@sphereon/ssi-sdk.oid4vci-issuer 0.32.1-feature.VDX.341.56 → 0.32.1-feature.new.develop.273

package/src/functions.ts

@@ -3,10 +3,12 @@ import {
   CredentialRequest,
   IssuerMetadata,
   Jwt,
+  JWTHeader,
+  JWTPayload,
   JwtVerifyResult,
   OID4VCICredentialFormat,
+  StatusListOpts,
 } from '@sphereon/oid4vci-common'
-import { JWTHeader, JWTPayload } from '@sphereon/oid4vci-common/lib/types'
 import { CredentialDataSupplier, CredentialIssuanceInput, CredentialSignerCallback, VcIssuer, VcIssuerBuilder } from '@sphereon/oid4vci-issuer'
 import { getAgentResolver, IDIDOptions } from '@sphereon/ssi-sdk-ext.did-utils'
 import { legacyKeyRefsToIdentifierOpts, ManagedIdentifierOptsOrResult } from '@sphereon/ssi-sdk-ext.identifier-resolution'
@@ -14,15 +16,17 @@ import { contextHasPlugin } from '@sphereon/ssi-sdk.agent-config'
 import { SdJwtVcPayload } from '@sphereon/ssi-sdk.sd-jwt/dist'
 import { IStatusListPlugin } from '@sphereon/ssi-sdk.vc-status-list'
 import { CompactSdJwtVc, CredentialMapper, ICredential, W3CVerifiableCredential } from '@sphereon/ssi-types'
-import { CredentialPayload, DIDDocument, ProofFormat } from '@veramo/core'
+import { CredentialPayload, ProofFormat } from '@veramo/core'
 import { bytesToBase64 } from '@veramo/utils'
 import { createJWT, decodeJWT, JWTVerifyOptions, verifyJWT } from 'did-jwt'
 import { Resolvable } from 'did-resolver'
 import { jwtDecode } from 'jwt-decode'
 import { IIssuerOptions, IRequiredContext } from './types/IOID4VCIIssuer'
+import fetch from 'cross-fetch'
+import { AuthorizationResponseStateStatus } from '@sphereon/did-auth-siop'
 
 export function getJwtVerifyCallback({ verifyOpts }: { verifyOpts?: JWTVerifyOptions }, _context: IRequiredContext) {
-  return async (args: { jwt: string; kid?: string }): Promise<JwtVerifyResult<DIDDocument>> => {
+  return async (args: { jwt: string; kid?: string }): Promise<JwtVerifyResult> => {
     const resolver = getAgentResolver(_context, {
       resolverResolution: true,
       uniresolverResolution: true,
@@ -49,11 +53,16 @@ export function getJwtVerifyCallback({ verifyOpts }: { verifyOpts?: JWTVerifyOpt
 
       const header = jwtDecode<JWTHeader>(args.jwt, { header: true })
       const payload = jwtDecode<JWTPayload>(args.jwt, { header: false })
+      const kid = args.kid ?? header.kid
+      //const jwk = !kid ? jwkInfo.jwk : undefined // TODO double-check if this is correct
+      const jwk = jwkInfo.jwk // FIXME workaround IATAB2B-57
       return {
         alg,
         ...identifier,
         jwt: { header, payload },
-      } as JwtVerifyResult<DIDDocument>
+        ...(kid && { kid }),
+        ...(jwk && { jwk }),
+      } as JwtVerifyResult
     }
 
     const decodedJwt = (await decodeJWT(args.jwt)) as Jwt
@@ -64,7 +73,7 @@ export function getJwtVerifyCallback({ verifyOpts }: { verifyOpts?: JWTVerifyOpt
       return {
         alg: decodedJwt.header.alg,
         jwt: decodedJwt,
-      } as JwtVerifyResult<DIDDocument>
+      } as JwtVerifyResult
     }
     const did = kid.split('#')[0]
 
