@sphereon/ssi-sdk.sd-jwt 0.34.0 → 0.34.1-next.3

package/dist/index.cjs.map

@@ -1 +1 @@
-{"version":3,"sources":["../src/index.ts","../src/action-handler.ts","../src/defaultCallbacks.ts","../src/trustAnchors.ts","../src/utils.ts","../src/types.ts"],"sourcesContent":["export { SDJwtPlugin } from './action-handler'\nexport * from './utils'\nexport * from './types'\n","import { Jwt, SDJwt } from '@sd-jwt/core'\nimport { SDJwtVcInstance, SdJwtVcPayload } from '@sd-jwt/sd-jwt-vc'\nimport { DisclosureFrame, Hasher, JwtPayload, KbVerifier, PresentationFrame, Signer, Verifier } from '@sd-jwt/types'\nimport { calculateJwkThumbprint, signatureAlgorithmFromKey } from '@sphereon/ssi-sdk-ext.key-utils'\nimport { X509CertificateChainValidationOpts } from '@sphereon/ssi-sdk-ext.x509-utils'\nimport { HasherSync, JsonWebKey, JWK, SdJwtTypeMetadata } from '@sphereon/ssi-types'\nimport { IAgentPlugin } from '@veramo/core'\nimport { decodeBase64url } from '@veramo/utils'\nimport Debug from 'debug'\nimport { defaultGenerateDigest, defaultGenerateSalt, defaultVerifySignature } from './defaultCallbacks'\nimport { funkeTestCA, sphereonCA } from './trustAnchors'\nimport { assertValidTypeMetadata, fetchUrlWithErrorHandling, validateIntegrity } from './utils'\nimport {\n  Claims,\n  FetchSdJwtTypeMetadataFromVctUrlArgs,\n  GetSignerForIdentifierArgs,\n  GetSignerResult,\n  ICreateSdJwtPresentationArgs,\n  ICreateSdJwtPresentationResult,\n  ICreateSdJwtVcArgs,\n  ICreateSdJwtVcResult,\n  IRequiredContext,\n  ISDJwtPlugin,\n  IVerifySdJwtPresentationArgs,\n  IVerifySdJwtPresentationResult,\n  IVerifySdJwtVcArgs,\n  IVerifySdJwtVcResult,\n  SdJWTImplementation,\n  SdJwtVerifySignature,\n  SignKeyArgs,\n  SignKeyResult,\n} from './types'\n\nconst debug = Debug('@sphereon/ssi-sdk.sd-jwt')\n\n/**\n * @beta\n * SD-JWT plugin\n */\nexport class SDJwtPlugin implements IAgentPlugin {\n  // @ts-ignore\n  private readonly trustAnchorsInPEM: string[]\n  private readonly registeredImplementations: SdJWTImplementation\n  private _signers: Record<string, Signer>\n  private _defaultSigner?: Signer\n\n  constructor(\n    registeredImplementations?: SdJWTImplementation & {\n      signers?: Record<string, Signer>\n      defaultSigner?: Signer\n    },\n    trustAnchorsInPEM?: string[],\n  ) {\n    this.trustAnchorsInPEM = trustAnchorsInPEM ?? []\n    if (!registeredImplementations) {\n      registeredImplementations = {}\n    }\n    if (typeof registeredImplementations?.hasher !== 'function') {\n      registeredImplementations.hasher = defaultGenerateDigest\n    }\n    if (typeof registeredImplementations?.saltGenerator !== 'function') {\n      registeredImplementations.saltGenerator = defaultGenerateSalt\n    }\n    this.registeredImplementations = registeredImplementations\n    this._signers = registeredImplementations?.signers ?? {}\n    this._defaultSigner = registeredImplementations?.defaultSigner\n\n    // Verify signature default is used below in the methods if not provided here, as it needs the context of the agent\n  }\n\n  // map the methods your plugin is declaring to their implementation\n  readonly methods: ISDJwtPlugin = {\n    createSdJwtVc: this.createSdJwtVc.bind(this),\n    createSdJwtPresentation: this.createSdJwtPresentation.bind(this),\n    verifySdJwtVc: this.verifySdJwtVc.bind(this),\n    verifySdJwtPresentation: this.verifySdJwtPresentation.bind(this),\n    fetchSdJwtTypeMetadataFromVctUrl: this.fetchSdJwtTypeMetadataFromVctUrl.bind(this),\n  }\n\n  private async getSignerForIdentifier(args: GetSignerForIdentifierArgs, context: IRequiredContext): Promise<GetSignerResult> {\n    const { identifier, resolution } = args\n    if (Object.keys(this._signers).includes(identifier) && typeof this._signers[identifier] === 'function') {\n      return { signer: this._signers[identifier] }\n    } else if (typeof this._defaultSigner === 'function') {\n      return { signer: this._defaultSigner }\n    }\n    const signingKey = await this.getSignKey({ identifier, vmRelationship: 'assertionMethod', resolution }, context)\n    const { key, alg } = signingKey\n\n    const signer: Signer = async (data: string): Promise<string> => {\n      return context.agent.keyManagerSign({ keyRef: key.kmsKeyRef, data })\n    }\n\n    return { signer, alg, signingKey }\n  }\n\n  /**\n   * Create a signed SD-JWT credential.\n   * @param args - Arguments necessary for the creation of a SD-JWT credential.\n   * @param context - This reserved param is automatically added and handled by the framework, *do not override*\n   * @returns A signed SD-JWT credential.\n   */\n  async createSdJwtVc(args: ICreateSdJwtVcArgs, context: IRequiredContext): Promise<ICreateSdJwtVcResult> {\n    const issuer = args.credentialPayload.iss\n    if (!issuer) {\n      throw new Error('credential.issuer must not be empty')\n    }\n    const { alg, signer, signingKey } = await this.getSignerForIdentifier({ identifier: issuer, resolution: args.resolution }, context)\n    const sdjwt = new SDJwtVcInstance({\n      signer,\n      hasher: this.registeredImplementations.hasher,\n      saltGenerator: this.registeredImplementations.saltGenerator,\n      signAlg: alg ?? 'ES256',\n      hashAlg: 'sha-256',\n    })\n\n    const credential = await sdjwt.issue(args.credentialPayload, args.disclosureFrame as DisclosureFrame<typeof args.credentialPayload>, {\n      header: {\n        ...(signingKey?.key.kid !== undefined && { kid: signingKey.key.kid }),\n        ...(signingKey?.key.x5c !== undefined && { x5c: signingKey.key.x5c }),\n      },\n    })\n\n    return { credential }\n  }\n\n  /**\n   * Get the key to sign the SD-JWT\n   * @param args - consists of twp arguments: identifier like a did and other forms of identifiers and vmRelationship which represents the purpose of the key\n   * @param context - agent instance\n   * @returns the key to sign the SD-JWT\n   */\n  async getSignKey(args: SignKeyArgs, context: IRequiredContext): Promise<SignKeyResult> {\n    // TODO Using identifierManagedGetByDid now (new managed identifier resolution). Evaluate of we need to implement more identifier types here\n    const { identifier, resolution } = { ...args }\n    if (resolution) {\n      const key = resolution.key\n      const alg = await signatureAlgorithmFromKey({ key })\n      switch (resolution.method) {\n        case 'did':\n          debug(`Signing key ${key.publicKeyHex} found for identifier ${identifier}`)\n          return { alg, key: { ...key, kmsKeyRef: resolution.kmsKeyRef, kid: resolution.kid } }\n        default:\n          if (key.meta?.x509 && key.meta.x509.x5c) {\n            return { alg, key: { kid: resolution.kid, kmsKeyRef: resolution.kmsKeyRef, x5c: key.meta.x509.x5c as string[] } }\n          } else if (key.meta?.jwkThumbprint) {\n            return { alg, key: { kid: resolution.kid, kmsKeyRef: resolution.kmsKeyRef, jwkThumbprint: key.meta.jwkThumbprint } }\n          } else {\n            return { alg, key: { kid: resolution.kid, kmsKeyRef: resolution.kmsKeyRef } }\n          }\n      }\n    } else if (identifier.startsWith('did:')) {\n      const didIdentifier = await context.agent.identifierManagedGetByDid({ identifier })\n      if (!didIdentifier) {\n        throw new Error(`No identifier found with the given did: ${identifier}`)\n      }\n      const key = didIdentifier.key\n      const alg = await signatureAlgorithmFromKey({ key })\n      debug(`Signing key ${key.publicKeyHex} found for identifier ${identifier}`)\n\n      return { alg, key: { ...key, kmsKeyRef: didIdentifier.kmsKeyRef, kid: didIdentifier.kid } }\n    } else {\n      const kidIdentifier = await context.agent.identifierManagedGetByKid({ identifier })\n      if (!kidIdentifier) {\n        throw new Error(`No identifier found with the given kid: ${identifier}`)\n      }\n      const key = kidIdentifier.key\n      const alg = await signatureAlgorithmFromKey({ key })\n      if (key.meta?.x509 && key.meta.x509.x5c) {\n        return { alg, key: { kid: kidIdentifier.kid, kmsKeyRef: kidIdentifier.kmsKeyRef, x5c: key.meta.x509.x5c as string[] } }\n      } else if (key.meta?.jwkThumbprint) {\n        return { alg, key: { kid: kidIdentifier.kid, kmsKeyRef: kidIdentifier.kmsKeyRef, jwkThumbprint: key.meta.jwkThumbprint } }\n      } else {\n        return { alg, key: { kid: kidIdentifier.kid, kmsKeyRef: kidIdentifier.kmsKeyRef } }\n      }\n    }\n  }\n\n  /**\n   * Create a signed SD-JWT presentation.\n   * @param args - Arguments necessary for the creation of a SD-JWT presentation.\n   * @param context - This reserved param is automatically added and handled by the framework, *do not override*\n   * @returns A signed SD-JWT presentation.\n   */\n  async createSdJwtPresentation(args: ICreateSdJwtPresentationArgs, context: IRequiredContext): Promise<ICreateSdJwtPresentationResult> {\n    const cred = await SDJwt.fromEncode(args.presentation, this.registeredImplementations.hasher!)\n    const claims = await cred.getClaims<Claims>(this.registeredImplementations.hasher!)\n    let holder: string\n    // we primarly look for a cnf field, if it's not there we look for a sub field. If this is also not given, we throw an error since we can not sign it.\n    if (args.holder) {\n      holder = args.holder\n    } else if (claims.cnf?.jwk) {\n      const jwk = claims.cnf.jwk\n      holder = calculateJwkThumbprint({ jwk: jwk as JWK })\n    } else if (claims.cnf?.kid) {\n      holder = claims.cnf?.kid\n    } else if (claims.sub) {\n      holder = claims.sub as string\n    } else {\n      throw new Error('invalid_argument: credential does not include a holder reference')\n    }\n    const { alg, signer } = await this.getSignerForIdentifier({ identifier: holder }, context)\n\n    const sdjwt = new SDJwtVcInstance({\n      hasher: this.registeredImplementations.hasher ?? defaultGenerateDigest,\n      saltGenerator: this.registeredImplementations.saltGenerator,\n      kbSigner: signer,\n      kbSignAlg: alg ?? 'ES256',\n    })\n    const presentation = await sdjwt.present(args.presentation, args.presentationFrame as PresentationFrame<SdJwtVcPayload>, { kb: args.kb })\n\n    return { presentation }\n  }\n\n  /**\n   * Verify a signed SD-JWT credential.\n   * @param args - Arguments necessary for the verify a SD-JWT credential.\n   * @param context - This reserved param is automatically added and handled by the framework, *do not override*\n   * @returns\n   */\n  async verifySdJwtVc(args: IVerifySdJwtVcArgs, context: IRequiredContext): Promise<IVerifySdJwtVcResult> {\n    // callback\n    const verifier: Verifier = async (data: string, signature: string) => this.verify(sdjwt, context, data, signature)\n    const sdjwt = new SDJwtVcInstance({ verifier, hasher: this.registeredImplementations.hasher ?? defaultGenerateDigest })\n    const { header = {}, payload, kb } = await sdjwt.verify(args.credential)\n\n    return { header, payload: payload as SdJwtVcPayload, kb }\n  }\n\n  /**\n   * Verify the key binding of a SD-JWT by validating the signature of the key bound to the SD-JWT\n   * @param sdjwt - SD-JWT instance\n   * @param context - This reserved param is automatically added and handled by the framework, *do not override*\n   * @param data - signed data\n   * @param signature - The signature\n   * @param payload - The payload of the SD-JWT\n   * @returns\n   */\n  private verifyKb(sdjwt: SDJwtVcInstance, context: IRequiredContext, data: string, signature: string, payload: JwtPayload): Promise<boolean> {\n    if (!payload.cnf) {\n      throw Error('other method than cnf is not supported yet')\n    }\n    return this.verifySignatureCallback(context)(data, signature, this.getJwk(payload))\n  }\n\n  /**\n   * Validates the signature of a SD-JWT\n   * @param sdjwt - SD-JWT instance\n   * @param context - This reserved param is automatically added and handled by the framework, *do not override*\n   * @param data - signed data\n   * @param signature - The signature\n   * @returns\n   */\n  async verify(\n    sdjwt: SDJwtVcInstance,\n    context: IRequiredContext,\n    data: string,\n    signature: string,\n    opts?: { x5cValidation?: X509CertificateChainValidationOpts },\n  ): Promise<boolean> {\n    const decodedVC = await sdjwt.decode(`${data}.${signature}`)\n    const issuer: string = ((decodedVC.jwt as Jwt).payload as Record<string, unknown>).iss as string\n    const header = (decodedVC.jwt as Jwt).header as Record<string, any>\n    const x5c: string[] | undefined = header?.x5c as string[]\n    let jwk: JWK | JsonWebKey | undefined = header.jwk\n    if (x5c) {\n      const trustAnchors = new Set<string>([...this.trustAnchorsInPEM])\n      if (trustAnchors.size === 0) {\n        trustAnchors.add(sphereonCA)\n        trustAnchors.add(funkeTestCA)\n      }\n      const certificateValidationResult = await context.agent.x509VerifyCertificateChain({\n        chain: x5c,\n        trustAnchors: Array.from(trustAnchors),\n        // TODO: Defaults to allowing untrusted certs! Fine for now, not when wallets go mainstream\n        opts: opts?.x5cValidation ?? { trustRootWhenNoAnchors: true, allowNoTrustAnchorsFound: true },\n      })\n\n      if (certificateValidationResult.error || !certificateValidationResult?.certificateChain) {\n        return Promise.reject(Error(`Certificate chain validation failed. ${certificateValidationResult.message}`))\n      }\n      const certInfo = certificateValidationResult.certificateChain[0]\n      jwk = certInfo.publicKeyJWK as JWK\n    }\n\n    if (!jwk && header.kid?.includes('did:')) {\n      const didDoc = await context.agent.resolveDid({ didUrl: header.kid })\n      if (!didDoc) {\n        throw new Error('invalid_issuer: issuer did not resolve to a did document')\n      }\n      //TODO SDK-20: This should be checking for an assertionMethod and not just an verificationMethod with an id\n      const didDocumentKey = didDoc.didDocument?.verificationMethod?.find((key) => key.id)\n      if (!didDocumentKey) {\n        throw new Error('invalid_issuer: issuer did document does not include referenced key')\n      }\n      //FIXME SDK-21: in case it's another did method, the value of the key can be also encoded as a base64url\n      // needs more checks. some DID methods do not expose the keys as publicKeyJwk\n      jwk = didDocumentKey.publicKeyJwk as JsonWebKey\n    }\n\n    if (!jwk && issuer.includes('did:')) {\n      // TODO refactor\n      const didDoc = await context.agent.resolveDid({ didUrl: issuer })\n      if (!didDoc) {\n        throw new Error('invalid_issuer: issuer did not resolve to a did document')\n      }\n      //TODO SDK-20: This should be checking for an assertionMethod and not just an verificationMethod with an id\n      const didDocumentKey = didDoc.didDocument?.verificationMethod?.find((key) => key.id)\n      if (!didDocumentKey) {\n        throw new Error('invalid_issuer: issuer did document does not include referenced key')\n      }\n      //FIXME SDK-21: in case it's another did method, the value of the key can be also encoded as a base64url\n      // needs more checks. some DID methods do not expose the keys as publicKeyJwk\n      jwk = didDocumentKey.publicKeyJwk as JsonWebKey\n    }\n\n    if (!jwk) {\n      throw new Error('No valid public key found for signature verification')\n    }\n\n    return this.verifySignatureCallback(context)(data, signature, jwk)\n  }\n\n  /**\n   * Verify a signed SD-JWT presentation.\n   * @param args - Arguments necessary for the verify a SD-JWT presentation.\n   * @param context - This reserved param is automatically added and handled by the framework, *do not override*\n   * @returns\n   */\n  async verifySdJwtPresentation(args: IVerifySdJwtPresentationArgs, context: IRequiredContext): Promise<IVerifySdJwtPresentationResult> {\n    let sdjwt: SDJwtVcInstance\n    const verifier: Verifier = async (data: string, signature: string) => this.verify(sdjwt, context, data, signature)\n    const verifierKb: KbVerifier = async (data: string, signature: string, payload: JwtPayload) =>\n      this.verifyKb(sdjwt, context, data, signature, payload)\n    sdjwt = new SDJwtVcInstance({\n      verifier,\n      hasher: this.registeredImplementations.hasher,\n      kbVerifier: verifierKb,\n    })\n\n    return sdjwt.verify(args.presentation, args.requiredClaimKeys, args.kb)\n  }\n\n  /**\n   * Fetch and validate Type Metadata.\n   * @param args - Arguments necessary for fetching and validating the type metadata.\n   * @param context - This reserved param is automatically added and handled by the framework, *do not override*\n   * @returns\n   */\n  async fetchSdJwtTypeMetadataFromVctUrl(args: FetchSdJwtTypeMetadataFromVctUrlArgs, context: IRequiredContext): Promise<SdJwtTypeMetadata> {\n    const { vct, vctIntegrity, opts } = args\n    const url = new URL(vct)\n\n    const response = await fetchUrlWithErrorHandling(url.toString())\n    const metadata: SdJwtTypeMetadata = (await response.json()) as SdJwtTypeMetadata\n    assertValidTypeMetadata(metadata, vct)\n\n    const validate = async (vct: string, input: unknown, integrityValue?: string, hasher?: Hasher | HasherSync) => {\n      if (hasher && integrityValue) {\n        const validation = await validateIntegrity({ integrityValue, input, hasher })\n        if (!validation) {\n          return Promise.reject(Error(`Integrity check failed for vct: ${vct}, extends: ${metadata.extends}, integrity: ${integrityValue}}`))\n        }\n      }\n    }\n\n    const hasher = (opts?.hasher ?? this.registeredImplementations.hasher ?? defaultGenerateDigest) as Hasher | HasherSync | undefined\n    if (hasher) {\n      if (vctIntegrity) {\n        await validate(vct, metadata, vctIntegrity, hasher)\n        const vctValidation = await validateIntegrity({ integrityValue: vctIntegrity, input: metadata, hasher })\n        if (!vctValidation) {\n          return Promise.reject(Error(`Integrity check failed for vct: ${vct}, integrity: ${vctIntegrity}`))\n        }\n      }\n\n      if (metadata['extends#integrity']) {\n        const extendsMetadata = await this.fetchSdJwtTypeMetadataFromVctUrl({ vct: metadata['extends#integrity'], opts }, context)\n        await validate(vct, extendsMetadata, metadata['extends#integrity'], hasher)\n      }\n\n      if (metadata['schema_uri#integrity']) {\n        const schemaResponse = await fetchUrlWithErrorHandling(metadata.schema_uri!)\n        const schema = await schemaResponse.json()\n        await validate(vct, schema, metadata['schema_uri#integrity'], hasher)\n      }\n\n      metadata.display?.forEach((display) => {\n        const simpleLogoIntegrity = display.rendering?.simple?.logo?.['uri#integrity']\n        if (simpleLogoIntegrity) {\n          console.log('TODO: Logo integrity check')\n        }\n      })\n    }\n\n    return metadata\n  }\n\n  private verifySignatureCallback(context: IRequiredContext): SdJwtVerifySignature {\n    if (typeof this.registeredImplementations.verifySignature === 'function') {\n      return this.registeredImplementations.verifySignature\n    }\n\n    return defaultVerifySignature(context)\n  }\n\n  private getJwk(payload: JwtPayload): JsonWebKey {\n    if (payload.cnf?.jwk !== undefined) {\n      return payload.cnf.jwk as JsonWebKey\n    } else if (payload.cnf !== undefined && 'kid' in payload.cnf && typeof payload.cnf.kid === 'string' && payload.cnf.kid.startsWith('did:jwk:')) {\n      // extract JWK from kid FIXME isn't there a did function for this already? Otherwise create one\n      // FIXME this is a quick-fix to make verification but we need a real solution\n      const encoded = this.extractBase64FromDIDJwk(payload.cnf.kid)\n      const decoded = decodeBase64url(encoded)\n      const jwt = JSON.parse(decoded)\n      return jwt as JsonWebKey\n    }\n    throw Error('Unable to extract JWK from SD-JWT payload')\n  }\n\n  private extractBase64FromDIDJwk(did: string): string {\n    const parts = did.split(':')\n    if (parts.length < 3) {\n      throw new Error('Invalid DID format')\n    }\n    return parts[2].split('#')[0]\n  }\n}\n","import { digestMethodParams } from '@sphereon/ssi-sdk-ext.key-utils'\nimport { HasherSync, JsonWebKey, JWK, Loggers } from '@sphereon/ssi-types'\nimport { v4 } from 'uuid'\n// @ts-ignore\nimport { fromString } from 'uint8arrays/from-string'\nimport { IRequiredContext, SdJwtVerifySignature } from './types'\n\nexport const defaultGenerateDigest: HasherSync = (data: string | ArrayBuffer, alg: string): Uint8Array => {\n  return digestMethodParams(alg.includes('256') ? 'SHA-256' : 'SHA-512').hash(\n    typeof data === 'string' ? fromString(data, 'utf-8') : new Uint8Array(data),\n  )\n}\n\nexport const defaultGenerateSalt = (): string => {\n  return v4()\n}\n\nexport const defaultVerifySignature =\n  (context: IRequiredContext): SdJwtVerifySignature =>\n  async (data: string, signature: string, publicKey: JsonWebKey): Promise<boolean> => {\n    // The data and signature from the sd-jwt lib are a jwt header.payload and signature, so let's recombine into a compact jwt\n    const result = await context.agent.jwtVerifyJwsSignature({ jws: `${data}.${signature}`, jwk: publicKey as JWK })\n    Loggers.DEFAULT.get('sd-jwt').info(`SD-JWT signature verified. Result: ${result.message}`)\n    return !result.error\n  }\n","export const funkeTestCA =\n  '-----BEGIN CERTIFICATE-----\\n' +\n  'MIICeTCCAiCgAwIBAgIUB5E9QVZtmUYcDtCjKB/H3VQv72gwCgYIKoZIzj0EAwIwgYgxCzAJBgNVBAYTAkRFMQ8wDQYDVQQHDAZCZXJsaW4xHTAbBgNVBAoMFEJ1bmRlc2RydWNrZXJlaSBHbWJIMREwDwYDVQQLDAhUIENTIElERTE2MDQGA1UEAwwtU1BSSU5EIEZ1bmtlIEVVREkgV2FsbGV0IFByb3RvdHlwZSBJc3N1aW5nIENBMB4XDTI0MDUzMTA2NDgwOVoXDTM0MDUyOTA2NDgwOVowgYgxCzAJBgNVBAYTAkRFMQ8wDQYDVQQHDAZCZXJsaW4xHTAbBgNVBAoMFEJ1bmRlc2RydWNrZXJlaSBHbWJIMREwDwYDVQQLDAhUIENTIElERTE2MDQGA1UEAwwtU1BSSU5EIEZ1bmtlIEVVREkgV2FsbGV0IFByb3RvdHlwZSBJc3N1aW5nIENBMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEYGzdwFDnc7+Kn5ibAvCOM8ke77VQxqfMcwZL8IaIA+WCROcCfmY/giH92qMru5p/kyOivE0RC/IbdMONvDoUyaNmMGQwHQYDVR0OBBYEFNRWGMCJOOgOWIQYyXZiv6u7xZC+MB8GA1UdIwQYMBaAFNRWGMCJOOgOWIQYyXZiv6u7xZC+MBIGA1UdEwEB/wQIMAYBAf8CAQAwDgYDVR0PAQH/BAQDAgGGMAoGCCqGSM49BAMCA0cAMEQCIGEm7wkZKHt/atb4MdFnXW6yrnwMUT2u136gdtl10Y6hAiBuTFqvVYth1rbxzCP0xWZHmQK9kVyxn8GPfX27EIzzsw==\\n' +\n  '-----END CERTIFICATE-----'\n\nexport const sphereonCA =\n  '-----BEGIN CERTIFICATE-----\\n' +\n  'MIICCDCCAa6gAwIBAgITAPMgqwtYzWPBXaobHhxG9iSydTAKBggqhkjOPQQDAjBa\\n' +\n  'MQswCQYDVQQGEwJOTDEkMCIGA1UECgwbU3BoZXJlb24gSW50ZXJuYXRpb25hbCBC\\n' +\n  'LlYuMQswCQYDVQQLDAJJVDEYMBYGA1UEAwwPY2Euc3BoZXJlb24uY29tMB4XDTI0\\n' +\n  'MDcyODIxMjY0OVoXDTM0MDcyODIxMjY0OVowWjELMAkGA1UEBhMCTkwxJDAiBgNV\\n' +\n  'BAoMG1NwaGVyZW9uIEludGVybmF0aW9uYWwgQi5WLjELMAkGA1UECwwCSVQxGDAW\\n' +\n  'BgNVBAMMD2NhLnNwaGVyZW9uLmNvbTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\\n' +\n  'BEiA0KeESSNrOcmCDga8YsBkUTgowZGwqvL2n91JUpAMdRSwvlVFdqdiLXnk2pQq\\n' +\n  'T1vZnDG0I+x+iz2EbdsG0aajUzBRMB0GA1UdDgQWBBTnB8pdlVz5yKD+zuNkRR6A\\n' +\n  'sywywTAOBgNVHQ8BAf8EBAMCAaYwDwYDVR0lBAgwBgYEVR0lADAPBgNVHRMBAf8E\\n' +\n  'BTADAQH/MAoGCCqGSM49BAMCA0gAMEUCIHH7ie1OAAbff5262rzZVQa8J9zENG8A\\n' +\n  'QlHHFydMdgaXAiEA1Ib82mhHIYDziE0DDbHEAXOs98al+7dpo8fPGVGTeKI=\\n' +\n  '-----END CERTIFICATE-----'\n","import { SdJwtTypeMetadata } from '@sphereon/ssi-types'\n// @ts-ignore\nimport { toString } from 'uint8arrays/to-string'\nimport { Hasher, HasherSync } from '@sd-jwt/types'\n\n// Helper function to fetch API with error handling\nexport async function fetchUrlWithErrorHandling(url: string): Promise<Response> {\n  const response = await fetch(url)\n  if (!response.ok) {\n    throw new Error(`${response.status}: ${response.statusText}`)\n  }\n  return response\n}\n\nexport type IntegrityAlg = 'sha256' | 'sha384' | 'sha512'\n\nfunction extractHashAlgFromIntegrity(integrityValue?: string): IntegrityAlg | undefined {\n  const val = integrityValue?.toLowerCase().trim().split('-')[0]\n  if (val === 'sha256' || val === 'sha384' || val === 'sha512') {\n    return val as IntegrityAlg\n  }\n  return undefined\n}\n\nexport function extractHashFromIntegrity(integrityValue?: string): string | undefined {\n  return integrityValue?.toLowerCase().trim().split('-')[1]\n}\n\nexport async function validateIntegrity({\n  input,\n  integrityValue,\n  hasher,\n}: {\n  input: any\n  integrityValue?: string\n  hasher: HasherSync | Hasher\n}): Promise<boolean> {\n  if (!integrityValue) {\n    return true\n  }\n  const alg = extractHashAlgFromIntegrity(integrityValue)\n  if (!alg) {\n    return false\n  }\n  const calculatedHash = await createIntegrity({ hasher, input, alg })\n  return calculatedHash == integrityValue\n}\n\nexport async function createIntegrity({\n  input,\n  hasher,\n  alg = 'sha256',\n}: {\n  input: any\n  hasher: HasherSync | Hasher\n  alg?: IntegrityAlg\n}): Promise<string> {\n  const calculatedHash = await hasher(typeof input === 'string' ? input : JSON.stringify(input), alg)\n  return `${alg}-${toString(calculatedHash, 'base64')}`\n}\n\nexport function assertValidTypeMetadata(metadata: SdJwtTypeMetadata, vct: string): void {\n  if (metadata.vct !