@credo-ts/openid4vc 0.6.1-pr-2091-20241119140918 → 0.6.1

package/build/openid4vc-verifier/OpenId4VpVerifierService.mjs

@@ -0,0 +1,714 @@
+import { OpenId4VcVerifierModuleConfig } from "./OpenId4VcVerifierModuleConfig.mjs";
+import { storeActorIdForContextCorrelationId } from "../shared/router/tenants.mjs";
+import "../shared/router/index.mjs";
+import { credoJwtIssuerToOpenId4VcJwtIssuer, dcqlCredentialQueryToPresentationFormat, getSupportedJwaSignatureAlgorithms } from "../shared/utils.mjs";
+import { getOid4vcCallbacks } from "../shared/callbacks.mjs";
+import { __decorateMetadata } from "../_virtual/_@oxc-project_runtime@0.99.0/helpers/decorateMetadata.mjs";
+import { __decorateParam } from "../_virtual/_@oxc-project_runtime@0.99.0/helpers/decorateParam.mjs";
+import { __decorate } from "../_virtual/_@oxc-project_runtime@0.99.0/helpers/decorate.mjs";
+import { OpenId4VcVerificationSessionState } from "./OpenId4VcVerificationSessionState.mjs";
+import { getSdJwtVcTransactionDataHashes } from "../shared/transactionData.mjs";
+import { OpenId4VcVerifierEvents } from "./OpenId4VcVerifierEvents.mjs";
+import { OpenId4VcVerificationSessionRecord } from "./repository/OpenId4VcVerificationSessionRecord.mjs";
+import { OpenId4VcVerificationSessionRepository } from "./repository/OpenId4VcVerificationSessionRepository.mjs";
+import { OpenId4VcVerifierRecord } from "./repository/OpenId4VcVerifierRecord.mjs";
+import { OpenId4VcVerifierRepository } from "./repository/OpenId4VcVerifierRepository.mjs";
+import "./repository/index.mjs";
+import { AgentContext, ClaimFormat, CredoError, DcqlService, DifPresentationExchangeService, EventEmitter, Hasher, InjectionSymbols, JsonEncoder, JsonTransformer, Jwt, Kms, MdocDeviceResponse, SdJwtVcApi, SignatureSuiteRegistry, TypedArrayEncoder, W3cCredentialService, W3cJsonLdVerifiablePresentation, W3cJwtVerifiablePresentation, W3cV2CredentialService, W3cV2SdJwtVerifiablePresentation, X509Certificate, X509ModuleConfig, X509Service, extractPresentationsWithDescriptorsFromSubmission, extractX509CertificatesFromJwt, getDomainFromUrl, inject, injectable, isMdocSupportedSignatureAlgorithm, joinUriParts, mapNonEmptyArray, utils } from "@credo-ts/core";
+import { Oauth2ErrorCodes, Oauth2ServerErrorResponseError } from "@openid4vc/oauth2";
+import { JarmMode, Openid4vpVerifier, calculateX509HashClientIdPrefixValue, getOpenid4vpClientId, isJarmResponseMode, isOpenid4vpAuthorizationRequestDcApi, zOpenid4vpAuthorizationResponse } from "@openid4vc/openid4vp";
+
+//#region src/openid4vc-verifier/OpenId4VpVerifierService.ts
+var _ref, _ref2, _ref3, _ref4, _ref5;
+let OpenId4VpVerifierService = class OpenId4VpVerifierService$1 {
+	constructor(logger, w3cCredentialService, w3cV2CredentialService, openId4VcVerifierRepository, config, openId4VcVerificationSessionRepository) {
+		this.logger = logger;
+		this.w3cCredentialService = w3cCredentialService;
+		this.w3cV2CredentialService = w3cV2CredentialService;
+		this.openId4VcVerifierRepository = openId4VcVerifierRepository;
+		this.config = config;
+		this.openId4VcVerificationSessionRepository = openId4VcVerificationSessionRepository;
+	}
+	getOpenid4vpVerifier(agentContext) {
+		return new Openid4vpVerifier({ callbacks: getOid4vcCallbacks(agentContext) });
+	}
+	async createAuthorizationRequest(agentContext, options) {
+		const kms = agentContext.resolve(Kms.KeyManagementApi);
+		const nonce = TypedArrayEncoder.toBase64URL(kms.randomBytes({ length: 32 }));
+		const state = TypedArrayEncoder.toBase64URL(kms.randomBytes({ length: 32 }));
+		const responseMode = options.responseMode ?? "direct_post.jwt";
+		const isDcApiRequest = responseMode === "dc_api" || responseMode === "dc_api.jwt";
+		const version = options.version ?? "v1";
+		if (version === "v1.draft21" && isDcApiRequest) throw new CredoError(`OpenID4VP version '${version}' cannot be used with responseMode '${options.responseMode}'. Use version 'v1' or 'v1.draft24' instead.`);
+		if (version === "v1.draft21" && options.transactionData) throw new CredoError(`OpenID4VP version '${version}' cannot be used with transactionData. Use version 'v1' or 'v1.draft24' instead.`);
+		if (version === "v1.draft21" && options.dcql) throw new CredoError(`OpenID4VP version '${version}' cannot be used with dcql. Use version 'v1' or 'v1.draft24' instead.`);
+		if (version !== "v1" && options.verifierInfo) throw new CredoError(`OpenID4VP version '${version}' cannot be used with verifierInfo. Use version 'v1' instead.`);
+		if (version === "v1" && options.presentationExchange) throw new CredoError(`OpenID4VP version '${version}' cannot be used with presentationExchange. Use dcql instead (recommended), or use older versions 'v1.draft24' and 'v1.draft21'.`);
+		if (options.dcql?.query.credentials.some((c) => c.require_cryptographic_holder_binding === false)) throw new CredoError(`Setting 'require_cryptographic_holder_binding' to false in DCQL Query is not supported by Credo at the moment. Only presentations with cryptographic holder binding are supported.`);
