@sphereon/oid4vci-client 0.10.3 → 0.10.4-next.17

package/lib/OpenID4VCIClient.ts

@@ -11,12 +11,15 @@ import {
   CredentialSupported,
   DefaultURISchemes,
   EndpointMetadataResult,
+  ExperimentalSubjectIssuance,
   getClientIdFromCredentialOfferPayload,
   getIssuerFromCredentialOfferPayload,
   getSupportedCredentials,
   getTypesFromCredentialSupported,
   JWK,
   KID_JWK_X5C_ERROR,
+  NotificationRequest,
+  NotificationResult,
   OID4VCICredentialFormat,
   OpenId4VCIVersion,
   PKCEOpts,
@@ -29,10 +32,12 @@ import Debug from 'debug';
 import { AccessTokenClient } from './AccessTokenClient';
 import { createAuthorizationRequestUrl } from './AuthorizationCodeClient';
 import { CredentialOfferClient } from './CredentialOfferClient';
+import { CredentialRequestOpts } from './CredentialRequestClient';
 import { CredentialRequestClientBuilder } from './CredentialRequestClientBuilder';
 import { MetadataClient } from './MetadataClient';
 import { ProofOfPossessionBuilder } from './ProofOfPossessionBuilder';
 import { generateMissingPKCEOpts } from './functions/AuthorizationUtil';
+import { sendNotification } from './functions/notifications';
 
 const debug = Debug('sphereon:oid4vci');
 
@@ -339,7 +344,8 @@ export class OpenID4VCIClient {
     jti?: string;
     deferredCredentialAwait?: boolean;
     deferredCredentialIntervalInMS?: number;
-  }): Promise<CredentialResponse> {
+    experimentalHolderIssuanceSupported?: boolean;
+  }): Promise<CredentialResponse & { access_token: string }> {
     if ([jwk, kid].filter((v) => v !== undefined).length > 1) {
       throw new Error(KID_JWK_X5C_ERROR + `. jwk: ${jwk !== undefined}, kid: ${kid !== undefined}`);
     }
@@ -362,6 +368,7 @@ export class OpenID4VCIClient {
 
     requestBuilder.withTokenFromResponse(this.accessTokenResponse);
     requestBuilder.withDeferredCredentialAwait(deferredCredentialAwait ?? false, deferredCredentialIntervalInMS);
+    let subjectIssuance: ExperimentalSubjectIssuance | undefined;
     if (this.endpointMetadata?.credentialIssuerMetadata) {
       const metadata = this.endpointMetadata.credentialIssuerMetadata;
       const types = Array.isArray(credentialTypes) ? credentialTypes : [credentialTypes];
@@ -376,6 +383,9 @@ export class OpenID4VCIClient {
             (types.length === 1 && (types[0] === supportedCredential.id || subTypes.includes(types[0])))
           ) {
             typeSupported = true;
+            if (supportedCredential.credential_subject_issuance) {
+              subjectIssuance = { credential_subject_issuance: supportedCredential.credential_subject_issuance };
+            }
           }
         });
 
@@ -391,6 +401,10 @@ export class OpenID4VCIClient {
       }
       // todo: Format check? We might end up with some disjoint type / format combinations supported by the server
     }
+    if (subjectIssuance) {
+      requestBuilder.withSubjectIssuance(subjectIssuance);
+    }
+
     const credentialRequestClient = requestBuilder.build();
     const proofBuilder = ProofOfPossessionBuilder.fromAccessTokenResponse({
       accessTokenResponse: this.accessTokenResponse,
@@ -418,6 +432,7 @@ export class OpenID4VCIClient {
       credentialTypes,
       context,
       format,
+      subjectIssuance,
     });
     if (response.errorBody) {
       debug(`Credential request error:\r\n${JSON.stringify(response.errorBody)}`);
@@ -434,7 +449,7 @@ export class OpenID4VCIClient {
         } for issuer ${this.getIssuer()} failed as there was no success response body`,
       );
     }
-    return response.successBody;
+    return { ...response.successBody, access_token: response.access_token };
   }
 
   public async exportState(): Promise<string> {
@@ -457,6 +472,14 @@ export class OpenID4VCIClient {
     });
   }
 
+  public async sendNotification(
+    credentialRequestOpts: CredentialRequestOpts,
+    request: NotificationRequest,
+    accessToken?: string,
+  ): Promise<NotificationResult> {
+    return sendNotification(credentialRequestOpts, request, accessToken ?? this.accessTokenResponse.access_token);
+  }
+
   getCredentialOfferTypes(): string[][] {
     if (!this.credentialOffer) {
       return [];

package/lib/ProofOfPossessionBuilder.ts

@@ -1,6 +1,7 @@
 import {
   AccessTokenResponse,
   Alg,
+  createProofOfPossession,
   EndpointMetadata,
   JWK,
   Jwt,
@@ -12,8 +13,6 @@ import {
   Typ,
 } from '@sphereon/oid4vci-common';
 
