@sphereon/ssi-sdk.oid4vci-holder 0.33.1-feature.vcdm2.tsup.32 → 0.33.1-next.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (55) hide show
  1. package/dist/agent/OID4VCIHolder.d.ts +59 -0
  2. package/dist/agent/OID4VCIHolder.d.ts.map +1 -0
  3. package/dist/agent/OID4VCIHolder.js +884 -0
  4. package/dist/agent/OID4VCIHolder.js.map +1 -0
  5. package/dist/index.d.ts +11 -785
  6. package/dist/index.d.ts.map +1 -0
  7. package/dist/index.js +31 -3111
  8. package/dist/index.js.map +1 -1
  9. package/dist/link-handler/index.d.ts +31 -0
  10. package/dist/link-handler/index.d.ts.map +1 -0
  11. package/dist/link-handler/index.js +65 -0
  12. package/dist/link-handler/index.js.map +1 -0
  13. package/dist/listeners/headlessStateNavListener.d.ts +3 -0
  14. package/dist/listeners/headlessStateNavListener.d.ts.map +1 -0
  15. package/dist/listeners/headlessStateNavListener.js +45 -0
  16. package/dist/listeners/headlessStateNavListener.js.map +1 -0
  17. package/dist/localization/Localization.d.ts +9 -0
  18. package/dist/localization/Localization.d.ts.map +1 -0
  19. package/dist/localization/Localization.js +46 -0
  20. package/dist/localization/Localization.js.map +1 -0
  21. package/dist/localization/translations/en.json +19 -0
  22. package/dist/localization/translations/nl.json +18 -0
  23. package/dist/machines/firstPartyMachine.d.ts +15 -0
  24. package/dist/machines/firstPartyMachine.d.ts.map +1 -0
  25. package/dist/machines/firstPartyMachine.js +222 -0
  26. package/dist/machines/firstPartyMachine.js.map +1 -0
  27. package/dist/machines/oid4vciMachine.d.ts +7 -0
  28. package/dist/machines/oid4vciMachine.d.ts.map +1 -0
  29. package/dist/machines/oid4vciMachine.js +727 -0
  30. package/dist/machines/oid4vciMachine.js.map +1 -0
  31. package/dist/mappers/OIDC4VCIBrandingMapper.d.ts +16 -0
  32. package/dist/mappers/OIDC4VCIBrandingMapper.d.ts.map +1 -0
  33. package/dist/mappers/OIDC4VCIBrandingMapper.js +201 -0
  34. package/dist/mappers/OIDC4VCIBrandingMapper.js.map +1 -0
  35. package/dist/services/FirstPartyMachineServices.d.ts +9 -0
  36. package/dist/services/FirstPartyMachineServices.d.ts.map +1 -0
  37. package/dist/services/FirstPartyMachineServices.js +53 -0
  38. package/dist/services/FirstPartyMachineServices.js.map +1 -0
  39. package/dist/services/OID4VCIHolderService.d.ts +28 -0
  40. package/dist/services/OID4VCIHolderService.d.ts.map +1 -0
  41. package/dist/services/OID4VCIHolderService.js +524 -0
  42. package/dist/services/OID4VCIHolderService.js.map +1 -0
  43. package/dist/types/FirstPartyMachine.d.ts +112 -0
  44. package/dist/types/FirstPartyMachine.d.ts.map +1 -0
  45. package/dist/types/FirstPartyMachine.js +30 -0
  46. package/dist/types/FirstPartyMachine.js.map +1 -0
  47. package/dist/types/IOID4VCIHolder.d.ts +558 -0
  48. package/dist/types/IOID4VCIHolder.d.ts.map +1 -0
  49. package/dist/types/IOID4VCIHolder.js +114 -0
  50. package/dist/types/IOID4VCIHolder.js.map +1 -0
  51. package/package.json +34 -45
  52. package/src/agent/OID4VCIHolder.ts +4 -3
  53. package/dist/index.cjs +0 -3142
  54. package/dist/index.cjs.map +0 -1
  55. package/dist/index.d.cts +0 -786
package/dist/agent/OID4VCIHolder.js ADDED
@@ -0,0 +1,884 @@
1
+ "use strict";
2
+ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
3
+ function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
4
+ return new (P || (P = Promise))(function (resolve, reject) {
5
+ function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
6
+ function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
7
+ function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
8
+ step((generator = generator.apply(thisArg, _arguments || [])).next());
9
+ });
10
+ };
11
+ Object.defineProperty(exports, "__esModule", { value: true });
12
+ exports.OID4VCIHolder = exports.oid4vciHolderContextMethods = void 0;
13
+ exports.signCallback = signCallback;
14
+ exports.verifyEBSICredentialIssuer = verifyEBSICredentialIssuer;
15
+ const oid4vci_client_1 = require("@sphereon/oid4vci-client");
16
+ const oid4vci_common_1 = require("@sphereon/oid4vci-common");
17
+ const ssi_sdk_ext_did_utils_1 = require("@sphereon/ssi-sdk-ext.did-utils");
18
+ const ssi_sdk_ext_identifier_resolution_1 = require("@sphereon/ssi-sdk-ext.identifier-resolution");
19
+ const ssi_sdk_ext_key_utils_1 = require("@sphereon/ssi-sdk-ext.key-utils");
20
+ const ssi_sdk_data_store_1 = require("@sphereon/ssi-sdk.data-store");
21
+ const ssi_types_1 = require("@sphereon/ssi-types");
22
+ const utils_1 = require("@veramo/utils");
23
+ const did_jwt_1 = require("did-jwt");
24
+ const uuid_1 = require("uuid");
25
+ const oid4vciMachine_1 = require("../machines/oid4vciMachine");
26
+ const IOID4VCIHolder_1 = require("../types/IOID4VCIHolder");
27
+ const OID4VCIHolderService_1 = require("../services/OID4VCIHolderService");
28
+ require("cross-fetch/polyfill");
29
+ const ssi_sdk_core_1 = require("@sphereon/ssi-sdk.core");
30
+ /**
31
+ * {@inheritDoc IOID4VCIHolder}
32
+ */
33
+ // Exposing the methods here for any REST implementation
34
+ exports.oid4vciHolderContextMethods = [
35
+ 'cmGetContacts',
36
+ 'cmGetContact',
37
+ 'cmAddContact',
38
+ 'cmAddIdentity',
39
+ 'ibCredentialLocaleBrandingFrom',
40
+ 'ibAddCredentialBranding',
41
+ 'dataStoreSaveVerifiableCredential',
42
+ 'didManagerFind',
43
+ 'didManagerGet',
44
+ 'keyManagerSign',
45
+ 'verifyCredential',
46
+ ];
47
+ const logger = ssi_types_1.Loggers.DEFAULT.get('sphereon:oid4vci:holder');
48
+ function signCallback(identifier, context, nonce) {
49
+ return (jwt, kid) => __awaiter(this, void 0, void 0, function* () {
50
+ var _a;
51
+ let resolution = yield context.agent.identifierManagedGet(identifier);
52
+ const jwk = (_a = jwt.header.jwk) !== null && _a !== void 0 ? _a : (resolution.method === 'jwk' ? resolution.jwk : undefined);
53
+ if (!resolution.issuer && !jwt.payload.iss) {
54
+ return Promise.reject(Error(`No issuer could be determined from the JWT ${JSON.stringify(jwt)} or identifier resolution`));
55
+ }
56
+ const header = jwt.header;
57
+ const payload = jwt.payload;
58
+ if (nonce) {
59
+ payload.nonce = nonce;
60
+ }
61
+ if (jwk && header.kid) {
62
+ console.log(`Deleting kid, as we are using a jwk and the oid4vci spec does not allow both to be present (which is not the case in the JOSE spec)`);
63
+ delete header.kid; // The OID4VCI spec does not allow a JWK with kid present although the JWS spec does
64
+ }
65
+ return (yield context.agent.jwtCreateJwsCompactSignature({
66
+ issuer: Object.assign(Object.assign({}, resolution), { noIssPayloadUpdate: false }),
67
+ protectedHeader: header,
68
+ payload,
69
+ })).jwt;
70
+ });
71
+ }
72
+ function verifyEBSICredentialIssuer(args) {
73
+ return __awaiter(this, void 0, void 0, function* () {
74
