@sphereon/ssi-sdk.sd-jwt 0.34.1-feature.SSISDK.45.93 → 0.34.1-feature.SSISDK.46.40

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (13) hide show
  1. package/dist/index.cjs +43 -253
  2. package/dist/index.cjs.map +1 -1
  3. package/dist/index.d.cts +8 -66
  4. package/dist/index.d.ts +8 -66
  5. package/dist/index.js +41 -251
  6. package/dist/index.js.map +1 -1
  7. package/package.json +20 -21
  8. package/src/__tests__/{sd-jwt-vc.test.ts → sd-jwt.test.ts} +4 -6
  9. package/src/action-handler.ts +36 -83
  10. package/src/types.ts +6 -40
  11. package/src/utils.ts +1 -32
  12. package/src/__tests__/sd-jwt-vcdm2.test.ts +0 -316
  13. package/src/sdJwtVcdm2Instance.ts +0 -155
package/dist/index.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"sources":["../src/action-handler.ts","../src/defaultCallbacks.ts","../src/trustAnchors.ts","../src/utils.ts","../src/sdJwtVcdm2Instance.ts","../src/types.ts"],"sourcesContent":["import { Jwt, SDJwt, type SdJwtPayload, type VerifierOptions } from '@sd-jwt/core'\nimport { SDJwtVcInstance, type SdJwtVcPayload } from '@sd-jwt/sd-jwt-vc'\nimport type { DisclosureFrame, HashAlgorithm, Hasher, JwtPayload, KbVerifier, PresentationFrame, Signer, Verifier } from '@sd-jwt/types'\nimport { calculateJwkThumbprint, signatureAlgorithmFromKey } from '@sphereon/ssi-sdk-ext.key-utils'\nimport type { X509CertificateChainValidationOpts } from '@sphereon/ssi-sdk-ext.x509-utils'\nimport type { HasherSync, JsonWebKey, JWK, SdJwtTypeMetadata } from '@sphereon/ssi-types'\nimport type { IAgentPlugin } from '@veramo/core'\n// import { decodeBase64url } from '@veramo/utils'\nimport Debug from 'debug'\nimport { defaultGenerateDigest, defaultGenerateSalt, defaultVerifySignature } from './defaultCallbacks'\nimport { funkeTestCA, sphereonCA } from './trustAnchors'\nimport { assertValidTypeMetadata, fetchUrlWithErrorHandling, getIssuerFromSdJwt, isSdjwtVcPayload, isVcdm2SdJwtPayload, validateIntegrity } from './utils'\nimport type {\n Claims,\n FetchSdJwtTypeMetadataFromVctUrlArgs,\n GetSignerForIdentifierArgs,\n GetSignerResult,\n ICreateSdJwtPresentationArgs,\n ICreateSdJwtPresentationResult,\n ICreateSdJwtVcArgs,\n ICreateSdJwtVcResult,\n IRequiredContext,\n ISDJwtPlugin,\n IVerifySdJwtPresentationArgs,\n IVerifySdJwtPresentationResult,\n IVerifySdJwtVcArgs,\n IVerifySdJwtVcResult,\n SdJWTImplementation,\n SdJwtVerifySignature,\n SignKeyArgs,\n SignKeyResult,\n} from './types'\nimport { SDJwtVcdm2Instance, SDJwtVcdmInstanceFactory } from './sdJwtVcdm2Instance'\n\n// @ts-ignore\nimport * as u8a from 'uint8arrays'\n\nconst debug = Debug('@sphereon/ssi-sdk.sd-jwt')\n\n/**\n * @beta\n * SD-JWT plugin\n */\nexport class SDJwtPlugin implements IAgentPlugin {\n // @ts-ignore\n private readonly trustAnchorsInPEM: string[]\n private readonly registeredImplementations: SdJWTImplementation\n private _signers: Record<string, Signer>\n private _defaultSigner?: Signer\n\n constructor(\n registeredImplementations?: SdJWTImplementation & {\n signers?: Record<string, Signer>\n defaultSigner?: Signer\n },\n trustAnchorsInPEM?: string[],\n ) {\n this.trustAnchorsInPEM = trustAnchorsInPEM ?? []\n if (!registeredImplementations) {\n registeredImplementations = {}\n }\n if (typeof registeredImplementations?.hasher !== 'function') {\n registeredImplementations.hasher = defaultGenerateDigest\n }\n if (typeof registeredImplementations?.saltGenerator !== 'function') {\n registeredImplementations.saltGenerator = defaultGenerateSalt\n }\n this.registeredImplementations = registeredImplementations\n this._signers = registeredImplementations?.signers ?? {}\n this._defaultSigner = registeredImplementations?.defaultSigner\n\n // Verify signature default is used below in the methods if not provided here, as it needs the context of the agent\n }\n\n // map the methods your plugin is declaring to their implementation\n readonly methods: ISDJwtPlugin = {\n createSdJwtVc: this.createSdJwtVc.bind(this),\n createSdJwtPresentation: this.createSdJwtPresentation.bind(this),\n verifySdJwtVc: this.verifySdJwtVc.bind(this),\n verifySdJwtPresentation: this.verifySdJwtPresentation.bind(this),\n fetchSdJwtTypeMetadataFromVctUrl: this.fetchSdJwtTypeMetadataFromVctUrl.bind(this),\n }\n\n private async getSignerForIdentifier(args: GetSignerForIdentifierArgs, context: IRequiredContext): Promise<GetSignerResult> {\n const { identifier, resolution } = args\n if (Object.keys(this._signers).includes(identifier) && typeof this._signers[identifier] === 'function') {\n return { signer: this._signers[identifier] }\n } else if (typeof this._defaultSigner === 'function') {\n return { signer: this._defaultSigner }\n }\n const signingKey = await this.getSignKey({ identifier, vmRelationship: 'assertionMethod', resolution }, context)\n const { key, alg } = signingKey\n\n const signer: Signer = async (data: string): Promise<string> => {\n return context.agent.keyManagerSign({ keyRef: key.kmsKeyRef, data })\n }\n\n return { signer, alg, signingKey }\n }\n\n /**\n * Create a signed SD-JWT credential.\n * @param args - Arguments necessary for the creation of a SD-JWT credential.\n * @param context - This reserved param is automatically added and handled by the framework, *do not override*\n * @returns A signed SD-JWT credential.\n */\n async createSdJwtVc(args: ICreateSdJwtVcArgs, context: IRequiredContext): Promise<ICreateSdJwtVcResult> {\n const payload = args.credentialPayload\n const isVcdm2 = isVcdm2SdJwtPayload(payload)\n const isSdJwtVc = isSdjwtVcPayload(payload)\n const type = args.type ?? (isVcdm2 ? 'vc+sd-jwt' : 'dc+sd-jwt')\n\n const issuer = getIssuerFromSdJwt(args.credentialPayload)\n if (!issuer) {\n throw new Error('credential.issuer must not be empty')\n }\n const { alg, signer, signingKey } = await this.getSignerForIdentifier({ identifier: issuer, resolution: args.resolution }, context)\n const signAlg = alg ?? signingKey?.alg ?? 'ES256'\n const hashAlg: HashAlgorithm = /(\\d{3})$/.test(signAlg) ? (`sha-${signAlg.slice(-3)}` as HashAlgorithm) : 'sha-256'\n const sdjwt = SDJwtVcdmInstanceFactory.create(type, {\n omitTyp: true,\n signer,\n hasher: this.registeredImplementations.hasher,\n saltGenerator: this.registeredImplementations.saltGenerator,\n signAlg,\n hashAlg,\n })\n\n const header = {\n ...(signingKey?.key.kid !== undefined && { kid: signingKey.key.kid }),\n ...(signingKey?.key.x5c !== undefined && { x5c: signingKey.key.x5c }),\n ...(type && { typ: type }),\n }\n let credential: string\n if (isVcdm2) {\n credential = await (sdjwt as SDJwtVcdm2Instance).issue(\n payload,\n // @ts-ignore\n args.disclosureFrame as DisclosureFrame<typeof payload>,\n { header },\n )\n } else if (isSdJwtVc) {\n credential = await (sdjwt as SDJwtVcInstance).issue(payload, args.disclosureFrame as DisclosureFrame<typeof payload>, { header })\n } else {\n return Promise.reject(new Error(`invalid_argument: credential '${type}' type is not supported`))\n }\n\n return { type, credential }\n }\n\n /**\n * Get the key to sign the SD-JWT\n * @param args - consists of twp arguments: identifier like a did and other forms of identifiers and vmRelationship which represents the purpose of the key\n * @param context - agent instance\n * @returns the key to sign the SD-JWT\n */\n async getSignKey(args: SignKeyArgs, context: IRequiredContext): Promise<SignKeyResult> {\n // TODO Using identifierManagedGetByDid now (new managed identifier resolution). Evaluate of we need to implement more identifier types here\n const { identifier, resolution } = { ...args }\n if (resolution) {\n const key = resolution.key\n const alg = await signatureAlgorithmFromKey({ key })\n switch (resolution.method) {\n case 'did':\n debug(`Signing key ${key.publicKeyHex} found for identifier ${identifier}`)\n return { alg, key: { ...key, kmsKeyRef: resolution.kmsKeyRef, kid: resolution.kid } }\n default:\n if (key.meta?.x509 && key.meta.x509.x5c) {\n return { alg, key: { kid: resolution.kid, kmsKeyRef: resolution.kmsKeyRef, x5c: key.meta.x509.x5c as string[] } }\n } else if (key.meta?.jwkThumbprint) {\n return { alg, key: { kid: resolution.kid, kmsKeyRef: resolution.kmsKeyRef, jwkThumbprint: key.meta.jwkThumbprint } }\n } else {\n return { alg, key: { kid: resolution.kid, kmsKeyRef: resolution.kmsKeyRef } }\n }\n }\n } else if (identifier.startsWith('did:')) {\n const didIdentifier = await context.agent.identifierManagedGetByDid({ identifier })\n if (!didIdentifier) {\n throw new Error(`No identifier found with the given did: ${identifier}`)\n }\n const key = didIdentifier.key\n const alg = await signatureAlgorithmFromKey({ key })\n debug(`Signing key ${key.publicKeyHex} found for identifier ${identifier}`)\n\n return { alg, key: { ...key, kmsKeyRef: didIdentifier.kmsKeyRef, kid: didIdentifier.kid } }\n } else {\n const kidIdentifier = await context.agent.identifierManagedGetByKid({ identifier })\n if (!kidIdentifier) {\n throw new Error(`No identifier found with the given kid: ${identifier}`)\n }\n const key = kidIdentifier.key\n const alg = await signatureAlgorithmFromKey({ key })\n if (key.meta?.x509 && key.meta.x509.x5c) {\n return { alg, key: { kid: kidIdentifier.kid, kmsKeyRef: kidIdentifier.kmsKeyRef, x5c: key.meta.x509.x5c as string[] } }\n } else if (key.meta?.jwkThumbprint) {\n return { alg, key: { kid: kidIdentifier.kid, kmsKeyRef: kidIdentifier.kmsKeyRef, jwkThumbprint: key.meta.jwkThumbprint } }\n } else {\n return { alg, key: { kid: kidIdentifier.kid, kmsKeyRef: kidIdentifier.kmsKeyRef } }\n }\n }\n }\n\n /**\n * Create a signed SD-JWT presentation.\n * @param args - Arguments necessary for the creation of a SD-JWT presentation.\n * @param context - This reserved param is automatically added and handled by the framework, *do not override*\n * @returns A signed SD-JWT presentation.\n */\n async createSdJwtPresentation(args: ICreateSdJwtPresentationArgs, context: IRequiredContext): Promise<ICreateSdJwtPresentationResult> {\n const type = args.type ?? 'dc+sd-jwt'\n\n const cred = await SDJwt.fromEncode(args.presentation, this.registeredImplementations.hasher!)\n\n const claims = await cred.getClaims<Claims>(this.registeredImplementations.hasher!)\n let holder: string\n // we primarily look for a cnf field, if it's not there, we look for a sub field. If this is also not given, we throw an error since we can not sign it.\n if (args.holder) {\n holder = args.holder\n } else if (claims.cnf?.jwk) {\n const jwk = claims.cnf.jwk\n holder = calculateJwkThumbprint({ jwk: jwk as JWK })\n } else if (claims.cnf?.kid) {\n holder = claims.cnf?.kid\n } else if (claims.sub) {\n holder = claims.sub as string\n } else {\n throw new Error('invalid_argument: credential does not include a holder reference')\n }\n const { alg, signer } = await this.getSignerForIdentifier({ identifier: holder }, context)\n\n const sdjwt = SDJwtVcdmInstanceFactory.create(type, {\n omitTyp: true,\n hasher: this.registeredImplementations.hasher,\n saltGenerator: this.registeredImplementations.saltGenerator,\n kbSigner: signer,\n kbSignAlg: alg ?? 'ES256',\n })\n\n const presentation = await sdjwt.present(args.presentation, args.presentationFrame as PresentationFrame<SdJwtVcPayload>, { kb: args.kb })\n\n return { type, presentation }\n }\n\n /**\n * Verify a signed SD-JWT credential.\n * @param args - Arguments necessary for the verify a SD-JWT credential.\n * @param context - This reserved param is automatically added and handled by the framework, *do not override*\n * @returns\n */\n async verifySdJwtVc(args: IVerifySdJwtVcArgs, context: IRequiredContext): Promise<IVerifySdJwtVcResult> {\n // callback\n const verifier: Verifier = async (data: string, signature: string) => this.verifyCallbackImpl(sdjwt, context, data, signature)\n\n const cred = await SDJwt.fromEncode(args.credential, this.registeredImplementations.hasher!)\n const type = isVcdm2SdJwtPayload(cred.jwt?.payload as SdJwtPayload) ? 'vc+sd-jwt' : 'dc+sd-jwt'\n\n\n const sdjwt = SDJwtVcdmInstanceFactory.create(type, {verifier, hasher: this.registeredImplementations.hasher ?? defaultGenerateDigest })\n // FIXME: Findynet. Issuer returns expired status lists, and low level lib throws errors on these. We need to fix this in our implementation by wrapping the verification function\n // For now a workaround is to ad 5 days of skew seconds, yuck\n const { header = {}, payload, kb } = await sdjwt.verify(args.credential, {skewSeconds: 60*60*24*5})\n\n\n return { type, header, payload, kb }\n }\n\n /**\n * Verify the key binding of a SD-JWT by validating the signature of the key bound to the SD-JWT\n * @param sdjwt - SD-JWT instance\n * @param context - This reserved param is automatically added and handled by the framework, *do not override*\n * @param data - signed data\n * @param signature - The signature\n * @param payload - The payload of the SD-JWT\n * @returns\n */\n private verifyKb(context: IRequiredContext, data: string, signature: string, payload: JwtPayload): Promise<boolean> {\n if (!payload.cnf) {\n throw Error('other method than cnf is not supported yet')\n }\n\n // TODO add aud verification\n\n\n return this.verifySignatureCallback(context)(data, signature, this.getJwk(payload))\n }\n\n /**\n * Validates the signature of a SD-JWT\n * @param sdjwt - SD-JWT instance\n * @param context - This reserved param is automatically added and handled by the framework, *do not override*\n * @param data - signed data\n * @param signature - The signature\n * @returns\n */\n async verifyCallbackImpl(\n sdjwt: SDJwtVcInstance | SDJwtVcdm2Instance,\n context: IRequiredContext,\n data: string,\n signature: string,\n opts?: { x5cValidation?: X509CertificateChainValidationOpts },\n ): Promise<boolean> {\n const decodedVC = await sdjwt.decode(`${data}.${signature}`)\n const payload: SdJwtPayload = (decodedVC.jwt as Jwt).payload as SdJwtPayload\n const issuer: string = getIssuerFromSdJwt(payload)\n const header = (decodedVC.jwt as Jwt).header as Record<string, any>\n const x5c: string[] | undefined = header?.x5c as string[]\n let jwk: JWK | JsonWebKey | undefined = header.jwk\n if (x5c) {\n const trustAnchors = new Set<string>([...this.trustAnchorsInPEM])\n if (trustAnchors.size === 0) {\n trustAnchors.add(sphereonCA)\n trustAnchors.add(funkeTestCA)\n }\n const certificateValidationResult = await context.agent.x509VerifyCertificateChain({\n chain: x5c,\n trustAnchors: Array.from(trustAnchors),\n // TODO: Defaults to allowing untrusted certs! Fine for now, not when wallets go mainstream\n opts: opts?.x5cValidation ?? { trustRootWhenNoAnchors: true, allowNoTrustAnchorsFound: true },\n })\n\n if (certificateValidationResult.error || !certificateValidationResult?.certificateChain) {\n return Promise.reject(Error(`Certificate chain validation failed. ${certificateValidationResult.message}`))\n }\n const certInfo = certificateValidationResult.certificateChain[0]\n jwk = certInfo.publicKeyJWK as JWK\n }\n\n if (!jwk && header.kid?.includes('did:')) {\n const didDoc = await context.agent.resolveDid({ didUrl: header.kid })\n if (!didDoc) {\n throw new Error('invalid_issuer: issuer did not resolve to a did document')\n }\n //TODO SDK-20: This should be checking for an assertionMethod and not just an verificationMethod with an id\n const didDocumentKey = didDoc.didDocument?.verificationMethod?.find((key) => key.id)\n if (!didDocumentKey) {\n throw new Error('invalid_issuer: issuer did document does not include referenced key')\n }\n //FIXME SDK-21: in case it's another did method, the value of the key can be also encoded as a base64url\n // needs more checks. some DID methods do not expose the keys as publicKeyJwk\n jwk = didDocumentKey.publicKeyJwk as JsonWebKey\n }\n\n if (!jwk && issuer.includes('did:')) {\n // TODO refactor\n const didDoc = await context.agent.resolveDid({ didUrl: issuer })\n if (!didDoc) {\n throw new Error('invalid_issuer: issuer did not resolve to a did document')\n }\n //TODO SDK-20: This should be checking for an assertionMethod and not just an verificationMethod with an id\n const didDocumentKey = didDoc.didDocument?.verificationMethod?.find((key) => key.id)\n if (!didDocumentKey) {\n throw new Error('invalid_issuer: issuer did document does not include referenced key')\n }\n //FIXME SDK-21: in case it's another did method, the value of the key can be also encoded as a base64url\n // needs more checks. some DID methods do not expose the keys as publicKeyJwk\n jwk = didDocumentKey.publicKeyJwk as JsonWebKey\n }\n\n if (!jwk) {\n throw new Error('No valid public key found for signature verification')\n }\n\n return this.verifySignatureCallback(context)(data, signature, jwk)\n }\n\n /**\n * Verify a signed SD-JWT presentation.\n * @param args - Arguments necessary for the verify a SD-JWT presentation.\n * @param context - This reserved param is automatically added and handled by the framework, *do not override*\n * @returns\n */\n async verifySdJwtPresentation(args: IVerifySdJwtPresentationArgs, context: IRequiredContext): Promise<IVerifySdJwtPresentationResult> {\n let sdjwt: SDJwtVcInstance\n const verifier: Verifier = async (data: string, signature: string) => this.verifyCallbackImpl(sdjwt, context, data, signature)\n const verifierKb: KbVerifier = async (data: string, signature: string, payload: JwtPayload) =>\n this.verifyKb(context, data, signature, payload)\n sdjwt = new SDJwtVcInstance({\n verifier,\n hasher: this.registeredImplementations.hasher,\n kbVerifier: verifierKb,\n })\n\n const verifierOpts: VerifierOptions = {\n requiredClaimKeys: args.requiredClaimKeys,\n keyBindingNonce: args.keyBindingNonce,\n }\n\n return sdjwt.verify(args.presentation, verifierOpts)\n }\n\n /**\n * Fetch and validate Type Metadata.\n * @param args - Arguments necessary for fetching and validating the type metadata.