@sphereon/ssi-sdk.oid4vci-issuer 0.36.1-next.11 → 0.36.1-next.113

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (11) hide show
  1. package/dist/index.cjs +49 -9
  2. package/dist/index.cjs.map +1 -1
  3. package/dist/index.d.cts +9 -4
  4. package/dist/index.d.ts +9 -4
  5. package/dist/index.js +49 -9
  6. package/dist/index.js.map +1 -1
  7. package/package.json +20 -20
  8. package/src/agent/OID4VCIIssuer.ts +42 -23
  9. package/src/functions.ts +35 -9
  10. package/src/index.ts +1 -1
  11. package/src/types/IOID4VCIIssuer.ts +5 -1
package/dist/index.js CHANGED
@@ -341,9 +341,9 @@ var require_plugin_schema = __commonJS({
341
341
  });
342
342
 
343
343
  // src/agent/OID4VCIIssuer.ts
344
+ import { retrieveWellknown } from "@sphereon/oid4vci-client";
344
345
  import { WellKnownEndpoints } from "@sphereon/oid4vci-common";
345
346
  import { assertValidAccessTokenRequest, createAccessTokenResponse } from "@sphereon/oid4vci-issuer";
346
- import { retrieveWellknown } from "@sphereon/oid4vci-client";
347
347
  import { getAgentResolver as getAgentResolver2 } from "@sphereon/ssi-sdk-ext.did-utils";
348
348
 
349
349
  // src/functions.ts
@@ -442,13 +442,17 @@ async function getAccessTokenKeyRef(opts, context) {
442
442
  }
443
443
  __name(getAccessTokenKeyRef, "getAccessTokenKeyRef");
444
444
  async function getAccessTokenSignerCallback(opts, context) {
445
+ const resolution = legacyKeyRefsToIdentifierOpts(opts);
446
+ const identifier = await context.agent.identifierManagedGet({
447
+ identifier: resolution.identifier,
448
+ vmRelationship: "authentication"
449
+ });
450
+ const keyRef = identifier.kmsKeyRef;
451
+ if (!keyRef) {
452
+ throw Error("Cannot sign access tokens without a key ref");
453
+ }
445
454
  const signer = /* @__PURE__ */ __name(async (data) => {
446
455
  let dataString, encoding;
447
- const resolution = await legacyKeyRefsToIdentifierOpts(opts);
448
- const keyRef = resolution.kmsKeyRef;
449
- if (!keyRef) {
450
- throw Error("Cannot sign access tokens without a key ref");
451
- }
452
456
  if (typeof data === "string") {
453
457
  dataString = data;
454
458
  encoding = void 0;
@@ -468,11 +472,18 @@ async function getAccessTokenSignerCallback(opts, context) {
468
472
  throw Error("No issuer configured for access tokens");
469
473
  }
470
474
  let kidHeader = jwt?.header?.kid ?? kid;
475
+ if (!kidHeader && identifier.kid) {
476
+ kidHeader = identifier.kid;
477
+ }
471
478
  if (!kidHeader) {
472
479
  if (opts.idOpts?.method === "did" || opts.idOpts?.method === "kid" || typeof opts.didOpts?.idOpts.identifier === "string" && opts.didOpts?.idOpts?.identifier?.startsWith("did:")) {
473
480
  kidHeader = opts.idOpts?.kid ?? opts.didOpts?.idOpts?.kid ?? opts?.didOpts?.identifierOpts?.kid;
474
481
  }
475
482
  }
483
+ const alg = identifier.jwk?.alg;
484
+ if (!alg) {
485
+ return Promise.reject(Error("No algorithm found in identifier JWK"));
486
+ }
476
487
  return await createJWT(jwt.payload, {
477
488
  signer,
478
489
  issuer
@@ -481,7 +492,8 @@ async function getAccessTokenSignerCallback(opts, context) {
481
492
  ...kidHeader && {
482
493
  kid: kidHeader
483
494
  },
484
- typ: "JWT"
495
+ typ: "JWT",
496
+ alg
485
497
  });
486
498
  }
487
499
  __name(accessTokenSignerCallback, "accessTokenSignerCallback");
@@ -493,7 +505,15 @@ async function getCredentialSignerCallback(idOpts, context) {
493
505
  const { jwtVerifyResult, format, statusLists } = args;
494
506
  const credential = args.credential;
495
507
  let proofFormat;
496
- const resolution = await context.agent.identifierManagedGet(idOpts);
508
+ let resolution;
509
+ if (typeof idOpts.identifier !== "string") {
510
+ resolution = idOpts;
511
+ } else {
512
+ resolution = await context.agent.identifierManagedGet({
513
+ identifier: idOpts.identifier,
514
+ vmRelationship: "assertionMethod"
515
+ });
516
+ }
497
517
  proofFormat = format?.includes("ld") ? "lds" : "jwt";
498
518
  const issuer = resolution.issuer ?? resolution.kmsKeyRef;
499
519
  if (CredentialMapper.isW3cCredential(credential)) {
@@ -739,6 +759,13 @@ var IssuerInstance = class {
739
759
  };
740
760
 
741
761
  // src/agent/OID4VCIIssuer.ts
762
+ var oid4vciIssuerMethods = [
763
+ "oid4vciCreateOfferURI",
764
+ "oid4vciIssueCredential",
765
+ "oid4vciCreateAccessTokenResponse",
766
+ "oid4vciGetInstance",
767
+ "oid4vciRefreshInstanceMetadata"
768
+ ];
742
769
  var OID4VCIIssuer = class _OID4VCIIssuer {
743
770
  static {
744
771
  __name(this, "OID4VCIIssuer");
@@ -750,7 +777,8 @@ var OID4VCIIssuer = class _OID4VCIIssuer {
750
777
  oid4vciCreateOfferURI: this.oid4vciCreateOfferURI.bind(this),
751
778
  oid4vciIssueCredential: this.oid4vciIssueCredential.bind(this),
752
779
  oid4vciCreateAccessTokenResponse: this.oid4vciCreateAccessTokenResponse.bind(this),
753
- oid4vciGetInstance: this.oid4vciGetInstance.bind(this)
780
+ oid4vciGetInstance: this.oid4vciGetInstance.bind(this),
781
+ oid4vciRefreshInstanceMetadata: this.oid4vciRefreshInstanceMetadata.bind(this)
754
782
  };
755
783
  _opts;
756
784
  constructor(opts) {
@@ -848,6 +876,17 @@ var OID4VCIIssuer = class _OID4VCIIssuer {
848
876
  }));
849
877
  return this.oid4vciGetInstance(args, context);
850
878
  }
879
+ // TODO SSISDK-87 create proper solution to update issuer metadata
880
+ async oid4vciRefreshInstanceMetadata(args, context) {
881
+ const instance = this.instances.get(args.credentialIssuer);
882
+ if (instance) {
883
+ instance.issuerMetadata = await this.getIssuerMetadata({
884
+ ...args
885
+ }, context);
886
+ return true;
887
+ }
888
+ return false;
889
+ }
851
890
  async oid4vciGetInstance(args, context) {
852
891
  const credentialIssuer = args.credentialIssuer ?? _OID4VCIIssuer._DEFAULT_OPTS_KEY;
853
892
  if (!this.instances.has(credentialIssuer)) {
@@ -935,6 +974,7 @@ export {
935
974
  getAccessTokenSignerCallback,
936
975
  getCredentialSignerCallback,
937
976
  getJwtVerifyCallback,
977
+ oid4vciIssuerMethods,
938
978
  schema
939
979
  };
940
980
  //# sourceMappingURL=index.js.map
package/dist/index.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"sources":["../plugin.schema.json","../src/agent/OID4VCIIssuer.ts","../src/functions.ts","../src/IssuerInstance.ts","../src/index.ts"],"sourcesContent":["{\n \"IDidAuthSiopOpAuthenticator\": {\n \"components\": {\n \"schemas\": {\n \"IGetSiopSessionArgs\": {\n \"type\": \"object\",\n \"properties\": {\n \"sessionId\": {\n \"type\": \"string\"\n },\n \"additionalProperties\": false\n },\n \"required\": [\"sessionId\"],\n \"description\": \"Arguments needed for {@link DidAuthSiopOpAuthenticator.getSessionForSiop } \"\n },\n \"IRegisterSiopSessionArgs\": {\n \"type\": \"object\",\n \"properties\": {\n \"identifier\": {\n \"type\": \"object\",\n \"properties\": {\n \"did\": {\n \"type\": \"string\"\n },\n \"alias\": {\n \"type\": \"string\"\n },\n \"provider\": {\n \"type\": \"string\"\n },\n \"controllerKeyId\": {\n \"type\": \"string\"\n },\n \"keys\": {\n \"type\": \"array\",\n \"items\": {\n \"type\": \"object\",\n \"properties\": {\n \"additionalProperties\": true\n }\n }\n },\n \"services\": {\n \"type\": \"array\",\n \"items\": {\n \"type\": \"object\",\n \"properties\": {\n \"additionalProperties\": true\n }\n }\n }\n },\n \"additionalProperties\": false,\n \"required\": [\"did\", \"provider\", \"keys\", \"services\"]\n },\n \"sessionId\": {\n \"type\": \"string\"\n },\n \"expiresIn\": {\n \"type\": \"number\"\n },\n \"additionalProperties\": false\n },\n \"required\": [\"identifier\"],\n \"description\": \"Arguments needed for {@link DidAuthSiopOpAuthenticator.registerSessionForSiop } \"\n },\n \"IRemoveSiopSessionArgs\": {\n \"type\": \"object\",\n \"properties\": {\n \"sessionId\": {\n \"type\": \"string\"\n },\n \"additionalProperties\": false\n },\n \"required\": [\"sessionId\"],\n \"description\": \"Arguments needed for {@link DidAuthSiopOpAuthenticator.removeSessionForSiop } \"\n },\n \"IAuthenticateWithSiopArgs\": {\n \"type\": \"object\",\n \"properties\": {\n \"sessionId\": {\n \"type\": \"string\"\n },\n \"stateId\": {\n \"type\": \"string\"\n },\n \"redirectUrl\": {\n \"type\": \"string\"\n },\n \"additionalProperties\": false\n },\n \"required\": [\"sessionId\", \"stateId\", \"redirectUrl\"],\n \"description\": \"Arguments needed for {@link DidAuthSiopOpAuthenticator.authenticateWithSiop } \"\n },\n \"IResponse\": {\n \"type\": \"object\",\n \"properties\": {\n \"status\": {\n \"type\": \"number\"\n },\n \"additionalProperties\": true\n },\n \"required\": [\"status\"],\n \"description\": \"Result of {@link DidAuthSiopOpAuthenticator.authenticateWithSiop & DidAuthSiopOpAuthenticator.sendSiopAuthenticationResponse } \"\n },\n \"IGetSiopAuthenticationRequestFromRpArgs\": {\n \"type\": \"object\",\n \"properties\": {\n \"sessionId\": {\n \"type\": \"string\"\n },\n \"stateId\": {\n \"type\": \"string\"\n },\n \"redirectUrl\": {\n \"type\": \"string\"\n },\n \"additionalProperties\": false\n },\n \"required\": [\"sessionId\", \"stateId\", \"redirectUrl\"],\n \"description\": \"Arguments needed for {@link DidAuthSiopOpAuthenticator.getSiopAuthenticationRequestFromRP } \"\n },\n \"ParsedAuthenticationRequestURI\": {\n \"type\": \"object\",\n \"properties\": {\n \"jwt\": {\n \"type\": \"string\"\n },\n \"requestPayload\": {\n \"type\": \"object\",\n \"properties\": {\n \"additionalProperties\": true\n }\n },\n \"registration\": {\n \"type\": \"object\",\n \"properties\": {\n \"additionalProperties\": true\n }\n },\n \"additionalProperties\": false\n },\n \"required\": [\"jwt\", \"requestPayload\", \"registration\"],\n \"description\": \"Result of {@link DidAuthSiopOpAuthenticator.getSiopAuthenticationRequestFromRP } \"\n },\n \"IGetSiopAuthenticationRequestDetailsArgs\": {\n \"type\": \"object\",\n \"properties\": {\n \"sessionId\": {\n \"type\": \"string\"\n },\n \"verifiedAuthenticationRequest\": {\n \"type\": \"object\",\n \"properties\": {\n \"additionalProperties\": true\n }\n },\n \"credentialFilter\": {\n \"type\": \"object\",\n \"properties\": {\n \"additionalProperties\": true\n }\n },\n \"additionalProperties\": false\n },\n \"required\": [\"sessionId\", \"verifiedAuthenticationRequest\"],\n \"description\": \"Arguments needed for {@link DidAuthSiopOpAuthenticator.getSiopAuthenticationRequestDetails } \"\n },\n \"IAuthRequestDetails\": {\n \"type\": \"object\",\n \"properties\": {\n \"id\": {\n \"type\": \"string\"\n },\n \"alsoKnownAs\": {\n \"type\": \"array\",\n \"items\": {\n \"type\": \"string\"\n }\n },\n \"vpResponseOpts\": {\n \"type\": \"object\",\n \"properties\": {\n \"additionalProperties\": true\n }\n },\n \"additionalProperties\": false\n },\n \"required\": [\"id\", \"vpResponseOpts\"],\n \"description\": \"Result of {@link DidAuthSiopOpAuthenticator.getSiopAuthenticationRequestDetails } \"\n },\n \"IVerifySiopAuthenticationRequestUriArgs\": {\n \"type\": \"object\",\n \"properties\": {\n \"sessionId\": {\n \"type\": \"string\"\n },\n \"ParsedAuthenticationRequestURI\": {\n \"type\": \"object\",\n \"properties\": {\n \"additionalProperties\": true\n }\n },\n \"additionalProperties\": false\n },\n \"required\": [\"sessionId\", \"ParsedAuthenticationRequestURI\"],\n \"description\": \"Arguments needed for {@link DidAuthSiopOpAuthenticator.verifySiopAuthenticationRequestURI } \"\n },\n \"VerifiedAuthorizationRequest\": {\n \"type\": \"object\",\n \"properties\": {\n \"payload\": {\n \"type\": \"object\",\n \"properties\": {\n \"additionalProperties\": true\n }\n },\n \"presentationDefinitions\": {\n \"type\": \"object\",\n \"properties\": {\n \"additionalProperties\": true\n }\n },\n \"verifyOpts\": {\n \"type\": \"object\",\n \"properties\": {\n \"additionalProperties\": true\n }\n },\n \"additionalProperties\": false\n },\n \"required\": [\"payload\", \"verifyOpts\"],\n \"description\": \"Result of {@link DidAuthSiopOpAuthenticator.verifySiopAuthenticationRequestURI } \"\n },\n \"ISendSiopAuthenticationResponseArgs\": {\n \"type\": \"object\",\n \"properties\": {\n \"sessionId\": {\n \"type\": \"string\"\n },\n \"verifiedAuthenticationRequest\": {\n \"type\": \"object\",\n \"properties\": {\n \"additionalProperties\": true\n }\n },\n \"verifiablePresentationResponse\": {\n \"type\": \"object\",\n \"properties\": {\n \"additionalProperties\": true\n }\n },\n \"additionalProperties\": false\n },\n \"required\": [\"sessionId\", \"verifiedAuthenticationRequest\"],\n \"description\": \"Arguments needed for {@link DidAuthSiopOpAuthenticator.sendSiopAuthenticationResponse } \"\n }\n },\n \"methods\": {\n \"getSessionForSiop\": {\n \"description\": \"Get SIOP session\",\n \"arguments\": {\n \"$ref\": \"#/components/schemas/IGetSiopSessionArgs\"\n },\n \"returnType\": \"object\"\n },\n \"registerSessionForSiop\": {\n \"description\": \"Register SIOP session\",\n \"arguments\": {\n \"$ref\": \"#/components/schemas/IRegisterSiopSessionArgs\"\n },\n \"returnType\": \"object\"\n },\n \"removeSessionForSiop\": {\n \"description\": \"Remove SIOP session\",\n \"arguments\": {\n \"$ref\": \"#/components/schemas/IRemoveSiopSessionArgs\"\n },\n \"returnType\": \"boolean\"\n },\n \"authenticateWithSiop\": {\n \"description\": \"Authenticate using DID Auth SIOP\",\n \"arguments\": {\n \"$ref\": \"#/components/schemas/IAuthenticateWithSiopArgs\"\n },\n \"returnType\": {\n \"$ref\": \"#/components/schemas/Response\"\n }\n },\n \"getSiopAuthenticationRequestFromRP\": {\n \"description\": \"Get authentication request from RP\",\n \"arguments\": {\n \"$ref\": \"#/components/schemas/IGetSiopAuthenticationRequestFromRpArgs\"\n },\n \"returnType\": {\n \"$ref\": \"#/components/schemas/ParsedAuthenticationRequestURI\"\n }\n },\n \"getSiopAuthenticationRequestDetails\": {\n \"description\": \"Get authentication request details\",\n \"arguments\": {\n \"$ref\": \"#/components/schemas/IGetSiopAuthenticationRequestDetailsArgs\"\n },\n \"returnType\": {\n \"$ref\": \"#/components/schemas/IAuthRequestDetails\"\n }\n },\n \"verifySiopAuthenticationRequestURI\": {\n \"description\": \"Verify authentication request URI\",\n \"arguments\": {\n \"$ref\": \"#/components/schemas/IVerifySiopAuthenticationRequestUriArgs\"\n },\n \"returnType\": {\n \"$ref\": \"#/components/schemas/VerifiedAuthorizationRequest\"\n }\n },\n \"sendSiopAuthenticationResponse\": {\n \"description\": \"Send authentication response\",\n \"arguments\": {\n \"$ref\": \"#/components/schemas/ISendSiopAuthenticationResponseArgs\"\n },\n \"returnType\": {\n \"$ref\": \"#/components/schemas/IRequiredContext\"\n }\n }\n }\n }\n }\n}\n","import {\n AccessTokenResponse,\n AuthorizationServerMetadata,\n CredentialResponse,\n IssuerMetadata,\n OpenIDResponse,\n WellKnownEndpoints,\n} from '@sphereon/oid4vci-common'\nimport { assertValidAccessTokenRequest, createAccessTokenResponse, VcIssuer } from '@sphereon/oid4vci-issuer'\nimport { retrieveWellknown } from '@sphereon/oid4vci-client'\nimport { getAgentResolver } from '@sphereon/ssi-sdk-ext.did-utils'\nimport { IMetadataOptions } from '@sphereon/ssi-sdk.oid4vci-issuer-store'\nimport { IAgentPlugin } from '@veramo/core'\nimport { getAccessTokenSignerCallback } from '../functions'\nimport {\n IAssertValidAccessTokenArgs,\n ICreateCredentialOfferURIResult,\n ICreateOfferArgs,\n IIssueCredentialArgs,\n IIssuerInstanceArgs,\n IIssuerOptions,\n IOID4VCIIssuerOpts,\n IRequiredContext,\n schema,\n} from '../index'\nimport { IssuerInstance } from '../IssuerInstance'\n\nimport { IOID4VCIIssuer } from '../types/IOID4VCIIssuer'\n\nexport class OID4VCIIssuer implements IAgentPlugin {\n private static readonly _DEFAULT_OPTS_KEY = '_default'\n private readonly instances: Map<string, IssuerInstance> = new Map()\n readonly schema = schema.IDidAuthSiopOpAuthenticator\n\n readonly methods: IOID4VCIIssuer = {\n oid4vciCreateOfferURI: this.oid4vciCreateOfferURI.bind(this),\n oid4vciIssueCredential: this.oid4vciIssueCredential.bind(this),\n oid4vciCreateAccessTokenResponse: this.oid4vciCreateAccessTokenResponse.bind(this),\n oid4vciGetInstance: this.oid4vciGetInstance.bind(this),\n }\n private _opts: IOID4VCIIssuerOpts\n\n constructor(opts?: IOID4VCIIssuerOpts) {\n this._opts = opts ?? {}\n }\n\n private async oid4vciCreateOfferURI(createArgs: ICreateOfferArgs, context: IRequiredContext): Promise<ICreateCredentialOfferURIResult> {\n return await this.oid4vciGetInstance(createArgs, context)\n .then((instance) => instance.get({ context }))\n .then((issuer: VcIssuer) =>\n issuer.createCredentialOfferURI(createArgs).then((response) => {\n const result: ICreateCredentialOfferURIResult = response\n if (this._opts.returnSessions === false) {\n delete result.session\n }\n return result\n }),\n )\n }\n\n private async oid4vciIssueCredential(issueArgs: IIssueCredentialArgs, context: IRequiredContext): Promise<CredentialResponse> {\n return await this.oid4vciGetInstance(issueArgs, context)\n .then((instance) => instance.get({ context }))\n .then((issuer: VcIssuer) => issuer.issueCredential(issueArgs))\n }\n\n private async oid4vciCreateAccessTokenResponse(\n accessTokenArgs: IAssertValidAccessTokenArgs,\n context: IRequiredContext,\n ): Promise<AccessTokenResponse> {\n return await this.oid4vciGetInstance(accessTokenArgs, context).then(async (instance) => {\n const issuer = await instance.get({ context })\n\n await assertValidAccessTokenRequest(accessTokenArgs.request, {\n credentialOfferSessions: issuer.credentialOfferSessions,\n expirationDuration: accessTokenArgs.expirationDuration,\n })\n const accessTokenIssuer = instance.issuerOptions.idOpts?.issuer ?? instance.issuerOptions.didOpts?.idOpts.identifier.toString() // last part is legacy\n if (!accessTokenIssuer) {\n return Promise.reject(Error(`Could not determine access token issuer`))\n }\n return createAccessTokenResponse(accessTokenArgs.request, {\n accessTokenIssuer,\n tokenExpiresIn: accessTokenArgs.expirationDuration,\n cNonceExpiresIn: accessTokenArgs.expirationDuration,\n cNonces: issuer.cNonces,\n credentialOfferSessions: issuer.credentialOfferSessions,\n accessTokenSignerCallback: await getAccessTokenSignerCallback(instance.issuerOptions, context),\n })\n })\n }\n\n private getExternalAS(issuerMetadata: IssuerMetadata): string | undefined {\n if ('authorization_servers' in issuerMetadata && Array.isArray(issuerMetadata.authorization_servers)) {\n return issuerMetadata.authorization_servers.find((as) => as !