== vct) {\n    throw new Error('VCT mismatch in metadata and credential')\n  }\n}\n","import { SdJwtVcPayload as SdJwtPayload } from '@sd-jwt/sd-jwt-vc'\nimport { Hasher, kbHeader, KBOptions, kbPayload, SaltGenerator, Signer } from '@sd-jwt/types'\nimport { IIdentifierResolution, ManagedIdentifierResult } from '@sphereon/ssi-sdk-ext.identifier-resolution'\nimport { IJwtService } from '@sphereon/ssi-sdk-ext.jwt-service'\nimport { X509CertificateChainValidationOpts } from '@sphereon/ssi-sdk-ext.x509-utils'\nimport { contextHasPlugin } from '@sphereon/ssi-sdk.agent-config'\nimport { ImDLMdoc } from '@sphereon/ssi-sdk.mdl-mdoc'\nimport { HasherSync, JoseSignatureAlgorithm, JsonWebKey, SdJwtTypeMetadata } from '@sphereon/ssi-types'\nimport { DIDDocumentSection, IAgentContext, IDIDManager, IKeyManager, IPluginMethodMap, IResolver } from '@veramo/core'\n\nexport const sdJwtPluginContextMethods: Array<string> = ['createSdJwtVc', 'createSdJwtPresentation', 'verifySdJwtVc', 'verifySdJwtPresentation']\n\n/**\n * My Agent Plugin description.\n *\n * This is the interface that describes what your plugin can do.\n * The methods listed here, will be directly available to the veramo agent where your plugin is going to be used.\n * Depending on the agent configuration, other agent plugins, as well as the application where the agent is used\n * will be able to call these methods.\n *\n * To build a schema for your plugin using standard tools, you must link to this file in your package.json.\n * Example:\n * ```\n * \"veramo\": {\n *    \"pluginInterfaces\": {\n *      \"IMyAgentPlugin\": \"./src/types/IMyAgentPlugin.ts\"\n *    }\n *  },\n * ```\n *\n * @beta\n */\nexport interface ISDJwtPlugin extends IPluginMethodMap {\n  /**\n   * Your plugin method description\n   *\n   * @param args - Input parameters for this method\n   * @param context - The required context where this method can run.\n   *   Declaring a context type here lets other developers know which other plugins\n   *   need to also be installed for this method to work.\n   */\n  /**\n   * Create a signed SD-JWT credential.\n   * @param args - Arguments necessary for the creation of a SD-JWT credential.\n   * @param context - This reserved param is automatically added and handled by the framework, *do not override*\n   */\n  createSdJwtVc(args: ICreateSdJwtVcArgs, context: IRequiredContext): Promise<ICreateSdJwtVcResult>\n\n  /**\n   * Create a signed SD-JWT presentation.\n   * @param args - Arguments necessary for the creation of a SD-JWT presentation.\n   * @param context - This reserved param is automatically added and handled by the framework, *do not override*\n   */\n  createSdJwtPresentation(args: ICreateSdJwtPresentationArgs, context: IRequiredContext): Promise<ICreateSdJwtPresentationResult>\n\n  /**\n   * Verify a signed SD-JWT credential.\n   * @param args - Arguments necessary for the verification of a SD-JWT credential.\n   * @param context - This reserved param is automatically added and handled by the framework, *do not override*\n   */\n  verifySdJwtVc(args: IVerifySdJwtVcArgs, context: IRequiredContext): Promise<IVerifySdJwtVcResult>\n\n  /**\n   * Verify a signed SD-JWT presentation.\n   * @param args - Arguments necessary for the verification of a SD-JWT presentation.\n   * @param context - This reserved param is automatically added and handled by the framework, *do not override*\n   */\n  verifySdJwtPresentation(args: IVerifySdJwtPresentationArgs, context: IRequiredContext): Promise<IVerifySdJwtPresentationResult>\n\n  /**\n   * Fetch and validate Type Metadata.\n   * @param args - Arguments necessary for fetching and validating the type metadata.\n   * @param context - This reserved param is automatically added and handled by the framework, *do not override*\n   */\n  fetchSdJwtTypeMetadataFromVctUrl(args: FetchSdJwtTypeMetadataFromVctUrlArgs, context: IRequiredContext): Promise<SdJwtTypeMetadata>\n}\n\nexport function contextHasSDJwtPlugin(context: IAgentContext<IPluginMethodMap>): context is IAgentContext<ISDJwtPlugin> {\n  return contextHasPlugin(context, 'verifySdJwtVc')\n}\n\n/**\n * ICreateSdJwtVcArgs\n *\n * @beta\n */\n\nexport interface SdJwtVcPayload extends SdJwtPayload {\n  x5c?: string[]\n}\n\nexport interface ICreateSdJwtVcArgs {\n  credentialPayload: SdJwtVcPayload\n\n  // biome-ignore lint/suspicious/noExplicitAny: <explanation>\n  disclosureFrame?: IDisclosureFrame\n\n  resolution?: ManagedIdentifierResult\n}\n\n/**\n * @beta\n */\nexport interface IDisclosureFrame {\n  _sd?: string[]\n  _sd_decoy?: number\n\n  [x: string]: string[] | number | IDisclosureFrame | undefined\n}\n\n/**\n * ICreateSdJwtVcResult\n *\n * @beta\n */\nexport interface ICreateSdJwtVcResult {\n  /**\n   * the encoded sd-jwt credential\n   */\n  credential: string\n}\n\n/**\n *\n * @beta\n */\nexport interface ICreateSdJwtPresentationArgs {\n  /**\n   * Encoded SD-JWT credential\n   */\n  presentation: string\n\n  /*\n   * The keys to use for selective disclosure for presentation\n   * if not provided, all keys will be disclosed\n   * if empty object, no keys will be disclosed\n   */\n  presentationFrame?: IPresentationFrame\n\n  /**\n   * Allows to override the holder. Normally it will be looked up from the cnf or sub values\n   */\n  holder?: string\n\n  /**\n   * Information to include to add key binding.\n   */\n  kb?: KBOptions\n}\n\n/**\n * @beta\n */\nexport interface IPresentationFrame {\n  [x: string]: boolean | IPresentationFrame\n}\n\n/**\n * Created presentation\n * @beta\n */\nexport interface ICreateSdJwtPresentationResult {\n  /**\n   * Encoded presentation.\n   */\n  presentation: string\n}\n\n/**\n * @beta\n */\nexport interface IVerifySdJwtVcArgs {\n  credential: string\n  opts?: {\n    x5cValidation?: X509CertificateChainValidationOpts\n  }\n}\n\n/**\n * @beta\n */\nexport type IVerifySdJwtVcResult = {\n  payload: SdJwtPayload\n  header: Record<string, unknown>\n  kb?: { header: kbHeader; payload: kbPayload }\n}\n\n/**\n * @beta\n */\nexport interface IVerifySdJwtPresentationArgs {\n  presentation: string\n\n  requiredClaimKeys?: string[]\n\n  kb?: boolean\n}\n\n/**\n * @beta\n */\nexport type IVerifySdJwtPresentationResult = {\n  payload: unknown //fixme: maybe this can be `SdJwtPayload`\n  header: Record<string, unknown> | undefined\n  kb?: { header: kbHeader; payload: kbPayload }\n}\n\nexport type SignKeyArgs = {\n  identifier: string\n  vmRelationship: DIDDocumentSection\n  resolution?: ManagedIdentifierResult\n}\n\nexport type SignKeyResult = {\n  alg: JoseSignatureAlgorithm\n  key: {\n    kid?: string\n    kmsKeyRef: string\n    x5c?: string[]\n    jwkThumbprint?: string\n  }\n}\n/**\n * This context describes the requirements of this plugin.\n * For this plugin to function properly, the agent needs to also have other plugins installed that implement the\n * interfaces declared here.\n * You can also define requirements on a more granular level, for each plugin method or event handler of your plugin.\n *\n * @beta\n */\nexport type IRequiredContext = IAgentContext<IDIDManager & IIdentifierResolution & IJwtService & IResolver & IKeyManager & ImDLMdoc>\n\nexport type SdJwtVerifySignature = (data: string, signature: string, publicKey: JsonWebKey) => Promise<boolean>\nexport interface SdJWTImplementation {\n  saltGenerator?: SaltGenerator\n  hasher?: HasherSync\n  verifySignature?: SdJwtVerifySignature\n}\n\nexport interface Claims {\n  /**\n   * Subject of the SD-JWT\n   */\n  sub?: string\n  cnf?: {\n    jwk?: JsonWebKey\n    kid?: string\n  }\n\n  [key: string]: unknown\n}\n\nexport type FetchSdJwtTypeMetadataFromVctUrlArgs = {\n  vct: string\n  vctIntegrity?: string\n  opts?: FetchSdJwtTypeMetadataFromVctUrlOpts\n}\n\nexport type FetchSdJwtTypeMetadataFromVctUrlOpts = {\n  hasher?: HasherSync | Hasher\n}\n\nexport type GetSignerForIdentifierArgs = {\n  identifier: string\n  resolution?: ManagedIdentifierResult\n}\n\nexport type GetSignerResult = {\n  signer: Signer\n  alg?: string\n  signingKey?: SignKeyResult\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;;;;;;;;;;;;;;ACAA,kBAA2B;AAC3B,uBAAgD;AAEhD,IAAAA,sBAAkE;AAIlE,mBAAgC;AAChC,mBAAkB;;;ACRlB,yBAAmC;AACnC,uBAAqD;AACrD,kBAAmB;AAEnB,yBAA2B;AAGpB,IAAMC,wBAAoC,wBAACC,MAA4BC,QAAAA;AAC5E,aAAOC,uCAAmBD,IAAIE,SAAS,KAAA,IAAS,YAAY,SAAA,EAAWC,KACrE,OAAOJ,SAAS,eAAWK,+BAAWL,MAAM,OAAA,IAAW,IAAIM,WAAWN,IAAAA,CAAAA;AAE1E,GAJiD;AAM1C,IAAMO,sBAAsB,6BAAA;AACjC,aAAOC,gBAAAA;AACT,GAFmC;AAI5B,IAAMC,yBACX,wBAACC,YACD,OAAOV,MAAcW,WAAmBC,cAAAA;AAEtC,QAAMC,SAAS,MAAMH,QAAQI,MAAMC,sBAAsB;IAAEC,KAAK,GAAGhB,IAAAA,IAAQW,SAAAA;IAAaM,KAAKL;EAAiB,CAAA;AAC9GM,2BAAQC,QAAQC,IAAI,QAAA,EAAUC,KAAK,sCAAsCR,OAAOS,OAAO,EAAE;AACzF,SAAO,CAACT,OAAOU;AACjB,GANA;;;AClBK,IAAMC,cACX;AAIK,IAAMC,aACX;;;ACJF,uBAAyB;AAIzB,eAAsBC,0BAA0BC,KAAW;AACzD,QAAMC,WAAW,MAAMC,MAAMF,GAAAA;AAC7B,MAAI,CAACC,SAASE,IAAI;AAChB,UAAM,IAAIC,MAAM,GAAGH,SAASI,MAAM,KAAKJ,SAASK,UAAU,EAAE;EAC9D;AACA,SAAOL;AACT;AANsBF;AAUtB,SAASQ,4BAA4BC,gBAAuB;AAC1D,QAAMC,MAAMD,gBAAgBE,YAAAA,EAAcC,KAAAA,EAAOC,MAAM,GAAA,EAAK,CAAA;AAC5D,MAAIH,QAAQ,YAAYA,QAAQ,YAAYA,QAAQ,UAAU;AAC5D,WAAOA;EACT;AACA,SAAOI;AACT;AANSN;AAQF,SAASO,yBAAyBN,gBAAuB;AAC9D,SAAOA,gBAAgBE,YAAAA,EAAcC,KAAAA,EAAOC,MAAM,GAAA,EAAK,CAAA;AACzD;AAFgBE;AAIhB,eAAsBC,kBAAkB,EACtCC,OACAR,gBACAS,OAAM,GAKP;AACC,MAAI,CAACT,gBAAgB;AACnB,WAAO;EACT;AACA,QAAMU,MAAMX,4BAA4BC,cAAAA;AACxC,MAAI,CAACU,KAAK;AACR,WAAO;EACT;AACA,QAAMC,iBAAiB,MAAMC,gBAAgB;IAAEH;IAAQD;IAAOE;EAAI,CAAA;AAClE,SAAOC,kBAAkBX;AAC3B;AAlBsBO;AAoBtB,eAAsBK,gBAAgB,EACpCJ,OACAC,QACAC,MAAM,SAAQ,GAKf;AACC,QAAMC,iBAAiB,MAAMF,OAAO,OAAOD,UAAU,WAAWA,QAAQK,KAAKC,UAAUN,KAAAA,GAAQE,GAAAA;AAC/F,SAAO,GAAGA,GAAAA,QAAOK,2BAASJ,gBAAgB,QAAA,CAAA;AAC5C;AAXsBC;AAaf,SAASI,wBAAwBC,UAA6BC,KAAW;AAC9E,MAAID,SAASC,QAAQA,KAAK;AACxB,UAAM,IAAItB,MAAM,yCAAA;EAClB;AACF;AAJgBoB;;;AH5BhB,IAAMG,YAAQC,aAAAA,SAAM,0BAAA;AAMb,IAAMC,cAAN,MAAMA;EAvCb,OAuCaA;;;;EAEMC;EACAC;EACTC;EACAC;EAERC,YACEH,2BAIAD,mBACA;AACA,SAAKA,oBAAoBA,qBAAqB,CAAA;AAC9C,QAAI,CAACC,2BAA2B;AAC9BA,kCAA4B,CAAC;IAC/B;AACA,QAAI,OAAOA,2BAA2BI,WAAW,YAAY;AAC3DJ,gCAA0BI,SAASC;IACrC;AACA,QAAI,OAAOL,2BAA2BM,kBAAkB,YAAY;AAClEN,gCAA0BM,gBAAgBC;IAC5C;AACA,SAAKP,4BAA4BA;AACjC,SAAKC,WAAWD,2BAA2BQ,WAAW,CAAC;AACvD,SAAKN,iBAAiBF,2BAA2BS;EAGnD;;EAGSC,UAAwB;IAC/BC,eAAe,KAAKA,cAAcC,KAAK,IAAI;IAC3CC,yBAAyB,KAAKA,wBAAwBD,KAAK,IAAI;IAC/DE,eAAe,KAAKA,cAAcF,KAAK,IAAI;IAC3CG,yBAAyB,KAAKA,wBAAwBH,KAAK,IAAI;IAC/DI,kCAAkC,KAAKA,iCAAiCJ,KAAK,IAAI;EACnF;EAEA,MAAcK,uBAAuBC,MAAkCC,SAAqD;AAC1H,UAAM,EAAEC,YAAYC,WAAU,IAAKH;AACnC,QAAII,OAAOC,KAAK,KAAKtB,QAAQ,EAAEuB,SAASJ,UAAAA,KAAe,OAAO,KAAKnB,SAASmB,UAAAA,MAAgB,YAAY;AACtG,aAAO;QAAEK,QAAQ,KAAKxB,SAASmB,UAAAA;MAAY;IAC7C,WAAW,OAAO,KAAKlB,mBAAmB,YAAY;AACpD,aAAO;QAAEuB,QAAQ,KAAKvB;MAAe;IACvC;AACA,UAAMwB,aAAa,MAAM,KAAKC,WAAW;MAAEP;MAAYQ,gBAAgB;MAAmBP;IAAW,GAAGF,OAAAA;AACxG,UAAM,EAAEU,KAAKC,IAAG,IAAKJ;AAErB,UAAMD,SAAiB,8BAAOM,SAAAA;AAC5B,aAAOZ,QAAQa,MAAMC,eAAe;QAAEC,QAAQL,IAAIM;QAAWJ;MAAK,CAAA;IACpE,GAFuB;AAIvB,WAAO;MAAEN;MAAQK;MAAKJ;IAAW;EACnC;;;;;;;EAQA,MAAMf,cAAcO,MAA0BC,SAA0D;AACtG,UAAMiB,SAASlB,KAAKmB,kBAAkBC;AACtC,QAAI,CAACF,QAAQ;AACX,YAAM,IAAIG,MAAM,qCAAA;IAClB;AACA,UAAM,EAAET,KAAKL,QAAQC,WAAU,IAAK,MAAM,KAAKT,uBAAuB;MAAEG,YAAYgB;MAAQf,YAAYH,KAAKG;IAAW,GAAGF,OAAAA;AAC3H,UAAMqB,QAAQ,IAAIC,iCAAgB;MAChChB;MACArB,QAAQ,KAAKJ,0BAA0BI;MACvCE,eAAe,KAAKN,0BAA0BM;MAC9CoC,SAASZ,OAAO;MAChBa,SAAS;IACX,CAAA;AAEA,UAAMC,aAAa,MAAMJ,MAAMK,MAAM3B,KAAKmB,mBAAmBnB,KAAK4B,iBAAmE;MACnIC,QAAQ;QACN,GAAIrB,YAAYG,IAAImB,QAAQC,UAAa;UAAED,KAAKtB,WAAWG,IAAImB;QAAI;QACnE,GAAItB,YAAYG,IAAIqB,QAAQD,UAAa;UAAEC,KAAKxB,WAAWG,IAAIqB;QAAI;MACrE;IACF,CAAA;AAEA,WAAO;MAAEN;IAAW;EACtB;;;;;;;EAQA,MAAMjB,WAAWT,MAAmBC,SAAmD;AAErF,UAAM,EAAEC,YAAYC,WAAU,IAAK;MAAE,GAAGH;IAAK;AAC7C,QAAIG,YAAY;AACd,YAAMQ,MAAMR,WAAWQ;AACvB,YAAMC,MAAM,UAAMqB,+CAA0B;QAAEtB;MAAI,CAAA;AAClD,cAAQR,WAAW+B,QAAM;QACvB,KAAK;AACHxD,gBAAM,eAAeiC,IAAIwB,YAAY,yBAAyBjC,UAAAA,EAAY;AAC1E,iBAAO;YAAEU;YAAKD,KAAK;cAAE,GAAGA;cAAKM,WAAWd,WAAWc;cAAWa,KAAK3B,WAAW2B;YAAI;UAAE;QACtF;AACE,cAAInB,IAAIyB,MAAMC,QAAQ1B,IAAIyB,KAAKC,KAAKL,KAAK;AACvC,mBAAO;cAAEpB;cAAKD,KAAK;gBAAEmB,KAAK3B,WAAW2B;gBAAKb,WAAWd,WAAWc;gBAAWe,KAAKrB,IAAIyB,KAAKC,KAAKL;cAAgB;YAAE;UAClH,WAAWrB,IAAIyB,MAAME,eAAe;AAClC,mBAAO;cAAE1B;cAAKD,KAAK;gBAAEmB,KAAK3B,WAAW2B;gBAAKb,WAAWd,WAAWc;gBAAWqB,eAAe3B,IAAIyB,KAAKE;cAAc;YAAE;UACrH,OAAO;AACL,mBAAO;cAAE1B;cAAKD,KAAK;gBAAEmB,KAAK3B,WAAW2B;gBAAKb,WAAWd,WAAWc;cAAU;YAAE;UAC9E;MACJ;IACF,WAAWf,WAAWqC,WAAW,MAAA,GAAS;AACxC,YAAMC,gBAAgB,MAAMvC,QAAQa,MAAM2B,0BAA0B;QAAEvC;MAAW,CAAA;AACjF,UAAI,CAACsC,eAAe;AAClB,cAAM,IAAInB,MAAM,2CAA2CnB,UAAAA,EAAY;MACzE;AACA,YAAMS,MAAM6B,cAAc7B;AAC1B,YAAMC,MAAM,UAAMqB,+CAA0B;QAAEtB;MAAI,CAAA;AAClDjC,YAAM,eAAeiC,IAAIwB,YAAY,yBAAyBjC,UAAAA,EAAY;AAE1E,aAAO;QAAEU;QAAKD,KAAK;UAAE,GAAGA;UAAKM,WAAWuB,cAAcvB;UAAWa,KAAKU,cAAcV;QAAI;MAAE;IAC5F,OAAO;AACL,YAAMY,gBAAgB,MAAMzC,QAAQa,MAAM6B,0BAA0B;QAAEzC;MAAW,CAAA;AACjF,UAAI,CAACwC,eAAe;AAClB,cAAM,IAAIrB,MAAM,2CAA2CnB,UAAAA,EAAY;MACzE;AACA,YAAMS,MAAM+B,cAAc/B;AAC1B,YAAMC,MAAM,UAAMqB,+CAA0B;QAAEtB;MAAI,CAAA;AAClD,UAAIA,IAAIyB,MAAMC,QAAQ1B,IAAIyB,KAAKC,KAAKL,KAAK;AACvC,eAAO;UAAEpB;UAAKD,KAAK;YAAEmB,KAAKY,cAAcZ;YAAKb,WAAWyB,cAAczB;YAAWe,KAAKrB,IAAIyB,KAAKC,KAAKL;UAAgB;QAAE;MACxH,WAAWrB,IAAIyB,MAAME,eAAe;AAClC,eAAO;UAAE1B;UAAKD,KAAK;YAAEmB,KAAKY,cAAcZ;YAAKb,WAAWyB,cAAczB;YAAWqB,eAAe3B,IAAIyB,KAAKE;UAAc;QAAE;MAC3H,OAAO;AACL,eAAO;UAAE1B;UAAKD,KAAK;YAAEmB,KAAKY,cAAcZ;YAAKb,WAAWyB,cAAczB;UAAU;QAAE;MACpF;IACF;EACF;;;;;;;EAQA,MAAMtB,wBAAwBK,MAAoCC,SAAoE;AACpI,UAAM2C,OAAO,MAAMC,kBAAMC,WAAW9C,KAAK+C,cAAc,KAAKjE,0BAA0BI,MAAM;AAC5F,UAAM8D,SAAS,MAAMJ,KAAKK,UAAkB,KAAKnE,0BAA0BI,MAAM;AACjF,QAAIgE;AAEJ,QAAIlD,KAAKkD,QAAQ;AACfA,eAASlD,KAAKkD;IAChB,WAAWF,OAAOG,KAAKC,KAAK;AAC1B,YAAMA,MAAMJ,OAAOG,IAAIC;AACvBF,mBAASG,4CAAuB;QAAED;MAAgB,CAAA;IACpD,WAAWJ,OAAOG,KAAKrB,KAAK;AAC1BoB,eAASF,OAAOG,KAAKrB;IACvB,WAAWkB,OAAOM,KAAK;AACrBJ,eAASF,OAAOM;IAClB,OAAO;AACL,YAAM,IAAIjC,MAAM,kEAAA;IAClB;AACA,UAAM,EAAET,KAAKL,OAAM,IAAK,MAAM,KAAKR,uBAAuB;MAAEG,YAAYgD;IAAO,GAAGjD,OAAAA;AAElF,UAAMqB,QAAQ,IAAIC,iCAAgB;MAChCrC,QAAQ,KAAKJ,0BAA0BI,UAAUC;MACjDC,eAAe,KAAKN,0BAA0BM;MAC9CmE,UAAUhD;MACViD,WAAW5C,OAAO;IACpB,CAAA;AACA,UAAMmC,eAAe,MAAMzB,MAAMmC,QAAQzD,KAAK+C,cAAc/C,KAAK0D,mBAAwD;MAAEC,IAAI3D,KAAK2D;IAAG,CAAA;AAEvI,WAAO;MAAEZ;IAAa;EACxB;;;;;;;EAQA,MAAMnD,cAAcI,MAA0BC,SAA0D;AAEtG,UAAM2D,WAAqB,8BAAO/C,MAAcgD,cAAsB,KAAKC,OAAOxC,OAAOrB,SAASY,MAAMgD,SAAAA,GAA7E;AAC3B,UAAMvC,QAAQ,IAAIC,iCAAgB;MAAEqC;MAAU1E,QAAQ,KAAKJ,0BAA0BI,UAAUC;IAAsB,CAAA;AACrH,UAAM,EAAE0C,SAAS,CAAC,GAAGkC,SAASJ,GAAE,IAAK,MAAMrC,MAAMwC,OAAO9D,KAAK0B,UAAU;AAEvE,WAAO;MAAEG;MAAQkC;MAAoCJ;IAAG;EAC1D;;;;;;;;;;EAWQK,SAAS1C,OAAwBrB,SAA2BY,MAAcgD,WAAmBE,SAAuC;AAC1I,QAAI,CAACA,QAAQZ,KAAK;AAChB,YAAM9B,MAAM,4CAAA;IACd;AACA,WAAO,KAAK4C,wBAAwBhE,OAAAA,EAASY,MAAMgD,WAAW,KAAKK,OAAOH,OAAAA,CAAAA;EAC5E;;;;;;;;;EAUA,MAAMD,OACJxC,OACArB,SACAY,MACAgD,WACAM,MACkB;AAClB,UAAMC,YAAY,MAAM9C,MAAM+C,OAAO,GAAGxD,IAAAA,IAAQgD,SAAAA,EAAW;AAC3D,UAAM3C,SAAmBkD,UAAUE,IAAYP,QAAoC3C;AACnF,UAAMS,SAAUuC,UAAUE,IAAYzC;AACtC,UAAMG,MAA4BH,QAAQG;AAC1C,QAAIoB,MAAoCvB,OAAOuB;AAC/C,QAAIpB,KAAK;AACP,YAAMuC,eAAe,oBAAIC,IAAY;WAAI,KAAK3F;OAAkB;AAChE,UAAI0F,aAAaE,SAAS,GAAG;AAC3BF,qBAAaG,IAAIC,UAAAA;AACjBJ,qBAAaG,IAAIE,WAAAA;MACnB;AACA,YAAMC,8BAA8B,MAAM5E,QAAQa,MAAMgE,2BAA2B;QACjFC,OAAO/C;QACPuC,cAAcS,MAAMC,KAAKV,YAAAA;;QAEzBJ,MAAMA,MAAMe,iBAAiB;UAAEC,wBAAwB;UAAMC,0BAA0B;QAAK;MAC9F,CAAA;AAEA,UAAIP,4BAA4BQ,SAAS,CAACR,6BAA6BS,kBAAkB;AACvF,eAAOC,QAAQC,OAAOnE,MAAM,wCAAwCwD,4BAA4BY,OAAO,EAAE,CAAA;MAC3G;AACA,YAAMC,WAAWb,4BAA4BS,iBAAiB,CAAA;AAC9DlC,YAAMsC,SAASC;IACjB;AAEA,QAAI,CAACvC,OAAOvB,OAAOC,KAAKxB,SAAS,MAAA,GAAS;AACxC,YAAMsF,SAAS,MAAM3F,QAAQa,MAAM+E,WAAW;QAAEC,QAAQjE,OAAOC;MAAI,CAAA;AACnE,UAAI,CAAC8D,QAAQ;AACX,cAAM,IAAIvE,MAAM,0DAAA;MAClB;AAEA,YAAM0E,iBAAiBH,OAAOI,aAAaC,oBAAoBC,KAAK,CAACvF,QAAQA,IAAIwF,EAAE;AACnF,UAAI,CAACJ,gBAAgB;AACnB,cAAM,IAAI1E,MAAM,qEAAA;MAClB;AAGA+B,YAAM2C,eAAeK;IACvB;AAEA,QAAI,CAAChD,OAAOlC,OAAOZ,SAAS,MAAA,GAAS;AAEnC,YAAMsF,SAAS,MAAM3F,QAAQa,MAAM+E,WAAW;QAAEC,QAAQ5E;MAAO,CAAA;AAC/D,UAAI,CAAC0E,QAAQ;AACX,cAAM,IAAIvE,MAAM,0DAAA;MAClB;AAEA,YAAM0E,iBAAiBH,OAAOI,aAAaC,oBAAoBC,KAAK,CAACvF,QAAQA,IAAIwF,EAAE;AACnF,UAAI,CAACJ,gBAAgB;AACnB,cAAM,IAAI1E,MAAM,qEAAA;MAClB;AAGA+B,YAAM2C,eAAeK;IACvB;AAEA,QAAI,CAAChD,KAAK;AACR,YAAM,IAAI/B,MAAM,sDAAA;IAClB;AAEA,WAAO,KAAK4C,wBAAwBhE,OAAAA,EAASY,MAAMgD,WAAWT,GAAAA;EAChE;;;;;;;EAQA,MAAMvD,wBAAwBG,MAAoCC,SAAoE;AACpI,QAAIqB;AACJ,UAAMsC,WAAqB,8BAAO/C,MAAcgD,cAAsB,KAAKC,OAAOxC,OAAOrB,SAASY,MAAMgD,SAAAA,GAA7E;AAC3B,UAAMwC,aAAyB,8BAAOxF,MAAcgD,WAAmBE,YACrE,KAAKC,SAAS1C,OAAOrB,SAASY,MAAMgD,WAAWE,OAAAA,GADlB;AAE/BzC,YAAQ,IAAIC,iCAAgB;MAC1BqC;MACA1E,QAAQ,KAAKJ,0BAA0BI;MACvCoH,YAAYD;IACd,CAAA;AAEA,WAAO/E,MAAMwC,OAAO9D,KAAK+C,cAAc/C,KAAKuG,mBAAmBvG,KAAK2D,EAAE;EACxE;;;;;;;EAQA,MAAM7D,iCAAiCE,MAA4CC,SAAuD;AACxI,UAAM,EAAEuG,KAAKC,cAActC,KAAI,IAAKnE;AACpC,UAAM0G,MAAM,IAAIC,IAAIH,GAAAA;AAEpB,UAAMI,WAAW,MAAMC,0BAA0BH,IAAII,SAAQ,CAAA;AAC7D,UAAMC,WAA+B,MAAMH,SAASI,KAAI;AACxDC,4BAAwBF,UAAUP,GAAAA;AAElC,UAAMU,WAAW,8BAAOV,MAAaW,OAAgBC,gBAAyBlI,YAAAA;AAC5E,UAAIA,WAAUkI,gBAAgB;AAC5B,cAAMC,aAAa,MAAMC,kBAAkB;UAAEF;UAAgBD;UAAOjI,QAAAA;QAAO,CAAA;AAC3E,YAAI,CAACmI,YAAY;AACf,iBAAO9B,QAAQC,OAAOnE,MAAM,mCAAmCmF,IAAAA,cAAiBO,SAASQ,OAAO,gBAAgBH,cAAAA,GAAiB,CAAA;QACnI;MACF;IACF,GAPiB;AASjB,UAAMlI,SAAUiF,MAAMjF,UAAU,KAAKJ,0BAA0BI,UAAUC;AACzE,QAAID,QAAQ;AACV,UAAIuH,cAAc;AAChB,cAAMS,SAASV,KAAKO,UAAUN,cAAcvH,MAAAA;AAC5C,cAAMsI,gBAAgB,MAAMF,kBAAkB;UAAEF,gBAAgBX;UAAcU,OAAOJ;UAAU7H;QAAO,CAAA;AACtG,YAAI,CAACsI,eAAe;AAClB,iBAAOjC,QAAQC,OAAOnE,MAAM,mCAAmCmF,GAAAA,gBAAmBC,YAAAA,EAAc,CAAA;QAClG;MACF;AAEA,UAAIM,SAAS,mBAAA,GAAsB;AACjC,cAAMU,kBAAkB,MAAM,KAAK3H,iCAAiC;UAAE0G,KAAKO,SAAS,mBAAA;UAAsB5C;QAAK,GAAGlE,OAAAA;AAClH,cAAMiH,SAASV,KAAKiB,iBAAiBV,SAAS,mBAAA,GAAsB7H,MAAAA;MACtE;AAEA,UAAI6H,SAAS,sBAAA,GAAyB;AACpC,cAAMW,iBAAiB,MAAMb,0BAA0BE,SAASY,UAAU;AAC1E,cAAMC,SAAS,MAAMF,eAAeV,KAAI;AACxC,cAAME,SAASV,KAAKoB,QAAQb,SAAS,sBAAA,GAAyB7H,MAAAA;MAChE;AAEA6H,eAASc,SAASC,QAAQ,CAACD,YAAAA;AACzB,cAAME,sBAAsBF,QAAQG,WAAWC,QAAQC,OAAO,eAAA;AAC9D,YAAIH,qBAAqB;AACvBI,kBAAQC,IAAI,4BAAA;QACd;MACF,CAAA;IACF;AAEA,WAAOrB;EACT;EAEQ9C,wBAAwBhE,SAAiD;AAC/E,QAAI,OAAO,KAAKnB,0BAA0BuJ,oBAAoB,YAAY;AACxE,aAAO,KAAKvJ,0BAA0BuJ;IACxC;AAEA,WAAOC,uBAAuBrI,OAAAA;EAChC;EAEQiE,OAAOH,SAAiC;AAC9C,QAAIA,QAAQZ,KAAKC,QAAQrB,QAAW;AAClC,aAAOgC,QAAQZ,IAAIC;IACrB,WAAWW,QAAQZ,QAAQpB,UAAa,SAASgC,QAAQZ,OAAO,OAAOY,QAAQZ,IAAIrB,QAAQ,YAAYiC,QAAQZ,IAAIrB,IAAIS,WAAW,UAAA,GAAa;AAG7I,YAAMgG,UAAU,KAAKC,wBAAwBzE,QAAQZ,IAAIrB,GAAG;AAC5D,YAAM2G,cAAUC,8BAAgBH,OAAAA;AAChC,YAAMjE,MAAMqE,KAAKC,MAAMH,OAAAA;AACvB,aAAOnE;IACT;AACA,UAAMjD,MAAM,2CAAA;EACd;EAEQmH,wBAAwBK,KAAqB;AACnD,UAAMC,QAAQD,IAAIE,MAAM,GAAA;AACxB,QAAID,MAAME,SAAS,GAAG;AACpB,YAAM,IAAI3H,MAAM,oBAAA;IAClB;AACA,WAAOyH,MAAM,CAAA,EAAGC,MAAM,GAAA,EAAK,CAAA;EAC7B;AACF;;;AItaA,qBAAiC;AAK1B,IAAME,4BAA2C;EAAC;EAAiB;EAA2B;EAAiB;;AAmE/G,SAASC,sBAAsBC,SAAwC;AAC5E,aAAOC,iCAAiBD,SAAS,eAAA;AACnC;AAFgBD;","names":["import_ssi_sdk_ext","defaultGenerateDigest","data","alg","digestMethodParams","includes","hash","fromString","Uint8Array","defaultGenerateSalt","v4","defaultVerifySignature","context","signature","publicKey","result","agent","jwtVerifyJwsSignature","jws","jwk","Loggers","DEFAULT","get","info","message","error","funkeTestCA","sphereonCA","fetchUrlWithErrorHandling","url","response","fetch","ok","Error","status","statusText","extractHashAlgFromIntegrity","integrityValue","val","toLowerCase","trim","split","undefined","extractHashFromIntegrity","validateIntegrity","input","hasher","alg","calculatedHash","createIntegrity","JSON","stringify","toString","assertValidTypeMetadata","metadata","vct","debug","Debug","SDJwtPlugin","trustAnchorsInPEM","registeredImplementations","_signers","_defaultSigner","constructor","hasher","defaultGenerateDigest","saltGenerator","defaultGenerateSalt","signers","defaultSigner","methods","createSdJwtVc","bind","createSdJwtPresentation","verifySdJwtVc","verifySdJwtPresentation","fetchSdJwtTypeMetadataFromVctUrl","getSignerForIdentifier","args","context","identifier","resolution","Object","keys","includes","signer","signingKey","getSignKey","vmRelationship","key","alg","data","agent","keyManagerSign","keyRef","kmsKeyRef","issuer","credentialPayload","iss","Error","sdjwt","SDJwtVcInstance","signAlg","hashAlg","credential","issue","disclosureFrame","header","kid","undefined","x5c","signatureAlgorithmFromKey","method","publicKeyHex","meta","x509","jwkThumbprint","startsWith","didIdentifier","identifierManagedGetByDid","kidIdentifier","identifierManagedGetByKid","cred","SDJwt","fromEncode","presentation","claims","getClaims","holder","cnf","jwk","calculateJwkThumbprint","sub","kbSigner","kbSignAlg","present","presentationFrame","kb","verifier","signature","verify","payload","verifyKb","verifySignatureCallback","getJwk","opts","decodedVC","decode","jwt","trustAnchors","Set","size","add","sphereonCA","funkeTestCA","certificateValidationResult","x509VerifyCertificateChain","chain","Array","from","x5cValidation","trustRootWhenNoAnchors","allowNoTrustAnchorsFound","error","certificateChain","Promise","reject","message","certInfo","publicKeyJWK","didDoc","resolveDid","didUrl","didDocumentKey","didDocument","verificationMethod","find","id","publicKeyJwk","verifierKb","kbVerifier","requiredClaimKeys","vct","vctIntegrity","url","URL","response","fetchUrlWithErrorHandling","toString","metadata","json","assertValidTypeMetadata","validate","input","integrityValue","validation","validateIntegrity","extends","vctValidation","extendsMetadata","schemaResponse","schema_uri","schema","display","forEach","simpleLogoIntegrity","rendering","simple","logo","console","log","verifySignature","defaultVerifySignature","encoded","extractBase64FromDIDJwk","decoded","decodeBase64url","JSON","parse","did","parts","split","length","sdJwtPluginContextMethods","contextHasSDJwtPlugin","context","contextHasPlugin"]}
