@sd-jwt/sd-jwt-vc 0.17.2-next.1 → 0.17.2-next.11

package/dist/index.mjs

@@ -1,5 +1,21 @@
+var __defProp = Object.defineProperty;
+var __getOwnPropSymbols = Object.getOwnPropertySymbols;
 var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __propIsEnum = Object.prototype.propertyIsEnumerable;
 var __reflectGet = Reflect.get;
+var __defNormalProp = (obj, key, value) => key in obj ? __defProp(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
+var __spreadValues = (a, b) => {
+  for (var prop in b || (b = {}))
+    if (__hasOwnProp.call(b, prop))
+      __defNormalProp(a, prop, b[prop]);
+  if (__getOwnPropSymbols)
+    for (var prop of __getOwnPropSymbols(b)) {
+      if (__propIsEnum.call(b, prop))
+        __defNormalProp(a, prop, b[prop]);
+    }
+  return a;
+};
 var __superGet = (cls, obj, key) => __reflectGet(__getProtoOf(cls), key, obj);
 var __async = (__this, __arguments, generator) => {
   return new Promise((resolve, reject) => {
@@ -28,7 +44,110 @@ import {
   getListFromStatusListJWT,
   SLException
 } from "@sd-jwt/jwt-status-list";
-import { base64urlDecode, SDJWTException } from "@sd-jwt/utils";
+import { SDJWTException } from "@sd-jwt/utils";
+import z2 from "zod";
+
+// src/sd-jwt-vc-type-metadata-format.ts
+import { z } from "zod";
+var LogoSchema = z.object({
+  /** REQUIRED. A URI pointing to the logo image. */
+  uri: z.string(),
+  /** OPTIONAL. An "integrity metadata" string as described in Section 7. */
+  "uri#integrity": z.string().optional(),
+  /** OPTIONAL. A string containing alternative text for the logo image. */
+  alt_text: z.string().optional()
+});
+var SimpleRenderingSchema = z.object({
+  /** OPTIONAL. Logo metadata to display for the credential. */
+  logo: LogoSchema.optional(),
+  /** OPTIONAL. RGB color value for the credential background (e.g., "#FFFFFF"). */
+  background_color: z.string().optional(),
+  /** OPTIONAL. RGB color value for the credential text (e.g., "#000000"). */
+  text_color: z.string().optional()
+});
+var OrientationSchema = z.enum(["portrait", "landscape"]);
+var ColorSchemeSchema = z.enum(["light", "dark"]);
+var ContrastSchema = z.enum(["normal", "high"]);
+var SvgTemplatePropertiesSchema = z.object({
+  /** OPTIONAL. Orientation optimized for the template. */
+  orientation: OrientationSchema.optional(),
+  /** OPTIONAL. Color scheme optimized for the template. */
+  color_scheme: ColorSchemeSchema.optional(),
+  /** OPTIONAL. Contrast level optimized for the template. */
+  contrast: ContrastSchema.optional()
+});
+var SvgTemplateRenderingSchema = z.object({
+  /** REQUIRED. A URI pointing to the SVG template. */
+  uri: z.string(),
+  /** OPTIONAL. An "integrity metadata" string as described in Section 7. */
+  "uri#integrity": z.string().optional(),
+  /** REQUIRED if more than one SVG template is present. */
+  properties: SvgTemplatePropertiesSchema.optional()
+});
+var RenderingSchema = z.object({
+  /** OPTIONAL. Simple rendering metadata. */
+  simple: SimpleRenderingSchema.optional(),
+  /** OPTIONAL. Array of SVG template rendering objects. */
+  svg_template: z.array(SvgTemplateRenderingSchema).optional()
+});
+var DisplaySchema = z.object({
+  /** REQUIRED. Language tag according to RFC 5646 (e.g., "en", "de"). */
+  lang: z.string(),
+  /** REQUIRED. Human-readable name for the credential type. */
+  name: z.string(),
+  /** OPTIONAL. Description of the credential type for end users. */
+  description: z.string().optional(),
+  /** OPTIONAL. Rendering information (simple or SVG) for the credential. */
+  rendering: RenderingSchema.optional()
+});
+var ClaimPathSchema = z.array(z.string().nullable());
+var ClaimDisplaySchema = z.object({
+  /** REQUIRED. Language tag according to RFC 5646. */
+  lang: z.string(),
+  /** REQUIRED. Human-readable label for the claim. */
+  label: z.string(),
+  /** OPTIONAL. Description of the claim for end users. */
+  description: z.string().optional()
+});
+var ClaimSelectiveDisclosureSchema = z.enum([
+  "always",
+  "allowed",
+  "never"
+]);
+var ClaimSchema = z.object({
+  /**
+   * REQUIRED. Array of one or more paths to the claim in the credential subject.
