@sphereon/ssi-sdk-ext.jwt-service 0.24.1-unstable.93 → 0.25.0

package/README.md

@@ -6,410 +6,109 @@
   <br>
 </h1>
 
-A plugin that in a uniform way can resolve any supported external identifiers, as well as get managed identifiers. It
-performs validations as well as return the objects in a uniform way. Public keys will always be resolved and presented
-as JWKs.
+A plugin that can generate and verify JWTs. It can create/sign JWS in Compact, JSON General and JSON Flattened form as
+specified in [RFC 7515](https://datatracker.ietf.org/doc/html/rfc7515)
 
-Currently, it supports the following identifier methods and types:
+Currently, it supports the following JWS forms:
 
-- DIDs (and the internal IIdentifier type)
-- JWKs (JWK object and public key in hex)
-- kid, KMS key references and jwk thumbprints
-- X.509 certificate chains
+- JWS Compact Form
+- JWS Json General
+- JWS Json Flattened (1 signature)
 
-TODO:
+The plugin is using
+the [Universal Identifier Resolution](https://github.com/Sphereon-Opensource/SSI-SDK-crypto-extensions/tree/develop/packages/identifier-resolution)
+module. Both for generating JWS JWTs as well as for verifying JWTs.
 
-- https .well-knowns (JWKSet)
-- OIDC Discovery
-- X.509 CN en SANs
-- OID4VCI Issuers
+When signing a JWS it takes into account any x5c, kid or JWK value already present in the header, as well as the `iss`
+value. When not present but a Managed Identifier is being provided, the signing service will take care of putting the
+correct headers into the JWS.
 
-Since the plugin dynamically looks for the correct agent plugins based on the types being resolved, this plugin should
-be used for any and all identifier resolution.
+# Creating/signing a JWS
 
-No matter whether the plugin is doing resolution of external identifiers or managed/internal identifiers, the results
-will always include certain objects, like the JWK key(s) associated, certificates etc. This ensures uniform handling in
-all places that rely on key/identifier management.
+The `jwtCreateJswCompactSignature` accepts a protected JWT header. You can put any JWT header properties in there.
+The `payload` can either be a base64url payload, a `JwtPayload` object or a Buffer/Uint8arry. The method will take care
+of any relevant conversions
 
-## Managed Identifiers
-
-Managed or internal identifiers, are identifiers that are being controlled by the agent. This means the agent either has
-access to the private key, or is using a hardware protected mechanism with access to the private key. All of the managed
-methods return both a JWK managed by the agent, an IKey instance, which is the internal key representations, as well as
-a kmsKeyRef allowing you to retrieve the key easily later.
-
-Read an identifier by IIdentifier object or DID (or did URL)
-
-### DIDs and IIdentifiers
+The `issuer` object allows you to provide a managed identifier
 
 ```typescript
-const identifier = await agent.didManagerCreate({ kms: 'local' })
-// Created an idenftier. For example did:jwk:eyJhbGciOiJFUzI1NiIsInVzZSI6InNpZyIsImt0eSI6IkVDIiwiY3J2IjoiUC0yNTYiLCJ4IjoiR2poUzgzeTJGaWhqYkYzOFBfc01VS2Y5MzVoVnZNRHNjazBEZ3h4bUMzNCIsInkiOiJTcFZPR3g1bGV2UWM1TV9ZM2VBTTJvdWhmRnF0VXNQelVfX0RBSVRYLWhJIn0"
-
-let resolution = await agent.identifierManagedGet({ identifier })
-console.log(JSON.stringify(resolution, null, 2))
-
-// This is the same as above, but with the benefit of having fully typed response, instead of a union
-resolution = await agent.identifierManagedGetByDid({ identifier })
-
-resolution = await agent.identifierManagedGet({
-  identifier:
-    'did:jwk:eyJhbGciOiJFUzI1NiIsInVzZSI6InNpZyIsImt0eSI6IkVDIiwiY3J2IjoiUC0yNTYiLCJ4IjoiR2poUzgzeTJGaWhqYkYzOFBfc01VS2Y5MzVoVnZNRHNjazBEZ3h4bUMzNCIsInkiOiJTcFZPR3g1bGV2UWM1TV9ZM2VBTTJvdWhmRnF0VXNQelVfX0RBSVRYLWhJIn0',
