@openid4vc/openid4vci 0.3.0-alpha-20250325212250 → 0.3.0-alpha-20250328112257

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (7) hide show
  1. package/dist/index.d.mts +8194 -5423
  2. package/dist/index.d.ts +8194 -5423
  3. package/dist/index.js +514 -500
  4. package/dist/index.js.map +1 -1
  5. package/dist/index.mjs +487 -479
  6. package/dist/index.mjs.map +1 -1
  7. package/package.json +3 -3
package/dist/index.js CHANGED
@@ -38,51 +38,267 @@ __export(src_exports, {
38
38
  Openid4vciRetrieveCredentialsError: () => Openid4vciRetrieveCredentialsError,
39
39
  Openid4vciSendNotificationError: () => Openid4vciSendNotificationError,
40
40
  Openid4vciWalletProvider: () => Openid4vciWalletProvider,
41
+ createKeyAttestationJwt: () => createKeyAttestationJwt,
41
42
  credentialsSupportedToCredentialConfigurationsSupported: () => credentialsSupportedToCredentialConfigurationsSupported,
43
+ determineAuthorizationServerForCredentialOffer: () => determineAuthorizationServerForCredentialOffer,
42
44
  extractScopesForCredentialConfigurationIds: () => extractScopesForCredentialConfigurationIds,
43
45
  getCredentialConfigurationsMatchingRequestFormat: () => getCredentialConfigurationsMatchingRequestFormat,
44
46
  getGlobalConfig: () => import_utils20.getGlobalConfig,
45
- setGlobalConfig: () => import_utils20.setGlobalConfig
47
+ parseKeyAttestationJwt: () => parseKeyAttestationJwt,
48
+ setGlobalConfig: () => import_utils20.setGlobalConfig,
49
+ verifyKeyAttestationJwt: () => verifyKeyAttestationJwt
46
50
  });
47
51
  module.exports = __toCommonJS(src_exports);
52
+
53
+ // src/credential-offer/credential-offer.ts
54
+ var import_oauth22 = require("@openid4vc/oauth2");
55
+ var import_utils2 = require("@openid4vc/utils");
56
+
57
+ // src/version.ts
58
+ var Openid4vciDraftVersion = /* @__PURE__ */ ((Openid4vciDraftVersion2) => {
59
+ Openid4vciDraftVersion2["Draft15"] = "Draft15";
60
+ Openid4vciDraftVersion2["Draft14"] = "Draft14";
61
+ Openid4vciDraftVersion2["Draft11"] = "Draft11";
62
+ return Openid4vciDraftVersion2;
63
+ })(Openid4vciDraftVersion || {});
64
+
65
+ // src/credential-offer/z-credential-offer.ts
66
+ var import_oauth2 = require("@openid4vc/oauth2");
67
+ var import_utils = require("@openid4vc/utils");
68
+ var import_zod = __toESM(require("zod"));
69
+ var zTxCode = import_zod.default.object({
70
+ input_mode: import_zod.default.union([import_zod.default.literal("numeric"), import_zod.default.literal("text")]).optional(),
71
+ length: import_zod.default.number().int().optional(),
72
+ description: import_zod.default.string().max(300).optional()
73
+ }).passthrough();
74
+ var zCredentialOfferGrants = import_zod.default.object({
75
+ authorization_code: import_zod.default.object({
76
+ issuer_state: import_zod.default.string().optional(),
77
+ authorization_server: import_utils.zHttpsUrl.optional()
78
+ }).passthrough().optional(),
79
+ [import_oauth2.preAuthorizedCodeGrantIdentifier]: import_zod.default.object({
80
+ "pre-authorized_code": import_zod.default.string(),
81
+ tx_code: zTxCode.optional(),
82
+ authorization_server: import_utils.zHttpsUrl.optional()
83
+ }).passthrough().optional()
84
+ }).passthrough();
85
+ var zCredentialOfferObjectDraft14 = import_zod.default.object({
86
+ credential_issuer: import_utils.zHttpsUrl,
87
+ credential_configuration_ids: import_zod.default.array(import_zod.default.string()),
88
+ grants: import_zod.default.optional(zCredentialOfferGrants)
89
+ }).passthrough();
90
+ var zCredentialOfferObjectDraft11To14 = import_zod.default.object({
91
+ credential_issuer: import_utils.zHttpsUrl,
92
+ // We don't support the inline offer objects from draft 11
93
+ credentials: import_zod.default.array(
94
+ import_zod.default.string({ message: "Only string credential identifiers are supported for draft 11 credential offers" })
95
+ ),
96
+ grants: import_zod.default.optional(
97
+ import_zod.default.object({
98
+ // Has extra param in draft 14, but doesn't matter for transform purposes
99
+ authorization_code: zCredentialOfferGrants.shape.authorization_code,
100
+ [import_oauth2.preAuthorizedCodeGrantIdentifier]: import_zod.default.object({
101
+ "pre-authorized_code": import_zod.default.string(),
102
+ user_pin_required: import_zod.default.optional(import_zod.default.boolean())
103
+ }).passthrough().optional()
104
+ })
105
+ )
106
+ }).passthrough().transform(({ credentials, grants, ...rest }) => {
107
+ const v14 = {
108
+ ...rest,
109
+ credential_configuration_ids: credentials
110
+ };
111
+ if (grants) {
112
+ v14.grants = { ...grants };
113
+ if (grants[import_oauth2.preAuthorizedCodeGrantIdentifier]) {
114
+ const { user_pin_required, ...restGrants } = grants[import_oauth2.preAuthorizedCodeGrantIdentifier];
115
+ v14.grants[import_oauth2.preAuthorizedCodeGrantIdentifier] = {
116
+ ...restGrants
117
+ };
118
+ if (user_pin_required) {
119
+ v14.grants[import_oauth2.preAuthorizedCodeGrantIdentifier].tx_code = {
120
+ input_mode: "text"
121
+ };
122
+ }
123
+ }
124
+ }
125
+ return v14;
126
+ }).pipe(zCredentialOfferObjectDraft14);
127
+ var zCredentialOfferObject = import_zod.default.union([
128
+ // First prioritize draft 14 (and 13)
129
+ zCredentialOfferObjectDraft14,
130
+ // Then try parsing draft 11 and transform into draft 14
131
+ zCredentialOfferObjectDraft11To14
132
+ ]);
133
+
134
+ // src/credential-offer/credential-offer.ts
135
+ async function resolveCredentialOffer(credentialOffer, options) {
136
+ const parsedQueryParams = (0, import_utils2.getQueryParams)(credentialOffer);
137
+ let credentialOfferParseResult;
138
+ if (parsedQueryParams.credential_offer_uri) {
139
+ const fetchWithZod = (0, import_utils2.createZodFetcher)(options?.fetch);
140
+ const { response, result } = await fetchWithZod(
141
+ zCredentialOfferObject,
142
+ import_utils2.ContentType.Json,
143
+ parsedQueryParams.credential_offer_uri
144
+ );
145
+ if (!response.ok || !result) {
146
+ throw new import_oauth22.InvalidFetchResponseError(
147
+ `Fetching credential offer from '${parsedQueryParams.credential_offer_uri}' resulted in an unsuccesfull response with status '${response.status}'`,
148
+ await response.clone().text(),
149
+ response
150
+ );
151
+ }
152
+ credentialOfferParseResult = result;
153
+ } else if (parsedQueryParams.credential_offer) {
154
+ let credentialOfferJson;
155
+ try {
156
+ credentialOfferJson = JSON.parse(decodeURIComponent(parsedQueryParams.credential_offer));
157
+ } catch (error) {
158
+ throw new import_oauth22.Oauth2Error(`Error parsing JSON from 'credential_offer' param in credential offer '${credentialOffer}'`);
159
+ }
160
+ credentialOfferParseResult = zCredentialOfferObject.safeParse(credentialOfferJson);
161
+ } else {
162
+ throw new import_oauth22.Oauth2Error(`Credential offer did not contain either 'credential_offer' or 'credential_offer_uri' param.`);
163
+ }
164
+ if (credentialOfferParseResult.error) {
165
+ throw new import_utils2.ValidationError(
166
+ `Error parsing credential offer in draft 11, 13 or 14 format extracted from credential offer '${credentialOffer}'`,
167
+ credentialOfferParseResult.error
168
+ );
169
+ }
170
+ return credentialOfferParseResult.data;
171
+ }
172
+ function determineAuthorizationServerForCredentialOffer(options) {
173
+ const authorizationServers = options.issuerMetadata.credentialIssuer.authorization_servers;
174
+ let authorizationServer;
175
+ if (options.grantAuthorizationServer) {
176
+ authorizationServer = options.grantAuthorizationServer;
177
+ if (!authorizationServers) {
178
+ throw new import_oauth22.Oauth2Error(
179
+ `Credential offer grant contains 'authorization_server' with value '${options.grantAuthorizationServer}' but credential issuer metadata does not have an 'authorization_servers' property to match the value against.`
180
+ );
181
+ }
182
+ if (!authorizationServers.includes(authorizationServer)) {
183
+ throw new import_oauth22.Oauth2Error(
184
+ `Credential offer grant contains 'authorization_server' with value '${options.grantAuthorizationServer}' but credential issuer metadata does not include this authorization server. Available 'authorization_server' values are ${authorizationServers.join(", ")}.`
185
+ );
186
+ }
187
+ } else if (!authorizationServers) {
188
+ authorizationServer = options.issuerMetadata.credentialIssuer.credential_issuer;
189
+ } else {
190
+ if (authorizationServers.length === 0) {
191
+ throw new import_oauth22.Oauth2Error(`Credential issuer metadata has 'authorization_servers' value with length of 0`);
192
+ }
193
+ if (authorizationServers.length > 1) {
194
+ throw new import_oauth22.Oauth2Error(
195
+ `Credential issuer metadata has 'authorization_server' with multiple entries, but the credential offer grant did not specify which authorization server to use.`
196
+ );
197
+ }
198
+ authorizationServer = authorizationServers[0];
199
+ }
200
+ return authorizationServer;
201
+ }
202
+ async function createCredentialOffer(options) {
203
+ const {
204
+ [import_oauth22.preAuthorizedCodeGrantIdentifier]: preAuthorizedCodeGrant,
205
+ [import_oauth22.authorizationCodeGrantIdentifier]: authorizationCodeGrant,
206
+ ...restGrants
207
+ } = options.grants;
208
+ const grants = { ...restGrants };
209
+ if (authorizationCodeGrant) {
210
+ determineAuthorizationServerForCredentialOffer({
211
+ issuerMetadata: options.issuerMetadata,
212
+ grantAuthorizationServer: authorizationCodeGrant.authorization_server
213
+ });
214
+ grants[import_oauth22.authorizationCodeGrantIdentifier] = authorizationCodeGrant;
215
+ }
216
+ if (preAuthorizedCodeGrant) {
217
+ determineAuthorizationServerForCredentialOffer({
218
+ issuerMetadata: options.issuerMetadata,
219
+ grantAuthorizationServer: preAuthorizedCodeGrant.authorization_server
220
+ });
221
+ grants[import_oauth22.preAuthorizedCodeGrantIdentifier] = {
222
+ ...preAuthorizedCodeGrant,
223
+ "pre-authorized_code": preAuthorizedCodeGrant["pre-authorized_code"] ?? (0, import_utils2.encodeToBase64Url)(await options.callbacks.generateRandom(32))
224
+ };
225
+ const txCode = grants[import_oauth22.preAuthorizedCodeGrantIdentifier].tx_code;
226
+ if (txCode && options.issuerMetadata.originalDraftVersion === "Draft11" /* Draft11 */) {
227
+ grants[import_oauth22.preAuthorizedCodeGrantIdentifier].user_pin_required = txCode !== void 0;
228
+ }
229
+ }
230
+ const idsNotInMetadata = options.credentialConfigurationIds.filter(
231
+ (id) => options.issuerMetadata.credentialIssuer.credential_configurations_supported[id] === void 0
232
+ );
233
+ if (idsNotInMetadata.length > 0) {
234
+ throw new import_oauth22.Oauth2Error(
235
+ `Credential configuration ids ${idsNotInMetadata} not found in the credential issuer metadata 'credential_configurations_supported'. Available ids are ${Object.keys(options.issuerMetadata.credentialIssuer.credential_configurations_supported).join(", ")}.`
236
+ );
237
+ }
238
+ const credentialOfferScheme = options.credentialOfferScheme ?? "openid-credential-offer://";
239
+ const credentialOfferObject = (0, import_utils2.parseWithErrorHandling)(zCredentialOfferObject, {
240
+ credential_issuer: options.issuerMetadata.credentialIssuer.credential_issuer,
241
+ credential_configuration_ids: options.credentialConfigurationIds,
242
+ grants,
243
+ ...options.additionalPayload
244
+ });
245
+ if (options.issuerMetadata.originalDraftVersion === "Draft11" /* Draft11 */) {
246
+ credentialOfferObject.credentials = credentialOfferObject.credential_configuration_ids;
247
+ }
248
+ const url = new import_utils2.URL(credentialOfferScheme);
249
+ url.search = `?${new import_utils2.URLSearchParams([
250
+ ...url.searchParams.entries(),
251
+ ...(0, import_utils2.objectToQueryParams)({
252
+ credential_offer_uri: options.credentialOfferUri,
253
+ // Only add credential_offer is uri is undefined
254
+ credential_offer: options.credentialOfferUri ? void 0 : credentialOfferObject
255
+ }).entries()
256
+ ]).toString()}`;
257
+ return {
258
+ credentialOffer: url.toString(),
259
+ credentialOfferObject
260
+ };
261
+ }
262
+
263
+ // src/index.ts
48
264
  var import_utils20 = require("@openid4vc/utils");
49
265
 
