@solidus-network/sdk 0.2.0 → 0.5.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/chain/chainInfo.d.ts +37 -0
- package/dist/chain/chainInfo.d.ts.map +1 -0
- package/dist/chain/chainInfo.js +22 -0
- package/dist/chain/chainInfo.js.map +1 -0
- package/dist/chain/credentials.d.ts.map +1 -1
- package/dist/chain/credentials.js +3 -16
- package/dist/chain/credentials.js.map +1 -1
- package/dist/chain/did.d.ts +43 -0
- package/dist/chain/did.d.ts.map +1 -1
- package/dist/chain/did.js +111 -49
- package/dist/chain/did.js.map +1 -1
- package/dist/chain/index.d.ts.map +1 -1
- package/dist/chain/index.js +7 -0
- package/dist/chain/index.js.map +1 -1
- package/dist/chain/transaction.d.ts +28 -0
- package/dist/chain/transaction.d.ts.map +1 -1
- package/dist/chain/transaction.js +20 -0
- package/dist/chain/transaction.js.map +1 -1
- package/dist/chain/transfer.d.ts +26 -0
- package/dist/chain/transfer.d.ts.map +1 -0
- package/dist/chain/transfer.js +32 -0
- package/dist/chain/transfer.js.map +1 -0
- package/dist/index.d.ts +76 -2
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +9 -3
- package/dist/index.js.map +1 -1
- package/dist/sdjwt/index.d.ts +5 -1
- package/dist/sdjwt/index.d.ts.map +1 -1
- package/dist/sdjwt/index.js +3 -0
- package/dist/sdjwt/index.js.map +1 -1
- package/dist/sdjwt/issue.d.ts.map +1 -1
- package/dist/sdjwt/issue.js +49 -8
- package/dist/sdjwt/issue.js.map +1 -1
- package/dist/sdjwt/present.d.ts +15 -0
- package/dist/sdjwt/present.d.ts.map +1 -0
- package/dist/sdjwt/present.js +80 -0
- package/dist/sdjwt/present.js.map +1 -0
- package/dist/sdjwt/signer.d.ts +16 -0
- package/dist/sdjwt/signer.d.ts.map +1 -1
- package/dist/sdjwt/signer.js +27 -0
- package/dist/sdjwt/signer.js.map +1 -1
- package/dist/sdjwt/status-list.d.ts +61 -0
- package/dist/sdjwt/status-list.d.ts.map +1 -0
- package/dist/sdjwt/status-list.js +63 -0
- package/dist/sdjwt/status-list.js.map +1 -0
- package/dist/sdjwt/types.d.ts +96 -5
- package/dist/sdjwt/types.d.ts.map +1 -1
- package/dist/sdjwt/verify.d.ts +17 -4
- package/dist/sdjwt/verify.d.ts.map +1 -1
- package/dist/sdjwt/verify.js +171 -22
- package/dist/sdjwt/verify.js.map +1 -1
- package/dist/stub/credentials.js +1 -1
- package/dist/stub/did.d.ts +19 -0
- package/dist/stub/did.d.ts.map +1 -1
- package/dist/stub/did.js +55 -1
- package/dist/stub/did.js.map +1 -1
- package/package.json +3 -3
package/dist/sdjwt/types.d.ts
CHANGED
|
@@ -33,18 +33,38 @@ export interface IssueSdJwtVcParams {
|
|
|
33
33
|
*/
|
|
34
34
|
issuerPrivateKey: Uint8Array;
|
|
35
35
|
/**
|
|
36
|
-
* Subject-claim paths that should be disclosable. Each entry is
|
|
37
|
-
* top-level
|
|
38
|
-
* nested
|
|
39
|
-
* claim is disclosable
|
|
36
|
+
* Subject-claim paths that should be disclosable. Each entry is
|
|
37
|
+
* either a top-level key (`'birthdate'`) or a dotted path into a
|
|
38
|
+
* nested object (`'address.street'`). If omitted, every top-level
|
|
39
|
+
* subject claim except `id` is disclosable; nested objects are not
|
|
40
|
+
* auto-expanded — pass explicit paths to selectively disclose them.
|
|
40
41
|
*
|
|
41
|
-
* @example ['birthdate', 'address']
|
|
42
|
+
* @example ['birthdate', 'address.street', 'address.city']
|
|
42
43
|
*/
|
|
43
44
|
disclosable?: string[];
|
|
44
45
|
/** RFC 3339 timestamp; sd-jwt-vc maps this to `nbf`. Defaults to now. */
|
|
45
46
|
validFrom?: string;
|
|
46
47
|
/** RFC 3339 timestamp; sd-jwt-vc maps this to `exp`. Optional. */
|
|
47
48
|
validUntil?: string;
|
|
49
|
+
/**
|
|
50
|
+
* Optional 32-byte Ed25519 public key of the *holder*. When provided,
|
|
51
|
+
* the issued SD-JWT embeds a `cnf.jwk` claim binding the credential
|
|
52
|
+
* to this key — required if the verifier is going to enforce a
|
|
53
|
+
* Key-Binding JWT at presentation time. Omit to issue a bearer
|
|
54
|
+
* credential (Phase 1 default).
|
|
55
|
+
*/
|
|
56
|
+
holderPublicKey?: Uint8Array;
|
|
57
|
+
/**
|
|
58
|
+
* Optional reference into a status list (draft-ietf-oauth-status-list).
|
|
59
|
+
* When set, the issued SD-JWT carries `status: { status_list: { uri,
|
|
60
|
+
* idx } }`; verifiers that supply a `statusListFetcher` will fetch
|
|
61
|
+
* the list, look up bit `idx`, and reject the credential if the
|
|
62
|
+
* status indicates revocation.
|
|
63
|
+
*/
|
|
64
|
+
status?: {
|
|
65
|
+
uri: string;
|
|
66
|
+
idx: number;
|
|
67
|
+
};
|
|
48
68
|
}
|
|
49
69
|
/**
|
|
50
70
|
* The compact-serialised SD-JWT VC, plus metadata. The `compact` field
|
|
@@ -70,6 +90,77 @@ export interface VerifySdJwtVcParams {
|
|
|
70
90
|
* from the chain client.
|
|
71
91
|
*/
|
|
72
92
|
issuerPublicKey: Uint8Array;
|
|
93
|
+
/**
|
|
94
|
+
* If provided, the verifier requires a valid Key-Binding JWT and
|
|
95
|
+
* checks the KB-JWT's `aud` claim against this value. Use this to
|
|
96
|
+
* stop a stolen presentation from being replayed against a different
|
|
97
|
+
* verifier.
|
|
98
|
+
*/
|
|
99
|
+
expectedAudience?: string;
|
|
100
|
+
/**
|
|
101
|
+
* If provided, the verifier requires a valid Key-Binding JWT and
|
|
102
|
+
* checks the KB-JWT's `nonce` claim against this value. The verifier
|
|
103
|
+
* is responsible for generating a fresh nonce per presentation
|
|
104
|
+
* request and remembering it for the duration of the round-trip.
