npm - @credo-ts/openid4vc - Versions diffs - 0.6.1-pr-2091-20241119140918 → 0.6.1 - Mend

@credo-ts/openid4vc 0.6.1-pr-2091-20241119140918 → 0.6.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (409) hide show

package/build/openid4vc-holder/OpenId4VciHolderServiceOptions.mjs.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"OpenId4VciHolderServiceOptions.mjs","names":["openId4VciSupportedCredentialFormats: OpenId4VciSupportedCredentialFormats[]"],"sources":["../../src/openid4vc-holder/OpenId4VciHolderServiceOptions.ts"],"sourcesContent":["import type {\n AgentContext,\n Kms,\n MdocRecord,\n SdJwtVcRecord,\n W3cCredentialRecord,\n W3cV2CredentialRecord,\n} from '@credo-ts/core'\nimport type { CredentialOfferObject, IssuerMetadataResult } from '@openid4vc/openid4vci'\nimport { AuthorizationFlow as OpenId4VciAuthorizationFlow } from '@openid4vc/openid4vci'\nimport type {\n OpenId4VcCredentialHolderBinding,\n OpenId4VciAccessTokenResponse,\n OpenId4VciCredentialConfigurationSupportedWithFormats,\n OpenId4VciCredentialConfigurationsSupportedWithFormats,\n OpenId4VciMetadata,\n} from '../shared'\nimport { OpenId4VciCredentialFormatProfile } from '../shared/models/OpenId4VciCredentialFormatProfile'\n\nexport { OpenId4VciAuthorizationFlow }\n\nexport type OpenId4VciSupportedCredentialFormats =\n | OpenId4VciCredentialFormatProfile.JwtVcJson\n | OpenId4VciCredentialFormatProfile.JwtVcJsonLd\n | OpenId4VciCredentialFormatProfile.SdJwtVc\n | OpenId4VciCredentialFormatProfile.SdJwtDc\n | OpenId4VciCredentialFormatProfile.LdpVc\n | OpenId4VciCredentialFormatProfile.MsoMdoc\n\nexport const openId4VciSupportedCredentialFormats: OpenId4VciSupportedCredentialFormats[] = [\n OpenId4VciCredentialFormatProfile.JwtVcJson,\n OpenId4VciCredentialFormatProfile.JwtVcJsonLd,\n OpenId4VciCredentialFormatProfile.SdJwtVc,\n OpenId4VciCredentialFormatProfile.SdJwtDc,\n OpenId4VciCredentialFormatProfile.LdpVc,\n OpenId4VciCredentialFormatProfile.MsoMdoc,\n]\n\nexport interface OpenId4VciDpopRequestOptions {\n jwk: Kms.PublicJwk\n alg: Kms.KnownJwaSignatureAlgorithm\n nonce?: string\n}\n\n/**\n * 'credential_accepted' The Credential was successfully stored in the Wallet.\n * 'credential_deleted' when the unsuccessful Credential issuance was caused by a user action.\n * 'credential_failure' otherwise.\n */\nexport type OpenId4VciNotificationEvent = 'credential_accepted' | 'credential_failure' | 'credential_deleted'\n\nexport type OpenId4VciRequestTokenResponse = {\n accessToken: string\n refreshToken?: string\n cNonce?: string\n dpop?: OpenId4VciDpopRequestOptions\n authorizationServer?: string\n\n accessTokenResponse: OpenId4VciAccessTokenResponse\n}\n\nexport interface OpenId4VciCredentialResponse {\n credentialConfigurationId: string\n credentialConfiguration: OpenId4VciCredentialConfigurationSupportedWithFormats\n\n /**\n * The record containing the credentials returned in the OpenID4VCI credential response\n *\n * The credential is returned as a record, which can be provided to the\n * respective `store()` method of each credential-specific API.\n *\n * The record contains the credential instance (instances in case of batch issuance)\n * along with metadata such as the VCT Type Metadata (in case of SD-JWT)\n */\n record: SdJwtVcRecord | MdocRecord | W3cCredentialRecord | W3cV2CredentialRecord\n\n notificationId?: string\n}\n\nexport interface OpenId4VciDeferredCredentialResponse {\n credentialConfigurationId: string\n credentialConfiguration: OpenId4VciCredentialConfigurationSupportedWithFormats\n transactionId: string\n interval?: number\n notificationId?: string\n /**\n * Mapping from JWK thumbprint values to KMS key ids that were submitted in the credential request.\n * These should be used when retrieving the deferred credentials, to store the associated kms key id\n * for each received credential.\n */\n jwkThumbprintKmsKeyIdMapping?: Record<string, string>\n}\n\nexport interface OpenId4VciResolvedCredentialOffer {\n metadata: IssuerMetadataResult\n credentialOfferPayload: CredentialOfferObject\n\n /**\n * Offered credential configurations with known formats\n */\n offeredCredentialConfigurations: OpenId4VciCredentialConfigurationsSupportedWithFormats\n}\n\nexport type OpenId4VciResolvedAuthorizationRequest =\n | {\n openid4vpRequestUrl: string\n authorizationFlow: OpenId4VciAuthorizationFlow.PresentationDuringIssuance\n authSession: string\n\n /**\n * DPoP request options if DPoP was used for the authorization challenge request\n */\n dpop?: OpenId4VciDpopRequestOptions\n }\n | {\n authorizationRequestUrl: string\n authorizationFlow: OpenId4VciAuthorizationFlow.Oauth2Redirect\n codeVerifier?: string\n\n /**\n * DPoP request options if DPoP was used for the pushed authorization reuqest\n */\n dpop?: OpenId4VciDpopRequestOptions\n }\n\nexport interface OpenId4VciSendNotificationOptions {\n metadata: IssuerMetadataResult\n\n notificationId: string\n\n /**\n * The access token obtained through @see requestToken\n */\n accessToken: string\n\n /**\n * The notification event\n *\n * 'credential_accepted' The Credential was successfully stored in the Wallet.\n * 'credential_deleted' when the unsuccessful Credential issuance was caused by a user action.\n * 'credential_failure' otherwise.\n */\n notificationEvent: OpenId4VciNotificationEvent\n\n dpop?: OpenId4VciDpopRequestOptions\n}\n\nexport interface OpenId4VcAuthorizationCodeTokenRequestOptions {\n resolvedCredentialOffer: OpenId4VciResolvedCredentialOffer\n code: string\n clientId: string\n codeVerifier?: string\n redirectUri?: string\n\n txCode?: never\n\n /**\n * DPoP parameters to use in the request if supported by the authorization server.\n *\n * If DPoP was already used in the initiateAuthorization method, it should be provided\n * here as well and be bound to the same key.\n */\n dpop?: OpenId4VciDpopRequestOptions\n\n /**\n * The wallet attestation to send to the issuer. This will only be used\n * if client attestations are supported by the issuer, and should be provided\n * if wallet attestation was provided in the authorization request as well.\n *\n * A Proof of Possession will be created based on the wallet attestation,\n * so the key bound to the wallet attestation must be in the wallet.\n */\n walletAttestationJwt?: string\n}\n\n// TODO: support wallet attestation for pre-auth flow\nexport interface OpenId4VciPreAuthorizedTokenRequestOptions {\n resolvedCredentialOffer: OpenId4VciResolvedCredentialOffer\n txCode?: string\n\n code?: undefined\n\n /**\n * DPoP parameters to use in the request if supported by the authorization server.\n */\n dpop?: OpenId4VciDpopRequestOptions\n\n /**\n * The wallet attestation to send to the issuer. This will only be used\n * if client attestations are supported by the issuer.\n *\n * A Proof of Possession will be created based on the wallet attestation,\n * so the key bound to the wallet attestation must be in the wallet.\n */\n walletAttestationJwt?: string\n}\n\nexport type OpenId4VciTokenRequestOptions =\n | OpenId4VciPreAuthorizedTokenRequestOptions\n | OpenId4VcAuthorizationCodeTokenRequestOptions\n\nexport type OpenId4VciTokenRefreshOptions = {\n refreshToken: string\n\n /**\n * The issuer metadata.\n */\n issuerMetadata: IssuerMetadataResult\n\n /**\n * The authorization server where the refresh token was obtained from.\n */\n authorizationServer?: string\n\n /**\n * DPoP parameters to use in the request if supported by the authorization server.\n */\n dpop?: OpenId4VciDpopRequestOptions\n\n /**\n * The client id used for authorization. Only required if authorization_code flow was used.\n */\n clientId?: string\n\n /**\n * The wallet attestation to send to the issuer. This will only be used\n * if client attestations are supported by the issuer, and should be provided\n * if wallet attestation was provided in the authorization request as well.\n *\n * A Proof of Possession will be created based on the wallet attestation,\n * so the key bound to the wallet attestation must be in the wallet.\n */\n walletAttestationJwt?: string\n}\n\nexport interface OpenId4VciRetrieveAuthorizationCodeUsingPresentationOptions {\n resolvedCredentialOffer: OpenId4VciResolvedCredentialOffer\n dpop?: OpenId4VciDpopRequestOptions\n\n /**\n * The wallet attestation to send to the issuer. This will only be used\n * if client attestations are supported by the issuer, and should be provided\n * if wallet attestation was provided in the authorization request as well.\n *\n * A Proof of Possession will be created based on the wallet attestation,\n * so the key bound to the wallet attestation must be in the wallet.\n */\n walletAttestationJwt?: string\n\n /**\n * auth session returned at an earlier call to the authorization challenge endpoint\n */\n authSession: string\n\n /**\n * Presentation during issuance session returned by the verifier after submitting a valid presentation\n */\n presentationDuringIssuanceSession?: string\n}\n\nexport interface OpenId4VciCredentialRequestOptions extends Omit<OpenId4VciAcceptCredentialOfferOptions, 'userPin'> {\n resolvedCredentialOffer: OpenId4VciResolvedCredentialOffer\n accessToken: string\n cNonce?: string\n dpop?: OpenId4VciDpopRequestOptions\n\n /**\n * The client id used for authorization. Only required if authorization_code flow was used.\n */\n clientId?: string\n}\n\n/**\n * Options that are used to accept a credential offer for both the pre-authorized code flow and authorization code flow.\n * NOTE: Merge with @see OpenId4VciCredentialRequestOptions for 0.6\n */\nexport interface OpenId4VciAcceptCredentialOfferOptions {\n /**\n * This is the list of credentials configuration ids that will be requested from the issuer.