@sphereon/ssi-sdk.credential-vcdm1-jwt-provider 0.33.1-next.68 → 0.34.0

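--- a/package/dist/index.cjs
+++ b/package/dist/index.cjs
@@ -36,13 +36,13 @@ __export(index_exports, {
  module.exports = __toCommonJS(index_exports);
 
  // src/agent/CredentialProviderJWT.ts
- var import_ssi_sdk = require("@sphereon/ssi-sdk.credential-vcdm");
+ var import_ssi_sdk = require("@sphereon/ssi-sdk.core");
+ var import_ssi_sdk2 = require("@sphereon/ssi-sdk.credential-vcdm");
+ var import_ssi_types = require("@sphereon/ssi-types");
  var import_canonicalize = __toESM(require("canonicalize"), 1);
- var import_did_jwt_vc = require("did-jwt-vc");
- var import_did_jwt = require("did-jwt");
  var import_debug = __toESM(require("debug"), 1);
- var import_ssi_sdk2 = require("@sphereon/ssi-sdk.core");
- var import_ssi_types = require("@sphereon/ssi-types");
+ var import_did_jwt = require("did-jwt");
+ var import_did_jwt_vc = require("did-jwt-vc");
  var debug = (0, import_debug.default)("sphereon:ssi-sdk:credential-jwt");
  var CredentialProviderJWT = class {
  static {
@@ -78,7 +78,7 @@ var CredentialProviderJWT = class {
  /** {@inheritdoc @veramo/credential-w3c#AbstractCredentialProvider.createVerifiableCredential} */
  async createVerifiableCredential(args, context) {
  let { keyRef, removeOriginalFields, ...otherOptions } = args;
- const { credential, issuer } = (0, import_ssi_sdk.preProcessCredentialPayload)(args);
+ const { credential, issuer } = (0, import_ssi_sdk2.preProcessCredentialPayload)(args);
  let identifier;
  try {
  identifier = await context.agent.didManagerGet({
@@ -87,7 +87,7 @@ var CredentialProviderJWT = class {
  } catch (e) {
  throw new Error(`invalid_argument: ${credential.issuer} must be a DID managed by this agent. ${e}`);
  }
- const key = await (0, import_ssi_sdk.pickSigningKey)({
+ const key = await (0, import_ssi_sdk2.pickSigningKey)({
  identifier,
  kmsKeyRef: keyRef
  }, context);
@@ -120,7 +120,7 @@ var CredentialProviderJWT = class {
  let verificationResult = {
  verified: false
  };
- let jwt = typeof credential === "string" ? credential : (0, import_ssi_sdk2.asArray)(credential.proof)[0].jwt;
+ let jwt = typeof credential === "string" ? credential : (0, import_ssi_sdk.asArray)("proof" in credential ? credential.proof : [])?.[0]?.jwt;
  let errorCode, message;
  const resolver = {
  resolve: /* @__PURE__ */ __name((didUrl) => context.agent.resolveDid({
@@ -140,7 +140,7 @@ var CredentialProviderJWT = class {
  }
  });
  verifiedCredential = verificationResult.verifiableCredential;
- if (typeof credential !== "string" && (0, import_ssi_sdk2.asArray)(credential.proof)[0].type === "JwtProof2020") {
+ if (typeof credential !== "string" && "proof" in credential && (0, import_ssi_sdk.asArray)(credential.proof)[0].type === "JwtProof2020") {
  const credentialCopy = JSON.parse(JSON.stringify(credential));
  delete credentialCopy.proof.jwt;
  const verifiedCopy = JSON.parse(JSON.stringify(verifiedCredential));
@@ -167,7 +167,7 @@ var CredentialProviderJWT = class {
  }
  /** {@inheritdoc @veramo/credential-w3c#AbstractCredentialProvider.createVerifiablePresentation} */
  async createVerifiablePresentation(args, context) {
- const { presentation, holder } = (0, import_ssi_sdk.preProcessPresentation)(args);
+ const { presentation, holder } = (0, import_ssi_sdk2.preProcessPresentation)(args);
  let { domain, challenge, removeOriginalFields, keyRef, now, ...otherOptions } = args;
  let identifier;
  try {
@@ -177,7 +177,7 @@ var CredentialProviderJWT = class {
  } catch (e) {
  throw new Error("invalid_argument: presentation.holder must be a DID managed by this agent");
  }
- const key = await (0, import_ssi_sdk.pickSigningKey)({
+ const key = await (0, import_ssi_sdk2.pickSigningKey)({
  identifier,
  kmsKeyRef: keyRef
  }, context);
@@ -209,7 +209,7 @@ var CredentialProviderJWT = class {
  if (typeof presentation === "string") {
  jwt = presentation;
  } else {
- jwt = (0, import_ssi_sdk2.asArray)(presentation.proof)[0].jwt;
+ jwt = (0, import_ssi_sdk.asArray)(presentation.proof)[0].jwt;
  }
  const resolver = {
  resolve: /* @__PURE__ */ __name((didUrl) => context.agent.resolveDid({
@@ -221,7 +221,7 @@ var CredentialProviderJWT = class {
  if (!audience) {
  const { payload } = await (0, import_did_jwt.decodeJWT)(jwt);
  if (payload.aud) {
- const intendedAudience = (0, import_ssi_sdk2.asArray)(payload.aud);
+ const intendedAudience = (0, import_ssi_sdk.asArray)(payload.aud);
  const managedDids = await context.agent.didManagerFind();
  const filtered = managedDids.filter((identifier) => intendedAudience.includes(identifier.did));
  if (filtered.length > 0) {
@@ -275,7 +275,7 @@ var CredentialProviderJWT = class {
  case "Secp256r1":
  return true;
  case "Secp256k1":
- return (0, import_ssi_sdk2.intersect)(key.meta?.algorithms ?? [], [
+ return (0, import_ssi_sdk.intersect)(key.meta?.algorithms ?? [], [
  "ES256K",
  "ES256K-R"
  ]).length > 0;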
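Review bot: In the `@@ -120` hunk `jwt` can now be `undefined`: with the added `"proof" in credential ? … : []` fallback and `?.[0]?.jwt`, an object credential that has no `proof`, an empty proof list, or a first proof without `jwt` no longer fails at this line and is handed on to the verifier call further down in `verifyCredential` (the function starts and ends outside the hunk). How that call treats a non-string is not visible in the hunk, so the outcome and the reported error code depend on the `did-jwt-vc` error path rather than on this provider; an explicit guard right after the assignment would fail closed with a clear code, e.g. `if (typeof jwt !== "string") return { verified: false, error: { message: "invalid_argument: credential has no JWT proof", errorCode: "invalid_argument" } };`. The `@@ -140` hunk has the matching gap: it adds `"proof" in credential` but still reads `asArray(credential.proof)[0].type` without optional chaining, and the JSON-versus-JWT comparison is skipped whenever the first proof is not `JwtProof2020`. A short comment there should state that in the skipped case only the JWT contents were verified, so callers presumably need to use the returned `verifiableCredential` and not the object they passed in.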
@@ -1 +1 @@
1
- {"version":3,"sources":["../src/index.ts","../src/agent/CredentialProviderJWT.ts"],"sourcesContent":["export { CredentialProviderJWT } from './agent/CredentialProviderJWT'\n","import type { IAgentContext, IIdentifier, IKey, IKeyManager, IVerifyResult, VerifiableCredential, VerifierAgentContext } from '@veramo/core'\nimport {\n type ICanIssueCredentialTypeArgs,\n type ICanVerifyDocumentTypeArgs,\n type ICreateVerifiableCredentialLDArgs,\n type ICreateVerifiablePresentationLDArgs,\n type IVcdmCredentialProvider,\n type IVcdmIssuerAgentContext,\n IVerifyCredentialLDArgs,\n IVerifyPresentationLDArgs,\n pickSigningKey,\n preProcessCredentialPayload,\n preProcessPresentation,\n} from '@sphereon/ssi-sdk.credential-vcdm'\n\nimport canonicalize from 'canonicalize'\n\nimport {\n createVerifiableCredentialJwt,\n createVerifiablePresentationJwt,\n normalizeCredential,\n normalizePresentation,\n verifyCredential as verifyCredentialJWT,\n verifyPresentation as verifyPresentationJWT,\n // @ts-ignore\n} from 'did-jwt-vc'\n\nimport { type Resolvable } from 'did-resolver'\n\nimport { decodeJWT } from 'did-jwt'\n\nimport Debug from 'debug'\nimport { asArray, intersect, VerifiableCredentialSP, VerifiablePresentationSP } from '@sphereon/ssi-sdk.core'\nimport { isVcdm1Credential } from '@sphereon/ssi-types'\n\nconst debug = Debug('sphereon:ssi-sdk:credential-jwt')\n\n/**\n * A handler that implements the {@link IVcdmCredentialProvider} methods.\n *\n * @beta This API may change without a BREAKING CHANGE notice.\n */\nexport class CredentialProviderJWT implements IVcdmCredentialProvider {\n /** {@inheritdoc @veramo/credential-w3c#AbstractCredentialProvider.matchKeyForType} */\n matchKeyForType(key: IKey): boolean {\n return this.matchKeyForJWT(key)\n }\n\n /** {@inheritdoc @veramo/credential-w3c#AbstractCredentialProvider.getTypeProofFormat} */\n getTypeProofFormat(): string {\n return 'jwt'\n }\n\n /** {@inheritdoc 
@veramo/credential-w3c#AbstractCredentialProvider.canIssueCredentialType} */\n canIssueCredentialType(args: ICanIssueCredentialTypeArgs): boolean {\n return args.proofFormat === 'jwt'\n }\n\n /** {@inheritdoc @veramo/credential-w3c#AbstractCredentialProvider.canVerifyDocumentType */\n canVerifyDocumentType(args: ICanVerifyDocumentTypeArgs): boolean {\n const { document } = args\n const jwt = typeof document === 'string' ? document : (<VerifiableCredential>document)?.proof?.jwt\n if (!jwt) {\n return false\n }\n const { payload } = decodeJWT(jwt)\n if ('vc' in payload) {\n return isVcdm1Credential(payload.vc)\n } else if ('vp' in payload) {\n return isVcdm1Credential(payload.vp)\n }\n return false\n }\n\n /** {@inheritdoc @veramo/credential-w3c#AbstractCredentialProvider.createVerifiableCredential} */\n async createVerifiableCredential(args: ICreateVerifiableCredentialLDArgs, context: IVcdmIssuerAgentContext): Promise<VerifiableCredentialSP> {\n let { keyRef, removeOriginalFields, ...otherOptions } = args\n\n const { credential, issuer } = preProcessCredentialPayload(args)\n let identifier: IIdentifier\n try {\n identifier = await context.agent.didManagerGet({ did: issuer })\n } catch (e) {\n throw new Error(`invalid_argument: ${credential.issuer} must be a DID managed by this agent. 
${e}`)\n }\n\n const key = await pickSigningKey({ identifier, kmsKeyRef: keyRef }, context)\n\n debug('Signing VC with', identifier.did)\n let alg = 'ES256'\n if (key.type === 'Ed25519') {\n alg = 'EdDSA'\n } else if (key.type === 'Secp256k1') {\n alg = 'ES256K'\n }\n\n const signer = this.wrapSigner(context, key, alg)\n const jwt = await createVerifiableCredentialJwt(\n credential as any,\n { did: identifier.did, signer, alg, ...(key.meta.verificationMethod.id && { kid: key.meta.verificationMethod.id }) },\n { removeOriginalFields, ...otherOptions },\n )\n //FIXME: flagging this as a potential privacy leak.\n debug(jwt)\n return normalizeCredential(jwt)\n }\n\n /** {@inheritdoc ICredentialVerifier.verifyCredential} */\n async verifyCredential(args: IVerifyCredentialLDArgs, context: VerifierAgentContext): Promise<IVerifyResult> {\n let { credential, policies, ...otherOptions } = args\n let verifiedCredential: VerifiableCredential\n let verificationResult: IVerifyResult = { verified: false }\n let jwt: string = typeof credential === 'string' ? credential : asArray(credential.proof)[0].jwt\n let errorCode, message\n const resolver = {\n resolve: (didUrl: string) =>\n context.agent.resolveDid({\n didUrl,\n options: otherOptions?.resolutionOptions,\n }),\n } as Resolvable\n try {\n // needs broader credential as well to check equivalence with jwt\n verificationResult = await verifyCredentialJWT(jwt, resolver, {\n ...otherOptions,\n policies: {\n ...policies,\n nbf: policies?.nbf ?? policies?.issuanceDate,\n iat: policies?.iat ?? policies?.issuanceDate,\n exp: policies?.exp ?? policies?.expirationDate,\n aud: policies?.aud ?? 
policies?.audience,\n },\n })\n verifiedCredential = verificationResult.verifiableCredential\n\n // if credential was presented with other fields, make sure those fields match what's in the JWT\n if (typeof credential !== 'string' && asArray(credential.proof)[0].type === 'JwtProof2020') {\n const credentialCopy = JSON.parse(JSON.stringify(credential))\n delete credentialCopy.proof.jwt\n\n const verifiedCopy = JSON.parse(JSON.stringify(verifiedCredential))\n delete verifiedCopy.proof.jwt\n\n if (canonicalize(credentialCopy) !== canonicalize(verifiedCopy)) {\n verificationResult.verified = false\n verificationResult.error = new Error('invalid_credential: Credential JSON does not match JWT payload')\n }\n }\n } catch (e: any) {\n errorCode = e.errorCode\n message = e.message\n }\n if (verificationResult.verified) {\n return verificationResult\n }\n return {\n verified: false,\n error: {\n message,\n errorCode: errorCode ? errorCode : message?.split(':')[0],\n },\n }\n }\n\n /** {@inheritdoc @veramo/credential-w3c#AbstractCredentialProvider.createVerifiablePresentation} */\n async createVerifiablePresentation(args: ICreateVerifiablePresentationLDArgs, context: IVcdmIssuerAgentContext): Promise<VerifiablePresentationSP> {\n const { presentation, holder } = preProcessPresentation(args)\n let { domain, challenge, removeOriginalFields, keyRef, now, ...otherOptions } = args\n\n let identifier: IIdentifier\n try {\n identifier = await context.agent.didManagerGet({ did: holder })\n } catch (e) {\n throw new Error('invalid_argument: presentation.holder must be a DID managed by this agent')\n }\n const key = await pickSigningKey({ identifier, kmsKeyRef: keyRef }, context)\n\n debug('Signing VP with', identifier.did)\n let alg = 'ES256'\n if (key.type === 'Ed25519') {\n alg = 'EdDSA'\n } else if (key.type === 'Secp256k1') {\n alg = 'ES256K'\n }\n\n const signer = this.wrapSigner(context, key, alg)\n const jwt = await createVerifiablePresentationJwt(\n presentation as any,\n { 
did: identifier.did, signer, alg },\n { removeOriginalFields, challenge, domain, ...otherOptions },\n )\n //FIXME: flagging this as a potential privacy leak.\n debug(jwt)\n return normalizePresentation(jwt)\n }\n\n /** {@inheritdoc @veramo/credential-w3c#AbstractCredentialProvider.verifyPresentation} */\n async verifyPresentation(args: IVerifyPresentationLDArgs, context: VerifierAgentContext): Promise<IVerifyResult> {\n let { presentation, domain, challenge, fetchRemoteContexts, policies, ...otherOptions } = args\n let jwt: string\n if (typeof presentation === 'string') {\n jwt = presentation\n } else {\n jwt = asArray(presentation.proof)[0].jwt\n }\n const resolver = {\n resolve: (didUrl: string) =>\n context.agent.resolveDid({\n didUrl,\n options: otherOptions?.resolutionOptions,\n }),\n } as Resolvable\n\n let audience = domain\n if (!audience) {\n const { payload } = await decodeJWT(jwt)\n if (payload.aud) {\n // automatically add a managed DID as audience if one is found\n const intendedAudience = asArray(payload.aud)\n const managedDids = await context.agent.didManagerFind()\n const filtered = managedDids.filter((identifier) => intendedAudience.includes(identifier.did))\n if (filtered.length > 0) {\n audience = filtered[0].did\n }\n }\n }\n\n let message, errorCode\n try {\n const result = await verifyPresentationJWT(jwt, resolver, {\n challenge,\n domain,\n audience,\n policies: {\n ...policies,\n nbf: policies?.nbf ?? policies?.issuanceDate,\n iat: policies?.iat ?? policies?.issuanceDate,\n exp: policies?.exp ?? policies?.expirationDate,\n aud: policies?.aud ?? policies?.audience,\n },\n ...otherOptions,\n })\n if (result) {\n return {\n verified: true,\n verifiablePresentation: result,\n }\n }\n } catch (e: any) {\n message = e.message\n errorCode = e.errorCode\n }\n return {\n verified: false,\n error: {\n message,\n errorCode: errorCode ? 
errorCode : message?.split(':')[0],\n },\n }\n }\n\n /**\n * Checks if a key is suitable for signing JWT payloads.\n * @param key - the key to check\n * @param context - the Veramo agent context, unused here\n *\n * @beta\n */\n matchKeyForJWT(key: IKey): boolean {\n switch (key.type) {\n case 'Ed25519':\n case 'Secp256r1':\n return true\n case 'Secp256k1':\n return intersect(key.meta?.algorithms ?? [], ['ES256K', 'ES256K-R']).length > 0\n default:\n return false\n }\n }\n\n wrapSigner(context: IAgentContext<Pick<IKeyManager, 'keyManagerSign'>>, key: IKey, algorithm?: string) {\n return async (data: string | Uint8Array): Promise<string> => {\n const result = await context.agent.keyManagerSign({ keyRef: key.kid, data: <string>data, algorithm })\n return result\n }\n }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;;;;;;;ACCA,qBAYO;AAEP,0BAAyB;AAEzB,wBAQO;AAIP,qBAA0B;AAE1B,mBAAkB;AAClB,IAAAA,kBAAqF;AACrF,uBAAkC;AAElC,IAAMC,YAAQC,aAAAA,SAAM,iCAAA;AAOb,IAAMC,wBAAN,MAAMA;EAzCb,OAyCaA;;;;EAEXC,gBAAgBC,KAAoB;AAClC,WAAO,KAAKC,eAAeD,GAAAA;EAC7B;;EAGAE,qBAA6B;AAC3B,WAAO;EACT;;EAGAC,uBAAuBC,MAA4C;AACjE,WAAOA,KAAKC,gBAAgB;EAC9B;;EAGAC,sBAAsBF,MAA2C;AAC/D,UAAM,EAAEG,SAAQ,IAAKH;AACrB,UAAMI,MAAM,OAAOD,aAAa,WAAWA,WAAkCA,UAAWE,OAAOD;AAC/F,QAAI,CAACA,KAAK;AACR,aAAO;IACT;AACA,UAAM,EAAEE,QAAO,QAAKC,0BAAUH,GAAAA;AAC9B,QAAI,QAAQE,SAAS;AACnB,iBAAOE,oCAAkBF,QAAQG,EAAE;IACrC,WAAW,QAAQH,SAAS;AAC1B,iBAAOE,oCAAkBF,QAAQI,EAAE;IACrC;AACA,WAAO;EACT;;EAGA,MAAMC,2BAA2BX,MAAyCY,SAAmE;AAC3I,QAAI,EAAEC,QAAQC,sBAAsB,GAAGC,aAAAA,IAAiBf;AAExD,UAAM,EAAEgB,YAAYC,OAAM,QAAKC,4CAA4BlB,IAAAA;AAC3D,QAAImB;AACJ,QAAI;AACFA,mBAAa,MAAMP,QAAQQ,MAAMC,cAAc;QAAEC,KAAKL;MAAO,CAAA;IAC/D,SAASM,GAAG;AACV,YAAM,IAAIC,MAAM,qBAAqBR,WAAWC,MAAM,yCAAyCM,CAAAA,EAAG;IACpG;AAEA,UAAM3B,MAAM,UAAM6B,+BAAe;MAAEN;MAAYO,WAAWb;IAAO,GAAGD,OAAAA;AAEpEpB,UAAM,mBAAmB2B,WAAWG,GAAG;AACvC,QAAIK,MAAM;AACV,QAAI/B,IAAIgC,SAAS,WAAW;AAC1BD,YAAM;IACR,WAAW/B,IAAIgC,SAAS,aAAa;AACnCD,YAAM;IACR;AAEA,UAAME,SAAS,KAAKC,WAAWlB,SAAShB,KAAK+B,GAAAA;AAC7C
,UAAMvB,MAAM,UAAM2B,iDAChBf,YACA;MAAEM,KAAKH,WAAWG;MAAKO;MAAQF;MAAK,GAAI/B,IAAIoC,KAAKC,mBAAmBC,MAAM;QAAEC,KAAKvC,IAAIoC,KAAKC,mBAAmBC;MAAG;IAAG,GACnH;MAAEpB;MAAsB,GAAGC;IAAa,CAAA;AAG1CvB,UAAMY,GAAAA;AACN,eAAOgC,uCAAoBhC,GAAAA;EAC7B;;EAGA,MAAMiC,iBAAiBrC,MAA+BY,SAAuD;AAC3G,QAAI,EAAEI,YAAYsB,UAAU,GAAGvB,aAAAA,IAAiBf;AAChD,QAAIuC;AACJ,QAAIC,qBAAoC;MAAEC,UAAU;IAAM;AAC1D,QAAIrC,MAAc,OAAOY,eAAe,WAAWA,iBAAa0B,yBAAQ1B,WAAWX,KAAK,EAAE,CAAA,EAAGD;AAC7F,QAAIuC,WAAWC;AACf,UAAMC,WAAW;MACfC,SAAS,wBAACC,WACRnC,QAAQQ,MAAM4B,WAAW;QACvBD;QACAE,SAASlC,cAAcmC;MACzB,CAAA,GAJO;IAKX;AACA,QAAI;AAEFV,2BAAqB,UAAMW,kBAAAA,kBAAoB/C,KAAKyC,UAAU;QAC5D,GAAG9B;QACHuB,UAAU;UACR,GAAGA;UACHc,KAAKd,UAAUc,OAAOd,UAAUe;UAChCC,KAAKhB,UAAUgB,OAAOhB,UAAUe;UAChCE,KAAKjB,UAAUiB,OAAOjB,UAAUkB;UAChCC,KAAKnB,UAAUmB,OAAOnB,UAAUoB;QAClC;MACF,CAAA;AACAnB,2BAAqBC,mBAAmBmB;AAGxC,UAAI,OAAO3C,eAAe,gBAAY0B,yBAAQ1B,WAAWX,KAAK,EAAE,CAAA,EAAGuB,SAAS,gBAAgB;AAC1F,cAAMgC,iBAAiBC,KAAKC,MAAMD,KAAKE,UAAU/C,UAAAA,CAAAA;AACjD,eAAO4C,eAAevD,MAAMD;AAE5B,cAAM4D,eAAeH,KAAKC,MAAMD,KAAKE,UAAUxB,kBAAAA,CAAAA;AAC/C,eAAOyB,aAAa3D,MAAMD;AAE1B,gBAAI6D,oBAAAA,SAAaL,cAAAA,UAAoBK,oBAAAA,SAAaD,YAAAA,GAAe;AAC/DxB,6BAAmBC,WAAW;AAC9BD,6BAAmB0B,QAAQ,IAAI1C,MAAM,gEAAA;QACvC;MACF;IACF,SAASD,GAAQ;AACfoB,kBAAYpB,EAAEoB;AACdC,gBAAUrB,EAAEqB;IACd;AACA,QAAIJ,mBAAmBC,UAAU;AAC/B,aAAOD;IACT;AACA,WAAO;MACLC,UAAU;MACVyB,OAAO;QACLtB;QACAD,WAAWA,YAAYA,YAAYC,SAASuB,MAAM,GAAA,EAAK,CAAA;MACzD;IACF;EACF;;EAGA,MAAMC,6BAA6BpE,MAA2CY,SAAqE;AACjJ,UAAM,EAAEyD,cAAcC,OAAM,QAAKC,uCAAuBvE,IAAAA;AACxD,QAAI,EAAEwE,QAAQC,WAAW3D,sBAAsBD,QAAQ6D,KAAK,GAAG3D,aAAAA,IAAiBf;AAEhF,QAAImB;AACJ,QAAI;AACFA,mBAAa,MAAMP,QAAQQ,MAAMC,cAAc;QAAEC,KAAKgD;MAAO,CAAA;IAC/D,SAAS/C,GAAG;AACV,YAAM,IAAIC,MAAM,2EAAA;IAClB;AACA,UAAM5B,MAAM,UAAM6B,+BAAe;MAAEN;MAAYO,WAAWb;IAAO,GAAGD,OAAAA;AAEpEpB,UAAM,mBAAmB2B,WAAWG,GAAG;AACvC,QAAIK,MAAM;AACV,QAAI/B,IAAIgC,SAAS,WAAW;AAC1BD,YAAM;IACR,WAAW/B,IAAIgC,SAAS,aAAa;AACnCD,YAAM;IACR;AAEA,UAAME,SAAS,KAAKC,WAAWlB,SAAShB,KAAK+B,GAAAA;AAC7C,UAAMvB,MAAM,UAAMuE,mDAChBN,c
ACA;MAAE/C,KAAKH,WAAWG;MAAKO;MAAQF;IAAI,GACnC;MAAEb;MAAsB2D;MAAWD;MAAQ,GAAGzD;IAAa,CAAA;AAG7DvB,UAAMY,GAAAA;AACN,eAAOwE,yCAAsBxE,GAAAA;EAC/B;;EAGA,MAAMyE,mBAAmB7E,MAAiCY,SAAuD;AAC/G,QAAI,EAAEyD,cAAcG,QAAQC,WAAWK,qBAAqBxC,UAAU,GAAGvB,aAAAA,IAAiBf;AAC1F,QAAII;AACJ,QAAI,OAAOiE,iBAAiB,UAAU;AACpCjE,YAAMiE;IACR,OAAO;AACLjE,gBAAMsC,yBAAQ2B,aAAahE,KAAK,EAAE,CAAA,EAAGD;IACvC;AACA,UAAMyC,WAAW;MACfC,SAAS,wBAACC,WACRnC,QAAQQ,MAAM4B,WAAW;QACvBD;QACAE,SAASlC,cAAcmC;MACzB,CAAA,GAJO;IAKX;AAEA,QAAIQ,WAAWc;AACf,QAAI,CAACd,UAAU;AACb,YAAM,EAAEpD,QAAO,IAAK,UAAMC,0BAAUH,GAAAA;AACpC,UAAIE,QAAQmD,KAAK;AAEf,cAAMsB,uBAAmBrC,yBAAQpC,QAAQmD,GAAG;AAC5C,cAAMuB,cAAc,MAAMpE,QAAQQ,MAAM6D,eAAc;AACtD,cAAMC,WAAWF,YAAYG,OAAO,CAAChE,eAAe4D,iBAAiBK,SAASjE,WAAWG,GAAG,CAAA;AAC5F,YAAI4D,SAASG,SAAS,GAAG;AACvB3B,qBAAWwB,SAAS,CAAA,EAAG5D;QACzB;MACF;IACF;AAEA,QAAIsB,SAASD;AACb,QAAI;AACF,YAAM2C,SAAS,UAAMC,kBAAAA,oBAAsBnF,KAAKyC,UAAU;QACxD4B;QACAD;QACAd;QACApB,UAAU;UACR,GAAGA;UACHc,KAAKd,UAAUc,OAAOd,UAAUe;UAChCC,KAAKhB,UAAUgB,OAAOhB,UAAUe;UAChCE,KAAKjB,UAAUiB,OAAOjB,UAAUkB;UAChCC,KAAKnB,UAAUmB,OAAOnB,UAAUoB;QAClC;QACA,GAAG3C;MACL,CAAA;AACA,UAAIuE,QAAQ;AACV,eAAO;UACL7C,UAAU;UACV+C,wBAAwBF;QAC1B;MACF;IACF,SAAS/D,GAAQ;AACfqB,gBAAUrB,EAAEqB;AACZD,kBAAYpB,EAAEoB;IAChB;AACA,WAAO;MACLF,UAAU;MACVyB,OAAO;QACLtB;QACAD,WAAWA,YAAYA,YAAYC,SAASuB,MAAM,GAAA,EAAK,CAAA;MACzD;IACF;EACF;;;;;;;;EASAtE,eAAeD,KAAoB;AACjC,YAAQA,IAAIgC,MAAI;MACd,KAAK;MACL,KAAK;AACH,eAAO;MACT,KAAK;AACH,mBAAO6D,2BAAU7F,IAAIoC,MAAM0D,cAAc,CAAA,GAAI;UAAC;UAAU;SAAW,EAAEL,SAAS;MAChF;AACE,eAAO;IACX;EACF;EAEAvD,WAAWlB,SAA6DhB,KAAW+F,WAAoB;AACrG,WAAO,OAAOC,SAAAA;AACZ,YAAMN,SAAS,MAAM1E,QAAQQ,MAAMyE,eAAe;QAAEhF,QAAQjB,IAAIuC;QAAKyD;QAAoBD;MAAU,CAAA;AACnG,aAAOL;IACT;EACF;AACF;","names":["import_ssi_sdk","debug","Debug","CredentialProviderJWT","matchKeyForType","key","matchKeyForJWT","getTypeProofFormat","canIssueCredentialType","args","proofFormat","canVerifyDocumentType","document","jwt","proof","payload","decodeJWT","isVcdm1Credential","vc","vp","createVerifiable
Credential","context","keyRef","removeOriginalFields","otherOptions","credential","issuer","preProcessCredentialPayload","identifier","agent","didManagerGet","did","e","Error","pickSigningKey","kmsKeyRef","alg","type","signer","wrapSigner","createVerifiableCredentialJwt","meta","verificationMethod","id","kid","normalizeCredential","verifyCredential","policies","verifiedCredential","verificationResult","verified","asArray","errorCode","message","resolver","resolve","didUrl","resolveDid","options","resolutionOptions","verifyCredentialJWT","nbf","issuanceDate","iat","exp","expirationDate","aud","audience","verifiableCredential","credentialCopy","JSON","parse","stringify","verifiedCopy","canonicalize","error","split","createVerifiablePresentation","presentation","holder","preProcessPresentation","domain","challenge","now","createVerifiablePresentationJwt","normalizePresentation","verifyPresentation","fetchRemoteContexts","intendedAudience","managedDids","didManagerFind","filtered","filter","includes","length","result","verifyPresentationJWT","verifiablePresentation","intersect","algorithms","algorithm","data","keyManagerSign"]}
1
+ {"version":3,"sources":["../src/index.ts","../src/agent/CredentialProviderJWT.ts"],"sourcesContent":["export { CredentialProviderJWT } from './agent/CredentialProviderJWT'\n","import { asArray, intersect, VerifiableCredentialSP, VerifiablePresentationSP } from '@sphereon/ssi-sdk.core'\nimport {\n type ICanIssueCredentialTypeArgs,\n type ICanVerifyDocumentTypeArgs,\n type ICreateVerifiableCredentialLDArgs,\n type ICreateVerifiablePresentationLDArgs,\n type IVcdmCredentialProvider,\n type IVcdmIssuerAgentContext,\n IVerifyCredentialVcdmArgs,\n IVerifyPresentationLDArgs,\n pickSigningKey,\n preProcessCredentialPayload,\n preProcessPresentation\n} from '@sphereon/ssi-sdk.credential-vcdm'\nimport { isVcdm1Credential, IVerifyResult } from '@sphereon/ssi-types'\nimport type {\n IAgentContext,\n IIdentifier,\n IKey,\n IKeyManager,\n VerifiableCredential,\n VerifierAgentContext\n} from '@veramo/core'\n\nimport canonicalize from 'canonicalize'\n\nimport Debug from 'debug'\n\nimport { decodeJWT } from 'did-jwt'\n\n\nimport {\n createVerifiableCredentialJwt,\n createVerifiablePresentationJwt,\n normalizeCredential,\n normalizePresentation,\n verifyCredential as verifyCredentialJWT,\n verifyPresentation as verifyPresentationJWT\n // @ts-ignore\n} from 'did-jwt-vc'\n\nimport { type Resolvable } from 'did-resolver'\n\nconst debug = Debug('sphereon:ssi-sdk:credential-jwt')\n\n/**\n * A handler that implements the {@link IVcdmCredentialProvider} methods.\n *\n * @beta This API may change without a BREAKING CHANGE notice.\n */\nexport class CredentialProviderJWT implements IVcdmCredentialProvider {\n /** {@inheritdoc @veramo/credential-w3c#AbstractCredentialProvider.matchKeyForType} */\n matchKeyForType(key: IKey): boolean {\n return this.matchKeyForJWT(key)\n }\n\n /** {@inheritdoc @veramo/credential-w3c#AbstractCredentialProvider.getTypeProofFormat} */\n getTypeProofFormat(): string {\n return 'jwt'\n }\n\n /** {@inheritdoc 
@veramo/credential-w3c#AbstractCredentialProvider.canIssueCredentialType} */\n canIssueCredentialType(args: ICanIssueCredentialTypeArgs): boolean {\n return args.proofFormat === 'jwt'\n }\n\n /** {@inheritdoc @veramo/credential-w3c#AbstractCredentialProvider.canVerifyDocumentType */\n canVerifyDocumentType(args: ICanVerifyDocumentTypeArgs): boolean {\n const { document } = args\n const jwt = typeof document === 'string' ? document : (<VerifiableCredential>document)?.proof?.jwt\n if (!jwt) {\n return false\n }\n const { payload } = decodeJWT(jwt)\n if ('vc' in payload) {\n return isVcdm1Credential(payload.vc)\n } else if ('vp' in payload) {\n return isVcdm1Credential(payload.vp)\n }\n return false\n }\n\n /** {@inheritdoc @veramo/credential-w3c#AbstractCredentialProvider.createVerifiableCredential} */\n async createVerifiableCredential(args: ICreateVerifiableCredentialLDArgs, context: IVcdmIssuerAgentContext): Promise<VerifiableCredentialSP> {\n let { keyRef, removeOriginalFields, ...otherOptions } = args\n\n const { credential, issuer } = preProcessCredentialPayload(args)\n let identifier: IIdentifier\n try {\n identifier = await context.agent.didManagerGet({ did: issuer })\n } catch (e) {\n throw new Error(`invalid_argument: ${credential.issuer} must be a DID managed by this agent. 
${e}`)\n }\n\n const key = await pickSigningKey({ identifier, kmsKeyRef: keyRef }, context)\n\n debug('Signing VC with', identifier.did)\n let alg = 'ES256'\n if (key.type === 'Ed25519') {\n alg = 'EdDSA'\n } else if (key.type === 'Secp256k1') {\n alg = 'ES256K'\n }\n\n const signer = this.wrapSigner(context, key, alg)\n const jwt = await createVerifiableCredentialJwt(\n credential as any,\n {\n did: identifier.did,\n signer,\n alg, ...(key.meta.verificationMethod.id && { kid: key.meta.verificationMethod.id })\n },\n { removeOriginalFields, ...otherOptions }\n )\n //FIXME: flagging this as a potential privacy leak.\n debug(jwt)\n return normalizeCredential(jwt)\n }\n\n /** {@inheritdoc ICredentialVerifier.verifyCredential} */\n async verifyCredential(args: IVerifyCredentialVcdmArgs, context: VerifierAgentContext): Promise<IVerifyResult> {\n let { credential, policies, ...otherOptions } = args\n let verifiedCredential: VerifiableCredential\n let verificationResult: IVerifyResult = { verified: false }\n let jwt: string = typeof credential === 'string' ? credential : asArray('proof' in credential ? credential.proof : [])?.[0]?.jwt\n let errorCode, message\n const resolver = {\n resolve: (didUrl: string) =>\n context.agent.resolveDid({\n didUrl,\n options: otherOptions?.resolutionOptions\n })\n } as Resolvable\n try {\n // needs broader credential as well to check equivalence with jwt\n verificationResult = await verifyCredentialJWT(jwt, resolver, {\n ...otherOptions,\n policies: {\n ...policies,\n nbf: policies?.nbf ?? policies?.issuanceDate,\n iat: policies?.iat ?? policies?.issuanceDate,\n exp: policies?.exp ?? policies?.expirationDate,\n aud: policies?.aud ?? 
policies?.audience\n }\n })\n verifiedCredential = verificationResult.verifiableCredential\n\n // if credential was presented with other fields, make sure those fields match what's in the JWT\n if (typeof credential !== 'string' && 'proof' in credential && asArray(credential.proof)[0].type === 'JwtProof2020') {\n const credentialCopy = JSON.parse(JSON.stringify(credential))\n delete credentialCopy.proof.jwt\n\n const verifiedCopy = JSON.parse(JSON.stringify(verifiedCredential))\n delete verifiedCopy.proof.jwt\n\n if (canonicalize(credentialCopy) !== canonicalize(verifiedCopy)) {\n verificationResult.verified = false\n verificationResult.error = new Error('invalid_credential: Credential JSON does not match JWT payload')\n }\n }\n } catch (e: any) {\n errorCode = e.errorCode\n message = e.message\n }\n if (verificationResult.verified) {\n return verificationResult\n }\n return {\n verified: false,\n error: {\n message,\n errorCode: errorCode ? errorCode : message?.split(':')[0]\n }\n }\n }\n\n /** {@inheritdoc @veramo/credential-w3c#AbstractCredentialProvider.createVerifiablePresentation} */\n async createVerifiablePresentation(args: ICreateVerifiablePresentationLDArgs, context: IVcdmIssuerAgentContext): Promise<VerifiablePresentationSP> {\n const { presentation, holder } = preProcessPresentation(args)\n let { domain, challenge, removeOriginalFields, keyRef, now, ...otherOptions } = args\n\n let identifier: IIdentifier\n try {\n identifier = await context.agent.didManagerGet({ did: holder })\n } catch (e) {\n throw new Error('invalid_argument: presentation.holder must be a DID managed by this agent')\n }\n const key = await pickSigningKey({ identifier, kmsKeyRef: keyRef }, context)\n\n debug('Signing VP with', identifier.did)\n let alg = 'ES256'\n if (key.type === 'Ed25519') {\n alg = 'EdDSA'\n } else if (key.type === 'Secp256k1') {\n alg = 'ES256K'\n }\n\n const signer = this.wrapSigner(context, key, alg)\n const jwt = await createVerifiablePresentationJwt(\n 
presentation as any,\n { did: identifier.did, signer, alg },\n { removeOriginalFields, challenge, domain, ...otherOptions }\n )\n //FIXME: flagging this as a potential privacy leak.\n debug(jwt)\n return normalizePresentation(jwt)\n }\n\n /** {@inheritdoc @veramo/credential-w3c#AbstractCredentialProvider.verifyPresentation} */\n async verifyPresentation(args: IVerifyPresentationLDArgs, context: VerifierAgentContext): Promise<IVerifyResult> {\n let { presentation, domain, challenge, fetchRemoteContexts, policies, ...otherOptions } = args\n let jwt: string\n if (typeof presentation === 'string') {\n jwt = presentation\n } else {\n jwt = asArray(presentation.proof)[0].jwt\n }\n const resolver = {\n resolve: (didUrl: string) =>\n context.agent.resolveDid({\n didUrl,\n options: otherOptions?.resolutionOptions\n })\n } as Resolvable\n\n let audience = domain\n if (!audience) {\n const { payload } = await decodeJWT(jwt)\n if (payload.aud) {\n // automatically add a managed DID as audience if one is found\n const intendedAudience = asArray(payload.aud)\n const managedDids = await context.agent.didManagerFind()\n const filtered = managedDids.filter((identifier) => intendedAudience.includes(identifier.did))\n if (filtered.length > 0) {\n audience = filtered[0].did\n }\n }\n }\n\n let message, errorCode\n try {\n const result = await verifyPresentationJWT(jwt, resolver, {\n challenge,\n domain,\n audience,\n policies: {\n ...policies,\n nbf: policies?.nbf ?? policies?.issuanceDate,\n iat: policies?.iat ?? policies?.issuanceDate,\n exp: policies?.exp ?? policies?.expirationDate,\n aud: policies?.aud ?? policies?.audience\n },\n ...otherOptions\n })\n if (result) {\n return {\n verified: true,\n verifiablePresentation: result\n }\n }\n } catch (e: any) {\n message = e.message\n errorCode = e.errorCode\n }\n return {\n verified: false,\n error: {\n message,\n errorCode: errorCode ? 
errorCode : message?.split(':')[0]\n }\n }\n }\n\n /**\n * Checks if a key is suitable for signing JWT payloads.\n * @param key - the key to check\n * @param context - the Veramo agent context, unused here\n *\n * @beta\n */\n matchKeyForJWT(key: IKey): boolean {\n switch (key.type) {\n case 'Ed25519':\n case 'Secp256r1':\n return true\n case 'Secp256k1':\n return intersect(key.meta?.algorithms ?? [], ['ES256K', 'ES256K-R']).length > 0\n default:\n return false\n }\n }\n\n wrapSigner(context: IAgentContext<Pick<IKeyManager, 'keyManagerSign'>>, key: IKey, algorithm?: string) {\n return async (data: string | Uint8Array): Promise<string> => {\n const result = await context.agent.keyManagerSign({ keyRef: key.kid, data: <string>data, algorithm })\n return result\n }\n }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;;;;;;;ACAA,qBAAqF;AACrF,IAAAA,kBAYO;AACP,uBAAiD;AAUjD,0BAAyB;AAEzB,mBAAkB;AAElB,qBAA0B;AAG1B,wBAQO;AAIP,IAAMC,YAAQC,aAAAA,SAAM,iCAAA;AAOb,IAAMC,wBAAN,MAAMA;EAlDb,OAkDaA;;;;EAEXC,gBAAgBC,KAAoB;AAClC,WAAO,KAAKC,eAAeD,GAAAA;EAC7B;;EAGAE,qBAA6B;AAC3B,WAAO;EACT;;EAGAC,uBAAuBC,MAA4C;AACjE,WAAOA,KAAKC,gBAAgB;EAC9B;;EAGAC,sBAAsBF,MAA2C;AAC/D,UAAM,EAAEG,SAAQ,IAAKH;AACrB,UAAMI,MAAM,OAAOD,aAAa,WAAWA,WAAkCA,UAAWE,OAAOD;AAC/F,QAAI,CAACA,KAAK;AACR,aAAO;IACT;AACA,UAAM,EAAEE,QAAO,QAAKC,0BAAUH,GAAAA;AAC9B,QAAI,QAAQE,SAAS;AACnB,iBAAOE,oCAAkBF,QAAQG,EAAE;IACrC,WAAW,QAAQH,SAAS;AAC1B,iBAAOE,oCAAkBF,QAAQI,EAAE;IACrC;AACA,WAAO;EACT;;EAGA,MAAMC,2BAA2BX,MAAyCY,SAAmE;AAC3I,QAAI,EAAEC,QAAQC,sBAAsB,GAAGC,aAAAA,IAAiBf;AAExD,UAAM,EAAEgB,YAAYC,OAAM,QAAKC,6CAA4BlB,IAAAA;AAC3D,QAAImB;AACJ,QAAI;AACFA,mBAAa,MAAMP,QAAQQ,MAAMC,cAAc;QAAEC,KAAKL;MAAO,CAAA;IAC/D,SAASM,GAAG;AACV,YAAM,IAAIC,MAAM,qBAAqBR,WAAWC,MAAM,yCAAyCM,CAAAA,EAAG;IACpG;AAEA,UAAM3B,MAAM,UAAM6B,gCAAe;MAAEN;MAAYO,WAAWb;IAAO,GAAGD,OAAAA;AAEpEpB,UAAM,mBAAmB2B,WAAWG,GAAG;AACvC,QAAIK,MAAM;AACV,QAAI/B,IAAIgC,SAAS,WAAW;AAC1BD,YAAM;IACR,WAAW/B,IAAIgC,SAAS,aAAa;AACnCD,YAAM;IACR;AAEA,UAAME,SAAS,KAAKC,WAAWlB,SAAShB,KAAK+B,GAAAA;AAC7C,U
AAMvB,MAAM,UAAM2B,iDAChBf,YACA;MACEM,KAAKH,WAAWG;MAChBO;MACAF;MAAK,GAAI/B,IAAIoC,KAAKC,mBAAmBC,MAAM;QAAEC,KAAKvC,IAAIoC,KAAKC,mBAAmBC;MAAG;IACnF,GACA;MAAEpB;MAAsB,GAAGC;IAAa,CAAA;AAG1CvB,UAAMY,GAAAA;AACN,eAAOgC,uCAAoBhC,GAAAA;EAC7B;;EAGA,MAAMiC,iBAAiBrC,MAAiCY,SAAuD;AAC7G,QAAI,EAAEI,YAAYsB,UAAU,GAAGvB,aAAAA,IAAiBf;AAChD,QAAIuC;AACJ,QAAIC,qBAAoC;MAAEC,UAAU;IAAM;AAC1D,QAAIrC,MAAc,OAAOY,eAAe,WAAWA,iBAAa0B,wBAAQ,WAAW1B,aAAaA,WAAWX,QAAQ,CAAA,CAAE,IAAI,CAAA,GAAID;AAC7H,QAAIuC,WAAWC;AACf,UAAMC,WAAW;MACfC,SAAS,wBAACC,WACRnC,QAAQQ,MAAM4B,WAAW;QACvBD;QACAE,SAASlC,cAAcmC;MACzB,CAAA,GAJO;IAKX;AACA,QAAI;AAEFV,2BAAqB,UAAMW,kBAAAA,kBAAoB/C,KAAKyC,UAAU;QAC5D,GAAG9B;QACHuB,UAAU;UACR,GAAGA;UACHc,KAAKd,UAAUc,OAAOd,UAAUe;UAChCC,KAAKhB,UAAUgB,OAAOhB,UAAUe;UAChCE,KAAKjB,UAAUiB,OAAOjB,UAAUkB;UAChCC,KAAKnB,UAAUmB,OAAOnB,UAAUoB;QAClC;MACF,CAAA;AACAnB,2BAAqBC,mBAAmBmB;AAGxC,UAAI,OAAO3C,eAAe,YAAY,WAAWA,kBAAc0B,wBAAQ1B,WAAWX,KAAK,EAAE,CAAA,EAAGuB,SAAS,gBAAgB;AACnH,cAAMgC,iBAAiBC,KAAKC,MAAMD,KAAKE,UAAU/C,UAAAA,CAAAA;AACjD,eAAO4C,eAAevD,MAAMD;AAE5B,cAAM4D,eAAeH,KAAKC,MAAMD,KAAKE,UAAUxB,kBAAAA,CAAAA;AAC/C,eAAOyB,aAAa3D,MAAMD;AAE1B,gBAAI6D,oBAAAA,SAAaL,cAAAA,UAAoBK,oBAAAA,SAAaD,YAAAA,GAAe;AAC/DxB,6BAAmBC,WAAW;AAC9BD,6BAAmB0B,QAAQ,IAAI1C,MAAM,gEAAA;QACvC;MACF;IACF,SAASD,GAAQ;AACfoB,kBAAYpB,EAAEoB;AACdC,gBAAUrB,EAAEqB;IACd;AACA,QAAIJ,mBAAmBC,UAAU;AAC/B,aAAOD;IACT;AACA,WAAO;MACLC,UAAU;MACVyB,OAAO;QACLtB;QACAD,WAAWA,YAAYA,YAAYC,SAASuB,MAAM,GAAA,EAAK,CAAA;MACzD;IACF;EACF;;EAGA,MAAMC,6BAA6BpE,MAA2CY,SAAqE;AACjJ,UAAM,EAAEyD,cAAcC,OAAM,QAAKC,wCAAuBvE,IAAAA;AACxD,QAAI,EAAEwE,QAAQC,WAAW3D,sBAAsBD,QAAQ6D,KAAK,GAAG3D,aAAAA,IAAiBf;AAEhF,QAAImB;AACJ,QAAI;AACFA,mBAAa,MAAMP,QAAQQ,MAAMC,cAAc;QAAEC,KAAKgD;MAAO,CAAA;IAC/D,SAAS/C,GAAG;AACV,YAAM,IAAIC,MAAM,2EAAA;IAClB;AACA,UAAM5B,MAAM,UAAM6B,gCAAe;MAAEN;MAAYO,WAAWb;IAAO,GAAGD,OAAAA;AAEpEpB,UAAM,mBAAmB2B,WAAWG,GAAG;AACvC,QAAIK,MAAM;AACV,QAAI/B,IAAIgC,SAAS,WAAW;AAC1BD,YAAM;IACR,WAAW/B,IAAIgC,SAAS,aAAa;AACnCD,YAAM;IACR;AAEA,UAAME,SAAS,KAAKC,WAAWlB,SAAShB,KAAK+B,GAAAA;AAC
7C,UAAMvB,MAAM,UAAMuE,mDAChBN,cACA;MAAE/C,KAAKH,WAAWG;MAAKO;MAAQF;IAAI,GACnC;MAAEb;MAAsB2D;MAAWD;MAAQ,GAAGzD;IAAa,CAAA;AAG7DvB,UAAMY,GAAAA;AACN,eAAOwE,yCAAsBxE,GAAAA;EAC/B;;EAGA,MAAMyE,mBAAmB7E,MAAiCY,SAAuD;AAC/G,QAAI,EAAEyD,cAAcG,QAAQC,WAAWK,qBAAqBxC,UAAU,GAAGvB,aAAAA,IAAiBf;AAC1F,QAAII;AACJ,QAAI,OAAOiE,iBAAiB,UAAU;AACpCjE,YAAMiE;IACR,OAAO;AACLjE,gBAAMsC,wBAAQ2B,aAAahE,KAAK,EAAE,CAAA,EAAGD;IACvC;AACA,UAAMyC,WAAW;MACfC,SAAS,wBAACC,WACRnC,QAAQQ,MAAM4B,WAAW;QACvBD;QACAE,SAASlC,cAAcmC;MACzB,CAAA,GAJO;IAKX;AAEA,QAAIQ,WAAWc;AACf,QAAI,CAACd,UAAU;AACb,YAAM,EAAEpD,QAAO,IAAK,UAAMC,0BAAUH,GAAAA;AACpC,UAAIE,QAAQmD,KAAK;AAEf,cAAMsB,uBAAmBrC,wBAAQpC,QAAQmD,GAAG;AAC5C,cAAMuB,cAAc,MAAMpE,QAAQQ,MAAM6D,eAAc;AACtD,cAAMC,WAAWF,YAAYG,OAAO,CAAChE,eAAe4D,iBAAiBK,SAASjE,WAAWG,GAAG,CAAA;AAC5F,YAAI4D,SAASG,SAAS,GAAG;AACvB3B,qBAAWwB,SAAS,CAAA,EAAG5D;QACzB;MACF;IACF;AAEA,QAAIsB,SAASD;AACb,QAAI;AACF,YAAM2C,SAAS,UAAMC,kBAAAA,oBAAsBnF,KAAKyC,UAAU;QACxD4B;QACAD;QACAd;QACApB,UAAU;UACR,GAAGA;UACHc,KAAKd,UAAUc,OAAOd,UAAUe;UAChCC,KAAKhB,UAAUgB,OAAOhB,UAAUe;UAChCE,KAAKjB,UAAUiB,OAAOjB,UAAUkB;UAChCC,KAAKnB,UAAUmB,OAAOnB,UAAUoB;QAClC;QACA,GAAG3C;MACL,CAAA;AACA,UAAIuE,QAAQ;AACV,eAAO;UACL7C,UAAU;UACV+C,wBAAwBF;QAC1B;MACF;IACF,SAAS/D,GAAQ;AACfqB,gBAAUrB,EAAEqB;AACZD,kBAAYpB,EAAEoB;IAChB;AACA,WAAO;MACLF,UAAU;MACVyB,OAAO;QACLtB;QACAD,WAAWA,YAAYA,YAAYC,SAASuB,MAAM,GAAA,EAAK,CAAA;MACzD;IACF;EACF;;;;;;;;EASAtE,eAAeD,KAAoB;AACjC,YAAQA,IAAIgC,MAAI;MACd,KAAK;MACL,KAAK;AACH,eAAO;MACT,KAAK;AACH,mBAAO6D,0BAAU7F,IAAIoC,MAAM0D,cAAc,CAAA,GAAI;UAAC;UAAU;SAAW,EAAEL,SAAS;MAChF;AACE,eAAO;IACX;EACF;EAEAvD,WAAWlB,SAA6DhB,KAAW+F,WAAoB;AACrG,WAAO,OAAOC,SAAAA;AACZ,YAAMN,SAAS,MAAM1E,QAAQQ,MAAMyE,eAAe;QAAEhF,QAAQjB,IAAIuC;QAAKyD;QAAoBD;MAAU,CAAA;AACnG,aAAOL;IACT;EACF;AACF;","names":["import_ssi_sdk","debug","Debug","CredentialProviderJWT","matchKeyForType","key","matchKeyForJWT","getTypeProofFormat","canIssueCredentialType","args","proofFormat","canVerifyDocumentType","document","jwt","proof","payload","decodeJWT","isVcdm1Credenti
al","vc","vp","createVerifiableCredential","context","keyRef","removeOriginalFields","otherOptions","credential","issuer","preProcessCredentialPayload","identifier","agent","didManagerGet","did","e","Error","pickSigningKey","kmsKeyRef","alg","type","signer","wrapSigner","createVerifiableCredentialJwt","meta","verificationMethod","id","kid","normalizeCredential","verifyCredential","policies","verifiedCredential","verificationResult","verified","asArray","errorCode","message","resolver","resolve","didUrl","resolveDid","options","resolutionOptions","verifyCredentialJWT","nbf","issuanceDate","iat","exp","expirationDate","aud","audience","verifiableCredential","credentialCopy","JSON","parse","stringify","verifiedCopy","canonicalize","error","split","createVerifiablePresentation","presentation","holder","preProcessPresentation","domain","challenge","now","createVerifiablePresentationJwt","normalizePresentation","verifyPresentation","fetchRemoteContexts","intendedAudience","managedDids","didManagerFind","filtered","filter","includes","length","result","verifyPresentationJWT","verifiablePresentation","intersect","algorithms","algorithm","data","keyManagerSign"]}
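--- a/package/dist/index.d.cts
+++ b/package/dist/index.d.cts
@@ -1,6 +1,7 @@
- import { IKey, VerifierAgentContext, IVerifyResult, IAgentContext, IKeyManager } from '@veramo/core';
- import { IVcdmCredentialProvider, ICanIssueCredentialTypeArgs, ICanVerifyDocumentTypeArgs, ICreateVerifiableCredentialLDArgs, IVcdmIssuerAgentContext, IVerifyCredentialLDArgs, ICreateVerifiablePresentationLDArgs, IVerifyPresentationLDArgs } from '@sphereon/ssi-sdk.credential-vcdm';
  import { VerifiableCredentialSP, VerifiablePresentationSP } from '@sphereon/ssi-sdk.core';
+ import { IVcdmCredentialProvider, ICanIssueCredentialTypeArgs, ICanVerifyDocumentTypeArgs, ICreateVerifiableCredentialLDArgs, IVcdmIssuerAgentContext, IVerifyCredentialVcdmArgs, ICreateVerifiablePresentationLDArgs, IVerifyPresentationLDArgs } from '@sphereon/ssi-sdk.credential-vcdm';
+ import { IVerifyResult } from '@sphereon/ssi-types';
+ import { IKey, VerifierAgentContext, IAgentContext, IKeyManager } from '@veramo/core';
 
  /**
  * A handler that implements the {@link IVcdmCredentialProvider} methods.
@@ -19,7 +20,7 @@ declare class CredentialProviderJWT implements IVcdmCredentialProvider {
  /** {@inheritdoc @veramo/credential-w3c#AbstractCredentialProvider.createVerifiableCredential} */
  createVerifiableCredential(args: ICreateVerifiableCredentialLDArgs, context: IVcdmIssuerAgentContext): Promise<VerifiableCredentialSP>;
  /** {@inheritdoc ICredentialVerifier.verifyCredential} */
- verifyCredential(args: IVerifyCredentialLDArgs, context: VerifierAgentContext): Promise<IVerifyResult>;
+ verifyCredential(args: IVerifyCredentialVcdmArgs, context: VerifierAgentContext): Promise<IVerifyResult>;
  /** {@inheritdoc @veramo/credential-w3c#AbstractCredentialProvider.createVerifiablePresentation} */
  createVerifiablePresentation(args: ICreateVerifiablePresentationLDArgs, context: IVcdmIssuerAgentContext): Promise<VerifiablePresentationSP>;
  /** {@inheritdoc @veramo/credential-w3c#AbstractCredentialProvider.verifyPresentation} */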
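--- a/package/dist/index.d.ts
+++ b/package/dist/index.d.ts
@@ -1,6 +1,7 @@
- import { IKey, VerifierAgentContext, IVerifyResult, IAgentContext, IKeyManager } from '@veramo/core';
- import { IVcdmCredentialProvider, ICanIssueCredentialTypeArgs, ICanVerifyDocumentTypeArgs, ICreateVerifiableCredentialLDArgs, IVcdmIssuerAgentContext, IVerifyCredentialLDArgs, ICreateVerifiablePresentationLDArgs, IVerifyPresentationLDArgs } from '@sphereon/ssi-sdk.credential-vcdm';
  import { VerifiableCredentialSP, VerifiablePresentationSP } from '@sphereon/ssi-sdk.core';
+ import { IVcdmCredentialProvider, ICanIssueCredentialTypeArgs, ICanVerifyDocumentTypeArgs, ICreateVerifiableCredentialLDArgs, IVcdmIssuerAgentContext, IVerifyCredentialVcdmArgs, ICreateVerifiablePresentationLDArgs, IVerifyPresentationLDArgs } from '@sphereon/ssi-sdk.credential-vcdm';
+ import { IVerifyResult } from '@sphereon/ssi-types';
+ import { IKey, VerifierAgentContext, IAgentContext, IKeyManager } from '@veramo/core';
 
  /**
  * A handler that implements the {@link IVcdmCredentialProvider} methods.
@@ -19,7 +20,7 @@ declare class CredentialProviderJWT implements IVcdmCredentialProvider {
  /** {@inheritdoc @veramo/credential-w3c#AbstractCredentialProvider.createVerifiableCredential} */
  createVerifiableCredential(args: ICreateVerifiableCredentialLDArgs, context: IVcdmIssuerAgentContext): Promise<VerifiableCredentialSP>;
  /** {@inheritdoc ICredentialVerifier.verifyCredential} */
- verifyCredential(args: IVerifyCredentialLDArgs, context: VerifierAgentContext): Promise<IVerifyResult>;
+ verifyCredential(args: IVerifyCredentialVcdmArgs, context: VerifierAgentContext): Promise<IVerifyResult>;
  /** {@inheritdoc @veramo/credential-w3c#AbstractCredentialProvider.createVerifiablePresentation} */
  createVerifiablePresentation(args: ICreateVerifiablePresentationLDArgs, context: IVcdmIssuerAgentContext): Promise<VerifiablePresentationSP>;
  /** {@inheritdoc @veramo/credential-w3c#AbstractCredentialProvider.verifyPresentation} */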
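--- a/package/dist/index.js
+++ b/package/dist/index.js
@@ -2,13 +2,13 @@ var __defProp = Object.defineProperty;
  var __name = (target, value) => __defProp(target, "name", { value, configurable: true });
 
  // src/agent/CredentialProviderJWT.ts
+ import { asArray, intersect } from "@sphereon/ssi-sdk.core";
  import { pickSigningKey, preProcessCredentialPayload, preProcessPresentation } from "@sphereon/ssi-sdk.credential-vcdm";
+ import { isVcdm1Credential } from "@sphereon/ssi-types";
  import canonicalize from "canonicalize";
- import { createVerifiableCredentialJwt, createVerifiablePresentationJwt, normalizeCredential, normalizePresentation, verifyCredential as verifyCredentialJWT, verifyPresentation as verifyPresentationJWT } from "did-jwt-vc";
- import { decodeJWT } from "did-jwt";
  import Debug from "debug";
- import { asArray, intersect } from "@sphereon/ssi-sdk.core";
- import { isVcdm1Credential } from "@sphereon/ssi-types";
+ import { decodeJWT } from "did-jwt";
+ import { createVerifiableCredentialJwt, createVerifiablePresentationJwt, normalizeCredential, normalizePresentation, verifyCredential as verifyCredentialJWT, verifyPresentation as verifyPresentationJWT } from "did-jwt-vc";
  var debug = Debug("sphereon:ssi-sdk:credential-jwt");
  var CredentialProviderJWT = class {
  static {
@@ -86,7 +86,7 @@ var CredentialProviderJWT = class {
  let verificationResult = {
  verified: false
  };
- let jwt = typeof credential === "string" ? credential : asArray(credential.proof)[0].jwt;
+ let jwt = typeof credential === "string" ? credential : asArray("proof" in credential ? credential.proof : [])?.[0]?.jwt;
  let errorCode, message;
  const resolver = {
  resolve: /* @__PURE__ */ __name((didUrl) => context.agent.resolveDid({
@@ -106,7 +106,7 @@ var CredentialProviderJWT = class {
  }
  });
  verifiedCredential = verificationResult.verifiableCredential;
- if (typeof credential !== "string" && asArray(credential.proof)[0].type === "JwtProof2020") {
+ if (typeof credential !== "string" && "proof" in credential && asArray(credential.proof)[0].type === "JwtProof2020") {
  const credentialCopy = JSON.parse(JSON.stringify(credential));
  delete credentialCopy.proof.jwt;
  const verifiedCopy = JSON.parse(JSON.stringify(verifiedCredential));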
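Review bot: On new line 89 a credential object with no `proof`, or with a first proof entry that carries no `jwt`, now leaves `jwt` as `undefined` instead of throwing, and nothing checks it before the verification call further down in `verifyCredential`. Judging from the embedded source in index.js.map, that value goes straight into `verifyCredentialJWT`, so the rejection and its `errorCode` depend on how did-jwt-vc handles a non-string token rather than on this provider. An explicit guard right after the assignment would keep the failure local and fail closed: `if (typeof jwt !== "string") return { verified: false, error: { message: "invalid_argument: credential has no JWT proof", errorCode: "invalid_argument" } };`. The comparison on new line 109 still reads `asArray(credential.proof)[0].type` without the optional chaining used on line 89, and the method body starts and ends outside these hunks.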
package/dist/index.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"sources":["../src/agent/CredentialProviderJWT.ts"],"sourcesContent":["import type { IAgentContext, IIdentifier, IKey, IKeyManager, IVerifyResult, VerifiableCredential, VerifierAgentContext } from '@veramo/core'\nimport {\n type ICanIssueCredentialTypeArgs,\n type ICanVerifyDocumentTypeArgs,\n type ICreateVerifiableCredentialLDArgs,\n type ICreateVerifiablePresentationLDArgs,\n type IVcdmCredentialProvider,\n type IVcdmIssuerAgentContext,\n IVerifyCredentialLDArgs,\n IVerifyPresentationLDArgs,\n pickSigningKey,\n preProcessCredentialPayload,\n preProcessPresentation,\n} from '@sphereon/ssi-sdk.credential-vcdm'\n\nimport canonicalize from 'canonicalize'\n\nimport {\n createVerifiableCredentialJwt,\n createVerifiablePresentationJwt,\n normalizeCredential,\n normalizePresentation,\n verifyCredential as verifyCredentialJWT,\n verifyPresentation as verifyPresentationJWT,\n // @ts-ignore\n} from 'did-jwt-vc'\n\nimport { type Resolvable } from 'did-resolver'\n\nimport { decodeJWT } from 'did-jwt'\n\nimport Debug from 'debug'\nimport { asArray, intersect, VerifiableCredentialSP, VerifiablePresentationSP } from '@sphereon/ssi-sdk.core'\nimport { isVcdm1Credential } from '@sphereon/ssi-types'\n\nconst debug = Debug('sphereon:ssi-sdk:credential-jwt')\n\n/**\n * A handler that implements the {@link IVcdmCredentialProvider} methods.\n *\n * @beta This API may change without a BREAKING CHANGE notice.\n */\nexport class CredentialProviderJWT implements IVcdmCredentialProvider {\n /** {@inheritdoc @veramo/credential-w3c#AbstractCredentialProvider.matchKeyForType} */\n matchKeyForType(key: IKey): boolean {\n return this.matchKeyForJWT(key)\n }\n\n /** {@inheritdoc @veramo/credential-w3c#AbstractCredentialProvider.getTypeProofFormat} */\n getTypeProofFormat(): string {\n return 'jwt'\n }\n\n /** {@inheritdoc @veramo/credential-w3c#AbstractCredentialProvider.canIssueCredentialType} */\n canIssueCredentialType(args: ICanIssueCredentialTypeArgs): boolean {\n return 
args.proofFormat === 'jwt'\n }\n\n /** {@inheritdoc @veramo/credential-w3c#AbstractCredentialProvider.canVerifyDocumentType */\n canVerifyDocumentType(args: ICanVerifyDocumentTypeArgs): boolean {\n const { document } = args\n const jwt = typeof document === 'string' ? document : (<VerifiableCredential>document)?.proof?.jwt\n if (!jwt) {\n return false\n }\n const { payload } = decodeJWT(jwt)\n if ('vc' in payload) {\n return isVcdm1Credential(payload.vc)\n } else if ('vp' in payload) {\n return isVcdm1Credential(payload.vp)\n }\n return false\n }\n\n /** {@inheritdoc @veramo/credential-w3c#AbstractCredentialProvider.createVerifiableCredential} */\n async createVerifiableCredential(args: ICreateVerifiableCredentialLDArgs, context: IVcdmIssuerAgentContext): Promise<VerifiableCredentialSP> {\n let { keyRef, removeOriginalFields, ...otherOptions } = args\n\n const { credential, issuer } = preProcessCredentialPayload(args)\n let identifier: IIdentifier\n try {\n identifier = await context.agent.didManagerGet({ did: issuer })\n } catch (e) {\n throw new Error(`invalid_argument: ${credential.issuer} must be a DID managed by this agent. 
${e}`)\n }\n\n const key = await pickSigningKey({ identifier, kmsKeyRef: keyRef }, context)\n\n debug('Signing VC with', identifier.did)\n let alg = 'ES256'\n if (key.type === 'Ed25519') {\n alg = 'EdDSA'\n } else if (key.type === 'Secp256k1') {\n alg = 'ES256K'\n }\n\n const signer = this.wrapSigner(context, key, alg)\n const jwt = await createVerifiableCredentialJwt(\n credential as any,\n { did: identifier.did, signer, alg, ...(key.meta.verificationMethod.id && { kid: key.meta.verificationMethod.id }) },\n { removeOriginalFields, ...otherOptions },\n )\n //FIXME: flagging this as a potential privacy leak.\n debug(jwt)\n return normalizeCredential(jwt)\n }\n\n /** {@inheritdoc ICredentialVerifier.verifyCredential} */\n async verifyCredential(args: IVerifyCredentialLDArgs, context: VerifierAgentContext): Promise<IVerifyResult> {\n let { credential, policies, ...otherOptions } = args\n let verifiedCredential: VerifiableCredential\n let verificationResult: IVerifyResult = { verified: false }\n let jwt: string = typeof credential === 'string' ? credential : asArray(credential.proof)[0].jwt\n let errorCode, message\n const resolver = {\n resolve: (didUrl: string) =>\n context.agent.resolveDid({\n didUrl,\n options: otherOptions?.resolutionOptions,\n }),\n } as Resolvable\n try {\n // needs broader credential as well to check equivalence with jwt\n verificationResult = await verifyCredentialJWT(jwt, resolver, {\n ...otherOptions,\n policies: {\n ...policies,\n nbf: policies?.nbf ?? policies?.issuanceDate,\n iat: policies?.iat ?? policies?.issuanceDate,\n exp: policies?.exp ?? policies?.expirationDate,\n aud: policies?.aud ?? 
policies?.audience,\n },\n })\n verifiedCredential = verificationResult.verifiableCredential\n\n // if credential was presented with other fields, make sure those fields match what's in the JWT\n if (typeof credential !== 'string' && asArray(credential.proof)[0].type === 'JwtProof2020') {\n const credentialCopy = JSON.parse(JSON.stringify(credential))\n delete credentialCopy.proof.jwt\n\n const verifiedCopy = JSON.parse(JSON.stringify(verifiedCredential))\n delete verifiedCopy.proof.jwt\n\n if (canonicalize(credentialCopy) !== canonicalize(verifiedCopy)) {\n verificationResult.verified = false\n verificationResult.error = new Error('invalid_credential: Credential JSON does not match JWT payload')\n }\n }\n } catch (e: any) {\n errorCode = e.errorCode\n message = e.message\n }\n if (verificationResult.verified) {\n return verificationResult\n }\n return {\n verified: false,\n error: {\n message,\n errorCode: errorCode ? errorCode : message?.split(':')[0],\n },\n }\n }\n\n /** {@inheritdoc @veramo/credential-w3c#AbstractCredentialProvider.createVerifiablePresentation} */\n async createVerifiablePresentation(args: ICreateVerifiablePresentationLDArgs, context: IVcdmIssuerAgentContext): Promise<VerifiablePresentationSP> {\n const { presentation, holder } = preProcessPresentation(args)\n let { domain, challenge, removeOriginalFields, keyRef, now, ...otherOptions } = args\n\n let identifier: IIdentifier\n try {\n identifier = await context.agent.didManagerGet({ did: holder })\n } catch (e) {\n throw new Error('invalid_argument: presentation.holder must be a DID managed by this agent')\n }\n const key = await pickSigningKey({ identifier, kmsKeyRef: keyRef }, context)\n\n debug('Signing VP with', identifier.did)\n let alg = 'ES256'\n if (key.type === 'Ed25519') {\n alg = 'EdDSA'\n } else if (key.type === 'Secp256k1') {\n alg = 'ES256K'\n }\n\n const signer = this.wrapSigner(context, key, alg)\n const jwt = await createVerifiablePresentationJwt(\n presentation as any,\n { 
did: identifier.did, signer, alg },\n { removeOriginalFields, challenge, domain, ...otherOptions },\n )\n //FIXME: flagging this as a potential privacy leak.\n debug(jwt)\n return normalizePresentation(jwt)\n }\n\n /** {@inheritdoc @veramo/credential-w3c#AbstractCredentialProvider.verifyPresentation} */\n async verifyPresentation(args: IVerifyPresentationLDArgs, context: VerifierAgentContext): Promise<IVerifyResult> {\n let { presentation, domain, challenge, fetchRemoteContexts, policies, ...otherOptions } = args\n let jwt: string\n if (typeof presentation === 'string') {\n jwt = presentation\n } else {\n jwt = asArray(presentation.proof)[0].jwt\n }\n const resolver = {\n resolve: (didUrl: string) =>\n context.agent.resolveDid({\n didUrl,\n options: otherOptions?.resolutionOptions,\n }),\n } as Resolvable\n\n let audience = domain\n if (!audience) {\n const { payload } = await decodeJWT(jwt)\n if (payload.aud) {\n // automatically add a managed DID as audience if one is found\n const intendedAudience = asArray(payload.aud)\n const managedDids = await context.agent.didManagerFind()\n const filtered = managedDids.filter((identifier) => intendedAudience.includes(identifier.did))\n if (filtered.length > 0) {\n audience = filtered[0].did\n }\n }\n }\n\n let message, errorCode\n try {\n const result = await verifyPresentationJWT(jwt, resolver, {\n challenge,\n domain,\n audience,\n policies: {\n ...policies,\n nbf: policies?.nbf ?? policies?.issuanceDate,\n iat: policies?.iat ?? policies?.issuanceDate,\n exp: policies?.exp ?? policies?.expirationDate,\n aud: policies?.aud ?? policies?.audience,\n },\n ...otherOptions,\n })\n if (result) {\n return {\n verified: true,\n verifiablePresentation: result,\n }\n }\n } catch (e: any) {\n message = e.message\n errorCode = e.errorCode\n }\n return {\n verified: false,\n error: {\n message,\n errorCode: errorCode ? 
errorCode : message?.split(':')[0],\n },\n }\n }\n\n /**\n * Checks if a key is suitable for signing JWT payloads.\n * @param key - the key to check\n * @param context - the Veramo agent context, unused here\n *\n * @beta\n */\n matchKeyForJWT(key: IKey): boolean {\n switch (key.type) {\n case 'Ed25519':\n case 'Secp256r1':\n return true\n case 'Secp256k1':\n return intersect(key.meta?.algorithms ?? [], ['ES256K', 'ES256K-R']).length > 0\n default:\n return false\n }\n }\n\n wrapSigner(context: IAgentContext<Pick<IKeyManager, 'keyManagerSign'>>, key: IKey, algorithm?: string) {\n return async (data: string | Uint8Array): Promise<string> => {\n const result = await context.agent.keyManagerSign({ keyRef: key.kid, data: <string>data, algorithm })\n return result\n }\n }\n}\n"],"mappings":";;;;AACA,SASEA,gBACAC,6BACAC,8BACK;AAEP,OAAOC,kBAAkB;AAEzB,SACEC,+BACAC,iCACAC,qBACAC,uBACAC,oBAAoBC,qBACpBC,sBAAsBC,6BAEjB;AAIP,SAASC,iBAAiB;AAE1B,OAAOC,WAAW;AAClB,SAASC,SAASC,iBAAmE;AACrF,SAASC,yBAAyB;AAElC,IAAMC,QAAQC,MAAM,iCAAA;AAOb,IAAMC,wBAAN,MAAMA;EAzCb,OAyCaA;;;;EAEXC,gBAAgBC,KAAoB;AAClC,WAAO,KAAKC,eAAeD,GAAAA;EAC7B;;EAGAE,qBAA6B;AAC3B,WAAO;EACT;;EAGAC,uBAAuBC,MAA4C;AACjE,WAAOA,KAAKC,gBAAgB;EAC9B;;EAGAC,sBAAsBF,MAA2C;AAC/D,UAAM,EAAEG,SAAQ,IAAKH;AACrB,UAAMI,MAAM,OAAOD,aAAa,WAAWA,WAAkCA,UAAWE,OAAOD;AAC/F,QAAI,CAACA,KAAK;AACR,aAAO;IACT;AACA,UAAM,EAAEE,QAAO,IAAKC,UAAUH,GAAAA;AAC9B,QAAI,QAAQE,SAAS;AACnB,aAAOE,kBAAkBF,QAAQG,EAAE;IACrC,WAAW,QAAQH,SAAS;AAC1B,aAAOE,kBAAkBF,QAAQI,EAAE;IACrC;AACA,WAAO;EACT;;EAGA,MAAMC,2BAA2BX,MAAyCY,SAAmE;AAC3I,QAAI,EAAEC,QAAQC,sBAAsB,GAAGC,aAAAA,IAAiBf;AAExD,UAAM,EAAEgB,YAAYC,OAAM,IAAKC,4BAA4BlB,IAAAA;AAC3D,QAAImB;AACJ,QAAI;AACFA,mBAAa,MAAMP,QAAQQ,MAAMC,cAAc;QAAEC,KAAKL;MAAO,CAAA;IAC/D,SAASM,GAAG;AACV,YAAM,IAAIC,MAAM,qBAAqBR,WAAWC,MAAM,yCAAyCM,CAAAA,EAAG;IACpG;AAEA,UAAM3B,MAAM,MAAM6B,eAAe;MAAEN;MAAYO,WAAWb;IAAO,GAAGD,OAAAA;AAEpEpB,UAAM,mBAAmB2B,WAAWG,GAAG;AACvC,QAAIK,MAAM;AACV,QAAI/B,IAAIgC,SAAS,WAAW;AAC1BD,YAAM;IACR,WAAW/B,IAAIgC,SAAS,aAAa;AACnCD,YAAM;
IACR;AAEA,UAAME,SAAS,KAAKC,WAAWlB,SAAShB,KAAK+B,GAAAA;AAC7C,UAAMvB,MAAM,MAAM2B,8BAChBf,YACA;MAAEM,KAAKH,WAAWG;MAAKO;MAAQF;MAAK,GAAI/B,IAAIoC,KAAKC,mBAAmBC,MAAM;QAAEC,KAAKvC,IAAIoC,KAAKC,mBAAmBC;MAAG;IAAG,GACnH;MAAEpB;MAAsB,GAAGC;IAAa,CAAA;AAG1CvB,UAAMY,GAAAA;AACN,WAAOgC,oBAAoBhC,GAAAA;EAC7B;;EAGA,MAAMiC,iBAAiBrC,MAA+BY,SAAuD;AAC3G,QAAI,EAAEI,YAAYsB,UAAU,GAAGvB,aAAAA,IAAiBf;AAChD,QAAIuC;AACJ,QAAIC,qBAAoC;MAAEC,UAAU;IAAM;AAC1D,QAAIrC,MAAc,OAAOY,eAAe,WAAWA,aAAa0B,QAAQ1B,WAAWX,KAAK,EAAE,CAAA,EAAGD;AAC7F,QAAIuC,WAAWC;AACf,UAAMC,WAAW;MACfC,SAAS,wBAACC,WACRnC,QAAQQ,MAAM4B,WAAW;QACvBD;QACAE,SAASlC,cAAcmC;MACzB,CAAA,GAJO;IAKX;AACA,QAAI;AAEFV,2BAAqB,MAAMW,oBAAoB/C,KAAKyC,UAAU;QAC5D,GAAG9B;QACHuB,UAAU;UACR,GAAGA;UACHc,KAAKd,UAAUc,OAAOd,UAAUe;UAChCC,KAAKhB,UAAUgB,OAAOhB,UAAUe;UAChCE,KAAKjB,UAAUiB,OAAOjB,UAAUkB;UAChCC,KAAKnB,UAAUmB,OAAOnB,UAAUoB;QAClC;MACF,CAAA;AACAnB,2BAAqBC,mBAAmBmB;AAGxC,UAAI,OAAO3C,eAAe,YAAY0B,QAAQ1B,WAAWX,KAAK,EAAE,CAAA,EAAGuB,SAAS,gBAAgB;AAC1F,cAAMgC,iBAAiBC,KAAKC,MAAMD,KAAKE,UAAU/C,UAAAA,CAAAA;AACjD,eAAO4C,eAAevD,MAAMD;AAE5B,cAAM4D,eAAeH,KAAKC,MAAMD,KAAKE,UAAUxB,kBAAAA,CAAAA;AAC/C,eAAOyB,aAAa3D,MAAMD;AAE1B,YAAI6D,aAAaL,cAAAA,MAAoBK,aAAaD,YAAAA,GAAe;AAC/DxB,6BAAmBC,WAAW;AAC9BD,6BAAmB0B,QAAQ,IAAI1C,MAAM,gEAAA;QACvC;MACF;IACF,SAASD,GAAQ;AACfoB,kBAAYpB,EAAEoB;AACdC,gBAAUrB,EAAEqB;IACd;AACA,QAAIJ,mBAAmBC,UAAU;AAC/B,aAAOD;IACT;AACA,WAAO;MACLC,UAAU;MACVyB,OAAO;QACLtB;QACAD,WAAWA,YAAYA,YAAYC,SAASuB,MAAM,GAAA,EAAK,CAAA;MACzD;IACF;EACF;;EAGA,MAAMC,6BAA6BpE,MAA2CY,SAAqE;AACjJ,UAAM,EAAEyD,cAAcC,OAAM,IAAKC,uBAAuBvE,IAAAA;AACxD,QAAI,EAAEwE,QAAQC,WAAW3D,sBAAsBD,QAAQ6D,KAAK,GAAG3D,aAAAA,IAAiBf;AAEhF,QAAImB;AACJ,QAAI;AACFA,mBAAa,MAAMP,QAAQQ,MAAMC,cAAc;QAAEC,KAAKgD;MAAO,CAAA;IAC/D,SAAS/C,GAAG;AACV,YAAM,IAAIC,MAAM,2EAAA;IAClB;AACA,UAAM5B,MAAM,MAAM6B,eAAe;MAAEN;MAAYO,WAAWb;IAAO,GAAGD,OAAAA;AAEpEpB,UAAM,mBAAmB2B,WAAWG,GAAG;AACvC,QAAIK,MAAM;AACV,QAAI/B,IAAIgC,SAAS,WAAW;AAC1BD,YAAM;IACR,WAAW/B,IAAIgC,SAAS,aAAa;AACnCD,YAAM;IACR;AAEA,UAAME,SAAS,KAAKC,WAAWlB,SAAShB,KAAK+B,GAAAA;AA
C7C,UAAMvB,MAAM,MAAMuE,gCAChBN,cACA;MAAE/C,KAAKH,WAAWG;MAAKO;MAAQF;IAAI,GACnC;MAAEb;MAAsB2D;MAAWD;MAAQ,GAAGzD;IAAa,CAAA;AAG7DvB,UAAMY,GAAAA;AACN,WAAOwE,sBAAsBxE,GAAAA;EAC/B;;EAGA,MAAMyE,mBAAmB7E,MAAiCY,SAAuD;AAC/G,QAAI,EAAEyD,cAAcG,QAAQC,WAAWK,qBAAqBxC,UAAU,GAAGvB,aAAAA,IAAiBf;AAC1F,QAAII;AACJ,QAAI,OAAOiE,iBAAiB,UAAU;AACpCjE,YAAMiE;IACR,OAAO;AACLjE,YAAMsC,QAAQ2B,aAAahE,KAAK,EAAE,CAAA,EAAGD;IACvC;AACA,UAAMyC,WAAW;MACfC,SAAS,wBAACC,WACRnC,QAAQQ,MAAM4B,WAAW;QACvBD;QACAE,SAASlC,cAAcmC;MACzB,CAAA,GAJO;IAKX;AAEA,QAAIQ,WAAWc;AACf,QAAI,CAACd,UAAU;AACb,YAAM,EAAEpD,QAAO,IAAK,MAAMC,UAAUH,GAAAA;AACpC,UAAIE,QAAQmD,KAAK;AAEf,cAAMsB,mBAAmBrC,QAAQpC,QAAQmD,GAAG;AAC5C,cAAMuB,cAAc,MAAMpE,QAAQQ,MAAM6D,eAAc;AACtD,cAAMC,WAAWF,YAAYG,OAAO,CAAChE,eAAe4D,iBAAiBK,SAASjE,WAAWG,GAAG,CAAA;AAC5F,YAAI4D,SAASG,SAAS,GAAG;AACvB3B,qBAAWwB,SAAS,CAAA,EAAG5D;QACzB;MACF;IACF;AAEA,QAAIsB,SAASD;AACb,QAAI;AACF,YAAM2C,SAAS,MAAMC,sBAAsBnF,KAAKyC,UAAU;QACxD4B;QACAD;QACAd;QACApB,UAAU;UACR,GAAGA;UACHc,KAAKd,UAAUc,OAAOd,UAAUe;UAChCC,KAAKhB,UAAUgB,OAAOhB,UAAUe;UAChCE,KAAKjB,UAAUiB,OAAOjB,UAAUkB;UAChCC,KAAKnB,UAAUmB,OAAOnB,UAAUoB;QAClC;QACA,GAAG3C;MACL,CAAA;AACA,UAAIuE,QAAQ;AACV,eAAO;UACL7C,UAAU;UACV+C,wBAAwBF;QAC1B;MACF;IACF,SAAS/D,GAAQ;AACfqB,gBAAUrB,EAAEqB;AACZD,kBAAYpB,EAAEoB;IAChB;AACA,WAAO;MACLF,UAAU;MACVyB,OAAO;QACLtB;QACAD,WAAWA,YAAYA,YAAYC,SAASuB,MAAM,GAAA,EAAK,CAAA;MACzD;IACF;EACF;;;;;;;;EASAtE,eAAeD,KAAoB;AACjC,YAAQA,IAAIgC,MAAI;MACd,KAAK;MACL,KAAK;AACH,eAAO;MACT,KAAK;AACH,eAAO6D,UAAU7F,IAAIoC,MAAM0D,cAAc,CAAA,GAAI;UAAC;UAAU;SAAW,EAAEL,SAAS;MAChF;AACE,eAAO;IACX;EACF;EAEAvD,WAAWlB,SAA6DhB,KAAW+F,WAAoB;AACrG,WAAO,OAAOC,SAAAA;AACZ,YAAMN,SAAS,MAAM1E,QAAQQ,MAAMyE,eAAe;QAAEhF,QAAQjB,IAAIuC;QAAKyD;QAAoBD;MAAU,CAAA;AACnG,aAAOL;IACT;EACF;AACF;","names":["pickSigningKey","preProcessCredentialPayload","preProcessPresentation","canonicalize","createVerifiableCredentialJwt","createVerifiablePresentationJwt","normalizeCredential","normalizePresentation","verifyCredential","verifyCredentialJWT","verifyPresentation","ve
rifyPresentationJWT","decodeJWT","Debug","asArray","intersect","isVcdm1Credential","debug","Debug","CredentialProviderJWT","matchKeyForType","key","matchKeyForJWT","getTypeProofFormat","canIssueCredentialType","args","proofFormat","canVerifyDocumentType","document","jwt","proof","payload","decodeJWT","isVcdm1Credential","vc","vp","createVerifiableCredential","context","keyRef","removeOriginalFields","otherOptions","credential","issuer","preProcessCredentialPayload","identifier","agent","didManagerGet","did","e","Error","pickSigningKey","kmsKeyRef","alg","type","signer","wrapSigner","createVerifiableCredentialJwt","meta","verificationMethod","id","kid","normalizeCredential","verifyCredential","policies","verifiedCredential","verificationResult","verified","asArray","errorCode","message","resolver","resolve","didUrl","resolveDid","options","resolutionOptions","verifyCredentialJWT","nbf","issuanceDate","iat","exp","expirationDate","aud","audience","verifiableCredential","credentialCopy","JSON","parse","stringify","verifiedCopy","canonicalize","error","split","createVerifiablePresentation","presentation","holder","preProcessPresentation","domain","challenge","now","createVerifiablePresentationJwt","normalizePresentation","verifyPresentation","fetchRemoteContexts","intendedAudience","managedDids","didManagerFind","filtered","filter","includes","length","result","verifyPresentationJWT","verifiablePresentation","intersect","algorithms","algorithm","data","keyManagerSign"]}
1
+ {"version":3,"sources":["../src/agent/CredentialProviderJWT.ts"],"sourcesContent":["import { asArray, intersect, VerifiableCredentialSP, VerifiablePresentationSP } from '@sphereon/ssi-sdk.core'\nimport {\n type ICanIssueCredentialTypeArgs,\n type ICanVerifyDocumentTypeArgs,\n type ICreateVerifiableCredentialLDArgs,\n type ICreateVerifiablePresentationLDArgs,\n type IVcdmCredentialProvider,\n type IVcdmIssuerAgentContext,\n IVerifyCredentialVcdmArgs,\n IVerifyPresentationLDArgs,\n pickSigningKey,\n preProcessCredentialPayload,\n preProcessPresentation\n} from '@sphereon/ssi-sdk.credential-vcdm'\nimport { isVcdm1Credential, IVerifyResult } from '@sphereon/ssi-types'\nimport type {\n IAgentContext,\n IIdentifier,\n IKey,\n IKeyManager,\n VerifiableCredential,\n VerifierAgentContext\n} from '@veramo/core'\n\nimport canonicalize from 'canonicalize'\n\nimport Debug from 'debug'\n\nimport { decodeJWT } from 'did-jwt'\n\n\nimport {\n createVerifiableCredentialJwt,\n createVerifiablePresentationJwt,\n normalizeCredential,\n normalizePresentation,\n verifyCredential as verifyCredentialJWT,\n verifyPresentation as verifyPresentationJWT\n // @ts-ignore\n} from 'did-jwt-vc'\n\nimport { type Resolvable } from 'did-resolver'\n\nconst debug = Debug('sphereon:ssi-sdk:credential-jwt')\n\n/**\n * A handler that implements the {@link IVcdmCredentialProvider} methods.\n *\n * @beta This API may change without a BREAKING CHANGE notice.\n */\nexport class CredentialProviderJWT implements IVcdmCredentialProvider {\n /** {@inheritdoc @veramo/credential-w3c#AbstractCredentialProvider.matchKeyForType} */\n matchKeyForType(key: IKey): boolean {\n return this.matchKeyForJWT(key)\n }\n\n /** {@inheritdoc @veramo/credential-w3c#AbstractCredentialProvider.getTypeProofFormat} */\n getTypeProofFormat(): string {\n return 'jwt'\n }\n\n /** {@inheritdoc @veramo/credential-w3c#AbstractCredentialProvider.canIssueCredentialType} */\n canIssueCredentialType(args: ICanIssueCredentialTypeArgs): boolean 
{\n return args.proofFormat === 'jwt'\n }\n\n /** {@inheritdoc @veramo/credential-w3c#AbstractCredentialProvider.canVerifyDocumentType */\n canVerifyDocumentType(args: ICanVerifyDocumentTypeArgs): boolean {\n const { document } = args\n const jwt = typeof document === 'string' ? document : (<VerifiableCredential>document)?.proof?.jwt\n if (!jwt) {\n return false\n }\n const { payload } = decodeJWT(jwt)\n if ('vc' in payload) {\n return isVcdm1Credential(payload.vc)\n } else if ('vp' in payload) {\n return isVcdm1Credential(payload.vp)\n }\n return false\n }\n\n /** {@inheritdoc @veramo/credential-w3c#AbstractCredentialProvider.createVerifiableCredential} */\n async createVerifiableCredential(args: ICreateVerifiableCredentialLDArgs, context: IVcdmIssuerAgentContext): Promise<VerifiableCredentialSP> {\n let { keyRef, removeOriginalFields, ...otherOptions } = args\n\n const { credential, issuer } = preProcessCredentialPayload(args)\n let identifier: IIdentifier\n try {\n identifier = await context.agent.didManagerGet({ did: issuer })\n } catch (e) {\n throw new Error(`invalid_argument: ${credential.issuer} must be a DID managed by this agent. 
${e}`)\n }\n\n const key = await pickSigningKey({ identifier, kmsKeyRef: keyRef }, context)\n\n debug('Signing VC with', identifier.did)\n let alg = 'ES256'\n if (key.type === 'Ed25519') {\n alg = 'EdDSA'\n } else if (key.type === 'Secp256k1') {\n alg = 'ES256K'\n }\n\n const signer = this.wrapSigner(context, key, alg)\n const jwt = await createVerifiableCredentialJwt(\n credential as any,\n {\n did: identifier.did,\n signer,\n alg, ...(key.meta.verificationMethod.id && { kid: key.meta.verificationMethod.id })\n },\n { removeOriginalFields, ...otherOptions }\n )\n //FIXME: flagging this as a potential privacy leak.\n debug(jwt)\n return normalizeCredential(jwt)\n }\n\n /** {@inheritdoc ICredentialVerifier.verifyCredential} */\n async verifyCredential(args: IVerifyCredentialVcdmArgs, context: VerifierAgentContext): Promise<IVerifyResult> {\n let { credential, policies, ...otherOptions } = args\n let verifiedCredential: VerifiableCredential\n let verificationResult: IVerifyResult = { verified: false }\n let jwt: string = typeof credential === 'string' ? credential : asArray('proof' in credential ? credential.proof : [])?.[0]?.jwt\n let errorCode, message\n const resolver = {\n resolve: (didUrl: string) =>\n context.agent.resolveDid({\n didUrl,\n options: otherOptions?.resolutionOptions\n })\n } as Resolvable\n try {\n // needs broader credential as well to check equivalence with jwt\n verificationResult = await verifyCredentialJWT(jwt, resolver, {\n ...otherOptions,\n policies: {\n ...policies,\n nbf: policies?.nbf ?? policies?.issuanceDate,\n iat: policies?.iat ?? policies?.issuanceDate,\n exp: policies?.exp ?? policies?.expirationDate,\n aud: policies?.aud ?? 
policies?.audience\n }\n })\n verifiedCredential = verificationResult.verifiableCredential\n\n // if credential was presented with other fields, make sure those fields match what's in the JWT\n if (typeof credential !== 'string' && 'proof' in credential && asArray(credential.proof)[0].type === 'JwtProof2020') {\n const credentialCopy = JSON.parse(JSON.stringify(credential))\n delete credentialCopy.proof.jwt\n\n const verifiedCopy = JSON.parse(JSON.stringify(verifiedCredential))\n delete verifiedCopy.proof.jwt\n\n if (canonicalize(credentialCopy) !== canonicalize(verifiedCopy)) {\n verificationResult.verified = false\n verificationResult.error = new Error('invalid_credential: Credential JSON does not match JWT payload')\n }\n }\n } catch (e: any) {\n errorCode = e.errorCode\n message = e.message\n }\n if (verificationResult.verified) {\n return verificationResult\n }\n return {\n verified: false,\n error: {\n message,\n errorCode: errorCode ? errorCode : message?.split(':')[0]\n }\n }\n }\n\n /** {@inheritdoc @veramo/credential-w3c#AbstractCredentialProvider.createVerifiablePresentation} */\n async createVerifiablePresentation(args: ICreateVerifiablePresentationLDArgs, context: IVcdmIssuerAgentContext): Promise<VerifiablePresentationSP> {\n const { presentation, holder } = preProcessPresentation(args)\n let { domain, challenge, removeOriginalFields, keyRef, now, ...otherOptions } = args\n\n let identifier: IIdentifier\n try {\n identifier = await context.agent.didManagerGet({ did: holder })\n } catch (e) {\n throw new Error('invalid_argument: presentation.holder must be a DID managed by this agent')\n }\n const key = await pickSigningKey({ identifier, kmsKeyRef: keyRef }, context)\n\n debug('Signing VP with', identifier.did)\n let alg = 'ES256'\n if (key.type === 'Ed25519') {\n alg = 'EdDSA'\n } else if (key.type === 'Secp256k1') {\n alg = 'ES256K'\n }\n\n const signer = this.wrapSigner(context, key, alg)\n const jwt = await createVerifiablePresentationJwt(\n 
presentation as any,\n { did: identifier.did, signer, alg },\n { removeOriginalFields, challenge, domain, ...otherOptions }\n )\n //FIXME: flagging this as a potential privacy leak.\n debug(jwt)\n return normalizePresentation(jwt)\n }\n\n /** {@inheritdoc @veramo/credential-w3c#AbstractCredentialProvider.verifyPresentation} */\n async verifyPresentation(args: IVerifyPresentationLDArgs, context: VerifierAgentContext): Promise<IVerifyResult> {\n let { presentation, domain, challenge, fetchRemoteContexts, policies, ...otherOptions } = args\n let jwt: string\n if (typeof presentation === 'string') {\n jwt = presentation\n } else {\n jwt = asArray(presentation.proof)[0].jwt\n }\n const resolver = {\n resolve: (didUrl: string) =>\n context.agent.resolveDid({\n didUrl,\n options: otherOptions?.resolutionOptions\n })\n } as Resolvable\n\n let audience = domain\n if (!audience) {\n const { payload } = await decodeJWT(jwt)\n if (payload.aud) {\n // automatically add a managed DID as audience if one is found\n const intendedAudience = asArray(payload.aud)\n const managedDids = await context.agent.didManagerFind()\n const filtered = managedDids.filter((identifier) => intendedAudience.includes(identifier.did))\n if (filtered.length > 0) {\n audience = filtered[0].did\n }\n }\n }\n\n let message, errorCode\n try {\n const result = await verifyPresentationJWT(jwt, resolver, {\n challenge,\n domain,\n audience,\n policies: {\n ...policies,\n nbf: policies?.nbf ?? policies?.issuanceDate,\n iat: policies?.iat ?? policies?.issuanceDate,\n exp: policies?.exp ?? policies?.expirationDate,\n aud: policies?.aud ?? policies?.audience\n },\n ...otherOptions\n })\n if (result) {\n return {\n verified: true,\n verifiablePresentation: result\n }\n }\n } catch (e: any) {\n message = e.message\n errorCode = e.errorCode\n }\n return {\n verified: false,\n error: {\n message,\n errorCode: errorCode ? 
errorCode : message?.split(':')[0]\n }\n }\n }\n\n /**\n * Checks if a key is suitable for signing JWT payloads.\n * @param key - the key to check\n * @param context - the Veramo agent context, unused here\n *\n * @beta\n */\n matchKeyForJWT(key: IKey): boolean {\n switch (key.type) {\n case 'Ed25519':\n case 'Secp256r1':\n return true\n case 'Secp256k1':\n return intersect(key.meta?.algorithms ?? [], ['ES256K', 'ES256K-R']).length > 0\n default:\n return false\n }\n }\n\n wrapSigner(context: IAgentContext<Pick<IKeyManager, 'keyManagerSign'>>, key: IKey, algorithm?: string) {\n return async (data: string | Uint8Array): Promise<string> => {\n const result = await context.agent.keyManagerSign({ keyRef: key.kid, data: <string>data, algorithm })\n return result\n }\n }\n}\n"],"mappings":";;;;AAAA,SAASA,SAASC,iBAAmE;AACrF,SASEC,gBACAC,6BACAC,8BACK;AACP,SAASC,yBAAwC;AAUjD,OAAOC,kBAAkB;AAEzB,OAAOC,WAAW;AAElB,SAASC,iBAAiB;AAG1B,SACEC,+BACAC,iCACAC,qBACAC,uBACAC,oBAAoBC,qBACpBC,sBAAsBC,6BAEjB;AAIP,IAAMC,QAAQC,MAAM,iCAAA;AAOb,IAAMC,wBAAN,MAAMA;EAlDb,OAkDaA;;;;EAEXC,gBAAgBC,KAAoB;AAClC,WAAO,KAAKC,eAAeD,GAAAA;EAC7B;;EAGAE,qBAA6B;AAC3B,WAAO;EACT;;EAGAC,uBAAuBC,MAA4C;AACjE,WAAOA,KAAKC,gBAAgB;EAC9B;;EAGAC,sBAAsBF,MAA2C;AAC/D,UAAM,EAAEG,SAAQ,IAAKH;AACrB,UAAMI,MAAM,OAAOD,aAAa,WAAWA,WAAkCA,UAAWE,OAAOD;AAC/F,QAAI,CAACA,KAAK;AACR,aAAO;IACT;AACA,UAAM,EAAEE,QAAO,IAAKC,UAAUH,GAAAA;AAC9B,QAAI,QAAQE,SAAS;AACnB,aAAOE,kBAAkBF,QAAQG,EAAE;IACrC,WAAW,QAAQH,SAAS;AAC1B,aAAOE,kBAAkBF,QAAQI,EAAE;IACrC;AACA,WAAO;EACT;;EAGA,MAAMC,2BAA2BX,MAAyCY,SAAmE;AAC3I,QAAI,EAAEC,QAAQC,sBAAsB,GAAGC,aAAAA,IAAiBf;AAExD,UAAM,EAAEgB,YAAYC,OAAM,IAAKC,4BAA4BlB,IAAAA;AAC3D,QAAImB;AACJ,QAAI;AACFA,mBAAa,MAAMP,QAAQQ,MAAMC,cAAc;QAAEC,KAAKL;MAAO,CAAA;IAC/D,SAASM,GAAG;AACV,YAAM,IAAIC,MAAM,qBAAqBR,WAAWC,MAAM,yCAAyCM,CAAAA,EAAG;IACpG;AAEA,UAAM3B,MAAM,MAAM6B,eAAe;MAAEN;MAAYO,WAAWb;IAAO,GAAGD,OAAAA;AAEpEpB,UAAM,mBAAmB2B,WAAWG,GAAG;AACvC,QAAIK,MAAM;AACV,QAAI/B,IAAIgC,SAAS,WAAW;AAC1BD,YAAM;IACR,WAAW/B,IAAIgC,SAAS,aAAa;AACnCD,YAAM;IA
CR;AAEA,UAAME,SAAS,KAAKC,WAAWlB,SAAShB,KAAK+B,GAAAA;AAC7C,UAAMvB,MAAM,MAAM2B,8BAChBf,YACA;MACEM,KAAKH,WAAWG;MAChBO;MACAF;MAAK,GAAI/B,IAAIoC,KAAKC,mBAAmBC,MAAM;QAAEC,KAAKvC,IAAIoC,KAAKC,mBAAmBC;MAAG;IACnF,GACA;MAAEpB;MAAsB,GAAGC;IAAa,CAAA;AAG1CvB,UAAMY,GAAAA;AACN,WAAOgC,oBAAoBhC,GAAAA;EAC7B;;EAGA,MAAMiC,iBAAiBrC,MAAiCY,SAAuD;AAC7G,QAAI,EAAEI,YAAYsB,UAAU,GAAGvB,aAAAA,IAAiBf;AAChD,QAAIuC;AACJ,QAAIC,qBAAoC;MAAEC,UAAU;IAAM;AAC1D,QAAIrC,MAAc,OAAOY,eAAe,WAAWA,aAAa0B,QAAQ,WAAW1B,aAAaA,WAAWX,QAAQ,CAAA,CAAE,IAAI,CAAA,GAAID;AAC7H,QAAIuC,WAAWC;AACf,UAAMC,WAAW;MACfC,SAAS,wBAACC,WACRnC,QAAQQ,MAAM4B,WAAW;QACvBD;QACAE,SAASlC,cAAcmC;MACzB,CAAA,GAJO;IAKX;AACA,QAAI;AAEFV,2BAAqB,MAAMW,oBAAoB/C,KAAKyC,UAAU;QAC5D,GAAG9B;QACHuB,UAAU;UACR,GAAGA;UACHc,KAAKd,UAAUc,OAAOd,UAAUe;UAChCC,KAAKhB,UAAUgB,OAAOhB,UAAUe;UAChCE,KAAKjB,UAAUiB,OAAOjB,UAAUkB;UAChCC,KAAKnB,UAAUmB,OAAOnB,UAAUoB;QAClC;MACF,CAAA;AACAnB,2BAAqBC,mBAAmBmB;AAGxC,UAAI,OAAO3C,eAAe,YAAY,WAAWA,cAAc0B,QAAQ1B,WAAWX,KAAK,EAAE,CAAA,EAAGuB,SAAS,gBAAgB;AACnH,cAAMgC,iBAAiBC,KAAKC,MAAMD,KAAKE,UAAU/C,UAAAA,CAAAA;AACjD,eAAO4C,eAAevD,MAAMD;AAE5B,cAAM4D,eAAeH,KAAKC,MAAMD,KAAKE,UAAUxB,kBAAAA,CAAAA;AAC/C,eAAOyB,aAAa3D,MAAMD;AAE1B,YAAI6D,aAAaL,cAAAA,MAAoBK,aAAaD,YAAAA,GAAe;AAC/DxB,6BAAmBC,WAAW;AAC9BD,6BAAmB0B,QAAQ,IAAI1C,MAAM,gEAAA;QACvC;MACF;IACF,SAASD,GAAQ;AACfoB,kBAAYpB,EAAEoB;AACdC,gBAAUrB,EAAEqB;IACd;AACA,QAAIJ,mBAAmBC,UAAU;AAC/B,aAAOD;IACT;AACA,WAAO;MACLC,UAAU;MACVyB,OAAO;QACLtB;QACAD,WAAWA,YAAYA,YAAYC,SAASuB,MAAM,GAAA,EAAK,CAAA;MACzD;IACF;EACF;;EAGA,MAAMC,6BAA6BpE,MAA2CY,SAAqE;AACjJ,UAAM,EAAEyD,cAAcC,OAAM,IAAKC,uBAAuBvE,IAAAA;AACxD,QAAI,EAAEwE,QAAQC,WAAW3D,sBAAsBD,QAAQ6D,KAAK,GAAG3D,aAAAA,IAAiBf;AAEhF,QAAImB;AACJ,QAAI;AACFA,mBAAa,MAAMP,QAAQQ,MAAMC,cAAc;QAAEC,KAAKgD;MAAO,CAAA;IAC/D,SAAS/C,GAAG;AACV,YAAM,IAAIC,MAAM,2EAAA;IAClB;AACA,UAAM5B,MAAM,MAAM6B,eAAe;MAAEN;MAAYO,WAAWb;IAAO,GAAGD,OAAAA;AAEpEpB,UAAM,mBAAmB2B,WAAWG,GAAG;AACvC,QAAIK,MAAM;AACV,QAAI/B,IAAIgC,SAAS,WAAW;AAC1BD,YAAM;IACR,WAAW/B,IAAIgC,SAAS,aAAa;AACnCD,YAAM;IACR;AAEA,UAAME,SAAS,KAAK
C,WAAWlB,SAAShB,KAAK+B,GAAAA;AAC7C,UAAMvB,MAAM,MAAMuE,gCAChBN,cACA;MAAE/C,KAAKH,WAAWG;MAAKO;MAAQF;IAAI,GACnC;MAAEb;MAAsB2D;MAAWD;MAAQ,GAAGzD;IAAa,CAAA;AAG7DvB,UAAMY,GAAAA;AACN,WAAOwE,sBAAsBxE,GAAAA;EAC/B;;EAGA,MAAMyE,mBAAmB7E,MAAiCY,SAAuD;AAC/G,QAAI,EAAEyD,cAAcG,QAAQC,WAAWK,qBAAqBxC,UAAU,GAAGvB,aAAAA,IAAiBf;AAC1F,QAAII;AACJ,QAAI,OAAOiE,iBAAiB,UAAU;AACpCjE,YAAMiE;IACR,OAAO;AACLjE,YAAMsC,QAAQ2B,aAAahE,KAAK,EAAE,CAAA,EAAGD;IACvC;AACA,UAAMyC,WAAW;MACfC,SAAS,wBAACC,WACRnC,QAAQQ,MAAM4B,WAAW;QACvBD;QACAE,SAASlC,cAAcmC;MACzB,CAAA,GAJO;IAKX;AAEA,QAAIQ,WAAWc;AACf,QAAI,CAACd,UAAU;AACb,YAAM,EAAEpD,QAAO,IAAK,MAAMC,UAAUH,GAAAA;AACpC,UAAIE,QAAQmD,KAAK;AAEf,cAAMsB,mBAAmBrC,QAAQpC,QAAQmD,GAAG;AAC5C,cAAMuB,cAAc,MAAMpE,QAAQQ,MAAM6D,eAAc;AACtD,cAAMC,WAAWF,YAAYG,OAAO,CAAChE,eAAe4D,iBAAiBK,SAASjE,WAAWG,GAAG,CAAA;AAC5F,YAAI4D,SAASG,SAAS,GAAG;AACvB3B,qBAAWwB,SAAS,CAAA,EAAG5D;QACzB;MACF;IACF;AAEA,QAAIsB,SAASD;AACb,QAAI;AACF,YAAM2C,SAAS,MAAMC,sBAAsBnF,KAAKyC,UAAU;QACxD4B;QACAD;QACAd;QACApB,UAAU;UACR,GAAGA;UACHc,KAAKd,UAAUc,OAAOd,UAAUe;UAChCC,KAAKhB,UAAUgB,OAAOhB,UAAUe;UAChCE,KAAKjB,UAAUiB,OAAOjB,UAAUkB;UAChCC,KAAKnB,UAAUmB,OAAOnB,UAAUoB;QAClC;QACA,GAAG3C;MACL,CAAA;AACA,UAAIuE,QAAQ;AACV,eAAO;UACL7C,UAAU;UACV+C,wBAAwBF;QAC1B;MACF;IACF,SAAS/D,GAAQ;AACfqB,gBAAUrB,EAAEqB;AACZD,kBAAYpB,EAAEoB;IAChB;AACA,WAAO;MACLF,UAAU;MACVyB,OAAO;QACLtB;QACAD,WAAWA,YAAYA,YAAYC,SAASuB,MAAM,GAAA,EAAK,CAAA;MACzD;IACF;EACF;;;;;;;;EASAtE,eAAeD,KAAoB;AACjC,YAAQA,IAAIgC,MAAI;MACd,KAAK;MACL,KAAK;AACH,eAAO;MACT,KAAK;AACH,eAAO6D,UAAU7F,IAAIoC,MAAM0D,cAAc,CAAA,GAAI;UAAC;UAAU;SAAW,EAAEL,SAAS;MAChF;AACE,eAAO;IACX;EACF;EAEAvD,WAAWlB,SAA6DhB,KAAW+F,WAAoB;AACrG,WAAO,OAAOC,SAAAA;AACZ,YAAMN,SAAS,MAAM1E,QAAQQ,MAAMyE,eAAe;QAAEhF,QAAQjB,IAAIuC;QAAKyD;QAAoBD;MAAU,CAAA;AACnG,aAAOL;IACT;EACF;AACF;","names":["asArray","intersect","pickSigningKey","preProcessCredentialPayload","preProcessPresentation","isVcdm1Credential","canonicalize","Debug","decodeJWT","createVerifiableCredentialJwt","createVerifiablePresentationJwt","normalizeCredenti
al","normalizePresentation","verifyCredential","verifyCredentialJWT","verifyPresentation","verifyPresentationJWT","debug","Debug","CredentialProviderJWT","matchKeyForType","key","matchKeyForJWT","getTypeProofFormat","canIssueCredentialType","args","proofFormat","canVerifyDocumentType","document","jwt","proof","payload","decodeJWT","isVcdm1Credential","vc","vp","createVerifiableCredential","context","keyRef","removeOriginalFields","otherOptions","credential","issuer","preProcessCredentialPayload","identifier","agent","didManagerGet","did","e","Error","pickSigningKey","kmsKeyRef","alg","type","signer","wrapSigner","createVerifiableCredentialJwt","meta","verificationMethod","id","kid","normalizeCredential","verifyCredential","policies","verifiedCredential","verificationResult","verified","asArray","errorCode","message","resolver","resolve","didUrl","resolveDid","options","resolutionOptions","verifyCredentialJWT","nbf","issuanceDate","iat","exp","expirationDate","aud","audience","verifiableCredential","credentialCopy","JSON","parse","stringify","verifiedCopy","canonicalize","error","split","createVerifiablePresentation","presentation","holder","preProcessPresentation","domain","challenge","now","createVerifiablePresentationJwt","normalizePresentation","verifyPresentation","fetchRemoteContexts","intendedAudience","managedDids","didManagerFind","filtered","filter","includes","length","result","verifyPresentationJWT","verifiablePresentation","intersect","algorithms","algorithm","data","keyManagerSign"]}
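--- a/package/package.json
+++ b/package/package.json
@@ -1,7 +1,7 @@
  {
  "name": "@sphereon/ssi-sdk.credential-vcdm1-jwt-provider",
  "description": "Plugin for working with JWT Verifiable Credentials & Presentations.",
- "version": "0.33.1-next.68+b6c8b366",
+ "version": "0.34.0",
  "source": "src/index.ts",
  "type": "module",
  "main": "./dist/index.cjs",
@@ -22,9 +22,9 @@
  "build": "tsup --config ../../tsup.config.ts --tsconfig ../../tsconfig.tsup.json"
  },
  "dependencies": {
- "@sphereon/ssi-sdk.core": "0.33.1-next.68+b6c8b366",
- "@sphereon/ssi-sdk.credential-vcdm": "0.33.1-next.68+b6c8b366",
- "@sphereon/ssi-types": "0.33.1-next.68+b6c8b366",
+ "@sphereon/ssi-sdk.core": "0.34.0",
+ "@sphereon/ssi-sdk.credential-vcdm": "0.34.0",
+ "@sphereon/ssi-types": "0.34.0",
  "@veramo/core": "4.2.0",
  "@veramo/utils": "4.2.0",
  "canonicalize": "^2.0.0",
@@ -33,10 +33,10 @@
  "did-resolver": "^4.1.0"
  },
  "devDependencies": {
- "@sphereon/ssi-sdk-ext.did-provider-key": "0.28.1-next.53",
- "@sphereon/ssi-sdk-ext.key-manager": "0.28.1-next.53",
- "@sphereon/ssi-sdk-ext.kms-local": "0.28.1-next.53",
- "@sphereon/ssi-sdk.agent-config": "0.33.1-next.68+b6c8b366",
+ "@sphereon/ssi-sdk-ext.did-provider-key": "0.29.0",
+ "@sphereon/ssi-sdk-ext.key-manager": "0.29.0",
+ "@sphereon/ssi-sdk-ext.kms-local": "0.29.0",
+ "@sphereon/ssi-sdk.agent-config": "0.34.0",
  "@types/debug": "4.1.8",
  "@veramo/did-manager": "4.2.0",
  "@veramo/did-provider-ethr": "4.2.0",
@@ -73,5 +73,5 @@
  "node_modules",
  "src"
  ],
- "gitHead": "b6c8b36636fa3777494f55860d6a75f2e5a5611e"
+ "gitHead": "b1c9c5e91a9ce4bc677ff2cce5f2d520a16b366d"
  }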
@@ -1,4 +1,4 @@
1
- import type { IAgentContext, IIdentifier, IKey, IKeyManager, IVerifyResult, VerifiableCredential, VerifierAgentContext } from '@veramo/core'
1
+ import { asArray, intersect, VerifiableCredentialSP, VerifiablePresentationSP } from '@sphereon/ssi-sdk.core'
2
2
  import {
3
3
  type ICanIssueCredentialTypeArgs,
4
4
  type ICanVerifyDocumentTypeArgs,
@@ -6,33 +6,41 @@ import {
6
6
  type ICreateVerifiablePresentationLDArgs,
7
7
  type IVcdmCredentialProvider,
8
8
  type IVcdmIssuerAgentContext,
9
- IVerifyCredentialLDArgs,
9
+ IVerifyCredentialVcdmArgs,
10
10
  IVerifyPresentationLDArgs,
11
11
  pickSigningKey,
12
12
  preProcessCredentialPayload,
13
- preProcessPresentation,
13
+ preProcessPresentation
14
14
  } from '@sphereon/ssi-sdk.credential-vcdm'
15
+ import { isVcdm1Credential, IVerifyResult } from '@sphereon/ssi-types'
16
+ import type {
17
+ IAgentContext,
18
+ IIdentifier,
19
+ IKey,
20
+ IKeyManager,
21
+ VerifiableCredential,
22
+ VerifierAgentContext
23
+ } from '@veramo/core'
15
24
 
16
25
  import canonicalize from 'canonicalize'
17
26
 
27
+ import Debug from 'debug'
28
+
29
+ import { decodeJWT } from 'did-jwt'
30
+
31
+
18
32
  import {
19
33
  createVerifiableCredentialJwt,
20
34
  createVerifiablePresentationJwt,
21
35
  normalizeCredential,
22
36
  normalizePresentation,
23
37
  verifyCredential as verifyCredentialJWT,
24
- verifyPresentation as verifyPresentationJWT,
38
+ verifyPresentation as verifyPresentationJWT
25
39
  // @ts-ignore
26
40
  } from 'did-jwt-vc'
27
41
 
28
42
  import { type Resolvable } from 'did-resolver'
29
43
 
30
- import { decodeJWT } from 'did-jwt'
31
-
32
- import Debug from 'debug'
33
- import { asArray, intersect, VerifiableCredentialSP, VerifiablePresentationSP } from '@sphereon/ssi-sdk.core'
34
- import { isVcdm1Credential } from '@sphereon/ssi-types'
35
-
36
44
  const debug = Debug('sphereon:ssi-sdk:credential-jwt')
37
45
 
38
46
  /**
@@ -97,8 +105,12 @@ export class CredentialProviderJWT implements IVcdmCredentialProvider {
97
105
  const signer = this.wrapSigner(context, key, alg)
98
106
  const jwt = await createVerifiableCredentialJwt(
99
107
  credential as any,
100
- { did: identifier.did, signer, alg, ...(key.meta.verificationMethod.id && { kid: key.meta.verificationMethod.id }) },
101
- { removeOriginalFields, ...otherOptions },
108
+ {
109
+ did: identifier.did,
110
+ signer,
111
+ alg, ...(key.meta.verificationMethod.id && { kid: key.meta.verificationMethod.id })
112
+ },
113
+ { removeOriginalFields, ...otherOptions }
102
114
  )
103
115
  //FIXME: flagging this as a potential privacy leak.
104
116
  debug(jwt)
@@ -106,18 +118,18 @@ export class CredentialProviderJWT implements IVcdmCredentialProvider {
106
118
  }
107
119
 
108
120
  /** {@inheritdoc ICredentialVerifier.verifyCredential} */
109
- async verifyCredential(args: IVerifyCredentialLDArgs, context: VerifierAgentContext): Promise<IVerifyResult> {
121
+ async verifyCredential(args: IVerifyCredentialVcdmArgs, context: VerifierAgentContext): Promise<IVerifyResult> {
110
122
  let { credential, policies, ...otherOptions } = args
111
123
  let verifiedCredential: VerifiableCredential
112
124
  let verificationResult: IVerifyResult = { verified: false }
113
- let jwt: string = typeof credential === 'string' ? credential : asArray(credential.proof)[0].jwt
125
+ let jwt: string = typeof credential === 'string' ? credential : asArray('proof' in credential ? credential.proof : [])?.[0]?.jwt
114
126
  let errorCode, message
115
127
  const resolver = {
116
128
  resolve: (didUrl: string) =>
117
129
  context.agent.resolveDid({
118
130
  didUrl,
119
- options: otherOptions?.resolutionOptions,
120
- }),
131
+ options: otherOptions?.resolutionOptions
132
+ })
121
133
  } as Resolvable
122
134
  try {
123
135
  // needs broader credential as well to check equivalence with jwt
@@ -128,13 +140,13 @@ export class CredentialProviderJWT implements IVcdmCredentialProvider {
128
140
  nbf: policies?.nbf ?? policies?.issuanceDate,
129
141
  iat: policies?.iat ?? policies?.issuanceDate,
130
142
  exp: policies?.exp ?? policies?.expirationDate,
131
- aud: policies?.aud ?? policies?.audience,
132
- },
143
+ aud: policies?.aud ?? policies?.audience
144
+ }
133
145
  })
134
146
  verifiedCredential = verificationResult.verifiableCredential
135
147
 
136
148
  // if credential was presented with other fields, make sure those fields match what's in the JWT
137
- if (typeof credential !== 'string' && asArray(credential.proof)[0].type === 'JwtProof2020') {
149
+ if (typeof credential !== 'string' && 'proof' in credential && asArray(credential.proof)[0].type === 'JwtProof2020') {
138
150
  const credentialCopy = JSON.parse(JSON.stringify(credential))
139
151
  delete credentialCopy.proof.jwt
140
152
 
@@ -157,8 +169,8 @@ export class CredentialProviderJWT implements IVcdmCredentialProvider {
157
169
  verified: false,
158
170
  error: {
159
171
  message,
160
- errorCode: errorCode ? errorCode : message?.split(':')[0],
161
- },
172
+ errorCode: errorCode ? errorCode : message?.split(':')[0]
173
+ }
162
174
  }
163
175
  }
164
176
 
@@ -187,7 +199,7 @@ export class CredentialProviderJWT implements IVcdmCredentialProvider {
187
199
  const jwt = await createVerifiablePresentationJwt(
188
200
  presentation as any,
189
201
  { did: identifier.did, signer, alg },
190
- { removeOriginalFields, challenge, domain, ...otherOptions },
202
+ { removeOriginalFields, challenge, domain, ...otherOptions }
191
203
  )
192
204
  //FIXME: flagging this as a potential privacy leak.
193
205
  debug(jwt)
@@ -207,8 +219,8 @@ export class CredentialProviderJWT implements IVcdmCredentialProvider {
207
219
  resolve: (didUrl: string) =>
208
220
  context.agent.resolveDid({
209
221
  didUrl,
210
- options: otherOptions?.resolutionOptions,
211
- }),
222
+ options: otherOptions?.resolutionOptions
223
+ })
212
224
  } as Resolvable
213
225
 
214
226
  let audience = domain
@@ -236,14 +248,14 @@ export class CredentialProviderJWT implements IVcdmCredentialProvider {
236
248
  nbf: policies?.nbf ?? policies?.issuanceDate,
237
249
  iat: policies?.iat ?? policies?.issuanceDate,
238
250
  exp: policies?.exp ?? policies?.expirationDate,
239
- aud: policies?.aud ?? policies?.audience,
251
+ aud: policies?.aud ?? policies?.audience
240
252
  },
241
- ...otherOptions,
253
+ ...otherOptions
242
254
  })
243
255
  if (result) {
244
256
  return {
245
257
  verified: true,
246
- verifiablePresentation: result,
258
+ verifiablePresentation: result
247
259
  }
248
260
  }
249
261
  } catch (e: any) {
@@ -254,8 +266,8 @@ export class CredentialProviderJWT implements IVcdmCredentialProvider {
254
266
  verified: false,
255
267
  error: {
256
268
  message,
257
- errorCode: errorCode ? errorCode : message?.split(':')[0],
258
- },
269
+ errorCode: errorCode ? errorCode : message?.split(':')[0]
270
+ }
259
271
  }
260
272
  }
261
273
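Review bot: In the verifyCredential hunk the new initialiser `asArray('proof' in credential ? credential.proof : [])?.[0]?.jwt` can evaluate to `undefined` while `jwt` is still declared `string`, so a credential object that carries no JWT proof is passed on to `verifyCredentialJWT` instead of being rejected up front. The call appears to sit inside the `try` that opens at the end of that hunk, so the outcome is presumably still `verified: false`, but with whatever error the decoder raises rather than a reason the caller can act on; the catch itself lies outside the hunk. I would declare the variable `string | undefined` and add, before the resolver is built, `if (!jwt) return { verified: false, error: { message: 'invalid_argument: credential has no JWT proof', errorCode: 'invalid_argument' } }`, which matches the `code: text` message convention the error path already parses. In the same section, both create hunks keep `debug(jwt)`, which writes the complete signed credential or presentation to the debug log as the FIXME above it admits; keeping only the existing `debug('Signing VC with', identifier.did)` line would avoid putting holder data into logs.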