npm - @sphereon/ssi-sdk.credential-vcdm1-jwt-provider - Versions diffs - 0.33.1-feature.jose.vcdm.59 - Mend

@sphereon/ssi-sdk.credential-vcdm1-jwt-provider 0.33.1-feature.jose.vcdm.59

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (11) hide show

package/LICENSE +201 -0
package/dist/index.cjs +297 -0
package/dist/index.cjs.map +1 -0
package/dist/index.d.cts +38 -0
package/dist/index.d.ts +38 -0
package/dist/index.js +266 -0
package/dist/index.js.map +1 -0
package/package.json +77 -0
package/src/__tests__/issue-verify-flow-jwt.test.ts +125 -0
package/src/agent/CredentialProviderJWT.ts +287 -0
package/src/index.ts +1 -0

package/dist/index.js ADDED Viewed

@@ -0,0 +1,266 @@
+var __defProp = Object.defineProperty;
+var __name = (target, value) => __defProp(target, "name", { value, configurable: true });
+// src/agent/CredentialProviderJWT.ts
+import { pickSigningKey, preProcessCredentialPayload, preProcessPresentation } from "@sphereon/ssi-sdk.credential-vcdm";
+import canonicalize from "canonicalize";
+import { createVerifiableCredentialJwt, createVerifiablePresentationJwt, normalizeCredential, normalizePresentation, verifyCredential as verifyCredentialJWT, verifyPresentation as verifyPresentationJWT } from "did-jwt-vc";
+import { decodeJWT } from "did-jwt";
+import Debug from "debug";
+import { asArray, intersect } from "@sphereon/ssi-sdk.core";
+import { isVcdm1Credential } from "@sphereon/ssi-types";
+var debug = Debug("sphereon:ssi-sdk:credential-jwt");
+var CredentialProviderJWT = class {
+  static {
+    __name(this, "CredentialProviderJWT");
+  }
+  /** {@inheritdoc @veramo/credential-w3c#AbstractCredentialProvider.matchKeyForType} */
+  matchKeyForType(key) {
+    return this.matchKeyForJWT(key);
+  }
+  /** {@inheritdoc @veramo/credential-w3c#AbstractCredentialProvider.getTypeProofFormat} */
+  getTypeProofFormat() {
+    return "jwt";
+  }
+  /** {@inheritdoc @veramo/credential-w3c#AbstractCredentialProvider.canIssueCredentialType} */
+  canIssueCredentialType(args) {
+    return args.proofFormat === "jwt";
+  }
+  /** {@inheritdoc @veramo/credential-w3c#AbstractCredentialProvider.canVerifyDocumentType */
+  canVerifyDocumentType(args) {
+    const { document } = args;
+    const jwt = typeof document === "string" ? document : document?.proof?.jwt;
+    if (!jwt) {
+      return false;
+    }
+    const { payload } = decodeJWT(jwt);
+    if ("vc" in payload) {
+      return isVcdm1Credential(payload.vc);
+    } else if ("vp" in payload) {
+      return isVcdm1Credential(payload.vp);
+    }
+    return false;
+  }
+  /** {@inheritdoc @veramo/credential-w3c#AbstractCredentialProvider.createVerifiableCredential} */
+  async createVerifiableCredential(args, context) {
+    let { keyRef, removeOriginalFields, ...otherOptions } = args;
+    const { credential, issuer } = preProcessCredentialPayload(args);
+    let identifier;
+    try {
+      identifier = await context.agent.didManagerGet({
+        did: issuer
+      });
+    } catch (e) {
+      throw new Error(`invalid_argument: ${credential.issuer} must be a DID managed by this agent. ${e}`);
+    }
+    const key = await pickSigningKey({
+      identifier,
+      kmsKeyRef: keyRef
+    }, context);
+    debug("Signing VC with", identifier.did);
+    let alg = "ES256";
+    if (key.type === "Ed25519") {
+      alg = "EdDSA";
+    } else if (key.type === "Secp256k1") {
+      alg = "ES256K";
+    }
+    const signer = this.wrapSigner(context, key, alg);
+    const jwt = await createVerifiableCredentialJwt(credential, {
+      did: identifier.did,
+      signer,
+      alg,
+      ...key.meta.verificationMethod.id && {
+        kid: key.meta.verificationMethod.id
+      }
+    }, {
+      removeOriginalFields,
+      ...otherOptions
+    });
+    debug(jwt);
+    return normalizeCredential(jwt);
+  }
+  /** {@inheritdoc ICredentialVerifier.verifyCredential} */
+  async verifyCredential(args, context) {
+    let { credential, policies, ...otherOptions } = args;
+    let verifiedCredential;
+    let verificationResult = {
+      verified: false
+    };
+    let jwt = typeof credential === "string" ? credential : asArray(credential.proof)[0].jwt;
+    let errorCode, message;
+    const resolver = {
+      resolve: /* @__PURE__ */ __name((didUrl) => context.agent.resolveDid({
+        didUrl,
+        options: otherOptions?.resolutionOptions
+      }), "resolve")
+    };
+    try {
+      verificationResult = await verifyCredentialJWT(jwt, resolver, {
