@solidus-network/sdk 0.2.0 → 0.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (57) hide show
  1. package/dist/chain/chainInfo.d.ts +37 -0
  2. package/dist/chain/chainInfo.d.ts.map +1 -0
  3. package/dist/chain/chainInfo.js +22 -0
  4. package/dist/chain/chainInfo.js.map +1 -0
  5. package/dist/chain/credentials.d.ts.map +1 -1
  6. package/dist/chain/credentials.js +3 -16
  7. package/dist/chain/credentials.js.map +1 -1
  8. package/dist/chain/did.d.ts +43 -0
  9. package/dist/chain/did.d.ts.map +1 -1
  10. package/dist/chain/did.js +111 -49
  11. package/dist/chain/did.js.map +1 -1
  12. package/dist/chain/index.d.ts.map +1 -1
  13. package/dist/chain/index.js +7 -0
  14. package/dist/chain/index.js.map +1 -1
  15. package/dist/chain/transaction.d.ts +28 -0
  16. package/dist/chain/transaction.d.ts.map +1 -1
  17. package/dist/chain/transaction.js +20 -0
  18. package/dist/chain/transaction.js.map +1 -1
  19. package/dist/chain/transfer.d.ts +26 -0
  20. package/dist/chain/transfer.d.ts.map +1 -0
  21. package/dist/chain/transfer.js +32 -0
  22. package/dist/chain/transfer.js.map +1 -0
  23. package/dist/index.d.ts +76 -2
  24. package/dist/index.d.ts.map +1 -1
  25. package/dist/index.js +9 -3
  26. package/dist/index.js.map +1 -1
  27. package/dist/sdjwt/index.d.ts +5 -1
  28. package/dist/sdjwt/index.d.ts.map +1 -1
  29. package/dist/sdjwt/index.js +3 -0
  30. package/dist/sdjwt/index.js.map +1 -1
  31. package/dist/sdjwt/issue.d.ts.map +1 -1
  32. package/dist/sdjwt/issue.js +49 -8
  33. package/dist/sdjwt/issue.js.map +1 -1
  34. package/dist/sdjwt/present.d.ts +15 -0
  35. package/dist/sdjwt/present.d.ts.map +1 -0
  36. package/dist/sdjwt/present.js +80 -0
  37. package/dist/sdjwt/present.js.map +1 -0
  38. package/dist/sdjwt/signer.d.ts +16 -0
  39. package/dist/sdjwt/signer.d.ts.map +1 -1
  40. package/dist/sdjwt/signer.js +27 -0
  41. package/dist/sdjwt/signer.js.map +1 -1
  42. package/dist/sdjwt/status-list.d.ts +61 -0
  43. package/dist/sdjwt/status-list.d.ts.map +1 -0
  44. package/dist/sdjwt/status-list.js +63 -0
  45. package/dist/sdjwt/status-list.js.map +1 -0
  46. package/dist/sdjwt/types.d.ts +96 -5
  47. package/dist/sdjwt/types.d.ts.map +1 -1
  48. package/dist/sdjwt/verify.d.ts +17 -4
  49. package/dist/sdjwt/verify.d.ts.map +1 -1
  50. package/dist/sdjwt/verify.js +171 -22
  51. package/dist/sdjwt/verify.js.map +1 -1
  52. package/dist/stub/credentials.js +1 -1
  53. package/dist/stub/did.d.ts +19 -0
  54. package/dist/stub/did.d.ts.map +1 -1
  55. package/dist/stub/did.js +55 -1
  56. package/dist/stub/did.js.map +1 -1
  57. package/package.json +3 -3
@@ -33,18 +33,38 @@ export interface IssueSdJwtVcParams {
33
33
  */
34
34
  issuerPrivateKey: Uint8Array;
35
35
  /**
36
- * Subject-claim paths that should be disclosable. Each entry is a
37
- * top-level subject key (Phase 1 supports flat structures only;
38
- * nested disclosure comes in Phase 2). If omitted, every subject
39
- * claim is disclosable.
36
+ * Subject-claim paths that should be disclosable. Each entry is
37
+ * either a top-level key (`'birthdate'`) or a dotted path into a
38
+ * nested object (`'address.street'`). If omitted, every top-level
39
+ * subject claim except `id` is disclosable; nested objects are not
40
+ * auto-expanded — pass explicit paths to selectively disclose them.
40
41
  *
41
- * @example ['birthdate', 'address']
42
+ * @example ['birthdate', 'address.street', 'address.city']
42
43
  */
43
44
  disclosable?: string[];
44
45
  /** RFC 3339 timestamp; sd-jwt-vc maps this to `nbf`. Defaults to now. */
45
46
  validFrom?: string;
46
47
  /** RFC 3339 timestamp; sd-jwt-vc maps this to `exp`. Optional. */
47
48
  validUntil?: string;
49
+ /**
50
+ * Optional 32-byte Ed25519 public key of the *holder*. When provided,
51
+ * the issued SD-JWT embeds a `cnf.jwk` claim binding the credential
52
+ * to this key — required if the verifier is going to enforce a
53
+ * Key-Binding JWT at presentation time. Omit to issue a bearer
54
+ * credential (Phase 1 default).
55
+ */
56
+ holderPublicKey?: Uint8Array;
57
+ /**
58
+ * Optional reference into a status list (draft-ietf-oauth-status-list).
59
+ * When set, the issued SD-JWT carries `status: { status_list: { uri,
60
+ * idx } }`; verifiers that supply a `statusListFetcher` will fetch
61
+ * the list, look up bit `idx`, and reject the credential if the
62
+ * status indicates revocation.
63
+ */
64
+ status?: {
65
+ uri: string;
66
+ idx: number;
67
+ };
48
68
  }
49
69
  /**
50
70
  * The compact-serialised SD-JWT VC, plus metadata. The `compact` field
@@ -70,6 +90,77 @@ export interface VerifySdJwtVcParams {
70
90
  * from the chain client.
71
91
  */
72
92
  issuerPublicKey: Uint8Array;
93
+ /**
94
+ * If provided, the verifier requires a valid Key-Binding JWT and
95
+ * checks the KB-JWT's `aud` claim against this value. Use this to
96
+ * stop a stolen presentation from being replayed against a different
97
+ * verifier.
98
+ */
99
+ expectedAudience?: string;
100
+ /**
101
+ * If provided, the verifier requires a valid Key-Binding JWT and
102
+ * checks the KB-JWT's `nonce` claim against this value. The verifier
103
+ * is responsible for generating a fresh nonce per presentation
104
+ * request and remembering it for the duration of the round-trip.
105
+ */
106
+ expectedNonce?: string;
107
+ /**
108
+ * Callback that fetches the status-list JWT at a given URI. Required
109
+ * to enable revocation checking; if absent the verifier skips the
110
+ * status check (treats every credential as live). In production the
111
+ * caller usually wires this to `fetch()`; tests can use an in-memory
112
+ * map.