50
266
  // src/credential-request/credential-request-configurations.ts
51
- var import_utils4 = require("@openid4vc/utils");
267
+ var import_utils6 = require("@openid4vc/utils");
52
268
 
53
269
  // src/metadata/credential-issuer/credential-issuer-metadata.ts
54
- var import_oauth23 = require("@openid4vc/oauth2");
55
- var import_utils3 = require("@openid4vc/utils");
270
+ var import_oauth25 = require("@openid4vc/oauth2");
271
+ var import_utils5 = require("@openid4vc/utils");
56
272
 
57
273
  // src/metadata/credential-issuer/z-credential-issuer-metadata.ts
58
- var import_oauth22 = require("@openid4vc/oauth2");
59
- var import_utils2 = require("@openid4vc/utils");
60
- var import_zod11 = __toESM(require("zod"));
274
+ var import_oauth24 = require("@openid4vc/oauth2");
275
+ var import_utils4 = require("@openid4vc/utils");
276
+ var import_zod12 = __toESM(require("zod"));
61
277
 
62
278
  // src/formats/credential/mso-mdoc/z-mso-mdoc.ts
63
- var import_zod2 = __toESM(require("zod"));
279
+ var import_zod3 = __toESM(require("zod"));
64
280
 
65
281
  // src/metadata/credential-issuer/z-claims-description.ts
66
- var import_zod = __toESM(require("zod"));
67
- var zCredentialConfigurationSupportedClaimsDraft14 = import_zod.default.object({
68
- mandatory: import_zod.default.boolean().optional(),
69
- value_type: import_zod.default.string().optional(),
70
- display: import_zod.default.object({
71
- name: import_zod.default.string().optional(),
72
- locale: import_zod.default.string().optional()
282
+ var import_zod2 = __toESM(require("zod"));
283
+ var zCredentialConfigurationSupportedClaimsDraft14 = import_zod2.default.object({
284
+ mandatory: import_zod2.default.boolean().optional(),
285
+ value_type: import_zod2.default.string().optional(),
286
+ display: import_zod2.default.object({
287
+ name: import_zod2.default.string().optional(),
288
+ locale: import_zod2.default.string().optional()
73
289
  }).passthrough().optional()
74
290
  }).passthrough();
75
- var zClaimsDescriptionPath = import_zod.default.array(import_zod.default.union([import_zod.default.string(), import_zod.default.number().int().nonnegative(), import_zod.default.null()])).nonempty();
76
- var zMsoMdocClaimsDescriptionPath = import_zod.default.tuple([import_zod.default.string(), import_zod.default.string()], {
291
+ var zClaimsDescriptionPath = import_zod2.default.array(import_zod2.default.union([import_zod2.default.string(), import_zod2.default.number().int().nonnegative(), import_zod2.default.null()])).nonempty();
292
+ var zMsoMdocClaimsDescriptionPath = import_zod2.default.tuple([import_zod2.default.string(), import_zod2.default.string()], {
77
293
  message: "mso_mdoc claims description path MUST be an array with exactly two string elements, pointing to the namespace and element identifier within an mdoc credential"
78
294
  });
79
- var zIssuerMetadataClaimsDescription = import_zod.default.object({
295
+ var zIssuerMetadataClaimsDescription = import_zod2.default.object({
80
296
  path: zClaimsDescriptionPath,
81
- mandatory: import_zod.default.boolean().optional(),
82
- display: import_zod.default.array(
83
- import_zod.default.object({
84
- name: import_zod.default.string().optional(),
85
- locale: import_zod.default.string().optional()
297
+ mandatory: import_zod2.default.boolean().optional(),
298
+ display: import_zod2.default.array(
299
+ import_zod2.default.object({
300
+ name: import_zod2.default.string().optional(),
301
+ locale: import_zod2.default.string().optional()
86
302
  }).passthrough()
87
303
  ).optional()
88
304
  }).passthrough();
@@ -91,97 +307,97 @@ var zMsoMdocIssuerMetadataClaimsDescription = zIssuerMetadataClaimsDescription.e
91
307
  });
92
308
 
93
309
  // src/formats/credential/mso-mdoc/z-mso-mdoc.ts
94
- var zMsoMdocFormatIdentifier = import_zod2.default.literal("mso_mdoc");
95
- var zMsoMdocCredentialIssuerMetadata = import_zod2.default.object({
310
+ var zMsoMdocFormatIdentifier = import_zod3.default.literal("mso_mdoc");
311
+ var zMsoMdocCredentialIssuerMetadata = import_zod3.default.object({
96
312
  format: zMsoMdocFormatIdentifier,
97
- doctype: import_zod2.default.string(),
98
- claims: import_zod2.default.array(zMsoMdocIssuerMetadataClaimsDescription).optional()
313
+ doctype: import_zod3.default.string(),
314
+ claims: import_zod3.default.array(zMsoMdocIssuerMetadataClaimsDescription).optional()
99
315
  });
100
- var zMsoMdocCredentialIssuerMetadataDraft14 = import_zod2.default.object({
316
+ var zMsoMdocCredentialIssuerMetadataDraft14 = import_zod3.default.object({
101
317
  format: zMsoMdocFormatIdentifier,
102
- doctype: import_zod2.default.string(),
318
+ doctype: import_zod3.default.string(),
103
319
  claims: zCredentialConfigurationSupportedClaimsDraft14.optional(),
104
- order: import_zod2.default.optional(import_zod2.default.array(import_zod2.default.string()))
320
+ order: import_zod3.default.optional(import_zod3.default.array(import_zod3.default.string()))
105
321
  });
106
- var zMsoMdocCredentialRequestFormatDraft14 = import_zod2.default.object({
322
+ var zMsoMdocCredentialRequestFormatDraft14 = import_zod3.default.object({
107
323
  format: zMsoMdocFormatIdentifier,
108
- doctype: import_zod2.default.string(),
324
+ doctype: import_zod3.default.string(),
109
325
  // Format based request is removed in Draft 15, so only old claims syntax supported.
110
- claims: import_zod2.default.optional(zCredentialConfigurationSupportedClaimsDraft14)
326
+ claims: import_zod3.default.optional(zCredentialConfigurationSupportedClaimsDraft14)
111
327
  });
112
328
 
113
329
  // src/formats/credential/sd-jwt-vc/z-sd-jwt-vc.ts
114
- var import_zod3 = __toESM(require("zod"));
115
- var zSdJwtVcFormatIdentifier = import_zod3.default.literal("vc+sd-jwt");
116
- var zSdJwtVcCredentialIssuerMetadataDraft14 = import_zod3.default.object({
117
- vct: import_zod3.default.string(),
330
+ var import_zod4 = __toESM(require("zod"));
331
+ var zSdJwtVcFormatIdentifier = import_zod4.default.literal("vc+sd-jwt");
332
+ var zSdJwtVcCredentialIssuerMetadataDraft14 = import_zod4.default.object({
333
+ vct: import_zod4.default.string(),
118
334
  format: zSdJwtVcFormatIdentifier,
119
- claims: import_zod3.default.optional(zCredentialConfigurationSupportedClaimsDraft14),
120
- order: import_zod3.default.optional(import_zod3.default.array(import_zod3.default.string()))
335
+ claims: import_zod4.default.optional(zCredentialConfigurationSupportedClaimsDraft14),
336
+ order: import_zod4.default.optional(import_zod4.default.array(import_zod4.default.string()))
121
337
  });
122
- var zSdJwtVcCredentialRequestFormatDraft14 = import_zod3.default.object({
338
+ var zSdJwtVcCredentialRequestFormatDraft14 = import_zod4.default.object({
123
339
  format: zSdJwtVcFormatIdentifier,
124
- vct: import_zod3.default.string(),
125
- claims: import_zod3.default.optional(zCredentialConfigurationSupportedClaimsDraft14)
340
+ vct: import_zod4.default.string(),
341
+ claims: import_zod4.default.optional(zCredentialConfigurationSupportedClaimsDraft14)
126
342
  });
127
343
 
128
344
  // src/formats/credential/sd-jwt-dc/z-sd-jwt-dc.ts
129
- var import_zod4 = __toESM(require("zod"));
130
- var zSdJwtDcFormatIdentifier = import_zod4.default.literal("dc+sd-jwt");
131
- var zSdJwtDcCredentialIssuerMetadata = import_zod4.default.object({
132
- vct: import_zod4.default.string(),
345
+ var import_zod5 = __toESM(require("zod"));
346
+ var zSdJwtDcFormatIdentifier = import_zod5.default.literal("dc+sd-jwt");
347
+ var zSdJwtDcCredentialIssuerMetadata = import_zod5.default.object({
348
+ vct: import_zod5.default.string(),
133
349
  format: zSdJwtDcFormatIdentifier,
134
- claims: import_zod4.default.array(zIssuerMetadataClaimsDescription).optional()
350
+ claims: import_zod5.default.array(zIssuerMetadataClaimsDescription).optional()
135
351
  });
136
352
 
137
353
  // src/formats/credential/w3c-vc/z-w3c-ldp-vc.ts
138
- var import_zod6 = __toESM(require("zod"));
354
+ var import_zod7 = __toESM(require("zod"));
139
355
 
