@sd-jwt/core 0.3.0 → 2.0.4-next.58

package/dist/index.js

@@ -0,0 +1,606 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __defProps = Object.defineProperties;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropDescs = Object.getOwnPropertyDescriptors;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getOwnPropSymbols = Object.getOwnPropertySymbols;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __propIsEnum = Object.prototype.propertyIsEnumerable;
+var __reflectGet = Reflect.get;
+var __defNormalProp = (obj, key, value) => key in obj ? __defProp(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
+var __spreadValues = (a, b) => {
+  for (var prop in b || (b = {}))
+    if (__hasOwnProp.call(b, prop))
+      __defNormalProp(a, prop, b[prop]);
+  if (__getOwnPropSymbols)
+    for (var prop of __getOwnPropSymbols(b)) {
+      if (__propIsEnum.call(b, prop))
+        __defNormalProp(a, prop, b[prop]);
+    }
+  return a;
+};
+var __spreadProps = (a, b) => __defProps(a, __getOwnPropDescs(b));
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var __superGet = (cls, obj, key) => __reflectGet(__getProtoOf(cls), key, obj);
+var __async = (__this, __arguments, generator) => {
+  return new Promise((resolve, reject) => {
+    var fulfilled = (value) => {
+      try {
+        step(generator.next(value));
+      } catch (e) {
+        reject(e);
+      }
+    };
+    var rejected = (value) => {
+      try {
+        step(generator.throw(value));
+      } catch (e) {
+        reject(e);
+      }
+    };
+    var step = (x) => x.done ? resolve(x.value) : Promise.resolve(x.value).then(fulfilled, rejected);
+    step((generator = generator.apply(__this, __arguments)).next());
+  });
+};
+
+// src/index.ts
+var src_exports = {};
+__export(src_exports, {
+  Jwt: () => Jwt,
+  KBJwt: () => KBJwt,
+  SDJwt: () => SDJwt,
+  SDJwtInstance: () => SDJwtInstance,
+  createDecoy: () => createDecoy,
+  listKeys: () => listKeys,
+  pack: () => pack
+});
+module.exports = __toCommonJS(src_exports);
+var import_utils5 = require("@sd-jwt/utils");
+
+// src/jwt.ts
+var import_utils = require("@sd-jwt/utils");
+var import_decode = require("@sd-jwt/decode");
+var Jwt = class _Jwt {
+  constructor(data) {
+    this.header = data == null ? void 0 : data.header;
+    this.payload = data == null ? void 0 : data.payload;
+    this.signature = data == null ? void 0 : data.signature;
+  }
+  static decodeJWT(jwt) {
+    return (0, import_decode.decodeJwt)(jwt);
+  }
+  static fromEncode(encodedJwt) {
+    const { header, payload, signature } = _Jwt.decodeJWT(
+      encodedJwt
+    );
+    const jwt = new _Jwt({
+      header,
+      payload,
+      signature
+    });
+    return jwt;
+  }
+  setHeader(header) {
+    this.header = header;
+    return this;
+  }
+  setPayload(payload) {
+    this.payload = payload;
+    return this;
+  }
+  sign(signer) {
+    return __async(this, null, function* () {
+      if (!this.header || !this.payload) {
+        throw new import_utils.SDJWTException("Sign Error: Invalid JWT");
+      }
+      const header = (0, import_utils.Base64urlEncode)(JSON.stringify(this.header));
+      const payload = (0, import_utils.Base64urlEncode)(JSON.stringify(this.payload));
+      const data = `${header}.${payload}`;
+      this.signature = yield signer(data);
+      return this.encodeJwt();
+    });
+  }
+  encodeJwt() {
+    if (!this.header || !this.payload || !this.signature) {
+      throw new import_utils.SDJWTException("Serialize Error: Invalid JWT");
+    }