+{"version":3,"sources":["../src/index.ts","../src/action-handler.ts","../src/defaultCallbacks.ts","../src/trustAnchors.ts","../src/utils.ts","../src/types.ts"],"sourcesContent":["export { SDJwtPlugin } from './action-handler'\nexport * from './utils'\nexport * from './types'\n","import { Jwt, SDJwt } from '@sd-jwt/core'\nimport { SDJwtVcInstance, SdJwtVcPayload } from '@sd-jwt/sd-jwt-vc'\nimport { DisclosureFrame, Hasher, JwtPayload, KbVerifier, PresentationFrame, Signer, Verifier } from '@sd-jwt/types'\nimport { calculateJwkThumbprint, signatureAlgorithmFromKey } from '@sphereon/ssi-sdk-ext.key-utils'\nimport { X509CertificateChainValidationOpts } from '@sphereon/ssi-sdk-ext.x509-utils'\nimport { HasherSync, JsonWebKey, JWK, SdJwtTypeMetadata } from '@sphereon/ssi-types'\nimport { IAgentPlugin } from '@veramo/core'\nimport { decodeBase64url } from '@veramo/utils'\nimport Debug from 'debug'\nimport { defaultGenerateDigest, defaultGenerateSalt, defaultVerifySignature } from './defaultCallbacks'\nimport { funkeTestCA, sphereonCA } from './trustAnchors'\nimport { assertValidTypeMetadata, fetchUrlWithErrorHandling, validateIntegrity } from './utils'\nimport {\n  Claims,\n  FetchSdJwtTypeMetadataFromVctUrlArgs,\n  GetSignerForIdentifierArgs,\n  GetSignerResult,\n  ICreateSdJwtPresentationArgs,\n  ICreateSdJwtPresentationResult,\n  ICreateSdJwtVcArgs,\n  ICreateSdJwtVcResult,\n  IRequiredContext,\n  ISDJwtPlugin,\n  IVerifySdJwtPresentationArgs,\n  IVerifySdJwtPresentationResult,\n  IVerifySdJwtVcArgs,\n  IVerifySdJwtVcResult,\n  SdJWTImplementation,\n  SdJwtVerifySignature,\n  SignKeyArgs,\n  SignKeyResult,\n} from './types'\n\nconst debug = Debug('@sphereon/ssi-sdk.sd-jwt')\n\n/**\n * @beta\n * SD-JWT plugin\n */\nexport class SDJwtPlugin implements IAgentPlugin {\n  // @ts-ignore\n  private readonly trustAnchorsInPEM: string[]\n  private readonly registeredImplementations: SdJWTImplementation\n  private _signers: Record<string, Signer>\n  private _defaultSigner?: Signer\n\n  constructor(\n    registeredImplementations?: SdJWTImplementation & {\n      signers?: Record<string, Signer>\n      defaultSigner?: Signer\n    },\n    trustAnchorsInPEM?: string[],\n  ) {\n    this.trustAnchorsInPEM = trustAnchorsInPEM ?? []\n    if (!registeredImplementations) {\n      registeredImplementations = {}\n    }\n    if (typeof registeredImplementations?.hasher !== 'function') {\n      registeredImplementations.hasher = defaultGenerateDigest\n    }\n    if (typeof registeredImplementations?.saltGenerator !== 'function') {\n      registeredImplementations.saltGenerator = defaultGenerateSalt\n    }\n    this.registeredImplementations = registeredImplementations\n    this._signers = registeredImplementations?.signers ?? {}\n    this._defaultSigner = registeredImplementations?.defaultSigner\n\n    // Verify signature default is used below in the methods if not provided here, as it needs the context of the agent\n  }\n\n  // map the methods your plugin is declaring to their implementation\n  readonly methods: ISDJwtPlugin = {\n    createSdJwtVc: this.createSdJwtVc.bind(this),\n    createSdJwtPresentation: this.createSdJwtPresentation.bind(this),\n    verifySdJwtVc: this.verifySdJwtVc.bind(this),\n    verifySdJwtPresentation: this.verifySdJwtPresentation.bind(this),\n    fetchSdJwtTypeMetadataFromVctUrl: this.fetchSdJwtTypeMetadataFromVctUrl.bind(this),\n  }\n\n  private async getSignerForIdentifier(args: GetSignerForIdentifierArgs, context: IRequiredContext): Promise<GetSignerResult> {\n    const { identifier, resolution } = args\n    if (Object.keys(this._signers).includes(identifier) && typeof this._signers[identifier] === 'function') {\n      return { signer: this._signers[identifier] }\n    } else if (typeof this._defaultSigner === 'function') {\n      return { signer: this._defaultSigner }\n    }\n    const signingKey = await this.getSignKey({ identifier, vmRelationship: 'assertionMethod', resolution }, context)\n    const { key, alg } = signingKey\n\n    const signer: Signer = async (data: string): Promise<string> => {\n      return context.agent.keyManagerSign({ keyRef: key.kmsKeyRef, data })\n    }\n\n    return { signer, alg, signingKey }\n  }\n\n  /**\n   * Create a signed SD-JWT credential.\n   * @param args - Arguments necessary for the creation of a SD-JWT credential.\n   * @param context - This reserved param is automatically added and handled by the framework, *do not override*\n   * @returns A signed SD-JWT credential.\n   */\n  async createSdJwtVc(args: ICreateSdJwtVcArgs, context: IRequiredContext): Promise<ICreateSdJwtVcResult> {\n    const issuer = args.credentialPayload.iss\n    if (!issuer) {\n      throw new Error('credential.issuer must not be empty')\n    }\n    const { alg, signer, signingKey } = await this.getSignerForIdentifier({ identifier: issuer, resolution: args.resolution }, context)\n    const sdjwt = new SDJwtVcInstance({\n      signer,\n      hasher: this.registeredImplementations.hasher,\n      saltGenerator: this.registeredImplementations.saltGenerator,\n      signAlg: alg ?? 'ES256',\n      hashAlg: 'sha-256',\n    })\n\n    const credential = await sdjwt.issue(args.credentialPayload, args.disclosureFrame as DisclosureFrame<typeof args.credentialPayload>, {\n      header: {\n        ...(signingKey?.key.kid !== undefined && { kid: signingKey.key.kid }),\n        ...(signingKey?.key.x5c !== undefined && { x5c: signingKey.key.x5c }),\n      },\n    })\n\n    return { credential }\n  }\n\n  /**\n   * Get the key to sign the SD-JWT\n   * @param args - consists of twp arguments: identifier like a did and other forms of identifiers and vmRelationship which represents the purpose of the key\n   * @param context - agent instance\n   * @returns the key to sign the SD-JWT\n   */\n  async getSignKey(args: SignKeyArgs, context: IRequiredContext): Promise<SignKeyResult> {\n    // TODO Using identifierManagedGetByDid now (new managed identifier resolution). Evaluate of we need to implement more identifier types here\n    const { identifier, resolution } = { ...args }\n    if (resolution) {\n      const key = resolution.key\n      const alg = await signatureAlgorithmFromKey({ key })\n      switch (resolution.method) {\n        case 'did':\n          debug(`Signing key ${key.publicKeyHex} found for identifier ${identifier}`)\n          return { alg, key: { ...key, kmsKeyRef: resolution.kmsKeyRef, kid: resolution.kid } }\n        default:\n          if (key.meta?.x509 && key.meta.x509.x5c) {\n            return { alg, key: { kid: resolution.kid, kmsKeyRef: resolution.kmsKeyRef, x5c: key.meta.x509.x5c as string[] } }\n          } else if (key.meta?.jwkThumbprint) {\n            return { alg, key: { kid: resolution.kid, kmsKeyRef: resolution.kmsKeyRef, jwkThumbprint: key.meta.jwkThumbprint } }\n          } else {\n            return { alg, key: { kid: resolution.kid, kmsKeyRef: resolution.kmsKeyRef } }\n          }\n      }\n    } else if (identifier.startsWith('did:')) {\n      const didIdentifier = await context.agent.identifierManagedGetByDid({ identifier })\n      if (!didIdentifier) {\n        throw new Error(`No identifier found with the given did: ${identifier}`)\n      }\n      const key = didIdentifier.key\n      const alg = await signatureAlgorithmFromKey({ key })\n      debug(`Signing key ${key.publicKeyHex} found for identifier ${identifier}`)\n\n      return { alg, key: { ...key, kmsKeyRef: didIdentifier.kmsKeyRef, kid: didIdentifier.kid } }\n    } else {\n      const kidIdentifier = await context.agent.identifierManagedGetByKid({ identifier })\n      if (!kidIdentifier) {\n        throw new Error(`No identifier found with the given kid: ${identifier}`)\n      }\n      const key = kidIdentifier.key\n      const alg = await signatureAlgorithmFromKey({ key })\n      if (key.meta?.x509 && key.meta.x509.x5c) {\n        return { alg, key: { kid: kidIdentifier.kid, kmsKeyRef: kidIdentifier.kmsKeyRef, x5c: key.meta.x509.x5c as string[] } }\n      } else if (key.meta?.jwkThumbprint) {\n        return { alg, key: { kid: kidIdentifier.kid, kmsKeyRef: kidIdentifier.kmsKeyRef, jwkThumbprint: key.meta.jwkThumbprint } }\n      } else {\n        return { alg, key: { kid: kidIdentifier.kid, kmsKeyRef: kidIdentifier.kmsKeyRef } }\n      }\n    }\n  }\n\n  /**\n   * Create a signed SD-JWT presentation.\n   * @param args - Arguments necessary for the creation of a SD-JWT presentation.\n   * @param context - This reserved param is automatically added and handled by the framework, *do not override*\n   * @returns A signed SD-JWT presentation.\n   */\n  async createSdJwtPresentation(args: ICreateSdJwtPresentationArgs, context: IRequiredContext): Promise<ICreateSdJwtPresentationResult> {\n    const cred = await SDJwt.fromEncode(args.presentation, this.registeredImplementations.hasher!)\n    const claims = await cred.getClaims<Claims>(this.registeredImplementations.hasher!)\n    let holder: string\n    // we primarly look for a cnf field, if it's not there we look for a sub field. If this is also not given, we throw an error since we can not sign it.\n    if (args.holder) {\n      holder = args.holder\n    } else if (claims.cnf?.jwk) {\n      const jwk = claims.cnf.jwk\n      holder = calculateJwkThumbprint({ jwk: jwk as JWK })\n    } else if (claims.cnf?.kid) {\n      holder = claims.cnf?.kid\n    } else if (claims.sub) {\n      holder = claims.sub as string\n    } else {\n      throw new Error('invalid_argument: credential does not include a holder reference')\n    }\n    const { alg, signer } = await this.getSignerForIdentifier({ identifier: holder }, context)\n\n    const sdjwt = new SDJwtVcInstance({\n      hasher: this.registeredImplementations.hasher ?? defaultGenerateDigest,\n      saltGenerator: this.registeredImplementations.saltGenerator,\n      kbSigner: signer,\n      kbSignAlg: alg ?? 'ES256',\n    })\n    const presentation = await sdjwt.present(args.presentation, args.presentationFrame as PresentationFrame<SdJwtVcPayload>, { kb: args.kb })\n\n    return { presentation }\n  }\n\n  /**\n   * Verify a signed SD-JWT credential.\n   * @param args - Arguments necessary for the verify a SD-JWT credential.\n   * @param context - This reserved param is automatically added and handled by the framework, *do not override*\n   * @returns\n   */\n  async verifySdJwtVc(args: IVerifySdJwtVcArgs, context: IRequiredContext): Promise<IVerifySdJwtVcResult> {\n    // callback\n    const verifier: Verifier = async (data: string, signature: string) => this.verify(sdjwt, context, data, signature)\n    const sdjwt = new SDJwtVcInstance({ verifier, hasher: this.registeredImplementations.hasher ?? defaultGenerateDigest })\n    const { header = {}, payload, kb } = await sdjwt.verify(args.credential)\n\n    return { header, payload: payload as SdJwtVcPayload, kb }\n  }\n\n  /**\n   * Verify the key binding of a SD-JWT by validating the signature of the key bound to the SD-JWT\n   * @param sdjwt - SD-JWT instance\n   * @param context - This reserved param is automatically added and handled by the framework, *do not override*\n   * @param data - signed data\n   * @param signature - The signature\n   * @param payload - The payload of the SD-JWT\n   * @returns\n   */\n  private verifyKb(sdjwt: SDJwtVcInstance, context: IRequiredContext, data: string, signature: string, payload: JwtPayload): Promise<boolean> {\n    if (!payload.cnf) {\n      throw Error('other method than cnf is not supported yet')\n    }\n    return this.verifySignatureCallback(context)(data, signature, this.getJwk(payload))\n  }\n\n  /**\n   * Validates the signature of a SD-JWT\n   * @param sdjwt - SD-JWT instance\n   * @param context - This reserved param is automatically added and handled by the framework, *do not override*\n   * @param data - signed data\n   * @param signature - The signature\n   * @returns\n   */\n  async verify(\n    sdjwt: SDJwtVcInstance,\n    context: IRequiredContext,\n    data: string,\n    signature: string,\n    opts?: { x5cValidation?: X509CertificateChainValidationOpts },\n  ): Promise<boolean> {\n    const decodedVC = await sdjwt.decode(`${data}.${signature}`)\n    const issuer: string = ((decodedVC.jwt as Jwt).payload as Record<string, unknown>).iss as string\n    const header = (decodedVC.jwt as Jwt).header as Record<string, any>\n    const x5c: string[] | undefined = header?.x5c as string[]\n    let jwk: JWK | JsonWebKey | undefined = header.jwk\n    if (x5c) {\n      const trustAnchors = new Set<string>([...this.trustAnchorsInPEM])\n      if (trustAnchors.size === 0) {\n        trustAnchors.add(sphereonCA)\n        trustAnchors.add(funkeTestCA)\n      }\n      const certificateValidationResult = await context.agent.x509VerifyCertificateChain({\n        chain: x5c,\n        trustAnchors: Array.from(trustAnchors),\n        // TODO: Defaults to allowing untrusted certs! Fine for now, not when wallets go mainstream\n        opts: opts?.x5cValidation ?? { trustRootWhenNoAnchors: true, allowNoTrustAnchorsFound: true },\n      })\n\n      if (certificateValidationResult.error || !certificateValidationResult?.certificateChain) {\n        return Promise.reject(Error(`Certificate chain validation failed. ${certificateValidationResult.message}`))\n      }\n      const certInfo = certificateValidationResult.certificateChain[0]\n      jwk = certInfo.publicKeyJWK as JWK\n    }\n\n    if (!jwk && header.kid?.includes('did:')) {\n      const didDoc = await context.agent.resolveDid({ didUrl: header.kid })\n      if (!didDoc) {\n        throw new Error('invalid_issuer: issuer did not resolve to a did document')\n      }\n      //TODO SDK-20: This should be checking for an assertionMethod and not just an verificationMethod with an id\n      const didDocumentKey = didDoc.didDocument?.verificationMethod?.find((key) => key.id)\n      if (!didDocumentKey) {\n        throw new Error('invalid_issuer: issuer did document does not include referenced key')\n      }\n      //FIXME SDK-21: in case it's another did method, the value of the key can be also encoded as a base64url\n      // needs more checks. some DID methods do not expose the keys as publicKeyJwk\n      jwk = didDocumentKey.publicKeyJwk as JsonWebKey\n    }\n\n    if (!jwk && issuer.includes('did:')) {\n      // TODO refactor\n      const didDoc = await context.agent.resolveDid({ didUrl: issuer })\n      if (!didDoc) {\n        throw new Error('invalid_issuer: issuer did not resolve to a did document')\n      }\n      //TODO SDK-20: This should be checking for an assertionMethod and not just an verificationMethod with an id\n      const didDocumentKey = didDoc.didDocument?.verificationMethod?.find((key) => key.id)\n      if (!didDocumentKey) {\n        throw new Error('invalid_issuer: issuer did document does not include referenced key')\n      }\n      //FIXME SDK-21: in case it's another did method, the value of the key can be also encoded as a base64url\n      // needs more checks. some DID methods do not expose the keys as publicKeyJwk\n      jwk = didDocumentKey.publicKeyJwk as JsonWebKey\n    }\n\n    if (!jwk) {\n      throw new Error('No valid public key found for signature verification')\n    }\n\n    return this.verifySignatureCallback(context)(data, signature, jwk)\n  }\n\n  /**\n   * Verify a signed SD-JWT presentation.\n   * @param args - Arguments necessary for the verify a SD-JWT presentation.\n   * @param context - This reserved param is automatically added and handled by the framework, *do not override*\n   * @returns\n   */\n  async verifySdJwtPresentation(args: IVerifySdJwtPresentationArgs, context: IRequiredContext): Promise<IVerifySdJwtPresentationResult> {\n    let sdjwt: SDJwtVcInstance\n    const verifier: Verifier = async (data: string, signature: string) => this.verify(sdjwt, context, data, signature)\n    const verifierKb: KbVerifier = async (data: string, signature: string, payload: JwtPayload) =>\n      this.verifyKb(sdjwt, context, data, signature, payload)\n    sdjwt = new SDJwtVcInstance({\n      verifier,\n      hasher: this.registeredImplementations.hasher,\n      kbVerifier: verifierKb,\n    })\n\n    return sdjwt.verify(args.presentation, args.requiredClaimKeys, args.kb)\n  }\n\n  /**\n   * Fetch and validate Type Metadata.\n   * @param args - Arguments necessary for fetching and validating the type metadata.\n   * @param context - This reserved param is automatically added and handled by the framework, *do not override*\n   * @returns\n   */\n  async fetchSdJwtTypeMetadataFromVctUrl(args: FetchSdJwtTypeMetadataFromVctUrlArgs, context: IRequiredContext): Promise<SdJwtTypeMetadata> {\n    const { vct, vctIntegrity, opts } = args\n    const url = new URL(vct)\n\n    const response = await fetchUrlWithErrorHandling(url.toString())\n    const metadata: SdJwtTypeMetadata = (await response.json()) as SdJwtTypeMetadata\n    assertValidTypeMetadata(metadata, vct)\n\n    const validate = async (vct: string, input: unknown, integrityValue?: string, hasher?: Hasher | HasherSync) => {\n      if (hasher && integrityValue) {\n        const validation = await validateIntegrity({ integrityValue, input, hasher })\n        if (!validation) {\n          return Promise.reject(Error(`Integrity check failed for vct: ${vct}, extends: ${metadata.extends}, integrity: ${integrityValue}}`))\n        }\n      }\n    }\n\n    const hasher = (opts?.hasher ?? this.registeredImplementations.hasher ?? defaultGenerateDigest) as Hasher | HasherSync | undefined\n    if (hasher) {\n      if (vctIntegrity) {\n        await validate(vct, metadata, vctIntegrity, hasher)\n        const vctValidation = await validateIntegrity({ integrityValue: vctIntegrity, input: metadata, hasher })\n        if (!vctValidation) {\n          return Promise.reject(Error(`Integrity check failed for vct: ${vct}, integrity: ${vctIntegrity}`))\n        }\n      }\n\n      if (metadata['extends#integrity']) {\n        const extendsMetadata = await this.fetchSdJwtTypeMetadataFromVctUrl({ vct: metadata['extends#integrity'], opts }, context)\n        await validate(vct, extendsMetadata, metadata['extends#integrity'], hasher)\n      }\n\n      if (metadata['schema_uri#integrity']) {\n        const schemaResponse = await fetchUrlWithErrorHandling(metadata.schema_uri!)\n        const schema = await schemaResponse.json()\n        await validate(vct, schema, metadata['schema_uri#integrity'], hasher)\n      }\n\n      metadata.display?.forEach((display) => {\n        const simpleLogoIntegrity = display.rendering?.simple?.logo?.['uri#integrity']\n        if (simpleLogoIntegrity) {\n          console.log('TODO: Logo integrity check')\n        }\n      })\n    }\n\n    return metadata\n  }\n\n  private verifySignatureCallback(context: IRequiredContext): SdJwtVerifySignature {\n    if (typeof this.registeredImplementations.verifySignature === 'function') {\n      return this.registeredImplementations.verifySignature\n    }\n\n    return defaultVerifySignature(context)\n  }\n\n  private getJwk(payload: JwtPayload): JsonWebKey {\n    if (payload.cnf?.jwk !== undefined) {\n      return payload.cnf.jwk as JsonWebKey\n    } else if (payload.cnf !== undefined && 'kid' in payload.cnf && typeof payload.cnf.kid === 'string' && payload.cnf.kid.startsWith('did:jwk:')) {\n      // extract JWK from kid FIXME isn't there a did function for this already? Otherwise create one\n      // FIXME this is a quick-fix to make verification but we need a real solution\n      const encoded = this.extractBase64FromDIDJwk(payload.cnf.kid)\n      const decoded = decodeBase64url(encoded)\n      const jwt = JSON.parse(decoded)\n      return jwt as JsonWebKey\n    }\n    throw Error('Unable to extract JWK from SD-JWT payload')\n  }\n\n  private extractBase64FromDIDJwk(did: string): string {\n    const parts = did.split(':')\n    if (parts.length < 3) {\n      throw new Error('Invalid DID format')\n    }\n    return parts[2].split('#')[0]\n  }\n}\n","import { digestMethodParams } from '@sphereon/ssi-sdk-ext.key-utils'\nimport { HasherSync, JsonWebKey, JWK, Loggers } from '@sphereon/ssi-types'\nimport { v4 } from 'uuid'\n// @ts-ignore\nimport { fromString } from 'uint8arrays/from-string'\nimport { IRequiredContext, SdJwtVerifySignature } from './types'\n\nexport const defaultGenerateDigest: HasherSync = (data: string | ArrayBuffer, alg: string): Uint8Array => {\n  return digestMethodParams(alg.includes('256') ? 'SHA-256' : 'SHA-512').hash(\n    typeof data === 'string' ? fromString(data, 'utf-8') : new Uint8Array(data),\n  )\n}\n\nexport const defaultGenerateSalt = (): string => {\n  return v4()\n}\n\nexport const defaultVerifySignature =\n  (context: IRequiredContext): SdJwtVerifySignature =>\n  async (data: string, signature: string, publicKey: JsonWebKey): Promise<boolean> => {\n    // The data and signature from the sd-jwt lib are a jwt header.payload and signature, so let's recombine into a compact jwt\n    const result = await context.agent.jwtVerifyJwsSignature({ jws: `${data}.${signature}`, jwk: publicKey as JWK })\n    Loggers.DEFAULT.get('sd-jwt').info(`SD-JWT signature verified. Result: ${result.message}`)\n    return !result.error\n  }\n","export const funkeTestCA =\n  '-----BEGIN CERTIFICATE-----\\n' +\n  'MIICeTCCAiCgAwIBAgIUB5E9QVZtmUYcDtCjKB/H3VQv72gwCgYIKoZIzj0EAwIwgYgxCzAJBgNVBAYTAkRFMQ8wDQYDVQQHDAZCZXJsaW4xHTAbBgNVBAoMFEJ1bmRlc2RydWNrZXJlaSBHbWJIMREwDwYDVQQLDAhUIENTIElERTE2MDQGA1UEAwwtU1BSSU5EIEZ1bmtlIEVVREkgV2FsbGV0IFByb3RvdHlwZSBJc3N1aW5nIENBMB4XDTI0MDUzMTA2NDgwOVoXDTM0MDUyOTA2NDgwOVowgYgxCzAJBgNVBAYTAkRFMQ8wDQYDVQQHDAZCZXJsaW4xHTAbBgNVBAoMFEJ1bmRlc2RydWNrZXJlaSBHbWJIMREwDwYDVQQLDAhUIENTIElERTE2MDQGA1UEAwwtU1BSSU5EIEZ1bmtlIEVVREkgV2FsbGV0IFByb3RvdHlwZSBJc3N1aW5nIENBMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEYGzdwFDnc7+Kn5ibAvCOM8ke77VQxqfMcwZL8IaIA+WCROcCfmY/giH92qMru5p/kyOivE0RC/IbdMONvDoUyaNmMGQwHQYDVR0OBBYEFNRWGMCJOOgOWIQYyXZiv6u7xZC+MB8GA1UdIwQYMBaAFNRWGMCJOOgOWIQYyXZiv6u7xZC+MBIGA1UdEwEB/wQIMAYBAf8CAQAwDgYDVR0PAQH/BAQDAgGGMAoGCCqGSM49BAMCA0cAMEQCIGEm7wkZKHt/atb4MdFnXW6yrnwMUT2u136gdtl10Y6hAiBuTFqvVYth1rbxzCP0xWZHmQK9kVyxn8GPfX27EIzzsw==\\n' +\n  '-----END CERTIFICATE-----'\n\nexport const sphereonCA =\n  '-----BEGIN CERTIFICATE-----\\n' +\n  'MIICCDCCAa6gAwIBAgITAPMgqwtYzWPBXaobHhxG9iSydTAKBggqhkjOPQQDAjBa\\n' +\n  'MQswCQYDVQQGEwJOTDEkMCIGA1UECgwbU3BoZXJlb24gSW50ZXJuYXRpb25hbCBC\\n' +\n  'LlYuMQswCQYDVQQLDAJJVDEYMBYGA1UEAwwPY2Euc3BoZXJlb24uY29tMB4XDTI0\\n' +\n  'MDcyODIxMjY0OVoXDTM0MDcyODIxMjY0OVowWjELMAkGA1UEBhMCTkwxJDAiBgNV\\n' +\n  'BAoMG1NwaGVyZW9uIEludGVybmF0aW9uYWwgQi5WLjELMAkGA1UECwwCSVQxGDAW\\n' +\n  'BgNVBAMMD2NhLnNwaGVyZW9uLmNvbTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\\n' +\n  'BEiA0KeESSNrOcmCDga8YsBkUTgowZGwqvL2n91JUpAMdRSwvlVFdqdiLXnk2pQq\\n' +\n  'T1vZnDG0I+x+iz2EbdsG0aajUzBRMB0GA1UdDgQWBBTnB8pdlVz5yKD+zuNkRR6A\\n' +\n  'sywywTAOBgNVHQ8BAf8EBAMCAaYwDwYDVR0lBAgwBgYEVR0lADAPBgNVHRMBAf8E\\n' +\n  'BTADAQH/MAoGCCqGSM49BAMCA0gAMEUCIHH7ie1OAAbff5262rzZVQa8J9zENG8A\\n' +\n  'QlHHFydMdgaXAiEA1Ib82mhHIYDziE0DDbHEAXOs98al+7dpo8fPGVGTeKI=\\n' +\n  '-----END CERTIFICATE-----'\n","import { SdJwtTypeMetadata } from '@sphereon/ssi-types'\n// @ts-ignore\nimport { toString } from 'uint8arrays/to-string'\nimport { Hasher, HasherSync } from '@sd-jwt/types'\n\n// Helper function to fetch API with error handling\nexport async function fetchUrlWithErrorHandling(url: string): Promise<Response> {\n  const response = await fetch(url)\n  if (!response.ok) {\n    throw new Error(`${response.status}: ${response.statusText}`)\n  }\n  return response\n}\n\nexport type IntegrityAlg = 'sha256' | 'sha384' | 'sha512'\n\nfunction extractHashAlgFromIntegrity(integrityValue?: string): IntegrityAlg | undefined {\n  const val = integrityValue?.toLowerCase().trim().split('-')[0]\n  if (val === 'sha256' || val === 'sha384' || val === 'sha512') {\n    return val as IntegrityAlg\n  }\n  return undefined\n}\n\nexport function extractHashFromIntegrity(integrityValue?: string): string | undefined {\n  return integrityValue?.toLowerCase().trim().split('-')[1]\n}\n\nexport async function validateIntegrity({\n  input,\n  integrityValue,\n  hasher,\n}: {\n  input: any\n  integrityValue?: string\n  hasher: HasherSync | Hasher\n}): Promise<boolean> {\n  if (!integrityValue) {\n    return true\n  }\n  const alg = extractHashAlgFromIntegrity(integrityValue)\n  if (!alg) {\n    return false\n  }\n  const calculatedHash = await createIntegrity({ hasher, input, alg })\n  return calculatedHash == integrityValue\n}\n\nexport async function createIntegrity({\n  input,\n  hasher,\n  alg = 'sha256',\n}: {\n  input: any\n  hasher: HasherSync | Hasher\n  alg?: IntegrityAlg\n}): Promise<string> {\n  const calculatedHash = await hasher(typeof input === 'string' ? input : JSON.stringify(input), alg)\n  return `${alg}-${toString(calculatedHash, 'base64')}`\n}\n\nexport function assertValidTypeMetadata(metadata: SdJwtTypeMetadata, vct: string): void {\n  if (metadata.vct !