-})
-// This is the same as above, but with the benefit of having fully typed response, instead of a union
-resolution = await agent.identifierManagedGetByDid({
-  identifier:
-    'did:jwk:eyJhbGciOiJFUzI1NiIsInVzZSI6InNpZyIsImt0eSI6IkVDIiwiY3J2IjoiUC0yNTYiLCJ4IjoiR2poUzgzeTJGaWhqYkYzOFBfc01VS2Y5MzVoVnZNRHNjazBEZ3h4bUMzNCIsInkiOiJTcFZPR3g1bGV2UWM1TV9ZM2VBTTJvdWhmRnF0VXNQelVfX0RBSVRYLWhJIn0',
+const publicKeyHex = '037fcdce2770f6c45d4183cbee6fdb4b7b580733357be9ef13bacf6e3c7bd15445'
+const kid = publicKeyHex
+
+const example = await agent.jwtCreateJwsCompactSignature({
+  // Example payloads from IETF spec
+  issuer: { identifier: kid, noIdentifierInHeader: true }, // do not update any header values with the provided identifier. Just use the identifier for signing
+  protectedHeader: { alg: 'ES256' },
+  payload: 'eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ',
 })
 ```
 
-result (some parts omited for brevity:
-
-```json
-{
-  "method": "did",
-  "jwk": {
-    "alg": "ES256",
-    "kty": "EC",
-    "crv": "P-256",
-    "x": "GjhS83y2FihjbF38P_sMUKf935hVvMDsck0DgxxmC34",
-    "y": "SpVOGx5levQc5M_Y3eAM2ouhfFqtUsPzU__DAITX-hI",
-    "kid": "77_7PdYbkikec5AR6zSKVIxgNExChvuOLLULBwS6jwc"
-  },
-  "jwkThumbprint": "77_7PdYbkikec5AR6zSKVIxgNExChvuOLLULBwS6jwc",
-  "identifier": {
-    "did": "did:jwk:eyJhbGciOiJFUzI1NiIsInVzZSI6InNpZyIsImt0eSI6IkVDIiwiY3J2IjoiUC0yNTYiLCJ4IjoiR2poUzgzeTJGaWhqYkYzOFBfc01VS2Y5MzVoVnZNRHNjazBEZ3h4bUMzNCIsInkiOiJTcFZPR3g1bGV2UWM1TV9ZM2VBTTJvdWhmRnF0VXNQelVfX0RBSVRYLWhJIn0",
-    "controllerKeyId": "did:jwk:eyJhbGciOiJFUzI1NiIsInVzZSI6InNpZyIsImt0eSI6IkVDIiwiY3J2IjoiUC0yNTYiLCJ4IjoiR2poUzgzeTJGaWhqYkYzOFBfc01VS2Y5MzVoVnZNRHNjazBEZ3h4bUMzNCIsInkiOiJTcFZPR3g1bGV2UWM1TV9ZM2VBTTJvdWhmRnF0VXNQelVfX0RBSVRYLWhJIn0#0",
-    "keys": [
-      {
-        <snip>
-        "kms": "local"
-      }
-    ],
-    "services": [],
-    "provider": "did:jwk"
-  },
-  "did": "did:jwk:eyJhbGciOiJFUzI1NiIsInVzZSI6InNpZyIsImt0eSI6IkVDIiwiY3J2IjoiUC0yNTYiLCJ4IjoiR2poUzgzeTJGaWhqYkYzOFBfc01VS2Y5MzVoVnZNRHNjazBEZ3h4bUMzNCIsInkiOiJTcFZPR3g1bGV2UWM1TV9ZM2VBTTJvdWhmRnF0VXNQelVfX0RBSVRYLWhJIn0",
-  "controllerKeyId": "did:jwk:eyJhbGciOiJFUzI1NiIsInVzZSI6InNpZyIsImt0eSI6IkVDIiwiY3J2IjoiUC0yNTYiLCJ4IjoiR2poUzgzeTJGaWhqYkYzOFBfc01VS2Y5MzVoVnZNRHNjazBEZ3h4bUMzNCIsInkiOiJTcFZPR3g1bGV2UWM1TV9ZM2VBTTJvdWhmRnF0VXNQelVfX0RBSVRYLWhJIn0#0",
-  "keys": [
-    {
-      <snip,
-      see
-      key
-      below>
-    }
-  ],
-  "key": {
-    "type": "Secp256r1",
-    "kid": "021a3852f37cb61628636c5dfc3ffb0c50a7fddf9855bcc0ec724d03831c660b7e",
-    "publicKeyHex": "021a3852f37cb61628636c5dfc3ffb0c50a7fddf9855bcc0ec724d03831c660b7e",
-    "kms": "local",
-    "meta": <snip>
-  },
-  "kmsKeyRef": "021a3852f37cb61628636c5dfc3ffb0c50a7fddf9855bcc0ec724d03831c660b7e"
-}
-```
-
-### KMS Key reference, JWK Thumbprint
+Verify the signature:
 
-Read a managed identifier by kmsRef, or jwkThumbprint, using the above example. The response is the same, minus the
-identifier object, did and controllerKey values in the result as it will be a single key only in this case.
+You can optionally provide a JWK if you want to use the JWK as a key for verification. Otherwise it will automacally
+resolve the header params like x5c, kid (DID), JWK to perform the resolution with
+the [Universal Identifier Resolution](https://github.com/Sphereon-Opensource/SSI-SDK-crypto-extensions/tree/develop/packages/identifier-resolution)
+module
 
 ```typescript
-// JWK Thumbprint
-resolution = await agent.identifierManagedGet({ identifier: '77_7PdYbkikec5AR6zSKVIxgNExChvuOLLULBwS6jwc' })
-// This is the same as above, but with the benefit of having fully typed response, instead of a union
