@sphereon/ssi-sdk.oid4vci-holder 0.34.1-next.7 → 0.34.1-next.86

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sphereon/ssi-sdk.oid4vci-holder",
-  "version": "0.34.1-next.7+abc1dfeb",
+  "version": "0.34.1-next.86+38dc1ac2",
   "source": "src/index.ts",
   "type": "module",
   "main": "./dist/index.cjs",
@@ -26,40 +26,41 @@
     "build": "tsup --config ../../tsup.config.ts --tsconfig ../../tsconfig.tsup.json"
   },
   "dependencies": {
-    "@sphereon/did-auth-siop": "0.19.1-next.2",
+    "@sphereon/did-auth-siop": "0.19.1-feature.SSISDK.45.86",
     "@sphereon/kmp-mdoc-core": "0.2.0-SNAPSHOT.26",
-    "@sphereon/oid4vci-client": "0.19.1-next.2",
-    "@sphereon/oid4vci-common": "0.19.1-next.2",
-    "@sphereon/ssi-sdk-ext.did-utils": "0.29.1-next.3",
-    "@sphereon/ssi-sdk-ext.identifier-resolution": "0.29.1-next.3",
-    "@sphereon/ssi-sdk-ext.jwt-service": "0.29.1-next.3",
-    "@sphereon/ssi-sdk-ext.key-utils": "0.29.1-next.3",
-    "@sphereon/ssi-sdk.contact-manager": "0.34.1-next.7+abc1dfeb",
-    "@sphereon/ssi-sdk.core": "0.34.1-next.7+abc1dfeb",
-    "@sphereon/ssi-sdk.credential-store": "0.34.1-next.7+abc1dfeb",
-    "@sphereon/ssi-sdk.credential-validation": "0.34.1-next.7+abc1dfeb",
-    "@sphereon/ssi-sdk.data-store": "0.34.1-next.7+abc1dfeb",
-    "@sphereon/ssi-sdk.issuance-branding": "0.34.1-next.7+abc1dfeb",
-    "@sphereon/ssi-sdk.mdl-mdoc": "0.34.1-next.7+abc1dfeb",
-    "@sphereon/ssi-sdk.oidf-client": "0.34.1-next.7+abc1dfeb",
-    "@sphereon/ssi-sdk.sd-jwt": "0.34.1-next.7+abc1dfeb",
-    "@sphereon/ssi-sdk.siopv2-oid4vp-common": "0.34.1-next.7+abc1dfeb",
-    "@sphereon/ssi-sdk.siopv2-oid4vp-op-auth": "0.34.1-next.7+abc1dfeb",
-    "@sphereon/ssi-sdk.xstate-machine-persistence": "0.34.1-next.7+abc1dfeb",
-    "@sphereon/ssi-types": "0.34.1-next.7+abc1dfeb",
+    "@sphereon/oid4vci-client": "0.19.1-feature.SSISDK.45.86",
+    "@sphereon/oid4vci-common": "0.19.1-feature.SSISDK.45.86",
+    "@sphereon/ssi-sdk-ext.did-utils": "0.34.1-next.86+38dc1ac2",
+    "@sphereon/ssi-sdk-ext.identifier-resolution": "0.34.1-next.86+38dc1ac2",
+    "@sphereon/ssi-sdk-ext.jwt-service": "0.34.1-next.86+38dc1ac2",
+    "@sphereon/ssi-sdk-ext.key-utils": "0.34.1-next.86+38dc1ac2",
+    "@sphereon/ssi-sdk.contact-manager": "0.34.1-next.86+38dc1ac2",
+    "@sphereon/ssi-sdk.core": "0.34.1-next.86+38dc1ac2",
+    "@sphereon/ssi-sdk.credential-store": "0.34.1-next.86+38dc1ac2",
+    "@sphereon/ssi-sdk.credential-validation": "0.34.1-next.86+38dc1ac2",
+    "@sphereon/ssi-sdk.data-store": "0.34.1-next.86+38dc1ac2",
+    "@sphereon/ssi-sdk.issuance-branding": "0.34.1-next.86+38dc1ac2",
+    "@sphereon/ssi-sdk.mdl-mdoc": "0.34.1-next.86+38dc1ac2",
+    "@sphereon/ssi-sdk.oidf-client": "0.34.1-next.86+38dc1ac2",
+    "@sphereon/ssi-sdk.sd-jwt": "0.34.1-next.86+38dc1ac2",
+    "@sphereon/ssi-sdk.siopv2-oid4vp-common": "0.34.1-next.86+38dc1ac2",
+    "@sphereon/ssi-sdk.siopv2-oid4vp-op-auth": "0.34.1-next.86+38dc1ac2",
+    "@sphereon/ssi-sdk.xstate-machine-persistence": "0.34.1-next.86+38dc1ac2",
+    "@sphereon/ssi-types": "0.34.1-next.86+38dc1ac2",
     "@veramo/core": "4.2.0",
     "@veramo/data-store": "4.2.0",
     "@veramo/utils": "4.2.0",
     "ajv": "^8.17.1",
     "ajv-formats": "^3.0.1",
+    "dcql": "1.0.1",
     "i18n-js": "^3.9.2",
     "lodash.memoize": "^4.1.2",
     "uuid": "^9.0.1",
     "xstate": "^4.38.3"
   },
   "devDependencies": {
-    "@sphereon/oid4vc-common": "0.19.1-next.2",
-    "@sphereon/ssi-sdk-ext.did-resolver-jwk": "0.29.1-next.3",
+    "@sphereon/oid4vc-common": "0.19.1-feature.SSISDK.45.86",
+    "@sphereon/ssi-sdk-ext.did-resolver-jwk": "0.34.1-next.86+38dc1ac2",
     "@sphereon/ssi-sdk.siopv2-oid4vp-common": "workspace:*",
     "@types/i18n-js": "^3.8.9",
     "@types/lodash.memoize": "^4.1.9",
@@ -89,5 +90,5 @@
     "OID4VCI",
     "State Machine"
   ],
-  "gitHead": "abc1dfebd9a53c49235573ad0a337abb248bf2f3"
+  "gitHead": "38dc1ac283787611ad5ebcedf1ca222438566dd9"
 }

