@interop/vc 11.0.0

package/LICENSE

@@ -0,0 +1,29 @@
+BSD 3-Clause License
+
+Copyright (c) 2017-2021, Digital Bazaar, Inc.
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+* Redistributions of source code must retain the above copyright notice, this
+  list of conditions and the following disclaimer.
+
+* Redistributions in binary form must reproduce the above copyright notice,
+  this list of conditions and the following disclaimer in the documentation
+  and/or other materials provided with the distribution.
+
+* Neither the name of the copyright holder nor the names of its
+  contributors may be used to endorse or promote products derived from
+  this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

package/README.md

@@ -0,0 +1,542 @@
+# Verifiable Credentials JS Library _(@interop/vc)_
+
+[![Node.js CI](https://github.com/interop-alliance/vc/workflows/CI/badge.svg)](https://github.com/interop-alliance/vc/actions?query=workflow%3A%22CI%22)
+[![NPM Version](https://img.shields.io/npm/v/@interop/vc.svg)](https://npm.im/@interop/vc)
+
+> A TypeScript/JS library for issuing and verifying Verifiable Credentials for Node.js, browsers, and React Native.
+
+## Table of Contents
+
+- [Security](#security)
+- [Background](#background)
+- [Install](#install)
+- [Usage](#usage)
+- [Testing](#testing)
+- [Contribute](#contribute)
+- [Commercial Support](#commercial-support)
+- [License](#license)
+
+## Security
+
+As with most security- and cryptography-related tools, the overall security of
+your system will largely depend on your design decisions (which key types
+you will use, where you'll store the private keys, what you put into your
+credentials, and so on.)
+
+## Background
+
+(Forked from
+[`@digitalcredentials/vc@10.0.0`](https://github.com/digitalcredentials/vc), which was
+in turn forked from
+[`@digitalbazaar/vc@1.0.0`](https://github.com/digitalbazaar/vc-js) to provide
+React Native compatibility.)
+
+This library is a TypeScript (Node.js and browser) implementation of the
+[Verifiable Credentials Data Model](https://w3c.github.io/vc-data-model/)
+specification, supporting both VC Data Model 1.0 and 2.0 (the JWT serialization
+is not currently supported).
+
+It allows you to perform the following basic operations:
+
+1. Signing (issuing) a Verifiable Credential (VC).
+2. Creating a Verifiable Presentation (VP), signed or unsigned
+3. Verifying a VP
+4. Verifying a standalone VC
+
+**Pre-requisites:** Usage of this library assumes you have the ability to do
+the following:
+
+* [Generate LD key pairs and signature suites](BACKGROUND.md#generating-keys-and-suites)
+* Publish the corresponding public keys somewhere that is accessible to the
+  verifier.
+* Make sure your custom `@context`s, verification methods (such as public keys)
+  and their corresponding controller documents, and any other resolvable
+  objects, are reachable via a `documentLoader`.
+
+## Install
+
+- Browsers and Node.js 24+ are supported.
+
+To install from NPM:
+
+```
+npm install @interop/vc
+```
+
+To install locally (for development), using [pnpm](https://pnpm.io/):
+
+```
+git clone https://github.com/interop-alliance/vc.git
+cd vc
+pnpm install
+```
+
+## Usage
+
+### Setting up a signature suite
+
+For signing, when setting up a signature suite, you will need to pass in
+a key pair containing a private key.