+ var _a, _b, _c, _d, _e, _f, _g, _h, _j;
75
+ const { wrappedVc, issuerType = ['TI'] } = args;
76
+ const issuer = (_b = (_a = wrappedVc.decoded) === null || _a === void 0 ? void 0 : _a.iss) !== null && _b !== void 0 ? _b : (typeof ((_d = (_c = wrappedVc.decoded) === null || _c === void 0 ? void 0 : _c.vc) === null || _d === void 0 ? void 0 : _d.issuer) === 'string' ? (_f = (_e = wrappedVc.decoded) === null || _e === void 0 ? void 0 : _e.vc) === null || _f === void 0 ? void 0 : _f.issuer : (_j = (_h = (_g = wrappedVc.decoded) === null || _g === void 0 ? void 0 : _g.vc) === null || _h === void 0 ? void 0 : _h.issuer) === null || _j === void 0 ? void 0 : _j.existingInstanceId);
77
+ if (!issuer) {
78
+ throw Error('The issuer of the VC is required to be present');
79
+ }
80
+ const url = `https://api-conformance.ebsi.eu/trusted-issuers-registry/v4/issuers/${issuer}`;
81
+ const response = yield fetch(url);
82
+ if (response.status !== 200) {
83
+ throw Error('The issuer of the VC cannot be trusted');
84
+ }
85
+ const payload = yield response.json();
86
+ if (!payload.attributes.some((a) => issuerType.includes(a.issuerType))) {
87
+ throw Error(`The issuer type is required to be one of: ${issuerType.join(', ')}`);
88
+ }
89
+ return payload;
90
+ });
91
+ }
92
+ class OID4VCIHolder {
93
+ constructor(options) {
94
+ this.eventTypes = [
95
+ IOID4VCIHolder_1.OID4VCIHolderEvent.CONTACT_IDENTITY_CREATED,
96
+ IOID4VCIHolder_1.OID4VCIHolderEvent.CREDENTIAL_STORED,
97
+ IOID4VCIHolder_1.OID4VCIHolderEvent.IDENTIFIER_CREATED,
98
+ ];
99
+ this.methods = {
100
+ oid4vciHolderStart: this.oid4vciHolderStart.bind(this),
101
+ oid4vciHolderGetIssuerMetadata: this.oid4vciHolderGetIssuerMetadata.bind(this),
102
+ oid4vciHolderGetMachineInterpreter: this.oid4vciHolderGetMachineInterpreter.bind(this),
103
+ oid4vciHolderCreateCredentialsToSelectFrom: this.oid4vciHolderCreateCredentialsToSelectFrom.bind(this),
104
+ oid4vciHolderGetContact: this.oid4vciHolderGetContact.bind(this),
105
+ oid4vciHolderGetCredentials: this.oid4vciHolderGetCredentials.bind(this),
106
+ oid4vciHolderGetCredential: this.oid4vciHolderGetCredential.bind(this),
107
+ oid4vciHolderAddContactIdentity: this.oid4vciHolderAddContactIdentity.bind(this),
108
+ oid4vciHolderAssertValidCredentials: this.oid4vciHolderAssertValidCredentials.bind(this),
109
+ oid4vciHolderStoreCredentialBranding: this.oid4vciHolderStoreCredentialBranding.bind(this),
110
+ oid4vciHolderStoreCredentials: this.oid4vciHolderStoreCredentials.bind(this),
111
+ oid4vciHolderSendNotification: this.oid4vciHolderSendNotification.bind(this),
112
+ oid4vciHolderGetIssuerBranding: this.oid4vciHolderGetIssuerBranding.bind(this),
113
+ oid4vciHolderStoreIssuerBranding: this.oid4vciHolderStoreIssuerBranding.bind(this),
114
+ };
115
+ this.vcFormatPreferences = ['vc+sd-jwt', 'mso_mdoc', 'jwt_vc_json', 'jwt_vc', 'ldp_vc'];
116
+ this.jsonldCryptographicSuitePreferences = [
117
+ 'Ed25519Signature2018',
118
+ 'EcdsaSecp256k1Signature2019',
119
+ 'Ed25519Signature2020',
120
+ 'JsonWebSignature2020',
121
+ // "JcsEd25519Signature2020"
122
+ ];
123
+ this.didMethodPreferences = [
124
+ ssi_sdk_ext_did_utils_1.SupportedDidMethodEnum.DID_JWK, // FIXME prefer JWK until we devise a method to detect when to use EBSI/jcs for did:key and when not
125
+ ssi_sdk_ext_did_utils_1.SupportedDidMethodEnum.DID_KEY,
126
+ ssi_sdk_ext_did_utils_1.SupportedDidMethodEnum.DID_OYD,
127
+ ssi_sdk_ext_did_utils_1.SupportedDidMethodEnum.DID_EBSI,
128
+ ssi_sdk_ext_did_utils_1.SupportedDidMethodEnum.DID_ION,
129
+ ];
130
+ this.jwtCryptographicSuitePreferences = [
131
+ ssi_types_1.JoseSignatureAlgorithm.ES256,
132
+ ssi_types_1.JoseSignatureAlgorithm.ES256K,
133
+ ssi_types_1.JoseSignatureAlgorithm.EdDSA,
134
+ ];
135
+ this.defaultAuthorizationRequestOpts = { redirectUri: OID4VCIHolder.DEFAULT_MOBILE_REDIRECT_URI };
136
+ const { onContactIdentityCreated, onCredentialStored, onIdentifierCreated, onVerifyEBSICredentialIssuer, vcFormatPreferences, jsonldCryptographicSuitePreferences, didMethodPreferences, jwtCryptographicSuitePreferences, defaultAuthorizationRequestOptions, hasher = ssi_sdk_core_1.defaultHasher, } = Object.assign({}, options);
137
+ this.hasher = hasher;
138
+ if (vcFormatPreferences !== undefined && vcFormatPreferences.length > 0) {
139
+ this.vcFormatPreferences = vcFormatPreferences;
140
+ }
141
+ if (jsonldCryptographicSuitePreferences !== undefined && jsonldCryptographicSuitePreferences.length > 0) {
142
+ this.jsonldCryptographicSuitePreferences = jsonldCryptographicSuitePreferences;
143
+ }
144
+ if (didMethodPreferences !== undefined && didMethodPreferences.length > 0) {
145
+ this.didMethodPreferences = didMethodPreferences;
146
+ }
147
+ if (jwtCryptographicSuitePreferences !== undefined && jwtCryptographicSuitePreferences.length > 0) {
148
+ this.jwtCryptographicSuitePreferences = jwtCryptographicSuitePreferences;
149
+ }
150
+ if (defaultAuthorizationRequestOptions) {
151
+ this.defaultAuthorizationRequestOpts = defaultAuthorizationRequestOptions;
152
+ }
153
+ this.onContactIdentityCreated = onContactIdentityCreated;
154
+ this.onCredentialStored = onCredentialStored;
155
+ this.onIdentifierCreated = onIdentifierCreated;
156
+ this.onVerifyEBSICredentialIssuer = onVerifyEBSICredentialIssuer;
157
+ }
158
+ onEvent(event, context) {
159
+ return __awaiter(this, void 0, void 0, function* () {
160
+ var _a, _b, _c;
161
+ switch (event.type) {
162
+ case IOID4VCIHolder_1.OID4VCIHolderEvent.CONTACT_IDENTITY_CREATED:
163
+ (_a = this.onContactIdentityCreated) === null || _a === void 0 ? void 0 : _a.call(this, event.data);
164
+ break;
165
+ case IOID4VCIHolder_1.OID4VCIHolderEvent.CREDENTIAL_STORED:
166
+ (_b = this.onCredentialStored) === null || _b === void 0 ? void 0 : _b.call(this, event.data);
167
+ break;
168
+ case IOID4VCIHolder_1.OID4VCIHolderEvent.IDENTIFIER_CREATED:
169
+ (_c = this.onIdentifierCreated) === null || _c === void 0 ? void 0 : _c.call(this, event.data);
170
+ break;
171
+ default:
172
+ return Promise.reject(Error(`Event type ${event.type} not supported`));
173
+ }
174
+ });
175
+ }
176
+ /**
177
+ * FIXME: This method can only be used locally. Creating the interpreter should be local to where the agent is running
178
+ */
179
+ oid4vciHolderGetMachineInterpreter(opts, context) {
180
+ return __awaiter(this, void 0, void 0, function* () {
181
+ const authorizationRequestOpts = Object.assign(Object.assign({}, this.defaultAuthorizationRequestOpts), opts.authorizationRequestOpts);
182
+ const services = {
183
+ [IOID4VCIHolder_1.OID4VCIMachineServices.start]: (args) => this.oid4vciHolderStart(Object.assign(Object.assign({}, args), { authorizationRequestOpts }), context),
184