package/src/agent/OID4VCIHolder.ts

@@ -4,8 +4,8 @@ import {
   AuthorizationRequestOpts,
   AuthorizationServerClientOpts,
   AuthorizationServerOpts,
-  CredentialConfigurationSupportedJwtVcJsonLdAndLdpVcV1_0_13,
-  CredentialDefinitionJwtVcJsonLdAndLdpVcV1_0_13,
+  CredentialConfigurationSupportedJwtVcJsonLdAndLdpVcV1_0_15,
+  CredentialDefinitionJwtVcJsonLdAndLdpVcV1_0_15,
   CredentialOfferRequestWithBaseUrl,
   DefaultURISchemes,
   EndpointMetadataResult,
@@ -30,6 +30,7 @@ import {
 } from '@sphereon/ssi-sdk-ext.identifier-resolution'
 import { IJwtService, JwsHeader } from '@sphereon/ssi-sdk-ext.jwt-service'
 import { signatureAlgorithmFromKey } from '@sphereon/ssi-sdk-ext.key-utils'
+import { defaultHasher } from '@sphereon/ssi-sdk.core'
 import {
   ConnectionType,
   CorrelationIdentifierType,
@@ -73,6 +74,18 @@ import { asArray, computeEntryHash } from '@veramo/utils'
 import { decodeJWT } from 'did-jwt'
 import { v4 as uuidv4 } from 'uuid'
 import { OID4VCIMachine } from '../machines/oid4vciMachine'
+import {
+  getBasicIssuerLocaleBranding,
+  getCredentialBranding,
+  getCredentialConfigsSupportedMerged,
+  getIdentifierOpts,
+  getIssuanceOpts,
+  mapCredentialToAccept,
+  selectCredentialLocaleBranding,
+  startFirstPartApplicationMachine,
+  verifyCredentialToAccept,
+} from '../services/OID4VCIHolderService'
+import 'cross-fetch/polyfill'
 import {
   AddContactIdentityArgs,
   AssertValidCredentialsArgs,
@@ -111,19 +124,6 @@ import {
   VerifyEBSICredentialIssuerArgs,
   VerifyEBSICredentialIssuerResult,
 } from '../types/IOID4VCIHolder'
-import {
-  getBasicIssuerLocaleBranding,
-  getCredentialBranding,
-  getCredentialConfigsSupportedMerged,
-  getIdentifierOpts,
-  getIssuanceOpts,
-  mapCredentialToAccept,
-  selectCredentialLocaleBranding,
-  startFirstPartApplicationMachine,
-  verifyCredentialToAccept,
-} from '../services/OID4VCIHolderService'
-import 'cross-fetch/polyfill'
-import { defaultHasher } from '@sphereon/ssi-sdk.core'
 
