@sphereon/ssi-sdk.sd-jwt 0.32.1-next.54 → 0.33.1-feature.vcdm2.4

package/dist/action-handler.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"action-handler.d.ts","sourceRoot":"","sources":["../src/action-handler.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,eAAe,EAAkB,MAAM,mBAAmB,CAAA;AACnE,OAAO,EAA8D,MAAM,EAAY,MAAM,eAAe,CAAA;AAE5G,OAAO,EAAE,kCAAkC,EAAE,MAAM,kCAAkC,CAAA;AACrF,OAAO,EAAO,iBAAiB,EAAE,MAAM,qBAAqB,CAAA;AAC5D,OAAO,EAAE,YAAY,EAAE,MAAM,cAAc,CAAA;AAU3C,OAAO,EAEL,oCAAoC,EAGpC,4BAA4B,EAC5B,8BAA8B,EAC9B,kBAAkB,EAClB,oBAAoB,EACpB,gBAAgB,EAChB,YAAY,EACZ,4BAA4B,EAC5B,8BAA8B,EAC9B,kBAAkB,EAClB,oBAAoB,EACpB,mBAAmB,EAEnB,WAAW,EACX,aAAa,EACd,MAAM,SAAS,CAAA;AAIhB;;;GAGG;AACH,qBAAa,WAAY,YAAW,YAAY;IAE9C,OAAO,CAAC,QAAQ,CAAC,iBAAiB,CAAU;IAC5C,OAAO,CAAC,QAAQ,CAAC,yBAAyB,CAAqB;IAC/D,OAAO,CAAC,QAAQ,CAAwB;IACxC,OAAO,CAAC,cAAc,CAAC,CAAQ;gBAG7B,yBAAyB,CAAC,EAAE,mBAAmB,GAAG;QAChD,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;QAChC,aAAa,CAAC,EAAE,MAAM,CAAA;KACvB,EACD,iBAAiB,CAAC,EAAE,MAAM,EAAE;IAoB9B,QAAQ,CAAC,OAAO,EAAE,YAAY,CAM7B;YAEa,sBAAsB;IAiBpC;;;;;OAKG;IACG,aAAa,CAAC,IAAI,EAAE,kBAAkB,EAAE,OAAO,EAAE,gBAAgB,GAAG,OAAO,CAAC,oBAAoB,CAAC;IAwBvG;;;;;OAKG;IACG,UAAU,CAAC,IAAI,EAAE,WAAW,EAAE,OAAO,EAAE,gBAAgB,GAAG,OAAO,CAAC,aAAa,CAAC;IA8CtF;;;;;OAKG;IACG,uBAAuB,CAAC,IAAI,EAAE,4BAA4B,EAAE,OAAO,EAAE,gBAAgB,GAAG,OAAO,CAAC,8BAA8B,CAAC;IA8BrI;;;;;OAKG;IACG,aAAa,CAAC,IAAI,EAAE,kBAAkB,EAAE,OAAO,EAAE,gBAAgB,GAAG,OAAO,CAAC,oBAAoB,CAAC;IASvG;;;;;;;;OAQG;IACH,OAAO,CAAC,QAAQ;IAOhB;;;;;;;OAOG;IACG,MAAM,CAAC,KAAK,EAAE,eAAe,EAAE,OAAO,EAAE,gBAAgB,EAAE,IAAI,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE;QAAC,aAAa,CAAC,EAAE,kCAAkC,CAAA;KAAC,GAAG,OAAO,CAAC,OAAO,CAAC;IAgE/K;;;;;OAKG;IACG,uBAAuB,CAAC,IAAI,EAAE,4BAA4B,EAAE,OAAO,EAAE,gBAAgB,GAAG,OAAO,CAAC,8BAA8B,CAAC;IAcrI;;;;;OAKG;IACG,gCAAgC,CAAC,IAAI,EAAE,oCAAoC,EAAE,OAAO,EAAE,gBAAgB,GAAG,OAAO,CAAC,iBAAiB,CAAC;IAiBzI,OAAO,CAAC,uBAAuB;IAQ/B,OAAO,CAAC,MAAM;IAcd,OAAO,CAAC,uBAAuB;CAQhC"}
+{"version":3,"file":"action-handler.d.ts","sourceRoot":"","sources":["../src/action-handler.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,eAAe,EAAkB,MAAM,mBAAmB,CAAA;AACnE,OAAO,EAAsE,MAAM,EAAY,MAAM,eAAe,CAAA;AAEpH,OAAO,EAAE,kCAAkC,EAAE,MAAM,kCAAkC,CAAA;AACrF,OAAO,EAAmB,iBAAiB,EAAE,MAAM,qBAAqB,CAAA;AACxE,OAAO,EAAE,YAAY,EAAE,MAAM,cAAc,CAAA;AAM3C,OAAO,EAEL,oCAAoC,EAGpC,4BAA4B,EAC5B,8BAA8B,EAC9B,kBAAkB,EAClB,oBAAoB,EACpB,gBAAgB,EAChB,YAAY,EACZ,4BAA4B,EAC5B,8BAA8B,EAC9B,kBAAkB,EAClB,oBAAoB,EACpB,mBAAmB,EAEnB,WAAW,EACX,aAAa,EACd,MAAM,SAAS,CAAA;AAIhB;;;GAGG;AACH,qBAAa,WAAY,YAAW,YAAY;IAE9C,OAAO,CAAC,QAAQ,CAAC,iBAAiB,CAAU;IAC5C,OAAO,CAAC,QAAQ,CAAC,yBAAyB,CAAqB;IAC/D,OAAO,CAAC,QAAQ,CAAwB;IACxC,OAAO,CAAC,cAAc,CAAC,CAAQ;gBAG7B,yBAAyB,CAAC,EAAE,mBAAmB,GAAG;QAChD,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;QAChC,aAAa,CAAC,EAAE,MAAM,CAAA;KACvB,EACD,iBAAiB,CAAC,EAAE,MAAM,EAAE;IAoB9B,QAAQ,CAAC,OAAO,EAAE,YAAY,CAM7B;YAEa,sBAAsB;IAiBpC;;;;;OAKG;IACG,aAAa,CAAC,IAAI,EAAE,kBAAkB,EAAE,OAAO,EAAE,gBAAgB,GAAG,OAAO,CAAC,oBAAoB,CAAC;IAwBvG;;;;;OAKG;IACG,UAAU,CAAC,IAAI,EAAE,WAAW,EAAE,OAAO,EAAE,gBAAgB,GAAG,OAAO,CAAC,aAAa,CAAC;IA8CtF;;;;;OAKG;IACG,uBAAuB,CAAC,IAAI,EAAE,4BAA4B,EAAE,OAAO,EAAE,gBAAgB,GAAG,OAAO,CAAC,8BAA8B,CAAC;IA8BrI;;;;;OAKG;IACG,aAAa,CAAC,IAAI,EAAE,kBAAkB,EAAE,OAAO,EAAE,gBAAgB,GAAG,OAAO,CAAC,oBAAoB,CAAC;IASvG;;;;;;;;OAQG;IACH,OAAO,CAAC,QAAQ;IAOhB;;;;;;;OAOG;IACG,MAAM,CACV,KAAK,EAAE,eAAe,EACtB,OAAO,EAAE,gBAAgB,EACzB,IAAI,EAAE,MAAM,EACZ,SAAS,EAAE,MAAM,EACjB,IAAI,CAAC,EAAE;QAAE,aAAa,CAAC,EAAE,kCAAkC,CAAA;KAAE,GAC5D,OAAO,CAAC,OAAO,CAAC;IAgEnB;;;;;OAKG;IACG,uBAAuB,CAAC,IAAI,EAAE,4BAA4B,EAAE,OAAO,EAAE,gBAAgB,GAAG,OAAO,CAAC,8BAA8B,CAAC;IAcrI;;;;;OAKG;IACG,gCAAgC,CAAC,IAAI,EAAE,oCAAoC,EAAE,OAAO,EAAE,gBAAgB,GAAG,OAAO,CAAC,iBAAiB,CAAC;IAiDzI,OAAO,CAAC,uBAAuB;IAQ/B,OAAO,CAAC,MAAM;IAcd,OAAO,CAAC,uBAAuB;CAOhC"}