+ [IOID4VCIHolder_1.OID4VCIMachineServices.startFirstPartApplicationFlow]: (args) => (0, OID4VCIHolderService_1.startFirstPartApplicationMachine)(Object.assign(Object.assign({}, args), { stateNavigationListener: opts.firstPartyStateNavigationListener }), context),
185
+ [IOID4VCIHolder_1.OID4VCIMachineServices.createCredentialsToSelectFrom]: (args) => this.oid4vciHolderCreateCredentialsToSelectFrom(args, context),
186
+ [IOID4VCIHolder_1.OID4VCIMachineServices.getContact]: (args) => this.oid4vciHolderGetContact(args, context),
187
+ [IOID4VCIHolder_1.OID4VCIMachineServices.getCredentials]: (args) => { var _a; return this.oid4vciHolderGetCredentials(Object.assign({ accessTokenOpts: (_a = args.accessTokenOpts) !== null && _a !== void 0 ? _a : opts.accessTokenOpts }, args), context); },
188
+ [IOID4VCIHolder_1.OID4VCIMachineServices.addContactIdentity]: (args) => this.oid4vciHolderAddContactIdentity(args, context),
189
+ [IOID4VCIHolder_1.OID4VCIMachineServices.getIssuerBranding]: (args) => this.oid4vciHolderGetIssuerBranding(args, context),
190
+ [IOID4VCIHolder_1.OID4VCIMachineServices.storeIssuerBranding]: (args) => this.oid4vciHolderStoreIssuerBranding(args, context),
191
+ [IOID4VCIHolder_1.OID4VCIMachineServices.assertValidCredentials]: (args) => this.oid4vciHolderAssertValidCredentials(args, context),
192
+ [IOID4VCIHolder_1.OID4VCIMachineServices.storeCredentialBranding]: (args) => this.oid4vciHolderStoreCredentialBranding(args, context),
193
+ [IOID4VCIHolder_1.OID4VCIMachineServices.storeCredentials]: (args) => this.oid4vciHolderStoreCredentials(args, context),
194
+ [IOID4VCIHolder_1.OID4VCIMachineServices.sendNotification]: (args) => this.oid4vciHolderSendNotification(args, context),
195
+ [IOID4VCIHolder_1.OID4VCIMachineServices.getFederationTrust]: (args) => this.getFederationTrust(args, context),
196
+ };
197
+ const oid4vciMachineInstanceArgs = Object.assign(Object.assign({}, opts), { authorizationRequestOpts, services: Object.assign(Object.assign({}, services), opts.services) });
198
+ const { interpreter } = yield oid4vciMachine_1.OID4VCIMachine.newInstance(oid4vciMachineInstanceArgs, context);
199
+ return {
200
+ interpreter,
201
+ };
202
+ });
203
+ }
204
+ /**
205
+ * This method is run before the machine starts! So there is no concept of the state machine context or states yet
206
+ *
207
+ * The result of this method can be directly passed into the start method of the state machine
208
+ * @param args
209
+ * @param context
210
+ * @private
211
+ */
212
+ oid4vciHolderStart(args, context) {
213
+ return __awaiter(this, void 0, void 0, function* () {
214
+ var _a, _b, _c;
215
+ const { requestData } = args;
216
+ if (!requestData) {
217
+ throw Error(`Cannot start the OID4VCI holder flow without request data being provided`);
218
+ }
219
+ const { uri = undefined } = requestData;
220
+ if (!uri) {
221
+ return Promise.reject(Error('Missing request URI in context'));
222
+ }
223
+ const authorizationRequestOpts = Object.assign(Object.assign({}, this.defaultAuthorizationRequestOpts), args.authorizationRequestOpts);
224
+ // We filter the details first against our vcformat prefs
225
+ authorizationRequestOpts.authorizationDetails = (authorizationRequestOpts === null || authorizationRequestOpts === void 0 ? void 0 : authorizationRequestOpts.authorizationDetails)
226
+ ? (0, utils_1.asArray)(authorizationRequestOpts.authorizationDetails).filter((detail) => typeof detail === 'string' || this.vcFormatPreferences.includes(detail.format))
227
+ : undefined;
228
+ if (!authorizationRequestOpts.redirectUri) {
229
+ authorizationRequestOpts.redirectUri = OID4VCIHolder.DEFAULT_MOBILE_REDIRECT_URI;
230
+ }
231
+ if (authorizationRequestOpts.redirectUri.startsWith('http') && !authorizationRequestOpts.clientId) {
232
+ // At least set a default for a web based wallet.
233
+ // TODO: We really need (dynamic) client registration support
234
+ authorizationRequestOpts.clientId = authorizationRequestOpts.redirectUri;
235
+ }
236
+ let formats = this.vcFormatPreferences;
237
+ const authFormats = (_a = authorizationRequestOpts === null || authorizationRequestOpts === void 0 ? void 0 : authorizationRequestOpts.authorizationDetails) === null || _a === void 0 ? void 0 : _a.map((detail) => (typeof detail === 'object' && 'format' in detail && detail.format ? detail.format : undefined)).filter((format) => !!format).map((format) => format);
238
+ if (authFormats && authFormats.length > 0) {
239
+ formats = Array.from(new Set(authFormats));
240
+ }
241
+ let oid4vciClient;
242
+ let types = undefined;
243
+ let offer;
244
+ if (requestData.existingClientState) {
245
+ oid4vciClient = yield oid4vci_client_1.OpenID4VCIClient.fromState({ state: requestData.existingClientState });
246
+ offer = oid4vciClient.credentialOffer;
247
+ }
248
+ else {
249
+ offer = requestData.credentialOffer;
250
+ if (uri.startsWith(IOID4VCIHolder_1.RequestType.OPENID_INITIATE_ISSUANCE) ||
251
+ uri.startsWith(IOID4VCIHolder_1.RequestType.OPENID_CREDENTIAL_OFFER) ||
252
+ uri.match(/https?:\/\/.*credential_offer(_uri)=?.*/)) {
253
+ if (!offer) {
254
+ // Let's make sure to convert the URI to offer, as it matches the regexes. Normally this should already have happened at this point though
255
+ offer = yield oid4vci_client_1.CredentialOfferClient.fromURI(uri);
256
+ }
257
+ }
258
+ else {
259
+ if (!!offer) {
260
+ logger.warning(`Non default URI used for credential offer: ${uri}`);
261
+ }
262
+ }
263
+ if (!offer) {
264
+ // else no offer, meaning we have an issuer URL
265
+ logger.log(`Issuer url received (no credential offer): ${uri}`);
266
+ oid4vciClient = yield oid4vci_client_1.OpenID4VCIClient.fromCredentialIssuer({
267
+ credentialIssuer: uri,
268
+ authorizationRequest: authorizationRequestOpts,
269
+ clientId: authorizationRequestOpts.clientId,
270
+ createAuthorizationRequestURL: (_b = requestData.createAuthorizationRequestURL) !== null && _b !== void 0 ? _b : true,
271
+ });
272
+ }
273
+ else {
274
+ logger.log(`Credential offer received: ${uri}`);
275
+ oid4vciClient = yield oid4vci_client_1.OpenID4VCIClient.fromURI({
276
+ uri,
277
+ authorizationRequest: authorizationRequestOpts,
278
+ clientId: authorizationRequestOpts.clientId,
279
+ createAuthorizationRequestURL: (_c = requestData.createAuthorizationRequestURL) !== null && _c !== void 0 ? _c : true,
280
+ });
281
+ }
282
+ }
283
+ if (offer) {
284
+ types = (0, oid4vci_common_1.getTypesFromCredentialOffer)(offer.original_credential_offer);
285
+ }
286
+ else {
287
+ types = (0, utils_1.asArray)(authorizationRequestOpts.authorizationDetails)
288
+ .map((authReqOpts) => { var _a; return (_a = (0, oid4vci_common_1.getTypesFromAuthorizationDetails)(authReqOpts)) !== null && _a !== void 0 ? _a : []; })
289
+ .filter((inner) => inner.length > 0);
290
+ }
291
+ const serverMetadata = yield oid4vciClient.retrieveServerMetadata();
