@sphereon/ssi-sdk.sd-jwt 0.34.1-next.6 → 0.34.1-next.85

package/src/__tests__/sd-jwt-vcdm2.test.ts

@@ -0,0 +1,316 @@
+import { beforeAll, describe, expect, it } from 'vitest'
+import { KBJwt } from '@sd-jwt/core'
+import { decodeSdJwt } from '@sd-jwt/decode'
+import { SdJwtVcPayload } from '@sd-jwt/sd-jwt-vc'
+import { DisclosureFrame, kbPayload } from '@sd-jwt/types'
+import { JwkDIDProvider } from '@sphereon/ssi-sdk-ext.did-provider-jwk'
+import { getDidJwkResolver } from '@sphereon/ssi-sdk-ext.did-resolver-jwk'
+import { IdentifierResolution, IIdentifierResolution } from '@sphereon/ssi-sdk-ext.identifier-resolution'
+import { IJwtService, JwtService } from '@sphereon/ssi-sdk-ext.jwt-service'
+import { MemoryKeyStore, MemoryPrivateKeyStore, SphereonKeyManager } from '@sphereon/ssi-sdk-ext.key-manager'
+import { SphereonKeyManagementSystem } from '@sphereon/ssi-sdk-ext.kms-local'
+import { ImDLMdoc, MDLMdoc } from '@sphereon/ssi-sdk.mdl-mdoc'
+import { createAgent, IDIDManager, IKeyManager, IResolver, TAgent } from '@veramo/core'
+import { DIDManager, MemoryDIDStore } from '@veramo/did-manager'
+import { DIDResolverPlugin } from '@veramo/did-resolver'
+import { DIDDocument, Resolver, VerificationMethod } from 'did-resolver'
+import { defaultGenerateDigest } from '../defaultCallbacks'
+import { ISDJwtPlugin, SDJwtPlugin } from '../index'
+import { SdJwtVcdm2Payload } from '@sphereon/ssi-types'
+
+type AgentType = IDIDManager & IKeyManager & IIdentifierResolution & IJwtService & IResolver & ISDJwtPlugin & ImDLMdoc
+
+describe('Agent plugin', () => {
+  let agent: TAgent<AgentType>
+
+  let issuer: string
+
+  let holder: string
+
+  // Issuer Define the claims object with the user's information
+  const claims = {
+    sub: '',
+    credentialSubject: {
+      given_name: 'John',
+      family_name: 'Deo',
+      email: 'johndeo@example.com',
+      phone: '+1-202-555-0101',
+      address: {
+        street_address: '123 Main St',
+        locality: 'Anytown',
+        region: 'Anystate',
+        country: 'US',
+      },
+      birthdate: '1940-01-01',
+    },
+  }
+
+  // Issuer Define the disclosure frame to specify which claims can be disclosed
+  const disclosureFrame: DisclosureFrame<typeof claims> = {
+    credentialSubject: {
+      _sd: ['given_name', 'family_name', 'email', 'phone', 'address', 'birthdate'],
+    },
+  }
+  let testVcdm2SdJwtCredentialPayload: SdJwtVcdm2Payload
+
+  beforeAll(async () => {
+    agent = createAgent<AgentType>({
+      plugins: [
+        new SDJwtPlugin(),
+        new IdentifierResolution(),
+        new JwtService(),
+        new SphereonKeyManager({
+          store: new MemoryKeyStore(),
+          kms: {
+            local: new SphereonKeyManagementSystem(new MemoryPrivateKeyStore()),
+          },
+        }),
+        new DIDResolverPlugin({
+          resolver: new Resolver({
+            ...getDidJwkResolver(),
+          }),
+        }),
+        new DIDManager({
+          store: new MemoryDIDStore(),
+          defaultProvider: 'did:jwk',
+          providers: {
+            'did:jwk': new JwkDIDProvider({
+              defaultKms: 'local',
+            }),
+          },
+        }),
+      ],
+    })
+    issuer = await agent
+      .didManagerCreate({
+        kms: 'local',
+        provider: 'did:jwk',
+        alias: 'issuer',
+        //we use this curve since nodejs does not support ES256k which is the default one.
+        options: { keyType: 'Secp256r1' },
+      })
+      .then((did) => {
+        // we add a key reference
+        return `${did.did}#0`
+      })
+    holder = await agent
+      .didManagerCreate({
+        kms: 'local',