package/dist/action-handler.js

@@ -1,73 +1,60 @@
-"use strict";
-var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
-    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
-    return new (P || (P = Promise))(function (resolve, reject) {
-        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
-        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
-        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
-        step((generator = generator.apply(thisArg, _arguments || [])).next());
-    });
-};
-var __importDefault = (this && this.__importDefault) || function (mod) {
-    return (mod && mod.__esModule) ? mod : { "default": mod };
-};
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.SDJwtPlugin = void 0;
-const core_1 = require("@sd-jwt/core");
-const sd_jwt_vc_1 = require("@sd-jwt/sd-jwt-vc");
-const ssi_sdk_ext_key_utils_1 = require("@sphereon/ssi-sdk-ext.key-utils");
-const utils_1 = require("@veramo/utils");
-const debug_1 = __importDefault(require("debug"));
-const defaultCallbacks_1 = require("./defaultCallbacks");
-const trustAnchors_1 = require("./trustAnchors");
-const utils_2 = require("./utils");
-const debug = (0, debug_1.default)('@sphereon/ssi-sdk.sd-jwt');
+import { SDJwt } from '@sd-jwt/core';
+import { SDJwtVcInstance } from '@sd-jwt/sd-jwt-vc';
+import { calculateJwkThumbprint, signatureAlgorithmFromKey } from '@sphereon/ssi-sdk-ext.key-utils';
+import { decodeBase64url } from '@veramo/utils';
+import Debug from 'debug';
+import { defaultGenerateDigest, defaultGenerateSalt, defaultVerifySignature } from './defaultCallbacks';
+import { funkeTestCA, sphereonCA } from './trustAnchors';
+import { assertValidTypeMetadata, fetchUrlWithErrorHandling, validateIntegrity } from './utils';
+const debug = Debug('@sphereon/ssi-sdk.sd-jwt');
 /**
  * @beta
  * SD-JWT plugin
  */
-class SDJwtPlugin {
+export class SDJwtPlugin {
+    // @ts-ignore
+    trustAnchorsInPEM;
+    registeredImplementations;
+    _signers;
+    _defaultSigner;
     constructor(registeredImplementations, trustAnchorsInPEM) {
-        var _a;
-        // map the methods your plugin is declaring to their implementation
-        this.methods = {
-            createSdJwtVc: this.createSdJwtVc.bind(this),
-            createSdJwtPresentation: this.createSdJwtPresentation.bind(this),
-            verifySdJwtVc: this.verifySdJwtVc.bind(this),
-            verifySdJwtPresentation: this.verifySdJwtPresentation.bind(this),
-            fetchSdJwtTypeMetadataFromVctUrl: this.fetchSdJwtTypeMetadataFromVctUrl.bind(this),
-        };
-        this.trustAnchorsInPEM = trustAnchorsInPEM !== null && trustAnchorsInPEM !== void 0 ? trustAnchorsInPEM : [];
+        this.trustAnchorsInPEM = trustAnchorsInPEM ?? [];
         if (!registeredImplementations) {
             registeredImplementations = {};
         }
-        if (typeof (registeredImplementations === null || registeredImplementations === void 0 ? void 0 : registeredImplementations.hasher) !== 'function') {
-            registeredImplementations.hasher = defaultCallbacks_1.defaultGenerateDigest;
+        if (typeof registeredImplementations?.hasher !== 'function') {
+            registeredImplementations.hasher = defaultGenerateDigest;
