM,IAAI,+BAA+B,EAAE,WAAW,KAAK,CAAC,EAKrD;IAChB;GACD;GACD;;CAGH,MAAa,2CACX,cACA,SAIC;EACD,MAAM,SAAS,KAAK,UAAU,cAAc,EAC1C,mBAAmB,QAAQ,sBAC5B,CAAC;EACF,MAAM,OAAO,QAAQ,OACjB,MAAM,KAAK,eAAe,cAAc;GACtC,GAAG,QAAQ;GACX,+BAA+B,CAAC,QAAQ,KAAK,IAAI;GAClD,CAAC,GACF;EAEJ,MAAM,EAAE,gCAAgC,MAAM,eAC5C,MAAM,OAAO,2CAA2C;GACtD,aAAa,QAAQ;GACrB,mCAAmC,QAAQ;GAC3C,iBAAiB,QAAQ,wBAAwB;GACjD,gBAAgB,QAAQ,wBAAwB;GAChD;GACD,CAAC;AAEJ,SAAO;GACL,mBAAmB,+BAA+B;GAClD,MAAM,OACF;IACE,GAAG;IACH,KAAK,KAAK,OAAO;IACjB,KAAK,IAAI,UAAU,YAAY,KAAK,OAAO,UAAU;IACtD,GACD;GACL;;CAGH,MAAa,mBACX,cACA,SAKC;EACD,MAAM,EAAE,UAAU,2BAA2B,QAAQ;EACrD,MAAM,SAAS,KAAK,UAAU,cAAc;GAC1C,mBAAmB,QAAQ;GAC3B,UAAU,cAAc,UAAU,QAAQ,WAAW;GACtD,CAAC;EACF,MAAM,eAAe,KAAK,gBAAgB,aAAa;EAEvD,MAAM,sBAAsB,QAAQ,OAChC,uBAAuB,QAAQ,oBAAoB,uBACnD,uBAAuB,SAAS,mCAAmC;EACvE,MAAM,8BAA8B,uCAClC,SAAS,sBACT,uBAAuB,SAAS,qBAAqB,GAAG,OACzD;EAED,MAAM,kBAAkB,aAAa,gBAAgB,EACnD,6BACD,CAAC;EAEF,MAAM,OAAO,QAAQ,OACjB,MAAM,KAAK,eAAe,cAAc;GACtC,GAAG,QAAQ;GACX,+BAA+B,CAAC,QAAQ,KAAK,IAAI;GAClD,CAAC,GAIF,gBAAgB,YACd,MAAM,KAAK,eAAe,cAAc,EACtC,+BAA+B,gBAAgB,+BAChD,CAAC,GACF;EAEN,MAAM,SAAS,QAAQ,OACnB,MAAM,OAAO,8CAA8C;GACzD,gBAAgB;GAChB,iBAAiB;GACjB,mBAAmB,QAAQ;GAC3B;GACA,kBAAkB,QAAQ;GAC1B,aAAa,QAAQ;GACtB,CAAC,GACF,MAAM,OAAO,8CAA8C;GACzD,iBAAiB;GACjB,gBAAgB;GAChB;GACA,QAAQ,QAAQ;GACjB,CAAC;AAEN,SAAO;GACL,GAAG;GACH,MAAM,OACF;IACE,GAAG,OAAO;IACV,KAAK,KAAK,OAAO;IACjB,KAAK,IAAI,UAAU,YAAY,KAAK,OAAO,UAAU;IACtD,GACD;GACL;;CAGH,MAAa,mBACX,cACA,SAMA;EACA,MAAM,eAAe,KAAK,gBAAgB,cAAc;GACtD,mBAAmB,QAAQ;GAC3B,UAAU,QAAQ;GACnB,CAAC;EAEF,MAAM,OAAO,QAAQ,OACjB,MAAM,KAAK,eAAe,cAAc;GACtC,GAAG,QAAQ;GACX,+BAA+B,CAAC,QAAQ,KAAK,IAAI;GAClD,CAAC,GACF;EAEJ,MAAM,8BAA8B,uCAClC,QAAQ,eAAe,sBACvB,QAAQ,uBAAuB,QAAQ,eAAe,qBAAqB,GAAG,OAC/E;EAED,MAAM,SAAS,MAAM,aAAa,gCAAgC;GAChE;GACA,cAAc,QAAQ;GACtB;GACA,UAAU,QAAQ,eAAe,iBAAiB;GACnD,CAAC;AAEF,SAAO;GACL,GAAG;GACH,MAAM,OACF;IACE,GAAG,OAAO;IACV,KAAK,KAAK,OAAO;IACjB,KAAK,IAAI,UAAU,YAAY,KAAK,OAAO,UAAU;IACtD,GACD;GACL;;CAGH,MAAa,sBACX,cACA,SAaC;EACD,MAAM,EAAE,yBAAyB,iCAAiC;EAClE,MAAM,EAAE,UAAU,oCAAoC;EACtD,MAAM,EACJ,4BACA,2BACA,wBACA,gDACE;EACJ,MAAM,SAAS,KAAK,UAAU,aAAa;AAE3C,MAAI,4BAA4B,WAAW,EACzC,OAAM,IAAI,WAAW,gDAAgD;EAGvE,MAAMC,sBAA2D,EAAE;EACnE,MAAMC,sBAAmE,EAAE;EAC3E,IAAI,SAAS,QAAQ;EACrB,IAAI,YAAY,QAAQ,MAAM;EAE9B,MAAM,oCACJ,4BAA4B,KAAK,OAAO;AACtC,OAAI,CAAC,gCAAgC,IAEnC,OAAM,IAAI,WACR,0BAA0B,GAAG,mEAFF,OAAO,KAAK,gCAAgC,CAAC,KAAK,KAAK,GAGnF;AAEH,UAAO,CAAC,IAAI,gCAAgC,IAAI;IAChD,IAAI,OAAO,QAAQ,gCAAgC;AAGvD,MAAI,CAAC,OAEH,KAAI,SAAS,iBAAiB,eAE5B,WADsB,MAAM,OAAO,aAAa,EAAE,gBAAgB,UAAU,CAAC,EACtD;MAGvB,OAAM,OACH,oBAAoB;GACnB,gBAAgB;GAChB,aAAa,QAAQ;GACrB,2BAA2B,kCAAkC,GAAG;GAChE,MAAM,QAAQ,OACV,MAAM,KAAK,eAAe,cAAc;IACtC,GAAG,QAAQ;IACX,OAAO;IACP,+BAA+B,CAAC,QAAQ,KAAK,IAAI;IAClD,CAAC,GACF;GACL,CAAC,CACD,OAAO,MAAM;AACZ,OAAI,aAAa,sCAAsC,EAAE,SAAS,+BAA+B,QAC/F,UAAS,EAAE,SAAS,8BAA8B,KAAK;IAEzD;AAIR,MAAI,CAAC,OACH,OAAM,IAAI,WAAW,6EAA6E;AAGpG,OAAK,MAAM,CAAC,qBAAqB,mCAAmC,mCAAmC;GACrG,MAAM,SAAS,MAAM,KAAK,4BAA4B,cAAc;IAClE,oCACE,+CAA+C,mCAAmC,aAAa;IACjG;IACA,mBAAmB;KACjB,IAAI;KACJ,eAAe;KAChB;IACD,UAAU,QAAQ;IAEV;IACR;IACD,CAAC;AAEF,QAAK,OAAO,MAAM,oDAAoD,EAAE,QAAQ,CAAC;GAEjF,MAAM,SAEH,SAAS,yBAAyB,uBAAuB,WAEvD,SAAS,yBAAyB,uBAAuB,WACxD,SAAS,iBAAiB,8BAA8B,WAC5D,OAAO,KAAK,WAAW,IAClB;IACC,YAAY;IACZ,KAAK,OAAO,IAAI;IACjB,GACD;GAEN,MAAM,EAAE,oBAAoB,SAAS,MAAM,OAAO,oBAAoB;IACpE,gBAAgB;IAChB,aAAa,QAAQ;IACrB,2BAA2B;IAC3B,MAAM,QAAQ,OACV,MAAM,KAAK,eAAe,cAAc;KACtC,GAAG,QAAQ;KACX,OAAO;KACP,+BAA+B,CAAC,QAAQ,KAAK,IAAI;KAClD,CAAC,GACF;IAEJ,QAAQ,CAAC,QAAQ,SAAS;IAC1B;IACD,CAAC;AAGF,YAAS,mBAAmB;AAC5B,eAAY,MAAM;AAElB,OAAI,mBAAmB,gBAAgB;IACrC,MAAM,qBAAqB;KACzB,2BAA2B;KAC3B,yBAAyB;KACzB,eAAe,mBAAmB;KAClC,UAAU,mBAAmB;KAC7B,gBAAgB,mBAAmB;KACpC;AAED,SAAK,OAAO,MAAM,gCAAgC,mBAAmB;AACrE,wBAAoB,KAAK,mBAAmB;UACvC;IAEL,MAAM,aAAa,MAAM,KAAK,yBAAyB,cAAc,oBAAoB;KACvF,wBAAwB,0BAA0B;KAClD,QAAQ,+BAA+B;KACvC,2BAA2B;KAC3B,yBAAyB;KAC1B,CAAC;AAEF,SAAK,OAAO,MACV,uBACA,WAAW,YAAY,KAAK,MAC1B,aAAa,OAAO;KAAE,wBAAwB,EAAE;KAAwB,WAAW,EAAE;KAAW,GAAG,EACpG,CACF;AACD,wBAAoB,KAAK,WAAW;;;AAIxC,SAAO;GACL,aAAa;GACb;GACA,MAAM,QAAQ,OACV;IACE,GAAG,QAAQ;IACX,OAAO;IACR,GACD;GACJ;GACD;;CAGH,MAAa,4BACX,cACA,SAKC;EACD,MAAM,EACJ,gBACA,eACA,2BACA,yBACA,wBACA,gBACE;EACJ,MAAM,SAAS,KAAK,UAAU,aAAa;EAE3C,MAAMD,sBAA2D,EAAE;EACnE,MAAMC,sBAAmE,EAAE;EAC3E,IAAI,YAAY,QAAQ,MAAM;EAE9B,MAAM,EAAE,4BAA4B,SAAS,MAAM,OAAO,4BAA4B;GACpF;GACA;GACA;GACA,MAAM,QAAQ,OACV,MAAM,KAAK,eAAe,cAAc;IACtC,GAAG,QAAQ;IACX,OAAO;IACP,+BAA+B,CAAC,QAAQ,KAAK,IAAI;IAClD,CAAC,GACF;GACL,CAAC;AAGF,cAAY,MAAM;AAElB,MAAI,2BAA2B,UAAU;GACvC,MAAMC,qBAA2D;IAC/D;IACA;IACA;IACA,UAAU,2BAA2B;IACrC,gBAAgB,2BAA2B;IAC5C;AAED,QAAK,OAAO,MAAM,gCAAgC,mBAAmB;AACrE,uBAAoB,KAAK,mBAAmB;SACvC;GAEL,MAAM,aAAa,MAAM,KAAK,yBAAyB,cAAc,4BAA4B;IAC/F,wBAAwB,0BAA0B;IAClD,QAAQ,wBAAwB;IACL;IACF;IAC1B,CAAC;AAEF,QAAK,OAAO,MACV,uBACA,WAAW,YAAY,KAAK,MAC1B,aAAa,OAAO;IAAE,wBAAwB,EAAE;IAAwB,WAAW,EAAE;IAAW,GAAG,EACpG,CACF;AACD,uBAAoB,KAAK,WAAW;;AAGtC,SAAO;GACL,aAAa;GACb;GACA,MAAM,QAAQ,OACV;IACE,GAAG,QAAQ;IACX,OAAO;IACR,GACD;GACL;;;;;;;;CASH,MAAc,4BACZ,cACA,SAWA;EACA,MAAM,OAAO,aAAa,QAAQ,QAAQ;EAC1C,MAAM,EAAE,oCAAoC,sBAAsB;EAClE,MAAM,EAAE,eAAe,IAAI,oBAAoB;EAC/C,MAAM,kCAAkC,mCAAmC,aAAa;EAExF,MAAM,+CAA+C,qCACjD,mCAAmC,QAAQ,cAAc,gCAAgC,SAAS,UAAU,CAAC,GAC7G;AAEJ,MAAI,6CAA6C,WAAW,EAC1D,OAAM,IAAI,WACR;GACE;GACA,gDAAgD,gCAAgC,KAAK,KAAK,CAAC;GAC3F,iCAAiC,oCAAoC,KAAK,KAAK,CAAC;GACjF,CAAC,KAAK,KAAK,CACb;EAGH,MAAM,EAAE,YAAY,qBAAqB,uBAAuB,gBAC9D,KAAK,iCAAiC,cAAc;GAClD,qBAAqB,QAAQ;GAC7B,UAAU,QAAQ;GAClB;GACD,CAAC;EAEJ,MAAM,SAAS,cAAc;EAC7B,MAAM,oBAAoB,wBAAwB,UAAa,yBAAyB;EACxF,MAAM,qBAAqB,QAAQ,SAAS,iBAAiB,2BAA2B,cAAc;EAGtG,MAAM,oBAAoB,MAAM,QAAQ,0BAA0B;GAChE;GACA,kBAAkB;GAClB,2BAA2B;GAC3B,yBAAyB;GACzB,UAAU,QAAQ;GAClB;GACA;GACA;GACA;GACA;GACD,CAAC;EAEF,MAAM,SAAS,KAAK,UAAU,aAAa;AAG3C,MAAI,kBAAkB,WAAW,OAAO;AACtC,OAAI,CAAC,WAAW,IACd,OAAM,IAAI,WACR,sDAAsD,gBAAgB,wDACvE;AAGH,OAAI,WAAW,IAAI,wBACjB,OAAM,IAAI,WACR,+EAA+E,gBAAgB,4EAChG;AAGH,OAAI,kBAAkB,QAAQ,SAAS,mBACrC,OAAM,IAAI,WACR,8CAA8C,mBAAmB,4CAA4C,kBAAkB,QAAQ,OAAO,iFAC/I;AAGH,OAAI,kBAAkB,QAAQ,WAAW,EACvC,OAAM,IAAI,WAAW,iEAAiE;GAGxF,MAAM,WAAW,SAAS,kBAAkB,QAAQ,GAAG;AACvD,OAAI,CAAC,kBAAkB,QAAQ,OAAO,WAAW,SAAS,OAAO,CAAC,WAAW,SAAS,OAAO,CAC3F,OAAM,IAAI,WAAW,0EAA0E;AAGjG,OACE,CAAC,yBAGD,wBAAwB,UACxB,CAAC,oBAAoB,MAClB,uBAAuB,SAAS,IAAI,WAAW,mBAAmB,IAAI,kBACxE,EACD;IAEA,MAAM,4BAA4B,oBAAoB,KAAK,KAAK;AAChE,UAAM,IAAI,WACR,wEAAwE,SAAS,OAAO,+BAA+B,0BAA0B,GAClJ;;GAGH,MAAM,EAAE,WAAW,aAAa,MAAM,KAAK,8CAA8C,SAAS,OAAO;GACzG,MAAM,YAAY,WAAW,IAAI,6BAA6B,MAAM,gBAClE,SAAS,6BAA6B,SAASC,YAAU,CAC1D;AACD,OAAI,CAAC,UACH,OAAM,IAAI,WACR,2DAA2D,SAAS,wBAAwB,uCAAuC,SAAS,6BAA6B,KAAK,KAAK,CAAC,gBAAgB,WAAW,IAAI,6BAA6B,KAAK,KAAK,CAAC,gBAC5P;GAIH,MAAM,OAAO,MAAM,QAAQ,IACzB,kBAAkB,QAAQ,IAAI,OAAO,QAAQ,UAC3C,UAAU,IAEN;IAAE,KAAK;IAAU,QAAQ,SAAS;IAAQ,GAC1C;IAAE,MAAM,MAAM,KAAK,8CAA8C,OAAO,EAAE;IAAW;IAAQ,CAClG,CACF;AACD,OAAI,CAAC,KAAK,OAAO,QAAQ,IAAI,4BAA4B,IAAI,IAAI,QAAQ,EAAE,SAAS,QAAQ,CAAC,CAAC,CAC5F,OAAM,IAAI,WAAW,sDAAsD;AAG7E,UAAO,EACL,KAAK,MAAM,QAAQ,IACjB,KAAK,KAAK,QACR,OACG,gCAAgC;IAC/B,2BAA2B;IAC3B,gBAAgB,QAAQ;IACxB,QAAQ;KACN,QAAQ;KACR,QAAQ,IAAI;KACZ,KAAK;KACL,KAAK,IAAI,IAAI;KACd;IACD,OAAO,QAAQ;IACf,UAAU,QAAQ;IACnB,CAAC,CACD,MAAM,EAAE,UAAU,IAAI,CAC1B,CACF,EACF;;AAGH,MAAI,kBAAkB,WAAW,OAAO;AACtC,OAAI,CAAC,eAAe,kBAClB,OAAM,IAAI,WACR,oJACD;AAGH,OAAI,CAAC,WAAW,IACd,OAAM,IAAI,WACR,sDAAsD,gBAAgB,wDACvE;AAGH,OAAI,WAAW,IAAI,wBACjB,OAAM,IAAI,WACR,+EAA+E,gBAAgB,0FAChG;AAGH,OAAI,kBAAkB,KAAK,SAAS,mBAClC,OAAM,IAAI,WACR,8CAA8C,mBAAmB,4CAA4C,kBAAkB,KAAK,OAAO,6EAC5I;AAGH,OAAI,kBAAkB,KAAK,WAAW,EACpC,OAAM,IAAI,WAAW,8DAA8D;GAGrF,MAAM,WAAW,kBAAkB,KAAK;AAExC,OAAI,CAAC,kBAAkB,KAAK,OAAO,QAAQ,IAAI,4BAA4B,IAAI,QAAQ,EAAE,SAAS,QAAQ,CAAC,CAAC,CAC1G,OAAM,IAAI,WAAW,oEAAoE;GAG3F,MAAM,YAAY,WAAW,IAAI,6BAA6B,MAAM,gBAClE,SAAS,6BAA6B,SAASA,YAAU,CAC1D;AACD,OAAI,CAAC,UACH,OAAM,IAAI,WACR,uDAAuD,SAAS,wBAAwB,uCAAuC,SAAS,6BAA6B,KAAK,KAAK,CAAC,gBAAgB,WAAW,IAAI,6BAA6B,KAAK,KAAK,CAAC,gBACxP;AAGH,UAAO,EACL,KAAK,MAAM,QAAQ,IACjB,kBAAkB,KAAK,KAAK,QAC1B,OACG,gCAAgC;IAC/B,2BAA2B;IAC3B,gBAAgB,QAAQ;IACxB,QAAQ;KACN,QAAQ;KACR,WAAW,IAAI,QAAQ;KACvB,KAAK;KACN;IACD,OAAO,QAAQ;IACf,UAAU,QAAQ;IACnB,CAAC,CACD,MAAM,EAAE,UAAU,IAAI,CAC1B,CACF,EACF;;AAGH,MAAI,kBAAkB,WAAW,eAAe;GAC9C,MAAM,EAAE,YAAY,uBAAuB,EAAE,mBAAmB,kBAAkB,mBAAmB,CAAC;AAItG,OAAI,QAAQ,cAAc,SAAS,mBACjC,OAAM,IAAI,WACR,8CAA8C,mBAAmB,