292
+ const credentialsSupported = yield (0, OID4VCIHolderService_1.getCredentialConfigsSupportedMerged)({
293
+ client: oid4vciClient,
294
+ vcFormatPreferences: formats,
295
+ types,
296
+ });
297
+ const credentialBranding = yield (0, OID4VCIHolderService_1.getCredentialBranding)({ credentialsSupported, context });
298
+ const authorizationCodeURL = oid4vciClient.authorizationURL;
299
+ if (authorizationCodeURL) {
300
+ logger.log(`authorization code URL ${authorizationCodeURL}`);
301
+ }
302
+ const oid4vciClientState = JSON.parse(yield oid4vciClient.exportState());
303
+ return {
304
+ authorizationCodeURL,
305
+ credentialBranding,
306
+ credentialsSupported,
307
+ serverMetadata,
308
+ oid4vciClientState,
309
+ };
310
+ });
311
+ }
312
+ oid4vciHolderCreateCredentialsToSelectFrom(args, context) {
313
+ return __awaiter(this, void 0, void 0, function* () {
314
+ const { credentialBranding, locale, selectedCredentials /*, openID4VCIClientState*/, credentialsSupported } = args;
315
+ // const client = await OpenID4VCIClient.fromState({ state: openID4VCIClientState! }) // TODO see if we need the check openID4VCIClientState defined
316
+ /*const credentialsSupported = await getCredentialConfigsSupportedBySingleTypeOrId({
317
+ client,
318
+ vcFormatPreferences: this.vcFormatPreferences,
319
+ })*/
320
+ logger.info(`Credentials supported ${Object.keys(credentialsSupported).join(', ')}`);
321
+ const credentialSelection = yield Promise.all(Object.entries(credentialsSupported).map((_a) => __awaiter(this, [_a], void 0, function* ([id, credentialConfigSupported]) {
322
+ // FIXME this allows for duplicate VerifiableCredential, which the user has no idea which ones those are and we also have a branding map with unique keys, so some branding will not match
323
+ // const defaultCredentialType = 'VerifiableCredential'
324
+ var _b, _c, _d;
325
+ const credentialTypes = (0, oid4vci_common_1.getTypesFromObject)(credentialConfigSupported);
326
+ // const credentialType = id /*?? credentialTypes?.find((type) => type !== defaultCredentialType) ?? defaultCredentialType*/
327
+ const localeBranding = !credentialBranding
328
+ ? undefined
329
+ : ((_b = credentialBranding === null || credentialBranding === void 0 ? void 0 : credentialBranding[id]) !== null && _b !== void 0 ? _b : (_c = Object.entries(credentialBranding)
330
+ .find(([type, _brandings]) => {
331
+ credentialTypes && type in credentialTypes;
332
+ })) === null || _c === void 0 ? void 0 : _c.map(([type, supported]) => supported));
333
+ const credentialAlias = (_d = (yield (0, OID4VCIHolderService_1.selectCredentialLocaleBranding)({
334
+ locale,
335
+ localeBranding,
336
+ }))) === null || _d === void 0 ? void 0 : _d.alias;
337
+ return {
338
+ id: (0, uuid_1.v4)(),
339
+ credentialId: id,
340
+ credentialTypes: credentialTypes !== null && credentialTypes !== void 0 ? credentialTypes : (0, utils_1.asArray)(id),
341
+ credentialAlias: credentialAlias !== null && credentialAlias !== void 0 ? credentialAlias : id,
342
+ isSelected: false,
343
+ };
344
+ })));
345
+ // TODO find better place to do this, would be nice if the machine does this?
346
+ if (credentialSelection.length >= 1) {
347
+ credentialSelection.map((sel) => selectedCredentials.push(sel.credentialId));
348
+ }
349
+ logger.log(`Credential selection ${JSON.stringify(credentialSelection)}`);
350
+ return credentialSelection;
351
+ });
352
+ }
353
+ oid4vciHolderGetContact(args, context) {
354
+ return __awaiter(this, void 0, void 0, function* () {
355
+ var _a, _b, _c;
356
+ const { serverMetadata } = args;
357
+ if (serverMetadata === undefined) {
358
+ return Promise.reject(Error('Missing serverMetadata in context'));
359
+ }
360
+ const names = new Set((_c = (_b = (_a = serverMetadata.credentialIssuerMetadata) === null || _a === void 0 ? void 0 : _a.display) === null || _b === void 0 ? void 0 : _b.map((display) => display.name).filter((name) => name != undefined).map((name) => name)) !== null && _c !== void 0 ? _c : []);
361
+ const name = names.size > 0 ? Array.from(names)[0] : undefined;
362
+ const correlationId = new URL(serverMetadata.issuer).hostname;
363
+ const filter = [
364
+ {
365
+ identities: {
366
+ identifier: {
367
+ correlationId,
368
+ },
369
+ },
370
+ },
371
+ ];
372
+ if (name) {
373
+ filter.push({
374
+ contact: {
375
+ legalName: name,
376
+ },
377
+ });
378
+ filter.push({
379
+ contact: {
380
+ displayName: name,
381
+ },
382
+ });
383
+ }
384
+ const parties = yield context.agent.cmGetContacts({
385
+ filter,
386
+ });
387
+ if (parties.length > 1) {
388
+ logger.warning(`Get contacts returned more than one result: ${parties.length}, ${parties.map((party) => party.contact.displayName).join(',')}`);
389
+ }
390
+ const party = parties.length >= 1 ? parties[0] : undefined;
391
+ logger.log(`Party involved: `, party);
392
+ return party;
393
+ });
394
+ }
395
+ oid4vciHolderGetCredentials(args, context) {
396
+ return __awaiter(this, void 0, void 0, function* () {
397
+ const { verificationCode, openID4VCIClientState, didMethodPreferences = this.didMethodPreferences, issuanceOpt, accessTokenOpts } = args;
398
+ logger.debug(`Getting credentials`, issuanceOpt, accessTokenOpts);
399
+ if (!openID4VCIClientState) {
400
+ return Promise.reject(Error('Missing openID4VCI client state in context'));
401
+ }
402
+ const client = yield oid4vci_client_1.OpenID4VCIClient.fromState({ state: openID4VCIClientState });
403
+ const credentialsSupported = yield (0, OID4VCIHolderService_1.getCredentialConfigsSupportedMerged)({
404
+ client,
405
+ vcFormatPreferences: this.vcFormatPreferences,
406
+ configurationIds: args.selectedCredentials,
407
+ });
408
+ const serverMetadata = yield client.retrieveServerMetadata();
409
+ const issuanceOpts = yield (0, OID4VCIHolderService_1.getIssuanceOpts)(Object.assign({ client,
410
+ credentialsSupported,
411
+ serverMetadata,
412
+ context, didMethodPreferences: Array.isArray(didMethodPreferences) && didMethodPreferences.length > 0 ? didMethodPreferences : this.didMethodPreferences, jwtCryptographicSuitePreferences: this.jwtCryptographicSuitePreferences, jsonldCryptographicSuitePreferences: this.jsonldCryptographicSuitePreferences }, (issuanceOpt && { forceIssuanceOpt: issuanceOpt })));
413
+ const getCredentials = issuanceOpts.map((issuanceOpt) => __awaiter(this, void 0, void 0, function* () {
414
+ return yield this.oid4vciHolderGetCredential({
415
+ issuanceOpt,
416
+ pin: verificationCode,
417
+ client,
418
+ accessTokenOpts,
419
+ }, context);
420
+ }));
421
+ const allCredentials = yield Promise.all(getCredentials);
422
+ logger.log(`Credentials received`, allCredentials);
423
+ return allCredentials;
424
+ });
425
+ }
426
+ oid4vciHolderGetCredential(args, context) {
