npm - @sphereon/ssi-sdk.mdl-mdoc - Versions diffs - 0.37.2-next.34 → 0.38.0 - Mend

@sphereon/ssi-sdk.mdl-mdoc 0.37.2-next.34 → 0.38.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

package/dist/index.d.cts CHANGED Viewed

@@ -119,16 +119,22 @@ declare const mdocSupportMethods: Array<string>;
 declare class MDLMdoc implements IAgentPlugin {
     readonly schema: any;
     readonly methods: ImDLMdoc;
-    private readonly trustAnchors;
+    private readonly staticTrustAnchors;
+    private readonly trustAnchorProvider?;
+    private readonly blindlyTrustedAnchorProvider?;
     private opts;
     constructor(args?: {
         trustAnchors?: string[];
+        trustAnchorProvider?: () => string[];
+        blindlyTrustedAnchorProvider?: () => string[];
         opts?: {
             trustRootWhenNoAnchors?: boolean;
             allowSingleNoCAChainElement?: boolean;
             blindlyTrustedAnchors?: string[];
         };
     });
+    private get trustAnchors();
+    private get effectiveBlindlyTrustedAnchors();
     /**
      * Processes and verifies the provided mdoc, generates device response and presentation submission tokens.
      *

package/dist/index.d.ts CHANGED Viewed

@@ -119,16 +119,22 @@ declare const mdocSupportMethods: Array<string>;
 declare class MDLMdoc implements IAgentPlugin {
     readonly schema: any;
     readonly methods: ImDLMdoc;
-    private readonly trustAnchors;
+    private readonly staticTrustAnchors;
+    private readonly trustAnchorProvider?;
+    private readonly blindlyTrustedAnchorProvider?;
     private opts;
     constructor(args?: {
         trustAnchors?: string[];
+        trustAnchorProvider?: () => string[];
+        blindlyTrustedAnchorProvider?: () => string[];
         opts?: {
             trustRootWhenNoAnchors?: boolean;
             allowSingleNoCAChainElement?: boolean;
             blindlyTrustedAnchors?: string[];
         };
     });
+    private get trustAnchors();
+    private get effectiveBlindlyTrustedAnchors();
     /**
      * Processes and verifies the provided mdoc, generates device response and presentation submission tokens.
      *

package/dist/index.js CHANGED Viewed

@@ -2056,15 +2056,315 @@ import { derToPEM, getCertificateInfo, getSubjectDN, pemOrDerToX509Certificate,
 import * as crypto from "crypto";
 import { CryptoEngine, setEngine } from "pkijs";
 import { fromString } from "uint8arrays/from-string";
+import { toString as u8aToString } from "uint8arrays/to-string";
 var { com } = mdocPkg;
 var CoseJoseKeyMappingService = com.sphereon.crypto.CoseJoseKeyMappingService;
 var KeyInfo = mdocPkg.com.sphereon.crypto.KeyInfo;
 var DateTimeUtils = mdocPkg.com.sphereon.kmp.DateTimeUtils;
-var decodeFrom = mdocPkg.com.sphereon.kmp.decodeFrom;
-var encodeTo = mdocPkg.com.sphereon.kmp.encodeTo;
-var Encoding = mdocPkg.com.sphereon.kmp.Encoding;
 var SignatureAlgorithm = mdocPkg.com.sphereon.crypto.generic.SignatureAlgorithm;
 var DefaultCallbacks = mdocPkg.com.sphereon.crypto.DefaultCallbacks;
+function toU8(bytes) {
+  if (bytes instanceof Uint8Array) return bytes;
+  if (ArrayBuffer.isView(bytes)) {
+    const v = bytes;
+    return new Uint8Array(v.buffer, v.byteOffset, v.byteLength);
+  }
+  if (Array.isArray(bytes)) return Uint8Array.from(bytes.map((b) => b & 255));
+  throw new Error("unsupported raw bytes type");
+}
+__name(toU8, "toU8");
+function extractIssuerAuthRawParts(rawInput) {
