@sphereon/ssi-sdk.oid4vci-holder 0.36.1-next.11 → 0.36.1-next.115

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sphereon/ssi-sdk.oid4vci-holder",
-  "version": "0.36.1-next.11+262d209a",
+  "version": "0.36.1-next.115+0fab323a",
   "source": "src/index.ts",
   "type": "module",
   "main": "./dist/index.cjs",
@@ -26,27 +26,27 @@
     "build": "tsup --config ../../tsup.config.ts --tsconfig ../../tsconfig.tsup.json"
   },
   "dependencies": {
-    "@sphereon/did-auth-siop": "0.20.1-next.3",
+    "@sphereon/did-auth-siop": "0.20.1-next.8",
     "@sphereon/kmp-mdoc-core": "0.2.0-SNAPSHOT.26",
-    "@sphereon/oid4vci-client": "0.20.1-next.3",
-    "@sphereon/oid4vci-common": "0.20.1-next.3",
-    "@sphereon/ssi-sdk-ext.did-utils": "0.36.1-next.11+262d209a",
-    "@sphereon/ssi-sdk-ext.identifier-resolution": "0.36.1-next.11+262d209a",
-    "@sphereon/ssi-sdk-ext.jwt-service": "0.36.1-next.11+262d209a",
-    "@sphereon/ssi-sdk-ext.key-utils": "0.36.1-next.11+262d209a",
-    "@sphereon/ssi-sdk.contact-manager": "0.36.1-next.11+262d209a",
-    "@sphereon/ssi-sdk.core": "0.36.1-next.11+262d209a",
-    "@sphereon/ssi-sdk.credential-store": "0.36.1-next.11+262d209a",
-    "@sphereon/ssi-sdk.credential-validation": "0.36.1-next.11+262d209a",
-    "@sphereon/ssi-sdk.data-store-types": "0.36.1-next.11+262d209a",
-    "@sphereon/ssi-sdk.issuance-branding": "0.36.1-next.11+262d209a",
-    "@sphereon/ssi-sdk.mdl-mdoc": "0.36.1-next.11+262d209a",
-    "@sphereon/ssi-sdk.oidf-client": "0.36.1-next.11+262d209a",
-    "@sphereon/ssi-sdk.sd-jwt": "0.36.1-next.11+262d209a",
-    "@sphereon/ssi-sdk.siopv2-oid4vp-common": "0.36.1-next.11+262d209a",
-    "@sphereon/ssi-sdk.siopv2-oid4vp-op-auth": "0.36.1-next.11+262d209a",
-    "@sphereon/ssi-sdk.xstate-machine-persistence": "0.36.1-next.11+262d209a",
-    "@sphereon/ssi-types": "0.36.1-next.11+262d209a",
+    "@sphereon/oid4vci-client": "0.20.1-next.8",
+    "@sphereon/oid4vci-common": "0.20.1-next.8",
+    "@sphereon/ssi-sdk-ext.did-utils": "0.36.1-next.115+0fab323a",
+    "@sphereon/ssi-sdk-ext.identifier-resolution": "0.36.1-next.115+0fab323a",
+    "@sphereon/ssi-sdk-ext.jwt-service": "0.36.1-next.115+0fab323a",
+    "@sphereon/ssi-sdk-ext.key-utils": "0.36.1-next.115+0fab323a",
+    "@sphereon/ssi-sdk.contact-manager": "0.36.1-next.115+0fab323a",
+    "@sphereon/ssi-sdk.core": "0.36.1-next.115+0fab323a",
+    "@sphereon/ssi-sdk.credential-store": "0.36.1-next.115+0fab323a",
+    "@sphereon/ssi-sdk.credential-validation": "0.36.1-next.115+0fab323a",
+    "@sphereon/ssi-sdk.data-store-types": "0.36.1-next.115+0fab323a",
+    "@sphereon/ssi-sdk.issuance-branding": "0.36.1-next.115+0fab323a",
+    "@sphereon/ssi-sdk.mdl-mdoc": "0.36.1-next.115+0fab323a",
+    "@sphereon/ssi-sdk.oidf-client": "0.36.1-next.115+0fab323a",
+    "@sphereon/ssi-sdk.sd-jwt": "0.36.1-next.115+0fab323a",
+    "@sphereon/ssi-sdk.siopv2-oid4vp-common": "0.36.1-next.115+0fab323a",
+    "@sphereon/ssi-sdk.siopv2-oid4vp-op-auth": "0.36.1-next.115+0fab323a",
+    "@sphereon/ssi-sdk.xstate-machine-persistence": "0.36.1-next.115+0fab323a",
+    "@sphereon/ssi-types": "0.36.1-next.115+0fab323a",
     "@veramo/core": "4.2.0",
     "@veramo/data-store": "4.2.0",
     "@veramo/utils": "4.2.0",
@@ -60,7 +60,7 @@
   },
   "devDependencies": {
     "@sphereon/oid4vc-common": "0.20.1-feat.SSISDK.83.1",
-    "@sphereon/ssi-sdk-ext.did-resolver-jwk": "0.36.1-next.11+262d209a",
+    "@sphereon/ssi-sdk-ext.did-resolver-jwk": "0.36.1-next.115+0fab323a",
     "@sphereon/ssi-sdk.siopv2-oid4vp-common": "workspace:*",
     "@types/i18n-js": "^3.8.9",
     "@types/lodash.memoize": "^4.1.9",
@@ -90,5 +90,5 @@
     "OID4VCI",
     "State Machine"
   ],
-  "gitHead": "262d209a803fecfba1ad5878724c4f6f91f86cec"
+  "gitHead": "0fab323abf92edba332557800ab79493e3681e1f"
 }