113
+ */
114
+ statusListFetcher?: (uri: string) => Promise<string>;
115
+ /**
116
+ * Verifier callback for the *status list JWT*'s signature. The
117
+ * status list JWT is signed by the issuer (or a status-list-specific
118
+ * key); pass the public key here. If omitted, the same issuerPublicKey
119
+ * used for the SD-JWT is reused — appropriate when the issuer signs
120
+ * its own status lists.
121
+ */
122
+ statusListIssuerPublicKey?: Uint8Array;
123
+ }
124
+ /** Parameters accepted by [`presentSdJwtVc`]. */
125
+ export interface PresentSdJwtVcParams {
126
+ /** Compact-serialised SD-JWT VC as issued (with all disclosures attached). */
127
+ compact: string;
128
+ /**
129
+ * Paths of the subject claims to reveal in this presentation. Each
130
+ * entry is either a top-level key (`'firstName'`) or a dotted path
131
+ * into a nested object (`'address.street'`). Any disclosure not
132
+ * listed here is omitted from the presented compact form; the
133
+ * verifier still sees the hash but cannot recover the value.
134
+ *
135
+ * @example ['firstName', 'address.street']
136
+ */
137
+ claimsToReveal: string[];
138
+ /**
139
+ * Holder's raw 32-byte Ed25519 *private* key. Must be the partner of
140
+ * the `holderPublicKey` that was bound at issuance time via `cnf.jwk`.
141
+ * Required because Phase 2 always emits a Key-Binding JWT — bearer
142
+ * presentations stay on the Phase-1 verify path with no `aud`/`nonce`.
143
+ */
144
+ holderPrivateKey: Uint8Array;
145
+ /**
146
+ * Audience identifier for the verifier (typically the verifier's
147
+ * client_id or origin). Becomes the `aud` claim of the KB-JWT.
148
+ */
149
+ audience: string;
150
+ /**
151
+ * Fresh, single-use nonce supplied by the verifier. Becomes the
152
+ * `nonce` claim of the KB-JWT.
153
+ */
154
+ nonce: string;
155
+ }
156
+ /** Result of [`presentSdJwtVc`]. */
157
+ export interface PresentationResult {
158
+ /**
159
+ * Compact-serialised presentation:
160
+ * `<jws>~<revealed_d1>~<revealed_d2>~<kb-jwt>`. Note that the trailing
161
+ * `~` before the KB-JWT is part of the spec.
162
+ */
163
+ compact: string;
73
164
  }
74
165
  export interface VerificationResult {
75
166
  /** True if signature, hashes, and freshness all check out. */
@@ -1 +1 @@
1
- {"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/sdjwt/types.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,+CAA+C;AAC/C,MAAM,WAAW,kBAAkB;IACjC;;;OAGG;IACH,MAAM,EAAE,MAAM,CAAA;IAEd;;;;OAIG;IACH,GAAG,EAAE,MAAM,CAAA;IAEX;;;;OAIG;IACH,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;IAEhC;;;OAGG;IACH,gBAAgB,EAAE,UAAU,CAAA;IAE5B;;;;;;;OAOG;IACH,WAAW,CAAC,EAAE,MAAM,EAAE,CAAA;IAEtB,yEAAyE;IACzE,SAAS,CAAC,EAAE,MAAM,CAAA;IAElB,kEAAkE;IAClE,UAAU,CAAC,EAAE,MAAM,CAAA;CACpB;AAED;;;;GAIG;AACH,MAAM,WAAW,aAAa;IAC5B,uDAAuD;IACvD,OAAO,EAAE,MAAM,CAAA;IAEf,0EAA0E;IAC1E,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;IAEhC,4CAA4C;IAC5C,eAAe,EAAE,MAAM,CAAA;CACxB;AAED,gDAAgD;AAChD,MAAM,WAAW,mBAAmB;IAClC,oCAAoC;IACpC,OAAO,EAAE,MAAM,CAAA;IAEf;;;;;OAKG;IACH,eAAe,EAAE,UAAU,CAAA;CAC5B;AAED,MAAM,WAAW,kBAAkB;IACjC,8DAA8D;IAC9D,KAAK,EAAE,OAAO,CAAA;IAEd;;;;OAIG;IACH,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;IAE/B,oCAAoC;IACpC,MAAM,CAAC,EAAE,MAAM,CAAA;IAEf,gDAAgD;IAChD,GAAG,CAAC,EAAE,MAAM,CAAA;IAEZ,+CAA+C;IAC/C,KAAK,CAAC,EAAE,MAAM,CAAA;CACf"}
1
+ {"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/sdjwt/types.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,+CAA+C;AAC/C,MAAM,WAAW,kBAAkB;IACjC;;;OAGG;IACH,MAAM,EAAE,MAAM,CAAA;IAEd;;;;OAIG;IACH,GAAG,EAAE,MAAM,CAAA;IAEX;;;;OAIG;IACH,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;IAEhC;;;OAGG;IACH,gBAAgB,EAAE,UAAU,CAAA;IAE5B;;;;;;;;OAQG;IACH,WAAW,CAAC,EAAE,MAAM,EAAE,CAAA;IAEtB,yEAAyE;IACzE,SAAS,CAAC,EAAE,MAAM,CAAA;IAElB,kEAAkE;IAClE,UAAU,CAAC,EAAE,MAAM,CAAA;IAEnB;;;;;;OAMG;IACH,eAAe,CAAC,EAAE,UAAU,CAAA;IAE5B;;;;;;OAMG;IACH,MAAM,CAAC,EAAE;QAAE,GAAG,EAAE,MAAM,CAAC;QAAC,GAAG,EAAE,MAAM,CAAA;KAAE,CAAA;CACtC;AAED;;;;GAIG;AACH,MAAM,WAAW,aAAa;IAC5B,uDAAuD;IACvD,OAAO,EAAE,MAAM,CAAA;IAEf,0EAA0E;IAC1E,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;IAEhC,4CAA4C;IAC5C,eAAe,EAAE,MAAM,CAAA;CACxB;AAED,gDAAgD;AAChD,MAAM,WAAW,mBAAmB;IAClC,oCAAoC;IACpC,OAAO,EAAE,MAAM,CAAA;IAEf;;;;;OAKG;IACH,eAAe,EAAE,UAAU,CAAA;IAE3B;;;;;OAKG;IACH,gBAAgB,CAAC,EAAE,MAAM,CAAA;IAEzB;;;;;OAKG;IACH,aAAa,CAAC,EAAE,MAAM,CAAA;IAEtB;;;;;;OAMG;IACH,iBAAiB,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,CAAC,CAAA;IAEpD;;;;;;OAMG;IACH,yBAAyB,CAAC,EAAE,UAAU,CAAA;CACvC;AAED,iDAAiD;AACjD,MAAM,WAAW,oBAAoB;IACnC,8EAA8E;IAC9E,OAAO,EAAE,MAAM,CAAA;IAEf;;;;;;;;OAQG;IACH,cAAc,EAAE,MAAM,EAAE,CAAA;IAExB;;;;;OAKG;IACH,gBAAgB,EAAE,UAAU,CAAA;IAE5B;;;OAGG;IACH,QAAQ,EAAE,MAAM,CAAA;IAEhB;;;OAGG;IACH,KAAK,EAAE,MAAM,CAAA;CACd;AAED,oCAAoC;AACpC,MAAM,WAAW,kBAAkB;IACjC;;;;OAIG;IACH,OAAO,EAAE,MAAM,CAAA;CAChB;AAED,MAAM,WAAW,kBAAkB;IACjC,8DAA8D;IAC9D,KAAK,EAAE,OAAO,CAAA;IAEd;;;;OAIG;IACH,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;IAE/B,oCAAoC;IACpC,MAAM,CAAC,EAAE,MAAM,CAAA;IAEf,gDAAgD;IAChD,GAAG,CAAC,EAAE,MAAM,CAAA;IAEZ,+CAA+C;IAC/C,KAAK,CAAC,EAAE,MAAM,CAAA;CACf"}
@@ -1,9 +1,22 @@
1
1
  /**
2
- * Verify an SD-JWT VC.