140
356
  // src/formats/credential/w3c-vc/z-w3c-vc-common.ts
141
- var import_zod5 = __toESM(require("zod"));
142
- var zCredentialSubjectLeafTypeDraft14 = import_zod5.default.object({
143
- mandatory: import_zod5.default.boolean().optional(),
144
- value_type: import_zod5.default.string().optional(),
145
- display: import_zod5.default.array(
146
- import_zod5.default.object({
147
- name: import_zod5.default.string().optional(),
148
- locale: import_zod5.default.string().optional()
357
+ var import_zod6 = __toESM(require("zod"));
358
+ var zCredentialSubjectLeafTypeDraft14 = import_zod6.default.object({
359
+ mandatory: import_zod6.default.boolean().optional(),
360
+ value_type: import_zod6.default.string().optional(),
361
+ display: import_zod6.default.array(
362
+ import_zod6.default.object({
363
+ name: import_zod6.default.string().optional(),
364
+ locale: import_zod6.default.string().optional()
149
365
  }).passthrough()
150
366
  ).optional()
151
367
  }).passthrough();
152
- var zClaimValueSchemaDraft14 = import_zod5.default.union([
153
- import_zod5.default.array(import_zod5.default.any()),
154
- import_zod5.default.record(import_zod5.default.string(), import_zod5.default.any()),
368
+ var zClaimValueSchemaDraft14 = import_zod6.default.union([
369
+ import_zod6.default.array(import_zod6.default.any()),
370
+ import_zod6.default.record(import_zod6.default.string(), import_zod6.default.any()),
155
371
  zCredentialSubjectLeafTypeDraft14
156
372
  ]);
157
- var zW3cVcCredentialSubjectDraft14 = import_zod5.default.record(import_zod5.default.string(), zClaimValueSchemaDraft14);
158
- var zW3cVcJsonLdCredentialDefinition = import_zod5.default.object({
159
- "@context": import_zod5.default.array(import_zod5.default.string()),
160
- type: import_zod5.default.array(import_zod5.default.string())
373
+ var zW3cVcCredentialSubjectDraft14 = import_zod6.default.record(import_zod6.default.string(), zClaimValueSchemaDraft14);
374
+ var zW3cVcJsonLdCredentialDefinition = import_zod6.default.object({
375
+ "@context": import_zod6.default.array(import_zod6.default.string()),
376
+ type: import_zod6.default.array(import_zod6.default.string())
161
377
  }).passthrough();
162
378
  var zW3cVcJsonLdCredentialDefinitionDraft14 = zW3cVcJsonLdCredentialDefinition.extend({
163
379
  credentialSubject: zW3cVcCredentialSubjectDraft14.optional()
164
380
  });
165
381
 
166
382
  // src/formats/credential/w3c-vc/z-w3c-ldp-vc.ts
167
- var zLdpVcFormatIdentifier = import_zod6.default.literal("ldp_vc");
168
- var zLdpVcCredentialIssuerMetadata = import_zod6.default.object({
383
+ var zLdpVcFormatIdentifier = import_zod7.default.literal("ldp_vc");
384
+ var zLdpVcCredentialIssuerMetadata = import_zod7.default.object({
169
385
  format: zLdpVcFormatIdentifier,
170
386
  credential_definition: zW3cVcJsonLdCredentialDefinition,
171
387
  claims: zIssuerMetadataClaimsDescription.optional()
172
388
  });
173
- var zLdpVcCredentialIssuerMetadataDraft14 = import_zod6.default.object({
389
+ var zLdpVcCredentialIssuerMetadataDraft14 = import_zod7.default.object({
174
390
  format: zLdpVcFormatIdentifier,
175
391
  credential_definition: zW3cVcJsonLdCredentialDefinitionDraft14,
176
- order: import_zod6.default.array(import_zod6.default.string()).optional()
392
+ order: import_zod7.default.array(import_zod7.default.string()).optional()
177
393
  });
178
- var zLdpVcCredentialIssuerMetadataDraft11 = import_zod6.default.object({
179
- order: import_zod6.default.array(import_zod6.default.string()).optional(),
394
+ var zLdpVcCredentialIssuerMetadataDraft11 = import_zod7.default.object({
395
+ order: import_zod7.default.array(import_zod7.default.string()).optional(),
180
396
  format: zLdpVcFormatIdentifier,
181
397
  // Credential definition was spread on top level instead of a separatey property in v11
182
398
  // As well as using types instead of type
183
- "@context": import_zod6.default.array(import_zod6.default.string()),
184
- types: import_zod6.default.array(import_zod6.default.string()),
399
+ "@context": import_zod7.default.array(import_zod7.default.string()),
400
+ types: import_zod7.default.array(import_zod7.default.string()),
185
401
  credentialSubject: zW3cVcCredentialSubjectDraft14.optional()
186
402
  }).passthrough();
187
403
  var zLdpVcCredentialIssuerMetadataDraft11To14 = zLdpVcCredentialIssuerMetadataDraft11.transform(
@@ -200,16 +416,16 @@ var zLdpVcCredentialIssuerMetadataDraft14To11 = zLdpVcCredentialIssuerMetadataDr
200
416
  ...credentialDefinition,
201
417
  types: type
202
418
  })).pipe(zLdpVcCredentialIssuerMetadataDraft11);
203
- var zLdpVcCredentialRequestFormatDraft14 = import_zod6.default.object({
419
+ var zLdpVcCredentialRequestFormatDraft14 = import_zod7.default.object({
204
420
  format: zLdpVcFormatIdentifier,
205
421
  credential_definition: zW3cVcJsonLdCredentialDefinitionDraft14
206
422
  });
207
- var zLdpVcCredentialRequestDraft11 = import_zod6.default.object({
423
+ var zLdpVcCredentialRequestDraft11 = import_zod7.default.object({
208
424
  format: zLdpVcFormatIdentifier,
209
- credential_definition: import_zod6.default.object({
210
- "@context": import_zod6.default.array(import_zod6.default.string()),
425
+ credential_definition: import_zod7.default.object({
426
+ "@context": import_zod7.default.array(import_zod7.default.string()),
211
427
  // credential_definition was using types instead of type in v11
212
- types: import_zod6.default.array(import_zod6.default.string()),
428
+ types: import_zod7.default.array(import_zod7.default.string()),
213
429
  credentialSubject: zW3cVcCredentialSubjectDraft14.optional()
214
430
  })
215
431
  }).passthrough();
@@ -231,25 +447,25 @@ var zLdpVcCredentialRequestDraft14To11 = zLdpVcCredentialRequestFormatDraft14.pa
231
447
  })).pipe(zLdpVcCredentialRequestDraft11);
232
448
 
233
449
  // src/formats/credential/w3c-vc/z-w3c-jwt-vc-json-ld.ts
234
- var import_zod7 = __toESM(require("zod"));
235
- var zJwtVcJsonLdFormatIdentifier = import_zod7.default.literal("jwt_vc_json-ld");
236
- var zJwtVcJsonLdCredentialIssuerMetadata = import_zod7.default.object({
450
+ var import_zod8 = __toESM(require("zod"));
451
+ var zJwtVcJsonLdFormatIdentifier = import_zod8.default.literal("jwt_vc_json-ld");
452
+ var zJwtVcJsonLdCredentialIssuerMetadata = import_zod8.default.object({
237
453
  format: zJwtVcJsonLdFormatIdentifier,
238
454
  credential_definition: zW3cVcJsonLdCredentialDefinition,
239
455
  claims: zIssuerMetadataClaimsDescription.optional()
240
456
  });
241
- var zJwtVcJsonLdCredentialIssuerMetadataDraft14 = import_zod7.default.object({
457
+ var zJwtVcJsonLdCredentialIssuerMetadataDraft14 = import_zod8.default.object({
242
458
  format: zJwtVcJsonLdFormatIdentifier,
243
459
  credential_definition: zW3cVcJsonLdCredentialDefinitionDraft14,
244
- order: import_zod7.default.optional(import_zod7.default.array(import_zod7.default.string()))
460
+ order: import_zod8.default.optional(import_zod8.default.array(import_zod8.default.string()))
245
461
  });
246
- var zJwtVcJsonLdCredentialIssuerMetadataDraft11 = import_zod7.default.object({
247
- order: import_zod7.default.array(import_zod7.default.string()).optional(),
462
+ var zJwtVcJsonLdCredentialIssuerMetadataDraft11 = import_zod8.default.object({
463
+ order: import_zod8.default.array(import_zod8.default.string()).optional(),
248
464
  format: zJwtVcJsonLdFormatIdentifier,
249
465
  // Credential definition was spread on top level instead of a separatey property in v11
250
466
  // As well as using types instead of type
251
- "@context": import_zod7.default.array(import_zod7.default.string()),
252
- types: import_zod7.default.array(import_zod7.default.string()),
467
+ "@context": import_zod8.default.array(import_zod8.default.string()),
468
+ types: import_zod8.default.array(import_zod8.default.string()),
253
469
  credentialSubject: zW3cVcCredentialSubjectDraft14.optional()
254
470
  }).passthrough();
255
471
  var zJwtVcJsonLdCredentialIssuerMetadataDraft11To14 = zJwtVcJsonLdCredentialIssuerMetadataDraft11.transform(
@@ -268,17 +484,17 @@ var zJwtVcJsonLdCredentialIssuerMetadataDraft14To11 = zJwtVcJsonLdCredentialIssu
268
484
  ...credentialDefinition,
269
485
  types: type
270
486
  })).pipe(zJwtVcJsonLdCredentialIssuerMetadataDraft11);
271
- var zJwtVcJsonLdCredentialRequestFormatDraft14 = import_zod7.default.object({
487
+ var zJwtVcJsonLdCredentialRequestFormatDraft14 = import_zod8.default.object({
272
488
  format: zJwtVcJsonLdFormatIdentifier,
273
489
  credential_definition: zW3cVcJsonLdCredentialDefinition
274
490
  });
275
- var zJwtVcJsonLdCredentialRequestDraft11 = import_zod7.default.object({
491
+ var zJwtVcJsonLdCredentialRequestDraft11 = import_zod8.default.object({
276
492
  format: zJwtVcJsonLdFormatIdentifier,
277
- credential_definition: import_zod7.default.object({
278
- "@context": import_zod7.default.array(import_zod7.default.string()),
493
+ credential_definition: import_zod8.default.object({
494
+ "@context": import_zod8.default.array(import_zod8.default.string()),
279
495
  // credential_definition was using types instead of type in v11
280
- types: import_zod7.default.array(import_zod7.default.string()),
281
- credentialSubject: import_zod7.default.optional(zW3cVcCredentialSubjectDraft14)
496
+ types: import_zod8.default.array(import_zod8.default.string()),
497
+ credentialSubject: import_zod8.default.optional(zW3cVcCredentialSubjectDraft14)
282
498
  }).passthrough()
283
499
  }).passthrough();
284
500
  var zJwtVcJsonLdCredentialRequestDraft11To14 = zJwtVcJsonLdCredentialRequestDraft11.transform(
@@ -299,30 +515,30 @@ var zJwtVcJsonLdCredentialRequestDraft14To11 = zJwtVcJsonLdCredentialRequestForm
299
515
  })).pipe(zJwtVcJsonLdCredentialRequestDraft11);
300
516
 
