@sphereon/ssi-sdk.credential-vcdm2-jose-provider 0.33.1-feature.jose.vcdm.61 → 0.33.1-feature.jose.vcdm.63

package/src/did-jwt/JWT.ts

@@ -5,7 +5,6 @@ import { decodeBase64url, type EcdsaSignature, encodeBase64url, type KNOWN_JWA,
 import VerifierAlgorithm from './VerifierAlgorithm'
 import { JWT_ERROR } from 'did-jwt'
 
-
 export type Signer = (data: string | Uint8Array) => Promise<EcdsaSignature | string>
 export type SignerAlgorithm = (payload: string, signer: Signer) => Promise<string>
 
@@ -221,7 +220,7 @@ export async function createJWS(
   payload: string | Partial<JWTPayload>,
   signer: Signer,
   header: Partial<JWTHeader> = {},
-  options: JWSCreationOptions = {}
+  options: JWSCreationOptions = {},
 ): Promise<string> {
   if (!header.alg) header.alg = defaultAlg
   const encodedPayload = typeof payload === 'string' ? payload : encodeSection(payload, options.canonicalize)
@@ -259,7 +258,7 @@ export async function createJWS(
 export async function createJWT(
   payload: Partial<JWTPayload>,
   { issuer, signer, alg, expiresIn, canonicalize }: JWTOptions,
-  header: Partial<JWTHeader> = {}
+  header: Partial<JWTHeader> = {},
 ): Promise<string> {
   if (!signer) throw new Error('missing_signer: No Signer functionality has been configured')
   if (!issuer) throw new Error('missing_issuer: No issuing DID has been configured')
@@ -305,7 +304,7 @@ export async function createJWT(
 export async function createMultisignatureJWT(
   payload: Partial<JWTPayload>,
   { expiresIn, canonicalize }: Partial<JWTOptions>,
-  issuers: { issuer: string; signer: Signer; alg: string }[]
+  issuers: { issuer: string; signer: Signer; alg: string }[],
 ): Promise<string> {
   if (issuers.length === 0) throw new Error('invalid_argument: must provide one or more issuers')
 
@@ -337,7 +336,7 @@ export async function createMultisignatureJWT(
 
 export function verifyJWTDecoded(
   { header, payload, data, signature }: JWTDecoded,
-  pubKeys: VerificationMethod | VerificationMethod[]
+  pubKeys: VerificationMethod | VerificationMethod[],
 ): VerificationMethod {
   if (!Array.isArray(pubKeys)) pubKeys = [pubKeys]
 
@@ -365,10 +364,7 @@ export function verifyJWTDecoded(
   throw new Error(`${JWT_ERROR.INVALID_SIGNATURE}: no matching public key found`)
 }
 
