@digitalbazaar/oid4-client 5.0.0 → 5.2.0

package/lib/query/util.js

@@ -0,0 +1,105 @@
+/*!
+ * Copyright (c) 2022-2025 Digital Bazaar, Inc. All rights reserved.
+ */
+import {assert} from '../util.js';
+import jsonpointer from 'json-pointer';
+
+export function fromJsonPointerMap({map} = {}) {
+  assert(map, 'map', Map);
+  return _fromPointers({map});
+}
+
+export function isNumber(x) {
+  return typeof toNumberIfNumber(x) === 'number';
+}
+
+export function isObject(x) {
+  return x && typeof x === 'object' && !Array.isArray(x);
+}
+
+export function resolvePointer(obj, pointer) {
+  if(pointer === '/') {
+    return obj;
+  }
+  try {
+    return jsonpointer.get(obj, pointer);
+  } catch(e) {
+    return undefined;
+  }
+}
+
+// produces a map of deep pointers to primitives and sets; the values in each
+// set share the same pointer value and if any value in the set is an object,
+// it becomes a new map of deep pointers from that starting place; the pointer
+// value for an empty objects will be an empty map
+export function toJsonPointerMap({obj, flat = false} = {}) {
+  assert(obj, 'obj', 'object');
+  return _toPointers({cursor: obj, map: new Map(), flat});
+}
+
+export function toNumberIfNumber(x) {
+  if(typeof x === 'number') {
+    return x;
+  }
+  const num = parseInt(x, 10);
+  if(!isNaN(num)) {
+    return num;
+  }
+  return x;
+}
+
+export function _fromPointers({map} = {}) {
+  const result = {};
+
+  for(const [pointer, value] of map) {
+    // convert any non-primitive values
+    let val = value;
+    if(value instanceof Map) {
+      val = _fromPointers({map: value});
+    } else if(value instanceof Set) {
+      val = [...value].map(e => e instanceof Map ? _fromPointers({map: e}) : e);
+    }
+
+    // if root pointer is used, `value` is result
+    if(pointer === '/') {
+      return val;
+    }
+
+    jsonpointer.set(result, pointer, val);
+  }
+
+  return result;
+}
+
+function _toPointers({
+  cursor, map, tokens = [], pointer = '/', flat = false
+}) {
+  if(!flat && Array.isArray(cursor)) {
+    const set = new Set();
+    // when `map` is not set, case is array of arrays; return a new map
+    const result = map ? set : (map = new Map());
+    map.set(pointer, set);
+    for(const element of cursor) {
+      // reset map, tokens, and pointer for array elements
+      set.add(_toPointers({cursor: element, flat}));
+    }
+    return result;
+  }
+  if(cursor !== null && typeof cursor === 'object') {
+    map = map ?? new Map();
+    const entries = Object.entries(cursor);
+    if(entries.length === 0) {
+      // ensure empty object / array case is represented
+      map.set(pointer, Array.isArray(cursor) ? new Set() : new Map());
+    }
+    for(const [token, value] of entries) {
+      tokens.push(String(token));
+      pointer = jsonpointer.compile(tokens);
+      _toPointers({cursor: value, map, tokens, pointer, flat});
+      tokens.pop();
+    }
+    return map;
+  }
+  map?.set(pointer, cursor);
+  return cursor;
+}

package/lib/util.js

@@ -6,14 +6,15 @@ import {httpClient} from '@digitalbazaar/http-client';
 
 const TEXT_ENCODER = new TextEncoder();
 const ENCODED_PERIOD = TEXT_ENCODER.encode('.');
-const WELL_KNOWN_REGEX = /\/\.well-known\/([^\/]+)/;
 
 export function assert(x, name, type, optional = false) {
   const article = type === 'object' ? 'an' : 'a';
-  if(x !== undefined && typeof x !== type) {
+  const xType = typeof type === 'string' ?
+    typeof x : (x instanceof type && type);
+  if(x !== undefined && xType !== type) {
     throw new TypeError(
       `${optional ? 'When present, ' : ''} ` +
-      `"${name}" must be ${article} ${type}.`);
+      `"${name}" must be ${article} ${type?.name ?? type}.`);
   }
 }
 
