@sphereon/ssi-sdk.credential-vcdm2-sdjwt-provider 0.34.1-next.85

package/dist/index.cjs

@@ -0,0 +1,896 @@
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __name = (target, value) => __defProp(target, "name", { value, configurable: true });
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/index.ts
+var index_exports = {};
+__export(index_exports, {
+  CredentialProviderVcdm2SdJwt: () => CredentialProviderVcdm2SdJwt
+});
+module.exports = __toCommonJS(index_exports);
+
+// src/agent/CredentialProviderVcdm2SdJwt.ts
+var import_ssi_sdk_ext = require("@sphereon/ssi-sdk-ext.identifier-resolution");
+var import_ssi_sdk_ext2 = require("@sphereon/ssi-sdk-ext.key-utils");
+var import_ssi_sdk = require("@sphereon/ssi-sdk.agent-config");
+var import_ssi_sdk2 = require("@sphereon/ssi-sdk.core");
+var import_ssi_sdk3 = require("@sphereon/ssi-sdk.credential-vcdm");
+var import_ssi_types = require("@sphereon/ssi-types");
+var import_debug = __toESM(require("debug"), 1);
+var import_did_jwt3 = require("did-jwt");
+var import_did_jwt_vc = require("did-jwt-vc");
+
+// src/did-jwt/JWT.ts
+var import_canonicalize = __toESM(require("canonicalize"), 1);
+var import_did_resolver = require("did-resolver");
+
+// src/did-jwt/util.ts
+var u8a = __toESM(require("uint8arrays"), 1);
+var import_ed25519 = require("@noble/curves/ed25519");
+var import_multiformats = require("multiformats");
+var import_multibase = require("multibase");
+var import_secp256k1 = require("@noble/curves/secp256k1");
+var import_p256 = require("@noble/curves/p256");
+function bytesToBase64url(b) {
+  return u8a.toString(b, "base64url");
+}
+__name(bytesToBase64url, "bytesToBase64url");
+function base64ToBytes(s) {
+  const inputBase64Url = s.replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "");
+  return u8a.fromString(inputBase64Url, "base64url");
+}
+__name(base64ToBytes, "base64ToBytes");
+function base58ToBytes(s) {
+  return u8a.fromString(s, "base58btc");
+}
+__name(base58ToBytes, "base58ToBytes");
+var VM_TO_KEY_TYPE = {
+  Secp256k1SignatureVerificationKey2018: "Secp256k1",
+  Secp256k1VerificationKey2018: "Secp256k1",
+  EcdsaSecp256k1VerificationKey2019: "Secp256k1",
+  EcdsaPublicKeySecp256k1: "Secp256k1",
+  EcdsaSecp256k1RecoveryMethod2020: "Secp256k1",
+  EcdsaSecp256r1VerificationKey2019: "P-256",
+  Ed25519VerificationKey2018: "Ed25519",
+  Ed25519VerificationKey2020: "Ed25519",
+  ED25519SignatureVerification: "Ed25519",
+  X25519KeyAgreementKey2019: "X25519",
+  X25519KeyAgreementKey2020: "X25519",
+  ConditionalProof2022: void 0,
+  JsonWebKey2020: void 0,
+  Multikey: void 0
+};
+var supportedCodecs = {
+  "ed25519-pub": 237,
+  "x25519-pub": 236,
+  "secp256k1-pub": 231,
+  "bls12_381-g1-pub": 234,
+  "bls12_381-g2-pub": 235,
+  "p256-pub": 4608
+};
+var CODEC_TO_KEY_TYPE = {
+  "bls12_381-g1-pub": "Bls12381G1",
+  "bls12_381-g2-pub": "Bls12381G2",
+  "ed25519-pub": "Ed25519",
+  "p256-pub": "P-256",
+  "secp256k1-pub": "Secp256k1",
+  "x25519-pub": "X25519"
+};
+function extractPublicKeyBytes(pk) {
+  if (pk.publicKeyBase58) {
+    return {
+      keyBytes: base58ToBytes(pk.publicKeyBase58),
+      keyType: VM_TO_KEY_TYPE[pk.type]
+    };
+  } else if (pk.publicKeyBase64) {
+    return {
+      keyBytes: base64ToBytes(pk.publicKeyBase64),
+      keyType: VM_TO_KEY_TYPE[pk.type]
+    };
+  } else if (pk.publicKeyHex) {
+    return {
+      keyBytes: hexToBytes(pk.publicKeyHex),
+      keyType: VM_TO_KEY_TYPE[pk.type]
+    };
+  } else if (pk.publicKeyJwk && pk.publicKeyJwk.crv === "secp256k1" && pk.publicKeyJwk.x && pk.publicKeyJwk.y) {
+    return {
+      keyBytes: import_secp256k1.secp256k1.ProjectivePoint.fromAffine({
+        x: bytesToBigInt(base64ToBytes(pk.publicKeyJwk.x)),
+        y: bytesToBigInt(base64ToBytes(pk.publicKeyJwk.y))
+      }).toRawBytes(false),
