npm - @sphereon/ssi-sdk.sd-jwt - Versions diffs - 0.34.1-feature.SSISDK.45.94 → 0.34.1-feature.SSISDK.46.41 - Mend

@sphereon/ssi-sdk.sd-jwt 0.34.1-feature.SSISDK.45.94 → 0.34.1-feature.SSISDK.46.41

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (13) hide show

package/dist/index.cjs +43 -253
package/dist/index.cjs.map +1 -1
package/dist/index.d.cts +8 -66
package/dist/index.d.ts +8 -66
package/dist/index.js +41 -251
package/dist/index.js.map +1 -1
package/package.json +20 -21
package/src/__tests__/{sd-jwt-vc.test.ts → sd-jwt.test.ts} +4 -6
package/src/action-handler.ts +36 -83
package/src/types.ts +6 -40
package/src/utils.ts +1 -32
package/src/__tests__/sd-jwt-vcdm2.test.ts +0 -316
package/src/sdJwtVcdm2Instance.ts +0 -155

package/dist/index.js CHANGED Viewed

@@ -3,8 +3,9 @@ var __name = (target, value) => __defProp(target, "name", { value, configurable:
 // src/action-handler.ts
 import { SDJwt } from "@sd-jwt/core";
-import { SDJwtVcInstance as SDJwtVcInstance2 } from "@sd-jwt/sd-jwt-vc";
+import { SDJwtVcInstance } from "@sd-jwt/sd-jwt-vc";
 import { calculateJwkThumbprint, signatureAlgorithmFromKey } from "@sphereon/ssi-sdk-ext.key-utils";
+import { decodeBase64url } from "@veramo/utils";
 import Debug from "debug";
 // src/defaultCallbacks.ts
@@ -80,189 +81,8 @@ function assertValidTypeMetadata(metadata, vct) {
   }
 }
 __name(assertValidTypeMetadata, "assertValidTypeMetadata");
-function isVcdm2SdJwtPayload(payload) {
-  return "type" in payload && Array.isArray(payload.type) && payload.type.includes("VerifiableCredential") && "@context" in payload && (typeof payload["@context"] === "string" && payload["@context"].length > 0 || Array.isArray(payload["@context"]) && payload["@context"].length > 0 && payload["@context"].includes("https://www.w3.org/ns/credentials/v2"));
-}
-__name(isVcdm2SdJwtPayload, "isVcdm2SdJwtPayload");
-function isSdjwtVcPayload(payload) {
-  return !isVcdm2SdJwtPayload(payload) && "vct" in payload && typeof payload.vct === "string";
-}
-__name(isSdjwtVcPayload, "isSdjwtVcPayload");
-function getIssuerFromSdJwt(payload) {
-  let issuer;
-  if (isSdjwtVcPayload(payload) || "iss" in payload) {
-    issuer = payload.iss;
-  } else if (isVcdm2SdJwtPayload(payload) || "issuer" in payload && payload.issuer) {
-    issuer = typeof payload.issuer === "string" ? payload.issuer : payload.issuer?.id;
-  }
-  if (!issuer) {
-    throw new Error("No issuer (iss or VCDM 2 issuer) found in SD-JWT or no VCDM2 SD-JWT or SD-JWT VC");
-  }
-  return issuer;
-}
-__name(getIssuerFromSdJwt, "getIssuerFromSdJwt");
-// src/sdJwtVcdm2Instance.ts
-import { SDJwtInstance } from "@sd-jwt/core";
-import { SDJWTException } from "@sd-jwt/utils";
-import { SDJwtVcInstance } from "@sd-jwt/sd-jwt-vc";
-// src/types.ts
-import { contextHasPlugin } from "@sphereon/ssi-sdk.agent-config";
-var sdJwtPluginContextMethods = [
-  "createSdJwtVc",
-  "createSdJwtPresentation",
-  "verifySdJwtVc",
-  "verifySdJwtPresentation"
-];
-function contextHasSDJwtPlugin(context) {
-  return contextHasPlugin(context, "verifySdJwtVc");
-}
-__name(contextHasSDJwtPlugin, "contextHasSDJwtPlugin");
-function isVcdm2SdJwt(type) {
-  return type === "vc+sd-jwt" || type === "vp+sd-jwt";
-}
-__name(isVcdm2SdJwt, "isVcdm2SdJwt");
-// src/sdJwtVcdm2Instance.ts
-var SDJwtVcdmInstanceFactory = class {
-  static {
-    __name(this, "SDJwtVcdmInstanceFactory");
-  }
-  static create(type, config) {
-    if (isVcdm2SdJwt(type)) {
-      return new SDJwtVcdm2Instance(config);
-    }
-    return new SDJwtVcInstance(config);
-  }
-};
-var SDJwtVcdm2Instance = class extends SDJwtInstance {
-  static {
-    __name(this, "SDJwtVcdm2Instance");
-  }
-  /**
-  * The type of the SD-JWT VCDM2 set in the header.typ field.
