@digitalbazaar/oid4-client 4.4.0 → 5.0.0

package/lib/authorizationRequest.js

@@ -2,12 +2,25 @@
  * Copyright (c) 2023-2025 Digital Bazaar, Inc. All rights reserved.
  */
 import {
-  assert, assertOptional, createNamedError, fetchJSON, selectJwk
+  assert, assertOptional, base64Encode, createNamedError, fetchJSON, selectJwk
 } from './util.js';
-import {decodeJwt, jwtVerify} from 'jose';
+import {decodeJwt, importX509, jwtVerify} from 'jose';
+import {
+  hasDomainSubjectAltName, parseCertificateChain, verifyCertificateChain
+} from './x509.js';
+
+const REQUIRED_SIGNED_AUTHZ_REQUEST_CLIENT_ID_SCHEMES = new Set([
+  'x509_san_dns', 'x509_hash', 'did', 'decentralized_identifier'
+]);
+const SUPPORTED_CLIENT_ID_SCHEMES = new Set([
+  'redirect_uri',
+  'x509_san_dns', 'x509_hash', 'did', 'decentralized_identifier'
+]);
 
 // get an authorization request from a verifier
-export async function get({url, getVerificationKey, agent} = {}) {
+export async function get({
+  url, getTrustedCertificates, getVerificationKey, agent
+} = {}) {
   try {
     assert(url, 'url', 'string');
 
@@ -28,6 +41,7 @@ export async function get({url, getVerificationKey, agent} = {}) {
       if(authorizationRequest.request) {
         authorizationRequest = await _parseJwt({
           jwt: authorizationRequest.request,
+          getTrustedCertificates,
           getVerificationKey,
           signatureRequired: true
         });
@@ -42,15 +56,14 @@ export async function get({url, getVerificationKey, agent} = {}) {
       fetched = true;
       ({
         payload: authorizationRequest, response, jwt
-      } = await _fetch({requestUrl, getVerificationKey, agent}));
+      } = await _fetch({
+        requestUrl, getTrustedCertificates, getVerificationKey, agent
+      }));
     }
 
     // ensure authorization request is valid
     validate({authorizationRequest, expectedClientId});
 
-    // resolve and validate any additional parameters in the request
-    authorizationRequest = await resolveParams({authorizationRequest, agent});
-
     return {authorizationRequest, fetched, requestUrl, response, jwt};
   } catch(cause) {
     const message = cause.data?.error_description ?? cause.message;
@@ -62,6 +75,11 @@ export async function get({url, getVerificationKey, agent} = {}) {
   }
 }
 
+export function getClientIdScheme({authorizationRequest} = {}) {
+  return authorizationRequest.client_id_scheme ??
+    authorizationRequest.client_id?.split(':')[0];
+}
+
 export function requestsFormat({authorizationRequest, format} = {}) {
   /* e.g. presentation definition requesting an mdoc:
   {
@@ -80,84 +98,11 @@ export function requestsFormat({authorizationRequest, format} = {}) {
     e => e?.format?.[format]);
 }
 