\n * Should be a list of ids of the credentials that are included in the credential offer.\n * If not provided all offered credentials will be requested.\n */\n credentialConfigurationIds?: string[]\n\n verifyCredentialStatus?: boolean\n\n /**\n * A list of allowed proof of possession signature algorithms in order of preference.\n *\n * Note that the signature algorithms must be supported by the wallet implementation.\n * Signature algorithms that are not supported by the wallet will be ignored.\n *\n * The proof of possession (pop) signature algorithm is used in the credential request\n * to bind the credential to a did. In most cases the JWA signature algorithm\n * that is used in the pop will determine the cryptographic suite that is used\n * for signing the credential, but this not a requirement for the spec. E.g. if the\n * pop uses EdDsa, the credential will most commonly also use EdDsa, or Ed25519Signature2018/2020.\n */\n allowedProofOfPossessionSignatureAlgorithms?: Kms.KnownJwaSignatureAlgorithm[]\n\n /**\n * A function that should resolve key material for binding the to-be-issued credential\n * to the holder based on the options passed. This key material will be used for signing\n * the proof of possession included in the credential request.\n *\n * This method will be called once for each of the credentials that are included\n * in the credential offer.\n *\n * Based on the credential format, JWA signature algorithm, verification method types\n * and binding methods (did methods, jwk), the resolver must return an object\n * conformant to the `CredentialHolderBinding` interface, which will be used\n * for the proof of possession signature.\n */\n credentialBindingResolver: OpenId4VciCredentialBindingResolver\n}\n\n/**\n * Options to request deferred credentials from the issuer.\n */\nexport interface OpenId4VciDeferredCredentialRequestOptions {\n issuerMetadata: IssuerMetadataResult\n transactionId: string\n credentialConfigurationId: string\n credentialConfiguration: OpenId4VciCredentialConfigurationSupportedWithFormats\n verifyCredentialStatus?: boolean\n accessToken: string\n dpop?: OpenId4VciDpopRequestOptions\n\n /**\n * Mapping from JWK thumbprint values to KMS key ids that were submitted in the credential request.\n * These were returned in the deferred credential return value in case JWKs were used in the proof\n * of possession of the credential request\n */\n jwkThumbprintKmsKeyIdMapping?: Record<string, string>\n}\n\n/**\n * Options that are used for the authorization code flow.\n */\nexport interface OpenId4VciAuthCodeFlowOptions {\n clientId: string\n\n /**\n * The wallet attestation to send to the issuer. This will only be used\n * if client attestations and PAR are supported by the issuer.\n *\n * A Proof of Possesion will be created based on the wallet attestation,\n * so the key bound to the wallet attestation must be in the wallet.\n */\n walletAttestationJwt?: string\n\n redirectUri: string\n scope?: string[]\n}\n\nexport interface OpenId4VciCredentialBindingOptions {\n agentContext: AgentContext\n\n /**\n * The OpenID4VCI metadata, consisting of the draft version used,\n * the issuer metadatan and the authorization server metadata\n */\n metadata: OpenId4VciMetadata\n\n /**\n * The credential format that will be requested from the issuer.\n * E.g. `jwt_vc` or `ldp_vc`.\n */\n credentialFormat: OpenId4VciSupportedCredentialFormats\n\n /**\n * The max batch size as configured by the issuer. If the issuer has not indicated support for batch issuance\n * this will be `1`.\n */\n issuerMaxBatchSize: number\n\n /**\n * The proof types supported by the credential issuer that are also supported\n * by credo. Currently `jwt` and `attestation` are supported.\n *\n * Each proof type will list the supported algorithms, key types\n * and whether key attesations are required\n */\n proofTypes: OpenId4VciProofOfPressionProofTypes\n\n /**\n * The id of the credential configuration that will be requested from the issuer.\n */\n credentialConfigurationId: string\n\n /**\n * The credential configuration that will be requested from the issuer.\n */\n credentialConfiguration: OpenId4VciCredentialConfigurationSupportedWithFormats\n\n /**\n * Whether the issuer supports the `did` cryptographic binding method,\n * indicating they support all did methods. In most cases, they do not\n * support all did methods, and it means we have to make an assumption\n * about the did methods they support.\n *\n * If this value is `false`, the `supportedDidMethods` property will\n * contain a list of supported did methods.\n *\n * NOTE: when key attestations are required for a specific proof type, support for did method\n * binding is not supported at the moment, as there's no way to indicate which did the credential\n * should be bound to.\n * https://github.com/openid/OpenID4VCI/issues/475\n */\n supportsAllDidMethods: boolean\n\n /**\n * A list of supported did methods. This is only used if the `supportsAllDidMethods`\n * property is `false`. When this array is populated, the returned verification method\n * MUST be based on one of these did methods.\n *\n * The did methods are returned in the format `did:<method>`, e.g. `did:web`.\n *\n * The value is undefined in the case the supported did methods could not be extracted.\n * This is the case when the issuer didn't include the supported did methods in the issuer metadata.\n *\n * NOTE: an empty array (no did methods supported) has a different meaning from the value\n * being undefined (the supported did methods could not be extracted). If `supportsAllDidMethods`\n * is true, the value of this property MUST be ignored.\n *\n * NOTE: when key attestations are required for a specific proof type, support for did method\n * binding is not supported at the moment, as there's no way to indicate which did the credential\n * should be bound to.\n * https://github.com/openid/OpenID4VCI/issues/475\n */\n supportedDidMethods?: string[]\n\n /**\n * Whether the issuer supports the `jwk` cryptographic binding method,\n * indicating they support proof of possession signatures bound to a jwk.\n */\n supportsJwk: boolean\n\n /**\n * The cNonce that will be used for the credential request. May be used if dynamically creating a key attestation\n * that must include the cNonce.\n */\n cNonce: string\n}\n\n/**\n * The proof of possession verification method resolver is a function that can be passed by the\n * user of the framework and allows them to determine which verification method should be used\n * for the proof of possession signature.\n */\nexport type OpenId4VciCredentialBindingResolver = (\n options: OpenId4VciCredentialBindingOptions\n) => Promise<OpenId4VcCredentialHolderBinding> | OpenId4VcCredentialHolderBinding\n\nexport type OpenId4VciProofOfPressionProofTypes = Record<\n 'jwt' | 'attestation',\n | {\n /**\n * The JWA Signature Algorithm(s) that can be used in the proof of possession.\n * This is based on the `allowedProofOfPossessionSignatureAlgorithms` passed\n * to the request credential method, and the supported proof type signature\n * algorithms for the specific credential configuration\n */\n supportedSignatureAlgorithms: Kms.KnownJwaSignatureAlgorithm[]\n\n /**\n * Whether key attestations are required and which level needs to be met. If the object\n * is not defined, it can be interpreted that key attestations are not required.\n *\n * OpenID4VCI defined common levels in https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html#appendix-D.2, such as:\n * - `iso_18045_high`\n * - `iso_18045_moderate`\n * - `iso_18045_enhanced-basic`\n * - `iso_18045_basic`\n *\n * Other values may be defined and present as well. When key attestations are required you MUST return a key attestation.\n * If `userAuthentication` or `keyStorage` are defined you MUST return a key attestation that reaches the level as required\n * by the `keyStorage` and `userAuthentication` values.\n */\n keyAttestationsRequired?: {\n keyStorage?: string[]\n userAuthentication?: string[]\n }\n }\n | undefined\n>\n\n/**\n * @internal\n */\nexport interface OpenId4VciProofOfPossessionRequirements {\n proofTypes: OpenId4VciProofOfPressionProofTypes\n supportedDidMethods?: string[]\n supportsAllDidMethods: boolean\n supportsJwk: boolean\n}\n"],"mappings":";;;;AA6BA,MAAaA,uCAA+E;CAC1F,kCAAkC;CAClC,kCAAkC;CAClC,kCAAkC;CAClC,kCAAkC;CAClC,kCAAkC;CAClC,kCAAkC;CACnC"}

package/build/openid4vc-holder/OpenId4vpHolderService.d.mts ADDED Viewed

@@ -0,0 +1,130 @@
+import { OpenId4VpAcceptAuthorizationRequestOptions, OpenId4VpResolvedAuthorizationRequest, ResolveOpenId4VpAuthorizationRequestOptions } from "./OpenId4vpHolderServiceOptions.mjs";
+import { AgentContext, DcqlService, DifPresentationExchangeService, DifPresentationExchangeSubmission } from "@credo-ts/core";
+//#region src/openid4vc-holder/OpenId4vpHolderService.d.ts
+declare class OpenId4VpHolderService {
+  private presentationExchangeService;
+  private dcqlService;
+  constructor(presentationExchangeService: DifPresentationExchangeService, dcqlService: DcqlService);
+  private getOpenid4vpClient;
+  private handlePresentationExchangeRequest;
+  private handleDcqlRequest;
+  resolveAuthorizationRequest(agentContext: AgentContext,
+  /**
+   * Can be:
+   * - JWT
+   * - URI containing request or request_uri param
+   * - Request payload
+   */
+  authorizationRequest: string | Record<string, unknown>, options?: ResolveOpenId4VpAuthorizationRequestOptions): Promise<OpenId4VpResolvedAuthorizationRequest>;
+  private extendCredentialsWithTransactionDataHashes;