-resolution = await agent.identifierManagedGetByKid({ identifier: '77_7PdYbkikec5AR6zSKVIxgNExChvuOLLULBwS6jwc' })
-
-// KMS Key ref
-resolution = await agent.identifierManagedGet({ identifier: '021a3852f37cb61628636c5dfc3ffb0c50a7fddf9855bcc0ec724d03831c660b7e' })
-// This is the same as above, but with the benefit of having fully typed response, instead of a union
-resolution = await agent.identifierManagedGetByKid({ identifier: '021a3852f37cb61628636c5dfc3ffb0c50a7fddf9855bcc0ec724d03831c660b7e' })
-
-const jwk = {
-  alg: 'ES256',
+const ietfJwk = {
   kty: 'EC',
   crv: 'P-256',
-  x: 'GjhS83y2FihjbF38P_sMUKf935hVvMDsck0DgxxmC34',
-  y: 'SpVOGx5levQc5M_Y3eAM2ouhfFqtUsPzU__DAITX-hI',
-  kid: '77_7PdYbkikec5AR6zSKVIxgNExChvuOLLULBwS6jwc',
-}
-
-// By JWK object
-resolution = await agent.identifierManagedGet({ identifier: jwk })
-// This is the same as above, but with the benefit of having fully typed response, instead of a union
-resolution = await agent.identifierManagedGetByJwk({ identifier: jwk })
-```
-
-## External Identifiers
-
-We will use the example JWK above again, as that is an in memory construct, we can also resolve it like an external
-identifier
-
-### DIDs
-
-```typescript
-const did =
-  'did:jwk:eyJhbGciOiJFUzI1NiIsInVzZSI6InNpZyIsImt0eSI6IkVDIiwiY3J2IjoiUC0yNTYiLCJ4IjoiR2poUzgzeTJGaWhqYkYzOFBfc01VS2Y5MzVoVnZNRHNjazBEZ3h4bUMzNCIsInkiOiJTcFZPR3g1bGV2UWM1TV9ZM2VBTTJvdWhmRnF0VXNQelVfX0RBSVRYLWhJIn0'
-
-resolution = await agent.identifierExternalResolve({ identifier: did })
-// This is the same as above, but with the benefit of having fully typed response, instead of a union
-resolution = await agent.identifierExternalResolveByDid({ identifier: did })
-console.log(JSON.stringify(resolution, null, 2))
-```
-
-Results in the following JSON, with some properties removed for brevity
-
-```json
-{
-  "method": "did",
-  "did": "did:jwk:eyJhbGciOiJFUzI1NiIsInVzZSI6InNpZyIsImt0eSI6IkVDIiwiY3J2IjoiUC0yNTYiLCJ4Ijoid2RJRW1mam1hWmlHc3ViOUhmZm5oYnIweFZWVm1WTGlVWUxzY2dSdC0zWSIsInkiOiJlcHQza2U0U3NsWmI3WmJ3ZVdLbVNhTTMxNjZadXZlY1o5Y2lLczZQRGN3In0",
-  "jwks": [
-    {
-      "jwk": {
-        "alg": "ES256",
-        "use": "sig",
-        "kty": "EC",
-        "crv": "P-256",
-        "x": "wdIEmfjmaZiGsub9Hffnhbr0xVVVmVLiUYLscgRt-3Y",
-        "y": "ept3ke4SslZb7ZbweWKmSaM3166ZuvecZ9ciKs6PDcw",
-        "kid": "did:jwk:eyJhbGciOiJFUzI1NiIsInVzZSI6InNpZyIsImt0eSI6IkVDIiwiY3J2IjoiUC0yNTYiLCJ4Ijoid2RJRW1mam1hWmlHc3ViOUhmZm5oYnIweFZWVm1WTGlVWUxzY2dSdC0zWSIsInkiOiJlcHQza2U0U3NsWmI3WmJ3ZVdLbVNhTTMxNjZadXZlY1o5Y2lLczZQRGN3In0#0"
-      },
-      "jwkThumbprint": "gBT5We3eKcs3NNBAeJ40iPHbWvqAmY8C8L36rGwOAJk",
-      "kid": "did:jwk:eyJhbGciOiJFUzI1NiIsInVzZSI6InNpZyIsImt0eSI6IkVDIiwiY3J2IjoiUC0yNTYiLCJ4Ijoid2RJRW1mam1hWmlHc3ViOUhmZm5oYnIweFZWVm1WTGlVWUxzY2dSdC0zWSIsInkiOiJlcHQza2U0U3NsWmI3WmJ3ZVdLbVNhTTMxNjZadXZlY1o5Y2lLczZQRGN3In0#0"
-    }
-  ],
-  "didJwks": {
-    // These are the JWKs per verification method relationship. For a JWK this includes the above JWK, so we will not repeat it here
-    "verificationMethod": [
-      {
-        <snip>
-      }
-    ],
-    "assertionMethod": [
-      {
-        <snip>
-      }
-    ],
-    "authentication": [
-      {
-        <snip>
-      }
-    ],
-    "keyAgreement": [],
-    "capabilityInvocation": [
-      {
-        <snip>
-      }
-    ],
-    "capabilityDelegation": [
-      {
-        <snip>
-      }
-    ]
-  },
-  "didDocument": {
-    "@context": [
-      "https://www.w3.org/ns/did/v1",
-      {
-        "@vocab": "https://www.iana.org/assignments/jose#"
-      }
-    ],
-    "id": "did:jwk:eyJhbGciOiJFUzI1NiIsInVzZSI6InNpZyIsImt0eSI6IkVDIiwiY3J2IjoiUC0yNTYiLCJ4Ijoid2RJRW1mam1hWmlHc3ViOUhmZm5oYnIweFZWVm1WTGlVWUxzY2dSdC0zWSIsInkiOiJlcHQza2U0U3NsWmI3WmJ3ZVdLbVNhTTMxNjZadXZlY1o5Y2lLczZQRGN3In0",
