@sphereon/ssi-sdk.sd-jwt 0.34.1-feature.FIDES.1.274 → 0.34.1-feature.IDK.11.49

package/dist/index.cjs

@@ -35,22 +35,18 @@ __export(index_exports, {
   assertValidTypeMetadata: () => assertValidTypeMetadata,
   contextHasSDJwtPlugin: () => contextHasSDJwtPlugin,
   createIntegrity: () => createIntegrity,
-  defaultGenerateDigest: () => defaultGenerateDigest,
   extractHashFromIntegrity: () => extractHashFromIntegrity,
   fetchUrlWithErrorHandling: () => fetchUrlWithErrorHandling,
-  getIssuerFromSdJwt: () => getIssuerFromSdJwt,
-  isSdjwtVcPayload: () => isSdjwtVcPayload,
-  isVcdm2SdJwt: () => isVcdm2SdJwt,
-  isVcdm2SdJwtPayload: () => isVcdm2SdJwtPayload,
   sdJwtPluginContextMethods: () => sdJwtPluginContextMethods,
   validateIntegrity: () => validateIntegrity
 });
 module.exports = __toCommonJS(index_exports);
 
 // src/action-handler.ts
-var import_core2 = require("@sd-jwt/core");
-var import_sd_jwt_vc2 = require("@sd-jwt/sd-jwt-vc");
+var import_core = require("@sd-jwt/core");
+var import_sd_jwt_vc = require("@sd-jwt/sd-jwt-vc");
 var import_ssi_sdk_ext2 = require("@sphereon/ssi-sdk-ext.key-utils");
+var import_utils = require("@veramo/utils");
 var import_debug = __toESM(require("debug"), 1);
 
 // src/defaultCallbacks.ts
@@ -126,189 +122,8 @@ function assertValidTypeMetadata(metadata, vct) {
   }
 }
 __name(assertValidTypeMetadata, "assertValidTypeMetadata");
-function isVcdm2SdJwtPayload(payload) {
-  return "type" in payload && Array.isArray(payload.type) && payload.type.includes("VerifiableCredential") && "@context" in payload && (typeof payload["@context"] === "string" && payload["@context"].length > 0 || Array.isArray(payload["@context"]) && payload["@context"].length > 0 && payload["@context"].includes("https://www.w3.org/ns/credentials/v2"));
-}
-__name(isVcdm2SdJwtPayload, "isVcdm2SdJwtPayload");
-function isSdjwtVcPayload(payload) {
-  return !isVcdm2SdJwtPayload(payload) && "vct" in payload && typeof payload.vct === "string";
-}
-__name(isSdjwtVcPayload, "isSdjwtVcPayload");
-function getIssuerFromSdJwt(payload) {
-  let issuer;
-  if (isSdjwtVcPayload(payload) || "iss" in payload) {
-    issuer = payload.iss;
-  } else if (isVcdm2SdJwtPayload(payload) || "issuer" in payload && payload.issuer) {
-    issuer = typeof payload.issuer === "string" ? payload.issuer : payload.issuer?.id;
-  }
-  if (!issuer) {
-    throw new Error("No issuer (iss or VCDM 2 issuer) found in SD-JWT or no VCDM2 SD-JWT or SD-JWT VC");
-  }
-  return issuer;
-}
-__name(getIssuerFromSdJwt, "getIssuerFromSdJwt");
-
-// src/sdJwtVcdm2Instance.ts
-var import_core = require("@sd-jwt/core");
-var import_utils = require("@sd-jwt/utils");
-var import_sd_jwt_vc = require("@sd-jwt/sd-jwt-vc");
-
-// src/types.ts
-var import_ssi_sdk = require("@sphereon/ssi-sdk.agent-config");
-var sdJwtPluginContextMethods = [
-  "createSdJwtVc",
-  "createSdJwtPresentation",
-  "verifySdJwtVc",
-  "verifySdJwtPresentation"
-];
-function contextHasSDJwtPlugin(context) {
-  return (0, import_ssi_sdk.contextHasPlugin)(context, "verifySdJwtVc");
-}
-__name(contextHasSDJwtPlugin, "contextHasSDJwtPlugin");
-function isVcdm2SdJwt(type) {
-  return type === "vc+sd-jwt" || type === "vp+sd-jwt";
-}
-__name(isVcdm2SdJwt, "isVcdm2SdJwt");
-
-// src/sdJwtVcdm2Instance.ts
-var SDJwtVcdmInstanceFactory = class {
-  static {
-    __name(this, "SDJwtVcdmInstanceFactory");
-  }
-  static create(type, config) {
-    if (isVcdm2SdJwt(type)) {
-      return new SDJwtVcdm2Instance(config);
-    }
-    return new import_sd_jwt_vc.SDJwtVcInstance(config);
-  }
-};
-var SDJwtVcdm2Instance = class extends import_core.SDJwtInstance {
-  static {
-    __name(this, "SDJwtVcdm2Instance");
-  }
-  /**
-  * The type of the SD-JWT VCDM2 set in the header.typ field.