iEAAiE,QAAQ,cAAc,OAAO,sFAChK;AAIH,OAAI,WAAW,eAAe,QAAQ,MAEpC,QAAO,EACL,aAAa,CAAC,kBAAkB,kBAAkB,EACnD;AAGH,OAAI,WAAW,KAAK;IAClB,MAAM,MAAM,IAAI,UAAU,YAAY,QAAQ,cAAc,GAAG;AAE/D,WAAO,EACL,KAAK,CACH,MAAM,OACH,gCAAgC;KAC/B,2BAA2B;KAC3B,gBAAgB,QAAQ;KACxB,QAAQ;MACN,QAAQ;MACR,WAAW,QAAQ,cAAc;MAEjC,KAAK,IAAI,6BAA6B;MACvC;KACD,mBAAmB,kBAAkB;KACrC,OAAO,QAAQ;KACf,UAAU,QAAQ;KACnB,CAAC,CACD,MAAM,EAAE,UAAU,IAAI,CAC1B,EACF;;AAGH,SAAM,IAAI,WACR,+IACD;;AAIH,QAAM,IAAI,WAAW,yCAAyC,kBAAkB,SAAS;;;;;;;;CAS3F,AAAQ,iCACN,cACA,SAQyC;EACzC,MAAM,EAAE,qBAAqB,8CAA8C,aAAa;EACxF,MAAM,EAAE,eAAe,IAAI,oBAAoB;AAE/C,MAAI,CAAC,qCAAqC,SAAS,cAAc,OAA+C,CAC9G,OAAM,IAAI,WACR;GACE,qCAAqC,oBAAoB,cAAc,OAAO;GAC9E,+BAA+B,oBAAoB,GAAG;GACtD,uDAAuD,qCAAqC,KAAK,KAAK,CAAC;GACxG,CAAC,KAAK,KAAK,CACb;EAIH,MAAM,yBAAyB,aAAa,kBAAkB,QAAQ,uBAAuB;EAE7F,IAAI,sBAAsB,cAAc;AACxC,MAAI,CAAC,qBAAqB;AAExB,OAAI,SAAS,yBAAyB,uBAAuB,QAC3D,OAAM,IAAI,WACR,6BAA6B,gBAAgB,0GAC9C;AAIH,yBAAsB,EACpB,KAAK,EACH,oCAAoC,8CACrC,EACF;;EAGH,MAAMC,aAAoE;GACxE,KAAK;GACL,aAAa;GACd;AAED,OAAK,MAAM,CAAC,WAAW,oBAAoB,OAAO,QAAQ,oBAAoB,EAAE;AAC9E,OAAI,cAAc,SAAS,cAAc,cAAe;GAExD,IAAIC,sBAAwD,EAAE;GAE9D,MAAM,4BAA4B,iBAAiB;AACnD,OAAI,8BAA8B,OAGhC,uBAAsB,QAAQ;OAE9B,SAAQ,oBAAoB,cAAc,QAA1C;IACE,KAAK,kCAAkC;IACvC,KAAK,kCAAkC;IACvC,KAAK,kCAAkC;IACvC,KAAK,kCAAkC;IACvC,KAAK,kCAAkC;AACrC,2BAAsB,QAAQ,6CAA6C,QAAQ,uBACjF,0BAA0B,SAAS,mBAAmB,CACvD;AACD;IAGF,KAAK,kCAAkC;AACrC,2BAAsB,QAAQ,6CAA6C,QAAQ,uBAAuB;AACxG,UAAI;OACF,MAAM,WAAW,IAAI,UAAU,6CAA6C,mBAAmB;OAC/F,MAAM,iBAAiB,uBAAuB,sBAAsB,SAAS;AAC7E,WAAI,eAAe,WAAW,EAAG,QAAO;AAExC,cAAO,0BAA0B,SAAS,eAAe,GAAG,UAAU;cAChE;AACN,cAAO;;OAET;AACF;IACF,QACE,OAAM,IAAI,WAAW,iCAAiC;;AAI5D,cAAW,aAAa;IACtB,8BAA8B;IAC9B,yBAAyB,gBAAgB,4BACrC;KACE,YAAY,gBAAgB,0BAA0B;KACtD,oBAAoB,gBAAgB,0BAA0B;KAC/D,GACD;IACL;;EAGH,MAAM,EAAE,KAAK,gBAAgB;AAC7B,MAAI,CAAC,OAAO,CAAC,YAEX,OAAM,IAAI,WAAW,6BADH,OAAO,KAAK,oBAAoB,CAAC,KAAK,KAAK,CACD,iDAAiD;EAG/G,MAAM,gCAAgC,oBAAoB,cAAc;EACxE,MAAM,wBAAwB,+BAA+B,SAAS,MAAM,IAAI;EAChF,MAAM,sBAAsB,+BAA+B,QAAQ,WAAW,OAAO,WAAW,OAAO,CAAC;EAGxG,MAAM,kBAAkB,+BAA+B,SAAS,WAAW,IAAI;AAG/E,SAAO;GACL;GACA;GACA;GACA,aANkB,+BAA+B,SAAS,MAAM,IAAI;GAOrE;;CAGH,MAAc,yBACZ,cACA,oBACA,SAMuC;EACvC,MAAM,EAAE,wBAAwB,2BAA2B,4BAA4B;AACvF,OAAK,OAAO,MAAM,uBAAuB,mBAAmB;EAE5D,MAAM,cAAc,mBAAmB,cACnC,mBAAmB,YAAY,OAAO,MAAM,OAAO,MAAM,YAAY,MAAM,QAAQ,gBAAgB,EAAE,GACnG,mBAAmB,YAAY,KAAK,MAAO,EAAuD,WAAW,GAC5G,mBAAmB,cACtB,mBAAmB,aACjB,CAAC,mBAAmB,WAA+C,GACnE;AAEN,MAAI,CAAC,YACH,OAAM,IAAI,WAAW,iFAAiF;EAGxG,MAAM,iBAAiB,mBAAmB;EAE1C,MAAM,SAAS,QAAQ;AACvB,MAAI,WAAW,kCAAkC,WAAW,WAAW,kCAAkC,SAAS;AAChH,OAAI,CAAC,YAAY,OAAO,MAAM,OAAO,MAAM,SAAS,CAClD,OAAM,IAAI,WACR,oCAAoC,OAAO,4CAA4C,KAAK,UAC1F,YACD,GACF;AAGH,OAAI,WAAW,kCAAkC,WAAW,wBAAwB,KAAK;IACvF,MAAM,aAAa,aAAa,kBAAkB,QAAQ,WAAW;IACrE,MAAM,sBAAsB,MAAM,QAAQ,IACxC,YAAY,KAAK,gBAAgB,UAC/B,WAAW,OAAO;KAChB;KAEA,mBAAmB,UAAU;KAC9B,CAAC,CACH,CACF;AAED,QAAI,CAAC,oBAAoB,OAAO,aAAWC,SAAO,QAAQ,EAAE;AAC1D,kBAAa,OAAO,OAAO,MAAM,oCAAoC,EAAE,qBAAqB,CAAC;AAC7F,WAAM,IAAI,WACR,uDAAuD,KAAK,UAAU,qBAAqB,aAAa,GACzG;;AAGH,WAAO;KACL,aAAa,oBAAoB,KAAK,aAAWA,SAAO,QAAQ;KAChE;KACA;KACA;KACD;;GAGH,MAAM,SAAS,MAAM,QAAQ,IAC3B,YAAY,IAAI,OAAO,MAAM;IAC3B,MAAM,aAAa,+BAA+B,YAAY,EAAE;AAKhE,WAAO;KAAE;KAAY,QAJN,MAAM,KAAK,uBAAuB,iBAAiB,cAAc,EAC9E,YACD,CAAC;KAE2B;KAC7B,CACH;AAED,OAAI,CAAC,OAAO,OAAO,MAAM,EAAE,OAAO,QAAQ,EAAE;AAC1C,iBAAa,OAAO,OAAO,MAAM,kCAAkC,EAAE,QAAQ,CAAC;AAC9E,UAAM,IAAI,WACR,0CAA0C,OACvC,KAAK,MAAM,EAAE,OAAO,OAAO,QAAQ,CACnC,OAAO,QAAQ,CACf,KAAK,KAAK,GACd;;AAGH,UAAO;IACL,aAAa,OAAO,KAAK,MAAM,EAAE,WAAW;IAC5C;IACA;IACA;IACD;;AAEH,MACE,QAAQ,WAAW,kCAAkC,aACrD,QAAQ,WAAW,kCAAkC,aACrD;AACA,OAAI,CAAC,YAAY,OAAO,MAAM,OAAO,MAAM,SAAS,CAClD,OAAM,IAAI,WACR,oCAAoC,OAAO,4CAA4C,KAAK,UAC1F,YACD,GACF;GAGH,MAAM,SAAS,MAAM,QAAQ,IAC3B,YAAY,IAAI,OAAO,MAAM;IAC3B,MAAM,aAAa,2BAA2B,kBAAkB,EAAE;AAMlE,WAAO;KAAE;KAAY,QALN,MAAM,KAAK,qBAAqB,iBAAiB,cAAc;MAC5E;MACA;MACD,CAAC;KAE2B;KAC7B,CACH;AAED,OAAI,CAAC,OAAO,OAAO,MAAM,EAAE,OAAO,QAAQ,EAAE;AAC1C,iBAAa,OAAO,OAAO,MAAM,kCAAkC,EAAE,QAAQ,CAAC;AAC9E,UAAM,IAAI,WACR,0CAA0C,OACvC,KAAK,MAAM,EAAE,OAAO,OAAO,QAAQ,CACnC,OAAO,QAAQ,CACf,KAAK,KAAK,GACd;;AAGH,UAAO;IACL,aAAa,OAAO,KAAK,MAAM,EAAE,WAAW;IAC5C;IACA;IACA;IACD;;AAEH,MAAI,WAAW,kCAAkC,OAAO;AACtD,OAAI,CAAC,YAAY,OAAO,MAAM,OAAO,MAAM,YAAY,MAAM,KAAK,CAChE,OAAM,IAAI,WACR,oCAAoC,OAAO,6CAA6C,KAAK,UAC3F,YACD,GACF;GAEH,MAAM,SAAS,MAAM,QAAQ,IAC3B,YAAY,IAAI,OAAO,MAAM;IAC3B,MAAM,aAAa,8BAA8B,SAAS,EAAE;AAM5D,WAAO;KAAE;KAAY,QALN,MAAM,KAAK,qBAAqB,iBAAiB,cAAc;MAC5E;MACA;MACD,CAAC;KAE2B;KAC7B,CACH;AAED,OAAI,CAAC,OAAO,OAAO,MAAM,EAAE,OAAO,QAAQ,EAAE;AAC1C,iBAAa,OAAO,OAAO,MAAM,kCAAkC,EAAE,QAAQ,CAAC;AAC9E,UAAM,IAAI,WACR,0CAA0C,OACvC,KAAK,MAAM,EAAE,OAAO,OAAO,QAAQ,CACnC,OAAO,QAAQ,CACf,KAAK,KAAK,GACd;;AAGH,UAAO;IACL,aAAa,OAAO,KAAK,MAAM,EAAE,WAAW;IAC5C;IACA;IACA;IACD;;AAEH,MAAI,WAAW,kCAAkC,SAAS;AACxD,OAAI,CAAC,YAAY,OAAO,MAAM,OAAO,MAAM,SAAS,CAClD,OAAM,IAAI,WACR,oCAAoC,OAAO,4CAA4C,KAAK,UAC1F,YACD,GACF;GAEH,MAAM,UAAU,aAAa,kBAAkB,QAAQ,QAAQ;GAC/D,MAAM,SAAS,MAAM,QAAQ,IAC3B,YAAY,IAAI,OAAO,eAAe;IACpC,MAAM,OAAO,KAAK,cAAc,WAAW;AAE3C,WAAO;KACL,QAFa,MAAM,QAAQ,OAAO,MAAM,EAAE,CAAC;KAG3C;KACD;KACD,CACH;AAED,OAAI,CAAC,OAAO,OAAO,MAAM,EAAE,OAAO,QAAQ,EAAE;AAC1C,iBAAa,OAAO,OAAO,MAAM,kCAAkC,EAAE,QAAQ,CAAC;AAC9E,UAAM,IAAI,WACR,+CAA+C,OAC5C,KAAK,GAAG,MAAO,EAAE,OAAO,UAAU,SAAY,IAAI,EAAE,IAAI,EAAE,OAAO,QAAS,CAC1E,OAAO,QAAQ,CACf,KAAK,QAAQ,GACjB;;AAGH,UAAO;IACL,aAAa,OAAO,KAAK,MAAM,EAAE,KAAK;IACtC;IACA;IACA;IACD;;AAGH,QAAM,IAAI,WAAW,iCAAiC,QAAQ,SAAS;;CAGzE,AAAQ,aACN,cACA,EAAE,mBAAmB,aAAgE,EAAE,EACvF;EACA,MAAM,YAAY,mBAAmB,aAAa;AAElD,SAAO;GACL,GAAG;GACH,uBAAuB,YAAY;IACjC,MAAM,EAAE,6BAA6B,KAAK,SAAS;IAEnD,MAAM,6BADe,KAAK,gBAAgB,aAAa,CACP,6BAA6B,EAC3E,6BACD,CAAC;AAGF,QAAI,qBAAqB,2BACvB,QAAO,yCAAyC;KAC9C,sBAAsB;KACtB;KACD,CAAC,CAAC,QAAQ;AAIb,QACE,QAAQ,4BAA4B,kBACpC,4BAA4B,sDAC5B,KAAK,eAAe,iCAEpB,QAAO,+BAA+B,CAAC,QAAQ;AAIjD,QAAI,SACF,QAAO,yBAAyB,EAAE,UAAU,CAAC,CAAC,QAAQ;AAKxD,QACE,QAAQ,4BAA4B,kBACpC,KAAK,eAAe,iCAEpB,QAAO,+BAA+B,CAAC,QAAQ;AAKjD,QAAI,KAAK,eAAe,4BACtB,QAAO,+BAA+B,CAAC,QAAQ;AAKjD,QAAI,QAAQ,4BAA4B,oCAAoC,KAAK,aAC/E,QAAO,+BAA+B,CAAC,QAAQ;AAGjD,UAAM,IAAI,WAAW,2CAA2C;;GAEnE;;CAGH,AAAQ,UAAU,cAA4B,UAA6D,EAAE,EAAE;AAC7G,SAAO,IAAI,iBAAiB,EAC1B,WAAW,KAAK,aAAa,cAAc,QAAQ,EACpD,CAAC;;CAGJ,AAAQ,gBAAgB,cAA4B,SAA6D;AAC/G,SAAO,IAAI,aAAa,EACtB,WAAW,UAAU,KAAK,aAAa,cAAc,QAAQ,GAAG,mBAAmB,aAAa,EACjG,CAAC;;;;CA1xCL,YAAY;oBAOR,OAAO,iBAAiB,OAAO"}
package/build/openid4vc-holder/OpenId4VciHolderServiceOptions.d.mts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"OpenId4VciHolderServiceOptions.d.mts","names":[],"sources":["../../src/openid4vc-holder/OpenId4VciHolderServiceOptions.ts"],"sourcesContent":[],"mappings":";;;;;;;KAeY,oCAAA,GACR,iCAAA,CAAkC,YAClC,iCAAA,CAAkC,cAClC,iCAAA,CAAkC,UAClC,iCAAA,CAAkC,UAClC,iCAAA,CAAkC,QAClC,iCAAA,CAAkC;AAN1B,cAQC,oCARmC,EAQG,oCARH,EAAA;AAAA,UAiB/B,4BAAA,CAjB+B;KAC5C,EAiBG,GAAA,CAAI,SAjBP;KACA,EAiBG,GAAA,CAAI,0BAjBP;OACA,CAAA,EAAA,MAAA;;;;;AAKJ;AASA;AAA6C,KAWjC,2BAAA,GAXiC,qBAAA,GAAA,oBAAA,GAAA,oBAAA;AACtC,KAYK,8BAAA,GAZD;aACA,EAAA,MAAA;EAA0B,YAAA,CAAA,EAAA,MAAA;EASzB,MAAA,CAAA,EAAA,MAAA;EAEA,IAAA,CAAA,EAIH,4BAJiC;EAAA,mBAAA,CAAA,EAAA,MAAA;qBAIjC,EAGc,6BAHd;;KAOJ,iBAJ+C,CAAA,CAAA,CAAA,GAIxB,CAJwB,SAAA,GAAA,GAIR,CAJQ,EAAA,GAAA,KAAA;AAI/C,UAEY,4BAAA,CAFK;EAAA,yBAAA,EAAA,MAAA;yBAAM,EAID,qDAJC;aAAgB,EAK7B,iBAL6B,CAKX,oBALW,CAAA;EAAC,cAAA,CAAA,EAAA,MAAA;AAE7C;AAA6C,UAO5B,oCAAA,CAP4B;2BAElB,EAAA,MAAA;yBACM,EAMN,qDANM;eAAlB,EAAA,MAAA;EAAiB,QAAA,CAAA,EAAA,MAAA;EAIf,cAAA,CAAA,EAAA,MAAA;AAQjB;AAAkD,UAAjC,iCAAA,CAAiC;UACtC,EAAA,oBAAA;wBACc,EAAA,qBAAA;;;AAQ1B;EAAkD,+BAAA,EAHf,sDAGe;;AASrC,KATD,sCAAA,GASC;qBAIY,EAAA,MAAA;mBAMZ,EAhBY,2BAAA,CAA4B,0BAgBxC;EAA4B,WAAA,EAAA,MAAA;EAGxB;;;MAiBI,CAAA,EA9BR,4BA8BQ;;EAEgB,uBAAA,EAAA,MAAA;EAGpB,iBAAA,EA/BQ,2BAAA,CAA4B,cA+BS;EAAA,YAAA,CAAA,EAAA,MAAA;;;;EA6B7C,IAAA,CAAA,EAtDJ,4BAsDI;CAA0C;AAChC,UApDV,iCAAA,CAoDU;UAQlB,EA3DG,oBA2DH;EAA4B,cAAA,EAAA,MAAA;EAYzB;;;aAER,EAAA,MAAA;EAA6C;AAEjD;;;;;AAkCA;EAA4E,iBAAA,EA7FvD,2BA6FuD;MACjD,CAAA,EA5FlB,4BA4FkB;;AACU,UA1FpB,6CAAA,CA0FoB;EAuBpB,uBAAA,EAhHU,iCAgHyB;EAAA,IAAA,EAAA,MAAA;UAAa,EAAA,MAAA;cACtC,CAAA,EAAA,MAAA;aAGlB,CAAA,EAAA,MAAA;QAJmD,CAAA,EAAA,KAAA;EAAI;AAgBhE;;;;;EA2CiB,IAAA,CAAA,EA7JR,4BA6JQ;EAA0C;;;;;AAa3D;AAgBA;;sBACgB,CAAA,EAAA,MAAA;;AAYI,UAzLH,0CAAA,CAyLG;yBAeN,EAvMa,iCAuMb;QAUa,CAAA,EAAA,MAAA;EAAqD,IAAA,CAAA,EAAA,SAAA;EAmDpE;;;MAEC,CAAA,EA9PJ,4BA8PI;;;;AAEb;;;;EAAwD,oBAAA,CAAA,EAAA,MAAA;AAoCxD;KAxRY,6BAAA,GACR,6CACA;KAEQ,6BAAA;;;;;kBAMM;;;;;;;;SAUT;;;;;;;;;;;;;;;UAkBQ,2DAAA;2BACU;SAClB;;;;;;;;;;;;;;;;;;;UAuBQ,kCAAA,SAA2C,KAAK;2BACtC;;;SAGlB;;;;;;;;;;UAYQ,sCAAA;;;;;;;;;;;;;;;;;;;;gDAsB+B,GAAA,CAAI;;;;;;;;;;;;;;6BAevB;;;;;UAMZ,0CAAA;kBACC;;;2BAGS;;;SAGlB;;;;;UAMQ,6BAAA;;;;;;;;;;;;;UAgBA,kCAAA;gBACD;;;;;YAMJ;;;;;oBAMQ;;;;;;;;;;;;;cAeN;;;;;;;;2BAUa;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;KAmDf,mCAAA,aACD,uCACN,QAAQ,oCAAoC;KAErC,mCAAA,GAAsC;;;;;;;gCASd,GAAA,CAAI;;;;;;;;;;;;;;;;;;;;;;;UA2BvB,uCAAA;cACH"}
