@sphereon/ssi-sdk.sd-jwt 0.33.1-next.3 → 0.33.1-next.68

package/dist/index.cjs

@@ -0,0 +1,595 @@
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __name = (target, value) => __defProp(target, "name", { value, configurable: true });
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/index.ts
+var index_exports = {};
+__export(index_exports, {
+  SDJwtPlugin: () => SDJwtPlugin,
+  assertValidTypeMetadata: () => assertValidTypeMetadata,
+  contextHasSDJwtPlugin: () => contextHasSDJwtPlugin,
+  createIntegrity: () => createIntegrity,
+  extractHashFromIntegrity: () => extractHashFromIntegrity,
+  fetchUrlWithErrorHandling: () => fetchUrlWithErrorHandling,
+  sdJwtPluginContextMethods: () => sdJwtPluginContextMethods,
+  validateIntegrity: () => validateIntegrity
+});
+module.exports = __toCommonJS(index_exports);
+
+// src/action-handler.ts
+var import_core = require("@sd-jwt/core");
+var import_sd_jwt_vc = require("@sd-jwt/sd-jwt-vc");
+var import_ssi_sdk_ext2 = require("@sphereon/ssi-sdk-ext.key-utils");
+var import_utils = require("@veramo/utils");
+var import_debug = __toESM(require("debug"), 1);
+
+// src/defaultCallbacks.ts
+var import_ssi_sdk_ext = require("@sphereon/ssi-sdk-ext.key-utils");
+var import_ssi_types = require("@sphereon/ssi-types");
+var import_uuid = require("uuid");
+var import_from_string = require("uint8arrays/from-string");
+var defaultGenerateDigest = /* @__PURE__ */ __name((data, alg) => {
+  return (0, import_ssi_sdk_ext.digestMethodParams)(alg.includes("256") ? "SHA-256" : "SHA-512").hash(typeof data === "string" ? (0, import_from_string.fromString)(data, "utf-8") : new Uint8Array(data));
+}, "defaultGenerateDigest");
+var defaultGenerateSalt = /* @__PURE__ */ __name(() => {
+  return (0, import_uuid.v4)();
+}, "defaultGenerateSalt");
+var defaultVerifySignature = /* @__PURE__ */ __name((context) => async (data, signature, publicKey) => {
+  const result = await context.agent.jwtVerifyJwsSignature({
+    jws: `${data}.${signature}`,
+    jwk: publicKey
+  });
+  import_ssi_types.Loggers.DEFAULT.get("sd-jwt").info(`SD-JWT signature verified. Result: ${result.message}`);
+  return !result.error;
+}, "defaultVerifySignature");
+
+// src/trustAnchors.ts
+var funkeTestCA = "-----BEGIN CERTIFICATE-----\nMIICeTCCAiCgAwIBAgIUB5E9QVZtmUYcDtCjKB/H3VQv72gwCgYIKoZIzj0EAwIwgYgxCzAJBgNVBAYTAkRFMQ8wDQYDVQQHDAZCZXJsaW4xHTAbBgNVBAoMFEJ1bmRlc2RydWNrZXJlaSBHbWJIMREwDwYDVQQLDAhUIENTIElERTE2MDQGA1UEAwwtU1BSSU5EIEZ1bmtlIEVVREkgV2FsbGV0IFByb3RvdHlwZSBJc3N1aW5nIENBMB4XDTI0MDUzMTA2NDgwOVoXDTM0MDUyOTA2NDgwOVowgYgxCzAJBgNVBAYTAkRFMQ8wDQYDVQQHDAZCZXJsaW4xHTAbBgNVBAoMFEJ1bmRlc2RydWNrZXJlaSBHbWJIMREwDwYDVQQLDAhUIENTIElERTE2MDQGA1UEAwwtU1BSSU5EIEZ1bmtlIEVVREkgV2FsbGV0IFByb3RvdHlwZSBJc3N1aW5nIENBMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEYGzdwFDnc7+Kn5ibAvCOM8ke77VQxqfMcwZL8IaIA+WCROcCfmY/giH92qMru5p/kyOivE0RC/IbdMONvDoUyaNmMGQwHQYDVR0OBBYEFNRWGMCJOOgOWIQYyXZiv6u7xZC+MB8GA1UdIwQYMBaAFNRWGMCJOOgOWIQYyXZiv6u7xZC+MBIGA1UdEwEB/wQIMAYBAf8CAQAwDgYDVR0PAQH/BAQDAgGGMAoGCCqGSM49BAMCA0cAMEQCIGEm7wkZKHt/atb4MdFnXW6yrnwMUT2u136gdtl10Y6hAiBuTFqvVYth1rbxzCP0xWZHmQK9kVyxn8GPfX27EIzzsw==\n-----END CERTIFICATE-----";
+var sphereonCA = "-----BEGIN CERTIFICATE-----\nMIICCDCCAa6gAwIBAgITAPMgqwtYzWPBXaobHhxG9iSydTAKBggqhkjOPQQDAjBa\nMQswCQYDVQQGEwJOTDEkMCIGA1UECgwbU3BoZXJlb24gSW50ZXJuYXRpb25hbCBC\nLlYuMQswCQYDVQQLDAJJVDEYMBYGA1UEAwwPY2Euc3BoZXJlb24uY29tMB4XDTI0\nMDcyODIxMjY0OVoXDTM0MDcyODIxMjY0OVowWjELMAkGA1UEBhMCTkwxJDAiBgNV\nBAoMG1NwaGVyZW9uIEludGVybmF0aW9uYWwgQi5WLjELMAkGA1UECwwCSVQxGDAW\nBgNVBAMMD2NhLnNwaGVyZW9uLmNvbTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBEiA0KeESSNrOcmCDga8YsBkUTgowZGwqvL2n91JUpAMdRSwvlVFdqdiLXnk2pQq\nT1vZnDG0I+x+iz2EbdsG0aajUzBRMB0GA1UdDgQWBBTnB8pdlVz5yKD+zuNkRR6A\nsywywTAOBgNVHQ8BAf8EBAMCAaYwDwYDVR0lBAgwBgYEVR0lADAPBgNVHRMBAf8E\nBTADAQH/MAoGCCqGSM49BAMCA0gAMEUCIHH7ie1OAAbff5262rzZVQa8J9zENG8A\nQlHHFydMdgaXAiEA1Ib82mhHIYDziE0DDbHEAXOs98al+7dpo8fPGVGTeKI=\n-----END CERTIFICATE-----";
