@originals/sdk 1.4.3 → 1.5.0

package/dist/vc/CredentialManager.js

@@ -0,0 +1,615 @@
+import { canonicalizeDocument } from '../utils/serialization';
+import { encodeBase64UrlMultibase, decodeBase64UrlMultibase } from '../utils/encoding';
+import { sha256 } from '@noble/hashes/sha2.js';
+import { bytesToHex } from '@noble/hashes/utils.js';
+import { ES256KSigner, Ed25519Signer, ES256Signer } from '../crypto/Signer';
+import { Issuer } from './Issuer';
+import { createDocumentLoader } from './documentLoader';
+import { Verifier } from './Verifier';
+export class CredentialManager {
+    constructor(config, didManager) {
+        this.config = config;
+        this.didManager = didManager;
+    }
+    async createResourceCredential(type, subject, issuer) {
+        return {
+            '@context': ['https://www.w3.org/2018/credentials/v1'],
+            type: ['VerifiableCredential', type],
+            issuer,
+            issuanceDate: new Date().toISOString(),
+            credentialSubject: subject
+        };
+    }
+    async signCredential(credential, privateKeyMultibase, verificationMethod) {
+        if (this.didManager && typeof verificationMethod === 'string' && verificationMethod.startsWith('did:')) {
+            try {
+                const loader = createDocumentLoader(this.didManager);
+                const { document } = await loader(verificationMethod);
+                if (document && document.publicKeyMultibase) {
+                    const vm = {
+                        id: verificationMethod,
+                        controller: typeof credential.issuer === 'string' ? credential.issuer : credential.issuer?.id,
+                        publicKeyMultibase: document.publicKeyMultibase,
+                        secretKeyMultibase: privateKeyMultibase,
+                        type: document.type || 'Multikey'
+                    };
+                    const issuer = new Issuer(this.didManager, vm);
+                    const unsigned = { ...credential };
+                    delete unsigned['@context'];
+                    delete unsigned.proof;
+                    return issuer.issueCredential(unsigned, { proofPurpose: 'assertionMethod' });
+                }
+            }
+            catch {
+                // fall through to legacy signing
+            }
+        }
+        // fallback to legacy local signer
+        const proofBase = {
+            type: 'DataIntegrityProof',
+            created: new Date().toISOString(),
+            verificationMethod,
+            proofPurpose: 'assertionMethod',
+            proofValue: ''
+        };
+        const proofValue = await this.generateProofValue(credential, privateKeyMultibase, proofBase);
+        const proof = { ...proofBase, proofValue };
+        return { ...credential, proof };
+    }
+    /**
+     * Sign a credential using an external signer (e.g., hardware wallet, Turnkey)
+     * @param credential - The unsigned credential
+     * @param signer - External signer implementation
+     * @returns Signed verifiable credential
+     */
+    async signCredentialWithExternalSigner(credential, signer) {
+        const verificationMethodId = await signer.getVerificationMethodId();
+        // Create proof structure
+        const proofBase = {
+            type: 'DataIntegrityProof',
+            cryptosuite: 'eddsa-rdfc-2022', // Or derive from signer type
+            created: new Date().toISOString(),
+            verificationMethod: verificationMethodId,
+            proofPurpose: 'assertionMethod'
+        };
+        // Prepare unsigned credential
+        const unsignedCredential = { ...credential };
+        delete unsignedCredential.proof;
+        // Use external signer to sign
+        const { proofValue } = await signer.sign({
+            document: unsignedCredential,
+            proof: proofBase
+        });
+        // Return signed credential
+        return {
+            ...credential,
+            proof: {
+                ...proofBase,
+                proofValue
+            }
+        };
+    }
+    async verifyCredential(credential) {
+        if (this.didManager) {
+            const proofAny = credential.proof;
+            if (proofAny && (proofAny.cryptosuite || (Array.isArray(proofAny) && proofAny[0]?.cryptosuite))) {
+                const verifier = new Verifier(this.didManager);
+                const res = await verifier.verifyCredential(credential);
+                return res.verified;
+            }
+        }
+        const proof = credential.proof;
+        if (!proof) {
+            return false;
+        }
+        const { proofValue, verificationMethod } = proof;
+        if (!proofValue || !verificationMethod)
+            return false;
+        const signature = this.decodeMultibase(proofValue);
+        if (!signature)
+            return false;
+        const proofSansValue = { ...proof };
+        delete proofSansValue.proofValue;
+        const proofInput = { ...proofSansValue };
+        const credentialContext = credential['@context'];
+        if (credentialContext && !proofInput['@context']) {
+            proofInput['@context'] = credentialContext;
+        }