301
517
  // src/formats/credential/w3c-vc/z-w3c-jwt-vc-json.ts
302
- var import_zod8 = __toESM(require("zod"));
303
- var zJwtVcJsonFormatIdentifier = import_zod8.default.literal("jwt_vc_json");
304
- var zJwtVcJsonCredentialDefinition = import_zod8.default.object({
305
- type: import_zod8.default.array(import_zod8.default.string())
518
+ var import_zod9 = __toESM(require("zod"));
519
+ var zJwtVcJsonFormatIdentifier = import_zod9.default.literal("jwt_vc_json");
520
+ var zJwtVcJsonCredentialDefinition = import_zod9.default.object({
521
+ type: import_zod9.default.array(import_zod9.default.string())
306
522
  }).passthrough();
307
523
  var zJwtVcJsonCredentialDefinitionDraft14 = zJwtVcJsonCredentialDefinition.extend({
308
524
  credentialSubject: zW3cVcCredentialSubjectDraft14.optional()
309
525
  });
310
- var zJwtVcJsonCredentialIssuerMetadata = import_zod8.default.object({
526
+ var zJwtVcJsonCredentialIssuerMetadata = import_zod9.default.object({
311
527
  format: zJwtVcJsonFormatIdentifier,
312
528
  credential_definition: zJwtVcJsonCredentialDefinition,
313
529
  claims: zIssuerMetadataClaimsDescription.optional()
314
530
  });
315
- var zJwtVcJsonCredentialIssuerMetadataDraft14 = import_zod8.default.object({
531
+ var zJwtVcJsonCredentialIssuerMetadataDraft14 = import_zod9.default.object({
316
532
  format: zJwtVcJsonFormatIdentifier,
317
533
  credential_definition: zJwtVcJsonCredentialDefinitionDraft14,
318
- order: import_zod8.default.array(import_zod8.default.string()).optional()
534
+ order: import_zod9.default.array(import_zod9.default.string()).optional()
319
535
  });
320
- var zJwtVcJsonCredentialIssuerMetadataDraft11 = import_zod8.default.object({
536
+ var zJwtVcJsonCredentialIssuerMetadataDraft11 = import_zod9.default.object({
321
537
  format: zJwtVcJsonFormatIdentifier,
322
- order: import_zod8.default.array(import_zod8.default.string()).optional(),
538
+ order: import_zod9.default.array(import_zod9.default.string()).optional(),
323
539
  // Credential definition was spread on top level instead of a separatey property in v11
324
540
  // As well as using types instead of type
325
- types: import_zod8.default.array(import_zod8.default.string()),
541
+ types: import_zod9.default.array(import_zod9.default.string()),
326
542
  credentialSubject: zW3cVcCredentialSubjectDraft14.optional()
327
543
  }).passthrough();
328
544
  var zJwtVcJsonCredentialIssuerMetadataDraft11To14 = zJwtVcJsonCredentialIssuerMetadataDraft11.transform(
@@ -340,16 +556,16 @@ var zJwtVcJsonCredentialIssuerMetadataDraft14To11 = zJwtVcJsonCredentialIssuerMe
340
556
  types: type,
341
557
  ...credentialDefinition
342
558
  })).pipe(zJwtVcJsonCredentialIssuerMetadataDraft11);
343
- var zJwtVcJsonCredentialRequestFormatDraft14 = import_zod8.default.object({
559
+ var zJwtVcJsonCredentialRequestFormatDraft14 = import_zod9.default.object({
344
560
  format: zJwtVcJsonFormatIdentifier,
345
561
  credential_definition: zJwtVcJsonCredentialDefinition
346
562
  });
347
- var zJwtVcJsonCredentialRequestDraft11 = import_zod8.default.object({
563
+ var zJwtVcJsonCredentialRequestDraft11 = import_zod9.default.object({
348
564
  format: zJwtVcJsonFormatIdentifier,
349
565
  // Credential definition was spread on top level instead of a separatey property in v11
350
566
  // As well as using types instead of type
351
- types: import_zod8.default.array(import_zod8.default.string()),
352
- credentialSubject: import_zod8.default.optional(zW3cVcCredentialSubjectDraft14)
567
+ types: import_zod9.default.array(import_zod9.default.string()),
568
+ credentialSubject: import_zod9.default.optional(zW3cVcCredentialSubjectDraft14)
353
569
  }).passthrough();
354
570
  var zJwtVcJsonCredentialRequestDraft11To14 = zJwtVcJsonCredentialRequestDraft11.transform(
355
571
  ({ types, credentialSubject, ...rest }) => {
@@ -369,81 +585,76 @@ var zJwtVcJsonCredentialRequestDraft14To11 = zJwtVcJsonCredentialRequestFormatDr
369
585
  ...credentialDefinition
370
586
  })).pipe(zJwtVcJsonCredentialRequestDraft11);
371
587
 
372
- // src/version.ts
373
- var Openid4vciDraftVersion = /* @__PURE__ */ ((Openid4vciDraftVersion2) => {
374
- Openid4vciDraftVersion2["Draft15"] = "Draft15";
375
- Openid4vciDraftVersion2["Draft14"] = "Draft14";
376
- Openid4vciDraftVersion2["Draft11"] = "Draft11";
377
- return Openid4vciDraftVersion2;
378
- })(Openid4vciDraftVersion || {});
379
-
380
588
  // src/metadata/credential-issuer/z-credential-configuration-supported-common.ts
381
- var import_zod10 = __toESM(require("zod"));
589
+ var import_zod11 = __toESM(require("zod"));
382
590
 
383
591
  // src/key-attestation/z-key-attestation.ts
384
- var import_oauth2 = require("@openid4vc/oauth2");
385
- var import_utils = require("@openid4vc/utils");
386
- var import_zod9 = __toESM(require("zod"));
387
- var zKeyAttestationJwtHeader = import_zod9.default.object({
388
- ...import_oauth2.zJwtHeader.shape,
389
- typ: import_zod9.default.literal("keyattestation+jwt")
592
+ var import_oauth23 = require("@openid4vc/oauth2");
593
+ var import_utils3 = require("@openid4vc/utils");
594
+ var import_zod10 = __toESM(require("zod"));
595
+ var zKeyAttestationJwtHeader = import_zod10.default.object({
596
+ ...import_oauth23.zJwtHeader.shape,
597
+ typ: import_zod10.default.literal("keyattestation+jwt").or(
598
+ // Draft 16
599
+ import_zod10.default.literal("key-attestation+jwt")
600
+ )
390
601
  }).passthrough().refine(({ kid, jwk }) => jwk === void 0 || kid === void 0, {
391
602
  message: `Both 'jwk' and 'kid' are defined. Only one is allowed`
392
603
  }).refine(({ trust_chain, kid }) => !trust_chain || !kid, {
393
604
  message: `When 'trust_chain' is provided, 'kid' is required`
394
605
  });
395
- var zIso18045 = import_zod9.default.enum(["iso_18045_high", "iso_18045_moderate", "iso_18045_enhanced-basic", "iso_18045_basic"]);
396
- var zIso18045OrStringArray = import_zod9.default.array(import_zod9.default.union([zIso18045, import_zod9.default.string()]));
397
- var zKeyAttestationJwtPayload = import_zod9.default.object({
398
- ...import_oauth2.zJwtPayload.shape,
399
- iat: import_utils.zInteger,
400
- attested_keys: import_zod9.default.array(import_oauth2.zJwk),
401
- key_storage: import_zod9.default.optional(zIso18045OrStringArray),
402
- user_authentication: import_zod9.default.optional(zIso18045OrStringArray),
403
- certification: import_zod9.default.optional(import_zod9.default.string().url())
606
+ var zIso18045 = import_zod10.default.enum(["iso_18045_high", "iso_18045_moderate", "iso_18045_enhanced-basic", "iso_18045_basic"]);
607
+ var zIso18045OrStringArray = import_zod10.default.array(import_zod10.default.union([zIso18045, import_zod10.default.string()]));
608
+ var zKeyAttestationJwtPayload = import_zod10.default.object({
609
+ ...import_oauth23.zJwtPayload.shape,
610
+ iat: import_utils3.zInteger,
611
+ attested_keys: import_zod10.default.array(import_oauth23.zJwk),
612
+ key_storage: import_zod10.default.optional(zIso18045OrStringArray),
613
+ user_authentication: import_zod10.default.optional(zIso18045OrStringArray),
614
+ certification: import_zod10.default.optional(import_zod10.default.string().url())
404
615
  }).passthrough();
405
- var zKeyAttestationJwtPayloadForUse = (use) => import_zod9.default.object({
616
+ var zKeyAttestationJwtPayloadForUse = (use) => import_zod10.default.object({
406
617
  ...zKeyAttestationJwtPayload.shape,
407
618
  // REQUIRED when used as proof_type.attesation directly
408
- nonce: use === "proof_type.attestation" ? import_zod9.default.string({
619
+ nonce: use === "proof_type.attestation" ? import_zod10.default.string({
409
620
  message: `Nonce must be defined when key attestation is used as 'proof_type.attestation' directly`
410
- }) : import_zod9.default.optional(import_zod9.default.string()),
621
+ }) : import_zod10.default.optional(import_zod10.default.string()),
411
622
  // REQUIRED when used within header of proof_type.jwt
412
- exp: use === "proof_type.jwt" ? import_utils.zInteger : import_zod9.default.optional(import_utils.zInteger)
623
+ exp: use === "proof_type.jwt" ? import_utils3.zInteger : import_zod10.default.optional(import_utils3.zInteger)
413
624
  }).passthrough();
414
625
 