== vct) {\n    throw new Error('VCT mismatch in metadata and credential')\n  }\n}\n","import { SdJwtVcPayload as SdJwtPayload } from '@sd-jwt/sd-jwt-vc'\nimport { Hasher, kbHeader, KBOptions, kbPayload, SaltGenerator, Signer } from '@sd-jwt/types'\nimport { IIdentifierResolution, ManagedIdentifierResult } from '@sphereon/ssi-sdk-ext.identifier-resolution'\nimport { IJwtService } from '@sphereon/ssi-sdk-ext.jwt-service'\nimport { X509CertificateChainValidationOpts } from '@sphereon/ssi-sdk-ext.x509-utils'\nimport { contextHasPlugin } from '@sphereon/ssi-sdk.agent-config'\nimport { ImDLMdoc } from '@sphereon/ssi-sdk.mdl-mdoc'\nimport { HasherSync, JoseSignatureAlgorithm, JsonWebKey, SdJwtTypeMetadata } from '@sphereon/ssi-types'\nimport { DIDDocumentSection, IAgentContext, IDIDManager, IKeyManager, IPluginMethodMap, IResolver } from '@veramo/core'\n\nexport const sdJwtPluginContextMethods: Array<string> = ['createSdJwtVc', 'createSdJwtPresentation', 'verifySdJwtVc', 'verifySdJwtPresentation']\n\n/**\n * My Agent Plugin description.\n *\n * This is the interface that describes what your plugin can do.\n * The methods listed here, will be directly available to the veramo agent where your plugin is going to be used.\n * Depending on the agent configuration, other agent plugins, as well as the application where the agent is used\n * will be able to call these methods.\n *\n * To build a schema for your plugin using standard tools, you must link to this file in your package.json.\n * Example:\n * ```\n * \"veramo\": {\n *    \"pluginInterfaces\": {\n *      \"IMyAgentPlugin\": \"./src/types/IMyAgentPlugin.ts\"\n *    }\n *  },\n * ```\n *\n * @beta\n */\nexport interface ISDJwtPlugin extends IPluginMethodMap {\n  /**\n   * Your plugin method description\n   *\n   * @param args - Input parameters for this method\n   * @param context - The required context where this method can run.\n   *   Declaring a context type here lets other developers know which other plugins\n   *   need to also be installed for this method to work.\n   */\n  /**\n   * Create a signed SD-JWT credential.\n   * @param args - Arguments necessary for the creation of a SD-JWT credential.\n   * @param context - This reserved param is automatically added and handled by the framework, *do not override*\n   */\n  createSdJwtVc(args: ICreateSdJwtVcArgs, context: IRequiredContext): Promise<ICreateSdJwtVcResult>\n\n  /**\n   * Create a signed SD-JWT presentation.\n   * @param args - Arguments necessary for the creation of a SD-JWT presentation.\n   * @param context - This reserved param is automatically added and handled by the framework, *do not override*\n   */\n  createSdJwtPresentation(args: ICreateSdJwtPresentationArgs, context: IRequiredContext): Promise<ICreateSdJwtPresentationResult>\n\n  /**\n   * Verify a signed SD-JWT credential.\n   * @param args - Arguments necessary for the verification of a SD-JWT credential.\n   * @param context - This reserved param is automatically added and handled by the framework, *do not override*\n   */\n  verifySdJwtVc(args: IVerifySdJwtVcArgs, context: IRequiredContext): Promise<IVerifySdJwtVcResult>\n\n  /**\n   * Verify a signed SD-JWT presentation.\n   * @param args - Arguments necessary for the verification of a SD-JWT presentation.\n   * @param context - This reserved param is automatically added and handled by the framework, *do not override*\n   */\n  verifySdJwtPresentation(args: IVerifySdJwtPresentationArgs, context: IRequiredContext): Promise<IVerifySdJwtPresentationResult>\n\n  /**\n   * Fetch and validate Type Metadata.\n   * @param args - Arguments necessary for fetching and validating the type metadata.\n   * @param context - This reserved param is automatically added and handled by the framework, *do not override*\n   */\n  fetchSdJwtTypeMetadataFromVctUrl(args: FetchSdJwtTypeMetadataFromVctUrlArgs, context: IRequiredContext): Promise<SdJwtTypeMetadata>\n}\n\nexport function contextHasSDJwtPlugin(context: IAgentContext<IPluginMethodMap>): context is IAgentContext<ISDJwtPlugin> {\n  return contextHasPlugin(context, 'verifySdJwtVc')\n}\n\n/**\n * ICreateSdJwtVcArgs\n *\n * @beta\n */\n\nexport interface SdJwtVcPayload extends SdJwtPayload {\n  x5c?: string[]\n}\n\nexport interface ICreateSdJwtVcArgs {\n  credentialPayload: SdJwtVcPayload\n\n  // biome-ignore lint/suspicious/noExplicitAny: <explanation>\n  disclosureFrame?: IDisclosureFrame\n\n  resolution?: ManagedIdentifierResult\n}\n\n/**\n * @beta\n */\nexport interface IDisclosureFrame {\n  _sd?: string[]\n  _sd_decoy?: number\n\n  [x: string]: string[] | number | IDisclosureFrame | undefined\n}\n\n/**\n * ICreateSdJwtVcResult\n *\n * @beta\n */\nexport interface ICreateSdJwtVcResult {\n  /**\n   * the encoded sd-jwt credential\n   */\n  credential: string\n}\n\n/**\n *\n * @beta\n */\nexport interface ICreateSdJwtPresentationArgs {\n  /**\n   * Encoded SD-JWT credential\n   */\n  presentation: string\n\n  /*\n   * The keys to use for selective disclosure for presentation\n   * if not provided, all keys will be disclosed\n   * if empty object, no keys will be disclosed\n   */\n  presentationFrame?: IPresentationFrame\n\n  /**\n   * Allows to override the holder. Normally it will be looked up from the cnf or sub values\n   */\n  holder?: string\n\n  /**\n   * Information to include to add key binding.\n   */\n  kb?: KBOptions\n}\n\n/**\n * @beta\n */\nexport interface IPresentationFrame {\n  [x: string]: boolean | IPresentationFrame\n}\n\n/**\n * Created presentation\n * @beta\n */\nexport interface ICreateSdJwtPresentationResult {\n  /**\n   * Encoded presentation.\n   */\n  presentation: string\n}\n\n/**\n * @beta\n */\nexport interface IVerifySdJwtVcArgs {\n  credential: string\n  opts?: {\n    x5cValidation?: X509CertificateChainValidationOpts\n  }\n}\n\n/**\n * @beta\n */\nexport type IVerifySdJwtVcResult = {\n  payload: SdJwtPayload\n  header: Record<string, unknown>\n  kb?: { header: kbHeader; payload: kbPayload }\n}\n\n/**\n * @beta\n */\nexport interface IVerifySdJwtPresentationArgs {\n  presentation: string\n\n  requiredClaimKeys?: string[]\n\n  kb?: boolean\n}\n\n/**\n * @beta\n */\nexport type IVerifySdJwtPresentationResult = {\n  payload: unknown //fixme: maybe this can be `SdJwtPayload`\n  header: Record<string, unknown> | undefined\n  kb?: { header: kbHeader; payload: kbPayload }\n}\n\nexport type SignKeyArgs = {\n  identifier: string\n  vmRelationship: DIDDocumentSection\n  resolution?: ManagedIdentifierResult\n}\n\nexport type SignKeyResult = {\n  alg: JoseSignatureAlgorithm\n  key: {\n    kid?: string\n    kmsKeyRef: string\n    x5c?: string[]\n    jwkThumbprint?: string\n  }\n}\n/**\n * This context describes the requirements of this plugin.\n * For this plugin to function properly, the agent needs to also have other plugins installed that implement the\n * interfaces declared here.\n * You can also define requirements on a more granular level, for each plugin method or event handler of your plugin.\n *\n * @beta\n */\nexport type IRequiredContext = IAgentContext<IDIDManager & IIdentifierResolution & IJwtService & IResolver & IKeyManager & ImDLMdoc>\n\nexport type SdJwtVerifySignature = (data: string, signature: string, publicKey: JsonWebKey) => Promise<boolean>\nexport interface SdJWTImplementation {\n  saltGenerator?: SaltGenerator\n  hasher?: HasherSync\n  verifySignature?: SdJwtVerifySignature\n}\n\nexport interface Claims {\n  /**\n   * Subject of the SD-JWT\n   */\n  sub?: string\n  cnf?: {\n    jwk?: JsonWebKey\n    kid?: string\n  }\n\n  [key: string]: unknown\n}\n\nexport type FetchSdJwtTypeMetadataFromVctUrlArgs = {\n  vct: string\n  vctIntegrity?: string\n  opts?: FetchSdJwtTypeMetadataFromVctUrlOpts\n}\n\nexport type FetchSdJwtTypeMetadataFromVctUrlOpts = {\n  hasher?: HasherSync | Hasher\n}\n\nexport type GetSignerForIdentifierArgs = {\n  identifier: string\n  resolution?: ManagedIdentifierResult\n}\n\nexport type GetSignerResult = {\n  signer: Signer\n  alg?: string\n  signingKey?: SignKeyResult\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;;;;;;;;;;;;;;ACAA,kBAA2B;AAC3B,uBAAgD;AAEhD,IAAAA,sBAAkE;AAIlE,mBAAgC;AAChC,mBAAkB;;;ACRlB,yBAAmC;AACnC,uBAAqD;AACrD,kBAAmB;AAEnB,yBAA2B;AAGpB,IAAMC,wBAAoC,wBAACC,MAA4BC,QAAAA;AAC5E,aAAOC,uCAAmBD,IAAIE,SAAS,KAAA,IAAS,YAAY,SAAA,EAAWC,KACrE,OAAOJ,SAAS,eAAWK,+BAAWL,MAAM,OAAA,IAAW,IAAIM,WAAWN,IAAAA,CAAAA;AAE1E,GAJiD;AAM1C,IAAMO,sBAAsB,6BAAA;AACjC,aAAOC,gBAAAA;AACT,GAFmC;AAI5B,IAAMC,yBACX,wBAACC,YACD,OAAOV,MAAcW,WAAmBC,cAAAA;AAEtC,QAAMC,SAAS,MAAMH,QAAQI,MAAMC,sBAAsB;IAAEC,KAAK,GAAGhB,IAAAA,IAAQW,SAAAA;IAAaM,KAAKL;EAAiB,CAAA;AAC9GM,2BAAQC,QAAQC,IAAI,QAAA,EAAUC,KAAK,sCAAsCR,OAAOS,OAAO,EAAE;AACzF,SAAO,CAACT,OAAOU;AACjB,GANA;;;AClBK,IAAMC,cACX;AAIK,IAAMC,aACX;;;ACJF,uBAAyB;AAIzB,eAAsBC,0BAA0BC,KAAW;AACzD,QAAMC,WAAW,MAAMC,MAAMF,GAAAA;AAC7B,MAAI,CAACC,SAASE,IAAI;AAChB,UAAM,IAAIC,MAAM,GAAGH,SAASI,MAAM,KAAKJ,SAASK,UAAU,EAAE;EAC9D;AACA,SAAOL;AACT;AANsBF;AAUtB,SAASQ,4BAA4BC,gBAAuB;AAC1D,QAAMC,MAAMD,gBAAgBE,YAAAA,EAAcC,KAAAA,EAAOC,MAAM,GAAA,EAAK,CAAA;AAC5D,MAAIH,QAAQ,YAAYA,QAAQ,YAAYA,QAAQ,UAAU;AAC5D,WAAOA;EACT;AACA,SAAOI;AACT;AANSN;AAQF,SAASO,yBAAyBN,gBAAuB;AAC9D,SAAOA,gBAAgBE,YAAAA,EAAcC,KAAAA,EAAOC,MAAM,GAAA,EAAK,CAAA;AACzD;AAFgBE;AAIhB,eAAsBC,kBAAkB,EACtCC,OACAR,gBACAS,OAAM,GAKP;AACC,MAAI,CAACT,gBAAgB;AACnB,WAAO;EACT;AACA,QAAMU,MAAMX,4BAA4BC,cAAAA;AACxC,MAAI,CAACU,KAAK;AACR,WAAO;EACT;AACA,QAAMC,iBAAiB,MAAMC,gBAAgB;IAAEH;IAAQD;IAAOE;EAAI,CAAA;AAClE,SAAOC,kBAAkBX;AAC3B;AAlBsBO;AAoBtB,eAAsBK,gBAAgB,EACpCJ,OACAC,QACAC,MAAM,SAAQ,GAKf;AACC,QAAMC,iBAAiB,MAAMF,OAAO,OAAOD,UAAU,WAAWA,QAAQK,KAAKC,UAAUN,KAAAA,GAAQE,GAAAA;AAC/F,SAAO,GAAGA,GAAAA,QAAOK,2BAASJ,gBAAgB,QAAA,CAAA;AAC5C;AAXsBC;AAaf,SAASI,wBAAwBC,UAA6BC,KAAW;AAC9E,MAAID,SAASC,QAAQA,KAAK;AACxB,UAAM,IAAItB,MAAM,yCAAA;EAClB;AACF;AAJgBoB;;;AH5BhB,IAAMG,YAAQC,aAAAA,SAAM,0BAAA;AAMb,IAAMC,cAAN,MAAMA;EAvCb,OAuCaA;;;;EAEMC;EACAC;EACTC;EACAC;EAER,YACEF,2BAIAD,mBACA;AACA,SAAKA,oBAAoBA,qBAAqB,CAAA;AAC9C,QAAI,CAACC,2BAA2B;AAC9BA,kCAA4B,CAAC;IAC/B;AACA,QAAI,OAAOA,2BAA2BG,WAAW,YAAY;AAC3DH,gCAA0BG,SAASC;IACrC;AACA,QAAI,OAAOJ,2BAA2BK,kBAAkB,YAAY;AAClEL,gCAA0BK,gBAAgBC;IAC5C;AACA,SAAKN,4BAA4BA;AACjC,SAAKC,WAAWD,2BAA2BO,WAAW,CAAC;AACvD,SAAKL,iBAAiBF,2BAA2BQ;EAGnD;;EAGSC,UAAwB;IAC/BC,eAAe,KAAKA,cAAcC,KAAK,IAAI;IAC3CC,yBAAyB,KAAKA,wBAAwBD,KAAK,IAAI;IAC/DE,eAAe,KAAKA,cAAcF,KAAK,IAAI;IAC3CG,yBAAyB,KAAKA,wBAAwBH,KAAK,IAAI;IAC/DI,kCAAkC,KAAKA,iCAAiCJ,KAAK,IAAI;EACnF;EAEA,MAAcK,uBAAuBC,MAAkCC,SAAqD;AAC1H,UAAM,EAAEC,YAAYC,WAAU,IAAKH;AACnC,QAAII,OAAOC,KAAK,KAAKrB,QAAQ,EAAEsB,SAASJ,UAAAA,KAAe,OAAO,KAAKlB,SAASkB,UAAAA,MAAgB,YAAY;AACtG,aAAO;QAAEK,QAAQ,KAAKvB,SAASkB,UAAAA;MAAY;IAC7C,WAAW,OAAO,KAAKjB,mBAAmB,YAAY;AACpD,aAAO;QAAEsB,QAAQ,KAAKtB;MAAe;IACvC;AACA,UAAMuB,aAAa,MAAM,KAAKC,WAAW;MAAEP;MAAYQ,gBAAgB;MAAmBP;IAAW,GAAGF,OAAAA;AACxG,UAAM,EAAEU,KAAKC,IAAG,IAAKJ;AAErB,UAAMD,SAAiB,8BAAOM,SAAAA;AAC5B,aAAOZ,QAAQa,MAAMC,eAAe;QAAEC,QAAQL,IAAIM;QAAWJ;MAAK,CAAA;IACpE,GAFuB;AAIvB,WAAO;MAAEN;MAAQK;MAAKJ;IAAW;EACnC;;;;;;;EAQA,MAAMf,cAAcO,MAA0BC,SAA0D;AACtG,UAAMiB,SAASlB,KAAKmB,kBAAkBC;AACtC,QAAI,CAACF,QAAQ;AACX,YAAM,IAAIG,MAAM,qCAAA;IAClB;AACA,UAAM,EAAET,KAAKL,QAAQC,WAAU,IAAK,MAAM,KAAKT,uBAAuB;MAAEG,YAAYgB;MAAQf,YAAYH,KAAKG;IAAW,GAAGF,OAAAA;AAC3H,UAAMqB,QAAQ,IAAIC,iCAAgB;MAChChB;MACArB,QAAQ,KAAKH,0BAA0BG;MACvCE,eAAe,KAAKL,0BAA0BK;MAC9CoC,SAASZ,OAAO;MAChBa,SAAS;IACX,CAAA;AAEA,UAAMC,aAAa,MAAMJ,MAAMK,MAAM3B,KAAKmB,mBAAmBnB,KAAK4B,iBAAmE;MACnIC,QAAQ;QACN,GAAIrB,YAAYG,IAAImB,QAAQC,UAAa;UAAED,KAAKtB,WAAWG,IAAImB;QAAI;QACnE,GAAItB,YAAYG,IAAIqB,QAAQD,UAAa;UAAEC,KAAKxB,WAAWG,IAAIqB;QAAI;MACrE;IACF,CAAA;AAEA,WAAO;MAAEN;IAAW;EACtB;;;;;;;EAQA,MAAMjB,WAAWT,MAAmBC,SAAmD;AAErF,UAAM,EAAEC,YAAYC,WAAU,IAAK;MAAE,GAAGH;IAAK;AAC7C,QAAIG,YAAY;AACd,YAAMQ,MAAMR,WAAWQ;AACvB,YAAMC,MAAM,UAAMqB,+CAA0B;QAAEtB;MAAI,CAAA;AAClD,cAAQR,WAAW+B,QAAM;QACvB,KAAK;AACHvD,gBAAM,eAAegC,IAAIwB,YAAY,yBAAyBjC,UAAAA,EAAY;AAC1E,iBAAO;YAAEU;YAAKD,KAAK;cAAE,GAAGA;cAAKM,WAAWd,WAAWc;cAAWa,KAAK3B,WAAW2B;YAAI;UAAE;QACtF;AACE,cAAInB,IAAIyB,MAAMC,QAAQ1B,IAAIyB,KAAKC,KAAKL,KAAK;AACvC,mBAAO;cAAEpB;cAAKD,KAAK;gBAAEmB,KAAK3B,WAAW2B;gBAAKb,WAAWd,WAAWc;gBAAWe,KAAKrB,IAAIyB,KAAKC,KAAKL;cAAgB;YAAE;UAClH,WAAWrB,IAAIyB,MAAME,eAAe;AAClC,mBAAO;cAAE1B;cAAKD,KAAK;gBAAEmB,KAAK3B,WAAW2B;gBAAKb,WAAWd,WAAWc;gBAAWqB,eAAe3B,IAAIyB,KAAKE;cAAc;YAAE;UACrH,OAAO;AACL,mBAAO;cAAE1B;cAAKD,KAAK;gBAAEmB,KAAK3B,WAAW2B;gBAAKb,WAAWd,WAAWc;cAAU;YAAE;UAC9E;MACJ;IACF,WAAWf,WAAWqC,WAAW,MAAA,GAAS;AACxC,YAAMC,gBAAgB,MAAMvC,QAAQa,MAAM2B,0BAA0B;QAAEvC;MAAW,CAAA;AACjF,UAAI,CAACsC,eAAe;AAClB,cAAM,IAAInB,MAAM,2CAA2CnB,UAAAA,EAAY;MACzE;AACA,YAAMS,MAAM6B,cAAc7B;AAC1B,YAAMC,MAAM,UAAMqB,+CAA0B;QAAEtB;MAAI,CAAA;AAClDhC,YAAM,eAAegC,IAAIwB,YAAY,yBAAyBjC,UAAAA,EAAY;AAE1E,aAAO;QAAEU;QAAKD,KAAK;UAAE,GAAGA;UAAKM,WAAWuB,cAAcvB;UAAWa,KAAKU,cAAcV;QAAI;MAAE;IAC5F,OAAO;AACL,YAAMY,gBAAgB,MAAMzC,QAAQa,MAAM6B,0BAA0B;QAAEzC;MAAW,CAAA;AACjF,UAAI,CAACwC,eAAe;AAClB,cAAM,IAAIrB,MAAM,2CAA2CnB,UAAAA,EAAY;MACzE;AACA,YAAMS,MAAM+B,cAAc/B;AAC1B,YAAMC,MAAM,UAAMqB,+CAA0B;QAAEtB;MAAI,CAAA;AAClD,UAAIA,IAAIyB,MAAMC,QAAQ1B,IAAIyB,KAAKC,KAAKL,KAAK;AACvC,eAAO;UAAEpB;UAAKD,KAAK;YAAEmB,KAAKY,cAAcZ;YAAKb,WAAWyB,cAAczB;YAAWe,KAAKrB,IAAIyB,KAAKC,KAAKL;UAAgB;QAAE;MACxH,WAAWrB,IAAIyB,MAAME,eAAe;AAClC,eAAO;UAAE1B;UAAKD,KAAK;YAAEmB,KAAKY,cAAcZ;YAAKb,WAAWyB,cAAczB;YAAWqB,eAAe3B,IAAIyB,KAAKE;UAAc;QAAE;MAC3H,OAAO;AACL,eAAO;UAAE1B;UAAKD,KAAK;YAAEmB,KAAKY,cAAcZ;YAAKb,WAAWyB,cAAczB;UAAU;QAAE;MACpF;IACF;EACF;;;;;;;EAQA,MAAMtB,wBAAwBK,MAAoCC,SAAoE;AACpI,UAAM2C,OAAO,MAAMC,kBAAMC,WAAW9C,KAAK+C,cAAc,KAAKhE,0BAA0BG,MAAM;AAC5F,UAAM8D,SAAS,MAAMJ,KAAKK,UAAkB,KAAKlE,0BAA0BG,MAAM;AACjF,QAAIgE;AAEJ,QAAIlD,KAAKkD,QAAQ;AACfA,eAASlD,KAAKkD;IAChB,WAAWF,OAAOG,KAAKC,KAAK;AAC1B,YAAMA,MAAMJ,OAAOG,IAAIC;AACvBF,mBAASG,4CAAuB;QAAED;MAAgB,CAAA;IACpD,WAAWJ,OAAOG,KAAKrB,KAAK;AAC1BoB,eAASF,OAAOG,KAAKrB;IACvB,WAAWkB,OAAOM,KAAK;AACrBJ,eAASF,OAAOM;IAClB,OAAO;AACL,YAAM,IAAIjC,MAAM,kEAAA;IAClB;AACA,UAAM,EAAET,KAAKL,OAAM,IAAK,MAAM,KAAKR,uBAAuB;MAAEG,YAAYgD;IAAO,GAAGjD,OAAAA;AAElF,UAAMqB,QAAQ,IAAIC,iCAAgB;MAChCrC,QAAQ,KAAKH,0BAA0BG,UAAUC;MACjDC,eAAe,KAAKL,0BAA0BK;MAC9CmE,UAAUhD;MACViD,WAAW5C,OAAO;IACpB,CAAA;AACA,UAAMmC,eAAe,MAAMzB,MAAMmC,QAAQzD,KAAK+C,cAAc/C,KAAK0D,mBAAwD;MAAEC,IAAI3D,KAAK2D;IAAG,CAAA;AAEvI,WAAO;MAAEZ;IAAa;EACxB;;;;;;;EAQA,MAAMnD,cAAcI,MAA0BC,SAA0D;AAEtG,UAAM2D,WAAqB,8BAAO/C,MAAcgD,cAAsB,KAAKC,OAAOxC,OAAOrB,SAASY,MAAMgD,SAAAA,GAA7E;AAC3B,UAAMvC,QAAQ,IAAIC,iCAAgB;MAAEqC;MAAU1E,QAAQ,KAAKH,0BAA0BG,UAAUC;IAAsB,CAAA;AACrH,UAAM,EAAE0C,SAAS,CAAC,GAAGkC,SAASJ,GAAE,IAAK,MAAMrC,MAAMwC,OAAO9D,KAAK0B,UAAU;AAEvE,WAAO;MAAEG;MAAQkC;MAAoCJ;IAAG;EAC1D;;;;;;;;;;EAWQK,SAAS1C,OAAwBrB,SAA2BY,MAAcgD,WAAmBE,SAAuC;AAC1I,QAAI,CAACA,QAAQZ,KAAK;AAChB,YAAM9B,MAAM,4CAAA;IACd;AACA,WAAO,KAAK4C,wBAAwBhE,OAAAA,EAASY,MAAMgD,WAAW,KAAKK,OAAOH,OAAAA,CAAAA;EAC5E;;;;;;;;;EAUA,MAAMD,OACJxC,OACArB,SACAY,MACAgD,WACAM,MACkB;AAClB,UAAMC,YAAY,MAAM9C,MAAM+C,OAAO,GAAGxD,IAAAA,IAAQgD,SAAAA,EAAW;AAC3D,UAAM3C,SAAmBkD,UAAUE,IAAYP,QAAoC3C;AACnF,UAAMS,SAAUuC,UAAUE,IAAYzC;AACtC,UAAMG,MAA4BH,QAAQG;AAC1C,QAAIoB,MAAoCvB,OAAOuB;AAC/C,QAAIpB,KAAK;AACP,YAAMuC,eAAe,oBAAIC,IAAY;WAAI,KAAK1F;OAAkB;AAChE,UAAIyF,aAAaE,SAAS,GAAG;AAC3BF,qBAAaG,IAAIC,UAAAA;AACjBJ,qBAAaG,IAAIE,WAAAA;MACnB;AACA,YAAMC,8BAA8B,MAAM5E,QAAQa,MAAMgE,2BAA2B;QACjFC,OAAO/C;QACPuC,cAAcS,MAAMC,KAAKV,YAAAA;;QAEzBJ,MAAMA,MAAMe,iBAAiB;UAAEC,wBAAwB;UAAMC,0BAA0B;QAAK;MAC9F,CAAA;AAEA,UAAIP,4BAA4BQ,SAAS,CAACR,6BAA6BS,kBAAkB;AACvF,eAAOC,QAAQC,OAAOnE,MAAM,wCAAwCwD,4BAA4BY,OAAO,EAAE,CAAA;MAC3G;AACA,YAAMC,WAAWb,4BAA4BS,iBAAiB,CAAA;AAC9DlC,YAAMsC,SAASC;IACjB;AAEA,QAAI,CAACvC,OAAOvB,OAAOC,KAAKxB,SAAS,MAAA,GAAS;AACxC,YAAMsF,SAAS,MAAM3F,QAAQa,MAAM+E,WAAW;QAAEC,QAAQjE,OAAOC;MAAI,CAAA;AACnE,UAAI,CAAC8D,QAAQ;AACX,cAAM,IAAIvE,MAAM,0DAAA;MAClB;AAEA,YAAM0E,iBAAiBH,OAAOI,aAAaC,oBAAoBC,KAAK,CAACvF,QAAQA,IAAIwF,EAAE;AACnF,UAAI,CAACJ,gBAAgB;AACnB,cAAM,IAAI1E,MAAM,qEAAA;MAClB;AAGA+B,YAAM2C,eAAeK;IACvB;AAEA,QAAI,CAAChD,OAAOlC,OAAOZ,SAAS,MAAA,GAAS;AAEnC,YAAMsF,SAAS,MAAM3F,QAAQa,MAAM+E,WAAW;QAAEC,QAAQ5E;MAAO,CAAA;AAC/D,UAAI,CAAC0E,QAAQ;AACX,cAAM,IAAIvE,MAAM,0DAAA;MAClB;AAEA,YAAM0E,iBAAiBH,OAAOI,aAAaC,oBAAoBC,KAAK,CAACvF,QAAQA,IAAIwF,EAAE;AACnF,UAAI,CAACJ,gBAAgB;AACnB,cAAM,IAAI1E,MAAM,qEAAA;MAClB;AAGA+B,YAAM2C,eAAeK;IACvB;AAEA,QAAI,CAAChD,KAAK;AACR,YAAM,IAAI/B,MAAM,sDAAA;IAClB;AAEA,WAAO,KAAK4C,wBAAwBhE,OAAAA,EAASY,MAAMgD,WAAWT,GAAAA;EAChE;;;;;;;EAQA,MAAMvD,wBAAwBG,MAAoCC,SAAoE;AACpI,QAAIqB;AACJ,UAAMsC,WAAqB,8BAAO/C,MAAcgD,cAAsB,KAAKC,OAAOxC,OAAOrB,SAASY,MAAMgD,SAAAA,GAA7E;AAC3B,UAAMwC,aAAyB,8BAAOxF,MAAcgD,WAAmBE,YACrE,KAAKC,SAAS1C,OAAOrB,SAASY,MAAMgD,WAAWE,OAAAA,GADlB;AAE/BzC,YAAQ,IAAIC,iCAAgB;MAC1BqC;MACA1E,QAAQ,KAAKH,0BAA0BG;MACvCoH,YAAYD;IACd,CAAA;AAEA,WAAO/E,MAAMwC,OAAO9D,KAAK+C,cAAc/C,KAAKuG,mBAAmBvG,KAAK2D,EAAE;EACxE;;;;;;;EAQA,MAAM7D,iCAAiCE,MAA4CC,SAAuD;AACxI,UAAM,EAAEuG,KAAKC,cAActC,KAAI,IAAKnE;AACpC,UAAM0G,MAAM,IAAIC,IAAIH,GAAAA;AAEpB,UAAMI,WAAW,MAAMC,0BAA0BH,IAAII,SAAQ,CAAA;AAC7D,UAAMC,WAA+B,MAAMH,SAASI,KAAI;AACxDC,4BAAwBF,UAAUP,GAAAA;AAElC,UAAMU,WAAW,8BAAOV,MAAaW,OAAgBC,gBAAyBlI,YAAAA;AAC5E,UAAIA,WAAUkI,gBAAgB;AAC5B,cAAMC,aAAa,MAAMC,kBAAkB;UAAEF;UAAgBD;UAAOjI,QAAAA;QAAO,CAAA;AAC3E,YAAI,CAACmI,YAAY;AACf,iBAAO9B,QAAQC,OAAOnE,MAAM,mCAAmCmF,IAAAA,cAAiBO,SAASQ,OAAO,gBAAgBH,cAAAA,GAAiB,CAAA;QACnI;MACF;IACF,GAPiB;AASjB,UAAMlI,SAAUiF,MAAMjF,UAAU,KAAKH,0BAA0BG,UAAUC;AACzE,QAAID,QAAQ;AACV,UAAIuH,cAAc;AAChB,cAAMS,SAASV,KAAKO,UAAUN,cAAcvH,MAAAA;AAC5C,cAAMsI,gBAAgB,MAAMF,kBAAkB;UAAEF,gBAAgBX;UAAcU,OAAOJ;UAAU7H;QAAO,CAAA;AACtG,YAAI,CAACsI,eAAe;AAClB,iBAAOjC,QAAQC,OAAOnE,MAAM,mCAAmCmF,GAAAA,gBAAmBC,YAAAA,EAAc,CAAA;QAClG;MACF;AAEA,UAAIM,SAAS,mBAAA,GAAsB;AACjC,cAAMU,kBAAkB,MAAM,KAAK3H,iCAAiC;UAAE0G,KAAKO,SAAS,mBAAA;UAAsB5C;QAAK,GAAGlE,OAAAA;AAClH,cAAMiH,SAASV,KAAKiB,iBAAiBV,SAAS,mBAAA,GAAsB7H,MAAAA;MACtE;AAEA,UAAI6H,SAAS,sBAAA,GAAyB;AACpC,cAAMW,iBAAiB,MAAMb,0BAA0BE,SAASY,UAAU;AAC1E,cAAMC,SAAS,MAAMF,eAAeV,KAAI;AACxC,cAAME,SAASV,KAAKoB,QAAQb,SAAS,sBAAA,GAAyB7H,MAAAA;MAChE;AAEA6H,eAASc,SAASC,QAAQ,CAACD,YAAAA;AACzB,cAAME,sBAAsBF,QAAQG,WAAWC,QAAQC,OAAO,eAAA;AAC9D,YAAIH,qBAAqB;AACvBI,kBAAQC,IAAI,4BAAA;QACd;MACF,CAAA;IACF;AAEA,WAAOrB;EACT;EAEQ9C,wBAAwBhE,SAAiD;AAC/E,QAAI,OAAO,KAAKlB,0BAA0BsJ,oBAAoB,YAAY;AACxE,aAAO,KAAKtJ,0BAA0BsJ;IACxC;AAEA,WAAOC,uBAAuBrI,OAAAA;EAChC;EAEQiE,OAAOH,SAAiC;AAC9C,QAAIA,QAAQZ,KAAKC,QAAQrB,QAAW;AAClC,aAAOgC,QAAQZ,IAAIC;IACrB,WAAWW,QAAQZ,QAAQpB,UAAa,SAASgC,QAAQZ,OAAO,OAAOY,QAAQZ,IAAIrB,QAAQ,YAAYiC,QAAQZ,IAAIrB,IAAIS,WAAW,UAAA,GAAa;AAG7I,YAAMgG,UAAU,KAAKC,wBAAwBzE,QAAQZ,IAAIrB,GAAG;AAC5D,YAAM2G,cAAUC,8BAAgBH,OAAAA;AAChC,YAAMjE,MAAMqE,KAAKC,MAAMH,OAAAA;AACvB,aAAOnE;IACT;AACA,UAAMjD,MAAM,2CAAA;EACd;EAEQmH,wBAAwBK,KAAqB;AACnD,UAAMC,QAAQD,IAAIE,MAAM,GAAA;AACxB,QAAID,MAAME,SAAS,GAAG;AACpB,YAAM,IAAI3H,MAAM,oBAAA;IAClB;AACA,WAAOyH,MAAM,CAAA,EAAGC,MAAM,GAAA,EAAK,CAAA;EAC7B;AACF;;;AItaA,qBAAiC;AAK1B,IAAME,4BAA2C;EAAC;EAAiB;EAA2B;EAAiB;;AAmE/G,SAASC,sBAAsBC,SAAwC;AAC5E,aAAOC,iCAAiBD,SAAS,eAAA;AACnC;AAFgBD;","names":["import_ssi_sdk_ext","defaultGenerateDigest","data","alg","digestMethodParams","includes","hash","fromString","Uint8Array","defaultGenerateSalt","v4","defaultVerifySignature","context","signature","publicKey","result","agent","jwtVerifyJwsSignature","jws","jwk","Loggers","DEFAULT","get","info","message","error","funkeTestCA","sphereonCA","fetchUrlWithErrorHandling","url","response","fetch","ok","Error","status","statusText","extractHashAlgFromIntegrity","integrityValue","val","toLowerCase","trim","split","undefined","extractHashFromIntegrity","validateIntegrity","input","hasher","alg","calculatedHash","createIntegrity","JSON","stringify","toString","assertValidTypeMetadata","metadata","vct","debug","Debug","SDJwtPlugin","trustAnchorsInPEM","registeredImplementations","_signers","_defaultSigner","hasher","defaultGenerateDigest","saltGenerator","defaultGenerateSalt","signers","defaultSigner","methods","createSdJwtVc","bind","createSdJwtPresentation","verifySdJwtVc","verifySdJwtPresentation","fetchSdJwtTypeMetadataFromVctUrl","getSignerForIdentifier","args","context","identifier","resolution","Object","keys","includes","signer","signingKey","getSignKey","vmRelationship","key","alg","data","agent","keyManagerSign","keyRef","kmsKeyRef","issuer","credentialPayload","iss","Error","sdjwt","SDJwtVcInstance","signAlg","hashAlg","credential","issue","disclosureFrame","header","kid","undefined","x5c","signatureAlgorithmFromKey","method","publicKeyHex","meta","x509","jwkThumbprint","startsWith","didIdentifier","identifierManagedGetByDid","kidIdentifier","identifierManagedGetByKid","cred","SDJwt","fromEncode","presentation","claims","getClaims","holder","cnf","jwk","calculateJwkThumbprint","sub","kbSigner","kbSignAlg","present","presentationFrame","kb","verifier","signature","verify","payload","verifyKb","verifySignatureCallback","getJwk","opts","decodedVC","decode","jwt","trustAnchors","Set","size","add","sphereonCA","funkeTestCA","certificateValidationResult","x509VerifyCertificateChain","chain","Array","from","x5cValidation","trustRootWhenNoAnchors","allowNoTrustAnchorsFound","error","certificateChain","Promise","reject","message","certInfo","publicKeyJWK","didDoc","resolveDid","didUrl","didDocumentKey","didDocument","verificationMethod","find","id","publicKeyJwk","verifierKb","kbVerifier","requiredClaimKeys","vct","vctIntegrity","url","URL","response","fetchUrlWithErrorHandling","toString","metadata","json","assertValidTypeMetadata","validate","input","integrityValue","validation","validateIntegrity","extends","vctValidation","extendsMetadata","schemaResponse","schema_uri","schema","display","forEach","simpleLogoIntegrity","rendering","simple","logo","console","log","verifySignature","defaultVerifySignature","encoded","extractBase64FromDIDJwk","decoded","decodeBase64url","JSON","parse","did","parts","split","length","sdJwtPluginContextMethods","contextHasSDJwtPlugin","context","contextHasPlugin"]}

package/dist/index.js.map

@@ -1 +1 @@