+      keyType: "Secp256k1"
+    };
+  } else if (pk.publicKeyJwk && pk.publicKeyJwk.crv === "P-256" && pk.publicKeyJwk.x && pk.publicKeyJwk.y) {
+    return {
+      keyBytes: import_p256.p256.ProjectivePoint.fromAffine({
+        x: bytesToBigInt(base64ToBytes(pk.publicKeyJwk.x)),
+        y: bytesToBigInt(base64ToBytes(pk.publicKeyJwk.y))
+      }).toRawBytes(false),
+      keyType: "P-256"
+    };
+  } else if (pk.publicKeyJwk && pk.publicKeyJwk.kty === "OKP" && [
+    "Ed25519",
+    "X25519"
+  ].includes(pk.publicKeyJwk.crv ?? "") && pk.publicKeyJwk.x) {
+    return {
+      keyBytes: base64ToBytes(pk.publicKeyJwk.x),
+      keyType: pk.publicKeyJwk.crv
+    };
+  } else if (pk.publicKeyMultibase) {
+    const { keyBytes, keyType } = multibaseToBytes(pk.publicKeyMultibase);
+    return {
+      keyBytes,
+      keyType: keyType ?? VM_TO_KEY_TYPE[pk.type]
+    };
+  }
+  return {
+    keyBytes: new Uint8Array()
+  };
+}
+__name(extractPublicKeyBytes, "extractPublicKeyBytes");
+function multibaseToBytes(s) {
+  const bytes = (0, import_multibase.decode)(s);
+  if ([
+    32,
+    33,
+    48,
+    64,
+    65,
+    96
+  ].includes(bytes.length)) {
+    return {
+      keyBytes: bytes
+    };
+  }
+  try {
+    const [codec, length] = import_multiformats.varint.decode(bytes);
+    const possibleCodec = Object.entries(supportedCodecs).filter(([, code]) => code === codec)?.[0][0] ?? "";
+    return {
+      keyBytes: bytes.slice(length),
+      keyType: CODEC_TO_KEY_TYPE[possibleCodec]
+    };
+  } catch (e) {
+    return {
+      keyBytes: bytes
+    };
+  }
+}
+__name(multibaseToBytes, "multibaseToBytes");
+function hexToBytes(s, minLength) {
+  let input = s.startsWith("0x") ? s.substring(2) : s;
+  if (input.length % 2 !== 0) {
+    input = `0${input}`;
+  }
+  if (minLength) {
+    const paddedLength = Math.max(input.length, minLength * 2);
+    input = input.padStart(paddedLength, "00");
+  }
+  return u8a.fromString(input.toLowerCase(), "base16");
+}
+__name(hexToBytes, "hexToBytes");
+function bytesToHex(b) {
+  return u8a.toString(b, "base16");
+}
+__name(bytesToHex, "bytesToHex");
+function bytesToBigInt(b) {
+  return BigInt(`0x` + u8a.toString(b, "base16"));
+}
+__name(bytesToBigInt, "bytesToBigInt");
+function stringToBytes(s) {
+  return u8a.fromString(s, "utf-8");
+}
+__name(stringToBytes, "stringToBytes");
+function toJose({ r, s, recoveryParam }, recoverable) {
+  const jose = new Uint8Array(recoverable ? 65 : 64);
+  jose.set(u8a.fromString(r, "base16"), 0);
+  jose.set(u8a.fromString(s, "base16"), 32);
+  if (recoverable) {
+    if (typeof recoveryParam === "undefined") {
+      throw new Error("Signer did not return a recoveryParam");
+    }
+    jose[64] = recoveryParam;
+  }
+  return bytesToBase64url(jose);
+}
+__name(toJose, "toJose");
+function fromJose(signature) {
+  const signatureBytes = base64ToBytes(signature);
+  if (signatureBytes.length < 64 || signatureBytes.length > 65) {
+    throw new TypeError(`Wrong size for signature. Expected 64 or 65 bytes, but got ${signatureBytes.length}`);
+  }
+  const r = bytesToHex(signatureBytes.slice(0, 32));
+  const s = bytesToHex(signatureBytes.slice(32, 64));
+  const recoveryParam = signatureBytes.length === 65 ? signatureBytes[64] : void 0;
+  return {
+    r,
+    s,
+    recoveryParam
+  };
+}
+__name(fromJose, "fromJose");
+
+// src/did-jwt/SignerAlgorithm.ts
+function instanceOfEcdsaSignature(object) {
+  return typeof object === "object" && "r" in object && "s" in object;
+}
+__name(instanceOfEcdsaSignature, "instanceOfEcdsaSignature");
+function ES256SignerAlg() {
+  return /* @__PURE__ */ __name(async function sign(payload, signer) {
+    const signature = await signer(payload);
+    if (instanceOfEcdsaSignature(signature)) {
+      return toJose(signature);
+    } else {
+      return signature;