\n * @param context - This reserved param is automatically added and handled by the framework, *do not override*\n * @returns\n */\n async fetchSdJwtTypeMetadataFromVctUrl(args: FetchSdJwtTypeMetadataFromVctUrlArgs, context: IRequiredContext): Promise<SdJwtTypeMetadata> {\n const { vct, vctIntegrity, opts } = args\n const url = new URL(vct)\n\n const response = await fetchUrlWithErrorHandling(url.toString())\n const metadata: SdJwtTypeMetadata = (await response.json()) as SdJwtTypeMetadata\n assertValidTypeMetadata(metadata, vct)\n\n const validate = async (vct: string, input: unknown, integrityValue?: string, hasher?: Hasher | HasherSync) => {\n if (hasher && integrityValue) {\n const validation = await validateIntegrity({ integrityValue, input, hasher })\n if (!validation) {\n return Promise.reject(Error(`Integrity check failed for vct: ${vct}, extends: ${metadata.extends}, integrity: ${integrityValue}}`))\n }\n }\n }\n\n const hasher = (opts?.hasher ?? this.registeredImplementations.hasher ?? defaultGenerateDigest) as Hasher | HasherSync | undefined\n if (hasher) {\n if (vctIntegrity) {\n await validate(vct, metadata, vctIntegrity, hasher)\n const vctValidation = await validateIntegrity({ integrityValue: vctIntegrity, input: metadata, hasher })\n if (!vctValidation) {\n return Promise.reject(Error(`Integrity check failed for vct: ${vct}, integrity: ${vctIntegrity}`))\n }\n }\n\n if (metadata['extends#integrity']) {\n const extendsMetadata = await this.fetchSdJwtTypeMetadataFromVctUrl({ vct: metadata['extends#integrity'], opts }, context)\n await validate(vct, extendsMetadata, metadata['extends#integrity'], hasher)\n }\n\n if (metadata['schema_uri#integrity']) {\n const schemaResponse = await fetchUrlWithErrorHandling(metadata.schema_uri!)\n const schema = await schemaResponse.json()\n await validate(vct, schema, metadata['schema_uri#integrity'], hasher)\n }\n\n metadata.display?.forEach((display) => {\n const simpleLogoIntegrity = display.rendering?.simple?.logo?.['uri#integrity']\n if (simpleLogoIntegrity) {\n console.log('TODO: Logo integrity check')\n }\n })\n }\n\n return metadata\n }\n\n private verifySignatureCallback(context: IRequiredContext): SdJwtVerifySignature {\n if (typeof this.registeredImplementations.verifySignature === 'function') {\n return this.registeredImplementations.verifySignature\n }\n\n return defaultVerifySignature(context)\n }\n\n private getJwk(payload: JwtPayload): JsonWebKey {\n if (payload.cnf?.jwk !== undefined) {\n return payload.cnf.jwk as JsonWebKey\n } else if (payload.cnf !== undefined && 'kid' in payload.cnf && typeof payload.cnf.kid === 'string' && payload.cnf.kid.startsWith('did:jwk:')) {\n // extract JWK from kid FIXME isn't there a did function for this already? Otherwise create one\n // FIXME this is a quick-fix to make verification but we need a real solution\n const encoded = this.extractBase64FromDIDJwk(payload.cnf.kid)\n const decoded = u8a.toString(u8a.fromString(encoded, 'base64url'), 'utf-8')\n const jwt = JSON.parse(decoded)\n return jwt as JsonWebKey\n }\n throw Error('Unable to extract JWK from SD-JWT payload')\n }\n\n private extractBase64FromDIDJwk(did: string): string {\n const parts = did.split(':')\n if (parts.length < 3) {\n throw new Error('Invalid DID format')\n }\n return parts[2].split('#')[0]\n }\n}\n","import { digestMethodParams } from '@sphereon/ssi-sdk-ext.key-utils'\nimport { HasherSync, JsonWebKey, JWK, Loggers } from '@sphereon/ssi-types'\nimport { v4 } from 'uuid'\n// @ts-ignore\nimport { fromString } from 'uint8arrays/from-string'\nimport { IRequiredContext, SdJwtVerifySignature } from './types'\n\nexport const defaultGenerateDigest: HasherSync = (data: string | ArrayBuffer, alg: string): Uint8Array => {\n return digestMethodParams(alg.includes('256') ? 'SHA-256' : 'SHA-512').hash(\n typeof data === 'string' ? fromString(data, 'utf-8') : new Uint8Array(data),\n )\n}\n\nexport const defaultGenerateSalt = (): string => {\n return v4()\n}\n\nexport const defaultVerifySignature =\n (context: IRequiredContext): SdJwtVerifySignature =>\n async (data: string, signature: string, publicKey: JsonWebKey): Promise<boolean> => {\n // The data and signature from the sd-jwt lib are a jwt header.payload and signature, so let's recombine into a compact jwt\n const result = await context.agent.jwtVerifyJwsSignature({ jws: `${data}.${signature}`, jwk: publicKey as JWK })\n Loggers.DEFAULT.get('sd-jwt').info(`SD-JWT signature verified. Result: ${result.message}`)\n return !result.error\n }\n","export const funkeTestCA =\n '-----BEGIN CERTIFICATE-----\\n' +\n 'MIICeTCCAiCgAwIBAgIUB5E9QVZtmUYcDtCjKB/H3VQv72gwCgYIKoZIzj0EAwIwgYgxCzAJBgNVBAYTAkRFMQ8wDQYDVQQHDAZCZXJsaW4xHTAbBgNVBAoMFEJ1bmRlc2RydWNrZXJlaSBHbWJIMREwDwYDVQQLDAhUIENTIElERTE2MDQGA1UEAwwtU1BSSU5EIEZ1bmtlIEVVREkgV2FsbGV0IFByb3RvdHlwZSBJc3N1aW5nIENBMB4XDTI0MDUzMTA2NDgwOVoXDTM0MDUyOTA2NDgwOVowgYgxCzAJBgNVBAYTAkRFMQ8wDQYDVQQHDAZCZXJsaW4xHTAbBgNVBAoMFEJ1bmRlc2RydWNrZXJlaSBHbWJIMREwDwYDVQQLDAhUIENTIElERTE2MDQGA1UEAwwtU1BSSU5EIEZ1bmtlIEVVREkgV2FsbGV0IFByb3RvdHlwZSBJc3N1aW5nIENBMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEYGzdwFDnc7+Kn5ibAvCOM8ke77VQxqfMcwZL8IaIA+WCROcCfmY/giH92qMru5p/kyOivE0RC/IbdMONvDoUyaNmMGQwHQYDVR0OBBYEFNRWGMCJOOgOWIQYyXZiv6u7xZC+MB8GA1UdIwQYMBaAFNRWGMCJOOgOWIQYyXZiv6u7xZC+MBIGA1UdEwEB/wQIMAYBAf8CAQAwDgYDVR0PAQH/BAQDAgGGMAoGCCqGSM49BAMCA0cAMEQCIGEm7wkZKHt/atb4MdFnXW6yrnwMUT2u136gdtl10Y6hAiBuTFqvVYth1rbxzCP0xWZHmQK9kVyxn8GPfX27EIzzsw==\\n' +\n '-----END CERTIFICATE-----'\n\nexport const sphereonCA =\n '-----BEGIN CERTIFICATE-----\\n' +\n 'MIICCDCCAa6gAwIBAgITAPMgqwtYzWPBXaobHhxG9iSydTAKBggqhkjOPQQDAjBa\\n' +\n 'MQswCQYDVQQGEwJOTDEkMCIGA1UECgwbU3BoZXJlb24gSW50ZXJuYXRpb25hbCBC\\n' +\n 'LlYuMQswCQYDVQQLDAJJVDEYMBYGA1UEAwwPY2Euc3BoZXJlb24uY29tMB4XDTI0\\n' +\n 'MDcyODIxMjY0OVoXDTM0MDcyODIxMjY0OVowWjELMAkGA1UEBhMCTkwxJDAiBgNV\\n' +\n 'BAoMG1NwaGVyZW9uIEludGVybmF0aW9uYWwgQi5WLjELMAkGA1UECwwCSVQxGDAW\\n' +\n 'BgNVBAMMD2NhLnNwaGVyZW9uLmNvbTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\\n' +\n 'BEiA0KeESSNrOcmCDga8YsBkUTgowZGwqvL2n91JUpAMdRSwvlVFdqdiLXnk2pQq\\n' +\n 'T1vZnDG0I+x+iz2EbdsG0aajUzBRMB0GA1UdDgQWBBTnB8pdlVz5yKD+zuNkRR6A\\n' +\n 'sywywTAOBgNVHQ8BAf8EBAMCAaYwDwYDVR0lBAgwBgYEVR0lADAPBgNVHRMBAf8E\\n' +\n 'BTADAQH/MAoGCCqGSM49BAMCA0gAMEUCIHH7ie1OAAbff5262rzZVQa8J9zENG8A\\n' +\n 'QlHHFydMdgaXAiEA1Ib82mhHIYDziE0DDbHEAXOs98al+7dpo8fPGVGTeKI=\\n' +\n '-----END CERTIFICATE-----'\n","import type { SdJwtTypeMetadata, SdJwtVcdm2Payload } from '@sphereon/ssi-types'\n// @ts-ignore\nimport { toString } from 'uint8arrays/to-string'\nimport { Hasher, HasherSync } from '@sd-jwt/types'\nimport type { SdJwtPayload } from '@sd-jwt/core'\nimport type { SdJwtVcPayload } from '@sd-jwt/sd-jwt-vc'\n\n// Helper function to fetch API with error handling\nexport async function fetchUrlWithErrorHandling(url: string): Promise<Response> {\n const response = await fetch(url)\n if (!response.ok) {\n throw new Error(`${response.status}: ${response.statusText}`)\n }\n return response\n}\n\nexport type IntegrityAlg = 'sha256' | 'sha384' | 'sha512'\n\nfunction extractHashAlgFromIntegrity(integrityValue?: string): IntegrityAlg | undefined {\n const val = integrityValue?.toLowerCase().trim().split('-')[0]\n if (val === 'sha256' || val === 'sha384' || val === 'sha512') {\n return val as IntegrityAlg\n }\n return undefined\n}\n\nexport function extractHashFromIntegrity(integrityValue?: string): string | undefined {\n return integrityValue?.toLowerCase().trim().split('-')[1]\n}\n\nexport async function validateIntegrity({\n input,\n integrityValue,\n hasher,\n}: {\n input: any\n integrityValue?: string\n hasher: HasherSync | Hasher\n}): Promise<boolean> {\n if (!integrityValue) {\n return true\n }\n const alg = extractHashAlgFromIntegrity(integrityValue)\n if (!alg) {\n return false\n }\n const calculatedHash = await createIntegrity({ hasher, input, alg })\n return calculatedHash == integrityValue\n}\n\nexport async function createIntegrity({\n input,\n hasher,\n alg = 'sha256',\n}: {\n input: any\n hasher: HasherSync | Hasher\n alg?: IntegrityAlg\n}): Promise<string> {\n const calculatedHash = await hasher(typeof input === 'string' ? input : JSON.stringify(input), alg)\n return `${alg}-${toString(calculatedHash, 'base64')}`\n}\n\nexport function assertValidTypeMetadata(metadata: SdJwtTypeMetadata, vct: string): void {\n if (metadata.vct !== vct) {\n throw new Error('VCT mismatch in metadata and credential')\n }\n}\n\nexport function isVcdm2SdJwtPayload(payload: SdJwtPayload): payload is SdJwtVcdm2Payload {\n return (\n 'type' in payload &&\n Array.isArray(payload.type) &&\n payload.type.includes('VerifiableCredential') &&\n '@context' in payload &&\n ((typeof payload['@context'] === 'string' && payload['@context'].length > 0) ||\n (Array.isArray(payload['@context']) && payload['@context'].length > 0 && payload['@context'].includes('https://www.w3.org/ns/credentials/v2')))\n )\n}\n\nexport function isSdjwtVcPayload(payload: SdJwtPayload): payload is SdJwtVcPayload {\n return !isVcdm2SdJwtPayload(payload) && 'vct' in payload && typeof payload.vct === 'string'\n}\n\nexport function getIssuerFromSdJwt(payload: SdJwtPayload): string {\n let issuer: string | undefined\n if (isSdjwtVcPayload(payload) || 'iss' in payload) {\n issuer = payload.iss as string\n } else if (isVcdm2SdJwtPayload(payload) || 'issuer' in payload && payload.issuer) {\n issuer = typeof payload.issuer === 'string' ? payload.issuer : (payload.issuer as any)?.id\n }\n\n if (!issuer) {\n throw new Error('No issuer (iss or VCDM 2 issuer) found in SD-JWT or no VCDM2 SD-JWT or SD-JWT VC')\n }\n return issuer\n}\n","import { SDJwtInstance, type VerifierOptions } from '@sd-jwt/core'\nimport type { DisclosureFrame, Hasher, SDJWTCompact } from '@sd-jwt/types'\nimport { SDJWTException } from '@sd-jwt/utils'\nimport { type SdJwtType, type SDJWTVCDM2Config, type SdJwtVcdm2Payload } from '@sphereon/ssi-types'\nimport { type SDJWTVCConfig, SDJwtVcInstance, type VerificationResult } from '@sd-jwt/sd-jwt-vc'\nimport { isVcdm2SdJwt } from './types'\n\ninterface SdJwtVcdm2VerificationResult extends Omit<VerificationResult, 'payload'> {\n payload: SdJwtVcdm2Payload\n}\n\nexport class SDJwtVcdmInstanceFactory {\n static create(type: SdJwtType, config: SDJWTVCConfig | SDJWTVCDM2Config): SDJwtVcdm2Instance | SDJwtVcInstance {\n if (isVcdm2SdJwt(type)) {\n return new SDJwtVcdm2Instance(config as SDJWTVCDM2Config)\n }\n return new SDJwtVcInstance(config as SDJWTVCConfig)\n }\n}\n\n// @ts-ignore\nexport class SDJwtVcdm2Instance extends SDJwtInstance<SdJwtVcdm2Payload> {\n /**\n * The type of the SD-JWT VCDM2 set in the header.typ field.\n */\n protected static type = 'vc+sd-jwt'\n\n protected userConfig: SDJWTVCDM2Config = {}\n\n constructor(userConfig?: SDJWTVCDM2Config) {\n super(userConfig)\n if (userConfig) {\n this.userConfig = userConfig\n }\n }\n\n /**\n * Validates if the disclosureFrame contains any reserved fields. If so it will throw an error.\n * @param disclosureFrame\n */\n protected validateReservedFields(disclosureFrame: DisclosureFrame<SdJwtVcdm2Payload>): void {\n //validate disclosureFrame according to https://www.ietf.org/archive/id/draft-ietf-oauth-sd-jwt-vc-08.html#section-3.2.2.2\n // @ts-ignore\n if (disclosureFrame?._sd && Array.isArray(disclosureFrame._sd) && disclosureFrame._sd.length > 0) {\n const reservedNames = ['iss', 'nbf', 'exp', 'cnf', '@context', 'type', 'credentialStatus', 'credentialSchema', 'relatedResource']\n // check if there is any reserved names in the disclosureFrame._sd array\n const reservedNamesInDisclosureFrame = (disclosureFrame._sd as string[]).filter((key) => reservedNames.includes(key))\n if (reservedNamesInDisclosureFrame.length > 0) {\n throw new SDJWTException(`Cannot disclose protected field(s): ${reservedNamesInDisclosureFrame.join(', ')}`)\n }\n }\n }\n\n /**\n * Verifies the SD-JWT-VC. It will validate the signature, the keybindings when required, the status, and the VCT.\n * @param encodedSDJwt\n * @param options\n */\n async verify(encodedSDJwt: string, options?: VerifierOptions) {\n // Call the parent class's verify method\n const result: SdJwtVcdm2VerificationResult = await super.verify(encodedSDJwt, options).then((res) => {\n return {\n payload: res.payload as SdJwtVcdm2Payload,\n header: res.header,\n kb: res.kb,\n }\n })\n\n // await this.verifyStatus(result, options)\n\n return result\n }\n\n /**\n * Validates the integrity of the response if the integrity is passed. If the integrity does not match, an error is thrown.\n * @param integrity\n * @param response\n */\n private async validateIntegrity(response: Response, url: string, integrity?: string) {\n if (integrity) {\n // validate the integrity of the response according to https://www.w3.org/TR/SRI/\n const arrayBuffer = await response.arrayBuffer()\n const alg = integrity.split('-')[0]\n //TODO: error handling when a hasher is passed that is not supporting the required algorithm acording to the spec\n const hashBuffer = await (this.userConfig.hasher as Hasher)(arrayBuffer, alg)\n const integrityHash = integrity.split('-')[1]\n const hash = Array.from(new Uint8Array(hashBuffer))\n .map((byte) => byte.toString(16).padStart(2, '0'))\n .join('')\n if (hash !== integrityHash) {\n throw new Error(`Integrity check for ${url} failed: is ${hash}, but expected ${integrityHash}`)\n }\n }\n }\n\n /**\n * Fetches the content from the url with a timeout of 10 seconds.\n * @param url\n * @param integrity\n * @returns\n */\n protected async fetch<T>(url: string, integrity?: string): Promise<T> {\n try {\n const response = await fetch(url, {\n signal: AbortSignal.timeout(this.userConfig.timeout ?? 10000),\n })\n if (!response.ok) {\n const errorText = await response.text()\n return Promise.reject(new Error(`Error fetching ${url}: ${response.status} ${response.statusText} - ${errorText}`))\n }\n await this.validateIntegrity(response.clone(), url, integrity)\n return response.json() as Promise<T>\n } catch (error) {\n if ((error as Error).name === 'TimeoutError') {\n throw new Error(`Request to ${url} timed out`)\n }\n throw error\n }\n }\n\n public async issue<Payload extends SdJwtVcdm2Payload>(\n payload: Payload,\n disclosureFrame?: DisclosureFrame<Payload>,\n options?: {\n header?: object; // This is for customizing the header of the jwt\n },\n ): Promise<SDJWTCompact> {\n if (payload.iss && !payload.issuer) {\n payload.issuer = {id: payload.iss}\n delete payload.iss\n }\n if (payload.nbf && !payload.validFrom) {\n payload.validFrom = toVcdm2Date(payload.nbf)\n delete payload.nbf\n }\n if (payload.exp && !payload.validUntil) {\n payload.validUntil = toVcdm2Date(payload.exp)\n delete payload.exp\n }\n if (payload.sub && !Array.isArray(payload.credentialSubject) && !payload.credentialSubject.id) {\n payload.credentialSubject.id = payload.sub\n delete payload.sub\n }\n return super.issue(payload, disclosureFrame, options)\n }\n}\n\nfunction toVcdm2Date(value: number | string): string {\n const num = typeof value === 'string' ? Number(value) : value\n if (!Number.isFinite(num)) {\n throw new SDJWTException(`Invalid numeric date: ${value}`)\n }\n // Convert JWT NumericDate (seconds since epoch) to W3C VCDM 2 date-time string (RFC 3339 / ISO 8601)\n return new Date(num * 1000).toISOString()\n}\n","import { Hasher, kbHeader, KBOptions, kbPayload, SaltGenerator, Signer } from '@sd-jwt/types'\nimport { IIdentifierResolution, ManagedIdentifierResult } from '@sphereon/ssi-sdk-ext.identifier-resolution'\nimport { IJwtService } from '@sphereon/ssi-sdk-ext.jwt-service'\nimport { X509CertificateChainValidationOpts } from '@sphereon/ssi-sdk-ext.x509-utils'\nimport { contextHasPlugin } from '@sphereon/ssi-sdk.agent-config'\nimport { ImDLMdoc } from '@sphereon/ssi-sdk.mdl-mdoc'\nimport {\n HasherSync,\n JoseSignatureAlgorithm,\n JsonWebKey,\n SdJwtType,\n SdJwtTypeMetadata,\n SdJwtVcdm2Payload,\n SdJwtVcType,\n SdJwtVpType,\n} from '@sphereon/ssi-types'\nimport { DIDDocumentSection, IAgentContext, IDIDManager, IKeyManager, IPluginMethodMap, IResolver } from '@veramo/core'\nimport { SdJwtVcPayload as OrigSdJwtVcPayload } from '@sd-jwt/sd-jwt-vc'\nimport { SdJwtPayload } from '@sd-jwt/core'\n\nexport const sdJwtPluginContextMethods: Array<string> = ['createSdJwtVc', 'createSdJwtPresentation', 'verifySdJwtVc', 'verifySdJwtPresentation']\n\n/**\n * My Agent Plugin description.\n *\n * This is the interface that describes what your plugin can do.\n * The methods listed here, will be directly available to the veramo agent where your plugin is going to be used.\n * Depending on the agent configuration, other agent plugins, as well as the application where the agent is used\n * will be able to call these methods.\n *\n * To build a schema for your plugin using standard tools, you must link to this file in your package.json.\n * Example:\n * ```\n * \"veramo\": {\n * \"pluginInterfaces\": {\n * \"IMyAgentPlugin\": \"./src/types/IMyAgentPlugin.ts\"\n * }\n * },\n * ```\n *\n * @beta\n */\nexport interface ISDJwtPlugin extends IPluginMethodMap {\n /**\n * Your plugin method description\n *\n * @param args - Input parameters for this method\n * @param context - The required context where this method can run.\n * Declaring a context type here lets other developers know which other plugins\n * need to also be installed for this method to work.\n */\n /**\n * Create a signed SD-JWT credential.\n * @param args - Arguments necessary for the creation of a SD-JWT credential.\n * @param context - This reserved param is automatically added and handled by the framework, *do not override*\n */\n createSdJwtVc(args: ICreateSdJwtVcArgs, context: IRequiredContext): Promise<ICreateSdJwtVcResult>\n\n /**\n * Create a signed SD-JWT presentation.\n * @param args - Arguments necessary for the creation of a SD-JWT presentation.\n * @param context - This reserved param is automatically added and handled by the framework, *do not override*\n */\n createSdJwtPresentation(args: ICreateSdJwtPresentationArgs, context: IRequiredContext): Promise<ICreateSdJwtPresentationResult>\n\n /**\n * Verify a signed SD-JWT credential.\n * @param args - Arguments necessary for the verification of a SD-JWT credential.\n * @param context - This reserved param is automatically added and handled by the framework, *do not override*\n */\n verifySdJwtVc(args: IVerifySdJwtVcArgs, context: IRequiredContext): Promise<IVerifySdJwtVcResult>\n\n /**\n * Verify a signed SD-JWT presentation.\n * @param args - Arguments necessary for the verification of a SD-JWT presentation.\n * @param context - This reserved param is automatically added and handled by the framework, *do not override*\n */\n verifySdJwtPresentation(args: IVerifySdJwtPresentationArgs, context: IRequiredContext): Promise<IVerifySdJwtPresentationResult>\n\n /**\n * Fetch and validate Type Metadata.