-import { createProofOfPossession } from './functions';
-
 export class ProofOfPossessionBuilder<DIDDoc> {
   private readonly proof?: ProofOfPossession;
   private readonly callbacks?: ProofOfPossessionCallbacks<DIDDoc>;

package/lib/__tests__/CredentialRequestClient.spec.ts

@@ -1,3 +1,6 @@
+// Walt uses a self signed cert
+process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
+
 import { KeyObject } from 'crypto';
 
 import {
@@ -164,7 +167,8 @@ describe('Credential Request Client with Walt.id ', () => {
   afterEach(() => {
     nock.cleanAll();
   });
-  it('should have correct metadata endpoints', async function () {
+  // Walt id has cert issue
+  it.skip('should have correct metadata endpoints', async function () {
     nock.cleanAll();
     const WALT_IRR_URI =
       'openid-initiate-issuance://?issuer=https%3A%2F%2Fjff.walt.id%2Fissuer-api%2Foidc%2F&credential_type=OpenBadgeCredential&pre-authorized_code=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhOTUyZjUxNi1jYWVmLTQ4YjMtODIxYy00OTRkYzgyNjljZjAiLCJwcmUtYXV0aG9yaXplZCI6dHJ1ZX0.YE5DlalcLC2ChGEg47CQDaN1gTxbaQqSclIVqsSAUHE&user_pin_required=false';

package/lib/__tests__/HttpUtils.spec.ts

@@ -1,4 +1,4 @@
-import { isValidURL } from '../functions';
+import { isValidURL } from '@sphereon/oid4vci-common';
 
 describe('httputils.isValidURL', () => {
   it('Should return true for http://localhost', () => {

package/lib/__tests__/IT.spec.ts

@@ -50,7 +50,13 @@ describe('OID4VCI-Client should', () => {
   const INITIATE_QR =
     'openid-initiate-issuance://?issuer=https%3A%2F%2Fissuer.research.identiproof.io&credential_type=OpenBadgeCredentialUrl&pre-authorized_code=4jLs9xZHEfqcoow0kHE7d1a8hUk6Sy-5bVSV2MqBUGUgiFFQi-ImL62T-FmLIo8hKA1UdMPH0lM1xAgcFkJfxIw9L-lI3mVs0hRT8YVwsEM1ma6N3wzuCdwtMU4bcwKp&user_pin_required=true';
   const OFFER_QR =
-    'openid-credential-offer://credential_offer=%7B%22credential_issuer%22:%22https://credential-issuer.example.com%22,%22credentials%22:%5B%7B%22format%22:%22jwt_vc_json%22,%22types%22:%5B%22VerifiableCredential%22,%22UniversityDegreeCredential%22%5D%7D%5D,%22issuer_state%22:%22eyJhbGciOiJSU0Et...FYUaBy%22%7D';
+    'openid-credential-offer://?credential_offer=%7B%22credential_issuer%22%3A%22https%3A%2F%2Fissuer.research.identiproof.io%22%2C%22credentials%22%3A%5B%7B%22format%22%3A%22jwt_vc_json%22%2C%22types%22%3A%5B%22VerifiableCredential%22%2C%22UniversityDegreeCredential%22%5D%7D%5D%2C%22grants%22%3A%7B%22urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Apre-authorized_code%22%3A%7B%22pre-authorized_code%22%3A%22adhjhdjajkdkhjhdj%22%2C%22user_pin_required%22%3Atrue%7D%7D%7D';
+  const HTTPS_INITIATE_QR =
+    'https://issuer.research.identiproof.io?issuer=https%3A%2F%2Fissuer.research.identiproof.io&credential_type=OpenBadgeCredentialUrl&pre-authorized_code=4jLs9xZHEfqcoow0kHE7d1a8hUk6Sy-5bVSV2MqBUGUgiFFQi-ImL62T-FmLIo8hKA1UdMPH0lM1xAgcFkJfxIw9L-lI3mVs0hRT8YVwsEM1ma6N3wzuCdwtMU4bcwKp&user_pin_required=true';
+  const HTTPS_OFFER_QR_AUTHORIZATION_CODE =
+    'https://issuer.research.identiproof.io?credential_offer=%7B%22credential_issuer%22%3A%22https%3A%2F%2Fissuer.research.identiproof.io%22%2C%22credentials%22%3A%5B%7B%22format%22%3A%22jwt_vc_json%22%2C%22types%22%3A%5B%22VerifiableCredential%22%2C%22UniversityDegreeCredential%22%5D%7D%5D%2C%22grants%22%3A%7B%22authorization_code%22%3A%7B%22issuer_state%22%3A%22eyJhbGciOiJSU0Et...FYUaBy%22%7D%7D%7D';
+  const HTTPS_OFFER_QR_PRE_AUTHORIZED =
+    'https://issuer.research.identiproof.io?credential_offer=%7B%22credential_issuer%22%3A%22https%3A%2F%2Fissuer.research.identiproof.io%22%2C%22credentials%22%3A%5B%7B%22format%22%3A%22jwt_vc_json%22%2C%22types%22%3A%5B%22VerifiableCredential%22%2C%22UniversityDegreeCredential%22%5D%7D%5D%2C%22grants%22%3A%7B%22urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Apre-authorized_code%22%3A%7B%22pre-authorized_code%22%3A%22adhjhdjajkdkhjhdj%22%2C%22user_pin_required%22%3Atrue%7D%7D%7D';
 
   function succeedWithAFullFlowWithClientSetup() {
     nock(IDENTIPROOF_ISSUER_URL).get('/.well-known/openid-credential-issuer').reply(200, JSON.stringify(IDENTIPROOF_OID4VCI_METADATA));
@@ -78,7 +84,7 @@ describe('OID4VCI-Client should', () => {
     await assertionOfsucceedWithAFullFlowWithClient(client);
   });
 
-  test.skip('succeed with a full flow wit the client using OpenID4VCI version 11', async () => {
+  it('succeed with a full flow with the client using OpenID4VCI version 11 and deeplink', async () => {
     succeedWithAFullFlowWithClientSetup();
     const client = await OpenID4VCIClient.fromURI({
       uri: OFFER_QR,
@@ -89,6 +95,39 @@ describe('OID4VCI-Client should', () => {
     await assertionOfsucceedWithAFullFlowWithClient(client);
   });
 