+   * Each path is an array of strings (or null for array elements).
+   */
+  path: ClaimPathSchema,
+  /** OPTIONAL. Display metadata in multiple languages. */
+  display: z.array(ClaimDisplaySchema).optional(),
+  /** OPTIONAL. Controls whether the claim must, may, or must not be selectively disclosed. */
+  sd: ClaimSelectiveDisclosureSchema.optional(),
+  /**
+   * OPTIONAL. Unique string identifier for referencing the claim in an SVG template.
+   * Must consist of alphanumeric characters or underscores and must not start with a digit.
+   */
+  svg_id: z.string().optional()
+});
+var TypeMetadataFormatSchema = z.object({
+  /** REQUIRED. A URI uniquely identifying the credential type. */
+  vct: z.string(),
+  /** OPTIONAL. Human-readable name for developers. */
+  name: z.string().optional(),
+  /** OPTIONAL. Human-readable description for developers. */
+  description: z.string().optional(),
+  /** OPTIONAL. URI of another type that this one extends. */
+  extends: z.string().optional(),
+  /** OPTIONAL. Integrity metadata for the 'extends' field. */
+  "extends#integrity": z.string().optional(),
+  /** OPTIONAL. Array of localized display metadata for the type. */
+  display: z.array(DisplaySchema).optional(),
+  /** OPTIONAL. Array of claim metadata. */
+  claims: z.array(ClaimSchema).optional()
+});
+
+// src/sd-jwt-vc-instance.ts
 var SDJwtVcInstance = class _SDJwtVcInstance extends SDJwtInstance {
   constructor(userConfig) {
     super(userConfig);
@@ -109,13 +228,17 @@ var SDJwtVcInstance = class _SDJwtVcInstance extends SDJwtInstance {
       });
       yield this.verifyStatus(result, options);
       if (this.userConfig.loadTypeMetadataFormat) {
-        yield this.verifyVct(result);
+        const resolvedTypeMetadata = yield this.fetchVct(result);
+        result.typeMetadata = resolvedTypeMetadata;
       }
       return result;
     });
   }
   /**
    * Gets VCT Metadata of the raw SD-JWT-VC. Returns the type metadata format. If the SD-JWT-VC is invalid or does not contain a vct claim, an error is thrown.
+   *
+   * It may return `undefined` if the fetcher returned an undefined value (instead of throwing an error).
+   *
    * @param encodedSDJwt
    * @returns
    */
@@ -140,20 +263,19 @@ var SDJwtVcInstance = class _SDJwtVcInstance extends SDJwtInstance {
    */
   validateIntegrity(response, url, integrity) {
     return __async(this, null, function* () {
-      if (integrity) {
-        const arrayBuffer = yield response.arrayBuffer();
-        const alg = integrity.split("-")[0];
-        const hashBuffer = yield this.userConfig.hasher(
-          arrayBuffer,
-          alg
+      if (!integrity) return;
+      const arrayBuffer = yield response.arrayBuffer();
+      const alg = integrity.split("-")[0];
+      const hashBuffer = yield this.userConfig.hasher(
+        arrayBuffer,
+        alg
+      );
+      const integrityHash = integrity.split("-")[1];
+      const hash = Array.from(new Uint8Array(hashBuffer)).map((byte) => byte.toString(16).padStart(2, "0")).join("");
+      if (hash !== integrityHash) {
+        throw new Error(
+          `Integrity check for ${url} failed: is ${hash}, but expected ${integrityHash}`
         );
-        const integrityHash = integrity.split("-")[1];
-        const hash = Array.from(new Uint8Array(hashBuffer)).map((byte) => byte.toString(16).padStart(2, "0")).join("");
-        if (hash !== integrityHash) {
-          throw new Error(
-            `Integrity check for ${url} failed: is ${hash}, but expected ${integrityHash}`
-          );
-        }
       }
     });
   }
@@ -162,7 +284,7 @@ var SDJwtVcInstance = class _SDJwtVcInstance extends SDJwtInstance {
    * @param url
    * @returns
    */
-  fetch(url, integrity) {
+  fetchWithIntegrity(url, integrity) {
     return __async(this, null, function* () {
       var _a;
       try {
@@ -176,7 +298,8 @@ var SDJwtVcInstance = class _SDJwtVcInstance extends SDJwtInstance {
           );
         }
         yield this.validateIntegrity(response.clone(), url, integrity);
-        return response.json();
+        const data = yield response.json();
+        return data;
       } catch (error) {
         if (error.name === "TimeoutError") {
           throw new Error(`Request to ${url} timed out`);
@@ -187,59 +310,190 @@ var SDJwtVcInstance = class _SDJwtVcInstance extends SDJwtInstance {
   }
   /**
    * Verifies the VCT of the SD-JWT-VC. Returns the type metadata format.