@@ -34,108 +35,16 @@ export function base64Encode(data) {
     return data.toBase64();
   }
   // note: this is base64-no-pad; will only work with specific data lengths
-  base64url.encode(data).replace(/-/g, '+').replace(/_/g, '/');
+  return base64url.encode(data).replace(/-/g, '+').replace(/_/g, '/');
 }
 
-export function createNamedError({message, name, cause} = {}) {
+export function createNamedError({message, name, details, cause} = {}) {
   const error = new Error(message, {cause});
   error.name = name;
-  return error;
-}
-
-export async function discoverIssuer({issuerConfigUrl, agent} = {}) {
-  try {
-    assert(issuerConfigUrl, 'issuerConfigUrl', 'string');
-
-    const response = await fetchJSON({url: issuerConfigUrl, agent});
-    if(!response.data) {
-      const error = new Error('Issuer configuration format is not JSON.');
-      error.name = 'DataError';
-      throw error;
-    }
-    const {data: issuerMetaData} = response;
-    const {issuer, authorization_server} = issuerMetaData;
-
-    if(authorization_server && authorization_server !== issuer) {
-      // not yet implemented
-      throw new Error('Separate authorization server not yet implemented.');
-    }
-
-    // validate `issuer`
-    if(!(typeof issuer === 'string' && issuer.startsWith('https://'))) {
-      const error = new Error('"issuer" is not an HTTPS URL.');
-      error.name = 'DataError';
-      throw error;
-    }
-
-    // ensure `credential_issuer` matches `issuer`, if present
-    const {credential_issuer} = issuerMetaData;
-    if(credential_issuer !== undefined && credential_issuer !== issuer) {
-      const error = new Error('"credential_issuer" must match "issuer".');
-      error.name = 'DataError';
-      throw error;
-    }
-
-    /* Validate `issuer` value against `issuerConfigUrl` (per RFC 8414):
-
-    The `origin` and `path` element must be parsed from `issuer` and checked
-    against `issuerConfigUrl` like so:
-
-    For issuer `<origin>` (no path), `issuerConfigUrl` must match:
-    `<origin>/.well-known/<any-path-segment>`
-
-    For issuer `<origin><path>`, `issuerConfigUrl` must be:
-    `<origin>/.well-known/<any-path-segment><path>` */
-    const {pathname: wellKnownPath} = new URL(issuerConfigUrl);
-    const anyPathSegment = wellKnownPath.match(WELL_KNOWN_REGEX)[1];
-    const {origin, pathname} = new URL(issuer);
-    let expectedConfigUrl = `${origin}/.well-known/${anyPathSegment}`;
-    if(pathname !== '/') {
-      expectedConfigUrl += pathname;
-    }
-    if(issuerConfigUrl !== expectedConfigUrl) {
-      // alternatively, against RFC 8414, but according to OID4VCI, make sure
-      // the issuer config URL matches:
-      // <origin><path>/.well-known/<any-path-segment>
-      expectedConfigUrl = origin;
-      if(pathname !== '/') {
-        expectedConfigUrl += pathname;
-      }
-      expectedConfigUrl += `/.well-known/${anyPathSegment}`;
-      if(issuerConfigUrl !== expectedConfigUrl) {
-        const error = new Error('"issuer" does not match configuration URL.');
-        error.name = 'DataError';
-        throw error;
-      }
-    }
-
-    // fetch AS meta data
-    const asMetaDataUrl =
-      `${origin}/.well-known/oauth-authorization-server${pathname}`;
-    const asMetaDataResponse = await fetchJSON({url: asMetaDataUrl, agent});
-    if(!asMetaDataResponse.data) {
-      const error = new Error('Authorization server meta data is not JSON.');
-      error.name = 'DataError';
-      throw error;
-    }
-
-    const {data: asMetaData} = response;
-    // merge AS meta data into total issuer config
-    const issuerConfig = {...issuerMetaData, ...asMetaData};
-
-    // ensure `token_endpoint` is valid
-    const {token_endpoint} = asMetaData;
-    assert(token_endpoint, 'token_endpoint', 'string');
-
-    // return merged config and separate issuer and AS configs
-    const metadata = {issuer: issuerMetaData, authorizationServer: asMetaData};
-    return {issuerConfig, metadata};
-  } catch(cause) {
-    const error = new Error('Could not get OpenID issuer configuration.');
-    error.name = 'OperationError';
-    error.cause = cause;
-    throw error;
+  if(details) {
+    error.details = details;
   }
+  return error;
 }
 