\n * @param args - Arguments necessary for fetching and validating the type metadata.\n * @param context - This reserved param is automatically added and handled by the framework, *do not override*\n */\n fetchSdJwtTypeMetadataFromVctUrl(args: FetchSdJwtTypeMetadataFromVctUrlArgs, context: IRequiredContext): Promise<SdJwtTypeMetadata>\n}\n\nexport function contextHasSDJwtPlugin(context: IAgentContext<IPluginMethodMap>): context is IAgentContext<ISDJwtPlugin> {\n return contextHasPlugin(context, 'verifySdJwtVc')\n}\n\n/**\n * ICreateSdJwtVcArgs\n *\n * @beta\n */\n\nexport interface SdJwtVcPayload extends OrigSdJwtVcPayload {\n x5c?: string[]\n}\n\nexport type Vcdm2Enveloped = 'EnvelopedVerifiableCredential' | 'EnvelopedVerifiablePresentation'\n\nexport function isVcdm2SdJwt(type: SdJwtType | string): Boolean {\n return type === 'vc+sd-jwt' || type === 'vp+sd-jwt'\n}\n\nexport interface ICreateSdJwtVcArgs {\n type?: SdJwtVcType\n credentialPayload: SdJwtPayload\n\n // biome-ignore lint/suspicious/noExplicitAny: <explanation>\n disclosureFrame?: IDisclosureFrame\n\n resolution?: ManagedIdentifierResult\n}\n\n/**\n * @beta\n */\nexport interface IDisclosureFrame {\n _sd?: string[]\n _sd_decoy?: number\n\n [x: string]: string[] | number | IDisclosureFrame | undefined\n}\n\n/**\n * ICreateSdJwtVcResult\n *\n * @beta\n */\nexport interface ICreateSdJwtVcResult {\n type: SdJwtVcType\n\n /**\n * the encoded sd-jwt credential\n */\n credential: string\n}\n\n/**\n *\n * @beta\n */\nexport interface ICreateSdJwtPresentationArgs {\n /**\n * Encoded SD-JWT credential\n */\n presentation: string\n\n /*\n * The keys to use for selective disclosure for presentation\n * if not provided, all keys will be disclosed\n * if empty object, no keys will be disclosed\n */\n presentationFrame?: IPresentationFrame\n\n /**\n * Allows to override the holder. Normally it will be looked up from the cnf or sub values\n */\n holder?: string\n\n /**\n * Information to include to add key binding.\n */\n kb?: KBOptions\n\n type?: SdJwtVpType\n\n vcdm2Enveloped?: Vcdm2Enveloped\n}\n\n/**\n * @beta\n */\nexport interface IPresentationFrame {\n [x: string]: boolean | IPresentationFrame\n}\n\n/**\n * Created presentation\n * @beta\n */\nexport interface ICreateSdJwtPresentationResult {\n /**\n * Encoded presentation.\n */\n presentation: string\n\n type: SdJwtVpType\n}\n\n/**\n * @beta\n */\nexport interface IVerifySdJwtVcArgs {\n credential: string\n opts?: {\n x5cValidation?: X509CertificateChainValidationOpts\n }\n}\n\n/**\n * @beta\n */\nexport type IVerifySdJwtVcResult = {\n type: SdJwtVcType\n payload: SdJwtVcPayload | SdJwtVcdm2Payload\n header: Record<string, unknown>\n kb?: { header: kbHeader; payload: kbPayload }\n}\n\n/**\n * @beta\n */\nexport interface IVerifySdJwtPresentationArgs {\n presentation: string\n\n requiredClaimKeys?: string[]\n\n /**\n * nonce used to verify the key binding jwt to prevent replay attacks.\n */\n keyBindingNonce?: string\n\n /**\n * Audience used to verify the key binding jwt\n */\n keyBindingAud?: string\n}\n\n/**\n * @beta\n */\nexport type IVerifySdJwtPresentationResult = {\n payload: unknown //fixme: maybe this can be `SdJwtPayload`\n header: Record<string, unknown> | undefined\n kb?: { header: kbHeader; payload: kbPayload }\n}\n\nexport type SignKeyArgs = {\n identifier: string\n vmRelationship: DIDDocumentSection\n resolution?: ManagedIdentifierResult\n}\n\nexport type SignKeyResult = {\n alg: JoseSignatureAlgorithm\n key: {\n kid?: string\n kmsKeyRef: string\n x5c?: string[]\n jwkThumbprint?: string\n }\n}\n/**\n * This context describes the requirements of this plugin.\n * For this plugin to function properly, the agent needs to also have other plugins installed that implement the\n * interfaces declared here.\n * You can also define requirements on a more granular level, for each plugin method or event handler of your plugin.\n *\n * @beta\n */\nexport type IRequiredContext = IAgentContext<IDIDManager & IIdentifierResolution & IJwtService & IResolver & IKeyManager & ImDLMdoc>\n\nexport type SdJwtVerifySignature = (data: string, signature: string, publicKey: JsonWebKey) => Promise<boolean>\nexport interface SdJWTImplementation {\n saltGenerator?: SaltGenerator\n hasher?: HasherSync\n verifySignature?: SdJwtVerifySignature\n}\n\nexport interface Claims {\n /**\n * Subject of the SD-JWT\n */\n sub?: string\n cnf?: {\n jwk?: JsonWebKey\n kid?: string\n }\n\n [key: string]: unknown\n}\n\nexport type FetchSdJwtTypeMetadataFromVctUrlArgs = {\n vct: string\n vctIntegrity?: string\n opts?: FetchSdJwtTypeMetadataFromVctUrlOpts\n}\n\nexport type FetchSdJwtTypeMetadataFromVctUrlOpts = {\n hasher?: HasherSync | Hasher\n}\n\nexport type GetSignerForIdentifierArgs = {\n identifier: string\n resolution?: ManagedIdentifierResult\n}\n\nexport type GetSignerResult = {\n signer: Signer\n alg?: string\n signingKey?: SignKeyResult\n}\n"],"mappings":";;;;AAAA,SAAcA,aAAsD;AACpE,SAASC,mBAAAA,wBAA4C;AAErD,SAASC,wBAAwBC,iCAAiC;AAKlE,OAAOC,WAAW;;;ACRlB,SAASC,0BAA0B;AACnC,SAAsCC,eAAe;AACrD,SAASC,UAAU;AAEnB,SAASC,kBAAkB;AAGpB,IAAMC,wBAAoC,wBAACC,MAA4BC,QAAAA;AAC5E,SAAOC,mBAAmBD,IAAIE,SAAS,KAAA,IAAS,YAAY,SAAA,EAAWC,KACrE,OAAOJ,SAAS,WAAWK,WAAWL,MAAM,OAAA,IAAW,IAAIM,WAAWN,IAAAA,CAAAA;AAE1E,GAJiD;AAM1C,IAAMO,sBAAsB,6BAAA;AACjC,SAAOC,GAAAA;AACT,GAFmC;AAI5B,IAAMC,yBACX,wBAACC,YACD,OAAOV,MAAcW,WAAmBC,cAAAA;AAEtC,QAAMC,SAAS,MAAMH,QAAQI,MAAMC,sBAAsB;IAAEC,KAAK,GAAGhB,IAAAA,IAAQW,SAAAA;IAAaM,KAAKL;EAAiB,CAAA;AAC9GM,UAAQC,QAAQC,IAAI,QAAA,EAAUC,KAAK,sCAAsCR,OAAOS,OAAO,EAAE;AACzF,SAAO,CAACT,OAAOU;AACjB,GANA;;;AClBK,IAAMC,cACX;AAIK,IAAMC,aACX;;;ACJF,SAASC,gBAAgB;AAMzB,eAAsBC,0BAA0BC,KAAW;AACzD,QAAMC,WAAW,MAAMC,MAAMF,GAAAA;AAC7B,MAAI,CAACC,SAASE,IAAI;AAChB,UAAM,IAAIC,MAAM,GAAGH,SAASI,MAAM,KAAKJ,SAASK,UAAU,EAAE;EAC9D;AACA,SAAOL;AACT;AANsBF;AAUtB,SAASQ,4BAA4BC,gBAAuB;AAC1D,QAAMC,MAAMD,gBAAgBE,YAAAA,EAAcC,KAAAA,EAAOC,MAAM,GAAA,EAAK,CAAA;AAC5D,MAAIH,QAAQ,YAAYA,QAAQ,YAAYA,QAAQ,UAAU;AAC5D,WAAOA;EACT;AACA,SAAOI;AACT;AANSN;AAQF,SAASO,yBAAyBN,gBAAuB;AAC9D,SAAOA,gBAAgBE,YAAAA,EAAcC,KAAAA,EAAOC,MAAM,GAAA,EAAK,CAAA;AACzD;AAFgBE;AAIhB,eAAsBC,kBAAkB,EACtCC,OACAR,gBACAS,OAAM,GAKP;AACC,MAAI,CAACT,gBAAgB;AACnB,WAAO;EACT;AACA,QAAMU,MAAMX,4BAA4BC,cAAAA;AACxC,MAAI,CAACU,KAAK;AACR,WAAO;EACT;AACA,QAAMC,iBAAiB,MAAMC,gBAAgB;IAAEH;IAAQD;IAAOE;EAAI,CAAA;AAClE,SAAOC,kBAAkBX;AAC3B;AAlBsBO;AAoBtB,eAAsBK,gBAAgB,EACpCJ,OACAC,QACAC,MAAM,SAAQ,GAKf;AACC,QAAMC,iBAAiB,MAAMF,OAAO,OAAOD,UAAU,WAAWA,QAAQK,KAAKC,UAAUN,KAAAA,GAAQE,GAAAA;AAC/F,SAAO,GAAGA,GAAAA,IAAOK,SAASJ,gBAAgB,QAAA,CAAA;AAC5C;AAXsBC;AAaf,SAASI,wBAAwBC,UAA6BC,KAAW;AAC9E,MAAID,SAASC,QAAQA,KAAK;AACxB,UAAM,IAAItB,MAAM,yCAAA;EAClB;AACF;AAJgBoB;AAMT,SAASG,oBAAoBC,SAAqB;AACvD,SACE,UAAUA,WACVC,MAAMC,QAAQF,QAAQG,IAAI,KAC1BH,QAAQG,KAAKC,SAAS,sBAAA,KACtB,cAAcJ,YACZ,OAAOA,QAAQ,UAAA,MAAgB,YAAYA,QAAQ,UAAA,EAAYK,SAAS,KACvEJ,MAAMC,QAAQF,QAAQ,UAAA,CAAW,KAAKA,QAAQ,UAAA,EAAYK,SAAS,KAAKL,QAAQ,UAAA,EAAYI,SAAS,sCAAA;AAE5G;AATgBL;AAWT,SAASO,iBAAiBN,SAAqB;AACpD,SAAO,CAACD,oBAAoBC,OAAAA,KAAY,SAASA,WAAW,OAAOA,QAAQF,QAAQ;AACrF;AAFgBQ;AAIT,SAASC,mBAAmBP,SAAqB;AACtD,MAAIQ;AACJ,MAAIF,iBAAiBN,OAAAA,KAAY,SAASA,SAAS;AACjDQ,aAASR,QAAQS;EACnB,WAAWV,oBAAoBC,OAAAA,KAAY,YAAYA,WAAWA,QAAQQ,QAAQ;AAChFA,aAAS,OAAOR,QAAQQ,WAAW,WAAWR,QAAQQ,SAAUR,QAAQQ,QAAgBE;EAC1F;AAEA,MAAI,CAACF,QAAQ;AACX,UAAM,IAAIhC,MAAM,kFAAA;EAClB;AACA,SAAOgC;AACT;AAZgBD;;;ACpFhB,SAASI,qBAA2C;AAEpD,SAASC,sBAAsB;AAE/B,SAA6BC,uBAAgD;;;ACA7E,SAASC,wBAAwB;AAgB1B,IAAMC,4BAA2C;EAAC;EAAiB;EAA2B;EAAiB;;AAmE/G,SAASC,sBAAsBC,SAAwC;AAC5E,SAAOC,iBAAiBD,SAAS,eAAA;AACnC;AAFgBD;AAgBT,SAASG,aAAaC,MAAwB;AACnD,SAAOA,SAAS,eAAeA,SAAS;AAC1C;AAFgBD;;;AD5FT,IAAME,2BAAN,MAAMA;EAXb,OAWaA;;;EACX,OAAOC,OAAOC,MAAiBC,QAAgF;AAC7G,QAAIC,aAAaF,IAAAA,GAAO;AACtB,aAAO,IAAIG,mBAAmBF,MAAAA;IAChC;AACA,WAAO,IAAIG,gBAAgBH,MAAAA;EAC7B;AACF;AAGO,IAAME,qBAAN,cAAiCE,cAAAA;EArBxC,OAqBwCA;;;;;;EAItC,OAAiBL,OAAO;EAEdM,aAA+B,CAAC;EAE1CC,YAAYD,YAA+B;AACzC,UAAMA,UAAAA;AACN,QAAIA,YAAY;AACd,WAAKA,aAAaA;IACpB;EACF;;;;;EAMUE,uBAAuBC,iBAA2D;AAG1F,QAAIA,iBAAiBC,OAAOC,MAAMC,QAAQH,gBAAgBC,GAAG,KAAKD,gBAAgBC,IAAIG,SAAS,GAAG;AAChG,YAAMC,gBAAgB;QAAC;QAAO;QAAO;QAAO;QAAO;QAAY;QAAQ;QAAoB;QAAoB;;AAE/G,YAAMC,iCAAkCN,gBAAgBC,IAAiBM,OAAO,CAACC,QAAQH,cAAcI,SAASD,GAAAA,CAAAA;AAChH,UAAIF,+BAA+BF,SAAS,GAAG;AAC7C,cAAM,IAAIM,eAAe,uCAAuCJ,+BAA+BK,KAAK,IAAA,CAAA,EAAO;MAC7G;IACF;EACF;;;;;;EAOA,MAAMC,OAAOC,cAAsBC,SAA2B;AAE5D,UAAMC,SAAuC,MAAM,MAAMH,OAAOC,cAAcC,OAAAA,EAASE,KAAK,CAACC,QAAAA;AAC3F,aAAO;QACLC,SAASD,IAAIC;QACbC,QAAQF,IAAIE;QACZC,IAAIH,IAAIG;MACV;IACF,CAAA;AAIA,WAAOL;EACT;;;;;;EAOA,MAAcM,kBAAkBC,UAAoBC,KAAaC,WAAoB;AACnF,QAAIA,WAAW;AAEb,YAAMC,cAAc,MAAMH,SAASG,YAAW;AAC9C,YAAMC,MAAMF,UAAUG,MAAM,GAAA,EAAK,CAAA;AAEjC,YAAMC,aAAa,MAAO,KAAK/B,WAAWgC,OAAkBJ,aAAaC,GAAAA;AACzE,YAAMI,gBAAgBN,UAAUG,MAAM,GAAA,EAAK,CAAA;AAC3C,YAAMI,OAAO7B,MAAM8B,KAAK,IAAIC,WAAWL,UAAAA,CAAAA,EACpCM,IAAI,CAACC,SAASA,KAAKC,SAAS,EAAA,EAAIC,SAAS,GAAG,GAAA,CAAA,EAC5C1B,KAAK,EAAA;AACR,UAAIoB,SAASD,eAAe;AAC1B,cAAM,IAAIQ,MAAM,uBAAuBf,GAAAA,eAAkBQ,IAAAA,kBAAsBD,aAAAA,EAAe;MAChG;IACF;EACF;;;;;;;EAQA,MAAgBS,MAAShB,KAAaC,WAAgC;AACpE,QAAI;AACF,YAAMF,WAAW,MAAMiB,MAAMhB,KAAK;QAChCiB,QAAQC,YAAYC,QAAQ,KAAK7C,WAAW6C,WAAW,GAAA;MACzD,CAAA;AACA,UAAI,CAACpB,SAASqB,IAAI;AAChB,cAAMC,YAAY,MAAMtB,SAASuB,KAAI;AACrC,eAAOC,QAAQC,OAAO,IAAIT,MAAM,kBAAkBf,GAAAA,KAAQD,SAAS0B,MAAM,IAAI1B,SAAS2B,UAAU,MAAML,SAAAA,EAAW,CAAA;MACnH;AACA,YAAM,KAAKvB,kBAAkBC,SAAS4B,MAAK,GAAI3B,KAAKC,SAAAA;AACpD,aAAOF,SAAS6B,KAAI;IACtB,SAASC,OAAO;AACd,UAAKA,MAAgBC,SAAS,gBAAgB;AAC5C,cAAM,IAAIf,MAAM,cAAcf,GAAAA,YAAe;MAC/C;AACA,YAAM6B;IACR;EACF;EAEA,MAAaE,MACXpC,SACAlB,iBACAc,SAGuB;AACvB,QAAII,QAAQqC,OAAO,CAACrC,QAAQsC,QAAQ;AAClCtC,cAAQsC,SAAS;QAACC,IAAIvC,QAAQqC;MAAG;AACjC,aAAOrC,QAAQqC;IACjB;AACA,QAAIrC,QAAQwC,OAAO,CAACxC,QAAQyC,WAAW;AACrCzC,cAAQyC,YAAYC,YAAY1C,QAAQwC,GAAG;AAC3C,aAAOxC,QAAQwC;IACjB;AACA,QAAIxC,QAAQ2C,OAAO,CAAC3C,QAAQ4C,YAAY;AACtC5C,cAAQ4C,aAAaF,YAAY1C,QAAQ2C,GAAG;AAC5C,aAAO3C,QAAQ2C;IACjB;AACA,QAAI3C,QAAQ6C,OAAO,CAAC7D,MAAMC,QAAQe,QAAQ8C,iBAAiB,KAAK,CAAC9C,QAAQ8C,kBAAkBP,IAAI;AAC7FvC,cAAQ8C,kBAAkBP,KAAKvC,QAAQ6C;AACvC,aAAO7C,QAAQ6C;IACjB;AACA,WAAO,MAAMT,MAAMpC,SAASlB,iBAAiBc,OAAAA;EAC/C;AACF;AAEA,SAAS8C,YAAYK,OAAsB;AACzC,QAAMC,MAAM,OAAOD,UAAU,WAAWE,OAAOF,KAAAA,IAASA;AACxD,MAAI,CAACE,OAAOC,SAASF,GAAAA,GAAM;AACzB,UAAM,IAAIxD,eAAe,yBAAyBuD,KAAAA,EAAO;EAC3D;AAEA,SAAO,IAAII,KAAKH,MAAM,GAAA,EAAMI,YAAW;AACzC;AAPSV;;;AJhHT,YAAYW,SAAS;AAErB,IAAMC,QAAQC,MAAM,0BAAA;AAMb,IAAMC,cAAN,MAAMA;EA3Cb,OA2CaA;;;;EAEMC;EACAC;EACTC;EACAC;EAERC,YACEH,2BAIAD,mBACA;AACA,SAAKA,oBAAoBA,qBAAqB,CAAA;AAC9C,QAAI,CAACC,2BAA2B;AAC9BA,kCAA4B,CAAC;IAC/B;AACA,QAAI,OAAOA,2BAA2BI,WAAW,YAAY;AAC3DJ,gCAA0BI,SAASC;IACrC;AACA,QAAI,OAAOL,2BAA2BM,kBAAkB,YAAY;AAClEN,gCAA0BM,gBAAgBC;IAC5C;AACA,SAAKP,4BAA4BA;AACjC,SAAKC,WAAWD,2BAA2BQ,WAAW,CAAC;AACvD,SAAKN,iBAAiBF,2BAA2BS;EAGnD;;EAGSC,UAAwB;IAC/BC,eAAe,KAAKA,cAAcC,KAAK,IAAI;IAC3CC,yBAAyB,KAAKA,wBAAwBD,KAAK,IAAI;IAC/DE,eAAe,KAAKA,cAAcF,KAAK,IAAI;IAC3CG,yBAAyB,KAAKA,wBAAwBH,KAAK,IAAI;IAC/DI,kCAAkC,KAAKA,iCAAiCJ,KAAK,IAAI;EACnF;EAEA,MAAcK,uBAAuBC,MAAkCC,SAAqD;AAC1H,UAAM,EAAEC,YAAYC,WAAU,IAAKH;AACnC,QAAII,OAAOC,KAAK,KAAKtB,QAAQ,EAAEuB,SAASJ,UAAAA,KAAe,OAAO,KAAKnB,SAASmB,UAAAA,MAAgB,YAAY;AACtG,aAAO;QAAEK,QAAQ,KAAKxB,SAASmB,UAAAA;MAAY;IAC7C,WAAW,OAAO,KAAKlB,mBAAmB,YAAY;AACpD,aAAO;QAAEuB,QAAQ,KAAKvB;MAAe;IACvC;AACA,UAAMwB,aAAa,MAAM,KAAKC,WAAW;MAAEP;MAAYQ,gBAAgB;MAAmBP;IAAW,GAAGF,OAAAA;AACxG,UAAM,EAAEU,KAAKC,IAAG,IAAKJ;AAErB,UAAMD,SAAiB,8BAAOM,SAAAA;AAC5B,aAAOZ,QAAQa,MAAMC,eAAe;QAAEC,QAAQL,IAAIM;QAAWJ;MAAK,CAAA;IACpE,GAFuB;AAIvB,WAAO;MAAEN;MAAQK;MAAKJ;IAAW;EACnC;;;;;;;EAQA,MAAMf,cAAcO,MAA0BC,SAA0D;AACtG,UAAMiB,UAAUlB,KAAKmB;AACrB,UAAMC,UAAUC,oBAAoBH,OAAAA;AACpC,UAAMI,YAAYC,iBAAiBL,OAAAA;AACnC,UAAMM,OAAOxB,KAAKwB,SAASJ,UAAU,cAAc;AAEnD,UAAMK,SAASC,mBAAmB1B,KAAKmB,iBAAiB;AACxD,QAAI,CAACM,QAAQ;AACX,YAAM,IAAIE,MAAM,qCAAA;IAClB;AACA,UAAM,EAAEf,KAAKL,QAAQC,WAAU,IAAK,MAAM,KAAKT,uBAAuB;MAAEG,YAAYuB;MAAQtB,YAAYH,KAAKG;IAAW,GAAGF,OAAAA;AAC3H,UAAM2B,UAAUhB,OAAOJ,YAAYI,OAAO;AAC1C,UAAMiB,UAAyB,WAAWC,KAAKF,OAAAA,IAAY,OAAOA,QAAQG,MAAM,EAAC,CAAA,KAAyB;AAC1G,UAAMC,QAAQC,yBAAyBC,OAAOV,MAAM;MAClDW,SAAS;MACT5B;MACArB,QAAQ,KAAKJ,0BAA0BI;MACvCE,eAAe,KAAKN,0BAA0BM;MAC9CwC;MACAC;IACF,CAAA;AAEA,UAAMO,SAAS;MACb,GAAI5B,YAAYG,IAAI0B,QAAQC,UAAa;QAAED,KAAK7B,WAAWG,IAAI0B;MAAI;MACnE,GAAI7B,YAAYG,IAAI4B,QAAQD,UAAa;QAAEC,KAAK/B,WAAWG,IAAI4B;MAAI;MACnE,GAAIf,QAAQ;QAAEgB,KAAKhB;MAAK;IAC1B;AACA,QAAIiB;AACJ,QAAIrB,SAAS;AACXqB,mBAAa,MAAOT,MAA6BU;QAC/CxB;;QAEAlB,KAAK2C;QACL;UAAEP;QAAO;MAAA;IAEb,WAAWd,WAAW;AACpBmB,mBAAa,MAAOT,MAA0BU,MAAMxB,SAASlB,KAAK2C,iBAAoD;QAAEP;MAAO,CAAA;IACjI,OAAO;AACL,aAAOQ,QAAQC,OAAO,IAAIlB,MAAM,iCAAiCH,IAAAA,yBAA6B,CAAA;IAChG;AAEA,WAAO;MAAEA;MAAMiB;IAAW;EAC5B;;;;;;;EAQA,MAAMhC,WAAWT,MAAmBC,SAAmD;AAErF,UAAM,EAAEC,YAAYC,WAAU,IAAK;MAAE,GAAGH;IAAK;AAC7C,QAAIG,YAAY;AACd,YAAMQ,MAAMR,WAAWQ;AACvB,YAAMC,MAAM,MAAMkC,0BAA0B;QAAEnC;MAAI,CAAA;AAClD,cAAQR,WAAW4C,QAAM;QACvB,KAAK;AACHrE,gBAAM,eAAeiC,IAAIqC,YAAY,yBAAyB9C,UAAAA,EAAY;AAC1E,iBAAO;YAAEU;YAAKD,KAAK;cAAE,GAAGA;cAAKM,WAAWd,WAAWc;cAAWoB,KAAKlC,WAAWkC;YAAI;UAAE;QACtF;AACE,cAAI1B,IAAIsC,MAAMC,QAAQvC,IAAIsC,KAAKC,KAAKX,KAAK;AACvC,mBAAO;cAAE3B;cAAKD,KAAK;gBAAE0B,KAAKlC,WAAWkC;gBAAKpB,WAAWd,WAAWc;gBAAWsB,KAAK5B,IAAIsC,KAAKC,KAAKX;cAAgB;YAAE;UAClH,WAAW5B,IAAIsC,MAAME,eAAe;AAClC,mBAAO;cAAEvC;cAAKD,KAAK;gBAAE0B,KAAKlC,WAAWkC;gBAAKpB,WAAWd,WAAWc;gBAAWkC,eAAexC,IAAIsC,KAAKE;cAAc;YAAE;UACrH,OAAO;AACL,mBAAO;cAAEvC;cAAKD,KAAK;gBAAE0B,KAAKlC,WAAWkC;gBAAKpB,WAAWd,WAAWc;cAAU;YAAE;UAC9E;MACJ;IACF,WAAWf,WAAWkD,WAAW,MAAA,GAAS;AACxC,YAAMC,gBAAgB,MAAMpD,QAAQa,MAAMwC,0BAA0B;QAAEpD;MAAW,CAAA;AACjF,UAAI,CAACmD,eAAe;AAClB,cAAM,IAAI1B,MAAM,2CAA2CzB,UAAAA,EAAY;MACzE;AACA,YAAMS,MAAM0C,cAAc1C;AAC1B,YAAMC,MAAM,MAAMkC,0BAA0B;QAAEnC;MAAI,CAAA;AAClDjC,YAAM,eAAeiC,IAAIqC,YAAY,yBAAyB9C,UAAAA,EAAY;AAE1E,aAAO;QAAEU;QAAKD,KAAK;UAAE,GAAGA;UAAKM,WAAWoC,cAAcpC;UAAWoB,KAAKgB,cAAchB;QAAI;MAAE;IAC5F,OAAO;AACL,YAAMkB,gBAAgB,MAAMtD,QAAQa,MAAM0C,0BAA0B;QAAEtD;MAAW,CAAA;AACjF,UAAI,CAACqD,eAAe;AAClB,cAAM,IAAI5B,MAAM,2CAA2CzB,UAAAA,EAAY;MACzE;AACA,YAAMS,MAAM4C,cAAc5C;AAC1B,YAAMC,MAAM,MAAMkC,0BAA0B;QAAEnC;MAAI,CAAA;AAClD,UAAIA,IAAIsC,MAAMC,QAAQvC,IAAIsC,KAAKC,KAAKX,KAAK;AACvC,eAAO;UAAE3B;UAAKD,KAAK;YAAE0B,KAAKkB,cAAclB;YAAKpB,WAAWsC,cAActC;YAAWsB,KAAK5B,IAAIsC,KAAKC,KAAKX;UAAgB;QAAE;MACxH,WAAW5B,IAAIsC,MAAME,eAAe;AAClC,eAAO;UAAEvC;UAAKD,KAAK;YAAE0B,KAAKkB,cAAclB;YAAKpB,WAAWsC,cAActC;YAAWkC,eAAexC,IAAIsC,KAAKE;UAAc;QAAE;MAC3H,OAAO;AACL,eAAO;UAAEvC;UAAKD,KAAK;YAAE0B,KAAKkB,cAAclB;YAAKpB,WAAWsC,cAActC;UAAU;QAAE;MACpF;IACF;EACF;;;;;;;EAQA,MAAMtB,wBAAwBK,MAAoCC,SAAoE;AACpI,UAAMuB,OAAOxB,KAAKwB,QAAQ;AAE1B,UAAMiC,OAAO,MAAMC,MAAMC,WAAW3D,KAAK4D,cAAc,KAAK9E,0BAA0BI,MAAM;AAE5F,UAAM2E,SAAS,MAAMJ,KAAKK,UAAkB,KAAKhF,0BAA0BI,MAAM;AACjF,QAAI6E;AAEJ,QAAI/D,KAAK+D,QAAQ;AACfA,eAAS/D,KAAK+D;IAChB,WAAWF,OAAOG,KAAKC,KAAK;AAC1B,YAAMA,MAAMJ,OAAOG,IAAIC;AACvBF,eAASG,uBAAuB;QAAED;MAAgB,CAAA;IACpD,WAAWJ,OAAOG,KAAK3B,KAAK;AAC1B0B,eAASF,OAAOG,KAAK3B;IACvB,WAAWwB,OAAOM,KAAK;AACrBJ,eAASF,OAAOM;IAClB,OAAO;AACL,YAAM,IAAIxC,MAAM,kEAAA;IAClB;AACA,UAAM,EAAEf,KAAKL,OAAM,IAAK,MAAM,KAAKR,uBAAuB;MAAEG,YAAY6D;IAAO,GAAG9D,OAAAA;AAElF,UAAM+B,QAAQC,yBAAyBC,OAAOV,MAAM;MAClDW,SAAS;MACTjD,QAAQ,KAAKJ,0BAA0BI;MACvCE,eAAe,KAAKN,0BAA0BM;MAC9CgF,UAAU7D;MACV8D,WAAWzD,OAAO;IACpB,CAAA;AAEA,UAAMgD,eAAe,MAAM5B,MAAMsC,QAAQtE,KAAK4D,cAAc5D,KAAKuE,mBAAwD;MAAEC,IAAIxE,KAAKwE;IAAG,CAAA;AAEvI,WAAO;MAAEhD;MAAMoC;IAAa;EAC9B;;;;;;;EAQA,MAAMhE,cAAcI,MAA0BC,SAA0D;AAEtG,UAAMwE,WAAqB,8BAAO5D,MAAc6D,cAAsB,KAAKC,mBAAmB3C,OAAO/B,SAASY,MAAM6D,SAAAA,GAAzF;AAE3B,UAAMjB,OAAO,MAAMC,MAAMC,WAAW3D,KAAKyC,YAAY,KAAK3D,0BAA0BI,MAAM;AAC1F,UAAMsC,OAAOH,oBAAoBoC,KAAKmB,KAAK1D,OAAAA,IAA2B,cAAc;AAGpF,UAAMc,QAAQC,yBAAyBC,OAAOV,MAAM;MAACiD;MAAUvF,QAAQ,KAAKJ,0BAA0BI,UAAUC;IAAsB,CAAA;AAGtI,UAAM,EAAEiD,SAAS,CAAC,GAAGlB,SAASsD,GAAE,IAAK,MAAMxC,MAAM6C,OAAO7E,KAAKyC,YAAY;MAACqC,aAAa,KAAG,KAAG,KAAG;IAAC,CAAA;AAGjG,WAAO;MAAEtD;MAAMY;MAAQlB;MAASsD;IAAG;EACrC;;;;;;;;;;EAWQO,SAAS9E,SAA2BY,MAAc6D,WAAmBxD,SAAuC;AAClH,QAAI,CAACA,QAAQ8C,KAAK;AAChB,YAAMrC,MAAM,4CAAA;IACd;AAKA,WAAO,KAAKqD,wBAAwB/E,OAAAA,EAASY,MAAM6D,WAAW,KAAKO,OAAO/D,OAAAA,CAAAA;EAC5E;;;;;;;;;EAUA,MAAMyD,mBACJ3C,OACA/B,SACAY,MACA6D,WACAQ,MACkB;AAClB,UAAMC,YAAY,MAAMnD,MAAMoD,OAAO,GAAGvE,IAAAA,IAAQ6D,SAAAA,EAAW;AAC3D,UAAMxD,UAAyBiE,UAAUP,IAAY1D;AACrD,UAAMO,SAAiBC,mBAAmBR,OAAAA;AAC1C,UAAMkB,SAAU+C,UAAUP,IAAYxC;AACtC,UAAMG,MAA4BH,QAAQG;AAC1C,QAAI0B,MAAoC7B,OAAO6B;AAC/C,QAAI1B,KAAK;AACP,YAAM8C,eAAe,oBAAIC,IAAY;WAAI,KAAKzG;OAAkB;AAChE,UAAIwG,aAAaE,SAAS,GAAG;AAC3BF,qBAAaG,IAAIC,UAAAA;AACjBJ,qBAAaG,IAAIE,WAAAA;MACnB;AACA,YAAMC,8BAA8B,MAAM1F,QAAQa,MAAM8E,2BAA2B;QACjFC,OAAOtD;QACP8C,cAAcS,MAAMC,KAAKV,YAAAA;;QAEzBH,MAAMA,MAAMc,iBAAiB;UAAEC,wBAAwB;UAAMC,0BAA0B;QAAK;MAC9F,CAAA;AAEA,UAAIP,4BAA4BQ,SAAS,CAACR,6BAA6BS,kBAAkB;AACvF,eAAOxD,QAAQC,OAAOlB,MAAM,wCAAwCgE,4BAA4BU,OAAO,EAAE,CAAA;MAC3G;AACA,YAAMC,WAAWX,4BAA4BS,iBAAiB,CAAA;AAC9DnC,YAAMqC,SAASC;IACjB;AAEA,QAAI,CAACtC,OAAO7B,OAAOC,KAAK/B,SAAS,MAAA,GAAS;AACxC,YAAMkG,SAAS,MAAMvG,QAAQa,MAAM2F,WAAW;QAAEC,QAAQtE,OAAOC;MAAI,CAAA;AACnE,UAAI,CAACmE,QAAQ;AACX,cAAM,IAAI7E,MAAM,0DAAA;MAClB;AAEA,YAAMgF,iBAAiBH,OAAOI,aAAaC,oBAAoBC,KAAK,CAACnG,QAAQA,IAAIoG,EAAE;AACnF,UAAI,CAACJ,gBAAgB;AACnB,cAAM,IAAIhF,MAAM,qEAAA;MAClB;AAGAsC,YAAM0C,eAAeK;IACvB;AAEA,QAAI,CAAC/C,OAAOxC,OAAOnB,SAAS,MAAA,GAAS;AAEnC,YAAMkG,SAAS,MAAMvG,QAAQa,MAAM2F,WAAW;QAAEC,QAAQjF;MAAO,CAAA;AAC/D,UAAI,CAAC+E,QAAQ;AACX,cAAM,IAAI7E,MAAM,0DAAA;MAClB;AAEA,YAAMgF,iBAAiBH,OAAOI,aAAaC,oBAAoBC,KAAK,CAACnG,QAAQA,IAAIoG,EAAE;AACnF,UAAI,CAACJ,gBAAgB;AACnB,cAAM,IAAIhF,MAAM,qEAAA;MAClB;AAGAsC,YAAM0C,eAAeK;IACvB;AAEA,QAAI,CAAC/C,KAAK;AACR,YAAM,IAAItC,MAAM,sDAAA;IAClB;AAEA,WAAO,KAAKqD,wBAAwB/E,OAAAA,EAASY,MAAM6D,WAAWT,GAAAA;EAChE;;;;;;;EAQA,MAAMpE,wBAAwBG,MAAoCC,SAAoE;AACpI,QAAI+B;AACJ,UAAMyC,WAAqB,8BAAO5D,MAAc6D,cAAsB,KAAKC,mBAAmB3C,OAAO/B,SAASY,MAAM6D,SAAAA,GAAzF;AAC3B,UAAMuC,aAAyB,8BAAOpG,MAAc6D,WAAmBxD,YACrE,KAAK6D,SAAS9E,SAASY,MAAM6D,WAAWxD,OAAAA,GADX;AAE/Bc,YAAQ,IAAIkF,iBAAgB;MAC1BzC;MACAvF,QAAQ,KAAKJ,0BAA0BI;MACvCiI,YAAYF;IACd,CAAA;AAEA,UAAMG,eAAgC;MACpCC,mBAAmBrH,KAAKqH;MACxBC,iBAAiBtH,KAAKsH;IACxB;AAEA,WAAOtF,MAAM6C,OAAO7E,KAAK4D,cAAcwD,YAAAA;EACzC;;;;;;;EAQA,MAAMtH,iCAAiCE,MAA4CC,SAAuD;AACxI,UAAM,EAAEsH,KAAKC,cAActC,KAAI,IAAKlF;AACpC,UAAMyH,MAAM,IAAIC,IAAIH,GAAAA;AAEpB,UAAMI,WAAW,MAAMC,0BAA0BH,IAAII,SAAQ,CAAA;AAC7D,UAAMC,WAA+B,MAAMH,SAASI,KAAI;AACxDC,4BAAwBF,UAAUP,GAAAA;AAElC,UAAMU,WAAW,8BAAOV,MAAaW,OAAgBC,gBAAyBjJ,YAAAA;AAC5E,UAAIA,WAAUiJ,gBAAgB;AAC5B,cAAMC,aAAa,MAAMC,kBAAkB;UAAEF;UAAgBD;UAAOhJ,QAAAA;QAAO,CAAA;AAC3E,YAAI,CAACkJ,YAAY;AACf,iBAAOxF,QAAQC,OAAOlB,MAAM,mCAAmC4F,IAAAA,cAAiBO,SAASQ,OAAO,gBAAgBH,cAAAA,GAAiB,CAAA;QACnI;MACF;IACF,GAPiB;AASjB,UAAMjJ,SAAUgG,MAAMhG,UAAU,KAAKJ,0BAA0BI,UAAUC;AACzE,QAAID,QAAQ;AACV,UAAIsI,cAAc;AAChB,cAAMS,SAASV,KAAKO,UAAUN,cAActI,MAAAA;AAC5C,cAAMqJ,gBAAgB,MAAMF,kBAAkB;UAAEF,gBAAgBX;UAAcU,OAAOJ;UAAU5I;QAAO,CAAA;AACtG,YAAI,CAACqJ,eAAe;AAClB,iBAAO3F,QAAQC,OAAOlB,MAAM,mCAAmC4F,GAAAA,gBAAmBC,YAAAA,EAAc,CAAA;QAClG;MACF;AAEA,UAAIM,SAAS,mBAAA,GAAsB;AACjC,cAAMU,kBAAkB,MAAM,KAAK1I,iCAAiC;UAAEyH,KAAKO,SAAS,mBAAA;UAAsB5C;QAAK,GAAGjF,OAAAA;AAClH,cAAMgI,SAASV,KAAKiB,iBAAiBV,SAAS,mBAAA,GAAsB5I,MAAAA;MACtE;AAEA,UAAI4I,SAAS,sBAAA,GAAyB;AACpC,cAAMW,iBAAiB,MAAMb,0BAA0BE,SAASY,UAAU;AAC1E,cAAMC,SAAS,MAAMF,eAAeV,KAAI;AACxC,cAAME,SAASV,KAAKoB,QAAQb,SAAS,sBAAA,GAAyB5I,MAAAA;MAChE;AAEA4I,eAASc,SAASC,QAAQ,CAACD,YAAAA;AACzB,cAAME,sBAAsBF,QAAQG,WAAWC,QAAQC,OAAO,eAAA;AAC9D,YAAIH,qBAAqB;AACvBI,kBAAQC,IAAI,4BAAA;QACd;MACF,CAAA;IACF;AAEA,WAAOrB;EACT;EAEQ9C,wBAAwB/E,SAAiD;AAC/E,QAAI,OAAO,KAAKnB,0BAA0BsK,oBAAoB,YAAY;AACxE,aAAO,KAAKtK,0BAA0BsK;IACxC;AAEA,WAAOC,uBAAuBpJ,OAAAA;EAChC;EAEQgF,OAAO/D,SAAiC;AAC9C,QAAIA,QAAQ8C,KAAKC,QAAQ3B,QAAW;AAClC,aAAOpB,QAAQ8C,IAAIC;IACrB,WAAW/C,QAAQ8C,QAAQ1B,UAAa,SAASpB,QAAQ8C,OAAO,OAAO9C,QAAQ8C,IAAI3B,QAAQ,YAAYnB,QAAQ8C,IAAI3B,IAAIe,WAAW,UAAA,GAAa;AAG7I,YAAMkG,UAAU,KAAKC,wBAAwBrI,QAAQ8C,IAAI3B,GAAG;AAC5D,YAAMmH,UAAe3B,aAAa4B,eAAWH,SAAS,WAAA,GAAc,OAAA;AACpE,YAAM1E,MAAM8E,KAAKC,MAAMH,OAAAA;AACvB,aAAO5E;IACT;AACA,UAAMjD,MAAM,2CAAA;EACd;EAEQ4H,wBAAwBK,KAAqB;AACnD,UAAMC,QAAQD,IAAIE,MAAM,GAAA;AACxB,QAAID,MAAME,SAAS,GAAG;AACpB,YAAM,IAAIpI,MAAM,oBAAA;IAClB;AACA,WAAOkI,MAAM,CAAA,EAAGC,MAAM,GAAA,EAAK,CAAA;EAC7B;AACF;","names":["SDJwt","SDJwtVcInstance","calculateJwkThumbprint","signatureAlgorithmFromKey","Debug","digestMethodParams","Loggers","v4","fromString","defaultGenerateDigest","data","alg","digestMethodParams","includes","hash","fromString","Uint8Array","defaultGenerateSalt","v4","defaultVerifySignature","context","signature","publicKey","result","agent","jwtVerifyJwsSignature","jws","jwk","Loggers","DEFAULT","get","info","message","error","funkeTestCA","sphereonCA","toString","fetchUrlWithErrorHandling","url","response","fetch","ok","Error","status","statusText","extractHashAlgFromIntegrity","integrityValue","val","toLowerCase","trim","split","undefined","extractHashFromIntegrity","validateIntegrity","input","hasher","alg","calculatedHash","createIntegrity","JSON","stringify","toString","assertValidTypeMetadata","metadata","vct","isVcdm2SdJwtPayload","payload","Array","isArray","type","includes","length","isSdjwtVcPayload","getIssuerFromSdJwt","issuer","iss","id","SDJwtInstance","SDJWTException","SDJwtVcInstance","contextHasPlugin","sdJwtPluginContextMethods","contextHasSDJwtPlugin","context","contextHasPlugin","isVcdm2SdJwt","type","SDJwtVcdmInstanceFactory","create","type","config","isVcdm2SdJwt","SDJwtVcdm2Instance","SDJwtVcInstance","SDJwtInstance","userConfig","constructor","validateReservedFields","disclosureFrame","_sd","Array","isArray","length","reservedNames","reservedNamesInDisclosureFrame","filter","key","includes","SDJWTException","join","verify","encodedSDJwt","options","result","then","res","payload","header","kb","validateIntegrity","response","url","integrity","arrayBuffer","alg","split","hashBuffer","hasher","integrityHash","hash","from","Uint8Array","map","byte","toString","padStart","Error","fetch","signal","AbortSignal","timeout","ok","errorText","text","Promise","reject","status","statusText","clone","json","error","name","issue","iss","issuer","id","nbf","validFrom","toVcdm2Date","exp","validUntil","sub","credentialSubject","value","num","Number","isFinite","Date","toISOString","u8a","debug","Debug","SDJwtPlugin","trustAnchorsInPEM","registeredImplementations","_signers","_defaultSigner","constructor","hasher","defaultGenerateDigest","saltGenerator","defaultGenerateSalt","signers","defaultSigner","methods","createSdJwtVc","bind","createSdJwtPresentation","verifySdJwtVc","verifySdJwtPresentation","fetchSdJwtTypeMetadataFromVctUrl","getSignerForIdentifier","args","context","identifier","resolution","Object","keys","includes","signer","signingKey","getSignKey","vmRelationship","key","alg","data","agent","keyManagerSign","keyRef","kmsKeyRef","payload","credentialPayload","isVcdm2","isVcdm2SdJwtPayload","isSdJwtVc","isSdjwtVcPayload","type","issuer","getIssuerFromSdJwt","Error","signAlg","hashAlg","test","slice","sdjwt","SDJwtVcdmInstanceFactory","create","omitTyp","header","kid","undefined","x5c","typ","credential","issue","disclosureFrame","Promise","reject","signatureAlgorithmFromKey","method","publicKeyHex","meta","x509","jwkThumbprint","startsWith","didIdentifier","identifierManagedGetByDid","kidIdentifier","identifierManagedGetByKid","cred","SDJwt","fromEncode","presentation","claims","getClaims","holder","cnf","jwk","calculateJwkThumbprint","sub","kbSigner","kbSignAlg","present","presentationFrame","kb","verifier","signature","verifyCallbackImpl","jwt","verify","skewSeconds","verifyKb","verifySignatureCallback","getJwk","opts","decodedVC","decode","trustAnchors","Set","size","add","sphereonCA","funkeTestCA","certificateValidationResult","x509VerifyCertificateChain","chain","Array","from","x5cValidation","trustRootWhenNoAnchors","allowNoTrustAnchorsFound","error","certificateChain","message","certInfo","publicKeyJWK","didDoc","resolveDid","didUrl","didDocumentKey","didDocument","verificationMethod","find","id","publicKeyJwk","verifierKb","SDJwtVcInstance","kbVerifier","verifierOpts","requiredClaimKeys","keyBindingNonce","vct","vctIntegrity","url","URL","response","fetchUrlWithErrorHandling","toString","metadata","json","assertValidTypeMetadata","validate","input","integrityValue","validation","validateIntegrity","extends","vctValidation","extendsMetadata","schemaResponse","schema_uri","schema","display","forEach","simpleLogoIntegrity","rendering","simple","logo","console","log","verifySignature","defaultVerifySignature","encoded","extractBase64FromDIDJwk","decoded","fromString","JSON","parse","did","parts","split","length"]}
1
+ {"version":3,"sources":["../src/action-handler.ts","../src/defaultCallbacks.ts","../src/trustAnchors.ts","../src/utils.ts","../src/types.ts"],"sourcesContent":["import { Jwt, SDJwt } from '@sd-jwt/core'\nimport { SDJwtVcInstance, SdJwtVcPayload } from '@sd-jwt/sd-jwt-vc'\nimport { DisclosureFrame, Hasher, JwtPayload, KbVerifier, PresentationFrame, Signer, Verifier } from '@sd-jwt/types'\nimport { calculateJwkThumbprint, signatureAlgorithmFromKey } from '@sphereon/ssi-sdk-ext.key-utils'\nimport { X509CertificateChainValidationOpts } from '@sphereon/ssi-sdk-ext.x509-utils'\nimport { HasherSync, JsonWebKey, JWK, SdJwtTypeMetadata } from '@sphereon/ssi-types'\nimport { IAgentPlugin } from '@veramo/core'\nimport { decodeBase64url } from '@veramo/utils'\nimport Debug from 'debug'\nimport { defaultGenerateDigest, defaultGenerateSalt, defaultVerifySignature } from './defaultCallbacks'\nimport { funkeTestCA, sphereonCA } from './trustAnchors'\nimport { assertValidTypeMetadata, fetchUrlWithErrorHandling, validateIntegrity } from './utils'\nimport {\n Claims,\n FetchSdJwtTypeMetadataFromVctUrlArgs,\n GetSignerForIdentifierArgs,\n GetSignerResult,\n ICreateSdJwtPresentationArgs,\n ICreateSdJwtPresentationResult,\n ICreateSdJwtVcArgs,\n ICreateSdJwtVcResult,\n IRequiredContext,\n ISDJwtPlugin,\n IVerifySdJwtPresentationArgs,\n IVerifySdJwtPresentationResult,\n IVerifySdJwtVcArgs,\n IVerifySdJwtVcResult,\n SdJWTImplementation,\n SdJwtVerifySignature,\n SignKeyArgs,\n SignKeyResult,\n} from './types'\n\nconst debug = Debug('@sphereon/ssi-sdk.sd-jwt')\n\n/**\n * @beta\n * SD-JWT plugin\n */\nexport class SDJwtPlugin implements IAgentPlugin {\n // @ts-ignore\n private readonly trustAnchorsInPEM: string[]\n private readonly registeredImplementations: SdJWTImplementation\n private _signers: Record<string, Signer>\n private _defaultSigner?: Signer\n\n constructor(\n registeredImplementations?: SdJWTImplementation & {\n signers?: Record<string, Signer>\n defaultSigner?: Signer\n },\n trustAnchorsInPEM?: string[],\n ) {\n this.trustAnchorsInPEM = trustAnchorsInPEM ?? []\n if (!registeredImplementations) {\n registeredImplementations = {}\n }\n if (typeof registeredImplementations?.hasher !== 'function') {\n registeredImplementations.hasher = defaultGenerateDigest\n }\n if (typeof registeredImplementations?.saltGenerator !== 'function') {\n registeredImplementations.saltGenerator = defaultGenerateSalt\n }\n this.registeredImplementations = registeredImplementations\n this._signers = registeredImplementations?.signers ?? {}\n this._defaultSigner = registeredImplementations?.defaultSigner\n\n // Verify signature default is used below in the methods if not provided here, as it needs the context of the agent\n }\n\n // map the methods your plugin is declaring to their implementation\n readonly methods: ISDJwtPlugin = {\n createSdJwtVc: this.createSdJwtVc.bind(this),\n createSdJwtPresentation: this.createSdJwtPresentation.bind(this),\n verifySdJwtVc: this.verifySdJwtVc.bind(this),\n verifySdJwtPresentation: this.verifySdJwtPresentation.bind(this),\n fetchSdJwtTypeMetadataFromVctUrl: this.fetchSdJwtTypeMetadataFromVctUrl.bind(this),\n }\n\n private async getSignerForIdentifier(args: GetSignerForIdentifierArgs, context: IRequiredContext): Promise<GetSignerResult> {\n const { identifier, resolution } = args\n if (Object.keys(this._signers).includes(identifier) && typeof this._signers[identifier] === 'function') {\n return { signer: this._signers[identifier] }\n } else if (typeof this._defaultSigner === 'function') {\n return { signer: this._defaultSigner }\n }\n const signingKey = await this.getSignKey({ identifier, vmRelationship: 'assertionMethod', resolution }, context)\n const { key, alg } = signingKey\n\n const signer: Signer = async (data: string): Promise<string> => {\n return context.agent.keyManagerSign({ keyRef: key.kmsKeyRef, data })\n }\n\n return { signer, alg, signingKey }\n }\n\n /**\n * Create a signed SD-JWT credential.\n * @param args - Arguments necessary for the creation of a SD-JWT credential.\n * @param context - This reserved param is automatically added and handled by the framework, *do not override*\n * @returns A signed SD-JWT credential.\n */\n async createSdJwtVc(args: ICreateSdJwtVcArgs, context: IRequiredContext): Promise<ICreateSdJwtVcResult> {\n const issuer = args.credentialPayload.iss\n if (!issuer) {\n throw new Error('credential.issuer must not be empty')\n }\n const { alg, signer, signingKey } = await this.getSignerForIdentifier({ identifier: issuer, resolution: args.resolution }, context)\n const sdjwt = new SDJwtVcInstance({\n signer,\n hasher: this.registeredImplementations.hasher,\n saltGenerator: this.registeredImplementations.saltGenerator,\n signAlg: alg ?? 'ES256',\n hashAlg: 'sha-256',\n })\n\n const credential = await sdjwt.issue(args.credentialPayload, args.disclosureFrame as DisclosureFrame<typeof args.credentialPayload>, {\n header: {\n ...(signingKey?.key.kid !== undefined && { kid: signingKey.key.kid }),\n ...(signingKey?.key.x5c !== undefined && { x5c: signingKey.key.x5c }),\n },\n })\n\n return { credential }\n }\n\n /**\n * Get the key to sign the SD-JWT\n * @param args - consists of twp arguments: identifier like a did and other forms of identifiers and vmRelationship which represents the purpose of the key\n * @param context - agent instance\n * @returns the key to sign the SD-JWT\n */\n async getSignKey(args: SignKeyArgs, context: IRequiredContext): Promise<SignKeyResult> {\n // TODO Using identifierManagedGetByDid now (new managed identifier resolution). Evaluate of we need to implement more identifier types here\n const { identifier, resolution } = { ...args }\n if (resolution) {\n const key = resolution.key\n const alg = await signatureAlgorithmFromKey({ key })\n switch (resolution.method) {\n case 'did':\n debug(`Signing key ${key.publicKeyHex} found for identifier ${identifier}`)\n return { alg, key: { ...key, kmsKeyRef: resolution.kmsKeyRef, kid: resolution.kid } }\n default:\n if (key.meta?.x509 && key.meta.x509.x5c) {\n return { alg, key: { kid: resolution.kid, kmsKeyRef: resolution.kmsKeyRef, x5c: key.meta.x509.x5c as string[] } }\n } else if (key.meta?.jwkThumbprint) {\n return { alg, key: { kid: resolution.kid, kmsKeyRef: resolution.kmsKeyRef, jwkThumbprint: key.meta.jwkThumbprint } }\n } else {\n return { alg, key: { kid: resolution.kid, kmsKeyRef: resolution.kmsKeyRef } }\n }\n }\n } else if (identifier.startsWith('did:')) {\n const didIdentifier = await context.agent.identifierManagedGetByDid({ identifier })\n if (!didIdentifier) {\n throw new Error(`No identifier found with the given did: ${identifier}`)\n }\n const key = didIdentifier.key\n const alg = await signatureAlgorithmFromKey({ key })\n debug(`Signing key ${key.publicKeyHex} found for identifier ${identifier}`)\n\n return { alg, key: { ...key, kmsKeyRef: didIdentifier.kmsKeyRef, kid: didIdentifier.kid } }\n } else {\n const kidIdentifier = await context.agent.identifierManagedGetByKid({ identifier })\n if (!kidIdentifier) {\n throw new Error(`No identifier found with the given kid: ${identifier}`)\n }\n const key = kidIdentifier.key\n const alg = await signatureAlgorithmFromKey({ key })\n if (key.meta?.x509 && key.meta.x509.x5c) {\n return { alg, key: { kid: kidIdentifier.kid, kmsKeyRef: kidIdentifier.kmsKeyRef, x5c: key.meta.x509.x5c as string[] } }\n } else if (key.meta?.jwkThumbprint) {\n return { alg, key: { kid: kidIdentifier.kid, kmsKeyRef: kidIdentifier.kmsKeyRef, jwkThumbprint: key.meta.jwkThumbprint } }\n } else {\n return { alg, key: { kid: kidIdentifier.kid, kmsKeyRef: kidIdentifier.kmsKeyRef } }\n }\n }\n }\n\n /**\n * Create a signed SD-JWT presentation.\n * @param args - Arguments necessary for the creation of a SD-JWT presentation.\n * @param context - This reserved param is automatically added and handled by the framework, *do not override*\n * @returns A signed SD-JWT presentation.\n */\n async createSdJwtPresentation(args: ICreateSdJwtPresentationArgs, context: IRequiredContext): Promise<ICreateSdJwtPresentationResult> {\n const cred = await SDJwt.fromEncode(args.presentation, this.registeredImplementations.hasher!)\n const claims = await cred.getClaims<Claims>(this.registeredImplementations.hasher!)\n let holder: string\n // we primarly look for a cnf field, if it's not there we look for a sub field. If this is also not given, we throw an error since we can not sign it.\n if (args.holder) {\n holder = args.holder\n } else if (claims.cnf?.jwk) {\n const jwk = claims.cnf.jwk\n holder = calculateJwkThumbprint({ jwk: jwk as JWK })\n } else if (claims.cnf?.kid) {\n holder = claims.cnf?.kid\n } else if (claims.sub) {\n holder = claims.sub as string\n } else {\n throw new Error('invalid_argument: credential does not include a holder reference')\n }\n const { alg, signer } = await this.getSignerForIdentifier({ identifier: holder }, context)\n\n const sdjwt = new SDJwtVcInstance({\n hasher: this.registeredImplementations.hasher ?? defaultGenerateDigest,\n saltGenerator: this.registeredImplementations.saltGenerator,\n kbSigner: signer,\n kbSignAlg: alg ?? 'ES256',\n })\n const presentation = await sdjwt.present(args.presentation, args.presentationFrame as PresentationFrame<SdJwtVcPayload>, { kb: args.kb })\n\n return { presentation }\n }\n\n /**\n * Verify a signed SD-JWT credential.\n * @param args - Arguments necessary for the verify a SD-JWT credential.\n * @param context - This reserved param is automatically added and handled by the framework, *do not override*\n * @returns\n */\n async verifySdJwtVc(args: IVerifySdJwtVcArgs, context: IRequiredContext): Promise<IVerifySdJwtVcResult> {\n // callback\n const verifier: Verifier = async (data: string, signature: string) => this.verify(sdjwt, context, data, signature)\n const sdjwt = new SDJwtVcInstance({ verifier, hasher: this.registeredImplementations.hasher ?? defaultGenerateDigest })\n const { header = {}, payload, kb } = await sdjwt.verify(args.credential)\n\n return { header, payload: payload as SdJwtVcPayload, kb }\n }\n\n /**\n * Verify the key binding of a SD-JWT by validating the signature of the key bound to the SD-JWT\n * @param sdjwt - SD-JWT instance\n * @param context - This reserved param is automatically added and handled by the framework, *do not override*\n * @param data - signed data\n * @param signature - The signature\n * @param payload - The payload of the SD-JWT\n * @returns\n */\n private verifyKb(sdjwt: SDJwtVcInstance, context: IRequiredContext, data: string, signature: string, payload: JwtPayload): Promise<boolean> {\n if (!payload.cnf) {\n throw Error('other method than cnf is not supported yet')\n }\n return this.verifySignatureCallback(context)(data, signature, this.getJwk(payload))\n }\n\n /**\n * Validates the signature of a SD-JWT\n * @param sdjwt - SD-JWT instance\n * @param context - This reserved param is automatically added and handled by the framework, *do not override*\n * @param data - signed data\n * @param signature - The signature\n * @returns\n */\n async verify(\n sdjwt: SDJwtVcInstance,\n context: IRequiredContext,\n data: string,\n signature: string,\n opts?: { x5cValidation?: X509CertificateChainValidationOpts },\n ): Promise<boolean> {\n const decodedVC = await sdjwt.decode(`${data}.