+    }
+  }, "sign");
+}
+__name(ES256SignerAlg, "ES256SignerAlg");
+function ES256KSignerAlg(recoverable) {
+  return /* @__PURE__ */ __name(async function sign(payload, signer) {
+    const signature = await signer(payload);
+    if (instanceOfEcdsaSignature(signature)) {
+      return toJose(signature, recoverable);
+    } else {
+      if (recoverable && typeof fromJose(signature).recoveryParam === "undefined") {
+        throw new Error(`not_supported: ES256K-R not supported when signer doesn't provide a recovery param`);
+      }
+      return signature;
+    }
+  }, "sign");
+}
+__name(ES256KSignerAlg, "ES256KSignerAlg");
+function Ed25519SignerAlg() {
+  return /* @__PURE__ */ __name(async function sign(payload, signer) {
+    const signature = await signer(payload);
+    if (!instanceOfEcdsaSignature(signature)) {
+      return signature;
+    } else {
+      throw new Error("invalid_config: expected a signer function that returns a string instead of signature object");
+    }
+  }, "sign");
+}
+__name(Ed25519SignerAlg, "Ed25519SignerAlg");
+var algorithms = {
+  ES256: ES256SignerAlg(),
+  ES256K: ES256KSignerAlg(),
+  // This is a non-standard algorithm but retained for backwards compatibility
+  // see https://github.com/decentralized-identity/did-jwt/issues/146
+  "ES256K-R": ES256KSignerAlg(true),
+  // This is actually incorrect but retained for backwards compatibility
+  // see https://github.com/decentralized-identity/did-jwt/issues/130
+  Ed25519: Ed25519SignerAlg(),
+  EdDSA: Ed25519SignerAlg()
+};
+
+// src/did-jwt/VerifierAlgorithm.ts
+var import_did_jwt = require("did-jwt");
+var import_secp256k12 = require("@noble/curves/secp256k1");
+var import_p2562 = require("@noble/curves/p256");
+var import_ed255192 = require("@noble/curves/ed25519");
+var u8a2 = __toESM(require("uint8arrays"), 1);
+var import_sha256 = require("@noble/hashes/sha256");
+function sha256(payload) {
+  const data = typeof payload === "string" ? u8a2.fromString(payload) : payload;
+  return (0, import_sha256.sha256)(data);
+}
+__name(sha256, "sha256");
+function toSignatureObject(signature, recoverable = false) {
+  const rawSig = base64ToBytes(signature);
+  if (rawSig.length !== (recoverable ? 65 : 64)) {
+    throw new Error("wrong signature length");
+  }
+  const r = bytesToHex(rawSig.slice(0, 32));
+  const s = bytesToHex(rawSig.slice(32, 64));
+  const sigObj = {
+    r,
+    s
+  };
+  if (recoverable) {
+    sigObj.recoveryParam = rawSig[64];
+  }
+  return sigObj;
+}
+__name(toSignatureObject, "toSignatureObject");
+function toSignatureObject2(signature, recoverable = false) {
+  const bytes = base64ToBytes(signature);
+  if (bytes.length !== (recoverable ? 65 : 64)) {
+    throw new Error("wrong signature length");
+  }
+  return {
+    compact: bytes.slice(0, 64),
+    recovery: bytes[64]
+  };
+}
+__name(toSignatureObject2, "toSignatureObject2");
+function verifyES256(data, signature, authenticators) {
+  const hash2 = sha256(data);
+  const sig = import_p2562.p256.Signature.fromCompact(toSignatureObject2(signature).compact);
+  const fullPublicKeys = authenticators.filter((a) => !a.ethereumAddress && !a.blockchainAccountId);
+  const signer = fullPublicKeys.find((pk) => {
+    try {
+      const { keyBytes } = extractPublicKeyBytes(pk);
+      return import_p2562.p256.verify(sig, hash2, keyBytes);
+    } catch (err) {
+      return false;
+    }
+  });
+  if (!signer) throw new Error("invalid_signature: Signature invalid for JWT");
+  return signer;
+}
+__name(verifyES256, "verifyES256");
+function verifyES256K(data, signature, authenticators) {
+  const hash2 = sha256(data);
+  const signatureNormalized = import_secp256k12.secp256k1.Signature.fromCompact(base64ToBytes(signature)).normalizeS();
+  const fullPublicKeys = authenticators.filter((a) => {
