@openid4vc/openid4vci 0.3.0-alpha-20250324183425 → 0.3.0-alpha-20250328112257

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (7) hide show
  1. package/dist/index.d.mts +21626 -12050
  2. package/dist/index.d.ts +21626 -12050
  3. package/dist/index.js +860 -618
  4. package/dist/index.js.map +1 -1
  5. package/dist/index.mjs +855 -617
  6. package/dist/index.mjs.map +1 -1
  7. package/package.json +3 -3
package/dist/index.js CHANGED
@@ -37,67 +37,250 @@ __export(src_exports, {
37
37
  Openid4vciIssuer: () => Openid4vciIssuer,
38
38
  Openid4vciRetrieveCredentialsError: () => Openid4vciRetrieveCredentialsError,
39
39
  Openid4vciSendNotificationError: () => Openid4vciSendNotificationError,
40
+ Openid4vciWalletProvider: () => Openid4vciWalletProvider,
41
+ createKeyAttestationJwt: () => createKeyAttestationJwt,
40
42
  credentialsSupportedToCredentialConfigurationsSupported: () => credentialsSupportedToCredentialConfigurationsSupported,
43
+ determineAuthorizationServerForCredentialOffer: () => determineAuthorizationServerForCredentialOffer,
41
44
  extractScopesForCredentialConfigurationIds: () => extractScopesForCredentialConfigurationIds,
42
45
  getCredentialConfigurationsMatchingRequestFormat: () => getCredentialConfigurationsMatchingRequestFormat,
43
46
  getGlobalConfig: () => import_utils20.getGlobalConfig,
44
- setGlobalConfig: () => import_utils20.setGlobalConfig
47
+ parseKeyAttestationJwt: () => parseKeyAttestationJwt,
48
+ setGlobalConfig: () => import_utils20.setGlobalConfig,
49
+ verifyKeyAttestationJwt: () => verifyKeyAttestationJwt
45
50
  });
46
51
  module.exports = __toCommonJS(src_exports);
52
+
53
+ // src/credential-offer/credential-offer.ts
54
+ var import_oauth22 = require("@openid4vc/oauth2");
55
+ var import_utils2 = require("@openid4vc/utils");
56
+
57
+ // src/version.ts
58
+ var Openid4vciDraftVersion = /* @__PURE__ */ ((Openid4vciDraftVersion2) => {
59
+ Openid4vciDraftVersion2["Draft15"] = "Draft15";
60
+ Openid4vciDraftVersion2["Draft14"] = "Draft14";
61
+ Openid4vciDraftVersion2["Draft11"] = "Draft11";
62
+ return Openid4vciDraftVersion2;
63
+ })(Openid4vciDraftVersion || {});
64
+
65
+ // src/credential-offer/z-credential-offer.ts
66
+ var import_oauth2 = require("@openid4vc/oauth2");
67
+ var import_utils = require("@openid4vc/utils");
68
+ var import_zod = __toESM(require("zod"));
69
+ var zTxCode = import_zod.default.object({
70
+ input_mode: import_zod.default.union([import_zod.default.literal("numeric"), import_zod.default.literal("text")]).optional(),
71
+ length: import_zod.default.number().int().optional(),
72
+ description: import_zod.default.string().max(300).optional()
73
+ }).passthrough();
74
+ var zCredentialOfferGrants = import_zod.default.object({
75
+ authorization_code: import_zod.default.object({
76
+ issuer_state: import_zod.default.string().optional(),
77
+ authorization_server: import_utils.zHttpsUrl.optional()
78
+ }).passthrough().optional(),
79
+ [import_oauth2.preAuthorizedCodeGrantIdentifier]: import_zod.default.object({
80
+ "pre-authorized_code": import_zod.default.string(),
81
+ tx_code: zTxCode.optional(),
82
+ authorization_server: import_utils.zHttpsUrl.optional()
83
+ }).passthrough().optional()
84
+ }).passthrough();
85
+ var zCredentialOfferObjectDraft14 = import_zod.default.object({
86
+ credential_issuer: import_utils.zHttpsUrl,
87
+ credential_configuration_ids: import_zod.default.array(import_zod.default.string()),
88
+ grants: import_zod.default.optional(zCredentialOfferGrants)
89
+ }).passthrough();
90
+ var zCredentialOfferObjectDraft11To14 = import_zod.default.object({
91
+ credential_issuer: import_utils.zHttpsUrl,
92
+ // We don't support the inline offer objects from draft 11
93
+ credentials: import_zod.default.array(
94
+ import_zod.default.string({ message: "Only string credential identifiers are supported for draft 11 credential offers" })
95
+ ),
96
+ grants: import_zod.default.optional(
97
+ import_zod.default.object({
98
+ // Has extra param in draft 14, but doesn't matter for transform purposes
99
+ authorization_code: zCredentialOfferGrants.shape.authorization_code,
100
+ [import_oauth2.preAuthorizedCodeGrantIdentifier]: import_zod.default.object({
101
+ "pre-authorized_code": import_zod.default.string(),
102
+ user_pin_required: import_zod.default.optional(import_zod.default.boolean())
103
+ }).passthrough().optional()
104
+ })
105
+ )
106
+ }).passthrough().transform(({ credentials, grants, ...rest }) => {
107
+ const v14 = {
108
+ ...rest,
109
+ credential_configuration_ids: credentials
110
+ };
111
+ if (grants) {
112
+ v14.grants = { ...grants };
113
+ if (grants[import_oauth2.preAuthorizedCodeGrantIdentifier]) {
114
+ const { user_pin_required, ...restGrants } = grants[import_oauth2.preAuthorizedCodeGrantIdentifier];
115
+ v14.grants[import_oauth2.preAuthorizedCodeGrantIdentifier] = {
116
+ ...restGrants
117
+ };
118
+ if (user_pin_required) {
119
+ v14.grants[import_oauth2.preAuthorizedCodeGrantIdentifier].tx_code = {
120
+ input_mode: "text"
121
+ };
122
+ }
123
+ }
124
+ }
125
+ return v14;
126
+ }).pipe(zCredentialOfferObjectDraft14);
127
+ var zCredentialOfferObject = import_zod.default.union([
128
+ // First prioritize draft 14 (and 13)
129
+ zCredentialOfferObjectDraft14,
130
+ // Then try parsing draft 11 and transform into draft 14
131
+ zCredentialOfferObjectDraft11To14
132
+ ]);
133
+
134
+ // src/credential-offer/credential-offer.ts
135
+ async function resolveCredentialOffer(credentialOffer, options) {
136
+ const parsedQueryParams = (0, import_utils2.getQueryParams)(credentialOffer);
137
+ let credentialOfferParseResult;
138
+ if (parsedQueryParams.credential_offer_uri) {
139
+ const fetchWithZod = (0, import_utils2.createZodFetcher)(options?.fetch);
140
+ const { response, result } = await fetchWithZod(
141
+ zCredentialOfferObject,
142
+ import_utils2.ContentType.Json,
143
+ parsedQueryParams.credential_offer_uri
144
+ );
145
+ if (!response.ok || !result) {
146
+ throw new import_oauth22.InvalidFetchResponseError(
147
+ `Fetching credential offer from '${parsedQueryParams.credential_offer_uri}' resulted in an unsuccesfull response with status '${response.status}'`,
148
+ await response.clone().text(),
149
+ response
150
+ );
151
+ }
152
+ credentialOfferParseResult = result;
153
+ } else if (parsedQueryParams.credential_offer) {
154
+ let credentialOfferJson;
155
+ try {
156
+ credentialOfferJson = JSON.parse(decodeURIComponent(parsedQueryParams.credential_offer));
157
+ } catch (error) {
158
+ throw new import_oauth22.Oauth2Error(`Error parsing JSON from 'credential_offer' param in credential offer '${credentialOffer}'`);
159
+ }
160
+ credentialOfferParseResult = zCredentialOfferObject.safeParse(credentialOfferJson);
161
+ } else {
162
+ throw new import_oauth22.Oauth2Error(`Credential offer did not contain either 'credential_offer' or 'credential_offer_uri' param.`);
163
+ }
164
+ if (credentialOfferParseResult.error) {
165
+ throw new import_utils2.ValidationError(
166
+ `Error parsing credential offer in draft 11, 13 or 14 format extracted from credential offer '${credentialOffer}'`,
167
+ credentialOfferParseResult.error
168
+ );
169
+ }
170
+ return credentialOfferParseResult.data;
171
+ }
172
+ function determineAuthorizationServerForCredentialOffer(options) {
173
+ const authorizationServers = options.issuerMetadata.credentialIssuer.authorization_servers;
174
+ let authorizationServer;
175
+ if (options.grantAuthorizationServer) {
176
+ authorizationServer = options.grantAuthorizationServer;
177
+ if (!authorizationServers) {
178
+ throw new import_oauth22.Oauth2Error(
179
+ `Credential offer grant contains 'authorization_server' with value '${options.grantAuthorizationServer}' but credential issuer metadata does not have an 'authorization_servers' property to match the value against.`
180
+ );
181
+ }
182
+ if (!authorizationServers.includes(authorizationServer)) {
183
+ throw new import_oauth22.Oauth2Error(
184
+ `Credential offer grant contains 'authorization_server' with value '${options.grantAuthorizationServer}' but credential issuer metadata does not include this authorization server. Available 'authorization_server' values are ${authorizationServers.join(", ")}.`
185
+ );
186
+ }
187
+ } else if (!authorizationServers) {
188
+ authorizationServer = options.issuerMetadata.credentialIssuer.credential_issuer;
189
+ } else {
190
+ if (authorizationServers.length === 0) {
191
+ throw new import_oauth22.Oauth2Error(`Credential issuer metadata has 'authorization_servers' value with length of 0`);
192
+ }
193
+ if (authorizationServers.length > 1) {
194
+ throw new import_oauth22.Oauth2Error(
195
+ `Credential issuer metadata has 'authorization_server' with multiple entries, but the credential offer grant did not specify which authorization server to use.`
196
+ );
197
+ }
198
+ authorizationServer = authorizationServers[0];
199
+ }
200
+ return authorizationServer;
201
+ }
202
+ async function createCredentialOffer(options) {
203
+ const {
204
+ [import_oauth22.preAuthorizedCodeGrantIdentifier]: preAuthorizedCodeGrant,
205
+ [import_oauth22.authorizationCodeGrantIdentifier]: authorizationCodeGrant,
206
+ ...restGrants
207
+ } = options.grants;
208
+ const grants = { ...restGrants };
209
+ if (authorizationCodeGrant) {
210
+ determineAuthorizationServerForCredentialOffer({
211
+ issuerMetadata: options.issuerMetadata,
212
+ grantAuthorizationServer: authorizationCodeGrant.authorization_server
213
+ });
214
+ grants[import_oauth22.authorizationCodeGrantIdentifier] = authorizationCodeGrant;
215
+ }
216
+ if (preAuthorizedCodeGrant) {
217
+ determineAuthorizationServerForCredentialOffer({
218
+ issuerMetadata: options.issuerMetadata,
219
+ grantAuthorizationServer: preAuthorizedCodeGrant.authorization_server
220
+ });
221
+ grants[import_oauth22.preAuthorizedCodeGrantIdentifier] = {
222
+ ...preAuthorizedCodeGrant,
223
+ "pre-authorized_code": preAuthorizedCodeGrant["pre-authorized_code"] ?? (0, import_utils2.encodeToBase64Url)(await options.callbacks.generateRandom(32))
224
+ };
225
+ const txCode = grants[import_oauth22.preAuthorizedCodeGrantIdentifier].tx_code;
226
+ if (txCode && options.issuerMetadata.originalDraftVersion === "Draft11" /* Draft11 */) {
227
+ grants[import_oauth22.preAuthorizedCodeGrantIdentifier].user_pin_required = txCode !== void 0;
228
+ }
229
+ }
230
+ const idsNotInMetadata = options.credentialConfigurationIds.filter(
231
+ (id) => options.issuerMetadata.credentialIssuer.credential_configurations_supported[id] === void 0
232
+ );
233
+ if (idsNotInMetadata.length > 0) {
234
+ throw new import_oauth22.Oauth2Error(
235
+ `Credential configuration ids ${idsNotInMetadata} not found in the credential issuer metadata 'credential_configurations_supported'. Available ids are ${Object.keys(options.issuerMetadata.credentialIssuer.credential_configurations_supported).join(", ")}.`
236
+ );
237
+ }
238
+ const credentialOfferScheme = options.credentialOfferScheme ?? "openid-credential-offer://";
239
+ const credentialOfferObject = (0, import_utils2.parseWithErrorHandling)(zCredentialOfferObject, {
240
+ credential_issuer: options.issuerMetadata.credentialIssuer.credential_issuer,
241
+ credential_configuration_ids: options.credentialConfigurationIds,
242
+ grants,
243
+ ...options.additionalPayload
244
+ });
245
+ if (options.issuerMetadata.originalDraftVersion === "Draft11" /* Draft11 */) {
246
+ credentialOfferObject.credentials = credentialOfferObject.credential_configuration_ids;
247
+ }
248
+ const url = new import_utils2.URL(credentialOfferScheme);
249
+ url.search = `?${new import_utils2.URLSearchParams([
250
+ ...url.searchParams.entries(),
251
+ ...(0, import_utils2.objectToQueryParams)({
252
+ credential_offer_uri: options.credentialOfferUri,
253
+ // Only add credential_offer is uri is undefined
254
+ credential_offer: options.credentialOfferUri ? void 0 : credentialOfferObject
255
+ }).entries()
256
+ ]).toString()}`;
257
+ return {
258
+ credentialOffer: url.toString(),
259
+ credentialOfferObject
260
+ };
261
+ }
262
+
263
+ // src/index.ts
47
264
  var import_utils20 = require("@openid4vc/utils");
48
265
 
49
266
  // src/credential-request/credential-request-configurations.ts
50
- var import_utils4 = require("@openid4vc/utils");
267
+ var import_utils6 = require("@openid4vc/utils");
51
268
 
52
269
  // src/metadata/credential-issuer/credential-issuer-metadata.ts
53
- var import_oauth23 = require("@openid4vc/oauth2");
54
- var import_utils3 = require("@openid4vc/utils");
270
+ var import_oauth25 = require("@openid4vc/oauth2");
271
+ var import_utils5 = require("@openid4vc/utils");
55
272
 
56
273
  // src/metadata/credential-issuer/z-credential-issuer-metadata.ts
57
- var import_oauth22 = require("@openid4vc/oauth2");
58
- var import_utils2 = require("@openid4vc/utils");
59
- var import_zod9 = __toESM(require("zod"));
274
+ var import_oauth24 = require("@openid4vc/oauth2");
275
+ var import_utils4 = require("@openid4vc/utils");
276
+ var import_zod12 = __toESM(require("zod"));
60
277
 
61
278
  // src/formats/credential/mso-mdoc/z-mso-mdoc.ts
62
279
  var import_zod3 = __toESM(require("zod"));
63
280
 