-{"version":3,"sources":["../src/action-handler.ts","../src/defaultCallbacks.ts","../src/trustAnchors.ts","../src/utils.ts","../src/types.ts"],"sourcesContent":["import { Jwt, SDJwt } from '@sd-jwt/core'\nimport { SDJwtVcInstance, SdJwtVcPayload } from '@sd-jwt/sd-jwt-vc'\nimport { DisclosureFrame, Hasher, JwtPayload, KbVerifier, PresentationFrame, Signer, Verifier } from '@sd-jwt/types'\nimport { calculateJwkThumbprint, signatureAlgorithmFromKey } from '@sphereon/ssi-sdk-ext.key-utils'\nimport { X509CertificateChainValidationOpts } from '@sphereon/ssi-sdk-ext.x509-utils'\nimport { HasherSync, JsonWebKey, JWK, SdJwtTypeMetadata } from '@sphereon/ssi-types'\nimport { IAgentPlugin } from '@veramo/core'\nimport { decodeBase64url } from '@veramo/utils'\nimport Debug from 'debug'\nimport { defaultGenerateDigest, defaultGenerateSalt, defaultVerifySignature } from './defaultCallbacks'\nimport { funkeTestCA, sphereonCA } from './trustAnchors'\nimport { assertValidTypeMetadata, fetchUrlWithErrorHandling, validateIntegrity } from './utils'\nimport {\n  Claims,\n  FetchSdJwtTypeMetadataFromVctUrlArgs,\n  GetSignerForIdentifierArgs,\n  GetSignerResult,\n  ICreateSdJwtPresentationArgs,\n  ICreateSdJwtPresentationResult,\n  ICreateSdJwtVcArgs,\n  ICreateSdJwtVcResult,\n  IRequiredContext,\n  ISDJwtPlugin,\n  IVerifySdJwtPresentationArgs,\n  IVerifySdJwtPresentationResult,\n  IVerifySdJwtVcArgs,\n  IVerifySdJwtVcResult,\n  SdJWTImplementation,\n  SdJwtVerifySignature,\n  SignKeyArgs,\n  SignKeyResult,\n} from './types'\n\nconst debug = Debug('@sphereon/ssi-sdk.sd-jwt')\n\n/**\n * @beta\n * SD-JWT plugin\n */\nexport class SDJwtPlugin implements IAgentPlugin {\n  // @ts-ignore\n  private readonly trustAnchorsInPEM: string[]\n  private readonly registeredImplementations: SdJWTImplementation\n  private _signers: Record<string, Signer>\n  private _defaultSigner?: Signer\n\n  constructor(\n    registeredImplementations?: SdJWTImplementation & {\n      signers?: Record<string, Signer>\n      defaultSigner?: Signer\n    },\n    trustAnchorsInPEM?: string[],\n  ) {\n    this.trustAnchorsInPEM = trustAnchorsInPEM ?? []\n    if (!registeredImplementations) {\n      registeredImplementations = {}\n    }\n    if (typeof registeredImplementations?.hasher !== 'function') {\n      registeredImplementations.hasher = defaultGenerateDigest\n    }\n    if (typeof registeredImplementations?.saltGenerator !== 'function') {\n      registeredImplementations.saltGenerator = defaultGenerateSalt\n    }\n    this.registeredImplementations = registeredImplementations\n    this._signers = registeredImplementations?.signers ?? {}\n    this._defaultSigner = registeredImplementations?.defaultSigner\n\n    // Verify signature default is used below in the methods if not provided here, as it needs the context of the agent\n  }\n\n  // map the methods your plugin is declaring to their implementation\n  readonly methods: ISDJwtPlugin = {\n    createSdJwtVc: this.createSdJwtVc.bind(this),\n    createSdJwtPresentation: this.createSdJwtPresentation.bind(this),\n    verifySdJwtVc: this.verifySdJwtVc.bind(this),\n    verifySdJwtPresentation: this.verifySdJwtPresentation.bind(this),\n    fetchSdJwtTypeMetadataFromVctUrl: this.fetchSdJwtTypeMetadataFromVctUrl.bind(this),\n  }\n\n  private async getSignerForIdentifier(args: GetSignerForIdentifierArgs, context: IRequiredContext): Promise<GetSignerResult> {\n    const { identifier, resolution } = args\n    if (Object.keys(this._signers).includes(identifier) && typeof this._signers[identifier] === 'function') {\n      return { signer: this._signers[identifier] }\n    } else if (typeof this._defaultSigner === 'function') {\n      return { signer: this._defaultSigner }\n    }\n    const signingKey = await this.getSignKey({ identifier, vmRelationship: 'assertionMethod', resolution }, context)\n    const { key, alg } = signingKey\n\n    const signer: Signer = async (data: string): Promise<string> => {\n      return context.agent.keyManagerSign({ keyRef: key.kmsKeyRef, data })\n    }\n\n    return { signer, alg, signingKey }\n  }\n\n  /**\n   * Create a signed SD-JWT credential.\n   * @param args - Arguments necessary for the creation of a SD-JWT credential.\n   * @param context - This reserved param is automatically added and handled by the framework, *do not override*\n   * @returns A signed SD-JWT credential.\n   */\n  async createSdJwtVc(args: ICreateSdJwtVcArgs, context: IRequiredContext): Promise<ICreateSdJwtVcResult> {\n    const issuer = args.credentialPayload.iss\n    if (!issuer) {\n      throw new Error('credential.issuer must not be empty')\n    }\n    const { alg, signer, signingKey } = await this.getSignerForIdentifier({ identifier: issuer, resolution: args.resolution }, context)\n    const sdjwt = new SDJwtVcInstance({\n      signer,\n      hasher: this.registeredImplementations.hasher,\n      saltGenerator: this.registeredImplementations.saltGenerator,\n      signAlg: alg ?? 'ES256',\n      hashAlg: 'sha-256',\n    })\n\n    const credential = await sdjwt.issue(args.credentialPayload, args.disclosureFrame as DisclosureFrame<typeof args.credentialPayload>, {\n      header: {\n        ...(signingKey?.key.kid !== undefined && { kid: signingKey.key.kid }),\n        ...(signingKey?.key.x5c !== undefined && { x5c: signingKey.key.x5c }),\n      },\n    })\n\n    return { credential }\n  }\n\n  /**\n   * Get the key to sign the SD-JWT\n   * @param args - consists of twp arguments: identifier like a did and other forms of identifiers and vmRelationship which represents the purpose of the key\n   * @param context - agent instance\n   * @returns the key to sign the SD-JWT\n   */\n  async getSignKey(args: SignKeyArgs, context: IRequiredContext): Promise<SignKeyResult> {\n    // TODO Using identifierManagedGetByDid now (new managed identifier resolution). Evaluate of we need to implement more identifier types here\n    const { identifier, resolution } = { ...args }\n    if (resolution) {\n      const key = resolution.key\n      const alg = await signatureAlgorithmFromKey({ key })\n      switch (resolution.method) {\n        case 'did':\n          debug(`Signing key ${key.publicKeyHex} found for identifier ${identifier}`)\n          return { alg, key: { ...key, kmsKeyRef: resolution.kmsKeyRef, kid: resolution.kid } }\n        default:\n          if (key.meta?.x509 && key.meta.x509.x5c) {\n            return { alg, key: { kid: resolution.kid, kmsKeyRef: resolution.kmsKeyRef, x5c: key.meta.x509.x5c as string[] } }\n          } else if (key.meta?.jwkThumbprint) {\n            return { alg, key: { kid: resolution.kid, kmsKeyRef: resolution.kmsKeyRef, jwkThumbprint: key.meta.jwkThumbprint } }\n          } else {\n            return { alg, key: { kid: resolution.kid, kmsKeyRef: resolution.kmsKeyRef } }\n          }\n      }\n    } else if (identifier.startsWith('did:')) {\n      const didIdentifier = await context.agent.identifierManagedGetByDid({ identifier })\n      if (!didIdentifier) {\n        throw new Error(`No identifier found with the given did: ${identifier}`)\n      }\n      const key = didIdentifier.key\n      const alg = await signatureAlgorithmFromKey({ key })\n      debug(`Signing key ${key.publicKeyHex} found for identifier ${identifier}`)\n\n      return { alg, key: { ...key, kmsKeyRef: didIdentifier.kmsKeyRef, kid: didIdentifier.kid } }\n    } else {\n      const kidIdentifier = await context.agent.identifierManagedGetByKid({ identifier })\n      if (!kidIdentifier) {\n        throw new Error(`No identifier found with the given kid: ${identifier}`)\n      }\n      const key = kidIdentifier.key\n      const alg = await signatureAlgorithmFromKey({ key })\n      if (key.meta?.x509 && key.meta.x509.x5c) {\n        return { alg, key: { kid: kidIdentifier.kid, kmsKeyRef: kidIdentifier.kmsKeyRef, x5c: key.meta.x509.x5c as string[] } }\n      } else if (key.meta?.jwkThumbprint) {\n        return { alg, key: { kid: kidIdentifier.kid, kmsKeyRef: kidIdentifier.kmsKeyRef, jwkThumbprint: key.meta.jwkThumbprint } }\n      } else {\n        return { alg, key: { kid: kidIdentifier.kid, kmsKeyRef: kidIdentifier.kmsKeyRef } }\n      }\n    }\n  }\n\n  /**\n   * Create a signed SD-JWT presentation.\n   * @param args - Arguments necessary for the creation of a SD-JWT presentation.\n   * @param context - This reserved param is automatically added and handled by the framework, *do not override*\n   * @returns A signed SD-JWT presentation.\n   */\n  async createSdJwtPresentation(args: ICreateSdJwtPresentationArgs, context: IRequiredContext): Promise<ICreateSdJwtPresentationResult> {\n    const cred = await SDJwt.fromEncode(args.presentation, this.registeredImplementations.hasher!)\n    const claims = await cred.getClaims<Claims>(this.registeredImplementations.hasher!)\n    let holder: string\n    // we primarly look for a cnf field, if it's not there we look for a sub field. If this is also not given, we throw an error since we can not sign it.\n    if (args.holder) {\n      holder = args.holder\n    } else if (claims.cnf?.jwk) {\n      const jwk = claims.cnf.jwk\n      holder = calculateJwkThumbprint({ jwk: jwk as JWK })\n    } else if (claims.cnf?.kid) {\n      holder = claims.cnf?.kid\n    } else if (claims.sub) {\n      holder = claims.sub as string\n    } else {\n      throw new Error('invalid_argument: credential does not include a holder reference')\n    }\n    const { alg, signer } = await this.getSignerForIdentifier({ identifier: holder }, context)\n\n    const sdjwt = new SDJwtVcInstance({\n      hasher: this.registeredImplementations.hasher ?? defaultGenerateDigest,\n      saltGenerator: this.registeredImplementations.saltGenerator,\n      kbSigner: signer,\n      kbSignAlg: alg ?? 'ES256',\n    })\n    const presentation = await sdjwt.present(args.presentation, args.presentationFrame as PresentationFrame<SdJwtVcPayload>, { kb: args.kb })\n\n    return { presentation }\n  }\n\n  /**\n   * Verify a signed SD-JWT credential.\n   * @param args - Arguments necessary for the verify a SD-JWT credential.\n   * @param context - This reserved param is automatically added and handled by the framework, *do not override*\n   * @returns\n   */\n  async verifySdJwtVc(args: IVerifySdJwtVcArgs, context: IRequiredContext): Promise<IVerifySdJwtVcResult> {\n    // callback\n    const verifier: Verifier = async (data: string, signature: string) => this.verify(sdjwt, context, data, signature)\n    const sdjwt = new SDJwtVcInstance({ verifier, hasher: this.registeredImplementations.hasher ?? defaultGenerateDigest })\n    const { header = {}, payload, kb } = await sdjwt.verify(args.credential)\n\n    return { header, payload: payload as SdJwtVcPayload, kb }\n  }\n\n  /**\n   * Verify the key binding of a SD-JWT by validating the signature of the key bound to the SD-JWT\n   * @param sdjwt - SD-JWT instance\n   * @param context - This reserved param is automatically added and handled by the framework, *do not override*\n   * @param data - signed data\n   * @param signature - The signature\n   * @param payload - The payload of the SD-JWT\n   * @returns\n   */\n  private verifyKb(sdjwt: SDJwtVcInstance, context: IRequiredContext, data: string, signature: string, payload: JwtPayload): Promise<boolean> {\n    if (!payload.cnf) {\n      throw Error('other method than cnf is not supported yet')\n    }\n    return this.verifySignatureCallback(context)(data, signature, this.getJwk(payload))\n  }\n\n  /**\n   * Validates the signature of a SD-JWT\n   * @param sdjwt - SD-JWT instance\n   * @param context - This reserved param is automatically added and handled by the framework, *do not override*\n   * @param data - signed data\n   * @param signature - The signature\n   * @returns\n   */\n  async verify(\n    sdjwt: SDJwtVcInstance,\n    context: IRequiredContext,\n    data: string,\n    signature: string,\n    opts?: { x5cValidation?: X509CertificateChainValidationOpts },\n  ): Promise<boolean> {\n    const decodedVC = await sdjwt.decode(`${data}.${signature}`)\n    const issuer: string = ((decodedVC.jwt as Jwt).payload as Record<string, unknown>).iss as string\n    const header = (decodedVC.jwt as Jwt).header as Record<string, any>\n    const x5c: string[] | undefined = header?.x5c as string[]\n    let jwk: JWK | JsonWebKey | undefined = header.jwk\n    if (x5c) {\n      const trustAnchors = new Set<string>([...this.trustAnchorsInPEM])\n      if (trustAnchors.size === 0) {\n        trustAnchors.add(sphereonCA)\n        trustAnchors.add(funkeTestCA)\n      }\n      const certificateValidationResult = await context.agent.x509VerifyCertificateChain({\n        chain: x5c,\n        trustAnchors: Array.from(trustAnchors),\n        // TODO: Defaults to allowing untrusted certs! Fine for now, not when wallets go mainstream\n        opts: opts?.x5cValidation ?? { trustRootWhenNoAnchors: true, allowNoTrustAnchorsFound: true },\n      })\n\n      if (certificateValidationResult.error || !certificateValidationResult?.certificateChain) {\n        return Promise.reject(Error(`Certificate chain validation failed. ${certificateValidationResult.message}`))\n      }\n      const certInfo = certificateValidationResult.certificateChain[0]\n      jwk = certInfo.publicKeyJWK as JWK\n    }\n\n    if (!jwk && header.kid?.includes('did:')) {\n      const didDoc = await context.agent.resolveDid({ didUrl: header.kid })\n      if (!didDoc) {\n        throw new Error('invalid_issuer: issuer did not resolve to a did document')\n      }\n      //TODO SDK-20: This should be checking for an assertionMethod and not just an verificationMethod with an id\n      const didDocumentKey = didDoc.didDocument?.verificationMethod?.find((key) => key.id)\n      if (!didDocumentKey) {\n        throw new Error('invalid_issuer: issuer did document does not include referenced key')\n      }\n      //FIXME SDK-21: in case it's another did method, the value of the key can be also encoded as a base64url\n      // needs more checks. some DID methods do not expose the keys as publicKeyJwk\n      jwk = didDocumentKey.publicKeyJwk as JsonWebKey\n    }\n\n    if (!jwk && issuer.includes('did:')) {\n      // TODO refactor\n      const didDoc = await context.agent.resolveDid({ didUrl: issuer })\n      if (!didDoc) {\n        throw new Error('invalid_issuer: issuer did not resolve to a did document')\n      }\n      //TODO SDK-20: This should be checking for an assertionMethod and not just an verificationMethod with an id\n      const didDocumentKey = didDoc.didDocument?.verificationMethod?.find((key) => key.id)\n      if (!didDocumentKey) {\n        throw new Error('invalid_issuer: issuer did document does not include referenced key')\n      }\n      //FIXME SDK-21: in case it's another did method, the value of the key can be also encoded as a base64url\n      // needs more checks. some DID methods do not expose the keys as publicKeyJwk\n      jwk = didDocumentKey.publicKeyJwk as JsonWebKey\n    }\n\n    if (!jwk) {\n      throw new Error('No valid public key found for signature verification')\n    }\n\n    return this.verifySignatureCallback(context)(data, signature, jwk)\n  }\n\n  /**\n   * Verify a signed SD-JWT presentation.\n   * @param args - Arguments necessary for the verify a SD-JWT presentation.\n   * @param context - This reserved param is automatically added and handled by the framework, *do not override*\n   * @returns\n   */\n  async verifySdJwtPresentation(args: IVerifySdJwtPresentationArgs, context: IRequiredContext): Promise<IVerifySdJwtPresentationResult> {\n    let sdjwt: SDJwtVcInstance\n    const verifier: Verifier = async (data: string, signature: string) => this.verify(sdjwt, context, data, signature)\n    const verifierKb: KbVerifier = async (data: string, signature: string, payload: JwtPayload) =>\n      this.verifyKb(sdjwt, context, data, signature, payload)\n    sdjwt = new SDJwtVcInstance({\n      verifier,\n      hasher: this.registeredImplementations.hasher,\n      kbVerifier: verifierKb,\n    })\n\n    return sdjwt.verify(args.presentation, args.requiredClaimKeys, args.kb)\n  }\n\n  /**\n   * Fetch and validate Type Metadata.\n   * @param args - Arguments necessary for fetching and validating the type metadata.\n   * @param context - This reserved param is automatically added and handled by the framework, *do not override*\n   * @returns\n   */\n  async fetchSdJwtTypeMetadataFromVctUrl(args: FetchSdJwtTypeMetadataFromVctUrlArgs, context: IRequiredContext): Promise<SdJwtTypeMetadata> {\n    const { vct, vctIntegrity, opts } = args\n    const url = new URL(vct)\n\n    const response = await fetchUrlWithErrorHandling(url.toString())\n    const metadata: SdJwtTypeMetadata = (await response.json()) as SdJwtTypeMetadata\n    assertValidTypeMetadata(metadata, vct)\n\n    const validate = async (vct: string, input: unknown, integrityValue?: string, hasher?: Hasher | HasherSync) => {\n      if (hasher && integrityValue) {\n        const validation = await validateIntegrity({ integrityValue, input, hasher })\n        if (!validation) {\n          return Promise.reject(Error(`Integrity check failed for vct: ${vct}, extends: ${metadata.extends}, integrity: ${integrityValue}}`))\n        }\n      }\n    }\n\n    const hasher = (opts?.hasher ?? this.registeredImplementations.hasher ?? defaultGenerateDigest) as Hasher | HasherSync | undefined\n    if (hasher) {\n      if (vctIntegrity) {\n        await validate(vct, metadata, vctIntegrity, hasher)\n        const vctValidation = await validateIntegrity({ integrityValue: vctIntegrity, input: metadata, hasher })\n        if (!vctValidation) {\n          return Promise.reject(Error(`Integrity check failed for vct: ${vct}, integrity: ${vctIntegrity}`))\n        }\n      }\n\n      if (metadata['extends#integrity']) {\n        const extendsMetadata = await this.fetchSdJwtTypeMetadataFromVctUrl({ vct: metadata['extends#integrity'], opts }, context)\n        await validate(vct, extendsMetadata, metadata['extends#integrity'], hasher)\n      }\n\n      if (metadata['schema_uri#integrity']) {\n        const schemaResponse = await fetchUrlWithErrorHandling(metadata.schema_uri!)\n        const schema = await schemaResponse.json()\n        await validate(vct, schema, metadata['schema_uri#integrity'], hasher)\n      }\n\n      metadata.display?.forEach((display) => {\n        const simpleLogoIntegrity = display.rendering?.simple?.logo?.['uri#integrity']\n        if (simpleLogoIntegrity) {\n          console.log('TODO: Logo integrity check')\n        }\n      })\n    }\n\n    return metadata\n  }\n\n  private verifySignatureCallback(context: IRequiredContext): SdJwtVerifySignature {\n    if (typeof this.registeredImplementations.verifySignature === 'function') {\n      return this.registeredImplementations.verifySignature\n    }\n\n    return defaultVerifySignature(context)\n  }\n\n  private getJwk(payload: JwtPayload): JsonWebKey {\n    if (payload.cnf?.jwk !== undefined) {\n      return payload.cnf.jwk as JsonWebKey\n    } else if (payload.cnf !== undefined && 'kid' in payload.cnf && typeof payload.cnf.kid === 'string' && payload.cnf.kid.startsWith('did:jwk:')) {\n      // extract JWK from kid FIXME isn't there a did function for this already? Otherwise create one\n      // FIXME this is a quick-fix to make verification but we need a real solution\n      const encoded = this.extractBase64FromDIDJwk(payload.cnf.kid)\n      const decoded = decodeBase64url(encoded)\n      const jwt = JSON.parse(decoded)\n      return jwt as JsonWebKey\n    }\n    throw Error('Unable to extract JWK from SD-JWT payload')\n  }\n\n  private extractBase64FromDIDJwk(did: string): string {\n    const parts = did.split(':')\n    if (parts.length < 3) {\n      throw new Error('Invalid DID format')\n    }\n    return parts[2].split('#')[0]\n  }\n}\n","import { digestMethodParams } from '@sphereon/ssi-sdk-ext.key-utils'\nimport { HasherSync, JsonWebKey, JWK, Loggers } from '@sphereon/ssi-types'\nimport { v4 } from 'uuid'\n// @ts-ignore\nimport { fromString } from 'uint8arrays/from-string'\nimport { IRequiredContext, SdJwtVerifySignature } from './types'\n\nexport const defaultGenerateDigest: HasherSync = (data: string | ArrayBuffer, alg: string): Uint8Array => {\n  return digestMethodParams(alg.includes('256') ? 'SHA-256' : 'SHA-512').hash(\n    typeof data === 'string' ? fromString(data, 'utf-8') : new Uint8Array(data),\n  )\n}\n\nexport const defaultGenerateSalt = (): string => {\n  return v4()\n}\n\nexport const defaultVerifySignature =\n  (context: IRequiredContext): SdJwtVerifySignature =>\n  async (data: string, signature: string, publicKey: JsonWebKey): Promise<boolean> => {\n    // The data and signature from the sd-jwt lib are a jwt header.payload and signature, so let's recombine into a compact jwt\n    const result = await context.agent.jwtVerifyJwsSignature({ jws: `${data}.${signature}`, jwk: publicKey as JWK })\n    Loggers.DEFAULT.get('sd-jwt').info(`SD-JWT signature verified. Result: ${result.message}`)\n    return !result.error\n  }\n","export const funkeTestCA =\n  '-----BEGIN CERTIFICATE-----\\n' +\n  'MIICeTCCAiCgAwIBAgIUB5E9QVZtmUYcDtCjKB/H3VQv72gwCgYIKoZIzj0EAwIwgYgxCzAJBgNVBAYTAkRFMQ8wDQYDVQQHDAZCZXJsaW4xHTAbBgNVBAoMFEJ1bmRlc2RydWNrZXJlaSBHbWJIMREwDwYDVQQLDAhUIENTIElERTE2MDQGA1UEAwwtU1BSSU5EIEZ1bmtlIEVVREkgV2FsbGV0IFByb3RvdHlwZSBJc3N1aW5nIENBMB4XDTI0MDUzMTA2NDgwOVoXDTM0MDUyOTA2NDgwOVowgYgxCzAJBgNVBAYTAkRFMQ8wDQYDVQQHDAZCZXJsaW4xHTAbBgNVBAoMFEJ1bmRlc2RydWNrZXJlaSBHbWJIMREwDwYDVQQLDAhUIENTIElERTE2MDQGA1UEAwwtU1BSSU5EIEZ1bmtlIEVVREkgV2FsbGV0IFByb3RvdHlwZSBJc3N1aW5nIENBMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEYGzdwFDnc7+Kn5ibAvCOM8ke77VQxqfMcwZL8IaIA+WCROcCfmY/giH92qMru5p/kyOivE0RC/IbdMONvDoUyaNmMGQwHQYDVR0OBBYEFNRWGMCJOOgOWIQYyXZiv6u7xZC+MB8GA1UdIwQYMBaAFNRWGMCJOOgOWIQYyXZiv6u7xZC+MBIGA1UdEwEB/wQIMAYBAf8CAQAwDgYDVR0PAQH/BAQDAgGGMAoGCCqGSM49BAMCA0cAMEQCIGEm7wkZKHt/atb4MdFnXW6yrnwMUT2u136gdtl10Y6hAiBuTFqvVYth1rbxzCP0xWZHmQK9kVyxn8GPfX27EIzzsw==\\n' +\n  '-----END CERTIFICATE-----'\n\nexport const sphereonCA =\n  '-----BEGIN CERTIFICATE-----\\n' +\n  'MIICCDCCAa6gAwIBAgITAPMgqwtYzWPBXaobHhxG9iSydTAKBggqhkjOPQQDAjBa\\n' +\n  'MQswCQYDVQQGEwJOTDEkMCIGA1UECgwbU3BoZXJlb24gSW50ZXJuYXRpb25hbCBC\\n' +\n  'LlYuMQswCQYDVQQLDAJJVDEYMBYGA1UEAwwPY2Euc3BoZXJlb24uY29tMB4XDTI0\\n' +\n  'MDcyODIxMjY0OVoXDTM0MDcyODIxMjY0OVowWjELMAkGA1UEBhMCTkwxJDAiBgNV\\n' +\n  'BAoMG1NwaGVyZW9uIEludGVybmF0aW9uYWwgQi5WLjELMAkGA1UECwwCSVQxGDAW\\n' +\n  'BgNVBAMMD2NhLnNwaGVyZW9uLmNvbTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\\n' +\n  'BEiA0KeESSNrOcmCDga8YsBkUTgowZGwqvL2n91JUpAMdRSwvlVFdqdiLXnk2pQq\\n' +\n  'T1vZnDG0I+x+iz2EbdsG0aajUzBRMB0GA1UdDgQWBBTnB8pdlVz5yKD+zuNkRR6A\\n' +\n  'sywywTAOBgNVHQ8BAf8EBAMCAaYwDwYDVR0lBAgwBgYEVR0lADAPBgNVHRMBAf8E\\n' +\n  'BTADAQH/MAoGCCqGSM49BAMCA0gAMEUCIHH7ie1OAAbff5262rzZVQa8J9zENG8A\\n' +\n  'QlHHFydMdgaXAiEA1Ib82mhHIYDziE0DDbHEAXOs98al+7dpo8fPGVGTeKI=\\n' +\n  '-----END CERTIFICATE-----'\n","import { SdJwtTypeMetadata } from '@sphereon/ssi-types'\n// @ts-ignore\nimport { toString } from 'uint8arrays/to-string'\nimport { Hasher, HasherSync } from '@sd-jwt/types'\n\n// Helper function to fetch API with error handling\nexport async function fetchUrlWithErrorHandling(url: string): Promise<Response> {\n  const response = await fetch(url)\n  if (!response.ok) {\n    throw new Error(`${response.status}: ${response.statusText}`)\n  }\n  return response\n}\n\nexport type IntegrityAlg = 'sha256' | 'sha384' | 'sha512'\n\nfunction extractHashAlgFromIntegrity(integrityValue?: string): IntegrityAlg | undefined {\n  const val = integrityValue?.toLowerCase().trim().split('-')[0]\n  if (val === 'sha256' || val === 'sha384' || val === 'sha512') {\n    return val as IntegrityAlg\n  }\n  return undefined\n}\n\nexport function extractHashFromIntegrity(integrityValue?: string): string | undefined {\n  return integrityValue?.toLowerCase().trim().split('-')[1]\n}\n\nexport async function validateIntegrity({\n  input,\n  integrityValue,\n  hasher,\n}: {\n  input: any\n  integrityValue?: string\n  hasher: HasherSync | Hasher\n}): Promise<boolean> {\n  if (!integrityValue) {\n    return true\n  }\n  const alg = extractHashAlgFromIntegrity(integrityValue)\n  if (!alg) {\n    return false\n  }\n  const calculatedHash = await createIntegrity({ hasher, input, alg })\n  return calculatedHash == integrityValue\n}\n\nexport async function createIntegrity({\n  input,\n  hasher,\n  alg = 'sha256',\n}: {\n  input: any\n  hasher: HasherSync | Hasher\n  alg?: IntegrityAlg\n}): Promise<string> {\n  const calculatedHash = await hasher(typeof input === 'string' ? input : JSON.stringify(input), alg)\n  return `${alg}-${toString(calculatedHash, 'base64')}`\n}\n\nexport function assertValidTypeMetadata(metadata: SdJwtTypeMetadata, vct: string): void {\n  if (metadata.vct !