+  it('succeed with a full flow with the client using OpenID4VCI draft < 9 and https', async () => {
+    succeedWithAFullFlowWithClientSetup();
+    const client = await OpenID4VCIClient.fromURI({
+      uri: HTTPS_INITIATE_QR,
+      kid: 'did:example:ebfeb1f712ebc6f1c276e12ec21/keys/1',
+      alg: Alg.ES256,
+      clientId: 'test-clientId',
+    });
+    await assertionOfsucceedWithAFullFlowWithClient(client);
+  });
+
+  it('should succeed with a full flow with the client using OpenID4VCI draft > 11, https and authorization_code flow', async () => {
+    succeedWithAFullFlowWithClientSetup();
+    const client = await OpenID4VCIClient.fromURI({
+      uri: HTTPS_OFFER_QR_AUTHORIZATION_CODE,
+      kid: 'did:example:ebfeb1f712ebc6f1c276e12ec21/keys/1',
+      alg: Alg.ES256,
+      clientId: 'test-clientId',
+    });
+    await assertionOfsucceedWithAFullFlowWithClient(client);
+  });
+
+  it('should succeed with a full flow with the client using OpenID4VCI draft > 11, https and preauthorized_code flow', async () => {
+    succeedWithAFullFlowWithClientSetup();
+    const client = await OpenID4VCIClient.fromURI({
+      uri: HTTPS_OFFER_QR_PRE_AUTHORIZED,
+      kid: 'did:example:ebfeb1f712ebc6f1c276e12ec21/keys/1',
+      alg: Alg.ES256,
+      clientId: 'test-clientId',
+    });
+    await assertionOfsucceedWithAFullFlowWithClient(client);
+  });
+
   async function assertionOfsucceedWithAFullFlowWithClient(client: OpenID4VCIClient) {
     expect(client.credentialOffer).toBeDefined();
     expect(client.endpointMetadata).toBeDefined();
@@ -96,7 +135,7 @@ describe('OID4VCI-Client should', () => {
     expect(client.getCredentialEndpoint()).toEqual('https://issuer.research.identiproof.io/credential');
     expect(client.getAccessTokenEndpoint()).toEqual('https://auth.research.identiproof.io/oauth2/token');
 
-    const accessToken = await client.acquireAccessToken({ pin: '1234' });
+    const accessToken = await client.acquireAccessToken({ pin: '1234', code: 'ABCD' });
     expect(accessToken).toEqual(mockedAccessTokenResponse);
 
     const credentialResponse = await client.acquireCredentials({

package/lib/__tests__/IssuanceInitiation.spec.ts

@@ -58,4 +58,26 @@ describe('Issuance Initiation', () => {
     expect(client.credential_offer.credential_issuer).toEqual('https://launchpad.vii.electron.mattrlabs.io');
     expect(client.preAuthorizedCode).toEqual('UPZohaodPlLBnGsqB02n2tIupCIg8nKRRUEUHWA665X');
   });
+
+  it('Should take an https url as input and return a Credential Offer', async () => {
+    const client = await CredentialOfferClient.fromURI(
+      'https://launchpad.vii.electron.mattrlabs.io?credential_offer=%7B%22credential_issuer%22%3A%22https%3A%2F%2Flaunchpad.vii.electron.mattrlabs.io%22%2C%22credentials%22%3A%5B%7B%22format%22%3A%22ldp_vc%22%2C%22types%22%3A%5B%22OpenBadgeCredential%22%5D%7D%5D%2C%22grants%22%3A%7B%22urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Apre-authorized_code%22%3A%7B%22pre-authorized_code%22%3A%22UPZohaodPlLBnGsqB02n2tIupCIg8nKRRUEUHWA665X%22%7D%7D%7D',
+    );
+    expect(client.version).toEqual(OpenId4VCIVersion.VER_1_0_11);
+    expect(client.baseUrl).toEqual('https://launchpad.vii.electron.mattrlabs.io');
+    expect(client.scheme).toEqual('https');
+    expect(client.credential_offer.credential_issuer).toEqual('https://launchpad.vii.electron.mattrlabs.io');
+    expect(client.preAuthorizedCode).toEqual('UPZohaodPlLBnGsqB02n2tIupCIg8nKRRUEUHWA665X');
+  })
+
+  it('Should take an http url as input and return a Credential Offer', async () => {
+    const client = await CredentialOfferClient.fromURI(
+      'http://launchpad.vii.electron.mattrlabs.io?credential_offer=%7B%22credential_issuer%22%3A%22http%3A%2F%2Flaunchpad.vii.electron.mattrlabs.io%22%2C%22credentials%22%3A%5B%7B%22format%22%3A%22ldp_vc%22%2C%22types%22%3A%5B%22OpenBadgeCredential%22%5D%7D%5D%2C%22grants%22%3A%7B%22urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Apre-authorized_code%22%3A%7B%22pre-authorized_code%22%3A%22UPZohaodPlLBnGsqB02n2tIupCIg8nKRRUEUHWA665X%22%7D%7D%7D',
+    );
+    expect(client.version).toEqual(OpenId4VCIVersion.VER_1_0_11);
+    expect(client.baseUrl).toEqual('http://launchpad.vii.electron.mattrlabs.io');
+    expect(client.scheme).toEqual('http');
+    expect(client.credential_offer.credential_issuer).toEqual('http://launchpad.vii.electron.mattrlabs.io');
+    expect(client.preAuthorizedCode).toEqual('UPZohaodPlLBnGsqB02n2tIupCIg8nKRRUEUHWA665X');
+  })
 });

package/lib/__tests__/ProofOfPossessionBuilder.spec.ts

@@ -9,7 +9,7 @@ import { IDENTIPROOF_ISSUER_URL } from './MetadataMocks';
 