1
+ {"version":3,"file":"OpenId4VciHolderServiceOptions.d.mts","names":[],"sources":["../../src/openid4vc-holder/OpenId4VciHolderServiceOptions.ts"],"sourcesContent":[],"mappings":";;;;;;;KAcY,oCAAA,GACR,iCAAA,CAAkC,YAClC,iCAAA,CAAkC,cAClC,iCAAA,CAAkC,UAClC,iCAAA,CAAkC,UAClC,iCAAA,CAAkC,QAClC,iCAAA,CAAkC;AAN1B,cAQC,oCARmC,EAQG,oCARH,EAAA;AAAA,UAiB/B,4BAAA,CAjB+B;KAC5C,EAiBG,GAAA,CAAI,SAjBP;KACA,EAiBG,GAAA,CAAI,0BAjBP;OACA,CAAA,EAAA,MAAA;;;;;AAKJ;AASA;AAA6C,KAWjC,2BAAA,GAXiC,qBAAA,GAAA,oBAAA,GAAA,oBAAA;AACtC,KAYK,8BAAA,GAZD;aACA,EAAA,MAAA;EAA0B,YAAA,CAAA,EAAA,MAAA;EASzB,MAAA,CAAA,EAAA,MAAA;EAEA,IAAA,CAAA,EAIH,4BAJiC;EAAA,mBAAA,CAAA,EAAA,MAAA;qBAIjC,EAGc,6BAHd;;KAOJ,iBAJ+C,CAAA,CAAA,CAAA,GAIxB,CAJwB,SAAA,GAAA,GAIR,CAJQ,EAAA,GAAA,KAAA;AAI/C,UAEY,4BAAA,CAFK;EAAA,yBAAA,EAAA,MAAA;yBAAM,EAID,qDAJC;aAAgB,EAK7B,iBAL6B,CAKX,oBALW,CAAA;EAAC,cAAA,CAAA,EAAA,MAAA;AAE7C;AAA6C,UAO5B,oCAAA,CAP4B;2BAElB,EAAA,MAAA;yBACM,EAMN,qDANM;eAAlB,EAAA,MAAA;EAAiB,QAAA,CAAA,EAAA,MAAA;EAIf,cAAA,CAAA,EAAA,MAAA;AAQjB;AAAkD,UAAjC,iCAAA,CAAiC;UACtC,EAAA,oBAAA;wBACc,EAAA,qBAAA;;;AAQ1B;EAAkD,+BAAA,EAHf,sDAGe;;AASrC,KATD,sCAAA,GASC;qBAIY,EAAA,MAAA;mBAMZ,EAhBY,2BAAA,CAA4B,0BAgBxC;EAA4B,WAAA,EAAA,MAAA;EAGxB;;;MAiBI,CAAA,EA9BR,4BA8BQ;;EAEgB,uBAAA,EAAA,MAAA;EAGpB,iBAAA,EA/BQ,2BAAA,CAA4B,cA+BS;EAAA,YAAA,CAAA,EAAA,MAAA;;;;EA6B7C,IAAA,CAAA,EAtDJ,4BAsDI;CAA0C;AAChC,UApDV,iCAAA,CAoDU;UAQlB,EA3DG,oBA2DH;EAA4B,cAAA,EAAA,MAAA;EAYzB;;;aAER,EAAA,MAAA;EAA6C;AAEjD;;;;;AAkCA;EAA4E,iBAAA,EA7FvD,2BA6FuD;MACjD,CAAA,EA5FlB,4BA4FkB;;AACU,UA1FpB,6CAAA,CA0FoB;EAuBpB,uBAAA,EAhHU,iCAgHyB;EAAA,IAAA,EAAA,MAAA;UAAa,EAAA,MAAA;cACtC,CAAA,EAAA,MAAA;aAGlB,CAAA,EAAA,MAAA;QAJmD,CAAA,EAAA,KAAA;EAAI;AAgBhE;;;;;EA2CiB,IAAA,CAAA,EA7JR,4BA6JQ;EAA0C;;;;;AAa3D;AAgBA;;sBACgB,CAAA,EAAA,MAAA;;AAYI,UAzLH,0CAAA,CAyLG;yBAeN,EAvMa,iCAuMb;QAUa,CAAA,EAAA,MAAA;EAAqD,IAAA,CAAA,EAAA,SAAA;EAmDpE;;;MAEC,CAAA,EA9PJ,4BA8PI;;;;AAEb;;;;EAAwD,oBAAA,CAAA,EAAA,MAAA;AAoCxD;KAxRY,6BAAA,GACR,6CACA;KAEQ,6BAAA;;;;;kBAMM;;;;;;;;SAUT;;;;;;;;;;;;;;;UAkBQ,2DAAA;2BACU;SAClB;;;;;;;;;;;;;;;;;;;UAuBQ,kCAAA,SAA2C,KAAK;2BACtC;;;SAGlB;;;;;;;;;;UAYQ,sCAAA;;;;;;;;;;;;;;;;;;;;gDAsB+B,GAAA,CAAI;;;;;;;;;;;;;;6BAevB;;;;;UAMZ,0CAAA;kBACC;;;2BAGS;;;SAGlB;;;;;UAMQ,6BAAA;;;;;;;;;;;;;UAgBA,kCAAA;gBACD;;;;;YAMJ;;;;;oBAMQ;;;;;;;;;;;;;cAeN;;;;;;;;2BAUa;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;KAmDf,mCAAA,aACD,uCACN,QAAQ,oCAAoC;KAErC,mCAAA,GAAsC;;;;;;;gCASd,GAAA,CAAI;;;;;;;;;;;;;;;;;;;;;;;UA2BvB,uCAAA;cACH"}
package/build/openid4vc-holder/OpenId4VciHolderServiceOptions.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"OpenId4VciHolderServiceOptions.d.ts","names":[],"sources":["../../src/openid4vc-holder/OpenId4VciHolderServiceOptions.ts"],"sourcesContent":[],"mappings":";;;;;;;KAeY,oCAAA,GACR,iCAAA,CAAkC,YAClC,iCAAA,CAAkC,cAClC,iCAAA,CAAkC,UAClC,iCAAA,CAAkC,UAClC,iCAAA,CAAkC,QAClC,iCAAA,CAAkC;AAN1B,cAQC,oCARmC,EAQG,oCARH,EAAA;AAAA,UAiB/B,4BAAA,CAjB+B;KAC5C,EAiBG,GAAA,CAAI,SAjBP;KACA,EAiBG,GAAA,CAAI,0BAjBP;OACA,CAAA,EAAA,MAAA;;;;;AAKJ;AASA;AAA6C,KAWjC,2BAAA,GAXiC,qBAAA,GAAA,oBAAA,GAAA,oBAAA;AACtC,KAYK,8BAAA,GAZD;aACA,EAAA,MAAA;EAA0B,YAAA,CAAA,EAAA,MAAA;EASzB,MAAA,CAAA,EAAA,MAAA;EAEA,IAAA,CAAA,EAIH,4BAJiC;EAAA,mBAAA,CAAA,EAAA,MAAA;qBAIjC,EAGc,6BAHd;;KAOJ,iBAJ+C,CAAA,CAAA,CAAA,GAIxB,CAJwB,SAAA,GAAA,GAIR,CAJQ,EAAA,GAAA,KAAA;AAI/C,UAEY,4BAAA,CAFK;EAAA,yBAAA,EAAA,MAAA;yBAAM,EAID,qDAJC;aAAgB,EAK7B,iBAL6B,CAKX,oBALW,CAAA;EAAC,cAAA,CAAA,EAAA,MAAA;AAE7C;AAA6C,UAO5B,oCAAA,CAP4B;2BAElB,EAAA,MAAA;yBACM,EAMN,qDANM;eAAlB,EAAA,MAAA;EAAiB,QAAA,CAAA,EAAA,MAAA;EAIf,cAAA,CAAA,EAAA,MAAA;AAQjB;AAAkD,UAAjC,iCAAA,CAAiC;UACtC,EAAA,oBAAA;wBACc,EAAA,qBAAA;;;AAQ1B;EAAkD,+BAAA,EAHf,sDAGe;;AASrC,KATD,sCAAA,GASC;qBAIY,EAAA,MAAA;mBAMZ,EAhBY,2BAAA,CAA4B,0BAgBxC;EAA4B,WAAA,EAAA,MAAA;EAGxB;;;MAiBI,CAAA,EA9BR,4BA8BQ;;EAEgB,uBAAA,EAAA,MAAA;EAGpB,iBAAA,EA/BQ,2BAAA,CAA4B,cA+BS;EAAA,YAAA,CAAA,EAAA,MAAA;;;;EA6B7C,IAAA,CAAA,EAtDJ,4BAsDI;CAA0C;AAChC,UApDV,iCAAA,CAoDU;UAQlB,EA3DG,oBA2DH;EAA4B,cAAA,EAAA,MAAA;EAYzB;;;aAER,EAAA,MAAA;EAA6C;AAEjD;;;;;AAkCA;EAA4E,iBAAA,EA7FvD,2BA6FuD;MACjD,CAAA,EA5FlB,4BA4FkB;;AACU,UA1FpB,6CAAA,CA0FoB;EAuBpB,uBAAA,EAhHU,iCAgHyB;EAAA,IAAA,EAAA,MAAA;UAAa,EAAA,MAAA;cACtC,CAAA,EAAA,MAAA;aAGlB,CAAA,EAAA,MAAA;QAJmD,CAAA,EAAA,KAAA;EAAI;AAgBhE;;;;;EA2CiB,IAAA,CAAA,EA7JR,4BA6JQ;EAA0C;;;;;AAa3D;AAgBA;;sBACgB,CAAA,EAAA,MAAA;;AAYI,UAzLH,0CAAA,CAyLG;yBAeN,EAvMa,iCAuMb;QAUa,CAAA,EAAA,MAAA;EAAqD,IAAA,CAAA,EAAA,SAAA;EAmDpE;;;MAEC,CAAA,EA9PJ,4BA8PI;;;;AAEb;;;;EAAwD,oBAAA,CAAA,EAAA,MAAA;AAoCxD;KAxRY,6BAAA,GACR,6CACA;KAEQ,6BAAA;;;;;kBAMM;;;;;;;;SAUT;;;;;;;;;;;;;;;UAkBQ,2DAAA;2BACU;SAClB;;;;;;;;;;;;;;;;;;;UAuBQ,kCAAA,SAA2C,KAAK;2BACtC;;;SAGlB;;;;;;;;;;UAYQ,sCAAA;;;;;;;;;;;;;;;;;;;;gDAsB+B,GAAA,CAAI;;;;;;;;;;;;;;6BAevB;;;;;UAMZ,0CAAA;kBACC;;;2BAGS;;;SAGlB;;;;;UAMQ,6BAAA;;;;;;;;;;;;;UAgBA,kCAAA;gBACD;;;;;YAMJ;;;;;oBAMQ;;;;;;;;;;;;;cAeN;;;;;;;;2BAUa;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;KAmDf,mCAAA,aACD,uCACN,QAAQ,oCAAoC;KAErC,mCAAA,GAAsC;;;;;;;gCASd,GAAA,CAAI;;;;;;;;;;;;;;;;;;;;;;;UA2BvB,uCAAA;cACH"}
1
+ {"version":3,"file":"OpenId4VciHolderServiceOptions.d.ts","names":[],"sources":["../../src/openid4vc-holder/OpenId4VciHolderServiceOptions.ts"],"sourcesContent":[],"mappings":";;;;;;;KAcY,oCAAA,GACR,iCAAA,CAAkC,YAClC,iCAAA,CAAkC,cAClC,iCAAA,CAAkC,UAClC,iCAAA,CAAkC,UAClC,iCAAA,CAAkC,QAClC,iCAAA,CAAkC;AAN1B,cAQC,oCARmC,EAQG,oCARH,EAAA;AAAA,UAiB/B,4BAAA,CAjB+B;KAC5C,EAiBG,GAAA,CAAI,SAjBP;KACA,EAiBG,GAAA,CAAI,0BAjBP;OACA,CAAA,EAAA,MAAA;;;;;AAKJ;AASA;AAA6C,KAWjC,2BAAA,GAXiC,qBAAA,GAAA,oBAAA,GAAA,oBAAA;AACtC,KAYK,8BAAA,GAZD;aACA,EAAA,MAAA;EAA0B,YAAA,CAAA,EAAA,MAAA;EASzB,MAAA,CAAA,EAAA,MAAA;EAEA,IAAA,CAAA,EAIH,4BAJiC;EAAA,mBAAA,CAAA,EAAA,MAAA;qBAIjC,EAGc,6BAHd;;KAOJ,iBAJ+C,CAAA,CAAA,CAAA,GAIxB,CAJwB,SAAA,GAAA,GAIR,CAJQ,EAAA,GAAA,KAAA;AAI/C,UAEY,4BAAA,CAFK;EAAA,yBAAA,EAAA,MAAA;yBAAM,EAID,qDAJC;aAAgB,EAK7B,iBAL6B,CAKX,oBALW,CAAA;EAAC,cAAA,CAAA,EAAA,MAAA;AAE7C;AAA6C,UAO5B,oCAAA,CAP4B;2BAElB,EAAA,MAAA;yBACM,EAMN,qDANM;eAAlB,EAAA,MAAA;EAAiB,QAAA,CAAA,EAAA,MAAA;EAIf,cAAA,CAAA,EAAA,MAAA;AAQjB;AAAkD,UAAjC,iCAAA,CAAiC;UACtC,EAAA,oBAAA;wBACc,EAAA,qBAAA;;;AAQ1B;EAAkD,+BAAA,EAHf,sDAGe;;AASrC,KATD,sCAAA,GASC;qBAIY,EAAA,MAAA;mBAMZ,EAhBY,2BAAA,CAA4B,0BAgBxC;EAA4B,WAAA,EAAA,MAAA;EAGxB;;;MAiBI,CAAA,EA9BR,4BA8BQ;;EAEgB,uBAAA,EAAA,MAAA;EAGpB,iBAAA,EA/BQ,2BAAA,CAA4B,cA+BS;EAAA,YAAA,CAAA,EAAA,MAAA;;;;EA6B7C,IAAA,CAAA,EAtDJ,4BAsDI;CAA0C;AAChC,UApDV,iCAAA,CAoDU;UAQlB,EA3DG,oBA2DH;EAA4B,cAAA,EAAA,MAAA;EAYzB;;;aAER,EAAA,MAAA;EAA6C;AAEjD;;;;;AAkCA;EAA4E,iBAAA,EA7FvD,2BA6FuD;MACjD,CAAA,EA5FlB,4BA4FkB;;AACU,UA1FpB,6CAAA,CA0FoB;EAuBpB,uBAAA,EAhHU,iCAgHyB;EAAA,IAAA,EAAA,MAAA;UAAa,EAAA,MAAA;cACtC,CAAA,EAAA,MAAA;aAGlB,CAAA,EAAA,MAAA;QAJmD,CAAA,EAAA,KAAA;EAAI;AAgBhE;;;;;EA2CiB,IAAA,CAAA,EA7JR,4BA6JQ;EAA0C;;;;;AAa3D;AAgBA;;sBACgB,CAAA,EAAA,MAAA;;AAYI,UAzLH,0CAAA,CAyLG;yBAeN,EAvMa,iCAuMb;QAUa,CAAA,EAAA,MAAA;EAAqD,IAAA,CAAA,EAAA,SAAA;EAmDpE;;;MAEC,CAAA,EA9PJ,4BA8PI;;;;AAEb;;;;EAAwD,oBAAA,CAAA,EAAA,MAAA;AAoCxD;KAxRY,6BAAA,GACR,6CACA;KAEQ,6BAAA;;;;;kBAMM;;;;;;;;SAUT;;;;;;;;;;;;;;;UAkBQ,2DAAA;2BACU;SAClB;;;;;;;;;;;;;;;;;;;UAuBQ,kCAAA,SAA2C,KAAK;2BACtC;;;SAGlB;;;;;;;;;;UAYQ,sCAAA;;;;;;;;;;;;;;;;;;;;gDAsB+B,GAAA,CAAI;;;;;;;;;;;;;;6BAevB;;;;;UAMZ,0CAAA;kBACC;;;2BAGS;;;SAGlB;;;;;UAMQ,6BAAA;;;;;;;;;;;;;UAgBA,kCAAA;gBACD;;;;;YAMJ;;;;;oBAMQ;;;;;;;;;;;;;cAeN;;;;;;;;2BAUa;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;KAmDf,mCAAA,aACD,uCACN,QAAQ,oCAAoC;KAErC,mCAAA,GAAsC;;;;;;;gCASd,GAAA,CAAI;;;;;;;;;;;;;;;;;;;;;;;UA2BvB,uCAAA;cACH"}