415
626
  // src/metadata/credential-issuer/z-credential-configuration-supported-common.ts
416
- var zCredentialConfigurationSupportedCommon = import_zod10.default.object({
417
- format: import_zod10.default.string(),
418
- scope: import_zod10.default.string().optional(),
419
- cryptographic_binding_methods_supported: import_zod10.default.array(import_zod10.default.string()).optional(),
420
- credential_signing_alg_values_supported: import_zod10.default.array(import_zod10.default.string()).optional(),
421
- proof_types_supported: import_zod10.default.record(
422
- import_zod10.default.union([import_zod10.default.literal("jwt"), import_zod10.default.literal("attestation"), import_zod10.default.string()]),
423
- import_zod10.default.object({
424
- proof_signing_alg_values_supported: import_zod10.default.array(import_zod10.default.string()),
425
- key_attestations_required: import_zod10.default.object({
627
+ var zCredentialConfigurationSupportedCommon = import_zod11.default.object({
628
+ format: import_zod11.default.string(),
629
+ scope: import_zod11.default.string().optional(),
630
+ cryptographic_binding_methods_supported: import_zod11.default.array(import_zod11.default.string()).optional(),
631
+ credential_signing_alg_values_supported: import_zod11.default.array(import_zod11.default.string()).optional(),
632
+ proof_types_supported: import_zod11.default.record(
633
+ import_zod11.default.union([import_zod11.default.literal("jwt"), import_zod11.default.literal("attestation"), import_zod11.default.string()]),
634
+ import_zod11.default.object({
635
+ proof_signing_alg_values_supported: import_zod11.default.array(import_zod11.default.string()),
636
+ key_attestations_required: import_zod11.default.object({
426
637
  key_storage: zIso18045OrStringArray.optional(),
427
638
  user_authentication: zIso18045OrStringArray.optional()
428
639
  }).passthrough().optional()
429
640
  })
430
641
  ).optional(),
431
- display: import_zod10.default.array(
432
- import_zod10.default.object({
433
- name: import_zod10.default.string(),
434
- locale: import_zod10.default.string().optional(),
435
- logo: import_zod10.default.object({
642
+ display: import_zod11.default.array(
643
+ import_zod11.default.object({
644
+ name: import_zod11.default.string(),
645
+ locale: import_zod11.default.string().optional(),
646
+ logo: import_zod11.default.object({
436
647
  // FIXME: make required again, but need to support draft 11 first
437
- uri: import_zod10.default.string().optional(),
438
- alt_text: import_zod10.default.string().optional()
648
+ uri: import_zod11.default.string().optional(),
649
+ alt_text: import_zod11.default.string().optional()
439
650
  }).passthrough().optional(),
440
- description: import_zod10.default.string().optional(),
441
- background_color: import_zod10.default.string().optional(),
442
- background_image: import_zod10.default.object({
651
+ description: import_zod11.default.string().optional(),
652
+ background_color: import_zod11.default.string().optional(),
653
+ background_image: import_zod11.default.object({
443
654
  // TODO: should be required, but paradym's metadata is wrong here.
444
- uri: import_zod10.default.string().optional()
655
+ uri: import_zod11.default.string().optional()
445
656
  }).passthrough().optional(),
446
- text_color: import_zod10.default.string().optional()
657
+ text_color: import_zod11.default.string().optional()
447
658
  }).passthrough()
448
659
  ).optional()
449
660
  }).passthrough();
@@ -478,8 +689,8 @@ var zCredentialConfigurationSupportedWithFormats = zCredentialConfigurationSuppo
478
689
  },
479
690
  {}
480
691
  )[data.format];
481
- const result = import_zod11.default.object({}).passthrough().and(
482
- validators.length > 1 ? import_zod11.default.union(validators) : validators[0]
692
+ const result = import_zod12.default.object({}).passthrough().and(
693
+ validators.length > 1 ? import_zod12.default.union(validators) : validators[0]
483
694
  ).safeParse(data);
484
695
  if (result.success) {
485
696
  return result.data;
@@ -487,49 +698,49 @@ var zCredentialConfigurationSupportedWithFormats = zCredentialConfigurationSuppo
487
698
  for (const issue of result.error.issues) {
488
699
  ctx.addIssue(issue);
489
700
  }
490
- return import_zod11.default.NEVER;
701
+ return import_zod12.default.NEVER;
491
702
  }
492
703
  );
493
- var zCredentialIssuerMetadataDisplayEntry = import_zod11.default.object({
494
- name: import_zod11.default.string().optional(),
495
- locale: import_zod11.default.string().optional(),
496
- logo: import_zod11.default.object({
704
+ var zCredentialIssuerMetadataDisplayEntry = import_zod12.default.object({
705
+ name: import_zod12.default.string().optional(),
706
+ locale: import_zod12.default.string().optional(),
707
+ logo: import_zod12.default.object({
497
708
  // FIXME: make required again, but need to support draft 11 first
498
- uri: import_zod11.default.string().optional(),
499
- alt_text: import_zod11.default.string().optional()
709
+ uri: import_zod12.default.string().optional(),
710
+ alt_text: import_zod12.default.string().optional()
500
711
  }).passthrough().optional()
501
712
  }).passthrough();
502
- var zCredentialIssuerMetadataDraft14Draft15 = import_zod11.default.object({
503
- credential_issuer: import_utils2.zHttpsUrl,
504
- authorization_servers: import_zod11.default.array(import_utils2.zHttpsUrl).optional(),
505
- credential_endpoint: import_utils2.zHttpsUrl,
506
- deferred_credential_endpoint: import_utils2.zHttpsUrl.optional(),
507
- notification_endpoint: import_utils2.zHttpsUrl.optional(),
713
+ var zCredentialIssuerMetadataDraft14Draft15 = import_zod12.default.object({
714
+ credential_issuer: import_utils4.zHttpsUrl,
715
+ authorization_servers: import_zod12.default.array(import_utils4.zHttpsUrl).optional(),
716
+ credential_endpoint: import_utils4.zHttpsUrl,
717
+ deferred_credential_endpoint: import_utils4.zHttpsUrl.optional(),
718
+ notification_endpoint: import_utils4.zHttpsUrl.optional(),
508
719
  // Added after draft 14, but needed for proper
509
- nonce_endpoint: import_utils2.zHttpsUrl.optional(),
510
- credential_response_encryption: import_zod11.default.object({
511
- alg_values_supported: import_zod11.default.array(import_zod11.default.string()),
512
- enc_values_supported: import_zod11.default.array(import_zod11.default.string()),
513
- encryption_required: import_zod11.default.boolean()
720
+ nonce_endpoint: import_utils4.zHttpsUrl.optional(),
721
+ credential_response_encryption: import_zod12.default.object({
722
+ alg_values_supported: import_zod12.default.array(import_zod12.default.string()),
723
+ enc_values_supported: import_zod12.default.array(import_zod12.default.string()),
724
+ encryption_required: import_zod12.default.boolean()
514
725
  }).passthrough().optional(),
515
- batch_credential_issuance: import_zod11.default.object({
516
- batch_size: import_zod11.default.number().positive()
726
+ batch_credential_issuance: import_zod12.default.object({
727
+ batch_size: import_zod12.default.number().positive()
517
728
  }).passthrough().optional(),
518
- signed_metadata: import_oauth22.zCompactJwt.optional(),
519
- display: import_zod11.default.array(zCredentialIssuerMetadataDisplayEntry).optional(),
520
- credential_configurations_supported: import_zod11.default.record(import_zod11.default.string(), zCredentialConfigurationSupportedWithFormats)
729
+ signed_metadata: import_oauth24.zCompactJwt.optional(),
730
+ display: import_zod12.default.array(zCredentialIssuerMetadataDisplayEntry).optional(),
731
+ credential_configurations_supported: import_zod12.default.record(import_zod12.default.string(), zCredentialConfigurationSupportedWithFormats)
521
732
  }).passthrough();
522
- var zCredentialConfigurationSupportedDraft11To14 = import_zod11.default.object({
523
- id: import_zod11.default.string().optional(),
524
- format: import_zod11.default.string(),
525
- cryptographic_suites_supported: import_zod11.default.array(import_zod11.default.string()).optional(),
526
- display: import_zod11.default.array(
527
- import_zod11.default.object({
528
- logo: import_zod11.default.object({
529
- url: import_zod11.default.string().url().optional()
733
+ var zCredentialConfigurationSupportedDraft11To14 = import_zod12.default.object({
734
+ id: import_zod12.default.string().optional(),
735
+ format: import_zod12.default.string(),
736
+ cryptographic_suites_supported: import_zod12.default.array(import_zod12.default.string()).optional(),
737
+ display: import_zod12.default.array(
738
+ import_zod12.default.object({
739
+ logo: import_zod12.default.object({
740
+ url: import_zod12.default.string().url().optional()
530
741
  }).passthrough().optional(),
531
- background_image: import_zod11.default.object({
532
- url: import_zod11.default.string().url().optional()
742
+ background_image: import_zod12.default.object({
743
+ url: import_zod12.default.string().url().optional()
533
744
  }).passthrough().optional()
534
745
  }).passthrough()
535
746
  ).optional()
@@ -570,11 +781,11 @@ var zCredentialConfigurationSupportedDraft11To14 = import_zod11.default.object({
570
781
  for (const issue of result.error.issues) {
571
782
  ctx.addIssue(issue);
572
783
  }
573
- return import_zod11.default.NEVER;
784
+ return import_zod12.default.NEVER;
574
785
  }).pipe(zCredentialConfigurationSupportedWithFormats);
575
786
  var zCredentialConfigurationSupportedDraft14To11 = zCredentialConfigurationSupportedWithFormats.and(
576
- import_zod11.default.object({
577
- id: import_zod11.default.string()
787
+ import_zod12.default.object({
788
+ id: import_zod12.default.string()
578
789
  }).passthrough()
579
790
  ).transform(({ id, credential_signing_alg_values_supported, display, proof_types_supported, scope, ...rest }) => ({
580
791
  ...rest,
@@ -594,15 +805,15 @@ var zCredentialConfigurationSupportedDraft14To11 = zCredentialConfigurationSuppo
594
805
  } : {},
595
806
  id
596
807
  })).pipe(
597
- import_zod11.default.union([
808
+ import_zod12.default.union([
598
809
  zLdpVcCredentialIssuerMetadataDraft14To11,
599
810
  zJwtVcJsonCredentialIssuerMetadataDraft14To11,
600
811
  zJwtVcJsonLdCredentialIssuerMetadataDraft14To11,
601
812
  // To handle unrecognized formats and not error immediately we allow the common format as well
602
813
  // but they can't use any of the foramt identifiers that have a specific transformation. This way if a format is
603
814
  // has a transformation it NEEDS to use the format specific transformation, and otherwise we fall back to the common validation
604
- import_zod11.default.object({
605
- format: import_zod11.default.string().refine(
815
+ import_zod12.default.object({
816
+ format: import_zod12.default.string().refine(
606
817
  (input) => ![
607
818
  zLdpVcFormatIdentifier.value,
608
819
  zJwtVcJsonFormatIdentifier.value,
@@ -612,11 +823,11 @@ var zCredentialConfigurationSupportedDraft14To11 = zCredentialConfigurationSuppo
612
823
  }).passthrough()
613
824
  ])
614
825
  );
615
- var zCredentialIssuerMetadataDraft11To14 = import_zod11.default.object({
616
- authorization_server: import_zod11.default.string().optional(),
617
- credentials_supported: import_zod11.default.array(
618
- import_zod11.default.object({
619
- id: import_zod11.default.string().optional()
826
+ var zCredentialIssuerMetadataDraft11To14 = import_zod12.default.object({
827
+ authorization_server: import_zod12.default.string().optional(),
828
+ credentials_supported: import_zod12.default.array(
829
+ import_zod12.default.object({
830
+ id: import_zod12.default.string().optional()
620
831
  }).passthrough()
621
832
  )
622
833
  }).passthrough().transform(({ authorization_server, credentials_supported, ...rest }) => {
@@ -629,9 +840,9 @@ var zCredentialIssuerMetadataDraft11To14 = import_zod11.default.object({
629
840
  )
630
841
  };
631
842
  }).pipe(
632
- import_zod11.default.object({
843
+ import_zod12.default.object({
633
844
  // Update from v11 structrue to v14 structure
634
- credential_configurations_supported: import_zod11.default.record(import_zod11.default.string(), zCredentialConfigurationSupportedDraft11To14)
845
+ credential_configurations_supported: import_zod12.default.record(import_zod12.default.string(), zCredentialConfigurationSupportedDraft11To14)
635
846
  }).passthrough()
636
847
  ).pipe(zCredentialIssuerMetadataDraft14Draft15);
637
848
  var zCredentialIssuerMetadataWithDraft11 = zCredentialIssuerMetadataDraft14Draft15.transform((issuerMetadata) => ({
@@ -643,16 +854,16 @@ var zCredentialIssuerMetadataWithDraft11 = zCredentialIssuerMetadataDraft14Draft
643
854
  }))
644
855
  })).pipe(
645
856
  zCredentialIssuerMetadataDraft14Draft15.extend({
646
- credentials_supported: import_zod11.default.array(zCredentialConfigurationSupportedDraft14To11)
857
+ credentials_supported: import_zod12.default.array(zCredentialConfigurationSupportedDraft14To11)
647
858
  })
648
859
  );
649
- var zCredentialIssuerMetadata = import_zod11.default.union([
860
+ var zCredentialIssuerMetadata = import_zod12.default.union([
650
861
  // First prioritize draft 15/14 (and 13)
651
862
  zCredentialIssuerMetadataDraft14Draft15,
652
863
  // Then try parsing draft 11 and transform into draft 14
653
864
  zCredentialIssuerMetadataDraft11To14
654
865
  ]);
655
- var zCredentialIssuerMetadataWithDraftVersion = import_zod11.default.union([
866
+ var zCredentialIssuerMetadataWithDraftVersion = import_zod12.default.union([
656
867
  zCredentialIssuerMetadataDraft14Draft15.transform((credentialIssuerMetadata) => {
657
868
  const isDraft15 = Object.values(credentialIssuerMetadata.credential_configurations_supported).some(
658
869
  (configuration) => {
@@ -681,10 +892,10 @@ var zCredentialIssuerMetadataWithDraftVersion = import_zod11.default.union([
681
892
  // src/metadata/credential-issuer/credential-issuer-metadata.ts
682
893
  var wellKnownCredentialIssuerSuffix = ".well-known/openid-credential-issuer";
683
894
  async function fetchCredentialIssuerMetadata(credentialIssuer, fetch) {
684
- const wellKnownMetadataUrl = (0, import_utils3.joinUriParts)(credentialIssuer, [wellKnownCredentialIssuerSuffix]);
685
- const result = await (0, import_oauth23.fetchWellKnownMetadata)(wellKnownMetadataUrl, zCredentialIssuerMetadataWithDraftVersion, fetch);
895
+ const wellKnownMetadataUrl = (0, import_utils5.joinUriParts)(credentialIssuer, [wellKnownCredentialIssuerSuffix]);
896
+ const result = await (0, import_oauth25.fetchWellKnownMetadata)(wellKnownMetadataUrl, zCredentialIssuerMetadataWithDraftVersion, fetch);
686
897
  if (result && result.credentialIssuerMetadata.credential_issuer !== credentialIssuer) {
687
- throw new import_oauth23.Oauth2Error(
898
+ throw new import_oauth25.Oauth2Error(
688
899
  `The 'credential_issuer' parameter '${result.credentialIssuerMetadata.credential_issuer}' in the well known credential issuer metadata at '${wellKnownMetadataUrl}' does not match the provided credential issuer '${credentialIssuer}'.`
689
900
  );
690
901
  }
@@ -700,7 +911,7 @@ function extractKnownCredentialConfigurationSupportedFormats(credentialConfigura
700
911
  function getCredentialConfigurationSupportedById(credentialConfigurations, credentialConfigurationId) {
701
912
  const configuration = credentialConfigurations[credentialConfigurationId];
702
913
  if (!configuration) {
703
- throw new import_oauth23.Oauth2Error(
914
+ throw new import_oauth25.Oauth2Error(
704
915
  `Credential configuration with id '${credentialConfigurationId}' not found in credential configurations supported.`
705
916
  );
706
917
  }
@@ -719,10 +930,10 @@ function getCredentialConfigurationsMatchingRequestFormat({
719
930
  const r = requestFormat;
720
931
  const c = credentialConfiguration;
721
932
  if ((c.format === "ldp_vc" || c.format === "jwt_vc_json-ld") && r.format === c.format) {
722
- return (0, import_utils4.arrayEqualsIgnoreOrder)(r.credential_definition.type, c.credential_definition.type) && (0, import_utils4.arrayEqualsIgnoreOrder)(r.credential_definition["@context"], c.credential_definition["@context"]);
933
+ return (0, import_utils6.arrayEqualsIgnoreOrder)(r.credential_definition.type, c.credential_definition.type) && (0, import_utils6.arrayEqualsIgnoreOrder)(r.credential_definition["@context"], c.credential_definition["@context"]);
723
934
  }
724
935
  if (c.format === "jwt_vc_json" && r.format === c.format) {
725
- return (0, import_utils4.arrayEqualsIgnoreOrder)(r.credential_definition.type, c.credential_definition.type);
936
+ return (0, import_utils6.arrayEqualsIgnoreOrder)(r.credential_definition.type, c.credential_definition.type);
726
937
  }
727
938
  if (c.format === "vc+sd-jwt" && r.format === c.format) {
728
939
  return r.vct === c.vct;
@@ -764,22 +975,74 @@ var Openid4vciSendNotificationError = class extends Openid4vciError {
764
975
  }
765
976
  };
766
977
 