 const jwt: Jwt = {
   header: { alg: Alg.ES256, kid: 'did:example:ebfeb1f712ebc6f1c276e12ec21/keys/1', typ: 'jwt' },
-  payload: { iss: 'sphereon:wallet', nonce: 'tZignsnFbp', jti: 'tZignsnFbp223', aud: IDENTIPROOF_ISSUER_URL, iat: Date.now()/1000 },
+  payload: { iss: 'sphereon:wallet', nonce: 'tZignsnFbp', jti: 'tZignsnFbp223', aud: IDENTIPROOF_ISSUER_URL, iat: Date.now() / 1000 },
 };
 
 const kid = 'did:example:ebfeb1f712ebc6f1c276e12ec21/keys/1';

package/lib/__tests__/SdJwt.spec.ts

@@ -43,7 +43,7 @@ const vcIssuer = new VcIssuerBuilder()
         },
         payload: {
           aud: issuerMetadata.credential_issuer,
-          iat: +new Date()/1000,
+          iat: +new Date() / 1000,
           nonce: 'a-c-nonce',
         },
       },
@@ -152,6 +152,8 @@ describe('sd-jwt vc', () => {
       });
 
       expect(credentials).toEqual({
+        notification_id: expect.any(String),
+        access_token: 'ey.val.ue',
         c_nonce: 'new-c-nonce',
         c_nonce_expires_in: 300,
         credential: 'sd-jwt',

package/lib/__tests__/SphereonE2E.spec.test.ts

@@ -115,7 +115,8 @@ async function proofOfPossessionCallbackFunction(args: Jwt, kid?: string): Promi
 }
 
 describe('ismapolis bug report #63, https://github.com/Sphereon-Opensource/OID4VC-demo/issues/63, should', () => {
-  it('work as expected provided a correct JWT is supplied', async () => {
+  // Sphereon infra is not working currently
+  it.skip('work as expected provided a correct JWT is supplied', async () => {
     debug.enable('*');
     const { uri } = await getCredentialOffer('jwt_vc_json');
     const client = await OpenID4VCIClient.fromURI({ uri: uri, clientId: 'test-clientID' });

package/lib/functions/index.ts

@@ -1,3 +1 @@
-export * from '@sphereon/oid4vci-common/dist/functions/Encoding';
-export * from '@sphereon/oid4vci-common/dist/functions/HttpUtils';
-export * from './ProofUtil';
+export * from './AuthorizationUtil';

package/lib/functions/notifications.ts

@@ -0,0 +1,32 @@
+import { NotificationErrorResponse, NotificationRequest, NotificationResult, post } from '@sphereon/oid4vci-common';
+
+import { CredentialRequestOpts } from '../CredentialRequestClient';
+import { LOG } from '../types';
+
+export async function sendNotification(
+  credentialRequestOpts: CredentialRequestOpts,
+  request: NotificationRequest,
+  accessToken?: string,
+): Promise<NotificationResult> {
+  LOG.info(`Sending status notification event '${request.event}' for id ${request.notification_id}`);
+  if (!credentialRequestOpts.notificationEndpoint) {
+    throw Error(`Cannot send notification when no notification endpoint is provided`);
+  }
+  const token = accessToken ?? credentialRequestOpts.token;
+  const response = await post<NotificationErrorResponse>(credentialRequestOpts.notificationEndpoint, JSON.stringify(request), {
+    bearerToken: token,
+  });
+  const error = response.errorBody?.error !== undefined;
+  const result = {
+    error,
+    response: error ? await response.errorBody?.json() : undefined,
+  };
+  if (error) {
+    LOG.warning(
+      `Notification endpoint returned an error for event '${request.event}' and id ${request.notification_id}: ${await response.errorBody?.json()}`,
+    );
+  } else {
+    LOG.debug(`Notification endpoint returned success for event '${request.event}' and id ${request.notification_id}`);
+  }
+  return result;
+}

package/lib/types/index.ts

@@ -0,0 +1,6 @@
+import { VCI_LOGGERS } from '@sphereon/oid4vci-common';
+import { ISimpleLogger, LogMethod } from '@sphereon/ssi-types';
+
+export const LOG: ISimpleLogger<string> = VCI_LOGGERS.options('sphereon:oid4vci:client', { methods: [LogMethod.EVENT, LogMethod.DEBUG_PKG] }).get(
+  'sphereon:oid4vci:client',
+);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sphereon/oid4vci-client",
-  "version": "0.10.3",
+  "version": "0.10.4-next.17+126f976",
   "description": "OpenID for Verifiable Credential Issuance (OpenID4VCI) client",
   "source": "lib/index.ts",
   "main": "dist/index.js",
@@ -15,8 +15,8 @@
     "build": "tsc"
   },
   "dependencies": {
-    "@sphereon/oid4vci-common": "0.10.3",
-    "@sphereon/ssi-types": "^0.23.0",
+    "@sphereon/oid4vci-common": "0.10.4-next.17+126f976",
+    "@sphereon/ssi-types": "0.24.1-unstable.112",
     "cross-fetch": "^3.1.8",
     "debug": "^4.3.4"
   },
@@ -69,5 +69,5 @@
     "OIDC4VCI",
     "OID4VCI"
   ],
-  "gitHead": "4d46a7282a475c4e78d496f82f24114f700ee5e0"
+  "gitHead": "126f97644a247d3c86faea8b1bd96e68f8bcf52c"
 }

