npm - @sphereon/oid4vc-common - Versions diffs - 0.20.1-next.13 → 0.20.1-next.16 - Mend

@sphereon/oid4vc-common 0.20.1-next.13 → 0.20.1-next.16

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/dist/index.cjs.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"sources":["../lib/index.ts","../lib/jwt/Jwt.types.ts","../lib/jwt/JwkThumbprint.ts","../lib/hasher.ts","../lib/jwt/JwtVerifier.ts","../lib/jwt/jwtUtils.ts","../lib/dpop/DPoP.ts","../lib/helpers/Encodings.ts"],"sourcesContent":["import { Loggers } from '@sphereon/ssi-types'\n\nexport const VCI_LOGGERS = Loggers.DEFAULT\nexport const VCI_LOG_COMMON = VCI_LOGGERS.get('sphereon:oid4vci:common')\n\nexport * from './types'\nexport * from './jwt'\nexport * from './dpop'\nexport * from './oauth'\nexport * from './helpers/Encodings'\n\nexport { v4 as uuidv4 } from 'uuid'\nexport { defaultHasher } from './hasher'\n","import { JwtHeader as jwtDecodeJwtHeader, JwtPayload as jwtDecodePayload } from 'jwt-decode'\n\nimport { JWK } from './Jwk.types'\n\nexport type JwtHeader = jwtDecodeJwtHeader & {\n alg?: string\n x5c?: string[]\n kid?: string\n jwk?: JWK\n jwt?: string\n} & Record<string, unknown>\n\nexport type JwtPayload = jwtDecodePayload & {\n client_id?: string\n nonce?: string\n request_uri?: string\n} & Record<string, unknown>\n\nexport enum SigningAlgo {\n EDDSA = 'EdDSA',\n RS256 = 'RS256',\n PS256 = 'PS256',\n ES256 = 'ES256',\n ES256K = 'ES256K',\n}\n","// eslint-disable-next-line @typescript-eslint/ban-ts-comment\n// @ts-ignore\nimport * as u8a from 'uint8arrays'\nconst { toString } = u8a\n\nimport { defaultHasher } from '../hasher'\nimport { DigestAlgorithm } from '../types'\n\nimport { JWK } from './Jwk.types'\n\nconst check = (value: unknown, description: string) => {\n if (typeof value !== 'string' \|\| !value) {\n throw Error(`${description} missing or invalid`)\n }\n}\n\nexport async function calculateJwkThumbprint(jwk: JWK, digestAlgorithm?: DigestAlgorithm): Promise<string> {\n if (!jwk \|\| typeof jwk !== 'object') {\n throw new TypeError('JWK must be an object')\n }\n const algorithm = digestAlgorithm ?? 'sha256'\n if (algorithm !== 'sha256' && algorithm !== 'sha384' && algorithm !== 'sha512') {\n throw new TypeError('digestAlgorithm must one of \"sha256\", \"sha384\", or \"sha512\"')\n }\n let components\n switch (jwk.kty) {\n case 'EC':\n check(jwk.crv, '\"crv\" (Curve) Parameter')\n check(jwk.x, '\"x\" (X Coordinate) Parameter')\n check(jwk.y, '\"y\" (Y Coordinate) Parameter')\n components = { crv: jwk.crv, kty: jwk.kty, x: jwk.x, y: jwk.y }\n break\n case 'OKP':\n check(jwk.crv, '\"crv\" (Subtype of Key Pair) Parameter')\n check(jwk.x, '\"x\" (Public Key) Parameter')\n components = { crv: jwk.crv, kty: jwk.kty, x: jwk.x }\n break\n case 'RSA':\n check(jwk.e, '\"e\" (Exponent) Parameter')\n check(jwk.n, '\"n\" (Modulus) Parameter')\n components = { e: jwk.e, kty: jwk.kty, n: jwk.n }\n break\n case 'oct':\n check(jwk.k, '\"k\" (Key Value) Parameter')\n components = { k: jwk.k, kty: jwk.kty }\n break\n default:\n throw Error('\"kty\" (Key Type) Parameter missing or unsupported')\n }\n return toString(defaultHasher(JSON.stringify(components), algorithm), 'base64url')\n}\n\nexport async function getDigestAlgorithmFromJwkThumbprintUri(uri: string): Promise<DigestAlgorithm> {\n const match = uri.match(/^urn:ietf:params:oauth:jwk-thumbprint:sha-(\\w+):/)\n if (!match) {\n throw new Error(`Invalid JWK thumbprint URI structure ${uri}`)\n }\n const algorithm = `sha${match[1]}` as DigestAlgorithm\n if (algorithm !== 'sha256' && algorithm !== 'sha384' && algorithm !== 'sha512') {\n throw new Error(`Invalid JWK thumbprint URI digest algorithm ${uri}`)\n }\n return algorithm\n}\n\nexport async function calculateJwkThumbprintUri(jwk: JWK, digestAlgorithm: DigestAlgorithm = 'sha256'): Promise<string> {\n const thumbprint = await calculateJwkThumbprint(jwk, digestAlgorithm)\n return `urn:ietf:params:oauth:jwk-thumbprint:sha-${digestAlgorithm.slice(-3)}:${thumbprint}`\n}\n","import { HasherSync, shaHasher } from '@sphereon/ssi-types'\n\nexport const defaultHasher: HasherSync = (data: string \| ArrayBuffer, algorithm: string) => {\n return shaHasher(data, algorithm)\n}\n","import { JWK } from './Jwk.types'\nimport { JwtHeader, JwtPayload, SigningAlgo } from './Jwt.types'\nimport { JwtProtectionMethod, JwtType } from './jwtUtils'\n\nexport interface JwtVerifierBase {\n type: JwtType\n method: JwtProtectionMethod\n}\n\nexport interface DidJwtVerifier extends JwtVerifierBase {\n method: 'did'\n\n alg: SigningAlgo \| string\n didUrl: string\n}\n\nexport interface X5cJwtVerifier extends JwtVerifierBase {\n method: 'x5c'\n\n alg: SigningAlgo \| string\n\n /*\n \n * Array of base64-encoded certificate strings in the DER-format.\n \n The certificate containing the public key corresponding to the key used to digitally sign the JWS MUST be the first certificate.\n /\n x5c: Array<string>\n\n /\n The jwt issuer\n /\n issuer: string\n}\n\nexport interface OpenIdFederationJwtVerifier extends JwtVerifierBase {\n method: 'openid-federation'\n\n /\n The OpenId federation Entity\n /\n entityId: string\n}\n\nexport interface JwkJwtVerifier extends JwtVerifierBase {\n method: 'jwk'\n alg: SigningAlgo \| string\n\n jwk: JWK\n}\n\nexport interface CustomJwtVerifier extends JwtVerifierBase {\n method: 'custom'\n}\n\nexport type JwtVerifier = DidJwtVerifier \| X5cJwtVerifier \| CustomJwtVerifier \| JwkJwtVerifier \| OpenIdFederationJwtVerifier\n\nexport const getDidJwtVerifier = (jwt: { header: JwtHeader; payload: JwtPayload }, options: { type: JwtType }): DidJwtVerifier => {\n const { type } = options\n if (!jwt.header.kid) throw new Error(`Received an invalid JWT. Missing kid header.`)\n if (!jwt.header.alg) throw new Error(`Received an invalid JWT. Missing alg header.`)\n\n if (!jwt.header.kid.includes('#')) {\n throw new Error(`Received an invalid JWT.. '${type}' contains an invalid kid header.`)\n }\n return { method: 'did', didUrl: jwt.header.kid, type: type, alg: jwt.header.alg }\n}\n\nconst getIssuer = (type: JwtType, payload: JwtPayload): string => {\n // For 'request-object' the `iss` value is not required so we map the issuer to client_id\n if (type === 'request-object') {\n if (!payload.client_id) {\n throw new Error('Missing required field client_id in request object JWT')\n }\n return payload.client_id as string\n }\n\n if (typeof payload.iss !== 'string') {\n throw new Error(`Received an invalid JWT. '${type}' contains an invalid iss claim or it is missing.`)\n }\n return payload.iss\n}\n\nexport const getX5cVerifier = (jwt: { header: JwtHeader; payload: JwtPayload }, options: { type: JwtType }): X5cJwtVerifier => {\n const { type } = options\n if (!jwt.header.x5c) throw new Error(`Received an invalid JWT. Missing x5c header.`)\n if (!jwt.header.alg) throw new Error(`Received an invalid JWT. Missing alg header.`)\n\n if (!Array.isArray(jwt.header.x5c) \|\| jwt.header.x5c.length === 0 \|\| !jwt.header.x5c.every((cert) => typeof cert === 'string')) {\n throw new Error(`Received an invalid JWT.. '${type}' contains an invalid x5c header.`)\n }\n\n return {\n method: 'x5c',\n x5c: jwt.header.x5c,\n issuer: getIssuer(type, jwt.payload),\n type: type,\n alg: jwt.header.alg,\n }\n}\n\nexport const getJwkVerifier = async (jwt: { header: JwtHeader; payload: JwtPayload }, options: { type: JwtType }): Promise<JwkJwtVerifier> => {\n const { type } = options\n if (!jwt.header.jwk) throw new Error(`Received an invalid JWT. Missing jwk header.`)\n if (!jwt.header.alg) throw new Error(`Received an invalid JWT. Missing alg header.`)\n\n if (typeof jwt.header.jwk !== 'object') {\n throw new Error(`Received an invalid JWT. '${type}' contains an invalid jwk header.`)\n }\n\n return { method: 'jwk', type, jwk: jwt.header.jwk, alg: jwt.header.alg }\n}\n\nexport const getJwtVerifierWithContext = async (\n jwt: { header: JwtHeader; payload: JwtPayload },\n options: { type: JwtType },\n): Promise<JwtVerifier> => {\n const { header, payload } = jwt\n\n if (header.kid?.startsWith('did:')) return getDidJwtVerifier({ header, payload }, options)\n else if (jwt.header.x5c) return getX5cVerifier({ header, payload }, options)\n else if (jwt.header.jwk) return getJwkVerifier({ header, payload }, options)\n\n return { method: 'custom', type: options.type }\n}\n\nexport type VerifyJwtCallbackBase<T extends JwtVerifier> = (\n jwtVerifier: T,\n jwt: { header: JwtHeader; payload: JwtPayload; raw: string },\n) => Promise<boolean>\n","import { jwtDecode } from 'jwt-decode'\n\nimport { JwtHeader, JwtPayload } from './Jwt.types'\n\nexport type JwtType = 'id-token' \| 'request-object' \| 'verifier-attestation' \| 'dpop'\n\nexport type JwtProtectionMethod = 'did' \| 'x5c' \| 'jwk' \| 'openid-federation' \| 'custom'\n\nexport function parseJWT<Header = JwtHeader, Payload = JwtPayload>(jwt: string) {\n const header = jwtDecode<Header>(jwt, { header: true })\n const payload = jwtDecode<Payload>(jwt, { header: false })\n\n if (!payload \|\| !header) {\n throw new Error('Jwt Payload and/or Header could not be parsed')\n }\n return { header, payload }\n}\n\n/\n The maximum allowed clock skew time in seconds. If an time based validation\n * is performed against current time (`now`), the validation can be of by the skew\n * time.\n \n See https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.5\n /\nconst DEFAULT_SKEW_TIME = 60\n\nexport function getNowSkewed(now?: number, skewTime?: number) {\n const _now = now ? now : epochTime()\n const _skewTime = skewTime ? skewTime : DEFAULT_SKEW_TIME\n\n return {\n nowSkewedPast: _now - _skewTime,\n nowSkewedFuture: _now + _skewTime,\n }\n}\n\n/\n Returns the current unix timestamp in seconds.\n /\nexport function epochTime() {\n return Math.floor(Date.now() / 1000)\n}\n\nexport const BASE64_URL_REGEX = /^([0-9a-zA-Z-_]{4})(([0-9a-zA-Z-_]{2}(==)?)\|([0-9a-zA-Z-_]{3}(=)?))?$/\n\nexport const isJws = (jws: string) => {\n const jwsParts = jws.split('.')\n return jwsParts.length === 3 && jwsParts.every((part) => BASE64_URL_REGEX.test(part))\n}\nexport const isJwe = (jwe: string) => {\n const jweParts = jwe.split('.')\n return jweParts.length === 5 && jweParts.every((part) => BASE64_URL_REGEX.test(part))\n}\n\nexport const decodeProtectedHeader = (jwt: string) => {\n return jwtDecode(jwt, { header: true })\n}\n\nexport const decodeJwt = (jwt: string): JwtPayload => {\n return jwtDecode(jwt, { header: false })\n}\n\nexport const checkExp = (input: {\n exp: number\n now?: number // The number of milliseconds elapsed since midnight, January 1, 1970 Universal Coordinated Time (UTC).\n clockSkew?: number\n}) => {\n const { exp, now, clockSkew } = input\n return exp < (now ?? Date.now() / 1000) - (clockSkew ?? 120)\n}\n","import { jwtDecode } from 'jwt-decode'\n// eslint-disable-next-line @typescript-eslint/ban-ts-comment\n// @ts-ignore\nimport * as u8a from 'uint8arrays'\nconst { toString } = u8a\n\nimport { v4 as uuidv4 } from 'uuid'\n\nimport { defaultHasher } from '../hasher'\nimport {\n calculateJwkThumbprint,\n CreateJwtCallback,\n epochTime,\n getNowSkewed,\n JWK,\n JwtHeader,\n JwtIssuerJwk,\n JwtPayload,\n parseJWT,\n SigningAlgo,\n VerifyJwtCallbackBase,\n} from '../jwt'\n\nexport const dpopTokenRequestNonceError = 'use_dpop_nonce'\n\nexport interface DPoPJwtIssuerWithContext extends JwtIssuerJwk {\n type: 'dpop'\n dPoPSigningAlgValuesSupported?: string[]\n}\n\nexport type DPoPJwtPayloadProps = {\n htu: string\n iat: number\n htm: 'GET' \| 'POST' \| 'PUT' \| 'DELETE' \| 'HEAD' \| 'OPTIONS' \| 'TRACE' \| 'CONNECT' \| 'PATCH'\n ath?: string\n nonce?: string\n jti: string\n}\nexport type DPoPJwtHeaderProps = { typ: 'dpop+jwt'; alg: SigningAlgo; jwk: JWK }\nexport type CreateDPoPJwtPayloadProps = Omit<DPoPJwtPayloadProps, 'iat' \| 'jti' \| 'ath'> & { accessToken?: string }\n\nexport interface CreateDPoPOpts<JwtPayloadProps = CreateDPoPJwtPayloadProps> {\n createJwtCallback: CreateJwtCallback<DPoPJwtIssuerWithContext>\n jwtIssuer: Omit<JwtIssuerJwk, 'method' \| 'type'>\n jwtPayloadProps: Record<string, unknown> & JwtPayloadProps\n dPoPSigningAlgValuesSupported?: (string \| SigningAlgo)[]\n}\n\nexport type CreateDPoPClientOpts = CreateDPoPOpts<Omit<CreateDPoPJwtPayloadProps, 'htm' \| 'htu'>>\n\nexport function getCreateDPoPOptions(\n createDPoPClientOpts: CreateDPoPClientOpts,\n endPointUrl: string,\n resourceRequestOpts?: { accessToken: string },\n): CreateDPoPOpts {\n const htu = endPointUrl.split('?')[0].split('#')[0]\n return {\n ...createDPoPClientOpts,\n jwtPayloadProps: {\n ...createDPoPClientOpts.jwtPayloadProps,\n htu,\n htm: 'POST',\n ...(resourceRequestOpts && { accessToken: resourceRequestOpts.accessToken }),\n },\n }\n}\n\nexport async function createDPoP(options: CreateDPoPOpts): Promise<string> {\n const { createJwtCallback, jwtIssuer, jwtPayloadProps, dPoPSigningAlgValuesSupported } = options\n\n if (jwtPayloadProps.accessToken && (jwtPayloadProps.accessToken?.startsWith('DPoP ') \|\| jwtPayloadProps.accessToken?.startsWith('Bearer '))) {\n throw new Error('expected access token without scheme')\n }\n\n const ath = jwtPayloadProps.accessToken ? toString(defaultHasher(jwtPayloadProps.accessToken, 'sha256'), 'base64url') : undefined\n return createJwtCallback(\n { method: 'jwk', type: 'dpop', alg: jwtIssuer.alg, jwk: jwtIssuer.jwk, dPoPSigningAlgValuesSupported },\n {\n header: { ...jwtIssuer, typ: 'dpop+jwt', alg: jwtIssuer.alg, jwk: jwtIssuer.jwk },\n payload: {\n ...jwtPayloadProps,\n iat: epochTime(),\n jti: uuidv4(),\n ...(ath && { ath }),\n },\n },\n )\n}\n\nexport type DPoPVerifyJwtCallback = VerifyJwtCallbackBase<JwtIssuerJwk & { type: 'dpop' }>\nexport interface DPoPVerifyOptions {\n expectedNonce?: string\n acceptedAlgorithms?: (string \| SigningAlgo)[]\n // defaults to 300 seconds (5 minutes)\n maxIatAgeInSeconds?: number\n expectAccessToken?: boolean\n jwtVerifyCallback: DPoPVerifyJwtCallback\n now?: number\n}\n\nexport async function verifyDPoP(\n request: { headers: Record<string, string \| string[] \| undefined>; fullUrl: string } & Pick<Request, 'method'>,\n options: DPoPVerifyOptions,\n) {\n // There is not more than one DPoP HTTP request header field.\n const dpop = request.headers['dpop']\n if (!dpop \|\| typeof dpop !== 'string') {\n throw new Error('missing or invalid dpop header. Expected compact JWT')\n }\n\n // The DPoP HTTP request header field value is a single and well-formed JWT.\n const { header: dPoPHeader, payload: dPoPPayload } = parseJWT<JwtHeader, JwtPayload & Partial<DPoPJwtPayloadProps>>(dpop)\n\n // Ensure all required header claims are present\n if (dPoPHeader.typ !== 'dpop+jwt' \|\| !dPoPHeader.alg \|\| !dPoPHeader.jwk \|\| typeof dPoPHeader.jwk !== 'object' \|\| dPoPHeader.jwk.d) {\n throw new Error('invalid_dpop_proof. Invalid header claims')\n }\n\n // Ensure all required payload claims are present\n if (!dPoPPayload.htm \|\| !dPoPPayload.htu \|\| !dPoPPayload.iat \|\| !dPoPPayload.jti) {\n throw new Error('invalid_dpop_proof. Missing required claims')\n }\n\n // Validate alg is supported\n if (options?.acceptedAlgorithms && !options.acceptedAlgorithms.includes(dPoPHeader.alg)) {\n throw new Error(`invalid_dpop_proof. Invalid 'alg' claim '${dPoPHeader.alg}'. Only ${options.acceptedAlgorithms.join(', ')} are supported.`)\n }\n\n // Validate nonce if provided\n if ((options?.expectedNonce && !dPoPPayload.nonce) \|\| dPoPPayload.nonce !== options.expectedNonce) {\n throw new Error('invalid_dpop_proof. Nonce mismatch')\n }\n\n // Verify JWT signature\n try {\n const verificationResult = await options.jwtVerifyCallback(\n {\n method: 'jwk',\n type: 'dpop',\n jwk: dPoPHeader.jwk,\n alg: dPoPHeader.alg,\n },\n {\n header: dPoPHeader,\n payload: dPoPPayload,\n raw: dpop,\n },\n )\n\n if (!verificationResult) {\n throw new Error('invalid_dpop_proof. Invalid JWT signature')\n }\n } catch (error: unknown) {\n throw new Error('invalid_dpop_proof. Invalid JWT signature. ' + (error instanceof Error ? error.message : 'Unknown error'))\n }\n\n // Validate htm claim\n if (dPoPPayload.htm !