@sphereon/ssi-sdk.credential-vcdm2-sdjwt-provider 0.34.1-next.85

package/dist/index.js

@@ -0,0 +1,865 @@
+var __defProp = Object.defineProperty;
+var __name = (target, value) => __defProp(target, "name", { value, configurable: true });
+
+// src/agent/CredentialProviderVcdm2SdJwt.ts
+import { isDidIdentifier } from "@sphereon/ssi-sdk-ext.identifier-resolution";
+import { signatureAlgorithmFromKey } from "@sphereon/ssi-sdk-ext.key-utils";
+import { contextHasPlugin } from "@sphereon/ssi-sdk.agent-config";
+import { asArray, intersect } from "@sphereon/ssi-sdk.core";
+import { pickSigningKey, preProcessCredentialPayload, preProcessPresentation } from "@sphereon/ssi-sdk.credential-vcdm";
+import { CredentialMapper, isVcdm2Credential } from "@sphereon/ssi-types";
+import Debug from "debug";
+import { decodeJWT, JWT_ERROR as JWT_ERROR2 } from "did-jwt";
+import { normalizeCredential, normalizePresentation, verifyPresentation as verifyPresentationJWT } from "did-jwt-vc";
+
+// src/did-jwt/JWT.ts
+import canonicalizeData from "canonicalize";
+import { parse } from "did-resolver";
+
+// src/did-jwt/util.ts
+import * as u8a from "uint8arrays";
+import { x25519 } from "@noble/curves/ed25519";
+import { varint } from "multiformats";
+import { decode, encode } from "multibase";
+import { secp256k1 } from "@noble/curves/secp256k1";
+import { p256 } from "@noble/curves/p256";
+function bytesToBase64url(b) {
+  return u8a.toString(b, "base64url");
+}
+__name(bytesToBase64url, "bytesToBase64url");
+function base64ToBytes(s) {
+  const inputBase64Url = s.replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "");
+  return u8a.fromString(inputBase64Url, "base64url");
+}
+__name(base64ToBytes, "base64ToBytes");
+function base58ToBytes(s) {
+  return u8a.fromString(s, "base58btc");
+}
+__name(base58ToBytes, "base58ToBytes");
+var VM_TO_KEY_TYPE = {
+  Secp256k1SignatureVerificationKey2018: "Secp256k1",
+  Secp256k1VerificationKey2018: "Secp256k1",
+  EcdsaSecp256k1VerificationKey2019: "Secp256k1",
+  EcdsaPublicKeySecp256k1: "Secp256k1",
+  EcdsaSecp256k1RecoveryMethod2020: "Secp256k1",
+  EcdsaSecp256r1VerificationKey2019: "P-256",
+  Ed25519VerificationKey2018: "Ed25519",
+  Ed25519VerificationKey2020: "Ed25519",
+  ED25519SignatureVerification: "Ed25519",
+  X25519KeyAgreementKey2019: "X25519",
+  X25519KeyAgreementKey2020: "X25519",
+  ConditionalProof2022: void 0,
+  JsonWebKey2020: void 0,
+  Multikey: void 0
+};
+var supportedCodecs = {
+  "ed25519-pub": 237,
+  "x25519-pub": 236,
+  "secp256k1-pub": 231,
+  "bls12_381-g1-pub": 234,
+  "bls12_381-g2-pub": 235,
+  "p256-pub": 4608
+};
+var CODEC_TO_KEY_TYPE = {
+  "bls12_381-g1-pub": "Bls12381G1",
+  "bls12_381-g2-pub": "Bls12381G2",
+  "ed25519-pub": "Ed25519",
+  "p256-pub": "P-256",
+  "secp256k1-pub": "Secp256k1",
+  "x25519-pub": "X25519"
+};
+function extractPublicKeyBytes(pk) {
+  if (pk.publicKeyBase58) {
+    return {
+      keyBytes: base58ToBytes(pk.publicKeyBase58),
+      keyType: VM_TO_KEY_TYPE[pk.type]
+    };
+  } else if (pk.publicKeyBase64) {
+    return {
+      keyBytes: base64ToBytes(pk.publicKeyBase64),
+      keyType: VM_TO_KEY_TYPE[pk.type]
+    };
+  } else if (pk.publicKeyHex) {
+    return {
+      keyBytes: hexToBytes(pk.publicKeyHex),
+      keyType: VM_TO_KEY_TYPE[pk.type]
+    };
+  } else if (pk.publicKeyJwk && pk.publicKeyJwk.crv === "secp256k1" && pk.publicKeyJwk.x && pk.publicKeyJwk.y) {
+    return {
+      keyBytes: secp256k1.ProjectivePoint.fromAffine({
+        x: bytesToBigInt(base64ToBytes(pk.publicKeyJwk.x)),
+        y: bytesToBigInt(base64ToBytes(pk.publicKeyJwk.y))
+      }).toRawBytes(false),
+      keyType: "Secp256k1"
+    };
