@sphereon/ssi-sdk.sd-jwt 0.34.1-fix.80 → 0.34.1-next.278

package/dist/index.js

@@ -3,9 +3,8 @@ var __name = (target, value) => __defProp(target, "name", { value, configurable:
 
 // src/action-handler.ts
 import { SDJwt } from "@sd-jwt/core";
-import { SDJwtVcInstance } from "@sd-jwt/sd-jwt-vc";
+import { SDJwtVcInstance as SDJwtVcInstance2 } from "@sd-jwt/sd-jwt-vc";
 import { calculateJwkThumbprint, signatureAlgorithmFromKey } from "@sphereon/ssi-sdk-ext.key-utils";
-import { decodeBase64url } from "@veramo/utils";
 import Debug from "debug";
 
 // src/defaultCallbacks.ts
@@ -81,8 +80,189 @@ function assertValidTypeMetadata(metadata, vct) {
   }
 }
 __name(assertValidTypeMetadata, "assertValidTypeMetadata");
+function isVcdm2SdJwtPayload(payload) {
+  return "type" in payload && Array.isArray(payload.type) && payload.type.includes("VerifiableCredential") && "@context" in payload && (typeof payload["@context"] === "string" && payload["@context"].length > 0 || Array.isArray(payload["@context"]) && payload["@context"].length > 0 && payload["@context"].includes("https://www.w3.org/ns/credentials/v2"));
+}
+__name(isVcdm2SdJwtPayload, "isVcdm2SdJwtPayload");
+function isSdjwtVcPayload(payload) {
+  return !isVcdm2SdJwtPayload(payload) && "vct" in payload && typeof payload.vct === "string";
+}
+__name(isSdjwtVcPayload, "isSdjwtVcPayload");
+function getIssuerFromSdJwt(payload) {
+  let issuer;
+  if (isSdjwtVcPayload(payload) || "iss" in payload) {
+    issuer = payload.iss;
+  } else if (isVcdm2SdJwtPayload(payload) || "issuer" in payload && payload.issuer) {
+    issuer = typeof payload.issuer === "string" ? payload.issuer : payload.issuer?.id;
+  }
+  if (!issuer) {
+    throw new Error("No issuer (iss or VCDM 2 issuer) found in SD-JWT or no VCDM2 SD-JWT or SD-JWT VC");
+  }
+  return issuer;
+}
+__name(getIssuerFromSdJwt, "getIssuerFromSdJwt");
+
+// src/sdJwtVcdm2Instance.ts
+import { SDJwtInstance } from "@sd-jwt/core";
+import { SDJWTException } from "@sd-jwt/utils";
+import { SDJwtVcInstance } from "@sd-jwt/sd-jwt-vc";
+
+// src/types.ts
+import { contextHasPlugin } from "@sphereon/ssi-sdk.agent-config";
+var sdJwtPluginContextMethods = [
+  "createSdJwtVc",
+  "createSdJwtPresentation",
+  "verifySdJwtVc",
+  "verifySdJwtPresentation"
+];
+function contextHasSDJwtPlugin(context) {
+  return contextHasPlugin(context, "verifySdJwtVc");
+}
+__name(contextHasSDJwtPlugin, "contextHasSDJwtPlugin");
+function isVcdm2SdJwt(type) {
+  return type === "vc+sd-jwt" || type === "vp+sd-jwt";
+}
+__name(isVcdm2SdJwt, "isVcdm2SdJwt");
+
+// src/sdJwtVcdm2Instance.ts
+var SDJwtVcdmInstanceFactory = class {
+  static {
+    __name(this, "SDJwtVcdmInstanceFactory");
+  }
+  static create(type, config) {
+    if (isVcdm2SdJwt(type)) {
+      return new SDJwtVcdm2Instance(config);
+    }
+    return new SDJwtVcInstance(config);
+  }
+};
+var SDJwtVcdm2Instance = class extends SDJwtInstance {
+  static {
+    __name(this, "SDJwtVcdm2Instance");
+  }
+  /**
+  * The type of the SD-JWT VCDM2 set in the header.typ field.
+  */
+  static type = "vc+sd-jwt";
+  userConfig = {};
+  constructor(userConfig) {
+    super(userConfig);
+    if (userConfig) {
+      this.userConfig = userConfig;
+    }
+  }
+  /**
+  * Validates if the disclosureFrame contains any reserved fields. If so it will throw an error.