+		if (isDcApiRequest && options.authorizationResponseRedirectUri) throw new CredoError("'authorizationResponseRedirectUri' cannot be be used with response mode 'dc_api' and 'dc_api.jwt'.");
+		const hasMdocRequest = options.presentationExchange?.definition.input_descriptors.some((i) => i.format?.mso_mdoc) || options.dcql?.query.credentials.some((c) => c.format === "mso_mdoc");
+		if ((version === "v1.draft21" || version === "v1.draft24") && responseMode === "direct_post" && hasMdocRequest) throw new CredoError("Unable to create authorization request with response mode 'direct_post' containing mDOC credentials. ISO 18013-7 requires the usage of response mode 'direct_post.jwt', and needs parameters from the encrypted response header to verify the mDOC sigature. Either use version 'v1', or update the response mode to 'direct_post.jwt'");
+		if (options.verifierInfo) {
+			const queryIds = options?.dcql?.query.credentials.map(({ id }) => id) ?? options?.presentationExchange?.definition.input_descriptors.map(({ id }) => id) ?? [];
+			if (!options.verifierInfo.every((vi) => !vi.credential_ids || vi.credential_ids.every((credentialId) => queryIds.includes(credentialId)))) throw new CredoError("Verifier info (attestations) were provided, but the verifier info used credential ids that are not present in the query");
+		}
+		const authorizationRequestId = utils.uuid();
+		const authorizationResponseUrl = `${joinUriParts(this.config.baseUrl, [options.verifier.verifierId, this.config.authorizationEndpoint])}?session=${authorizationRequestId}`;
+		const jwtIssuer = options.requestSigner.method !== "none" ? await credoJwtIssuerToOpenId4VcJwtIssuer(agentContext, options.requestSigner) : void 0;
+		let clientIdPrefix;
+		let clientId;
+		if (!jwtIssuer) if (isDcApiRequest) {
+			clientIdPrefix = version === "v1" ? "origin" : "web-origin";
+			clientId = void 0;
+		} else {
+			clientIdPrefix = "redirect_uri";
+			clientId = authorizationResponseUrl;
+		}
+		else if (jwtIssuer?.method === "x5c") {
+			const leafCertificate = X509Service.getLeafCertificate(agentContext, { certificateChain: jwtIssuer.x5c });
+			if (!authorizationResponseUrl.startsWith("https://") && !(authorizationResponseUrl.startsWith("http://") && agentContext.config.allowInsecureHttpUrls)) throw new CredoError("The X509 certificate issuer must be a HTTPS URI.");
+			if (options.requestSigner.method === "x5c" && options.requestSigner.clientIdPrefix === "x509_hash") {
+				clientIdPrefix = "x509_hash";
+				clientId = await calculateX509HashClientIdPrefixValue({
+					x509Certificate: leafCertificate.rawCertificate,
+					hash: Hasher.hash
+				});
+			} else {
+				if (!leafCertificate.sanDnsNames.includes(getDomainFromUrl(authorizationResponseUrl))) {
+					const sanDnsMessage = leafCertificate.sanDnsNames.length > 0 ? `SAN-DNS names are ${leafCertificate.sanDnsNames.join(", ")}` : "there are no SAN-DNS names";
+					throw new CredoError(`The domain of the OpenID4VCI issuer does not match a SAN DNS name in the x5c certificate. The OpenID4VCI domain is '${getDomainFromUrl(authorizationResponseUrl)}', $${sanDnsMessage}`);
+				}
+				clientIdPrefix = "x509_san_dns";
+				clientId = getDomainFromUrl(authorizationResponseUrl);
+			}
+		} else if (jwtIssuer?.method === "did") {
+			clientId = jwtIssuer.didUrl.split("#")[0];
+			clientIdPrefix = version === "v1" ? "decentralized_identifier" : "did";
+		} else throw new CredoError(`Unsupported jwt issuer method '${options.requestSigner.method}'. Only 'did' and 'x5c' are supported.`);
+		const hostedAuthorizationRequestUri = !isDcApiRequest && jwtIssuer ? joinUriParts(this.config.baseUrl, [
+			options.verifier.verifierId,
+			this.config.authorizationRequestEndpoint,
+			authorizationRequestId
+		]) : void 0;
+		const client_id = clientIdPrefix === "did" || clientIdPrefix === "https" || version === "v1.draft21" ? clientId : `${clientIdPrefix}:${clientId}`;
+		const legacyClientIdScheme = version === "v1.draft21" && clientIdPrefix !== "web-origin" && clientIdPrefix !== "origin" && clientIdPrefix !== "decentralized_identifier" ? clientIdPrefix : void 0;
+		const client_metadata = await this.getClientMetadata(agentContext, {
+			responseMode,
+			verifier: options.verifier,
+			authorizationResponseUrl,
+			version,
+			dcqlQuery: options.dcql?.query
+		});
+		const requestParamsBase = {
+			nonce,
+			presentation_definition: options.presentationExchange?.definition,
+			dcql_query: options.dcql?.query,
+			transaction_data: options.transactionData?.map((entry) => JsonEncoder.toBase64URL(entry)),
+			response_mode: responseMode,
+			response_type: "vp_token",
+			client_metadata,
+			verifier_info: options.verifierInfo
+		};
+		const authorizationRequest = await this.getOpenid4vpVerifier(agentContext).createOpenId4vpAuthorizationRequest({
+			jar: jwtIssuer ? {
+				jwtSigner: jwtIssuer,
+				requestUri: hostedAuthorizationRequestUri,
