@digitalbazaar/oid4-client 5.2.1 → 5.4.0

package/lib/convert/index.js

@@ -73,14 +73,26 @@ export function fromVpr({
     if(verifiablePresentationRequest.challenge) {
       authorizationRequest.nonce = verifiablePresentationRequest.challenge;
     }
-    // only a single `DIDAuthentication` query is supported at this time; use
-    // the last one
+    // any DID authentication queries must be merged to a single set of
+    // supported values for compatibility purposes
     const didAuthnQuery = [...groupMap.values()]
       .filter(g => g.has(DID_AUTHENTICATION))
       .map(g => g.get(DID_AUTHENTICATION))
-      .at(-1);
-    if(didAuthnQuery) {
-      const [query] = didAuthnQuery;
+      .flat();
+    if(didAuthnQuery.length > 0) {
+      // merge the accepted envelopes and cryptosuites across DID authn queries
+      const cryptosuites = new Set();
+      const envelopes = new Set();
+      for(const query of didAuthnQuery) {
+        query.acceptedCryptosuites?.forEach(
+          ({cryptosuite}) => cryptosuites.add(cryptosuite));
+        query.acceptedEnvelopes?.forEach(envelope => envelopes.add(envelope));
+      }
+      // convert last DID authn query w/merged cryptosuites and envelopes
+      const query = structuredClone(didAuthnQuery.at(-1));
+      query.acceptedCryptosuites = [...cryptosuites].map(
+        cryptosuite => ({cryptosuite}));
+      query.acceptedEnvelopes = [...envelopes];
       const client_metadata = _fromDIDAuthenticationQuery({query, strict});
       if(client_metadata) {
         authorizationRequest.client_metadata = client_metadata;
@@ -258,37 +270,60 @@ function _strictCheckVprGroups({groupMap, queryFormats}) {
 }
 
 function _fromDIDAuthenticationQuery({query, strict = false}) {
+  const vp_formats_supported = {};
+  const client_metadata = {
+    require_signed_request_object: false,
+    vp_formats: {},
+    vp_formats_supported
+  };
+
   const cryptosuites = query.acceptedCryptosuites?.map(
     ({cryptosuite}) => cryptosuite);
-  if(!(cryptosuites?.length > 0)) {
+  if(cryptosuites?.length > 0) {
+    // legacy (before OID4VP 1.0)
+    client_metadata.vp_formats.ldp_vp = {
+      proof_type: cryptosuites
+    };
+    // OID4VP 1.0+
+    vp_formats_supported.ldp_vc = {
+      proof_type_values: ['DataIntegrityProof'],
+      cryptosuite_values: cryptosuites
+    };
+    // compatibility with legacy cryptosuite
+    if(cryptosuites.includes('Ed25519Signature2020')) {
+      vp_formats_supported.ldp_vc
+        .proof_type_values.push('Ed25519Signature2020');
+    }
+  }
+
+  if(query.acceptedEnvelopes?.length > 0) {
+    for(const envelope of query.acceptedEnvelopes) {
+      if(envelope === 'application/jwt') {
+        // legacy (before OID4VP 1.0)
+        vp_formats_supported.jwt_vp_json = {};
+        // OID4VP 1.0+
+        vp_formats_supported.jwt_vc_json = {};
+      } else if(envelope === 'application/mdl' ||
+        envelope === 'application/mdoc') {
+        vp_formats_supported.mso_mdoc = {};
+      } else if(envelope === 'application/dc+sd-jwt') {
+        vp_formats_supported['dc+sd-jwt'] = {};
+      }
+      // ignore unknown envelope format
+    }
+  }
+
+  if(Object.keys(vp_formats_supported) === 0) {
     if(strict) {
       const error = new Error(
-        '"query.acceptedCryptosuites" must be a non-array with specified ' +
-        `cryptosuites to convert from a "${DID_AUTHENTICATION}" query.`);
+        '"query.acceptedCryptosuites" or "query.acceptedEnvelopes" must be a ' +
+        'non-array with specified cryptosuites (or envelopes, respectively) ' +
+        `to convert from a "${DID_AUTHENTICATION}" query.`);
       error.name = 'NotSupportedError';
       throw error;
     }
     return;
   }
-  const client_metadata = {
-    require_signed_request_object: false,
-    vp_formats: {
-      ldp_vp: {
-        proof_type: cryptosuites
-      }
-    },
-    vp_formats_supported: {
-      ldp_vc: {
-        proof_type_values: ['DataIntegrityProof']
-      },
-      cryptosuite_values: cryptosuites
-    }
-  };
-  // compatibility with legacy cryptosuite
-  if(cryptosuites.includes('Ed25519Signature2020')) {
-    client_metadata.vp_formats_supported.ldp_vc
-      .proof_type_values.push('Ed25519Signature2020');
-  }
 