 /**
  * {@inheritDoc IOID4VCIHolder}
@@ -151,7 +151,7 @@ export function signCallback(
   context: IAgentContext<IKeyManager & IDIDManager & IResolver & IIdentifierResolution & IJwtService>,
   nonce?: string,
 ) {
-  return async (jwt: Jwt, kid?: string) => {
+  return async (jwt: Jwt, kid?: string, noIssPayloadUpdate?: boolean) => {
     let resolution = await context.agent.identifierManagedGet(identifier)
     const jwk = jwt.header.jwk ?? (resolution.method === 'jwk' ? resolution.jwk : undefined)
     if (!resolution.issuer && !jwt.payload.iss) {
@@ -170,7 +170,7 @@ export function signCallback(
     }
     return (
       await context.agent.jwtCreateJwsCompactSignature({
-        issuer: { ...resolution, noIssPayloadUpdate: false },
+        issuer: { ...resolution, noIssPayloadUpdate: noIssPayloadUpdate ?? false },
         protectedHeader: header,
         payload,
       })
@@ -229,7 +229,7 @@ export class OID4VCIHolder implements IAgentPlugin {
     oid4vciHolderStoreIssuerBranding: this.oid4vciHolderStoreIssuerBranding.bind(this),
   }
 
-  private readonly vcFormatPreferences: Array<string> = ['vc+sd-jwt', 'mso_mdoc', 'jwt_vc_json', 'jwt_vc', 'ldp_vc']
+  private readonly vcFormatPreferences: Array<string> = ['dc+sd-jwt', 'vc+sd-jwt', 'mso_mdoc', 'jwt_vc_json', 'jwt_vc', 'ldp_vc']
   private readonly jsonldCryptographicSuitePreferences: Array<string> = [
     'Ed25519Signature2018',
     'EcdsaSecp256k1Signature2019',
@@ -939,7 +939,21 @@ export class OID4VCIHolder implements IAgentPlugin {
           ? 'credential_accepted_holder_signed'
           : 'credential_deleted_holder_signed'
         logger.log(`Subject issuance/signing will be used, with event`, event)
-        const issuerVC = mappedCredentialToAccept.credentialToAccept.credentialResponse.credential as OriginalVerifiableCredential
+        const credentialResponse = mappedCredentialToAccept.credentialToAccept.credentialResponse
+        let issuerVC
+        if ('credential' in credentialResponse) {
+          issuerVC = credentialResponse.credential as OriginalVerifiableCredential
+        } else if (
+          'credentials' in credentialResponse &&
+          credentialResponse.credentials &&
+          Array.isArray(credentialResponse.credentials) &&
+          credentialResponse.credentials.length > 0
+        ) {
+          issuerVC = credentialResponse.credentials[0].credential as OriginalVerifiableCredential // FIXME SSISDK-13 (no multi-credential support yet)
+        }
+        if (!issuerVC) {
+          return Promise.reject(Error('No credential found in credential response'))
+        }
         const wrappedIssuerVC = CredentialMapper.toWrappedVerifiableCredential(issuerVC, { hasher: this.hasher ?? defaultHasher })
         console.log(`Wrapped VC: ${wrappedIssuerVC.type}, ${wrappedIssuerVC.format}`)
         // We will use the subject of the VCI Issuer (the holder, as the issuer of the new credential, so the below is not a mistake!)
@@ -1169,9 +1183,9 @@ export class OID4VCIHolder implements IAgentPlugin {
     return undefined
   }
 