+				expiresInSeconds: this.config.authorizationRequestExpiresInSeconds
+			} : void 0,
+			authorizationRequestPayload: requestParamsBase.response_mode === "dc_api.jwt" || requestParamsBase.response_mode === "dc_api" ? {
+				...requestParamsBase,
+				client_id: jwtIssuer ? client_id : void 0,
+				response_mode: requestParamsBase.response_mode,
+				expected_origins: options.expectedOrigins
+			} : {
+				...requestParamsBase,
+				response_mode: requestParamsBase.response_mode,
+				client_id,
+				state,
+				response_uri: authorizationResponseUrl,
+				client_id_scheme: legacyClientIdScheme
+			}
+		});
+		const verificationSession = new OpenId4VcVerificationSessionRecord({
+			authorizationResponseRedirectUri: options.authorizationResponseRedirectUri,
+			authorizationRequestPayload: authorizationRequest.jar ? void 0 : authorizationRequest.authorizationRequestPayload,
+			authorizationRequestJwt: authorizationRequest.jar?.authorizationRequestJwt,
+			authorizationRequestUri: hostedAuthorizationRequestUri,
+			authorizationRequestId,
+			state: OpenId4VcVerificationSessionState.RequestCreated,
+			verifierId: options.verifier.verifierId,
+			expiresAt: utils.addSecondsToDate(/* @__PURE__ */ new Date(), this.config.authorizationRequestExpiresInSeconds),
+			openId4VpVersion: version
+		});
+		await this.openId4VcVerificationSessionRepository.save(agentContext, verificationSession);
+		this.emitStateChangedEvent(agentContext, verificationSession, null);
+		return {
+			authorizationRequest: authorizationRequest.authorizationRequest,
+			verificationSession,
+			authorizationRequestObject: authorizationRequest.authorizationRequestObject
+		};
+	}
+	async getDcqlVerifiedResponse(agentContext, _dcqlQuery, presentations) {
+		const dcqlService = agentContext.dependencyManager.resolve(DcqlService);
+		const dcqlQuery = dcqlService.validateDcqlQuery(_dcqlQuery);
+		const dcqlPresentationEntries = Object.entries(presentations);
+		const dcqlPresentation = Object.fromEntries(dcqlPresentationEntries.map(([credentialId, presentations$1]) => {
+			const queryCredential = dcqlQuery.credentials.find((c) => c.id === credentialId);
+			if (!queryCredential) throw new CredoError(`vp_token contains presentation for credential query id '${credentialId}', but this credential is not present in the dcql query.`);
+			return [credentialId, mapNonEmptyArray(presentations$1, (presentation) => this.decodePresentation(agentContext, {
+				presentation,
+				format: dcqlCredentialQueryToPresentationFormat(queryCredential)
+			}))];
+		}));
+		return {
+			query: dcqlQuery,
+			presentations: dcqlPresentation,
+			presentationResult: await dcqlService.assertValidDcqlPresentation(agentContext, dcqlPresentation, dcqlQuery)
+		};
+	}
+	async parseAuthorizationResponse(agentContext, options) {
+		const openid4vpVerifier = this.getOpenid4vpVerifier(agentContext);
+		const { authorizationResponse, verificationSession, origin } = options;
+		let parsedAuthorizationResponse;
+		try {
+			parsedAuthorizationResponse = await openid4vpVerifier.parseOpenid4vpAuthorizationResponse({
+				authorizationResponse,
+				origin,
+				authorizationRequestPayload: verificationSession.requestPayload,
+				callbacks: getOid4vcCallbacks(agentContext)
+			});
+			if (parsedAuthorizationResponse.jarm && parsedAuthorizationResponse.jarm.type !== JarmMode.Encrypted) throw new Oauth2ServerErrorResponseError({
+				error: Oauth2ErrorCodes.InvalidRequest,
+				error_description: `Only encrypted JARM responses are supported, received '${parsedAuthorizationResponse.jarm.type}'.`
+			});
+			return {
+				...parsedAuthorizationResponse,
+				verificationSession
+			};
+		} catch (error) {
+			if (verificationSession?.state === OpenId4VcVerificationSessionState.RequestUriRetrieved || verificationSession?.state === OpenId4VcVerificationSessionState.RequestCreated) {
+				const parsed = zOpenid4vpAuthorizationResponse.safeParse(parsedAuthorizationResponse?.authorizationResponsePayload);
+				verificationSession.authorizationResponsePayload = parsed.success ? parsed.data : void 0;
+				verificationSession.errorMessage = error.message;
+				await this.updateState(agentContext, verificationSession, OpenId4VcVerificationSessionState.Error);
+			}
+			throw error;
+		}
+	}
+	async verifyAuthorizationResponse(agentContext, options) {
+		const { verificationSession, authorizationResponse, origin } = options;
+		const authorizationRequest = verificationSession.requestPayload;
+		const openid4vpVersion = verificationSession.openId4VpVersion ?? (authorizationRequest.client_id_scheme !== void 0 ? "v1.draft21" : "v1.draft24");
+		if (verificationSession.state !== OpenId4VcVerificationSessionState.RequestUriRetrieved && verificationSession.state !== OpenId4VcVerificationSessionState.RequestCreated) throw new Oauth2ServerErrorResponseError({
+			error: Oauth2ErrorCodes.InvalidRequest,
+			error_description: "Invalid session"
+		});