+  const u8 = toU8(rawInput);
+  let pos = 0;
+  const readHead = /* @__PURE__ */ __name(() => {
+    const b = u8[pos++];
+    const mt = b >> 5;
+    const info = b & 31;
+    let len;
+    if (info < 24) len = info;
+    else if (info === 24) {
+      len = u8[pos];
+      pos += 1;
+    } else if (info === 25) {
+      len = u8[pos] << 8 | u8[pos + 1];
+      pos += 2;
+    } else if (info === 26) {
+      len = u8[pos] * 16777216 + (u8[pos + 1] << 16) + (u8[pos + 2] << 8) + u8[pos + 3];
+      pos += 4;
+    } else throw new Error("unsupported cbor length info " + info);
+    return {
+      mt,
+      len
+    };
+  }, "readHead");
+  const skip = /* @__PURE__ */ __name(() => {
+    const h = readHead();
+    switch (h.mt) {
+      case 0:
+      case 1:
+      case 7:
+        return;
+      case 2:
+      case 3:
+        pos += h.len;
+        return;
+      case 4:
+        for (let i = 0; i < h.len; i++) skip();
+        return;
+      case 5:
+        for (let i = 0; i < h.len * 2; i++) skip();
+        return;
+      case 6:
+        skip();
+        return;
+    }
+  }, "skip");
+  const readBstr = /* @__PURE__ */ __name(() => {
+    const h = readHead();
+    if (h.mt !== 2) throw new Error("expected bstr, got mt " + h.mt);
+    const out = u8.slice(pos, pos + h.len);
+    pos += h.len;
+    return out;
+  }, "readBstr");
+  const readTstr = /* @__PURE__ */ __name(() => {
+    const h = readHead();
+    if (h.mt !== 3) throw new Error("expected tstr, got mt " + h.mt);
+    const out = new TextDecoder().decode(u8.slice(pos, pos + h.len));
+    pos += h.len;
+    return out;
+  }, "readTstr");
+  const outer = readHead();
+  if (outer.mt !== 5) return void 0;
+  for (let i = 0; i < outer.len; i++) {
+    const key = readTstr();
+    if (key === "issuerAuth") {
+      const arr = readHead();
+      if (arr.mt !== 4 || arr.len !== 4) throw new Error("issuerAuth is not a 4-element array");
+      const protectedBytes = readBstr();
+      skip();
+      const payloadBytes = readBstr();
+      return {
+        protectedBytes,
+        payloadBytes
+      };
+    }
+    skip();
+  }
+  return void 0;
+}
+__name(extractIssuerAuthRawParts, "extractIssuerAuthRawParts");
+function encodeBstrHeader(len) {
+  if (len < 24) return new Uint8Array([
+    64 | len
+  ]);
+  if (len < 256) return new Uint8Array([
+    88,
+    len
+  ]);
+  if (len < 65536) return new Uint8Array([
+    89,
+    len >> 8 & 255,
+    len & 255
+  ]);
+  return new Uint8Array([
+    90,
+    len >>> 24 & 255,
+    len >> 16 & 255,
+    len >> 8 & 255,
+    len & 255
+  ]);
+}
+__name(encodeBstrHeader, "encodeBstrHeader");
+function concatU8(parts) {
+  let total = 0;
+  for (const p of parts) total += p.length;
+  const out = new Uint8Array(total);
+  let off = 0;
+  for (const p of parts) {
+    out.set(p, off);
+    off += p.length;
+  }
+  return out;
+}
+__name(concatU8, "concatU8");
+function buildSig1Structure(protectedBytes, payloadBytes) {
+  const sig1Label = new Uint8Array([
+    106,
+    83,
+    105,
+    103,
+    110,
+    97,
+    116,
+    117,
+    114,
+    101,
+    49
+  ]);
+  return concatU8([
+    new Uint8Array([
+      132
+    ]),
+    sig1Label,
+    encodeBstrHeader(protectedBytes.length),
+    protectedBytes,
+    new Uint8Array([
+      64
+    ]),
+    encodeBstrHeader(payloadBytes.length),
+    payloadBytes
+  ]);
+}
+__name(buildSig1Structure, "buildSig1Structure");