427
+ return __awaiter(this, void 0, void 0, function* () {
428
+ var _a, _b, _c, _d, _e, _f, _g, _h, _j;
429
+ const { issuanceOpt, pin, client, accessTokenOpts } = args;
430
+ logger.info(`Getting credential`, issuanceOpt);
431
+ if (!issuanceOpt) {
432
+ return Promise.reject(Error(`Cannot get credential issuance options`));
433
+ }
434
+ const identifier = yield (0, OID4VCIHolderService_1.getIdentifierOpts)({ issuanceOpt, context });
435
+ issuanceOpt.identifier = identifier;
436
+ logger.info(`ID opts`, identifier);
437
+ const alg = yield (0, ssi_sdk_ext_key_utils_1.signatureAlgorithmFromKey)({ key: identifier.key });
438
+ // The VCI lib either expects a jwk or a kid
439
+ const jwk = (0, ssi_sdk_ext_identifier_resolution_1.isManagedIdentifierJwkResult)(identifier) ? identifier.jwk : undefined;
440
+ const callbacks = {
441
+ signCallback: signCallback(identifier, context),
442
+ };
443
+ try {
444
+ // We need to make sure we have acquired the access token
445
+ if (!client.clientId) {
446
+ client.clientId = (0, ssi_sdk_ext_identifier_resolution_1.isManagedIdentifierDidResult)(identifier) ? identifier.did : identifier.issuer;
447
+ }
448
+ let asOpts = undefined;
449
+ let kid = (_b = (_a = accessTokenOpts === null || accessTokenOpts === void 0 ? void 0 : accessTokenOpts.clientOpts) === null || _a === void 0 ? void 0 : _a.kid) !== null && _b !== void 0 ? _b : identifier.kid;
450
+ if (accessTokenOpts === null || accessTokenOpts === void 0 ? void 0 : accessTokenOpts.clientOpts) {
451
+ const clientId = (_d = (_c = accessTokenOpts.clientOpts.clientId) !== null && _c !== void 0 ? _c : client.clientId) !== null && _d !== void 0 ? _d : identifier.issuer;
452
+ if (client.isEBSI() && (clientId === null || clientId === void 0 ? void 0 : clientId.startsWith('http')) && (kid === null || kid === void 0 ? void 0 : kid.includes('#'))) {
453
+ kid = kid.split('#')[1];
454
+ }
455
+ //todo: investigate if the jwk should be used here as well if present
456
+ const clientOpts = Object.assign(Object.assign({}, accessTokenOpts.clientOpts), { clientId,
457
+ kid,
458
+ // @ts-ignore
459
+ alg: (_e = accessTokenOpts.clientOpts.alg) !== null && _e !== void 0 ? _e : alg, signCallbacks: (_f = accessTokenOpts.clientOpts.signCallbacks) !== null && _f !== void 0 ? _f : callbacks });
460
+ asOpts = {
461
+ clientOpts,
462
+ };
463
+ }
464
+ yield client.acquireAccessToken(Object.assign({ clientId: client.clientId, pin, authorizationResponse: JSON.parse(yield client.exportState()).authorizationCodeResponse, additionalRequestParams: accessTokenOpts === null || accessTokenOpts === void 0 ? void 0 : accessTokenOpts.additionalRequestParams }, (asOpts && { asOpts })));
465
+ // FIXME: This type mapping is wrong. It should use credential_identifier in case the access token response has authorization details
466
+ const types = (0, oid4vci_common_1.getTypesFromObject)(issuanceOpt);
467
+ const id = 'id' in issuanceOpt && issuanceOpt.id ? issuanceOpt.id : undefined;
468
+ const credentialTypes = (0, utils_1.asArray)((_h = (_g = issuanceOpt.credentialConfigurationId) !== null && _g !== void 0 ? _g : types) !== null && _h !== void 0 ? _h : id);
469
+ if (!credentialTypes || credentialTypes.length === 0) {
470
+ return Promise.reject(Error('cannot determine credential id to request'));
471
+ }
472
+ const credentialDefinition = this.getCredentialDefinition(issuanceOpt);
473
+ const credentialResponse = yield client.acquireCredentials(Object.assign(Object.assign(Object.assign(Object.assign({}, (credentialDefinition && { context: credentialDefinition['@context'] })), { credentialTypes, proofCallbacks: callbacks, format: issuanceOpt.format,
474
+ // TODO: We need to update the machine and add notifications support for actual deferred credentials instead of just waiting/retrying
475
+ deferredCredentialAwait: true }), (!jwk && { kid })), { // vci client either wants a jwk or kid. If we have used the jwk method do not provide the kid
476
+ jwk,
477
+ alg, jti: (0, uuid_1.v4)() }));
478
+ const credential = {
479
+ id: (_j = issuanceOpt.credentialConfigurationId) !== null && _j !== void 0 ? _j : id,
480
+ types: types !== null && types !== void 0 ? types : (0, utils_1.asArray)(credentialTypes),
481
+ issuanceOpt,
482
+ credentialResponse,
483
+ };
484
+ return (0, OID4VCIHolderService_1.mapCredentialToAccept)({ credentialToAccept: credential, hasher: this.hasher });
485
+ }
486
+ catch (error) {
487
+ return Promise.reject(error);
488
+ }
489
+ });
490
+ }
491
+ oid4vciHolderAddContactIdentity(args, context) {
492
+ return __awaiter(this, void 0, void 0, function* () {
493
+ const { credentialsToAccept, contact } = args;
494
+ if (!contact) {
495
+ return Promise.reject(Error('Missing contact in context'));
496
+ }
497
+ if (credentialsToAccept === undefined || credentialsToAccept.length === 0) {
498
+ return Promise.reject(Error('Missing credential offers in context'));
499
+ }
500
+ let correlationId = credentialsToAccept[0].correlationId;
501
+ let identifierType = ssi_sdk_data_store_1.CorrelationIdentifierType.DID;
502
+ if (!correlationId.toLowerCase().startsWith('did:')) {
503
+ identifierType = ssi_sdk_data_store_1.CorrelationIdentifierType.URL;
504
+ if (correlationId.startsWith('http')) {
505
+ correlationId = new URL(correlationId).hostname;
506
+ }
507
+ }
508
+ const identity = Object.assign({ alias: credentialsToAccept[0].correlationId, origin: ssi_sdk_data_store_1.IdentityOrigin.EXTERNAL, roles: [ssi_sdk_data_store_1.CredentialRole.ISSUER], identifier: {
509
+ type: identifierType,
510
+ correlationId,
511
+ } }, (identifierType === ssi_sdk_data_store_1.CorrelationIdentifierType.URL && {
512
+ connection: {
513
+ type: ssi_sdk_data_store_1.ConnectionType.OPENID_CONNECT,
514
+ config: {
515
+ clientId: '138d7bf8-c930-4c6e-b928-97d3a4928b01',
516
+ clientSecret: '03b3955f-d020-4f2a-8a27-4e452d4e27a0',
517
+ scopes: ['auth'],
518
+ issuer: 'https://example.com/app-test',
519
+ redirectUrl: 'app:/callback',
520
+ dangerouslyAllowInsecureHttpRequests: true,
521
+ clientAuthMethod: 'post',
522
+ },
523
+ },
524
+ }));
525
+ yield context.agent.emit(IOID4VCIHolder_1.OID4VCIHolderEvent.CONTACT_IDENTITY_CREATED, {
526
+ contactId: contact.id,
527
+ identity,
528
+ });
529
+ logger.log(`Contact added: ${correlationId}`);
530
+ return context.agent.cmAddIdentity({ contactId: contact.id, identity });
531
+ });
532
+ }
533
+ oid4vciHolderGetIssuerBranding(args, context) {
534
+ return __awaiter(this, void 0, void 0, function* () {
535
+ var _a, _b;
536
+ const { serverMetadata, contact } = args;
537
+ // Here we are fetching issuer branding for a contact. If no contact is found that means we encounter this contact for the first time. This also means we do not have any branding for the contact.