-  private getCredentialDefinition(issuanceOpt: IssuanceOpts): CredentialDefinitionJwtVcJsonLdAndLdpVcV1_0_13 | undefined {
+  private getCredentialDefinition(issuanceOpt: IssuanceOpts): CredentialDefinitionJwtVcJsonLdAndLdpVcV1_0_15 | undefined {
     if (issuanceOpt.format == 'ldp_vc' || issuanceOpt.format == 'jwt_vc_json-ld') {
-      return (issuanceOpt as CredentialConfigurationSupportedJwtVcJsonLdAndLdpVcV1_0_13).credential_definition
+      return (issuanceOpt as CredentialConfigurationSupportedJwtVcJsonLdAndLdpVcV1_0_15).credential_definition
     }
     return undefined
   }

package/src/services/OID4VCIHolderService.ts

@@ -2,7 +2,7 @@ import { LOG } from '@sphereon/oid4vci-client'
 import {
   CredentialConfigurationSupported,
   CredentialSupportedSdJwtVc,
-  CredentialConfigurationSupportedSdJwtVcV1_0_13,
+  CredentialConfigurationSupportedSdJwtVcV1_0_15,
   CredentialOfferFormatV1_0_11,
   CredentialResponse,
   getSupportedCredentials,
@@ -72,8 +72,8 @@ export const getCredentialBranding = async (args: GetCredentialBrandingArgs): Pr
   await Promise.all(
     Object.entries(credentialsSupported).map(async ([configId, credentialsConfigSupported]): Promise<void> => {
       let sdJwtTypeMetadata: SdJwtTypeMetadata | undefined
-      if (credentialsConfigSupported.format === 'vc+sd-jwt') {
-        const vct = (<CredentialSupportedSdJwtVc | CredentialConfigurationSupportedSdJwtVcV1_0_13>credentialsConfigSupported).vct
+      if (credentialsConfigSupported.format === 'dc+sd-jwt') {
+        const vct = (<CredentialSupportedSdJwtVc | CredentialConfigurationSupportedSdJwtVcV1_0_15>credentialsConfigSupported).vct
         if (vct.startsWith('http')) {
           try {
             sdJwtTypeMetadata = await context.agent.fetchSdJwtTypeMetadataFromVctUrl({ vct })
@@ -153,7 +153,18 @@ export const selectCredentialLocaleBranding = async (
 export const verifyCredentialToAccept = async (args: VerifyCredentialToAcceptArgs): Promise<VerificationResult> => {
   const { mappedCredential, hasher, onVerifyEBSICredentialIssuer, schemaValidation, context } = args
 
-  const credential = mappedCredential.credentialToAccept.credentialResponse.credential as OriginalVerifiableCredential
+  const credentialResponse = mappedCredential.credentialToAccept.credentialResponse
+  let credential
+  if ('credential' in credentialResponse) {
+    credential = credentialResponse.credential as OriginalVerifiableCredential
+  } else if (
+    'credentials' in credentialResponse &&
+    credentialResponse.credentials &&
+    Array.isArray(credentialResponse.credentials) &&
+    credentialResponse.credentials.length > 0
+  ) {
+    credential = credentialResponse.credentials[0].credential as OriginalVerifiableCredential // FIXME SSISDK-13 (no multi-credential support yet)
+  }
   if (!credential) {
     return Promise.reject(Error('No credential found in credential response'))
   }
@@ -206,7 +217,17 @@ export const mapCredentialToAccept = async (args: MapCredentialToAcceptArgs): Pr
   const { credentialToAccept, hasher } = args
 