|
|
105
|
+
*/
|
|
106
|
+
expectedNonce?: string;
|
|
107
|
+
/**
|
|
108
|
+
* Callback that fetches the status-list JWT at a given URI. Required
|
|
109
|
+
* to enable revocation checking; if absent the verifier skips the
|
|
110
|
+
* status check (treats every credential as live). In production the
|
|
111
|
+
* caller usually wires this to `fetch()`; tests can use an in-memory
|
|
112
|
+
* map.
|
|
113
|
+
*/
|
|
114
|
+
statusListFetcher?: (uri: string) => Promise<string>;
|
|
115
|
+
/**
|
|
116
|
+
* Verifier callback for the *status list JWT*'s signature. The
|
|
117
|
+
* status list JWT is signed by the issuer (or a status-list-specific
|
|
118
|
+
* key); pass the public key here. If omitted, the same issuerPublicKey
|
|
119
|
+
* used for the SD-JWT is reused — appropriate when the issuer signs
|
|
120
|
+
* its own status lists.
|
|
121
|
+
*/
|
|
122
|
+
statusListIssuerPublicKey?: Uint8Array;
|
|
123
|
+
}
|
|
124
|
+
/** Parameters accepted by [`presentSdJwtVc`]. */
|
|
125
|
+
export interface PresentSdJwtVcParams {
|
|
126
|
+
/** Compact-serialised SD-JWT VC as issued (with all disclosures attached). */
|
|
127
|
+
compact: string;
|
|
128
|
+
/**
|
|
129
|
+
* Paths of the subject claims to reveal in this presentation. Each
|
|
130
|
+
* entry is either a top-level key (`'firstName'`) or a dotted path
|
|
131
|
+
* into a nested object (`'address.street'`). Any disclosure not
|
|
132
|
+
* listed here is omitted from the presented compact form; the
|
|
133
|
+
* verifier still sees the hash but cannot recover the value.
|
|
134
|
+
*
|
|
135
|
+
* @example ['firstName', 'address.street']
|
|
136
|
+
*/
|
|
137
|
+
claimsToReveal: string[];
|
|
138
|
+
/**
|
|
139
|
+
* Holder's raw 32-byte Ed25519 *private* key. Must be the partner of
|
|
140
|
+
* the `holderPublicKey` that was bound at issuance time via `cnf.jwk`.
|
|
141
|
+
* Required because Phase 2 always emits a Key-Binding JWT — bearer
|
|
142
|
+
* presentations stay on the Phase-1 verify path with no `aud`/`nonce`.
|
|
143
|
+
*/
|
|
144
|
+
holderPrivateKey: Uint8Array;
|
|
145
|
+
/**
|
|
146
|
+
* Audience identifier for the verifier (typically the verifier's
|
|
147
|
+
* client_id or origin). Becomes the `aud` claim of the KB-JWT.
|
|
148
|
+
*/
|
|
149
|
+
audience: string;
|
|
150
|
+
/**
|
|
151
|
+
* Fresh, single-use nonce supplied by the verifier. Becomes the
|
|
152
|
+
* `nonce` claim of the KB-JWT.
|
|
153
|
+
*/
|
|
154
|
+
nonce: string;
|
|
155
|
+
}
|
|
156
|
+
/** Result of [`presentSdJwtVc`]. */
|
|
157
|
+
export interface PresentationResult {
|
|
158
|
+
/**
|
|
159
|
+
* Compact-serialised presentation:
|
|
160
|
+
* `<jws>~<revealed_d1>~<revealed_d2>~<kb-jwt>`. Note that the trailing
|
|
161
|
+
* `~` before the KB-JWT is part of the spec.
|
|
162
|
+
*/
|
|
163
|
+
compact: string;
|
|
73
164
|
}
|
|
74
165
|
export interface VerificationResult {
|
|
75
166
|
/** True if signature, hashes, and freshness all check out. */
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/sdjwt/types.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,+CAA+C;AAC/C,MAAM,WAAW,kBAAkB;IACjC;;;OAGG;IACH,MAAM,EAAE,MAAM,CAAA;IAEd;;;;OAIG;IACH,GAAG,EAAE,MAAM,CAAA;IAEX;;;;OAIG;IACH,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;IAEhC;;;OAGG;IACH,gBAAgB,EAAE,UAAU,CAAA;IAE5B
|
|
1
|
+
{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/sdjwt/types.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,+CAA+C;AAC/C,MAAM,WAAW,kBAAkB;IACjC;;;OAGG;IACH,MAAM,EAAE,MAAM,CAAA;IAEd;;;;OAIG;IACH,GAAG,EAAE,MAAM,CAAA;IAEX;;;;OAIG;IACH,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;IAEhC;;;OAGG;IACH,gBAAgB,EAAE,UAAU,CAAA;IAE5B;;;;;;;;OAQG;IACH,WAAW,CAAC,EAAE,MAAM,EAAE,CAAA;IAEtB,yEAAyE;IACzE,SAAS,CAAC,EAAE,MAAM,CAAA;IAElB,kEAAkE;IAClE,UAAU,CAAC,EAAE,MAAM,CAAA;IAEnB;;;;;;OAMG;IACH,eAAe,CAAC,EAAE,UAAU,CAAA;IAE5B;;;;;;OAMG;IACH,MAAM,CAAC,EAAE;QAAE,GAAG,EAAE,MAAM,CAAC;QAAC,GAAG,EAAE,MAAM,CAAA;KAAE,CAAA;CACtC;AAED;;;;GAIG;AACH,MAAM,WAAW,aAAa;IAC5B,uDAAuD;IACvD,OAAO,EAAE,MAAM,CAAA;IAEf,0EAA0E;IAC1E,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;IAEhC,4CAA4C;IAC5C,eAAe,EAAE,MAAM,CAAA;CACxB;AAED,gDAAgD;AAChD,MAAM,WAAW,mBAAmB;IAClC,oCAAoC;IACpC,OAAO,EAAE,MAAM,CAAA;IAEf;;;;;OAKG;IACH,eAAe,EAAE,UAAU,CAAA;IAE3B;;;;;OAKG;IACH,gBAAgB,CAAC,EAAE,MAAM,CAAA;IAEzB;;;;;OAKG;IACH,aAAa,CAAC,EAAE,MAAM,CAAA;IAEtB;;;;;;OAMG;IACH,iBAAiB,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,CAAC,CAAA;IAEpD;;;;;;OAMG;IACH,yBAAyB,CAAC,EAAE,UAAU,CAAA;CACvC;AAED,iDAAiD;AACjD,MAAM,WAAW,oBAAoB;IACnC,8EAA8E;IAC9E,OAAO,EAAE,MAAM,CAAA;IAEf;;;;;;;;OAQG;IACH,cAAc,EAAE,MAAM,EAAE,CAAA;IAExB;;;;;OAKG;IACH,gBAAgB,EAAE,UAAU,CAAA;IAE5B;;;OAGG;IACH,QAAQ,EAAE,MAAM,CAAA;IAEhB;;;OAGG;IACH,KAAK,EAAE,MAAM,CAAA;CACd;AAED,oCAAoC;AACpC,MAAM,WAAW,kBAAkB;IACjC;;;;OAIG;IACH,OAAO,EAAE,MAAM,CAAA;CAChB;AAED,MAAM,WAAW,kBAAkB;IACjC,8DAA8D;IAC9D,KAAK,EAAE,OAAO,CAAA;IAEd;;;;OAIG;IACH,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;IAE/B,oCAAoC;IACpC,MAAM,CAAC,EAAE,MAAM,CAAA;IAEf,gDAAgD;IAChD,GAAG,CAAC,EAAE,MAAM,CAAA;IAEZ,+CAA+C;IAC/C,KAAK,CAAC,EAAE,MAAM,CAAA;CACf"}
|
package/dist/sdjwt/verify.d.ts
CHANGED
|
@@ -1,9 +1,22 @@
|
|
|
1
1
|
/**
|
|
2
|
-
* Verify an SD-JWT VC.
