npm - @sphereon/oid4vci-common - Versions diffs - 0.20.2-next.2 → 0.20.2-next.21 - Mend

@sphereon/oid4vci-common 0.20.2-next.2 → 0.20.2-next.21

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/index.d.ts CHANGED Viewed

@@ -362,8 +362,13 @@ type CredentialConfigurationSupportedCommonV1_0_15 = {
     credential_signing_alg_values_supported?: string[];
     proof_types_supported?: ProofTypesSupported;
     display?: CredentialsSupportedDisplay[];
+    credential_metadata?: CredentialMetadataV1_0_15;
     [x: string]: unknown;
 };
+interface CredentialMetadataV1_0_15 {
+    display?: CredentialsSupportedDisplay[];
+    claims?: ClaimsDescriptionV1_0_15[];
+}
 interface CredentialConfigurationSupportedSdJwtVcV1_0_15 extends CredentialConfigurationSupportedCommonV1_0_15 {
     format: 'dc+sd-jwt' | 'vc+sd-jwt';
     vct: string;
@@ -649,8 +654,211 @@ interface IStateManager<T extends StateType> {
     stopCleanupRoutine(): Promise<void>;
 }
+interface ProofTypesV1_0 {
+    jwt?: ProofTypeV1_0;
+    di_vp?: ProofTypeV1_0;
+    attestation?: ProofTypeV1_0;
+}
+interface ProofTypeV1_0 {
+    proof_signing_alg_values_supported: string[];
+    key_attestations_required?: KeyAttestationsRequiredV1_0_15;
+}
+type ProofTypesSupportedV1_0 = {
+    [key: string]: ProofTypeV1_0;
+};
+type CredentialConfigurationSupportedCommonV1_0 = {
+    format: OID4VCICredentialFormat | string;
+    scope?: string;
+    cryptographic_binding_methods_supported?: string[];
+    cryptographic_suites_supported?: string[];
+    credential_signing_alg_values_supported?: string[];
+    proof_types_supported?: ProofTypesSupportedV1_0;
+    display?: CredentialsSupportedDisplay[];
+    credential_metadata?: CredentialMetadataV1_0;
+    [x: string]: unknown;
+};
+interface CredentialConfigurationSupportedSdJwtVcV1_0 extends CredentialConfigurationSupportedCommonV1_0 {
+    format: 'dc+sd-jwt' | 'vc+sd-jwt';
+    vct: string;
+    claims?: ClaimsDescriptionV1_0[];
+    order?: string[];
+}
+interface CredentialConfigurationSupportedJwtVcJsonV1_0 extends CredentialConfigurationSupportedCommonV1_0 {
+    format: 'jwt_vc_json' | 'jwt_vc';
+    credential_definition: CredentialDefinitionJwtVcJsonV1_0_15;
+    claims?: ClaimsDescriptionV1_0[];
+    order?: string[];
+}
+interface CredentialConfigurationSupportedJwtVcJsonLdAndLdpVcV1_0 extends CredentialConfigurationSupportedCommonV1_0 {
+    format: 'ldp_vc' | 'jwt_vc_json-ld';
+    credential_definition: CredentialDefinitionJwtVcJsonLdAndLdpVcV1_0_15;
+    claims?: ClaimsDescriptionV1_0[];
+    order?: string[];
+}
+interface CredentialConfigurationSupportedMsoMdocV1_0 extends CredentialConfigurationSupportedCommonV1_0 {
+    format: 'mso_mdoc';
+    doctype: string;
+    claims?: ClaimsDescriptionV1_0[];
+    order?: string[];
+}
+type CredentialConfigurationSupportedV1_0 = CredentialConfigurationSupportedCommonV1_0 & (CredentialConfigurationSupportedSdJwtVcV1_0 | CredentialConfigurationSupportedJwtVcJsonV1_0 | CredentialConfigurationSupportedJwtVcJsonLdAndLdpVcV1_0 | CredentialConfigurationSupportedMsoMdocV1_0);
+interface ClaimsDescriptionV1_0 {
+    path: (string | number | null)[];
+    mandatory?: boolean;
+    display?: CredentialsSupportedDisplay[];
+}
+interface CredentialMetadataV1_0 {
+    display?: CredentialsSupportedDisplay[];
+    claims?: ClaimsDescriptionV1_0[];
+}
+interface IssuerMetadataV1_0 {
+    credential_configurations_supported: Record<string, CredentialConfigurationSupportedV1_0>;
+    credential_issuer: string;
+    credential_endpoint: string;
+    token_endpoint?: string;
+    nonce_endpoint?: string;
+    authorization_servers?: string[];
+    authorization_endpoint?: string;
+    deferred_credential_endpoint?: string;
+    notification_endpoint?: string;
+    credential_response_encryption?: ResponseEncryption;
+    batch_credential_issuance_supported?: boolean;
+    credential_issuer_public_key?: object;
+    display?: MetadataDisplay[];
+    authorization_challenge_endpoint?: string;
+    signed_metadata?: string;
+    [x: string]: unknown;
+}
+type CredentialRequestV1_0ResponseEncryption = {
+    jwk: JWK;
+    alg: AlgValue;
+    enc: EncValue;
+};
+interface CredentialRequestV1_0Common extends ExperimentalSubjectIssuance {
+    credential_configuration_id: string;
+    credential_identifiers?: string[];
+    credential_response_encryption?: CredentialRequestV1_0ResponseEncryption;
+    proof?: ProofOfPossession;
+    proofs?: ProofOfPossessionMap;
+}
+type CredentialRequestV1_0 = CredentialRequestV1_0Common;
+interface CredentialResponseV1_0 extends ExperimentalSubjectIssuance {
+    credential?: string | object;
+    transaction_id?: string;
+    acceptance_token?: string;
+    interval?: number;
+    c_nonce?: string;
+    c_nonce_expires_in?: number;
+    notification_id?: string;
+}
+interface DeferredCredentialResponseV1_0 {
+    credential: string | object;
+    acceptance_token?: string;
+    interval?: number;
+    c_nonce?: string;
+    c_nonce_expires_in?: number;
+    notification_id?: string;
+}
+interface TokenResponseV1_0 {
+    access_token: string;
