@sphereon/ssi-sdk.oid4vci-holder 0.33.1-next.3 → 0.33.1-next.68

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (55) hide show
  1. package/dist/index.cjs +3143 -0
  2. package/dist/index.cjs.map +1 -0
  3. package/dist/index.d.cts +786 -0
  4. package/dist/index.d.ts +785 -11
  5. package/dist/index.js +3112 -31
  6. package/dist/index.js.map +1 -1
  7. package/package.json +44 -33
  8. package/src/agent/OID4VCIHolder.ts +8 -5
  9. package/dist/agent/OID4VCIHolder.d.ts +0 -59
  10. package/dist/agent/OID4VCIHolder.d.ts.map +0 -1
  11. package/dist/agent/OID4VCIHolder.js +0 -884
  12. package/dist/agent/OID4VCIHolder.js.map +0 -1
  13. package/dist/index.d.ts.map +0 -1
  14. package/dist/link-handler/index.d.ts +0 -31
  15. package/dist/link-handler/index.d.ts.map +0 -1
  16. package/dist/link-handler/index.js +0 -65
  17. package/dist/link-handler/index.js.map +0 -1
  18. package/dist/listeners/headlessStateNavListener.d.ts +0 -3
  19. package/dist/listeners/headlessStateNavListener.d.ts.map +0 -1
  20. package/dist/listeners/headlessStateNavListener.js +0 -45
  21. package/dist/listeners/headlessStateNavListener.js.map +0 -1
  22. package/dist/localization/Localization.d.ts +0 -9
  23. package/dist/localization/Localization.d.ts.map +0 -1
  24. package/dist/localization/Localization.js +0 -46
  25. package/dist/localization/Localization.js.map +0 -1
  26. package/dist/localization/translations/en.json +0 -19
  27. package/dist/localization/translations/nl.json +0 -18
  28. package/dist/machines/firstPartyMachine.d.ts +0 -15
  29. package/dist/machines/firstPartyMachine.d.ts.map +0 -1
  30. package/dist/machines/firstPartyMachine.js +0 -222
  31. package/dist/machines/firstPartyMachine.js.map +0 -1
  32. package/dist/machines/oid4vciMachine.d.ts +0 -7
  33. package/dist/machines/oid4vciMachine.d.ts.map +0 -1
  34. package/dist/machines/oid4vciMachine.js +0 -727
  35. package/dist/machines/oid4vciMachine.js.map +0 -1
  36. package/dist/mappers/OIDC4VCIBrandingMapper.d.ts +0 -16
  37. package/dist/mappers/OIDC4VCIBrandingMapper.d.ts.map +0 -1
  38. package/dist/mappers/OIDC4VCIBrandingMapper.js +0 -201
  39. package/dist/mappers/OIDC4VCIBrandingMapper.js.map +0 -1
  40. package/dist/services/FirstPartyMachineServices.d.ts +0 -9
  41. package/dist/services/FirstPartyMachineServices.d.ts.map +0 -1
  42. package/dist/services/FirstPartyMachineServices.js +0 -53
  43. package/dist/services/FirstPartyMachineServices.js.map +0 -1
  44. package/dist/services/OID4VCIHolderService.d.ts +0 -28
  45. package/dist/services/OID4VCIHolderService.d.ts.map +0 -1
  46. package/dist/services/OID4VCIHolderService.js +0 -524
  47. package/dist/services/OID4VCIHolderService.js.map +0 -1
  48. package/dist/types/FirstPartyMachine.d.ts +0 -112
  49. package/dist/types/FirstPartyMachine.d.ts.map +0 -1
  50. package/dist/types/FirstPartyMachine.js +0 -30
  51. package/dist/types/FirstPartyMachine.js.map +0 -1
  52. package/dist/types/IOID4VCIHolder.d.ts +0 -558
  53. package/dist/types/IOID4VCIHolder.d.ts.map +0 -1
  54. package/dist/types/IOID4VCIHolder.js +0 -114
  55. package/dist/types/IOID4VCIHolder.js.map +0 -1
package/dist/index.cjs ADDED
@@ -0,0 +1,3143 @@
1
+ "use strict";
2
+ var __create = Object.create;
3
+ var __defProp = Object.defineProperty;
4
+ var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
5
+ var __getOwnPropNames = Object.getOwnPropertyNames;
6
+ var __getProtoOf = Object.getPrototypeOf;
7
+ var __hasOwnProp = Object.prototype.hasOwnProperty;
8
+ var __name = (target, value) => __defProp(target, "name", { value, configurable: true });
9
+ var __commonJS = (cb, mod) => function __require() {
10
+ return mod || (0, cb[__getOwnPropNames(cb)[0]])((mod = { exports: {} }).exports, mod), mod.exports;
11
+ };
12
+ var __export = (target, all) => {
13
+ for (var name in all)
14
+ __defProp(target, name, { get: all[name], enumerable: true });
15
+ };
16
+ var __copyProps = (to, from, except, desc) => {
17
+ if (from && typeof from === "object" || typeof from === "function") {
18
+ for (let key of __getOwnPropNames(from))
19
+ if (!__hasOwnProp.call(to, key) && key !== except)
20
+ __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
21
+ }
22
+ return to;
23
+ };
24
+ var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
25
+ // If the importer is in node compatibility mode or this is not an ESM
26
+ // file that has been converted to a CommonJS file using a Babel-
27
+ // compatible transform (i.e. "__esModule" has not been set), then set
28
+ // "default" to the CommonJS "module.exports" for node compatibility.
29
+ isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
30
+ mod
31
+ ));
32
+ var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
33
+
34
+ // src/localization/translations/en.json
35
+ var require_en = __commonJS({
36
+ "src/localization/translations/en.json"(exports, module2) {
37
+ module2.exports = {
38
+ oid4vci_machine_verify_credentials_error_title: "Verify credentials",
39
+ oid4vci_machine_store_credential_branding_error_title: "Store credential branding",
40
+ oid4vci_machine_store_credential_error_title: "Store credential",
41
+ oid4vci_machine_add_contact_identity_error_title: "Add contact identity",
42
+ oid4vci_machine_retrieve_credentials_error_title: "Retrieve credentials",
43
+ oid4vci_machine_retrieve_issuer_branding_error_title: "Retrieve issuer branding",
44
+ oid4vci_machine_store_issuer_branding_error_title: "Store issuer branding",
45
+ oid4vci_machine_retrieve_contact_error_title: "Retrieve contact",
46
+ oid4vci_machine_credential_selection_error_title: "Credential selection",
47
+ oid4vci_machine_initiation_error_title: "Initiate OID4VCI provider",
48
+ oid4vci_machine_credential_verification_failed_message: "The credential verification resulted in an error.",
49
+ oid4vci_machine_credential_verification_schema_failed_message: "The credential schema verification resulted in an error.",
50
+ oid4vci_machine_retrieve_federation_trust_error_title: "Retrieve federation trust",
51
+ oid4vci_machine_first_party_error_title: "First party flow",
52
+ oid4vci_machine_send_authorization_challenge_request_error_title: "Sending authorization challenge request",
53
+ oid4vci_machine_create_config_error_title: "Creating siopV2 config",
54
+ oid4vci_machine_get_request_error_title: "Getting siopV2 request"
55
+ };
56
+ }
57
+ });
58
+
59
+ // src/localization/translations/nl.json
60
+ var require_nl = __commonJS({
61
+ "src/localization/translations/nl.json"(exports, module2) {
62
+ module2.exports = {
63
+ oid4vci_machine_verify_credentials_error_title: "Verifi\xEBren credential",
64
+ oid4vci_machine_store_credential_branding_error_title: "Opslaan credential branding",
65
+ oid4vci_machine_store_credential_error_title: "Opslaan credential",
66
+ oid4vci_machine_add_contact_identity_error_title: "Toevoegen identiteit contact",
67
+ oid4vci_machine_retrieve_credentials_error_title: "Ophalen credential",
68
+ oid4vci_machine_retrieve_issuer_branding_error_title: "Ophalen issuer branding",
69
+ oid4vci_machine_store_issuer_branding_error_title: "Opslaan issuer branding",
70
+ oid4vci_machine_retrieve_contact_error_title: "Ophalen contact",
71
+ oid4vci_machine_credential_selection_error_title: "Credential selectie",
72
+ oid4vci_machine_initiation_error_title: "Initi\xEBren OID4VCI provider",
73
+ oid4vci_machine_credential_verification_failed_message: "Verificatie van de credential leidde tot een fout.",
74
+ oid4vci_machine_retrieve_federation_trust_error_title: "Ophalen federatievertrouwen",
75
+ oid4vci_machine_first_party_error_title: "Eerste partijstroom",
76
+ oid4vci_machine_send_authorization_challenge_request_error_title: "Versturen autorisatie-uitdaging aanvraag",
77
+ oid4vci_machine_create_config_error_title: "SiopV2-configuratie aanmaken",
78
+ oid4vci_machine_get_request_error_title: "SiopV2-verzoek ophalen"
79
+ };
80
+ }
81
+ });
82
+
83
+ // src/index.ts
84
+ var index_exports = {};
85
+ __export(index_exports, {
86
+ FirstPartyMachineEvents: () => FirstPartyMachineEvents,
87
+ FirstPartyMachineServices: () => FirstPartyMachineServices,
88
+ FirstPartyMachineStateTypes: () => FirstPartyMachineStateTypes,
89
+ IdentifierAliasEnum: () => IdentifierAliasEnum,
90
+ OID4VCICallbackStateListener: () => OID4VCICallbackStateListener,
91
+ OID4VCIHolder: () => OID4VCIHolder,
92
+ OID4VCIHolderEvent: () => OID4VCIHolderEvent,
93
+ OID4VCIHolderLinkHandler: () => OID4VCIHolderLinkHandler,
94
+ OID4VCIMachineAddContactStates: () => OID4VCIMachineAddContactStates,
95
+ OID4VCIMachineEvents: () => OID4VCIMachineEvents,
96
+ OID4VCIMachineGuards: () => OID4VCIMachineGuards,
97
+ OID4VCIMachineServices: () => OID4VCIMachineServices,
98
+ OID4VCIMachineStates: () => OID4VCIMachineStates,
99
+ OID4VCIMachineVerifyPinStates: () => OID4VCIMachineVerifyPinStates,
100
+ RequestType: () => RequestType,
101
+ SupportedLanguage: () => SupportedLanguage,
102
+ createConfig: () => createConfig,
103
+ getBasicIssuerLocaleBranding: () => getBasicIssuerLocaleBranding,
104
+ getCredentialBranding: () => getCredentialBranding,
105
+ getCredentialConfigsBasedOnFormatPref: () => getCredentialConfigsBasedOnFormatPref,
106
+ getCredentialConfigsSupported: () => getCredentialConfigsSupported,
107
+ getCredentialConfigsSupportedBySingleTypeOrId: () => getCredentialConfigsSupportedBySingleTypeOrId,
108
+ getCredentialConfigsSupportedMerged: () => getCredentialConfigsSupportedMerged,
109
+ getIdentifierOpts: () => getIdentifierOpts,
110
+ getIssuanceCryptoSuite: () => getIssuanceCryptoSuite,
111
+ getIssuanceMethod: () => getIssuanceMethod,
112
+ getIssuanceOpts: () => getIssuanceOpts,
113
+ getSiopRequest: () => getSiopRequest,
114
+ issuerLocaleBrandingFrom: () => issuerLocaleBrandingFrom,
115
+ mapCredentialToAccept: () => mapCredentialToAccept,
116
+ oid4vciCombineDisplayLocalesFrom: () => oid4vciCombineDisplayLocalesFrom,
117
+ oid4vciCredentialDisplayLocalesFrom: () => oid4vciCredentialDisplayLocalesFrom,
118
+ oid4vciCredentialLocaleBrandingFrom: () => oid4vciCredentialLocaleBrandingFrom,
119
+ oid4vciGetCredentialBrandingFrom: () => oid4vciGetCredentialBrandingFrom,
120
+ oid4vciHolderContextMethods: () => oid4vciHolderContextMethods,
121
+ oid4vciIssuerCredentialSubjectLocalesFrom: () => oid4vciIssuerCredentialSubjectLocalesFrom,
122
+ sdJwtCombineDisplayLocalesFrom: () => sdJwtCombineDisplayLocalesFrom,
123
+ sdJwtCredentialClaimLocalesFrom: () => sdJwtCredentialClaimLocalesFrom,
124
+ sdJwtCredentialDisplayLocalesFrom: () => sdJwtCredentialDisplayLocalesFrom,
125
+ sdJwtCredentialLocaleBrandingFrom: () => sdJwtCredentialLocaleBrandingFrom,
126
+ sdJwtGetCredentialBrandingFrom: () => sdJwtGetCredentialBrandingFrom,
127
+ selectCredentialLocaleBranding: () => selectCredentialLocaleBranding,
128
+ sendAuthorizationChallengeRequest: () => sendAuthorizationChallengeRequest,
129
+ sendAuthorizationResponse: () => sendAuthorizationResponse,
130
+ signCallback: () => signCallback,
131
+ startFirstPartApplicationMachine: () => startFirstPartApplicationMachine,
132
+ verifyCredentialToAccept: () => verifyCredentialToAccept
133
+ });
134
+ module.exports = __toCommonJS(index_exports);
135
+
136
+ // src/agent/OID4VCIHolder.ts
137
+ var import_oid4vci_client3 = require("@sphereon/oid4vci-client");
138
+ var import_oid4vci_common4 = require("@sphereon/oid4vci-common");
139
+ var import_ssi_sdk_ext5 = require("@sphereon/ssi-sdk-ext.did-utils");
140
+ var import_ssi_sdk_ext6 = require("@sphereon/ssi-sdk-ext.identifier-resolution");
141
+ var import_ssi_sdk_ext7 = require("@sphereon/ssi-sdk-ext.key-utils");
142
+ var import_ssi_sdk2 = require("@sphereon/ssi-sdk.data-store");
143
+ var import_ssi_types2 = require("@sphereon/ssi-types");
144
+ var import_utils2 = require("@veramo/utils");
145
+ var import_did_jwt = require("did-jwt");
146
+ var import_uuid2 = require("uuid");
147
+
148
+ // src/machines/oid4vciMachine.ts
149
+ var import_oid4vci_common = require("@sphereon/oid4vci-common");
150
+ var import_xstate = require("xstate");
151
+
152
+ // src/localization/Localization.ts
153
+ var import_i18n_js = __toESM(require("i18n-js"), 1);
154
+ var import_lodash = __toESM(require("lodash.memoize"), 1);
155
+
156
+ // src/types/IOID4VCIHolder.ts
157
+ var OID4VCIHolderEvent = /* @__PURE__ */ function(OID4VCIHolderEvent2) {
158
+ OID4VCIHolderEvent2["CONTACT_IDENTITY_CREATED"] = "contact_identity_created";
159
+ OID4VCIHolderEvent2["CREDENTIAL_STORED"] = "credential_stored";
160
+ OID4VCIHolderEvent2["IDENTIFIER_CREATED"] = "identifier_created";
161
+ return OID4VCIHolderEvent2;
162
+ }({});
163
+ var SupportedLanguage = /* @__PURE__ */ function(SupportedLanguage2) {
164
+ SupportedLanguage2["ENGLISH"] = "en";
165
+ SupportedLanguage2["DUTCH"] = "nl";
166
+ return SupportedLanguage2;
167
+ }({});
168
+ var OID4VCIMachineStates = /* @__PURE__ */ function(OID4VCIMachineStates2) {
169
+ OID4VCIMachineStates2["start"] = "start";
170
+ OID4VCIMachineStates2["createCredentialsToSelectFrom"] = "createCredentialsToSelectFrom";
171
+ OID4VCIMachineStates2["getContact"] = "getContact";
172
+ OID4VCIMachineStates2["transitionFromSetup"] = "transitionFromSetup";
173
+ OID4VCIMachineStates2["getFederationTrust"] = "getFederationTrust";
174
+ OID4VCIMachineStates2["reviewContact"] = "reviewContact";
175
+ OID4VCIMachineStates2["addContact"] = "addContact";
176
+ OID4VCIMachineStates2["getIssuerBranding"] = "getIssuerBranding";
177
+ OID4VCIMachineStates2["storeIssuerBranding"] = "storeIssuerBranding";
178
+ OID4VCIMachineStates2["addIssuerBrandingAfterIdentity"] = "addIssuerBrandingAfterIdentity";
179
+ OID4VCIMachineStates2["transitionFromContactSetup"] = "transitionFromContactSetup";
180
+ OID4VCIMachineStates2["startFirstPartApplicationFlow"] = "startFirstPartApplicationFlow";
181
+ OID4VCIMachineStates2["selectCredentials"] = "selectCredentials";
182
+ OID4VCIMachineStates2["transitionFromSelectingCredentials"] = "transitionFromSelectingCredentials";
183
+ OID4VCIMachineStates2["verifyPin"] = "verifyPin";
184
+ OID4VCIMachineStates2["initiateAuthorizationRequest"] = "initiateAuthorizationRequest";
185
+ OID4VCIMachineStates2["waitForAuthorizationResponse"] = "waitForAuthorizationResponse";
186
+ OID4VCIMachineStates2["getCredentials"] = "getCredentials";
187
+ OID4VCIMachineStates2["transitionFromWalletInput"] = "transitionFromWalletInput";
188
+ OID4VCIMachineStates2["addContactIdentity"] = "addContactIdentity";
189
+ OID4VCIMachineStates2["reviewCredentials"] = "reviewCredentials";
190
+ OID4VCIMachineStates2["verifyCredentials"] = "verifyCredentials";
191
+ OID4VCIMachineStates2["storeCredentialBranding"] = "storeCredentialBranding";
192
+ OID4VCIMachineStates2["storeCredentials"] = "storeCredentials";
193
+ OID4VCIMachineStates2["handleError"] = "handleError";
194
+ OID4VCIMachineStates2["aborted"] = "aborted";
195
+ OID4VCIMachineStates2["declined"] = "declined";
196
+ OID4VCIMachineStates2["error"] = "error";
197
+ OID4VCIMachineStates2["done"] = "done";
198
+ return OID4VCIMachineStates2;
199
+ }({});
200
+ var OID4VCIMachineAddContactStates = /* @__PURE__ */ function(OID4VCIMachineAddContactStates2) {
201
+ OID4VCIMachineAddContactStates2["idle"] = "idle";
202
+ OID4VCIMachineAddContactStates2["next"] = "next";
203
+ return OID4VCIMachineAddContactStates2;
204
+ }({});
205
+ var OID4VCIMachineVerifyPinStates = /* @__PURE__ */ function(OID4VCIMachineVerifyPinStates2) {
206
+ OID4VCIMachineVerifyPinStates2["idle"] = "idle";
207
+ OID4VCIMachineVerifyPinStates2["next"] = "next";
208
+ return OID4VCIMachineVerifyPinStates2;
209
+ }({});
210
+ var OID4VCIMachineEvents = /* @__PURE__ */ function(OID4VCIMachineEvents2) {
211
+ OID4VCIMachineEvents2["NEXT"] = "NEXT";
212
+ OID4VCIMachineEvents2["PREVIOUS"] = "PREVIOUS";
213
+ OID4VCIMachineEvents2["DECLINE"] = "DECLINE";
214
+ OID4VCIMachineEvents2["CREATE_CONTACT"] = "CREATE_CONTACT";
215
+ OID4VCIMachineEvents2["SET_VERIFICATION_CODE"] = "SET_VERIFICATION_CODE";
216
+ OID4VCIMachineEvents2["SET_CONTACT_ALIAS"] = "SET_CONTACT_ALIAS";
217
+ OID4VCIMachineEvents2["SET_CONTACT_CONSENT"] = "SET_CONTACT_CONSENT";
218
+ OID4VCIMachineEvents2["SET_SELECTED_CREDENTIALS"] = "SET_SELECTED_CREDENTIALS";
219
+ OID4VCIMachineEvents2["SET_AUTHORIZATION_CODE_URL"] = "SET_AUTHORIZATION_CODE_URL";
220
+ OID4VCIMachineEvents2["INVOKED_AUTHORIZATION_CODE_REQUEST"] = "INVOKED_AUTHORIZATION_CODE_REQUEST";
221
+ OID4VCIMachineEvents2["PROVIDE_AUTHORIZATION_CODE_RESPONSE"] = "PROVIDE_AUTHORIZATION_CODE_RESPONSE";
222
+ return OID4VCIMachineEvents2;
223
+ }({});
224
+ var OID4VCIMachineGuards = /* @__PURE__ */ function(OID4VCIMachineGuards2) {
225
+ OID4VCIMachineGuards2["hasContactGuard"] = "oid4vciHasContactGuard";
226
+ OID4VCIMachineGuards2["hasNoContactGuard"] = "oid4vciHasNoContactGuard";
227
+ OID4VCIMachineGuards2["credentialsToSelectRequiredGuard"] = "oid4vciCredentialsToSelectRequiredGuard";
228
+ OID4VCIMachineGuards2["requirePinGuard"] = "oid4vciRequirePinGuard";
229
+ OID4VCIMachineGuards2["requireAuthorizationGuard"] = "oid4vciRequireAuthorizationGuard";
230
+ OID4VCIMachineGuards2["noAuthorizationGuard"] = "oid4vciNoAuthorizationGuard";
231
+ OID4VCIMachineGuards2["hasAuthorizationResponse"] = "oid4vciHasAuthorizationResponse";
232
+ OID4VCIMachineGuards2["hasNoContactIdentityGuard"] = "oid4vciHasNoContactIdentityGuard";
233
+ OID4VCIMachineGuards2["verificationCodeGuard"] = "oid4vciVerificationCodeGuard";
234
