@sphereon/ssi-sdk.credential-vcdm2-jose-provider 0.34.1-next.91 → 0.36.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
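--- a/(unknown)
+++ b/(unknown)
@@ -2,7 +2,7 @@ import {
 type ExternalIdentifierDidOpts,
 ExternalIdentifierResult,
 type IIdentifierResolution,
-isDidIdentifier
+isDidIdentifier,
 } from '@sphereon/ssi-sdk-ext.identifier-resolution'
 import type { IJwtService, JwsHeader, JwsPayload } from '@sphereon/ssi-sdk-ext.jwt-service'
 import { signatureAlgorithmFromKey } from '@sphereon/ssi-sdk-ext.key-utils'
@@ -20,14 +20,9 @@ import {
 IVerifyPresentationLDArgs,
 pickSigningKey,
 preProcessCredentialPayload,
-preProcessPresentation
+preProcessPresentation,
 } from '@sphereon/ssi-sdk.credential-vcdm'
-import {
-CredentialMapper,
-isVcdm2Credential,
-type IVerifyResult,
-type OriginalVerifiableCredential
-} from '@sphereon/ssi-types'
+import { CredentialMapper, isVcdm2Credential, type IVerifyResult, type OriginalVerifiableCredential } from '@sphereon/ssi-types'
 import type {
 IAgentContext,
 IDIDManager,
@@ -35,8 +30,9 @@ import type {
 IKey,
 IKeyManager,
 IResolver,
-VerifiableCredential,
-
+VerifiableCredential,
+VerificationPolicies,
+VerifierAgentContext,
 } from '@veramo/core'
 
 import Debug from 'debug'
@@ -111,7 +107,7 @@ export class CredentialProviderVcdm2Jose implements IVcdmCredentialProvider {
 kid: key.meta?.verificationMethod?.id ?? key.kid,
 alg,
 typ: 'vc+jwt',
-cty: 'vc'
+cty: 'vc',
 }
 
 const jwt = await context.agent.jwtCreateJwsCompactSignature({
@@ -119,7 +115,7 @@ export class CredentialProviderVcdm2Jose implements IVcdmCredentialProvider {
 issuer: managedIdentifier,
 payload: credential,
 protectedHeader: header,
-clientIdScheme: 'did'
+clientIdScheme: 'did',
 })
 
 // debug(jwt)
@@ -128,7 +124,7 @@ export class CredentialProviderVcdm2Jose implements IVcdmCredentialProvider {
 
 /** {@inheritdoc ICredentialVerifier.verifyCredential} */
 async verifyCredential(args: IVerifyCredentialVcdmArgs, context: VerifierAgentContext): Promise<IVerifyResult> {
-let { credential, policies
+let { credential, policies /*...otherOptions*/ } = args
 const uniform = CredentialMapper.toUniformCredential(credential as OriginalVerifiableCredential)
 // let verifiedCredential: VerifiableCredential
 if (!isVcdm2Credential(uniform)) {
@@ -144,7 +140,7 @@ export class CredentialProviderVcdm2Jose implements IVcdmCredentialProvider {
 nbf: policies?.nbf ?? policies?.issuanceDate ?? policies?.validFrom,
 iat: policies?.iat ?? policies?.issuanceDate ?? policies?.validFrom,
 exp: policies?.exp ?? policies?.expirationDate ?? policies?.validUntil,
-aud: policies?.aud ?? policies?.audience
+aud: policies?.aud ?? policies?.audience,
 }
 verificationResult = await verifierSignature({ jwt, policies }, context)
 return verificationResult
@@ -221,9 +217,9 @@ export class CredentialProviderVcdm2Jose implements IVcdmCredentialProvider {
 const key = await pickSigningKey(
 {
 identifier: managedIdentifier.identifier,
-kmsKeyRef: managedIdentifier.kmsKeyRef
+kmsKeyRef: managedIdentifier.kmsKeyRef,
 },
-context
+context,
 )
 
 debug('Signing VC with', identifier.did)
@@ -238,12 +234,12 @@ export class CredentialProviderVcdm2Jose implements IVcdmCredentialProvider {
 kid: key.meta.verificationMethod.id ?? key.kid,
 alg,
 typ: 'vp+jwt',
-cty: 'vp'
+cty: 'vp',
 }
 const payload: JwsPayload = {
 ...presentation,
 ...(domain && { aud: domain }),
-...(challenge && { nonce: challenge })
+...(challenge && { nonce: challenge }),
 }
 
 const jwt = await agent.jwtCreateJwsCompactSignature({
@@ -251,7 +247,7 @@ export class CredentialProviderVcdm2Jose implements IVcdmCredentialProvider {
 issuer: managedIdentifier,
 payload,
 protectedHeader: header,
-clientIdScheme: 'did'
+clientIdScheme: 'did',
 })
 
 debug(jwt)
@@ -271,8 +267,8 @@ export class CredentialProviderVcdm2Jose implements IVcdmCredentialProvider {
 resolve: (didUrl: string) =>
 context.agent.resolveDid({
 didUrl,
-options: otherOptions?.resolutionOptions
-})
+options: otherOptions?.resolutionOptions,
+}),
 } as Resolvable
 
 let audience = domain
@@ -300,9 +296,9 @@ export class CredentialProviderVcdm2Jose implements IVcdmCredentialProvider {
 nbf: policies?.nbf ?? policies?.issuanceDate,
 iat: policies?.iat ?? policies?.issuanceDate,
 exp: policies?.exp ?? policies?.expirationDate,
-aud: policies?.aud ?? policies?.audience
+aud: policies?.aud ?? policies?.audience,
 },
-...otherOptions
+...otherOptions,
 })
 if (result) {
 /**
@@ -321,11 +317,11 @@ export class CredentialProviderVcdm2Jose implements IVcdmCredentialProvider {
 log: [
 {
 id: 'valid_signature',
-valid: true
-}
-]
-}
-]
+valid: true,
+},
+],
+},
+],
 } satisfies IVerifyResult
 }
 } catch (e: any) {
@@ -336,8 +332,8 @@ export class CredentialProviderVcdm2Jose implements IVcdmCredentialProvider {
 verified: false,
 error: {
 message,
-errorCode: errorCode ? errorCode : message?.split(':')[0]
-}
+errorCode: errorCode ? errorCode : message?.split(':')[0],
+},
 }
 }
 
@@ -369,8 +365,8 @@ export class CredentialProviderVcdm2Jose implements IVcdmCredentialProvider {
 }
 
 export async function verifierSignature(
-{ jwt, policies }: { jwt: string
-verifierContext: VerifierAgentContext
+{ jwt, policies }: { jwt: string; policies: VerificationPolicies /*resolver: Resolvable*/ },
+verifierContext: VerifierAgentContext,
 ): Promise<IVerifyResult> {
 let credIssuer: string | undefined = undefined
 const context = assertContext(verifierContext)
@@ -417,32 +413,43 @@ export async function verifierSignature(
 let resolution: ExternalIdentifierResult | undefined = undefined
 try {
 resolution = await agent.identifierExternalResolve({ identifier: credIssuer })
-} catch (e: any) {
-}
+} catch (e: any) {}
 const credential = CredentialMapper.toUniformCredential(jwt)
 
-const validFromError =
-
+const validFromError =
+policies.nbf !== false &&
+policies.iat !== false &&
+'validFrom' in credential &&
+!!credential.validFrom &&
+Date.parse(credential.validFrom) > new Date().getTime()
+const expired =
+policies.exp !== false && 'validUntil' in credential && !!credential.validUntil && Date.parse(credential.validUntil) < new Date().getTime()
 
 const didOpts = { method: 'did', identifier: credIssuer } satisfies ExternalIdentifierDidOpts
 const jwtResult = await agent.jwtVerifyJwsSignature({
 jws: jwt,
 // @ts-ignore
 jwk: resolution?.jwks[0].jwk,
-opts: { ...(isDidIdentifier(credIssuer) && { did: didOpts }) }
+opts: { ...(isDidIdentifier(credIssuer) && { did: didOpts }) },
 })
 const error = jwtResult.error || expired || !resolution
-const errorMessage = expired
+const errorMessage = expired
+? 'Credential is expired'
+: validFromError
+? 'Credential is not valid yet'
+: !resolution
+? `Issuer ${credIssuer} could not be resolved`
+: jwtResult.message
 
 if (error) {
 const log = [
 {
 id: 'valid_signature',
-valid: !jwtResult.error
+valid: !jwtResult.error,
 },
 { id: 'issuer_did_resolves', valid: resolution != undefined },
 { id: 'validFrom', valid: policies.nbf !== false && !validFromError },
-{ id: 'expiration', valid: policies.exp !== false && !expired }
+{ id: 'expiration', valid: policies.exp !== false && !expired },
 ]
 return {
 verified: false,
@@ -453,32 +460,32 @@ export async function verifierSignature(
 verified: false,
 credential: jwt,
 log,
-error: { message: errorMessage, errorCode: jwtResult.name }
-}
+error: { message: errorMessage, errorCode: jwtResult.name },
+},
 ],
 payload,
 didResolutionResult: resolution,
-jwt
+jwt,
 } satisfies IVerifyResult
 }
 
 const log = [
 {
 id: 'valid_signature',
-valid: true
+valid: true,
 },
 {
 id: 'issuer_did_resolves',
-valid: true
+valid: true,
 },
 {
 id: 'validFrom',
-valid: true
+valid: true,
 },
 {
 id: 'expiration',
-valid: true
-}
+valid: true,
+},
 ]
 return {
 verified: true,
@@ -487,12 +494,12 @@ export async function verifierSignature(
 {
 verified: true,
 credential,
-log
-}
+log,
+},
 ],
 payload,
 didResolutionResult: resolution,
-jwt
+jwt,
 } satisfies IVerifyResult
 }
 
@@ -635,17 +642,17 @@ export function validateContext(value: string | string[]): void {
 }
 */
 function assertContext(
-context: IVcdmIssuerAgentContext | IVcdmVerifierAgentContext
+context: IVcdmIssuerAgentContext | IVcdmVerifierAgentContext,
 ): IAgentContext<
 IResolver & IDIDManager & Pick<IKeyManager, 'keyManagerGet' | 'keyManagerSign' | 'keyManagerVerify'> & IJwtService & IIdentifierResolution
 > {
 if (!contextHasPlugin<IJwtService>(context, 'jwtPrepareJws')) {
 throw Error(
-'JwtService plugin not found, which is required for JWT signing in the VCDM2 Jose credential provider. Please add the JwtService plugin to your agent configuration.'
+'JwtService plugin not found, which is required for JWT signing in the VCDM2 Jose credential provider. Please add the JwtService plugin to your agent configuration.',
 )
 } else if (!contextHasPlugin<IIdentifierResolution>(context, 'identifierManagedGet')) {
 throw Error(
-'Identifier resolution plugin not found, which is required for JWT signing in the VCDM2 Jose credential provider. Please add the JwtService plugin to your agent configuration.'
+'Identifier resolution plugin not found, which is required for JWT signing in the VCDM2 Jose credential provider. Please add the JwtService plugin to your agent configuration.',
 )
 }
 return context as IAgentContext<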
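Review bot: In the `@@ -417,32 +413,43 @@` hunk of `verifierSignature`, the newly spelled-out `validFromError` never reaches the verification gate: the unchanged context line `const error = jwtResult.error || expired || !resolution` omits it, so a credential whose `validFrom` lies in the future still returns `verified: true` (only the error message and the error-branch `validFrom` log entry know about it, and the success branch logs `validFrom` as `valid: true` unconditionally). The gate should read `const error = jwtResult.error || expired || validFromError || !resolution`. Separately, `Date.parse` returns `NaN` for an unparseable `validFrom`/`validUntil`, and `NaN < new Date().getTime()` is false, so a malformed `validUntil` is silently treated as not expired; guarding with `Number.isNaN` so that an unparseable date fails closed would be safer, and the comparisons currently allow no clock-skew tolerance. The enclosing `verifierSignature` starts and ends outside this hunk.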