+
+// src/utils.ts
+var import_to_string = require("uint8arrays/to-string");
+async function fetchUrlWithErrorHandling(url) {
+  const response = await fetch(url);
+  if (!response.ok) {
+    throw new Error(`${response.status}: ${response.statusText}`);
+  }
+  return response;
+}
+__name(fetchUrlWithErrorHandling, "fetchUrlWithErrorHandling");
+function extractHashAlgFromIntegrity(integrityValue) {
+  const val = integrityValue?.toLowerCase().trim().split("-")[0];
+  if (val === "sha256" || val === "sha384" || val === "sha512") {
+    return val;
+  }
+  return void 0;
+}
+__name(extractHashAlgFromIntegrity, "extractHashAlgFromIntegrity");
+function extractHashFromIntegrity(integrityValue) {
+  return integrityValue?.toLowerCase().trim().split("-")[1];
+}
+__name(extractHashFromIntegrity, "extractHashFromIntegrity");
+async function validateIntegrity({ input, integrityValue, hasher }) {
+  if (!integrityValue) {
+    return true;
+  }
+  const alg = extractHashAlgFromIntegrity(integrityValue);
+  if (!alg) {
+    return false;
+  }
+  const calculatedHash = await createIntegrity({
+    hasher,
+    input,
+    alg
+  });
+  return calculatedHash == integrityValue;
+}
+__name(validateIntegrity, "validateIntegrity");
+async function createIntegrity({ input, hasher, alg = "sha256" }) {
+  const calculatedHash = await hasher(typeof input === "string" ? input : JSON.stringify(input), alg);
+  return `${alg}-${(0, import_to_string.toString)(calculatedHash, "base64")}`;
+}
+__name(createIntegrity, "createIntegrity");
+function assertValidTypeMetadata(metadata, vct) {
+  if (metadata.vct !== vct) {
+    throw new Error("VCT mismatch in metadata and credential");
+  }
+}
+__name(assertValidTypeMetadata, "assertValidTypeMetadata");
+
+// src/action-handler.ts
+var debug = (0, import_debug.default)("@sphereon/ssi-sdk.sd-jwt");
+var SDJwtPlugin = class {
+  static {
+    __name(this, "SDJwtPlugin");
+  }
+  // @ts-ignore
+  trustAnchorsInPEM;
+  registeredImplementations;
+  _signers;
+  _defaultSigner;
+  constructor(registeredImplementations, trustAnchorsInPEM) {
+    this.trustAnchorsInPEM = trustAnchorsInPEM ?? [];
+    if (!registeredImplementations) {
+      registeredImplementations = {};
+    }
+    if (typeof registeredImplementations?.hasher !== "function") {
+      registeredImplementations.hasher = defaultGenerateDigest;
+    }
+    if (typeof registeredImplementations?.saltGenerator !== "function") {
+      registeredImplementations.saltGenerator = defaultGenerateSalt;
+    }
+    this.registeredImplementations = registeredImplementations;
+    this._signers = registeredImplementations?.signers ?? {};
+    this._defaultSigner = registeredImplementations?.defaultSigner;
+  }
+  // map the methods your plugin is declaring to their implementation
+  methods = {
+    createSdJwtVc: this.createSdJwtVc.bind(this),
+    createSdJwtPresentation: this.createSdJwtPresentation.bind(this),
+    verifySdJwtVc: this.verifySdJwtVc.bind(this),
+    verifySdJwtPresentation: this.verifySdJwtPresentation.bind(this),
+    fetchSdJwtTypeMetadataFromVctUrl: this.fetchSdJwtTypeMetadataFromVctUrl.bind(this)
+  };
+  async getSignerForIdentifier(args, context) {