+    const header = (0, import_utils.Base64urlEncode)(JSON.stringify(this.header));
+    const payload = (0, import_utils.Base64urlEncode)(JSON.stringify(this.payload));
+    const signature = this.signature;
+    const compact = `${header}.${payload}.${signature}`;
+    return compact;
+  }
+  verify(verifier) {
+    return __async(this, null, function* () {
+      if (!this.header || !this.payload || !this.signature) {
+        throw new import_utils.SDJWTException("Verify Error: Invalid JWT");
+      }
+      const header = (0, import_utils.Base64urlEncode)(JSON.stringify(this.header));
+      const payload = (0, import_utils.Base64urlEncode)(JSON.stringify(this.payload));
+      const data = `${header}.${payload}`;
+      const verified = verifier(data, this.signature);
+      if (!verified) {
+        throw new import_utils.SDJWTException("Verify Error: Invalid JWT Signature");
+      }
+      return { payload: this.payload, header: this.header };
+    });
+  }
+};
+
+// src/kbjwt.ts
+var import_utils2 = require("@sd-jwt/utils");
+var KBJwt = class _KBJwt extends Jwt {
+  // Checking the validity of the key binding jwt
+  verify(verifier) {
+    return __async(this, null, function* () {
+      var _a, _b, _c, _d, _e, _f;
+      if (!((_a = this.header) == null ? void 0 : _a.alg) || !this.header.typ || !((_b = this.payload) == null ? void 0 : _b.iat) || !((_c = this.payload) == null ? void 0 : _c.aud) || !((_d = this.payload) == null ? void 0 : _d.nonce) || // this is for backward compatibility with version 06
+      !(((_e = this.payload) == null ? void 0 : _e.sd_hash) || ((_f = this.payload) == null ? void 0 : _f._sd_hash))) {
+        throw new import_utils2.SDJWTException("Invalid Key Binding Jwt");
+      }
+      return yield __superGet(_KBJwt.prototype, this, "verify").call(this, verifier);
+    });
+  }
+  // This function is for creating KBJwt object for verify properly
+  static fromKBEncode(encodedJwt) {
+    const { header, payload, signature } = Jwt.decodeJWT(
+      encodedJwt
+    );
+    const jwt = new _KBJwt({
+      header,
+      payload,
+      signature
+    });
+    return jwt;
+  }
+};
+
+// src/decoy.ts
+var import_utils3 = require("@sd-jwt/utils");
+var createDecoy = (hash, saltGenerator) => __async(void 0, null, function* () {
+  const { hasher, alg } = hash;
+  const salt = yield saltGenerator(16);
+  const decoy = yield hasher(salt, alg);
+  return (0, import_utils3.Uint8ArrayToBase64Url)(decoy);
+});
+
+// src/sdjwt.ts
+var import_utils4 = require("@sd-jwt/utils");
+var import_types = require("@sd-jwt/types");
+var import_decode2 = require("@sd-jwt/decode");
+var SDJwt = class _SDJwt {
+  constructor(data) {
+    this.jwt = data == null ? void 0 : data.jwt;
+    this.disclosures = data == null ? void 0 : data.disclosures;
+    this.kbJwt = data == null ? void 0 : data.kbJwt;
+  }
+  static decodeSDJwt(sdjwt, hasher) {
+    return __async(this, null, function* () {
+      const [encodedJwt, ...encodedDisclosures] = sdjwt.split(import_types.SD_SEPARATOR);
+      const jwt = Jwt.fromEncode(encodedJwt);
+      if (!jwt.payload) {
+        throw new Error("Payload is undefined on the JWT. Invalid state reached");
+      }
+      if (encodedDisclosures.length === 0) {
+        return {
+          jwt,
+          disclosures: []
+        };
+      }
+      const encodedKeyBindingJwt = encodedDisclosures.pop();
+      const kbJwt = encodedKeyBindingJwt ? KBJwt.fromKBEncode(encodedKeyBindingJwt) : void 0;
+      const { _sd_alg } = (0, import_decode2.getSDAlgAndPayload)(jwt.payload);
