npm - @openid4vc/openid4vp - Versions diffs - 0.3.0-alpha-20250304095426 → 0.3.0-alpha-20250307131618 - Mend

@openid4vc/openid4vp 0.3.0-alpha-20250304095426 → 0.3.0-alpha-20250307131618

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/index.d.mts CHANGED Viewed

@@ -1,7 +1,7 @@
 import * as zod from 'zod';
 import zod__default, { z } from 'zod';
 import * as _openid4vc_oauth2 from '@openid4vc/oauth2';
-import { CallbackContext, JwtSigner, Jwk, JwtSignerWithJwk } from '@openid4vc/oauth2';
+import { CallbackContext, JwtSigner, Jwk, JwtSignerWithJwk, HashAlgorithm } from '@openid4vc/oauth2';
 declare const zClientIdScheme: z.ZodEnum<["pre-registered", "redirect_uri", "https", "verifier_attestation", "did", "x509_san_dns", "x509_san_uri", "web-origin"]>;
 type ClientIdScheme = z.infer<typeof zClientIdScheme>;
@@ -11688,32 +11688,28 @@ type ParsedClientIdentifier = {
 declare const zTransactionEntry: z.ZodObject<{
     type: z.ZodString;
-    credential_ids: z.ZodArray<z.ZodString, "many">;
+    credential_ids: z.ZodArray<z.ZodString, "atleastone">;
     transaction_data_hashes_alg: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
 }, "strip", z.ZodTypeAny, {
     type: string;
-    credential_ids: string[];
+    credential_ids: [string, ...string[]];
     transaction_data_hashes_alg?: string[] | undefined;
 }, {
     type: string;
-    credential_ids: string[];
+    credential_ids: [string, ...string[]];
     transaction_data_hashes_alg?: string[] | undefined;
 }>;
 type TransactionDataEntry = z.infer<typeof zTransactionEntry>;
-declare const zTransactionData: z.ZodArray<z.ZodObject<{
-    type: z.ZodString;
-    credential_ids: z.ZodArray<z.ZodString, "many">;
-    transaction_data_hashes_alg: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
-}, "strip", z.ZodTypeAny, {
-    type: string;
-    credential_ids: string[];
-    transaction_data_hashes_alg?: string[] | undefined;
-}, {
-    type: string;
-    credential_ids: string[];
-    transaction_data_hashes_alg?: string[] | undefined;
-}>, "many">;
-type TransactionData = z.infer<typeof zTransactionData>;
+interface ParseTransactionDataOptions {
+    transactionData: string[];
+}
+interface ParsedTransactionDataEntry {
+    transactionData: TransactionDataEntry;
+    transactionDataIndex: number;
+    encoded: string;
+}
+declare function parseTransactionData(options: ParseTransactionDataOptions): ParsedTransactionDataEntry[];
 interface ResolveOpenid4vpAuthorizationRequestOptions {
     requestPayload: Openid4vpAuthorizationRequest | JarAuthRequest;
@@ -11723,7 +11719,7 @@ interface ResolveOpenid4vpAuthorizationRequestOptions {
     callbacks: Pick<CallbackContext, 'verifyJwt' | 'decryptJwe' | 'getX509CertificateMetadata'>;
 }
 type ResolvedOpenid4vpAuthRequest = {
-    transactionData?: TransactionData;
+    transactionData?: ParsedTransactionDataEntry[];