+ OID4VCIMachineGuards2["createContactGuard"] = "oid4vciCreateContactGuard";
235
+ OID4VCIMachineGuards2["hasSelectedCredentialsGuard"] = "oid4vciHasSelectedCredentialsGuard";
236
+ OID4VCIMachineGuards2["isOIDFOriginGuard"] = "oid4vciIsOIDFOriginGuard";
237
+ OID4VCIMachineGuards2["contactHasLowTrustGuard"] = "oid4vciContactHasLowTrustGuard";
238
+ OID4VCIMachineGuards2["isFirstPartyApplication"] = "oid4vciIsFirstPartyApplication";
239
+ return OID4VCIMachineGuards2;
240
+ }({});
241
+ var OID4VCIMachineServices = /* @__PURE__ */ function(OID4VCIMachineServices2) {
242
+ OID4VCIMachineServices2["start"] = "start";
243
+ OID4VCIMachineServices2["getContact"] = "getContact";
244
+ OID4VCIMachineServices2["getFederationTrust"] = "getFederationTrust";
245
+ OID4VCIMachineServices2["addContactIdentity"] = "addContactIdentity";
246
+ OID4VCIMachineServices2["createCredentialsToSelectFrom"] = "createCredentialsToSelectFrom";
247
+ OID4VCIMachineServices2["getIssuerBranding"] = "getIssuerBranding";
248
+ OID4VCIMachineServices2["storeIssuerBranding"] = "storeIssuerBranding";
249
+ OID4VCIMachineServices2["getCredentials"] = "getCredentials";
250
+ OID4VCIMachineServices2["assertValidCredentials"] = "assertValidCredentials";
251
+ OID4VCIMachineServices2["storeCredentialBranding"] = "storeCredentialBranding";
252
+ OID4VCIMachineServices2["sendNotification"] = "sendNotification";
253
+ OID4VCIMachineServices2["storeCredentials"] = "storeCredentials";
254
+ OID4VCIMachineServices2["startFirstPartApplicationFlow"] = "startFirstPartApplicationFlow";
255
+ return OID4VCIMachineServices2;
256
+ }({});
257
+ var RequestType = /* @__PURE__ */ function(RequestType2) {
258
+ RequestType2["OPENID_INITIATE_ISSUANCE"] = "openid-initiate-issuance";
259
+ RequestType2["OPENID_CREDENTIAL_OFFER"] = "openid-credential-offer";
260
+ RequestType2["URL"] = "URL";
261
+ return RequestType2;
262
+ }({});
263
+ var IdentifierAliasEnum = /* @__PURE__ */ function(IdentifierAliasEnum2) {
264
+ IdentifierAliasEnum2["PRIMARY"] = "primary";
265
+ return IdentifierAliasEnum2;
266
+ }({});
267
+
268
+ // src/localization/Localization.ts
269
+ var Localization = class Localization2 {
270
+ static {
271
+ __name(this, "Localization");
272
+ }
273
+ static translationGetters = {
274
+ [SupportedLanguage.ENGLISH]: () => require_en(),
275
+ [SupportedLanguage.DUTCH]: () => require_nl()
276
+ };
277
+ static translate = (0, import_lodash.default)((key, config) => {
278
+ if (Object.keys(import_i18n_js.default.translations).length === 0) {
279
+ import_i18n_js.default.translations = {
280
+ [SupportedLanguage.ENGLISH]: Localization2.translationGetters[SupportedLanguage.ENGLISH]()
281
+ };
282
+ import_i18n_js.default.locale = SupportedLanguage.ENGLISH;
283
+ } else {
284
+ import_i18n_js.default.translations = {
285
+ [import_i18n_js.default.locale]: {
286
+ ...import_i18n_js.default.translations[import_i18n_js.default.locale],
287
+ ...Localization2.translationGetters[this.findSupportedLanguage(import_i18n_js.default.locale) || SupportedLanguage.ENGLISH]()
288
+ }
289
+ };
290
+ }
291
+ return import_i18n_js.default.t(key, config);
292
+ }, (key, config) => config ? key + JSON.stringify(config) : key);
293
+ static findSupportedLanguage = /* @__PURE__ */ __name((locale) => {
294
+ for (const language of Object.values(SupportedLanguage)) {
295
+ if (language === locale) {
296
+ return language;
297
+ }
298
+ }
299
+ return void 0;
300
+ }, "findSupportedLanguage");
301
+ static getLocale = /* @__PURE__ */ __name(() => {
302
+ return import_i18n_js.default.locale || SupportedLanguage.ENGLISH;
303
+ }, "getLocale");
304
+ };
305
+ var translate = Localization.translate;
306
+
307
+ // src/types/FirstPartyMachine.ts
308
+ var FirstPartyMachineStateTypes = /* @__PURE__ */ function(FirstPartyMachineStateTypes2) {
309
+ FirstPartyMachineStateTypes2["sendAuthorizationChallengeRequest"] = "sendAuthorizationChallengeRequest";
310
+ FirstPartyMachineStateTypes2["sendAuthorizationResponse"] = "sendAuthorizationResponse";
311
+ FirstPartyMachineStateTypes2["selectCredentials"] = "selectCredentials";
312
+ FirstPartyMachineStateTypes2["createConfig"] = "createConfig";
313
+ FirstPartyMachineStateTypes2["getSiopRequest"] = "getSiopRequest";
314
+ FirstPartyMachineStateTypes2["error"] = "error";
315
+ FirstPartyMachineStateTypes2["done"] = "done";
316
+ FirstPartyMachineStateTypes2["aborted"] = "aborted";
317
+ FirstPartyMachineStateTypes2["declined"] = "declined";
318
+ return FirstPartyMachineStateTypes2;
319
+ }({});
320
+ var FirstPartyMachineServices = /* @__PURE__ */ function(FirstPartyMachineServices2) {
321
+ FirstPartyMachineServices2["sendAuthorizationChallengeRequest"] = "sendAuthorizationChallengeRequest";
322
+ FirstPartyMachineServices2["sendAuthorizationResponse"] = "sendAuthorizationResponse";
323
+ FirstPartyMachineServices2["createConfig"] = "createConfig";
324
+ FirstPartyMachineServices2["getSiopRequest"] = "getSiopRequest";
325
+ return FirstPartyMachineServices2;
326
+ }({});
327
+ var FirstPartyMachineEvents = /* @__PURE__ */ function(FirstPartyMachineEvents2) {
328
+ FirstPartyMachineEvents2["NEXT"] = "NEXT";
329
+ FirstPartyMachineEvents2["PREVIOUS"] = "PREVIOUS";
330
+ FirstPartyMachineEvents2["DECLINE"] = "DECLINE";
331
+ FirstPartyMachineEvents2["SET_SELECTED_CREDENTIALS"] = "SET_SELECTED_CREDENTIALS";
332
+ return FirstPartyMachineEvents2;
333
+ }({});
334
+
335
+ // src/machines/oid4vciMachine.ts
336
+ var oid4vciHasNoContactGuard = /* @__PURE__ */ __name((_ctx, _event) => {
337
+ const { contact } = _ctx;
338
+ return contact === void 0;
339
+ }, "oid4vciHasNoContactGuard");
340
+ var oid4vciHasContactGuard = /* @__PURE__ */ __name((_ctx, _event) => {
341
+ const { contact } = _ctx;
342
+ return contact !== void 0;
343
+ }, "oid4vciHasContactGuard");
344
+ var oid4vciContactHasLowTrustGuard = /* @__PURE__ */ __name((_ctx, _event) => {
345
+ const { contact, trustedAnchors } = _ctx;
346
+ return contact !== void 0 && trustedAnchors !== void 0 && trustedAnchors.length === 0;
347
+ }, "oid4vciContactHasLowTrustGuard");
348
+ var oid4vciCredentialsToSelectRequiredGuard = /* @__PURE__ */ __name((_ctx, _event) => {
349
+ const { credentialToSelectFrom } = _ctx;
350
+ return credentialToSelectFrom && credentialToSelectFrom.length > 1;
351
+ }, "oid4vciCredentialsToSelectRequiredGuard");
352
+ var oid4vciRequirePinGuard = /* @__PURE__ */ __name((_ctx, _event) => {
353
+ const { requestData } = _ctx;
354
+ return requestData?.credentialOffer?.userPinRequired === true;
355
+ }, "oid4vciRequirePinGuard");
356
+ var oid4vciHasNoContactIdentityGuard = /* @__PURE__ */ __name((_ctx, _event) => {
357
+ const { contact, credentialsToAccept } = _ctx;
358
+ let toAcceptId = credentialsToAccept[0].correlationId;
359
+ if (toAcceptId.match(/^https?:\/\/.*/)) {
360
+ toAcceptId = new URL(toAcceptId).hostname;
361
+ }
362
+ return !contact?.identities.some((identity) => identity.identifier.correlationId === toAcceptId);
363
+ }, "oid4vciHasNoContactIdentityGuard");
364
+ var oid4vciVerificationCodeGuard = /* @__PURE__ */ __name((_ctx, _event) => {
365
+ const { verificationCode } = _ctx;
366
+ return verificationCode !== void 0 && verificationCode.length > 0;
367
+ }, "oid4vciVerificationCodeGuard");
368
+ var oid4vciCreateContactGuard = /* @__PURE__ */ __name((_ctx, _event) => {
369
+ const { contactAlias, hasContactConsent } = _ctx;
370
+ return hasContactConsent && !!contactAlias && contactAlias.length > 0;
371
+ }, "oid4vciCreateContactGuard");
372
+ var oid4vciHasSelectedCredentialsGuard = /* @__PURE__ */ __name((_ctx, _event) => {
373
+ const { selectedCredentials } = _ctx;
374
+ return selectedCredentials !== void 0 && selectedCredentials.length > 0;
375
+ }, "oid4vciHasSelectedCredentialsGuard");
376
+ var oid4vciIsOIDFOriginGuard = /* @__PURE__ */ __name((_ctx, _event) => {
377
+ const { trustAnchors } = _ctx;
378
+ return trustAnchors.length > 0;
379
+ }, "oid4vciIsOIDFOriginGuard");
380
+ var oid4vciNoAuthorizationGuard = /* @__PURE__ */ __name((ctx, _event) => {
381
+ return !oid4vciHasAuthorizationResponse(ctx, _event);
382
+ }, "oid4vciNoAuthorizationGuard");
383
+ var oid4vciRequireAuthorizationGuard = /* @__PURE__ */ __name((ctx, _event) => {
384
+ const { openID4VCIClientState } = ctx;
385
+ if (!openID4VCIClientState) {
386
+ throw Error("Missing openID4VCI client state in context");
387
+ }
388
+ if (!openID4VCIClientState.authorizationURL) {
389
+ return false;
390
+ } else if (openID4VCIClientState.authorizationRequestOpts) {
391
+ return !ctx.openID4VCIClientState?.authorizationCodeResponse;
392
+ } else if (openID4VCIClientState.credentialOffer?.supportedFlows?.includes(import_oid4vci_common.AuthzFlowType.AUTHORIZATION_CODE_FLOW)) {
393
+ return !ctx.openID4VCIClientState?.authorizationCodeResponse;
394
+ } else if (openID4VCIClientState.credentialOffer?.supportedFlows?.includes(import_oid4vci_common.AuthzFlowType.PRE_AUTHORIZED_CODE_FLOW)) {
395
+ return false;
396
+ } else if (openID4VCIClientState.endpointMetadata?.credentialIssuerMetadata?.authorization_endpoint) {
397
+ return !ctx.openID4VCIClientState?.authorizationCodeResponse;
398
+ }
399
+ return false;
400
+ }, "oid4vciRequireAuthorizationGuard");
401
+ var oid4vciHasAuthorizationResponse = /* @__PURE__ */ __name((ctx, _event) => {
402
+ return !!ctx.openID4VCIClientState?.authorizationCodeResponse;
403
+ }, "oid4vciHasAuthorizationResponse");
404
+ var oid4vciIsFirstPartyApplication = /* @__PURE__ */ __name((ctx, _event) => {
405
+ return !!ctx.serverMetadata?.authorization_challenge_endpoint;
406
+ }, "oid4vciIsFirstPartyApplication");
407
+ var createOID4VCIMachine = /* @__PURE__ */ __name((opts) => {
408
+ const initialContext = {
409
+ // TODO WAL-671 we need to store the data from OpenIdProvider here in the context and make sure we can restart the machine with it and init the OpenIdProvider
410
+ accessTokenOpts: opts?.accessTokenOpts,
411
+ requestData: opts?.requestData,
412
+ trustAnchors: opts?.trustAnchors ?? [],
413
+ issuanceOpt: opts?.issuanceOpt,
414
+ didMethodPreferences: opts?.didMethodPreferences,
415
+ locale: opts?.locale,
416
+ credentialsSupported: {},
417
+ credentialToSelectFrom: [],
418
+ selectedCredentials: [],
419
+ credentialsToAccept: [],
420
+ hasContactConsent: true,
421
+ contactAlias: ""
422
+ };
423
+ return (0, import_xstate.createMachine)({
424
+ id: opts?.machineName ?? "OID4VCIHolder",
425
+ predictableActionArguments: true,
426
+ initial: OID4VCIMachineStates.start,
427
+ schema: {
428
+ events: {},
429
+ guards: {},
430
+ services: {}
431
+ },
432
+ context: initialContext,
433
+ states: {
434
+ [OID4VCIMachineStates.start]: {
435
+ id: OID4VCIMachineStates.start,
436
+ invoke: {
437
+ src: OID4VCIMachineServices.start,
438
+ onDone: {
439
+ target: OID4VCIMachineStates.createCredentialsToSelectFrom,
440
+ actions: (0, import_xstate.assign)({
441
+ authorizationCodeURL: /* @__PURE__ */ __name((_ctx, _event) => _event.data.authorizationCodeURL, "authorizationCodeURL"),
442
+ credentialBranding: /* @__PURE__ */ __name((_ctx, _event) => _event.data.credentialBranding ?? {}, "credentialBranding"),
443
+ credentialsSupported: /* @__PURE__ */ __name((_ctx, _event) => _event.data.credentialsSupported, "credentialsSupported"),
444
+ serverMetadata: /* @__PURE__ */ __name((_ctx, _event) => _event.data.serverMetadata, "serverMetadata"),
445
+ openID4VCIClientState: /* @__PURE__ */ __name((_ctx, _event) => _event.data.oid4vciClientState, "openID4VCIClientState")
446
+ })
447
+ },
448
+ onError: {
449
+ target: OID4VCIMachineStates.handleError,
450
+ actions: (0, import_xstate.assign)({
451
+ error: /* @__PURE__ */ __name((_ctx, _event) => ({
452
+ title: translate("oid4vci_machine_initiation_error_title"),
453
+ message: _event.data.message,
454
+ stack: _event.data.stack
455
+ }), "error")
456
+ })
457
+ }
458
+ }
459
+ },
460
+ [OID4VCIMachineStates.createCredentialsToSelectFrom]: {
461
+ id: OID4VCIMachineStates.createCredentialsToSelectFrom,
462
+ invoke: {
463
+ src: OID4VCIMachineServices.createCredentialsToSelectFrom,
464
+ onDone: {
465
+ target: OID4VCIMachineStates.getContact,
466
+ actions: (0, import_xstate.assign)({
467
+ credentialToSelectFrom: /* @__PURE__ */ __name((_ctx, _event) => _event.data, "credentialToSelectFrom")
468
+ })
469
+ },
470
+ onError: {
471
+ target: OID4VCIMachineStates.handleError,
472
+ actions: (0, import_xstate.assign)({
473
+ error: /* @__PURE__ */ __name((_ctx, _event) => ({
474
+ title: translate("oid4vci_machine_credential_selection_error_title"),
475
+ message: _event.data.message,
476
+ stack: _event.data.stack
477
+ }), "error")
478
+ })
479
+ }
480
+ }
481
+ },
482
+ [OID4VCIMachineStates.getContact]: {
483
+ id: OID4VCIMachineStates.getContact,
484
+ invoke: {
485
+ src: OID4VCIMachineServices.getContact,
486
+ onDone: {
487
+ target: OID4VCIMachineStates.getIssuerBranding,
488
+ actions: (0, import_xstate.assign)({
489
+ contact: /* @__PURE__ */ __name((_ctx, _event) => _event.data, "contact")
490
+ })
491
+ },
492
+ onError: {
493
+ target: OID4VCIMachineStates.handleError,
494
+ actions: (0, import_xstate.assign)({
495
+ error: /* @__PURE__ */ __name((_ctx, _event) => ({
496
+ title: translate("oid4vci_machine_retrieve_contact_error_title"),
497
+ message: _event.data.message,
498
+ stack: _event.data.stack
499
+ }), "error")
500
+ })
501
+ }
502
+ }
503
+ },
504
+ [OID4VCIMachineStates.getIssuerBranding]: {
505
+ id: OID4VCIMachineStates.getIssuerBranding,
506
+ invoke: {
507
+ src: OID4VCIMachineServices.getIssuerBranding,
508
+ onDone: [
509
+ {
510
+ target: OID4VCIMachineStates.getFederationTrust,
511
+ cond: OID4VCIMachineGuards.isOIDFOriginGuard,
512
+ actions: (0, import_xstate.assign)({
513
+ issuerBranding: /* @__PURE__ */ __name((_ctx, _event) => _event.data, "issuerBranding")
514
+ })
515
+ },
516
+ {
517
+ target: OID4VCIMachineStates.transitionFromSetup,
518
+ actions: (0, import_xstate.assign)({
519
+ issuerBranding: /* @__PURE__ */ __name((_ctx, _event) => _event.data, "issuerBranding")
520
+ })
521
+ }
522
+ ],
523
+ onError: {
524
+ target: OID4VCIMachineStates.handleError,
525
+ actions: (0, import_xstate.assign)({
526
+ error: /* @__PURE__ */ __name((_ctx, _event) => ({
527
+ title: translate("oid4vci_machine_retrieve_issuer_branding_error_title"),
528
+ message: _event.data.message,
529
+ stack: _event.data.stack
530
+ }), "error")
531
+ })
532
+ }
533
+ }
534
+ },
535
+ [OID4VCIMachineStates.getFederationTrust]: {
536
+ id: OID4VCIMachineStates.getFederationTrust,
537
+ invoke: {
538
+ src: OID4VCIMachineServices.getFederationTrust,
539
+ onDone: {
540
+ target: OID4VCIMachineStates.transitionFromSetup,
541
+ actions: (0, import_xstate.assign)({
542
+ trustedAnchors: /* @__PURE__ */ __name((_ctx, _event) => _event.data, "trustedAnchors")
543
+ })
544
+ },
545
+ onError: {
546
+ target: OID4VCIMachineStates.handleError,
547
+ actions: (0, import_xstate.assign)({
548
+ error: /* @__PURE__ */ __name((_ctx, _event) => ({
549
+ title: translate("oid4vci_machine_retrieve_federation_trust_error_title"),
550
+ message: _event.data.message,
551
+ stack: _event.data.stack
552
+ }), "error")
553
+ })
554
+ }
555
+ }
556
+ },
557
+ [OID4VCIMachineStates.transitionFromSetup]: {
558
+ id: OID4VCIMachineStates.transitionFromSetup,
559
+ always: [
560
+ {
561
+ target: OID4VCIMachineStates.addContact,
562
+ cond: OID4VCIMachineGuards.hasNoContactGuard
563
+ },
564
+ {
565
+ target: OID4VCIMachineStates.reviewContact,
566
+ cond: OID4VCIMachineGuards.contactHasLowTrustGuard
567
+ },
568
+ {
569
+ target: OID4VCIMachineStates.selectCredentials,
570
+ cond: OID4VCIMachineGuards.credentialsToSelectRequiredGuard
571
+ },
572
+ {
573
+ target: OID4VCIMachineStates.startFirstPartApplicationFlow,
574
+ cond: OID4VCIMachineGuards.isFirstPartyApplication
575
+ },
576
+ {
577
+ target: OID4VCIMachineStates.initiateAuthorizationRequest,
578
+ cond: OID4VCIMachineGuards.requireAuthorizationGuard
579
+ },
580
+ {
581
+ target: OID4VCIMachineStates.verifyPin,
582
+ cond: OID4VCIMachineGuards.requirePinGuard
583
+ },
584
+ {
585
+ target: OID4VCIMachineStates.getCredentials
586
+ }
587
+ ],
588
+ on: {
589
+ [OID4VCIMachineEvents.SET_AUTHORIZATION_CODE_URL]: {
590
+ actions: (0, import_xstate.assign)({
591
+ authorizationCodeURL: /* @__PURE__ */ __name((_ctx, _event) => _event.data, "authorizationCodeURL")
592
+ })
593
+ }
594
+ }
595
+ },
596
+ [OID4VCIMachineStates.addContact]: {
597
+ id: OID4VCIMachineStates.addContact,
598
+ initial: OID4VCIMachineAddContactStates.idle,
599
+ on: {
600
+ [OID4VCIMachineEvents.SET_CONTACT_CONSENT]: {
601
+ actions: (0, import_xstate.assign)({
602
+ hasContactConsent: /* @__PURE__ */ __name((_ctx, _event) => _event.data, "hasContactConsent")
603
+ })
604
+ },
605
+ [OID4VCIMachineEvents.SET_CONTACT_ALIAS]: {
606
+ actions: (0, import_xstate.assign)({
607
+ contactAlias: /* @__PURE__ */ __name((_ctx, _event) => _event.data, "contactAlias")
608
+ })
609
+ },
610
+ [OID4VCIMachineEvents.CREATE_CONTACT]: {
611
+ target: `.${OID4VCIMachineAddContactStates.next}`,
612
+ actions: (0, import_xstate.assign)({
613
+ contact: /* @__PURE__ */ __name((_ctx, _event) => _event.data, "contact")
614
+ }),
615
+ cond: OID4VCIMachineGuards.createContactGuard
616
+ },
617
+ [OID4VCIMachineEvents.DECLINE]: {
618
+ target: OID4VCIMachineStates.declined
619
+ },
620
+ [OID4VCIMachineEvents.PREVIOUS]: {
621
+ target: OID4VCIMachineStates.aborted