538
+ const issuerCorrelationId = contact === null || contact === void 0 ? void 0 : contact.identities.filter((identity) => identity.roles.includes(ssi_sdk_data_store_1.CredentialRole.ISSUER)).map((identity) => identity.identifier.correlationId)[0];
539
+ if (issuerCorrelationId) {
540
+ const branding = yield context.agent.ibGetIssuerBranding({ filter: [{ issuerCorrelationId }] });
541
+ if (branding.length > 0) {
542
+ return branding[0].localeBranding;
543
+ }
544
+ }
545
+ // We should have serverMetadata in the context else something went wrong
546
+ if (!serverMetadata) {
547
+ return Promise.reject(Error('Missing serverMetadata in context'));
548
+ }
549
+ return (0, OID4VCIHolderService_1.getBasicIssuerLocaleBranding)({
550
+ display: (_b = (_a = serverMetadata.credentialIssuerMetadata) === null || _a === void 0 ? void 0 : _a.display) !== null && _b !== void 0 ? _b : [],
551
+ dynamicRegistrationClientMetadata: serverMetadata.credentialIssuerMetadata,
552
+ context,
553
+ });
554
+ });
555
+ }
556
+ oid4vciHolderStoreIssuerBranding(args, context) {
557
+ return __awaiter(this, void 0, void 0, function* () {
558
+ const { issuerBranding, contact } = args;
559
+ if (!issuerBranding || issuerBranding.length === 0 || issuerBranding[0].id) {
560
+ // FIXME we need better separation between a contact(issuer) we encountered before and it's branding vs a new contact and it's branding
561
+ return;
562
+ }
563
+ if (!contact) {
564
+ return Promise.reject(Error('Missing contact in context'));
565
+ }
566
+ const issuerCorrelationId = contact === null || contact === void 0 ? void 0 : contact.identities.filter((identity) => identity.roles.includes(ssi_sdk_data_store_1.CredentialRole.ISSUER)).map((identity) => identity.identifier.correlationId)[0];
567
+ // we check for issuer branding as adding an identity might also trigger storing the issuer branding
568
+ const branding = yield context.agent.ibGetIssuerBranding({ filter: [{ issuerCorrelationId }] });
569
+ if (branding.length > 0) {
570
+ return;
571
+ }
572
+ yield context.agent.ibAddIssuerBranding({
573
+ localeBranding: issuerBranding,
574
+ issuerCorrelationId,
575
+ });
576
+ });
577
+ }
578
+ oid4vciHolderAssertValidCredentials(args, context) {
579
+ return __awaiter(this, void 0, void 0, function* () {
580
+ const { credentialsToAccept, issuanceOpt } = args;
581
+ return yield Promise.all(credentialsToAccept.map((credentialToAccept) => (0, OID4VCIHolderService_1.verifyCredentialToAccept)({
582
+ mappedCredential: credentialToAccept,
583
+ onVerifyEBSICredentialIssuer: this.onVerifyEBSICredentialIssuer,
584
+ hasher: this.hasher,
585
+ schemaValidation: issuanceOpt === null || issuanceOpt === void 0 ? void 0 : issuanceOpt.schemaValidation,
586
+ context,
587
+ })));
588
+ });
589
+ }
590
+ oid4vciHolderStoreCredentialBranding(args, context) {
591
+ return __awaiter(this, void 0, void 0, function* () {
592
+ const { credentialBranding, serverMetadata, selectedCredentials, credentialsToAccept } = args;
593
+ if (serverMetadata === undefined) {
594
+ return Promise.reject(Error('Missing serverMetadata in context'));
595
+ }
596
+ else if (selectedCredentials.length === 0) {
597
+ logger.warning(`No credentials selected for issuer: ${serverMetadata.issuer}`);
598
+ return;
599
+ }
600
+ let counter = 0;
601
+ for (const credentialId of selectedCredentials) {
602
+ const localeBranding = credentialBranding === null || credentialBranding === void 0 ? void 0 : credentialBranding[credentialId];
603
+ if (localeBranding && localeBranding.length > 0) {
604
+ const credential = credentialsToAccept.find((credAccept) => credAccept.credentialToAccept.id === credentialId || JSON.stringify(credAccept.types) === credentialId || credentialsToAccept[counter]);
605
+ counter++;
606
+ yield context.agent.ibAddCredentialBranding({
607
+ vcHash: (0, utils_1.computeEntryHash)(credential.rawVerifiableCredential),
608
+ issuerCorrelationId: new URL(serverMetadata.issuer).hostname,
609
+ localeBranding,
610
+ });
611
+ logger.log(`Credential branding for issuer ${serverMetadata.issuer} and type ${credentialId} stored with locales ${localeBranding.map((b) => b.locale).join(',')}`);
612
+ }
613
+ else {
614
+ logger.warning(`No credential branding found for issuer: ${serverMetadata.issuer} and type ${credentialId}`);
615
+ }
616
+ }
617
+ });
618
+ }
619
+ oid4vciHolderStoreCredentials(args, context) {
620
+ return __awaiter(this, void 0, void 0, function* () {
621
+ var _a, _b, _c, _d, _e, _f, _g, _h, _j, _k, _l, _m, _o;
622
+ function trimmed(input) {
623
+ const trim = input === null || input === void 0 ? void 0 : input.trim();
624
+ if (trim === '') {
625
+ return undefined;
626
+ }
627
+ return trim;
628
+ }
629
+ const { credentialsToAccept, openID4VCIClientState, credentialsSupported, serverMetadata, selectedCredentials } = args;
630
+ const mappedCredentialToAccept = credentialsToAccept[0];
631
+ if (selectedCredentials && selectedCredentials.length > 1) {
632
+ logger.error(`More than 1 credential selected ${selectedCredentials.join(', ')}, but current service only stores 1 credential!`);
633
+ }
634
+ // TODO determine when and how we should store credentials without key kmsKeyRef & id method), this should be tested with the code below
635
+ const issuanceOpt = (_a = args.issuanceOpt) !== null && _a !== void 0 ? _a : mappedCredentialToAccept.credentialToAccept.issuanceOpt;
636
+ if (!issuanceOpt || !issuanceOpt.identifier) {
637
+ return Promise.reject(Error('issuanceOpt.identifier must me set in order to store a credential'));
638
+ }
639
+ const { kmsKeyRef, method } = issuanceOpt.identifier;
640
+ let persist = true;
641
+ const verifiableCredential = mappedCredentialToAccept.uniformVerifiableCredential;
642
+ const notificationId = mappedCredentialToAccept.credentialToAccept.credentialResponse.notification_id;
643
+ const subjectIssuance = mappedCredentialToAccept.credential_subject_issuance;
644
+ const notificationEndpoint = (_b = serverMetadata === null || serverMetadata === void 0 ? void 0 : serverMetadata.credentialIssuerMetadata) === null || _b === void 0 ? void 0 : _b.notification_endpoint;
645
+ let holderCredential = undefined;
646
+ if (!notificationEndpoint) {
647
+ logger.log(`Notifications not supported by issuer ${serverMetadata === null || serverMetadata === void 0 ? void 0 : serverMetadata.issuer}. Will not provide a notification`);
648
+ }
649
+ else if (notificationEndpoint && !notificationId) {
650
+ logger.warning(`Notification endpoint available in issuer metadata with value ${notificationEndpoint}, but no ${notificationId} provided. Will not send a notification to issuer ${serverMetadata === null || serverMetadata === void 0 ? void 0 : serverMetadata.issuer}`);
651
+ }
652
+ else if (notificationEndpoint && notificationId) {
653
+ logger.log(`Notification id ${notificationId} found, will send back a notification to ${notificationEndpoint}`);
654
+ let event = 'credential_accepted';
655
+ if (Array.isArray(subjectIssuance === null || subjectIssuance === void 0 ? void 0 : subjectIssuance.notification_events_supported)) {
656
+ // experimental subject issuance, where a new credential is being created
657
+ event = subjectIssuance.notification_events_supported.includes('credential_accepted_holder_signed')
658
+ ? 'credential_accepted_holder_signed'
659
+ : 'credential_deleted_holder_signed';
660
+ logger.log(`Subject issuance/signing will be used, with event`, event);
661
+ const issuerVC = mappedCredentialToAccept.credentialToAccept.credentialResponse.credential;
662
+ const wrappedIssuerVC = ssi_types_1.CredentialMapper.toWrappedVerifiableCredential(issuerVC, { hasher: (_c = this.hasher) !== null && _c !== void 0 ? _c : ssi_sdk_core_1.defaultHasher });
663
+ console.log(`Wrapped VC: ${wrappedIssuerVC.type}, ${wrappedIssuerVC.format}`);
664
+ // We will use the subject of the VCI Issuer (the holder, as the issuer of the new credential, so the below is not a mistake!)