64
- // src/metadata/credential-issuer/z-credential-configuration-supported-common.ts
281
+ // src/metadata/credential-issuer/z-claims-description.ts
65
282
  var import_zod2 = __toESM(require("zod"));
66
-
67
- // src/key-attestation/z-key-attestation.ts
68
- var import_oauth2 = require("@openid4vc/oauth2");
69
- var import_utils = require("@openid4vc/utils");
70
- var import_zod = __toESM(require("zod"));
71
- var zKeyAttestationJwtHeader = import_zod.default.object({
72
- ...import_oauth2.zJwtHeader.shape,
73
- typ: import_zod.default.literal("keyattestation+jwt")
74
- }).passthrough().refine(({ kid, jwk }) => jwk === void 0 || kid === void 0, {
75
- message: `Both 'jwk' and 'kid' are defined. Only one is allowed`
76
- }).refine(({ trust_chain, kid }) => !trust_chain || !kid, {
77
- message: `When 'trust_chain' is provided, 'kid' is required`
78
- });
79
- var zIso18045 = import_zod.default.enum(["iso_18045_high", "iso_18045_moderate", "iso_18045_enhanced-basic", "iso_18045_basic"]);
80
- var zIso18045OrStringArray = import_zod.default.array(import_zod.default.union([zIso18045, import_zod.default.string()]));
81
- var zKeyAttestationJwtPayload = import_zod.default.object({
82
- ...import_oauth2.zJwtPayload.shape,
83
- iat: import_utils.zInteger,
84
- attested_keys: import_zod.default.array(import_oauth2.zJwk),
85
- key_storage: import_zod.default.optional(zIso18045OrStringArray),
86
- user_authentication: import_zod.default.optional(zIso18045OrStringArray),
87
- certification: import_zod.default.optional(import_zod.default.string())
88
- }).passthrough();
89
- var zKeyAttestationJwtPayloadForUse = (use) => import_zod.default.object({
90
- ...zKeyAttestationJwtPayload.shape,
91
- // REQUIRED when used as proof_type.attesation directly
92
- nonce: use === "proof_type.attestation" ? import_zod.default.string({
93
- message: `Nonce must be defined when key attestation is used as 'proof_type.attestation' directly`
94
- }) : import_zod.default.optional(import_zod.default.string()),
95
- // REQUIRED when used within header of proof_type.jwt
96
- exp: use === "proof_type.jwt" ? import_utils.zInteger : import_zod.default.optional(import_utils.zInteger)
97
- }).passthrough();
98
-
99
- // src/metadata/credential-issuer/z-credential-configuration-supported-common.ts
100
- var zCredentialConfigurationSupportedClaims = import_zod2.default.object({
283
+ var zCredentialConfigurationSupportedClaimsDraft14 = import_zod2.default.object({
101
284
  mandatory: import_zod2.default.boolean().optional(),
102
285
  value_type: import_zod2.default.string().optional(),
103
286
  display: import_zod2.default.object({
@@ -105,108 +288,117 @@ var zCredentialConfigurationSupportedClaims = import_zod2.default.object({
105
288
  locale: import_zod2.default.string().optional()
106
289
  }).passthrough().optional()
107
290
  }).passthrough();
108
- var zCredentialConfigurationSupportedCommon = import_zod2.default.object({
109
- format: import_zod2.default.string(),
110
- scope: import_zod2.default.string().optional(),
111
- cryptographic_binding_methods_supported: import_zod2.default.array(import_zod2.default.string()).optional(),
112
- credential_signing_alg_values_supported: import_zod2.default.array(import_zod2.default.string()).optional(),
113
- proof_types_supported: import_zod2.default.record(
114
- import_zod2.default.union([import_zod2.default.literal("jwt"), import_zod2.default.literal("attestation"), import_zod2.default.string()]),
115
- import_zod2.default.object({
116
- proof_signing_alg_values_supported: import_zod2.default.array(import_zod2.default.string()),
117
- key_attestations_required: import_zod2.default.object({
118
- key_storage: zIso18045OrStringArray.optional(),
119
- user_authentication: zIso18045OrStringArray.optional()
120
- }).passthrough().optional()
121
- })
122
- ).optional(),
291
+ var zClaimsDescriptionPath = import_zod2.default.array(import_zod2.default.union([import_zod2.default.string(), import_zod2.default.number().int().nonnegative(), import_zod2.default.null()])).nonempty();
292
+ var zMsoMdocClaimsDescriptionPath = import_zod2.default.tuple([import_zod2.default.string(), import_zod2.default.string()], {
293
+ message: "mso_mdoc claims description path MUST be an array with exactly two string elements, pointing to the namespace and element identifier within an mdoc credential"
294
+ });
295
+ var zIssuerMetadataClaimsDescription = import_zod2.default.object({
296
+ path: zClaimsDescriptionPath,
297
+ mandatory: import_zod2.default.boolean().optional(),
123
298
  display: import_zod2.default.array(
124
299
  import_zod2.default.object({
125
- name: import_zod2.default.string(),
126
- locale: import_zod2.default.string().optional(),
127
- logo: import_zod2.default.object({
128
- // FIXME: make required again, but need to support draft 11 first
129
- uri: import_zod2.default.string().optional(),
130
- alt_text: import_zod2.default.string().optional()
131
- }).passthrough().optional(),
132
- description: import_zod2.default.string().optional(),
133
- background_color: import_zod2.default.string().optional(),
134
- background_image: import_zod2.default.object({
135
- // TODO: should be required, but paradym's metadata is wrong here.
136
- uri: import_zod2.default.string().optional()
137
- }).passthrough().optional(),
138
- text_color: import_zod2.default.string().optional()
300
+ name: import_zod2.default.string().optional(),
301
+ locale: import_zod2.default.string().optional()
139
302
  }).passthrough()
140
303
  ).optional()
141
304
  }).passthrough();
305
+ var zMsoMdocIssuerMetadataClaimsDescription = zIssuerMetadataClaimsDescription.extend({
306
+ path: zMsoMdocClaimsDescriptionPath
307
+ });
142
308
 
143
309
  // src/formats/credential/mso-mdoc/z-mso-mdoc.ts
144
310
  var zMsoMdocFormatIdentifier = import_zod3.default.literal("mso_mdoc");
145
311
  var zMsoMdocCredentialIssuerMetadata = import_zod3.default.object({
146
312
  format: zMsoMdocFormatIdentifier,
147
313
  doctype: import_zod3.default.string(),
148
- claims: import_zod3.default.optional(zCredentialConfigurationSupportedClaims),
314
+ claims: import_zod3.default.array(zMsoMdocIssuerMetadataClaimsDescription).optional()
315
+ });
316
+ var zMsoMdocCredentialIssuerMetadataDraft14 = import_zod3.default.object({
317
+ format: zMsoMdocFormatIdentifier,
318
+ doctype: import_zod3.default.string(),
319
+ claims: zCredentialConfigurationSupportedClaimsDraft14.optional(),
149
320
  order: import_zod3.default.optional(import_zod3.default.array(import_zod3.default.string()))
150
321
  });
151
- var zMsoMdocCredentialRequestFormat = import_zod3.default.object({
322
+ var zMsoMdocCredentialRequestFormatDraft14 = import_zod3.default.object({
152
323
  format: zMsoMdocFormatIdentifier,
153
324
  doctype: import_zod3.default.string(),
154
- claims: import_zod3.default.optional(zCredentialConfigurationSupportedClaims)
325
+ // Format based request is removed in Draft 15, so only old claims syntax supported.
326
+ claims: import_zod3.default.optional(zCredentialConfigurationSupportedClaimsDraft14)
155
327
  });
156
328
 
157
329
  // src/formats/credential/sd-jwt-vc/z-sd-jwt-vc.ts
158
330
  var import_zod4 = __toESM(require("zod"));
159
331
  var zSdJwtVcFormatIdentifier = import_zod4.default.literal("vc+sd-jwt");
160
- var zSdJwtVcCredentialIssuerMetadata = import_zod4.default.object({
332
+ var zSdJwtVcCredentialIssuerMetadataDraft14 = import_zod4.default.object({
161
333
  vct: import_zod4.default.string(),
162
334
  format: zSdJwtVcFormatIdentifier,
163
- claims: import_zod4.default.optional(zCredentialConfigurationSupportedClaims),
335
+ claims: import_zod4.default.optional(zCredentialConfigurationSupportedClaimsDraft14),
164
336
  order: import_zod4.default.optional(import_zod4.default.array(import_zod4.default.string()))
165
337
  });
166
- var zSdJwtVcCredentialRequestFormat = import_zod4.default.object({
338
+ var zSdJwtVcCredentialRequestFormatDraft14 = import_zod4.default.object({
167
339
  format: zSdJwtVcFormatIdentifier,
168
340
  vct: import_zod4.default.string(),
169
- claims: import_zod4.default.optional(zCredentialConfigurationSupportedClaims)
341
+ claims: import_zod4.default.optional(zCredentialConfigurationSupportedClaimsDraft14)
342
+ });
343
+
344
+ // src/formats/credential/sd-jwt-dc/z-sd-jwt-dc.ts
345
+ var import_zod5 = __toESM(require("zod"));
346
+ var zSdJwtDcFormatIdentifier = import_zod5.default.literal("dc+sd-jwt");
347
+ var zSdJwtDcCredentialIssuerMetadata = import_zod5.default.object({
348
+ vct: import_zod5.default.string(),
349
+ format: zSdJwtDcFormatIdentifier,
350
+ claims: import_zod5.default.array(zIssuerMetadataClaimsDescription).optional()
170
351
  });
171
352
 
172
353
  // src/formats/credential/w3c-vc/z-w3c-ldp-vc.ts
173
- var import_zod6 = __toESM(require("zod"));
354
+ var import_zod7 = __toESM(require("zod"));
174
355
 
175
356
  // src/formats/credential/w3c-vc/z-w3c-vc-common.ts
176
- var import_zod5 = __toESM(require("zod"));
177
- var zCredentialSubjectLeafType = import_zod5.default.object({
178
- mandatory: import_zod5.default.boolean().optional(),
179
- value_type: import_zod5.default.string().optional(),
180
- display: import_zod5.default.array(
181
- import_zod5.default.object({
182
- name: import_zod5.default.string().optional(),
183
- locale: import_zod5.default.string().optional()
357
+ var import_zod6 = __toESM(require("zod"));
358
+ var zCredentialSubjectLeafTypeDraft14 = import_zod6.default.object({
359
+ mandatory: import_zod6.default.boolean().optional(),
360
+ value_type: import_zod6.default.string().optional(),
361
+ display: import_zod6.default.array(
362
+ import_zod6.default.object({
363
+ name: import_zod6.default.string().optional(),
364
+ locale: import_zod6.default.string().optional()
184
365
  }).passthrough()
185
366
  ).optional()
186
367
  }).passthrough();
187
- var zClaimValueSchema = import_zod5.default.union([import_zod5.default.array(import_zod5.default.any()), import_zod5.default.record(import_zod5.default.string(), import_zod5.default.any()), zCredentialSubjectLeafType]);
188
- var zW3cVcCredentialSubject = import_zod5.default.record(import_zod5.default.string(), zClaimValueSchema);
189
- var zW3cVcJsonLdCredentialDefinition = import_zod5.default.object({
190
- "@context": import_zod5.default.array(import_zod5.default.string()),
191
- type: import_zod5.default.array(import_zod5.default.string()),
192
- credentialSubject: zW3cVcCredentialSubject.optional()
368
+ var zClaimValueSchemaDraft14 = import_zod6.default.union([
369
+ import_zod6.default.array(import_zod6.default.any()),
370
+ import_zod6.default.record(import_zod6.default.string(), import_zod6.default.any()),
371
+ zCredentialSubjectLeafTypeDraft14
372
+ ]);
373
+ var zW3cVcCredentialSubjectDraft14 = import_zod6.default.record(import_zod6.default.string(), zClaimValueSchemaDraft14);
374
+ var zW3cVcJsonLdCredentialDefinition = import_zod6.default.object({
375
+ "@context": import_zod6.default.array(import_zod6.default.string()),
376
+ type: import_zod6.default.array(import_zod6.default.string())
193
377
  }).passthrough();
378
+ var zW3cVcJsonLdCredentialDefinitionDraft14 = zW3cVcJsonLdCredentialDefinition.extend({
379
+ credentialSubject: zW3cVcCredentialSubjectDraft14.optional()
380
+ });
194
381
 
195
382
  // src/formats/credential/w3c-vc/z-w3c-ldp-vc.ts
196
- var zLdpVcFormatIdentifier = import_zod6.default.literal("ldp_vc");
197
- var zLdpVcCredentialIssuerMetadata = import_zod6.default.object({
383
+ var zLdpVcFormatIdentifier = import_zod7.default.literal("ldp_vc");
384
+ var zLdpVcCredentialIssuerMetadata = import_zod7.default.object({
198
385
  format: zLdpVcFormatIdentifier,
199
386
  credential_definition: zW3cVcJsonLdCredentialDefinition,
200
- order: import_zod6.default.array(import_zod6.default.string()).optional()
387
+ claims: zIssuerMetadataClaimsDescription.optional()
388
+ });
389
+ var zLdpVcCredentialIssuerMetadataDraft14 = import_zod7.default.object({
390
+ format: zLdpVcFormatIdentifier,
391
+ credential_definition: zW3cVcJsonLdCredentialDefinitionDraft14,
392
+ order: import_zod7.default.array(import_zod7.default.string()).optional()
201
393
  });
202
- var zLdpVcCredentialIssuerMetadataDraft11 = import_zod6.default.object({
203
- order: import_zod6.default.array(import_zod6.default.string()).optional(),
394
+ var zLdpVcCredentialIssuerMetadataDraft11 = import_zod7.default.object({
395
+ order: import_zod7.default.array(import_zod7.default.string()).optional(),
204
396
  format: zLdpVcFormatIdentifier,
205
397
  // Credential definition was spread on top level instead of a separatey property in v11
206
398
  // As well as using types instead of type
207
- "@context": import_zod6.default.array(import_zod6.default.string()),
208
- types: import_zod6.default.array(import_zod6.default.string()),
209
- credentialSubject: zW3cVcCredentialSubject.optional()
399
+ "@context": import_zod7.default.array(import_zod7.default.string()),
400
+ types: import_zod7.default.array(import_zod7.default.string()),
401
+ credentialSubject: zW3cVcCredentialSubjectDraft14.optional()
210
402
  }).passthrough();
211
403
  var zLdpVcCredentialIssuerMetadataDraft11To14 = zLdpVcCredentialIssuerMetadataDraft11.transform(
212
404
  ({ "@context": context, types, credentialSubject, ...rest }) => ({
@@ -219,22 +411,22 @@ var zLdpVcCredentialIssuerMetadataDraft11To14 = zLdpVcCredentialIssuerMetadataDr
219
411
  }
220
412
  })
221
413
  );
222
- var zLdpVcCredentialIssuerMetadataDraft14To11 = zLdpVcCredentialIssuerMetadata.passthrough().transform(({ credential_definition: { type, ...credentialDefinition }, ...rest }) => ({
414
+ var zLdpVcCredentialIssuerMetadataDraft14To11 = zLdpVcCredentialIssuerMetadataDraft14.passthrough().transform(({ credential_definition: { type, ...credentialDefinition }, ...rest }) => ({
223
415
  ...rest,
224
416
  ...credentialDefinition,
225
417
  types: type
226
418
  })).pipe(zLdpVcCredentialIssuerMetadataDraft11);
227
- var zLdpVcCredentialRequestFormat = import_zod6.default.object({
419
+ var zLdpVcCredentialRequestFormatDraft14 = import_zod7.default.object({
228
420
  format: zLdpVcFormatIdentifier,
229
- credential_definition: zW3cVcJsonLdCredentialDefinition
421
+ credential_definition: zW3cVcJsonLdCredentialDefinitionDraft14
230
422
  });
231
- var zLdpVcCredentialRequestDraft11 = import_zod6.default.object({
423
+ var zLdpVcCredentialRequestDraft11 = import_zod7.default.object({
232
424
  format: zLdpVcFormatIdentifier,
233
- credential_definition: import_zod6.default.object({
234
- "@context": import_zod6.default.array(import_zod6.default.string()),
425
+ credential_definition: import_zod7.default.object({
426
+ "@context": import_zod7.default.array(import_zod7.default.string()),
235
427
  // credential_definition was using types instead of type in v11
236
- types: import_zod6.default.array(import_zod6.default.string()),
237
- credentialSubject: zW3cVcCredentialSubject.optional()
428
+ types: import_zod7.default.array(import_zod7.default.string()),
429
+ credentialSubject: zW3cVcCredentialSubjectDraft14.optional()
238
430
  })
239
431
  }).passthrough();
240
432
  var zLdpVcCredentialRequestDraft11To14 = zLdpVcCredentialRequestDraft11.transform(
@@ -246,7 +438,7 @@ var zLdpVcCredentialRequestDraft11To14 = zLdpVcCredentialRequestDraft11.transfor
246
438
  }
247
439
  })
248
440
  );
249
- var zLdpVcCredentialRequestDraft14To11 = zLdpVcCredentialRequestFormat.passthrough().transform(({ credential_definition: { type, ...restCredentialDefinition }, ...rest }) => ({
441
+ var zLdpVcCredentialRequestDraft14To11 = zLdpVcCredentialRequestFormatDraft14.passthrough().transform(({ credential_definition: { type, ...restCredentialDefinition }, ...rest }) => ({
250
442
  ...rest,
251
443
  credential_definition: {
252
444
  ...restCredentialDefinition,
@@ -255,21 +447,26 @@ var zLdpVcCredentialRequestDraft14To11 = zLdpVcCredentialRequestFormat.passthrou
255
447
  })).pipe(zLdpVcCredentialRequestDraft11);
256
448
 
