@sovrahq/waci 3.4.0

package/src/utils/index.ts

@@ -0,0 +1,272 @@
+import * as UUID from 'uuid';
+import * as jsonpath from 'jsonpath';
+import * as jsonschema from 'jsonschema';
+import {
+  CredentialApplication,
+  CredentialPresentation,
+  PresentationDefinition,
+  WACIMessage,
+} from '../types';
+import { Callback } from '../callbacks';
+import { InputDescriptorError } from './erros';
+
+/**
+ * Extract the claim key from a JSONPath expression.
+ * E.g. "$.credentialSubject.name" → "name", "$.type" → "type"
+ */
+export const extractClaimKeyFromPath = (path: string): string => {
+  const segments = path.replace(/^\$\.?/, '').split('.');
+  return segments[segments.length - 1];
+};
+
+/**
+ * Parse an SD-JWT string and extract the disclosed claim names as a Set.
+ * SD-JWT format: <JWT>~<disclosure1>~<disclosure2>~...~[<KB-JWT>]
+ * Each disclosure is base64url-encoded JSON array: [salt, claimName, claimValue]
+ */
+export const extractSDJWTClaims = (sdJwtString: string): Set<string> => {
+  const claims = new Set<string>();
+  try {
+    const parts = sdJwtString.split('~');
+    // Skip first part (JWT) and filter out empty strings and potential KB-JWT (has dots)
+    const disclosures = parts.slice(1).filter(p => p.length > 0);
+    for (const disclosure of disclosures) {
+      // Skip if it looks like a JWT (KB-JWT)
+      if (disclosure.split('.').length === 3) continue;
+      try {
+        // Base64url decode
+        let base64 = disclosure.replace(/-/g, '+').replace(/_/g, '/');
+        while (base64.length % 4 !== 0) base64 += '=';
+        const decoded = Buffer.from(base64, 'base64').toString('utf-8');
+        const array = JSON.parse(decoded);
+        if (Array.isArray(array) && array.length >= 2) {
+          claims.add(array[1]); // claimName is second element
+        }
+      } catch {
+        // Skip malformed disclosures
+      }
+    }
+  } catch {
+    // Return empty set on any error
+  }
+  return claims;
+};
+
+export const getObjectValues = (object: any): string[] =>
+  Object.values<string>(object);
+
+export const createUUID = UUID.v4;
+
+export const verifyPresentation = async (
+  presentationDefinition: PresentationDefinition,
+  credentialApplication: CredentialApplication | CredentialPresentation,
+  verificationCallback: Callback<any, { result: boolean, error?: string[] }>,
+): Promise<any> => {
+  try {
+    const vcs: any[] = [];
+    for await (const inputDescriptor of presentationDefinition.input_descriptors) {
+
+      const vcInput =
+        credentialApplication.data.json.presentation_submission.descriptor_map.find(
+          (descriptor) => inputDescriptor.id === descriptor.id,
+        );
+
+      if (!vcInput) return new InputDescriptorError();
+      const vc = jsonpath.query(
+        credentialApplication.data.json,
+        vcInput.path,
+      )[0];
+
+      vcs.push(vc);
+
+      // SD-JWT: if VC is a string (e.g. SD-JWT compact), verify signature then validate disclosed fields
+      if (typeof vc === 'string') {
+        const verificationResult = await verificationCallback(vc);
+        console.log('---- Verification Result (SD-JWT string) -----', verificationResult);
+        if (!verificationResult.result) {
+          return {
+            result: false,
+            error: verificationResult.error || ['Credential verification failed'],
+            vcs
+          };
+        }
+        // Validate that required fields from constraints are present in SD-JWT disclosures
+        if (inputDescriptor.constraints?.fields) {
+          const disclosedClaims = extractSDJWTClaims(vc);
+          for (const field of inputDescriptor.constraints.fields) {
+            const pathKey = extractClaimKeyFromPath(field.path[0]);
+            if (!disclosedClaims.has(pathKey)) {
+              return {
+                result: false,
+                error: [{ name: 'missing-field', description: `SD-JWT missing required disclosure: ${pathKey}` }],
+                vcs,
+              };
+            }
+          }
+        }
+        continue;
+      }
+
+      // Verify fields
+      for (const field of inputDescriptor.constraints.fields) {
+        const fieldValue = jsonpath.query(vc, field.path[0])?.[0];
+        if (!fieldValue) {
+          return { result: false, error: [{ name: 'missing-field', description: `Missing required field: ${field.path[0]}` }], vcs };
+        }
+        if (field.filter) {
+          const { errors } = jsonschema.validate(fieldValue, field.filter);
+          if (errors.length) {
+            return { result: false, error: [{ name: 'invalid-field', description: `Field ${field.path[0]} does not match filter` }], vcs };
+          }
+        }
+      }
+
+      // Verify proof
+      const verificationResult = await verificationCallback(vc);
+      console.log('---- Verification Result -----', verificationResult);
+
+      if (!verificationResult.result) {
+        const error = verificationResult.error as any;
+        switch (error.name) {
+          case 'did-document-resolution-error':
+            // DIDDocumentResolutionError
+            console.log(`Cannot resolve DID document: ${error.did}`);