         }
-        if (typeof (registeredImplementations === null || registeredImplementations === void 0 ? void 0 : registeredImplementations.saltGenerator) !== 'function') {
-            registeredImplementations.saltGenerator = defaultCallbacks_1.defaultGenerateSalt;
+        if (typeof registeredImplementations?.saltGenerator !== 'function') {
+            registeredImplementations.saltGenerator = defaultGenerateSalt;
         }
         this.registeredImplementations = registeredImplementations;
-        this._signers = (_a = registeredImplementations === null || registeredImplementations === void 0 ? void 0 : registeredImplementations.signers) !== null && _a !== void 0 ? _a : {};
-        this._defaultSigner = registeredImplementations === null || registeredImplementations === void 0 ? void 0 : registeredImplementations.defaultSigner;
+        this._signers = registeredImplementations?.signers ?? {};
+        this._defaultSigner = registeredImplementations?.defaultSigner;
         // Verify signature default is used below in the methods if not provided here, as it needs the context of the agent
     }
-    getSignerForIdentifier(args, context) {
-        return __awaiter(this, void 0, void 0, function* () {
-            const { identifier, resolution } = args;
-            if (Object.keys(this._signers).includes(identifier) && typeof this._signers[identifier] === 'function') {
-                return { signer: this._signers[identifier] };
-            }
-            else if (typeof this._defaultSigner === 'function') {
-                return { signer: this._defaultSigner };
-            }
-            const signingKey = yield this.getSignKey({ identifier, vmRelationship: 'assertionMethod', resolution }, context);
-            const { key, alg } = signingKey;
-            const signer = (data) => __awaiter(this, void 0, void 0, function* () {
-                return context.agent.keyManagerSign({ keyRef: key.kmsKeyRef, data });
-            });
-            return { signer, alg, signingKey };
-        });
+    // map the methods your plugin is declaring to their implementation
+    methods = {
+        createSdJwtVc: this.createSdJwtVc.bind(this),
+        createSdJwtPresentation: this.createSdJwtPresentation.bind(this),
+        verifySdJwtVc: this.verifySdJwtVc.bind(this),
+        verifySdJwtPresentation: this.verifySdJwtPresentation.bind(this),
+        fetchSdJwtTypeMetadataFromVctUrl: this.fetchSdJwtTypeMetadataFromVctUrl.bind(this),
+    };
+    async getSignerForIdentifier(args, context) {
+        const { identifier, resolution } = args;
+        if (Object.keys(this._signers).includes(identifier) && typeof this._signers[identifier] === 'function') {
+            return { signer: this._signers[identifier] };
+        }
+        else if (typeof this._defaultSigner === 'function') {
+            return { signer: this._defaultSigner };
+        }
+        const signingKey = await this.getSignKey({ identifier, vmRelationship: 'assertionMethod', resolution }, context);
+        const { key, alg } = signingKey;
+        const signer = async (data) => {
+            return context.agent.keyManagerSign({ keyRef: key.kmsKeyRef, data });
+        };
+        return { signer, alg, signingKey };
     }
     /**
      * Create a signed SD-JWT credential.
@@ -75,25 +62,26 @@ class SDJwtPlugin {
      * @param context - This reserved param is automatically added and handled by the framework, *do not override*
      * @returns A signed SD-JWT credential.