257
449
  // src/formats/credential/w3c-vc/z-w3c-jwt-vc-json-ld.ts
258
- var import_zod7 = __toESM(require("zod"));
259
- var zJwtVcJsonLdFormatIdentifier = import_zod7.default.literal("jwt_vc_json-ld");
260
- var zJwtVcJsonLdCredentialIssuerMetadata = import_zod7.default.object({
450
+ var import_zod8 = __toESM(require("zod"));
451
+ var zJwtVcJsonLdFormatIdentifier = import_zod8.default.literal("jwt_vc_json-ld");
452
+ var zJwtVcJsonLdCredentialIssuerMetadata = import_zod8.default.object({
261
453
  format: zJwtVcJsonLdFormatIdentifier,
262
454
  credential_definition: zW3cVcJsonLdCredentialDefinition,
263
- order: import_zod7.default.optional(import_zod7.default.array(import_zod7.default.string()))
455
+ claims: zIssuerMetadataClaimsDescription.optional()
264
456
  });
265
- var zJwtVcJsonLdCredentialIssuerMetadataDraft11 = import_zod7.default.object({
266
- order: import_zod7.default.array(import_zod7.default.string()).optional(),
457
+ var zJwtVcJsonLdCredentialIssuerMetadataDraft14 = import_zod8.default.object({
458
+ format: zJwtVcJsonLdFormatIdentifier,
459
+ credential_definition: zW3cVcJsonLdCredentialDefinitionDraft14,
460
+ order: import_zod8.default.optional(import_zod8.default.array(import_zod8.default.string()))
461
+ });
462
+ var zJwtVcJsonLdCredentialIssuerMetadataDraft11 = import_zod8.default.object({
463
+ order: import_zod8.default.array(import_zod8.default.string()).optional(),
267
464
  format: zJwtVcJsonLdFormatIdentifier,
268
465
  // Credential definition was spread on top level instead of a separatey property in v11
269
466
  // As well as using types instead of type
270
- "@context": import_zod7.default.array(import_zod7.default.string()),
271
- types: import_zod7.default.array(import_zod7.default.string()),
272
- credentialSubject: zW3cVcCredentialSubject.optional()
467
+ "@context": import_zod8.default.array(import_zod8.default.string()),
468
+ types: import_zod8.default.array(import_zod8.default.string()),
469
+ credentialSubject: zW3cVcCredentialSubjectDraft14.optional()
273
470
  }).passthrough();
274
471
  var zJwtVcJsonLdCredentialIssuerMetadataDraft11To14 = zJwtVcJsonLdCredentialIssuerMetadataDraft11.transform(
275
472
  ({ "@context": context, types, credentialSubject, ...rest }) => ({
@@ -282,22 +479,22 @@ var zJwtVcJsonLdCredentialIssuerMetadataDraft11To14 = zJwtVcJsonLdCredentialIssu
282
479
  }
283
480
  })
284
481
  );
285
- var zJwtVcJsonLdCredentialIssuerMetadataDraft14To11 = zJwtVcJsonLdCredentialIssuerMetadata.passthrough().transform(({ credential_definition: { type, ...credentialDefinition }, ...rest }) => ({
482
+ var zJwtVcJsonLdCredentialIssuerMetadataDraft14To11 = zJwtVcJsonLdCredentialIssuerMetadataDraft14.passthrough().transform(({ credential_definition: { type, ...credentialDefinition }, ...rest }) => ({
286
483
  ...rest,
287
484
  ...credentialDefinition,
288
485
  types: type
289
486
  })).pipe(zJwtVcJsonLdCredentialIssuerMetadataDraft11);
290
- var zJwtVcJsonLdCredentialRequestFormat = import_zod7.default.object({
487
+ var zJwtVcJsonLdCredentialRequestFormatDraft14 = import_zod8.default.object({
291
488
  format: zJwtVcJsonLdFormatIdentifier,
292
489
  credential_definition: zW3cVcJsonLdCredentialDefinition
293
490
  });
294
- var zJwtVcJsonLdCredentialRequestDraft11 = import_zod7.default.object({
491
+ var zJwtVcJsonLdCredentialRequestDraft11 = import_zod8.default.object({
295
492
  format: zJwtVcJsonLdFormatIdentifier,
296
- credential_definition: import_zod7.default.object({
297
- "@context": import_zod7.default.array(import_zod7.default.string()),
493
+ credential_definition: import_zod8.default.object({
494
+ "@context": import_zod8.default.array(import_zod8.default.string()),
298
495
  // credential_definition was using types instead of type in v11
299
- types: import_zod7.default.array(import_zod7.default.string()),
300
- credentialSubject: import_zod7.default.optional(zW3cVcCredentialSubject)
496
+ types: import_zod8.default.array(import_zod8.default.string()),
497
+ credentialSubject: import_zod8.default.optional(zW3cVcCredentialSubjectDraft14)
301
498
  }).passthrough()
302
499
  }).passthrough();
303
500
  var zJwtVcJsonLdCredentialRequestDraft11To14 = zJwtVcJsonLdCredentialRequestDraft11.transform(
@@ -309,7 +506,7 @@ var zJwtVcJsonLdCredentialRequestDraft11To14 = zJwtVcJsonLdCredentialRequestDraf
309
506
  }
310
507
  })
311
508
  );
312
- var zJwtVcJsonLdCredentialRequestDraft14To11 = zJwtVcJsonLdCredentialRequestFormat.passthrough().transform(({ credential_definition: { type, ...restCredentialDefinition }, ...rest }) => ({
509
+ var zJwtVcJsonLdCredentialRequestDraft14To11 = zJwtVcJsonLdCredentialRequestFormatDraft14.passthrough().transform(({ credential_definition: { type, ...restCredentialDefinition }, ...rest }) => ({
313
510
  ...rest,
314
511
  credential_definition: {
315
512
  ...restCredentialDefinition,
@@ -318,24 +515,31 @@ var zJwtVcJsonLdCredentialRequestDraft14To11 = zJwtVcJsonLdCredentialRequestForm
318
515
  })).pipe(zJwtVcJsonLdCredentialRequestDraft11);
319
516
 
320
517
  // src/formats/credential/w3c-vc/z-w3c-jwt-vc-json.ts
321
- var import_zod8 = __toESM(require("zod"));
322
- var zJwtVcJsonFormatIdentifier = import_zod8.default.literal("jwt_vc_json");
323
- var zJwtVcJsonCredentialDefinition = import_zod8.default.object({
324
- type: import_zod8.default.array(import_zod8.default.string()),
325
- credentialSubject: zW3cVcCredentialSubject.optional()
518
+ var import_zod9 = __toESM(require("zod"));
519
+ var zJwtVcJsonFormatIdentifier = import_zod9.default.literal("jwt_vc_json");
520
+ var zJwtVcJsonCredentialDefinition = import_zod9.default.object({
521
+ type: import_zod9.default.array(import_zod9.default.string())
326
522
  }).passthrough();
327
- var zJwtVcJsonCredentialIssuerMetadata = import_zod8.default.object({
523
+ var zJwtVcJsonCredentialDefinitionDraft14 = zJwtVcJsonCredentialDefinition.extend({
524
+ credentialSubject: zW3cVcCredentialSubjectDraft14.optional()
525
+ });
526
+ var zJwtVcJsonCredentialIssuerMetadata = import_zod9.default.object({
328
527
  format: zJwtVcJsonFormatIdentifier,
329
528
  credential_definition: zJwtVcJsonCredentialDefinition,
330
- order: import_zod8.default.array(import_zod8.default.string()).optional()
529
+ claims: zIssuerMetadataClaimsDescription.optional()
331
530
  });
332
- var zJwtVcJsonCredentialIssuerMetadataDraft11 = import_zod8.default.object({
531
+ var zJwtVcJsonCredentialIssuerMetadataDraft14 = import_zod9.default.object({
333
532
  format: zJwtVcJsonFormatIdentifier,
334
- order: import_zod8.default.array(import_zod8.default.string()).optional(),
533
+ credential_definition: zJwtVcJsonCredentialDefinitionDraft14,
534
+ order: import_zod9.default.array(import_zod9.default.string()).optional()
535
+ });
536
+ var zJwtVcJsonCredentialIssuerMetadataDraft11 = import_zod9.default.object({
537
+ format: zJwtVcJsonFormatIdentifier,
538
+ order: import_zod9.default.array(import_zod9.default.string()).optional(),
335
539
  // Credential definition was spread on top level instead of a separatey property in v11
336
540
  // As well as using types instead of type
337
- types: import_zod8.default.array(import_zod8.default.string()),
338
- credentialSubject: zW3cVcCredentialSubject.optional()
541
+ types: import_zod9.default.array(import_zod9.default.string()),
542
+ credentialSubject: zW3cVcCredentialSubjectDraft14.optional()
339
543
  }).passthrough();
340
544
  var zJwtVcJsonCredentialIssuerMetadataDraft11To14 = zJwtVcJsonCredentialIssuerMetadataDraft11.transform(
341
545
  ({ types, credentialSubject, ...rest }) => ({
@@ -347,21 +551,21 @@ var zJwtVcJsonCredentialIssuerMetadataDraft11To14 = zJwtVcJsonCredentialIssuerMe
347
551
  }
348
552
  })
349
553
  );
350
- var zJwtVcJsonCredentialIssuerMetadataDraft14To11 = zJwtVcJsonCredentialIssuerMetadata.passthrough().transform(({ credential_definition: { type, ...credentialDefinition }, ...rest }) => ({
554
+ var zJwtVcJsonCredentialIssuerMetadataDraft14To11 = zJwtVcJsonCredentialIssuerMetadataDraft14.passthrough().transform(({ credential_definition: { type, ...credentialDefinition }, ...rest }) => ({
351
555
  ...rest,
352
556
  types: type,
353
557
  ...credentialDefinition
354
558
  })).pipe(zJwtVcJsonCredentialIssuerMetadataDraft11);
355
- var zJwtVcJsonCredentialRequestFormat = import_zod8.default.object({
559
+ var zJwtVcJsonCredentialRequestFormatDraft14 = import_zod9.default.object({
356
560
  format: zJwtVcJsonFormatIdentifier,
357
561
  credential_definition: zJwtVcJsonCredentialDefinition
358
562
  });
359
- var zJwtVcJsonCredentialRequestDraft11 = import_zod8.default.object({
563
+ var zJwtVcJsonCredentialRequestDraft11 = import_zod9.default.object({
360
564
  format: zJwtVcJsonFormatIdentifier,
361
565
  // Credential definition was spread on top level instead of a separatey property in v11
362
566
  // As well as using types instead of type
363
- types: import_zod8.default.array(import_zod8.default.string()),
364
- credentialSubject: import_zod8.default.optional(zW3cVcCredentialSubject)
567
+ types: import_zod9.default.array(import_zod9.default.string()),
568
+ credentialSubject: import_zod9.default.optional(zW3cVcCredentialSubjectDraft14)
365
569
  }).passthrough();
366
570
  var zJwtVcJsonCredentialRequestDraft11To14 = zJwtVcJsonCredentialRequestDraft11.transform(
367
571
  ({ types, credentialSubject, ...rest }) => {
@@ -375,26 +579,98 @@ var zJwtVcJsonCredentialRequestDraft11To14 = zJwtVcJsonCredentialRequestDraft11.
375
579
  };
376
580
  }
377
581
  );
378
- var zJwtVcJsonCredentialRequestDraft14To11 = zJwtVcJsonCredentialRequestFormat.passthrough().transform(({ credential_definition: { type, ...credentialDefinition }, ...rest }) => ({
582
+ var zJwtVcJsonCredentialRequestDraft14To11 = zJwtVcJsonCredentialRequestFormatDraft14.passthrough().transform(({ credential_definition: { type, ...credentialDefinition }, ...rest }) => ({
379
583
  ...rest,
380
584
  types: type,
381
585
  ...credentialDefinition
382
586
  })).pipe(zJwtVcJsonCredentialRequestDraft11);
383
587
 
384
- // src/version.ts
385
- var Openid4vciDraftVersion = /* @__PURE__ */ ((Openid4vciDraftVersion2) => {
386
- Openid4vciDraftVersion2["Draft14"] = "Draft14";
387
- Openid4vciDraftVersion2["Draft11"] = "Draft11";
388
- return Openid4vciDraftVersion2;
389
- })(Openid4vciDraftVersion || {});
588
+ // src/metadata/credential-issuer/z-credential-configuration-supported-common.ts
589
+ var import_zod11 = __toESM(require("zod"));
590
+
591
+ // src/key-attestation/z-key-attestation.ts
592
+ var import_oauth23 = require("@openid4vc/oauth2");
593
+ var import_utils3 = require("@openid4vc/utils");
594
+ var import_zod10 = __toESM(require("zod"));
595
+ var zKeyAttestationJwtHeader = import_zod10.default.object({
596
+ ...import_oauth23.zJwtHeader.shape,
597
+ typ: import_zod10.default.literal("keyattestation+jwt").or(
598
+ // Draft 16
599
+ import_zod10.default.literal("key-attestation+jwt")
600
+ )
601
+ }).passthrough().refine(({ kid, jwk }) => jwk === void 0 || kid === void 0, {
602
+ message: `Both 'jwk' and 'kid' are defined. Only one is allowed`
603
+ }).refine(({ trust_chain, kid }) => !trust_chain || !kid, {
604
+ message: `When 'trust_chain' is provided, 'kid' is required`
605
+ });
606
+ var zIso18045 = import_zod10.default.enum(["iso_18045_high", "iso_18045_moderate", "iso_18045_enhanced-basic", "iso_18045_basic"]);
607
+ var zIso18045OrStringArray = import_zod10.default.array(import_zod10.default.union([zIso18045, import_zod10.default.string()]));
608
+ var zKeyAttestationJwtPayload = import_zod10.default.object({
609
+ ...import_oauth23.zJwtPayload.shape,
610
+ iat: import_utils3.zInteger,
611
+ attested_keys: import_zod10.default.array(import_oauth23.zJwk),
612
+ key_storage: import_zod10.default.optional(zIso18045OrStringArray),
613
+ user_authentication: import_zod10.default.optional(zIso18045OrStringArray),
614
+ certification: import_zod10.default.optional(import_zod10.default.string().url())
615
+ }).passthrough();
616
+ var zKeyAttestationJwtPayloadForUse = (use) => import_zod10.default.object({
617
+ ...zKeyAttestationJwtPayload.shape,
618
+ // REQUIRED when used as proof_type.attesation directly
619
+ nonce: use === "proof_type.attestation" ? import_zod10.default.string({
620
+ message: `Nonce must be defined when key attestation is used as 'proof_type.attestation' directly`
621
+ }) : import_zod10.default.optional(import_zod10.default.string()),
622
+ // REQUIRED when used within header of proof_type.jwt
623
+ exp: use === "proof_type.jwt" ? import_utils3.zInteger : import_zod10.default.optional(import_utils3.zInteger)
624
+ }).passthrough();
625
+
626
+ // src/metadata/credential-issuer/z-credential-configuration-supported-common.ts
627
+ var zCredentialConfigurationSupportedCommon = import_zod11.default.object({
628
+ format: import_zod11.default.string(),
629
+ scope: import_zod11.default.string().optional(),
630
+ cryptographic_binding_methods_supported: import_zod11.default.array(import_zod11.default.string()).optional(),
631
+ credential_signing_alg_values_supported: import_zod11.default.array(import_zod11.default.string()).optional(),
632
+ proof_types_supported: import_zod11.default.record(
633
+ import_zod11.default.union([import_zod11.default.literal("jwt"), import_zod11.default.literal("attestation"), import_zod11.default.string()]),
634
+ import_zod11.default.object({
635
+ proof_signing_alg_values_supported: import_zod11.default.array(import_zod11.default.string()),
636
+ key_attestations_required: import_zod11.default.object({
637
+ key_storage: zIso18045OrStringArray.optional(),
638
+ user_authentication: zIso18045OrStringArray.optional()
639
+ }).passthrough().optional()
640
+ })
641
+ ).optional(),
642
+ display: import_zod11.default.array(
643
+ import_zod11.default.object({
644
+ name: import_zod11.default.string(),
645
+ locale: import_zod11.default.string().optional(),
646
+ logo: import_zod11.default.object({
647
+ // FIXME: make required again, but need to support draft 11 first
648
+ uri: import_zod11.default.string().optional(),
649
+ alt_text: import_zod11.default.string().optional()
650
+ }).passthrough().optional(),
651
+ description: import_zod11.default.string().optional(),
652
+ background_color: import_zod11.default.string().optional(),
653
+ background_image: import_zod11.default.object({
654
+ // TODO: should be required, but paradym's metadata is wrong here.
655
+ uri: import_zod11.default.string().optional()
656
+ }).passthrough().optional(),
657
+ text_color: import_zod11.default.string().optional()
658
+ }).passthrough()
659
+ ).optional()
660
+ }).passthrough();
390
661
 