+  acceptAuthorizationRequest(agentContext: AgentContext, options: OpenId4VpAcceptAuthorizationRequestOptions): Promise<{
+    readonly ok: true;
+    readonly authorizationResponse: ({
+      [x: string]: unknown;
+      vp_token: string | Record<string, any> | [string | Record<string, any>, ...(string | Record<string, any>)[]] | Record<string, string | Record<string, any> | [string | Record<string, any>, ...(string | Record<string, any>)[]]>;
+      state?: string | undefined;
+      id_token?: string | undefined;
+      presentation_submission?: any;
+      refresh_token?: string | undefined;
+      token_type?: string | undefined;
+      access_token?: string | undefined;
+      expires_in?: number | undefined;
+    } & {
+      presentation_submission?: DifPresentationExchangeSubmission;
+    }) | {
+      response: string;
+    };
+    readonly authorizationResponsePayload: {
+      [x: string]: unknown;
+      vp_token: string | Record<string, any> | [string | Record<string, any>, ...(string | Record<string, any>)[]] | Record<string, string | Record<string, any> | [string | Record<string, any>, ...(string | Record<string, any>)[]]>;
+      state?: string | undefined;
+      id_token?: string | undefined;
+      presentation_submission?: any;
+      refresh_token?: string | undefined;
+      token_type?: string | undefined;
+      access_token?: string | undefined;
+      expires_in?: number | undefined;
+    } & {
+      presentation_submission?: DifPresentationExchangeSubmission;
+    };
+    readonly serverResponse?: undefined;
+    readonly redirectUri?: undefined;
+    readonly presentationDuringIssuanceSession?: undefined;
+  } | {
+    readonly ok: false;
+    readonly serverResponse: {
+      readonly status: number;
+      readonly body: string | Record<string, unknown> | null;
+    };
+    readonly authorizationResponse: ({
+      [x: string]: unknown;
+      vp_token: string | Record<string, any> | [string | Record<string, any>, ...(string | Record<string, any>)[]] | Record<string, string | Record<string, any> | [string | Record<string, any>, ...(string | Record<string, any>)[]]>;
+      state?: string | undefined;
+      id_token?: string | undefined;
+      presentation_submission?: any;
+      refresh_token?: string | undefined;
+      token_type?: string | undefined;
+      access_token?: string | undefined;
+      expires_in?: number | undefined;
+    } & {
+      presentation_submission?: DifPresentationExchangeSubmission;
+    }) | {
+      response: string;
+    };
+    readonly authorizationResponsePayload: {
+      [x: string]: unknown;
+      vp_token: string | Record<string, any> | [string | Record<string, any>, ...(string | Record<string, any>)[]] | Record<string, string | Record<string, any> | [string | Record<string, any>, ...(string | Record<string, any>)[]]>;
+      state?: string | undefined;
+      id_token?: string | undefined;
+      presentation_submission?: any;
+      refresh_token?: string | undefined;
+      token_type?: string | undefined;
+      access_token?: string | undefined;
+      expires_in?: number | undefined;
+    } & {
+      presentation_submission?: DifPresentationExchangeSubmission;
+    };
+    readonly redirectUri?: undefined;
+    readonly presentationDuringIssuanceSession?: undefined;
+  } | {
+    readonly ok: true;
+    readonly serverResponse: {
+      readonly status: number;
+      readonly body: Record<string, unknown>;
+    };
+    readonly authorizationResponse: ({
+      [x: string]: unknown;
+      vp_token: string | Record<string, any> | [string | Record<string, any>, ...(string | Record<string, any>)[]] | Record<string, string | Record<string, any> | [string | Record<string, any>, ...(string | Record<string, any>)[]]>;
+      state?: string | undefined;
+      id_token?: string | undefined;
+      presentation_submission?: any;
+      refresh_token?: string | undefined;
+      token_type?: string | undefined;
+      access_token?: string | undefined;
+      expires_in?: number | undefined;
+    } & {
+      presentation_submission?: DifPresentationExchangeSubmission;
+    }) | {
+      response: string;
+    };
+    readonly authorizationResponsePayload: {
+      [x: string]: unknown;
+      vp_token: string | Record<string, any> | [string | Record<string, any>, ...(string | Record<string, any>)[]] | Record<string, string | Record<string, any> | [string | Record<string, any>, ...(string | Record<string, any>)[]]>;
+      state?: string | undefined;
+      id_token?: string | undefined;
+      presentation_submission?: any;
+      refresh_token?: string | undefined;
+      token_type?: string | undefined;
+      access_token?: string | undefined;
+      expires_in?: number | undefined;
+    } & {
+      presentation_submission?: DifPresentationExchangeSubmission;
+    };
+    readonly redirectUri: string | undefined;
+    readonly presentationDuringIssuanceSession: string | undefined;
+  }>;
+}
+//#endregion
+export { OpenId4VpHolderService };
+//# sourceMappingURL=OpenId4vpHolderService.d.mts.map

package/build/openid4vc-holder/OpenId4vpHolderService.d.mts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"OpenId4vpHolderService.d.mts","names":[],"sources":["../../src/openid4vc-holder/OpenId4vpHolderService.ts"],"sourcesContent":[],"mappings":";;;;cA2Ca,sBAAA;EAAA,QAAA,2BAAsB;EAEM,QAAA,WAAA;EAChB,WAAA,CAAA,2BAAA,EADgB,8BAChB,EAAA,WAAA,EAAA,WAAA;EAiEP,QAAA,kBAAA;EAOiB,QAAA,iCAAA;EACrB,QAAA,iBAAA;EACD,2BAAA,CAAA,YAAA,EATK,YASL;EAAR;;;;;;iCAF8B,mCACrB,8CACT,QAAQ;;2CAiLK,uBACL,6CAA0C;;IAkOvB,SAAA,qBAAA,EAAA,CAAA;;;;;;;;MAAA,YAAA,CAAA,EAAA,MAAA,GAAA,SAAA;;;gCAAA;;;;;;MAAA,QAAA,EAAA,MAAA,SAAA,CAAA,MAAA,EAAA,GAAA,CAAA,GAAA,CAAA,MAAA,SAAA,CAAA,MAAA,EAAA,GAAA,CAAA,EAAA,GAAA,CAAA,MAAA,SAAA,CAAA,MAAA,EAAA,GAAA,CAAA,CAAA,EAAA,CAAA,SAAA,CAAA,MAAA,EAAA,MAAA,SAAA,CAAA,MAAA,EAAA,GAAA,CAAA,GAAA,CAAA,MAAA,SAAA,CAAA,MAAA,EAAA,GAAA,CAAA,EAAA,GAAA,CAAA,MAAA,SAAA,CAAA,MAAA,EAAA,GAAA,CAAA,CAAA,EAAA,CAAA,CAAA;;;;;;;;IAAA,CAAA,GAAA;gCAAA;;;;;;;;MAAA,SAAA,MAAA,EAAA,MAAA;;;;;;;;MAAA,uBAAA,CAAA,EAAA,GAAA;MAlOuB,aAAA,CAAA,EAAA,MAAA,GAAA,SAAA;MAAA,UAAA,CAAA,EAAA,MAAA,GAAA,SAAA;;;;gCAkOvB;;;;;;;;;;;;;;;gCAAA;;;;;;;;;;;;;;;;;;;;;gCAAA;;;;;;;;;;;;;;;gCAAA"}

package/build/openid4vc-holder/OpenId4vpHolderService.mjs ADDED Viewed

@@ -0,0 +1,278 @@
+import { getOid4vcCallbacks } from "../shared/callbacks.mjs";
+import { __decorateMetadata } from "../_virtual/_@oxc-project_runtime@0.99.0/helpers/decorateMetadata.mjs";
+import { __decorate } from "../_virtual/_@oxc-project_runtime@0.99.0/helpers/decorate.mjs";
+import { ClaimFormat, CredoError, DcqlService, DifPresentationExchangeService, DifPresentationExchangeSubmissionLocation, Hasher, Kms, TypedArrayEncoder, injectable } from "@credo-ts/core";
+import { Openid4vpClient, extractEncryptionJwkFromJwks, getOpenid4vpClientId, isJarmResponseMode, isOpenid4vpAuthorizationRequestDcApi, parseAuthorizationRequestVersion, parseTransactionData } from "@openid4vc/openid4vp";
+//#region src/openid4vc-holder/OpenId4vpHolderService.ts
+var _ref, _ref2;
+let OpenId4VpHolderService = class OpenId4VpHolderService$1 {
+	constructor(presentationExchangeService, dcqlService) {
+		this.presentationExchangeService = presentationExchangeService;
+		this.dcqlService = dcqlService;
+	}
+	getOpenid4vpClient(agentContext, options) {
+		return new Openid4vpClient({ callbacks: getOid4vcCallbacks(agentContext, {
+			trustedCertificates: options?.trustedCertificates,
+			isVerifyOpenId4VpAuthorizationRequest: options?.isVerifyOpenId4VpAuthorizationRequest
+		}) });
+	}
+	async handlePresentationExchangeRequest(agentContext, _presentationDefinition, transactionData) {
+		const presentationDefinition = _presentationDefinition;
+		this.presentationExchangeService.validatePresentationDefinition(presentationDefinition);
+		const presentationExchange = {
+			definition: presentationDefinition,
+			credentialsForRequest: await this.presentationExchangeService.getCredentialsForRequest(agentContext, presentationDefinition)
+		};
+		const availableCredentialIds = presentationExchange.credentialsForRequest.requirements.flatMap((requirement) => requirement.submissionEntry.map((entry) => entry.inputDescriptorId));
+		return {
+			pex: presentationExchange,
+			matchedTransactionData: transactionData?.map((entry) => ({
+				entry,
+				matchedCredentialIds: entry.transactionData.credential_ids.filter((credentialId) => availableCredentialIds.includes(credentialId))
+			}))
+		};
+	}
+	async handleDcqlRequest(agentContext, dcql, transactionData) {
+		const dcqlQuery = this.dcqlService.validateDcqlQuery(dcql);
+		const dcqlQueryResult = await this.dcqlService.getCredentialsForRequest(agentContext, dcqlQuery);
+		const matchedTransactionData = transactionData?.map((entry) => ({
+			entry,
+			matchedCredentialIds: entry.transactionData.credential_ids.filter((credentialId) => dcqlQueryResult.credential_matches[credentialId].success)
+		}));
+		return {
+			dcql: { queryResult: dcqlQueryResult },
+			matchedTransactionData
+		};
+	}
+	async resolveAuthorizationRequest(agentContext, authorizationRequest, options) {
+		const openid4vpClient = this.getOpenid4vpClient(agentContext, {
+			trustedCertificates: options?.trustedCertificates,
+			isVerifyOpenId4VpAuthorizationRequest: true
+		});
+		const { params } = openid4vpClient.parseOpenid4vpAuthorizationRequest({ authorizationRequest });
+		const verifiedAuthorizationRequest = await openid4vpClient.resolveOpenId4vpAuthorizationRequest({
+			authorizationRequestPayload: params,
+			origin: options?.origin
+		});
+		const { client, pex, transactionData, dcql } = verifiedAuthorizationRequest;
