@sphereon/ssi-sdk.credential-vcdm2-jose-provider 0.33.1-next.68 → 0.34.0

package/dist/index.cjs

@@ -36,14 +36,15 @@ __export(index_exports, {
 module.exports = __toCommonJS(index_exports);
 
 // src/agent/CredentialProviderVcdm2Jose.ts
-var import_ssi_sdk = require("@sphereon/ssi-sdk.credential-vcdm");
-var import_did_jwt_vc = require("did-jwt-vc");
-var import_did_jwt3 = require("did-jwt");
-var import_debug = __toESM(require("debug"), 1);
-var import_ssi_sdk2 = require("@sphereon/ssi-sdk.core");
-var import_ssi_sdk3 = require("@sphereon/ssi-sdk.agent-config");
 var import_ssi_sdk_ext = require("@sphereon/ssi-sdk-ext.identifier-resolution");
+var import_ssi_sdk_ext2 = require("@sphereon/ssi-sdk-ext.key-utils");
+var import_ssi_sdk = require("@sphereon/ssi-sdk.agent-config");
+var import_ssi_sdk2 = require("@sphereon/ssi-sdk.core");
+var import_ssi_sdk3 = require("@sphereon/ssi-sdk.credential-vcdm");
 var import_ssi_types = require("@sphereon/ssi-types");
+var import_debug = __toESM(require("debug"), 1);
+var import_did_jwt3 = require("did-jwt");
+var import_did_jwt_vc = require("did-jwt-vc");
 
 // src/did-jwt/JWT.ts
 var import_canonicalize = __toESM(require("canonicalize"), 1);
@@ -443,7 +444,6 @@ var SELF_ISSUED_V2_VC_INTEROP = "https://self-issued.me/v2/openid-vc";
 var SELF_ISSUED_V0_1 = "https://self-issued.me";
 