+            // Handle DID resolution failure
+            break;
+            
+          case 'vc-invalid-signature':
+            // InvalidSignatureError
+            console.log('Invalid signature detected');
+            console.log('Description:', error.description);
+            // Handle signature validation failure
+            break;
+            
+          case 'verification-method-not-found':
+            // VerificationMethodNotFound
+            console.log(`Verification method ${error.verificationMethod} not found in DID Document: ${error.did}`);
+            // Handle missing verification method
+            break;
+            
+          case 'verification-relationship-invalid':
+            // VerificationRelationshipError
+            console.log(`Verification method ${error.verificationMethod} is not configured as ${error.expectedVerificationRelationship}`);
+            // Handle incorrect verification relationship
+            break;
+            
+          case 'unexpected-challenge':
+            // UnexpectedChallengeError
+            console.log('Unexpected challenge error:', error.errorMessage);
+            // Handle challenge validation failure
+            break;
+            
+          case 'authentication-purpose-challenge-required':
+            // AuthenticationPurposeChallengeRequired
+            console.log('Authentication purpose requires a challenge');
+            // Handle missing challenge for authentication
+            break;
+            
+          case 'verifiable-credential-revoked':
+            // VerifiableCredentialRevoked
+            console.log('Credential has been revoked');
+            console.log('Revocation details:', error.errors);
+            return {
+              result: false,
+              error: verificationResult.error || ['Credential verification failed'],
+              vcs:vcs
+            };
+            // Handle revoked credential
+            break;
+            
+          case 'verifiable-credential-suspended':
+            // VerifiableCredentialSuspended
+            console.log('Credential has been suspended');
+            console.log('Suspension details:', error.errors); 
+            return {
+              result: false,
+              error: verificationResult.error || ['Credential verification failed'],
+              vcs:vcs
+            };
+            // Handle suspended credential
+            break;
+            
+          case 'credential-status-service-error':
+            // CredentialStatusServiceError
+            console.log(`Error retrieving credential status from: ${error.endpoint}`);
+            console.log(`HTTP Status: ${error.httpStatusResult}`);
+            console.log(`Response Data: ${error.dataResult}`);
+            // Handle credential status service failure
+            break;
+            
+          case 'verifiable-credential-expired':
+            // VerifiableCredentialExpired
+            console.log('Credential has expired');
+            return {
+              result: false,
+              error: verificationResult.error || ['Credential verification failed'],
+              vcs:vcs
+            };
+            // Handle expired credential
+            break;
+            
+          case 'unhandled-vc-suite-error':
+            // UnhandledVCSuiteError
+            console.log('Unhandled VC suite error:', error.messageError);
+            // Handle unexpected verification errors
+            break;
+            
+          default:
+            console.log('Unknown error type:', error.name);
+            console.log('Error description:', error.description);
+            console.log('Error code:', error.code);
+            // Handle unknown errors
+        }
+      } 
+    }
+    return {
+      result: true,
+      vcs
+    };
+  } catch (error) {
+    console.error(error);
+    return {
+      result: false, error, vcs: []
+    };
+  }
+};
+
+export const extractExpectedChallenge = (
+  presentationDefinitionMessage: WACIMessage,
+): string => {
+  return presentationDefinitionMessage.attachments.find(
+    (attachment) => attachment?.data?.json?.options?.challenge,
+  ).data.json.options.challenge;
+};
+
+export const validateVcByInputDescriptor = (vc, inputDescriptor): boolean => {
+  // SD-JWT: validate disclosed claims against required fields
+  if (typeof vc === 'string') {
+    if (!inputDescriptor.constraints?.fields) return true;
+    const disclosedClaims = extractSDJWTClaims(vc);
+    for (const field of inputDescriptor.constraints.fields) {
+      const pathKey = extractClaimKeyFromPath(field.path[0]);
+      if (!disclosedClaims.has(pathKey)) return false;
+    }
+    return true;
+  }
+  for (const field of inputDescriptor.constraints.fields) {
+    const fieldValues = field.path?.map((path) => {
+      return jsonpath.value(vc, path);
+    });
+
+    for (const value of fieldValues) {
+      if (!value) return false;
+      if (field.filter) {
+        const { errors } = jsonschema.validate(value, field.filter);
+        if (errors.length) {
+          return false;
+        }
+      }
+    }
+  }
+  return true;
+};

