@sphereon/ssi-sdk.sd-jwt 0.34.1-feature.SSISDK.45.94 → 0.34.1-feature.SSISDK.46.41

package/src/types.ts

@@ -1,22 +1,12 @@
+import { SdJwtVcPayload as SdJwtPayload } from '@sd-jwt/sd-jwt-vc'
 import { Hasher, kbHeader, KBOptions, kbPayload, SaltGenerator, Signer } from '@sd-jwt/types'
 import { IIdentifierResolution, ManagedIdentifierResult } from '@sphereon/ssi-sdk-ext.identifier-resolution'
 import { IJwtService } from '@sphereon/ssi-sdk-ext.jwt-service'
 import { X509CertificateChainValidationOpts } from '@sphereon/ssi-sdk-ext.x509-utils'
 import { contextHasPlugin } from '@sphereon/ssi-sdk.agent-config'
 import { ImDLMdoc } from '@sphereon/ssi-sdk.mdl-mdoc'
-import {
-  HasherSync,
-  JoseSignatureAlgorithm,
-  JsonWebKey,
-  SdJwtType,
-  SdJwtTypeMetadata,
-  SdJwtVcdm2Payload,
-  SdJwtVcType,
-  SdJwtVpType,
-} from '@sphereon/ssi-types'
+import { HasherSync, JoseSignatureAlgorithm, JsonWebKey, SdJwtTypeMetadata } from '@sphereon/ssi-types'
 import { DIDDocumentSection, IAgentContext, IDIDManager, IKeyManager, IPluginMethodMap, IResolver } from '@veramo/core'
-import { SdJwtVcPayload as OrigSdJwtVcPayload } from '@sd-jwt/sd-jwt-vc'
-import { SdJwtPayload } from '@sd-jwt/core'
 
 export const sdJwtPluginContextMethods: Array<string> = ['createSdJwtVc', 'createSdJwtPresentation', 'verifySdJwtVc', 'verifySdJwtPresentation']
 
@@ -95,19 +85,12 @@ export function contextHasSDJwtPlugin(context: IAgentContext<IPluginMethodMap>):
  * @beta
  */
 
-export interface SdJwtVcPayload extends OrigSdJwtVcPayload {
+export interface SdJwtVcPayload extends SdJwtPayload {
   x5c?: string[]
 }
 
-export type Vcdm2Enveloped = 'EnvelopedVerifiableCredential' | 'EnvelopedVerifiablePresentation'
-
-export function isVcdm2SdJwt(type: SdJwtType | string): Boolean {
-  return type === 'vc+sd-jwt' || type === 'vp+sd-jwt'
-}
-
 export interface ICreateSdJwtVcArgs {
-  type?: SdJwtVcType
-  credentialPayload: SdJwtPayload
+  credentialPayload: SdJwtVcPayload
 
   // biome-ignore lint/suspicious/noExplicitAny: <explanation>
   disclosureFrame?: IDisclosureFrame
@@ -131,8 +114,6 @@ export interface IDisclosureFrame {
  * @beta
  */
 export interface ICreateSdJwtVcResult {
-  type: SdJwtVcType
-
   /**
    * the encoded sd-jwt credential
    */
@@ -165,10 +146,6 @@ export interface ICreateSdJwtPresentationArgs {
    * Information to include to add key binding.
    */
   kb?: KBOptions
-
-  type?: SdJwtVpType
-
-  vcdm2Enveloped?: Vcdm2Enveloped
 }
 
 /**
@@ -187,8 +164,6 @@ export interface ICreateSdJwtPresentationResult {
    * Encoded presentation.
    */
   presentation: string
-
-  type: SdJwtVpType
 }
 
 /**
@@ -205,8 +180,7 @@ export interface IVerifySdJwtVcArgs {
  * @beta
  */
 export type IVerifySdJwtVcResult = {
-  type: SdJwtVcType
-  payload: SdJwtVcPayload | SdJwtVcdm2Payload
+  payload: SdJwtPayload
   header: Record<string, unknown>
   kb?: { header: kbHeader; payload: kbPayload }
 }
@@ -219,15 +193,7 @@ export interface IVerifySdJwtPresentationArgs {
 
   requiredClaimKeys?: string[]
 
-  /**
-   * nonce used to verify the key binding jwt to prevent replay attacks.
-   */
-  keyBindingNonce?: string
-
-  /**
-   * Audience used to verify the key binding jwt
-   */
-  keyBindingAud?: string
+  kb?: boolean
 }
 