-// FIXME: in a major release, remove support for params requiring resolution
-export async function resolveParams({authorizationRequest, agent}) {
-  const {
-    client_metadata_uri,
-    presentation_definition_uri,
-    ...resolved
-  } = {...authorizationRequest};
-
-  // get client meta data from URL if specified
-  if(client_metadata_uri) {
-    const response = await fetchJSON({url: client_metadata_uri, agent});
-    if(!response.data) {
-      throw createNamedError({
-        message: 'Client meta data format is not JSON.',
-        name: 'DataError'
-      });
-    }
-    resolved.client_metadata = response.data;
-  }
-
-  // get presentation definition from URL if not embedded
-  if(presentation_definition_uri) {
-    const response = await fetchJSON(
-      {url: presentation_definition_uri, agent});
-    if(!response.data) {
-      throw createNamedError({
-        message: 'Presentation definition format is not JSON.',
-        name: 'DataError'
-      });
-    }
-    resolved.presentation_definition = response.data;
-  }
-
-  assert(resolved.presentation_definition, 'presentation_definition', 'object');
-  assert(
-    resolved.presentation_definition?.id,
-    'presentation_definition.id', 'string');
-
-  // FIXME: further validate `authorizationRequest.presentation_definition`
-  // FIXME: further validate `authorizationRequest.client_metadata`
-
-  // `direct_post.jwt` response mode requires encryption; ensure the client
-  // meta data has the necessary parameters
-  if(resolved.response_mode === 'direct_post.jwt') {
-    const {
-      authorization_encrypted_response_alg = 'ECDH-ES',
-      authorization_encrypted_response_enc = 'A256GCM',
-      jwks
-    } = resolved.client_metadata;
-    if(authorization_encrypted_response_alg !== 'ECDH-ES') {
-      throw createNamedError({
-        message: `"${authorization_encrypted_response_alg}" is not ` +
-          'supported; only "ECDH-ES" is supported.',
-        name: 'NotSupportedError'
-      });
-    }
-    if(authorization_encrypted_response_enc !== 'A256GCM') {
-      throw createNamedError({
-        message: `"${authorization_encrypted_response_enc}" is not ` +
-          'supported; only "A256GCM" is supported.',
-        name: 'NotSupportedError'
-      });
-    }
-    if(!selectJwk({
-      keys: jwks?.keys, alg: 'ECDH-ES', kty: 'EC', crv: 'P-256', use: 'enc'
-    })) {
-      throw createNamedError({
-        message: 'No matching key found for "ECDH-ES" in client meta data ' +
-          'JWK key set.',
-        name: 'NotFoundError'
-      });
-    }
-  }
-
-  return resolved;
-}
-
 export function usesClientIdScheme({authorizationRequest, scheme} = {}) {
+  if(Array.isArray(scheme)) {
+    return scheme.some(
+      scheme => usesClientIdScheme({authorizationRequest, scheme}));
+  }
   return authorizationRequest?.client_id_scheme === scheme ||
     authorizationRequest?.client_id?.startsWith(`${scheme}:`);
 }
@@ -168,10 +113,8 @@ export async function validate({authorizationRequest, expectedClientId}) {
     client_id,
     client_id_scheme,
     client_metadata,
-    client_metadata_uri,
     nonce,
     presentation_definition,
-    presentation_definition_uri,
     response_mode,
     scope
   } = authorizationRequest;
@@ -187,31 +130,26 @@ export async function validate({authorizationRequest, expectedClientId}) {
   assert(nonce, 'nonce', 'string');
   assertOptional(client_id_scheme, 'client_id_scheme', 'string');
   assertOptional(client_metadata, 'client_metadata', 'object');
-  // FIXME: remove `client_metadata_uri` in a future revision, it is not
-  // supported in the latest OID4VP, bad practice, and rarely used
-  assertOptional(client_metadata_uri, 'client_metadata_uri', 'string');
   assertOptional(
     presentation_definition, 'presentation_definition', 'object');
-  // FIXME: remove `presentation_definition_uri` in a future revision, it is
-  // not supported in the latest OID4VP, bad practice, and rarely used
-  assertOptional(
-    presentation_definition_uri, 'presentation_definition_uri', 'string');
   assertOptional(response_mode, 'response_mode', 'string');
   assertOptional(scope, 'scope', 'string');
-  if(client_metadata && client_metadata_uri) {
-    throw createNamedError({
-      message: 'Only one of "client_metadata" and ' +
-        '"client_metadata_uri" must be present.',
-      name: 'DataError'
-    });
-  }
-  if(presentation_definition && presentation_definition_uri) {
+  // FIXME: further validate `presentation_definition`
+  // FIXME: further validate `client_metadata`
+
+  // Note: This implementation requires client ID scheme to be one of:
+  // `redirect_uri`, `x509_san_dns`, `x509_hash`, `did`, or
+  // `decentralized_identifier`
+  const scheme = getClientIdScheme({authorizationRequest});
+  if(!SUPPORTED_CLIENT_ID_SCHEMES.has(scheme)) {
+    const schemes = [...SUPPORTED_CLIENT_ID_SCHEMES].join(', ');
     throw createNamedError({
-      message: 'Only one of "presentation_definition" and ' +
-        '"presentation_definition_uri" must be present.',
-      name: 'DataError'
+      message: `Unsupported client ID scheme "${scheme}"; ` +
+        `supported schemes are: ${schemes}.'`,
+      name: 'NotSupportedError'
     });
   }
+
   // Note: This implementation requires `response_mode` to be `direct_post`
   // or `direct_post.jwt`; no other modes are supported.
   if(!(response_mode === 'direct_post' ||
@@ -222,9 +160,151 @@ export async function validate({authorizationRequest, expectedClientId}) {
       name: 'NotSupportedError'
     });
   }
+
+  // `direct_post.jwt` response mode requires encryption; ensure the client
+  // meta data has the necessary parameters