+  * @param disclosureFrame
+  */
+  validateReservedFields(disclosureFrame) {
+    if (disclosureFrame?._sd && Array.isArray(disclosureFrame._sd) && disclosureFrame._sd.length > 0) {
+      const reservedNames = [
+        "iss",
+        "nbf",
+        "exp",
+        "cnf",
+        "@context",
+        "type",
+        "credentialStatus",
+        "credentialSchema",
+        "relatedResource"
+      ];
+      const reservedNamesInDisclosureFrame = disclosureFrame._sd.filter((key) => reservedNames.includes(key));
+      if (reservedNamesInDisclosureFrame.length > 0) {
+        throw new SDJWTException(`Cannot disclose protected field(s): ${reservedNamesInDisclosureFrame.join(", ")}`);
+      }
+    }
+  }
+  /**
+  * Verifies the SD-JWT-VC. It will validate the signature, the keybindings when required, the status, and the VCT.
+  * @param encodedSDJwt
+  * @param options
+  */
+  async verify(encodedSDJwt, options) {
+    const result = await super.verify(encodedSDJwt, options).then((res) => {
+      return {
+        payload: res.payload,
+        header: res.header,
+        kb: res.kb
+      };
+    });
+    return result;
+  }
+  /**
+  * Validates the integrity of the response if the integrity is passed. If the integrity does not match, an error is thrown.
+  * @param integrity
+  * @param response
+  */
+  async validateIntegrity(response, url, integrity) {
+    if (integrity) {
+      const arrayBuffer = await response.arrayBuffer();
+      const alg = integrity.split("-")[0];
+      const hashBuffer = await this.userConfig.hasher(arrayBuffer, alg);
+      const integrityHash = integrity.split("-")[1];
+      const hash = Array.from(new Uint8Array(hashBuffer)).map((byte) => byte.toString(16).padStart(2, "0")).join("");
+      if (hash !== integrityHash) {
+        throw new Error(`Integrity check for ${url} failed: is ${hash}, but expected ${integrityHash}`);
+      }
+    }
+  }
+  /**
+  * Fetches the content from the url with a timeout of 10 seconds.
+  * @param url
+  * @param integrity
+  * @returns
+  */
+  async fetch(url, integrity) {
+    try {
+      const response = await fetch(url, {
+        signal: AbortSignal.timeout(this.userConfig.timeout ?? 1e4)
+      });
+      if (!response.ok) {
+        const errorText = await response.text();
+        return Promise.reject(new Error(`Error fetching ${url}: ${response.status} ${response.statusText} - ${errorText}`));
+      }
+      await this.validateIntegrity(response.clone(), url, integrity);
+      return response.json();
+    } catch (error) {
+      if (error.name === "TimeoutError") {
+        throw new Error(`Request to ${url} timed out`);
+      }
+      throw error;
+    }
+  }
+  async issue(payload, disclosureFrame, options) {
+    if (payload.iss && !payload.issuer) {
+      payload.issuer = {
+        id: payload.iss
+      };
+      delete payload.iss;
+    }
+    if (payload.nbf && !payload.validFrom) {
+      payload.validFrom = toVcdm2Date(payload.nbf);
+      delete payload.nbf;
+    }
+    if (payload.exp && !payload.validUntil) {
+      payload.validUntil = toVcdm2Date(payload.exp);
+      delete payload.exp;
+    }
+    if (payload.sub && !Array.isArray(payload.credentialSubject) && !payload.credentialSubject.id) {
+      payload.credentialSubject.id = payload.sub;
+      delete payload.sub;
+    }
+    return super.issue(payload, disclosureFrame, options);
+  }
+};
+function toVcdm2Date(value) {
+  const num = typeof value === "string" ? Number(value) : value;
+  if (!Number.isFinite(num)) {
+    throw new SDJWTException(`Invalid numeric date: ${value}`);
+  }
+  return new Date(num * 1e3).toISOString();
+}
+__name(toVcdm2Date, "toVcdm2Date");
 
 // src/action-handler.ts
+import * as u8a from "uint8arrays";
 var debug = Debug("@sphereon/ssi-sdk.sd-jwt");
 var SDJwtPlugin = class {
   static {
@@ -152,7 +332,11 @@ var SDJwtPlugin = class {
   * @returns A signed SD-JWT credential.