      */
-    createSdJwtVc(args, context) {
-        return __awaiter(this, void 0, void 0, function* () {
-            const issuer = args.credentialPayload.iss;
-            if (!issuer) {
-                throw new Error('credential.issuer must not be empty');
-            }
-            const { alg, signer, signingKey } = yield this.getSignerForIdentifier({ identifier: issuer, resolution: args.resolution }, context);
-            const sdjwt = new sd_jwt_vc_1.SDJwtVcInstance({
-                signer,
-                hasher: this.registeredImplementations.hasher,
-                saltGenerator: this.registeredImplementations.saltGenerator,
-                signAlg: alg !== null && alg !== void 0 ? alg : 'ES256',
-                hashAlg: 'SHA-256',
-            });
-            const credential = yield sdjwt.issue(args.credentialPayload, args.disclosureFrame, {
-                header: Object.assign(Object.assign({}, ((signingKey === null || signingKey === void 0 ? void 0 : signingKey.key.kid) !== undefined && { kid: signingKey.key.kid })), ((signingKey === null || signingKey === void 0 ? void 0 : signingKey.key.x5c) !== undefined && { x5c: signingKey.key.x5c })),
-            });
-            return { credential };
+    async createSdJwtVc(args, context) {
+        const issuer = args.credentialPayload.iss;
+        if (!issuer) {
+            throw new Error('credential.issuer must not be empty');
+        }
+        const { alg, signer, signingKey } = await this.getSignerForIdentifier({ identifier: issuer, resolution: args.resolution }, context);
+        const sdjwt = new SDJwtVcInstance({
+            signer,
+            hasher: this.registeredImplementations.hasher,
+            saltGenerator: this.registeredImplementations.saltGenerator,
+            signAlg: alg ?? 'ES256',
+            hashAlg: 'sha-256',
         });
+        const credential = await sdjwt.issue(args.credentialPayload, args.disclosureFrame, {
+            header: {
+                ...(signingKey?.key.kid !== undefined && { kid: signingKey.key.kid }),
+                ...(signingKey?.key.x5c !== undefined && { x5c: signingKey.key.x5c }),
+            },
+        });
+        return { credential };
     }
     /**
      * Get the key to sign the SD-JWT
@@ -101,58 +89,55 @@ class SDJwtPlugin {
      * @param context - agent instance
      * @returns the key to sign the SD-JWT
      */
-    getSignKey(args, context) {
-        return __awaiter(this, void 0, void 0, function* () {
-            var _a, _b, _c, _d;
-            // TODO Using identifierManagedGetByDid now (new managed identifier resolution). Evaluate of we need to implement more identifier types here
-            const { identifier, resolution } = Object.assign({}, args);
-            if (resolution) {
-                const key = resolution.key;
-                const alg = yield (0, ssi_sdk_ext_key_utils_1.signatureAlgorithmFromKey)({ key });
-                switch (resolution.method) {
-                    case 'did':
-                        debug(`Signing key ${key.publicKeyHex} found for identifier ${identifier}`);
-                        return { alg, key: Object.assign(Object.assign({}, key), { kmsKeyRef: resolution.kmsKeyRef, kid: resolution.kid }) };
-                    default:
-                        if (((_a = key.meta) === null || _a === void 0 ? void 0 : _a.x509) && key.meta.x509.x5c) {
-                            return { alg, key: { kid: resolution.kid, kmsKeyRef: resolution.kmsKeyRef, x5c: key.meta.x509.x5c } };
-                        }
-                        else if ((_b = key.meta) === null || _b === void 0 ? void 0 : _b.jwkThumbprint) {
-                            return { alg, key: { kid: resolution.kid, kmsKeyRef: resolution.kmsKeyRef, jwkThumbprint: key.meta.jwkThumbprint } };
-                        }
-                        else {
-                            return { alg, key: { kid: resolution.kid, kmsKeyRef: resolution.kmsKeyRef } };
-                        }
-                }
+    async getSignKey(args, context) {
+        // TODO Using identifierManagedGetByDid now (new managed identifier resolution). Evaluate of we need to implement more identifier types here
+        const { identifier, resolution } = { ...args };
+        if (resolution) {
+            const key = resolution.key;
+            const alg = await signatureAlgorithmFromKey({ key });
+            switch (resolution.method) {
+                case 'did':
+                    debug(`Signing key ${key.publicKeyHex} found for identifier ${identifier}`);
+                    return { alg, key: { ...key, kmsKeyRef: resolution.kmsKeyRef, kid: resolution.kid } };
+                default:
+                    if (key.meta?.x509 && key.meta.x509.x5c) {
+                        return { alg, key: { kid: resolution.kid, kmsKeyRef: resolution.kmsKeyRef, x5c: key.meta.x509.x5c } };
+                    }
+                    else if (key.meta?.jwkThumbprint) {
+                        return { alg, key: { kid: resolution.kid, kmsKeyRef: resolution.kmsKeyRef, jwkThumbprint: key.meta.jwkThumbprint } };
+                    }
+                    else {
+                        return { alg, key: { kid: resolution.kid, kmsKeyRef: resolution.kmsKeyRef } };
+                    }
             }
-            else if (identifier.startsWith('did:')) {
-                const didIdentifier = yield context.agent.identifierManagedGetByDid({ identifier });
-                if (!didIdentifier) {
-                    throw new Error(`No identifier found with the given did: ${identifier}`);