+    token_type: string;
+    expires_in?: number;
+    refresh_token?: string;
+    scope?: string;
+    authorization_details?: AuthorizationDetailsV1_0[];
+    c_nonce?: string;
+    c_nonce_expires_in?: number;
+}
+interface AuthorizationDetailsV1_0 {
+    type: 'openid_credential';
+    credential_configuration_id: string;
+    credential_identifiers?: string[];
+    locations?: string[];
+    [x: string]: unknown;
+}
+interface NonceRequestV1_0 {
+}
+interface NonceResponseV1_0 {
+    c_nonce: string;
+    c_nonce_expires_in: number;
+}
+interface CredentialErrorResponseV1_0 {
+    error: string;
+    error_description?: string;
+    error_uri?: string;
+    c_nonce?: string;
+    c_nonce_expires_in?: number;
+}
+interface CredentialOfferV1_0 {
+    credential_offer?: CredentialOfferPayloadV1_0;
+    credential_offer_uri?: string;
+}
+interface CredentialOfferPayloadV1_0 {
+    credential_issuer: string;
+    credential_configuration_ids: string[];
+    grants?: Grant;
+    client_id?: string;
+}
+interface CredentialOfferRESTRequestV1_0 extends Partial<CredentialOfferPayloadV1_0> {
+    redirectUri?: string;
+    baseUri?: string;
+    scheme?: string;
+    correlationId?: string;
+    sessionLifeTimeInSec?: number;
+    pinLength?: number;
+    qrCodeOpts?: QRCodeOpts;
+    client_id?: string;
+    credentialDataSupplierInput?: CredentialDataSupplierInput;
+    statusListOpts?: Array<StatusListOpts>;
+    offerMode?: CredentialOfferMode;
+}
+interface CredentialIssuerMetadataOptsV1_0 {
+    credential_endpoint: string;
+    nonce_endpoint?: string;
+    deferred_credential_endpoint?: string;
+    notification_endpoint?: string;
+    credential_response_encryption?: ResponseEncryption;
+    batch_credential_issuance_supported?: boolean;
+    credential_issuer_public_key?: object;
+    credential_identifiers_supported?: boolean;
+    credential_configurations_supported: Record<string, CredentialConfigurationSupportedV1_0>;
+    credential_issuer: string;
+    authorization_servers?: string[];
+    signed_metadata?: string;
+    display?: MetadataDisplay[];
+    authorization_challenge_endpoint?: string;
+    token_endpoint?: string;
+    credential_supplier_config?: CredentialSupplierConfig;
+}
+interface CredentialIssuerMetadataV1_0 extends CredentialIssuerMetadataOptsV1_0, Partial<AuthorizationServerMetadata> {
+    authorization_servers?: string[];
+    credential_endpoint: string;
+    credential_configurations_supported: Record<string, CredentialConfigurationSupportedV1_0>;
+    credential_issuer: string;
+    credential_response_encryption_alg_values_supported?: string;
+    credential_response_encryption_enc_values_supported?: string;
+    require_credential_response_encryption?: boolean;
+    credential_identifiers_supported?: boolean;
+    nonce_endpoint?: string;
+}
+declare const credentialIssuerMetadataFieldNamesV1_0: Array<keyof CredentialIssuerMetadataOptsV1_0>;
+interface EndpointMetadataResultV1_0 extends EndpointMetadata {
+    authorizationServerType: AuthorizationServerType;
+    authorizationServerMetadata?: AuthorizationServerMetadata;
+    credentialIssuerMetadata?: Partial<AuthorizationServerMetadata> & IssuerMetadataV1_0;
+}
+interface NotificationResponseV1_0 {
+}
+interface NotificationErrorResponseV1_0 {
+    error: 'invalid_notification_id' | 'invalid_notification_request';
+    error_description?: string;
+}
+interface AuthorizationServerMetadataV1_0 extends AuthorizationServerMetadata {
+    'pre-authorized_grant_anonymous_access_supported'?: boolean;
+}
 type InputCharSet = 'numeric' | 'text';
-type KeyProofType = 'jwt' | 'cwt' | 'ldp_vp';
+type KeyProofType = 'jwt' | 'cwt' | 'ldp_vp' | 'di_vp';
 type PoPMode = 'pop' | 'JWT';
 type CredentialOfferMode = 'VALUE' | 'REFERENCE';
 /**
@@ -778,7 +986,7 @@ interface CredentialSupportedMsoMdoc extends CommonCredentialSupported {
     claims?: IssuerCredentialSubject;
     order?: string[];
 }
-type CredentialConfigurationSupported = CredentialConfigurationSupportedV1_0_15 | (CommonCredentialSupported & (CredentialSupportedJwtVcJson | CredentialSupportedJwtVcJsonLdAndLdpVc | CredentialSupportedSdJwtVc | CredentialSupportedMsoMdoc));
+type CredentialConfigurationSupported = CredentialConfigurationSupportedV1_0_15 | CredentialConfigurationSupportedV1_0 | (CommonCredentialSupported & (CredentialSupportedJwtVcJson | CredentialSupportedJwtVcJsonLdAndLdpVc | CredentialSupportedSdJwtVc | CredentialSupportedMsoMdoc));
 type CredentialsSupportedLegacy = CommonCredentialSupported & (CredentialSupportedJwtVcJson | CredentialSupportedJwtVcJsonLdAndLdpVc | CredentialSupportedSdJwtVc | CredentialSupportedSdJwtVcV13 | CredentialSupportedMsoMdoc);
 interface CommonCredentialOfferFormat {
     format: OID4VCICredentialFormat | string;
@@ -830,7 +1038,8 @@ interface ErrorResponse {
     error_uri?: string;
     state?: string;
 }
-type CredentialRequest = CredentialRequestV1_0_15;
+type CredentialRequest = CredentialRequestV1_0_15 | CredentialRequestV1_0;
+type AuthorizationDetails = AuthorizationDetailsV1_0_15 | AuthorizationDetailsV1_0;
