@sphereon/ssi-sdk-ext.jwt-service 0.28.1-feature.jose.vcdm.24 → 0.28.1-feature.jose.vcdm.26
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/index.cjs +45 -13
- package/dist/index.cjs.map +1 -1
- package/dist/index.js +40 -8
- package/dist/index.js.map +1 -1
- package/package.json +13 -11
- package/src/functions/index.ts +25 -17
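--- a/package/dist/index.cjs
+++ b/package/dist/index.cjs
@@ -37365,8 +37365,10 @@ var JwtService = class {
 };
 
 // src/functions/index.ts
-var import_ssi_sdk_ext = require("@sphereon/ssi-sdk-ext.
-var import_ssi_sdk_ext2 = require("@sphereon/ssi-sdk-ext.
+var import_ssi_sdk_ext = require("@sphereon/ssi-sdk-ext.did-utils");
+var import_ssi_sdk_ext2 = require("@sphereon/ssi-sdk-ext.identifier-resolution");
+var import_ssi_sdk_ext3 = require("@sphereon/ssi-sdk-ext.key-utils");
+var import_ssi_sdk = require("@sphereon/ssi-sdk.agent-config");
 var import_utils2 = require("@veramo/utils");
 var u8a3 = __toESM(require("uint8arrays"), 1);
 var { fromString: fromString3 } = u8a3;
@@ -37378,7 +37380,7 @@ var payloadToBytes = /* @__PURE__ */ __name((payload) => {
 var prepareJwsObject = /* @__PURE__ */ __name(async (args, context) => {
 const { existingSignatures, protectedHeader, unprotectedHeader, issuer, payload, mode = "auto", clientId, clientIdScheme } = args;
 const { noIdentifierInHeader = false } = issuer;
-const identifier = await (0,
+const identifier = await (0, import_ssi_sdk_ext2.ensureManagedIdentifierResult)(issuer, context);
 await checkAndUpdateJwsHeader({
 mode,
 identifier,
@@ -37439,10 +37441,14 @@ var createJwsJsonGeneral = /* @__PURE__ */ __name(async (args, context) => {
 issuer,
 mode
 }, context);
+const alg = protectedHeader.alg ?? (0, import_ssi_sdk_ext3.signatureAlgorithmFromKeyType)({
+type: identifier.key.type
+});
 const signature = await context.agent.keyManagerSign({
 keyRef: identifier.kmsKeyRef,
 data: `${b64.protectedHeader}.${b64.payload}`,
-encoding: void 0
+encoding: void 0,
+algorithm: alg
 });
 const jsonSignature = {
 protected: b64.protectedHeader,
@@ -37458,6 +37464,9 @@ var createJwsJsonGeneral = /* @__PURE__ */ __name(async (args, context) => {
 };
 }, "createJwsJsonGeneral");
 var checkAndUpdateJwsHeader = /* @__PURE__ */ __name(async ({ mode = "auto", identifier, header, noIdentifierInHeader = false }, context) => {
+header.alg = header.alg ?? (0, import_ssi_sdk_ext3.signatureAlgorithmFromKeyType)({
+type: identifier.key.type
+});
 if (isIdentifierMode(mode, identifier.method, "did")) {
 await checkAndUpdateDidHeader({
 header,
@@ -37496,7 +37505,7 @@ var checkAndUpdateX5cHeader = /* @__PURE__ */ __name(async ({ header, identifier
 return Promise.reject(Error(`An x5c header was present, but its issuer public key did not match the provided signing public key!`));
 }
 } else if (!noIdentifierInHeader) {
-if (!(0,
+if (!(0, import_ssi_sdk_ext2.isManagedIdentifierX5cResult)(identifier)) {
 return Promise.reject(Error("No x5c header in the JWT, but mode was x5c and also no x5x identifier was provided!"));
 } else if (header.jwk || header.kid) {
 return Promise.reject(Error("x5c mode was choosen, but jwk or kid headers were provided. These cannot be used together!"));
@@ -37514,7 +37523,7 @@ var checkAndUpdateDidHeader = /* @__PURE__ */ __name(async ({ header, identifier
 return Promise.reject(Error(`A kid header was present, but its value did not match the provided signing kid!`));
 }
 } else if (!noIdentifierInHeader) {
-if (!(0,
+if (!(0, import_ssi_sdk_ext2.isManagedIdentifierDidResult)(identifier)) {
 return Promise.reject(Error("No kid header in the JWT, but mode was did and also no DID identifier was provided!"));
 } else if (header.jwk || header.x5c) {
 return Promise.reject(Error("did mode was chosen, but jwk or x5c headers were provided. These cannot be used together!"));
@@ -37575,12 +37584,35 @@ var verifyJws = /* @__PURE__ */ __name(async (args, context) => {
 let valid;
 const data = fromString3(`${sigWithId.protected}.${jws.payload}`, "utf-8");
 const jwkInfo = sigWithId.identifier.jwks[0];
-
-
-
-
-
-
+let signatureAlg = void 0;
+if (sigWithId.protected.startsWith(`ey`)) {
+const header = (0, import_utils2.decodeJoseBlob)(sigWithId.protected);
+signatureAlg = header.alg;
+}
+if (false) {
+const publicKeyHex = (0, import_ssi_sdk_ext.jwkTtoPublicKeyHex)(jwkInfo.jwk);
+valid = await context.agent.keyManagerVerify({
+signature: sigWithId.signature,
+data,
+publicKeyHex,
+type: (0, import_ssi_sdk_ext3.keyTypeFromCryptographicSuite)({
+...jwkInfo.jwk.crv && {
+crv: jwkInfo.jwk.crv
+},
+alg: signatureAlg
+})
+});
+} else {
+const signature = (0, import_utils2.base64ToBytes)(sigWithId.signature);
+valid = await (0, import_ssi_sdk_ext3.verifyRawSignature)({
+data,
+signature,
+key: jwkInfo.jwk,
+opts: {
+signatureAlg
+}
+});
+}
 if (!valid) {
 errorMessages.push(`Signature ${index} was not valid`);
 }
@@ -37683,7 +37715,7 @@ var toJwsJsonGeneralWithIdentifiers = /* @__PURE__ */ __name(async (args, contex
 const signatures = await Promise.all(jws.signatures.map(async (signature) => {
 const protectedHeader = (0, import_utils2.decodeJoseBlob)(signature.protected);
 const jwk = loadJWK(args.jwk, protectedHeader, jws);
-const identifier = jwk ? await (0,
+const identifier = jwk ? await (0, import_ssi_sdk_ext2.resolveExternalJwkIdentifier)({
 identifier: jwk,
 method: "jwk"
 }, context) : await resolveExternalIdentifierFromJwsHeader(protectedHeader, context, args);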