package/build/openid4vc-holder/OpenId4VciHolderServiceOptions.mjs.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"OpenId4VciHolderServiceOptions.mjs","names":["openId4VciSupportedCredentialFormats: OpenId4VciSupportedCredentialFormats[]"],"sources":["../../src/openid4vc-holder/OpenId4VciHolderServiceOptions.ts"],"sourcesContent":["import type { AgentContext, Kms, VerifiableCredential } from '@credo-ts/core'\nimport type { CredentialOfferObject, IssuerMetadataResult } from '@openid4vc/openid4vci'\nimport type {\n OpenId4VcCredentialHolderBinding,\n OpenId4VciAccessTokenResponse,\n OpenId4VciCredentialConfigurationSupportedWithFormats,\n OpenId4VciCredentialConfigurationsSupportedWithFormats,\n OpenId4VciMetadata,\n} from '../shared'\n\nimport { AuthorizationFlow as OpenId4VciAuthorizationFlow } from '@openid4vc/openid4vci'\nimport { OpenId4VciCredentialFormatProfile } from '../shared/models/OpenId4VciCredentialFormatProfile'\n\nexport { OpenId4VciAuthorizationFlow }\n\nexport type OpenId4VciSupportedCredentialFormats =\n | OpenId4VciCredentialFormatProfile.JwtVcJson\n | OpenId4VciCredentialFormatProfile.JwtVcJsonLd\n | OpenId4VciCredentialFormatProfile.SdJwtVc\n | OpenId4VciCredentialFormatProfile.SdJwtDc\n | OpenId4VciCredentialFormatProfile.LdpVc\n | OpenId4VciCredentialFormatProfile.MsoMdoc\n\nexport const openId4VciSupportedCredentialFormats: OpenId4VciSupportedCredentialFormats[] = [\n OpenId4VciCredentialFormatProfile.JwtVcJson,\n OpenId4VciCredentialFormatProfile.JwtVcJsonLd,\n OpenId4VciCredentialFormatProfile.SdJwtVc,\n OpenId4VciCredentialFormatProfile.SdJwtDc,\n OpenId4VciCredentialFormatProfile.LdpVc,\n OpenId4VciCredentialFormatProfile.MsoMdoc,\n]\n\nexport interface OpenId4VciDpopRequestOptions {\n jwk: Kms.PublicJwk\n alg: Kms.KnownJwaSignatureAlgorithm\n nonce?: string\n}\n\n/**\n * 'credential_accepted' The Credential was successfully stored in the Wallet.\n * 'credential_deleted' when the unsuccessful Credential issuance was caused by a user action.\n * 'credential_failure' otherwise.\n */\nexport type OpenId4VciNotificationEvent = 'credential_accepted' | 'credential_failure' | 'credential_deleted'\n\nexport type OpenId4VciRequestTokenResponse = {\n accessToken: string\n refreshToken?: string\n cNonce?: string\n dpop?: OpenId4VciDpopRequestOptions\n authorizationServer?: string\n\n accessTokenResponse: OpenId4VciAccessTokenResponse\n}\n\n// biome-ignore lint/suspicious/noExplicitAny: <explanation>\ntype UnionToArrayUnion<T> = T extends any ? T[] : never\n\nexport interface OpenId4VciCredentialResponse {\n credentialConfigurationId: string\n credentialConfiguration: OpenId4VciCredentialConfigurationSupportedWithFormats\n credentials: UnionToArrayUnion<VerifiableCredential>\n notificationId?: string\n}\n\nexport interface OpenId4VciDeferredCredentialResponse {\n credentialConfigurationId: string\n credentialConfiguration: OpenId4VciCredentialConfigurationSupportedWithFormats\n transactionId: string\n interval?: number\n notificationId?: string\n}\n\nexport interface OpenId4VciResolvedCredentialOffer {\n metadata: IssuerMetadataResult\n credentialOfferPayload: CredentialOfferObject\n\n /**\n * Offered credential configurations with known formats\n */\n offeredCredentialConfigurations: OpenId4VciCredentialConfigurationsSupportedWithFormats\n}\n\nexport type OpenId4VciResolvedAuthorizationRequest =\n | {\n openid4vpRequestUrl: string\n authorizationFlow: OpenId4VciAuthorizationFlow.PresentationDuringIssuance\n authSession: string\n\n /**\n * DPoP request options if DPoP was used for the authorization challenge request\n */\n dpop?: OpenId4VciDpopRequestOptions\n }\n | {\n authorizationRequestUrl: string\n authorizationFlow: OpenId4VciAuthorizationFlow.Oauth2Redirect\n codeVerifier?: string\n\n /**\n * DPoP request options if DPoP was used for the pushed authorization reuqest\n */\n dpop?: OpenId4VciDpopRequestOptions\n }\n\nexport interface OpenId4VciSendNotificationOptions {\n metadata: IssuerMetadataResult\n\n notificationId: string\n\n /**\n * The access token obtained through @see requestToken\n */\n accessToken: string\n\n /**\n * The notification event\n *\n * 'credential_accepted' The Credential was successfully stored in the Wallet.\n * 'credential_deleted' when the unsuccessful Credential issuance was caused by a user action.\n * 'credential_failure' otherwise.\n */\n notificationEvent: OpenId4VciNotificationEvent\n\n dpop?: OpenId4VciDpopRequestOptions\n}\n\nexport interface OpenId4VcAuthorizationCodeTokenRequestOptions {\n resolvedCredentialOffer: OpenId4VciResolvedCredentialOffer\n code: string\n clientId: string\n codeVerifier?: string\n redirectUri?: string\n\n txCode?: never\n\n /**\n * DPoP parameters to use in the request if supported by the authorization server.\n *\n * If DPoP was already used in the initiateAuthorization method, it should be provided\n * here as well and be bound to the same key.\n */\n dpop?: OpenId4VciDpopRequestOptions\n\n /**\n * The wallet attestation to send to the issuer. This will only be used\n * if client attestations are supported by the issuer, and should be provided\n * if wallet attestation was provided in the authorization request as well.\n *\n * A Proof of Possession will be created based on the wallet attestation,\n * so the key bound to the wallet attestation must be in the wallet.\n */\n walletAttestationJwt?: string\n}\n\n// TODO: support wallet attestation for pre-auth flow\nexport interface OpenId4VciPreAuthorizedTokenRequestOptions {\n resolvedCredentialOffer: OpenId4VciResolvedCredentialOffer\n txCode?: string\n\n code?: undefined\n\n /**\n * DPoP parameters to use in the request if supported by the authorization server.\n */\n dpop?: OpenId4VciDpopRequestOptions\n\n /**\n * The wallet attestation to send to the issuer. This will only be used\n * if client attestations are supported by the issuer.\n *\n * A Proof of Possession will be created based on the wallet attestation,\n * so the key bound to the wallet attestation must be in the wallet.\n */\n walletAttestationJwt?: string\n}\n\nexport type OpenId4VciTokenRequestOptions =\n | OpenId4VciPreAuthorizedTokenRequestOptions\n | OpenId4VcAuthorizationCodeTokenRequestOptions\n\nexport type OpenId4VciTokenRefreshOptions = {\n refreshToken: string\n\n /**\n * The issuer metadata.\n */\n issuerMetadata: IssuerMetadataResult\n\n /**\n * The authorization server where the refresh token was obtained from.\n */\n authorizationServer?: string\n\n /**\n * DPoP parameters to use in the request if supported by the authorization server.\n */\n dpop?: OpenId4VciDpopRequestOptions\n\n /**\n * The client id used for authorization. Only required if authorization_code flow was used.\n */\n clientId?: string\n\n /**\n * The wallet attestation to send to the issuer. This will only be used\n * if client attestations are supported by the issuer, and should be provided\n * if wallet attestation was provided in the authorization request as well.\n *\n * A Proof of Possession will be created based on the wallet attestation,\n * so the key bound to the wallet attestation must be in the wallet.\n */\n walletAttestationJwt?: string\n}\n\nexport interface OpenId4VciRetrieveAuthorizationCodeUsingPresentationOptions {\n resolvedCredentialOffer: OpenId4VciResolvedCredentialOffer\n dpop?: OpenId4VciDpopRequestOptions\n\n /**\n * The wallet attestation to send to the issuer. This will only be used\n * if client attestations are supported by the issuer, and should be provided\n * if wallet attestation was provided in the authorization request as well.\n *\n * A Proof of Possession will be created based on the wallet attestation,\n * so the key bound to the wallet attestation must be in the wallet.\n */\n walletAttestationJwt?: string\n\n /**\n * auth session returned at an earlier call to the authorization challenge endpoint\n */\n authSession: string\n\n /**\n * Presentation during issuance session returned by the verifier after submitting a valid presentation\n */\n presentationDuringIssuanceSession?: string\n}\n\nexport interface OpenId4VciCredentialRequestOptions extends Omit<OpenId4VciAcceptCredentialOfferOptions, 'userPin'> {\n resolvedCredentialOffer: OpenId4VciResolvedCredentialOffer\n accessToken: string\n cNonce?: string\n dpop?: OpenId4VciDpopRequestOptions\n\n /**\n * The client id used for authorization. Only required if authorization_code flow was used.