@sphereon/ssi-sdk.sd-jwt 0.36.1-feature.integration.fides.68 → 0.36.1-feature.integration.fides.74

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (6) hide show
  1. package/dist/index.cjs +2 -2
  2. package/dist/index.cjs.map +1 -1
  3. package/dist/index.js +2 -2
  4. package/dist/index.js.map +1 -1
  5. package/package.json +14 -14
  6. package/src/action-handler.ts +2 -3
package/dist/index.cjs CHANGED
@@ -682,7 +682,7 @@ var SDJwtPlugin = class {
682
682
  if (!didDoc) {
683
683
  throw new Error("invalid_issuer: issuer did not resolve to a did document");
684
684
  }
685
- const didDocumentKey = didDoc.didDocument?.verificationMethod?.find((key) => key.id);
685
+ const didDocumentKey = didDoc.didDocument?.verificationMethod?.find((key) => key.id === header.kid);
686
686
  if (!didDocumentKey) {
687
687
  throw new Error("invalid_issuer: issuer did document does not include referenced key");
688
688
  }
@@ -695,7 +695,7 @@ var SDJwtPlugin = class {
695
695
  if (!didDoc) {
696
696
  throw new Error("invalid_issuer: issuer did not resolve to a did document");
697
697
  }
698
- const didDocumentKey = didDoc.didDocument?.verificationMethod?.find((key) => key.id);
698
+ const didDocumentKey = didDoc.didDocument?.verificationMethod?.find((key) => key.id === header.kid);
699
699
  if (!didDocumentKey) {
700
700
  throw new Error("invalid_issuer: issuer did document does not include referenced key");
701
701
  }
package/dist/index.cjs.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"sources":["../src/index.ts","../src/action-handler.ts","../src/defaultCallbacks.ts","../src/trustAnchors.ts","../src/utils.ts","../src/sdJwtVcdm2Instance.ts","../src/types.ts"],"sourcesContent":["export { SDJwtPlugin } from './action-handler'\nexport { defaultGenerateDigest } from './defaultCallbacks'\nexport * from './utils'\nexport * from './types'\n","import { Jwt, SDJwt, type SdJwtPayload, type VerifierOptions } from '@sd-jwt/core'\nimport { SDJwtVcInstance, type SdJwtVcPayload } from '@sd-jwt/sd-jwt-vc'\nimport type { DisclosureFrame, HashAlgorithm, Hasher, JwtPayload, KbVerifier, PresentationFrame, Signer, Verifier } from '@sd-jwt/types'\nimport { calculateJwkThumbprint, signatureAlgorithmFromKey } from '@sphereon/ssi-sdk-ext.key-utils'\nimport type { X509CertificateChainValidationOpts } from '@sphereon/ssi-sdk-ext.x509-utils'\nimport type { HasherSync, JsonWebKey, JWK, SdJwtTypeMetadata } from '@sphereon/ssi-types'\nimport type { IAgentPlugin } from '@veramo/core'\n// import { decodeBase64url } from '@veramo/utils'\nimport Debug from 'debug'\nimport { defaultGenerateDigest, defaultGenerateSalt, defaultVerifySignature } from './defaultCallbacks'\nimport { funkeTestCA, sphereonCA } from './trustAnchors'\nimport {\n assertValidTypeMetadata,\n fetchUrlWithErrorHandling,\n getIssuerFromSdJwt,\n isSdjwtVcPayload,\n isVcdm2SdJwtPayload,\n validateIntegrity,\n} from './utils'\nimport type {\n Claims,\n FetchSdJwtTypeMetadataFromVctUrlArgs,\n GetSignerForIdentifierArgs,\n GetSignerResult,\n ICreateSdJwtPresentationArgs,\n ICreateSdJwtPresentationResult,\n ICreateSdJwtVcArgs,\n ICreateSdJwtVcResult,\n IRequiredContext,\n ISDJwtPlugin,\n IVerifySdJwtPresentationArgs,\n IVerifySdJwtPresentationResult,\n IVerifySdJwtVcArgs,\n IVerifySdJwtVcResult,\n SdJWTImplementation,\n SdJwtVerifySignature,\n SignKeyArgs,\n SignKeyResult,\n} from './types'\nimport { SDJwtVcdm2Instance, SDJwtVcdmInstanceFactory } from './sdJwtVcdm2Instance'\n\n// @ts-ignore\nimport * as u8a from 'uint8arrays'\n\nconst debug = Debug('@sphereon/ssi-sdk.sd-jwt')\n\n/**\n * @beta\n * SD-JWT plugin\n */\nexport class SDJwtPlugin implements IAgentPlugin {\n // @ts-ignore\n private readonly trustAnchorsInPEM: string[]\n private readonly registeredImplementations: SdJWTImplementation\n private _signers: Record<string, Signer>\n private _defaultSigner?: Signer\n\n constructor(\n registeredImplementations?: SdJWTImplementation & {\n signers?: Record<string, Signer>\n defaultSigner?: Signer\n },\n trustAnchorsInPEM?: string[],\n ) {\n this.trustAnchorsInPEM = trustAnchorsInPEM ?? []\n if (!registeredImplementations) {\n registeredImplementations = {}\n }\n if (typeof registeredImplementations?.hasher !== 'function') {\n registeredImplementations.hasher = defaultGenerateDigest\n }\n if (typeof registeredImplementations?.saltGenerator !== 'function') {\n registeredImplementations.saltGenerator = defaultGenerateSalt\n }\n this.registeredImplementations = registeredImplementations\n this._signers = registeredImplementations?.signers ?? {}\n this._defaultSigner = registeredImplementations?.defaultSigner\n\n // Verify signature default is used below in the methods if not provided here, as it needs the context of the agent\n }\n\n // map the methods your plugin is declaring to their implementation\n readonly methods: ISDJwtPlugin = {\n createSdJwtVc: this.createSdJwtVc.bind(this),\n createSdJwtPresentation: this.createSdJwtPresentation.bind(this),\n verifySdJwtVc: this.verifySdJwtVc.bind(this),\n verifySdJwtPresentation: this.verifySdJwtPresentation.bind(this),\n fetchSdJwtTypeMetadataFromVctUrl: this.fetchSdJwtTypeMetadataFromVctUrl.bind(this),\n }\n\n private async getSignerForIdentifier(args: GetSignerForIdentifierArgs, context: IRequiredContext): Promise<GetSignerResult> {\n const { identifier, resolution } = args\n if (Object.keys(this._signers).includes(identifier) && typeof this._signers[identifier] === 'function') {\n return { signer: this._signers[identifier] }\n } else if (typeof this._defaultSigner === 'function') {\n return { signer: this._defaultSigner }\n }\n const signingKey = await this.getSignKey({ identifier, vmRelationship: 'assertionMethod', resolution }, context)\n const { key, alg } = signingKey\n\n const signer: Signer = async (data: string): Promise<string> => {\n return context.agent.keyManagerSign({ keyRef: key.kmsKeyRef, data })\n }\n\n return { signer, alg, signingKey }\n }\n\n /**\n * Create a signed SD-JWT credential.\n * @param args - Arguments necessary for the creation of a SD-JWT credential.\n * @param context - This reserved param is automatically added and handled by the framework, *do not override*\n * @returns A signed SD-JWT credential.\n */\n async createSdJwtVc(args: ICreateSdJwtVcArgs, context: IRequiredContext): Promise<ICreateSdJwtVcResult> {\n const payload = args.credentialPayload\n const isVcdm2 = isVcdm2SdJwtPayload(payload)\n const isSdJwtVc = isSdjwtVcPayload(payload)\n const type = args.type ?? (isVcdm2 ? 'vc+sd-jwt' : 'dc+sd-jwt')\n\n const issuer = getIssuerFromSdJwt(args.credentialPayload)\n if (!issuer) {\n throw new Error('credential.issuer must not be empty')\n }\n const { alg, signer, signingKey } = await this.getSignerForIdentifier({ identifier: issuer, resolution: args.resolution }, context)\n const signAlg = alg ?? signingKey?.alg ?? 'ES256'\n const hashAlg: HashAlgorithm = /(\\d{3})$/.test(signAlg) ? (`sha-${signAlg.slice(-3)}` as HashAlgorithm) : 'sha-256'\n const sdjwt = SDJwtVcdmInstanceFactory.create(type, {\n omitTyp: true,\n signer,\n hasher: this.registeredImplementations.hasher,\n saltGenerator: this.registeredImplementations.saltGenerator,\n signAlg,\n hashAlg,\n })\n\n const header = {\n ...(signingKey?.key.kid !== undefined && { kid: signingKey.key.kid }),\n ...(signingKey?.key.x5c !== undefined && { x5c: signingKey.key.x5c }),\n ...(type && { typ: type }),\n }\n let credential: string\n if (isVcdm2) {\n credential = await (sdjwt as SDJwtVcdm2Instance).issue(\n payload,\n // @ts-ignore\n args.disclosureFrame as DisclosureFrame<typeof payload>,\n { header },\n )\n } else if (isSdJwtVc) {\n credential = await (sdjwt as SDJwtVcInstance).issue(payload, args.disclosureFrame as DisclosureFrame<typeof payload>, { header })\n } else {\n return Promise.reject(new Error(`invalid_argument: credential '${type}' type is not supported`))\n }\n\n return { type, credential }\n }\n\n /**\n * Get the key to sign the SD-JWT\n * @param args - consists of twp arguments: identifier like a did and other forms of identifiers and vmRelationship which represents the purpose of the key\n * @param context - agent instance\n * @returns the key to sign the SD-JWT\n */\n async getSignKey(args: SignKeyArgs, context: IRequiredContext): Promise<SignKeyResult> {\n // TODO Using identifierManagedGetByDid now (new managed identifier resolution). Evaluate of we need to implement more identifier types here\n const { identifier, resolution } = { ...args }\n if (resolution) {\n const key = resolution.key\n const alg = await signatureAlgorithmFromKey({ key })\n switch (resolution.method) {\n case 'did':\n debug(`Signing key ${key.publicKeyHex} found for identifier ${identifier}`)\n return { alg, key: { ...key, kmsKeyRef: resolution.kmsKeyRef, kid: resolution.kid } }\n default:\n if (key.meta?.x509 && key.meta.x509.x5c) {\n return { alg, key: { kid: resolution.kid, kmsKeyRef: resolution.kmsKeyRef, x5c: key.meta.x509.x5c as string[] } }\n } else if (key.meta?.jwkThumbprint) {\n return { alg, key: { kid: resolution.kid, kmsKeyRef: resolution.kmsKeyRef, jwkThumbprint: key.meta.jwkThumbprint } }\n } else {\n return { alg, key: { kid: resolution.kid, kmsKeyRef: resolution.kmsKeyRef } }\n }\n }\n } else if (identifier.startsWith('did:')) {\n const didIdentifier = await context.agent.identifierManagedGetByDid({ identifier })\n if (!didIdentifier) {\n throw new Error(`No identifier found with the given did: ${identifier}`)\n }\n const key = didIdentifier.key\n const alg = await signatureAlgorithmFromKey({ key })\n debug(`Signing key ${key.publicKeyHex} found for identifier ${identifier}`)\n\n return { alg, key: { ...key, kmsKeyRef: didIdentifier.kmsKeyRef, kid: didIdentifier.kid } }\n } else {\n const kidIdentifier = await context.agent.identifierManagedGetByKid({ identifier })\n if (!kidIdentifier) {\n throw new Error(`No identifier found with the given kid: ${identifier}`)\n }\n const key = kidIdentifier.key\n const alg = await signatureAlgorithmFromKey({ key })\n if (key.meta?.x509 && key.meta.x509.x5c) {\n return { alg, key: { kid: kidIdentifier.kid, kmsKeyRef: kidIdentifier.kmsKeyRef, x5c: key.meta.x509.x5c as string[] } }\n } else if (key.meta?.jwkThumbprint) {\n return { alg, key: { kid: kidIdentifier.kid, kmsKeyRef: kidIdentifier.kmsKeyRef, jwkThumbprint: key.meta.jwkThumbprint } }\n } else {\n return { alg, key: { kid: kidIdentifier.kid, kmsKeyRef: kidIdentifier.kmsKeyRef } }\n }\n }\n }\n\n /**\n * Create a signed SD-JWT presentation.\n * @param args - Arguments necessary for the creation of a SD-JWT presentation.\n * @param context - This reserved param is automatically added and handled by the framework, *do not override*\n * @returns A signed SD-JWT presentation.\n */\n async createSdJwtPresentation(args: ICreateSdJwtPresentationArgs, context: IRequiredContext): Promise<ICreateSdJwtPresentationResult> {\n const type = args.type ?? 'dc+sd-jwt'\n\n const cred = await SDJwt.fromEncode(args.presentation, this.registeredImplementations.hasher!)\n\n const claims = await cred.getClaims<Claims>(this.registeredImplementations.hasher!)\n let holder: string\n // we primarily look for a cnf field, if it's not there, we look for a sub field. If this is also not given, we throw an error since we can not sign it.\n if (args.holder) {\n holder = args.holder\n } else if (claims.cnf?.jwk) {\n const jwk = claims.cnf.jwk\n holder = calculateJwkThumbprint({ jwk: jwk as JWK })\n } else if (claims.cnf?.kid) {\n holder = claims.cnf?.kid\n } else if (claims.sub) {\n holder = claims.sub as string\n } else {\n throw new Error('invalid_argument: credential does not include a holder reference')\n }\n const { alg, signer } = await this.getSignerForIdentifier({ identifier: holder }, context)\n\n const sdjwt = SDJwtVcdmInstanceFactory.create(type, {\n omitTyp: true,\n hasher: this.registeredImplementations.hasher,\n saltGenerator: this.registeredImplementations.saltGenerator,\n kbSigner: signer,\n kbSignAlg: alg ?? 'ES256',\n })\n\n const presentation = await sdjwt.present(args.presentation, args.presentationFrame as PresentationFrame<SdJwtVcPayload>, { kb: args.kb })\n\n return { type, presentation }\n }\n\n /**\n * Verify a signed SD-JWT credential.\n * @param args - Arguments necessary for the verify a SD-JWT credential.\n * @param context - This reserved param is automatically added and handled by the framework, *do not override*\n * @returns\n */\n async verifySdJwtVc(args: IVerifySdJwtVcArgs, context: IRequiredContext): Promise<IVerifySdJwtVcResult> {\n // callback\n const verifier: Verifier = async (data: string, signature: string) => this.verifyCallbackImpl(sdjwt, context, data, signature)\n\n const cred = await SDJwt.fromEncode(args.credential, this.registeredImplementations.hasher!)\n const type = isVcdm2SdJwtPayload(cred.jwt?.payload as SdJwtPayload) ? 'vc+sd-jwt' : 'dc+sd-jwt'\n\n const sdjwt = SDJwtVcdmInstanceFactory.create(type, { verifier, hasher: this.registeredImplementations.hasher ?? defaultGenerateDigest })\n // FIXME: Findynet. Issuer returns expired status lists, and low level lib throws errors on these. We need to fix this in our implementation by wrapping the verification function\n // For now a workaround is to ad 5 days of skew seconds, yuck\n const { header = {}, payload, kb } = await sdjwt.verify(args.credential, { skewSeconds: 60 * 60 * 24 * 5 })\n\n return { type, header, payload, kb }\n }\n\n /**\n * Verify the key binding of a SD-JWT by validating the signature of the key bound to the SD-JWT\n * @param sdjwt - SD-JWT instance\n * @param context - This reserved param is automatically added and handled by the framework, *do not override*\n * @param data - signed data\n * @param signature - The signature\n * @param payload - The payload of the SD-JWT\n * @returns\n */\n private verifyKb(context: IRequiredContext, data: string, signature: string, payload: JwtPayload): Promise<boolean> {\n if (!payload.cnf) {\n throw Error('other method than cnf is not supported yet')\n }\n\n // TODO add aud verification\n\n return this.verifySignatureCallback(context)(data, signature, this.getJwk(payload))\n }\n\n /**\n * Validates the signature of a SD-JWT\n * @param sdjwt - SD-JWT instance\n * @param context - This reserved param is automatically added and handled by the framework, *do not override*\n * @param data - signed data\n * @param signature - The signature\n * @returns\n */\n async verifyCallbackImpl(\n sdjwt: SDJwtVcInstance | SDJwtVcdm2Instance,\n context: IRequiredContext,\n data: string,\n signature: string,\n opts?: { x5cValidation?: X509CertificateChainValidationOpts },\n ): Promise<boolean> {\n const decodedVC = await sdjwt.decode(`${data}.${signature}`)\n const payload: SdJwtPayload = (decodedVC.jwt as Jwt).payload as SdJwtPayload\n const issuer: string = getIssuerFromSdJwt(payload)\n const header = (decodedVC.jwt as Jwt).header as Record<string, any>\n const x5c: string[] | undefined = header?.x5c as string[]\n let jwk: JWK | JsonWebKey | undefined = header.jwk\n if (x5c?.length) {\n const trustAnchors = new Set<string>([...this.trustAnchorsInPEM])\n if (trustAnchors.size === 0) {\n trustAnchors.add(sphereonCA)\n trustAnchors.add(funkeTestCA)\n }\n const certificateValidationResult = await context.agent.x509VerifyCertificateChain({\n chain: x5c,\n trustAnchors: Array.from(trustAnchors),\n // TODO: Defaults to allowing untrusted certs! Fine for now, not when wallets go mainstream\n opts: opts?.x5cValidation ?? { trustRootWhenNoAnchors: true, allowNoTrustAnchorsFound: true },\n })\n\n if (certificateValidationResult.error || !certificateValidationResult?.certificateChain) {\n return Promise.reject(Error(`Certificate chain validation failed. ${certificateValidationResult.message}`))\n }\n const certInfo = certificateValidationResult.certificateChain[0]\n jwk = certInfo.publicKeyJWK as JWK\n }\n\n if (!jwk && header.kid?.includes('did:')) {\n const didDoc = await context.agent.resolveDid({ didUrl: header.kid })\n if (!didDoc) {\n throw new Error('invalid_issuer: issuer did not resolve to a did document')\n }\n //TODO SDK-20: This should be checking for an assertionMethod and not just an verificationMethod with an id\n const didDocumentKey = didDoc.didDocument?.verificationMethod?.find((key) => key.id)\n if (!didDocumentKey) {\n throw new Error('invalid_issuer: issuer did document does not include referenced key')\n }\n //FIXME SDK-21: in case it's another did method, the value of the key can be also encoded as a base64url\n // needs more checks. some DID methods do not expose the keys as publicKeyJwk\n jwk = didDocumentKey.publicKeyJwk as JsonWebKey\n }\n\n if (!jwk && issuer.includes('did:')) {\n // TODO refactor\n const didDoc = await context.agent.resolveDid({ didUrl: issuer })\n if (!didDoc) {\n throw new Error('invalid_issuer: issuer did not resolve to a did document')\n }\n //TODO SDK-20: This should be checking for an assertionMethod and not just an verificationMethod with an id\n const didDocumentKey = didDoc.didDocument?.verificationMethod?.find((key) => key.id)\n if (!didDocumentKey) {\n throw new Error('invalid_issuer: issuer did document does not include referenced key')\n }\n //FIXME SDK-21: in case it's another did method, the value of the key can be also encoded as a base64url\n // needs more checks. some DID methods do not expose the keys as publicKeyJwk\n jwk = didDocumentKey.publicKeyJwk as JsonWebKey\n }\n\n if (!jwk) {\n throw new Error('No valid public key found for signature verification')\n }\n\n return this.verifySignatureCallback(context)(data, signature, jwk)\n }\n\n /**\n * Verify a signed SD-JWT presentation.\n * @param args - Arguments necessary for the verify a SD-JWT presentation.\n * @param context - This reserved param is automatically added and handled by the framework, *do not override*\n * @returns\n */\n async verifySdJwtPresentation(args: IVerifySdJwtPresentationArgs, context: IRequiredContext): Promise<IVerifySdJwtPresentationResult> {\n let sdjwt: SDJwtVcInstance\n const verifier: Verifier = async (data: string, signature: string) => this.verifyCallbackImpl(sdjwt, context, data, signature)\n const verifierKb: KbVerifier = async (data: string, signature: string, payload: JwtPayload) => this.verifyKb(context, data, signature, payload)\n sdjwt = new SDJwtVcInstance({\n verifier,\n hasher: this.registeredImplementations.hasher,\n kbVerifier: verifierKb,\n })\n\n const verifierOpts: VerifierOptions = {\n requiredClaimKeys: args.requiredClaimKeys,\n keyBindingNonce: args.keyBindingNonce,\n }\n\n return sdjwt.verify(args.presentation, verifierOpts)\n }\n\n /**\n * Fetch and validate Type Metadata.\n * @param args - Arguments necessary for fetching and validating the type metadata.\n * @param context - This reserved param is automatically added and handled by the framework, *do not override*\n * @returns\n */\n async fetchSdJwtTypeMetadataFromVctUrl(args: FetchSdJwtTypeMetadataFromVctUrlArgs, context: IRequiredContext): Promise<SdJwtTypeMetadata> {\n const { vct, vctIntegrity, opts } = args\n const url = new URL(vct)\n\n const response = await fetchUrlWithErrorHandling(url.toString())\n const metadata: SdJwtTypeMetadata = (await response.json()) as SdJwtTypeMetadata\n assertValidTypeMetadata(metadata, vct)\n\n const validate = async (vct: string, input: unknown, integrityValue?: string, hasher?: Hasher | HasherSync) => {\n if (hasher && integrityValue) {\n const validation = await validateIntegrity({ integrityValue, input, hasher })\n if (!validation) {\n return Promise.reject(Error(`Integrity check failed for vct: ${vct}, extends: ${metadata.extends}, integrity: ${integrityValue}}`))\n }\n }\n }\n\n const hasher = (opts?.hasher ?? this.registeredImplementations.hasher ?? defaultGenerateDigest) as Hasher | HasherSync | undefined\n if (hasher) {\n if (vctIntegrity) {\n await validate(vct, metadata, vctIntegrity, hasher)\n const vctValidation = await validateIntegrity({ integrityValue: vctIntegrity, input: metadata, hasher })\n if (!vctValidation) {\n return Promise.reject(Error(`Integrity check failed for vct: ${vct}, integrity: ${vctIntegrity}`))\n }\n }\n\n if (metadata['extends#integrity']) {\n const extendsMetadata = await this.fetchSdJwtTypeMetadataFromVctUrl({ vct: metadata['extends#integrity'], opts }, context)\n await validate(vct, extendsMetadata, metadata['extends#integrity'], hasher)\n }\n\n if (metadata['schema_uri#integrity']) {\n const schemaResponse = await fetchUrlWithErrorHandling(metadata.schema_uri!)