-                }
-                const key = didIdentifier.key;
-                const alg = yield (0, ssi_sdk_ext_key_utils_1.signatureAlgorithmFromKey)({ key });
-                debug(`Signing key ${key.publicKeyHex} found for identifier ${identifier}`);
-                return { alg, key: Object.assign(Object.assign({}, key), { kmsKeyRef: didIdentifier.kmsKeyRef, kid: didIdentifier.kid }) };
+        }
+        else if (identifier.startsWith('did:')) {
+            const didIdentifier = await context.agent.identifierManagedGetByDid({ identifier });
+            if (!didIdentifier) {
+                throw new Error(`No identifier found with the given did: ${identifier}`);
+            }
+            const key = didIdentifier.key;
+            const alg = await signatureAlgorithmFromKey({ key });
+            debug(`Signing key ${key.publicKeyHex} found for identifier ${identifier}`);
+            return { alg, key: { ...key, kmsKeyRef: didIdentifier.kmsKeyRef, kid: didIdentifier.kid } };
+        }
+        else {
+            const kidIdentifier = await context.agent.identifierManagedGetByKid({ identifier });
+            if (!kidIdentifier) {
+                throw new Error(`No identifier found with the given kid: ${identifier}`);
+            }
+            const key = kidIdentifier.key;
+            const alg = await signatureAlgorithmFromKey({ key });
+            if (key.meta?.x509 && key.meta.x509.x5c) {
+                return { alg, key: { kid: kidIdentifier.kid, kmsKeyRef: kidIdentifier.kmsKeyRef, x5c: key.meta.x509.x5c } };
+            }
+            else if (key.meta?.jwkThumbprint) {
+                return { alg, key: { kid: kidIdentifier.kid, kmsKeyRef: kidIdentifier.kmsKeyRef, jwkThumbprint: key.meta.jwkThumbprint } };
             }
             else {
-                const kidIdentifier = yield context.agent.identifierManagedGetByKid({ identifier });
-                if (!kidIdentifier) {
-                    throw new Error(`No identifier found with the given kid: ${identifier}`);
-                }
-                const key = kidIdentifier.key;
-                const alg = yield (0, ssi_sdk_ext_key_utils_1.signatureAlgorithmFromKey)({ key });
-                if (((_c = key.meta) === null || _c === void 0 ? void 0 : _c.x509) && key.meta.x509.x5c) {
-                    return { alg, key: { kid: kidIdentifier.kid, kmsKeyRef: kidIdentifier.kmsKeyRef, x5c: key.meta.x509.x5c } };
-                }
-                else if ((_d = key.meta) === null || _d === void 0 ? void 0 : _d.jwkThumbprint) {
-                    return { alg, key: { kid: kidIdentifier.kid, kmsKeyRef: kidIdentifier.kmsKeyRef, jwkThumbprint: key.meta.jwkThumbprint } };
-                }
-                else {
-                    return { alg, key: { kid: kidIdentifier.kid, kmsKeyRef: kidIdentifier.kmsKeyRef } };
-                }
+                return { alg, key: { kid: kidIdentifier.kid, kmsKeyRef: kidIdentifier.kmsKeyRef } };
             }
-        });
+        }
     }
     /**
      * Create a signed SD-JWT presentation.
@@ -160,39 +145,36 @@ class SDJwtPlugin {
      * @param context - This reserved param is automatically added and handled by the framework, *do not override*
      * @returns A signed SD-JWT presentation.
      */
-    createSdJwtPresentation(args, context) {
-        return __awaiter(this, void 0, void 0, function* () {
-            var _a, _b, _c;
-            const cred = yield core_1.SDJwt.fromEncode(args.presentation, this.registeredImplementations.hasher);
-            const claims = yield cred.getClaims(this.registeredImplementations.hasher);
-            let holder;
-            // we primarly look for a cnf field, if it's not there we look for a sub field. If this is also not given, we throw an error since we can not sign it.
-            if (args.holder) {
-                holder = args.holder;
-            }
-            else if ((_a = claims.cnf) === null || _a === void 0 ? void 0 : _a.jwk) {
-                const jwk = claims.cnf.jwk;
-                holder = (0, ssi_sdk_ext_key_utils_1.calculateJwkThumbprint)({ jwk: jwk });
-            }
-            else if ((_b = claims.cnf) === null || _b === void 0 ? void 0 : _b.kid) {
-                holder = (_c = claims.cnf) === null || _c === void 0 ? void 0 : _c.kid;
-            }
-            else if (claims.sub) {
-                holder = claims.sub;
-            }
-            else {
-                throw new Error('invalid_argument: credential does not include a holder reference');
-            }
-            const { alg, signer } = yield this.getSignerForIdentifier({ identifier: holder }, context);
-            const sdjwt = new sd_jwt_vc_1.SDJwtVcInstance({
-                hasher: this.registeredImplementations.hasher,
-                saltGenerator: this.registeredImplementations.saltGenerator,
-                kbSigner: signer,
-                kbSignAlg: alg !== null && alg !== void 0 ? alg : 'ES256',
-            });
-            const presentation = yield sdjwt.present(args.presentation, args.presentationFrame, { kb: args.kb });
-            return { presentation };
+    async createSdJwtPresentation(args, context) {
+        const cred = await SDJwt.fromEncode(args.presentation, this.registeredImplementations.hasher);
+        const claims = await cred.getClaims(this.registeredImplementations.hasher);
+        let holder;
+        // we primarly look for a cnf field, if it's not there we look for a sub field. If this is also not given, we throw an error since we can not sign it.