\n */\n clientId?: string\n}\n\n/**\n * Options that are used to accept a credential offer for both the pre-authorized code flow and authorization code flow.\n * NOTE: Merge with @see OpenId4VciCredentialRequestOptions for 0.6\n */\nexport interface OpenId4VciAcceptCredentialOfferOptions {\n /**\n * This is the list of credentials configuration ids that will be requested from the issuer.\n * Should be a list of ids of the credentials that are included in the credential offer.\n * If not provided all offered credentials will be requested.\n */\n credentialConfigurationIds?: string[]\n\n verifyCredentialStatus?: boolean\n\n /**\n * A list of allowed proof of possession signature algorithms in order of preference.\n *\n * Note that the signature algorithms must be supported by the wallet implementation.\n * Signature algorithms that are not supported by the wallet will be ignored.\n *\n * The proof of possession (pop) signature algorithm is used in the credential request\n * to bind the credential to a did. In most cases the JWA signature algorithm\n * that is used in the pop will determine the cryptographic suite that is used\n * for signing the credential, but this not a requirement for the spec. E.g. if the\n * pop uses EdDsa, the credential will most commonly also use EdDsa, or Ed25519Signature2018/2020.\n */\n allowedProofOfPossessionSignatureAlgorithms?: Kms.KnownJwaSignatureAlgorithm[]\n\n /**\n * A function that should resolve key material for binding the to-be-issued credential\n * to the holder based on the options passed. This key material will be used for signing\n * the proof of possession included in the credential request.\n *\n * This method will be called once for each of the credentials that are included\n * in the credential offer.\n *\n * Based on the credential format, JWA signature algorithm, verification method types\n * and binding methods (did methods, jwk), the resolver must return an object\n * conformant to the `CredentialHolderBinding` interface, which will be used\n * for the proof of possession signature.\n */\n credentialBindingResolver: OpenId4VciCredentialBindingResolver\n}\n\n/**\n * Options to request deferred credentials from the issuer.\n */\nexport interface OpenId4VciDeferredCredentialRequestOptions {\n issuerMetadata: IssuerMetadataResult\n transactionId: string\n credentialConfigurationId: string\n credentialConfiguration: OpenId4VciCredentialConfigurationSupportedWithFormats\n verifyCredentialStatus?: boolean\n accessToken: string\n dpop?: OpenId4VciDpopRequestOptions\n}\n\n/**\n * Options that are used for the authorization code flow.\n */\nexport interface OpenId4VciAuthCodeFlowOptions {\n clientId: string\n\n /**\n * The wallet attestation to send to the issuer. This will only be used\n * if client attestations and PAR are supported by the issuer.\n *\n * A Proof of Possesion will be created based on the wallet attestation,\n * so the key bound to the wallet attestation must be in the wallet.\n */\n walletAttestationJwt?: string\n\n redirectUri: string\n scope?: string[]\n}\n\nexport interface OpenId4VciCredentialBindingOptions {\n agentContext: AgentContext\n\n /**\n * The OpenID4VCI metadata, consisting of the draft version used,\n * the issuer metadatan and the authorization server metadata\n */\n metadata: OpenId4VciMetadata\n\n /**\n * The credential format that will be requested from the issuer.\n * E.g. `jwt_vc` or `ldp_vc`.\n */\n credentialFormat: OpenId4VciSupportedCredentialFormats\n\n /**\n * The max batch size as configured by the issuer. If the issuer has not indicated support for batch issuance\n * this will be `1`.\n */\n issuerMaxBatchSize: number\n\n /**\n * The proof types supported by the credential issuer that are also supported\n * by credo. Currently `jwt` and `attestation` are supported.\n *\n * Each proof type will list the supported algorithms, key types\n * and whether key attesations are required\n */\n proofTypes: OpenId4VciProofOfPressionProofTypes\n\n /**\n * The id of the credential configuration that will be requested from the issuer.\n */\n credentialConfigurationId: string\n\n /**\n * The credential configuration that will be requested from the issuer.\n */\n credentialConfiguration: OpenId4VciCredentialConfigurationSupportedWithFormats\n\n /**\n * Whether the issuer supports the `did` cryptographic binding method,\n * indicating they support all did methods. In most cases, they do not\n * support all did methods, and it means we have to make an assumption\n * about the did methods they support.\n *\n * If this value is `false`, the `supportedDidMethods` property will\n * contain a list of supported did methods.\n *\n * NOTE: when key attestations are required for a specific proof type, support for did method\n * binding is not supported at the moment, as there's no way to indicate which did the credential\n * should be bound to.\n * https://github.com/openid/OpenID4VCI/issues/475\n */\n supportsAllDidMethods: boolean\n\n /**\n * A list of supported did methods. This is only used if the `supportsAllDidMethods`\n * property is `false`. When this array is populated, the returned verification method\n * MUST be based on one of these did methods.\n *\n * The did methods are returned in the format `did:<method>`, e.g. `did:web`.\n *\n * The value is undefined in the case the supported did methods could not be extracted.\n * This is the case when the issuer didn't include the supported did methods in the issuer metadata.\n *\n * NOTE: an empty array (no did methods supported) has a different meaning from the value\n * being undefined (the supported did methods could not be extracted). If `supportsAllDidMethods`\n * is true, the value of this property MUST be ignored.\n *\n * NOTE: when key attestations are required for a specific proof type, support for did method\n * binding is not supported at the moment, as there's no way to indicate which did the credential\n * should be bound to.\n * https://github.com/openid/OpenID4VCI/issues/475\n */\n supportedDidMethods?: string[]\n\n /**\n * Whether the issuer supports the `jwk` cryptographic binding method,\n * indicating they support proof of possession signatures bound to a jwk.\n */\n supportsJwk: boolean\n}\n\n/**\n * The proof of possession verification method resolver is a function that can be passed by the\n * user of the framework and allows them to determine which verification method should be used\n * for the proof of possession signature.\n */\nexport type OpenId4VciCredentialBindingResolver = (\n options: OpenId4VciCredentialBindingOptions\n) => Promise<OpenId4VcCredentialHolderBinding> | OpenId4VcCredentialHolderBinding\n\nexport type OpenId4VciProofOfPressionProofTypes = Record<\n 'jwt' | 'attestation',\n | {\n /**\n * The JWA Signature Algorithm(s) that can be used in the proof of possession.\n * This is based on the `allowedProofOfPossessionSignatureAlgorithms` passed\n * to the request credential method, and the supported proof type signature\n * algorithms for the specific credential configuration\n */\n supportedSignatureAlgorithms: Kms.KnownJwaSignatureAlgorithm[]\n\n /**\n * Whether key attestations are required and which level needs to be met. If the object\n * is not defined, it can be interpreted that key attestations are not required.\n *\n * OpenID4VCI defined common levels in https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html#appendix-D.2, such as:\n * - `iso_18045_high`\n * - `iso_18045_moderate`\n * - `iso_18045_enhanced-basic`\n * - `iso_18045_basic`\n *\n * Other values may be defined and present as well. When key attestations are required you MUST return a key attestation.\n * If `userAuthentication` or `keyStorage` are defined you MUST return a key attestation that reaches the level as required\n * by the `keyStorage` and `userAuthentication` values.\n */\n keyAttestationsRequired?: {\n keyStorage?: string[]\n userAuthentication?: string[]\n }\n }\n | undefined\n>\n\n/**\n * @internal\n */\nexport interface OpenId4VciProofOfPossessionRequirements {\n proofTypes: OpenId4VciProofOfPressionProofTypes\n supportedDidMethods?: string[]\n supportsAllDidMethods: boolean\n supportsJwk: boolean\n}\n"],"mappings":";;;;AAuBA,MAAaA,uCAA+E;CAC1F,kCAAkC;CAClC,kCAAkC;CAClC,kCAAkC;CAClC,kCAAkC;CAClC,kCAAkC;CAClC,kCAAkC;CACnC"}