+        provider: 'did:jwk',
+        alias: 'holder',
+        //we use this curve since nodejs does not support ES256k which is the default one.
+        options: { keyType: 'Secp256r1' },
+      })
+      .then((did) => `${did.did}#0`)
+    claims.sub = holder
+
+    testVcdm2SdJwtCredentialPayload = {
+      ...claims,
+      '@context': ['https://www.w3.org/ns/credentials/v2'],
+      type: ['VerifiableCredential'],
+      issuer,
+      validFrom: '2021-01-01T00:00:00Z',
+      // iat: Math.floor(new Date().getTime() / 1000),
+    }
+  })
+
+  it('create a sd-jwt vcdm2', async () => {
+    const credentialPayload: SdJwtVcdm2Payload = {
+      ...claims,
+      '@context': ['https://www.w3.org/ns/credentials/v2'],
+      type: ['VerifiableCredential'],
+      issuer,
+      validFrom: '2021-01-01T00:00:00Z',
+      iat: Math.floor(new Date().getTime() / 1000),
+    }
+    const credential = await agent.createSdJwtVc({
+      credentialPayload,
+      disclosureFrame,
+    })
+    expect(credential).toBeDefined()
+  })
+
+  it('create sd-jwt vcdm2 without an issuer', async () => {
+    const credentialPayload = {
+      ...claims,
+      '@context': ['https://www.w3.org/ns/credentials/v2'],
+      type: ['VerifiableCredential'],
+      validFrom: '2021-01-01T00:00:00Z',
+      // iat: Math.floor(new Date().getTime() / 1000),
+    }
+    await expect(
+      agent.createSdJwtVc({
+        credentialPayload: credentialPayload as unknown as SdJwtVcPayload,
+        disclosureFrame,
+      }),
+    ).rejects.toThrow('No issuer (iss or VCDM 2 issuer) found in SD-JWT or no VCDM2 SD-JWT or SD-JWT VC')
+  })
+
+  it('verify a sd-jwt vcdm2', async () => {
+    const credential = await agent.createSdJwtVc({
+      credentialPayload: testVcdm2SdJwtCredentialPayload,
+      disclosureFrame: disclosureFrame,
+    })
+    const result = await agent.verifySdJwtVc({
+      credential: credential.credential,
+    })
+    expect(result.payload).toBeDefined()
+  }, 5000)
+
+  it('create a presentation', async () => {
+    const credentialPayload = testVcdm2SdJwtCredentialPayload
+    const credential = await agent.createSdJwtVc({
+      credentialPayload,
+      disclosureFrame,
+    })
+    const presentation = await agent.createSdJwtPresentation({
+      presentation: credential.credential,
+      presentationFrame: { given_name: true },
+      kb: {
+        payload: {
+          aud: '1',
+          iat: 1,
+          nonce: '342',
+        },
+      },
+    })
+    expect(presentation).toBeDefined()
+    const decoded = await decodeSdJwt(presentation.presentation, defaultGenerateDigest)
+    expect(decoded.kbJwt).toBeDefined()
+    expect(((decoded.kbJwt as KBJwt).payload as kbPayload).aud).toBe('1')
+  })
+
+  it('create presentation with cnf', async () => {
+    const did = await agent.didManagerFind({ alias: 'holder' }).then((dids) => dids[0])
+    const resolvedDid = await agent.resolveDid({ didUrl: `${did.did}#0` })
+    const jwk: JsonWebKey = ((resolvedDid.didDocument as DIDDocument).verificationMethod as VerificationMethod[])[0].publicKeyJwk as JsonWebKey
+    const credentialPayload = {
+      ...testVcdm2SdJwtCredentialPayload,
+      cnf: {
+        jwk,
+      },
+    }
+    const credential = await agent.createSdJwtVc({
+      credentialPayload,
+      disclosureFrame,
+    })
+    const presentation = await agent.createSdJwtPresentation({
+      presentation: credential.credential,
+      presentationFrame: { given_name: true },
+      kb: {
+        payload: {
+          aud: '1',
+          iat: 1,
+          nonce: '342',
+        },
+      },
+    })
+    expect(presentation).toBeDefined()