-  */
-  static type = "vc+sd-jwt";
-  userConfig = {};
-  constructor(userConfig) {
-    super(userConfig);
-    if (userConfig) {
-      this.userConfig = userConfig;
-    }
-  }
-  /**
-  * Validates if the disclosureFrame contains any reserved fields. If so it will throw an error.
-  * @param disclosureFrame
-  */
-  validateReservedFields(disclosureFrame) {
-    if (disclosureFrame?._sd && Array.isArray(disclosureFrame._sd) && disclosureFrame._sd.length > 0) {
-      const reservedNames = [
-        "iss",
-        "nbf",
-        "exp",
-        "cnf",
-        "@context",
-        "type",
-        "credentialStatus",
-        "credentialSchema",
-        "relatedResource"
-      ];
-      const reservedNamesInDisclosureFrame = disclosureFrame._sd.filter((key) => reservedNames.includes(key));
-      if (reservedNamesInDisclosureFrame.length > 0) {
-        throw new SDJWTException(`Cannot disclose protected field(s): ${reservedNamesInDisclosureFrame.join(", ")}`);
-      }
-    }
-  }
-  /**
-  * Verifies the SD-JWT-VC. It will validate the signature, the keybindings when required, the status, and the VCT.
-  * @param encodedSDJwt
-  * @param options
-  */
-  async verify(encodedSDJwt, options) {
-    const result = await super.verify(encodedSDJwt, options).then((res) => {
-      return {
-        payload: res.payload,
-        header: res.header,
-        kb: res.kb
-      };
-    });
-    return result;
-  }
-  /**
-  * Validates the integrity of the response if the integrity is passed. If the integrity does not match, an error is thrown.
-  * @param integrity
-  * @param response
-  */
-  async validateIntegrity(response, url, integrity) {
-    if (integrity) {
-      const arrayBuffer = await response.arrayBuffer();
-      const alg = integrity.split("-")[0];
-      const hashBuffer = await this.userConfig.hasher(arrayBuffer, alg);
-      const integrityHash = integrity.split("-")[1];
-      const hash = Array.from(new Uint8Array(hashBuffer)).map((byte) => byte.toString(16).padStart(2, "0")).join("");
-      if (hash !== integrityHash) {
-        throw new Error(`Integrity check for ${url} failed: is ${hash}, but expected ${integrityHash}`);
-      }
-    }
-  }
-  /**
-  * Fetches the content from the url with a timeout of 10 seconds.
-  * @param url
-  * @param integrity
-  * @returns
-  */
-  async fetch(url, integrity) {
-    try {
-      const response = await fetch(url, {
-        signal: AbortSignal.timeout(this.userConfig.timeout ?? 1e4)
-      });
-      if (!response.ok) {
-        const errorText = await response.text();
-        return Promise.reject(new Error(`Error fetching ${url}: ${response.status} ${response.statusText} - ${errorText}`));
-      }
-      await this.validateIntegrity(response.clone(), url, integrity);
-      return response.json();
-    } catch (error) {
-      if (error.name === "TimeoutError") {
-        throw new Error(`Request to ${url} timed out`);
-      }
-      throw error;
-    }
-  }
-  async issue(payload, disclosureFrame, options) {
-    if (payload.iss && !payload.issuer) {
-      payload.issuer = {
-        id: payload.iss
-      };
-      delete payload.iss;
-    }
-    if (payload.nbf && !payload.validFrom) {
-      payload.validFrom = toVcdm2Date(payload.nbf);
-      delete payload.nbf;
-    }
-    if (payload.exp && !payload.validUntil) {
-      payload.validUntil = toVcdm2Date(payload.exp);
-      delete payload.exp;
-    }
-    if (payload.sub && !Array.isArray(payload.credentialSubject) && !payload.credentialSubject.id) {
-      payload.credentialSubject.id = payload.sub;
-      delete payload.sub;
-    }
-    return super.issue(payload, disclosureFrame, options);
-  }
-};
-function toVcdm2Date(value) {
-  const num = typeof value === "string" ? Number(value) : value;
-  if (!Number.isFinite(num)) {
-    throw new SDJWTException(`Invalid numeric date: ${value}`);
-  }
-  return new Date(num * 1e3).toISOString();
-}
-__name(toVcdm2Date, "toVcdm2Date");
 // src/action-handler.ts
-import * as u8a from "uint8arrays";
 var debug = Debug("@sphereon/ssi-sdk.sd-jwt");
 var SDJwtPlugin = class {
   static {
@@ -332,11 +152,7 @@ var SDJwtPlugin = class {
   * @returns A signed SD-JWT credential.