+        const unsignedCredential = { ...credential };
+        delete unsignedCredential.proof;
+        const c14nProof = await canonicalizeDocument(proofInput);
+        const c14nCred = await canonicalizeDocument(unsignedCredential);
+        const hProof = Buffer.from(sha256(Buffer.from(c14nProof, 'utf8')));
+        const hCred = Buffer.from(sha256(Buffer.from(c14nCred, 'utf8')));
+        const digest = Buffer.concat([hProof, hCred]);
+        const signer = this.getSigner();
+        try {
+            const resolvedKey = proof.publicKeyMultibase
+                || await this.resolveVerificationMethodMultibase(verificationMethod);
+            if (!resolvedKey) {
+                return false;
+            }
+            return await signer.verify(Buffer.from(digest), Buffer.from(signature), resolvedKey);
+        }
+        catch {
+            return false;
+        }
+    }
+    async createPresentation(credentials, holder) {
+        return {
+            '@context': ['https://www.w3.org/2018/credentials/v1'],
+            type: ['VerifiablePresentation'],
+            holder,
+            verifiableCredential: credentials
+        };
+    }
+    async generateProofValue(credential, privateKeyMultibase, proofBase) {
+        // Construct canonical digest including provided proof sans proofValue
+        const proofSansValue = { ...proofBase };
+        delete proofSansValue.proofValue;
+        const proofInput = { ...proofSansValue };
+        const credentialContext = credential['@context'];
+        if (credentialContext && !proofInput['@context']) {
+            proofInput['@context'] = credentialContext;
+        }
+        const unsignedCredential = { ...credential };
+        delete unsignedCredential.proof;
+        const c14nProof = await canonicalizeDocument(proofInput);
+        const c14nCred = await canonicalizeDocument(unsignedCredential);
+        const hProof = Buffer.from(sha256(Buffer.from(c14nProof, 'utf8')));
+        const hCred = Buffer.from(sha256(Buffer.from(c14nCred, 'utf8')));
+        const digest = Buffer.concat([hProof, hCred]);
+        const signer = this.getSigner();
+        const sig = await signer.sign(Buffer.from(digest), privateKeyMultibase);
+        return encodeBase64UrlMultibase(sig);
+    }
+    getSigner() {
+        switch (this.config.defaultKeyType) {
+            case 'ES256K':
+                return new ES256KSigner();
+            case 'Ed25519':
+                return new Ed25519Signer();
+            case 'ES256':
+                return new ES256Signer();
+            default:
+                return new ES256KSigner();
+        }
+    }
+    async resolveVerificationMethodMultibase(verificationMethod) {
+        if (typeof verificationMethod === 'string' && verificationMethod.startsWith('z')) {
+            return verificationMethod;
+        }
+        if (!this.didManager || typeof verificationMethod !== 'string' || !verificationMethod.startsWith('did:')) {
+            return null;
+        }
+        const loader = createDocumentLoader(this.didManager);
+        try {
+            const { document } = await loader(verificationMethod);
+            if (document && typeof document.publicKeyMultibase === 'string') {
+                return document.publicKeyMultibase;
+            }
+        }
+        catch (err) {
+            // Document loader failed; will try alternative resolution method
+            if (this.config.enableLogging) {
+                console.warn('Failed to load verification method via document loader:', err);
+            }
+        }
+        try {
+            const did = verificationMethod.split('#')[0];
+            if (!did) {
+                return null;
+            }
+            const didDoc = await this.didManager.resolveDID(did);
+            const vms = didDoc?.verificationMethod;
+            if (Array.isArray(vms)) {
+                const vm = vms.find((m) => m?.id === verificationMethod);
+                if (vm && typeof vm.publicKeyMultibase === 'string') {
+                    return vm.publicKeyMultibase;
+                }
+            }
+        }
+        catch (err) {
+            // Failed to resolve DID document
+            if (this.config.enableLogging) {
+                console.warn('Failed to resolve DID for verification method:', err);
+            }
+        }
+        return null;
+    }
+    decodeMultibase(s) {
+        try {
+            return decodeBase64UrlMultibase(s);
+        }
+        catch {
+            return null;
+        }
+    }
+    // ===== Credential Factory Methods =====
+    /**
+     * Issue a ResourceCreated credential for a newly created resource
+     *
+     * @param resource - The created resource
+     * @param assetDid - The DID of the asset containing the resource
+     * @param creatorDid - The DID of the creator
+     * @param chainOptions - Optional chaining options for linking to previous credentials
+     * @returns Unsigned verifiable credential
+     *
+     * @example
+     * ```typescript
+     * const credential = await credentialManager.issueResourceCredential(
+     *   resource,
+     *   'did:peer:abc...',
+     *   'did:peer:creator...'