+    const decoded = await decodeSdJwt(presentation.presentation, defaultGenerateDigest)
+    expect(decoded.kbJwt).toBeDefined()
+    expect(((decoded.kbJwt as KBJwt).payload as kbPayload).aud).toBe('1')
+  })
+
+  it('includes no holder reference', async () => {
+    const newClaims = JSON.parse(JSON.stringify(claims))
+    newClaims.sub = undefined
+    const credentialPayload: SdJwtVcPayload = {
+      ...newClaims,
+      iss: issuer,
+      iat: Math.floor(new Date().getTime() / 1000),
+      vct: '',
+    }
+    const credential = await agent.createSdJwtVc({
+      credentialPayload,
+      disclosureFrame,
+    })
+    const presentation = agent.createSdJwtPresentation({
+      presentation: credential.credential,
+      presentationFrame: { given_name: true },
+      kb: {
+        payload: {
+          aud: '1',
+          iat: 1,
+          nonce: '342',
+        },
+      },
+    })
+    await expect(presentation).rejects.toThrow('credential does not include a holder reference')
+  })
+
+  it('verify a presentation', async () => {
+    const holderDId = await agent.resolveDid({ didUrl: holder })
+    const jwk: JsonWebKey = ((holderDId.didDocument as DIDDocument).verificationMethod as VerificationMethod[])[0].publicKeyJwk as JsonWebKey
+    const credentialPayload: SdJwtVcPayload = {
+      ...claims,
+      iss: issuer,
+      iat: Math.floor(new Date().getTime() / 1000),
+      vct: '',
+      cnf: {
+        jwk,
+      },
+    }
+    const credential = await agent.createSdJwtVc({
+      credentialPayload,
+      disclosureFrame,
+    })
+    const presentation = await agent.createSdJwtPresentation({
+      presentation: credential.credential,
+      presentationFrame: { credentialSubject: {given_name: true} },
+      kb: {
+        payload: {
+          aud: '1',
+          iat: 1,
+          nonce: '342',
+        },
+      },
+    })
+    const result = await agent.verifySdJwtPresentation({
+      presentation: presentation.presentation,
+      requiredClaimKeys: ['credentialSubject.given_name'],
+      // we are not able to verify the kb yet since we have no reference to the public key of the holder.
+      keyBindingAud: '1',
+      keyBindingNonce: '342',
+    })
+    expect(result).toBeDefined()
+    expect((result.payload as typeof claims).credentialSubject.given_name).toBe('John')
+  })
+
+  it('verify a presentation with sub set', async () => {
+    const holderDId = await agent.resolveDid({ didUrl: holder })
+    const jwk: JsonWebKey = ((holderDId.didDocument as DIDDocument).verificationMethod as VerificationMethod[])[0].publicKeyJwk as JsonWebKey
+    const credentialPayload: SdJwtVcPayload = {
+      ...claims,
+      iss: issuer,
+      iat: Math.floor(new Date().getTime() / 1000),
+      vct: '',
+      cnf: {
+        jwk,
+      },
+    }
+    const credential = await agent.createSdJwtVc({
+      credentialPayload,
+      disclosureFrame,
+    })
+    const presentation = await agent.createSdJwtPresentation({
+      presentation: credential.credential,
+      presentationFrame: { credentialSubject: {given_name: true} },
+      kb: {
+        payload: {
+          aud: '1',
+          iat: 1,
+          nonce: '342',
+        },
+      },
+    })
+    const result = await agent.verifySdJwtPresentation({
+      presentation: presentation.presentation,
+      requiredClaimKeys: ['credentialSubject.given_name'],
+      // we are not able to verify the kb yet since we have no reference to the public key of the holder.
+      keyBindingAud: '1',
+      keyBindingNonce: '342',
+    })
+    expect(result).toBeDefined()
+    expect((result.payload as typeof claims).credentialSubject.given_name).toBe('John')
+  })
+})

