@sd-jwt/sd-jwt-vc 0.17.2-next.3 → 0.17.2-next.7

package/dist/index.js

@@ -1,10 +1,25 @@
 "use strict";
+var __create = Object.create;
 var __defProp = Object.defineProperty;
 var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
 var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getOwnPropSymbols = Object.getOwnPropertySymbols;
 var __getProtoOf = Object.getPrototypeOf;
 var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __propIsEnum = Object.prototype.propertyIsEnumerable;
 var __reflectGet = Reflect.get;
+var __defNormalProp = (obj, key, value) => key in obj ? __defProp(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
+var __spreadValues = (a, b) => {
+  for (var prop in b || (b = {}))
+    if (__hasOwnProp.call(b, prop))
+      __defNormalProp(a, prop, b[prop]);
+  if (__getOwnPropSymbols)
+    for (var prop of __getOwnPropSymbols(b)) {
+      if (__propIsEnum.call(b, prop))
+        __defNormalProp(a, prop, b[prop]);
+    }
+  return a;
+};
 var __export = (target, all) => {
   for (var name in all)
     __defProp(target, name, { get: all[name], enumerable: true });
@@ -17,6 +32,14 @@ var __copyProps = (to, from, except, desc) => {
   }
   return to;
 };
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
 var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
 var __superGet = (cls, obj, key) => __reflectGet(__getProtoOf(cls), key, obj);
 var __async = (__this, __arguments, generator) => {
@@ -43,7 +66,21 @@ var __async = (__this, __arguments, generator) => {
 // src/index.ts
 var index_exports = {};
 __export(index_exports, {
-  SDJwtVcInstance: () => SDJwtVcInstance
+  ClaimDisplaySchema: () => ClaimDisplaySchema,
+  ClaimPathSchema: () => ClaimPathSchema,
+  ClaimSchema: () => ClaimSchema,
+  ClaimSelectiveDisclosureSchema: () => ClaimSelectiveDisclosureSchema,
+  ColorSchemeSchema: () => ColorSchemeSchema,
+  ContrastSchema: () => ContrastSchema,
+  DisplaySchema: () => DisplaySchema,
+  LogoSchema: () => LogoSchema,
+  OrientationSchema: () => OrientationSchema,
+  RenderingSchema: () => RenderingSchema,
+  SDJwtVcInstance: () => SDJwtVcInstance,
+  SimpleRenderingSchema: () => SimpleRenderingSchema,
+  SvgTemplatePropertiesSchema: () => SvgTemplatePropertiesSchema,
+  SvgTemplateRenderingSchema: () => SvgTemplateRenderingSchema,
+  TypeMetadataFormatSchema: () => TypeMetadataFormatSchema
 });
 module.exports = __toCommonJS(index_exports);
 
@@ -51,6 +88,109 @@ module.exports = __toCommonJS(index_exports);
 var import_core = require("@sd-jwt/core");
 var import_jwt_status_list = require("@sd-jwt/jwt-status-list");
 var import_utils = require("@sd-jwt/utils");
+var import_zod2 = __toESM(require("zod"));
+
+// src/sd-jwt-vc-type-metadata-format.ts
+var import_zod = require("zod");
+var LogoSchema = import_zod.z.object({
+  /** REQUIRED. A URI pointing to the logo image. */
+  uri: import_zod.z.string(),
+  /** OPTIONAL. An "integrity metadata" string as described in Section 7. */
+  "uri#integrity": import_zod.z.string().optional(),
+  /** OPTIONAL. A string containing alternative text for the logo image. */
+  alt_text: import_zod.z.string().optional()
+});
+var SimpleRenderingSchema = import_zod.z.object({
+  /** OPTIONAL. Logo metadata to display for the credential. */
+  logo: LogoSchema.optional(),
+  /** OPTIONAL. RGB color value for the credential background (e.g., "#FFFFFF"). */
+  background_color: import_zod.z.string().optional(),
+  /** OPTIONAL. RGB color value for the credential text (e.g., "#000000"). */
+  text_color: import_zod.z.string().optional()
+});
+var OrientationSchema = import_zod.z.enum(["portrait", "landscape"]);
+var ColorSchemeSchema = import_zod.z.enum(["light", "dark"]);
+var ContrastSchema = import_zod.z.enum(["normal", "high"]);
+var SvgTemplatePropertiesSchema = import_zod.z.object({
+  /** OPTIONAL. Orientation optimized for the template. */
+  orientation: OrientationSchema.optional(),
+  /** OPTIONAL. Color scheme optimized for the template. */