 export function fetchJSON({url, agent} = {}) {
@@ -151,126 +60,17 @@ export function fetchJSON({url, agent} = {}) {
   return httpClient.get(url, fetchOptions);
 }
 
-export async function generateDIDProofJWT({
-  signer, nonce, iss, aud, exp, nbf
-} = {}) {
-  /* Example:
-  {
-    "alg": "ES256",
-    "kid":"did:example:ebfeb1f712ebc6f1c276e12ec21/keys/1"
-  }.
-  {
-    "iss": "s6BhdRkqt3",
-    "aud": "https://server.example.com",
-    "iat": 1659145924,
-    "nonce": "tZignsnFbp"
-  }
-  */
-
-  if(exp === undefined) {
-    // default to 5 minute expiration time
-    exp = Math.floor(Date.now() / 1000) + 60 * 5;
-  }
-  if(nbf === undefined) {
-    // default to now
-    nbf = Math.floor(Date.now() / 1000);
-  }
-
-  const {id: kid} = signer;
-  const alg = _curveToAlg(signer.algorithm);
-  const payload = {nonce, iss, aud, exp, nbf};
-  const protectedHeader = {alg, kid};
-
-  return signJWT({payload, protectedHeader, signer});
-}
-
-export async function getCredentialOffer({url, agent} = {}) {
-  const {protocol, searchParams} = new URL(url);
-  if(protocol !== 'openid-credential-offer:') {
-    throw new SyntaxError(
-      '"url" must express a URL with the ' +
-      '"openid-credential-offer" protocol.');
-  }
-  const offer = searchParams.get('credential_offer');
-  if(offer) {
-    return JSON.parse(offer);
-  }
-
-  // try to fetch offer from URL
-  const offerUrl = searchParams.get('credential_offer_uri');
-  if(!offerUrl) {
-    throw new SyntaxError(
-      'OID4VCI credential offer must have "credential_offer" or ' +
-      '"credential_offer_uri".');
-  }
-
-  if(!offerUrl.startsWith('https://')) {
-    const error = new Error(
-      `"credential_offer_uri" (${offerUrl}) must start with "https://".`);
-    error.name = 'NotSupportedError';
-    throw error;
-  }
-
-  const response = await fetchJSON({url: offerUrl, agent});
-  if(!response.data) {
-    const error = new Error(
-      `Credential offer fetched from "${offerUrl}" is not JSON.`);
-    error.name = 'DataError';
-    throw error;
-  }
-  return response.data;
-}
-
-export function parseCredentialOfferUrl({url} = {}) {
-  assert(url, 'url', 'string');
-
-  /* Parse URL, e.g.:
-
-  'openid-credential-offer://?' +
-    'credential_offer=%7B%22credential_issuer%22%3A%22https%3A%2F%2F' +
-    'localhost%3A18443%2Fexchangers%2Fz19t8xb568tNRD1zVm9R5diXR%2F' +
-    'exchanges%2Fz1ADs3ur2s9tm6JUW6CnTiyn3%22%2C%22credentials' +
-    '%22%3A%5B%7B%22format%22%3A%22ldp_vc%22%2C%22credential_definition' +
-    '%22%3A%7B%22%40context%22%3A%5B%22https%3A%2F%2Fwww.w3.org%2F2018%2F' +
-    'credentials%2Fv1%22%2C%22https%3A%2F%2Fwww.w3.org%2F2018%2F' +
-    'credentials%2Fexamples%2Fv1%22%5D%2C%22type%22%3A%5B%22' +
-    'VerifiableCredential%22%2C%22UniversityDegreeCredential' +
-    '%22%5D%7D%7D%5D%2C%22grants%22%3A%7B%22urn%3Aietf%3Aparams' +
-    '%3Aoauth%3Agrant-type%3Apre-authorized_code%22%3A%7B%22' +
-    'pre-authorized_code%22%3A%22z1AEvnk2cqeRM1Mfv75vzHSUo%22%7D%7D%7D';
-  */
-  const {protocol, searchParams} = new URL(url);
-  if(protocol !== 'openid-credential-offer:') {
-    throw new SyntaxError(
-      '"url" must express a URL with the ' +
-      '"openid-credential-offer" protocol.');
-  }
-  return JSON.parse(searchParams.get('credential_offer'));
-}
-
-export async function robustDiscoverIssuer({issuer, agent} = {}) {
-  // try issuer config URLs based on OID4VCI (first) and RFC 8414 (second)
-  const parsedIssuer = new URL(issuer);
-  const {origin} = parsedIssuer;
-  const path = parsedIssuer.pathname === '/' ? '' : parsedIssuer.pathname;
-
-  const issuerConfigUrls = [
-    // OID4VCI
-    `${origin}${path}/.well-known/openid-credential-issuer`,
-    // RFC 8414
-    `${origin}/.well-known/openid-credential-issuer${path}`
-  ];
-
-  let error;
-  for(const issuerConfigUrl of issuerConfigUrls) {
-    try {
-      const config = await discoverIssuer({issuerConfigUrl, agent});
-      return config;
-    } catch(e) {
-      error = e;
-    }
+export function parseJSON(x, name) {
+  try {
+    return JSON.parse(x);
+  } catch(cause) {
+    throw createNamedError({
+      message: `Could not parse "${name}".`,
+      name: 'DataError',
+      details: {httpStatusCode: 400, public: true},
+      cause
+    });
   }
-  throw error;
 }
 
