@sphereon/ssi-sdk.sd-jwt 0.33.1-next.3 → 0.33.1-next.73

package/dist/index.js

@@ -1,22 +1,564 @@
-"use strict";
-var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    var desc = Object.getOwnPropertyDescriptor(m, k);
-    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
-      desc = { enumerable: true, get: function() { return m[k]; } };
-    }
-    Object.defineProperty(o, k2, desc);
-}) : (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    o[k2] = m[k];
-}));
-var __exportStar = (this && this.__exportStar) || function(m, exports) {
-    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+var __defProp = Object.defineProperty;
+var __name = (target, value) => __defProp(target, "name", { value, configurable: true });
+
+// src/action-handler.ts
+import { SDJwt } from "@sd-jwt/core";
+import { SDJwtVcInstance } from "@sd-jwt/sd-jwt-vc";
+import { calculateJwkThumbprint, signatureAlgorithmFromKey } from "@sphereon/ssi-sdk-ext.key-utils";
+import { decodeBase64url } from "@veramo/utils";
+import Debug from "debug";
+
+// src/defaultCallbacks.ts
+import { digestMethodParams } from "@sphereon/ssi-sdk-ext.key-utils";
+import { Loggers } from "@sphereon/ssi-types";
+import { v4 } from "uuid";
+import { fromString } from "uint8arrays/from-string";
+var defaultGenerateDigest = /* @__PURE__ */ __name((data, alg) => {
+  return digestMethodParams(alg.includes("256") ? "SHA-256" : "SHA-512").hash(typeof data === "string" ? fromString(data, "utf-8") : new Uint8Array(data));
+}, "defaultGenerateDigest");
+var defaultGenerateSalt = /* @__PURE__ */ __name(() => {
+  return v4();
+}, "defaultGenerateSalt");
+var defaultVerifySignature = /* @__PURE__ */ __name((context) => async (data, signature, publicKey) => {
+  const result = await context.agent.jwtVerifyJwsSignature({
+    jws: `${data}.${signature}`,
+    jwk: publicKey
+  });
+  Loggers.DEFAULT.get("sd-jwt").info(`SD-JWT signature verified. Result: ${result.message}`);
+  return !result.error;
+}, "defaultVerifySignature");
+
+// src/trustAnchors.ts
+var funkeTestCA = "-----BEGIN CERTIFICATE-----\nMIICeTCCAiCgAwIBAgIUB5E9QVZtmUYcDtCjKB/H3VQv72gwCgYIKoZIzj0EAwIwgYgxCzAJBgNVBAYTAkRFMQ8wDQYDVQQHDAZCZXJsaW4xHTAbBgNVBAoMFEJ1bmRlc2RydWNrZXJlaSBHbWJIMREwDwYDVQQLDAhUIENTIElERTE2MDQGA1UEAwwtU1BSSU5EIEZ1bmtlIEVVREkgV2FsbGV0IFByb3RvdHlwZSBJc3N1aW5nIENBMB4XDTI0MDUzMTA2NDgwOVoXDTM0MDUyOTA2NDgwOVowgYgxCzAJBgNVBAYTAkRFMQ8wDQYDVQQHDAZCZXJsaW4xHTAbBgNVBAoMFEJ1bmRlc2RydWNrZXJlaSBHbWJIMREwDwYDVQQLDAhUIENTIElERTE2MDQGA1UEAwwtU1BSSU5EIEZ1bmtlIEVVREkgV2FsbGV0IFByb3RvdHlwZSBJc3N1aW5nIENBMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEYGzdwFDnc7+Kn5ibAvCOM8ke77VQxqfMcwZL8IaIA+WCROcCfmY/giH92qMru5p/kyOivE0RC/IbdMONvDoUyaNmMGQwHQYDVR0OBBYEFNRWGMCJOOgOWIQYyXZiv6u7xZC+MB8GA1UdIwQYMBaAFNRWGMCJOOgOWIQYyXZiv6u7xZC+MBIGA1UdEwEB/wQIMAYBAf8CAQAwDgYDVR0PAQH/BAQDAgGGMAoGCCqGSM49BAMCA0cAMEQCIGEm7wkZKHt/atb4MdFnXW6yrnwMUT2u136gdtl10Y6hAiBuTFqvVYth1rbxzCP0xWZHmQK9kVyxn8GPfX27EIzzsw==\n-----END CERTIFICATE-----";
+var sphereonCA = "-----BEGIN CERTIFICATE-----\nMIICCDCCAa6gAwIBAgITAPMgqwtYzWPBXaobHhxG9iSydTAKBggqhkjOPQQDAjBa\nMQswCQYDVQQGEwJOTDEkMCIGA1UECgwbU3BoZXJlb24gSW50ZXJuYXRpb25hbCBC\nLlYuMQswCQYDVQQLDAJJVDEYMBYGA1UEAwwPY2Euc3BoZXJlb24uY29tMB4XDTI0\nMDcyODIxMjY0OVoXDTM0MDcyODIxMjY0OVowWjELMAkGA1UEBhMCTkwxJDAiBgNV\nBAoMG1NwaGVyZW9uIEludGVybmF0aW9uYWwgQi5WLjELMAkGA1UECwwCSVQxGDAW\nBgNVBAMMD2NhLnNwaGVyZW9uLmNvbTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBEiA0KeESSNrOcmCDga8YsBkUTgowZGwqvL2n91JUpAMdRSwvlVFdqdiLXnk2pQq\nT1vZnDG0I+x+iz2EbdsG0aajUzBRMB0GA1UdDgQWBBTnB8pdlVz5yKD+zuNkRR6A\nsywywTAOBgNVHQ8BAf8EBAMCAaYwDwYDVR0lBAgwBgYEVR0lADAPBgNVHRMBAf8E\nBTADAQH/MAoGCCqGSM49BAMCA0gAMEUCIHH7ie1OAAbff5262rzZVQa8J9zENG8A\nQlHHFydMdgaXAiEA1Ib82mhHIYDziE0DDbHEAXOs98al+7dpo8fPGVGTeKI=\n-----END CERTIFICATE-----";
