@sphereon/ssi-sdk.credential-vcdm2-jose-provider 0.33.1-feature.jose.vcdm.67 → 0.33.1-feature.vcdm.verification.71
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/index.cjs +108 -27
- package/dist/index.cjs.map +1 -1
- package/dist/index.d.cts +4 -3
- package/dist/index.d.ts +4 -3
- package/dist/index.js +102 -21
- package/dist/index.js.map +1 -1
- package/package.json +13 -13
- package/src/__tests__/issue-verify-flow-vcdm2-jose.test.ts +11 -2
- package/src/agent/CredentialProviderVcdm2Jose.ts +161 -61
package/dist/index.cjs
CHANGED
|
@@ -36,14 +36,15 @@ __export(index_exports, {
|
|
|
36
36
|
module.exports = __toCommonJS(index_exports);
|
|
37
37
|
|
|
38
38
|
// src/agent/CredentialProviderVcdm2Jose.ts
|
|
39
|
-
var import_ssi_sdk = require("@sphereon/ssi-sdk.credential-vcdm");
|
|
40
|
-
var import_did_jwt_vc = require("did-jwt-vc");
|
|
41
|
-
var import_did_jwt3 = require("did-jwt");
|
|
42
|
-
var import_debug = __toESM(require("debug"), 1);
|
|
43
|
-
var import_ssi_sdk2 = require("@sphereon/ssi-sdk.core");
|
|
44
|
-
var import_ssi_sdk3 = require("@sphereon/ssi-sdk.agent-config");
|
|
45
39
|
var import_ssi_sdk_ext = require("@sphereon/ssi-sdk-ext.identifier-resolution");
|
|
40
|
+
var import_ssi_sdk_ext2 = require("@sphereon/ssi-sdk-ext.key-utils");
|
|
41
|
+
var import_ssi_sdk = require("@sphereon/ssi-sdk.agent-config");
|
|
42
|
+
var import_ssi_sdk2 = require("@sphereon/ssi-sdk.core");
|
|
43
|
+
var import_ssi_sdk3 = require("@sphereon/ssi-sdk.credential-vcdm");
|
|
46
44
|
var import_ssi_types = require("@sphereon/ssi-types");
|
|
45
|
+
var import_debug = __toESM(require("debug"), 1);
|
|
46
|
+
var import_did_jwt3 = require("did-jwt");
|
|
47
|
+
var import_did_jwt_vc = require("did-jwt-vc");
|
|
47
48
|
|
|
48
49
|
// src/did-jwt/JWT.ts
|
|
49
50
|
var import_canonicalize = __toESM(require("canonicalize"), 1);
|
|
@@ -443,7 +444,6 @@ var SELF_ISSUED_V2_VC_INTEROP = "https://self-issued.me/v2/openid-vc";
|
|
|
443
444
|
var SELF_ISSUED_V0_1 = "https://self-issued.me";
|
|
444
445
|
|
|
445
446
|
// src/agent/CredentialProviderVcdm2Jose.ts
|
|
446
|
-
var import_ssi_sdk_ext2 = require("@sphereon/ssi-sdk-ext.key-utils");
|
|
447
447
|
var debug = (0, import_debug.default)("sphereon:ssi-sdk:credential-jwt");
|
|
448
448
|
var CredentialProviderVcdm2Jose = class {
|
|
449
449
|
static {
|
|
@@ -476,7 +476,7 @@ var CredentialProviderVcdm2Jose = class {
|
|
|
476
476
|
async createVerifiableCredential(args, context) {
|
|
477
477
|
const { keyRef } = args;
|
|
478
478
|
const agent = assertContext(context).agent;
|
|
479
|
-
const { credential, issuer } = (0,
|
|
479
|
+
const { credential, issuer } = (0, import_ssi_sdk3.preProcessCredentialPayload)(args);
|
|
480
480
|
if (!(0, import_ssi_types.isVcdm2Credential)(credential)) {