 /**

package/src/utils.ts

@@ -1,9 +1,7 @@
-import type { SdJwtTypeMetadata, SdJwtVcdm2Payload } from '@sphereon/ssi-types'
+import { SdJwtTypeMetadata } from '@sphereon/ssi-types'
 // @ts-ignore
 import { toString } from 'uint8arrays/to-string'
 import { Hasher, HasherSync } from '@sd-jwt/types'
-import type { SdJwtPayload } from '@sd-jwt/core'
-import type { SdJwtVcPayload } from '@sd-jwt/sd-jwt-vc'
 
 // Helper function to fetch API with error handling
 export async function fetchUrlWithErrorHandling(url: string): Promise<Response> {
@@ -66,32 +64,3 @@ export function assertValidTypeMetadata(metadata: SdJwtTypeMetadata, vct: string
     throw new Error('VCT mismatch in metadata and credential')
   }
 }
-
-export function isVcdm2SdJwtPayload(payload: SdJwtPayload): payload is SdJwtVcdm2Payload {
-  return (
-    'type' in payload &&
-    Array.isArray(payload.type) &&
-    payload.type.includes('VerifiableCredential') &&
-    '@context' in payload &&
-    ((typeof payload['@context'] === 'string' && payload['@context'].length > 0) ||
-      (Array.isArray(payload['@context']) && payload['@context'].length > 0 && payload['@context'].includes('https://www.w3.org/ns/credentials/v2')))
-  )
-}
-
-export function isSdjwtVcPayload(payload: SdJwtPayload): payload is SdJwtVcPayload {
-  return !isVcdm2SdJwtPayload(payload) && 'vct' in payload && typeof payload.vct === 'string'
-}
-
-export function getIssuerFromSdJwt(payload: SdJwtPayload): string {
-  let issuer: string | undefined
-  if (isSdjwtVcPayload(payload) || 'iss' in payload) {
-    issuer = payload.iss as string
-  } else if (isVcdm2SdJwtPayload(payload) || 'issuer' in payload && payload.issuer) {
-    issuer = typeof payload.issuer === 'string' ? payload.issuer : (payload.issuer as any)?.id
-  }
-
-  if (!issuer) {
-    throw new Error('No issuer (iss or VCDM 2 issuer) found in SD-JWT or no VCDM2 SD-JWT or SD-JWT VC')
-  }
-  return issuer
-}