+    const { identifier, resolution } = args;
+    if (Object.keys(this._signers).includes(identifier) && typeof this._signers[identifier] === "function") {
+      return {
+        signer: this._signers[identifier]
+      };
+    } else if (typeof this._defaultSigner === "function") {
+      return {
+        signer: this._defaultSigner
+      };
+    }
+    const signingKey = await this.getSignKey({
+      identifier,
+      vmRelationship: "assertionMethod",
+      resolution
+    }, context);
+    const { key, alg } = signingKey;
+    const signer = /* @__PURE__ */ __name(async (data) => {
+      return context.agent.keyManagerSign({
+        keyRef: key.kmsKeyRef,
+        data
+      });
+    }, "signer");
+    return {
+      signer,
+      alg,
+      signingKey
+    };
+  }
+  /**
+  * Create a signed SD-JWT credential.
+  * @param args - Arguments necessary for the creation of a SD-JWT credential.
+  * @param context - This reserved param is automatically added and handled by the framework, *do not override*
+  * @returns A signed SD-JWT credential.
+  */
+  async createSdJwtVc(args, context) {
+    const issuer = args.credentialPayload.iss;
+    if (!issuer) {
+      throw new Error("credential.issuer must not be empty");
+    }
+    const { alg, signer, signingKey } = await this.getSignerForIdentifier({
+      identifier: issuer,
+      resolution: args.resolution
+    }, context);
+    const sdjwt = new import_sd_jwt_vc.SDJwtVcInstance({
+      signer,
+      hasher: this.registeredImplementations.hasher,
+      saltGenerator: this.registeredImplementations.saltGenerator,
+      signAlg: alg ?? "ES256",
+      hashAlg: "sha-256"
+    });
+    const credential = await sdjwt.issue(args.credentialPayload, args.disclosureFrame, {
+      header: {
+        ...signingKey?.key.kid !== void 0 && {
+          kid: signingKey.key.kid
+        },
+        ...signingKey?.key.x5c !== void 0 && {
+          x5c: signingKey.key.x5c
+        }
+      }
+    });
+    return {
+      credential
+    };
+  }
+  /**
+  * Get the key to sign the SD-JWT
+  * @param args - consists of twp arguments: identifier like a did and other forms of identifiers and vmRelationship which represents the purpose of the key
+  * @param context - agent instance
+  * @returns the key to sign the SD-JWT
+  */
+  async getSignKey(args, context) {
+    const { identifier, resolution } = {
+      ...args
+    };
+    if (resolution) {
+      const key = resolution.key;
+      const alg = await (0, import_ssi_sdk_ext2.signatureAlgorithmFromKey)({
+        key
+      });
+      switch (resolution.method) {
+        case "did":
+          debug(`Signing key ${key.publicKeyHex} found for identifier ${identifier}`);
+          return {
+            alg,
+            key: {
+              ...key,
+              kmsKeyRef: resolution.kmsKeyRef,
+              kid: resolution.kid
+            }
+          };
+        default:
+          if (key.meta?.x509 && key.meta.x509.x5c) {
+            return {
+              alg,
+              key: {
+                kid: resolution.kid,
+                kmsKeyRef: resolution.kmsKeyRef,
+                x5c: key.meta.x509.x5c
+              }
+            };
+          } else if (key.meta?.jwkThumbprint) {
+            return {
+              alg,
+              key: {
+                kid: resolution.kid,
+                kmsKeyRef: resolution.kmsKeyRef,
+                jwkThumbprint: key.meta.jwkThumbprint
+              }
+            };
+          } else {
+            return {
+              alg,