== request.method) {\n throw new Error(`invalid_dpop_proof. Invalid htm claim. Must match request method '${request.method}'`)\n }\n\n // The htu claim matches the HTTP URI value for the HTTP request in which the JWT was received, ignoring any query and fragment parts.\n const currentUri = request.fullUrl.split('?')[0].split('#')[0]\n if (dPoPPayload.htu !== currentUri) {\n throw new Error('invalid_dpop_proof. Invalid htu claim')\n }\n\n // Validate nonce if provided\n if ((options.expectedNonce && dPoPPayload.nonce !== options.expectedNonce) \|\| (!options.expectedNonce && dPoPPayload.nonce)) {\n throw new Error('invalid_dpop_proof. Nonce mismatch')\n }\n\n // Validate iat claim\n const { nowSkewedPast, nowSkewedFuture } = getNowSkewed(options.now)\n if (\n // iat claim is too far in the future\n nowSkewedPast - (options.maxIatAgeInSeconds ?? 60) > dPoPPayload.iat \|\|\n // iat claim is too old\n nowSkewedFuture + (options.maxIatAgeInSeconds ?? 60) < dPoPPayload.iat\n ) {\n // 5 minute window\n throw new Error('invalid_dpop_proof. Invalid iat claim')\n }\n\n // If access token is present, validate ath claim\n const authorizationHeader = request.headers.authorization\n if (!options.expectAccessToken && authorizationHeader) {\n throw new Error('invalid_dpop_proof. Received an unexpected authorization header.')\n }\n\n if (options.expectAccessToken) {\n if (!dPoPPayload.ath) {\n throw new Error('invalid_dpop_proof. Missing expected ath claim.')\n }\n\n // validate that the DPOP proof is made for the provided access token\n if (!authorizationHeader \|\| typeof authorizationHeader !== 'string' \|\| !authorizationHeader.startsWith('DPoP ')) {\n throw new Error('invalid_dpop_proof. Invalid authorization header.')\n }\n\n const accessToken = authorizationHeader.replace('DPoP ', '')\n const expectedAth = toString(defaultHasher(accessToken, 'sha256'), 'base64url')\n if (dPoPPayload.ath !== expectedAth) {\n throw new Error('invalid_dpop_proof. Invalid ath claim')\n }\n\n // validate that the access token is signed with the same key as the DPOP proof\n const accessTokenPayload = jwtDecode<JwtPayload & { cnf?: { jkt?: string } }>(accessToken, { header: false })\n if (!accessTokenPayload.cnf?.jkt) {\n throw new Error('invalid_dpop_proof. Access token is missing the jkt claim')\n }\n\n const thumprint = await calculateJwkThumbprint(dPoPHeader.jwk, 'sha256')\n if (accessTokenPayload.cnf?.jkt !== thumprint) {\n throw new Error('invalid_dpop_proof. JwkThumbprint mismatch')\n }\n }\n\n // If all validations pass, return the dpop jwk\n return dPoPHeader.jwk\n}\n\n/*\n DPoP verifications for resource requests\n * For Bearer token compatibility jwt's must have a token_type claim\n * The access token itself must be validated before using this method\n * If the token_type is not DPoP, then the request is not a DPoP request\n * and we don't need to verify the DPoP proof\n /\nexport async function verifyResourceDPoP(\n request: { headers: Record<string, string \| string[] \| undefined>; fullUrl: string } & Pick<Request, 'method'>,\n options: Omit<DPoPVerifyOptions, 'expectAccessToken'>,\n) {\n if (!request.headers.authorization \|\| typeof request.headers.authorization !== 'string') {\n throw new Error('Received an invalid resource request. Missing authorization header.')\n }\n const tokenPayload = jwtDecode<JwtPayload & { token_type?: string }>(request.headers.authorization, { header: false })\n const tokenType = tokenPayload.token_type\n\n if (tokenType !== 'DPoP') {\n return\n }\n\n return verifyDPoP(request, { ...options, expectAccessToken: true })\n}\n","// eslint-disable-next-line @typescript-eslint/ban-ts-comment\n// @ts-ignore\nimport as u8a from 'uint8arrays'\n\nconst { fromString, toString } = u8a\n\nexport function base64ToHexString(input: string, encoding?: 'base64url' \| 'base64'): string {\n return toString(fromString(input, encoding ?? 'base64url'), 'base16')\n}\n\nexport function fromBase64(base64: string): string {\n return base64.replace(/=/g, '').replace(/\\+/g, '-').replace(/\\//g, '_')\n}\n\nexport function base64urlEncodeBuffer(buf: { toString: (arg0: 'base64') => string }): string {\n return fromBase64(buf.toString('base64'))\n}\n\nexport function base64urlToString(base64url: string): string {\n const uint8array = fromString(base64url, 'base64url')\n return toString(uint8array, 'ascii')\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,IAAAA,oBAAwB;;;ACkBjB,IAAKC,cAAAA,0BAAAA,cAAAA;;;;;;SAAAA;;;;AChBZ,UAAqB;;;ACFrB,uBAAsC;AAE/B,IAAMC,gBAA4B,wBAACC,MAA4BC,cAAAA;AACpE,aAAOC,4BAAUF,MAAMC,SAAAA;AACzB,GAFyC;;;ADCzC,IAAM,EAAEE,SAAQ,IAAKC;AAOrB,IAAMC,QAAQ,wBAACC,OAAgBC,gBAAAA;AAC7B,MAAI,OAAOD,UAAU,YAAY,CAACA,OAAO;AACvC,UAAME,MAAM,GAAGD,WAAAA,qBAAgC;EACjD;AACF,GAJc;AAMd,eAAsBE,uBAAuBC,KAAUC,iBAAiC;AACtF,MAAI,CAACD,OAAO,OAAOA,QAAQ,UAAU;AACnC,UAAM,IAAIE,UAAU,uBAAA;EACtB;AACA,QAAMC,YAAYF,mBAAmB;AACrC,MAAIE,cAAc,YAAYA,cAAc,YAAYA,cAAc,UAAU;AAC9E,UAAM,IAAID,UAAU,6DAAA;EACtB;AACA,MAAIE;AACJ,UAAQJ,IAAIK,KAAG;IACb,KAAK;AACHV,YAAMK,IAAIM,KAAK,yBAAA;AACfX,YAAMK,IAAIO,GAAG,8BAAA;AACbZ,YAAMK,IAAIQ,GAAG,8BAAA;AACbJ,mBAAa;QAAEE,KAAKN,IAAIM;QAAKD,KAAKL,IAAIK;QAAKE,GAAGP,IAAIO;QAAGC,GAAGR,IAAIQ;MAAE;AAC9D;IACF,KAAK;AACHb,YAAMK,IAAIM,KAAK,uCAAA;AACfX,YAAMK,IAAIO,GAAG,4BAAA;AACbH,mBAAa;QAAEE,KAAKN,IAAIM;QAAKD,KAAKL,IAAIK;QAAKE,GAAGP,IAAIO;MAAE;AACpD;IACF,KAAK;AACHZ,YAAMK,IAAIS,GAAG,0BAAA;AACbd,YAAMK,IAAIU,GAAG,yBAAA;AACbN,mBAAa;QAAEK,GAAGT,IAAIS;QAAGJ,KAAKL,IAAIK;QAAKK,GAAGV,IAAIU;MAAE;AAChD;IACF,KAAK;AACHf,YAAMK,IAAIW,GAAG,2BAAA;AACbP,mBAAa;QAAEO,GAAGX,IAAIW;QAAGN,KAAKL,IAAIK;MAAI;AACtC;IACF;AACE,YAAMP,MAAM,mDAAA;EAChB;AACA,SAAOL,SAASmB,cAAcC,KAAKC,UAAUV,UAAAA,GAAaD,SAAAA,GAAY,WAAA;AACxE;AAlCsBJ;AAoCtB,eAAsBgB,uCAAuCC,KAAW;AACtE,QAAMC,QAAQD,IAAIC,MAAM,kDAAA;AACxB,MAAI,CAACA,OAAO;AACV,UAAM,IAAInB,MAAM,wCAAwCkB,GAAAA,EAAK;EAC/D;AACA,QAAMb,YAAY,MAAMc,MAAM,CAAA,CAAE;AAChC,MAAId,cAAc,YAAYA,cAAc,YAAYA,cAAc,UAAU;AAC9E,UAAM,IAAIL,MAAM,+CAA+CkB,GAAAA,EAAK;EACtE;AACA,SAAOb;AACT;AAVsBY;AAYtB,eAAsBG,0BAA0BlB,KAAUC,kBAAmC,UAAQ;AACnG,QAAMkB,aAAa,MAAMpB,uBAAuBC,KAAKC,eAAAA;AACrD,SAAO,4CAA4CA,gBAAgBmB,MAAM,EAAC,CAAA,IAAMD,UAAAA;AAClF;AAHsBD;;;AEPf,IAAMG,oBAAoB,wBAACC,KAAiDC,YAAAA;AACjF,QAAM,EAAEC,KAAI,IAAKD;AACjB,MAAI,CAACD,IAAIG,OAAOC,IAAK,OAAM,IAAIC,MAAM,8CAA8C;AACnF,MAAI,CAACL,IAAIG,OAAOG,IAAK,OAAM,IAAID,MAAM,8CAA8C;AAEnF,MAAI,CAACL,IAAIG,OAAOC,IAAIG,SAAS,GAAA,GAAM;AACjC,UAAM,IAAIF,MAAM,8BAA8BH,IAAAA,mCAAuC;EACvF;AACA,SAAO;IAAEM,QAAQ;IAAOC,QAAQT,IAAIG,OAAOC;IAAKF;IAAYI,KAAKN,IAAIG,OAAOG;EAAI;AAClF,GATiC;AAWjC,IAAMI,YAAY,wBAACR,MAAeS,YAAAA;AAEhC,MAAIT,SAAS,kBAAkB;AAC7B,QAAI,CAACS,QAAQC,WAAW;AACtB,YAAM,IAAIP,MAAM,wDAAA;IAClB;AACA,WAAOM,QAAQC;EACjB;AAEA,MAAI,OAAOD,QAAQE,QAAQ,UAAU;AACnC,UAAM,IAAIR,MAAM,6BAA6BH,IAAAA,mDAAuD;EACtG;AACA,SAAOS,QAAQE;AACjB,GAbkB;AAeX,IAAMC,iBAAiB,wBAACd,KAAiDC,YAAAA;AAC9E,QAAM,EAAEC,KAAI,IAAKD;AACjB,MAAI,CAACD,IAAIG,OAAOY,IAAK,OAAM,IAAIV,MAAM,8CAA8C;AACnF,MAAI,CAACL,IAAIG,OAAOG,IAAK,OAAM,IAAID,MAAM,8CAA8C;AAEnF,MAAI,CAACW,MAAMC,QAAQjB,IAAIG,OAAOY,GAAG,KAAKf,IAAIG,OAAOY,IAAIG,WAAW,KAAK,CAAClB,IAAIG,OAAOY,IAAII,MAAM,CAACC,SAAS,OAAOA,SAAS,QAAA,GAAW;AAC9H,UAAM,IAAIf,MAAM,8BAA8BH,IAAAA,mCAAuC;EACvF;AAEA,SAAO;IACLM,QAAQ;IACRO,KAAKf,IAAIG,OAAOY;IAChBM,QAAQX,UAAUR,MAAMF,IAAIW,OAAO;IACnCT;IACAI,KAAKN,IAAIG,OAAOG;EAClB;AACF,GAhB8B;AAkBvB,IAAMgB,iBAAiB,8BAAOtB,KAAiDC,YAAAA;AACpF,QAAM,EAAEC,KAAI,IAAKD;AACjB,MAAI,CAACD,IAAIG,OAAOoB,IAAK,OAAM,IAAIlB,MAAM,+CAA+C;AACpF,MAAI,CAACL,IAAIG,OAAOG,IAAK,OAAM,IAAID,MAAM,8CAA8C;AAEnF,MAAI,OAAOL,IAAIG,OAAOoB,QAAQ,UAAU;AACtC,UAAM,IAAIlB,MAAM,6BAA6BH,IAAAA,mCAAuC;EACtF;AAEA,SAAO;IAAEM,QAAQ;IAAON;IAAMqB,KAAKvB,IAAIG,OAAOoB;IAAKjB,KAAKN,IAAIG,OAAOG;EAAI;AACzE,GAV8B;AAYvB,IAAMkB,4BAA4B,8BACvCxB,KACAC,YAAAA;AAEA,QAAM,EAAEE,QAAQQ,QAAO,IAAKX;AAE5B,MAAIG,OAAOC,KAAKqB,WAAW,MAAA,EAAS,QAAO1B,kBAAkB;IAAEI;IAAQQ;EAAQ,GAAGV,OAAAA;WACzED,IAAIG,OAAOY,IAAK,QAAOD,eAAe;IAAEX;IAAQQ;EAAQ,GAAGV,OAAAA;WAC3DD,IAAIG,OAAOoB,IAAK,QAAOD,eAAe;IAAEnB;IAAQQ;EAAQ,GAAGV,OAAAA;AAEpE,SAAO;IAAEO,QAAQ;IAAUN,MAAMD,QAAQC;EAAK;AAChD,GAXyC;;;ACjHzC,wBAA0B;AAQnB,SAASwB,SAAmDC,KAAW;AAC5E,QAAMC,aAASC,6BAAkBF,KAAK;IAAEC,QAAQ;EAAK,CAAA;AACrD,QAAME,cAAUD,6BAAmBF,KAAK;IAAEC,QAAQ;EAAM,CAAA;AAExD,MAAI,CAACE,WAAW,CAACF,QAAQ;AACvB,UAAM,IAAIG,MAAM,+CAAA;EAClB;AACA,SAAO;IAAEH;IAAQE;EAAQ;AAC3B;AARgBJ;AAiBhB,IAAMM,oBAAoB;AAEnB,SAASC,aAAaC,KAAcC,UAAiB;AAC1D,QAAMC,OAAOF,MAAMA,MAAMG,UAAAA;AACzB,QAAMC,YAAYH,WAAWA,WAAWH;AAExC,SAAO;IACLO,eAAeH,OAAOE;IACtBE,iBAAiBJ,OAAOE;EAC1B;AACF;AARgBL;AAaT,SAASI,YAAAA;AACd,SAAOI,KAAKC,MAAMC,KAAKT,IAAG,IAAK,GAAA;AACjC;AAFgBG;AAIT,IAAMO,mBAAmB;AAEzB,IAAMC,QAAQ,wBAACC,QAAAA;AACpB,QAAMC,WAAWD,IAAIE,MAAM,GAAA;AAC3B,SAAOD,SAASE,WAAW,KAAKF,SAASG,MAAM,CAACC,SAASP,iBAAiBQ,KAAKD,IAAAA,CAAAA;AACjF,GAHqB;AAId,IAAME,QAAQ,wBAACC,QAAAA;AACpB,QAAMC,WAAWD,IAAIN,MAAM,GAAA;AAC3B,SAAOO,SAASN,WAAW,KAAKM,SAASL,MAAM,CAACC,SAASP,iBAAiBQ,KAAKD,IAAAA,CAAAA;AACjF,GAHqB;AAKd,IAAMK,wBAAwB,wBAAC7B,QAAAA;AACpC,aAAOE,6BAAUF,KAAK;IAAEC,QAAQ;EAAK,CAAA;AACvC,GAFqC;AAI9B,IAAM6B,YAAY,wBAAC9B,QAAAA;AACxB,aAAOE,6BAAUF,KAAK;IAAEC,QAAQ;EAAM,CAAA;AACxC,GAFyB;AAIlB,IAAM8B,WAAW,wBAACC,UAAAA;AAKvB,QAAM,EAAEC,KAAK1B,KAAK2B,UAAS,IAAKF;AAChC,SAAOC,OAAO1B,OAAOS,KAAKT,IAAG,IAAK,QAAS2B,aAAa;AAC1D,GAPwB;;;AC/DxB,IAAAC,qBAA0B;AAG1B,IAAAC,OAAqB;AAGrB,kBAA6B;AAF7B,IAAM,EAAEC,UAAAA,UAAQ,IAAKC;AAmBd,IAAMC,6BAA6B;AA2BnC,SAASC,qBACdC,sBACAC,aACAC,qBAA6C;AAE7C,QAAMC,MAAMF,YAAYG,MAAM,GAAA,EAAK,CAAA,EAAGA,MAAM,GAAA,EAAK,CAAA;AACjD,SAAO;IACL,GAAGJ;IACHK,iBAAiB;MACf,GAAGL,qBAAqBK;MACxBF;MACAG,KAAK;MACL,GAAIJ,uBAAuB;QAAEK,aAAaL,oBAAoBK;MAAY;IAC5E;EACF;AACF;AAfgBR;AAiBhB,eAAsBS,WAAWC,SAAuB;AACtD,QAAM,EAAEC,mBAAmBC,WAAWN,iBAAiBO,8BAA6B,IAAKH;AAEzF,MAAIJ,gBAAgBE,gBAAgBF,gBAAgBE,aAAaM,WAAW,OAAA,KAAYR,gBAAgBE,aAAaM,WAAW,SAAA,IAAa;AAC3I,UAAM,IAAIC,MAAM,sCAAA;EAClB;AAEA,QAAMC,MAAMV,gBAAgBE,cAAcX,UAASoB,cAAcX,gBAAgBE,aAAa,QAAA,GAAW,WAAA,IAAeU;AACxH,SAAOP,kBACL;IAAEQ,QAAQ;IAAOC,MAAM;IAAQC,KAAKT,UAAUS;IAAKC,KAAKV,UAAUU;IAAKT;EAA8B,GACrG;IACEU,QAAQ;MAAE,GAAGX;MAAWY,KAAK;MAAYH,KAAKT,UAAUS;MAAKC,KAAKV,UAAUU;IAAI;IAChFG,SAAS;MACP,GAAGnB;MACHoB,KAAKC,UAAAA;MACLC,SAAKC,YAAAA,IAAAA;MACL,GAAIb,OAAO;QAAEA;MAAI;IACnB;EACF,CAAA;AAEJ;AApBsBP;AAiCtB,eAAsBqB,WACpBC,SACArB,SAA0B;AAG1B,QAAMsB,OAAOD,QAAQE,QAAQ,MAAA;AAC7B,MAAI,CAACD,QAAQ,OAAOA,SAAS,UAAU;AACrC,UAAM,IAAIjB,MAAM,sDAAA;EAClB;AAGA,QAAM,EAAEQ,QAAQW,YAAYT,SAASU,YAAW,IAAKC,SAA+DJ,IAAAA;AAGpH,MAAIE,WAAWV,QAAQ,cAAc,CAACU,WAAWb,OAAO,CAACa,WAAWZ,OAAO,OAAOY,WAAWZ,QAAQ,YAAYY,WAAWZ,IAAIe,GAAG;AACjI,UAAM,IAAItB,MAAM,2CAAA;EAClB;AAGA,MAAI,CAACoB,YAAY5B,OAAO,CAAC4B,YAAY/B,OAAO,CAAC+B,YAAYT,OAAO,CAACS,YAAYP,KAAK;AAChF,UAAM,IAAIb,MAAM,6CAAA;EAClB;AAGA,MAAIL,SAAS4B,sBAAsB,CAAC5B,QAAQ4B,mBAAmBC,SAASL,WAAWb,GAAG,GAAG;AACvF,UAAM,IAAIN,MAAM,4CAA4CmB,WAAWb,GAAG,WAAWX,QAAQ4B,mBAAmBE,KAAK,IAAA,CAAA,iBAAsB;EAC7I;AAGA,MAAK9B,SAAS+B,iBAAiB,CAACN,YAAYO,SAAUP,YAAYO,UAAUhC,QAAQ+B,eAAe;AACjG,UAAM,IAAI1B,MAAM,oCAAA;EAClB;AAGA,MAAI;AACF,UAAM4B,qBAAqB,MAAMjC,QAAQkC,kBACvC;MACEzB,QAAQ;MACRC,MAAM;MACNE,KAAKY,WAAWZ;MAChBD,KAAKa,WAAWb;IAClB,GACA;MACEE,QAAQW;MACRT,SAASU;MACTU,KAAKb;IACP,CAAA;AAGF,QAAI,CAACW,oBAAoB;AACvB,YAAM,IAAI5B,MAAM,2CAAA;IAClB;EACF,SAAS+B,OAAgB;AACvB,UAAM,IAAI/B,MAAM,iDAAiD+B,iBAAiB/B,QAAQ+B,MAAMC,UAAU,gBAAc;EAC1H;AAGA,MAAIZ,YAAY5B,QAAQwB,QAAQZ,QAAQ;AACtC,UAAM,IAAIJ,MAAM,qEAAqEgB,QAAQZ,MAAM,GAAG;EACxG;AAGA,QAAM6B,aAAajB,QAAQkB,QAAQ5C,MAAM,GAAA,EAAK,CAAA,EAAGA,MAAM,GAAA,EAAK,CAAA;AAC5D,MAAI8B,YAAY/B,QAAQ4C,YAAY;AAClC,UAAM,IAAIjC,MAAM,uCAAA;EAClB;AAGA,MAAKL,QAAQ+B,iBAAiBN,YAAYO,UAAUhC,QAAQ+B,iBAAmB,CAAC/B,QAAQ+B,iBAAiBN,YAAYO,OAAQ;AAC3H,UAAM,IAAI3B,MAAM,oCAAA;EAClB;AAGA,QAAM,EAAEmC,eAAeC,gBAAe,IAAKC,aAAa1C,QAAQ2C,GAAG;AACnE;;IAEEH,iBAAiBxC,QAAQ4C,sBAAsB,MAAMnB,YAAYT;IAEjEyB,mBAAmBzC,QAAQ4C,sBAAsB,MAAMnB,YAAYT;IACnE;AAEA,UAAM,IAAIX,MAAM,uCAAA;EAClB;AAGA,QAAMwC,sBAAsBxB,QAAQE,QAAQuB;AAC5C,MAAI,CAAC9C,QAAQ+C,qBAAqBF,qBAAqB;AACrD,UAAM,IAAIxC,MAAM,kEAAA;EAClB;AAEA,MAAIL,QAAQ+C,mBAAmB;AAC7B,QAAI,CAACtB,YAAYnB,KAAK;AACpB,YAAM,IAAID,MAAM,iDAAA;IAClB;AAGA,QAAI,CAACwC,uBAAuB,OAAOA,wBAAwB,YAAY,CAACA,oBAAoBzC,WAAW,OAAA,GAAU;AAC/G,YAAM,IAAIC,MAAM,mDAAA;IAClB;AAEA,UAAMP,cAAc+C,oBAAoBG,QAAQ,SAAS,EAAA;AACzD,UAAMC,cAAc9D,UAASoB,cAAcT,aAAa,QAAA,GAAW,WAAA;AACnE,QAAI2B,YAAYnB,QAAQ2C,aAAa;AACnC,YAAM,IAAI5C,MAAM,uCAAA;IAClB;AAGA,UAAM6C,yBAAqBC,8BAAmDrD,aAAa;MAAEe,QAAQ;IAAM,CAAA;AAC3G,QAAI,CAACqC,mBAAmBE,KAAKC,KAAK;AAChC,YAAM,IAAIhD,MAAM,2DAAA;IAClB;AAEA,UAAMiD,YAAY,MAAMC,uBAAuB/B,WAAWZ,KAAK,QAAA;AAC/D,QAAIsC,mBAAmBE,KAAKC,QAAQC,WAAW;AAC7C,YAAM,IAAIjD,MAAM,4CAAA;IAClB;EACF;AAGA,SAAOmB,WAAWZ;AACpB;AAxHsBQ;AAiItB,eAAsBoC,mBACpBnC,SACArB,SAAqD;AAErD,MAAI,CAACqB,QAAQE,QAAQuB,iBAAiB,OAAOzB,QAAQE,QAAQuB,kBAAkB,UAAU;AACvF,UAAM,IAAIzC,MAAM,qEAAA;EAClB;AACA,QAAMoD,mBAAeN,8BAAgD9B,QAAQE,QAAQuB,eAAe;IAAEjC,QAAQ;EAAM,CAAA;AACpH,QAAM6C,YAAYD,aAAaE;AAE/B,MAAID,cAAc,QAAQ;AACxB;EACF;AAEA,SAAOtC,WAAWC,SAAS;IAAE,GAAGrB;IAAS+C,mBAAmB;EAAK,CAAA;AACnE;AAfsBS;;;ACnOtB,IAAAI,OAAqB;AAErB,IAAM,EAAEC,YAAYC,UAAAA,UAAQ,IAAKC;AAE1B,SAASC,kBAAkBC,OAAeC,UAAiC;AAChF,SAAOJ,UAASD,WAAWI,OAAOC,YAAY,WAAA,GAAc,QAAA;AAC9D;AAFgBF;AAIT,SAASG,WAAWC,QAAc;AACvC,SAAOA,OAAOC,QAAQ,MAAM,EAAA,EAAIA,QAAQ,OAAO,GAAA,EAAKA,QAAQ,OAAO,GAAA;AACrE;AAFgBF;AAIT,SAASG,sBAAsBC,KAA6C;AACjF,SAAOJ,WAAWI,IAAIT,SAAS,QAAA,CAAA;AACjC;AAFgBQ;AAIT,SAASE,kBAAkBC,WAAiB;AACjD,QAAMC,aAAab,WAAWY,WAAW,WAAA;AACzC,SAAOX,UAASY,YAAY,OAAA;AAC9B;AAHgBF;;;APPhB,IAAAG,eAA6B;AATtB,IAAMC,cAAcC,0BAAQC;AAC5B,IAAMC,iBAAiBH,YAAYI,IAAI,yBAAA;","names":["import_ssi_types","SigningAlgo","defaultHasher","data","algorithm","shaHasher","toString","u8a","check","value","description","Error","calculateJwkThumbprint","jwk","digestAlgorithm","TypeError","algorithm","components","kty","crv","x","y","e","n","k","defaultHasher","JSON","stringify","getDigestAlgorithmFromJwkThumbprintUri","uri","match","calculateJwkThumbprintUri","thumbprint","slice","getDidJwtVerifier","jwt","options","type","header","kid","Error","alg","includes","method","didUrl","getIssuer","payload","client_id","iss","getX5cVerifier","x5c","Array","isArray","length","every","cert","issuer","getJwkVerifier","jwk","getJwtVerifierWithContext","startsWith","parseJWT","jwt","header","jwtDecode","payload","Error","DEFAULT_SKEW_TIME","getNowSkewed","now","skewTime","_now","epochTime","_skewTime","nowSkewedPast","nowSkewedFuture","Math","floor","Date","BASE64_URL_REGEX","isJws","jws","jwsParts","split","length","every","part","test","isJwe","jwe","jweParts","decodeProtectedHeader","decodeJwt","checkExp","input","exp","clockSkew","import_jwt_decode","u8a","toString","u8a","dpopTokenRequestNonceError","getCreateDPoPOptions","createDPoPClientOpts","endPointUrl","resourceRequestOpts","htu","split","jwtPayloadProps","htm","accessToken","createDPoP","options","createJwtCallback","jwtIssuer","dPoPSigningAlgValuesSupported","startsWith","Error","ath","defaultHasher","undefined","method","type","alg","jwk","header","typ","payload","iat","epochTime","jti","uuidv4","verifyDPoP","request","dpop","headers","dPoPHeader","dPoPPayload","parseJWT","d","acceptedAlgorithms","includes","join","expectedNonce","nonce","verificationResult","jwtVerifyCallback","raw","error","message","currentUri","fullUrl","nowSkewedPast","nowSkewedFuture","getNowSkewed","now","maxIatAgeInSeconds","authorizationHeader","authorization","expectAccessToken","replace","expectedAth","accessTokenPayload","jwtDecode","cnf","jkt","thumprint","calculateJwkThumbprint","verifyResourceDPoP","tokenPayload","tokenType","token_type","u8a","fromString","toString","u8a","base64ToHexString","input","encoding","fromBase64","base64","replace","base64urlEncodeBuffer","buf","base64urlToString","base64url","uint8array","import_uuid","VCI_LOGGERS","Loggers","DEFAULT","VCI_LOG_COMMON","get"]}