\n const schema = await schemaResponse.json()\n await validate(vct, schema, metadata['schema_uri#integrity'], hasher)\n }\n\n metadata.display?.forEach((display) => {\n const simpleLogoIntegrity = display.rendering?.simple?.logo?.['uri#integrity']\n if (simpleLogoIntegrity) {\n console.log('TODO: Logo integrity check')\n }\n })\n }\n\n return metadata\n }\n\n private verifySignatureCallback(context: IRequiredContext): SdJwtVerifySignature {\n if (typeof this.registeredImplementations.verifySignature === 'function') {\n return this.registeredImplementations.verifySignature\n }\n\n return defaultVerifySignature(context)\n }\n\n private getJwk(payload: JwtPayload): JsonWebKey {\n if (payload.cnf?.jwk !== undefined) {\n return payload.cnf.jwk as JsonWebKey\n } else if (payload.cnf !== undefined && 'kid' in payload.cnf && typeof payload.cnf.kid === 'string' && payload.cnf.kid.startsWith('did:jwk:')) {\n // extract JWK from kid FIXME isn't there a did function for this already? Otherwise create one\n // FIXME this is a quick-fix to make verification but we need a real solution\n const encoded = this.extractBase64FromDIDJwk(payload.cnf.kid)\n const decoded = u8a.toString(u8a.fromString(encoded, 'base64url'), 'utf-8')\n const jwt = JSON.parse(decoded)\n return jwt as JsonWebKey\n }\n throw Error('Unable to extract JWK from SD-JWT payload')\n }\n\n private extractBase64FromDIDJwk(did: string): string {\n const parts = did.split(':')\n if (parts.length < 3) {\n throw new Error('Invalid DID format')\n }\n return parts[2].split('#')[0]\n }\n}\n","import { digestMethodParams } from '@sphereon/ssi-sdk-ext.key-utils'\nimport { HasherSync, JsonWebKey, JWK, Loggers } from '@sphereon/ssi-types'\nimport { v4 } from 'uuid'\n// @ts-ignore\nimport { fromString } from 'uint8arrays/from-string'\nimport { IRequiredContext, SdJwtVerifySignature } from './types'\n\nexport const defaultGenerateDigest: HasherSync = (data: string | ArrayBuffer | SharedArrayBuffer, alg: string): Uint8Array => {\n return digestMethodParams(alg.includes('256') ? 'SHA-256' : 'SHA-512').hash(\n typeof data === 'string' ? fromString(data, 'utf-8') : new Uint8Array(data),\n )\n}\n\nexport const defaultGenerateSalt = (): string => {\n return v4()\n}\n\nexport const defaultVerifySignature =\n (context: IRequiredContext): SdJwtVerifySignature =>\n async (data: string, signature: string, publicKey: JsonWebKey): Promise<boolean> => {\n // The data and signature from the sd-jwt lib are a jwt header.payload and signature, so let's recombine into a compact jwt\n const result = await context.agent.jwtVerifyJwsSignature({ jws: `${data}.${signature}`, jwk: publicKey as JWK })\n Loggers.DEFAULT.get('sd-jwt').info(`SD-JWT signature verified. Result: ${result.message}`)\n return !result.error\n }\n","export const funkeTestCA =\n '-----BEGIN CERTIFICATE-----\\n' +\n 'MIICeTCCAiCgAwIBAgIUB5E9QVZtmUYcDtCjKB/H3VQv72gwCgYIKoZIzj0EAwIwgYgxCzAJBgNVBAYTAkRFMQ8wDQYDVQQHDAZCZXJsaW4xHTAbBgNVBAoMFEJ1bmRlc2RydWNrZXJlaSBHbWJIMREwDwYDVQQLDAhUIENTIElERTE2MDQGA1UEAwwtU1BSSU5EIEZ1bmtlIEVVREkgV2FsbGV0IFByb3RvdHlwZSBJc3N1aW5nIENBMB4XDTI0MDUzMTA2NDgwOVoXDTM0MDUyOTA2NDgwOVowgYgxCzAJBgNVBAYTAkRFMQ8wDQYDVQQHDAZCZXJsaW4xHTAbBgNVBAoMFEJ1bmRlc2RydWNrZXJlaSBHbWJIMREwDwYDVQQLDAhUIENTIElERTE2MDQGA1UEAwwtU1BSSU5EIEZ1bmtlIEVVREkgV2FsbGV0IFByb3RvdHlwZSBJc3N1aW5nIENBMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEYGzdwFDnc7+Kn5ibAvCOM8ke77VQxqfMcwZL8IaIA+WCROcCfmY/giH92qMru5p/kyOivE0RC/IbdMONvDoUyaNmMGQwHQYDVR0OBBYEFNRWGMCJOOgOWIQYyXZiv6u7xZC+MB8GA1UdIwQYMBaAFNRWGMCJOOgOWIQYyXZiv6u7xZC+MBIGA1UdEwEB/wQIMAYBAf8CAQAwDgYDVR0PAQH/BAQDAgGGMAoGCCqGSM49BAMCA0cAMEQCIGEm7wkZKHt/atb4MdFnXW6yrnwMUT2u136gdtl10Y6hAiBuTFqvVYth1rbxzCP0xWZHmQK9kVyxn8GPfX27EIzzsw==\\n' +\n '-----END CERTIFICATE-----'\n\nexport const sphereonCA =\n '-----BEGIN CERTIFICATE-----\\n' +\n 'MIICCDCCAa6gAwIBAgITAPMgqwtYzWPBXaobHhxG9iSydTAKBggqhkjOPQQDAjBa\\n' +\n 'MQswCQYDVQQGEwJOTDEkMCIGA1UECgwbU3BoZXJlb24gSW50ZXJuYXRpb25hbCBC\\n' +\n 'LlYuMQswCQYDVQQLDAJJVDEYMBYGA1UEAwwPY2Euc3BoZXJlb24uY29tMB4XDTI0\\n' +\n 'MDcyODIxMjY0OVoXDTM0MDcyODIxMjY0OVowWjELMAkGA1UEBhMCTkwxJDAiBgNV\\n' +\n 'BAoMG1NwaGVyZW9uIEludGVybmF0aW9uYWwgQi5WLjELMAkGA1UECwwCSVQxGDAW\\n' +\n 'BgNVBAMMD2NhLnNwaGVyZW9uLmNvbTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\\n' +\n 'BEiA0KeESSNrOcmCDga8YsBkUTgowZGwqvL2n91JUpAMdRSwvlVFdqdiLXnk2pQq\\n' +\n 'T1vZnDG0I+x+iz2EbdsG0aajUzBRMB0GA1UdDgQWBBTnB8pdlVz5yKD+zuNkRR6A\\n' +\n 'sywywTAOBgNVHQ8BAf8EBAMCAaYwDwYDVR0lBAgwBgYEVR0lADAPBgNVHRMBAf8E\\n' +\n 'BTADAQH/MAoGCCqGSM49BAMCA0gAMEUCIHH7ie1OAAbff5262rzZVQa8J9zENG8A\\n' +\n 'QlHHFydMdgaXAiEA1Ib82mhHIYDziE0DDbHEAXOs98al+7dpo8fPGVGTeKI=\\n' +\n '-----END CERTIFICATE-----'\n","import type { SdJwtPayload } from '@sd-jwt/core'\nimport type { SdJwtVcPayload } from '@sd-jwt/sd-jwt-vc'\nimport { Hasher, HasherSync } from '@sd-jwt/types'\nimport type { SdJwtTypeMetadata, SdJwtVcdm2Payload } from '@sphereon/ssi-types'\n// @ts-ignore\nimport * as u8a from 'uint8arrays'\n// @ts-ignore\nimport { toString } from 'uint8arrays/to-string'\n\n// Helper function to fetch API with error handling\nexport async function fetchUrlWithErrorHandling(url: string): Promise<Response> {\n const response = await fetch(url)\n if (!response.ok) {\n throw new Error(`${response.status}: ${response.statusText}`)\n }\n return response\n}\n\nexport type IntegrityAlg = 'sha256' | 'sha384' | 'sha512'\n\nfunction extractHashAlgFromIntegrity(integrityValue?: string): IntegrityAlg | undefined {\n const val = integrityValue?.toLowerCase().trim().split('-')[0]\n if (val === 'sha256' || val === 'sha384' || val === 'sha512') {\n return val as IntegrityAlg\n }\n return undefined\n}\n\nexport function extractHashFromIntegrity(integrityValue?: string): string | undefined {\n return integrityValue?.toLowerCase().trim().split('-')[1]\n}\n\nexport async function validateIntegrity({\n input,\n integrityValue,\n hasher,\n}: {\n input: any\n integrityValue?: string\n hasher: HasherSync | Hasher\n}): Promise<boolean> {\n if (!integrityValue) {\n return true\n }\n const alg = extractHashAlgFromIntegrity(integrityValue)\n if (!alg) {\n return false\n }\n const calculatedHash = await createIntegrity({ hasher, input, alg })\n return calculatedHash == integrityValue\n}\n\nexport async function createIntegrity({\n input,\n hasher,\n alg = 'sha256',\n}: {\n input: any\n hasher: HasherSync | Hasher\n alg?: IntegrityAlg\n}): Promise<string> {\n const calculatedHash = await hasher(typeof input === 'string' ? input : JSON.stringify(input), alg)\n return `${alg}-${toString(calculatedHash, 'base64')}`\n}\n\nexport function assertValidTypeMetadata(metadata: SdJwtTypeMetadata, vct: string): void {\n if (metadata.vct !== vct) {\n throw new Error('VCT mismatch in metadata and credential')\n }\n}\n\nexport function isVcdm2SdJwtPayload(payload: SdJwtPayload): payload is SdJwtVcdm2Payload {\n return (\n 'type' in payload &&\n Array.isArray(payload.type) &&\n payload.type.includes('VerifiableCredential') &&\n '@context' in payload &&\n ((typeof payload['@context'] === 'string' && payload['@context'].length > 0) ||\n (Array.isArray(payload['@context']) && payload['@context'].length > 0 && payload['@context'].includes('https://www.w3.org/ns/credentials/v2')))\n )\n}\n\nexport function isSdjwtVcPayload(payload: SdJwtPayload): payload is SdJwtVcPayload {\n return !isVcdm2SdJwtPayload(payload) && 'vct' in payload && typeof payload.vct === 'string'\n}\n\nexport function getIssuerFromSdJwt(payload: SdJwtPayload): string {\n let issuer: string | undefined\n if (isSdjwtVcPayload(payload) || 'iss' in payload) {\n issuer = payload.iss as string\n } else if (isVcdm2SdJwtPayload(payload) || ('issuer' in payload && payload.issuer)) {\n issuer = typeof payload.issuer === 'string' ? payload.issuer : (payload.issuer as any)?.id\n }\n\n if (!issuer) {\n throw new Error('No issuer (iss or VCDM 2 issuer) found in SD-JWT or no VCDM2 SD-JWT or SD-JWT VC')\n }\n return issuer\n}\n\nexport function calculateSdHash(compactSdJwtVc: string, alg: string, hasher: Hasher): string {\n const digest = hasher(compactSdJwtVc, alg)\n return u8a.toString(digest, 'base64url')\n}\n","import { SDJwtInstance, type VerifierOptions } from '@sd-jwt/core'\nimport type { DisclosureFrame, Hasher, SDJWTCompact } from '@sd-jwt/types'\nimport { SDJWTException } from '@sd-jwt/utils'\nimport { type SdJwtType, type SDJWTVCDM2Config, type SdJwtVcdm2Payload } from '@sphereon/ssi-types'\nimport { type SDJWTVCConfig, SDJwtVcInstance, type VerificationResult } from '@sd-jwt/sd-jwt-vc'\nimport { isVcdm2SdJwt } from './types'\n\ninterface SdJwtVcdm2VerificationResult extends Omit<VerificationResult, 'payload'> {\n payload: SdJwtVcdm2Payload\n}\n\nexport class SDJwtVcdmInstanceFactory {\n static create(type: SdJwtType, config: SDJWTVCConfig | SDJWTVCDM2Config): SDJwtVcdm2Instance | SDJwtVcInstance {\n if (isVcdm2SdJwt(type)) {\n return new SDJwtVcdm2Instance(config as SDJWTVCDM2Config)\n }\n return new SDJwtVcInstance(config as SDJWTVCConfig)\n }\n}\n\n// @ts-ignore\nexport class SDJwtVcdm2Instance extends SDJwtInstance<SdJwtVcdm2Payload> {\n /**\n * The type of the SD-JWT VCDM2 set in the header.typ field.\n */\n protected static type = 'vc+sd-jwt'\n\n protected userConfig: SDJWTVCDM2Config = {}\n\n constructor(userConfig?: SDJWTVCDM2Config) {\n super(userConfig)\n if (userConfig) {\n this.userConfig = userConfig\n }\n }\n\n /**\n * Validates if the disclosureFrame contains any reserved fields. If so it will throw an error.\n * @param disclosureFrame\n */\n protected validateReservedFields(disclosureFrame: DisclosureFrame<SdJwtVcdm2Payload>): void {\n //validate disclosureFrame according to https://www.ietf.org/archive/id/draft-ietf-oauth-sd-jwt-vc-08.html#section-3.2.2.2\n // @ts-ignore\n if (disclosureFrame?._sd && Array.isArray(disclosureFrame._sd) && disclosureFrame._sd.length > 0) {\n const reservedNames = ['iss', 'nbf', 'exp', 'cnf', '@context', 'type', 'credentialStatus', 'credentialSchema', 'relatedResource']\n // check if there is any reserved names in the disclosureFrame._sd array\n const reservedNamesInDisclosureFrame = (disclosureFrame._sd as string[]).filter((key) => reservedNames.includes(key))\n if (reservedNamesInDisclosureFrame.length > 0) {\n throw new SDJWTException(`Cannot disclose protected field(s): ${reservedNamesInDisclosureFrame.join(', ')}`)\n }\n }\n }\n\n /**\n * Verifies the SD-JWT-VC. It will validate the signature, the keybindings when required, the status, and the VCT.\n * @param encodedSDJwt\n * @param options\n */\n async verify(encodedSDJwt: string, options?: VerifierOptions) {\n // Call the parent class's verify method\n const result: SdJwtVcdm2VerificationResult = await super.verify(encodedSDJwt, options).then((res) => {\n return {\n payload: res.payload as SdJwtVcdm2Payload,\n header: res.header,\n kb: res.kb,\n }\n })\n\n // await this.verifyStatus(result, options)\n\n return result\n }\n\n /**\n * Validates the integrity of the response if the integrity is passed. If the integrity does not match, an error is thrown.\n * @param integrity\n * @param response\n */\n private async validateIntegrity(response: Response, url: string, integrity?: string) {\n if (integrity) {\n // validate the integrity of the response according to https://www.w3.org/TR/SRI/\n const arrayBuffer = await response.arrayBuffer()\n const alg = integrity.split('-')[0]\n //TODO: error handling when a hasher is passed that is not supporting the required algorithm acording to the spec\n const hashBuffer = await (this.userConfig.hasher as Hasher)(arrayBuffer, alg)\n const integrityHash = integrity.split('-')[1]\n const hash = Array.from(new Uint8Array(hashBuffer))\n .map((byte) => byte.toString(16).padStart(2, '0'))\n .join('')\n if (hash !== integrityHash) {\n throw new Error(`Integrity check for ${url} failed: is ${hash}, but expected ${integrityHash}`)\n }\n }\n }\n\n /**\n * Fetches the content from the url with a timeout of 10 seconds.\n * @param url\n * @param integrity\n * @returns\n */\n protected async fetch<T>(url: string, integrity?: string): Promise<T> {\n try {\n const response = await fetch(url, {\n signal: AbortSignal.timeout(this.userConfig.timeout ?? 10000),\n })\n if (!response.ok) {\n const errorText = await response.text()\n return Promise.reject(new Error(`Error fetching ${url}: ${response.status} ${response.statusText} - ${errorText}`))\n }\n await this.validateIntegrity(response.clone(), url, integrity)\n return response.json() as Promise<T>\n } catch (error) {\n if ((error as Error).name === 'TimeoutError') {\n throw new Error(`Request to ${url} timed out`)\n }\n throw error\n }\n }\n\n public async issue<Payload extends SdJwtVcdm2Payload>(\n payload: Payload,\n disclosureFrame?: DisclosureFrame<Payload>,\n options?: {\n header?: object // This is for customizing the header of the jwt\n },\n ): Promise<SDJWTCompact> {\n if (payload.iss && !payload.issuer) {\n payload.issuer = { id: payload.iss }\n delete payload.iss\n }\n if (payload.nbf && !payload.validFrom) {\n payload.validFrom = toVcdm2Date(payload.nbf)\n delete payload.nbf\n }\n if (payload.exp && !payload.validUntil) {\n payload.validUntil = toVcdm2Date(payload.exp)\n delete payload.exp\n }\n if (payload.sub && !Array.isArray(payload.credentialSubject) && !payload.credentialSubject.id) {\n payload.credentialSubject.id = payload.sub\n delete payload.sub\n }\n return super.issue(payload, disclosureFrame, options)\n }\n}\n\nfunction toVcdm2Date(value: number | string): string {\n const num = typeof value === 'string' ? Number(value) : value\n if (!Number.isFinite(num)) {\n throw new SDJWTException(`Invalid numeric date: ${value}`)\n }\n // Convert JWT NumericDate (seconds since epoch) to W3C VCDM 2 date-time string (RFC 3339 / ISO 8601)\n return new Date(num * 1000).toISOString()\n}\n","import { SdJwtPayload } from '@sd-jwt/core'\nimport { SdJwtVcPayload as OrigSdJwtVcPayload } from '@sd-jwt/sd-jwt-vc'\nimport { Hasher, kbHeader, KBOptions, kbPayload, SaltGenerator, Signer } from '@sd-jwt/types'\nimport { IIdentifierResolution, ManagedIdentifierResult } from '@sphereon/ssi-sdk-ext.identifier-resolution'\nimport { IJwtService } from '@sphereon/ssi-sdk-ext.jwt-service'\nimport { X509CertificateChainValidationOpts } from '@sphereon/ssi-sdk-ext.x509-utils'\nimport { contextHasPlugin } from '@sphereon/ssi-sdk.agent-config'\nimport { ImDLMdoc } from '@sphereon/ssi-sdk.mdl-mdoc'\nimport {\n HasherSync,\n JoseSignatureAlgorithm,\n JsonWebKey,\n SdJwtType,\n SdJwtTypeMetadata,\n SdJwtVcdm2Payload,\n SdJwtVcKbJwtHeader,\n SdJwtVcKbJwtPayload,\n SdJwtVcType,\n SdJwtVpType,\n} from '@sphereon/ssi-types'\nimport { DIDDocumentSection, IAgentContext, IDIDManager, IKeyManager, IPluginMethodMap, IResolver } from '@veramo/core'\n\nexport const sdJwtPluginContextMethods: Array<string> = ['createSdJwtVc', 'createSdJwtPresentation', 'verifySdJwtVc', 'verifySdJwtPresentation']\n\n/**\n * My Agent Plugin description.\n *\n * This is the interface that describes what your plugin can do.\n * The methods listed here, will be directly available to the veramo agent where your plugin is going to be used.\n * Depending on the agent configuration, other agent plugins, as well as the application where the agent is used\n * will be able to call these methods.\n *\n * To build a schema for your plugin using standard tools, you must link to this file in your package.json.\n * Example:\n * ```\n * \"veramo\": {\n * \"pluginInterfaces\": {\n * \"IMyAgentPlugin\": \"./src/types/IMyAgentPlugin.ts\"\n * }\n * },\n * ```\n *\n * @beta\n */\nexport interface ISDJwtPlugin extends IPluginMethodMap {\n /**\n * Your plugin method description\n *\n * @param args - Input parameters for this method\n * @param context - The required context where this method can run.\n * Declaring a context type here lets other developers know which other plugins\n * need to also be installed for this method to work.\n */\n /**\n * Create a signed SD-JWT credential.\n * @param args - Arguments necessary for the creation of a SD-JWT credential.\n * @param context - This reserved param is automatically added and handled by the framework, *do not override*\n */\n createSdJwtVc(args: ICreateSdJwtVcArgs, context: IRequiredContext): Promise<ICreateSdJwtVcResult>\n\n /**\n * Create a signed SD-JWT presentation.\n * @param args - Arguments necessary for the creation of a SD-JWT presentation.\n * @param context - This reserved param is automatically added and handled by the framework, *do not override*\n */\n createSdJwtPresentation(args: ICreateSdJwtPresentationArgs, context: IRequiredContext): Promise<ICreateSdJwtPresentationResult>\n\n /**\n * Verify a signed SD-JWT credential.\n * @param args - Arguments necessary for the verification of a SD-JWT credential.\n * @param context - This reserved param is automatically added and handled by the framework, *do not override*\n */\n verifySdJwtVc(args: IVerifySdJwtVcArgs, context: IRequiredContext): Promise<IVerifySdJwtVcResult>\n\n /**\n * Verify a signed SD-JWT presentation.\n * @param args - Arguments necessary for the verification of a SD-JWT presentation.\n * @param context - This reserved param is automatically added and handled by the framework, *do not override*\n */\n verifySdJwtPresentation(args: IVerifySdJwtPresentationArgs, context: IRequiredContext): Promise<IVerifySdJwtPresentationResult>\n\n /**\n * Fetch and validate Type Metadata.\n * @param args - Arguments necessary for fetching and validating the type metadata.\n * @param context - This reserved param is automatically added and handled by the framework, *do not override*\n */\n fetchSdJwtTypeMetadataFromVctUrl(args: FetchSdJwtTypeMetadataFromVctUrlArgs, context: IRequiredContext): Promise<SdJwtTypeMetadata>\n}\n\nexport function contextHasSDJwtPlugin(context: IAgentContext<IPluginMethodMap>): context is IAgentContext<ISDJwtPlugin> {\n return contextHasPlugin(context, 'verifySdJwtVc')\n}\n\n/**\n * ICreateSdJwtVcArgs\n *\n * @beta\n */\n\nexport interface SdJwtVcPayload extends OrigSdJwtVcPayload {\n x5c?: string[]\n}\n\nexport type Vcdm2Enveloped = 'EnvelopedVerifiableCredential' | 'EnvelopedVerifiablePresentation'\n\nexport function isVcdm2SdJwt(type: SdJwtType | string): Boolean {\n return type === 'vc+sd-jwt' || type === 'vp+sd-jwt'\n}\n\nexport interface ICreateSdJwtVcArgs {\n type?: SdJwtVcType\n credentialPayload: SdJwtPayload\n\n // biome-ignore lint/suspicious/noExplicitAny: <explanation>\n disclosureFrame?: IDisclosureFrame\n\n resolution?: ManagedIdentifierResult\n}\n\n/**\n * @beta\n */\nexport interface IDisclosureFrame {\n _sd?: string[]\n _sd_decoy?: number\n\n [x: string]: string[] | number | IDisclosureFrame | undefined\n}\n\n/**\n * ICreateSdJwtVcResult\n *\n * @beta\n */\nexport interface ICreateSdJwtVcResult {\n type: SdJwtVcType\n\n /**\n * the encoded sd-jwt credential\n */\n credential: string\n}\n\n/**\n *\n * @beta\n */\nexport interface ICreateSdJwtPresentationArgs {\n /**\n * Encoded SD-JWT credential\n */\n presentation: string\n\n /*\n * The keys to use for selective disclosure for presentation\n * if not provided, all keys will be disclosed\n * if empty object, no keys will be disclosed\n */\n presentationFrame?: IPresentationFrame\n\n /**\n * Allows to override the holder. Normally it will be looked up from the cnf or sub values\n */\n holder?: string\n\n /**\n * Information to include to add key binding.