1
+ {"version":3,"file":"OpenId4VciHolderServiceOptions.mjs","names":["openId4VciSupportedCredentialFormats: OpenId4VciSupportedCredentialFormats[]"],"sources":["../../src/openid4vc-holder/OpenId4VciHolderServiceOptions.ts"],"sourcesContent":["import type { AgentContext, Kms, VerifiableCredential } from '@credo-ts/core'\nimport type { CredentialOfferObject, IssuerMetadataResult } from '@openid4vc/openid4vci'\nimport { AuthorizationFlow as OpenId4VciAuthorizationFlow } from '@openid4vc/openid4vci'\nimport type {\n OpenId4VcCredentialHolderBinding,\n OpenId4VciAccessTokenResponse,\n OpenId4VciCredentialConfigurationSupportedWithFormats,\n OpenId4VciCredentialConfigurationsSupportedWithFormats,\n OpenId4VciMetadata,\n} from '../shared'\nimport { OpenId4VciCredentialFormatProfile } from '../shared/models/OpenId4VciCredentialFormatProfile'\n\nexport { OpenId4VciAuthorizationFlow }\n\nexport type OpenId4VciSupportedCredentialFormats =\n | OpenId4VciCredentialFormatProfile.JwtVcJson\n | OpenId4VciCredentialFormatProfile.JwtVcJsonLd\n | OpenId4VciCredentialFormatProfile.SdJwtVc\n | OpenId4VciCredentialFormatProfile.SdJwtDc\n | OpenId4VciCredentialFormatProfile.LdpVc\n | OpenId4VciCredentialFormatProfile.MsoMdoc\n\nexport const openId4VciSupportedCredentialFormats: OpenId4VciSupportedCredentialFormats[] = [\n OpenId4VciCredentialFormatProfile.JwtVcJson,\n OpenId4VciCredentialFormatProfile.JwtVcJsonLd,\n OpenId4VciCredentialFormatProfile.SdJwtVc,\n OpenId4VciCredentialFormatProfile.SdJwtDc,\n OpenId4VciCredentialFormatProfile.LdpVc,\n OpenId4VciCredentialFormatProfile.MsoMdoc,\n]\n\nexport interface OpenId4VciDpopRequestOptions {\n jwk: Kms.PublicJwk\n alg: Kms.KnownJwaSignatureAlgorithm\n nonce?: string\n}\n\n/**\n * 'credential_accepted' The Credential was successfully stored in the Wallet.\n * 'credential_deleted' when the unsuccessful Credential issuance was caused by a user action.\n * 'credential_failure' otherwise.\n */\nexport type OpenId4VciNotificationEvent = 'credential_accepted' | 'credential_failure' | 'credential_deleted'\n\nexport type OpenId4VciRequestTokenResponse = {\n accessToken: string\n refreshToken?: string\n cNonce?: string\n dpop?: OpenId4VciDpopRequestOptions\n authorizationServer?: string\n\n accessTokenResponse: OpenId4VciAccessTokenResponse\n}\n\n// biome-ignore lint/suspicious/noExplicitAny: no explanation\ntype UnionToArrayUnion<T> = T extends any ? T[] : never\n\nexport interface OpenId4VciCredentialResponse {\n credentialConfigurationId: string\n credentialConfiguration: OpenId4VciCredentialConfigurationSupportedWithFormats\n credentials: UnionToArrayUnion<VerifiableCredential>\n notificationId?: string\n}\n\nexport interface OpenId4VciDeferredCredentialResponse {\n credentialConfigurationId: string\n credentialConfiguration: OpenId4VciCredentialConfigurationSupportedWithFormats\n transactionId: string\n interval?: number\n notificationId?: string\n}\n\nexport interface OpenId4VciResolvedCredentialOffer {\n metadata: IssuerMetadataResult\n credentialOfferPayload: CredentialOfferObject\n\n /**\n * Offered credential configurations with known formats\n */\n offeredCredentialConfigurations: OpenId4VciCredentialConfigurationsSupportedWithFormats\n}\n\nexport type OpenId4VciResolvedAuthorizationRequest =\n | {\n openid4vpRequestUrl: string\n authorizationFlow: OpenId4VciAuthorizationFlow.PresentationDuringIssuance\n authSession: string\n\n /**\n * DPoP request options if DPoP was used for the authorization challenge request\n */\n dpop?: OpenId4VciDpopRequestOptions\n }\n | {\n authorizationRequestUrl: string\n authorizationFlow: OpenId4VciAuthorizationFlow.Oauth2Redirect\n codeVerifier?: string\n\n /**\n * DPoP request options if DPoP was used for the pushed authorization reuqest\n */\n dpop?: OpenId4VciDpopRequestOptions\n }\n\nexport interface OpenId4VciSendNotificationOptions {\n metadata: IssuerMetadataResult\n\n notificationId: string\n\n /**\n * The access token obtained through @see requestToken\n */\n accessToken: string\n\n /**\n * The notification event\n *\n * 'credential_accepted' The Credential was successfully stored in the Wallet.\n * 'credential_deleted' when the unsuccessful Credential issuance was caused by a user action.\n * 'credential_failure' otherwise.\n */\n notificationEvent: OpenId4VciNotificationEvent\n\n dpop?: OpenId4VciDpopRequestOptions\n}\n\nexport interface OpenId4VcAuthorizationCodeTokenRequestOptions {\n resolvedCredentialOffer: OpenId4VciResolvedCredentialOffer\n code: string\n clientId: string\n codeVerifier?: string\n redirectUri?: string\n\n txCode?: never\n\n /**\n * DPoP parameters to use in the request if supported by the authorization server.\n *\n * If DPoP was already used in the initiateAuthorization method, it should be provided\n * here as well and be bound to the same key.\n */\n dpop?: OpenId4VciDpopRequestOptions\n\n /**\n * The wallet attestation to send to the issuer. This will only be used\n * if client attestations are supported by the issuer, and should be provided\n * if wallet attestation was provided in the authorization request as well.\n *\n * A Proof of Possession will be created based on the wallet attestation,\n * so the key bound to the wallet attestation must be in the wallet.\n */\n walletAttestationJwt?: string\n}\n\n// TODO: support wallet attestation for pre-auth flow\nexport interface OpenId4VciPreAuthorizedTokenRequestOptions {\n resolvedCredentialOffer: OpenId4VciResolvedCredentialOffer\n txCode?: string\n\n code?: undefined\n\n /**\n * DPoP parameters to use in the request if supported by the authorization server.\n */\n dpop?: OpenId4VciDpopRequestOptions\n\n /**\n * The wallet attestation to send to the issuer. This will only be used\n * if client attestations are supported by the issuer.\n *\n * A Proof of Possession will be created based on the wallet attestation,\n * so the key bound to the wallet attestation must be in the wallet.\n */\n walletAttestationJwt?: string\n}\n\nexport type OpenId4VciTokenRequestOptions =\n | OpenId4VciPreAuthorizedTokenRequestOptions\n | OpenId4VcAuthorizationCodeTokenRequestOptions\n\nexport type OpenId4VciTokenRefreshOptions = {\n refreshToken: string\n\n /**\n * The issuer metadata.\n */\n issuerMetadata: IssuerMetadataResult\n\n /**\n * The authorization server where the refresh token was obtained from.\n */\n authorizationServer?: string\n\n /**\n * DPoP parameters to use in the request if supported by the authorization server.\n */\n dpop?: OpenId4VciDpopRequestOptions\n\n /**\n * The client id used for authorization. Only required if authorization_code flow was used.\n */\n clientId?: string\n\n /**\n * The wallet attestation to send to the issuer. This will only be used\n * if client attestations are supported by the issuer, and should be provided\n * if wallet attestation was provided in the authorization request as well.\n *\n * A Proof of Possession will be created based on the wallet attestation,\n * so the key bound to the wallet attestation must be in the wallet.\n */\n walletAttestationJwt?: string\n}\n\nexport interface OpenId4VciRetrieveAuthorizationCodeUsingPresentationOptions {\n resolvedCredentialOffer: OpenId4VciResolvedCredentialOffer\n dpop?: OpenId4VciDpopRequestOptions\n\n /**\n * The wallet attestation to send to the issuer. This will only be used\n * if client attestations are supported by the issuer, and should be provided\n * if wallet attestation was provided in the authorization request as well.\n *\n * A Proof of Possession will be created based on the wallet attestation,\n * so the key bound to the wallet attestation must be in the wallet.\n */\n walletAttestationJwt?: string\n\n /**\n * auth session returned at an earlier call to the authorization challenge endpoint\n */\n authSession: string\n\n /**\n * Presentation during issuance session returned by the verifier after submitting a valid presentation\n */\n presentationDuringIssuanceSession?: string\n}\n\nexport interface OpenId4VciCredentialRequestOptions extends Omit<OpenId4VciAcceptCredentialOfferOptions, 'userPin'> {\n resolvedCredentialOffer: OpenId4VciResolvedCredentialOffer\n accessToken: string\n cNonce?: string\n dpop?: OpenId4VciDpopRequestOptions\n\n /**\n * The client id used for authorization. Only required if authorization_code flow was used.