@sphereon/ssi-sdk.credential-vcdm2-jose-provider 0.33.1-feature.vcdm.verification.69 → 0.33.1-feature.vcdm.verification.72
- package/dist/index.cjs +24 -10
- package/dist/index.cjs.map +1 -1
- package/dist/index.js +24 -10
- package/dist/index.js.map +1 -1
- package/package.json +6 -6
- package/src/agent/CredentialProviderVcdm2Jose.ts +56 -42
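--- a/package/package.json
+++ b/package/package.json
@@ -1,7 +1,7 @@
 {
 "name": "@sphereon/ssi-sdk.credential-vcdm2-jose-provider",
 "description": "Plugin for working with W3C Verifiable Credentials DataModel 2 JOSE Credentials & Presentations.",
-"version": "0.33.1-feature.vcdm.verification.
+"version": "0.33.1-feature.vcdm.verification.72+3e51baa9",
 "source": "src/index.ts",
 "type": "module",
 "main": "./dist/index.cjs",
@@ -30,9 +30,9 @@
 "@sphereon/ssi-sdk-ext.identifier-resolution": "0.28.1-next.53",
 "@sphereon/ssi-sdk-ext.jwt-service": "0.28.1-next.53",
 "@sphereon/ssi-sdk-ext.key-utils": "0.28.1-next.53",
-"@sphereon/ssi-sdk.core": "0.33.1-feature.vcdm.verification.
-"@sphereon/ssi-sdk.credential-vcdm": "0.33.1-feature.vcdm.verification.
-"@sphereon/ssi-types": "0.33.1-feature.vcdm.verification.
+"@sphereon/ssi-sdk.core": "0.33.1-feature.vcdm.verification.72+3e51baa9",
+"@sphereon/ssi-sdk.credential-vcdm": "0.33.1-feature.vcdm.verification.72+3e51baa9",
+"@sphereon/ssi-types": "0.33.1-feature.vcdm.verification.72+3e51baa9",
 "@veramo/core": "4.2.0",
 "@veramo/utils": "4.2.0",
 "canonicalize": "^2.0.0",
@@ -47,7 +47,7 @@
 "@sphereon/ssi-sdk-ext.did-provider-key": "0.28.1-next.53",
 "@sphereon/ssi-sdk-ext.key-manager": "0.28.1-next.53",
 "@sphereon/ssi-sdk-ext.kms-local": "0.28.1-next.53",
-"@sphereon/ssi-sdk.agent-config": "0.33.1-feature.vcdm.verification.
+"@sphereon/ssi-sdk.agent-config": "0.33.1-feature.vcdm.verification.72+3e51baa9",
 "@types/debug": "4.1.8",
 "@veramo/did-manager": "4.2.0",
 "@veramo/did-provider-ethr": "4.2.0",
@@ -84,5 +84,5 @@
 "node_modules",
 "src"
 ],
-"gitHead": "
+"gitHead": "3e51baa92956b7979a4f9e673369ef8c32ac5cf2"
 }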
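--- a/package/src/agent/CredentialProviderVcdm2Jose.ts
+++ b/package/src/agent/CredentialProviderVcdm2Jose.ts
@@ -35,7 +35,7 @@ import type {
 IKey,
 IKeyManager,
 IResolver,
-VerifiableCredential,
+VerifiableCredential, VerificationPolicies,
 VerifierAgentContext
 } from '@veramo/core'
 
@@ -111,7 +111,7 @@ export class CredentialProviderVcdm2Jose implements IVcdmCredentialProvider {
 kid: key.meta?.verificationMethod?.id ?? key.kid,
 alg,
 typ: 'vc+jwt',
-cty: 'vc'
+cty: 'vc'
 }
 
 const jwt = await context.agent.jwtCreateJwsCompactSignature({
@@ -119,7 +119,7 @@ export class CredentialProviderVcdm2Jose implements IVcdmCredentialProvider {
 issuer: managedIdentifier,
 payload: credential,
 protectedHeader: header,
-clientIdScheme: 'did'
+clientIdScheme: 'did'
 })
 
 // debug(jwt)
@@ -128,7 +128,7 @@ export class CredentialProviderVcdm2Jose implements IVcdmCredentialProvider {
 
 /** {@inheritdoc ICredentialVerifier.verifyCredential} */
 async verifyCredential(args: IVerifyCredentialVcdmArgs, context: VerifierAgentContext): Promise<IVerifyResult> {
-let { credential
+let { credential, policies, /*...otherOptions*/ } = args
 const uniform = CredentialMapper.toUniformCredential(credential as OriginalVerifiableCredential)
 // let verifiedCredential: VerifiableCredential
 if (!isVcdm2Credential(uniform)) {
@@ -139,7 +139,14 @@ export class CredentialProviderVcdm2Jose implements IVcdmCredentialProvider {
 if (!jwt) {
 return Promise.reject(new Error('invalid_argument: credential must be a VCDM2 credential in JOSE format (string)'))
 }
-
+policies = {
+...policies,
+nbf: policies?.nbf ?? policies?.issuanceDate ?? policies?.validFrom,
+iat: policies?.iat ?? policies?.issuanceDate ?? policies?.validFrom,
+exp: policies?.exp ?? policies?.expirationDate ?? policies?.validUntil,
+aud: policies?.aud ?? policies?.audience
+}
+verificationResult = await verifierSignature({ jwt, policies }, context)
 return verificationResult
 /* let errorCode, message
 const resolver = {
@@ -214,9 +221,9 @@ export class CredentialProviderVcdm2Jose implements IVcdmCredentialProvider {
 const key = await pickSigningKey(
 {
 identifier: managedIdentifier.identifier,
-kmsKeyRef: managedIdentifier.kmsKeyRef
+kmsKeyRef: managedIdentifier.kmsKeyRef
 },
-context
+context
 )
 
 debug('Signing VC with', identifier.did)
@@ -231,12 +238,12 @@ export class CredentialProviderVcdm2Jose implements IVcdmCredentialProvider {
 kid: key.meta.verificationMethod.id ?? key.kid,
 alg,
 typ: 'vp+jwt',
-cty: 'vp'
+cty: 'vp'
 }
 const payload: JwsPayload = {
 ...presentation,
 ...(domain && { aud: domain }),
-...(challenge && { nonce: challenge })
+...(challenge && { nonce: challenge })
 }
 
 const jwt = await agent.jwtCreateJwsCompactSignature({
@@ -244,7 +251,7 @@ export class CredentialProviderVcdm2Jose implements IVcdmCredentialProvider {
 issuer: managedIdentifier,
 payload,
 protectedHeader: header,
-clientIdScheme: 'did'
+clientIdScheme: 'did'
 })
 
 debug(jwt)
@@ -264,8 +271,8 @@ export class CredentialProviderVcdm2Jose implements IVcdmCredentialProvider {
 resolve: (didUrl: string) =>
 context.agent.resolveDid({
 didUrl,
-options: otherOptions?.resolutionOptions
-})
+options: otherOptions?.resolutionOptions
+})
 } as Resolvable
 
 let audience = domain
@@ -293,9 +300,9 @@ export class CredentialProviderVcdm2Jose implements IVcdmCredentialProvider {
 nbf: policies?.nbf ?? policies?.issuanceDate,
 iat: policies?.iat ?? policies?.issuanceDate,
 exp: policies?.exp ?? policies?.expirationDate,
-aud: policies?.aud ?? policies?.audience
+aud: policies?.aud ?? policies?.audience
 },
-...otherOptions
+...otherOptions
 })
 if (result) {
 /**
@@ -314,11 +321,11 @@ export class CredentialProviderVcdm2Jose implements IVcdmCredentialProvider {
 log: [
 {
 id: 'valid_signature',
-valid: true
-}
-]
-}
-]
+valid: true
+}
+]
+}
+]
 } satisfies IVerifyResult
 }
 } catch (e: any) {
@@ -329,8 +336,8 @@ export class CredentialProviderVcdm2Jose implements IVcdmCredentialProvider {
 verified: false,
 error: {
 message,
-errorCode: errorCode ? errorCode : message?.split(':')[0]
-}
+errorCode: errorCode ? errorCode : message?.split(':')[0]
+}
 }
 }
 
@@ -362,8 +369,8 @@ export class CredentialProviderVcdm2Jose implements IVcdmCredentialProvider {
 }
 
 export async function verifierSignature(
-{ jwt }: { jwt: string /*resolver: Resolvable*/ },
-verifierContext: VerifierAgentContext
+{ jwt, policies }: { jwt: string, policies: VerificationPolicies /*resolver: Resolvable*/ },
+verifierContext: VerifierAgentContext
 ): Promise<IVerifyResult> {
 let credIssuer: string | undefined = undefined
 const context = assertContext(verifierContext)
@@ -410,29 +417,32 @@ export async function verifierSignature(
 let resolution: ExternalIdentifierResult | undefined = undefined
 try {
 resolution = await agent.identifierExternalResolve({ identifier: credIssuer })
-} catch (e: any) {
+} catch (e: any) {
+}
 const credential = CredentialMapper.toUniformCredential(jwt)
 
-const
+const validFromError = (policies.nbf !== false && policies.iat !== false) && 'validFrom' in credential && !!credential.validFrom && Date.parse(credential.validFrom) > new Date().getTime()
+const expired = policies.exp !== false && 'validUntil' in credential && !!credential.validUntil && Date.parse(credential.validUntil) < new Date().getTime()
 
 const didOpts = { method: 'did', identifier: credIssuer } satisfies ExternalIdentifierDidOpts
 const jwtResult = await agent.jwtVerifyJwsSignature({
 jws: jwt,
 // @ts-ignore
 jwk: resolution?.jwks[0].jwk,
-opts: { ...(isDidIdentifier(credIssuer) && { did: didOpts }) }
+opts: { ...(isDidIdentifier(credIssuer) && { did: didOpts }) }
 })
 const error = jwtResult.error || expired || !resolution
-const errorMessage = expired ? 'Credential is expired' : !resolution ? `Issuer ${credIssuer} could not be resolved` : jwtResult.message
+const errorMessage = expired ? 'Credential is expired' : validFromError ? 'Credential is not valid yet' : !resolution ? `Issuer ${credIssuer} could not be resolved` : jwtResult.message
 
 if (error) {
 const log = [
 {
 id: 'valid_signature',
-valid:
+valid: !jwtResult.error
 },
 { id: 'issuer_did_resolves', valid: resolution != undefined },
-{ id: '
+{ id: 'validFrom', valid: policies.nbf !== false && !validFromError },
+{ id: 'expiration', valid: policies.exp !== false && !expired }
 ]
 return {
 verified: false,
@@ -443,28 +453,32 @@ export async function verifierSignature(
 verified: false,
 credential: jwt,
 log,
-error: { message: errorMessage, errorCode: jwtResult.name }
-}
+error: { message: errorMessage, errorCode: jwtResult.name }
+}
 ],
 payload,
 didResolutionResult: resolution,
-jwt
+jwt
 } satisfies IVerifyResult
 }
 
 const log = [
 {
 id: 'valid_signature',
-valid: true
+valid: true
 },
 {
 id: 'issuer_did_resolves',
-valid: true
+valid: true
 },
 {
-id: '
-valid: true
+id: 'validFrom',
+valid: true
 },
+{
+id: 'expiration',
+valid: true
+}
 ]
 return {
 verified: true,
@@ -473,12 +487,12 @@ export async function verifierSignature(
 {
 verified: true,
 credential,
-log
-}
+log
+}
 ],
 payload,
 didResolutionResult: resolution,
-jwt
+jwt
 } satisfies IVerifyResult
 }
 
@@ -621,17 +635,17 @@ export function validateContext(value: string | string[]): void {
 }
 */
 function assertContext(
-context: IVcdmIssuerAgentContext | IVcdmVerifierAgentContext
+context: IVcdmIssuerAgentContext | IVcdmVerifierAgentContext
 ): IAgentContext<
 IResolver & IDIDManager & Pick<IKeyManager, 'keyManagerGet' | 'keyManagerSign' | 'keyManagerVerify'> & IJwtService & IIdentifierResolution
 > {
 if (!contextHasPlugin<IJwtService>(context, 'jwtPrepareJws')) {
 throw Error(
-'JwtService plugin not found, which is required for JWT signing in the VCDM2 Jose credential provider. Please add the JwtService plugin to your agent configuration.'
+'JwtService plugin not found, which is required for JWT signing in the VCDM2 Jose credential provider. Please add the JwtService plugin to your agent configuration.'
 )
 } else if (!contextHasPlugin<IIdentifierResolution>(context, 'identifierManagedGet')) {
 throw Error(
-'Identifier resolution plugin not found, which is required for JWT signing in the VCDM2 Jose credential provider. Please add the JwtService plugin to your agent configuration.'
+'Identifier resolution plugin not found, which is required for JWT signing in the VCDM2 Jose credential provider. Please add the JwtService plugin to your agent configuration.'
 )
 }
 return context as IAgentContext<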
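Review bot: In the `@@ -410,29 +417,32 @@` hunk of verifierSignature the new `validFromError` is computed but never folded into the unchanged `const error = jwtResult.error || expired || !resolution`, so a credential whose `validFrom` is still in the future, with a good signature and a resolvable issuer, skips the `if (error)` branch and comes back as `verified: true` with a hard-coded `{ id: 'validFrom', valid: true }` entry, and the new 'Credential is not valid yet' message is unreachable; the guard should read `const error = jwtResult.error || expired || validFromError || !resolution`. `Date.parse` yields NaN for a malformed `validFrom`/`validUntil`, and every comparison against NaN is false, so an unparseable date currently passes both checks silently — it should count as a failed check rather than a valid one. In the failure-path log, `valid: policies.nbf !== false && !validFromError` reports a deliberately disabled policy as `valid: false`; `policies.nbf === false || !validFromError` (and the same for `expiration` with `policies.exp`) expresses "skipped or passed". verifierSignature's body continues outside these hunks.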