2
+ * Verify an SD-JWT VC, optionally including a Key-Binding JWT.
3
3
  *
4
- * Phase 1 verifies signature, freshness (`iat`/`nbf`/`exp`), and
5
- * reconstructs the disclosed claims. Status-list and KB-JWT
6
- * verification land in Phase 2.
4
+ * Phase 1 verified just the issuer's signature + freshness; Phase 2
5
+ * adds an optional KB-JWT path. When the caller supplies
6
+ * `expectedAudience` and/or `expectedNonce`, the verifier:
7
+ * - requires a KB-JWT to be present in the compact form,
8
+ * - extracts the holder's public key from the SD-JWT's `cnf.jwk`,
9
+ * - verifies the KB-JWT signature against that key,
10
+ * - checks `aud` and `nonce` match the caller's expectations,
11
+ * - confirms `sd_hash` matches the hash of the SD-JWT being presented.
12
+ *
13
+ * If neither expected* is set, the verifier behaves as Phase 1 — bearer
14
+ * presentations remain accepted.
15
+ *
16
+ * KB-JWT parsing is done in this module rather than via sd-jwt-js's
17
+ * `verify()` because sd-jwt-js conflates "extract KB-JWT" and "check
18
+ * nonce" in a single option, leaving us no clean way to surface
19
+ * `aud mismatch` separately from `nonce mismatch`.
7
20
  */
8
21
  import type { VerifySdJwtVcParams, VerificationResult } from './types.js';
9
22
  export declare function verifySdJwtVc(params: VerifySdJwtVcParams): Promise<VerificationResult>;
@@ -1 +1 @@
1
- {"version":3,"file":"verify.d.ts","sourceRoot":"","sources":["../../src/sdjwt/verify.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAKH,OAAO,KAAK,EAAE,mBAAmB,EAAE,kBAAkB,EAAE,MAAM,YAAY,CAAA;AAEzE,wBAAsB,aAAa,CACjC,MAAM,EAAE,mBAAmB,GAC1B,OAAO,CAAC,kBAAkB,CAAC,CAyC7B"}
1
+ {"version":3,"file":"verify.d.ts","sourceRoot":"","sources":["../../src/sdjwt/verify.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAWH,OAAO,KAAK,EAAE,mBAAmB,EAAE,kBAAkB,EAAE,MAAM,YAAY,CAAA;AA4EzE,wBAAsB,aAAa,CACjC,MAAM,EAAE,mBAAmB,GAC1B,OAAO,CAAC,kBAAkB,CAAC,CAuI7B"}
@@ -1,12 +1,81 @@
1
1
  /**
2
- * Verify an SD-JWT VC.
2
+ * Verify an SD-JWT VC, optionally including a Key-Binding JWT.
3
3
  *
4
- * Phase 1 verifies signature, freshness (`iat`/`nbf`/`exp`), and
5
- * reconstructs the disclosed claims. Status-list and KB-JWT
6
- * verification land in Phase 2.
4
+ * Phase 1 verified just the issuer's signature + freshness; Phase 2
5
+ * adds an optional KB-JWT path. When the caller supplies
6
+ * `expectedAudience` and/or `expectedNonce`, the verifier:
7
+ * - requires a KB-JWT to be present in the compact form,
8
+ * - extracts the holder's public key from the SD-JWT's `cnf.jwk`,
9
+ * - verifies the KB-JWT signature against that key,
10
+ * - checks `aud` and `nonce` match the caller's expectations,
11
+ * - confirms `sd_hash` matches the hash of the SD-JWT being presented.
12
+ *
13
+ * If neither expected* is set, the verifier behaves as Phase 1 — bearer
14
+ * presentations remain accepted.
15
+ *
16
+ * KB-JWT parsing is done in this module rather than via sd-jwt-js's
17
+ * `verify()` because sd-jwt-js conflates "extract KB-JWT" and "check
18
+ * nonce" in a single option, leaving us no clean way to surface
19
+ * `aud mismatch` separately from `nonce mismatch`.
7
20
  */
8
21
  import { SDJwtVcInstance } from '@sd-jwt/sd-jwt-vc';
9
- import { makeEd25519Verifier, sdJwtHasher } from './signer.js';
22
+ import * as ed from '@noble/ed25519';
23
+ import { sha256 } from '@noble/hashes/sha2';
24
+ import { ed25519PublicKeyFromJwk, makeEd25519Verifier, sdJwtHasher, } from './signer.js';
25
+ function fromBase64Url(input) {
26
+ const padded = input
27
+ .replace(/-/g, '+')
28
+ .replace(/_/g, '/')
29
+ .padEnd(input.length + ((4 - (input.length % 4)) % 4), '=');
30
+ return new Uint8Array(Buffer.from(padded, 'base64'));
31
+ }
32
+ function toBase64Url(input) {
33
+ return Buffer.from(input)
34
+ .toString('base64')
35
+ .replace(/\+/g, '-')
36
+ .replace(/\//g, '_')
37
+ .replace(/=/g, '');
38
+ }
39
+ /**
40
+ * Decode (without verifying) the KB-JWT off the end of a compact SD-JWT.
41
+ *
42
+ * The compact form is `<jws>~<d1>~<d2>~<kb-jwt>`. The KB-JWT is the
43
+ * final non-empty segment; the `<jws>~<d1>~...~` prefix (with the
44
+ * trailing `~` retained) is what `sd_hash` covers per spec §3.3.