+function derEcdsaToRaw(der, coordSize) {
+  let offset = 0;
+  if (der[offset++] !== 48) throw new Error("Invalid DER ECDSA signature: missing SEQUENCE tag");
+  let seqLen = der[offset++];
+  if (seqLen & 128) {
+    const numBytes = seqLen & 127;
+    seqLen = 0;
+    for (let i = 0; i < numBytes; i++) seqLen = seqLen << 8 | der[offset++];
+  }
+  const readInt = /* @__PURE__ */ __name(() => {
+    if (der[offset++] !== 2) throw new Error("Invalid DER ECDSA signature: missing INTEGER tag");
+    const len = der[offset++];
+    let val = der.slice(offset, offset + len);
+    offset += len;
+    let start = 0;
+    while (start < val.length - 1 && val[start] === 0) start++;
+    val = val.slice(start);
+    if (val.length > coordSize) throw new Error(`Invalid DER ECDSA signature: integer (${val.length}) exceeds ${coordSize}`);
+    const out = new Uint8Array(coordSize);
+    out.set(val, coordSize - val.length);
+    return out;
+  }, "readInt");
+  const r = readInt();
+  const s = readInt();
+  return concatU8([
+    r,
+    s
+  ]);
+}
+__name(derEcdsaToRaw, "derEcdsaToRaw");
+function decodeKmsSignatureToRaw(signature, coordSize) {
+  const normalized = signature.trim().replace(/\s+/g, "").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/g, "");
+  const bytes = fromString(normalized, "base64url");
+  if (bytes.length > coordSize * 2 && bytes[0] === 48) {
+    return derEcdsaToRaw(bytes, coordSize);
+  }
+  return bytes;
+}
+__name(decodeKmsSignatureToRaw, "decodeKmsSignatureToRaw");
+function cborHeader(buf, off) {
+  const ib = buf[off];
+  const major = ib >> 5;
+  const ai = ib & 31;
+  if (ai < 24) return {
+    major,
+    headerLen: 1,
+    argument: ai
+  };
+  if (ai === 24) return {
+    major,
+    headerLen: 2,
+    argument: buf[off + 1]
+  };
+  if (ai === 25) return {
+    major,
+    headerLen: 3,
+    argument: buf[off + 1] << 8 | buf[off + 2]
+  };
+  if (ai === 26) return {
+    major,
+    headerLen: 5,
+    argument: buf[off + 1] * 16777216 + (buf[off + 2] << 16) + (buf[off + 3] << 8) + buf[off + 4]
+  };
+  if (ai === 27) {
+    let v = 0;
+    for (let i = 1; i <= 8; i++) v = v * 256 + buf[off + i];
+    return {
+      major,
+      headerLen: 9,
+      argument: v
+    };
+  }
+  throw new Error(`unsupported CBOR additional-info ${ai} at offset ${off}`);
+}
+__name(cborHeader, "cborHeader");
+function cborItemLen(buf, off) {
+  const h = cborHeader(buf, off);
+  let total = h.headerLen;
+  switch (h.major) {
+    case 0:
+    case 1:
+    case 7:
+      break;
+    case 2:
+    case 3:
+      total += h.argument;
+      break;
+    case 4:
+      for (let i = 0; i < h.argument; i++) total += cborItemLen(buf, off + total);
+      break;
+    case 5:
+      for (let i = 0; i < h.argument * 2; i++) total += cborItemLen(buf, off + total);
+      break;
+    case 6:
+      total += cborItemLen(buf, off + total);
+      break;
+    default:
+      throw new Error(`unsupported CBOR major type ${h.major}`);
+  }
+  return total;
+}
+__name(cborItemLen, "cborItemLen");
+function reconstructMdocDeviceAuthSigStructure(sig) {
+  if (sig[0] !== 132) return sig;
+  let off = 1;
+  off += cborItemLen(sig, off);
+  off += cborItemLen(sig, off);
+  off += cborItemLen(sig, off);
+  const payloadStart = off;
+  const ph = cborHeader(sig, payloadStart);
+  if (ph.major !== 2) return sig;
+  const daStart = payloadStart + ph.headerLen;