@@ -155,11 +164,25 @@ export async function getAccessTokenSignerCallback(
   }
 
   async function accessTokenSignerCallback(jwt: Jwt, kid?: string): Promise<string> {
-    const issuer = opts?.iss ?? opts.didOpts?.idOpts?.identifier.toString()
+    const issuer =
+      opts.idOpts?.issuer ??
+      (typeof opts.idOpts?.identifier === 'string' ? opts.idOpts.identifier : (opts.didOpts?.idOpts?.identifier?.toString() ?? opts?.iss))
     if (!issuer) {
       throw Error('No issuer configured for access tokens')
     }
-    return await createJWT(jwt.payload, { signer, issuer }, { ...jwt.header, typ: 'JWT' })
+
+    let kidHeader: string | undefined = jwt?.header?.kid ?? kid
+    if (!kidHeader) {
+      if (
+        opts.idOpts?.method === 'did' ||
+        opts.idOpts?.method === 'kid' ||
+        (typeof opts.didOpts?.idOpts.identifier === 'string' && opts.didOpts?.idOpts?.identifier?.startsWith('did:'))
+      ) {
+        // @ts-ignore
+        kidHeader = opts.idOpts?.kid ?? opts.didOpts?.idOpts?.kid ?? opts?.didOpts?.identifierOpts?.kid
+      }
+    }
+    return await createJWT(jwt.payload, { signer, issuer }, { ...jwt.header, ...(kidHeader && { kid: kidHeader }), typ: 'JWT' })
   }
 
   return accessTokenSignerCallback
@@ -170,14 +193,15 @@ export async function getCredentialSignerCallback(
     crypto?: Crypto
   },
   context: IRequiredContext,
-): Promise<CredentialSignerCallback<DIDDocument>> {
+): Promise<CredentialSignerCallback> {
   async function issueVCCallback(args: {
     credentialRequest: CredentialRequest
     credential: CredentialIssuanceInput
-    jwtVerifyResult: JwtVerifyResult<DIDDocument>
+    jwtVerifyResult: JwtVerifyResult
     format?: OID4VCICredentialFormat
+    statusLists?: Array<StatusListOpts>
   }): Promise<W3CVerifiableCredential | CompactSdJwtVc> {
-    const { jwtVerifyResult, format } = args
+    const { jwtVerifyResult, format, statusLists } = args
     const credential = args.credential as ICredential // TODO: SDJWT
     let proofFormat: ProofFormat
 
@@ -204,9 +228,10 @@ export async function getCredentialSignerCallback(
       // TODO: We should extend the plugin capabilities of issuance so we do not have to tuck this into the sign callback
       if (contextHasPlugin<IStatusListPlugin>(context, 'slAddStatusToCredential')) {
         // Add status list if enabled (and when the input has a credentialStatus object (can be empty))
-        const credentialStatusVC = await context.agent.slAddStatusToCredential({ credential })
+        const credentialStatusVC = await context.agent.slAddStatusToCredential({ credential, statusLists })
         if (credential.credentialStatus && !credential.credentialStatus.statusListCredential) {
           credential.credentialStatus = credentialStatusVC.credentialStatus
+          // TODO update statusLists somehow?
         }
       }
 
@@ -237,6 +262,28 @@ export async function getCredentialSignerCallback(
           _sd: credential['_sd'],
         }
       }
+
+      if (contextHasPlugin<IStatusListPlugin>(context, 'slAddStatusToSdJwtCredential')) {
+        if ((sdJwtPayload.status && sdJwtPayload.status.status_list) || (statusLists && statusLists.length > 0)) {
+          // Add status list if enabled (and when the input has a credentialStatus object (can be empty))
+          const sdJwtPayloadWithStatus = await context.agent.slAddStatusToSdJwtCredential({ credential: sdJwtPayload, statusLists })
+          if (sdJwtPayload.status?.status_list?.idx) {
+            if (!sdJwtPayloadWithStatus.status || !sdJwtPayloadWithStatus.status.status_list) {
+              // sdJwtPayload and sdJwtPayloadWithStatus is the same for now, but we should use the result anyway as this could be subject to change
+              return Promise.reject(Error('slAddStatusToSdJwtCredential did not return a status_list'))
+            }
+
+            // Update statusListId & statusListIndex back to the credential session TODO SSISDK-4 This is not a clean way to do this.
+            if (statusLists && statusLists.length > 0) {
+              const statusList = statusLists[0]
+              statusList.statusListId = sdJwtPayloadWithStatus.status.status_list.uri
+              statusList.statusListIndex = sdJwtPayloadWithStatus.status.status_list.idx
+            }
+            sdJwtPayload.status.status_list.idx = sdJwtPayloadWithStatus.status.status_list.idx
+          }
+        }
+      }
+
       const result = await context.agent.createSdJwtVc({
         credentialPayload: sdJwtPayload,
         disclosureFrame: disclosureFrame,
@@ -261,10 +308,10 @@ export async function createVciIssuerBuilder(
     credentialDataSupplier?: CredentialDataSupplier
   },
   context: IRequiredContext,
-): Promise<VcIssuerBuilder<DIDDocument>> {
+): Promise<VcIssuerBuilder> {
   const { issuerOpts, issuerMetadata, authorizationServerMetadata } = args
 