     requestPayload: Openid4vpAuthorizationRequest | Openid4vpAuthorizationRequestDcApi;
     jar: VerifiedJarRequest | undefined;
     client: ParsedClientIdentifier;
@@ -11871,11 +11867,6 @@ interface ValidateOpenid4vpAuthorizationResponseOptions {
  */
 declare function validateOpenid4vpAuthorizationResponsePayload(options: ValidateOpenid4vpAuthorizationResponseOptions): ValidateOpenid4VpAuthorizationResponseResult;
-interface ParseTransactionDataOptions {
-    transactionData: string[];
-}
-declare function parseTransactionData(options: ParseTransactionDataOptions): TransactionData;
 declare function parsePexVpToken(vpToken: unknown): [VpTokenPexEntry, ...VpTokenPexEntry[]];
 declare function parseDcqlVpToken(vpToken: unknown): VpTokenDcql;
@@ -11925,6 +11916,39 @@ declare class Openid4vpClient {
     }>;
 }
+interface TransactionDataHashesCredentials {
+    /**
+     * credentialId is the pex input descriptor id
+     * or dcql credential query id
+     *
+     * The values must be an array of transaction data hashes
+     */
+    [credentialId: string]: {
+        /**
+         * The hashes of the transaction data
+         */
+        transaction_data_hashes: string[];
+        /**
+         * The transaction data hash alg. If not provided
+         * in the presentation, the default value of sha256
+         * is used.
+         */
+        transaction_data_hashes_alg?: string;
+    } | undefined;
+}
+interface VerifyTransactionDataOptions {
+    transactionData: string[];
+    credentials: TransactionDataHashesCredentials;
+    callbacks: Pick<CallbackContext, 'hash'>;
+}
+interface VerifiedTransactionDataEntry {
+    transactionDataEntry: ParsedTransactionDataEntry;
+    credentialId: string;
+    hash: string;
+    hashAlg: HashAlgorithm;
+    credentialHashIndex: number;
+}
 interface Openid4vpVerifierOptions {
     /**
      * Callbacks required for the openid4vp verifier
@@ -13445,11 +13469,8 @@ declare class Openid4vpVerifier {
     validateOpenid4vpAuthorizationResponsePayload(options: ValidateOpenid4vpAuthorizationResponseOptions): ValidateOpenid4VpAuthorizationResponseResult;
     parsePexVpToken(vpToken: unknown): [string | Record<string, any>, ...(string | Record<string, any>)[]];
     parseDcqlVpToken(vpToken: unknown): Record<string, string | Record<string, any>>;
-    parseTransactionData(options: ParseTransactionDataOptions): {
-        type: string;
-        credential_ids: string[];
-        transaction_data_hashes_alg?: string[] | undefined;
-    }[];
+    parseTransactionData(options: ParseTransactionDataOptions): ParsedTransactionDataEntry[];
+    verifyTransactionData(options: VerifyTransactionDataOptions): Promise<VerifiedTransactionDataEntry[]>;
 }
 declare const jarmResponseMode: readonly ["jwt", "query.jwt", "fragment.jwt", "form_post.jwt", "direct_post.jwt", "dc_api.jwt"];