+		if (client.prefix !== "x509_san_dns" && client.prefix !== "x509_hash" && client.prefix !== "decentralized_identifier" && client.prefix !== "origin" && client.prefix !== "redirect_uri") throw new CredoError(`Client id prefix '${client.prefix}' is not supported`);
+		const returnValue = {
+			authorizationRequestPayload: verifiedAuthorizationRequest.authorizationRequestPayload,
+			origin: options?.origin,
+			signedAuthorizationRequest: verifiedAuthorizationRequest.jar ? {
+				signer: verifiedAuthorizationRequest.jar?.signer,
+				payload: verifiedAuthorizationRequest.jar.jwt.payload,
+				header: verifiedAuthorizationRequest.jar.jwt.header
+			} : void 0
+		};
+		const pexResult = pex?.presentation_definition ? await this.handlePresentationExchangeRequest(agentContext, pex.presentation_definition, transactionData) : void 0;
+		const dcqlResult = dcql?.query ? await this.handleDcqlRequest(agentContext, dcql.query, transactionData) : void 0;
+		agentContext.config.logger.debug("verified Authorization Request");
+		agentContext.config.logger.debug(`request '${authorizationRequest}'`);
+		return {
+			...returnValue,
+			verifier: {
+				clientIdPrefix: client.prefix,
+				effectiveClientId: client.effective
+			},
+			transactionData: pexResult?.matchedTransactionData ?? dcqlResult?.matchedTransactionData,
+			presentationExchange: pexResult?.pex,
+			dcql: dcqlResult?.dcql
+		};
+	}
+	extendCredentialsWithTransactionDataHashes(selectedCredentials, transactionData, selectedTransactionDataCredentials) {
+		if (!transactionData && !selectedTransactionDataCredentials) return selectedCredentials;
+		if (!selectedTransactionDataCredentials) throw new CredoError("Authorization request contains transaction data entries, but no credential ids to sign transaction data hashes provided in acceptAuthorizationRequest method.");
+		if (!transactionData) throw new CredoError("Authorization request does not contains transaction data entries, but credential ids were provided to sign transaction data hashes in acceptAuthorizationRequest method.");
+		if (transactionData.length !== selectedTransactionDataCredentials.length) throw new CredoError("Credential ids to sign transaction data hashes provided in acceptAuthorizationRequest method, but the length does not match the number of transaction data entries from the authorization request.");
+		const credentialsToTransactionData = {};
+		transactionData.forEach((transactionDataEntry, transactionDataIndex) => {
+			const { credentialId } = selectedTransactionDataCredentials[transactionDataIndex];
+			if (!transactionDataEntry.transactionData.credential_ids.includes(credentialId)) throw new CredoError(`Credential id '${credentialId}' selected to sign transaction data with index '${transactionDataIndex}' is not present in allowed credential ids for transaction. Allowed credential ids are ${transactionDataEntry.transactionData.credential_ids.join(", ")}`);
+			if (!selectedCredentials[credentialId]) throw new CredoError(`Credential id '${credentialId}' selected to sign transaction data with index '${transactionDataIndex}', but credential is not included in the credentials for the presentation.`);
+			const unsupportedFormats = selectedCredentials[credentialId].filter((c) => c.claimFormat !== ClaimFormat.SdJwtDc).map((c) => c.claimFormat);
+			if (unsupportedFormats.length > 0) throw new CredoError(`Credential id '${credentialId}' selected to sign transaction data with index '${transactionDataIndex}' unsupported format(s) ${unsupportedFormats.join(", ")}. Only '${ClaimFormat.SdJwtDc}' is supported for transaction data signing in Credo at the moment.`);
+			if (!credentialsToTransactionData[credentialId]) credentialsToTransactionData[credentialId] = [];
+			credentialsToTransactionData[credentialId].push(transactionDataEntry);
+		});
+		const updatedCredentials = { ...selectedCredentials };
+		for (const [credentialId, entries] of Object.entries(credentialsToTransactionData)) {
+			const allowedHashAlgs = entries.reduce((allowedHashValues, entry) => (entry.transactionData.transaction_data_hashes_alg ?? ["sha-256"]).filter((value) => !allowedHashValues || allowedHashValues.includes(value)), void 0);
+			if (!allowedHashAlgs || allowedHashAlgs.length === 0) throw new CredoError(`Unable to determine hash alg for credential with id '${credentialId}' and transaction data indexes ${entries.map((e) => e.transactionDataIndex).join(" ")}, no common 'transaction_data_hashes_alg' value found.`);
+			const supportedHashAlgs = ["sha-1", "sha-256"];
+			const supportedAllowedHashAlgs = supportedHashAlgs.filter((alg) => allowedHashAlgs.includes(alg));
+			if (supportedAllowedHashAlgs.length === 0) throw new CredoError(`Unable to create transaction data hash for credential with id '${credentialId}' and transaction data indexes ${entries.map((e) => e.transactionDataIndex).join(" ")}. None of the common allowed hash algorithms is supported by Credo: ${allowedHashAlgs.join(", ")}. Supported hash algs are ${supportedHashAlgs.join(", ")}.`);
+			const [transactionDataHahsesAlg] = supportedAllowedHashAlgs;
+			const transactionDataHashes = entries.map((entry) => TypedArrayEncoder.toBase64URL(Hasher.hash(entry.encoded, transactionDataHahsesAlg)));
+			updatedCredentials[credentialId] = updatedCredentials[credentialId].map((credential) => {
+				if (credential.claimFormat !== ClaimFormat.SdJwtDc) throw new CredoError(`Unexpected claim format '${credential.claimFormat}' for transaction data, expected '${ClaimFormat.SdJwtDc}'`);
+				return {
+					...credential,
+					additionalPayload: {
+						...credential.additionalPayload ?? {},
+						transaction_data_hashes: transactionDataHashes,
+						transaction_data_hashes_alg: transactionDataHahsesAlg
+					}
+				};
+			});
+		}
+		return updatedCredentials;
+	}
+	async acceptAuthorizationRequest(agentContext, options) {
+		const kms = agentContext.resolve(Kms.KeyManagementApi);
+		const { authorizationRequestPayload, presentationExchange, dcql, transactionData } = options;
+		const openid4vpClient = this.getOpenid4vpClient(agentContext);
+		const authorizationResponseNonce = TypedArrayEncoder.toBase64URL(kms.randomBytes({ length: 32 }));
+		const { nonce } = authorizationRequestPayload;
+		let openid4vpVersionNumber = parseAuthorizationRequestVersion(authorizationRequestPayload);
+		if (openid4vpVersionNumber >= 24 && openid4vpVersionNumber < 27 && (!authorizationRequestPayload.client_id || authorizationRequestPayload.client_id?.startsWith("x509_san_dns:"))) openid4vpVersionNumber = 24;
+		const openid4vpVersion = openid4vpVersionNumber > 24 ? "v1" : openid4vpVersionNumber <= 21 ? "v1.draft21" : "v1.draft24";
+		const clientId = getOpenid4vpClientId({
+			responseMode: authorizationRequestPayload.response_mode,
+			clientId: authorizationRequestPayload.client_id,
+			legacyClientIdScheme: authorizationRequestPayload.client_id_scheme,
+			origin: options.origin,
+			version: openid4vpVersionNumber
+		}).effectiveClientId;
+		const isDcApiRequest = isOpenid4vpAuthorizationRequestDcApi(authorizationRequestPayload);
+		const shouldEncryptResponse = authorizationRequestPayload.response_mode && isJarmResponseMode(authorizationRequestPayload.response_mode);
+		const audience = openid4vpVersion === "v1" && isDcApiRequest ? `origin:${options.origin}` : clientId;
+		let encryptionJwk;
+		if (shouldEncryptResponse) {
+			const clientMetadata = authorizationRequestPayload.client_metadata;
+			if (!clientMetadata) throw new CredoError("Authorization request payload does not contain 'client_metadata' needed to extract response encryption JWK.");
+			if (!clientMetadata.jwks) throw new CredoError("Authorization request payload 'client_metadata' does not contain 'jwks' needed to extract response encryption JWK.");
+			encryptionJwk = extractEncryptionJwkFromJwks(clientMetadata.jwks, { supportedAlgValues: ["ECDH-ES"] });
+			if (!encryptionJwk) throw new CredoError("Unable to extract encryption JWK from 'client_metadata' for supported alg 'ECDH-ES'");
+		}
+		let mdocSessionTranscript;
+		if (isOpenid4vpAuthorizationRequestDcApi(authorizationRequestPayload)) {
+			if (!options.origin) throw new CredoError("Missing required parameter `origin` parameter for accepting openid4vp dc api requests.");
+			if (openid4vpVersion === "v1") mdocSessionTranscript = {
+				type: "openId4VpDcApi",
+				origin: options.origin,
+				verifierGeneratedNonce: nonce,
+				encryptionJwk: encryptionJwk ? Kms.PublicJwk.fromUnknown(encryptionJwk) : void 0
+			};
+			else mdocSessionTranscript = {
+				type: "openId4VpDcApiDraft24",
+				clientId,
+				origin: options.origin,
+				verifierGeneratedNonce: nonce
+			};
+		} else {
+			const responseUri = authorizationRequestPayload.response_uri ?? authorizationRequestPayload.redirect_uri;
+			if (!responseUri) throw new CredoError("Missing required parameter `response_uri` or `redirect_uri` in the authorization request.");
+			if (openid4vpVersion === "v1") mdocSessionTranscript = {
+				type: "openId4Vp",
+				responseUri,
+				clientId,
+				verifierGeneratedNonce: nonce,
+				encryptionJwk: encryptionJwk ? Kms.PublicJwk.fromUnknown(encryptionJwk) : void 0
+			};
+			else mdocSessionTranscript = {
+				type: "openId4VpDraft18",
+				mdocGeneratedNonce: authorizationResponseNonce,
+				responseUri,
+				clientId,
+				verifierGeneratedNonce: nonce
+			};
+		}
+		let vpToken;
+		let presentationSubmission;
+		const parsedTransactionData = authorizationRequestPayload.transaction_data ? parseTransactionData({ transactionData: authorizationRequestPayload.transaction_data }) : void 0;