+              key: {
+                kid: resolution.kid,
+                kmsKeyRef: resolution.kmsKeyRef
+              }
+            };
+          }
+      }
+    } else if (identifier.startsWith("did:")) {
+      const didIdentifier = await context.agent.identifierManagedGetByDid({
+        identifier
+      });
+      if (!didIdentifier) {
+        throw new Error(`No identifier found with the given did: ${identifier}`);
+      }
+      const key = didIdentifier.key;
+      const alg = await (0, import_ssi_sdk_ext2.signatureAlgorithmFromKey)({
+        key
+      });
+      debug(`Signing key ${key.publicKeyHex} found for identifier ${identifier}`);
+      return {
+        alg,
+        key: {
+          ...key,
+          kmsKeyRef: didIdentifier.kmsKeyRef,
+          kid: didIdentifier.kid
+        }
+      };
+    } else {
+      const kidIdentifier = await context.agent.identifierManagedGetByKid({
+        identifier
+      });
+      if (!kidIdentifier) {
+        throw new Error(`No identifier found with the given kid: ${identifier}`);
+      }
+      const key = kidIdentifier.key;
+      const alg = await (0, import_ssi_sdk_ext2.signatureAlgorithmFromKey)({
+        key
+      });
+      if (key.meta?.x509 && key.meta.x509.x5c) {
+        return {
+          alg,
+          key: {
+            kid: kidIdentifier.kid,
+            kmsKeyRef: kidIdentifier.kmsKeyRef,
+            x5c: key.meta.x509.x5c
+          }
+        };
+      } else if (key.meta?.jwkThumbprint) {
+        return {
+          alg,
+          key: {
+            kid: kidIdentifier.kid,
+            kmsKeyRef: kidIdentifier.kmsKeyRef,
+            jwkThumbprint: key.meta.jwkThumbprint
+          }
+        };
+      } else {
+        return {
+          alg,
+          key: {
+            kid: kidIdentifier.kid,
+            kmsKeyRef: kidIdentifier.kmsKeyRef
+          }
+        };
+      }
+    }
+  }
+  /**
+  * Create a signed SD-JWT presentation.
+  * @param args - Arguments necessary for the creation of a SD-JWT presentation.
+  * @param context - This reserved param is automatically added and handled by the framework, *do not override*
+  * @returns A signed SD-JWT presentation.
+  */
+  async createSdJwtPresentation(args, context) {
+    const cred = await import_core.SDJwt.fromEncode(args.presentation, this.registeredImplementations.hasher);
+    const claims = await cred.getClaims(this.registeredImplementations.hasher);
+    let holder;
+    if (args.holder) {
+      holder = args.holder;
+    } else if (claims.cnf?.jwk) {
+      const jwk = claims.cnf.jwk;
+      holder = (0, import_ssi_sdk_ext2.calculateJwkThumbprint)({
+        jwk
+      });
+    } else if (claims.cnf?.kid) {
+      holder = claims.cnf?.kid;
+    } else if (claims.sub) {
+      holder = claims.sub;
+    } else {
+      throw new Error("invalid_argument: credential does not include a holder reference");
+    }
+    const { alg, signer } = await this.getSignerForIdentifier({
+      identifier: holder
+    }, context);
+    const sdjwt = new import_sd_jwt_vc.SDJwtVcInstance({
+      hasher: this.registeredImplementations.hasher ?? defaultGenerateDigest,
+      saltGenerator: this.registeredImplementations.saltGenerator,
+      kbSigner: signer,
+      kbSignAlg: alg ?? "ES256"
+    });
+    const presentation = await sdjwt.present(args.presentation, args.presentationFrame, {
+      kb: args.kb
+    });
+    return {
+      presentation
+    };
+  }
+  /**
+  * Verify a signed SD-JWT credential.
+  * @param args - Arguments necessary for the verify a SD-JWT credential.