45
+ */
46
+ function extractKbJwt(compact) {
47
+ const lastTilde = compact.lastIndexOf('~');
48
+ if (lastTilde < 0)
49
+ return null;
50
+ const kbCompact = compact.slice(lastTilde + 1);
51
+ if (kbCompact.length === 0)
52
+ return null;
53
+ const sdJwtBody = compact.slice(0, lastTilde + 1); // includes trailing `~`
54
+ const segments = kbCompact.split('.');
55
+ if (segments.length !== 3)
56
+ return null;
57
+ let payload;
58
+ try {
59
+ payload = JSON.parse(new TextDecoder().decode(fromBase64Url(segments[1])));
60
+ }
61
+ catch {
62
+ return null;
63
+ }
64
+ return { kbCompact, sdJwtBody, payload };
65
+ }
66
+ async function verifyKbSignature(kbCompact, holderPublicKey) {
67
+ const segments = kbCompact.split('.');
68
+ if (segments.length !== 3)
69
+ return false;
70
+ const signingInput = `${segments[0]}.${segments[1]}`;
71
+ const signature = fromBase64Url(segments[2]);
72
+ try {
73
+ return await ed.verifyAsync(signature, new TextEncoder().encode(signingInput), holderPublicKey);
74
+ }
75
+ catch {
76
+ return false;
77
+ }
78
+ }
10
79
  export async function verifySdJwtVc(params) {
11
80
  if (params.issuerPublicKey.length !== 32) {
12
81
  return {
@@ -15,31 +84,31 @@ export async function verifySdJwtVc(params) {
15
84
  error: `issuerPublicKey must be 32 bytes, got ${params.issuerPublicKey.length}`,
16
85
  };
17
86
  }
87
+ const requireKb = params.expectedAudience !== undefined ||
88
+ params.expectedNonce !== undefined;
89
+ const statusListVerifier = params.statusListIssuerPublicKey
90
+ ? makeEd25519Verifier(params.statusListIssuerPublicKey)
91
+ : makeEd25519Verifier(params.issuerPublicKey);
18
92
  const sdjwt = new SDJwtVcInstance({
19
93
  verifier: makeEd25519Verifier(params.issuerPublicKey),
20
94
  hasher: sdJwtHasher,
21
95
  hashAlg: 'sha-256',
22
96
  loadTypeMetadataFormat: false,
97
+ // Wire status-list lookup if the caller supplied a fetcher.
98
+ // sd-jwt-vc fetches the status-list JWT, verifies its signature,
99
+ // looks up `idx`, and (by default) treats any non-zero status as
100
+ // revoked.
101
+ ...(params.statusListFetcher !== undefined
102
+ ? {
103
+ statusListFetcher: params.statusListFetcher,
104
+ statusVerifier: statusListVerifier,
105
+ }
106
+ : {}),
23
107
  });
108
+ let payload;
24
109
  try {
25
110
  const result = await sdjwt.verify(params.compact);
26
- const payload = result.payload;
27
- // sd-jwt-js's verify() reconstructs the disclosed claims and merges
28
- // them into the payload, dropping the `_sd` arrays. So
29
- // `result.payload` is already the full revealed claim set.
30
- const claims = {};
31
- for (const [k, v] of Object.entries(payload)) {
32
- // Drop SD-JWT housekeeping fields from the user-facing claim set.
33
- if (k === '_sd' || k === '_sd_alg' || k === 'cnf')
34
- continue;
35
- claims[k] = v;
36
- }
37
- const out = { valid: true, claims };
38
- if (typeof payload['iss'] === 'string')
39
- out.issuer = payload['iss'];
40
- if (typeof payload['vct'] === 'string')
41
- out.vct = payload['vct'];
42
- return out;
111
+ payload = result.payload;
43
112
  }
44
113
  catch (e) {
45
114
  return {
@@ -48,5 +117,85 @@ export async function verifySdJwtVc(params) {
48
117
  error: e instanceof Error ? e.message : String(e),
49
118
  };
50
119
  }
120
+ if (requireKb) {
121
+ const parsed = extractKbJwt(params.compact);
122
+ if (!parsed) {
123
+ return {
124
+ valid: false,
125
+ claims: {},
126
+ error: 'KB-JWT required but not present in compact form',
127
+ };
128
+ }
129
+ const cnf = payload.cnf;
130
+ if (!cnf?.jwk) {
131
+ return {
132
+ valid: false,
133
+ claims: {},
134
+ error: 'SD-JWT does not bind a holder key (`cnf.jwk` missing)',
135
+ };
136
+ }
137
+ let holderPk;
138
+ try {
139
+ holderPk = ed25519PublicKeyFromJwk(cnf.jwk);
140
+ }
141
+ catch (e) {
142
+ return {
143
+ valid: false,
144
+ claims: {},
145
+ error: `cnf.jwk invalid: ${e instanceof Error ? e.message : String(e)}`,
146
+ };
147
+ }
148
+ const sigOk = await verifyKbSignature(parsed.kbCompact, holderPk);
149
+ if (!sigOk) {
150
+ return {
151
+ valid: false,
152
+ claims: {},
153
+ error: 'KB-JWT signature does not match the holder key from cnf.jwk',
154
+ };
155
+ }
156
+ if (params.expectedAudience !== undefined &&
157
+ parsed.payload.aud !== params.expectedAudience) {
158
+ return {
159
+ valid: false,
160
+ claims: {},
161
+ error: `KB-JWT aud mismatch: expected ${params.expectedAudience}, got ${parsed.payload.aud ?? '<missing>'}`,
162
+ };
163
+ }
164
+ if (params.expectedNonce !== undefined &&
165
+ parsed.payload.nonce !== params.expectedNonce) {
166
+ return {
167
+ valid: false,
168
+ claims: {},
169
+ error: `KB-JWT nonce mismatch: expected ${params.expectedNonce}, got ${parsed.payload.nonce ?? '<missing>'}`,
170
+ };
171
+ }
172
+ // Confirm sd_hash matches the SHA-256 of the SD-JWT body (everything
173
+ // before the KB-JWT, with the trailing `~` retained per spec).
174
+ if (parsed.payload.sd_hash !== undefined) {
175
+ const expectedHash = toBase64Url(sha256(new TextEncoder().encode(parsed.sdJwtBody)));
176
+ if (parsed.payload.sd_hash !== expectedHash) {
177
+ return {
178
+ valid: false,
179
+ claims: {},
180
+ error: 'KB-JWT sd_hash does not cover the presented SD-JWT body',
181
+ };
182
+ }
183
+ }
184
+ }
185
+ // sd-jwt-js's verify() reconstructs disclosed claims and merges
186
+ // them into the payload, dropping the `_sd` arrays. The caller
187
+ // should never see SD-JWT housekeeping fields.