package/src/__tests__/sd-jwt-vcdm2.test.ts

@@ -1,316 +0,0 @@
-import { beforeAll, describe, expect, it } from 'vitest'
-import { KBJwt } from '@sd-jwt/core'
-import { decodeSdJwt } from '@sd-jwt/decode'
-import { SdJwtVcPayload } from '@sd-jwt/sd-jwt-vc'
-import { DisclosureFrame, kbPayload } from '@sd-jwt/types'
-import { JwkDIDProvider } from '@sphereon/ssi-sdk-ext.did-provider-jwk'
-import { getDidJwkResolver } from '@sphereon/ssi-sdk-ext.did-resolver-jwk'
-import { IdentifierResolution, IIdentifierResolution } from '@sphereon/ssi-sdk-ext.identifier-resolution'
-import { IJwtService, JwtService } from '@sphereon/ssi-sdk-ext.jwt-service'
-import { MemoryKeyStore, MemoryPrivateKeyStore, SphereonKeyManager } from '@sphereon/ssi-sdk-ext.key-manager'
-import { SphereonKeyManagementSystem } from '@sphereon/ssi-sdk-ext.kms-local'
-import { ImDLMdoc, MDLMdoc } from '@sphereon/ssi-sdk.mdl-mdoc'
-import { createAgent, IDIDManager, IKeyManager, IResolver, TAgent } from '@veramo/core'
-import { DIDManager, MemoryDIDStore } from '@veramo/did-manager'
-import { DIDResolverPlugin } from '@veramo/did-resolver'
-import { DIDDocument, Resolver, VerificationMethod } from 'did-resolver'
-import { defaultGenerateDigest } from '../defaultCallbacks'
-import { ISDJwtPlugin, SDJwtPlugin } from '../index'
-import { SdJwtVcdm2Payload } from '@sphereon/ssi-types'
-
-type AgentType = IDIDManager & IKeyManager & IIdentifierResolution & IJwtService & IResolver & ISDJwtPlugin & ImDLMdoc
-
-describe('Agent plugin', () => {
-  let agent: TAgent<AgentType>
-
-  let issuer: string
-
-  let holder: string
-
-  // Issuer Define the claims object with the user's information
-  const claims = {
-    sub: '',
-    credentialSubject: {
-      given_name: 'John',
-      family_name: 'Deo',
-      email: 'johndeo@example.com',
-      phone: '+1-202-555-0101',
-      address: {
-        street_address: '123 Main St',
-        locality: 'Anytown',
-        region: 'Anystate',
-        country: 'US',
-      },
-      birthdate: '1940-01-01',
-    },
-  }
-
-  // Issuer Define the disclosure frame to specify which claims can be disclosed
-  const disclosureFrame: DisclosureFrame<typeof claims> = {
-    credentialSubject: {
-      _sd: ['given_name', 'family_name', 'email', 'phone', 'address', 'birthdate'],
-    },
-  }
-  let testVcdm2SdJwtCredentialPayload: SdJwtVcdm2Payload
-
-  beforeAll(async () => {
-    agent = createAgent<AgentType>({
-      plugins: [
-        new SDJwtPlugin(),
-        new IdentifierResolution(),
-        new JwtService(),
-        new SphereonKeyManager({
-          store: new MemoryKeyStore(),
-          kms: {
-            local: new SphereonKeyManagementSystem(new MemoryPrivateKeyStore()),
-          },
-        }),
-        new DIDResolverPlugin({
-          resolver: new Resolver({
-            ...getDidJwkResolver(),
-          }),
-        }),
-        new DIDManager({
-          store: new MemoryDIDStore(),
-          defaultProvider: 'did:jwk',
-          providers: {
-            'did:jwk': new JwkDIDProvider({
-              defaultKms: 'local',
-            }),
-          },
-        }),
-      ],
-    })
-    issuer = await agent
-      .didManagerCreate({
-        kms: 'local',
-        provider: 'did:jwk',
-        alias: 'issuer',
-        //we use this curve since nodejs does not support ES256k which is the default one.
-        options: { keyType: 'Secp256r1' },
-      })
-      .then((did) => {
-        // we add a key reference
-        return `${did.did}#0`
-      })
-    holder = await agent
-      .didManagerCreate({
-        kms: 'local',
-        provider: 'did:jwk',
-        alias: 'holder',