+  } else if (pk.publicKeyJwk && pk.publicKeyJwk.crv === "P-256" && pk.publicKeyJwk.x && pk.publicKeyJwk.y) {
+    return {
+      keyBytes: p256.ProjectivePoint.fromAffine({
+        x: bytesToBigInt(base64ToBytes(pk.publicKeyJwk.x)),
+        y: bytesToBigInt(base64ToBytes(pk.publicKeyJwk.y))
+      }).toRawBytes(false),
+      keyType: "P-256"
+    };
+  } else if (pk.publicKeyJwk && pk.publicKeyJwk.kty === "OKP" && [
+    "Ed25519",
+    "X25519"
+  ].includes(pk.publicKeyJwk.crv ?? "") && pk.publicKeyJwk.x) {
+    return {
+      keyBytes: base64ToBytes(pk.publicKeyJwk.x),
+      keyType: pk.publicKeyJwk.crv
+    };
+  } else if (pk.publicKeyMultibase) {
+    const { keyBytes, keyType } = multibaseToBytes(pk.publicKeyMultibase);
+    return {
+      keyBytes,
+      keyType: keyType ?? VM_TO_KEY_TYPE[pk.type]
+    };
+  }
+  return {
+    keyBytes: new Uint8Array()
+  };
+}
+__name(extractPublicKeyBytes, "extractPublicKeyBytes");
+function multibaseToBytes(s) {
+  const bytes = decode(s);
+  if ([
+    32,
+    33,
+    48,
+    64,
+    65,
+    96
+  ].includes(bytes.length)) {
+    return {
+      keyBytes: bytes
+    };
+  }
+  try {
+    const [codec, length] = varint.decode(bytes);
+    const possibleCodec = Object.entries(supportedCodecs).filter(([, code]) => code === codec)?.[0][0] ?? "";
+    return {
+      keyBytes: bytes.slice(length),
+      keyType: CODEC_TO_KEY_TYPE[possibleCodec]
+    };
+  } catch (e) {
+    return {
+      keyBytes: bytes
+    };
+  }
+}
+__name(multibaseToBytes, "multibaseToBytes");
+function hexToBytes(s, minLength) {
+  let input = s.startsWith("0x") ? s.substring(2) : s;
+  if (input.length % 2 !== 0) {
+    input = `0${input}`;
+  }
+  if (minLength) {
+    const paddedLength = Math.max(input.length, minLength * 2);
+    input = input.padStart(paddedLength, "00");
+  }
+  return u8a.fromString(input.toLowerCase(), "base16");
+}
+__name(hexToBytes, "hexToBytes");
+function bytesToHex(b) {
+  return u8a.toString(b, "base16");
+}
+__name(bytesToHex, "bytesToHex");
+function bytesToBigInt(b) {
+  return BigInt(`0x` + u8a.toString(b, "base16"));
+}
+__name(bytesToBigInt, "bytesToBigInt");
+function stringToBytes(s) {
+  return u8a.fromString(s, "utf-8");
+}
+__name(stringToBytes, "stringToBytes");
+function toJose({ r, s, recoveryParam }, recoverable) {
+  const jose = new Uint8Array(recoverable ? 65 : 64);
+  jose.set(u8a.fromString(r, "base16"), 0);
+  jose.set(u8a.fromString(s, "base16"), 32);
+  if (recoverable) {
+    if (typeof recoveryParam === "undefined") {
+      throw new Error("Signer did not return a recoveryParam");
+    }
+    jose[64] = recoveryParam;
+  }
+  return bytesToBase64url(jose);
+}
+__name(toJose, "toJose");
+function fromJose(signature) {
+  const signatureBytes = base64ToBytes(signature);
+  if (signatureBytes.length < 64 || signatureBytes.length > 65) {
+    throw new TypeError(`Wrong size for signature. Expected 64 or 65 bytes, but got ${signatureBytes.length}`);
+  }
+  const r = bytesToHex(signatureBytes.slice(0, 32));
+  const s = bytesToHex(signatureBytes.slice(32, 64));
+  const recoveryParam = signatureBytes.length === 65 ? signatureBytes[64] : void 0;
+  return {
+    r,
+    s,
+    recoveryParam
+  };
+}
+__name(fromJose, "fromJose");
+
+// src/did-jwt/SignerAlgorithm.ts
+function instanceOfEcdsaSignature(object) {
+  return typeof object === "object" && "r" in object && "s" in object;
+}
+__name(instanceOfEcdsaSignature, "instanceOfEcdsaSignature");
+function ES256SignerAlg() {
+  return /* @__PURE__ */ __name(async function sign(payload, signer) {
+    const signature = await signer(payload);
+    if (instanceOfEcdsaSignature(signature)) {
+      return toJose(signature);
+    } else {
+      return signature;
