@originals/sdk 1.4.3 → 1.4.5

package/dist/vc/Issuer.js

@@ -0,0 +1,70 @@
+import { multikey } from '../crypto/Multikey';
+import { createDocumentLoader } from './documentLoader';
+import { DataIntegrityProofManager } from './proofs/data-integrity';
+export class Issuer {
+    constructor(didManager, verificationMethod) {
+        this.didManager = didManager;
+        this.verificationMethod = verificationMethod;
+    }
+    inferKeyType(publicKeyMultibase) {
+        try {
+            return multikey.decodePublicKey(publicKeyMultibase).type;
+        }
+        catch {
+            return 'Ed25519';
+        }
+    }
+    async issueCredential(unsigned, options) {
+        const documentLoader = options.documentLoader || createDocumentLoader(this.didManager);
+        await documentLoader(this.verificationMethod.id);
+        const issuerId = typeof unsigned.issuer === 'string' ? unsigned.issuer : unsigned.issuer?.id;
+        const credential = {
+            ...unsigned,
+            '@context': ['https://www.w3.org/ns/credentials/v2'],
+            issuer: issuerId || this.verificationMethod.controller,
+            proof: undefined
+        };
+        if (!this.verificationMethod.secretKeyMultibase) {
+            throw new Error('Missing secretKeyMultibase for issuance');
+        }
+        const keyType = this.inferKeyType(this.verificationMethod.publicKeyMultibase);
+        if (keyType !== 'Ed25519') {
+            throw new Error('Only Ed25519 supported for eddsa-rdfc-2022');
+        }
+        const proof = await DataIntegrityProofManager.createProof(credential, {
+            verificationMethod: this.verificationMethod.id,
+            proofPurpose: options.proofPurpose,
+            cryptosuite: 'eddsa-rdfc-2022',
+            type: 'DataIntegrityProof',
+            privateKey: this.verificationMethod.secretKeyMultibase,
+            documentLoader
+        });
+        return { ...credential, proof };
+    }
+    async issuePresentation(presentation, options) {
+        const documentLoader = options.documentLoader || createDocumentLoader(this.didManager);
+        await documentLoader(this.verificationMethod.id);
+        if (!this.verificationMethod.secretKeyMultibase) {
+            throw new Error('Missing secretKeyMultibase for issuance');
+        }
+        const keyType = this.inferKeyType(this.verificationMethod.publicKeyMultibase);
+        if (keyType !== 'Ed25519') {
+            throw new Error('Only Ed25519 supported for eddsa-rdfc-2022');
+        }
+        const proof = await DataIntegrityProofManager.createProof({ ...presentation, '@context': ['https://www.w3.org/ns/credentials/v2'] }, {
+            verificationMethod: this.verificationMethod.id,
+            proofPurpose: options.proofPurpose,
+            cryptosuite: 'eddsa-rdfc-2022',
+            type: 'DataIntegrityProof',
+            privateKey: this.verificationMethod.secretKeyMultibase,
+            challenge: options.challenge,
+            domain: options.domain,
+            documentLoader
+        });
+        return {
+            ...presentation,
+            '@context': ['https://www.w3.org/ns/credentials/v2'],
+            proof
+        };
+    }
+}

package/dist/vc/Verifier.d.ts

@@ -0,0 +1,16 @@
+import { VerifiableCredential, VerifiablePresentation } from '../types';
+import { DIDManager } from '../did/DIDManager';
+export type VerificationResult = {
+    verified: boolean;
+    errors: string[];
+};
+export declare class Verifier {
+    private didManager;
+    constructor(didManager: DIDManager);
+    verifyCredential(vc: VerifiableCredential, options?: {
+        documentLoader?: (iri: string) => Promise<any>;
+    }): Promise<VerificationResult>;
+    verifyPresentation(vp: VerifiablePresentation, options?: {
+        documentLoader?: (iri: string) => Promise<any>;
+    }): Promise<VerificationResult>;
+}