-    "verificationMethod": [
-      {
-        "id": "did:jwk:eyJhbGciOiJFUzI1NiIsInVzZSI6InNpZyIsImt0eSI6IkVDIiwiY3J2IjoiUC0yNTYiLCJ4Ijoid2RJRW1mam1hWmlHc3ViOUhmZm5oYnIweFZWVm1WTGlVWUxzY2dSdC0zWSIsInkiOiJlcHQza2U0U3NsWmI3WmJ3ZVdLbVNhTTMxNjZadXZlY1o5Y2lLczZQRGN3In0#0",
-        "type": "JsonWebKey2020",
-        "controller": "did:jwk:eyJhbGciOiJFUzI1NiIsInVzZSI6InNpZyIsImt0eSI6IkVDIiwiY3J2IjoiUC0yNTYiLCJ4Ijoid2RJRW1mam1hWmlHc3ViOUhmZm5oYnIweFZWVm1WTGlVWUxzY2dSdC0zWSIsInkiOiJlcHQza2U0U3NsWmI3WmJ3ZVdLbVNhTTMxNjZadXZlY1o5Y2lLczZQRGN3In0",
-        "publicKeyJwk": {
-          "alg": "ES256",
-          "use": "sig",
-          "kty": "EC",
-          "crv": "P-256",
-          "x": "wdIEmfjmaZiGsub9Hffnhbr0xVVVmVLiUYLscgRt-3Y",
-          "y": "ept3ke4SslZb7ZbweWKmSaM3166ZuvecZ9ciKs6PDcw",
-          "kid": "did:jwk:eyJhbGciOiJFUzI1NiIsInVzZSI6InNpZyIsImt0eSI6IkVDIiwiY3J2IjoiUC0yNTYiLCJ4Ijoid2RJRW1mam1hWmlHc3ViOUhmZm5oYnIweFZWVm1WTGlVWUxzY2dSdC0zWSIsInkiOiJlcHQza2U0U3NsWmI3WmJ3ZVdLbVNhTTMxNjZadXZlY1o5Y2lLczZQRGN3In0#0"
-        }
-      }
-    ],
-    "assertionMethod": [
-      "did:jwk:eyJhbGciOiJFUzI1NiIsInVzZSI6InNpZyIsImt0eSI6IkVDIiwiY3J2IjoiUC0yNTYiLCJ4Ijoid2RJRW1mam1hWmlHc3ViOUhmZm5oYnIweFZWVm1WTGlVWUxzY2dSdC0zWSIsInkiOiJlcHQza2U0U3NsWmI3WmJ3ZVdLbVNhTTMxNjZadXZlY1o5Y2lLczZQRGN3In0#0"
-    ],
-    "authentication": [
-      "did:jwk:eyJhbGciOiJFUzI1NiIsInVzZSI6InNpZyIsImt0eSI6IkVDIiwiY3J2IjoiUC0yNTYiLCJ4Ijoid2RJRW1mam1hWmlHc3ViOUhmZm5oYnIweFZWVm1WTGlVWUxzY2dSdC0zWSIsInkiOiJlcHQza2U0U3NsWmI3WmJ3ZVdLbVNhTTMxNjZadXZlY1o5Y2lLczZQRGN3In0#0"
-    ],
-    "capabilityInvocation": [
-      "did:jwk:eyJhbGciOiJFUzI1NiIsInVzZSI6InNpZyIsImt0eSI6IkVDIiwiY3J2IjoiUC0yNTYiLCJ4Ijoid2RJRW1mam1hWmlHc3ViOUhmZm5oYnIweFZWVm1WTGlVWUxzY2dSdC0zWSIsInkiOiJlcHQza2U0U3NsWmI3WmJ3ZVdLbVNhTTMxNjZadXZlY1o5Y2lLczZQRGN3In0#0"
-    ],
-    "capabilityDelegation": [
-      "did:jwk:eyJhbGciOiJFUzI1NiIsInVzZSI6InNpZyIsImt0eSI6IkVDIiwiY3J2IjoiUC0yNTYiLCJ4Ijoid2RJRW1mam1hWmlHc3ViOUhmZm5oYnIweFZWVm1WTGlVWUxzY2dSdC0zWSIsInkiOiJlcHQza2U0U3NsWmI3WmJ3ZVdLbVNhTTMxNjZadXZlY1o5Y2lLczZQRGN3In0#0"
-    ]
-  },
-  "didResolutionResult": {
-    "didDocumentMetadata": {},
-    "didResolutionMetadata": {
-      "contentType": "application/did+ld+json",
-      "pattern": "^(did:jwk:.+)$",
-      "did": {
-        "didString": "did:jwk:eyJhbGciOiJFUzI1NiIsInVzZSI6InNpZyIsImt0eSI6IkVDIiwiY3J2IjoiUC0yNTYiLCJ4Ijoid2RJRW1mam1hWmlHc3ViOUhmZm5oYnIweFZWVm1WTGlVWUxzY2dSdC0zWSIsInkiOiJlcHQza2U0U3NsWmI3WmJ3ZVdLbVNhTTMxNjZadXZlY1o5Y2lLczZQRGN3In0",
-        "methodSpecificId": "eyJhbGciOiJFUzI1NiIsInVzZSI6InNpZyIsImt0eSI6IkVDIiwiY3J2IjoiUC0yNTYiLCJ4Ijoid2RJRW1mam1hWmlHc3ViOUhmZm5oYnIweFZWVm1WTGlVWUxzY2dSdC0zWSIsInkiOiJlcHQza2U0U3NsWmI3WmJ3ZVdLbVNhTTMxNjZadXZlY1o5Y2lLczZQRGN3In0",
-        "method": "jwk"
-      }
-    }
-  },
-  "didParsed": {
-    "did": "did:jwk:eyJhbGciOiJFUzI1NiIsInVzZSI6InNpZyIsImt0eSI6IkVDIiwiY3J2IjoiUC0yNTYiLCJ4Ijoid2RJRW1mam1hWmlHc3ViOUhmZm5oYnIweFZWVm1WTGlVWUxzY2dSdC0zWSIsInkiOiJlcHQza2U0U3NsWmI3WmJ3ZVdLbVNhTTMxNjZadXZlY1o5Y2lLczZQRGN3In0",
-    "method": "jwk",
-    "id": "eyJhbGciOiJFUzI1NiIsInVzZSI6InNpZyIsImt0eSI6IkVDIiwiY3J2IjoiUC0yNTYiLCJ4Ijoid2RJRW1mam1hWmlHc3ViOUhmZm5oYnIweFZWVm1WTGlVWUxzY2dSdC0zWSIsInkiOiJlcHQza2U0U3NsWmI3WmJ3ZVdLbVNhTTMxNjZadXZlY1o5Y2lLczZQRGN3In0",
-    "didUrl": "did:jwk:eyJhbGciOiJFUzI1NiIsInVzZSI6InNpZyIsImt0eSI6IkVDIiwiY3J2IjoiUC0yNTYiLCJ4Ijoid2RJRW1mam1hWmlHc3ViOUhmZm5oYnIweFZWVm1WTGlVWUxzY2dSdC0zWSIsInkiOiJlcHQza2U0U3NsWmI3WmJ3ZVdLbVNhTTMxNjZadXZlY1o5Y2lLczZQRGN3In0"
-  }
-}
-```
-
-### X.509 Certificate Chains
-
-You can provide an optional verification time as well using a Date as value. By default the X5C will be fully verified,
-unless the verification param is set to false.