package/test/handlers/issuance/step-3-propose-credential.handler.spec.ts

@@ -0,0 +1,43 @@
+import {
+  WACIMessage,
+  WACIMessageHandlerResponse,
+  WACIMessageResponseType,
+  WACIMessageType,
+} from '../../../src';
+import {
+  credentialManifestParamsStub,
+  offerCredentialMessageStub1,
+} from '../../stubs';
+import { ProposeCredentialHandler } from '../../../src/handlers/issuance/step-3-propose-credential.handler';
+
+jest.mock('../../../src/utils', () => ({
+  extractSuffixFromUUID:
+    jest.requireActual('../../../src/utils').extractSuffixFromUUID,
+  verifyPresentation:
+    jest.requireActual('../../../src/utils').verifyPresentation,
+  createUUID: (): string => 'f137e0db-db7b-4776-9530-83c808a34a42',
+}));
+
+describe('ProposeCredentialHandler', () => {
+  const message: WACIMessage = {
+    type: WACIMessageType.ProposeCredential,
+    id: 'f137e0db-db7b-4776-9530-83c808a34a42',
+    from: 'did:example:holder',
+    pthid: 'f137e0db-db7b-4776-9530-83c808a34a42',
+    to: ['did:example:issuer'],
+  };
+
+  const callbacks = {
+    issuer: { getCredentialManifest: () => credentialManifestParamsStub },
+  };
+
+  const handler = new ProposeCredentialHandler();
+  it('should return an offer credential message', async () => {
+    const response = await handler.handle([message], callbacks);
+    const expectedResponse: WACIMessageHandlerResponse = {
+      responseType: WACIMessageResponseType.ReplyThread,
+      message: offerCredentialMessageStub1,
+    };
+    expect(response).toEqual(expectedResponse);
+  });
+});