   */
   async createSdJwtVc(args, context) {
-    const payload = args.credentialPayload;
-    const isVcdm2 = isVcdm2SdJwtPayload(payload);
-    const isSdJwtVc = isSdjwtVcPayload(payload);
-    const type = args.type ?? (isVcdm2 ? "vc+sd-jwt" : "dc+sd-jwt");
-    const issuer = getIssuerFromSdJwt(args.credentialPayload);
+    const issuer = args.credentialPayload.iss;
     if (!issuer) {
       throw new Error("credential.issuer must not be empty");
     }
@@ -344,46 +160,24 @@ var SDJwtPlugin = class {
       identifier: issuer,
       resolution: args.resolution
     }, context);
-    const signAlg = alg ?? signingKey?.alg ?? "ES256";
-    const hashAlg = /(\d{3})$/.test(signAlg) ? `sha-${signAlg.slice(-3)}` : "sha-256";
-    const sdjwt = SDJwtVcdmInstanceFactory.create(type, {
-      omitTyp: true,
+    const sdjwt = new SDJwtVcInstance({
       signer,
       hasher: this.registeredImplementations.hasher,
       saltGenerator: this.registeredImplementations.saltGenerator,
-      signAlg,
-      hashAlg
+      signAlg: alg ?? "ES256",
+      hashAlg: "sha-256"
     });
-    const header = {
-      ...signingKey?.key.kid !== void 0 && {
-        kid: signingKey.key.kid
-      },
-      ...signingKey?.key.x5c !== void 0 && {
-        x5c: signingKey.key.x5c
-      },
-      ...type && {
-        typ: type
-      }
-    };
-    let credential;
-    if (isVcdm2) {
-      credential = await sdjwt.issue(
-        payload,
-        // @ts-ignore
-        args.disclosureFrame,
-        {
-          header
+    const credential = await sdjwt.issue(args.credentialPayload, args.disclosureFrame, {
+      header: {
+        ...signingKey?.key.kid !== void 0 && {
+          kid: signingKey.key.kid
+        },
+        ...signingKey?.key.x5c !== void 0 && {
+          x5c: signingKey.key.x5c
         }
-      );
-    } else if (isSdJwtVc) {
-      credential = await sdjwt.issue(payload, args.disclosureFrame, {
-        header
-      });
-    } else {
-      return Promise.reject(new Error(`invalid_argument: credential '${type}' type is not supported`));
-    }
+      }
+    });
     return {
-      type,
       credential
     };
   }
@@ -509,7 +303,6 @@ var SDJwtPlugin = class {
   * @returns A signed SD-JWT presentation.
   */
   async createSdJwtPresentation(args, context) {
-    const type = args.type ?? "dc+sd-jwt";
     const cred = await SDJwt.fromEncode(args.presentation, this.registeredImplementations.hasher);
     const claims = await cred.getClaims(this.registeredImplementations.hasher);
     let holder;
@@ -530,9 +323,8 @@ var SDJwtPlugin = class {
     const { alg, signer } = await this.getSignerForIdentifier({
       identifier: holder
     }, context);
-    const sdjwt = SDJwtVcdmInstanceFactory.create(type, {
-      omitTyp: true,
-      hasher: this.registeredImplementations.hasher,
+    const sdjwt = new SDJwtVcInstance({
+      hasher: this.registeredImplementations.hasher ?? defaultGenerateDigest,
       saltGenerator: this.registeredImplementations.saltGenerator,
       kbSigner: signer,
       kbSignAlg: alg ?? "ES256"
@@ -541,7 +333,6 @@ var SDJwtPlugin = class {
       kb: args.kb
     });
     return {
-      type,
       presentation
     };
   }
@@ -552,18 +343,13 @@ var SDJwtPlugin = class {
   * @returns
   */
   async verifySdJwtVc(args, context) {
-    const verifier = /* @__PURE__ */ __name(async (data, signature) => this.verifyCallbackImpl(sdjwt, context, data, signature), "verifier");
-    const cred = await SDJwt.fromEncode(args.credential, this.registeredImplementations.hasher);
-    const type = isVcdm2SdJwtPayload(cred.jwt?.payload) ? "vc+sd-jwt" : "dc+sd-jwt";
-    const sdjwt = SDJwtVcdmInstanceFactory.create(type, {
+    const verifier = /* @__PURE__ */ __name(async (data, signature) => this.verify(sdjwt, context, data, signature), "verifier");