-
-```typescript
-const sphereonCA = 'PEM or DER CERT'
-const sphereonTest = 'PEM or DER CERT'
-
-let resolution = await agent.identifierExternalResolve({
-  identifier: [sphereonTest, sphereonCA],
-  trustAnchors: [sphereonCA],
-})
-
-// This is the same as above, but with the benefit of having fully typed response, instead of a union
-resolution = await agent.identifierExternalResolveByX5c({
-  identifier: [sphereonTest, sphereonCA],
-  trustAnchors: [sphereonCA],
+  x: 'f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU',
+  y: 'x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0',
+  // d: 'jpsQnnGQmL-YBIffH1136cspYG6-0iY7X1fCE9-E9LI',
+} satisfies JWK
+
+const result = await agent.jwtVerifyJwsSignature({
+  jws: example.jwt,
+  jwk: ietfJwk,
 })
-
-console.log(JSON.stringify(resolution, null, 2))
 ```
 
-```json
-{
-  "method": "x5c",
-  "verificationResult": {
-    "error": false,
-    "critical": false,
-    "message": "Certificate chain was valid",
-    "verificationTime": "2024-08-13T13:28:16.457Z",
-    "certificateChain": [
+```typescript
+const result = {
+  critical: false,
+  error: false,
+  jws: {
+    payload: 'eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ',
+    signatures: [
       {
-        "issuer": {
-          "dn": {
-            "DN": "C=NL,O=Sphereon International B.V.,OU=IT,CN=ca.sphereon.com",
-            "attributes": {
-              "C": "NL",
-              "O": "Sphereon International B.V.",
-              "OU": "IT",
-              "CN": "ca.sphereon.com"
-            }
-          }
-        },
-        "subject": {
-          "dn": {
-            "DN": "CN=test123.test.sphereon.com",
-            "attributes": {
-              "CN": "test123.test.sphereon.com"
-            }
-          }
-        },
-        "publicKeyJWK": {
-          "key_ops": ["verify"],
-          "ext": true,
-          "kty": "EC",
-          "x": "pyVHVR7IdgWmG_TLb3-K_4dg3XC6GQQWDB61Lna15ns",
-          "y": "OcVNCBD0kMmqEaKjbczwd2GvbV1AOxgE7AKsa3L0zxM",
-          "crv": "P-256"
+        identifier: {
+          jwk: {
+            crv: 'P-256',
+            kty: 'EC',
+            x: 'f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU',
+            y: 'x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0',
+          },
+          jwks: [
+            {
+              jwk: {
+                crv: 'P-256',
+                kty: 'EC',
+                x: 'f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU',
+                y: 'x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0',
+              },
+              jwkThumbprint: 'oKIywvGUpTVTyxMQ3bwIIeQUudfr_CkLMjCE19ECD-U',
+              publicKeyHex: '037fcdce2770f6c45d4183cbee6fdb4b7b580733357be9ef13bacf6e3c7bd15445',
+            },
+          ],
+          method: 'jwk',
         },
-        "notBefore": "2024-08-06T20:16:12.000Z",
-        "notAfter": "2024-11-04T22:16:12.000Z"
+        protected: 'eyJhbGciOiJFUzI1NiJ9',
+        signature: 'e4ZrhZdbFQ7630Tq51E6RQiJaae9bFNGJszIhtusEwzvO21rzH76Wer6yRn2Zb34VjIm3cVRl0iQctbf4uBY3w',
       },
-      {
-        "issuer": {
-          "dn": {
-            "DN": "C=NL,O=Sphereon International B.V.,OU=IT,CN=ca.sphereon.com",
-            "attributes": {
-              "C": "NL",
-              "O": "Sphereon International B.V.",
-              "OU": "IT",
-              "CN": "ca.sphereon.com"
-            }
-          }
-        },
-        "subject": {
-          "dn": {
-            "DN": "C=NL,O=Sphereon International B.V.,OU=IT,CN=ca.sphereon.com",
-            "attributes": {
-              "C": "NL",
-              "O": "Sphereon International B.V.",
-              "OU": "IT",
-              "CN": "ca.sphereon.com"
-            }
-          }
-        },
-        "publicKeyJWK": {
-          "key_ops": ["verify"],
-          "ext": true,
-          "kty": "EC",
-          "x": "SIDQp4RJI2s5yYIOBrxiwGRROCjBkbCq8vaf3UlSkAw",
-          "y": "dRSwvlVFdqdiLXnk2pQqT1vZnDG0I-x-iz2EbdsG0aY",
-          "crv": "P-256"
-        },
-        "notBefore": "2024-07-28T21:26:49.000Z",
-        "notAfter": "2034-07-28T21:26:49.000Z"
-      }
-    ]
-  },
-  "issuerJWK": {
-    "key_ops": ["verify"],
-    "ext": true,
-    "kty": "EC",
-    "x": "pyVHVR7IdgWmG_TLb3-K_4dg3XC6GQQWDB61Lna15ns",
-    "y": "OcVNCBD0kMmqEaKjbczwd2GvbV1AOxgE7AKsa3L0zxM",
-    "crv": "P-256"
+    ],
   },
-  "jwks": [
-    {
-      "jwk": {
-        "key_ops": ["verify"],