+
+```js
+import * as vc from '@interop/vc';
+
+// Required to set up a suite instance with private key
+import {Ed25519VerificationKey} from '@interop/ed25519-verification-key';
+import {Ed25519Signature2020} from '@interop/ed25519-signature';
+
+const keyPair = await Ed25519VerificationKey.generate();
+
+const suite = new Ed25519Signature2020({signer: keyPair.signer()});
+```
+
+### Issuing a Verifiable Credential
+
+Pre-requisites:
+
+* You have a private key (with id and controller) and corresponding suite
+* If you're using a custom `@context`, make sure it's resolvable
+* (Recommended) You have a strategy for where to publish your Controller
+  Document and Public Key
+
+```js
+import * as vc from '@interop/vc';
+
+// Sample unsigned credential
+const credential = {
+  "@context": [
+    "https://www.w3.org/2018/credentials/v1",
+    "https://www.w3.org/2018/credentials/examples/v1"
+  ],
+  "id": "https://example.com/credentials/1872",
+  "type": ["VerifiableCredential", "AlumniCredential"],
+  "issuer": "https://example.edu/issuers/565049",
+  "issuanceDate": "2010-01-01T19:23:24Z",
+  "credentialSubject": {
+    "id": "did:example:ebfeb1f712ebc6f1c276e12ec21",
+    "alumniOf": "Example University"
+  }
+};
+
+const signedVC = await vc.issue({credential, suite, documentLoader});
+console.log(JSON.stringify(signedVC, null, 2));
+```
+
+### Issuing a Selective Disclosure Verifiable Credential
+
+Pre-requisites:
+
+* You have a private key (with id and controller) and corresponding suite
+* You have are using a cryptosuite that supports selective disclosure, such
+  as `ecdsa-sd-2023`
+* If you're using a custom `@context`, make sure it's resolvable
+* (Recommended) You have a strategy for where to publish your Controller
+  Document and Public Key
+
+```js
+import * as vc from '@interop/vc';
+import * as ecdsaSd2023Cryptosuite from
+  '@digitalbazaar/ecdsa-sd-2023-cryptosuite';
+import {DataIntegrityProof} from '@interop/data-integrity-proof';
+
+const ecdsaKeyPair = await EcdsaMultikey.generate({
+  curve: 'P-256',
+  id: 'https://example.edu/issuers/keys/2',
+  controller: 'https://example.edu/issuers/565049'
+});
+
+// sample unsigned credential
+const credential = {
+  "@context": [
+    "https://www.w3.org/2018/credentials/v1",
+    "https://www.w3.org/2018/credentials/examples/v1"
+  ],
+  "id": "https://example.com/credentials/1872",
+  "type": ["VerifiableCredential", "AlumniCredential"],
+  "issuer": "https://example.edu/issuers/565049",
+  "issuanceDate": "2010-01-01T19:23:24Z",
+  "credentialSubject": {
+    "id": "did:example:ebfeb1f712ebc6f1c276e12ec21",
+    "alumniOf": "Example University"
+  }
+};
+
+// setup ecdsa-sd-2023 suite for signing selective disclosure VCs
+const suite = new DataIntegrityProof({
+  signer: ecdsaKeyPair.signer(),
+  cryptosuite: createSignCryptosuite({
+    // require the `issuer` and `issuanceDate` fields to always be disclosed
+    // by the holder (presenter)
+    mandatoryPointers: [
+      '/issuanceDate',
+      '/issuer'
+    ]
+  })
+});
+// use a proof ID to enable it to be found and transformed into a disclosure
+// proof by the holder later
+const proofId = `urn:uuid:${uuid()}`;
+suite.proof = {id: proofId};
+
+const signedVC = await vc.issue({credential, suite, documentLoader});
+console.log(JSON.stringify(signedVC, null, 2));
+```
+
+### Deriving a Selective Disclosure Verifiable Credential
+
+Note: This step is performed as a holder of a verifiable credential, not as
+an issuer.