+     * );
+     * // Sign the credential with your key
+     * const signed = await credentialManager.signCredential(credential, privateKey, vmId);
+     * ```
+     */
+    async issueResourceCredential(resource, assetDid, creatorDid, chainOptions) {
+        const subject = {
+            id: assetDid,
+            resourceId: resource.id,
+            resourceType: resource.type,
+            contentHash: resource.hash,
+            contentType: resource.contentType,
+            creator: creatorDid,
+            createdAt: resource.createdAt || new Date().toISOString()
+        };
+        const credential = await this.createCredentialWithChain('ResourceCreated', subject, creatorDid, chainOptions);
+        return credential;
+    }
+    /**
+     * Issue a ResourceUpdated credential for a resource version update
+     *
+     * @param resourceId - The logical resource ID
+     * @param assetDid - The DID of the asset
+     * @param previousHash - Hash of the previous version
+     * @param newHash - Hash of the new version
+     * @param fromVersion - Previous version number
+     * @param toVersion - New version number
+     * @param updaterDid - DID of the entity performing the update
+     * @param updateReason - Optional reason for the update
+     * @param chainOptions - Optional chaining options
+     * @returns Unsigned verifiable credential
+     *
+     * @example
+     * ```typescript
+     * const credential = await credentialManager.issueResourceUpdateCredential(
+     *   'main.js',
+     *   'did:webvh:example.com:asset',
+     *   'abc123...',
+     *   'def456...',
+     *   1,
+     *   2,
+     *   'did:webvh:example.com:user',
+     *   'Bug fix'
+     * );
+     * ```
+     */
+    async issueResourceUpdateCredential(resourceId, assetDid, previousHash, newHash, fromVersion, toVersion, updaterDid, updateReason, chainOptions) {
+        const subject = {
+            id: assetDid,
+            resourceId,
+            previousHash,
+            newHash,
+            fromVersion,
+            toVersion,
+            updatedAt: new Date().toISOString(),
+            ...(updateReason && { updateReason })
+        };
+        const credential = await this.createCredentialWithChain('ResourceUpdated', subject, updaterDid, chainOptions);
+        return credential;
+    }
+    /**
+     * Issue a MigrationCompleted credential for layer migrations
+     *
+     * Records the migration of an asset between Originals layers (peer -> webvh -> btco).