package/test/handlers/issuance/step-4-offer-credential.handler.spec.ts

@@ -0,0 +1,53 @@
+import {
+  WACIMessageHandlerResponse,
+  WACIMessageResponseType,
+} from '../../../src';
+import {
+  credentialsToPresentStub,
+  offerCredentialMessageStub2,
+  requestCredentialMessageStub,
+} from '../../stubs';
+import { OfferCredentialHandler } from '../../../src/handlers/issuance/step-4-offer-credential.handler';
+
+jest.mock('../../../src/utils', () => ({
+  extractSuffixFromUUID:
+    jest.requireActual('../../../src/utils').extractSuffixFromUUID,
+  verifyPresentation:
+    jest.requireActual('../../../src/utils').verifyPresentation,
+  createUUID: (): string => 'f137e0db-db7b-4776-9530-83c808a34a42',
+}));
+
+describe('OfferCredentialHandler', () => {
+  const callbacks: any = {
+    holder: {
+      getCredentialApplication: () => ({
+        credentialsToPresent: credentialsToPresentStub,
+        presentationProofTypes: [
+          'JsonWebSignature2020',
+          'EcdsaSecp256k1Signature2019',
+        ],
+      }),
+      signPresentation: ({ contentToSign }) => ({
+        ...contentToSign,
+        proof: {
+          type: 'Ed25519Signature2018',
+          verificationMethod: 'did:example:123#key-0',
+          created: '2021-05-14T20:16:29.565377',
+          proofPurpose: 'authentication',
+          challenge: 'f137e0db-db7b-4776-9530-83c808a34a42',
+          jws: 'eyJhbGciOiAiRWREU0EiLCAiYjY0IjogZmFsc2UsICJjcml0IjogWyJiNjQiXX0..7M9LwdJR1_SQayHIWVHF5eSSRhbVsrjQHKUrfRhRRrlbuKlggm8mm_4EI_kTPeBpalQWiGiyCb_0OWFPtn2wAQ',
+        },
+      }),
+    },
+  };
+
+  const handler = new OfferCredentialHandler();
+  it('should return a request credential message', async () => {
+    const response = await handler.handle([offerCredentialMessageStub2], callbacks);
+    const expectedResponse: WACIMessageHandlerResponse = {
+      responseType: WACIMessageResponseType.ReplyThread,
+      message: requestCredentialMessageStub,
+    };
+    expect(response).toEqual(expectedResponse);
+  });
+});

package/test/handlers/issuance/step-5-request-credential.handler.spec.ts

@@ -0,0 +1,102 @@
+import {
+  WACIMessageHandlerResponse,
+  WACIMessageResponseType,
+  WACIMessageType,
+} from '../../../src';
+import {
+  badCredentialApplicationStub,
+  credentialFulfillmentStub,
+  offerCredentialMessageStub1,
+  requestCredentialMessageStub,
+  credentialSignatureStub,
+  offerCredentialMessageStub2,
+} from '../../stubs';
+import { RequestCredentialHandler } from '../../../src/handlers/issuance/step-5-request-credential.handler';
+
+jest.mock('../../../src/utils', () => ({
+  extractSuffixFromUUID:
+    jest.requireActual('../../../src/utils').extractSuffixFromUUID,
+  verifyPresentation:
+    jest.requireActual('../../../src/utils').verifyPresentation,
+  extractExpectedChallenge:
+    jest.requireActual('../../../src/utils').extractExpectedChallenge,
+  createUUID: (): string => 'f137e0db-db7b-4776-9530-83c808a34a42',
+}));
+
+describe('RequestCredentialHandler', () => {
+  const callbacks: any = {
+    issuer: {
+      signCredential: (vc) => ({ ...vc, proof: credentialSignatureStub }),
+      verifyCredential: async () => true,
+      verifyPresentation: async () => true,
+    },
+  };
+
+  const handler = new RequestCredentialHandler();
+
+  it('should return a issue credential message when credential application is successful', async () => {
+    const response = await handler.handle([
+      offerCredentialMessageStub1,
+      requestCredentialMessageStub,
+    ], callbacks);
+    const expectedResponse: WACIMessageHandlerResponse = {
+      responseType: WACIMessageResponseType.ReplyThread,
+      message: {
+        type: WACIMessageType.IssueCredential,
+        id: 'f137e0db-db7b-4776-9530-83c808a34a42',
+        thid: 'f137e0db-db7b-4776-9530-83c808a34a42',
+        from: 'did:example:issuer',
+        to: ['did:example:holder'],
+        body: {},
+        attachments: [credentialFulfillmentStub],
+      },
+    };
+    expect(response).toEqual(expectedResponse);
+  });
+
+  it('should return a issue credential message when credential application is successful', async () => {
+    const response = await handler.handle([
+      offerCredentialMessageStub1,
+      {
+        type: WACIMessageType.RequestCredential,
+        id: 'f137e0db-db7b-4776-9530-83c808a34a42',
+        thid: 'f137e0db-db7b-4776-9530-83c808a34a42',
+        from: 'did:example:holder',
+        to: ['did:example:issuer'],
+        body: {},
+        attachments: [],
+      },
+    ], callbacks);
+    const expectedResponse: WACIMessageHandlerResponse = {
+      responseType: WACIMessageResponseType.ReplyThread,
+      message: {
+        type: WACIMessageType.IssueCredential,
+        id: 'f137e0db-db7b-4776-9530-83c808a34a42',
+        thid: 'f137e0db-db7b-4776-9530-83c808a34a42',
+        from: 'did:example:issuer',
+        to: ['did:example:holder'],
+        body: {},
+        attachments: [credentialFulfillmentStub],
+      },
+    };
+    expect(response).toEqual(expectedResponse);
+  });
+
+  it('should return undefined/void when credential application fails', async () => {
+    const failCallbacks: any = {
+      issuer: {
+        signCredential: (vc) => ({ ...vc, proof: credentialSignatureStub }),
+        verifyCredential: async () => false,
+        verifyPresentation: async () => false,
+      },
+    };
+    const response = await handler.handle([
+      offerCredentialMessageStub2,
+      {
+        ...requestCredentialMessageStub,
+        attachments: [badCredentialApplicationStub],
+      },
+    ], failCallbacks);
+    expect(response).toBe(undefined);
+  });
+});