+
+Pre-requisites:
+
+* You have a verifiable credential that was issued using a cryptosuite that
+  supports selective disclosure, such as `ecdsa-sd-2023`
+* If you're using a custom `@context`, make sure it's resolvable
+
+```js
+import * as vc from '@interop/vc';
+import * as ecdsaSd2023Cryptosuite from
+  '@digitalbazaar/ecdsa-sd-2023-cryptosuite';
+import {DataIntegrityProof} from '@interop/data-integrity-proof';
+
+const {
+  createDiscloseCryptosuite,
+  createSignCryptosuite,
+  createVerifyCryptosuite
+} = ecdsaSd2023Cryptosuite;
+
+// sample signed credential
+const credential = {
+  "@context": [
+    "https://www.w3.org/2018/credentials/v1",
+    "https://www.w3.org/2018/credentials/examples/v1",
+    "https://w3id.org/security/data-integrity/v2"
+  ],
+  "id": "http://example.edu/credentials/1872",
+  "type": [
+    "VerifiableCredential",
+    "AlumniCredential"
+  ],
+  "issuer": "https://example.edu/issuers/565049",
+  "issuanceDate": "2010-01-01T19:23:24Z",
+  "credentialSubject": {
+    "id": "did:example:ebfeb1f712ebc6f1c276e12ec21",
+    "alumniOf": "<span lang=\"en\">Example University</span>"
+  },
+  "proof": {
+    "id": "urn:uuid:2ef8c7ce-a4da-44b4-ba7f-3d43eaf1e50c",
+    "type": "DataIntegrityProof",
+    "created": "2023-11-13T22:58:06Z",
+    "verificationMethod": "https://example.edu/issuers/keys/2",
+    "cryptosuite": "ecdsa-sd-2023",
+    "proofPurpose": "assertionMethod",
+    "proofValue": "u2V0AhVhAtYPKUQxwULXzMdsAfqtipsiX6YEPURYSBFYxoFY-v0vCPyAs1Ckyy61Wtk3xZWyBGNaEr3w0wQiJHHd5B9uR-1gjgCQCVtFPMk-ECi0CJFYv_GTjCChf8St0FQjuExTAnwP0-ipYIOHSun3YqabOfNe2DYFkHBTZa0Csf1a7YUDW8hhsOHqTglhA8aqnyanT-Ybo2-aHBTcI-UmHX0iluGb2IxoHLLhQoOPm2rDW0eB04Fa2Dh6WMKoOl_Bz3wZZDGQ31XoGrQvgIlhAo8qspvC-QQ-xI3KADiA12sO5LRsZ7hl9ozoJEECVsDOKlxWd-dhices5b2ZQIiiRE9XxxJx8YuwCMoD2bRLbOIJtL2lzc3VhbmNlRGF0ZWcvaXNzdWVy"
+  }
+};
+
+// note no `signer` needed; the selective disclosure credential will be
+// derived from the base proof already provided by the issuer
+const suite = new DataIntegrityProof({
+  cryptosuite: createDiscloseCryptosuite({
+    // the ID of the base proof to convert to a disclosure proof
+    proofId: 'urn:uuid:da088899-3439-41ea-a580-af3f1cf98cd3',
+    // selectively disclose the entire credential subject; different JSON
+    // pointers could be provided to selectively disclose different information;
+    // the issuer will have mandatory fields that will be automatically
+    // disclosed such as the `issuer` and `issuanceDate` fields
+    selectivePointers: [
+      '/credentialSubject'
+    ]
+  })
+});
+
+const derivedVC = await vc.derive({
+  verifiableCredential, suite, documentLoader
+});
+console.log(JSON.stringify(derivedVC, null, 2));
+```
+
+### Creating a Verifiable Presentation
+
+Pre-requisites:
+
+* You have the requisite private keys (with id and controller) and
+  corresponding suites
+* If you're using a custom `@context`, make sure it's resolvable
+* (Recommended) You have a strategy for where to publish your Controller
+  Documents and Public Keys
+
+#### Creating an unsigned presentation
+
+To create a presentation out of one or more verifiable credentials, you can
+use the `createPresentation()` convenience function. Alternatively, you can
+create the presentation object manually (don't forget to set the `@context` and
+`type` properties).