188
+ const claims = {};
189
+ for (const [k, v] of Object.entries(payload)) {
190
+ if (k === '_sd' || k === '_sd_alg' || k === 'cnf')
191
+ continue;
192
+ claims[k] = v;
193
+ }
194
+ const out = { valid: true, claims };
195
+ if (typeof payload['iss'] === 'string')
196
+ out.issuer = payload['iss'];
197
+ if (typeof payload['vct'] === 'string')
198
+ out.vct = payload['vct'];
199
+ return out;
51
200
  }
52
201
  //# sourceMappingURL=verify.js.map
@@ -1 +1 @@
1
- {"version":3,"file":"verify.js","sourceRoot":"","sources":["../../src/sdjwt/verify.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAA;AAEnD,OAAO,EAAE,mBAAmB,EAAE,WAAW,EAAE,MAAM,aAAa,CAAA;AAG9D,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,MAA2B;IAE3B,IAAI,MAAM,CAAC,eAAe,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;QACzC,OAAO;YACL,KAAK,EAAE,KAAK;YACZ,MAAM,EAAE,EAAE;YACV,KAAK,EAAE,yCAAyC,MAAM,CAAC,eAAe,CAAC,MAAM,EAAE;SAChF,CAAA;IACH,CAAC;IAED,MAAM,KAAK,GAAG,IAAI,eAAe,CAAC;QAChC,QAAQ,EAAE,mBAAmB,CAAC,MAAM,CAAC,eAAe,CAAC;QACrD,MAAM,EAAE,WAAW;QACnB,OAAO,EAAE,SAAS;QAClB,sBAAsB,EAAE,KAAK;KAC9B,CAAC,CAAA;IAEF,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,KAAK,CAAC,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,CAAA;QACjD,MAAM,OAAO,GAAG,MAAM,CAAC,OAAkC,CAAA;QAEzD,oEAAoE;QACpE,uDAAuD;QACvD,2DAA2D;QAC3D,MAAM,MAAM,GAA4B,EAAE,CAAA;QAC1C,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;YAC7C,kEAAkE;YAClE,IAAI,CAAC,KAAK,KAAK,IAAI,CAAC,KAAK,SAAS,IAAI,CAAC,KAAK,KAAK;gBAAE,SAAQ;YAC3D,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC,CAAA;QACf,CAAC;QAED,MAAM,GAAG,GAAuB,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,CAAA;QACvD,IAAI,OAAO,OAAO,CAAC,KAAK,CAAC,KAAK,QAAQ;YAAE,GAAG,CAAC,MAAM,GAAG,OAAO,CAAC,KAAK,CAAC,CAAA;QACnE,IAAI,OAAO,OAAO,CAAC,KAAK,CAAC,KAAK,QAAQ;YAAE,GAAG,CAAC,GAAG,GAAG,OAAO,CAAC,KAAK,CAAC,CAAA;QAChE,OAAO,GAAG,CAAA;IACZ,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,OAAO;YACL,KAAK,EAAE,KAAK;YACZ,MAAM,EAAE,EAAE;YACV,KAAK,EAAE,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC;SAClD,CAAA;IACH,CAAC;AACH,CAAC"}
1
+ {"version":3,"file":"verify.js","sourceRoot":"","sources":["../../src/sdjwt/verify.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAEH,OAAO,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAA;AAEnD,OAAO,KAAK,EAAE,MAAM,gBAAgB,CAAA;AACpC,OAAO,EAAE,MAAM,EAAE,MAAM,oBAAoB,CAAA;AAC3C,OAAO,EACL,uBAAuB,EACvB,mBAAmB,EACnB,WAAW,GACZ,MAAM,aAAa,CAAA;AAGpB,SAAS,aAAa,CAAC,KAAa;IAClC,MAAM,MAAM,GAAG,KAAK;SACjB,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC;SAClB,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC;SAClB,MAAM,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,EAAE,GAAG,CAAC,CAAA;IAC7D,OAAO,IAAI,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC,CAAA;AACtD,CAAC;AAED,SAAS,WAAW,CAAC,KAAiB;IACpC,OAAO,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC;SACtB,QAAQ,CAAC,QAAQ,CAAC;SAClB,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;SACnB,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;SACnB,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAA;AACtB,CAAC;AAeD;;;;;;GAMG;AACH,SAAS,YAAY,CAAC,OAAe;IACnC,MAAM,SAAS,GAAG,OAAO,CAAC,WAAW,CAAC,GAAG,CAAC,CAAA;IAC1C,IAAI,SAAS,GAAG,CAAC;QAAE,OAAO,IAAI,CAAA;IAC9B,MAAM,SAAS,GAAG,OAAO,CAAC,KAAK,CAAC,SAAS,GAAG,CAAC,CAAC,CAAA;IAC9C,IAAI,SAAS,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAA;IACvC,MAAM,SAAS,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,SAAS,GAAG,CAAC,CAAC,CAAA,CAAC,wBAAwB;IAC1E,MAAM,QAAQ,GAAG,SAAS,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;IACrC,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAA;IACtC,IAAI,OAAqB,CAAA;IACzB,IAAI,CAAC;QACH,OAAO,GAAG,IAAI,CAAC,KAAK,CAClB,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,aAAa,CAAC,QAAQ,CAAC,CAAC,CAAE,CAAC,CAAC,CACtC,CAAA;IACnB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAA;IACb,CAAC;IACD,OAAO,EAAE,SAAS,EAAE,SAAS,EAAE,OAAO,EAAE,CAAA;AAC1C,CAAC;AAED,KAAK,UAAU,iBAAiB,CAC9B,SAAiB,EACjB,eAA2B;IAE3B,MAAM,QAAQ,GAAG,SAAS,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;IACrC,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,KAAK,CAAA;IACvC,MAAM,YAAY,GAAG,GAAG,QAAQ,CAAC,CAAC,CAAE,IAAI,QAAQ,CAAC,CAAC,CAAE,EAAE,CAAA;IACtD,MAAM,SAAS,GAAG,aAAa,CAAC,QAAQ,CAAC,CAAC,CAAE,CAAC,CAAA;IAC7C,IAAI,CAAC;QACH,OAAO,MAAM,EAAE,CAAC,WAAW,CACzB,SAAS,EACT,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,YAAY,CAAC,EACtC,eAAe,CAChB,CAAA;IACH,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAA;IACd,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,MAA2B;IAE3B,IAAI,MAAM,CAAC,eAAe,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;QACzC,OAAO;YACL,KAAK,EAAE,KAAK;YACZ,MAAM,EAAE,EAAE;YACV,KAAK,EAAE,yCAAyC,MAAM,CAAC,eAAe,CAAC,MAAM,EAAE;SAChF,CAAA;IACH,CAAC;IAED,MAAM,SAAS,GACb,MAAM,CAAC,gBAAgB,KAAK,SAAS;QACrC,MAAM,CAAC,aAAa,KAAK,SAAS,CAAA;IAEpC,MAAM,kBAAkB,GAAG,MAAM,CAAC,yBAAyB;QACzD,CAAC,CAAC,mBAAmB,CAAC,MAAM,CAAC,yBAAyB,CAAC;QACvD,CAAC,CAAC,mBAAmB,CAAC,MAAM,CAAC,eAAe,CAAC,CAAA;IAE/C,MAAM,KAAK,GAAG,IAAI,eAAe,CAAC;QAChC,QAAQ,EAAE,mBAAmB,CAAC,MAAM,CAAC,eAAe,CAAC;QACrD,MAAM,EAAE,WAAW;QACnB,OAAO,EAAE,SAAS;QAClB,sBAAsB,EAAE,KAAK;QAC7B,4DAA4D;QAC5D,iEAAiE;QACjE,iEAAiE;QACjE,WAAW;QACX,GAAG,CAAC,MAAM,CAAC,iBAAiB,KAAK,SAAS;YACxC,CAAC,CAAC;gBACE,iBAAiB,EAAE,MAAM,CAAC,iBAAiB;gBAC3C,cAAc,EAAE,kBAAkB;aACnC;YACH,CAAC,CAAC,EAAE,CAAC;KACR,CAAC,CAAA;IAEF,IAAI,OAAgC,CAAA;IACpC,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,KAAK,CAAC,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,CAAA;QACjD,OAAO,GAAG,MAAM,CAAC,OAAkC,CAAA;IACrD,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,OAAO;YACL,KAAK,EAAE,KAAK;YACZ,MAAM,EAAE,EAAE;YACV,KAAK,EAAE,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC;SAClD,CAAA;IACH,CAAC;IAED,IAAI,SAAS,EAAE,CAAC;QACd,MAAM,MAAM,GAAG,YAAY,CAAC,MAAM,CAAC,OAAO,CAAC,CAAA;QAC3C,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,MAAM,EAAE,EAAE;gBACV,KAAK,EAAE,iDAAiD;aACzD,CAAA;QACH,CAAC;QAED,MAAM,GAAG,GAAI,OAAuC,CAAC,GAAG,CAAA;QACxD,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,CAAC;YACd,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,MAAM,EAAE,EAAE;gBACV,KAAK,EAAE,uDAAuD;aAC/D,CAAA;QACH,CAAC;QACD,IAAI,QAAoB,CAAA;QACxB,IAAI,CAAC;YACH,QAAQ,GAAG,uBAAuB,CAAC,GAAG,CAAC,GAAG,CAAC,CAAA;QAC7C,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,MAAM,EAAE,EAAE;gBACV,KAAK,EAAE,oBAAoB,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE;aACxE,CAAA;QACH,CAAC;QAED,MAAM,KAAK,GAAG,MAAM,iBAAiB,CAAC,MAAM,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAA;QACjE,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,MAAM,EAAE,EAAE;gBACV,KAAK,EAAE,6DAA6D;aACrE,CAAA;QACH,CAAC;QAED,IACE,MAAM,CAAC,gBAAgB,KAAK,SAAS;YACrC,MAAM,CAAC,OAAO,CAAC,GAAG,KAAK,MAAM,CAAC,gBAAgB,EAC9C,CAAC;YACD,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,MAAM,EAAE,EAAE;gBACV,KAAK,EAAE,iCAAiC,MAAM,CAAC,gBAAgB,SAAS,MAAM,CAAC,OAAO,CAAC,GAAG,IAAI,WAAW,EAAE;aAC5G,CAAA;QACH,CAAC;QAED,IACE,MAAM,CAAC,aAAa,KAAK,SAAS;YAClC,MAAM,CAAC,OAAO,CAAC,KAAK,KAAK,MAAM,CAAC,aAAa,EAC7C,CAAC;YACD,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,MAAM,EAAE,EAAE;gBACV,KAAK,EAAE,mCAAmC,MAAM,CAAC,aAAa,SAAS,MAAM,CAAC,OAAO,CAAC,KAAK,IAAI,WAAW,EAAE;aAC7G,CAAA;QACH,CAAC;QAED,qEAAqE;QACrE,+DAA+D;QAC/D,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,KAAK,SAAS,EAAE,CAAC;YACzC,MAAM,YAAY,GAAG,WAAW,CAC9B,MAAM,CAAC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,CACnD,CAAA;YACD,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,KAAK,YAAY,EAAE,CAAC;gBAC5C,OAAO;oBACL,KAAK,EAAE,KAAK;oBACZ,MAAM,EAAE,EAAE;oBACV,KAAK,EAAE,yDAAyD;iBACjE,CAAA;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAED,gEAAgE;IAChE,+DAA+D;IAC/D,+CAA+C;IAC/C,MAAM,MAAM,GAA4B,EAAE,CAAA;IAC1C,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;QAC7C,IAAI,CAAC,KAAK,KAAK,IAAI,CAAC,KAAK,SAAS,IAAI,CAAC,KAAK,KAAK;YAAE,SAAQ;QAC3D,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC,CAAA;IACf,CAAC;IAED,MAAM,GAAG,GAAuB,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,CAAA;IACvD,IAAI,OAAO,OAAO,CAAC,KAAK,CAAC,KAAK,QAAQ;QAAE,GAAG,CAAC,MAAM,GAAG,OAAO,CAAC,KAAK,CAAC,CAAA;IACnE,IAAI,OAAO,OAAO,CAAC,KAAK,CAAC,KAAK,QAAQ;QAAE,GAAG,CAAC,GAAG,GAAG,OAAO,CAAC,KAAK,CAAC,CAAA;IAChE,OAAO,GAAG,CAAA;AACZ,CAAC"}
@@ -13,7 +13,7 @@ function rowToVC(row) {
13
13
  proof: {
14
14
  type: 'Ed25519Signature2020',
15
15
  created: row.issued_at.toISOString(),
16
- verificationMethod: `${row.issuer_did}#key-1`,
16
+ verificationMethod: `${row.issuer_did}#key-0`,
17
17
  proofPurpose: 'assertionMethod',
18
18
  proofValue: row.proof_value,
19
19
  },
@@ -1,5 +1,24 @@
1
1
  import type { DID, DIDDocument } from '@solidus-network/types';
2
+ import type { ChainTransaction } from '../chain/transaction.js';
2
3
  export declare function didCreate(publicKeyHex: string): Promise<DID>;
3
4
  export declare function didResolve(did: string): Promise<DIDDocument | null>;
4
5
  export declare function didDeactivate(did: string, _signerKey: string): Promise<void>;
6
+ /**
7
+ * Stub-mode `buildCreate`. Produces a shape-compatible `ChainTransaction`
8
+ * envelope so callers can write a single relay-style code path that runs
9
+ * unchanged in stub and chain modes. The "signature" is meaningless in
10
+ * stub mode — there is no chain to verify against — but the payload is
11
+ * faithful so that `submitCreate` can extract `public_key`.
12
+ */
13
+ export declare function didBuildCreate(opts: {
14
+ signerPrivateKey: string;
15
+ publicKey?: string;
16
+ serviceEndpoints?: unknown[];
17
+ nonce?: number;
18
+ }): Promise<ChainTransaction>;
19
+ /**
20
+ * Stub-mode `submitCreate`. Parses the publicKey out of the supplied tx
21
+ * and delegates to the existing `didCreate` to insert the row.