+  const da = sig.subarray(daStart, daStart + ph.argument);
+  if (da[0] !== 132) return sig;
+  let d = 1;
+  d += cborItemLen(da, d);
+  d += cborItemLen(da, d);
+  d += cborItemLen(da, d);
+  const e4 = da.subarray(d, d + cborItemLen(da, d));
+  const e4Tagged = concatU8([
+    new Uint8Array([
+      216,
+      24
+    ]),
+    encodeBstrHeader(e4.length),
+    e4
+  ]);
+  const daCorrected = concatU8([
+    da.subarray(0, d),
+    e4Tagged
+  ]);
+  const deviceAuthBytes = concatU8([
+    new Uint8Array([
+      216,
+      24
+    ]),
+    encodeBstrHeader(daCorrected.length),
+    daCorrected
+  ]);
+  const newPayload = concatU8([
+    encodeBstrHeader(deviceAuthBytes.length),
+    deviceAuthBytes
+  ]);
+  return concatU8([
+    sig.subarray(0, payloadStart),
+    newPayload
+  ]);
+}
+__name(reconstructMdocDeviceAuthSigStructure, "reconstructMdocDeviceAuthSigStructure");
 var CoseCryptoService = class {
   static {
     __name(this, "CoseCryptoService");
@@ -2081,7 +2381,21 @@ var CoseCryptoService = class {
       throw Error("No context provided. Please provide a context with the setContext method or constructor");
     }
     const { keyInfo, alg, value } = input;
+    let toBeSigned = toU8(value);
+    try {
+      toBeSigned = reconstructMdocDeviceAuthSigStructure(toBeSigned);
+    } catch (e) {
+      console.log(`(mdl-mdoc:sign) Sig_structure tag-24 reconstruction failed, signing kmp original: ${e?.message}`);
+    }
+    try {
+      let hex = "";
+      for (let i = 0; i < toBeSigned.length; i++) hex += (toBeSigned[i] & 255).toString(16).padStart(2, "0");
+      console.log(`(mdl-mdoc:sign) ToBeSigned len=${toBeSigned.length} hex=${hex}`);
+    } catch (e) {
+      console.log(`(mdl-mdoc:sign) ToBeSigned hex failed: ${e?.message}`);
+    }
     let kmsKeyRef = keyInfo.kmsKeyRef ?? void 0;
+    const fallbackKeyRefs = [];
     if (!kmsKeyRef) {
       const key = keyInfo.key;
       if (key == null) {
@@ -2089,21 +2403,49 @@ var CoseCryptoService = class {
       }
       const resolvedKeyInfo = com.sphereon.crypto.ResolvedKeyInfo.Static.fromKeyInfo(keyInfo, key);
       const jwkKeyInfo = CoseJoseKeyMappingService.toResolvedJwkKeyInfo(resolvedKeyInfo);
-      const kid = jwkKeyInfo.kid ?? calculateJwkThumbprint({
+      const thumbprint = calculateJwkThumbprint({
         jwk: jwkKeyInfo.key.toJsonDTO()
-      }) ?? jwkKeyInfo.key.getKidAsString(true);
+      });
+      const kid = jwkKeyInfo.kid ?? thumbprint ?? jwkKeyInfo.key.getKidAsString(true);
       if (!kid) {
         return Promise.reject(Error("No kid present and not kmsKeyRef provided"));
       }
       kmsKeyRef = kid;
+      if (thumbprint && thumbprint !== kid) {
+        fallbackKeyRefs.push(thumbprint);
+      }
     }
-    const result = await this.context.agent.keyManagerSign({
+    const doSign = /* @__PURE__ */ __name((keyRef) => this.context.agent.keyManagerSign({
       algorithm: alg.jose.value,
-      data: encodeTo(value, Encoding.UTF8),
-      encoding: "utf-8",
-      keyRef: kmsKeyRef
-    });
-    return decodeFrom(result, Encoding.UTF8);
+      // Pass the raw ToBeSigned (COSE Sig_structure) bytes as base64. The previous `encodeTo(value, UTF8)`
+      // interpreted the binary CBOR as UTF-8 text, corrupting every non-ASCII byte before the KMS even saw it
+      // (the MUSAP bridge then signed the mangled bytes -> verifier "Signature invalid"). base64 round-trips losslessly.