+    }
+  }, "sign");
+}
+__name(ES256SignerAlg, "ES256SignerAlg");
+function ES256KSignerAlg(recoverable) {
+  return /* @__PURE__ */ __name(async function sign(payload, signer) {
+    const signature = await signer(payload);
+    if (instanceOfEcdsaSignature(signature)) {
+      return toJose(signature, recoverable);
+    } else {
+      if (recoverable && typeof fromJose(signature).recoveryParam === "undefined") {
+        throw new Error(`not_supported: ES256K-R not supported when signer doesn't provide a recovery param`);
+      }
+      return signature;
+    }
+  }, "sign");
+}
+__name(ES256KSignerAlg, "ES256KSignerAlg");
+function Ed25519SignerAlg() {
+  return /* @__PURE__ */ __name(async function sign(payload, signer) {
+    const signature = await signer(payload);
+    if (!instanceOfEcdsaSignature(signature)) {
+      return signature;
+    } else {
+      throw new Error("invalid_config: expected a signer function that returns a string instead of signature object");
+    }
+  }, "sign");
+}
+__name(Ed25519SignerAlg, "Ed25519SignerAlg");
+var algorithms = {
+  ES256: ES256SignerAlg(),
+  ES256K: ES256KSignerAlg(),
+  // This is a non-standard algorithm but retained for backwards compatibility
+  // see https://github.com/decentralized-identity/did-jwt/issues/146
+  "ES256K-R": ES256KSignerAlg(true),
+  // This is actually incorrect but retained for backwards compatibility
+  // see https://github.com/decentralized-identity/did-jwt/issues/130
+  Ed25519: Ed25519SignerAlg(),
+  EdDSA: Ed25519SignerAlg()
+};
+
+// src/did-jwt/VerifierAlgorithm.ts
+import { toEthereumAddress } from "did-jwt";
+import { secp256k1 as secp256k12 } from "@noble/curves/secp256k1";
+import { p256 as p2562 } from "@noble/curves/p256";
+import { ed25519 } from "@noble/curves/ed25519";
+import * as u8a2 from "uint8arrays";
+import { sha256 as hash } from "@noble/hashes/sha256";
+function sha256(payload) {
+  const data = typeof payload === "string" ? u8a2.fromString(payload) : payload;
+  return hash(data);
+}
+__name(sha256, "sha256");
+function toSignatureObject(signature, recoverable = false) {
+  const rawSig = base64ToBytes(signature);
+  if (rawSig.length !== (recoverable ? 65 : 64)) {
+    throw new Error("wrong signature length");
+  }
+  const r = bytesToHex(rawSig.slice(0, 32));
+  const s = bytesToHex(rawSig.slice(32, 64));
+  const sigObj = {
+    r,
+    s
+  };
+  if (recoverable) {
+    sigObj.recoveryParam = rawSig[64];
+  }
+  return sigObj;
+}
+__name(toSignatureObject, "toSignatureObject");
+function toSignatureObject2(signature, recoverable = false) {
+  const bytes = base64ToBytes(signature);
+  if (bytes.length !== (recoverable ? 65 : 64)) {
+    throw new Error("wrong signature length");
+  }
+  return {
+    compact: bytes.slice(0, 64),
+    recovery: bytes[64]
+  };
+}
+__name(toSignatureObject2, "toSignatureObject2");
+function verifyES256(data, signature, authenticators) {
+  const hash2 = sha256(data);
+  const sig = p2562.Signature.fromCompact(toSignatureObject2(signature).compact);
+  const fullPublicKeys = authenticators.filter((a) => !a.ethereumAddress && !a.blockchainAccountId);
+  const signer = fullPublicKeys.find((pk) => {
+    try {
+      const { keyBytes } = extractPublicKeyBytes(pk);
+      return p2562.verify(sig, hash2, keyBytes);
+    } catch (err) {
+      return false;
+    }
+  });
+  if (!signer) throw new Error("invalid_signature: Signature invalid for JWT");
+  return signer;
+}
+__name(verifyES256, "verifyES256");
+function verifyES256K(data, signature, authenticators) {
+  const hash2 = sha256(data);
+  const signatureNormalized = secp256k12.Signature.fromCompact(base64ToBytes(signature)).normalizeS();