${signature}`)\n const issuer: string = ((decodedVC.jwt as Jwt).payload as Record<string, unknown>).iss as string\n const header = (decodedVC.jwt as Jwt).header as Record<string, any>\n const x5c: string[] | undefined = header?.x5c as string[]\n let jwk: JWK | JsonWebKey | undefined = header.jwk\n if (x5c) {\n const trustAnchors = new Set<string>([...this.trustAnchorsInPEM])\n if (trustAnchors.size === 0) {\n trustAnchors.add(sphereonCA)\n trustAnchors.add(funkeTestCA)\n }\n const certificateValidationResult = await context.agent.x509VerifyCertificateChain({\n chain: x5c,\n trustAnchors: Array.from(trustAnchors),\n // TODO: Defaults to allowing untrusted certs! Fine for now, not when wallets go mainstream\n opts: opts?.x5cValidation ?? { trustRootWhenNoAnchors: true, allowNoTrustAnchorsFound: true },\n })\n\n if (certificateValidationResult.error || !certificateValidationResult?.certificateChain) {\n return Promise.reject(Error(`Certificate chain validation failed. ${certificateValidationResult.message}`))\n }\n const certInfo = certificateValidationResult.certificateChain[0]\n jwk = certInfo.publicKeyJWK as JWK\n }\n\n if (!jwk && header.kid?.includes('did:')) {\n const didDoc = await context.agent.resolveDid({ didUrl: header.kid })\n if (!didDoc) {\n throw new Error('invalid_issuer: issuer did not resolve to a did document')\n }\n //TODO SDK-20: This should be checking for an assertionMethod and not just an verificationMethod with an id\n const didDocumentKey = didDoc.didDocument?.verificationMethod?.find((key) => key.id)\n if (!didDocumentKey) {\n throw new Error('invalid_issuer: issuer did document does not include referenced key')\n }\n //FIXME SDK-21: in case it's another did method, the value of the key can be also encoded as a base64url\n // needs more checks. some DID methods do not expose the keys as publicKeyJwk\n jwk = didDocumentKey.publicKeyJwk as JsonWebKey\n }\n\n if (!jwk && issuer.includes('did:')) {\n // TODO refactor\n const didDoc = await context.agent.resolveDid({ didUrl: issuer })\n if (!didDoc) {\n throw new Error('invalid_issuer: issuer did not resolve to a did document')\n }\n //TODO SDK-20: This should be checking for an assertionMethod and not just an verificationMethod with an id\n const didDocumentKey = didDoc.didDocument?.verificationMethod?.find((key) => key.id)\n if (!didDocumentKey) {\n throw new Error('invalid_issuer: issuer did document does not include referenced key')\n }\n //FIXME SDK-21: in case it's another did method, the value of the key can be also encoded as a base64url\n // needs more checks. some DID methods do not expose the keys as publicKeyJwk\n jwk = didDocumentKey.publicKeyJwk as JsonWebKey\n }\n\n if (!jwk) {\n throw new Error('No valid public key found for signature verification')\n }\n\n return this.verifySignatureCallback(context)(data, signature, jwk)\n }\n\n /**\n * Verify a signed SD-JWT presentation.\n * @param args - Arguments necessary for the verify a SD-JWT presentation.\n * @param context - This reserved param is automatically added and handled by the framework, *do not override*\n * @returns\n */\n async verifySdJwtPresentation(args: IVerifySdJwtPresentationArgs, context: IRequiredContext): Promise<IVerifySdJwtPresentationResult> {\n let sdjwt: SDJwtVcInstance\n const verifier: Verifier = async (data: string, signature: string) => this.verify(sdjwt, context, data, signature)\n const verifierKb: KbVerifier = async (data: string, signature: string, payload: JwtPayload) =>\n this.verifyKb(sdjwt, context, data, signature, payload)\n sdjwt = new SDJwtVcInstance({\n verifier,\n hasher: this.registeredImplementations.hasher,\n kbVerifier: verifierKb,\n })\n\n return sdjwt.verify(args.presentation, args.requiredClaimKeys, args.kb)\n }\n\n /**\n * Fetch and validate Type Metadata.\n * @param args - Arguments necessary for fetching and validating the type metadata.\n * @param context - This reserved param is automatically added and handled by the framework, *do not override*\n * @returns\n */\n async fetchSdJwtTypeMetadataFromVctUrl(args: FetchSdJwtTypeMetadataFromVctUrlArgs, context: IRequiredContext): Promise<SdJwtTypeMetadata> {\n const { vct, vctIntegrity, opts } = args\n const url = new URL(vct)\n\n const response = await fetchUrlWithErrorHandling(url.toString())\n const metadata: SdJwtTypeMetadata = (await response.json()) as SdJwtTypeMetadata\n assertValidTypeMetadata(metadata, vct)\n\n const validate = async (vct: string, input: unknown, integrityValue?: string, hasher?: Hasher | HasherSync) => {\n if (hasher && integrityValue) {\n const validation = await validateIntegrity({ integrityValue, input, hasher })\n if (!validation) {\n return Promise.reject(Error(`Integrity check failed for vct: ${vct}, extends: ${metadata.extends}, integrity: ${integrityValue}}`))\n }\n }\n }\n\n const hasher = (opts?.hasher ?? this.registeredImplementations.hasher ?? defaultGenerateDigest) as Hasher | HasherSync | undefined\n if (hasher) {\n if (vctIntegrity) {\n await validate(vct, metadata, vctIntegrity, hasher)\n const vctValidation = await validateIntegrity({ integrityValue: vctIntegrity, input: metadata, hasher })\n if (!vctValidation) {\n return Promise.reject(Error(`Integrity check failed for vct: ${vct}, integrity: ${vctIntegrity}`))\n }\n }\n\n if (metadata['extends#integrity']) {\n const extendsMetadata = await this.fetchSdJwtTypeMetadataFromVctUrl({ vct: metadata['extends#integrity'], opts }, context)\n await validate(vct, extendsMetadata, metadata['extends#integrity'], hasher)\n }\n\n if (metadata['schema_uri#integrity']) {\n const schemaResponse = await fetchUrlWithErrorHandling(metadata.schema_uri!)\n const schema = await schemaResponse.json()\n await validate(vct, schema, metadata['schema_uri#integrity'], hasher)\n }\n\n metadata.display?.forEach((display) => {\n const simpleLogoIntegrity = display.rendering?.simple?.logo?.['uri#integrity']\n if (simpleLogoIntegrity) {\n console.log('TODO: Logo integrity check')\n }\n })\n }\n\n return metadata\n }\n\n private verifySignatureCallback(context: IRequiredContext): SdJwtVerifySignature {\n if (typeof this.registeredImplementations.verifySignature === 'function') {\n return this.registeredImplementations.verifySignature\n }\n\n return defaultVerifySignature(context)\n }\n\n private getJwk(payload: JwtPayload): JsonWebKey {\n if (payload.cnf?.jwk !== undefined) {\n return payload.cnf.jwk as JsonWebKey\n } else if (payload.cnf !== undefined && 'kid' in payload.cnf && typeof payload.cnf.kid === 'string' && payload.cnf.kid.startsWith('did:jwk:')) {\n // extract JWK from kid FIXME isn't there a did function for this already? Otherwise create one\n // FIXME this is a quick-fix to make verification but we need a real solution\n const encoded = this.extractBase64FromDIDJwk(payload.cnf.kid)\n const decoded = decodeBase64url(encoded)\n const jwt = JSON.parse(decoded)\n return jwt as JsonWebKey\n }\n throw Error('Unable to extract JWK from SD-JWT payload')\n }\n\n private extractBase64FromDIDJwk(did: string): string {\n const parts = did.split(':')\n if (parts.length < 3) {\n throw new Error('Invalid DID format')\n }\n return parts[2].split('#')[0]\n }\n}\n","import { digestMethodParams } from '@sphereon/ssi-sdk-ext.key-utils'\nimport { HasherSync, JsonWebKey, JWK, Loggers } from '@sphereon/ssi-types'\nimport { v4 } from 'uuid'\n// @ts-ignore\nimport { fromString } from 'uint8arrays/from-string'\nimport { IRequiredContext, SdJwtVerifySignature } from './types'\n\nexport const defaultGenerateDigest: HasherSync = (data: string | ArrayBuffer, alg: string): Uint8Array => {\n return digestMethodParams(alg.includes('256') ? 'SHA-256' : 'SHA-512').hash(\n typeof data === 'string' ? fromString(data, 'utf-8') : new Uint8Array(data),\n )\n}\n\nexport const defaultGenerateSalt = (): string => {\n return v4()\n}\n\nexport const defaultVerifySignature =\n (context: IRequiredContext): SdJwtVerifySignature =>\n async (data: string, signature: string, publicKey: JsonWebKey): Promise<boolean> => {\n // The data and signature from the sd-jwt lib are a jwt header.payload and signature, so let's recombine into a compact jwt\n const result = await context.agent.jwtVerifyJwsSignature({ jws: `${data}.${signature}`, jwk: publicKey as JWK })\n Loggers.DEFAULT.get('sd-jwt').info(`SD-JWT signature verified. Result: ${result.message}`)\n return !result.error\n }\n","export const funkeTestCA =\n '-----BEGIN CERTIFICATE-----\\n' +\n 'MIICeTCCAiCgAwIBAgIUB5E9QVZtmUYcDtCjKB/H3VQv72gwCgYIKoZIzj0EAwIwgYgxCzAJBgNVBAYTAkRFMQ8wDQYDVQQHDAZCZXJsaW4xHTAbBgNVBAoMFEJ1bmRlc2RydWNrZXJlaSBHbWJIMREwDwYDVQQLDAhUIENTIElERTE2MDQGA1UEAwwtU1BSSU5EIEZ1bmtlIEVVREkgV2FsbGV0IFByb3RvdHlwZSBJc3N1aW5nIENBMB4XDTI0MDUzMTA2NDgwOVoXDTM0MDUyOTA2NDgwOVowgYgxCzAJBgNVBAYTAkRFMQ8wDQYDVQQHDAZCZXJsaW4xHTAbBgNVBAoMFEJ1bmRlc2RydWNrZXJlaSBHbWJIMREwDwYDVQQLDAhUIENTIElERTE2MDQGA1UEAwwtU1BSSU5EIEZ1bmtlIEVVREkgV2FsbGV0IFByb3RvdHlwZSBJc3N1aW5nIENBMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEYGzdwFDnc7+Kn5ibAvCOM8ke77VQxqfMcwZL8IaIA+WCROcCfmY/giH92qMru5p/kyOivE0RC/IbdMONvDoUyaNmMGQwHQYDVR0OBBYEFNRWGMCJOOgOWIQYyXZiv6u7xZC+MB8GA1UdIwQYMBaAFNRWGMCJOOgOWIQYyXZiv6u7xZC+MBIGA1UdEwEB/wQIMAYBAf8CAQAwDgYDVR0PAQH/BAQDAgGGMAoGCCqGSM49BAMCA0cAMEQCIGEm7wkZKHt/atb4MdFnXW6yrnwMUT2u136gdtl10Y6hAiBuTFqvVYth1rbxzCP0xWZHmQK9kVyxn8GPfX27EIzzsw==\\n' +\n '-----END CERTIFICATE-----'\n\nexport const sphereonCA =\n '-----BEGIN CERTIFICATE-----\\n' +\n 'MIICCDCCAa6gAwIBAgITAPMgqwtYzWPBXaobHhxG9iSydTAKBggqhkjOPQQDAjBa\\n' +\n 'MQswCQYDVQQGEwJOTDEkMCIGA1UECgwbU3BoZXJlb24gSW50ZXJuYXRpb25hbCBC\\n' +\n 'LlYuMQswCQYDVQQLDAJJVDEYMBYGA1UEAwwPY2Euc3BoZXJlb24uY29tMB4XDTI0\\n' +\n 'MDcyODIxMjY0OVoXDTM0MDcyODIxMjY0OVowWjELMAkGA1UEBhMCTkwxJDAiBgNV\\n' +\n 'BAoMG1NwaGVyZW9uIEludGVybmF0aW9uYWwgQi5WLjELMAkGA1UECwwCSVQxGDAW\\n' +\n 'BgNVBAMMD2NhLnNwaGVyZW9uLmNvbTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\\n' +\n 'BEiA0KeESSNrOcmCDga8YsBkUTgowZGwqvL2n91JUpAMdRSwvlVFdqdiLXnk2pQq\\n' +\n 'T1vZnDG0I+x+iz2EbdsG0aajUzBRMB0GA1UdDgQWBBTnB8pdlVz5yKD+zuNkRR6A\\n' +\n 'sywywTAOBgNVHQ8BAf8EBAMCAaYwDwYDVR0lBAgwBgYEVR0lADAPBgNVHRMBAf8E\\n' +\n 'BTADAQH/MAoGCCqGSM49BAMCA0gAMEUCIHH7ie1OAAbff5262rzZVQa8J9zENG8A\\n' +\n 'QlHHFydMdgaXAiEA1Ib82mhHIYDziE0DDbHEAXOs98al+7dpo8fPGVGTeKI=\\n' +\n '-----END CERTIFICATE-----'\n","import { SdJwtTypeMetadata } from '@sphereon/ssi-types'\n// @ts-ignore\nimport { toString } from 'uint8arrays/to-string'\nimport { Hasher, HasherSync } from '@sd-jwt/types'\n\n// Helper function to fetch API with error handling\nexport async function fetchUrlWithErrorHandling(url: string): Promise<Response> {\n const response = await fetch(url)\n if (!response.ok) {\n throw new Error(`${response.status}: ${response.statusText}`)\n }\n return response\n}\n\nexport type IntegrityAlg = 'sha256' | 'sha384' | 'sha512'\n\nfunction extractHashAlgFromIntegrity(integrityValue?: string): IntegrityAlg | undefined {\n const val = integrityValue?.toLowerCase().trim().split('-')[0]\n if (val === 'sha256' || val === 'sha384' || val === 'sha512') {\n return val as IntegrityAlg\n }\n return undefined\n}\n\nexport function extractHashFromIntegrity(integrityValue?: string): string | undefined {\n return integrityValue?.toLowerCase().trim().split('-')[1]\n}\n\nexport async function validateIntegrity({\n input,\n integrityValue,\n hasher,\n}: {\n input: any\n integrityValue?: string\n hasher: HasherSync | Hasher\n}): Promise<boolean> {\n if (!integrityValue) {\n return true\n }\n const alg = extractHashAlgFromIntegrity(integrityValue)\n if (!alg) {\n return false\n }\n const calculatedHash = await createIntegrity({ hasher, input, alg })\n return calculatedHash == integrityValue\n}\n\nexport async function createIntegrity({\n input,\n hasher,\n alg = 'sha256',\n}: {\n input: any\n hasher: HasherSync | Hasher\n alg?: IntegrityAlg\n}): Promise<string> {\n const calculatedHash = await hasher(typeof input === 'string' ? input : JSON.stringify(input), alg)\n return `${alg}-${toString(calculatedHash, 'base64')}`\n}\n\nexport function assertValidTypeMetadata(metadata: SdJwtTypeMetadata, vct: string): void {\n if (metadata.vct !== vct) {\n throw new Error('VCT mismatch in metadata and credential')\n }\n}\n","import { SdJwtVcPayload as SdJwtPayload } from '@sd-jwt/sd-jwt-vc'\nimport { Hasher, kbHeader, KBOptions, kbPayload, SaltGenerator, Signer } from '@sd-jwt/types'\nimport { IIdentifierResolution, ManagedIdentifierResult } from '@sphereon/ssi-sdk-ext.identifier-resolution'\nimport { IJwtService } from '@sphereon/ssi-sdk-ext.jwt-service'\nimport { X509CertificateChainValidationOpts } from '@sphereon/ssi-sdk-ext.x509-utils'\nimport { contextHasPlugin } from '@sphereon/ssi-sdk.agent-config'\nimport { ImDLMdoc } from '@sphereon/ssi-sdk.mdl-mdoc'\nimport { HasherSync, JoseSignatureAlgorithm, JsonWebKey, SdJwtTypeMetadata } from '@sphereon/ssi-types'\nimport { DIDDocumentSection, IAgentContext, IDIDManager, IKeyManager, IPluginMethodMap, IResolver } from '@veramo/core'\n\nexport const sdJwtPluginContextMethods: Array<string> = ['createSdJwtVc', 'createSdJwtPresentation', 'verifySdJwtVc', 'verifySdJwtPresentation']\n\n/**\n * My Agent Plugin description.\n *\n * This is the interface that describes what your plugin can do.\n * The methods listed here, will be directly available to the veramo agent where your plugin is going to be used.\n * Depending on the agent configuration, other agent plugins, as well as the application where the agent is used\n * will be able to call these methods.\n *\n * To build a schema for your plugin using standard tools, you must link to this file in your package.json.\n * Example:\n * ```\n * \"veramo\": {\n * \"pluginInterfaces\": {\n * \"IMyAgentPlugin\": \"./src/types/IMyAgentPlugin.ts\"\n * }\n * },\n * ```\n *\n * @beta\n */\nexport interface ISDJwtPlugin extends IPluginMethodMap {\n /**\n * Your plugin method description\n *\n * @param args - Input parameters for this method\n * @param context - The required context where this method can run.\n * Declaring a context type here lets other developers know which other plugins\n * need to also be installed for this method to work.\n */\n /**\n * Create a signed SD-JWT credential.\n * @param args - Arguments necessary for the creation of a SD-JWT credential.\n * @param context - This reserved param is automatically added and handled by the framework, *do not override*\n */\n createSdJwtVc(args: ICreateSdJwtVcArgs, context: IRequiredContext): Promise<ICreateSdJwtVcResult>\n\n /**\n * Create a signed SD-JWT presentation.\n * @param args - Arguments necessary for the creation of a SD-JWT presentation.\n * @param context - This reserved param is automatically added and handled by the framework, *do not override*\n */\n createSdJwtPresentation(args: ICreateSdJwtPresentationArgs, context: IRequiredContext): Promise<ICreateSdJwtPresentationResult>\n\n /**\n * Verify a signed SD-JWT credential.\n * @param args - Arguments necessary for the verification of a SD-JWT credential.\n * @param context - This reserved param is automatically added and handled by the framework, *do not override*\n */\n verifySdJwtVc(args: IVerifySdJwtVcArgs, context: IRequiredContext): Promise<IVerifySdJwtVcResult>\n\n /**\n * Verify a signed SD-JWT presentation.\n * @param args - Arguments necessary for the verification of a SD-JWT presentation.\n * @param context - This reserved param is automatically added and handled by the framework, *do not override*\n */\n verifySdJwtPresentation(args: IVerifySdJwtPresentationArgs, context: IRequiredContext): Promise<IVerifySdJwtPresentationResult>\n\n /**\n * Fetch and validate Type Metadata.\n * @param args - Arguments necessary for fetching and validating the type metadata.\n * @param context - This reserved param is automatically added and handled by the framework, *do not override*\n */\n fetchSdJwtTypeMetadataFromVctUrl(args: FetchSdJwtTypeMetadataFromVctUrlArgs, context: IRequiredContext): Promise<SdJwtTypeMetadata>\n}\n\nexport function contextHasSDJwtPlugin(context: IAgentContext<IPluginMethodMap>): context is IAgentContext<ISDJwtPlugin> {\n return contextHasPlugin(context, 'verifySdJwtVc')\n}\n\n/**\n * ICreateSdJwtVcArgs\n *\n * @beta\n */\n\nexport interface SdJwtVcPayload extends SdJwtPayload {\n x5c?: string[]\n}\n\nexport interface ICreateSdJwtVcArgs {\n credentialPayload: SdJwtVcPayload\n\n // biome-ignore lint/suspicious/noExplicitAny: <explanation>\n disclosureFrame?: IDisclosureFrame\n\n resolution?: ManagedIdentifierResult\n}\n\n/**\n * @beta\n */\nexport interface IDisclosureFrame {\n _sd?: string[]\n _sd_decoy?: number\n\n [x: string]: string[] | number | IDisclosureFrame | undefined\n}\n\n/**\n * ICreateSdJwtVcResult\n *\n * @beta\n */\nexport interface ICreateSdJwtVcResult {\n /**\n * the encoded sd-jwt credential\n */\n credential: string\n}\n\n/**\n *\n * @beta\n */\nexport interface ICreateSdJwtPresentationArgs {\n /**\n * Encoded SD-JWT credential\n */\n presentation: string\n\n /*\n * The keys to use for selective disclosure for presentation\n * if not provided, all keys will be disclosed\n * if empty object, no keys will be disclosed\n */\n presentationFrame?: IPresentationFrame\n\n /**\n * Allows to override the holder. Normally it will be looked up from the cnf or sub values\n */\n holder?: string\n\n /**\n * Information to include to add key binding.\n */\n kb?: KBOptions\n}\n\n/**\n * @beta\n */\nexport interface IPresentationFrame {\n [x: string]: boolean | IPresentationFrame\n}\n\n/**\n * Created presentation\n * @beta\n */\nexport interface ICreateSdJwtPresentationResult {\n /**\n * Encoded presentation.\n */\n presentation: string\n}\n\n/**\n * @beta\n */\nexport interface IVerifySdJwtVcArgs {\n credential: string\n opts?: {\n x5cValidation?: X509CertificateChainValidationOpts\n }\n}\n\n/**\n * @beta\n */\nexport type IVerifySdJwtVcResult = {\n payload: SdJwtPayload\n header: Record<string, unknown>\n kb?: { header: kbHeader; payload: kbPayload }\n}\n\n/**\n * @beta\n */\nexport interface IVerifySdJwtPresentationArgs {\n presentation: string\n\n requiredClaimKeys?: string[]\n\n kb?: boolean\n}\n\n/**\n * @beta\n */\nexport type IVerifySdJwtPresentationResult = {\n payload: unknown //fixme: maybe this can be `SdJwtPayload`\n header: Record<string, unknown> | undefined\n kb?: { header: kbHeader; payload: kbPayload }\n}\n\nexport type SignKeyArgs = {\n identifier: string\n vmRelationship: DIDDocumentSection\n resolution?: ManagedIdentifierResult\n}\n\nexport type SignKeyResult = {\n alg: JoseSignatureAlgorithm\n key: {\n kid?: string\n kmsKeyRef: string\n x5c?: string[]\n jwkThumbprint?: string\n }\n}\n/**\n * This context describes the requirements of this plugin.\n * For this plugin to function properly, the agent needs to also have other plugins installed that implement the\n * interfaces declared here.\n * You can also define requirements on a more granular level, for each plugin method or event handler of your plugin.