== issuerMetadata.credential_issuer)\n }\n return undefined\n }\n\n private async createIssuerInstance(args: IIssuerInstanceArgs, context: IRequiredContext): Promise<IssuerInstance> {\n const credentialIssuer = args.credentialIssuer ?? OID4VCIIssuer._DEFAULT_OPTS_KEY\n //todo: prob doesn't make sense as credentialIssuer is mandatory anyway\n\n const metadataOpts = await this.getMetadataOpts({ ...args, credentialIssuer }, context)\n const issuerMetadata = await this.getIssuerMetadata({ ...args, credentialIssuer }, context)\n const externalAS = this.getExternalAS(issuerMetadata)\n let asMetadataResponse: OpenIDResponse<AuthorizationServerMetadata> | undefined = undefined\n if (externalAS) {\n // Let's try OIDC first and then fallback to OAuth2\n asMetadataResponse = await retrieveWellknown(externalAS, WellKnownEndpoints.OPENID_CONFIGURATION, {\n errorOnNotFound: false,\n })\n if (!asMetadataResponse) {\n asMetadataResponse = await retrieveWellknown(externalAS, WellKnownEndpoints.OAUTH_AS, {\n errorOnNotFound: true,\n })\n }\n }\n const authorizationServerMetadata = asMetadataResponse?.successBody\n ? asMetadataResponse!.successBody\n : await this.getAuthorizationServerMetadataFromStore(\n {\n ...args,\n credentialIssuer,\n },\n context,\n )\n const issuerOpts = await this.getIssuerOptsFromStore({ ...args, credentialIssuer }, context)\n if (!issuerOpts.resolveOpts) {\n issuerOpts.resolveOpts = { ...issuerOpts.didOpts?.resolveOpts, ...this._opts.resolveOpts }\n }\n if (!issuerOpts.resolveOpts?.resolver) {\n issuerOpts.resolveOpts.resolver = getAgentResolver(context)\n }\n\n this.instances.set(\n credentialIssuer,\n new IssuerInstance({\n issuerOpts,\n metadataOpts,\n issuerMetadata,\n authorizationServerMetadata,\n }),\n )\n\n return this.oid4vciGetInstance(args, context)\n }\n\n public async oid4vciGetInstance(args: IIssuerInstanceArgs, context: IRequiredContext): Promise<IssuerInstance> {\n const credentialIssuer = args.credentialIssuer ?? OID4VCIIssuer._DEFAULT_OPTS_KEY\n //todo: prob doesn't make sense as credentialIssuer is mandatory anyway\n if (!this.instances.has(credentialIssuer)) {\n await this.createIssuerInstance(args, context)\n }\n return this.instances.get(credentialIssuer)!\n }\n\n private async getIssuerOptsFromStore(\n opts: {\n credentialIssuer: string\n storeId?: string\n namespace?: string\n },\n context: IRequiredContext,\n ): Promise<IIssuerOptions> {\n const credentialIssuer = opts.credentialIssuer\n const storeId = await this.storeId(opts, context)\n const namespace = await this.namespace(opts, context)\n const options = await context.agent.oid4vciStoreGetIssuerOpts({\n metadataType: 'issuer',\n correlationId: credentialIssuer,\n storeId,\n namespace,\n })\n if (!options) {\n throw Error(`Could not get specific nor default options for definition ${credentialIssuer}`)\n }\n return options\n }\n\n private async getMetadataOpts(\n opts: {\n credentialIssuer: string\n storeId?: string\n namespace?: string\n },\n context: IRequiredContext,\n ): Promise<IMetadataOptions> {\n const credentialIssuer = opts.credentialIssuer\n const storeId = await this.storeId(opts, context)\n const storeNamespace = await this.namespace(opts, context)\n return { credentialIssuer, storeId, storeNamespace }\n }\n\n private async getIssuerMetadata(\n opts: {\n credentialIssuer: string\n storeId?: string\n namespace?: string\n },\n context: IRequiredContext,\n ): Promise<IssuerMetadata> {\n const metadataOpts = await this.getMetadataOpts(opts, context)\n const metadata = (await context.agent.oid4vciStoreGetMetadata({\n metadataType: 'issuer',\n correlationId: metadataOpts.credentialIssuer,\n namespace: metadataOpts.storeNamespace,\n storeId: metadataOpts.storeId,\n })) as IssuerMetadata\n if (!metadata) {\n throw Error(`Issuer metadata not found for issuer ${opts.credentialIssuer}, namespace ${opts.namespace} and store ${opts.storeId}`)\n }\n return metadata\n }\n\n private async getAuthorizationServerMetadataFromStore(\n opts: {\n credentialIssuer: string\n storeId?: string\n namespace?: string\n },\n context: IRequiredContext,\n ): Promise<AuthorizationServerMetadata> {\n const metadataOpts = await this.getMetadataOpts(opts, context)\n const metadata = (await context.agent.oid4vciStoreGetMetadata({\n metadataType: 'authorizationServer',\n correlationId: metadataOpts.credentialIssuer,\n namespace: metadataOpts.storeNamespace,\n storeId: metadataOpts.storeId,\n })) as AuthorizationServerMetadata\n if (!metadata) {\n throw Error(\n `Authorization server ${opts.credentialIssuer} metadata not found for namespace ${metadataOpts.storeNamespace} and store ${metadataOpts.storeId}`,\n )\n }\n return metadata\n }\n\n private async storeId(opts?: { storeId?: string }, context?: IRequiredContext): Promise<string> {\n const storeId = opts?.storeId ?? this._opts?.defaultStoreId ?? (await context?.agent.oid4vciStoreDefaultStoreId())\n if (!storeId) {\n throw Error('Please provide a store id a default value, or provide the context for a global default store id')\n }\n return storeId\n }\n\n private async namespace(opts?: { namespace?: string }, context?: IRequiredContext): Promise<string> {\n const namespace = opts?.namespace ?? this._opts?.defaultNamespace ?? (await context?.agent.oid4vciStoreDefaultNamespace())\n if (!namespace) {\n throw Error('Please provide a namespace a default value, or provide the context for a global default namespace')\n }\n return namespace\n }\n}\n","import { AuthorizationResponseStateStatus } from '@sphereon/did-auth-siop'\nimport {\n AuthorizationServerMetadata,\n CredentialRequestV1_0_15,\n IssuerMetadata,\n Jwt,\n JWTHeader,\n JWTPayload,\n JwtVerifyResult,\n type OID4VCICredentialFormat,\n StatusListOpts,\n} from '@sphereon/oid4vci-common'\nimport { CredentialDataSupplier, CredentialIssuanceInput, CredentialSignerCallback, VcIssuer, VcIssuerBuilder } from '@sphereon/oid4vci-issuer'\nimport { getAgentResolver, IDIDOptions } from '@sphereon/ssi-sdk-ext.did-utils'\nimport { legacyKeyRefsToIdentifierOpts, ManagedIdentifierOptsOrResult } from '@sphereon/ssi-sdk-ext.identifier-resolution'\nimport { contextHasPlugin } from '@sphereon/ssi-sdk.agent-config'\nimport { SdJwtVcPayload } from '@sphereon/ssi-sdk.sd-jwt'\nimport { IStatusListPlugin } from '@sphereon/ssi-sdk.vc-status-list'\nimport { CompactSdJwtVc, CredentialMapper, ICredential, W3CVerifiableCredential } from '@sphereon/ssi-types'\nimport { CredentialPayload, ProofFormat } from '@veramo/core'\nimport { bytesToBase64 } from '@veramo/utils'\nimport fetch from 'cross-fetch'\nimport { createJWT, decodeJWT, JWTVerifyOptions, verifyJWT } from 'did-jwt'\nimport { Resolvable } from 'did-resolver'\nimport { jwtDecode } from 'jwt-decode'\nimport { IIssuerOptions, IRequiredContext } from './types/IOID4VCIIssuer'\n\nexport function getJwtVerifyCallback({ verifyOpts }: { verifyOpts?: JWTVerifyOptions }, _context: IRequiredContext) {\n return async (args: { jwt: string; kid?: string }): Promise<JwtVerifyResult> => {\n const resolver = getAgentResolver(_context, {\n resolverResolution: true,\n uniresolverResolution: true,\n localResolution: true,\n })\n verifyOpts = { ...verifyOpts, resolver: verifyOpts?.resolver } // Resolver separately as that is a function\n if (!verifyOpts?.resolver || typeof verifyOpts?.resolver?.resolve !== 'function') {\n verifyOpts.resolver = resolver\n }\n const result = await _context.agent.jwtVerifyJwsSignature({ jws: args.jwt })\n if (!result.error) {\n const identifier = result.jws.signatures[0].identifier\n if (!identifier) {\n return Promise.reject(Error('the jws did not contain a signature with an identifier'))\n }\n const jwkInfo = identifier.jwks[0]\n if (!jwkInfo) {\n return Promise.reject(Error(`the identifier of type ${identifier.method} is missing jwks (ExternalJwkInfo)`))\n }\n const { alg } = jwkInfo.jwk\n const header = jwtDecode<JWTHeader>(args.jwt, { header: true })\n const payload = jwtDecode<JWTPayload>(args.jwt, { header: false })\n const kid = args.kid ?? header.kid\n //const jwk = !kid ? jwkInfo.jwk : undefined // TODO double-check if this is correct\n const jwk = jwkInfo.jwk // FIXME workaround IATAB2B-57\n return {\n alg,\n ...identifier,\n jwt: { header, payload },\n ...(kid && { kid }),\n ...(jwk && { jwk }),\n } as JwtVerifyResult\n }\n\n const decodedJwt = (await decodeJWT(args.jwt)) as Jwt\n const kid = args.kid ?? decodedJwt.header.kid\n\n if (!kid || !kid.startsWith('did:')) {\n // No DID method present in header. We already performed the validation above. So return that\n return {\n alg: decodedJwt.header.alg,\n jwt: decodedJwt,\n } as JwtVerifyResult\n }\n const did = kid.split('#')[0]\n\n const didResult = await verifyJWT(args.jwt, verifyOpts)\n if (!didResult.verified) {\n console.log(`JWT invalid: ${args.jwt}`)\n throw Error('JWT did not verify successfully')\n }\n\n const didResolution = await resolver.resolve(did)\n if (!didResolution || !didResolution.didDocument) {\n throw Error(`Could not resolve did: ${did}, metadata: ${didResolution?.didResolutionMetadata}`)\n }\n\n const alg = decodedJwt.header.alg\n return {\n alg,\n kid,\n did,\n didDocument: didResolution.didDocument,\n jwt: decodedJwt,\n }\n }\n}\n\nexport async function getAccessTokenKeyRef(\n opts: {\n /**\n * Uniform identifier options\n */\n idOpts?: ManagedIdentifierOptsOrResult\n /**\n * @deprecated\n */\n iss?: string\n /**\n * @deprecated\n */\n keyRef?: string\n /**\n * @deprecated\n */\n didOpts?: IDIDOptions\n },\n context: IRequiredContext,\n) {\n let identifier = legacyKeyRefsToIdentifierOpts(opts)\n return await context.agent.identifierManagedGet(identifier)\n}\n\nexport async function getAccessTokenSignerCallback(\n opts: {\n /**\n * Uniform identifier options\n */\n idOpts?: ManagedIdentifierOptsOrResult\n /**\n * @deprecated\n */\n iss?: string\n /**\n * @deprecated\n */\n keyRef?: string\n /**\n * @deprecated\n */\n didOpts?: IDIDOptions\n },\n context: IRequiredContext,\n) {\n const signer = async (data: string | Uint8Array) => {\n let dataString, encoding: 'base64' | undefined\n\n const resolution = await legacyKeyRefsToIdentifierOpts(opts)\n const keyRef = resolution.kmsKeyRef\n if (!keyRef) {\n throw Error('Cannot sign access tokens without a key ref')\n }\n if (typeof data === 'string') {\n dataString = data\n encoding = undefined\n } else {\n dataString = bytesToBase64(data)\n encoding = 'base64'\n }\n return context.agent.keyManagerSign({ keyRef, data: dataString, encoding })\n }\n\n async function accessTokenSignerCallback(jwt: Jwt, kid?: string): Promise<string> {\n const issuer =\n opts.idOpts?.issuer ??\n (typeof opts.idOpts?.identifier === 'string' ? opts.idOpts.identifier : (opts.didOpts?.idOpts?.identifier?.toString() ?? opts?.iss))\n if (!issuer) {\n throw Error('No issuer configured for access tokens')\n }\n\n let kidHeader: string | undefined = jwt?.header?.kid ?? kid\n if (!kidHeader) {\n if (\n opts.idOpts?.method === 'did' ||\n opts.idOpts?.method === 'kid' ||\n (typeof opts.didOpts?.idOpts.identifier === 'string' && opts.didOpts?.idOpts?.identifier?.startsWith('did:'))\n ) {\n // @ts-ignore\n kidHeader = opts.idOpts?.kid ?? opts.didOpts?.idOpts?.kid ?? opts?.didOpts?.identifierOpts?.kid\n }\n }\n return await createJWT(jwt.payload, { signer, issuer }, { ...jwt.header, ...(kidHeader && { kid: kidHeader }), typ: 'JWT' })\n }\n\n return accessTokenSignerCallback\n}\n\nexport async function getCredentialSignerCallback(\n idOpts: ManagedIdentifierOptsOrResult & {\n crypto?: Crypto\n },\n context: IRequiredContext,\n): Promise<CredentialSignerCallback> {\n async function issueVCCallback(args: {\n credentialRequest: CredentialRequestV1_0_15\n credential: CredentialIssuanceInput\n jwtVerifyResult: JwtVerifyResult\n format?: OID4VCICredentialFormat\n statusLists?: Array<StatusListOpts>\n }): Promise<W3CVerifiableCredential | CompactSdJwtVc> {\n const { jwtVerifyResult, format, statusLists } = args\n const credential = args.credential as ICredential // TODO: SDJWT\n let proofFormat: ProofFormat\n\n const resolution = await context.agent.identifierManagedGet(idOpts)\n proofFormat = format?.includes('ld') ? 'lds' : 'jwt'\n const issuer = resolution.issuer ?? resolution.kmsKeyRef\n\n if (CredentialMapper.isW3cCredential(credential)) {\n if (!credential.issuer) {\n credential.issuer = { id: issuer }\n } else if (typeof credential.issuer === 'object' && !credential.issuer.id) {\n credential.issuer.id = issuer\n }\n const subjectIsArray = Array.isArray(credential.credentialSubject)\n let credentialSubjects = Array.isArray(credential.credentialSubject) ? credential.credentialSubject : [credential.credentialSubject]\n credentialSubjects = credentialSubjects.map((subject) => {\n if (!subject.id) {\n subject.id = jwtVerifyResult.did\n }\n return subject\n })\n credential.credentialSubject = subjectIsArray ? credentialSubjects : credentialSubjects[0]\n\n // TODO: We should extend the plugin capabilities of issuance so we do not have to tuck this into the sign callback\n if (contextHasPlugin<IStatusListPlugin>(context, 'slAddStatusToCredential')) {\n // Add status list if enabled (and when the input has a credentialStatus object (can be empty))\n const credentialStatusVC = await context.agent.slAddStatusToCredential({ credential, statusLists })\n if (credential.credentialStatus && !credential.credentialStatus.statusListCredential) {\n credential.credentialStatus = credentialStatusVC.credentialStatus\n // TODO update statusLists somehow?\n }\n }\n\n const result = await context.agent.createVerifiableCredential({\n credential: credential as CredentialPayload,\n proofFormat,\n removeOriginalFields: false,\n fetchRemoteContexts: true,\n domain: typeof credential.issuer === 'object' ? credential.issuer.id : credential.issuer,\n ...