-        "ext": true,
-        "kty": "EC",
-        "x": "pyVHVR7IdgWmG_TLb3-K_4dg3XC6GQQWDB61Lna15ns",
-        "y": "OcVNCBD0kMmqEaKjbczwd2GvbV1AOxgE7AKsa3L0zxM",
-        "crv": "P-256"
-      },
-      "kid": "CN=test123.test.sphereon.com",
-      "jwkThumbprint": "LlITYB6tlvSVtVrMtIEzrkkSQkMSoPslhQ3Rnk1x484"
-    },
-    {
-      "jwk": {
-        "key_ops": ["verify"],
-        "ext": true,
-        "kty": "EC",
-        "x": "SIDQp4RJI2s5yYIOBrxiwGRROCjBkbCq8vaf3UlSkAw",
-        "y": "dRSwvlVFdqdiLXnk2pQqT1vZnDG0I-x-iz2EbdsG0aY",
-        "crv": "P-256"
-      },
-      "kid": "C=NL,O=Sphereon International B.V.,OU=IT,CN=ca.sphereon.com",
-      "jwkThumbprint": "1wAefk4zZ8Q8cM-9djHoJhPUtKjVFLqG7u9VftVqulA"
-    }
-  ],
-  "x5c": [
-    "MIIC1jCCAnygAwIBAgITALtvb+InWBtzJO3mAeQZIUBXbzAKBggqhkjOPQQDAjBaMQswCQYDVQQGEwJOTDEkMCIGA1UECgwbU3BoZXJlb24gSW50ZXJuYXRpb25hbCBCLlYuMQswCQYDVQQLDAJJVDEYMBYGA1UEAwwPY2Euc3BoZXJlb24uY29tMB4XDTI0MDgwNjIwMTYxMloXDTI0MTEwNDIyMTYxMlowJDEiMCAGA1UEAwwZdGVzdDEyMy50ZXN0LnNwaGVyZW9uLmNvbTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABKclR1UeyHYFphv0y29/iv+HYN1wuhkEFgwetS52teZ7OcVNCBD0kMmqEaKjbczwd2GvbV1AOxgE7AKsa3L0zxOjggFVMIIBUTAdBgNVHQ4EFgQUoWVOwL15ttB1YPUd0HgvYry0Z+UwHwYDVR0jBBgwFoAU5wfKXZVc+cig/s7jZEUegLMsMsEwYQYIKwYBBQUHAQEEVTBTMFEGCCsGAQUFBzAChkVodHRwOi8vZXUuY2VydC5lemNhLmlvL2NlcnRzL2RhYTFiNGI0LTg1ZmQtNGJhNC1iOTZiLTMzMmFkZDg5OWNlOS5jZXIwEwYDVR0lBAwwCgYIKwYBBQUHAwIwJAYDVR0RBB0wG4IZdGVzdDEyMy50ZXN0LnNwaGVyZW9uLmNvbTAOBgNVHQ8BAf8EBAMCB4AwYQYDVR0fBFowWDBWoFSgUoZQaHR0cDovL2V1LmNybC5lemNhLmlvL2NybC8yY2RmN2M1ZS1iOWNkLTQzMTctYmI1Ni0zODZkMjQ0MzgwZTIvY2FzcGhlcmVvbmNvbS5jcmwwCgYIKoZIzj0EAwIDSAAwRQIgThuggyhKePvRt5YEvfg6MD42N2/63L0ypw0vLZkM+zYCIQD+uInjqsfR6K/D+ebjuOAdhOyeD2nZAW29zN20WIQJsw==",
-    "MIICCDCCAa6gAwIBAgITAPMgqwtYzWPBXaobHhxG9iSydTAKBggqhkjOPQQDAjBaMQswCQYDVQQGEwJOTDEkMCIGA1UECgwbU3BoZXJlb24gSW50ZXJuYXRpb25hbCBCLlYuMQswCQYDVQQLDAJJVDEYMBYGA1UEAwwPY2Euc3BoZXJlb24uY29tMB4XDTI0MDcyODIxMjY0OVoXDTM0MDcyODIxMjY0OVowWjELMAkGA1UEBhMCTkwxJDAiBgNVBAoMG1NwaGVyZW9uIEludGVybmF0aW9uYWwgQi5WLjELMAkGA1UECwwCSVQxGDAWBgNVBAMMD2NhLnNwaGVyZW9uLmNvbTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABEiA0KeESSNrOcmCDga8YsBkUTgowZGwqvL2n91JUpAMdRSwvlVFdqdiLXnk2pQqT1vZnDG0I+x+iz2EbdsG0aajUzBRMB0GA1UdDgQWBBTnB8pdlVz5yKD+zuNkRR6AsywywTAOBgNVHQ8BAf8EBAMCAaYwDwYDVR0lBAgwBgYEVR0lADAPBgNVHRMBAf8EBTADAQH/MAoGCCqGSM49BAMCA0gAMEUCIHH7ie1OAAbff5262rzZVQa8J9zENG8AQlHHFydMdgaXAiEA1Ib82mhHIYDziE0DDbHEAXOs98al+7dpo8fPGVGTeKI="
-  ]
+  message: 'Signature validated',
+  name: 'jws',
+  verificationTime: '2024-08-10T23:04:23',
 }
 ```
 
 ### Installation
 
 ```shell
-pnpm add @sphereon/ssi-sdk-ext.identifier-resolution
+pnpm add @sphereon/ssi-sdk-ext.jwt-service
 ```
 
 ### Build

package/dist/agent/JwtService.d.ts

@@ -10,5 +10,8 @@ export declare class JwtService implements IAgentPlugin {
     private jwtCreateJwsJsonGeneralSignature;
     private jwtCreateJwsJsonFlattenedSignature;
     private jwtCreateJwsCompactSignature;
+    private jwtVerifyJwsSignature;
+    private jwtEncryptJweCompactJwt;
+    private jwtDecryptJweCompactJwt;
 }
 //# sourceMappingURL=JwtService.d.ts.map

package/dist/agent/JwtService.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"JwtService.d.ts","sourceRoot":"","sources":["../../src/agent/JwtService.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,cAAc,CAAA;AAC3C,OAAO,EAOL,WAAW,EAQZ,MAAM,IAAI,CAAA;AAEX;;GAEG;AACH,qBAAa,UAAW,YAAW,YAAY;IAC7C,QAAQ,CAAC,MAAM,MAAgC;IAC/C,QAAQ,CAAC,OAAO,EAAE,WAAW,CAK5B;YAEa,aAAa;YAIb,gCAAgC;YAIhC,kCAAkC;YAIlC,4BAA4B;CAI3C"}
+{"version":3,"file":"JwtService.d.ts","sourceRoot":"","sources":["../../src/agent/JwtService.ts"],"names":[],"mappings":"AAAA,OAAO,EAAC,YAAY,EAAC,MAAM,cAAc,CAAA;AACzC,OAAO,EAUH,WAAW,EAad,MAAM,IAAI,CAAA;AAKX;;GAEG;AACH,qBAAa,UAAW,YAAW,YAAY;IAC3C,QAAQ,CAAC,MAAM,MAAqB;IACpC,QAAQ,CAAC,OAAO,EAAE,WAAW,CAQ5B;YAEa,aAAa;YAIb,gCAAgC;YAIhC,kCAAkC;YAIlC,4BAA4B;YAK5B,qBAAqB;YAIrB,uBAAuB;YAyCvB,uBAAuB;CAIxC"}

package/dist/agent/JwtService.js

@@ -1,4 +1,27 @@
 "use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || function (mod) {
+    if (mod && mod.__esModule) return mod;
+    var result = {};
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+    __setModuleDefault(result, mod);
+    return result;
+};
 var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
     function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
     return new (P || (P = Promise))(function (resolve, reject) {