1	+ {"version":3,"sources":["../lib/index.ts","../lib/jwt/Jwt.types.ts","../lib/jwt/JwkThumbprint.ts","../lib/hasher.ts","../lib/jwt/JwtVerifier.ts","../lib/jwt/jwtUtils.ts","../lib/dpop/DPoP.ts","../lib/helpers/Encodings.ts"],"sourcesContent":["import { Loggers } from '@sphereon/ssi-types'\n\nexport const VCI_LOGGERS = Loggers.DEFAULT\nexport const VCI_LOG_COMMON = VCI_LOGGERS.get('sphereon:oid4vci:common')\n\nexport * from './types'\nexport * from './jwt'\nexport * from './dpop'\nexport * from './oauth'\nexport * from './helpers/Encodings'\n\nexport { v4 as uuidv4 } from 'uuid'\nexport { defaultHasher } from './hasher'\n","import { JwtHeader as jwtDecodeJwtHeader, JwtPayload as jwtDecodePayload } from 'jwt-decode'\n\nimport { JWK } from './Jwk.types'\n\nexport type JwtHeader = jwtDecodeJwtHeader & {\n alg?: string\n x5c?: string[]\n kid?: string\n jwk?: JWK\n jwt?: string\n} & Record<string, unknown>\n\nexport type JwtPayload = jwtDecodePayload & {\n client_id?: string\n nonce?: string\n request_uri?: string\n} & Record<string, unknown>\n\nexport enum SigningAlgo {\n EDDSA = 'EdDSA',\n RS256 = 'RS256',\n PS256 = 'PS256',\n ES256 = 'ES256',\n ES256K = 'ES256K',\n}\n","// eslint-disable-next-line @typescript-eslint/ban-ts-comment\n// @ts-ignore\nimport * as u8a from 'uint8arrays'\nconst { toString } = u8a\n\nimport { defaultHasher } from '../hasher'\nimport { DigestAlgorithm } from '../types'\n\nimport { JWK } from './Jwk.types'\n\nconst check = (value: unknown, description: string) => {\n if (typeof value !== 'string' \|\| !value) {\n throw Error(`${description} missing or invalid`)\n }\n}\n\nexport async function calculateJwkThumbprint(jwk: JWK, digestAlgorithm?: DigestAlgorithm): Promise<string> {\n if (!jwk \|\| typeof jwk !== 'object') {\n throw new TypeError('JWK must be an object')\n }\n const algorithm = digestAlgorithm ?? 'sha256'\n if (algorithm !== 'sha256' && algorithm !== 'sha384' && algorithm !== 'sha512') {\n throw new TypeError('digestAlgorithm must one of \"sha256\", \"sha384\", or \"sha512\"')\n }\n let components\n switch (jwk.kty) {\n case 'EC':\n check(jwk.crv, '\"crv\" (Curve) Parameter')\n check(jwk.x, '\"x\" (X Coordinate) Parameter')\n check(jwk.y, '\"y\" (Y Coordinate) Parameter')\n components = { crv: jwk.crv, kty: jwk.kty, x: jwk.x, y: jwk.y }\n break\n case 'OKP':\n check(jwk.crv, '\"crv\" (Subtype of Key Pair) Parameter')\n check(jwk.x, '\"x\" (Public Key) Parameter')\n components = { crv: jwk.crv, kty: jwk.kty, x: jwk.x }\n break\n case 'RSA':\n check(jwk.e, '\"e\" (Exponent) Parameter')\n check(jwk.n, '\"n\" (Modulus) Parameter')\n components = { e: jwk.e, kty: jwk.kty, n: jwk.n }\n break\n case 'oct':\n check(jwk.k, '\"k\" (Key Value) Parameter')\n components = { k: jwk.k, kty: jwk.kty }\n break\n default:\n throw Error('\"kty\" (Key Type) Parameter missing or unsupported')\n }\n return toString(defaultHasher(JSON.stringify(components), algorithm), 'base64url')\n}\n\nexport async function getDigestAlgorithmFromJwkThumbprintUri(uri: string): Promise<DigestAlgorithm> {\n const match = uri.match(/^urn:ietf:params:oauth:jwk-thumbprint:sha-(\\w+):/)\n if (!match) {\n throw new Error(`Invalid JWK thumbprint URI structure ${uri}`)\n }\n const algorithm = `sha${match[1]}` as DigestAlgorithm\n if (algorithm !== 'sha256' && algorithm !== 'sha384' && algorithm !== 'sha512') {\n throw new Error(`Invalid JWK thumbprint URI digest algorithm ${uri}`)\n }\n return algorithm\n}\n\nexport async function calculateJwkThumbprintUri(jwk: JWK, digestAlgorithm: DigestAlgorithm = 'sha256'): Promise<string> {\n const thumbprint = await calculateJwkThumbprint(jwk, digestAlgorithm)\n return `urn:ietf:params:oauth:jwk-thumbprint:sha-${digestAlgorithm.slice(-3)}:${thumbprint}`\n}\n","import { HasherSync, shaHasher } from '@sphereon/ssi-types'\n\nexport const defaultHasher: HasherSync = (data: string \| ArrayBuffer \| SharedArrayBuffer, algorithm: string) => {\n return shaHasher(data, algorithm)\n}\n","import { JWK } from './Jwk.types'\nimport { JwtHeader, JwtPayload, SigningAlgo } from './Jwt.types'\nimport { JwtProtectionMethod, JwtType } from './jwtUtils'\n\nexport interface JwtVerifierBase {\n type: JwtType\n method: JwtProtectionMethod\n}\n\nexport interface DidJwtVerifier extends JwtVerifierBase {\n method: 'did'\n\n alg: SigningAlgo \| string\n didUrl: string\n}\n\nexport interface X5cJwtVerifier extends JwtVerifierBase {\n method: 'x5c'\n\n alg: SigningAlgo \| string\n\n /*\n \n * Array of base64-encoded certificate strings in the DER-format.\n \n The certificate containing the public key corresponding to the key used to digitally sign the JWS MUST be the first certificate.\n /\n x5c: Array<string>\n\n /\n The jwt issuer\n /\n issuer: string\n}\n\nexport interface OpenIdFederationJwtVerifier extends JwtVerifierBase {\n method: 'openid-federation'\n\n /\n The OpenId federation Entity\n /\n entityId: string\n}\n\nexport interface JwkJwtVerifier extends JwtVerifierBase {\n method: 'jwk'\n alg: SigningAlgo \| string\n\n jwk: JWK\n}\n\nexport interface CustomJwtVerifier extends JwtVerifierBase {\n method: 'custom'\n}\n\nexport type JwtVerifier = DidJwtVerifier \| X5cJwtVerifier \| CustomJwtVerifier \| JwkJwtVerifier \| OpenIdFederationJwtVerifier\n\nexport const getDidJwtVerifier = (jwt: { header: JwtHeader; payload: JwtPayload }, options: { type: JwtType }): DidJwtVerifier => {\n const { type } = options\n if (!jwt.header.kid) throw new Error(`Received an invalid JWT. Missing kid header.`)\n if (!jwt.header.alg) throw new Error(`Received an invalid JWT. Missing alg header.`)\n\n if (!jwt.header.kid.includes('#')) {\n throw new Error(`Received an invalid JWT.. '${type}' contains an invalid kid header.`)\n }\n return { method: 'did', didUrl: jwt.header.kid, type: type, alg: jwt.header.alg }\n}\n\nconst getIssuer = (type: JwtType, payload: JwtPayload): string => {\n // For 'request-object' the `iss` value is not required so we map the issuer to client_id\n if (type === 'request-object') {\n if (!payload.client_id) {\n throw new Error('Missing required field client_id in request object JWT')\n }\n return payload.client_id as string\n }\n\n if (typeof payload.iss !== 'string') {\n throw new Error(`Received an invalid JWT. '${type}' contains an invalid iss claim or it is missing.`)\n }\n return payload.iss\n}\n\nexport const getX5cVerifier = (jwt: { header: JwtHeader; payload: JwtPayload }, options: { type: JwtType }): X5cJwtVerifier => {\n const { type } = options\n if (!jwt.header.x5c) throw new Error(`Received an invalid JWT. Missing x5c header.`)\n if (!jwt.header.alg) throw new Error(`Received an invalid JWT. Missing alg header.`)\n\n if (!Array.isArray(jwt.header.x5c) \|\| jwt.header.x5c.length === 0 \|\| !jwt.header.x5c.every((cert) => typeof cert === 'string')) {\n throw new Error(`Received an invalid JWT.. '${type}' contains an invalid x5c header.`)\n }\n\n return {\n method: 'x5c',\n x5c: jwt.header.x5c,\n issuer: getIssuer(type, jwt.payload),\n type: type,\n alg: jwt.header.alg,\n }\n}\n\nexport const getJwkVerifier = async (jwt: { header: JwtHeader; payload: JwtPayload }, options: { type: JwtType }): Promise<JwkJwtVerifier> => {\n const { type } = options\n if (!jwt.header.jwk) throw new Error(`Received an invalid JWT. Missing jwk header.`)\n if (!jwt.header.alg) throw new Error(`Received an invalid JWT. Missing alg header.`)\n\n if (typeof jwt.header.jwk !== 'object') {\n throw new Error(`Received an invalid JWT. '${type}' contains an invalid jwk header.`)\n }\n\n return { method: 'jwk', type, jwk: jwt.header.jwk, alg: jwt.header.alg }\n}\n\nexport const getJwtVerifierWithContext = async (\n jwt: { header: JwtHeader; payload: JwtPayload },\n options: { type: JwtType },\n): Promise<JwtVerifier> => {\n const { header, payload } = jwt\n\n if (header.kid?.startsWith('did:')) return getDidJwtVerifier({ header, payload }, options)\n else if (jwt.header.x5c) return getX5cVerifier({ header, payload }, options)\n else if (jwt.header.jwk) return getJwkVerifier({ header, payload }, options)\n\n return { method: 'custom', type: options.type }\n}\n\nexport type VerifyJwtCallbackBase<T extends JwtVerifier> = (\n jwtVerifier: T,\n jwt: { header: JwtHeader; payload: JwtPayload; raw: string },\n) => Promise<boolean>\n","import { jwtDecode } from 'jwt-decode'\n\nimport { JwtHeader, JwtPayload } from './Jwt.types'\n\nexport type JwtType = 'id-token' \| 'request-object' \| 'verifier-attestation' \| 'dpop'\n\nexport type JwtProtectionMethod = 'did' \| 'x5c' \| 'jwk' \| 'openid-federation' \| 'custom'\n\nexport function parseJWT<Header = JwtHeader, Payload = JwtPayload>(jwt: string) {\n const header = jwtDecode<Header>(jwt, { header: true })\n const payload = jwtDecode<Payload>(jwt, { header: false })\n\n if (!payload \|\| !header) {\n throw new Error('Jwt Payload and/or Header could not be parsed')\n }\n return { header, payload }\n}\n\n/\n The maximum allowed clock skew time in seconds. If an time based validation\n * is performed against current time (`now`), the validation can be of by the skew\n * time.\n \n See https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.5\n /\nconst DEFAULT_SKEW_TIME = 60\n\nexport function getNowSkewed(now?: number, skewTime?: number) {\n const _now = now ? now : epochTime()\n const _skewTime = skewTime ? skewTime : DEFAULT_SKEW_TIME\n\n return {\n nowSkewedPast: _now - _skewTime,\n nowSkewedFuture: _now + _skewTime,\n }\n}\n\n/\n Returns the current unix timestamp in seconds.\n /\nexport function epochTime() {\n return Math.floor(Date.now() / 1000)\n}\n\nexport const BASE64_URL_REGEX = /^([0-9a-zA-Z-_]{4})(([0-9a-zA-Z-_]{2}(==)?)\|([0-9a-zA-Z-_]{3}(=)?))?$/\n\nexport const isJws = (jws: string) => {\n const jwsParts = jws.split('.')\n return jwsParts.length === 3 && jwsParts.every((part) => BASE64_URL_REGEX.test(part))\n}\nexport const isJwe = (jwe: string) => {\n const jweParts = jwe.split('.')\n return jweParts.length === 5 && jweParts.every((part) => BASE64_URL_REGEX.test(part))\n}\n\nexport const decodeProtectedHeader = (jwt: string) => {\n return jwtDecode(jwt, { header: true })\n}\n\nexport const decodeJwt = (jwt: string): JwtPayload => {\n return jwtDecode(jwt, { header: false })\n}\n\nexport const checkExp = (input: {\n exp: number\n now?: number // The number of milliseconds elapsed since midnight, January 1, 1970 Universal Coordinated Time (UTC).\n clockSkew?: number\n}) => {\n const { exp, now, clockSkew } = input\n return exp < (now ?? Date.now() / 1000) - (clockSkew ?? 120)\n}\n","import { jwtDecode } from 'jwt-decode'\n// eslint-disable-next-line @typescript-eslint/ban-ts-comment\n// @ts-ignore\nimport * as u8a from 'uint8arrays'\nconst { toString } = u8a\n\nimport { v4 as uuidv4 } from 'uuid'\n\nimport { defaultHasher } from '../hasher'\nimport {\n calculateJwkThumbprint,\n CreateJwtCallback,\n epochTime,\n getNowSkewed,\n JWK,\n JwtHeader,\n JwtIssuerJwk,\n JwtPayload,\n parseJWT,\n SigningAlgo,\n VerifyJwtCallbackBase,\n} from '../jwt'\n\nexport const dpopTokenRequestNonceError = 'use_dpop_nonce'\n\nexport interface DPoPJwtIssuerWithContext extends JwtIssuerJwk {\n type: 'dpop'\n dPoPSigningAlgValuesSupported?: string[]\n}\n\nexport type DPoPJwtPayloadProps = {\n htu: string\n iat: number\n htm: 'GET' \| 'POST' \| 'PUT' \| 'DELETE' \| 'HEAD' \| 'OPTIONS' \| 'TRACE' \| 'CONNECT' \| 'PATCH'\n ath?: string\n nonce?: string\n jti: string\n}\nexport type DPoPJwtHeaderProps = { typ: 'dpop+jwt'; alg: SigningAlgo; jwk: JWK }\nexport type CreateDPoPJwtPayloadProps = Omit<DPoPJwtPayloadProps, 'iat' \| 'jti' \| 'ath'> & { accessToken?: string }\n\nexport interface CreateDPoPOpts<JwtPayloadProps = CreateDPoPJwtPayloadProps> {\n createJwtCallback: CreateJwtCallback<DPoPJwtIssuerWithContext>\n jwtIssuer: Omit<JwtIssuerJwk, 'method' \| 'type'>\n jwtPayloadProps: Record<string, unknown> & JwtPayloadProps\n dPoPSigningAlgValuesSupported?: (string \| SigningAlgo)[]\n}\n\nexport type CreateDPoPClientOpts = CreateDPoPOpts<Omit<CreateDPoPJwtPayloadProps, 'htm' \| 'htu'>>\n\nexport function getCreateDPoPOptions(\n createDPoPClientOpts: CreateDPoPClientOpts,\n endPointUrl: string,\n resourceRequestOpts?: { accessToken: string },\n): CreateDPoPOpts {\n const htu = endPointUrl.split('?')[0].split('#')[0]\n return {\n ...createDPoPClientOpts,\n jwtPayloadProps: {\n ...createDPoPClientOpts.jwtPayloadProps,\n htu,\n htm: 'POST',\n ...(resourceRequestOpts && { accessToken: resourceRequestOpts.accessToken }),\n },\n }\n}\n\nexport async function createDPoP(options: CreateDPoPOpts): Promise<string> {\n const { createJwtCallback, jwtIssuer, jwtPayloadProps, dPoPSigningAlgValuesSupported } = options\n\n if (jwtPayloadProps.accessToken && (jwtPayloadProps.accessToken?.startsWith('DPoP ') \|\| jwtPayloadProps.accessToken?.startsWith('Bearer '))) {\n throw new Error('expected access token without scheme')\n }\n\n const ath = jwtPayloadProps.accessToken ? toString(defaultHasher(jwtPayloadProps.accessToken, 'sha256'), 'base64url') : undefined\n return createJwtCallback(\n { method: 'jwk', type: 'dpop', alg: jwtIssuer.alg, jwk: jwtIssuer.jwk, dPoPSigningAlgValuesSupported },\n {\n header: { ...jwtIssuer, typ: 'dpop+jwt', alg: jwtIssuer.alg, jwk: jwtIssuer.jwk },\n payload: {\n ...jwtPayloadProps,\n iat: epochTime(),\n jti: uuidv4(),\n ...(ath && { ath }),\n },\n },\n )\n}\n\nexport type DPoPVerifyJwtCallback = VerifyJwtCallbackBase<JwtIssuerJwk & { type: 'dpop' }>\nexport interface DPoPVerifyOptions {\n expectedNonce?: string\n acceptedAlgorithms?: (string \| SigningAlgo)[]\n // defaults to 300 seconds (5 minutes)\n maxIatAgeInSeconds?: number\n expectAccessToken?: boolean\n jwtVerifyCallback: DPoPVerifyJwtCallback\n now?: number\n}\n\nexport async function verifyDPoP(\n request: { headers: Record<string, string \| string[] \| undefined>; fullUrl: string } & Pick<Request, 'method'>,\n options: DPoPVerifyOptions,\n) {\n // There is not more than one DPoP HTTP request header field.\n const dpop = request.headers['dpop']\n if (!dpop \|\| typeof dpop !== 'string') {\n throw new Error('missing or invalid dpop header. Expected compact JWT')\n }\n\n // The DPoP HTTP request header field value is a single and well-formed JWT.\n const { header: dPoPHeader, payload: dPoPPayload } = parseJWT<JwtHeader, JwtPayload & Partial<DPoPJwtPayloadProps>>(dpop)\n\n // Ensure all required header claims are present\n if (dPoPHeader.typ !== 'dpop+jwt' \|\| !dPoPHeader.alg \|\| !dPoPHeader.jwk \|\| typeof dPoPHeader.jwk !== 'object' \|\| dPoPHeader.jwk.d) {\n throw new Error('invalid_dpop_proof. Invalid header claims')\n }\n\n // Ensure all required payload claims are present\n if (!dPoPPayload.htm \|\| !dPoPPayload.htu \|\| !dPoPPayload.iat \|\| !dPoPPayload.jti) {\n throw new Error('invalid_dpop_proof. Missing required claims')\n }\n\n // Validate alg is supported\n if (options?.acceptedAlgorithms && !options.acceptedAlgorithms.includes(dPoPHeader.alg)) {\n throw new Error(`invalid_dpop_proof. Invalid 'alg' claim '${dPoPHeader.alg}'. Only ${options.acceptedAlgorithms.join(', ')} are supported.`)\n }\n\n // Validate nonce if provided\n if ((options?.expectedNonce && !dPoPPayload.nonce) \|\| dPoPPayload.nonce !== options.expectedNonce) {\n throw new Error('invalid_dpop_proof. Nonce mismatch')\n }\n\n // Verify JWT signature\n try {\n const verificationResult = await options.jwtVerifyCallback(\n {\n method: 'jwk',\n type: 'dpop',\n jwk: dPoPHeader.jwk,\n alg: dPoPHeader.alg,\n },\n {\n header: dPoPHeader,\n payload: dPoPPayload,\n raw: dpop,\n },\n )\n\n if (!verificationResult) {\n throw new Error('invalid_dpop_proof. Invalid JWT signature')\n }\n } catch (error: unknown) {\n throw new Error('invalid_dpop_proof. Invalid JWT signature. ' + (error instanceof Error ? error.message : 'Unknown error'))\n }\n\n // Validate htm claim\n if (dPoPPayload.htm !