+        ...otherOptions,
+        policies: {
+          ...policies,
+          nbf: policies?.nbf ?? policies?.issuanceDate,
+          iat: policies?.iat ?? policies?.issuanceDate,
+          exp: policies?.exp ?? policies?.expirationDate,
+          aud: policies?.aud ?? policies?.audience
+        }
+      });
+      verifiedCredential = verificationResult.verifiableCredential;
+      if (typeof credential !== "string" && asArray(credential.proof)[0].type === "JwtProof2020") {
+        const credentialCopy = JSON.parse(JSON.stringify(credential));
+        delete credentialCopy.proof.jwt;
+        const verifiedCopy = JSON.parse(JSON.stringify(verifiedCredential));
+        delete verifiedCopy.proof.jwt;
+        if (canonicalize(credentialCopy) !== canonicalize(verifiedCopy)) {
+          verificationResult.verified = false;
+          verificationResult.error = new Error("invalid_credential: Credential JSON does not match JWT payload");
+        }
+      }
+    } catch (e) {
+      errorCode = e.errorCode;
+      message = e.message;
+    }
+    if (verificationResult.verified) {
+      return verificationResult;
+    }
+    return {
+      verified: false,
+      error: {
+        message,
+        errorCode: errorCode ? errorCode : message?.split(":")[0]
+      }
+    };
+  }
+  /** {@inheritdoc @veramo/credential-w3c#AbstractCredentialProvider.createVerifiablePresentation} */
+  async createVerifiablePresentation(args, context) {
+    const { presentation, holder } = preProcessPresentation(args);
+    let { domain, challenge, removeOriginalFields, keyRef, now, ...otherOptions } = args;
+    let identifier;
+    try {
+      identifier = await context.agent.didManagerGet({
+        did: holder
+      });
+    } catch (e) {
+      throw new Error("invalid_argument: presentation.holder must be a DID managed by this agent");
+    }
+    const key = await pickSigningKey({
+      identifier,
+      kmsKeyRef: keyRef
+    }, context);
+    debug("Signing VP with", identifier.did);
+    let alg = "ES256";
+    if (key.type === "Ed25519") {
+      alg = "EdDSA";
+    } else if (key.type === "Secp256k1") {
+      alg = "ES256K";
+    }
+    const signer = this.wrapSigner(context, key, alg);
+    const jwt = await createVerifiablePresentationJwt(presentation, {
+      did: identifier.did,
+      signer,
+      alg
+    }, {
+      removeOriginalFields,
+      challenge,
+      domain,
+      ...otherOptions
+    });
+    debug(jwt);
+    return normalizePresentation(jwt);
+  }
+  /** {@inheritdoc @veramo/credential-w3c#AbstractCredentialProvider.verifyPresentation} */
+  async verifyPresentation(args, context) {
+    let { presentation, domain, challenge, fetchRemoteContexts, policies, ...otherOptions } = args;
+    let jwt;
+    if (typeof presentation === "string") {
+      jwt = presentation;
+    } else {
+      jwt = asArray(presentation.proof)[0].jwt;
+    }
+    const resolver = {
+      resolve: /* @__PURE__ */ __name((didUrl) => context.agent.resolveDid({
+        didUrl,
+        options: otherOptions?.resolutionOptions
+      }), "resolve")
+    };
+    let audience = domain;
+    if (!audience) {
+      const { payload } = await decodeJWT(jwt);
+      if (payload.aud) {
+        const intendedAudience = asArray(payload.aud);
+        const managedDids = await context.agent.didManagerFind();
+        const filtered = managedDids.filter((identifier) => intendedAudience.includes(identifier.did));
+        if (filtered.length > 0) {
+          audience = filtered[0].did;
+        }
+      }
+    }
+    let message, errorCode;
+    try {
+      const result = await verifyPresentationJWT(jwt, resolver, {
+        challenge,
+        domain,
+        audience,
+        policies: {
+          ...policies,
+          nbf: policies?.nbf ?? policies?.issuanceDate,
+          iat: policies?.iat ?? policies?.issuanceDate,
+          exp: policies?.exp ?? policies?.expirationDate,
+          aud: policies?.aud ?? policies?.audience
+        },
+        ...otherOptions
+      });
+      if (result) {
+        return {
+          verified: true,
+          verifiablePresentation: result
+        };
+      }
+    } catch (e) {
+      message = e.message;
+      errorCode = e.errorCode;
+    }
+    return {
+      verified: false,
+      error: {
+        message,
+        errorCode: errorCode ? errorCode : message?.split(":")[0]
+      }
+    };
+  }
+  /**
+  * Checks if a key is suitable for signing JWT payloads.