+  color_scheme: ColorSchemeSchema.optional(),
+  /** OPTIONAL. Contrast level optimized for the template. */
+  contrast: ContrastSchema.optional()
+});
+var SvgTemplateRenderingSchema = import_zod.z.object({
+  /** REQUIRED. A URI pointing to the SVG template. */
+  uri: import_zod.z.string(),
+  /** OPTIONAL. An "integrity metadata" string as described in Section 7. */
+  "uri#integrity": import_zod.z.string().optional(),
+  /** REQUIRED if more than one SVG template is present. */
+  properties: SvgTemplatePropertiesSchema.optional()
+});
+var RenderingSchema = import_zod.z.object({
+  /** OPTIONAL. Simple rendering metadata. */
+  simple: SimpleRenderingSchema.optional(),
+  /** OPTIONAL. Array of SVG template rendering objects. */
+  svg_template: import_zod.z.array(SvgTemplateRenderingSchema).optional()
+});
+var DisplaySchema = import_zod.z.object({
+  /** REQUIRED. Language tag according to RFC 5646 (e.g., "en", "de"). */
+  lang: import_zod.z.string(),
+  /** REQUIRED. Human-readable name for the credential type. */
+  name: import_zod.z.string(),
+  /** OPTIONAL. Description of the credential type for end users. */
+  description: import_zod.z.string().optional(),
+  /** OPTIONAL. Rendering information (simple or SVG) for the credential. */
+  rendering: RenderingSchema.optional()
+});
+var ClaimPathSchema = import_zod.z.array(import_zod.z.string().nullable());
+var ClaimDisplaySchema = import_zod.z.object({
+  /** REQUIRED. Language tag according to RFC 5646. */
+  lang: import_zod.z.string(),
+  /** REQUIRED. Human-readable label for the claim. */
+  label: import_zod.z.string(),
+  /** OPTIONAL. Description of the claim for end users. */
+  description: import_zod.z.string().optional()
+});
+var ClaimSelectiveDisclosureSchema = import_zod.z.enum([
+  "always",
+  "allowed",
+  "never"
+]);
+var ClaimSchema = import_zod.z.object({
+  /**
+   * REQUIRED. Array of one or more paths to the claim in the credential subject.
+   * Each path is an array of strings (or null for array elements).
+   */
+  path: ClaimPathSchema,
+  /** OPTIONAL. Display metadata in multiple languages. */
+  display: import_zod.z.array(ClaimDisplaySchema).optional(),
+  /** OPTIONAL. Controls whether the claim must, may, or must not be selectively disclosed. */
+  sd: ClaimSelectiveDisclosureSchema.optional(),
+  /**
+   * OPTIONAL. Unique string identifier for referencing the claim in an SVG template.
+   * Must consist of alphanumeric characters or underscores and must not start with a digit.
+   */
+  svg_id: import_zod.z.string().optional()
+});
+var TypeMetadataFormatSchema = import_zod.z.object({
+  /** REQUIRED. A URI uniquely identifying the credential type. */
+  vct: import_zod.z.string(),
+  /** OPTIONAL. Human-readable name for developers. */
+  name: import_zod.z.string().optional(),
+  /** OPTIONAL. Human-readable description for developers. */
+  description: import_zod.z.string().optional(),
+  /** OPTIONAL. URI of another type that this one extends. */
+  extends: import_zod.z.string().optional(),
+  /** OPTIONAL. Integrity metadata for the 'extends' field. */
+  "extends#integrity": import_zod.z.string().optional(),
+  /** OPTIONAL. Array of localized display metadata for the type. */
+  display: import_zod.z.array(DisplaySchema).optional(),
+  /** OPTIONAL. Array of claim metadata. */
+  claims: import_zod.z.array(ClaimSchema).optional()
+});
+
+// src/sd-jwt-vc-instance.ts
 var SDJwtVcInstance = class _SDJwtVcInstance extends import_core.SDJwtInstance {
   constructor(userConfig) {
     super(userConfig);
@@ -131,7 +271,8 @@ var SDJwtVcInstance = class _SDJwtVcInstance extends import_core.SDJwtInstance {
       });
       yield this.verifyStatus(result, options);
       if (this.userConfig.loadTypeMetadataFormat) {
-        yield this.verifyVct(result);
+        const resolvedTypeMetadata = yield this.fetchVct(result);
+        result.typeMetadata = resolvedTypeMetadata;
       }
       return result;
     });