@@ -11,17 +34,22 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.JwtService = void 0;
 const __1 = require("..");
+const JWE_1 = require("../functions/JWE");
+const u8a = __importStar(require("uint8arrays"));
 /**
  * @public
  */
 class JwtService {
     constructor() {
-        this.schema = __1.schema.IMnemonicInfoGenerator;
+        this.schema = __1.schema.IJwtService;
         this.methods = {
             jwtPrepareJws: this.jwtPrepareJws.bind(this),
             jwtCreateJwsJsonGeneralSignature: this.jwtCreateJwsJsonGeneralSignature.bind(this),
             jwtCreateJwsJsonFlattenedSignature: this.jwtCreateJwsJsonFlattenedSignature.bind(this),
             jwtCreateJwsCompactSignature: this.jwtCreateJwsCompactSignature.bind(this),
+            jwtVerifyJwsSignature: this.jwtVerifyJwsSignature.bind(this),
+            jwtEncryptJweCompactJwt: this.jwtEncryptJweCompactJwt.bind(this),
+            jwtDecryptJweCompactJwt: this.jwtDecryptJweCompactJwt.bind(this)
         };
     }
     jwtPrepareJws(args, context) {
@@ -45,6 +73,55 @@ class JwtService {
             return { jwt: yield (0, __1.createJwsCompact)(args, context) };
         });
     }
+    jwtVerifyJwsSignature(args, context) {
+        return __awaiter(this, void 0, void 0, function* () {
+            return yield (0, __1.verifyJws)(args, context);
+        });
+    }
+    jwtEncryptJweCompactJwt(args, context) {
+        return __awaiter(this, void 0, void 0, function* () {
+            var _a, _b, _c, _d, _e, _f, _g;
+            const { payload, protectedHeader = { alg: args.alg, enc: args.enc }, recipientKey, issuer, expirationTime, audience } = args;
+            console.log(JSON.stringify(args, null, 2));
+            const alg = (_b = (_a = (0, __1.jweAlg)(args.alg)) !== null && _a !== void 0 ? _a : (0, __1.jweAlg)(protectedHeader.alg)) !== null && _b !== void 0 ? _b : 'ECDH-ES';
+            const enc = (_d = (_c = (0, __1.jweEnc)(args.enc)) !== null && _c !== void 0 ? _c : (0, __1.jweEnc)(protectedHeader.enc)) !== null && _d !== void 0 ? _d : 'A256GCM';
+            const encJwks = recipientKey.jwks.length === 1 ? [recipientKey.jwks[0]] : recipientKey.jwks.filter(jwk => (jwk.kid && (jwk.kid === jwk.jwk.kid || jwk.kid === jwk.jwkThumbprint)) || jwk.jwk.use === 'enc');
+            if (encJwks.length === 0) {
+                return Promise.reject(Error(`No public JWK found that can be used to encrypt against`));
+            }
+            const jwkInfo = encJwks[0];
+            if (encJwks.length > 0) {
+                __1.JwtLogger.warning(`More than one JWK with 'enc' usage found. Selected the first one as no 'kid' was provided`, encJwks);
+            }
+            if (((_e = jwkInfo.jwk.kty) === null || _e === void 0 ? void 0 : _e.startsWith('EC')) !== true || !alg.startsWith('ECDH')) {
+                return Promise.reject(Error(`Currently only ECDH-ES is supported for encryption. JWK alg ${jwkInfo.jwk.kty}, header alg ${alg}`)); // TODO: Probably we support way more already
+            }
+            const apuVal = (_f = protectedHeader.apu) !== null && _f !== void 0 ? _f : args.apu;
+            const apu = apuVal ? u8a.fromString(apuVal, 'base64url') : undefined;
+            const apvVal = (_g = protectedHeader.apv) !== null && _g !== void 0 ? _g : args.apv;
+            const apv = apvVal ? u8a.fromString(apvVal, 'base64url') : undefined;
+            const pubKey = yield crypto.subtle.importKey('jwk', jwkInfo.jwk, {
+                name: 'ECDH',
+                namedCurve: 'P-256',
+            }, true, []);
+            const encrypter = new JWE_1.CompactJwtEncrypter({
+                enc,
+                alg,
+                keyManagementParams: { apu, apv },
+                key: pubKey,
+                issuer,
+                expirationTime,
+                audience
+            });
+            const jwe = yield encrypter.encryptCompactJWT(payload, {});
+            return { jwt: jwe };
+        });
+    }
+    jwtDecryptJweCompactJwt(args, context) {
+        return __awaiter(this, void 0, void 0, function* () {
+            return { jwt: "FIXME" };
+        });
+    }
 }
 exports.JwtService = JwtService;
 //# sourceMappingURL=JwtService.js.map

package/dist/agent/JwtService.js.map

@@ -1 +1 @@