+		if (verificationSession.expiresAt && Date.now() > verificationSession.expiresAt.getTime()) {
+			verificationSession.errorMessage = "session expired";
+			await this.updateState(agentContext, verificationSession, OpenId4VcVerificationSessionState.Error);
+			throw new Oauth2ServerErrorResponseError({
+				error: Oauth2ErrorCodes.InvalidRequest,
+				error_description: "session expired"
+			});
+		}
+		const result = await this.parseAuthorizationResponse(agentContext, {
+			verificationSession,
+			authorizationResponse,
+			origin
+		});
+		const encryptionJwk = authorizationRequest.client_metadata?.jwks?.keys.find((key) => key.use === "enc");
+		const encryptionPublicJwk = encryptionJwk ? Kms.PublicJwk.fromUnknown(encryptionJwk) : void 0;
+		let dcqlResponse;
+		let pexResponse;
+		let transactionData;
+		try {
+			const clientId = getOpenid4vpClientId({
+				responseMode: authorizationRequest.response_mode,
+				clientId: authorizationRequest.client_id,
+				legacyClientIdScheme: authorizationRequest.client_id_scheme,
+				origin: options.origin,
+				version: openid4vpVersion === "v1" ? 100 : openid4vpVersion === "v1.draft24" ? 24 : 21
+			}).effectiveClientId;
+			const isDcApiRequest = isOpenid4vpAuthorizationRequestDcApi(authorizationRequest);
+			const audience = openid4vpVersion === "v1" && isDcApiRequest ? `origin:${options.origin}` : clientId;
+			const responseUri = isOpenid4vpAuthorizationRequestDcApi(authorizationRequest) ? void 0 : authorizationRequest.response_uri;
+			const mdocGeneratedNonce = result.jarm?.jarmHeader.apu ? TypedArrayEncoder.toUtf8String(TypedArrayEncoder.fromBase64(result.jarm?.jarmHeader.apu)) : void 0;
+			if (result.type === "dcql") {
+				const dcqlPresentationEntries = Object.entries(result.dcql.presentations);
+				if (!authorizationRequest.dcql_query) throw new Oauth2ServerErrorResponseError({
+					error: Oauth2ErrorCodes.InvalidRequest,
+					error_description: "DCQL response provided but no dcql_query found in the authorization request."
+				});
+				const dcql = agentContext.dependencyManager.resolve(DcqlService);
+				const dcqlQuery = dcql.validateDcqlQuery(authorizationRequest.dcql_query);
+				const presentationVerificationResults = await Promise.all(dcqlPresentationEntries.map(async ([credentialId, presentations$1]) => {
+					const queryCredential = dcqlQuery.credentials.find((c) => c.id === credentialId);
+					if (!queryCredential) throw new Oauth2ServerErrorResponseError({
+						error: Oauth2ErrorCodes.InvalidRequest,
+						error_description: `vp_token contains presentation for credential query id '${credentialId}', but this credential is not present in the dcql query.`
+					});
+					return [credentialId, await Promise.all(mapNonEmptyArray(presentations$1, (presentation) => this.verifyPresentation(agentContext, {
+						format: dcqlCredentialQueryToPresentationFormat(queryCredential),
+						nonce: authorizationRequest.nonce,
+						audience,
+						version: openid4vpVersion,
+						clientId,
+						encryptionJwk: encryptionPublicJwk,
+						origin: options.origin,
+						responseUri,
+						mdocGeneratedNonce,
+						verificationSessionId: result.verificationSession.id,
+						presentation
+					})))];
+				}));
+				const errorMessages = presentationVerificationResults.flatMap(([credentialId, presentations$1], index) => presentations$1.map((result$1) => !result$1.verified ? `\t- ${credentialId}[${index}]: ${result$1.reason}` : void 0)).filter((i) => i !== void 0);
+				if (errorMessages.length > 0) throw new Oauth2ServerErrorResponseError({
+					error: Oauth2ErrorCodes.InvalidRequest,
+					error_description: "One or more presentations failed verification."
+				}, { internalMessage: errorMessages.join("\n") });
+				const presentations = Object.fromEntries(presentationVerificationResults.map(([credentialId, presentations$1]) => [credentialId, presentations$1.map((p) => p.verified ? p.presentation : void 0).filter((p) => p !== void 0)]));
+				try {
+					dcqlResponse = {
+						presentations,
+						presentationResult: await dcql.assertValidDcqlPresentation(agentContext, presentations, dcqlQuery),
+						query: dcqlQuery
+					};
+				} catch (error) {
+					throw new Oauth2ServerErrorResponseError({
+						error: Oauth2ErrorCodes.InvalidRequest,
+						error_description: "Presentation submission does not satisfy presentation request."
+					}, { cause: error });
+				}
+			}
+			if (result.type === "pex") {
+				const pex = agentContext.dependencyManager.resolve(DifPresentationExchangeService);
+				const encodedPresentations = result.pex.presentations;
+				const submission = result.pex.presentationSubmission;
+				const definition = result.pex.presentationDefinition;
+				pex.validatePresentationDefinition(definition);
+				try {
+					pex.validatePresentationSubmission(submission);
+				} catch (error) {
+					throw new Oauth2ServerErrorResponseError({
+						error: Oauth2ErrorCodes.InvalidRequest,
+						error_description: "Invalid presentation submission."