+
+// src/utils.ts
+import { toString } from "uint8arrays/to-string";
+async function fetchUrlWithErrorHandling(url) {
+  const response = await fetch(url);
+  if (!response.ok) {
+    throw new Error(`${response.status}: ${response.statusText}`);
+  }
+  return response;
+}
+__name(fetchUrlWithErrorHandling, "fetchUrlWithErrorHandling");
+function extractHashAlgFromIntegrity(integrityValue) {
+  const val = integrityValue?.toLowerCase().trim().split("-")[0];
+  if (val === "sha256" || val === "sha384" || val === "sha512") {
+    return val;
+  }
+  return void 0;
+}
+__name(extractHashAlgFromIntegrity, "extractHashAlgFromIntegrity");
+function extractHashFromIntegrity(integrityValue) {
+  return integrityValue?.toLowerCase().trim().split("-")[1];
+}
+__name(extractHashFromIntegrity, "extractHashFromIntegrity");
+async function validateIntegrity({ input, integrityValue, hasher }) {
+  if (!integrityValue) {
+    return true;
+  }
+  const alg = extractHashAlgFromIntegrity(integrityValue);
+  if (!alg) {
+    return false;
+  }
+  const calculatedHash = await createIntegrity({
+    hasher,
+    input,
+    alg
+  });
+  return calculatedHash == integrityValue;
+}
+__name(validateIntegrity, "validateIntegrity");
+async function createIntegrity({ input, hasher, alg = "sha256" }) {
+  const calculatedHash = await hasher(typeof input === "string" ? input : JSON.stringify(input), alg);
+  return `${alg}-${toString(calculatedHash, "base64")}`;
+}
+__name(createIntegrity, "createIntegrity");
+function assertValidTypeMetadata(metadata, vct) {
+  if (metadata.vct !== vct) {
+    throw new Error("VCT mismatch in metadata and credential");
+  }
+}
+__name(assertValidTypeMetadata, "assertValidTypeMetadata");
+
+// src/action-handler.ts
+var debug = Debug("@sphereon/ssi-sdk.sd-jwt");
+var SDJwtPlugin = class {
+  static {
+    __name(this, "SDJwtPlugin");
+  }
+  // @ts-ignore
+  trustAnchorsInPEM;
+  registeredImplementations;
+  _signers;
+  _defaultSigner;
+  constructor(registeredImplementations, trustAnchorsInPEM) {
+    this.trustAnchorsInPEM = trustAnchorsInPEM ?? [];
+    if (!registeredImplementations) {
+      registeredImplementations = {};
+    }
+    if (typeof registeredImplementations?.hasher !== "function") {
+      registeredImplementations.hasher = defaultGenerateDigest;
+    }
+    if (typeof registeredImplementations?.saltGenerator !== "function") {
+      registeredImplementations.saltGenerator = defaultGenerateSalt;
+    }
+    this.registeredImplementations = registeredImplementations;
+    this._signers = registeredImplementations?.signers ?? {};
+    this._defaultSigner = registeredImplementations?.defaultSigner;
+  }
+  // map the methods your plugin is declaring to their implementation
+  methods = {
+    createSdJwtVc: this.createSdJwtVc.bind(this),
+    createSdJwtPresentation: this.createSdJwtPresentation.bind(this),
+    verifySdJwtVc: this.verifySdJwtVc.bind(this),
+    verifySdJwtPresentation: this.verifySdJwtPresentation.bind(this),
+    fetchSdJwtTypeMetadataFromVctUrl: this.fetchSdJwtTypeMetadataFromVctUrl.bind(this)
+  };
+  async getSignerForIdentifier(args, context) {
+    const { identifier, resolution } = args;