 interface CommonCredentialRequest extends ExperimentalSubjectIssuance {
     format: OID4VCICredentialFormat;
     proof?: ProofOfPossession;
@@ -952,8 +1161,15 @@ interface GrantUrnIetf {
 }
 declare const PRE_AUTH_CODE_LITERAL = "pre-authorized_code";
 declare const PRE_AUTH_GRANT_LITERAL = "urn:ietf:params:oauth:grant-type:pre-authorized_code";
-type EndpointMetadataResult = EndpointMetadataResultV1_0_15;
-type IssuerMetadata = IssuerMetadataV1_0_15;
+type EndpointMetadataResult = EndpointMetadataResultV1_0_15 | EndpointMetadataResultV1_0;
+type IssuerMetadata = IssuerMetadataV1_0_15 | IssuerMetadataV1_0;
+type SignedMetadataVerifyCallback = (args: {
+    signedMetadata: string;
+    issuer: string;
+}) => Promise<{
+    verified: boolean;
+    metadata: Record<string, unknown>;
+}>;
 type NotificationEventType = 'credential_accepted' | 'credential_failure' | 'credential_deleted';
 interface NotificationRequest {
     notification_id: string;
@@ -978,6 +1194,7 @@ interface StatusListOpts {
 declare enum OpenId4VCIVersion {
     VER_1_0_15 = 1015,
+    VER_1_0 = 1100,
     VER_UNKNOWN
 }
 declare enum DefaultURISchemes {
@@ -986,10 +1203,12 @@ declare enum DefaultURISchemes {
 }
 interface CredentialResponse extends ExperimentalSubjectIssuance {
+    credential?: string | object;
     credentials?: Array<CredentialResponseCredentialV1_0_15>;
     format?: OID4VCICredentialFormat;
     transaction_id?: string;
     acceptance_token?: string;
+    interval?: number;
     c_nonce?: string;
     c_nonce_expires_in?: number;
     notification_id?: string;
@@ -1003,9 +1222,9 @@ interface CredentialOfferRequestWithBaseUrl extends UniformCredentialOfferReques
     preAuthorizedCode?: string;
     userPinRequired: boolean;
 }
-type CredentialOffer = CredentialOfferV1_0_15;
-type CredentialOfferPayloadLatest = CredentialOfferPayloadV1_0_15;
-type CredentialOfferPayload = CredentialOfferPayloadV1_0_15 & {
+type CredentialOffer = CredentialOfferV1_0_15 | CredentialOfferV1_0;
+type CredentialOfferPayloadLatest = CredentialOfferPayloadV1_0;
+type CredentialOfferPayload = (CredentialOfferPayloadV1_0_15 | CredentialOfferPayloadV1_0) & {
     [x: string]: any;
 };
 interface AssertedUniformCredentialOffer extends UniformCredentialOffer {
@@ -1020,12 +1239,18 @@ interface UniformCredentialOfferRequest extends AssertedUniformCredentialOffer {
     version: OpenId4VCIVersion;
     supportedFlows: AuthzFlowType[];
 }
-type UniformCredentialOfferPayload = CredentialOfferPayloadV1_0_15;
-interface ProofOfPossession {
+type UniformCredentialOfferPayload = CredentialOfferPayloadV1_0_15 | CredentialOfferPayloadV1_0;
+interface JwtProofOfPossession {
     proof_type: 'jwt';
     jwt: string;
     [x: string]: unknown;
 }
+interface CwtProofOfPossession {
+    proof_type: 'cwt';
+    cwt: string;
+    [x: string]: unknown;
+}
+type ProofOfPossession = JwtProofOfPossession | CwtProofOfPossession;
 type SearchValue = {
     [Symbol.replace](string: string, replacer: (substring: string, ...args: any[]) => string): string;
 };
@@ -1051,6 +1276,7 @@ interface Jwt {
 }
 interface ProofOfPossessionCallbacks {
     signCallback: JWTSignerCallback;
+    cwtSignCallback?: CWTSignerCallback;
     verifyCallback?: JWTVerifyCallback;
 }
 /**
@@ -1105,6 +1331,15 @@ interface JWTPayload {
     [s: string]: unknown;
 }
 type JWTSignerCallback = (jwt: Jwt, kid?: string, noIssPayloadUpdate?: boolean) => Promise<string>;
+type CWTSignerCallback = (args: {
+    iss?: string;
+    aud: string;
+    nonce?: string;
+    alg?: string;
+    jwk?: JWK;
+    kid?: string;
+    coseKey?: unknown;
+}) => Promise<string>;
 type JWTVerifyCallback = (args: {
     jwt: string;
     kid?: string;
@@ -1745,6 +1980,15 @@ declare const adjustUrl: <T extends string | URL>(urlOrPath: T, opts?: {
  *  - Optional, clientId of the party requesting the credential
  */
 declare const createProofOfPossession: <DIDDoc extends object = never>(popMode: PoPMode, callbacks: ProofOfPossessionCallbacks, jwtProps?: JwtProps, existingJwt?: Jwt) => Promise<ProofOfPossession>;
+declare const createCwtProofOfPossession: (callbacks: ProofOfPossessionCallbacks, opts: {
+    iss?: string;
+    aud: string;
+    nonce?: string;
+    alg?: string;
+    jwk?: JWK;
+    kid?: string;
+    coseKey?: unknown;
+}) => Promise<CwtProofOfPossession>;
 declare const isJWS: (token: string) => boolean;
 declare const extractBearerToken: (authorizationHeader?: string) => string | undefined;
 declare const validateJWT: <DIDDoc extends object = never>(jwt?: string, opts?: {
@@ -1774,6 +2018,24 @@ declare const generateCodeVerifier: (length?: number) => string;
 declare const createCodeChallenge: (codeVerifier: string, codeChallengeMethod?: CodeChallengeMethod) => string;
 declare const assertValidCodeVerifier: (codeVerifier: string) => void;
+/**
+ * Process the signed_metadata JWT from issuer metadata.
+ *
+ * Per OID4VCI spec, signed_metadata is a signed JWT containing Credential Issuer
+ * metadata parameters as claims. When present and verified, the signed claims
+ * take precedence over unsigned metadata fields.