+					}, { cause: error });
+				}
+				const presentationsArray = Array.isArray(encodedPresentations) ? encodedPresentations : [encodedPresentations];
+				const presentationVerificationResults = await Promise.all(presentationsArray.map((presentation) => {
+					return this.verifyPresentation(agentContext, {
+						nonce: authorizationRequest.nonce,
+						audience,
+						clientId,
+						version: openid4vpVersion,
+						encryptionJwk: encryptionPublicJwk,
+						responseUri,
+						mdocGeneratedNonce,
+						verificationSessionId: result.verificationSession.id,
+						presentation,
+						format: this.claimFormatFromEncodedPresentation(presentation),
+						origin: options.origin
+					});
+				}));
+				const errorMessages = presentationVerificationResults.map((result$1, index) => !result$1.verified ? `\t- [${index}]: ${result$1.reason}` : void 0).filter((i) => i !== void 0);
+				if (errorMessages.length > 0) throw new Oauth2ServerErrorResponseError({
+					error: Oauth2ErrorCodes.InvalidRequest,
+					error_description: "One or more presentations failed verification."
+				}, { internalMessage: errorMessages.join("\n") });
+				const verifiablePresentations = presentationVerificationResults.map((p) => p.verified ? p.presentation : void 0).filter((p) => p !== void 0);
+				try {
+					pex.validatePresentation(definition, verifiablePresentations.length === 1 ? verifiablePresentations[0] : verifiablePresentations, submission);
+				} catch (error) {
+					throw new Oauth2ServerErrorResponseError({
+						error: Oauth2ErrorCodes.InvalidRequest,
+						error_description: "Presentation submission does not satisfy presentation request."
+					}, { cause: error });
+				}
+				pexResponse = {
+					definition,
+					descriptors: extractPresentationsWithDescriptorsFromSubmission(verifiablePresentations.length === 1 ? verifiablePresentations[0] : verifiablePresentations, submission, definition),
+					presentations: verifiablePresentations,
+					submission
+				};
+			}
+			transactionData = await this.getVerifiedTransactionData(agentContext, {
+				authorizationRequest,
+				dcql: dcqlResponse,
+				presentationExchange: pexResponse
+			});
+		} catch (error) {
+			result.verificationSession.errorMessage = error.message;
+			await this.updateState(agentContext, result.verificationSession, OpenId4VcVerificationSessionState.Error);
+			throw error;
+		}
+		result.verificationSession.authorizationResponsePayload = result.authorizationResponsePayload;
+		await this.updateState(agentContext, result.verificationSession, OpenId4VcVerificationSessionState.ResponseVerified);
+		return {
+			presentationExchange: pexResponse,
+			dcql: dcqlResponse,
+			transactionData,
+			verificationSession: result.verificationSession
+		};
+	}
+	/**
+	* Get the format based on an encoded presentation. This is mostly leveraged for
+	* PEX where it's not known based on the request which format to expect
+	*/
+	claimFormatFromEncodedPresentation(presentation) {
+		if (typeof presentation === "object") return ClaimFormat.LdpVp;
+		if (presentation.includes("~")) return ClaimFormat.SdJwtDc;
+		if (Jwt.format.test(presentation)) return ClaimFormat.JwtVp;
+		return ClaimFormat.MsoMdoc;
+	}
+	async getVerifiedAuthorizationResponse(agentContext, verificationSession) {
+		verificationSession.assertState(OpenId4VcVerificationSessionState.ResponseVerified);
+		if (!verificationSession.authorizationResponsePayload) throw new CredoError("No authorization response payload found in the verification session.");
+		const authorizationRequestPayload = verificationSession.requestPayload;
+		const openid4vpAuthorizationResponsePayload = verificationSession.authorizationResponsePayload;
+		const result = this.getOpenid4vpVerifier(agentContext).validateOpenid4vpAuthorizationResponsePayload({
+			authorizationRequestPayload: verificationSession.requestPayload,
+			authorizationResponsePayload: openid4vpAuthorizationResponsePayload
+		});
+		let presentationExchange;
+		const dcql = result.type === "dcql" ? await this.getDcqlVerifiedResponse(agentContext, authorizationRequestPayload.dcql_query, result.dcql.presentations) : void 0;
+		if (result.type === "pex") {
+			const presentationDefinition = authorizationRequestPayload.presentation_definition;
+			const submission = openid4vpAuthorizationResponsePayload.presentation_submission;
+			if (!submission) throw new CredoError("Unable to extract submission from the response.");
+			const verifiablePresentations = result.pex.presentations.map((presentation) => this.decodePresentation(agentContext, {
+				presentation,
+				format: this.claimFormatFromEncodedPresentation(presentation)
+			}));
+			presentationExchange = {
+				definition: presentationDefinition,
+				submission,
+				presentations: verifiablePresentations,
+				descriptors: extractPresentationsWithDescriptorsFromSubmission(verifiablePresentations.length === 1 ? verifiablePresentations[0] : verifiablePresentations, submission, presentationDefinition)
+			};
+		}
+		if (!presentationExchange && !dcql) throw new CredoError("No presentationExchange or dcql found in the response.");