package/src/agent/OID4VCIHolder.ts

@@ -123,6 +123,7 @@ import {
   VerificationResult,
   VerifyEBSICredentialIssuerArgs,
   VerifyEBSICredentialIssuerResult,
+  WalletType,
 } from '../types/IOID4VCIHolder'
 
 /**
@@ -206,6 +207,7 @@ export async function verifyEBSICredentialIssuer(args: VerifyEBSICredentialIssue
 
 export class OID4VCIHolder implements IAgentPlugin {
   private readonly hasher?: HasherSync
+  private readonly defaultHolderIdentifier?: string
   readonly eventTypes: Array<OID4VCIHolderEvent> = [
     OID4VCIHolderEvent.CONTACT_IDENTITY_CREATED,
     OID4VCIHolderEvent.CREDENTIAL_STORED,
@@ -269,9 +271,11 @@ export class OID4VCIHolder implements IAgentPlugin {
       jwtCryptographicSuitePreferences,
       defaultAuthorizationRequestOptions,
       hasher = defaultHasher,
+      defaultHolderIdentifier,
     } = { ...options }
 
     this.hasher = hasher
+    this.defaultHolderIdentifier = defaultHolderIdentifier
     if (vcFormatPreferences !== undefined && vcFormatPreferences.length > 0) {
       this.vcFormatPreferences = vcFormatPreferences
     }
@@ -493,7 +497,7 @@ export class OID4VCIHolder implements IAgentPlugin {
     if (!clientId) {
       return Promise.reject(Error(`Missing client id in contact's connectionConfig`))
     }
-    const client = await OpenID4VCIClient.fromState({ state: openID4VCIClientState })
+    const client = await OpenID4VCIClientV1_0_15.fromState({ state: openID4VCIClientState })
     const authorizationCodeURL = await client.createAuthorizationRequestUrl({
       authorizationRequest: {
         clientId: clientId,
@@ -505,7 +509,7 @@ export class OID4VCIHolder implements IAgentPlugin {
     return {
       authorizationCodeURL,
       // Needed, because the above createAuthorizationRequestUrl manipulates the state, adding pkce opts to the state
-      oid4vciClientState: JSON.parse(await client.exportState())
+      oid4vciClientState: JSON.parse(await client.exportState()),
     }
   }
 
@@ -617,7 +621,7 @@ export class OID4VCIHolder implements IAgentPlugin {
   }
 
   private async oid4vciHolderGetCredentials(args: GetCredentialsArgs, context: RequiredContext): Promise<Array<MappedCredentialToAccept>> {
-    const { verificationCode, openID4VCIClientState, didMethodPreferences = this.didMethodPreferences, issuanceOpt, accessTokenOpts } = args
+    const { verificationCode, openID4VCIClientState, didMethodPreferences, issuanceOpt, accessTokenOpts, walletType } = args
     logger.debug(`Getting credentials`, issuanceOpt, accessTokenOpts)
 
     if (!openID4VCIClientState) {
@@ -636,7 +640,7 @@ export class OID4VCIHolder implements IAgentPlugin {
       credentialsSupported,
       serverMetadata,
       context,
-      didMethodPreferences: Array.isArray(didMethodPreferences) && didMethodPreferences.length > 0 ? didMethodPreferences : this.didMethodPreferences,
+      didMethodPreferences: this.selectDidMethodPreferences(didMethodPreferences, walletType),
       jwtCryptographicSuitePreferences: this.jwtCryptographicSuitePreferences,
       jsonldCryptographicSuitePreferences: this.jsonldCryptographicSuitePreferences,
       ...(issuanceOpt && { forceIssuanceOpt: issuanceOpt }),
@@ -661,6 +665,15 @@ export class OID4VCIHolder implements IAgentPlugin {
     return allCredentials
   }
 