== vct) {\n    throw new Error('VCT mismatch in metadata and credential')\n  }\n}\n","import { SdJwtVcPayload as SdJwtPayload } from '@sd-jwt/sd-jwt-vc'\nimport { Hasher, kbHeader, KBOptions, kbPayload, SaltGenerator, Signer } from '@sd-jwt/types'\nimport { IIdentifierResolution, ManagedIdentifierResult } from '@sphereon/ssi-sdk-ext.identifier-resolution'\nimport { IJwtService } from '@sphereon/ssi-sdk-ext.jwt-service'\nimport { X509CertificateChainValidationOpts } from '@sphereon/ssi-sdk-ext.x509-utils'\nimport { contextHasPlugin } from '@sphereon/ssi-sdk.agent-config'\nimport { ImDLMdoc } from '@sphereon/ssi-sdk.mdl-mdoc'\nimport { HasherSync, JoseSignatureAlgorithm, JsonWebKey, SdJwtTypeMetadata } from '@sphereon/ssi-types'\nimport { DIDDocumentSection, IAgentContext, IDIDManager, IKeyManager, IPluginMethodMap, IResolver } from '@veramo/core'\n\nexport const sdJwtPluginContextMethods: Array<string> = ['createSdJwtVc', 'createSdJwtPresentation', 'verifySdJwtVc', 'verifySdJwtPresentation']\n\n/**\n * My Agent Plugin description.\n *\n * This is the interface that describes what your plugin can do.\n * The methods listed here, will be directly available to the veramo agent where your plugin is going to be used.\n * Depending on the agent configuration, other agent plugins, as well as the application where the agent is used\n * will be able to call these methods.\n *\n * To build a schema for your plugin using standard tools, you must link to this file in your package.json.\n * Example:\n * ```\n * \"veramo\": {\n *    \"pluginInterfaces\": {\n *      \"IMyAgentPlugin\": \"./src/types/IMyAgentPlugin.ts\"\n *    }\n *  },\n * ```\n *\n * @beta\n */\nexport interface ISDJwtPlugin extends IPluginMethodMap {\n  /**\n   * Your plugin method description\n   *\n   * @param args - Input parameters for this method\n   * @param context - The required context where this method can run.\n   *   Declaring a context type here lets other developers know which other plugins\n   *   need to also be installed for this method to work.\n   */\n  /**\n   * Create a signed SD-JWT credential.\n   * @param args - Arguments necessary for the creation of a SD-JWT credential.\n   * @param context - This reserved param is automatically added and handled by the framework, *do not override*\n   */\n  createSdJwtVc(args: ICreateSdJwtVcArgs, context: IRequiredContext): Promise<ICreateSdJwtVcResult>\n\n  /**\n   * Create a signed SD-JWT presentation.\n   * @param args - Arguments necessary for the creation of a SD-JWT presentation.\n   * @param context - This reserved param is automatically added and handled by the framework, *do not override*\n   */\n  createSdJwtPresentation(args: ICreateSdJwtPresentationArgs, context: IRequiredContext): Promise<ICreateSdJwtPresentationResult>\n\n  /**\n   * Verify a signed SD-JWT credential.\n   * @param args - Arguments necessary for the verification of a SD-JWT credential.\n   * @param context - This reserved param is automatically added and handled by the framework, *do not override*\n   */\n  verifySdJwtVc(args: IVerifySdJwtVcArgs, context: IRequiredContext): Promise<IVerifySdJwtVcResult>\n\n  /**\n   * Verify a signed SD-JWT presentation.\n   * @param args - Arguments necessary for the verification of a SD-JWT presentation.\n   * @param context - This reserved param is automatically added and handled by the framework, *do not override*\n   */\n  verifySdJwtPresentation(args: IVerifySdJwtPresentationArgs, context: IRequiredContext): Promise<IVerifySdJwtPresentationResult>\n\n  /**\n   * Fetch and validate Type Metadata.\n   * @param args - Arguments necessary for fetching and validating the type metadata.\n   * @param context - This reserved param is automatically added and handled by the framework, *do not override*\n   */\n  fetchSdJwtTypeMetadataFromVctUrl(args: FetchSdJwtTypeMetadataFromVctUrlArgs, context: IRequiredContext): Promise<SdJwtTypeMetadata>\n}\n\nexport function contextHasSDJwtPlugin(context: IAgentContext<IPluginMethodMap>): context is IAgentContext<ISDJwtPlugin> {\n  return contextHasPlugin(context, 'verifySdJwtVc')\n}\n\n/**\n * ICreateSdJwtVcArgs\n *\n * @beta\n */\n\nexport interface SdJwtVcPayload extends SdJwtPayload {\n  x5c?: string[]\n}\n\nexport interface ICreateSdJwtVcArgs {\n  credentialPayload: SdJwtVcPayload\n\n  // biome-ignore lint/suspicious/noExplicitAny: <explanation>\n  disclosureFrame?: IDisclosureFrame\n\n  resolution?: ManagedIdentifierResult\n}\n\n/**\n * @beta\n */\nexport interface IDisclosureFrame {\n  _sd?: string[]\n  _sd_decoy?: number\n\n  [x: string]: string[] | number | IDisclosureFrame | undefined\n}\n\n/**\n * ICreateSdJwtVcResult\n *\n * @beta\n */\nexport interface ICreateSdJwtVcResult {\n  /**\n   * the encoded sd-jwt credential\n   */\n  credential: string\n}\n\n/**\n *\n * @beta\n */\nexport interface ICreateSdJwtPresentationArgs {\n  /**\n   * Encoded SD-JWT credential\n   */\n  presentation: string\n\n  /*\n   * The keys to use for selective disclosure for presentation\n   * if not provided, all keys will be disclosed\n   * if empty object, no keys will be disclosed\n   */\n  presentationFrame?: IPresentationFrame\n\n  /**\n   * Allows to override the holder. Normally it will be looked up from the cnf or sub values\n   */\n  holder?: string\n\n  /**\n   * Information to include to add key binding.\n   */\n  kb?: KBOptions\n}\n\n/**\n * @beta\n */\nexport interface IPresentationFrame {\n  [x: string]: boolean | IPresentationFrame\n}\n\n/**\n * Created presentation\n * @beta\n */\nexport interface ICreateSdJwtPresentationResult {\n  /**\n   * Encoded presentation.\n   */\n  presentation: string\n}\n\n/**\n * @beta\n */\nexport interface IVerifySdJwtVcArgs {\n  credential: string\n  opts?: {\n    x5cValidation?: X509CertificateChainValidationOpts\n  }\n}\n\n/**\n * @beta\n */\nexport type IVerifySdJwtVcResult = {\n  payload: SdJwtPayload\n  header: Record<string, unknown>\n  kb?: { header: kbHeader; payload: kbPayload }\n}\n\n/**\n * @beta\n */\nexport interface IVerifySdJwtPresentationArgs {\n  presentation: string\n\n  requiredClaimKeys?: string[]\n\n  kb?: boolean\n}\n\n/**\n * @beta\n */\nexport type IVerifySdJwtPresentationResult = {\n  payload: unknown //fixme: maybe this can be `SdJwtPayload`\n  header: Record<string, unknown> | undefined\n  kb?: { header: kbHeader; payload: kbPayload }\n}\n\nexport type SignKeyArgs = {\n  identifier: string\n  vmRelationship: DIDDocumentSection\n  resolution?: ManagedIdentifierResult\n}\n\nexport type SignKeyResult = {\n  alg: JoseSignatureAlgorithm\n  key: {\n    kid?: string\n    kmsKeyRef: string\n    x5c?: string[]\n    jwkThumbprint?: string\n  }\n}\n/**\n * This context describes the requirements of this plugin.\n * For this plugin to function properly, the agent needs to also have other plugins installed that implement the\n * interfaces declared here.\n * You can also define requirements on a more granular level, for each plugin method or event handler of your plugin.\n *\n * @beta\n */\nexport type IRequiredContext = IAgentContext<IDIDManager & IIdentifierResolution & IJwtService & IResolver & IKeyManager & ImDLMdoc>\n\nexport type SdJwtVerifySignature = (data: string, signature: string, publicKey: JsonWebKey) => Promise<boolean>\nexport interface SdJWTImplementation {\n  saltGenerator?: SaltGenerator\n  hasher?: HasherSync\n  verifySignature?: SdJwtVerifySignature\n}\n\nexport interface Claims {\n  /**\n   * Subject of the SD-JWT\n   */\n  sub?: string\n  cnf?: {\n    jwk?: JsonWebKey\n    kid?: string\n  }\n\n  [key: string]: unknown\n}\n\nexport type FetchSdJwtTypeMetadataFromVctUrlArgs = {\n  vct: string\n  vctIntegrity?: string\n  opts?: FetchSdJwtTypeMetadataFromVctUrlOpts\n}\n\nexport type FetchSdJwtTypeMetadataFromVctUrlOpts = {\n  hasher?: HasherSync | Hasher\n}\n\nexport type GetSignerForIdentifierArgs = {\n  identifier: string\n  resolution?: ManagedIdentifierResult\n}\n\nexport type GetSignerResult = {\n  signer: Signer\n  alg?: string\n  signingKey?: SignKeyResult\n}\n"],"mappings":";;;;AAAA,SAAcA,aAAa;AAC3B,SAASC,uBAAuC;AAEhD,SAASC,wBAAwBC,iCAAiC;AAIlE,SAASC,uBAAuB;AAChC,OAAOC,WAAW;;;ACRlB,SAASC,0BAA0B;AACnC,SAAsCC,eAAe;AACrD,SAASC,UAAU;AAEnB,SAASC,kBAAkB;AAGpB,IAAMC,wBAAoC,wBAACC,MAA4BC,QAAAA;AAC5E,SAAOC,mBAAmBD,IAAIE,SAAS,KAAA,IAAS,YAAY,SAAA,EAAWC,KACrE,OAAOJ,SAAS,WAAWK,WAAWL,MAAM,OAAA,IAAW,IAAIM,WAAWN,IAAAA,CAAAA;AAE1E,GAJiD;AAM1C,IAAMO,sBAAsB,6BAAA;AACjC,SAAOC,GAAAA;AACT,GAFmC;AAI5B,IAAMC,yBACX,wBAACC,YACD,OAAOV,MAAcW,WAAmBC,cAAAA;AAEtC,QAAMC,SAAS,MAAMH,QAAQI,MAAMC,sBAAsB;IAAEC,KAAK,GAAGhB,IAAAA,IAAQW,SAAAA;IAAaM,KAAKL;EAAiB,CAAA;AAC9GM,UAAQC,QAAQC,IAAI,QAAA,EAAUC,KAAK,sCAAsCR,OAAOS,OAAO,EAAE;AACzF,SAAO,CAACT,OAAOU;AACjB,GANA;;;AClBK,IAAMC,cACX;AAIK,IAAMC,aACX;;;ACJF,SAASC,gBAAgB;AAIzB,eAAsBC,0BAA0BC,KAAW;AACzD,QAAMC,WAAW,MAAMC,MAAMF,GAAAA;AAC7B,MAAI,CAACC,SAASE,IAAI;AAChB,UAAM,IAAIC,MAAM,GAAGH,SAASI,MAAM,KAAKJ,SAASK,UAAU,EAAE;EAC9D;AACA,SAAOL;AACT;AANsBF;AAUtB,SAASQ,4BAA4BC,gBAAuB;AAC1D,QAAMC,MAAMD,gBAAgBE,YAAAA,EAAcC,KAAAA,EAAOC,MAAM,GAAA,EAAK,CAAA;AAC5D,MAAIH,QAAQ,YAAYA,QAAQ,YAAYA,QAAQ,UAAU;AAC5D,WAAOA;EACT;AACA,SAAOI;AACT;AANSN;AAQF,SAASO,yBAAyBN,gBAAuB;AAC9D,SAAOA,gBAAgBE,YAAAA,EAAcC,KAAAA,EAAOC,MAAM,GAAA,EAAK,CAAA;AACzD;AAFgBE;AAIhB,eAAsBC,kBAAkB,EACtCC,OACAR,gBACAS,OAAM,GAKP;AACC,MAAI,CAACT,gBAAgB;AACnB,WAAO;EACT;AACA,QAAMU,MAAMX,4BAA4BC,cAAAA;AACxC,MAAI,CAACU,KAAK;AACR,WAAO;EACT;AACA,QAAMC,iBAAiB,MAAMC,gBAAgB;IAAEH;IAAQD;IAAOE;EAAI,CAAA;AAClE,SAAOC,kBAAkBX;AAC3B;AAlBsBO;AAoBtB,eAAsBK,gBAAgB,EACpCJ,OACAC,QACAC,MAAM,SAAQ,GAKf;AACC,QAAMC,iBAAiB,MAAMF,OAAO,OAAOD,UAAU,WAAWA,QAAQK,KAAKC,UAAUN,KAAAA,GAAQE,GAAAA;AAC/F,SAAO,GAAGA,GAAAA,IAAOK,SAASJ,gBAAgB,QAAA,CAAA;AAC5C;AAXsBC;AAaf,SAASI,wBAAwBC,UAA6BC,KAAW;AAC9E,MAAID,SAASC,QAAQA,KAAK;AACxB,UAAM,IAAItB,MAAM,yCAAA;EAClB;AACF;AAJgBoB;;;AH5BhB,IAAMG,QAAQC,MAAM,0BAAA;AAMb,IAAMC,cAAN,MAAMA;EAvCb,OAuCaA;;;;EAEMC;EACAC;EACTC;EACAC;EAERC,YACEH,2BAIAD,mBACA;AACA,SAAKA,oBAAoBA,qBAAqB,CAAA;AAC9C,QAAI,CAACC,2BAA2B;AAC9BA,kCAA4B,CAAC;IAC/B;AACA,QAAI,OAAOA,2BAA2BI,WAAW,YAAY;AAC3DJ,gCAA0BI,SAASC;IACrC;AACA,QAAI,OAAOL,2BAA2BM,kBAAkB,YAAY;AAClEN,gCAA0BM,gBAAgBC;IAC5C;AACA,SAAKP,4BAA4BA;AACjC,SAAKC,WAAWD,2BAA2BQ,WAAW,CAAC;AACvD,SAAKN,iBAAiBF,2BAA2BS;EAGnD;;EAGSC,UAAwB;IAC/BC,eAAe,KAAKA,cAAcC,KAAK,IAAI;IAC3CC,yBAAyB,KAAKA,wBAAwBD,KAAK,IAAI;IAC/DE,eAAe,KAAKA,cAAcF,KAAK,IAAI;IAC3CG,yBAAyB,KAAKA,wBAAwBH,KAAK,IAAI;IAC/DI,kCAAkC,KAAKA,iCAAiCJ,KAAK,IAAI;EACnF;EAEA,MAAcK,uBAAuBC,MAAkCC,SAAqD;AAC1H,UAAM,EAAEC,YAAYC,WAAU,IAAKH;AACnC,QAAII,OAAOC,KAAK,KAAKtB,QAAQ,EAAEuB,SAASJ,UAAAA,KAAe,OAAO,KAAKnB,SAASmB,UAAAA,MAAgB,YAAY;AACtG,aAAO;QAAEK,QAAQ,KAAKxB,SAASmB,UAAAA;MAAY;IAC7C,WAAW,OAAO,KAAKlB,mBAAmB,YAAY;AACpD,aAAO;QAAEuB,QAAQ,KAAKvB;MAAe;IACvC;AACA,UAAMwB,aAAa,MAAM,KAAKC,WAAW;MAAEP;MAAYQ,gBAAgB;MAAmBP;IAAW,GAAGF,OAAAA;AACxG,UAAM,EAAEU,KAAKC,IAAG,IAAKJ;AAErB,UAAMD,SAAiB,8BAAOM,SAAAA;AAC5B,aAAOZ,QAAQa,MAAMC,eAAe;QAAEC,QAAQL,IAAIM;QAAWJ;MAAK,CAAA;IACpE,GAFuB;AAIvB,WAAO;MAAEN;MAAQK;MAAKJ;IAAW;EACnC;;;;;;;EAQA,MAAMf,cAAcO,MAA0BC,SAA0D;AACtG,UAAMiB,SAASlB,KAAKmB,kBAAkBC;AACtC,QAAI,CAACF,QAAQ;AACX,YAAM,IAAIG,MAAM,qCAAA;IAClB;AACA,UAAM,EAAET,KAAKL,QAAQC,WAAU,IAAK,MAAM,KAAKT,uBAAuB;MAAEG,YAAYgB;MAAQf,YAAYH,KAAKG;IAAW,GAAGF,OAAAA;AAC3H,UAAMqB,QAAQ,IAAIC,gBAAgB;MAChChB;MACArB,QAAQ,KAAKJ,0BAA0BI;MACvCE,eAAe,KAAKN,0BAA0BM;MAC9CoC,SAASZ,OAAO;MAChBa,SAAS;IACX,CAAA;AAEA,UAAMC,aAAa,MAAMJ,MAAMK,MAAM3B,KAAKmB,mBAAmBnB,KAAK4B,iBAAmE;MACnIC,QAAQ;QACN,GAAIrB,YAAYG,IAAImB,QAAQC,UAAa;UAAED,KAAKtB,WAAWG,IAAImB;QAAI;QACnE,GAAItB,YAAYG,IAAIqB,QAAQD,UAAa;UAAEC,KAAKxB,WAAWG,IAAIqB;QAAI;MACrE;IACF,CAAA;AAEA,WAAO;MAAEN;IAAW;EACtB;;;;;;;EAQA,MAAMjB,WAAWT,MAAmBC,SAAmD;AAErF,UAAM,EAAEC,YAAYC,WAAU,IAAK;MAAE,GAAGH;IAAK;AAC7C,QAAIG,YAAY;AACd,YAAMQ,MAAMR,WAAWQ;AACvB,YAAMC,MAAM,MAAMqB,0BAA0B;QAAEtB;MAAI,CAAA;AAClD,cAAQR,WAAW+B,QAAM;QACvB,KAAK;AACHxD,gBAAM,eAAeiC,IAAIwB,YAAY,yBAAyBjC,UAAAA,EAAY;AAC1E,iBAAO;YAAEU;YAAKD,KAAK;cAAE,GAAGA;cAAKM,WAAWd,WAAWc;cAAWa,KAAK3B,WAAW2B;YAAI;UAAE;QACtF;AACE,cAAInB,IAAIyB,MAAMC,QAAQ1B,IAAIyB,KAAKC,KAAKL,KAAK;AACvC,mBAAO;cAAEpB;cAAKD,KAAK;gBAAEmB,KAAK3B,WAAW2B;gBAAKb,WAAWd,WAAWc;gBAAWe,KAAKrB,IAAIyB,KAAKC,KAAKL;cAAgB;YAAE;UAClH,WAAWrB,IAAIyB,MAAME,eAAe;AAClC,mBAAO;cAAE1B;cAAKD,KAAK;gBAAEmB,KAAK3B,WAAW2B;gBAAKb,WAAWd,WAAWc;gBAAWqB,eAAe3B,IAAIyB,KAAKE;cAAc;YAAE;UACrH,OAAO;AACL,mBAAO;cAAE1B;cAAKD,KAAK;gBAAEmB,KAAK3B,WAAW2B;gBAAKb,WAAWd,WAAWc;cAAU;YAAE;UAC9E;MACJ;IACF,WAAWf,WAAWqC,WAAW,MAAA,GAAS;AACxC,YAAMC,gBAAgB,MAAMvC,QAAQa,MAAM2B,0BAA0B;QAAEvC;MAAW,CAAA;AACjF,UAAI,CAACsC,eAAe;AAClB,cAAM,IAAInB,MAAM,2CAA2CnB,UAAAA,EAAY;MACzE;AACA,YAAMS,MAAM6B,cAAc7B;AAC1B,YAAMC,MAAM,MAAMqB,0BAA0B;QAAEtB;MAAI,CAAA;AAClDjC,YAAM,eAAeiC,IAAIwB,YAAY,yBAAyBjC,UAAAA,EAAY;AAE1E,aAAO;QAAEU;QAAKD,KAAK;UAAE,GAAGA;UAAKM,WAAWuB,cAAcvB;UAAWa,KAAKU,cAAcV;QAAI;MAAE;IAC5F,OAAO;AACL,YAAMY,gBAAgB,MAAMzC,QAAQa,MAAM6B,0BAA0B;QAAEzC;MAAW,CAAA;AACjF,UAAI,CAACwC,eAAe;AAClB,cAAM,IAAIrB,MAAM,2CAA2CnB,UAAAA,EAAY;MACzE;AACA,YAAMS,MAAM+B,cAAc/B;AAC1B,YAAMC,MAAM,MAAMqB,0BAA0B;QAAEtB;MAAI,CAAA;AAClD,UAAIA,IAAIyB,MAAMC,QAAQ1B,IAAIyB,KAAKC,KAAKL,KAAK;AACvC,eAAO;UAAEpB;UAAKD,KAAK;YAAEmB,KAAKY,cAAcZ;YAAKb,WAAWyB,cAAczB;YAAWe,KAAKrB,IAAIyB,KAAKC,KAAKL;UAAgB;QAAE;MACxH,WAAWrB,IAAIyB,MAAME,eAAe;AAClC,eAAO;UAAE1B;UAAKD,KAAK;YAAEmB,KAAKY,cAAcZ;YAAKb,WAAWyB,cAAczB;YAAWqB,eAAe3B,IAAIyB,KAAKE;UAAc;QAAE;MAC3H,OAAO;AACL,eAAO;UAAE1B;UAAKD,KAAK;YAAEmB,KAAKY,cAAcZ;YAAKb,WAAWyB,cAAczB;UAAU;QAAE;MACpF;IACF;EACF;;;;;;;EAQA,MAAMtB,wBAAwBK,MAAoCC,SAAoE;AACpI,UAAM2C,OAAO,MAAMC,MAAMC,WAAW9C,KAAK+C,cAAc,KAAKjE,0BAA0BI,MAAM;AAC5F,UAAM8D,SAAS,MAAMJ,KAAKK,UAAkB,KAAKnE,0BAA0BI,MAAM;AACjF,QAAIgE;AAEJ,QAAIlD,KAAKkD,QAAQ;AACfA,eAASlD,KAAKkD;IAChB,WAAWF,OAAOG,KAAKC,KAAK;AAC1B,YAAMA,MAAMJ,OAAOG,IAAIC;AACvBF,eAASG,uBAAuB;QAAED;MAAgB,CAAA;IACpD,WAAWJ,OAAOG,KAAKrB,KAAK;AAC1BoB,eAASF,OAAOG,KAAKrB;IACvB,WAAWkB,OAAOM,KAAK;AACrBJ,eAASF,OAAOM;IAClB,OAAO;AACL,YAAM,IAAIjC,MAAM,kEAAA;IAClB;AACA,UAAM,EAAET,KAAKL,OAAM,IAAK,MAAM,KAAKR,uBAAuB;MAAEG,YAAYgD;IAAO,GAAGjD,OAAAA;AAElF,UAAMqB,QAAQ,IAAIC,gBAAgB;MAChCrC,QAAQ,KAAKJ,0BAA0BI,UAAUC;MACjDC,eAAe,KAAKN,0BAA0BM;MAC9CmE,UAAUhD;MACViD,WAAW5C,OAAO;IACpB,CAAA;AACA,UAAMmC,eAAe,MAAMzB,MAAMmC,QAAQzD,KAAK+C,cAAc/C,KAAK0D,mBAAwD;MAAEC,IAAI3D,KAAK2D;IAAG,CAAA;AAEvI,WAAO;MAAEZ;IAAa;EACxB;;;;;;;EAQA,MAAMnD,cAAcI,MAA0BC,SAA0D;AAEtG,UAAM2D,WAAqB,8BAAO/C,MAAcgD,cAAsB,KAAKC,OAAOxC,OAAOrB,SAASY,MAAMgD,SAAAA,GAA7E;AAC3B,UAAMvC,QAAQ,IAAIC,gBAAgB;MAAEqC;MAAU1E,QAAQ,KAAKJ,0BAA0BI,UAAUC;IAAsB,CAAA;AACrH,UAAM,EAAE0C,SAAS,CAAC,GAAGkC,SAASJ,GAAE,IAAK,MAAMrC,MAAMwC,OAAO9D,KAAK0B,UAAU;AAEvE,WAAO;MAAEG;MAAQkC;MAAoCJ;IAAG;EAC1D;;;;;;;;;;EAWQK,SAAS1C,OAAwBrB,SAA2BY,MAAcgD,WAAmBE,SAAuC;AAC1I,QAAI,CAACA,QAAQZ,KAAK;AAChB,YAAM9B,MAAM,4CAAA;IACd;AACA,WAAO,KAAK4C,wBAAwBhE,OAAAA,EAASY,MAAMgD,WAAW,KAAKK,OAAOH,OAAAA,CAAAA;EAC5E;;;;;;;;;EAUA,MAAMD,OACJxC,OACArB,SACAY,MACAgD,WACAM,MACkB;AAClB,UAAMC,YAAY,MAAM9C,MAAM+C,OAAO,GAAGxD,IAAAA,IAAQgD,SAAAA,EAAW;AAC3D,UAAM3C,SAAmBkD,UAAUE,IAAYP,QAAoC3C;AACnF,UAAMS,SAAUuC,UAAUE,IAAYzC;AACtC,UAAMG,MAA4BH,QAAQG;AAC1C,QAAIoB,MAAoCvB,OAAOuB;AAC/C,QAAIpB,KAAK;AACP,YAAMuC,eAAe,oBAAIC,IAAY;WAAI,KAAK3F;OAAkB;AAChE,UAAI0F,aAAaE,SAAS,GAAG;AAC3BF,qBAAaG,IAAIC,UAAAA;AACjBJ,qBAAaG,IAAIE,WAAAA;MACnB;AACA,YAAMC,8BAA8B,MAAM5E,QAAQa,MAAMgE,2BAA2B;QACjFC,OAAO/C;QACPuC,cAAcS,MAAMC,KAAKV,YAAAA;;QAEzBJ,MAAMA,MAAMe,iBAAiB;UAAEC,wBAAwB;UAAMC,0BAA0B;QAAK;MAC9F,CAAA;AAEA,UAAIP,4BAA4BQ,SAAS,CAACR,6BAA6BS,kBAAkB;AACvF,eAAOC,QAAQC,OAAOnE,MAAM,wCAAwCwD,4BAA4BY,OAAO,EAAE,CAAA;MAC3G;AACA,YAAMC,WAAWb,4BAA4BS,iBAAiB,CAAA;AAC9DlC,YAAMsC,SAASC;IACjB;AAEA,QAAI,CAACvC,OAAOvB,OAAOC,KAAKxB,SAAS,MAAA,GAAS;AACxC,YAAMsF,SAAS,MAAM3F,QAAQa,MAAM+E,WAAW;QAAEC,QAAQjE,OAAOC;MAAI,CAAA;AACnE,UAAI,CAAC8D,QAAQ;AACX,cAAM,IAAIvE,MAAM,0DAAA;MAClB;AAEA,YAAM0E,iBAAiBH,OAAOI,aAAaC,oBAAoBC,KAAK,CAACvF,QAAQA,IAAIwF,EAAE;AACnF,UAAI,CAACJ,gBAAgB;AACnB,cAAM,IAAI1E,MAAM,qEAAA;MAClB;AAGA+B,YAAM2C,eAAeK;IACvB;AAEA,QAAI,CAAChD,OAAOlC,OAAOZ,SAAS,MAAA,GAAS;AAEnC,YAAMsF,SAAS,MAAM3F,QAAQa,MAAM+E,WAAW;QAAEC,QAAQ5E;MAAO,CAAA;AAC/D,UAAI,CAAC0E,QAAQ;AACX,cAAM,IAAIvE,MAAM,0DAAA;MAClB;AAEA,YAAM0E,iBAAiBH,OAAOI,aAAaC,oBAAoBC,KAAK,CAACvF,QAAQA,IAAIwF,EAAE;AACnF,UAAI,CAACJ,gBAAgB;AACnB,cAAM,IAAI1E,MAAM,qEAAA;MAClB;AAGA+B,YAAM2C,eAAeK;IACvB;AAEA,QAAI,CAAChD,KAAK;AACR,YAAM,IAAI/B,MAAM,sDAAA;IAClB;AAEA,WAAO,KAAK4C,wBAAwBhE,OAAAA,EAASY,MAAMgD,WAAWT,GAAAA;EAChE;;;;;;;EAQA,MAAMvD,wBAAwBG,MAAoCC,SAAoE;AACpI,QAAIqB;AACJ,UAAMsC,WAAqB,8BAAO/C,MAAcgD,cAAsB,KAAKC,OAAOxC,OAAOrB,SAASY,MAAMgD,SAAAA,GAA7E;AAC3B,UAAMwC,aAAyB,8BAAOxF,MAAcgD,WAAmBE,YACrE,KAAKC,SAAS1C,OAAOrB,SAASY,MAAMgD,WAAWE,OAAAA,GADlB;AAE/BzC,YAAQ,IAAIC,gBAAgB;MAC1BqC;MACA1E,QAAQ,KAAKJ,0BAA0BI;MACvCoH,YAAYD;IACd,CAAA;AAEA,WAAO/E,MAAMwC,OAAO9D,KAAK+C,cAAc/C,KAAKuG,mBAAmBvG,KAAK2D,EAAE;EACxE;;;;;;;EAQA,MAAM7D,iCAAiCE,MAA4CC,SAAuD;AACxI,UAAM,EAAEuG,KAAKC,cAActC,KAAI,IAAKnE;AACpC,UAAM0G,MAAM,IAAIC,IAAIH,GAAAA;AAEpB,UAAMI,WAAW,MAAMC,0BAA0BH,IAAII,SAAQ,CAAA;AAC7D,UAAMC,WAA+B,MAAMH,SAASI,KAAI;AACxDC,4BAAwBF,UAAUP,GAAAA;AAElC,UAAMU,WAAW,8BAAOV,MAAaW,OAAgBC,gBAAyBlI,YAAAA;AAC5E,UAAIA,WAAUkI,gBAAgB;AAC5B,cAAMC,aAAa,MAAMC,kBAAkB;UAAEF;UAAgBD;UAAOjI,QAAAA;QAAO,CAAA;AAC3E,YAAI,CAACmI,YAAY;AACf,iBAAO9B,QAAQC,OAAOnE,MAAM,mCAAmCmF,IAAAA,cAAiBO,SAASQ,OAAO,gBAAgBH,cAAAA,GAAiB,CAAA;QACnI;MACF;IACF,GAPiB;AASjB,UAAMlI,SAAUiF,MAAMjF,UAAU,KAAKJ,0BAA0BI,UAAUC;AACzE,QAAID,QAAQ;AACV,UAAIuH,cAAc;AAChB,cAAMS,SAASV,KAAKO,UAAUN,cAAcvH,MAAAA;AAC5C,cAAMsI,gBAAgB,MAAMF,kBAAkB;UAAEF,gBAAgBX;UAAcU,OAAOJ;UAAU7H;QAAO,CAAA;AACtG,YAAI,CAACsI,eAAe;AAClB,iBAAOjC,QAAQC,OAAOnE,MAAM,mCAAmCmF,GAAAA,gBAAmBC,YAAAA,EAAc,CAAA;QAClG;MACF;AAEA,UAAIM,SAAS,mBAAA,GAAsB;AACjC,cAAMU,kBAAkB,MAAM,KAAK3H,iCAAiC;UAAE0G,KAAKO,SAAS,mBAAA;UAAsB5C;QAAK,GAAGlE,OAAAA;AAClH,cAAMiH,SAASV,KAAKiB,iBAAiBV,SAAS,mBAAA,GAAsB7H,MAAAA;MACtE;AAEA,UAAI6H,SAAS,sBAAA,GAAyB;AACpC,cAAMW,iBAAiB,MAAMb,0BAA0BE,SAASY,UAAU;AAC1E,cAAMC,SAAS,MAAMF,eAAeV,KAAI;AACxC,cAAME,SAASV,KAAKoB,QAAQb,SAAS,sBAAA,GAAyB7H,MAAAA;MAChE;AAEA6H,eAASc,SAASC,QAAQ,CAACD,YAAAA;AACzB,cAAME,sBAAsBF,QAAQG,WAAWC,QAAQC,OAAO,eAAA;AAC9D,YAAIH,qBAAqB;AACvBI,kBAAQC,IAAI,4BAAA;QACd;MACF,CAAA;IACF;AAEA,WAAOrB;EACT;EAEQ9C,wBAAwBhE,SAAiD;AAC/E,QAAI,OAAO,KAAKnB,0BAA0BuJ,oBAAoB,YAAY;AACxE,aAAO,KAAKvJ,0BAA0BuJ;IACxC;AAEA,WAAOC,uBAAuBrI,OAAAA;EAChC;EAEQiE,OAAOH,SAAiC;AAC9C,QAAIA,QAAQZ,KAAKC,QAAQrB,QAAW;AAClC,aAAOgC,QAAQZ,IAAIC;IACrB,WAAWW,QAAQZ,QAAQpB,UAAa,SAASgC,QAAQZ,OAAO,OAAOY,QAAQZ,IAAIrB,QAAQ,YAAYiC,QAAQZ,IAAIrB,IAAIS,WAAW,UAAA,GAAa;AAG7I,YAAMgG,UAAU,KAAKC,wBAAwBzE,QAAQZ,IAAIrB,GAAG;AAC5D,YAAM2G,UAAUC,gBAAgBH,OAAAA;AAChC,YAAMjE,MAAMqE,KAAKC,MAAMH,OAAAA;AACvB,aAAOnE;IACT;AACA,UAAMjD,MAAM,2CAAA;EACd;EAEQmH,wBAAwBK,KAAqB;AACnD,UAAMC,QAAQD,IAAIE,MAAM,GAAA;AACxB,QAAID,MAAME,SAAS,GAAG;AACpB,YAAM,IAAI3H,MAAM,oBAAA;IAClB;AACA,WAAOyH,MAAM,CAAA,EAAGC,MAAM,GAAA,EAAK,CAAA;EAC7B;AACF;;;AItaA,SAASE,wBAAwB;AAK1B,IAAMC,4BAA2C;EAAC;EAAiB;EAA2B;EAAiB;;AAmE/G,SAASC,sBAAsBC,SAAwC;AAC5E,SAAOC,iBAAiBD,SAAS,eAAA;AACnC;AAFgBD;","names":["SDJwt","SDJwtVcInstance","calculateJwkThumbprint","signatureAlgorithmFromKey","decodeBase64url","Debug","digestMethodParams","Loggers","v4","fromString","defaultGenerateDigest","data","alg","digestMethodParams","includes","hash","fromString","Uint8Array","defaultGenerateSalt","v4","defaultVerifySignature","context","signature","publicKey","result","agent","jwtVerifyJwsSignature","jws","jwk","Loggers","DEFAULT","get","info","message","error","funkeTestCA","sphereonCA","toString","fetchUrlWithErrorHandling","url","response","fetch","ok","Error","status","statusText","extractHashAlgFromIntegrity","integrityValue","val","toLowerCase","trim","split","undefined","extractHashFromIntegrity","validateIntegrity","input","hasher","alg","calculatedHash","createIntegrity","JSON","stringify","toString","assertValidTypeMetadata","metadata","vct","debug","Debug","SDJwtPlugin","trustAnchorsInPEM","registeredImplementations","_signers","_defaultSigner","constructor","hasher","defaultGenerateDigest","saltGenerator","defaultGenerateSalt","signers","defaultSigner","methods","createSdJwtVc","bind","createSdJwtPresentation","verifySdJwtVc","verifySdJwtPresentation","fetchSdJwtTypeMetadataFromVctUrl","getSignerForIdentifier","args","context","identifier","resolution","Object","keys","includes","signer","signingKey","getSignKey","vmRelationship","key","alg","data","agent","keyManagerSign","keyRef","kmsKeyRef","issuer","credentialPayload","iss","Error","sdjwt","SDJwtVcInstance","signAlg","hashAlg","credential","issue","disclosureFrame","header","kid","undefined","x5c","signatureAlgorithmFromKey","method","publicKeyHex","meta","x509","jwkThumbprint","startsWith","didIdentifier","identifierManagedGetByDid","kidIdentifier","identifierManagedGetByKid","cred","SDJwt","fromEncode","presentation","claims","getClaims","holder","cnf","jwk","calculateJwkThumbprint","sub","kbSigner","kbSignAlg","present","presentationFrame","kb","verifier","signature","verify","payload","verifyKb","verifySignatureCallback","getJwk","opts","decodedVC","decode","jwt","trustAnchors","Set","size","add","sphereonCA","funkeTestCA","certificateValidationResult","x509VerifyCertificateChain","chain","Array","from","x5cValidation","trustRootWhenNoAnchors","allowNoTrustAnchorsFound","error","certificateChain","Promise","reject","message","certInfo","publicKeyJWK","didDoc","resolveDid","didUrl","didDocumentKey","didDocument","verificationMethod","find","id","publicKeyJwk","verifierKb","kbVerifier","requiredClaimKeys","vct","vctIntegrity","url","URL","response","fetchUrlWithErrorHandling","toString","metadata","json","assertValidTypeMetadata","validate","input","integrityValue","validation","validateIntegrity","extends","vctValidation","extendsMetadata","schemaResponse","schema_uri","schema","display","forEach","simpleLogoIntegrity","rendering","simple","logo","console","log","verifySignature","defaultVerifySignature","encoded","extractBase64FromDIDJwk","decoded","decodeBase64url","JSON","parse","did","parts","split","length","contextHasPlugin","sdJwtPluginContextMethods","contextHasSDJwtPlugin","context","contextHasPlugin"]}