-export function verifyJWSDecoded(
-  { header, data, signature }: JWSDecoded,
-  pubKeys: VerificationMethod | VerificationMethod[]
-): VerificationMethod {
+export function verifyJWSDecoded({ header, data, signature }: JWSDecoded, pubKeys: VerificationMethod | VerificationMethod[]): VerificationMethod {
   if (!Array.isArray(pubKeys)) pubKeys = [pubKeys]
   const signer: VerificationMethod = VerifierAlgorithm(header.alg)(data, signature, pubKeys)
   return signer
@@ -429,10 +425,10 @@ export async function verifyJWT(
     proofPurpose: undefined,
     policies: {},
     didAuthenticator: undefined,
-  }
+  },
 ): Promise<JWTVerified> {
   if (!options.resolver) throw new Error('missing_resolver: No DID resolver has been configured')
-  const { payload, header/*, signature, data*/ }: JWTDecoded = decodeJWT(jwt, false)
+  const { payload, header /*, signature, data*/ }: JWTDecoded = decodeJWT(jwt, false)
   const proofPurpose: ProofPurposeTypes | undefined = Object.prototype.hasOwnProperty.call(options, 'auth')
     ? options.auth
       ? 'authentication'
@@ -482,12 +478,7 @@ export async function verifyJWT(
   if (options.didAuthenticator) {
     ;({ didResolutionResult, authenticators, issuer } = options.didAuthenticator)
   } else {
-    ;({ didResolutionResult, authenticators, issuer } = await resolveAuthenticator(
-      options.resolver,
-      header.alg,
-      didUrl,
-      proofPurpose
-    ))
+    ;({ didResolutionResult, authenticators, issuer } = await resolveAuthenticator(options.resolver, header.alg, didUrl, proofPurpose))
     // Add to options object for recursive reference
     options.didAuthenticator = { didResolutionResult, authenticators, issuer }
   }
@@ -534,9 +525,7 @@ export async function verifyJWT(
     }
     if (options.policies?.aud !== false && payload.aud) {
       if (!options.audience && !options.callbackUrl) {
-        throw new Error(
-          `${JWT_ERROR.INVALID_AUDIENCE}: JWT audience is required but your app address has not been configured`
-        )
+        throw new Error(`${JWT_ERROR.INVALID_AUDIENCE}: JWT audience is required but your app address has not been configured`)
       }
       const audArray = Array.isArray(payload.aud) ? payload.aud : [payload.aud]
       const matchedAudience = audArray.find((item) => options.audience === item || options.callbackUrl === item)
@@ -549,7 +538,7 @@ export async function verifyJWT(
     return { verified: true, payload, didResolutionResult, issuer, signer, jwt, policies: options.policies }
   }
   throw new Error(
-    `${JWT_ERROR.INVALID_SIGNATURE}: JWT not valid. issuer DID document does not contain a verificationMethod that matches the signature.`
+    `${JWT_ERROR.INVALID_SIGNATURE}: JWT not valid. issuer DID document does not contain a verificationMethod that matches the signature.`,
   )
 }
 
@@ -579,7 +568,7 @@ export async function resolveAuthenticator(
   resolver: Resolvable,
   alg: string,
   issuer: string,
-  proofPurpose?: ProofPurposeTypes
+  proofPurpose?: ProofPurposeTypes,
 ): Promise<DIDAuthenticator> {
   const types: string[] = SUPPORTED_PUBLIC_KEY_TYPES[alg as KNOWN_JWA]
   if (!types || types.length === 0) {
@@ -601,9 +590,7 @@ export async function resolveAuthenticator(
 
   if (didResult.didResolutionMetadata?.error || didResult.didDocument == null) {
     const { error, message } = didResult.didResolutionMetadata
-    throw new Error(
-      `${JWT_ERROR.RESOLVER_ERROR}: Unable to resolve DID document for ${issuer}: ${error}, ${message || ''}`
-    )
+    throw new Error(`${JWT_ERROR.RESOLVER_ERROR}: Unable to resolve DID document for ${issuer}: ${error}, ${message || ''}`)
   }
 
   const getPublicKeyById = (verificationMethods: VerificationMethod[], pubid?: string): VerificationMethod | null => {
@@ -611,16 +598,10 @@ export async function resolveAuthenticator(
     return filtered.length > 0 ? filtered[0] : null
   }
 
-  let publicKeysToCheck: VerificationMethod[] = [
-    ...(didResult?.didDocument?.verificationMethod || []),
-    ...(didResult?.didDocument?.publicKey || []),
-  ]
+  let publicKeysToCheck: VerificationMethod[] = [...(didResult?.didDocument?.verificationMethod || []), ...(didResult?.didDocument?.publicKey || [])]
   if (typeof proofPurpose === 'string') {
     // support legacy DID Documents that do not list assertionMethod
-    if (
-      proofPurpose.startsWith('assertion') &&
-      !Object.getOwnPropertyNames(didResult?.didDocument).includes('assertionMethod')
-    ) {
+    if (proofPurpose.startsWith('assertion') && !Object.getOwnPropertyNames(didResult?.didDocument).includes('assertionMethod')) {
       didResult.didDocument = { ...(<DIDDocument>didResult.didDocument) }
       didResult.didDocument.assertionMethod = [...publicKeysToCheck.map((pk) => pk.id)]
     }
@@ -639,13 +620,11 @@ export async function resolveAuthenticator(
       .filter((key) => key != null) as VerificationMethod[]
   }
 