+   * Resolves the full extends chain according to spec sections 6.4, 8.2, and 9.5.
    * @param result
    * @returns
    */
-  verifyVct(result) {
+  fetchVct(result) {
     return __async(this, null, function* () {
-      const typeMetadataFormat = yield this.fetchVct(result);
-      if (typeMetadataFormat.extends) {
+      const typeMetadataFormat = yield this.fetchSingleVct(
+        result.payload.vct,
+        result.payload["vct#integrity"]
+      );
+      if (!typeMetadataFormat) return void 0;
+      if (!typeMetadataFormat.extends) {
+        return {
+          mergedTypeMetadata: typeMetadataFormat,
+          typeMetadataChain: [typeMetadataFormat],
+          vctValues: [typeMetadataFormat.vct]
+        };
       }
-      return typeMetadataFormat;
+      return this.resolveVctExtendsChain(typeMetadataFormat);
     });
   }
   /**
-   * Fetches VCT Metadata of the SD-JWT-VC. Returns the type metadata format. If the SD-JWT-VC does not contain a vct claim, an error is thrown.
-   * @param result
-   * @returns
+   * Checks if two claim paths are equal by comparing each element.
+   * @param path1 First claim path
+   * @param path2 Second claim path
+   * @returns True if paths are equal, false otherwise
    */
-  fetchVct(result) {
-    return __async(this, null, function* () {
-      var _a, _b;
-      if (!result.payload.vct) {
-        throw new SDJWTException("vct claim is required");
+  claimPathsEqual(path1, path2) {
+    if (path1.length !== path2.length) return false;
+    return path1.every((element, index) => element === path2[index]);
+  }
+  /**
+   * Validates that extending claim metadata respects the constraints from spec section 9.5.1.
+   * @param baseClaim The base claim metadata
+   * @param extendingClaim The extending claim metadata
+   * @throws SDJWTException if validation fails
+   */
+  validateClaimExtension(baseClaim, extendingClaim) {
+    if (baseClaim.sd && extendingClaim.sd) {
+      if ((baseClaim.sd === "always" || baseClaim.sd === "never") && baseClaim.sd !== extendingClaim.sd) {
+        const pathStr = JSON.stringify(extendingClaim.path);
+        throw new SDJWTException(
+          `Cannot change 'sd' property from '${baseClaim.sd}' to '${extendingClaim.sd}' for claim at path ${pathStr}`
+        );
       }
-      if ((_a = result.header) == null ? void 0 : _a.vctm) {
-        return this.fetchVctFromHeader(result.payload.vct, result);
+    }
+  }
+  /**
+   * Merges two type metadata formats, with the extending metadata overriding the base metadata.
+   * According to spec section 9.5:
+   * - All claim metadata from the extended type are inherited
+   * - The child type can add new claims or properties
+   * - If the child type defines claim metadata with the same path as the extended type,
+   *   the child type's object will override the corresponding object from the extended type
+   * According to spec section 9.5.1:
+   * - sd property can only be changed from 'allowed' (or omitted) to 'always' or 'never'
+   * - sd property cannot be changed from 'always' or 'never' to a different value
+   * According to spec section 8.2:
+   * - If the extending type defines its own display property, the original display metadata is ignored
+   * Note: The spec also mentions 'mandatory' property constraints, but this is not currently
+   * defined in the Claim type and will be validated when that property is added to the type.