+    if (Object.keys(this._signers).includes(identifier) && typeof this._signers[identifier] === "function") {
+      return {
+        signer: this._signers[identifier]
+      };
+    } else if (typeof this._defaultSigner === "function") {
+      return {
+        signer: this._defaultSigner
+      };
+    }
+    const signingKey = await this.getSignKey({
+      identifier,
+      vmRelationship: "assertionMethod",
+      resolution
+    }, context);
+    const { key, alg } = signingKey;
+    const signer = /* @__PURE__ */ __name(async (data) => {
+      return context.agent.keyManagerSign({
+        keyRef: key.kmsKeyRef,
+        data
+      });
+    }, "signer");
+    return {
+      signer,
+      alg,
+      signingKey
+    };
+  }
+  /**
+  * Create a signed SD-JWT credential.
+  * @param args - Arguments necessary for the creation of a SD-JWT credential.
+  * @param context - This reserved param is automatically added and handled by the framework, *do not override*
+  * @returns A signed SD-JWT credential.
+  */
+  async createSdJwtVc(args, context) {
+    const issuer = args.credentialPayload.iss;
+    if (!issuer) {
+      throw new Error("credential.issuer must not be empty");
+    }
+    const { alg, signer, signingKey } = await this.getSignerForIdentifier({
+      identifier: issuer,
+      resolution: args.resolution
+    }, context);
+    const sdjwt = new SDJwtVcInstance({
+      signer,
+      hasher: this.registeredImplementations.hasher,
+      saltGenerator: this.registeredImplementations.saltGenerator,
+      signAlg: alg ?? "ES256",
+      hashAlg: "sha-256"
+    });
+    const credential = await sdjwt.issue(args.credentialPayload, args.disclosureFrame, {
+      header: {
+        ...signingKey?.key.kid !== void 0 && {
+          kid: signingKey.key.kid
+        },
+        ...signingKey?.key.x5c !== void 0 && {
+          x5c: signingKey.key.x5c
+        }
+      }
+    });
+    return {
+      credential
+    };
+  }
+  /**
+  * Get the key to sign the SD-JWT
+  * @param args - consists of twp arguments: identifier like a did and other forms of identifiers and vmRelationship which represents the purpose of the key
+  * @param context - agent instance
+  * @returns the key to sign the SD-JWT
+  */
+  async getSignKey(args, context) {
+    const { identifier, resolution } = {
+      ...args
+    };
+    if (resolution) {
+      const key = resolution.key;
+      const alg = await signatureAlgorithmFromKey({
+        key
+      });
+      switch (resolution.method) {
+        case "did":
+          debug(`Signing key ${key.publicKeyHex} found for identifier ${identifier}`);
+          return {
+            alg,
+            key: {
+              ...key,
+              kmsKeyRef: resolution.kmsKeyRef,
+              kid: resolution.kid
+            }
+          };
+        default:
+          if (key.meta?.x509 && key.meta.x509.x5c) {
+            return {
+              alg,
+              key: {
+                kid: resolution.kid,
+                kmsKeyRef: resolution.kmsKeyRef,
+                x5c: key.meta.x509.x5c
+              }
+            };
+          } else if (key.meta?.jwkThumbprint) {
+            return {
+              alg,
+              key: {
+                kid: resolution.kid,
+                kmsKeyRef: resolution.kmsKeyRef,
+                jwkThumbprint: key.meta.jwkThumbprint
+              }
+            };
+          } else {
+            return {
+              alg,