+{"version":3,"sources":["../src/action-handler.ts","../src/defaultCallbacks.ts","../src/trustAnchors.ts","../src/utils.ts","../src/types.ts"],"sourcesContent":["import { Jwt, SDJwt } from '@sd-jwt/core'\nimport { SDJwtVcInstance, SdJwtVcPayload } from '@sd-jwt/sd-jwt-vc'\nimport { DisclosureFrame, Hasher, JwtPayload, KbVerifier, PresentationFrame, Signer, Verifier } from '@sd-jwt/types'\nimport { calculateJwkThumbprint, signatureAlgorithmFromKey } from '@sphereon/ssi-sdk-ext.key-utils'\nimport { X509CertificateChainValidationOpts } from '@sphereon/ssi-sdk-ext.x509-utils'\nimport { HasherSync, JsonWebKey, JWK, SdJwtTypeMetadata } from '@sphereon/ssi-types'\nimport { IAgentPlugin } from '@veramo/core'\nimport { decodeBase64url } from '@veramo/utils'\nimport Debug from 'debug'\nimport { defaultGenerateDigest, defaultGenerateSalt, defaultVerifySignature } from './defaultCallbacks'\nimport { funkeTestCA, sphereonCA } from './trustAnchors'\nimport { assertValidTypeMetadata, fetchUrlWithErrorHandling, validateIntegrity } from './utils'\nimport {\n  Claims,\n  FetchSdJwtTypeMetadataFromVctUrlArgs,\n  GetSignerForIdentifierArgs,\n  GetSignerResult,\n  ICreateSdJwtPresentationArgs,\n  ICreateSdJwtPresentationResult,\n  ICreateSdJwtVcArgs,\n  ICreateSdJwtVcResult,\n  IRequiredContext,\n  ISDJwtPlugin,\n  IVerifySdJwtPresentationArgs,\n  IVerifySdJwtPresentationResult,\n  IVerifySdJwtVcArgs,\n  IVerifySdJwtVcResult,\n  SdJWTImplementation,\n  SdJwtVerifySignature,\n  SignKeyArgs,\n  SignKeyResult,\n} from './types'\n\nconst debug = Debug('@sphereon/ssi-sdk.sd-jwt')\n\n/**\n * @beta\n * SD-JWT plugin\n */\nexport class SDJwtPlugin implements IAgentPlugin {\n  // @ts-ignore\n  private readonly trustAnchorsInPEM: string[]\n  private readonly registeredImplementations: SdJWTImplementation\n  private _signers: Record<string, Signer>\n  private _defaultSigner?: Signer\n\n  constructor(\n    registeredImplementations?: SdJWTImplementation & {\n      signers?: Record<string, Signer>\n      defaultSigner?: Signer\n    },\n    trustAnchorsInPEM?: string[],\n  ) {\n    this.trustAnchorsInPEM = trustAnchorsInPEM ?? []\n    if (!registeredImplementations) {\n      registeredImplementations = {}\n    }\n    if (typeof registeredImplementations?.hasher !== 'function') {\n      registeredImplementations.hasher = defaultGenerateDigest\n    }\n    if (typeof registeredImplementations?.saltGenerator !== 'function') {\n      registeredImplementations.saltGenerator = defaultGenerateSalt\n    }\n    this.registeredImplementations = registeredImplementations\n    this._signers = registeredImplementations?.signers ?? {}\n    this._defaultSigner = registeredImplementations?.defaultSigner\n\n    // Verify signature default is used below in the methods if not provided here, as it needs the context of the agent\n  }\n\n  // map the methods your plugin is declaring to their implementation\n  readonly methods: ISDJwtPlugin = {\n    createSdJwtVc: this.createSdJwtVc.bind(this),\n    createSdJwtPresentation: this.createSdJwtPresentation.bind(this),\n    verifySdJwtVc: this.verifySdJwtVc.bind(this),\n    verifySdJwtPresentation: this.verifySdJwtPresentation.bind(this),\n    fetchSdJwtTypeMetadataFromVctUrl: this.fetchSdJwtTypeMetadataFromVctUrl.bind(this),\n  }\n\n  private async getSignerForIdentifier(args: GetSignerForIdentifierArgs, context: IRequiredContext): Promise<GetSignerResult> {\n    const { identifier, resolution } = args\n    if (Object.keys(this._signers).includes(identifier) && typeof this._signers[identifier] === 'function') {\n      return { signer: this._signers[identifier] }\n    } else if (typeof this._defaultSigner === 'function') {\n      return { signer: this._defaultSigner }\n    }\n    const signingKey = await this.getSignKey({ identifier, vmRelationship: 'assertionMethod', resolution }, context)\n    const { key, alg } = signingKey\n\n    const signer: Signer = async (data: string): Promise<string> => {\n      return context.agent.keyManagerSign({ keyRef: key.kmsKeyRef, data })\n    }\n\n    return { signer, alg, signingKey }\n  }\n\n  /**\n   * Create a signed SD-JWT credential.\n   * @param args - Arguments necessary for the creation of a SD-JWT credential.\n   * @param context - This reserved param is automatically added and handled by the framework, *do not override*\n   * @returns A signed SD-JWT credential.\n   */\n  async createSdJwtVc(args: ICreateSdJwtVcArgs, context: IRequiredContext): Promise<ICreateSdJwtVcResult> {\n    const issuer = args.credentialPayload.iss\n    if (!issuer) {\n      throw new Error('credential.issuer must not be empty')\n    }\n    const { alg, signer, signingKey } = await this.getSignerForIdentifier({ identifier: issuer, resolution: args.resolution }, context)\n    const sdjwt = new SDJwtVcInstance({\n      signer,\n      hasher: this.registeredImplementations.hasher,\n      saltGenerator: this.registeredImplementations.saltGenerator,\n      signAlg: alg ?? 'ES256',\n      hashAlg: 'sha-256',\n    })\n\n    const credential = await sdjwt.issue(args.credentialPayload, args.disclosureFrame as DisclosureFrame<typeof args.credentialPayload>, {\n      header: {\n        ...(signingKey?.key.kid !== undefined && { kid: signingKey.key.kid }),\n        ...(signingKey?.key.x5c !== undefined && { x5c: signingKey.key.x5c }),\n      },\n    })\n\n    return { credential }\n  }\n\n  /**\n   * Get the key to sign the SD-JWT\n   * @param args - consists of twp arguments: identifier like a did and other forms of identifiers and vmRelationship which represents the purpose of the key\n   * @param context - agent instance\n   * @returns the key to sign the SD-JWT\n   */\n  async getSignKey(args: SignKeyArgs, context: IRequiredContext): Promise<SignKeyResult> {\n    // TODO Using identifierManagedGetByDid now (new managed identifier resolution). Evaluate of we need to implement more identifier types here\n    const { identifier, resolution } = { ...args }\n    if (resolution) {\n      const key = resolution.key\n      const alg = await signatureAlgorithmFromKey({ key })\n      switch (resolution.method) {\n        case 'did':\n          debug(`Signing key ${key.publicKeyHex} found for identifier ${identifier}`)\n          return { alg, key: { ...key, kmsKeyRef: resolution.kmsKeyRef, kid: resolution.kid } }\n        default:\n          if (key.meta?.x509 && key.meta.x509.x5c) {\n            return { alg, key: { kid: resolution.kid, kmsKeyRef: resolution.kmsKeyRef, x5c: key.meta.x509.x5c as string[] } }\n          } else if (key.meta?.jwkThumbprint) {\n            return { alg, key: { kid: resolution.kid, kmsKeyRef: resolution.kmsKeyRef, jwkThumbprint: key.meta.jwkThumbprint } }\n          } else {\n            return { alg, key: { kid: resolution.kid, kmsKeyRef: resolution.kmsKeyRef } }\n          }\n      }\n    } else if (identifier.startsWith('did:')) {\n      const didIdentifier = await context.agent.identifierManagedGetByDid({ identifier })\n      if (!didIdentifier) {\n        throw new Error(`No identifier found with the given did: ${identifier}`)\n      }\n      const key = didIdentifier.key\n      const alg = await signatureAlgorithmFromKey({ key })\n      debug(`Signing key ${key.publicKeyHex} found for identifier ${identifier}`)\n\n      return { alg, key: { ...key, kmsKeyRef: didIdentifier.kmsKeyRef, kid: didIdentifier.kid } }\n    } else {\n      const kidIdentifier = await context.agent.identifierManagedGetByKid({ identifier })\n      if (!kidIdentifier) {\n        throw new Error(`No identifier found with the given kid: ${identifier}`)\n      }\n      const key = kidIdentifier.key\n      const alg = await signatureAlgorithmFromKey({ key })\n      if (key.meta?.x509 && key.meta.x509.x5c) {\n        return { alg, key: { kid: kidIdentifier.kid, kmsKeyRef: kidIdentifier.kmsKeyRef, x5c: key.meta.x509.x5c as string[] } }\n      } else if (key.meta?.jwkThumbprint) {\n        return { alg, key: { kid: kidIdentifier.kid, kmsKeyRef: kidIdentifier.kmsKeyRef, jwkThumbprint: key.meta.jwkThumbprint } }\n      } else {\n        return { alg, key: { kid: kidIdentifier.kid, kmsKeyRef: kidIdentifier.kmsKeyRef } }\n      }\n    }\n  }\n\n  /**\n   * Create a signed SD-JWT presentation.\n   * @param args - Arguments necessary for the creation of a SD-JWT presentation.\n   * @param context - This reserved param is automatically added and handled by the framework, *do not override*\n   * @returns A signed SD-JWT presentation.\n   */\n  async createSdJwtPresentation(args: ICreateSdJwtPresentationArgs, context: IRequiredContext): Promise<ICreateSdJwtPresentationResult> {\n    const cred = await SDJwt.fromEncode(args.presentation, this.registeredImplementations.hasher!)\n    const claims = await cred.getClaims<Claims>(this.registeredImplementations.hasher!)\n    let holder: string\n    // we primarly look for a cnf field, if it's not there we look for a sub field. If this is also not given, we throw an error since we can not sign it.\n    if (args.holder) {\n      holder = args.holder\n    } else if (claims.cnf?.jwk) {\n      const jwk = claims.cnf.jwk\n      holder = calculateJwkThumbprint({ jwk: jwk as JWK })\n    } else if (claims.cnf?.kid) {\n      holder = claims.cnf?.kid\n    } else if (claims.sub) {\n      holder = claims.sub as string\n    } else {\n      throw new Error('invalid_argument: credential does not include a holder reference')\n    }\n    const { alg, signer } = await this.getSignerForIdentifier({ identifier: holder }, context)\n\n    const sdjwt = new SDJwtVcInstance({\n      hasher: this.registeredImplementations.hasher ?? defaultGenerateDigest,\n      saltGenerator: this.registeredImplementations.saltGenerator,\n      kbSigner: signer,\n      kbSignAlg: alg ?? 'ES256',\n    })\n    const presentation = await sdjwt.present(args.presentation, args.presentationFrame as PresentationFrame<SdJwtVcPayload>, { kb: args.kb })\n\n    return { presentation }\n  }\n\n  /**\n   * Verify a signed SD-JWT credential.\n   * @param args - Arguments necessary for the verify a SD-JWT credential.\n   * @param context - This reserved param is automatically added and handled by the framework, *do not override*\n   * @returns\n   */\n  async verifySdJwtVc(args: IVerifySdJwtVcArgs, context: IRequiredContext): Promise<IVerifySdJwtVcResult> {\n    // callback\n    const verifier: Verifier = async (data: string, signature: string) => this.verify(sdjwt, context, data, signature)\n    const sdjwt = new SDJwtVcInstance({ verifier, hasher: this.registeredImplementations.hasher ?? defaultGenerateDigest })\n    const { header = {}, payload, kb } = await sdjwt.verify(args.credential)\n\n    return { header, payload: payload as SdJwtVcPayload, kb }\n  }\n\n  /**\n   * Verify the key binding of a SD-JWT by validating the signature of the key bound to the SD-JWT\n   * @param sdjwt - SD-JWT instance\n   * @param context - This reserved param is automatically added and handled by the framework, *do not override*\n   * @param data - signed data\n   * @param signature - The signature\n   * @param payload - The payload of the SD-JWT\n   * @returns\n   */\n  private verifyKb(sdjwt: SDJwtVcInstance, context: IRequiredContext, data: string, signature: string, payload: JwtPayload): Promise<boolean> {\n    if (!payload.cnf) {\n      throw Error('other method than cnf is not supported yet')\n    }\n    return this.verifySignatureCallback(context)(data, signature, this.getJwk(payload))\n  }\n\n  /**\n   * Validates the signature of a SD-JWT\n   * @param sdjwt - SD-JWT instance\n   * @param context - This reserved param is automatically added and handled by the framework, *do not override*\n   * @param data - signed data\n   * @param signature - The signature\n   * @returns\n   */\n  async verify(\n    sdjwt: SDJwtVcInstance,\n    context: IRequiredContext,\n    data: string,\n    signature: string,\n    opts?: { x5cValidation?: X509CertificateChainValidationOpts },\n  ): Promise<boolean> {\n    const decodedVC = await sdjwt.decode(`${data}.${signature}`)\n    const issuer: string = ((decodedVC.jwt as Jwt).payload as Record<string, unknown>).iss as string\n    const header = (decodedVC.jwt as Jwt).header as Record<string, any>\n    const x5c: string[] | undefined = header?.x5c as string[]\n    let jwk: JWK | JsonWebKey | undefined = header.jwk\n    if (x5c) {\n      const trustAnchors = new Set<string>([...this.trustAnchorsInPEM])\n      if (trustAnchors.size === 0) {\n        trustAnchors.add(sphereonCA)\n        trustAnchors.add(funkeTestCA)\n      }\n      const certificateValidationResult = await context.agent.x509VerifyCertificateChain({\n        chain: x5c,\n        trustAnchors: Array.from(trustAnchors),\n        // TODO: Defaults to allowing untrusted certs! Fine for now, not when wallets go mainstream\n        opts: opts?.x5cValidation ?? { trustRootWhenNoAnchors: true, allowNoTrustAnchorsFound: true },\n      })\n\n      if (certificateValidationResult.error || !certificateValidationResult?.certificateChain) {\n        return Promise.reject(Error(`Certificate chain validation failed. ${certificateValidationResult.message}`))\n      }\n      const certInfo = certificateValidationResult.certificateChain[0]\n      jwk = certInfo.publicKeyJWK as JWK\n    }\n\n    if (!jwk && header.kid?.includes('did:')) {\n      const didDoc = await context.agent.resolveDid({ didUrl: header.kid })\n      if (!didDoc) {\n        throw new Error('invalid_issuer: issuer did not resolve to a did document')\n      }\n      //TODO SDK-20: This should be checking for an assertionMethod and not just an verificationMethod with an id\n      const didDocumentKey = didDoc.didDocument?.verificationMethod?.find((key) => key.id)\n      if (!didDocumentKey) {\n        throw new Error('invalid_issuer: issuer did document does not include referenced key')\n      }\n      //FIXME SDK-21: in case it's another did method, the value of the key can be also encoded as a base64url\n      // needs more checks. some DID methods do not expose the keys as publicKeyJwk\n      jwk = didDocumentKey.publicKeyJwk as JsonWebKey\n    }\n\n    if (!jwk && issuer.includes('did:')) {\n      // TODO refactor\n      const didDoc = await context.agent.resolveDid({ didUrl: issuer })\n      if (!didDoc) {\n        throw new Error('invalid_issuer: issuer did not resolve to a did document')\n      }\n      //TODO SDK-20: This should be checking for an assertionMethod and not just an verificationMethod with an id\n      const didDocumentKey = didDoc.didDocument?.verificationMethod?.find((key) => key.id)\n      if (!didDocumentKey) {\n        throw new Error('invalid_issuer: issuer did document does not include referenced key')\n      }\n      //FIXME SDK-21: in case it's another did method, the value of the key can be also encoded as a base64url\n      // needs more checks. some DID methods do not expose the keys as publicKeyJwk\n      jwk = didDocumentKey.publicKeyJwk as JsonWebKey\n    }\n\n    if (!jwk) {\n      throw new Error('No valid public key found for signature verification')\n    }\n\n    return this.verifySignatureCallback(context)(data, signature, jwk)\n  }\n\n  /**\n   * Verify a signed SD-JWT presentation.\n   * @param args - Arguments necessary for the verify a SD-JWT presentation.\n   * @param context - This reserved param is automatically added and handled by the framework, *do not override*\n   * @returns\n   */\n  async verifySdJwtPresentation(args: IVerifySdJwtPresentationArgs, context: IRequiredContext): Promise<IVerifySdJwtPresentationResult> {\n    let sdjwt: SDJwtVcInstance\n    const verifier: Verifier = async (data: string, signature: string) => this.verify(sdjwt, context, data, signature)\n    const verifierKb: KbVerifier = async (data: string, signature: string, payload: JwtPayload) =>\n      this.verifyKb(sdjwt, context, data, signature, payload)\n    sdjwt = new SDJwtVcInstance({\n      verifier,\n      hasher: this.registeredImplementations.hasher,\n      kbVerifier: verifierKb,\n    })\n\n    return sdjwt.verify(args.presentation, args.requiredClaimKeys, args.kb)\n  }\n\n  /**\n   * Fetch and validate Type Metadata.\n   * @param args - Arguments necessary for fetching and validating the type metadata.\n   * @param context - This reserved param is automatically added and handled by the framework, *do not override*\n   * @returns\n   */\n  async fetchSdJwtTypeMetadataFromVctUrl(args: FetchSdJwtTypeMetadataFromVctUrlArgs, context: IRequiredContext): Promise<SdJwtTypeMetadata> {\n    const { vct, vctIntegrity, opts } = args\n    const url = new URL(vct)\n\n    const response = await fetchUrlWithErrorHandling(url.toString())\n    const metadata: SdJwtTypeMetadata = (await response.json()) as SdJwtTypeMetadata\n    assertValidTypeMetadata(metadata, vct)\n\n    const validate = async (vct: string, input: unknown, integrityValue?: string, hasher?: Hasher | HasherSync) => {\n      if (hasher && integrityValue) {\n        const validation = await validateIntegrity({ integrityValue, input, hasher })\n        if (!validation) {\n          return Promise.reject(Error(`Integrity check failed for vct: ${vct}, extends: ${metadata.extends}, integrity: ${integrityValue}}`))\n        }\n      }\n    }\n\n    const hasher = (opts?.hasher ?? this.registeredImplementations.hasher ?? defaultGenerateDigest) as Hasher | HasherSync | undefined\n    if (hasher) {\n      if (vctIntegrity) {\n        await validate(vct, metadata, vctIntegrity, hasher)\n        const vctValidation = await validateIntegrity({ integrityValue: vctIntegrity, input: metadata, hasher })\n        if (!vctValidation) {\n          return Promise.reject(Error(`Integrity check failed for vct: ${vct}, integrity: ${vctIntegrity}`))\n        }\n      }\n\n      if (metadata['extends#integrity']) {\n        const extendsMetadata = await this.fetchSdJwtTypeMetadataFromVctUrl({ vct: metadata['extends#integrity'], opts }, context)\n        await validate(vct, extendsMetadata, metadata['extends#integrity'], hasher)\n      }\n\n      if (metadata['schema_uri#integrity']) {\n        const schemaResponse = await fetchUrlWithErrorHandling(metadata.schema_uri!)\n        const schema = await schemaResponse.json()\n        await validate(vct, schema, metadata['schema_uri#integrity'], hasher)\n      }\n\n      metadata.display?.forEach((display) => {\n        const simpleLogoIntegrity = display.rendering?.simple?.logo?.['uri#integrity']\n        if (simpleLogoIntegrity) {\n          console.log('TODO: Logo integrity check')\n        }\n      })\n    }\n\n    return metadata\n  }\n\n  private verifySignatureCallback(context: IRequiredContext): SdJwtVerifySignature {\n    if (typeof this.registeredImplementations.verifySignature === 'function') {\n      return this.registeredImplementations.verifySignature\n    }\n\n    return defaultVerifySignature(context)\n  }\n\n  private getJwk(payload: JwtPayload): JsonWebKey {\n    if (payload.cnf?.jwk !== undefined) {\n      return payload.cnf.jwk as JsonWebKey\n    } else if (payload.cnf !== undefined && 'kid' in payload.cnf && typeof payload.cnf.kid === 'string' && payload.cnf.kid.startsWith('did:jwk:')) {\n      // extract JWK from kid FIXME isn't there a did function for this already? Otherwise create one\n      // FIXME this is a quick-fix to make verification but we need a real solution\n      const encoded = this.extractBase64FromDIDJwk(payload.cnf.kid)\n      const decoded = decodeBase64url(encoded)\n      const jwt = JSON.parse(decoded)\n      return jwt as JsonWebKey\n    }\n    throw Error('Unable to extract JWK from SD-JWT payload')\n  }\n\n  private extractBase64FromDIDJwk(did: string): string {\n    const parts = did.split(':')\n    if (parts.length < 3) {\n      throw new Error('Invalid DID format')\n    }\n    return parts[2].split('#')[0]\n  }\n}\n","import { digestMethodParams } from '@sphereon/ssi-sdk-ext.key-utils'\nimport { HasherSync, JsonWebKey, JWK, Loggers } from '@sphereon/ssi-types'\nimport { v4 } from 'uuid'\n// @ts-ignore\nimport { fromString } from 'uint8arrays/from-string'\nimport { IRequiredContext, SdJwtVerifySignature } from './types'\n\nexport const defaultGenerateDigest: HasherSync = (data: string | ArrayBuffer, alg: string): Uint8Array => {\n  return digestMethodParams(alg.includes('256') ? 'SHA-256' : 'SHA-512').hash(\n    typeof data === 'string' ? fromString(data, 'utf-8') : new Uint8Array(data),\n  )\n}\n\nexport const defaultGenerateSalt = (): string => {\n  return v4()\n}\n\nexport const defaultVerifySignature =\n  (context: IRequiredContext): SdJwtVerifySignature =>\n  async (data: string, signature: string, publicKey: JsonWebKey): Promise<boolean> => {\n    // The data and signature from the sd-jwt lib are a jwt header.payload and signature, so let's recombine into a compact jwt\n    const result = await context.agent.jwtVerifyJwsSignature({ jws: `${data}.${signature}`, jwk: publicKey as JWK })\n    Loggers.DEFAULT.get('sd-jwt').info(`SD-JWT signature verified. Result: ${result.message}`)\n    return !result.error\n  }\n","export const funkeTestCA =\n  '-----BEGIN CERTIFICATE-----\\n' +\n  'MIICeTCCAiCgAwIBAgIUB5E9QVZtmUYcDtCjKB/H3VQv72gwCgYIKoZIzj0EAwIwgYgxCzAJBgNVBAYTAkRFMQ8wDQYDVQQHDAZCZXJsaW4xHTAbBgNVBAoMFEJ1bmRlc2RydWNrZXJlaSBHbWJIMREwDwYDVQQLDAhUIENTIElERTE2MDQGA1UEAwwtU1BSSU5EIEZ1bmtlIEVVREkgV2FsbGV0IFByb3RvdHlwZSBJc3N1aW5nIENBMB4XDTI0MDUzMTA2NDgwOVoXDTM0MDUyOTA2NDgwOVowgYgxCzAJBgNVBAYTAkRFMQ8wDQYDVQQHDAZCZXJsaW4xHTAbBgNVBAoMFEJ1bmRlc2RydWNrZXJlaSBHbWJIMREwDwYDVQQLDAhUIENTIElERTE2MDQGA1UEAwwtU1BSSU5EIEZ1bmtlIEVVREkgV2FsbGV0IFByb3RvdHlwZSBJc3N1aW5nIENBMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEYGzdwFDnc7+Kn5ibAvCOM8ke77VQxqfMcwZL8IaIA+WCROcCfmY/giH92qMru5p/kyOivE0RC/IbdMONvDoUyaNmMGQwHQYDVR0OBBYEFNRWGMCJOOgOWIQYyXZiv6u7xZC+MB8GA1UdIwQYMBaAFNRWGMCJOOgOWIQYyXZiv6u7xZC+MBIGA1UdEwEB/wQIMAYBAf8CAQAwDgYDVR0PAQH/BAQDAgGGMAoGCCqGSM49BAMCA0cAMEQCIGEm7wkZKHt/atb4MdFnXW6yrnwMUT2u136gdtl10Y6hAiBuTFqvVYth1rbxzCP0xWZHmQK9kVyxn8GPfX27EIzzsw==\\n' +\n  '-----END CERTIFICATE-----'\n\nexport const sphereonCA =\n  '-----BEGIN CERTIFICATE-----\\n' +\n  'MIICCDCCAa6gAwIBAgITAPMgqwtYzWPBXaobHhxG9iSydTAKBggqhkjOPQQDAjBa\\n' +\n  'MQswCQYDVQQGEwJOTDEkMCIGA1UECgwbU3BoZXJlb24gSW50ZXJuYXRpb25hbCBC\\n' +\n  'LlYuMQswCQYDVQQLDAJJVDEYMBYGA1UEAwwPY2Euc3BoZXJlb24uY29tMB4XDTI0\\n' +\n  'MDcyODIxMjY0OVoXDTM0MDcyODIxMjY0OVowWjELMAkGA1UEBhMCTkwxJDAiBgNV\\n' +\n  'BAoMG1NwaGVyZW9uIEludGVybmF0aW9uYWwgQi5WLjELMAkGA1UECwwCSVQxGDAW\\n' +\n  'BgNVBAMMD2NhLnNwaGVyZW9uLmNvbTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\\n' +\n  'BEiA0KeESSNrOcmCDga8YsBkUTgowZGwqvL2n91JUpAMdRSwvlVFdqdiLXnk2pQq\\n' +\n  'T1vZnDG0I+x+iz2EbdsG0aajUzBRMB0GA1UdDgQWBBTnB8pdlVz5yKD+zuNkRR6A\\n' +\n  'sywywTAOBgNVHQ8BAf8EBAMCAaYwDwYDVR0lBAgwBgYEVR0lADAPBgNVHRMBAf8E\\n' +\n  'BTADAQH/MAoGCCqGSM49BAMCA0gAMEUCIHH7ie1OAAbff5262rzZVQa8J9zENG8A\\n' +\n  'QlHHFydMdgaXAiEA1Ib82mhHIYDziE0DDbHEAXOs98al+7dpo8fPGVGTeKI=\\n' +\n  '-----END CERTIFICATE-----'\n","import { SdJwtTypeMetadata } from '@sphereon/ssi-types'\n// @ts-ignore\nimport { toString } from 'uint8arrays/to-string'\nimport { Hasher, HasherSync } from '@sd-jwt/types'\n\n// Helper function to fetch API with error handling\nexport async function fetchUrlWithErrorHandling(url: string): Promise<Response> {\n  const response = await fetch(url)\n  if (!response.ok) {\n    throw new Error(`${response.status}: ${response.statusText}`)\n  }\n  return response\n}\n\nexport type IntegrityAlg = 'sha256' | 'sha384' | 'sha512'\n\nfunction extractHashAlgFromIntegrity(integrityValue?: string): IntegrityAlg | undefined {\n  const val = integrityValue?.toLowerCase().trim().split('-')[0]\n  if (val === 'sha256' || val === 'sha384' || val === 'sha512') {\n    return val as IntegrityAlg\n  }\n  return undefined\n}\n\nexport function extractHashFromIntegrity(integrityValue?: string): string | undefined {\n  return integrityValue?.toLowerCase().trim().split('-')[1]\n}\n\nexport async function validateIntegrity({\n  input,\n  integrityValue,\n  hasher,\n}: {\n  input: any\n  integrityValue?: string\n  hasher: HasherSync | Hasher\n}): Promise<boolean> {\n  if (!integrityValue) {\n    return true\n  }\n  const alg = extractHashAlgFromIntegrity(integrityValue)\n  if (!alg) {\n    return false\n  }\n  const calculatedHash = await createIntegrity({ hasher, input, alg })\n  return calculatedHash == integrityValue\n}\n\nexport async function createIntegrity({\n  input,\n  hasher,\n  alg = 'sha256',\n}: {\n  input: any\n  hasher: HasherSync | Hasher\n  alg?: IntegrityAlg\n}): Promise<string> {\n  const calculatedHash = await hasher(typeof input === 'string' ? input : JSON.stringify(input), alg)\n  return `${alg}-${toString(calculatedHash, 'base64')}`\n}\n\nexport function assertValidTypeMetadata(metadata: SdJwtTypeMetadata, vct: string): void {\n  if (metadata.vct !