package/src/action-handler.ts

@@ -1,16 +1,16 @@
-import { Jwt, SDJwt } from '@sd-jwt/core'
-import { SDJwtVcInstance, SdJwtVcPayload } from '@sd-jwt/sd-jwt-vc'
-import { DisclosureFrame, Hasher, JwtPayload, KbVerifier, PresentationFrame, Signer, Verifier } from '@sd-jwt/types'
+import { Jwt, SDJwt, type SdJwtPayload, type VerifierOptions } from '@sd-jwt/core'
+import { SDJwtVcInstance, type SdJwtVcPayload } from '@sd-jwt/sd-jwt-vc'
+import type { DisclosureFrame, HashAlgorithm, Hasher, JwtPayload, KbVerifier, PresentationFrame, Signer, Verifier } from '@sd-jwt/types'
 import { calculateJwkThumbprint, signatureAlgorithmFromKey } from '@sphereon/ssi-sdk-ext.key-utils'
-import { X509CertificateChainValidationOpts } from '@sphereon/ssi-sdk-ext.x509-utils'
-import { HasherSync, JsonWebKey, JWK, SdJwtTypeMetadata } from '@sphereon/ssi-types'
-import { IAgentPlugin } from '@veramo/core'
-import { decodeBase64url } from '@veramo/utils'
+import type { X509CertificateChainValidationOpts } from '@sphereon/ssi-sdk-ext.x509-utils'
+import type { HasherSync, JsonWebKey, JWK, SdJwtTypeMetadata } from '@sphereon/ssi-types'
+import type { IAgentPlugin } from '@veramo/core'
+// import { decodeBase64url } from '@veramo/utils'
 import Debug from 'debug'
 import { defaultGenerateDigest, defaultGenerateSalt, defaultVerifySignature } from './defaultCallbacks'
 import { funkeTestCA, sphereonCA } from './trustAnchors'
-import { assertValidTypeMetadata, fetchUrlWithErrorHandling, validateIntegrity } from './utils'
-import {
+import { assertValidTypeMetadata, fetchUrlWithErrorHandling, getIssuerFromSdJwt, isSdjwtVcPayload, isVcdm2SdJwtPayload, validateIntegrity } from './utils'
+import type {
   Claims,
   FetchSdJwtTypeMetadataFromVctUrlArgs,
   GetSignerForIdentifierArgs,
@@ -30,6 +30,10 @@ import {
   SignKeyArgs,
   SignKeyResult,
 } from './types'
+import { SDJwtVcdm2Instance, SDJwtVcdmInstanceFactory } from './sdJwtVcdm2Instance'
+
+// @ts-ignore
+import * as u8a from 'uint8arrays'
 
 const debug = Debug('@sphereon/ssi-sdk.sd-jwt')
 