+ *
+ * @param opts.metadata - The fetched issuer metadata (may contain signed_metadata)
+ * @param opts.issuer - The credential_issuer URL for JWT validation
+ * @param opts.signedMetadataVerifyCallback - Callback to verify and decode the signed JWT
+ * @returns The metadata with signed claims merged in (signed claims override unsigned)
+ */
+declare function processSignedMetadata<T extends IssuerMetadata>(opts: {
+    metadata: T;
+    issuer: string;
+    signedMetadataVerifyCallback?: SignedMetadataVerifyCallback;
+}): Promise<T>;
 type EventNames = CredentialOfferEventNames | NotificationStatusEventNames | LogEvents | CredentialEventNames;
 declare enum CredentialOfferEventNames {
     OID4VCI_OFFER_CREATED = "OID4VCI_OFFER_CREATED",
@@ -1794,4 +2056,4 @@ declare const EVENTS: EventManager;
 declare const VCI_LOGGERS: Loggers;
 declare const VCI_LOG_COMMON: _sphereon_ssi_types.ISimpleLogger<unknown>;
-export { ACCESS_TOKEN_ISSUER_REQUIRED_ERROR, ALG_ERROR, AUD_ERROR, type AccessTokenFromAuthorizationResponseOpts, type AccessTokenRequest, type AccessTokenRequestOpts, type AccessTokenResponse, Alg, type AlgValue, type AssertedUniformCredentialOffer, type AuthorizationChallengeCodeResponse, AuthorizationChallengeError, type AuthorizationChallengeErrorResponse, type AuthorizationChallengeRequestOpts, type AuthorizationDetailsJwtVcJson, type AuthorizationDetailsJwtVcJsonLdAndLdpVc, type AuthorizationDetailsMsoMdoc, type AuthorizationDetailsSdJwtVc, type AuthorizationDetailsV1_0_15, type AuthorizationGrantResponse, type AuthorizationRequest, type AuthorizationRequestJwtVcJson, type AuthorizationRequestJwtVcJsonLdAndLdpVc, type AuthorizationRequestMsoMdoc, type AuthorizationRequestOpts, type AuthorizationRequestSdJwtVc, type AuthorizationResponse, type AuthorizationServerClientOpts, type AuthorizationServerMetadata, type AuthorizationServerMetadataV1_0_15, type AuthorizationServerOpts, type AuthorizationServerType, AuthzFlowType, BAD_PARAMS, type BatchCredentialIssuance, type CNonceState, CODE_VERIFIER_DEFAULT_LENGTH, CREDENTIAL_MISSING_ERROR, type ClaimsDescriptionV1_0_15, type ClientAuthMethod, type ClientMetadata, type ClientResponseType, CodeChallengeMethod, type CommonAuthorizationChallengeRequest, type CommonAuthorizationDetails, type CommonAuthorizationRequest, type CommonCredentialOfferFormat, type CommonCredentialRequest, type CommonCredentialResponse, type CommonCredentialSupported, type CompactJWSHeaderParameters, type ComponentOptions, type CreateCredentialOfferURIResult, CreateRequestObjectMode, type CredentialConfigurationSupported, type CredentialConfigurationSupportedCommonV1_0_15, type CredentialConfigurationSupportedJwtVcJsonLdAndLdpVcV1_0_15, type CredentialConfigurationSupportedJwtVcJsonV1_0_15, type CredentialConfigurationSupportedMsoMdocV1_0_15, type CredentialConfigurationSupportedSdJwtVcV1_0_15, type CredentialConfigurationSupportedV1_0_15, type CredentialDataSupplierInput, type CredentialDefinitionJwtVcJsonLdAndLdpVcV1_0_15, type CredentialDefinitionJwtVcJsonV1_0_15, type CredentialErrorResponseV1_0_15, CredentialEventNames, type CredentialIssuerMetadata, type CredentialIssuerMetadataOpts, type CredentialIssuerMetadataOptsV1_0_15, type CredentialIssuerMetadataV1_0_15, type CredentialOffer, CredentialOfferEventNames, type CredentialOfferFormatJwtVcJson, type CredentialOfferFormatJwtVcJsonLdAndLdpVc, type CredentialOfferFormatMsoMdoc, type CredentialOfferFormatSdJwtVc, type CredentialOfferFormatSdJwtVcv13, type CredentialOfferFormatV1_0_11, type CredentialOfferMode, type CredentialOfferPayload, type CredentialOfferPayloadLatest, type CredentialOfferPayloadV1_0_15, type CredentialOfferRESTRequestV1_0_15, type CredentialOfferRequestWithBaseUrl, type CredentialOfferSession, type CredentialOfferV1_0_15, type CredentialRequest, type CredentialRequestJwtVcJson, type CredentialRequestJwtVcJsonLdAndLdpVc, type CredentialRequestMsoMdoc, type CredentialRequestSdJwtVc, type CredentialRequestV1_0_15, type CredentialRequestV1_0_15Common, type CredentialRequestV1_0_15CredentialConfigurationId, type CredentialRequestV1_0_15CredentialIdentifier, type CredentialRequestV1_0_15ResponseEncryption, type CredentialResponse, type CredentialResponseCredentialV1_0_15, type CredentialResponseJwtVc, type CredentialResponseLdpVc, type CredentialResponseSdJwtVc, type CredentialResponseV1_0_15, type CredentialSubjectDisplay, type CredentialSupplierConfig, type CredentialSupportedBrief, type CredentialSupportedJwtVcJson, type CredentialSupportedJwtVcJsonLdAndLdpVc, type CredentialSupportedMsoMdoc, type CredentialSupportedSdJwtVc, type CredentialSupportedSdJwtVcV13, type CredentialsSupportedDisplay, type CredentialsSupportedLegacy, DID_NO_DIDDOC_ERROR, type DPoPResponseParams, type DecodeURIAsJsonOpts, DefaultURISchemes, type DeferredCredentialResponseV1_0_15, EVENTS, EXPERIMENTAL_SUBJECT_PROOF_MODE_ENABLED, EXPIRED_PRE_AUTHORIZED_CODE, type EncValue, type EncodeJsonAsURIOpts, Encoding, type EndpointMetadata, type EndpointMetadataResult, type EndpointMetadataResultV1_0_15, type ErrorResponse, type EventNames, type ExperimentalSubjectIssuance, GRANTS_MUST_NOT_BE_UNDEFINED, type Grant, type GrantAuthorizationCode, GrantTypes, type GrantUrnIetf, IAT_ERROR, INVALID_PRE_AUTHORIZED_CODE, ISSUER_CONFIG_ERROR, ISS_MUST_BE_CLIENT_ID, ISS_PRESENT_IN_PRE_AUTHORIZED_CODE_CONTEXT, type IStateManager, type ImageInfo, type InputCharSet, IssueStatus, type IssueStatusResponse, type IssuerCredentialSubject, type IssuerCredentialSubjectDisplay, type IssuerMetadata, type IssuerMetadataV1_0_15, type IssuerOpts, type JWSHeaderParameters, JWS_NOT_VALID, type