 // src/agent/CredentialProviderVcdm2Jose.ts
-var import_ssi_sdk_ext2 = require("@sphereon/ssi-sdk-ext.key-utils");
 var debug = (0, import_debug.default)("sphereon:ssi-sdk:credential-jwt");
 var CredentialProviderVcdm2Jose = class {
   static {
@@ -476,7 +476,7 @@ var CredentialProviderVcdm2Jose = class {
   async createVerifiableCredential(args, context) {
     const { keyRef } = args;
     const agent = assertContext(context).agent;
-    const { credential, issuer } = (0, import_ssi_sdk.preProcessCredentialPayload)(args);
+    const { credential, issuer } = (0, import_ssi_sdk3.preProcessCredentialPayload)(args);
     if (!(0, import_ssi_types.isVcdm2Credential)(credential)) {
       return Promise.reject(new Error("invalid_argument: credential must be a VCDM2 credential. Context: " + credential["@context"]));
     }
@@ -492,7 +492,7 @@ var CredentialProviderVcdm2Jose = class {
       identifier: identifier.did,
       kmsKeyRef: keyRef
     });
-    const key = await (0, import_ssi_sdk.pickSigningKey)({
+    const key = await (0, import_ssi_sdk3.pickSigningKey)({
       identifier,
       kmsKeyRef: keyRef
     }, context);
@@ -517,13 +517,10 @@ var CredentialProviderVcdm2Jose = class {
   }
   /** {@inheritdoc ICredentialVerifier.verifyCredential} */
   async verifyCredential(args, context) {
-    let {
-      credential
-      /*policies, ...otherOptions*/
-    } = args;
+    let { credential, policies } = args;
     const uniform = import_ssi_types.CredentialMapper.toUniformCredential(credential);
     if (!(0, import_ssi_types.isVcdm2Credential)(uniform)) {
-      return Promise.reject(new Error("invalid_argument: credential must be a VCDM2 credential. Context: " + credential["@context"]));
+      return Promise.reject(new Error("invalid_argument: credential must be a VCDM2 credential. Context: " + uniform["@context"]));
     }
     let verificationResult = {
       verified: false
@@ -532,14 +529,22 @@ var CredentialProviderVcdm2Jose = class {
     if (!jwt) {
       return Promise.reject(new Error("invalid_argument: credential must be a VCDM2 credential in JOSE format (string)"));
     }
+    policies = {
+      ...policies,
+      nbf: policies?.nbf ?? policies?.issuanceDate ?? policies?.validFrom,
+      iat: policies?.iat ?? policies?.issuanceDate ?? policies?.validFrom,
+      exp: policies?.exp ?? policies?.expirationDate ?? policies?.validUntil,
+      aud: policies?.aud ?? policies?.audience
+    };
     verificationResult = await verifierSignature({
-      jwt
+      jwt,
+      policies
     }, context);
     return verificationResult;
   }
   /** {@inheritdoc @veramo/credential-w3c#AbstractCredentialProvider.createVerifiablePresentation} */
   async createVerifiablePresentation(args, context) {
-    const { presentation, holder } = (0, import_ssi_sdk.preProcessPresentation)(args);
+    const { presentation, holder } = (0, import_ssi_sdk3.preProcessPresentation)(args);
     let {
       domain,
       challenge,
@@ -552,7 +557,7 @@ var CredentialProviderVcdm2Jose = class {
       kmsKeyRef: keyRef
     });
     const identifier = managedIdentifier.identifier;
-    const key = await (0, import_ssi_sdk.pickSigningKey)({
+    const key = await (0, import_ssi_sdk3.pickSigningKey)({
       identifier: managedIdentifier.identifier,
       kmsKeyRef: managedIdentifier.kmsKeyRef
     }, context);
@@ -633,7 +638,18 @@ var CredentialProviderVcdm2Jose = class {
       if (result) {
         return {
           verified: true,
-          verifiablePresentation: result
+          results: [
+            {
+              verified: true,
+              presentation: result.verifiablePresentation,
+              log: [
+                {
+                  id: "valid_signature",
+                  valid: true
+                }
+              ]
+            }
+          ]
         };
       }
     } catch (e) {
@@ -680,7 +696,7 @@ var CredentialProviderVcdm2Jose = class {
     };
   }
 };
-async function verifierSignature({ jwt }, verifierContext) {
+async function verifierSignature({ jwt, policies }, verifierContext) {
   let credIssuer = void 0;
   const context = assertContext(verifierContext);
   const agent = context.agent;
@@ -721,9 +737,16 @@ async function verifierSignature({ jwt }, verifierContext) {
   if (!credIssuer) {
     throw new Error(`${import_did_jwt3.JWT_ERROR.INVALID_JWT}: No DID has been found in the JWT`);
   }
-  const resolution = await agent.identifierExternalResolve({
-    identifier: credIssuer
-  });
+  let resolution = void 0;
+  try {
+    resolution = await agent.identifierExternalResolve({
+      identifier: credIssuer
+    });
+  } catch (e) {
+  }
+  const credential = import_ssi_types.CredentialMapper.toUniformCredential(jwt);
+  const validFromError = policies.nbf !== false && policies.iat !== false && "validFrom" in credential && !!credential.validFrom && Date.parse(credential.validFrom) > (/* @__PURE__ */ new Date()).getTime();
+  const expired = policies.exp !== false && "validUntil" in credential && !!credential.validUntil && Date.parse(credential.validUntil) < (/* @__PURE__ */ new Date()).getTime();
   const didOpts = {
     method: "did",
     identifier: credIssuer
@@ -731,27 +754,85 @@ async function verifierSignature({ jwt }, verifierContext) {
   const jwtResult = await agent.jwtVerifyJwsSignature({
     jws: jwt,
     // @ts-ignore
-    jwk: resolution.jwks[0].jwk,
+    jwk: resolution?.jwks[0].jwk,
     opts: {
       ...(0, import_ssi_sdk_ext.isDidIdentifier)(credIssuer) && {
         did: didOpts
       }
     }
   });
-  if (jwtResult.error) {
+  const error = jwtResult.error || expired || !resolution;
+  const errorMessage = expired ? "Credential is expired" : validFromError ? "Credential is not valid yet" : !resolution ? `Issuer ${credIssuer} could not be resolved` : jwtResult.message;
+  if (error) {
+    const log2 = [
+      {
+        id: "valid_signature",
+        valid: !jwtResult.error
+      },
+      {
+        id: "issuer_did_resolves",
+        valid: resolution != void 0
+      },
+      {
+        id: "validFrom",
+        valid: policies.nbf !== false && !validFromError
+      },
+      {
+        id: "expiration",
+        valid: policies.exp !== false && !expired
+      }
+    ];
     return {
       verified: false,
       error: {
-        message: jwtResult.message,
+        message: errorMessage,
         errorCode: jwtResult.name
       },
+      log: log2,
+      results: [
+        {
+          verified: false,
+          credential: jwt,
+          log: log2,
+          error: {
+            message: errorMessage,
+            errorCode: jwtResult.name
+          }
+        }
+      ],
       payload,
       didResolutionResult: resolution,
       jwt
     };
   }
+  const log = [
+    {
+      id: "valid_signature",
+      valid: true
+    },
+    {
+      id: "issuer_did_resolves",
+      valid: true
+    },
+    {
+      id: "validFrom",
+      valid: true
+    },
+    {
+      id: "expiration",
+      valid: true
+    }
+  ];
   return {
     verified: true,
+    log,
+    results: [
+      {
+        verified: true,
+        credential,
+        log
+      }
+    ],
     payload,
     didResolutionResult: resolution,
     jwt
@@ -759,9 +840,9 @@ async function verifierSignature({ jwt }, verifierContext) {
 }
 __name(verifierSignature, "verifierSignature");
 function assertContext(context) {
-  if (!(0, import_ssi_sdk3.contextHasPlugin)(context, "jwtPrepareJws")) {
+  if (!(0, import_ssi_sdk.contextHasPlugin)(context, "jwtPrepareJws")) {
     throw Error("JwtService plugin not found, which is required for JWT signing in the VCDM2 Jose credential provider. Please add the JwtService plugin to your agent configuration.");
-  } else if (!(0, import_ssi_sdk3.contextHasPlugin)(context, "identifierManagedGet")) {
+  } else if (!(0, import_ssi_sdk.contextHasPlugin)(context, "identifierManagedGet")) {
     throw Error("Identifier resolution plugin not found, which is required for JWT signing in the VCDM2 Jose credential provider. Please add the JwtService plugin to your agent configuration.");
   }
   return context;