+     *
+     * @param sourceDid - The source DID (before migration)
+     * @param targetDid - The target DID (after migration, if different)
+     * @param fromLayer - The source layer
+     * @param toLayer - The target layer
+     * @param issuerDid - The DID issuing this credential
+     * @param details - Optional migration details (transactionId, inscriptionId, satoshi)
+     * @param chainOptions - Optional chaining options
+     * @returns Unsigned verifiable credential
+     *
+     * @example
+     * ```typescript
+     * const credential = await credentialManager.issueMigrationCredential(
+     *   'did:peer:abc...',
+     *   'did:webvh:example.com:asset',
+     *   'did:peer',
+     *   'did:webvh',
+     *   'did:webvh:example.com:publisher'
+     * );
+     * ```
+     */
+    async issueMigrationCredential(sourceDid, targetDid, fromLayer, toLayer, issuerDid, details, chainOptions) {
+        const subject = {
+            id: targetDid || sourceDid,
+            sourceDid,
+            ...(targetDid && { targetDid }),
+            fromLayer,
+            toLayer,
+            migratedAt: new Date().toISOString(),
+            ...(details?.transactionId && { transactionId: details.transactionId }),
+            ...(details?.inscriptionId && { inscriptionId: details.inscriptionId }),
+            ...(details?.satoshi && { satoshi: details.satoshi }),
+            ...(details?.migrationReason && { migrationReason: details.migrationReason })
+        };
+        const credential = await this.createCredentialWithChain('MigrationCompleted', subject, issuerDid, chainOptions);
+        return credential;
+    }
+    /**
+     * Issue an OwnershipTransferred credential for Bitcoin-anchored asset transfers
+     *
+     * Records the transfer of ownership of a did:btco asset to a new owner.
+     *
+     * @param assetDid - The DID of the asset being transferred
+     * @param previousOwner - The previous owner (DID or Bitcoin address)
+     * @param newOwner - The new owner (Bitcoin address)
+     * @param transactionId - The Bitcoin transaction ID
+     * @param issuerDid - The DID issuing this credential
+     * @param details - Optional additional details
+     * @param chainOptions - Optional chaining options
+     * @returns Unsigned verifiable credential
+     *
+     * @example
+     * ```typescript
+     * const credential = await credentialManager.issueOwnershipCredential(
+     *   'did:btco:12345',
+     *   'bc1q...oldowner',
+     *   'bc1q...newowner',
+     *   'abc123...txid',
+     *   'did:btco:12345'
+     * );
+     * ```
+     */
+    async issueOwnershipCredential(assetDid, previousOwner, newOwner, transactionId, issuerDid, details, chainOptions) {
+        const subject = {
+            id: assetDid,
+            previousOwner,
+            newOwner,
+            transferredAt: new Date().toISOString(),
+            transactionId,
+            ...(details?.satoshi && { satoshi: details.satoshi }),
+            ...(details?.transferReason && { transferReason: details.transferReason })
+        };
+        const credential = await this.createCredentialWithChain('OwnershipTransferred', subject, issuerDid, chainOptions);
+        return credential;
+    }
+    /**
+     * Create a credential with optional chaining to a previous credential
+     *
+     * Credential chaining creates a verifiable provenance chain by linking
+     * credentials together through their IDs and hashes.
+     *
+     * @param type - The credential type
+     * @param subject - The credential subject
+     * @param issuer - The issuer DID
+     * @param chainOptions - Optional chaining options
+     * @returns Unsigned verifiable credential with chain metadata
+     */
+    async createCredentialWithChain(type, subject, issuer, chainOptions) {
+        const credential = {
+            '@context': [
+                'https://www.w3.org/2018/credentials/v1',
+                'https://w3id.org/security/data-integrity/v2'
+            ],
+            type: ['VerifiableCredential', type],
+            id: this.generateCredentialId(),
+            issuer,
+            issuanceDate: new Date().toISOString(),
+            credentialSubject: subject
+        };
+        // Add expiration if specified
+        if (chainOptions?.expirationDate) {
+            credential.expirationDate = chainOptions.expirationDate;
+        }
+        // Add credential status if specified
+        if (chainOptions?.credentialStatus) {
+            credential.credentialStatus = chainOptions.credentialStatus;
+        }
+        // Add chaining metadata if provided
+        if (chainOptions?.previousCredentialId || chainOptions?.previousCredentialHash) {
+            credential.credentialSubject.previousCredential = {
+                ...(chainOptions.previousCredentialId && { id: chainOptions.previousCredentialId }),
+                ...(chainOptions.previousCredentialHash && { hash: chainOptions.previousCredentialHash })
+            };
+        }
+        return credential;
+    }
+    /**