978
+ // src/key-attestation/key-attestation.ts
979
+ var import_oauth26 = require("@openid4vc/oauth2");
980
+ var import_oauth27 = require("@openid4vc/oauth2");
981
+ var import_utils7 = require("@openid4vc/utils");
982
+ async function createKeyAttestationJwt(options) {
983
+ const header = (0, import_utils7.parseWithErrorHandling)(zKeyAttestationJwtHeader, {
984
+ ...(0, import_oauth26.jwtHeaderFromJwtSigner)(options.signer),
985
+ typ: "keyattestation+jwt"
986
+ });
987
+ const payload = (0, import_utils7.parseWithErrorHandling)(zKeyAttestationJwtPayloadForUse(options.use), {
988
+ iat: (0, import_utils7.dateToSeconds)(options.issuedAt),
989
+ exp: options.expiresAt ? (0, import_utils7.dateToSeconds)(options.expiresAt) : void 0,
990
+ nonce: options.nonce,
991
+ attested_keys: options.attestedKeys,
992
+ user_authentication: options.userAuthentication,
993
+ key_storage: options.keyStorage,
994
+ certification: options.certification,
995
+ ...options.additionalPayload
996
+ });
997
+ const { jwt } = await options.callbacks.signJwt(options.signer, { header, payload });
998
+ return jwt;
999
+ }
1000
+ function parseKeyAttestationJwt({ keyAttestationJwt, use }) {
1001
+ return (0, import_oauth26.decodeJwt)({
1002
+ jwt: keyAttestationJwt,
1003
+ headerSchema: zKeyAttestationJwtHeader,
1004
+ payloadSchema: zKeyAttestationJwtPayloadForUse(use)
1005
+ });
1006
+ }
1007
+ async function verifyKeyAttestationJwt(options) {
1008
+ const { header, payload } = parseKeyAttestationJwt({ keyAttestationJwt: options.keyAttestationJwt, use: options.use });
1009
+ const now = options.now?.getTime() ?? Date.now();
1010
+ if (options.nonceExpiresAt && now > options.nonceExpiresAt.getTime()) {
1011
+ throw new Openid4vciError("Nonce used for key attestation jwt expired");
1012
+ }
1013
+ const { signer } = await (0, import_oauth27.verifyJwt)({
1014
+ compact: options.keyAttestationJwt,
1015
+ header,
1016
+ payload,
1017
+ signer: (0, import_oauth27.jwtSignerFromJwt)({ header, payload }),
1018
+ verifyJwtCallback: options.callbacks.verifyJwt,
1019
+ errorMessage: "Error verifiying key attestation jwt",
1020
+ expectedNonce: options.expectedNonce,
1021
+ now: options.now
1022
+ });
1023
+ return {
1024
+ header,
1025
+ payload,
1026
+ signer
1027
+ };
1028
+ }
1029
+
767
1030
  // src/metadata/credential-issuer/credential-configurations.ts
768
- var import_oauth24 = require("@openid4vc/oauth2");
769
- var import_utils5 = require("@openid4vc/utils");
1031
+ var import_oauth28 = require("@openid4vc/oauth2");
1032
+ var import_utils8 = require("@openid4vc/utils");
770
1033
  function extractScopesForCredentialConfigurationIds(options) {
771
1034
  const scopes = /* @__PURE__ */ new Set();
772
1035
  for (const credentialConfigurationId of options.credentialConfigurationIds) {
773
1036
  const credentialConfiguration = options.issuerMetadata.credentialIssuer.credential_configurations_supported[credentialConfigurationId];
774
1037
  if (!credentialConfiguration) {
775
- throw new import_oauth24.Oauth2Error(
1038
+ throw new import_oauth28.Oauth2Error(
776
1039
  `Credential configuration with id '${credentialConfigurationId}' not found in metadata from credential issuer '${options.issuerMetadata.credentialIssuer.credential_issuer}'`
777
1040
  );
778
1041
  }
779
1042
  const scope = credentialConfiguration.scope;
780
1043
  if (scope) scopes.add(scope);
781
1044
  else if (!scope && options.throwOnConfigurationWithoutScope) {
782
- throw new import_oauth24.Oauth2Error(
1045
+ throw new import_oauth28.Oauth2Error(
783
1046
  `Credential configuration with id '${credentialConfigurationId}' does not have a 'scope' configured, and 'throwOnConfigurationWithoutScope' was enabled.`
784
1047
  );
785
1048
  }
@@ -797,7 +1060,7 @@ function credentialsSupportedToCredentialConfigurationsSupported(credentialsSupp
797
1060
  }
798
1061
  const parseResult = zCredentialConfigurationSupportedDraft11To14.safeParse(credentialSupported);
799
1062
  if (!parseResult.success) {
800
- throw new import_utils5.ValidationError(
1063
+ throw new import_utils8.ValidationError(
801
1064
  `Error transforming credential supported with id '${credentialSupported.id}' to credential configuration supported format`,
802
1065
  parseResult.error
803
1066
  );
@@ -810,228 +1073,26 @@ function credentialsSupportedToCredentialConfigurationsSupported(credentialsSupp
810
1073
  // src/Openid4vciClient.ts
811
1074
  var import_oauth218 = require("@openid4vc/oauth2");
812
1075
 