|
|
2
|
+
* Verify an SD-JWT VC, optionally including a Key-Binding JWT.
|
|
3
3
|
*
|
|
4
|
-
* Phase 1
|
|
5
|
-
*
|
|
6
|
-
*
|
|
4
|
+
* Phase 1 verified just the issuer's signature + freshness; Phase 2
|
|
5
|
+
* adds an optional KB-JWT path. When the caller supplies
|
|
6
|
+
* `expectedAudience` and/or `expectedNonce`, the verifier:
|
|
7
|
+
* - requires a KB-JWT to be present in the compact form,
|
|
8
|
+
* - extracts the holder's public key from the SD-JWT's `cnf.jwk`,
|
|
9
|
+
* - verifies the KB-JWT signature against that key,
|
|
10
|
+
* - checks `aud` and `nonce` match the caller's expectations,
|
|
11
|
+
* - confirms `sd_hash` matches the hash of the SD-JWT being presented.
|
|
12
|
+
*
|
|
13
|
+
* If neither expected* is set, the verifier behaves as Phase 1 — bearer
|
|
14
|
+
* presentations remain accepted.
|
|
15
|
+
*
|
|
16
|
+
* KB-JWT parsing is done in this module rather than via sd-jwt-js's
|
|
17
|
+
* `verify()` because sd-jwt-js conflates "extract KB-JWT" and "check
|
|
18
|
+
* nonce" in a single option, leaving us no clean way to surface
|
|
19
|
+
* `aud mismatch` separately from `nonce mismatch`.
|
|
7
20
|
*/
|
|
8
21
|
import type { VerifySdJwtVcParams, VerificationResult } from './types.js';
|
|
9
22
|
export declare function verifySdJwtVc(params: VerifySdJwtVcParams): Promise<VerificationResult>;
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"verify.d.ts","sourceRoot":"","sources":["../../src/sdjwt/verify.ts"],"names":[],"mappings":"AAAA
|
|
1
|
+
{"version":3,"file":"verify.d.ts","sourceRoot":"","sources":["../../src/sdjwt/verify.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAWH,OAAO,KAAK,EAAE,mBAAmB,EAAE,kBAAkB,EAAE,MAAM,YAAY,CAAA;AA4EzE,wBAAsB,aAAa,CACjC,MAAM,EAAE,mBAAmB,GAC1B,OAAO,CAAC,kBAAkB,CAAC,CAuI7B"}
|
package/dist/sdjwt/verify.js
CHANGED
|
@@ -1,12 +1,81 @@
|
|
|
1
1
|
/**
|
|
2
|
-
* Verify an SD-JWT VC.
|
|
2
|
+
* Verify an SD-JWT VC, optionally including a Key-Binding JWT.
|
|
3
3
|
*
|
|
4
|
-
* Phase 1
|
|
5
|
-
*
|
|
6
|
-
*
|
|
4
|
+
* Phase 1 verified just the issuer's signature + freshness; Phase 2
|
|
5
|
+
* adds an optional KB-JWT path. When the caller supplies
|
|
6
|
+
* `expectedAudience` and/or `expectedNonce`, the verifier:
|
|
7
|
+
* - requires a KB-JWT to be present in the compact form,
|
|
8
|
+
* - extracts the holder's public key from the SD-JWT's `cnf.jwk`,
|
|
9
|
+
* - verifies the KB-JWT signature against that key,
|
|
10
|
+
* - checks `aud` and `nonce` match the caller's expectations,
|
|
11
|
+
* - confirms `sd_hash` matches the hash of the SD-JWT being presented.
|
|
12
|
+
*
|
|
13
|
+
* If neither expected* is set, the verifier behaves as Phase 1 — bearer
|
|
14
|
+
* presentations remain accepted.
|
|
15
|
+
*
|
|
16
|
+
* KB-JWT parsing is done in this module rather than via sd-jwt-js's
|
|
17
|
+
* `verify()` because sd-jwt-js conflates "extract KB-JWT" and "check
|
|
18
|
+
* nonce" in a single option, leaving us no clean way to surface
|
|
19
|
+
* `aud mismatch` separately from `nonce mismatch`.
|
|
7
20
|
*/
|
|
8
21
|
import { SDJwtVcInstance } from '@sd-jwt/sd-jwt-vc';
|
|
9
|
-
import
|
|
22
|
+
import * as ed from '@noble/ed25519';
|
|
23
|
+
import { sha256 } from '@noble/hashes/sha2';
|
|
24
|
+
import { ed25519PublicKeyFromJwk, makeEd25519Verifier, sdJwtHasher, } from './signer.js';
|
|
25
|
+
function fromBase64Url(input) {
|
|
26
|
+
const padded = input
|
|
27
|
+
.replace(/-/g, '+')
|
|
28
|
+
.replace(/_/g, '/')
|
|
29
|
+
.padEnd(input.length + ((4 - (input.length % 4)) % 4), '=');
|
|
30
|
+
return new Uint8Array(Buffer.from(padded, 'base64'));
|
|
31
|
+
}
|
|
32
|
+
function toBase64Url(input) {
|
|
33
|
+
return Buffer.from(input)
|
|
34
|
+
.toString('base64')
|
|
35
|
+
.replace(/\+/g, '-')
|
|
36
|
+
.replace(/\//g, '_')
|
|
37
|
+
.replace(/=/g, '');
|
|
38
|
+
}
|
|
39
|
+
/**
|
|
40
|
+
* Decode (without verifying) the KB-JWT off the end of a compact SD-JWT.
|
|
41
|
+
*
|
|
42
|
+
* The compact form is `<jws>~<d1>~<d2>~<kb-jwt>`. The KB-JWT is the
|
|
43
|
+
* final non-empty segment; the `<jws>~<d1>~...~` prefix (with the
|
|
44
|
+
* trailing `~` retained) is what `sd_hash` covers per spec §3.3.