package/test/handlers/presentation/step-5-present-proof.handler.spec.ts

@@ -0,0 +1,142 @@
+import {
+  badPresentProofMessageStub,
+  presentProofMessageStub,
+  requestPresentationMessageStub,
+} from '../../stubs';
+import {
+  AckStatus,
+  WACIMessageHandlerResponse,
+  WACIMessageResponseType,
+  WACIMessageType,
+} from '../../../src';
+import { PresentProofHandler } from '../../../src/handlers/presentation/step-5-present-proof.handler';
+
+jest.mock('../../../src/utils', () => ({
+  extractSuffixFromUUID:
+    jest.requireActual('../../../src/utils').extractSuffixFromUUID,
+  verifyPresentation:
+    jest.requireActual('../../../src/utils').verifyPresentation,
+  extractExpectedChallenge:
+    jest.requireActual('../../../src/utils').extractExpectedChallenge,
+  createUUID: (): string => 'f137e0db-db7b-4776-9530-83c808a34a42',
+}));
+
+describe('PresentProofHandler', () => {
+  const callbacks: any = {
+    verifier: {
+      getPresentationDefinition: async () => [],
+      verifyCredential: () => true,
+      verifyPresentation: () => true,
+    },
+  };
+
+  const handler = new PresentProofHandler();
+  it('should return status OK', async () => {
+    const response = await handler.handle([
+      requestPresentationMessageStub,
+      presentProofMessageStub,
+    ], callbacks);
+    const expectedResponse: WACIMessageHandlerResponse = {
+      responseType: WACIMessageResponseType.ReplyThread,
+      message: {
+        type: WACIMessageType.PresentationAck,
+        id: 'f137e0db-db7b-4776-9530-83c808a34a42',
+        thid: 'f137e0db-db7b-4776-9530-83c808a34a42',
+        from: 'did:example:issuer',
+        to: ['did:example:holder'],
+        body: {
+          status: AckStatus.Ok,
+        },
+      },
+    };
+
+    expect(response).toEqual(expectedResponse);
+  });
+
+  it('should return status FAIL when wrong data is presented', async () => {
+    const failCallbacks: any = {
+      verifier: {
+        getPresentationDefinition: async () => [
+          {
+            id: 'ed7d9b1f-9eed-4bde-b81c-3aa7485cf947',
+            media_type: 'application/json',
+            format: 'dif/presentation-exchange/definitions@v1.0',
+            data: {
+              json: {
+                options: {
+                  challenge: '3fa85f64-5717-4562-b3fc-2c963f66afa7',
+                  domain: '4jt78h47fh47',
+                },
+                presentation_definition: {
+                  id: '32f54163-7166-48f1-93d8-ff217bdb0654',
+                  frame: {
+                    '@context': [
+                      'https://www.w3.org/2018/credentials/v1',
+                      'https://w3id.org/vaccination/v1',
+                      'https://w3id.org/security/suites/bls12381-2020/v1',
+                    ],
+                    type: ['VerifiableCredential', 'VaccinationCertificate'],
+                    credentialSubject: {
+                      '@explicit': true,
+                      type: ['VaccinationEvent'],
+                      batchNumber: {},
+                      countryOfVaccination: {},
+                    },
+                  },
+                  input_descriptors: [
+                    {
+                      id: 'vaccination_input',
+                      name: 'Vaccination Certificate',
+                      constraints: {
+                        fields: [
+                          {
+                            path: ['$.credentialSubject.batchNumber'],
+                            filter: {
+                              type: 'string',
+                            },
+                          },
+                          {
+                            path: ['$.credentialSubject.countryOfVaccination'],
+                            filter: {
+                              type: 'string',
+                            },
+                          },
+                        ],
+                      },
+                    },
+                  ],
+                },
+              },
+            },
+          },
+        ],
+        verifyCredential: () => true,
+        verifyPresentation: () => true,
+      },
+    };
+
+    const response2 = await handler.handle([
+      requestPresentationMessageStub,
+      {
+        ...badPresentProofMessageStub,
+        attachments: [],
+      },
+    ], failCallbacks);
+
+    const expectedResponse = {
+      message: {
+        body: {
+          status: 'FAIL',
+        },
+        from: 'did:example:issuer',
+        id: 'f137e0db-db7b-4776-9530-83c808a34a42',
+        thid: 'f137e0db-db7b-4776-9530-83c808a34a42',
+        to: ['did:example:holder'],
+        type: 'https://didcomm.org/present-proof/3.0/ack',
+      },
+      responseType: 1,
+    };
+
+    expect(response2).toEqual(expectedResponse);
+  });
+});