+      const disclosures = yield Promise.all(
+        encodedDisclosures.map(
+          (ed) => import_utils4.Disclosure.fromEncode(ed, { alg: _sd_alg, hasher })
+        )
+      );
+      return {
+        jwt,
+        disclosures,
+        kbJwt
+      };
+    });
+  }
+  static fromEncode(encodedSdJwt, hasher) {
+    return __async(this, null, function* () {
+      const { jwt, disclosures, kbJwt } = yield _SDJwt.decodeSDJwt(encodedSdJwt, hasher);
+      return new _SDJwt({
+        jwt,
+        disclosures,
+        kbJwt
+      });
+    });
+  }
+  present(keys, hasher) {
+    return __async(this, null, function* () {
+      var _a;
+      if (!((_a = this.jwt) == null ? void 0 : _a.payload) || !this.disclosures) {
+        throw new import_utils4.SDJWTException("Invalid sd-jwt: jwt or disclosures is missing");
+      }
+      const { _sd_alg: alg } = (0, import_decode2.getSDAlgAndPayload)(this.jwt.payload);
+      const hash = { alg, hasher };
+      const hashmap = yield (0, import_decode2.createHashMapping)(this.disclosures, hash);
+      const { disclosureKeymap } = yield (0, import_decode2.unpack)(
+        this.jwt.payload,
+        this.disclosures,
+        hasher
+      );
+      const presentableKeys = Object.keys(disclosureKeymap);
+      const missingKeys = keys.filter((k) => !presentableKeys.includes(k));
+      if (missingKeys.length > 0) {
+        throw new import_utils4.SDJWTException(
+          `Invalid sd-jwt: invalid present keys: ${missingKeys.join(", ")}`
+        );
+      }
+      const disclosures = keys.map((k) => hashmap[disclosureKeymap[k]]);
+      const presentSDJwt = new _SDJwt({
+        jwt: this.jwt,
+        disclosures,
+        kbJwt: this.kbJwt
+      });
+      return presentSDJwt.encodeSDJwt();
+    });
+  }
+  encodeSDJwt() {
+    const data = [];
+    if (!this.jwt) {
+      throw new import_utils4.SDJWTException("Invalid sd-jwt: jwt is missing");
+    }
+    const encodedJwt = this.jwt.encodeJwt();
+    data.push(encodedJwt);
+    if (this.disclosures && this.disclosures.length > 0) {
+      const encodeddisclosures = this.disclosures.map((dc) => dc.encode()).join(import_types.SD_SEPARATOR);
+      data.push(encodeddisclosures);
+    }
+    data.push(this.kbJwt ? this.kbJwt.encodeJwt() : "");
+    return data.join(import_types.SD_SEPARATOR);
+  }
+  keys(hasher) {
+    return __async(this, null, function* () {
+      return listKeys(yield this.getClaims(hasher)).sort();
+    });
+  }
+  presentableKeys(hasher) {
+    return __async(this, null, function* () {
+      var _a, _b;
+      if (!((_a = this.jwt) == null ? void 0 : _a.payload) || !this.disclosures) {
+        throw new import_utils4.SDJWTException("Invalid sd-jwt: jwt or disclosures is missing");
+      }
+      const { disclosureKeymap } = yield (0, import_decode2.unpack)(
+        (_b = this.jwt) == null ? void 0 : _b.payload,
+        this.disclosures,
+        hasher
+      );
+      return Object.keys(disclosureKeymap).sort();
+    });
+  }
+  getClaims(hasher) {
+    return __async(this, null, function* () {
+      var _a;
+      if (!((_a = this.jwt) == null ? void 0 : _a.payload) || !this.disclosures) {
+        throw new import_utils4.SDJWTException("Invalid sd-jwt: jwt or disclosures is missing");
+      }
+      const { unpackedObj } = yield (0, import_decode2.unpack)(
+        this.jwt.payload,
+        this.disclosures,
+        hasher
+      );
+      return unpackedObj;
+    });
+  }
+};
+var listKeys = (obj, prefix = "") => {
+  const keys = [];