622
+ }
623
+ },
624
+ states: {
625
+ [OID4VCIMachineAddContactStates.idle]: {},
626
+ [OID4VCIMachineAddContactStates.next]: {
627
+ always: {
628
+ target: `#${OID4VCIMachineStates.storeIssuerBranding}`,
629
+ cond: OID4VCIMachineGuards.hasContactGuard
630
+ }
631
+ }
632
+ }
633
+ },
634
+ [OID4VCIMachineStates.reviewContact]: {
635
+ id: OID4VCIMachineStates.reviewContact,
636
+ on: {
637
+ [OID4VCIMachineEvents.NEXT]: {
638
+ target: OID4VCIMachineStates.transitionFromContactSetup
639
+ },
640
+ [OID4VCIMachineEvents.DECLINE]: {
641
+ target: OID4VCIMachineStates.declined
642
+ },
643
+ [OID4VCIMachineEvents.PREVIOUS]: {
644
+ target: OID4VCIMachineStates.aborted
645
+ }
646
+ }
647
+ },
648
+ [OID4VCIMachineStates.storeIssuerBranding]: {
649
+ id: OID4VCIMachineStates.storeIssuerBranding,
650
+ invoke: {
651
+ src: OID4VCIMachineServices.storeIssuerBranding,
652
+ onDone: {
653
+ target: OID4VCIMachineStates.transitionFromContactSetup
654
+ },
655
+ onError: {
656
+ target: OID4VCIMachineStates.handleError,
657
+ actions: (0, import_xstate.assign)({
658
+ error: /* @__PURE__ */ __name((_ctx, _event) => ({
659
+ title: translate("oid4vci_machine_store_issuer_branding_error_title"),
660
+ message: _event.data.message,
661
+ stack: _event.data.stack
662
+ }), "error")
663
+ })
664
+ }
665
+ }
666
+ },
667
+ [OID4VCIMachineStates.transitionFromContactSetup]: {
668
+ id: OID4VCIMachineStates.transitionFromContactSetup,
669
+ always: [
670
+ {
671
+ target: OID4VCIMachineStates.selectCredentials,
672
+ cond: OID4VCIMachineGuards.credentialsToSelectRequiredGuard
673
+ },
674
+ {
675
+ target: OID4VCIMachineStates.startFirstPartApplicationFlow,
676
+ cond: OID4VCIMachineGuards.isFirstPartyApplication
677
+ },
678
+ {
679
+ target: OID4VCIMachineStates.initiateAuthorizationRequest,
680
+ cond: OID4VCIMachineGuards.requireAuthorizationGuard
681
+ },
682
+ {
683
+ target: OID4VCIMachineStates.verifyPin,
684
+ cond: OID4VCIMachineGuards.requirePinGuard
685
+ },
686
+ {
687
+ target: OID4VCIMachineStates.getCredentials
688
+ }
689
+ ]
690
+ },
691
+ [OID4VCIMachineStates.startFirstPartApplicationFlow]: {
692
+ id: OID4VCIMachineStates.startFirstPartApplicationFlow,
693
+ invoke: {
694
+ src: OID4VCIMachineServices.startFirstPartApplicationFlow,
695
+ onDone: [
696
+ {
697
+ target: OID4VCIMachineStates.aborted,
698
+ cond: /* @__PURE__ */ __name((_ctx, _event) => _event.data === FirstPartyMachineStateTypes.aborted, "cond")
699
+ },
700
+ {
701
+ target: OID4VCIMachineStates.declined,
702
+ cond: /* @__PURE__ */ __name((_ctx, _event) => _event.data === FirstPartyMachineStateTypes.declined, "cond")
703
+ },
704
+ {
705
+ target: OID4VCIMachineStates.getCredentials,
706
+ actions: (0, import_xstate.assign)({
707
+ openID4VCIClientState: /* @__PURE__ */ __name((_ctx, _event) => {
708
+ const authorizationCodeResponse = (0, import_oid4vci_common.toAuthorizationResponsePayload)(_event.data);
709
+ return {
710
+ ..._ctx.openID4VCIClientState,
711
+ authorizationCodeResponse
712
+ };
713
+ }, "openID4VCIClientState")
714
+ })
715
+ }
716
+ ],
717
+ onError: {
718
+ target: OID4VCIMachineStates.handleError,
719
+ actions: (0, import_xstate.assign)({
720
+ error: /* @__PURE__ */ __name((_ctx, _event) => ({
721
+ title: _event.data.title ?? translate("oid4vci_machine_first_party_error_title"),
722
+ message: _event.data.message,
723
+ stack: _event.data.stack
724
+ }), "error")
725
+ })
726
+ }
727
+ }
728
+ },
729
+ [OID4VCIMachineStates.selectCredentials]: {
730
+ id: OID4VCIMachineStates.selectCredentials,
731
+ on: {
732
+ [OID4VCIMachineEvents.SET_SELECTED_CREDENTIALS]: {
733
+ actions: (0, import_xstate.assign)({
734
+ selectedCredentials: /* @__PURE__ */ __name((_ctx, _event) => _event.data, "selectedCredentials")
735
+ })
736
+ },
737
+ [OID4VCIMachineEvents.NEXT]: {
738
+ target: OID4VCIMachineStates.transitionFromSelectingCredentials,
739
+ cond: OID4VCIMachineGuards.hasSelectedCredentialsGuard
740
+ },
741
+ [OID4VCIMachineEvents.PREVIOUS]: {
742
+ target: OID4VCIMachineStates.aborted
743
+ }
744
+ }
745
+ },
746
+ [OID4VCIMachineStates.transitionFromSelectingCredentials]: {
747
+ id: OID4VCIMachineStates.transitionFromSelectingCredentials,
748
+ always: [
749
+ {
750
+ target: OID4VCIMachineStates.startFirstPartApplicationFlow,
751
+ cond: OID4VCIMachineGuards.isFirstPartyApplication
752
+ },
753
+ {
754
+ target: OID4VCIMachineStates.verifyPin,
755
+ cond: OID4VCIMachineGuards.requirePinGuard
756
+ },
757
+ {
758
+ target: OID4VCIMachineStates.initiateAuthorizationRequest,
759
+ cond: OID4VCIMachineGuards.requireAuthorizationGuard
760
+ },
761
+ {
762
+ target: OID4VCIMachineStates.getCredentials
763
+ }
764
+ ]
765
+ },
766
+ [OID4VCIMachineStates.initiateAuthorizationRequest]: {
767
+ id: OID4VCIMachineStates.initiateAuthorizationRequest,
768
+ on: {
769
+ [OID4VCIMachineEvents.PREVIOUS]: {
770
+ target: OID4VCIMachineStates.selectCredentials
771
+ },
772
+ [OID4VCIMachineEvents.INVOKED_AUTHORIZATION_CODE_REQUEST]: {
773
+ target: OID4VCIMachineStates.waitForAuthorizationResponse
774
+ }
775
+ }
776
+ },
777
+ [OID4VCIMachineStates.waitForAuthorizationResponse]: {
778
+ id: OID4VCIMachineStates.waitForAuthorizationResponse,
779
+ on: {
780
+ [OID4VCIMachineEvents.PREVIOUS]: {
781
+ target: OID4VCIMachineStates.initiateAuthorizationRequest
782
+ },
783
+ [OID4VCIMachineEvents.PROVIDE_AUTHORIZATION_CODE_RESPONSE]: {
784
+ actions: (0, import_xstate.assign)({
785
+ openID4VCIClientState: /* @__PURE__ */ __name((_ctx, _event) => {
786
+ const authorizationCodeResponse = (0, import_oid4vci_common.toAuthorizationResponsePayload)(_event.data);
787
+ return {
788
+ ..._ctx.openID4VCIClientState,
789
+ authorizationCodeResponse
790
+ };
791
+ }, "openID4VCIClientState")
792
+ })
793
+ }
794
+ },
795
+ always: [
796
+ {
797
+ cond: OID4VCIMachineGuards.hasAuthorizationResponse,
798
+ target: OID4VCIMachineStates.getCredentials
799
+ }
800
+ ]
801
+ },
802
+ [OID4VCIMachineStates.verifyPin]: {
803
+ id: OID4VCIMachineStates.verifyPin,
804
+ initial: OID4VCIMachineVerifyPinStates.idle,
805
+ on: {
806
+ [OID4VCIMachineEvents.SET_VERIFICATION_CODE]: {
807
+ target: `.${OID4VCIMachineVerifyPinStates.next}`,
808
+ actions: (0, import_xstate.assign)({
809
+ verificationCode: /* @__PURE__ */ __name((_ctx, _event) => _event.data, "verificationCode")
810
+ })
811
+ },
812
+ [OID4VCIMachineEvents.PREVIOUS]: [
813
+ {
814
+ target: OID4VCIMachineStates.selectCredentials,
815
+ cond: OID4VCIMachineGuards.credentialsToSelectRequiredGuard
816
+ },
817
+ {
818
+ target: OID4VCIMachineStates.aborted
819
+ }
820
+ ]
821
+ },
822
+ states: {
823
+ [OID4VCIMachineVerifyPinStates.idle]: {},
824
+ [OID4VCIMachineVerifyPinStates.next]: {
825
+ always: {
826
+ target: `#${OID4VCIMachineStates.getCredentials}`,
827
+ cond: OID4VCIMachineGuards.verificationCodeGuard
828
+ }
829
+ }
830
+ }
831
+ },
832
+ [OID4VCIMachineStates.getCredentials]: {
833
+ id: OID4VCIMachineStates.getCredentials,
834
+ invoke: {
835
+ src: OID4VCIMachineServices.getCredentials,
836
+ onDone: {
837
+ target: OID4VCIMachineStates.verifyCredentials,
838
+ actions: (0, import_xstate.assign)({
839
+ credentialsToAccept: /* @__PURE__ */ __name((_ctx, _event) => _event.data, "credentialsToAccept")
840
+ })
841
+ },
842
+ onError: {
843
+ target: OID4VCIMachineStates.handleError,
844
+ actions: (0, import_xstate.assign)({
845
+ error: /* @__PURE__ */ __name((_ctx, _event) => ({
846
+ title: translate("oid4vci_machine_retrieve_credentials_error_title"),
847
+ message: _event.data.message,
848
+ stack: _event.data.stack
849
+ }), "error")
850
+ })
851
+ }
852
+ },
853
+ exit: (0, import_xstate.assign)({
854
+ verificationCode: void 0
855
+ })
856
+ },
857
+ [OID4VCIMachineStates.verifyCredentials]: {
858
+ id: OID4VCIMachineStates.verifyCredentials,
859
+ invoke: {
860
+ src: OID4VCIMachineServices.assertValidCredentials,
861
+ onDone: {
862
+ target: OID4VCIMachineStates.transitionFromWalletInput
863
+ },
864
+ onError: {
865
+ target: OID4VCIMachineStates.handleError,
866
+ actions: (0, import_xstate.assign)({
867
+ error: /* @__PURE__ */ __name((_ctx, _event) => ({
868
+ title: translate("oid4vci_machine_verify_credentials_error_title"),
869
+ message: _event.data.message,
870
+ stack: _event.data.stack
871
+ }), "error")
872
+ })
873
+ }
874
+ }
875
+ },
876
+ [OID4VCIMachineStates.transitionFromWalletInput]: {
877
+ id: OID4VCIMachineStates.transitionFromWalletInput,
878
+ always: [
879
+ {
880
+ target: OID4VCIMachineStates.addContactIdentity,
881
+ cond: OID4VCIMachineGuards.hasNoContactIdentityGuard
882
+ },
883
+ {
884
+ target: OID4VCIMachineStates.reviewCredentials
885
+ }
886
+ ]
887
+ },
888
+ [OID4VCIMachineStates.addContactIdentity]: {
889
+ id: OID4VCIMachineStates.addContactIdentity,
890
+ invoke: {
891
+ src: OID4VCIMachineServices.addContactIdentity,
892
+ onDone: {
893
+ target: OID4VCIMachineStates.addIssuerBrandingAfterIdentity,
894
+ actions: /* @__PURE__ */ __name((_ctx, _event) => {
895
+ _ctx.contact?.identities.push(_event.data);
896
+ }, "actions")
897
+ },
898
+ onError: {
899
+ target: OID4VCIMachineStates.handleError,
900
+ actions: (0, import_xstate.assign)({
901
+ error: /* @__PURE__ */ __name((_ctx, _event) => ({
902
+ title: translate("oid4vci_machine_add_contact_identity_error_title"),
903
+ message: _event.data.message,
904
+ stack: _event.data.stack
905
+ }), "error")
906
+ })
907
+ }
908
+ }
909
+ },
910
+ [OID4VCIMachineStates.addIssuerBrandingAfterIdentity]: {
911
+ id: OID4VCIMachineStates.addIssuerBrandingAfterIdentity,
912
+ invoke: {
913
+ src: OID4VCIMachineServices.storeIssuerBranding,
914
+ onDone: {
915
+ target: OID4VCIMachineStates.reviewCredentials
916
+ },
917
+ onError: {
918
+ target: OID4VCIMachineStates.handleError,
919
+ actions: (0, import_xstate.assign)({
920
+ error: /* @__PURE__ */ __name((_ctx, _event) => ({
921
+ title: translate("oid4vci_machine_store_issuer_branding_error_title"),
922
+ message: _event.data.message,
923
+ stack: _event.data.stack
924
+ }), "error")
925
+ })
926
+ }
927
+ }
928
+ },
929
+ [OID4VCIMachineStates.reviewCredentials]: {
930
+ id: OID4VCIMachineStates.reviewCredentials,
931
+ on: {
932
+ [OID4VCIMachineEvents.NEXT]: {
933
+ target: OID4VCIMachineStates.storeCredentialBranding
934
+ },
935
+ [OID4VCIMachineEvents.DECLINE]: {
936
+ target: OID4VCIMachineStates.declined
937
+ },
938
+ [OID4VCIMachineEvents.PREVIOUS]: {
939
+ target: OID4VCIMachineStates.aborted
940
+ }
941
+ }
942
+ },
943
+ [OID4VCIMachineStates.storeCredentialBranding]: {
944
+ id: OID4VCIMachineStates.storeCredentialBranding,
945
+ invoke: {
946
+ src: OID4VCIMachineServices.storeCredentialBranding,
947
+ onDone: {
948
+ target: OID4VCIMachineStates.storeCredentials
949
+ },
950
+ onError: {
951
+ target: OID4VCIMachineStates.handleError,
952
+ actions: (0, import_xstate.assign)({
953
+ error: /* @__PURE__ */ __name((_ctx, _event) => ({
954
+ title: translate("oid4vci_machine_store_credential_branding_error_title"),
955
+ message: _event.data.message,
956
+ stack: _event.data.stack
957
+ }), "error")
958
+ })
959
+ }
960
+ }
961
+ },
962
+ [OID4VCIMachineStates.storeCredentials]: {
963
+ id: OID4VCIMachineStates.storeCredentials,
964
+ invoke: {
965
+ src: OID4VCIMachineServices.storeCredentials,
966
+ onDone: {
967
+ target: OID4VCIMachineStates.done
968
+ },
969
+ onError: {
970
+ target: OID4VCIMachineStates.handleError,
971
+ actions: (0, import_xstate.assign)({
972
+ error: /* @__PURE__ */ __name((_ctx, _event) => ({
973
+ title: translate("oid4vci_machine_store_credential_error_title"),
974
+ message: _event.data.message,
975
+ stack: _event.data.stack
976
+ }), "error")
977
+ })
978
+ }
979
+ }
980
+ },
981
+ [OID4VCIMachineStates.handleError]: {
982
+ id: OID4VCIMachineStates.handleError,
983
+ on: {
984
+ [OID4VCIMachineEvents.NEXT]: {
985
+ target: OID4VCIMachineStates.error
986
+ },
987
+ [OID4VCIMachineEvents.PREVIOUS]: {
988
+ target: OID4VCIMachineStates.error
989
+ }
990
+ }
991
+ },
992
+ [OID4VCIMachineStates.aborted]: {
993
+ id: OID4VCIMachineStates.aborted,
994
+ type: "final"
995
+ },
996
+ [OID4VCIMachineStates.declined]: {
997
+ id: OID4VCIMachineStates.declined,
998
+ type: "final"
999
+ },
1000
+ [OID4VCIMachineStates.error]: {
1001
+ id: OID4VCIMachineStates.error,
1002
+ type: "final"
1003
+ },
1004
+ [OID4VCIMachineStates.done]: {
1005
+ id: OID4VCIMachineStates.done,
1006
+ type: "final"
1007
+ }
1008
+ }
1009
+ });
1010
+ }, "createOID4VCIMachine");
1011
+ var OID4VCIMachine = class {
1012
+ static {
1013
+ __name(this, "OID4VCIMachine");
1014
+ }
1015
+ static async newInstance(opts, context) {
1016
+ const interpreter = (0, import_xstate.interpret)(createOID4VCIMachine(opts).withConfig({
1017
+ services: {
1018
+ ...opts?.services
1019
+ },
1020
+ guards: {
1021
+ oid4vciHasNoContactGuard,
1022
+ oid4vciCredentialsToSelectRequiredGuard,
1023
+ oid4vciRequirePinGuard,
1024
+ oid4vciHasNoContactIdentityGuard,
1025
+ oid4vciVerificationCodeGuard,
1026
+ oid4vciHasContactGuard,
1027
+ oid4vciCreateContactGuard,
1028
+ oid4vciHasSelectedCredentialsGuard,
1029
+ oid4vciRequireAuthorizationGuard,
1030
+ oid4vciNoAuthorizationGuard,
1031
+ oid4vciHasAuthorizationResponse,
1032
+ oid4vciIsOIDFOriginGuard,
1033
+ oid4vciContactHasLowTrustGuard,
1034
+ oid4vciIsFirstPartyApplication,
1035
+ ...opts?.guards
1036
+ }
1037
+ }));
1038
+ if (typeof opts?.subscription === "function") {
1039
+ interpreter.onTransition(opts.subscription);
1040
+ }
1041
+ if (opts?.requireCustomNavigationHook !== true) {
1042
+ if (typeof opts?.stateNavigationListener === "function") {
1043
+ interpreter.onTransition((snapshot) => {
1044
+ if (opts?.stateNavigationListener) {
1045
+ opts.stateNavigationListener(interpreter, snapshot);
1046
+ }
1047
+ });
1048
+ }
1049
+ }
1050
+ return {
1051
+ interpreter
1052
+ };
1053
+ }
1054
+ };
1055
+
1056
+ // src/services/OID4VCIHolderService.ts
1057
+ var import_oid4vci_client2 = require("@sphereon/oid4vci-client");
1058
+ var import_oid4vci_common3 = require("@sphereon/oid4vci-common");
1059
+ var import_ssi_sdk_ext = require("@sphereon/ssi-sdk-ext.did-resolver-jwk");
1060
+ var import_ssi_sdk_ext2 = require("@sphereon/ssi-sdk-ext.did-utils");
1061
+ var import_ssi_sdk_ext3 = require("@sphereon/ssi-sdk-ext.identifier-resolution");
1062
+ var import_ssi_sdk_ext4 = require("@sphereon/ssi-sdk-ext.key-utils");
1063
+ var import_ssi_types = require("@sphereon/ssi-types");
1064
+ var import_utils = require("@veramo/utils");
1065
+
1066
+ // src/mappers/OIDC4VCIBrandingMapper.ts
1067
+ var oid4vciGetCredentialBrandingFrom = /* @__PURE__ */ __name(async (args) => {
1068
+ const { credentialDisplay, issuerCredentialSubject } = args;
1069
+ return oid4vciCombineDisplayLocalesFrom({
1070
+ ...issuerCredentialSubject && {
1071
+ issuerCredentialSubjectLocales: await oid4vciIssuerCredentialSubjectLocalesFrom({
1072
+ issuerCredentialSubject
1073
+ })
1074
+ },
1075
+ ...credentialDisplay && {
1076
+ credentialDisplayLocales: await oid4vciCredentialDisplayLocalesFrom({
1077
+ credentialDisplay
1078
+ })
1079
+ }
1080
+ });
1081
+ }, "oid4vciGetCredentialBrandingFrom");
1082
+ var oid4vciCredentialDisplayLocalesFrom = /* @__PURE__ */ __name(async (args) => {
1083
+ const { credentialDisplay } = args;
1084
+ return credentialDisplay.reduce((localeDisplays, display) => {
1085
+ const localeKey = display.locale || "";
1086
+ localeDisplays.set(localeKey, display);
1087
+ return localeDisplays;
1088
+ }, /* @__PURE__ */ new Map());
1089
+ }, "oid4vciCredentialDisplayLocalesFrom");
1090
+ var oid4vciIssuerCredentialSubjectLocalesFrom = /* @__PURE__ */ __name(async (args) => {
1091
+ const { issuerCredentialSubject } = args;
1092
+ const localeClaims = /* @__PURE__ */ new Map();
1093
+ const processClaimObject = /* @__PURE__ */ __name((claim, parentKey = "") => {
1094
+ Object.entries(claim).forEach(([key, value]) => {
1095
+ if (key === "mandatory" || key === "value_type") {
1096
+ return;
1097
+ }
1098
+ if (key === "display" && Array.isArray(value)) {
1099
+ value.forEach(({ name, locale = "" }) => {
1100
+ if (!name) {
1101
+ return;
1102
+ }
1103
+ if (!localeClaims.has(locale)) {
1104
+ localeClaims.set(locale, []);
1105
+ }
1106
+ localeClaims.get(locale).push({
1107
+ key: parentKey,
1108
+ name
1109
+ });
1110
+ });
1111
+ } else if (typeof value === "object" && value !== null) {
1112
+ processClaimObject(value, parentKey ? `${parentKey}.${key}` : key);
1113
+ }
1114
+ });
1115
+ }, "processClaimObject");
1116
+ processClaimObject(issuerCredentialSubject);
1117
+ return localeClaims;
1118
+ }, "oid4vciIssuerCredentialSubjectLocalesFrom");
1119
+ var oid4vciCredentialLocaleBrandingFrom = /* @__PURE__ */ __name(async (args) => {
1120
+ const { credentialDisplay } = args;
1121
+ return {
1122
+ ...credentialDisplay.name && {
1123
+ alias: credentialDisplay.name
1124
+ },
1125
+ ...credentialDisplay.locale && {
1126
+ locale: credentialDisplay.locale
1127
+ },
1128
+ ...credentialDisplay.logo && {
1129
+ logo: {
1130
+ ...(credentialDisplay.logo.url || credentialDisplay.logo.uri) && {
1131
+ uri: credentialDisplay.logo?.url ?? credentialDisplay.logo.uri
1132
+ },
1133
+ ...credentialDisplay.logo.alt_text && {
1134
+ alt: credentialDisplay.logo?.alt_text
1135
+ }
1136
+ }
1137
+ },
1138
+ ...credentialDisplay.description && {
1139
+ description: credentialDisplay.description
1140
+ },
1141
+ ...credentialDisplay.text_color && {
1142
+ text: {
