@sphereon/ssi-sdk.linked-vp 0.34.1-feature.SSISDK.82.linkedVP.328 → 0.36.1-feature.SSISDK.70.integrate.digidentity.55

package/src/agent/LinkedVPManager.ts

@@ -1,4 +1,5 @@
 import { DigitalCredential } from '@sphereon/ssi-sdk.data-store-types'
+import { type IVerifiableCredential } from '@sphereon/ssi-types'
 import { IAgentPlugin } from '@veramo/core'
 import { IsNull, Not } from 'typeorm'
 import { schema } from '../index'
@@ -38,12 +39,6 @@ export class LinkedVPManager implements IAgentPlugin {
     lvpGeneratePresentation: this.lvpGeneratePresentation.bind(this),
   }
 
-  private readonly holderDids: Record<string, string>
-
-  constructor(options: { holderDids: Record<string, string> }) {
-    this.holderDids = options.holderDids
-  }
-
   private async lvpPublishCredential(args: PublishCredentialArgs, context: RequiredContext): Promise<LinkedVPEntry> {
     const { digitalCredentialId } = args
 
@@ -57,18 +52,20 @@ export class LinkedVPManager implements IAgentPlugin {
 
     await this.ensureLinkedVpIdUnique(linkedVpId, context, credential.tenantId)
 
-    const publishedAt = new Date()
+    const publishAt = args.linkedVpFrom ?? new Date()
     await context.agent.crsUpdateCredential({
       id: digitalCredentialId,
       linkedVpId,
-      linkedVpFrom: publishedAt,
+      linkedVpFrom: publishAt,
+      linkedVpUntil: args.linkedVpUntil,
     })
 
     return {
       id: credential.id,
       linkedVpId,
       tenantId: credential.tenantId,
-      linkedVpFrom: publishedAt,
+      linkedVpFrom: publishAt,
+      linkedVpUntil: args.linkedVpUntil,
       createdAt: credential.createdAt,
     }
   }
@@ -108,35 +105,38 @@ export class LinkedVPManager implements IAgentPlugin {
   }
 
   private async lvpGetServiceEntries(args: GetServiceEntriesArgs, context: RequiredContext): Promise<Array<LinkedVPServiceEntry>> {
-    const { tenantId } = args
+    const { tenantId, subjectDid } = args
 
     // Get all published credentials (credentials with linkedVpId set)
     const filter: any = { linkedVpId: Not(IsNull()) }
     if (tenantId) {
       filter.tenantId = tenantId
     }
+    if (subjectDid) {
+      filter.subjectCorrelationId = subjectDid
+    }
 
     const credentials = await context.agent.crsGetCredentials({
       filter: [filter],
     })
 
     return credentials
-      .filter((cred) => cred.linkedVpId !== undefined && cred.linkedVpId !== null)
-      .map((cred) => {
-        const holderDidForEntry = this.getHolderDid(cred.tenantId)
-        return this.credentialToServiceEntry(cred, holderDidForEntry)
+      .flatMap((cred) => {
+        const uniformDocument = JSON.parse(cred.uniformDocument) as IVerifiableCredential
+        const holderDidForEntry = this.getHolderDid(uniformDocument)
+        return holderDidForEntry && holderDidForEntry.startsWith('did:web') ? [this.credentialToServiceEntry(cred, holderDidForEntry)] : []
       })
   }
 
   private async lvpGeneratePresentation(args: GeneratePresentationArgs, context: RequiredContext): Promise<LinkedVPPresentation> {
     const { linkedVpId } = args
     const tenantId = this.parseTenantFromLinkedVpId(linkedVpId)
-    const holderDid = this.getHolderDid(tenantId)
 
     const uniqueCredentials = await context.agent.crsGetUniqueCredentials({
       filter: [
         {
           linkedVpId: args.linkedVpId,
+          linkedVpUntil: args.linkedVpUntil,
           ...(tenantId && { tenantId }),
         },
       ],
@@ -148,16 +148,37 @@ export class LinkedVPManager implements IAgentPlugin {
       return Promise.reject(Error(`Multiple credentials found for linkedVpId ${linkedVpId}`))
     }
 
+    const uniqueDigitalCredential = uniqueCredentials[0]
+    if (!uniqueDigitalCredential.uniformVerifiableCredential) {
+      return Promise.reject(Error(`uniformVerifiableCredential could not be found for credential ${uniqueDigitalCredential.digitalCredential.id}`))
+    }
+    const holderDid = this.getHolderDid(uniqueDigitalCredential.uniformVerifiableCredential)
+    if (!holderDid) {
+      return Promise.reject(Error(`Could not extract the holder did:web from cnf nor the credentialSubject id`))
+    }
+
     // Generate the Verifiable Presentation with all published credentials
-    return createLinkedVPPresentation(holderDid, uniqueCredentials[0], context.agent)
+    return createLinkedVPPresentation(holderDid, uniqueDigitalCredential, context.agent)
   }
 