package/dist/vc/Verifier.js

@@ -0,0 +1,50 @@
+import { createDocumentLoader } from './documentLoader';
+import { DataIntegrityProofManager } from './proofs/data-integrity';
+export class Verifier {
+    constructor(didManager) {
+        this.didManager = didManager;
+    }
+    async verifyCredential(vc, options = {}) {
+        try {
+            if (!vc || !vc['@context'] || !vc.type)
+                throw new Error('Invalid credential');
+            if (!vc.proof)
+                throw new Error('Credential has no proof');
+            const loader = options.documentLoader || createDocumentLoader(this.didManager);
+            const ctxs = Array.isArray(vc['@context']) ? vc['@context'] : [vc['@context']];
+            for (const c of ctxs)
+                await loader(c);
+            const proof = Array.isArray(vc.proof) ? vc.proof[0] : vc.proof;
+            const result = await DataIntegrityProofManager.verifyProof(vc, proof, { documentLoader: loader });
+            return result.verified ? { verified: true, errors: [] } : { verified: false, errors: result.errors ?? ['Verification failed'] };
+        }
+        catch (e) {
+            return { verified: false, errors: [e?.message ?? 'Unknown error in verifyCredential'] };
+        }
+    }
+    async verifyPresentation(vp, options = {}) {
+        try {
+            if (!vp || !vp['@context'] || !vp.type)
+                throw new Error('Invalid presentation');
+            if (!vp.proof)
+                throw new Error('Presentation has no proof');
+            const loader = options.documentLoader || createDocumentLoader(this.didManager);
+            const ctxs = Array.isArray(vp['@context']) ? vp['@context'] : [vp['@context']];
+            for (const c of ctxs)
+                await loader(c);
+            if (vp.verifiableCredential) {
+                for (const c of vp.verifiableCredential) {
+                    const res = await this.verifyCredential(c, { documentLoader: loader });
+                    if (!res.verified)
+                        return res;
+                }
+            }
+            const proof = Array.isArray(vp.proof) ? vp.proof[0] : vp.proof;
+            const result = await DataIntegrityProofManager.verifyProof(vp, proof, { documentLoader: loader });
+            return result.verified ? { verified: true, errors: [] } : { verified: false, errors: result.errors ?? ['Verification failed'] };
+        }
+        catch (e) {
+            return { verified: false, errors: [e?.message ?? 'Unknown error in verifyPresentation'] };
+        }
+    }
+}

package/dist/vc/cryptosuites/bbs.d.ts

@@ -0,0 +1,44 @@
+/**
+ * Minimal BBS utility methods ported from legacy for working with
+ * Data Integrity BBS (bbs-2023) base and derived proof value encoding.
+ *
+ * Notes:
+ * - This module focuses on serialization/parsing helpers used by callers
+ *   to pack/unpack proof values. It does not perform signing or verification.
+ * - All methods operate on Uint8Array inputs and return multibase strings
+ *   (base64url with 'u' prefix) where applicable to match the spec.
+ */
+export declare class BBSCryptosuiteUtils {
+    private static encodeBase64urlNoPad;
+    private static decodeBase64urlNoPad;
+    private static compareBytes;
+    private static concatBytes;
+    static serializeBaseProofValue(bbsSignature: Uint8Array, bbsHeader: Uint8Array, publicKey: Uint8Array, hmacKey: Uint8Array, mandatoryPointers: string[], featureOption: 'baseline' | 'anonymous_holder_binding' | 'pseudonym_issuer_pid' | 'pseudonym_hidden_pid', pid?: Uint8Array, signerBlind?: Uint8Array): string;
+    static parseBaseProofValue(proofValue: string): {
+        bbsSignature: Uint8Array;
+        bbsHeader: Uint8Array;
+        publicKey: Uint8Array;
+        hmacKey: Uint8Array;
+        mandatoryPointers: string[];
+        featureOption: 'baseline' | 'anonymous_holder_binding' | 'pseudonym_issuer_pid' | 'pseudonym_hidden_pid' | 'base_proof';
+        pid?: Uint8Array;
+        signerBlind?: Uint8Array;
+    };
+    private static compressLabelMap;
+    private static decompressLabelMap;
+    static serializeDerivedProofValue(bbsProof: Uint8Array, labelMap: {
+        [key: string]: string;
+    }, mandatoryIndexes: number[], selectiveIndexes: number[], presentationHeader: Uint8Array, featureOption: 'baseline' | 'anonymous_holder_binding' | 'pseudonym', pseudonym?: string, lengthBBSMessages?: number): string;
+    static parseDerivedProofValue(proofValue: string): {
+        bbsProof: Uint8Array;
+        labelMap: {
+            [key: string]: string;
+        };
+        mandatoryIndexes: number[];
+        selectiveIndexes: number[];
+        presentationHeader: Uint8Array;
+        featureOption: 'baseline' | 'anonymous_holder_binding' | 'pseudonym';
+        pseudonym?: string;
+        lengthBBSMessages?: number;
+    };
+}