   return client_metadata;
 }
@@ -297,9 +332,20 @@ function _toDIDAuthenticationQuery({client_metadata, strict = false}) {
   const {vp_formats_supported, vp_formats} = client_metadata;
   const proofTypes = vp_formats_supported?.ldp_vc?.cryptosuite_values ??
     vp_formats?.ldp_vp?.proof_type;
-  if(!Array.isArray(proofTypes)) {
+  const envelopes = [];
+  if(vp_formats_supported?.jwt_vc_json || vp_formats_supported?.jwt_vp_json) {
+    envelopes.push('application/jwt');
+  }
+  if(vp_formats_supported?.mso_mdoc) {
+    envelopes.push('application/mdoc');
+  }
+  if(vp_formats_supported?.['dc+sd-jwt']) {
+    envelopes.push('application/dc+sd-jwt');
+  }
+  if(!(Array.isArray(proofTypes) || envelopes.length > 0)) {
     if(strict) {
       const error = new Error(
+        '"client_metadata.vp_formats_supported.ldp_vc.cryptosuite_values" or ' +
         '"client_metadata.vp_formats.ldp_vp.proof_type" must be an array to ' +
         `convert to "${DID_AUTHENTICATION}" query.`);
       error.name = 'NotSupportedError';
@@ -307,10 +353,14 @@ function _toDIDAuthenticationQuery({client_metadata, strict = false}) {
     }
     return;
   }
-  return {
-    type: DID_AUTHENTICATION,
-    acceptedCryptosuites: proofTypes.map(cryptosuite => ({cryptosuite}))
-  };
+  const query = {type: DID_AUTHENTICATION};
+  if(proofTypes) {
+    query.acceptedCryptosuites = proofTypes.map(cryptosuite => ({cryptosuite}));
+  }
+  if(envelopes.length > 0) {
+    query.acceptedEnvelopes = envelopes;
+  }
+  return query;
 }
 
 function _vprGroupsToQuery({groupMap}) {

package/lib/oid4vp/authorizationRequest.js

@@ -13,6 +13,9 @@ import {
 const REQUIRED_SIGNED_AUTHZ_REQUEST_CLIENT_ID_SCHEMES = new Set([
   'x509_san_dns', 'x509_hash', 'did', 'decentralized_identifier'
 ]);
+const SUPPORTED_AUTHORIZATION_ENCRYPTED_RESPONSE_ENC = new Set([
+  'A256GCM', 'A128GCM'
+]);
 const SUPPORTED_CLIENT_ID_SCHEMES = new Set([
   'redirect_uri',
   'x509_san_dns', 'x509_hash', 'did', 'decentralized_identifier'
@@ -177,10 +180,12 @@ export async function validate({authorizationRequest, expectedClientId}) {
         name: 'NotSupportedError'
       });
     }
-    if(authorization_encrypted_response_enc !== 'A256GCM') {
+    if(!SUPPORTED_AUTHORIZATION_ENCRYPTED_RESPONSE_ENC.has(
+      authorization_encrypted_response_enc)) {
+      const supported = [...SUPPORTED_AUTHORIZATION_ENCRYPTED_RESPONSE_ENC];
       throw createNamedError({
         message: `"${authorization_encrypted_response_enc}" is not ` +
-          'supported; only "A256GCM" is supported.',
+          `supported; supported values are: ${supported.join(', ')}`,
         name: 'NotSupportedError'
       });
     }

package/lib/oid4vp/authorizationResponse.js

@@ -239,7 +239,8 @@ async function _encrypt({
   };
   const jwt = await new EncryptJWT(claimSet)
     .setProtectedHeader({
-      alg: 'ECDH-ES', enc: 'A256GCM',
+      alg: 'ECDH-ES',
+      enc: encryptionOptions?.enc ?? 'A256GCM',
       kid: recipientPublicJwk.kid
     })
     .setKeyManagementParameters(keyManagementParameters)

package/lib/oid4vp/verifier.js

@@ -96,7 +96,7 @@ async function _decrypt({jwt, getDecryptParameters}) {
 
   return jwtDecrypt(jwt, getKey, {
     // only supported algorithms at this time:
-    contentEncryptionAlgorithms: ['A256GCM'],
+    contentEncryptionAlgorithms: ['A256GCM', 'A128GCM'],
     keyManagementAlgorithms: ['ECDH-ES']
   });
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@digitalbazaar/oid4-client",
-  "version": "5.2.1",
+  "version": "5.4.0",
   "description": "An OID4 (VC + VP) client",
   "homepage": "https://github.com/digitalbazaar/oid4-client",
   "author": {