+		const transactionData = await this.getVerifiedTransactionData(agentContext, {
+			authorizationRequest: authorizationRequestPayload,
+			dcql,
+			presentationExchange
+		});
+		return {
+			presentationExchange,
+			dcql,
+			transactionData,
+			verificationSession
+		};
+	}
+	async getVerifiedTransactionData(agentContext, { authorizationRequest, presentationExchange, dcql }) {
+		if (!authorizationRequest.transaction_data) return void 0;
+		const openid4vpVerifier = this.getOpenid4vpVerifier(agentContext);
+		const transactionDataHashesCredentials = {};
+		const idToCredential = dcql ? Object.entries(dcql.presentations) : presentationExchange?.descriptors.map((descriptor) => [descriptor.descriptor.id, [descriptor.presentation]]) ?? [];
+		for (const [credentialId, presentations] of idToCredential) {
+			const transactionDataHashes = presentations.map((presentation) => presentation.claimFormat === ClaimFormat.SdJwtDc ? getSdJwtVcTransactionDataHashes(presentation) : void 0);
+			const firstHasHash = transactionDataHashes[0] !== void 0;
+			if (!transactionDataHashes.every((hash) => firstHasHash ? hash !== void 0 : hash === void 0)) throw new Oauth2ServerErrorResponseError({
+				error: Oauth2ErrorCodes.InvalidTransactionData,
+				error_description: `Multipe presentations were submitted for credential query ${credentialId} but not all presentations includes a transaction data hash. Either all or none of the presentations for a credential query id should include a transaction data hash.`
+			});
+			if (!firstHasHash) continue;
+			transactionDataHashesCredentials[credentialId] = transactionDataHashes;
+		}
+		return (await openid4vpVerifier.verifyTransactionData({
+			credentials: transactionDataHashesCredentials,
+			transactionData: authorizationRequest.transaction_data
+		})).map(({ credentialId, transactionDataEntry, presentations }) => ({
+			credentialId,
+			encoded: transactionDataEntry.encoded,
+			decoded: transactionDataEntry.transactionData,
+			transactionDataIndex: transactionDataEntry.transactionDataIndex,
+			presentations: presentations.map((presentation) => ({
+				presentationHashIndex: presentation.credentialHashIndex,
+				hash: presentation.hash,
+				hashAlg: presentation.hashAlg
+			}))
+		}));
+	}
+	async getAllVerifiers(agentContext) {
+		return this.openId4VcVerifierRepository.getAll(agentContext);
+	}
+	async getVerifierByVerifierId(agentContext, verifierId) {
+		return this.openId4VcVerifierRepository.getByVerifierId(agentContext, verifierId);
+	}
+	async updateVerifier(agentContext, verifier) {
+		return this.openId4VcVerifierRepository.update(agentContext, verifier);
+	}
+	async createVerifier(agentContext, options) {
+		const openId4VcVerifier = new OpenId4VcVerifierRecord({
+			verifierId: options?.verifierId ?? utils.uuid(),
+			clientMetadata: options?.clientMetadata
+		});
+		await this.openId4VcVerifierRepository.save(agentContext, openId4VcVerifier);
+		await storeActorIdForContextCorrelationId(agentContext, openId4VcVerifier.verifierId);
+		return openId4VcVerifier;
+	}
+	async findVerificationSessionsByQuery(agentContext, query, queryOptions) {
+		return this.openId4VcVerificationSessionRepository.findByQuery(agentContext, query, queryOptions);
+	}
+	async getVerificationSessionById(agentContext, verificationSessionId) {
+		return this.openId4VcVerificationSessionRepository.getById(agentContext, verificationSessionId);
+	}
+	async getClientMetadata(agentContext, options) {
+		const { responseMode, verifier } = options;
+		const signatureSuiteRegistry = agentContext.resolve(SignatureSuiteRegistry);
+		const kms = agentContext.resolve(Kms.KeyManagementApi);
+		const supportedAlgs = getSupportedJwaSignatureAlgorithms(agentContext);
+		const supportedMdocAlgs = supportedAlgs.filter(isMdocSupportedSignatureAlgorithm);
+		const supportedProofTypes = signatureSuiteRegistry.supportedProofTypes;
+		let jarmEncryptionJwk;
+		if (isJarmResponseMode(responseMode)) jarmEncryptionJwk = {
+			...(await kms.createKey({ type: {
+				crv: "P-256",
+				kty: "EC"
+			} })).publicJwk,
+			use: "enc"
+		};
+		const jarmClientMetadata = jarmEncryptionJwk ? {
+			jwks: { keys: [jarmEncryptionJwk] },
+			...options.version === "v1" ? { encrypted_response_enc_values_supported: [
+				"A128GCM",
+				"A256GCM",
+				"A128CBC-HS256"
+			] } : {
+				authorization_encrypted_response_alg: "ECDH-ES",
+				authorization_encrypted_response_enc: options.version === "v1.draft24" ? "A128GCM" : "A256GCM"
+			}
+		} : void 0;
+		const dclqQueryFormats = new Set(options.dcqlQuery?.credentials.map((c) => c.format));
+		return {
+			...jarmClientMetadata,
+			...verifier.clientMetadata,
+			response_types_supported: ["vp_token"],
+			...options.version === "v1" ? { vp_formats_supported: {
+				...dclqQueryFormats.has("dc+sd-jwt") ? { "dc+sd-jwt": {
+					"kb-jwt_alg_values": supportedAlgs,
+					"sd-jwt_alg_values": supportedAlgs
+				} } : {},
+				...dclqQueryFormats.has("mso_mdoc") ? { mso_mdoc: {
+					deviceauth_alg_values: [
+						-9,
+						-51,
+						-19
+					],
+					issuerauth_alg_values: [