(resolution.kid && { header: { kid: resolution.kid } }),\n })\n return (proofFormat === 'jwt' && 'jwt' in result.proof ? result.proof.jwt : result) as W3CVerifiableCredential\n } else if (CredentialMapper.isSdJwtDecodedCredentialPayload(credential)) {\n const sdJwtPayload = credential as SdJwtVcPayload\n if (sdJwtPayload.iss === undefined) {\n sdJwtPayload.iss = issuer\n }\n if (sdJwtPayload.iat === undefined) {\n sdJwtPayload.iat = Math.floor(new Date().getTime() / 1000)\n }\n\n let disclosureFrame\n if ('disclosureFrame' in credential) {\n disclosureFrame = credential['disclosureFrame']\n delete credential['disclosureFrame']\n } else {\n disclosureFrame = {\n _sd: credential['_sd'],\n }\n }\n\n if (contextHasPlugin<IStatusListPlugin>(context, 'slAddStatusToSdJwtCredential')) {\n if ((sdJwtPayload.status && sdJwtPayload.status.status_list) || (statusLists && statusLists.length > 0)) {\n // Add status list if enabled (and when the input has a credentialStatus object (can be empty))\n const sdJwtPayloadWithStatus = await context.agent.slAddStatusToSdJwtCredential({ credential: sdJwtPayload, statusLists })\n if (sdJwtPayload.status?.status_list?.idx) {\n if (!sdJwtPayloadWithStatus.status || !sdJwtPayloadWithStatus.status.status_list) {\n // sdJwtPayload and sdJwtPayloadWithStatus is the same for now, but we should use the result anyway as this could be subject to change\n return Promise.reject(Error('slAddStatusToSdJwtCredential did not return a status_list'))\n }\n\n // Update statusListId & statusListIndex back to the credential session TODO SSISDK-4 This is not a clean way to do this.\n if (statusLists && statusLists.length > 0) {\n const statusList = statusLists[0]\n statusList.statusListId = sdJwtPayloadWithStatus.status.status_list.uri\n statusList.statusListIndex = sdJwtPayloadWithStatus.status.status_list.idx\n }\n sdJwtPayload.status.status_list.idx = sdJwtPayloadWithStatus.status.status_list.idx\n }\n }\n }\n\n const result = await context.agent.createSdJwtVc({\n credentialPayload: sdJwtPayload,\n disclosureFrame: disclosureFrame,\n resolution,\n })\n return result.credential\n } /*else if (CredentialMapper.isMsoMdocDecodedCredential(credential)) {\n TODO\n }*/\n return Promise.reject('VC issuance failed, an incorrect or unsupported credential was supplied')\n }\n\n return issueVCCallback\n}\n\nexport async function createVciIssuerBuilder(\n args: {\n issuerOpts: IIssuerOptions\n issuerMetadata: IssuerMetadata\n authorizationServerMetadata: AuthorizationServerMetadata\n resolver?: Resolvable\n credentialDataSupplier?: CredentialDataSupplier\n },\n context: IRequiredContext,\n): Promise<VcIssuerBuilder> {\n const { issuerOpts, issuerMetadata, authorizationServerMetadata } = args\n\n const builder = new VcIssuerBuilder()\n // @ts-ignore\n const resolver =\n args.resolver ??\n args?.issuerOpts?.didOpts?.resolveOpts?.resolver ??\n args.issuerOpts?.didOpts?.resolveOpts?.jwtVerifyOpts?.resolver ??\n getAgentResolver(context)\n if (!resolver) {\n throw Error('A Resolver is necessary to verify DID JWTs')\n }\n const idOpts = legacyKeyRefsToIdentifierOpts({ didOpts: issuerOpts.didOpts, idOpts: issuerOpts.idOpts })\n const jwtVerifyOpts: JWTVerifyOptions = {\n ...issuerOpts?.didOpts?.resolveOpts?.jwtVerifyOpts,\n ...args?.issuerOpts?.resolveOpts?.jwtVerifyOpts,\n resolver,\n audience: issuerMetadata.credential_issuer as string, // FIXME legacy version had {display: NameAndLocale | NameAndLocale[]} as credential_issuer\n }\n builder.withIssuerMetadata(issuerMetadata)\n builder.withAuthorizationMetadata(authorizationServerMetadata)\n // builder.withUserPinRequired(issuerOpts.userPinRequired ?? false) was removed from implementers draft v1\n builder.withCredentialSignerCallback(await getCredentialSignerCallback(idOpts, context))\n if (issuerOpts.nonceEndpoint) {\n builder.withNonceEndpoint(issuerOpts.nonceEndpoint)\n } else if (issuerMetadata.nonce_endpoint) {\n builder.withNonceEndpoint(issuerOpts.nonceEndpoint ?? issuerMetadata.nonce_endpoint)\n }\n\n if (issuerOpts.asClientOpts) {\n builder.withASClientMetadata(issuerOpts.asClientOpts)\n // @ts-ignore\n // const authorizationServer = issuerMetadata.authorization_servers[0] as string\n // Set the OIDC verifier\n // builder.withJWTVerifyCallback(oidcAccessTokenVerifyCallback({clientMetadata: issuerOpts.asClientOpts, credentialIssuer: issuerMetadata.credential_issuer as string, authorizationServer}))\n }\n // Do not use it when asClient is used\n builder.withJWTVerifyCallback(getJwtVerifyCallback({ verifyOpts: jwtVerifyOpts }, context))\n\n if (args.credentialDataSupplier) {\n builder.withCredentialDataSupplier(args.credentialDataSupplier)\n }\n builder.withInMemoryCNonceState()\n builder.withInMemoryCredentialOfferState()\n builder.withInMemoryCredentialOfferURIState()\n\n return builder\n}\n\nexport async function createVciIssuer(\n {\n issuerOpts,\n issuerMetadata,\n authorizationServerMetadata,\n credentialDataSupplier,\n }: {\n issuerOpts: IIssuerOptions\n issuerMetadata: IssuerMetadata\n authorizationServerMetadata: AuthorizationServerMetadata\n credentialDataSupplier?: CredentialDataSupplier\n },\n context: IRequiredContext,\n): Promise<VcIssuer> {\n return (\n await createVciIssuerBuilder(\n {\n issuerOpts,\n issuerMetadata,\n authorizationServerMetadata,\n credentialDataSupplier,\n },\n context,\n )\n ).build()\n}\n\nexport async function createAuthRequestUriCallback(opts: { path: string; presentationDefinitionId: string }): Promise<() => Promise<string>> {\n async function authRequestUriCallback(): Promise<string> {\n const path = opts.path.replace(':definitionId', opts.presentationDefinitionId)\n return fetch(path, {\n method: 'POST',\n headers: {\n 'Content-Type': 'application/json',\n },\n }).then(async (response): Promise<string> => {\n if (response.status >= 400) {\n return Promise.reject(Error(await response.text()))\n } else {\n const responseData = await response.json()\n\n if (!responseData.authRequestURI) {\n return Promise.reject(Error('Missing auth request uri in response body'))\n }\n\n return responseData.authRequestURI\n }\n })\n }\n\n return authRequestUriCallback\n}\n\nexport async function createVerifyAuthResponseCallback(opts: {\n path: string\n presentationDefinitionId: string\n}): Promise<(correlationId: string) => Promise<boolean>> {\n async function verifyAuthResponseCallback(correlationId: string): Promise<boolean> {\n return fetch(opts.path, {\n method: 'POST',\n headers: {\n 'Content-Type': 'application/json',\n },\n body: JSON.stringify({ definitionId: opts.presentationDefinitionId, correlationId }),\n }).then(async (response): Promise<boolean> => {\n if (response.status >= 400) {\n return Promise.reject(Error(await response.text()))\n } else {\n const responseData = await response.json()\n\n if (!responseData.status) {\n return Promise.reject(Error('Missing status in response body'))\n }\n\n return responseData.status === AuthorizationResponseStateStatus.VERIFIED\n }\n })\n }\n\n return verifyAuthResponseCallback\n}\n","import { CredentialDataSupplier, VcIssuer } from '@sphereon/oid4vci-issuer'\nimport { createVciIssuerBuilder } from './functions'\nimport { AuthorizationServerMetadata, IssuerMetadata } from '@sphereon/oid4vci-common'\nimport { IIssuerOptions, IMetadataOptions, IRequiredContext } from './types/IOID4VCIIssuer'\n\nexport class IssuerInstance {\n private _issuer: VcIssuer | undefined\n private readonly _metadataOptions: IMetadataOptions\n private readonly _issuerOptions: IIssuerOptions\n private _issuerMetadata: IssuerMetadata\n private readonly _authorizationServerMetadata: AuthorizationServerMetadata\n\n public constructor({\n issuerOpts,\n metadataOpts,\n issuerMetadata,\n authorizationServerMetadata,\n }: {\n issuerOpts: IIssuerOptions\n metadataOpts: IMetadataOptions\n issuerMetadata: IssuerMetadata\n authorizationServerMetadata: AuthorizationServerMetadata\n }) {\n this._issuerOptions = issuerOpts\n this._metadataOptions = metadataOpts\n this._issuerMetadata = issuerMetadata\n this._authorizationServerMetadata = authorizationServerMetadata\n }\n\n public async get(opts: { context: IRequiredContext; credentialDataSupplier?: CredentialDataSupplier }): Promise<VcIssuer> {\n if (!this._issuer) {\n const builder = await createVciIssuerBuilder(\n {\n issuerOpts: this.issuerOptions,\n issuerMetadata: this.issuerMetadata,\n authorizationServerMetadata: this.authorizationServerMetadata,\n credentialDataSupplier: opts?.credentialDataSupplier,\n },\n opts.context,\n )\n this._issuer = builder.build()\n }\n return this._issuer\n }\n\n get issuerOptions() {\n return this._issuerOptions\n }\n\n get metadataOptions() {\n return this._metadataOptions\n }\n\n get issuerMetadata() {\n return this._issuerMetadata\n }\n\n set issuerMetadata(value: IssuerMetadata) {\n // TODO SSISDK-87 create proper solution to update issuer metadata\n if (this._issuer?.issuerMetadata) {\n this._issuer.issuerMetadata = {\n ...this._issuer?.issuerMetadata,\n credential_configurations_supported: value.credential_configurations_supported\n }\n }\n\n this._issuerMetadata = value\n }\n\n get authorizationServerMetadata() {\n return this._authorizationServerMetadata\n }\n}\n","/**\n * @public\n */\nconst schema = require('../plugin.schema.json')\nexport { schema }\nexport { OID4VCIIssuer } from './agent/OID4VCIIssuer'\nexport * from './functions'\nexport * from './IssuerInstance'\nexport * from './types/IOID4VCIIssuer'\n"],"mappings":";;;;;;;;AAAA;AAAA;AAAA;AAAA,MACE,6BAA+B;AAAA,QAC7B,YAAc;AAAA,UACZ,SAAW;AAAA,YACT,qBAAuB;AAAA,cACrB,MAAQ;AAAA,cACR,YAAc;AAAA,gBACZ,WAAa;AAAA,kBACX,MAAQ;AAAA,gBACV;AAAA,gBACA,sBAAwB;AAAA,cAC1B;AAAA,cACA,UAAY,CAAC,WAAW;AAAA,cACxB,aAAe;AAAA,YACjB;AAAA,YACA,0BAA4B;AAAA,cAC1B,MAAQ;AAAA,cACR,YAAc;AAAA,gBACZ,YAAc;AAAA,kBACZ,MAAQ;AAAA,kBACR,YAAc;AAAA,oBACZ,KAAO;AAAA,sBACL,MAAQ;AAAA,oBACV;AAAA,oBACA,OAAS;AAAA,sBACP,MAAQ;AAAA,oBACV;AAAA,oBACA,UAAY;AAAA,sBACV,MAAQ;AAAA,oBACV;AAAA,oBACA,iBAAmB;AAAA,sBACjB,MAAQ;AAAA,oBACV;AAAA,oBACA,MAAQ;AAAA,sBACN,MAAQ;AAAA,sBACR,OAAS;AAAA,wBACP,MAAQ;AAAA,wBACR,YAAc;AAAA,0BACZ,sBAAwB;AAAA,wBAC1B;AAAA,sBACF;AAAA,oBACF;AAAA,oBACA,UAAY;AAAA,sBACV,MAAQ;AAAA,sBACR,OAAS;AAAA,wBACP,MAAQ;AAAA,wBACR,YAAc;AAAA,0BACZ,sBAAwB;AAAA,wBAC1B;AAAA,sBACF;AAAA,oBACF;AAAA,kBACF;AAAA,kBACA,sBAAwB;AAAA,kBACxB,UAAY,CAAC,OAAO,YAAY,QAAQ,UAAU;AAAA,gBACpD;AAAA,gBACA,WAAa;AAAA,kBACX,MAAQ;AAAA,gBACV;AAAA,gBACA,WAAa;AAAA,kBACX,MAAQ;AAAA,gBACV;AAAA,gBACA,sBAAwB;AAAA,cAC1B;AAAA,cACA,UAAY,CAAC,YAAY;AAAA,cACzB,aAAe;AAAA,YACjB;AAAA,YACA,wBAA0B;AAAA,cACxB,MAAQ;AAAA,cACR,YAAc;AAAA,gBACZ,WAAa;AAAA,kBACX,MAAQ;AAAA,gBACV;AAAA,gBACA,sBAAwB;AAAA,cAC1B;AAAA,cACA,UAAY,CAAC,WAAW;AAAA,cACxB,aAAe;AAAA,YACjB;AAAA,YACA,2BAA6B;AAAA,cAC3B,MAAQ;AAAA,cACR,YAAc;AAAA,gBACZ,WAAa;AAAA,kBACX,MAAQ;AAAA,gBACV;AAAA,gBACA,SAAW;AAAA,kBACT,MAAQ;AAAA,gBACV;AAAA,gBACA,aAAe;AAAA,kBACb,MAAQ;AAAA,gBACV;AAAA,gBACA,sBAAwB;AAAA,cAC1B;AAAA,cACA,UAAY,CAAC,aAAa,WAAW,aAAa;AAAA,cAClD,aAAe;AAAA,YACjB;AAAA,YACA,WAAa;AAAA,cACX,MAAQ;AAAA,cACR,YAAc;AAAA,gBACZ,QAAU;AAAA,kBACR,MAAQ;AAAA,gBACV;AAAA,gBACA,sBAAwB;AAAA,cAC1B;AAAA,cACA,UAAY,CAAC,QAAQ;AAAA,cACrB,aAAe;AAAA,YACjB;AAAA,YACA,yCAA2C;AAAA,cACzC,MAAQ;AAAA,cACR,YAAc;AAAA,gBACZ,WAAa;AAAA,kBACX,MAAQ;AAAA,gBACV;AAAA,gBACA,SAAW;AAAA,kBACT,MAAQ;AAAA,gBACV;AAAA,gBACA,aAAe;AAAA,kBACb,MAAQ;AAAA,gBACV;AAAA,gBACA,sBAAwB;AAAA,cAC1B;AAAA,cACA,UAAY,CAAC,aAAa,WAAW,aAAa;AAAA,cAClD,aAAe;AAAA,YACjB;AAAA,YACA,gCAAkC;AAAA,cAChC,MAAQ;AAAA,cACR,YAAc;AAAA,gBACZ,KAAO;AAAA,kBACL,MAAQ;AAAA,gBACV;AAAA,gBACA,gBAAkB;AAAA,kBAChB,MAAQ;AAAA,kBACR,YAAc;AAAA,oBACZ,sBAAwB;AAAA,kBAC1B;AAAA,gBACF;AAAA,gBACA,cAAgB;AAAA,kBACd,MAAQ;AAAA,kBACR,YAAc;AAAA,oBACZ,sBAAwB;AAAA,kBAC1B;AAAA,gBACF;AAAA,gBACA,sBAAwB;AAAA,cAC1B;AAAA,cACA,UAAY,CAAC,OAAO,kBAAkB,cAAc;AAAA,cACpD,aAAe;AAAA,YACjB;AAAA,YACA,0CAA4C;AAAA,cAC1C,MAAQ;AAAA,cACR,YAAc;AAAA,gBACZ,WAAa;AAAA,kBACX,MAAQ;AAAA,gBACV;AAAA,gBACA,+BAAiC;AAAA,kBAC/B,MAAQ;AAAA,kBACR,YAAc;AAAA,oBACZ,sBAAwB;AAAA,kBAC1B;AAAA,gBACF;AAAA,gBACA,kBAAoB;AAAA,kBAClB,MAAQ;AAAA,kBACR,YAAc;AAAA,oBACZ,sBAAwB;AAAA,kBAC1B;AAAA,gBACF;AAAA,gBACA,sBAAwB;AAAA,cAC1B;AAAA,cACA,UAAY,CAAC,aAAa,+BAA+B;AAAA,cACzD,aAAe;AAAA,YACjB;AAAA,YACA,qBAAuB;AAAA,cACrB,MAAQ;AAAA,cACR,YAAc;AAAA,gBACZ,IAAM;AAAA,kBACJ,MAAQ;AAAA,gBACV;AAAA,gBACA,aAAe;AAAA,kBACb,MAAQ;AAAA,kBACR,OAAS;AAAA,oBACP,MAAQ;AAAA,kBACV;AAAA,gBACF;AAAA,gBACA,gBAAkB;AAAA,kBAChB,MAAQ;AAAA,kBACR,YAAc;AAAA,oBACZ,sBAAwB;AAAA,kBAC1B;AAAA,gBACF;AAAA,gBACA,sBAAwB;AAAA,cAC1B;AAAA,cACA,UAAY,CAAC,MAAM,gBAAgB;AAAA,cACnC,aAAe;AAAA,YACjB;AAAA,YACA,yCAA2C;AAAA,cACzC,MAAQ;AAAA,cACR,YAAc;AAAA,gBACZ,WAAa;AAAA,kBACX,MAAQ;AAAA,gBACV;AAAA,gBACA,gCAAkC;AAAA,kBAChC,MAAQ;AAAA,kBACR,YAAc;AAAA,oBACZ,sBAAwB;AAAA,kBAC1B;AAAA,gBACF;AAAA,gBACA,sBAAwB;AAAA,cAC1B;AAAA,cACA,UAAY,CAAC,aAAa,gCAAgC;AAAA,cAC1D,aAAe;AAAA,YACjB;AAAA,YACA,8BAAgC;AAAA,cAC9B,MAAQ;AAAA,cACR,YAAc;AAAA,gBACZ,SAAW;AAAA,kBACT,MAAQ;AAAA,kBACR,YAAc;AAAA,oBACZ,sBAAwB;AAAA,kBAC1B;AAAA,gBACF;AAAA,gBACA,yBAA2B;AAAA,kBACzB,MAAQ;AAAA,kBACR,YAAc;AAAA,oBACZ,sBAAwB;AAAA,kBAC1B;AAAA,gBACF;AAAA,gBACA,YAAc;AAAA,kBACZ,MAAQ;AAAA,kBACR,YAAc;AAAA,oBACZ,sBAAwB;AAAA,kBAC1B;AAAA,gBACF;AAAA,gBACA,sBAAwB;AAAA,cAC1B;AAAA,cACA,UAAY,CAAC,WAAW,YAAY;AAAA,cACpC,aAAe;AAAA,YACjB;AAAA,YACA,qCAAuC;AAAA,cACrC,MAAQ;AAAA,cACR,YAAc;AAAA,gBACZ,WAAa;AAAA,kBACX,MAAQ;AAAA,gBACV;AAAA,gBACA,+BAAiC;AAAA,kBAC/B,MAAQ;AAAA,kBACR,YAAc;AAAA,oBACZ,sBAAwB;AAAA,kBAC1B;AAAA,gBACF;AAAA,gBACA,gCAAkC;AAAA,kBAChC,MAAQ;AAAA,kBACR,YAAc;AAAA,oBACZ,sBAAwB;AAAA,kBAC1B;AAAA,gBACF;AAAA,gBACA,sBAAwB;AAAA,cAC1B;AAAA,cACA,UAAY,CAAC,aAAa,+BAA+B;AAAA,cACzD,aAAe;AAAA,YACjB;AAAA,UACF;AAAA,UACA,SAAW;AAAA,YACT,mBAAqB;AAAA,cACnB,aAAe;AAAA,cACf,WAAa;AAAA,gBACX,MAAQ;AAAA,cACV;AAAA,cACA,YAAc;AAAA,YAChB;AAAA,YACA,wBAA0B;AAAA,cACxB,aAAe;AAAA,cACf,WAAa;AAAA,gBACX,MAAQ;AAAA,cACV;AAAA,cACA,YAAc;AAAA,YAChB;AAAA,YACA,sBAAwB;AAAA,cACtB,aAAe;AAAA,cACf,WAAa;AAAA,gBACX,MAAQ;AAAA,cACV;AAAA,cACA,YAAc;AAAA,YAChB;AAAA,YACA,sBAAwB;AAAA,cACtB,aAAe;AAAA,cACf,WAAa;AAAA,gBACX,MAAQ;AAAA,cACV;AAAA,cACA,YAAc;AAAA,gBACZ,MAAQ;AAAA,cACV;AAAA,YACF;AAAA,YACA,oCAAsC;AAAA,cACpC,aAAe;AAAA,cACf,WAAa;AAAA,gBACX,MAAQ;AAAA,cACV;AAAA,cACA,YAAc;AAAA,gBACZ,MAAQ;AAAA,cACV;AAAA,YACF;AAAA,YACA,qCAAuC;AAAA,cACrC,aAAe;AAAA,cACf,WAAa;AAAA,gBACX,MAAQ;AAAA,cACV;AAAA,cACA,YAAc;AAAA,gBACZ,MAAQ;AAAA,cACV;AAAA,YACF;AAAA,YACA,oCAAsC;AAAA,cACpC,aAAe;AAAA,cACf,WAAa;AAAA,gBACX,MAAQ;AAAA,cACV;AAAA,cACA,YAAc;AAAA,gBACZ,MAAQ;AAAA,cACV;AAAA,YACF;AAAA,YACA,gCAAkC;AAAA,cAChC,aAAe;AAAA,cACf,WAAa;AAAA,gBACX,MAAQ;AAAA,cACV;AAAA,cACA,YAAc;AAAA,gBACZ,MAAQ;AAAA,cACV;AAAA,YACF;AAAA,UACF;AAAA,QACF;AAAA,MACF;AAAA,IACF;AAAA;AAAA;;;ACxUA,SAMEA,0BACK;AACP,SAASC,+BAA+BC,iCAA2C;AACnF,SAASC,yBAAyB;AAClC,SAASC,oBAAAA,yBAAwB;;;ACVjC,SAASC,wCAAwC;AAYjD,SAA8FC,uBAAuB;AACrH,SAASC,wBAAqC;AAC9C,SAASC,qCAAoE;AAC7E,SAASC,wBAAwB;AAGjC,SAAyBC,wBAA8D;AAEvF,SAASC,qBAAqB;AAC9B,OAAOC,WAAW;AAClB,SAASC,WAAWC,WAA6BC,iBAAiB;AAElE,SAASC,iBAAiB;AAGnB,SAASC,qBAAqB,EAAEC,WAAU,GAAuCC,UAA0B;AAChH,SAAO,OAAOC,SAAAA;AACZ,UAAMC,WAAWC,iBAAiBH,UAAU;MAC1CI,oBAAoB;MACpBC,uBAAuB;MACvBC,iBAAiB;IACnB,CAAA;AACAP,iBAAa;MAAE,GAAGA;MAAYG,UAAUH,YAAYG;IAAS;AAC7D,QAAI,CAACH,YAAYG,YAAY,OAAOH,YAAYG,UAAUK,YAAY,YAAY;AAChFR,iBAAWG,WAAWA;IACxB;AACA,UAAMM,SAAS,MAAMR,SAASS,MAAMC,sBAAsB;MAAEC,KAAKV,KAAKW;IAAI,CAAA;AAC1E,QAAI,CAACJ,OAAOK,OAAO;AACjB,YAAMC,aAAaN,OAAOG,IAAII,WAAW,CAAA,EAAGD;AAC5C,UAAI,CAACA,YAAY;AACf,eAAOE,QAAQC,OAAOC,MAAM,wDAAA,CAAA;MAC9B;AACA,YAAMC,UAAUL,WAAWM,KAAK,CAAA;AAChC,UAAI,CAACD,SAAS;AACZ,eAAOH,QAAQC,OAAOC,MAAM,0BAA0BJ,WAAWO,MAAM,oCAAoC,CAAA;MAC7G;AACA,YAAM,EAAEC,KAAAA,KAAG,IAAKH,QAAQI;AACxB,YAAMC,SAASC,UAAqBxB,KAAKW,KAAK;QAAEY,QAAQ;MAAK,CAAA;AAC7D,YAAME,UAAUD,UAAsBxB,KAAKW,KAAK;QAAEY,QAAQ;MAAM,CAAA;AAChE,YAAMG,OAAM1B,KAAK0B,OAAOH,OAAOG;AAE/B,YAAMJ,MAAMJ,QAAQI;AACpB,aAAO;QACLD,KAAAA;QACA,GAAGR;QACHF,KAAK;UAAEY;UAAQE;QAAQ;QACvB,GAAIC,QAAO;UAAEA,KAAAA;QAAI;QACjB,GAAIJ,OAAO;UAAEA;QAAI;MACnB;IACF;AAEA,UAAMK,aAAc,MAAMC,UAAU5B,KAAKW,GAAG;AAC5C,UAAMe,MAAM1B,KAAK0B,OAAOC,WAAWJ,OAAOG;AAE1C,QAAI,CAACA,OAAO,CAACA,IAAIG,WAAW,MAAA,GAAS;AAEnC,aAAO;QACLR,KAAKM,WAAWJ,OAAOF;QACvBV,KAAKgB;MACP;IACF;AACA,UAAMG,MAAMJ,IAAIK,MAAM,GAAA,EAAK,CAAA;AAE3B,UAAMC,YAAY,MAAMC,UAAUjC,KAAKW,KAAKb,UAAAA;AAC5C,QAAI,CAACkC,UAAUE,UAAU;AACvBC,cAAQC,IAAI,gBAAgBpC,KAAKW,GAAG,EAAE;AACtC,YAAMM,MAAM,iCAAA;IACd;AAEA,UAAMoB,gBAAgB,MAAMpC,SAASK,QAAQwB,GAAAA;AAC7C,QAAI,CAACO,iBAAiB,CAACA,cAAcC,aAAa;AAChD,YAAMrB,MAAM,0BAA0Ba,GAAAA,eAAkBO,eAAeE,qBAAAA,EAAuB;IAChG;AAEA,UAAMlB,MAAMM,WAAWJ,OAAOF;AAC9B,WAAO;MACLA;MACAK;MACAI;MACAQ,aAAaD,cAAcC;MAC3B3B,KAAKgB;IACP;EACF;AACF;AApEgB9B;AAsEhB,eAAsB2C,qBACpBC,MAkBAC,SAAyB;AAEzB,MAAI7B,aAAa8B,8BAA8BF,IAAAA;AAC/C,SAAO,MAAMC,QAAQlC,MAAMoC,qBAAqB/B,UAAAA;AAClD;AAvBsB2B;AAyBtB,eAAsBK,6BACpBJ,MAkBAC,SAAyB;AAEzB,QAAMI,SAAS,8BAAOC,SAAAA;AACpB,QAAIC,YAAYC;AAEhB,UAAMC,aAAa,MAAMP,8BAA8BF,IAAAA;AACvD,UAAMU,SAASD,WAAWE;AAC1B,QAAI,CAACD,QAAQ;AACX,YAAMlC,MAAM,6CAAA;IACd;AACA,QAAI,OAAO8B,SAAS,UAAU;AAC5BC,mBAAaD;AACbE,iBAAWI;IACb,OAAO;AACLL,mBAAaM,cAAcP,IAAAA;AAC3BE,iBAAW;IACb;AACA,WAAOP,QAAQlC,MAAM+C,eAAe;MAAEJ;MAAQJ,MAAMC;MAAYC;IAAS,CAAA;EAC3E,GAhBe;AAkBf,iBAAeO,0BAA0B7C,KAAUe,KAAY;AAC7D,UAAM+B,SACJhB,KAAKiB,QAAQD,WACZ,OAAOhB,KAAKiB,QAAQ7C,eAAe,WAAW4B,KAAKiB,OAAO7C,aAAc4B,KAAKkB,SAASD,QAAQ7C,YAAY+C,SAAAA,KAAcnB,MAAMoB;AACjI,QAAI,CAACJ,QAAQ;AACX,YAAMxC,MAAM,wCAAA;IACd;AAEA,QAAI6C,YAAgCnD,KAAKY,QAAQG,OAAOA;AACxD,QAAI,CAACoC,WAAW;AACd,UACErB,KAAKiB,QAAQtC,WAAW,SACxBqB,KAAKiB,QAAQtC,WAAW,SACvB,OAAOqB,KAAKkB,SAASD,OAAO7C,eAAe,YAAY4B,KAAKkB,SAASD,QAAQ7C,YAAYgB,WAAW,MAAA,GACrG;AAEAiC,oBAAYrB,KAAKiB,QAAQhC,OAAOe,KAAKkB,SAASD,QAAQhC,OAAOe,MAAMkB,SAASI,gBAAgBrC;MAC9F;IACF;AACA,WAAO,MAAMsC,UAAUrD,IAAIc,SAAS;MAAEqB;MAAQW;IAAO,GAAG;MAAE,GAAG9C,IAAIY;MAAQ,GAAIuC,aAAa;QAAEpC,KAAKoC;MAAU;MAAIG,KAAK;IAAM,CAAA;EAC5H;AApBeT;AAsBf,SAAOA;AACT;AA9DsBX;AAgEtB,eAAsBqB,4BACpBR,QAGAhB,SAAyB;AAEzB,iBAAeyB,gBAAgBnE,MAM9B;AACC,UAAM,EAAEoE,iBAAiBC,QAAQC,YAAW,IAAKtE;AACjD,UAAMuE,aAAavE,KAAKuE;AACxB,QAAIC;AAEJ,UAAMtB,aAAa,MAAMR,QAAQlC,MAAMoC,qBAAqBc,MAAAA;AAC5Dc,kBAAcH,QAAQI,SAAS,IAAA,IAAQ,QAAQ;AAC/C,UAAMhB,SAASP,WAAWO,UAAUP,WAAWE;AAE/C,QAAIsB,iBAAiBC,gBAAgBJ,UAAAA,GAAa;AAChD,UAAI,CAACA,WAAWd,QAAQ;AACtBc,mBAAWd,SAAS;UAAEmB,IAAInB;QAAO;MACnC,WAAW,OAAOc,WAAWd,WAAW,YAAY,CAACc,WAAWd,OAAOmB,IAAI;AACzEL,mBAAWd,OAAOmB,KAAKnB;MACzB;AACA,YAAMoB,iBAAiBC,MAAMC,QAAQR,WAAWS,iBAAiB;AACjE,UAAIC,qBAAqBH,MAAMC,QAAQR,WAAWS,iBAAiB,IAAIT,WAAWS,oBAAoB;QAACT,WAAWS;;AAClHC,2BAAqBA,mBAAmBC,IAAI,CAACC,YAAAA;AAC3C,YAAI,CAACA,QAAQP,IAAI;AACfO,kBAAQP,KAAKR,gBAAgBtC;QAC/B;AACA,eAAOqD;MACT,CAAA;AACAZ,iBAAWS,oBAAoBH,iBAAiBI,qBAAqBA,mBAAmB,CAAA;AAGxF,UAAIG,iBAAoC1C,SAAS,yBAAA,GAA4B;AAE3E,cAAM2C,qBAAqB,MAAM3C,QAAQlC,MAAM8E,wBAAwB;UAAEf;UAAYD;QAAY,CAAA;AACjG,YAAIC,WAAWgB,oBAAoB,CAAChB,WAAWgB,iBAAiBC,sBAAsB;AACpFjB,qBAAWgB,mBAAmBF,mBAAmBE;QAEnD;MACF;AAEA,YAAMhF,SAAS,MAAMmC,QAAQlC,MAAMiF,2BAA2B;QAC5DlB;QACAC;QACAkB,sBAAsB;QACtBC,qBAAqB;QACrBC,QAAQ,OAAOrB,WAAWd,WAAW,WAAWc,WAAWd,OAAOmB,KAAKL,WAAWd;QAClF,GAAIP,WAAWxB,OAAO;UAAEH,QAAQ;YAAEG,KAAKwB,WAAWxB;UAAI;QAAE;MAC1D,CAAA;AACA,aAAQ8C,gBAAgB,SAAS,SAASjE,OAAOsF,QAAQtF,OAAOsF,MAAMlF,MAAMJ;IAC9E,WAAWmE,iBAAiBoB,gCAAgCvB,UAAAA,GAAa;AACvE,YAAMwB,eAAexB;AACrB,UAAIwB,aAAalC,QAAQR,QAAW;AAClC0C,qBAAalC,MAAMJ;MACrB;AACA,UAAIsC,aAAaC,QAAQ3C,QAAW;AAClC0C,qBAAaC,MAAMC,KAAKC,OAAM,oBAAIC,KAAAA,GAAOC,QAAO,IAAK,GAAA;MACvD;AAEA,UAAIC;AACJ,UAAI,qBAAqB9B,YAAY;AACnC8B,0BAAkB9B,WAAW,iBAAA;AAC7B,eAAOA,WAAW,iBAAA;MACpB,OAAO;AACL8B,0BAAkB;UAChBC,KAAK/B,WAAW,KAAA;QAClB;MACF;AAEA,UAAIa,iBAAoC1C,SAAS,8BAAA,GAAiC;AAChF,YAAKqD,aAAaQ,UAAUR,aAAaQ,OAAOC,eAAiBlC,eAAeA,YAAYmC,SAAS,GAAI;AAEvG,gBAAMC,yBAAyB,MAAMhE,QAAQlC,MAAMmG,6BAA6B;YAAEpC,YAAYwB;YAAczB;UAAY,CAAA;AACxH,cAAIyB,aAAaQ,QAAQC,aAAaI,KAAK;AACzC,gBAAI,CAACF,uBAAuBH,UAAU,CAACG,uBAAuBH,OAAOC,aAAa;AAEhF,qBAAOzF,QAAQC,OAAOC,MAAM,2DAAA,CAAA;YAC9B;AAGA,gBAAIqD,eAAeA,YAAYmC,SAAS,GAAG;AACzC,oBAAMI,aAAavC,YAAY,CAAA;AAC/BuC,yBAAWC,eAAeJ,uBAAuBH,OAAOC,YAAYO;AACpEF,yBAAWG,kBAAkBN,uBAAuBH,OAAOC,YAAYI;YACzE;AACAb,yBAAaQ,OAAOC,YAAYI,MAAMF,uBAAuBH,OAAOC,YAAYI;UAClF;QACF;MACF;AAEA,YAAMrG,SAAS,MAAMmC,QAAQlC,MAAMyG,cAAc;QAC/CC,mBAAmBnB;QACnBM;QACAnD;MACF,CAAA;AACA,aAAO3C,OAAOgE;IAChB;AAGA,WAAOxD,QAAQC,OAAO,yEAAA;EACxB;AApGemD;AAsGf,SAAOA;AACT;AA7GsBD;AA+GtB,eAAsBiD,uBACpBnH,MAOA0C,SAAyB;AAEzB,QAAM,EAAE0E,YAAYC,gBAAgBC,4BAA2B,IAAKtH;AAEpE,QAAMuH,UAAU,IAAIC,gBAAAA;AAEpB,QAAMvH,WACJD,KAAKC,YACLD,MAAMoH,YAAYzD,SAAS8D,aAAaxH,YACxCD,KAAKoH,YAAYzD,SAAS8D,aAAaC,eAAezH,YACtDC,iBAAiBwC,OAAAA;AACnB,MAAI,CAACzC,UAAU;AACb,UAAMgB,MAAM,4CAAA;EACd;AACA,QAAMyC,SAASf,8BAA8B;IAAEgB,SAASyD,WAAWzD;IAASD,QAAQ0D,WAAW1D;EAAO,CAAA;AACtG,QAAMgE,gBAAkC;IACtC,GAAGN,YAAYzD,SAAS8D,aAAaC;IACrC,GAAG1H,MAAMoH,YAAYK,aAAaC;IAClCzH;IACA0H,UAAUN,eAAeO;EAC3B;AACAL,UAAQM,mBAAmBR,cAAAA;AAC3BE,UAAQO,0BAA0BR,2BAAAA;AAElCC,UAAQQ,6BAA6B,MAAM7D,4BAA4BR,QAAQhB,OAAAA,CAAAA;AAC/E,MAAI0E,WAAWY,eAAe;AAC5BT,YAAQU,kBAAkBb,WAAWY,aAAa;EACpD,WAAWX,eAAea,gBAAgB;AACxCX,YAAQU,kBAAkBb,WAAWY,iBAAiBX,eAAea,cAAc;EACrF;AAEA,MAAId,WAAWe,cAAc;AAC3BZ,YAAQa,qBAAqBhB,WAAWe,YAAY;EAKtD;AAEAZ,UAAQc,sBAAsBxI,qBAAqB;IAAEC,YAAY4H;EAAc,GAAGhF,OAAAA,CAAAA;AAElF,MAAI1C,KAAKsI,wBAAwB;AAC/Bf,YAAQgB,2BAA2BvI,KAAKsI,sBAAsB;EAChE;AACAf,UAAQiB,wBAAuB;AAC/BjB,UAAQkB,iCAAgC;AACxClB,UAAQmB,oCAAmC;AAE3C,SAAOnB;AACT;AAzDsBJ;AA2DtB,eAAsBwB,gBACpB,EACEvB,YACAC,gBACAC,6BACAgB,uBAAsB,GAOxB5F,SAAyB;AAEzB,UACE,MAAMyE,uBACJ;IACEC;IACAC;IACAC;IACAgB;EACF,GACA5F,OAAAA,GAEFkG,MAAK;AACT;AAzBsBD;AA2BtB,eAAsBE,6BAA6BpG,MAAwD;AACzG,iBAAeqG,yBAAAA;AACb,UAAMC,OAAOtG,KAAKsG,KAAKC,QAAQ,iBAAiBvG,KAAKwG,wBAAwB;AAC7E,WAAOC,MAAMH,MAAM;MACjB3H,QAAQ;MACR+H,SAAS;QACP,gBAAgB;MAClB;IACF,CAAA,EAAGC,KAAK,OAAOC,aAAAA;AACb,UAAIA,SAAS9C,UAAU,KAAK;AAC1B,eAAOxF,QAAQC,OAAOC,MAAM,MAAMoI,SAASC,KAAI,CAAA,CAAA;MACjD,OAAO;AACL,cAAMC,eAAe,MAAMF,SAASG,KAAI;AAExC,YAAI,CAACD,aAAaE,gBAAgB;AAChC,iBAAO1I,QAAQC,OAAOC,MAAM,2CAAA,CAAA;QAC9B;AAEA,eAAOsI,aAAaE;MACtB;IACF,CAAA;EACF;AApBeX;AAsBf,SAAOA;AACT;AAxBsBD;AA0BtB,eAAsBa,iCAAiCjH,MAGtD;AACC,iBAAekH,2BAA2BC,eAAqB;AAC7D,WAAOV,MAAMzG,KAAKsG,MAAM;MACtB3H,QAAQ;MACR+H,SAAS;QACP,gBAAgB;MAClB;MACAU,MAAMC,KAAKC,UAAU;QAAEC,cAAcvH,KAAKwG;QAA0BW;MAAc,CAAA;IACpF,CAAA,EAAGR,KAAK,OAAOC,aAAAA;AACb,UAAIA,SAAS9C,UAAU,KAAK;AAC1B,eAAOxF,QAAQC,OAAOC,MAAM,MAAMoI,SAASC,KAAI,CAAA,CAAA;MACjD,OAAO;AACL,cAAMC,eAAe,MAAMF,SAASG,KAAI;AAExC,YAAI,CAACD,aAAahD,QAAQ;AACxB,iBAAOxF,QAAQC,OAAOC,MAAM,iCAAA,CAAA;QAC9B;AAEA,eAAOsI,aAAahD,WAAW0D,iCAAiCC;MAClE;IACF,CAAA;EACF;AApBeP;AAsBf,SAAOA;AACT;AA3BsBD;;;ACpZf,IAAMS,iBAAN,MAAMA;EAJb,OAIaA;;;EACHC;EACSC;EACAC;EACTC;EACSC;EAEjB,YAAmB,EACjBC,YACAC,cACAC,gBACAC,4BAA2B,GAM1B;AACD,SAAKN,iBAAiBG;AACtB,SAAKJ,mBAAmBK;AACxB,SAAKH,kBAAkBI;AACvB,SAAKH,+BAA+BI;EACtC;EAEA,MAAaC,IAAIC,MAAyG;AACxH,QAAI,CAAC,KAAKV,SAAS;AACjB,YAAMW,UAAU,MAAMC,uBACpB;QACEP,YAAY,KAAKQ;QACjBN,gBAAgB,KAAKA;QACrBC,6BAA6B,KAAKA;QAClCM,wBAAwBJ,MAAMI;MAChC,GACAJ,KAAKK,OAAO;AAEd,WAAKf,UAAUW,QAAQK,MAAK;IAC9B;AACA,WAAO,KAAKhB;EACd;EAEA,IAAIa,gBAAgB;AAClB,WAAO,KAAKX;EACd;EAEA,IAAIe,kBAAkB;AACpB,WAAO,KAAKhB;EACd;EAEA,IAAIM,iBAAiB;AACnB,WAAO,KAAKJ;EACd;EAEA,IAAII,eAAeW,OAAuB;AAExC,QAAI,KAAKlB,SAASO,gBAAgB;AAChC,WAAKP,QAAQO,iBAAiB;QAC5B,GAAG,KAAKP,SAASO;QACjBY,qCAAqCD,MAAMC;MAC7C;IACF;AAEA,SAAKhB,kBAAkBe;EACzB;EAEA,IAAIV,8BAA8B;AAChC,WAAO,KAAKJ;EACd;AACF;;;AF3CO,IAAMgB,gBAAN,MAAMA,eAAAA;EA7Bb,OA6BaA;;;EACX,OAAwBC,oBAAoB;EAC3BC,YAAyC,oBAAIC,IAAAA;EACrDC,SAASA,OAAOC;EAEhBC,UAA0B;IACjCC,uBAAuB,KAAKA,sBAAsBC,KAAK,IAAI;IAC3DC,wBAAwB,KAAKA,uBAAuBD,KAAK,IAAI;IAC7DE,kCAAkC,KAAKA,iCAAiCF,KAAK,IAAI;IACjFG,oBAAoB,KAAKA,mBAAmBH,KAAK,IAAI;EACvD;EACQI;EAER,YAAYC,MAA2B;AACrC,SAAKD,QAAQC,QAAQ,CAAC;EACxB;EAEA,MAAcN,sBAAsBO,YAA8BC,SAAqE;AACrI,WAAO,MAAM,KAAKJ,mBAAmBG,YAAYC,OAAAA,EAC9CC,KAAK,CAACC,aAAaA,SAASC,IAAI;MAAEH;IAAQ,CAAA,CAAA,EAC1CC,KAAK,CAACG,WACLA,OAAOC,yBAAyBN,UAAAA,EAAYE,KAAK,CAACK,aAAAA;AAChD,YAAMC,SAA0CD;AAChD,UAAI,KAAKT,MAAMW,mBAAmB,OAAO;AACvC,eAAOD,OAAOE;MAChB;AACA,aAAOF;IACT,CAAA,CAAA;EAEN;EAEA,MAAcb,uBAAuBgB,WAAiCV,SAAwD;AAC5H,WAAO,MAAM,KAAKJ,mBAAmBc,WAAWV,OAAAA,EAC7CC,KAAK,CAACC,aAAaA,SAASC,IAAI;MAAEH;IAAQ,CAAA,CAAA,EAC1CC,KAAK,CAACG,WAAqBA,OAAOO,gBAAgBD,SAAAA,CAAAA;EACvD;EAEA,MAAcf,iCACZiB,iBACAZ,SAC8B;AAC9B,WAAO,MAAM,KAAKJ,mBAAmBgB,iBAAiBZ,OAAAA,EAASC,KAAK,OAAOC,aAAAA;AACzE,YAAME,SAAS,MAAMF,SAASC,IAAI;QAAEH;MAAQ,CAAA;AAE5C,YAAMa,8BAA8BD,gBAAgBE,SAAS;QAC3DC,yBAAyBX,OAAOW;QAChCC,oBAAoBJ,gBAAgBI;MACtC,CAAA;AACA,YAAMC,oBAAoBf,SAASgB,cAAcC,QAAQf,UAAUF,SAASgB,cAAcE,SAASD,OAAOE,WAAWC,SAAAA;AACrH,UAAI,CAACL,mBAAmB;AACtB,eAAOM,QAAQC,OAAOC,MAAM,yCAAyC,CAAA;MACvE;AACA,aAAOC,0BAA0Bd,gBAAgBE,SAAS;QACxDG;QACAU,gBAAgBf,gBAAgBI;QAChCY,iBAAiBhB,gBAAgBI;QACjCa,SAASzB,OAAOyB;QAChBd,yBAAyBX,OAAOW;QAChCe,2BAA2B,MAAMC,6BAA6B7B,SAASgB,eAAelB,OAAAA;MACxF,CAAA;IACF,CAAA;EACF;EAEQgC,cAAcC,gBAAoD;AACxE,QAAI,2BAA2BA,kBAAkBC,MAAMC,QAAQF,eAAeG,qBAAqB,GAAG;AACpG,aAAOH,eAAeG,sBAAsBC,KAAK,CAACC,OAAOA,OAAOL,eAAeM,iBAAiB;IAClG;AACA,WAAOC;EACT;EAEA,MAAcC,qBAAqBC,MAA2B1C,SAAoD;AAChH,UAAM2C,mBAAmBD,KAAKC,oBAAoB1D,eAAcC;AAGhE,UAAM0D,eAAe,MAAM,KAAKC,gBAAgB;MAAE,GAAGH;MAAMC;IAAiB,GAAG3C,OAAAA;AAC/E,UAAMiC,iBAAiB,MAAM,KAAKa,kBAAkB;MAAE,GAAGJ;MAAMC;IAAiB,GAAG3C,OAAAA;AACnF,UAAM+C,aAAa,KAAKf,cAAcC,cAAAA;AACtC,QAAIe,qBAA8ER;AAClF,QAAIO,YAAY;AAEdC,2BAAqB,MAAMC,kBAAkBF,YAAYG,mBAAmBC,sBAAsB;QAChGC,iBAAiB;MACnB,CAAA;AACA,UAAI,CAACJ,oBAAoB;AACvBA,6BAAqB,MAAMC,kBAAkBF,YAAYG,mBAAmBG,UAAU;UACpFD,iBAAiB;QACnB,CAAA;MACF;IACF;AACA,UAAME,8BAA8BN,oBAAoBO,cACpDP,mBAAoBO,cACpB,MAAM,KAAKC,wCACT;MACE,GAAGd;MACHC;IACF,GACA3C,OAAAA;AAEN,UAAMyD,aAAa,MAAM,KAAKC,uBAAuB;MAAE,GAAGhB;MAAMC;IAAiB,GAAG3C,OAAAA;AACpF,QAAI,CAACyD,WAAWE,aAAa;AAC3BF,iBAAWE,cAAc;QAAE,GAAGF,WAAWrC,SAASuC;QAAa,GAAG,KAAK9D,MAAM8D;MAAY;IAC3F;AACA,QAAI,CAACF,WAAWE,aAAaC,UAAU;AACrCH,iBAAWE,YAAYC,WAAWC,kBAAiB7D,OAAAA;IACrD;AAEA,SAAKb,UAAU2E,IACbnB,kBACA,IAAIoB,eAAe;MACjBN;MACAb;MACAX;MACAqB;IACF,CAAA,CAAA;AAGF,WAAO,KAAK1D,mBAAmB8C,MAAM1C,OAAAA;EACvC;EAEA,MAAaJ,mBAAmB8C,MAA2B1C,SAAoD;AAC7G,UAAM2C,mBAAmBD,KAAKC,oBAAoB1D,eAAcC;AAEhE,QAAI,CAAC,KAAKC,UAAU6E,IAAIrB,gBAAAA,GAAmB;AACzC,YAAM,KAAKF,qBAAqBC,MAAM1C,OAAAA;IACxC;AACA,WAAO,KAAKb,UAAUgB,IAAIwC,gBAAAA;EAC5B;EAEA,MAAce,uBACZ5D,MAKAE,SACyB;AACzB,UAAM2C,mBAAmB7C,KAAK6C;AAC9B,UAAMsB,UAAU,MAAM,KAAKA,QAAQnE,MAAME,OAAAA;AACzC,UAAMkE,YAAY,MAAM,KAAKA,UAAUpE,MAAME,OAAAA;AAC7C,UAAMmE,UAAU,MAAMnE,QAAQoE,MAAMC,0BAA0B;MAC5DC,cAAc;MACdC,eAAe5B;MACfsB;MACAC;IACF,CAAA;AACA,QAAI,CAACC,SAAS;AACZ,YAAM1C,MAAM,6DAA6DkB,gBAAAA,EAAkB;IAC7F;AACA,WAAOwB;EACT;EAEA,MAActB,gBACZ/C,MAKAE,SAC2B;AAC3B,UAAM2C,mBAAmB7C,KAAK6C;AAC9B,UAAMsB,UAAU,MAAM,KAAKA,QAAQnE,MAAME,OAAAA;AACzC,UAAMwE,iBAAiB,MAAM,KAAKN,UAAUpE,MAAME,OAAAA;AAClD,WAAO;MAAE2C;MAAkBsB;MAASO;IAAe;EACrD;EAEA,MAAc1B,kBACZhD,MAKAE,SACyB;AACzB,UAAM4C,eAAe,MAAM,KAAKC,gBAAgB/C,MAAME,OAAAA;AACtD,UAAMyE,WAAY,MAAMzE,QAAQoE,MAAMM,wBAAwB;MAC5DJ,cAAc;MACdC,eAAe3B,aAAaD;MAC5BuB,WAAWtB,aAAa4B;MACxBP,SAASrB,aAAaqB;IACxB,CAAA;AACA,QAAI,CAACQ,UAAU;AACb,YAAMhD,MAAM,wCAAwC3B,KAAK6C,gBAAgB,eAAe7C,KAAKoE,SAAS,cAAcpE,KAAKmE,OAAO,EAAE;IACpI;AACA,WAAOQ;EACT;EAEA,MAAcjB,wCACZ1D,MAKAE,SACsC;AACtC,UAAM4C,eAAe,MAAM,KAAKC,gBAAgB/C,MAAME,OAAAA;AACtD,UAAMyE,WAAY,MAAMzE,QAAQoE,MAAMM,wBAAwB;MAC5DJ,cAAc;MACdC,eAAe3B,aAAaD;MAC5BuB,WAAWtB,aAAa4B;MACxBP,SAASrB,aAAaqB;IACxB,CAAA;AACA,QAAI,CAACQ,UAAU;AACb,YAAMhD,MACJ,wBAAwB3B,KAAK6C,gBAAgB,sCAAsCC,aAAa4B,cAAc,cAAc5B,aAAaqB,OAAO,EAAE;IAEtJ;AACA,WAAOQ;EACT;EAEA,MAAcR,QAAQnE,MAA6BE,SAA6C;AAC9F,UAAMiE,UAAUnE,MAAMmE,WAAW,KAAKpE,OAAO8E,kBAAmB,MAAM3E,SAASoE,MAAMQ,2BAAAA;AACrF,QAAI,CAACX,SAAS;AACZ,YAAMxC,MAAM,iGAAA;IACd;AACA,WAAOwC;EACT;EAEA,MAAcC,UAAUpE,MAA+BE,SAA6C;AAClG,UAAMkE,YAAYpE,MAAMoE,aAAa,KAAKrE,OAAOgF,oBAAqB,MAAM7E,SAASoE,MAAMU,6BAAAA;AAC3F,QAAI,CAACZ,WAAW;AACd,YAAMzC,MAAM,mGAAA;IACd;AACA,WAAOyC;EACT;AACF;;;AG1PA,IAAMa,SAASC;","names":["WellKnownEndpoints","assertValidAccessTokenRequest","createAccessTokenResponse","retrieveWellknown","getAgentResolver","AuthorizationResponseStateStatus","VcIssuerBuilder","getAgentResolver","legacyKeyRefsToIdentifierOpts","contextHasPlugin","CredentialMapper","bytesToBase64","fetch","createJWT","decodeJWT","verifyJWT","jwtDecode","getJwtVerifyCallback","verifyOpts","_context","args","resolver","getAgentResolver","resolverResolution","uniresolverResolution","localResolution","resolve","result","agent","jwtVerifyJwsSignature","jws","jwt","error","identifier","signatures","Promise","reject","Error","jwkInfo","jwks","method","alg","jwk","header","jwtDecode","payload","kid","decodedJwt","decodeJWT","startsWith","did","split","didResult","verifyJWT","verified","console","log","didResolution","didDocument","didResolutionMetadata","getAccessTokenKeyRef","opts","context","legacyKeyRefsToIdentifierOpts","identifierManagedGet","getAccessTokenSignerCallback","signer","data","dataString","encoding","resolution","keyRef","kmsKeyRef","undefined","bytesToBase64","keyManagerSign","accessTokenSignerCallback","issuer","idOpts","didOpts","toString","iss","kidHeader","identifierOpts","createJWT","typ","getCredentialSignerCallback","issueVCCallback","jwtVerifyResult","format","statusLists","credential","proofFormat","includes","CredentialMapper","isW3cCredential","id","subjectIsArray","Array","isArray","credentialSubject","credentialSubjects","map","subject","contextHasPlugin","credentialStatusVC","slAddStatusToCredential","credentialStatus","statusListCredential","createVerifiableCredential","removeOriginalFields","fetchRemoteContexts","domain","proof","isSdJwtDecodedCredentialPayload","sdJwtPayload","iat","Math","floor","Date","getTime","disclosureFrame","_sd","status","status_list","length","sdJwtPayloadWithStatus","slAddStatusToSdJwtCredential","idx","statusList","statusListId","uri","statusListIndex","createSdJwtVc","credentialPayload","createVciIssuerBuilder","issuerOpts","issuerMetadata","authorizationServerMetadata","builder","VcIssuerBuilder","resolveOpts","jwtVerifyOpts","audience","credential_issuer","withIssuerMetadata","withAuthorizationMetadata","withCredentialSignerCallback","nonceEndpoint","withNonceEndpoint","nonce_endpoint","asClientOpts","withASClientMetadata","withJWTVerifyCallback","credentialDataSupplier","withCredentialDataSupplier","withInMemoryCNonceState","withInMemoryCredentialOfferState","withInMemoryCredentialOfferURIState","createVciIssuer","build","createAuthRequestUriCallback","authRequestUriCallback","path","replace","presentationDefinitionId","fetch","headers","then","response","text","responseData","json","authRequestURI","createVerifyAuthResponseCallback","verifyAuthResponseCallback","correlationId","body","JSON","stringify","definitionId","AuthorizationResponseStateStatus","VERIFIED","IssuerInstance","_issuer","_metadataOptions","_issuerOptions","_issuerMetadata","_authorizationServerMetadata","issuerOpts","metadataOpts","issuerMetadata","authorizationServerMetadata","get","opts","builder","createVciIssuerBuilder","issuerOptions","credentialDataSupplier","context","build","metadataOptions","value","credential_configurations_supported","OID4VCIIssuer","_DEFAULT_OPTS_KEY","instances","Map","schema","IDidAuthSiopOpAuthenticator","methods","oid4vciCreateOfferURI","bind","oid4vciIssueCredential","oid4vciCreateAccessTokenResponse","oid4vciGetInstance","_opts","opts","createArgs","context","then","instance","get","issuer","createCredentialOfferURI","response","result","returnSessions","session","issueArgs","issueCredential","accessTokenArgs","assertValidAccessTokenRequest","request","credentialOfferSessions","expirationDuration","accessTokenIssuer","issuerOptions","idOpts","didOpts","identifier","toString","Promise","reject","Error","createAccessTokenResponse","tokenExpiresIn","cNonceExpiresIn","cNonces","accessTokenSignerCallback","getAccessTokenSignerCallback","getExternalAS","issuerMetadata","Array","isArray","authorization_servers","find","as","credential_issuer","undefined","createIssuerInstance","args","credentialIssuer","metadataOpts","getMetadataOpts","getIssuerMetadata","externalAS","asMetadataResponse","retrieveWellknown","WellKnownEndpoints","OPENID_CONFIGURATION","errorOnNotFound","OAUTH_AS","authorizationServerMetadata","successBody","getAuthorizationServerMetadataFromStore","issuerOpts","getIssuerOptsFromStore","resolveOpts","resolver","getAgentResolver","set","IssuerInstance","has","storeId","namespace","options","agent","oid4vciStoreGetIssuerOpts","metadataType","correlationId","storeNamespace","metadata","oid4vciStoreGetMetadata","defaultStoreId","oid4vciStoreDefaultStoreId","defaultNamespace","oid4vciStoreDefaultNamespace","schema","require"]}
1