@@ -165,20 +306,19 @@ var SDJwtVcInstance = class _SDJwtVcInstance extends import_core.SDJwtInstance {
    */
   validateIntegrity(response, url, integrity) {
     return __async(this, null, function* () {
-      if (integrity) {
-        const arrayBuffer = yield response.arrayBuffer();
-        const alg = integrity.split("-")[0];
-        const hashBuffer = yield this.userConfig.hasher(
-          arrayBuffer,
-          alg
+      if (!integrity) return;
+      const arrayBuffer = yield response.arrayBuffer();
+      const alg = integrity.split("-")[0];
+      const hashBuffer = yield this.userConfig.hasher(
+        arrayBuffer,
+        alg
+      );
+      const integrityHash = integrity.split("-")[1];
+      const hash = Array.from(new Uint8Array(hashBuffer)).map((byte) => byte.toString(16).padStart(2, "0")).join("");
+      if (hash !== integrityHash) {
+        throw new Error(
+          `Integrity check for ${url} failed: is ${hash}, but expected ${integrityHash}`
         );
-        const integrityHash = integrity.split("-")[1];
-        const hash = Array.from(new Uint8Array(hashBuffer)).map((byte) => byte.toString(16).padStart(2, "0")).join("");
-        if (hash !== integrityHash) {
-          throw new Error(
-            `Integrity check for ${url} failed: is ${hash}, but expected ${integrityHash}`
-          );
-        }
       }
     });
   }
@@ -187,7 +327,7 @@ var SDJwtVcInstance = class _SDJwtVcInstance extends import_core.SDJwtInstance {
    * @param url
    * @returns
    */
-  fetch(url, integrity) {
+  fetchWithIntegrity(url, integrity) {
     return __async(this, null, function* () {
       var _a;
       try {
@@ -201,7 +341,8 @@ var SDJwtVcInstance = class _SDJwtVcInstance extends import_core.SDJwtInstance {
           );
         }
         yield this.validateIntegrity(response.clone(), url, integrity);
-        return response.json();
+        const data = yield response.json();
+        return data;
       } catch (error) {
         if (error.name === "TimeoutError") {
           throw new Error(`Request to ${url} timed out`);
@@ -212,59 +353,190 @@ var SDJwtVcInstance = class _SDJwtVcInstance extends import_core.SDJwtInstance {
   }
   /**
    * Verifies the VCT of the SD-JWT-VC. Returns the type metadata format.
+   * Resolves the full extends chain according to spec sections 6.4, 8.2, and 9.5.
    * @param result
    * @returns
    */
-  verifyVct(result) {
+  fetchVct(result) {
     return __async(this, null, function* () {
-      const typeMetadataFormat = yield this.fetchVct(result);
-      if (typeMetadataFormat.extends) {
+      const typeMetadataFormat = yield this.fetchSingleVct(
+        result.payload.vct,
+        result.payload["vct#integrity"]
+      );
+      if (!typeMetadataFormat) return void 0;
+      if (!typeMetadataFormat.extends) {
+        return {
+          mergedTypeMetadata: typeMetadataFormat,
+          typeMetadataChain: [typeMetadataFormat],
+          vctValues: [typeMetadataFormat.vct]
+        };
       }
-      return typeMetadataFormat;
+      return this.resolveVctExtendsChain(typeMetadataFormat);
     });
   }
   /**
-   * Fetches VCT Metadata of the SD-JWT-VC. Returns the type metadata format. If the SD-JWT-VC does not contain a vct claim, an error is thrown.
-   * @param result
-   * @returns
+   * Checks if two claim paths are equal by comparing each element.
+   * @param path1 First claim path
+   * @param path2 Second claim path
+   * @returns True if paths are equal, false otherwise
    */
-  fetchVct(result) {
-    return __async(this, null, function* () {
-      var _a, _b;
-      if (!result.payload.vct) {
-        throw new import_utils.SDJWTException("vct claim is required");
+  claimPathsEqual(path1, path2) {
+    if (path1.length !== path2.length) return false;
+    return path1.every((element, index) => element === path2[index]);
+  }
+  /**
+   * Validates that extending claim metadata respects the constraints from spec section 9.5.1.