+        if (args.holder) {
+            holder = args.holder;
+        }
+        else if (claims.cnf?.jwk) {
+            const jwk = claims.cnf.jwk;
+            holder = calculateJwkThumbprint({ jwk: jwk });
+        }
+        else if (claims.cnf?.kid) {
+            holder = claims.cnf?.kid;
+        }
+        else if (claims.sub) {
+            holder = claims.sub;
+        }
+        else {
+            throw new Error('invalid_argument: credential does not include a holder reference');
+        }
+        const { alg, signer } = await this.getSignerForIdentifier({ identifier: holder }, context);
+        const sdjwt = new SDJwtVcInstance({
+            hasher: this.registeredImplementations.hasher ?? defaultGenerateDigest,
+            saltGenerator: this.registeredImplementations.saltGenerator,
+            kbSigner: signer,
+            kbSignAlg: alg ?? 'ES256',
         });
+        const presentation = await sdjwt.present(args.presentation, args.presentationFrame, { kb: args.kb });
+        return { presentation };
     }
     /**
      * Verify a signed SD-JWT credential.
@@ -200,14 +182,12 @@ class SDJwtPlugin {
      * @param context - This reserved param is automatically added and handled by the framework, *do not override*
      * @returns
      */
-    verifySdJwtVc(args, context) {
-        return __awaiter(this, void 0, void 0, function* () {
-            // callback
-            const verifier = (data, signature) => __awaiter(this, void 0, void 0, function* () { return this.verify(sdjwt, context, data, signature); });
-            const sdjwt = new sd_jwt_vc_1.SDJwtVcInstance({ verifier, hasher: this.registeredImplementations.hasher });
-            const { header = {}, payload, kb } = yield sdjwt.verify(args.credential);
-            return { header, payload: payload, kb };
-        });
+    async verifySdJwtVc(args, context) {
+        // callback
+        const verifier = async (data, signature) => this.verify(sdjwt, context, data, signature);
+        const sdjwt = new SDJwtVcInstance({ verifier, hasher: this.registeredImplementations.hasher ?? defaultGenerateDigest });
+        const { header = {}, payload, kb } = await sdjwt.verify(args.credential);
+        return { header, payload: payload, kb };
     }
     /**
      * Verify the key binding of a SD-JWT by validating the signature of the key bound to the SD-JWT
@@ -232,66 +212,63 @@ class SDJwtPlugin {
      * @param signature - The signature
      * @returns
      */
-    verify(sdjwt, context, data, signature, opts) {
-        return __awaiter(this, void 0, void 0, function* () {
-            var _a, _b, _c, _d, _e, _f;
-            const decodedVC = yield sdjwt.decode(`${data}.${signature}`);
-            const issuer = decodedVC.jwt.payload.iss;
-            const header = decodedVC.jwt.header;
-            const x5c = header === null || header === void 0 ? void 0 : header.x5c;
-            let jwk = header.jwk;
-            if (x5c) {
-                const trustAnchors = new Set([...this.trustAnchorsInPEM]);
-                if (trustAnchors.size === 0) {
-                    trustAnchors.add(trustAnchors_1.sphereonCA);
-                    trustAnchors.add(trustAnchors_1.funkeTestCA);
-                }
-                const certificateValidationResult = yield context.agent.x509VerifyCertificateChain({
-                    chain: x5c,
-                    trustAnchors: Array.from(trustAnchors),
-                    // TODO: Defaults to allowing untrusted certs! Fine for now, not when wallets go mainstream
-                    opts: (_a = opts === null || opts === void 0 ? void 0 : opts.x5cValidation) !== null && _a !== void 0 ? _a : { trustRootWhenNoAnchors: true, allowNoTrustAnchorsFound: true },
-                });
-                if (certificateValidationResult.error || !(certificateValidationResult === null || certificateValidationResult === void 0 ? void 0 : certificateValidationResult.certificateChain)) {
-                    return Promise.reject(Error(`Certificate chain validation failed. ${certificateValidationResult.message}`));
-                }
-                const certInfo = certificateValidationResult.certificateChain[0];
-                jwk = certInfo.publicKeyJWK;
+    async verify(sdjwt, context, data, signature, opts) {
+        const decodedVC = await sdjwt.decode(`${data}.${signature}`);
+        const issuer = decodedVC.jwt.payload.iss;
+        const header = decodedVC.jwt.header;
+        const x5c = header?.x5c;
+        let jwk = header.jwk;
+        if (x5c) {
+            const trustAnchors = new Set([...this.trustAnchorsInPEM]);
+            if (trustAnchors.size === 0) {
+                trustAnchors.add(sphereonCA);
+                trustAnchors.add(funkeTestCA);
             }
-            if (!jwk && ((_b = header.kid) === null || _b === void 0 ? void 0 : _b.includes('did:'))) {
-                const didDoc = yield context.agent.resolveDid({ didUrl: header.kid });
-                if (!didDoc) {