+              key: {
+                kid: resolution.kid,
+                kmsKeyRef: resolution.kmsKeyRef
+              }
+            };
+          }
+      }
+    } else if (identifier.startsWith("did:")) {
+      const didIdentifier = await context.agent.identifierManagedGetByDid({
+        identifier
+      });
+      if (!didIdentifier) {
+        throw new Error(`No identifier found with the given did: ${identifier}`);
+      }
+      const key = didIdentifier.key;
+      const alg = await signatureAlgorithmFromKey({
+        key
+      });
+      debug(`Signing key ${key.publicKeyHex} found for identifier ${identifier}`);
+      return {
+        alg,
+        key: {
+          ...key,
+          kmsKeyRef: didIdentifier.kmsKeyRef,
+          kid: didIdentifier.kid
+        }
+      };
+    } else {
+      const kidIdentifier = await context.agent.identifierManagedGetByKid({
+        identifier
+      });
+      if (!kidIdentifier) {
+        throw new Error(`No identifier found with the given kid: ${identifier}`);
+      }
+      const key = kidIdentifier.key;
+      const alg = await signatureAlgorithmFromKey({
+        key
+      });
+      if (key.meta?.x509 && key.meta.x509.x5c) {
+        return {
+          alg,
+          key: {
+            kid: kidIdentifier.kid,
+            kmsKeyRef: kidIdentifier.kmsKeyRef,
+            x5c: key.meta.x509.x5c
+          }
+        };
+      } else if (key.meta?.jwkThumbprint) {
+        return {
+          alg,
+          key: {
+            kid: kidIdentifier.kid,
+            kmsKeyRef: kidIdentifier.kmsKeyRef,
+            jwkThumbprint: key.meta.jwkThumbprint
+          }
+        };
+      } else {
+        return {
+          alg,
+          key: {
+            kid: kidIdentifier.kid,
+            kmsKeyRef: kidIdentifier.kmsKeyRef
+          }
+        };
+      }
+    }
+  }
+  /**
+  * Create a signed SD-JWT presentation.
+  * @param args - Arguments necessary for the creation of a SD-JWT presentation.
+  * @param context - This reserved param is automatically added and handled by the framework, *do not override*
+  * @returns A signed SD-JWT presentation.
+  */
+  async createSdJwtPresentation(args, context) {
+    const cred = await SDJwt.fromEncode(args.presentation, this.registeredImplementations.hasher);
+    const claims = await cred.getClaims(this.registeredImplementations.hasher);
+    let holder;
+    if (args.holder) {
+      holder = args.holder;
+    } else if (claims.cnf?.jwk) {
+      const jwk = claims.cnf.jwk;
+      holder = calculateJwkThumbprint({
+        jwk
+      });
+    } else if (claims.cnf?.kid) {
+      holder = claims.cnf?.kid;
+    } else if (claims.sub) {
+      holder = claims.sub;
+    } else {
+      throw new Error("invalid_argument: credential does not include a holder reference");
+    }
+    const { alg, signer } = await this.getSignerForIdentifier({
+      identifier: holder
+    }, context);
+    const sdjwt = new SDJwtVcInstance({
+      hasher: this.registeredImplementations.hasher ?? defaultGenerateDigest,
+      saltGenerator: this.registeredImplementations.saltGenerator,
+      kbSigner: signer,
+      kbSignAlg: alg ?? "ES256"
+    });
+    const presentation = await sdjwt.present(args.presentation, args.presentationFrame, {
+      kb: args.kb
+    });
+    return {
+      presentation
+    };
+  }
+  /**
+  * Verify a signed SD-JWT credential.
+  * @param args - Arguments necessary for the verify a SD-JWT credential.