\n *\n * @beta\n */\nexport type IRequiredContext = IAgentContext<IDIDManager & IIdentifierResolution & IJwtService & IResolver & IKeyManager & ImDLMdoc>\n\nexport type SdJwtVerifySignature = (data: string, signature: string, publicKey: JsonWebKey) => Promise<boolean>\nexport interface SdJWTImplementation {\n saltGenerator?: SaltGenerator\n hasher?: HasherSync\n verifySignature?: SdJwtVerifySignature\n}\n\nexport interface Claims {\n /**\n * Subject of the SD-JWT\n */\n sub?: string\n cnf?: {\n jwk?: JsonWebKey\n kid?: string\n }\n\n [key: string]: unknown\n}\n\nexport type FetchSdJwtTypeMetadataFromVctUrlArgs = {\n vct: string\n vctIntegrity?: string\n opts?: FetchSdJwtTypeMetadataFromVctUrlOpts\n}\n\nexport type FetchSdJwtTypeMetadataFromVctUrlOpts = {\n hasher?: HasherSync | Hasher\n}\n\nexport type GetSignerForIdentifierArgs = {\n identifier: string\n resolution?: ManagedIdentifierResult\n}\n\nexport type GetSignerResult = {\n signer: Signer\n alg?: string\n signingKey?: SignKeyResult\n}\n"],"mappings":";;;;AAAA,SAAcA,aAAa;AAC3B,SAASC,uBAAuC;AAEhD,SAASC,wBAAwBC,iCAAiC;AAIlE,SAASC,uBAAuB;AAChC,OAAOC,WAAW;;;ACRlB,SAASC,0BAA0B;AACnC,SAAsCC,eAAe;AACrD,SAASC,UAAU;AAEnB,SAASC,kBAAkB;AAGpB,IAAMC,wBAAoC,wBAACC,MAA4BC,QAAAA;AAC5E,SAAOC,mBAAmBD,IAAIE,SAAS,KAAA,IAAS,YAAY,SAAA,EAAWC,KACrE,OAAOJ,SAAS,WAAWK,WAAWL,MAAM,OAAA,IAAW,IAAIM,WAAWN,IAAAA,CAAAA;AAE1E,GAJiD;AAM1C,IAAMO,sBAAsB,6BAAA;AACjC,SAAOC,GAAAA;AACT,GAFmC;AAI5B,IAAMC,yBACX,wBAACC,YACD,OAAOV,MAAcW,WAAmBC,cAAAA;AAEtC,QAAMC,SAAS,MAAMH,QAAQI,MAAMC,sBAAsB;IAAEC,KAAK,GAAGhB,IAAAA,IAAQW,SAAAA;IAAaM,KAAKL;EAAiB,CAAA;AAC9GM,UAAQC,QAAQC,IAAI,QAAA,EAAUC,KAAK,sCAAsCR,OAAOS,OAAO,EAAE;AACzF,SAAO,CAACT,OAAOU;AACjB,GANA;;;AClBK,IAAMC,cACX;AAIK,IAAMC,aACX;;;ACJF,SAASC,gBAAgB;AAIzB,eAAsBC,0BAA0BC,KAAW;AACzD,QAAMC,WAAW,MAAMC,MAAMF,GAAAA;AAC7B,MAAI,CAACC,SAASE,IAAI;AAChB,UAAM,IAAIC,MAAM,GAAGH,SAASI,MAAM,KAAKJ,SAASK,UAAU,EAAE;EAC9D;AACA,SAAOL;AACT;AANsBF;AAUtB,SAASQ,4BAA4BC,gBAAuB;AAC1D,QAAMC,MAAMD,gBAAgBE,YAAAA,EAAcC,KAAAA,EAAOC,MAAM,GAAA,EAAK,CAAA;AAC5D,MAAIH,QAAQ,YAAYA,QAAQ,YAAYA,QAAQ,UAAU;AAC5D,WAAOA;EACT;AACA,SAAOI;AACT;AANSN;AAQF,SAASO,yBAAyBN,gBAAuB;AAC9D,SAAOA,gBAAgBE,YAAAA,EAAcC,KAAAA,EAAOC,MAAM,GAAA,EAAK,CAAA;AACzD;AAFgBE;AAIhB,eAAsBC,kBAAkB,EACtCC,OACAR,gBACAS,OAAM,GAKP;AACC,MAAI,CAACT,gBAAgB;AACnB,WAAO;EACT;AACA,QAAMU,MAAMX,4BAA4BC,cAAAA;AACxC,MAAI,CAACU,KAAK;AACR,WAAO;EACT;AACA,QAAMC,iBAAiB,MAAMC,gBAAgB;IAAEH;IAAQD;IAAOE;EAAI,CAAA;AAClE,SAAOC,kBAAkBX;AAC3B;AAlBsBO;AAoBtB,eAAsBK,gBAAgB,EACpCJ,OACAC,QACAC,MAAM,SAAQ,GAKf;AACC,QAAMC,iBAAiB,MAAMF,OAAO,OAAOD,UAAU,WAAWA,QAAQK,KAAKC,UAAUN,KAAAA,GAAQE,GAAAA;AAC/F,SAAO,GAAGA,GAAAA,IAAOK,SAASJ,gBAAgB,QAAA,CAAA;AAC5C;AAXsBC;AAaf,SAASI,wBAAwBC,UAA6BC,KAAW;AAC9E,MAAID,SAASC,QAAQA,KAAK;AACxB,UAAM,IAAItB,MAAM,yCAAA;EAClB;AACF;AAJgBoB;;;AH5BhB,IAAMG,QAAQC,MAAM,0BAAA;AAMb,IAAMC,cAAN,MAAMA;EAvCb,OAuCaA;;;;EAEMC;EACAC;EACTC;EACAC;EAER,YACEF,2BAIAD,mBACA;AACA,SAAKA,oBAAoBA,qBAAqB,CAAA;AAC9C,QAAI,CAACC,2BAA2B;AAC9BA,kCAA4B,CAAC;IAC/B;AACA,QAAI,OAAOA,2BAA2BG,WAAW,YAAY;AAC3DH,gCAA0BG,SAASC;IACrC;AACA,QAAI,OAAOJ,2BAA2BK,kBAAkB,YAAY;AAClEL,gCAA0BK,gBAAgBC;IAC5C;AACA,SAAKN,4BAA4BA;AACjC,SAAKC,WAAWD,2BAA2BO,WAAW,CAAC;AACvD,SAAKL,iBAAiBF,2BAA2BQ;EAGnD;;EAGSC,UAAwB;IAC/BC,eAAe,KAAKA,cAAcC,KAAK,IAAI;IAC3CC,yBAAyB,KAAKA,wBAAwBD,KAAK,IAAI;IAC/DE,eAAe,KAAKA,cAAcF,KAAK,IAAI;IAC3CG,yBAAyB,KAAKA,wBAAwBH,KAAK,IAAI;IAC/DI,kCAAkC,KAAKA,iCAAiCJ,KAAK,IAAI;EACnF;EAEA,MAAcK,uBAAuBC,MAAkCC,SAAqD;AAC1H,UAAM,EAAEC,YAAYC,WAAU,IAAKH;AACnC,QAAII,OAAOC,KAAK,KAAKrB,QAAQ,EAAEsB,SAASJ,UAAAA,KAAe,OAAO,KAAKlB,SAASkB,UAAAA,MAAgB,YAAY;AACtG,aAAO;QAAEK,QAAQ,KAAKvB,SAASkB,UAAAA;MAAY;IAC7C,WAAW,OAAO,KAAKjB,mBAAmB,YAAY;AACpD,aAAO;QAAEsB,QAAQ,KAAKtB;MAAe;IACvC;AACA,UAAMuB,aAAa,MAAM,KAAKC,WAAW;MAAEP;MAAYQ,gBAAgB;MAAmBP;IAAW,GAAGF,OAAAA;AACxG,UAAM,EAAEU,KAAKC,IAAG,IAAKJ;AAErB,UAAMD,SAAiB,8BAAOM,SAAAA;AAC5B,aAAOZ,QAAQa,MAAMC,eAAe;QAAEC,QAAQL,IAAIM;QAAWJ;MAAK,CAAA;IACpE,GAFuB;AAIvB,WAAO;MAAEN;MAAQK;MAAKJ;IAAW;EACnC;;;;;;;EAQA,MAAMf,cAAcO,MAA0BC,SAA0D;AACtG,UAAMiB,SAASlB,KAAKmB,kBAAkBC;AACtC,QAAI,CAACF,QAAQ;AACX,YAAM,IAAIG,MAAM,qCAAA;IAClB;AACA,UAAM,EAAET,KAAKL,QAAQC,WAAU,IAAK,MAAM,KAAKT,uBAAuB;MAAEG,YAAYgB;MAAQf,YAAYH,KAAKG;IAAW,GAAGF,OAAAA;AAC3H,UAAMqB,QAAQ,IAAIC,gBAAgB;MAChChB;MACArB,QAAQ,KAAKH,0BAA0BG;MACvCE,eAAe,KAAKL,0BAA0BK;MAC9CoC,SAASZ,OAAO;MAChBa,SAAS;IACX,CAAA;AAEA,UAAMC,aAAa,MAAMJ,MAAMK,MAAM3B,KAAKmB,mBAAmBnB,KAAK4B,iBAAmE;MACnIC,QAAQ;QACN,GAAIrB,YAAYG,IAAImB,QAAQC,UAAa;UAAED,KAAKtB,WAAWG,IAAImB;QAAI;QACnE,GAAItB,YAAYG,IAAIqB,QAAQD,UAAa;UAAEC,KAAKxB,WAAWG,IAAIqB;QAAI;MACrE;IACF,CAAA;AAEA,WAAO;MAAEN;IAAW;EACtB;;;;;;;EAQA,MAAMjB,WAAWT,MAAmBC,SAAmD;AAErF,UAAM,EAAEC,YAAYC,WAAU,IAAK;MAAE,GAAGH;IAAK;AAC7C,QAAIG,YAAY;AACd,YAAMQ,MAAMR,WAAWQ;AACvB,YAAMC,MAAM,MAAMqB,0BAA0B;QAAEtB;MAAI,CAAA;AAClD,cAAQR,WAAW+B,QAAM;QACvB,KAAK;AACHvD,gBAAM,eAAegC,IAAIwB,YAAY,yBAAyBjC,UAAAA,EAAY;AAC1E,iBAAO;YAAEU;YAAKD,KAAK;cAAE,GAAGA;cAAKM,WAAWd,WAAWc;cAAWa,KAAK3B,WAAW2B;YAAI;UAAE;QACtF;AACE,cAAInB,IAAIyB,MAAMC,QAAQ1B,IAAIyB,KAAKC,KAAKL,KAAK;AACvC,mBAAO;cAAEpB;cAAKD,KAAK;gBAAEmB,KAAK3B,WAAW2B;gBAAKb,WAAWd,WAAWc;gBAAWe,KAAKrB,IAAIyB,KAAKC,KAAKL;cAAgB;YAAE;UAClH,WAAWrB,IAAIyB,MAAME,eAAe;AAClC,mBAAO;cAAE1B;cAAKD,KAAK;gBAAEmB,KAAK3B,WAAW2B;gBAAKb,WAAWd,WAAWc;gBAAWqB,eAAe3B,IAAIyB,KAAKE;cAAc;YAAE;UACrH,OAAO;AACL,mBAAO;cAAE1B;cAAKD,KAAK;gBAAEmB,KAAK3B,WAAW2B;gBAAKb,WAAWd,WAAWc;cAAU;YAAE;UAC9E;MACJ;IACF,WAAWf,WAAWqC,WAAW,MAAA,GAAS;AACxC,YAAMC,gBAAgB,MAAMvC,QAAQa,MAAM2B,0BAA0B;QAAEvC;MAAW,CAAA;AACjF,UAAI,CAACsC,eAAe;AAClB,cAAM,IAAInB,MAAM,2CAA2CnB,UAAAA,EAAY;MACzE;AACA,YAAMS,MAAM6B,cAAc7B;AAC1B,YAAMC,MAAM,MAAMqB,0BAA0B;QAAEtB;MAAI,CAAA;AAClDhC,YAAM,eAAegC,IAAIwB,YAAY,yBAAyBjC,UAAAA,EAAY;AAE1E,aAAO;QAAEU;QAAKD,KAAK;UAAE,GAAGA;UAAKM,WAAWuB,cAAcvB;UAAWa,KAAKU,cAAcV;QAAI;MAAE;IAC5F,OAAO;AACL,YAAMY,gBAAgB,MAAMzC,QAAQa,MAAM6B,0BAA0B;QAAEzC;MAAW,CAAA;AACjF,UAAI,CAACwC,eAAe;AAClB,cAAM,IAAIrB,MAAM,2CAA2CnB,UAAAA,EAAY;MACzE;AACA,YAAMS,MAAM+B,cAAc/B;AAC1B,YAAMC,MAAM,MAAMqB,0BAA0B;QAAEtB;MAAI,CAAA;AAClD,UAAIA,IAAIyB,MAAMC,QAAQ1B,IAAIyB,KAAKC,KAAKL,KAAK;AACvC,eAAO;UAAEpB;UAAKD,KAAK;YAAEmB,KAAKY,cAAcZ;YAAKb,WAAWyB,cAAczB;YAAWe,KAAKrB,IAAIyB,KAAKC,KAAKL;UAAgB;QAAE;MACxH,WAAWrB,IAAIyB,MAAME,eAAe;AAClC,eAAO;UAAE1B;UAAKD,KAAK;YAAEmB,KAAKY,cAAcZ;YAAKb,WAAWyB,cAAczB;YAAWqB,eAAe3B,IAAIyB,KAAKE;UAAc;QAAE;MAC3H,OAAO;AACL,eAAO;UAAE1B;UAAKD,KAAK;YAAEmB,KAAKY,cAAcZ;YAAKb,WAAWyB,cAAczB;UAAU;QAAE;MACpF;IACF;EACF;;;;;;;EAQA,MAAMtB,wBAAwBK,MAAoCC,SAAoE;AACpI,UAAM2C,OAAO,MAAMC,MAAMC,WAAW9C,KAAK+C,cAAc,KAAKhE,0BAA0BG,MAAM;AAC5F,UAAM8D,SAAS,MAAMJ,KAAKK,UAAkB,KAAKlE,0BAA0BG,MAAM;AACjF,QAAIgE;AAEJ,QAAIlD,KAAKkD,QAAQ;AACfA,eAASlD,KAAKkD;IAChB,WAAWF,OAAOG,KAAKC,KAAK;AAC1B,YAAMA,MAAMJ,OAAOG,IAAIC;AACvBF,eAASG,uBAAuB;QAAED;MAAgB,CAAA;IACpD,WAAWJ,OAAOG,KAAKrB,KAAK;AAC1BoB,eAASF,OAAOG,KAAKrB;IACvB,WAAWkB,OAAOM,KAAK;AACrBJ,eAASF,OAAOM;IAClB,OAAO;AACL,YAAM,IAAIjC,MAAM,kEAAA;IAClB;AACA,UAAM,EAAET,KAAKL,OAAM,IAAK,MAAM,KAAKR,uBAAuB;MAAEG,YAAYgD;IAAO,GAAGjD,OAAAA;AAElF,UAAMqB,QAAQ,IAAIC,gBAAgB;MAChCrC,QAAQ,KAAKH,0BAA0BG,UAAUC;MACjDC,eAAe,KAAKL,0BAA0BK;MAC9CmE,UAAUhD;MACViD,WAAW5C,OAAO;IACpB,CAAA;AACA,UAAMmC,eAAe,MAAMzB,MAAMmC,QAAQzD,KAAK+C,cAAc/C,KAAK0D,mBAAwD;MAAEC,IAAI3D,KAAK2D;IAAG,CAAA;AAEvI,WAAO;MAAEZ;IAAa;EACxB;;;;;;;EAQA,MAAMnD,cAAcI,MAA0BC,SAA0D;AAEtG,UAAM2D,WAAqB,8BAAO/C,MAAcgD,cAAsB,KAAKC,OAAOxC,OAAOrB,SAASY,MAAMgD,SAAAA,GAA7E;AAC3B,UAAMvC,QAAQ,IAAIC,gBAAgB;MAAEqC;MAAU1E,QAAQ,KAAKH,0BAA0BG,UAAUC;IAAsB,CAAA;AACrH,UAAM,EAAE0C,SAAS,CAAC,GAAGkC,SAASJ,GAAE,IAAK,MAAMrC,MAAMwC,OAAO9D,KAAK0B,UAAU;AAEvE,WAAO;MAAEG;MAAQkC;MAAoCJ;IAAG;EAC1D;;;;;;;;;;EAWQK,SAAS1C,OAAwBrB,SAA2BY,MAAcgD,WAAmBE,SAAuC;AAC1I,QAAI,CAACA,QAAQZ,KAAK;AAChB,YAAM9B,MAAM,4CAAA;IACd;AACA,WAAO,KAAK4C,wBAAwBhE,OAAAA,EAASY,MAAMgD,WAAW,KAAKK,OAAOH,OAAAA,CAAAA;EAC5E;;;;;;;;;EAUA,MAAMD,OACJxC,OACArB,SACAY,MACAgD,WACAM,MACkB;AAClB,UAAMC,YAAY,MAAM9C,MAAM+C,OAAO,GAAGxD,IAAAA,IAAQgD,SAAAA,EAAW;AAC3D,UAAM3C,SAAmBkD,UAAUE,IAAYP,QAAoC3C;AACnF,UAAMS,SAAUuC,UAAUE,IAAYzC;AACtC,UAAMG,MAA4BH,QAAQG;AAC1C,QAAIoB,MAAoCvB,OAAOuB;AAC/C,QAAIpB,KAAK;AACP,YAAMuC,eAAe,oBAAIC,IAAY;WAAI,KAAK1F;OAAkB;AAChE,UAAIyF,aAAaE,SAAS,GAAG;AAC3BF,qBAAaG,IAAIC,UAAAA;AACjBJ,qBAAaG,IAAIE,WAAAA;MACnB;AACA,YAAMC,8BAA8B,MAAM5E,QAAQa,MAAMgE,2BAA2B;QACjFC,OAAO/C;QACPuC,cAAcS,MAAMC,KAAKV,YAAAA;;QAEzBJ,MAAMA,MAAMe,iBAAiB;UAAEC,wBAAwB;UAAMC,0BAA0B;QAAK;MAC9F,CAAA;AAEA,UAAIP,4BAA4BQ,SAAS,CAACR,6BAA6BS,kBAAkB;AACvF,eAAOC,QAAQC,OAAOnE,MAAM,wCAAwCwD,4BAA4BY,OAAO,EAAE,CAAA;MAC3G;AACA,YAAMC,WAAWb,4BAA4BS,iBAAiB,CAAA;AAC9DlC,YAAMsC,SAASC;IACjB;AAEA,QAAI,CAACvC,OAAOvB,OAAOC,KAAKxB,SAAS,MAAA,GAAS;AACxC,YAAMsF,SAAS,MAAM3F,QAAQa,MAAM+E,WAAW;QAAEC,QAAQjE,OAAOC;MAAI,CAAA;AACnE,UAAI,CAAC8D,QAAQ;AACX,cAAM,IAAIvE,MAAM,0DAAA;MAClB;AAEA,YAAM0E,iBAAiBH,OAAOI,aAAaC,oBAAoBC,KAAK,CAACvF,QAAQA,IAAIwF,EAAE;AACnF,UAAI,CAACJ,gBAAgB;AACnB,cAAM,IAAI1E,MAAM,qEAAA;MAClB;AAGA+B,YAAM2C,eAAeK;IACvB;AAEA,QAAI,CAAChD,OAAOlC,OAAOZ,SAAS,MAAA,GAAS;AAEnC,YAAMsF,SAAS,MAAM3F,QAAQa,MAAM+E,WAAW;QAAEC,QAAQ5E;MAAO,CAAA;AAC/D,UAAI,CAAC0E,QAAQ;AACX,cAAM,IAAIvE,MAAM,0DAAA;MAClB;AAEA,YAAM0E,iBAAiBH,OAAOI,aAAaC,oBAAoBC,KAAK,CAACvF,QAAQA,IAAIwF,EAAE;AACnF,UAAI,CAACJ,gBAAgB;AACnB,cAAM,IAAI1E,MAAM,qEAAA;MAClB;AAGA+B,YAAM2C,eAAeK;IACvB;AAEA,QAAI,CAAChD,KAAK;AACR,YAAM,IAAI/B,MAAM,sDAAA;IAClB;AAEA,WAAO,KAAK4C,wBAAwBhE,OAAAA,EAASY,MAAMgD,WAAWT,GAAAA;EAChE;;;;;;;EAQA,MAAMvD,wBAAwBG,MAAoCC,SAAoE;AACpI,QAAIqB;AACJ,UAAMsC,WAAqB,8BAAO/C,MAAcgD,cAAsB,KAAKC,OAAOxC,OAAOrB,SAASY,MAAMgD,SAAAA,GAA7E;AAC3B,UAAMwC,aAAyB,8BAAOxF,MAAcgD,WAAmBE,YACrE,KAAKC,SAAS1C,OAAOrB,SAASY,MAAMgD,WAAWE,OAAAA,GADlB;AAE/BzC,YAAQ,IAAIC,gBAAgB;MAC1BqC;MACA1E,QAAQ,KAAKH,0BAA0BG;MACvCoH,YAAYD;IACd,CAAA;AAEA,WAAO/E,MAAMwC,OAAO9D,KAAK+C,cAAc/C,KAAKuG,mBAAmBvG,KAAK2D,EAAE;EACxE;;;;;;;EAQA,MAAM7D,iCAAiCE,MAA4CC,SAAuD;AACxI,UAAM,EAAEuG,KAAKC,cAActC,KAAI,IAAKnE;AACpC,UAAM0G,MAAM,IAAIC,IAAIH,GAAAA;AAEpB,UAAMI,WAAW,MAAMC,0BAA0BH,IAAII,SAAQ,CAAA;AAC7D,UAAMC,WAA+B,MAAMH,SAASI,KAAI;AACxDC,4BAAwBF,UAAUP,GAAAA;AAElC,UAAMU,WAAW,8BAAOV,MAAaW,OAAgBC,gBAAyBlI,YAAAA;AAC5E,UAAIA,WAAUkI,gBAAgB;AAC5B,cAAMC,aAAa,MAAMC,kBAAkB;UAAEF;UAAgBD;UAAOjI,QAAAA;QAAO,CAAA;AAC3E,YAAI,CAACmI,YAAY;AACf,iBAAO9B,QAAQC,OAAOnE,MAAM,mCAAmCmF,IAAAA,cAAiBO,SAASQ,OAAO,gBAAgBH,cAAAA,GAAiB,CAAA;QACnI;MACF;IACF,GAPiB;AASjB,UAAMlI,SAAUiF,MAAMjF,UAAU,KAAKH,0BAA0BG,UAAUC;AACzE,QAAID,QAAQ;AACV,UAAIuH,cAAc;AAChB,cAAMS,SAASV,KAAKO,UAAUN,cAAcvH,MAAAA;AAC5C,cAAMsI,gBAAgB,MAAMF,kBAAkB;UAAEF,gBAAgBX;UAAcU,OAAOJ;UAAU7H;QAAO,CAAA;AACtG,YAAI,CAACsI,eAAe;AAClB,iBAAOjC,QAAQC,OAAOnE,MAAM,mCAAmCmF,GAAAA,gBAAmBC,YAAAA,EAAc,CAAA;QAClG;MACF;AAEA,UAAIM,SAAS,mBAAA,GAAsB;AACjC,cAAMU,kBAAkB,MAAM,KAAK3H,iCAAiC;UAAE0G,KAAKO,SAAS,mBAAA;UAAsB5C;QAAK,GAAGlE,OAAAA;AAClH,cAAMiH,SAASV,KAAKiB,iBAAiBV,SAAS,mBAAA,GAAsB7H,MAAAA;MACtE;AAEA,UAAI6H,SAAS,sBAAA,GAAyB;AACpC,cAAMW,iBAAiB,MAAMb,0BAA0BE,SAASY,UAAU;AAC1E,cAAMC,SAAS,MAAMF,eAAeV,KAAI;AACxC,cAAME,SAASV,KAAKoB,QAAQb,SAAS,sBAAA,GAAyB7H,MAAAA;MAChE;AAEA6H,eAASc,SAASC,QAAQ,CAACD,YAAAA;AACzB,cAAME,sBAAsBF,QAAQG,WAAWC,QAAQC,OAAO,eAAA;AAC9D,YAAIH,qBAAqB;AACvBI,kBAAQC,IAAI,4BAAA;QACd;MACF,CAAA;IACF;AAEA,WAAOrB;EACT;EAEQ9C,wBAAwBhE,SAAiD;AAC/E,QAAI,OAAO,KAAKlB,0BAA0BsJ,oBAAoB,YAAY;AACxE,aAAO,KAAKtJ,0BAA0BsJ;IACxC;AAEA,WAAOC,uBAAuBrI,OAAAA;EAChC;EAEQiE,OAAOH,SAAiC;AAC9C,QAAIA,QAAQZ,KAAKC,QAAQrB,QAAW;AAClC,aAAOgC,QAAQZ,IAAIC;IACrB,WAAWW,QAAQZ,QAAQpB,UAAa,SAASgC,QAAQZ,OAAO,OAAOY,QAAQZ,IAAIrB,QAAQ,YAAYiC,QAAQZ,IAAIrB,IAAIS,WAAW,UAAA,GAAa;AAG7I,YAAMgG,UAAU,KAAKC,wBAAwBzE,QAAQZ,IAAIrB,GAAG;AAC5D,YAAM2G,UAAUC,gBAAgBH,OAAAA;AAChC,YAAMjE,MAAMqE,KAAKC,MAAMH,OAAAA;AACvB,aAAOnE;IACT;AACA,UAAMjD,MAAM,2CAAA;EACd;EAEQmH,wBAAwBK,KAAqB;AACnD,UAAMC,QAAQD,IAAIE,MAAM,GAAA;AACxB,QAAID,MAAME,SAAS,GAAG;AACpB,YAAM,IAAI3H,MAAM,oBAAA;IAClB;AACA,WAAOyH,MAAM,CAAA,EAAGC,MAAM,GAAA,EAAK,CAAA;EAC7B;AACF;;;AItaA,SAASE,wBAAwB;AAK1B,IAAMC,4BAA2C;EAAC;EAAiB;EAA2B;EAAiB;;AAmE/G,SAASC,sBAAsBC,SAAwC;AAC5E,SAAOC,iBAAiBD,SAAS,eAAA;AACnC;AAFgBD;","names":["SDJwt","SDJwtVcInstance","calculateJwkThumbprint","signatureAlgorithmFromKey","decodeBase64url","Debug","digestMethodParams","Loggers","v4","fromString","defaultGenerateDigest","data","alg","digestMethodParams","includes","hash","fromString","Uint8Array","defaultGenerateSalt","v4","defaultVerifySignature","context","signature","publicKey","result","agent","jwtVerifyJwsSignature","jws","jwk","Loggers","DEFAULT","get","info","message","error","funkeTestCA","sphereonCA","toString","fetchUrlWithErrorHandling","url","response","fetch","ok","Error","status","statusText","extractHashAlgFromIntegrity","integrityValue","val","toLowerCase","trim","split","undefined","extractHashFromIntegrity","validateIntegrity","input","hasher","alg","calculatedHash","createIntegrity","JSON","stringify","toString","assertValidTypeMetadata","metadata","vct","debug","Debug","SDJwtPlugin","trustAnchorsInPEM","registeredImplementations","_signers","_defaultSigner","hasher","defaultGenerateDigest","saltGenerator","defaultGenerateSalt","signers","defaultSigner","methods","createSdJwtVc","bind","createSdJwtPresentation","verifySdJwtVc","verifySdJwtPresentation","fetchSdJwtTypeMetadataFromVctUrl","getSignerForIdentifier","args","context","identifier","resolution","Object","keys","includes","signer","signingKey","getSignKey","vmRelationship","key","alg","data","agent","keyManagerSign","keyRef","kmsKeyRef","issuer","credentialPayload","iss","Error","sdjwt","SDJwtVcInstance","signAlg","hashAlg","credential","issue","disclosureFrame","header","kid","undefined","x5c","signatureAlgorithmFromKey","method","publicKeyHex","meta","x509","jwkThumbprint","startsWith","didIdentifier","identifierManagedGetByDid","kidIdentifier","identifierManagedGetByKid","cred","SDJwt","fromEncode","presentation","claims","getClaims","holder","cnf","jwk","calculateJwkThumbprint","sub","kbSigner","kbSignAlg","present","presentationFrame","kb","verifier","signature","verify","payload","verifyKb","verifySignatureCallback","getJwk","opts","decodedVC","decode","jwt","trustAnchors","Set","size","add","sphereonCA","funkeTestCA","certificateValidationResult","x509VerifyCertificateChain","chain","Array","from","x5cValidation","trustRootWhenNoAnchors","allowNoTrustAnchorsFound","error","certificateChain","Promise","reject","message","certInfo","publicKeyJWK","didDoc","resolveDid","didUrl","didDocumentKey","didDocument","verificationMethod","find","id","publicKeyJwk","verifierKb","kbVerifier","requiredClaimKeys","vct","vctIntegrity","url","URL","response","fetchUrlWithErrorHandling","toString","metadata","json","assertValidTypeMetadata","validate","input","integrityValue","validation","validateIntegrity","extends","vctValidation","extendsMetadata","schemaResponse","schema_uri","schema","display","forEach","simpleLogoIntegrity","rendering","simple","logo","console","log","verifySignature","defaultVerifySignature","encoded","extractBase64FromDIDJwk","decoded","decodeBase64url","JSON","parse","did","parts","split","length","contextHasPlugin","sdJwtPluginContextMethods","contextHasSDJwtPlugin","context","contextHasPlugin"]}
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@sphereon/ssi-sdk.sd-jwt",
3
- "version": "0.34.1-feature.SSISDK.45.93+e2988de4",
3
+ "version": "0.34.1-feature.SSISDK.46.40+f6339611",
4
4
  "source": "src/index.ts",
5
5
  "type": "module",
6
6
  "main": "./dist/index.cjs",
@@ -26,30 +26,29 @@
26
26
  }
27
27
  },
28
28
  "dependencies": {
29
- "@sd-jwt/core": "^0.15.0",
30
- "@sd-jwt/decode": "^0.15.0",
31
- "@sd-jwt/sd-jwt-vc": "^0.15.0",
32
- "@sd-jwt/types": "^0.15.0",
33
- "@sphereon/ssi-sdk-ext.did-utils": "0.34.1-feature.SSISDK.45.93+e2988de4",
34
- "@sphereon/ssi-sdk-ext.identifier-resolution": "0.34.1-feature.SSISDK.45.93+e2988de4",
35
- "@sphereon/ssi-sdk-ext.jwt-service": "0.34.1-feature.SSISDK.45.93+e2988de4",
36
- "@sphereon/ssi-sdk-ext.key-utils": "0.34.1-feature.SSISDK.45.93+e2988de4",
37
- "@sphereon/ssi-sdk-ext.x509-utils": "0.34.1-feature.SSISDK.45.93+e2988de4",
38
- "@sphereon/ssi-sdk.agent-config": "0.34.1-feature.SSISDK.45.93+e2988de4",
39
- "@sphereon/ssi-sdk.mdl-mdoc": "0.34.1-feature.SSISDK.45.93+e2988de4",
40
- "@sphereon/ssi-types": "0.34.1-feature.SSISDK.45.93+e2988de4",
29
+ "@sd-jwt/core": "^0.9.2",
30
+ "@sd-jwt/sd-jwt-vc": "^0.9.2",
31
+ "@sphereon/ssi-sdk-ext.did-utils": "0.34.1-feature.SSISDK.46.40+f6339611",
32
+ "@sphereon/ssi-sdk-ext.identifier-resolution": "0.34.1-feature.SSISDK.46.40+f6339611",
33
+ "@sphereon/ssi-sdk-ext.jwt-service": "0.34.1-feature.SSISDK.46.40+f6339611",
34
+ "@sphereon/ssi-sdk-ext.key-utils": "0.34.1-feature.SSISDK.46.40+f6339611",
35
+ "@sphereon/ssi-sdk-ext.x509-utils": "0.34.1-feature.SSISDK.46.40+f6339611",
36
+ "@sphereon/ssi-sdk.agent-config": "0.34.1-feature.SSISDK.46.40+f6339611",
37
+ "@sphereon/ssi-sdk.mdl-mdoc": "0.34.1-feature.SSISDK.46.40+f6339611",
38
+ "@sphereon/ssi-types": "0.34.1-feature.SSISDK.46.40+f6339611",
39
+ "@veramo/utils": "4.2.0",
41
40
  "debug": "^4.3.5",
42
41
  "uint8arrays": "^3.1.1",
43
42
  "uuid": "^9.0.1"
44
43
  },
45
44
  "devDependencies": {
46
- "@sd-jwt/decode": "^0.15.0",
47
- "@sd-jwt/types": "^0.15.0",
48
- "@sd-jwt/utils": "^0.15.0",
49
- "@sphereon/ssi-sdk-ext.did-provider-jwk": "0.34.1-feature.SSISDK.45.93+e2988de4",
50
- "@sphereon/ssi-sdk-ext.did-resolver-jwk": "0.34.1-feature.SSISDK.45.93+e2988de4",
51
- "@sphereon/ssi-sdk-ext.key-manager": "0.34.1-feature.SSISDK.45.93+e2988de4",
52
- "@sphereon/ssi-sdk-ext.kms-local": "0.34.1-feature.SSISDK.45.93+e2988de4",
45
+ "@sd-jwt/decode": "^0.9.2",
46
+ "@sd-jwt/types": "^0.9.2",
47
+ "@sd-jwt/utils": "^0.9.2",
48
+ "@sphereon/ssi-sdk-ext.did-provider-jwk": "0.34.1-feature.SSISDK.46.40+f6339611",
49
+ "@sphereon/ssi-sdk-ext.did-resolver-jwk": "0.34.1-feature.SSISDK.46.40+f6339611",
50
+ "@sphereon/ssi-sdk-ext.key-manager": "0.34.1-feature.SSISDK.46.40+f6339611",
51
+ "@sphereon/ssi-sdk-ext.kms-local": "0.34.1-feature.SSISDK.46.40+f6339611",
53
52
  "@types/node": "^20.17.1",
54
53
  "@types/uuid": "^9.0.8",
55
54
  "@veramo/core": "4.2.0",
@@ -84,5 +83,5 @@
84
83
  "Selective Disclosure",
85
84
  "Verifiable Credential"
86
85
  ],
87
- "gitHead": "e2988de4fefe3562aa17e64048824f17672d7cd5"
86
+ "gitHead": "f633961166543652ec09e4e194ed2bacbcb92602"
88
87
  }
package/src/__tests__/{sd-jwt-vc.test.ts → sd-jwt.test.ts} RENAMED
@@ -105,7 +105,7 @@ describe('Agent plugin', () => {
105
105
  ...claims,
106
106
  iss: issuer,
107
107
  iat: Math.floor(new Date().getTime() / 1000),
108
- vct: 'example',
108
+ vct: '',
109
109
  }
110
110
  const credential = await agent.createSdJwtVc({
111
111
  credentialPayload,
@@ -125,7 +125,7 @@ describe('Agent plugin', () => {
125
125
  credentialPayload: credentialPayload as unknown as SdJwtVcPayload,
126
126
  disclosureFrame,
127
127
  }),
128
- ).rejects.toThrow('No issuer (iss or VCDM 2 issuer) found in SD-JWT or no VCDM2 SD-JWT or SD-JWT VC')
128
+ ).rejects.toThrow('credential.issuer must not be empty')
129
129
  })
130
130
 