+  if(response_mode === 'direct_post.jwt') {
+    const {
+      authorization_encrypted_response_alg = 'ECDH-ES',
+      authorization_encrypted_response_enc = 'A256GCM',
+      jwks
+    } = client_metadata;
+    if(authorization_encrypted_response_alg !== 'ECDH-ES') {
+      throw createNamedError({
+        message: `"${authorization_encrypted_response_alg}" is not ` +
+          'supported; only "ECDH-ES" is supported.',
+        name: 'NotSupportedError'
+      });
+    }
+    if(authorization_encrypted_response_enc !== 'A256GCM') {
+      throw createNamedError({
+        message: `"${authorization_encrypted_response_enc}" is not ` +
+          'supported; only "A256GCM" is supported.',
+        name: 'NotSupportedError'
+      });
+    }
+    if(!selectJwk({
+      keys: jwks?.keys, alg: 'ECDH-ES', kty: 'EC', crv: 'P-256', use: 'enc'
+    })) {
+      throw createNamedError({
+        message: 'No matching key found for "ECDH-ES" in client meta data ' +
+          'JWK key set.',
+        name: 'NotFoundError'
+      });
+    }
+  }
+}
+
+async function _checkClientIdSchemeRequirements({
+  clientIdScheme, authorizationRequest, protectedHeader,
+  certificatePublicKey, getTrustedCertificates
+}) {
+  // if `x509_san_dns` or `x509_hash`...
+  if(clientIdScheme.startsWith('x509_')) {
+    // `x5c` MUST be present where the public key is in the leaf cert (which is
+    // the first in the chain per RFC 7515:
+    // https://datatracker.ietf.org/doc/html/rfc7515#section-4.1.6)
+    if(!certificatePublicKey) {
+      throw createNamedError({
+        message:
+          'No "x5c" header with an acceptable public key found; client ID ' +
+          'schemes starting with "x509_" must use the "x5c" header ' +
+          'to provide an X.509 certificate with the public key for verifying ' +
+          'the request.',
+        name: 'DataError'
+      });
+    }
+
+    // ensure trusted certs can be retrieved
+    if(typeof getTrustedCertificates !== 'function') {
+      throw createNamedError({
+        message:
+          'No "getTrustedCertificates" function provided; client ID schemes ' +
+          'starting with "x509_" require such a function to be provided ' +
+          'that will return the certificates that are to be trusted ' +
+          'when verifying X.509 certificate chains.',
+        name: 'DataError'
+      });
+    }
+
+    // get trusted certificates for `x5c` and verify chain
+    const {x5c} = protectedHeader;
+    const chain = parseCertificateChain({x5c});
+    const trustedCertificates = await getTrustedCertificates({
+      x5c, chain, authorizationRequest
+    });
+    const verifyResult = await verifyCertificateChain({
+      chain, trustedCertificates
+    });
+    if(!verifyResult.result) {
+      throw createNamedError({
+        message:
+          'Signed authorization request "x5c" certificate chain is invalid: ' +
+          verifyResult.resultMessage,
+        name: 'DataError'
+      });
+    }
+
+    let {client_id: clientId} = authorizationRequest;
+    clientId = clientId.startsWith(`${clientIdScheme}:`) ?
+      clientId.slice(clientIdScheme.length + 2) : clientId;
+
+    if(clientIdScheme === 'x509_san_dns') {
+      // `x509_san_dns` requires leaf cert to have a dNSName ("domain" type) in
+      // a subject alternative name field that matches the client_id
+      if(!hasDomainSubjectAltName({certificate: chain[0], name: clientId})) {
+        throw createNamedError({
+          message:
+            `Signed authorization request header "x5c" parameter's leaf ` +
+            'certificate does not have a DNS subject alternative name that ' +
+            'matches the client ID as required by the used "x509_san_dns" ' +
+            'client ID scheme.',
+          name: 'DataError'
+        });
+      }
+      /* Note: The current implementation does not support `redirect_uri` as
+      a `response_mode`. If a future revision adds support for this, then
+      when `x509_san_dns` is used, the `redirect_uri` value must match the
+      FQDN of the `client_id` unless an allow list for overrides is passed
+      and it includes the client ID. */
+    } else if(clientIdScheme === 'x509_hash') {
+      // `x509_hash:<base64url sha256-hash of DER leaf cert>`
+      const hash = base64Encode(await _sha256(chain[0].toBER()));
+      if(clientId !== hash) {
+        throw createNamedError({
+          message:
+            `The signed authorization request header "x5c" parameter's leaf ` +
+            `certificate's SHA-256 hash digest not match the client ID as ` +
+            'required by the used "x509_hash" client ID scheme.',
+          name: 'DataError'
+        });
+      }
+    }
+  } else if(
+    clientIdScheme === 'did' || clientIdScheme === 'decentralized_identifier') {
+    // "kid" header must reference a verification method controlled by the
+    // DID expressed in client ID; this is checked by default when a proper
+    // DID resolver is used in `getVerificationKey` but this check provides
+    // a partial additional sanity check
+    let {client_id: clientId} = authorizationRequest;
+    clientId = clientId.startsWith('decentralized_identifier:did:') ?
+      clientId.slice('decentralized_identifier:'.length + 1) : clientId;
+    if(!protectedHeader?.kid?.startsWith(clientId + '#')) {
+      throw createNamedError({
+        message:
+          `The signed authorization request header "kid" parameter's value ` +
+          'does not reference a verification method controlled by the DID ' +
+          'identified in the client ID as required by the used ' +
+          '"did"/"decentralized_identifier" client ID scheme.',
+        name: 'DataError'
+      });
+    }
+  }
 }
 