package/dist/index.d.ts CHANGED Viewed

@@ -1,7 +1,7 @@
 import * as zod from 'zod';
 import zod__default, { z } from 'zod';
 import * as _openid4vc_oauth2 from '@openid4vc/oauth2';
-import { CallbackContext, JwtSigner, Jwk, JwtSignerWithJwk } from '@openid4vc/oauth2';
+import { CallbackContext, JwtSigner, Jwk, JwtSignerWithJwk, HashAlgorithm } from '@openid4vc/oauth2';
 declare const zClientIdScheme: z.ZodEnum<["pre-registered", "redirect_uri", "https", "verifier_attestation", "did", "x509_san_dns", "x509_san_uri", "web-origin"]>;
 type ClientIdScheme = z.infer<typeof zClientIdScheme>;
@@ -11688,32 +11688,28 @@ type ParsedClientIdentifier = {
 declare const zTransactionEntry: z.ZodObject<{
     type: z.ZodString;
-    credential_ids: z.ZodArray<z.ZodString, "many">;
+    credential_ids: z.ZodArray<z.ZodString, "atleastone">;
     transaction_data_hashes_alg: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
 }, "strip", z.ZodTypeAny, {
     type: string;
-    credential_ids: string[];
+    credential_ids: [string, ...string[]];
     transaction_data_hashes_alg?: string[] | undefined;
 }, {
     type: string;
-    credential_ids: string[];
+    credential_ids: [string, ...string[]];
     transaction_data_hashes_alg?: string[] | undefined;
 }>;
 type TransactionDataEntry = z.infer<typeof zTransactionEntry>;
-declare const zTransactionData: z.ZodArray<z.ZodObject<{
-    type: z.ZodString;
-    credential_ids: z.ZodArray<z.ZodString, "many">;
-    transaction_data_hashes_alg: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
-}, "strip", z.ZodTypeAny, {
-    type: string;
-    credential_ids: string[];
-    transaction_data_hashes_alg?: string[] | undefined;
-}, {
-    type: string;
-    credential_ids: string[];
-    transaction_data_hashes_alg?: string[] | undefined;
-}>, "many">;
-type TransactionData = z.infer<typeof zTransactionData>;
+interface ParseTransactionDataOptions {
+    transactionData: string[];
+}
+interface ParsedTransactionDataEntry {
+    transactionData: TransactionDataEntry;
+    transactionDataIndex: number;
+    encoded: string;
+}
+declare function parseTransactionData(options: ParseTransactionDataOptions): ParsedTransactionDataEntry[];
 interface ResolveOpenid4vpAuthorizationRequestOptions {
     requestPayload: Openid4vpAuthorizationRequest | JarAuthRequest;
@@ -11723,7 +11719,7 @@ interface ResolveOpenid4vpAuthorizationRequestOptions {
     callbacks: Pick<CallbackContext, 'verifyJwt' | 'decryptJwe' | 'getX509CertificateMetadata'>;
 }
 type ResolvedOpenid4vpAuthRequest = {
-    transactionData?: TransactionData;
+    transactionData?: ParsedTransactionDataEntry[];
     requestPayload: Openid4vpAuthorizationRequest | Openid4vpAuthorizationRequestDcApi;
     jar: VerifiedJarRequest | undefined;
     client: ParsedClientIdentifier;
@@ -11871,11 +11867,6 @@ interface ValidateOpenid4vpAuthorizationResponseOptions {
  */
 declare function validateOpenid4vpAuthorizationResponsePayload(options: ValidateOpenid4vpAuthorizationResponseOptions): ValidateOpenid4VpAuthorizationResponseResult;
-interface ParseTransactionDataOptions {
-    transactionData: string[];
-}
-declare function parseTransactionData(options: ParseTransactionDataOptions): TransactionData;
 declare function parsePexVpToken(vpToken: unknown): [VpTokenPexEntry, ...VpTokenPexEntry[]];
 declare function parseDcqlVpToken(vpToken: unknown): VpTokenDcql;
@@ -11925,6 +11916,39 @@ declare class Openid4vpClient {
     }>;
 }
+interface TransactionDataHashesCredentials {
+    /**
+     * credentialId is the pex input descriptor id
+     * or dcql credential query id
+     *
+     * The values must be an array of transaction data hashes
+     */
+    [credentialId: string]: {
+        /**
+         * The hashes of the transaction data
+         */
+        transaction_data_hashes: string[];
+        /**
+         * The transaction data hash alg. If not provided
+         * in the presentation, the default value of sha256
+         * is used.
+         */
+        transaction_data_hashes_alg?: string;
+    } | undefined;
+}
+interface VerifyTransactionDataOptions {
+    transactionData: string[];
+    credentials: TransactionDataHashesCredentials;
+    callbacks: Pick<CallbackContext, 'hash'>;
+}
+interface VerifiedTransactionDataEntry {
+    transactionDataEntry: ParsedTransactionDataEntry;
+    credentialId: string;
+    hash: string;
+    hashAlg: HashAlgorithm;
+    credentialHashIndex: number;
+}
 interface Openid4vpVerifierOptions {
     /**
      * Callbacks required for the openid4vp verifier
@@ -13445,11 +13469,8 @@ declare class Openid4vpVerifier {
     validateOpenid4vpAuthorizationResponsePayload(options: ValidateOpenid4vpAuthorizationResponseOptions): ValidateOpenid4VpAuthorizationResponseResult;
     parsePexVpToken(vpToken: unknown): [string | Record<string, any>, ...(string | Record<string, any>)[]];
     parseDcqlVpToken(vpToken: unknown): Record<string, string | Record<string, any>>;
-    parseTransactionData(options: ParseTransactionDataOptions): {
-        type: string;
-        credential_ids: string[];
-        transaction_data_hashes_alg?: string[] | undefined;
-    }[];
+    parseTransactionData(options: ParseTransactionDataOptions): ParsedTransactionDataEntry[];
+    verifyTransactionData(options: VerifyTransactionDataOptions): Promise<VerifiedTransactionDataEntry[]>;
 }
 declare const jarmResponseMode: readonly ["jwt", "query.jwt", "fragment.jwt", "form_post.jwt", "direct_post.jwt", "dc_api.jwt"];

