@credo-ts/openid4vc 0.6.1-pr-2091-20241119140918 → 0.6.1

package/build/openid4vc-holder/OpenId4VciHolderService.mjs

@@ -0,0 +1,751 @@
+import { getSupportedJwaSignatureAlgorithms } from "../shared/utils.mjs";
+import { getOid4vcCallbacks } from "../shared/callbacks.mjs";
+import { getOfferedCredentials, getScopesFromCredentialConfigurationsSupported } from "../shared/issuerMetadataUtils.mjs";
+import { OpenId4VciCredentialFormatProfile } from "../shared/models/OpenId4VciCredentialFormatProfile.mjs";
+import "../shared/index.mjs";
+import { openId4VciSupportedCredentialFormats } from "./OpenId4VciHolderServiceOptions.mjs";
+import { __decorateMetadata } from "../_virtual/_@oxc-project_runtime@0.99.0/helpers/decorateMetadata.mjs";
+import { __decorateParam } from "../_virtual/_@oxc-project_runtime@0.99.0/helpers/decorateParam.mjs";
+import { __decorate } from "../_virtual/_@oxc-project_runtime@0.99.0/helpers/decorate.mjs";
+import { AgentContext, CredoError, DidsApi, InjectionSymbols, Kms, Mdoc, MdocApi, MdocRecord, SdJwtVcApi, SdJwtVcRecord, SignatureSuiteRegistry, TypedArrayEncoder, W3cCredentialRecord, W3cCredentialService, W3cJsonLdCredentialService, W3cJsonLdVerifiableCredential, W3cJwtVerifiableCredential, W3cV2CredentialRecord, W3cV2CredentialService, W3cV2SdJwtVerifiableCredential, inject, injectable, parseDid, replaceError } from "@credo-ts/core";
+import { Oauth2Client, authorizationCodeGrantIdentifier, clientAuthenticationAnonymous, clientAuthenticationClientAttestationJwt, clientAuthenticationNone, getAuthorizationServerMetadataFromList, preAuthorizedCodeGrantIdentifier, refreshTokenGrantIdentifier } from "@openid4vc/oauth2";
+import { AuthorizationFlow, Openid4vciClient, Openid4vciDraftVersion, Openid4vciRetrieveCredentialsError, determineAuthorizationServerForCredentialOffer, parseKeyAttestationJwt } from "@openid4vc/openid4vci";
+
+//#region src/openid4vc-holder/OpenId4VciHolderService.ts
+var _ref, _ref2;
+let OpenId4VciHolderService = class OpenId4VciHolderService$1 {
+	constructor(logger, w3cCredentialService, w3cV2CredentialService) {
+		this.w3cCredentialService = w3cCredentialService;
+		this.w3cV2CredentialService = w3cV2CredentialService;
+		this.logger = logger;
+	}
+	async resolveIssuerMetadata(agentContext, credentialIssuer) {
+		const metadata = await this.getClient(agentContext).resolveIssuerMetadata(credentialIssuer);
+		this.logger.debug("fetched credential issuer metadata", { metadata });
+		return metadata;
+	}
+	async resolveCredentialOffer(agentContext, credentialOffer) {
+		const client = this.getClient(agentContext);
+		const credentialOfferObject = await client.resolveCredentialOffer(credentialOffer);
+		const metadata = await client.resolveIssuerMetadata(credentialOfferObject.credential_issuer);
+		this.logger.debug("fetched credential offer and issuer metadata", {
+			metadata,
+			credentialOfferObject
+		});
+		return {
+			metadata,
+			offeredCredentialConfigurations: getOfferedCredentials(credentialOfferObject.credential_configuration_ids, metadata.knownCredentialConfigurations, { ignoreNotFoundIds: true }),
+			credentialOfferPayload: credentialOfferObject
+		};
+	}
+	async resolveAuthorizationRequest(agentContext, resolvedCredentialOffer, authCodeFlowOptions) {
+		const { clientId, redirectUri } = authCodeFlowOptions;
+		const { metadata, credentialOfferPayload, offeredCredentialConfigurations } = resolvedCredentialOffer;
+		const oauth2Client = this.getOauth2Client(agentContext);
+		const client = this.getClient(agentContext, {
+			clientId: authCodeFlowOptions.clientId,
+			clientAttestation: authCodeFlowOptions.walletAttestationJwt
+		});
+		const scope = authCodeFlowOptions.scope ?? getScopesFromCredentialConfigurationsSupported(offeredCredentialConfigurations);
+		if (!credentialOfferPayload.grants?.[authorizationCodeGrantIdentifier]) throw new CredoError(`Provided credential offer does not include the 'authorization_code' grant.`);
+		const authorizationCodeGrant = credentialOfferPayload.grants[authorizationCodeGrantIdentifier];
+		const authorizationServer = determineAuthorizationServerForCredentialOffer({
+			issuerMetadata: metadata,
+			grantAuthorizationServer: authorizationCodeGrant.authorization_server
+		});
+		const authorizationServerMetadata = getAuthorizationServerMetadataFromList(metadata.authorizationServers, authorizationServer);
+		const isDpopSupported = oauth2Client.isDpopSupported({ authorizationServerMetadata });
+		const dpop = isDpopSupported.supported ? await this.getDpopOptions(agentContext, { dpopSigningAlgValuesSupported: isDpopSupported.dpopSigningAlgValuesSupported }) : void 0;
+		const authorizationResult = await client.initiateAuthorization({
+			clientId,
+			issuerMetadata: metadata,
+			credentialOffer: credentialOfferPayload,
+			scope: scope.join(" "),
+			redirectUri,
+			dpop
+		});
+		if (authorizationResult.authorizationFlow === AuthorizationFlow.PresentationDuringIssuance) return {
+			authorizationFlow: AuthorizationFlow.PresentationDuringIssuance,
+			openid4vpRequestUrl: authorizationResult.openid4vpRequestUrl,
+			authSession: authorizationResult.authSession,
+			dpop: dpop ? {
+				alg: dpop.signer.alg,
+				jwk: Kms.PublicJwk.fromUnknown(dpop.signer.publicJwk)