JWTHeader, type JWTHeaderParameters, type JWTPayload, type JWTSignerCallback, type JWTVerifyCallback, JWT_SIGNER_CALLBACK_REQUIRED_ERROR, JWT_VERIFY_CONFIG_ERROR, type JoseHeaderParameters, type JsonLdIssuerCredentialDefinition, JsonURIMode, type Jwt, type JwtProps, type JwtVerifyResult, KID_DID_NO_DID_ERROR, KID_JWK_X5C_ERROR, type KeyAttestationJWT, type KeyAttestationsRequiredV1_0_15, type KeyProofType, type LogEvents, type LogoAndColor, type MetadataDisplay, NONCE_ERROR, NONCE_LENGTH, NONCE_STATE_MANAGER_REQUIRED_ERROR, NO_ISS_IN_AUTHORIZATION_CODE_CONTEXT, NO_JWT_PROVIDED, type NameAndLocale, type NonceRequestV1_0_15, type NonceResponseV1_0_15, type NotificationError, type NotificationErrorResponse, type NotificationErrorResponseV1_0_15, type NotificationEventType, type NotificationRequest, type NotificationResponseResult, type NotificationResponseV1_0_15, NotificationStatusEventNames, type OAuthGrantType, type OAuthResponseMode, type OAuthResponseType, type OAuthScope, type OID4VCICredentialFormat, type OpenIDResponse, OpenId4VCIVersion, PARMode, PIN_NOT_MATCH_ERROR, PIN_VALIDATION_ERROR, type PKCECodeChallengeMethod, type PKCEOpts, PRE_AUTHORIZED_CODE_REQUIRED_ERROR, PRE_AUTH_CODE_LITERAL, PRE_AUTH_GRANT_LITERAL, PROOF_CANT_BE_CONSTRUCTED, type PoPMode, type ProofOfPossession, type ProofOfPossessionCallbacks, type ProofOfPossessionMap, type ProofType, type ProofTypeV1_0_15, type ProofTypesSupported, type ProofTypesV1_0_15, type PushedAuthorizationResponse, type QRCodeOpts, type RequestObjectOpts, type ResponseEncryption, ResponseType, type RevocationEndpointAuthMethod, type RevocationEndpointAuthSigningAlg, STATE_MANAGER_REQUIRED_ERROR, STATE_MISSING_ERROR, type SearchValue, type StateType, type StatusListOpts, type SubjectProofMode, type SubjectProofNotificationEventsSupported, TYP_ERROR, type TokenEndpointAuthMethod, type TokenEndpointAuthSigningAlg, TokenError, TokenErrorResponse, type TokenResponseV1_0_15, type TxCode, type TxCodeAndPinRequired, type Typ, UNKNOWN_CLIENT_ERROR, UNSUPPORTED_GRANT_TYPE_ERROR, type URIState, URL_NOT_VALID, USER_PIN_NOT_REQUIRED_ERROR, USER_PIN_REQUIRED_ERROR, USER_PIN_TX_CODE_SPEC_ERROR, type UniformCredentialOffer, type UniformCredentialOfferPayload, type UniformCredentialOfferRequest, VCI_LOGGERS, VCI_LOG_COMMON, WRONG_METADATA_FORMAT, type WalletAttestationJWT, WellKnownEndpoints, acquireDeferredCredential, adjustUrl, assertValidCodeVerifier, assertedUniformCredentialOffer, authorizationServerMetadataFieldNames, convertJsonToURI, convertURIToJsonObject, createCodeChallenge, createProofOfPossession, credentialIssuerMetadataFieldNamesV1_0_15, type credential_identifiers, decodeJsonProperties, determineFlowType, determineGrantTypes, determineSpecVersionFromOffer, determineSpecVersionFromScheme, determineSpecVersionFromURI, determineVersionsFromIssuerMetadata, extractBearerToken, formPost, generateCodeVerifier, generateNonce, generateRandomString, getClientIdFromCredentialOfferPayload, getCredentialConfigurationIdsFromOfferV1_0_15, getCredentialOfferPayload, getFormatForVersion, getIssuerDisplays, getIssuerFromCredentialOfferPayload, getIssuerName, getJson, getNumberOrUndefined, getScheme, getStateFromCredentialOfferPayload, getSupportedCredential, getSupportedCredentials, getTypesFromAuthorizationDetails, getTypesFromCredentialSupported, getTypesFromObject, getURIComponentsAsArray, getUniformFormat, isCredentialOfferVersion, isDeferredCredentialIssuancePending, isDeferredCredentialResponse, isFormat, isJWS, isNotFormat, isPreAuthCode, isValidURL, isW3cCredentialSupported, normalizeOfferInput, post, resolveCredentialOfferURI, supportedOID4VCICredentialFormat, toAuthorizationResponsePayload, toUniformCredentialOfferPayload, toUniformCredentialOfferRequest, trimBoth, trimEnd, trimStart, validateJWT };
+export { ACCESS_TOKEN_ISSUER_REQUIRED_ERROR, ALG_ERROR, AUD_ERROR, type AccessTokenFromAuthorizationResponseOpts, type AccessTokenRequest, type AccessTokenRequestOpts, type AccessTokenResponse, Alg, type AlgValue, type AssertedUniformCredentialOffer, type AuthorizationChallengeCodeResponse, AuthorizationChallengeError, type AuthorizationChallengeErrorResponse, type AuthorizationChallengeRequestOpts, type AuthorizationDetails, type AuthorizationDetailsJwtVcJson, type AuthorizationDetailsJwtVcJsonLdAndLdpVc, type AuthorizationDetailsMsoMdoc, type AuthorizationDetailsSdJwtVc, type AuthorizationDetailsV1_0, type AuthorizationDetailsV1_0_15, type AuthorizationGrantResponse, type AuthorizationRequest, type AuthorizationRequestJwtVcJson, type AuthorizationRequestJwtVcJsonLdAndLdpVc, type AuthorizationRequestMsoMdoc, type AuthorizationRequestOpts, type AuthorizationRequestSdJwtVc, type AuthorizationResponse, type AuthorizationServerClientOpts, type AuthorizationServerMetadata, type AuthorizationServerMetadataV1_0, type AuthorizationServerMetadataV1_0_15, type AuthorizationServerOpts, type AuthorizationServerType, AuthzFlowType, BAD_PARAMS, type BatchCredentialIssuance, type CNonceState, CODE_VERIFIER_DEFAULT_LENGTH, CREDENTIAL_MISSING_ERROR, type CWTSignerCallback, type ClaimsDescriptionV1_0, type ClaimsDescriptionV1_0_15, type ClientAuthMethod, type ClientMetadata, type ClientResponseType, CodeChallengeMethod, type CommonAuthorizationChallengeRequest, type CommonAuthorizationDetails, type CommonAuthorizationRequest, type CommonCredentialOfferFormat, type CommonCredentialRequest, type CommonCredentialResponse, type CommonCredentialSupported, type CompactJWSHeaderParameters, type ComponentOptions, type CreateCredentialOfferURIResult, CreateRequestObjectMode, type