npm - @openid4vc/openid4vci - Versions diffs - 0.3.0-alpha-20251021081452 → 0.3.0-alpha-20251021082313 - Mend

@openid4vc/openid4vci 0.3.0-alpha-20251021081452 → 0.3.0-alpha-20251021082313

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/index.mjs CHANGED Viewed

@@ -733,20 +733,76 @@ const zCredentialIssuerMetadataWithDraftVersion = z.union([zCredentialIssuerMeta
 	originalDraftVersion: Openid4vciDraftVersion.Draft11
 }))]);
+//#endregion
+//#region src/metadata/credential-issuer/z-signed-credential-issuer-metadata.ts
+const zSignedCredentialIssuerMetadataHeader = z.object({
+	...zJwtHeader.shape,
+	typ: z.literal("openidvci-issuer-metadata+jwt")
+}).loose();
+const zSignedCredentialIssuerMetadataPayload = z.object({
+	...zJwtPayload.shape,
+	iat: zInteger,
+	sub: z.string(),
+	...zCredentialIssuerMetadataDraft14Draft15V1.shape
+}).loose();
 //#endregion
 //#region src/metadata/credential-issuer/credential-issuer-metadata.ts
 const wellKnownCredentialIssuerSuffix = ".well-known/openid-credential-issuer";
 /**
 * @inheritdoc {@link fetchWellKnownMetadata}
 */
-async function fetchCredentialIssuerMetadata(credentialIssuer, fetch) {
+async function fetchCredentialIssuerMetadata(credentialIssuer, options) {
 	const parsedIssuerUrl = new URL(credentialIssuer);
 	const legacyWellKnownMetadataUrl = joinUriParts(credentialIssuer, [wellKnownCredentialIssuerSuffix]);
 	const wellKnownMetadataUrl = joinUriParts(parsedIssuerUrl.origin, [wellKnownCredentialIssuerSuffix, parsedIssuerUrl.pathname]);
-	let result = await fetchWellKnownMetadata(wellKnownMetadataUrl, zCredentialIssuerMetadataWithDraftVersion, fetch);
-	if (!result && legacyWellKnownMetadataUrl !== wellKnownMetadataUrl) result = await fetchWellKnownMetadata(legacyWellKnownMetadataUrl, zCredentialIssuerMetadataWithDraftVersion, fetch);
-	if (result && result.credentialIssuerMetadata.credential_issuer !== credentialIssuer) throw new Oauth2Error(`The 'credential_issuer' parameter '${result.credentialIssuerMetadata.credential_issuer}' in the well known credential issuer metadata at '${wellKnownMetadataUrl}' does not match the provided credential issuer '${credentialIssuer}'.`);
-	return result;
+	const acceptedContentType = options?.callbacks?.verifyJwt ? [ContentType.Jwt, ContentType.Json] : [ContentType.Json];
+	const responseSchema = zCredentialIssuerMetadataWithDraftVersion.or(zCompactJwt);
+	let result = await fetchWellKnownMetadata(wellKnownMetadataUrl, responseSchema, {
+		fetch: options?.callbacks?.fetch,
+		acceptedContentType
+	});
+	if (!result && legacyWellKnownMetadataUrl !== wellKnownMetadataUrl) result = await fetchWellKnownMetadata(legacyWellKnownMetadataUrl, responseSchema, {
+		fetch: options?.callbacks?.fetch,
+		acceptedContentType
+	});
+	let issuerMetadataWithVersion = null;
+	if (typeof result === "string") {
+		if (!options?.callbacks?.verifyJwt) throw new Oauth2Error(`Unable to verify signed credential issuer metadata, no 'verifyJwt' callback provided to fetch credential issuer metadata method.`);
+		const { header, payload, signature } = decodeJwt({
+			jwt: result,
+			headerSchema: zSignedCredentialIssuerMetadataHeader,
+			payloadSchema: zSignedCredentialIssuerMetadataPayload
+		});
+		if (payload.sub !== credentialIssuer) throw new Oauth2Error(`The 'sub' parameter '${payload.sub}' in the signed well known credential issuer metadata at '${wellKnownMetadataUrl}' does not match the provided credential issuer '${credentialIssuer}'.`);
+		const signer = jwtSignerFromJwt({
+			header,
+			payload
+		});
+		const verifyResult = await verifyJwt({
+			compact: result,
+			header,
+			payload,
+			verifyJwtCallback: options.callbacks.verifyJwt,
+			now: options.now,
+			signer,
+			errorMessage: "signed credential issuer metadata jwt verification failed"
+		});
+		issuerMetadataWithVersion = {
+			...parseWithErrorHandling(zCredentialIssuerMetadataWithDraftVersion, payload, "Unable to determine version for signed issuer metadata"),
+			signed: {
+				signer: verifyResult.signer,
+				jwt: {
+					header,
+					payload,
+					signature,
+					compact: result
+				}
+			}
+		};
+	} else if (result) issuerMetadataWithVersion = result;
+	if (issuerMetadataWithVersion && issuerMetadataWithVersion.credentialIssuerMetadata.credential_issuer !== credentialIssuer) throw new Oauth2Error(`The 'credential_issuer' parameter '${issuerMetadataWithVersion.credentialIssuerMetadata.credential_issuer}' in the well known credential issuer metadata at '${wellKnownMetadataUrl}' does not match the provided credential issuer '${credentialIssuer}'.`);