391
662
  // src/metadata/credential-issuer/z-credential-issuer-metadata.ts
392
663
  var allCredentialIssuerMetadataFormats = [
393
- zSdJwtVcCredentialIssuerMetadata,
664
+ zSdJwtDcCredentialIssuerMetadata,
394
665
  zMsoMdocCredentialIssuerMetadata,
395
666
  zJwtVcJsonLdCredentialIssuerMetadata,
396
667
  zLdpVcCredentialIssuerMetadata,
397
- zJwtVcJsonCredentialIssuerMetadata
668
+ zJwtVcJsonCredentialIssuerMetadata,
669
+ zMsoMdocCredentialIssuerMetadataDraft14,
670
+ zSdJwtVcCredentialIssuerMetadataDraft14,
671
+ zJwtVcJsonLdCredentialIssuerMetadataDraft14,
672
+ zLdpVcCredentialIssuerMetadataDraft14,
673
+ zJwtVcJsonCredentialIssuerMetadataDraft14
398
674
  ];
399
675
  var allCredentialIssuerMetadataFormatIdentifiers = allCredentialIssuerMetadataFormats.map(
400
676
  (format) => format.shape.format.value
@@ -402,56 +678,69 @@ var allCredentialIssuerMetadataFormatIdentifiers = allCredentialIssuerMetadataFo
402
678
  var zCredentialConfigurationSupportedWithFormats = zCredentialConfigurationSupportedCommon.transform(
403
679
  (data, ctx) => {
404
680
  if (!allCredentialIssuerMetadataFormatIdentifiers.includes(data.format)) return data;
405
- const result = import_zod9.default.object({}).passthrough().and(import_zod9.default.discriminatedUnion("format", allCredentialIssuerMetadataFormats)).safeParse(data);
681
+ const validators = allCredentialIssuerMetadataFormats.reduce(
682
+ (validators2, formatValidator) => {
683
+ const format = formatValidator.shape.format.value;
684
+ if (!validators2[format]) {
685
+ validators2[format] = [];
686
+ }
687
+ validators2[format].push(formatValidator);
688
+ return validators2;
689
+ },
690
+ {}
691
+ )[data.format];
692
+ const result = import_zod12.default.object({}).passthrough().and(
693
+ validators.length > 1 ? import_zod12.default.union(validators) : validators[0]
694
+ ).safeParse(data);
406
695
  if (result.success) {
407
696
  return result.data;
408
697
  }
409
698
  for (const issue of result.error.issues) {
410
699
  ctx.addIssue(issue);
411
700
  }
412
- return import_zod9.default.NEVER;
701
+ return import_zod12.default.NEVER;
413
702
  }
414
703
  );
415
- var zCredentialIssuerMetadataDisplayEntry = import_zod9.default.object({
416
- name: import_zod9.default.string().optional(),
417
- locale: import_zod9.default.string().optional(),
418
- logo: import_zod9.default.object({
704
+ var zCredentialIssuerMetadataDisplayEntry = import_zod12.default.object({
705
+ name: import_zod12.default.string().optional(),
706
+ locale: import_zod12.default.string().optional(),
707
+ logo: import_zod12.default.object({
419
708
  // FIXME: make required again, but need to support draft 11 first
420
- uri: import_zod9.default.string().optional(),
421
- alt_text: import_zod9.default.string().optional()
709
+ uri: import_zod12.default.string().optional(),
710
+ alt_text: import_zod12.default.string().optional()
422
711
  }).passthrough().optional()
423
712
  }).passthrough();
424
- var zCredentialIssuerMetadataDraft14 = import_zod9.default.object({
425
- credential_issuer: import_utils2.zHttpsUrl,
426
- authorization_servers: import_zod9.default.array(import_utils2.zHttpsUrl).optional(),
427
- credential_endpoint: import_utils2.zHttpsUrl,
428
- deferred_credential_endpoint: import_utils2.zHttpsUrl.optional(),
429
- notification_endpoint: import_utils2.zHttpsUrl.optional(),
713
+ var zCredentialIssuerMetadataDraft14Draft15 = import_zod12.default.object({
714
+ credential_issuer: import_utils4.zHttpsUrl,
715
+ authorization_servers: import_zod12.default.array(import_utils4.zHttpsUrl).optional(),
716
+ credential_endpoint: import_utils4.zHttpsUrl,
717
+ deferred_credential_endpoint: import_utils4.zHttpsUrl.optional(),
718
+ notification_endpoint: import_utils4.zHttpsUrl.optional(),
430
719
  // Added after draft 14, but needed for proper
431
- nonce_endpoint: import_utils2.zHttpsUrl.optional(),
432
- credential_response_encryption: import_zod9.default.object({
433
- alg_values_supported: import_zod9.default.array(import_zod9.default.string()),
434
- enc_values_supported: import_zod9.default.array(import_zod9.default.string()),
435
- encryption_required: import_zod9.default.boolean()
720
+ nonce_endpoint: import_utils4.zHttpsUrl.optional(),
721
+ credential_response_encryption: import_zod12.default.object({
722
+ alg_values_supported: import_zod12.default.array(import_zod12.default.string()),
723
+ enc_values_supported: import_zod12.default.array(import_zod12.default.string()),
724
+ encryption_required: import_zod12.default.boolean()
436
725
  }).passthrough().optional(),
437
- batch_credential_issuance: import_zod9.default.object({
438
- batch_size: import_zod9.default.number().positive()
726
+ batch_credential_issuance: import_zod12.default.object({
727
+ batch_size: import_zod12.default.number().positive()
439
728
  }).passthrough().optional(),
440
- signed_metadata: import_oauth22.zCompactJwt.optional(),
441
- display: import_zod9.default.array(zCredentialIssuerMetadataDisplayEntry).optional(),
442
- credential_configurations_supported: import_zod9.default.record(import_zod9.default.string(), zCredentialConfigurationSupportedWithFormats)
729
+ signed_metadata: import_oauth24.zCompactJwt.optional(),
730
+ display: import_zod12.default.array(zCredentialIssuerMetadataDisplayEntry).optional(),
731
+ credential_configurations_supported: import_zod12.default.record(import_zod12.default.string(), zCredentialConfigurationSupportedWithFormats)
443
732
  }).passthrough();
444
- var zCredentialConfigurationSupportedDraft11To14 = import_zod9.default.object({
445
- id: import_zod9.default.string().optional(),
446
- format: import_zod9.default.string(),
447
- cryptographic_suites_supported: import_zod9.default.array(import_zod9.default.string()).optional(),
448
- display: import_zod9.default.array(
449
- import_zod9.default.object({
450
- logo: import_zod9.default.object({
451
- url: import_zod9.default.string().url().optional()
733
+ var zCredentialConfigurationSupportedDraft11To14 = import_zod12.default.object({
734
+ id: import_zod12.default.string().optional(),
735
+ format: import_zod12.default.string(),
736
+ cryptographic_suites_supported: import_zod12.default.array(import_zod12.default.string()).optional(),
737
+ display: import_zod12.default.array(
738
+ import_zod12.default.object({
739
+ logo: import_zod12.default.object({
740
+ url: import_zod12.default.string().url().optional()
452
741
  }).passthrough().optional(),
453
- background_image: import_zod9.default.object({
454
- url: import_zod9.default.string().url().optional()
742
+ background_image: import_zod12.default.object({
743
+ url: import_zod12.default.string().url().optional()
455
744
  }).passthrough().optional()
456
745
  }).passthrough()
457
746
  ).optional()
@@ -492,11 +781,11 @@ var zCredentialConfigurationSupportedDraft11To14 = import_zod9.default.object({
492
781
  for (const issue of result.error.issues) {
493
782
  ctx.addIssue(issue);
494
783
  }
495
- return import_zod9.default.NEVER;
784
+ return import_zod12.default.NEVER;
496
785
  }).pipe(zCredentialConfigurationSupportedWithFormats);
497
786
  var zCredentialConfigurationSupportedDraft14To11 = zCredentialConfigurationSupportedWithFormats.and(
498
- import_zod9.default.object({
499
- id: import_zod9.default.string()
787
+ import_zod12.default.object({
788
+ id: import_zod12.default.string()
500
789
  }).passthrough()
501
790
  ).transform(({ id, credential_signing_alg_values_supported, display, proof_types_supported, scope, ...rest }) => ({
502
791
  ...rest,
@@ -516,15 +805,15 @@ var zCredentialConfigurationSupportedDraft14To11 = zCredentialConfigurationSuppo
516
805
  } : {},
517
806
  id
518
807
  })).pipe(
519
- import_zod9.default.union([
808
+ import_zod12.default.union([
520
809
  zLdpVcCredentialIssuerMetadataDraft14To11,
521
810
  zJwtVcJsonCredentialIssuerMetadataDraft14To11,
522
811
  zJwtVcJsonLdCredentialIssuerMetadataDraft14To11,
523
812
  // To handle unrecognized formats and not error immediately we allow the common format as well
524
813
  // but they can't use any of the foramt identifiers that have a specific transformation. This way if a format is
525
814
  // has a transformation it NEEDS to use the format specific transformation, and otherwise we fall back to the common validation
526
- import_zod9.default.object({
527
- format: import_zod9.default.string().refine(
815
+ import_zod12.default.object({
816
+ format: import_zod12.default.string().refine(
528
817
  (input) => ![
529
818
  zLdpVcFormatIdentifier.value,
530
819
  zJwtVcJsonFormatIdentifier.value,
@@ -534,11 +823,11 @@ var zCredentialConfigurationSupportedDraft14To11 = zCredentialConfigurationSuppo
534
823
  }).passthrough()
535
824
  ])
536
825
  );
537
- var zCredentialIssuerMetadataDraft11To14 = import_zod9.default.object({
538
- authorization_server: import_zod9.default.string().optional(),
539
- credentials_supported: import_zod9.default.array(
540
- import_zod9.default.object({
541
- id: import_zod9.default.string().optional()
826
+ var zCredentialIssuerMetadataDraft11To14 = import_zod12.default.object({
827
+ authorization_server: import_zod12.default.string().optional(),
828
+ credentials_supported: import_zod12.default.array(
829
+ import_zod12.default.object({
830
+ id: import_zod12.default.string().optional()
542
831
  }).passthrough()
543
832
  )
544
833
  }).passthrough().transform(({ authorization_server, credentials_supported, ...rest }) => {
@@ -551,12 +840,12 @@ var zCredentialIssuerMetadataDraft11To14 = import_zod9.default.object({
551
840
  )
552
841
  };
553
842
  }).pipe(
554
- import_zod9.default.object({
843
+ import_zod12.default.object({
555
844
  // Update from v11 structrue to v14 structure
556
- credential_configurations_supported: import_zod9.default.record(import_zod9.default.string(), zCredentialConfigurationSupportedDraft11To14)
845
+ credential_configurations_supported: import_zod12.default.record(import_zod12.default.string(), zCredentialConfigurationSupportedDraft11To14)
557
846
  }).passthrough()
558
- ).pipe(zCredentialIssuerMetadataDraft14);
559
- var zCredentialIssuerMetadataWithDraft11 = zCredentialIssuerMetadataDraft14.transform((issuerMetadata) => ({
847
+ ).pipe(zCredentialIssuerMetadataDraft14Draft15);
848
+ var zCredentialIssuerMetadataWithDraft11 = zCredentialIssuerMetadataDraft14Draft15.transform((issuerMetadata) => ({
560
849
  ...issuerMetadata,
561
850
  ...issuerMetadata.authorization_servers ? { authorization_server: issuerMetadata.authorization_servers[0] } : {},
562
851
  credentials_supported: Object.entries(issuerMetadata.credential_configurations_supported).map(([id, value]) => ({
@@ -564,22 +853,35 @@ var zCredentialIssuerMetadataWithDraft11 = zCredentialIssuerMetadataDraft14.tran
564
853
  id
565
854
  }))
566
855
  })).pipe(
567
- zCredentialIssuerMetadataDraft14.extend({
568
- credentials_supported: import_zod9.default.array(zCredentialConfigurationSupportedDraft14To11)
856
+ zCredentialIssuerMetadataDraft14Draft15.extend({
857
+ credentials_supported: import_zod12.default.array(zCredentialConfigurationSupportedDraft14To11)
569
858
  })
570
859
  );
571
- var zCredentialIssuerMetadata = import_zod9.default.union([
572
- // First prioritize draft 14 (and 13)
573
- zCredentialIssuerMetadataDraft14,
860
+ var zCredentialIssuerMetadata = import_zod12.default.union([
861
+ // First prioritize draft 15/14 (and 13)
862
+ zCredentialIssuerMetadataDraft14Draft15,
574
863
  // Then try parsing draft 11 and transform into draft 14
575
864
  zCredentialIssuerMetadataDraft11To14
576
865
  ]);
577
- var zCredentialIssuerMetadataWithDraftVersion = import_zod9.default.union([
578
- // First prioritize draft 14 (and 13)
579
- zCredentialIssuerMetadataDraft14.transform((credentialIssuerMetadata) => ({
580
- credentialIssuerMetadata,
581
- originalDraftVersion: "Draft14" /* Draft14 */
582
- })),
866
+ var zCredentialIssuerMetadataWithDraftVersion = import_zod12.default.union([
867
+ zCredentialIssuerMetadataDraft14Draft15.transform((credentialIssuerMetadata) => {
868
+ const isDraft15 = Object.values(credentialIssuerMetadata.credential_configurations_supported).some(
869
+ (configuration) => {
870
+ const knownConfiguration = configuration;
871
+ if (knownConfiguration.format === zSdJwtDcFormatIdentifier.value) return true;
872
+ if (Array.isArray(knownConfiguration.claims)) return true;
873
+ if (Object.values(knownConfiguration.proof_types_supported ?? {}).some(
874
+ (proofType) => proofType.key_attestations_required !== void 0
875
+ ))
876
+ return true;
877
+ return false;
878
+ }
879
+ );
880
+ return {
881
+ credentialIssuerMetadata,
882
+ originalDraftVersion: isDraft15 ? "Draft15" /* Draft15 */ : "Draft14" /* Draft14 */
883
+ };
884
+ }),
583
885
  // Then try parsing draft 11 and transform into draft 14
584
886
  zCredentialIssuerMetadataDraft11To14.transform((credentialIssuerMetadata) => ({
585
887
  credentialIssuerMetadata,
@@ -590,10 +892,10 @@ var zCredentialIssuerMetadataWithDraftVersion = import_zod9.default.union([
590
892
  // src/metadata/credential-issuer/credential-issuer-metadata.ts
591
893
  var wellKnownCredentialIssuerSuffix = ".well-known/openid-credential-issuer";
592
894
  async function fetchCredentialIssuerMetadata(credentialIssuer, fetch) {
593
- const wellKnownMetadataUrl = (0, import_utils3.joinUriParts)(credentialIssuer, [wellKnownCredentialIssuerSuffix]);
594
- const result = await (0, import_oauth23.fetchWellKnownMetadata)(wellKnownMetadataUrl, zCredentialIssuerMetadataWithDraftVersion, fetch);
895
+ const wellKnownMetadataUrl = (0, import_utils5.joinUriParts)(credentialIssuer, [wellKnownCredentialIssuerSuffix]);
896
+ const result = await (0, import_oauth25.fetchWellKnownMetadata)(wellKnownMetadataUrl, zCredentialIssuerMetadataWithDraftVersion, fetch);
595
897
  if (result && result.credentialIssuerMetadata.credential_issuer !== credentialIssuer) {
596
- throw new import_oauth23.Oauth2Error(
898
+ throw new import_oauth25.Oauth2Error(
597
899
  `The 'credential_issuer' parameter '${result.credentialIssuerMetadata.credential_issuer}' in the well known credential issuer metadata at '${wellKnownMetadataUrl}' does not match the provided credential issuer '${credentialIssuer}'.`
598
900
  );
599
901
  }
@@ -606,6 +908,15 @@ function extractKnownCredentialConfigurationSupportedFormats(credentialConfigura
606
908
  )
607
909
  );
608
910
  }
911
+ function getCredentialConfigurationSupportedById(credentialConfigurations, credentialConfigurationId) {
912
+ const configuration = credentialConfigurations[credentialConfigurationId];
913
+ if (!configuration) {
914
+ throw new import_oauth25.Oauth2Error(
915
+ `Credential configuration with id '${credentialConfigurationId}' not found in credential configurations supported.`
916
+ );
917
+ }
918
+ return configuration;
919
+ }
609
920
 