+  const fullPublicKeys = authenticators.filter((a) => {
+    return !a.ethereumAddress && !a.blockchainAccountId;
+  });
+  const blockchainAddressKeys = authenticators.filter((a) => {
+    return a.ethereumAddress || a.blockchainAccountId;
+  });
+  let signer = fullPublicKeys.find((pk) => {
+    try {
+      const { keyBytes } = extractPublicKeyBytes(pk);
+      return secp256k12.verify(signatureNormalized, hash2, keyBytes);
+    } catch (err) {
+      return false;
+    }
+  });
+  if (!signer && blockchainAddressKeys.length > 0) {
+    signer = verifyRecoverableES256K(data, signature, blockchainAddressKeys);
+  }
+  if (!signer) throw new Error("invalid_signature: Signature invalid for JWT");
+  return signer;
+}
+__name(verifyES256K, "verifyES256K");
+function verifyRecoverableES256K(data, signature, authenticators) {
+  const signatures = [];
+  if (signature.length > 86) {
+    signatures.push(toSignatureObject2(signature, true));
+  } else {
+    const so = toSignatureObject2(signature, false);
+    signatures.push({
+      ...so,
+      recovery: 0
+    });
+    signatures.push({
+      ...so,
+      recovery: 1
+    });
+  }
+  const hash2 = sha256(data);
+  const checkSignatureAgainstSigner = /* @__PURE__ */ __name((sigObj) => {
+    const signature2 = secp256k12.Signature.fromCompact(sigObj.compact).addRecoveryBit(sigObj.recovery || 0);
+    const recoveredPublicKey = signature2.recoverPublicKey(hash2);
+    const recoveredAddress = toEthereumAddress(recoveredPublicKey.toHex(false)).toLowerCase();
+    const recoveredPublicKeyHex = recoveredPublicKey.toHex(false);
+    const recoveredCompressedPublicKeyHex = recoveredPublicKey.toHex(true);
+    return authenticators.find((a) => {
+      const { keyBytes } = extractPublicKeyBytes(a);
+      const keyHex = bytesToHex(keyBytes);
+      return keyHex === recoveredPublicKeyHex || keyHex === recoveredCompressedPublicKeyHex || a.ethereumAddress?.toLowerCase() === recoveredAddress || a.blockchainAccountId?.split("@eip155")?.[0].toLowerCase() === recoveredAddress;
+    });
+  }, "checkSignatureAgainstSigner");
+  for (const signature2 of signatures) {
+    const verificationMethod = checkSignatureAgainstSigner(signature2);
+    if (verificationMethod) return verificationMethod;
+  }
+  throw new Error("invalid_signature: Signature invalid for JWT");
+}
+__name(verifyRecoverableES256K, "verifyRecoverableES256K");
+function verifyEd25519(data, signature, authenticators) {
+  const clear = stringToBytes(data);
+  const signatureBytes = base64ToBytes(signature);
+  const signer = authenticators.find((a) => {
+    const { keyBytes, keyType } = extractPublicKeyBytes(a);
+    if (keyType === "Ed25519") {
+      return ed25519.verify(signatureBytes, clear, keyBytes);
+    } else {
+      return false;
+    }
+  });
+  if (!signer) throw new Error("invalid_signature: Signature invalid for JWT");
+  return signer;
+}
+__name(verifyEd25519, "verifyEd25519");
+var algorithms2 = {
+  ES256: verifyES256,
+  ES256K: verifyES256K,
+  // This is a non-standard algorithm but retained for backwards compatibility
+  // see https://github.com/decentralized-identity/did-jwt/issues/146
+  "ES256K-R": verifyRecoverableES256K,
+  // This is actually incorrect but retained for backwards compatibility
+  // see https://github.com/decentralized-identity/did-jwt/issues/130
+  Ed25519: verifyEd25519,
+  EdDSA: verifyEd25519
+};
+function VerifierAlgorithm(alg) {
+  const impl = algorithms2[alg];
+  if (!impl) throw new Error(`not_supported: Unsupported algorithm ${alg}`);
+  return impl;
+}
+__name(VerifierAlgorithm, "VerifierAlgorithm");
+VerifierAlgorithm.toSignatureObject = toSignatureObject;
+
+// src/did-jwt/JWT.ts