package/dist/vc/cryptosuites/bbs.js

@@ -0,0 +1,213 @@
+import * as cbor from 'cbor-js';
+/**
+ * Minimal BBS utility methods ported from legacy for working with
+ * Data Integrity BBS (bbs-2023) base and derived proof value encoding.
+ *
+ * Notes:
+ * - This module focuses on serialization/parsing helpers used by callers
+ *   to pack/unpack proof values. It does not perform signing or verification.
+ * - All methods operate on Uint8Array inputs and return multibase strings
+ *   (base64url with 'u' prefix) where applicable to match the spec.
+ */
+export class BBSCryptosuiteUtils {
+    static encodeBase64urlNoPad(bytes) {
+        const b64 = Buffer.from(bytes).toString('base64');
+        const b64url = b64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/g, '');
+        return 'u' + b64url;
+    }
+    static decodeBase64urlNoPad(s) {
+        if (!s.startsWith('u'))
+            throw new Error('Not a multibase base64url (u- prefixed) string');
+        const raw = s.slice(1);
+        const b64 = raw.replace(/-/g, '+').replace(/_/g, '/');
+        const pad = b64.length % 4 === 2 ? '==' : b64.length % 4 === 3 ? '=' : '';
+        return new Uint8Array(Buffer.from(b64 + pad, 'base64'));
+    }
+    static compareBytes(a, b) {
+        if (a.length !== b.length)
+            return false;
+        for (let i = 0; i < b.length; i++) {
+            if (a[i] !== b[i])
+                return false;
+        }
+        return true;
+    }
+    static concatBytes(a, b) {
+        const out = new Uint8Array(a.length + b.length);
+        out.set(a, 0);
+        out.set(b, a.length);
+        return out;
+    }
+    // ===== Base proof (serialize/parse) =====
+    static serializeBaseProofValue(bbsSignature, bbsHeader, publicKey, hmacKey, mandatoryPointers, featureOption, pid, signerBlind) {
+        let headerBytes;
+        let components;
+        switch (featureOption) {
+            case 'baseline':
+                headerBytes = new Uint8Array([0xd9, 0x5d, 0x02]);
+                components = [bbsSignature, bbsHeader, publicKey, hmacKey, mandatoryPointers];
+                break;
+            case 'anonymous_holder_binding':
+                headerBytes = new Uint8Array([0xd9, 0x5d, 0x04]);
+                if (!signerBlind)
+                    throw new Error('signerBlind is required for anonymous_holder_binding');
+                components = [bbsSignature, bbsHeader, publicKey, hmacKey, mandatoryPointers, signerBlind];
+                break;
+            case 'pseudonym_issuer_pid':
+                headerBytes = new Uint8Array([0xd9, 0x5d, 0x06]);
+                if (!pid)
+                    throw new Error('pid is required for pseudonym_issuer_pid');
+                components = [bbsSignature, bbsHeader, publicKey, hmacKey, mandatoryPointers, pid];
+                break;
+            case 'pseudonym_hidden_pid':
+                headerBytes = new Uint8Array([0xd9, 0x5d, 0x08]);
+                if (!signerBlind)
+                    throw new Error('signerBlind is required for pseudonym_hidden_pid');
+                components = [bbsSignature, bbsHeader, publicKey, hmacKey, mandatoryPointers, signerBlind];
+                break;
+            default:
+                throw new Error(`Unsupported feature option: ${featureOption}`);
+        }
+        const encodedComponents = cbor.encode(components);
+        const proofBytes = BBSCryptosuiteUtils.concatBytes(headerBytes, new Uint8Array(encodedComponents));
+        return BBSCryptosuiteUtils.encodeBase64urlNoPad(proofBytes);
+    }
+    static parseBaseProofValue(proofValue) {
+        const decoded = BBSCryptosuiteUtils.decodeBase64urlNoPad(proofValue);
+        const header = decoded.slice(0, 3);
+        let featureOption;
+        if (this.compareBytes(header, [0xd9, 0x5d, 0x02]))
+            featureOption = 'baseline';
+        else if (this.compareBytes(header, [0xd9, 0x5d, 0x04]))
+            featureOption = 'anonymous_holder_binding';
+        else if (this.compareBytes(header, [0xd9, 0x5d, 0x06]))
+            featureOption = 'pseudonym_issuer_pid';
+        else if (this.compareBytes(header, [0xd9, 0x5d, 0x08]))
+            featureOption = 'pseudonym_hidden_pid';
+        else if (this.compareBytes(header, [0xd9, 0x5d, 0x03]))
+            featureOption = 'base_proof';
+        else
+            throw new Error('Invalid BBS base proof header');
+        const components = cbor.decode(decoded.slice(3).buffer);
+        const base = {
+            bbsSignature: components[0],
+            bbsHeader: components[1],
+            publicKey: components[2],
+            hmacKey: components[3],
+            mandatoryPointers: components[4],
+            featureOption
+        };