CredentialConfigurationSupported, type CredentialConfigurationSupportedCommonV1_0, type CredentialConfigurationSupportedCommonV1_0_15, type CredentialConfigurationSupportedJwtVcJsonLdAndLdpVcV1_0, type CredentialConfigurationSupportedJwtVcJsonLdAndLdpVcV1_0_15, type CredentialConfigurationSupportedJwtVcJsonV1_0, type CredentialConfigurationSupportedJwtVcJsonV1_0_15, type CredentialConfigurationSupportedMsoMdocV1_0, type CredentialConfigurationSupportedMsoMdocV1_0_15, type CredentialConfigurationSupportedSdJwtVcV1_0, type CredentialConfigurationSupportedSdJwtVcV1_0_15, type CredentialConfigurationSupportedV1_0, type CredentialConfigurationSupportedV1_0_15, type CredentialDataSupplierInput, type CredentialDefinitionJwtVcJsonLdAndLdpVcV1_0_15, type CredentialDefinitionJwtVcJsonV1_0_15, type CredentialErrorResponseV1_0, type CredentialErrorResponseV1_0_15, CredentialEventNames, type CredentialIssuerMetadata, type CredentialIssuerMetadataOpts, type CredentialIssuerMetadataOptsV1_0, type CredentialIssuerMetadataOptsV1_0_15, type CredentialIssuerMetadataV1_0, type CredentialIssuerMetadataV1_0_15, type CredentialMetadataV1_0, type CredentialMetadataV1_0_15, type CredentialOffer, CredentialOfferEventNames, type CredentialOfferFormatJwtVcJson, type CredentialOfferFormatJwtVcJsonLdAndLdpVc, type CredentialOfferFormatMsoMdoc, type CredentialOfferFormatSdJwtVc, type CredentialOfferFormatSdJwtVcv13, type CredentialOfferFormatV1_0_11, type CredentialOfferMode, type CredentialOfferPayload, type CredentialOfferPayloadLatest, type CredentialOfferPayloadV1_0, type CredentialOfferPayloadV1_0_15, type CredentialOfferRESTRequestV1_0, type CredentialOfferRESTRequestV1_0_15, type CredentialOfferRequestWithBaseUrl, type CredentialOfferSession, type CredentialOfferV1_0, type CredentialOfferV1_0_15, type CredentialRequest, type CredentialRequestJwtVcJson, type CredentialRequestJwtVcJsonLdAndLdpVc, type CredentialRequestMsoMdoc, type CredentialRequestSdJwtVc, type CredentialRequestV1_0, type CredentialRequestV1_0Common, type CredentialRequestV1_0ResponseEncryption, type CredentialRequestV1_0_15, type CredentialRequestV1_0_15Common, type CredentialRequestV1_0_15CredentialConfigurationId, type CredentialRequestV1_0_15CredentialIdentifier, type CredentialRequestV1_0_15ResponseEncryption, type CredentialResponse, type CredentialResponseCredentialV1_0_15, type CredentialResponseJwtVc, type CredentialResponseLdpVc, type CredentialResponseSdJwtVc, type CredentialResponseV1_0, type CredentialResponseV1_0_15, type CredentialSubjectDisplay, type CredentialSupplierConfig, type CredentialSupportedBrief, type CredentialSupportedJwtVcJson, type CredentialSupportedJwtVcJsonLdAndLdpVc, type CredentialSupportedMsoMdoc, type CredentialSupportedSdJwtVc, type CredentialSupportedSdJwtVcV13, type CredentialsSupportedDisplay, type CredentialsSupportedLegacy, type CwtProofOfPossession, DID_NO_DIDDOC_ERROR, type DPoPResponseParams, type DecodeURIAsJsonOpts, DefaultURISchemes, type DeferredCredentialResponseV1_0, type DeferredCredentialResponseV1_0_15, EVENTS, EXPERIMENTAL_SUBJECT_PROOF_MODE_ENABLED, EXPIRED_PRE_AUTHORIZED_CODE, type EncValue, type EncodeJsonAsURIOpts, Encoding, type EndpointMetadata, type EndpointMetadataResult, type EndpointMetadataResultV1_0, type EndpointMetadataResultV1_0_15, type ErrorResponse, type EventNames, type ExperimentalSubjectIssuance, GRANTS_MUST_NOT_BE_UNDEFINED, type Grant, type GrantAuthorizationCode, GrantTypes, type GrantUrnIetf, IAT_ERROR, INVALID_PRE_AUTHORIZED_CODE, ISSUER_CONFIG_ERROR, ISS_MUST_BE_CLIENT_ID, ISS_PRESENT_IN_PRE_AUTHORIZED_CODE_CONTEXT, type IStateManager, type ImageInfo, type InputCharSet, IssueStatus, type IssueStatusResponse, type IssuerCredentialSubject, type IssuerCredentialSubjectDisplay, type IssuerMetadata, type IssuerMetadataV1_0, type IssuerMetadataV1_0_15, type IssuerOpts, type JWSHeaderParameters, JWS_NOT_VALID, type JWTHeader, type JWTHeaderParameters, type JWTPayload, type JWTSignerCallback, type JWTVerifyCallback, JWT_SIGNER_CALLBACK_REQUIRED_ERROR, JWT_VERIFY_CONFIG_ERROR, type JoseHeaderParameters, type JsonLdIssuerCredentialDefinition, JsonURIMode, type Jwt, type JwtProofOfPossession, type JwtProps, type JwtVerifyResult, KID_DID_NO_DID_ERROR, KID_JWK_X5C_ERROR, type KeyAttestationJWT, type KeyAttestationsRequiredV1_0_15, type KeyProofType, type LogEvents, type LogoAndColor, type MetadataDisplay, NONCE_ERROR, NONCE_LENGTH, NONCE_STATE_MANAGER_REQUIRED_ERROR, NO_ISS_IN_AUTHORIZATION_CODE_CONTEXT, NO_JWT_PROVIDED, type NameAndLocale, type NonceRequestV1_0, type NonceRequestV1_0_15, type NonceResponseV1_0, type NonceResponseV1_0_15, type NotificationError, type NotificationErrorResponse, type NotificationErrorResponseV1_0, type NotificationErrorResponseV1_0_15, type NotificationEventType, type NotificationRequest, type NotificationResponseResult, type NotificationResponseV1_0, type NotificationResponseV1_0_15, NotificationStatusEventNames, type OAuthGrantType, type OAuthResponseMode, type OAuthResponseType, type OAuthScope, type OID4VCICredentialFormat, type OpenIDResponse, OpenId4VCIVersion, PARMode, PIN_NOT_MATCH_ERROR, PIN_VALIDATION_ERROR, type PKCECodeChallengeMethod, type PKCEOpts, PRE_AUTHORIZED_CODE_REQUIRED_ERROR, PRE_AUTH_CODE_LITERAL, PRE_AUTH_GRANT_LITERAL, PROOF_CANT_BE_CONSTRUCTED, type PoPMode, type ProofOfPossession, type ProofOfPossessionCallbacks, type ProofOfPossessionMap, type ProofType, type ProofTypeV1_0, type ProofTypeV1_0_15, type ProofTypesSupported, type ProofTypesSupportedV1_0, type ProofTypesV1_0, type ProofTypesV1_0_15, type PushedAuthorizationResponse, type QRCodeOpts, type RequestObjectOpts, type