22
+ */
23
+ export declare function didSubmitCreate(signedTx: ChainTransaction | string): Promise<DID>;
5
24
  //# sourceMappingURL=did.d.ts.map
@@ -1 +1 @@
1
- {"version":3,"file":"did.d.ts","sourceRoot":"","sources":["../../src/stub/did.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,GAAG,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAA;AAYtD,wBAAsB,SAAS,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,CAWlE;AAED,wBAAsB,UAAU,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC,CAgCzE;AAED,wBAAsB,aAAa,CAAC,GAAG,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAKlF"}
1
+ {"version":3,"file":"did.d.ts","sourceRoot":"","sources":["../../src/stub/did.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,GAAG,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAA;AACtD,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAA;AAY/D,wBAAsB,SAAS,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,CAWlE;AAED,wBAAsB,UAAU,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC,CAgCzE;AAED,wBAAsB,aAAa,CAAC,GAAG,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAKlF;AAID;;;;;;GAMG;AACH,wBAAsB,cAAc,CAAC,IAAI,EAAE;IACzC,gBAAgB,EAAE,MAAM,CAAA;IACxB,SAAS,CAAC,EAAE,MAAM,CAAA;IAClB,gBAAgB,CAAC,EAAE,OAAO,EAAE,CAAA;IAC5B,KAAK,CAAC,EAAE,MAAM,CAAA;CACf,GAAG,OAAO,CAAC,gBAAgB,CAAC,CA0B5B;AAED;;;GAGG;AACH,wBAAsB,eAAe,CAAC,QAAQ,EAAE,gBAAgB,GAAG,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,CASvF"}
package/dist/stub/did.js CHANGED
@@ -21,7 +21,7 @@ export async function didResolve(did) {
21
21
  if (rows.length === 0)
22
22
  return null;
23
23
  const row = rows[0];
24
- const vmId = `${row.did}#key-1`;
24
+ const vmId = `${row.did}#key-0`;
25
25
  return {
26
26
  '@context': [
27
27
  'https://www.w3.org/ns/did/v1',
@@ -49,4 +49,58 @@ export async function didDeactivate(did, _signerKey) {
49
49
  UPDATE stub_dids SET deactivated = true, updated_at = now() WHERE did = ${did}
50
50
  `;
51
51
  }
52
+ // ---------- buildCreate / submitCreate (stub) ----------
53
+ /**
54
+ * Stub-mode `buildCreate`. Produces a shape-compatible `ChainTransaction`
55
+ * envelope so callers can write a single relay-style code path that runs
56
+ * unchanged in stub and chain modes. The "signature" is meaningless in
57
+ * stub mode — there is no chain to verify against — but the payload is
58
+ * faithful so that `submitCreate` can extract `public_key`.
59
+ */
60
+ export async function didBuildCreate(opts) {
61
+ if (!opts.signerPrivateKey || opts.signerPrivateKey.length !== 64) {
62
+ throw new Error('didBuildCreate (stub): signerPrivateKey must be a 64-char hex string');
63
+ }
64
+ // Derive the signer pubkey from the privkey hex deterministically. We
65
+ // do NOT run real ed25519 in the stub — for the stub the "pubkey" is
66
+ // simply a marker derived by reversing the privkey bytes. This is
67
+ // sufficient for shape compatibility; chain mode does real signing.
68
+ const signerPubBytes = hexToBytes(opts.signerPrivateKey).reverse();
69
+ const publicKey = opts.publicKey ?? Buffer.from(signerPubBytes).toString('hex');
70
+ if (publicKey.toLowerCase() !== Buffer.from(signerPubBytes).toString('hex').toLowerCase()) {
71
+ throw new Error(`didBuildCreate (stub): signerPrivateKey does not own publicKey (the SDK enforces this invariant in both modes)`);
72
+ }
73
+ return {
74
+ sender_pubkey: Array.from(signerPubBytes),
75
+ nonce: opts.nonce ?? 0,
76
+ payload: {
77
+ DidCreate: {
78
+ public_key: Array.from(hexToBytes(publicKey)),
79
+ service_endpoints: opts.serviceEndpoints ?? [],
80
+ },
81
+ },
82
+ signature: Array(64).fill(0),
83
+ };
84
+ }
85
+ /**
86
+ * Stub-mode `submitCreate`. Parses the publicKey out of the supplied tx
87
+ * and delegates to the existing `didCreate` to insert the row.
88
+ */
89
+ export async function didSubmitCreate(signedTx) {
90
+ const tx = typeof signedTx === 'string' ? JSON.parse(signedTx) : signedTx;
91
+ const payload = tx.payload;
92
+ const payloadPub = payload?.DidCreate?.public_key;
93
+ if (!Array.isArray(payloadPub) || payloadPub.length !== 32) {
94
+ throw new Error('didSubmitCreate (stub): tx is not a DidCreate with a 32-byte public_key');
95
+ }
96
+ const publicKeyHex = Buffer.from(Uint8Array.from(payloadPub)).toString('hex');
97
+ return didCreate(publicKeyHex);
98
+ }
99
+ function hexToBytes(hex) {
100
+ const out = new Uint8Array(hex.length / 2);
101
+ for (let i = 0; i < hex.length; i += 2) {
102
+ out[i / 2] = parseInt(hex.substring(i, i + 2), 16);
103
+ }
104
+ return out;
105
+ }
52
106
  //# sourceMappingURL=did.js.map
@@ -1 +1 @@
1