+    return !a.ethereumAddress && !a.blockchainAccountId;
+  });
+  const blockchainAddressKeys = authenticators.filter((a) => {
+    return a.ethereumAddress || a.blockchainAccountId;
+  });
+  let signer = fullPublicKeys.find((pk) => {
+    try {
+      const { keyBytes } = extractPublicKeyBytes(pk);
+      return import_secp256k12.secp256k1.verify(signatureNormalized, hash2, keyBytes);
+    } catch (err) {
+      return false;
+    }
+  });
+  if (!signer && blockchainAddressKeys.length > 0) {
+    signer = verifyRecoverableES256K(data, signature, blockchainAddressKeys);
+  }
+  if (!signer) throw new Error("invalid_signature: Signature invalid for JWT");
+  return signer;
+}
+__name(verifyES256K, "verifyES256K");
+function verifyRecoverableES256K(data, signature, authenticators) {
+  const signatures = [];
+  if (signature.length > 86) {
+    signatures.push(toSignatureObject2(signature, true));
+  } else {
+    const so = toSignatureObject2(signature, false);
+    signatures.push({
+      ...so,
+      recovery: 0
+    });
+    signatures.push({
+      ...so,
+      recovery: 1
+    });
+  }
+  const hash2 = sha256(data);
+  const checkSignatureAgainstSigner = /* @__PURE__ */ __name((sigObj) => {
+    const signature2 = import_secp256k12.secp256k1.Signature.fromCompact(sigObj.compact).addRecoveryBit(sigObj.recovery || 0);
+    const recoveredPublicKey = signature2.recoverPublicKey(hash2);
+    const recoveredAddress = (0, import_did_jwt.toEthereumAddress)(recoveredPublicKey.toHex(false)).toLowerCase();
+    const recoveredPublicKeyHex = recoveredPublicKey.toHex(false);
+    const recoveredCompressedPublicKeyHex = recoveredPublicKey.toHex(true);
+    return authenticators.find((a) => {
+      const { keyBytes } = extractPublicKeyBytes(a);
+      const keyHex = bytesToHex(keyBytes);
+      return keyHex === recoveredPublicKeyHex || keyHex === recoveredCompressedPublicKeyHex || a.ethereumAddress?.toLowerCase() === recoveredAddress || a.blockchainAccountId?.split("@eip155")?.[0].toLowerCase() === recoveredAddress;
+    });
+  }, "checkSignatureAgainstSigner");
+  for (const signature2 of signatures) {
+    const verificationMethod = checkSignatureAgainstSigner(signature2);
+    if (verificationMethod) return verificationMethod;
+  }
+  throw new Error("invalid_signature: Signature invalid for JWT");
+}
+__name(verifyRecoverableES256K, "verifyRecoverableES256K");
+function verifyEd25519(data, signature, authenticators) {
+  const clear = stringToBytes(data);
+  const signatureBytes = base64ToBytes(signature);
+  const signer = authenticators.find((a) => {
+    const { keyBytes, keyType } = extractPublicKeyBytes(a);
+    if (keyType === "Ed25519") {
+      return import_ed255192.ed25519.verify(signatureBytes, clear, keyBytes);
+    } else {
+      return false;
+    }
+  });
+  if (!signer) throw new Error("invalid_signature: Signature invalid for JWT");
+  return signer;
+}
+__name(verifyEd25519, "verifyEd25519");
+var algorithms2 = {
+  ES256: verifyES256,
+  ES256K: verifyES256K,
+  // This is a non-standard algorithm but retained for backwards compatibility
+  // see https://github.com/decentralized-identity/did-jwt/issues/146
+  "ES256K-R": verifyRecoverableES256K,
+  // This is actually incorrect but retained for backwards compatibility
+  // see https://github.com/decentralized-identity/did-jwt/issues/130
+  Ed25519: verifyEd25519,
+  EdDSA: verifyEd25519
+};
+function VerifierAlgorithm(alg) {
+  const impl = algorithms2[alg];
+  if (!impl) throw new Error(`not_supported: Unsupported algorithm ${alg}`);
+  return impl;
+}
+__name(VerifierAlgorithm, "VerifierAlgorithm");
+VerifierAlgorithm.toSignatureObject = toSignatureObject;
+
+// src/did-jwt/JWT.ts
+var import_did_jwt2 = require("did-jwt");
+var SELF_ISSUED_V2 = "https://self-issued.me/v2";