-  private getHolderDid(tenantId: string | undefined) {
-    const holderDid = this.holderDids[tenantId ?? 'default']
-    if (!holderDid) {
-      throw Error(`No holder did supplied for tenant ${tenantId ?? 'default'}`)
+  private getHolderDid(uniformDocument: IVerifiableCredential): string | undefined {
+    // Determine holder DID for identifier resolution
+    if ('cnf' in uniformDocument && 'jwk' in uniformDocument.cnf && 'kid' in uniformDocument.cnf.jwk) {
+      return uniformDocument.cnf.jwk.kid.split('#')[0]
+    }
+
+    if ('credentialSubject' in uniformDocument) {
+      const credentialSubject = Array.isArray(uniformDocument.credentialSubject)
+        ? uniformDocument.credentialSubject[0]
+        : uniformDocument.credentialSubject
+      if ('id' in credentialSubject && credentialSubject.id) {
+        if (credentialSubject.id.startsWith('did:web')) {
+          return credentialSubject.id
+        }
+      }
     }
-    return holderDid
+
+    return undefined
   }
 
   private parseTenantFromLinkedVpId(linkedVpId: string): string | undefined {
@@ -182,8 +203,13 @@ export class LinkedVPManager implements IAgentPlugin {
   private buildLinkedVpId(linkedVpId: string | undefined, tenantId: string | undefined) {
     let finalLinkedVpId = linkedVpId || this.generateLinkedVpId()
 
-    // Append tenantId if provided and not already present
-    if (tenantId && tenantId !== '' && !finalLinkedVpId.includes('@')) {
+    // Validate that user-provided ID doesn't contain @ char reserved for tenant id separator
+    if (linkedVpId && linkedVpId.includes('@')) {
+      throw new Error(`LinkedVP ID cannot contain '@' character as it is reserved for tenant separation`)
+    }
+
+    // Append tenantId if provided
+    if (tenantId && tenantId !== '') {
       finalLinkedVpId = `${finalLinkedVpId}@${tenantId}`
     }
     return finalLinkedVpId

package/src/services/LinkedVPService.ts

@@ -14,6 +14,37 @@ import { LinkedVPPresentation, LOGGER_NAMESPACE, RequiredContext } from '../type
 const logger = Loggers.DEFAULT.get(LOGGER_NAMESPACE)
 const CLOCK_SKEW = 120 // TODO make adjustable?
 
+/**
+ * Creates a Verifiable Presentation for LinkedVP publishing
+ * Contains multiple credentials in a single JWT VP
+ * No nonce or audience since this is for publishing, not responding to verification
+ */
+export async function createLinkedVPPresentation(
+  holderDid: string,
+  credential: UniqueDigitalCredential,
+  agent: RequiredContext['agent'],
+): Promise<LinkedVPPresentation> {
+  logger.debug(`Creating LinkedVP presentation for ${holderDid} of credential ${credential.id}`)
+
+  const originalCredential = extractOriginalCredential(credential)
+  const documentFormat = CredentialMapper.detectDocumentType(originalCredential)
+
+  switch (documentFormat) {
+    case DocumentFormat.SD_JWT_VC: {
+      return createSdJwtPresentation(originalCredential, agent)
+    }
+    case DocumentFormat.JSONLD: {
+      return createJsonLdPresentation(holderDid, originalCredential, agent)
+    }
+    case DocumentFormat.MSO_MDOC: {
+      return createMdocPresentation(originalCredential)
+    }
+    default: {
+      return createJwtPresentation(holderDid, originalCredential, agent)
+    }
+  }
+}
+
 /**
  * Extracts the original credential from various wrapper types
  */
@@ -40,111 +71,123 @@ function extractOriginalCredential(
 }
 