ResponseEncryption, ResponseType, type RevocationEndpointAuthMethod, type RevocationEndpointAuthSigningAlg, STATE_MANAGER_REQUIRED_ERROR, STATE_MISSING_ERROR, type SearchValue, type SignedMetadataVerifyCallback, type StateType, type StatusListOpts, type SubjectProofMode, type SubjectProofNotificationEventsSupported, TYP_ERROR, type TokenEndpointAuthMethod, type TokenEndpointAuthSigningAlg, TokenError, TokenErrorResponse, type TokenResponseV1_0, type TokenResponseV1_0_15, type TxCode, type TxCodeAndPinRequired, type Typ, UNKNOWN_CLIENT_ERROR, UNSUPPORTED_GRANT_TYPE_ERROR, type URIState, URL_NOT_VALID, USER_PIN_NOT_REQUIRED_ERROR, USER_PIN_REQUIRED_ERROR, USER_PIN_TX_CODE_SPEC_ERROR, type UniformCredentialOffer, type UniformCredentialOfferPayload, type UniformCredentialOfferRequest, VCI_LOGGERS, VCI_LOG_COMMON, WRONG_METADATA_FORMAT, type WalletAttestationJWT, WellKnownEndpoints, acquireDeferredCredential, adjustUrl, assertValidCodeVerifier, assertedUniformCredentialOffer, authorizationServerMetadataFieldNames, convertJsonToURI, convertURIToJsonObject, createCodeChallenge, createCwtProofOfPossession, createProofOfPossession, credentialIssuerMetadataFieldNamesV1_0, credentialIssuerMetadataFieldNamesV1_0_15, type credential_identifiers, decodeJsonProperties, determineFlowType, determineGrantTypes, determineSpecVersionFromOffer, determineSpecVersionFromScheme, determineSpecVersionFromURI, determineVersionsFromIssuerMetadata, extractBearerToken, formPost, generateCodeVerifier, generateNonce, generateRandomString, getClientIdFromCredentialOfferPayload, getCredentialConfigurationIdsFromOfferV1_0_15, getCredentialOfferPayload, getFormatForVersion, getIssuerDisplays, getIssuerFromCredentialOfferPayload, getIssuerName, getJson, getNumberOrUndefined, getScheme, getStateFromCredentialOfferPayload, getSupportedCredential, getSupportedCredentials, getTypesFromAuthorizationDetails, getTypesFromCredentialSupported, getTypesFromObject, getURIComponentsAsArray, getUniformFormat, isCredentialOfferVersion, isDeferredCredentialIssuancePending, isDeferredCredentialResponse, isFormat, isJWS, isNotFormat, isPreAuthCode, isValidURL, isW3cCredentialSupported, normalizeOfferInput, post, processSignedMetadata, resolveCredentialOfferURI, supportedOID4VCICredentialFormat, toAuthorizationResponsePayload, toUniformCredentialOfferPayload, toUniformCredentialOfferRequest, trimBoth, trimEnd, trimStart, validateJWT };

package/dist/index.js CHANGED Viewed

@@ -181,6 +181,26 @@ var credentialIssuerMetadataFieldNamesV1_0_15 = [
   "authorization_challenge_endpoint"
 ];
+// lib/types/v1_0.types.ts
+var credentialIssuerMetadataFieldNamesV1_0 = [
+  "credential_issuer",
+  "credential_configurations_supported",
+  "credential_endpoint",
+  "nonce_endpoint",
+  "deferred_credential_endpoint",
+  "notification_endpoint",
+  "credential_response_encryption",
+  "batch_credential_issuance_supported",
+  "credential_issuer_public_key",
+  "authorization_servers",
+  "token_endpoint",
+  "display",
+  "credential_supplier_config",
+  "credential_identifiers_supported",
+  "signed_metadata",
+  "authorization_challenge_endpoint"
+];
 // lib/types/ServerMetadata.ts
 var authorizationServerMetadataFieldNames = [
   "issuer",
@@ -256,6 +276,7 @@ var WRONG_METADATA_FORMAT = "Wrong metadata format";
 // lib/types/OpenID4VCIVersions.types.ts
 var OpenId4VCIVersion = /* @__PURE__ */ (function(OpenId4VCIVersion2) {
   OpenId4VCIVersion2[OpenId4VCIVersion2["VER_1_0_15"] = 1015] = "VER_1_0_15";
+  OpenId4VCIVersion2[OpenId4VCIVersion2["VER_1_0"] = 1100] = "VER_1_0";
   OpenId4VCIVersion2[OpenId4VCIVersion2["VER_UNKNOWN"] = Number.MAX_VALUE] = "VER_UNKNOWN";
   return OpenId4VCIVersion2;
 })({});
@@ -435,7 +456,8 @@ var adjustUrl = /* @__PURE__ */ __name((urlOrPath, opts) => {
 // lib/functions/CredentialResponseUtil.ts
 function isDeferredCredentialResponse(credentialResponse) {
   const orig = credentialResponse.successBody;
-  return credentialResponse.origResponse.status % 200 <= 2 && !!orig && !orig.credentials && (!!orig.acceptance_token || !!orig.transaction_id);
+  const hasNoCredential = !orig?.credentials && !orig?.credential;
+  return credentialResponse.origResponse.status % 200 <= 2 && !!orig && hasNoCredential && (!!orig.acceptance_token || !!orig.transaction_id);
 }
 __name(isDeferredCredentialResponse, "isDeferredCredentialResponse");
 function assertNonFatalError(credentialResponse) {
@@ -473,7 +495,7 @@ async function acquireDeferredCredential({ bearerToken, transactionId, deferredC
     deferredCredentialEndpoint
   });
   const DEFAULT_SLEEP_IN_MS = 5e3;
-  while (!credentialResponse.successBody?.credentials && deferredCredentialAwait) {
+  while (!credentialResponse.successBody?.credentials && !credentialResponse.successBody?.credential && deferredCredentialAwait) {
     assertNonFatalError(credentialResponse);
     const pending = isDeferredCredentialIssuancePending(credentialResponse);
     console.log(`Issuance still pending?: ${pending}`);
@@ -513,7 +535,7 @@ var logger2 = Loggers2.DEFAULT.get("sphereon:oid4vci:offer");
 function determineSpecVersionFromURI(uri) {
   let version = determineSpecVersionFromScheme(uri, OpenId4VCIVersion.VER_UNKNOWN) ?? OpenId4VCIVersion.VER_UNKNOWN;
   if (version === OpenId4VCIVersion.VER_UNKNOWN) {
-    version = OpenId4VCIVersion.VER_1_0_15;
+    version = OpenId4VCIVersion.VER_1_0;
   }
   return version;
 }
@@ -645,7 +667,7 @@ var getStateFromCredentialOfferPayload = /* @__PURE__ */ __name((credentialOffer
 }, "getStateFromCredentialOfferPayload");
 function determineSpecVersionFromOffer(offer) {