+     * Generate a unique credential ID
+     */
+    generateCredentialId() {
+        const timestamp = Date.now();
+        const randomBytes = new Uint8Array(16);
+        if (typeof globalThis.crypto?.getRandomValues === 'function') {
+            globalThis.crypto.getRandomValues(randomBytes);
+        }
+        else {
+            // Fallback for environments without crypto.getRandomValues
+            for (let i = 0; i < 16; i++) {
+                randomBytes[i] = Math.floor(Math.random() * 256);
+            }
+        }
+        const randomHex = bytesToHex(randomBytes);
+        return `urn:uuid:${timestamp}-${randomHex.substring(0, 8)}-${randomHex.substring(8, 16)}`;
+    }
+    /**
+     * Compute the hash of a credential for chaining purposes
+     *
+     * @param credential - The credential to hash
+     * @returns SHA-256 hash of the canonicalized credential
+     */
+    async computeCredentialHash(credential) {
+        const canonicalized = await canonicalizeDocument(credential);
+        const hash = sha256(Buffer.from(canonicalized, 'utf8'));
+        return bytesToHex(hash);
+    }
+    /**
+     * Verify a credential chain by checking all previous credential links
+     *
+     * @param credentials - Array of credentials in chain order (oldest first)
+     * @returns Verification result with chain integrity status
+     */
+    async verifyCredentialChain(credentials) {
+        const errors = [];
+        if (credentials.length === 0) {
+            return { valid: true, errors: [], chainLength: 0 };
+        }
+        // Verify each credential individually
+        for (let i = 0; i < credentials.length; i++) {
+            const isValid = await this.verifyCredential(credentials[i]);
+            if (!isValid) {
+                errors.push(`Credential at index ${i} failed verification`);
+            }
+        }
+        // Verify chain links
+        for (let i = 1; i < credentials.length; i++) {
+            const current = credentials[i];
+            const previous = credentials[i - 1];
+            const previousCredRef = current.credentialSubject?.previousCredential;
+            if (previousCredRef) {
+                // Verify ID link
+                if (previousCredRef.id && previousCredRef.id !== previous.id) {
+                    errors.push(`Chain broken at index ${i}: previousCredential.id doesn't match`);
+                }
+                // Verify hash link
+                if (previousCredRef.hash) {
+                    const expectedHash = await this.computeCredentialHash(previous);
+                    if (previousCredRef.hash !== expectedHash) {
+                        errors.push(`Chain broken at index ${i}: previousCredential.hash doesn't match`);
+                    }
+                }
+            }
+        }
+        return {
+            valid: errors.length === 0,
+            errors,
+            chainLength: credentials.length
+        };
+    }
+    // ===== BBS+ Selective Disclosure =====
+    /**
+     * Prepare a credential for BBS+ selective disclosure
+     *
+     * This creates a base proof that can later be derived into a proof
+     * that selectively discloses only certain fields.
+     *
+     * Note: This requires BBS+ keys and is primarily used for privacy-preserving
+     * credential presentations.
+     *
+     * @param credential - The credential to prepare
+     * @param options - Selective disclosure options
+     * @returns The credential with BBS+ base proof metadata
+     */
+    async prepareSelectiveDisclosure(credential, options) {
+        // Validate mandatory pointers
+        if (!options.mandatoryPointers || options.mandatoryPointers.length === 0) {
+            throw new Error('At least one mandatory pointer is required for selective disclosure');
+        }
+        // Validate pointer format (JSON Pointers must start with /)
+        for (const pointer of options.mandatoryPointers) {
+            if (!pointer.startsWith('/')) {
+                throw new Error(`Invalid JSON Pointer: ${pointer} (must start with /)`);
+            }
+        }
+        const selectivePointers = options.selectivePointers || [];
+        for (const pointer of selectivePointers) {
+            if (!pointer.startsWith('/')) {
+                throw new Error(`Invalid JSON Pointer: ${pointer} (must start with /)`);
+            }
+        }
+        // Add selective disclosure metadata to credential
+        const enhancedCredential = {
+            ...credential,
+            // Store pointers in credential for later derivation
+            // In a full implementation, this would involve creating a BBS+ base proof
+        };
+        return {
+            credential: enhancedCredential,
+            mandatoryPointers: options.mandatoryPointers,
+            selectivePointers
+        };
+    }
+    /**
+     * Create a derived proof with selective disclosure
+     *
+     * Given a credential with a BBS+ base proof, creates a derived proof
+     * that only reveals the specified fields.