+						-9,
+						-51,
+						-19
+					]
+				} } : {},
+				...dclqQueryFormats.has("jwt_vc_json") ? { jwt_vc_json: { alg_values: supportedAlgs } } : {},
+				...dclqQueryFormats.has("ldp_vc") ? { ldp_vc: { proof_type_values: supportedProofTypes } } : {}
+			} } : { vp_formats: {
+				mso_mdoc: { alg: supportedMdocAlgs },
+				jwt_vc: { alg: supportedAlgs },
+				jwt_vc_json: { alg: supportedAlgs },
+				jwt_vp_json: { alg: supportedAlgs },
+				jwt_vp: { alg: supportedAlgs },
+				ldp_vc: { proof_type: supportedProofTypes },
+				ldp_vp: { proof_type: supportedProofTypes },
+				"vc+sd-jwt": {
+					"kb-jwt_alg_values": supportedAlgs,
+					"sd-jwt_alg_values": supportedAlgs
+				},
+				"dc+sd-jwt": {
+					"kb-jwt_alg_values": supportedAlgs,
+					"sd-jwt_alg_values": supportedAlgs
+				}
+			} }
+		};
+	}
+	decodePresentation(agentContext, options) {
+		const { presentation, format } = options;
+		if (format === ClaimFormat.SdJwtDc) {
+			if (typeof presentation !== "string") throw new CredoError(`Expected vp_token entry for format ${format} to be of type string`);
+			return agentContext.dependencyManager.resolve(SdJwtVcApi).fromCompact(presentation);
+		}
+		if (format === ClaimFormat.MsoMdoc) {
+			if (typeof presentation !== "string") throw new CredoError(`Expected vp_token entry for format ${format} to be of type string`);
+			return MdocDeviceResponse.fromBase64Url(presentation);
+		}
+		if (format === ClaimFormat.JwtVp) {
+			if (typeof presentation !== "string") throw new CredoError(`Expected vp_token entry for format ${format} to be of type string`);
+			return W3cJwtVerifiablePresentation.fromSerializedJwt(presentation);
+		}
+		if (format === ClaimFormat.SdJwtW3cVp) {
+			if (typeof presentation !== "string") throw new CredoError(`Expected vp_token entry for format ${format} to be of type string`);
+			return W3cV2SdJwtVerifiablePresentation.fromCompact(presentation);
+		}
+		return JsonTransformer.fromJSON(presentation, W3cJsonLdVerifiablePresentation);
+	}
+	async verifyPresentation(agentContext, options) {
+		const x509Config = agentContext.dependencyManager.resolve(X509ModuleConfig);
+		const sdJwtVcApi = agentContext.dependencyManager.resolve(SdJwtVcApi);
+		const { presentation, format } = options;
+		try {
+			this.logger.trace("Presentation response", JsonTransformer.toJSON(presentation));
+			let isValid;
+			let cause;
+			let verifiablePresentation;
+			if (format === ClaimFormat.SdJwtDc) {
+				if (typeof presentation !== "string") throw new CredoError(`Expected vp_token entry for format ${format} to be of type string`);
+				const sdJwtVc = sdJwtVcApi.fromCompact(presentation);
+				const certificateChain = extractX509CertificatesFromJwt(Jwt.fromSerializedJwt(presentation.split("~")[0]));
+				let trustedCertificates;
+				if (certificateChain && x509Config.getTrustedCertificatesForVerification) trustedCertificates = await x509Config.getTrustedCertificatesForVerification(agentContext, {
+					certificateChain,
+					verification: {
+						type: "credential",
+						credential: sdJwtVc,
+						openId4VcVerificationSessionId: options.verificationSessionId
+					}
+				});
+				if (!trustedCertificates) trustedCertificates = x509Config.trustedCertificates ?? [];
+				const verificationResult = await sdJwtVcApi.verify({
+					compactSdJwtVc: presentation,
+					keyBinding: {
+						audience: options.audience,
+						nonce: options.nonce
+					},
+					trustedCertificates
+				});
+				isValid = verificationResult.isValid;
+				cause = verificationResult.isValid ? void 0 : verificationResult.error;
+				verifiablePresentation = sdJwtVc;
+			} else if (format === ClaimFormat.MsoMdoc) {
+				if (typeof presentation !== "string") throw new CredoError("Expected vp_token entry for format mso_mdoc to be of type string");
+				const mdocDeviceResponse = MdocDeviceResponse.fromBase64Url(presentation);
+				if (mdocDeviceResponse.documents.length === 0) throw new CredoError("mdoc device response does not contain any mdocs");
+				const deviceResponses = mdocDeviceResponse.splitIntoSingleDocumentResponses();
+				for (const deviceResponseIndex of deviceResponses.keys()) {
+					const mdocDeviceResponse$1 = deviceResponses[deviceResponseIndex];
+					const document = mdocDeviceResponse$1.documents[0];
+					const certificateChain = document.issuerSignedCertificateChain.map((cert) => X509Certificate.fromRawCertificate(cert));
+					const trustedCertificates = await x509Config.getTrustedCertificatesForVerification?.(agentContext, {
+						certificateChain,
+						verification: {
+							type: "credential",
+							credential: document,
+							openId4VcVerificationSessionId: options.verificationSessionId
+						}
+					});
+					let sessionTranscriptOptions;
+					if (options.origin && options.version === "v1") sessionTranscriptOptions = {
+						type: "openId4VpDcApi",
+						verifierGeneratedNonce: options.nonce,
+						origin: options.origin,
+						encryptionJwk: options.encryptionJwk
+					};
+					else if (options.origin) sessionTranscriptOptions = {
+						type: "openId4VpDcApiDraft24",