+      data: u8aToString(toBeSigned, "base64"),
+      encoding: "base64",
+      keyRef
+    }), "doSign");
+    let result;
+    try {
+      result = await doSign(kmsKeyRef);
+    } catch (error) {
+      let signed;
+      for (const ref of fallbackKeyRefs) {
+        try {
+          signed = await doSign(ref);
+          break;
+        } catch {
+        }
+      }
+      if (signed === void 0) {
+        throw error;
+      }
+      result = signed;
+    }
+    const joseAlg = alg.jose?.value;
+    const coordSize = joseAlg === "ES512" ? 66 : joseAlg === "ES384" ? 48 : 32;
+    const raw = decodeKmsSignatureToRaw(result, coordSize);
+    console.log(`(mdl-mdoc:sign) signature decoded: alg=${joseAlg}, inputChars=${result.length}, rawLen=${raw.length} (expected ${coordSize * 2})`);
+    return Int8Array.from(raw);
   }
   async verify1Async(input, keyInfo, requireX5Chain) {
     const getCertAndKey = /* @__PURE__ */ __name(async (x5c2) => {
@@ -2153,9 +2495,22 @@ var CoseCryptoService = class {
     const issuerCoseKeyInfo = new KeyInfo(kid, issuerCoseKey, coseKeyInfo.opts, coseKeyInfo.keyVisibility, issuerCoseKey.getSignatureAlgorithm() ?? coseKeyInfo.signatureAlgorithm, x5c, coseKeyInfo.kmsKeyRef, coseKeyInfo.kms, coseKeyInfo.keyType ?? issuerCoseKey.getKty());
     const recalculatedToBeSigned = input.toBeSignedJson(issuerCoseKeyInfo, SignatureAlgorithm.Static.fromCose(coseAlg));
     const key = CoseJoseKeyMappingService.toJoseJwk(issuerCoseKeyInfo.key).toJsonDTO();
+    let data = fromString(recalculatedToBeSigned.base64UrlValue, "base64url");
+    const signatureBytes = fromString(sign1Json.signature, "base64url");
+    const rawMdocBytes = globalThis.__sphereon_mdoc_raw_bytes;
+    if (rawMdocBytes) {
+      try {
+        const extracted = extractIssuerAuthRawParts(rawMdocBytes);
+        if (extracted) {
+          data = buildSig1Structure(extracted.protectedBytes, extracted.payloadBytes);
+        }
+      } catch (e) {
+        console.warn("[mdl-mdoc verify] failed to reparse raw mdoc; falling back to kmp-computed Sig_structure:", e.message);
+      }
+    }
     const valid = await verifyRawSignature({
-      data: fromString(recalculatedToBeSigned.base64UrlValue, "base64url"),
-      signature: fromString(sign1Json.signature, "base64url"),
+      data,
+      signature: signatureBytes,
       key
     });
     return {
@@ -2276,9 +2631,9 @@ var CoseCryptoServiceJS = com2.sphereon.crypto.CoseCryptoServiceJS;
 var CoseJoseKeyMappingService2 = com2.sphereon.crypto.CoseJoseKeyMappingService;
 var KeyInfo2 = com2.sphereon.crypto.KeyInfo;
 var DateTimeUtils2 = com2.sphereon.kmp.DateTimeUtils;
-var decodeFrom2 = com2.sphereon.kmp.decodeFrom;
-var encodeTo2 = com2.sphereon.kmp.encodeTo;
-var Encoding2 = com2.sphereon.kmp.Encoding;
+var decodeFrom = com2.sphereon.kmp.decodeFrom;
+var encodeTo = com2.sphereon.kmp.encodeTo;
+var Encoding = com2.sphereon.kmp.Encoding;
 var MdocValidations = com2.sphereon.mdoc.data.MdocValidations;
 var MdocOid4vpService = com2.sphereon.mdoc.oid4vp.MdocOid4vpServiceJs;
 var Jwk = com2.sphereon.crypto.jose.Jwk;
@@ -2305,14 +2660,31 @@ var MDLMdoc = class {
     mdocOid4vpHolderPresent: this.mdocOid4vpHolderPresent.bind(this),
     mdocOid4vpRPVerify: this.mdocOid4vpRPVerify.bind(this)
   };
-  trustAnchors;
+  staticTrustAnchors;
+  trustAnchorProvider;
+  blindlyTrustedAnchorProvider;
   opts;
   constructor(args) {
-    this.trustAnchors = args?.trustAnchors ?? [];
+    this.staticTrustAnchors = args?.trustAnchors ?? [];
+    this.trustAnchorProvider = args?.trustAnchorProvider;
+    this.blindlyTrustedAnchorProvider = args?.blindlyTrustedAnchorProvider;
     this.opts = args?.opts ?? {
       trustRootWhenNoAnchors: true
     };
   }
+  // Live-merged anchors: static (constructor) + provider (runtime/user). Read on every verification.