+  for (const key in obj) {
+    if (obj[key] === void 0)
+      continue;
+    const newKey = prefix ? `${prefix}.${key}` : key;
+    keys.push(newKey);
+    if (obj[key] && typeof obj[key] === "object" && obj[key] !== null) {
+      keys.push(...listKeys(obj[key], newKey));
+    }
+  }
+  return keys;
+};
+var pack = (claims, disclosureFrame, hash, saltGenerator) => __async(void 0, null, function* () {
+  var _a, _b;
+  if (!disclosureFrame) {
+    return {
+      packedClaims: claims,
+      disclosures: []
+    };
+  }
+  const sd = (_a = disclosureFrame[import_types.SD_DIGEST]) != null ? _a : [];
+  const decoyCount = (_b = disclosureFrame[import_types.SD_DECOY]) != null ? _b : 0;
+  if (Array.isArray(claims)) {
+    const packedClaims2 = [];
+    const disclosures2 = [];
+    const recursivePackedClaims2 = {};
+    for (const key in disclosureFrame) {
+      if (key !== import_types.SD_DIGEST) {
+        const idx = parseInt(key);
+        const packed = yield pack(
+          claims[idx],
+          disclosureFrame[idx],
+          hash,
+          saltGenerator
+        );
+        recursivePackedClaims2[idx] = packed.packedClaims;
+        disclosures2.push(...packed.disclosures);
+      }
+    }
+    for (let i = 0; i < claims.length; i++) {
+      const claim = recursivePackedClaims2[i] ? recursivePackedClaims2[i] : claims[i];
+      if (sd.includes(i)) {
+        const salt = yield saltGenerator(16);
+        const disclosure = new import_utils4.Disclosure([salt, claim]);
+        const digest = yield disclosure.digest(hash);
+        packedClaims2.push({ [import_types.SD_LIST_KEY]: digest });
+        disclosures2.push(disclosure);
+      } else {
+        packedClaims2.push(claim);
+      }
+    }
+    for (let j = 0; j < decoyCount; j++) {
+      const decoyDigest = yield createDecoy(hash, saltGenerator);
+      packedClaims2.push({ [import_types.SD_LIST_KEY]: decoyDigest });
+    }
+    return { packedClaims: packedClaims2, disclosures: disclosures2 };
+  }
+  const packedClaims = {};
+  const disclosures = [];
+  const recursivePackedClaims = {};
+  for (const key in disclosureFrame) {
+    if (key !== import_types.SD_DIGEST) {
+      const packed = yield pack(
+        // @ts-ignore
+        claims[key],
+        disclosureFrame[key],
+        hash,
+        saltGenerator
+      );
+      recursivePackedClaims[key] = packed.packedClaims;
+      disclosures.push(...packed.disclosures);
+    }
+  }
+  const _sd = [];
+  for (const key in claims) {
+    const claim = recursivePackedClaims[key] ? recursivePackedClaims[key] : claims[key];
+    if (sd.includes(key)) {
+      const salt = yield saltGenerator(16);
+      const disclosure = new import_utils4.Disclosure([salt, key, claim]);
+      const digest = yield disclosure.digest(hash);
+      _sd.push(digest);
+      disclosures.push(disclosure);
+    } else {
+      packedClaims[key] = claim;
+    }
+  }
+  for (let j = 0; j < decoyCount; j++) {
+    const decoyDigest = yield createDecoy(hash, saltGenerator);
+    _sd.push(decoyDigest);
+  }
+  if (_sd.length > 0) {
+    packedClaims[import_types.SD_DIGEST] = _sd.sort();
+  }
+  return { packedClaims, disclosures };
+});
+
+// src/index.ts
+var import_types2 = require("@sd-jwt/types");
+var _SDJwtInstance = class _SDJwtInstance {
+  constructor(userConfig) {
+    this.userConfig = {};
+    if (userConfig) {
+      this.userConfig = userConfig;
+    }
+  }
+  createKBJwt(options) {
+    return __async(this, null, function* () {
+      if (!this.userConfig.kbSigner) {