   if (isCredentialOfferV1_0_15(offer)) {
-    return OpenId4VCIVersion.VER_1_0_15;
+    return OpenId4VCIVersion.VER_1_0;
   }
   return OpenId4VCIVersion.VER_UNKNOWN;
 }
@@ -1025,19 +1047,22 @@ function getTypesFromAuthorizationDetails(authDetails, opts) {
 __name(getTypesFromAuthorizationDetails, "getTypesFromAuthorizationDetails");
 function getTypesFromCredentialSupported(credentialSupported, opts) {
   let types = [];
-  if (credentialSupported.format === "jwt_vc_json" || credentialSupported.format === "jwt_vc" || credentialSupported.format === "jwt_vc_json-ld" || credentialSupported.format === "ldp_vc") {
+  const format = credentialSupported.format;
+  if (format === "jwt_vc_json" || format === "jwt_vc" || format === "jwt_vc_json-ld" || format === "ldp_vc") {
     types = getTypesFromObject(credentialSupported) ?? [];
-  } else if (credentialSupported.format === "dc+sd-jwt" || credentialSupported.format === "vc+sd-jwt") {
+  } else if (format === "dc+sd-jwt" || format === "vc+sd-jwt") {
     types = [
       credentialSupported.vct
     ];
-  } else if (credentialSupported.format === "mso_mdoc") {
+  } else if (format === "mso_mdoc") {
     types = [
       credentialSupported.doctype
     ];
+  } else {
+    throw Error(`Unsupported credential format '${format}'`);
   }
   if (!types || types.length === 0) {
-    throw Error("Could not deduce types from credential supported");
+    throw Error(`Could not deduce types from credential supported (format '${format}')`);
   }
   if (opts?.filterVerifiableCredential) {
     return types.filter((type) => type !== "VerifiableCredential");
@@ -1070,7 +1095,37 @@ __name(getSupportedCredentials, "getSupportedCredentials");
 function determineVersionsFromIssuerMetadata(issuerMetadata) {
   const versions = /* @__PURE__ */ new Set();
   if ("credential_configurations_supported" in issuerMetadata) {
-    versions.add(OpenId4VCIVersion.VER_1_0_15);
+    let is1_0Final = false;
+    if ("batch_credential_issuance_supported" in issuerMetadata && typeof issuerMetadata.batch_credential_issuance_supported === "boolean") {
+      is1_0Final = true;
+    }
+    if ("credential_issuer_public_key" in issuerMetadata) {
+      is1_0Final = true;
+    }
+    if (!is1_0Final) {
+      const configs = issuerMetadata.credential_configurations_supported;
+      if (configs) {
+        for (const config of Object.values(configs)) {
+          if ("cryptographic_suites_supported" in config) {
+            is1_0Final = true;
+            break;
+          }
+          if (config.proof_types_supported && "di_vp" in config.proof_types_supported) {
+            is1_0Final = true;
+            break;
+          }
+        }
+      }
+    }
+    if (is1_0Final) {
+      versions.add(OpenId4VCIVersion.VER_1_0);
+    } else {
+      if ("batch_credential_issuance" in issuerMetadata && typeof issuerMetadata.batch_credential_issuance === "object") {
+        versions.add(OpenId4VCIVersion.VER_1_0_15);
+      } else {
+        versions.add(OpenId4VCIVersion.VER_1_0);
+      }
+    }
   }
   if (versions.size === 0) {
     versions.add(OpenId4VCIVersion.VER_UNKNOWN);
@@ -1227,6 +1282,16 @@ var createProofOfPossession = /* @__PURE__ */ __name(async (popMode, callbacks,
 ${jwt}`);
   return proof;
 }, "createProofOfPossession");
+var createCwtProofOfPossession = /* @__PURE__ */ __name(async (callbacks, opts) => {
+  if (!callbacks.cwtSignCallback) {
+    throw new Error("No CWT signer callback supplied");
+  }
+  const cwt = await callbacks.cwtSignCallback(opts);
+  return {
+    proof_type: "cwt",
+    cwt
+  };
+}, "createCwtProofOfPossession");
 var partiallyValidateJWS = /* @__PURE__ */ __name((jws) => {
   if (jws.split(".").length !== 3 || !jws.startsWith("ey")) {
     throw new Error(JWS_NOT_VALID);
@@ -1393,6 +1458,32 @@ var assertValidCodeVerifier = /* @__PURE__ */ __name((codeVerifier) => {
   }
 }, "assertValidCodeVerifier");
+// lib/functions/SignedMetadataUtils.ts
+async function processSignedMetadata(opts) {
+  const { metadata, issuer, signedMetadataVerifyCallback } = opts;
+  if (!metadata.signed_metadata) {
+    return metadata;
+  }
+  if (!signedMetadataVerifyCallback) {
+    VCI_LOG_COMMON.warning(`Issuer ${issuer} provides signed_metadata but no signedMetadataVerifyCallback was provided. Signed metadata will not be verified or applied.`);
+    return metadata;
+  }
+  const result = await signedMetadataVerifyCallback({
+    signedMetadata: metadata.signed_metadata,
+    issuer
+  });
+  if (!result.verified) {
+    throw Error(`Signed metadata verification failed for issuer ${issuer}`);
+  }
+  VCI_LOG_COMMON.info(`Signed metadata verified for issuer ${issuer}, applying signed claims`);
+  const { iss: _iss, iat: _iat, exp: _exp, nbf: _nbf, jti: _jti, aud: _aud, sub: _sub, ...metadataClaims } = result.metadata;
+  return {
+    ...metadata,
+    ...metadataClaims
+  };
+}
+__name(processSignedMetadata, "processSignedMetadata");
 // lib/experimental/holder-vci.ts
 var EXPERIMENTAL_SUBJECT_PROOF_MODE_ENABLED = process.env.EXPERIMENTAL_SUBJECT_PROOF_MODE?.trim().toLowerCase() === "true";
@@ -1491,7 +1582,9 @@ export {
   convertJsonToURI,
   convertURIToJsonObject,
   createCodeChallenge,
+  createCwtProofOfPossession,
   createProofOfPossession,
+  credentialIssuerMetadataFieldNamesV1_0,
   credentialIssuerMetadataFieldNamesV1_0_15,
   decodeJsonProperties,
   determineFlowType,
@@ -1534,6 +1627,7 @@ export {
   isW3cCredentialSupported,
   normalizeOfferInput,
   post,
+  processSignedMetadata,
   resolveCredentialOfferURI,
   supportedOID4VCICredentialFormat,
   toAuthorizationResponsePayload,