\n */\n kb?: KBOptions\n\n type?: SdJwtVpType\n\n vcdm2Enveloped?: Vcdm2Enveloped\n}\n\n/**\n * @beta\n */\nexport interface IPresentationFrame {\n [x: string]: boolean | IPresentationFrame\n}\n\n/**\n * Created presentation\n * @beta\n */\nexport interface ICreateSdJwtPresentationResult {\n /**\n * Encoded presentation.\n */\n presentation: string\n\n type: SdJwtVpType\n}\n\n/**\n * @beta\n */\nexport interface IVerifySdJwtVcArgs {\n credential: string\n opts?: {\n x5cValidation?: X509CertificateChainValidationOpts\n }\n}\n\n/**\n * @beta\n */\nexport type IVerifySdJwtVcResult = {\n type: SdJwtVcType\n payload: SdJwtVcPayload | SdJwtVcdm2Payload\n header: Record<string, unknown>\n kb?: { header: kbHeader; payload: kbPayload }\n}\n\n/**\n * @beta\n */\nexport interface IVerifySdJwtPresentationArgs {\n presentation: string\n\n requiredClaimKeys?: string[]\n\n /**\n * nonce used to verify the key binding jwt to prevent replay attacks.\n */\n keyBindingNonce?: string\n\n /**\n * Audience used to verify the key binding jwt\n */\n keyBindingAud?: string\n}\n\n/**\n * @beta\n */\nexport type IVerifySdJwtPresentationResult = {\n payload: unknown //fixme: maybe this can be `SdJwtPayload`\n header: Record<string, unknown> | undefined\n kb?: { header: kbHeader; payload: kbPayload }\n}\n\nexport type SignKeyArgs = {\n identifier: string\n vmRelationship: DIDDocumentSection\n resolution?: ManagedIdentifierResult\n}\n\nexport type SignKeyResult = {\n alg: JoseSignatureAlgorithm\n key: {\n kid?: string\n kmsKeyRef: string\n x5c?: string[]\n jwkThumbprint?: string\n }\n}\n/**\n * This context describes the requirements of this plugin.\n * For this plugin to function properly, the agent needs to also have other plugins installed that implement the\n * interfaces declared here.\n * You can also define requirements on a more granular level, for each plugin method or event handler of your plugin.\n *\n * @beta\n */\nexport type IRequiredContext = IAgentContext<IDIDManager & IIdentifierResolution & IJwtService & IResolver & IKeyManager & ImDLMdoc>\n\nexport type SdJwtVerifySignature = (data: string, signature: string, publicKey: JsonWebKey) => Promise<boolean>\nexport interface SdJWTImplementation {\n saltGenerator?: SaltGenerator\n hasher?: HasherSync\n verifySignature?: SdJwtVerifySignature\n}\n\nexport interface Claims {\n /**\n * Subject of the SD-JWT\n */\n sub?: string\n cnf?: {\n jwk?: JsonWebKey\n kid?: string\n }\n\n [key: string]: unknown\n}\n\nexport type FetchSdJwtTypeMetadataFromVctUrlArgs = {\n vct: string\n vctIntegrity?: string\n opts?: FetchSdJwtTypeMetadataFromVctUrlOpts\n}\n\nexport type FetchSdJwtTypeMetadataFromVctUrlOpts = {\n hasher?: HasherSync | Hasher\n}\n\nexport type GetSignerForIdentifierArgs = {\n identifier: string\n resolution?: ManagedIdentifierResult\n}\n\nexport type GetSignerResult = {\n signer: Signer\n alg?: string\n signingKey?: SignKeyResult\n}\n\nexport type PartialSdJwtKbJwt = {\n header: Partial<SdJwtVcKbJwtHeader>\n payload: Partial<SdJwtVcKbJwtPayload>\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;;;;;;;;;;;;;;;;;;;;ACAA,IAAAA,eAAoE;AACpE,IAAAC,oBAAqD;AAErD,IAAAC,sBAAkE;AAKlE,mBAAkB;;;ACRlB,yBAAmC;AACnC,uBAAqD;AACrD,kBAAmB;AAEnB,yBAA2B;AAGpB,IAAMC,wBAAoC,wBAACC,MAAgDC,QAAAA;AAChG,aAAOC,uCAAmBD,IAAIE,SAAS,KAAA,IAAS,YAAY,SAAA,EAAWC,KACrE,OAAOJ,SAAS,eAAWK,+BAAWL,MAAM,OAAA,IAAW,IAAIM,WAAWN,IAAAA,CAAAA;AAE1E,GAJiD;AAM1C,IAAMO,sBAAsB,6BAAA;AACjC,aAAOC,gBAAAA;AACT,GAFmC;AAI5B,IAAMC,yBACX,wBAACC,YACD,OAAOV,MAAcW,WAAmBC,cAAAA;AAEtC,QAAMC,SAAS,MAAMH,QAAQI,MAAMC,sBAAsB;IAAEC,KAAK,GAAGhB,IAAAA,IAAQW,SAAAA;IAAaM,KAAKL;EAAiB,CAAA;AAC9GM,2BAAQC,QAAQC,IAAI,QAAA,EAAUC,KAAK,sCAAsCR,OAAOS,OAAO,EAAE;AACzF,SAAO,CAACT,OAAOU;AACjB,GANA;;;AClBK,IAAMC,cACX;AAIK,IAAMC,aACX;;;ACDF,UAAqB;AAErB,uBAAyB;AAGzB,eAAsBC,0BAA0BC,KAAW;AACzD,QAAMC,WAAW,MAAMC,MAAMF,GAAAA;AAC7B,MAAI,CAACC,SAASE,IAAI;AAChB,UAAM,IAAIC,MAAM,GAAGH,SAASI,MAAM,KAAKJ,SAASK,UAAU,EAAE;EAC9D;AACA,SAAOL;AACT;AANsBF;AAUtB,SAASQ,4BAA4BC,gBAAuB;AAC1D,QAAMC,MAAMD,gBAAgBE,YAAAA,EAAcC,KAAAA,EAAOC,MAAM,GAAA,EAAK,CAAA;AAC5D,MAAIH,QAAQ,YAAYA,QAAQ,YAAYA,QAAQ,UAAU;AAC5D,WAAOA;EACT;AACA,SAAOI;AACT;AANSN;AAQF,SAASO,yBAAyBN,gBAAuB;AAC9D,SAAOA,gBAAgBE,YAAAA,EAAcC,KAAAA,EAAOC,MAAM,GAAA,EAAK,CAAA;AACzD;AAFgBE;AAIhB,eAAsBC,kBAAkB,EACtCC,OACAR,gBACAS,OAAM,GAKP;AACC,MAAI,CAACT,gBAAgB;AACnB,WAAO;EACT;AACA,QAAMU,MAAMX,4BAA4BC,cAAAA;AACxC,MAAI,CAACU,KAAK;AACR,WAAO;EACT;AACA,QAAMC,iBAAiB,MAAMC,gBAAgB;IAAEH;IAAQD;IAAOE;EAAI,CAAA;AAClE,SAAOC,kBAAkBX;AAC3B;AAlBsBO;AAoBtB,eAAsBK,gBAAgB,EACpCJ,OACAC,QACAC,MAAM,SAAQ,GAKf;AACC,QAAMC,iBAAiB,MAAMF,OAAO,OAAOD,UAAU,WAAWA,QAAQK,KAAKC,UAAUN,KAAAA,GAAQE,GAAAA;AAC/F,SAAO,GAAGA,GAAAA,QAAOK,2BAASJ,gBAAgB,QAAA,CAAA;AAC5C;AAXsBC;AAaf,SAASI,wBAAwBC,UAA6BC,KAAW;AAC9E,MAAID,SAASC,QAAQA,KAAK;AACxB,UAAM,IAAItB,MAAM,yCAAA;EAClB;AACF;AAJgBoB;AAMT,SAASG,oBAAoBC,SAAqB;AACvD,SACE,UAAUA,WACVC,MAAMC,QAAQF,QAAQG,IAAI,KAC1BH,QAAQG,KAAKC,SAAS,sBAAA,KACtB,cAAcJ,YACZ,OAAOA,QAAQ,UAAA,MAAgB,YAAYA,QAAQ,UAAA,EAAYK,SAAS,KACvEJ,MAAMC,QAAQF,QAAQ,UAAA,CAAW,KAAKA,QAAQ,UAAA,EAAYK,SAAS,KAAKL,QAAQ,UAAA,EAAYI,SAAS,sCAAA;AAE5G;AATgBL;AAWT,SAASO,iBAAiBN,SAAqB;AACpD,SAAO,CAACD,oBAAoBC,OAAAA,KAAY,SAASA,WAAW,OAAOA,QAAQF,QAAQ;AACrF;AAFgBQ;AAIT,SAASC,mBAAmBP,SAAqB;AACtD,MAAIQ;AACJ,MAAIF,iBAAiBN,OAAAA,KAAY,SAASA,SAAS;AACjDQ,aAASR,QAAQS;EACnB,WAAWV,oBAAoBC,OAAAA,KAAa,YAAYA,WAAWA,QAAQQ,QAAS;AAClFA,aAAS,OAAOR,QAAQQ,WAAW,WAAWR,QAAQQ,SAAUR,QAAQQ,QAAgBE;EAC1F;AAEA,MAAI,CAACF,QAAQ;AACX,UAAM,IAAIhC,MAAM,kFAAA;EAClB;AACA,SAAOgC;AACT;AAZgBD;AAcT,SAASI,gBAAgBC,gBAAwBtB,KAAaD,QAAc;AACjF,QAAMwB,SAASxB,OAAOuB,gBAAgBtB,GAAAA;AACtC,SAAWK,aAASkB,QAAQ,WAAA;AAC9B;AAHgBF;;;ACpGhB,kBAAoD;AAEpD,mBAA+B;AAE/B,uBAA6E;;;ACE7E,qBAAiC;AAgB1B,IAAMG,4BAA2C;EAAC;EAAiB;EAA2B;EAAiB;;AAmE/G,SAASC,sBAAsBC,SAAwC;AAC5E,aAAOC,iCAAiBD,SAAS,eAAA;AACnC;AAFgBD;AAgBT,SAASG,aAAaC,MAAwB;AACnD,SAAOA,SAAS,eAAeA,SAAS;AAC1C;AAFgBD;;;AD9FT,IAAME,2BAAN,MAAMA;EAXb,OAWaA;;;EACX,OAAOC,OAAOC,MAAiBC,QAAgF;AAC7G,QAAIC,aAAaF,IAAAA,GAAO;AACtB,aAAO,IAAIG,mBAAmBF,MAAAA;IAChC;AACA,WAAO,IAAIG,iCAAgBH,MAAAA;EAC7B;AACF;AAGO,IAAME,qBAAN,cAAiCE,0BAAAA;EArBxC,OAqBwCA;;;;;;EAItC,OAAiBL,OAAO;EAEdM,aAA+B,CAAC;EAE1C,YAAYA,YAA+B;AACzC,UAAMA,UAAAA;AACN,QAAIA,YAAY;AACd,WAAKA,aAAaA;IACpB;EACF;;;;;EAMUC,uBAAuBC,iBAA2D;AAG1F,QAAIA,iBAAiBC,OAAOC,MAAMC,QAAQH,gBAAgBC,GAAG,KAAKD,gBAAgBC,IAAIG,SAAS,GAAG;AAChG,YAAMC,gBAAgB;QAAC;QAAO;QAAO;QAAO;QAAO;QAAY;QAAQ;QAAoB;QAAoB;;AAE/G,YAAMC,iCAAkCN,gBAAgBC,IAAiBM,OAAO,CAACC,QAAQH,cAAcI,SAASD,GAAAA,CAAAA;AAChH,UAAIF,+BAA+BF,SAAS,GAAG;AAC7C,cAAM,IAAIM,4BAAe,uCAAuCJ,+BAA+BK,KAAK,IAAA,CAAA,EAAO;MAC7G;IACF;EACF;;;;;;EAOA,MAAMC,OAAOC,cAAsBC,SAA2B;AAE5D,UAAMC,SAAuC,MAAM,MAAMH,OAAOC,cAAcC,OAAAA,EAASE,KAAK,CAACC,QAAAA;AAC3F,aAAO;QACLC,SAASD,IAAIC;QACbC,QAAQF,IAAIE;QACZC,IAAIH,IAAIG;MACV;IACF,CAAA;AAIA,WAAOL;EACT;;;;;;EAOA,MAAcM,kBAAkBC,UAAoBC,KAAaC,WAAoB;AACnF,QAAIA,WAAW;AAEb,YAAMC,cAAc,MAAMH,SAASG,YAAW;AAC9C,YAAMC,MAAMF,UAAUG,MAAM,GAAA,EAAK,CAAA;AAEjC,YAAMC,aAAa,MAAO,KAAK9B,WAAW+B,OAAkBJ,aAAaC,GAAAA;AACzE,YAAMI,gBAAgBN,UAAUG,MAAM,GAAA,EAAK,CAAA;AAC3C,YAAMI,OAAO7B,MAAM8B,KAAK,IAAIC,WAAWL,UAAAA,CAAAA,EACpCM,IAAI,CAACC,SAASA,KAAKC,SAAS,EAAA,EAAIC,SAAS,GAAG,GAAA,CAAA,EAC5C1B,KAAK,EAAA;AACR,UAAIoB,SAASD,eAAe;AAC1B,cAAM,IAAIQ,MAAM,uBAAuBf,GAAAA,eAAkBQ,IAAAA,kBAAsBD,aAAAA,EAAe;MAChG;IACF;EACF;;;;;;;EAQA,MAAgBS,MAAShB,KAAaC,WAAgC;AACpE,QAAI;AACF,YAAMF,WAAW,MAAMiB,MAAMhB,KAAK;QAChCiB,QAAQC,YAAYC,QAAQ,KAAK5C,WAAW4C,WAAW,GAAA;MACzD,CAAA;AACA,UAAI,CAACpB,SAASqB,IAAI;AAChB,cAAMC,YAAY,MAAMtB,SAASuB,KAAI;AACrC,eAAOC,QAAQC,OAAO,IAAIT,MAAM,kBAAkBf,GAAAA,KAAQD,SAAS0B,MAAM,IAAI1B,SAAS2B,UAAU,MAAML,SAAAA,EAAW,CAAA;MACnH;AACA,YAAM,KAAKvB,kBAAkBC,SAAS4B,MAAK,GAAI3B,KAAKC,SAAAA;AACpD,aAAOF,SAAS6B,KAAI;IACtB,SAASC,OAAO;AACd,UAAKA,MAAgBC,SAAS,gBAAgB;AAC5C,cAAM,IAAIf,MAAM,cAAcf,GAAAA,YAAe;MAC/C;AACA,YAAM6B;IACR;EACF;EAEA,MAAaE,MACXpC,SACAlB,iBACAc,SAGuB;AACvB,QAAII,QAAQqC,OAAO,CAACrC,QAAQsC,QAAQ;AAClCtC,cAAQsC,SAAS;QAAEC,IAAIvC,QAAQqC;MAAI;AACnC,aAAOrC,QAAQqC;IACjB;AACA,QAAIrC,QAAQwC,OAAO,CAACxC,QAAQyC,WAAW;AACrCzC,cAAQyC,YAAYC,YAAY1C,QAAQwC,GAAG;AAC3C,aAAOxC,QAAQwC;IACjB;AACA,QAAIxC,QAAQ2C,OAAO,CAAC3C,QAAQ4C,YAAY;AACtC5C,cAAQ4C,aAAaF,YAAY1C,QAAQ2C,GAAG;AAC5C,aAAO3C,QAAQ2C;IACjB;AACA,QAAI3C,QAAQ6C,OAAO,CAAC7D,MAAMC,QAAQe,QAAQ8C,iBAAiB,KAAK,CAAC9C,QAAQ8C,kBAAkBP,IAAI;AAC7FvC,cAAQ8C,kBAAkBP,KAAKvC,QAAQ6C;AACvC,aAAO7C,QAAQ6C;IACjB;AACA,WAAO,MAAMT,MAAMpC,SAASlB,iBAAiBc,OAAAA;EAC/C;AACF;AAEA,SAAS8C,YAAYK,OAAsB;AACzC,QAAMC,MAAM,OAAOD,UAAU,WAAWE,OAAOF,KAAAA,IAASA;AACxD,MAAI,CAACE,OAAOC,SAASF,GAAAA,GAAM;AACzB,UAAM,IAAIxD,4BAAe,yBAAyBuD,KAAAA,EAAO;EAC3D;AAEA,SAAO,IAAII,KAAKH,MAAM,GAAA,EAAMI,YAAW;AACzC;AAPSV;;;AJzGT,IAAAW,OAAqB;AAErB,IAAMC,YAAQC,aAAAA,SAAM,0BAAA;AAMb,IAAMC,cAAN,MAAMA;EAlDb,OAkDaA;;;;EAEMC;EACAC;EACTC;EACAC;EAER,YACEF,2BAIAD,mBACA;AACA,SAAKA,oBAAoBA,qBAAqB,CAAA;AAC9C,QAAI,CAACC,2BAA2B;AAC9BA,kCAA4B,CAAC;IAC/B;AACA,QAAI,OAAOA,2BAA2BG,WAAW,YAAY;AAC3DH,gCAA0BG,SAASC;IACrC;AACA,QAAI,OAAOJ,2BAA2BK,kBAAkB,YAAY;AAClEL,gCAA0BK,gBAAgBC;IAC5C;AACA,SAAKN,4BAA4BA;AACjC,SAAKC,WAAWD,2BAA2BO,WAAW,CAAC;AACvD,SAAKL,iBAAiBF,2BAA2BQ;EAGnD;;EAGSC,UAAwB;IAC/BC,eAAe,KAAKA,cAAcC,KAAK,IAAI;IAC3CC,yBAAyB,KAAKA,wBAAwBD,KAAK,IAAI;IAC/DE,eAAe,KAAKA,cAAcF,KAAK,IAAI;IAC3CG,yBAAyB,KAAKA,wBAAwBH,KAAK,IAAI;IAC/DI,kCAAkC,KAAKA,iCAAiCJ,KAAK,IAAI;EACnF;EAEA,MAAcK,uBAAuBC,MAAkCC,SAAqD;AAC1H,UAAM,EAAEC,YAAYC,WAAU,IAAKH;AACnC,QAAII,OAAOC,KAAK,KAAKrB,QAAQ,EAAEsB,SAASJ,UAAAA,KAAe,OAAO,KAAKlB,SAASkB,UAAAA,MAAgB,YAAY;AACtG,aAAO;QAAEK,QAAQ,KAAKvB,SAASkB,UAAAA;MAAY;IAC7C,WAAW,OAAO,KAAKjB,mBAAmB,YAAY;AACpD,aAAO;QAAEsB,QAAQ,KAAKtB;MAAe;IACvC;AACA,UAAMuB,aAAa,MAAM,KAAKC,WAAW;MAAEP;MAAYQ,gBAAgB;MAAmBP;IAAW,GAAGF,OAAAA;AACxG,UAAM,EAAEU,KAAKC,IAAG,IAAKJ;AAErB,UAAMD,SAAiB,8BAAOM,SAAAA;AAC5B,aAAOZ,QAAQa,MAAMC,eAAe;QAAEC,QAAQL,IAAIM;QAAWJ;MAAK,CAAA;IACpE,GAFuB;AAIvB,WAAO;MAAEN;MAAQK;MAAKJ;IAAW;EACnC;;;;;;;EAQA,MAAMf,cAAcO,MAA0BC,SAA0D;AACtG,UAAMiB,UAAUlB,KAAKmB;AACrB,UAAMC,UAAUC,oBAAoBH,OAAAA;AACpC,UAAMI,YAAYC,iBAAiBL,OAAAA;AACnC,UAAMM,OAAOxB,KAAKwB,SAASJ,UAAU,cAAc;AAEnD,UAAMK,SAASC,mBAAmB1B,KAAKmB,iBAAiB;AACxD,QAAI,CAACM,QAAQ;AACX,YAAM,IAAIE,MAAM,qCAAA;IAClB;AACA,UAAM,EAAEf,KAAKL,QAAQC,WAAU,IAAK,MAAM,KAAKT,uBAAuB;MAAEG,YAAYuB;MAAQtB,YAAYH,KAAKG;IAAW,GAAGF,OAAAA;AAC3H,UAAM2B,UAAUhB,OAAOJ,YAAYI,OAAO;AAC1C,UAAMiB,UAAyB,WAAWC,KAAKF,OAAAA,IAAY,OAAOA,QAAQG,MAAM,EAAC,CAAA,KAAyB;AAC1G,UAAMC,QAAQC,yBAAyBC,OAAOV,MAAM;MAClDW,SAAS;MACT5B;MACArB,QAAQ,KAAKH,0BAA0BG;MACvCE,eAAe,KAAKL,0BAA0BK;MAC9CwC;MACAC;IACF,CAAA;AAEA,UAAMO,SAAS;MACb,GAAI5B,YAAYG,IAAI0B,QAAQC,UAAa;QAAED,KAAK7B,WAAWG,IAAI0B;MAAI;MACnE,GAAI7B,YAAYG,IAAI4B,QAAQD,UAAa;QAAEC,KAAK/B,WAAWG,IAAI4B;MAAI;MACnE,GAAIf,QAAQ;QAAEgB,KAAKhB;MAAK;IAC1B;AACA,QAAIiB;AACJ,QAAIrB,SAAS;AACXqB,mBAAa,MAAOT,MAA6BU;QAC/CxB;;QAEAlB,KAAK2C;QACL;UAAEP;QAAO;MAAA;IAEb,WAAWd,WAAW;AACpBmB,mBAAa,MAAOT,MAA0BU,MAAMxB,SAASlB,KAAK2C,iBAAoD;QAAEP;MAAO,CAAA;IACjI,OAAO;AACL,aAAOQ,QAAQC,OAAO,IAAIlB,MAAM,iCAAiCH,IAAAA,yBAA6B,CAAA;IAChG;AAEA,WAAO;MAAEA;MAAMiB;IAAW;EAC5B;;;;;;;EAQA,MAAMhC,WAAWT,MAAmBC,SAAmD;AAErF,UAAM,EAAEC,YAAYC,WAAU,IAAK;MAAE,GAAGH;IAAK;AAC7C,QAAIG,YAAY;AACd,YAAMQ,MAAMR,WAAWQ;AACvB,YAAMC,MAAM,UAAMkC,+CAA0B;QAAEnC;MAAI,CAAA;AAClD,cAAQR,WAAW4C,QAAM;QACvB,KAAK;AACHpE,gBAAM,eAAegC,IAAIqC,YAAY,yBAAyB9C,UAAAA,EAAY;AAC1E,iBAAO;YAAEU;YAAKD,KAAK;cAAE,GAAGA;cAAKM,WAAWd,WAAWc;cAAWoB,KAAKlC,WAAWkC;YAAI;UAAE;QACtF;AACE,cAAI1B,IAAIsC,MAAMC,QAAQvC,IAAIsC,KAAKC,KAAKX,KAAK;AACvC,mBAAO;cAAE3B;cAAKD,KAAK;gBAAE0B,KAAKlC,WAAWkC;gBAAKpB,WAAWd,WAAWc;gBAAWsB,KAAK5B,IAAIsC,KAAKC,KAAKX;cAAgB;YAAE;UAClH,WAAW5B,IAAIsC,MAAME,eAAe;AAClC,mBAAO;cAAEvC;cAAKD,KAAK;gBAAE0B,KAAKlC,WAAWkC;gBAAKpB,WAAWd,WAAWc;gBAAWkC,eAAexC,IAAIsC,KAAKE;cAAc;YAAE;UACrH,OAAO;AACL,mBAAO;cAAEvC;cAAKD,KAAK;gBAAE0B,KAAKlC,WAAWkC;gBAAKpB,WAAWd,WAAWc;cAAU;YAAE;UAC9E;MACJ;IACF,WAAWf,WAAWkD,WAAW,MAAA,GAAS;AACxC,YAAMC,gBAAgB,MAAMpD,QAAQa,MAAMwC,0BAA0B;QAAEpD;MAAW,CAAA;AACjF,UAAI,CAACmD,eAAe;AAClB,cAAM,IAAI1B,MAAM,2CAA2CzB,UAAAA,EAAY;MACzE;AACA,YAAMS,MAAM0C,cAAc1C;AAC1B,YAAMC,MAAM,UAAMkC,+CAA0B;QAAEnC;MAAI,CAAA;AAClDhC,YAAM,eAAegC,IAAIqC,YAAY,yBAAyB9C,UAAAA,EAAY;AAE1E,aAAO;QAAEU;QAAKD,KAAK;UAAE,GAAGA;UAAKM,WAAWoC,cAAcpC;UAAWoB,KAAKgB,cAAchB;QAAI;MAAE;IAC5F,OAAO;AACL,YAAMkB,gBAAgB,MAAMtD,QAAQa,MAAM0C,0BAA0B;QAAEtD;MAAW,CAAA;AACjF,UAAI,CAACqD,eAAe;AAClB,cAAM,IAAI5B,MAAM,2CAA2CzB,UAAAA,EAAY;MACzE;AACA,YAAMS,MAAM4C,cAAc5C;AAC1B,YAAMC,MAAM,UAAMkC,+CAA0B;QAAEnC;MAAI,CAAA;AAClD,UAAIA,IAAIsC,MAAMC,QAAQvC,IAAIsC,KAAKC,KAAKX,KAAK;AACvC,eAAO;UAAE3B;UAAKD,KAAK;YAAE0B,KAAKkB,cAAclB;YAAKpB,WAAWsC,cAActC;YAAWsB,KAAK5B,IAAIsC,KAAKC,KAAKX;UAAgB;QAAE;MACxH,WAAW5B,IAAIsC,MAAME,eAAe;AAClC,eAAO;UAAEvC;UAAKD,KAAK;YAAE0B,KAAKkB,cAAclB;YAAKpB,WAAWsC,cAActC;YAAWkC,eAAexC,IAAIsC,KAAKE;UAAc;QAAE;MAC3H,OAAO;AACL,eAAO;UAAEvC;UAAKD,KAAK;YAAE0B,KAAKkB,cAAclB;YAAKpB,WAAWsC,cAActC;UAAU;QAAE;MACpF;IACF;EACF;;;;;;;EAQA,MAAMtB,wBAAwBK,MAAoCC,SAAoE;AACpI,UAAMuB,OAAOxB,KAAKwB,QAAQ;AAE1B,UAAMiC,OAAO,MAAMC,mBAAMC,WAAW3D,KAAK4D,cAAc,KAAK7E,0BAA0BG,MAAM;AAE5F,UAAM2E,SAAS,MAAMJ,KAAKK,UAAkB,KAAK/E,0BAA0BG,MAAM;AACjF,QAAI6E;AAEJ,QAAI/D,KAAK+D,QAAQ;AACfA,eAAS/D,KAAK+D;IAChB,WAAWF,OAAOG,KAAKC,KAAK;AAC1B,YAAMA,MAAMJ,OAAOG,IAAIC;AACvBF,mBAASG,4CAAuB;QAAED;MAAgB,CAAA;IACpD,WAAWJ,OAAOG,KAAK3B,KAAK;AAC1B0B,eAASF,OAAOG,KAAK3B;IACvB,WAAWwB,OAAOM,KAAK;AACrBJ,eAASF,OAAOM;IAClB,OAAO;AACL,YAAM,IAAIxC,MAAM,kEAAA;IAClB;AACA,UAAM,EAAEf,KAAKL,OAAM,IAAK,MAAM,KAAKR,uBAAuB;MAAEG,YAAY6D;IAAO,GAAG9D,OAAAA;AAElF,UAAM+B,QAAQC,yBAAyBC,OAAOV,MAAM;MAClDW,SAAS;MACTjD,QAAQ,KAAKH,0BAA0BG;MACvCE,eAAe,KAAKL,0BAA0BK;MAC9CgF,UAAU7D;MACV8D,WAAWzD,OAAO;IACpB,CAAA;AAEA,UAAMgD,eAAe,MAAM5B,MAAMsC,QAAQtE,KAAK4D,cAAc5D,KAAKuE,mBAAwD;MAAEC,IAAIxE,KAAKwE;IAAG,CAAA;AAEvI,WAAO;MAAEhD;MAAMoC;IAAa;EAC9B;;;;;;;EAQA,MAAMhE,cAAcI,MAA0BC,SAA0D;AAEtG,UAAMwE,WAAqB,8BAAO5D,MAAc6D,cAAsB,KAAKC,mBAAmB3C,OAAO/B,SAASY,MAAM6D,SAAAA,GAAzF;AAE3B,UAAMjB,OAAO,MAAMC,mBAAMC,WAAW3D,KAAKyC,YAAY,KAAK1D,0BAA0BG,MAAM;AAC1F,UAAMsC,OAAOH,oBAAoBoC,KAAKmB,KAAK1D,OAAAA,IAA2B,cAAc;AAEpF,UAAMc,QAAQC,yBAAyBC,OAAOV,MAAM;MAAEiD;MAAUvF,QAAQ,KAAKH,0BAA0BG,UAAUC;IAAsB,CAAA;AAGvI,UAAM,EAAEiD,SAAS,CAAC,GAAGlB,SAASsD,GAAE,IAAK,MAAMxC,MAAM6C,OAAO7E,KAAKyC,YAAY;MAAEqC,aAAa,KAAK,KAAK,KAAK;IAAE,CAAA;AAEzG,WAAO;MAAEtD;MAAMY;MAAQlB;MAASsD;IAAG;EACrC;;;;;;;;;;EAWQO,SAAS9E,SAA2BY,MAAc6D,WAAmBxD,SAAuC;AAClH,QAAI,CAACA,QAAQ8C,KAAK;AAChB,YAAMrC,MAAM,4CAAA;IACd;AAIA,WAAO,KAAKqD,wBAAwB/E,OAAAA,EAASY,MAAM6D,WAAW,KAAKO,OAAO/D,OAAAA,CAAAA;EAC5E;;;;;;;;;EAUA,MAAMyD,mBACJ3C,OACA/B,SACAY,MACA6D,WACAQ,MACkB;AAClB,UAAMC,YAAY,MAAMnD,MAAMoD,OAAO,GAAGvE,IAAAA,IAAQ6D,SAAAA,EAAW;AAC3D,UAAMxD,UAAyBiE,UAAUP,IAAY1D;AACrD,UAAMO,SAAiBC,mBAAmBR,OAAAA;AAC1C,UAAMkB,SAAU+C,UAAUP,IAAYxC;AACtC,UAAMG,MAA4BH,QAAQG;AAC1C,QAAI0B,MAAoC7B,OAAO6B;AAC/C,QAAI1B,KAAK8C,QAAQ;AACf,YAAMC,eAAe,oBAAIC,IAAY;WAAI,KAAKzG;OAAkB;AAChE,UAAIwG,aAAaE,SAAS,GAAG;AAC3BF,qBAAaG,IAAIC,UAAAA;AACjBJ,qBAAaG,IAAIE,WAAAA;MACnB;AACA,YAAMC,8BAA8B,MAAM3F,QAAQa,MAAM+E,2BAA2B;QACjFC,OAAOvD;QACP+C,cAAcS,MAAMC,KAAKV,YAAAA;;QAEzBJ,MAAMA,MAAMe,iBAAiB;UAAEC,wBAAwB;UAAMC,0BAA0B;QAAK;MAC9F,CAAA;AAEA,UAAIP,4BAA4BQ,SAAS,CAACR,6BAA6BS,kBAAkB;AACvF,eAAOzD,QAAQC,OAAOlB,MAAM,wCAAwCiE,4BAA4BU,OAAO,EAAE,CAAA;MAC3G;AACA,YAAMC,WAAWX,4BAA4BS,iBAAiB,CAAA;AAC9DpC,YAAMsC,SAASC;IACjB;AAEA,QAAI,CAACvC,OAAO7B,OAAOC,KAAK/B,SAAS,MAAA,GAAS;AACxC,YAAMmG,SAAS,MAAMxG,QAAQa,MAAM4F,WAAW;QAAEC,QAAQvE,OAAOC;MAAI,CAAA;AACnE,UAAI,CAACoE,QAAQ;AACX,cAAM,IAAI9E,MAAM,0DAAA;MAClB;AAEA,YAAMiF,iBAAiBH,OAAOI,aAAaC,oBAAoBC,KAAK,CAACpG,QAAQA,IAAIqG,EAAE;AACnF,UAAI,CAACJ,gBAAgB;AACnB,cAAM,IAAIjF,MAAM,qEAAA;MAClB;AAGAsC,YAAM2C,eAAeK;IACvB;AAEA,QAAI,CAAChD,OAAOxC,OAAOnB,SAAS,MAAA,GAAS;AAEnC,YAAMmG,SAAS,MAAMxG,QAAQa,MAAM4F,WAAW;QAAEC,QAAQlF;MAAO,CAAA;AAC/D,UAAI,CAACgF,QAAQ;AACX,cAAM,IAAI9E,MAAM,0DAAA;MAClB;AAEA,YAAMiF,iBAAiBH,OAAOI,aAAaC,oBAAoBC,KAAK,CAACpG,QAAQA,IAAIqG,EAAE;AACnF,UAAI,CAACJ,gBAAgB;AACnB,cAAM,IAAIjF,MAAM,qEAAA;MAClB;AAGAsC,YAAM2C,eAAeK;IACvB;AAEA,QAAI,CAAChD,KAAK;AACR,YAAM,IAAItC,MAAM,sDAAA;IAClB;AAEA,WAAO,KAAKqD,wBAAwB/E,OAAAA,EAASY,MAAM6D,WAAWT,GAAAA;EAChE;;;;;;;EAQA,MAAMpE,wBAAwBG,MAAoCC,SAAoE;AACpI,QAAI+B;AACJ,UAAMyC,WAAqB,8BAAO5D,MAAc6D,cAAsB,KAAKC,mBAAmB3C,OAAO/B,SAASY,MAAM6D,SAAAA,GAAzF;AAC3B,UAAMwC,aAAyB,8BAAOrG,MAAc6D,WAAmBxD,YAAwB,KAAK6D,SAAS9E,SAASY,MAAM6D,WAAWxD,OAAAA,GAAxG;AAC/Bc,YAAQ,IAAImF,kCAAgB;MAC1B1C;MACAvF,QAAQ,KAAKH,0BAA0BG;MACvCkI,YAAYF;IACd,CAAA;AAEA,UAAMG,eAAgC;MACpCC,mBAAmBtH,KAAKsH;MACxBC,iBAAiBvH,KAAKuH;IACxB;AAEA,WAAOvF,MAAM6C,OAAO7E,KAAK4D,cAAcyD,YAAAA;EACzC;;;;;;;EAQA,MAAMvH,iCAAiCE,MAA4CC,SAAuD;AACxI,UAAM,EAAEuH,KAAKC,cAAcvC,KAAI,IAAKlF;AACpC,UAAM0H,MAAM,IAAIC,IAAIH,GAAAA;AAEpB,UAAMI,WAAW,MAAMC,0BAA0BH,IAAII,SAAQ,CAAA;AAC7D,UAAMC,WAA+B,MAAMH,SAASI,KAAI;AACxDC,4BAAwBF,UAAUP,GAAAA;AAElC,UAAMU,WAAW,8BAAOV,MAAaW,OAAgBC,gBAAyBlJ,YAAAA;AAC5E,UAAIA,WAAUkJ,gBAAgB;AAC5B,cAAMC,aAAa,MAAMC,kBAAkB;UAAEF;UAAgBD;UAAOjJ,QAAAA;QAAO,CAAA;AAC3E,YAAI,CAACmJ,YAAY;AACf,iBAAOzF,QAAQC,OAAOlB,MAAM,mCAAmC6F,IAAAA,cAAiBO,SAASQ,OAAO,gBAAgBH,cAAAA,GAAiB,CAAA;QACnI;MACF;IACF,GAPiB;AASjB,UAAMlJ,SAAUgG,MAAMhG,UAAU,KAAKH,0BAA0BG,UAAUC;AACzE,QAAID,QAAQ;AACV,UAAIuI,cAAc;AAChB,cAAMS,SAASV,KAAKO,UAAUN,cAAcvI,MAAAA;AAC5C,cAAMsJ,gBAAgB,MAAMF,kBAAkB;UAAEF,gBAAgBX;UAAcU,OAAOJ;UAAU7I;QAAO,CAAA;AACtG,YAAI,CAACsJ,eAAe;AAClB,iBAAO5F,QAAQC,OAAOlB,MAAM,mCAAmC6F,GAAAA,gBAAmBC,YAAAA,EAAc,CAAA;QAClG;MACF;AAEA,UAAIM,SAAS,mBAAA,GAAsB;AACjC,cAAMU,kBAAkB,MAAM,KAAK3I,iCAAiC;UAAE0H,KAAKO,SAAS,mBAAA;UAAsB7C;QAAK,GAAGjF,OAAAA;AAClH,cAAMiI,SAASV,KAAKiB,iBAAiBV,SAAS,mBAAA,GAAsB7I,MAAAA;MACtE;AAEA,UAAI6I,SAAS,sBAAA,GAAyB;AACpC,cAAMW,iBAAiB,MAAMb,0BAA0BE,SAASY,UAAU;AAC1E,cAAMC,SAAS,MAAMF,eAAeV,KAAI;AACxC,cAAME,SAASV,KAAKoB,QAAQb,SAAS,sBAAA,GAAyB7I,MAAAA;MAChE;AAEA6I,eAASc,SAASC,QAAQ,CAACD,YAAAA;AACzB,cAAME,sBAAsBF,QAAQG,WAAWC,QAAQC,OAAO,eAAA;AAC9D,YAAIH,qBAAqB;AACvBI,kBAAQC,IAAI,4BAAA;QACd;MACF,CAAA;IACF;AAEA,WAAOrB;EACT;EAEQ/C,wBAAwB/E,SAAiD;AAC/E,QAAI,OAAO,KAAKlB,0BAA0BsK,oBAAoB,YAAY;AACxE,aAAO,KAAKtK,0BAA0BsK;IACxC;AAEA,WAAOC,uBAAuBrJ,OAAAA;EAChC;EAEQgF,OAAO/D,SAAiC;AAC9C,QAAIA,QAAQ8C,KAAKC,QAAQ3B,QAAW;AAClC,aAAOpB,QAAQ8C,IAAIC;IACrB,WAAW/C,QAAQ8C,QAAQ1B,UAAa,SAASpB,QAAQ8C,OAAO,OAAO9C,QAAQ8C,IAAI3B,QAAQ,YAAYnB,QAAQ8C,IAAI3B,IAAIe,WAAW,UAAA,GAAa;AAG7I,YAAMmG,UAAU,KAAKC,wBAAwBtI,QAAQ8C,IAAI3B,GAAG;AAC5D,YAAMoH,UAAc3B,cAAa4B,gBAAWH,SAAS,WAAA,GAAc,OAAA;AACnE,YAAM3E,MAAM+E,KAAKC,MAAMH,OAAAA;AACvB,aAAO7E;IACT;AACA,UAAMjD,MAAM,2CAAA;EACd;EAEQ6H,wBAAwBK,KAAqB;AACnD,UAAMC,QAAQD,IAAIE,MAAM,GAAA;AACxB,QAAID,MAAMzE,SAAS,GAAG;AACpB,YAAM,IAAI1D,MAAM,oBAAA;IAClB;AACA,WAAOmI,MAAM,CAAA,EAAGC,MAAM,GAAA,EAAK,CAAA;EAC7B;AACF;","names":["import_core","import_sd_jwt_vc","import_ssi_sdk_ext","defaultGenerateDigest","data","alg","digestMethodParams","includes","hash","fromString","Uint8Array","defaultGenerateSalt","v4","defaultVerifySignature","context","signature","publicKey","result","agent","jwtVerifyJwsSignature","jws","jwk","Loggers","DEFAULT","get","info","message","error","funkeTestCA","sphereonCA","fetchUrlWithErrorHandling","url","response","fetch","ok","Error","status","statusText","extractHashAlgFromIntegrity","integrityValue","val","toLowerCase","trim","split","undefined","extractHashFromIntegrity","validateIntegrity","input","hasher","alg","calculatedHash","createIntegrity","JSON","stringify","toString","assertValidTypeMetadata","metadata","vct","isVcdm2SdJwtPayload","payload","Array","isArray","type","includes","length","isSdjwtVcPayload","getIssuerFromSdJwt","issuer","iss","id","calculateSdHash","compactSdJwtVc","digest","sdJwtPluginContextMethods","contextHasSDJwtPlugin","context","contextHasPlugin","isVcdm2SdJwt","type","SDJwtVcdmInstanceFactory","create","type","config","isVcdm2SdJwt","SDJwtVcdm2Instance","SDJwtVcInstance","SDJwtInstance","userConfig","validateReservedFields","disclosureFrame","_sd","Array","isArray","length","reservedNames","reservedNamesInDisclosureFrame","filter","key","includes","SDJWTException","join","verify","encodedSDJwt","options","result","then","res","payload","header","kb","validateIntegrity","response","url","integrity","arrayBuffer","alg","split","hashBuffer","hasher","integrityHash","hash","from","Uint8Array","map","byte","toString","padStart","Error","fetch","signal","AbortSignal","timeout","ok","errorText","text","Promise","reject","status","statusText","clone","json","error","name","issue","iss","issuer","id","nbf","validFrom","toVcdm2Date","exp","validUntil","sub","credentialSubject","value","num","Number","isFinite","Date","toISOString","u8a","debug","Debug","SDJwtPlugin","trustAnchorsInPEM","registeredImplementations","_signers","_defaultSigner","hasher","defaultGenerateDigest","saltGenerator","defaultGenerateSalt","signers","defaultSigner","methods","createSdJwtVc","bind","createSdJwtPresentation","verifySdJwtVc","verifySdJwtPresentation","fetchSdJwtTypeMetadataFromVctUrl","getSignerForIdentifier","args","context","identifier","resolution","Object","keys","includes","signer","signingKey","getSignKey","vmRelationship","key","alg","data","agent","keyManagerSign","keyRef","kmsKeyRef","payload","credentialPayload","isVcdm2","isVcdm2SdJwtPayload","isSdJwtVc","isSdjwtVcPayload","type","issuer","getIssuerFromSdJwt","Error","signAlg","hashAlg","test","slice","sdjwt","SDJwtVcdmInstanceFactory","create","omitTyp","header","kid","undefined","x5c","typ","credential","issue","disclosureFrame","Promise","reject","signatureAlgorithmFromKey","method","publicKeyHex","meta","x509","jwkThumbprint","startsWith","didIdentifier","identifierManagedGetByDid","kidIdentifier","identifierManagedGetByKid","cred","SDJwt","fromEncode","presentation","claims","getClaims","holder","cnf","jwk","calculateJwkThumbprint","sub","kbSigner","kbSignAlg","present","presentationFrame","kb","verifier","signature","verifyCallbackImpl","jwt","verify","skewSeconds","verifyKb","verifySignatureCallback","getJwk","opts","decodedVC","decode","length","trustAnchors","Set","size","add","sphereonCA","funkeTestCA","certificateValidationResult","x509VerifyCertificateChain","chain","Array","from","x5cValidation","trustRootWhenNoAnchors","allowNoTrustAnchorsFound","error","certificateChain","message","certInfo","publicKeyJWK","didDoc","resolveDid","didUrl","didDocumentKey","didDocument","verificationMethod","find","id","publicKeyJwk","verifierKb","SDJwtVcInstance","kbVerifier","verifierOpts","requiredClaimKeys","keyBindingNonce","vct","vctIntegrity","url","URL","response","fetchUrlWithErrorHandling","toString","metadata","json","assertValidTypeMetadata","validate","input","integrityValue","validation","validateIntegrity","extends","vctValidation","extendsMetadata","schemaResponse","schema_uri","schema","display","forEach","simpleLogoIntegrity","rendering","simple","logo","console","log","verifySignature","defaultVerifySignature","encoded","extractBase64FromDIDJwk","decoded","fromString","JSON","parse","did","parts","split"]}