+  * @param context - This reserved param is automatically added and handled by the framework, *do not override*
+  * @returns
+  */
+  async verifySdJwtVc(args, context) {
+    const verifier = /* @__PURE__ */ __name(async (data, signature) => this.verify(sdjwt, context, data, signature), "verifier");
+    const sdjwt = new import_sd_jwt_vc.SDJwtVcInstance({
+      verifier,
+      hasher: this.registeredImplementations.hasher ?? defaultGenerateDigest
+    });
+    const { header = {}, payload, kb } = await sdjwt.verify(args.credential);
+    return {
+      header,
+      payload,
+      kb
+    };
+  }
+  /**
+  * Verify the key binding of a SD-JWT by validating the signature of the key bound to the SD-JWT
+  * @param sdjwt - SD-JWT instance
+  * @param context - This reserved param is automatically added and handled by the framework, *do not override*
+  * @param data - signed data
+  * @param signature - The signature
+  * @param payload - The payload of the SD-JWT
+  * @returns
+  */
+  verifyKb(sdjwt, context, data, signature, payload) {
+    if (!payload.cnf) {
+      throw Error("other method than cnf is not supported yet");
+    }
+    return this.verifySignatureCallback(context)(data, signature, this.getJwk(payload));
+  }
+  /**
+  * Validates the signature of a SD-JWT
+  * @param sdjwt - SD-JWT instance
+  * @param context - This reserved param is automatically added and handled by the framework, *do not override*
+  * @param data - signed data
+  * @param signature - The signature
+  * @returns
+  */
+  async verify(sdjwt, context, data, signature, opts) {
+    const decodedVC = await sdjwt.decode(`${data}.${signature}`);
+    const issuer = decodedVC.jwt.payload.iss;
+    const header = decodedVC.jwt.header;
+    const x5c = header?.x5c;
+    let jwk = header.jwk;
+    if (x5c) {
+      const trustAnchors = /* @__PURE__ */ new Set([
+        ...this.trustAnchorsInPEM
+      ]);
+      if (trustAnchors.size === 0) {
+        trustAnchors.add(sphereonCA);
+        trustAnchors.add(funkeTestCA);
+      }
+      const certificateValidationResult = await context.agent.x509VerifyCertificateChain({
+        chain: x5c,
+        trustAnchors: Array.from(trustAnchors),
+        // TODO: Defaults to allowing untrusted certs! Fine for now, not when wallets go mainstream
+        opts: opts?.x5cValidation ?? {
+          trustRootWhenNoAnchors: true,
+          allowNoTrustAnchorsFound: true
+        }
+      });
+      if (certificateValidationResult.error || !certificateValidationResult?.certificateChain) {
+        return Promise.reject(Error(`Certificate chain validation failed. ${certificateValidationResult.message}`));
+      }
+      const certInfo = certificateValidationResult.certificateChain[0];
+      jwk = certInfo.publicKeyJWK;
+    }
+    if (!jwk && header.kid?.includes("did:")) {
+      const didDoc = await context.agent.resolveDid({
+        didUrl: header.kid
+      });
+      if (!didDoc) {
+        throw new Error("invalid_issuer: issuer did not resolve to a did document");
+      }
+      const didDocumentKey = didDoc.didDocument?.verificationMethod?.find((key) => key.id);
+      if (!didDocumentKey) {
+        throw new Error("invalid_issuer: issuer did document does not include referenced key");
+      }
+      jwk = didDocumentKey.publicKeyJwk;
+    }
+    if (!jwk && issuer.includes("did:")) {
+      const didDoc = await context.agent.resolveDid({
+        didUrl: issuer
+      });
+      if (!didDoc) {
+        throw new Error("invalid_issuer: issuer did not resolve to a did document");
+      }
+      const didDocumentKey = didDoc.didDocument?.verificationMethod?.find((key) => key.id);
+      if (!didDocumentKey) {
+        throw new Error("invalid_issuer: issuer did document does not include referenced key");
+      }
+      jwk = didDocumentKey.publicKeyJwk;
+    }
+    if (!jwk) {
+      throw new Error("No valid public key found for signature verification");
+    }
+    return this.verifySignatureCallback(context)(data, signature, jwk);
+  }
+  /**
+  * Verify a signed SD-JWT presentation.
+  * @param args - Arguments necessary for the verify a SD-JWT presentation.
+  * @param context - This reserved param is automatically added and handled by the framework, *do not override*
+  * @returns
+  */
+  async verifySdJwtPresentation(args, context) {
+    let sdjwt;
+    const verifier = /* @__PURE__ */ __name(async (data, signature) => this.verify(sdjwt, context, data, signature), "verifier");
+    const verifierKb = /* @__PURE__ */ __name(async (data, signature, payload) => this.verifyKb(sdjwt, context, data, signature, payload), "verifierKb");
+    sdjwt = new import_sd_jwt_vc.SDJwtVcInstance({
+      verifier,
+      hasher: this.registeredImplementations.hasher,
+      kbVerifier: verifierKb
+    });
+    return sdjwt.verify(args.presentation, args.requiredClaimKeys, args.kb);
+  }
+  /**
+  * Fetch and validate Type Metadata.