+   * @param baseClaim The base claim metadata
+   * @param extendingClaim The extending claim metadata
+   * @throws SDJWTException if validation fails
+   */
+  validateClaimExtension(baseClaim, extendingClaim) {
+    if (baseClaim.sd && extendingClaim.sd) {
+      if ((baseClaim.sd === "always" || baseClaim.sd === "never") && baseClaim.sd !== extendingClaim.sd) {
+        const pathStr = JSON.stringify(extendingClaim.path);
+        throw new import_utils.SDJWTException(
+          `Cannot change 'sd' property from '${baseClaim.sd}' to '${extendingClaim.sd}' for claim at path ${pathStr}`
+        );
       }
-      if ((_a = result.header) == null ? void 0 : _a.vctm) {
-        return this.fetchVctFromHeader(result.payload.vct, result);
+    }
+  }
+  /**
+   * Merges two type metadata formats, with the extending metadata overriding the base metadata.
+   * According to spec section 9.5:
+   * - All claim metadata from the extended type are inherited
+   * - The child type can add new claims or properties
+   * - If the child type defines claim metadata with the same path as the extended type,
+   *   the child type's object will override the corresponding object from the extended type
+   * According to spec section 9.5.1:
+   * - sd property can only be changed from 'allowed' (or omitted) to 'always' or 'never'
+   * - sd property cannot be changed from 'always' or 'never' to a different value
+   * According to spec section 8.2:
+   * - If the extending type defines its own display property, the original display metadata is ignored
+   * Note: The spec also mentions 'mandatory' property constraints, but this is not currently
+   * defined in the Claim type and will be validated when that property is added to the type.
+   * @param base The base type metadata format
+   * @param extending The extending type metadata format
+   * @returns The merged type metadata format
+   */
+  mergeTypeMetadata(base, extending) {
+    var _a, _b;
+    const merged = __spreadValues({}, extending);
+    if (base.claims || extending.claims) {
+      const baseClaims = (_a = base.claims) != null ? _a : [];
+      const extendingClaims = (_b = extending.claims) != null ? _b : [];
+      for (const extendingClaim of extendingClaims) {
+        const matchingBaseClaim = baseClaims.find(
+          (baseClaim) => this.claimPathsEqual(baseClaim.path, extendingClaim.path)
+        );
+        if (matchingBaseClaim) {
+          this.validateClaimExtension(matchingBaseClaim, extendingClaim);
+        }
+      }
+      const mergedClaims = [];
+      const extendedClaimsWithoutBase = [...extendingClaims];
+      for (const baseClaim of baseClaims) {
+        const extendingClaimIndex = extendedClaimsWithoutBase.findIndex(
+          (extendingClaim2) => this.claimPathsEqual(baseClaim.path, extendingClaim2.path)
+        );
+        const extendingClaim = extendingClaimIndex !== -1 ? extendedClaimsWithoutBase[extendingClaimIndex] : void 0;
+        if (extendingClaim) {
+          extendedClaimsWithoutBase.splice(extendingClaimIndex, 1);
+        }
+        mergedClaims.push(extendingClaim != null ? extendingClaim : baseClaim);
+      }
+      mergedClaims.push(...extendedClaimsWithoutBase);
+      merged.claims = mergedClaims;
+    }
+    if (!extending.display && base.display) {
+      merged.display = base.display;
+    }
+    return merged;
+  }
+  /**
+   * Resolves the full VCT chain by recursively fetching extended type metadata.
+   * Implements security considerations from spec section 10.3 for circular dependencies.