|
|
481
481
|
return Promise.reject(new Error("invalid_argument: credential must be a VCDM2 credential. Context: " + credential["@context"]));
|
|
482
482
|
}
|
|
@@ -492,7 +492,7 @@ var CredentialProviderVcdm2Jose = class {
|
|
|
492
492
|
identifier: identifier.did,
|
|
493
493
|
kmsKeyRef: keyRef
|
|
494
494
|
});
|
|
495
|
-
const key = await (0,
|
|
495
|
+
const key = await (0, import_ssi_sdk3.pickSigningKey)({
|
|
496
496
|
identifier,
|
|
497
497
|
kmsKeyRef: keyRef
|
|
498
498
|
}, context);
|
|
@@ -517,13 +517,10 @@ var CredentialProviderVcdm2Jose = class {
|
|
|
517
517
|
}
|
|
518
518
|
/** {@inheritdoc ICredentialVerifier.verifyCredential} */
|
|
519
519
|
async verifyCredential(args, context) {
|
|
520
|
-
let {
|
|
521
|
-
credential
|
|
522
|
-
/*policies, ...otherOptions*/
|
|
523
|
-
} = args;
|
|
520
|
+
let { credential, policies } = args;
|
|
524
521
|
const uniform = import_ssi_types.CredentialMapper.toUniformCredential(credential);
|
|
525
522
|
if (!(0, import_ssi_types.isVcdm2Credential)(uniform)) {
|
|
526
|
-
return Promise.reject(new Error("invalid_argument: credential must be a VCDM2 credential. Context: " +
|
|
523
|
+
return Promise.reject(new Error("invalid_argument: credential must be a VCDM2 credential. Context: " + uniform["@context"]));
|
|
527
524
|
}
|
|
528
525
|
let verificationResult = {
|
|
529
526
|
verified: false
|
|
@@ -532,14 +529,22 @@ var CredentialProviderVcdm2Jose = class {
|
|
|
532
529
|
if (!jwt) {
|
|
533
530
|
return Promise.reject(new Error("invalid_argument: credential must be a VCDM2 credential in JOSE format (string)"));
|
|
534
531
|
}
|
|
532
|
+
policies = {
|
|
533
|
+
...policies,
|
|
534
|
+
nbf: policies?.nbf ?? policies?.issuanceDate ?? policies?.validFrom,
|
|
535
|
+
iat: policies?.iat ?? policies?.issuanceDate ?? policies?.validFrom,
|
|
536
|
+
exp: policies?.exp ?? policies?.expirationDate ?? policies?.validUntil,
|
|
537
|
+
aud: policies?.aud ?? policies?.audience
|
|
538
|
+
};
|
|
535
539
|
verificationResult = await verifierSignature({
|
|
536
|
-
jwt
|
|
540
|
+
jwt,
|
|
541
|
+
policies
|
|
537
542
|
}, context);
|
|
538
543
|
return verificationResult;
|
|
539
544
|
}
|
|
540
545
|
/** {@inheritdoc @veramo/credential-w3c#AbstractCredentialProvider.createVerifiablePresentation} */
|
|
541
546
|
async createVerifiablePresentation(args, context) {
|
|
542
|
-
const { presentation, holder } = (0,
|
|
547
|
+
const { presentation, holder } = (0, import_ssi_sdk3.preProcessPresentation)(args);
|
|
543
548
|
let {
|
|
544
549
|
domain,
|
|
545
550
|
challenge,
|
|
@@ -552,7 +557,7 @@ var CredentialProviderVcdm2Jose = class {
|
|
|
552
557
|
kmsKeyRef: keyRef
|
|
553
558
|
});
|
|
554
559
|
const identifier = managedIdentifier.identifier;
|
|
555
