@openid4vc/openid4vp 0.3.0-alpha-20250713113151 → 0.3.0-alpha-20250714090135

package/dist/index.d.mts

@@ -2,6 +2,7 @@ import * as zod from 'zod';
 import zod__default, { z } from 'zod';
 import * as _openid4vc_oauth2 from '@openid4vc/oauth2';
 import { Jwk, JwtSignerWithJwk, decodeJwt, CallbackContext, JwtPayload, JwtSigner, JweEncryptor, HashAlgorithm, JwkSet } from '@openid4vc/oauth2';
+import { NonEmptyArray } from '@openid4vc/utils';
 
 declare const zOpenid4vpAuthorizationRequest: z.ZodObject<{
     response_type: z.ZodLiteral<"vp_token">;
@@ -21697,15 +21698,15 @@ type PexPresentationSubmission = z.infer<typeof zPexPresentationSubmission>;
 declare const zTransactionEntry: z.ZodObject<{
     type: z.ZodString;
     credential_ids: z.ZodArray<z.ZodString, "atleastone">;
-    transaction_data_hashes_alg: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+    transaction_data_hashes_alg: z.ZodOptional<z.ZodArray<z.ZodString, "atleastone">>;
 }, "passthrough", z.ZodTypeAny, z.objectOutputType<{
     type: z.ZodString;
     credential_ids: z.ZodArray<z.ZodString, "atleastone">;
-    transaction_data_hashes_alg: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+    transaction_data_hashes_alg: z.ZodOptional<z.ZodArray<z.ZodString, "atleastone">>;
 }, z.ZodTypeAny, "passthrough">, z.objectInputType<{
     type: z.ZodString;
     credential_ids: z.ZodArray<z.ZodString, "atleastone">;
-    transaction_data_hashes_alg: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+    transaction_data_hashes_alg: z.ZodOptional<z.ZodArray<z.ZodString, "atleastone">>;
 }, z.ZodTypeAny, "passthrough">>;
 type TransactionDataEntry = z.infer<typeof zTransactionEntry>;
 
@@ -21904,11 +21905,11 @@ declare function validateOpenid4vpAuthorizationResponsePayload(options: Validate
 interface TransactionDataHashesCredentials {
     /**
      * credentialId is the pex input descriptor id
-     * or dcql credential query id
+     * or dcql credential query id.
      *
      * The values must be an array of transaction data hashes
      */
-    [credentialId: string]: {
+    [credentialId: string]: NonEmptyArray<{
         /**
          * The hashes of the transaction data
          */
@@ -21919,7 +21920,7 @@ interface TransactionDataHashesCredentials {
          * is used.
          */
         transaction_data_hashes_alg?: string;
-    } | undefined;
+    }> | undefined;
 }
 interface VerifyTransactionDataOptions {
     transactionData: string[];
@@ -21929,9 +21930,12 @@ interface VerifyTransactionDataOptions {
 interface VerifiedTransactionDataEntry {
     transactionDataEntry: ParsedTransactionDataEntry;
     credentialId: string;
-    hash: string;
-    hashAlg: HashAlgorithm;
-    credentialHashIndex: number;
+    presentations: NonEmptyArray<{
+        presentationIndex: number;
+        hash: string;
+        hashAlg: HashAlgorithm;
+        credentialHashIndex: number;
+    }>;
 }
 
 declare function parsePexVpToken(vpToken: unknown): [VpTokenPresentationEntry, ...VpTokenPresentationEntry[]];
@@ -31238,6 +31242,14 @@ declare class Openid4vpVerifier {
     parsePexVpToken(vpToken: unknown): [string | Record<string, any>, ...(string | Record<string, any>)[]];
     parseDcqlVpToken(vpToken: unknown): Record<string, [string | Record<string, any>, ...(string | Record<string, any>)[]]>;
     parseTransactionData(options: ParseTransactionDataOptions): ParsedTransactionDataEntry[];
+    /**
+     * Verify transaction data against submitted credentials.
+     *
+     * NOTE: this expects transaction data based authorization based on hashes. This is the method defined
+     * for SD-JWT VC, but for mDOCs it's much more generic. If you're using transaction data with mDOCs based
+     * on hashes, you can extract the values from the DeviceResponse, otherwise you must verify the transaction data
+     * manually.
+     */
     verifyTransactionData(options: Omit<VerifyTransactionDataOptions, 'callbacks'>): Promise<VerifiedTransactionDataEntry[]>;
 }
 

package/dist/index.d.ts

@@ -2,6 +2,7 @@ import * as zod from 'zod';
 import zod__default, { z } from 'zod';
 import * as _openid4vc_oauth2 from '@openid4vc/oauth2';
 import { Jwk, JwtSignerWithJwk, decodeJwt, CallbackContext, JwtPayload, JwtSigner, JweEncryptor, HashAlgorithm, JwkSet } from '@openid4vc/oauth2';
+import { NonEmptyArray } from '@openid4vc/utils';
 
