@digitalbazaar/oid4-client 4.3.0 → 5.0.0

package/lib/util.js

@@ -1,5 +1,5 @@
 /*!
- * Copyright (c) 2022-2024 Digital Bazaar, Inc. All rights reserved.
+ * Copyright (c) 2022-2025 Digital Bazaar, Inc. All rights reserved.
  */
 import * as base64url from 'base64url-universal';
 import {httpClient} from '@digitalbazaar/http-client';
@@ -21,6 +21,28 @@ export function assertOptional(x, name, type) {
   return assert(x, name, type, true);
 }
 
+export function base64Decode(str) {
+  if(Uint8Array.fromBase64) {
+    return Uint8Array.fromBase64(str);
+  }
+  return base64url.decode(
+    str.replace(/=/g, '').replace(/\+/g, '-').replace(/\//g, '_'));
+}
+
+export function base64Encode(data) {
+  if(data.toBase64) {
+    return data.toBase64();
+  }
+  // note: this is base64-no-pad; will only work with specific data lengths
+  base64url.encode(data).replace(/-/g, '+').replace(/_/g, '/');
+}
+
+export function createNamedError({message, name, cause} = {}) {
+  const error = new Error(message, {cause});
+  error.name = name;
+  return error;
+}
+
 export async function discoverIssuer({issuerConfigUrl, agent} = {}) {
   try {
     assert(issuerConfigUrl, 'issuerConfigUrl', 'string');
@@ -251,6 +273,49 @@ export async function robustDiscoverIssuer({issuer, agent} = {}) {
   throw error;
 }
 
+export function selectJwk({keys, kid, alg, kty, crv, use} = {}) {
+  /* Example JWKs "keys":
+  "jwks": {
+    "keys": [
+      {
+        "kty": "EC",
+        "use": "enc",
+        "crv": "P-256",
+        "x": "...",
+        "y": "...",
+        "alg": "ECDH-ES",
+        "kid": "..."
+      }
+    ]
+  } */
+  if(!Array.isArray(keys)) {
+    return;
+  }
+
+  // match `kid` exactly if given
+  if(kid !== undefined) {
+    return keys.find(jwk => jwk?.kid === kid);
+  }
+
+  return keys.find(jwk => {
+    // default unspecified search values to whatever is in `jwk`
+    const alg1 = alg ?? jwk.alg;
+    const kty1 = kty ?? jwk.kty;
+    const crv1 = crv ?? jwk.crv;
+    const use1 = use ?? jwk.use;
+    const {
+      // default missing `alg` value in `jwk` to search value
+      alg: alg2 = alg1,
+      kty: kty2,
+      crv: crv2,
+      // default missing `use` value in `jwk` to search value
+      use: use2 = use1
+    } = jwk;
+    // return if `jwk` matches computed values
+    return alg1 === alg2 && kty1 === kty2 && crv1 === crv2 && use1 === use2;
+  });
+}
+
 export async function signJWT({payload, protectedHeader, signer} = {}) {
   // encode payload and protected header
   const b64Payload = base64url.encode(JSON.stringify(payload));

package/lib/x509.js

@@ -0,0 +1,61 @@
+/*!
+ * Copyright (c) 2023-2025 Digital Bazaar, Inc. All rights reserved.
+ */
+import {
+  Certificate,
+  CertificateChainValidationEngine,
+  id_SubjectAltName
+} from 'pkijs';
+import {base64Decode} from './util.js';
+
+export function fromPemOrBase64(str) {
+  const tag = 'CERTIFICATE';
+  const pattern = new RegExp(
+    `-{5}BEGIN ${tag}-{5}([a-zA-Z0-9=+\\/\\n\\r]+)-{5}END ${tag}-{5}`, 'g');
+  const matches = pattern.exec(str);
+  if(!matches) {
+    throw new Error('No PEM or Base64-formatted certificate found.');
+  }
+  const b64 = matches[1].replace(/\r/g, '').replace(/\n/g, '');
+  return _fromBase64(b64);
+}
+
+export function hasDomainSubjectAltName({certificate, name} = {}) {
+  const subjectAltNames = new Set();
+  for(const extension of certificate.extensions) {
+    if(extension.extnID === id_SubjectAltName) {
+      for(const altName of extension.parsedValue.altNames) {
+        // `domain` type
+        if(altName.type === 2) {
+          subjectAltNames.add(altName.value);
+        }
+      }
+    }
+  }
+  return subjectAltNames.has(name);
+}
+
+export function parseCertificateChain({x5c} = {}) {
+  return x5c.map(c => Certificate.fromBER(base64Decode(c)));
+}
+
+export async function verifyCertificateChain({
+  chain, trustedCertificates
+} = {}) {
+  if(!(chain?.length > 0)) {
+    throw new Error('No matching certificate.');
+  }
+
+  const chainEngine = new CertificateChainValidationEngine({
+    certs: chain.map(c => typeof c === 'string' ? fromPemOrBase64(c) : c),
+    trustedCerts: trustedCertificates.map(
+      c => typeof c === 'string' ? fromPemOrBase64(c) : c)
+  });
+
+  const verifyResult = await chainEngine.verify();
+  return verifyResult;
+}
+
+function _fromBase64(str) {
+  return Certificate.fromBER(base64Decode(str));
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@digitalbazaar/oid4-client",
-  "version": "4.3.0",
+  "version": "5.0.0",
   "description": "An OID4 (VC + VP) client",
   "homepage": "https://github.com/digitalbazaar/oid4-client",
   "author": {
@@ -25,15 +25,15 @@
   "dependencies": {
     "@digitalbazaar/http-client": "^4.0.0",
     "base64url-universal": "^2.0.0",
-    "jose": "^5.9.4",
-    "jsonpath-plus": "^10.0.0",
+    "jose": "^6.0.13",
+    "jsonpath-plus": "^10.3.0",
     "jsonpointer": "^5.0.1",
-    "uuid": "^10.0.0"
+    "pkijs": "^3.2.5"
   },
   "devDependencies": {
-    "c8": "^7.11.3",
+    "c8": "^10.1.3",
     "chai": "^4.3.6",
-    "cross-env": "^7.0.3",
+    "cross-env": "^10.0.0",
     "eslint": "^8.41.0",
     "eslint-config-digitalbazaar": "^5.0.1",
     "eslint-plugin-jsdoc": "^50.4.1",
@@ -49,7 +49,7 @@
     "karma-webpack": "^5.0.0",
     "mocha": "^10.0.0",
     "mocha-lcov-reporter": "^1.3.0",
-    "webpack": "^5.73.0"
+    "webpack": "^5.101.3"
   },
   "c8": {
     "reporter": [
@@ -59,7 +59,7 @@
     ]
   },
   "engines": {
-    "node": ">=18"
+    "node": ">=20"
   },
   "keywords": [
     "OID4",