- {"version":3,"file":"did.js","sourceRoot":"","sources":["../../src/stub/did.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAA;AAExC,OAAO,EAAE,MAAM,EAAE,MAAM,SAAS,CAAA;AAChC,OAAO,EAAE,eAAe,EAAE,MAAM,aAAa,CAAA;AAU7C,MAAM,CAAC,KAAK,UAAU,SAAS,CAAC,YAAoB;IAClD,MAAM,GAAG,GAAG,MAAM,EAAE,CAAA;IACpB,MAAM,EAAE,GAAG,oBAAoB,UAAU,EAAE,EAAE,CAAA;IAC7C,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAA;IAEpC,MAAM,GAAG,CAAA;;cAEG,EAAE,KAAK,YAAY,KAAK,EAAE;GACrC,CAAA;IAED,OAAO,EAAE,EAAE,EAAE,UAAU,EAAE,EAAE,EAAE,OAAO,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,OAAO,EAAE,MAAM,EAAE,CAAA;AAC5E,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,UAAU,CAAC,GAAW;IAC1C,MAAM,GAAG,GAAG,MAAM,EAAE,CAAA;IACpB,MAAM,IAAI,GAAG,MAAM,GAAG,CAAU;;;kBAGhB,GAAG;GAClB,CAAA;IACD,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAA;IAElC,MAAM,GAAG,GAAG,IAAI,CAAC,CAAC,CAAE,CAAA;IACpB,MAAM,IAAI,GAAG,GAAG,GAAG,CAAC,GAAG,QAAQ,CAAA;IAE/B,OAAO;QACL,UAAU,EAAE;YACV,8BAA8B;YAC9B,kDAAkD;SACnD;QACD,EAAE,EAAE,GAAG,CAAC,GAAG;QACX,UAAU,EAAE,GAAG,CAAC,UAAU;QAC1B,kBAAkB,EAAE;YAClB;gBACE,EAAE,EAAE,IAAI;gBACR,IAAI,EAAE,4BAA4B;gBAClC,UAAU,EAAE,GAAG,CAAC,GAAG;gBACnB,kBAAkB,EAAE,eAAe,CAAC,GAAG,CAAC,UAAU,CAAC;aACpD;SACF;QACD,cAAc,EAAE,CAAC,IAAI,CAAC;QACtB,eAAe,EAAE,CAAC,IAAI,CAAC;QACvB,OAAO,EAAE,GAAG,CAAC,UAAU,CAAC,WAAW,EAAE;QACrC,OAAO,EAAE,GAAG,CAAC,UAAU,CAAC,WAAW,EAAE;KACtC,CAAA;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,aAAa,CAAC,GAAW,EAAE,UAAkB;IACjE,MAAM,GAAG,GAAG,MAAM,EAAE,CAAA;IACpB,MAAM,GAAG,CAAA;8EACmE,GAAG;GAC9E,CAAA;AACH,CAAC"}
1
+ {"version":3,"file":"did.js","sourceRoot":"","sources":["../../src/stub/did.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAA;AAGxC,OAAO,EAAE,MAAM,EAAE,MAAM,SAAS,CAAA;AAChC,OAAO,EAAE,eAAe,EAAE,MAAM,aAAa,CAAA;AAU7C,MAAM,CAAC,KAAK,UAAU,SAAS,CAAC,YAAoB;IAClD,MAAM,GAAG,GAAG,MAAM,EAAE,CAAA;IACpB,MAAM,EAAE,GAAG,oBAAoB,UAAU,EAAE,EAAE,CAAA;IAC7C,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAA;IAEpC,MAAM,GAAG,CAAA;;cAEG,EAAE,KAAK,YAAY,KAAK,EAAE;GACrC,CAAA;IAED,OAAO,EAAE,EAAE,EAAE,UAAU,EAAE,EAAE,EAAE,OAAO,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,OAAO,EAAE,MAAM,EAAE,CAAA;AAC5E,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,UAAU,CAAC,GAAW;IAC1C,MAAM,GAAG,GAAG,MAAM,EAAE,CAAA;IACpB,MAAM,IAAI,GAAG,MAAM,GAAG,CAAU;;;kBAGhB,GAAG;GAClB,CAAA;IACD,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAA;IAElC,MAAM,GAAG,GAAG,IAAI,CAAC,CAAC,CAAE,CAAA;IACpB,MAAM,IAAI,GAAG,GAAG,GAAG,CAAC,GAAG,QAAQ,CAAA;IAE/B,OAAO;QACL,UAAU,EAAE;YACV,8BAA8B;YAC9B,kDAAkD;SACnD;QACD,EAAE,EAAE,GAAG,CAAC,GAAG;QACX,UAAU,EAAE,GAAG,CAAC,UAAU;QAC1B,kBAAkB,EAAE;YAClB;gBACE,EAAE,EAAE,IAAI;gBACR,IAAI,EAAE,4BAA4B;gBAClC,UAAU,EAAE,GAAG,CAAC,GAAG;gBACnB,kBAAkB,EAAE,eAAe,CAAC,GAAG,CAAC,UAAU,CAAC;aACpD;SACF;QACD,cAAc,EAAE,CAAC,IAAI,CAAC;QACtB,eAAe,EAAE,CAAC,IAAI,CAAC;QACvB,OAAO,EAAE,GAAG,CAAC,UAAU,CAAC,WAAW,EAAE;QACrC,OAAO,EAAE,GAAG,CAAC,UAAU,CAAC,WAAW,EAAE;KACtC,CAAA;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,aAAa,CAAC,GAAW,EAAE,UAAkB;IACjE,MAAM,GAAG,GAAG,MAAM,EAAE,CAAA;IACpB,MAAM,GAAG,CAAA;8EACmE,GAAG;GAC9E,CAAA;AACH,CAAC;AAED,0DAA0D;AAE1D;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAAC,IAKpC;IACC,IAAI,CAAC,IAAI,CAAC,gBAAgB,IAAI,IAAI,CAAC,gBAAgB,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;QAClE,MAAM,IAAI,KAAK,CAAC,sEAAsE,CAAC,CAAA;IACzF,CAAC;IACD,sEAAsE;IACtE,qEAAqE;IACrE,kEAAkE;IAClE,oEAAoE;IACpE,MAAM,cAAc,GAAG,UAAU,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC,OAAO,EAAE,CAAA;IAClE,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,IAAI,MAAM,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAA;IAC/E,IAAI,SAAS,CAAC,WAAW,EAAE,KAAK,MAAM,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,WAAW,EAAE,EAAE,CAAC;QAC1F,MAAM,IAAI,KAAK,CACb,gHAAgH,CACjH,CAAA;IACH,CAAC;IACD,OAAO;QACL,aAAa,EAAE,KAAK,CAAC,IAAI,CAAC,cAAc,CAAC;QACzC,KAAK,EAAE,IAAI,CAAC,KAAK,IAAI,CAAC;QACtB,OAAO,EAAE;YACP,SAAS,EAAE;gBACT,UAAU,EAAE,KAAK,CAAC,IAAI,CAAC,UAAU,CAAC,SAAS,CAAC,CAAC;gBAC7C,iBAAiB,EAAE,IAAI,CAAC,gBAAgB,IAAI,EAAE;aAC/C;SACF;QACD,SAAS,EAAE,KAAK,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC;KAC7B,CAAA;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CAAC,QAAmC;IACvE,MAAM,EAAE,GAAqB,OAAO,QAAQ,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAA;IAC3F,MAAM,OAAO,GAAG,EAAE,CAAC,OAAgE,CAAA;IACnF,MAAM,UAAU,GAAG,OAAO,EAAE,SAAS,EAAE,UAAU,CAAA;IACjD,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,UAAU,CAAC,IAAI,UAAU,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;QAC3D,MAAM,IAAI,KAAK,CAAC,yEAAyE,CAAC,CAAA;IAC5F,CAAC;IACD,MAAM,YAAY,GAAG,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAA;IAC7E,OAAO,SAAS,CAAC,YAAY,CAAC,CAAA;AAChC,CAAC;AAED,SAAS,UAAU,CAAC,GAAW;IAC7B,MAAM,GAAG,GAAG,IAAI,UAAU,CAAC,GAAG,CAAC,MAAM,GAAG,CAAC,CAAC,CAAA;IAC1C,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,GAAG,CAAC,MAAM,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC;QACvC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,GAAG,QAAQ,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,EAAE,EAAE,CAAC,CAAA;IACpD,CAAC;IACD,OAAO,GAAG,CAAA;AACZ,CAAC"}
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@solidus-network/sdk",
3
- "version": "0.2.0",
3
+ "version": "0.5.0",
4
4
  "description": "Solidus Network SDK — DID resolution, verifiable credential issuance and verification, SD-JWT VC (EUDI-compatible), and on-chain queries via JSON-RPC.",
5
5
  "type": "module",
6
6
  "main": "./dist/index.js",
@@ -17,8 +17,8 @@
17
17
  "@noble/hashes": "^1.5.0",
18
18
  "@sd-jwt/sd-jwt-vc": "^0.19.0",
19
19
  "@sd-jwt/types": "^0.19.0",
20
- "@solidus-network/auth": "0.2.0",
21
- "@solidus-network/types": "0.2.0",
20
+ "@solidus-network/auth": "0.5.0",
21
+ "@solidus-network/types": "0.5.0",
22
22
  "bs58": "^6.0.0",
23
23
  "postgres": "^3.4.4"
24
24
  },