610
921
  // src/credential-request/credential-request-configurations.ts
611
922
  function getCredentialConfigurationsMatchingRequestFormat({
@@ -619,10 +930,10 @@ function getCredentialConfigurationsMatchingRequestFormat({
619
930
  const r = requestFormat;
620
931
  const c = credentialConfiguration;
621
932
  if ((c.format === "ldp_vc" || c.format === "jwt_vc_json-ld") && r.format === c.format) {
622
- return (0, import_utils4.arrayEqualsIgnoreOrder)(r.credential_definition.type, c.credential_definition.type) && (0, import_utils4.arrayEqualsIgnoreOrder)(r.credential_definition["@context"], c.credential_definition["@context"]);
933
+ return (0, import_utils6.arrayEqualsIgnoreOrder)(r.credential_definition.type, c.credential_definition.type) && (0, import_utils6.arrayEqualsIgnoreOrder)(r.credential_definition["@context"], c.credential_definition["@context"]);
623
934
  }
624
935
  if (c.format === "jwt_vc_json" && r.format === c.format) {
625
- return (0, import_utils4.arrayEqualsIgnoreOrder)(r.credential_definition.type, c.credential_definition.type);
936
+ return (0, import_utils6.arrayEqualsIgnoreOrder)(r.credential_definition.type, c.credential_definition.type);
626
937
  }
627
938
  if (c.format === "vc+sd-jwt" && r.format === c.format) {
628
939
  return r.vct === c.vct;
@@ -664,276 +975,124 @@ var Openid4vciSendNotificationError = class extends Openid4vciError {
664
975
  }
665
976
  };
666
977
 
667
- // src/metadata/credential-issuer/credential-configurations.ts
668
- var import_oauth24 = require("@openid4vc/oauth2");
669
- var import_utils5 = require("@openid4vc/utils");
670
- function extractScopesForCredentialConfigurationIds(options) {
671
- const scopes = /* @__PURE__ */ new Set();
672
- for (const credentialConfigurationId of options.credentialConfigurationIds) {
673
- const credentialConfiguration = options.issuerMetadata.credentialIssuer.credential_configurations_supported[credentialConfigurationId];
674
- if (!credentialConfiguration) {
675
- throw new import_oauth24.Oauth2Error(
676
- `Credential configuration with id '${credentialConfigurationId}' not found in metadata from credential issuer '${options.issuerMetadata.credentialIssuer.credential_issuer}'`
677
- );
678
- }
679
- const scope = credentialConfiguration.scope;
680
- if (scope) scopes.add(scope);
681
- else if (!scope && options.throwOnConfigurationWithoutScope) {
682
- throw new import_oauth24.Oauth2Error(
683
- `Credential configuration with id '${credentialConfigurationId}' does not have a 'scope' configured, and 'throwOnConfigurationWithoutScope' was enabled.`
684
- );
685
- }
686
- }
687
- return scopes.size > 0 ? Array.from(scopes) : void 0;
688
- }
689
- function credentialsSupportedToCredentialConfigurationsSupported(credentialsSupported) {
690
- const credentialConfigurationsSupported = {};
691
- for (let index = 0; index < credentialsSupported.length; index++) {
692
- const credentialSupported = credentialsSupported[index];
693
- if (!credentialSupported.id) {
694
- throw new Openid4vciError(
695
- `Credential supported at index '${index}' does not have an 'id' property. Credential configuration requires the 'id' property as key`
696
- );
697
- }
698
- const parseResult = zCredentialConfigurationSupportedDraft11To14.safeParse(credentialSupported);
699
- if (!parseResult.success) {
700
- throw new import_utils5.ValidationError(
701
- `Error transforming credential supported with id '${credentialSupported.id}' to credential configuration supported format`,
702
- parseResult.error
703
- );
704
- }
705
- credentialConfigurationsSupported[credentialSupported.id] = parseResult.data;
706
- }
707
- return credentialConfigurationsSupported;
708
- }
709
-
710
- // src/Openid4vciClient.ts
711
- var import_oauth218 = require("@openid4vc/oauth2");
712
-
713
- // src/credential-offer/credential-offer.ts
978
+ // src/key-attestation/key-attestation.ts
714
979
  var import_oauth26 = require("@openid4vc/oauth2");
980
+ var import_oauth27 = require("@openid4vc/oauth2");
715
981
  var import_utils7 = require("@openid4vc/utils");
716
-
717
- // src/credential-offer/z-credential-offer.ts
718
- var import_oauth25 = require("@openid4vc/oauth2");
719
- var import_utils6 = require("@openid4vc/utils");
720
- var import_zod10 = __toESM(require("zod"));
721
- var zTxCode = import_zod10.default.object({
722
- input_mode: import_zod10.default.union([import_zod10.default.literal("numeric"), import_zod10.default.literal("text")]).optional(),
723
- length: import_zod10.default.number().int().optional(),
724
- description: import_zod10.default.string().max(300).optional()
725
- }).passthrough();
726
- var zCredentialOfferGrants = import_zod10.default.object({
727
- authorization_code: import_zod10.default.object({
728
- issuer_state: import_zod10.default.string().optional(),
729
- authorization_server: import_utils6.zHttpsUrl.optional()
730
- }).passthrough().optional(),
731
- [import_oauth25.preAuthorizedCodeGrantIdentifier]: import_zod10.default.object({
732
- "pre-authorized_code": import_zod10.default.string(),
733
- tx_code: zTxCode.optional(),
734
- authorization_server: import_utils6.zHttpsUrl.optional()
735
- }).passthrough().optional()
736
- }).passthrough();
737
- var zCredentialOfferObjectDraft14 = import_zod10.default.object({
738
- credential_issuer: import_utils6.zHttpsUrl,
739
- credential_configuration_ids: import_zod10.default.array(import_zod10.default.string()),
740
- grants: import_zod10.default.optional(zCredentialOfferGrants)
741
- }).passthrough();
742
- var zCredentialOfferObjectDraft11To14 = import_zod10.default.object({
743
- credential_issuer: import_utils6.zHttpsUrl,
744
- // We don't support the inline offer objects from draft 11
745
- credentials: import_zod10.default.array(
746
- import_zod10.default.string({ message: "Only string credential identifiers are supported for draft 11 credential offers" })
747
- ),
748
- grants: import_zod10.default.optional(
749
- import_zod10.default.object({
750
- // Has extra param in draft 14, but doesn't matter for transform purposes
751
- authorization_code: zCredentialOfferGrants.shape.authorization_code,
752
- [import_oauth25.preAuthorizedCodeGrantIdentifier]: import_zod10.default.object({
753
- "pre-authorized_code": import_zod10.default.string(),
754
- user_pin_required: import_zod10.default.optional(import_zod10.default.boolean())
755
- }).passthrough().optional()
756
- })
757
- )
758
- }).passthrough().transform(({ credentials, grants, ...rest }) => {
759
- const v14 = {
760
- ...rest,
761
- credential_configuration_ids: credentials
762
- };
763
- if (grants) {
764
- v14.grants = { ...grants };
765
- if (grants[import_oauth25.preAuthorizedCodeGrantIdentifier]) {
766
- const { user_pin_required, ...restGrants } = grants[import_oauth25.preAuthorizedCodeGrantIdentifier];
767
- v14.grants[import_oauth25.preAuthorizedCodeGrantIdentifier] = {
768
- ...restGrants
769
- };
770
- if (user_pin_required) {
771
- v14.grants[import_oauth25.preAuthorizedCodeGrantIdentifier].tx_code = {
772
- input_mode: "text"
773
- };
774
- }
775
- }
982
+ async function createKeyAttestationJwt(options) {
983
+ const header = (0, import_utils7.parseWithErrorHandling)(zKeyAttestationJwtHeader, {
984
+ ...(0, import_oauth26.jwtHeaderFromJwtSigner)(options.signer),
985
+ typ: "keyattestation+jwt"
986
+ });
987
+ const payload = (0, import_utils7.parseWithErrorHandling)(zKeyAttestationJwtPayloadForUse(options.use), {
988
+ iat: (0, import_utils7.dateToSeconds)(options.issuedAt),
989
+ exp: options.expiresAt ? (0, import_utils7.dateToSeconds)(options.expiresAt) : void 0,
990
+ nonce: options.nonce,
991
+ attested_keys: options.attestedKeys,
992
+ user_authentication: options.userAuthentication,
993
+ key_storage: options.keyStorage,
994
+ certification: options.certification,
995
+ ...options.additionalPayload
996
+ });
997
+ const { jwt } = await options.callbacks.signJwt(options.signer, { header, payload });
998
+ return jwt;
999
+ }
1000
+ function parseKeyAttestationJwt({ keyAttestationJwt, use }) {
1001
+ return (0, import_oauth26.decodeJwt)({
1002
+ jwt: keyAttestationJwt,
1003
+ headerSchema: zKeyAttestationJwtHeader,
1004
+ payloadSchema: zKeyAttestationJwtPayloadForUse(use)
1005
+ });
1006
+ }
1007
+ async function verifyKeyAttestationJwt(options) {
1008
+ const { header, payload } = parseKeyAttestationJwt({ keyAttestationJwt: options.keyAttestationJwt, use: options.use });
1009
+ const now = options.now?.getTime() ?? Date.now();
1010
+ if (options.nonceExpiresAt && now > options.nonceExpiresAt.getTime()) {
1011
+ throw new Openid4vciError("Nonce used for key attestation jwt expired");
776
1012
  }
777
- return v14;
778
- }).pipe(zCredentialOfferObjectDraft14);
779
- var zCredentialOfferObject = import_zod10.default.union([
780
- // First prioritize draft 14 (and 13)
781
- zCredentialOfferObjectDraft14,
782
- // Then try parsing draft 11 and transform into draft 14
783
- zCredentialOfferObjectDraft11To14
784
- ]);
1013
+ const { signer } = await (0, import_oauth27.verifyJwt)({
1014
+ compact: options.keyAttestationJwt,
1015
+ header,
1016
+ payload,
1017
+ signer: (0, import_oauth27.jwtSignerFromJwt)({ header, payload }),
1018
+ verifyJwtCallback: options.callbacks.verifyJwt,
1019
+ errorMessage: "Error verifiying key attestation jwt",
1020
+ expectedNonce: options.expectedNonce,
1021
+ now: options.now
1022
+ });
1023
+ return {
1024
+ header,
1025
+ payload,
1026
+ signer
1027
+ };
1028
+ }
785
1029
 
786
- // src/credential-offer/credential-offer.ts
787
- async function resolveCredentialOffer(credentialOffer, options) {
788
- const parsedQueryParams = (0, import_utils7.getQueryParams)(credentialOffer);
789
- let credentialOfferParseResult;
790
- if (parsedQueryParams.credential_offer_uri) {
791
- const fetchWithZod = (0, import_utils7.createZodFetcher)(options?.fetch);
792
- const { response, result } = await fetchWithZod(
793
- zCredentialOfferObject,
794
- import_utils7.ContentType.Json,
795
- parsedQueryParams.credential_offer_uri
796
- );
797
- if (!response.ok || !result) {
798
- throw new import_oauth26.InvalidFetchResponseError(
799
- `Fetching credential offer from '${parsedQueryParams.credential_offer_uri}' resulted in an unsuccesfull response with status '${response.status}'`,
800
- await response.clone().text(),
801
- response
1030
+ // src/metadata/credential-issuer/credential-configurations.ts
1031
+ var import_oauth28 = require("@openid4vc/oauth2");
1032
+ var import_utils8 = require("@openid4vc/utils");
1033
+ function extractScopesForCredentialConfigurationIds(options) {
1034
+ const scopes = /* @__PURE__ */ new Set();
1035
+ for (const credentialConfigurationId of options.credentialConfigurationIds) {
1036
+ const credentialConfiguration = options.issuerMetadata.credentialIssuer.credential_configurations_supported[credentialConfigurationId];
1037
+ if (!credentialConfiguration) {
1038
+ throw new import_oauth28.Oauth2Error(
1039
+ `Credential configuration with id '${credentialConfigurationId}' not found in metadata from credential issuer '${options.issuerMetadata.credentialIssuer.credential_issuer}'`
802
1040
  );
803
1041
  }
804
- credentialOfferParseResult = result;
805
- } else if (parsedQueryParams.credential_offer) {
806
- let credentialOfferJson;
807
- try {
808
- credentialOfferJson = JSON.parse(decodeURIComponent(parsedQueryParams.credential_offer));
809
- } catch (error) {
810
- throw new import_oauth26.Oauth2Error(`Error parsing JSON from 'credential_offer' param in credential offer '${credentialOffer}'`);
1042
+ const scope = credentialConfiguration.scope;
1043
+ if (scope) scopes.add(scope);
1044
+ else if (!scope && options.throwOnConfigurationWithoutScope) {
1045
+ throw new import_oauth28.Oauth2Error(
1046
+ `Credential configuration with id '${credentialConfigurationId}' does not have a 'scope' configured, and 'throwOnConfigurationWithoutScope' was enabled.`
1047
+ );
811
1048
  }
812
- credentialOfferParseResult = zCredentialOfferObject.safeParse(credentialOfferJson);
813
- } else {
814
- throw new import_oauth26.Oauth2Error(`Credential offer did not contain either 'credential_offer' or 'credential_offer_uri' param.`);
815
- }
816
- if (credentialOfferParseResult.error) {
817
- throw new import_utils7.ValidationError(
818
- `Error parsing credential offer in draft 11, 13 or 14 format extracted from credential offer '${credentialOffer}'`,
819
- credentialOfferParseResult.error
820
- );
821
1049
  }
822
- return credentialOfferParseResult.data;
1050
+ return scopes.size > 0 ? Array.from(scopes) : void 0;
823
1051
  }
824
- function determineAuthorizationServerForCredentialOffer(options) {
825
- const authorizationServers = options.issuerMetadata.credentialIssuer.authorization_servers;
826
- let authorizationServer;
827
- if (options.grantAuthorizationServer) {
828
- authorizationServer = options.grantAuthorizationServer;
829
- if (!authorizationServers) {
830
- throw new import_oauth26.Oauth2Error(
831
- `Credential offer grant contains 'authorization_server' with value '${options.grantAuthorizationServer}' but credential issuer metadata does not have an 'authorization_servers' property to match the value against.`
832
- );
833
- }
834
- if (!authorizationServers.includes(authorizationServer)) {
835
- throw new import_oauth26.Oauth2Error(
836
- `Credential offer grant contains 'authorization_server' with value '${options.grantAuthorizationServer}' but credential issuer metadata does not include this authorization server. Available 'authorization_server' values are ${authorizationServers.join(", ")}.`
1052
+ function credentialsSupportedToCredentialConfigurationsSupported(credentialsSupported) {
1053
+ const credentialConfigurationsSupported = {};
1054
+ for (let index = 0; index < credentialsSupported.length; index++) {
1055
+ const credentialSupported = credentialsSupported[index];
1056
+ if (!credentialSupported.id) {
1057
+ throw new Openid4vciError(
1058
+ `Credential supported at index '${index}' does not have an 'id' property. Credential configuration requires the 'id' property as key`
837
1059
  );
838
1060
  }
839
- } else if (!authorizationServers) {
840
- authorizationServer = options.issuerMetadata.credentialIssuer.credential_issuer;
841
- } else {
842
- if (authorizationServers.length === 0) {
843
- throw new import_oauth26.Oauth2Error(`Credential issuer metadata has 'authorization_servers' value with length of 0`);
844
- }
845
- if (authorizationServers.length > 1) {
846
- throw new import_oauth26.Oauth2Error(
847
- `Credential issuer metadata has 'authorization_server' with multiple entries, but the credential offer grant did not specify which authorization server to use.`
1061
+ const parseResult = zCredentialConfigurationSupportedDraft11To14.safeParse(credentialSupported);
1062
+ if (!parseResult.success) {
1063
+ throw new import_utils8.ValidationError(
1064
+ `Error transforming credential supported with id '${credentialSupported.id}' to credential configuration supported format`,
1065
+ parseResult.error
848
1066
  );
849
1067
  }
850
- authorizationServer = authorizationServers[0];
851
- }
852
- return authorizationServer;
853
- }
854
- async function createCredentialOffer(options) {
855
- const {
856
- [import_oauth26.preAuthorizedCodeGrantIdentifier]: preAuthorizedCodeGrant,
857
- [import_oauth26.authorizationCodeGrantIdentifier]: authorizationCodeGrant,
858
- ...restGrants
859
- } = options.grants;
860
- const grants = { ...restGrants };
861
- if (authorizationCodeGrant) {
862
- determineAuthorizationServerForCredentialOffer({
863
- issuerMetadata: options.issuerMetadata,
864
- grantAuthorizationServer: authorizationCodeGrant.authorization_server
865
- });
866
- grants[import_oauth26.authorizationCodeGrantIdentifier] = authorizationCodeGrant;
867
- }
868
- if (preAuthorizedCodeGrant) {
869
- determineAuthorizationServerForCredentialOffer({
870
- issuerMetadata: options.issuerMetadata,
871
- grantAuthorizationServer: preAuthorizedCodeGrant.authorization_server
872
- });
873
- grants[import_oauth26.preAuthorizedCodeGrantIdentifier] = {
874
- ...preAuthorizedCodeGrant,
875
- "pre-authorized_code": preAuthorizedCodeGrant["pre-authorized_code"] ?? (0, import_utils7.encodeToBase64Url)(await options.callbacks.generateRandom(32))
876
- };
877
- const txCode = grants[import_oauth26.preAuthorizedCodeGrantIdentifier].tx_code;
878
- if (txCode && options.issuerMetadata.originalDraftVersion === "Draft11" /* Draft11 */) {
879
- grants[import_oauth26.preAuthorizedCodeGrantIdentifier].user_pin_required = txCode !== void 0;
880
- }
881
- }
882
- const idsNotInMetadata = options.credentialConfigurationIds.filter(
883
- (id) => options.issuerMetadata.credentialIssuer.credential_configurations_supported[id] === void 0
884
- );
885
- if (idsNotInMetadata.length > 0) {
886
- throw new import_oauth26.Oauth2Error(
887
- `Credential configuration ids ${idsNotInMetadata} not found in the credential issuer metadata 'credential_configurations_supported'. Available ids are ${Object.keys(options.issuerMetadata.credentialIssuer.credential_configurations_supported).join(", ")}.`
888
- );
889
- }
890
- const credentialOfferScheme = options.credentialOfferScheme ?? "openid-credential-offer://";
891
- const credentialOfferObject = (0, import_utils7.parseWithErrorHandling)(zCredentialOfferObject, {
892
- credential_issuer: options.issuerMetadata.credentialIssuer.credential_issuer,
893
- credential_configuration_ids: options.credentialConfigurationIds,
894
- grants,
895
- ...options.additionalPayload
896
- });
897
- if (options.issuerMetadata.originalDraftVersion === "Draft11" /* Draft11 */) {
898
- credentialOfferObject.credentials = credentialOfferObject.credential_configuration_ids;
1068
+ credentialConfigurationsSupported[credentialSupported.id] = parseResult.data;
899
1069
  }
900
- const url = new import_utils7.URL(credentialOfferScheme);
901
- url.search = `?${new import_utils7.URLSearchParams([
902
- ...url.searchParams.entries(),
903
- ...(0, import_utils7.objectToQueryParams)({
904
- credential_offer_uri: options.credentialOfferUri,
905
- // Only add credential_offer is uri is undefined
906
- credential_offer: options.credentialOfferUri ? void 0 : credentialOfferObject
907
- }).entries()
908
- ]).toString()}`;
909
- return {
910
- credentialOffer: url.toString(),
911
- credentialOfferObject
912
- };
1070
+ return credentialConfigurationsSupported;
913
1071
  }
914
1072
 