+ {"version":3,"sources":["../plugin.schema.json","../src/agent/OID4VCIIssuer.ts","../src/functions.ts","../src/IssuerInstance.ts","../src/index.ts"],"sourcesContent":["{\n \"IDidAuthSiopOpAuthenticator\": {\n \"components\": {\n \"schemas\": {\n \"IGetSiopSessionArgs\": {\n \"type\": \"object\",\n \"properties\": {\n \"sessionId\": {\n \"type\": \"string\"\n },\n \"additionalProperties\": false\n },\n \"required\": [\"sessionId\"],\n \"description\": \"Arguments needed for {@link DidAuthSiopOpAuthenticator.getSessionForSiop } \"\n },\n \"IRegisterSiopSessionArgs\": {\n \"type\": \"object\",\n \"properties\": {\n \"identifier\": {\n \"type\": \"object\",\n \"properties\": {\n \"did\": {\n \"type\": \"string\"\n },\n \"alias\": {\n \"type\": \"string\"\n },\n \"provider\": {\n \"type\": \"string\"\n },\n \"controllerKeyId\": {\n \"type\": \"string\"\n },\n \"keys\": {\n \"type\": \"array\",\n \"items\": {\n \"type\": \"object\",\n \"properties\": {\n \"additionalProperties\": true\n }\n }\n },\n \"services\": {\n \"type\": \"array\",\n \"items\": {\n \"type\": \"object\",\n \"properties\": {\n \"additionalProperties\": true\n }\n }\n }\n },\n \"additionalProperties\": false,\n \"required\": [\"did\", \"provider\", \"keys\", \"services\"]\n },\n \"sessionId\": {\n \"type\": \"string\"\n },\n \"expiresIn\": {\n \"type\": \"number\"\n },\n \"additionalProperties\": false\n },\n \"required\": [\"identifier\"],\n \"description\": \"Arguments needed for {@link DidAuthSiopOpAuthenticator.registerSessionForSiop } \"\n },\n \"IRemoveSiopSessionArgs\": {\n \"type\": \"object\",\n \"properties\": {\n \"sessionId\": {\n \"type\": \"string\"\n },\n \"additionalProperties\": false\n },\n \"required\": [\"sessionId\"],\n \"description\": \"Arguments needed for {@link DidAuthSiopOpAuthenticator.removeSessionForSiop } \"\n },\n \"IAuthenticateWithSiopArgs\": {\n \"type\": \"object\",\n \"properties\": {\n \"sessionId\": {\n \"type\": \"string\"\n },\n \"stateId\": {\n \"type\": \"string\"\n },\n \"redirectUrl\": {\n \"type\": \"string\"\n },\n \"additionalProperties\": false\n },\n \"required\": [\"sessionId\", \"stateId\", \"redirectUrl\"],\n \"description\": \"Arguments needed for {@link DidAuthSiopOpAuthenticator.authenticateWithSiop } \"\n },\n \"IResponse\": {\n \"type\": \"object\",\n \"properties\": {\n \"status\": {\n \"type\": \"number\"\n },\n \"additionalProperties\": true\n },\n \"required\": [\"status\"],\n \"description\": \"Result of {@link DidAuthSiopOpAuthenticator.authenticateWithSiop & DidAuthSiopOpAuthenticator.sendSiopAuthenticationResponse } \"\n },\n \"IGetSiopAuthenticationRequestFromRpArgs\": {\n \"type\": \"object\",\n \"properties\": {\n \"sessionId\": {\n \"type\": \"string\"\n },\n \"stateId\": {\n \"type\": \"string\"\n },\n \"redirectUrl\": {\n \"type\": \"string\"\n },\n \"additionalProperties\": false\n },\n \"required\": [\"sessionId\", \"stateId\", \"redirectUrl\"],\n \"description\": \"Arguments needed for {@link DidAuthSiopOpAuthenticator.getSiopAuthenticationRequestFromRP } \"\n },\n \"ParsedAuthenticationRequestURI\": {\n \"type\": \"object\",\n \"properties\": {\n \"jwt\": {\n \"type\": \"string\"\n },\n \"requestPayload\": {\n \"type\": \"object\",\n \"properties\": {\n \"additionalProperties\": true\n }\n },\n \"registration\": {\n \"type\": \"object\",\n \"properties\": {\n \"additionalProperties\": true\n }\n },\n \"additionalProperties\": false\n },\n \"required\": [\"jwt\", \"requestPayload\", \"registration\"],\n \"description\": \"Result of {@link DidAuthSiopOpAuthenticator.getSiopAuthenticationRequestFromRP } \"\n },\n \"IGetSiopAuthenticationRequestDetailsArgs\": {\n \"type\": \"object\",\n \"properties\": {\n \"sessionId\": {\n \"type\": \"string\"\n },\n \"verifiedAuthenticationRequest\": {\n \"type\": \"object\",\n \"properties\": {\n \"additionalProperties\": true\n }\n },\n \"credentialFilter\": {\n \"type\": \"object\",\n \"properties\": {\n \"additionalProperties\": true\n }\n },\n \"additionalProperties\": false\n },\n \"required\": [\"sessionId\", \"verifiedAuthenticationRequest\"],\n \"description\": \"Arguments needed for {@link DidAuthSiopOpAuthenticator.getSiopAuthenticationRequestDetails } \"\n },\n \"IAuthRequestDetails\": {\n \"type\": \"object\",\n \"properties\": {\n \"id\": {\n \"type\": \"string\"\n },\n \"alsoKnownAs\": {\n \"type\": \"array\",\n \"items\": {\n \"type\": \"string\"\n }\n },\n \"vpResponseOpts\": {\n \"type\": \"object\",\n \"properties\": {\n \"additionalProperties\": true\n }\n },\n \"additionalProperties\": false\n },\n \"required\": [\"id\", \"vpResponseOpts\"],\n \"description\": \"Result of {@link DidAuthSiopOpAuthenticator.getSiopAuthenticationRequestDetails } \"\n },\n \"IVerifySiopAuthenticationRequestUriArgs\": {\n \"type\": \"object\",\n \"properties\": {\n \"sessionId\": {\n \"type\": \"string\"\n },\n \"ParsedAuthenticationRequestURI\": {\n \"type\": \"object\",\n \"properties\": {\n \"additionalProperties\": true\n }\n },\n \"additionalProperties\": false\n },\n \"required\": [\"sessionId\", \"ParsedAuthenticationRequestURI\"],\n \"description\": \"Arguments needed for {@link DidAuthSiopOpAuthenticator.verifySiopAuthenticationRequestURI } \"\n },\n \"VerifiedAuthorizationRequest\": {\n \"type\": \"object\",\n \"properties\": {\n \"payload\": {\n \"type\": \"object\",\n \"properties\": {\n \"additionalProperties\": true\n }\n },\n \"presentationDefinitions\": {\n \"type\": \"object\",\n \"properties\": {\n \"additionalProperties\": true\n }\n },\n \"verifyOpts\": {\n \"type\": \"object\",\n \"properties\": {\n \"additionalProperties\": true\n }\n },\n \"additionalProperties\": false\n },\n \"required\": [\"payload\", \"verifyOpts\"],\n \"description\": \"Result of {@link DidAuthSiopOpAuthenticator.verifySiopAuthenticationRequestURI } \"\n },\n \"ISendSiopAuthenticationResponseArgs\": {\n \"type\": \"object\",\n \"properties\": {\n \"sessionId\": {\n \"type\": \"string\"\n },\n \"verifiedAuthenticationRequest\": {\n \"type\": \"object\",\n \"properties\": {\n \"additionalProperties\": true\n }\n },\n \"verifiablePresentationResponse\": {\n \"type\": \"object\",\n \"properties\": {\n \"additionalProperties\": true\n }\n },\n \"additionalProperties\": false\n },\n \"required\": [\"sessionId\", \"verifiedAuthenticationRequest\"],\n \"description\": \"Arguments needed for {@link DidAuthSiopOpAuthenticator.sendSiopAuthenticationResponse } \"\n }\n },\n \"methods\": {\n \"getSessionForSiop\": {\n \"description\": \"Get SIOP session\",\n \"arguments\": {\n \"$ref\": \"#/components/schemas/IGetSiopSessionArgs\"\n },\n \"returnType\": \"object\"\n },\n \"registerSessionForSiop\": {\n \"description\": \"Register SIOP session\",\n \"arguments\": {\n \"$ref\": \"#/components/schemas/IRegisterSiopSessionArgs\"\n },\n \"returnType\": \"object\"\n },\n \"removeSessionForSiop\": {\n \"description\": \"Remove SIOP session\",\n \"arguments\": {\n \"$ref\": \"#/components/schemas/IRemoveSiopSessionArgs\"\n },\n \"returnType\": \"boolean\"\n },\n \"authenticateWithSiop\": {\n \"description\": \"Authenticate using DID Auth SIOP\",\n \"arguments\": {\n \"$ref\": \"#/components/schemas/IAuthenticateWithSiopArgs\"\n },\n \"returnType\": {\n \"$ref\": \"#/components/schemas/Response\"\n }\n },\n \"getSiopAuthenticationRequestFromRP\": {\n \"description\": \"Get authentication request from RP\",\n \"arguments\": {\n \"$ref\": \"#/components/schemas/IGetSiopAuthenticationRequestFromRpArgs\"\n },\n \"returnType\": {\n \"$ref\": \"#/components/schemas/ParsedAuthenticationRequestURI\"\n }\n },\n \"getSiopAuthenticationRequestDetails\": {\n \"description\": \"Get authentication request details\",\n \"arguments\": {\n \"$ref\": \"#/components/schemas/IGetSiopAuthenticationRequestDetailsArgs\"\n },\n \"returnType\": {\n \"$ref\": \"#/components/schemas/IAuthRequestDetails\"\n }\n },\n \"verifySiopAuthenticationRequestURI\": {\n \"description\": \"Verify authentication request URI\",\n \"arguments\": {\n \"$ref\": \"#/components/schemas/IVerifySiopAuthenticationRequestUriArgs\"\n },\n \"returnType\": {\n \"$ref\": \"#/components/schemas/VerifiedAuthorizationRequest\"\n }\n },\n \"sendSiopAuthenticationResponse\": {\n \"description\": \"Send authentication response\",\n \"arguments\": {\n \"$ref\": \"#/components/schemas/ISendSiopAuthenticationResponseArgs\"\n },\n \"returnType\": {\n \"$ref\": \"#/components/schemas/IRequiredContext\"\n }\n }\n }\n }\n }\n}\n","import {retrieveWellknown} from '@sphereon/oid4vci-client'\nimport {\n AccessTokenResponse,\n AuthorizationServerMetadata,\n CredentialResponse,\n IssuerMetadata,\n OpenIDResponse,\n WellKnownEndpoints,\n} from '@sphereon/oid4vci-common'\nimport {assertValidAccessTokenRequest, createAccessTokenResponse, VcIssuer} from '@sphereon/oid4vci-issuer'\nimport {getAgentResolver} from '@sphereon/ssi-sdk-ext.did-utils'\nimport {IMetadataOptions} from '@sphereon/ssi-sdk.oid4vci-issuer-store'\nimport {IAgentPlugin} from '@veramo/core'\nimport {getAccessTokenSignerCallback} from '../functions'\nimport {\n IAssertValidAccessTokenArgs,\n ICreateCredentialOfferURIResult,\n ICreateOfferArgs,\n IIssueCredentialArgs,\n IIssuerInstanceArgs,\n IIssuerOptions,\n IOID4VCIIssuerOpts,\n IRefreshInstanceMetadata,\n IRequiredContext,\n schema,\n} from '../index'\nimport {IssuerInstance} from '../IssuerInstance'\nimport {IOID4VCIIssuer} from '../types/IOID4VCIIssuer'\n\nexport const oid4vciIssuerMethods: Array<string> = [\n 'oid4vciCreateOfferURI',\n 'oid4vciIssueCredential',\n 'oid4vciCreateAccessTokenResponse',\n 'oid4vciGetInstance',\n 'oid4vciRefreshInstanceMetadata',\n]\n\nexport class OID4VCIIssuer implements IAgentPlugin {\n private static readonly _DEFAULT_OPTS_KEY = '_default'\n private readonly instances: Map<string, IssuerInstance> = new Map()\n readonly schema = schema.IDidAuthSiopOpAuthenticator\n\n readonly methods: IOID4VCIIssuer = {\n oid4vciCreateOfferURI: this.oid4vciCreateOfferURI.bind(this),\n oid4vciIssueCredential: this.oid4vciIssueCredential.bind(this),\n oid4vciCreateAccessTokenResponse: this.oid4vciCreateAccessTokenResponse.bind(this),\n oid4vciGetInstance: this.oid4vciGetInstance.bind(this),\n oid4vciRefreshInstanceMetadata: this.oid4vciRefreshInstanceMetadata.bind(this),\n }\n private _opts: IOID4VCIIssuerOpts\n\n constructor(opts?: IOID4VCIIssuerOpts) {\n this._opts = opts ?? {}\n }\n\n private async oid4vciCreateOfferURI(createArgs: ICreateOfferArgs, context: IRequiredContext): Promise<ICreateCredentialOfferURIResult> {\n return await this.oid4vciGetInstance(createArgs, context)\n .then((instance) => instance.get({ context }))\n .then((issuer: VcIssuer) =>\n issuer.createCredentialOfferURI(createArgs).then((response) => {\n const result: ICreateCredentialOfferURIResult = response\n if (this._opts.returnSessions === false) {\n delete result.session\n }\n return result\n }),\n )\n }\n\n private async oid4vciIssueCredential(issueArgs: IIssueCredentialArgs, context: IRequiredContext): Promise<CredentialResponse> {\n return await this.oid4vciGetInstance(issueArgs, context)\n .then((instance) => instance.get({ context }))\n .then((issuer: VcIssuer) => issuer.issueCredential(issueArgs))\n }\n\n private async oid4vciCreateAccessTokenResponse(\n accessTokenArgs: IAssertValidAccessTokenArgs,\n context: IRequiredContext,\n ): Promise<AccessTokenResponse> {\n return await this.oid4vciGetInstance(accessTokenArgs, context).then(async (instance) => {\n const issuer = await instance.get({ context })\n\n await assertValidAccessTokenRequest(accessTokenArgs.request, {\n credentialOfferSessions: issuer.credentialOfferSessions,\n expirationDuration: accessTokenArgs.expirationDuration,\n })\n const accessTokenIssuer = instance.issuerOptions.idOpts?.issuer ?? instance.issuerOptions.didOpts?.idOpts.identifier.toString() // last part is legacy\n if (!accessTokenIssuer) {\n return Promise.reject(Error(`Could not determine access token issuer`))\n }\n return createAccessTokenResponse(accessTokenArgs.request, {\n accessTokenIssuer,\n tokenExpiresIn: accessTokenArgs.expirationDuration,\n cNonceExpiresIn: accessTokenArgs.expirationDuration,\n cNonces: issuer.cNonces,\n credentialOfferSessions: issuer.credentialOfferSessions,\n accessTokenSignerCallback: await getAccessTokenSignerCallback(instance.issuerOptions, context),\n })\n })\n }\n\n private getExternalAS(issuerMetadata: IssuerMetadata): string | undefined {\n if ('authorization_servers' in issuerMetadata && Array.isArray(issuerMetadata.authorization_servers)) {\n return issuerMetadata.authorization_servers.find((as) => as !== issuerMetadata.credential_issuer)\n }\n return undefined\n }\n\n private async createIssuerInstance(args: IIssuerInstanceArgs, context: IRequiredContext): Promise<IssuerInstance> {\n const credentialIssuer = args.credentialIssuer ?? OID4VCIIssuer._DEFAULT_OPTS_KEY\n //todo: prob doesn't make sense as credentialIssuer is mandatory anyway\n\n const metadataOpts = await this.getMetadataOpts({ ...args, credentialIssuer }, context)\n const issuerMetadata = await this.getIssuerMetadata({ ...args, credentialIssuer }, context)\n const externalAS = this.getExternalAS(issuerMetadata)\n let asMetadataResponse: OpenIDResponse<AuthorizationServerMetadata> | undefined = undefined\n if (externalAS) {\n // Let's try OIDC first and then fallback to OAuth2\n asMetadataResponse = await retrieveWellknown(externalAS, WellKnownEndpoints.OPENID_CONFIGURATION, {\n errorOnNotFound: false,\n })\n if (!asMetadataResponse) {\n asMetadataResponse = await retrieveWellknown(externalAS, WellKnownEndpoints.OAUTH_AS, {\n errorOnNotFound: true,\n })\n }\n }\n const authorizationServerMetadata = asMetadataResponse?.successBody\n ? asMetadataResponse!.successBody\n : await this.getAuthorizationServerMetadataFromStore(\n {\n ...args,\n credentialIssuer,\n },\n context,\n )\n const issuerOpts = await this.getIssuerOptsFromStore({ ...args, credentialIssuer }, context)\n if (!issuerOpts.resolveOpts) {\n issuerOpts.resolveOpts = { ...issuerOpts.didOpts?.resolveOpts, ...this._opts.resolveOpts }\n }\n if (!issuerOpts.resolveOpts?.resolver) {\n issuerOpts.resolveOpts.resolver = getAgentResolver(context)\n }\n\n this.instances.set(\n credentialIssuer,\n new IssuerInstance({\n issuerOpts,\n metadataOpts,\n issuerMetadata,\n authorizationServerMetadata,\n }),\n )\n\n return this.oid4vciGetInstance(args, context)\n }\n\n // TODO SSISDK-87 create proper solution to update issuer metadata\n public async oid4vciRefreshInstanceMetadata(args: IRefreshInstanceMetadata, context: IRequiredContext): Promise<boolean> {\n const instance = this.instances.get(args.credentialIssuer)\n if (instance) {\n instance.issuerMetadata = await this.getIssuerMetadata({ ...args }, context)\n return true\n }\n return false\n }\n\n public async oid4vciGetInstance(args: IIssuerInstanceArgs, context: IRequiredContext): Promise<IssuerInstance> {\n const credentialIssuer = args.credentialIssuer ?? OID4VCIIssuer._DEFAULT_OPTS_KEY\n //todo: prob doesn't make sense as credentialIssuer is mandatory anyway\n if (!this.instances.has(credentialIssuer)) {\n await this.createIssuerInstance(args, context)\n }\n return this.instances.get(credentialIssuer)!\n }\n\n private async getIssuerOptsFromStore(\n opts: {\n credentialIssuer: string\n storeId?: string\n namespace?: string\n },\n context: IRequiredContext,\n ): Promise<IIssuerOptions> {\n const credentialIssuer = opts.credentialIssuer\n const storeId = await this.storeId(opts, context)\n const namespace = await this.namespace(opts, context)\n const options = await context.agent.oid4vciStoreGetIssuerOpts({\n metadataType: 'issuer',\n correlationId: credentialIssuer,\n storeId,\n namespace,\n })\n if (!options) {\n throw Error(`Could not get specific nor default options for definition ${credentialIssuer}`)\n }\n return options\n }\n\n private async getMetadataOpts(\n opts: {\n credentialIssuer: string\n storeId?: string\n namespace?: string\n },\n context: IRequiredContext,\n ): Promise<IMetadataOptions> {\n const credentialIssuer = opts.credentialIssuer\n const storeId = await this.storeId(opts, context)\n const storeNamespace = await this.namespace(opts, context)\n return { credentialIssuer, storeId, storeNamespace }\n }\n\n private async getIssuerMetadata(\n opts: {\n credentialIssuer: string\n storeId?: string\n namespace?: string\n },\n context: IRequiredContext,\n ): Promise<IssuerMetadata> {\n const metadataOpts = await this.getMetadataOpts(opts, context)\n const metadata = (await context.agent.oid4vciStoreGetMetadata({\n metadataType: 'issuer',\n correlationId: metadataOpts.credentialIssuer,\n namespace: metadataOpts.storeNamespace,\n storeId: metadataOpts.storeId,\n })) as IssuerMetadata\n if (!metadata) {\n throw Error(`Issuer metadata not found for issuer ${opts.credentialIssuer}, namespace ${opts.namespace} and store ${opts.storeId}`)\n }\n return metadata\n }\n\n private async getAuthorizationServerMetadataFromStore(\n opts: {\n credentialIssuer: string\n storeId?: string\n namespace?: string\n },\n context: IRequiredContext,\n ): Promise<AuthorizationServerMetadata> {\n const metadataOpts = await this.getMetadataOpts(opts, context)\n const metadata = (await context.agent.oid4vciStoreGetMetadata({\n metadataType: 'authorizationServer',\n correlationId: metadataOpts.credentialIssuer,\n namespace: metadataOpts.storeNamespace,\n storeId: metadataOpts.storeId,\n })) as AuthorizationServerMetadata\n if (!metadata) {\n throw Error(\n `Authorization server ${opts.credentialIssuer} metadata not found for namespace ${metadataOpts.storeNamespace} and store ${metadataOpts.storeId}`,\n )\n }\n return metadata\n }\n\n private async storeId(opts?: { storeId?: string }, context?: IRequiredContext): Promise<string> {\n const storeId = opts?.storeId ?? this._opts?.defaultStoreId ?? (await