+        if (featureOption === 'anonymous_holder_binding' || featureOption === 'pseudonym_hidden_pid') {
+            base.signerBlind = components[5];
+        }
+        if (featureOption === 'pseudonym_issuer_pid') {
+            base.pid = components[5];
+        }
+        return base;
+    }
+    // ===== Label map compression helpers =====
+    static compressLabelMap(labelMap) {
+        const map = {};
+        for (const [k, v] of Object.entries(labelMap)) {
+            const c14nMatch = k.match(/^c14n(\d+)$/);
+            const bMatch = v.match(/^b(\d+)$/);
+            if (!c14nMatch || !bMatch) {
+                throw new Error(`Invalid label map entry: ${k} -> ${v}`);
+            }
+            const key = parseInt(c14nMatch[1], 10);
+            const value = parseInt(bMatch[1], 10);
+            map[key] = value.toString();
+        }
+        return map;
+    }
+    static decompressLabelMap(compressed) {
+        const map = {};
+        for (const [k, v] of Object.entries(compressed)) {
+            map[`c14n${k}`] = `b${v}`;
+        }
+        return map;
+    }
+    // ===== Derived proof (serialize/parse) =====
+    static serializeDerivedProofValue(bbsProof, labelMap, mandatoryIndexes, selectiveIndexes, presentationHeader, featureOption, pseudonym, lengthBBSMessages) {
+        const compressedLabelMap = this.compressLabelMap(labelMap);
+        let headerBytes;
+        let components;
+        switch (featureOption) {
+            case 'baseline':
+                headerBytes = new Uint8Array([0xd9, 0x5d, 0x03]);
+                components = [
+                    bbsProof,
+                    compressedLabelMap,
+                    mandatoryIndexes,
+                    selectiveIndexes,
+                    presentationHeader
+                ];
+                break;
+            case 'anonymous_holder_binding':
+                if (typeof lengthBBSMessages !== 'number') {
+                    throw new Error('lengthBBSMessages is required for anonymous_holder_binding');
+                }
+                headerBytes = new Uint8Array([0xd9, 0x5d, 0x05]);
+                components = [
+                    bbsProof,
+                    compressedLabelMap,
+                    mandatoryIndexes,
+                    selectiveIndexes,
+                    presentationHeader,
+                    lengthBBSMessages
+                ];
+                break;
+            case 'pseudonym':
+                if (!pseudonym || typeof lengthBBSMessages !== 'number') {
+                    throw new Error('pseudonym and lengthBBSMessages are required for pseudonym features');
+                }
+                headerBytes = new Uint8Array([0xd9, 0x5d, 0x07]);
+                components = [
+                    bbsProof,
+                    compressedLabelMap,
+                    mandatoryIndexes,
+                    selectiveIndexes,
+                    presentationHeader,
+                    pseudonym,
+                    lengthBBSMessages
+                ];
+                break;
+            default:
+                throw new Error(`Unsupported feature option: ${featureOption}`);
+        }
+        const encodedComponents = cbor.encode(components);
+        const proofBytes = this.concatBytes(headerBytes, new Uint8Array(encodedComponents));
+        return this.encodeBase64urlNoPad(proofBytes);
+    }
+    static parseDerivedProofValue(proofValue) {
+        const decoded = this.decodeBase64urlNoPad(proofValue);
+        const header = decoded.slice(0, 3);
+        let featureOption;
+        if (this.compareBytes(header, [0xd9, 0x5d, 0x03]))
+            featureOption = 'baseline';
+        else if (this.compareBytes(header, [0xd9, 0x5d, 0x05]))
+            featureOption = 'anonymous_holder_binding';
+        else if (this.compareBytes(header, [0xd9, 0x5d, 0x07]))
+            featureOption = 'pseudonym';
+        else
+            throw new Error('Invalid BBS derived proof header');
+        const components = cbor.decode(decoded.slice(3).buffer);
+        const decompressedLabelMap = this.decompressLabelMap(components[1]);
+        const result = {
+            bbsProof: components[0],
+            labelMap: decompressedLabelMap,
+            mandatoryIndexes: components[2],
+            selectiveIndexes: components[3],
+            presentationHeader: components[4],
+            featureOption
+        };
+        if (featureOption === 'anonymous_holder_binding') {
+            result.lengthBBSMessages = components[5];
+        }
+        else if (featureOption === 'pseudonym') {
+            result.pseudonym = components[5];
+            result.lengthBBSMessages = components[6];
+        }
+        return result;
+    }
+}