+  * @param key - the key to check
+  * @param context - the Veramo agent context, unused here
+  *
+  * @beta
+  */
+  matchKeyForJWT(key) {
+    switch (key.type) {
+      case "Ed25519":
+      case "Secp256r1":
+        return true;
+      case "Secp256k1":
+        return intersect(key.meta?.algorithms ?? [], [
+          "ES256K",
+          "ES256K-R"
+        ]).length > 0;
+      default:
+        return false;
+    }
+  }
+  wrapSigner(context, key, algorithm) {
+    return async (data) => {
+      const result = await context.agent.keyManagerSign({
+        keyRef: key.kid,
+        data,
+        algorithm
+      });
+      return result;
+    };
+  }
+};
+export {
+  CredentialProviderJWT
+};
+//# sourceMappingURL=index.js.map

package/dist/index.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../src/agent/CredentialProviderJWT.ts"],"sourcesContent":["import type { IAgentContext, IIdentifier, IKey, IKeyManager, IVerifyResult, VerifiableCredential, VerifierAgentContext } from '@veramo/core'\nimport {\n type ICanIssueCredentialTypeArgs,\n type ICanVerifyDocumentTypeArgs,\n type ICreateVerifiableCredentialLDArgs,\n type ICreateVerifiablePresentationLDArgs,\n type IVcdmCredentialProvider,\n type IVcdmIssuerAgentContext,\n IVerifyCredentialLDArgs,\n IVerifyPresentationLDArgs,\n pickSigningKey,\n preProcessCredentialPayload,\n preProcessPresentation,\n} from '@sphereon/ssi-sdk.credential-vcdm'\n\nimport canonicalize from 'canonicalize'\n\nimport {\n createVerifiableCredentialJwt,\n createVerifiablePresentationJwt,\n normalizeCredential,\n normalizePresentation,\n verifyCredential as verifyCredentialJWT,\n verifyPresentation as verifyPresentationJWT,\n // @ts-ignore\n} from 'did-jwt-vc'\n\nimport { type Resolvable } from 'did-resolver'\n\nimport { decodeJWT } from 'did-jwt'\n\nimport Debug from 'debug'\nimport { asArray, intersect, VerifiableCredentialSP, VerifiablePresentationSP } from '@sphereon/ssi-sdk.core'\nimport { isVcdm1Credential } from '@sphereon/ssi-types'\n\nconst debug = Debug('sphereon:ssi-sdk:credential-jwt')\n\n/**\n * A handler that implements the {@link IVcdmCredentialProvider} methods.\n *\n * @beta This API may change without a BREAKING CHANGE notice.\n */\nexport class CredentialProviderJWT implements IVcdmCredentialProvider {\n /** {@inheritdoc @veramo/credential-w3c#AbstractCredentialProvider.matchKeyForType} */\n matchKeyForType(key: IKey): boolean {\n return this.matchKeyForJWT(key)\n }\n\n /** {@inheritdoc @veramo/credential-w3c#AbstractCredentialProvider.getTypeProofFormat} */\n getTypeProofFormat(): string {\n return 'jwt'\n }\n\n /** {@inheritdoc @veramo/credential-w3c#AbstractCredentialProvider.canIssueCredentialType} */\n canIssueCredentialType(args: ICanIssueCredentialTypeArgs): boolean {\n return args.proofFormat === 'jwt'\n }\n\n /** {@inheritdoc @veramo/credential-w3c#AbstractCredentialProvider.canVerifyDocumentType */\n canVerifyDocumentType(args: ICanVerifyDocumentTypeArgs): boolean {\n const { document } = args\n const jwt = typeof document === 'string' ? document : (<VerifiableCredential>document)?.proof?.jwt\n if (!jwt) {\n return false\n }\n const { payload } = decodeJWT(jwt)\n if ('vc' in payload) {\n return isVcdm1Credential(payload.vc)\n } else if ('vp' in payload) {\n return isVcdm1Credential(payload.vp)\n }\n return false\n }\n\n /** {@inheritdoc @veramo/credential-w3c#AbstractCredentialProvider.createVerifiableCredential} */\n async createVerifiableCredential(args: ICreateVerifiableCredentialLDArgs, context: IVcdmIssuerAgentContext): Promise<VerifiableCredentialSP> {\n let { keyRef, removeOriginalFields, ...otherOptions } = args\n\n const { credential, issuer } = preProcessCredentialPayload(args)\n let identifier: IIdentifier\n try {\n identifier = await context.agent.didManagerGet({ did: issuer })\n } catch (e) {\n throw new Error(`invalid_argument: ${credential.issuer} must be a DID managed by this agent. ${e}`)\n }\n\n const key = await pickSigningKey({ identifier, kmsKeyRef: keyRef }, context)\n\n debug('Signing VC with', identifier.did)\n let alg = 'ES256'\n if (key.type === 'Ed25519') {\n alg = 'EdDSA'\n } else if (key.type === 'Secp256k1') {\n alg = 'ES256K'\n }\n\n const signer = this.wrapSigner(context, key, alg)\n const jwt = await createVerifiableCredentialJwt(\n credential as any,\n { did: identifier.did, signer, alg, ...