\n */\n clientId?: string\n}\n\n/**\n * Options that are used to accept a credential offer for both the pre-authorized code flow and authorization code flow.\n * NOTE: Merge with @see OpenId4VciCredentialRequestOptions for 0.6\n */\nexport interface OpenId4VciAcceptCredentialOfferOptions {\n /**\n * This is the list of credentials configuration ids that will be requested from the issuer.\n * Should be a list of ids of the credentials that are included in the credential offer.\n * If not provided all offered credentials will be requested.\n */\n credentialConfigurationIds?: string[]\n\n verifyCredentialStatus?: boolean\n\n /**\n * A list of allowed proof of possession signature algorithms in order of preference.\n *\n * Note that the signature algorithms must be supported by the wallet implementation.\n * Signature algorithms that are not supported by the wallet will be ignored.\n *\n * The proof of possession (pop) signature algorithm is used in the credential request\n * to bind the credential to a did. In most cases the JWA signature algorithm\n * that is used in the pop will determine the cryptographic suite that is used\n * for signing the credential, but this not a requirement for the spec. E.g. if the\n * pop uses EdDsa, the credential will most commonly also use EdDsa, or Ed25519Signature2018/2020.\n */\n allowedProofOfPossessionSignatureAlgorithms?: Kms.KnownJwaSignatureAlgorithm[]\n\n /**\n * A function that should resolve key material for binding the to-be-issued credential\n * to the holder based on the options passed. This key material will be used for signing\n * the proof of possession included in the credential request.\n *\n * This method will be called once for each of the credentials that are included\n * in the credential offer.\n *\n * Based on the credential format, JWA signature algorithm, verification method types\n * and binding methods (did methods, jwk), the resolver must return an object\n * conformant to the `CredentialHolderBinding` interface, which will be used\n * for the proof of possession signature.\n */\n credentialBindingResolver: OpenId4VciCredentialBindingResolver\n}\n\n/**\n * Options to request deferred credentials from the issuer.\n */\nexport interface OpenId4VciDeferredCredentialRequestOptions {\n issuerMetadata: IssuerMetadataResult\n transactionId: string\n credentialConfigurationId: string\n credentialConfiguration: OpenId4VciCredentialConfigurationSupportedWithFormats\n verifyCredentialStatus?: boolean\n accessToken: string\n dpop?: OpenId4VciDpopRequestOptions\n}\n\n/**\n * Options that are used for the authorization code flow.\n */\nexport interface OpenId4VciAuthCodeFlowOptions {\n clientId: string\n\n /**\n * The wallet attestation to send to the issuer. This will only be used\n * if client attestations and PAR are supported by the issuer.\n *\n * A Proof of Possesion will be created based on the wallet attestation,\n * so the key bound to the wallet attestation must be in the wallet.\n */\n walletAttestationJwt?: string\n\n redirectUri: string\n scope?: string[]\n}\n\nexport interface OpenId4VciCredentialBindingOptions {\n agentContext: AgentContext\n\n /**\n * The OpenID4VCI metadata, consisting of the draft version used,\n * the issuer metadatan and the authorization server metadata\n */\n metadata: OpenId4VciMetadata\n\n /**\n * The credential format that will be requested from the issuer.\n * E.g. `jwt_vc` or `ldp_vc`.\n */\n credentialFormat: OpenId4VciSupportedCredentialFormats\n\n /**\n * The max batch size as configured by the issuer. If the issuer has not indicated support for batch issuance\n * this will be `1`.\n */\n issuerMaxBatchSize: number\n\n /**\n * The proof types supported by the credential issuer that are also supported\n * by credo. Currently `jwt` and `attestation` are supported.\n *\n * Each proof type will list the supported algorithms, key types\n * and whether key attesations are required\n */\n proofTypes: OpenId4VciProofOfPressionProofTypes\n\n /**\n * The id of the credential configuration that will be requested from the issuer.\n */\n credentialConfigurationId: string\n\n /**\n * The credential configuration that will be requested from the issuer.\n */\n credentialConfiguration: OpenId4VciCredentialConfigurationSupportedWithFormats\n\n /**\n * Whether the issuer supports the `did` cryptographic binding method,\n * indicating they support all did methods. In most cases, they do not\n * support all did methods, and it means we have to make an assumption\n * about the did methods they support.\n *\n * If this value is `false`, the `supportedDidMethods` property will\n * contain a list of supported did methods.\n *\n * NOTE: when key attestations are required for a specific proof type, support for did method\n * binding is not supported at the moment, as there's no way to indicate which did the credential\n * should be bound to.\n * https://github.com/openid/OpenID4VCI/issues/475\n */\n supportsAllDidMethods: boolean\n\n /**\n * A list of supported did methods. This is only used if the `supportsAllDidMethods`\n * property is `false`. When this array is populated, the returned verification method\n * MUST be based on one of these did methods.\n *\n * The did methods are returned in the format `did:<method>`, e.g. `did:web`.\n *\n * The value is undefined in the case the supported did methods could not be extracted.\n * This is the case when the issuer didn't include the supported did methods in the issuer metadata.\n *\n * NOTE: an empty array (no did methods supported) has a different meaning from the value\n * being undefined (the supported did methods could not be extracted). If `supportsAllDidMethods`\n * is true, the value of this property MUST be ignored.\n *\n * NOTE: when key attestations are required for a specific proof type, support for did method\n * binding is not supported at the moment, as there's no way to indicate which did the credential\n * should be bound to.\n * https://github.com/openid/OpenID4VCI/issues/475\n */\n supportedDidMethods?: string[]\n\n /**\n * Whether the issuer supports the `jwk` cryptographic binding method,\n * indicating they support proof of possession signatures bound to a jwk.\n */\n supportsJwk: boolean\n}\n\n/**\n * The proof of possession verification method resolver is a function that can be passed by the\n * user of the framework and allows them to determine which verification method should be used\n * for the proof of possession signature.\n */\nexport type OpenId4VciCredentialBindingResolver = (\n options: OpenId4VciCredentialBindingOptions\n) => Promise<OpenId4VcCredentialHolderBinding> | OpenId4VcCredentialHolderBinding\n\nexport type OpenId4VciProofOfPressionProofTypes = Record<\n 'jwt' | 'attestation',\n | {\n /**\n * The JWA Signature Algorithm(s) that can be used in the proof of possession.\n * This is based on the `allowedProofOfPossessionSignatureAlgorithms` passed\n * to the request credential method, and the supported proof type signature\n * algorithms for the specific credential configuration\n */\n supportedSignatureAlgorithms: Kms.KnownJwaSignatureAlgorithm[]\n\n /**\n * Whether key attestations are required and which level needs to be met. If the object\n * is not defined, it can be interpreted that key attestations are not required.\n *\n * OpenID4VCI defined common levels in https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html#appendix-D.2, such as:\n * - `iso_18045_high`\n * - `iso_18045_moderate`\n * - `iso_18045_enhanced-basic`\n * - `iso_18045_basic`\n *\n * Other values may be defined and present as well. When key attestations are required you MUST return a key attestation.\n * If `userAuthentication` or `keyStorage` are defined you MUST return a key attestation that reaches the level as required\n * by the `keyStorage` and `userAuthentication` values.\n */\n keyAttestationsRequired?: {\n keyStorage?: string[]\n userAuthentication?: string[]\n }\n }\n | undefined\n>\n\n/**\n * @internal\n */\nexport interface OpenId4VciProofOfPossessionRequirements {\n proofTypes: OpenId4VciProofOfPressionProofTypes\n supportedDidMethods?: string[]\n supportsAllDidMethods: boolean\n supportsJwk: boolean\n}\n"],"mappings":";;;;AAsBA,MAAaA,uCAA+E;CAC1F,kCAAkC;CAClC,kCAAkC;CAClC,kCAAkC;CAClC,kCAAkC;CAClC,kCAAkC;CAClC,kCAAkC;CACnC"}