+import { JWT_ERROR } from "did-jwt";
+var SELF_ISSUED_V2 = "https://self-issued.me/v2";
+var SELF_ISSUED_V2_VC_INTEROP = "https://self-issued.me/v2/openid-vc";
+var SELF_ISSUED_V0_1 = "https://self-issued.me";
+
+// src/agent/CredentialProviderVcdm2SdJwt.ts
+import { getIssuerFromSdJwt } from "@sphereon/ssi-sdk.sd-jwt";
+var debug = Debug("sphereon:ssi-sdk:credential-vcdm2-sdjwt");
+var CredentialProviderVcdm2SdJwt = class {
+  static {
+    __name(this, "CredentialProviderVcdm2SdJwt");
+  }
+  /** {@inheritdoc @veramo/credential-w3c#AbstractCredentialProvider.matchKeyForType} */
+  matchKeyForType(key) {
+    return this.matchKeyForJWT(key);
+  }
+  /** {@inheritdoc @veramo/credential-w3c#AbstractCredentialProvider.getTypeProofFormat} */
+  getTypeProofFormat() {
+    return "vc+sd-jwt";
+  }
+  /** {@inheritdoc @veramo/credential-w3c#AbstractCredentialProvider.canIssueCredentialType} */
+  canIssueCredentialType(args) {
+    const format = args.proofFormat.toLowerCase();
+    return format === "vc+sd-jwt" || format === "vcdm2_sdjwt";
+  }
+  /** {@inheritdoc @veramo/credential-w3c#AbstractCredentialProvider.canVerifyDocumentType */
+  canVerifyDocumentType(args) {
+    const { document } = args;
+    const jwt = typeof document === "string" ? document : document?.proof?.jwt;
+    if (!jwt) {
+      return false;
+    }
+    const { payload } = decodeJWT(jwt.split("~")[0]);
+    return isVcdm2Credential(payload);
+  }
+  /** {@inheritdoc @veramo/credential-w3c#AbstractCredentialProvider.createVerifiableCredential} */
+  async createVerifiableCredential(args, context) {
+    const { keyRef } = args;
+    const agent = assertContext(context).agent;
+    const { credential, issuer } = preProcessCredentialPayload(args);
+    if (!isVcdm2Credential(credential)) {
+      return Promise.reject(new Error("invalid_argument: credential must be a VCDM2 credential. Context: " + credential["@context"]));
+    } else if (!contextHasPlugin(context, "createSdJwtVc")) {
+      return Promise.reject(new Error("invalid_argument: SD-JWT plugin not available. Please install @sphereon/ssi-sdk.sd-jwt and configure agent for VCDM2 SD-JWT"));
+    }
+    let identifier;
+    try {
+      identifier = await agent.didManagerGet({
+        did: issuer
+      });
+    } catch (e) {
+      return Promise.reject(new Error(`invalid_argument: ${credential.issuer} must be a DID managed by this agent. ${e}`));
+    }
+    const managedIdentifier = await agent.identifierManagedGetByDid({
+      identifier: identifier.did,
+      kmsKeyRef: keyRef
+    });
+    const key = await pickSigningKey({
+      identifier,
+      kmsKeyRef: keyRef
+    }, context);
+    const alg = await signatureAlgorithmFromKey({
+      key
+    });
+    debug("Signing VC with", identifier.did, alg);
+    credential.issuer = {
+      id: identifier.did
+    };
+    const result = await context.agent.createSdJwtVc({
+      type: "vc+sd-jwt",
+      credentialPayload: credential,
+      resolution: managedIdentifier,
+      disclosureFrame: args.opts?.disclosureFrame
+    });
+    const jwt = result.credential.split("~")[0];
+    const normalized = normalizeCredential(jwt);
+    normalized.proof.jwt = result.credential;
+    return normalized;
+  }
+  /** {@inheritdoc ICredentialVerifier.verifyCredential} */
+  async verifyCredential(args, context) {
+    let {
+      credential,
+      policies
+      /*...otherOptions*/
+    } = args;
+    const uniform = CredentialMapper.toUniformCredential(credential);
+    if (!isVcdm2Credential(uniform)) {
+      return Promise.reject(new Error("invalid_argument: credential must be a VCDM2 credential. Context: " + uniform["@context"]));
+    } else if (!contextHasPlugin(context, "createSdJwtVc")) {