+  * @param context - This reserved param is automatically added and handled by the framework, *do not override*
+  * @returns
+  */
+  async verifySdJwtVc(args, context) {
+    const verifier = /* @__PURE__ */ __name(async (data, signature) => this.verify(sdjwt, context, data, signature), "verifier");
+    const sdjwt = new SDJwtVcInstance({
+      verifier,
+      hasher: this.registeredImplementations.hasher ?? defaultGenerateDigest
+    });
+    const { header = {}, payload, kb } = await sdjwt.verify(args.credential);
+    return {
+      header,
+      payload,
+      kb
+    };
+  }
+  /**
+  * Verify the key binding of a SD-JWT by validating the signature of the key bound to the SD-JWT
+  * @param sdjwt - SD-JWT instance
+  * @param context - This reserved param is automatically added and handled by the framework, *do not override*
+  * @param data - signed data
+  * @param signature - The signature
+  * @param payload - The payload of the SD-JWT
+  * @returns
+  */
+  verifyKb(sdjwt, context, data, signature, payload) {
+    if (!payload.cnf) {
+      throw Error("other method than cnf is not supported yet");
+    }
+    return this.verifySignatureCallback(context)(data, signature, this.getJwk(payload));
+  }
+  /**
+  * Validates the signature of a SD-JWT
+  * @param sdjwt - SD-JWT instance
+  * @param context - This reserved param is automatically added and handled by the framework, *do not override*
+  * @param data - signed data
+  * @param signature - The signature
+  * @returns
+  */
+  async verify(sdjwt, context, data, signature, opts) {
+    const decodedVC = await sdjwt.decode(`${data}.${signature}`);
+    const issuer = decodedVC.jwt.payload.iss;
+    const header = decodedVC.jwt.header;
+    const x5c = header?.x5c;
+    let jwk = header.jwk;
+    if (x5c) {
+      const trustAnchors = /* @__PURE__ */ new Set([
+        ...this.trustAnchorsInPEM
+      ]);
+      if (trustAnchors.size === 0) {
+        trustAnchors.add(sphereonCA);
+        trustAnchors.add(funkeTestCA);
+      }
+      const certificateValidationResult = await context.agent.x509VerifyCertificateChain({
+        chain: x5c,
+        trustAnchors: Array.from(trustAnchors),
+        // TODO: Defaults to allowing untrusted certs! Fine for now, not when wallets go mainstream
+        opts: opts?.x5cValidation ?? {
+          trustRootWhenNoAnchors: true,
+          allowNoTrustAnchorsFound: true
+        }
+      });
+      if (certificateValidationResult.error || !certificateValidationResult?.certificateChain) {
+        return Promise.reject(Error(`Certificate chain validation failed. ${certificateValidationResult.message}`));
+      }
+      const certInfo = certificateValidationResult.certificateChain[0];
+      jwk = certInfo.publicKeyJWK;
+    }
+    if (!jwk && header.kid?.includes("did:")) {
+      const didDoc = await context.agent.resolveDid({
+        didUrl: header.kid
+      });
+      if (!didDoc) {
+        throw new Error("invalid_issuer: issuer did not resolve to a did document");
+      }
+      const didDocumentKey = didDoc.didDocument?.verificationMethod?.find((key) => key.id);
+      if (!didDocumentKey) {
+        throw new Error("invalid_issuer: issuer did document does not include referenced key");
+      }
+      jwk = didDocumentKey.publicKeyJwk;
+    }
+    if (!jwk && issuer.includes("did:")) {
+      const didDoc = await context.agent.resolveDid({
+        didUrl: issuer
+      });
+      if (!didDoc) {
+        throw new Error("invalid_issuer: issuer did not resolve to a did document");
+      }
+      const didDocumentKey = didDoc.didDocument?.verificationMethod?.find((key) => key.id);
+      if (!didDocumentKey) {
+        throw new Error("invalid_issuer: issuer did document does not include referenced key");
+      }
+      jwk = didDocumentKey.publicKeyJwk;
+    }
+    if (!jwk) {
+      throw new Error("No valid public key found for signature verification");
+    }
+    return this.verifySignatureCallback(context)(data, signature, jwk);
+  }
+  /**
+  * Verify a signed SD-JWT presentation.
+  * @param args - Arguments necessary for the verify a SD-JWT presentation.
+  * @param context - This reserved param is automatically added and handled by the framework, *do not override*
+  * @returns
+  */
+  async verifySdJwtPresentation(args, context) {
+    let sdjwt;
+    const verifier = /* @__PURE__ */ __name(async (data, signature) => this.verify(sdjwt, context, data, signature), "verifier");
+    const verifierKb = /* @__PURE__ */ __name(async (data, signature, payload) => this.verifyKb(sdjwt, context, data, signature, payload), "verifierKb");
+    sdjwt = new SDJwtVcInstance({
+      verifier,
+      hasher: this.registeredImplementations.hasher,
+      kbVerifier: verifierKb
+    });
+    return sdjwt.verify(args.presentation, args.requiredClaimKeys, args.kb);
+  }
+  /**
+  * Fetch and validate Type Metadata.
+  * @param args - Arguments necessary for fetching and validating the type metadata.