+			} : void 0
+		};
+		return {
+			authorizationFlow: AuthorizationFlow.Oauth2Redirect,
+			codeVerifier: authorizationResult.pkce?.codeVerifier,
+			authorizationRequestUrl: authorizationResult.authorizationRequestUrl,
+			dpop: dpop ? {
+				alg: dpop.signer.alg,
+				jwk: Kms.PublicJwk.fromUnknown(dpop.signer.publicJwk)
+			} : void 0
+		};
+	}
+	async sendNotification(agentContext, options) {
+		await this.getClient(agentContext).sendNotification({
+			accessToken: options.accessToken,
+			dpop: options.dpop ? await this.getDpopOptions(agentContext, {
+				...options.dpop,
+				dpopSigningAlgValuesSupported: [options.dpop.alg]
+			}) : void 0,
+			issuerMetadata: options.metadata,
+			notification: {
+				event: options.notificationEvent,
+				notificationId: options.notificationId
+			}
+		});
+	}
+	async getDpopOptions(agentContext, { jwk, dpopSigningAlgValuesSupported, nonce }) {
+		const kms = agentContext.resolve(Kms.KeyManagementApi);
+		if (jwk) {
+			const alg$1 = dpopSigningAlgValuesSupported.find((alg$2) => jwk.supportedSignatureAlgorithms.includes(alg$2));
+			if (!alg$1) throw new CredoError(`No supported dpop signature algorithms found in dpop_signing_alg_values_supported '${dpopSigningAlgValuesSupported.join(", ")}' matching jwk ${jwk.jwkTypeHumanDescription}`);
+			return {
+				signer: {
+					method: "jwk",
+					alg: alg$1,
+					publicJwk: jwk.toJson()
+				},
+				nonce
+			};
+		}
+		const alg = dpopSigningAlgValuesSupported.find((algorithm) => {
+			try {
+				Kms.PublicJwk.supportedPublicJwkClassForSignatureAlgorithm(algorithm);
+				return kms.supportedBackendsForOperation({
+					operation: "sign",
+					algorithm
+				}).length > 0;
+			} catch {
+				return false;
+			}
+		});
+		if (!alg) throw new CredoError(`No supported dpop signature algorithms found in dpop_signing_alg_values_supported '${dpopSigningAlgValuesSupported.join(", ")}'`);
+		return {
+			signer: {
+				method: "jwk",
+				alg,
+				publicJwk: (await kms.createKeyForSignatureAlgorithm({ algorithm: alg })).publicJwk
+			},
+			nonce
+		};
+	}
+	async retrieveAuthorizationCodeUsingPresentation(agentContext, options) {
+		const client = this.getClient(agentContext, { clientAttestation: options.walletAttestationJwt });
+		const dpop = options.dpop ? await this.getDpopOptions(agentContext, {
+			...options.dpop,
+			dpopSigningAlgValuesSupported: [options.dpop.alg]
+		}) : void 0;
+		const { authorizationChallengeResponse, dpop: dpopResult } = await client.retrieveAuthorizationCodeUsingPresentation({
+			authSession: options.authSession,
+			presentationDuringIssuanceSession: options.presentationDuringIssuanceSession,
+			credentialOffer: options.resolvedCredentialOffer.credentialOfferPayload,
+			issuerMetadata: options.resolvedCredentialOffer.metadata,
+			dpop
+		});
+		return {
+			authorizationCode: authorizationChallengeResponse.authorization_code,
+			dpop: dpop ? {
+				...dpopResult,
+				alg: dpop.signer.alg,
+				jwk: Kms.PublicJwk.fromUnknown(dpop.signer.publicJwk)
+			} : void 0
+		};
+	}
+	async requestAccessToken(agentContext, options) {
+		const { metadata, credentialOfferPayload } = options.resolvedCredentialOffer;
+		const client = this.getClient(agentContext, {
+			clientAttestation: options.walletAttestationJwt,
+			clientId: "clientId" in options ? options.clientId : void 0
+		});
+		const oauth2Client = this.getOauth2Client(agentContext);
+		const authorizationServer = options.code ? credentialOfferPayload.grants?.authorization_code?.authorization_server : credentialOfferPayload.grants?.[preAuthorizedCodeGrantIdentifier]?.authorization_server;
+		const authorizationServerMetadata = getAuthorizationServerMetadataFromList(metadata.authorizationServers, authorizationServer ?? metadata.authorizationServers[0].issuer);
+		const isDpopSupported = oauth2Client.isDpopSupported({ authorizationServerMetadata });
+		const dpop = options.dpop ? await this.getDpopOptions(agentContext, {
+			...options.dpop,
+			dpopSigningAlgValuesSupported: [options.dpop.alg]
+		}) : isDpopSupported.supported ? await this.getDpopOptions(agentContext, { dpopSigningAlgValuesSupported: isDpopSupported.dpopSigningAlgValuesSupported }) : void 0;
+		const result = options.code ? await client.retrieveAuthorizationCodeAccessTokenFromOffer({
+			issuerMetadata: metadata,
+			credentialOffer: credentialOfferPayload,
+			authorizationCode: options.code,
+			dpop,
+			pkceCodeVerifier: options.codeVerifier,
+			redirectUri: options.redirectUri
+		}) : await client.retrievePreAuthorizedCodeAccessTokenFromOffer({
+			credentialOffer: credentialOfferPayload,
+			issuerMetadata: metadata,
+			dpop,
+			txCode: options.txCode
+		});
+		return {
+			...result,
+			dpop: dpop ? {
+				...result.dpop,
+				alg: dpop.signer.alg,
+				jwk: Kms.PublicJwk.fromUnknown(dpop.signer.publicJwk)
+			} : void 0
+		};
+	}
+	async refreshAccessToken(agentContext, options) {
+		const oauth2Client = this.getOauth2Client(agentContext, {
+			clientAttestation: options.walletAttestationJwt,
+			clientId: options.clientId
+		});
+		const dpop = options.dpop ? await this.getDpopOptions(agentContext, {
+			...options.dpop,
+			dpopSigningAlgValuesSupported: [options.dpop.alg]