+		if (authorizationRequestPayload.presentation_definition || presentationExchange) {
+			if (!presentationExchange) throw new CredoError("Authorization request included presentation definition. `presentationExchange` MUST be supplied to accept authorization requests.");
+			if (!authorizationRequestPayload.presentation_definition) throw new CredoError("`presentationExchange` was supplied, but no presentation definition was found in the presentation request.");
+			const credentialsWithTransactionData = this.extendCredentialsWithTransactionDataHashes(presentationExchange.credentials, parsedTransactionData, transactionData);
+			const { presentationSubmission: _presentationSubmission, encodedVerifiablePresentations } = await this.presentationExchangeService.createPresentation(agentContext, {
+				credentialsForInputDescriptor: credentialsWithTransactionData,
+				presentationDefinition: authorizationRequestPayload.presentation_definition,
+				challenge: nonce,
+				domain: audience,
+				presentationSubmissionLocation: DifPresentationExchangeSubmissionLocation.EXTERNAL,
+				mdocSessionTranscript
+			});
+			vpToken = encodedVerifiablePresentations.length === 1 && _presentationSubmission?.descriptor_map[0]?.path === "$" ? encodedVerifiablePresentations[0] : encodedVerifiablePresentations;
+			presentationSubmission = _presentationSubmission;
+		} else if (authorizationRequestPayload.dcql_query || dcql) {
+			if (!authorizationRequestPayload.dcql_query) throw new CredoError(`'dcql' was supplied, but no dcql request was found in the presentation request.`);
+			if (!dcql) throw new CredoError(`Authorization request included dcql request. 'dcql' MUST be supplied to accept authorization requests.`);
+			const credentialsWithTransactionData = this.extendCredentialsWithTransactionDataHashes(dcql.credentials, parsedTransactionData, transactionData);
+			const { encodedDcqlPresentation } = await this.dcqlService.createPresentation(agentContext, {
+				credentialQueryToCredential: credentialsWithTransactionData,
+				challenge: nonce,
+				domain: audience,
+				mdocSessionTranscript
+			});
+			vpToken = encodedDcqlPresentation;
+			if (openid4vpVersion !== "v1") vpToken = Object.fromEntries(Object.entries(encodedDcqlPresentation).map(([credentialQueryId, presentations]) => {
+				if (presentations.length > 1) throw new CredoError(`Multiple presentations for a single dcql query credential are not supported when using OpenID4VP version '${openid4vpVersion}'.`);
+				return [credentialQueryId, presentations[0]];
+			}));
+		} else throw new CredoError("Either pex or dcql must be provided");
+		const response = await openid4vpClient.createOpenid4vpAuthorizationResponse({
+			authorizationRequestPayload,
+			origin: options.origin,
+			authorizationResponsePayload: {
+				vp_token: vpToken,
+				presentation_submission: presentationSubmission
+			},
+			jarm: encryptionJwk ? {
+				encryption: {
+					nonce: authorizationResponseNonce,
+					jwk: encryptionJwk
+				},
+				serverMetadata: {
+					authorization_signing_alg_values_supported: [],
+					authorization_encryption_alg_values_supported: ["ECDH-ES"],
+					authorization_encryption_enc_values_supported: [
+						"A128GCM",
+						"A256GCM",
+						"A128CBC-HS256"
+					]
+				}
+			} : void 0
+		});
+		const authorizationResponsePayload = response.authorizationResponsePayload;
+		const authorizationResponse = response.jarm?.responseJwt ? { response: response.jarm.responseJwt } : authorizationResponsePayload;
+		if (isOpenid4vpAuthorizationRequestDcApi(authorizationRequestPayload)) return {
+			ok: true,
+			authorizationResponse,
+			authorizationResponsePayload
+		};
+		const result = await openid4vpClient.submitOpenid4vpAuthorizationResponse({
+			authorizationRequestPayload,
+			authorizationResponsePayload: response.authorizationResponsePayload,
+			jarm: response.jarm ? { responseJwt: response.jarm.responseJwt } : void 0
+		});
+		const responseText = await result.response.clone().text().catch(() => null);
+		const responseJson = await result.response.clone().json().catch(() => null);
+		if (!result.response.ok) return {
+			ok: false,
+			serverResponse: {
+				status: result.response.status,
+				body: responseJson ?? responseText
+			},
+			authorizationResponse,
+			authorizationResponsePayload
+		};
+		return {
+			ok: true,
+			serverResponse: {
+				status: result.response.status,
+				body: responseJson ?? {}
+			},
+			authorizationResponse,
+			authorizationResponsePayload,
+			redirectUri: responseJson?.redirect_uri,
+			presentationDuringIssuanceSession: responseJson?.presentation_during_issuance_session
+		};
+	}
+};
+OpenId4VpHolderService = __decorate([injectable(), __decorateMetadata("design:paramtypes", [typeof (_ref = typeof DifPresentationExchangeService !== "undefined" && DifPresentationExchangeService) === "function" ? _ref : Object, typeof (_ref2 = typeof DcqlService !== "undefined" && DcqlService) === "function" ? _ref2 : Object])], OpenId4VpHolderService);
+//#endregion
+export { OpenId4VpHolderService };
+//# sourceMappingURL=OpenId4vpHolderService.mjs.map

package/build/openid4vc-holder/OpenId4vpHolderService.mjs.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"OpenId4vpHolderService.mjs","names":["OpenId4VpHolderService","presentationExchangeService: DifPresentationExchangeService","dcqlService: DcqlService","credentialsToTransactionData: Record<string, ParsedTransactionDataEntry[]>","openid4vpVersion: OpenId4VpVersion","encryptionJwk: Jwk | undefined","mdocSessionTranscript: MdocSessionTranscriptOptions","vpToken: VpToken","presentationSubmission: DifPresentationExchangeSubmission | undefined"],"sources":["../../src/openid4vc-holder/OpenId4vpHolderService.ts"],"sourcesContent":["import type {\n AgentContext,\n DcqlCredentialsForRequest,\n DifPexInputDescriptorToCredentials,\n DifPresentationExchangeDefinition,\n DifPresentationExchangeSubmission,\n EncodedX509Certificate,\n HashName,\n MdocSessionTranscriptOptions,\n} from '@credo-ts/core'\nimport {\n ClaimFormat,\n CredoError,\n DcqlService,\n DifPresentationExchangeService,\n DifPresentationExchangeSubmissionLocation,\n Hasher,\n injectable,\n Kms,\n TypedArrayEncoder,\n} from '@credo-ts/core'\nimport type { Jwk } from '@openid4vc/oauth2'\nimport {\n extractEncryptionJwkFromJwks,\n getOpenid4vpClientId,\n isJarmResponseMode,\n isOpenid4vpAuthorizationRequestDcApi,\n type Openid4vpAuthorizationResponse,\n Openid4vpClient,\n parseAuthorizationRequestVersion,\n parseTransactionData,\n type VpToken,\n} from '@openid4vc/openid4vp'\nimport type { OpenId4VpVersion } from '../openid4vc-verifier'\nimport { getOid4vcCallbacks } from '../shared/callbacks'\nimport type {\n OpenId4VpAcceptAuthorizationRequestOptions,\n OpenId4VpResolvedAuthorizationRequest,\n ParsedTransactionDataEntry,\n ResolveOpenId4VpAuthorizationRequestOptions,\n} from './OpenId4vpHolderServiceOptions'\n\n@injectable()\nexport class OpenId4VpHolderService {\n public constructor(\n private presentationExchangeService: DifPresentationExchangeService,\n private dcqlService: DcqlService\n ) {}\n\n private getOpenid4vpClient(\n agentContext: AgentContext,\n options?: { trustedCertificates?: EncodedX509Certificate[]; isVerifyOpenId4VpAuthorizationRequest?: boolean }\n ) {\n const callbacks = getOid4vcCallbacks(agentContext, {\n trustedCertificates: options?.trustedCertificates,\n isVerifyOpenId4VpAuthorizationRequest: options?.isVerifyOpenId4VpAuthorizationRequest,\n })\n return new Openid4vpClient({ callbacks })\n }\n\n private async handlePresentationExchangeRequest(\n agentContext: AgentContext,\n _presentationDefinition: unknown,\n transactionData?: ParsedTransactionDataEntry[]\n ) {\n const presentationDefinition = _presentationDefinition as DifPresentationExchangeDefinition\n this.presentationExchangeService.validatePresentationDefinition(presentationDefinition)\n\n const presentationExchange = {\n definition: presentationDefinition,\n credentialsForRequest: await this.presentationExchangeService.getCredentialsForRequest(\n agentContext,\n presentationDefinition\n ),\n }\n\n const availableCredentialIds = presentationExchange.credentialsForRequest.requirements.flatMap((requirement) =>\n requirement.submissionEntry.map((entry) => entry.inputDescriptorId)\n )\n\n // for each transaction data entry, get all credentials that can be used to sign the respective transaction\n const matchedTransactionData = transactionData?.map((entry) => ({\n entry,\n matchedCredentialIds: entry.transactionData.credential_ids.filter((credentialId) =>\n availableCredentialIds.includes(credentialId)\n ),\n }))\n\n return { pex: presentationExchange, matchedTransactionData }\n }\n\n private async handleDcqlRequest(\n agentContext: AgentContext,\n dcql: unknown,\n transactionData?: ParsedTransactionDataEntry[]\n ) {\n const dcqlQuery = this.dcqlService.validateDcqlQuery(dcql)\n const dcqlQueryResult = await this.dcqlService.getCredentialsForRequest(agentContext, dcqlQuery)\n\n // for each transaction data entry, get all credentials that can fore used to sign the respective transaction\n const matchedTransactionData = transactionData?.map((entry) => ({\n entry,\n matchedCredentialIds: entry.transactionData.credential_ids.filter(\n (credentialId) => dcqlQueryResult.credential_matches[credentialId].success\n ),\n }))\n\n return { dcql: { queryResult: dcqlQueryResult }, matchedTransactionData }\n }\n\n public async resolveAuthorizationRequest(\n agentContext: AgentContext,\n /**\n * Can be:\n * - JWT\n * - URI containing request or request_uri param\n * - Request payload\n */\n authorizationRequest: string | Record<string, unknown>,\n options?: ResolveOpenId4VpAuthorizationRequestOptions\n ): Promise<OpenId4VpResolvedAuthorizationRequest> {\n const openid4vpClient = this.getOpenid4vpClient(agentContext, {\n trustedCertificates: options?.trustedCertificates,\n isVerifyOpenId4VpAuthorizationRequest: true,\n })\n const { params } = openid4vpClient.parseOpenid4vpAuthorizationRequest({ authorizationRequest })\n\n const verifiedAuthorizationRequest = await openid4vpClient.resolveOpenId4vpAuthorizationRequest({\n authorizationRequestPayload: params,\n origin: options?.origin,\n })\n\n const { client, pex, transactionData, dcql } = verifiedAuthorizationRequest\n\n // Prefix on client is normalized, so also includes did/web-orgin\n if (\n client.prefix !