+
+To create a verifiable presentation with a custom `@context` field use a
+[custom documentLoader](#custom-documentLoader)
+
+```js
+const verifiableCredential = [vc1, vc2]; // either array or single object
+
+// optional `id` and `holder`
+const id = 'ebc6f1c2';
+const holder = 'did:ex:12345';
+
+const presentation = vc.createPresentation({
+  verifiableCredential, id, holder
+});
+
+console.log(JSON.stringify(presentation, null, 2));
+// ->
+{
+  "@context": [
+    "https://www.w3.org/2018/credentials/v1"
+  ],
+  "type": [
+    "VerifiablePresentation"
+  ],
+  "id": "ebc6f1c2",
+  "holder": "did:ex:12345",
+  "verifiableCredential": [
+    // vc1:
+    {
+      "@context": [
+        "https://www.w3.org/2018/credentials/v1",
+        "https://www.w3.org/2018/credentials/examples/v1"
+      ],
+      "id": "http://example.edu/credentials/1872",
+      "type": [
+        "VerifiableCredential",
+        "AlumniCredential"
+      ],
+      "issuer": "https://example.edu/issuers/565049",
+      "issuanceDate": "2010-01-01T19:23:24Z",
+      "credentialSubject": {
+        "id": "did:example:ebfeb1f712ebc6f1c276e12ec21",
+        "alumniOf": "<span lang=\"en\">Example University</span>"
+      },
+      "proof": {
+        "type": "Ed25519Signature2018",
+        "created": "2020-02-03T17:23:49Z",
+        "jws": "eyJhbGciOiJFZERTQSIsImI2NCI6ZmFsc2UsImNyaXQiOlsiYjY0Il19..AUQ3AJ23WM5vMOWNtYKuqZBekRAOUibOMH9XuvOd39my1sO-X9R4QyAXLD2ospssLvIuwmQVhJa-F0xMOnkvBg",
+        "proofPurpose": "assertionMethod",
+        "verificationMethod": "https://example.edu/issuers/keys/1"
+      }
+    },
+    // vc2 goes here ...
+  ]
+}
+```
+
+Note that this creates an _unsigned_ presentation (which may be valid
+for some use cases).
+
+### Custom documentLoader
+
+Pre-requisites:
+
+* You have an existing valid JSON-LD `@context`.
+* Your custom context is resolvable at an address.
+
+```js
+// jsonld-signatures has a secure context loader
+// by requiring this first you ensure security
+// contexts are loaded from jsonld-signatures
+// and not an insecure source.
+import * as vc from '@interop/vc';
+import { securityLoader } from '@interop/security-document-loader';
+
+const documentLoader = securityLoader().build();
+
+const vp = await vc.signPresentation({
+  presentation, suite, challenge, documentLoader
+});
+
+// or
+const signedVC = await vc.issue({credential, suite, documentLoader});
+
+// or
+const result = await vc.verifyCredential({credential: signedVC, suite, documentLoader});
+
+```
+
+#### Signing the Presentation
+
+Once you've created the presentation (either via `createPresentation()` or
+manually), you can sign it using `signPresentation()`:
+
+```js
+const vp = await vc.signPresentation({
+  presentation, suite, challenge, documentLoader
+});
+
+console.log(JSON.stringify(vp, null, 2));
+// ->
+{
+  "@context": [
+    "https://www.w3.org/2018/credentials/v1"
+  ],
+  "type": [
+    "VerifiablePresentation"
+  ],
+  "verifiableCredential": [
+    {
+      "@context": [
+        "https://www.w3.org/2018/credentials/v1",
+        "https://www.w3.org/2018/credentials/examples/v1"
+      ],
+      "id": "http://example.edu/credentials/1872",
+      "type": [