+   * @param base The base type metadata format
+   * @param extending The extending type metadata format
+   * @returns The merged type metadata format
+   */
+  mergeTypeMetadata(base, extending) {
+    var _a, _b;
+    const merged = __spreadValues({}, extending);
+    if (base.claims || extending.claims) {
+      const baseClaims = (_a = base.claims) != null ? _a : [];
+      const extendingClaims = (_b = extending.claims) != null ? _b : [];
+      for (const extendingClaim of extendingClaims) {
+        const matchingBaseClaim = baseClaims.find(
+          (baseClaim) => this.claimPathsEqual(baseClaim.path, extendingClaim.path)
+        );
+        if (matchingBaseClaim) {
+          this.validateClaimExtension(matchingBaseClaim, extendingClaim);
+        }
+      }
+      const mergedClaims = [];
+      const extendedClaimsWithoutBase = [...extendingClaims];
+      for (const baseClaim of baseClaims) {
+        const extendingClaimIndex = extendedClaimsWithoutBase.findIndex(
+          (extendingClaim2) => this.claimPathsEqual(baseClaim.path, extendingClaim2.path)
+        );
+        const extendingClaim = extendingClaimIndex !== -1 ? extendedClaimsWithoutBase[extendingClaimIndex] : void 0;
+        if (extendingClaim) {
+          extendedClaimsWithoutBase.splice(extendingClaimIndex, 1);
+        }
+        mergedClaims.push(extendingClaim != null ? extendingClaim : baseClaim);
+      }
+      mergedClaims.push(...extendedClaimsWithoutBase);
+      merged.claims = mergedClaims;
+    }
+    if (!extending.display && base.display) {
+      merged.display = base.display;
+    }
+    return merged;
+  }
+  /**
+   * Resolves the full VCT chain by recursively fetching extended type metadata.
+   * Implements security considerations from spec section 10.3 for circular dependencies.
+   * @param vct The VCT URI to resolve
+   * @param integrity Optional integrity metadata for the VCT
+   * @param depth Current depth in the chain
+   * @param visitedVcts Set of already visited VCT URIs to detect circular dependencies
+   * @returns The fully resolved and merged type metadata format
+   */
+  resolveVctExtendsChain(_0) {
+    return __async(this, arguments, function* (parentTypeMetadata, depth = 1, visitedVcts = new Set(parentTypeMetadata.vct)) {
+      var _a;
+      const maxDepth = (_a = this.userConfig.maxVctExtendsDepth) != null ? _a : 5;
+      if (maxDepth !== -1 && depth > maxDepth) {
+        throw new SDJWTException(
+          `Maximum VCT extends depth of ${maxDepth} exceeded`
+        );
+      }
+      if (!parentTypeMetadata.extends) {
+        throw new SDJWTException(
+          `Type metadata for vct '${parentTypeMetadata.vct}' has no 'extends' field. Unable to resolve extended type metadata document.`
+        );
       }
-      const fetcher = (_b = this.userConfig.vctFetcher) != null ? _b : ((uri, integrity) => this.fetch(uri, integrity));
-      return fetcher(result.payload.vct, result.payload["vct#Integrity"]);
+      if (visitedVcts.has(parentTypeMetadata.extends)) {
+        throw new SDJWTException(
+          `Circular dependency detected in VCT extends chain: ${parentTypeMetadata.extends}`
+        );
+      }
+      visitedVcts.add(parentTypeMetadata.extends);
+      const extendedTypeMetadata = yield this.fetchSingleVct(
+        parentTypeMetadata.extends,
+        parentTypeMetadata["extends#integrity"]
+      );
+      if (!extendedTypeMetadata) {
+        throw new SDJWTException(
+          `Resolving VCT extends value '${parentTypeMetadata.extends}' resulted in an undefined result.`
+        );
+      }
+      let resolvedTypeMetadata;
+      if (extendedTypeMetadata.extends) {
+        resolvedTypeMetadata = yield this.resolveVctExtendsChain(
+          extendedTypeMetadata,
+          depth + 1,
+          visitedVcts
+        );
+      } else {
+        resolvedTypeMetadata = {
+          mergedTypeMetadata: extendedTypeMetadata,
+          typeMetadataChain: [extendedTypeMetadata],
+          vctValues: [extendedTypeMetadata.vct]
+        };
+      }
+      const mergedTypeMetadata = this.mergeTypeMetadata(
+        resolvedTypeMetadata.mergedTypeMetadata,
+        parentTypeMetadata
+      );
+      return {
+        mergedTypeMetadata,
+        typeMetadataChain: [
+          parentTypeMetadata,
+          ...resolvedTypeMetadata.typeMetadataChain
+        ],
+        vctValues: [parentTypeMetadata.vct, ...resolvedTypeMetadata.vctValues]
+      };
     });
   }
   /**
-   * Fetches VCT Metadata from the header of the SD-JWT-VC. Returns the type metadata format. If the SD-JWT-VC does not contain a vct claim, an error is thrown.