== 'x509_san_dns' &&\n client.prefix !== 'x509_hash' &&\n client.prefix !== 'decentralized_identifier' &&\n client.prefix !== 'origin' &&\n client.prefix !== 'redirect_uri'\n ) {\n throw new CredoError(`Client id prefix '${client.prefix}' is not supported`)\n }\n\n const returnValue = {\n authorizationRequestPayload: verifiedAuthorizationRequest.authorizationRequestPayload,\n origin: options?.origin,\n signedAuthorizationRequest: verifiedAuthorizationRequest.jar\n ? {\n signer: verifiedAuthorizationRequest.jar?.signer,\n payload: verifiedAuthorizationRequest.jar.jwt.payload,\n header: verifiedAuthorizationRequest.jar.jwt.header,\n }\n : undefined,\n }\n\n const pexResult = pex?.presentation_definition\n ? await this.handlePresentationExchangeRequest(agentContext, pex.presentation_definition, transactionData)\n : undefined\n\n const dcqlResult = dcql?.query ? await this.handleDcqlRequest(agentContext, dcql.query, transactionData) : undefined\n\n agentContext.config.logger.debug('verified Authorization Request')\n agentContext.config.logger.debug(`request '${authorizationRequest}'`)\n\n return {\n ...returnValue,\n verifier: {\n clientIdPrefix: client.prefix,\n effectiveClientId: client.effective,\n },\n transactionData: pexResult?.matchedTransactionData ?? dcqlResult?.matchedTransactionData,\n presentationExchange: pexResult?.pex,\n dcql: dcqlResult?.dcql,\n }\n }\n\n private extendCredentialsWithTransactionDataHashes<\n T extends DifPexInputDescriptorToCredentials | DcqlCredentialsForRequest,\n >(\n // Either PEX or DCQL\n selectedCredentials: T,\n transactionData?: ParsedTransactionDataEntry[],\n selectedTransactionDataCredentials?: Array<{ credentialId: string }>\n ): T {\n // TODO: it would make sense for oid4vc to also handle this validation logic, but it would require\n // knowledge of PEX / DCQL...\n if (!transactionData && !selectedTransactionDataCredentials) return selectedCredentials\n\n if (!selectedTransactionDataCredentials) {\n throw new CredoError(\n 'Authorization request contains transaction data entries, but no credential ids to sign transaction data hashes provided in acceptAuthorizationRequest method.'\n )\n }\n\n if (!transactionData) {\n throw new CredoError(\n 'Authorization request does not contains transaction data entries, but credential ids were provided to sign transaction data hashes in acceptAuthorizationRequest method.'\n )\n }\n\n if (transactionData.length !== selectedTransactionDataCredentials.length) {\n throw new CredoError(\n 'Credential ids to sign transaction data hashes provided in acceptAuthorizationRequest method, but the length does not match the number of transaction data entries from the authorization request.'\n )\n }\n\n const credentialsToTransactionData: Record<string, ParsedTransactionDataEntry[]> = {}\n\n transactionData.forEach((transactionDataEntry, transactionDataIndex) => {\n const { credentialId } = selectedTransactionDataCredentials[transactionDataIndex]\n\n if (!transactionDataEntry.transactionData.credential_ids.includes(credentialId)) {\n throw new CredoError(\n `Credential id '${credentialId}' selected to sign transaction data with index '${transactionDataIndex}' is not present in allowed credential ids for transaction. Allowed credential ids are ${transactionDataEntry.transactionData.credential_ids.join(', ')}`\n )\n }\n\n if (!selectedCredentials[credentialId]) {\n throw new CredoError(\n `Credential id '${credentialId}' selected to sign transaction data with index '${transactionDataIndex}', but credential is not included in the credentials for the presentation.`\n )\n }\n\n const unsupportedFormats = selectedCredentials[credentialId]\n .filter((c) => c.claimFormat !== ClaimFormat.SdJwtDc)\n .map((c) => c.claimFormat)\n\n if (unsupportedFormats.length > 0) {\n throw new CredoError(\n `Credential id '${credentialId}' selected to sign transaction data with index '${transactionDataIndex}' unsupported format(s) ${unsupportedFormats.join(', ')}. Only '${ClaimFormat.SdJwtDc}' is supported for transaction data signing in Credo at the moment.`\n )\n }\n\n if (!credentialsToTransactionData[credentialId]) {\n credentialsToTransactionData[credentialId] = []\n }\n credentialsToTransactionData[credentialId].push(transactionDataEntry)\n })\n\n const updatedCredentials = {\n ...selectedCredentials,\n }\n for (const [credentialId, entries] of Object.entries(credentialsToTransactionData)) {\n const allowedHashAlgs = entries.reduce<string[] | undefined>(\n (allowedHashValues, entry) =>\n (entry.transactionData.transaction_data_hashes_alg ?? ['sha-256']).filter(\n (value) => !allowedHashValues || allowedHashValues.includes(value)\n ),\n undefined\n )\n\n if (!allowedHashAlgs || allowedHashAlgs.length === 0) {\n throw new CredoError(\n `Unable to determine hash alg for credential with id '${credentialId}' and transaction data indexes ${entries.map((e) => e.transactionDataIndex).join(' ')}, no common 'transaction_data_hashes_alg' value found.`\n )\n }\n\n const supportedHashAlgs = ['sha-1', 'sha-256'] satisfies HashName[]\n const supportedAllowedHashAlgs = supportedHashAlgs.filter((alg) => allowedHashAlgs.includes(alg))\n if (supportedAllowedHashAlgs.length === 0) {\n throw new CredoError(\n `Unable to create transaction data hash for credential with id '${credentialId}' and transaction data indexes ${entries.map((e) => e.transactionDataIndex).join(' ')}. None of the common allowed hash algorithms is supported by Credo: ${allowedHashAlgs.join(', ')}. Supported hash algs are ${supportedHashAlgs.join(', ')}.`\n )\n }\n\n // Not required, but we include it by default as otherwise we need to look at all entries to\n // see if any specified an alg array\n const [transactionDataHahsesAlg] = supportedAllowedHashAlgs\n const transactionDataHashes = entries.map((entry) =>\n TypedArrayEncoder.toBase64URL(Hasher.hash(entry.encoded, transactionDataHahsesAlg))\n )\n\n updatedCredentials[credentialId] = updatedCredentials[credentialId].map((credential) => {\n if (credential.claimFormat !== ClaimFormat.SdJwtDc) {\n // We already verified this above\n throw new CredoError(\n `Unexpected claim format '${credential.claimFormat}' for transaction data, expected '${ClaimFormat.SdJwtDc}'`\n )\n }\n\n return {\n ...credential,\n additionalPayload: {\n ...(credential.additionalPayload ?? {}),\n transaction_data_hashes: transactionDataHashes,\n transaction_data_hashes_alg: transactionDataHahsesAlg,\n },\n }\n })\n }\n\n return updatedCredentials\n }\n\n public async acceptAuthorizationRequest(\n agentContext: AgentContext,\n options: OpenId4VpAcceptAuthorizationRequestOptions\n ) {\n const kms = agentContext.resolve(Kms.KeyManagementApi)\n const { authorizationRequestPayload, presentationExchange, dcql, transactionData } = options\n\n const openid4vpClient = this.getOpenid4vpClient(agentContext)\n const authorizationResponseNonce = TypedArrayEncoder.toBase64URL(kms.randomBytes({ length: 32 }))\n const { nonce } = authorizationRequestPayload\n\n let openid4vpVersionNumber = parseAuthorizationRequestVersion(authorizationRequestPayload)\n\n // It's hard to detect draft 24 for x509_san_dns/unsigned dc-api. In draft 27 a new vp_formats structure was introduced\n // so if the client id prefix is 'x509_san_dns' or there's no client_id and still uses the old vp_formats structure, we parse it\n // as draft 24 (to at least ensure compatibility with credo)\n if (\n openid4vpVersionNumber >= 24 &&\n openid4vpVersionNumber < 27 &&\n (!authorizationRequestPayload.client_id || authorizationRequestPayload.client_id?.startsWith('x509_san_dns:'))\n ) {\n openid4vpVersionNumber = 24\n }\n\n // We mainly support draft 21/24 and 1.0, but we try to parse in-between versions\n // as one of the supported versions, to not throw errors even before trying.\n const openid4vpVersion: OpenId4VpVersion =\n openid4vpVersionNumber > 24 ? 'v1' : openid4vpVersionNumber <= 21 ? 'v1.draft21' : 'v1.draft24'\n\n const parsedClientId = getOpenid4vpClientId({\n responseMode: authorizationRequestPayload.response_mode,\n clientId: authorizationRequestPayload.client_id,\n legacyClientIdScheme: authorizationRequestPayload.client_id_scheme,\n origin: options.origin,\n version: openid4vpVersionNumber,\n })\n\n const clientId = parsedClientId.effectiveClientId\n const isDcApiRequest = isOpenid4vpAuthorizationRequestDcApi(authorizationRequestPayload)\n\n const shouldEncryptResponse =\n authorizationRequestPayload.response_mode && isJarmResponseMode(authorizationRequestPayload.response_mode)\n\n // TODO: we should return the effectiveAudience in the returned value of openid4vp lib\n // Since it differs based on the version of openid4vp used\n // NOTE: in v1 DC API request the audience is always origin: (not the client id)\n const audience = openid4vpVersion === 'v1' && isDcApiRequest ? `origin:${options.origin}` : clientId\n\n let encryptionJwk: Jwk | undefined\n if (shouldEncryptResponse) {\n // NOTE: Once we add support for federation we need to require the clientMetadata as input to the accept method.