-        //we use this curve since nodejs does not support ES256k which is the default one.
-        options: { keyType: 'Secp256r1' },
-      })
-      .then((did) => `${did.did}#0`)
-    claims.sub = holder
-
-    testVcdm2SdJwtCredentialPayload = {
-      ...claims,
-      '@context': ['https://www.w3.org/ns/credentials/v2'],
-      type: ['VerifiableCredential'],
-      issuer,
-      validFrom: '2021-01-01T00:00:00Z',
-      // iat: Math.floor(new Date().getTime() / 1000),
-    }
-  })
-
-  it('create a sd-jwt vcdm2', async () => {
-    const credentialPayload: SdJwtVcdm2Payload = {
-      ...claims,
-      '@context': ['https://www.w3.org/ns/credentials/v2'],
-      type: ['VerifiableCredential'],
-      issuer,
-      validFrom: '2021-01-01T00:00:00Z',
-      iat: Math.floor(new Date().getTime() / 1000),
-    }
-    const credential = await agent.createSdJwtVc({
-      credentialPayload,
-      disclosureFrame,
-    })
-    expect(credential).toBeDefined()
-  })
-
-  it('create sd-jwt vcdm2 without an issuer', async () => {
-    const credentialPayload = {
-      ...claims,
-      '@context': ['https://www.w3.org/ns/credentials/v2'],
-      type: ['VerifiableCredential'],
-      validFrom: '2021-01-01T00:00:00Z',
-      // iat: Math.floor(new Date().getTime() / 1000),
-    }
-    await expect(
-      agent.createSdJwtVc({
-        credentialPayload: credentialPayload as unknown as SdJwtVcPayload,
-        disclosureFrame,
-      }),
-    ).rejects.toThrow('No issuer (iss or VCDM 2 issuer) found in SD-JWT or no VCDM2 SD-JWT or SD-JWT VC')
-  })
-
-  it('verify a sd-jwt vcdm2', async () => {
-    const credential = await agent.createSdJwtVc({
-      credentialPayload: testVcdm2SdJwtCredentialPayload,
-      disclosureFrame: disclosureFrame,
-    })
-    const result = await agent.verifySdJwtVc({
-      credential: credential.credential,
-    })
-    expect(result.payload).toBeDefined()
-  }, 5000)
-
-  it('create a presentation', async () => {
-    const credentialPayload = testVcdm2SdJwtCredentialPayload
-    const credential = await agent.createSdJwtVc({
-      credentialPayload,
-      disclosureFrame,
-    })
-    const presentation = await agent.createSdJwtPresentation({
-      presentation: credential.credential,
-      presentationFrame: { given_name: true },
-      kb: {
-        payload: {
-          aud: '1',
-          iat: 1,
-          nonce: '342',
-        },
-      },
-    })
-    expect(presentation).toBeDefined()
-    const decoded = await decodeSdJwt(presentation.presentation, defaultGenerateDigest)
-    expect(decoded.kbJwt).toBeDefined()
-    expect(((decoded.kbJwt as KBJwt).payload as kbPayload).aud).toBe('1')
-  })
-
-  it('create presentation with cnf', async () => {
-    const did = await agent.didManagerFind({ alias: 'holder' }).then((dids) => dids[0])
-    const resolvedDid = await agent.resolveDid({ didUrl: `${did.did}#0` })
-    const jwk: JsonWebKey = ((resolvedDid.didDocument as DIDDocument).verificationMethod as VerificationMethod[])[0].publicKeyJwk as JsonWebKey
-    const credentialPayload = {
-      ...testVcdm2SdJwtCredentialPayload,
-      cnf: {
-        jwk,
-      },
-    }
-    const credential = await agent.createSdJwtVc({
-      credentialPayload,
-      disclosureFrame,
-    })
-    const presentation = await agent.createSdJwtPresentation({
-      presentation: credential.credential,
-      presentationFrame: { given_name: true },
-      kb: {
-        payload: {
-          aud: '1',
-          iat: 1,
-          nonce: '342',
-        },
-      },
-    })
-    expect(presentation).toBeDefined()
-    const decoded = await decodeSdJwt(presentation.presentation, defaultGenerateDigest)