1
+ {"version":3,"sources":["../src/index.ts","../src/action-handler.ts","../src/defaultCallbacks.ts","../src/trustAnchors.ts","../src/utils.ts","../src/sdJwtVcdm2Instance.ts","../src/types.ts"],"sourcesContent":["export { SDJwtPlugin } from './action-handler'\nexport { defaultGenerateDigest } from './defaultCallbacks'\nexport * from './utils'\nexport * from './types'\n","import { Jwt, SDJwt, type SdJwtPayload, type VerifierOptions } from '@sd-jwt/core'\nimport { SDJwtVcInstance, type SdJwtVcPayload } from '@sd-jwt/sd-jwt-vc'\nimport type { DisclosureFrame, HashAlgorithm, Hasher, JwtPayload, KbVerifier, PresentationFrame, Signer, Verifier } from '@sd-jwt/types'\nimport { calculateJwkThumbprint, signatureAlgorithmFromKey } from '@sphereon/ssi-sdk-ext.key-utils'\nimport type { X509CertificateChainValidationOpts } from '@sphereon/ssi-sdk-ext.x509-utils'\nimport type { HasherSync, JsonWebKey, JWK, SdJwtTypeMetadata } from '@sphereon/ssi-types'\nimport type { IAgentPlugin } from '@veramo/core'\n// import { decodeBase64url } from '@veramo/utils'\nimport Debug from 'debug'\nimport { defaultGenerateDigest, defaultGenerateSalt, defaultVerifySignature } from './defaultCallbacks'\nimport { funkeTestCA, sphereonCA } from './trustAnchors'\nimport {\n assertValidTypeMetadata,\n fetchUrlWithErrorHandling,\n getIssuerFromSdJwt,\n isSdjwtVcPayload,\n isVcdm2SdJwtPayload,\n validateIntegrity,\n} from './utils'\nimport type {\n Claims,\n FetchSdJwtTypeMetadataFromVctUrlArgs,\n GetSignerForIdentifierArgs,\n GetSignerResult,\n ICreateSdJwtPresentationArgs,\n ICreateSdJwtPresentationResult,\n ICreateSdJwtVcArgs,\n ICreateSdJwtVcResult,\n IRequiredContext,\n ISDJwtPlugin,\n IVerifySdJwtPresentationArgs,\n IVerifySdJwtPresentationResult,\n IVerifySdJwtVcArgs,\n IVerifySdJwtVcResult,\n SdJWTImplementation,\n SdJwtVerifySignature,\n SignKeyArgs,\n SignKeyResult,\n} from './types'\nimport { SDJwtVcdm2Instance, SDJwtVcdmInstanceFactory } from './sdJwtVcdm2Instance'\n\n// @ts-ignore\nimport * as u8a from 'uint8arrays'\n\nconst debug = Debug('@sphereon/ssi-sdk.sd-jwt')\n\n/**\n * @beta\n * SD-JWT plugin\n */\nexport class SDJwtPlugin implements IAgentPlugin {\n // @ts-ignore\n private readonly trustAnchorsInPEM: string[]\n private readonly registeredImplementations: SdJWTImplementation\n private _signers: Record<string, Signer>\n private _defaultSigner?: Signer\n\n constructor(\n registeredImplementations?: SdJWTImplementation & {\n signers?: Record<string, Signer>\n defaultSigner?: Signer\n },\n trustAnchorsInPEM?: string[],\n ) {\n this.trustAnchorsInPEM = trustAnchorsInPEM ?? []\n if (!registeredImplementations) {\n registeredImplementations = {}\n }\n if (typeof registeredImplementations?.hasher !== 'function') {\n registeredImplementations.hasher = defaultGenerateDigest\n }\n if (typeof registeredImplementations?.saltGenerator !== 'function') {\n registeredImplementations.saltGenerator = defaultGenerateSalt\n }\n this.registeredImplementations = registeredImplementations\n this._signers = registeredImplementations?.signers ?? {}\n this._defaultSigner = registeredImplementations?.defaultSigner\n\n // Verify signature default is used below in the methods if not provided here, as it needs the context of the agent\n }\n\n // map the methods your plugin is declaring to their implementation\n readonly methods: ISDJwtPlugin = {\n createSdJwtVc: this.createSdJwtVc.bind(this),\n createSdJwtPresentation: this.createSdJwtPresentation.bind(this),\n verifySdJwtVc: this.verifySdJwtVc.bind(this),\n verifySdJwtPresentation: this.verifySdJwtPresentation.bind(this),\n fetchSdJwtTypeMetadataFromVctUrl: this.fetchSdJwtTypeMetadataFromVctUrl.bind(this),\n }\n\n private async getSignerForIdentifier(args: GetSignerForIdentifierArgs, context: IRequiredContext): Promise<GetSignerResult> {\n const { identifier, resolution } = args\n if (Object.keys(this._signers).includes(identifier) && typeof this._signers[identifier] === 'function') {\n return { signer: this._signers[identifier] }\n } else if (typeof this._defaultSigner === 'function') {\n return { signer: this._defaultSigner }\n }\n const signingKey = await this.getSignKey({ identifier, vmRelationship: 'assertionMethod', resolution }, context)\n const { key, alg } = signingKey\n\n const signer: Signer = async (data: string): Promise<string> => {\n return context.agent.keyManagerSign({ keyRef: key.kmsKeyRef, data })\n }\n\n return { signer, alg, signingKey }\n }\n\n /**\n * Create a signed SD-JWT credential.\n * @param args - Arguments necessary for the creation of a SD-JWT credential.\n * @param context - This reserved param is automatically added and handled by the framework, *do not override*\n * @returns A signed SD-JWT credential.\n */\n async createSdJwtVc(args: ICreateSdJwtVcArgs, context: IRequiredContext): Promise<ICreateSdJwtVcResult> {\n const payload = args.credentialPayload\n const isVcdm2 = isVcdm2SdJwtPayload(payload)\n const isSdJwtVc = isSdjwtVcPayload(payload)\n const type = args.type ?? (isVcdm2 ? 'vc+sd-jwt' : 'dc+sd-jwt')\n\n const issuer = getIssuerFromSdJwt(args.credentialPayload)\n if (!issuer) {\n throw new Error('credential.issuer must not be empty')\n }\n const { alg, signer, signingKey } = await this.getSignerForIdentifier({ identifier: issuer, resolution: args.resolution }, context)\n const signAlg = alg ?? signingKey?.alg ?? 'ES256'\n const hashAlg: HashAlgorithm = /(\\d{3})$/.test(signAlg) ? (`sha-${signAlg.slice(-3)}` as HashAlgorithm) : 'sha-256'\n const sdjwt = SDJwtVcdmInstanceFactory.create(type, {\n omitTyp: true,\n signer,\n hasher: this.registeredImplementations.hasher,\n saltGenerator: this.registeredImplementations.saltGenerator,\n signAlg,\n hashAlg,\n })\n\n const header = {\n ...(signingKey?.key.kid !== undefined && { kid: signingKey.key.kid }),\n ...(signingKey?.key.x5c !== undefined && { x5c: signingKey.key.x5c }),\n ...(type && { typ: type }),\n }\n let credential: string\n if (isVcdm2) {\n credential = await (sdjwt as SDJwtVcdm2Instance).issue(\n payload,\n // @ts-ignore\n args.disclosureFrame as DisclosureFrame<typeof payload>,\n { header },\n )\n } else if (isSdJwtVc) {\n credential = await (sdjwt as SDJwtVcInstance).issue(payload, args.disclosureFrame as DisclosureFrame<typeof payload>, { header })\n } else {\n return Promise.reject(new Error(`invalid_argument: credential '${type}' type is not supported`))\n }\n\n return { type, credential }\n }\n\n /**\n * Get the key to sign the SD-JWT\n * @param args - consists of twp arguments: identifier like a did and other forms of identifiers and vmRelationship which represents the purpose of the key\n * @param context - agent instance\n * @returns the key to sign the SD-JWT\n */\n async getSignKey(args: SignKeyArgs, context: IRequiredContext): Promise<SignKeyResult> {\n // TODO Using identifierManagedGetByDid now (new managed identifier resolution). Evaluate of we need to implement more identifier types here\n const { identifier, resolution } = { ...args }\n if (resolution) {\n const key = resolution.key\n const alg = await signatureAlgorithmFromKey({ key })\n switch (resolution.method) {\n case 'did':\n debug(`Signing key ${key.publicKeyHex} found for identifier ${identifier}`)\n return { alg, key: { ...key, kmsKeyRef: resolution.kmsKeyRef, kid: resolution.kid } }\n default:\n if (key.meta?.x509 && key.meta.x509.x5c) {\n return { alg, key: { kid: resolution.kid, kmsKeyRef: resolution.kmsKeyRef, x5c: key.meta.x509.x5c as string[] } }\n } else if (key.meta?.jwkThumbprint) {\n return { alg, key: { kid: resolution.kid, kmsKeyRef: resolution.kmsKeyRef, jwkThumbprint: key.meta.jwkThumbprint } }\n } else {\n return { alg, key: { kid: resolution.kid, kmsKeyRef: resolution.kmsKeyRef } }\n }\n }\n } else if (identifier.startsWith('did:')) {\n const didIdentifier = await context.agent.identifierManagedGetByDid({ identifier })\n if (!didIdentifier) {\n throw new Error(`No identifier found with the given did: ${identifier}`)\n }\n const key = didIdentifier.key\n const alg = await signatureAlgorithmFromKey({ key })\n debug(`Signing key ${key.publicKeyHex} found for identifier ${identifier}`)\n\n return { alg, key: { ...key, kmsKeyRef: didIdentifier.kmsKeyRef, kid: didIdentifier.kid } }\n } else {\n const kidIdentifier = await context.agent.identifierManagedGetByKid({ identifier })\n if (!kidIdentifier) {\n throw new Error(`No identifier found with the given kid: ${identifier}`)\n }\n const key = kidIdentifier.key\n const alg = await signatureAlgorithmFromKey({ key })\n if (key.meta?.x509 && key.meta.x509.x5c) {\n return { alg, key: { kid: kidIdentifier.kid, kmsKeyRef: kidIdentifier.kmsKeyRef, x5c: key.meta.x509.x5c as string[] } }\n } else if (key.meta?.jwkThumbprint) {\n return { alg, key: { kid: kidIdentifier.kid, kmsKeyRef: kidIdentifier.kmsKeyRef, jwkThumbprint: key.meta.jwkThumbprint } }\n } else {\n return { alg, key: { kid: kidIdentifier.kid, kmsKeyRef: kidIdentifier.kmsKeyRef } }\n }\n }\n }\n\n /**\n * Create a signed SD-JWT presentation.\n * @param args - Arguments necessary for the creation of a SD-JWT presentation.\n * @param context - This reserved param is automatically added and handled by the framework, *do not override*\n * @returns A signed SD-JWT presentation.\n */\n async createSdJwtPresentation(args: ICreateSdJwtPresentationArgs, context: IRequiredContext): Promise<ICreateSdJwtPresentationResult> {\n const type = args.type ?? 'dc+sd-jwt'\n\n const cred = await SDJwt.fromEncode(args.presentation, this.registeredImplementations.hasher!)\n\n const claims = await cred.getClaims<Claims>(this.registeredImplementations.hasher!)\n let holder: string\n // we primarily look for a cnf field, if it's not there, we look for a sub field. If this is also not given, we throw an error since we can not sign it.\n if (args.holder) {\n holder = args.holder\n } else if (claims.cnf?.jwk) {\n const jwk = claims.cnf.jwk\n holder = calculateJwkThumbprint({ jwk: jwk as JWK })\n } else if (claims.cnf?.kid) {\n holder = claims.cnf?.kid\n } else if (claims.sub) {\n holder = claims.sub as string\n } else {\n throw new Error('invalid_argument: credential does not include a holder reference')\n }\n const { alg, signer } = await this.getSignerForIdentifier({ identifier: holder }, context)\n\n const sdjwt = SDJwtVcdmInstanceFactory.create(type, {\n omitTyp: true,\n hasher: this.registeredImplementations.hasher,\n saltGenerator: this.registeredImplementations.saltGenerator,\n kbSigner: signer,\n kbSignAlg: alg ?? 'ES256',\n })\n\n const presentation = await sdjwt.present(args.presentation, args.presentationFrame as PresentationFrame<SdJwtVcPayload>, { kb: args.kb })\n\n return { type, presentation }\n }\n\n /**\n * Verify a signed SD-JWT credential.\n * @param args - Arguments necessary for the verify a SD-JWT credential.\n * @param context - This reserved param is automatically added and handled by the framework, *do not override*\n * @returns\n */\n async verifySdJwtVc(args: IVerifySdJwtVcArgs, context: IRequiredContext): Promise<IVerifySdJwtVcResult> {\n // callback\n const verifier: Verifier = async (data: string, signature: string) => this.verifyCallbackImpl(sdjwt, context, data, signature)\n\n const cred = await SDJwt.fromEncode(args.credential, this.registeredImplementations.hasher!)\n const type = isVcdm2SdJwtPayload(cred.jwt?.payload as SdJwtPayload) ? 'vc+sd-jwt' : 'dc+sd-jwt'\n\n const sdjwt = SDJwtVcdmInstanceFactory.create(type, { verifier, hasher: this.registeredImplementations.hasher ?? defaultGenerateDigest })\n // FIXME: Findynet. Issuer returns expired status lists, and low level lib throws errors on these. We need to fix this in our implementation by wrapping the verification function\n // For now a workaround is to ad 5 days of skew seconds, yuck\n const { header = {}, payload, kb } = await sdjwt.verify(args.credential, { skewSeconds: 60 * 60 * 24 * 5 })\n\n return { type, header, payload, kb }\n }\n\n /**\n * Verify the key binding of a SD-JWT by validating the signature of the key bound to the SD-JWT\n * @param sdjwt - SD-JWT instance\n * @param context - This reserved param is automatically added and handled by the framework, *do not override*\n * @param data - signed data\n * @param signature - The signature\n * @param payload - The payload of the SD-JWT\n * @returns\n */\n private verifyKb(context: IRequiredContext, data: string, signature: string, payload: JwtPayload): Promise<boolean> {\n if (!payload.cnf) {\n throw Error('other method than cnf is not supported yet')\n }\n\n // TODO add aud verification\n\n return this.verifySignatureCallback(context)(data, signature, this.getJwk(payload))\n }\n\n /**\n * Validates the signature of a SD-JWT\n * @param sdjwt - SD-JWT instance\n * @param context - This reserved param is automatically added and handled by the framework, *do not override*\n * @param data - signed data\n * @param signature - The signature\n * @returns\n */\n async verifyCallbackImpl(\n sdjwt: SDJwtVcInstance | SDJwtVcdm2Instance,\n context: IRequiredContext,\n data: string,\n signature: string,\n opts?: { x5cValidation?: X509CertificateChainValidationOpts },\n ): Promise<boolean> {\n const decodedVC = await sdjwt.decode(`${data}.${signature}`)\n const payload: SdJwtPayload = (decodedVC.jwt as Jwt).payload as SdJwtPayload\n const issuer: string = getIssuerFromSdJwt(payload)\n const header = (decodedVC.jwt as Jwt).header as Record<string, any>\n const x5c: string[] | undefined = header?.x5c as string[]\n let jwk: JWK | JsonWebKey | undefined = header.jwk\n if (x5c?.length) {\n const trustAnchors = new Set<string>([...this.trustAnchorsInPEM])\n if (trustAnchors.size === 0) {\n trustAnchors.add(sphereonCA)\n trustAnchors.add(funkeTestCA)\n }\n const certificateValidationResult = await context.agent.x509VerifyCertificateChain({\n chain: x5c,\n trustAnchors: Array.from(trustAnchors),\n // TODO: Defaults to allowing untrusted certs! Fine for now, not when wallets go mainstream\n opts: opts?.x5cValidation ?? { trustRootWhenNoAnchors: true, allowNoTrustAnchorsFound: true },\n })\n\n if (certificateValidationResult.error || !certificateValidationResult?.certificateChain) {\n return Promise.reject(Error(`Certificate chain validation failed. ${certificateValidationResult.message}`))\n }\n const certInfo = certificateValidationResult.certificateChain[0]\n jwk = certInfo.publicKeyJWK as JWK\n }\n\n if (!jwk && header.kid?.includes('did:')) {\n const didDoc = await context.agent.resolveDid({ didUrl: header.kid })\n if (!didDoc) {\n throw new Error('invalid_issuer: issuer did not resolve to a did document')\n }\n const didDocumentKey = didDoc.didDocument?.verificationMethod?.find((key) => key.id === header.kid)\n if (!didDocumentKey) {\n throw new Error('invalid_issuer: issuer did document does not include referenced key')\n }\n //FIXME SDK-21: in case it's another did method, the value of the key can be also encoded as a base64url\n // needs more checks. some DID methods do not expose the keys as publicKeyJwk\n jwk = didDocumentKey.publicKeyJwk as JsonWebKey\n }\n\n if (!jwk && issuer.includes('did:')) {\n // TODO refactor\n const didDoc = await context.agent.resolveDid({ didUrl: issuer })\n if (!didDoc) {\n throw new Error('invalid_issuer: issuer did not resolve to a did document')\n }\n //TODO SDK-20: This should be checking for an assertionMethod and not just an verificationMethod with an id\n const didDocumentKey = didDoc.didDocument?.verificationMethod?.find((key) => key.id === header.kid)\n if (!didDocumentKey) {\n throw new Error('invalid_issuer: issuer did document does not include referenced key')\n }\n //FIXME SDK-21: in case it's another did method, the value of the key can be also encoded as a base64url\n // needs more checks. some DID methods do not expose the keys as publicKeyJwk\n jwk = didDocumentKey.publicKeyJwk as JsonWebKey\n }\n\n if (!jwk) {\n throw new Error('No valid public key found for signature verification')\n }\n\n return this.verifySignatureCallback(context)(data, signature, jwk)\n }\n\n /**\n * Verify a signed SD-JWT presentation.\n * @param args - Arguments necessary for the verify a SD-JWT presentation.\n * @param context - This reserved param is automatically added and handled by the framework, *do not override*\n * @returns\n */\n async verifySdJwtPresentation(args: IVerifySdJwtPresentationArgs, context: IRequiredContext): Promise<IVerifySdJwtPresentationResult> {\n let sdjwt: SDJwtVcInstance\n const verifier: Verifier = async (data: string, signature: string) => this.verifyCallbackImpl(sdjwt, context, data, signature)\n const verifierKb: KbVerifier = async (data: string, signature: string, payload: JwtPayload) => this.verifyKb(context, data, signature, payload)\n sdjwt = new SDJwtVcInstance({\n verifier,\n hasher: this.registeredImplementations.hasher,\n kbVerifier: verifierKb,\n })\n\n const verifierOpts: VerifierOptions = {\n requiredClaimKeys: args.requiredClaimKeys,\n keyBindingNonce: args.keyBindingNonce,\n }\n\n return sdjwt.verify(args.presentation, verifierOpts)\n }\n\n /**\n * Fetch and validate Type Metadata.\n * @param args - Arguments necessary for fetching and validating the type metadata.