1143
+ color: credentialDisplay.text_color
1144
+ }
1145
+ },
1146
+ ...(credentialDisplay.background_image || credentialDisplay.background_color) && {
1147
+ background: {
1148
+ ...credentialDisplay.background_image && {
1149
+ image: {
1150
+ ...(credentialDisplay.background_image.url || credentialDisplay.background_image.uri) && {
1151
+ uri: credentialDisplay.background_image?.url ?? credentialDisplay.background_image.uri
1152
+ },
1153
+ ...credentialDisplay.background_image.alt_text && {
1154
+ alt: credentialDisplay.background_image?.alt_text
1155
+ }
1156
+ }
1157
+ },
1158
+ ...credentialDisplay.background_color && {
1159
+ color: credentialDisplay.background_color
1160
+ }
1161
+ }
1162
+ }
1163
+ };
1164
+ }, "oid4vciCredentialLocaleBrandingFrom");
1165
+ var oid4vciCombineDisplayLocalesFrom = /* @__PURE__ */ __name(async (args) => {
1166
+ const { credentialDisplayLocales = /* @__PURE__ */ new Map(), issuerCredentialSubjectLocales = /* @__PURE__ */ new Map() } = args;
1167
+ const locales = Array.from(/* @__PURE__ */ new Set([
1168
+ ...issuerCredentialSubjectLocales.keys(),
1169
+ ...credentialDisplayLocales.keys()
1170
+ ]));
1171
+ return Promise.all(locales.map(async (locale) => {
1172
+ const display = credentialDisplayLocales.get(locale);
1173
+ const claims = issuerCredentialSubjectLocales.get(locale);
1174
+ return {
1175
+ ...display && await oid4vciCredentialLocaleBrandingFrom({
1176
+ credentialDisplay: display
1177
+ }),
1178
+ ...locale.length > 0 && {
1179
+ locale
1180
+ },
1181
+ claims
1182
+ };
1183
+ }));
1184
+ }, "oid4vciCombineDisplayLocalesFrom");
1185
+ var sdJwtGetCredentialBrandingFrom = /* @__PURE__ */ __name(async (args) => {
1186
+ const { credentialDisplay, claimsMetadata } = args;
1187
+ return sdJwtCombineDisplayLocalesFrom({
1188
+ ...claimsMetadata && {
1189
+ claimsMetadata: await sdJwtCredentialClaimLocalesFrom({
1190
+ claimsMetadata
1191
+ })
1192
+ },
1193
+ ...credentialDisplay && {
1194
+ credentialDisplayLocales: await sdJwtCredentialDisplayLocalesFrom({
1195
+ credentialDisplay
1196
+ })
1197
+ }
1198
+ });
1199
+ }, "sdJwtGetCredentialBrandingFrom");
1200
+ var sdJwtCredentialDisplayLocalesFrom = /* @__PURE__ */ __name(async (args) => {
1201
+ const { credentialDisplay } = args;
1202
+ return credentialDisplay.reduce((localeDisplays, display) => {
1203
+ const localeKey = display.lang || "";
1204
+ localeDisplays.set(localeKey, display);
1205
+ return localeDisplays;
1206
+ }, /* @__PURE__ */ new Map());
1207
+ }, "sdJwtCredentialDisplayLocalesFrom");
1208
+ var sdJwtCredentialClaimLocalesFrom = /* @__PURE__ */ __name(async (args) => {
1209
+ const { claimsMetadata } = args;
1210
+ const localeClaims = /* @__PURE__ */ new Map();
1211
+ claimsMetadata.forEach((claim) => {
1212
+ claim.display?.forEach((display) => {
1213
+ const { lang = "", label } = display;
1214
+ const key = claim.path.map((value) => String(value)).join(".");
1215
+ if (!localeClaims.has(lang)) {
1216
+ localeClaims.set(lang, []);
1217
+ }
1218
+ localeClaims.get(lang).push({
1219
+ key,
1220
+ name: label
1221
+ });
1222
+ });
1223
+ });
1224
+ return localeClaims;
1225
+ }, "sdJwtCredentialClaimLocalesFrom");
1226
+ var sdJwtCredentialLocaleBrandingFrom = /* @__PURE__ */ __name(async (args) => {
1227
+ const { credentialDisplay } = args;
1228
+ return {
1229
+ ...credentialDisplay.name && {
1230
+ alias: credentialDisplay.name
1231
+ },
1232
+ ...credentialDisplay.lang && {
1233
+ locale: credentialDisplay.lang
1234
+ },
1235
+ ...credentialDisplay.rendering?.simple?.logo && {
1236
+ logo: {
1237
+ ...credentialDisplay.rendering.simple.logo.uri && {
1238
+ uri: credentialDisplay.rendering.simple.logo.uri
1239
+ },
1240
+ ...credentialDisplay.rendering.simple.logo.alt_text && {
1241
+ alt: credentialDisplay.rendering.simple.logo.alt_text
1242
+ }
1243
+ }
1244
+ },
1245
+ ...credentialDisplay.description && {
1246
+ description: credentialDisplay.description
1247
+ },
1248
+ ...credentialDisplay.rendering?.simple?.text_color && {
1249
+ text: {
1250
+ color: credentialDisplay.rendering.simple.text_color
1251
+ }
1252
+ },
1253
+ ...credentialDisplay.rendering?.simple?.background_color && {
1254
+ background: {
1255
+ color: credentialDisplay.rendering.simple.background_color
1256
+ }
1257
+ }
1258
+ };
1259
+ }, "sdJwtCredentialLocaleBrandingFrom");
1260
+ var sdJwtCombineDisplayLocalesFrom = /* @__PURE__ */ __name(async (args) => {
1261
+ const { credentialDisplayLocales = /* @__PURE__ */ new Map(), claimsMetadata = /* @__PURE__ */ new Map() } = args;
1262
+ const locales = Array.from(/* @__PURE__ */ new Set([
1263
+ ...claimsMetadata.keys(),
1264
+ ...credentialDisplayLocales.keys()
1265
+ ]));
1266
+ return Promise.all(locales.map(async (locale) => {
1267
+ const display = credentialDisplayLocales.get(locale);
1268
+ const claims = claimsMetadata.get(locale);
1269
+ return {
1270
+ ...display && await sdJwtCredentialLocaleBrandingFrom({
1271
+ credentialDisplay: display
1272
+ }),
1273
+ ...locale.length > 0 && {
1274
+ locale
1275
+ },
1276
+ claims
1277
+ };
1278
+ }));
1279
+ }, "sdJwtCombineDisplayLocalesFrom");
1280
+ var issuerLocaleBrandingFrom = /* @__PURE__ */ __name(async (args) => {
1281
+ const { issuerDisplay, dynamicRegistrationClientMetadata } = args;
1282
+ return {
1283
+ ...dynamicRegistrationClientMetadata?.client_name && {
1284
+ alias: dynamicRegistrationClientMetadata.client_name
1285
+ },
1286
+ ...issuerDisplay.name && {
1287
+ alias: issuerDisplay.name
1288
+ },
1289
+ ...issuerDisplay.locale && {
1290
+ locale: issuerDisplay.locale
1291
+ },
1292
+ ...(issuerDisplay.logo || dynamicRegistrationClientMetadata?.logo_uri) && {
1293
+ logo: {
1294
+ ...dynamicRegistrationClientMetadata?.logo_uri && {
1295
+ uri: dynamicRegistrationClientMetadata?.logo_uri
1296
+ },
1297
+ ...(issuerDisplay.logo?.url || issuerDisplay.logo?.uri) && {
1298
+ uri: issuerDisplay.logo?.url ?? issuerDisplay.logo?.uri
1299
+ },
1300
+ ...issuerDisplay.logo?.alt_text && {
1301
+ alt: issuerDisplay.logo?.alt_text
1302
+ }
1303
+ }
1304
+ },
1305
+ ...issuerDisplay.description && {
1306
+ description: issuerDisplay.description
1307
+ },
1308
+ ...issuerDisplay.text_color && {
1309
+ text: {
1310
+ color: issuerDisplay.text_color
1311
+ }
1312
+ },
1313
+ ...dynamicRegistrationClientMetadata?.client_uri && {
1314
+ clientUri: dynamicRegistrationClientMetadata.client_uri
1315
+ },
1316
+ ...dynamicRegistrationClientMetadata?.tos_uri && {
1317
+ tosUri: dynamicRegistrationClientMetadata.tos_uri
1318
+ },
1319
+ ...dynamicRegistrationClientMetadata?.policy_uri && {
1320
+ policyUri: dynamicRegistrationClientMetadata.policy_uri
1321
+ },
1322
+ ...dynamicRegistrationClientMetadata?.contacts && {
1323
+ contacts: dynamicRegistrationClientMetadata.contacts
1324
+ }
1325
+ };
1326
+ }, "issuerLocaleBrandingFrom");
1327
+
1328
+ // src/machines/firstPartyMachine.ts
1329
+ var import_xstate2 = require("xstate");
1330
+ var import_oid4vci_common2 = require("@sphereon/oid4vci-common");
1331
+
1332
+ // src/services/FirstPartyMachineServices.ts
1333
+ var import_oid4vci_client = require("@sphereon/oid4vci-client");
1334
+ var import_uuid = require("uuid");
1335
+ var sendAuthorizationChallengeRequest = /* @__PURE__ */ __name(async (args) => {
1336
+ const { openID4VCIClientState, authSession, presentationDuringIssuanceSession } = args;
1337
+ const oid4vciClient = await import_oid4vci_client.OpenID4VCIClient.fromState({
1338
+ state: openID4VCIClientState
1339
+ });
1340
+ return oid4vciClient.acquireAuthorizationChallengeCode({
1341
+ clientId: oid4vciClient.clientId ?? (0, import_uuid.v4)(),
1342
+ ...authSession && {
1343
+ authSession
1344
+ },
1345
+ ...!authSession && openID4VCIClientState.credentialOffer?.preAuthorizedCode && {
1346
+ issuerState: openID4VCIClientState.credentialOffer?.preAuthorizedCode
1347
+ },
1348
+ ...!authSession && openID4VCIClientState.credentialOffer?.issuerState && {
1349
+ issuerState: openID4VCIClientState.credentialOffer?.issuerState
1350
+ },
1351
+ ...presentationDuringIssuanceSession && {
1352
+ presentationDuringIssuanceSession
1353
+ }
1354
+ });
1355
+ }, "sendAuthorizationChallengeRequest");
1356
+ var createConfig = /* @__PURE__ */ __name(async (args, context) => {
1357
+ const { presentationUri } = args;
1358
+ if (!presentationUri) {
1359
+ return Promise.reject(Error("Missing presentation uri in context"));
1360
+ }
1361
+ return context.agent.siopCreateConfig({
1362
+ url: presentationUri
1363
+ });
1364
+ }, "createConfig");
1365
+ var getSiopRequest = /* @__PURE__ */ __name(async (args, context) => {
1366
+ const { didAuthConfig, presentationUri } = args;
1367
+ if (presentationUri === void 0) {
1368
+ return Promise.reject(Error("Missing presentation uri in context"));
1369
+ }
1370
+ if (didAuthConfig === void 0) {
1371
+ return Promise.reject(Error("Missing did auth config in context"));
1372
+ }
1373
+ return context.agent.siopGetSiopRequest({
1374
+ didAuthConfig,
1375
+ url: presentationUri
1376
+ });
1377
+ }, "getSiopRequest");
1378
+ var sendAuthorizationResponse = /* @__PURE__ */ __name(async (args, context) => {
1379
+ const { didAuthConfig, authorizationRequestData, selectedCredentials } = args;
1380
+ const responseData = await context.agent.siopSendResponse({
1381
+ authorizationRequestData,
1382
+ selectedCredentials,
1383
+ didAuthConfig,
1384
+ isFirstParty: true
1385
+ });
1386
+ return responseData.body.presentation_during_issuance_session;
1387
+ }, "sendAuthorizationResponse");
1388
+
1389
+ // src/machines/firstPartyMachine.ts
1390
+ var firstPartyMachineStates = {
1391
+ [FirstPartyMachineStateTypes.sendAuthorizationChallengeRequest]: {
1392
+ id: FirstPartyMachineStateTypes.sendAuthorizationChallengeRequest,
1393
+ invoke: {
1394
+ src: FirstPartyMachineServices.sendAuthorizationChallengeRequest,
1395
+ onDone: {
1396
+ target: FirstPartyMachineStateTypes.done,
1397
+ actions: (0, import_xstate2.assign)({
1398
+ authorizationCodeResponse: /* @__PURE__ */ __name((_ctx, _event) => _event.data, "authorizationCodeResponse")
1399
+ })
1400
+ },
1401
+ onError: [
1402
+ {
1403
+ target: FirstPartyMachineStateTypes.createConfig,
1404
+ cond: /* @__PURE__ */ __name((_ctx, _event) => _event.data.error === import_oid4vci_common2.AuthorizationChallengeError.insufficient_authorization, "cond"),
1405
+ actions: (0, import_xstate2.assign)({
1406
+ authSession: /* @__PURE__ */ __name((_ctx, _event) => _event.data.auth_session, "authSession"),
1407
+ presentationUri: /* @__PURE__ */ __name((_ctx, _event) => _event.data.presentation, "presentationUri")
1408
+ })
1409
+ },
1410
+ {
1411
+ target: FirstPartyMachineStateTypes.error,
1412
+ actions: (0, import_xstate2.assign)({
1413
+ error: /* @__PURE__ */ __name((_ctx, _event) => ({
1414
+ title: translate("oid4vci_machine_send_authorization_challenge_request_error_title"),
1415
+ message: _event.data.message,
1416
+ stack: _event.data.stack
1417
+ }), "error")
1418
+ })
1419
+ }
1420
+ ]
1421
+ }
1422
+ },
1423
+ [FirstPartyMachineStateTypes.createConfig]: {
1424
+ id: FirstPartyMachineStateTypes.createConfig,
1425
+ invoke: {
1426
+ src: FirstPartyMachineServices.createConfig,
1427
+ onDone: {
1428
+ target: FirstPartyMachineStateTypes.getSiopRequest,
1429
+ actions: (0, import_xstate2.assign)({
1430
+ didAuthConfig: /* @__PURE__ */ __name((_ctx, _event) => _event.data, "didAuthConfig")
1431
+ })
1432
+ },
1433
+ onError: {
1434
+ target: FirstPartyMachineStateTypes.error,
1435
+ actions: (0, import_xstate2.assign)({
1436
+ error: /* @__PURE__ */ __name((_ctx, _event) => ({
1437
+ title: translate("oid4vci_machine_create_config_error_title"),
1438
+ message: _event.data.message,
1439
+ stack: _event.data.stack
1440
+ }), "error")
1441
+ })
1442
+ }
1443
+ }
1444
+ },
1445
+ [FirstPartyMachineStateTypes.getSiopRequest]: {
1446
+ id: FirstPartyMachineStateTypes.getSiopRequest,
1447
+ invoke: {
1448
+ src: FirstPartyMachineServices.getSiopRequest,
1449
+ onDone: {
1450
+ target: FirstPartyMachineStateTypes.selectCredentials,
1451
+ actions: (0, import_xstate2.assign)({
1452
+ authorizationRequestData: /* @__PURE__ */ __name((_ctx, _event) => _event.data, "authorizationRequestData")
1453
+ })
1454
+ },
1455
+ onError: {
1456
+ target: FirstPartyMachineStateTypes.error,
1457
+ actions: (0, import_xstate2.assign)({
1458
+ error: /* @__PURE__ */ __name((_ctx, _event) => ({
1459
+ title: translate("siopV2_machine_get_request_error_title"),
1460
+ message: _event.data.message,
1461
+ stack: _event.data.stack
1462
+ }), "error")
1463
+ })
1464
+ }
1465
+ }
1466
+ },
1467
+ [FirstPartyMachineStateTypes.selectCredentials]: {
1468
+ id: FirstPartyMachineStateTypes.selectCredentials,
1469
+ on: {
1470
+ [FirstPartyMachineEvents.SET_SELECTED_CREDENTIALS]: {
1471
+ actions: (0, import_xstate2.assign)({
1472
+ selectedCredentials: /* @__PURE__ */ __name((_ctx, _event) => _event.data, "selectedCredentials")
1473
+ })
1474
+ },
1475
+ [FirstPartyMachineEvents.NEXT]: {
1476
+ target: FirstPartyMachineStateTypes.sendAuthorizationResponse
1477
+ },
1478
+ [FirstPartyMachineEvents.DECLINE]: {
1479
+ target: FirstPartyMachineStateTypes.declined
1480
+ },
1481
+ [FirstPartyMachineEvents.PREVIOUS]: {
1482
+ target: FirstPartyMachineStateTypes.aborted
1483
+ }
1484
+ }
1485
+ },
1486
+ [FirstPartyMachineStateTypes.sendAuthorizationResponse]: {
1487
+ id: FirstPartyMachineStateTypes.sendAuthorizationResponse,
1488
+ invoke: {
1489
+ src: FirstPartyMachineServices.sendAuthorizationResponse,
1490
+ onDone: {
1491
+ target: FirstPartyMachineStateTypes.sendAuthorizationChallengeRequest,
1492
+ actions: (0, import_xstate2.assign)({
1493
+ presentationDuringIssuanceSession: /* @__PURE__ */ __name((_ctx, _event) => _event.data, "presentationDuringIssuanceSession")
1494
+ })
1495
+ },
1496
+ onError: {
1497
+ target: FirstPartyMachineStateTypes.error,
1498
+ actions: (0, import_xstate2.assign)({
1499
+ error: /* @__PURE__ */ __name((_ctx, _event) => ({
1500
+ title: translate("oid4vci_machine_get_request_error_title"),
1501
+ message: _event.data.message,
1502
+ stack: _event.data.stack
1503
+ }), "error")
1504
+ })
1505
+ }
1506
+ }
1507
+ },
1508
+ [FirstPartyMachineStateTypes.aborted]: {
1509
+ id: FirstPartyMachineStateTypes.aborted,
1510
+ type: "final"
1511
+ },
1512
+ [FirstPartyMachineStateTypes.declined]: {
1513
+ id: FirstPartyMachineStateTypes.declined,
1514
+ type: "final"
1515
+ },
1516
+ [FirstPartyMachineStateTypes.error]: {
1517
+ id: FirstPartyMachineStateTypes.error,
1518
+ type: "final"
1519
+ },
1520
+ [FirstPartyMachineStateTypes.done]: {
1521
+ id: FirstPartyMachineStateTypes.done,
1522
+ type: "final"
1523
+ }
1524
+ };
1525
+ var createFirstPartyActivationMachine = /* @__PURE__ */ __name((opts) => {
1526
+ const initialContext = {
1527
+ openID4VCIClientState: opts.openID4VCIClientState,
1528
+ contact: opts.contact,
1529
+ selectedCredentials: []
1530
+ };
1531
+ return (0, import_xstate2.createMachine)({
1532
+ id: opts?.machineId ?? "FirstParty",
1533
+ predictableActionArguments: true,
1534
+ initial: FirstPartyMachineStateTypes.sendAuthorizationChallengeRequest,
1535
+ context: initialContext,
1536
+ states: firstPartyMachineStates,
1537
+ schema: {
1538
+ events: {},
1539
+ services: {}
1540
+ }
1541
+ });
1542
+ }, "createFirstPartyActivationMachine");
1543
+ var FirstPartyMachine = class _FirstPartyMachine {
1544
+ static {
1545
+ __name(this, "FirstPartyMachine");
1546
+ }
1547
+ static _instance;
1548
+ static hasInstance() {
1549
+ return _FirstPartyMachine._instance !== void 0;
1550
+ }
1551
+ static get instance() {
1552
+ if (!_FirstPartyMachine._instance) {
1553
+ throw Error("Please initialize ESIMActivation machine first");
1554
+ }
1555
+ return _FirstPartyMachine._instance;
1556
+ }
1557
+ static clearInstance(opts) {
1558
+ const { stop } = opts;
1559
+ if (_FirstPartyMachine.hasInstance()) {
1560
+ if (stop) {
1561
+ _FirstPartyMachine.stopInstance();
1562
+ }
1563
+ }
1564
+ _FirstPartyMachine._instance = void 0;
1565
+ }
1566
+ static stopInstance() {
1567
+ if (!_FirstPartyMachine.hasInstance()) {
1568
+ return;
1569
+ }
1570
+ _FirstPartyMachine.instance.stop();
1571
+ _FirstPartyMachine._instance = void 0;
1572
+ }
1573
+ static newInstance(opts) {
1574
+ const { agentContext } = opts;
1575
+ const services = {
1576
+ [FirstPartyMachineServices.sendAuthorizationChallengeRequest]: sendAuthorizationChallengeRequest,
1577
+ [FirstPartyMachineServices.createConfig]: (args) => createConfig(args, agentContext),
1578
+ [FirstPartyMachineServices.getSiopRequest]: (args) => getSiopRequest(args, agentContext),
1579
+ [FirstPartyMachineServices.sendAuthorizationResponse]: (args) => sendAuthorizationResponse(args, agentContext)
1580
+ };
1581
+ const newInst = (0, import_xstate2.interpret)(createFirstPartyActivationMachine(opts).withConfig({
1582
+ services: {
1583
+ ...services,
1584
+ ...opts?.services
1585
+ },
1586
+ guards: {
1587
+ ...opts?.guards
1588
+ }
1589
+ }));
1590
+ if (typeof opts?.subscription === "function") {
1591
+ newInst.onTransition(opts.subscription);
1592
+ }
1593
+ if (opts?.requireCustomNavigationHook !== true) {
1594
+ newInst.onTransition((snapshot) => {
1595
+ if (opts?.stateNavigationListener) {
1596
+ void opts.stateNavigationListener(newInst, snapshot);
1597
+ }
1598
+ });
1599
+ }
1600
+ return newInst;
1601
+ }
1602
+ static getInstance(opts) {
1603
+ if (!_FirstPartyMachine._instance) {
1604