package/dist/functions/ProofUtil.d.ts

@@ -1,30 +0,0 @@
-import { JWK, Jwt, ProofOfPossession, ProofOfPossessionCallbacks, Typ } from '@sphereon/oid4vci-common';
-/**
- *
- *  - proofOfPossessionCallback: JWTSignerCallback
- *    Mandatory if you want to create (sign) ProofOfPossession
- *  - proofOfPossessionVerifierCallback?: JWTVerifyCallback
- *    If exists, verifies the ProofOfPossession
- *  - proofOfPossessionCallbackArgs: ProofOfPossessionCallbackArgs
- *    arguments needed for signing ProofOfPossession
- * @param callbacks:
- *    - proofOfPossessionCallback: JWTSignerCallback
- *      Mandatory to create (sign) ProofOfPossession
- *    - proofOfPossessionVerifierCallback?: JWTVerifyCallback
- *      If exists, verifies the ProofOfPossession
- * @param jwtProps
- * @param existingJwt
- *  - Optional, clientId of the party requesting the credential
- */
-export declare const createProofOfPossession: <DIDDoc>(callbacks: ProofOfPossessionCallbacks<DIDDoc>, jwtProps?: JwtProps, existingJwt?: Jwt) => Promise<ProofOfPossession>;
-export interface JwtProps {
-    typ?: Typ;
-    kid?: string;
-    jwk?: JWK;
-    issuer?: string;
-    clientId?: string;
-    alg?: string;
-    jti?: string;
-    nonce?: string;
-}
-//# sourceMappingURL=ProofUtil.d.ts.map

package/dist/functions/ProofUtil.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"ProofUtil.d.ts","sourceRoot":"","sources":["../../lib/functions/ProofUtil.ts"],"names":[],"mappings":"AAAA,OAAO,EAGL,GAAG,EAEH,GAAG,EAGH,iBAAiB,EACjB,0BAA0B,EAC1B,GAAG,EACJ,MAAM,0BAA0B,CAAC;AAKlC;;;;;;;;;;;;;;;;GAgBG;AACH,eAAO,MAAM,uBAAuB,qEAEvB,QAAQ,gBACL,GAAG,KAChB,QAAQ,iBAAiB,CA0B3B,CAAC;AAQF,MAAM,WAAW,QAAQ;IACvB,GAAG,CAAC,EAAE,GAAG,CAAC;IACV,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,GAAG,CAAC;IACV,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB"}

package/dist/functions/ProofUtil.js

@@ -1,106 +0,0 @@
-"use strict";
-var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
-    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
-    return new (P || (P = Promise))(function (resolve, reject) {
-        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
-        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
-        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
-        step((generator = generator.apply(thisArg, _arguments || [])).next());
-    });
-};
-var __importDefault = (this && this.__importDefault) || function (mod) {
-    return (mod && mod.__esModule) ? mod : { "default": mod };
-};
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.createProofOfPossession = void 0;
-const oid4vci_common_1 = require("@sphereon/oid4vci-common");
-const debug_1 = __importDefault(require("debug"));
-const debug = (0, debug_1.default)('sphereon:openid4vci:token');
-/**
- *
- *  - proofOfPossessionCallback: JWTSignerCallback
- *    Mandatory if you want to create (sign) ProofOfPossession
- *  - proofOfPossessionVerifierCallback?: JWTVerifyCallback
- *    If exists, verifies the ProofOfPossession
- *  - proofOfPossessionCallbackArgs: ProofOfPossessionCallbackArgs
- *    arguments needed for signing ProofOfPossession
- * @param callbacks:
- *    - proofOfPossessionCallback: JWTSignerCallback
- *      Mandatory to create (sign) ProofOfPossession
- *    - proofOfPossessionVerifierCallback?: JWTVerifyCallback
- *      If exists, verifies the ProofOfPossession
- * @param jwtProps
- * @param existingJwt
- *  - Optional, clientId of the party requesting the credential
- */
-const createProofOfPossession = (callbacks, jwtProps, existingJwt) => __awaiter(void 0, void 0, void 0, function* () {
-    if (!callbacks.signCallback) {
-        debug(`no jwt signer callback or arguments supplied!`);
-        throw new Error(oid4vci_common_1.BAD_PARAMS);
-    }
-    const signerArgs = createJWT(jwtProps, existingJwt);
-    const jwt = yield callbacks.signCallback(signerArgs, signerArgs.header.kid);
-    const proof = {
-        proof_type: 'jwt',
-        jwt,
-    };
-    try {
-        partiallyValidateJWS(jwt);
-        if (callbacks.verifyCallback) {
-            debug(`Calling supplied verify callback....`);