\n * @param context - This reserved param is automatically added and handled by the framework, *do not override*\n * @returns\n */\n async fetchSdJwtTypeMetadataFromVctUrl(args: FetchSdJwtTypeMetadataFromVctUrlArgs, context: IRequiredContext): Promise<SdJwtTypeMetadata> {\n const { vct, vctIntegrity, opts } = args\n const url = new URL(vct)\n\n const response = await fetchUrlWithErrorHandling(url.toString())\n const metadata: SdJwtTypeMetadata = (await response.json()) as SdJwtTypeMetadata\n assertValidTypeMetadata(metadata, vct)\n\n const validate = async (vct: string, input: unknown, integrityValue?: string, hasher?: Hasher | HasherSync) => {\n if (hasher && integrityValue) {\n const validation = await validateIntegrity({ integrityValue, input, hasher })\n if (!validation) {\n return Promise.reject(Error(`Integrity check failed for vct: ${vct}, extends: ${metadata.extends}, integrity: ${integrityValue}}`))\n }\n }\n }\n\n const hasher = (opts?.hasher ?? this.registeredImplementations.hasher ?? defaultGenerateDigest) as Hasher | HasherSync | undefined\n if (hasher) {\n if (vctIntegrity) {\n await validate(vct, metadata, vctIntegrity, hasher)\n const vctValidation = await validateIntegrity({ integrityValue: vctIntegrity, input: metadata, hasher })\n if (!vctValidation) {\n return Promise.reject(Error(`Integrity check failed for vct: ${vct}, integrity: ${vctIntegrity}`))\n }\n }\n\n if (metadata['extends#integrity']) {\n const extendsMetadata = await this.fetchSdJwtTypeMetadataFromVctUrl({ vct: metadata['extends#integrity'], opts }, context)\n await validate(vct, extendsMetadata, metadata['extends#integrity'], hasher)\n }\n\n if (metadata['schema_uri#integrity']) {\n const schemaResponse = await fetchUrlWithErrorHandling(metadata.schema_uri!)\n const schema = await schemaResponse.json()\n await validate(vct, schema, metadata['schema_uri#integrity'], hasher)\n }\n\n metadata.display?.forEach((display) => {\n const simpleLogoIntegrity = display.rendering?.simple?.logo?.['uri#integrity']\n if (simpleLogoIntegrity) {\n console.log('TODO: Logo integrity check')\n }\n })\n }\n\n return metadata\n }\n\n private verifySignatureCallback(context: IRequiredContext): SdJwtVerifySignature {\n if (typeof this.registeredImplementations.verifySignature === 'function') {\n return this.registeredImplementations.verifySignature\n }\n\n return defaultVerifySignature(context)\n }\n\n private getJwk(payload: JwtPayload): JsonWebKey {\n if (payload.cnf?.jwk !== undefined) {\n return payload.cnf.jwk as JsonWebKey\n } else if (payload.cnf !== undefined && 'kid' in payload.cnf && typeof payload.cnf.kid === 'string' && payload.cnf.kid.startsWith('did:jwk:')) {\n // extract JWK from kid FIXME isn't there a did function for this already? Otherwise create one\n // FIXME this is a quick-fix to make verification but we need a real solution\n const encoded = this.extractBase64FromDIDJwk(payload.cnf.kid)\n const decoded = u8a.toString(u8a.fromString(encoded, 'base64url'), 'utf-8')\n const jwt = JSON.parse(decoded)\n return jwt as JsonWebKey\n }\n throw Error('Unable to extract JWK from SD-JWT payload')\n }\n\n private extractBase64FromDIDJwk(did: string): string {\n const parts = did.split(':')\n if (parts.length < 3) {\n throw new Error('Invalid DID format')\n }\n return parts[2].split('#')[0]\n }\n}\n","import { digestMethodParams } from '@sphereon/ssi-sdk-ext.key-utils'\nimport { HasherSync, JsonWebKey, JWK, Loggers } from '@sphereon/ssi-types'\nimport { v4 } from 'uuid'\n// @ts-ignore\nimport { fromString } from 'uint8arrays/from-string'\nimport { IRequiredContext, SdJwtVerifySignature } from './types'\n\nexport const defaultGenerateDigest: HasherSync = (data: string | ArrayBuffer | SharedArrayBuffer, alg: string): Uint8Array => {\n return digestMethodParams(alg.includes('256') ? 'SHA-256' : 'SHA-512').hash(\n typeof data === 'string' ? fromString(data, 'utf-8') : new Uint8Array(data),\n )\n}\n\nexport const defaultGenerateSalt = (): string => {\n return v4()\n}\n\nexport const defaultVerifySignature =\n (context: IRequiredContext): SdJwtVerifySignature =>\n async (data: string, signature: string, publicKey: JsonWebKey): Promise<boolean> => {\n // The data and signature from the sd-jwt lib are a jwt header.payload and signature, so let's recombine into a compact jwt\n const result = await context.agent.jwtVerifyJwsSignature({ jws: `${data}.${signature}`, jwk: publicKey as JWK })\n Loggers.DEFAULT.get('sd-jwt').info(`SD-JWT signature verified. Result: ${result.message}`)\n return !result.error\n }\n","export const funkeTestCA =\n '-----BEGIN CERTIFICATE-----\\n' +\n 'MIICeTCCAiCgAwIBAgIUB5E9QVZtmUYcDtCjKB/H3VQv72gwCgYIKoZIzj0EAwIwgYgxCzAJBgNVBAYTAkRFMQ8wDQYDVQQHDAZCZXJsaW4xHTAbBgNVBAoMFEJ1bmRlc2RydWNrZXJlaSBHbWJIMREwDwYDVQQLDAhUIENTIElERTE2MDQGA1UEAwwtU1BSSU5EIEZ1bmtlIEVVREkgV2FsbGV0IFByb3RvdHlwZSBJc3N1aW5nIENBMB4XDTI0MDUzMTA2NDgwOVoXDTM0MDUyOTA2NDgwOVowgYgxCzAJBgNVBAYTAkRFMQ8wDQYDVQQHDAZCZXJsaW4xHTAbBgNVBAoMFEJ1bmRlc2RydWNrZXJlaSBHbWJIMREwDwYDVQQLDAhUIENTIElERTE2MDQGA1UEAwwtU1BSSU5EIEZ1bmtlIEVVREkgV2FsbGV0IFByb3RvdHlwZSBJc3N1aW5nIENBMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEYGzdwFDnc7+Kn5ibAvCOM8ke77VQxqfMcwZL8IaIA+WCROcCfmY/giH92qMru5p/kyOivE0RC/IbdMONvDoUyaNmMGQwHQYDVR0OBBYEFNRWGMCJOOgOWIQYyXZiv6u7xZC+MB8GA1UdIwQYMBaAFNRWGMCJOOgOWIQYyXZiv6u7xZC+MBIGA1UdEwEB/wQIMAYBAf8CAQAwDgYDVR0PAQH/BAQDAgGGMAoGCCqGSM49BAMCA0cAMEQCIGEm7wkZKHt/atb4MdFnXW6yrnwMUT2u136gdtl10Y6hAiBuTFqvVYth1rbxzCP0xWZHmQK9kVyxn8GPfX27EIzzsw==\\n' +\n '-----END CERTIFICATE-----'\n\nexport const sphereonCA =\n '-----BEGIN CERTIFICATE-----\\n' +\n 'MIICCDCCAa6gAwIBAgITAPMgqwtYzWPBXaobHhxG9iSydTAKBggqhkjOPQQDAjBa\\n' +\n 'MQswCQYDVQQGEwJOTDEkMCIGA1UECgwbU3BoZXJlb24gSW50ZXJuYXRpb25hbCBC\\n' +\n 'LlYuMQswCQYDVQQLDAJJVDEYMBYGA1UEAwwPY2Euc3BoZXJlb24uY29tMB4XDTI0\\n' +\n 'MDcyODIxMjY0OVoXDTM0MDcyODIxMjY0OVowWjELMAkGA1UEBhMCTkwxJDAiBgNV\\n' +\n 'BAoMG1NwaGVyZW9uIEludGVybmF0aW9uYWwgQi5WLjELMAkGA1UECwwCSVQxGDAW\\n' +\n 'BgNVBAMMD2NhLnNwaGVyZW9uLmNvbTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\\n' +\n 'BEiA0KeESSNrOcmCDga8YsBkUTgowZGwqvL2n91JUpAMdRSwvlVFdqdiLXnk2pQq\\n' +\n 'T1vZnDG0I+x+iz2EbdsG0aajUzBRMB0GA1UdDgQWBBTnB8pdlVz5yKD+zuNkRR6A\\n' +\n 'sywywTAOBgNVHQ8BAf8EBAMCAaYwDwYDVR0lBAgwBgYEVR0lADAPBgNVHRMBAf8E\\n' +\n 'BTADAQH/MAoGCCqGSM49BAMCA0gAMEUCIHH7ie1OAAbff5262rzZVQa8J9zENG8A\\n' +\n 'QlHHFydMdgaXAiEA1Ib82mhHIYDziE0DDbHEAXOs98al+7dpo8fPGVGTeKI=\\n' +\n '-----END CERTIFICATE-----'\n","import type { SdJwtPayload } from '@sd-jwt/core'\nimport type { SdJwtVcPayload } from '@sd-jwt/sd-jwt-vc'\nimport { Hasher, HasherSync } from '@sd-jwt/types'\nimport type { SdJwtTypeMetadata, SdJwtVcdm2Payload } from '@sphereon/ssi-types'\n// @ts-ignore\nimport * as u8a from 'uint8arrays'\n// @ts-ignore\nimport { toString } from 'uint8arrays/to-string'\n\n// Helper function to fetch API with error handling\nexport async function fetchUrlWithErrorHandling(url: string): Promise<Response> {\n const response = await fetch(url)\n if (!response.ok) {\n throw new Error(`${response.status}: ${response.statusText}`)\n }\n return response\n}\n\nexport type IntegrityAlg = 'sha256' | 'sha384' | 'sha512'\n\nfunction extractHashAlgFromIntegrity(integrityValue?: string): IntegrityAlg | undefined {\n const val = integrityValue?.toLowerCase().trim().split('-')[0]\n if (val === 'sha256' || val === 'sha384' || val === 'sha512') {\n return val as IntegrityAlg\n }\n return undefined\n}\n\nexport function extractHashFromIntegrity(integrityValue?: string): string | undefined {\n return integrityValue?.toLowerCase().trim().split('-')[1]\n}\n\nexport async function validateIntegrity({\n input,\n integrityValue,\n hasher,\n}: {\n input: any\n integrityValue?: string\n hasher: HasherSync | Hasher\n}): Promise<boolean> {\n if (!integrityValue) {\n return true\n }\n const alg = extractHashAlgFromIntegrity(integrityValue)\n if (!alg) {\n return false\n }\n const calculatedHash = await createIntegrity({ hasher, input, alg })\n return calculatedHash == integrityValue\n}\n\nexport async function createIntegrity({\n input,\n hasher,\n alg = 'sha256',\n}: {\n input: any\n hasher: HasherSync | Hasher\n alg?: IntegrityAlg\n}): Promise<string> {\n const calculatedHash = await hasher(typeof input === 'string' ? input : JSON.stringify(input), alg)\n return `${alg}-${toString(calculatedHash, 'base64')}`\n}\n\nexport function assertValidTypeMetadata(metadata: SdJwtTypeMetadata, vct: string): void {\n if (metadata.vct !== vct) {\n throw new Error('VCT mismatch in metadata and credential')\n }\n}\n\nexport function isVcdm2SdJwtPayload(payload: SdJwtPayload): payload is SdJwtVcdm2Payload {\n return (\n 'type' in payload &&\n Array.isArray(payload.type) &&\n payload.type.includes('VerifiableCredential') &&\n '@context' in payload &&\n ((typeof payload['@context'] === 'string' && payload['@context'].length > 0) ||\n (Array.isArray(payload['@context']) && payload['@context'].length > 0 && payload['@context'].includes('https://www.w3.org/ns/credentials/v2')))\n )\n}\n\nexport function isSdjwtVcPayload(payload: SdJwtPayload): payload is SdJwtVcPayload {\n return !isVcdm2SdJwtPayload(payload) && 'vct' in payload && typeof payload.vct === 'string'\n}\n\nexport function getIssuerFromSdJwt(payload: SdJwtPayload): string {\n let issuer: string | undefined\n if (isSdjwtVcPayload(payload) || 'iss' in payload) {\n issuer = payload.iss as string\n } else if (isVcdm2SdJwtPayload(payload) || ('issuer' in payload && payload.issuer)) {\n issuer = typeof payload.issuer === 'string' ? payload.issuer : (payload.issuer as any)?.id\n }\n\n if (!issuer) {\n throw new Error('No issuer (iss or VCDM 2 issuer) found in SD-JWT or no VCDM2 SD-JWT or SD-JWT VC')\n }\n return issuer\n}\n\nexport function calculateSdHash(compactSdJwtVc: string, alg: string, hasher: Hasher): string {\n const digest = hasher(compactSdJwtVc, alg)\n return u8a.toString(digest, 'base64url')\n}\n","import { SDJwtInstance, type VerifierOptions } from '@sd-jwt/core'\nimport type { DisclosureFrame, Hasher, SDJWTCompact } from '@sd-jwt/types'\nimport { SDJWTException } from '@sd-jwt/utils'\nimport { type SdJwtType, type SDJWTVCDM2Config, type SdJwtVcdm2Payload } from '@sphereon/ssi-types'\nimport { type SDJWTVCConfig, SDJwtVcInstance, type VerificationResult } from '@sd-jwt/sd-jwt-vc'\nimport { isVcdm2SdJwt } from './types'\n\ninterface SdJwtVcdm2VerificationResult extends Omit<VerificationResult, 'payload'> {\n payload: SdJwtVcdm2Payload\n}\n\nexport class SDJwtVcdmInstanceFactory {\n static create(type: SdJwtType, config: SDJWTVCConfig | SDJWTVCDM2Config): SDJwtVcdm2Instance | SDJwtVcInstance {\n if (isVcdm2SdJwt(type)) {\n return new SDJwtVcdm2Instance(config as SDJWTVCDM2Config)\n }\n return new SDJwtVcInstance(config as SDJWTVCConfig)\n }\n}\n\n// @ts-ignore\nexport class SDJwtVcdm2Instance extends SDJwtInstance<SdJwtVcdm2Payload> {\n /**\n * The type of the SD-JWT VCDM2 set in the header.typ field.\n */\n protected static type = 'vc+sd-jwt'\n\n protected userConfig: SDJWTVCDM2Config = {}\n\n constructor(userConfig?: SDJWTVCDM2Config) {\n super(userConfig)\n if (userConfig) {\n this.userConfig = userConfig\n }\n }\n\n /**\n * Validates if the disclosureFrame contains any reserved fields. If so it will throw an error.\n * @param disclosureFrame\n */\n protected validateReservedFields(disclosureFrame: DisclosureFrame<SdJwtVcdm2Payload>): void {\n //validate disclosureFrame according to https://www.ietf.org/archive/id/draft-ietf-oauth-sd-jwt-vc-08.html#section-3.2.2.2\n // @ts-ignore\n if (disclosureFrame?._sd && Array.isArray(disclosureFrame._sd) && disclosureFrame._sd.length > 0) {\n const reservedNames = ['iss', 'nbf', 'exp', 'cnf', '@context', 'type', 'credentialStatus', 'credentialSchema', 'relatedResource']\n // check if there is any reserved names in the disclosureFrame._sd array\n const reservedNamesInDisclosureFrame = (disclosureFrame._sd as string[]).filter((key) => reservedNames.includes(key))\n if (reservedNamesInDisclosureFrame.length > 0) {\n throw new SDJWTException(`Cannot disclose protected field(s): ${reservedNamesInDisclosureFrame.join(', ')}`)\n }\n }\n }\n\n /**\n * Verifies the SD-JWT-VC. It will validate the signature, the keybindings when required, the status, and the VCT.\n * @param encodedSDJwt\n * @param options\n */\n async verify(encodedSDJwt: string, options?: VerifierOptions) {\n // Call the parent class's verify method\n const result: SdJwtVcdm2VerificationResult = await super.verify(encodedSDJwt, options).then((res) => {\n return {\n payload: res.payload as SdJwtVcdm2Payload,\n header: res.header,\n kb: res.kb,\n }\n })\n\n // await this.verifyStatus(result, options)\n\n return result\n }\n\n /**\n * Validates the integrity of the response if the integrity is passed. If the integrity does not match, an error is thrown.\n * @param integrity\n * @param response\n */\n private async validateIntegrity(response: Response, url: string, integrity?: string) {\n if (integrity) {\n // validate the integrity of the response according to https://www.w3.org/TR/SRI/\n const arrayBuffer = await response.arrayBuffer()\n const alg = integrity.split('-')[0]\n //TODO: error handling when a hasher is passed that is not supporting the required algorithm acording to the spec\n const hashBuffer = await (this.userConfig.hasher as Hasher)(arrayBuffer, alg)\n const integrityHash = integrity.split('-')[1]\n const hash = Array.from(new Uint8Array(hashBuffer))\n .map((byte) => byte.toString(16).padStart(2, '0'))\n .join('')\n if (hash !== integrityHash) {\n throw new Error(`Integrity check for ${url} failed: is ${hash}, but expected ${integrityHash}`)\n }\n }\n }\n\n /**\n * Fetches the content from the url with a timeout of 10 seconds.\n * @param url\n * @param integrity\n * @returns\n */\n protected async fetch<T>(url: string, integrity?: string): Promise<T> {\n try {\n const response = await fetch(url, {\n signal: AbortSignal.timeout(this.userConfig.timeout ?? 10000),\n })\n if (!response.ok) {\n const errorText = await response.text()\n return Promise.reject(new Error(`Error fetching ${url}: ${response.status} ${response.statusText} - ${errorText}`))\n }\n await this.validateIntegrity(response.clone(), url, integrity)\n return response.json() as Promise<T>\n } catch (error) {\n if ((error as Error).name === 'TimeoutError') {\n throw new Error(`Request to ${url} timed out`)\n }\n throw error\n }\n }\n\n public async issue<Payload extends SdJwtVcdm2Payload>(\n payload: Payload,\n disclosureFrame?: DisclosureFrame<Payload>,\n options?: {\n header?: object // This is for customizing the header of the jwt\n },\n ): Promise<SDJWTCompact> {\n if (payload.iss && !payload.issuer) {\n payload.issuer = { id: payload.iss }\n delete payload.iss\n }\n if (payload.nbf && !payload.validFrom) {\n payload.validFrom = toVcdm2Date(payload.nbf)\n delete payload.nbf\n }\n if (payload.exp && !payload.validUntil) {\n payload.validUntil = toVcdm2Date(payload.exp)\n delete payload.exp\n }\n if (payload.sub && !Array.isArray(payload.credentialSubject) && !payload.credentialSubject.id) {\n payload.credentialSubject.id = payload.sub\n delete payload.sub\n }\n return super.issue(payload, disclosureFrame, options)\n }\n}\n\nfunction toVcdm2Date(value: number | string): string {\n const num = typeof value === 'string' ? Number(value) : value\n if (!Number.isFinite(num)) {\n throw new SDJWTException(`Invalid numeric date: ${value}`)\n }\n // Convert JWT NumericDate (seconds since epoch) to W3C VCDM 2 date-time string (RFC 3339 / ISO 8601)\n return new Date(num * 1000).toISOString()\n}\n","import { SdJwtPayload } from '@sd-jwt/core'\nimport { SdJwtVcPayload as OrigSdJwtVcPayload } from '@sd-jwt/sd-jwt-vc'\nimport { Hasher, kbHeader, KBOptions, kbPayload, SaltGenerator, Signer } from '@sd-jwt/types'\nimport { IIdentifierResolution, ManagedIdentifierResult } from '@sphereon/ssi-sdk-ext.identifier-resolution'\nimport { IJwtService } from '@sphereon/ssi-sdk-ext.jwt-service'\nimport { X509CertificateChainValidationOpts } from '@sphereon/ssi-sdk-ext.x509-utils'\nimport { contextHasPlugin } from '@sphereon/ssi-sdk.agent-config'\nimport { ImDLMdoc } from '@sphereon/ssi-sdk.mdl-mdoc'\nimport {\n HasherSync,\n JoseSignatureAlgorithm,\n JsonWebKey,\n SdJwtType,\n SdJwtTypeMetadata,\n SdJwtVcdm2Payload,\n SdJwtVcKbJwtHeader,\n SdJwtVcKbJwtPayload,\n SdJwtVcType,\n SdJwtVpType,\n} from '@sphereon/ssi-types'\nimport { DIDDocumentSection, IAgentContext, IDIDManager, IKeyManager, IPluginMethodMap, IResolver } from '@veramo/core'\n\nexport const sdJwtPluginContextMethods: Array<string> = ['createSdJwtVc', 'createSdJwtPresentation', 'verifySdJwtVc', 'verifySdJwtPresentation']\n\n/**\n * My Agent Plugin description.\n *\n * This is the interface that describes what your plugin can do.\n * The methods listed here, will be directly available to the veramo agent where your plugin is going to be used.\n * Depending on the agent configuration, other agent plugins, as well as the application where the agent is used\n * will be able to call these methods.\n *\n * To build a schema for your plugin using standard tools, you must link to this file in your package.json.\n * Example:\n * ```\n * \"veramo\": {\n * \"pluginInterfaces\": {\n * \"IMyAgentPlugin\": \"./src/types/IMyAgentPlugin.ts\"\n * }\n * },\n * ```\n *\n * @beta\n */\nexport interface ISDJwtPlugin extends IPluginMethodMap {\n /**\n * Your plugin method description\n *\n * @param args - Input parameters for this method\n * @param context - The required context where this method can run.\n * Declaring a context type here lets other developers know which other plugins\n * need to also be installed for this method to work.\n */\n /**\n * Create a signed SD-JWT credential.\n * @param args - Arguments necessary for the creation of a SD-JWT credential.\n * @param context - This reserved param is automatically added and handled by the framework, *do not override*\n */\n createSdJwtVc(args: ICreateSdJwtVcArgs, context: IRequiredContext): Promise<ICreateSdJwtVcResult>\n\n /**\n * Create a signed SD-JWT presentation.\n * @param args - Arguments necessary for the creation of a SD-JWT presentation.\n * @param context - This reserved param is automatically added and handled by the framework, *do not override*\n */\n createSdJwtPresentation(args: ICreateSdJwtPresentationArgs, context: IRequiredContext): Promise<ICreateSdJwtPresentationResult>\n\n /**\n * Verify a signed SD-JWT credential.\n * @param args - Arguments necessary for the verification of a SD-JWT credential.\n * @param context - This reserved param is automatically added and handled by the framework, *do not override*\n */\n verifySdJwtVc(args: IVerifySdJwtVcArgs, context: IRequiredContext): Promise<IVerifySdJwtVcResult>\n\n /**\n * Verify a signed SD-JWT presentation.\n * @param args - Arguments necessary for the verification of a SD-JWT presentation.\n * @param context - This reserved param is automatically added and handled by the framework, *do not override*\n */\n verifySdJwtPresentation(args: IVerifySdJwtPresentationArgs, context: IRequiredContext): Promise<IVerifySdJwtPresentationResult>\n\n /**\n * Fetch and validate Type Metadata.\n * @param args - Arguments necessary for fetching and validating the type metadata.\n * @param context - This reserved param is automatically added and handled by the framework, *do not override*\n */\n fetchSdJwtTypeMetadataFromVctUrl(args: FetchSdJwtTypeMetadataFromVctUrlArgs, context: IRequiredContext): Promise<SdJwtTypeMetadata>\n}\n\nexport function contextHasSDJwtPlugin(context: IAgentContext<IPluginMethodMap>): context is IAgentContext<ISDJwtPlugin> {\n return contextHasPlugin(context, 'verifySdJwtVc')\n}\n\n/**\n * ICreateSdJwtVcArgs\n *\n * @beta\n */\n\nexport interface SdJwtVcPayload extends OrigSdJwtVcPayload {\n x5c?: string[]\n}\n\nexport type Vcdm2Enveloped = 'EnvelopedVerifiableCredential' | 'EnvelopedVerifiablePresentation'\n\nexport function isVcdm2SdJwt(type: SdJwtType | string): Boolean {\n return type === 'vc+sd-jwt' || type === 'vp+sd-jwt'\n}\n\nexport interface ICreateSdJwtVcArgs {\n type?: SdJwtVcType\n credentialPayload: SdJwtPayload\n\n // biome-ignore lint/suspicious/noExplicitAny: <explanation>\n disclosureFrame?: IDisclosureFrame\n\n resolution?: ManagedIdentifierResult\n}\n\n/**\n * @beta\n */\nexport interface IDisclosureFrame {\n _sd?: string[]\n _sd_decoy?: number\n\n [x: string]: string[] | number | IDisclosureFrame | undefined\n}\n\n/**\n * ICreateSdJwtVcResult\n *\n * @beta\n */\nexport interface ICreateSdJwtVcResult {\n type: SdJwtVcType\n\n /**\n * the encoded sd-jwt credential\n */\n credential: string\n}\n\n/**\n *\n * @beta\n */\nexport interface ICreateSdJwtPresentationArgs {\n /**\n * Encoded SD-JWT credential\n */\n presentation: string\n\n /*\n * The keys to use for selective disclosure for presentation\n * if not provided, all keys will be disclosed\n * if empty object, no keys will be disclosed\n */\n presentationFrame?: IPresentationFrame\n\n /**\n * Allows to override the holder. Normally it will be looked up from the cnf or sub values\n */\n holder?: string\n\n /**\n * Information to include to add key binding.