813
- // src/credential-offer/credential-offer.ts
814
- var import_oauth26 = require("@openid4vc/oauth2");
815
- var import_utils7 = require("@openid4vc/utils");
816
-
817
- // src/credential-offer/z-credential-offer.ts
818
- var import_oauth25 = require("@openid4vc/oauth2");
819
- var import_utils6 = require("@openid4vc/utils");
820
- var import_zod12 = __toESM(require("zod"));
821
- var zTxCode = import_zod12.default.object({
822
- input_mode: import_zod12.default.union([import_zod12.default.literal("numeric"), import_zod12.default.literal("text")]).optional(),
823
- length: import_zod12.default.number().int().optional(),
824
- description: import_zod12.default.string().max(300).optional()
825
- }).passthrough();
826
- var zCredentialOfferGrants = import_zod12.default.object({
827
- authorization_code: import_zod12.default.object({
828
- issuer_state: import_zod12.default.string().optional(),
829
- authorization_server: import_utils6.zHttpsUrl.optional()
830
- }).passthrough().optional(),
831
- [import_oauth25.preAuthorizedCodeGrantIdentifier]: import_zod12.default.object({
832
- "pre-authorized_code": import_zod12.default.string(),
833
- tx_code: zTxCode.optional(),
834
- authorization_server: import_utils6.zHttpsUrl.optional()
835
- }).passthrough().optional()
836
- }).passthrough();
837
- var zCredentialOfferObjectDraft14 = import_zod12.default.object({
838
- credential_issuer: import_utils6.zHttpsUrl,
839
- credential_configuration_ids: import_zod12.default.array(import_zod12.default.string()),
840
- grants: import_zod12.default.optional(zCredentialOfferGrants)
841
- }).passthrough();
842
- var zCredentialOfferObjectDraft11To14 = import_zod12.default.object({
843
- credential_issuer: import_utils6.zHttpsUrl,
844
- // We don't support the inline offer objects from draft 11
845
- credentials: import_zod12.default.array(
846
- import_zod12.default.string({ message: "Only string credential identifiers are supported for draft 11 credential offers" })
847
- ),
848
- grants: import_zod12.default.optional(
849
- import_zod12.default.object({
850
- // Has extra param in draft 14, but doesn't matter for transform purposes
851
- authorization_code: zCredentialOfferGrants.shape.authorization_code,
852
- [import_oauth25.preAuthorizedCodeGrantIdentifier]: import_zod12.default.object({
853
- "pre-authorized_code": import_zod12.default.string(),
854
- user_pin_required: import_zod12.default.optional(import_zod12.default.boolean())
855
- }).passthrough().optional()
856
- })
857
- )
858
- }).passthrough().transform(({ credentials, grants, ...rest }) => {
859
- const v14 = {
860
- ...rest,
861
- credential_configuration_ids: credentials
862
- };
863
- if (grants) {
864
- v14.grants = { ...grants };
865
- if (grants[import_oauth25.preAuthorizedCodeGrantIdentifier]) {
866
- const { user_pin_required, ...restGrants } = grants[import_oauth25.preAuthorizedCodeGrantIdentifier];
867
- v14.grants[import_oauth25.preAuthorizedCodeGrantIdentifier] = {
868
- ...restGrants
869
- };
870
- if (user_pin_required) {
871
- v14.grants[import_oauth25.preAuthorizedCodeGrantIdentifier].tx_code = {
872
- input_mode: "text"
873
- };
874
- }
875
- }
876
- }
877
- return v14;
878
- }).pipe(zCredentialOfferObjectDraft14);
879
- var zCredentialOfferObject = import_zod12.default.union([
880
- // First prioritize draft 14 (and 13)
881
- zCredentialOfferObjectDraft14,
882
- // Then try parsing draft 11 and transform into draft 14
883
- zCredentialOfferObjectDraft11To14
884
- ]);
885
-
886
- // src/credential-offer/credential-offer.ts
887
- async function resolveCredentialOffer(credentialOffer, options) {
888
- const parsedQueryParams = (0, import_utils7.getQueryParams)(credentialOffer);
889
- let credentialOfferParseResult;
890
- if (parsedQueryParams.credential_offer_uri) {
891
- const fetchWithZod = (0, import_utils7.createZodFetcher)(options?.fetch);
892
- const { response, result } = await fetchWithZod(
893
- zCredentialOfferObject,
894
- import_utils7.ContentType.Json,
895
- parsedQueryParams.credential_offer_uri
896
- );
897
- if (!response.ok || !result) {
898
- throw new import_oauth26.InvalidFetchResponseError(
899
- `Fetching credential offer from '${parsedQueryParams.credential_offer_uri}' resulted in an unsuccesfull response with status '${response.status}'`,
900
- await response.clone().text(),
901
- response
902
- );
903
- }
904
- credentialOfferParseResult = result;
905
- } else if (parsedQueryParams.credential_offer) {
906
- let credentialOfferJson;
907
- try {
908
- credentialOfferJson = JSON.parse(decodeURIComponent(parsedQueryParams.credential_offer));
909
- } catch (error) {
910
- throw new import_oauth26.Oauth2Error(`Error parsing JSON from 'credential_offer' param in credential offer '${credentialOffer}'`);
911
- }
912
- credentialOfferParseResult = zCredentialOfferObject.safeParse(credentialOfferJson);
913
- } else {
914
- throw new import_oauth26.Oauth2Error(`Credential offer did not contain either 'credential_offer' or 'credential_offer_uri' param.`);
915
- }
916
- if (credentialOfferParseResult.error) {
917
- throw new import_utils7.ValidationError(
918
- `Error parsing credential offer in draft 11, 13 or 14 format extracted from credential offer '${credentialOffer}'`,
919
- credentialOfferParseResult.error
920
- );
921
- }
922
- return credentialOfferParseResult.data;
923
- }
924
- function determineAuthorizationServerForCredentialOffer(options) {
925
- const authorizationServers = options.issuerMetadata.credentialIssuer.authorization_servers;
926
- let authorizationServer;
927
- if (options.grantAuthorizationServer) {
928
- authorizationServer = options.grantAuthorizationServer;
929
- if (!authorizationServers) {
930
- throw new import_oauth26.Oauth2Error(
931
- `Credential offer grant contains 'authorization_server' with value '${options.grantAuthorizationServer}' but credential issuer metadata does not have an 'authorization_servers' property to match the value against.`
932
- );
933
- }
934
- if (!authorizationServers.includes(authorizationServer)) {
935
- throw new import_oauth26.Oauth2Error(
936
- `Credential offer grant contains 'authorization_server' with value '${options.grantAuthorizationServer}' but credential issuer metadata does not include this authorization server. Available 'authorization_server' values are ${authorizationServers.join(", ")}.`
937
- );
938
- }
939
- } else if (!authorizationServers) {
940
- authorizationServer = options.issuerMetadata.credentialIssuer.credential_issuer;
941
- } else {
942
- if (authorizationServers.length === 0) {
943
- throw new import_oauth26.Oauth2Error(`Credential issuer metadata has 'authorization_servers' value with length of 0`);
944
- }
945
- if (authorizationServers.length > 1) {
946
- throw new import_oauth26.Oauth2Error(
947
- `Credential issuer metadata has 'authorization_server' with multiple entries, but the credential offer grant did not specify which authorization server to use.`
948
- );
949
- }
950
- authorizationServer = authorizationServers[0];
951
- }
952
- return authorizationServer;
953
- }
954
- async function createCredentialOffer(options) {
955
- const {
956
- [import_oauth26.preAuthorizedCodeGrantIdentifier]: preAuthorizedCodeGrant,
957
- [import_oauth26.authorizationCodeGrantIdentifier]: authorizationCodeGrant,
958
- ...restGrants
959
- } = options.grants;
960
- const grants = { ...restGrants };
961
- if (authorizationCodeGrant) {
962
- determineAuthorizationServerForCredentialOffer({
963
- issuerMetadata: options.issuerMetadata,
964
- grantAuthorizationServer: authorizationCodeGrant.authorization_server
965
- });
966
- grants[import_oauth26.authorizationCodeGrantIdentifier] = authorizationCodeGrant;
967
- }
968
- if (preAuthorizedCodeGrant) {
969
- determineAuthorizationServerForCredentialOffer({
970
- issuerMetadata: options.issuerMetadata,
971
- grantAuthorizationServer: preAuthorizedCodeGrant.authorization_server
972
- });
973
- grants[import_oauth26.preAuthorizedCodeGrantIdentifier] = {
974
- ...preAuthorizedCodeGrant,
975
- "pre-authorized_code": preAuthorizedCodeGrant["pre-authorized_code"] ?? (0, import_utils7.encodeToBase64Url)(await options.callbacks.generateRandom(32))
976
- };
977
- const txCode = grants[import_oauth26.preAuthorizedCodeGrantIdentifier].tx_code;
978
- if (txCode && options.issuerMetadata.originalDraftVersion === "Draft11" /* Draft11 */) {
979
- grants[import_oauth26.preAuthorizedCodeGrantIdentifier].user_pin_required = txCode !== void 0;
980
- }
981
- }
982
- const idsNotInMetadata = options.credentialConfigurationIds.filter(
983
- (id) => options.issuerMetadata.credentialIssuer.credential_configurations_supported[id] === void 0
984
- );
985
- if (idsNotInMetadata.length > 0) {
986
- throw new import_oauth26.Oauth2Error(
987
- `Credential configuration ids ${idsNotInMetadata} not found in the credential issuer metadata 'credential_configurations_supported'. Available ids are ${Object.keys(options.issuerMetadata.credentialIssuer.credential_configurations_supported).join(", ")}.`
988
- );
989
- }
990
- const credentialOfferScheme = options.credentialOfferScheme ?? "openid-credential-offer://";
991
- const credentialOfferObject = (0, import_utils7.parseWithErrorHandling)(zCredentialOfferObject, {
992
- credential_issuer: options.issuerMetadata.credentialIssuer.credential_issuer,
993
- credential_configuration_ids: options.credentialConfigurationIds,
994
- grants,
995
- ...options.additionalPayload
996
- });
997
- if (options.issuerMetadata.originalDraftVersion === "Draft11" /* Draft11 */) {
998
- credentialOfferObject.credentials = credentialOfferObject.credential_configuration_ids;
999
- }
1000
- const url = new import_utils7.URL(credentialOfferScheme);
1001
- url.search = `?${new import_utils7.URLSearchParams([
1002
- ...url.searchParams.entries(),
1003
- ...(0, import_utils7.objectToQueryParams)({
1004
- credential_offer_uri: options.credentialOfferUri,
1005
- // Only add credential_offer is uri is undefined
1006
- credential_offer: options.credentialOfferUri ? void 0 : credentialOfferObject
1007
- }).entries()
1008
- ]).toString()}`;
1009
- return {
1010
- credentialOffer: url.toString(),
1011
- credentialOfferObject
1012
- };
1013
- }
1014
-
1015
1076
  // src/credential-request/format-payload.ts
1016
- var import_utils8 = require("@openid4vc/utils");
1077
+ var import_utils9 = require("@openid4vc/utils");
1017
1078
  function getCredentialRequestFormatPayloadForCredentialConfigurationId(options) {
1018
1079
  const credentialConfiguration = getCredentialConfigurationSupportedById(
1019
1080
  options.issuerMetadata.credentialIssuer.credential_configurations_supported,
1020
1081
  options.credentialConfigurationId
1021
1082
  );
1022
- if ((0, import_utils8.zIs)(zSdJwtVcCredentialIssuerMetadataDraft14, credentialConfiguration)) {
1083
+ if ((0, import_utils9.zIs)(zSdJwtVcCredentialIssuerMetadataDraft14, credentialConfiguration)) {
1023
1084
  return {
1024
1085
  format: credentialConfiguration.format,
1025
1086
  vct: credentialConfiguration.vct
1026
1087
  };
1027
1088
  }
1028
- if ((0, import_utils8.zIs)(zMsoMdocCredentialIssuerMetadata, credentialConfiguration) || (0, import_utils8.zIs)(zMsoMdocCredentialIssuerMetadataDraft14, credentialConfiguration)) {
1089
+ if ((0, import_utils9.zIs)(zMsoMdocCredentialIssuerMetadata, credentialConfiguration) || (0, import_utils9.zIs)(zMsoMdocCredentialIssuerMetadataDraft14, credentialConfiguration)) {
1029
1090
  return {
1030
1091
  format: credentialConfiguration.format,
1031
1092
  doctype: credentialConfiguration.doctype
1032
1093
  };
1033
1094
  }
1034
- if ((0, import_utils8.zIs)(zLdpVcCredentialIssuerMetadata, credentialConfiguration) || (0, import_utils8.zIs)(zLdpVcCredentialIssuerMetadataDraft14, credentialConfiguration)) {
1095
+ if ((0, import_utils9.zIs)(zLdpVcCredentialIssuerMetadata, credentialConfiguration) || (0, import_utils9.zIs)(zLdpVcCredentialIssuerMetadataDraft14, credentialConfiguration)) {
1035
1096
  return {
1036
1097
  format: credentialConfiguration.format,
1037
1098
  credential_definition: {
@@ -1040,7 +1101,7 @@ function getCredentialRequestFormatPayloadForCredentialConfigurationId(options)
1040
1101
  }
1041
1102
  };
1042
1103
  }
1043
- if ((0, import_utils8.zIs)(zJwtVcJsonLdCredentialIssuerMetadata, credentialConfiguration) || (0, import_utils8.zIs)(zJwtVcJsonLdCredentialIssuerMetadataDraft14, credentialConfiguration)) {
1104
+ if ((0, import_utils9.zIs)(zJwtVcJsonLdCredentialIssuerMetadata, credentialConfiguration) || (0, import_utils9.zIs)(zJwtVcJsonLdCredentialIssuerMetadataDraft14, credentialConfiguration)) {
1044
1105
  return {
1045
1106
  format: credentialConfiguration.format,
1046
1107
  credential_definition: {
@@ -1049,7 +1110,7 @@ function getCredentialRequestFormatPayloadForCredentialConfigurationId(options)
1049
1110
  }
1050
1111
  };
1051
1112
  }
1052
- if ((0, import_utils8.zIs)(zJwtVcJsonCredentialIssuerMetadata, credentialConfiguration) || (0, import_utils8.zIs)(zJwtVcJsonCredentialIssuerMetadataDraft14, credentialConfiguration)) {
1113
+ if ((0, import_utils9.zIs)(zJwtVcJsonCredentialIssuerMetadata, credentialConfiguration) || (0, import_utils9.zIs)(zJwtVcJsonCredentialIssuerMetadataDraft14, credentialConfiguration)) {
1053
1114
  return {
1054
1115
  format: credentialConfiguration.format,
1055
1116
  credential_definition: {
@@ -1057,7 +1118,7 @@ function getCredentialRequestFormatPayloadForCredentialConfigurationId(options)
1057
1118
  }
1058
1119
  };
1059
1120
  }
1060
- if ((0, import_utils8.zIs)(zSdJwtDcCredentialIssuerMetadata, credentialConfiguration)) {
1121
+ if ((0, import_utils9.zIs)(zSdJwtDcCredentialIssuerMetadata, credentialConfiguration)) {
1061
1122
  throw new Openid4vciError(
1062
1123
  `Credential configuration id '${options.credentialConfigurationId}' with format ${zSdJwtVcFormatIdentifier.value} does not support credential request based on 'format'. Use 'credential_configuration_id' directly.`
1063
1124
  );
@@ -1068,29 +1129,29 @@ function getCredentialRequestFormatPayloadForCredentialConfigurationId(options)
1068
1129
  }
1069
1130
 
1070
1131
  // src/credential-request/retrieve-credentials.ts
1071
- var import_oauth210 = require("@openid4vc/oauth2");
1072
- var import_utils10 = require("@openid4vc/utils");
1132
+ var import_oauth212 = require("@openid4vc/oauth2");
1133
+ var import_utils11 = require("@openid4vc/utils");
1073
1134
 
1074
1135
  // src/credential-request/z-credential-request.ts
1075
1136
  var import_zod16 = __toESM(require("zod"));
1076
1137
 
1077
1138
  // src/credential-request/z-credential-request-common.ts
1078
- var import_oauth29 = require("@openid4vc/oauth2");
1139
+ var import_oauth211 = require("@openid4vc/oauth2");
1079
1140
  var import_zod15 = __toESM(require("zod"));
1080
1141
 