-  const authenticators: VerificationMethod[] = publicKeysToCheck.filter(({ type }) =>
-    types.find((supported) => supported === type)
-  )
+  const authenticators: VerificationMethod[] = publicKeysToCheck.filter(({ type }) => types.find((supported) => supported === type))
 
   if (typeof proofPurpose === 'string' && (!authenticators || authenticators.length === 0)) {
     throw new Error(
-      `${JWT_ERROR.NO_SUITABLE_KEYS}: DID document for ${issuer} does not have public keys suitable for ${alg} with ${proofPurpose} purpose`
+      `${JWT_ERROR.NO_SUITABLE_KEYS}: DID document for ${issuer} does not have public keys suitable for ${alg} with ${proofPurpose} purpose`,
     )
   }
   if (!authenticators || authenticators.length === 0) {

package/src/did-jwt/VerifierAlgorithm.ts

@@ -1,14 +1,6 @@
 import { toEthereumAddress } from 'did-jwt'
 import type { VerificationMethod } from 'did-resolver'
-import {
-  base64ToBytes,
-  bytesToHex,
-  type EcdsaSignature,
-  type ECDSASignature,
-  extractPublicKeyBytes,
-  type KNOWN_JWA,
-  stringToBytes,
-} from './util'
+import { base64ToBytes, bytesToHex, type EcdsaSignature, type ECDSASignature, extractPublicKeyBytes, type KNOWN_JWA, stringToBytes } from './util'
 // @ts-ignore
 // import { verifyBlockchainAccountId } from 'did-jwt'
 import { secp256k1 } from '@noble/curves/secp256k1'
@@ -66,11 +58,7 @@ export function verifyES256(data: string, signature: string, authenticators: Ver
   return signer
 }
 
-export function verifyES256K(
-  data: string,
-  signature: string,
-  authenticators: VerificationMethod[]
-): VerificationMethod {
+export function verifyES256K(data: string, signature: string, authenticators: VerificationMethod[]): VerificationMethod {
   const hash = sha256(data)
   const signatureNormalized = secp256k1.Signature.fromCompact(base64ToBytes(signature)).normalizeS()
   const fullPublicKeys = authenticators.filter((a: VerificationMethod) => {
@@ -97,11 +85,7 @@ export function verifyES256K(
   return signer
 }
 
-export function verifyRecoverableES256K(
-  data: string,
-  signature: string,
-  authenticators: VerificationMethod[]
-): VerificationMethod {
+export function verifyRecoverableES256K(data: string, signature: string, authenticators: VerificationMethod[]): VerificationMethod {
   const signatures: ECDSASignature[] = []
   if (signature.length > 86) {
     signatures.push(toSignatureObject2(signature, true))
@@ -141,11 +125,7 @@ export function verifyRecoverableES256K(
   throw new Error('invalid_signature: Signature invalid for JWT')
 }
 
-export function verifyEd25519(
-  data: string,
-  signature: string,
-  authenticators: VerificationMethod[]
-): VerificationMethod {
+export function verifyEd25519(data: string, signature: string, authenticators: VerificationMethod[]): VerificationMethod {
   const clear = stringToBytes(data)
   const signatureBytes = base64ToBytes(signature)
   const signer = authenticators.find((a: VerificationMethod) => {

package/src/did-jwt/util.ts

@@ -12,8 +12,6 @@ import { p256 } from '@noble/curves/p256'
 