 declare const zOpenid4vpAuthorizationRequest: z.ZodObject<{
     response_type: z.ZodLiteral<"vp_token">;
@@ -21697,15 +21698,15 @@ type PexPresentationSubmission = z.infer<typeof zPexPresentationSubmission>;
 declare const zTransactionEntry: z.ZodObject<{
     type: z.ZodString;
     credential_ids: z.ZodArray<z.ZodString, "atleastone">;
-    transaction_data_hashes_alg: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+    transaction_data_hashes_alg: z.ZodOptional<z.ZodArray<z.ZodString, "atleastone">>;
 }, "passthrough", z.ZodTypeAny, z.objectOutputType<{
     type: z.ZodString;
     credential_ids: z.ZodArray<z.ZodString, "atleastone">;
-    transaction_data_hashes_alg: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+    transaction_data_hashes_alg: z.ZodOptional<z.ZodArray<z.ZodString, "atleastone">>;
 }, z.ZodTypeAny, "passthrough">, z.objectInputType<{
     type: z.ZodString;
     credential_ids: z.ZodArray<z.ZodString, "atleastone">;
-    transaction_data_hashes_alg: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+    transaction_data_hashes_alg: z.ZodOptional<z.ZodArray<z.ZodString, "atleastone">>;
 }, z.ZodTypeAny, "passthrough">>;
 type TransactionDataEntry = z.infer<typeof zTransactionEntry>;
 
@@ -21904,11 +21905,11 @@ declare function validateOpenid4vpAuthorizationResponsePayload(options: Validate
 interface TransactionDataHashesCredentials {
     /**
      * credentialId is the pex input descriptor id
-     * or dcql credential query id
+     * or dcql credential query id.
      *
      * The values must be an array of transaction data hashes
      */
-    [credentialId: string]: {
+    [credentialId: string]: NonEmptyArray<{
         /**
          * The hashes of the transaction data
          */
@@ -21919,7 +21920,7 @@ interface TransactionDataHashesCredentials {
          * is used.
          */
         transaction_data_hashes_alg?: string;
-    } | undefined;
+    }> | undefined;
 }
 interface VerifyTransactionDataOptions {
     transactionData: string[];
@@ -21929,9 +21930,12 @@ interface VerifyTransactionDataOptions {
 interface VerifiedTransactionDataEntry {
     transactionDataEntry: ParsedTransactionDataEntry;
     credentialId: string;
-    hash: string;
-    hashAlg: HashAlgorithm;
-    credentialHashIndex: number;
+    presentations: NonEmptyArray<{
+        presentationIndex: number;
+        hash: string;
+        hashAlg: HashAlgorithm;
+        credentialHashIndex: number;
+    }>;
 }
 
 declare function parsePexVpToken(vpToken: unknown): [VpTokenPresentationEntry, ...VpTokenPresentationEntry[]];
@@ -31238,6 +31242,14 @@ declare class Openid4vpVerifier {
     parsePexVpToken(vpToken: unknown): [string | Record<string, any>, ...(string | Record<string, any>)[]];
     parseDcqlVpToken(vpToken: unknown): Record<string, [string | Record<string, any>, ...(string | Record<string, any>)[]]>;
     parseTransactionData(options: ParseTransactionDataOptions): ParsedTransactionDataEntry[];
+    /**
+     * Verify transaction data against submitted credentials.
+     *
+     * NOTE: this expects transaction data based authorization based on hashes. This is the method defined
+     * for SD-JWT VC, but for mDOCs it's much more generic. If you're using transaction data with mDOCs based
+     * on hashes, you can extract the values from the DeviceResponse, otherwise you must verify the transaction data
+     * manually.
+     */
     verifyTransactionData(options: Omit<VerifyTransactionDataOptions, 'callbacks'>): Promise<VerifiedTransactionDataEntry[]>;
 }
 

package/dist/index.js

@@ -811,10 +811,10 @@ function parseAuthorizationRequestVersion(request) {
   if (request.client_metadata?.vp_formats_supported?.mso_mdoc?.issuer_signed_alg_values || request.client_metadata?.vp_formats_supported?.mso_mdoc?.device_signed_alg_values) {
     requirements.push(["<", 28]);
   }
-  if (request.client_metadata?.vp_formats) {
+  if (request.client_metadata?.vp_formats_supported) {
     requirements.push([">=", 27]);
   }
-  if (request.client_metadata?.vp_formats_supported) {
+  if (request.client_metadata?.vp_formats) {
     requirements.push(["<", 27]);
   }
   if (request.client_id?.startsWith("openid_federation:") || request.client_id?.startsWith("decentralized_identifier:")) {
@@ -1400,7 +1400,8 @@ var import_zod14 = require("zod");
 var zTransactionEntry = import_zod14.z.object({
   type: import_zod14.z.string(),
   credential_ids: import_zod14.z.array(import_zod14.z.string()).nonempty(),
-  transaction_data_hashes_alg: import_zod14.z.array(import_zod14.z.string()).optional()
+  // SD-JWT VC specific
+  transaction_data_hashes_alg: import_zod14.z.array(import_zod14.z.string()).nonempty().optional()
 }).passthrough();
 var zTransactionData = import_zod14.z.array(zTransactionEntry);
 