package/test/handlers/shared/step-2-oob-invitation.handler.spec.ts

@@ -0,0 +1,55 @@
+import { GoalCode, WACIMessage, WACIMessageType } from '../../../src';
+import { callbacks } from '../../../src/callbacks';
+import { OOBInvitationHandler } from '../../../src/handlers/common/step-2-oob-invitation.handler';
+
+describe('OobInvitationHandler', () => {
+  const message : WACIMessage = {
+    type: WACIMessageType.OutOfBandInvitation,
+    id: 'f137e0db-db7b-4776-9530-83c808a34a42',
+    from: 'did:example:issuer',
+    body: {
+      goal_code: GoalCode.Issuance,
+      accept: [ 'didcomm/v2' ],
+    },
+  };
+
+  Object.assign(callbacks, {
+    holder: {
+      getHolderDID: () => 'did:modena:1323232',
+    },
+  });
+
+  it('should return a propose credential message when handling an issuance invitation', async () => {
+    const response = await new OOBInvitationHandler().handle([ message ]);
+
+    expect(response.message.type).toEqual(WACIMessageType.ProposeCredential);
+  });
+
+  it('should return a propose presentation message when handling a presentation invitation', async () => {
+    const presentationInvitation = {
+      ...message,
+      body: {
+        ...message.body,
+        goal_code: GoalCode.Presentation,
+      },
+    };
+
+    const response = await new OOBInvitationHandler().handle([
+      presentationInvitation,
+    ]);
+
+    expect(response.message.type).toEqual(WACIMessageType.ProposePresentation);
+  });
+
+  it('should return a message whose parent thread id matches the invitation message id', async () => {
+    const response = await new OOBInvitationHandler().handle([ message ]);
+
+    expect(response.message.pthid).toEqual(message.id);
+  });
+
+  it('should return a message whose receiver matches the sender from the handled message', async () => {
+    const response = await new OOBInvitationHandler().handle([ message ]);
+
+    expect(response.message.to[0]).toEqual(message.from);
+  });
+});