-{"version":3,"file":"JwtService.js","sourceRoot":"","sources":["../../src/agent/JwtService.ts"],"names":[],"mappings":";;;;;;;;;;;;AACA,0BAeW;AAEX;;GAEG;AACH,MAAa,UAAU;IAAvB;QACW,WAAM,GAAG,UAAM,CAAC,sBAAsB,CAAA;QACtC,YAAO,GAAgB;YAC9B,aAAa,EAAE,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC;YAC5C,gCAAgC,EAAE,IAAI,CAAC,gCAAgC,CAAC,IAAI,CAAC,IAAI,CAAC;YAClF,kCAAkC,EAAE,IAAI,CAAC,kCAAkC,CAAC,IAAI,CAAC,IAAI,CAAC;YACtF,4BAA4B,EAAE,IAAI,CAAC,4BAA4B,CAAC,IAAI,CAAC,IAAI,CAAC;SAC3E,CAAA;IAkBH,CAAC;IAhBe,aAAa,CAAC,IAAuB,EAAE,OAAyB;;YAC5E,OAAO,MAAM,IAAA,oBAAgB,EAAC,IAAI,EAAE,OAAO,CAAC,CAAA;QAC9C,CAAC;KAAA;IAEa,gCAAgC,CAAC,IAAuB,EAAE,OAAyB;;YAC/F,OAAO,MAAM,IAAA,wBAAoB,EAAC,IAAI,EAAE,OAAO,CAAC,CAAA;QAClD,CAAC;KAAA;IAEa,kCAAkC,CAAC,IAA4B,EAAE,OAAyB;;YACtG,OAAO,MAAM,IAAA,0BAAsB,EAAC,IAAI,EAAE,OAAO,CAAC,CAAA;QACpD,CAAC;KAAA;IAEa,4BAA4B,CAAC,IAA0B,EAAE,OAAyB;;YAC9F,oDAAoD;YACpD,OAAO,EAAE,GAAG,EAAE,MAAM,IAAA,oBAAgB,EAAC,IAAI,EAAE,OAAO,CAAC,EAAE,CAAA;QACvD,CAAC;KAAA;CACF;AAzBD,gCAyBC"}
+{"version":3,"file":"JwtService.js","sourceRoot":"","sources":["../../src/agent/JwtService.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AACA,0BAuBW;AACX,0CAAqD;AAErD,iDAAkC;AAElC;;GAEG;AACH,MAAa,UAAU;IAAvB;QACa,WAAM,GAAG,UAAM,CAAC,WAAW,CAAA;QAC3B,YAAO,GAAgB;YAC5B,aAAa,EAAE,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC;YAC5C,gCAAgC,EAAE,IAAI,CAAC,gCAAgC,CAAC,IAAI,CAAC,IAAI,CAAC;YAClF,kCAAkC,EAAE,IAAI,CAAC,kCAAkC,CAAC,IAAI,CAAC,IAAI,CAAC;YACtF,4BAA4B,EAAE,IAAI,CAAC,4BAA4B,CAAC,IAAI,CAAC,IAAI,CAAC;YAC1E,qBAAqB,EAAE,IAAI,CAAC,qBAAqB,CAAC,IAAI,CAAC,IAAI,CAAC;YAC5D,uBAAuB,EAAE,IAAI,CAAC,uBAAuB,CAAC,IAAI,CAAC,IAAI,CAAC;YAChE,uBAAuB,EAAE,IAAI,CAAC,uBAAuB,CAAC,IAAI,CAAC,IAAI,CAAC;SACnE,CAAA;IAoEL,CAAC;IAlEiB,aAAa,CAAC,IAAuB,EAAE,OAAyB;;YAC1E,OAAO,MAAM,IAAA,oBAAgB,EAAC,IAAI,EAAE,OAAO,CAAC,CAAA;QAChD,CAAC;KAAA;IAEa,gCAAgC,CAAC,IAAuB,EAAE,OAAyB;;YAC7F,OAAO,MAAM,IAAA,wBAAoB,EAAC,IAAI,EAAE,OAAO,CAAC,CAAA;QACpD,CAAC;KAAA;IAEa,kCAAkC,CAAC,IAA4B,EAAE,OAAyB;;YACpG,OAAO,MAAM,IAAA,0BAAsB,EAAC,IAAI,EAAE,OAAO,CAAC,CAAA;QACtD,CAAC;KAAA;IAEa,4BAA4B,CAAC,IAA0B,EAAE,OAAyB;;YAC5F,oDAAoD;YACpD,OAAO,EAAC,GAAG,EAAE,MAAM,IAAA,oBAAgB,EAAC,IAAI,EAAE,OAAO,CAAC,EAAC,CAAA;QACvD,CAAC;KAAA;IAEa,qBAAqB,CAAC,IAAmB,EAAE,OAAyB;;YAC9E,OAAO,MAAM,IAAA,aAAS,EAAC,IAAI,EAAE,OAAO,CAAC,CAAA;QACzC,CAAC;KAAA;IAEa,uBAAuB,CAAC,IAA8B,EAAE,OAAyB;;;YAC3F,MAAM,EAAC,OAAO,EAAE,eAAe,GAAG,EAAC,GAAG,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI,CAAC,GAAG,EAAC,EAAE,YAAY,EAAE,MAAM,EAAE,cAAc,EAAE,QAAQ,EAAC,GAAG,IAAI,CAAA;YAExH,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAA;YAE1C,MAAM,GAAG,GAAG,MAAA,MAAA,IAAA,UAAM,EAAC,IAAI,CAAC,GAAG,CAAC,mCAAI,IAAA,UAAM,EAAC,eAAe,CAAC,GAAG,CAAC,mCAAI,SAAS,CAAA;YACxE,MAAM,GAAG,GAAG,MAAA,MAAA,IAAA,UAAM,EAAC,IAAI,CAAC,GAAG,CAAC,mCAAI,IAAA,UAAM,EAAC,eAAe,CAAC,GAAG,CAAC,mCAAI,SAAS,CAAA;YACxE,MAAM,OAAO,GAAG,YAAY,CAAC,IAAI,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,GAAG,CAAC,GAAG,IAAI,CAAC,GAAG,CAAC,GAAG,KAAK,GAAG,CAAC,GAAG,CAAC,GAAG,IAAI,GAAG,CAAC,GAAG,KAAK,GAAG,CAAC,aAAa,CAAC,CAAC,IAAI,GAAG,CAAC,GAAG,CAAC,GAAG,KAAK,KAAK,CAAC,CAAA;YAC3M,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBACvB,OAAO,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,yDAAyD,CAAC,CAAC,CAAA;YAC3F,CAAC;YACD,MAAM,OAAO,GAAG,OAAO,CAAC,CAAC,CAAC,CAAA;YAC1B,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACrB,aAAS,CAAC,OAAO,CAAC,2FAA2F,EAAE,OAAO,CAAC,CAAA;YAC3H,CAAC;YACD,IAAI,CAAA,MAAA,OAAO,CAAC,GAAG,CAAC,GAAG,0CAAE,UAAU,CAAC,IAAI,CAAC,MAAK,IAAI,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;gBACxE,OAAO,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,+DAA+D,OAAO,CAAC,GAAG,CAAC,GAAG,gBAAgB,GAAG,EAAE,CAAC,CAAC,CAAA,CAAC,6CAA6C;YACnL,CAAC;YACD,MAAM,MAAM,GAAG,MAAA,eAAe,CAAC,GAAG,mCAAI,IAAI,CAAC,GAAG,CAAA;YAC9C,MAAM,GAAG,GAAG,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC,UAAU,CAAC,MAAM,EAAE,WAAW,CAAC,CAAC,CAAC,CAAC,SAAS,CAAA;YACpE,MAAM,MAAM,GAAG,MAAA,eAAe,CAAC,GAAG,mCAAI,IAAI,CAAC,GAAG,CAAA;YAC9C,MAAM,GAAG,GAAG,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC,UAAU,CAAC,MAAM,EAAE,WAAW,CAAC,CAAC,CAAC,CAAC,SAAS,CAAA;YAEpE,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,KAAK,EAAE,OAAO,CAAC,GAAG,EAAE;gBAC7D,IAAI,EAAE,MAAM;gBACZ,UAAU,EAAE,OAAO;aACtB,EAAE,IAAI,EAAE,EAAE,CAAC,CAAA;YACZ,MAAM,SAAS,GAAG,IAAI,yBAAmB,CAAC;gBACtC,GAAG;gBACH,GAAG;gBACH,mBAAmB,EAAE,EAAC,GAAG,EAAE,GAAG,EAAC;gBAC/B,GAAG,EAAE,MAAM;gBACX,MAAM;gBACN,cAAc;gBACd,QAAQ;aACX,CAAC,CAAA;YAEF,MAAM,GAAG,GAAG,MAAM,SAAS,CAAC,iBAAiB,CAAC,OAAO,EAAE,EAAE,CAAC,CAAA;YAC1D,OAAO,EAAC,GAAG,EAAE,GAAG,EAAC,CAAA;QACrB,CAAC;KAAA;IAEa,uBAAuB,CAAC,IAA8B,EAAE,OAAyB;;YAE3F,OAAO,EAAC,GAAG,EAAE,OAAO,EAAC,CAAA;QACzB,CAAC;KAAA;CACJ;AA9ED,gCA8EC"}