-    expect(decoded.kbJwt).toBeDefined()
-    expect(((decoded.kbJwt as KBJwt).payload as kbPayload).aud).toBe('1')
-  })
-
-  it('includes no holder reference', async () => {
-    const newClaims = JSON.parse(JSON.stringify(claims))
-    newClaims.sub = undefined
-    const credentialPayload: SdJwtVcPayload = {
-      ...newClaims,
-      iss: issuer,
-      iat: Math.floor(new Date().getTime() / 1000),
-      vct: '',
-    }
-    const credential = await agent.createSdJwtVc({
-      credentialPayload,
-      disclosureFrame,
-    })
-    const presentation = agent.createSdJwtPresentation({
-      presentation: credential.credential,
-      presentationFrame: { given_name: true },
-      kb: {
-        payload: {
-          aud: '1',
-          iat: 1,
-          nonce: '342',
-        },
-      },
-    })
-    await expect(presentation).rejects.toThrow('credential does not include a holder reference')
-  })
-
-  it('verify a presentation', async () => {
-    const holderDId = await agent.resolveDid({ didUrl: holder })
-    const jwk: JsonWebKey = ((holderDId.didDocument as DIDDocument).verificationMethod as VerificationMethod[])[0].publicKeyJwk as JsonWebKey
-    const credentialPayload: SdJwtVcPayload = {
-      ...claims,
-      iss: issuer,
-      iat: Math.floor(new Date().getTime() / 1000),
-      vct: '',
-      cnf: {
-        jwk,
-      },
-    }
-    const credential = await agent.createSdJwtVc({
-      credentialPayload,
-      disclosureFrame,
-    })
-    const presentation = await agent.createSdJwtPresentation({
-      presentation: credential.credential,
-      presentationFrame: { credentialSubject: {given_name: true} },
-      kb: {
-        payload: {
-          aud: '1',
-          iat: 1,
-          nonce: '342',
-        },
-      },
-    })
-    const result = await agent.verifySdJwtPresentation({
-      presentation: presentation.presentation,
-      requiredClaimKeys: ['credentialSubject.given_name'],
-      // we are not able to verify the kb yet since we have no reference to the public key of the holder.
-      keyBindingAud: '1',
-      keyBindingNonce: '342',
-    })
-    expect(result).toBeDefined()
-    expect((result.payload as typeof claims).credentialSubject.given_name).toBe('John')
-  })
-
-  it('verify a presentation with sub set', async () => {
-    const holderDId = await agent.resolveDid({ didUrl: holder })
-    const jwk: JsonWebKey = ((holderDId.didDocument as DIDDocument).verificationMethod as VerificationMethod[])[0].publicKeyJwk as JsonWebKey
-    const credentialPayload: SdJwtVcPayload = {
-      ...claims,
-      iss: issuer,
-      iat: Math.floor(new Date().getTime() / 1000),
-      vct: '',
-      cnf: {
-        jwk,
-      },
-    }
-    const credential = await agent.createSdJwtVc({
-      credentialPayload,
-      disclosureFrame,
-    })
-    const presentation = await agent.createSdJwtPresentation({
-      presentation: credential.credential,
-      presentationFrame: { credentialSubject: {given_name: true} },
-      kb: {
-        payload: {
-          aud: '1',
-          iat: 1,
-          nonce: '342',
-        },
-      },
-    })
-    const result = await agent.verifySdJwtPresentation({
-      presentation: presentation.presentation,
-      requiredClaimKeys: ['credentialSubject.given_name'],
-      // we are not able to verify the kb yet since we have no reference to the public key of the holder.
-      keyBindingAud: '1',
-      keyBindingNonce: '342',
-    })
-    expect(result).toBeDefined()
-    expect((result.payload as typeof claims).credentialSubject.given_name).toBe('John')
-  })
-})