-async function _fetch({requestUrl, getVerificationKey, agent}) {
+async function _fetch({
+  requestUrl, getTrustedCertificates, getVerificationKey, agent
+}) {
   // FIXME: every `fetchJSON` call needs to use a block list or other
   // protections to prevent a confused deputy attack where the `requestUrl`
   // accesses a location it should not, e.g., a URL `localhost` is used when
@@ -246,7 +326,9 @@ async function _fetch({requestUrl, getVerificationKey, agent}) {
   }
 
   // return parsed payload and original response
-  const payload = await _parseJwt({jwt, getVerificationKey});
+  const payload = await _parseJwt({
+    jwt, getTrustedCertificates, getVerificationKey
+  });
   return {payload, response, jwt};
 }
 
@@ -255,15 +337,27 @@ function _get(sp, name) {
   return value === null ? undefined : value;
 }
 
-async function _parseJwt({jwt, getVerificationKey, signatureRequired}) {
+function _importPublicKeyFromX5c({x5c}) {
+  if(x5c?.[0]) {
+    const pem =
+      `-----BEGIN CERTIFICATE-----\n${x5c[0]}\n-----END CERTIFICATE-----`;
+    return importX509(pem, 'ES256');
+  }
+}
+
+async function _parseJwt({
+  jwt, getTrustedCertificates, getVerificationKey, signatureRequired
+}) {
+  // parse unprotected payload and scheme from it
   const payload = decodeJwt(jwt);
+  const clientIdScheme = getClientIdScheme({authorizationRequest: payload});
 