   const credentialResponse: CredentialResponse = credentialToAccept.credentialResponse
-  const verifiableCredential: W3CVerifiableCredential | undefined = credentialResponse.credential
+  let verifiableCredential: W3CVerifiableCredential | undefined
+  if ('credential' in credentialResponse) {
+    verifiableCredential = credentialResponse.credential
+  } else if (
+    'credentials' in credentialResponse &&
+    credentialResponse.credentials &&
+    Array.isArray(credentialResponse.credentials) &&
+    credentialResponse.credentials.length > 0
+  ) {
+    verifiableCredential = credentialResponse.credentials[0].credential // FIXME SSISDK-13 (no multi-credential support yet)
+  }
   if (!verifiableCredential) {
     return Promise.reject(Error('No credential found in credential response'))
   }
@@ -580,7 +601,8 @@ export const getIssuanceCryptoSuite = async (opts: GetIssuanceCryptoSuiteArgs):
     case 'jwt':
     case 'jwt_vc_json':
     case 'jwt_vc':
-    case 'vc+sd-jwt':
+    case 'dc+sd-jwt':
+    case 'dc+sd-jwt':
     case 'mso_mdoc': {
       const supportedPreferences: Array<JoseSignatureAlgorithm | JoseSignatureAlgorithmString> = jwtCryptographicSuitePreferences.filter(
         (suite: JoseSignatureAlgorithm | JoseSignatureAlgorithmString) => signing_algs_supported.includes(suite),

package/src/types/FirstPartyMachine.ts

@@ -1,11 +1,12 @@
 import { BaseActionObject, Interpreter, ResolveTypegenMeta, ServiceMap, State, StateMachine, StatesConfig, TypegenDisabled } from 'xstate'
 import { OpenID4VCIClientState } from '@sphereon/oid4vci-client'
 import { DidAuthConfig, Party } from '@sphereon/ssi-sdk.data-store'
-import { PresentationDefinitionWithLocation, RPRegistrationMetadataPayload } from '@sphereon/did-auth-siop'
+import { RPRegistrationMetadataPayload } from '@sphereon/did-auth-siop'
 import { UniqueDigitalCredential } from '@sphereon/ssi-sdk.credential-store'
 import { AuthorizationChallengeCodeResponse } from '@sphereon/oid4vci-common'
 import { IIdentifier } from '@veramo/core'
 import { ErrorDetails, RequiredContext } from './IOID4VCIHolder'
+import { DcqlQuery } from 'dcql'
 
 export enum FirstPartyMachineStateTypes {
   sendAuthorizationChallengeRequest = 'sendAuthorizationChallengeRequest',
@@ -149,7 +150,7 @@ export type SiopV2AuthorizationRequestData = {
   clientIdScheme?: string
   clientId?: string
   entityId?: string
-  presentationDefinitions?: PresentationDefinitionWithLocation[]
+  dcqlQuery: DcqlQuery
 }
 
 export type FirstPartyMachineNavigationArgs = {

package/src/types/IOID4VCIHolder.ts

@@ -7,6 +7,7 @@ import {
   CredentialConfigurationSupported,
   CredentialOfferRequestWithBaseUrl,
   CredentialResponse,
+  CredentialResponseV1_0_15,
   CredentialsSupportedDisplay,
   EndpointMetadataResult,
   ExperimentalSubjectIssuance,
@@ -377,6 +378,7 @@ export enum OID4VCIMachineGuards {
   requirePinGuard = 'oid4vciRequirePinGuard',
   requireAuthorizationGuard = 'oid4vciRequireAuthorizationGuard',
   noAuthorizationGuard = 'oid4vciNoAuthorizationGuard',
+  hasNonceEndpointGuard = 'oid4vciHasNonceEndpointGuard ',
   hasAuthorizationResponse = 'oid4vciHasAuthorizationResponse',
   hasNoContactIdentityGuard = 'oid4vciHasNoContactIdentityGuard',
   verificationCodeGuard = 'oid4vciVerificationCodeGuard',
@@ -501,7 +503,7 @@ export type CredentialToAccept = {
   id?: string
   types: string[]
   issuanceOpt: IssuanceOpts
-  credentialResponse: CredentialResponse
+  credentialResponse: CredentialResponseV1_0_15 | CredentialResponse
 }
 
 export type GetCredentialConfigsSupportedArgs = {