== request.method) {\n throw new Error(`invalid_dpop_proof. Invalid htm claim. Must match request method '${request.method}'`)\n }\n\n // The htu claim matches the HTTP URI value for the HTTP request in which the JWT was received, ignoring any query and fragment parts.\n const currentUri = request.fullUrl.split('?')[0].split('#')[0]\n if (dPoPPayload.htu !== currentUri) {\n throw new Error('invalid_dpop_proof. Invalid htu claim')\n }\n\n // Validate nonce if provided\n if ((options.expectedNonce && dPoPPayload.nonce !== options.expectedNonce) \|\| (!options.expectedNonce && dPoPPayload.nonce)) {\n throw new Error('invalid_dpop_proof. Nonce mismatch')\n }\n\n // Validate iat claim\n const { nowSkewedPast, nowSkewedFuture } = getNowSkewed(options.now)\n if (\n // iat claim is too far in the future\n nowSkewedPast - (options.maxIatAgeInSeconds ?? 60) > dPoPPayload.iat \|\|\n // iat claim is too old\n nowSkewedFuture + (options.maxIatAgeInSeconds ?? 60) < dPoPPayload.iat\n ) {\n // 5 minute window\n throw new Error('invalid_dpop_proof. Invalid iat claim')\n }\n\n // If access token is present, validate ath claim\n const authorizationHeader = request.headers.authorization\n if (!options.expectAccessToken && authorizationHeader) {\n throw new Error('invalid_dpop_proof. Received an unexpected authorization header.')\n }\n\n if (options.expectAccessToken) {\n if (!dPoPPayload.ath) {\n throw new Error('invalid_dpop_proof. Missing expected ath claim.')\n }\n\n // validate that the DPOP proof is made for the provided access token\n if (!authorizationHeader \|\| typeof authorizationHeader !== 'string' \|\| !authorizationHeader.startsWith('DPoP ')) {\n throw new Error('invalid_dpop_proof. Invalid authorization header.')\n }\n\n const accessToken = authorizationHeader.replace('DPoP ', '')\n const expectedAth = toString(defaultHasher(accessToken, 'sha256'), 'base64url')\n if (dPoPPayload.ath !== expectedAth) {\n throw new Error('invalid_dpop_proof. Invalid ath claim')\n }\n\n // validate that the access token is signed with the same key as the DPOP proof\n const accessTokenPayload = jwtDecode<JwtPayload & { cnf?: { jkt?: string } }>(accessToken, { header: false })\n if (!accessTokenPayload.cnf?.jkt) {\n throw new Error('invalid_dpop_proof. Access token is missing the jkt claim')\n }\n\n const thumprint = await calculateJwkThumbprint(dPoPHeader.jwk, 'sha256')\n if (accessTokenPayload.cnf?.jkt !== thumprint) {\n throw new Error('invalid_dpop_proof. JwkThumbprint mismatch')\n }\n }\n\n // If all validations pass, return the dpop jwk\n return dPoPHeader.jwk\n}\n\n/*\n DPoP verifications for resource requests\n * For Bearer token compatibility jwt's must have a token_type claim\n * The access token itself must be validated before using this method\n * If the token_type is not DPoP, then the request is not a DPoP request\n * and we don't need to verify the DPoP proof\n /\nexport async function verifyResourceDPoP(\n request: { headers: Record<string, string \| string[] \| undefined>; fullUrl: string } & Pick<Request, 'method'>,\n options: Omit<DPoPVerifyOptions, 'expectAccessToken'>,\n) {\n if (!request.headers.authorization \|\| typeof request.headers.authorization !== 'string') {\n throw new Error('Received an invalid resource request. Missing authorization header.')\n }\n const tokenPayload = jwtDecode<JwtPayload & { token_type?: string }>(request.headers.authorization, { header: false })\n const tokenType = tokenPayload.token_type\n\n if (tokenType !== 'DPoP') {\n return\n }\n\n return verifyDPoP(request, { ...options, expectAccessToken: true })\n}\n","// eslint-disable-next-line @typescript-eslint/ban-ts-comment\n// @ts-ignore\nimport as u8a from 'uint8arrays'\n\nconst { fromString, toString } = u8a\n\nexport function base64ToHexString(input: string, encoding?: 'base64url' \| 'base64'): string {\n return toString(fromString(input, encoding ?? 'base64url'), 'base16')\n}\n\nexport function fromBase64(base64: string): string {\n return base64.replace(/=/g, '').replace(/\\+/g, '-').replace(/\\//g, '_')\n}\n\nexport function base64urlEncodeBuffer(buf: { toString: (arg0: 'base64') => string }): string {\n return fromBase64(buf.toString('base64'))\n}\n\nexport function base64urlToString(base64url: string): string {\n const uint8array = fromString(base64url, 'base64url')\n return toString(uint8array, 'ascii')\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,IAAAA,oBAAwB;;;ACkBjB,IAAKC,cAAAA,0BAAAA,cAAAA;;;;;;SAAAA;;;;AChBZ,UAAqB;;;ACFrB,uBAAsC;AAE/B,IAAMC,gBAA4B,wBAACC,MAAgDC,cAAAA;AACxF,aAAOC,4BAAUF,MAAMC,SAAAA;AACzB,GAFyC;;;ADCzC,IAAM,EAAEE,SAAQ,IAAKC;AAOrB,IAAMC,QAAQ,wBAACC,OAAgBC,gBAAAA;AAC7B,MAAI,OAAOD,UAAU,YAAY,CAACA,OAAO;AACvC,UAAME,MAAM,GAAGD,WAAAA,qBAAgC;EACjD;AACF,GAJc;AAMd,eAAsBE,uBAAuBC,KAAUC,iBAAiC;AACtF,MAAI,CAACD,OAAO,OAAOA,QAAQ,UAAU;AACnC,UAAM,IAAIE,UAAU,uBAAA;EACtB;AACA,QAAMC,YAAYF,mBAAmB;AACrC,MAAIE,cAAc,YAAYA,cAAc,YAAYA,cAAc,UAAU;AAC9E,UAAM,IAAID,UAAU,6DAAA;EACtB;AACA,MAAIE;AACJ,UAAQJ,IAAIK,KAAG;IACb,KAAK;AACHV,YAAMK,IAAIM,KAAK,yBAAA;AACfX,YAAMK,IAAIO,GAAG,8BAAA;AACbZ,YAAMK,IAAIQ,GAAG,8BAAA;AACbJ,mBAAa;QAAEE,KAAKN,IAAIM;QAAKD,KAAKL,IAAIK;QAAKE,GAAGP,IAAIO;QAAGC,GAAGR,IAAIQ;MAAE;AAC9D;IACF,KAAK;AACHb,YAAMK,IAAIM,KAAK,uCAAA;AACfX,YAAMK,IAAIO,GAAG,4BAAA;AACbH,mBAAa;QAAEE,KAAKN,IAAIM;QAAKD,KAAKL,IAAIK;QAAKE,GAAGP,IAAIO;MAAE;AACpD;IACF,KAAK;AACHZ,YAAMK,IAAIS,GAAG,0BAAA;AACbd,YAAMK,IAAIU,GAAG,yBAAA;AACbN,mBAAa;QAAEK,GAAGT,IAAIS;QAAGJ,KAAKL,IAAIK;QAAKK,GAAGV,IAAIU;MAAE;AAChD;IACF,KAAK;AACHf,YAAMK,IAAIW,GAAG,2BAAA;AACbP,mBAAa;QAAEO,GAAGX,IAAIW;QAAGN,KAAKL,IAAIK;MAAI;AACtC;IACF;AACE,YAAMP,MAAM,mDAAA;EAChB;AACA,SAAOL,SAASmB,cAAcC,KAAKC,UAAUV,UAAAA,GAAaD,SAAAA,GAAY,WAAA;AACxE;AAlCsBJ;AAoCtB,eAAsBgB,uCAAuCC,KAAW;AACtE,QAAMC,QAAQD,IAAIC,MAAM,kDAAA;AACxB,MAAI,CAACA,OAAO;AACV,UAAM,IAAInB,MAAM,wCAAwCkB,GAAAA,EAAK;EAC/D;AACA,QAAMb,YAAY,MAAMc,MAAM,CAAA,CAAE;AAChC,MAAId,cAAc,YAAYA,cAAc,YAAYA,cAAc,UAAU;AAC9E,UAAM,IAAIL,MAAM,+CAA+CkB,GAAAA,EAAK;EACtE;AACA,SAAOb;AACT;AAVsBY;AAYtB,eAAsBG,0BAA0BlB,KAAUC,kBAAmC,UAAQ;AACnG,QAAMkB,aAAa,MAAMpB,uBAAuBC,KAAKC,eAAAA;AACrD,SAAO,4CAA4CA,gBAAgBmB,MAAM,EAAC,CAAA,IAAMD,UAAAA;AAClF;AAHsBD;;;AEPf,IAAMG,oBAAoB,wBAACC,KAAiDC,YAAAA;AACjF,QAAM,EAAEC,KAAI,IAAKD;AACjB,MAAI,CAACD,IAAIG,OAAOC,IAAK,OAAM,IAAIC,MAAM,8CAA8C;AACnF,MAAI,CAACL,IAAIG,OAAOG,IAAK,OAAM,IAAID,MAAM,8CAA8C;AAEnF,MAAI,CAACL,IAAIG,OAAOC,IAAIG,SAAS,GAAA,GAAM;AACjC,UAAM,IAAIF,MAAM,8BAA8BH,IAAAA,mCAAuC;EACvF;AACA,SAAO;IAAEM,QAAQ;IAAOC,QAAQT,IAAIG,OAAOC;IAAKF;IAAYI,KAAKN,IAAIG,OAAOG;EAAI;AAClF,GATiC;AAWjC,IAAMI,YAAY,wBAACR,MAAeS,YAAAA;AAEhC,MAAIT,SAAS,kBAAkB;AAC7B,QAAI,CAACS,QAAQC,WAAW;AACtB,YAAM,IAAIP,MAAM,wDAAA;IAClB;AACA,WAAOM,QAAQC;EACjB;AAEA,MAAI,OAAOD,QAAQE,QAAQ,UAAU;AACnC,UAAM,IAAIR,MAAM,6BAA6BH,IAAAA,mDAAuD;EACtG;AACA,SAAOS,QAAQE;AACjB,GAbkB;AAeX,IAAMC,iBAAiB,wBAACd,KAAiDC,YAAAA;AAC9E,QAAM,EAAEC,KAAI,IAAKD;AACjB,MAAI,CAACD,IAAIG,OAAOY,IAAK,OAAM,IAAIV,MAAM,8CAA8C;AACnF,MAAI,CAACL,IAAIG,OAAOG,IAAK,OAAM,IAAID,MAAM,8CAA8C;AAEnF,MAAI,CAACW,MAAMC,QAAQjB,IAAIG,OAAOY,GAAG,KAAKf,IAAIG,OAAOY,IAAIG,WAAW,KAAK,CAAClB,IAAIG,OAAOY,IAAII,MAAM,CAACC,SAAS,OAAOA,SAAS,QAAA,GAAW;AAC9H,UAAM,IAAIf,MAAM,8BAA8BH,IAAAA,mCAAuC;EACvF;AAEA,SAAO;IACLM,QAAQ;IACRO,KAAKf,IAAIG,OAAOY;IAChBM,QAAQX,UAAUR,MAAMF,IAAIW,OAAO;IACnCT;IACAI,KAAKN,IAAIG,OAAOG;EAClB;AACF,GAhB8B;AAkBvB,IAAMgB,iBAAiB,8BAAOtB,KAAiDC,YAAAA;AACpF,QAAM,EAAEC,KAAI,IAAKD;AACjB,MAAI,CAACD,IAAIG,OAAOoB,IAAK,OAAM,IAAIlB,MAAM,+CAA+C;AACpF,MAAI,CAACL,IAAIG,OAAOG,IAAK,OAAM,IAAID,MAAM,8CAA8C;AAEnF,MAAI,OAAOL,IAAIG,OAAOoB,QAAQ,UAAU;AACtC,UAAM,IAAIlB,MAAM,6BAA6BH,IAAAA,mCAAuC;EACtF;AAEA,SAAO;IAAEM,QAAQ;IAAON;IAAMqB,KAAKvB,IAAIG,OAAOoB;IAAKjB,KAAKN,IAAIG,OAAOG;EAAI;AACzE,GAV8B;AAYvB,IAAMkB,4BAA4B,8BACvCxB,KACAC,YAAAA;AAEA,QAAM,EAAEE,QAAQQ,QAAO,IAAKX;AAE5B,MAAIG,OAAOC,KAAKqB,WAAW,MAAA,EAAS,QAAO1B,kBAAkB;IAAEI;IAAQQ;EAAQ,GAAGV,OAAAA;WACzED,IAAIG,OAAOY,IAAK,QAAOD,eAAe;IAAEX;IAAQQ;EAAQ,GAAGV,OAAAA;WAC3DD,IAAIG,OAAOoB,IAAK,QAAOD,eAAe;IAAEnB;IAAQQ;EAAQ,GAAGV,OAAAA;AAEpE,SAAO;IAAEO,QAAQ;IAAUN,MAAMD,QAAQC;EAAK;AAChD,GAXyC;;;ACjHzC,wBAA0B;AAQnB,SAASwB,SAAmDC,KAAW;AAC5E,QAAMC,aAASC,6BAAkBF,KAAK;IAAEC,QAAQ;EAAK,CAAA;AACrD,QAAME,cAAUD,6BAAmBF,KAAK;IAAEC,QAAQ;EAAM,CAAA;AAExD,MAAI,CAACE,WAAW,CAACF,QAAQ;AACvB,UAAM,IAAIG,MAAM,+CAAA;EAClB;AACA,SAAO;IAAEH;IAAQE;EAAQ;AAC3B;AARgBJ;AAiBhB,IAAMM,oBAAoB;AAEnB,SAASC,aAAaC,KAAcC,UAAiB;AAC1D,QAAMC,OAAOF,MAAMA,MAAMG,UAAAA;AACzB,QAAMC,YAAYH,WAAWA,WAAWH;AAExC,SAAO;IACLO,eAAeH,OAAOE;IACtBE,iBAAiBJ,OAAOE;EAC1B;AACF;AARgBL;AAaT,SAASI,YAAAA;AACd,SAAOI,KAAKC,MAAMC,KAAKT,IAAG,IAAK,GAAA;AACjC;AAFgBG;AAIT,IAAMO,mBAAmB;AAEzB,IAAMC,QAAQ,wBAACC,QAAAA;AACpB,QAAMC,WAAWD,IAAIE,MAAM,GAAA;AAC3B,SAAOD,SAASE,WAAW,KAAKF,SAASG,MAAM,CAACC,SAASP,iBAAiBQ,KAAKD,IAAAA,CAAAA;AACjF,GAHqB;AAId,IAAME,QAAQ,wBAACC,QAAAA;AACpB,QAAMC,WAAWD,IAAIN,MAAM,GAAA;AAC3B,SAAOO,SAASN,WAAW,KAAKM,SAASL,MAAM,CAACC,SAASP,iBAAiBQ,KAAKD,IAAAA,CAAAA;AACjF,GAHqB;AAKd,IAAMK,wBAAwB,wBAAC7B,QAAAA;AACpC,aAAOE,6BAAUF,KAAK;IAAEC,QAAQ;EAAK,CAAA;AACvC,GAFqC;AAI9B,IAAM6B,YAAY,wBAAC9B,QAAAA;AACxB,aAAOE,6BAAUF,KAAK;IAAEC,QAAQ;EAAM,CAAA;AACxC,GAFyB;AAIlB,IAAM8B,WAAW,wBAACC,UAAAA;AAKvB,QAAM,EAAEC,KAAK1B,KAAK2B,UAAS,IAAKF;AAChC,SAAOC,OAAO1B,OAAOS,KAAKT,IAAG,IAAK,QAAS2B,aAAa;AAC1D,GAPwB;;;AC/DxB,IAAAC,qBAA0B;AAG1B,IAAAC,OAAqB;AAGrB,kBAA6B;AAF7B,IAAM,EAAEC,UAAAA,UAAQ,IAAKC;AAmBd,IAAMC,6BAA6B;AA2BnC,SAASC,qBACdC,sBACAC,aACAC,qBAA6C;AAE7C,QAAMC,MAAMF,YAAYG,MAAM,GAAA,EAAK,CAAA,EAAGA,MAAM,GAAA,EAAK,CAAA;AACjD,SAAO;IACL,GAAGJ;IACHK,iBAAiB;MACf,GAAGL,qBAAqBK;MACxBF;MACAG,KAAK;MACL,GAAIJ,uBAAuB;QAAEK,aAAaL,oBAAoBK;MAAY;IAC5E;EACF;AACF;AAfgBR;AAiBhB,eAAsBS,WAAWC,SAAuB;AACtD,QAAM,EAAEC,mBAAmBC,WAAWN,iBAAiBO,8BAA6B,IAAKH;AAEzF,MAAIJ,gBAAgBE,gBAAgBF,gBAAgBE,aAAaM,WAAW,OAAA,KAAYR,gBAAgBE,aAAaM,WAAW,SAAA,IAAa;AAC3I,UAAM,IAAIC,MAAM,sCAAA;EAClB;AAEA,QAAMC,MAAMV,gBAAgBE,cAAcX,UAASoB,cAAcX,gBAAgBE,aAAa,QAAA,GAAW,WAAA,IAAeU;AACxH,SAAOP,kBACL;IAAEQ,QAAQ;IAAOC,MAAM;IAAQC,KAAKT,UAAUS;IAAKC,KAAKV,UAAUU;IAAKT;EAA8B,GACrG;IACEU,QAAQ;MAAE,GAAGX;MAAWY,KAAK;MAAYH,KAAKT,UAAUS;MAAKC,KAAKV,UAAUU;IAAI;IAChFG,SAAS;MACP,GAAGnB;MACHoB,KAAKC,UAAAA;MACLC,SAAKC,YAAAA,IAAAA;MACL,GAAIb,OAAO;QAAEA;MAAI;IACnB;EACF,CAAA;AAEJ;AApBsBP;AAiCtB,eAAsBqB,WACpBC,SACArB,SAA0B;AAG1B,QAAMsB,OAAOD,QAAQE,QAAQ,MAAA;AAC7B,MAAI,CAACD,QAAQ,OAAOA,SAAS,UAAU;AACrC,UAAM,IAAIjB,MAAM,sDAAA;EAClB;AAGA,QAAM,EAAEQ,QAAQW,YAAYT,SAASU,YAAW,IAAKC,SAA+DJ,IAAAA;AAGpH,MAAIE,WAAWV,QAAQ,cAAc,CAACU,WAAWb,OAAO,CAACa,WAAWZ,OAAO,OAAOY,WAAWZ,QAAQ,YAAYY,WAAWZ,IAAIe,GAAG;AACjI,UAAM,IAAItB,MAAM,2CAAA;EAClB;AAGA,MAAI,CAACoB,YAAY5B,OAAO,CAAC4B,YAAY/B,OAAO,CAAC+B,YAAYT,OAAO,CAACS,YAAYP,KAAK;AAChF,UAAM,IAAIb,MAAM,6CAAA;EAClB;AAGA,MAAIL,SAAS4B,sBAAsB,CAAC5B,QAAQ4B,mBAAmBC,SAASL,WAAWb,GAAG,GAAG;AACvF,UAAM,IAAIN,MAAM,4CAA4CmB,WAAWb,GAAG,WAAWX,QAAQ4B,mBAAmBE,KAAK,IAAA,CAAA,iBAAsB;EAC7I;AAGA,MAAK9B,SAAS+B,iBAAiB,CAACN,YAAYO,SAAUP,YAAYO,UAAUhC,QAAQ+B,eAAe;AACjG,UAAM,IAAI1B,MAAM,oCAAA;EAClB;AAGA,MAAI;AACF,UAAM4B,qBAAqB,MAAMjC,QAAQkC,kBACvC;MACEzB,QAAQ;MACRC,MAAM;MACNE,KAAKY,WAAWZ;MAChBD,KAAKa,WAAWb;IAClB,GACA;MACEE,QAAQW;MACRT,SAASU;MACTU,KAAKb;IACP,CAAA;AAGF,QAAI,CAACW,oBAAoB;AACvB,YAAM,IAAI5B,MAAM,2CAAA;IAClB;EACF,SAAS+B,OAAgB;AACvB,UAAM,IAAI/B,MAAM,iDAAiD+B,iBAAiB/B,QAAQ+B,MAAMC,UAAU,gBAAc;EAC1H;AAGA,MAAIZ,YAAY5B,QAAQwB,QAAQZ,QAAQ;AACtC,UAAM,IAAIJ,MAAM,qEAAqEgB,QAAQZ,MAAM,GAAG;EACxG;AAGA,QAAM6B,aAAajB,QAAQkB,QAAQ5C,MAAM,GAAA,EAAK,CAAA,EAAGA,MAAM,GAAA,EAAK,CAAA;AAC5D,MAAI8B,YAAY/B,QAAQ4C,YAAY;AAClC,UAAM,IAAIjC,MAAM,uCAAA;EAClB;AAGA,MAAKL,QAAQ+B,iBAAiBN,YAAYO,UAAUhC,QAAQ+B,iBAAmB,CAAC/B,QAAQ+B,iBAAiBN,YAAYO,OAAQ;AAC3H,UAAM,IAAI3B,MAAM,oCAAA;EAClB;AAGA,QAAM,EAAEmC,eAAeC,gBAAe,IAAKC,aAAa1C,QAAQ2C,GAAG;AACnE;;IAEEH,iBAAiBxC,QAAQ4C,sBAAsB,MAAMnB,YAAYT;IAEjEyB,mBAAmBzC,QAAQ4C,sBAAsB,MAAMnB,YAAYT;IACnE;AAEA,UAAM,IAAIX,MAAM,uCAAA;EAClB;AAGA,QAAMwC,sBAAsBxB,QAAQE,QAAQuB;AAC5C,MAAI,CAAC9C,QAAQ+C,qBAAqBF,qBAAqB;AACrD,UAAM,IAAIxC,MAAM,kEAAA;EAClB;AAEA,MAAIL,QAAQ+C,mBAAmB;AAC7B,QAAI,CAACtB,YAAYnB,KAAK;AACpB,YAAM,IAAID,MAAM,iDAAA;IAClB;AAGA,QAAI,CAACwC,uBAAuB,OAAOA,wBAAwB,YAAY,CAACA,oBAAoBzC,WAAW,OAAA,GAAU;AAC/G,YAAM,IAAIC,MAAM,mDAAA;IAClB;AAEA,UAAMP,cAAc+C,oBAAoBG,QAAQ,SAAS,EAAA;AACzD,UAAMC,cAAc9D,UAASoB,cAAcT,aAAa,QAAA,GAAW,WAAA;AACnE,QAAI2B,YAAYnB,QAAQ2C,aAAa;AACnC,YAAM,IAAI5C,MAAM,uCAAA;IAClB;AAGA,UAAM6C,yBAAqBC,8BAAmDrD,aAAa;MAAEe,QAAQ;IAAM,CAAA;AAC3G,QAAI,CAACqC,mBAAmBE,KAAKC,KAAK;AAChC,YAAM,IAAIhD,MAAM,2DAAA;IAClB;AAEA,UAAMiD,YAAY,MAAMC,uBAAuB/B,WAAWZ,KAAK,QAAA;AAC/D,QAAIsC,mBAAmBE,KAAKC,QAAQC,WAAW;AAC7C,YAAM,IAAIjD,MAAM,4CAAA;IAClB;EACF;AAGA,SAAOmB,WAAWZ;AACpB;AAxHsBQ;AAiItB,eAAsBoC,mBACpBnC,SACArB,SAAqD;AAErD,MAAI,CAACqB,QAAQE,QAAQuB,iBAAiB,OAAOzB,QAAQE,QAAQuB,kBAAkB,UAAU;AACvF,UAAM,IAAIzC,MAAM,qEAAA;EAClB;AACA,QAAMoD,mBAAeN,8BAAgD9B,QAAQE,QAAQuB,eAAe;IAAEjC,QAAQ;EAAM,CAAA;AACpH,QAAM6C,YAAYD,aAAaE;AAE/B,MAAID,cAAc,QAAQ;AACxB;EACF;AAEA,SAAOtC,WAAWC,SAAS;IAAE,GAAGrB;IAAS+C,mBAAmB;EAAK,CAAA;AACnE;AAfsBS;;;ACnOtB,IAAAI,OAAqB;AAErB,IAAM,EAAEC,YAAYC,UAAAA,UAAQ,IAAKC;AAE1B,SAASC,kBAAkBC,OAAeC,UAAiC;AAChF,SAAOJ,UAASD,WAAWI,OAAOC,YAAY,WAAA,GAAc,QAAA;AAC9D;AAFgBF;AAIT,SAASG,WAAWC,QAAc;AACvC,SAAOA,OAAOC,QAAQ,MAAM,EAAA,EAAIA,QAAQ,OAAO,GAAA,EAAKA,QAAQ,OAAO,GAAA;AACrE;AAFgBF;AAIT,SAASG,sBAAsBC,KAA6C;AACjF,SAAOJ,WAAWI,IAAIT,SAAS,QAAA,CAAA;AACjC;AAFgBQ;AAIT,SAASE,kBAAkBC,WAAiB;AACjD,QAAMC,aAAab,WAAWY,WAAW,WAAA;AACzC,SAAOX,UAASY,YAAY,OAAA;AAC9B;AAHgBF;;;APPhB,IAAAG,eAA6B;AATtB,IAAMC,cAAcC,0BAAQC;AAC5B,IAAMC,iBAAiBH,YAAYI,IAAI,yBAAA;","names":["import_ssi_types","SigningAlgo","defaultHasher","data","algorithm","shaHasher","toString","u8a","check","value","description","Error","calculateJwkThumbprint","jwk","digestAlgorithm","TypeError","algorithm","components","kty","crv","x","y","e","n","k","defaultHasher","JSON","stringify","getDigestAlgorithmFromJwkThumbprintUri","uri","match","calculateJwkThumbprintUri","thumbprint","slice","getDidJwtVerifier","jwt","options","type","header","kid","Error","alg","includes","method","didUrl","getIssuer","payload","client_id","iss","getX5cVerifier","x5c","Array","isArray","length","every","cert","issuer","getJwkVerifier","jwk","getJwtVerifierWithContext","startsWith","parseJWT","jwt","header","jwtDecode","payload","Error","DEFAULT_SKEW_TIME","getNowSkewed","now","skewTime","_now","epochTime","_skewTime","nowSkewedPast","nowSkewedFuture","Math","floor","Date","BASE64_URL_REGEX","isJws","jws","jwsParts","split","length","every","part","test","isJwe","jwe","jweParts","decodeProtectedHeader","decodeJwt","checkExp","input","exp","clockSkew","import_jwt_decode","u8a","toString","u8a","dpopTokenRequestNonceError","getCreateDPoPOptions","createDPoPClientOpts","endPointUrl","resourceRequestOpts","htu","split","jwtPayloadProps","htm","accessToken","createDPoP","options","createJwtCallback","jwtIssuer","dPoPSigningAlgValuesSupported","startsWith","Error","ath","defaultHasher","undefined","method","type","alg","jwk","header","typ","payload","iat","epochTime","jti","uuidv4","verifyDPoP","request","dpop","headers","dPoPHeader","dPoPPayload","parseJWT","d","acceptedAlgorithms","includes","join","expectedNonce","nonce","verificationResult","jwtVerifyCallback","raw","error","message","currentUri","fullUrl","nowSkewedPast","nowSkewedFuture","getNowSkewed","now","maxIatAgeInSeconds","authorizationHeader","authorization","expectAccessToken","replace","expectedAth","accessTokenPayload","jwtDecode","cnf","jkt","thumprint","calculateJwkThumbprint","verifyResourceDPoP","tokenPayload","tokenType","token_type","u8a","fromString","toString","u8a","base64ToHexString","input","encoding","fromBase64","base64","replace","base64urlEncodeBuffer","buf","base64urlToString","base64url","uint8array","import_uuid","VCI_LOGGERS","Loggers","DEFAULT","VCI_LOG_COMMON","get"]}