1081
1142
  // src/formats/proof-type/jwt/z-jwt-proof-type.ts
1082
- var import_oauth27 = require("@openid4vc/oauth2");
1083
- var import_utils9 = require("@openid4vc/utils");
1143
+ var import_oauth29 = require("@openid4vc/oauth2");
1144
+ var import_utils10 = require("@openid4vc/utils");
1084
1145
  var import_zod13 = __toESM(require("zod"));
1085
1146
  var zJwtProofTypeIdentifier = import_zod13.default.literal("jwt");
1086
1147
  var jwtProofTypeIdentifier = zJwtProofTypeIdentifier.value;
1087
1148
  var zCredentialRequestProofJwt = import_zod13.default.object({
1088
1149
  proof_type: zJwtProofTypeIdentifier,
1089
- jwt: import_oauth27.zCompactJwt
1150
+ jwt: import_oauth29.zCompactJwt
1090
1151
  });
1091
- var zCredentialRequestJwtProofTypeHeader = import_oauth27.zJwtHeader.merge(
1152
+ var zCredentialRequestJwtProofTypeHeader = import_oauth29.zJwtHeader.merge(
1092
1153
  import_zod13.default.object({
1093
- key_attestation: import_zod13.default.optional(import_oauth27.zCompactJwt),
1154
+ key_attestation: import_zod13.default.optional(import_oauth29.zCompactJwt),
1094
1155
  typ: import_zod13.default.literal("openid4vci-proof+jwt")
1095
1156
  })
1096
1157
  ).passthrough().refine(({ kid, jwk }) => jwk === void 0 || kid === void 0, {
@@ -1099,19 +1160,19 @@ var zCredentialRequestJwtProofTypeHeader = import_oauth27.zJwtHeader.merge(
1099
1160
  message: `When 'trust_chain' is provided, 'kid' is required`
1100
1161
  });
1101
1162
  var zCredentialRequestJwtProofTypePayload = import_zod13.default.object({
1102
- ...import_oauth27.zJwtPayload.shape,
1103
- aud: import_utils9.zHttpsUrl,
1104
- iat: import_utils9.zInteger
1163
+ ...import_oauth29.zJwtPayload.shape,
1164
+ aud: import_utils10.zHttpsUrl,
1165
+ iat: import_utils10.zInteger
1105
1166
  }).passthrough();
1106
1167
 
1107
1168
  // src/formats/proof-type/attestation/z-attestation-proof-type.ts
1108
- var import_oauth28 = require("@openid4vc/oauth2");
1169
+ var import_oauth210 = require("@openid4vc/oauth2");
1109
1170
  var import_zod14 = __toESM(require("zod"));
1110
1171
  var zAttestationProofTypeIdentifier = import_zod14.default.literal("attestation");
1111
1172
  var attestationProofTypeIdentifier = zAttestationProofTypeIdentifier.value;
1112
1173
  var zCredentialRequestProofAttestation = import_zod14.default.object({
1113
1174
  proof_type: zAttestationProofTypeIdentifier,
1114
- attestation: import_oauth28.zCompactJwt
1175
+ attestation: import_oauth210.zCompactJwt
1115
1176
  });
1116
1177
  var zCredentialRequestAttestationProofTypePayload = zKeyAttestationJwtPayloadForUse("proof_type.attestation");
1117
1178
 
@@ -1137,7 +1198,7 @@ var zCredentialRequestCommon = import_zod15.default.object({
1137
1198
  })
1138
1199
  ),
1139
1200
  credential_response_encryption: import_zod15.default.object({
1140
- jwk: import_oauth29.zJwk,
1201
+ jwk: import_oauth211.zJwk,
1141
1202
  alg: import_zod15.default.string(),
1142
1203
  enc: import_zod15.default.string()
1143
1204
  }).passthrough().optional()
@@ -1351,7 +1412,7 @@ async function retrieveCredentialsWithFormat(options) {
1351
1412
  }
1352
1413
  async function retrieveCredentials(options) {
1353
1414
  const credentialEndpoint = options.issuerMetadata.credentialIssuer.credential_endpoint;
1354
- let credentialRequest = (0, import_utils10.parseWithErrorHandling)(
1415
+ let credentialRequest = (0, import_utils11.parseWithErrorHandling)(
1355
1416
  zCredentialRequest,
1356
1417
  options.credentialRequest,
1357
1418
  "Error validating credential request"
@@ -1359,25 +1420,25 @@ async function retrieveCredentials(options) {
1359
1420
  if (credentialRequest.proofs) {
1360
1421
  const { batch_credential_issuance } = options.issuerMetadata.credentialIssuer;
1361
1422
  if (!batch_credential_issuance) {
1362
- throw new import_oauth210.Oauth2Error(
1423
+ throw new import_oauth212.Oauth2Error(
1363
1424
  `Credential issuer '${options.issuerMetadata.credentialIssuer.credential_issuer}' does not support batch credential issuance using the 'proofs' request property. Only 'proof' is supported.`
1364
1425
  );
1365
1426
  }
1366
1427
  const proofs = Object.values(credentialRequest.proofs)[0];
1367
1428
  if (proofs.length > batch_credential_issuance.batch_size) {
1368
- throw new import_oauth210.Oauth2Error(
1429
+ throw new import_oauth212.Oauth2Error(
1369
1430
  `Credential issuer '${options.issuerMetadata.credentialIssuer.credential_issuer}' supports batch issuance, but the max batch size is '${batch_credential_issuance.batch_size}'. A total of '${proofs.length}' proofs were provided.`
1370
1431
  );
1371
1432
  }
1372
1433
  }
1373
1434
  if (options.issuerMetadata.originalDraftVersion === "Draft11" /* Draft11 */) {
1374
- credentialRequest = (0, import_utils10.parseWithErrorHandling)(
1435
+ credentialRequest = (0, import_utils11.parseWithErrorHandling)(
1375
1436
  zCredentialRequestDraft14To11,
1376
1437
  credentialRequest,
1377
1438
  `Error transforming credential request from ${"Draft14" /* Draft14 */} to ${"Draft11" /* Draft11 */}`
1378
1439
  );
1379
1440
  }
1380
- const resourceResponse = await (0, import_oauth210.resourceRequest)({
1441
+ const resourceResponse = await (0, import_oauth212.resourceRequest)({
1381
1442
  dpop: options.dpop,
1382
1443
  accessToken: options.accessToken,
1383
1444
  callbacks: options.callbacks,
@@ -1385,19 +1446,19 @@ async function retrieveCredentials(options) {
1385
1446
  requestOptions: {
1386
1447
  method: "POST",
1387
1448
  headers: {
1388
- "Content-Type": import_utils10.ContentType.Json
1449
+ "Content-Type": import_utils11.ContentType.Json
1389
1450
  },
1390
1451
  body: JSON.stringify(credentialRequest)
1391
1452
  }
1392
1453
  });
1393
1454
  if (!resourceResponse.ok) {
1394
- const credentialErrorResponseResult = (0, import_utils10.isResponseContentType)(import_utils10.ContentType.Json, resourceResponse.response) ? zCredentialErrorResponse.safeParse(await resourceResponse.response.clone().json()) : void 0;
1455
+ const credentialErrorResponseResult = (0, import_utils11.isResponseContentType)(import_utils11.ContentType.Json, resourceResponse.response) ? zCredentialErrorResponse.safeParse(await resourceResponse.response.clone().json()) : void 0;
1395
1456
  return {
1396
1457
  ...resourceResponse,
1397
1458
  credentialErrorResponseResult
1398
1459
  };
1399
1460
  }
1400
- const credentialResponseResult = (0, import_utils10.isResponseContentType)(import_utils10.ContentType.Json, resourceResponse.response) ? zCredentialResponse.safeParse(await resourceResponse.response.clone().json()) : void 0;
1461
+ const credentialResponseResult = (0, import_utils11.isResponseContentType)(import_utils11.ContentType.Json, resourceResponse.response) ? zCredentialResponse.safeParse(await resourceResponse.response.clone().json()) : void 0;
1401
1462
  if (!credentialResponseResult?.success) {
1402
1463
  return {
1403
1464
  ...resourceResponse,
@@ -1415,57 +1476,6 @@ async function retrieveCredentials(options) {
1415
1476
  var import_oauth213 = require("@openid4vc/oauth2");
1416
1477
  var import_oauth214 = require("@openid4vc/oauth2");
1417
1478
  var import_utils12 = require("@openid4vc/utils");
1418
-
1419
- // src/key-attestation/key-attestation.ts
1420
- var import_oauth211 = require("@openid4vc/oauth2");
1421
- var import_oauth212 = require("@openid4vc/oauth2");
1422
- var import_utils11 = require("@openid4vc/utils");
1423
- async function createKeyAttestationJwt(options) {
1424
- const header = (0, import_utils11.parseWithErrorHandling)(zKeyAttestationJwtHeader, {
1425
- ...(0, import_oauth211.jwtHeaderFromJwtSigner)(options.signer),
1426
- typ: "keyattestation+jwt"
1427
- });
1428
- const payload = (0, import_utils11.parseWithErrorHandling)(zKeyAttestationJwtPayloadForUse(options.use), {
1429
- iat: (0, import_utils11.dateToSeconds)(options.issuedAt),
1430
- exp: options.expiresAt ? (0, import_utils11.dateToSeconds)(options.expiresAt) : void 0,
1431
- nonce: options.nonce,
1432
- attested_keys: options.attestedKeys,
1433
- user_authentication: options.userAuthentication,
1434
- key_storage: options.keyStorage,
1435
- certification: options.certification,
1436
- ...options.additionalPayload
1437
- });
1438
- const { jwt } = await options.callbacks.signJwt(options.signer, { header, payload });
1439
- return jwt;
1440
- }
1441
- async function verifyKeyAttestationJwt(options) {
1442
- const { header, payload } = (0, import_oauth211.decodeJwt)({
1443
- jwt: options.keyAttestationJwt,
1444
- headerSchema: zKeyAttestationJwtHeader,
1445
- payloadSchema: zKeyAttestationJwtPayloadForUse(options.use)
1446
- });
1447
- const now = options.now?.getTime() ?? Date.now();
1448
- if (options.nonceExpiresAt && now > options.nonceExpiresAt.getTime()) {
1449
- throw new Openid4vciError("Nonce used for key attestation jwt expired");
1450
- }
1451
- const { signer } = await (0, import_oauth212.verifyJwt)({
1452
- compact: options.keyAttestationJwt,
1453
- header,
1454
- payload,
1455
- signer: (0, import_oauth212.jwtSignerFromJwt)({ header, payload }),
1456
- verifyJwtCallback: options.callbacks.verifyJwt,
1457
- errorMessage: "Error verifiying key attestation jwt",
1458
- expectedNonce: options.expectedNonce,
1459
- now: options.now
1460
- });
1461
- return {
1462
- header,
1463
- payload,
1464
- signer
1465
- };
1466
- }
1467
-
1468
- // src/formats/proof-type/jwt/jwt-proof-type.ts
1469
1479
  async function createCredentialRequestJwtProof(options) {
1470
1480
  const header = (0, import_utils12.parseWithErrorHandling)(zCredentialRequestJwtProofTypeHeader, {
1471
1481
  ...(0, import_oauth213.jwtHeaderFromJwtSigner)(options.signer),
@@ -2329,10 +2339,14 @@ var Openid4vciWalletProvider = class {
2329
2339
  Openid4vciRetrieveCredentialsError,
2330
2340
  Openid4vciSendNotificationError,
2331
2341
  Openid4vciWalletProvider,
2342
+ createKeyAttestationJwt,
2332
2343
  credentialsSupportedToCredentialConfigurationsSupported,
2344
+ determineAuthorizationServerForCredentialOffer,
2333
2345
  extractScopesForCredentialConfigurationIds,
2334
2346
  getCredentialConfigurationsMatchingRequestFormat,
2335
2347
  getGlobalConfig,
2336
- setGlobalConfig
2348
+ parseKeyAttestationJwt,
2349
+ setGlobalConfig,
2350
+ verifyKeyAttestationJwt
2337
2351
  });
2338
2352
  //# sourceMappingURL=index.js.map