package/dist/vc/cryptosuites/bbsSimple.d.ts

@@ -0,0 +1,9 @@
+export type BbsKeyPair = {
+    publicKey: Uint8Array;
+    privateKey: Uint8Array;
+};
+export declare class BbsSimple {
+    static readonly CIPHERSUITE = "BLS12-381-SHA-256";
+    static sign(messages: Uint8Array[], keypair: BbsKeyPair, header?: Uint8Array): Promise<Uint8Array>;
+    static verify(messages: Uint8Array[], signature: Uint8Array, publicKey: Uint8Array, header?: Uint8Array): Promise<boolean>;
+}

package/dist/vc/cryptosuites/bbsSimple.js

@@ -0,0 +1,12 @@
+import { sha256 } from '@noble/hashes/sha2.js';
+export class BbsSimple {
+    static async sign(messages, keypair, header) {
+        const headerBytes = header ?? new Uint8Array(sha256(new Uint8Array(0)));
+        throw new Error('BbsSimple.sign is not implemented');
+    }
+    static async verify(messages, signature, publicKey, header) {
+        const headerBytes = header ?? new Uint8Array(sha256(new Uint8Array(0)));
+        throw new Error('BbsSimple.verify is not implemented');
+    }
+}
+BbsSimple.CIPHERSUITE = 'BLS12-381-SHA-256';

package/dist/vc/cryptosuites/eddsa.d.ts

@@ -0,0 +1,30 @@
+export interface DataIntegrityProof {
+    type: 'DataIntegrityProof';
+    cryptosuite: string;
+    created?: string;
+    verificationMethod: string;
+    proofPurpose: string;
+    proofValue: string;
+    id?: string;
+    previousProof?: string | string[];
+}
+export interface VerificationResult {
+    verified: boolean;
+    errors?: string[];
+}
+export declare class EdDSACryptosuiteManager {
+    static createProof(document: any, options: any): Promise<DataIntegrityProof>;
+    static verifyProof(document: any, proof: DataIntegrityProof, options: any): Promise<VerificationResult>;
+    private static createProofConfiguration;
+    private static transform;
+    private static hash;
+    static sign({ data, privateKey }: {
+        data: Uint8Array;
+        privateKey: Uint8Array;
+    }): Promise<Uint8Array>;
+    static verify({ data, signature, publicKey }: {
+        data: Uint8Array;
+        signature: Uint8Array;
+        publicKey: Uint8Array;
+    }): Promise<boolean>;
+}