+        throw new import_utils5.SDJWTException("Key Binding Signer not found");
+      }
+      if (!this.userConfig.kbSignAlg) {
+        throw new import_utils5.SDJWTException("Key Binding sign algorithm not specified");
+      }
+      const { payload } = options;
+      const kbJwt = new KBJwt({
+        header: {
+          typ: import_types2.KB_JWT_TYP,
+          alg: this.userConfig.kbSignAlg
+        },
+        payload
+      });
+      yield kbJwt.sign(this.userConfig.kbSigner);
+      return kbJwt;
+    });
+  }
+  SignJwt(jwt) {
+    return __async(this, null, function* () {
+      if (!this.userConfig.signer) {
+        throw new import_utils5.SDJWTException("Signer not found");
+      }
+      yield jwt.sign(this.userConfig.signer);
+      return jwt;
+    });
+  }
+  VerifyJwt(jwt) {
+    return __async(this, null, function* () {
+      if (!this.userConfig.verifier) {
+        throw new import_utils5.SDJWTException("Verifier not found");
+      }
+      return jwt.verify(this.userConfig.verifier);
+    });
+  }
+  issue(payload, disclosureFrame, options) {
+    return __async(this, null, function* () {
+      var _a, _b;
+      if (!this.userConfig.hasher) {
+        throw new import_utils5.SDJWTException("Hasher not found");
+      }
+      if (!this.userConfig.saltGenerator) {
+        throw new import_utils5.SDJWTException("SaltGenerator not found");
+      }
+      if (!this.userConfig.signAlg) {
+        throw new import_utils5.SDJWTException("sign alogrithm not specified");
+      }
+      const hasher = this.userConfig.hasher;
+      const hashAlg = (_a = this.userConfig.hashAlg) != null ? _a : _SDJwtInstance.DEFAULT_hashAlg;
+      const { packedClaims, disclosures } = yield pack(
+        payload,
+        disclosureFrame,
+        { hasher, alg: hashAlg },
+        this.userConfig.saltGenerator
+      );
+      const alg = this.userConfig.signAlg;
+      const OptionHeader = (_b = options == null ? void 0 : options.header) != null ? _b : {};
+      const CustomHeader = this.userConfig.omitTyp ? OptionHeader : __spreadValues({ typ: import_types2.SD_JWT_TYP }, OptionHeader);
+      const header = __spreadProps(__spreadValues({}, CustomHeader), { alg });
+      const jwt = new Jwt({
+        header,
+        payload: __spreadProps(__spreadValues({}, packedClaims), {
+          _sd_alg: hashAlg
+        })
+      });
+      yield this.SignJwt(jwt);
+      const sdJwt = new SDJwt({
+        jwt,
+        disclosures
+      });
+      return sdJwt.encodeSDJwt();
+    });
+  }
+  present(encodedSDJwt, presentationKeys, options) {
+    return __async(this, null, function* () {
+      if (!presentationKeys)
+        return encodedSDJwt;
+      if (!this.userConfig.hasher) {
+        throw new import_utils5.SDJWTException("Hasher not found");
+      }
+      const hasher = this.userConfig.hasher;
+      const sdjwt = yield SDJwt.fromEncode(encodedSDJwt, hasher);
+      const kbJwt = (options == null ? void 0 : options.kb) ? yield this.createKBJwt(options.kb) : void 0;
+      sdjwt.kbJwt = kbJwt;
+      return sdjwt.present(presentationKeys.sort(), hasher);
+    });
+  }
+  // This function is for verifying the SD JWT
+  // If requiredClaimKeys is provided, it will check if the required claim keys are presentation in the SD JWT
+  // If requireKeyBindings is true, it will check if the key binding JWT is presentation and verify it
+  verify(encodedSDJwt, requiredClaimKeys, requireKeyBindings) {
+    return __async(this, null, function* () {
+      if (!this.userConfig.hasher) {