+		}) : void 0;
+		const authorizationServerMetadata = getAuthorizationServerMetadataFromList(options.issuerMetadata.authorizationServers, options.authorizationServer ?? options.issuerMetadata.authorizationServers[0].issuer);
+		const result = await oauth2Client.retrieveRefreshTokenAccessToken({
+			authorizationServerMetadata,
+			refreshToken: options.refreshToken,
+			dpop,
+			resource: options.issuerMetadata.credentialIssuer.credential_issuer
+		});
+		return {
+			...result,
+			dpop: dpop ? {
+				...result.dpop,
+				alg: dpop.signer.alg,
+				jwk: Kms.PublicJwk.fromUnknown(dpop.signer.publicJwk)
+			} : void 0
+		};
+	}
+	async acceptCredentialOffer(agentContext, options) {
+		const { resolvedCredentialOffer, acceptCredentialOfferOptions } = options;
+		const { metadata, offeredCredentialConfigurations } = resolvedCredentialOffer;
+		const { credentialConfigurationIds, credentialBindingResolver, verifyCredentialStatus, allowedProofOfPossessionSignatureAlgorithms } = acceptCredentialOfferOptions;
+		const client = this.getClient(agentContext);
+		if (credentialConfigurationIds?.length === 0) throw new CredoError(`'credentialConfigurationIds' may not be empty`);
+		const receivedCredentials = [];
+		const deferredCredentials = [];
+		let cNonce = options.cNonce;
+		let dpopNonce = options.dpop?.nonce;
+		const credentialConfigurationsToRequest = credentialConfigurationIds?.map((id) => {
+			if (!offeredCredentialConfigurations[id]) throw new CredoError(`Credential to request '${id}' is not present in offered credentials. Offered credentials are ${Object.keys(offeredCredentialConfigurations).join(", ")}`);
+			return [id, offeredCredentialConfigurations[id]];
+		}) ?? Object.entries(offeredCredentialConfigurations);
+		if (!cNonce) if (metadata.credentialIssuer.nonce_endpoint) cNonce = (await client.requestNonce({ issuerMetadata: metadata })).c_nonce;
+		else await client.retrieveCredentials({
+			issuerMetadata: metadata,
+			accessToken: options.accessToken,
+			credentialConfigurationId: credentialConfigurationsToRequest[0][0],
+			dpop: options.dpop ? await this.getDpopOptions(agentContext, {
+				...options.dpop,
+				nonce: dpopNonce,
+				dpopSigningAlgValuesSupported: [options.dpop.alg]
+			}) : void 0
+		}).catch((e) => {
+			if (e instanceof Openid4vciRetrieveCredentialsError && e.response.credentialErrorResponseResult?.success) cNonce = e.response.credentialErrorResponseResult.data.c_nonce;
+		});
+		if (!cNonce) throw new CredoError("No cNonce provided and unable to acquire cNonce from the credential issuer");
+		for (const [offeredCredentialId, offeredCredentialConfiguration] of credentialConfigurationsToRequest) {
+			const { proofs, jwkThumbprintKmsKeyIdMapping } = await this.getCredentialRequestOptions(agentContext, {
+				allowedProofOfPossessionAlgorithms: allowedProofOfPossessionSignatureAlgorithms ?? getSupportedJwaSignatureAlgorithms(agentContext),
+				metadata,
+				offeredCredential: {
+					id: offeredCredentialId,
+					configuration: offeredCredentialConfiguration
+				},
+				clientId: options.clientId,
+				cNonce,
+				credentialBindingResolver
+			});
+			this.logger.debug("Generated credential request proof of possession", { proofs });
+			const proof = (metadata.originalDraftVersion === Openid4vciDraftVersion.Draft11 || metadata.originalDraftVersion === Openid4vciDraftVersion.Draft14 && metadata.credentialIssuer.batch_credential_issuance === void 0) && proofs.jwt?.length === 1 ? {
+				proof_type: "jwt",
+				jwt: proofs.jwt[0]
+			} : void 0;
+			const { credentialResponse, dpop } = await client.retrieveCredentials({
+				issuerMetadata: metadata,
+				accessToken: options.accessToken,
+				credentialConfigurationId: offeredCredentialId,
+				dpop: options.dpop ? await this.getDpopOptions(agentContext, {
+					...options.dpop,
+					nonce: dpopNonce,
+					dpopSigningAlgValuesSupported: [options.dpop.alg]
+				}) : void 0,
+				proofs: !proof ? proofs : void 0,
+				proof
+			});
+			cNonce = credentialResponse.c_nonce;
+			dpopNonce = dpop?.nonce;
+			if (credentialResponse.transaction_id) {
+				const deferredCredential = {
+					credentialConfigurationId: offeredCredentialId,
+					credentialConfiguration: offeredCredentialConfiguration,
+					transactionId: credentialResponse.transaction_id,
+					interval: credentialResponse.interval,
+					notificationId: credentialResponse.notification_id,
+					jwkThumbprintKmsKeyIdMapping
+				};
+				this.logger.debug("received deferred credential", deferredCredential);
+				deferredCredentials.push(deferredCredential);
+			} else {
+				const credential = await this.handleCredentialResponse(agentContext, credentialResponse, {
+					verifyCredentialStatus: verifyCredentialStatus ?? false,
+					format: offeredCredentialConfiguration.format,
+					credentialConfigurationId: offeredCredentialId,
+					credentialConfiguration: offeredCredentialConfiguration,
+					jwkThumbprintKmsKeyIdMapping
+				});
+				const firstCredential = credential.record.firstCredential;
+				this.logger.debug("received credential response", {
+					firstCredential: firstCredential instanceof Mdoc ? {
+						issuerSignedNamespaces: firstCredential.issuerSignedNamespaces,