+						clientId: options.clientId,
+						verifierGeneratedNonce: options.nonce,
+						origin: options.origin
+					};
+					else if (options.version === "v1") {
+						if (!options.responseUri) throw new CredoError("responseUri is required for mdoc openid4vp session transcript calculation");
+						sessionTranscriptOptions = {
+							type: "openId4Vp",
+							clientId: options.clientId,
+							responseUri: options.responseUri,
+							verifierGeneratedNonce: options.nonce,
+							encryptionJwk: options.encryptionJwk
+						};
+					} else {
+						if (!options.mdocGeneratedNonce || !options.responseUri) throw new CredoError("mdocGeneratedNonce and responseUri are required for mdoc openid4vp session transcript calculation");
+						sessionTranscriptOptions = {
+							type: "openId4VpDraft18",
+							clientId: options.clientId,
+							mdocGeneratedNonce: options.mdocGeneratedNonce,
+							responseUri: options.responseUri,
+							verifierGeneratedNonce: options.nonce
+						};
+					}
+					await mdocDeviceResponse$1.verify(agentContext, {
+						sessionTranscriptOptions,
+						trustedCertificates
+					});
+				}
+				isValid = true;
+				verifiablePresentation = mdocDeviceResponse;
+			} else if (format === ClaimFormat.JwtVp) {
+				if (typeof presentation !== "string") throw new CredoError(`Expected vp_token entry for format ${format} to be of type string`);
+				verifiablePresentation = W3cJwtVerifiablePresentation.fromSerializedJwt(presentation);
+				const verificationResult = await this.w3cCredentialService.verifyPresentation(agentContext, {
+					presentation,
+					challenge: options.nonce,
+					domain: options.audience
+				});
+				isValid = verificationResult.isValid;
+				cause = verificationResult.error;
+			} else if (format === ClaimFormat.SdJwtW3cVp) {
+				if (typeof presentation !== "string") throw new CredoError(`Expected vp_token entry for format ${format} to be of type string`);
+				verifiablePresentation = W3cV2SdJwtVerifiablePresentation.fromCompact(presentation);
+				const verificationResult = await this.w3cV2CredentialService.verifyPresentation(agentContext, {
+					presentation: verifiablePresentation,
+					challenge: options.nonce,
+					domain: options.audience
+				});
+				isValid = verificationResult.isValid;
+				cause = verificationResult.error;
+			} else {
+				verifiablePresentation = JsonTransformer.fromJSON(presentation, W3cJsonLdVerifiablePresentation);
+				const verificationResult = await this.w3cCredentialService.verifyPresentation(agentContext, {
+					presentation: verifiablePresentation,
+					challenge: options.nonce,
+					domain: options.audience
+				});
+				isValid = verificationResult.isValid;
+				cause = verificationResult.error;
+			}
+			if (!isValid) throw new CredoError(`Error occured during verification of presentation.${cause ? ` ${cause.message}` : ""}`, { cause });
+			return {
+				verified: true,
+				presentation: verifiablePresentation
+			};
+		} catch (error) {
+			agentContext.config.logger.warn("Error occurred during verification of presentation", { error });
+			return {
+				verified: false,
+				reason: error.message
+			};
+		}
+	}
+	/**
+	* Update the record to a new state and emit an state changed event. Also updates the record
+	* in storage.
+	*/
+	async updateState(agentContext, verificationSession, newState) {
+		agentContext.config.logger.debug(`Updating openid4vc verification session record ${verificationSession.id} to state ${newState} (previous=${verificationSession.state})`);
+		const previousState = verificationSession.state;
+		verificationSession.state = newState;
+		await this.openId4VcVerificationSessionRepository.update(agentContext, verificationSession);
+		this.emitStateChangedEvent(agentContext, verificationSession, previousState);
+	}
+	emitStateChangedEvent(agentContext, verificationSession, previousState) {
+		agentContext.dependencyManager.resolve(EventEmitter).emit(agentContext, {
+			type: OpenId4VcVerifierEvents.VerificationSessionStateChanged,
+			payload: {
+				verificationSession: verificationSession.clone(),
+				previousState
+			}
+		});
+	}
+};
+OpenId4VpVerifierService = __decorate([
+	injectable(),
+	__decorateParam(0, inject(InjectionSymbols.Logger)),
+	__decorateMetadata("design:paramtypes", [
+		Object,
+		typeof (_ref = typeof W3cCredentialService !== "undefined" && W3cCredentialService) === "function" ? _ref : Object,
+		typeof (_ref2 = typeof W3cV2CredentialService !== "undefined" && W3cV2CredentialService) === "function" ? _ref2 : Object,
+		typeof (_ref3 = typeof OpenId4VcVerifierRepository !== "undefined" && OpenId4VcVerifierRepository) === "function" ? _ref3 : Object,
+		typeof (_ref4 = typeof OpenId4VcVerifierModuleConfig !== "undefined" && OpenId4VcVerifierModuleConfig) === "function" ? _ref4 : Object,
+		typeof (_ref5 = typeof OpenId4VcVerificationSessionRepository !== "undefined" && OpenId4VcVerificationSessionRepository) === "function" ? _ref5 : Object
+	])
+], OpenId4VpVerifierService);
+
+//#endregion
+export { OpenId4VpVerifierService };
+//# sourceMappingURL=OpenId4VpVerifierService.mjs.map