+    const sdjwt = new SDJwtVcInstance({
       verifier,
       hasher: this.registeredImplementations.hasher ?? defaultGenerateDigest
     });
-    const { header = {}, payload, kb } = await sdjwt.verify(args.credential, {
-      skewSeconds: 60 * 60 * 24 * 5
-    });
+    const { header = {}, payload, kb } = await sdjwt.verify(args.credential);
     return {
-      type,
       header,
       payload,
       kb
@@ -578,7 +364,7 @@ var SDJwtPlugin = class {
   * @param payload - The payload of the SD-JWT
   * @returns
   */
-  verifyKb(context, data, signature, payload) {
+  verifyKb(sdjwt, context, data, signature, payload) {
     if (!payload.cnf) {
       throw Error("other method than cnf is not supported yet");
     }
@@ -592,10 +378,9 @@ var SDJwtPlugin = class {
   * @param signature - The signature
   * @returns
   */
-  async verifyCallbackImpl(sdjwt, context, data, signature, opts) {
+  async verify(sdjwt, context, data, signature, opts) {
     const decodedVC = await sdjwt.decode(`${data}.${signature}`);
-    const payload = decodedVC.jwt.payload;
-    const issuer = getIssuerFromSdJwt(payload);
+    const issuer = decodedVC.jwt.payload.iss;
     const header = decodedVC.jwt.header;
     const x5c = header?.x5c;
     let jwk = header.jwk;
@@ -661,18 +446,14 @@ var SDJwtPlugin = class {
   */
   async verifySdJwtPresentation(args, context) {
     let sdjwt;
-    const verifier = /* @__PURE__ */ __name(async (data, signature) => this.verifyCallbackImpl(sdjwt, context, data, signature), "verifier");
-    const verifierKb = /* @__PURE__ */ __name(async (data, signature, payload) => this.verifyKb(context, data, signature, payload), "verifierKb");
-    sdjwt = new SDJwtVcInstance2({
+    const verifier = /* @__PURE__ */ __name(async (data, signature) => this.verify(sdjwt, context, data, signature), "verifier");
+    const verifierKb = /* @__PURE__ */ __name(async (data, signature, payload) => this.verifyKb(sdjwt, context, data, signature, payload), "verifierKb");
+    sdjwt = new SDJwtVcInstance({
       verifier,
       hasher: this.registeredImplementations.hasher,
       kbVerifier: verifierKb
     });
-    const verifierOpts = {
-      requiredClaimKeys: args.requiredClaimKeys,
-      keyBindingNonce: args.keyBindingNonce
-    };
-    return sdjwt.verify(args.presentation, verifierOpts);
+    return sdjwt.verify(args.presentation, args.requiredClaimKeys, args.kb);
   }
   /**
   * Fetch and validate Type Metadata.
@@ -743,7 +524,7 @@ var SDJwtPlugin = class {
       return payload.cnf.jwk;
     } else if (payload.cnf !== void 0 && "kid" in payload.cnf && typeof payload.cnf.kid === "string" && payload.cnf.kid.startsWith("did:jwk:")) {
       const encoded = this.extractBase64FromDIDJwk(payload.cnf.kid);
-      const decoded = u8a.toString(u8a.fromString(encoded, "base64url"), "utf-8");
+      const decoded = decodeBase64url(encoded);
       const jwt = JSON.parse(decoded);
       return jwt;
     }
@@ -757,6 +538,19 @@ var SDJwtPlugin = class {
     return parts[2].split("#")[0];
   }
 };
+// src/types.ts
+import { contextHasPlugin } from "@sphereon/ssi-sdk.agent-config";
+var sdJwtPluginContextMethods = [
+  "createSdJwtVc",
+  "createSdJwtPresentation",
+  "verifySdJwtVc",
+  "verifySdJwtPresentation"
+];
+function contextHasSDJwtPlugin(context) {
+  return contextHasPlugin(context, "verifySdJwtVc");
+}
+__name(contextHasSDJwtPlugin, "contextHasSDJwtPlugin");
 export {
   SDJwtPlugin,
   assertValidTypeMetadata,
@@ -764,10 +558,6 @@ export {
   createIntegrity,
   extractHashFromIntegrity,
   fetchUrlWithErrorHandling,
-  getIssuerFromSdJwt,
-  isSdjwtVcPayload,
-  isVcdm2SdJwt,
-  isVcdm2SdJwtPayload,
   sdJwtPluginContextMethods,
   validateIntegrity
 };