package/dist/vc/cryptosuites/eddsa.js

@@ -0,0 +1,81 @@
+import { base58 } from '@scure/base';
+import * as ed25519 from '@noble/ed25519';
+import { canonize, canonizeProof } from '../utils/jsonld';
+import { multikey } from '../../crypto/Multikey';
+import { sha256Bytes } from '../../utils/hash';
+export class EdDSACryptosuiteManager {
+    static async createProof(document, options) {
+        const proofConfig = await this.createProofConfiguration(options);
+        const transformedData = await this.transform(document, options);
+        const hashData = await this.hash(transformedData, proofConfig, options);
+        let privateKey;
+        if (typeof options.privateKey === 'string') {
+            const dec = multikey.decodePrivateKey(options.privateKey);
+            if (dec.type !== 'Ed25519')
+                throw new Error('Invalid key type for EdDSA');
+            privateKey = dec.key;
+        }
+        else if (options.privateKey instanceof Uint8Array) {
+            privateKey = options.privateKey;
+        }
+        else {
+            throw new Error('Invalid private key format');
+        }
+        const proofValueBytes = await this.sign({ data: hashData, privateKey });
+        delete proofConfig['@context'];
+        return { ...proofConfig, proofValue: base58.encode(proofValueBytes) };
+    }
+    static async verifyProof(document, proof, options) {
+        try {
+            const documentToVerify = { ...document };
+            delete documentToVerify.proof;
+            const transformedData = await this.transform(documentToVerify, options);
+            const hashData = await this.hash(transformedData, { '@context': document['@context'], ...proof }, options);
+            const vmDoc = await options.documentLoader(proof.verificationMethod);
+            const pk = vmDoc.document.publicKeyMultibase;
+            const dec = multikey.decodePublicKey(pk);
+            if (dec.type !== 'Ed25519')
+                throw new Error('Invalid key type for EdDSA');
+            const signature = base58.decode(proof.proofValue);
+            const verified = await this.verify({ data: hashData, signature, publicKey: dec.key });
+            return verified ? { verified: true } : { verified: false, errors: ['Proof verification failed'] };
+        }
+        catch (e) {
+            return { verified: false, errors: [e?.message ?? 'Unknown verification error'] };
+        }
+    }
+    static async createProofConfiguration(options) {
+        return {
+            '@context': 'https://w3id.org/security/data-integrity/v2',
+            type: 'DataIntegrityProof',
+            cryptosuite: 'eddsa-rdfc-2022',
+            created: new Date().toISOString(),
+            verificationMethod: options.verificationMethod,
+            proofPurpose: options.proofPurpose || 'assertionMethod',
+            ...(options.challenge && { challenge: options.challenge }),
+            ...(options.domain && { domain: options.domain })
+        };
+    }
+    static async transform(document, options) {
+        return await canonize(document, { documentLoader: options.documentLoader });
+    }
+    static async hash(transformedData, proofConfig, options) {
+        const canonicalProofConfig = await canonizeProof(proofConfig, { documentLoader: options.documentLoader });
+        const proofConfigHash = await sha256Bytes(canonicalProofConfig);
+        const documentHash = await sha256Bytes(transformedData);
+        return new Uint8Array([...proofConfigHash, ...documentHash]);
+    }
+    static async sign({ data, privateKey }) {
+        if (privateKey.length !== 32) {
+            if (privateKey.length === 64)
+                privateKey = privateKey.slice(32);
+            else
+                throw new Error('Invalid private key length');
+        }
+        const signature = await ed25519.signAsync(Buffer.from(data).toString('hex'), Buffer.from(privateKey).toString('hex'));
+        return signature;
+    }
+    static async verify({ data, signature, publicKey }) {
+        return await ed25519.verifyAsync(Buffer.from(signature).toString('hex'), Buffer.from(data).toString('hex'), Buffer.from(publicKey).toString('hex'));
+    }
+}

package/dist/vc/documentLoader.d.ts

@@ -0,0 +1,16 @@
+import { DIDManager } from '../did/DIDManager';
+type LoadedDocument = {
+    document: any;
+    documentUrl: string;
+    contextUrl: string | null;
+};
+export declare class DocumentLoader {
+    private didManager;
+    constructor(didManager: DIDManager);
+    load(iri: string): Promise<LoadedDocument>;
+    private resolveDID;
+}
+export declare const createDocumentLoader: (didManager: DIDManager) => (iri: string) => Promise<LoadedDocument>;
+export declare const verificationMethodRegistry: Map<string, any>;
+export declare function registerVerificationMethod(vm: any): void;
+export {};