|
|
45
|
+
*/
|
|
46
|
+
function extractKbJwt(compact) {
|
|
47
|
+
const lastTilde = compact.lastIndexOf('~');
|
|
48
|
+
if (lastTilde < 0)
|
|
49
|
+
return null;
|
|
50
|
+
const kbCompact = compact.slice(lastTilde + 1);
|
|
51
|
+
if (kbCompact.length === 0)
|
|
52
|
+
return null;
|
|
53
|
+
const sdJwtBody = compact.slice(0, lastTilde + 1); // includes trailing `~`
|
|
54
|
+
const segments = kbCompact.split('.');
|
|
55
|
+
if (segments.length !== 3)
|
|
56
|
+
return null;
|
|
57
|
+
let payload;
|
|
58
|
+
try {
|
|
59
|
+
payload = JSON.parse(new TextDecoder().decode(fromBase64Url(segments[1])));
|
|
60
|
+
}
|
|
61
|
+
catch {
|
|
62
|
+
return null;
|
|
63
|
+
}
|
|
64
|
+
return { kbCompact, sdJwtBody, payload };
|
|
65
|
+
}
|
|
66
|
+
async function verifyKbSignature(kbCompact, holderPublicKey) {
|
|
67
|
+
const segments = kbCompact.split('.');
|
|
68
|
+
if (segments.length !== 3)
|
|
69
|
+
return false;
|
|
70
|
+
const signingInput = `${segments[0]}.${segments[1]}`;
|
|
71
|
+
const signature = fromBase64Url(segments[2]);
|
|
72
|
+
try {
|
|
73
|
+
return await ed.verifyAsync(signature, new TextEncoder().encode(signingInput), holderPublicKey);
|
|
74
|
+
}
|
|
75
|
+
catch {
|
|
76
|
+
return false;
|
|
77
|
+
}
|
|
78
|
+
}
|
|
10
79
|
export async function verifySdJwtVc(params) {
|
|
11
80
|
if (params.issuerPublicKey.length !== 32) {
|
|
12
81
|
return {
|
|
@@ -15,31 +84,31 @@ export async function verifySdJwtVc(params) {
|
|
|
15
84
|
error: `issuerPublicKey must be 32 bytes, got ${params.issuerPublicKey.length}`,
|
|
16
85
|
};
|
|
17
86
|
}
|
|
87
|
+
const requireKb = params.expectedAudience !== undefined ||
|
|
88
|
+
params.expectedNonce !== undefined;
|
|
89
|
+
const statusListVerifier = params.statusListIssuerPublicKey
|
|
90
|
+
? makeEd25519Verifier(params.statusListIssuerPublicKey)
|
|
91
|
+
: makeEd25519Verifier(params.issuerPublicKey);
|
|
18
92
|
const sdjwt = new SDJwtVcInstance({
|
|
19
93
|
verifier: makeEd25519Verifier(params.issuerPublicKey),
|
|
20
94
|
hasher: sdJwtHasher,
|
|
21
95
|
hashAlg: 'sha-256',
|
|
22
96
|
loadTypeMetadataFormat: false,
|
|
97
|
+
// Wire status-list lookup if the caller supplied a fetcher.
|
|
98
|
+
// sd-jwt-vc fetches the status-list JWT, verifies its signature,
|
|
99
|
+
// looks up `idx`, and (by default) treats any non-zero status as
|
|
100
|
+
// revoked.
|
|
101
|
+
...(params.statusListFetcher !== undefined
|
|
102
|
+
? {
|
|
103
|
+
statusListFetcher: params.statusListFetcher,
|
|
104
|
+
statusVerifier: statusListVerifier,
|
|
105
|
+
}
|
|
106
|
+
: {}),
|
|
23
107
|
});
|
|
108
|
+
let payload;
|
|
24
109
|
try {
|
|
25
110
|
const result = await sdjwt.verify(params.compact);
|
|
26
|
-
|
|
27
|
-
// sd-jwt-js's verify() reconstructs the disclosed claims and merges
|
|
28
|
-
// them into the payload, dropping the `_sd` arrays. So
|
|
29
|
-
// `result.payload` is already the full revealed claim set.
|
|
30
|
-
const claims = {};
|
|
31
|
-
for (const [k, v] of Object.entries(payload)) {
|
|
32
|
-
// Drop SD-JWT housekeeping fields from the user-facing claim set.
|
|
33
|
-
if (k === '_sd' || k === '_sd_alg' || k === 'cnf')
|
|
34
|
-
continue;
|
|
35
|
-
claims[k] = v;
|
|
36
|
-
}
|
|
37
|
-
const out = { valid: true, claims };
|
|
38
|
-
if (typeof payload['iss'] === 'string')
|
|
39
|
-
out.issuer = payload['iss'];
|
|
40
|
-
if (typeof payload['vct'] === 'string')
|
|
41
|
-
out.vct = payload['vct'];
|
|
42
|
-
return out;
|
|
111
|
+
payload = result.payload;
|
|
43
112
|
}
|
|
44
113
|
catch (e) {
|
|
45
114
|
return {
|
|
@@ -48,5 +117,85 @@ export async function verifySdJwtVc(params) {
|
|
|
48
117
|
error: e instanceof Error ? e.message : String(e),
|
|
49
118
|
};
|
|
50
119
|
}
|
|
120
|
+
if (requireKb) {
|
|
121
|
+
const parsed = extractKbJwt(params.compact);
|
|
122
|
+
if (!parsed) {
|
|
123
|
+
return {
|
|
124
|
+
valid: false,
|
|
125
|
+
claims: {},
|
|
126
|
+
error: 'KB-JWT required but not present in compact form',
|
|
127
|
+
};
|
|
128
|
+
}
|
|
129
|
+
const cnf = payload.cnf;
|
|
130
|
+
if (!cnf?.jwk) {
|
|
131
|
+
return {
|
|
132
|
+
valid: false,
|
|
133
|
+
claims: {},
|
|
134
|
+
error: 'SD-JWT does not bind a holder key (`cnf.jwk` missing)',
|
|
135
|
+
};
|
|
136
|
+
}
|
|
137
|
+
let holderPk;
|
|
138
|
+
try {
|
|
139
|
+
holderPk = ed25519PublicKeyFromJwk(cnf.jwk);
|
|
140
|
+
}
|
|
141
|
+
catch (e) {
|
|
142
|
+
return {
|
|
143
|
+
valid: false,
|
|
144
|
+
claims: {},
|
|
145
|
+
error: `cnf.jwk invalid: ${e instanceof Error ? e.message : String(e)}`,
|
|
146
|
+
};
|
|
147
|
+
}
|
|
148
|
+
const sigOk = await verifyKbSignature(parsed.kbCompact, holderPk);
|
|
149
|
+
if (!sigOk) {
|
|
150
|
+
return {
|
|
151
|
+
valid: false,
|
|
152
|
+
claims: {},
|
|
153
|
+
error: 'KB-JWT signature does not match the holder key from cnf.jwk',
|
|
154
|
+
};
|
|
155
|
+
}
|
|
156
|
+
if (params.expectedAudience !== undefined &&
|
|
157
|
+
parsed.payload.aud !== params.expectedAudience) {
|
|
158
|
+
return {
|
|
159
|
+
valid: false,
|
|
160
|
+
claims: {},
|
|
161
|
+
error: `KB-JWT aud mismatch: expected ${params.expectedAudience}, got ${parsed.payload.aud ?? '<missing>'}`,
|
|
162
|
+
};
|
|
163
|
+
}
|
|
164
|
+
if (params.expectedNonce !== undefined &&
|
|
165
|
+
parsed.payload.nonce !== params.expectedNonce) {
|
|
166
|
+
return {
|
|
167
|
+
valid: false,
|
|
168
|
+
claims: {},
|
|
169
|
+
error: `KB-JWT nonce mismatch: expected ${params.expectedNonce}, got ${parsed.payload.nonce ?? '<missing>'}`,
|
|
170
|
+
};
|
|
171
|
+
}
|
|
172
|
+
// Confirm sd_hash matches the SHA-256 of the SD-JWT body (everything
|
|
173
|
+
// before the KB-JWT, with the trailing `~` retained per spec).