-            yield callbacks.verifyCallback({ jwt, kid: signerArgs.header.kid });
-            debug(`Supplied verify callback return success result`);
-        }
-    }
-    catch (_a) {
-        debug(`JWS was not valid`);
-        throw new Error(oid4vci_common_1.JWS_NOT_VALID);
-    }
-    debug(`Proof of Possession JWT:\r\n${jwt}`);
-    return proof;
-});
-exports.createProofOfPossession = createProofOfPossession;
-const partiallyValidateJWS = (jws) => {
-    if (jws.split('.').length !== 3 || !jws.startsWith('ey')) {
-        throw new Error(oid4vci_common_1.JWS_NOT_VALID);
-    }
-};
-const createJWT = (jwtProps, existingJwt) => {
-    var _a, _b, _c, _d, _e, _f, _g, _h, _j, _k, _l, _m;
-    const aud = getJwtProperty('aud', true, jwtProps === null || jwtProps === void 0 ? void 0 : jwtProps.issuer, (_a = existingJwt === null || existingJwt === void 0 ? void 0 : existingJwt.payload) === null || _a === void 0 ? void 0 : _a.aud);
-    const iss = getJwtProperty('iss', false, jwtProps === null || jwtProps === void 0 ? void 0 : jwtProps.clientId, (_b = existingJwt === null || existingJwt === void 0 ? void 0 : existingJwt.payload) === null || _b === void 0 ? void 0 : _b.iss);
-    const jti = getJwtProperty('jti', false, jwtProps === null || jwtProps === void 0 ? void 0 : jwtProps.jti, (_c = existingJwt === null || existingJwt === void 0 ? void 0 : existingJwt.payload) === null || _c === void 0 ? void 0 : _c.jti);
-    const typ = getJwtProperty('typ', true, jwtProps === null || jwtProps === void 0 ? void 0 : jwtProps.typ, (_d = existingJwt === null || existingJwt === void 0 ? void 0 : existingJwt.header) === null || _d === void 0 ? void 0 : _d.typ, 'jwt');
-    const nonce = getJwtProperty('nonce', false, jwtProps === null || jwtProps === void 0 ? void 0 : jwtProps.nonce, (_e = existingJwt === null || existingJwt === void 0 ? void 0 : existingJwt.payload) === null || _e === void 0 ? void 0 : _e.nonce); // Officially this is required, but some implementations don't have it
-    // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
-    const alg = getJwtProperty('alg', false, jwtProps === null || jwtProps === void 0 ? void 0 : jwtProps.alg, (_f = existingJwt === null || existingJwt === void 0 ? void 0 : existingJwt.header) === null || _f === void 0 ? void 0 : _f.alg, 'ES256');
-    const kid = getJwtProperty('kid', false, jwtProps === null || jwtProps === void 0 ? void 0 : jwtProps.kid, (_g = existingJwt === null || existingJwt === void 0 ? void 0 : existingJwt.header) === null || _g === void 0 ? void 0 : _g.kid);
-    const jwk = getJwtProperty('jwk', false, jwtProps === null || jwtProps === void 0 ? void 0 : jwtProps.jwk, (_h = existingJwt === null || existingJwt === void 0 ? void 0 : existingJwt.header) === null || _h === void 0 ? void 0 : _h.jwk);
-    const jwt = existingJwt ? existingJwt : {};
-    const now = +new Date();
-    const jwtPayload = Object.assign(Object.assign({ aud, iat: (_k = (_j = jwt.payload) === null || _j === void 0 ? void 0 : _j.iat) !== null && _k !== void 0 ? _k : Math.round(now / 1000 - 60), exp: (_m = (_l = jwt.payload) === null || _l === void 0 ? void 0 : _l.exp) !== null && _m !== void 0 ? _m : Math.round(now / 1000 + 10 * 60), nonce }, (iss ? { iss } : {})), (jti ? { jti } : {}));
-    const jwtHeader = {
-        typ,
-        alg,
-        kid,
-        jwk,
-    };
-    return {
-        payload: Object.assign(Object.assign({}, jwt.payload), jwtPayload),
-        header: Object.assign(Object.assign({}, jwt.header), jwtHeader),
-    };
-};
-const getJwtProperty = (propertyName, required, option, jwtProperty, defaultValue) => {
-    if (typeof option === 'string' && option && jwtProperty && option !== jwtProperty) {
-        throw Error(`Cannot have a property '${propertyName}' with value '${option}' and different JWT value '${jwtProperty}' at the same time`);
-    }
-    let result = (jwtProperty ? jwtProperty : option);
-    if (!result) {
-        if (required) {
-            throw Error(`No ${propertyName} property provided either in a JWT or as option`);
-        }
-        result = defaultValue;
-    }
-    return result;
-};
-//# sourceMappingURL=ProofUtil.js.map