+  get trustAnchors() {
+    return [
+      ...this.staticTrustAnchors,
+      ...this.trustAnchorProvider?.() ?? []
+    ];
+  }
+  get effectiveBlindlyTrustedAnchors() {
+    return [
+      ...this.opts.blindlyTrustedAnchors ?? [],
+      ...this.blindlyTrustedAnchorProvider?.() ?? []
+    ];
+  }
   /**
   * Processes and verifies the provided mdoc, generates device response and presentation submission tokens.
   *
@@ -2353,22 +2725,36 @@ var MDLMdoc = class {
         const result = await validate(match.document);
         if (!result.error || responseUri.includes("openid.net")) {
           try {
-            const cborKey = result.keyInfo?.key ? CoseKeyCbor.Static.fromDTO(result.keyInfo.key) : void 0;
+            const matchDeviceKeyInfo = match.deviceKeyInfo;
+            const deviceKeyInfoSource = matchDeviceKeyInfo ?? result.keyInfo;
+            console.log(`(mdl-mdoc:deviceKey) amend: match.deviceKeyInfo present=${!!matchDeviceKeyInfo}, match.deviceKeyInfo.key present=${!!matchDeviceKeyInfo?.key}, result.keyInfo present=${!!result.keyInfo}, result.keyInfo.key present=${!!result.keyInfo?.key}, source=${matchDeviceKeyInfo ? "match.deviceKeyInfo" : "result.keyInfo"}`);
+            const cborKey = deviceKeyInfoSource?.key ? CoseKeyCbor.Static.fromDTO(deviceKeyInfoSource.key) : void 0;
             if (!cborKey) {
-              throw Error("No key found in result");
+              throw Error("No device (public) key found to amend: neither match.deviceKeyInfo.key nor result.keyInfo.key is populated. The mdoc MSO device public key is required to resolve the hardware-backed KMS key for signing.");
             }
             let jwk = CoseJoseKeyMappingService2.toJoseJwk(cborKey).toJsonDTO();
-            if (!result.keyInfo?.kmsKeyRef) {
-              const keyInfo = result.keyInfo;
-              const kid = jwk.kid ?? calculateJwkThumbprint2({
+            if (!deviceKeyInfoSource?.kmsKeyRef) {
+              const keyInfo = deviceKeyInfoSource;
+              const thumbprint = calculateJwkThumbprint2({
                 jwk
               });
-              const key = await _context.agent.keyManagerGet({
-                kid
-              });
+              const kid = jwk.kid ?? thumbprint;
+              console.log(`(mdl-mdoc:deviceKey) amend: resolved device public jwk kid=${jwk.kid}, thumbprint=${thumbprint}`);
+              let key;
+              try {
+                key = await _context.agent.keyManagerGet({
+                  kid
+                });
+              } catch (e) {
+                console.log(`(mdl-mdoc:deviceKey) amend: keyManagerGet by kid '${kid}' failed (${e?.message}); retrying by thumbprint '${thumbprint}'`);
+                key = await _context.agent.keyManagerGet({
+                  kid: thumbprint
+                });
+              }
               const kms = key.kms;
-              const kmsKeyRef = key.meta?.kmsKeyRef;
-              const updateCborKey = cborKey.copy(false, cborKey.kty, cborKey.kid ?? new CborByteString(decodeFrom2(kid, Encoding2.UTF8)));
+              const kmsKeyRef = key.meta?.kmsKeyRef ?? key.kid;
+              console.log(`(mdl-mdoc:deviceKey) amend: resolved hardware KMS key kms=${kms}, kmsKeyRef=${kmsKeyRef}`);