package/dist/index.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"sources":["../lib/index.ts","../lib/jwt/Jwt.types.ts","../lib/jwt/JwkThumbprint.ts","../lib/hasher.ts","../lib/jwt/JwtVerifier.ts","../lib/jwt/jwtUtils.ts","../lib/dpop/DPoP.ts","../lib/helpers/Encodings.ts"],"sourcesContent":["import { Loggers } from '@sphereon/ssi-types'\n\nexport const VCI_LOGGERS = Loggers.DEFAULT\nexport const VCI_LOG_COMMON = VCI_LOGGERS.get('sphereon:oid4vci:common')\n\nexport * from './types'\nexport * from './jwt'\nexport * from './dpop'\nexport * from './oauth'\nexport * from './helpers/Encodings'\n\nexport { v4 as uuidv4 } from 'uuid'\nexport { defaultHasher } from './hasher'\n","import { JwtHeader as jwtDecodeJwtHeader, JwtPayload as jwtDecodePayload } from 'jwt-decode'\n\nimport { JWK } from './Jwk.types'\n\nexport type JwtHeader = jwtDecodeJwtHeader & {\n alg?: string\n x5c?: string[]\n kid?: string\n jwk?: JWK\n jwt?: string\n} & Record<string, unknown>\n\nexport type JwtPayload = jwtDecodePayload & {\n client_id?: string\n nonce?: string\n request_uri?: string\n} & Record<string, unknown>\n\nexport enum SigningAlgo {\n EDDSA = 'EdDSA',\n RS256 = 'RS256',\n PS256 = 'PS256',\n ES256 = 'ES256',\n ES256K = 'ES256K',\n}\n","// eslint-disable-next-line @typescript-eslint/ban-ts-comment\n// @ts-ignore\nimport * as u8a from 'uint8arrays'\nconst { toString } = u8a\n\nimport { defaultHasher } from '../hasher'\nimport { DigestAlgorithm } from '../types'\n\nimport { JWK } from './Jwk.types'\n\nconst check = (value: unknown, description: string) => {\n if (typeof value !== 'string' \|\| !value) {\n throw Error(`${description} missing or invalid`)\n }\n}\n\nexport async function calculateJwkThumbprint(jwk: JWK, digestAlgorithm?: DigestAlgorithm): Promise<string> {\n if (!jwk \|\| typeof jwk !== 'object') {\n throw new TypeError('JWK must be an object')\n }\n const algorithm = digestAlgorithm ?? 'sha256'\n if (algorithm !== 'sha256' && algorithm !== 'sha384' && algorithm !== 'sha512') {\n throw new TypeError('digestAlgorithm must one of \"sha256\", \"sha384\", or \"sha512\"')\n }\n let components\n switch (jwk.kty) {\n case 'EC':\n check(jwk.crv, '\"crv\" (Curve) Parameter')\n check(jwk.x, '\"x\" (X Coordinate) Parameter')\n check(jwk.y, '\"y\" (Y Coordinate) Parameter')\n components = { crv: jwk.crv, kty: jwk.kty, x: jwk.x, y: jwk.y }\n break\n case 'OKP':\n check(jwk.crv, '\"crv\" (Subtype of Key Pair) Parameter')\n check(jwk.x, '\"x\" (Public Key) Parameter')\n components = { crv: jwk.crv, kty: jwk.kty, x: jwk.x }\n break\n case 'RSA':\n check(jwk.e, '\"e\" (Exponent) Parameter')\n check(jwk.n, '\"n\" (Modulus) Parameter')\n components = { e: jwk.e, kty: jwk.kty, n: jwk.n }\n break\n case 'oct':\n check(jwk.k, '\"k\" (Key Value) Parameter')\n components = { k: jwk.k, kty: jwk.kty }\n break\n default:\n throw Error('\"kty\" (Key Type) Parameter missing or unsupported')\n }\n return toString(defaultHasher(JSON.stringify(components), algorithm), 'base64url')\n}\n\nexport async function getDigestAlgorithmFromJwkThumbprintUri(uri: string): Promise<DigestAlgorithm> {\n const match = uri.match(/^urn:ietf:params:oauth:jwk-thumbprint:sha-(\\w+):/)\n if (!match) {\n throw new Error(`Invalid JWK thumbprint URI structure ${uri}`)\n }\n const algorithm = `sha${match[1]}` as DigestAlgorithm\n if (algorithm !== 'sha256' && algorithm !== 'sha384' && algorithm !== 'sha512') {\n throw new Error(`Invalid JWK thumbprint URI digest algorithm ${uri}`)\n }\n return algorithm\n}\n\nexport async function calculateJwkThumbprintUri(jwk: JWK, digestAlgorithm: DigestAlgorithm = 'sha256'): Promise<string> {\n const thumbprint = await calculateJwkThumbprint(jwk, digestAlgorithm)\n return `urn:ietf:params:oauth:jwk-thumbprint:sha-${digestAlgorithm.slice(-3)}:${thumbprint}`\n}\n","import { HasherSync, shaHasher } from '@sphereon/ssi-types'\n\nexport const defaultHasher: HasherSync = (data: string \| ArrayBuffer, algorithm: string) => {\n return shaHasher(data, algorithm)\n}\n","import { JWK } from './Jwk.types'\nimport { JwtHeader, JwtPayload, SigningAlgo } from './Jwt.types'\nimport { JwtProtectionMethod, JwtType } from './jwtUtils'\n\nexport interface JwtVerifierBase {\n type: JwtType\n method: JwtProtectionMethod\n}\n\nexport interface DidJwtVerifier extends JwtVerifierBase {\n method: 'did'\n\n alg: SigningAlgo \| string\n didUrl: string\n}\n\nexport interface X5cJwtVerifier extends JwtVerifierBase {\n method: 'x5c'\n\n alg: SigningAlgo \| string\n\n /*\n \n * Array of base64-encoded certificate strings in the DER-format.\n \n The certificate containing the public key corresponding to the key used to digitally sign the JWS MUST be the first certificate.\n /\n x5c: Array<string>\n\n /\n The jwt issuer\n /\n issuer: string\n}\n\nexport interface OpenIdFederationJwtVerifier extends JwtVerifierBase {\n method: 'openid-federation'\n\n /\n The OpenId federation Entity\n /\n entityId: string\n}\n\nexport interface JwkJwtVerifier extends JwtVerifierBase {\n method: 'jwk'\n alg: SigningAlgo \| string\n\n jwk: JWK\n}\n\nexport interface CustomJwtVerifier extends JwtVerifierBase {\n method: 'custom'\n}\n\nexport type JwtVerifier = DidJwtVerifier \| X5cJwtVerifier \| CustomJwtVerifier \| JwkJwtVerifier \| OpenIdFederationJwtVerifier\n\nexport const getDidJwtVerifier = (jwt: { header: JwtHeader; payload: JwtPayload }, options: { type: JwtType }): DidJwtVerifier => {\n const { type } = options\n if (!jwt.header.kid) throw new Error(`Received an invalid JWT. Missing kid header.`)\n if (!jwt.header.alg) throw new Error(`Received an invalid JWT. Missing alg header.`)\n\n if (!jwt.header.kid.includes('#')) {\n throw new Error(`Received an invalid JWT.. '${type}' contains an invalid kid header.`)\n }\n return { method: 'did', didUrl: jwt.header.kid, type: type, alg: jwt.header.alg }\n}\n\nconst getIssuer = (type: JwtType, payload: JwtPayload): string => {\n // For 'request-object' the `iss` value is not required so we map the issuer to client_id\n if (type === 'request-object') {\n if (!payload.client_id) {\n throw new Error('Missing required field client_id in request object JWT')\n }\n return payload.client_id as string\n }\n\n if (typeof payload.iss !== 'string') {\n throw new Error(`Received an invalid JWT. '${type}' contains an invalid iss claim or it is missing.`)\n }\n return payload.iss\n}\n\nexport const getX5cVerifier = (jwt: { header: JwtHeader; payload: JwtPayload }, options: { type: JwtType }): X5cJwtVerifier => {\n const { type } = options\n if (!jwt.header.x5c) throw new Error(`Received an invalid JWT. Missing x5c header.`)\n if (!jwt.header.alg) throw new Error(`Received an invalid JWT. Missing alg header.`)\n\n if (!Array.isArray(jwt.header.x5c) \|\| jwt.header.x5c.length === 0 \|\| !jwt.header.x5c.every((cert) => typeof cert === 'string')) {\n throw new Error(`Received an invalid JWT.. '${type}' contains an invalid x5c header.`)\n }\n\n return {\n method: 'x5c',\n x5c: jwt.header.x5c,\n issuer: getIssuer(type, jwt.payload),\n type: type,\n alg: jwt.header.alg,\n }\n}\n\nexport const getJwkVerifier = async (jwt: { header: JwtHeader; payload: JwtPayload }, options: { type: JwtType }): Promise<JwkJwtVerifier> => {\n const { type } = options\n if (!jwt.header.jwk) throw new Error(`Received an invalid JWT. Missing jwk header.`)\n if (!jwt.header.alg) throw new Error(`Received an invalid JWT. Missing alg header.`)\n\n if (typeof jwt.header.jwk !== 'object') {\n throw new Error(`Received an invalid JWT. '${type}' contains an invalid jwk header.`)\n }\n\n return { method: 'jwk', type, jwk: jwt.header.jwk, alg: jwt.header.alg }\n}\n\nexport const getJwtVerifierWithContext = async (\n jwt: { header: JwtHeader; payload: JwtPayload },\n options: { type: JwtType },\n): Promise<JwtVerifier> => {\n const { header, payload } = jwt\n\n if (header.kid?.startsWith('did:')) return getDidJwtVerifier({ header, payload }, options)\n else if (jwt.header.x5c) return getX5cVerifier({ header, payload }, options)\n else if (jwt.header.jwk) return getJwkVerifier({ header, payload }, options)\n\n return { method: 'custom', type: options.type }\n}\n\nexport type VerifyJwtCallbackBase<T extends JwtVerifier> = (\n jwtVerifier: T,\n jwt: { header: JwtHeader; payload: JwtPayload; raw: string },\n) => Promise<boolean>\n","import { jwtDecode } from 'jwt-decode'\n\nimport { JwtHeader, JwtPayload } from './Jwt.types'\n\nexport type JwtType = 'id-token' \| 'request-object' \| 'verifier-attestation' \| 'dpop'\n\nexport type JwtProtectionMethod = 'did' \| 'x5c' \| 'jwk' \| 'openid-federation' \| 'custom'\n\nexport function parseJWT<Header = JwtHeader, Payload = JwtPayload>(jwt: string) {\n const header = jwtDecode<Header>(jwt, { header: true })\n const payload = jwtDecode<Payload>(jwt, { header: false })\n\n if (!payload \|\| !header) {\n throw new Error('Jwt Payload and/or Header could not be parsed')\n }\n return { header, payload }\n}\n\n/\n The maximum allowed clock skew time in seconds. If an time based validation\n * is performed against current time (`now`), the validation can be of by the skew\n * time.\n \n See https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.5\n /\nconst DEFAULT_SKEW_TIME = 60\n\nexport function getNowSkewed(now?: number, skewTime?: number) {\n const _now = now ? now : epochTime()\n const _skewTime = skewTime ? skewTime : DEFAULT_SKEW_TIME\n\n return {\n nowSkewedPast: _now - _skewTime,\n nowSkewedFuture: _now + _skewTime,\n }\n}\n\n/\n Returns the current unix timestamp in seconds.\n /\nexport function epochTime() {\n return Math.floor(Date.now() / 1000)\n}\n\nexport const BASE64_URL_REGEX = /^([0-9a-zA-Z-_]{4})(([0-9a-zA-Z-_]{2}(==)?)\|([0-9a-zA-Z-_]{3}(=)?))?$/\n\nexport const isJws = (jws: string) => {\n const jwsParts = jws.split('.')\n return jwsParts.length === 3 && jwsParts.every((part) => BASE64_URL_REGEX.test(part))\n}\nexport const isJwe = (jwe: string) => {\n const jweParts = jwe.split('.')\n return jweParts.length === 5 && jweParts.every((part) => BASE64_URL_REGEX.test(part))\n}\n\nexport const decodeProtectedHeader = (jwt: string) => {\n return jwtDecode(jwt, { header: true })\n}\n\nexport const decodeJwt = (jwt: string): JwtPayload => {\n return jwtDecode(jwt, { header: false })\n}\n\nexport const checkExp = (input: {\n exp: number\n now?: number // The number of milliseconds elapsed since midnight, January 1, 1970 Universal Coordinated Time (UTC).\n clockSkew?: number\n}) => {\n const { exp, now, clockSkew } = input\n return exp < (now ?? Date.now() / 1000) - (clockSkew ?? 120)\n}\n","import { jwtDecode } from 'jwt-decode'\n// eslint-disable-next-line @typescript-eslint/ban-ts-comment\n// @ts-ignore\nimport * as u8a from 'uint8arrays'\nconst { toString } = u8a\n\nimport { v4 as uuidv4 } from 'uuid'\n\nimport { defaultHasher } from '../hasher'\nimport {\n calculateJwkThumbprint,\n CreateJwtCallback,\n epochTime,\n getNowSkewed,\n JWK,\n JwtHeader,\n JwtIssuerJwk,\n JwtPayload,\n parseJWT,\n SigningAlgo,\n VerifyJwtCallbackBase,\n} from '../jwt'\n\nexport const dpopTokenRequestNonceError = 'use_dpop_nonce'\n\nexport interface DPoPJwtIssuerWithContext extends JwtIssuerJwk {\n type: 'dpop'\n dPoPSigningAlgValuesSupported?: string[]\n}\n\nexport type DPoPJwtPayloadProps = {\n htu: string\n iat: number\n htm: 'GET' \| 'POST' \| 'PUT' \| 'DELETE' \| 'HEAD' \| 'OPTIONS' \| 'TRACE' \| 'CONNECT' \| 'PATCH'\n ath?: string\n nonce?: string\n jti: string\n}\nexport type DPoPJwtHeaderProps = { typ: 'dpop+jwt'; alg: SigningAlgo; jwk: JWK }\nexport type CreateDPoPJwtPayloadProps = Omit<DPoPJwtPayloadProps, 'iat' \| 'jti' \| 'ath'> & { accessToken?: string }\n\nexport interface CreateDPoPOpts<JwtPayloadProps = CreateDPoPJwtPayloadProps> {\n createJwtCallback: CreateJwtCallback<DPoPJwtIssuerWithContext>\n jwtIssuer: Omit<JwtIssuerJwk, 'method' \| 'type'>\n jwtPayloadProps: Record<string, unknown> & JwtPayloadProps\n dPoPSigningAlgValuesSupported?: (string \| SigningAlgo)[]\n}\n\nexport type CreateDPoPClientOpts = CreateDPoPOpts<Omit<CreateDPoPJwtPayloadProps, 'htm' \| 'htu'>>\n\nexport function getCreateDPoPOptions(\n createDPoPClientOpts: CreateDPoPClientOpts,\n endPointUrl: string,\n resourceRequestOpts?: { accessToken: string },\n): CreateDPoPOpts {\n const htu = endPointUrl.split('?')[0].split('#')[0]\n return {\n ...createDPoPClientOpts,\n jwtPayloadProps: {\n ...createDPoPClientOpts.jwtPayloadProps,\n htu,\n htm: 'POST',\n ...(resourceRequestOpts && { accessToken: resourceRequestOpts.accessToken }),\n },\n }\n}\n\nexport async function createDPoP(options: CreateDPoPOpts): Promise<string> {\n const { createJwtCallback, jwtIssuer, jwtPayloadProps, dPoPSigningAlgValuesSupported } = options\n\n if (jwtPayloadProps.accessToken && (jwtPayloadProps.accessToken?.startsWith('DPoP ') \|\| jwtPayloadProps.accessToken?.startsWith('Bearer '))) {\n throw new Error('expected access token without scheme')\n }\n\n const ath = jwtPayloadProps.accessToken ? toString(defaultHasher(jwtPayloadProps.accessToken, 'sha256'), 'base64url') : undefined\n return createJwtCallback(\n { method: 'jwk', type: 'dpop', alg: jwtIssuer.alg, jwk: jwtIssuer.jwk, dPoPSigningAlgValuesSupported },\n {\n header: { ...jwtIssuer, typ: 'dpop+jwt', alg: jwtIssuer.alg, jwk: jwtIssuer.jwk },\n payload: {\n ...jwtPayloadProps,\n iat: epochTime(),\n jti: uuidv4(),\n ...(ath && { ath }),\n },\n },\n )\n}\n\nexport type DPoPVerifyJwtCallback = VerifyJwtCallbackBase<JwtIssuerJwk & { type: 'dpop' }>\nexport interface DPoPVerifyOptions {\n expectedNonce?: string\n acceptedAlgorithms?: (string \| SigningAlgo)[]\n // defaults to 300 seconds (5 minutes)\n maxIatAgeInSeconds?: number\n expectAccessToken?: boolean\n jwtVerifyCallback: DPoPVerifyJwtCallback\n now?: number\n}\n\nexport async function verifyDPoP(\n request: { headers: Record<string, string \| string[] \| undefined>; fullUrl: string } & Pick<Request, 'method'>,\n options: DPoPVerifyOptions,\n) {\n // There is not more than one DPoP HTTP request header field.\n const dpop = request.headers['dpop']\n if (!dpop \|\| typeof dpop !== 'string') {\n throw new Error('missing or invalid dpop header. Expected compact JWT')\n }\n\n // The DPoP HTTP request header field value is a single and well-formed JWT.\n const { header: dPoPHeader, payload: dPoPPayload } = parseJWT<JwtHeader, JwtPayload & Partial<DPoPJwtPayloadProps>>(dpop)\n\n // Ensure all required header claims are present\n if (dPoPHeader.typ !== 'dpop+jwt' \|\| !dPoPHeader.alg \|\| !dPoPHeader.jwk \|\| typeof dPoPHeader.jwk !== 'object' \|\| dPoPHeader.jwk.d) {\n throw new Error('invalid_dpop_proof. Invalid header claims')\n }\n\n // Ensure all required payload claims are present\n if (!dPoPPayload.htm \|\| !dPoPPayload.htu \|\| !dPoPPayload.iat \|\| !dPoPPayload.jti) {\n throw new Error('invalid_dpop_proof. Missing required claims')\n }\n\n // Validate alg is supported\n if (options?.acceptedAlgorithms && !options.acceptedAlgorithms.includes(dPoPHeader.alg)) {\n throw new Error(`invalid_dpop_proof. Invalid 'alg' claim '${dPoPHeader.alg}'. Only ${options.acceptedAlgorithms.join(', ')} are supported.`)\n }\n\n // Validate nonce if provided\n if ((options?.expectedNonce && !dPoPPayload.nonce) \|\| dPoPPayload.nonce !== options.expectedNonce) {\n throw new Error('invalid_dpop_proof. Nonce mismatch')\n }\n\n // Verify JWT signature\n try {\n const verificationResult = await options.jwtVerifyCallback(\n {\n method: 'jwk',\n type: 'dpop',\n jwk: dPoPHeader.jwk,\n alg: dPoPHeader.alg,\n },\n {\n header: dPoPHeader,\n payload: dPoPPayload,\n raw: dpop,\n },\n )\n\n if (!verificationResult) {\n throw new Error('invalid_dpop_proof. Invalid JWT signature')\n }\n } catch (error: unknown) {\n throw new Error('invalid_dpop_proof. Invalid JWT signature. ' + (error instanceof Error ? error.message : 'Unknown error'))\n }\n\n // Validate htm claim\n if (dPoPPayload.htm !== request.method) {\n throw new Error(`invalid_dpop_proof. Invalid htm claim. Must match request method '${request.method}'`)\n }\n\n // The htu claim matches the HTTP URI value for the HTTP request in which the JWT was received, ignoring any query and fragment parts.