+var SELF_ISSUED_V2_VC_INTEROP = "https://self-issued.me/v2/openid-vc";
+var SELF_ISSUED_V0_1 = "https://self-issued.me";
+
+// src/agent/CredentialProviderVcdm2SdJwt.ts
+var import_ssi_sdk4 = require("@sphereon/ssi-sdk.sd-jwt");
+var debug = (0, import_debug.default)("sphereon:ssi-sdk:credential-vcdm2-sdjwt");
+var CredentialProviderVcdm2SdJwt = class {
+  static {
+    __name(this, "CredentialProviderVcdm2SdJwt");
+  }
+  /** {@inheritdoc @veramo/credential-w3c#AbstractCredentialProvider.matchKeyForType} */
+  matchKeyForType(key) {
+    return this.matchKeyForJWT(key);
+  }
+  /** {@inheritdoc @veramo/credential-w3c#AbstractCredentialProvider.getTypeProofFormat} */
+  getTypeProofFormat() {
+    return "vc+sd-jwt";
+  }
+  /** {@inheritdoc @veramo/credential-w3c#AbstractCredentialProvider.canIssueCredentialType} */
+  canIssueCredentialType(args) {
+    const format = args.proofFormat.toLowerCase();
+    return format === "vc+sd-jwt" || format === "vcdm2_sdjwt";
+  }
+  /** {@inheritdoc @veramo/credential-w3c#AbstractCredentialProvider.canVerifyDocumentType */
+  canVerifyDocumentType(args) {
+    const { document } = args;
+    const jwt = typeof document === "string" ? document : document?.proof?.jwt;
+    if (!jwt) {
+      return false;
+    }
+    const { payload } = (0, import_did_jwt3.decodeJWT)(jwt.split("~")[0]);
+    return (0, import_ssi_types.isVcdm2Credential)(payload);
+  }
+  /** {@inheritdoc @veramo/credential-w3c#AbstractCredentialProvider.createVerifiableCredential} */
+  async createVerifiableCredential(args, context) {
+    const { keyRef } = args;
+    const agent = assertContext(context).agent;
+    const { credential, issuer } = (0, import_ssi_sdk3.preProcessCredentialPayload)(args);
+    if (!(0, import_ssi_types.isVcdm2Credential)(credential)) {
+      return Promise.reject(new Error("invalid_argument: credential must be a VCDM2 credential. Context: " + credential["@context"]));
+    } else if (!(0, import_ssi_sdk.contextHasPlugin)(context, "createSdJwtVc")) {
+      return Promise.reject(new Error("invalid_argument: SD-JWT plugin not available. Please install @sphereon/ssi-sdk.sd-jwt and configure agent for VCDM2 SD-JWT"));
+    }
+    let identifier;
+    try {
+      identifier = await agent.didManagerGet({
+        did: issuer
+      });
+    } catch (e) {
+      return Promise.reject(new Error(`invalid_argument: ${credential.issuer} must be a DID managed by this agent. ${e}`));
+    }
+    const managedIdentifier = await agent.identifierManagedGetByDid({
+      identifier: identifier.did,
+      kmsKeyRef: keyRef
+    });
+    const key = await (0, import_ssi_sdk3.pickSigningKey)({
+      identifier,
+      kmsKeyRef: keyRef
+    }, context);
+    const alg = await (0, import_ssi_sdk_ext2.signatureAlgorithmFromKey)({
+      key
+    });
+    debug("Signing VC with", identifier.did, alg);
+    credential.issuer = {
+      id: identifier.did
+    };
+    const result = await context.agent.createSdJwtVc({
+      type: "vc+sd-jwt",
+      credentialPayload: credential,
+      resolution: managedIdentifier,
+      disclosureFrame: args.opts?.disclosureFrame
+    });
+    const jwt = result.credential.split("~")[0];
+    const normalized = (0, import_did_jwt_vc.normalizeCredential)(jwt);
+    normalized.proof.jwt = result.credential;
+    return normalized;
+  }
+  /** {@inheritdoc ICredentialVerifier.verifyCredential} */
+  async verifyCredential(args, context) {
+    let {
+      credential,
+      policies
+      /*...otherOptions*/
+    } = args;
+    const uniform = import_ssi_types.CredentialMapper.toUniformCredential(credential);
+    if (!(0, import_ssi_types.isVcdm2Credential)(uniform)) {
+      return Promise.reject(new Error("invalid_argument: credential must be a VCDM2 credential. Context: " + uniform["@context"]));