131
131
  it('verify a sd-jwt', async () => {
@@ -277,8 +277,7 @@ describe('Agent plugin', () => {
277
277
  presentation: presentation.presentation,
278
278
  requiredClaimKeys: ['given_name'],
279
279
  // we are not able to verify the kb yet since we have no reference to the public key of the holder.
280
- keyBindingAud: '1',
281
- keyBindingNonce: '342',
280
+ kb: true,
282
281
  })
283
282
  expect(result).toBeDefined()
284
283
  expect((result.payload as typeof claims).given_name).toBe('John')
@@ -315,8 +314,7 @@ describe('Agent plugin', () => {
315
314
  presentation: presentation.presentation,
316
315
  requiredClaimKeys: ['given_name'],
317
316
  // we are not able to verify the kb yet since we have no reference to the public key of the holder.
318
- keyBindingAud: '1',
319
- keyBindingNonce: '342',
317
+ kb: true,
320
318
  })
321
319
  expect(result).toBeDefined()
322
320
  expect((result.payload as typeof claims).given_name).toBe('John')
package/src/action-handler.ts CHANGED
@@ -1,16 +1,16 @@
1
- import { Jwt, SDJwt, type SdJwtPayload, type VerifierOptions } from '@sd-jwt/core'
2
- import { SDJwtVcInstance, type SdJwtVcPayload } from '@sd-jwt/sd-jwt-vc'
3
- import type { DisclosureFrame, HashAlgorithm, Hasher, JwtPayload, KbVerifier, PresentationFrame, Signer, Verifier } from '@sd-jwt/types'
1
+ import { Jwt, SDJwt } from '@sd-jwt/core'
2
+ import { SDJwtVcInstance, SdJwtVcPayload } from '@sd-jwt/sd-jwt-vc'
3
+ import { DisclosureFrame, Hasher, JwtPayload, KbVerifier, PresentationFrame, Signer, Verifier } from '@sd-jwt/types'
4
4
  import { calculateJwkThumbprint, signatureAlgorithmFromKey } from '@sphereon/ssi-sdk-ext.key-utils'
5
- import type { X509CertificateChainValidationOpts } from '@sphereon/ssi-sdk-ext.x509-utils'
6
- import type { HasherSync, JsonWebKey, JWK, SdJwtTypeMetadata } from '@sphereon/ssi-types'
7
- import type { IAgentPlugin } from '@veramo/core'
8
- // import { decodeBase64url } from '@veramo/utils'
5
+ import { X509CertificateChainValidationOpts } from '@sphereon/ssi-sdk-ext.x509-utils'
6
+ import { HasherSync, JsonWebKey, JWK, SdJwtTypeMetadata } from '@sphereon/ssi-types'
7
+ import { IAgentPlugin } from '@veramo/core'
8
+ import { decodeBase64url } from '@veramo/utils'
9
9
  import Debug from 'debug'
10
10
  import { defaultGenerateDigest, defaultGenerateSalt, defaultVerifySignature } from './defaultCallbacks'
11
11
  import { funkeTestCA, sphereonCA } from './trustAnchors'
12
- import { assertValidTypeMetadata, fetchUrlWithErrorHandling, getIssuerFromSdJwt, isSdjwtVcPayload, isVcdm2SdJwtPayload, validateIntegrity } from './utils'
13
- import type {
12
+ import { assertValidTypeMetadata, fetchUrlWithErrorHandling, validateIntegrity } from './utils'
13
+ import {
14
14
  Claims,
15
15
  FetchSdJwtTypeMetadataFromVctUrlArgs,
16
16
  GetSignerForIdentifierArgs,
@@ -30,10 +30,6 @@ import type {
30
30
  SignKeyArgs,
31
31
  SignKeyResult,
32
32
  } from './types'
33
- import { SDJwtVcdm2Instance, SDJwtVcdmInstanceFactory } from './sdJwtVcdm2Instance'
34
-
35
- // @ts-ignore
36
- import * as u8a from 'uint8arrays'
37
33
 