+  private selectDidMethodPreferences(didMethodPreferences: Array<SupportedDidMethodEnum> | undefined, walletType: WalletType) {
+    const supportedDidMethodEnums =
+      Array.isArray(didMethodPreferences) && didMethodPreferences.length > 0 ? didMethodPreferences : this.didMethodPreferences
+    if (walletType === 'ORGANIZATIONAL') {
+      return [SupportedDidMethodEnum.DID_WEB, ...supportedDidMethodEnums]
+    }
+    return supportedDidMethodEnums
+  }
+
   private async oid4vciHolderGetCredential(args: GetCredentialArgs, context: RequiredContext): Promise<MappedCredentialToAccept> {
     const { issuanceOpt, pin, client, accessTokenOpts } = args
     logger.info(`Getting credential`, issuanceOpt)
@@ -669,7 +682,7 @@ export class OID4VCIHolder implements IAgentPlugin {
       return Promise.reject(Error(`Cannot get credential issuance options`))
     }
 
-    const identifier = await getIdentifierOpts({ issuanceOpt, context })
+    const identifier = await getIdentifierOpts({ issuanceOpt, context, defaultHolderIdentifier: this.defaultHolderIdentifier })
     issuanceOpt.identifier = identifier
     logger.info(`ID opts`, identifier)
     const alg: JoseSignatureAlgorithm | JoseSignatureAlgorithmString = await signatureAlgorithmFromKey({ key: identifier.key })
@@ -731,6 +744,7 @@ export class OID4VCIHolder implements IAgentPlugin {
         format: issuanceOpt.format,
         // TODO: We need to update the machine and add notifications support for actual deferred credentials instead of just waiting/retrying
         deferredCredentialAwait: true,
+        ...(issuanceOpt.id && typeof issuanceOpt.id === 'string' ? { credentialConfigurationId: issuanceOpt.id } : undefined),
         ...(!jwk && { kid }), // vci client either wants a jwk or kid. If we have used the jwk method do not provide the kid
         jwk,
         alg,

package/src/link-handler/index.ts

@@ -3,7 +3,7 @@ import { AuthorizationRequestOpts, AuthorizationServerClientOpts, AuthzFlowType,
 import { DefaultLinkPriorities, LinkHandlerAdapter } from '@sphereon/ssi-sdk.core'
 import { IMachineStatePersistence, interpreterStartOrResume, SerializableState } from '@sphereon/ssi-sdk.xstate-machine-persistence'
 import { IAgentContext } from '@veramo/core'
-import { GetMachineArgs, IOID4VCIHolder, OID4VCIMachineEvents, OID4VCIMachineStateNavigationListener } from '../types/IOID4VCIHolder'
+import { GetMachineArgs, IOID4VCIHolder, OID4VCIMachineEvents, OID4VCIMachineStateNavigationListener, WalletType } from '../types/IOID4VCIHolder'
 import { FirstPartyMachineStateNavigationListener } from '../types/FirstPartyMachine'
 
 /**
@@ -14,6 +14,7 @@ export class OID4VCIHolderLinkHandler extends LinkHandlerAdapter {
   private readonly stateNavigationListener?: OID4VCIMachineStateNavigationListener
   private readonly firstPartyStateNavigationListener?: FirstPartyMachineStateNavigationListener
   private readonly noStateMachinePersistence: boolean
+  private readonly walletType: WalletType
   private readonly authorizationRequestOpts?: AuthorizationRequestOpts
   private readonly clientOpts?: AuthorizationServerClientOpts
   private readonly trustAnchors?: Array<string>
@@ -21,7 +22,7 @@ export class OID4VCIHolderLinkHandler extends LinkHandlerAdapter {
   constructor(
     args: Pick<
       GetMachineArgs,
-      'stateNavigationListener' | 'authorizationRequestOpts' | 'clientOpts' | 'trustAnchors' | 'firstPartyStateNavigationListener'
+      'stateNavigationListener' | 'authorizationRequestOpts' | 'clientOpts' | 'trustAnchors' | 'firstPartyStateNavigationListener' | 'walletType'
     > & {
       priority?: number | DefaultLinkPriorities
       protocols?: Array<string | RegExp>
@@ -33,6 +34,7 @@ export class OID4VCIHolderLinkHandler extends LinkHandlerAdapter {
     this.authorizationRequestOpts = args.authorizationRequestOpts
     this.clientOpts = args.clientOpts
     this.context = args.context
+    this.walletType = args.walletType ?? 'NATURAL_PERSON'
     this.noStateMachinePersistence = args.noStateMachinePersistence === true
     this.stateNavigationListener = args.stateNavigationListener
     this.firstPartyStateNavigationListener = args.firstPartyStateNavigationListener
@@ -68,6 +70,7 @@ export class OID4VCIHolderLinkHandler extends LinkHandlerAdapter {
       ...((clientOpts.clientId || clientOpts.clientAssertionType) && { clientOpts: clientOpts as AuthorizationServerClientOpts }),
       stateNavigationListener: this.stateNavigationListener,
       firstPartyStateNavigationListener: this.firstPartyStateNavigationListener,
+      walletType: this.walletType,
     })
 