+    } else if (!(0, import_ssi_sdk.contextHasPlugin)(context, "createSdJwtVc")) {
+      return Promise.reject(new Error("invalid_argument: SD-JWT plugin not available. Please install @sphereon/ssi-sdk.sd-jwt and configure agent for VCDM2 SD-JWT"));
+    }
+    let verificationResult = {
+      verified: false
+    };
+    let jwt = typeof credential === "string" ? credential : (0, import_ssi_sdk2.asArray)(uniform.proof)?.[0]?.jwt;
+    if (!jwt) {
+      return Promise.reject(new Error("invalid_argument: credential must be a VCDM2 credential in JOSE format (string)"));
+    }
+    try {
+      const result = await context.agent.verifySdJwtVc({
+        credential: jwt
+      });
+      if (result.payload) {
+        verificationResult = {
+          verified: true,
+          results: [
+            {
+              credential,
+              verified: true,
+              log: [
+                {
+                  id: "valid_signature",
+                  valid: true
+                },
+                {
+                  id: "issuer_did_resolves",
+                  valid: true
+                }
+              ]
+            }
+          ]
+        };
+      }
+    } catch (e) {
+      verificationResult = {
+        verified: false,
+        error: {
+          message: e.message,
+          errorCode: e.name
+        }
+      };
+    }
+    policies = {
+      ...policies,
+      nbf: policies?.nbf ?? policies?.issuanceDate ?? policies?.validFrom,
+      iat: policies?.iat ?? policies?.issuanceDate ?? policies?.validFrom,
+      exp: policies?.exp ?? policies?.expirationDate ?? policies?.validUntil,
+      aud: policies?.aud ?? policies?.audience
+    };
+    verificationResult = await verifierSignature({
+      jwt: jwt.split("~")[0],
+      policies
+    }, context);
+    return verificationResult;
+  }
+  /** {@inheritdoc @veramo/credential-w3c#AbstractCredentialProvider.createVerifiablePresentation} */
+  async createVerifiablePresentation(args, context) {
+    const { presentation, holder } = (0, import_ssi_sdk3.preProcessPresentation)(args);
+    let {
+      domain,
+      challenge,
+      keyRef
+      /* removeOriginalFields, keyRef, now, ...otherOptions*/
+    } = args;
+    const agent = assertContext(context).agent;
+    const managedIdentifier = await agent.identifierManagedGetByDid({
+      identifier: holder,
+      kmsKeyRef: keyRef
+    });
+    const identifier = managedIdentifier.identifier;
+    const key = await (0, import_ssi_sdk3.pickSigningKey)({
+      identifier: managedIdentifier.identifier,
+      kmsKeyRef: managedIdentifier.kmsKeyRef
+    }, context);
+    debug("Signing VC with", identifier.did);
+    let alg = "ES256";
+    if (key.type === "Ed25519") {
+      alg = "EdDSA";
+    } else if (key.type === "Secp256k1") {
+      alg = "ES256K";
+    }
+    const header = {
+      kid: key.meta.verificationMethod.id ?? key.kid,
+      alg,
+      typ: "vp+jwt",
+      cty: "vp"
+    };
+    const payload = {
+      ...presentation,
+      ...domain && {
+        aud: domain
+      },
+      ...challenge && {
+        nonce: challenge
+      }
+    };
+    const jwt = await agent.jwtCreateJwsCompactSignature({
+      mode: "did",
+      issuer: managedIdentifier,
+      payload,
+      protectedHeader: header,
+      clientIdScheme: "did"
+    });
+    debug(jwt);
+    return (0, import_did_jwt_vc.normalizePresentation)(jwt.jwt);
+  }
+  /** {@inheritdoc @veramo/credential-w3c#AbstractCredentialProvider.verifyPresentation} */
+  async verifyPresentation(args, context) {
+    let { presentation, domain, challenge, fetchRemoteContexts, policies, ...otherOptions } = args;
+    let jwt;
+    if (typeof presentation === "string") {
+      jwt = presentation;
+    } else {
+      jwt = (0, import_ssi_sdk2.asArray)(presentation.proof)[0].jwt;
+    }
+    const resolver = {