1073
+ // src/Openid4vciClient.ts
1074
+ var import_oauth218 = require("@openid4vc/oauth2");
1075
+
915
1076
  // src/credential-request/format-payload.ts
916
- var import_utils8 = require("@openid4vc/utils");
1077
+ var import_utils9 = require("@openid4vc/utils");
917
1078
  function getCredentialRequestFormatPayloadForCredentialConfigurationId(options) {
918
- const credentialConfiguration = options.issuerMetadata.credentialIssuer.credential_configurations_supported[options.credentialConfigurationId];
919
- if (!credentialConfiguration) {
920
- throw new Openid4vciError(
921
- `Could not find credential configuration with id '${options.credentialConfigurationId}' in metadata of credential issuer '${options.issuerMetadata.credentialIssuer.credential_issuer}'.`
922
- );
923
- }
924
- if ((0, import_utils8.zIs)(zSdJwtVcCredentialIssuerMetadata, credentialConfiguration)) {
1079
+ const credentialConfiguration = getCredentialConfigurationSupportedById(
1080
+ options.issuerMetadata.credentialIssuer.credential_configurations_supported,
1081
+ options.credentialConfigurationId
1082
+ );
1083
+ if ((0, import_utils9.zIs)(zSdJwtVcCredentialIssuerMetadataDraft14, credentialConfiguration)) {
925
1084
  return {
926
1085
  format: credentialConfiguration.format,
927
1086
  vct: credentialConfiguration.vct
928
1087
  };
929
1088
  }
930
- if ((0, import_utils8.zIs)(zMsoMdocCredentialIssuerMetadata, credentialConfiguration)) {
1089
+ if ((0, import_utils9.zIs)(zMsoMdocCredentialIssuerMetadata, credentialConfiguration) || (0, import_utils9.zIs)(zMsoMdocCredentialIssuerMetadataDraft14, credentialConfiguration)) {
931
1090
  return {
932
1091
  format: credentialConfiguration.format,
933
1092
  doctype: credentialConfiguration.doctype
934
1093
  };
935
1094
  }
936
- if ((0, import_utils8.zIs)(zLdpVcCredentialIssuerMetadata, credentialConfiguration)) {
1095
+ if ((0, import_utils9.zIs)(zLdpVcCredentialIssuerMetadata, credentialConfiguration) || (0, import_utils9.zIs)(zLdpVcCredentialIssuerMetadataDraft14, credentialConfiguration)) {
937
1096
  return {
938
1097
  format: credentialConfiguration.format,
939
1098
  credential_definition: {
@@ -942,7 +1101,7 @@ function getCredentialRequestFormatPayloadForCredentialConfigurationId(options)
942
1101
  }
943
1102
  };
944
1103
  }
945
- if ((0, import_utils8.zIs)(zJwtVcJsonLdCredentialIssuerMetadata, credentialConfiguration)) {
1104
+ if ((0, import_utils9.zIs)(zJwtVcJsonLdCredentialIssuerMetadata, credentialConfiguration) || (0, import_utils9.zIs)(zJwtVcJsonLdCredentialIssuerMetadataDraft14, credentialConfiguration)) {
946
1105
  return {
947
1106
  format: credentialConfiguration.format,
948
1107
  credential_definition: {
@@ -951,7 +1110,7 @@ function getCredentialRequestFormatPayloadForCredentialConfigurationId(options)
951
1110
  }
952
1111
  };
953
1112
  }
954
- if ((0, import_utils8.zIs)(zJwtVcJsonCredentialIssuerMetadata, credentialConfiguration)) {
1113
+ if ((0, import_utils9.zIs)(zJwtVcJsonCredentialIssuerMetadata, credentialConfiguration) || (0, import_utils9.zIs)(zJwtVcJsonCredentialIssuerMetadataDraft14, credentialConfiguration)) {
955
1114
  return {
956
1115
  format: credentialConfiguration.format,
957
1116
  credential_definition: {
@@ -959,84 +1118,89 @@ function getCredentialRequestFormatPayloadForCredentialConfigurationId(options)
959
1118
  }
960
1119
  };
961
1120
  }
1121
+ if ((0, import_utils9.zIs)(zSdJwtDcCredentialIssuerMetadata, credentialConfiguration)) {
1122
+ throw new Openid4vciError(
1123
+ `Credential configuration id '${options.credentialConfigurationId}' with format ${zSdJwtVcFormatIdentifier.value} does not support credential request based on 'format'. Use 'credential_configuration_id' directly.`
1124
+ );
1125
+ }
962
1126
  throw new Openid4vciError(
963
1127
  `Unknown format '${credentialConfiguration.format}' in credential configuration with id '${options.credentialConfigurationId}' for credential issuer '${options.issuerMetadata.credentialIssuer.credential_issuer}'`
964
1128
  );
965
1129
  }
966
1130
 
967
1131
  // src/credential-request/retrieve-credentials.ts
968
- var import_oauth210 = require("@openid4vc/oauth2");
969
- var import_utils10 = require("@openid4vc/utils");
1132
+ var import_oauth212 = require("@openid4vc/oauth2");
1133
+ var import_utils11 = require("@openid4vc/utils");
970
1134
 
971
1135
  // src/credential-request/z-credential-request.ts
972
- var import_zod14 = __toESM(require("zod"));
1136
+ var import_zod16 = __toESM(require("zod"));
973
1137
 
974
1138
  // src/credential-request/z-credential-request-common.ts
975
- var import_oauth29 = require("@openid4vc/oauth2");
976
- var import_zod13 = __toESM(require("zod"));
1139
+ var import_oauth211 = require("@openid4vc/oauth2");
1140
+ var import_zod15 = __toESM(require("zod"));
977
1141
 
978
1142
  // src/formats/proof-type/jwt/z-jwt-proof-type.ts
979
- var import_oauth27 = require("@openid4vc/oauth2");
980
- var import_utils9 = require("@openid4vc/utils");
981
- var import_zod11 = __toESM(require("zod"));
982
- var zJwtProofTypeIdentifier = import_zod11.default.literal("jwt");
1143
+ var import_oauth29 = require("@openid4vc/oauth2");
1144
+ var import_utils10 = require("@openid4vc/utils");
1145
+ var import_zod13 = __toESM(require("zod"));
1146
+ var zJwtProofTypeIdentifier = import_zod13.default.literal("jwt");
983
1147
  var jwtProofTypeIdentifier = zJwtProofTypeIdentifier.value;
984
- var zCredentialRequestProofJwt = import_zod11.default.object({
1148
+ var zCredentialRequestProofJwt = import_zod13.default.object({
985
1149
  proof_type: zJwtProofTypeIdentifier,
986
- jwt: import_oauth27.zCompactJwt
1150
+ jwt: import_oauth29.zCompactJwt
987
1151
  });
988
- var zCredentialRequestJwtProofTypeHeader = import_oauth27.zJwtHeader.merge(
989
- import_zod11.default.object({
990
- key_attestation: import_zod11.default.optional(import_oauth27.zCompactJwt),
991
- typ: import_zod11.default.literal("openid4vci-proof+jwt")
1152
+ var zCredentialRequestJwtProofTypeHeader = import_oauth29.zJwtHeader.merge(
1153
+ import_zod13.default.object({
1154
+ key_attestation: import_zod13.default.optional(import_oauth29.zCompactJwt),
1155
+ typ: import_zod13.default.literal("openid4vci-proof+jwt")
992
1156
  })
993
1157
  ).passthrough().refine(({ kid, jwk }) => jwk === void 0 || kid === void 0, {
994
1158
  message: `Both 'jwk' and 'kid' are defined. Only one is allowed`
995
1159
  }).refine(({ trust_chain, kid }) => !trust_chain || !kid, {
996
1160
  message: `When 'trust_chain' is provided, 'kid' is required`
997
1161
  });
998
- var zCredentialRequestJwtProofTypePayload = import_zod11.default.object({
999
- ...import_oauth27.zJwtPayload.shape,
1000
- aud: import_utils9.zHttpsUrl,
1001
- iat: import_utils9.zInteger
1162
+ var zCredentialRequestJwtProofTypePayload = import_zod13.default.object({
1163
+ ...import_oauth29.zJwtPayload.shape,
1164
+ aud: import_utils10.zHttpsUrl,
1165
+ iat: import_utils10.zInteger
1002
1166
  }).passthrough();
1003
1167
 
1004
1168
  // src/formats/proof-type/attestation/z-attestation-proof-type.ts
1005
- var import_oauth28 = require("@openid4vc/oauth2");
1006
- var import_zod12 = __toESM(require("zod"));
1007
- var zAttestationProofTypeIdentifier = import_zod12.default.literal("attestation");
1169
+ var import_oauth210 = require("@openid4vc/oauth2");
1170
+ var import_zod14 = __toESM(require("zod"));
1171
+ var zAttestationProofTypeIdentifier = import_zod14.default.literal("attestation");
1008
1172
  var attestationProofTypeIdentifier = zAttestationProofTypeIdentifier.value;
1009
- var zCredentialRequestProofAttestation = import_zod12.default.object({
1173
+ var zCredentialRequestProofAttestation = import_zod14.default.object({
1010
1174
  proof_type: zAttestationProofTypeIdentifier,
1011
- attestation: import_oauth28.zCompactJwt
1175
+ attestation: import_oauth210.zCompactJwt
1012
1176
  });
1013
1177
  var zCredentialRequestAttestationProofTypePayload = zKeyAttestationJwtPayloadForUse("proof_type.attestation");
1014
1178
 
1015
1179
  // src/credential-request/z-credential-request-common.ts
1016
- var zCredentialRequestProofCommon = import_zod13.default.object({
1017
- proof_type: import_zod13.default.string()
1180
+ var zCredentialRequestProofCommon = import_zod15.default.object({
1181
+ proof_type: import_zod15.default.string()
1018
1182
  }).passthrough();
1019
1183
  var allCredentialRequestProofs = [zCredentialRequestProofJwt, zCredentialRequestProofAttestation];
1020
- var zCredentialRequestProof = import_zod13.default.union([
1184
+ var zCredentialRequestProof = import_zod15.default.union([
1021
1185
  zCredentialRequestProofCommon,
1022
- import_zod13.default.discriminatedUnion("proof_type", allCredentialRequestProofs)
1186
+ import_zod15.default.discriminatedUnion("proof_type", allCredentialRequestProofs)
1023
1187
  ]);
1024
- var zCredentialRequestProofsCommon = import_zod13.default.record(import_zod13.default.string(), import_zod13.default.array(import_zod13.default.unknown()));
1025
- var zCredentialRequestProofs = import_zod13.default.object({
1026
- [zJwtProofTypeIdentifier.value]: import_zod13.default.optional(import_zod13.default.array(zCredentialRequestProofJwt.shape.jwt)),
1027
- [zAttestationProofTypeIdentifier.value]: import_zod13.default.optional(import_zod13.default.array(zCredentialRequestProofAttestation.shape.attestation))
1188
+ var zCredentialRequestProofsCommon = import_zod15.default.record(import_zod15.default.string(), import_zod15.default.array(import_zod15.default.unknown()));
1189
+ var zCredentialRequestProofs = import_zod15.default.object({
1190
+ [zJwtProofTypeIdentifier.value]: import_zod15.default.optional(import_zod15.default.array(zCredentialRequestProofJwt.shape.jwt)),
1191
+ [zAttestationProofTypeIdentifier.value]: import_zod15.default.optional(import_zod15.default.array(zCredentialRequestProofAttestation.shape.attestation))
1028
1192
  });
1029
- var zCredentialRequestCommon = import_zod13.default.object({
1193
+ var zCredentialRequestCommon = import_zod15.default.object({
1030
1194
  proof: zCredentialRequestProof.optional(),
1031
- proofs: import_zod13.default.optional(
1032
- import_zod13.default.intersection(zCredentialRequestProofsCommon, zCredentialRequestProofs).refine((proofs) => Object.values(proofs).length === 1, {
1195
+ proofs: import_zod15.default.optional(
1196
+ import_zod15.default.intersection(zCredentialRequestProofsCommon, zCredentialRequestProofs).refine((proofs) => Object.values(proofs).length === 1, {
1033
1197
  message: `The 'proofs' object in a credential request should contain exactly one attribute`
1034
1198
  })
1035
1199
  ),
1036
- credential_response_encryption: import_zod13.default.object({
1037
- jwk: import_oauth29.zJwk,
1038
- alg: import_zod13.default.string(),
1039
- enc: import_zod13.default.string()
1200
+ credential_response_encryption: import_zod15.default.object({
1201
+ jwk: import_oauth211.zJwk,
1202
+ alg: import_zod15.default.string(),
1203
+ enc: import_zod15.default.string()
1040
1204
  }).passthrough().optional()
1041
1205
  }).passthrough().refine(({ proof, proofs }) => !(proof !== void 0 && proofs !== void 0), {
1042
1206
  message: `Both 'proof' and 'proofs' are defined. Only one is allowed`
@@ -1044,40 +1208,54 @@ var zCredentialRequestCommon = import_zod13.default.object({
1044
1208
 