+        "VerifiableCredential",
+        "AlumniCredential"
+      ],
+      "issuer": "https://example.edu/issuers/565049",
+      "issuanceDate": "2010-01-01T19:23:24Z",
+      "credentialSubject": {
+        "id": "did:example:ebfeb1f712ebc6f1c276e12ec21",
+        "alumniOf": "<span lang=\"en\">Example University</span>"
+      },
+      "proof": {
+        "type": "Ed25519Signature2018",
+        "created": "2020-02-03T17:23:49Z",
+        "jws": "eyJhbGciOiJFZERTQSIsImI2NCI6ZmFsc2UsImNyaXQiOlsiYjY0Il19..AUQ3AJ23WM5vMOWNtYKuqZBekRAOUibOMH9XuvOd39my1sO-X9R4QyAXLD2ospssLvIuwmQVhJa-F0xMOnkvBg",
+        "proofPurpose": "assertionMethod",
+        "verificationMethod": "https://example.edu/issuers/keys/1"
+      }
+    }
+  ],
+  "id": "ebc6f1c2",
+  "holder": "did:ex:holder123",
+  "proof": {
+    "type": "Ed25519Signature2018",
+    "created": "2019-02-03T17:23:49Z",
+    "challenge": "12ec21",
+    "jws": "eyJhbGciOiJFZERTQSIsImI2NCI6ZmFsc2UsImNyaXQiOlsiYjY0Il19..ZO4Lkq8-fOruE4oUvuMaxepGX-vLD2gPyNIsz-iA7X0tzC3_96djaBYDxxl6wD1xKrx0h60NjI9i9p_MxoXkDQ",
+    "proofPurpose": "authentication",
+    "verificationMethod": "https://example.edu/issuers/keys/1"
+  }
+}
+```
+
+### Verifying a Verifiable Presentation
+
+Pre-requisites:
+
+* Your custom `@context`s, verification methods (like public keys) and their
+  corresponding controller documents are reachable via a `documentLoader`.
+
+To verify a verifiable presentation:
+
+```js
+// challenge has been received from the requesting party - see 'challenge'
+// section below
+import * as vc from '@interop/vc';
+import { securityLoader } from '@interop/security-document-loader';
+
+const documentLoader = securityLoader().build();
+
+const result = await vc.verify({presentation, challenge, suite, documentLoader});
+// {valid: true}
+```
+
+By default, `verify()` will throw an error if the `proof` section is missing.
+To verify an unsigned presentation, you must set the `unsignedPresentation`
+flag:
+
+```js
+const result = await vc.verify({
+  presentation, suite, documentLoader, unsignedPresentation: true
+});
+// {valid: true}
+```
+
+#### `challenge` parameter
+
+Verifiable Presentations are typically used for authentication purposes.
+A `challenge` param (similar to a `nonce` in OAuth2/OpenID Connect) is provided
+by the party that's receiving the VP, and serves to prevent presentation replay
+attacks. The workflow is:
+
+1. Receiving party asks for the VerifiablePresentation, and provides a
+  `challenge` parameter.
+2. The client code creating the VP passes in that challenge (from the requesting
+  party), and it gets included in the VP.
+3. The client code passes the VP to the receiving party, which then checks to
+  make sure the `challenge` is the same as the one it provided in the request
+  in 1).
+
+### Verifying a Verifiable Credential
+For most situations, Verifiable Credentials will be wrapped in a Verifiable
+Presentation and the entire VP should be verified. However, this library
+provides a utility function to verify a Verifiable Credential on its own.
+
+Pre-requisites:
+
+* Your custom `@context`s, verification methods (like public keys) and their
+  corresponding controller documents are reachable via a `documentLoader`.