(key.meta.verificationMethod.id && { kid: key.meta.verificationMethod.id }) },\n { removeOriginalFields, ...otherOptions },\n )\n //FIXME: flagging this as a potential privacy leak.\n debug(jwt)\n return normalizeCredential(jwt)\n }\n\n /** {@inheritdoc ICredentialVerifier.verifyCredential} */\n async verifyCredential(args: IVerifyCredentialLDArgs, context: VerifierAgentContext): Promise<IVerifyResult> {\n let { credential, policies, ...otherOptions } = args\n let verifiedCredential: VerifiableCredential\n let verificationResult: IVerifyResult = { verified: false }\n let jwt: string = typeof credential === 'string' ? credential : asArray(credential.proof)[0].jwt\n let errorCode, message\n const resolver = {\n resolve: (didUrl: string) =>\n context.agent.resolveDid({\n didUrl,\n options: otherOptions?.resolutionOptions,\n }),\n } as Resolvable\n try {\n // needs broader credential as well to check equivalence with jwt\n verificationResult = await verifyCredentialJWT(jwt, resolver, {\n ...otherOptions,\n policies: {\n ...policies,\n nbf: policies?.nbf ?? policies?.issuanceDate,\n iat: policies?.iat ?? policies?.issuanceDate,\n exp: policies?.exp ?? policies?.expirationDate,\n aud: policies?.aud ?? policies?.audience,\n },\n })\n verifiedCredential = verificationResult.verifiableCredential\n\n // if credential was presented with other fields, make sure those fields match what's in the JWT\n if (typeof credential !== 'string' && asArray(credential.proof)[0].type === 'JwtProof2020') {\n const credentialCopy = JSON.parse(JSON.stringify(credential))\n delete credentialCopy.proof.jwt\n\n const verifiedCopy = JSON.parse(JSON.stringify(verifiedCredential))\n delete verifiedCopy.proof.jwt\n\n if (canonicalize(credentialCopy) !== canonicalize(verifiedCopy)) {\n verificationResult.verified = false\n verificationResult.error = new Error('invalid_credential: Credential JSON does not match JWT payload')\n }\n }\n } catch (e: any) {\n errorCode = e.errorCode\n message = e.message\n }\n if (verificationResult.verified) {\n return verificationResult\n }\n return {\n verified: false,\n error: {\n message,\n errorCode: errorCode ? errorCode : message?.split(':')[0],\n },\n }\n }\n\n /** {@inheritdoc @veramo/credential-w3c#AbstractCredentialProvider.createVerifiablePresentation} */\n async createVerifiablePresentation(args: ICreateVerifiablePresentationLDArgs, context: IVcdmIssuerAgentContext): Promise<VerifiablePresentationSP> {\n const { presentation, holder } = preProcessPresentation(args)\n let { domain, challenge, removeOriginalFields, keyRef, now, ...otherOptions } = args\n\n let identifier: IIdentifier\n try {\n identifier = await context.agent.didManagerGet({ did: holder })\n } catch (e) {\n throw new Error('invalid_argument: presentation.holder must be a DID managed by this agent')\n }\n const key = await pickSigningKey({ identifier, kmsKeyRef: keyRef }, context)\n\n debug('Signing VP with', identifier.did)\n let alg = 'ES256'\n if (key.type === 'Ed25519') {\n alg = 'EdDSA'\n } else if (key.type === 'Secp256k1') {\n alg = 'ES256K'\n }\n\n const signer = this.wrapSigner(context, key, alg)\n const jwt = await createVerifiablePresentationJwt(\n presentation as any,\n { did: identifier.did, signer, alg },\n { removeOriginalFields, challenge, domain, ...otherOptions },\n )\n //FIXME: flagging this as a potential privacy leak.