-                    throw new Error('invalid_issuer: issuer did not resolve to a did document');
-                }
-                //TODO SDK-20: This should be checking for an assertionMethod and not just an verificationMethod with an id
-                const didDocumentKey = (_d = (_c = didDoc.didDocument) === null || _c === void 0 ? void 0 : _c.verificationMethod) === null || _d === void 0 ? void 0 : _d.find((key) => key.id);
-                if (!didDocumentKey) {
-                    throw new Error('invalid_issuer: issuer did document does not include referenced key');
-                }
-                //FIXME SDK-21: in case it's another did method, the value of the key can be also encoded as a base64url
-                // needs more checks. some DID methods do not expose the keys as publicKeyJwk
-                jwk = didDocumentKey.publicKeyJwk;
+            const certificateValidationResult = await context.agent.x509VerifyCertificateChain({
+                chain: x5c,
+                trustAnchors: Array.from(trustAnchors),
+                // TODO: Defaults to allowing untrusted certs! Fine for now, not when wallets go mainstream
+                opts: opts?.x5cValidation ?? { trustRootWhenNoAnchors: true, allowNoTrustAnchorsFound: true },
+            });
+            if (certificateValidationResult.error || !certificateValidationResult?.certificateChain) {
+                return Promise.reject(Error(`Certificate chain validation failed. ${certificateValidationResult.message}`));
             }
-            if (!jwk && issuer.includes('did:')) {
-                // TODO refactor
-                const didDoc = yield context.agent.resolveDid({ didUrl: issuer });
-                if (!didDoc) {
-                    throw new Error('invalid_issuer: issuer did not resolve to a did document');
-                }
-                //TODO SDK-20: This should be checking for an assertionMethod and not just an verificationMethod with an id
-                const didDocumentKey = (_f = (_e = didDoc.didDocument) === null || _e === void 0 ? void 0 : _e.verificationMethod) === null || _f === void 0 ? void 0 : _f.find((key) => key.id);
-                if (!didDocumentKey) {
-                    throw new Error('invalid_issuer: issuer did document does not include referenced key');
-                }
-                //FIXME SDK-21: in case it's another did method, the value of the key can be also encoded as a base64url
-                // needs more checks. some DID methods do not expose the keys as publicKeyJwk
-                jwk = didDocumentKey.publicKeyJwk;
+            const certInfo = certificateValidationResult.certificateChain[0];
+            jwk = certInfo.publicKeyJWK;
+        }
+        if (!jwk && header.kid?.includes('did:')) {
+            const didDoc = await context.agent.resolveDid({ didUrl: header.kid });
+            if (!didDoc) {
+                throw new Error('invalid_issuer: issuer did not resolve to a did document');
             }
-            if (!jwk) {
-                throw new Error('No valid public key found for signature verification');
+            //TODO SDK-20: This should be checking for an assertionMethod and not just an verificationMethod with an id
+            const didDocumentKey = didDoc.didDocument?.verificationMethod?.find((key) => key.id);
+            if (!didDocumentKey) {
+                throw new Error('invalid_issuer: issuer did document does not include referenced key');
             }
-            return this.verifySignatureCallback(context)(data, signature, jwk);
-        });
+            //FIXME SDK-21: in case it's another did method, the value of the key can be also encoded as a base64url
+            // needs more checks. some DID methods do not expose the keys as publicKeyJwk
+            jwk = didDocumentKey.publicKeyJwk;
+        }
+        if (!jwk && issuer.includes('did:')) {
+            // TODO refactor
+            const didDoc = await context.agent.resolveDid({ didUrl: issuer });
+            if (!didDoc) {
+                throw new Error('invalid_issuer: issuer did not resolve to a did document');
+            }
+            //TODO SDK-20: This should be checking for an assertionMethod and not just an verificationMethod with an id
+            const didDocumentKey = didDoc.didDocument?.verificationMethod?.find((key) => key.id);
+            if (!didDocumentKey) {
+                throw new Error('invalid_issuer: issuer did document does not include referenced key');
+            }
+            //FIXME SDK-21: in case it's another did method, the value of the key can be also encoded as a base64url
+            // needs more checks. some DID methods do not expose the keys as publicKeyJwk
+            jwk = didDocumentKey.publicKeyJwk;
+        }
+        if (!jwk) {
+            throw new Error('No valid public key found for signature verification');
+        }
+        return this.verifySignatureCallback(context)(data, signature, jwk);
     }
     /**
      * Verify a signed SD-JWT presentation.