+
+To verify a verifiable credential:
+
+```js
+const suite = new Ed25519Signature2020();
+const result = await vc.verifyCredential({credential: signedVC, suite, documentLoader});
+// {valid: true}
+```
+
+To verify a selective disclosure verifiable credential ensure the suite
+supports it, for example:
+
+```js
+import * as ecdsaSd2023Cryptosuite from
+  '@digitalbazaar/ecdsa-sd-2023-cryptosuite';
+import {DataIntegrityProof} from '@interop/data-integrity-proof';
+
+const {
+  createDiscloseCryptosuite,
+  createSignCryptosuite,
+  createVerifyCryptosuite
+} = ecdsaSd2023Cryptosuite;
+
+const suite = new DataIntegrityProof({
+  cryptosuite: createVerifyCryptosuite()
+});
+const result = await vc.verifyCredential({credential, suite, documentLoader});
+// {valid: true}
+```
+
+To verify a verifiable credential with a custom `@context` field use a
+[custom documentLoader](#custom-documentLoader)
+
+
+## Testing
+
+To run the [Vitest](https://vitest.dev/) Node tests:
+
+```
+pnpm run test-node
+```
+
+To run the [Playwright](https://playwright.dev/) (in-browser) tests:
+
+```
+pnpm run test-browser
+```
+
+To run the full suite (lint, Node, and browser tests):
+
+```
+pnpm test
+```
+
+## Contribute
+
+PRs accepted.
+
+Note: If editing the Readme, please conform to the
+[standard-readme](https://github.com/RichardLitt/standard-readme) specification.
+
+## License
+
+* MIT License - DCC - TypeScript compatibility.
+* New BSD License (3-clause) © 2020-2021 Digital Bazaar - Initial implementation.

package/dist/CredentialIssuancePurpose.d.ts

@@ -0,0 +1,50 @@
+/*!
+ * Copyright (c) 2019-2023 Digital Bazaar, Inc. All rights reserved.
+ */
+import jsigs from '@interop/jsonld-signatures';
+import type { DocumentLoader, LinkedDataProof, ProofValidateResult } from '@interop/jsonld-signatures';
+declare const AssertionProofPurpose: typeof jsigs.AssertionProofPurpose;
+/**
+ * Creates a proof purpose that will validate whether the verification
+ * method in a proof was authorized by its declared controller for the
+ * proof's purpose.
+ */
+export declare class CredentialIssuancePurpose extends AssertionProofPurpose {
+    /**
+     * @param options - The options to use.
+     * @param options.controller - The description of the controller, if it is
+     *   not to be dereferenced via a `documentLoader`.
+     * @param options.date - The expected date for the creation of the proof.
+     * @param options.maxTimestampDelta - A maximum number of seconds that the
+     *   date on the signature can deviate from.
+     */
+    constructor({ controller, date, maxTimestampDelta }?: {
+        controller?: object;
+        date?: string | Date | number;
+        maxTimestampDelta?: number;
+    });
+    /**
+     * Validates the purpose of a proof. This method is called during
+     * proof verification, after the proof value has been checked against the
+     * given verification method (in the case of a digital signature, the
+     * signature has been cryptographically verified against the public key).
+     *
+     * @param proof - The proof to validate.
+     * @param options - The options to use.
+     * @param options.document - The document whose signature is being verified.
+     * @param options.suite - Signature suite used in the proof.
+     * @param options.verificationMethod - Key id URL to the paired public key.
+     * @param options.documentLoader - A document loader.
+     *
+     * @throws {Error} If verification method not authorized by controller.
+     * @throws {Error} If proof's created timestamp is out of range.