1045
1209
  // src/credential-request/z-credential-request.ts
1046
1210
  var allCredentialRequestFormats = [
1047
- zSdJwtVcCredentialRequestFormat,
1048
- zMsoMdocCredentialRequestFormat,
1049
- zLdpVcCredentialRequestFormat,
1050
- zJwtVcJsonLdCredentialRequestFormat,
1051
- zJwtVcJsonCredentialRequestFormat
1211
+ zSdJwtVcCredentialRequestFormatDraft14,
1212
+ zMsoMdocCredentialRequestFormatDraft14,
1213
+ zLdpVcCredentialRequestFormatDraft14,
1214
+ zJwtVcJsonLdCredentialRequestFormatDraft14,
1215
+ zJwtVcJsonCredentialRequestFormatDraft14
1052
1216
  ];
1053
1217
  var allCredentialRequestFormatIdentifiers = allCredentialRequestFormats.map(
1054
1218
  (format) => format.shape.format.value
1055
1219
  );
1056
- var zAuthorizationDetailsCredentialRequest = import_zod14.default.object({
1057
- credential_identifier: import_zod14.default.string(),
1220
+ var zCredentialRequestCredentialConfigurationId = import_zod16.default.object({
1221
+ credential_configuration_id: import_zod16.default.string(),
1222
+ format: import_zod16.default.never({ message: "'format' cannot be defined when 'credential_configuration_id' is set." }).optional(),
1223
+ credential_identifier: import_zod16.default.never({ message: "'credential_identifier' cannot be defined when 'credential_configuration_id' is set." }).optional()
1224
+ });
1225
+ var zAuthorizationDetailsCredentialRequest = import_zod16.default.object({
1226
+ credential_identifier: import_zod16.default.string(),
1227
+ credential_configuration_id: import_zod16.default.never({ message: "'credential_configuration_id' cannot be defined when 'credential_identifier' is set." }).optional(),
1058
1228
  // Cannot be present if credential identifier is present
1059
- format: import_zod14.default.never({ message: "'format' cannot be defined when 'credential_identifier' is set." }).optional()
1229
+ format: import_zod16.default.never({ message: "'format' cannot be defined when 'credential_identifier' is set." }).optional()
1060
1230
  });
1061
- var zCredentialRequestFormatNoCredentialIdentifier = import_zod14.default.object({
1062
- format: import_zod14.default.string(),
1063
- credential_identifier: import_zod14.default.never({ message: "'credential_identifier' cannot be defined when 'format' is set." }).optional()
1231
+ var zCredentialRequestFormat = import_zod16.default.object({
1232
+ format: import_zod16.default.string(),
1233
+ credential_identifier: import_zod16.default.never({ message: "'credential_identifier' cannot be defined when 'format' is set." }).optional(),
1234
+ credential_configuration_id: import_zod16.default.never({ message: "'credential_configuration_id' cannot be defined when 'format' is set." }).optional()
1064
1235
  }).passthrough();
1065
- var zCredenialRequestDraft14WithFormat = zCredentialRequestCommon.and(zCredentialRequestFormatNoCredentialIdentifier).transform((data, ctx) => {
1066
- if (!allCredentialRequestFormatIdentifiers.includes(data.format)) return data;
1067
- const result = import_zod14.default.object({}).passthrough().and(import_zod14.default.discriminatedUnion("format", allCredentialRequestFormats)).safeParse(data);
1236
+ var zCredenialRequestDraft14WithFormat = zCredentialRequestCommon.and(zCredentialRequestFormat).transform((data, ctx) => {
1237
+ if (!allCredentialRequestFormatIdentifiers.includes(
1238
+ data.format
1239
+ ))
1240
+ return data;
1241
+ const result = import_zod16.default.object({}).passthrough().and(import_zod16.default.discriminatedUnion("format", allCredentialRequestFormats)).safeParse(data);
1068
1242
  if (result.success) {
1069
1243
  return result.data;
1070
1244
  }
1071
1245
  for (const issue of result.error.issues) {
1072
1246
  ctx.addIssue(issue);
1073
1247
  }
1074
- return import_zod14.default.NEVER;
1248
+ return import_zod16.default.NEVER;
1075
1249
  });
1076
- var zCredentialRequestDraft14 = import_zod14.default.union([
1250
+ var zCredentialRequestDraft15 = import_zod16.default.union([
1251
+ zCredentialRequestCommon.and(zAuthorizationDetailsCredentialRequest),
1252
+ zCredentialRequestCommon.and(zCredentialRequestCredentialConfigurationId)
1253
+ ]);
1254
+ var zCredentialRequestDraft14 = import_zod16.default.union([
1077
1255
  zCredenialRequestDraft14WithFormat,
1078
1256
  zCredentialRequestCommon.and(zAuthorizationDetailsCredentialRequest)
1079
1257
  ]);
1080
- var zCredentialRequestDraft11To14 = zCredentialRequestCommon.and(zCredentialRequestFormatNoCredentialIdentifier).transform((data, ctx) => {
1258
+ var zCredentialRequestDraft11To14 = zCredentialRequestCommon.and(zCredentialRequestFormat).transform((data, ctx) => {
1081
1259
  const formatSpecificTransformations = {
1082
1260
  [zLdpVcFormatIdentifier.value]: zLdpVcCredentialRequestDraft11To14,
1083
1261
  [zJwtVcJsonFormatIdentifier.value]: zJwtVcJsonCredentialRequestDraft11To14,
@@ -1090,7 +1268,7 @@ var zCredentialRequestDraft11To14 = zCredentialRequestCommon.and(zCredentialRequ
1090
1268
  for (const issue of result.error.issues) {
1091
1269
  ctx.addIssue(issue);
1092
1270
  }
1093
- return import_zod14.default.NEVER;
1271
+ return import_zod16.default.NEVER;
1094
1272
  }).pipe(zCredentialRequestDraft14);
1095
1273
  var zCredentialRequestDraft14To11 = zCredentialRequestDraft14.refine(
1096
1274
  (data) => data.credential_identifier === void 0,
@@ -1108,15 +1286,19 @@ var zCredentialRequestDraft14To11 = zCredentialRequestDraft14.refine(
1108
1286
  for (const issue of result.error.issues) {
1109
1287
  ctx.addIssue(issue);
1110
1288
  }
1111
- return import_zod14.default.NEVER;
1289
+ return import_zod16.default.NEVER;
1112
1290
  });
1113
- var zCredentialRequest = import_zod14.default.union([zCredentialRequestDraft14, zCredentialRequestDraft11To14]);
1291
+ var zCredentialRequest = import_zod16.default.union([
1292
+ zCredentialRequestDraft15,
1293
+ zCredentialRequestDraft14,
1294
+ zCredentialRequestDraft11To14
1295
+ ]);
1114
1296
 
1115
1297
  // src/credential-request/z-credential-response.ts
1116
- var import_zod16 = __toESM(require("zod"));
1298
+ var import_zod18 = __toESM(require("zod"));
1117
1299
 
1118
1300
  // ../oauth2/src/common/z-oauth2-error.ts
1119
- var import_zod15 = __toESM(require("zod"));
1301
+ var import_zod17 = __toESM(require("zod"));
1120
1302
  var Oauth2ErrorCodes = /* @__PURE__ */ ((Oauth2ErrorCodes4) => {
1121
1303
  Oauth2ErrorCodes4["ServerError"] = "server_error";
1122
1304
  Oauth2ErrorCodes4["InvalidTarget"] = "invalid_target";
@@ -1153,21 +1335,21 @@ var Oauth2ErrorCodes = /* @__PURE__ */ ((Oauth2ErrorCodes4) => {
1153
1335
  Oauth2ErrorCodes4["WalletUnavailable"] = "wallet_unavailable";
1154
1336
  return Oauth2ErrorCodes4;
1155
1337
  })(Oauth2ErrorCodes || {});
1156
- var zOauth2ErrorResponse = import_zod15.default.object({
1157
- error: import_zod15.default.union([import_zod15.default.nativeEnum(Oauth2ErrorCodes), import_zod15.default.string()]),
1158
- error_description: import_zod15.default.string().optional(),
1159
- error_uri: import_zod15.default.string().optional()
1338
+ var zOauth2ErrorResponse = import_zod17.default.object({
1339
+ error: import_zod17.default.union([import_zod17.default.nativeEnum(Oauth2ErrorCodes), import_zod17.default.string()]),
1340
+ error_description: import_zod17.default.string().optional(),
1341
+ error_uri: import_zod17.default.string().optional()
1160
1342
  }).passthrough();
1161
1343
 
1162
1344
  // src/credential-request/z-credential-response.ts
1163
- var zCredentialEncoding = import_zod16.default.union([import_zod16.default.string(), import_zod16.default.record(import_zod16.default.string(), import_zod16.default.any())]);
1164
- var zCredentialResponse = import_zod16.default.object({
1165
- credential: import_zod16.default.optional(zCredentialEncoding),
1166
- credentials: import_zod16.default.optional(import_zod16.default.array(zCredentialEncoding)),
1167
- transaction_id: import_zod16.default.string().optional(),
1168
- c_nonce: import_zod16.default.string().optional(),
1169
- c_nonce_expires_in: import_zod16.default.number().int().optional(),
1170
- notification_id: import_zod16.default.string().optional()
1345
+ var zCredentialEncoding = import_zod18.default.union([import_zod18.default.string(), import_zod18.default.record(import_zod18.default.string(), import_zod18.default.any())]);
1346
+ var zCredentialResponse = import_zod18.default.object({
1347
+ credential: import_zod18.default.optional(zCredentialEncoding),
1348
+ credentials: import_zod18.default.optional(import_zod18.default.array(zCredentialEncoding)),
1349
+ transaction_id: import_zod18.default.string().optional(),
1350
+ c_nonce: import_zod18.default.string().optional(),
1351
+ c_nonce_expires_in: import_zod18.default.number().int().optional(),
1352
+ notification_id: import_zod18.default.string().optional()
1171
1353
  }).passthrough().refine(
1172
1354
  (value) => {
1173
1355
  const { credential, credentials, transaction_id } = value;
@@ -1177,14 +1359,43 @@ var zCredentialResponse = import_zod16.default.object({
1177
1359
  message: `Exactly one of 'credential', 'credentials', or 'transaction_id' MUST be defined.`
1178
1360
  }
1179
1361
  );
1180
- var zCredentialErrorResponse = import_zod16.default.object({
1362
+ var zCredentialErrorResponse = import_zod18.default.object({
1181
1363
  ...zOauth2ErrorResponse.shape,
1182
- c_nonce: import_zod16.default.string().optional(),
1183
- c_nonce_expires_in: import_zod16.default.number().int().optional()
1364
+ c_nonce: import_zod18.default.string().optional(),
1365
+ c_nonce_expires_in: import_zod18.default.number().int().optional()
1184
1366
  }).passthrough();
1185
1367
 
1186
1368
  // src/credential-request/retrieve-credentials.ts
1369
+ async function retrieveCredentialsWithCredentialConfigurationId(options) {
1370
+ if (options.issuerMetadata.originalDraftVersion !== "Draft15" /* Draft15 */) {
1371
+ throw new Openid4vciError(
1372
+ "Requesting credentials based on format is not supported in OpenID4VCI below draft 15. Make sure to provide the format and format specific claims in the request."
1373
+ );
1374
+ }
1375
+ getCredentialConfigurationSupportedById(
1376
+ options.issuerMetadata.credentialIssuer.credential_configurations_supported,
1377
+ options.credentialConfigurationId
1378
+ );
1379
+ const credentialRequest = {
1380
+ ...options.additionalRequestPayload,
1381
+ credential_configuration_id: options.credentialConfigurationId,
1382
+ proof: options.proof,
1383
+ proofs: options.proofs
1384
+ };
1385
+ return retrieveCredentials({
1386
+ callbacks: options.callbacks,
1387
+ credentialRequest,
1388
+ issuerMetadata: options.issuerMetadata,
1389
+ accessToken: options.accessToken,
1390
+ dpop: options.dpop
1391
+ });
1392
+ }
1187
1393
  async function retrieveCredentialsWithFormat(options) {
1394
+ if (options.issuerMetadata.originalDraftVersion === "Draft15" /* Draft15 */) {
1395
+ throw new Openid4vciError(
1396
+ "Requesting credentials based on format is not supported in OpenID4VCI draft 15. Provide the credential configuration id directly in the request."
1397
+ );
1398
+ }
1188
1399
  const credentialRequest = {
1189
1400
  ...options.formatPayload,
1190
1401
  ...options.additionalRequestPayload,
@@ -1201,7 +1412,7 @@ async function retrieveCredentialsWithFormat(options) {
1201
1412
  }
1202
1413
  async function retrieveCredentials(options) {
1203
1414
  const credentialEndpoint = options.issuerMetadata.credentialIssuer.credential_endpoint;
1204
- let credentialRequest = (0, import_utils10.parseWithErrorHandling)(
1415
+ let credentialRequest = (0, import_utils11.parseWithErrorHandling)(
1205
1416
  zCredentialRequest,
1206
1417
  options.credentialRequest,
1207
1418
  "Error validating credential request"
@@ -1209,25 +1420,25 @@ async function retrieveCredentials(options) {
1209
1420
  if (credentialRequest.proofs) {
1210
1421
  const { batch_credential_issuance } = options.issuerMetadata.credentialIssuer;
1211
1422
  if (!batch_credential_issuance) {
1212
- throw new import_oauth210.Oauth2Error(
1423
+ throw new import_oauth212.Oauth2Error(
1213
1424
  `Credential issuer '${options.issuerMetadata.credentialIssuer.credential_issuer}' does not support batch credential issuance using the 'proofs' request property. Only 'proof' is supported.`
1214
1425
  );
1215
1426
  }
1216
1427
  const proofs = Object.values(credentialRequest.proofs)[0];
1217
1428
  if (proofs.length > batch_credential_issuance.batch_size) {
1218
- throw new import_oauth210.Oauth2Error(
1429
+ throw new import_oauth212.Oauth2Error(
1219
1430
  `Credential issuer '${options.issuerMetadata.credentialIssuer.credential_issuer}' supports batch issuance, but the max batch size is '${batch_credential_issuance.batch_size}'. A total of '${proofs.length}' proofs were provided.`
1220
1431
  );
1221
1432
  }
1222
1433
  }
1223
1434
  if (options.issuerMetadata.originalDraftVersion === "Draft11" /* Draft11 */) {
1224
- credentialRequest = (0, import_utils10.parseWithErrorHandling)(
1435
+ credentialRequest = (0, import_utils11.parseWithErrorHandling)(
1225
1436
  zCredentialRequestDraft14To11,
1226
1437
  credentialRequest,
1227
1438
  `Error transforming credential request from ${"Draft14" /* Draft14 */} to ${"Draft11" /* Draft11 */}`
1228
1439
  );
1229
1440
  }
1230
- const resourceResponse = await (0, import_oauth210.resourceRequest)({
1441
+ const resourceResponse = await (0, import_oauth212.resourceRequest)({
1231
1442
  dpop: options.dpop,
1232
1443
  accessToken: options.accessToken,
1233
1444
  callbacks: options.callbacks,
@@ -1235,19 +1446,19 @@ async function retrieveCredentials(options) {
1235
1446
  requestOptions: {
1236
1447
  method: "POST",
1237
1448
  headers: {
1238
- "Content-Type": import_utils10.ContentType.Json
1449
+ "Content-Type": import_utils11.ContentType.Json
1239
1450
  },
1240
1451
  body: JSON.stringify(credentialRequest)
1241
1452
  }
1242
1453
  });
1243
1454
  if (!resourceResponse.ok) {
1244
- const credentialErrorResponseResult = (0, import_utils10.isResponseContentType)(import_utils10.ContentType.Json, resourceResponse.response) ? zCredentialErrorResponse.safeParse(await resourceResponse.response.clone().json()) : void 0;
1455
+ const credentialErrorResponseResult = (0, import_utils11.isResponseContentType)(import_utils11.ContentType.Json, resourceResponse.response) ? zCredentialErrorResponse.safeParse(await resourceResponse.response.clone().json()) : void 0;
1245
1456
  return {
1246
1457
  ...resourceResponse,
1247
1458
  credentialErrorResponseResult
1248
1459
  };
1249
1460
  }
1250
- const credentialResponseResult = (0, import_utils10.isResponseContentType)(import_utils10.ContentType.Json, resourceResponse.response) ? zCredentialResponse.safeParse(await resourceResponse.response.clone().json()) : void 0;
1461
+ const credentialResponseResult = (0, import_utils11.isResponseContentType)(import_utils11.ContentType.Json, resourceResponse.response) ? zCredentialResponse.safeParse(await resourceResponse.response.clone().json()) : void 0;
1251
1462
  if (!credentialResponseResult?.success) {
1252
1463
  return {
1253
1464
  ...resourceResponse,
@@ -1265,39 +1476,6 @@ async function retrieveCredentials(options) {
1265
1476
  var import_oauth213 = require("@openid4vc/oauth2");
1266
1477
  var import_oauth214 = require("@openid4vc/oauth2");
1267
1478
  var import_utils12 = require("@openid4vc/utils");
1268
-
1269
- // src/key-attestation/key-attestation.ts
1270
- var import_oauth211 = require("@openid4vc/oauth2");
1271
- var import_oauth212 = require("@openid4vc/oauth2");
1272
- var import_utils11 = require("@openid4vc/utils");
1273
- async function verifyKeyAttestationJwt(options) {
1274
- const { header, payload } = (0, import_oauth211.decodeJwt)({
1275
- jwt: options.keyAttestationJwt,
1276
- headerSchema: zKeyAttestationJwtHeader,
1277
- payloadSchema: zKeyAttestationJwtPayloadForUse(options.use)
1278
- });
1279
- const now = options.now?.getTime() ?? Date.now();
1280
- if (options.nonceExpiresAt && now > options.nonceExpiresAt.getTime()) {
1281
- throw new Openid4vciError("Nonce used for key attestation jwt expired");
1282
- }
1283
- const { signer } = await (0, import_oauth212.verifyJwt)({
1284
- compact: options.keyAttestationJwt,
1285
- header,
1286
- payload,
1287
- signer: (0, import_oauth212.jwtSignerFromJwt)({ header, payload }),
1288
- verifyJwtCallback: options.callbacks.verifyJwt,
1289
- errorMessage: "Error verifiying key attestation jwt",
1290
- expectedNonce: options.expectedNonce,
1291
- now: options.now
1292
- });
1293
- return {
1294
- header,
1295
- payload,
1296
- signer
1297
- };
1298
- }
1299
-
1300
- // src/formats/proof-type/jwt/jwt-proof-type.ts
1301
1479
  async function createCredentialRequestJwtProof(options) {
1302
1480
  const header = (0, import_utils12.parseWithErrorHandling)(zCredentialRequestJwtProofTypeHeader, {
1303
1481
  ...(0, import_oauth213.jwtHeaderFromJwtSigner)(options.signer),
@@ -1425,10 +1603,10 @@ var import_utils15 = require("@openid4vc/utils");
1425
1603
 