   // check if a signature on the JWT is required:
   // - `client_metadata.require_signed_request_object` is `true`, OR
   // - `client_id_scheme` requires the JWT to be signed
   signatureRequired = signatureRequired ||
     payload.client_metadata?.require_signed_request_object === true ||
-    usesClientIdScheme({authorizationRequest: payload, scheme: 'x509_san_dns'});
+    REQUIRED_SIGNED_AUTHZ_REQUEST_CLIENT_ID_SCHEMES.has(clientIdScheme);
   if(!signatureRequired) {
     // no signature required, just use the decoded payload
     return payload;
@@ -271,16 +365,34 @@ async function _parseJwt({jwt, getVerificationKey, signatureRequired}) {
 
   // create callback function to handle key lookup; `getVerificationKey` may
   // return a promise
-  const getKey = protectedHeader => {
-    // FIXME: add parser for `x5c`?
+  let certificatePublicKey;
+  const getKey = async protectedHeader => {
+    // parse any `x5c` to get certificate public key and include that in
+    // `getVerificationKey` params
+    const {x5c} = protectedHeader;
+    certificatePublicKey = await _importPublicKeyFromX5c({x5c});
     if(getVerificationKey) {
-      return getVerificationKey({protectedHeader});
+      return getVerificationKey({
+        protectedHeader, certificatePublicKey,
+        clientIdScheme, authorizationRequest: payload
+      });
+    }
+    if(x5c) {
+      return certificatePublicKey;
     }
     _throwKeyNotFound(protectedHeader);
   };
 
   // verify the JWT
   const verifyResult = await jwtVerify(jwt, getKey, {alg: 'ES256'});
+  const {payload: authorizationRequest, protectedHeader} = verifyResult;
+
+  // ensure all client ID scheme requirements are met
+  await _checkClientIdSchemeRequirements({
+    clientIdScheme, authorizationRequest, protectedHeader,
+    certificatePublicKey, getTrustedCertificates
+  });
+
   return verifyResult.payload;
 }
 
@@ -292,8 +404,6 @@ function _parseOID4VPUrl({url}) {
   const response_mode = _get(searchParams, 'response_mode');
   const presentation_definition = _get(
     searchParams, 'presentation_definition');
-  const presentation_definition_uri = _get(
-    searchParams, 'presentation_definition_uri');
   const client_id = _get(searchParams, 'client_id');
   const client_id_scheme = _get(searchParams, 'client_id_scheme');
   const client_metadata = _get(searchParams, 'client_metadata');
@@ -324,7 +434,6 @@ function _parseOID4VPUrl({url}) {
     response_mode,
     presentation_definition: presentation_definition &&
       JSON.parse(presentation_definition),
-    presentation_definition_uri,
     client_id,
     client_id_scheme,
     client_metadata: client_metadata && JSON.parse(client_metadata),
@@ -335,6 +444,14 @@ function _parseOID4VPUrl({url}) {
   return {authorizationRequest};
 }
 
+async function _sha256(data) {
+  if(typeof data === 'string') {
+    data = new TextEncoder().encode(data);
+  }
+  const algorithm = {name: 'SHA-256'};
+  return new Uint8Array(await crypto.subtle.digest(algorithm, data));
+}
+
 function _throwKeyNotFound(protectedHeader) {
   const error = new Error(
     'Could not verify signed authorization request; ' +