+	return issuerMetadataWithVersion;
 }
 /**
 * Extract credential configuration supported entries where the `format` is known to this
@@ -1371,14 +1427,17 @@ async function verifyCredentialRequestJwtProof(options) {
 //#region src/metadata/fetch-issuer-metadata.ts
 async function resolveIssuerMetadata(credentialIssuer, options) {
 	const allowAuthorizationMetadataFromCredentialIssuerMetadata = options?.allowAuthorizationMetadataFromCredentialIssuerMetadata ?? true;
-	const credentialIssuerMetadataWithDraftVersion = await fetchCredentialIssuerMetadata(credentialIssuer, options?.fetch);
+	const credentialIssuerMetadataWithDraftVersion = await fetchCredentialIssuerMetadata(credentialIssuer, {
+		callbacks: options?.callbacks,
+		now: options?.now
+	});
 	if (!credentialIssuerMetadataWithDraftVersion) throw new Oauth2Error(`Well known credential issuer metadata for issuer '${credentialIssuer}' not found.`);
-	const { credentialIssuerMetadata, originalDraftVersion } = credentialIssuerMetadataWithDraftVersion;
+	const { credentialIssuerMetadata, originalDraftVersion, signed } = credentialIssuerMetadataWithDraftVersion;
 	const authorizationServers = credentialIssuerMetadata.authorization_servers ?? [credentialIssuer];
 	const authoriationServersMetadata = [];
 	for (const authorizationServer of authorizationServers) {
 		if (options?.restrictToAuthorizationServers && !options.restrictToAuthorizationServers.includes(authorizationServer)) continue;
-		let authorizationServerMetadata = await fetchAuthorizationServerMetadata(authorizationServer, options?.fetch);
+		let authorizationServerMetadata = await fetchAuthorizationServerMetadata(authorizationServer, options?.callbacks.fetch);
 		if (!authorizationServerMetadata && authorizationServer === credentialIssuer && allowAuthorizationMetadataFromCredentialIssuerMetadata) authorizationServerMetadata = parseWithErrorHandling(zAuthorizationServerMetadata, {
 			token_endpoint: credentialIssuerMetadata.token_endpoint,
 			issuer: credentialIssuer
@@ -1389,6 +1448,7 @@ async function resolveIssuerMetadata(credentialIssuer, options) {
 	return {
 		originalDraftVersion,
 		credentialIssuer: credentialIssuerMetadata,
+		signedCredentialIssuer: signed,
 		authorizationServers: authoriationServersMetadata
 	};
 }
@@ -1494,7 +1554,7 @@ var Openid4vciClient = class {
 		return resolveCredentialOffer(credentialOffer, { fetch: this.options.callbacks.fetch });
 	}
 	async resolveIssuerMetadata(credentialIssuer) {
-		return resolveIssuerMetadata(credentialIssuer, { fetch: this.options.callbacks.fetch });
+		return resolveIssuerMetadata(credentialIssuer, { callbacks: this.options.callbacks });
 	}
 	/**
 	* Retrieve an authorization code for a presentation during issuance session
@@ -1829,6 +1889,28 @@ async function verifyCredentialRequestAttestationProof(options) {
 	});
 }
+//#endregion
+//#region src/metadata/credential-issuer/signed-credential-issuer-metadata.ts
+async function createSignedCredentialIssuerMetadataJwt(options) {
+	const header = parseWithErrorHandling(zSignedCredentialIssuerMetadataHeader, {
+		...jwtHeaderFromJwtSigner(options.signer),
+		typ: "openidvci-issuer-metadata+jwt"
+	});
+	const payload = parseWithErrorHandling(zSignedCredentialIssuerMetadataPayload, {
+		...options.credentialIssuerMetadata,
+		sub: options.credentialIssuerMetadata.credential_issuer,
+		iat: dateToSeconds(options.issuedAt),
+		exp: options.expiresAt ? dateToSeconds(options.expiresAt) : void 0,
+		iss: options.issuer,
+		...options.additionalPayload
+	});
+	const { jwt } = await options.callbacks.signJwt(options.signer, {
+		header,
+		payload
+	});
+	return jwt;
+}
 //#endregion
 //#region src/Openid4vciIssuer.ts
 var Openid4vciIssuer = class {
@@ -1847,6 +1929,15 @@ var Openid4vciIssuer = class {
 	createCredentialIssuerMetadata(credentialIssuerMetadata) {
 		return parseWithErrorHandling(zCredentialIssuerMetadata, credentialIssuerMetadata, "Error validating credential issuer metadata");
 	}
+	/**
+	* Validates credential issuer metadata structure is correct and creates signed credential issuer metadata JWT
+	*/
+	createSignedCredentialIssuerMetadataJwt(options) {
+		return createSignedCredentialIssuerMetadataJwt({
+			callbacks: this.options.callbacks,
+			...options
+		});
+	}
 	async createCredentialOffer(options) {
 		return createCredentialOffer({
 			callbacks: this.options.callbacks,