@openid4vc/openid4vp 0.3.0-alpha-20250713113151 → 0.3.0-alpha-20250714090135
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/index.d.mts +21 -9
- package/dist/index.d.ts +21 -9
- package/dist/index.js +47 -26
- package/dist/index.js.map +1 -1
- package/dist/index.mjs +47 -26
- package/dist/index.mjs.map +1 -1
- package/package.json +3 -3
package/dist/index.mjs
CHANGED
|
@@ -754,10 +754,10 @@ function parseAuthorizationRequestVersion(request) {
|
|
|
754
754
|
if (request.client_metadata?.vp_formats_supported?.mso_mdoc?.issuer_signed_alg_values || request.client_metadata?.vp_formats_supported?.mso_mdoc?.device_signed_alg_values) {
|
|
755
755
|
requirements.push(["<", 28]);
|
|
756
756
|
}
|
|
757
|
-
if (request.client_metadata?.
|
|
757
|
+
if (request.client_metadata?.vp_formats_supported) {
|
|
758
758
|
requirements.push([">=", 27]);
|
|
759
759
|
}
|
|
760
|
-
if (request.client_metadata?.
|
|
760
|
+
if (request.client_metadata?.vp_formats) {
|
|
761
761
|
requirements.push(["<", 27]);
|
|
762
762
|
}
|
|
763
763
|
if (request.client_id?.startsWith("openid_federation:") || request.client_id?.startsWith("decentralized_identifier:")) {
|
|
@@ -1354,7 +1354,8 @@ import { z as z14 } from "zod";
|
|
|
1354
1354
|
var zTransactionEntry = z14.object({
|
|
1355
1355
|
type: z14.string(),
|
|
1356
1356
|
credential_ids: z14.array(z14.string()).nonempty(),
|
|
1357
|
-
|
|
1357
|
+
// SD-JWT VC specific
|
|
1358
|
+
transaction_data_hashes_alg: z14.array(z14.string()).nonempty().optional()
|
|
1358
1359
|
}).passthrough();
|
|
1359
1360
|
var zTransactionData = z14.array(zTransactionEntry);
|
|
1360
1361
|
|
|
@@ -2022,32 +2023,44 @@ async function verifyTransactionDataEntry({
|
|
|
2022
2023
|
hashes[alg] = encodeToBase64Url3(await callbacks.hash(decodeUtf8String(entry.encoded), alg));
|
|
2023
2024
|
}
|
|
2024
2025
|
for (const credentialId of entry.transactionData.credential_ids) {
|
|
2025
|
-
const
|
|
2026
|
-
if (!
|
|
2027
|
-
const
|
|
2028
|
-
const
|
|
2029
|
-
|
|
2030
|
-
|
|
2031
|
-
|
|
2032
|
-
|
|
2033
|
-
|
|
2034
|
-
|
|
2035
|
-
|
|
2036
|
-
|
|
2037
|
-
|
|
2038
|
-
|
|
2039
|
-
|
|
2040
|
-
|
|
2041
|
-
|
|
2042
|
-
|
|
2043
|
-
|
|
2044
|
-
|
|
2045
|
-
|
|
2026
|
+
const transactionDataHashesCredentials = credentials[credentialId];
|
|
2027
|
+
if (!transactionDataHashesCredentials) continue;
|
|
2028
|
+
const presentations = [];
|
|
2029
|
+
for (const transactionDataHashesCredential of transactionDataHashesCredentials) {
|
|
2030
|
+
const alg = transactionDataHashesCredential.transaction_data_hashes_alg ?? "sha-256";
|
|
2031
|
+
const hash = hashes[alg];
|
|
2032
|
+
const presentationIndex = transactionDataHashesCredentials.indexOf(transactionDataHashesCredential);
|
|
2033
|
+
if (!allowedAlgs.includes(alg)) {
|
|
2034
|
+
throw new Oauth2ServerErrorResponseError13({
|
|
2035
|
+
error: Oauth2ErrorCodes11.InvalidTransactionData,
|
|
2036
|
+
error_description: `Transaction data entry with index ${entry.transactionDataIndex} for presentation ${credentialId} with index ${presentationIndex} is hashed using alg '${alg}'. However transaction data only allows alg values ${allowedAlgs.join(", ")}.`
|
|
2037
|
+
});
|
|
2038
|
+
}
|
|
2039
|
+
if (!hash) {
|
|
2040
|
+
throw new Oauth2ServerErrorResponseError13({
|
|
2041
|
+
error: Oauth2ErrorCodes11.InvalidTransactionData,
|
|
2042
|
+
error_description: `Transaction data entry with index ${entry.transactionDataIndex} for presentation ${credentialId} with index ${presentationIndex} is hashed using unsupported alg '${alg}'. This library only supports verification of transaction data hashes using alg values ${Object.values(HashAlgorithm2).join(", ")}. Either verify the hashes outside of this library, or limit the allowed alg values to the ones supported by this library.`
|
|
2043
|
+
});
|
|
2044
|
+
}
|
|
2045
|
+
const credentialHashIndex = transactionDataHashesCredential.transaction_data_hashes.indexOf(hash);
|
|
2046
|
+
if (credentialHashIndex === -1) {
|
|
2047
|
+
throw new Oauth2ServerErrorResponseError13({
|
|
2048
|
+
error: Oauth2ErrorCodes11.InvalidTransactionData,
|
|
2049
|
+
error_description: `Transaction data entry with index ${entry.transactionDataIndex} for presentation ${credentialId} with index ${presentationIndex} does not have a matching hash in the transaction_data_hashes`
|
|
2050
|
+
});
|
|
2051
|
+
}
|
|
2052
|
+
presentations.push({
|
|
2053
|
+
credentialHashIndex,
|
|
2046
2054
|
hash,
|
|
2047
2055
|
hashAlg: alg,
|
|
2048
|
-
|
|
2049
|
-
};
|
|
2056
|
+
presentationIndex
|
|
2057
|
+
});
|
|
2050
2058
|
}
|
|
2059
|
+
return {
|
|
2060
|
+
transactionDataEntry: entry,
|
|
2061
|
+
credentialId,
|
|
2062
|
+
presentations
|
|
2063
|
+
};
|
|
2051
2064
|
}
|
|
2052
2065
|
throw new Oauth2ServerErrorResponseError13({
|
|
2053
2066
|
error: Oauth2ErrorCodes11.InvalidTransactionData,
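Review bot: A credential id that maps to an empty array is accepted as verified: `if (!transactionDataHashesCredentials) continue;` only skips a missing entry, so an empty list bypasses the inner loop and returns `presentations: []` without a single hash having been compared, instead of reaching the InvalidTransactionData throw after the loop. If `credentials[credentialId]` can legitimately be empty (not visible from this hunk), the guard should read `if (!transactionDataHashesCredentials?.length) continue;`. Separately, `presentationIndex` is recovered with `indexOf` inside the `for...of`, which is quadratic and reports the first occurrence for duplicate objects; iterating `for (const [presentationIndex, transactionDataHashesCredential] of transactionDataHashesCredentials.entries())` yields the index directly and drops the `indexOf` line. If `credentials` is a plain object rather than a `Map`, an `Object.hasOwn(credentials, credentialId)` check would also keep ids such as `constructor` from resolving to prototype members. verifyTransactionDataEntry starts before and ends after this hunk.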
|
|
@@ -2081,6 +2094,14 @@ var Openid4vpVerifier = class {
|
|
|
2081
2094
|
parseTransactionData(options) {
|
|
2082
2095
|
return parseTransactionData(options);
|
|
2083
2096
|
}
|
|
2097
|
+
/**
|
|
2098
|
+
* Verify transaction data against submitted credentials.
|
|
2099
|
+
*
|
|
2100
|
+
* NOTE: this expects transaction data based authorization based on hashes. This is the method defined
|
|
2101
|
+
* for SD-JWT VC, but for mDOCs it's much more generic. If you're using transaction data with mDOCs based
|
|
2102
|
+
* on hashes, you can extract the values from the DeviceResponse, otherwise you must verify the transaction data
|
|
2103
|
+
* manually.
|
|
2104
|
+
*/
|
|
2084
2105
|
verifyTransactionData(options) {
|
|
2085
2106
|
return verifyTransactionData({
|
|
2086
2107
|
...options,
|