package/src/sdJwtVcdm2Instance.ts

@@ -1,155 +0,0 @@
-import { SDJwtInstance, type VerifierOptions } from '@sd-jwt/core'
-import type { DisclosureFrame, Hasher, SDJWTCompact } from '@sd-jwt/types'
-import { SDJWTException } from '@sd-jwt/utils'
-import { type SdJwtType, type SDJWTVCDM2Config, type SdJwtVcdm2Payload } from '@sphereon/ssi-types'
-import { type SDJWTVCConfig, SDJwtVcInstance, type VerificationResult } from '@sd-jwt/sd-jwt-vc'
-import { isVcdm2SdJwt } from './types'
-
-interface SdJwtVcdm2VerificationResult extends Omit<VerificationResult, 'payload'> {
-  payload: SdJwtVcdm2Payload
-}
-
-export class SDJwtVcdmInstanceFactory {
-  static create(type: SdJwtType, config: SDJWTVCConfig | SDJWTVCDM2Config): SDJwtVcdm2Instance | SDJwtVcInstance {
-    if (isVcdm2SdJwt(type)) {
-      return new SDJwtVcdm2Instance(config as SDJWTVCDM2Config)
-    }
-    return new SDJwtVcInstance(config as SDJWTVCConfig)
-  }
-}
-
-// @ts-ignore
-export class SDJwtVcdm2Instance extends SDJwtInstance<SdJwtVcdm2Payload> {
-  /**
-   * The type of the SD-JWT VCDM2 set in the header.typ field.
-   */
-  protected static type = 'vc+sd-jwt'
-
-  protected userConfig: SDJWTVCDM2Config = {}
-
-  constructor(userConfig?: SDJWTVCDM2Config) {
-    super(userConfig)
-    if (userConfig) {
-      this.userConfig = userConfig
-    }
-  }
-
-  /**
-   * Validates if the disclosureFrame contains any reserved fields. If so it will throw an error.
-   * @param disclosureFrame
-   */
-  protected validateReservedFields(disclosureFrame: DisclosureFrame<SdJwtVcdm2Payload>): void {
-    //validate disclosureFrame according to https://www.ietf.org/archive/id/draft-ietf-oauth-sd-jwt-vc-08.html#section-3.2.2.2
-    // @ts-ignore
-    if (disclosureFrame?._sd && Array.isArray(disclosureFrame._sd) && disclosureFrame._sd.length > 0) {
-      const reservedNames = ['iss', 'nbf', 'exp', 'cnf', '@context', 'type', 'credentialStatus', 'credentialSchema', 'relatedResource']
-      // check if there is any reserved names in the disclosureFrame._sd array
-      const reservedNamesInDisclosureFrame = (disclosureFrame._sd as string[]).filter((key) => reservedNames.includes(key))
-      if (reservedNamesInDisclosureFrame.length > 0) {
-        throw new SDJWTException(`Cannot disclose protected field(s): ${reservedNamesInDisclosureFrame.join(', ')}`)
-      }
-    }
-  }
-
-  /**
-   * Verifies the SD-JWT-VC. It will validate the signature, the keybindings when required, the status, and the VCT.
-   * @param encodedSDJwt
-   * @param options
-   */
-  async verify(encodedSDJwt: string, options?: VerifierOptions) {
-    // Call the parent class's verify method
-    const result: SdJwtVcdm2VerificationResult = await super.verify(encodedSDJwt, options).then((res) => {
-      return {
-        payload: res.payload as SdJwtVcdm2Payload,
-        header: res.header,
-        kb: res.kb,
-      }
-    })
-
-    // await this.verifyStatus(result, options)
-
-    return result
-  }
-
-  /**
-   * Validates the integrity of the response if the integrity is passed. If the integrity does not match, an error is thrown.
-   * @param integrity
-   * @param response
-   */
-  private async validateIntegrity(response: Response, url: string, integrity?: string) {
-    if (integrity) {
-      // validate the integrity of the response according to https://www.w3.org/TR/SRI/
-      const arrayBuffer = await response.arrayBuffer()
-      const alg = integrity.split('-')[0]
-      //TODO: error handling when a hasher is passed that is not supporting the required algorithm acording to the spec
-      const hashBuffer = await (this.userConfig.hasher as Hasher)(arrayBuffer, alg)
-      const integrityHash = integrity.split('-')[1]
-      const hash = Array.from(new Uint8Array(hashBuffer))
-        .map((byte) => byte.toString(16).padStart(2, '0'))
-        .join('')
-      if (hash !== integrityHash) {
-        throw new Error(`Integrity check for ${url} failed: is ${hash}, but expected ${integrityHash}`)
-      }
-    }
-  }
-
-  /**
-   * Fetches the content from the url with a timeout of 10 seconds.
-   * @param url
-   * @param integrity
-   * @returns
-   */
-  protected async fetch<T>(url: string, integrity?: string): Promise<T> {
-    try {
-      const response = await fetch(url, {
-        signal: AbortSignal.timeout(this.userConfig.timeout ?? 10000),
-      })
-      if (!response.ok) {
-        const errorText = await response.text()
-        return Promise.reject(new Error(`Error fetching ${url}: ${response.status} ${response.statusText} - ${errorText}`))
-      }
-      await this.validateIntegrity(response.clone(), url, integrity)
-      return response.json() as Promise<T>
-    } catch (error) {
-      if ((error as Error).name === 'TimeoutError') {
-        throw new Error(`Request to ${url} timed out`)
-      }
-      throw error
-    }
-  }
-
-  public async issue<Payload extends SdJwtVcdm2Payload>(
-    payload: Payload,
-    disclosureFrame?: DisclosureFrame<Payload>,
-    options?: {
-      header?: object; // This is for customizing the header of the jwt
-    },
-  ): Promise<SDJWTCompact> {
-    if (payload.iss && !payload.issuer) {
-      payload.issuer = {id: payload.iss}
-      delete payload.iss
-    }
-    if (payload.nbf && !payload.validFrom) {
-      payload.validFrom = toVcdm2Date(payload.nbf)
-      delete payload.nbf
-    }
-    if (payload.exp && !payload.validUntil) {
-      payload.validUntil = toVcdm2Date(payload.exp)
-      delete payload.exp
-    }
-    if (payload.sub && !Array.isArray(payload.credentialSubject) && !payload.credentialSubject.id) {
-      payload.credentialSubject.id = payload.sub
-      delete payload.sub
-    }
-    return super.issue(payload, disclosureFrame, options)
-  }
-}
-
-function toVcdm2Date(value: number | string): string {
-  const num = typeof value === 'string' ? Number(value) : value
-  if (!Number.isFinite(num)) {
-    throw new SDJWTException(`Invalid numeric date: ${value}`)
-  }
-  // Convert JWT NumericDate (seconds since epoch) to W3C VCDM 2 date-time string (RFC 3339 / ISO 8601)
-  return new Date(num * 1000).toISOString()
-}