-  const builder = new VcIssuerBuilder<DIDDocument>()
+  const builder = new VcIssuerBuilder()
   // @ts-ignore
   const resolver =
     args.resolver ??
@@ -285,14 +332,23 @@ export async function createVciIssuerBuilder(
   builder.withAuthorizationMetadata(authorizationServerMetadata)
   // builder.withUserPinRequired(issuerOpts.userPinRequired ?? false) was removed from implementers draft v1
   builder.withCredentialSignerCallback(await getCredentialSignerCallback(idOpts, context))
+
+  if (issuerOpts.asClientOpts) {
+    builder.withASClientMetadata(issuerOpts.asClientOpts)
+    // @ts-ignore
+    // const authorizationServer = issuerMetadata.authorization_servers[0] as string
+    // Set the OIDC verifier
+    // builder.withJWTVerifyCallback(oidcAccessTokenVerifyCallback({clientMetadata: issuerOpts.asClientOpts, credentialIssuer: issuerMetadata.credential_issuer as string, authorizationServer}))
+  }
+  // Do not use it when asClient is used
   builder.withJWTVerifyCallback(getJwtVerifyCallback({ verifyOpts: jwtVerifyOpts }, context))
+
   if (args.credentialDataSupplier) {
     builder.withCredentialDataSupplier(args.credentialDataSupplier)
   }
   builder.withInMemoryCNonceState()
   builder.withInMemoryCredentialOfferState()
   builder.withInMemoryCredentialOfferURIState()
-  builder.build()
 
   return builder
 }
@@ -310,7 +366,7 @@ export async function createVciIssuer(
     credentialDataSupplier?: CredentialDataSupplier
   },
   context: IRequiredContext,
-): Promise<VcIssuer<DIDDocument>> {
+): Promise<VcIssuer> {
   return (
     await createVciIssuerBuilder(
       {
@@ -323,3 +379,58 @@ export async function createVciIssuer(
     )
   ).build()
 }
+
+export async function createAuthRequestUriCallback(opts: { path: string; presentationDefinitionId: string }): Promise<() => Promise<string>> {
+  async function authRequestUriCallback(): Promise<string> {
+    const path = opts.path.replace(':definitionId', opts.presentationDefinitionId)
+    return fetch(path, {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/json',
+      },
+    }).then(async (response): Promise<string> => {
+      if (response.status >= 400) {
+        return Promise.reject(Error(await response.text()))
+      } else {
+        const responseData = await response.json()
+
+        if (!responseData.authRequestURI) {
+          return Promise.reject(Error('Missing auth request uri in response body'))
+        }
+
+        return responseData.authRequestURI
+      }
+    })
+  }
+
+  return authRequestUriCallback
+}
+
+export async function createVerifyAuthResponseCallback(opts: {
+  path: string
+  presentationDefinitionId: string
+}): Promise<(correlationId: string) => Promise<boolean>> {
+  async function verifyAuthResponseCallback(correlationId: string): Promise<boolean> {
+    return fetch(opts.path, {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/json',
+      },
+      body: JSON.stringify({ definitionId: opts.presentationDefinitionId, correlationId }),
+    }).then(async (response): Promise<boolean> => {
+      if (response.status >= 400) {
+        return Promise.reject(Error(await response.text()))
+      } else {
+        const responseData = await response.json()
+
+        if (!responseData.status) {
+          return Promise.reject(Error('Missing status in response body'))
+        }
+
+        return responseData.status === AuthorizationResponseStateStatus.VERIFIED
+      }
+    })
+  }
+
+  return verifyAuthResponseCallback
+}

package/src/state-manager/oid4vcState/IAbstractMachineStateStore.ts

@@ -0,0 +1,51 @@
+import { StateType } from '@sphereon/oid4vci-common'
+import { Oid4vcStateEntity } from '@sphereon/ssi-sdk.data-store'
+
+export interface IOid4vcStateStore<StateType> {
+  persistOid4vcState(args: Oid4vcStateStoreParams<StateType>): Promise<Oid4vcStatePersisted<StateType>>
+
+  findOid4vcStates(args: StoreOid4vcFindActiveArgs): Promise<Array<Oid4vcStatePersisted<StateType>>>
+
+  getOid4vcState(args: StoreOid4vcGetArgs): Promise<Oid4vcStatePersisted<StateType>>
+
+  deleteOid4vcState(args: StoreOid4vcDeleteArgs): Promise<boolean>
+
+  deleteExpiredOid4vcStates(args: StoreOid4vcDeleteExpiredArgs): Promise<number>
+}
+
+export type StoreMachineStatePersistArgs<StateType> = Omit<Oid4vcStateStoreParams<StateType>, 'createdAt' | 'updatedAt'>
+
+export type StoreOid4vcFindActiveArgs = Partial<Pick<Oid4vcStateStoreParams<StateType>, 'expiresAt' | 'tenantId' | 'stateId'>>
+
+export type FindMachineStatesFilterArgs = Array<Partial<Omit<Oid4vcStateStoreParams<StateType>, 'state'>>>
+
+export type StoreFindMachineStatesArgs = {
+  filter: FindMachineStatesFilterArgs
+}
+
+export type StoreOid4vcGetArgs = Pick<Oid4vcStateEntity<StateType>, 'id' | 'stateId' | 'correlationId' | 'lookups' | 'tenantId'>
+export type Oid4vcStateStore<StateType> = Pick<Oid4vcStateEntity<StateType>, 'id' | 'stateId' | 'correlationId' | 'lookups'>
+
+export type StoreOid4vcDeleteArgs = StoreOid4vcGetArgs
+export type StoreOid4vcDeleteExpiredArgs = {
+  id?: string
+  correlationId?: string
+  sessionId?: string
+  lookups?: Array<string>
+  tenantId?: string
+}
+
+export type Oid4vcStatePersisted<StateType> = {
+  id: string
+  stateId?: string
+  correlationId?: string
+  type: string
+  state: StateType
+  lookups?: Array<string>
+  createdAt: Date
+  lastUpdatedAt: Date
+  expiresAt?: Date
+  tenantId?: string
+}
+
+export type Oid4vcStateStoreParams<StateType> = Omit<Oid4vcStatePersisted<StateType>, 'id'>