@@ -101,27 +105,47 @@ export class SDJwtPlugin implements IAgentPlugin {
    * @returns A signed SD-JWT credential.
    */
   async createSdJwtVc(args: ICreateSdJwtVcArgs, context: IRequiredContext): Promise<ICreateSdJwtVcResult> {
-    const issuer = args.credentialPayload.iss
+    const payload = args.credentialPayload
+    const isVcdm2 = isVcdm2SdJwtPayload(payload)
+    const isSdJwtVc = isSdjwtVcPayload(payload)
+    const type = args.type ?? (isVcdm2 ? 'vc+sd-jwt' : 'dc+sd-jwt')
+
+    const issuer = getIssuerFromSdJwt(args.credentialPayload)
     if (!issuer) {
       throw new Error('credential.issuer must not be empty')
     }
     const { alg, signer, signingKey } = await this.getSignerForIdentifier({ identifier: issuer, resolution: args.resolution }, context)
-    const sdjwt = new SDJwtVcInstance({
+    const signAlg = alg ?? signingKey?.alg ?? 'ES256'
+    const hashAlg: HashAlgorithm = /(\d{3})$/.test(signAlg) ? (`sha-${signAlg.slice(-3)}` as HashAlgorithm) : 'sha-256'
+    const sdjwt = SDJwtVcdmInstanceFactory.create(type, {
+      omitTyp: true,
       signer,
       hasher: this.registeredImplementations.hasher,
       saltGenerator: this.registeredImplementations.saltGenerator,
-      signAlg: alg ?? 'ES256',
-      hashAlg: 'sha-256',
+      signAlg,
+      hashAlg,
     })
 
-    const credential = await sdjwt.issue(args.credentialPayload, args.disclosureFrame as DisclosureFrame<typeof args.credentialPayload>, {
-      header: {
-        ...(signingKey?.key.kid !== undefined && { kid: signingKey.key.kid }),
-        ...(signingKey?.key.x5c !== undefined && { x5c: signingKey.key.x5c }),
-      },
-    })
+    const header = {
+      ...(signingKey?.key.kid !== undefined && { kid: signingKey.key.kid }),
+      ...(signingKey?.key.x5c !== undefined && { x5c: signingKey.key.x5c }),
+      ...(type && { typ: type }),
+    }
+    let credential: string
+    if (isVcdm2) {
+      credential = await (sdjwt as SDJwtVcdm2Instance).issue(
+        payload,
+        // @ts-ignore
+        args.disclosureFrame as DisclosureFrame<typeof payload>,
+        { header },
+      )
+    } else if (isSdJwtVc) {
+      credential = await (sdjwt as SDJwtVcInstance).issue(payload, args.disclosureFrame as DisclosureFrame<typeof payload>, { header })
+    } else {
+      return Promise.reject(new Error(`invalid_argument: credential '${type}' type is not supported`))
+    }
 
-    return { credential }
+    return { type, credential }
   }
 
   /**
@@ -183,10 +207,13 @@ export class SDJwtPlugin implements IAgentPlugin {
    * @returns A signed SD-JWT presentation.
    */
   async createSdJwtPresentation(args: ICreateSdJwtPresentationArgs, context: IRequiredContext): Promise<ICreateSdJwtPresentationResult> {
+    const type = args.type ?? 'dc+sd-jwt'
+
     const cred = await SDJwt.fromEncode(args.presentation, this.registeredImplementations.hasher!)
+
     const claims = await cred.getClaims<Claims>(this.registeredImplementations.hasher!)
     let holder: string
-    // we primarly look for a cnf field, if it's not there we look for a sub field. If this is also not given, we throw an error since we can not sign it.
+    // we primarily look for a cnf field, if it's not there, we look for a sub field. If this is also not given, we throw an error since we can not sign it.
     if (args.holder) {
       holder = args.holder
     } else if (claims.cnf?.jwk) {
@@ -201,15 +228,17 @@ export class SDJwtPlugin implements IAgentPlugin {
     }
     const { alg, signer } = await this.getSignerForIdentifier({ identifier: holder }, context)
 
-    const sdjwt = new SDJwtVcInstance({
-      hasher: this.registeredImplementations.hasher ?? defaultGenerateDigest,
+    const sdjwt = SDJwtVcdmInstanceFactory.create(type, {
+      omitTyp: true,
+      hasher: this.registeredImplementations.hasher,
       saltGenerator: this.registeredImplementations.saltGenerator,
       kbSigner: signer,
       kbSignAlg: alg ?? 'ES256',
     })
+
     const presentation = await sdjwt.present(args.presentation, args.presentationFrame as PresentationFrame<SdJwtVcPayload>, { kb: args.kb })
 