\n */\n kb?: KBOptions\n\n type?: SdJwtVpType\n\n vcdm2Enveloped?: Vcdm2Enveloped\n}\n\n/**\n * @beta\n */\nexport interface IPresentationFrame {\n [x: string]: boolean | IPresentationFrame\n}\n\n/**\n * Created presentation\n * @beta\n */\nexport interface ICreateSdJwtPresentationResult {\n /**\n * Encoded presentation.\n */\n presentation: string\n\n type: SdJwtVpType\n}\n\n/**\n * @beta\n */\nexport interface IVerifySdJwtVcArgs {\n credential: string\n opts?: {\n x5cValidation?: X509CertificateChainValidationOpts\n }\n}\n\n/**\n * @beta\n */\nexport type IVerifySdJwtVcResult = {\n type: SdJwtVcType\n payload: SdJwtVcPayload | SdJwtVcdm2Payload\n header: Record<string, unknown>\n kb?: { header: kbHeader; payload: kbPayload }\n}\n\n/**\n * @beta\n */\nexport interface IVerifySdJwtPresentationArgs {\n presentation: string\n\n requiredClaimKeys?: string[]\n\n /**\n * nonce used to verify the key binding jwt to prevent replay attacks.\n */\n keyBindingNonce?: string\n\n /**\n * Audience used to verify the key binding jwt\n */\n keyBindingAud?: string\n}\n\n/**\n * @beta\n */\nexport type IVerifySdJwtPresentationResult = {\n payload: unknown //fixme: maybe this can be `SdJwtPayload`\n header: Record<string, unknown> | undefined\n kb?: { header: kbHeader; payload: kbPayload }\n}\n\nexport type SignKeyArgs = {\n identifier: string\n vmRelationship: DIDDocumentSection\n resolution?: ManagedIdentifierResult\n}\n\nexport type SignKeyResult = {\n alg: JoseSignatureAlgorithm\n key: {\n kid?: string\n kmsKeyRef: string\n x5c?: string[]\n jwkThumbprint?: string\n }\n}\n/**\n * This context describes the requirements of this plugin.\n * For this plugin to function properly, the agent needs to also have other plugins installed that implement the\n * interfaces declared here.\n * You can also define requirements on a more granular level, for each plugin method or event handler of your plugin.\n *\n * @beta\n */\nexport type IRequiredContext = IAgentContext<IDIDManager & IIdentifierResolution & IJwtService & IResolver & IKeyManager & ImDLMdoc>\n\nexport type SdJwtVerifySignature = (data: string, signature: string, publicKey: JsonWebKey) => Promise<boolean>\nexport interface SdJWTImplementation {\n saltGenerator?: SaltGenerator\n hasher?: HasherSync\n verifySignature?: SdJwtVerifySignature\n}\n\nexport interface Claims {\n /**\n * Subject of the SD-JWT\n */\n sub?: string\n cnf?: {\n jwk?: JsonWebKey\n kid?: string\n }\n\n [key: string]: unknown\n}\n\nexport type FetchSdJwtTypeMetadataFromVctUrlArgs = {\n vct: string\n vctIntegrity?: string\n opts?: FetchSdJwtTypeMetadataFromVctUrlOpts\n}\n\nexport type FetchSdJwtTypeMetadataFromVctUrlOpts = {\n hasher?: HasherSync | Hasher\n}\n\nexport type GetSignerForIdentifierArgs = {\n identifier: string\n resolution?: ManagedIdentifierResult\n}\n\nexport type GetSignerResult = {\n signer: Signer\n alg?: string\n signingKey?: SignKeyResult\n}\n\nexport type PartialSdJwtKbJwt = {\n header: Partial<SdJwtVcKbJwtHeader>\n payload: Partial<SdJwtVcKbJwtPayload>\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;;;;;;;;;;;;;;;;;;;;ACAA,IAAAA,eAAoE;AACpE,IAAAC,oBAAqD;AAErD,IAAAC,sBAAkE;AAKlE,mBAAkB;;;ACRlB,yBAAmC;AACnC,uBAAqD;AACrD,kBAAmB;AAEnB,yBAA2B;AAGpB,IAAMC,wBAAoC,wBAACC,MAAgDC,QAAAA;AAChG,aAAOC,uCAAmBD,IAAIE,SAAS,KAAA,IAAS,YAAY,SAAA,EAAWC,KACrE,OAAOJ,SAAS,eAAWK,+BAAWL,MAAM,OAAA,IAAW,IAAIM,WAAWN,IAAAA,CAAAA;AAE1E,GAJiD;AAM1C,IAAMO,sBAAsB,6BAAA;AACjC,aAAOC,gBAAAA;AACT,GAFmC;AAI5B,IAAMC,yBACX,wBAACC,YACD,OAAOV,MAAcW,WAAmBC,cAAAA;AAEtC,QAAMC,SAAS,MAAMH,QAAQI,MAAMC,sBAAsB;IAAEC,KAAK,GAAGhB,IAAAA,IAAQW,SAAAA;IAAaM,KAAKL;EAAiB,CAAA;AAC9GM,2BAAQC,QAAQC,IAAI,QAAA,EAAUC,KAAK,sCAAsCR,OAAOS,OAAO,EAAE;AACzF,SAAO,CAACT,OAAOU;AACjB,GANA;;;AClBK,IAAMC,cACX;AAIK,IAAMC,aACX;;;ACDF,UAAqB;AAErB,uBAAyB;AAGzB,eAAsBC,0BAA0BC,KAAW;AACzD,QAAMC,WAAW,MAAMC,MAAMF,GAAAA;AAC7B,MAAI,CAACC,SAASE,IAAI;AAChB,UAAM,IAAIC,MAAM,GAAGH,SAASI,MAAM,KAAKJ,SAASK,UAAU,EAAE;EAC9D;AACA,SAAOL;AACT;AANsBF;AAUtB,SAASQ,4BAA4BC,gBAAuB;AAC1D,QAAMC,MAAMD,gBAAgBE,YAAAA,EAAcC,KAAAA,EAAOC,MAAM,GAAA,EAAK,CAAA;AAC5D,MAAIH,QAAQ,YAAYA,QAAQ,YAAYA,QAAQ,UAAU;AAC5D,WAAOA;EACT;AACA,SAAOI;AACT;AANSN;AAQF,SAASO,yBAAyBN,gBAAuB;AAC9D,SAAOA,gBAAgBE,YAAAA,EAAcC,KAAAA,EAAOC,MAAM,GAAA,EAAK,CAAA;AACzD;AAFgBE;AAIhB,eAAsBC,kBAAkB,EACtCC,OACAR,gBACAS,OAAM,GAKP;AACC,MAAI,CAACT,gBAAgB;AACnB,WAAO;EACT;AACA,QAAMU,MAAMX,4BAA4BC,cAAAA;AACxC,MAAI,CAACU,KAAK;AACR,WAAO;EACT;AACA,QAAMC,iBAAiB,MAAMC,gBAAgB;IAAEH;IAAQD;IAAOE;EAAI,CAAA;AAClE,SAAOC,kBAAkBX;AAC3B;AAlBsBO;AAoBtB,eAAsBK,gBAAgB,EACpCJ,OACAC,QACAC,MAAM,SAAQ,GAKf;AACC,QAAMC,iBAAiB,MAAMF,OAAO,OAAOD,UAAU,WAAWA,QAAQK,KAAKC,UAAUN,KAAAA,GAAQE,GAAAA;AAC/F,SAAO,GAAGA,GAAAA,QAAOK,2BAASJ,gBAAgB,QAAA,CAAA;AAC5C;AAXsBC;AAaf,SAASI,wBAAwBC,UAA6BC,KAAW;AAC9E,MAAID,SAASC,QAAQA,KAAK;AACxB,UAAM,IAAItB,MAAM,yCAAA;EAClB;AACF;AAJgBoB;AAMT,SAASG,oBAAoBC,SAAqB;AACvD,SACE,UAAUA,WACVC,MAAMC,QAAQF,QAAQG,IAAI,KAC1BH,QAAQG,KAAKC,SAAS,sBAAA,KACtB,cAAcJ,YACZ,OAAOA,QAAQ,UAAA,MAAgB,YAAYA,QAAQ,UAAA,EAAYK,SAAS,KACvEJ,MAAMC,QAAQF,QAAQ,UAAA,CAAW,KAAKA,QAAQ,UAAA,EAAYK,SAAS,KAAKL,QAAQ,UAAA,EAAYI,SAAS,sCAAA;AAE5G;AATgBL;AAWT,SAASO,iBAAiBN,SAAqB;AACpD,SAAO,CAACD,oBAAoBC,OAAAA,KAAY,SAASA,WAAW,OAAOA,QAAQF,QAAQ;AACrF;AAFgBQ;AAIT,SAASC,mBAAmBP,SAAqB;AACtD,MAAIQ;AACJ,MAAIF,iBAAiBN,OAAAA,KAAY,SAASA,SAAS;AACjDQ,aAASR,QAAQS;EACnB,WAAWV,oBAAoBC,OAAAA,KAAa,YAAYA,WAAWA,QAAQQ,QAAS;AAClFA,aAAS,OAAOR,QAAQQ,WAAW,WAAWR,QAAQQ,SAAUR,QAAQQ,QAAgBE;EAC1F;AAEA,MAAI,CAACF,QAAQ;AACX,UAAM,IAAIhC,MAAM,kFAAA;EAClB;AACA,SAAOgC;AACT;AAZgBD;AAcT,SAASI,gBAAgBC,gBAAwBtB,KAAaD,QAAc;AACjF,QAAMwB,SAASxB,OAAOuB,gBAAgBtB,GAAAA;AACtC,SAAWK,aAASkB,QAAQ,WAAA;AAC9B;AAHgBF;;;ACpGhB,kBAAoD;AAEpD,mBAA+B;AAE/B,uBAA6E;;;ACE7E,qBAAiC;AAgB1B,IAAMG,4BAA2C;EAAC;EAAiB;EAA2B;EAAiB;;AAmE/G,SAASC,sBAAsBC,SAAwC;AAC5E,aAAOC,iCAAiBD,SAAS,eAAA;AACnC;AAFgBD;AAgBT,SAASG,aAAaC,MAAwB;AACnD,SAAOA,SAAS,eAAeA,SAAS;AAC1C;AAFgBD;;;AD9FT,IAAME,2BAAN,MAAMA;EAXb,OAWaA;;;EACX,OAAOC,OAAOC,MAAiBC,QAAgF;AAC7G,QAAIC,aAAaF,IAAAA,GAAO;AACtB,aAAO,IAAIG,mBAAmBF,MAAAA;IAChC;AACA,WAAO,IAAIG,iCAAgBH,MAAAA;EAC7B;AACF;AAGO,IAAME,qBAAN,cAAiCE,0BAAAA;EArBxC,OAqBwCA;;;;;;EAItC,OAAiBL,OAAO;EAEdM,aAA+B,CAAC;EAE1C,YAAYA,YAA+B;AACzC,UAAMA,UAAAA;AACN,QAAIA,YAAY;AACd,WAAKA,aAAaA;IACpB;EACF;;;;;EAMUC,uBAAuBC,iBAA2D;AAG1F,QAAIA,iBAAiBC,OAAOC,MAAMC,QAAQH,gBAAgBC,GAAG,KAAKD,gBAAgBC,IAAIG,SAAS,GAAG;AAChG,YAAMC,gBAAgB;QAAC;QAAO;QAAO;QAAO;QAAO;QAAY;QAAQ;QAAoB;QAAoB;;AAE/G,YAAMC,iCAAkCN,gBAAgBC,IAAiBM,OAAO,CAACC,QAAQH,cAAcI,SAASD,GAAAA,CAAAA;AAChH,UAAIF,+BAA+BF,SAAS,GAAG;AAC7C,cAAM,IAAIM,4BAAe,uCAAuCJ,+BAA+BK,KAAK,IAAA,CAAA,EAAO;MAC7G;IACF;EACF;;;;;;EAOA,MAAMC,OAAOC,cAAsBC,SAA2B;AAE5D,UAAMC,SAAuC,MAAM,MAAMH,OAAOC,cAAcC,OAAAA,EAASE,KAAK,CAACC,QAAAA;AAC3F,aAAO;QACLC,SAASD,IAAIC;QACbC,QAAQF,IAAIE;QACZC,IAAIH,IAAIG;MACV;IACF,CAAA;AAIA,WAAOL;EACT;;;;;;EAOA,MAAcM,kBAAkBC,UAAoBC,KAAaC,WAAoB;AACnF,QAAIA,WAAW;AAEb,YAAMC,cAAc,MAAMH,SAASG,YAAW;AAC9C,YAAMC,MAAMF,UAAUG,MAAM,GAAA,EAAK,CAAA;AAEjC,YAAMC,aAAa,MAAO,KAAK9B,WAAW+B,OAAkBJ,aAAaC,GAAAA;AACzE,YAAMI,gBAAgBN,UAAUG,MAAM,GAAA,EAAK,CAAA;AAC3C,YAAMI,OAAO7B,MAAM8B,KAAK,IAAIC,WAAWL,UAAAA,CAAAA,EACpCM,IAAI,CAACC,SAASA,KAAKC,SAAS,EAAA,EAAIC,SAAS,GAAG,GAAA,CAAA,EAC5C1B,KAAK,EAAA;AACR,UAAIoB,SAASD,eAAe;AAC1B,cAAM,IAAIQ,MAAM,uBAAuBf,GAAAA,eAAkBQ,IAAAA,kBAAsBD,aAAAA,EAAe;MAChG;IACF;EACF;;;;;;;EAQA,MAAgBS,MAAShB,KAAaC,WAAgC;AACpE,QAAI;AACF,YAAMF,WAAW,MAAMiB,MAAMhB,KAAK;QAChCiB,QAAQC,YAAYC,QAAQ,KAAK5C,WAAW4C,WAAW,GAAA;MACzD,CAAA;AACA,UAAI,CAACpB,SAASqB,IAAI;AAChB,cAAMC,YAAY,MAAMtB,SAASuB,KAAI;AACrC,eAAOC,QAAQC,OAAO,IAAIT,MAAM,kBAAkBf,GAAAA,KAAQD,SAAS0B,MAAM,IAAI1B,SAAS2B,UAAU,MAAML,SAAAA,EAAW,CAAA;MACnH;AACA,YAAM,KAAKvB,kBAAkBC,SAAS4B,MAAK,GAAI3B,KAAKC,SAAAA;AACpD,aAAOF,SAAS6B,KAAI;IACtB,SAASC,OAAO;AACd,UAAKA,MAAgBC,SAAS,gBAAgB;AAC5C,cAAM,IAAIf,MAAM,cAAcf,GAAAA,YAAe;MAC/C;AACA,YAAM6B;IACR;EACF;EAEA,MAAaE,MACXpC,SACAlB,iBACAc,SAGuB;AACvB,QAAII,QAAQqC,OAAO,CAACrC,QAAQsC,QAAQ;AAClCtC,cAAQsC,SAAS;QAAEC,IAAIvC,QAAQqC;MAAI;AACnC,aAAOrC,QAAQqC;IACjB;AACA,QAAIrC,QAAQwC,OAAO,CAACxC,QAAQyC,WAAW;AACrCzC,cAAQyC,YAAYC,YAAY1C,QAAQwC,GAAG;AAC3C,aAAOxC,QAAQwC;IACjB;AACA,QAAIxC,QAAQ2C,OAAO,CAAC3C,QAAQ4C,YAAY;AACtC5C,cAAQ4C,aAAaF,YAAY1C,QAAQ2C,GAAG;AAC5C,aAAO3C,QAAQ2C;IACjB;AACA,QAAI3C,QAAQ6C,OAAO,CAAC7D,MAAMC,QAAQe,QAAQ8C,iBAAiB,KAAK,CAAC9C,QAAQ8C,kBAAkBP,IAAI;AAC7FvC,cAAQ8C,kBAAkBP,KAAKvC,QAAQ6C;AACvC,aAAO7C,QAAQ6C;IACjB;AACA,WAAO,MAAMT,MAAMpC,SAASlB,iBAAiBc,OAAAA;EAC/C;AACF;AAEA,SAAS8C,YAAYK,OAAsB;AACzC,QAAMC,MAAM,OAAOD,UAAU,WAAWE,OAAOF,KAAAA,IAASA;AACxD,MAAI,CAACE,OAAOC,SAASF,GAAAA,GAAM;AACzB,UAAM,IAAIxD,4BAAe,yBAAyBuD,KAAAA,EAAO;EAC3D;AAEA,SAAO,IAAII,KAAKH,MAAM,GAAA,EAAMI,YAAW;AACzC;AAPSV;;;AJzGT,IAAAW,OAAqB;AAErB,IAAMC,YAAQC,aAAAA,SAAM,0BAAA;AAMb,IAAMC,cAAN,MAAMA;EAlDb,OAkDaA;;;;EAEMC;EACAC;EACTC;EACAC;EAER,YACEF,2BAIAD,mBACA;AACA,SAAKA,oBAAoBA,qBAAqB,CAAA;AAC9C,QAAI,CAACC,2BAA2B;AAC9BA,kCAA4B,CAAC;IAC/B;AACA,QAAI,OAAOA,2BAA2BG,WAAW,YAAY;AAC3DH,gCAA0BG,SAASC;IACrC;AACA,QAAI,OAAOJ,2BAA2BK,kBAAkB,YAAY;AAClEL,gCAA0BK,gBAAgBC;IAC5C;AACA,SAAKN,4BAA4BA;AACjC,SAAKC,WAAWD,2BAA2BO,WAAW,CAAC;AACvD,SAAKL,iBAAiBF,2BAA2BQ;EAGnD;;EAGSC,UAAwB;IAC/BC,eAAe,KAAKA,cAAcC,KAAK,IAAI;IAC3CC,yBAAyB,KAAKA,wBAAwBD,KAAK,IAAI;IAC/DE,eAAe,KAAKA,cAAcF,KAAK,IAAI;IAC3CG,yBAAyB,KAAKA,wBAAwBH,KAAK,IAAI;IAC/DI,kCAAkC,KAAKA,iCAAiCJ,KAAK,IAAI;EACnF;EAEA,MAAcK,uBAAuBC,MAAkCC,SAAqD;AAC1H,UAAM,EAAEC,YAAYC,WAAU,IAAKH;AACnC,QAAII,OAAOC,KAAK,KAAKrB,QAAQ,EAAEsB,SAASJ,UAAAA,KAAe,OAAO,KAAKlB,SAASkB,UAAAA,MAAgB,YAAY;AACtG,aAAO;QAAEK,QAAQ,KAAKvB,SAASkB,UAAAA;MAAY;IAC7C,WAAW,OAAO,KAAKjB,mBAAmB,YAAY;AACpD,aAAO;QAAEsB,QAAQ,KAAKtB;MAAe;IACvC;AACA,UAAMuB,aAAa,MAAM,KAAKC,WAAW;MAAEP;MAAYQ,gBAAgB;MAAmBP;IAAW,GAAGF,OAAAA;AACxG,UAAM,EAAEU,KAAKC,IAAG,IAAKJ;AAErB,UAAMD,SAAiB,8BAAOM,SAAAA;AAC5B,aAAOZ,QAAQa,MAAMC,eAAe;QAAEC,QAAQL,IAAIM;QAAWJ;MAAK,CAAA;IACpE,GAFuB;AAIvB,WAAO;MAAEN;MAAQK;MAAKJ;IAAW;EACnC;;;;;;;EAQA,MAAMf,cAAcO,MAA0BC,SAA0D;AACtG,UAAMiB,UAAUlB,KAAKmB;AACrB,UAAMC,UAAUC,oBAAoBH,OAAAA;AACpC,UAAMI,YAAYC,iBAAiBL,OAAAA;AACnC,UAAMM,OAAOxB,KAAKwB,SAASJ,UAAU,cAAc;AAEnD,UAAMK,SAASC,mBAAmB1B,KAAKmB,iBAAiB;AACxD,QAAI,CAACM,QAAQ;AACX,YAAM,IAAIE,MAAM,qCAAA;IAClB;AACA,UAAM,EAAEf,KAAKL,QAAQC,WAAU,IAAK,MAAM,KAAKT,uBAAuB;MAAEG,YAAYuB;MAAQtB,YAAYH,KAAKG;IAAW,GAAGF,OAAAA;AAC3H,UAAM2B,UAAUhB,OAAOJ,YAAYI,OAAO;AAC1C,UAAMiB,UAAyB,WAAWC,KAAKF,OAAAA,IAAY,OAAOA,QAAQG,MAAM,EAAC,CAAA,KAAyB;AAC1G,UAAMC,QAAQC,yBAAyBC,OAAOV,MAAM;MAClDW,SAAS;MACT5B;MACArB,QAAQ,KAAKH,0BAA0BG;MACvCE,eAAe,KAAKL,0BAA0BK;MAC9CwC;MACAC;IACF,CAAA;AAEA,UAAMO,SAAS;MACb,GAAI5B,YAAYG,IAAI0B,QAAQC,UAAa;QAAED,KAAK7B,WAAWG,IAAI0B;MAAI;MACnE,GAAI7B,YAAYG,IAAI4B,QAAQD,UAAa;QAAEC,KAAK/B,WAAWG,IAAI4B;MAAI;MACnE,GAAIf,QAAQ;QAAEgB,KAAKhB;MAAK;IAC1B;AACA,QAAIiB;AACJ,QAAIrB,SAAS;AACXqB,mBAAa,MAAOT,MAA6BU;QAC/CxB;;QAEAlB,KAAK2C;QACL;UAAEP;QAAO;MAAA;IAEb,WAAWd,WAAW;AACpBmB,mBAAa,MAAOT,MAA0BU,MAAMxB,SAASlB,KAAK2C,iBAAoD;QAAEP;MAAO,CAAA;IACjI,OAAO;AACL,aAAOQ,QAAQC,OAAO,IAAIlB,MAAM,iCAAiCH,IAAAA,yBAA6B,CAAA;IAChG;AAEA,WAAO;MAAEA;MAAMiB;IAAW;EAC5B;;;;;;;EAQA,MAAMhC,WAAWT,MAAmBC,SAAmD;AAErF,UAAM,EAAEC,YAAYC,WAAU,IAAK;MAAE,GAAGH;IAAK;AAC7C,QAAIG,YAAY;AACd,YAAMQ,MAAMR,WAAWQ;AACvB,YAAMC,MAAM,UAAMkC,+CAA0B;QAAEnC;MAAI,CAAA;AAClD,cAAQR,WAAW4C,QAAM;QACvB,KAAK;AACHpE,gBAAM,eAAegC,IAAIqC,YAAY,yBAAyB9C,UAAAA,EAAY;AAC1E,iBAAO;YAAEU;YAAKD,KAAK;cAAE,GAAGA;cAAKM,WAAWd,WAAWc;cAAWoB,KAAKlC,WAAWkC;YAAI;UAAE;QACtF;AACE,cAAI1B,IAAIsC,MAAMC,QAAQvC,IAAIsC,KAAKC,KAAKX,KAAK;AACvC,mBAAO;cAAE3B;cAAKD,KAAK;gBAAE0B,KAAKlC,WAAWkC;gBAAKpB,WAAWd,WAAWc;gBAAWsB,KAAK5B,IAAIsC,KAAKC,KAAKX;cAAgB;YAAE;UAClH,WAAW5B,IAAIsC,MAAME,eAAe;AAClC,mBAAO;cAAEvC;cAAKD,KAAK;gBAAE0B,KAAKlC,WAAWkC;gBAAKpB,WAAWd,WAAWc;gBAAWkC,eAAexC,IAAIsC,KAAKE;cAAc;YAAE;UACrH,OAAO;AACL,mBAAO;cAAEvC;cAAKD,KAAK;gBAAE0B,KAAKlC,WAAWkC;gBAAKpB,WAAWd,WAAWc;cAAU;YAAE;UAC9E;MACJ;IACF,WAAWf,WAAWkD,WAAW,MAAA,GAAS;AACxC,YAAMC,gBAAgB,MAAMpD,QAAQa,MAAMwC,0BAA0B;QAAEpD;MAAW,CAAA;AACjF,UAAI,CAACmD,eAAe;AAClB,cAAM,IAAI1B,MAAM,2CAA2CzB,UAAAA,EAAY;MACzE;AACA,YAAMS,MAAM0C,cAAc1C;AAC1B,YAAMC,MAAM,UAAMkC,+CAA0B;QAAEnC;MAAI,CAAA;AAClDhC,YAAM,eAAegC,IAAIqC,YAAY,yBAAyB9C,UAAAA,EAAY;AAE1E,aAAO;QAAEU;QAAKD,KAAK;UAAE,GAAGA;UAAKM,WAAWoC,cAAcpC;UAAWoB,KAAKgB,cAAchB;QAAI;MAAE;IAC5F,OAAO;AACL,YAAMkB,gBAAgB,MAAMtD,QAAQa,MAAM0C,0BAA0B;QAAEtD;MAAW,CAAA;AACjF,UAAI,CAACqD,eAAe;AAClB,cAAM,IAAI5B,MAAM,2CAA2CzB,UAAAA,EAAY;MACzE;AACA,YAAMS,MAAM4C,cAAc5C;AAC1B,YAAMC,MAAM,UAAMkC,+CAA0B;QAAEnC;MAAI,CAAA;AAClD,UAAIA,IAAIsC,MAAMC,QAAQvC,IAAIsC,KAAKC,KAAKX,KAAK;AACvC,eAAO;UAAE3B;UAAKD,KAAK;YAAE0B,KAAKkB,cAAclB;YAAKpB,WAAWsC,cAActC;YAAWsB,KAAK5B,IAAIsC,KAAKC,KAAKX;UAAgB;QAAE;MACxH,WAAW5B,IAAIsC,MAAME,eAAe;AAClC,eAAO;UAAEvC;UAAKD,KAAK;YAAE0B,KAAKkB,cAAclB;YAAKpB,WAAWsC,cAActC;YAAWkC,eAAexC,IAAIsC,KAAKE;UAAc;QAAE;MAC3H,OAAO;AACL,eAAO;UAAEvC;UAAKD,KAAK;YAAE0B,KAAKkB,cAAclB;YAAKpB,WAAWsC,cAActC;UAAU;QAAE;MACpF;IACF;EACF;;;;;;;EAQA,MAAMtB,wBAAwBK,MAAoCC,SAAoE;AACpI,UAAMuB,OAAOxB,KAAKwB,QAAQ;AAE1B,UAAMiC,OAAO,MAAMC,mBAAMC,WAAW3D,KAAK4D,cAAc,KAAK7E,0BAA0BG,MAAM;AAE5F,UAAM2E,SAAS,MAAMJ,KAAKK,UAAkB,KAAK/E,0BAA0BG,MAAM;AACjF,QAAI6E;AAEJ,QAAI/D,KAAK+D,QAAQ;AACfA,eAAS/D,KAAK+D;IAChB,WAAWF,OAAOG,KAAKC,KAAK;AAC1B,YAAMA,MAAMJ,OAAOG,IAAIC;AACvBF,mBAASG,4CAAuB;QAAED;MAAgB,CAAA;IACpD,WAAWJ,OAAOG,KAAK3B,KAAK;AAC1B0B,eAASF,OAAOG,KAAK3B;IACvB,WAAWwB,OAAOM,KAAK;AACrBJ,eAASF,OAAOM;IAClB,OAAO;AACL,YAAM,IAAIxC,MAAM,kEAAA;IAClB;AACA,UAAM,EAAEf,KAAKL,OAAM,IAAK,MAAM,KAAKR,uBAAuB;MAAEG,YAAY6D;IAAO,GAAG9D,OAAAA;AAElF,UAAM+B,QAAQC,yBAAyBC,OAAOV,MAAM;MAClDW,SAAS;MACTjD,QAAQ,KAAKH,0BAA0BG;MACvCE,eAAe,KAAKL,0BAA0BK;MAC9CgF,UAAU7D;MACV8D,WAAWzD,OAAO;IACpB,CAAA;AAEA,UAAMgD,eAAe,MAAM5B,MAAMsC,QAAQtE,KAAK4D,cAAc5D,KAAKuE,mBAAwD;MAAEC,IAAIxE,KAAKwE;IAAG,CAAA;AAEvI,WAAO;MAAEhD;MAAMoC;IAAa;EAC9B;;;;;;;EAQA,MAAMhE,cAAcI,MAA0BC,SAA0D;AAEtG,UAAMwE,WAAqB,8BAAO5D,MAAc6D,cAAsB,KAAKC,mBAAmB3C,OAAO/B,SAASY,MAAM6D,SAAAA,GAAzF;AAE3B,UAAMjB,OAAO,MAAMC,mBAAMC,WAAW3D,KAAKyC,YAAY,KAAK1D,0BAA0BG,MAAM;AAC1F,UAAMsC,OAAOH,oBAAoBoC,KAAKmB,KAAK1D,OAAAA,IAA2B,cAAc;AAEpF,UAAMc,QAAQC,yBAAyBC,OAAOV,MAAM;MAAEiD;MAAUvF,QAAQ,KAAKH,0BAA0BG,UAAUC;IAAsB,CAAA;AAGvI,UAAM,EAAEiD,SAAS,CAAC,GAAGlB,SAASsD,GAAE,IAAK,MAAMxC,MAAM6C,OAAO7E,KAAKyC,YAAY;MAAEqC,aAAa,KAAK,KAAK,KAAK;IAAE,CAAA;AAEzG,WAAO;MAAEtD;MAAMY;MAAQlB;MAASsD;IAAG;EACrC;;;;;;;;;;EAWQO,SAAS9E,SAA2BY,MAAc6D,WAAmBxD,SAAuC;AAClH,QAAI,CAACA,QAAQ8C,KAAK;AAChB,YAAMrC,MAAM,4CAAA;IACd;AAIA,WAAO,KAAKqD,wBAAwB/E,OAAAA,EAASY,MAAM6D,WAAW,KAAKO,OAAO/D,OAAAA,CAAAA;EAC5E;;;;;;;;;EAUA,MAAMyD,mBACJ3C,OACA/B,SACAY,MACA6D,WACAQ,MACkB;AAClB,UAAMC,YAAY,MAAMnD,MAAMoD,OAAO,GAAGvE,IAAAA,IAAQ6D,SAAAA,EAAW;AAC3D,UAAMxD,UAAyBiE,UAAUP,IAAY1D;AACrD,UAAMO,SAAiBC,mBAAmBR,OAAAA;AAC1C,UAAMkB,SAAU+C,UAAUP,IAAYxC;AACtC,UAAMG,MAA4BH,QAAQG;AAC1C,QAAI0B,MAAoC7B,OAAO6B;AAC/C,QAAI1B,KAAK8C,QAAQ;AACf,YAAMC,eAAe,oBAAIC,IAAY;WAAI,KAAKzG;OAAkB;AAChE,UAAIwG,aAAaE,SAAS,GAAG;AAC3BF,qBAAaG,IAAIC,UAAAA;AACjBJ,qBAAaG,IAAIE,WAAAA;MACnB;AACA,YAAMC,8BAA8B,MAAM3F,QAAQa,MAAM+E,2BAA2B;QACjFC,OAAOvD;QACP+C,cAAcS,MAAMC,KAAKV,YAAAA;;QAEzBJ,MAAMA,MAAMe,iBAAiB;UAAEC,wBAAwB;UAAMC,0BAA0B;QAAK;MAC9F,CAAA;AAEA,UAAIP,4BAA4BQ,SAAS,CAACR,6BAA6BS,kBAAkB;AACvF,eAAOzD,QAAQC,OAAOlB,MAAM,wCAAwCiE,4BAA4BU,OAAO,EAAE,CAAA;MAC3G;AACA,YAAMC,WAAWX,4BAA4BS,iBAAiB,CAAA;AAC9DpC,YAAMsC,SAASC;IACjB;AAEA,QAAI,CAACvC,OAAO7B,OAAOC,KAAK/B,SAAS,MAAA,GAAS;AACxC,YAAMmG,SAAS,MAAMxG,QAAQa,MAAM4F,WAAW;QAAEC,QAAQvE,OAAOC;MAAI,CAAA;AACnE,UAAI,CAACoE,QAAQ;AACX,cAAM,IAAI9E,MAAM,0DAAA;MAClB;AACA,YAAMiF,iBAAiBH,OAAOI,aAAaC,oBAAoBC,KAAK,CAACpG,QAAQA,IAAIqG,OAAO5E,OAAOC,GAAG;AAClG,UAAI,CAACuE,gBAAgB;AACnB,cAAM,IAAIjF,MAAM,qEAAA;MAClB;AAGAsC,YAAM2C,eAAeK;IACvB;AAEA,QAAI,CAAChD,OAAOxC,OAAOnB,SAAS,MAAA,GAAS;AAEnC,YAAMmG,SAAS,MAAMxG,QAAQa,MAAM4F,WAAW;QAAEC,QAAQlF;MAAO,CAAA;AAC/D,UAAI,CAACgF,QAAQ;AACX,cAAM,IAAI9E,MAAM,0DAAA;MAClB;AAEA,YAAMiF,iBAAiBH,OAAOI,aAAaC,oBAAoBC,KAAK,CAACpG,QAAQA,IAAIqG,OAAO5E,OAAOC,GAAG;AAClG,UAAI,CAACuE,gBAAgB;AACnB,cAAM,IAAIjF,MAAM,qEAAA;MAClB;AAGAsC,YAAM2C,eAAeK;IACvB;AAEA,QAAI,CAAChD,KAAK;AACR,YAAM,IAAItC,MAAM,sDAAA;IAClB;AAEA,WAAO,KAAKqD,wBAAwB/E,OAAAA,EAASY,MAAM6D,WAAWT,GAAAA;EAChE;;;;;;;EAQA,MAAMpE,wBAAwBG,MAAoCC,SAAoE;AACpI,QAAI+B;AACJ,UAAMyC,WAAqB,8BAAO5D,MAAc6D,cAAsB,KAAKC,mBAAmB3C,OAAO/B,SAASY,MAAM6D,SAAAA,GAAzF;AAC3B,UAAMwC,aAAyB,8BAAOrG,MAAc6D,WAAmBxD,YAAwB,KAAK6D,SAAS9E,SAASY,MAAM6D,WAAWxD,OAAAA,GAAxG;AAC/Bc,YAAQ,IAAImF,kCAAgB;MAC1B1C;MACAvF,QAAQ,KAAKH,0BAA0BG;MACvCkI,YAAYF;IACd,CAAA;AAEA,UAAMG,eAAgC;MACpCC,mBAAmBtH,KAAKsH;MACxBC,iBAAiBvH,KAAKuH;IACxB;AAEA,WAAOvF,MAAM6C,OAAO7E,KAAK4D,cAAcyD,YAAAA;EACzC;;;;;;;EAQA,MAAMvH,iCAAiCE,MAA4CC,SAAuD;AACxI,UAAM,EAAEuH,KAAKC,cAAcvC,KAAI,IAAKlF;AACpC,UAAM0H,MAAM,IAAIC,IAAIH,GAAAA;AAEpB,UAAMI,WAAW,MAAMC,0BAA0BH,IAAII,SAAQ,CAAA;AAC7D,UAAMC,WAA+B,MAAMH,SAASI,KAAI;AACxDC,4BAAwBF,UAAUP,GAAAA;AAElC,UAAMU,WAAW,8BAAOV,MAAaW,OAAgBC,gBAAyBlJ,YAAAA;AAC5E,UAAIA,WAAUkJ,gBAAgB;AAC5B,cAAMC,aAAa,MAAMC,kBAAkB;UAAEF;UAAgBD;UAAOjJ,QAAAA;QAAO,CAAA;AAC3E,YAAI,CAACmJ,YAAY;AACf,iBAAOzF,QAAQC,OAAOlB,MAAM,mCAAmC6F,IAAAA,cAAiBO,SAASQ,OAAO,gBAAgBH,cAAAA,GAAiB,CAAA;QACnI;MACF;IACF,GAPiB;AASjB,UAAMlJ,SAAUgG,MAAMhG,UAAU,KAAKH,0BAA0BG,UAAUC;AACzE,QAAID,QAAQ;AACV,UAAIuI,cAAc;AAChB,cAAMS,SAASV,KAAKO,UAAUN,cAAcvI,MAAAA;AAC5C,cAAMsJ,gBAAgB,MAAMF,kBAAkB;UAAEF,gBAAgBX;UAAcU,OAAOJ;UAAU7I;QAAO,CAAA;AACtG,YAAI,CAACsJ,eAAe;AAClB,iBAAO5F,QAAQC,OAAOlB,MAAM,mCAAmC6F,GAAAA,gBAAmBC,YAAAA,EAAc,CAAA;QAClG;MACF;AAEA,UAAIM,SAAS,mBAAA,GAAsB;AACjC,cAAMU,kBAAkB,MAAM,KAAK3I,iCAAiC;UAAE0H,KAAKO,SAAS,mBAAA;UAAsB7C;QAAK,GAAGjF,OAAAA;AAClH,cAAMiI,SAASV,KAAKiB,iBAAiBV,SAAS,mBAAA,GAAsB7I,MAAAA;MACtE;AAEA,UAAI6I,SAAS,sBAAA,GAAyB;AACpC,cAAMW,iBAAiB,MAAMb,0BAA0BE,SAASY,UAAU;AAC1E,cAAMC,SAAS,MAAMF,eAAeV,KAAI;AACxC,cAAME,SAASV,KAAKoB,QAAQb,SAAS,sBAAA,GAAyB7I,MAAAA;MAChE;AAEA6I,eAASc,SAASC,QAAQ,CAACD,YAAAA;AACzB,cAAME,sBAAsBF,QAAQG,WAAWC,QAAQC,OAAO,eAAA;AAC9D,YAAIH,qBAAqB;AACvBI,kBAAQC,IAAI,4BAAA;QACd;MACF,CAAA;IACF;AAEA,WAAOrB;EACT;EAEQ/C,wBAAwB/E,SAAiD;AAC/E,QAAI,OAAO,KAAKlB,0BAA0BsK,oBAAoB,YAAY;AACxE,aAAO,KAAKtK,0BAA0BsK;IACxC;AAEA,WAAOC,uBAAuBrJ,OAAAA;EAChC;EAEQgF,OAAO/D,SAAiC;AAC9C,QAAIA,QAAQ8C,KAAKC,QAAQ3B,QAAW;AAClC,aAAOpB,QAAQ8C,IAAIC;IACrB,WAAW/C,QAAQ8C,QAAQ1B,UAAa,SAASpB,QAAQ8C,OAAO,OAAO9C,QAAQ8C,IAAI3B,QAAQ,YAAYnB,QAAQ8C,IAAI3B,IAAIe,WAAW,UAAA,GAAa;AAG7I,YAAMmG,UAAU,KAAKC,wBAAwBtI,QAAQ8C,IAAI3B,GAAG;AAC5D,YAAMoH,UAAc3B,cAAa4B,gBAAWH,SAAS,WAAA,GAAc,OAAA;AACnE,YAAM3E,MAAM+E,KAAKC,MAAMH,OAAAA;AACvB,aAAO7E;IACT;AACA,UAAMjD,MAAM,2CAAA;EACd;EAEQ6H,wBAAwBK,KAAqB;AACnD,UAAMC,QAAQD,IAAIE,MAAM,GAAA;AACxB,QAAID,MAAMzE,SAAS,GAAG;AACpB,YAAM,IAAI1D,MAAM,oBAAA;IAClB;AACA,WAAOmI,MAAM,CAAA,EAAGC,MAAM,GAAA,EAAK,CAAA;EAC7B;AACF;","names":["import_core","import_sd_jwt_vc","import_ssi_sdk_ext","defaultGenerateDigest","data","alg","digestMethodParams","includes","hash","fromString","Uint8Array","defaultGenerateSalt","v4","defaultVerifySignature","context","signature","publicKey","result","agent","jwtVerifyJwsSignature","jws","jwk","Loggers","DEFAULT","get","info","message","error","funkeTestCA","sphereonCA","fetchUrlWithErrorHandling","url","response","fetch","ok","Error","status","statusText","extractHashAlgFromIntegrity","integrityValue","val","toLowerCase","trim","split","undefined","extractHashFromIntegrity","validateIntegrity","input","hasher","alg","calculatedHash","createIntegrity","JSON","stringify","toString","assertValidTypeMetadata","metadata","vct","isVcdm2SdJwtPayload","payload","Array","isArray","type","includes","length","isSdjwtVcPayload","getIssuerFromSdJwt","issuer","iss","id","calculateSdHash","compactSdJwtVc","digest","sdJwtPluginContextMethods","contextHasSDJwtPlugin","context","contextHasPlugin","isVcdm2SdJwt","type","SDJwtVcdmInstanceFactory","create","type","config","isVcdm2SdJwt","SDJwtVcdm2Instance","SDJwtVcInstance","SDJwtInstance","userConfig","validateReservedFields","disclosureFrame","_sd","Array","isArray","length","reservedNames","reservedNamesInDisclosureFrame","filter","key","includes","SDJWTException","join","verify","encodedSDJwt","options","result","then","res","payload","header","kb","validateIntegrity","response","url","integrity","arrayBuffer","alg","split","hashBuffer","hasher","integrityHash","hash","from","Uint8Array","map","byte","toString","padStart","Error","fetch","signal","AbortSignal","timeout","ok","errorText","text","Promise","reject","status","statusText","clone","json","error","name","issue","iss","issuer","id","nbf","validFrom","toVcdm2Date","exp","validUntil","sub","credentialSubject","value","num","Number","isFinite","Date","toISOString","u8a","debug","Debug","SDJwtPlugin","trustAnchorsInPEM","registeredImplementations","_signers","_defaultSigner","hasher","defaultGenerateDigest","saltGenerator","defaultGenerateSalt","signers","defaultSigner","methods","createSdJwtVc","bind","createSdJwtPresentation","verifySdJwtVc","verifySdJwtPresentation","fetchSdJwtTypeMetadataFromVctUrl","getSignerForIdentifier","args","context","identifier","resolution","Object","keys","includes","signer","signingKey","getSignKey","vmRelationship","key","alg","data","agent","keyManagerSign","keyRef","kmsKeyRef","payload","credentialPayload","isVcdm2","isVcdm2SdJwtPayload","isSdJwtVc","isSdjwtVcPayload","type","issuer","getIssuerFromSdJwt","Error","signAlg","hashAlg","test","slice","sdjwt","SDJwtVcdmInstanceFactory","create","omitTyp","header","kid","undefined","x5c","typ","credential","issue","disclosureFrame","Promise","reject","signatureAlgorithmFromKey","method","publicKeyHex","meta","x509","jwkThumbprint","startsWith","didIdentifier","identifierManagedGetByDid","kidIdentifier","identifierManagedGetByKid","cred","SDJwt","fromEncode","presentation","claims","getClaims","holder","cnf","jwk","calculateJwkThumbprint","sub","kbSigner","kbSignAlg","present","presentationFrame","kb","verifier","signature","verifyCallbackImpl","jwt","verify","skewSeconds","verifyKb","verifySignatureCallback","getJwk","opts","decodedVC","decode","length","trustAnchors","Set","size","add","sphereonCA","funkeTestCA","certificateValidationResult","x509VerifyCertificateChain","chain","Array","from","x5cValidation","trustRootWhenNoAnchors","allowNoTrustAnchorsFound","error","certificateChain","message","certInfo","publicKeyJWK","didDoc","resolveDid","didUrl","didDocumentKey","didDocument","verificationMethod","find","id","publicKeyJwk","verifierKb","SDJwtVcInstance","kbVerifier","verifierOpts","requiredClaimKeys","keyBindingNonce","vct","vctIntegrity","url","URL","response","fetchUrlWithErrorHandling","toString","metadata","json","assertValidTypeMetadata","validate","input","integrityValue","validation","validateIntegrity","extends","vctValidation","extendsMetadata","schemaResponse","schema_uri","schema","display","forEach","simpleLogoIntegrity","rendering","simple","logo","console","log","verifySignature","defaultVerifySignature","encoded","extractBase64FromDIDJwk","decoded","fromString","JSON","parse","did","parts","split"]}
package/dist/index.js CHANGED
@@ -635,7 +635,7 @@ var SDJwtPlugin = class {
635
635
  if (!didDoc) {
636
636
  throw new Error("invalid_issuer: issuer did not resolve to a did document");
637
637
  }
638
- const didDocumentKey = didDoc.didDocument?.verificationMethod?.find((key) => key.id);
638
+ const didDocumentKey = didDoc.didDocument?.verificationMethod?.find((key) => key.id === header.kid);
639
639
  if (!didDocumentKey) {
640
640
  throw new Error("invalid_issuer: issuer did document does not include referenced key");
641
641
  }
@@ -648,7 +648,7 @@ var SDJwtPlugin = class {
648
648
  if (!didDoc) {
649
649
  throw new Error("invalid_issuer: issuer did not resolve to a did document");
650
650
  }
651
- const didDocumentKey = didDoc.didDocument?.verificationMethod?.find((key) => key.id);
651
+ const didDocumentKey = didDoc.didDocument?.verificationMethod?.find((key) => key.id === header.kid);
652
652
  if (!didDocumentKey) {
653
653
  throw new Error("invalid_issuer: issuer did document does not include referenced key");
654
654
  }
package/dist/index.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"sources":["../src/action-handler.ts","../src/defaultCallbacks.ts","../src/trustAnchors.ts","../src/utils.ts","../src/sdJwtVcdm2Instance.ts","../src/types.ts"],"sourcesContent":["import { Jwt, SDJwt, type SdJwtPayload, type VerifierOptions } from '@sd-jwt/core'\nimport { SDJwtVcInstance, type SdJwtVcPayload } from '@sd-jwt/sd-jwt-vc'\nimport type { DisclosureFrame, HashAlgorithm, Hasher, JwtPayload, KbVerifier, PresentationFrame, Signer, Verifier } from '@sd-jwt/types'\nimport { calculateJwkThumbprint, signatureAlgorithmFromKey } from '@sphereon/ssi-sdk-ext.key-utils'\nimport type { X509CertificateChainValidationOpts } from '@sphereon/ssi-sdk-ext.x509-utils'\nimport type { HasherSync, JsonWebKey, JWK, SdJwtTypeMetadata } from '@sphereon/ssi-types'\nimport type { IAgentPlugin } from '@veramo/core'\n// import { decodeBase64url } from '@veramo/utils'\nimport Debug from 'debug'\nimport { defaultGenerateDigest, defaultGenerateSalt, defaultVerifySignature } from './defaultCallbacks'\nimport { funkeTestCA, sphereonCA } from './trustAnchors'\nimport {\n assertValidTypeMetadata,\n fetchUrlWithErrorHandling,\n getIssuerFromSdJwt,\n isSdjwtVcPayload,\n isVcdm2SdJwtPayload,\n validateIntegrity,\n} from './utils'\nimport type {\n Claims,\n FetchSdJwtTypeMetadataFromVctUrlArgs,\n GetSignerForIdentifierArgs,\n GetSignerResult,\n ICreateSdJwtPresentationArgs,\n ICreateSdJwtPresentationResult,\n ICreateSdJwtVcArgs,\n ICreateSdJwtVcResult,\n IRequiredContext,\n ISDJwtPlugin,\n IVerifySdJwtPresentationArgs,\n IVerifySdJwtPresentationResult,\n IVerifySdJwtVcArgs,\n IVerifySdJwtVcResult,\n SdJWTImplementation,\n SdJwtVerifySignature,\n SignKeyArgs,\n SignKeyResult,\n} from './types'\nimport { SDJwtVcdm2Instance, SDJwtVcdmInstanceFactory } from './sdJwtVcdm2Instance'\n\n// @ts-ignore\nimport * as u8a from 'uint8arrays'\n\nconst debug = Debug('@sphereon/ssi-sdk.sd-jwt')\n\n/**\n * @beta\n * SD-JWT plugin\n */\nexport class SDJwtPlugin implements IAgentPlugin {\n // @ts-ignore\n private readonly trustAnchorsInPEM: string[]\n private readonly registeredImplementations: SdJWTImplementation\n private _signers: Record<string, Signer>\n private _defaultSigner?: Signer\n\n constructor(\n registeredImplementations?: SdJWTImplementation & {\n signers?: Record<string, Signer>\n defaultSigner?: Signer\n },\n trustAnchorsInPEM?: string[],\n ) {\n this.trustAnchorsInPEM = trustAnchorsInPEM ?? []\n if (!registeredImplementations) {\n registeredImplementations = {}\n }\n if (typeof registeredImplementations?.hasher !== 'function') {\n registeredImplementations.hasher = defaultGenerateDigest\n }\n if (typeof registeredImplementations?.saltGenerator !== 'function') {\n registeredImplementations.saltGenerator = defaultGenerateSalt\n }\n this.registeredImplementations = registeredImplementations\n this._signers = registeredImplementations?.signers ?? {}\n this._defaultSigner = registeredImplementations?.defaultSigner\n\n // Verify signature default is used below in the methods if not provided here, as it needs the context of the agent\n }\n\n // map the methods your plugin is declaring to their implementation\n readonly methods: ISDJwtPlugin = {\n createSdJwtVc: this.createSdJwtVc.bind(this),\n createSdJwtPresentation: this.createSdJwtPresentation.bind(this),\n verifySdJwtVc: this.verifySdJwtVc.bind(this),\n verifySdJwtPresentation: this.verifySdJwtPresentation.bind(this),\n fetchSdJwtTypeMetadataFromVctUrl: this.fetchSdJwtTypeMetadataFromVctUrl.bind(this),\n }\n\n private async getSignerForIdentifier(args: GetSignerForIdentifierArgs, context: IRequiredContext): Promise<GetSignerResult> {\n const { identifier, resolution } = args\n if (Object.keys(this._signers).includes(identifier) && typeof this._signers[identifier] === 'function') {\n return { signer: this._signers[identifier] }\n } else if (typeof this._defaultSigner === 'function') {\n return { signer: this._defaultSigner }\n }\n const signingKey = await this.getSignKey({ identifier, vmRelationship: 'assertionMethod', resolution }, context)\n const { key, alg } = signingKey\n\n const signer: Signer = async (data: string): Promise<string> => {\n return context.agent.keyManagerSign({ keyRef: key.kmsKeyRef, data })\n }\n\n return { signer, alg, signingKey }\n }\n\n /**\n * Create a signed SD-JWT credential.\n * @param args - Arguments necessary for the creation of a SD-JWT credential.\n * @param context - This reserved param is automatically added and handled by the framework, *do not override*\n * @returns A signed SD-JWT credential.\n */\n async createSdJwtVc(args: ICreateSdJwtVcArgs, context: IRequiredContext): Promise<ICreateSdJwtVcResult> {\n const payload = args.credentialPayload\n const isVcdm2 = isVcdm2SdJwtPayload(payload)\n const isSdJwtVc = isSdjwtVcPayload(payload)\n const type = args.type ?? (isVcdm2 ? 'vc+sd-jwt' : 'dc+sd-jwt')\n\n const issuer = getIssuerFromSdJwt(args.credentialPayload)\n if (!issuer) {\n throw new Error('credential.issuer must not be empty')\n }\n const { alg, signer, signingKey } = await this.getSignerForIdentifier({ identifier: issuer, resolution: args.resolution }, context)\n const signAlg = alg ?? signingKey?.alg ?? 'ES256'\n const hashAlg: HashAlgorithm = /(\\d{3})$/.test(signAlg) ? (`sha-${signAlg.slice(-3)}` as HashAlgorithm) : 'sha-256'\n const sdjwt = SDJwtVcdmInstanceFactory.create(type, {\n omitTyp: true,\n signer,\n hasher: this.registeredImplementations.hasher,\n saltGenerator: this.registeredImplementations.saltGenerator,\n signAlg,\n hashAlg,\n })\n\n const header = {\n ...(signingKey?.key.kid !== undefined && { kid: signingKey.key.kid }),\n ...(signingKey?.key.x5c !== undefined && { x5c: signingKey.key.x5c }),\n ...(type && { typ: type }),\n }\n let credential: string\n if (isVcdm2) {\n credential = await (sdjwt as SDJwtVcdm2Instance).issue(\n payload,\n // @ts-ignore\n args.disclosureFrame as DisclosureFrame<typeof payload>,\n { header },\n )\n } else if (isSdJwtVc) {\n credential = await (sdjwt as SDJwtVcInstance).issue(payload, args.disclosureFrame as DisclosureFrame<typeof payload>, { header })\n } else {\n return Promise.reject(new Error(`invalid_argument: credential '${type}' type is not supported`))\n }\n\n return { type, credential }\n }\n\n /**\n * Get the key to sign the SD-JWT\n * @param args - consists of twp arguments: identifier like a did and other forms of identifiers and vmRelationship which represents the purpose of the key\n * @param context - agent instance\n * @returns the key to sign the SD-JWT\n */\n async getSignKey(args: SignKeyArgs, context: IRequiredContext): Promise<SignKeyResult> {\n // TODO Using identifierManagedGetByDid now (new managed identifier resolution). Evaluate of we need to implement more identifier types here\n const { identifier, resolution } = { ...args }\n if (resolution) {\n const key = resolution.key\n const alg = await signatureAlgorithmFromKey({ key })\n switch (resolution.method) {\n case 'did':\n debug(`Signing key ${key.publicKeyHex} found for identifier ${identifier}`)\n return { alg, key: { ...key, kmsKeyRef: resolution.kmsKeyRef, kid: resolution.kid } }\n default:\n if (key.meta?.x509 && key.meta.x509.x5c) {\n return { alg, key: { kid: resolution.kid, kmsKeyRef: resolution.kmsKeyRef, x5c: key.meta.x509.x5c as string[] } }\n } else if (key.meta?.jwkThumbprint) {\n return { alg, key: { kid: resolution.kid, kmsKeyRef: resolution.kmsKeyRef, jwkThumbprint: key.meta.jwkThumbprint } }\n } else {\n return { alg, key: { kid: resolution.kid, kmsKeyRef: resolution.kmsKeyRef } }\n }\n }\n } else if (identifier.startsWith('did:')) {\n const didIdentifier = await context.agent.identifierManagedGetByDid({ identifier })\n if (!didIdentifier) {\n throw new Error(`No identifier found with the given did: ${identifier}`)\n }\n const key = didIdentifier.key\n const alg = await signatureAlgorithmFromKey({ key })\n debug(`Signing key ${key.publicKeyHex} found for identifier ${identifier}`)\n\n return { alg, key: { ...key, kmsKeyRef: didIdentifier.kmsKeyRef, kid: didIdentifier.kid } }\n } else {\n const kidIdentifier = await context.agent.identifierManagedGetByKid({ identifier })\n if (!kidIdentifier) {\n throw new Error(`No identifier found with the given kid: ${identifier}`)\n }\n const key = kidIdentifier.key\n const alg = await signatureAlgorithmFromKey({ key })\n if (key.meta?.x509 && key.meta.x509.x5c) {\n return { alg, key: { kid: kidIdentifier.kid, kmsKeyRef: kidIdentifier.kmsKeyRef, x5c: key.meta.x509.x5c as string[] } }\n } else if (key.meta?.jwkThumbprint) {\n return { alg, key: { kid: kidIdentifier.kid, kmsKeyRef: kidIdentifier.kmsKeyRef, jwkThumbprint: key.meta.jwkThumbprint } }\n } else {\n return { alg, key: { kid: kidIdentifier.kid, kmsKeyRef: kidIdentifier.kmsKeyRef } }\n }\n }\n }\n\n /**\n * Create a signed SD-JWT presentation.\n * @param args - Arguments necessary for the creation of a SD-JWT presentation.\n * @param context - This reserved param is automatically added and handled by the framework, *do not override*\n * @returns A signed SD-JWT presentation.\n */\n async createSdJwtPresentation(args: ICreateSdJwtPresentationArgs, context: IRequiredContext): Promise<ICreateSdJwtPresentationResult> {\n const type = args.type ?? 'dc+sd-jwt'\n\n const cred = await SDJwt.fromEncode(args.presentation, this.registeredImplementations.hasher!)\n\n const claims = await cred.getClaims<Claims>(this.registeredImplementations.hasher!)\n let holder: string\n // we primarily look for a cnf field, if it's not there, we look for a sub field. If this is also not given, we throw an error since we can not sign it.\n if (args.holder) {\n holder = args.holder\n } else if (claims.cnf?.jwk) {\n const jwk = claims.cnf.jwk\n holder = calculateJwkThumbprint({ jwk: jwk as JWK })\n } else if (claims.cnf?.kid) {\n holder = claims.cnf?.kid\n } else if (claims.sub) {\n holder = claims.sub as string\n } else {\n throw new Error('invalid_argument: credential does not include a holder reference')\n }\n const { alg, signer } = await this.getSignerForIdentifier({ identifier: holder }, context)\n\n const sdjwt = SDJwtVcdmInstanceFactory.create(type, {\n omitTyp: true,\n hasher: this.registeredImplementations.hasher,\n saltGenerator: this.registeredImplementations.saltGenerator,\n kbSigner: signer,\n kbSignAlg: alg ?? 'ES256',\n })\n\n const presentation = await sdjwt.present(args.presentation, args.presentationFrame as PresentationFrame<SdJwtVcPayload>, { kb: args.kb })\n\n return { type, presentation }\n }\n\n /**\n * Verify a signed SD-JWT credential.\n * @param args - Arguments necessary for the verify a SD-JWT credential.\n * @param context - This reserved param is automatically added and handled by the framework, *do not override*\n * @returns\n */\n async verifySdJwtVc(args: IVerifySdJwtVcArgs, context: IRequiredContext): Promise<IVerifySdJwtVcResult> {\n // callback\n const verifier: Verifier = async (data: string, signature: string) => this.verifyCallbackImpl(sdjwt, context, data, signature)\n\n const cred = await SDJwt.fromEncode(args.credential, this.registeredImplementations.hasher!)\n const type = isVcdm2SdJwtPayload(cred.jwt?.payload as SdJwtPayload) ? 'vc+sd-jwt' : 'dc+sd-jwt'\n\n const sdjwt = SDJwtVcdmInstanceFactory.create(type, { verifier, hasher: this.registeredImplementations.hasher ?? defaultGenerateDigest })\n // FIXME: Findynet. Issuer returns expired status lists, and low level lib throws errors on these. We need to fix this in our implementation by wrapping the verification function\n // For now a workaround is to ad 5 days of skew seconds, yuck\n const { header = {}, payload, kb } = await sdjwt.verify(args.credential, { skewSeconds: 60 * 60 * 24 * 5 })\n\n return { type, header, payload, kb }\n }\n\n /**\n * Verify the key binding of a SD-JWT by validating the signature of the key bound to the SD-JWT\n * @param sdjwt - SD-JWT instance\n * @param context - This reserved param is automatically added and handled by the framework, *do not override*\n * @param data - signed data\n * @param signature - The signature\n * @param payload - The payload of the SD-JWT\n * @returns\n */\n private verifyKb(context: IRequiredContext, data: string, signature: string, payload: JwtPayload): Promise<boolean> {\n if (!payload.cnf) {\n throw Error('other method than cnf is not supported yet')\n }\n\n // TODO add aud verification\n\n return this.verifySignatureCallback(context)(data, signature, this.getJwk(payload))\n }\n\n /**\n * Validates the signature of a SD-JWT\n * @param sdjwt - SD-JWT instance\n * @param context - This reserved param is automatically added and handled by the framework, *do not override*\n * @param data - signed data\n * @param signature - The signature\n * @returns\n */\n async verifyCallbackImpl(\n sdjwt: SDJwtVcInstance | SDJwtVcdm2Instance,\n context: IRequiredContext,\n data: string,\n signature: string,\n opts?: { x5cValidation?: X509CertificateChainValidationOpts },\n ): Promise<boolean> {\n const decodedVC = await sdjwt.decode(`${data}.${signature}`)\n const payload: SdJwtPayload = (decodedVC.jwt as Jwt).payload as SdJwtPayload\n const issuer: string = getIssuerFromSdJwt(payload)\n const header = (decodedVC.jwt as Jwt).header as Record<string, any>\n const x5c: string[] | undefined = header?.x5c as string[]\n let jwk: JWK | JsonWebKey | undefined = header.jwk\n if (x5c?.length) {\n const trustAnchors = new Set<string>([...this.trustAnchorsInPEM])\n if (trustAnchors.size === 0) {\n trustAnchors.add(sphereonCA)\n trustAnchors.add(funkeTestCA)\n }\n const certificateValidationResult = await context.agent.x509VerifyCertificateChain({\n chain: x5c,\n trustAnchors: Array.from(trustAnchors),\n // TODO: Defaults to allowing untrusted certs! Fine for now, not when wallets go mainstream\n opts: opts?.x5cValidation ?? { trustRootWhenNoAnchors: true, allowNoTrustAnchorsFound: true },\n })\n\n if (certificateValidationResult.error || !certificateValidationResult?.certificateChain) {\n return Promise.reject(Error(`Certificate chain validation failed. ${certificateValidationResult.message}`))\n }\n const certInfo = certificateValidationResult.certificateChain[0]\n jwk = certInfo.publicKeyJWK as JWK\n }\n\n if (!jwk && header.kid?.includes('did:')) {\n const didDoc = await context.agent.resolveDid({ didUrl: header.kid })\n if (!didDoc) {\n throw new Error('invalid_issuer: issuer did not resolve to a did document')\n }\n //TODO SDK-20: This should be checking for an assertionMethod and not just an verificationMethod with an id\n const didDocumentKey = didDoc.didDocument?.verificationMethod?.find((key) => key.id)\n if (!didDocumentKey) {\n throw new Error('invalid_issuer: issuer did document does not include referenced key')\n }\n //FIXME SDK-21: in case it's another did method, the value of the key can be also encoded as a base64url\n // needs more checks. some DID methods do not expose the keys as publicKeyJwk\n jwk = didDocumentKey.publicKeyJwk as JsonWebKey\n }\n\n if (!jwk && issuer.includes('did:')) {\n // TODO refactor\n const didDoc = await context.agent.resolveDid({ didUrl: issuer })\n if (!didDoc) {\n throw new Error('invalid_issuer: issuer did not resolve to a did document')\n }\n //TODO SDK-20: This should be checking for an assertionMethod and not just an verificationMethod with an id\n const didDocumentKey = didDoc.didDocument?.verificationMethod?.find((key) => key.id)\n if (!didDocumentKey) {\n throw new Error('invalid_issuer: issuer did document does not include referenced key')\n }\n //FIXME SDK-21: in case it's another did method, the value of the key can be also encoded as a base64url\n // needs more checks. some DID methods do not expose the keys as publicKeyJwk\n jwk = didDocumentKey.publicKeyJwk as JsonWebKey\n }\n\n if (!jwk) {\n throw new Error('No valid public key found for signature verification')\n }\n\n return this.verifySignatureCallback(context)(data, signature, jwk)\n }\n\n /**\n * Verify a signed SD-JWT presentation.