+      resolve: /* @__PURE__ */ __name((didUrl) => context.agent.resolveDid({
+        didUrl,
+        options: otherOptions?.resolutionOptions
+      }), "resolve")
+    };
+    let audience = domain;
+    if (!audience) {
+      const { payload } = await (0, import_did_jwt3.decodeJWT)(jwt);
+      if (payload.aud) {
+        const intendedAudience = (0, import_ssi_sdk2.asArray)(payload.aud);
+        const managedDids = await context.agent.didManagerFind();
+        const filtered = managedDids.filter((identifier) => intendedAudience.includes(identifier.did));
+        if (filtered.length > 0) {
+          audience = filtered[0].did;
+        }
+      }
+    }
+    let message, errorCode;
+    try {
+      const result = await (0, import_did_jwt_vc.verifyPresentation)(jwt, resolver, {
+        challenge,
+        domain,
+        audience,
+        policies: {
+          ...policies,
+          nbf: policies?.nbf ?? policies?.issuanceDate,
+          iat: policies?.iat ?? policies?.issuanceDate,
+          exp: policies?.exp ?? policies?.expirationDate,
+          aud: policies?.aud ?? policies?.audience
+        },
+        ...otherOptions
+      });
+      if (result) {
+        return {
+          verified: true,
+          results: [
+            {
+              verified: true,
+              presentation: result.verifiablePresentation,
+              log: [
+                {
+                  id: "valid_signature",
+                  valid: true
+                }
+              ]
+            }
+          ]
+        };
+      }
+    } catch (e) {
+      message = e.message;
+      errorCode = e.errorCode;
+    }
+    return {
+      verified: false,
+      error: {
+        message,
+        errorCode: errorCode ? errorCode : message?.split(":")[0]
+      }
+    };
+  }
+  /**
+  * Checks if a key is suitable for signing JWT payloads.
+  * @param key - the key to check
+  * @param context - the Veramo agent context, unused here
+  *
+  * @beta
+  */
+  matchKeyForJWT(key) {
+    switch (key.type) {
+      case "Ed25519":
+      case "Secp256r1":
+        return true;
+      case "Secp256k1":
+        return (0, import_ssi_sdk2.intersect)(key.meta?.algorithms ?? [], [
+          "ES256K",
+          "ES256K-R"
+        ]).length > 0;
+      default:
+        return false;
+    }
+  }
+  wrapSigner(context, key, algorithm) {
+    return async (data) => {
+      const result = await context.agent.keyManagerSign({
+        keyRef: key.kid,
+        data,
+        algorithm
+      });
+      return result;
+    };
+  }
+};
+async function verifierSignature({ jwt, policies }, verifierContext) {
+  let credIssuer = void 0;
+  const context = assertContext(verifierContext);
+  const agent = context.agent;
+  const {
+    payload,
+    header
+    /*signature, data*/
+  } = (0, import_did_jwt3.decodeJWT)(jwt);
+  if (!payload.issuer) {
+    throw new Error(`${import_did_jwt3.JWT_ERROR.INVALID_JWT}: JWT iss or client_id are required`);
+  }
+  const issuer = (0, import_ssi_sdk4.getIssuerFromSdJwt)(payload);
+  if (issuer === SELF_ISSUED_V2 || issuer === SELF_ISSUED_V2_VC_INTEROP) {
+    if (!payload.credentialSubject.id) {
+      throw new Error(`${import_did_jwt3.JWT_ERROR.INVALID_JWT}: JWT credentialSubject.id is required`);
+    }
+    if (typeof payload.sub_jwk === "undefined") {
+      credIssuer = payload.sub;
+    } else {
+      credIssuer = (header.kid || "").split("#")[0];
+    }
+  } else if (issuer === SELF_ISSUED_V0_1) {
+    if (!payload.did) {
+      throw new Error(`${import_did_jwt3.JWT_ERROR.INVALID_JWT}: JWT did is required`);
+    }
+    credIssuer = payload.did;
+  } else if (!issuer && payload.scope === "openid" && payload.redirect_uri) {
+    if (!payload.client_id) {
+      throw new Error(`${import_did_jwt3.JWT_ERROR.INVALID_JWT}: JWT client_id is required`);