\n const currentUri = request.fullUrl.split('?')[0].split('#')[0]\n if (dPoPPayload.htu !== currentUri) {\n throw new Error('invalid_dpop_proof. Invalid htu claim')\n }\n\n // Validate nonce if provided\n if ((options.expectedNonce && dPoPPayload.nonce !== options.expectedNonce) \|\| (!options.expectedNonce && dPoPPayload.nonce)) {\n throw new Error('invalid_dpop_proof. Nonce mismatch')\n }\n\n // Validate iat claim\n const { nowSkewedPast, nowSkewedFuture } = getNowSkewed(options.now)\n if (\n // iat claim is too far in the future\n nowSkewedPast - (options.maxIatAgeInSeconds ?? 60) > dPoPPayload.iat \|\|\n // iat claim is too old\n nowSkewedFuture + (options.maxIatAgeInSeconds ?? 60) < dPoPPayload.iat\n ) {\n // 5 minute window\n throw new Error('invalid_dpop_proof. Invalid iat claim')\n }\n\n // If access token is present, validate ath claim\n const authorizationHeader = request.headers.authorization\n if (!options.expectAccessToken && authorizationHeader) {\n throw new Error('invalid_dpop_proof. Received an unexpected authorization header.')\n }\n\n if (options.expectAccessToken) {\n if (!dPoPPayload.ath) {\n throw new Error('invalid_dpop_proof. Missing expected ath claim.')\n }\n\n // validate that the DPOP proof is made for the provided access token\n if (!authorizationHeader \|\| typeof authorizationHeader !== 'string' \|\| !authorizationHeader.startsWith('DPoP ')) {\n throw new Error('invalid_dpop_proof. Invalid authorization header.')\n }\n\n const accessToken = authorizationHeader.replace('DPoP ', '')\n const expectedAth = toString(defaultHasher(accessToken, 'sha256'), 'base64url')\n if (dPoPPayload.ath !== expectedAth) {\n throw new Error('invalid_dpop_proof. Invalid ath claim')\n }\n\n // validate that the access token is signed with the same key as the DPOP proof\n const accessTokenPayload = jwtDecode<JwtPayload & { cnf?: { jkt?: string } }>(accessToken, { header: false })\n if (!accessTokenPayload.cnf?.jkt) {\n throw new Error('invalid_dpop_proof. Access token is missing the jkt claim')\n }\n\n const thumprint = await calculateJwkThumbprint(dPoPHeader.jwk, 'sha256')\n if (accessTokenPayload.cnf?.jkt !== thumprint) {\n throw new Error('invalid_dpop_proof. JwkThumbprint mismatch')\n }\n }\n\n // If all validations pass, return the dpop jwk\n return dPoPHeader.jwk\n}\n\n/*\n DPoP verifications for resource requests\n * For Bearer token compatibility jwt's must have a token_type claim\n * The access token itself must be validated before using this method\n * If the token_type is not DPoP, then the request is not a DPoP request\n * and we don't need to verify the DPoP proof\n /\nexport async function verifyResourceDPoP(\n request: { headers: Record<string, string \| string[] \| undefined>; fullUrl: string } & Pick<Request, 'method'>,\n options: Omit<DPoPVerifyOptions, 'expectAccessToken'>,\n) {\n if (!request.headers.authorization \|\| typeof request.headers.authorization !== 'string') {\n throw new Error('Received an invalid resource request. Missing authorization header.')\n }\n const tokenPayload = jwtDecode<JwtPayload & { token_type?: string }>(request.headers.authorization, { header: false })\n const tokenType = tokenPayload.token_type\n\n if (tokenType !== 'DPoP') {\n return\n }\n\n return verifyDPoP(request, { ...options, expectAccessToken: true })\n}\n","// eslint-disable-next-line @typescript-eslint/ban-ts-comment\n// @ts-ignore\nimport as u8a from 'uint8arrays'\n\nconst { fromString, toString } = u8a\n\nexport function base64ToHexString(input: string, encoding?: 'base64url' \| 'base64'): string {\n return toString(fromString(input, encoding ?? 'base64url'), 'base16')\n}\n\nexport function fromBase64(base64: string): string {\n return base64.replace(/=/g, '').replace(/\\+/g, '-').replace(/\\//g, '_')\n}\n\nexport function base64urlEncodeBuffer(buf: { toString: (arg0: 'base64') => string }): string {\n return fromBase64(buf.toString('base64'))\n}\n\nexport function base64urlToString(base64url: string): string {\n const uint8array = fromString(base64url, 'base64url')\n return toString(uint8array, 'ascii')\n}\n"],"mappings":";;;;AAAA,SAASA,eAAe;;;ACkBjB,IAAKC,cAAAA,0BAAAA,cAAAA;;;;;;SAAAA;;;;AChBZ,YAAYC,SAAS;;;ACFrB,SAAqBC,iBAAiB;AAE/B,IAAMC,gBAA4B,wBAACC,MAA4BC,cAAAA;AACpE,SAAOC,UAAUF,MAAMC,SAAAA;AACzB,GAFyC;;;ADCzC,IAAM,EAAEE,SAAQ,IAAKC;AAOrB,IAAMC,QAAQ,wBAACC,OAAgBC,gBAAAA;AAC7B,MAAI,OAAOD,UAAU,YAAY,CAACA,OAAO;AACvC,UAAME,MAAM,GAAGD,WAAAA,qBAAgC;EACjD;AACF,GAJc;AAMd,eAAsBE,uBAAuBC,KAAUC,iBAAiC;AACtF,MAAI,CAACD,OAAO,OAAOA,QAAQ,UAAU;AACnC,UAAM,IAAIE,UAAU,uBAAA;EACtB;AACA,QAAMC,YAAYF,mBAAmB;AACrC,MAAIE,cAAc,YAAYA,cAAc,YAAYA,cAAc,UAAU;AAC9E,UAAM,IAAID,UAAU,6DAAA;EACtB;AACA,MAAIE;AACJ,UAAQJ,IAAIK,KAAG;IACb,KAAK;AACHV,YAAMK,IAAIM,KAAK,yBAAA;AACfX,YAAMK,IAAIO,GAAG,8BAAA;AACbZ,YAAMK,IAAIQ,GAAG,8BAAA;AACbJ,mBAAa;QAAEE,KAAKN,IAAIM;QAAKD,KAAKL,IAAIK;QAAKE,GAAGP,IAAIO;QAAGC,GAAGR,IAAIQ;MAAE;AAC9D;IACF,KAAK;AACHb,YAAMK,IAAIM,KAAK,uCAAA;AACfX,YAAMK,IAAIO,GAAG,4BAAA;AACbH,mBAAa;QAAEE,KAAKN,IAAIM;QAAKD,KAAKL,IAAIK;QAAKE,GAAGP,IAAIO;MAAE;AACpD;IACF,KAAK;AACHZ,YAAMK,IAAIS,GAAG,0BAAA;AACbd,YAAMK,IAAIU,GAAG,yBAAA;AACbN,mBAAa;QAAEK,GAAGT,IAAIS;QAAGJ,KAAKL,IAAIK;QAAKK,GAAGV,IAAIU;MAAE;AAChD;IACF,KAAK;AACHf,YAAMK,IAAIW,GAAG,2BAAA;AACbP,mBAAa;QAAEO,GAAGX,IAAIW;QAAGN,KAAKL,IAAIK;MAAI;AACtC;IACF;AACE,YAAMP,MAAM,mDAAA;EAChB;AACA,SAAOL,SAASmB,cAAcC,KAAKC,UAAUV,UAAAA,GAAaD,SAAAA,GAAY,WAAA;AACxE;AAlCsBJ;AAoCtB,eAAsBgB,uCAAuCC,KAAW;AACtE,QAAMC,QAAQD,IAAIC,MAAM,kDAAA;AACxB,MAAI,CAACA,OAAO;AACV,UAAM,IAAInB,MAAM,wCAAwCkB,GAAAA,EAAK;EAC/D;AACA,QAAMb,YAAY,MAAMc,MAAM,CAAA,CAAE;AAChC,MAAId,cAAc,YAAYA,cAAc,YAAYA,cAAc,UAAU;AAC9E,UAAM,IAAIL,MAAM,+CAA+CkB,GAAAA,EAAK;EACtE;AACA,SAAOb;AACT;AAVsBY;AAYtB,eAAsBG,0BAA0BlB,KAAUC,kBAAmC,UAAQ;AACnG,QAAMkB,aAAa,MAAMpB,uBAAuBC,KAAKC,eAAAA;AACrD,SAAO,4CAA4CA,gBAAgBmB,MAAM,EAAC,CAAA,IAAMD,UAAAA;AAClF;AAHsBD;;;AEPf,IAAMG,oBAAoB,wBAACC,KAAiDC,YAAAA;AACjF,QAAM,EAAEC,KAAI,IAAKD;AACjB,MAAI,CAACD,IAAIG,OAAOC,IAAK,OAAM,IAAIC,MAAM,8CAA8C;AACnF,MAAI,CAACL,IAAIG,OAAOG,IAAK,OAAM,IAAID,MAAM,8CAA8C;AAEnF,MAAI,CAACL,IAAIG,OAAOC,IAAIG,SAAS,GAAA,GAAM;AACjC,UAAM,IAAIF,MAAM,8BAA8BH,IAAAA,mCAAuC;EACvF;AACA,SAAO;IAAEM,QAAQ;IAAOC,QAAQT,IAAIG,OAAOC;IAAKF;IAAYI,KAAKN,IAAIG,OAAOG;EAAI;AAClF,GATiC;AAWjC,IAAMI,YAAY,wBAACR,MAAeS,YAAAA;AAEhC,MAAIT,SAAS,kBAAkB;AAC7B,QAAI,CAACS,QAAQC,WAAW;AACtB,YAAM,IAAIP,MAAM,wDAAA;IAClB;AACA,WAAOM,QAAQC;EACjB;AAEA,MAAI,OAAOD,QAAQE,QAAQ,UAAU;AACnC,UAAM,IAAIR,MAAM,6BAA6BH,IAAAA,mDAAuD;EACtG;AACA,SAAOS,QAAQE;AACjB,GAbkB;AAeX,IAAMC,iBAAiB,wBAACd,KAAiDC,YAAAA;AAC9E,QAAM,EAAEC,KAAI,IAAKD;AACjB,MAAI,CAACD,IAAIG,OAAOY,IAAK,OAAM,IAAIV,MAAM,8CAA8C;AACnF,MAAI,CAACL,IAAIG,OAAOG,IAAK,OAAM,IAAID,MAAM,8CAA8C;AAEnF,MAAI,CAACW,MAAMC,QAAQjB,IAAIG,OAAOY,GAAG,KAAKf,IAAIG,OAAOY,IAAIG,WAAW,KAAK,CAAClB,IAAIG,OAAOY,IAAII,MAAM,CAACC,SAAS,OAAOA,SAAS,QAAA,GAAW;AAC9H,UAAM,IAAIf,MAAM,8BAA8BH,IAAAA,mCAAuC;EACvF;AAEA,SAAO;IACLM,QAAQ;IACRO,KAAKf,IAAIG,OAAOY;IAChBM,QAAQX,UAAUR,MAAMF,IAAIW,OAAO;IACnCT;IACAI,KAAKN,IAAIG,OAAOG;EAClB;AACF,GAhB8B;AAkBvB,IAAMgB,iBAAiB,8BAAOtB,KAAiDC,YAAAA;AACpF,QAAM,EAAEC,KAAI,IAAKD;AACjB,MAAI,CAACD,IAAIG,OAAOoB,IAAK,OAAM,IAAIlB,MAAM,+CAA+C;AACpF,MAAI,CAACL,IAAIG,OAAOG,IAAK,OAAM,IAAID,MAAM,8CAA8C;AAEnF,MAAI,OAAOL,IAAIG,OAAOoB,QAAQ,UAAU;AACtC,UAAM,IAAIlB,MAAM,6BAA6BH,IAAAA,mCAAuC;EACtF;AAEA,SAAO;IAAEM,QAAQ;IAAON;IAAMqB,KAAKvB,IAAIG,OAAOoB;IAAKjB,KAAKN,IAAIG,OAAOG;EAAI;AACzE,GAV8B;AAYvB,IAAMkB,4BAA4B,8BACvCxB,KACAC,YAAAA;AAEA,QAAM,EAAEE,QAAQQ,QAAO,IAAKX;AAE5B,MAAIG,OAAOC,KAAKqB,WAAW,MAAA,EAAS,QAAO1B,kBAAkB;IAAEI;IAAQQ;EAAQ,GAAGV,OAAAA;WACzED,IAAIG,OAAOY,IAAK,QAAOD,eAAe;IAAEX;IAAQQ;EAAQ,GAAGV,OAAAA;WAC3DD,IAAIG,OAAOoB,IAAK,QAAOD,eAAe;IAAEnB;IAAQQ;EAAQ,GAAGV,OAAAA;AAEpE,SAAO;IAAEO,QAAQ;IAAUN,MAAMD,QAAQC;EAAK;AAChD,GAXyC;;;ACjHzC,SAASwB,iBAAiB;AAQnB,SAASC,SAAmDC,KAAW;AAC5E,QAAMC,SAASC,UAAkBF,KAAK;IAAEC,QAAQ;EAAK,CAAA;AACrD,QAAME,UAAUD,UAAmBF,KAAK;IAAEC,QAAQ;EAAM,CAAA;AAExD,MAAI,CAACE,WAAW,CAACF,QAAQ;AACvB,UAAM,IAAIG,MAAM,+CAAA;EAClB;AACA,SAAO;IAAEH;IAAQE;EAAQ;AAC3B;AARgBJ;AAiBhB,IAAMM,oBAAoB;AAEnB,SAASC,aAAaC,KAAcC,UAAiB;AAC1D,QAAMC,OAAOF,MAAMA,MAAMG,UAAAA;AACzB,QAAMC,YAAYH,WAAWA,WAAWH;AAExC,SAAO;IACLO,eAAeH,OAAOE;IACtBE,iBAAiBJ,OAAOE;EAC1B;AACF;AARgBL;AAaT,SAASI,YAAAA;AACd,SAAOI,KAAKC,MAAMC,KAAKT,IAAG,IAAK,GAAA;AACjC;AAFgBG;AAIT,IAAMO,mBAAmB;AAEzB,IAAMC,QAAQ,wBAACC,QAAAA;AACpB,QAAMC,WAAWD,IAAIE,MAAM,GAAA;AAC3B,SAAOD,SAASE,WAAW,KAAKF,SAASG,MAAM,CAACC,SAASP,iBAAiBQ,KAAKD,IAAAA,CAAAA;AACjF,GAHqB;AAId,IAAME,QAAQ,wBAACC,QAAAA;AACpB,QAAMC,WAAWD,IAAIN,MAAM,GAAA;AAC3B,SAAOO,SAASN,WAAW,KAAKM,SAASL,MAAM,CAACC,SAASP,iBAAiBQ,KAAKD,IAAAA,CAAAA;AACjF,GAHqB;AAKd,IAAMK,wBAAwB,wBAAC7B,QAAAA;AACpC,SAAOE,UAAUF,KAAK;IAAEC,QAAQ;EAAK,CAAA;AACvC,GAFqC;AAI9B,IAAM6B,YAAY,wBAAC9B,QAAAA;AACxB,SAAOE,UAAUF,KAAK;IAAEC,QAAQ;EAAM,CAAA;AACxC,GAFyB;AAIlB,IAAM8B,WAAW,wBAACC,UAAAA;AAKvB,QAAM,EAAEC,KAAK1B,KAAK2B,UAAS,IAAKF;AAChC,SAAOC,OAAO1B,OAAOS,KAAKT,IAAG,IAAK,QAAS2B,aAAa;AAC1D,GAPwB;;;AC/DxB,SAASC,aAAAA,kBAAiB;AAG1B,YAAYC,UAAS;AAGrB,SAASC,MAAMC,cAAc;AAF7B,IAAM,EAAEC,UAAAA,UAAQ,IAAKC;AAmBd,IAAMC,6BAA6B;AA2BnC,SAASC,qBACdC,sBACAC,aACAC,qBAA6C;AAE7C,QAAMC,MAAMF,YAAYG,MAAM,GAAA,EAAK,CAAA,EAAGA,MAAM,GAAA,EAAK,CAAA;AACjD,SAAO;IACL,GAAGJ;IACHK,iBAAiB;MACf,GAAGL,qBAAqBK;MACxBF;MACAG,KAAK;MACL,GAAIJ,uBAAuB;QAAEK,aAAaL,oBAAoBK;MAAY;IAC5E;EACF;AACF;AAfgBR;AAiBhB,eAAsBS,WAAWC,SAAuB;AACtD,QAAM,EAAEC,mBAAmBC,WAAWN,iBAAiBO,8BAA6B,IAAKH;AAEzF,MAAIJ,gBAAgBE,gBAAgBF,gBAAgBE,aAAaM,WAAW,OAAA,KAAYR,gBAAgBE,aAAaM,WAAW,SAAA,IAAa;AAC3I,UAAM,IAAIC,MAAM,sCAAA;EAClB;AAEA,QAAMC,MAAMV,gBAAgBE,cAAcX,UAASoB,cAAcX,gBAAgBE,aAAa,QAAA,GAAW,WAAA,IAAeU;AACxH,SAAOP,kBACL;IAAEQ,QAAQ;IAAOC,MAAM;IAAQC,KAAKT,UAAUS;IAAKC,KAAKV,UAAUU;IAAKT;EAA8B,GACrG;IACEU,QAAQ;MAAE,GAAGX;MAAWY,KAAK;MAAYH,KAAKT,UAAUS;MAAKC,KAAKV,UAAUU;IAAI;IAChFG,SAAS;MACP,GAAGnB;MACHoB,KAAKC,UAAAA;MACLC,KAAKC,OAAAA;MACL,GAAIb,OAAO;QAAEA;MAAI;IACnB;EACF,CAAA;AAEJ;AApBsBP;AAiCtB,eAAsBqB,WACpBC,SACArB,SAA0B;AAG1B,QAAMsB,OAAOD,QAAQE,QAAQ,MAAA;AAC7B,MAAI,CAACD,QAAQ,OAAOA,SAAS,UAAU;AACrC,UAAM,IAAIjB,MAAM,sDAAA;EAClB;AAGA,QAAM,EAAEQ,QAAQW,YAAYT,SAASU,YAAW,IAAKC,SAA+DJ,IAAAA;AAGpH,MAAIE,WAAWV,QAAQ,cAAc,CAACU,WAAWb,OAAO,CAACa,WAAWZ,OAAO,OAAOY,WAAWZ,QAAQ,YAAYY,WAAWZ,IAAIe,GAAG;AACjI,UAAM,IAAItB,MAAM,2CAAA;EAClB;AAGA,MAAI,CAACoB,YAAY5B,OAAO,CAAC4B,YAAY/B,OAAO,CAAC+B,YAAYT,OAAO,CAACS,YAAYP,KAAK;AAChF,UAAM,IAAIb,MAAM,6CAAA;EAClB;AAGA,MAAIL,SAAS4B,sBAAsB,CAAC5B,QAAQ4B,mBAAmBC,SAASL,WAAWb,GAAG,GAAG;AACvF,UAAM,IAAIN,MAAM,4CAA4CmB,WAAWb,GAAG,WAAWX,QAAQ4B,mBAAmBE,KAAK,IAAA,CAAA,iBAAsB;EAC7I;AAGA,MAAK9B,SAAS+B,iBAAiB,CAACN,YAAYO,SAAUP,YAAYO,UAAUhC,QAAQ+B,eAAe;AACjG,UAAM,IAAI1B,MAAM,oCAAA;EAClB;AAGA,MAAI;AACF,UAAM4B,qBAAqB,MAAMjC,QAAQkC,kBACvC;MACEzB,QAAQ;MACRC,MAAM;MACNE,KAAKY,WAAWZ;MAChBD,KAAKa,WAAWb;IAClB,GACA;MACEE,QAAQW;MACRT,SAASU;MACTU,KAAKb;IACP,CAAA;AAGF,QAAI,CAACW,oBAAoB;AACvB,YAAM,IAAI5B,MAAM,2CAAA;IAClB;EACF,SAAS+B,OAAgB;AACvB,UAAM,IAAI/B,MAAM,iDAAiD+B,iBAAiB/B,QAAQ+B,MAAMC,UAAU,gBAAc;EAC1H;AAGA,MAAIZ,YAAY5B,QAAQwB,QAAQZ,QAAQ;AACtC,UAAM,IAAIJ,MAAM,qEAAqEgB,QAAQZ,MAAM,GAAG;EACxG;AAGA,QAAM6B,aAAajB,QAAQkB,QAAQ5C,MAAM,GAAA,EAAK,CAAA,EAAGA,MAAM,GAAA,EAAK,CAAA;AAC5D,MAAI8B,YAAY/B,QAAQ4C,YAAY;AAClC,UAAM,IAAIjC,MAAM,uCAAA;EAClB;AAGA,MAAKL,QAAQ+B,iBAAiBN,YAAYO,UAAUhC,QAAQ+B,iBAAmB,CAAC/B,QAAQ+B,iBAAiBN,YAAYO,OAAQ;AAC3H,UAAM,IAAI3B,MAAM,oCAAA;EAClB;AAGA,QAAM,EAAEmC,eAAeC,gBAAe,IAAKC,aAAa1C,QAAQ2C,GAAG;AACnE;;IAEEH,iBAAiBxC,QAAQ4C,sBAAsB,MAAMnB,YAAYT;IAEjEyB,mBAAmBzC,QAAQ4C,sBAAsB,MAAMnB,YAAYT;IACnE;AAEA,UAAM,IAAIX,MAAM,uCAAA;EAClB;AAGA,QAAMwC,sBAAsBxB,QAAQE,QAAQuB;AAC5C,MAAI,CAAC9C,QAAQ+C,qBAAqBF,qBAAqB;AACrD,UAAM,IAAIxC,MAAM,kEAAA;EAClB;AAEA,MAAIL,QAAQ+C,mBAAmB;AAC7B,QAAI,CAACtB,YAAYnB,KAAK;AACpB,YAAM,IAAID,MAAM,iDAAA;IAClB;AAGA,QAAI,CAACwC,uBAAuB,OAAOA,wBAAwB,YAAY,CAACA,oBAAoBzC,WAAW,OAAA,GAAU;AAC/G,YAAM,IAAIC,MAAM,mDAAA;IAClB;AAEA,UAAMP,cAAc+C,oBAAoBG,QAAQ,SAAS,EAAA;AACzD,UAAMC,cAAc9D,UAASoB,cAAcT,aAAa,QAAA,GAAW,WAAA;AACnE,QAAI2B,YAAYnB,QAAQ2C,aAAa;AACnC,YAAM,IAAI5C,MAAM,uCAAA;IAClB;AAGA,UAAM6C,qBAAqBC,WAAmDrD,aAAa;MAAEe,QAAQ;IAAM,CAAA;AAC3G,QAAI,CAACqC,mBAAmBE,KAAKC,KAAK;AAChC,YAAM,IAAIhD,MAAM,2DAAA;IAClB;AAEA,UAAMiD,YAAY,MAAMC,uBAAuB/B,WAAWZ,KAAK,QAAA;AAC/D,QAAIsC,mBAAmBE,KAAKC,QAAQC,WAAW;AAC7C,YAAM,IAAIjD,MAAM,4CAAA;IAClB;EACF;AAGA,SAAOmB,WAAWZ;AACpB;AAxHsBQ;AAiItB,eAAsBoC,mBACpBnC,SACArB,SAAqD;AAErD,MAAI,CAACqB,QAAQE,QAAQuB,iBAAiB,OAAOzB,QAAQE,QAAQuB,kBAAkB,UAAU;AACvF,UAAM,IAAIzC,MAAM,qEAAA;EAClB;AACA,QAAMoD,eAAeN,WAAgD9B,QAAQE,QAAQuB,eAAe;IAAEjC,QAAQ;EAAM,CAAA;AACpH,QAAM6C,YAAYD,aAAaE;AAE/B,MAAID,cAAc,QAAQ;AACxB;EACF;AAEA,SAAOtC,WAAWC,SAAS;IAAE,GAAGrB;IAAS+C,mBAAmB;EAAK,CAAA;AACnE;AAfsBS;;;ACnOtB,YAAYI,UAAS;AAErB,IAAM,EAAEC,YAAYC,UAAAA,UAAQ,IAAKC;AAE1B,SAASC,kBAAkBC,OAAeC,UAAiC;AAChF,SAAOJ,UAASD,WAAWI,OAAOC,YAAY,WAAA,GAAc,QAAA;AAC9D;AAFgBF;AAIT,SAASG,WAAWC,QAAc;AACvC,SAAOA,OAAOC,QAAQ,MAAM,EAAA,EAAIA,QAAQ,OAAO,GAAA,EAAKA,QAAQ,OAAO,GAAA;AACrE;AAFgBF;AAIT,SAASG,sBAAsBC,KAA6C;AACjF,SAAOJ,WAAWI,IAAIT,SAAS,QAAA,CAAA;AACjC;AAFgBQ;AAIT,SAASE,kBAAkBC,WAAiB;AACjD,QAAMC,aAAab,WAAWY,WAAW,WAAA;AACzC,SAAOX,UAASY,YAAY,OAAA;AAC9B;AAHgBF;;;APPhB,SAAeG,UAAc;AATtB,IAAMC,cAAcC,QAAQC;AAC5B,IAAMC,iBAAiBH,YAAYI,IAAI,yBAAA;","names":["Loggers","SigningAlgo","u8a","shaHasher","defaultHasher","data","algorithm","shaHasher","toString","u8a","check","value","description","Error","calculateJwkThumbprint","jwk","digestAlgorithm","TypeError","algorithm","components","kty","crv","x","y","e","n","k","defaultHasher","JSON","stringify","getDigestAlgorithmFromJwkThumbprintUri","uri","match","calculateJwkThumbprintUri","thumbprint","slice","getDidJwtVerifier","jwt","options","type","header","kid","Error","alg","includes","method","didUrl","getIssuer","payload","client_id","iss","getX5cVerifier","x5c","Array","isArray","length","every","cert","issuer","getJwkVerifier","jwk","getJwtVerifierWithContext","startsWith","jwtDecode","parseJWT","jwt","header","jwtDecode","payload","Error","DEFAULT_SKEW_TIME","getNowSkewed","now","skewTime","_now","epochTime","_skewTime","nowSkewedPast","nowSkewedFuture","Math","floor","Date","BASE64_URL_REGEX","isJws","jws","jwsParts","split","length","every","part","test","isJwe","jwe","jweParts","decodeProtectedHeader","decodeJwt","checkExp","input","exp","clockSkew","jwtDecode","u8a","v4","uuidv4","toString","u8a","dpopTokenRequestNonceError","getCreateDPoPOptions","createDPoPClientOpts","endPointUrl","resourceRequestOpts","htu","split","jwtPayloadProps","htm","accessToken","createDPoP","options","createJwtCallback","jwtIssuer","dPoPSigningAlgValuesSupported","startsWith","Error","ath","defaultHasher","undefined","method","type","alg","jwk","header","typ","payload","iat","epochTime","jti","uuidv4","verifyDPoP","request","dpop","headers","dPoPHeader","dPoPPayload","parseJWT","d","acceptedAlgorithms","includes","join","expectedNonce","nonce","verificationResult","jwtVerifyCallback","raw","error","message","currentUri","fullUrl","nowSkewedPast","nowSkewedFuture","getNowSkewed","now","maxIatAgeInSeconds","authorizationHeader","authorization","expectAccessToken","replace","expectedAth","accessTokenPayload","jwtDecode","cnf","jkt","thumprint","calculateJwkThumbprint","verifyResourceDPoP","tokenPayload","tokenType","token_type","u8a","fromString","toString","u8a","base64ToHexString","input","encoding","fromBase64","base64","replace","base64urlEncodeBuffer","buf","base64urlToString","base64url","uint8array","uuidv4","VCI_LOGGERS","Loggers","DEFAULT","VCI_LOG_COMMON","get"]}