|
-
const key = await (0,
|
|
560
|
+
const key = await (0, import_ssi_sdk3.pickSigningKey)({
|
|
556
561
|
identifier: managedIdentifier.identifier,
|
|
557
562
|
kmsKeyRef: managedIdentifier.kmsKeyRef
|
|
558
563
|
}, context);
|
|
@@ -633,7 +638,18 @@ var CredentialProviderVcdm2Jose = class {
|
|
|
633
638
|
if (result) {
|
|
634
639
|
return {
|
|
635
640
|
verified: true,
|
|
636
|
-
|
|
641
|
+
results: [
|
|
642
|
+
{
|
|
643
|
+
verified: true,
|
|
644
|
+
presentation: result.verifiablePresentation,
|
|
645
|
+
log: [
|
|
646
|
+
{
|
|
647
|
+
id: "valid_signature",
|
|
648
|
+
valid: true
|
|
649
|
+
}
|
|
650
|
+
]
|
|
651
|
+
}
|
|
652
|
+
]
|
|
637
653
|
};
|
|
638
654
|
}
|
|
639
655
|
} catch (e) {
|
|
@@ -680,7 +696,7 @@ var CredentialProviderVcdm2Jose = class {
|
|
|
680
696
|
};
|
|
681
697
|
}
|
|
682
698
|
};
|
|
683
|
-
async function verifierSignature({ jwt }, verifierContext) {
|
|
699
|
+
async function verifierSignature({ jwt, policies }, verifierContext) {
|
|
684
700
|
let credIssuer = void 0;
|
|
685
701
|
const context = assertContext(verifierContext);
|
|
686
702
|
const agent = context.agent;
|
|
@@ -721,9 +737,16 @@ async function verifierSignature({ jwt }, verifierContext) {
|
|
|
721
737
|
if (!credIssuer) {
|
|
722
738
|
throw new Error(`${import_did_jwt3.JWT_ERROR.INVALID_JWT}: No DID has been found in the JWT`);
|
|
723
739
|
}
|
|
724
|
-
|
|
725
|
-
|
|
726
|
-
|
|
740
|
+
let resolution = void 0;
|
|
741
|
+
try {
|
|
742
|
+
resolution = await agent.identifierExternalResolve({
|
|
743
|
+
identifier: credIssuer
|
|
744
|
+
});
|
|
745
|
+
} catch (e) {
|
|
746
|
+
}
|
|
747
|
+
const credential = import_ssi_types.CredentialMapper.toUniformCredential(jwt);
|
|
748
|
+
const validFromError = policies.nbf !== false && policies.iat !== false && "validFrom" in credential && !!credential.validFrom && Date.parse(credential.validFrom) > (/* @__PURE__ */ new Date()).getTime();
|
|
749
|
+
const expired = policies.exp !== false && "validUntil" in credential && !!credential.validUntil && Date.parse(credential.validUntil) < (/* @__PURE__ */ new Date()).getTime();
|
|
727
750
|
const didOpts = {
|
|
728
751
|
method: "did",
|
|
729
752
|
identifier: credIssuer
|
|
@@ -731,27 +754,85 @@ async function verifierSignature({ jwt }, verifierContext) {
|
|
|
731
754
|
const jwtResult = await agent.jwtVerifyJwsSignature({
|
|
732
755
|
jws: jwt,
|
|
733
756
|
// @ts-ignore
|
|
734
|
-
jwk: resolution
|
|
757
|
+
jwk: resolution?.jwks[0].jwk,
|
|
735
758
|
opts: {
|
|
736
759
|
...(0, import_ssi_sdk_ext.isDidIdentifier)(credIssuer) && {
|
|
737
760
|
did: didOpts
|
|
738
761
|
}
|
|
739
762
|
}
|
|
740
763
|
});
|
|
741
|
-
|
|
764
|
+
const error = jwtResult.error || expired || !resolution;
|
|
765
|
+