-  */
-  static type = "vc+sd-jwt";
-  userConfig = {};
-  constructor(userConfig) {
-    super(userConfig);
-    if (userConfig) {
-      this.userConfig = userConfig;
-    }
-  }
-  /**
-  * Validates if the disclosureFrame contains any reserved fields. If so it will throw an error.
-  * @param disclosureFrame
-  */
-  validateReservedFields(disclosureFrame) {
-    if (disclosureFrame?._sd && Array.isArray(disclosureFrame._sd) && disclosureFrame._sd.length > 0) {
-      const reservedNames = [
-        "iss",
-        "nbf",
-        "exp",
-        "cnf",
-        "@context",
-        "type",
-        "credentialStatus",
-        "credentialSchema",
-        "relatedResource"
-      ];
-      const reservedNamesInDisclosureFrame = disclosureFrame._sd.filter((key) => reservedNames.includes(key));
-      if (reservedNamesInDisclosureFrame.length > 0) {
-        throw new import_utils.SDJWTException(`Cannot disclose protected field(s): ${reservedNamesInDisclosureFrame.join(", ")}`);
-      }
-    }
-  }
-  /**
-  * Verifies the SD-JWT-VC. It will validate the signature, the keybindings when required, the status, and the VCT.
-  * @param encodedSDJwt
-  * @param options
-  */
-  async verify(encodedSDJwt, options) {
-    const result = await super.verify(encodedSDJwt, options).then((res) => {
-      return {
-        payload: res.payload,
-        header: res.header,
-        kb: res.kb
-      };
-    });
-    return result;
-  }
-  /**
-  * Validates the integrity of the response if the integrity is passed. If the integrity does not match, an error is thrown.
-  * @param integrity
-  * @param response
-  */
-  async validateIntegrity(response, url, integrity) {
-    if (integrity) {
-      const arrayBuffer = await response.arrayBuffer();
-      const alg = integrity.split("-")[0];
-      const hashBuffer = await this.userConfig.hasher(arrayBuffer, alg);
-      const integrityHash = integrity.split("-")[1];
-      const hash = Array.from(new Uint8Array(hashBuffer)).map((byte) => byte.toString(16).padStart(2, "0")).join("");
-      if (hash !== integrityHash) {
-        throw new Error(`Integrity check for ${url} failed: is ${hash}, but expected ${integrityHash}`);
-      }
-    }
-  }
-  /**
-  * Fetches the content from the url with a timeout of 10 seconds.
-  * @param url
-  * @param integrity
-  * @returns
-  */
-  async fetch(url, integrity) {
-    try {
-      const response = await fetch(url, {
-        signal: AbortSignal.timeout(this.userConfig.timeout ?? 1e4)
-      });
-      if (!response.ok) {
-        const errorText = await response.text();
-        return Promise.reject(new Error(`Error fetching ${url}: ${response.status} ${response.statusText} - ${errorText}`));
-      }
-      await this.validateIntegrity(response.clone(), url, integrity);
-      return response.json();
-    } catch (error) {
-      if (error.name === "TimeoutError") {
-        throw new Error(`Request to ${url} timed out`);
-      }
-      throw error;
-    }
-  }
-  async issue(payload, disclosureFrame, options) {
-    if (payload.iss && !payload.issuer) {
-      payload.issuer = {
-        id: payload.iss
-      };
-      delete payload.iss;
-    }
-    if (payload.nbf && !payload.validFrom) {
-      payload.validFrom = toVcdm2Date(payload.nbf);
-      delete payload.nbf;
-    }
-    if (payload.exp && !payload.validUntil) {
-      payload.validUntil = toVcdm2Date(payload.exp);
-      delete payload.exp;
-    }
-    if (payload.sub && !Array.isArray(payload.credentialSubject) && !payload.credentialSubject.id) {
-      payload.credentialSubject.id = payload.sub;
-      delete payload.sub;
-    }
-    return super.issue(payload, disclosureFrame, options);
-  }
-};
-function toVcdm2Date(value) {
-  const num = typeof value === "string" ? Number(value) : value;
-  if (!Number.isFinite(num)) {
-    throw new import_utils.SDJWTException(`Invalid numeric date: ${value}`);
-  }
-  return new Date(num * 1e3).toISOString();
-}
-__name(toVcdm2Date, "toVcdm2Date");
 
 // src/action-handler.ts
-var u8a = __toESM(require("uint8arrays"), 1);
 var debug = (0, import_debug.default)("@sphereon/ssi-sdk.sd-jwt");
 var SDJwtPlugin = class {
   static {
@@ -378,11 +193,7 @@ var SDJwtPlugin = class {
   * @returns A signed SD-JWT credential.