+						base64Url: firstCredential.base64Url
+					} : firstCredential,
+					totalNumberOfCredentials: credential.record.credentialInstances.length
+				});
+				receivedCredentials.push(credential);
+			}
+		}
+		return {
+			credentials: receivedCredentials,
+			deferredCredentials,
+			dpop: options.dpop ? {
+				...options.dpop,
+				nonce: dpopNonce
+			} : void 0,
+			cNonce
+		};
+	}
+	async retrieveDeferredCredentials(agentContext, options) {
+		const { issuerMetadata, transactionId, credentialConfigurationId, credentialConfiguration, verifyCredentialStatus, accessToken, jwkThumbprintKmsKeyIdMapping } = options;
+		const client = this.getClient(agentContext);
+		const receivedCredentials = [];
+		const deferredCredentials = [];
+		let dpopNonce = options.dpop?.nonce;
+		const { deferredCredentialResponse, dpop } = await client.retrieveDeferredCredentials({
+			issuerMetadata,
+			accessToken,
+			transactionId,
+			dpop: options.dpop ? await this.getDpopOptions(agentContext, {
+				...options.dpop,
+				nonce: dpopNonce,
+				dpopSigningAlgValuesSupported: [options.dpop.alg]
+			}) : void 0
+		});
+		dpopNonce = dpop?.nonce;
+		if (deferredCredentialResponse.interval) {
+			const deferredCredential = {
+				credentialConfigurationId,
+				credentialConfiguration,
+				transactionId,
+				interval: deferredCredentialResponse.interval,
+				notificationId: deferredCredentialResponse.notification_id
+			};
+			this.logger.debug("received deferred credential", deferredCredential);
+			deferredCredentials.push(deferredCredential);
+		} else {
+			const credential = await this.handleCredentialResponse(agentContext, deferredCredentialResponse, {
+				verifyCredentialStatus: verifyCredentialStatus ?? false,
+				format: credentialConfiguration.format,
+				credentialConfigurationId,
+				credentialConfiguration,
+				jwkThumbprintKmsKeyIdMapping
+			});
+			const firstCredential = credential.record.firstCredential;
+			this.logger.debug("received credential response", {
+				firstCredential: firstCredential instanceof Mdoc ? {
+					issuerSignedNamespaces: firstCredential.issuerSignedNamespaces,
+					base64Url: firstCredential.base64Url
+				} : firstCredential,
+				totalNumberOfCredentials: credential.record.credentialInstances.length
+			});
+			receivedCredentials.push(credential);
+		}
+		return {
+			credentials: receivedCredentials,
+			deferredCredentials,
+			dpop: options.dpop ? {
+				...options.dpop,
+				nonce: dpopNonce
+			} : void 0
+		};
+	}
+	/**
+	* Get the options for the credential request. Internally this will resolve the proof of possession
+	* requirements, and based on that it will call the proofOfPossessionVerificationMethodResolver to
+	* allow the caller to select the correct verification method based on the requirements for the proof
+	* of possession.
+	*/
+	async getCredentialRequestOptions(agentContext, options) {
+		const dids = agentContext.resolve(DidsApi);
+		const { allowedProofOfPossessionAlgorithms, offeredCredential } = options;
+		const { configuration, id: configurationId } = offeredCredential;
+		const supportedJwaSignatureAlgorithms = getSupportedJwaSignatureAlgorithms(agentContext);
+		const possibleProofOfPossessionSignatureAlgorithms = allowedProofOfPossessionAlgorithms ? allowedProofOfPossessionAlgorithms.filter((algorithm) => supportedJwaSignatureAlgorithms.includes(algorithm)) : supportedJwaSignatureAlgorithms;
+		if (possibleProofOfPossessionSignatureAlgorithms.length === 0) throw new CredoError([
+			"No possible proof of possession signature algorithm found.",
+			`Signature algorithms supported by the Agent '${supportedJwaSignatureAlgorithms.join(", ")}'`,
+			`Allowed Signature algorithms '${allowedProofOfPossessionAlgorithms?.join(", ")}'`
+		].join("\n"));
+		const { proofTypes, supportedDidMethods, supportsAllDidMethods, supportsJwk } = this.getProofOfPossessionRequirements(agentContext, {
+			credentialToRequest: options.offeredCredential,
+			metadata: options.metadata,
+			possibleProofOfPossessionSignatureAlgorithms
+		});
+		const format = configuration.format;
+		const supportsAnyMethod = supportedDidMethods !== void 0 || supportsAllDidMethods || supportsJwk;
+		const issuerMaxBatchSize = options.metadata.credentialIssuer.batch_credential_issuance?.batch_size ?? 1;
+		const credentialBinding = await options.credentialBindingResolver({
+			agentContext,
+			credentialFormat: format,
+			credentialConfigurationId: configurationId,
+			credentialConfiguration: configuration,
+			metadata: options.metadata,
+			issuerMaxBatchSize,
+			proofTypes,
+			supportsAllDidMethods,
+			supportedDidMethods,
+			supportsJwk,
+			cNonce: options.cNonce
+		});
+		const client = this.getClient(agentContext);
+		if (credentialBinding.method === "did") {
+			if (!proofTypes.jwt) throw new CredoError(`JWT proof type is not supported for configuration '${configurationId}', which is required for did based credential binding.`);
+			if (proofTypes.jwt.keyAttestationsRequired) throw new CredoError(`Credential binding returned list of DID urls, but credential configuration '${configurationId}' requires key attestations. Key attestations and DIDs are not compatible.`);