package/src/state-manager/oid4vcState/MachineStateStore.ts

@@ -0,0 +1,135 @@
+// import Debug from 'debug'
+//
+//
+// const debug = Debug('sphereon:ssi-sdk:machine-state:store')
+//
+// /**
+//  * Represents a data store for managing machine states.
+//  */
+// export class MachineStateStore extends IAbstractMachineStateStore {
+// private readonly _dbConnection: OrPromise<DataSource>
+//
+// constructor(dbConnection: OrPromise<DataSource>) {
+//   super()
+//   this._dbConnection = dbConnection
+// }
+// async persistMachineState(state: StoreMachineStatePersistArgs): Promise<StoreMachineStateInfo> {
+//   const connection: DataSource = await this._dbConnection
+//   const { machineName, instanceId, tenantId } = state
+//   debug(`Executing persistMachineState for machine ${machineName}, instance ${instanceId}, tenantId: ${tenantId}...`)
+//   const entity = MachineStateStore.machineStateInfoEntityFrom(state)
+//   const existing = await connection.getRepository(MachineStateInfoEntity).findOne({
+//     where: {
+//       instanceId: state.instanceId,
+//     },
+//   })
+//   if (existing && existing.updatedCount > state.updatedCount) {
+//     const error = `Updating machine state with an older version is not allowed. Machine ${existing.machineName}, last count: ${
+//       existing.updatedCount
+//     }, new count: ${existing.updatedCount}, last updated: ${existing.updatedAt}, current: ${new Date()}, instance: ${existing.instanceId}`
+//     console.log(error)
+//     return Promise.reject(new Error(error))
+//   }
+//   // No need for a transaction. This is a single entity. We don't want to be surprised by an isolation level hiding the state from others
+//   const result = await connection.getRepository(MachineStateInfoEntity).save(entity, { transaction: false })
+//   debug(`Done persistMachineState machine ${machineName}, instance ${instanceId}, tenantId: ${tenantId}`)
+//   return MachineStateStore.machineInfoFrom(result)
+// }
+//
+// async findActiveMachineStates(args: StoreMachineStatesFindActiveArgs): Promise<Array<StoreMachineStateInfo>> {
+//   const { tenantId, machineName, instanceId } = args
+//   const connection: DataSource = await this._dbConnection
+//   debug(`Executing findActiveMachineStates query with machineName: ${machineName}, tenantId: ${tenantId}`)
+//   const queryBuilder = connection
+//     .getRepository(MachineStateInfoEntity)
+//     .createQueryBuilder('state')
+//     .where('state.completedAt IS NULL')
+//     .andWhere(
+//       new Brackets((qb) => {
+//         qb.where('state.expiresAt IS NULL').orWhere('state.expiresAt > :now', { now: new Date() })
+//       }),
+//     )
+//
+//   if (instanceId) {
+//     queryBuilder.andWhere('state.instanceId = :instanceId', { instanceId })
+//   }
+//   if (tenantId) {
+//     queryBuilder.andWhere('state.tenantId = :tenantId', { tenantId })
+//   }
+//   if (machineName) {
+//     queryBuilder.andWhere('state.machineName = :machineName', { machineName })
+//   }
+//
+//   return (
+//     (await queryBuilder
+//       .orderBy('state.updatedAt', 'DESC')
+//       .getMany()
+//       .then((entities) => entities.map(MachineStateStore.machineInfoFrom))) ?? []
+//   )
+// }
+//
+// async findMachineStates(args?: StoreFindMachineStatesArgs): Promise<Array<StoreMachineStateInfo>> {
+//   const connection: DataSource = await this._dbConnection
+//   debug('findMachineStates', args)
+//   const result: Array<MachineStateInfoEntity> = await connection.getRepository(MachineStateInfoEntity).find({
+//     ...(args?.filter && { where: args?.filter }),
+//     transaction: false,
+//   })
+//
+//   return result.map((event: MachineStateInfoEntity) => MachineStateStore.machineInfoFrom(event))
+// }
+//
+// async getMachineState(args: StoreMachineStateGetArgs): Promise<StoreMachineStateInfo> {
+//   const connection: DataSource = await this._dbConnection
+//   debug('getMachineState', args)
+//   return connection.getRepository(MachineStateInfoEntity).findOneOrFail({ where: { instanceId: args.instanceId } })
+// }
+//
+// async deleteMachineState(args: StoreMachineStateDeleteArgs): Promise<boolean> {
+//   debug(`Executing deleteMachineState query with id: ${args.instanceId}`)
+//   if (!args.instanceId) {
+//     throw new Error('No instanceId parameter is provided.')
+//   }
+//   try {
+//     const connection: DataSource = await this._dbConnection
+//
+//     const result = await connection.getRepository(MachineStateInfoEntity).delete(args.instanceId)
+//     return result.affected != null && result.affected > 0
+//   } catch (error) {
+//     debug(`Error deleting state: ${error}`)
+//     return false
+//   }
+// }
+//
+// async deleteExpiredMachineStates(args: StoreMachineStateDeleteExpiredArgs): Promise<number> {
+//   const { machineName, tenantId, deleteDoneStates } = args
+//   debug(`Executing deleteExpiredMachineStates query with params: ${JSON.stringify(args)}`)
+//   try {
+//     const connection: DataSource = await this._dbConnection
+//
+//     const deleteCriteria: FindOptionsWhere<MachineStateInfoEntity> = {
+//       ...(machineName && { machineName }),
+//       ...(tenantId && { tenantId }),
+//       // When deleteOnDone state is set we only look at completedAt, in other cases we compare current time with expiresAt
+//       ...(!deleteDoneStates && { expiresAt: LessThan(new Date()) }),
+//       ...(deleteDoneStates && { completedAt: Not(IsNull()) }),
+//     }
+//     const result = await connection.getRepository(MachineStateInfoEntity).delete(deleteCriteria)
+//     return result.affected ?? 0
+//   } catch (error) {
+//     debug(`Error deleting machine info: ${error}`)
+//     return Promise.reject(new Error(`Error deleting expired machine states for machine type ${machineName}`))
+//   }
+// }
+//
+// protected static machineInfoFrom = (machineStateInfoEntity: MachineStateInfoEntity): StoreMachineStateInfo => {
+//   // We are making sure no entity function get copied
+//   return JSON.parse(JSON.stringify(machineStateInfoEntity))
+// }
+//
+// static machineStateInfoEntityFrom = (machineStateInfo: StoreMachineStateInfo | StoreMachineStatePersistArgs): MachineStateInfoEntity => {
+//   const entity = new MachineStateInfoEntity()
+//   Object.assign(entity, machineStateInfo)
+//   return entity
+// }
+// }