1426
1604
  // src/nonce/z-nonce.ts
1427
1605
  var import_utils14 = require("@openid4vc/utils");
1428
- var import_zod17 = __toESM(require("zod"));
1429
- var zNonceResponse = import_zod17.default.object({
1430
- c_nonce: import_zod17.default.string(),
1431
- c_nonce_expires_in: import_zod17.default.optional(import_utils14.zInteger)
1606
+ var import_zod19 = __toESM(require("zod"));
1607
+ var zNonceResponse = import_zod19.default.object({
1608
+ c_nonce: import_zod19.default.string(),
1609
+ c_nonce_expires_in: import_zod19.default.optional(import_utils14.zInteger)
1432
1610
  }).passthrough();
1433
1611
 
1434
1612
  // src/nonce/nonce-request.ts
@@ -1468,15 +1646,15 @@ var import_oauth217 = require("@openid4vc/oauth2");
1468
1646
  var import_utils16 = require("@openid4vc/utils");
1469
1647
 
1470
1648
  // src/notification/z-notification.ts
1471
- var import_zod18 = __toESM(require("zod"));
1472
- var zNotificationEvent = import_zod18.default.enum(["credential_accepted", "credential_failure", "credential_deleted"]);
1473
- var zNotificationRequest = import_zod18.default.object({
1474
- notification_id: import_zod18.default.string(),
1649
+ var import_zod20 = __toESM(require("zod"));
1650
+ var zNotificationEvent = import_zod20.default.enum(["credential_accepted", "credential_failure", "credential_deleted"]);
1651
+ var zNotificationRequest = import_zod20.default.object({
1652
+ notification_id: import_zod20.default.string(),
1475
1653
  event: zNotificationEvent,
1476
- event_description: import_zod18.default.optional(import_zod18.default.string())
1654
+ event_description: import_zod20.default.optional(import_zod20.default.string())
1477
1655
  }).passthrough();
1478
- var zNotificationErrorResponse = import_zod18.default.object({
1479
- error: import_zod18.default.enum(["invalid_notification_id", "invalid_notification_request"])
1656
+ var zNotificationErrorResponse = import_zod20.default.object({
1657
+ error: import_zod20.default.enum(["invalid_notification_id", "invalid_notification_request"])
1480
1658
  }).passthrough();
1481
1659
 
1482
1660
  // src/notification/notification.ts
@@ -1619,7 +1797,6 @@ var Openid4vciClient = class {
1619
1797
  issuer_state: options.credentialOffer?.grants?.authorization_code?.issuer_state
1620
1798
  },
1621
1799
  dpop: options.dpop,
1622
- clientAttestation: options.clientAttestation,
1623
1800
  resource: options.issuerMetadata.credentialIssuer.credential_issuer,
1624
1801
  authorizationServerMetadata
1625
1802
  });
@@ -1673,7 +1850,6 @@ var Openid4vciClient = class {
1673
1850
  redirectUri: options.redirectUri,
1674
1851
  scope: options.scope,
1675
1852
  pkceCodeVerifier: options.pkceCodeVerifier,
1676
- clientAttestation: options.clientAttestation,
1677
1853
  dpop: options.dpop
1678
1854
  });
1679
1855
  return {
@@ -1692,8 +1868,7 @@ var Openid4vciClient = class {
1692
1868
  issuerMetadata,
1693
1869
  additionalRequestPayload,
1694
1870
  txCode,
1695
- dpop,
1696
- clientAttestation
1871
+ dpop
1697
1872
  }) {
1698
1873
  if (!credentialOffer.grants?.[import_oauth218.preAuthorizedCodeGrantIdentifier]) {
1699
1874
  throw new import_oauth218.Oauth2Error(`The credential offer does not contain the '${import_oauth218.preAuthorizedCodeGrantIdentifier}' grant.`);
@@ -1718,8 +1893,7 @@ var Openid4vciClient = class {
1718
1893
  txCode,
1719
1894
  resource: issuerMetadata.credentialIssuer.credential_issuer,
1720
1895
  additionalRequestPayload,
1721
- dpop,
1722
- clientAttestation
1896
+ dpop
1723
1897
  });
1724
1898
  return {
1725
1899
  ...result,
@@ -1737,8 +1911,7 @@ var Openid4vciClient = class {
1737
1911
  authorizationCode,
1738
1912
  pkceCodeVerifier,
1739
1913
  redirectUri,
1740
- dpop,
1741
- clientAttestation
1914
+ dpop
1742
1915
  }) {
1743
1916
  if (!credentialOffer.grants?.[import_oauth218.authorizationCodeGrantIdentifier]) {
1744
1917
  throw new import_oauth218.Oauth2Error(`The credential offer does not contain the '${import_oauth218.authorizationCodeGrantIdentifier}' grant.`);
@@ -1757,7 +1930,6 @@ var Openid4vciClient = class {
1757
1930
  pkceCodeVerifier,
1758
1931
  additionalRequestPayload,
1759
1932
  dpop,
1760
- clientAttestation,
1761
1933
  redirectUri,
1762
1934
  resource: issuerMetadata.credentialIssuer.credential_issuer
1763
1935
  });
@@ -1835,20 +2007,34 @@ var Openid4vciClient = class {
1835
2007
  accessToken,
1836
2008
  dpop
1837
2009
  }) {
1838
- const formatPayload = getCredentialRequestFormatPayloadForCredentialConfigurationId({
1839
- credentialConfigurationId,
1840
- issuerMetadata
1841
- });
1842
- const credentialResponse = await retrieveCredentialsWithFormat({
1843
- accessToken,
1844
- formatPayload,
1845
- issuerMetadata,
1846
- additionalRequestPayload,
1847
- proof,
1848
- proofs,
1849
- callbacks: this.options.callbacks,
1850
- dpop
1851
- });
2010
+ let credentialResponse;
2011
+ if (issuerMetadata.originalDraftVersion === "Draft15" /* Draft15 */) {
2012
+ credentialResponse = await retrieveCredentialsWithCredentialConfigurationId({
2013
+ accessToken,
2014
+ credentialConfigurationId,
2015
+ issuerMetadata,
2016
+ additionalRequestPayload,
2017
+ proof,
2018
+ proofs,
2019
+ callbacks: this.options.callbacks,
2020
+ dpop
2021
+ });
2022
+ } else {
2023
+ const formatPayload = getCredentialRequestFormatPayloadForCredentialConfigurationId({
2024
+ credentialConfigurationId,
2025
+ issuerMetadata
2026
+ });
2027
+ credentialResponse = await retrieveCredentialsWithFormat({
2028
+ accessToken,
2029
+ formatPayload,
2030
+ issuerMetadata,
2031
+ additionalRequestPayload,
2032
+ proof,
2033
+ proofs,
2034
+ callbacks: this.options.callbacks,
2035
+ dpop
2036
+ });
2037
+ }
1852
2038
  if (!credentialResponse.ok) {
1853
2039
  throw new Openid4vciRetrieveCredentialsError(
1854
2040
  `Error retrieving credentials from '${issuerMetadata.credentialIssuer.credential_issuer}'`,
@@ -1910,7 +2096,7 @@ function createCredentialResponse(options) {
1910
2096
 
1911
2097
  // src/credential-request/parse-credential-request.ts
1912
2098
  var import_utils18 = require("@openid4vc/utils");
1913
- var import_zod19 = __toESM(require("zod"));
2099
+ var import_zod21 = __toESM(require("zod"));
1914
2100
  function parseCredentialRequest(options) {
1915
2101
  const credentialRequest = (0, import_utils18.parseWithErrorHandling)(
1916
2102
  zCredentialRequest,
@@ -1922,12 +2108,27 @@ function parseCredentialRequest(options) {
1922
2108
  if (knownProofs.success) {
1923
2109
  proofs = knownProofs.data;
1924
2110
  }
1925
- const knownProof = import_zod19.default.union(allCredentialRequestProofs).safeParse(credentialRequest.proof);
2111
+ const knownProof = import_zod21.default.union(allCredentialRequestProofs).safeParse(credentialRequest.proof);
1926
2112
  if (knownProof.success && knownProof.data.proof_type === jwtProofTypeIdentifier) {
1927
2113
  proofs = { [jwtProofTypeIdentifier]: [knownProof.data.jwt] };
1928
2114
  } else if (knownProof.success && knownProof.data.proof_type === attestationProofTypeIdentifier) {
1929
2115
  proofs = { [attestationProofTypeIdentifier]: [knownProof.data.attestation] };
1930
2116
  }
2117
+ if (credentialRequest.credential_configuration_id) {
2118
+ getCredentialConfigurationSupportedById(
2119
+ options.issuerMetadata.credentialIssuer.credential_configurations_supported,
2120
+ credentialRequest.credential_configuration_id
2121
+ );
2122
+ const credentialConfigurations = extractKnownCredentialConfigurationSupportedFormats(
2123
+ options.issuerMetadata.credentialIssuer.credential_configurations_supported
2124
+ );
2125
+ return {
2126
+ credentialConfiguration: credentialConfigurations[credentialRequest.credential_configuration_id],
2127
+ credentialConfigurationId: credentialRequest.credential_configuration_id,
2128
+ credentialRequest,
2129
+ proofs
2130
+ };
2131
+ }
1931
2132
  if (credentialRequest.credential_identifier) {
1932
2133
  return {
1933
2134
  credentialIdentifier: credentialRequest.credential_identifier,
@@ -1935,11 +2136,13 @@ function parseCredentialRequest(options) {
1935
2136
  proofs
1936
2137
  };
1937
2138
  }
1938
- if (credentialRequest.format && allCredentialRequestFormatIdentifiers.includes(credentialRequest.format)) {
2139
+ if (credentialRequest.format && allCredentialRequestFormatIdentifiers.includes(
2140
+ credentialRequest.format
2141
+ )) {
1939
2142
  return {
1940
2143
  // Removes all claims that are not specific to this format
1941
2144
  format: (0, import_utils18.parseWithErrorHandling)(
1942
- import_zod19.default.union(allCredentialRequestFormats),
2145
+ import_zod21.default.union(allCredentialRequestFormats),
1943
2146
  credentialRequest,
1944
2147
  "Unable to validate format specific properties from credential request"
1945
2148
  ),
@@ -2091,6 +2294,40 @@ var Openid4vciIssuer = class {
2091
2294
  createNonceResponse(options) {
2092
2295
  return createNonceResponse(options);
2093
2296
  }
2297
+ async verifyWalletAttestation(options) {
2298
+ return new import_oauth219.Oauth2AuthorizationServer({
2299
+ callbacks: this.options.callbacks
2300
+ }).verifyClientAttestation(options);
2301
+ }
2302
+ };
2303
+
2304
+ // src/Openid4vciWalletProvider.ts
2305
+ var import_oauth220 = require("@openid4vc/oauth2");
2306
+ var Openid4vciWalletProvider = class {
2307
+ constructor(options) {
2308
+ this.options = options;
2309
+ }
2310
+ async createWalletAttestationJwt(options) {
2311
+ const additionalPayload = options.additionalPayload ? {
2312
+ wallet_name: options.walletName,
2313
+ wallet_link: options.walletLink,
2314
+ ...options.additionalPayload
2315
+ } : {
2316
+ wallet_name: options.walletName,
2317
+ wallet_link: options.walletLink
2318
+ };
2319
+ return await (0, import_oauth220.createClientAttestationJwt)({
2320
+ ...options,
2321
+ callbacks: this.options.callbacks,
2322
+ additionalPayload
2323
+ });
2324
+ }
2325
+ async createKeyAttestationJwt(options) {
2326
+ return await createKeyAttestationJwt({
2327
+ callbacks: this.options.callbacks,
2328
+ ...options
2329
+ });
2330
+ }
2094
2331
  };
2095
2332
  // Annotate the CommonJS export names for ESM import in node:
2096
2333
  0 && (module.exports = {
@@ -2101,10 +2338,15 @@ var Openid4vciIssuer = class {
2101
2338
  Openid4vciIssuer,
2102
2339
  Openid4vciRetrieveCredentialsError,
2103
2340
  Openid4vciSendNotificationError,
2341
+ Openid4vciWalletProvider,
2342
+ createKeyAttestationJwt,
2104
2343
  credentialsSupportedToCredentialConfigurationsSupported,
2344
+ determineAuthorizationServerForCredentialOffer,
2105
2345
  extractScopesForCredentialConfigurationIds,
2106
2346
  getCredentialConfigurationsMatchingRequestFormat,
2107
2347
  getGlobalConfig,
2108
- setGlobalConfig
2348
+ parseKeyAttestationJwt,
2349
+ setGlobalConfig,
2350
+ verifyKeyAttestationJwt
2109
2351
  });
2110
2352
  //# sourceMappingURL=index.js.map