+      return Promise.reject(new Error("invalid_argument: SD-JWT plugin not available. Please install @sphereon/ssi-sdk.sd-jwt and configure agent for VCDM2 SD-JWT"));
+    }
+    let verificationResult = {
+      verified: false
+    };
+    let jwt = typeof credential === "string" ? credential : asArray(uniform.proof)?.[0]?.jwt;
+    if (!jwt) {
+      return Promise.reject(new Error("invalid_argument: credential must be a VCDM2 credential in JOSE format (string)"));
+    }
+    try {
+      const result = await context.agent.verifySdJwtVc({
+        credential: jwt
+      });
+      if (result.payload) {
+        verificationResult = {
+          verified: true,
+          results: [
+            {
+              credential,
+              verified: true,
+              log: [
+                {
+                  id: "valid_signature",
+                  valid: true
+                },
+                {
+                  id: "issuer_did_resolves",
+                  valid: true
+                }
+              ]
+            }
+          ]
+        };
+      }
+    } catch (e) {
+      verificationResult = {
+        verified: false,
+        error: {
+          message: e.message,
+          errorCode: e.name
+        }
+      };
+    }
+    policies = {
+      ...policies,
+      nbf: policies?.nbf ?? policies?.issuanceDate ?? policies?.validFrom,
+      iat: policies?.iat ?? policies?.issuanceDate ?? policies?.validFrom,
+      exp: policies?.exp ?? policies?.expirationDate ?? policies?.validUntil,
+      aud: policies?.aud ?? policies?.audience
+    };
+    verificationResult = await verifierSignature({
+      jwt: jwt.split("~")[0],
+      policies
+    }, context);
+    return verificationResult;
+  }
+  /** {@inheritdoc @veramo/credential-w3c#AbstractCredentialProvider.createVerifiablePresentation} */
+  async createVerifiablePresentation(args, context) {
+    const { presentation, holder } = preProcessPresentation(args);
+    let {
+      domain,
+      challenge,
+      keyRef
+      /* removeOriginalFields, keyRef, now, ...otherOptions*/
+    } = args;
+    const agent = assertContext(context).agent;
+    const managedIdentifier = await agent.identifierManagedGetByDid({
+      identifier: holder,
+      kmsKeyRef: keyRef
+    });
+    const identifier = managedIdentifier.identifier;
+    const key = await pickSigningKey({
+      identifier: managedIdentifier.identifier,
+      kmsKeyRef: managedIdentifier.kmsKeyRef
+    }, context);
+    debug("Signing VC with", identifier.did);
+    let alg = "ES256";
+    if (key.type === "Ed25519") {
+      alg = "EdDSA";
+    } else if (key.type === "Secp256k1") {
+      alg = "ES256K";
+    }
+    const header = {
+      kid: key.meta.verificationMethod.id ?? key.kid,
+      alg,
+      typ: "vp+jwt",
+      cty: "vp"
+    };
+    const payload = {
+      ...presentation,
+      ...domain && {
+        aud: domain
+      },
+      ...challenge && {
+        nonce: challenge
+      }
+    };
+    const jwt = await agent.jwtCreateJwsCompactSignature({
+      mode: "did",
+      issuer: managedIdentifier,
+      payload,
+      protectedHeader: header,
+      clientIdScheme: "did"
+    });
+    debug(jwt);
+    return normalizePresentation(jwt.jwt);
+  }
+  /** {@inheritdoc @veramo/credential-w3c#AbstractCredentialProvider.verifyPresentation} */
+  async verifyPresentation(args, context) {
+    let { presentation, domain, challenge, fetchRemoteContexts, policies, ...otherOptions } = args;
+    let jwt;
+    if (typeof presentation === "string") {
+      jwt = presentation;
+    } else {
+      jwt = asArray(presentation.proof)[0].jwt;
+    }
+    const resolver = {