|
|
174
|
+
if (parsed.payload.sd_hash !== undefined) {
|
|
175
|
+
const expectedHash = toBase64Url(sha256(new TextEncoder().encode(parsed.sdJwtBody)));
|
|
176
|
+
if (parsed.payload.sd_hash !== expectedHash) {
|
|
177
|
+
return {
|
|
178
|
+
valid: false,
|
|
179
|
+
claims: {},
|
|
180
|
+
error: 'KB-JWT sd_hash does not cover the presented SD-JWT body',
|
|
181
|
+
};
|
|
182
|
+
}
|
|
183
|
+
}
|
|
184
|
+
}
|
|
185
|
+
// sd-jwt-js's verify() reconstructs disclosed claims and merges
|
|
186
|
+
// them into the payload, dropping the `_sd` arrays. The caller
|
|
187
|
+
// should never see SD-JWT housekeeping fields.
|
|
188
|
+
const claims = {};
|
|
189
|
+
for (const [k, v] of Object.entries(payload)) {
|
|
190
|
+
if (k === '_sd' || k === '_sd_alg' || k === 'cnf')
|
|
191
|
+
continue;
|
|
192
|
+
claims[k] = v;
|
|
193
|
+
}
|
|
194
|
+
const out = { valid: true, claims };
|
|
195
|
+
if (typeof payload['iss'] === 'string')
|
|
196
|
+
out.issuer = payload['iss'];
|
|
197
|
+
if (typeof payload['vct'] === 'string')
|
|
198
|
+
out.vct = payload['vct'];
|
|
199
|
+
return out;
|
|
51
200
|
}
|
|
52
201
|
//# sourceMappingURL=verify.js.map
|
package/dist/sdjwt/verify.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"verify.js","sourceRoot":"","sources":["../../src/sdjwt/verify.ts"],"names":[],"mappings":"AAAA
|
|
1
|
+
{"version":3,"file":"verify.js","sourceRoot":"","sources":["../../src/sdjwt/verify.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAEH,OAAO,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAA;AAEnD,OAAO,KAAK,EAAE,MAAM,gBAAgB,CAAA;AACpC,OAAO,EAAE,MAAM,EAAE,MAAM,oBAAoB,CAAA;AAC3C,OAAO,EACL,uBAAuB,EACvB,mBAAmB,EACnB,WAAW,GACZ,MAAM,aAAa,CAAA;AAGpB,SAAS,aAAa,CAAC,KAAa;IAClC,MAAM,MAAM,GAAG,KAAK;SACjB,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC;SAClB,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC;SAClB,MAAM,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,EAAE,GAAG,CAAC,CAAA;IAC7D,OAAO,IAAI,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC,CAAA;AACtD,CAAC;AAED,SAAS,WAAW,CAAC,KAAiB;IACpC,OAAO,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC;SACtB,QAAQ,CAAC,QAAQ,CAAC;SAClB,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;SACnB,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;SACnB,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAA;AACtB,CAAC;AAeD;;;;;;GAMG;AACH,SAAS,YAAY,CAAC,OAAe;IACnC,MAAM,SAAS,GAAG,OAAO,CAAC,WAAW,CAAC,GAAG,CAAC,CAAA;IAC1C,IAAI,SAAS,GAAG,CAAC;QAAE,OAAO,IAAI,CAAA;IAC9B,MAAM,SAAS,GAAG,OAAO,CAAC,KAAK,CAAC,SAAS,GAAG,CAAC,CAAC,CAAA;IAC9C,IAAI,SAAS,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAA;IACvC,MAAM,SAAS,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,SAAS,GAAG,CAAC,CAAC,CAAA,CAAC,wBAAwB;IAC1E,MAAM,QAAQ,GAAG,SAAS,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;IACrC,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAA;IACtC,IAAI,OAAqB,CAAA;IACzB,IAAI,CAAC;QACH,OAAO,GAAG,IAAI,CAAC,KAAK,CAClB,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,aAAa,CAAC,QAAQ,CAAC,CAAC,CAAE,CAAC,CAAC,CACtC,CAAA;IACnB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAA;IACb,CAAC;IACD,OAAO,EAAE,SAAS,EAAE,SAAS,EAAE,OAAO,EAAE,CAAA;AAC1C,CAAC;AAED,KAAK,UAAU,iBAAiB,CAC9B,SAAiB,EACjB,eAA2B;IAE3B,MAAM,QAAQ,GAAG,SAAS,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;IACrC,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,KAAK,CAAA;IACvC,MAAM,YAAY,GAAG,GAAG,QAAQ,CAAC,CAAC,CAAE,IAAI,QAAQ,CAAC,CAAC,CAAE,EAAE,CAAA;IACtD,MAAM,SAAS,GAAG,aAAa,CAAC,QAAQ,CAAC,CAAC,CAAE,CAAC,CAAA;IAC7C,IAAI,CAAC;QACH,OAAO,MAAM,EAAE,CAAC,WAAW,CACzB,SAAS,EACT,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,YAAY,CAAC,EACtC,eAAe,CAChB,CAAA;IACH,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAA;IACd,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,MAA2B;IAE3B,IAAI,MAAM,CAAC,eAAe,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;QACzC,OAAO;YACL,KAAK,EAAE,KAAK;YACZ,MAAM,EAAE,EAAE;YACV,KAAK,EAAE,yCAAyC,MAAM,CAAC,eAAe,CAAC,MAAM,EAAE;SAChF,CAAA;IACH,CAAC;IAED,MAAM,SAAS,GACb,MAAM,CAAC,gBAAgB,KAAK,SAAS;QACrC,MAAM,CAAC,aAAa,KAAK,SAAS,CAAA;IAEpC,MAAM,kBAAkB,GAAG,MAAM,CAAC,yBAAyB;QACzD,CAAC,CAAC,mBAAmB,CAAC,MAAM,CAAC,yBAAyB,CAAC;QACvD,CAAC,CAAC,mBAAmB,CAAC,MAAM,CAAC,eAAe,CAAC,CAAA;IAE/C,MAAM,KAAK,GAAG,IAAI,eAAe,CAAC;QAChC,QAAQ,EAAE,mBAAmB,CAAC,MAAM,CAAC,eAAe,CAAC;QACrD,MAAM,EAAE,WAAW;QACnB,OAAO,EAAE,SAAS;QAClB,sBAAsB,EAAE,KAAK;QAC7B,4DAA4D;QAC5D,iEAAiE;QACjE,iEAAiE;QACjE,WAAW;QACX,GAAG,CAAC,MAAM,CAAC,iBAAiB,KAAK,SAAS;YACxC,CAAC,CAAC;gBACE,iBAAiB,EAAE,MAAM,CAAC,iBAAiB;gBAC3C,cAAc,EAAE,kBAAkB;aACnC;YACH,CAAC,CAAC,EAAE,CAAC;KACR,CAAC,CAAA;IAEF,IAAI,OAAgC,CAAA;IACpC,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,KAAK,CAAC,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,CAAA;QACjD,OAAO,GAAG,MAAM,CAAC,OAAkC,CAAA;IACrD,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,OAAO;YACL,KAAK,EAAE,KAAK;YACZ,MAAM,EAAE,EAAE;YACV,KAAK,EAAE,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC;SAClD,CAAA;IACH,CAAC;IAED,IAAI,SAAS,EAAE,CAAC;QACd,MAAM,MAAM,GAAG,YAAY,CAAC,MAAM,CAAC,OAAO,CAAC,CAAA;QAC3C,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,MAAM,EAAE,EAAE;gBACV,KAAK,EAAE,iDAAiD;aACzD,CAAA;QACH,CAAC;QAED,MAAM,GAAG,GAAI,OAAuC,CAAC,GAAG,CAAA;QACxD,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,CAAC;YACd,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,MAAM,EAAE,EAAE;gBACV,KAAK,EAAE,uDAAuD;aAC/D,CAAA;QACH,CAAC;QACD,IAAI,QAAoB,CAAA;QACxB,IAAI,CAAC;YACH,QAAQ,GAAG,uBAAuB,CAAC,GAAG,CAAC,GAAG,CAAC,CAAA;QAC7C,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,MAAM,EAAE,EAAE;gBACV,KAAK,EAAE,oBAAoB,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE;aACxE,CAAA;QACH,CAAC;QAED,MAAM,KAAK,GAAG,MAAM,iBAAiB,CAAC,MAAM,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAA;QACjE,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,MAAM,EAAE,EAAE;gBACV,KAAK,EAAE,6DAA6D;aACrE,CAAA;QACH,CAAC;QAED,IACE,MAAM,CAAC,gBAAgB,KAAK,SAAS;YACrC,MAAM,CAAC,OAAO,CAAC,GAAG,KAAK,MAAM,CAAC,gBAAgB,EAC9C,CAAC;YACD,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,MAAM,EAAE,EAAE;gBACV,KAAK,EAAE,iCAAiC,MAAM,CAAC,gBAAgB,SAAS,MAAM,CAAC,OAAO,CAAC,GAAG,IAAI,WAAW,EAAE;aAC5G,CAAA;QACH,CAAC;QAED,IACE,MAAM,CAAC,aAAa,KAAK,SAAS;YAClC,MAAM,CAAC,OAAO,CAAC,KAAK,KAAK,MAAM,CAAC,aAAa,EAC7C,CAAC;YACD,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,MAAM,EAAE,EAAE;gBACV,KAAK,EAAE,mCAAmC,MAAM,CAAC,aAAa,SAAS,MAAM,CAAC,OAAO,CAAC,KAAK,IAAI,WAAW,EAAE;aAC7G,CAAA;QACH,CAAC;QAED,qEAAqE;QACrE,+DAA+D;QAC/D,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,KAAK,SAAS,EAAE,CAAC;YACzC,MAAM,YAAY,GAAG,WAAW,CAC9B,MAAM,CAAC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,CACnD,CAAA;YACD,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,KAAK,YAAY,EAAE,CAAC;gBAC5C,OAAO;oBACL,KAAK,EAAE,KAAK;oBACZ,MAAM,EAAE,EAAE;oBACV,KAAK,EAAE,yDAAyD;iBACjE,CAAA;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAED,gEAAgE;IAChE,+DAA+D;IAC/D,+CAA+C;IAC/C,MAAM,MAAM,GAA4B,EAAE,CAAA;IAC1C,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;QAC7C,IAAI,CAAC,KAAK,KAAK,IAAI,CAAC,KAAK,SAAS,IAAI,CAAC,KAAK,KAAK;YAAE,SAAQ;QAC3D,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC,CAAA;IACf,CAAC;IAED,MAAM,GAAG,GAAuB,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,CAAA;IACvD,IAAI,OAAO,OAAO,CAAC,KAAK,CAAC,KAAK,QAAQ;QAAE,GAAG,CAAC,MAAM,GAAG,OAAO,CAAC,KAAK,CAAC,CAAA;IACnE,IAAI,OAAO,OAAO,CAAC,KAAK,CAAC,KAAK,QAAQ;QAAE,GAAG,CAAC,GAAG,GAAG,OAAO,CAAC,KAAK,CAAC,CAAA;IAChE,OAAO,GAAG,CAAA;AACZ,CAAC"}
|
package/dist/stub/credentials.js
CHANGED
|
@@ -13,7 +13,7 @@ function rowToVC(row) {
|
|
|
13
13
|
proof: {
|
|
14
14
|
type: 'Ed25519Signature2020',
|
|
15
15
|
created: row.issued_at.toISOString(),
|
|
16
|
-
verificationMethod: `${row.issuer_did}#key-
|
|
16
|
+
verificationMethod: `${row.issuer_did}#key-0`,
|
|
17
17
|
proofPurpose: 'assertionMethod',
|
|
18
18
|
proofValue: row.proof_value,
|
|
19
19
|
},
|
package/dist/stub/did.d.ts
CHANGED
|
@@ -1,5 +1,24 @@
|
|
|
1
1
|
import type { DID, DIDDocument } from '@solidus-network/types';
|
|
2
|
+
import type { ChainTransaction } from '../chain/transaction.js';
|
|
2
3
|
export declare function didCreate(publicKeyHex: string): Promise<DID>;
|
|
3
4
|
export declare function didResolve(did: string): Promise<DIDDocument | null>;
|
|
4
5
|
export declare function didDeactivate(did: string, _signerKey: string): Promise<void>;
|
|
6
|
+
/**
|
|
7
|
+
* Stub-mode `buildCreate`. Produces a shape-compatible `ChainTransaction`
|
|
8
|
+
* envelope so callers can write a single relay-style code path that runs
|
|
9
|
+
* unchanged in stub and chain modes. The "signature" is meaningless in
|
|
10
|
+
* stub mode — there is no chain to verify against — but the payload is
|
|
11
|
+
* faithful so that `submitCreate` can extract `public_key`.