+			if (credentialBinding.didUrls.length > issuerMaxBatchSize) throw new CredoError(`Issuer supports issuing a batch of maximum ${issuerMaxBatchSize} credential(s). Binding resolver returned ${credentialBinding.didUrls.length} DID urls. Make sure the returned value does not exceed the max batch issuance.`);
+			if (credentialBinding.didUrls.length === 0) throw new CredoError("Credential binding with method did returned empty didUrls list");
+			const firstDid = parseDid(credentialBinding.didUrls[0]);
+			if (!credentialBinding.didUrls.every((didUrl) => parseDid(didUrl).method === firstDid.method)) throw new CredoError("Expected all did urls for binding method did to use the same did method");
+			if (!supportsAllDidMethods && supportedDidMethods !== void 0 && !supportedDidMethods.find((supportedDidMethod) => firstDid.did.startsWith(supportedDidMethod) && supportsAnyMethod)) {
+				const supportedDidMethodsString = supportedDidMethods.join(", ");
+				throw new CredoError(`Resolved credential binding for proof of possession uses did method '${firstDid.method}', but issuer only supports '${supportedDidMethodsString}'`);
+			}
+			if (configuration.format === "mso_mdoc") throw new CredoError("Using a did for credential binding is not supported for the 'mso_mdoc' format.");
+			const { publicJwk: firstKey } = await dids.resolveVerificationMethodFromCreatedDidRecord(firstDid.didUrl);
+			const algorithm = proofTypes.jwt.supportedSignatureAlgorithms.find((algorithm$1) => firstKey.supportedSignatureAlgorithms.includes(algorithm$1));
+			if (!algorithm) throw new CredoError(`Credential binding returned did url that points to key '${firstKey.jwkTypeHumanDescription}' that supports signature algorithms ${firstKey.supportedSignatureAlgorithms.join(", ")}, but one of '${proofTypes.jwt.supportedSignatureAlgorithms.join(", ")}' was expected`);
+			const keys = await Promise.all(credentialBinding.didUrls.map(async (didUrl, index) => index === 0 ? {
+				jwk: firstKey,
+				didUrl: firstDid.didUrl
+			} : {
+				jwk: (await dids.resolveVerificationMethodFromCreatedDidRecord(didUrl)).publicJwk,
+				didUrl
+			}));
+			if (!keys.every((key) => Kms.assymetricJwkKeyTypeMatches(key.jwk.toJson(), firstKey.toJson()))) throw new CredoError("Expected all did urls to point to the same key type");
+			return { proofs: { jwt: await Promise.all(keys.map((key) => client.createCredentialRequestJwtProof({
+				credentialConfigurationId: configurationId,
+				issuerMetadata: options.metadata,
+				signer: {
+					method: "did",
+					didUrl: key.didUrl,
+					alg: algorithm,
+					kid: key.jwk.keyId
+				},
+				nonce: options.cNonce,
+				clientId: options.clientId
+			}).then(({ jwt }) => jwt))) } };
+		}
+		if (credentialBinding.method === "jwk") {
+			if (!supportsJwk && supportsAnyMethod) throw new CredoError(`Resolved credential binding for proof of possession uses jwk, but openid issuer does not support 'jwk' or 'cose_key' cryptographic binding method`);
+			if (configuration.format === "jwt_vc_json" || configuration.format === "jwt_vc_json-ld" || configuration.format === "ldp_vc" || configuration.format === "vc+sd-jwt" && !configuration.vct) throw new CredoError(`Using a JWK for credential binding is not supported for the '${configuration.format}' format.`);
+			if (!proofTypes.jwt) throw new CredoError(`JWT proof type is not supported for configuration '${configurationId}', which is required for jwk based credential binding.`);
+			if (proofTypes.jwt.keyAttestationsRequired) throw new CredoError(`Credential binding returned list of JWK keys, but credential configuration '${configurationId}' requires key attestations. Return a key attestation with binding method 'attestation'.`);
+			if (credentialBinding.keys.length > issuerMaxBatchSize) throw new CredoError(`Issuer supports issuing a batch of maximum ${issuerMaxBatchSize} credential(s). Binding resolver returned ${credentialBinding.keys.length} keys. Make sure the returned value does not exceed the max batch issuance.`);
+			if (credentialBinding.keys.length === 0) throw new CredoError("Credential binding with method jwk returned empty keys list");
+			const firstJwk = credentialBinding.keys[0];
+			if (!credentialBinding.keys.every((key) => Kms.assymetricJwkKeyTypeMatches(key.toJson(), firstJwk.toJson()))) throw new CredoError("Expected all keys for binding method jwk to use the same key type");
+			const algorithm = proofTypes.jwt.supportedSignatureAlgorithms.find((algorithm$1) => firstJwk.supportedSignatureAlgorithms.includes(algorithm$1));
+			if (!algorithm) throw new CredoError(`Credential binding returned jwk that points to key '${firstJwk.jwkTypeHumanDescription}' that supports signature algorithms ${firstJwk.supportedSignatureAlgorithms.join(", ")}, but one of '${proofTypes.jwt.supportedSignatureAlgorithms.join(", ")}' was expected`);
+			return {
+				jwkThumbprintKmsKeyIdMapping: Object.fromEntries(credentialBinding.keys.map((jwk) => [TypedArrayEncoder.toBase64(jwk.getJwkThumbprint()), jwk.keyId])),
+				proofs: { jwt: await Promise.all(credentialBinding.keys.map((jwk) => client.createCredentialRequestJwtProof({
+					credentialConfigurationId: configurationId,
+					issuerMetadata: options.metadata,
+					signer: {