package/lib/authorizationResponse.js

@@ -42,6 +42,15 @@ export async function send({
 
     // if `authorizationRequest.response_mode` is `direct.jwt` generate a JWT
     if(authorizationRequest.response_mode === 'direct_post.jwt') {
+      if(submitsFormat({presentationSubmission, format: 'mso_mdoc'}) &&
+        !encryptionOptions?.mdl?.sessionTranscript) {
+        throw createNamedError({
+          message: '"encryptionOptions.mdl.sessionTranscript" is required ' +
+            'when submitting an mDL presentation.',
+          name: 'DataError'
+        });
+      }
+
       const jwt = await _encrypt({
         vpToken, presentationSubmission, authorizationRequest,
         encryptionOptions
@@ -72,7 +81,7 @@ export async function send({
   } catch(cause) {
     const message = cause.data?.error_description ?? cause.message;
     const error = new Error(
-      `Could not send OID4VP authorization response: ${message}.`,
+      `Could not send OID4VP authorization response: ${message}`,
       {cause});
     error.name = 'OperationError';
     throw error;
@@ -135,6 +144,22 @@ export function createPresentationSubmission({
   return {presentationSubmission};
 }
 
+export function submitsFormat({presentationSubmission, format} = {}) {
+  /* e.g. presentation submission submitting an mdoc:
+  {
+    "definition_id": "mDL-sample-req",
+    "id": "mDL-sample-res",
+    "descriptor_map": [{
+      "id": "org.iso.18013.5.1.mDL",
+      "format": "mso_mdoc",
+      "path": "$"
+    }]
+  }
+  */
+  return presentationSubmission?.descriptor_map?.some(
+    e => e?.format === format);
+}
+
 async function _encrypt({
   vpToken, presentationSubmission, authorizationRequest, encryptionOptions
 }) {
@@ -153,13 +178,13 @@ async function _encrypt({
 
   // configure `keyManagementParameters` for `EncryptJWT` API
   const keyManagementParameters = {};
-  if(encryptionOptions?.mdoc?.sessionTranscript) {
+  if(encryptionOptions?.mdl?.sessionTranscript) {
     // ISO 18013-7: include specific session transcript params as apu + apv
     const {
       mdocGeneratedNonce,
       // default to using `authorizationRequest.nonce` for verifier nonce
       verifierGeneratedNonce = authorizationRequest.nonce
-    } = encryptionOptions.mdoc.sessionTranscript;
+    } = encryptionOptions.mdl.sessionTranscript;
     // note: `EncryptJWT` API requires `apu/apv` (`partyInfoU`/`partyInfoV`)
     // to be passed as Uint8Arrays; they will be encoded using `base64url` by
     // that API

package/lib/convert.js

@@ -1,12 +1,11 @@
 /*!
  * Copyright (c) 2023-2025 Digital Bazaar, Inc. All rights reserved.
  */
+import {JSONPath} from 'jsonpath-plus';
+import jsonpointer from 'jsonpointer';
 import {
-  resolveParams as resolveAuthorizationRequestParams,
   validate as validateAuthorizationRequest
 } from './authorizationRequest.js';
-import {JSONPath} from 'jsonpath-plus';
-import jsonpointer from 'jsonpointer';
 
 // converts a VPR to partial "authorization request"
 export function fromVpr({
@@ -100,26 +99,17 @@ export function pathsToVerifiableCredentialPointers({paths} = {}) {
 
 // converts an OID4VP authorization request (including its
 // "presentation definition") to a VPR
-export async function toVpr({
-  authorizationRequest, strict = false, agent
-} = {}) {
+export async function toVpr({authorizationRequest, strict = false} = {}) {
   try {
     // ensure authorization request is valid
     validateAuthorizationRequest({authorizationRequest});
 
-    // FIXME: in a major release, remove support for params requiring
-    // resolution
-
-    // resolve and validate any additional parameters in the request
-    authorizationRequest = await resolveAuthorizationRequestParams({
-      authorizationRequest, agent
-    });
-
     const {
       client_id,
       client_metadata,
       nonce,
-      presentation_definition
+      presentation_definition,
+      response_uri
     } = authorizationRequest;
 
     // disallow unsupported `submission_requirements` in strict mode
@@ -147,9 +137,9 @@ export async function toVpr({
       }
     }
 