+      resolve: /* @__PURE__ */ __name((didUrl) => context.agent.resolveDid({
+        didUrl,
+        options: otherOptions?.resolutionOptions
+      }), "resolve")
+    };
+    let audience = domain;
+    if (!audience) {
+      const { payload } = await decodeJWT(jwt);
+      if (payload.aud) {
+        const intendedAudience = asArray(payload.aud);
+        const managedDids = await context.agent.didManagerFind();
+        const filtered = managedDids.filter((identifier) => intendedAudience.includes(identifier.did));
+        if (filtered.length > 0) {
+          audience = filtered[0].did;
+        }
+      }
+    }
+    let message, errorCode;
+    try {
+      const result = await verifyPresentationJWT(jwt, resolver, {
+        challenge,
+        domain,
+        audience,
+        policies: {
+          ...policies,
+          nbf: policies?.nbf ?? policies?.issuanceDate,
+          iat: policies?.iat ?? policies?.issuanceDate,
+          exp: policies?.exp ?? policies?.expirationDate,
+          aud: policies?.aud ?? policies?.audience
+        },
+        ...otherOptions
+      });
+      if (result) {
+        return {
+          verified: true,
+          results: [
+            {
+              verified: true,
+              presentation: result.verifiablePresentation,
+              log: [
+                {
+                  id: "valid_signature",
+                  valid: true
+                }
+              ]
+            }
+          ]
+        };
+      }
+    } catch (e) {
+      message = e.message;
+      errorCode = e.errorCode;
+    }
+    return {
+      verified: false,
+      error: {
+        message,
+        errorCode: errorCode ? errorCode : message?.split(":")[0]
+      }
+    };
+  }
+  /**
+  * Checks if a key is suitable for signing JWT payloads.
+  * @param key - the key to check
+  * @param context - the Veramo agent context, unused here
+  *
+  * @beta
+  */
+  matchKeyForJWT(key) {
+    switch (key.type) {
+      case "Ed25519":
+      case "Secp256r1":
+        return true;
+      case "Secp256k1":
+        return intersect(key.meta?.algorithms ?? [], [
+          "ES256K",
+          "ES256K-R"
+        ]).length > 0;
+      default:
+        return false;
+    }
+  }
+  wrapSigner(context, key, algorithm) {
+    return async (data) => {
+      const result = await context.agent.keyManagerSign({
+        keyRef: key.kid,
+        data,
+        algorithm
+      });
+      return result;
+    };
+  }
+};
+async function verifierSignature({ jwt, policies }, verifierContext) {
+  let credIssuer = void 0;
+  const context = assertContext(verifierContext);
+  const agent = context.agent;
+  const {
+    payload,
+    header
+    /*signature, data*/
+  } = decodeJWT(jwt);
+  if (!payload.issuer) {
+    throw new Error(`${JWT_ERROR2.INVALID_JWT}: JWT iss or client_id are required`);
+  }
+  const issuer = getIssuerFromSdJwt(payload);
+  if (issuer === SELF_ISSUED_V2 || issuer === SELF_ISSUED_V2_VC_INTEROP) {
+    if (!payload.credentialSubject.id) {
+      throw new Error(`${JWT_ERROR2.INVALID_JWT}: JWT credentialSubject.id is required`);
+    }
+    if (typeof payload.sub_jwk === "undefined") {
+      credIssuer = payload.sub;
+    } else {
+      credIssuer = (header.kid || "").split("#")[0];
+    }
+  } else if (issuer === SELF_ISSUED_V0_1) {
+    if (!payload.did) {
+      throw new Error(`${JWT_ERROR2.INVALID_JWT}: JWT did is required`);
+    }
+    credIssuer = payload.did;
+  } else if (!issuer && payload.scope === "openid" && payload.redirect_uri) {
+    if (!payload.client_id) {
+      throw new Error(`${JWT_ERROR2.INVALID_JWT}: JWT client_id is required`);
+    }
+    credIssuer = payload.client_id;