\n debug(jwt)\n return normalizePresentation(jwt)\n }\n\n /** {@inheritdoc @veramo/credential-w3c#AbstractCredentialProvider.verifyPresentation} */\n async verifyPresentation(args: IVerifyPresentationLDArgs, context: VerifierAgentContext): Promise<IVerifyResult> {\n let { presentation, domain, challenge, fetchRemoteContexts, policies, ...otherOptions } = args\n let jwt: string\n if (typeof presentation === 'string') {\n jwt = presentation\n } else {\n jwt = asArray(presentation.proof)[0].jwt\n }\n const resolver = {\n resolve: (didUrl: string) =>\n context.agent.resolveDid({\n didUrl,\n options: otherOptions?.resolutionOptions,\n }),\n } as Resolvable\n\n let audience = domain\n if (!audience) {\n const { payload } = await decodeJWT(jwt)\n if (payload.aud) {\n // automatically add a managed DID as audience if one is found\n const intendedAudience = asArray(payload.aud)\n const managedDids = await context.agent.didManagerFind()\n const filtered = managedDids.filter((identifier) => intendedAudience.includes(identifier.did))\n if (filtered.length > 0) {\n audience = filtered[0].did\n }\n }\n }\n\n let message, errorCode\n try {\n const result = await verifyPresentationJWT(jwt, resolver, {\n challenge,\n domain,\n audience,\n policies: {\n ...policies,\n nbf: policies?.nbf ?? policies?.issuanceDate,\n iat: policies?.iat ?? policies?.issuanceDate,\n exp: policies?.exp ?? policies?.expirationDate,\n aud: policies?.aud ?? policies?.audience,\n },\n ...otherOptions,\n })\n if (result) {\n return {\n verified: true,\n verifiablePresentation: result,\n }\n }\n } catch (e: any) {\n message = e.message\n errorCode = e.errorCode\n }\n return {\n verified: false,\n error: {\n message,\n errorCode: errorCode ? errorCode : message?.split(':')[0],\n },\n }\n }\n\n /**\n * Checks if a key is suitable for signing JWT payloads.\n * @param key - the key to check\n * @param context - the Veramo agent context, unused here\n *\n * @beta\n */\n matchKeyForJWT(key: IKey): boolean {\n switch (key.type) {\n case 'Ed25519':\n case 'Secp256r1':\n return true\n case 'Secp256k1':\n return intersect(key.meta?.algorithms ?? [], ['ES256K', 'ES256K-R']).length > 0\n default:\n return false\n }\n }\n\n wrapSigner(context: IAgentContext<Pick<IKeyManager, 'keyManagerSign'>>, key: IKey, algorithm?: string) {\n return async (data: string | Uint8Array): Promise<string> => {\n const result = await context.agent.keyManagerSign({ keyRef: key.kid, data: <string>data, algorithm })\n return result\n }\n }\n}\n"],"mappings":";;;;AACA,SASEA,gBACAC,6BACAC,8BACK;AAEP,OAAOC,kBAAkB;AAEzB,SACEC,+BACAC,iCACAC,qBACAC,uBACAC,oBAAoBC,qBACpBC,sBAAsBC,6BAEjB;AAIP,SAASC,iBAAiB;AAE1B,OAAOC,WAAW;AAClB,SAASC,SAASC,iBAAmE;AACrF,SAASC,yBAAyB;AAElC,IAAMC,QAAQC,MAAM,iCAAA;AAOb,IAAMC,wBAAN,MAAMA;EAzCb,OAyCaA;;;;EAEXC,gBAAgBC,KAAoB;AAClC,WAAO,KAAKC,eAAeD,GAAAA;EAC7B;;EAGAE,qBAA6B;AAC3B,WAAO;EACT;;EAGAC,uBAAuBC,MAA4C;AACjE,WAAOA,KAAKC,gBAAgB;EAC9B;;EAGAC,sBAAsBF,MAA2C;AAC/D,UAAM,EAAEG,SAAQ,IAAKH;AACrB,UAAMI,MAAM,OAAOD,aAAa,WAAWA,WAAkCA,UAAWE,OAAOD;AAC/F,QAAI,CAACA,KAAK;AACR,aAAO;IACT;AACA,UAAM,EAAEE,QAAO,IAAKC,UAAUH,GAAAA;AAC9B,QAAI,QAAQE,SAAS;AACnB,aAAOE,kBAAkBF,QAAQG,EAAE;IACrC,WAAW,QAAQH,SAAS;AAC1B,aAAOE,kBAAkBF,QAAQI,EAAE;IACrC;AACA,WAAO;EACT;;EAGA,MAAMC,2BAA2BX,MAAyCY,SAAmE;AAC3I,QAAI,EAAEC,QAAQC,sBAAsB,GAAGC,aAAAA,IAAiBf;AAExD,UAAM,EAAEgB,YAAYC,OAAM,IAAKC,4BAA4BlB,IAAAA;AAC3D,QAAImB;AACJ,QAAI;AACFA,mBAAa,MAAMP,QAAQQ,MAAMC,cAAc;QAAEC,KAAKL;MAAO,CAAA;IAC/D,SAASM,GAAG;AACV,YAAM,IAAIC,MAAM,qBAAqBR,WAAWC,MAAM,yCAAyCM,CAAAA,EAAG;IACpG;AAEA,UAAM3B,MAAM,MAAM6B,eAAe;MAAEN;MAAYO,WAAWb;IAAO,GAAGD,OAAAA;AAEpEpB,UAAM,mBAAmB2B,WAAWG,GAAG;AACvC,QAAIK,MAAM;AACV,QAAI/B,IAAIgC,SAAS,WAAW;AAC1BD,YAAM;IACR,WAAW/B,IAAIgC,SAAS,aAAa;AACnCD,YAAM;IACR;AAEA,UAAME,SAAS,KAAKC,WAAWlB,SAAShB,KAAK+B,GAAAA;AAC7C,UAAMvB,MAAM,MAAM2B,8BAChBf,YACA;MAAEM,KAAKH,WAAWG;MAAKO;MAAQF;MAAK,GAAI/B,IAAIoC,KAAKC,mBAAmBC,MAAM;QAAEC,KAAKvC,IAAIoC,KAAKC,mBAAmBC;MAAG;IAAG,GACnH;MAAEpB;MAAsB,GAAGC;IAAa,CAAA;AAG1CvB,UAAMY,GAAAA;AACN,WAAOgC,oBAAoBhC,GAAAA;EAC7B;;EAGA,MAAMiC,iBAAiBrC,MAA+BY,SAAuD;AAC3G,QAAI,EAAEI,YAAYsB,UAAU,GAAGvB,aAAAA,IAAiBf;AAChD,QAAIuC;AACJ,QAAIC,qBAAoC;MAAEC,UAAU;IAAM;AAC1D,QAAIrC,MAAc,OAAOY,eAAe,WAAWA,aAAa0B,QAAQ1B,WAAWX,KAAK,EAAE,CAAA,EAAGD;AAC7F,QAAIuC,WAAWC;AACf,UAAMC,WAAW;MACfC,SAAS,wBAACC,WACRnC,QAAQQ,MAAM4B,WAAW;QACvBD;QACAE,SAASlC,cAAcmC;MACzB,CAAA,GAJO;IAKX;AACA,QAAI;AAEFV,2BAAqB,MAAMW,oBAAoB/C,KAAKyC,UAAU;QAC5D,GAAG9B;QACHuB,UAAU;UACR,GAAGA;UACHc,KAAKd,UAAUc,OAAOd,UAAUe;UAChCC,KAAKhB,UAAUgB,OAAOhB,UAAUe;UAChCE,KAAKjB,UAAUiB,OAAOjB,UAAUkB;UAChCC,KAAKnB,UAAUmB,OAAOnB,UAAUoB;QAClC;MACF,CAAA;AACAnB,2BAAqBC,mBAAmBmB;AAGxC,UAAI,OAAO3C,eAAe,YAAY0B,QAAQ1B,WAAWX,KAAK,EAAE,CAAA,EAAGuB,SAAS,gBAAgB;AAC1F,cAAMgC,iBAAiBC,KAAKC,MAAMD,KAAKE,UAAU/C,UAAAA,CAAAA;AACjD,eAAO4C,eAAevD,MAAMD;AAE5B,cAAM4D,eAAeH,KAAKC,MAAMD,KAAKE,UAAUxB,kBAAAA,CAAAA;AAC/C,eAAOyB,aAAa3D,MAAMD;AAE1B,YAAI6D,aAAaL,cAAAA,MAAoBK,aAAaD,YAAAA,GAAe;AAC/DxB,6BAAmBC,WAAW;AAC9BD,6BAAmB0B,QAAQ,IAAI1C,MAAM,gEAAA;QACvC;MACF;IACF,SAASD,GAAQ;AACfoB,kBAAYpB,EAAEoB;AACdC,gBAAUrB,EAAEqB;IACd;AACA,QAAIJ,mBAAmBC,UAAU;AAC/B,aAAOD;IACT;AACA,WAAO;MACLC,UAAU;MACVyB,OAAO;QACLtB;QACAD,WAAWA,YAAYA,YAAYC,SAASuB,MAAM,GAAA,EAAK,CAAA;MACzD;IACF;EACF;;EAGA,MAAMC,6BAA6BpE,MAA2CY,SAAqE;AACjJ,UAAM,EAAEyD,cAAcC,OAAM,IAAKC,uBAAuBvE,IAAAA;AACxD,QAAI,EAAEwE,QAAQC,WAAW3D,sBAAsBD,QAAQ6D,KAAK,GAAG3D,aAAAA,IAAiBf;AAEhF,QAAImB;AACJ,QAAI;AACFA,mBAAa,MAAMP,QAAQQ,MAAMC,cAAc;QAAEC,KAAKgD;MAAO,CAAA;IAC/D,SAAS/C,GAAG;AACV,YAAM,IAAIC,MAAM,2EAAA;IAClB;AACA,UAAM5B,MAAM,MAAM6B,eAAe;MAAEN;MAAYO,WAAWb;IAAO,GAAGD,OAAAA;AAEpEpB,UAAM,mBAAmB2B,WAAWG,GAAG;AACvC,QAAIK,MAAM;AACV,QAAI/B,IAAIgC,SAAS,WAAW;AAC1BD,YAAM;IACR,WAAW/B,IAAIgC,SAAS,aAAa;AACnCD,YAAM;IACR;AAEA,UAAME,SAAS,KAAKC,WAAWlB,SAAShB,KAAK+B,GAAAA;AAC7C,UAAMvB,MAAM,MAAMuE,gCAChBN,cACA;MAAE/C,KAAKH,WAAWG;MAAKO;MAAQF;IAAI,GACnC;MAAEb;MAAsB2D;MAAWD;MAAQ,GAAGzD;IAAa,CAAA;AAG7DvB,UAAMY,GAAAA;AACN,WAAOwE,sBAAsBxE,GAAAA;EAC/B;;EAGA,MAAMyE,mBAAmB7E,MAAiCY,SAAuD;AAC/G,QAAI,EAAEyD,cAAcG,QAAQC,WAAWK,qBAAqBxC,UAAU,GAAGvB,aAAAA,IAAiBf;AAC1F,QAAII;AACJ,QAAI,OAAOiE,iBAAiB,UAAU;AACpCjE,YAAMiE;IACR,OAAO;AACLjE,YAAMsC,QAAQ2B,aAAahE,KAAK,EAAE,CAAA,EAAGD;IACvC;AACA,UAAMyC,WAAW;MACfC,SAAS,wBAACC,WACRnC,QAAQQ,MAAM4B,WAAW;QACvBD;QACAE,SAASlC,cAAcmC;MACzB,CAAA,GAJO;IAKX;AAEA,QAAIQ,WAAWc;AACf,QAAI,CAACd,UAAU;AACb,YAAM,EAAEpD,QAAO,IAAK,MAAMC,UAAUH,GAAAA;AACpC,UAAIE,QAAQmD,KAAK;AAEf,cAAMsB,mBAAmBrC,QAAQpC,QAAQmD,GAAG;AAC5C,cAAMuB,cAAc,MAAMpE,QAAQQ,MAAM6D,eAAc;AACtD,cAAMC,WAAWF,YAAYG,OAAO,CAAChE,eAAe4D,iBAAiBK,SAASjE,WAAWG,GAAG,CAAA;AAC5F,YAAI4D,SAASG,SAAS,GAAG;AACvB3B,qBAAWwB,SAAS,CAAA,EAAG5D;QACzB;MACF;IACF;AAEA,QAAIsB,SAASD;AACb,QAAI;AACF,YAAM2C,SAAS,MAAMC,sBAAsBnF,KAAKyC,UAAU;QACxD4B;QACAD;QACAd;QACApB,UAAU;UACR,GAAGA;UACHc,KAAKd,UAAUc,OAAOd,UAAUe;UAChCC,KAAKhB,UAAUgB,OAAOhB,UAAUe;UAChCE,KAAKjB,UAAUiB,OAAOjB,UAAUkB;UAChCC,KAAKnB,UAAUmB,OAAOnB,UAAUoB;QAClC;QACA,GAAG3C;MACL,CAAA;AACA,UAAIuE,QAAQ;AACV,eAAO;UACL7C,UAAU;UACV+C,wBAAwBF;QAC1B;MACF;IACF,SAAS/D,GAAQ;AACfqB,gBAAUrB,EAAEqB;AACZD,kBAAYpB,EAAEoB;IAChB;AACA,WAAO;MACLF,UAAU;MACVyB,OAAO;QACLtB;QACAD,WAAWA,YAAYA,YAAYC,SAASuB,MAAM,GAAA,EAAK,CAAA;MACzD;IACF;EACF;;;;;;;;EASAtE,eAAeD,KAAoB;AACjC,YAAQA,IAAIgC,MAAI;MACd,KAAK;MACL,KAAK;AACH,eAAO;MACT,KAAK;AACH,eAAO6D,UAAU7F,IAAIoC,MAAM0D,cAAc,CAAA,GAAI;UAAC;UAAU;SAAW,EAAEL,SAAS;MAChF;AACE,eAAO;IACX;EACF;EAEAvD,WAAWlB,SAA6DhB,KAAW+F,WAAoB;AACrG,WAAO,OAAOC,SAAAA;AACZ,YAAMN,SAAS,MAAM1E,QAAQQ,MAAMyE,eAAe;QAAEhF,QAAQjB,IAAIuC;QAAKyD;QAAoBD;MAAU,CAAA;AACnG,aAAOL;IACT;EACF;AACF;","names":["pickSigningKey","preProcessCredentialPayload","preProcessPresentation","canonicalize","createVerifiableCredentialJwt","createVerifiablePresentationJwt","normalizeCredential","normalizePresentation","verifyCredential","verifyCredentialJWT","verifyPresentation","verifyPresentationJWT","decodeJWT","Debug","asArray","intersect","isVcdm1Credential","debug","Debug","CredentialProviderJWT","matchKeyForType","key","matchKeyForJWT","getTypeProofFormat","canIssueCredentialType","args","proofFormat","canVerifyDocumentType","document","jwt","proof","payload","decodeJWT","isVcdm1Credential","vc","vp","createVerifiableCredential","context","keyRef","removeOriginalFields","otherOptions","credential","issuer","preProcessCredentialPayload","identifier","agent","didManagerGet","did","e","Error","pickSigningKey","kmsKeyRef","alg","type","signer","wrapSigner","createVerifiableCredentialJwt","meta","verificationMethod","id","kid","normalizeCredential","verifyCredential","policies","verifiedCredential","verificationResult","verified","asArray","errorCode","message","resolver","resolve","didUrl","resolveDid","options","resolutionOptions","verifyCredentialJWT","nbf","issuanceDate","iat","exp","expirationDate","aud","audience","verifiableCredential","credentialCopy","JSON","parse","stringify","verifiedCopy","canonicalize","error","split","createVerifiablePresentation","presentation","holder","preProcessPresentation","domain","challenge","now","createVerifiablePresentationJwt","normalizePresentation","verifyPresentation","fetchRemoteContexts","intendedAudience","managedDids","didManagerFind","filtered","filter","includes","length","result","verifyPresentationJWT","verifiablePresentation","intersect","algorithms","algorithm","data","keyManagerSign"]}

package/package.json ADDED Viewed

@@ -0,0 +1,77 @@
+{
+  "name": "@sphereon/ssi-sdk.credential-vcdm1-jwt-provider",
+  "description": "Plugin for working with JWT Verifiable Credentials & Presentations.",
+  "version": "0.33.1-feature.jose.vcdm.59+5f24a990",
+  "source": "src/index.ts",
+  "type": "module",
+  "main": "./dist/index.cjs",
+  "module": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "exports": {
+    "react-native": "./dist/index.js",
+    "import": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.js"
+    },
+    "require": {
+      "types": "./dist/index.d.cts",
+      "require": "./dist/index.cjs"
+    }
+  },
+  "scripts": {
+    "build": "tsup --config ../../tsup.config.ts --tsconfig ../../tsconfig.tsup.json"
+  },
+  "dependencies": {
+    "@sphereon/ssi-sdk.core": "0.33.1-feature.jose.vcdm.59+5f24a990",
+    "@sphereon/ssi-sdk.credential-vcdm": "0.33.1-feature.jose.vcdm.59+5f24a990",
+    "@sphereon/ssi-types": "0.33.1-feature.jose.vcdm.59+5f24a990",
+    "@veramo/core": "4.2.0",
+    "@veramo/utils": "4.2.0",
+    "canonicalize": "^2.0.0",
+    "debug": "^4.3.3",
+    "did-jwt-vc": "3.1.3",
+    "did-resolver": "^4.1.0"
+  },
+  "devDependencies": {
+    "@sphereon/ssi-sdk-ext.did-provider-key": "0.28.1-feature.jose.vcdm.25",
+    "@sphereon/ssi-sdk-ext.key-manager": "0.28.1-feature.jose.vcdm.25",
+    "@sphereon/ssi-sdk-ext.kms-local": "0.28.1-feature.jose.vcdm.25",
+    "@sphereon/ssi-sdk.agent-config": "0.33.1-feature.jose.vcdm.59+5f24a990",
+    "@types/debug": "4.1.8",
+    "@veramo/did-manager": "4.2.0",
+    "@veramo/did-provider-ethr": "4.2.0",
+    "@veramo/did-resolver": "4.2.0",
+    "@veramo/key-manager": "4.2.0",
+    "ethr-did-resolver": "^11.0.3",
+    "typescript": "5.8.3",
+    "vitest": "^3.1.2"
+  },
+  "files": [
+    "dist/**/*",
+    "src/**/*",
+    "README.md",
+    "LICENSE"
+  ],
+  "publishConfig": {
+    "access": "public"
+  },
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/decentralized-identity/veramo.git",
+    "directory": "packages/credential-jwt"
+  },
+  "author": "Nick Reynolds <nicholas.s.reynolds@gmail.com>",
+  "keywords": [
+    "Sphereon",
+    "DID",
+    "Verifiable Credential",
+    "JWT",
+    "veramo-plugin"
+  ],
+  "license": "Apache-2.0",
+  "moduleDirectories": [
+    "node_modules",
+    "src"
+  ],
+  "gitHead": "5f24a9904d53b07534cdaf71f2874f8e64b4c845"
+}

package/src/__tests__/issue-verify-flow-jwt.test.ts ADDED Viewed

@@ -0,0 +1,125 @@
+import { beforeAll, describe, expect, it } from 'vitest'
+import type { CredentialPayload, IDIDManager, IIdentifier, IResolver, TAgent } from '@veramo/core'
+import { createAgent } from '@sphereon/ssi-sdk.agent-config'
+import { type IVcdmCredentialPlugin, VcdmCredentialPlugin } from '@sphereon/ssi-sdk.credential-vcdm'
+import { DIDManager, MemoryDIDStore } from '@veramo/did-manager'
+import { getDidKeyResolver, SphereonKeyDidProvider } from '@sphereon/ssi-sdk-ext.did-provider-key'
+import { DIDResolverPlugin } from '@veramo/did-resolver'
+import { EthrDIDProvider } from '@veramo/did-provider-ethr'