665
+ let issuer;
666
+ if (ssi_types_1.CredentialMapper.isWrappedSdJwtVerifiableCredential(wrappedIssuerVC)) {
667
+ issuer = trimmed((_d = wrappedIssuerVC.decoded) === null || _d === void 0 ? void 0 : _d.sub);
668
+ }
669
+ else if (ssi_types_1.CredentialMapper.isWrappedW3CVerifiableCredential(wrappedIssuerVC)) {
670
+ // @ts-ignore
671
+ issuer = (_j = (_f = trimmed((_e = wrappedIssuerVC.credential) === null || _e === void 0 ? void 0 : _e.sub)) !== null && _f !== void 0 ? _f : trimmed((_h = (_g = wrappedIssuerVC.credential) === null || _g === void 0 ? void 0 : _g.credentialSubject) === null || _h === void 0 ? void 0 : _h.id)) !== null && _j !== void 0 ? _j : trimmed(this.idFromW3cCredentialSubject(wrappedIssuerVC));
672
+ }
673
+ else if (ssi_types_1.CredentialMapper.isWrappedMdocCredential(wrappedIssuerVC)) {
674
+ return Promise.reject(Error('mdoc not yet supported'));
675
+ }
676
+ if (!issuer) {
677
+ issuer = trimmed((_k = verifiableCredential.credentialSubject) === null || _k === void 0 ? void 0 : _k.id);
678
+ }
679
+ if (!issuer && ((_l = openID4VCIClientState === null || openID4VCIClientState === void 0 ? void 0 : openID4VCIClientState.kid) === null || _l === void 0 ? void 0 : _l.startsWith('did:'))) {
680
+ issuer = (0, ssi_types_1.parseDid)(openID4VCIClientState === null || openID4VCIClientState === void 0 ? void 0 : openID4VCIClientState.kid).did;
681
+ }
682
+ if (!issuer && ((_o = (_m = openID4VCIClientState === null || openID4VCIClientState === void 0 ? void 0 : openID4VCIClientState.jwk) === null || _m === void 0 ? void 0 : _m.kid) === null || _o === void 0 ? void 0 : _o.startsWith('did:'))) {
683
+ issuer = (0, ssi_types_1.parseDid)(openID4VCIClientState.jwk.kid).did;
684
+ }
685
+ if (!issuer && (openID4VCIClientState === null || openID4VCIClientState === void 0 ? void 0 : openID4VCIClientState.clientId)) {
686
+ issuer = trimmed(openID4VCIClientState.clientId);
687
+ }
688
+ if (!issuer && (openID4VCIClientState === null || openID4VCIClientState === void 0 ? void 0 : openID4VCIClientState.accessTokenResponse)) {
689
+ const decodedJwt = (0, did_jwt_1.decodeJWT)(openID4VCIClientState.accessTokenResponse.access_token);
690
+ issuer = decodedJwt.payload.sub;
691
+ }
692
+ if (!issuer && mappedCredentialToAccept.credentialToAccept.issuanceOpt.identifier) {
693
+ const resolution = yield context.agent.identifierManagedGet(mappedCredentialToAccept.credentialToAccept.issuanceOpt.identifier);
694
+ issuer = resolution.issuer;
695
+ }
696
+ if (!issuer) {
697
+ throw Error(`We could not determine the issuer, which means we cannot sign the credential`);
698
+ }
699
+ logger.log(`Issuer for self-issued credential will be: ${issuer}`);
700
+ const holderCredentialToSign = wrappedIssuerVC.decoded;
701
+ let proofFormat = 'lds';
702
+ if (wrappedIssuerVC.format.includes('jwt') && !wrappedIssuerVC.format.includes('mso_mdoc')) {
703
+ holderCredentialToSign.iss = issuer;
704
+ proofFormat = 'jwt';
705
+ }
706
+ if ('issuer' in holderCredentialToSign && !('iss' in holderCredentialToSign)) {
707
+ holderCredentialToSign.issuer = issuer;
708
+ }
709
+ if ('sub' in holderCredentialToSign) {
710
+ holderCredentialToSign.sub = issuer;
711
+ }
712
+ if ('credentialSubject' in holderCredentialToSign && !Array.isArray(holderCredentialToSign.credentialSubject)) {
713
+ holderCredentialToSign.credentialSubject.id = issuer;
714
+ }
715
+ if ('vc' in holderCredentialToSign) {
716
+ if (holderCredentialToSign.vc.credentialSubject) {
717
+ holderCredentialToSign.vc.credentialSubject.id = issuer;
718
+ }
719
+ holderCredentialToSign.vc.issuer = issuer;
720
+ delete holderCredentialToSign.vc.proof;
721
+ delete holderCredentialToSign.vc.issuanceDate;
722
+ }
723
+ delete holderCredentialToSign.proof;
724
+ delete holderCredentialToSign.issuanceDate;
725
+ delete holderCredentialToSign.iat;
726
+ logger.log(`Subject issuance/signing will sign credential of type ${proofFormat}:`, holderCredentialToSign);
727
+ const issuedVC = yield context.agent.createVerifiableCredential({
728
+ credential: ('vc' in holderCredentialToSign ? holderCredentialToSign.vc : holderCredentialToSign),
729
+ fetchRemoteContexts: true,
730
+ save: false,
731
+ proofFormat,
732
+ });
733
+ if (!issuedVC) {
734
+ throw Error(`Could not issue holder credential from the wallet`);
735
+ }
736
+ logger.log(`Holder ${issuedVC.issuer} issued new credential with id ${issuedVC.id}`, issuedVC);
737
+ holderCredential = ssi_types_1.CredentialMapper.storedCredentialToOriginalFormat(issuedVC);
738
+ persist = event === 'credential_accepted_holder_signed';
739
+ }
740
+ const notificationRequest = Object.assign(Object.assign({ notification_id: notificationId }, (holderCredential && { credential: holderCredential })), { event });
741
+ yield this.oid4vciHolderSendNotification({
742
+ openID4VCIClientState,
743
+ stored: persist,
744
+ credentialsToAccept,
745
+ credentialsSupported,
746
+ notificationRequest,
747
+ serverMetadata,
748
+ }, context);
749
+ }
750
+ const persistCredential = holderCredential
751
+ ? ssi_types_1.CredentialMapper.storedCredentialToOriginalFormat(holderCredential)
752
+ : mappedCredentialToAccept.rawVerifiableCredential;
753
+ if (!persist && holderCredential) {
754
+ logger.log(`Will not persist credential, since we are signing as a holder and the issuer asked not to persist`);
755
+ }
756
+ else {
757
+ logger.log(`Persisting credential`, persistCredential);
758
+ const issuer = ssi_types_1.CredentialMapper.issuerCorrelationIdFromIssuerType(verifiableCredential.issuer);
759
+ const [subjectCorrelationType, subjectCorrelationId] = this.determineSubjectCorrelation(issuanceOpt.identifier, issuer);
760
+ const persistedCredential = yield context.agent.crsAddCredential({
761
+ credential: {
762
+ rawDocument: (0, ssi_sdk_data_store_1.ensureRawDocument)(persistCredential),
763
+ kmsKeyRef: kmsKeyRef,
764
+ identifierMethod: method,
765
+ credentialRole: ssi_sdk_data_store_1.CredentialRole.HOLDER,
766
+ issuerCorrelationType: (issuer === null || issuer === void 0 ? void 0 : issuer.startsWith('did:')) ? ssi_sdk_data_store_1.CredentialCorrelationType.DID : ssi_sdk_data_store_1.CredentialCorrelationType.URL,