-    // map `client_id` to `domain`
-    if(client_id !== undefined) {
-      verifiablePresentationRequest.domain = client_id;
+    // map `response_uri` or `client_id` to `domain`
+    if(response_uri !== undefined || client_id !== undefined) {
+      verifiablePresentationRequest.domain = response_uri ?? client_id;
     }
 
     // map `nonce` to `challenge`

package/lib/util.js

@@ -21,6 +21,22 @@ export function assertOptional(x, name, type) {
   return assert(x, name, type, true);
 }
 
+export function base64Decode(str) {
+  if(Uint8Array.fromBase64) {
+    return Uint8Array.fromBase64(str);
+  }
+  return base64url.decode(
+    str.replace(/=/g, '').replace(/\+/g, '-').replace(/\//g, '_'));
+}
+
+export function base64Encode(data) {
+  if(data.toBase64) {
+    return data.toBase64();
+  }
+  // note: this is base64-no-pad; will only work with specific data lengths
+  base64url.encode(data).replace(/-/g, '+').replace(/_/g, '/');
+}
+
 export function createNamedError({message, name, cause} = {}) {
   const error = new Error(message, {cause});
   error.name = name;

package/lib/x509.js

@@ -0,0 +1,61 @@
+/*!
+ * Copyright (c) 2023-2025 Digital Bazaar, Inc. All rights reserved.
+ */
+import {
+  Certificate,
+  CertificateChainValidationEngine,
+  id_SubjectAltName
+} from 'pkijs';
+import {base64Decode} from './util.js';
+
+export function fromPemOrBase64(str) {
+  const tag = 'CERTIFICATE';
+  const pattern = new RegExp(
+    `-{5}BEGIN ${tag}-{5}([a-zA-Z0-9=+\\/\\n\\r]+)-{5}END ${tag}-{5}`, 'g');
+  const matches = pattern.exec(str);
+  if(!matches) {
+    throw new Error('No PEM or Base64-formatted certificate found.');
+  }
+  const b64 = matches[1].replace(/\r/g, '').replace(/\n/g, '');
+  return _fromBase64(b64);
+}
+
+export function hasDomainSubjectAltName({certificate, name} = {}) {
+  const subjectAltNames = new Set();
+  for(const extension of certificate.extensions) {
+    if(extension.extnID === id_SubjectAltName) {
+      for(const altName of extension.parsedValue.altNames) {
+        // `domain` type
+        if(altName.type === 2) {
+          subjectAltNames.add(altName.value);
+        }
+      }
+    }
+  }
+  return subjectAltNames.has(name);
+}
+
+export function parseCertificateChain({x5c} = {}) {
+  return x5c.map(c => Certificate.fromBER(base64Decode(c)));
+}
+
+export async function verifyCertificateChain({
+  chain, trustedCertificates
+} = {}) {
+  if(!(chain?.length > 0)) {
+    throw new Error('No matching certificate.');
+  }
+
+  const chainEngine = new CertificateChainValidationEngine({
+    certs: chain.map(c => typeof c === 'string' ? fromPemOrBase64(c) : c),
+    trustedCerts: trustedCertificates.map(
+      c => typeof c === 'string' ? fromPemOrBase64(c) : c)
+  });
+
+  const verifyResult = await chainEngine.verify();
+  return verifyResult;
+}
+
+function _fromBase64(str) {
+  return Certificate.fromBER(base64Decode(str));
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@digitalbazaar/oid4-client",
-  "version": "4.4.0",
+  "version": "5.0.0",
   "description": "An OID4 (VC + VP) client",
   "homepage": "https://github.com/digitalbazaar/oid4-client",
   "author": {
@@ -27,7 +27,8 @@
     "base64url-universal": "^2.0.0",
     "jose": "^6.0.13",
     "jsonpath-plus": "^10.3.0",
-    "jsonpointer": "^5.0.1"
+    "jsonpointer": "^5.0.1",
+    "pkijs": "^3.2.5"
   },
   "devDependencies": {
     "c8": "^10.1.3",