   */
   async createSdJwtVc(args, context) {
-    const payload = args.credentialPayload;
-    const isVcdm2 = isVcdm2SdJwtPayload(payload);
-    const isSdJwtVc = isSdjwtVcPayload(payload);
-    const type = args.type ?? (isVcdm2 ? "vc+sd-jwt" : "dc+sd-jwt");
-    const issuer = getIssuerFromSdJwt(args.credentialPayload);
+    const issuer = args.credentialPayload.iss;
     if (!issuer) {
       throw new Error("credential.issuer must not be empty");
     }
@@ -390,46 +201,24 @@ var SDJwtPlugin = class {
       identifier: issuer,
       resolution: args.resolution
     }, context);
-    const signAlg = alg ?? signingKey?.alg ?? "ES256";
-    const hashAlg = /(\d{3})$/.test(signAlg) ? `sha-${signAlg.slice(-3)}` : "sha-256";
-    const sdjwt = SDJwtVcdmInstanceFactory.create(type, {
-      omitTyp: true,
+    const sdjwt = new import_sd_jwt_vc.SDJwtVcInstance({
       signer,
       hasher: this.registeredImplementations.hasher,
       saltGenerator: this.registeredImplementations.saltGenerator,
-      signAlg,
-      hashAlg
+      signAlg: alg ?? "ES256",
+      hashAlg: "sha-256"
     });
-    const header = {
-      ...signingKey?.key.kid !== void 0 && {
-        kid: signingKey.key.kid
-      },
-      ...signingKey?.key.x5c !== void 0 && {
-        x5c: signingKey.key.x5c
-      },
-      ...type && {
-        typ: type
-      }
-    };
-    let credential;
-    if (isVcdm2) {
-      credential = await sdjwt.issue(
-        payload,
-        // @ts-ignore
-        args.disclosureFrame,
-        {
-          header
+    const credential = await sdjwt.issue(args.credentialPayload, args.disclosureFrame, {
+      header: {
+        ...signingKey?.key.kid !== void 0 && {
+          kid: signingKey.key.kid
+        },
+        ...signingKey?.key.x5c !== void 0 && {
+          x5c: signingKey.key.x5c
         }
-      );
-    } else if (isSdJwtVc) {
-      credential = await sdjwt.issue(payload, args.disclosureFrame, {
-        header
-      });
-    } else {
-      return Promise.reject(new Error(`invalid_argument: credential '${type}' type is not supported`));
-    }
+      }
+    });
     return {
-      type,
       credential
     };
   }
@@ -555,8 +344,7 @@ var SDJwtPlugin = class {
   * @returns A signed SD-JWT presentation.
   */
   async createSdJwtPresentation(args, context) {
-    const type = args.type ?? "dc+sd-jwt";
-    const cred = await import_core2.SDJwt.fromEncode(args.presentation, this.registeredImplementations.hasher);
+    const cred = await import_core.SDJwt.fromEncode(args.presentation, this.registeredImplementations.hasher);
     const claims = await cred.getClaims(this.registeredImplementations.hasher);
     let holder;
     if (args.holder) {
@@ -576,9 +364,8 @@ var SDJwtPlugin = class {
     const { alg, signer } = await this.getSignerForIdentifier({
       identifier: holder
     }, context);
-    const sdjwt = SDJwtVcdmInstanceFactory.create(type, {
-      omitTyp: true,
-      hasher: this.registeredImplementations.hasher,
+    const sdjwt = new import_sd_jwt_vc.SDJwtVcInstance({
+      hasher: this.registeredImplementations.hasher ?? defaultGenerateDigest,
       saltGenerator: this.registeredImplementations.saltGenerator,
       kbSigner: signer,
       kbSignAlg: alg ?? "ES256"
@@ -587,7 +374,6 @@ var SDJwtPlugin = class {
       kb: args.kb
     });
     return {
-      type,
       presentation
     };
   }
@@ -598,18 +384,13 @@ var SDJwtPlugin = class {
   * @returns
   */
   async verifySdJwtVc(args, context) {
-    const verifier = /* @__PURE__ */ __name(async (data, signature) => this.verifyCallbackImpl(sdjwt, context, data, signature), "verifier");
-    const cred = await import_core2.SDJwt.fromEncode(args.credential, this.registeredImplementations.hasher);