     const interpreter = oid4vciMachine.interpreter

package/src/machines/oid4vciMachine.ts

@@ -126,6 +126,7 @@ const createOID4VCIMachine = (opts?: CreateOID4VCIMachineOpts): OID4VCIStateMach
     // TODO WAL-671 we need to store the data from OpenIdProvider here in the context and make sure we can restart the machine with it and init the OpenIdProvider
     accessTokenOpts: opts?.accessTokenOpts,
     requestData: opts?.requestData,
+    walletType: opts?.walletType ?? 'NATURAL_PERSON',
     trustAnchors: opts?.trustAnchors ?? [],
     issuanceOpt: opts?.issuanceOpt,
     didMethodPreferences: opts?.didMethodPreferences,
@@ -347,7 +348,7 @@ const createOID4VCIMachine = (opts?: CreateOID4VCIMachineOpts): OID4VCIStateMach
             cond: OID4VCIMachineGuards.isFirstPartyApplication,
           },
           {
-            target: OID4VCIMachineStates.initiateAuthorizationRequest,
+            target: OID4VCIMachineStates.prepareAuthorizationRequest,
             cond: OID4VCIMachineGuards.requireAuthorizationGuard,
           },
           {
@@ -444,10 +445,6 @@ const createOID4VCIMachine = (opts?: CreateOID4VCIMachineOpts): OID4VCIStateMach
             target: OID4VCIMachineStates.prepareAuthorizationRequest,
             cond: OID4VCIMachineGuards.requireAuthorizationGuard,
           },
-          {
-            target: OID4VCIMachineStates.initiateAuthorizationRequest,
-            cond: OID4VCIMachineGuards.requireAuthorizationGuard,
-          },
           {
             target: OID4VCIMachineStates.verifyPin,
             cond: OID4VCIMachineGuards.requirePinGuard,
@@ -524,10 +521,6 @@ const createOID4VCIMachine = (opts?: CreateOID4VCIMachineOpts): OID4VCIStateMach
             target: OID4VCIMachineStates.verifyPin,
             cond: OID4VCIMachineGuards.requirePinGuard,
           },
-          {
-            target: OID4VCIMachineStates.prepareAuthorizationRequest,
-            cond: OID4VCIMachineGuards.requireAuthorizationGuard,
-          },
           {
             target: OID4VCIMachineStates.getCredentials,
           },

package/src/services/OID4VCIHolderService.ts

@@ -214,7 +214,7 @@ export const mapCredentialToAccept = async (args: MapCredentialToAcceptArgs): Pr
     if (!hasher) {
       return Promise.reject('a hasher is required for encoded SD-JWT credentials')
     }
-    const asyncHasher: Hasher = (data: string | ArrayBuffer, algorithm: string) => Promise.resolve(hasher(data, algorithm))
+    const asyncHasher: Hasher = (data: string | ArrayBuffer | SharedArrayBuffer, algorithm: string) => Promise.resolve(hasher(data, algorithm))
     const decodedSdJwt = await CredentialMapper.decodeSdJwtVcAsync(wrappedVerifiableCredential.credential, asyncHasher)
     uniformVerifiableCredential = sdJwtDecodedCredentialToUniformCredential(<SdJwtDecodedVerifiableCredential>decodedSdJwt)
   } else if (CredentialMapper.isMsoMdocDecodedCredential(wrappedVerifiableCredential.credential)) {
@@ -263,7 +263,7 @@ export const extractCredentialFromResponse = (credentialResponse: CredentialResp
 }
 