@@ -299,18 +276,16 @@ class SDJwtPlugin {
      * @param context - This reserved param is automatically added and handled by the framework, *do not override*
      * @returns
      */
-    verifySdJwtPresentation(args, context) {
-        return __awaiter(this, void 0, void 0, function* () {
-            let sdjwt;
-            const verifier = (data, signature) => __awaiter(this, void 0, void 0, function* () { return this.verify(sdjwt, context, data, signature); });
-            const verifierKb = (data, signature, payload) => __awaiter(this, void 0, void 0, function* () { return this.verifyKb(sdjwt, context, data, signature, payload); });
-            sdjwt = new sd_jwt_vc_1.SDJwtVcInstance({
-                verifier,
-                hasher: this.registeredImplementations.hasher,
-                kbVerifier: verifierKb,
-            });
-            return sdjwt.verify(args.presentation, args.requiredClaimKeys, args.kb);
+    async verifySdJwtPresentation(args, context) {
+        let sdjwt;
+        const verifier = async (data, signature) => this.verify(sdjwt, context, data, signature);
+        const verifierKb = async (data, signature, payload) => this.verifyKb(sdjwt, context, data, signature, payload);
+        sdjwt = new SDJwtVcInstance({
+            verifier,
+            hasher: this.registeredImplementations.hasher,
+            kbVerifier: verifierKb,
         });
+        return sdjwt.verify(args.presentation, args.requiredClaimKeys, args.kb);
     }
     /**
      * Fetch and validate Type Metadata.
@@ -318,37 +293,62 @@ class SDJwtPlugin {
      * @param context - This reserved param is automatically added and handled by the framework, *do not override*
      * @returns
      */
-    fetchSdJwtTypeMetadataFromVctUrl(args, context) {
-        return __awaiter(this, void 0, void 0, function* () {
-            const { vct, opts } = args;
-            const url = new URL(vct);
-            const response = yield (0, utils_2.fetchUrlWithErrorHandling)(url.toString());
-            const metadata = yield response.json();
-            (0, utils_2.assertValidTypeMetadata)(metadata, vct);
-            if ((opts === null || opts === void 0 ? void 0 : opts.integrity) && opts.hasher) {
-                if (!(yield (0, utils_2.validateIntegrity)(metadata, opts.integrity, opts.hasher))) {
-                    throw new Error(`Integrity check failed. vct: ${vct}`);
+    async fetchSdJwtTypeMetadataFromVctUrl(args, context) {
+        const { vct, vctIntegrity, opts } = args;
+        const url = new URL(vct);
+        const response = await fetchUrlWithErrorHandling(url.toString());
+        const metadata = await response.json();
+        assertValidTypeMetadata(metadata, vct);
+        const validate = async (vct, input, integrityValue, hasher) => {
+            if (hasher && integrityValue) {
+                const validation = await validateIntegrity({ integrityValue, input, hasher });
+                if (!validation) {
+                    return Promise.reject(Error(`Integrity check failed for vct: ${vct}, extends: ${metadata.extends}, integrity: ${integrityValue}}`));
                 }
             }
-            return metadata;
-        });
+        };
+        const hasher = (opts?.hasher ?? this.registeredImplementations.hasher ?? defaultGenerateDigest);
+        if (hasher) {
+            if (vctIntegrity) {
+                await validate(vct, metadata, vctIntegrity, hasher);
+                const vctValidation = await validateIntegrity({ integrityValue: vctIntegrity, input: metadata, hasher });
+                if (!vctValidation) {
+                    return Promise.reject(Error(`Integrity check failed for vct: ${vct}, integrity: ${vctIntegrity}`));
+                }
+            }
+            if (metadata['extends#integrity']) {
+                const extendsMetadata = await this.fetchSdJwtTypeMetadataFromVctUrl({ vct: metadata['extends#integrity'], opts }, context);
+                await validate(vct, extendsMetadata, metadata['extends#integrity'], hasher);
+            }
+            if (metadata['schema_uri#integrity']) {
+                const schemaResponse = await fetchUrlWithErrorHandling(metadata.schema_uri);
+                const schema = await schemaResponse.json();
+                await validate(vct, schema, metadata['schema_uri#integrity'], hasher);
+            }
+            metadata.display?.forEach((display) => {
+                const simpleLogoIntegrity = display.rendering?.simple?.logo?.['uri#integrity'];
+                if (simpleLogoIntegrity) {
+                    console.log('TODO: Logo integrity check');
+                }
+            });
+        }
+        return metadata;
     }
     verifySignatureCallback(context) {
         if (typeof this.registeredImplementations.verifySignature === 'function') {
             return this.registeredImplementations.verifySignature;
         }
-        return (0, defaultCallbacks_1.defaultVerifySignature)(context);
+        return defaultVerifySignature(context);
     }
     getJwk(payload) {
-        var _a;
-        if (((_a = payload.cnf) === null || _a === void 0 ? void 0 : _a.jwk) !== undefined) {
+        if (payload.cnf?.jwk !== undefined) {
             return payload.cnf.jwk;
         }
         else if (payload.cnf !== undefined && 'kid' in payload.cnf && typeof payload.cnf.kid === 'string' && payload.cnf.kid.startsWith('did:jwk:')) {
             // extract JWK from kid FIXME isn't there a did function for this already? Otherwise create one
             // FIXME this is a quick-fix to make verification but we need a real solution
             const encoded = this.extractBase64FromDIDJwk(payload.cnf.kid);
-            const decoded = (0, utils_1.decodeBase64url)(encoded);
+            const decoded = decodeBase64url(encoded);
             const jwt = JSON.parse(decoded);
             return jwt;
         }
@@ -362,5 +362,4 @@ class SDJwtPlugin {
         return parts[2].split('#')[0];
     }
 }
-exports.SDJwtPlugin = SDJwtPlugin;
 //# sourceMappingURL=action-handler.js.map