 /**
- * Creates a Verifiable Presentation for LinkedVP publishing
- * Contains multiple credentials in a single JWT VP
- * No nonce or audience since this is for publishing, not responding to verification
+ * Creates an SD-JWT presentation with KB-JWT
  */
-export async function createLinkedVPPresentation(
+async function createSdJwtPresentation(
+  originalCredential: OriginalVerifiableCredential,
+  agent: RequiredContext['agent'],
+): Promise<LinkedVPPresentation> {
+  // SD-JWT with KB-JWT
+  const decodedSdJwt = await CredentialMapper.decodeSdJwtVcAsync(
+    typeof originalCredential === 'string' ? originalCredential : (originalCredential as SdJwtDecodedVerifiableCredential).compactSdJwtVc,
+    defaultGenerateDigest,
+  )
+
+  const hashAlg = decodedSdJwt.signedPayload._sd_alg ?? 'sha-256'
+  const sdHash = calculateSdHash(decodedSdJwt.compactSdJwtVc, hashAlg, defaultGenerateDigest)
+  const kbJwtPayload: PartialSdJwtKbJwt['payload'] = {
+    iat: Math.floor(Date.now() / 1000 - CLOCK_SKEW),
+    sd_hash: sdHash,
+  }
+
+  const presentationResult = await agent.createSdJwtPresentation({
+    presentation: decodedSdJwt.compactSdJwtVc,
+    kb: {
+      payload: kbJwtPayload as any, // FIXME? (typescript seems impossible)
+    },
+  })
+
+  return {
+    documentFormat: DocumentFormat.SD_JWT_VC,
+    presentationPayload: presentationResult.presentation,
+  }
+}
+
+/**
+ * Creates a JSON-LD presentation with proof
+ */
+async function createJsonLdPresentation(
   holderDid: string,
-  credential: UniqueDigitalCredential,
+  originalCredential: OriginalVerifiableCredential,
   agent: RequiredContext['agent'],
 ): Promise<LinkedVPPresentation> {
-  logger.debug(`Creating LinkedVP presentation for ${holderDid} of credential ${credential.id}`)
+  // JSON-LD VC - create JSON-LD VP with challenge and domain in proof
+  const vcObject = typeof originalCredential === 'string' ? JSON.parse(originalCredential) : originalCredential
+
+  const vpObject = {
+    '@context': ['https://www.w3.org/2018/credentials/v1'],
+    type: ['VerifiablePresentation'],
+    verifiableCredential: [vcObject],
+    holder: holderDid,
+  }
 