package/build/openid4vc-holder/OpenId4vpHolderService.d.mts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"OpenId4vpHolderService.d.mts","names":[],"sources":["../../src/openid4vc-holder/OpenId4vpHolderService.ts"],"sourcesContent":[],"mappings":";;;;cA6Ca,sBAAA;EAAA,QAAA,2BAAsB;EAAA,QAAA,WAAA;aAEM,CAAA,2BAAA,EAAA,8BAAA,EAAA,WAAA,EAChB,WADgB;UAChB,kBAAA;UAiEP,iCAAA;UAOiB,iBAAA;6BACrB,CAAA,YAAA,EARI,YAQJ;;;;;;;iCADqB,mCACrB,8CACT,QAAQ;;2CAiLK,uBACL,6CAA0C;;;MAkOvB,QAAA,EAAA,MAAA,SAAA,CAAA,MAAA,EAAA,GAAA,CAAA,GAAA,CAAA,MAAA,SAAA,CAAA,MAAA,EAAA,GAAA,CAAA,EAAA,GAAA,CAAA,MAAA,SAAA,CAAA,MAAA,EAAA,GAAA,CAAA,CAAA,EAAA,CAAA,SAAA,CAAA,MAAA,EAAA,MAAA,SAAA,CAAA,MAAA,EAAA,GAAA,CAAA,GAAA,CAAA,MAAA,SAAA,CAAA,MAAA,EAAA,GAAA,CAAA,EAAA,GAAA,CAAA,MAAA,SAAA,CAAA,MAAA,EAAA,GAAA,CAAA,CAAA,EAAA,CAAA,CAAA;;;;;;;;IAAA,CAAA,GAAA;;;gCAAA;;;;;;MAAA,KAAA,CAAA,EAAA,MAAA,GAAA,SAAA;;;;;;;;MAAA,CAAA,CAAA,EAAA,MAAA,CAAA,EAAA,OAAA;;gCAAA;;;;;;;IAAA,SAAA,cAAA,EAAA;;;;;;;;MAAA,uBAAA,CAAA,EAAA,GAAA;MAlOuB,aAAA,CAAA,EAAA,MAAA,GAAA,SAAA;MAAA,UAAA,CAAA,EAAA,MAAA,GAAA,SAAA;;;;;;gCAkOvB;;;;;;;;;;;;;;;;gCAAA;;;;;;;;;;;;;;;;;;;;;;gCAAA;;;;;;;;;;;;;;;;gCAAA"}
1
+ {"version":3,"file":"OpenId4vpHolderService.d.mts","names":[],"sources":["../../src/openid4vc-holder/OpenId4vpHolderService.ts"],"sourcesContent":[],"mappings":";;;;cA2Ca,sBAAA;EAAA,QAAA,2BAAsB;EAAA,QAAA,WAAA;aAEM,CAAA,2BAAA,EAAA,8BAAA,EAAA,WAAA,EAChB,WADgB;UAChB,kBAAA;UAiEP,iCAAA;UAOiB,iBAAA;6BACrB,CAAA,YAAA,EARI,YAQJ;;;;;;;iCADqB,mCACrB,8CACT,QAAQ;;2CAiLK,uBACL,6CAA0C;;;MAkOvB,QAAA,EAAA,MAAA,SAAA,CAAA,MAAA,EAAA,GAAA,CAAA,GAAA,CAAA,MAAA,SAAA,CAAA,MAAA,EAAA,GAAA,CAAA,EAAA,GAAA,CAAA,MAAA,SAAA,CAAA,MAAA,EAAA,GAAA,CAAA,CAAA,EAAA,CAAA,SAAA,CAAA,MAAA,EAAA,MAAA,SAAA,CAAA,MAAA,EAAA,GAAA,CAAA,GAAA,CAAA,MAAA,SAAA,CAAA,MAAA,EAAA,GAAA,CAAA,EAAA,GAAA,CAAA,MAAA,SAAA,CAAA,MAAA,EAAA,GAAA,CAAA,CAAA,EAAA,CAAA,CAAA;;;;;;;;IAAA,CAAA,GAAA;;;gCAAA;;;;;;MAAA,KAAA,CAAA,EAAA,MAAA,GAAA,SAAA;;;;;;;;MAAA,CAAA,CAAA,EAAA,MAAA,CAAA,EAAA,OAAA;;gCAAA;;;;;;;IAAA,SAAA,cAAA,EAAA;;;;;;;;MAAA,uBAAA,CAAA,EAAA,GAAA;MAlOuB,aAAA,CAAA,EAAA,MAAA,GAAA,SAAA;MAAA,UAAA,CAAA,EAAA,MAAA,GAAA,SAAA;;;;;;gCAkOvB;;;;;;;;;;;;;;;;gCAAA;;;;;;;;;;;;;;;;;;;;;;gCAAA;;;;;;;;;;;;;;;;gCAAA"}
package/build/openid4vc-holder/OpenId4vpHolderService.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"OpenId4vpHolderService.d.ts","names":[],"sources":["../../src/openid4vc-holder/OpenId4vpHolderService.ts"],"sourcesContent":[],"mappings":";;;;cA6Ca,sBAAA;EAAA,QAAA,2BAAsB;EAAA,QAAA,WAAA;aAEM,CAAA,2BAAA,EAAA,8BAAA,EAAA,WAAA,EAChB,WADgB;UAChB,kBAAA;UAiEP,iCAAA;UAOiB,iBAAA;6BACrB,CAAA,YAAA,EARI,YAQJ;;;;;;;iCADqB,mCACrB,8CACT,QAAQ;;2CAiLK,uBACL,6CAA0C;;;MAkOvB,QAAA,EAAA,MAAA,SAAA,CAAA,MAAA,EAAA,GAAA,CAAA,GAAA,CAAA,MAAA,SAAA,CAAA,MAAA,EAAA,GAAA,CAAA,EAAA,GAAA,CAAA,MAAA,SAAA,CAAA,MAAA,EAAA,GAAA,CAAA,CAAA,EAAA,CAAA,SAAA,CAAA,MAAA,EAAA,MAAA,SAAA,CAAA,MAAA,EAAA,GAAA,CAAA,GAAA,CAAA,MAAA,SAAA,CAAA,MAAA,EAAA,GAAA,CAAA,EAAA,GAAA,CAAA,MAAA,SAAA,CAAA,MAAA,EAAA,GAAA,CAAA,CAAA,EAAA,CAAA,CAAA;;;;;;;;IAAA,CAAA,GAAA;;;gCAAA;;;;;;MAAA,KAAA,CAAA,EAAA,MAAA,GAAA,SAAA;;;;;;;;MAAA,CAAA,CAAA,EAAA,MAAA,CAAA,EAAA,OAAA;;gCAAA;;;;;;;IAAA,SAAA,cAAA,EAAA;;;;;;;;MAAA,uBAAA,CAAA,EAAA,GAAA;MAlOuB,aAAA,CAAA,EAAA,MAAA,GAAA,SAAA;MAAA,UAAA,CAAA,EAAA,MAAA,GAAA,SAAA;;;;;;gCAkOvB;;;;;;;;;;;;;;;;gCAAA;;;;;;;;;;;;;;;;;;;;;;gCAAA;;;;;;;;;;;;;;;;gCAAA"}
1
+ {"version":3,"file":"OpenId4vpHolderService.d.ts","names":[],"sources":["../../src/openid4vc-holder/OpenId4vpHolderService.ts"],"sourcesContent":[],"mappings":";;;;cA2Ca,sBAAA;EAAA,QAAA,2BAAsB;EAAA,QAAA,WAAA;aAEM,CAAA,2BAAA,EAAA,8BAAA,EAAA,WAAA,EAChB,WADgB;UAChB,kBAAA;UAiEP,iCAAA;UAOiB,iBAAA;6BACrB,CAAA,YAAA,EARI,YAQJ;;;;;;;iCADqB,mCACrB,8CACT,QAAQ;;2CAiLK,uBACL,6CAA0C;;;MAkOvB,QAAA,EAAA,MAAA,SAAA,CAAA,MAAA,EAAA,GAAA,CAAA,GAAA,CAAA,MAAA,SAAA,CAAA,MAAA,EAAA,GAAA,CAAA,EAAA,GAAA,CAAA,MAAA,SAAA,CAAA,MAAA,EAAA,GAAA,CAAA,CAAA,EAAA,CAAA,SAAA,CAAA,MAAA,EAAA,MAAA,SAAA,CAAA,MAAA,EAAA,GAAA,CAAA,GAAA,CAAA,MAAA,SAAA,CAAA,MAAA,EAAA,GAAA,CAAA,EAAA,GAAA,CAAA,MAAA,SAAA,CAAA,MAAA,EAAA,GAAA,CAAA,CAAA,EAAA,CAAA,CAAA;;;;;;;;IAAA,CAAA,GAAA;;;gCAAA;;;;;;MAAA,KAAA,CAAA,EAAA,MAAA,GAAA,SAAA;;;;;;;;MAAA,CAAA,CAAA,EAAA,MAAA,CAAA,EAAA,OAAA;;gCAAA;;;;;;;IAAA,SAAA,cAAA,EAAA;;;;;;;;MAAA,uBAAA,CAAA,EAAA,GAAA;MAlOuB,aAAA,CAAA,EAAA,MAAA,GAAA,SAAA;MAAA,UAAA,CAAA,EAAA,MAAA,GAAA,SAAA;;;;;;gCAkOvB;;;;;;;;;;;;;;;;gCAAA;;;;;;;;;;;;;;;;;;;;;;gCAAA;;;;;;;;;;;;;;;;gCAAA"}
package/build/openid4vc-holder/OpenId4vpHolderService.js CHANGED
@@ -86,8 +86,8 @@ let OpenId4VpHolderService = class OpenId4VpHolderService$1 {
86
86
  }
87
87
  extendCredentialsWithTransactionDataHashes(selectedCredentials, transactionData, selectedTransactionDataCredentials) {
88
88
  if (!transactionData && !selectedTransactionDataCredentials) return selectedCredentials;
89
- if (!selectedTransactionDataCredentials) throw new __credo_ts_core.CredoError("Autohrization request contains transaction data entries, but no credential ids to sign transaction data hashes provided in acceptAuthorizationRequest method.");
90
- if (!transactionData) throw new __credo_ts_core.CredoError("Autohrization request doe not contains transaction data entries, but credentail ids were provided to sign transaction data hashes in acceptAuthorizationRequest method.");
89
+ if (!selectedTransactionDataCredentials) throw new __credo_ts_core.CredoError("Authorization request contains transaction data entries, but no credential ids to sign transaction data hashes provided in acceptAuthorizationRequest method.");
90
+ if (!transactionData) throw new __credo_ts_core.CredoError("Authorization request doe not contains transaction data entries, but credentail ids were provided to sign transaction data hashes in acceptAuthorizationRequest method.");
91
91
  if (transactionData.length !== selectedTransactionDataCredentials.length) throw new __credo_ts_core.CredoError("Credential ids to sign transaction data hashes provided in acceptAuthorizationRequest method, but the length does not match the number of transaction data entries from the authorization request.");
92
92
  const credentialsToTransactionData = {};
93
93
  transactionData.forEach((transactionDataEntry, transactionDataIndex) => {
@@ -141,7 +141,7 @@ let OpenId4VpHolderService = class OpenId4VpHolderService$1 {
141
141
  const isDcApiRequest = (0, __openid4vc_openid4vp.isOpenid4vpAuthorizationRequestDcApi)(authorizationRequestPayload);
142
142
  const shouldEncryptResponse = authorizationRequestPayload.response_mode && (0, __openid4vc_openid4vp.isJarmResponseMode)(authorizationRequestPayload.response_mode);
143
143
  const audience = openid4vpVersion === "v1" && isDcApiRequest ? `origin:${options.origin}` : clientId;
144
- let encryptionJwk = void 0;
144
+ let encryptionJwk;
145
145
  if (shouldEncryptResponse) {
146
146
  const clientMetadata = authorizationRequestPayload.client_metadata;
147
147
  if (!clientMetadata) throw new __credo_ts_core.CredoError("Authorization request payload does not contain 'client_metadata' needed to extract response encryption JWK.");
@@ -183,7 +183,7 @@ let OpenId4VpHolderService = class OpenId4VpHolderService$1 {
183
183
  };
184
184
  }
185
185
  let vpToken;
186
- let presentationSubmission = void 0;
186
+ let presentationSubmission;
187
187
  const parsedTransactionData = authorizationRequestPayload.transaction_data ? (0, __openid4vc_openid4vp.parseTransactionData)({ transactionData: authorizationRequestPayload.transaction_data }) : void 0;
188
188
  if (authorizationRequestPayload.presentation_definition || presentationExchange) {
189
189
  if (!presentationExchange) throw new __credo_ts_core.CredoError("Authorization request included presentation definition. `presentationExchange` MUST be supplied to accept authorization requests.");