   */
   async createSdJwtVc(args, context) {
-    const issuer = args.credentialPayload.iss;
+    const payload = args.credentialPayload;
+    const isVcdm2 = isVcdm2SdJwtPayload(payload);
+    const isSdJwtVc = isSdjwtVcPayload(payload);
+    const type = args.type ?? (isVcdm2 ? "vc+sd-jwt" : "dc+sd-jwt");
+    const issuer = getIssuerFromSdJwt(args.credentialPayload);
     if (!issuer) {
       throw new Error("credential.issuer must not be empty");
     }
@@ -160,24 +344,46 @@ var SDJwtPlugin = class {
       identifier: issuer,
       resolution: args.resolution
     }, context);
-    const sdjwt = new SDJwtVcInstance({
+    const signAlg = alg ?? signingKey?.alg ?? "ES256";
+    const hashAlg = /(\d{3})$/.test(signAlg) ? `sha-${signAlg.slice(-3)}` : "sha-256";
+    const sdjwt = SDJwtVcdmInstanceFactory.create(type, {
+      omitTyp: true,
       signer,
       hasher: this.registeredImplementations.hasher,
       saltGenerator: this.registeredImplementations.saltGenerator,
-      signAlg: alg ?? "ES256",
-      hashAlg: "sha-256"
+      signAlg,
+      hashAlg
     });
-    const credential = await sdjwt.issue(args.credentialPayload, args.disclosureFrame, {
-      header: {
-        ...signingKey?.key.kid !== void 0 && {
-          kid: signingKey.key.kid
-        },
-        ...signingKey?.key.x5c !== void 0 && {
-          x5c: signingKey.key.x5c
-        }
+    const header = {
+      ...signingKey?.key.kid !== void 0 && {
+        kid: signingKey.key.kid
+      },
+      ...signingKey?.key.x5c !== void 0 && {
+        x5c: signingKey.key.x5c
+      },
+      ...type && {
+        typ: type
       }
-    });
+    };
+    let credential;
+    if (isVcdm2) {
+      credential = await sdjwt.issue(
+        payload,
+        // @ts-ignore
+        args.disclosureFrame,
+        {
+          header
+        }
+      );
+    } else if (isSdJwtVc) {
+      credential = await sdjwt.issue(payload, args.disclosureFrame, {
+        header
+      });
+    } else {
+      return Promise.reject(new Error(`invalid_argument: credential '${type}' type is not supported`));
+    }
     return {
+      type,
       credential
     };
   }
@@ -303,6 +509,7 @@ var SDJwtPlugin = class {
   * @returns A signed SD-JWT presentation.
   */
   async createSdJwtPresentation(args, context) {
+    const type = args.type ?? "dc+sd-jwt";
     const cred = await SDJwt.fromEncode(args.presentation, this.registeredImplementations.hasher);
     const claims = await cred.getClaims(this.registeredImplementations.hasher);
     let holder;
@@ -323,8 +530,9 @@ var SDJwtPlugin = class {
     const { alg, signer } = await this.getSignerForIdentifier({
       identifier: holder
     }, context);
-    const sdjwt = new SDJwtVcInstance({
-      hasher: this.registeredImplementations.hasher ?? defaultGenerateDigest,
+    const sdjwt = SDJwtVcdmInstanceFactory.create(type, {
+      omitTyp: true,
+      hasher: this.registeredImplementations.hasher,
       saltGenerator: this.registeredImplementations.saltGenerator,
       kbSigner: signer,
       kbSignAlg: alg ?? "ES256"
@@ -333,6 +541,7 @@ var SDJwtPlugin = class {
       kb: args.kb
     });
     return {
+      type,
       presentation
     };
   }
@@ -343,13 +552,18 @@ var SDJwtPlugin = class {
   * @returns
   */
   async verifySdJwtVc(args, context) {
-    const verifier = /* @__PURE__ */ __name(async (data, signature) => this.verify(sdjwt, context, data, signature), "verifier");
-    const sdjwt = new SDJwtVcInstance({
+    const verifier = /* @__PURE__ */ __name(async (data, signature) => this.verifyCallbackImpl(sdjwt, context, data, signature), "verifier");
+    const cred = await SDJwt.fromEncode(args.credential, this.registeredImplementations.hasher);
+    const type = isVcdm2SdJwtPayload(cred.jwt?.payload) ? "vc+sd-jwt" : "dc+sd-jwt";