+              const updateCborKey = cborKey.copy(false, cborKey.kty, cborKey.kid ?? new CborByteString(decodeFrom(kid, Encoding.UTF8)));
               const deviceKeyInfo = KeyInfo2.Static.fromDTO(keyInfo).copy(kid, updateCborKey, keyInfo.opts, keyInfo.keyVisibility, keyInfo.signatureAlgorithm, keyInfo.x5c, kmsKeyRef, kms);
               const updateMatch = match.copy(match.inputDescriptor, match.document, match.documentError, deviceKeyInfo);
               match = updateMatch;
@@ -2388,9 +2774,74 @@ var MDLMdoc = class {
       }
       return Promise.reject(Error("No matching documents found"));
     }
-    const deviceResponse = await oid4vpService.createDeviceResponse(docsAndDescriptors, presentationDefinition, clientId, responseUri, authorizationRequestNonce);
-    const vp_token = encodeTo2(deviceResponse.cborEncode(), Encoding2.BASE64URL);
-    const presentation_submission = Oid4VPPresentationSubmission.Static.fromPresentationDefinition(presentationDefinition);
+    try {
+      console.log(`(mdl-mdoc:deviceResponse) args: clientId=${clientId}, responseUri=${responseUri}, authorizationRequestNonce=${authorizationRequestNonce}, docCount=${docsAndDescriptors.length}`);
+      try {
+        console.log(`(mdl-mdoc:deviceResponse) presentationDefinition=${JSON.stringify(presentationDefinition)}`);
+      } catch (e) {
+        console.log(`(mdl-mdoc:deviceResponse) presentationDefinition stringify failed: ${e?.message}`);
+      }
+      docsAndDescriptors.forEach((d, idx) => {
+        const dk = d?.deviceKeyInfo;
+        let docType = void 0;
+        try {
+          docType = d?.document?.docType?.value ?? d?.document?.MSO?.value?.docType?.value ?? d?.document?.getDocType?.();
+        } catch {
+        }
+        console.log(`(mdl-mdoc:deviceResponse) doc[${idx}]: inputDescriptor.id=${d?.inputDescriptor?.id?.value ?? d?.inputDescriptor?.id}, docType=${docType}, document present=${!!d?.document}, documentError present=${!!d?.documentError}, deviceKeyInfo present=${!!dk}, deviceKeyInfo.key present=${!!dk?.key}, deviceKeyInfo.kid=${dk?.kid}, kmsKeyRef=${dk?.kmsKeyRef}, kms=${dk?.kms}, signatureAlgorithm=${dk?.signatureAlgorithm}, x5c present=${!!dk?.x5c}`);
+        try {
+          const dkJson = dk?.toJson ? dk.toJson() : dk;
+          console.log(`(mdl-mdoc:deviceResponse) doc[${idx}] deviceKeyInfo=${JSON.stringify(dkJson)}`);
+        } catch (e) {
+          console.log(`(mdl-mdoc:deviceResponse) doc[${idx}] deviceKeyInfo serialize failed: ${e?.message}`);
+        }
+        try {
+          const keyJson = dk?.key?.toJson ? dk.key.toJson() : dk?.key;
+          console.log(`(mdl-mdoc:deviceResponse) doc[${idx}] deviceKeyInfo.key=${JSON.stringify(keyJson)}`);
+        } catch (e) {
+          console.log(`(mdl-mdoc:deviceResponse) doc[${idx}] deviceKeyInfo.key serialize failed: ${e?.message}`);
+        }
+      });
+    } catch (e) {
+      console.log(`(mdl-mdoc:deviceResponse) argument logging failed: ${e?.message}`);
+    }
+    let deviceResponse;
+    try {
+      deviceResponse = await oid4vpService.createDeviceResponse(docsAndDescriptors, presentationDefinition, clientId, responseUri, authorizationRequestNonce);