@@ -2056,32 +2057,44 @@ async function verifyTransactionDataEntry({
     hashes[alg] = (0, import_utils25.encodeToBase64Url)(await callbacks.hash((0, import_utils25.decodeUtf8String)(entry.encoded), alg));
   }
   for (const credentialId of entry.transactionData.credential_ids) {
-    const transactionDataHashesCredential = credentials[credentialId];
-    if (!transactionDataHashesCredential) continue;
-    const alg = transactionDataHashesCredential.transaction_data_hashes_alg ?? "sha-256";
-    const hash = hashes[alg];
-    if (!allowedAlgs.includes(alg)) {
-      throw new import_oauth229.Oauth2ServerErrorResponseError({
-        error: import_oauth229.Oauth2ErrorCodes.InvalidTransactionData,
-        error_description: `Transaction data entry with index ${entry.transactionDataIndex} is hashed using alg '${alg}'. However transaction data only allows alg values ${allowedAlgs.join(", ")}.`
-      });
-    }
-    if (!hash) {
-      throw new import_oauth229.Oauth2ServerErrorResponseError({
-        error: import_oauth229.Oauth2ErrorCodes.InvalidTransactionData,
-        error_description: `Transaction data entry with index ${entry.transactionDataIndex} is hashed using unsupported alg '${alg}'. This library only supports verification of transaction data hashes using alg values ${Object.values(import_oauth229.HashAlgorithm).join(", ")}. Either verify the hashes outside of this library, or limit the allowed alg values to the ones supported by this library.`
-      });
-    }
-    const credentialHashIndex = transactionDataHashesCredential.transaction_data_hashes.indexOf(hash);
-    if (credentialHashIndex !== -1) {
-      return {
-        transactionDataEntry: entry,
-        credentialId,
+    const transactionDataHashesCredentials = credentials[credentialId];
+    if (!transactionDataHashesCredentials) continue;
+    const presentations = [];
+    for (const transactionDataHashesCredential of transactionDataHashesCredentials) {
+      const alg = transactionDataHashesCredential.transaction_data_hashes_alg ?? "sha-256";
+      const hash = hashes[alg];
+      const presentationIndex = transactionDataHashesCredentials.indexOf(transactionDataHashesCredential);
+      if (!allowedAlgs.includes(alg)) {
+        throw new import_oauth229.Oauth2ServerErrorResponseError({
+          error: import_oauth229.Oauth2ErrorCodes.InvalidTransactionData,
+          error_description: `Transaction data entry with index ${entry.transactionDataIndex} for presentation ${credentialId} with index ${presentationIndex} is hashed using alg '${alg}'. However transaction data only allows alg values ${allowedAlgs.join(", ")}.`
+        });
+      }
+      if (!hash) {
+        throw new import_oauth229.Oauth2ServerErrorResponseError({
+          error: import_oauth229.Oauth2ErrorCodes.InvalidTransactionData,
+          error_description: `Transaction data entry with index ${entry.transactionDataIndex} for presentation ${credentialId} with index ${presentationIndex} is hashed using unsupported alg '${alg}'. This library only supports verification of transaction data hashes using alg values ${Object.values(import_oauth229.HashAlgorithm).join(", ")}. Either verify the hashes outside of this library, or limit the allowed alg values to the ones supported by this library.`
+        });
+      }
+      const credentialHashIndex = transactionDataHashesCredential.transaction_data_hashes.indexOf(hash);
+      if (credentialHashIndex === -1) {
+        throw new import_oauth229.Oauth2ServerErrorResponseError({
+          error: import_oauth229.Oauth2ErrorCodes.InvalidTransactionData,
+          error_description: `Transaction data entry with index ${entry.transactionDataIndex} for presentation ${credentialId} with index ${presentationIndex} does not have a matching hash in the transaction_data_hashes`
+        });
+      }
+      presentations.push({
+        credentialHashIndex,
         hash,
         hashAlg: alg,
-        credentialHashIndex
-      };
+        presentationIndex
+      });
     }
+    return {
+      transactionDataEntry: entry,
+      credentialId,
+      presentations
+    };
   }
   throw new import_oauth229.Oauth2ServerErrorResponseError({
     error: import_oauth229.Oauth2ErrorCodes.InvalidTransactionData,
@@ -2115,6 +2128,14 @@ var Openid4vpVerifier = class {
   parseTransactionData(options) {
     return parseTransactionData(options);
   }
+  /**
+   * Verify transaction data against submitted credentials.
+   *
+   * NOTE: this expects transaction data based authorization based on hashes. This is the method defined
+   * for SD-JWT VC, but for mDOCs it's much more generic. If you're using transaction data with mDOCs based
+   * on hashes, you can extract the values from the DeviceResponse, otherwise you must verify the transaction data
+   * manually.
+   */
   verifyTransactionData(options) {
     return verifyTransactionData({
       ...options,