 export const getIdentifierOpts = async (args: GetIdentifierArgs): Promise<ManagedIdentifierResult> => {
-  const { issuanceOpt, context } = args
+  const { issuanceOpt, context, defaultHolderIdentifier } = args
   const { identifier: identifierArg } = issuanceOpt
   if (identifierArg && isManagedIdentifierResult(identifierArg)) {
     return identifierArg
@@ -295,6 +295,11 @@ export const getIdentifierOpts = async (args: GetIdentifierArgs): Promise<Manage
     (!supportedBindingMethods || supportedBindingMethods.length === 0 || supportedBindingMethods.filter((method) => method.startsWith('did')))
   ) {
     // previous code for managing DIDs only
+    const identifierFilter = defaultHolderIdentifier
+      ? defaultHolderIdentifier.startsWith('did:')
+        ? { did: defaultHolderIdentifier }
+        : { alias: defaultHolderIdentifier }
+      : {}
     const { result, created } = await getOrCreatePrimaryIdentifier(agentContext, {
       method: supportedPreferredDidMethod,
       createOpts: {
@@ -303,6 +308,7 @@ export const getIdentifierOpts = async (args: GetIdentifierArgs): Promise<Manage
           use: KeyUse.Signature,
           codecName: issuanceOpt.codecName,
           kms: issuanceOpt.kms,
+          ...identifierFilter,
         },
       },
     })

package/src/types/IOID4VCIHolder.ts

@@ -113,6 +113,7 @@ export type OID4VCIHolderOptions = {
   didMethodPreferences?: Array<SupportedDidMethodEnum>
   jwtCryptographicSuitePreferences?: Array<JoseSignatureAlgorithm | JoseSignatureAlgorithmString>
   hasher?: HasherSync
+  defaultHolderIdentifier?: string
 }
 
 export type OnContactIdentityCreatedArgs = {
@@ -136,6 +137,7 @@ export type OnIdentifierCreatedArgs = {
 
 export type GetMachineArgs = {
   requestData: RequestData
+  walletType: WalletType
   trustAnchors?: Array<string>
   authorizationRequestOpts?: AuthorizationRequestOpts
   clientOpts?: AuthorizationServerClientOpts
@@ -157,7 +159,7 @@ export type CreateCredentialsToSelectFromArgs = Pick<
 export type GetContactArgs = Pick<OID4VCIMachineContext, 'serverMetadata'>
 export type GetCredentialsArgs = Pick<
   OID4VCIMachineContext,
-  'verificationCode' | 'openID4VCIClientState' | 'selectedCredentials' | 'didMethodPreferences' | 'issuanceOpt' | 'accessTokenOpts'
+  'verificationCode' | 'openID4VCIClientState' | 'selectedCredentials' | 'didMethodPreferences' | 'issuanceOpt' | 'accessTokenOpts' | 'walletType'
 >
 export type AddContactIdentityArgs = Pick<OID4VCIMachineContext, 'credentialsToAccept' | 'contact'>
 export type GetIssuerBrandingArgs = Pick<OID4VCIMachineContext, 'serverMetadata' | 'contact'>
@@ -233,6 +235,7 @@ export type OID4VCIMachineContext = {
   openID4VCIClientState?: OpenID4VCIClientState
   credentialToSelectFrom: Array<CredentialToSelectFromResult>
   contactAlias: string
+  walletType: WalletType
   contact?: Party
   selectedCredentials: Array<string>
   credentialsToAccept: Array<MappedCredentialToAccept>
@@ -316,6 +319,7 @@ export type OID4VCIStateMachine = StateMachine<
 
 export type CreateOID4VCIMachineOpts = {
   requestData: RequestData
+  walletType: WalletType
   machineName?: string
   locale?: string
   trustAnchors?: Array<string>
@@ -568,6 +572,7 @@ export type DefaultIssuanceOpts = {
 export type GetIdentifierArgs = {
   issuanceOpt: IssuanceOpts
   context: RequiredContext
+  defaultHolderIdentifier?: string
 }
 
 export type GetAuthenticationKeyArgs = {
@@ -729,6 +734,8 @@ export type DynamicRegistrationClientMetadataDisplay = Pick<
   'client_name' | 'client_uri' | 'contacts' | 'tos_uri' | 'policy_uri' | 'logo_uri'
 >
 
+export type WalletType = 'NATURAL_PERSON' | 'ORGANIZATIONAL'
+
 export type DidAgents = TAgent<IResolver & IDIDManager>
 
 export type RequiredContext = IAgentContext<