+        throw new import_utils5.SDJWTException("Hasher not found");
+      }
+      const hasher = this.userConfig.hasher;
+      const sdjwt = yield SDJwt.fromEncode(encodedSDJwt, hasher);
+      if (!sdjwt.jwt) {
+        throw new import_utils5.SDJWTException("Invalid SD JWT");
+      }
+      const { payload, header } = yield this.validate(encodedSDJwt);
+      if (requiredClaimKeys) {
+        const keys = yield sdjwt.keys(hasher);
+        const missingKeys = requiredClaimKeys.filter((k) => !keys.includes(k));
+        if (missingKeys.length > 0) {
+          throw new import_utils5.SDJWTException(
+            `Missing required claim keys: ${missingKeys.join(", ")}`
+          );
+        }
+      }
+      if (!requireKeyBindings) {
+        return { payload, header };
+      }
+      if (!sdjwt.kbJwt) {
+        throw new import_utils5.SDJWTException("Key Binding JWT not exist");
+      }
+      if (!this.userConfig.kbVerifier) {
+        throw new import_utils5.SDJWTException("Key Binding Verifier not found");
+      }
+      const kb = yield sdjwt.kbJwt.verify(this.userConfig.kbVerifier);
+      return { payload, header, kb };
+    });
+  }
+  // This function is for validating the SD JWT
+  // Just checking signature and return its the claims
+  validate(encodedSDJwt) {
+    return __async(this, null, function* () {
+      if (!this.userConfig.hasher) {
+        throw new import_utils5.SDJWTException("Hasher not found");
+      }
+      const hasher = this.userConfig.hasher;
+      const sdjwt = yield SDJwt.fromEncode(encodedSDJwt, hasher);
+      if (!sdjwt.jwt) {
+        throw new import_utils5.SDJWTException("Invalid SD JWT");
+      }
+      const verifiedPayloads = yield this.VerifyJwt(sdjwt.jwt);
+      const claims = yield sdjwt.getClaims(hasher);
+      return { payload: claims, header: verifiedPayloads.header };
+    });
+  }
+  config(newConfig) {
+    this.userConfig = __spreadValues(__spreadValues({}, this.userConfig), newConfig);
+  }
+  encode(sdJwt) {
+    return sdJwt.encodeSDJwt();
+  }
+  decode(endcodedSDJwt) {
+    if (!this.userConfig.hasher) {
+      throw new import_utils5.SDJWTException("Hasher not found");
+    }
+    return SDJwt.fromEncode(endcodedSDJwt, this.userConfig.hasher);
+  }
+  keys(endcodedSDJwt) {
+    return __async(this, null, function* () {
+      if (!this.userConfig.hasher) {
+        throw new import_utils5.SDJWTException("Hasher not found");
+      }
+      const sdjwt = yield SDJwt.fromEncode(endcodedSDJwt, this.userConfig.hasher);
+      return sdjwt.keys(this.userConfig.hasher);
+    });
+  }
+  presentableKeys(endcodedSDJwt) {
+    return __async(this, null, function* () {
+      if (!this.userConfig.hasher) {
+        throw new import_utils5.SDJWTException("Hasher not found");
+      }
+      const sdjwt = yield SDJwt.fromEncode(endcodedSDJwt, this.userConfig.hasher);
+      return sdjwt.presentableKeys(this.userConfig.hasher);
+    });
+  }
+  getClaims(endcodedSDJwt) {
+    return __async(this, null, function* () {
+      if (!this.userConfig.hasher) {
+        throw new import_utils5.SDJWTException("Hasher not found");
+      }
+      const sdjwt = yield SDJwt.fromEncode(endcodedSDJwt, this.userConfig.hasher);
+      return sdjwt.getClaims(this.userConfig.hasher);
+    });
+  }
+};
+_SDJwtInstance.DEFAULT_hashAlg = "sha-256";
+var SDJwtInstance = _SDJwtInstance;
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  Jwt,
+  KBJwt,
+  SDJwt,
+  SDJwtInstance,
+  createDecoy,
+  listKeys,
+  pack
+});