+   * @param vct The VCT URI to resolve
+   * @param integrity Optional integrity metadata for the VCT
+   * @param depth Current depth in the chain
+   * @param visitedVcts Set of already visited VCT URIs to detect circular dependencies
+   * @returns The fully resolved and merged type metadata format
+   */
+  resolveVctExtendsChain(_0) {
+    return __async(this, arguments, function* (parentTypeMetadata, depth = 1, visitedVcts = new Set(parentTypeMetadata.vct)) {
+      var _a;
+      const maxDepth = (_a = this.userConfig.maxVctExtendsDepth) != null ? _a : 5;
+      if (maxDepth !== -1 && depth > maxDepth) {
+        throw new import_utils.SDJWTException(
+          `Maximum VCT extends depth of ${maxDepth} exceeded`
+        );
+      }
+      if (!parentTypeMetadata.extends) {
+        throw new import_utils.SDJWTException(
+          `Type metadata for vct '${parentTypeMetadata.vct}' has no 'extends' field. Unable to resolve extended type metadata document.`
+        );
+      }
+      if (visitedVcts.has(parentTypeMetadata.extends)) {
+        throw new import_utils.SDJWTException(
+          `Circular dependency detected in VCT extends chain: ${parentTypeMetadata.extends}`
+        );
+      }
+      visitedVcts.add(parentTypeMetadata.extends);
+      const extendedTypeMetadata = yield this.fetchSingleVct(
+        parentTypeMetadata.extends,
+        parentTypeMetadata["extends#integrity"]
+      );
+      if (!extendedTypeMetadata) {
+        throw new import_utils.SDJWTException(
+          `Resolving VCT extends value '${parentTypeMetadata.extends}' resulted in an undefined result.`
+        );
+      }
+      let resolvedTypeMetadata;
+      if (extendedTypeMetadata.extends) {
+        resolvedTypeMetadata = yield this.resolveVctExtendsChain(
+          extendedTypeMetadata,
+          depth + 1,
+          visitedVcts
+        );
+      } else {
+        resolvedTypeMetadata = {
+          mergedTypeMetadata: extendedTypeMetadata,
+          typeMetadataChain: [extendedTypeMetadata],
+          vctValues: [extendedTypeMetadata.vct]
+        };
       }
-      const fetcher = (_b = this.userConfig.vctFetcher) != null ? _b : ((uri, integrity) => this.fetch(uri, integrity));
-      return fetcher(result.payload.vct, result.payload["vct#integrity"]);
+      const mergedTypeMetadata = this.mergeTypeMetadata(
+        resolvedTypeMetadata.mergedTypeMetadata,
+        parentTypeMetadata
+      );
+      return {
+        mergedTypeMetadata,
+        typeMetadataChain: [
+          parentTypeMetadata,
+          ...resolvedTypeMetadata.typeMetadataChain
+        ],
+        vctValues: [parentTypeMetadata.vct, ...resolvedTypeMetadata.vctValues]
+      };
     });
   }
   /**
-   * Fetches VCT Metadata from the header of the SD-JWT-VC. Returns the type metadata format. If the SD-JWT-VC does not contain a vct claim, an error is thrown.
+   * Fetches and verifies the VCT Metadata for a VCT value.
    * @param result
-   * @param
+   * @returns
    */
-  fetchVctFromHeader(vct, result) {
+  fetchSingleVct(vct, integrity) {
     return __async(this, null, function* () {
       var _a;
-      const vctmHeader = (_a = result.header) == null ? void 0 : _a.vctm;
-      if (!vctmHeader || !Array.isArray(vctmHeader)) {
-        throw new Error("vctm claim in SD JWT header is invalid");
-      }
-      const typeMetadataFormat = vctmHeader.map((vctm) => {
-        if (!(typeof vctm === "string")) {
-          throw new Error("vctm claim in SD JWT header is invalid");
-        }
-        return JSON.parse((0, import_utils.base64urlDecode)(vctm));
-      }).find((typeMetadataFormat2) => {
-        return typeMetadataFormat2.vct === vct;
-      });
-      if (!typeMetadataFormat) {
-        throw new Error("could not find VCT Metadata in JWT header");
+      const fetcher = (_a = this.userConfig.vctFetcher) != null ? _a : ((uri, integrity2) => this.fetchWithIntegrity(uri, integrity2));
+      const data = yield fetcher(vct, integrity);
+      if (!data) return void 0;
+      const validated = TypeMetadataFormatSchema.safeParse(data);
+      if (!validated.success) {
+        throw new import_utils.SDJWTException(
+          `Invalid VCT type metadata for vct '${vct}':
+${import_zod2.default.prettifyError(validated.error)}`
+        );
       }
-      return typeMetadataFormat;
+      return validated.data;
     });
   }
   /**
@@ -304,5 +576,19 @@ var SDJwtVcInstance = class _SDJwtVcInstance extends import_core.SDJwtInstance {
 };
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
-  SDJwtVcInstance
+  ClaimDisplaySchema,
+  ClaimPathSchema,
+  ClaimSchema,
+  ClaimSelectiveDisclosureSchema,
+  ColorSchemeSchema,
+  ContrastSchema,
+  DisplaySchema,
+  LogoSchema,
+  OrientationSchema,
+  RenderingSchema,
+  SDJwtVcInstance,
+  SimpleRenderingSchema,
+  SvgTemplatePropertiesSchema,
+  SvgTemplateRenderingSchema,
+  TypeMetadataFormatSchema
 });