package/dist/index.js CHANGED Viewed

@@ -1096,7 +1096,7 @@ var import_utils12 = require("@openid4vc/utils");
 var import_zod14 = require("zod");
 var zTransactionEntry = import_zod14.z.object({
   type: import_zod14.z.string(),
-  credential_ids: import_zod14.z.array(import_zod14.z.string()).min(1),
+  credential_ids: import_zod14.z.array(import_zod14.z.string()).nonempty(),
   transaction_data_hashes_alg: import_zod14.z.array(import_zod14.z.string()).optional()
 });
 var zTransactionData = import_zod14.z.array(zTransactionEntry);
@@ -1112,7 +1112,11 @@ function parseTransactionData(options) {
       error_description: "Failed to parse transaction data."
     });
   }
-  return parsedResult.data;
+  return parsedResult.data.map((decoded2, index) => ({
+    transactionData: decoded2,
+    encoded: transactionData[index],
+    transactionDataIndex: index
+  }));
 }
 // src/authorization-request/resolve-authorization-request.ts
@@ -1674,6 +1678,71 @@ var Openid4vpClient = class {
   }
 };
+// src/transaction-data/verify-transaction-data.ts
+var import_oauth228 = require("@openid4vc/oauth2");
+var import_utils21 = require("@openid4vc/utils");
+async function verifyTransactionData(options) {
+  const parsedTransactionData = parseTransactionData({
+    transactionData: options.transactionData
+  });
+  const matchedEntries = [];
+  for (const parsedEntry of parsedTransactionData) {
+    const matchedEntry = await verifyTransactionDataEntry({
+      entry: parsedEntry,
+      callbacks: options.callbacks,
+      credentials: options.credentials
+    });
+    matchedEntries.push(matchedEntry);
+  }
+  return matchedEntries;
+}
+async function verifyTransactionDataEntry({
+  entry,
+  credentials,
+  callbacks
+}) {
+  const allowedAlgs = entry.transactionData.transaction_data_hashes_alg ?? ["sha-256"];
+  const supportedAlgs = allowedAlgs.filter(
+    (alg) => Object.values(import_oauth228.HashAlgorithm).includes(alg)
+  );
+  const hashes = {};
+  for (const alg of supportedAlgs) {
+    hashes[alg] = (0, import_utils21.encodeToBase64Url)(await callbacks.hash((0, import_utils21.decodeUtf8String)(entry.encoded), alg));
+  }
+  for (const credentialId of entry.transactionData.credential_ids) {
+    const transactionDataHashesCredential = credentials[credentialId];
+    if (!transactionDataHashesCredential) continue;
+    const alg = transactionDataHashesCredential.transaction_data_hashes_alg ?? "sha-256";
+    const hash = hashes[alg];
+    if (!allowedAlgs.includes(alg)) {
+      throw new import_oauth228.Oauth2ServerErrorResponseError({
+        error: import_oauth228.Oauth2ErrorCodes.InvalidTransactionData,
+        error_description: `Transaction data entry with index ${entry.transactionDataIndex} is hashed using alg '${alg}'. However transaction data only allows alg values ${allowedAlgs.join(", ")}.`
+      });
+    }
+    if (!hash) {
+      throw new import_oauth228.Oauth2ServerErrorResponseError({
+        error: import_oauth228.Oauth2ErrorCodes.InvalidTransactionData,
+        error_description: `Transaction data entry with index ${entry.transactionDataIndex} is hashed using unsupported alg '${alg}'. This library only supports verification of transaction data hashes using alg values ${Object.values(import_oauth228.HashAlgorithm).join(", ")}. Either verify the hashes outside of this library, or limit the allowed alg values to the ones supported by this library.`
+      });
+    }
+    const credentialHashIndex = transactionDataHashesCredential.transaction_data_hashes.indexOf(hash);
+    if (credentialHashIndex !== -1) {
+      return {
+        transactionDataEntry: entry,
+        credentialId,
+        hash,
+        hashAlg: alg,
+        credentialHashIndex
+      };
+    }
+  }
+  throw new import_oauth228.Oauth2ServerErrorResponseError({
+    error: import_oauth228.Oauth2ErrorCodes.InvalidTransactionData,
+    error_description: `Transaction data entry with index ${entry.transactionDataIndex} does not have a matching hash in any of the submitted credentials`
+  });
+}
 // src/Openid4vpVerifier.ts
 var Openid4vpVerifier = class {
   constructor(options) {
@@ -1700,6 +1769,9 @@ var Openid4vpVerifier = class {
   parseTransactionData(options) {
     return parseTransactionData(options);
   }
+  verifyTransactionData(options) {
+    return verifyTransactionData(options);
+  }
 };
 // src/models/z-credential-formats.ts