package/dist/functions/ProofUtil.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"ProofUtil.js","sourceRoot":"","sources":["../../lib/functions/ProofUtil.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;AAAA,6DAWkC;AAClC,kDAA0B;AAE1B,MAAM,KAAK,GAAG,IAAA,eAAK,EAAC,2BAA2B,CAAC,CAAC;AAEjD;;;;;;;;;;;;;;;;GAgBG;AACI,MAAM,uBAAuB,GAAG,CACrC,SAA6C,EAC7C,QAAmB,EACnB,WAAiB,EACW,EAAE;IAC9B,IAAI,CAAC,SAAS,CAAC,YAAY,EAAE,CAAC;QAC5B,KAAK,CAAC,+CAA+C,CAAC,CAAC;QACvD,MAAM,IAAI,KAAK,CAAC,2BAAU,CAAC,CAAC;IAC9B,CAAC;IAED,MAAM,UAAU,GAAG,SAAS,CAAC,QAAQ,EAAE,WAAW,CAAC,CAAC;IACpD,MAAM,GAAG,GAAG,MAAM,SAAS,CAAC,YAAY,CAAC,UAAU,EAAE,UAAU,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;IAC5E,MAAM,KAAK,GAAG;QACZ,UAAU,EAAE,KAAK;QACjB,GAAG;KACiB,CAAC;IAEvB,IAAI,CAAC;QACH,oBAAoB,CAAC,GAAG,CAAC,CAAC;QAC1B,IAAI,SAAS,CAAC,cAAc,EAAE,CAAC;YAC7B,KAAK,CAAC,sCAAsC,CAAC,CAAC;YAC9C,MAAM,SAAS,CAAC,cAAc,CAAC,EAAE,GAAG,EAAE,GAAG,EAAE,UAAU,CAAC,MAAM,CAAC,GAAG,EAAE,CAAC,CAAC;YACpE,KAAK,CAAC,gDAAgD,CAAC,CAAC;QAC1D,CAAC;IACH,CAAC;IAAC,WAAM,CAAC;QACP,KAAK,CAAC,mBAAmB,CAAC,CAAC;QAC3B,MAAM,IAAI,KAAK,CAAC,8BAAa,CAAC,CAAC;IACjC,CAAC;IACD,KAAK,CAAC,+BAA+B,GAAG,EAAE,CAAC,CAAC;IAC5C,OAAO,KAAK,CAAC;AACf,CAAC,CAAA,CAAC;AA9BW,QAAA,uBAAuB,2BA8BlC;AAEF,MAAM,oBAAoB,GAAG,CAAC,GAAW,EAAQ,EAAE;IACjD,IAAI,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;QACzD,MAAM,IAAI,KAAK,CAAC,8BAAa,CAAC,CAAC;IACjC,CAAC;AACH,CAAC,CAAC;AAaF,MAAM,SAAS,GAAG,CAAC,QAAmB,EAAE,WAAiB,EAAO,EAAE;;IAChE,MAAM,GAAG,GAAG,cAAc,CAAoB,KAAK,EAAE,IAAI,EAAE,QAAQ,aAAR,QAAQ,uBAAR,QAAQ,CAAE,MAAM,EAAE,MAAA,WAAW,aAAX,WAAW,uBAAX,WAAW,CAAE,OAAO,0CAAE,GAAG,CAAC,CAAC;IACxG,MAAM,GAAG,GAAG,cAAc,CAAS,KAAK,EAAE,KAAK,EAAE,QAAQ,aAAR,QAAQ,uBAAR,QAAQ,CAAE,QAAQ,EAAE,MAAA,WAAW,aAAX,WAAW,uBAAX,WAAW,CAAE,OAAO,0CAAE,GAAG,CAAC,CAAC;IAChG,MAAM,GAAG,GAAG,cAAc,CAAS,KAAK,EAAE,KAAK,EAAE,QAAQ,aAAR,QAAQ,uBAAR,QAAQ,CAAE,GAAG,EAAE,MAAA,WAAW,aAAX,WAAW,uBAAX,WAAW,CAAE,OAAO,0CAAE,GAAG,CAAC,CAAC;IAC3F,MAAM,GAAG,GAAG,cAAc,CAAS,KAAK,EAAE,IAAI,EAAE,QAAQ,aAAR,QAAQ,uBAAR,QAAQ,CAAE,GAAG,EAAE,MAAA,WAAW,aAAX,WAAW,uBAAX,WAAW,CAAE,MAAM,0CAAE,GAAG,EAAE,KAAK,CAAC,CAAC;IAChG,MAAM,KAAK,GAAG,cAAc,CAAS,OAAO,EAAE,KAAK,EAAE,QAAQ,aAAR,QAAQ,uBAAR,QAAQ,CAAE,KAAK,EAAE,MAAA,WAAW,aAAX,WAAW,uBAAX,WAAW,CAAE,OAAO,0CAAE,KAAK,CAAC,CAAC,CAAC,sEAAsE;IAC1K,oEAAoE;IACpE,MAAM,GAAG,GAAG,cAAc,CAAS,KAAK,EAAE,KAAK,EAAE,QAAQ,aAAR,QAAQ,uBAAR,QAAQ,CAAE,GAAG,EAAE,MAAA,WAAW,aAAX,WAAW,uBAAX,WAAW,CAAE,MAAM,0CAAE,GAAG,EAAE,OAAO,CAAE,CAAC;IACpG,MAAM,GAAG,GAAG,cAAc,CAAS,KAAK,EAAE,KAAK,EAAE,QAAQ,aAAR,QAAQ,uBAAR,QAAQ,CAAE,GAAG,EAAE,MAAA,WAAW,aAAX,WAAW,uBAAX,WAAW,CAAE,MAAM,0CAAE,GAAG,CAAC,CAAC;IAC1F,MAAM,GAAG,GAAG,cAAc,CAAU,KAAK,EAAE,KAAK,EAAE,QAAQ,aAAR,QAAQ,uBAAR,QAAQ,CAAE,GAAG,EAAE,MAAA,WAAW,aAAX,WAAW,uBAAX,WAAW,CAAE,MAAM,0CAAE,GAAG,CAAC,CAAC;IAC3F,MAAM,GAAG,GAAiB,WAAW,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,EAAE,CAAC;IACzD,MAAM,GAAG,GAAG,CAAC,IAAI,IAAI,EAAE,CAAC;IACxB,MAAM,UAAU,iCACd,GAAG,EACH,GAAG,EAAE,MAAA,MAAA,GAAG,CAAC,OAAO,0CAAE,GAAG,mCAAI,IAAI,CAAC,KAAK,CAAC,GAAG,GAAG,IAAI,GAAG,EAAE,CAAC,EACpD,GAAG,EAAE,MAAA,MAAA,GAAG,CAAC,OAAO,0CAAE,GAAG,mCAAI,IAAI,CAAC,KAAK,CAAC,GAAG,GAAG,IAAI,GAAG,EAAE,GAAG,EAAE,CAAC,EACzD,KAAK,IACF,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,GACpB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,CACxB,CAAC;IAEF,MAAM,SAAS,GAAc;QAC3B,GAAG;QACH,GAAG;QACH,GAAG;QACH,GAAG;KACJ,CAAC;IACF,OAAO;QACL,OAAO,kCAAO,GAAG,CAAC,OAAO,GAAK,UAAU,CAAE;QAC1C,MAAM,kCAAO,GAAG,CAAC,MAAM,GAAK,SAAS,CAAE;KACxC,CAAC;AACJ,CAAC,CAAC;AAEF,MAAM,cAAc,GAAG,CAAI,YAAoB,EAAE,QAAiB,EAAE,MAAqB,EAAE,WAAe,EAAE,YAAgB,EAAiB,EAAE;IAC7I,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,MAAM,IAAI,WAAW,IAAI,MAAM,KAAK,WAAW,EAAE,CAAC;QAClF,MAAM,KAAK,CAAC,2BAA2B,YAAY,iBAAiB,MAAM,8BAA8B,WAAW,oBAAoB,CAAC,CAAC;IAC3I,CAAC;IACD,IAAI,MAAM,GAAG,CAAC,WAAW,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,MAAM,CAAkB,CAAC;IACnE,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,IAAI,QAAQ,EAAE,CAAC;YACb,MAAM,KAAK,CAAC,MAAM,YAAY,iDAAiD,CAAC,CAAC;QACnF,CAAC;QACD,MAAM,GAAG,YAAY,CAAC;IACxB,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC,CAAC"}