+						method: "jwk",
+						publicJwk: jwk.toJson(),
+						alg: algorithm
+					},
+					nonce: options.cNonce,
+					clientId: options.clientId
+				}).then(({ jwt }) => jwt))) }
+			};
+		}
+		if (credentialBinding.method === "attestation") {
+			const { payload } = parseKeyAttestationJwt({ keyAttestationJwt: credentialBinding.keyAttestationJwt });
+			if (payload.attested_keys.length > issuerMaxBatchSize) throw new CredoError(`Issuer supports issuing a batch of maximum ${issuerMaxBatchSize} credential(s). Binding resolver returned key attestation with ${payload.attested_keys.length} attested keys. Make sure the returned value does not exceed the max batch issuance.`);
+			const jwkThumbprintKmsKeyIdMapping = Object.fromEntries(payload.attested_keys.map((jwk) => {
+				const jwkInstance = Kms.PublicJwk.fromUnknown(jwk);
+				return [TypedArrayEncoder.toBase64(jwkInstance.getJwkThumbprint()), jwkInstance.keyId];
+			}));
+			if (proofTypes.attestation && payload.nonce) return {
+				proofs: { attestation: [credentialBinding.keyAttestationJwt] },
+				jwkThumbprintKmsKeyIdMapping
+			};
+			if (proofTypes.jwt) {
+				const nonce = payload.nonce ?? options.cNonce;
+				const jwk = Kms.PublicJwk.fromUnknown(payload.attested_keys[0]);
+				return {
+					jwkThumbprintKmsKeyIdMapping,
+					proofs: { jwt: [await client.createCredentialRequestJwtProof({
+						credentialConfigurationId: configurationId,
+						issuerMetadata: options.metadata,
+						signer: {
+							method: "jwk",
+							publicJwk: payload.attested_keys[0],
+							alg: jwk.supportedSignatureAlgorithms[0]
+						},
+						keyAttestationJwt: credentialBinding.keyAttestationJwt,
+						nonce,
+						clientId: options.clientId
+					}).then(({ jwt }) => jwt)] }
+				};
+			}
+			throw new CredoError(`Unable to create credential request proofs. Configuration supports 'attestation' proof type, but attestation did not contain a 'nonce' value`);
+		}
+		throw new CredoError(`Unsupported credential binding method ${credentialBinding.method}`);
+	}
+	/**
+	* Get the requirements for creating the proof of possession. Based on the allowed
+	* credential formats, the allowed proof of possession signature algorithms, and the
+	* credential type, this method will select the best credential format and signature
+	* algorithm to use, based on the order of preference.
+	*/
+	getProofOfPossessionRequirements(agentContext, options) {
+		const { credentialToRequest, possibleProofOfPossessionSignatureAlgorithms, metadata } = options;
+		const { configuration, id: configurationId } = credentialToRequest;
+		if (!openId4VciSupportedCredentialFormats.includes(configuration.format)) throw new CredoError([
+			`Requested credential with format '${credentialToRequest.configuration.format}',`,
+			`for the credential with id '${credentialToRequest.id},`,
+			`but the wallet only supports the following formats '${openId4VciSupportedCredentialFormats.join(", ")}'`
+		].join("\n"));
+		const signatureSuiteRegistry = agentContext.dependencyManager.resolve(SignatureSuiteRegistry);
+		let proofTypesSupported = configuration.proof_types_supported;
+		if (!proofTypesSupported) {
+			if (metadata.originalDraftVersion !== Openid4vciDraftVersion.Draft11) throw new CredoError(`Credential configuration '${configurationId}' does not specifcy proof_types_supported. Credentials not bound to keys are not supported at the moment`);
+			proofTypesSupported = { jwt: { proof_signing_alg_values_supported: possibleProofOfPossessionSignatureAlgorithms } };
+		}
+		const proofTypes = {
+			jwt: void 0,
+			attestation: void 0
+		};
+		for (const [proofType, proofTypeConfig] of Object.entries(proofTypesSupported)) {
+			if (proofType !== "jwt" && proofType !== "attestation") continue;
+			let signatureAlgorithms = [];
+			const proofSigningAlgsSupported = proofTypeConfig?.proof_signing_alg_values_supported;
+			if (proofSigningAlgsSupported === void 0) signatureAlgorithms = options.possibleProofOfPossessionSignatureAlgorithms;
+			else switch (credentialToRequest.configuration.format) {
+				case OpenId4VciCredentialFormatProfile.JwtVcJson:
+				case OpenId4VciCredentialFormatProfile.JwtVcJsonLd:
+				case OpenId4VciCredentialFormatProfile.SdJwtVc:
+				case OpenId4VciCredentialFormatProfile.SdJwtDc:
+				case OpenId4VciCredentialFormatProfile.MsoMdoc:
+					signatureAlgorithms = options.possibleProofOfPossessionSignatureAlgorithms.filter((signatureAlgorithm) => proofSigningAlgsSupported.includes(signatureAlgorithm));
+					break;
+				case OpenId4VciCredentialFormatProfile.LdpVc:
+					signatureAlgorithms = options.possibleProofOfPossessionSignatureAlgorithms.filter((signatureAlgorithm) => {
+						try {
+							const jwkClass = Kms.PublicJwk.supportedPublicJwkClassForSignatureAlgorithm(signatureAlgorithm);
+							const matchingSuites = signatureSuiteRegistry.getAllByPublicJwkType(jwkClass);
+							if (matchingSuites.length === 0) return false;
+							return proofSigningAlgsSupported.includes(matchingSuites[0].proofType);
+						} catch {
+							return false;
+						}
+					});
+					break;
+				default: throw new CredoError("Unsupported credential format.");
+			}
+			proofTypes[proofType] = {
+				supportedSignatureAlgorithms: signatureAlgorithms,