-    return { presentation }
+    return { type, presentation }
   }
 
   /**
@@ -220,11 +249,17 @@ export class SDJwtPlugin implements IAgentPlugin {
    */
   async verifySdJwtVc(args: IVerifySdJwtVcArgs, context: IRequiredContext): Promise<IVerifySdJwtVcResult> {
     // callback
-    const verifier: Verifier = async (data: string, signature: string) => this.verify(sdjwt, context, data, signature)
-    const sdjwt = new SDJwtVcInstance({ verifier, hasher: this.registeredImplementations.hasher ?? defaultGenerateDigest })
+    const verifier: Verifier = async (data: string, signature: string) => this.verifyCallbackImpl(sdjwt, context, data, signature)
+
+    const cred = await SDJwt.fromEncode(args.credential, this.registeredImplementations.hasher!)
+    const type = isVcdm2SdJwtPayload(cred.jwt?.payload as SdJwtPayload) ? 'vc+sd-jwt' : 'dc+sd-jwt'
+
+
+    const sdjwt = SDJwtVcdmInstanceFactory.create(type, {verifier, hasher: this.registeredImplementations.hasher ?? defaultGenerateDigest })
     const { header = {}, payload, kb } = await sdjwt.verify(args.credential)
 
-    return { header, payload: payload as SdJwtVcPayload, kb }
+
+    return { type, header, payload, kb }
   }
 
   /**
@@ -236,10 +271,14 @@ export class SDJwtPlugin implements IAgentPlugin {
    * @param payload - The payload of the SD-JWT
    * @returns
    */
-  private verifyKb(sdjwt: SDJwtVcInstance, context: IRequiredContext, data: string, signature: string, payload: JwtPayload): Promise<boolean> {
+  private verifyKb(context: IRequiredContext, data: string, signature: string, payload: JwtPayload): Promise<boolean> {
     if (!payload.cnf) {
       throw Error('other method than cnf is not supported yet')
     }
+
+    // TODO add aud verification
+
+
     return this.verifySignatureCallback(context)(data, signature, this.getJwk(payload))
   }
 
@@ -251,15 +290,16 @@ export class SDJwtPlugin implements IAgentPlugin {
    * @param signature - The signature
    * @returns
    */
-  async verify(
-    sdjwt: SDJwtVcInstance,
+  async verifyCallbackImpl(
+    sdjwt: SDJwtVcInstance | SDJwtVcdm2Instance,
     context: IRequiredContext,
     data: string,
     signature: string,
     opts?: { x5cValidation?: X509CertificateChainValidationOpts },
   ): Promise<boolean> {
     const decodedVC = await sdjwt.decode(`${data}.${signature}`)
-    const issuer: string = ((decodedVC.jwt as Jwt).payload as Record<string, unknown>).iss as string
+    const payload: SdJwtPayload = (decodedVC.jwt as Jwt).payload as SdJwtPayload
+    const issuer: string = getIssuerFromSdJwt(payload)
     const header = (decodedVC.jwt as Jwt).header as Record<string, any>
     const x5c: string[] | undefined = header?.x5c as string[]
     let jwk: JWK | JsonWebKey | undefined = header.jwk
@@ -329,16 +369,21 @@ export class SDJwtPlugin implements IAgentPlugin {
    */
   async verifySdJwtPresentation(args: IVerifySdJwtPresentationArgs, context: IRequiredContext): Promise<IVerifySdJwtPresentationResult> {
     let sdjwt: SDJwtVcInstance
-    const verifier: Verifier = async (data: string, signature: string) => this.verify(sdjwt, context, data, signature)
+    const verifier: Verifier = async (data: string, signature: string) => this.verifyCallbackImpl(sdjwt, context, data, signature)
     const verifierKb: KbVerifier = async (data: string, signature: string, payload: JwtPayload) =>
-      this.verifyKb(sdjwt, context, data, signature, payload)
+      this.verifyKb(context, data, signature, payload)
     sdjwt = new SDJwtVcInstance({
       verifier,
       hasher: this.registeredImplementations.hasher,
       kbVerifier: verifierKb,
     })
 