+  * @param args - Arguments necessary for fetching and validating the type metadata.
+  * @param context - This reserved param is automatically added and handled by the framework, *do not override*
+  * @returns
+  */
+  async fetchSdJwtTypeMetadataFromVctUrl(args, context) {
+    const { vct, vctIntegrity, opts } = args;
+    const url = new URL(vct);
+    const response = await fetchUrlWithErrorHandling(url.toString());
+    const metadata = await response.json();
+    assertValidTypeMetadata(metadata, vct);
+    const validate = /* @__PURE__ */ __name(async (vct2, input, integrityValue, hasher2) => {
+      if (hasher2 && integrityValue) {
+        const validation = await validateIntegrity({
+          integrityValue,
+          input,
+          hasher: hasher2
+        });
+        if (!validation) {
+          return Promise.reject(Error(`Integrity check failed for vct: ${vct2}, extends: ${metadata.extends}, integrity: ${integrityValue}}`));
+        }
+      }
+    }, "validate");
+    const hasher = opts?.hasher ?? this.registeredImplementations.hasher ?? defaultGenerateDigest;
+    if (hasher) {
+      if (vctIntegrity) {
+        await validate(vct, metadata, vctIntegrity, hasher);
+        const vctValidation = await validateIntegrity({
+          integrityValue: vctIntegrity,
+          input: metadata,
+          hasher
+        });
+        if (!vctValidation) {
+          return Promise.reject(Error(`Integrity check failed for vct: ${vct}, integrity: ${vctIntegrity}`));
+        }
+      }
+      if (metadata["extends#integrity"]) {
+        const extendsMetadata = await this.fetchSdJwtTypeMetadataFromVctUrl({
+          vct: metadata["extends#integrity"],
+          opts
+        }, context);
+        await validate(vct, extendsMetadata, metadata["extends#integrity"], hasher);
+      }
+      if (metadata["schema_uri#integrity"]) {
+        const schemaResponse = await fetchUrlWithErrorHandling(metadata.schema_uri);
+        const schema = await schemaResponse.json();
+        await validate(vct, schema, metadata["schema_uri#integrity"], hasher);
+      }
+      metadata.display?.forEach((display) => {
+        const simpleLogoIntegrity = display.rendering?.simple?.logo?.["uri#integrity"];
+        if (simpleLogoIntegrity) {
+          console.log("TODO: Logo integrity check");
+        }
+      });
+    }
+    return metadata;
+  }
+  verifySignatureCallback(context) {
+    if (typeof this.registeredImplementations.verifySignature === "function") {
+      return this.registeredImplementations.verifySignature;
+    }
+    return defaultVerifySignature(context);
+  }
+  getJwk(payload) {
+    if (payload.cnf?.jwk !== void 0) {
+      return payload.cnf.jwk;
+    } else if (payload.cnf !== void 0 && "kid" in payload.cnf && typeof payload.cnf.kid === "string" && payload.cnf.kid.startsWith("did:jwk:")) {
+      const encoded = this.extractBase64FromDIDJwk(payload.cnf.kid);
+      const decoded = (0, import_utils.decodeBase64url)(encoded);
+      const jwt = JSON.parse(decoded);
+      return jwt;
+    }
+    throw Error("Unable to extract JWK from SD-JWT payload");
+  }
+  extractBase64FromDIDJwk(did) {
+    const parts = did.split(":");
+    if (parts.length < 3) {
+      throw new Error("Invalid DID format");
+    }
+    return parts[2].split("#")[0];
+  }
+};
+
+// src/types.ts
+var import_ssi_sdk = require("@sphereon/ssi-sdk.agent-config");
+var sdJwtPluginContextMethods = [
+  "createSdJwtVc",
+  "createSdJwtPresentation",
+  "verifySdJwtVc",
+  "verifySdJwtPresentation"
+];
+function contextHasSDJwtPlugin(context) {
+  return (0, import_ssi_sdk.contextHasPlugin)(context, "verifySdJwtVc");
+}
+__name(contextHasSDJwtPlugin, "contextHasSDJwtPlugin");
+//# sourceMappingURL=index.cjs.map