+				keyAttestationsRequired: proofTypeConfig.key_attestations_required ? {
+					keyStorage: proofTypeConfig.key_attestations_required.key_storage,
+					userAuthentication: proofTypeConfig.key_attestations_required.user_authentication
+				} : void 0
+			};
+		}
+		const { jwt, attestation } = proofTypes;
+		if (!jwt && !attestation) throw new CredoError(`Unsupported proof type(s) ${Object.keys(proofTypesSupported).join(", ")}. Supported proof type(s) are: jwt, attestation`);
+		const issuerSupportedBindingMethods = credentialToRequest.configuration.cryptographic_binding_methods_supported;
+		const supportsAllDidMethods = issuerSupportedBindingMethods?.includes("did") ?? false;
+		const supportedDidMethods = issuerSupportedBindingMethods?.filter((method) => method.startsWith("did:"));
+		const supportsCoseKey = issuerSupportedBindingMethods?.includes("cose_key") ?? false;
+		return {
+			proofTypes,
+			supportedDidMethods,
+			supportsAllDidMethods,
+			supportsJwk: issuerSupportedBindingMethods?.includes("jwk") || supportsCoseKey
+		};
+	}
+	async handleCredentialResponse(agentContext, credentialResponse, options) {
+		const { verifyCredentialStatus, credentialConfigurationId, credentialConfiguration } = options;
+		this.logger.debug("Credential response", credentialResponse);
+		const credentials = credentialResponse.credentials ? credentialResponse.credentials.every((c) => typeof c === "object" && c !== null && "credential" in c) ? credentialResponse.credentials.map((c) => c.credential) : credentialResponse.credentials : credentialResponse.credential ? [credentialResponse.credential] : void 0;
+		if (!credentials) throw new CredoError(`Credential response returned neither 'credentials' nor 'credential' parameter.`);
+		const notificationId = credentialResponse.notification_id;
+		const format = options.format;
+		if (format === OpenId4VciCredentialFormatProfile.SdJwtVc || format === OpenId4VciCredentialFormatProfile.SdJwtDc) {
+			if (!credentials.every((c) => typeof c === "string")) throw new CredoError(`Received credential(s) of format ${format}, but not all credential(s) are a string. ${JSON.stringify(credentials)}`);
+			if (format === OpenId4VciCredentialFormatProfile.SdJwtDc || credentialConfiguration.vct) {
+				const sdJwtVcApi = agentContext.dependencyManager.resolve(SdJwtVcApi);
+				const verificationResults = await Promise.all(credentials.map((compactSdJwtVc, index) => sdJwtVcApi.verify({
+					compactSdJwtVc,
+					fetchTypeMetadata: index === 0
+				})));
+				if (!verificationResults.every((result$1) => result$1.isValid)) {
+					agentContext.config.logger.error("Failed to validate credential(s)", { verificationResults });
+					throw new CredoError(`Failed to validate sd-jwt-vc credentials. Results = ${JSON.stringify(verificationResults, replaceError)}`);
+				}
+				return {
+					record: new SdJwtVcRecord({
+						credentialInstances: verificationResults.map((r) => ({
+							compactSdJwtVc: r.sdJwtVc.compact,
+							kmsKeyId: r.sdJwtVc.kmsKeyId
+						})),
+						typeMetadata: verificationResults[0].sdJwtVc.typeMetadata
+					}),
+					notificationId,
+					credentialConfigurationId,
+					credentialConfiguration
+				};
+			}
+			const result = await Promise.all(credentials.map(async (c) => {
+				const credential = W3cV2SdJwtVerifiableCredential.fromCompact(c);
+				return {
+					credential,
+					result: await this.w3cV2CredentialService.verifyCredential(agentContext, { credential })
+				};
+			}));
+			if (!result.every((c) => c.result.isValid)) {
+				agentContext.config.logger.error("Failed to validate credentials", { result });
+				throw new CredoError(`Failed to validate credential, error = ${result.map((e) => e.result.error?.message).filter(Boolean).join(", ")}`);
+			}
+			return {
+				record: new W3cV2CredentialRecord({ credentialInstances: result.map((r) => ({ credential: r.credential.encoded })) }),
+				notificationId,
+				credentialConfigurationId,
+				credentialConfiguration
+			};
+		}
+		if (options.format === OpenId4VciCredentialFormatProfile.JwtVcJson || options.format === OpenId4VciCredentialFormatProfile.JwtVcJsonLd) {
+			if (!credentials.every((c) => typeof c === "string")) throw new CredoError(`Received credential(s) of format ${format}, but not all credential(s) are a string. ${JSON.stringify(credentials)}`);
+			const result = await Promise.all(credentials.map(async (c) => {
+				const credential = W3cJwtVerifiableCredential.fromSerializedJwt(c);
+				return {
+					credential,
+					result: await this.w3cCredentialService.verifyCredential(agentContext, {
+						credential,
+						verifyCredentialStatus
+					})
+				};
+			}));
+			if (!result.every((c) => c.result.isValid)) {
+				agentContext.config.logger.error("Failed to validate credentials", { result });
+				throw new CredoError(`Failed to validate credential, error = ${result.map((e) => e.result.error?.message).filter(Boolean).join(", ")}`);
+			}
+			return {
+				record: new W3cCredentialRecord({
+					credentialInstances: result.map((r) => ({ credential: r.credential.encoded })),
+					tags: {}
+				}),
+				notificationId,
+				credentialConfigurationId,
+				credentialConfiguration
+			};
+		}