+    }
+    credIssuer = payload.client_id;
+  } else if (issuer?.indexOf("did:") === 0) {
+    credIssuer = issuer;
+  } else if (header.kid?.indexOf("did:") === 0) {
+    credIssuer = (header.kid || "").split("#")[0];
+  } else if (typeof payload.issuer === "string") {
+    credIssuer = payload.issuer;
+  } else if (payload.issuer?.id) {
+    credIssuer = payload.issuer.id;
+  }
+  if (!credIssuer) {
+    throw new Error(`${import_did_jwt3.JWT_ERROR.INVALID_JWT}: No DID has been found in the JWT`);
+  }
+  let resolution = void 0;
+  try {
+    resolution = await agent.identifierExternalResolve({
+      identifier: credIssuer
+    });
+  } catch (e) {
+  }
+  const credential = import_ssi_types.CredentialMapper.toUniformCredential(jwt);
+  const validFromError = policies.nbf !== false && policies.iat !== false && "validFrom" in credential && !!credential.validFrom && Date.parse(credential.validFrom) > (/* @__PURE__ */ new Date()).getTime();
+  const expired = policies.exp !== false && "validUntil" in credential && !!credential.validUntil && Date.parse(credential.validUntil) < (/* @__PURE__ */ new Date()).getTime();
+  const didOpts = {
+    method: "did",
+    identifier: credIssuer
+  };
+  const jwtResult = await agent.jwtVerifyJwsSignature({
+    jws: jwt,
+    // @ts-ignore
+    jwk: resolution?.jwks[0].jwk,
+    opts: {
+      ...(0, import_ssi_sdk_ext.isDidIdentifier)(credIssuer) && {
+        did: didOpts
+      }
+    }
+  });
+  const error = jwtResult.error || expired || !resolution;
+  const errorMessage = expired ? "Credential is expired" : validFromError ? "Credential is not valid yet" : !resolution ? `Issuer ${credIssuer} could not be resolved` : jwtResult.message;
+  if (error) {
+    const log2 = [
+      {
+        id: "valid_signature",
+        valid: !jwtResult.error
+      },
+      {
+        id: "issuer_did_resolves",
+        valid: resolution != void 0
+      },
+      {
+        id: "validFrom",
+        valid: policies.nbf !== false && !validFromError
+      },
+      {
+        id: "expiration",
+        valid: policies.exp !== false && !expired
+      }
+    ];
+    return {
+      verified: false,
+      error: {
+        message: errorMessage,
+        errorCode: jwtResult.name
+      },
+      log: log2,
+      results: [
+        {
+          verified: false,
+          credential: jwt,
+          log: log2,
+          error: {
+            message: errorMessage,
+            errorCode: jwtResult.name
+          }
+        }
+      ],
+      payload,
+      didResolutionResult: resolution,
+      jwt
+    };
+  }
+  const log = [
+    {
+      id: "valid_signature",
+      valid: true
+    },
+    {
+      id: "issuer_did_resolves",
+      valid: true
+    },
+    {
+      id: "validFrom",
+      valid: true
+    },
+    {
+      id: "expiration",
+      valid: true
+    }
+  ];
+  return {
+    verified: true,
+    log,
+    results: [
+      {
+        verified: true,
+        credential,
+        log
+      }
+    ],
+    payload,
+    didResolutionResult: resolution,
+    jwt
+  };
+}
+__name(verifierSignature, "verifierSignature");
+function assertContext(context) {
+  if (!(0, import_ssi_sdk.contextHasPlugin)(context, "jwtPrepareJws")) {
+    throw Error("JwtService plugin not found, which is required for JWT signing in the VCDM2 SD-JWT credential provider. Please add the JwtService plugin to your agent configuration.");
+  } else if (!(0, import_ssi_sdk.contextHasPlugin)(context, "identifierManagedGet")) {
+    throw Error("Identifier resolution plugin not found, which is required for JWT signing in the VCDM2 SD-JWT credential provider. Please add the JwtService plugin to your agent configuration.");
+  }
+  return context;
+}
+__name(assertContext, "assertContext");
+//# sourceMappingURL=index.cjs.map