1	+ {"version":3,"sources":["../lib/index.ts","../lib/jwt/Jwt.types.ts","../lib/jwt/JwkThumbprint.ts","../lib/hasher.ts","../lib/jwt/JwtVerifier.ts","../lib/jwt/jwtUtils.ts","../lib/dpop/DPoP.ts","../lib/helpers/Encodings.ts"],"sourcesContent":["import { Loggers } from '@sphereon/ssi-types'\n\nexport const VCI_LOGGERS = Loggers.DEFAULT\nexport const VCI_LOG_COMMON = VCI_LOGGERS.get('sphereon:oid4vci:common')\n\nexport * from './types'\nexport * from './jwt'\nexport * from './dpop'\nexport * from './oauth'\nexport * from './helpers/Encodings'\n\nexport { v4 as uuidv4 } from 'uuid'\nexport { defaultHasher } from './hasher'\n","import { JwtHeader as jwtDecodeJwtHeader, JwtPayload as jwtDecodePayload } from 'jwt-decode'\n\nimport { JWK } from './Jwk.types'\n\nexport type JwtHeader = jwtDecodeJwtHeader & {\n alg?: string\n x5c?: string[]\n kid?: string\n jwk?: JWK\n jwt?: string\n} & Record<string, unknown>\n\nexport type JwtPayload = jwtDecodePayload & {\n client_id?: string\n nonce?: string\n request_uri?: string\n} & Record<string, unknown>\n\nexport enum SigningAlgo {\n EDDSA = 'EdDSA',\n RS256 = 'RS256',\n PS256 = 'PS256',\n ES256 = 'ES256',\n ES256K = 'ES256K',\n}\n","// eslint-disable-next-line @typescript-eslint/ban-ts-comment\n// @ts-ignore\nimport * as u8a from 'uint8arrays'\nconst { toString } = u8a\n\nimport { defaultHasher } from '../hasher'\nimport { DigestAlgorithm } from '../types'\n\nimport { JWK } from './Jwk.types'\n\nconst check = (value: unknown, description: string) => {\n if (typeof value !== 'string' \|\| !value) {\n throw Error(`${description} missing or invalid`)\n }\n}\n\nexport async function calculateJwkThumbprint(jwk: JWK, digestAlgorithm?: DigestAlgorithm): Promise<string> {\n if (!jwk \|\| typeof jwk !== 'object') {\n throw new TypeError('JWK must be an object')\n }\n const algorithm = digestAlgorithm ?? 'sha256'\n if (algorithm !== 'sha256' && algorithm !== 'sha384' && algorithm !== 'sha512') {\n throw new TypeError('digestAlgorithm must one of \"sha256\", \"sha384\", or \"sha512\"')\n }\n let components\n switch (jwk.kty) {\n case 'EC':\n check(jwk.crv, '\"crv\" (Curve) Parameter')\n check(jwk.x, '\"x\" (X Coordinate) Parameter')\n check(jwk.y, '\"y\" (Y Coordinate) Parameter')\n components = { crv: jwk.crv, kty: jwk.kty, x: jwk.x, y: jwk.y }\n break\n case 'OKP':\n check(jwk.crv, '\"crv\" (Subtype of Key Pair) Parameter')\n check(jwk.x, '\"x\" (Public Key) Parameter')\n components = { crv: jwk.crv, kty: jwk.kty, x: jwk.x }\n break\n case 'RSA':\n check(jwk.e, '\"e\" (Exponent) Parameter')\n check(jwk.n, '\"n\" (Modulus) Parameter')\n components = { e: jwk.e, kty: jwk.kty, n: jwk.n }\n break\n case 'oct':\n check(jwk.k, '\"k\" (Key Value) Parameter')\n components = { k: jwk.k, kty: jwk.kty }\n break\n default:\n throw Error('\"kty\" (Key Type) Parameter missing or unsupported')\n }\n return toString(defaultHasher(JSON.stringify(components), algorithm), 'base64url')\n}\n\nexport async function getDigestAlgorithmFromJwkThumbprintUri(uri: string): Promise<DigestAlgorithm> {\n const match = uri.match(/^urn:ietf:params:oauth:jwk-thumbprint:sha-(\\w+):/)\n if (!match) {\n throw new Error(`Invalid JWK thumbprint URI structure ${uri}`)\n }\n const algorithm = `sha${match[1]}` as DigestAlgorithm\n if (algorithm !== 'sha256' && algorithm !== 'sha384' && algorithm !== 'sha512') {\n throw new Error(`Invalid JWK thumbprint URI digest algorithm ${uri}`)\n }\n return algorithm\n}\n\nexport async function calculateJwkThumbprintUri(jwk: JWK, digestAlgorithm: DigestAlgorithm = 'sha256'): Promise<string> {\n const thumbprint = await calculateJwkThumbprint(jwk, digestAlgorithm)\n return `urn:ietf:params:oauth:jwk-thumbprint:sha-${digestAlgorithm.slice(-3)}:${thumbprint}`\n}\n","import { HasherSync, shaHasher } from '@sphereon/ssi-types'\n\nexport const defaultHasher: HasherSync = (data: string \| ArrayBuffer \| SharedArrayBuffer, algorithm: string) => {\n return shaHasher(data, algorithm)\n}\n","import { JWK } from './Jwk.types'\nimport { JwtHeader, JwtPayload, SigningAlgo } from './Jwt.types'\nimport { JwtProtectionMethod, JwtType } from './jwtUtils'\n\nexport interface JwtVerifierBase {\n type: JwtType\n method: JwtProtectionMethod\n}\n\nexport interface DidJwtVerifier extends JwtVerifierBase {\n method: 'did'\n\n alg: SigningAlgo \| string\n didUrl: string\n}\n\nexport interface X5cJwtVerifier extends JwtVerifierBase {\n method: 'x5c'\n\n alg: SigningAlgo \| string\n\n /*\n \n * Array of base64-encoded certificate strings in the DER-format.\n \n The certificate containing the public key corresponding to the key used to digitally sign the JWS MUST be the first certificate.\n /\n x5c: Array<string>\n\n /\n The jwt issuer\n /\n issuer: string\n}\n\nexport interface OpenIdFederationJwtVerifier extends JwtVerifierBase {\n method: 'openid-federation'\n\n /\n The OpenId federation Entity\n /\n entityId: string\n}\n\nexport interface JwkJwtVerifier extends JwtVerifierBase {\n method: 'jwk'\n alg: SigningAlgo \| string\n\n jwk: JWK\n}\n\nexport interface CustomJwtVerifier extends JwtVerifierBase {\n method: 'custom'\n}\n\nexport type JwtVerifier = DidJwtVerifier \| X5cJwtVerifier \| CustomJwtVerifier \| JwkJwtVerifier \| OpenIdFederationJwtVerifier\n\nexport const getDidJwtVerifier = (jwt: { header: JwtHeader; payload: JwtPayload }, options: { type: JwtType }): DidJwtVerifier => {\n const { type } = options\n if (!jwt.header.kid) throw new Error(`Received an invalid JWT. Missing kid header.`)\n if (!jwt.header.alg) throw new Error(`Received an invalid JWT. Missing alg header.`)\n\n if (!jwt.header.kid.includes('#')) {\n throw new Error(`Received an invalid JWT.. '${type}' contains an invalid kid header.`)\n }\n return { method: 'did', didUrl: jwt.header.kid, type: type, alg: jwt.header.alg }\n}\n\nconst getIssuer = (type: JwtType, payload: JwtPayload): string => {\n // For 'request-object' the `iss` value is not required so we map the issuer to client_id\n if (type === 'request-object') {\n if (!payload.client_id) {\n throw new Error('Missing required field client_id in request object JWT')\n }\n return payload.client_id as string\n }\n\n if (typeof payload.iss !== 'string') {\n throw new Error(`Received an invalid JWT. '${type}' contains an invalid iss claim or it is missing.`)\n }\n return payload.iss\n}\n\nexport const getX5cVerifier = (jwt: { header: JwtHeader; payload: JwtPayload }, options: { type: JwtType }): X5cJwtVerifier => {\n const { type } = options\n if (!jwt.header.x5c) throw new Error(`Received an invalid JWT. Missing x5c header.`)\n if (!jwt.header.alg) throw new Error(`Received an invalid JWT. Missing alg header.`)\n\n if (!Array.isArray(jwt.header.x5c) \|\| jwt.header.x5c.length === 0 \|\| !jwt.header.x5c.every((cert) => typeof cert === 'string')) {\n throw new Error(`Received an invalid JWT.. '${type}' contains an invalid x5c header.`)\n }\n\n return {\n method: 'x5c',\n x5c: jwt.header.x5c,\n issuer: getIssuer(type, jwt.payload),\n type: type,\n alg: jwt.header.alg,\n }\n}\n\nexport const getJwkVerifier = async (jwt: { header: JwtHeader; payload: JwtPayload }, options: { type: JwtType }): Promise<JwkJwtVerifier> => {\n const { type } = options\n if (!jwt.header.jwk) throw new Error(`Received an invalid JWT. Missing jwk header.`)\n if (!jwt.header.alg) throw new Error(`Received an invalid JWT. Missing alg header.`)\n\n if (typeof jwt.header.jwk !== 'object') {\n throw new Error(`Received an invalid JWT. '${type}' contains an invalid jwk header.`)\n }\n\n return { method: 'jwk', type, jwk: jwt.header.jwk, alg: jwt.header.alg }\n}\n\nexport const getJwtVerifierWithContext = async (\n jwt: { header: JwtHeader; payload: JwtPayload },\n options: { type: JwtType },\n): Promise<JwtVerifier> => {\n const { header, payload } = jwt\n\n if (header.kid?.startsWith('did:')) return getDidJwtVerifier({ header, payload }, options)\n else if (jwt.header.x5c) return getX5cVerifier({ header, payload }, options)\n else if (jwt.header.jwk) return getJwkVerifier({ header, payload }, options)\n\n return { method: 'custom', type: options.type }\n}\n\nexport type VerifyJwtCallbackBase<T extends JwtVerifier> = (\n jwtVerifier: T,\n jwt: { header: JwtHeader; payload: JwtPayload; raw: string },\n) => Promise<boolean>\n","import { jwtDecode } from 'jwt-decode'\n\nimport { JwtHeader, JwtPayload } from './Jwt.types'\n\nexport type JwtType = 'id-token' \| 'request-object' \| 'verifier-attestation' \| 'dpop'\n\nexport type JwtProtectionMethod = 'did' \| 'x5c' \| 'jwk' \| 'openid-federation' \| 'custom'\n\nexport function parseJWT<Header = JwtHeader, Payload = JwtPayload>(jwt: string) {\n const header = jwtDecode<Header>(jwt, { header: true })\n const payload = jwtDecode<Payload>(jwt, { header: false })\n\n if (!payload \|\| !header) {\n throw new Error('Jwt Payload and/or Header could not be parsed')\n }\n return { header, payload }\n}\n\n/\n The maximum allowed clock skew time in seconds. If an time based validation\n * is performed against current time (`now`), the validation can be of by the skew\n * time.\n \n See https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.5\n /\nconst DEFAULT_SKEW_TIME = 60\n\nexport function getNowSkewed(now?: number, skewTime?: number) {\n const _now = now ? now : epochTime()\n const _skewTime = skewTime ? skewTime : DEFAULT_SKEW_TIME\n\n return {\n nowSkewedPast: _now - _skewTime,\n nowSkewedFuture: _now + _skewTime,\n }\n}\n\n/\n Returns the current unix timestamp in seconds.\n /\nexport function epochTime() {\n return Math.floor(Date.now() / 1000)\n}\n\nexport const BASE64_URL_REGEX = /^([0-9a-zA-Z-_]{4})(([0-9a-zA-Z-_]{2}(==)?)\|([0-9a-zA-Z-_]{3}(=)?))?$/\n\nexport const isJws = (jws: string) => {\n const jwsParts = jws.split('.')\n return jwsParts.length === 3 && jwsParts.every((part) => BASE64_URL_REGEX.test(part))\n}\nexport const isJwe = (jwe: string) => {\n const jweParts = jwe.split('.')\n return jweParts.length === 5 && jweParts.every((part) => BASE64_URL_REGEX.test(part))\n}\n\nexport const decodeProtectedHeader = (jwt: string) => {\n return jwtDecode(jwt, { header: true })\n}\n\nexport const decodeJwt = (jwt: string): JwtPayload => {\n return jwtDecode(jwt, { header: false })\n}\n\nexport const checkExp = (input: {\n exp: number\n now?: number // The number of milliseconds elapsed since midnight, January 1, 1970 Universal Coordinated Time (UTC).\n clockSkew?: number\n}) => {\n const { exp, now, clockSkew } = input\n return exp < (now ?? Date.now() / 1000) - (clockSkew ?? 120)\n}\n","import { jwtDecode } from 'jwt-decode'\n// eslint-disable-next-line @typescript-eslint/ban-ts-comment\n// @ts-ignore\nimport * as u8a from 'uint8arrays'\nconst { toString } = u8a\n\nimport { v4 as uuidv4 } from 'uuid'\n\nimport { defaultHasher } from '../hasher'\nimport {\n calculateJwkThumbprint,\n CreateJwtCallback,\n epochTime,\n getNowSkewed,\n JWK,\n JwtHeader,\n JwtIssuerJwk,\n JwtPayload,\n parseJWT,\n SigningAlgo,\n VerifyJwtCallbackBase,\n} from '../jwt'\n\nexport const dpopTokenRequestNonceError = 'use_dpop_nonce'\n\nexport interface DPoPJwtIssuerWithContext extends JwtIssuerJwk {\n type: 'dpop'\n dPoPSigningAlgValuesSupported?: string[]\n}\n\nexport type DPoPJwtPayloadProps = {\n htu: string\n iat: number\n htm: 'GET' \| 'POST' \| 'PUT' \| 'DELETE' \| 'HEAD' \| 'OPTIONS' \| 'TRACE' \| 'CONNECT' \| 'PATCH'\n ath?: string\n nonce?: string\n jti: string\n}\nexport type DPoPJwtHeaderProps = { typ: 'dpop+jwt'; alg: SigningAlgo; jwk: JWK }\nexport type CreateDPoPJwtPayloadProps = Omit<DPoPJwtPayloadProps, 'iat' \| 'jti' \| 'ath'> & { accessToken?: string }\n\nexport interface CreateDPoPOpts<JwtPayloadProps = CreateDPoPJwtPayloadProps> {\n createJwtCallback: CreateJwtCallback<DPoPJwtIssuerWithContext>\n jwtIssuer: Omit<JwtIssuerJwk, 'method' \| 'type'>\n jwtPayloadProps: Record<string, unknown> & JwtPayloadProps\n dPoPSigningAlgValuesSupported?: (string \| SigningAlgo)[]\n}\n\nexport type CreateDPoPClientOpts = CreateDPoPOpts<Omit<CreateDPoPJwtPayloadProps, 'htm' \| 'htu'>>\n\nexport function getCreateDPoPOptions(\n createDPoPClientOpts: CreateDPoPClientOpts,\n endPointUrl: string,\n resourceRequestOpts?: { accessToken: string },\n): CreateDPoPOpts {\n const htu = endPointUrl.split('?')[0].split('#')[0]\n return {\n ...createDPoPClientOpts,\n jwtPayloadProps: {\n ...createDPoPClientOpts.jwtPayloadProps,\n htu,\n htm: 'POST',\n ...(resourceRequestOpts && { accessToken: resourceRequestOpts.accessToken }),\n },\n }\n}\n\nexport async function createDPoP(options: CreateDPoPOpts): Promise<string> {\n const { createJwtCallback, jwtIssuer, jwtPayloadProps, dPoPSigningAlgValuesSupported } = options\n\n if (jwtPayloadProps.accessToken && (jwtPayloadProps.accessToken?.startsWith('DPoP ') \|\| jwtPayloadProps.accessToken?.startsWith('Bearer '))) {\n throw new Error('expected access token without scheme')\n }\n\n const ath = jwtPayloadProps.accessToken ? toString(defaultHasher(jwtPayloadProps.accessToken, 'sha256'), 'base64url') : undefined\n return createJwtCallback(\n { method: 'jwk', type: 'dpop', alg: jwtIssuer.alg, jwk: jwtIssuer.jwk, dPoPSigningAlgValuesSupported },\n {\n header: { ...jwtIssuer, typ: 'dpop+jwt', alg: jwtIssuer.alg, jwk: jwtIssuer.jwk },\n payload: {\n ...jwtPayloadProps,\n iat: epochTime(),\n jti: uuidv4(),\n ...(ath && { ath }),\n },\n },\n )\n}\n\nexport type DPoPVerifyJwtCallback = VerifyJwtCallbackBase<JwtIssuerJwk & { type: 'dpop' }>\nexport interface DPoPVerifyOptions {\n expectedNonce?: string\n acceptedAlgorithms?: (string \| SigningAlgo)[]\n // defaults to 300 seconds (5 minutes)\n maxIatAgeInSeconds?: number\n expectAccessToken?: boolean\n jwtVerifyCallback: DPoPVerifyJwtCallback\n now?: number\n}\n\nexport async function verifyDPoP(\n request: { headers: Record<string, string \| string[] \| undefined>; fullUrl: string } & Pick<Request, 'method'>,\n options: DPoPVerifyOptions,\n) {\n // There is not more than one DPoP HTTP request header field.\n const dpop = request.headers['dpop']\n if (!dpop \|\| typeof dpop !== 'string') {\n throw new Error('missing or invalid dpop header. Expected compact JWT')\n }\n\n // The DPoP HTTP request header field value is a single and well-formed JWT.\n const { header: dPoPHeader, payload: dPoPPayload } = parseJWT<JwtHeader, JwtPayload & Partial<DPoPJwtPayloadProps>>(dpop)\n\n // Ensure all required header claims are present\n if (dPoPHeader.typ !== 'dpop+jwt' \|\| !dPoPHeader.alg \|\| !dPoPHeader.jwk \|\| typeof dPoPHeader.jwk !== 'object' \|\| dPoPHeader.jwk.d) {\n throw new Error('invalid_dpop_proof. Invalid header claims')\n }\n\n // Ensure all required payload claims are present\n if (!dPoPPayload.htm \|\| !dPoPPayload.htu \|\| !dPoPPayload.iat \|\| !dPoPPayload.jti) {\n throw new Error('invalid_dpop_proof. Missing required claims')\n }\n\n // Validate alg is supported\n if (options?.acceptedAlgorithms && !options.acceptedAlgorithms.includes(dPoPHeader.alg)) {\n throw new Error(`invalid_dpop_proof. Invalid 'alg' claim '${dPoPHeader.alg}'. Only ${options.acceptedAlgorithms.join(', ')} are supported.`)\n }\n\n // Validate nonce if provided\n if ((options?.expectedNonce && !dPoPPayload.nonce) \|\| dPoPPayload.nonce !== options.expectedNonce) {\n throw new Error('invalid_dpop_proof. Nonce mismatch')\n }\n\n // Verify JWT signature\n try {\n const verificationResult = await options.jwtVerifyCallback(\n {\n method: 'jwk',\n type: 'dpop',\n jwk: dPoPHeader.jwk,\n alg: dPoPHeader.alg,\n },\n {\n header: dPoPHeader,\n payload: dPoPPayload,\n raw: dpop,\n },\n )\n\n if (!verificationResult) {\n throw new Error('invalid_dpop_proof. Invalid JWT signature')\n }\n } catch (error: unknown) {\n throw new Error('invalid_dpop_proof. Invalid JWT signature. ' + (error instanceof Error ? error.message : 'Unknown error'))\n }\n\n // Validate htm claim\n if (dPoPPayload.htm !== request.method) {\n throw new Error(`invalid_dpop_proof. Invalid htm claim. Must match request method '${request.method}'`)\n }\n\n // The htu claim matches the HTTP URI value for the HTTP request in which the JWT was received, ignoring any query and fragment parts.\n const currentUri = request.fullUrl.split('?')[0].split('#')[0]\n if (dPoPPayload.htu !== currentUri) {\n throw new Error('invalid_dpop_proof. Invalid htu claim')\n }\n\n // Validate nonce if provided\n if ((options.expectedNonce && dPoPPayload.nonce !