   const identifier = await agent.identifierManagedGet({ identifier: holderDid })
-  const originalCredential = extractOriginalCredential(credential)
-  const documentFormat = CredentialMapper.detectDocumentType(originalCredential)
-  switch (documentFormat) {
-    case DocumentFormat.SD_JWT_VC: {
-      // SD-JWT with KB-JWT
-      const decodedSdJwt = await CredentialMapper.decodeSdJwtVcAsync(
-        typeof originalCredential === 'string' ? originalCredential : (originalCredential as SdJwtDecodedVerifiableCredential).compactSdJwtVc,
-        defaultGenerateDigest,
-      )
-
-      const hashAlg = decodedSdJwt.signedPayload._sd_alg ?? 'sha-256'
-      const sdHash = calculateSdHash(decodedSdJwt.compactSdJwtVc, hashAlg, defaultGenerateDigest)
-      const kbJwtPayload: PartialSdJwtKbJwt['payload'] = {
-        iat: Math.floor(Date.now() / 1000 - CLOCK_SKEW),
-        sd_hash: sdHash,
-      }
-
-      const presentationResult = await agent.createSdJwtPresentation({
-        presentation: decodedSdJwt.compactSdJwtVc,
-        kb: {
-          payload: kbJwtPayload as any, // FIXME?
-        },
-      })
-
-      return {
-        documentFormat,
-        presentationPayload: presentationResult.presentation,
-      }
-    }
-    case DocumentFormat.JSONLD: {
-      // JSON-LD VC - create JSON-LD VP with challenge and domain in proof
-      const vcObject = typeof originalCredential === 'string' ? JSON.parse(originalCredential) : originalCredential
-
-      const vpObject = {
-        '@context': ['https://www.w3.org/2018/credentials/v1'],
-        type: ['VerifiablePresentation'],
-        verifiableCredential: [vcObject],
-        holder: holderDid,
-      }
-
-      // Create JSON-LD VP with proof
-      const verifiablePresentationSP = await agent.createVerifiablePresentation({
-        presentation: vpObject,
-        proofFormat: 'lds',
-        keyRef: identifier.kmsKeyRef || identifier.kid,
-      })
-      return {
-        documentFormat,
-        presentationPayload: verifiablePresentationSP,
-      }
-    }
-    case DocumentFormat.MSO_MDOC: {
-      // ISO mdoc - create mdoc VP token
-      // This is a placeholder implementation
-      // Full implementation would require:
-      // 1. Decode the mdoc using CredentialMapper or mdoc utilities
-      // 2. Build proper mdoc VP token with session transcript
-      // 3. Include nonce/audience in the session transcript
-      logger.warning('mso_mdoc format has basic support - production use requires proper mdoc VP token implementation')
-
-      return {
-        documentFormat,
-        presentationPayload: originalCredential,
-      }
-    }
-    default: {
-      // JWT VC - create JWT VP with nonce and aud in payload
-      const vcJwt = typeof originalCredential === 'string' ? originalCredential : JSON.stringify(originalCredential)
-
-      // Create VP JWT using agent method
-      const vpPayload = {
-        iss: holderDid,
-        vp: {
-          '@context': ['https://www.w3.org/2018/credentials/v1'],
-          type: ['VerifiablePresentation'],
-          holder: holderDid,
-          verifiableCredential: [vcJwt],
-        },
-        iat: Math.floor(Date.now() / 1000 - CLOCK_SKEW),
-        exp: Math.floor(Date.now() / 1000 + 600 + CLOCK_SKEW), // 10 minutes
-      }
-
-      // Use the agent's JWT creation capability
-      const vpJwt = await agent.createVerifiablePresentation({
-        presentation: vpPayload.vp,
-        proofFormat: 'jwt',
-        keyRef: identifier.kmsKeyRef || identifier.kid,
-      })
-
-      return {
-        documentFormat,
-        presentationPayload: (vpJwt.proof && 'jwt' in vpJwt.proof && vpJwt.proof.jwt) || vpJwt,
-      }
-    }
+
+  // Create JSON-LD VP with proof
+  const verifiablePresentationSP = await agent.createVerifiablePresentation({
+    presentation: vpObject,
+    proofFormat: 'lds',
+    keyRef: identifier.kmsKeyRef || identifier.kid,
+  })
+  return {
+    documentFormat: DocumentFormat.JSONLD,
+    presentationPayload: verifiablePresentationSP,
+  }
+}
+
+/**
+ * Creates an ISO mdoc presentation (basic support)
+ */
+async function createMdocPresentation(originalCredential: OriginalVerifiableCredential): Promise<LinkedVPPresentation> {
+  // ISO mdoc - create mdoc VP token
+  // This is a placeholder implementation
+  // Full implementation would require:
+  // 1. Decode the mdoc using CredentialMapper or mdoc utilities
+  // 2. Build proper mdoc VP token with session transcript
+  // 3. Include nonce/audience in the session transcript
+  logger.warning('mso_mdoc format has basic support - production use requires proper mdoc VP token implementation')
+
+  return {
+    documentFormat: DocumentFormat.MSO_MDOC,
+    presentationPayload: originalCredential,
+  }
+}
+
+/**
+ * Creates a JWT presentation
+ */
+async function createJwtPresentation(
+  holderDid: string,
+  originalCredential: OriginalVerifiableCredential,
+  agent: RequiredContext['agent'],
+): Promise<LinkedVPPresentation> {
+  // JWT VC - create JWT VP with nonce and aud in payload
+  const vcJwt = typeof originalCredential === 'string' ? originalCredential : JSON.stringify(originalCredential)
+
+  const identifier = await agent.identifierManagedGet({ identifier: holderDid })
+
+  // Create VP JWT using agent method
+  const vpPayload = {
+    iss: holderDid,
+    vp: {
+      '@context': ['https://www.w3.org/2018/credentials/v1'],
+      type: ['VerifiablePresentation'],
+      holder: holderDid,
+      verifiableCredential: [vcJwt],
+    },
+    iat: Math.floor(Date.now() / 1000 - CLOCK_SKEW),
+    exp: Math.floor(Date.now() / 1000 + 600 + CLOCK_SKEW), // 10 minutes
+  }
+
+  // Use the agent's JWT creation capability
+  const vpJwt = await agent.createVerifiablePresentation({
+    presentation: vpPayload.vp,
+    proofFormat: 'jwt',
+    keyRef: identifier.kmsKeyRef || identifier.kid,
+  })
+
+  return {
+    documentFormat: DocumentFormat.JWT,
+    presentationPayload: (vpJwt.proof && 'jwt' in vpJwt.proof && vpJwt.proof.jwt) || vpJwt,
   }
 }

package/src/types/ILinkedVPManager.ts

@@ -55,6 +55,8 @@ export interface ILinkedVPManager extends IPluginMethodMap {
 export type PublishCredentialArgs = {
   digitalCredentialId: string
   linkedVpId?: string // Optional: if not provided, will be auto-generated
+  linkedVpFrom?: Date
+  linkedVpUntil?: Date
 }
 
 export type UnpublishCredentialArgs = {
@@ -66,18 +68,21 @@ export type HasLinkedVPEntryArgs = {
 }
 
 export type GetServiceEntriesArgs = {
+  subjectDid?: string
   tenantId?: string
 }
 
 export type GeneratePresentationArgs = {
   linkedVpId: string
+  linkedVpUntil?: Date
 }
 
 export type LinkedVPEntry = {
   id: string
   linkedVpId: string
-  tenantId?: string
   linkedVpFrom?: Date
+  linkedVpUntil?: Date
+  tenantId?: string
   createdAt: Date
 }