+ if (opts?.requireExisting === true) {
1605
+ throw Error(`Existing FirstPartyMachine instance requested, but none was created at this point!`);
1606
+ }
1607
+ _FirstPartyMachine._instance = _FirstPartyMachine.newInstance(opts);
1608
+ }
1609
+ return _FirstPartyMachine._instance;
1610
+ }
1611
+ };
1612
+
1613
+ // src/services/OID4VCIHolderService.ts
1614
+ var import_ssi_sdk = require("@sphereon/ssi-sdk.core");
1615
+ var getCredentialBranding = /* @__PURE__ */ __name(async (args) => {
1616
+ const { credentialsSupported, context } = args;
1617
+ const credentialBranding = {};
1618
+ await Promise.all(Object.entries(credentialsSupported).map(async ([configId, credentialsConfigSupported]) => {
1619
+ let sdJwtTypeMetadata;
1620
+ if (credentialsConfigSupported.format === "vc+sd-jwt") {
1621
+ const vct = credentialsConfigSupported.vct;
1622
+ if (vct.startsWith("http")) {
1623
+ try {
1624
+ sdJwtTypeMetadata = await context.agent.fetchSdJwtTypeMetadataFromVctUrl({
1625
+ vct
1626
+ });
1627
+ } catch {
1628
+ }
1629
+ }
1630
+ }
1631
+ let mappedLocaleBranding = [];
1632
+ if (sdJwtTypeMetadata) {
1633
+ mappedLocaleBranding = await sdJwtGetCredentialBrandingFrom({
1634
+ credentialDisplay: sdJwtTypeMetadata.display,
1635
+ claimsMetadata: sdJwtTypeMetadata.claims
1636
+ });
1637
+ } else {
1638
+ mappedLocaleBranding = await oid4vciGetCredentialBrandingFrom({
1639
+ credentialDisplay: credentialsConfigSupported.display,
1640
+ issuerCredentialSubject: (
1641
+ // @ts-ignore // FIXME SPRIND-123 add proper support for type recognition as claim display can be located elsewhere for v13
1642
+ credentialsSupported.claims !== void 0 ? credentialsConfigSupported.claims : credentialsConfigSupported.credentialSubject
1643
+ )
1644
+ });
1645
+ }
1646
+ const localeBranding = await Promise.all(mappedLocaleBranding.map(async (localeBranding2) => await context.agent.ibCredentialLocaleBrandingFrom({
1647
+ localeBranding: localeBranding2
1648
+ })));
1649
+ const defaultCredentialType = "VerifiableCredential";
1650
+ const configSupportedTypes = (0, import_oid4vci_common3.getTypesFromCredentialSupported)(credentialsConfigSupported);
1651
+ const credentialTypes = configSupportedTypes.length === 0 ? (0, import_utils.asArray)(defaultCredentialType) : configSupportedTypes;
1652
+ const filteredCredentialTypes = credentialTypes.filter((type) => type !== defaultCredentialType);
1653
+ credentialBranding[filteredCredentialTypes[0]] = localeBranding;
1654
+ }));
1655
+ return credentialBranding;
1656
+ }, "getCredentialBranding");
1657
+ var getBasicIssuerLocaleBranding = /* @__PURE__ */ __name(async (args) => {
1658
+ const { display, dynamicRegistrationClientMetadata, context } = args;
1659
+ return await Promise.all(display.map(async (issuerDisplay) => {
1660
+ const branding = await issuerLocaleBrandingFrom({
1661
+ issuerDisplay,
1662
+ dynamicRegistrationClientMetadata
1663
+ });
1664
+ return context.agent.ibIssuerLocaleBrandingFrom({
1665
+ localeBranding: branding
1666
+ });
1667
+ }));
1668
+ }, "getBasicIssuerLocaleBranding");
1669
+ var getCredentialConfigsBasedOnFormatPref = /* @__PURE__ */ __name(async (args) => {
1670
+ const { vcFormatPreferences, credentials } = args;
1671
+ const prefConfigs = {};
1672
+ Object.entries(credentials).forEach(([key, config]) => {
1673
+ const result = !config.format || vcFormatPreferences.map((pref) => pref.toLowerCase()).includes(config.format.toLowerCase());
1674
+ if (result) {
1675
+ prefConfigs[key] = config;
1676
+ }
1677
+ });
1678
+ return prefConfigs;
1679
+ }, "getCredentialConfigsBasedOnFormatPref");
1680
+ var selectCredentialLocaleBranding = /* @__PURE__ */ __name(async (args) => {
1681
+ const { locale, localeBranding } = args;
1682
+ return localeBranding?.find((branding) => locale ? branding.locale?.startsWith(locale) || branding.locale === void 0 : branding.locale === void 0);
1683
+ }, "selectCredentialLocaleBranding");
1684
+ var verifyCredentialToAccept = /* @__PURE__ */ __name(async (args) => {
1685
+ const { mappedCredential, hasher, onVerifyEBSICredentialIssuer, schemaValidation, context } = args;
1686
+ const credential = mappedCredential.credentialToAccept.credentialResponse.credential;
1687
+ if (!credential) {
1688
+ return Promise.reject(Error("No credential found in credential response"));
1689
+ }
1690
+ const wrappedVC = import_ssi_types.CredentialMapper.toWrappedVerifiableCredential(credential, {
1691
+ hasher: hasher ?? import_ssi_sdk.defaultHasher
1692
+ });
1693
+ if (wrappedVC.decoded?.iss?.includes("did:ebsi:") || (typeof wrappedVC.decoded?.vc?.issuer === "string" ? wrappedVC.decoded?.vc?.issuer?.includes("did:ebsi:") : wrappedVC.decoded?.vc?.issuer?.existingInstanceId?.includes("did:ebsi:"))) {
1694
+ await context.agent.cvVerifySchema({
1695
+ credential,
1696
+ hasher,
1697
+ validationPolicy: schemaValidation
1698
+ });
1699
+ if (JSON.stringify(wrappedVC.decoded).includes("vc:ebsi:conformance")) {
1700
+ return {
1701
+ source: wrappedVC,
1702
+ error: void 0,
1703
+ result: true,
1704
+ subResults: []
1705
+ };
1706
+ }
1707
+ if (onVerifyEBSICredentialIssuer) {
1708
+ try {
1709
+ await onVerifyEBSICredentialIssuer({
1710
+ wrappedVc: wrappedVC
1711
+ });
1712
+ } catch (e) {
1713
+ return {
1714
+ source: wrappedVC,
1715
+ error: e.message,
1716
+ result: true,
1717
+ subResults: []
1718
+ };
1719
+ }
1720
+ }
1721
+ }
1722
+ const verificationResult = await context.agent.cvVerifyCredential({
1723
+ credential,
1724
+ hasher,
1725
+ // TODO WAL-675 we might want to allow these types of options as part of the context, now we have state machines. Allows us to pre-determine whether these policies apply and whether remote context should be fetched
1726
+ fetchRemoteContexts: true,
1727
+ policies: {
1728
+ schemaValidation,
1729
+ credentialStatus: false,
1730
+ expirationDate: false,
1731
+ issuanceDate: false
1732
+ }
1733
+ });
1734
+ if (!verificationResult.result || verificationResult.error) {
1735
+ return Promise.reject(Error(verificationResult.error ?? translate("oid4vci_machine_credential_verification_failed_message")));
1736
+ }
1737
+ return verificationResult;
1738
+ }, "verifyCredentialToAccept");
1739
+ var mapCredentialToAccept = /* @__PURE__ */ __name(async (args) => {
1740
+ const { credentialToAccept, hasher } = args;
1741
+ const credentialResponse = credentialToAccept.credentialResponse;
1742
+ const verifiableCredential = credentialResponse.credential;
1743
+ if (!verifiableCredential) {
1744
+ return Promise.reject(Error("No credential found in credential response"));
1745
+ }
1746
+ const wrappedVerifiableCredential = import_ssi_types.CredentialMapper.toWrappedVerifiableCredential(verifiableCredential, {
1747
+ hasher
1748
+ });
1749
+ let uniformVerifiableCredential;
1750
+ if (import_ssi_types.CredentialMapper.isSdJwtDecodedCredential(wrappedVerifiableCredential.credential)) {
1751
+ uniformVerifiableCredential = await (0, import_ssi_types.sdJwtDecodedCredentialToUniformCredential)(wrappedVerifiableCredential.credential);
1752
+ } else if (import_ssi_types.CredentialMapper.isSdJwtEncoded(wrappedVerifiableCredential.credential)) {
1753
+ if (!hasher) {
1754
+ return Promise.reject("a hasher is required for encoded SD-JWT credentials");
1755
+ }
1756
+ const asyncHasher = /* @__PURE__ */ __name((data, algorithm) => Promise.resolve(hasher(data, algorithm)), "asyncHasher");
1757
+ const decodedSdJwt = await import_ssi_types.CredentialMapper.decodeSdJwtVcAsync(wrappedVerifiableCredential.credential, asyncHasher);
1758
+ uniformVerifiableCredential = (0, import_ssi_types.sdJwtDecodedCredentialToUniformCredential)(decodedSdJwt);
1759
+ } else if (import_ssi_types.CredentialMapper.isMsoMdocDecodedCredential(wrappedVerifiableCredential.credential)) {
1760
+ uniformVerifiableCredential = (0, import_ssi_types.mdocDecodedCredentialToUniformCredential)(wrappedVerifiableCredential.credential);
1761
+ } else {
1762
+ uniformVerifiableCredential = wrappedVerifiableCredential.credential;
1763
+ }
1764
+ const correlationId = typeof uniformVerifiableCredential.issuer === "string" ? uniformVerifiableCredential.issuer : import_ssi_types.CredentialMapper.isSdJwtDecodedCredential(uniformVerifiableCredential) ? uniformVerifiableCredential.decodedPayload.iss : uniformVerifiableCredential.issuer.id;
1765
+ return {
1766
+ correlationId,
1767
+ credentialToAccept,
1768
+ types: credentialToAccept.types,
1769
+ rawVerifiableCredential: verifiableCredential,
1770
+ uniformVerifiableCredential,
1771
+ ...credentialResponse.credential_subject_issuance && {
1772
+ credential_subject_issuance: credentialResponse.credential_subject_issuance
1773
+ }
1774
+ };
1775
+ }, "mapCredentialToAccept");
1776
+ var getIdentifierOpts = /* @__PURE__ */ __name(async (args) => {
1777
+ const { issuanceOpt, context } = args;
1778
+ const { identifier: identifierArg } = issuanceOpt;
1779
+ if (identifierArg && (0, import_ssi_sdk_ext3.isManagedIdentifierResult)(identifierArg)) {
1780
+ return identifierArg;
1781
+ }
1782
+ const { supportedPreferredDidMethod, supportedBindingMethods, keyType = "Secp256r1", kms = await context.agent.keyManagerGetDefaultKeyManagementSystem() } = issuanceOpt;
1783
+ let identifier;
1784
+ if (identifierArg) {
1785
+ if ((0, import_ssi_sdk_ext3.isIIdentifier)(identifierArg.identifier)) {
1786
+ identifier = await context.agent.identifierManagedGet(identifierArg);
1787
+ } else if (!identifierArg.method && issuanceOpt.supportedBindingMethods.includes("jwk")) {
1788
+ identifier = await (0, import_ssi_sdk_ext3.managedIdentifierToJwk)(identifierArg, context);
1789
+ } else if (identifierArg.method && !supportedBindingMethods.includes(identifierArg.method)) {
1790
+ throw Error(`Supplied identifier method ${identifierArg.method} not supported by the issuer: ${supportedBindingMethods.join(",")}`);
1791
+ } else {
1792
+ identifier = await context.agent.identifierManagedGet(identifierArg);
1793
+ }
1794
+ }
1795
+ const agentContext = {
1796
+ ...context,
1797
+ agent: context.agent
1798
+ };
1799
+ if ((!identifierArg || (0, import_ssi_sdk_ext3.isIIdentifier)(identifierArg.identifier)) && supportedPreferredDidMethod && (!supportedBindingMethods || supportedBindingMethods.length === 0 || supportedBindingMethods.filter((method) => method.startsWith("did")))) {
1800
+ const { result, created } = await (0, import_ssi_sdk_ext2.getOrCreatePrimaryIdentifier)(agentContext, {
1801
+ method: supportedPreferredDidMethod,
1802
+ createOpts: {
1803
+ options: {
1804
+ type: issuanceOpt.keyType,
1805
+ use: import_ssi_sdk_ext.KeyUse.Signature,
1806
+ codecName: issuanceOpt.codecName,
1807
+ kms: issuanceOpt.kms
1808
+ }
1809
+ }
1810
+ });
1811
+ identifier = await context.agent.identifierManagedGetByDid({
1812
+ identifier: result,
1813
+ keyType,
1814
+ offlineWhenNoDIDRegistered: result.did.startsWith("did:ebsi:")
1815
+ });
1816
+ if (created) {
1817
+ await agentContext.agent.emit(OID4VCIHolderEvent.IDENTIFIER_CREATED, {
1818
+ identifier
1819
+ });
1820
+ }
1821
+ } else if (supportedBindingMethods.includes("jwk")) {
1822
+ const key = await context.agent.keyManagerCreate({
1823
+ type: keyType,
1824
+ kms,
1825
+ meta: {
1826
+ keyAlias: `key_${keyType}_${Date.now()}`
1827
+ }
1828
+ });
1829
+ identifier = await (0, import_ssi_sdk_ext3.managedIdentifierToJwk)({
1830
+ method: "key",
1831
+ identifier: key,
1832
+ kmsKeyRef: key.kid
1833
+ }, context);
1834
+ } else {
1835
+ throw Error(`Holder currently does not support binding method: ${supportedBindingMethods.join(",")}`);
1836
+ }
1837
+ args.issuanceOpt.identifier = identifier;
1838
+ return identifier;
1839
+ }, "getIdentifierOpts");
1840
+ var getCredentialConfigsSupportedMerged = /* @__PURE__ */ __name(async (args) => {
1841
+ let result = {};
1842
+ (await getCredentialConfigsSupported(args)).forEach((supported) => {
1843
+ result = {
1844
+ ...result,
1845
+ ...supported
1846
+ };
1847
+ });
1848
+ return result;
1849
+ }, "getCredentialConfigsSupportedMerged");
1850
+ var getCredentialConfigsSupported = /* @__PURE__ */ __name(async (args) => {
1851
+ const { types, configurationIds } = args;
1852
+ if (Array.isArray(types) && types.length > 0) {
1853
+ return Promise.all(types.map((type) => getCredentialConfigsSupportedBySingleTypeOrId({
1854
+ ...args,
1855
+ types: type
1856
+ })));
1857
+ } else if (Array.isArray(configurationIds) && configurationIds.length > 0) {
1858
+ return Promise.all(configurationIds.map((configurationId) => getCredentialConfigsSupportedBySingleTypeOrId({
1859
+ ...args,
1860
+ configurationId,
1861
+ types: void 0
1862
+ })));
1863
+ }
1864
+ const configs = await getCredentialConfigsSupportedBySingleTypeOrId({
1865
+ ...args,
1866
+ types: void 0,
1867
+ configurationId: void 0
1868
+ });
1869
+ return configs && Object.keys(configs).length > 0 ? [
1870
+ configs
1871
+ ] : [];
1872
+ }, "getCredentialConfigsSupported");
1873
+ var getCredentialConfigsSupportedBySingleTypeOrId = /* @__PURE__ */ __name(async (args) => {
1874
+ const { client, vcFormatPreferences, configurationId } = args;
1875
+ let { format = void 0, types = void 0 } = args;
1876
+ function createIdFromTypes(supported) {
1877
+ const format2 = supported.format;
1878
+ const type = (0, import_oid4vci_common3.getTypesFromObject)(supported)?.join() ?? "";
1879
+ const id = `${type}:${format2}`;
1880
+ return id;
1881
+ }
1882
+ __name(createIdFromTypes, "createIdFromTypes");
1883
+ if (configurationId) {
1884
+ const allSupported2 = client.getCredentialsSupported(false);
1885
+ return Object.fromEntries(Object.entries(allSupported2).filter(([id, supported]) => id === configurationId || supported.id === configurationId || createIdFromTypes(supported) === configurationId));
1886
+ }
1887
+ if (!types && !client.credentialOffer) {
1888
+ return Promise.reject(Error("openID4VCIClient has no credentialOffer and no types where provided"));
1889
+ }
1890
+ if (!Array.isArray(format) && client.credentialOffer) {
1891
+ if (client.version() > import_oid4vci_common3.OpenId4VCIVersion.VER_1_0_09 && typeof client.credentialOffer.credential_offer === "object" && "credentials" in client.credentialOffer.credential_offer) {
1892
+ format = client.credentialOffer.credential_offer.credentials.filter((cred) => typeof cred !== "string").map((cred) => cred.format);
1893
+ if (format?.length === 0) {
1894
+ format = void 0;
1895
+ }
1896
+ }
1897
+ }
1898
+ const offerSupported = (0, import_oid4vci_common3.getSupportedCredentials)({
1899
+ types: types ? [
1900
+ types
1901
+ ] : client.getCredentialOfferTypes(),
1902
+ format,
1903
+ version: client.version(),
1904
+ issuerMetadata: client.endpointMetadata.credentialIssuerMetadata
1905
+ });
1906
+ let allSupported;
1907
+ if (!Array.isArray(offerSupported)) {
1908
+ allSupported = offerSupported;
1909
+ } else {
1910
+ allSupported = {};
1911
+ offerSupported.forEach((supported) => {
1912
+ if (supported.id) {
1913
+ allSupported[supported.id] = supported;
1914
+ return;
1915
+ }
1916
+ const id = createIdFromTypes(supported);
1917
+ allSupported[id] = supported;
1918
+ });
1919
+ }
1920
+ let credentialConfigsSupported = await getCredentialConfigsBasedOnFormatPref({
1921
+ credentials: allSupported,
1922
+ vcFormatPreferences
1923
+ });
1924
+ if (!credentialConfigsSupported || Object.keys(credentialConfigsSupported).length === 0) {
1925
+ import_oid4vci_client2.LOG.warning(`No matching supported credential found for ${client.getIssuer()}`);
1926
+ }
1927
+ if (client.credentialOffer === void 0) {
1928
+ return credentialConfigsSupported;
1929
+ }
1930
+ const credentialOffer = client.credentialOffer.credential_offer;
1931
+ let credentialsToOffer;
1932
+ if ("credential_configuration_ids" in credentialOffer) {
1933
+ credentialsToOffer = Object.fromEntries(Object.entries(credentialConfigsSupported).filter(([configId, config]) => credentialOffer.credential_configuration_ids.includes(configId)));
1934
+ if (Object.keys(credentialsToOffer).length === 0) {
1935
+ throw new Error(`No matching supported credential configs found for offer ${credentialOffer.credential_configuration_ids.join(", ")}`);
1936
+ }
1937
+ } else {
1938
+ credentialsToOffer = credentialConfigsSupported;
1939
+ }
1940
+ if (Object.keys(credentialsToOffer).length === 0) {
1941
+ throw new Error(`No matching supported credential configs found for offer`);
1942
+ }
1943
+ return credentialsToOffer;
1944
+ }, "getCredentialConfigsSupportedBySingleTypeOrId");
1945
+ var getIssuanceOpts = /* @__PURE__ */ __name(async (args) => {
1946
+ const {
1947
+ client,
1948
+ credentialsSupported,
1949
+ // serverMetadata,
1950
+ context,
1951
+ didMethodPreferences,
1952
+ jwtCryptographicSuitePreferences,
1953
+ jsonldCryptographicSuitePreferences,
1954
+ forceIssuanceOpt
1955
+ } = args;
1956
+ if (credentialsSupported === void 0 || Object.keys(credentialsSupported).length === 0) {
1957
+ return Promise.reject(Error("No credentials supported"));
1958
+ }
1959
+ const getIssuanceOpts2 = Object.values(credentialsSupported).map(async (credentialSupported) => {
1960
+ const cryptographicSuite = await getIssuanceCryptoSuite({
1961
+ credentialSupported,
1962
+ client,
1963
+ jwtCryptographicSuitePreferences,
1964
+ jsonldCryptographicSuitePreferences
1965
+ });
1966
+ const { didMethod, methods } = await getIssuanceMethod({
1967
+ credentialSupported,
1968
+ client,
1969
+ didMethodPreferences
1970
+ });
1971
+ if (methods.length == 0) {
1972