const errorMessage = expired ? "Credential is expired" : validFromError ? "Credential is not valid yet" : !resolution ? `Issuer ${credIssuer} could not be resolved` : jwtResult.message;
|
|
766
|
+
if (error) {
|
|
767
|
+
const log2 = [
|
|
768
|
+
{
|
|
769
|
+
id: "valid_signature",
|
|
770
|
+
valid: !jwtResult.error
|
|
771
|
+
},
|
|
772
|
+
{
|
|
773
|
+
id: "issuer_did_resolves",
|
|
774
|
+
valid: resolution != void 0
|
|
775
|
+
},
|
|
776
|
+
{
|
|
777
|
+
id: "validFrom",
|
|
778
|
+
valid: !validFromError
|
|
779
|
+
},
|
|
780
|
+
{
|
|
781
|
+
id: "expiration",
|
|
782
|
+
valid: !expired
|
|
783
|
+
}
|
|
784
|
+
];
|
|
742
785
|
return {
|
|
743
786
|
verified: false,
|
|
744
787
|
error: {
|
|
745
|
-
message:
|
|
788
|
+
message: errorMessage,
|
|
746
789
|
errorCode: jwtResult.name
|
|
747
790
|
},
|
|
791
|
+
log: log2,
|
|
792
|
+
results: [
|
|
793
|
+
{
|
|
794
|
+
verified: false,
|
|
795
|
+
credential: jwt,
|
|
796
|
+
log: log2,
|
|
797
|
+
error: {
|
|
798
|
+
message: errorMessage,
|
|
799
|
+
errorCode: jwtResult.name
|
|
800
|
+
}
|
|
801
|
+
}
|
|
802
|
+
],
|
|
748
803
|
payload,
|
|
749
804
|
didResolutionResult: resolution,
|
|
750
805
|
jwt
|
|
751
806
|
};
|
|
752
807
|
}
|
|
808
|
+
const log = [
|
|
809
|
+
{
|
|
810
|
+
id: "valid_signature",
|
|
811
|
+
valid: true
|
|
812
|
+
},
|
|
813
|
+
{
|
|
814
|
+
id: "issuer_did_resolves",
|
|
815
|
+
valid: true
|
|
816
|
+
},
|
|
817
|
+
{
|
|
818
|
+
id: "validFrom",
|
|
819
|
+
valid: true
|
|
820
|
+
},
|
|
821
|
+
{
|
|
822
|
+
id: "expiration",
|
|
823
|
+
valid: true
|
|
824
|
+
}
|
|
825
|
+
];
|
|
753
826
|
return {
|
|
754
827
|
verified: true,
|
|
828
|
+
log,
|
|
829
|
+
results: [
|
|
830
|
+
{
|
|
831
|
+
verified: true,
|
|
832
|
+
credential,
|
|
833
|
+
log
|
|
834
|
+
}
|
|
835
|
+
],
|
|
755
836
|
payload,
|
|
756
837
|
didResolutionResult: resolution,
|
|
757
838
|
jwt
|
|
@@ -759,9 +840,9 @@ async function verifierSignature({ jwt }, verifierContext) {
|
|
|
759
840
|
}
|
|
760
841
|
__name(verifierSignature, "verifierSignature");
|
|
761
842
|
function assertContext(context) {
|
|
762
|
-
if (!(0,
|
|
843
|
+
if (!(0, import_ssi_sdk.contextHasPlugin)(context, "jwtPrepareJws")) {
|
|
763
844
|
throw Error("JwtService plugin not found, which is required for JWT signing in the VCDM2 Jose credential provider. Please add the JwtService plugin to your agent configuration.");
|
|
764
|
-
} else if (!(0,
|
|
845
|
+
} else if (!(0, import_ssi_sdk.contextHasPlugin)(context, "identifierManagedGet")) {
|
|
765
846
|
throw Error("Identifier resolution plugin not found, which is required for JWT signing in the VCDM2 Jose credential provider. Please add the JwtService plugin to your agent configuration.");
|
|
766
847
|
}
|
|
767
848
|
return context;
|