+  } else if (issuer?.indexOf("did:") === 0) {
+    credIssuer = issuer;
+  } else if (header.kid?.indexOf("did:") === 0) {
+    credIssuer = (header.kid || "").split("#")[0];
+  } else if (typeof payload.issuer === "string") {
+    credIssuer = payload.issuer;
+  } else if (payload.issuer?.id) {
+    credIssuer = payload.issuer.id;
+  }
+  if (!credIssuer) {
+    throw new Error(`${JWT_ERROR2.INVALID_JWT}: No DID has been found in the JWT`);
+  }
+  let resolution = void 0;
+  try {
+    resolution = await agent.identifierExternalResolve({
+      identifier: credIssuer
+    });
+  } catch (e) {
+  }
+  const credential = CredentialMapper.toUniformCredential(jwt);
+  const validFromError = policies.nbf !== false && policies.iat !== false && "validFrom" in credential && !!credential.validFrom && Date.parse(credential.validFrom) > (/* @__PURE__ */ new Date()).getTime();
+  const expired = policies.exp !== false && "validUntil" in credential && !!credential.validUntil && Date.parse(credential.validUntil) < (/* @__PURE__ */ new Date()).getTime();
+  const didOpts = {
+    method: "did",
+    identifier: credIssuer
+  };
+  const jwtResult = await agent.jwtVerifyJwsSignature({
+    jws: jwt,
+    // @ts-ignore
+    jwk: resolution?.jwks[0].jwk,
+    opts: {
+      ...isDidIdentifier(credIssuer) && {
+        did: didOpts
+      }
+    }
+  });
+  const error = jwtResult.error || expired || !resolution;
+  const errorMessage = expired ? "Credential is expired" : validFromError ? "Credential is not valid yet" : !resolution ? `Issuer ${credIssuer} could not be resolved` : jwtResult.message;
+  if (error) {
+    const log2 = [
+      {
+        id: "valid_signature",
+        valid: !jwtResult.error
+      },
+      {
+        id: "issuer_did_resolves",
+        valid: resolution != void 0
+      },
+      {
+        id: "validFrom",
+        valid: policies.nbf !== false && !validFromError
+      },
+      {
+        id: "expiration",
+        valid: policies.exp !== false && !expired
+      }
+    ];
+    return {
+      verified: false,
+      error: {
+        message: errorMessage,
+        errorCode: jwtResult.name
+      },
+      log: log2,
+      results: [
+        {
+          verified: false,
+          credential: jwt,
+          log: log2,
+          error: {
+            message: errorMessage,
+            errorCode: jwtResult.name
+          }
+        }
+      ],
+      payload,
+      didResolutionResult: resolution,
+      jwt
+    };
+  }
+  const log = [
+    {
+      id: "valid_signature",
+      valid: true
+    },
+    {
+      id: "issuer_did_resolves",
+      valid: true
+    },
+    {
+      id: "validFrom",
+      valid: true
+    },
+    {
+      id: "expiration",
+      valid: true
+    }
+  ];
+  return {
+    verified: true,
+    log,
+    results: [
+      {
+        verified: true,
+        credential,
+        log
+      }
+    ],
+    payload,
+    didResolutionResult: resolution,
+    jwt
+  };
+}
+__name(verifierSignature, "verifierSignature");
+function assertContext(context) {
+  if (!contextHasPlugin(context, "jwtPrepareJws")) {
+    throw Error("JwtService plugin not found, which is required for JWT signing in the VCDM2 SD-JWT credential provider. Please add the JwtService plugin to your agent configuration.");
+  } else if (!contextHasPlugin(context, "identifierManagedGet")) {
+    throw Error("Identifier resolution plugin not found, which is required for JWT signing in the VCDM2 SD-JWT credential provider. Please add the JwtService plugin to your agent configuration.");
+  }
+  return context;
+}
+__name(assertContext, "assertContext");
+export {
+  CredentialProviderVcdm2SdJwt
+};
+//# sourceMappingURL=index.js.map