38
34
  const debug = Debug('@sphereon/ssi-sdk.sd-jwt')
39
35
 
@@ -105,47 +101,27 @@ export class SDJwtPlugin implements IAgentPlugin {
105
101
  * @returns A signed SD-JWT credential.
106
102
  */
107
103
  async createSdJwtVc(args: ICreateSdJwtVcArgs, context: IRequiredContext): Promise<ICreateSdJwtVcResult> {
108
- const payload = args.credentialPayload
109
- const isVcdm2 = isVcdm2SdJwtPayload(payload)
110
- const isSdJwtVc = isSdjwtVcPayload(payload)
111
- const type = args.type ?? (isVcdm2 ? 'vc+sd-jwt' : 'dc+sd-jwt')
112
-
113
- const issuer = getIssuerFromSdJwt(args.credentialPayload)
104
+ const issuer = args.credentialPayload.iss
114
105
  if (!issuer) {
115
106
  throw new Error('credential.issuer must not be empty')
116
107
  }
117
108
  const { alg, signer, signingKey } = await this.getSignerForIdentifier({ identifier: issuer, resolution: args.resolution }, context)
118
- const signAlg = alg ?? signingKey?.alg ?? 'ES256'
119
- const hashAlg: HashAlgorithm = /(\d{3})$/.test(signAlg) ? (`sha-${signAlg.slice(-3)}` as HashAlgorithm) : 'sha-256'
120
- const sdjwt = SDJwtVcdmInstanceFactory.create(type, {
121
- omitTyp: true,
109
+ const sdjwt = new SDJwtVcInstance({
122
110
  signer,
123
111
  hasher: this.registeredImplementations.hasher,
124
112
  saltGenerator: this.registeredImplementations.saltGenerator,
125
- signAlg,
126
- hashAlg,
113
+ signAlg: alg ?? 'ES256',
114
+ hashAlg: 'sha-256',
127
115
  })
128
116
 
129
- const header = {
130
- ...(signingKey?.key.kid !== undefined && { kid: signingKey.key.kid }),
131
- ...(signingKey?.key.x5c !== undefined && { x5c: signingKey.key.x5c }),
132
- ...(type && { typ: type }),
133
- }
134
- let credential: string
135
- if (isVcdm2) {
136
- credential = await (sdjwt as SDJwtVcdm2Instance).issue(
137
- payload,
138
- // @ts-ignore
139
- args.disclosureFrame as DisclosureFrame<typeof payload>,
140
- { header },
141
- )
142
- } else if (isSdJwtVc) {
143
- credential = await (sdjwt as SDJwtVcInstance).issue(payload, args.disclosureFrame as DisclosureFrame<typeof payload>, { header })
144
- } else {
145
- return Promise.reject(new Error(`invalid_argument: credential '${type}' type is not supported`))
146
- }
117
+ const credential = await sdjwt.issue(args.credentialPayload, args.disclosureFrame as DisclosureFrame<typeof args.credentialPayload>, {
118
+ header: {
119
+ ...(signingKey?.key.kid !== undefined && { kid: signingKey.key.kid }),
120
+ ...(signingKey?.key.x5c !== undefined && { x5c: signingKey.key.x5c }),
121
+ },
122
+ })
147
123
 
148
- return { type, credential }
124
+ return { credential }
149
125
  }
150
126
 
151
127
  /**
@@ -207,13 +183,10 @@ export class SDJwtPlugin implements IAgentPlugin {
207
183
  * @returns A signed SD-JWT presentation.
208
184
  */
209
185
  async createSdJwtPresentation(args: ICreateSdJwtPresentationArgs, context: IRequiredContext): Promise<ICreateSdJwtPresentationResult> {
210
- const type = args.type ?? 'dc+sd-jwt'
211
-
212
186
  const cred = await SDJwt.fromEncode(args.presentation, this.registeredImplementations.hasher!)
213
-
214
187
  const claims = await cred.getClaims<Claims>(this.registeredImplementations.hasher!)
215
188
  let holder: string
216
- // we primarily look for a cnf field, if it's not there, we look for a sub field. If this is also not given, we throw an error since we can not sign it.
189
+ // we primarly look for a cnf field, if it's not there we look for a sub field. If this is also not given, we throw an error since we can not sign it.
217
190
  if (args.holder) {
218
191
  holder = args.holder
219
192
  } else if (claims.cnf?.jwk) {
@@ -228,17 +201,15 @@ export class SDJwtPlugin implements IAgentPlugin {
228
201
  }
229
202
  const { alg, signer } = await this.getSignerForIdentifier({ identifier: holder }, context)
230
203
 
231
- const sdjwt = SDJwtVcdmInstanceFactory.create(type, {
232
- omitTyp: true,
233
- hasher: this.registeredImplementations.hasher,
204
+ const sdjwt = new SDJwtVcInstance({
205
+ hasher: this.registeredImplementations.hasher ?? defaultGenerateDigest,
234
206
  saltGenerator: this.registeredImplementations.saltGenerator,
235
207
  kbSigner: signer,
236
208
  kbSignAlg: alg ?? 'ES256',
237
209
  })
238
-
239
210
  const presentation = await sdjwt.present(args.presentation, args.presentationFrame as PresentationFrame<SdJwtVcPayload>, { kb: args.kb })
240
211
 
241
- return { type, presentation }
212
+ return { presentation }
242
213
  }
243
214
 
244
215
  /**
@@ -249,19 +220,11 @@ export class SDJwtPlugin implements IAgentPlugin {
249
220
  */
250
221
  async verifySdJwtVc(args: IVerifySdJwtVcArgs, context: IRequiredContext): Promise<IVerifySdJwtVcResult> {
251
222
  // callback
252
- const verifier: Verifier = async (data: string, signature: string) => this.verifyCallbackImpl(sdjwt, context, data, signature)
223
+ const verifier: Verifier = async (data: string, signature: string) => this.verify(sdjwt, context, data, signature)
224
+ const sdjwt = new SDJwtVcInstance({ verifier, hasher: this.registeredImplementations.hasher ?? defaultGenerateDigest })
225
+ const { header = {}, payload, kb } = await sdjwt.verify(args.credential)
253
226
 
254
- const cred = await SDJwt.fromEncode(args.credential, this.registeredImplementations.hasher!)
255
- const type = isVcdm2SdJwtPayload(cred.jwt?.payload as SdJwtPayload) ? 'vc+sd-jwt' : 'dc+sd-jwt'
256
-
257
-
258
- const sdjwt = SDJwtVcdmInstanceFactory.create(type, {verifier, hasher: this.registeredImplementations.hasher ?? defaultGenerateDigest })
259
- // FIXME: Findynet. Issuer returns expired status lists, and low level lib throws errors on these. We need to fix this in our implementation by wrapping the verification function
260
- // For now a workaround is to ad 5 days of skew seconds, yuck
261
- const { header = {}, payload, kb } = await sdjwt.verify(args.credential, {skewSeconds: 60*60*24*5})
262
-
263
-
264
- return { type, header, payload, kb }
227
+ return { header, payload: payload as SdJwtVcPayload, kb }
265
228
  }
266
229
 
267
230
  /**
@@ -273,14 +236,10 @@ export class SDJwtPlugin implements IAgentPlugin {
273
236
  * @param payload - The payload of the SD-JWT
274
237
  * @returns
275
238
  */
276
- private verifyKb(context: IRequiredContext, data: string, signature: string, payload: JwtPayload): Promise<boolean> {
239
+ private verifyKb(sdjwt: SDJwtVcInstance, context: IRequiredContext, data: string, signature: string, payload: JwtPayload): Promise<boolean> {
277
240
  if (!payload.cnf) {
278
241
  throw Error('other method than cnf is not supported yet')
279
242
  }
280
-
281
- // TODO add aud verification
282
-
283
-
284
243
  return this.verifySignatureCallback(context)(data, signature, this.getJwk(payload))
285
244
  }
286
245
 
@@ -292,16 +251,15 @@ export class SDJwtPlugin implements IAgentPlugin {
292
251
  * @param signature - The signature
293
252
  * @returns
294
253
  */
295
- async verifyCallbackImpl(
296
- sdjwt: SDJwtVcInstance | SDJwtVcdm2Instance,
254
+ async verify(
255
+ sdjwt: SDJwtVcInstance,
297
256
  context: IRequiredContext,
298
257
  data: string,
299
258
  signature: string,
300
259
  opts?: { x5cValidation?: X509CertificateChainValidationOpts },
301
260
  ): Promise<boolean> {
302
261
  const decodedVC = await sdjwt.decode(`${data}.${signature}`)
303
- const payload: SdJwtPayload = (decodedVC.jwt as Jwt).payload as SdJwtPayload
304
- const issuer: string = getIssuerFromSdJwt(payload)
262
+ const issuer: string = ((decodedVC.jwt as Jwt).payload as Record<string, unknown>).iss as string
305
263
  const header = (decodedVC.jwt as Jwt).header as Record<string, any>
306
264
  const x5c: string[] | undefined = header?.x5c as string[]
307
265
  let jwk: JWK | JsonWebKey | undefined = header.jwk
@@ -371,21 +329,16 @@ export class SDJwtPlugin implements IAgentPlugin {
371
329
  */
372
330
  async verifySdJwtPresentation(args: IVerifySdJwtPresentationArgs, context: IRequiredContext): Promise<IVerifySdJwtPresentationResult> {
373
331
  let sdjwt: SDJwtVcInstance
374
- const verifier: Verifier = async (data: string, signature: string) => this.verifyCallbackImpl(sdjwt, context, data, signature)
332
+ const verifier: Verifier = async (data: string, signature: string) => this.verify(sdjwt, context, data, signature)
375
333
  const verifierKb: KbVerifier = async (data: string, signature: string, payload: JwtPayload) =>
376
- this.verifyKb(context, data, signature, payload)
334
+ this.verifyKb(sdjwt, context, data, signature, payload)
377
335
  sdjwt = new SDJwtVcInstance({
378
336
  verifier,
379
337
  hasher: this.registeredImplementations.hasher,
380
338
  kbVerifier: verifierKb,
381
339
  })
382
340
 
383
- const verifierOpts: VerifierOptions = {
384
- requiredClaimKeys: args.requiredClaimKeys,
385
- keyBindingNonce: args.keyBindingNonce,
386
- }
387
-
388
- return sdjwt.verify(args.presentation, verifierOpts)
341
+ return sdjwt.verify(args.presentation, args.requiredClaimKeys, args.kb)
389
342
  }
390
343
 
391
344
  /**
@@ -458,7 +411,7 @@ export class SDJwtPlugin implements IAgentPlugin {
458
411
  // extract JWK from kid FIXME isn't there a did function for this already? Otherwise create one
459
412
  // FIXME this is a quick-fix to make verification but we need a real solution
460
413
  const encoded = this.extractBase64FromDIDJwk(payload.cnf.kid)
461
- const decoded = u8a.toString(u8a.fromString(encoded, 'base64url'), 'utf-8')
414
+ const decoded = decodeBase64url(encoded)
462
415
  const jwt = JSON.parse(decoded)
463
416
  return jwt as JsonWebKey
464
417
  }