+ console.log(`Could not determine supported cryptographic_binding_methods_supported, will use DIDs`);
1973
+ methods.push("did");
1974
+ }
1975
+ const issuanceOpt = forceIssuanceOpt ? {
1976
+ ...credentialSupported,
1977
+ ...forceIssuanceOpt
1978
+ } : {
1979
+ ...credentialSupported,
1980
+ supportedPreferredDidMethod: didMethod,
1981
+ supportedBindingMethods: methods,
1982
+ format: credentialSupported.format,
1983
+ keyType: client.isEBSI() ? "Secp256r1" : (0, import_ssi_sdk_ext4.keyTypeFromCryptographicSuite)({
1984
+ crv: cryptographicSuite
1985
+ }),
1986
+ ...client.isEBSI() && {
1987
+ codecName: "EBSI"
1988
+ }
1989
+ };
1990
+ const identifier = await getIdentifierOpts({
1991
+ issuanceOpt,
1992
+ context
1993
+ });
1994
+ if (!client.clientId && (0, import_ssi_sdk_ext3.isManagedIdentifierDidResult)(identifier)) {
1995
+ client.clientId = identifier.issuer ?? identifier.did;
1996
+ }
1997
+ return {
1998
+ ...issuanceOpt,
1999
+ identifier
2000
+ };
2001
+ });
2002
+ return await Promise.all(getIssuanceOpts2);
2003
+ }, "getIssuanceOpts");
2004
+ var getIssuanceMethod = /* @__PURE__ */ __name(async (opts) => {
2005
+ const { client, credentialSupported, didMethodPreferences } = opts;
2006
+ const { format, cryptographic_binding_methods_supported } = credentialSupported;
2007
+ let methods = [];
2008
+ if (cryptographic_binding_methods_supported && Array.isArray(cryptographic_binding_methods_supported)) {
2009
+ methods = cryptographic_binding_methods_supported;
2010
+ const didMethods = didMethodPreferences.find((method) => cryptographic_binding_methods_supported.includes(`did:${method.toLowerCase()}`));
2011
+ if (didMethods) {
2012
+ return {
2013
+ methods,
2014
+ didMethod: didMethods
2015
+ };
2016
+ } else if (cryptographic_binding_methods_supported.includes("did")) {
2017
+ return {
2018
+ methods,
2019
+ didMethod: format ? didMethodPreferences[1] : didMethodPreferences[0]
2020
+ };
2021
+ } else if (methods.length > 0) {
2022
+ return {
2023
+ methods
2024
+ };
2025
+ }
2026
+ console.warn(`We should have been able to determine cryptographic_binding_methods_supported, will fall back to legacy behaviour. This is likely a bug`);
2027
+ }
2028
+ if (client.isEBSI()) {
2029
+ return {
2030
+ methods: [
2031
+ "did"
2032
+ ],
2033
+ didMethod: import_ssi_sdk_ext2.SupportedDidMethodEnum.DID_KEY
2034
+ };
2035
+ }
2036
+ methods = [
2037
+ "did"
2038
+ ];
2039
+ if (!format || format.includes("jwt") && !format?.includes("jwt_vc_json_ld")) {
2040
+ return {
2041
+ methods,
2042
+ didMethod: format ? didMethodPreferences[1] : didMethodPreferences[0]
2043
+ };
2044
+ } else {
2045
+ return {
2046
+ methods,
2047
+ didMethod: didMethodPreferences[0]
2048
+ };
2049
+ }
2050
+ }, "getIssuanceMethod");
2051
+ var getIssuanceCryptoSuite = /* @__PURE__ */ __name(async (opts) => {
2052
+ const { client, credentialSupported, jwtCryptographicSuitePreferences, jsonldCryptographicSuitePreferences } = opts;
2053
+ let signing_algs_supported;
2054
+ if ("proof_types_supported" in credentialSupported && credentialSupported.proof_types_supported) {
2055
+ if ("jwt" in credentialSupported.proof_types_supported && credentialSupported.proof_types_supported.jwt) {
2056
+ signing_algs_supported = credentialSupported.proof_types_supported.jwt.proof_signing_alg_values_supported;
2057
+ } else if ("ldp_vp" in credentialSupported.proof_types_supported && credentialSupported.proof_types_supported.ldp_vp) {
2058
+ signing_algs_supported = credentialSupported.proof_types_supported.ldp_vp.proof_signing_alg_values_supported;
2059
+ } else if ("cwt" in credentialSupported.proof_types_supported && credentialSupported.proof_types_supported.cwt) {
2060
+ signing_algs_supported = credentialSupported.proof_types_supported.cwt.proof_signing_alg_values_supported;
2061
+ console.error("cwt proof type not supported. Likely that errors will occur after this point");
2062
+ } else {
2063
+ return Promise.reject(Error(`Unsupported proof_types_supported`));
2064
+ }
2065
+ } else {
2066
+ signing_algs_supported = (0, import_utils.asArray)(
2067
+ // @ts-ignore // legacy
2068
+ credentialSupported.credential_signing_alg_values_supported ?? credentialSupported.proof_signing_alg_values_supported ?? []
2069
+ );
2070
+ }
2071
+ switch (credentialSupported.format) {
2072
+ // @ts-ignore legacy value
2073
+ case "jwt":
2074
+ case "jwt_vc_json":
2075
+ case "jwt_vc":
2076
+ case "vc+sd-jwt":
2077
+ case "mso_mdoc": {
2078
+ const supportedPreferences = jwtCryptographicSuitePreferences.filter((suite) => signing_algs_supported.includes(suite));
2079
+ if (supportedPreferences.length > 0) {
2080
+ return supportedPreferences[0];
2081
+ } else if (client.isEBSI()) {
2082
+ return import_ssi_types.JoseSignatureAlgorithm.ES256;
2083
+ }
2084
+ const fallback = jwtCryptographicSuitePreferences[0];
2085
+ console.log(`Warn: We could not determine the crypto suites from the server metadata, and will fallback to a default: ${fallback}`);
2086
+ return fallback;
2087
+ }
2088
+ // @ts-ignore
2089
+ case "ldp":
2090
+ // @ts-ignore
2091
+ case "jwt_vc_json_ld":
2092
+ case "ldp_vc": {
2093
+ const supportedPreferences = jsonldCryptographicSuitePreferences.filter((suite) => signing_algs_supported.includes(suite));
2094
+ if (supportedPreferences.length > 0) {
2095
+ return supportedPreferences[0];
2096
+ }
2097
+ const fallback = jsonldCryptographicSuitePreferences[0];
2098
+ console.log(`Warn: We could not determine the crypto suites from the server metadata, and will fallback to a default: ${fallback}`);
2099
+ return fallback;
2100
+ }
2101
+ default:
2102
+ return Promise.reject(Error(`Credential format '${credentialSupported.format}' not supported`));
2103
+ }
2104
+ }, "getIssuanceCryptoSuite");
2105
+ var startFirstPartApplicationMachine = /* @__PURE__ */ __name(async (args, context) => {
2106
+ const { openID4VCIClientState, stateNavigationListener, contact } = args;
2107
+ if (!openID4VCIClientState) {
2108
+ return Promise.reject(Error("Missing openID4VCI client state in context"));
2109
+ }
2110
+ if (!contact) {
2111
+ return Promise.reject(Error("Missing contact in context"));
2112
+ }
2113
+ const firstPartyMachineInstance = FirstPartyMachine.newInstance({
2114
+ openID4VCIClientState,
2115
+ contact,
2116
+ agentContext: context,
2117
+ stateNavigationListener
2118
+ });
2119
+ return new Promise((resolve, reject) => {
2120
+ try {
2121
+ firstPartyMachineInstance.onTransition((state) => {
2122
+ if (state.matches(FirstPartyMachineStateTypes.done)) {
2123
+ const authorizationCodeResponse = state.context.authorizationCodeResponse;
2124
+ if (!authorizationCodeResponse) {
2125
+ reject(Error("No authorizationCodeResponse acquired"));
2126
+ }
2127
+ resolve(authorizationCodeResponse);
2128
+ } else if (state.matches(FirstPartyMachineStateTypes.aborted)) {
2129
+ resolve(FirstPartyMachineStateTypes.aborted);
2130
+ } else if (state.matches(FirstPartyMachineStateTypes.declined)) {
2131
+ resolve(FirstPartyMachineStateTypes.declined);
2132
+ } else if (state.matches(FirstPartyMachineStateTypes.error)) {
2133
+ reject(state.context.error);
2134
+ }
2135
+ });
2136
+ firstPartyMachineInstance.start();
2137
+ } catch (error) {
2138
+ reject(error);
2139
+ }
2140
+ });
2141
+ }, "startFirstPartApplicationMachine");
2142
+
2143
+ // src/agent/OID4VCIHolder.ts
2144
+ var import_polyfill = require("cross-fetch/polyfill");
2145
+ var import_ssi_sdk3 = require("@sphereon/ssi-sdk.core");
2146
+ var oid4vciHolderContextMethods = [
2147
+ "cmGetContacts",
2148
+ "cmGetContact",
2149
+ "cmAddContact",
2150
+ "cmAddIdentity",
2151
+ "ibCredentialLocaleBrandingFrom",
2152
+ "ibAddCredentialBranding",
2153
+ "dataStoreSaveVerifiableCredential",
2154
+ "didManagerFind",
2155
+ "didManagerGet",
2156
+ "keyManagerSign",
2157
+ "verifyCredential"
2158
+ ];
2159
+ var logger = import_ssi_types2.Loggers.DEFAULT.get("sphereon:oid4vci:holder");
2160
+ function signCallback(identifier, context, nonce) {
2161
+ return async (jwt, kid) => {
2162
+ let resolution = await context.agent.identifierManagedGet(identifier);
2163
+ const jwk = jwt.header.jwk ?? (resolution.method === "jwk" ? resolution.jwk : void 0);
2164
+ if (!resolution.issuer && !jwt.payload.iss) {
2165
+ return Promise.reject(Error(`No issuer could be determined from the JWT ${JSON.stringify(jwt)} or identifier resolution`));
2166
+ }
2167
+ const header = jwt.header;
2168
+ const payload = jwt.payload;
2169
+ if (nonce) {
2170
+ payload.nonce = nonce;
2171
+ }
2172
+ if (jwk && header.kid) {
2173
+ console.log(`Deleting kid, as we are using a jwk and the oid4vci spec does not allow both to be present (which is not the case in the JOSE spec)`);
2174
+ delete header.kid;
2175
+ }
2176
+ return (await context.agent.jwtCreateJwsCompactSignature({
2177
+ issuer: {
2178
+ ...resolution,
2179
+ noIssPayloadUpdate: false
2180
+ },
2181
+ protectedHeader: header,
2182
+ payload
2183
+ })).jwt;
2184
+ };
2185
+ }
2186
+ __name(signCallback, "signCallback");
2187
+ var OID4VCIHolder = class _OID4VCIHolder {
2188
+ static {
2189
+ __name(this, "OID4VCIHolder");
2190
+ }
2191
+ hasher;
2192
+ eventTypes = [
2193
+ OID4VCIHolderEvent.CONTACT_IDENTITY_CREATED,
2194
+ OID4VCIHolderEvent.CREDENTIAL_STORED,
2195
+ OID4VCIHolderEvent.IDENTIFIER_CREATED
2196
+ ];
2197
+ methods = {
2198
+ oid4vciHolderStart: this.oid4vciHolderStart.bind(this),
2199
+ oid4vciHolderGetIssuerMetadata: this.oid4vciHolderGetIssuerMetadata.bind(this),
2200
+ oid4vciHolderGetMachineInterpreter: this.oid4vciHolderGetMachineInterpreter.bind(this),
2201
+ oid4vciHolderCreateCredentialsToSelectFrom: this.oid4vciHolderCreateCredentialsToSelectFrom.bind(this),
2202
+ oid4vciHolderGetContact: this.oid4vciHolderGetContact.bind(this),
2203
+ oid4vciHolderGetCredentials: this.oid4vciHolderGetCredentials.bind(this),
2204
+ oid4vciHolderGetCredential: this.oid4vciHolderGetCredential.bind(this),
2205
+ oid4vciHolderAddContactIdentity: this.oid4vciHolderAddContactIdentity.bind(this),
2206
+ oid4vciHolderAssertValidCredentials: this.oid4vciHolderAssertValidCredentials.bind(this),
2207
+ oid4vciHolderStoreCredentialBranding: this.oid4vciHolderStoreCredentialBranding.bind(this),
2208
+ oid4vciHolderStoreCredentials: this.oid4vciHolderStoreCredentials.bind(this),
2209
+ oid4vciHolderSendNotification: this.oid4vciHolderSendNotification.bind(this),
2210
+ oid4vciHolderGetIssuerBranding: this.oid4vciHolderGetIssuerBranding.bind(this),
2211
+ oid4vciHolderStoreIssuerBranding: this.oid4vciHolderStoreIssuerBranding.bind(this)
2212
+ };
2213
+ vcFormatPreferences = [
2214
+ "vc+sd-jwt",
2215
+ "mso_mdoc",
2216
+ "jwt_vc_json",
2217
+ "jwt_vc",
2218
+ "ldp_vc"
2219
+ ];
2220
+ jsonldCryptographicSuitePreferences = [
2221
+ "Ed25519Signature2018",
2222
+ "EcdsaSecp256k1Signature2019",
2223
+ "Ed25519Signature2020",
2224
+ "JsonWebSignature2020"
2225
+ ];
2226
+ didMethodPreferences = [
2227
+ import_ssi_sdk_ext5.SupportedDidMethodEnum.DID_JWK,
2228
+ import_ssi_sdk_ext5.SupportedDidMethodEnum.DID_KEY,
2229
+ import_ssi_sdk_ext5.SupportedDidMethodEnum.DID_OYD,
2230
+ import_ssi_sdk_ext5.SupportedDidMethodEnum.DID_EBSI,
2231
+ import_ssi_sdk_ext5.SupportedDidMethodEnum.DID_ION
2232
+ ];
2233
+ jwtCryptographicSuitePreferences = [
2234
+ import_ssi_types2.JoseSignatureAlgorithm.ES256,
2235
+ import_ssi_types2.JoseSignatureAlgorithm.ES256K,
2236
+ import_ssi_types2.JoseSignatureAlgorithm.EdDSA
2237
+ ];
2238
+ static DEFAULT_MOBILE_REDIRECT_URI = `${import_oid4vci_common4.DefaultURISchemes.CREDENTIAL_OFFER}://`;
2239
+ defaultAuthorizationRequestOpts = {
2240
+ redirectUri: _OID4VCIHolder.DEFAULT_MOBILE_REDIRECT_URI
2241
+ };
2242
+ onContactIdentityCreated;
2243
+ onCredentialStored;
2244
+ onIdentifierCreated;
2245
+ onVerifyEBSICredentialIssuer;
2246
+ constructor(options) {
2247
+ const { onContactIdentityCreated, onCredentialStored, onIdentifierCreated, onVerifyEBSICredentialIssuer, vcFormatPreferences, jsonldCryptographicSuitePreferences, didMethodPreferences, jwtCryptographicSuitePreferences, defaultAuthorizationRequestOptions, hasher = import_ssi_sdk3.defaultHasher } = {
2248
+ ...options
2249
+ };
2250
+ this.hasher = hasher;
2251
+ if (vcFormatPreferences !== void 0 && vcFormatPreferences.length > 0) {
2252
+ this.vcFormatPreferences = vcFormatPreferences;
2253
+ }
2254
+ if (jsonldCryptographicSuitePreferences !== void 0 && jsonldCryptographicSuitePreferences.length > 0) {
2255
+ this.jsonldCryptographicSuitePreferences = jsonldCryptographicSuitePreferences;
2256
+ }
2257
+ if (didMethodPreferences !== void 0 && didMethodPreferences.length > 0) {
2258
+ this.didMethodPreferences = didMethodPreferences;
2259
+ }
2260
+ if (jwtCryptographicSuitePreferences !== void 0 && jwtCryptographicSuitePreferences.length > 0) {
2261
+ this.jwtCryptographicSuitePreferences = jwtCryptographicSuitePreferences;
2262
+ }
2263
+ if (defaultAuthorizationRequestOptions) {
2264
+ this.defaultAuthorizationRequestOpts = defaultAuthorizationRequestOptions;
2265
+ }
2266
+ this.onContactIdentityCreated = onContactIdentityCreated;
2267
+ this.onCredentialStored = onCredentialStored;
2268
+ this.onIdentifierCreated = onIdentifierCreated;
2269
+ this.onVerifyEBSICredentialIssuer = onVerifyEBSICredentialIssuer;
2270
+ }
2271
+ async onEvent(event, context) {
2272
+ switch (event.type) {
2273
+ case OID4VCIHolderEvent.CONTACT_IDENTITY_CREATED:
2274
+ this.onContactIdentityCreated?.(event.data);
2275
+ break;
2276
+ case OID4VCIHolderEvent.CREDENTIAL_STORED:
2277
+ this.onCredentialStored?.(event.data);
2278
+ break;
2279
+ case OID4VCIHolderEvent.IDENTIFIER_CREATED:
2280
+ this.onIdentifierCreated?.(event.data);
2281
+ break;
2282
+ default:
2283
+ return Promise.reject(Error(`Event type ${event.type} not supported`));
2284
+ }
2285
+ }
2286
+ /**
2287
+ * FIXME: This method can only be used locally. Creating the interpreter should be local to where the agent is running
2288
+ */
2289
+ async oid4vciHolderGetMachineInterpreter(opts, context) {
2290
+ const authorizationRequestOpts = {
2291
+ ...this.defaultAuthorizationRequestOpts,
2292
+ ...opts.authorizationRequestOpts
2293
+ };
2294
+ const services = {
2295
+ [OID4VCIMachineServices.start]: (args) => this.oid4vciHolderStart({
2296
+ ...args,
2297
+ authorizationRequestOpts
2298
+ }, context),
2299
+ [OID4VCIMachineServices.startFirstPartApplicationFlow]: (args) => startFirstPartApplicationMachine({
2300
+ ...args,
2301
+ stateNavigationListener: opts.firstPartyStateNavigationListener
2302
+ }, context),
2303
+ [OID4VCIMachineServices.createCredentialsToSelectFrom]: (args) => this.oid4vciHolderCreateCredentialsToSelectFrom(args, context),
2304
+ [OID4VCIMachineServices.getContact]: (args) => this.oid4vciHolderGetContact(args, context),
2305
+ [OID4VCIMachineServices.getCredentials]: (args) => this.oid4vciHolderGetCredentials({
2306
+ accessTokenOpts: args.accessTokenOpts ?? opts.accessTokenOpts,
2307
+ ...args
2308
+ }, context),
2309
+ [OID4VCIMachineServices.addContactIdentity]: (args) => this.oid4vciHolderAddContactIdentity(args, context),
2310
+ [OID4VCIMachineServices.getIssuerBranding]: (args) => this.oid4vciHolderGetIssuerBranding(args, context),
2311
+ [OID4VCIMachineServices.storeIssuerBranding]: (args) => this.oid4vciHolderStoreIssuerBranding(args, context),
2312
+ [OID4VCIMachineServices.assertValidCredentials]: (args) => this.oid4vciHolderAssertValidCredentials(args, context),
2313
+ [OID4VCIMachineServices.storeCredentialBranding]: (args) => this.oid4vciHolderStoreCredentialBranding(args, context),
2314
+ [OID4VCIMachineServices.storeCredentials]: (args) => this.oid4vciHolderStoreCredentials(args, context),
2315
+ [OID4VCIMachineServices.sendNotification]: (args) => this.oid4vciHolderSendNotification(args, context),
2316
+ [OID4VCIMachineServices.getFederationTrust]: (args) => this.getFederationTrust(args, context)
2317
+ };
2318
+ const oid4vciMachineInstanceArgs = {
2319
+ ...opts,
2320
+ authorizationRequestOpts,
2321
+ services: {
2322
+ ...services,
2323
+ ...opts.services
2324
+ }
2325
+ };
2326
+ const { interpreter } = await OID4VCIMachine.newInstance(oid4vciMachineInstanceArgs, context);
2327
+ return {
2328
+ interpreter
2329
+ };
2330
+ }
2331
+ /**
2332
+ * This method is run before the machine starts! So there is no concept of the state machine context or states yet
2333
+ *
2334
+ * The result of this method can be directly passed into the start method of the state machine
2335
+ * @param args
2336
+ * @param context
2337
+ * @private
2338
+ */
2339
+ async oid4vciHolderStart(args, context) {
2340
+ const { requestData } = args;
2341
+ if (!requestData) {
2342
+ throw Error(`Cannot start the OID4VCI holder flow without request data being provided`);
2343
+ }
2344
+ const { uri = void 0 } = requestData;
2345
+ if (!uri) {
2346
+ return Promise.reject(Error("Missing request URI in context"));
2347
+ }
2348
+ const authorizationRequestOpts = {
2349
+ ...this.defaultAuthorizationRequestOpts,
2350
+ ...args.authorizationRequestOpts
2351
+ };
2352
+ authorizationRequestOpts.authorizationDetails = authorizationRequestOpts?.authorizationDetails ? (0, import_utils2.asArray)(authorizationRequestOpts.authorizationDetails).filter((detail) => typeof detail === "string" || this.vcFormatPreferences.includes(detail.format)) : void 0;
2353
+ if (!authorizationRequestOpts.redirectUri) {
2354
+ authorizationRequestOpts.redirectUri = _OID4VCIHolder.DEFAULT_MOBILE_REDIRECT_URI;
2355
+ }
2356