|
|
12
|
+
*/
|
|
13
|
+
export declare function didBuildCreate(opts: {
|
|
14
|
+
signerPrivateKey: string;
|
|
15
|
+
publicKey?: string;
|
|
16
|
+
serviceEndpoints?: unknown[];
|
|
17
|
+
nonce?: number;
|
|
18
|
+
}): Promise<ChainTransaction>;
|
|
19
|
+
/**
|
|
20
|
+
* Stub-mode `submitCreate`. Parses the publicKey out of the supplied tx
|
|
21
|
+
* and delegates to the existing `didCreate` to insert the row.
|
|
22
|
+
*/
|
|
23
|
+
export declare function didSubmitCreate(signedTx: ChainTransaction | string): Promise<DID>;
|
|
5
24
|
//# sourceMappingURL=did.d.ts.map
|
package/dist/stub/did.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"did.d.ts","sourceRoot":"","sources":["../../src/stub/did.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,GAAG,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAA;
|
|
1
|
+
{"version":3,"file":"did.d.ts","sourceRoot":"","sources":["../../src/stub/did.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,GAAG,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAA;AACtD,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAA;AAY/D,wBAAsB,SAAS,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,CAWlE;AAED,wBAAsB,UAAU,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC,CAgCzE;AAED,wBAAsB,aAAa,CAAC,GAAG,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAKlF;AAID;;;;;;GAMG;AACH,wBAAsB,cAAc,CAAC,IAAI,EAAE;IACzC,gBAAgB,EAAE,MAAM,CAAA;IACxB,SAAS,CAAC,EAAE,MAAM,CAAA;IAClB,gBAAgB,CAAC,EAAE,OAAO,EAAE,CAAA;IAC5B,KAAK,CAAC,EAAE,MAAM,CAAA;CACf,GAAG,OAAO,CAAC,gBAAgB,CAAC,CA0B5B;AAED;;;GAGG;AACH,wBAAsB,eAAe,CAAC,QAAQ,EAAE,gBAAgB,GAAG,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,CASvF"}
|
package/dist/stub/did.js
CHANGED
|
@@ -21,7 +21,7 @@ export async function didResolve(did) {
|
|
|
21
21
|
if (rows.length === 0)
|
|
22
22
|
return null;
|
|
23
23
|
const row = rows[0];
|
|
24
|
-
const vmId = `${row.did}#key-
|
|
24
|
+
const vmId = `${row.did}#key-0`;
|
|
25
25
|
return {
|
|
26
26
|
'@context': [
|
|
27
27
|
'https://www.w3.org/ns/did/v1',
|
|
@@ -49,4 +49,58 @@ export async function didDeactivate(did, _signerKey) {
|
|
|
49
49
|
UPDATE stub_dids SET deactivated = true, updated_at = now() WHERE did = ${did}
|
|
50
50
|
`;
|
|
51
51
|
}
|
|
52
|
+
// ---------- buildCreate / submitCreate (stub) ----------
|
|
53
|
+
/**
|
|
54
|
+
* Stub-mode `buildCreate`. Produces a shape-compatible `ChainTransaction`
|
|
55
|
+
* envelope so callers can write a single relay-style code path that runs
|
|
56
|
+
* unchanged in stub and chain modes. The "signature" is meaningless in
|
|
57
|
+
* stub mode — there is no chain to verify against — but the payload is
|
|
58
|
+
* faithful so that `submitCreate` can extract `public_key`.
|
|
59
|
+
*/
|
|
60
|
+
export async function didBuildCreate(opts) {
|
|
61
|
+
if (!opts.signerPrivateKey || opts.signerPrivateKey.length !== 64) {
|
|
62
|
+
throw new Error('didBuildCreate (stub): signerPrivateKey must be a 64-char hex string');
|
|
63
|
+
}
|
|
64
|
+
// Derive the signer pubkey from the privkey hex deterministically. We
|
|
65
|
+
// do NOT run real ed25519 in the stub — for the stub the "pubkey" is
|
|
66
|
+
// simply a marker derived by reversing the privkey bytes. This is
|
|
67
|
+
// sufficient for shape compatibility; chain mode does real signing.
|
|
68
|
+
const signerPubBytes = hexToBytes(opts.signerPrivateKey).reverse();
|
|
69
|
+
const publicKey = opts.publicKey ?? Buffer.from(signerPubBytes).toString('hex');
|
|
70
|
+
if (publicKey.toLowerCase() !== Buffer.from(signerPubBytes).toString('hex').toLowerCase()) {
|
|
71
|
+
throw new Error(`didBuildCreate (stub): signerPrivateKey does not own publicKey (the SDK enforces this invariant in both modes)`);
|
|
72
|
+
}
|
|
73
|
+
return {
|
|
74
|
+
sender_pubkey: Array.from(signerPubBytes),
|
|
75
|
+
nonce: opts.nonce ?? 0,
|
|
76
|
+
payload: {
|
|
77
|
+
DidCreate: {
|
|
78
|
+
public_key: Array.from(hexToBytes(publicKey)),
|
|
79
|
+
service_endpoints: opts.serviceEndpoints ?? [],
|
|
80
|
+
},
|
|
81
|
+
},
|
|
82
|
+
signature: Array(64).fill(0),
|
|
83
|
+
};
|
|
84
|
+
}
|
|
85
|
+
/**
|
|
86
|
+
* Stub-mode `submitCreate`. Parses the publicKey out of the supplied tx
|
|
87
|
+
* and delegates to the existing `didCreate` to insert the row.