+  * @param context - This reserved param is automatically added and handled by the framework, *do not override*
+  * @returns
+  */
+  async fetchSdJwtTypeMetadataFromVctUrl(args, context) {
+    const { vct, vctIntegrity, opts } = args;
+    const url = new URL(vct);
+    const response = await fetchUrlWithErrorHandling(url.toString());
+    const metadata = await response.json();
+    assertValidTypeMetadata(metadata, vct);
+    const validate = /* @__PURE__ */ __name(async (vct2, input, integrityValue, hasher2) => {
+      if (hasher2 && integrityValue) {
+        const validation = await validateIntegrity({
+          integrityValue,
+          input,
+          hasher: hasher2
+        });
+        if (!validation) {
+          return Promise.reject(Error(`Integrity check failed for vct: ${vct2}, extends: ${metadata.extends}, integrity: ${integrityValue}}`));
+        }
+      }
+    }, "validate");
+    const hasher = opts?.hasher ?? this.registeredImplementations.hasher ?? defaultGenerateDigest;
+    if (hasher) {
+      if (vctIntegrity) {
+        await validate(vct, metadata, vctIntegrity, hasher);
+        const vctValidation = await validateIntegrity({
+          integrityValue: vctIntegrity,
+          input: metadata,
+          hasher
+        });
+        if (!vctValidation) {
+          return Promise.reject(Error(`Integrity check failed for vct: ${vct}, integrity: ${vctIntegrity}`));
+        }
+      }
+      if (metadata["extends#integrity"]) {
+        const extendsMetadata = await this.fetchSdJwtTypeMetadataFromVctUrl({
+          vct: metadata["extends#integrity"],
+          opts
+        }, context);
+        await validate(vct, extendsMetadata, metadata["extends#integrity"], hasher);
+      }
+      if (metadata["schema_uri#integrity"]) {
+        const schemaResponse = await fetchUrlWithErrorHandling(metadata.schema_uri);
+        const schema = await schemaResponse.json();
+        await validate(vct, schema, metadata["schema_uri#integrity"], hasher);
+      }
+      metadata.display?.forEach((display) => {
+        const simpleLogoIntegrity = display.rendering?.simple?.logo?.["uri#integrity"];
+        if (simpleLogoIntegrity) {
+          console.log("TODO: Logo integrity check");
+        }
+      });
+    }
+    return metadata;
+  }
+  verifySignatureCallback(context) {
+    if (typeof this.registeredImplementations.verifySignature === "function") {
+      return this.registeredImplementations.verifySignature;
+    }
+    return defaultVerifySignature(context);
+  }
+  getJwk(payload) {
+    if (payload.cnf?.jwk !== void 0) {
+      return payload.cnf.jwk;
+    } else if (payload.cnf !== void 0 && "kid" in payload.cnf && typeof payload.cnf.kid === "string" && payload.cnf.kid.startsWith("did:jwk:")) {
+      const encoded = this.extractBase64FromDIDJwk(payload.cnf.kid);
+      const decoded = decodeBase64url(encoded);
+      const jwt = JSON.parse(decoded);
+      return jwt;
+    }
+    throw Error("Unable to extract JWK from SD-JWT payload");
+  }
+  extractBase64FromDIDJwk(did) {
+    const parts = did.split(":");
+    if (parts.length < 3) {
+      throw new Error("Invalid DID format");
+    }
+    return parts[2].split("#")[0];
+  }
+};
+
+// src/types.ts
+import { contextHasPlugin } from "@sphereon/ssi-sdk.agent-config";
+var sdJwtPluginContextMethods = [
+  "createSdJwtVc",
+  "createSdJwtPresentation",
+  "verifySdJwtVc",
+  "verifySdJwtPresentation"
+];
+function contextHasSDJwtPlugin(context) {
+  return contextHasPlugin(context, "verifySdJwtVc");
+}
+__name(contextHasSDJwtPlugin, "contextHasSDJwtPlugin");
+export {
+  SDJwtPlugin,
+  assertValidTypeMetadata,
+  contextHasSDJwtPlugin,
+  createIntegrity,
+  extractHashFromIntegrity,
+  fetchUrlWithErrorHandling,
+  sdJwtPluginContextMethods,
+  validateIntegrity
 };
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.SDJwtPlugin = void 0;
-var action_handler_1 = require("./action-handler");
-Object.defineProperty(exports, "SDJwtPlugin", { enumerable: true, get: function () { return action_handler_1.SDJwtPlugin; } });
-__exportStar(require("./utils"), exports);
-__exportStar(require("./types"), exports);
 //# sourceMappingURL=index.js.map