package/dist/vc/documentLoader.js

@@ -0,0 +1,59 @@
+const CONTEXTS = {
+    // Provide 1.1-compatible stubs for jsonld canonize
+    'https://www.w3.org/ns/credentials/v2': { '@context': { '@version': 1.1 } },
+    'https://w3id.org/security/data-integrity/v2': { '@context': { '@version': 1.1 } }
+};
+export class DocumentLoader {
+    constructor(didManager) {
+        this.didManager = didManager;
+    }
+    async load(iri) {
+        if (iri.startsWith('did:')) {
+            return this.resolveDID(iri);
+        }
+        const doc = CONTEXTS[iri];
+        if (doc) {
+            return { document: doc, documentUrl: iri, contextUrl: null };
+        }
+        throw new Error(`Document not found: ${iri}`);
+    }
+    async resolveDID(didUrl) {
+        const [did, fragment] = didUrl.split('#');
+        const didDoc = await this.didManager.resolveDID(did);
+        if (!didDoc) {
+            throw new Error(`DID not resolved: ${did}`);
+        }
+        if (fragment) {
+            // If a VM was registered explicitly, prefer it
+            const cached = verificationMethodRegistry.get(didUrl);
+            if (cached) {
+                return {
+                    document: { '@context': didDoc['@context'], ...cached },
+                    documentUrl: didUrl,
+                    contextUrl: null
+                };
+            }
+            const vms = didDoc.verificationMethod;
+            const vm = vms?.find((m) => m.id === didUrl);
+            if (vm) {
+                return {
+                    document: { '@context': didDoc['@context'], ...vm },
+                    documentUrl: didUrl,
+                    contextUrl: null
+                };
+            }
+            return {
+                document: { '@context': didDoc['@context'], id: didUrl },
+                documentUrl: didUrl,
+                contextUrl: null
+            };
+        }
+        return { document: didDoc, documentUrl: didUrl, contextUrl: null };
+    }
+}
+export const createDocumentLoader = (didManager) => (iri) => new DocumentLoader(didManager).load(iri);
+export const verificationMethodRegistry = new Map();
+export function registerVerificationMethod(vm) {
+    if (vm?.id)
+        verificationMethodRegistry.set(vm.id, vm);
+}

package/dist/vc/proofs/data-integrity.d.ts

@@ -0,0 +1,21 @@
+import { type DataIntegrityProof } from '../cryptosuites/eddsa';
+export interface VerificationResult {
+    verified: boolean;
+    errors?: string[];
+}
+export interface ProofOptions {
+    verificationMethod: string;
+    proofPurpose: string;
+    privateKey?: Uint8Array | string;
+    type: 'DataIntegrityProof';
+    created?: string;
+    cryptosuite: string;
+    documentLoader?: (url: string) => Promise<any>;
+    previousProof?: string | string[];
+    challenge?: string;
+    domain?: string;
+}
+export declare class DataIntegrityProofManager {
+    static createProof(document: any, options: ProofOptions): Promise<DataIntegrityProof>;
+    static verifyProof(document: any, proof: DataIntegrityProof, options: any): Promise<VerificationResult>;
+}

package/dist/vc/proofs/data-integrity.js

@@ -0,0 +1,15 @@
+import { EdDSACryptosuiteManager } from '../cryptosuites/eddsa';
+export class DataIntegrityProofManager {
+    static async createProof(document, options) {
+        if (options.cryptosuite !== 'eddsa-rdfc-2022') {
+            throw new Error(`Unsupported cryptosuite: ${options.cryptosuite}`);
+        }
+        return await EdDSACryptosuiteManager.createProof(document, options);
+    }
+    static async verifyProof(document, proof, options) {
+        if (proof.cryptosuite !== 'eddsa-rdfc-2022') {
+            return { verified: false, errors: [`Unsupported cryptosuite: ${proof.cryptosuite}`] };
+        }
+        return await EdDSACryptosuiteManager.verifyProof(document, proof, options);
+    }
+}

package/dist/vc/utils/jsonld.d.ts

@@ -0,0 +1,2 @@
+export declare function canonize(input: any, { documentLoader }: any): Promise<string>;
+export declare function canonizeProof(proof: any, { documentLoader }: any): Promise<string>;

package/dist/vc/utils/jsonld.js

@@ -0,0 +1,15 @@
+import jsonld from 'jsonld';
+export async function canonize(input, { documentLoader }) {
+    return await jsonld.canonize(input, {
+        algorithm: 'URDNA2015',
+        format: 'application/n-quads',
+        documentLoader,
+        safe: false,
+        useNative: false,
+        rdfDirection: 'i18n-datatype'
+    });
+}
+export async function canonizeProof(proof, { documentLoader }) {
+    const { jws, signatureValue, proofValue, ...rest } = proof;
+    return await canonize(rest, { documentLoader });
+}