 export function selectJwk({keys, kid, alg, kty, crv, use} = {}) {
@@ -316,6 +116,14 @@ export function selectJwk({keys, kid, alg, kty, crv, use} = {}) {
   });
 }
 
+export async function sha256(data) {
+  if(typeof data === 'string') {
+    data = new TextEncoder().encode(data);
+  }
+  const algorithm = {name: 'SHA-256'};
+  return new Uint8Array(await crypto.subtle.digest(algorithm, data));
+}
+
 export async function signJWT({payload, protectedHeader, signer} = {}) {
   // encode payload and protected header
   const b64Payload = base64url.encode(JSON.stringify(payload));
@@ -343,16 +151,3 @@ export async function signJWT({payload, protectedHeader, signer} = {}) {
   // create compact JWT
   return `${jws.protected}.${jws.payload}.${jws.signature}`;
 }
-
-function _curveToAlg(crv) {
-  if(crv === 'Ed25519' || crv === 'Ed448') {
-    return 'EdDSA';
-  }
-  if(crv?.startsWith('P-')) {
-    return `ES${crv.slice(2)}`;
-  }
-  if(crv === 'secp256k1') {
-    return 'ES256K';
-  }
-  return crv;
-}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@digitalbazaar/oid4-client",
-  "version": "5.0.0",
+  "version": "5.2.0",
   "description": "An OID4 (VC + VP) client",
   "homepage": "https://github.com/digitalbazaar/oid4-client",
   "author": {
@@ -25,12 +25,14 @@
   "dependencies": {
     "@digitalbazaar/http-client": "^4.0.0",
     "base64url-universal": "^2.0.0",
-    "jose": "^6.0.13",
+    "jose": "^6.1.0",
+    "json-pointer": "^0.6.2",
     "jsonpath-plus": "^10.3.0",
-    "jsonpointer": "^5.0.1",
     "pkijs": "^3.2.5"
   },
   "devDependencies": {
+    "@auth0/mdl": "^3.0.0",
+    "asn1js": "^3.0.6",
     "c8": "^10.1.3",
     "chai": "^4.3.6",
     "cross-env": "^10.0.0",