|
|
88
|
+
*/
|
|
89
|
+
export async function didSubmitCreate(signedTx) {
|
|
90
|
+
const tx = typeof signedTx === 'string' ? JSON.parse(signedTx) : signedTx;
|
|
91
|
+
const payload = tx.payload;
|
|
92
|
+
const payloadPub = payload?.DidCreate?.public_key;
|
|
93
|
+
if (!Array.isArray(payloadPub) || payloadPub.length !== 32) {
|
|
94
|
+
throw new Error('didSubmitCreate (stub): tx is not a DidCreate with a 32-byte public_key');
|
|
95
|
+
}
|
|
96
|
+
const publicKeyHex = Buffer.from(Uint8Array.from(payloadPub)).toString('hex');
|
|
97
|
+
return didCreate(publicKeyHex);
|
|
98
|
+
}
|
|
99
|
+
function hexToBytes(hex) {
|
|
100
|
+
const out = new Uint8Array(hex.length / 2);
|
|
101
|
+
for (let i = 0; i < hex.length; i += 2) {
|
|
102
|
+
out[i / 2] = parseInt(hex.substring(i, i + 2), 16);
|
|
103
|
+
}
|
|
104
|
+
return out;
|
|
105
|
+
}
|
|
52
106
|
//# sourceMappingURL=did.js.map
|
package/dist/stub/did.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"did.js","sourceRoot":"","sources":["../../src/stub/did.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAA;
|
|
1
|
+
{"version":3,"file":"did.js","sourceRoot":"","sources":["../../src/stub/did.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAA;AAGxC,OAAO,EAAE,MAAM,EAAE,MAAM,SAAS,CAAA;AAChC,OAAO,EAAE,eAAe,EAAE,MAAM,aAAa,CAAA;AAU7C,MAAM,CAAC,KAAK,UAAU,SAAS,CAAC,YAAoB;IAClD,MAAM,GAAG,GAAG,MAAM,EAAE,CAAA;IACpB,MAAM,EAAE,GAAG,oBAAoB,UAAU,EAAE,EAAE,CAAA;IAC7C,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAA;IAEpC,MAAM,GAAG,CAAA;;cAEG,EAAE,KAAK,YAAY,KAAK,EAAE;GACrC,CAAA;IAED,OAAO,EAAE,EAAE,EAAE,UAAU,EAAE,EAAE,EAAE,OAAO,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,OAAO,EAAE,MAAM,EAAE,CAAA;AAC5E,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,UAAU,CAAC,GAAW;IAC1C,MAAM,GAAG,GAAG,MAAM,EAAE,CAAA;IACpB,MAAM,IAAI,GAAG,MAAM,GAAG,CAAU;;;kBAGhB,GAAG;GAClB,CAAA;IACD,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAA;IAElC,MAAM,GAAG,GAAG,IAAI,CAAC,CAAC,CAAE,CAAA;IACpB,MAAM,IAAI,GAAG,GAAG,GAAG,CAAC,GAAG,QAAQ,CAAA;IAE/B,OAAO;QACL,UAAU,EAAE;YACV,8BAA8B;YAC9B,kDAAkD;SACnD;QACD,EAAE,EAAE,GAAG,CAAC,GAAG;QACX,UAAU,EAAE,GAAG,CAAC,UAAU;QAC1B,kBAAkB,EAAE;YAClB;gBACE,EAAE,EAAE,IAAI;gBACR,IAAI,EAAE,4BAA4B;gBAClC,UAAU,EAAE,GAAG,CAAC,GAAG;gBACnB,kBAAkB,EAAE,eAAe,CAAC,GAAG,CAAC,UAAU,CAAC;aACpD;SACF;QACD,cAAc,EAAE,CAAC,IAAI,CAAC;QACtB,eAAe,EAAE,CAAC,IAAI,CAAC;QACvB,OAAO,EAAE,GAAG,CAAC,UAAU,CAAC,WAAW,EAAE;QACrC,OAAO,EAAE,GAAG,CAAC,UAAU,CAAC,WAAW,EAAE;KACtC,CAAA;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,aAAa,CAAC,GAAW,EAAE,UAAkB;IACjE,MAAM,GAAG,GAAG,MAAM,EAAE,CAAA;IACpB,MAAM,GAAG,CAAA;8EACmE,GAAG;GAC9E,CAAA;AACH,CAAC;AAED,0DAA0D;AAE1D;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAAC,IAKpC;IACC,IAAI,CAAC,IAAI,CAAC,gBAAgB,IAAI,IAAI,CAAC,gBAAgB,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;QAClE,MAAM,IAAI,KAAK,CAAC,sEAAsE,CAAC,CAAA;IACzF,CAAC;IACD,sEAAsE;IACtE,qEAAqE;IACrE,kEAAkE;IAClE,oEAAoE;IACpE,MAAM,cAAc,GAAG,UAAU,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC,OAAO,EAAE,CAAA;IAClE,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,IAAI,MAAM,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAA;IAC/E,IAAI,SAAS,CAAC,WAAW,EAAE,KAAK,MAAM,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,WAAW,EAAE,EAAE,CAAC;QAC1F,MAAM,IAAI,KAAK,CACb,gHAAgH,CACjH,CAAA;IACH,CAAC;IACD,OAAO;QACL,aAAa,EAAE,KAAK,CAAC,IAAI,CAAC,cAAc,CAAC;QACzC,KAAK,EAAE,IAAI,CAAC,KAAK,IAAI,CAAC;QACtB,OAAO,EAAE;YACP,SAAS,EAAE;gBACT,UAAU,EAAE,KAAK,CAAC,IAAI,CAAC,UAAU,CAAC,SAAS,CAAC,CAAC;gBAC7C,iBAAiB,EAAE,IAAI,CAAC,gBAAgB,IAAI,EAAE;aAC/C;SACF;QACD,SAAS,EAAE,KAAK,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC;KAC7B,CAAA;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CAAC,QAAmC;IACvE,MAAM,EAAE,GAAqB,OAAO,QAAQ,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAA;IAC3F,MAAM,OAAO,GAAG,EAAE,CAAC,OAAgE,CAAA;IACnF,MAAM,UAAU,GAAG,OAAO,EAAE,SAAS,EAAE,UAAU,CAAA;IACjD,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,UAAU,CAAC,IAAI,UAAU,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;QAC3D,MAAM,IAAI,KAAK,CAAC,yEAAyE,CAAC,CAAA;IAC5F,CAAC;IACD,MAAM,YAAY,GAAG,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAA;IAC7E,OAAO,SAAS,CAAC,YAAY,CAAC,CAAA;AAChC,CAAC;AAED,SAAS,UAAU,CAAC,GAAW;IAC7B,MAAM,GAAG,GAAG,IAAI,UAAU,CAAC,GAAG,CAAC,MAAM,GAAG,CAAC,CAAC,CAAA;IAC1C,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,GAAG,CAAC,MAAM,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC;QACvC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,GAAG,QAAQ,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,EAAE,EAAE,CAAC,CAAA;IACpD,CAAC;IACD,OAAO,GAAG,CAAA;AACZ,CAAC"}
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@solidus-network/sdk",
|
|
3
|
-
"version": "0.
|
|
3
|
+
"version": "0.5.0",
|
|
4
4
|
"description": "Solidus Network SDK — DID resolution, verifiable credential issuance and verification, SD-JWT VC (EUDI-compatible), and on-chain queries via JSON-RPC.",
|
|
5
5
|
"type": "module",
|
|
6
6
|
"main": "./dist/index.js",
|
|
@@ -17,8 +17,8 @@
|
|
|
17
17
|
"@noble/hashes": "^1.5.0",
|
|
18
18
|
"@sd-jwt/sd-jwt-vc": "^0.19.0",
|
|
19
19
|
"@sd-jwt/types": "^0.19.0",
|
|
20
|
-
"@solidus-network/auth": "0.
|
|
21
|
-
"@solidus-network/types": "0.
|
|
20
|
+
"@solidus-network/auth": "0.5.0",
|
|
21
|
+
"@solidus-network/types": "0.5.0",
|
|
22
22
|
"bs58": "^6.0.0",
|
|
23
23
|
"postgres": "^3.4.4"
|
|
24
24
|
},
|