== options.expectedNonce) \|\| (!options.expectedNonce && dPoPPayload.nonce)) {\n throw new Error('invalid_dpop_proof. Nonce mismatch')\n }\n\n // Validate iat claim\n const { nowSkewedPast, nowSkewedFuture } = getNowSkewed(options.now)\n if (\n // iat claim is too far in the future\n nowSkewedPast - (options.maxIatAgeInSeconds ?? 60) > dPoPPayload.iat \|\|\n // iat claim is too old\n nowSkewedFuture + (options.maxIatAgeInSeconds ?? 60) < dPoPPayload.iat\n ) {\n // 5 minute window\n throw new Error('invalid_dpop_proof. Invalid iat claim')\n }\n\n // If access token is present, validate ath claim\n const authorizationHeader = request.headers.authorization\n if (!options.expectAccessToken && authorizationHeader) {\n throw new Error('invalid_dpop_proof. Received an unexpected authorization header.')\n }\n\n if (options.expectAccessToken) {\n if (!dPoPPayload.ath) {\n throw new Error('invalid_dpop_proof. Missing expected ath claim.')\n }\n\n // validate that the DPOP proof is made for the provided access token\n if (!authorizationHeader \|\| typeof authorizationHeader !== 'string' \|\| !authorizationHeader.startsWith('DPoP ')) {\n throw new Error('invalid_dpop_proof. Invalid authorization header.')\n }\n\n const accessToken = authorizationHeader.replace('DPoP ', '')\n const expectedAth = toString(defaultHasher(accessToken, 'sha256'), 'base64url')\n if (dPoPPayload.ath !== expectedAth) {\n throw new Error('invalid_dpop_proof. Invalid ath claim')\n }\n\n // validate that the access token is signed with the same key as the DPOP proof\n const accessTokenPayload = jwtDecode<JwtPayload & { cnf?: { jkt?: string } }>(accessToken, { header: false })\n if (!accessTokenPayload.cnf?.jkt) {\n throw new Error('invalid_dpop_proof. Access token is missing the jkt claim')\n }\n\n const thumprint = await calculateJwkThumbprint(dPoPHeader.jwk, 'sha256')\n if (accessTokenPayload.cnf?.jkt !== thumprint) {\n throw new Error('invalid_dpop_proof. JwkThumbprint mismatch')\n }\n }\n\n // If all validations pass, return the dpop jwk\n return dPoPHeader.jwk\n}\n\n/*\n DPoP verifications for resource requests\n * For Bearer token compatibility jwt's must have a token_type claim\n * The access token itself must be validated before using this method\n * If the token_type is not DPoP, then the request is not a DPoP request\n * and we don't need to verify the DPoP proof\n /\nexport async function verifyResourceDPoP(\n request: { headers: Record<string, string \| string[] \| undefined>; fullUrl: string } & Pick<Request, 'method'>,\n options: Omit<DPoPVerifyOptions, 'expectAccessToken'>,\n) {\n if (!request.headers.authorization \|\| typeof request.headers.authorization !== 'string') {\n throw new Error('Received an invalid resource request. Missing authorization header.')\n }\n const tokenPayload = jwtDecode<JwtPayload & { token_type?: string }>(request.headers.authorization, { header: false })\n const tokenType = tokenPayload.token_type\n\n if (tokenType !== 'DPoP') {\n return\n }\n\n return verifyDPoP(request, { ...options, expectAccessToken: true })\n}\n","// eslint-disable-next-line @typescript-eslint/ban-ts-comment\n// @ts-ignore\nimport as u8a from 'uint8arrays'\n\nconst { fromString, toString } = u8a\n\nexport function base64ToHexString(input: string, encoding?: 'base64url' \| 'base64'): string {\n return toString(fromString(input, encoding ?? 'base64url'), 'base16')\n}\n\nexport function fromBase64(base64: string): string {\n return base64.replace(/=/g, '').replace(/\\+/g, '-').replace(/\\//g, '_')\n}\n\nexport function base64urlEncodeBuffer(buf: { toString: (arg0: 'base64') => string }): string {\n return fromBase64(buf.toString('base64'))\n}\n\nexport function base64urlToString(base64url: string): string {\n const uint8array = fromString(base64url, 'base64url')\n return toString(uint8array, 'ascii')\n}\n"],"mappings":";;;;AAAA,SAASA,eAAe;;;ACkBjB,IAAKC,cAAAA,0BAAAA,cAAAA;;;;;;SAAAA;;;;AChBZ,YAAYC,SAAS;;;ACFrB,SAAqBC,iBAAiB;AAE/B,IAAMC,gBAA4B,wBAACC,MAAgDC,cAAAA;AACxF,SAAOC,UAAUF,MAAMC,SAAAA;AACzB,GAFyC;;;ADCzC,IAAM,EAAEE,SAAQ,IAAKC;AAOrB,IAAMC,QAAQ,wBAACC,OAAgBC,gBAAAA;AAC7B,MAAI,OAAOD,UAAU,YAAY,CAACA,OAAO;AACvC,UAAME,MAAM,GAAGD,WAAAA,qBAAgC;EACjD;AACF,GAJc;AAMd,eAAsBE,uBAAuBC,KAAUC,iBAAiC;AACtF,MAAI,CAACD,OAAO,OAAOA,QAAQ,UAAU;AACnC,UAAM,IAAIE,UAAU,uBAAA;EACtB;AACA,QAAMC,YAAYF,mBAAmB;AACrC,MAAIE,cAAc,YAAYA,cAAc,YAAYA,cAAc,UAAU;AAC9E,UAAM,IAAID,UAAU,6DAAA;EACtB;AACA,MAAIE;AACJ,UAAQJ,IAAIK,KAAG;IACb,KAAK;AACHV,YAAMK,IAAIM,KAAK,yBAAA;AACfX,YAAMK,IAAIO,GAAG,8BAAA;AACbZ,YAAMK,IAAIQ,GAAG,8BAAA;AACbJ,mBAAa;QAAEE,KAAKN,IAAIM;QAAKD,KAAKL,IAAIK;QAAKE,GAAGP,IAAIO;QAAGC,GAAGR,IAAIQ;MAAE;AAC9D;IACF,KAAK;AACHb,YAAMK,IAAIM,KAAK,uCAAA;AACfX,YAAMK,IAAIO,GAAG,4BAAA;AACbH,mBAAa;QAAEE,KAAKN,IAAIM;QAAKD,KAAKL,IAAIK;QAAKE,GAAGP,IAAIO;MAAE;AACpD;IACF,KAAK;AACHZ,YAAMK,IAAIS,GAAG,0BAAA;AACbd,YAAMK,IAAIU,GAAG,yBAAA;AACbN,mBAAa;QAAEK,GAAGT,IAAIS;QAAGJ,KAAKL,IAAIK;QAAKK,GAAGV,IAAIU;MAAE;AAChD;IACF,KAAK;AACHf,YAAMK,IAAIW,GAAG,2BAAA;AACbP,mBAAa;QAAEO,GAAGX,IAAIW;QAAGN,KAAKL,IAAIK;MAAI;AACtC;IACF;AACE,YAAMP,MAAM,mDAAA;EAChB;AACA,SAAOL,SAASmB,cAAcC,KAAKC,UAAUV,UAAAA,GAAaD,SAAAA,GAAY,WAAA;AACxE;AAlCsBJ;AAoCtB,eAAsBgB,uCAAuCC,KAAW;AACtE,QAAMC,QAAQD,IAAIC,MAAM,kDAAA;AACxB,MAAI,CAACA,OAAO;AACV,UAAM,IAAInB,MAAM,wCAAwCkB,GAAAA,EAAK;EAC/D;AACA,QAAMb,YAAY,MAAMc,MAAM,CAAA,CAAE;AAChC,MAAId,cAAc,YAAYA,cAAc,YAAYA,cAAc,UAAU;AAC9E,UAAM,IAAIL,MAAM,+CAA+CkB,GAAAA,EAAK;EACtE;AACA,SAAOb;AACT;AAVsBY;AAYtB,eAAsBG,0BAA0BlB,KAAUC,kBAAmC,UAAQ;AACnG,QAAMkB,aAAa,MAAMpB,uBAAuBC,KAAKC,eAAAA;AACrD,SAAO,4CAA4CA,gBAAgBmB,MAAM,EAAC,CAAA,IAAMD,UAAAA;AAClF;AAHsBD;;;AEPf,IAAMG,oBAAoB,wBAACC,KAAiDC,YAAAA;AACjF,QAAM,EAAEC,KAAI,IAAKD;AACjB,MAAI,CAACD,IAAIG,OAAOC,IAAK,OAAM,IAAIC,MAAM,8CAA8C;AACnF,MAAI,CAACL,IAAIG,OAAOG,IAAK,OAAM,IAAID,MAAM,8CAA8C;AAEnF,MAAI,CAACL,IAAIG,OAAOC,IAAIG,SAAS,GAAA,GAAM;AACjC,UAAM,IAAIF,MAAM,8BAA8BH,IAAAA,mCAAuC;EACvF;AACA,SAAO;IAAEM,QAAQ;IAAOC,QAAQT,IAAIG,OAAOC;IAAKF;IAAYI,KAAKN,IAAIG,OAAOG;EAAI;AAClF,GATiC;AAWjC,IAAMI,YAAY,wBAACR,MAAeS,YAAAA;AAEhC,MAAIT,SAAS,kBAAkB;AAC7B,QAAI,CAACS,QAAQC,WAAW;AACtB,YAAM,IAAIP,MAAM,wDAAA;IAClB;AACA,WAAOM,QAAQC;EACjB;AAEA,MAAI,OAAOD,QAAQE,QAAQ,UAAU;AACnC,UAAM,IAAIR,MAAM,6BAA6BH,IAAAA,mDAAuD;EACtG;AACA,SAAOS,QAAQE;AACjB,GAbkB;AAeX,IAAMC,iBAAiB,wBAACd,KAAiDC,YAAAA;AAC9E,QAAM,EAAEC,KAAI,IAAKD;AACjB,MAAI,CAACD,IAAIG,OAAOY,IAAK,OAAM,IAAIV,MAAM,8CAA8C;AACnF,MAAI,CAACL,IAAIG,OAAOG,IAAK,OAAM,IAAID,MAAM,8CAA8C;AAEnF,MAAI,CAACW,MAAMC,QAAQjB,IAAIG,OAAOY,GAAG,KAAKf,IAAIG,OAAOY,IAAIG,WAAW,KAAK,CAAClB,IAAIG,OAAOY,IAAII,MAAM,CAACC,SAAS,OAAOA,SAAS,QAAA,GAAW;AAC9H,UAAM,IAAIf,MAAM,8BAA8BH,IAAAA,mCAAuC;EACvF;AAEA,SAAO;IACLM,QAAQ;IACRO,KAAKf,IAAIG,OAAOY;IAChBM,QAAQX,UAAUR,MAAMF,IAAIW,OAAO;IACnCT;IACAI,KAAKN,IAAIG,OAAOG;EAClB;AACF,GAhB8B;AAkBvB,IAAMgB,iBAAiB,8BAAOtB,KAAiDC,YAAAA;AACpF,QAAM,EAAEC,KAAI,IAAKD;AACjB,MAAI,CAACD,IAAIG,OAAOoB,IAAK,OAAM,IAAIlB,MAAM,+CAA+C;AACpF,MAAI,CAACL,IAAIG,OAAOG,IAAK,OAAM,IAAID,MAAM,8CAA8C;AAEnF,MAAI,OAAOL,IAAIG,OAAOoB,QAAQ,UAAU;AACtC,UAAM,IAAIlB,MAAM,6BAA6BH,IAAAA,mCAAuC;EACtF;AAEA,SAAO;IAAEM,QAAQ;IAAON;IAAMqB,KAAKvB,IAAIG,OAAOoB;IAAKjB,KAAKN,IAAIG,OAAOG;EAAI;AACzE,GAV8B;AAYvB,IAAMkB,4BAA4B,8BACvCxB,KACAC,YAAAA;AAEA,QAAM,EAAEE,QAAQQ,QAAO,IAAKX;AAE5B,MAAIG,OAAOC,KAAKqB,WAAW,MAAA,EAAS,QAAO1B,kBAAkB;IAAEI;IAAQQ;EAAQ,GAAGV,OAAAA;WACzED,IAAIG,OAAOY,IAAK,QAAOD,eAAe;IAAEX;IAAQQ;EAAQ,GAAGV,OAAAA;WAC3DD,IAAIG,OAAOoB,IAAK,QAAOD,eAAe;IAAEnB;IAAQQ;EAAQ,GAAGV,OAAAA;AAEpE,SAAO;IAAEO,QAAQ;IAAUN,MAAMD,QAAQC;EAAK;AAChD,GAXyC;;;ACjHzC,SAASwB,iBAAiB;AAQnB,SAASC,SAAmDC,KAAW;AAC5E,QAAMC,SAASC,UAAkBF,KAAK;IAAEC,QAAQ;EAAK,CAAA;AACrD,QAAME,UAAUD,UAAmBF,KAAK;IAAEC,QAAQ;EAAM,CAAA;AAExD,MAAI,CAACE,WAAW,CAACF,QAAQ;AACvB,UAAM,IAAIG,MAAM,+CAAA;EAClB;AACA,SAAO;IAAEH;IAAQE;EAAQ;AAC3B;AARgBJ;AAiBhB,IAAMM,oBAAoB;AAEnB,SAASC,aAAaC,KAAcC,UAAiB;AAC1D,QAAMC,OAAOF,MAAMA,MAAMG,UAAAA;AACzB,QAAMC,YAAYH,WAAWA,WAAWH;AAExC,SAAO;IACLO,eAAeH,OAAOE;IACtBE,iBAAiBJ,OAAOE;EAC1B;AACF;AARgBL;AAaT,SAASI,YAAAA;AACd,SAAOI,KAAKC,MAAMC,KAAKT,IAAG,IAAK,GAAA;AACjC;AAFgBG;AAIT,IAAMO,mBAAmB;AAEzB,IAAMC,QAAQ,wBAACC,QAAAA;AACpB,QAAMC,WAAWD,IAAIE,MAAM,GAAA;AAC3B,SAAOD,SAASE,WAAW,KAAKF,SAASG,MAAM,CAACC,SAASP,iBAAiBQ,KAAKD,IAAAA,CAAAA;AACjF,GAHqB;AAId,IAAME,QAAQ,wBAACC,QAAAA;AACpB,QAAMC,WAAWD,IAAIN,MAAM,GAAA;AAC3B,SAAOO,SAASN,WAAW,KAAKM,SAASL,MAAM,CAACC,SAASP,iBAAiBQ,KAAKD,IAAAA,CAAAA;AACjF,GAHqB;AAKd,IAAMK,wBAAwB,wBAAC7B,QAAAA;AACpC,SAAOE,UAAUF,KAAK;IAAEC,QAAQ;EAAK,CAAA;AACvC,GAFqC;AAI9B,IAAM6B,YAAY,wBAAC9B,QAAAA;AACxB,SAAOE,UAAUF,KAAK;IAAEC,QAAQ;EAAM,CAAA;AACxC,GAFyB;AAIlB,IAAM8B,WAAW,wBAACC,UAAAA;AAKvB,QAAM,EAAEC,KAAK1B,KAAK2B,UAAS,IAAKF;AAChC,SAAOC,OAAO1B,OAAOS,KAAKT,IAAG,IAAK,QAAS2B,aAAa;AAC1D,GAPwB;;;AC/DxB,SAASC,aAAAA,kBAAiB;AAG1B,YAAYC,UAAS;AAGrB,SAASC,MAAMC,cAAc;AAF7B,IAAM,EAAEC,UAAAA,UAAQ,IAAKC;AAmBd,IAAMC,6BAA6B;AA2BnC,SAASC,qBACdC,sBACAC,aACAC,qBAA6C;AAE7C,QAAMC,MAAMF,YAAYG,MAAM,GAAA,EAAK,CAAA,EAAGA,MAAM,GAAA,EAAK,CAAA;AACjD,SAAO;IACL,GAAGJ;IACHK,iBAAiB;MACf,GAAGL,qBAAqBK;MACxBF;MACAG,KAAK;MACL,GAAIJ,uBAAuB;QAAEK,aAAaL,oBAAoBK;MAAY;IAC5E;EACF;AACF;AAfgBR;AAiBhB,eAAsBS,WAAWC,SAAuB;AACtD,QAAM,EAAEC,mBAAmBC,WAAWN,iBAAiBO,8BAA6B,IAAKH;AAEzF,MAAIJ,gBAAgBE,gBAAgBF,gBAAgBE,aAAaM,WAAW,OAAA,KAAYR,gBAAgBE,aAAaM,WAAW,SAAA,IAAa;AAC3I,UAAM,IAAIC,MAAM,sCAAA;EAClB;AAEA,QAAMC,MAAMV,gBAAgBE,cAAcX,UAASoB,cAAcX,gBAAgBE,aAAa,QAAA,GAAW,WAAA,IAAeU;AACxH,SAAOP,kBACL;IAAEQ,QAAQ;IAAOC,MAAM;IAAQC,KAAKT,UAAUS;IAAKC,KAAKV,UAAUU;IAAKT;EAA8B,GACrG;IACEU,QAAQ;MAAE,GAAGX;MAAWY,KAAK;MAAYH,KAAKT,UAAUS;MAAKC,KAAKV,UAAUU;IAAI;IAChFG,SAAS;MACP,GAAGnB;MACHoB,KAAKC,UAAAA;MACLC,KAAKC,OAAAA;MACL,GAAIb,OAAO;QAAEA;MAAI;IACnB;EACF,CAAA;AAEJ;AApBsBP;AAiCtB,eAAsBqB,WACpBC,SACArB,SAA0B;AAG1B,QAAMsB,OAAOD,QAAQE,QAAQ,MAAA;AAC7B,MAAI,CAACD,QAAQ,OAAOA,SAAS,UAAU;AACrC,UAAM,IAAIjB,MAAM,sDAAA;EAClB;AAGA,QAAM,EAAEQ,QAAQW,YAAYT,SAASU,YAAW,IAAKC,SAA+DJ,IAAAA;AAGpH,MAAIE,WAAWV,QAAQ,cAAc,CAACU,WAAWb,OAAO,CAACa,WAAWZ,OAAO,OAAOY,WAAWZ,QAAQ,YAAYY,WAAWZ,IAAIe,GAAG;AACjI,UAAM,IAAItB,MAAM,2CAAA;EAClB;AAGA,MAAI,CAACoB,YAAY5B,OAAO,CAAC4B,YAAY/B,OAAO,CAAC+B,YAAYT,OAAO,CAACS,YAAYP,KAAK;AAChF,UAAM,IAAIb,MAAM,6CAAA;EAClB;AAGA,MAAIL,SAAS4B,sBAAsB,CAAC5B,QAAQ4B,mBAAmBC,SAASL,WAAWb,GAAG,GAAG;AACvF,UAAM,IAAIN,MAAM,4CAA4CmB,WAAWb,GAAG,WAAWX,QAAQ4B,mBAAmBE,KAAK,IAAA,CAAA,iBAAsB;EAC7I;AAGA,MAAK9B,SAAS+B,iBAAiB,CAACN,YAAYO,SAAUP,YAAYO,UAAUhC,QAAQ+B,eAAe;AACjG,UAAM,IAAI1B,MAAM,oCAAA;EAClB;AAGA,MAAI;AACF,UAAM4B,qBAAqB,MAAMjC,QAAQkC,kBACvC;MACEzB,QAAQ;MACRC,MAAM;MACNE,KAAKY,WAAWZ;MAChBD,KAAKa,WAAWb;IAClB,GACA;MACEE,QAAQW;MACRT,SAASU;MACTU,KAAKb;IACP,CAAA;AAGF,QAAI,CAACW,oBAAoB;AACvB,YAAM,IAAI5B,MAAM,2CAAA;IAClB;EACF,SAAS+B,OAAgB;AACvB,UAAM,IAAI/B,MAAM,iDAAiD+B,iBAAiB/B,QAAQ+B,MAAMC,UAAU,gBAAc;EAC1H;AAGA,MAAIZ,YAAY5B,QAAQwB,QAAQZ,QAAQ;AACtC,UAAM,IAAIJ,MAAM,qEAAqEgB,QAAQZ,MAAM,GAAG;EACxG;AAGA,QAAM6B,aAAajB,QAAQkB,QAAQ5C,MAAM,GAAA,EAAK,CAAA,EAAGA,MAAM,GAAA,EAAK,CAAA;AAC5D,MAAI8B,YAAY/B,QAAQ4C,YAAY;AAClC,UAAM,IAAIjC,MAAM,uCAAA;EAClB;AAGA,MAAKL,QAAQ+B,iBAAiBN,YAAYO,UAAUhC,QAAQ+B,iBAAmB,CAAC/B,QAAQ+B,iBAAiBN,YAAYO,OAAQ;AAC3H,UAAM,IAAI3B,MAAM,oCAAA;EAClB;AAGA,QAAM,EAAEmC,eAAeC,gBAAe,IAAKC,aAAa1C,QAAQ2C,GAAG;AACnE;;IAEEH,iBAAiBxC,QAAQ4C,sBAAsB,MAAMnB,YAAYT;IAEjEyB,mBAAmBzC,QAAQ4C,sBAAsB,MAAMnB,YAAYT;IACnE;AAEA,UAAM,IAAIX,MAAM,uCAAA;EAClB;AAGA,QAAMwC,sBAAsBxB,QAAQE,QAAQuB;AAC5C,MAAI,CAAC9C,QAAQ+C,qBAAqBF,qBAAqB;AACrD,UAAM,IAAIxC,MAAM,kEAAA;EAClB;AAEA,MAAIL,QAAQ+C,mBAAmB;AAC7B,QAAI,CAACtB,YAAYnB,KAAK;AACpB,YAAM,IAAID,MAAM,iDAAA;IAClB;AAGA,QAAI,CAACwC,uBAAuB,OAAOA,wBAAwB,YAAY,CAACA,oBAAoBzC,WAAW,OAAA,GAAU;AAC/G,YAAM,IAAIC,MAAM,mDAAA;IAClB;AAEA,UAAMP,cAAc+C,oBAAoBG,QAAQ,SAAS,EAAA;AACzD,UAAMC,cAAc9D,UAASoB,cAAcT,aAAa,QAAA,GAAW,WAAA;AACnE,QAAI2B,YAAYnB,QAAQ2C,aAAa;AACnC,YAAM,IAAI5C,MAAM,uCAAA;IAClB;AAGA,UAAM6C,qBAAqBC,WAAmDrD,aAAa;MAAEe,QAAQ;IAAM,CAAA;AAC3G,QAAI,CAACqC,mBAAmBE,KAAKC,KAAK;AAChC,YAAM,IAAIhD,MAAM,2DAAA;IAClB;AAEA,UAAMiD,YAAY,MAAMC,uBAAuB/B,WAAWZ,KAAK,QAAA;AAC/D,QAAIsC,mBAAmBE,KAAKC,QAAQC,WAAW;AAC7C,YAAM,IAAIjD,MAAM,4CAAA;IAClB;EACF;AAGA,SAAOmB,WAAWZ;AACpB;AAxHsBQ;AAiItB,eAAsBoC,mBACpBnC,SACArB,SAAqD;AAErD,MAAI,CAACqB,QAAQE,QAAQuB,iBAAiB,OAAOzB,QAAQE,QAAQuB,kBAAkB,UAAU;AACvF,UAAM,IAAIzC,MAAM,qEAAA;EAClB;AACA,QAAMoD,eAAeN,WAAgD9B,QAAQE,QAAQuB,eAAe;IAAEjC,QAAQ;EAAM,CAAA;AACpH,QAAM6C,YAAYD,aAAaE;AAE/B,MAAID,cAAc,QAAQ;AACxB;EACF;AAEA,SAAOtC,WAAWC,SAAS;IAAE,GAAGrB;IAAS+C,mBAAmB;EAAK,CAAA;AACnE;AAfsBS;;;ACnOtB,YAAYI,UAAS;AAErB,IAAM,EAAEC,YAAYC,UAAAA,UAAQ,IAAKC;AAE1B,SAASC,kBAAkBC,OAAeC,UAAiC;AAChF,SAAOJ,UAASD,WAAWI,OAAOC,YAAY,WAAA,GAAc,QAAA;AAC9D;AAFgBF;AAIT,SAASG,WAAWC,QAAc;AACvC,SAAOA,OAAOC,QAAQ,MAAM,EAAA,EAAIA,QAAQ,OAAO,GAAA,EAAKA,QAAQ,OAAO,GAAA;AACrE;AAFgBF;AAIT,SAASG,sBAAsBC,KAA6C;AACjF,SAAOJ,WAAWI,IAAIT,SAAS,QAAA,CAAA;AACjC;AAFgBQ;AAIT,SAASE,kBAAkBC,WAAiB;AACjD,QAAMC,aAAab,WAAWY,WAAW,WAAA;AACzC,SAAOX,UAASY,YAAY,OAAA;AAC9B;AAHgBF;;;APPhB,SAAeG,UAAc;AATtB,IAAMC,cAAcC,QAAQC;AAC5B,IAAMC,iBAAiBH,YAAYI,IAAI,yBAAA;","names":["Loggers","SigningAlgo","u8a","shaHasher","defaultHasher","data","algorithm","shaHasher","toString","u8a","check","value","description","Error","calculateJwkThumbprint","jwk","digestAlgorithm","TypeError","algorithm","components","kty","crv","x","y","e","n","k","defaultHasher","JSON","stringify","getDigestAlgorithmFromJwkThumbprintUri","uri","match","calculateJwkThumbprintUri","thumbprint","slice","getDidJwtVerifier","jwt","options","type","header","kid","Error","alg","includes","method","didUrl","getIssuer","payload","client_id","iss","getX5cVerifier","x5c","Array","isArray","length","every","cert","issuer","getJwkVerifier","jwk","getJwtVerifierWithContext","startsWith","jwtDecode","parseJWT","jwt","header","jwtDecode","payload","Error","DEFAULT_SKEW_TIME","getNowSkewed","now","skewTime","_now","epochTime","_skewTime","nowSkewedPast","nowSkewedFuture","Math","floor","Date","BASE64_URL_REGEX","isJws","jws","jwsParts","split","length","every","part","test","isJwe","jwe","jweParts","decodeProtectedHeader","decodeJwt","checkExp","input","exp","clockSkew","jwtDecode","u8a","v4","uuidv4","toString","u8a","dpopTokenRequestNonceError","getCreateDPoPOptions","createDPoPClientOpts","endPointUrl","resourceRequestOpts","htu","split","jwtPayloadProps","htm","accessToken","createDPoP","options","createJwtCallback","jwtIssuer","dPoPSigningAlgValuesSupported","startsWith","Error","ath","defaultHasher","undefined","method","type","alg","jwk","header","typ","payload","iat","epochTime","jti","uuidv4","verifyDPoP","request","dpop","headers","dPoPHeader","dPoPPayload","parseJWT","d","acceptedAlgorithms","includes","join","expectedNonce","nonce","verificationResult","jwtVerifyCallback","raw","error","message","currentUri","fullUrl","nowSkewedPast","nowSkewedFuture","getNowSkewed","now","maxIatAgeInSeconds","authorizationHeader","authorization","expectAccessToken","replace","expectedAth","accessTokenPayload","jwtDecode","cnf","jkt","thumprint","calculateJwkThumbprint","verifyResourceDPoP","tokenPayload","tokenType","token_type","u8a","fromString","toString","u8a","base64ToHexString","input","encoding","fromBase64","base64","replace","base64urlEncodeBuffer","buf","base64urlToString","base64url","uint8array","uuidv4","VCI_LOGGERS","Loggers","DEFAULT","VCI_LOG_COMMON","get"]}

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@sphereon/oid4vc-common",
-  "version": "0.20.1-next.13+35024961",
+  "version": "0.20.1-next.16+de3c46dd",
   "description": "OpenID 4 Verifiable Credentials Common",
   "source": "./src/index.ts",
   "type": "module",
@@ -22,7 +22,7 @@
     "test": "vitest run --config ../../vitest.config.mts --coverage"
   },
   "dependencies": {
-    "@sphereon/ssi-types": "0.34.1-feature.SSISDK.78.280",
+    "@sphereon/ssi-types": "0.36.1-next.159",
     "jwt-decode": "^4.0.0",
     "uint8arrays": "^3.1.1",
     "uuid": "^9.0.0"
@@ -59,5 +59,5 @@
   "publishConfig": {
     "access": "public"
   },
-  "gitHead": "35024961f55481edb0decfaa81e239659a8caa69"
+  "gitHead": "de3c46dd1b7b8d9640a58bd413fea0df98a79eae"
 }