+    const sdjwt = SDJwtVcdmInstanceFactory.create(type, {
       verifier,
       hasher: this.registeredImplementations.hasher ?? defaultGenerateDigest
     });
-    const { header = {}, payload, kb } = await sdjwt.verify(args.credential);
+    const { header = {}, payload, kb } = await sdjwt.verify(args.credential, {
+      skewSeconds: 60 * 60 * 24 * 5
+    });
     return {
+      type,
       header,
       payload,
       kb
@@ -364,7 +578,7 @@ var SDJwtPlugin = class {
   * @param payload - The payload of the SD-JWT
   * @returns
   */
-  verifyKb(sdjwt, context, data, signature, payload) {
+  verifyKb(context, data, signature, payload) {
     if (!payload.cnf) {
       throw Error("other method than cnf is not supported yet");
     }
@@ -378,9 +592,10 @@ var SDJwtPlugin = class {
   * @param signature - The signature
   * @returns
   */
-  async verify(sdjwt, context, data, signature, opts) {
+  async verifyCallbackImpl(sdjwt, context, data, signature, opts) {
     const decodedVC = await sdjwt.decode(`${data}.${signature}`);
-    const issuer = decodedVC.jwt.payload.iss;
+    const payload = decodedVC.jwt.payload;
+    const issuer = getIssuerFromSdJwt(payload);
     const header = decodedVC.jwt.header;
     const x5c = header?.x5c;
     let jwk = header.jwk;
@@ -446,14 +661,18 @@ var SDJwtPlugin = class {
   */
   async verifySdJwtPresentation(args, context) {
     let sdjwt;
-    const verifier = /* @__PURE__ */ __name(async (data, signature) => this.verify(sdjwt, context, data, signature), "verifier");
-    const verifierKb = /* @__PURE__ */ __name(async (data, signature, payload) => this.verifyKb(sdjwt, context, data, signature, payload), "verifierKb");
-    sdjwt = new SDJwtVcInstance({
+    const verifier = /* @__PURE__ */ __name(async (data, signature) => this.verifyCallbackImpl(sdjwt, context, data, signature), "verifier");
+    const verifierKb = /* @__PURE__ */ __name(async (data, signature, payload) => this.verifyKb(context, data, signature, payload), "verifierKb");
+    sdjwt = new SDJwtVcInstance2({
       verifier,
       hasher: this.registeredImplementations.hasher,
       kbVerifier: verifierKb
     });
-    return sdjwt.verify(args.presentation, args.requiredClaimKeys, args.kb);
+    const verifierOpts = {
+      requiredClaimKeys: args.requiredClaimKeys,
+      keyBindingNonce: args.keyBindingNonce
+    };
+    return sdjwt.verify(args.presentation, verifierOpts);
   }
   /**
   * Fetch and validate Type Metadata.
@@ -524,7 +743,7 @@ var SDJwtPlugin = class {
       return payload.cnf.jwk;
     } else if (payload.cnf !== void 0 && "kid" in payload.cnf && typeof payload.cnf.kid === "string" && payload.cnf.kid.startsWith("did:jwk:")) {
       const encoded = this.extractBase64FromDIDJwk(payload.cnf.kid);
-      const decoded = decodeBase64url(encoded);
+      const decoded = u8a.toString(u8a.fromString(encoded, "base64url"), "utf-8");
       const jwt = JSON.parse(decoded);
       return jwt;
     }
@@ -538,26 +757,18 @@ var SDJwtPlugin = class {
     return parts[2].split("#")[0];
   }
 };
-
-// src/types.ts
-import { contextHasPlugin } from "@sphereon/ssi-sdk.agent-config";
-var sdJwtPluginContextMethods = [
-  "createSdJwtVc",
-  "createSdJwtPresentation",
-  "verifySdJwtVc",
-  "verifySdJwtPresentation"
-];
-function contextHasSDJwtPlugin(context) {
-  return contextHasPlugin(context, "verifySdJwtVc");
-}
-__name(contextHasSDJwtPlugin, "contextHasSDJwtPlugin");
 export {
   SDJwtPlugin,
   assertValidTypeMetadata,
   contextHasSDJwtPlugin,
   createIntegrity,
+  defaultGenerateDigest,
   extractHashFromIntegrity,
   fetchUrlWithErrorHandling,
+  getIssuerFromSdJwt,
+  isSdjwtVcPayload,
+  isVcdm2SdJwt,
+  isVcdm2SdJwtPayload,
   sdJwtPluginContextMethods,
   validateIntegrity
 };