+		if (format === OpenId4VciCredentialFormatProfile.LdpVc) {
+			if (!credentials.every((c) => typeof c === "object" && c !== null)) throw new CredoError(`Received credential(s) of format ${format}, but not all credential(s) are an object. ${JSON.stringify(credentials)}`);
+			const result = await Promise.all(credentials.map(async (c) => {
+				const credential = W3cJsonLdVerifiableCredential.fromJson(c);
+				return {
+					credential,
+					result: await this.w3cCredentialService.verifyCredential(agentContext, {
+						credential,
+						verifyCredentialStatus
+					})
+				};
+			}));
+			if (!result.every((c) => c.result.isValid)) {
+				agentContext.config.logger.error("Failed to validate credentials", { result });
+				throw new CredoError(`Failed to validate credential, error = ${result.map((e) => e.result.error?.message).filter(Boolean).join(", ")}`);
+			}
+			const w3cJsonLdCredentialService = agentContext.resolve(W3cJsonLdCredentialService);
+			return {
+				record: new W3cCredentialRecord({
+					credentialInstances: result.map((r) => ({ credential: r.credential.encoded })),
+					tags: { expandedTypes: await w3cJsonLdCredentialService.getExpandedTypesForCredential(agentContext, result[0].credential) }
+				}),
+				notificationId,
+				credentialConfigurationId,
+				credentialConfiguration
+			};
+		}
+		if (format === OpenId4VciCredentialFormatProfile.MsoMdoc) {
+			if (!credentials.every((c) => typeof c === "string")) throw new CredoError(`Received credential(s) of format ${format}, but not all credential(s) are a string. ${JSON.stringify(credentials)}`);
+			const mdocApi = agentContext.dependencyManager.resolve(MdocApi);
+			const result = await Promise.all(credentials.map(async (credential) => {
+				const mdoc = Mdoc.fromBase64Url(credential);
+				const result$1 = await mdocApi.verify(mdoc, {});
+				const jwkThumbprint = TypedArrayEncoder.toBase64(mdoc.deviceKey.getJwkThumbprint());
+				const kmsKeyId = options.jwkThumbprintKmsKeyIdMapping?.[jwkThumbprint];
+				if (!kmsKeyId) throw new CredoError(`Missing kmsKeyId for jwk with thumbprint ${jwkThumbprint}. A credential was issued for a key that was not in the credential request.`);
+				return {
+					result: result$1,
+					mdoc,
+					kmsKeyId
+				};
+			}));
+			if (!result.every((r) => r.result.isValid)) {
+				agentContext.config.logger.error("Failed to validate credentials", { result });
+				throw new CredoError(`Failed to validate mdoc credential(s). \n - ${result.map((r, i) => r.result.isValid ? void 0 : `(${i}) ${r.result.error}`).filter(Boolean).join("\n - ")}`);
+			}
+			return {
+				record: new MdocRecord({ credentialInstances: result.map((c) => ({
+					issuerSignedBase64Url: c.mdoc.base64Url,
+					kmsKeyId: c.kmsKeyId
+				})) }),
+				notificationId,
+				credentialConfigurationId,
+				credentialConfiguration
+			};
+		}
+		throw new CredoError(`Unsupported credential format ${options.format}`);
+	}
+	getCallbacks(agentContext, { clientAttestation, clientId } = {}) {
+		const callbacks = getOid4vcCallbacks(agentContext);
+		return {
+			...callbacks,
+			clientAuthentication: (options) => {
+				const { authorizationServerMetadata, url, body } = options;
+				const clientAttestationSupported = this.getOauth2Client(agentContext).isClientAttestationSupported({ authorizationServerMetadata });
+				if (clientAttestation && clientAttestationSupported) return clientAuthenticationClientAttestationJwt({
+					clientAttestationJwt: clientAttestation,
+					callbacks
+				})(options);
+				if (url === authorizationServerMetadata.token_endpoint && authorizationServerMetadata["pre-authorized_grant_anonymous_access_supported"] && body.grant_type === preAuthorizedCodeGrantIdentifier) return clientAuthenticationAnonymous()(options);
+				if (clientId) return clientAuthenticationNone({ clientId })(options);
+				if (url === authorizationServerMetadata.token_endpoint && body.grant_type === preAuthorizedCodeGrantIdentifier) return clientAuthenticationAnonymous()(options);
+				if (body.grant_type === refreshTokenGrantIdentifier) return clientAuthenticationAnonymous()(options);
+				if (url === authorizationServerMetadata.authorization_challenge_endpoint && body.auth_session) return clientAuthenticationAnonymous()(options);
+				throw new CredoError("Unable to perform client authentication.");
+			}
+		};
+	}
+	getClient(agentContext, options = {}) {
+		return new Openid4vciClient({ callbacks: this.getCallbacks(agentContext, options) });
+	}
+	getOauth2Client(agentContext, options) {
+		return new Oauth2Client({ callbacks: options ? this.getCallbacks(agentContext, options) : getOid4vcCallbacks(agentContext) });
+	}
+};
+OpenId4VciHolderService = __decorate([
+	injectable(),
+	__decorateParam(0, inject(InjectionSymbols.Logger)),
+	__decorateMetadata("design:paramtypes", [
+		Object,
+		typeof (_ref = typeof W3cCredentialService !== "undefined" && W3cCredentialService) === "function" ? _ref : Object,
+		typeof (_ref2 = typeof W3cV2CredentialService !== "undefined" && W3cV2CredentialService) === "function" ? _ref2 : Object
+	])
+], OpenId4VciHolderService);
+
+//#endregion
+export { OpenId4VciHolderService };
+//# sourceMappingURL=OpenId4VciHolderService.mjs.map