 // const u8a = { toString, fromString, concat }
 
-
-
 export interface EphemeralPublicKey {
   kty?: string
   //ECC
@@ -148,20 +146,8 @@ export const SUPPORTED_PUBLIC_KEY_TYPES: PublicKeyTypes = {
     'JsonWebKey2020',
     'Multikey',
   ],
-  Ed25519: [
-    'ED25519SignatureVerification',
-    'Ed25519VerificationKey2018',
-    'Ed25519VerificationKey2020',
-    'JsonWebKey2020',
-    'Multikey',
-  ],
-  EdDSA: [
-    'ED25519SignatureVerification',
-    'Ed25519VerificationKey2018',
-    'Ed25519VerificationKey2020',
-    'JsonWebKey2020',
-    'Multikey',
-  ],
+  Ed25519: ['ED25519SignatureVerification', 'Ed25519VerificationKey2018', 'Ed25519VerificationKey2020', 'JsonWebKey2020', 'Multikey'],
+  EdDSA: ['ED25519SignatureVerification', 'Ed25519VerificationKey2018', 'Ed25519VerificationKey2020', 'JsonWebKey2020', 'Multikey'],
 }
 
 export const VM_TO_KEY_TYPE: Record<KNOWN_VERIFICATION_METHOD, KNOWN_KEY_TYPE | undefined> = {
@@ -181,13 +167,7 @@ export const VM_TO_KEY_TYPE: Record<KNOWN_VERIFICATION_METHOD, KNOWN_KEY_TYPE |
   Multikey: undefined, // key type must be extracted from the multicodec
 }
 
-export type KNOWN_CODECS =
-  | 'ed25519-pub'
-  | 'x25519-pub'
-  | 'secp256k1-pub'
-  | 'bls12_381-g1-pub'
-  | 'bls12_381-g2-pub'
-  | 'p256-pub'
+export type KNOWN_CODECS = 'ed25519-pub' | 'x25519-pub' | 'secp256k1-pub' | 'bls12_381-g1-pub' | 'bls12_381-g2-pub' | 'p256-pub'
 
 // this is from the multicodec table https://github.com/multiformats/multicodec/blob/master/table.csv
 export const supportedCodecs: Record<KNOWN_CODECS, number> = {
@@ -242,12 +222,7 @@ export function extractPublicKeyBytes(pk: VerificationMethod): { keyBytes: Uint8
       }).toRawBytes(false),
       keyType: 'P-256',
     }
-  } else if (
-    pk.publicKeyJwk &&
-    pk.publicKeyJwk.kty === 'OKP' &&
-    ['Ed25519', 'X25519'].includes(pk.publicKeyJwk.crv ?? '') &&
-    pk.publicKeyJwk.x
-  ) {
+  } else if (pk.publicKeyJwk && pk.publicKeyJwk.kty === 'OKP' && ['Ed25519', 'X25519'].includes(pk.publicKeyJwk.crv ?? '') && pk.publicKeyJwk.x) {
     return { keyBytes: base64ToBytes(pk.publicKeyJwk.x), keyType: pk.publicKeyJwk.crv as KNOWN_KEY_TYPE }
   } else if (pk.publicKeyMultibase) {
     const { keyBytes, keyType } = multibaseToBytes(pk.publicKeyMultibase)
@@ -268,11 +243,7 @@ export function extractPublicKeyBytes(pk: VerificationMethod): { keyBytes: Uint8
  *
  * @public
  */
-export function bytesToMultibase(
-  b: Uint8Array,
-  base: BaseName = 'base58btc',
-  codec?: keyof typeof supportedCodecs | number
-): string {
+export function bytesToMultibase(b: Uint8Array, base: BaseName = 'base58btc', codec?: keyof typeof supportedCodecs | number): string {
   if (!codec) {
     return u8a.toString(encode(base, b), 'utf-8')
   } else {
@@ -308,8 +279,7 @@ export function multibaseToBytes(s: string): { keyBytes: Uint8Array; keyType?: K
   try {
     // eslint-disable-next-line @typescript-eslint/no-unused-vars
     const [codec, length] = varint.decode(bytes)
-    const possibleCodec: string | undefined =
-      Object.entries(supportedCodecs).filter(([, code]) => code === codec)?.[0][0] ?? ''
+    const possibleCodec: string | undefined = Object.entries(supportedCodecs).filter(([, code]) => code === codec)?.[0][0] ?? ''
     return { keyBytes: bytes.slice(length), keyType: CODEC_TO_KEY_TYPE[possibleCodec as KNOWN_CODECS] }
   } catch (e) {
     // not a multicodec, return the bytes