-    const type = isVcdm2SdJwtPayload(cred.jwt?.payload) ? "vc+sd-jwt" : "dc+sd-jwt";
-    const sdjwt = SDJwtVcdmInstanceFactory.create(type, {
+    const verifier = /* @__PURE__ */ __name(async (data, signature) => this.verify(sdjwt, context, data, signature), "verifier");
+    const sdjwt = new import_sd_jwt_vc.SDJwtVcInstance({
       verifier,
       hasher: this.registeredImplementations.hasher ?? defaultGenerateDigest
     });
-    const { header = {}, payload, kb } = await sdjwt.verify(args.credential, {
-      skewSeconds: 60 * 60 * 24 * 5
-    });
+    const { header = {}, payload, kb } = await sdjwt.verify(args.credential);
     return {
-      type,
       header,
       payload,
       kb
@@ -624,7 +405,7 @@ var SDJwtPlugin = class {
   * @param payload - The payload of the SD-JWT
   * @returns
   */
-  verifyKb(context, data, signature, payload) {
+  verifyKb(sdjwt, context, data, signature, payload) {
     if (!payload.cnf) {
       throw Error("other method than cnf is not supported yet");
     }
@@ -638,10 +419,9 @@ var SDJwtPlugin = class {
   * @param signature - The signature
   * @returns
   */
-  async verifyCallbackImpl(sdjwt, context, data, signature, opts) {
+  async verify(sdjwt, context, data, signature, opts) {
     const decodedVC = await sdjwt.decode(`${data}.${signature}`);
-    const payload = decodedVC.jwt.payload;
-    const issuer = getIssuerFromSdJwt(payload);
+    const issuer = decodedVC.jwt.payload.iss;
     const header = decodedVC.jwt.header;
     const x5c = header?.x5c;
     let jwk = header.jwk;
@@ -707,18 +487,14 @@ var SDJwtPlugin = class {
   */
   async verifySdJwtPresentation(args, context) {
     let sdjwt;
-    const verifier = /* @__PURE__ */ __name(async (data, signature) => this.verifyCallbackImpl(sdjwt, context, data, signature), "verifier");
-    const verifierKb = /* @__PURE__ */ __name(async (data, signature, payload) => this.verifyKb(context, data, signature, payload), "verifierKb");
-    sdjwt = new import_sd_jwt_vc2.SDJwtVcInstance({
+    const verifier = /* @__PURE__ */ __name(async (data, signature) => this.verify(sdjwt, context, data, signature), "verifier");
+    const verifierKb = /* @__PURE__ */ __name(async (data, signature, payload) => this.verifyKb(sdjwt, context, data, signature, payload), "verifierKb");
+    sdjwt = new import_sd_jwt_vc.SDJwtVcInstance({
       verifier,
       hasher: this.registeredImplementations.hasher,
       kbVerifier: verifierKb
     });
-    const verifierOpts = {
-      requiredClaimKeys: args.requiredClaimKeys,
-      keyBindingNonce: args.keyBindingNonce
-    };
-    return sdjwt.verify(args.presentation, verifierOpts);
+    return sdjwt.verify(args.presentation, args.requiredClaimKeys, args.kb);
   }
   /**
   * Fetch and validate Type Metadata.
@@ -789,7 +565,7 @@ var SDJwtPlugin = class {
       return payload.cnf.jwk;
     } else if (payload.cnf !== void 0 && "kid" in payload.cnf && typeof payload.cnf.kid === "string" && payload.cnf.kid.startsWith("did:jwk:")) {
       const encoded = this.extractBase64FromDIDJwk(payload.cnf.kid);
-      const decoded = u8a.toString(u8a.fromString(encoded, "base64url"), "utf-8");
+      const decoded = (0, import_utils.decodeBase64url)(encoded);
       const jwt = JSON.parse(decoded);
       return jwt;
     }
@@ -803,4 +579,17 @@ var SDJwtPlugin = class {
     return parts[2].split("#")[0];
   }
 };
+
+// src/types.ts
+var import_ssi_sdk = require("@sphereon/ssi-sdk.agent-config");
+var sdJwtPluginContextMethods = [
+  "createSdJwtVc",
+  "createSdJwtPresentation",
+  "verifySdJwtVc",
+  "verifySdJwtPresentation"
+];
+function contextHasSDJwtPlugin(context) {
+  return (0, import_ssi_sdk.contextHasPlugin)(context, "verifySdJwtVc");
+}
+__name(contextHasSDJwtPlugin, "contextHasSDJwtPlugin");
 //# sourceMappingURL=index.cjs.map