+   * Fetches and verifies the VCT Metadata for a VCT value.
    * @param result
-   * @param
+   * @returns
    */
-  fetchVctFromHeader(vct, result) {
+  fetchSingleVct(vct, integrity) {
     return __async(this, null, function* () {
       var _a;
-      const vctmHeader = (_a = result.header) == null ? void 0 : _a.vctm;
-      if (!vctmHeader || !Array.isArray(vctmHeader)) {
-        throw new Error("vctm claim in SD JWT header is invalid");
-      }
-      const typeMetadataFormat = vctmHeader.map((vctm) => {
-        if (!(typeof vctm === "string")) {
-          throw new Error("vctm claim in SD JWT header is invalid");
-        }
-        return JSON.parse(base64urlDecode(vctm));
-      }).find((typeMetadataFormat2) => {
-        return typeMetadataFormat2.vct === vct;
-      });
-      if (!typeMetadataFormat) {
-        throw new Error("could not find VCT Metadata in JWT header");
+      const fetcher = (_a = this.userConfig.vctFetcher) != null ? _a : ((uri, integrity2) => this.fetchWithIntegrity(uri, integrity2));
+      const data = yield fetcher(vct, integrity);
+      if (!data) return void 0;
+      const validated = TypeMetadataFormatSchema.safeParse(data);
+      if (!validated.success) {
+        throw new SDJWTException(
+          `Invalid VCT type metadata for vct '${vct}':
+${z2.prettifyError(validated.error)}`
+        );
       }
-      return typeMetadataFormat;
+      return validated.data;
     });
   }
   /**
@@ -278,5 +532,19 @@ var SDJwtVcInstance = class _SDJwtVcInstance extends SDJwtInstance {
   }
 };
 export {
-  SDJwtVcInstance
+  ClaimDisplaySchema,
+  ClaimPathSchema,
+  ClaimSchema,
+  ClaimSelectiveDisclosureSchema,
+  ColorSchemeSchema,
+  ContrastSchema,
+  DisplaySchema,
+  LogoSchema,
+  OrientationSchema,
+  RenderingSchema,
+  SDJwtVcInstance,
+  SimpleRenderingSchema,
+  SvgTemplatePropertiesSchema,
+  SvgTemplateRenderingSchema,
+  TypeMetadataFormatSchema
 };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sd-jwt/sd-jwt-vc",
-  "version": "0.17.2-next.1+9e8110d",
+  "version": "0.17.2-next.11+7e161c4",
   "description": "sd-jwt draft 7 implementation in typescript",
   "main": "dist/index.js",
   "module": "dist/index.mjs",
@@ -38,13 +38,14 @@
   },
   "license": "Apache-2.0",
   "dependencies": {
-    "@sd-jwt/core": "0.17.2-next.1+9e8110d",
-    "@sd-jwt/jwt-status-list": "0.17.2-next.1+9e8110d",
-    "@sd-jwt/utils": "0.17.2-next.1+9e8110d"
+    "@sd-jwt/core": "0.17.2-next.11+7e161c4",
+    "@sd-jwt/jwt-status-list": "0.17.2-next.11+7e161c4",
+    "@sd-jwt/utils": "0.17.2-next.11+7e161c4",
+    "zod": "^4.3.5"
   },
   "devDependencies": {
-    "@sd-jwt/crypto-nodejs": "0.17.2-next.1+9e8110d",
-    "@sd-jwt/types": "0.17.2-next.1+9e8110d",
+    "@sd-jwt/crypto-nodejs": "0.17.2-next.11+7e161c4",
+    "@sd-jwt/types": "0.17.2-next.11+7e161c4",
     "jose": "^6.1.2",
     "msw": "^2.12.3"
   },
@@ -64,5 +65,5 @@
       "esm"
     ]
   },
-  "gitHead": "9e8110d18a7af714d9eb4aa2c3bd66ce56bf18d9"
+  "gitHead": "7e161c400a72bd465e82fcbbb23d3eaf332585ac"
 }

package/src/sd-jwt-vc-config.ts

@@ -20,4 +20,6 @@ export type SDJWTVCConfig = SDJWTConfig & {
   loadTypeMetadataFormat?: boolean;
   // timeout value in milliseconds when to abort the fetch request. If not provided, it will default to 10000.
   timeout?: number;
+  // maximum depth of extends chain to resolve. If not provided, it will default to 5. Set to -1 to not limit the vct extends depth.
+  maxVctExtendsDepth?: number;
 };