-    return sdjwt.verify(args.presentation, args.requiredClaimKeys, args.kb)
+    const verifierOpts: VerifierOptions = {
+      requiredClaimKeys: args.requiredClaimKeys,
+      keyBindingNonce: args.keyBindingNonce,
+    }
+
+    return sdjwt.verify(args.presentation, verifierOpts)
   }
 
   /**
@@ -411,7 +456,7 @@ export class SDJwtPlugin implements IAgentPlugin {
       // extract JWK from kid FIXME isn't there a did function for this already? Otherwise create one
       // FIXME this is a quick-fix to make verification but we need a real solution
       const encoded = this.extractBase64FromDIDJwk(payload.cnf.kid)
-      const decoded = decodeBase64url(encoded)
+      const decoded =  u8a.toString(u8a.fromString(encoded, 'base64url'), 'utf-8')
       const jwt = JSON.parse(decoded)
       return jwt as JsonWebKey
     }

package/src/sdJwtVcdm2Instance.ts

@@ -0,0 +1,155 @@
+import { SDJwtInstance, type VerifierOptions } from '@sd-jwt/core'
+import type { DisclosureFrame, Hasher, SDJWTCompact } from '@sd-jwt/types'
+import { SDJWTException } from '@sd-jwt/utils'
+import { type SdJwtType, type SDJWTVCDM2Config, type SdJwtVcdm2Payload } from '@sphereon/ssi-types'
+import { type SDJWTVCConfig, SDJwtVcInstance, type VerificationResult } from '@sd-jwt/sd-jwt-vc'
+import { isVcdm2SdJwt } from './types'
+
+interface SdJwtVcdm2VerificationResult extends Omit<VerificationResult, 'payload'> {
+  payload: SdJwtVcdm2Payload
+}
+
+export class SDJwtVcdmInstanceFactory {
+  static create(type: SdJwtType, config: SDJWTVCConfig | SDJWTVCDM2Config): SDJwtVcdm2Instance | SDJwtVcInstance {
+    if (isVcdm2SdJwt(type)) {
+      return new SDJwtVcdm2Instance(config as SDJWTVCDM2Config)
+    }
+    return new SDJwtVcInstance(config as SDJWTVCConfig)
+  }
+}
+
+// @ts-ignore
+export class SDJwtVcdm2Instance extends SDJwtInstance<SdJwtVcdm2Payload> {
+  /**
+   * The type of the SD-JWT VCDM2 set in the header.typ field.
+   */
+  protected static type = 'vc+sd-jwt'
+
+  protected userConfig: SDJWTVCDM2Config = {}
+
+  constructor(userConfig?: SDJWTVCDM2Config) {
+    super(userConfig)
+    if (userConfig) {
+      this.userConfig = userConfig
+    }
+  }
+
+  /**
+   * Validates if the disclosureFrame contains any reserved fields. If so it will throw an error.
+   * @param disclosureFrame
+   */
+  protected validateReservedFields(disclosureFrame: DisclosureFrame<SdJwtVcdm2Payload>): void {
+    //validate disclosureFrame according to https://www.ietf.org/archive/id/draft-ietf-oauth-sd-jwt-vc-08.html#section-3.2.2.2
+    // @ts-ignore
+    if (disclosureFrame?._sd && Array.isArray(disclosureFrame._sd) && disclosureFrame._sd.length > 0) {
+      const reservedNames = ['iss', 'nbf', 'exp', 'cnf', '@context', 'type', 'credentialStatus', 'credentialSchema', 'relatedResource']
+      // check if there is any reserved names in the disclosureFrame._sd array
+      const reservedNamesInDisclosureFrame = (disclosureFrame._sd as string[]).filter((key) => reservedNames.includes(key))
+      if (reservedNamesInDisclosureFrame.length > 0) {
+        throw new SDJWTException(`Cannot disclose protected field(s): ${reservedNamesInDisclosureFrame.join(', ')}`)
+      }
+    }
+  }
+
+  /**
+   * Verifies the SD-JWT-VC. It will validate the signature, the keybindings when required, the status, and the VCT.
+   * @param encodedSDJwt
+   * @param options
+   */
+  async verify(encodedSDJwt: string, options?: VerifierOptions) {
+    // Call the parent class's verify method