+ if (authorizationRequestOpts.redirectUri.startsWith("http") && !authorizationRequestOpts.clientId) {
2357
+ authorizationRequestOpts.clientId = authorizationRequestOpts.redirectUri;
2358
+ }
2359
+ let formats = this.vcFormatPreferences;
2360
+ const authFormats = authorizationRequestOpts?.authorizationDetails?.map((detail) => typeof detail === "object" && "format" in detail && detail.format ? detail.format : void 0).filter((format) => !!format).map((format) => format);
2361
+ if (authFormats && authFormats.length > 0) {
2362
+ formats = Array.from(new Set(authFormats));
2363
+ }
2364
+ let oid4vciClient;
2365
+ let types = void 0;
2366
+ let offer;
2367
+ if (requestData.existingClientState) {
2368
+ oid4vciClient = await import_oid4vci_client3.OpenID4VCIClient.fromState({
2369
+ state: requestData.existingClientState
2370
+ });
2371
+ offer = oid4vciClient.credentialOffer;
2372
+ } else {
2373
+ offer = requestData.credentialOffer;
2374
+ if (uri.startsWith(RequestType.OPENID_INITIATE_ISSUANCE) || uri.startsWith(RequestType.OPENID_CREDENTIAL_OFFER) || uri.match(/https?:\/\/.*credential_offer(_uri)=?.*/)) {
2375
+ if (!offer) {
2376
+ offer = await import_oid4vci_client3.CredentialOfferClient.fromURI(uri);
2377
+ }
2378
+ } else {
2379
+ if (!!offer) {
2380
+ logger.warning(`Non default URI used for credential offer: ${uri}`);
2381
+ }
2382
+ }
2383
+ if (!offer) {
2384
+ logger.log(`Issuer url received (no credential offer): ${uri}`);
2385
+ oid4vciClient = await import_oid4vci_client3.OpenID4VCIClient.fromCredentialIssuer({
2386
+ credentialIssuer: uri,
2387
+ authorizationRequest: authorizationRequestOpts,
2388
+ clientId: authorizationRequestOpts.clientId,
2389
+ createAuthorizationRequestURL: requestData.createAuthorizationRequestURL ?? true
2390
+ });
2391
+ } else {
2392
+ logger.log(`Credential offer received: ${uri}`);
2393
+ oid4vciClient = await import_oid4vci_client3.OpenID4VCIClient.fromURI({
2394
+ uri,
2395
+ authorizationRequest: authorizationRequestOpts,
2396
+ clientId: authorizationRequestOpts.clientId,
2397
+ createAuthorizationRequestURL: requestData.createAuthorizationRequestURL ?? true
2398
+ });
2399
+ }
2400
+ }
2401
+ if (offer) {
2402
+ types = (0, import_oid4vci_common4.getTypesFromCredentialOffer)(offer.original_credential_offer);
2403
+ } else {
2404
+ types = (0, import_utils2.asArray)(authorizationRequestOpts.authorizationDetails).map((authReqOpts) => (0, import_oid4vci_common4.getTypesFromAuthorizationDetails)(authReqOpts) ?? []).filter((inner) => inner.length > 0);
2405
+ }
2406
+ const serverMetadata = await oid4vciClient.retrieveServerMetadata();
2407
+ const credentialsSupported = await getCredentialConfigsSupportedMerged({
2408
+ client: oid4vciClient,
2409
+ vcFormatPreferences: formats,
2410
+ types
2411
+ });
2412
+ const credentialBranding = await getCredentialBranding({
2413
+ credentialsSupported,
2414
+ context
2415
+ });
2416
+ const authorizationCodeURL = oid4vciClient.authorizationURL;
2417
+ if (authorizationCodeURL) {
2418
+ logger.log(`authorization code URL ${authorizationCodeURL}`);
2419
+ }
2420
+ const oid4vciClientState = JSON.parse(await oid4vciClient.exportState());
2421
+ return {
2422
+ authorizationCodeURL,
2423
+ credentialBranding,
2424
+ credentialsSupported,
2425
+ serverMetadata,
2426
+ oid4vciClientState
2427
+ };
2428
+ }
2429
+ async oid4vciHolderCreateCredentialsToSelectFrom(args, context) {
2430
+ const { credentialBranding, locale, selectedCredentials, credentialsSupported } = args;
2431
+ logger.info(`Credentials supported ${Object.keys(credentialsSupported).join(", ")}`);
2432
+ const credentialSelection = await Promise.all(Object.entries(credentialsSupported).map(async ([id, credentialConfigSupported]) => {
2433
+ const credentialTypes = (0, import_oid4vci_common4.getTypesFromObject)(credentialConfigSupported);
2434
+ const localeBranding = !credentialBranding ? void 0 : credentialBranding?.[id] ?? Object.entries(credentialBranding).find(([type, _brandings]) => {
2435
+ credentialTypes && type in credentialTypes;
2436
+ })?.map(([type, supported]) => supported);
2437
+ const credentialAlias = (await selectCredentialLocaleBranding({
2438
+ locale,
2439
+ localeBranding
2440
+ }))?.alias;
2441
+ return {
2442
+ id: (0, import_uuid2.v4)(),
2443
+ credentialId: id,
2444
+ credentialTypes: credentialTypes ?? (0, import_utils2.asArray)(id),
2445
+ credentialAlias: credentialAlias ?? id,
2446
+ isSelected: false
2447
+ };
2448
+ }));
2449
+ if (credentialSelection.length >= 1) {
2450
+ credentialSelection.map((sel) => selectedCredentials.push(sel.credentialId));
2451
+ }
2452
+ logger.log(`Credential selection ${JSON.stringify(credentialSelection)}`);
2453
+ return credentialSelection;
2454
+ }
2455
+ async oid4vciHolderGetContact(args, context) {
2456
+ const { serverMetadata } = args;
2457
+ if (serverMetadata === void 0) {
2458
+ return Promise.reject(Error("Missing serverMetadata in context"));
2459
+ }
2460
+ const names = new Set(serverMetadata.credentialIssuerMetadata?.display?.map((display) => display.name).filter((name2) => name2 != void 0).map((name2) => name2) ?? []);
2461
+ const name = names.size > 0 ? Array.from(names)[0] : void 0;
2462
+ const correlationId = new URL(serverMetadata.issuer).hostname;
2463
+ const filter = [
2464
+ {
2465
+ identities: {
2466
+ identifier: {
2467
+ correlationId
2468
+ }
2469
+ }
2470
+ }
2471
+ ];
2472
+ if (name) {
2473
+ filter.push({
2474
+ contact: {
2475
+ legalName: name
2476
+ }
2477
+ });
2478
+ filter.push({
2479
+ contact: {
2480
+ displayName: name
2481
+ }
2482
+ });
2483
+ }
2484
+ const parties = await context.agent.cmGetContacts({
2485
+ filter
2486
+ });
2487
+ if (parties.length > 1) {
2488
+ logger.warning(`Get contacts returned more than one result: ${parties.length}, ${parties.map((party2) => party2.contact.displayName).join(",")}`);
2489
+ }
2490
+ const party = parties.length >= 1 ? parties[0] : void 0;
2491
+ logger.log(`Party involved: `, party);
2492
+ return party;
2493
+ }
2494
+ async oid4vciHolderGetCredentials(args, context) {
2495
+ const { verificationCode, openID4VCIClientState, didMethodPreferences = this.didMethodPreferences, issuanceOpt, accessTokenOpts } = args;
2496
+ logger.debug(`Getting credentials`, issuanceOpt, accessTokenOpts);
2497
+ if (!openID4VCIClientState) {
2498
+ return Promise.reject(Error("Missing openID4VCI client state in context"));
2499
+ }
2500
+ const client = await import_oid4vci_client3.OpenID4VCIClient.fromState({
2501
+ state: openID4VCIClientState
2502
+ });
2503
+ const credentialsSupported = await getCredentialConfigsSupportedMerged({
2504
+ client,
2505
+ vcFormatPreferences: this.vcFormatPreferences,
2506
+ configurationIds: args.selectedCredentials
2507
+ });
2508
+ const serverMetadata = await client.retrieveServerMetadata();
2509
+ const issuanceOpts = await getIssuanceOpts({
2510
+ client,
2511
+ credentialsSupported,
2512
+ serverMetadata,
2513
+ context,
2514
+ didMethodPreferences: Array.isArray(didMethodPreferences) && didMethodPreferences.length > 0 ? didMethodPreferences : this.didMethodPreferences,
2515
+ jwtCryptographicSuitePreferences: this.jwtCryptographicSuitePreferences,
2516
+ jsonldCryptographicSuitePreferences: this.jsonldCryptographicSuitePreferences,
2517
+ ...issuanceOpt && {
2518
+ forceIssuanceOpt: issuanceOpt
2519
+ }
2520
+ });
2521
+ const getCredentials = issuanceOpts.map(async (issuanceOpt2) => await this.oid4vciHolderGetCredential({
2522
+ issuanceOpt: issuanceOpt2,
2523
+ pin: verificationCode,
2524
+ client,
2525
+ accessTokenOpts
2526
+ }, context));
2527
+ const allCredentials = await Promise.all(getCredentials);
2528
+ logger.log(`Credentials received`, allCredentials);
2529
+ return allCredentials;
2530
+ }
2531
+ async oid4vciHolderGetCredential(args, context) {
2532
+ const { issuanceOpt, pin, client, accessTokenOpts } = args;
2533
+ logger.info(`Getting credential`, issuanceOpt);
2534
+ if (!issuanceOpt) {
2535
+ return Promise.reject(Error(`Cannot get credential issuance options`));
2536
+ }
2537
+ const identifier = await getIdentifierOpts({
2538
+ issuanceOpt,
2539
+ context
2540
+ });
2541
+ issuanceOpt.identifier = identifier;
2542
+ logger.info(`ID opts`, identifier);
2543
+ const alg = await (0, import_ssi_sdk_ext7.signatureAlgorithmFromKey)({
2544
+ key: identifier.key
2545
+ });
2546
+ const jwk = (0, import_ssi_sdk_ext6.isManagedIdentifierJwkResult)(identifier) ? identifier.jwk : void 0;
2547
+ const callbacks = {
2548
+ signCallback: signCallback(identifier, context)
2549
+ };
2550
+ try {
2551
+ if (!client.clientId) {
2552
+ client.clientId = (0, import_ssi_sdk_ext6.isManagedIdentifierDidResult)(identifier) ? identifier.did : identifier.issuer;
2553
+ }
2554
+ let asOpts = void 0;
2555
+ let kid = accessTokenOpts?.clientOpts?.kid ?? identifier.kid;
2556
+ if (accessTokenOpts?.clientOpts) {
2557
+ const clientId = accessTokenOpts.clientOpts.clientId ?? client.clientId ?? identifier.issuer;
2558
+ if (client.isEBSI() && clientId?.startsWith("http") && kid?.includes("#")) {
2559
+ kid = kid.split("#")[1];
2560
+ }
2561
+ const clientOpts = {
2562
+ ...accessTokenOpts.clientOpts,
2563
+ clientId,
2564
+ kid,
2565
+ // @ts-ignore
2566
+ alg: accessTokenOpts.clientOpts.alg ?? alg,
2567
+ signCallbacks: accessTokenOpts.clientOpts.signCallbacks ?? callbacks
2568
+ };
2569
+ asOpts = {
2570
+ clientOpts
2571
+ };
2572
+ }
2573
+ await client.acquireAccessToken({
2574
+ clientId: client.clientId,
2575
+ pin,
2576
+ authorizationResponse: JSON.parse(await client.exportState()).authorizationCodeResponse,
2577
+ additionalRequestParams: accessTokenOpts?.additionalRequestParams,
2578
+ ...asOpts && {
2579
+ asOpts
2580
+ }
2581
+ });
2582
+ const types = (0, import_oid4vci_common4.getTypesFromObject)(issuanceOpt);
2583
+ const id = "id" in issuanceOpt && issuanceOpt.id ? issuanceOpt.id : void 0;
2584
+ const credentialTypes = (0, import_utils2.asArray)(issuanceOpt.credentialConfigurationId ?? types ?? id);
2585
+ if (!credentialTypes || credentialTypes.length === 0) {
2586
+ return Promise.reject(Error("cannot determine credential id to request"));
2587
+ }
2588
+ const credentialDefinition = this.getCredentialDefinition(issuanceOpt);
2589
+ const credentialResponse = await client.acquireCredentials({
2590
+ ...credentialDefinition && {
2591
+ context: credentialDefinition["@context"]
2592
+ },
2593
+ credentialTypes,
2594
+ proofCallbacks: callbacks,
2595
+ format: issuanceOpt.format,
2596
+ // TODO: We need to update the machine and add notifications support for actual deferred credentials instead of just waiting/retrying
2597
+ deferredCredentialAwait: true,
2598
+ ...!jwk && {
2599
+ kid
2600
+ },
2601
+ jwk,
2602
+ alg,
2603
+ jti: (0, import_uuid2.v4)()
2604
+ });
2605
+ const credential = {
2606
+ id: issuanceOpt.credentialConfigurationId ?? id,
2607
+ types: types ?? (0, import_utils2.asArray)(credentialTypes),
2608
+ issuanceOpt,
2609
+ credentialResponse
2610
+ };
2611
+ return mapCredentialToAccept({
2612
+ credentialToAccept: credential,
2613
+ hasher: this.hasher
2614
+ });
2615
+ } catch (error) {
2616
+ return Promise.reject(error);
2617
+ }
2618
+ }
2619
+ async oid4vciHolderAddContactIdentity(args, context) {
2620
+ const { credentialsToAccept, contact } = args;
2621
+ if (!contact) {
2622
+ return Promise.reject(Error("Missing contact in context"));
2623
+ }
2624
+ if (credentialsToAccept === void 0 || credentialsToAccept.length === 0) {
2625
+ return Promise.reject(Error("Missing credential offers in context"));
2626
+ }
2627
+ let correlationId = credentialsToAccept[0].correlationId;
2628
+ let identifierType = import_ssi_sdk2.CorrelationIdentifierType.DID;
2629
+ if (!correlationId.toLowerCase().startsWith("did:")) {
2630
+ identifierType = import_ssi_sdk2.CorrelationIdentifierType.URL;
2631
+ if (correlationId.startsWith("http")) {
2632
+ correlationId = new URL(correlationId).hostname;
2633
+ }
2634
+ }
2635
+ const identity = {
2636
+ alias: credentialsToAccept[0].correlationId,
2637
+ origin: import_ssi_sdk2.IdentityOrigin.EXTERNAL,
2638
+ roles: [
2639
+ import_ssi_sdk2.CredentialRole.ISSUER
2640
+ ],
2641
+ identifier: {
2642
+ type: identifierType,
2643
+ correlationId
2644
+ },
2645
+ ...identifierType === import_ssi_sdk2.CorrelationIdentifierType.URL && {
2646
+ connection: {
2647
+ type: import_ssi_sdk2.ConnectionType.OPENID_CONNECT,
2648
+ config: {
2649
+ clientId: "138d7bf8-c930-4c6e-b928-97d3a4928b01",
2650
+ clientSecret: "03b3955f-d020-4f2a-8a27-4e452d4e27a0",
2651
+ scopes: [
2652
+ "auth"
2653
+ ],
2654
+ issuer: "https://example.com/app-test",
2655
+ redirectUrl: "app:/callback",
2656
+ dangerouslyAllowInsecureHttpRequests: true,
2657
+ clientAuthMethod: "post"
2658
+ }
2659
+ }
2660
+ }
2661
+ };
2662
+ await context.agent.emit(OID4VCIHolderEvent.CONTACT_IDENTITY_CREATED, {
2663
+ contactId: contact.id,
2664
+ identity
2665
+ });
2666
+ logger.log(`Contact added: ${correlationId}`);
2667
+ return context.agent.cmAddIdentity({
2668
+ contactId: contact.id,
2669
+ identity
2670
+ });
2671
+ }
2672
+ async oid4vciHolderGetIssuerBranding(args, context) {
2673
+ const { serverMetadata, contact } = args;
2674
+ const issuerCorrelationId = contact?.identities.filter((identity) => identity.roles.includes(import_ssi_sdk2.CredentialRole.ISSUER)).map((identity) => identity.identifier.correlationId)[0];
2675
+ if (issuerCorrelationId) {
2676
+ const branding = await context.agent.ibGetIssuerBranding({
2677
+ filter: [
2678
+ {
2679
+ issuerCorrelationId
2680
+ }
2681
+ ]
2682
+ });
2683
+ if (branding.length > 0) {
2684
+ return branding[0].localeBranding;
2685
+ }
2686
+ }
2687
+ if (!serverMetadata) {
2688
+ return Promise.reject(Error("Missing serverMetadata in context"));
2689
+ }
2690
+ return getBasicIssuerLocaleBranding({
2691
+ display: serverMetadata.credentialIssuerMetadata?.display ?? [],
2692
+ dynamicRegistrationClientMetadata: serverMetadata.credentialIssuerMetadata,
2693
+ context
2694
+ });
2695
+ }
2696
+ async oid4vciHolderStoreIssuerBranding(args, context) {
2697
+ const { issuerBranding, contact } = args;
2698
+ if (!issuerBranding || issuerBranding.length === 0 || issuerBranding[0].id) {
2699
+ return;
2700
+ }
2701
+ if (!contact) {
2702
+ return Promise.reject(Error("Missing contact in context"));
2703
+ }
2704
+ const issuerCorrelationId = contact?.identities.filter((identity) => identity.roles.includes(import_ssi_sdk2.CredentialRole.ISSUER)).map((identity) => identity.identifier.correlationId)[0];
2705
+ const branding = await context.agent.ibGetIssuerBranding({
2706
+ filter: [
2707
+ {
2708
+ issuerCorrelationId
2709
+ }
2710
+ ]
2711
+ });
2712
+ if (branding.length > 0) {
2713
+ return;
2714
+ }
2715
+ await context.agent.ibAddIssuerBranding({
2716
+ localeBranding: issuerBranding,
2717
+ issuerCorrelationId
2718
+ });
2719
+ }
2720
+ async oid4vciHolderAssertValidCredentials(args, context) {
2721
+ const { credentialsToAccept, issuanceOpt } = args;
2722
+ return await Promise.all(credentialsToAccept.map((credentialToAccept) => verifyCredentialToAccept({
2723
+ mappedCredential: credentialToAccept,
2724
+ onVerifyEBSICredentialIssuer: this.onVerifyEBSICredentialIssuer,
2725
+ hasher: this.hasher,
2726
+ schemaValidation: issuanceOpt?.schemaValidation,
2727
+ context
2728
+ })));
2729
+ }
2730
+ async oid4vciHolderStoreCredentialBranding(args, context) {
2731
+ const { credentialBranding, serverMetadata, selectedCredentials, credentialsToAccept } = args;
2732
+ if (serverMetadata === void 0) {
2733
+ return Promise.reject(Error("Missing serverMetadata in context"));
2734
+ } else if (selectedCredentials.length === 0) {
2735
+ logger.warning(`No credentials selected for issuer: ${serverMetadata.issuer}`);
2736
+ return;
2737
+ }
2738
+ let counter = 0;
2739
+ for (const credentialId of selectedCredentials) {
2740
+ const localeBranding = credentialBranding?.[credentialId];
2741
+ if (localeBranding && localeBranding.length > 0) {
2742
+ const credential = credentialsToAccept.find((credAccept) => credAccept.credentialToAccept.id === credentialId || JSON.stringify(credAccept.types) === credentialId || credentialsToAccept[counter]);
2743
+ counter++;
2744
+ await context.agent.ibAddCredentialBranding({
2745
+ vcHash: (0, import_utils2.computeEntryHash)(credential.rawVerifiableCredential),
2746
+ issuerCorrelationId: new URL(serverMetadata.issuer).hostname,
2747
+ localeBranding
2748
+ });
2749
+ logger.log(`Credential branding for issuer ${serverMetadata.issuer} and type ${credentialId} stored with locales ${localeBranding.map((b) => b.locale).join(",")}`);
2750
+ } else {
2751
+ logger.warning(`No credential branding found for issuer: ${serverMetadata.issuer} and type ${credentialId}`);
2752
+ }
2753
+ }
2754
+ }
2755
+ async oid4vciHolderStoreCredentials(args, context) {
2756
+ function trimmed(input) {
2757
+ const trim = input?.trim();
2758
+ if (trim === "") {
2759
+ return void 0;
2760
+ }
2761
+ return trim;
2762
+ }
2763
+ __name(trimmed, "trimmed");
2764
+ const { credentialsToAccept, openID4VCIClientState, credentialsSupported, serverMetadata, selectedCredentials } = args;
2765
+ const mappedCredentialToAccept = credentialsToAccept[0];
2766
+ if (selectedCredentials && selectedCredentials.length > 1) {
2767
+ logger.error(`More than 1 credential selected ${selectedCredentials.join(", ")}, but current service only stores 1 credential!`);
2768
+ }
2769