+import { Resolver } from 'did-resolver'
+import { getResolver as ethrDidResolver } from 'ethr-did-resolver'
+import 'cross-fetch/polyfill'
+import { CredentialProviderJWT } from '../agent/CredentialProviderJWT'
+import { type ISphereonKeyManager, MemoryKeyStore, MemoryPrivateKeyStore, SphereonKeyManager } from '@sphereon/ssi-sdk-ext.key-manager'
+import { SphereonKeyManagementSystem } from '@sphereon/ssi-sdk-ext.kms-local'
+const infuraProjectId = '3586660d179141e3801c3895de1c2eba'
+describe('@sphereon/ssi-sdk.credential-vcdm1-jwt-provider full flow', () => {
+  let didKeyIdentifier: IIdentifier
+  let didEthrIdentifier: IIdentifier
+  let agent: TAgent<IResolver & ISphereonKeyManager & IDIDManager & IVcdmCredentialPlugin>
+  const jwt = new CredentialProviderJWT()
+  beforeAll(async () => {
+    agent = await createAgent<IResolver & ISphereonKeyManager & IDIDManager & IVcdmCredentialPlugin>({
+      plugins: [
+        new SphereonKeyManager({
+          store: new MemoryKeyStore(),
+          kms: {
+            local: new SphereonKeyManagementSystem(new MemoryPrivateKeyStore()),
+          },
+        }),
+        new DIDManager({
+          providers: {
+            'did:key': new SphereonKeyDidProvider({ defaultKms: 'local' }),
+            'did:ethr': new EthrDIDProvider({
+              defaultKms: 'local',
+              network: 'mainnet',
+            }),
+          },
+          store: new MemoryDIDStore(),
+          defaultProvider: 'did:key',
+        }),
+        new DIDResolverPlugin({
+          resolver: new Resolver({
+            ...getDidKeyResolver(),
+            ...ethrDidResolver({ infuraProjectId }),
+          }),
+        }),
+        new VcdmCredentialPlugin({ issuers: [jwt] }),
+      ],
+    })
+    didKeyIdentifier = await agent.didManagerCreate()
+    didEthrIdentifier = await agent.didManagerCreate({ provider: 'did:ethr' })
+  })
+  it('issues and verifies JWT credential', async () => {
+    const credential: CredentialPayload = {
+      issuer: { id: didEthrIdentifier.did },
+      '@context': ['https://www.w3.org/2018/credentials/v1', 'https://example.com/1/2/3'],
+      type: ['VerifiableCredential', 'Custom'],
+      issuanceDate: new Date().toISOString(),
+      credentialSubject: {
+        id: 'did:web:example.com',
+        you: 'Rock',
+      },
+    }
+    const verifiableCredential = await agent.createVerifiableCredential({
+      credential,
+      proofFormat: 'jwt',
+    })
+    expect(verifiableCredential).toBeDefined()
+    const result = await agent.verifyCredential({
+      credential: verifiableCredential,
+    })
+    expect(result.verified).toBe(true)
+  })
+  it('issues credential and verifies presentation', async () => {
+    const credential: CredentialPayload = {
+      issuer: { id: didEthrIdentifier.did },
+      '@context': ['https://www.w3.org/2018/credentials/v1', 'https://veramo.io/contexts/profile/v1'],
+      type: ['VerifiableCredential', 'Profile'],
+      issuanceDate: new Date().toISOString(),
+      credentialSubject: {
+        id: didKeyIdentifier.did,
+        name: 'Martin, the great',
+      },
+    }
+    const verifiableCredential1 = await agent.createVerifiableCredential({
+      credential,
+      proofFormat: 'jwt',
+    })
+    const verifiablePresentation = await agent.createVerifiablePresentation({
+      presentation: {
+        // @ts-ignore
+        verifiableCredential: [verifiableCredential1],
+        holder: didEthrIdentifier.did,
+      },
+      challenge: 'SUCCESS',
+      proofFormat: 'jwt',
+    })
+    expect(verifiablePresentation).toBeDefined()
+    const result = await agent.verifyPresentation({
+      presentation: verifiablePresentation,
+      challenge: 'SUCCESS',
+    })
+    expect(result.verified).toBe(true)
+    const failResult = await agent.verifyPresentation({
+      presentation: verifiablePresentation,
+      challenge: 'FAILED',
+    })
+    expect(failResult.verified).toBe(false)
+  })
+})