767
+ issuerCorrelationId: issuer,
768
+ subjectCorrelationType,
769
+ subjectCorrelationId,
770
+ },
771
+ });
772
+ yield context.agent.emit(IOID4VCIHolder_1.OID4VCIHolderEvent.CREDENTIAL_STORED, {
773
+ credential: persistedCredential,
774
+ vcHash: persistedCredential.hash,
775
+ });
776
+ }
777
+ });
778
+ }
779
+ oid4vciHolderSendNotification(args, context) {
780
+ return __awaiter(this, void 0, void 0, function* () {
781
+ var _a, _b;
782
+ const { serverMetadata, notificationRequest, openID4VCIClientState } = args;
783
+ const notificationEndpoint = (_a = serverMetadata === null || serverMetadata === void 0 ? void 0 : serverMetadata.credentialIssuerMetadata) === null || _a === void 0 ? void 0 : _a.notification_endpoint;
784
+ if (!notificationEndpoint) {
785
+ return;
786
+ }
787
+ else if (!openID4VCIClientState) {
788
+ return Promise.reject(Error('Missing openID4VCI client state in context'));
789
+ }
790
+ else if (!notificationRequest) {
791
+ return Promise.reject(Error('Missing notification request'));
792
+ }
793
+ logger.log(`Will send notification to ${notificationEndpoint}`, notificationRequest);
794
+ const client = yield oid4vci_client_1.OpenID4VCIClient.fromState({ state: openID4VCIClientState });
795
+ yield client.sendNotification({ notificationEndpoint }, notificationRequest, (_b = openID4VCIClientState === null || openID4VCIClientState === void 0 ? void 0 : openID4VCIClientState.accessTokenResponse) === null || _b === void 0 ? void 0 : _b.access_token);
796
+ logger.log(`Notification to ${notificationEndpoint} has been dispatched`);
797
+ });
798
+ }
799
+ getFederationTrust(args, context) {
800
+ return __awaiter(this, void 0, void 0, function* () {
801
+ const { requestData, serverMetadata, trustAnchors } = args;
802
+ if (trustAnchors.length === 0) {
803
+ return Promise.reject(Error('No trust anchors found'));
804
+ }
805
+ if (!(requestData === null || requestData === void 0 ? void 0 : requestData.uri)) {
806
+ return Promise.reject(Error('Missing request URI in context'));
807
+ }
808
+ if (!serverMetadata) {
809
+ return Promise.reject(Error('Missing serverMetadata in context'));
810
+ }
811
+ const url = new URL(requestData === null || requestData === void 0 ? void 0 : requestData.uri);
812
+ const params = new URLSearchParams(url.search);
813
+ const openidFederation = params.get('openid_federation');
814
+ const entityIdentifier = openidFederation !== null && openidFederation !== void 0 ? openidFederation : serverMetadata.issuer;
815
+ if (entityIdentifier.startsWith('http://')) {
816
+ console.warn(`OpenID federation does not support http://, only https:// allowed; got: (${url.toString()})`);
817
+ // OIDF always needs to be https
818
+ return [];
819
+ }
820
+ const result = yield context.agent.identifierExternalResolveByOIDFEntityId({
821
+ method: 'entity_id',
822
+ trustAnchors: trustAnchors,
823
+ identifier: entityIdentifier,
824
+ });
825
+ return result.trustedAnchors;
826
+ });
827
+ }
828
+ oid4vciHolderGetIssuerMetadata(args, context) {
829
+ return __awaiter(this, void 0, void 0, function* () {
830
+ const { issuer, errorOnNotFound = true } = args;
831
+ return oid4vci_client_1.MetadataClient.retrieveAllMetadata(issuer, { errorOnNotFound });
832
+ });
833
+ }
834
+ determineSubjectCorrelation(identifier, issuer) {
835
+ switch (identifier.method) {
836
+ case 'did':
837
+ if ((0, ssi_sdk_ext_identifier_resolution_1.isManagedIdentifierResult)(identifier) && (0, ssi_sdk_ext_identifier_resolution_1.isManagedIdentifierDidResult)(identifier)) {
838
+ return [ssi_sdk_data_store_1.CredentialCorrelationType.DID, identifier.did];
839
+ }
840
+ else if ((0, ssi_sdk_ext_identifier_resolution_1.isManagedIdentifierDidOpts)(identifier)) {
841
+ return [ssi_sdk_data_store_1.CredentialCorrelationType.DID, typeof identifier.identifier === 'string' ? identifier.identifier : identifier.identifier.did];
842
+ }
843
+ break;
844
+ case 'kid':
845
+ if ((0, ssi_sdk_ext_identifier_resolution_1.isManagedIdentifierResult)(identifier) && (0, ssi_sdk_ext_identifier_resolution_1.isManagedIdentifierKidResult)(identifier)) {
846
+ return [ssi_sdk_data_store_1.CredentialCorrelationType.KID, identifier.kid];
847
+ }
848
+ else if ((0, ssi_sdk_ext_identifier_resolution_1.isManagedIdentifierDidOpts)(identifier)) {
849
+ return [ssi_sdk_data_store_1.CredentialCorrelationType.KID, identifier.identifier];
850
+ }
851
+ break;
852
+ case 'x5c':
853
+ if ((0, ssi_sdk_ext_identifier_resolution_1.isManagedIdentifierResult)(identifier) && (0, ssi_sdk_ext_identifier_resolution_1.isManagedIdentifierX5cResult)(identifier)) {
854
+ return [ssi_sdk_data_store_1.CredentialCorrelationType.X509_SAN, identifier.x5c.join('\r\n')];
855
+ }
856
+ else if ((0, ssi_sdk_ext_identifier_resolution_1.isManagedIdentifierX5cOpts)(identifier)) {
857
+ return [ssi_sdk_data_store_1.CredentialCorrelationType.X509_SAN, identifier.identifier.join('\r\n')];
858
+ }
859
+ break;
860
+ }
861
+ return [ssi_sdk_data_store_1.CredentialCorrelationType.URL, issuer];
862
+ }
863
+ idFromW3cCredentialSubject(wrappedIssuerVC) {
864
+ var _a, _b, _c, _d, _e;
865
+ if (Array.isArray((_a = wrappedIssuerVC.credential) === null || _a === void 0 ? void 0 : _a.credentialSubject)) {
866
+ if (((_b = wrappedIssuerVC.credential) === null || _b === void 0 ? void 0 : _b.credentialSubject.length) > 0) {
867
+ return (_c = wrappedIssuerVC.credential) === null || _c === void 0 ? void 0 : _c.credentialSubject[0].id;
868
+ }
869
+ }
870
+ else {
871
+ return (_e = (_d = wrappedIssuerVC.credential) === null || _d === void 0 ? void 0 : _d.credentialSubject) === null || _e === void 0 ? void 0 : _e.id;
872
+ }
873
+ return undefined;
874
+ }
875
+ getCredentialDefinition(issuanceOpt) {
876
+ if (issuanceOpt.format == 'ldp_vc' || issuanceOpt.format == 'jwt_vc_json-ld') {
877
+ return issuanceOpt.credential_definition;
878
+ }
879
+ return undefined;
880
+ }
881
+ }
882
+ exports.OID4VCIHolder = OID4VCIHolder;
883
+ OID4VCIHolder.DEFAULT_MOBILE_REDIRECT_URI = `${oid4vci_common_1.DefaultURISchemes.CREDENTIAL_OFFER}://`;
884
+ //# sourceMappingURL=OID4VCIHolder.js.map