package/src/types/IOID4VCIIssuer.ts

@@ -1,14 +1,18 @@
 import {
   AccessTokenRequest,
   AccessTokenResponse,
+  ClientMetadata,
   CredentialConfigurationSupported,
   CredentialDataSupplierInput,
   CredentialIssuerMetadataOpts,
+  CredentialOfferMode,
   CredentialOfferSession,
   CredentialRequest,
   CredentialResponse,
   Grant,
   JsonLdIssuerCredentialDefinition,
+  QRCodeOpts,
+  StatusListOpts,
 } from '@sphereon/oid4vci-common'
 import { CredentialDataSupplier } from '@sphereon/oid4vci-issuer'
 import { IDIDOptions, ResolveOpts } from '@sphereon/ssi-sdk-ext.did-utils'
@@ -17,7 +21,7 @@ import { IOID4VCIStore } from '@sphereon/ssi-sdk.oid4vci-issuer-store'
 import { ICredential } from '@sphereon/ssi-types/dist'
 import { IAgentContext, ICredentialIssuer, IDIDManager, IKeyManager, IPluginMethodMap, IResolver } from '@veramo/core'
 import { IssuerInstance } from '../IssuerInstance'
-import { IJwtService } from '@sphereon/ssi-sdk-ext.identifier-resolution/src/types/IJwtService'
+import { IJwtService } from '@sphereon/ssi-sdk-ext.jwt-service'
 
 export type IssuerCredentialDefinition = JsonLdIssuerCredentialDefinition
 
@@ -41,6 +45,16 @@ export interface ICreateOfferArgs extends IIssuerInstanceArgs {
   credentialDefinition?: IssuerCredentialDefinition
   credentialOfferUri?: string
   credentialDataSupplierInput?: CredentialDataSupplierInput // Optional storage that can help the credential Data Supplier. For instance to store credential input data during offer creation, if no additional data can be supplied later on
+
+  redirectUri?: string
+  // auth_session?: string; Would be a nice extension to support, to allow external systems to determine what the auth_session value should be
+  // @Deprecated use tx_code in the grant object
+  correlationId?: string
+  sessionLifeTimeInSec?: number
+  qrCodeOpts?: QRCodeOpts
+  client_id?: string
+  statusListOpts?: Array<StatusListOpts>
+  offerMode?: CredentialOfferMode
   baseUri?: string
   scheme?: string
   pinLength?: number
@@ -74,6 +88,7 @@ export interface IIssuerInstanceOptions extends IMetadataOptions {
 }
 
 export interface IIssuerOptions {
+  asClientOpts?: ClientMetadata
   idOpts?: ManagedIdentifierOptsOrResult
   resolveOpts?: ResolveOpts
   /**
@@ -82,6 +97,12 @@ export interface IIssuerOptions {
   didOpts?: IDIDOptions
   userPinRequired?: boolean
   cNonceExpiresIn?: number
+
+  /**
+   * Used in the callbacks for the first party flow
+   */
+  // FIXME SPRIND-151 we need to start supporting a map with a definition id per credential, we can use the credential offer session to check which credential is being issued and then look it up in this map
+  presentationDefinitionId?: string
 }
 
 export interface IMetadataOptions {