context?.agent.oid4vciStoreDefaultStoreId())\n if (!storeId) {\n throw Error('Please provide a store id a default value, or provide the context for a global default store id')\n }\n return storeId\n }\n\n private async namespace(opts?: { namespace?: string }, context?: IRequiredContext): Promise<string> {\n const namespace = opts?.namespace ?? this._opts?.defaultNamespace ?? (await context?.agent.oid4vciStoreDefaultNamespace())\n if (!namespace) {\n throw Error('Please provide a namespace a default value, or provide the context for a global default namespace')\n }\n return namespace\n }\n}\n","import { AuthorizationResponseStateStatus } from '@sphereon/did-auth-siop'\nimport {\n AuthorizationServerMetadata,\n CredentialRequestV1_0_15,\n IssuerMetadata,\n Jwt,\n JWTHeader,\n JWTPayload,\n JwtVerifyResult,\n type OID4VCICredentialFormat,\n StatusListOpts,\n} from '@sphereon/oid4vci-common'\nimport { CredentialDataSupplier, CredentialIssuanceInput, CredentialSignerCallback, VcIssuer, VcIssuerBuilder } from '@sphereon/oid4vci-issuer'\nimport { getAgentResolver, IDIDOptions } from '@sphereon/ssi-sdk-ext.did-utils'\nimport { legacyKeyRefsToIdentifierOpts, ManagedIdentifierOptsOrResult, ManagedIdentifierResult } from '@sphereon/ssi-sdk-ext.identifier-resolution'\nimport { contextHasPlugin } from '@sphereon/ssi-sdk.agent-config'\nimport { SdJwtVcPayload } from '@sphereon/ssi-sdk.sd-jwt'\nimport { IStatusListPlugin } from '@sphereon/ssi-sdk.vc-status-list'\nimport { CompactSdJwtVc, CredentialMapper, ICredential, W3CVerifiableCredential } from '@sphereon/ssi-types'\nimport { CredentialPayload, ProofFormat } from '@veramo/core'\nimport { bytesToBase64 } from '@veramo/utils'\nimport fetch from 'cross-fetch'\nimport { createJWT, decodeJWT, JWTVerifyOptions, verifyJWT } from 'did-jwt'\nimport { Resolvable } from 'did-resolver'\nimport { jwtDecode } from 'jwt-decode'\nimport { IIssuerOptions, IRequiredContext } from './types/IOID4VCIIssuer'\n\nexport function getJwtVerifyCallback({ verifyOpts }: { verifyOpts?: JWTVerifyOptions }, _context: IRequiredContext) {\n return async (args: { jwt: string; kid?: string }): Promise<JwtVerifyResult> => {\n const resolver = getAgentResolver(_context, {\n resolverResolution: true,\n uniresolverResolution: true,\n localResolution: true,\n })\n verifyOpts = { ...verifyOpts, resolver: verifyOpts?.resolver } // Resolver separately as that is a function\n if (!verifyOpts?.resolver || typeof verifyOpts?.resolver?.resolve !== 'function') {\n verifyOpts.resolver = resolver\n }\n const result = await _context.agent.jwtVerifyJwsSignature({ jws: args.jwt })\n if (!result.error) {\n const identifier = result.jws.signatures[0].identifier\n if (!identifier) {\n return Promise.reject(Error('the jws did not contain a signature with an identifier'))\n }\n const jwkInfo = identifier.jwks[0]\n if (!jwkInfo) {\n return Promise.reject(Error(`the identifier of type ${identifier.method} is missing jwks (ExternalJwkInfo)`))\n }\n const { alg } = jwkInfo.jwk\n const header = jwtDecode<JWTHeader>(args.jwt, { header: true })\n const payload = jwtDecode<JWTPayload>(args.jwt, { header: false })\n const kid = args.kid ?? header.kid\n //const jwk = !kid ? jwkInfo.jwk : undefined // TODO double-check if this is correct\n const jwk = jwkInfo.jwk // FIXME workaround IATAB2B-57\n return {\n alg,\n ...identifier,\n jwt: { header, payload },\n ...(kid && { kid }),\n ...(jwk && { jwk }),\n } as JwtVerifyResult\n }\n\n const decodedJwt = (await decodeJWT(args.jwt)) as Jwt\n const kid = args.kid ?? decodedJwt.header.kid\n\n if (!kid || !kid.startsWith('did:')) {\n // No DID method present in header. We already performed the validation above. So return that\n return {\n alg: decodedJwt.header.alg,\n jwt: decodedJwt,\n } as JwtVerifyResult\n }\n const did = kid.split('#')[0]\n\n const didResult = await verifyJWT(args.jwt, verifyOpts)\n if (!didResult.verified) {\n console.log(`JWT invalid: ${args.jwt}`)\n throw Error('JWT did not verify successfully')\n }\n\n const didResolution = await resolver.resolve(did)\n if (!didResolution || !didResolution.didDocument) {\n throw Error(`Could not resolve did: ${did}, metadata: ${didResolution?.didResolutionMetadata}`)\n }\n\n const alg = decodedJwt.header.alg\n return {\n alg,\n kid,\n did,\n didDocument: didResolution.didDocument,\n jwt: decodedJwt,\n }\n }\n}\n\nexport async function getAccessTokenKeyRef(\n opts: {\n /**\n * Uniform identifier options\n */\n idOpts?: ManagedIdentifierOptsOrResult\n /**\n * @deprecated\n */\n iss?: string\n /**\n * @deprecated\n */\n keyRef?: string\n /**\n * @deprecated\n */\n didOpts?: IDIDOptions\n },\n context: IRequiredContext,\n) {\n let identifier = legacyKeyRefsToIdentifierOpts(opts)\n return await context.agent.identifierManagedGet(identifier)\n}\n\nexport async function getAccessTokenSignerCallback(\n opts: {\n /**\n * Uniform identifier options\n */\n idOpts?: ManagedIdentifierOptsOrResult\n /**\n * @deprecated\n */\n iss?: string\n /**\n * @deprecated\n */\n keyRef?: string\n /**\n * @deprecated\n */\n didOpts?: IDIDOptions\n },\n context: IRequiredContext,\n) {\n const resolution = legacyKeyRefsToIdentifierOpts(opts)\n const identifier = await context.agent.identifierManagedGet({\n identifier: resolution.identifier as string,\n vmRelationship: 'authentication',\n })\n\n const keyRef = identifier.kmsKeyRef\n if (!keyRef) {\n throw Error('Cannot sign access tokens without a key ref')\n }\n\n const signer = async (data: string | Uint8Array) => {\n let dataString, encoding: 'base64' | undefined\n\n if (typeof data === 'string') {\n dataString = data\n encoding = undefined\n } else {\n dataString = bytesToBase64(data)\n encoding = 'base64'\n }\n return context.agent.keyManagerSign({ keyRef, data: dataString, encoding })\n }\n\n async function accessTokenSignerCallback(jwt: Jwt, kid?: string): Promise<string> {\n const issuer =\n opts.idOpts?.issuer ??\n (typeof opts.idOpts?.identifier === 'string' ? opts.idOpts.identifier : (opts.didOpts?.idOpts?.identifier?.toString() ?? opts?.iss))\n if (!issuer) {\n throw Error('No issuer configured for access tokens')\n }\n\n let kidHeader: string | undefined = jwt?.header?.kid ?? kid\n if (!kidHeader && identifier.kid) {\n kidHeader = identifier.kid\n }\n if (!kidHeader) {\n if (\n opts.idOpts?.method === 'did' ||\n opts.idOpts?.method === 'kid' ||\n (typeof opts.didOpts?.idOpts.identifier === 'string' && opts.didOpts?.idOpts?.identifier?.startsWith('did:'))\n ) {\n // @ts-ignore\n kidHeader = opts.idOpts?.kid ?? opts.didOpts?.idOpts?.kid ?? opts?.didOpts?.identifierOpts?.kid\n }\n }\n\n const alg = identifier.jwk?.alg\n if (!alg) {\n return Promise.reject(Error('No algorithm found in identifier JWK'))\n }\n\n return await createJWT(\n jwt.payload,\n { signer, issuer },\n { ...jwt.header, ...(kidHeader && { kid: kidHeader }), typ: 'JWT', alg },\n )\n }\n\n return accessTokenSignerCallback\n}\n\nexport async function getCredentialSignerCallback(\n idOpts: ManagedIdentifierOptsOrResult & {\n crypto?: Crypto\n },\n context: IRequiredContext,\n): Promise<CredentialSignerCallback> {\n async function issueVCCallback(args: {\n credentialRequest: CredentialRequestV1_0_15\n credential: CredentialIssuanceInput\n jwtVerifyResult: JwtVerifyResult\n format?: OID4VCICredentialFormat\n statusLists?: Array<StatusListOpts>\n }): Promise<W3CVerifiableCredential | CompactSdJwtVc> {\n const { jwtVerifyResult, format, statusLists } = args\n const credential = args.credential as ICredential // TODO: SDJWT\n let proofFormat: ProofFormat\n\n let resolution: ManagedIdentifierResult\n if (typeof idOpts.identifier !== 'string') {\n resolution = idOpts as ManagedIdentifierResult\n } else {\n resolution = await context.agent.identifierManagedGet({\n identifier: idOpts.identifier,\n vmRelationship: 'assertionMethod',\n })\n }\n proofFormat = format?.includes('ld') ? 'lds' : 'jwt'\n const issuer = resolution.issuer ?? resolution.kmsKeyRef\n\n if (CredentialMapper.isW3cCredential(credential)) {\n if (!credential.issuer) {\n credential.issuer = { id: issuer }\n } else if (typeof credential.issuer === 'object' && !credential.issuer.id) {\n credential.issuer.id = issuer\n }\n const subjectIsArray = Array.isArray(credential.credentialSubject)\n let credentialSubjects = Array.isArray(credential.credentialSubject) ? credential.credentialSubject : [credential.credentialSubject]\n credentialSubjects = credentialSubjects.map((subject) => {\n if (!subject.id) {\n subject.id = jwtVerifyResult.did\n }\n return subject\n })\n credential.credentialSubject = subjectIsArray ? credentialSubjects : credentialSubjects[0]\n\n // TODO: We should extend the plugin capabilities of issuance so we do not have to tuck this into the sign callback\n if (contextHasPlugin<IStatusListPlugin>(context, 'slAddStatusToCredential')) {\n // Add status list if enabled (and when the input has a credentialStatus object (can be empty))\n const credentialStatusVC = await context.agent.slAddStatusToCredential({ credential, statusLists })\n if (credential.credentialStatus && !credential.credentialStatus.statusListCredential) {\n credential.credentialStatus = credentialStatusVC.credentialStatus\n }\n }\n\n const result = await context.agent.createVerifiableCredential({\n credential: credential as CredentialPayload,\n proofFormat,\n removeOriginalFields: false,\n fetchRemoteContexts: true,\n domain: typeof credential.issuer === 'object' ? credential.issuer.id : credential.issuer,\n ...(resolution.kid && { header: { kid: resolution.kid } }),\n })\n return (proofFormat === 'jwt' && 'jwt' in result.proof ? result.proof.jwt : result) as W3CVerifiableCredential\n } else if (CredentialMapper.isSdJwtDecodedCredentialPayload(credential)) {\n const sdJwtPayload = credential as SdJwtVcPayload\n if (sdJwtPayload.iss === undefined) {\n sdJwtPayload.iss = issuer\n }\n if (sdJwtPayload.iat === undefined) {\n sdJwtPayload.iat = Math.floor(new Date().getTime() / 1000)\n }\n\n let disclosureFrame\n if ('disclosureFrame' in credential) {\n disclosureFrame = credential['disclosureFrame']\n delete credential['disclosureFrame']\n } else {\n disclosureFrame = {\n _sd: credential['_sd'],\n }\n }\n\n if (contextHasPlugin<IStatusListPlugin>(context, 'slAddStatusToSdJwtCredential')) {\n if ((sdJwtPayload.status && sdJwtPayload.status.status_list) || (statusLists && statusLists.length > 0)) {\n // Add status list if enabled (and when the input has a credentialStatus object (can be empty))\n const sdJwtPayloadWithStatus = await context.agent.slAddStatusToSdJwtCredential({ credential: sdJwtPayload, statusLists })\n if (sdJwtPayload.status?.status_list?.idx) {\n if (!sdJwtPayloadWithStatus.status || !sdJwtPayloadWithStatus.status.status_list) {\n // sdJwtPayload and sdJwtPayloadWithStatus is the same for now, but we should use the result anyway as this could be subject to change\n return Promise.reject(Error('slAddStatusToSdJwtCredential did not return a status_list'))\n }\n\n // Update statusListId & statusListIndex back to the credential session TODO SSISDK-4 This is not a clean way to do this.\n if (statusLists && statusLists.length > 0) {\n const statusList = statusLists[0]\n statusList.statusListId = sdJwtPayloadWithStatus.status.status_list.uri\n statusList.statusListIndex = sdJwtPayloadWithStatus.status.status_list.idx\n }\n sdJwtPayload.status.status_list.idx = sdJwtPayloadWithStatus.status.status_list.idx\n }\n }\n }\n\n const result = await context.agent.createSdJwtVc({\n credentialPayload: sdJwtPayload,\n disclosureFrame: disclosureFrame,\n resolution,\n })\n return result.credential\n } /*else if (CredentialMapper.isMsoMdocDecodedCredential(credential)) {\n TODO\n }*/\n return Promise.reject('VC issuance failed, an incorrect or unsupported credential was supplied')\n }\n\n return issueVCCallback\n}\n\nexport async function createVciIssuerBuilder(\n args: {\n issuerOpts: IIssuerOptions\n issuerMetadata: IssuerMetadata\n authorizationServerMetadata: AuthorizationServerMetadata\n resolver?: Resolvable\n credentialDataSupplier?: CredentialDataSupplier\n },\n context: IRequiredContext,\n): Promise<VcIssuerBuilder> {\n const { issuerOpts, issuerMetadata, authorizationServerMetadata } = args\n\n const builder = new VcIssuerBuilder()\n // @ts-ignore\n const resolver =\n args.resolver ??\n args?.issuerOpts?.didOpts?.resolveOpts?.resolver ??\n args.issuerOpts?.didOpts?.resolveOpts?.jwtVerifyOpts?.resolver ??\n getAgentResolver(context)\n if (!resolver) {\n throw Error('A Resolver is necessary to verify DID JWTs')\n }\n const idOpts = legacyKeyRefsToIdentifierOpts({ didOpts: issuerOpts.didOpts, idOpts: issuerOpts.idOpts })\n const jwtVerifyOpts: JWTVerifyOptions = {\n ...issuerOpts?.didOpts?.resolveOpts?.jwtVerifyOpts,\n ...args?.issuerOpts?.resolveOpts?.jwtVerifyOpts,\n resolver,\n audience: issuerMetadata.credential_issuer as string, // FIXME legacy version had {display: NameAndLocale | NameAndLocale[]} as credential_issuer\n }\n builder.withIssuerMetadata(issuerMetadata)\n builder.withAuthorizationMetadata(authorizationServerMetadata)\n // builder.withUserPinRequired(issuerOpts.userPinRequired ?? false) was removed from implementers draft v1\n builder.withCredentialSignerCallback(await getCredentialSignerCallback(idOpts, context))\n if (issuerOpts.nonceEndpoint) {\n builder.withNonceEndpoint(issuerOpts.nonceEndpoint)\n } else if (issuerMetadata.nonce_endpoint) {\n builder.withNonceEndpoint(issuerOpts.nonceEndpoint ?? issuerMetadata.nonce_endpoint)\n }\n\n if (issuerOpts.asClientOpts) {\n builder.withASClientMetadata(issuerOpts.asClientOpts)\n // @ts-ignore\n // const authorizationServer = issuerMetadata.authorization_servers[0] as string\n // Set the OIDC verifier\n // builder.withJWTVerifyCallback(oidcAccessTokenVerifyCallback({clientMetadata: issuerOpts.asClientOpts, credentialIssuer: issuerMetadata.credential_issuer as string, authorizationServer}))\n }\n // Do not use it when asClient is used\n builder.withJWTVerifyCallback(getJwtVerifyCallback({ verifyOpts: jwtVerifyOpts }, context))\n\n if (args.credentialDataSupplier) {\n builder.withCredentialDataSupplier(args.credentialDataSupplier)\n }\n builder.withInMemoryCNonceState()\n builder.withInMemoryCredentialOfferState()\n builder.withInMemoryCredentialOfferURIState()\n\n return builder\n}\n\nexport async function createVciIssuer(\n {\n issuerOpts,\n issuerMetadata,\n authorizationServerMetadata,\n credentialDataSupplier,\n }: {\n issuerOpts: IIssuerOptions\n issuerMetadata: IssuerMetadata\n authorizationServerMetadata: AuthorizationServerMetadata\n credentialDataSupplier?: CredentialDataSupplier\n },\n context: IRequiredContext,\n): Promise<VcIssuer> {\n return (\n await createVciIssuerBuilder(\n {\n issuerOpts,\n issuerMetadata,\n authorizationServerMetadata,\n credentialDataSupplier,\n },\n context,\n )\n ).build()\n}\n\nexport async function createAuthRequestUriCallback(opts: { path: string; presentationDefinitionId: string }): Promise<() => Promise<string>> {\n async function authRequestUriCallback(): Promise<string> {\n const path = opts.path.replace(':definitionId', opts.presentationDefinitionId)\n return fetch(path, {\n method: 'POST',\n headers: {\n 'Content-Type': 'application/json',\n },\n }).then(async (response): Promise<string> => {\n if (response.status >= 400) {\n return Promise.reject(Error(await response.text()))\n } else {\n const responseData = await response.json()\n\n if (!responseData.authRequestURI) {\n return Promise.reject(Error('Missing auth request uri in response body'))\n }\n\n return responseData.authRequestURI\n }\n })\n }\n\n return authRequestUriCallback\n}\n\nexport async function createVerifyAuthResponseCallback(opts: {\n path: string\n presentationDefinitionId: string\n}): Promise<(correlationId: string) => Promise<boolean>> {\n async function verifyAuthResponseCallback(correlationId: string): Promise<boolean> {\n return fetch(opts.path, {\n method: 'POST',\n headers: {\n 'Content-Type': 'application/json',\n },\n body: JSON.stringify({ definitionId: opts.presentationDefinitionId, correlationId }),\n }).then(async (response): Promise<boolean> => {\n if (response.status >= 400) {\n return Promise.reject(Error(await response.text()))\n } else {\n const responseData = await response.json()\n\n if (!responseData.status) {\n return Promise.reject(Error('Missing status in response body'))\n }\n\n return responseData.status === AuthorizationResponseStateStatus.VERIFIED\n }\n })\n }\n\n return verifyAuthResponseCallback\n}\n","import { CredentialDataSupplier, VcIssuer } from '@sphereon/oid4vci-issuer'\nimport { createVciIssuerBuilder } from './functions'\nimport { AuthorizationServerMetadata, IssuerMetadata } from '@sphereon/oid4vci-common'\nimport { IIssuerOptions, IMetadataOptions, IRequiredContext } from './types/IOID4VCIIssuer'\n\nexport class IssuerInstance {\n private _issuer: VcIssuer | undefined\n private readonly _metadataOptions: IMetadataOptions\n private readonly _issuerOptions: IIssuerOptions\n private _issuerMetadata: IssuerMetadata\n private readonly _authorizationServerMetadata: AuthorizationServerMetadata\n\n public constructor({\n issuerOpts,\n metadataOpts,\n issuerMetadata,\n authorizationServerMetadata,\n }: {\n issuerOpts: IIssuerOptions\n metadataOpts: IMetadataOptions\n issuerMetadata: IssuerMetadata\n authorizationServerMetadata: AuthorizationServerMetadata\n }) {\n this._issuerOptions = issuerOpts\n this._metadataOptions = metadataOpts\n this._issuerMetadata = issuerMetadata\n this._authorizationServerMetadata = authorizationServerMetadata\n }\n\n public async get(opts: { context: IRequiredContext; credentialDataSupplier?: CredentialDataSupplier }): Promise<VcIssuer> {\n if (!this._issuer) {\n const builder = await createVciIssuerBuilder(\n {\n issuerOpts: this.issuerOptions,\n issuerMetadata: this.issuerMetadata,\n authorizationServerMetadata: this.authorizationServerMetadata,\n credentialDataSupplier: opts?.credentialDataSupplier,\n },\n opts.context,\n )\n this._issuer = builder.build()\n }\n return this._issuer\n }\n\n get issuerOptions() {\n return this._issuerOptions\n }\n\n get metadataOptions() {\n return this._metadataOptions\n }\n\n get issuerMetadata() {\n return this._issuerMetadata\n }\n\n set issuerMetadata(value: IssuerMetadata) {\n // TODO SSISDK-87 create proper solution to update issuer metadata\n if (this._issuer?.issuerMetadata) {\n this._issuer.issuerMetadata = {\n ...this._issuer?.issuerMetadata,\n credential_configurations_supported: value.credential_configurations_supported\n }\n }\n\n this._issuerMetadata = value\n }\n\n get authorizationServerMetadata() {\n return this._authorizationServerMetadata\n }\n}\n","/**\n * @public\n */\nconst schema = require('../plugin.schema.json')\nexport { schema }\nexport { OID4VCIIssuer, oid4vciIssuerMethods } from './agent/OID4VCIIssuer'\nexport * from './functions'\nexport * from './IssuerInstance'\nexport * from './types/IOID4VCIIssuer'\n"],"mappings":";;;;;;;;AAAA;AAAA;AAAA;AAAA,MACE,6BAA+B;AAAA,QAC7B,YAAc;AAAA,UACZ,SAAW;AAAA,YACT,qBAAuB;AAAA,cACrB,MAAQ;AAAA,cACR,YAAc;AAAA,gBACZ,WAAa;AAAA,kBACX,MAAQ;AAAA,gBACV;AAAA,gBACA,sBAAwB;AAAA,cAC1B;AAAA,cACA,UAAY,CAAC,WAAW;AAAA,cACxB,aAAe;AAAA,YACjB;AAAA,YACA,0BAA4B;AAAA,cAC1B,MAAQ;AAAA,cACR,YAAc;AAAA,gBACZ,YAAc;AAAA,kBACZ,MAAQ;AAAA,kBACR,YAAc;AAAA,oBACZ,KAAO;AAAA,sBACL,MAAQ;AAAA,oBACV;AAAA,oBACA,OAAS;AAAA,sBACP,MAAQ;AAAA,oBACV;AAAA,oBACA,UAAY;AAAA,sBACV,MAAQ;AAAA,oBACV;AAAA,oBACA,iBAAmB;AAAA,sBACjB,MAAQ;AAAA,oBACV;AAAA,oBACA,MAAQ;AAAA,sBACN,MAAQ;AAAA,sBACR,OAAS;AAAA,wBACP,MAAQ;AAAA,wBACR,YAAc;AAAA,0BACZ,sBAAwB;AAAA,wBAC1B;AAAA,sBACF;AAAA,oBACF;AAAA,oBACA,UAAY;AAAA,sBACV,MAAQ;AAAA,sBACR,OAAS;AAAA,wBACP,MAAQ;AAAA,wBACR,YAAc;AAAA,0BACZ,sBAAwB;AAAA,wBAC1B;AAAA,sBACF;AAAA,oBACF;AAAA,kBACF;AAAA,kBACA,sBAAwB;AAAA,kBACxB,UAAY,CAAC,OAAO,YAAY,QAAQ,UAAU;AAAA,gBACpD;AAAA,gBACA,WAAa;AAAA,kBACX,MAAQ;AAAA,gBACV;AAAA,gBACA,WAAa;AAAA,kBACX,MAAQ;AAAA,gBACV;AAAA,gBACA,sBAAwB;AAAA,cAC1B;AAAA,cACA,UAAY,CAAC,YAAY;AAAA,cACzB,aAAe;AAAA,YACjB;AAAA,YACA,wBAA0B;AAAA,cACxB,MAAQ;AAAA,cACR,YAAc;AAAA,gBACZ,WAAa;AAAA,kBACX,MAAQ;AAAA,gBACV;AAAA,gBACA,sBAAwB;AAAA,cAC1B;AAAA,cACA,UAAY,CAAC,WAAW;AAAA,cACxB,aAAe;AAAA,YACjB;AAAA,YACA,2BAA6B;AAAA,cAC3B,MAAQ;AAAA,cACR,YAAc;AAAA,gBACZ,WAAa;AAAA,kBACX,MAAQ;AAAA,gBACV;AAAA,gBACA,SAAW;AAAA,kBACT,MAAQ;AAAA,gBACV;AAAA,gBACA,aAAe;AAAA,kBACb,MAAQ;AAAA,gBACV;AAAA,gBACA,sBAAwB;AAAA,cAC1B;AAAA,cACA,UAAY,CAAC,aAAa,WAAW,aAAa;AAAA,cAClD,aAAe;AAAA,YACjB;AAAA,YACA,WAAa;AAAA,cACX,MAAQ;AAAA,cACR,YAAc;AAAA,gBACZ,QAAU;AAAA,kBACR,MAAQ;AAAA,gBACV;AAAA,gBACA,sBAAwB;AAAA,cAC1B;AAAA,cACA,UAAY,CAAC,QAAQ;AAAA,cACrB,aAAe;AAAA,YACjB;AAAA,YACA,yCAA2C;AAAA,cACzC,MAAQ;AAAA,cACR,YAAc;AAAA,gBACZ,WAAa;AAAA,kBACX,MAAQ;AAAA,gBACV;AAAA,gBACA,SAAW;AAAA,kBACT,MAAQ;AAAA,gBACV;AAAA,gBACA,aAAe;AAAA,kBACb,MAAQ;AAAA,gBACV;AAAA,gBACA,sBAAwB;AAAA,cAC1B;AAAA,cACA,UAAY,CAAC,aAAa,WAAW,aAAa;AAAA,cAClD,aAAe;AAAA,YACjB;AAAA,YACA,gCAAkC;AAAA,cAChC,MAAQ;AAAA,cACR,YAAc;AAAA,gBACZ,KAAO;AAAA,kBACL,MAAQ;AAAA,gBACV;AAAA,gBACA,gBAAkB;AAAA,kBAChB,MAAQ;AAAA,kBACR,YAAc;AAAA,oBACZ,sBAAwB;AAAA,kBAC1B;AAAA,gBACF;AAAA,gBACA,cAAgB;AAAA,kBACd,MAAQ;AAAA,kBACR,YAAc;AAAA,oBACZ,sBAAwB;AAAA,kBAC1B;AAAA,gBACF;AAAA,gBACA,sBAAwB;AAAA,cAC1B;AAAA,cACA,UAAY,CAAC,OAAO,kBAAkB,cAAc;AAAA,cACpD,aAAe;AAAA,YACjB;AAAA,YACA,0CAA4C;AAAA,cAC1C,MAAQ;AAAA,cACR,YAAc;AAAA,gBACZ,WAAa;AAAA,kBACX,MAAQ;AAAA,gBACV;AAAA,gBACA,+BAAiC;AAAA,kBAC/B,MAAQ;AAAA,kBACR,YAAc;AAAA,oBACZ,sBAAwB;AAAA,kBAC1B;AAAA,gBACF;AAAA,gBACA,kBAAoB;AAAA,kBAClB,MAAQ;AAAA,kBACR,YAAc;AAAA,oBACZ,sBAAwB;AAAA,kBAC1B;AAAA,gBACF;AAAA,gBACA,sBAAwB;AAAA,cAC1B;AAAA,cACA,UAAY,CAAC,aAAa,+BAA+B;AAAA,cACzD,aAAe;AAAA,YACjB;AAAA,YACA,qBAAuB;AAAA,cACrB,MAAQ;AAAA,cACR,YAAc;AAAA,gBACZ,IAAM;AAAA,kBACJ,MAAQ;AAAA,gBACV;AAAA,gBACA,aAAe;AAAA,kBACb,MAAQ;AAAA,kBACR,OAAS;AAAA,oBACP,MAAQ;AAAA,kBACV;AAAA,gBACF;AAAA,gBACA,gBAAkB;AAAA,kBAChB,MAAQ;AAAA,kBACR,YAAc;AAAA,oBACZ,sBAAwB;AAAA,kBAC1B;AAAA,gBACF;AAAA,gBACA,sBAAwB;AAAA,cAC1B;AAAA,cACA,UAAY,CAAC,MAAM,gBAAgB;AAAA,cACnC,aAAe;AAAA,YACjB;AAAA,YACA,yCAA2C;AAAA,cACzC,MAAQ;AAAA,cACR,YAAc;AAAA,gBACZ,WAAa;AAAA,kBACX,MAAQ;AAAA,gBACV;AAAA,gBACA,gCAAkC;AAAA,kBAChC,MAAQ;AAAA,kBACR,YAAc;AAAA,oBACZ,sBAAwB;AAAA,kBAC1B;AAAA,gBACF;AAAA,gBACA,sBAAwB;AAAA,cAC1B;AAAA,cACA,UAAY,CAAC,aAAa,gCAAgC;AAAA,cAC1D,aAAe;AAAA,YACjB;AAAA,YACA,8BAAgC;AAAA,cAC9B,MAAQ;AAAA,cACR,YAAc;AAAA,gBACZ,SAAW;AAAA,kBACT,MAAQ;AAAA,kBACR,YAAc;AAAA,oBACZ,sBAAwB;AAAA,kBAC1B;AAAA,gBACF;AAAA,gBACA,yBAA2B;AAAA,kBACzB,MAAQ;AAAA,kBACR,YAAc;AAAA,oBACZ,sBAAwB;AAAA,kBAC1B;AAAA,gBACF;AAAA,gBACA,YAAc;AAAA,kBACZ,MAAQ;AAAA,kBACR,YAAc;AAAA,oBACZ,sBAAwB;AAAA,kBAC1B;AAAA,gBACF;AAAA,gBACA,sBAAwB;AAAA,cAC1B;AAAA,cACA,UAAY,CAAC,WAAW,YAAY;AAAA,cACpC,aAAe;AAAA,YACjB;AAAA,YACA,qCAAuC;AAAA,cACrC,MAAQ;AAAA,cACR,YAAc;AAAA,gBACZ,WAAa;AAAA,kBACX,MAAQ;AAAA,gBACV;AAAA,gBACA,+BAAiC;AAAA,kBAC/B,MAAQ;AAAA,kBACR,YAAc;AAAA,oBACZ,sBAAwB;AAAA,kBAC1B;AAAA,gBACF;AAAA,gBACA,gCAAkC;AAAA,kBAChC,MAAQ;AAAA,kBACR,YAAc;AAAA,oBACZ,sBAAwB;AAAA,kBAC1B;AAAA,gBACF;AAAA,gBACA,sBAAwB;AAAA,cAC1B;AAAA,cACA,UAAY,CAAC,aAAa,+BAA+B;AAAA,cACzD,aAAe;AAAA,YACjB;AAAA,UACF;AAAA,UACA,SAAW;AAAA,YACT,mBAAqB;AAAA,cACnB,aAAe;AAAA,cACf,WAAa;AAAA,gBACX,MAAQ;AAAA,cACV;AAAA,cACA,YAAc;AAAA,YAChB;AAAA,YACA,wBAA0B;AAAA,cACxB,aAAe;AAAA,cACf,WAAa;AAAA,gBACX,MAAQ;AAAA,cACV;AAAA,cACA,YAAc;AAAA,YAChB;AAAA,YACA,sBAAwB;AAAA,cACtB,aAAe;AAAA,cACf,WAAa;AAAA,gBACX,MAAQ;AAAA,cACV;AAAA,cACA,YAAc;AAAA,YAChB;AAAA,YACA,sBAAwB;AAAA,cACtB,aAAe;AAAA,cACf,WAAa;AAAA,gBACX,MAAQ;AAAA,cACV;AAAA,cACA,YAAc;AAAA,gBACZ,MAAQ;AAAA,cACV;AAAA,YACF;AAAA,YACA,oCAAsC;AAAA,cACpC,aAAe;AAAA,cACf,WAAa;AAAA,gBACX,MAAQ;AAAA,cACV;AAAA,cACA,YAAc;AAAA,gBACZ,MAAQ;AAAA,cACV;AAAA,YACF;AAAA,YACA,qCAAuC;AAAA,cACrC,aAAe;AAAA,cACf,WAAa;AAAA,gBACX,MAAQ;AAAA,cACV;AAAA,cACA,YAAc;AAAA,gBACZ,MAAQ;AAAA,cACV;AAAA,YACF;AAAA,YACA,oCAAsC;AAAA,cACpC,aAAe;AAAA,cACf,WAAa;AAAA,gBACX,MAAQ;AAAA,cACV;AAAA,cACA,YAAc;AAAA,gBACZ,MAAQ;AAAA,cACV;AAAA,YACF;AAAA,YACA,gCAAkC;AAAA,cAChC,aAAe;AAAA,cACf,WAAa;AAAA,gBACX,MAAQ;AAAA,cACV;AAAA,cACA,YAAc;AAAA,gBACZ,MAAQ;AAAA,cACV;AAAA,YACF;AAAA,UACF;AAAA,QACF;AAAA,MACF;AAAA,IACF;AAAA;AAAA;;;ACxUA,SAAQA,yBAAwB;AAChC,SAMIC,0BACG;AACP,SAAQC,+BAA+BC,iCAA0C;AACjF,SAAQC,oBAAAA,yBAAuB;;;ACV/B,SAASC,wCAAwC;AAYjD,SAA8FC,uBAAuB;AACrH,SAASC,wBAAqC;AAC9C,SAASC,qCAA6F;AACtG,SAASC,wBAAwB;AAGjC,SAAyBC,wBAA8D;AAEvF,SAASC,qBAAqB;AAC9B,OAAOC,WAAW;AAClB,SAASC,WAAWC,WAA6BC,iBAAiB;AAElE,SAASC,iBAAiB;AAGnB,SAASC,qBAAqB,EAAEC,WAAU,GAAuCC,UAA0B;AAChH,SAAO,OAAOC,SAAAA;AACZ,UAAMC,WAAWC,iBAAiBH,UAAU;MAC1CI,oBAAoB;MACpBC,uBAAuB;MACvBC,iBAAiB;IACnB,CAAA;AACAP,iBAAa;MAAE,GAAGA;MAAYG,UAAUH,YAAYG;IAAS;AAC7D,QAAI,CAACH,YAAYG,YAAY,OAAOH,YAAYG,UAAUK,YAAY,YAAY;AAChFR,iBAAWG,WAAWA;IACxB;AACA,UAAMM,SAAS,MAAMR,SAASS,MAAMC,sBAAsB;MAAEC,KAAKV,KAAKW;IAAI,CAAA;AAC1E,QAAI,CAACJ,OAAOK,OAAO;AACjB,YAAMC,aAAaN,OAAOG,IAAII,WAAW,CAAA,EAAGD;AAC5C,UAAI,CAACA,YAAY;AACf,eAAOE,QAAQC,OAAOC,MAAM,wDAAA,CAAA;MAC9B;AACA,YAAMC,UAAUL,WAAWM,KAAK,CAAA;AAChC,UAAI,CAACD,SAAS;AACZ,eAAOH,QAAQC,OAAOC,MAAM,0BAA0BJ,WAAWO,MAAM,oCAAoC,CAAA;MAC7G;AACA,YAAM,EAAEC,KAAAA,KAAG,IAAKH,QAAQI;AACxB,YAAMC,SAASC,UAAqBxB,KAAKW,KAAK;QAAEY,QAAQ;MAAK,CAAA;AAC7D,YAAME,UAAUD,UAAsBxB,KAAKW,KAAK;QAAEY,QAAQ;MAAM,CAAA;AAChE,YAAMG,OAAM1B,KAAK0B,OAAOH,OAAOG;AAE/B,YAAMJ,MAAMJ,QAAQI;AACpB,aAAO;QACLD,KAAAA;QACA,GAAGR;QACHF,KAAK;UAAEY;UAAQE;QAAQ;QACvB,GAAIC,QAAO;UAAEA,KAAAA;QAAI;QACjB,GAAIJ,OAAO;UAAEA;QAAI;MACnB;IACF;AAEA,UAAMK,aAAc,MAAMC,UAAU5B,KAAKW,GAAG;AAC5C,UAAMe,MAAM1B,KAAK0B,OAAOC,WAAWJ,OAAOG;AAE1C,QAAI,CAACA,OAAO,CAACA,IAAIG,WAAW,MAAA,GAAS;AAEnC,aAAO;QACLR,KAAKM,WAAWJ,OAAOF;QACvBV,KAAKgB;MACP;IACF;AACA,UAAMG,MAAMJ,IAAIK,MAAM,GAAA,EAAK,CAAA;AAE3B,UAAMC,YAAY,MAAMC,UAAUjC,KAAKW,KAAKb,UAAAA;AAC5C,QAAI,CAACkC,UAAUE,UAAU;AACvBC,cAAQC,IAAI,gBAAgBpC,KAAKW,GAAG,EAAE;AACtC,YAAMM,MAAM,iCAAA;IACd;AAEA,UAAMoB,gBAAgB,MAAMpC,SAASK,QAAQwB,GAAAA;AAC7C,QAAI,CAACO,iBAAiB,CAACA,cAAcC,aAAa;AAChD,YAAMrB,MAAM,0BAA0Ba,GAAAA,eAAkBO,eAAeE,qBAAAA,EAAuB;IAChG;AAEA,UAAMlB,MAAMM,WAAWJ,OAAOF;AAC9B,WAAO;MACLA;MACAK;MACAI;MACAQ,aAAaD,cAAcC;MAC3B3B,KAAKgB;IACP;EACF;AACF;AApEgB9B;AAsEhB,eAAsB2C,qBACpBC,MAkBAC,SAAyB;AAEzB,MAAI7B,aAAa8B,8BAA8BF,IAAAA;AAC/C,SAAO,MAAMC,QAAQlC,MAAMoC,qBAAqB/B,UAAAA;AAClD;AAvBsB2B;AAyBtB,eAAsBK,6BACpBJ,MAkBAC,SAAyB;AAEzB,QAAMI,aAAaH,8BAA8BF,IAAAA;AACjD,QAAM5B,aAAa,MAAM6B,QAAQlC,MAAMoC,qBAAqB;IAC1D/B,YAAYiC,WAAWjC;IACvBkC,gBAAgB;EAClB,CAAA;AAEA,QAAMC,SAASnC,WAAWoC;AAC1B,MAAI,CAACD,QAAQ;AACX,UAAM/B,MAAM,6CAAA;EACd;AAEA,QAAMiC,SAAS,8BAAOC,SAAAA;AACpB,QAAIC,YAAYC;AAEhB,QAAI,OAAOF,SAAS,UAAU;AAC5BC,mBAAaD;AACbE,iBAAWC;IACb,OAAO;AACLF,mBAAaG,cAAcJ,IAAAA;AAC3BE,iBAAW;IACb;AACA,WAAOX,QAAQlC,MAAMgD,eAAe;MAAER;MAAQG,MAAMC;MAAYC;IAAS,CAAA;EAC3E,GAXe;AAaf,iBAAeI,0BAA0B9C,KAAUe,KAAY;AAC7D,UAAMgC,SACJjB,KAAKkB,QAAQD,WACZ,OAAOjB,KAAKkB,QAAQ9C,eAAe,WAAW4B,KAAKkB,OAAO9C,aAAc4B,KAAKmB,SAASD,QAAQ9C,YAAYgD,SAAAA,KAAcpB,MAAMqB;AACjI,QAAI,CAACJ,QAAQ;AACX,YAAMzC,MAAM,wCAAA;IACd;AAEA,QAAI8C,YAAgCpD,KAAKY,QAAQG,OAAOA;AACxD,QAAI,CAACqC,aAAalD,WAAWa,KAAK;AAChCqC,kBAAYlD,WAAWa;IACzB;AACA,QAAI,CAACqC,WAAW;AACd,UACEtB,KAAKkB,QAAQvC,WAAW,SACxBqB,KAAKkB,QAAQvC,WAAW,SACvB,OAAOqB,KAAKmB,SAASD,OAAO9C,eAAe,YAAY4B,KAAKmB,SAASD,QAAQ9C,YAAYgB,WAAW,MAAA,GACrG;AAEAkC,oBAAYtB,KAAKkB,QAAQjC,OAAOe,KAAKmB,SAASD,QAAQjC,OAAOe,MAAMmB,SAASI,gBAAgBtC;MAC9F;IACF;AAEA,UAAML,MAAMR,WAAWS,KAAKD;AAC5B,QAAI,CAACA,KAAK;AACR,aAAON,QAAQC,OAAOC,MAAM,sCAAA,CAAA;IAC9B;AAEA,WAAO,MAAMgD,UACXtD,IAAIc,SACJ;MAAEyB;MAAQQ;IAAO,GACjB;MAAE,GAAG/C,IAAIY;MAAQ,GAAIwC,aAAa;QAAErC,KAAKqC;MAAU;MAAIG,KAAK;MAAO7C;IAAI,CAAA;EAE3E;AAjCeoC;AAmCf,SAAOA;AACT;AAjFsBZ;AAmFtB,eAAsBsB,4BACpBR,QAGAjB,SAAyB;AAEzB,iBAAe0B,gBAAgBpE,MAM9B;AACC,UAAM,EAAEqE,iBAAiBC,QAAQC,YAAW,IAAKvE;AACjD,UAAMwE,aAAaxE,KAAKwE;AACxB,QAAIC;AAEJ,QAAI3B;AACJ,QAAI,OAAOa,OAAO9C,eAAe,UAAU;AACzCiC,mBAAaa;IACf,OAAO;AACLb,mBAAa,MAAMJ,QAAQlC,MAAMoC,qBAAqB;QACpD/B,YAAY8C,OAAO9C;QACnBkC,gBAAgB;MAClB,CAAA;IACF;AACA0B,kBAAcH,QAAQI,SAAS,IAAA,IAAQ,QAAQ;AAC/C,UAAMhB,SAASZ,WAAWY,UAAUZ,WAAWG;AAE/C,QAAI0B,iBAAiBC,gBAAgBJ,UAAAA,GAAa;AAChD,UAAI,CAACA,WAAWd,QAAQ;AACtBc,mBAAWd,SAAS;UAAEmB,IAAInB;QAAO;MACnC,WAAW,OAAOc,WAAWd,WAAW,YAAY,CAACc,WAAWd,OAAOmB,IAAI;AACzEL,mBAAWd,OAAOmB,KAAKnB;MACzB;AACA,YAAMoB,iBAAiBC,MAAMC,QAAQR,WAAWS,iBAAiB;AACjE,UAAIC,qBAAqBH,MAAMC,QAAQR,WAAWS,iBAAiB,IAAIT,WAAWS,oBAAoB;QAACT,WAAWS;;AAClHC,2BAAqBA,mBAAmBC,IAAI,CAACC,YAAAA;AAC3C,YAAI,CAACA,QAAQP,IAAI;AACfO,kBAAQP,KAAKR,gBAAgBvC;QAC/B;AACA,eAAOsD;MACT,CAAA;AACAZ,iBAAWS,oBAAoBH,iBAAiBI,qBAAqBA,mBAAmB,CAAA;AAGxF,UAAIG,iBAAoC3C,SAAS,yBAAA,GAA4B;AAE3E,cAAM4C,qBAAqB,MAAM5C,QAAQlC,MAAM+E,wBAAwB;UAAEf;UAAYD;QAAY,CAAA;AACjG,YAAIC,WAAWgB,oBAAoB,CAAChB,WAAWgB,iBAAiBC,sBAAsB;AACpFjB,qBAAWgB,mBAAmBF,mBAAmBE;QACnD;MACF;AAEA,YAAMjF,SAAS,MAAMmC,QAAQlC,MAAMkF,2BAA2B;QAC5DlB;QACAC;QACAkB,sBAAsB;QACtBC,qBAAqB;QACrBC,QAAQ,OAAOrB,WAAWd,WAAW,WAAWc,WAAWd,OAAOmB,KAAKL,WAAWd;QAClF,GAAIZ,WAAWpB,OAAO;UAAEH,QAAQ;YAAEG,KAAKoB,WAAWpB;UAAI;QAAE;MAC1D,CAAA;AACA,aAAQ+C,gBAAgB,SAAS,SAASlE,OAAOuF,QAAQvF,OAAOuF,MAAMnF,MAAMJ;IAC9E,WAAWoE,iBAAiBoB,gCAAgCvB,UAAAA,GAAa;AACvE,YAAMwB,eAAexB;AACrB,UAAIwB,aAAalC,QAAQR,QAAW;AAClC0C,qBAAalC,MAAMJ;MACrB;AACA,UAAIsC,aAAaC,QAAQ3C,QAAW;AAClC0C,qBAAaC,MAAMC,KAAKC,OAAM,oBAAIC,KAAAA,GAAOC,QAAO,IAAK,GAAA;MACvD;AAEA,UAAIC;AACJ,UAAI,qBAAqB9B,YAAY;AACnC8B,0BAAkB9B,WAAW,iBAAA;AAC7B,eAAOA,WAAW,iBAAA;MACpB,OAAO;AACL8B,0BAAkB;UAChBC,KAAK/B,WAAW,KAAA;QAClB;MACF;AAEA,UAAIa,iBAAoC3C,SAAS,8BAAA,GAAiC;AAChF,YAAKsD,aAAaQ,UAAUR,aAAaQ,OAAOC,eAAiBlC,eAAeA,YAAYmC,SAAS,GAAI;AAEvG,gBAAMC,yBAAyB,MAAMjE,QAAQlC,MAAMoG,6BAA6B;YAAEpC,YAAYwB;YAAczB;UAAY,CAAA;AACxH,cAAIyB,aAAaQ,QAAQC,aAAaI,KAAK;AACzC,gBAAI,CAACF,uBAAuBH,UAAU,CAACG,uBAAuBH,OAAOC,aAAa;AAEhF,qBAAO1F,QAAQC,OAAOC,MAAM,2DAAA,CAAA;YAC9B;AAGA,gBAAIsD,eAAeA,YAAYmC,SAAS,GAAG;AACzC,oBAAMI,aAAavC,YAAY,CAAA;AAC/BuC,yBAAWC,eAAeJ,uBAAuBH,OAAOC,YAAYO;AACpEF,yBAAWG,kBAAkBN,uBAAuBH,OAAOC,YAAYI;YACzE;AACAb,yBAAaQ,OAAOC,YAAYI,MAAMF,uBAAuBH,OAAOC,YAAYI;UAClF;QACF;MACF;AAEA,YAAMtG,SAAS,MAAMmC,QAAQlC,MAAM0G,cAAc;QAC/CC,mBAAmBnB;QACnBM;QACAxD;MACF,CAAA;AACA,aAAOvC,OAAOiE;IAChB;AAGA,WAAOzD,QAAQC,OAAO,yEAAA;EACxB;AA3GeoD;AA6Gf,SAAOA;AACT;AApHsBD;AAsHtB,eAAsBiD,uBACpBpH,MAOA0C,SAAyB;AAEzB,QAAM,EAAE2E,YAAYC,gBAAgBC,4BAA2B,IAAKvH;AAEpE,QAAMwH,UAAU,IAAIC,gBAAAA;AAEpB,QAAMxH,WACJD,KAAKC,YACLD,MAAMqH,YAAYzD,SAAS8D,aAAazH,YACxCD,KAAKqH,YAAYzD,SAAS8D,aAAaC,eAAe1H,YACtDC,iBAAiBwC,OAAAA;AACnB,MAAI,CAACzC,UAAU;AACb,UAAMgB,MAAM,4CAAA;EACd;AACA,QAAM0C,SAAShB,8BAA8B;IAAEiB,SAASyD,WAAWzD;IAASD,QAAQ0D,WAAW1D;EAAO,CAAA;AACtG,QAAMgE,gBAAkC;IACtC,GAAGN,YAAYzD,SAAS8D,aAAaC;IACrC,GAAG3H,MAAMqH,YAAYK,aAAaC;IAClC1H;IACA2H,UAAUN,eAAeO;EAC3B;AACAL,UAAQM,mBAAmBR,cAAAA;AAC3BE,UAAQO,0BAA0BR,2BAAAA;AAElCC,UAAQQ,6BAA6B,MAAM7D,4BAA4BR,QAAQjB,OAAAA,CAAAA;AAC/E,MAAI2E,WAAWY,eAAe;AAC5BT,YAAQU,kBAAkBb,WAAWY,aAAa;EACpD,WAAWX,eAAea,gBAAgB;AACxCX,YAAQU,kBAAkBb,WAAWY,iBAAiBX,eAAea,cAAc;EACrF;AAEA,MAAId,WAAWe,cAAc;AAC3BZ,YAAQa,qBAAqBhB,WAAWe,YAAY;EAKtD;AAEAZ,UAAQc,sBAAsBzI,qBAAqB;IAAEC,YAAY6H;EAAc,GAAGjF,OAAAA,CAAAA;AAElF,MAAI1C,KAAKuI,wBAAwB;AAC/Bf,YAAQgB,2BAA2BxI,KAAKuI,sBAAsB;EAChE;AACAf,UAAQiB,wBAAuB;AAC/BjB,UAAQkB,iCAAgC;AACxClB,UAAQmB,oCAAmC;AAE3C,SAAOnB;AACT;AAzDsBJ;AA2DtB,eAAsBwB,gBACpB,EACEvB,YACAC,gBACAC,6BACAgB,uBAAsB,GAOxB7F,SAAyB;AAEzB,UACE,MAAM0E,uBACJ;IACEC;IACAC;IACAC;IACAgB;EACF,GACA7F,OAAAA,GAEFmG,MAAK;AACT;AAzBsBD;AA2BtB,eAAsBE,6BAA6BrG,MAAwD;AACzG,iBAAesG,yBAAAA;AACb,UAAMC,OAAOvG,KAAKuG,KAAKC,QAAQ,iBAAiBxG,KAAKyG,wBAAwB;AAC7E,WAAOC,MAAMH,MAAM;MACjB5H,QAAQ;MACRgI,SAAS;QACP,gBAAgB;MAClB;IACF,CAAA,EAAGC,KAAK,OAAOC,aAAAA;AACb,UAAIA,SAAS9C,UAAU,KAAK;AAC1B,eAAOzF,QAAQC,OAAOC,MAAM,MAAMqI,SAASC,KAAI,CAAA,CAAA;MACjD,OAAO;AACL,cAAMC,eAAe,MAAMF,SAASG,KAAI;AAExC,YAAI,CAACD,aAAaE,gBAAgB;AAChC,iBAAO3I,QAAQC,OAAOC,MAAM,2CAAA,CAAA;QAC9B;AAEA,eAAOuI,aAAaE;MACtB;IACF,CAAA;EACF;AApBeX;AAsBf,SAAOA;AACT;AAxBsBD;AA0BtB,eAAsBa,iCAAiClH,MAGtD;AACC,iBAAemH,2BAA2BC,eAAqB;AAC7D,WAAOV,MAAM1G,KAAKuG,MAAM;MACtB5H,QAAQ;MACRgI,SAAS;QACP,gBAAgB;MAClB;MACAU,MAAMC,KAAKC,UAAU;QAAEC,cAAcxH,KAAKyG;QAA0BW;MAAc,CAAA;IACpF,CAAA,EAAGR,KAAK,OAAOC,aAAAA;AACb,UAAIA,SAAS9C,UAAU,KAAK;AAC1B,eAAOzF,QAAQC,OAAOC,MAAM,MAAMqI,SAASC,KAAI,CAAA,CAAA;MACjD,OAAO;AACL,cAAMC,eAAe,MAAMF,SAASG,KAAI;AAExC,YAAI,CAACD,aAAahD,QAAQ;AACxB,iBAAOzF,QAAQC,OAAOC,MAAM,iCAAA,CAAA;QAC9B;AAEA,eAAOuI,aAAahD,WAAW0D,iCAAiCC;MAClE;IACF,CAAA;EACF;AApBeP;AAsBf,SAAOA;AACT;AA3BsBD;;;AC9af,IAAMS,iBAAN,MAAMA;EAJb,OAIaA;;;EACHC;EACSC;EACAC;EACTC;EACSC;EAEjB,YAAmB,EACjBC,YACAC,cACAC,gBACAC,4BAA2B,GAM1B;AACD,SAAKN,iBAAiBG;AACtB,SAAKJ,mBAAmBK;AACxB,SAAKH,kBAAkBI;AACvB,SAAKH,+BAA+BI;EACtC;EAEA,MAAaC,IAAIC,MAAyG;AACxH,QAAI,CAAC,KAAKV,SAAS;AACjB,YAAMW,UAAU,MAAMC,uBACpB;QACEP,YAAY,KAAKQ;QACjBN,gBAAgB,KAAKA;QACrBC,6BAA6B,KAAKA;QAClCM,wBAAwBJ,MAAMI;MAChC,GACAJ,KAAKK,OAAO;AAEd,WAAKf,UAAUW,QAAQK,MAAK;IAC9B;AACA,WAAO,KAAKhB;EACd;EAEA,IAAIa,gBAAgB;AAClB,WAAO,KAAKX;EACd;EAEA,IAAIe,kBAAkB;AACpB,WAAO,KAAKhB;EACd;EAEA,IAAIM,iBAAiB;AACnB,WAAO,KAAKJ;EACd;EAEA,IAAII,eAAeW,OAAuB;AAExC,QAAI,KAAKlB,SAASO,gBAAgB;AAChC,WAAKP,QAAQO,iBAAiB;QAC5B,GAAG,KAAKP,SAASO;QACjBY,qCAAqCD,MAAMC;MAC7C;IACF;AAEA,SAAKhB,kBAAkBe;EACzB;EAEA,IAAIV,8BAA8B;AAChC,WAAO,KAAKJ;EACd;AACF;;;AF3CO,IAAMgB,uBAAsC;EACjD;EACA;EACA;EACA;EACA;;AAGK,IAAMC,gBAAN,MAAMA,eAAAA;EArCb,OAqCaA;;;EACX,OAAwBC,oBAAoB;EAC3BC,YAAyC,oBAAIC,IAAAA;EACrDC,SAASA,OAAOC;EAEhBC,UAA0B;IACjCC,uBAAuB,KAAKA,sBAAsBC,KAAK,IAAI;IAC3DC,wBAAwB,KAAKA,uBAAuBD,KAAK,IAAI;IAC7DE,kCAAkC,KAAKA,iCAAiCF,KAAK,IAAI;IACjFG,oBAAoB,KAAKA,mBAAmBH,KAAK,IAAI;IACrDI,gCAAgC,KAAKA,+BAA+BJ,KAAK,IAAI;EAC/E;EACQK;EAER,YAAYC,MAA2B;AACrC,SAAKD,QAAQC,QAAQ,CAAC;EACxB;EAEA,MAAcP,sBAAsBQ,YAA8BC,SAAqE;AACrI,WAAO,MAAM,KAAKL,mBAAmBI,YAAYC,OAAAA,EAC9CC,KAAK,CAACC,aAAaA,SAASC,IAAI;MAAEH;IAAQ,CAAA,CAAA,EAC1CC,KAAK,CAACG,WACLA,OAAOC,yBAAyBN,UAAAA,EAAYE,KAAK,CAACK,aAAAA;AAChD,YAAMC,SAA0CD;AAChD,UAAI,KAAKT,MAAMW,mBAAmB,OAAO;AACvC,eAAOD,OAAOE;MAChB;AACA,aAAOF;IACT,CAAA,CAAA;EAEN;EAEA,MAAcd,uBAAuBiB,WAAiCV,SAAwD;AAC5H,WAAO,MAAM,KAAKL,mBAAmBe,WAAWV,OAAAA,EAC7CC,KAAK,CAACC,aAAaA,SAASC,IAAI;MAAEH;IAAQ,CAAA,CAAA,EAC1CC,KAAK,CAACG,WAAqBA,OAAOO,gBAAgBD,SAAAA,CAAAA;EACvD;EAEA,MAAchB,iCACZkB,iBACAZ,SAC8B;AAC9B,WAAO,MAAM,KAAKL,mBAAmBiB,iBAAiBZ,OAAAA,EAASC,KAAK,OAAOC,aAAAA;AACzE,YAAME,SAAS,MAAMF,SAASC,IAAI;QAAEH;MAAQ,CAAA;AAE5C,YAAMa,8BAA8BD,gBAAgBE,SAAS;QAC3DC,yBAAyBX,OAAOW;QAChCC,oBAAoBJ,gBAAgBI;MACtC,CAAA;AACA,YAAMC,oBAAoBf,SAASgB,cAAcC,QAAQf,UAAUF,SAASgB,cAAcE,SAASD,OAAOE,WAAWC,SAAAA;AACrH,UAAI,CAACL,mBAAmB;AACtB,eAAOM,QAAQC,OAAOC,MAAM,yCAAyC,CAAA;MACvE;AACA,aAAOC,0BAA0Bd,gBAAgBE,SAAS;QACxDG;QACAU,gBAAgBf,gBAAgBI;QAChCY,iBAAiBhB,gBAAgBI;QACjCa,SAASzB,OAAOyB;QAChBd,yBAAyBX,OAAOW;QAChCe,2BAA2B,MAAMC,6BAA6B7B,SAASgB,eAAelB,OAAAA;MACxF,CAAA;IACF,CAAA;EACF;EAEQgC,cAAcC,gBAAoD;AACxE,QAAI,2BAA2BA,kBAAkBC,MAAMC,QAAQF,eAAeG,qBAAqB,GAAG;AACpG,aAAOH,eAAeG,sBAAsBC,KAAK,CAACC,OAAOA,OAAOL,eAAeM,iBAAiB;IAClG;AACA,WAAOC;EACT;EAEA,MAAcC,qBAAqBC,MAA2B1C,SAAoD;AAChH,UAAM2C,mBAAmBD,KAAKC,oBAAoB3D,eAAcC;AAGhE,UAAM2D,eAAe,MAAM,KAAKC,gBAAgB;MAAE,GAAGH;MAAMC;IAAiB,GAAG3C,OAAAA;AAC/E,UAAMiC,iBAAiB,MAAM,KAAKa,kBAAkB;MAAE,GAAGJ;MAAMC;IAAiB,GAAG3C,OAAAA;AACnF,UAAM+C,aAAa,KAAKf,cAAcC,cAAAA;AACtC,QAAIe,qBAA8ER;AAClF,QAAIO,YAAY;AAEdC,2BAAqB,MAAMC,kBAAkBF,YAAYG,mBAAmBC,sBAAsB;QAChGC,iBAAiB;MACnB,CAAA;AACA,UAAI,CAACJ,oBAAoB;AACvBA,6BAAqB,MAAMC,kBAAkBF,YAAYG,mBAAmBG,UAAU;UACpFD,iBAAiB;QACnB,CAAA;MACF;IACF;AACA,UAAME,8BAA8BN,oBAAoBO,cACpDP,mBAAoBO,cACpB,MAAM,KAAKC,wCACT;MACE,GAAGd;MACHC;IACF,GACA3C,OAAAA;AAEN,UAAMyD,aAAa,MAAM,KAAKC,uBAAuB;MAAE,GAAGhB;MAAMC;IAAiB,GAAG3C,OAAAA;AACpF,QAAI,CAACyD,WAAWE,aAAa;AAC3BF,iBAAWE,cAAc;QAAE,GAAGF,WAAWrC,SAASuC;QAAa,GAAG,KAAK9D,MAAM8D;MAAY;IAC3F;AACA,QAAI,CAACF,WAAWE,aAAaC,UAAU;AACrCH,iBAAWE,YAAYC,WAAWC,kBAAiB7D,OAAAA;IACrD;AAEA,SAAKd,UAAU4E,IACbnB,kBACA,IAAIoB,eAAe;MACjBN;MACAb;MACAX;MACAqB;IACF,CAAA,CAAA;AAGF,WAAO,KAAK3D,mBAAmB+C,MAAM1C,OAAAA;EACvC;;EAGA,MAAaJ,+BAA+B8C,MAAgC1C,SAA6C;AACvH,UAAME,WAAW,KAAKhB,UAAUiB,IAAIuC,KAAKC,gBAAgB;AACzD,QAAIzC,UAAU;AACZA,eAAS+B,iBAAiB,MAAM,KAAKa,kBAAkB;QAAE,GAAGJ;MAAK,GAAG1C,OAAAA;AACpE,aAAO;IACT;AACA,WAAO;EACT;EAEA,MAAaL,mBAAmB+C,MAA2B1C,SAAoD;AAC7G,UAAM2C,mBAAmBD,KAAKC,oBAAoB3D,eAAcC;AAEhE,QAAI,CAAC,KAAKC,UAAU8E,IAAIrB,gBAAAA,GAAmB;AACzC,YAAM,KAAKF,qBAAqBC,MAAM1C,OAAAA;IACxC;AACA,WAAO,KAAKd,UAAUiB,IAAIwC,gBAAAA;EAC5B;EAEA,MAAce,uBACZ5D,MAKAE,SACyB;AACzB,UAAM2C,mBAAmB7C,KAAK6C;AAC9B,UAAMsB,UAAU,MAAM,KAAKA,QAAQnE,MAAME,OAAAA;AACzC,UAAMkE,YAAY,MAAM,KAAKA,UAAUpE,MAAME,OAAAA;AAC7C,UAAMmE,UAAU,MAAMnE,QAAQoE,MAAMC,0BAA0B;MAC5DC,cAAc;MACdC,eAAe5B;MACfsB;MACAC;IACF,CAAA;AACA,QAAI,CAACC,SAAS;AACZ,YAAM1C,MAAM,6DAA6DkB,gBAAAA,EAAkB;IAC7F;AACA,WAAOwB;EACT;EAEA,MAActB,gBACZ/C,MAKAE,SAC2B;AAC3B,UAAM2C,mBAAmB7C,KAAK6C;AAC9B,UAAMsB,UAAU,MAAM,KAAKA,QAAQnE,MAAME,OAAAA;AACzC,UAAMwE,iBAAiB,MAAM,KAAKN,UAAUpE,MAAME,OAAAA;AAClD,WAAO;MAAE2C;MAAkBsB;MAASO;IAAe;EACrD;EAEA,MAAc1B,kBACZhD,MAKAE,SACyB;AACzB,UAAM4C,eAAe,MAAM,KAAKC,gBAAgB/C,MAAME,OAAAA;AACtD,UAAMyE,WAAY,MAAMzE,QAAQoE,MAAMM,wBAAwB;MAC5DJ,cAAc;MACdC,eAAe3B,aAAaD;MAC5BuB,WAAWtB,aAAa4B;MACxBP,SAASrB,aAAaqB;IACxB,CAAA;AACA,QAAI,CAACQ,UAAU;AACb,YAAMhD,MAAM,wCAAwC3B,KAAK6C,gBAAgB,eAAe7C,KAAKoE,SAAS,cAAcpE,KAAKmE,OAAO,EAAE;IACpI;AACA,WAAOQ;EACT;EAEA,MAAcjB,wCACZ1D,MAKAE,SACsC;AACtC,UAAM4C,eAAe,MAAM,KAAKC,gBAAgB/C,MAAME,OAAAA;AACtD,UAAMyE,WAAY,MAAMzE,QAAQoE,MAAMM,wBAAwB;MAC5DJ,cAAc;MACdC,eAAe3B,aAAaD;MAC5BuB,WAAWtB,aAAa4B;MACxBP,SAASrB,aAAaqB;IACxB,CAAA;AACA,QAAI,CAACQ,UAAU;AACb,YAAMhD,MACJ,wBAAwB3B,KAAK6C,gBAAgB,sCAAsCC,aAAa4B,cAAc,cAAc5B,aAAaqB,OAAO,EAAE;IAEtJ;AACA,WAAOQ;EACT;EAEA,MAAcR,QAAQnE,MAA6BE,SAA6C;AAC9F,UAAMiE,UAAUnE,MAAMmE,WAAW,KAAKpE,OAAO8E,kBAAmB,MAAM3E,SAASoE,MAAMQ,2BAAAA;AACrF,QAAI,CAACX,SAAS;AACZ,YAAMxC,MAAM,iGAAA;IACd;AACA,WAAOwC;EACT;EAEA,MAAcC,UAAUpE,MAA+BE,SAA6C;AAClG,UAAMkE,YAAYpE,MAAMoE,aAAa,KAAKrE,OAAOgF,oBAAqB,MAAM7E,SAASoE,MAAMU,6BAAAA;AAC3F,QAAI,CAACZ,WAAW;AACd,YAAMzC,MAAM,mGAAA;IACd;AACA,WAAOyC;EACT;AACF;;;AG7QA,IAAMa,SAASC;","names":["retrieveWellknown","WellKnownEndpoints","assertValidAccessTokenRequest","createAccessTokenResponse","getAgentResolver","AuthorizationResponseStateStatus","VcIssuerBuilder","getAgentResolver","legacyKeyRefsToIdentifierOpts","contextHasPlugin","CredentialMapper","bytesToBase64","fetch","createJWT","decodeJWT","verifyJWT","jwtDecode","getJwtVerifyCallback","verifyOpts","_context","args","resolver","getAgentResolver","resolverResolution","uniresolverResolution","localResolution","resolve","result","agent","jwtVerifyJwsSignature","jws","jwt","error","identifier","signatures","Promise","reject","Error","jwkInfo","jwks","method","alg","jwk","header","jwtDecode","payload","kid","decodedJwt","decodeJWT","startsWith","did","split","didResult","verifyJWT","verified","console","log","didResolution","didDocument","didResolutionMetadata","getAccessTokenKeyRef","opts","context","legacyKeyRefsToIdentifierOpts","identifierManagedGet","getAccessTokenSignerCallback","resolution","vmRelationship","keyRef","kmsKeyRef","signer","data","dataString","encoding","undefined","bytesToBase64","keyManagerSign","accessTokenSignerCallback","issuer","idOpts","didOpts","toString","iss","kidHeader","identifierOpts","createJWT","typ","getCredentialSignerCallback","issueVCCallback","jwtVerifyResult","format","statusLists","credential","proofFormat","includes","CredentialMapper","isW3cCredential","id","subjectIsArray","Array","isArray","credentialSubject","credentialSubjects","map","subject","contextHasPlugin","credentialStatusVC","slAddStatusToCredential","credentialStatus","statusListCredential","createVerifiableCredential","removeOriginalFields","fetchRemoteContexts","domain","proof","isSdJwtDecodedCredentialPayload","sdJwtPayload","iat","Math","floor","Date","getTime","disclosureFrame","_sd","status","status_list","length","sdJwtPayloadWithStatus","slAddStatusToSdJwtCredential","idx","statusList","statusListId","uri","statusListIndex","createSdJwtVc","credentialPayload","createVciIssuerBuilder","issuerOpts","issuerMetadata","authorizationServerMetadata","builder","VcIssuerBuilder","resolveOpts","jwtVerifyOpts","audience","credential_issuer","withIssuerMetadata","withAuthorizationMetadata","withCredentialSignerCallback","nonceEndpoint","withNonceEndpoint","nonce_endpoint","asClientOpts","withASClientMetadata","withJWTVerifyCallback","credentialDataSupplier","withCredentialDataSupplier","withInMemoryCNonceState","withInMemoryCredentialOfferState","withInMemoryCredentialOfferURIState","createVciIssuer","build","createAuthRequestUriCallback","authRequestUriCallback","path","replace","presentationDefinitionId","fetch","headers","then","response","text","responseData","json","authRequestURI","createVerifyAuthResponseCallback","verifyAuthResponseCallback","correlationId","body","JSON","stringify","definitionId","AuthorizationResponseStateStatus","VERIFIED","IssuerInstance","_issuer","_metadataOptions","_issuerOptions","_issuerMetadata","_authorizationServerMetadata","issuerOpts","metadataOpts","issuerMetadata","authorizationServerMetadata","get","opts","builder","createVciIssuerBuilder","issuerOptions","credentialDataSupplier","context","build","metadataOptions","value","credential_configurations_supported","oid4vciIssuerMethods","OID4VCIIssuer","_DEFAULT_OPTS_KEY","instances","Map","schema","IDidAuthSiopOpAuthenticator","methods","oid4vciCreateOfferURI","bind","oid4vciIssueCredential","oid4vciCreateAccessTokenResponse","oid4vciGetInstance","oid4vciRefreshInstanceMetadata","_opts","opts","createArgs","context","then","instance","get","issuer","createCredentialOfferURI","response","result","returnSessions","session","issueArgs","issueCredential","accessTokenArgs","assertValidAccessTokenRequest","request","credentialOfferSessions","expirationDuration","accessTokenIssuer","issuerOptions","idOpts","didOpts","identifier","toString","Promise","reject","Error","createAccessTokenResponse","tokenExpiresIn","cNonceExpiresIn","cNonces","accessTokenSignerCallback","getAccessTokenSignerCallback","getExternalAS","issuerMetadata","Array","isArray","authorization_servers","find","as","credential_issuer","undefined","createIssuerInstance","args","credentialIssuer","metadataOpts","getMetadataOpts","getIssuerMetadata","externalAS","asMetadataResponse","retrieveWellknown","WellKnownEndpoints","OPENID_CONFIGURATION","errorOnNotFound","OAUTH_AS","authorizationServerMetadata","successBody","getAuthorizationServerMetadataFromStore","issuerOpts","getIssuerOptsFromStore","resolveOpts","resolver","getAgentResolver","set","IssuerInstance","has","storeId","namespace","options","agent","oid4vciStoreGetIssuerOpts","metadataType","correlationId","storeNamespace","metadata","oid4vciStoreGetMetadata","defaultStoreId","oid4vciStoreDefaultStoreId","defaultNamespace","oid4vciStoreDefaultNamespace","schema","require"]}
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@sphereon/ssi-sdk.oid4vci-issuer",
3
- "version": "0.36.1-next.11+262d209a",
3
+ "version": "0.36.1-next.113+e4111993",
4
4
  "source": "./src/index.ts",
5
5
  "type": "module",
6
6
  "main": "./dist/index.cjs",
@@ -26,23 +26,23 @@
26
26
  "build": "tsup --config ../../tsup.config.ts --tsconfig ../../tsconfig.tsup.json"
27
27
  },
28
28
  "dependencies": {
29
- "@sphereon/oid4vci-client": "0.20.1-next.3",
30
- "@sphereon/oid4vci-common": "0.20.1-next.3",
31
- "@sphereon/oid4vci-issuer": "0.20.1-next.3",
32
- "@sphereon/ssi-sdk-ext.did-utils": "0.36.1-next.11+262d209a",
33
- "@sphereon/ssi-sdk-ext.identifier-resolution": "0.36.1-next.11+262d209a",
34
- "@sphereon/ssi-sdk-ext.jwt-service": "0.36.1-next.11+262d209a",
35
- "@sphereon/ssi-sdk.agent-config": "0.36.1-next.11+262d209a",
36
- "@sphereon/ssi-sdk.core": "0.36.1-next.11+262d209a",
37
- "@sphereon/ssi-sdk.data-store": "0.36.1-next.11+262d209a",
38
- "@sphereon/ssi-sdk.data-store-types": "0.36.1-next.11+262d209a",
39
- "@sphereon/ssi-sdk.kv-store-temp": "0.36.1-next.11+262d209a",
40
- "@sphereon/ssi-sdk.mdl-mdoc": "0.36.1-next.11+262d209a",
41
- "@sphereon/ssi-sdk.oid4vci-issuer-store": "0.36.1-next.11+262d209a",
42
- "@sphereon/ssi-sdk.sd-jwt": "0.36.1-next.11+262d209a",
43
- "@sphereon/ssi-sdk.vc-status-list": "0.36.1-next.11+262d209a",
44
- "@sphereon/ssi-sdk.vc-status-list-issuer": "0.36.1-next.11+262d209a",
45
- "@sphereon/ssi-types": "0.36.1-next.11+262d209a",
29
+ "@sphereon/oid4vci-client": "0.20.1-next.8",
30
+ "@sphereon/oid4vci-common": "0.20.1-next.8",
31
+ "@sphereon/oid4vci-issuer": "0.20.1-next.8",
32
+ "@sphereon/ssi-sdk-ext.did-utils": "0.36.1-next.113+e4111993",
33
+ "@sphereon/ssi-sdk-ext.identifier-resolution": "0.36.1-next.113+e4111993",
34
+ "@sphereon/ssi-sdk-ext.jwt-service": "0.36.1-next.113+e4111993",
35
+ "@sphereon/ssi-sdk.agent-config": "0.36.1-next.113+e4111993",
36
+ "@sphereon/ssi-sdk.core": "0.36.1-next.113+e4111993",
37
+ "@sphereon/ssi-sdk.data-store": "0.36.1-next.113+e4111993",
38
+ "@sphereon/ssi-sdk.data-store-types": "0.36.1-next.113+e4111993",
39
+ "@sphereon/ssi-sdk.kv-store-temp": "0.36.1-next.113+e4111993",
40
+ "@sphereon/ssi-sdk.mdl-mdoc": "0.36.1-next.113+e4111993",
41
+ "@sphereon/ssi-sdk.oid4vci-issuer-store": "0.36.1-next.113+e4111993",
42
+ "@sphereon/ssi-sdk.sd-jwt": "0.36.1-next.113+e4111993",
43
+ "@sphereon/ssi-sdk.vc-status-list": "0.36.1-next.113+e4111993",
44
+ "@sphereon/ssi-sdk.vc-status-list-issuer": "0.36.1-next.113+e4111993",
45
+ "@sphereon/ssi-types": "0.36.1-next.113+e4111993",
46
46
  "@types/uuid": "^9.0.8",
47
47
  "@veramo/core": "4.2.0",
48
48
  "@veramo/credential-w3c": "4.2.0",
@@ -51,7 +51,7 @@
51
51
  "uuid": "^9.0.1"
52
52
  },
53
53
  "devDependencies": {
54
- "@sphereon/did-auth-siop": "0.20.1-next.3",
54
+ "@sphereon/did-auth-siop": "0.20.1-next.8",
55
55
  "@sphereon/did-uni-client": "^0.6.3",
56
56
  "@veramo/did-provider-key": "4.2.0",
57
57
  "@veramo/did-resolver": "4.2.0",
@@ -85,5 +85,5 @@
85
85
  "OpenID Connect",
86
86
  "Authenticator"
87
87
  ],
88
- "gitHead": "262d209a803fecfba1ad5878724c4f6f91f86cec"
88
+ "gitHead": "e4111993609fb157be593a2933454bbb2384a60b"
89
89
  }
package/src/agent/OID4VCIIssuer.ts CHANGED
@@ -1,31 +1,39 @@
1
+ import {retrieveWellknown} from '@sphereon/oid4vci-client'
1
2
  import {
2
- AccessTokenResponse,
3
- AuthorizationServerMetadata,
4
- CredentialResponse,
5
- IssuerMetadata,
6
- OpenIDResponse,
7
- WellKnownEndpoints,
3
+ AccessTokenResponse,
4
+ AuthorizationServerMetadata,
5
+ CredentialResponse,
6
+ IssuerMetadata,
7
+ OpenIDResponse,
8
+ WellKnownEndpoints,
8
9
  } from '@sphereon/oid4vci-common'
9
- import { assertValidAccessTokenRequest, createAccessTokenResponse, VcIssuer } from '@sphereon/oid4vci-issuer'
10
- import { retrieveWellknown } from '@sphereon/oid4vci-client'
11
- import { getAgentResolver } from '@sphereon/ssi-sdk-ext.did-utils'
12
- import { IMetadataOptions } from '@sphereon/ssi-sdk.oid4vci-issuer-store'
13
- import { IAgentPlugin } from '@veramo/core'
14
- import { getAccessTokenSignerCallback } from '../functions'
10
+ import {assertValidAccessTokenRequest, createAccessTokenResponse, VcIssuer} from '@sphereon/oid4vci-issuer'
11
+ import {getAgentResolver} from '@sphereon/ssi-sdk-ext.did-utils'
12
+ import {IMetadataOptions} from '@sphereon/ssi-sdk.oid4vci-issuer-store'
13
+ import {IAgentPlugin} from '@veramo/core'
14
+ import {getAccessTokenSignerCallback} from '../functions'
15
15
  import {
16
- IAssertValidAccessTokenArgs,
17
- ICreateCredentialOfferURIResult,
18
- ICreateOfferArgs,
19
- IIssueCredentialArgs,
20
- IIssuerInstanceArgs,
21
- IIssuerOptions,
22
- IOID4VCIIssuerOpts,
23
- IRequiredContext,
24
- schema,
16
+ IAssertValidAccessTokenArgs,
17
+ ICreateCredentialOfferURIResult,
18
+ ICreateOfferArgs,
19
+ IIssueCredentialArgs,
20
+ IIssuerInstanceArgs,
21
+ IIssuerOptions,
22
+ IOID4VCIIssuerOpts,
23
+ IRefreshInstanceMetadata,
24
+ IRequiredContext,
25
+ schema,
25
26
  } from '../index'
26
- import { IssuerInstance } from '../IssuerInstance'
27
+ import {IssuerInstance} from '../IssuerInstance'
28
+ import {IOID4VCIIssuer} from '../types/IOID4VCIIssuer'
27
29
 
28
- import { IOID4VCIIssuer } from '../types/IOID4VCIIssuer'
30
+ export const oid4vciIssuerMethods: Array<string> = [
31
+ 'oid4vciCreateOfferURI',
32
+ 'oid4vciIssueCredential',
33
+ 'oid4vciCreateAccessTokenResponse',
34
+ 'oid4vciGetInstance',
35
+ 'oid4vciRefreshInstanceMetadata',
36
+ ]
29
37
 
30
38
  export class OID4VCIIssuer implements IAgentPlugin {
31
39
  private static readonly _DEFAULT_OPTS_KEY = '_default'
@@ -37,6 +45,7 @@ export class OID4VCIIssuer implements IAgentPlugin {
37
45
  oid4vciIssueCredential: this.oid4vciIssueCredential.bind(this),
38
46
  oid4vciCreateAccessTokenResponse: this.oid4vciCreateAccessTokenResponse.bind(this),
39
47
  oid4vciGetInstance: this.oid4vciGetInstance.bind(this),
48
+ oid4vciRefreshInstanceMetadata: this.oid4vciRefreshInstanceMetadata.bind(this),
40
49
  }
41
50
  private _opts: IOID4VCIIssuerOpts
42
51
 
@@ -146,6 +155,16 @@ export class OID4VCIIssuer implements IAgentPlugin {
146
155
  return this.oid4vciGetInstance(args, context)
147
156
  }
148
157
 
158
+ // TODO SSISDK-87 create proper solution to update issuer metadata
159
+ public async oid4vciRefreshInstanceMetadata(args: IRefreshInstanceMetadata, context: IRequiredContext): Promise<boolean> {
160
+ const instance = this.instances.get(args.credentialIssuer)
161
+ if (instance) {
162
+ instance.issuerMetadata = await this.getIssuerMetadata({ ...args }, context)
163
+ return true
164
+ }
165
+ return false
166
+ }
167
+
149
168
  public async oid4vciGetInstance(args: IIssuerInstanceArgs, context: IRequiredContext): Promise<IssuerInstance> {
150
169
  const credentialIssuer = args.credentialIssuer ?? OID4VCIIssuer._DEFAULT_OPTS_KEY
151
170
  //todo: prob doesn't make sense as credentialIssuer is mandatory anyway