== vct) {\n    throw new Error('VCT mismatch in metadata and credential')\n  }\n}\n","import { SdJwtVcPayload as SdJwtPayload } from '@sd-jwt/sd-jwt-vc'\nimport { Hasher, kbHeader, KBOptions, kbPayload, SaltGenerator, Signer } from '@sd-jwt/types'\nimport { IIdentifierResolution, ManagedIdentifierResult } from '@sphereon/ssi-sdk-ext.identifier-resolution'\nimport { IJwtService } from '@sphereon/ssi-sdk-ext.jwt-service'\nimport { X509CertificateChainValidationOpts } from '@sphereon/ssi-sdk-ext.x509-utils'\nimport { contextHasPlugin } from '@sphereon/ssi-sdk.agent-config'\nimport { ImDLMdoc } from '@sphereon/ssi-sdk.mdl-mdoc'\nimport { HasherSync, JoseSignatureAlgorithm, JsonWebKey, SdJwtTypeMetadata } from '@sphereon/ssi-types'\nimport { DIDDocumentSection, IAgentContext, IDIDManager, IKeyManager, IPluginMethodMap, IResolver } from '@veramo/core'\n\nexport const sdJwtPluginContextMethods: Array<string> = ['createSdJwtVc', 'createSdJwtPresentation', 'verifySdJwtVc', 'verifySdJwtPresentation']\n\n/**\n * My Agent Plugin description.\n *\n * This is the interface that describes what your plugin can do.\n * The methods listed here, will be directly available to the veramo agent where your plugin is going to be used.\n * Depending on the agent configuration, other agent plugins, as well as the application where the agent is used\n * will be able to call these methods.\n *\n * To build a schema for your plugin using standard tools, you must link to this file in your package.json.\n * Example:\n * ```\n * \"veramo\": {\n *    \"pluginInterfaces\": {\n *      \"IMyAgentPlugin\": \"./src/types/IMyAgentPlugin.ts\"\n *    }\n *  },\n * ```\n *\n * @beta\n */\nexport interface ISDJwtPlugin extends IPluginMethodMap {\n  /**\n   * Your plugin method description\n   *\n   * @param args - Input parameters for this method\n   * @param context - The required context where this method can run.\n   *   Declaring a context type here lets other developers know which other plugins\n   *   need to also be installed for this method to work.\n   */\n  /**\n   * Create a signed SD-JWT credential.\n   * @param args - Arguments necessary for the creation of a SD-JWT credential.\n   * @param context - This reserved param is automatically added and handled by the framework, *do not override*\n   */\n  createSdJwtVc(args: ICreateSdJwtVcArgs, context: IRequiredContext): Promise<ICreateSdJwtVcResult>\n\n  /**\n   * Create a signed SD-JWT presentation.\n   * @param args - Arguments necessary for the creation of a SD-JWT presentation.\n   * @param context - This reserved param is automatically added and handled by the framework, *do not override*\n   */\n  createSdJwtPresentation(args: ICreateSdJwtPresentationArgs, context: IRequiredContext): Promise<ICreateSdJwtPresentationResult>\n\n  /**\n   * Verify a signed SD-JWT credential.\n   * @param args - Arguments necessary for the verification of a SD-JWT credential.\n   * @param context - This reserved param is automatically added and handled by the framework, *do not override*\n   */\n  verifySdJwtVc(args: IVerifySdJwtVcArgs, context: IRequiredContext): Promise<IVerifySdJwtVcResult>\n\n  /**\n   * Verify a signed SD-JWT presentation.\n   * @param args - Arguments necessary for the verification of a SD-JWT presentation.\n   * @param context - This reserved param is automatically added and handled by the framework, *do not override*\n   */\n  verifySdJwtPresentation(args: IVerifySdJwtPresentationArgs, context: IRequiredContext): Promise<IVerifySdJwtPresentationResult>\n\n  /**\n   * Fetch and validate Type Metadata.\n   * @param args - Arguments necessary for fetching and validating the type metadata.\n   * @param context - This reserved param is automatically added and handled by the framework, *do not override*\n   */\n  fetchSdJwtTypeMetadataFromVctUrl(args: FetchSdJwtTypeMetadataFromVctUrlArgs, context: IRequiredContext): Promise<SdJwtTypeMetadata>\n}\n\nexport function contextHasSDJwtPlugin(context: IAgentContext<IPluginMethodMap>): context is IAgentContext<ISDJwtPlugin> {\n  return contextHasPlugin(context, 'verifySdJwtVc')\n}\n\n/**\n * ICreateSdJwtVcArgs\n *\n * @beta\n */\n\nexport interface SdJwtVcPayload extends SdJwtPayload {\n  x5c?: string[]\n}\n\nexport interface ICreateSdJwtVcArgs {\n  credentialPayload: SdJwtVcPayload\n\n  // biome-ignore lint/suspicious/noExplicitAny: <explanation>\n  disclosureFrame?: IDisclosureFrame\n\n  resolution?: ManagedIdentifierResult\n}\n\n/**\n * @beta\n */\nexport interface IDisclosureFrame {\n  _sd?: string[]\n  _sd_decoy?: number\n\n  [x: string]: string[] | number | IDisclosureFrame | undefined\n}\n\n/**\n * ICreateSdJwtVcResult\n *\n * @beta\n */\nexport interface ICreateSdJwtVcResult {\n  /**\n   * the encoded sd-jwt credential\n   */\n  credential: string\n}\n\n/**\n *\n * @beta\n */\nexport interface ICreateSdJwtPresentationArgs {\n  /**\n   * Encoded SD-JWT credential\n   */\n  presentation: string\n\n  /*\n   * The keys to use for selective disclosure for presentation\n   * if not provided, all keys will be disclosed\n   * if empty object, no keys will be disclosed\n   */\n  presentationFrame?: IPresentationFrame\n\n  /**\n   * Allows to override the holder. Normally it will be looked up from the cnf or sub values\n   */\n  holder?: string\n\n  /**\n   * Information to include to add key binding.\n   */\n  kb?: KBOptions\n}\n\n/**\n * @beta\n */\nexport interface IPresentationFrame {\n  [x: string]: boolean | IPresentationFrame\n}\n\n/**\n * Created presentation\n * @beta\n */\nexport interface ICreateSdJwtPresentationResult {\n  /**\n   * Encoded presentation.\n   */\n  presentation: string\n}\n\n/**\n * @beta\n */\nexport interface IVerifySdJwtVcArgs {\n  credential: string\n  opts?: {\n    x5cValidation?: X509CertificateChainValidationOpts\n  }\n}\n\n/**\n * @beta\n */\nexport type IVerifySdJwtVcResult = {\n  payload: SdJwtPayload\n  header: Record<string, unknown>\n  kb?: { header: kbHeader; payload: kbPayload }\n}\n\n/**\n * @beta\n */\nexport interface IVerifySdJwtPresentationArgs {\n  presentation: string\n\n  requiredClaimKeys?: string[]\n\n  kb?: boolean\n}\n\n/**\n * @beta\n */\nexport type IVerifySdJwtPresentationResult = {\n  payload: unknown //fixme: maybe this can be `SdJwtPayload`\n  header: Record<string, unknown> | undefined\n  kb?: { header: kbHeader; payload: kbPayload }\n}\n\nexport type SignKeyArgs = {\n  identifier: string\n  vmRelationship: DIDDocumentSection\n  resolution?: ManagedIdentifierResult\n}\n\nexport type SignKeyResult = {\n  alg: JoseSignatureAlgorithm\n  key: {\n    kid?: string\n    kmsKeyRef: string\n    x5c?: string[]\n    jwkThumbprint?: string\n  }\n}\n/**\n * This context describes the requirements of this plugin.\n * For this plugin to function properly, the agent needs to also have other plugins installed that implement the\n * interfaces declared here.\n * You can also define requirements on a more granular level, for each plugin method or event handler of your plugin.\n *\n * @beta\n */\nexport type IRequiredContext = IAgentContext<IDIDManager & IIdentifierResolution & IJwtService & IResolver & IKeyManager & ImDLMdoc>\n\nexport type SdJwtVerifySignature = (data: string, signature: string, publicKey: JsonWebKey) => Promise<boolean>\nexport interface SdJWTImplementation {\n  saltGenerator?: SaltGenerator\n  hasher?: HasherSync\n  verifySignature?: SdJwtVerifySignature\n}\n\nexport interface Claims {\n  /**\n   * Subject of the SD-JWT\n   */\n  sub?: string\n  cnf?: {\n    jwk?: JsonWebKey\n    kid?: string\n  }\n\n  [key: string]: unknown\n}\n\nexport type FetchSdJwtTypeMetadataFromVctUrlArgs = {\n  vct: string\n  vctIntegrity?: string\n  opts?: FetchSdJwtTypeMetadataFromVctUrlOpts\n}\n\nexport type FetchSdJwtTypeMetadataFromVctUrlOpts = {\n  hasher?: HasherSync | Hasher\n}\n\nexport type GetSignerForIdentifierArgs = {\n  identifier: string\n  resolution?: ManagedIdentifierResult\n}\n\nexport type GetSignerResult = {\n  signer: Signer\n  alg?: string\n  signingKey?: SignKeyResult\n}\n"],"mappings":";;;;AAAA,SAAcA,aAAa;AAC3B,SAASC,uBAAuC;AAEhD,SAASC,wBAAwBC,iCAAiC;AAIlE,SAASC,uBAAuB;AAChC,OAAOC,WAAW;;;ACRlB,SAASC,0BAA0B;AACnC,SAAsCC,eAAe;AACrD,SAASC,UAAU;AAEnB,SAASC,kBAAkB;AAGpB,IAAMC,wBAAoC,wBAACC,MAA4BC,QAAAA;AAC5E,SAAOC,mBAAmBD,IAAIE,SAAS,KAAA,IAAS,YAAY,SAAA,EAAWC,KACrE,OAAOJ,SAAS,WAAWK,WAAWL,MAAM,OAAA,IAAW,IAAIM,WAAWN,IAAAA,CAAAA;AAE1E,GAJiD;AAM1C,IAAMO,sBAAsB,6BAAA;AACjC,SAAOC,GAAAA;AACT,GAFmC;AAI5B,IAAMC,yBACX,wBAACC,YACD,OAAOV,MAAcW,WAAmBC,cAAAA;AAEtC,QAAMC,SAAS,MAAMH,QAAQI,MAAMC,sBAAsB;IAAEC,KAAK,GAAGhB,IAAAA,IAAQW,SAAAA;IAAaM,KAAKL;EAAiB,CAAA;AAC9GM,UAAQC,QAAQC,IAAI,QAAA,EAAUC,KAAK,sCAAsCR,OAAOS,OAAO,EAAE;AACzF,SAAO,CAACT,OAAOU;AACjB,GANA;;;AClBK,IAAMC,cACX;AAIK,IAAMC,aACX;;;ACJF,SAASC,gBAAgB;AAIzB,eAAsBC,0BAA0BC,KAAW;AACzD,QAAMC,WAAW,MAAMC,MAAMF,GAAAA;AAC7B,MAAI,CAACC,SAASE,IAAI;AAChB,UAAM,IAAIC,MAAM,GAAGH,SAASI,MAAM,KAAKJ,SAASK,UAAU,EAAE;EAC9D;AACA,SAAOL;AACT;AANsBF;AAUtB,SAASQ,4BAA4BC,gBAAuB;AAC1D,QAAMC,MAAMD,gBAAgBE,YAAAA,EAAcC,KAAAA,EAAOC,MAAM,GAAA,EAAK,CAAA;AAC5D,MAAIH,QAAQ,YAAYA,QAAQ,YAAYA,QAAQ,UAAU;AAC5D,WAAOA;EACT;AACA,SAAOI;AACT;AANSN;AAQF,SAASO,yBAAyBN,gBAAuB;AAC9D,SAAOA,gBAAgBE,YAAAA,EAAcC,KAAAA,EAAOC,MAAM,GAAA,EAAK,CAAA;AACzD;AAFgBE;AAIhB,eAAsBC,kBAAkB,EACtCC,OACAR,gBACAS,OAAM,GAKP;AACC,MAAI,CAACT,gBAAgB;AACnB,WAAO;EACT;AACA,QAAMU,MAAMX,4BAA4BC,cAAAA;AACxC,MAAI,CAACU,KAAK;AACR,WAAO;EACT;AACA,QAAMC,iBAAiB,MAAMC,gBAAgB;IAAEH;IAAQD;IAAOE;EAAI,CAAA;AAClE,SAAOC,kBAAkBX;AAC3B;AAlBsBO;AAoBtB,eAAsBK,gBAAgB,EACpCJ,OACAC,QACAC,MAAM,SAAQ,GAKf;AACC,QAAMC,iBAAiB,MAAMF,OAAO,OAAOD,UAAU,WAAWA,QAAQK,KAAKC,UAAUN,KAAAA,GAAQE,GAAAA;AAC/F,SAAO,GAAGA,GAAAA,IAAOK,SAASJ,gBAAgB,QAAA,CAAA;AAC5C;AAXsBC;AAaf,SAASI,wBAAwBC,UAA6BC,KAAW;AAC9E,MAAID,SAASC,QAAQA,KAAK;AACxB,UAAM,IAAItB,MAAM,yCAAA;EAClB;AACF;AAJgBoB;;;AH5BhB,IAAMG,QAAQC,MAAM,0BAAA;AAMb,IAAMC,cAAN,MAAMA;EAvCb,OAuCaA;;;;EAEMC;EACAC;EACTC;EACAC;EAER,YACEF,2BAIAD,mBACA;AACA,SAAKA,oBAAoBA,qBAAqB,CAAA;AAC9C,QAAI,CAACC,2BAA2B;AAC9BA,kCAA4B,CAAC;IAC/B;AACA,QAAI,OAAOA,2BAA2BG,WAAW,YAAY;AAC3DH,gCAA0BG,SAASC;IACrC;AACA,QAAI,OAAOJ,2BAA2BK,kBAAkB,YAAY;AAClEL,gCAA0BK,gBAAgBC;IAC5C;AACA,SAAKN,4BAA4BA;AACjC,SAAKC,WAAWD,2BAA2BO,WAAW,CAAC;AACvD,SAAKL,iBAAiBF,2BAA2BQ;EAGnD;;EAGSC,UAAwB;IAC/BC,eAAe,KAAKA,cAAcC,KAAK,IAAI;IAC3CC,yBAAyB,KAAKA,wBAAwBD,KAAK,IAAI;IAC/DE,eAAe,KAAKA,cAAcF,KAAK,IAAI;IAC3CG,yBAAyB,KAAKA,wBAAwBH,KAAK,IAAI;IAC/DI,kCAAkC,KAAKA,iCAAiCJ,KAAK,IAAI;EACnF;EAEA,MAAcK,uBAAuBC,MAAkCC,SAAqD;AAC1H,UAAM,EAAEC,YAAYC,WAAU,IAAKH;AACnC,QAAII,OAAOC,KAAK,KAAKrB,QAAQ,EAAEsB,SAASJ,UAAAA,KAAe,OAAO,KAAKlB,SAASkB,UAAAA,MAAgB,YAAY;AACtG,aAAO;QAAEK,QAAQ,KAAKvB,SAASkB,UAAAA;MAAY;IAC7C,WAAW,OAAO,KAAKjB,mBAAmB,YAAY;AACpD,aAAO;QAAEsB,QAAQ,KAAKtB;MAAe;IACvC;AACA,UAAMuB,aAAa,MAAM,KAAKC,WAAW;MAAEP;MAAYQ,gBAAgB;MAAmBP;IAAW,GAAGF,OAAAA;AACxG,UAAM,EAAEU,KAAKC,IAAG,IAAKJ;AAErB,UAAMD,SAAiB,8BAAOM,SAAAA;AAC5B,aAAOZ,QAAQa,MAAMC,eAAe;QAAEC,QAAQL,IAAIM;QAAWJ;MAAK,CAAA;IACpE,GAFuB;AAIvB,WAAO;MAAEN;MAAQK;MAAKJ;IAAW;EACnC;;;;;;;EAQA,MAAMf,cAAcO,MAA0BC,SAA0D;AACtG,UAAMiB,SAASlB,KAAKmB,kBAAkBC;AACtC,QAAI,CAACF,QAAQ;AACX,YAAM,IAAIG,MAAM,qCAAA;IAClB;AACA,UAAM,EAAET,KAAKL,QAAQC,WAAU,IAAK,MAAM,KAAKT,uBAAuB;MAAEG,YAAYgB;MAAQf,YAAYH,KAAKG;IAAW,GAAGF,OAAAA;AAC3H,UAAMqB,QAAQ,IAAIC,gBAAgB;MAChChB;MACArB,QAAQ,KAAKH,0BAA0BG;MACvCE,eAAe,KAAKL,0BAA0BK;MAC9CoC,SAASZ,OAAO;MAChBa,SAAS;IACX,CAAA;AAEA,UAAMC,aAAa,MAAMJ,MAAMK,MAAM3B,KAAKmB,mBAAmBnB,KAAK4B,iBAAmE;MACnIC,QAAQ;QACN,GAAIrB,YAAYG,IAAImB,QAAQC,UAAa;UAAED,KAAKtB,WAAWG,IAAImB;QAAI;QACnE,GAAItB,YAAYG,IAAIqB,QAAQD,UAAa;UAAEC,KAAKxB,WAAWG,IAAIqB;QAAI;MACrE;IACF,CAAA;AAEA,WAAO;MAAEN;IAAW;EACtB;;;;;;;EAQA,MAAMjB,WAAWT,MAAmBC,SAAmD;AAErF,UAAM,EAAEC,YAAYC,WAAU,IAAK;MAAE,GAAGH;IAAK;AAC7C,QAAIG,YAAY;AACd,YAAMQ,MAAMR,WAAWQ;AACvB,YAAMC,MAAM,MAAMqB,0BAA0B;QAAEtB;MAAI,CAAA;AAClD,cAAQR,WAAW+B,QAAM;QACvB,KAAK;AACHvD,gBAAM,eAAegC,IAAIwB,YAAY,yBAAyBjC,UAAAA,EAAY;AAC1E,iBAAO;YAAEU;YAAKD,KAAK;cAAE,GAAGA;cAAKM,WAAWd,WAAWc;cAAWa,KAAK3B,WAAW2B;YAAI;UAAE;QACtF;AACE,cAAInB,IAAIyB,MAAMC,QAAQ1B,IAAIyB,KAAKC,KAAKL,KAAK;AACvC,mBAAO;cAAEpB;cAAKD,KAAK;gBAAEmB,KAAK3B,WAAW2B;gBAAKb,WAAWd,WAAWc;gBAAWe,KAAKrB,IAAIyB,KAAKC,KAAKL;cAAgB;YAAE;UAClH,WAAWrB,IAAIyB,MAAME,eAAe;AAClC,mBAAO;cAAE1B;cAAKD,KAAK;gBAAEmB,KAAK3B,WAAW2B;gBAAKb,WAAWd,WAAWc;gBAAWqB,eAAe3B,IAAIyB,KAAKE;cAAc;YAAE;UACrH,OAAO;AACL,mBAAO;cAAE1B;cAAKD,KAAK;gBAAEmB,KAAK3B,WAAW2B;gBAAKb,WAAWd,WAAWc;cAAU;YAAE;UAC9E;MACJ;IACF,WAAWf,WAAWqC,WAAW,MAAA,GAAS;AACxC,YAAMC,gBAAgB,MAAMvC,QAAQa,MAAM2B,0BAA0B;QAAEvC;MAAW,CAAA;AACjF,UAAI,CAACsC,eAAe;AAClB,cAAM,IAAInB,MAAM,2CAA2CnB,UAAAA,EAAY;MACzE;AACA,YAAMS,MAAM6B,cAAc7B;AAC1B,YAAMC,MAAM,MAAMqB,0BAA0B;QAAEtB;MAAI,CAAA;AAClDhC,YAAM,eAAegC,IAAIwB,YAAY,yBAAyBjC,UAAAA,EAAY;AAE1E,aAAO;QAAEU;QAAKD,KAAK;UAAE,GAAGA;UAAKM,WAAWuB,cAAcvB;UAAWa,KAAKU,cAAcV;QAAI;MAAE;IAC5F,OAAO;AACL,YAAMY,gBAAgB,MAAMzC,QAAQa,MAAM6B,0BAA0B;QAAEzC;MAAW,CAAA;AACjF,UAAI,CAACwC,eAAe;AAClB,cAAM,IAAIrB,MAAM,2CAA2CnB,UAAAA,EAAY;MACzE;AACA,YAAMS,MAAM+B,cAAc/B;AAC1B,YAAMC,MAAM,MAAMqB,0BAA0B;QAAEtB;MAAI,CAAA;AAClD,UAAIA,IAAIyB,MAAMC,QAAQ1B,IAAIyB,KAAKC,KAAKL,KAAK;AACvC,eAAO;UAAEpB;UAAKD,KAAK;YAAEmB,KAAKY,cAAcZ;YAAKb,WAAWyB,cAAczB;YAAWe,KAAKrB,IAAIyB,KAAKC,KAAKL;UAAgB;QAAE;MACxH,WAAWrB,IAAIyB,MAAME,eAAe;AAClC,eAAO;UAAE1B;UAAKD,KAAK;YAAEmB,KAAKY,cAAcZ;YAAKb,WAAWyB,cAAczB;YAAWqB,eAAe3B,IAAIyB,KAAKE;UAAc;QAAE;MAC3H,OAAO;AACL,eAAO;UAAE1B;UAAKD,KAAK;YAAEmB,KAAKY,cAAcZ;YAAKb,WAAWyB,cAAczB;UAAU;QAAE;MACpF;IACF;EACF;;;;;;;EAQA,MAAMtB,wBAAwBK,MAAoCC,SAAoE;AACpI,UAAM2C,OAAO,MAAMC,MAAMC,WAAW9C,KAAK+C,cAAc,KAAKhE,0BAA0BG,MAAM;AAC5F,UAAM8D,SAAS,MAAMJ,KAAKK,UAAkB,KAAKlE,0BAA0BG,MAAM;AACjF,QAAIgE;AAEJ,QAAIlD,KAAKkD,QAAQ;AACfA,eAASlD,KAAKkD;IAChB,WAAWF,OAAOG,KAAKC,KAAK;AAC1B,YAAMA,MAAMJ,OAAOG,IAAIC;AACvBF,eAASG,uBAAuB;QAAED;MAAgB,CAAA;IACpD,WAAWJ,OAAOG,KAAKrB,KAAK;AAC1BoB,eAASF,OAAOG,KAAKrB;IACvB,WAAWkB,OAAOM,KAAK;AACrBJ,eAASF,OAAOM;IAClB,OAAO;AACL,YAAM,IAAIjC,MAAM,kEAAA;IAClB;AACA,UAAM,EAAET,KAAKL,OAAM,IAAK,MAAM,KAAKR,uBAAuB;MAAEG,YAAYgD;IAAO,GAAGjD,OAAAA;AAElF,UAAMqB,QAAQ,IAAIC,gBAAgB;MAChCrC,QAAQ,KAAKH,0BAA0BG,UAAUC;MACjDC,eAAe,KAAKL,0BAA0BK;MAC9CmE,UAAUhD;MACViD,WAAW5C,OAAO;IACpB,CAAA;AACA,UAAMmC,eAAe,MAAMzB,MAAMmC,QAAQzD,KAAK+C,cAAc/C,KAAK0D,mBAAwD;MAAEC,IAAI3D,KAAK2D;IAAG,CAAA;AAEvI,WAAO;MAAEZ;IAAa;EACxB;;;;;;;EAQA,MAAMnD,cAAcI,MAA0BC,SAA0D;AAEtG,UAAM2D,WAAqB,8BAAO/C,MAAcgD,cAAsB,KAAKC,OAAOxC,OAAOrB,SAASY,MAAMgD,SAAAA,GAA7E;AAC3B,UAAMvC,QAAQ,IAAIC,gBAAgB;MAAEqC;MAAU1E,QAAQ,KAAKH,0BAA0BG,UAAUC;IAAsB,CAAA;AACrH,UAAM,EAAE0C,SAAS,CAAC,GAAGkC,SAASJ,GAAE,IAAK,MAAMrC,MAAMwC,OAAO9D,KAAK0B,UAAU;AAEvE,WAAO;MAAEG;MAAQkC;MAAoCJ;IAAG;EAC1D;;;;;;;;;;EAWQK,SAAS1C,OAAwBrB,SAA2BY,MAAcgD,WAAmBE,SAAuC;AAC1I,QAAI,CAACA,QAAQZ,KAAK;AAChB,YAAM9B,MAAM,4CAAA;IACd;AACA,WAAO,KAAK4C,wBAAwBhE,OAAAA,EAASY,MAAMgD,WAAW,KAAKK,OAAOH,OAAAA,CAAAA;EAC5E;;;;;;;;;EAUA,MAAMD,OACJxC,OACArB,SACAY,MACAgD,WACAM,MACkB;AAClB,UAAMC,YAAY,MAAM9C,MAAM+C,OAAO,GAAGxD,IAAAA,IAAQgD,SAAAA,EAAW;AAC3D,UAAM3C,SAAmBkD,UAAUE,IAAYP,QAAoC3C;AACnF,UAAMS,SAAUuC,UAAUE,IAAYzC;AACtC,UAAMG,MAA4BH,QAAQG;AAC1C,QAAIoB,MAAoCvB,OAAOuB;AAC/C,QAAIpB,KAAK;AACP,YAAMuC,eAAe,oBAAIC,IAAY;WAAI,KAAK1F;OAAkB;AAChE,UAAIyF,aAAaE,SAAS,GAAG;AAC3BF,qBAAaG,IAAIC,UAAAA;AACjBJ,qBAAaG,IAAIE,WAAAA;MACnB;AACA,YAAMC,8BAA8B,MAAM5E,QAAQa,MAAMgE,2BAA2B;QACjFC,OAAO/C;QACPuC,cAAcS,MAAMC,KAAKV,YAAAA;;QAEzBJ,MAAMA,MAAMe,iBAAiB;UAAEC,wBAAwB;UAAMC,0BAA0B;QAAK;MAC9F,CAAA;AAEA,UAAIP,4BAA4BQ,SAAS,CAACR,6BAA6BS,kBAAkB;AACvF,eAAOC,QAAQC,OAAOnE,MAAM,wCAAwCwD,4BAA4BY,OAAO,EAAE,CAAA;MAC3G;AACA,YAAMC,WAAWb,4BAA4BS,iBAAiB,CAAA;AAC9DlC,YAAMsC,SAASC;IACjB;AAEA,QAAI,CAACvC,OAAOvB,OAAOC,KAAKxB,SAAS,MAAA,GAAS;AACxC,YAAMsF,SAAS,MAAM3F,QAAQa,MAAM+E,WAAW;QAAEC,QAAQjE,OAAOC;MAAI,CAAA;AACnE,UAAI,CAAC8D,QAAQ;AACX,cAAM,IAAIvE,MAAM,0DAAA;MAClB;AAEA,YAAM0E,iBAAiBH,OAAOI,aAAaC,oBAAoBC,KAAK,CAACvF,QAAQA,IAAIwF,EAAE;AACnF,UAAI,CAACJ,gBAAgB;AACnB,cAAM,IAAI1E,MAAM,qEAAA;MAClB;AAGA+B,YAAM2C,eAAeK;IACvB;AAEA,QAAI,CAAChD,OAAOlC,OAAOZ,SAAS,MAAA,GAAS;AAEnC,YAAMsF,SAAS,MAAM3F,QAAQa,MAAM+E,WAAW;QAAEC,QAAQ5E;MAAO,CAAA;AAC/D,UAAI,CAAC0E,QAAQ;AACX,cAAM,IAAIvE,MAAM,0DAAA;MAClB;AAEA,YAAM0E,iBAAiBH,OAAOI,aAAaC,oBAAoBC,KAAK,CAACvF,QAAQA,IAAIwF,EAAE;AACnF,UAAI,CAACJ,gBAAgB;AACnB,cAAM,IAAI1E,MAAM,qEAAA;MAClB;AAGA+B,YAAM2C,eAAeK;IACvB;AAEA,QAAI,CAAChD,KAAK;AACR,YAAM,IAAI/B,MAAM,sDAAA;IAClB;AAEA,WAAO,KAAK4C,wBAAwBhE,OAAAA,EAASY,MAAMgD,WAAWT,GAAAA;EAChE;;;;;;;EAQA,MAAMvD,wBAAwBG,MAAoCC,SAAoE;AACpI,QAAIqB;AACJ,UAAMsC,WAAqB,8BAAO/C,MAAcgD,cAAsB,KAAKC,OAAOxC,OAAOrB,SAASY,MAAMgD,SAAAA,GAA7E;AAC3B,UAAMwC,aAAyB,8BAAOxF,MAAcgD,WAAmBE,YACrE,KAAKC,SAAS1C,OAAOrB,SAASY,MAAMgD,WAAWE,OAAAA,GADlB;AAE/BzC,YAAQ,IAAIC,gBAAgB;MAC1BqC;MACA1E,QAAQ,KAAKH,0BAA0BG;MACvCoH,YAAYD;IACd,CAAA;AAEA,WAAO/E,MAAMwC,OAAO9D,KAAK+C,cAAc/C,KAAKuG,mBAAmBvG,KAAK2D,EAAE;EACxE;;;;;;;EAQA,MAAM7D,iCAAiCE,MAA4CC,SAAuD;AACxI,UAAM,EAAEuG,KAAKC,cAActC,KAAI,IAAKnE;AACpC,UAAM0G,MAAM,IAAIC,IAAIH,GAAAA;AAEpB,UAAMI,WAAW,MAAMC,0BAA0BH,IAAII,SAAQ,CAAA;AAC7D,UAAMC,WAA+B,MAAMH,SAASI,KAAI;AACxDC,4BAAwBF,UAAUP,GAAAA;AAElC,UAAMU,WAAW,8BAAOV,MAAaW,OAAgBC,gBAAyBlI,YAAAA;AAC5E,UAAIA,WAAUkI,gBAAgB;AAC5B,cAAMC,aAAa,MAAMC,kBAAkB;UAAEF;UAAgBD;UAAOjI,QAAAA;QAAO,CAAA;AAC3E,YAAI,CAACmI,YAAY;AACf,iBAAO9B,QAAQC,OAAOnE,MAAM,mCAAmCmF,IAAAA,cAAiBO,SAASQ,OAAO,gBAAgBH,cAAAA,GAAiB,CAAA;QACnI;MACF;IACF,GAPiB;AASjB,UAAMlI,SAAUiF,MAAMjF,UAAU,KAAKH,0BAA0BG,UAAUC;AACzE,QAAID,QAAQ;AACV,UAAIuH,cAAc;AAChB,cAAMS,SAASV,KAAKO,UAAUN,cAAcvH,MAAAA;AAC5C,cAAMsI,gBAAgB,MAAMF,kBAAkB;UAAEF,gBAAgBX;UAAcU,OAAOJ;UAAU7H;QAAO,CAAA;AACtG,YAAI,CAACsI,eAAe;AAClB,iBAAOjC,QAAQC,OAAOnE,MAAM,mCAAmCmF,GAAAA,gBAAmBC,YAAAA,EAAc,CAAA;QAClG;MACF;AAEA,UAAIM,SAAS,mBAAA,GAAsB;AACjC,cAAMU,kBAAkB,MAAM,KAAK3H,iCAAiC;UAAE0G,KAAKO,SAAS,mBAAA;UAAsB5C;QAAK,GAAGlE,OAAAA;AAClH,cAAMiH,SAASV,KAAKiB,iBAAiBV,SAAS,mBAAA,GAAsB7H,MAAAA;MACtE;AAEA,UAAI6H,SAAS,sBAAA,GAAyB;AACpC,cAAMW,iBAAiB,MAAMb,0BAA0BE,SAASY,UAAU;AAC1E,cAAMC,SAAS,MAAMF,eAAeV,KAAI;AACxC,cAAME,SAASV,KAAKoB,QAAQb,SAAS,sBAAA,GAAyB7H,MAAAA;MAChE;AAEA6H,eAASc,SAASC,QAAQ,CAACD,YAAAA;AACzB,cAAME,sBAAsBF,QAAQG,WAAWC,QAAQC,OAAO,eAAA;AAC9D,YAAIH,qBAAqB;AACvBI,kBAAQC,IAAI,4BAAA;QACd;MACF,CAAA;IACF;AAEA,WAAOrB;EACT;EAEQ9C,wBAAwBhE,SAAiD;AAC/E,QAAI,OAAO,KAAKlB,0BAA0BsJ,oBAAoB,YAAY;AACxE,aAAO,KAAKtJ,0BAA0BsJ;IACxC;AAEA,WAAOC,uBAAuBrI,OAAAA;EAChC;EAEQiE,OAAOH,SAAiC;AAC9C,QAAIA,QAAQZ,KAAKC,QAAQrB,QAAW;AAClC,aAAOgC,QAAQZ,IAAIC;IACrB,WAAWW,QAAQZ,QAAQpB,UAAa,SAASgC,QAAQZ,OAAO,OAAOY,QAAQZ,IAAIrB,QAAQ,YAAYiC,QAAQZ,IAAIrB,IAAIS,WAAW,UAAA,GAAa;AAG7I,YAAMgG,UAAU,KAAKC,wBAAwBzE,QAAQZ,IAAIrB,GAAG;AAC5D,YAAM2G,UAAUC,gBAAgBH,OAAAA;AAChC,YAAMjE,MAAMqE,KAAKC,MAAMH,OAAAA;AACvB,aAAOnE;IACT;AACA,UAAMjD,MAAM,2CAAA;EACd;EAEQmH,wBAAwBK,KAAqB;AACnD,UAAMC,QAAQD,IAAIE,MAAM,GAAA;AACxB,QAAID,MAAME,SAAS,GAAG;AACpB,YAAM,IAAI3H,MAAM,oBAAA;IAClB;AACA,WAAOyH,MAAM,CAAA,EAAGC,MAAM,GAAA,EAAK,CAAA;EAC7B;AACF;;;AItaA,SAASE,wBAAwB;AAK1B,IAAMC,4BAA2C;EAAC;EAAiB;EAA2B;EAAiB;;AAmE/G,SAASC,sBAAsBC,SAAwC;AAC5E,SAAOC,iBAAiBD,SAAS,eAAA;AACnC;AAFgBD;","names":["SDJwt","SDJwtVcInstance","calculateJwkThumbprint","signatureAlgorithmFromKey","decodeBase64url","Debug","digestMethodParams","Loggers","v4","fromString","defaultGenerateDigest","data","alg","digestMethodParams","includes","hash","fromString","Uint8Array","defaultGenerateSalt","v4","defaultVerifySignature","context","signature","publicKey","result","agent","jwtVerifyJwsSignature","jws","jwk","Loggers","DEFAULT","get","info","message","error","funkeTestCA","sphereonCA","toString","fetchUrlWithErrorHandling","url","response","fetch","ok","Error","status","statusText","extractHashAlgFromIntegrity","integrityValue","val","toLowerCase","trim","split","undefined","extractHashFromIntegrity","validateIntegrity","input","hasher","alg","calculatedHash","createIntegrity","JSON","stringify","toString","assertValidTypeMetadata","metadata","vct","debug","Debug","SDJwtPlugin","trustAnchorsInPEM","registeredImplementations","_signers","_defaultSigner","hasher","defaultGenerateDigest","saltGenerator","defaultGenerateSalt","signers","defaultSigner","methods","createSdJwtVc","bind","createSdJwtPresentation","verifySdJwtVc","verifySdJwtPresentation","fetchSdJwtTypeMetadataFromVctUrl","getSignerForIdentifier","args","context","identifier","resolution","Object","keys","includes","signer","signingKey","getSignKey","vmRelationship","key","alg","data","agent","keyManagerSign","keyRef","kmsKeyRef","issuer","credentialPayload","iss","Error","sdjwt","SDJwtVcInstance","signAlg","hashAlg","credential","issue","disclosureFrame","header","kid","undefined","x5c","signatureAlgorithmFromKey","method","publicKeyHex","meta","x509","jwkThumbprint","startsWith","didIdentifier","identifierManagedGetByDid","kidIdentifier","identifierManagedGetByKid","cred","SDJwt","fromEncode","presentation","claims","getClaims","holder","cnf","jwk","calculateJwkThumbprint","sub","kbSigner","kbSignAlg","present","presentationFrame","kb","verifier","signature","verify","payload","verifyKb","verifySignatureCallback","getJwk","opts","decodedVC","decode","jwt","trustAnchors","Set","size","add","sphereonCA","funkeTestCA","certificateValidationResult","x509VerifyCertificateChain","chain","Array","from","x5cValidation","trustRootWhenNoAnchors","allowNoTrustAnchorsFound","error","certificateChain","Promise","reject","message","certInfo","publicKeyJWK","didDoc","resolveDid","didUrl","didDocumentKey","didDocument","verificationMethod","find","id","publicKeyJwk","verifierKb","kbVerifier","requiredClaimKeys","vct","vctIntegrity","url","URL","response","fetchUrlWithErrorHandling","toString","metadata","json","assertValidTypeMetadata","validate","input","integrityValue","validation","validateIntegrity","extends","vctValidation","extendsMetadata","schemaResponse","schema_uri","schema","display","forEach","simpleLogoIntegrity","rendering","simple","logo","console","log","verifySignature","defaultVerifySignature","encoded","extractBase64FromDIDJwk","decoded","decodeBase64url","JSON","parse","did","parts","split","length","contextHasPlugin","sdJwtPluginContextMethods","contextHasSDJwtPlugin","context","contextHasPlugin"]}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sphereon/ssi-sdk.sd-jwt",
-  "version": "0.34.0",
+  "version": "0.34.1-next.3+6c49ea2f",
   "source": "src/index.ts",
   "type": "module",
   "main": "./dist/index.cjs",
@@ -28,14 +28,14 @@
   "dependencies": {
     "@sd-jwt/core": "^0.9.2",
     "@sd-jwt/sd-jwt-vc": "^0.9.2",
-    "@sphereon/ssi-sdk-ext.did-utils": "0.29.0",
-    "@sphereon/ssi-sdk-ext.identifier-resolution": "0.29.0",
-    "@sphereon/ssi-sdk-ext.jwt-service": "0.29.0",
-    "@sphereon/ssi-sdk-ext.key-utils": "0.29.0",
-    "@sphereon/ssi-sdk-ext.x509-utils": "0.29.0",
-    "@sphereon/ssi-sdk.agent-config": "0.34.0",
-    "@sphereon/ssi-sdk.mdl-mdoc": "0.34.0",
-    "@sphereon/ssi-types": "0.34.0",
+    "@sphereon/ssi-sdk-ext.did-utils": "0.29.1-next.3",
+    "@sphereon/ssi-sdk-ext.identifier-resolution": "0.29.1-next.3",
+    "@sphereon/ssi-sdk-ext.jwt-service": "0.29.1-next.3",
+    "@sphereon/ssi-sdk-ext.key-utils": "0.29.1-next.3",
+    "@sphereon/ssi-sdk-ext.x509-utils": "0.29.1-next.3",
+    "@sphereon/ssi-sdk.agent-config": "0.34.1-next.3+6c49ea2f",
+    "@sphereon/ssi-sdk.mdl-mdoc": "0.34.1-next.3+6c49ea2f",
+    "@sphereon/ssi-types": "0.34.1-next.3+6c49ea2f",
     "@veramo/utils": "4.2.0",
     "debug": "^4.3.5",
     "uint8arrays": "^3.1.1",
@@ -45,10 +45,10 @@
     "@sd-jwt/decode": "^0.9.2",
     "@sd-jwt/types": "^0.9.2",
     "@sd-jwt/utils": "^0.9.2",
-    "@sphereon/ssi-sdk-ext.did-provider-jwk": "0.29.0",
-    "@sphereon/ssi-sdk-ext.did-resolver-jwk": "0.29.0",
-    "@sphereon/ssi-sdk-ext.key-manager": "0.29.0",
-    "@sphereon/ssi-sdk-ext.kms-local": "0.29.0",
+    "@sphereon/ssi-sdk-ext.did-provider-jwk": "0.29.1-next.3",
+    "@sphereon/ssi-sdk-ext.did-resolver-jwk": "0.29.1-next.3",
+    "@sphereon/ssi-sdk-ext.key-manager": "0.29.1-next.3",
+    "@sphereon/ssi-sdk-ext.kms-local": "0.29.1-next.3",
     "@types/node": "^20.17.1",
     "@types/uuid": "^9.0.8",
     "@veramo/core": "4.2.0",
@@ -83,5 +83,5 @@
     "Selective Disclosure",
     "Verifiable Credential"
   ],
-  "gitHead": "b1c9c5e91a9ce4bc677ff2cce5f2d520a16b366d"
+  "gitHead": "6c49ea2f9c1bc61641ca2c98e3aa0a5b48018d91"
 }