+     *
+     * @param credential - The credential with BBS+ base proof
+     * @param fieldsToDisclose - JSON Pointer paths to disclose
+     * @param presentationHeader - Optional presentation-specific data
+     * @returns The credential with derived proof
+     */
+    async deriveSelectiveProof(credential, fieldsToDisclose, presentationHeader) {
+        // Validate that all disclosed fields are valid JSON pointers
+        for (const field of fieldsToDisclose) {
+            if (!field.startsWith('/')) {
+                throw new Error(`Invalid JSON Pointer for disclosure: ${field}`);
+            }
+        }
+        // Determine which fields will be hidden
+        const allFields = this.extractFieldPaths(credential);
+        const disclosedSet = new Set(fieldsToDisclose);
+        const hiddenFields = allFields.filter(f => !disclosedSet.has(f));
+        // In a full implementation, this would:
+        // 1. Parse the base proof
+        // 2. Create selective indexes from fieldsToDisclose
+        // 3. Generate the derived BBS+ proof
+        // For now, we return a structure showing what would be disclosed
+        return {
+            credential: {
+                ...credential,
+                // A real implementation would have a derived proof here
+            },
+            disclosedFields: fieldsToDisclose,
+            hiddenFields
+        };
+    }
+    /**
+     * Extract all field paths from a credential as JSON Pointers
+     */
+    extractFieldPaths(obj, prefix = '') {
+        const paths = [];
+        if (typeof obj !== 'object' || obj === null) {
+            return paths;
+        }
+        for (const [key, value] of Object.entries(obj)) {
+            const path = `${prefix}/${key}`;
+            paths.push(path);
+            if (typeof value === 'object' && value !== null && !Array.isArray(value)) {
+                paths.push(...this.extractFieldPaths(value, path));
+            }
+        }
+        return paths;
+    }
+    /**
+     * Get field value from credential using JSON Pointer
+     *
+     * @param credential - The credential to read from
+     * @param pointer - JSON Pointer path (e.g., /credentialSubject/name)
+     * @returns The value at the pointer path, or undefined if not found
+     */
+    getFieldByPointer(credential, pointer) {
+        if (!pointer.startsWith('/')) {
+            throw new Error('JSON Pointer must start with /');
+        }
+        const parts = pointer.slice(1).split('/');
+        let current = credential;
+        for (const part of parts) {
+            if (current === null || current === undefined) {
+                return undefined;
+            }
+            // Handle escaped characters in JSON Pointer
+            const unescaped = part.replace(/~1/g, '/').replace(/~0/g, '~');
+            current = current[unescaped];
+        }
+        return current;
+    }
+}

package/dist/vc/Issuer.d.ts

@@ -0,0 +1,27 @@
+import { VerifiableCredential, VerifiablePresentation } from '../types';
+import { DIDManager } from '../did/DIDManager';
+export interface IssueOptions {
+    proofPurpose: 'assertionMethod' | 'authentication';
+    documentLoader?: (iri: string) => Promise<{
+        document: any;
+        documentUrl: string;
+        contextUrl: string | null;
+    }>;
+    challenge?: string;
+    domain?: string;
+}
+export type VerificationMethodLike = {
+    id: string;
+    controller: string;
+    publicKeyMultibase: string;
+    secretKeyMultibase?: string;
+    type?: 'Multikey' | string;
+};
+export declare class Issuer {
+    private didManager;
+    private verificationMethod;
+    constructor(didManager: DIDManager, verificationMethod: VerificationMethodLike);
+    private inferKeyType;
+    issueCredential(unsigned: Omit<VerifiableCredential, '@context' | 'proof'>, options: IssueOptions): Promise<VerifiableCredential>;
+    issuePresentation(presentation: Omit<VerifiablePresentation, '@context' | 'proof'>, options: IssueOptions): Promise<VerifiablePresentation>;
+}