+ const issuanceOpt = args.issuanceOpt ?? mappedCredentialToAccept.credentialToAccept.issuanceOpt;
2770
+ if (!issuanceOpt || !issuanceOpt.identifier) {
2771
+ return Promise.reject(Error("issuanceOpt.identifier must me set in order to store a credential"));
2772
+ }
2773
+ const { kmsKeyRef, method } = issuanceOpt.identifier;
2774
+ let persist = true;
2775
+ const verifiableCredential = mappedCredentialToAccept.uniformVerifiableCredential;
2776
+ const notificationId = mappedCredentialToAccept.credentialToAccept.credentialResponse.notification_id;
2777
+ const subjectIssuance = mappedCredentialToAccept.credential_subject_issuance;
2778
+ const notificationEndpoint = serverMetadata?.credentialIssuerMetadata?.notification_endpoint;
2779
+ let holderCredential = void 0;
2780
+ if (!notificationEndpoint) {
2781
+ logger.log(`Notifications not supported by issuer ${serverMetadata?.issuer}. Will not provide a notification`);
2782
+ } else if (notificationEndpoint && !notificationId) {
2783
+ logger.warning(`Notification endpoint available in issuer metadata with value ${notificationEndpoint}, but no ${notificationId} provided. Will not send a notification to issuer ${serverMetadata?.issuer}`);
2784
+ } else if (notificationEndpoint && notificationId) {
2785
+ logger.log(`Notification id ${notificationId} found, will send back a notification to ${notificationEndpoint}`);
2786
+ let event = "credential_accepted";
2787
+ if (Array.isArray(subjectIssuance?.notification_events_supported)) {
2788
+ event = subjectIssuance.notification_events_supported.includes("credential_accepted_holder_signed") ? "credential_accepted_holder_signed" : "credential_deleted_holder_signed";
2789
+ logger.log(`Subject issuance/signing will be used, with event`, event);
2790
+ const issuerVC = mappedCredentialToAccept.credentialToAccept.credentialResponse.credential;
2791
+ const wrappedIssuerVC = import_ssi_types2.CredentialMapper.toWrappedVerifiableCredential(issuerVC, {
2792
+ hasher: this.hasher ?? import_ssi_sdk3.defaultHasher
2793
+ });
2794
+ console.log(`Wrapped VC: ${wrappedIssuerVC.type}, ${wrappedIssuerVC.format}`);
2795
+ let issuer;
2796
+ if (import_ssi_types2.CredentialMapper.isWrappedSdJwtVerifiableCredential(wrappedIssuerVC)) {
2797
+ issuer = trimmed(wrappedIssuerVC.decoded?.sub);
2798
+ } else if (import_ssi_types2.CredentialMapper.isWrappedW3CVerifiableCredential(wrappedIssuerVC)) {
2799
+ issuer = trimmed(wrappedIssuerVC.credential?.sub) ?? // @ts-ignore
2800
+ trimmed(wrappedIssuerVC.credential?.credentialSubject?.id) ?? trimmed(this.idFromW3cCredentialSubject(wrappedIssuerVC));
2801
+ } else if (import_ssi_types2.CredentialMapper.isWrappedMdocCredential(wrappedIssuerVC)) {
2802
+ return Promise.reject(Error("mdoc not yet supported"));
2803
+ }
2804
+ if (!issuer) {
2805
+ issuer = trimmed(verifiableCredential.credentialSubject?.id);
2806
+ }
2807
+ if (!issuer && openID4VCIClientState?.kid?.startsWith("did:")) {
2808
+ issuer = (0, import_ssi_types2.parseDid)(openID4VCIClientState?.kid).did;
2809
+ }
2810
+ if (!issuer && openID4VCIClientState?.jwk?.kid?.startsWith("did:")) {
2811
+ issuer = (0, import_ssi_types2.parseDid)(openID4VCIClientState.jwk.kid).did;
2812
+ }
2813
+ if (!issuer && openID4VCIClientState?.clientId) {
2814
+ issuer = trimmed(openID4VCIClientState.clientId);
2815
+ }
2816
+ if (!issuer && openID4VCIClientState?.accessTokenResponse) {
2817
+ const decodedJwt = (0, import_did_jwt.decodeJWT)(openID4VCIClientState.accessTokenResponse.access_token);
2818
+ issuer = decodedJwt.payload.sub;
2819
+ }
2820
+ if (!issuer && mappedCredentialToAccept.credentialToAccept.issuanceOpt.identifier) {
2821
+ const resolution = await context.agent.identifierManagedGet(mappedCredentialToAccept.credentialToAccept.issuanceOpt.identifier);
2822
+ issuer = resolution.issuer;
2823
+ }
2824
+ if (!issuer) {
2825
+ throw Error(`We could not determine the issuer, which means we cannot sign the credential`);
2826
+ }
2827
+ logger.log(`Issuer for self-issued credential will be: ${issuer}`);
2828
+ const holderCredentialToSign = wrappedIssuerVC.decoded;
2829
+ let proofFormat = "lds";
2830
+ if (wrappedIssuerVC.format.includes("jwt") && !wrappedIssuerVC.format.includes("mso_mdoc")) {
2831
+ holderCredentialToSign.iss = issuer;
2832
+ proofFormat = "jwt";
2833
+ }
2834
+ if ("issuer" in holderCredentialToSign && !("iss" in holderCredentialToSign)) {
2835
+ holderCredentialToSign.issuer = issuer;
2836
+ }
2837
+ if ("sub" in holderCredentialToSign) {
2838
+ holderCredentialToSign.sub = issuer;
2839
+ }
2840
+ if ("credentialSubject" in holderCredentialToSign && !Array.isArray(holderCredentialToSign.credentialSubject)) {
2841
+ holderCredentialToSign.credentialSubject.id = issuer;
2842
+ }
2843
+ if ("vc" in holderCredentialToSign) {
2844
+ if (holderCredentialToSign.vc.credentialSubject) {
2845
+ holderCredentialToSign.vc.credentialSubject.id = issuer;
2846
+ }
2847
+ holderCredentialToSign.vc.issuer = issuer;
2848
+ delete holderCredentialToSign.vc.proof;
2849
+ delete holderCredentialToSign.vc.issuanceDate;
2850
+ }
2851
+ delete holderCredentialToSign.proof;
2852
+ delete holderCredentialToSign.issuanceDate;
2853
+ delete holderCredentialToSign.iat;
2854
+ logger.log(`Subject issuance/signing will sign credential of type ${proofFormat}:`, holderCredentialToSign);
2855
+ const issuedVC = await context.agent.createVerifiableCredential({
2856
+ credential: "vc" in holderCredentialToSign ? holderCredentialToSign.vc : holderCredentialToSign,
2857
+ fetchRemoteContexts: true,
2858
+ save: false,
2859
+ proofFormat
2860
+ });
2861
+ if (!issuedVC) {
2862
+ throw Error(`Could not issue holder credential from the wallet`);
2863
+ }
2864
+ logger.log(`Holder ${issuedVC.issuer} issued new credential with id ${issuedVC.id}`, issuedVC);
2865
+ holderCredential = import_ssi_types2.CredentialMapper.storedCredentialToOriginalFormat(issuedVC);
2866
+ persist = event === "credential_accepted_holder_signed";
2867
+ }
2868
+ const notificationRequest = {
2869
+ notification_id: notificationId,
2870
+ ...holderCredential && {
2871
+ credential: holderCredential
2872
+ },
2873
+ event
2874
+ };
2875
+ await this.oid4vciHolderSendNotification({
2876
+ openID4VCIClientState,
2877
+ stored: persist,
2878
+ credentialsToAccept,
2879
+ credentialsSupported,
2880
+ notificationRequest,
2881
+ serverMetadata
2882
+ }, context);
2883
+ }
2884
+ const persistCredential = holderCredential ? import_ssi_types2.CredentialMapper.storedCredentialToOriginalFormat(holderCredential) : mappedCredentialToAccept.rawVerifiableCredential;
2885
+ if (!persist && holderCredential) {
2886
+ logger.log(`Will not persist credential, since we are signing as a holder and the issuer asked not to persist`);
2887
+ } else {
2888
+ logger.log(`Persisting credential`, persistCredential);
2889
+ const issuer = import_ssi_types2.CredentialMapper.issuerCorrelationIdFromIssuerType(verifiableCredential.issuer);
2890
+ const [subjectCorrelationType, subjectCorrelationId] = this.determineSubjectCorrelation(issuanceOpt.identifier, issuer);
2891
+ const persistedCredential = await context.agent.crsAddCredential({
2892
+ credential: {
2893
+ rawDocument: (0, import_ssi_sdk2.ensureRawDocument)(persistCredential),
2894
+ kmsKeyRef,
2895
+ identifierMethod: method,
2896
+ credentialRole: import_ssi_sdk2.CredentialRole.HOLDER,
2897
+ issuerCorrelationType: issuer?.startsWith("did:") ? import_ssi_sdk2.CredentialCorrelationType.DID : import_ssi_sdk2.CredentialCorrelationType.URL,
2898
+ issuerCorrelationId: issuer,
2899
+ subjectCorrelationType,
2900
+ subjectCorrelationId
2901
+ }
2902
+ });
2903
+ await context.agent.emit(OID4VCIHolderEvent.CREDENTIAL_STORED, {
2904
+ credential: persistedCredential,
2905
+ vcHash: persistedCredential.hash
2906
+ });
2907
+ }
2908
+ }
2909
+ async oid4vciHolderSendNotification(args, context) {
2910
+ const { serverMetadata, notificationRequest, openID4VCIClientState } = args;
2911
+ const notificationEndpoint = serverMetadata?.credentialIssuerMetadata?.notification_endpoint;
2912
+ if (!notificationEndpoint) {
2913
+ return;
2914
+ } else if (!openID4VCIClientState) {
2915
+ return Promise.reject(Error("Missing openID4VCI client state in context"));
2916
+ } else if (!notificationRequest) {
2917
+ return Promise.reject(Error("Missing notification request"));
2918
+ }
2919
+ logger.log(`Will send notification to ${notificationEndpoint}`, notificationRequest);
2920
+ const client = await import_oid4vci_client3.OpenID4VCIClient.fromState({
2921
+ state: openID4VCIClientState
2922
+ });
2923
+ await client.sendNotification({
2924
+ notificationEndpoint
2925
+ }, notificationRequest, openID4VCIClientState?.accessTokenResponse?.access_token);
2926
+ logger.log(`Notification to ${notificationEndpoint} has been dispatched`);
2927
+ }
2928
+ async getFederationTrust(args, context) {
2929
+ const { requestData, serverMetadata, trustAnchors } = args;
2930
+ if (trustAnchors.length === 0) {
2931
+ return Promise.reject(Error("No trust anchors found"));
2932
+ }
2933
+ if (!requestData?.uri) {
2934
+ return Promise.reject(Error("Missing request URI in context"));
2935
+ }
2936
+ if (!serverMetadata) {
2937
+ return Promise.reject(Error("Missing serverMetadata in context"));
2938
+ }
2939
+ const url = new URL(requestData?.uri);
2940
+ const params = new URLSearchParams(url.search);
2941
+ const openidFederation = params.get("openid_federation");
2942
+ const entityIdentifier = openidFederation ?? serverMetadata.issuer;
2943
+ if (entityIdentifier.startsWith("http://")) {
2944
+ console.warn(`OpenID federation does not support http://, only https:// allowed; got: (${url.toString()})`);
2945
+ return [];
2946
+ }
2947
+ const result = await context.agent.identifierExternalResolveByOIDFEntityId({
2948
+ method: "entity_id",
2949
+ trustAnchors,
2950
+ identifier: entityIdentifier
2951
+ });
2952
+ return result.trustedAnchors;
2953
+ }
2954
+ async oid4vciHolderGetIssuerMetadata(args, context) {
2955
+ const { issuer, errorOnNotFound = true } = args;
2956
+ return import_oid4vci_client3.MetadataClient.retrieveAllMetadata(issuer, {
2957
+ errorOnNotFound
2958
+ });
2959
+ }
2960
+ determineSubjectCorrelation(identifier, issuer) {
2961
+ switch (identifier.method) {
2962
+ case "did":
2963
+ if ((0, import_ssi_sdk_ext6.isManagedIdentifierResult)(identifier) && (0, import_ssi_sdk_ext6.isManagedIdentifierDidResult)(identifier)) {
2964
+ return [
2965
+ import_ssi_sdk2.CredentialCorrelationType.DID,
2966
+ identifier.did
2967
+ ];
2968
+ } else if ((0, import_ssi_sdk_ext6.isManagedIdentifierDidOpts)(identifier)) {
2969
+ return [
2970
+ import_ssi_sdk2.CredentialCorrelationType.DID,
2971
+ typeof identifier.identifier === "string" ? identifier.identifier : identifier.identifier.did
2972
+ ];
2973
+ }
2974
+ break;
2975
+ case "kid":
2976
+ if ((0, import_ssi_sdk_ext6.isManagedIdentifierResult)(identifier) && (0, import_ssi_sdk_ext6.isManagedIdentifierKidResult)(identifier)) {
2977
+ return [
2978
+ import_ssi_sdk2.CredentialCorrelationType.KID,
2979
+ identifier.kid
2980
+ ];
2981
+ } else if ((0, import_ssi_sdk_ext6.isManagedIdentifierDidOpts)(identifier)) {
2982
+ return [
2983
+ import_ssi_sdk2.CredentialCorrelationType.KID,
2984
+ identifier.identifier
2985
+ ];
2986
+ }
2987
+ break;
2988
+ case "x5c":
2989
+ if ((0, import_ssi_sdk_ext6.isManagedIdentifierResult)(identifier) && (0, import_ssi_sdk_ext6.isManagedIdentifierX5cResult)(identifier)) {
2990
+ return [
2991
+ import_ssi_sdk2.CredentialCorrelationType.X509_SAN,
2992
+ identifier.x5c.join("\r\n")
2993
+ ];
2994
+ } else if ((0, import_ssi_sdk_ext6.isManagedIdentifierX5cOpts)(identifier)) {
2995
+ return [
2996
+ import_ssi_sdk2.CredentialCorrelationType.X509_SAN,
2997
+ identifier.identifier.join("\r\n")
2998
+ ];
2999
+ }
3000
+ break;
3001
+ }
3002
+ return [
3003
+ import_ssi_sdk2.CredentialCorrelationType.URL,
3004
+ issuer
3005
+ ];
3006
+ }
3007
+ idFromW3cCredentialSubject(wrappedIssuerVC) {
3008
+ if (Array.isArray(wrappedIssuerVC.credential?.credentialSubject)) {
3009
+ if (wrappedIssuerVC.credential?.credentialSubject.length > 0) {
3010
+ return wrappedIssuerVC.credential?.credentialSubject[0].id;
3011
+ }
3012
+ } else {
3013
+ return wrappedIssuerVC.credential?.credentialSubject?.id;
3014
+ }
3015
+ return void 0;
3016
+ }
3017
+ getCredentialDefinition(issuanceOpt) {
3018
+ if (issuanceOpt.format == "ldp_vc" || issuanceOpt.format == "jwt_vc_json-ld") {
3019
+ return issuanceOpt.credential_definition;
3020
+ }
3021
+ return void 0;
3022
+ }
3023
+ };
3024
+
3025
+ // src/listeners/headlessStateNavListener.ts
3026
+ var import_ssi_types3 = require("@sphereon/ssi-types");
3027
+ var logger2 = import_ssi_types3.Loggers.DEFAULT.options("sphereon:oid4vci:holder", {
3028
+ defaultLogLevel: import_ssi_types3.LogLevel.DEBUG,
3029
+ methods: [
3030
+ import_ssi_types3.LogMethod.CONSOLE
3031
+ ]
3032
+ }).get("sphereon:oid4vci:holder");
3033
+ var OID4VCICallbackStateListener = /* @__PURE__ */ __name((callbacks) => {
3034
+ return async (oid4vciMachine, state) => {
3035
+ if (state._event.type === "internal") {
3036
+ logger2.debug("oid4vciCallbackStateListener: internal event");
3037
+ return;
3038
+ }
3039
+ logger2.info(`VCI state listener state: ${JSON.stringify(state.value)}`);
3040
+ if (!callbacks || callbacks.size === 0) {
3041
+ logger2.info(`VCI no callbacks registered for state: ${JSON.stringify(state.value)}`);
3042
+ return;
3043
+ }
3044
+ for (const [stateKey, callback] of callbacks) {
3045
+ if (state.matches(stateKey)) {
3046
+ logger2.log(`VCI state callback for state: ${JSON.stringify(state.value)}, will execute...`);
3047
+ await callback(oid4vciMachine, state).then(() => logger2.log(`state callback executed for state: ${JSON.stringify(state.value)}`)).catch((error) => {
3048
+ logger2.error(`VCI state callback failed for state: ${JSON.stringify(state.value)}, error: ${JSON.stringify(error?.message)}, ${JSON.stringify(state.event)}`);
3049
+ if (error.stack) {
3050
+ logger2.error(error.stack);
3051
+ }
3052
+ });
3053
+ break;
3054
+ }
3055
+ }
3056
+ };
3057
+ }, "OID4VCICallbackStateListener");
3058
+
3059
+ // src/link-handler/index.ts
3060
+ var import_oid4vci_client4 = require("@sphereon/oid4vci-client");
3061
+ var import_oid4vci_common5 = require("@sphereon/oid4vci-common");
3062
+ var import_ssi_sdk4 = require("@sphereon/ssi-sdk.core");
3063
+ var import_ssi_sdk5 = require("@sphereon/ssi-sdk.xstate-machine-persistence");
3064
+ var OID4VCIHolderLinkHandler = class extends import_ssi_sdk4.LinkHandlerAdapter {
3065
+ static {
3066
+ __name(this, "OID4VCIHolderLinkHandler");
3067
+ }
3068
+ context;
3069
+ stateNavigationListener;
3070
+ firstPartyStateNavigationListener;
3071
+ noStateMachinePersistence;
3072
+ authorizationRequestOpts;
3073
+ clientOpts;
3074
+ trustAnchors;
3075
+ constructor(args) {
3076
+ super({
3077
+ ...args,
3078
+ id: "OID4VCIHolder"
3079
+ });
3080
+ this.authorizationRequestOpts = args.authorizationRequestOpts;
3081
+ this.clientOpts = args.clientOpts;
3082
+ this.context = args.context;
3083
+ this.noStateMachinePersistence = args.noStateMachinePersistence === true;
3084
+ this.stateNavigationListener = args.stateNavigationListener;
3085
+ this.firstPartyStateNavigationListener = args.firstPartyStateNavigationListener;
3086
+ this.trustAnchors = args.trustAnchors;
3087
+ }
3088
+ async handle(url, opts) {
3089
+ const uri = new URL(url).toString();
3090
+ const offerData = (0, import_oid4vci_common5.convertURIToJsonObject)(uri);
3091
+ const hasCode = "code" in offerData && !!offerData.code && !("issuer" in offerData);
3092
+ const code = hasCode ? offerData.code : void 0;
3093
+ const clientOpts = {
3094
+ ...this.clientOpts,
3095
+ ...opts?.clientOpts
3096
+ };
3097
+ const oid4vciMachine = await this.context.agent.oid4vciHolderGetMachineInterpreter({
3098
+ requestData: {
3099
+ // We know this can only be invoked with a credential offer, so we convert the URI to offer
3100
+ ...!hasCode && {
3101
+ credentialOffer: await import_oid4vci_client4.CredentialOfferClient.fromURI(uri)
3102
+ },
3103
+ ...hasCode && {
3104
+ code
3105
+ },
3106
+ createAuthorizationRequestURL: opts?.createAuthorizationRequestURL,
3107
+ flowType: opts?.flowType,
3108
+ uri
3109
+ },
3110
+ trustAnchors: this.trustAnchors,
3111
+ authorizationRequestOpts: {
3112
+ ...this.authorizationRequestOpts,
3113
+ ...opts?.authorizationRequestOpts
3114
+ },
3115
+ ...(clientOpts.clientId || clientOpts.clientAssertionType) && {
3116
+ clientOpts
3117
+ },
3118
+ stateNavigationListener: this.stateNavigationListener,
3119
+ firstPartyStateNavigationListener: this.firstPartyStateNavigationListener
3120
+ });
3121
+ const interpreter = oid4vciMachine.interpreter;
3122
+ if (!opts?.machineState && this.context.agent.availableMethods().includes("machineStatesFindActive")) {
3123
+ const stateType = hasCode ? "existing" : "new";
3124
+ await (0, import_ssi_sdk5.interpreterStartOrResume)({
3125
+ stateType,
3126
+ interpreter,
3127
+ context: this.context,
3128
+ cleanupAllOtherInstances: true,
3129
+ cleanupOnFinalState: true,
3130
+ singletonCheck: true,
3131
+ noRegistration: this.noStateMachinePersistence
3132
+ });
3133
+ } else {
3134
+ interpreter.start(opts?.machineState);
3135
+ }
3136
+ if (hasCode) {
3137
+ interpreter.send(OID4VCIMachineEvents.PROVIDE_AUTHORIZATION_CODE_RESPONSE, {
3138
+ data: uri
3139
+ });
3140
+ }
3141
+ }
3142
+ };
3143
+ //# sourceMappingURL=index.cjs.map