package/lib/functions/ProofUtil.ts

@@ -1,128 +0,0 @@
-import {
-  BAD_PARAMS,
-  BaseJWK,
-  JWK,
-  JWS_NOT_VALID,
-  Jwt,
-  JWTHeader,
-  JWTPayload,
-  ProofOfPossession,
-  ProofOfPossessionCallbacks,
-  Typ,
-} from '@sphereon/oid4vci-common';
-import Debug from 'debug';
-
-const debug = Debug('sphereon:openid4vci:token');
-
-/**
- *
- *  - proofOfPossessionCallback: JWTSignerCallback
- *    Mandatory if you want to create (sign) ProofOfPossession
- *  - proofOfPossessionVerifierCallback?: JWTVerifyCallback
- *    If exists, verifies the ProofOfPossession
- *  - proofOfPossessionCallbackArgs: ProofOfPossessionCallbackArgs
- *    arguments needed for signing ProofOfPossession
- * @param callbacks:
- *    - proofOfPossessionCallback: JWTSignerCallback
- *      Mandatory to create (sign) ProofOfPossession
- *    - proofOfPossessionVerifierCallback?: JWTVerifyCallback
- *      If exists, verifies the ProofOfPossession
- * @param jwtProps
- * @param existingJwt
- *  - Optional, clientId of the party requesting the credential
- */
-export const createProofOfPossession = async <DIDDoc>(
-  callbacks: ProofOfPossessionCallbacks<DIDDoc>,
-  jwtProps?: JwtProps,
-  existingJwt?: Jwt,
-): Promise<ProofOfPossession> => {
-  if (!callbacks.signCallback) {
-    debug(`no jwt signer callback or arguments supplied!`);
-    throw new Error(BAD_PARAMS);
-  }
-
-  const signerArgs = createJWT(jwtProps, existingJwt);
-  const jwt = await callbacks.signCallback(signerArgs, signerArgs.header.kid);
-  const proof = {
-    proof_type: 'jwt',
-    jwt,
-  } as ProofOfPossession;
-
-  try {
-    partiallyValidateJWS(jwt);
-    if (callbacks.verifyCallback) {
-      debug(`Calling supplied verify callback....`);
-      await callbacks.verifyCallback({ jwt, kid: signerArgs.header.kid });
-      debug(`Supplied verify callback return success result`);
-    }
-  } catch {
-    debug(`JWS was not valid`);
-    throw new Error(JWS_NOT_VALID);
-  }
-  debug(`Proof of Possession JWT:\r\n${jwt}`);
-  return proof;
-};
-
-const partiallyValidateJWS = (jws: string): void => {
-  if (jws.split('.').length !== 3 || !jws.startsWith('ey')) {
-    throw new Error(JWS_NOT_VALID);
-  }
-};
-
-export interface JwtProps {
-  typ?: Typ;
-  kid?: string;
-  jwk?: JWK;
-  issuer?: string;
-  clientId?: string;
-  alg?: string;
-  jti?: string;
-  nonce?: string;
-}
-
-const createJWT = (jwtProps?: JwtProps, existingJwt?: Jwt): Jwt => {
-  const aud = getJwtProperty<string | string[]>('aud', true, jwtProps?.issuer, existingJwt?.payload?.aud);
-  const iss = getJwtProperty<string>('iss', false, jwtProps?.clientId, existingJwt?.payload?.iss);
-  const jti = getJwtProperty<string>('jti', false, jwtProps?.jti, existingJwt?.payload?.jti);
-  const typ = getJwtProperty<string>('typ', true, jwtProps?.typ, existingJwt?.header?.typ, 'jwt');
-  const nonce = getJwtProperty<string>('nonce', false, jwtProps?.nonce, existingJwt?.payload?.nonce); // Officially this is required, but some implementations don't have it
-  // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
-  const alg = getJwtProperty<string>('alg', false, jwtProps?.alg, existingJwt?.header?.alg, 'ES256')!;
-  const kid = getJwtProperty<string>('kid', false, jwtProps?.kid, existingJwt?.header?.kid);
-  const jwk = getJwtProperty<BaseJWK>('jwk', false, jwtProps?.jwk, existingJwt?.header?.jwk);
-  const jwt: Partial<Jwt> = existingJwt ? existingJwt : {};
-  const now = +new Date();
-  const jwtPayload: Partial<JWTPayload> = {
-    aud,
-    iat: jwt.payload?.iat ?? Math.round(now / 1000 - 60), // Let's ensure we subtract 60 seconds for potential time offsets
-    exp: jwt.payload?.exp ?? Math.round(now / 1000 + 10 * 60),
-    nonce,
-    ...(iss ? { iss } : {}),
-    ...(jti ? { jti } : {}),
-  };
-
-  const jwtHeader: JWTHeader = {
-    typ,
-    alg,
-    kid,
-    jwk,
-  };
-  return {
-    payload: { ...jwt.payload, ...jwtPayload },
-    header: { ...jwt.header, ...jwtHeader },
-  };
-};
-
-const getJwtProperty = <T>(propertyName: string, required: boolean, option?: string | JWK, jwtProperty?: T, defaultValue?: T): T | undefined => {
-  if (typeof option === 'string' && option && jwtProperty && option !== jwtProperty) {
-    throw Error(`Cannot have a property '${propertyName}' with value '${option}' and different JWT value '${jwtProperty}' at the same time`);
-  }
-  let result = (jwtProperty ? jwtProperty : option) as T | undefined;
-  if (!result) {
-    if (required) {
-      throw Error(`No ${propertyName} property provided either in a JWT or as option`);
-    }
-    result = defaultValue;
-  }
-  return result;
-};