\n const clientMetadata = authorizationRequestPayload.client_metadata\n\n if (!clientMetadata) {\n throw new CredoError(\n \"Authorization request payload does not contain 'client_metadata' needed to extract response encryption JWK.\"\n )\n }\n if (!clientMetadata.jwks) {\n throw new CredoError(\n \"Authorization request payload 'client_metadata' does not contain 'jwks' needed to extract response encryption JWK.\"\n )\n }\n\n encryptionJwk = extractEncryptionJwkFromJwks(clientMetadata.jwks, {\n supportedAlgValues: ['ECDH-ES'],\n })\n\n if (!encryptionJwk) {\n throw new CredoError(\"Unable to extract encryption JWK from 'client_metadata' for supported alg 'ECDH-ES'\")\n }\n }\n\n let mdocSessionTranscript: MdocSessionTranscriptOptions\n if (isOpenid4vpAuthorizationRequestDcApi(authorizationRequestPayload)) {\n if (!options.origin) {\n throw new CredoError('Missing required parameter `origin` parameter for accepting openid4vp dc api requests.')\n }\n\n if (openid4vpVersion === 'v1') {\n mdocSessionTranscript = {\n type: 'openId4VpDcApi',\n origin: options.origin,\n verifierGeneratedNonce: nonce,\n encryptionJwk: encryptionJwk ? Kms.PublicJwk.fromUnknown(encryptionJwk) : undefined,\n }\n } else {\n mdocSessionTranscript = {\n type: 'openId4VpDcApiDraft24',\n clientId,\n origin: options.origin,\n verifierGeneratedNonce: nonce,\n }\n }\n } else {\n const responseUri = authorizationRequestPayload.response_uri ?? authorizationRequestPayload.redirect_uri\n if (!responseUri) {\n throw new CredoError(\n 'Missing required parameter `response_uri` or `redirect_uri` in the authorization request.'\n )\n }\n\n if (openid4vpVersion === 'v1') {\n mdocSessionTranscript = {\n type: 'openId4Vp',\n responseUri,\n clientId,\n verifierGeneratedNonce: nonce,\n encryptionJwk: encryptionJwk ? Kms.PublicJwk.fromUnknown(encryptionJwk) : undefined,\n }\n } else {\n mdocSessionTranscript = {\n type: 'openId4VpDraft18',\n mdocGeneratedNonce: authorizationResponseNonce,\n responseUri,\n clientId,\n verifierGeneratedNonce: nonce,\n }\n }\n }\n\n let vpToken: VpToken\n let presentationSubmission: DifPresentationExchangeSubmission | undefined\n\n const parsedTransactionData = authorizationRequestPayload.transaction_data\n ? parseTransactionData({\n transactionData: authorizationRequestPayload.transaction_data,\n })\n : undefined\n\n // Handle presentation exchange part\n if (authorizationRequestPayload.presentation_definition || presentationExchange) {\n if (!presentationExchange) {\n throw new CredoError(\n 'Authorization request included presentation definition. `presentationExchange` MUST be supplied to accept authorization requests.'\n )\n }\n if (!authorizationRequestPayload.presentation_definition) {\n throw new CredoError(\n '`presentationExchange` was supplied, but no presentation definition was found in the presentation request.'\n )\n }\n\n const credentialsWithTransactionData = this.extendCredentialsWithTransactionDataHashes(\n presentationExchange.credentials,\n parsedTransactionData,\n transactionData\n )\n\n const { presentationSubmission: _presentationSubmission, encodedVerifiablePresentations } =\n await this.presentationExchangeService.createPresentation(agentContext, {\n credentialsForInputDescriptor: credentialsWithTransactionData,\n presentationDefinition:\n authorizationRequestPayload.presentation_definition as unknown as DifPresentationExchangeDefinition,\n challenge: nonce,\n domain: audience,\n presentationSubmissionLocation: DifPresentationExchangeSubmissionLocation.EXTERNAL,\n mdocSessionTranscript: mdocSessionTranscript,\n })\n\n vpToken =\n encodedVerifiablePresentations.length === 1 && _presentationSubmission?.descriptor_map[0]?.path === '$'\n ? encodedVerifiablePresentations[0]\n : encodedVerifiablePresentations\n presentationSubmission = _presentationSubmission\n } else if (authorizationRequestPayload.dcql_query || dcql) {\n if (!authorizationRequestPayload.dcql_query) {\n throw new CredoError(`'dcql' was supplied, but no dcql request was found in the presentation request.`)\n }\n if (!dcql) {\n throw new CredoError(\n `Authorization request included dcql request. 'dcql' MUST be supplied to accept authorization requests.`\n )\n }\n\n const credentialsWithTransactionData = this.extendCredentialsWithTransactionDataHashes(\n dcql.credentials,\n parsedTransactionData,\n transactionData\n )\n\n const { encodedDcqlPresentation } = await this.dcqlService.createPresentation(agentContext, {\n credentialQueryToCredential: credentialsWithTransactionData,\n challenge: nonce,\n domain: audience,\n mdocSessionTranscript: mdocSessionTranscript,\n })\n\n vpToken = encodedDcqlPresentation\n\n // Pre 1.0 the vp_token directly maps from query id to presentation instead of array\n if (openid4vpVersion !== 'v1') {\n vpToken = Object.fromEntries(\n Object.entries(encodedDcqlPresentation).map(([credentialQueryId, presentations]) => {\n if (presentations.length > 1) {\n throw new CredoError(\n `Multiple presentations for a single dcql query credential are not supported when using OpenID4VP version '${openid4vpVersion}'.`\n )\n }\n\n return [credentialQueryId, presentations[0]]\n })\n )\n }\n } else {\n throw new CredoError('Either pex or dcql must be provided')\n }\n\n const response = await openid4vpClient.createOpenid4vpAuthorizationResponse({\n authorizationRequestPayload,\n origin: options.origin,\n authorizationResponsePayload: {\n vp_token: vpToken,\n presentation_submission: presentationSubmission,\n },\n jarm: encryptionJwk\n ? {\n encryption: { nonce: authorizationResponseNonce, jwk: encryptionJwk },\n serverMetadata: {\n authorization_signing_alg_values_supported: [],\n authorization_encryption_alg_values_supported: ['ECDH-ES'],\n authorization_encryption_enc_values_supported: ['A128GCM', 'A256GCM', 'A128CBC-HS256'],\n },\n }\n : undefined,\n })\n\n const authorizationResponsePayload = response.authorizationResponsePayload as Openid4vpAuthorizationResponse & {\n presentation_submission?: DifPresentationExchangeSubmission\n }\n const authorizationResponse = response.jarm?.responseJwt\n ? { response: response.jarm.responseJwt }\n : authorizationResponsePayload\n\n // TODO: we should include more typing here that the user\n // still needs to submit the response. or as we discussed, split\n // this method up in create and submit\n if (isOpenid4vpAuthorizationRequestDcApi(authorizationRequestPayload)) {\n return {\n ok: true,\n authorizationResponse,\n authorizationResponsePayload,\n } as const\n }\n\n // TODO: parse response in openi4vp library so we can have typed error\n // as well as typed response (with redirect_uri/presentation_during_issuance_session)\n const result = await openid4vpClient.submitOpenid4vpAuthorizationResponse({\n authorizationRequestPayload,\n authorizationResponsePayload: response.authorizationResponsePayload,\n jarm: response.jarm ? { responseJwt: response.jarm.responseJwt } : undefined,\n })\n\n const responseText = await result.response\n .clone()\n .text()\n .catch(() => null)\n\n const responseJson = (await result.response\n .clone()\n .json()\n .catch(() => null)) as null | Record<string, unknown>\n\n if (!result.response.ok) {\n return {\n ok: false,\n serverResponse: {\n status: result.response.status,\n body: responseJson ?? responseText,\n },\n authorizationResponse,\n authorizationResponsePayload,\n } as const\n }\n\n return {\n ok: true,\n serverResponse: {\n status: result.response.status,\n body: responseJson ?? {},\n },\n authorizationResponse,\n authorizationResponsePayload,\n redirectUri: responseJson?.redirect_uri as string | undefined,\n presentationDuringIssuanceSession: responseJson?.presentation_during_issuance_session as string | undefined,\n } as const\n }\n}\n"],"mappings":";;;;;;;;AA2CO,mCAAMA,yBAAuB;CAClC,AAAO,YACL,AAAQC,6BACR,AAAQC,aACR;EAFQ;EACA;;CAGV,AAAQ,mBACN,cACA,SACA;AAKA,SAAO,IAAI,gBAAgB,EAAE,WAJX,mBAAmB,cAAc;GACjD,qBAAqB,SAAS;GAC9B,uCAAuC,SAAS;GACjD,CAAC,EACsC,CAAC;;CAG3C,MAAc,kCACZ,cACA,yBACA,iBACA;EACA,MAAM,yBAAyB;AAC/B,OAAK,4BAA4B,+BAA+B,uBAAuB;EAEvF,MAAM,uBAAuB;GAC3B,YAAY;GACZ,uBAAuB,MAAM,KAAK,4BAA4B,yBAC5D,cACA,uBACD;GACF;EAED,MAAM,yBAAyB,qBAAqB,sBAAsB,aAAa,SAAS,gBAC9F,YAAY,gBAAgB,KAAK,UAAU,MAAM,kBAAkB,CACpE;AAUD,SAAO;GAAE,KAAK;GAAsB,wBAPL,iBAAiB,KAAK,WAAW;IAC9D;IACA,sBAAsB,MAAM,gBAAgB,eAAe,QAAQ,iBACjE,uBAAuB,SAAS,aAAa,CAC9C;IACF,EAAE;GAEyD;;CAG9D,MAAc,kBACZ,cACA,MACA,iBACA;EACA,MAAM,YAAY,KAAK,YAAY,kBAAkB,KAAK;EAC1D,MAAM,kBAAkB,MAAM,KAAK,YAAY,yBAAyB,cAAc,UAAU;EAGhG,MAAM,yBAAyB,iBAAiB,KAAK,WAAW;GAC9D;GACA,sBAAsB,MAAM,gBAAgB,eAAe,QACxD,iBAAiB,gBAAgB,mBAAmB,cAAc,QACpE;GACF,EAAE;AAEH,SAAO;GAAE,MAAM,EAAE,aAAa,iBAAiB;GAAE;GAAwB;;CAG3E,MAAa,4BACX,cAOA,sBACA,SACgD;EAChD,MAAM,kBAAkB,KAAK,mBAAmB,cAAc;GAC5D,qBAAqB,SAAS;GAC9B,uCAAuC;GACxC,CAAC;EACF,MAAM,EAAE,WAAW,gBAAgB,mCAAmC,EAAE,sBAAsB,CAAC;EAE/F,MAAM,+BAA+B,MAAM,gBAAgB,qCAAqC;GAC9F,6BAA6B;GAC7B,QAAQ,SAAS;GAClB,CAAC;EAEF,MAAM,EAAE,QAAQ,KAAK,iBAAiB,SAAS;AAG/C,MACE,OAAO,WAAW,kBAClB,OAAO,WAAW,eAClB,OAAO,WAAW,8BAClB,OAAO,WAAW,YAClB,OAAO,WAAW,eAElB,OAAM,IAAI,WAAW,qBAAqB,OAAO,OAAO,oBAAoB;EAG9E,MAAM,cAAc;GAClB,6BAA6B,6BAA6B;GAC1D,QAAQ,SAAS;GACjB,4BAA4B,6BAA6B,MACrD;IACE,QAAQ,6BAA6B,KAAK;IAC1C,SAAS,6BAA6B,IAAI,IAAI;IAC9C,QAAQ,6BAA6B,IAAI,IAAI;IAC9C,GACD;GACL;EAED,MAAM,YAAY,KAAK,0BACnB,MAAM,KAAK,kCAAkC,cAAc,IAAI,yBAAyB,gBAAgB,GACxG;EAEJ,MAAM,aAAa,MAAM,QAAQ,MAAM,KAAK,kBAAkB,cAAc,KAAK,OAAO,gBAAgB,GAAG;AAE3G,eAAa,OAAO,OAAO,MAAM,iCAAiC;AAClE,eAAa,OAAO,OAAO,MAAM,YAAY,qBAAqB,GAAG;AAErE,SAAO;GACL,GAAG;GACH,UAAU;IACR,gBAAgB,OAAO;IACvB,mBAAmB,OAAO;IAC3B;GACD,iBAAiB,WAAW,0BAA0B,YAAY;GAClE,sBAAsB,WAAW;GACjC,