+    } catch (e) {
+      console.log(`(mdl-mdoc:deviceResponse) createDeviceResponse failed: ${e?.message}`);
+      console.log(`(mdl-mdoc:deviceResponse) STACK: ${e?.stack}`);
+      throw e;
+    }
+    try {
+      console.log(`(mdl-mdoc:deviceResponse) createDeviceResponse returned: present=${!!deviceResponse}, type=${typeof deviceResponse}`);
+      const dr = deviceResponse;
+      try {
+        const docs = dr?.documents ?? dr?.b3p_1 ?? void 0;
+        console.log(`(mdl-mdoc:deviceResponse) deviceResponse.version present=${!!dr?.version}, status present=${dr?.status != null}, documents present=${!!docs}, documentsCount=${docs?.length ?? docs?.size ?? "n/a"}`);
+      } catch (e) {
+        console.log(`(mdl-mdoc:deviceResponse) deviceResponse structure probe failed: ${e?.message}`);
+      }
+    } catch {
+    }
+    let vp_token;
+    try {
+      const encoded = deviceResponse.cborEncode();
+      console.log(`(mdl-mdoc:deviceResponse) cborEncode OK, byteLen=${encoded?.length}`);
+      vp_token = encodeTo(encoded, Encoding.BASE64URL);
+    } catch (e) {
+      console.log(`(mdl-mdoc:deviceResponse) cborEncode failed: ${e?.message}`);
+      console.log(`(mdl-mdoc:deviceResponse) cborEncode STACK: ${e?.stack}`);
+      throw e;
+    }
+    let presentation_submission;
+    try {
+      presentation_submission = Oid4VPPresentationSubmission.Static.fromPresentationDefinition(presentationDefinition);
+    } catch (e) {
+      console.log(`(mdl-mdoc:deviceResponse) fromPresentationDefinition failed: ${e?.message}`);
+      console.log(`(mdl-mdoc:deviceResponse) fromPresentationDefinition STACK: ${e?.stack}`);
+      throw e;
+    }
     return {
       vp_token,
       presentation_submission
@@ -2406,7 +2857,7 @@ var MDLMdoc = class {
   */
   async mdocOid4vpRPVerify(args, _context) {
     const { vp_token, presentation_submission, trustAnchors } = args;
-    const deviceResponse = com3.sphereon.mdoc.data.device.DeviceResponseCbor.Static.cborDecode(decodeFrom2(vp_token, Encoding2.BASE64URL));
+    const deviceResponse = com3.sphereon.mdoc.data.device.DeviceResponseCbor.Static.cborDecode(decodeFrom(vp_token, Encoding.BASE64URL));
     if (!deviceResponse.documents) {
       return Promise.reject(Error(`No documents found in vp_token`));
     }
@@ -2492,7 +2943,8 @@ var MDLMdoc = class {
       trustAnchors: Array.from(trustAnchors),
       opts: {
         ...args?.opts,
-        ...this.opts
+        ...this.opts,
+        blindlyTrustedAnchors: this.effectiveBlindlyTrustedAnchors
       }
     });
     console.log(`x509 validation for ${validationResult.error ? "Error" : "Success"}. message: ${validationResult.message}, details: ${validationResult.detailMessage}`);
@@ -2526,7 +2978,7 @@ export {
   CoseJoseKeyMappingService2 as CoseJoseKeyMappingService,
   CoseKeyCbor,
   DateTimeUtils2 as DateTimeUtils,
-  Encoding2 as Encoding,
+  Encoding,
   Jwk,
   KeyInfo2 as KeyInfo,
   MDLMdoc,
@@ -2534,8 +2986,8 @@ export {
   MdocValidations,
   Oid4VPPresentationSubmission,
   X509CallbackService,
-  decodeFrom2 as decodeFrom,
-  encodeTo2 as encodeTo,
+  decodeFrom,
+  encodeTo,
   logger,
   mdocSupportMethods,
   schema