+     */
+    validate(proof: object, { document, suite, verificationMethod, documentLoader }: {
+        document?: object;
+        suite?: LinkedDataProof;
+        verificationMethod?: object;
+        documentLoader?: DocumentLoader;
+    }): Promise<ProofValidateResult>;
+}
+export {};
+//# sourceMappingURL=CredentialIssuancePurpose.d.ts.map

package/dist/CredentialIssuancePurpose.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"CredentialIssuancePurpose.d.ts","sourceRoot":"","sources":["../src/CredentialIssuancePurpose.ts"],"names":[],"mappings":"AAAA;;GAEG;AACH,OAAO,KAAK,MAAM,4BAA4B,CAAA;AAC9C,OAAO,KAAK,EACV,cAAc,EACd,eAAe,EACf,mBAAmB,EACpB,MAAM,4BAA4B,CAAA;AAGnC,QAAA,MACc,qBAAqB,oCAC1B,CAAA;AAET;;;;GAIG;AACH,qBAAa,yBAA0B,SAAQ,qBAAqB;IAClE;;;;;;;OAOG;gBACS,EACV,UAAU,EACV,IAAI,EACJ,iBAAiB,EAClB,GAAE;QACD,UAAU,CAAC,EAAE,MAAM,CAAA;QACnB,IAAI,CAAC,EAAE,MAAM,GAAG,IAAI,GAAG,MAAM,CAAA;QAC7B,iBAAiB,CAAC,EAAE,MAAM,CAAA;KACtB;IAIN;;;;;;;;;;;;;;;OAeG;IACG,QAAQ,CACZ,KAAK,EAAE,MAAM,EACb,EACE,QAAQ,EACR,KAAK,EACL,kBAAkB,EAClB,cAAc,EACf,EAAE;QACD,QAAQ,CAAC,EAAE,MAAM,CAAA;QACjB,KAAK,CAAC,EAAE,eAAe,CAAA;QACvB,kBAAkB,CAAC,EAAE,MAAM,CAAA;QAC3B,cAAc,CAAC,EAAE,cAAc,CAAA;KAChC,GACA,OAAO,CAAC,mBAAmB,CAAC;CAiChC"}

package/dist/CredentialIssuancePurpose.js

@@ -0,0 +1,67 @@
+/*!
+ * Copyright (c) 2019-2023 Digital Bazaar, Inc. All rights reserved.
+ */
+import jsigs from '@interop/jsonld-signatures';
+import jsonld from '@interop/jsonld';
+const { purposes: { AssertionProofPurpose } } = jsigs;
+/**
+ * Creates a proof purpose that will validate whether the verification
+ * method in a proof was authorized by its declared controller for the
+ * proof's purpose.
+ */
+export class CredentialIssuancePurpose extends AssertionProofPurpose {
+    /**
+     * @param options - The options to use.
+     * @param options.controller - The description of the controller, if it is
+     *   not to be dereferenced via a `documentLoader`.
+     * @param options.date - The expected date for the creation of the proof.
+     * @param options.maxTimestampDelta - A maximum number of seconds that the
+     *   date on the signature can deviate from.
+     */
+    constructor({ controller, date, maxTimestampDelta } = {}) {
+        super({ controller, date, maxTimestampDelta });
+    }
+    /**
+     * Validates the purpose of a proof. This method is called during
+     * proof verification, after the proof value has been checked against the
+     * given verification method (in the case of a digital signature, the
+     * signature has been cryptographically verified against the public key).
+     *
+     * @param proof - The proof to validate.
+     * @param options - The options to use.
+     * @param options.document - The document whose signature is being verified.
+     * @param options.suite - Signature suite used in the proof.
+     * @param options.verificationMethod - Key id URL to the paired public key.
+     * @param options.documentLoader - A document loader.
+     *
+     * @throws {Error} If verification method not authorized by controller.
+     * @throws {Error} If proof's created timestamp is out of range.
+     */
+    async validate(proof, { document, suite, verificationMethod, documentLoader }) {
+        try {
+            const result = await super.validate(proof, {
+                document,
+                suite,
+                verificationMethod,
+                documentLoader
+            });
+            if (!result.valid) {
+                throw result.error;
+            }
+            const issuer = jsonld.getValues(document, 'issuer');
+            if (!issuer || issuer.length === 0) {
+                throw new Error('Credential issuer is required.');
+            }
+            const issuerId = typeof issuer[0] === 'string' ? issuer[0] : issuer[0].id;
+            const controller = result.controller;
+            if (controller?.id !== issuerId) {
+                throw new Error('Credential issuer must match the verification method controller.');
+            }
+            return { valid: true };
+        }
+        catch (error) {
+            return { valid: false, error: error };
+        }
+    }
+}
+//# sourceMappingURL=CredentialIssuancePurpose.js.map