+    const result: SdJwtVcdm2VerificationResult = await super.verify(encodedSDJwt, options).then((res) => {
+      return {
+        payload: res.payload as SdJwtVcdm2Payload,
+        header: res.header,
+        kb: res.kb,
+      }
+    })
+
+    // await this.verifyStatus(result, options)
+
+    return result
+  }
+
+  /**
+   * Validates the integrity of the response if the integrity is passed. If the integrity does not match, an error is thrown.
+   * @param integrity
+   * @param response
+   */
+  private async validateIntegrity(response: Response, url: string, integrity?: string) {
+    if (integrity) {
+      // validate the integrity of the response according to https://www.w3.org/TR/SRI/
+      const arrayBuffer = await response.arrayBuffer()
+      const alg = integrity.split('-')[0]
+      //TODO: error handling when a hasher is passed that is not supporting the required algorithm acording to the spec
+      const hashBuffer = await (this.userConfig.hasher as Hasher)(arrayBuffer, alg)
+      const integrityHash = integrity.split('-')[1]
+      const hash = Array.from(new Uint8Array(hashBuffer))
+        .map((byte) => byte.toString(16).padStart(2, '0'))
+        .join('')
+      if (hash !== integrityHash) {
+        throw new Error(`Integrity check for ${url} failed: is ${hash}, but expected ${integrityHash}`)
+      }
+    }
+  }
+
+  /**
+   * Fetches the content from the url with a timeout of 10 seconds.
+   * @param url
+   * @param integrity
+   * @returns
+   */
+  protected async fetch<T>(url: string, integrity?: string): Promise<T> {
+    try {
+      const response = await fetch(url, {
+        signal: AbortSignal.timeout(this.userConfig.timeout ?? 10000),
+      })
+      if (!response.ok) {
+        const errorText = await response.text()
+        return Promise.reject(new Error(`Error fetching ${url}: ${response.status} ${response.statusText} - ${errorText}`))
+      }
+      await this.validateIntegrity(response.clone(), url, integrity)
+      return response.json() as Promise<T>
+    } catch (error) {
+      if ((error as Error).name === 'TimeoutError') {
+        throw new Error(`Request to ${url} timed out`)
+      }
+      throw error
+    }
+  }
+
+  public async issue<Payload extends SdJwtVcdm2Payload>(
+    payload: Payload,
+    disclosureFrame?: DisclosureFrame<Payload>,
+    options?: {
+      header?: object; // This is for customizing the header of the jwt
+    },
+  ): Promise<SDJWTCompact> {
+    if (payload.iss && !payload.issuer) {
+      payload.issuer = {id: payload.iss}
+      delete payload.iss
+    }
+    if (payload.nbf && !payload.validFrom) {
+      payload.validFrom = toVcdm2Date(payload.nbf)
+      delete payload.nbf
+    }
+    if (payload.exp && !payload.validUntil) {
+      payload.validUntil = toVcdm2Date(payload.exp)
+      delete payload.exp
+    }
+    if (payload.sub && !Array.isArray(payload.credentialSubject) && !payload.credentialSubject.id) {
+      payload.credentialSubject.id = payload.sub
+      delete payload.sub
+    }
+    return super.issue(payload, disclosureFrame, options)
+  }
+}
+
+function toVcdm2Date(value: number | string): string {
+  const num = typeof value === 'string' ? Number(value) : value
+  if (!Number.isFinite(num)) {
+    throw new SDJWTException(`Invalid numeric date: ${value}`)
+  }
+  // Convert JWT NumericDate (seconds since epoch) to W3C VCDM 2 date-time string (RFC 3339 / ISO 8601)
+  return new Date(num * 1000).toISOString()
+}