MAAM,YAAY;GACnB;;CAGH,AAAQ,2CAIN,qBACA,iBACA,oCACG;AAGH,MAAI,CAAC,mBAAmB,CAAC,mCAAoC,QAAO;AAEpE,MAAI,CAAC,mCACH,OAAM,IAAI,WACR,gKACD;AAGH,MAAI,CAAC,gBACH,OAAM,IAAI,WACR,2KACD;AAGH,MAAI,gBAAgB,WAAW,mCAAmC,OAChE,OAAM,IAAI,WACR,qMACD;EAGH,MAAMC,+BAA6E,EAAE;AAErF,kBAAgB,SAAS,sBAAsB,yBAAyB;GACtE,MAAM,EAAE,iBAAiB,mCAAmC;AAE5D,OAAI,CAAC,qBAAqB,gBAAgB,eAAe,SAAS,aAAa,CAC7E,OAAM,IAAI,WACR,kBAAkB,aAAa,kDAAkD,qBAAqB,yFAAyF,qBAAqB,gBAAgB,eAAe,KAAK,KAAK,GAC9P;AAGH,OAAI,CAAC,oBAAoB,cACvB,OAAM,IAAI,WACR,kBAAkB,aAAa,kDAAkD,qBAAqB,4EACvG;GAGH,MAAM,qBAAqB,oBAAoB,cAC5C,QAAQ,MAAM,EAAE,gBAAgB,YAAY,QAAQ,CACpD,KAAK,MAAM,EAAE,YAAY;AAE5B,OAAI,mBAAmB,SAAS,EAC9B,OAAM,IAAI,WACR,kBAAkB,aAAa,kDAAkD,qBAAqB,0BAA0B,mBAAmB,KAAK,KAAK,CAAC,UAAU,YAAY,QAAQ,qEAC7L;AAGH,OAAI,CAAC,6BAA6B,cAChC,8BAA6B,gBAAgB,EAAE;AAEjD,gCAA6B,cAAc,KAAK,qBAAqB;IACrE;EAEF,MAAM,qBAAqB,EACzB,GAAG,qBACJ;AACD,OAAK,MAAM,CAAC,cAAc,YAAY,OAAO,QAAQ,6BAA6B,EAAE;GAClF,MAAM,kBAAkB,QAAQ,QAC7B,mBAAmB,WACjB,MAAM,gBAAgB,+BAA+B,CAAC,UAAU,EAAE,QAChE,UAAU,CAAC,qBAAqB,kBAAkB,SAAS,MAAM,CACnE,EACH,OACD;AAED,OAAI,CAAC,mBAAmB,gBAAgB,WAAW,EACjD,OAAM,IAAI,WACR,wDAAwD,aAAa,iCAAiC,QAAQ,KAAK,MAAM,EAAE,qBAAqB,CAAC,KAAK,IAAI,CAAC,wDAC5J;GAGH,MAAM,oBAAoB,CAAC,SAAS,UAAU;GAC9C,MAAM,2BAA2B,kBAAkB,QAAQ,QAAQ,gBAAgB,SAAS,IAAI,CAAC;AACjG,OAAI,yBAAyB,WAAW,EACtC,OAAM,IAAI,WACR,kEAAkE,aAAa,iCAAiC,QAAQ,KAAK,MAAM,EAAE,qBAAqB,CAAC,KAAK,IAAI,CAAC,sEAAsE,gBAAgB,KAAK,KAAK,CAAC,4BAA4B,kBAAkB,KAAK,KAAK,CAAC,GAChU;GAKH,MAAM,CAAC,4BAA4B;GACnC,MAAM,wBAAwB,QAAQ,KAAK,UACzC,kBAAkB,YAAY,OAAO,KAAK,MAAM,SAAS,yBAAyB,CAAC,CACpF;AAED,sBAAmB,gBAAgB,mBAAmB,cAAc,KAAK,eAAe;AACtF,QAAI,WAAW,gBAAgB,YAAY,QAEzC,OAAM,IAAI,WACR,4BAA4B,WAAW,YAAY,oCAAoC,YAAY,QAAQ,GAC5G;AAGH,WAAO;KACL,GAAG;KACH,mBAAmB;MACjB,GAAI,WAAW,qBAAqB,EAAE;MACtC,yBAAyB;MACzB,6BAA6B;MAC9B;KACF;KACD;;AAGJ,SAAO;;CAGT,MAAa,2BACX,cACA,SACA;EACA,MAAM,MAAM,aAAa,QAAQ,IAAI,iBAAiB;EACtD,MAAM,EAAE,6BAA6B,sBAAsB,MAAM,oBAAoB;EAErF,MAAM,kBAAkB,KAAK,mBAAmB,aAAa;EAC7D,MAAM,6BAA6B,kBAAkB,YAAY,IAAI,YAAY,EAAE,QAAQ,IAAI,CAAC,CAAC;EACjG,MAAM,EAAE,UAAU;EAElB,IAAI,yBAAyB,iCAAiC,4BAA4B;AAK1F,MACE,0BAA0B,MAC1B,yBAAyB,OACxB,CAAC,4BAA4B,aAAa,4BAA4B,WAAW,WAAW,gBAAgB,EAE7G,0BAAyB;EAK3B,MAAMC,mBACJ,yBAAyB,KAAK,OAAO,0BAA0B,KAAK,eAAe;EAUrF,MAAM,WARiB,qBAAqB;GAC1C,cAAc,4BAA4B;GAC1C,UAAU,4BAA4B;GACtC,sBAAsB,4BAA4B;GAClD,QAAQ,QAAQ;GAChB,SAAS;GACV,CAAC,CAE8B;EAChC,MAAM,iBAAiB,qCAAqC,4BAA4B;EAExF,MAAM,wBACJ,4BAA4B,iBAAiB,mBAAmB,4BAA4B,cAAc;EAK5G,MAAM,WAAW,qBAAqB,QAAQ,iBAAiB,UAAU,QAAQ,WAAW;EAE5F,IAAIC;AACJ,MAAI,uBAAuB;GAEzB,MAAM,iBAAiB,4BAA4B;AAEnD,OAAI,CAAC,eACH,OAAM,IAAI,WACR,8GACD;AAEH,OAAI,CAAC,eAAe,KAClB,OAAM,IAAI,WACR,qHACD;AAGH,mBAAgB,6BAA6B,eAAe,MAAM,EAChE,oBAAoB,CAAC,UAAU,EAChC,CAAC;AAEF,OAAI,CAAC,cACH,OAAM,IAAI,WAAW,sFAAsF;;EAI/G,IAAIC;AACJ,MAAI,qCAAqC,4BAA4B,EAAE;AACrE,OAAI,CAAC,QAAQ,OACX,OAAM,IAAI,WAAW,yFAAyF;AAGhH,OAAI,qBAAqB,KACvB,yBAAwB;IACtB,MAAM;IACN,QAAQ,QAAQ;IAChB,wBAAwB;IACxB,eAAe,gBAAgB,IAAI,UAAU,YAAY,cAAc,GAAG;IAC3E;OAED,yBAAwB;IACtB,MAAM;IACN;IACA,QAAQ,QAAQ;IAChB,wBAAwB;IACzB;SAEE;GACL,MAAM,cAAc,4BAA4B,gBAAgB,4BAA4B;AAC5F,OAAI,CAAC,YACH,OAAM,IAAI,WACR,4FACD;AAGH,OAAI,qBAAqB,KACvB,yBAAwB;IACtB,MAAM;IACN;IACA;IACA,wBAAwB;IACxB,eAAe,gBAAgB,IAAI,UAAU,YAAY,cAAc,GAAG;IAC3E;OAED,yBAAwB;IACtB,MAAM;IACN,oBAAoB;IACpB;IACA;IACA,wBAAwB;IACzB;;EAIL,IAAIC;EACJ,IAAIC;EAEJ,MAAM,wBAAwB,4BAA4B,mBACtD,qBAAqB,EACnB,iBAAiB,4BAA4B,kBAC9C,CAAC,GACF;AAGJ,MAAI,4BAA4B,2BAA2B,sBAAsB;AAC/E,OAAI,CAAC,qBACH,OAAM,IAAI,WACR,oIACD;AAEH,OAAI,CAAC,4BAA4B,wBAC/B,OAAM,IAAI,WACR,6GACD;GAGH,MAAM,iCAAiC,KAAK,2CAC1C,qBAAqB,aACrB,uBACA,gBACD;GAED,MAAM,EAAE,wBAAwB,yBAAyB,mCACvD,MAAM,KAAK,4BAA4B,mBAAmB,cAAc;IACtE,+BAA+B;IAC/B,wBACE,4BAA4B;IAC9B,WAAW;IACX,QAAQ;IACR,gCAAgC,0CAA0C;IACnD;IACxB,CAAC;AAEJ,aACE,+BAA+B,WAAW,KAAK,yBAAyB,eAAe,IAAI,SAAS,MAChG,+BAA+B,KAC/B;AACN,4BAAyB;aAChB,4BAA4B,cAAc,MAAM;AACzD,OAAI,CAAC,4BAA4B,WAC/B,OAAM,IAAI,WAAW,kFAAkF;AAEzG,OAAI,CAAC,KACH,OAAM,IAAI,WACR,yGACD;GAGH,MAAM,iCAAiC,KAAK,2CAC1C,KAAK,aACL,uBACA,gBACD;GAED,MAAM,EAAE,4BAA4B,MAAM,KAAK,YAAY,mBAAmB,cAAc;IAC1F,6BAA6B;IAC7B,WAAW;IACX,QAAQ;IACe;IACxB,CAAC;AAEF,aAAU;AAGV,OAAI,qBAAqB,KACvB,WAAU,OAAO,YACf,OAAO,QAAQ,wBAAwB,CAAC,KAAK,CAAC,mBAAmB,mBAAmB;AAClF,QAAI,cAAc,SAAS,EACzB,OAAM,IAAI,WACR,6GAA6G,iBAAiB,IAC/H;AAGH,WAAO,CAAC,mBAAmB,cAAc,GAAG;KAC5C,CACH;QAGH,OAAM,IAAI,WAAW,sCAAsC;EAG7D,MAAM,WAAW,MAAM,gBAAgB,qCAAqC;GAC1E;GACA,QAAQ,QAAQ;GAChB,8BAA8B;IAC5B,UAAU;IACV,yBAAyB;IAC1B;GACD,MAAM,gBACF;IACE,YAAY;KAAE,OAAO;KAA4B,KAAK;KAAe;IACrE,gBAAgB;KACd,4CAA4C,EAAE;KAC9C,+CAA+C,CAAC,UAAU;KAC1D,+CAA+C;MAAC;MAAW;MAAW;MAAgB;KACvF;IACF,GACD;GACL,CAAC;EAEF,MAAM,+BAA+B,SAAS;EAG9C,MAAM,wBAAwB,SAAS,MAAM,cACzC,EAAE,UAAU,SAAS,KAAK,aAAa,GACvC;AAKJ,MAAI,qCAAqC,4BAA4B,CACnE,QAAO;GACL,IAAI;GACJ;GACA;GACD;EAKH,MAAM,SAAS,MAAM,gBAAgB,qCAAqC;GACxE;GACA,8BAA8B,SAAS;GACvC,MAAM,SAAS,OAAO,EAAE,aAAa,SAAS,KAAK,aAAa,GAAG;GACpE,CAAC;EAEF,MAAM,eAAe,MAAM,OAAO,SAC/B,OAAO,CACP,MAAM,CACN,YAAY,KAAK;EAEpB,MAAM,eAAgB,MAAM,OAAO,SAChC,OAAO,CACP,MAAM,CACN,YAAY,KAAK;AAEpB,MAAI,CAAC,OAAO,SAAS,GACnB,QAAO;GACL,IAAI;GACJ,gBAAgB;IACd,QAAQ,OAAO,SAAS;IACxB,MAAM,gBAAgB;IACvB;GACD;GACA;GACD;AAGH,SAAO;GACL,IAAI;GACJ,gBAAgB;IACd,QAAQ,OAAO,SAAS;IACxB,MAAM,gBAAgB,EAAE;IACzB;GACD;GACA;GACA,aAAa,cAAc;GAC3B,mCAAmC,cAAc;GAClD;;;qCA3hBJ,YAAY"}

package/build/openid4vc-holder/OpenId4vpHolderServiceOptions.d.mts ADDED Viewed

@@ -0,0 +1,112 @@
+import { OpenId4VpAuthorizationRequestPayload } from "../shared/models/index.mjs";
+import "../shared/index.mjs";
+import { DcqlCredentialsForRequest, DcqlQueryResult, DifPexCredentialsForRequest, DifPexInputDescriptorToCredentials, DifPresentationExchangeDefinition, EncodedX509Certificate } from "@credo-ts/core";
+import { ResolvedOpenid4vpAuthorizationRequest } from "@openid4vc/openid4vp";
+//#region src/openid4vc-holder/OpenId4vpHolderServiceOptions.d.ts
+type ParsedTransactionDataEntry = NonNullable<ResolvedOpenid4vpAuthorizationRequest['transactionData']>[number];
+interface ResolveOpenId4VpAuthorizationRequestOptions {
+  trustedCertificates?: EncodedX509Certificate[];
+  origin?: string;
+}
+type VerifiedJarRequest = NonNullable<ResolvedOpenid4vpAuthorizationRequest['jar']>;
+interface OpenId4VpResolvedAuthorizationRequest {
+  /**
+   * Parameters related to DIF Presentation Exchange. Only defined when
+   * the request included a presentation definition.
+   */
+  presentationExchange?: {
+    definition: DifPresentationExchangeDefinition;
+    credentialsForRequest: DifPexCredentialsForRequest;
+  };
+  /**
+   * Parameters related to DCQL. Only defined when
+   * the request included a dcql query.
+   */
+  dcql?: {
+    queryResult: DcqlQueryResult;
+  };
+  /**
+   * The transaction data entries, with the matched credential ids.
+   * - For Presentation Exchange the id refers to the presentation exchange id
+   * - For DCQL the id refers to the credential query id
+   *
+   * If no matches were found the `matchedCredentialIds` will be empty and means
+   * the presetnation cannot be satisfied.
+   *
+   * The entries have the same order as the transaction data entries from the request
+   */
+  transactionData?: Array<{
+    entry: ParsedTransactionDataEntry;
+    matchedCredentialIds: string[];
+  }>;
+  /**
+   * The authorization request payload
+   */
+  authorizationRequestPayload: OpenId4VpAuthorizationRequestPayload;
+  /**
+   * Metadata about the signed authorization request.
+   *
+   * Only present if the authorization request was signed
+   */
+  signedAuthorizationRequest?: {
+    signer: VerifiedJarRequest['signer'];
+    payload: VerifiedJarRequest['jwt']['payload'];
+    header: VerifiedJarRequest['jwt']['header'];
+  };
+  verifier: {
+    /**
+     * The client id prefix in normalized form (so e.g. 'did' is returned as 'decentralized_identifier')
+     */
+    clientIdPrefix: ResolvedOpenid4vpAuthorizationRequest['client']['prefix'];
+    /**
+     * The effective client id, taking into account default values and different draft versions.
+     */
+    effectiveClientId: ResolvedOpenid4vpAuthorizationRequest['client']['effective'];
+  };
+  /**
+   * Origin of the request, to be used with Digital Credentials API
+   */
+  origin?: string;
+}
+interface OpenId4VpAcceptAuthorizationRequestOptions {
+  /**
+   * Parameters related to DIF Presentation Exchange. MUST be present when the resolved
+   * authorization request included a `presentationExchange` parameter.
+   */
+  presentationExchange?: {
+    credentials: DifPexInputDescriptorToCredentials;
+  };
+  /**
+   * Parameters related to Dcql. MUST be present when the resolved
+   * authorization request included a `dcql` parameter.
+   */
+  dcql?: {
+    credentials: DcqlCredentialsForRequest;
+  };
+  /**
+   * The credentials to use for the transaction data hashes in the presentation. The length
+   * of the array MUST be the same length as the transaction data entries in the authorization
+   * request, and follow the same order (meaning the first entry in this array matches the first
+   * entry in the transaction data from the request).
+   *
+   * - For Presentation Exchange the id refers to the presentation exchange id
+   * - For DCQL the id refers to the credential query id
+   *
+   */
+  transactionData?: Array<{
+    credentialId: string;
+  }>;
+  /**
+   * The authorization request payload
+   */
+  authorizationRequestPayload: OpenId4VpAuthorizationRequestPayload;
+  /**
+   * The origin of the verifier that is making the request.
+   * Required in combination with the DC Api
+   */
+  origin?: string;
+}
+//#endregion
+export { OpenId4VpAcceptAuthorizationRequestOptions, OpenId4VpResolvedAuthorizationRequest, ParsedTransactionDataEntry, ResolveOpenId4VpAuthorizationRequestOptions };
+//# sourceMappingURL=OpenId4vpHolderServiceOptions.d.mts.map