\n * @param args - Arguments necessary for the verify a SD-JWT presentation.\n * @param context - This reserved param is automatically added and handled by the framework, *do not override*\n * @returns\n */\n async verifySdJwtPresentation(args: IVerifySdJwtPresentationArgs, context: IRequiredContext): Promise<IVerifySdJwtPresentationResult> {\n let sdjwt: SDJwtVcInstance\n const verifier: Verifier = async (data: string, signature: string) => this.verifyCallbackImpl(sdjwt, context, data, signature)\n const verifierKb: KbVerifier = async (data: string, signature: string, payload: JwtPayload) => this.verifyKb(context, data, signature, payload)\n sdjwt = new SDJwtVcInstance({\n verifier,\n hasher: this.registeredImplementations.hasher,\n kbVerifier: verifierKb,\n })\n\n const verifierOpts: VerifierOptions = {\n requiredClaimKeys: args.requiredClaimKeys,\n keyBindingNonce: args.keyBindingNonce,\n }\n\n return sdjwt.verify(args.presentation, verifierOpts)\n }\n\n /**\n * Fetch and validate Type Metadata.\n * @param args - Arguments necessary for fetching and validating the type metadata.\n * @param context - This reserved param is automatically added and handled by the framework, *do not override*\n * @returns\n */\n async fetchSdJwtTypeMetadataFromVctUrl(args: FetchSdJwtTypeMetadataFromVctUrlArgs, context: IRequiredContext): Promise<SdJwtTypeMetadata> {\n const { vct, vctIntegrity, opts } = args\n const url = new URL(vct)\n\n const response = await fetchUrlWithErrorHandling(url.toString())\n const metadata: SdJwtTypeMetadata = (await response.json()) as SdJwtTypeMetadata\n assertValidTypeMetadata(metadata, vct)\n\n const validate = async (vct: string, input: unknown, integrityValue?: string, hasher?: Hasher | HasherSync) => {\n if (hasher && integrityValue) {\n const validation = await validateIntegrity({ integrityValue, input, hasher })\n if (!validation) {\n return Promise.reject(Error(`Integrity check failed for vct: ${vct}, extends: ${metadata.extends}, integrity: ${integrityValue}}`))\n }\n }\n }\n\n const hasher = (opts?.hasher ?? this.registeredImplementations.hasher ?? defaultGenerateDigest) as Hasher | HasherSync | undefined\n if (hasher) {\n if (vctIntegrity) {\n await validate(vct, metadata, vctIntegrity, hasher)\n const vctValidation = await validateIntegrity({ integrityValue: vctIntegrity, input: metadata, hasher })\n if (!vctValidation) {\n return Promise.reject(Error(`Integrity check failed for vct: ${vct}, integrity: ${vctIntegrity}`))\n }\n }\n\n if (metadata['extends#integrity']) {\n const extendsMetadata = await this.fetchSdJwtTypeMetadataFromVctUrl({ vct: metadata['extends#integrity'], opts }, context)\n await validate(vct, extendsMetadata, metadata['extends#integrity'], hasher)\n }\n\n if (metadata['schema_uri#integrity']) {\n const schemaResponse = await fetchUrlWithErrorHandling(metadata.schema_uri!)\n const schema = await schemaResponse.json()\n await validate(vct, schema, metadata['schema_uri#integrity'], hasher)\n }\n\n metadata.display?.forEach((display) => {\n const simpleLogoIntegrity = display.rendering?.simple?.logo?.['uri#integrity']\n if (simpleLogoIntegrity) {\n console.log('TODO: Logo integrity check')\n }\n })\n }\n\n return metadata\n }\n\n private verifySignatureCallback(context: IRequiredContext): SdJwtVerifySignature {\n if (typeof this.registeredImplementations.verifySignature === 'function') {\n return this.registeredImplementations.verifySignature\n }\n\n return defaultVerifySignature(context)\n }\n\n private getJwk(payload: JwtPayload): JsonWebKey {\n if (payload.cnf?.jwk !== undefined) {\n return payload.cnf.jwk as JsonWebKey\n } else if (payload.cnf !== undefined && 'kid' in payload.cnf && typeof payload.cnf.kid === 'string' && payload.cnf.kid.startsWith('did:jwk:')) {\n // extract JWK from kid FIXME isn't there a did function for this already? Otherwise create one\n // FIXME this is a quick-fix to make verification but we need a real solution\n const encoded = this.extractBase64FromDIDJwk(payload.cnf.kid)\n const decoded = u8a.toString(u8a.fromString(encoded, 'base64url'), 'utf-8')\n const jwt = JSON.parse(decoded)\n return jwt as JsonWebKey\n }\n throw Error('Unable to extract JWK from SD-JWT payload')\n }\n\n private extractBase64FromDIDJwk(did: string): string {\n const parts = did.split(':')\n if (parts.length < 3) {\n throw new Error('Invalid DID format')\n }\n return parts[2].split('#')[0]\n }\n}\n","import { digestMethodParams } from '@sphereon/ssi-sdk-ext.key-utils'\nimport { HasherSync, JsonWebKey, JWK, Loggers } from '@sphereon/ssi-types'\nimport { v4 } from 'uuid'\n// @ts-ignore\nimport { fromString } from 'uint8arrays/from-string'\nimport { IRequiredContext, SdJwtVerifySignature } from './types'\n\nexport const defaultGenerateDigest: HasherSync = (data: string | ArrayBuffer | SharedArrayBuffer, alg: string): Uint8Array => {\n return digestMethodParams(alg.includes('256') ? 'SHA-256' : 'SHA-512').hash(\n typeof data === 'string' ? fromString(data, 'utf-8') : new Uint8Array(data),\n )\n}\n\nexport const defaultGenerateSalt = (): string => {\n return v4()\n}\n\nexport const defaultVerifySignature =\n (context: IRequiredContext): SdJwtVerifySignature =>\n async (data: string, signature: string, publicKey: JsonWebKey): Promise<boolean> => {\n // The data and signature from the sd-jwt lib are a jwt header.payload and signature, so let's recombine into a compact jwt\n const result = await context.agent.jwtVerifyJwsSignature({ jws: `${data}.${signature}`, jwk: publicKey as JWK })\n Loggers.DEFAULT.get('sd-jwt').info(`SD-JWT signature verified. Result: ${result.message}`)\n return !result.error\n }\n","export const funkeTestCA =\n '-----BEGIN CERTIFICATE-----\\n' +\n 'MIICeTCCAiCgAwIBAgIUB5E9QVZtmUYcDtCjKB/H3VQv72gwCgYIKoZIzj0EAwIwgYgxCzAJBgNVBAYTAkRFMQ8wDQYDVQQHDAZCZXJsaW4xHTAbBgNVBAoMFEJ1bmRlc2RydWNrZXJlaSBHbWJIMREwDwYDVQQLDAhUIENTIElERTE2MDQGA1UEAwwtU1BSSU5EIEZ1bmtlIEVVREkgV2FsbGV0IFByb3RvdHlwZSBJc3N1aW5nIENBMB4XDTI0MDUzMTA2NDgwOVoXDTM0MDUyOTA2NDgwOVowgYgxCzAJBgNVBAYTAkRFMQ8wDQYDVQQHDAZCZXJsaW4xHTAbBgNVBAoMFEJ1bmRlc2RydWNrZXJlaSBHbWJIMREwDwYDVQQLDAhUIENTIElERTE2MDQGA1UEAwwtU1BSSU5EIEZ1bmtlIEVVREkgV2FsbGV0IFByb3RvdHlwZSBJc3N1aW5nIENBMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEYGzdwFDnc7+Kn5ibAvCOM8ke77VQxqfMcwZL8IaIA+WCROcCfmY/giH92qMru5p/kyOivE0RC/IbdMONvDoUyaNmMGQwHQYDVR0OBBYEFNRWGMCJOOgOWIQYyXZiv6u7xZC+MB8GA1UdIwQYMBaAFNRWGMCJOOgOWIQYyXZiv6u7xZC+MBIGA1UdEwEB/wQIMAYBAf8CAQAwDgYDVR0PAQH/BAQDAgGGMAoGCCqGSM49BAMCA0cAMEQCIGEm7wkZKHt/atb4MdFnXW6yrnwMUT2u136gdtl10Y6hAiBuTFqvVYth1rbxzCP0xWZHmQK9kVyxn8GPfX27EIzzsw==\\n' +\n '-----END CERTIFICATE-----'\n\nexport const sphereonCA =\n '-----BEGIN CERTIFICATE-----\\n' +\n 'MIICCDCCAa6gAwIBAgITAPMgqwtYzWPBXaobHhxG9iSydTAKBggqhkjOPQQDAjBa\\n' +\n 'MQswCQYDVQQGEwJOTDEkMCIGA1UECgwbU3BoZXJlb24gSW50ZXJuYXRpb25hbCBC\\n' +\n 'LlYuMQswCQYDVQQLDAJJVDEYMBYGA1UEAwwPY2Euc3BoZXJlb24uY29tMB4XDTI0\\n' +\n 'MDcyODIxMjY0OVoXDTM0MDcyODIxMjY0OVowWjELMAkGA1UEBhMCTkwxJDAiBgNV\\n' +\n 'BAoMG1NwaGVyZW9uIEludGVybmF0aW9uYWwgQi5WLjELMAkGA1UECwwCSVQxGDAW\\n' +\n 'BgNVBAMMD2NhLnNwaGVyZW9uLmNvbTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\\n' +\n 'BEiA0KeESSNrOcmCDga8YsBkUTgowZGwqvL2n91JUpAMdRSwvlVFdqdiLXnk2pQq\\n' +\n 'T1vZnDG0I+x+iz2EbdsG0aajUzBRMB0GA1UdDgQWBBTnB8pdlVz5yKD+zuNkRR6A\\n' +\n 'sywywTAOBgNVHQ8BAf8EBAMCAaYwDwYDVR0lBAgwBgYEVR0lADAPBgNVHRMBAf8E\\n' +\n 'BTADAQH/MAoGCCqGSM49BAMCA0gAMEUCIHH7ie1OAAbff5262rzZVQa8J9zENG8A\\n' +\n 'QlHHFydMdgaXAiEA1Ib82mhHIYDziE0DDbHEAXOs98al+7dpo8fPGVGTeKI=\\n' +\n '-----END CERTIFICATE-----'\n","import type { SdJwtPayload } from '@sd-jwt/core'\nimport type { SdJwtVcPayload } from '@sd-jwt/sd-jwt-vc'\nimport { Hasher, HasherSync } from '@sd-jwt/types'\nimport type { SdJwtTypeMetadata, SdJwtVcdm2Payload } from '@sphereon/ssi-types'\n// @ts-ignore\nimport * as u8a from 'uint8arrays'\n// @ts-ignore\nimport { toString } from 'uint8arrays/to-string'\n\n// Helper function to fetch API with error handling\nexport async function fetchUrlWithErrorHandling(url: string): Promise<Response> {\n const response = await fetch(url)\n if (!response.ok) {\n throw new Error(`${response.status}: ${response.statusText}`)\n }\n return response\n}\n\nexport type IntegrityAlg = 'sha256' | 'sha384' | 'sha512'\n\nfunction extractHashAlgFromIntegrity(integrityValue?: string): IntegrityAlg | undefined {\n const val = integrityValue?.toLowerCase().trim().split('-')[0]\n if (val === 'sha256' || val === 'sha384' || val === 'sha512') {\n return val as IntegrityAlg\n }\n return undefined\n}\n\nexport function extractHashFromIntegrity(integrityValue?: string): string | undefined {\n return integrityValue?.toLowerCase().trim().split('-')[1]\n}\n\nexport async function validateIntegrity({\n input,\n integrityValue,\n hasher,\n}: {\n input: any\n integrityValue?: string\n hasher: HasherSync | Hasher\n}): Promise<boolean> {\n if (!integrityValue) {\n return true\n }\n const alg = extractHashAlgFromIntegrity(integrityValue)\n if (!alg) {\n return false\n }\n const calculatedHash = await createIntegrity({ hasher, input, alg })\n return calculatedHash == integrityValue\n}\n\nexport async function createIntegrity({\n input,\n hasher,\n alg = 'sha256',\n}: {\n input: any\n hasher: HasherSync | Hasher\n alg?: IntegrityAlg\n}): Promise<string> {\n const calculatedHash = await hasher(typeof input === 'string' ? input : JSON.stringify(input), alg)\n return `${alg}-${toString(calculatedHash, 'base64')}`\n}\n\nexport function assertValidTypeMetadata(metadata: SdJwtTypeMetadata, vct: string): void {\n if (metadata.vct !== vct) {\n throw new Error('VCT mismatch in metadata and credential')\n }\n}\n\nexport function isVcdm2SdJwtPayload(payload: SdJwtPayload): payload is SdJwtVcdm2Payload {\n return (\n 'type' in payload &&\n Array.isArray(payload.type) &&\n payload.type.includes('VerifiableCredential') &&\n '@context' in payload &&\n ((typeof payload['@context'] === 'string' && payload['@context'].length > 0) ||\n (Array.isArray(payload['@context']) && payload['@context'].length > 0 && payload['@context'].includes('https://www.w3.org/ns/credentials/v2')))\n )\n}\n\nexport function isSdjwtVcPayload(payload: SdJwtPayload): payload is SdJwtVcPayload {\n return !isVcdm2SdJwtPayload(payload) && 'vct' in payload && typeof payload.vct === 'string'\n}\n\nexport function getIssuerFromSdJwt(payload: SdJwtPayload): string {\n let issuer: string | undefined\n if (isSdjwtVcPayload(payload) || 'iss' in payload) {\n issuer = payload.iss as string\n } else if (isVcdm2SdJwtPayload(payload) || ('issuer' in payload && payload.issuer)) {\n issuer = typeof payload.issuer === 'string' ? payload.issuer : (payload.issuer as any)?.id\n }\n\n if (!issuer) {\n throw new Error('No issuer (iss or VCDM 2 issuer) found in SD-JWT or no VCDM2 SD-JWT or SD-JWT VC')\n }\n return issuer\n}\n\nexport function calculateSdHash(compactSdJwtVc: string, alg: string, hasher: Hasher): string {\n const digest = hasher(compactSdJwtVc, alg)\n return u8a.toString(digest, 'base64url')\n}\n","import { SDJwtInstance, type VerifierOptions } from '@sd-jwt/core'\nimport type { DisclosureFrame, Hasher, SDJWTCompact } from '@sd-jwt/types'\nimport { SDJWTException } from '@sd-jwt/utils'\nimport { type SdJwtType, type SDJWTVCDM2Config, type SdJwtVcdm2Payload } from '@sphereon/ssi-types'\nimport { type SDJWTVCConfig, SDJwtVcInstance, type VerificationResult } from '@sd-jwt/sd-jwt-vc'\nimport { isVcdm2SdJwt } from './types'\n\ninterface SdJwtVcdm2VerificationResult extends Omit<VerificationResult, 'payload'> {\n payload: SdJwtVcdm2Payload\n}\n\nexport class SDJwtVcdmInstanceFactory {\n static create(type: SdJwtType, config: SDJWTVCConfig | SDJWTVCDM2Config): SDJwtVcdm2Instance | SDJwtVcInstance {\n if (isVcdm2SdJwt(type)) {\n return new SDJwtVcdm2Instance(config as SDJWTVCDM2Config)\n }\n return new SDJwtVcInstance(config as SDJWTVCConfig)\n }\n}\n\n// @ts-ignore\nexport class SDJwtVcdm2Instance extends SDJwtInstance<SdJwtVcdm2Payload> {\n /**\n * The type of the SD-JWT VCDM2 set in the header.typ field.\n */\n protected static type = 'vc+sd-jwt'\n\n protected userConfig: SDJWTVCDM2Config = {}\n\n constructor(userConfig?: SDJWTVCDM2Config) {\n super(userConfig)\n if (userConfig) {\n this.userConfig = userConfig\n }\n }\n\n /**\n * Validates if the disclosureFrame contains any reserved fields. If so it will throw an error.\n * @param disclosureFrame\n */\n protected validateReservedFields(disclosureFrame: DisclosureFrame<SdJwtVcdm2Payload>): void {\n //validate disclosureFrame according to https://www.ietf.org/archive/id/draft-ietf-oauth-sd-jwt-vc-08.html#section-3.2.2.2\n // @ts-ignore\n if (disclosureFrame?._sd && Array.isArray(disclosureFrame._sd) && disclosureFrame._sd.length > 0) {\n const reservedNames = ['iss', 'nbf', 'exp', 'cnf', '@context', 'type', 'credentialStatus', 'credentialSchema', 'relatedResource']\n // check if there is any reserved names in the disclosureFrame._sd array\n const reservedNamesInDisclosureFrame = (disclosureFrame._sd as string[]).filter((key) => reservedNames.includes(key))\n if (reservedNamesInDisclosureFrame.length > 0) {\n throw new SDJWTException(`Cannot disclose protected field(s): ${reservedNamesInDisclosureFrame.join(', ')}`)\n }\n }\n }\n\n /**\n * Verifies the SD-JWT-VC. It will validate the signature, the keybindings when required, the status, and the VCT.\n * @param encodedSDJwt\n * @param options\n */\n async verify(encodedSDJwt: string, options?: VerifierOptions) {\n // Call the parent class's verify method\n const result: SdJwtVcdm2VerificationResult = await super.verify(encodedSDJwt, options).then((res) => {\n return {\n payload: res.payload as SdJwtVcdm2Payload,\n header: res.header,\n kb: res.kb,\n }\n })\n\n // await this.verifyStatus(result, options)\n\n return result\n }\n\n /**\n * Validates the integrity of the response if the integrity is passed. If the integrity does not match, an error is thrown.\n * @param integrity\n * @param response\n */\n private async validateIntegrity(response: Response, url: string, integrity?: string) {\n if (integrity) {\n // validate the integrity of the response according to https://www.w3.org/TR/SRI/\n const arrayBuffer = await response.arrayBuffer()\n const alg = integrity.split('-')[0]\n //TODO: error handling when a hasher is passed that is not supporting the required algorithm acording to the spec\n const hashBuffer = await (this.userConfig.hasher as Hasher)(arrayBuffer, alg)\n const integrityHash = integrity.split('-')[1]\n const hash = Array.from(new Uint8Array(hashBuffer))\n .map((byte) => byte.toString(16).padStart(2, '0'))\n .join('')\n if (hash !== integrityHash) {\n throw new Error(`Integrity check for ${url} failed: is ${hash}, but expected ${integrityHash}`)\n }\n }\n }\n\n /**\n * Fetches the content from the url with a timeout of 10 seconds.\n * @param url\n * @param integrity\n * @returns\n */\n protected async fetch<T>(url: string, integrity?: string): Promise<T> {\n try {\n const response = await fetch(url, {\n signal: AbortSignal.timeout(this.userConfig.timeout ?? 10000),\n })\n if (!response.ok) {\n const errorText = await response.text()\n return Promise.reject(new Error(`Error fetching ${url}: ${response.status} ${response.statusText} - ${errorText}`))\n }\n await this.validateIntegrity(response.clone(), url, integrity)\n return response.json() as Promise<T>\n } catch (error) {\n if ((error as Error).name === 'TimeoutError') {\n throw new Error(`Request to ${url} timed out`)\n }\n throw error\n }\n }\n\n public async issue<Payload extends SdJwtVcdm2Payload>(\n payload: Payload,\n disclosureFrame?: DisclosureFrame<Payload>,\n options?: {\n header?: object // This is for customizing the header of the jwt\n },\n ): Promise<SDJWTCompact> {\n if (payload.iss && !payload.issuer) {\n payload.issuer = { id: payload.iss }\n delete payload.iss\n }\n if (payload.nbf && !payload.validFrom) {\n payload.validFrom = toVcdm2Date(payload.nbf)\n delete payload.nbf\n }\n if (payload.exp && !payload.validUntil) {\n payload.validUntil = toVcdm2Date(payload.exp)\n delete payload.exp\n }\n if (payload.sub && !Array.isArray(payload.credentialSubject) && !payload.credentialSubject.id) {\n payload.credentialSubject.id = payload.sub\n delete payload.sub\n }\n return super.issue(payload, disclosureFrame, options)\n }\n}\n\nfunction toVcdm2Date(value: number | string): string {\n const num = typeof value === 'string' ? Number(value) : value\n if (!Number.isFinite(num)) {\n throw new SDJWTException(`Invalid numeric date: ${value}`)\n }\n // Convert JWT NumericDate (seconds since epoch) to W3C VCDM 2 date-time string (RFC 3339 / ISO 8601)\n return new Date(num * 1000).toISOString()\n}\n","import { SdJwtPayload } from '@sd-jwt/core'\nimport { SdJwtVcPayload as OrigSdJwtVcPayload } from '@sd-jwt/sd-jwt-vc'\nimport { Hasher, kbHeader, KBOptions, kbPayload, SaltGenerator, Signer } from '@sd-jwt/types'\nimport { IIdentifierResolution, ManagedIdentifierResult } from '@sphereon/ssi-sdk-ext.identifier-resolution'\nimport { IJwtService } from '@sphereon/ssi-sdk-ext.jwt-service'\nimport { X509CertificateChainValidationOpts } from '@sphereon/ssi-sdk-ext.x509-utils'\nimport { contextHasPlugin } from '@sphereon/ssi-sdk.agent-config'\nimport { ImDLMdoc } from '@sphereon/ssi-sdk.mdl-mdoc'\nimport {\n HasherSync,\n JoseSignatureAlgorithm,\n JsonWebKey,\n SdJwtType,\n SdJwtTypeMetadata,\n SdJwtVcdm2Payload,\n SdJwtVcKbJwtHeader,\n SdJwtVcKbJwtPayload,\n SdJwtVcType,\n SdJwtVpType,\n} from '@sphereon/ssi-types'\nimport { DIDDocumentSection, IAgentContext, IDIDManager, IKeyManager, IPluginMethodMap, IResolver } from '@veramo/core'\n\nexport const sdJwtPluginContextMethods: Array<string> = ['createSdJwtVc', 'createSdJwtPresentation', 'verifySdJwtVc', 'verifySdJwtPresentation']\n\n/**\n * My Agent Plugin description.\n *\n * This is the interface that describes what your plugin can do.\n * The methods listed here, will be directly available to the veramo agent where your plugin is going to be used.\n * Depending on the agent configuration, other agent plugins, as well as the application where the agent is used\n * will be able to call these methods.\n *\n * To build a schema for your plugin using standard tools, you must link to this file in your package.json.\n * Example:\n * ```\n * \"veramo\": {\n * \"pluginInterfaces\": {\n * \"IMyAgentPlugin\": \"./src/types/IMyAgentPlugin.ts\"\n * }\n * },\n * ```\n *\n * @beta\n */\nexport interface ISDJwtPlugin extends IPluginMethodMap {\n /**\n * Your plugin method description\n *\n * @param args - Input parameters for this method\n * @param context - The required context where this method can run.\n * Declaring a context type here lets other developers know which other plugins\n * need to also be installed for this method to work.\n */\n /**\n * Create a signed SD-JWT credential.\n * @param args - Arguments necessary for the creation of a SD-JWT credential.\n * @param context - This reserved param is automatically added and handled by the framework, *do not override*\n */\n createSdJwtVc(args: ICreateSdJwtVcArgs, context: IRequiredContext): Promise<ICreateSdJwtVcResult>\n\n /**\n * Create a signed SD-JWT presentation.\n * @param args - Arguments necessary for the creation of a SD-JWT presentation.\n * @param context - This reserved param is automatically added and handled by the framework, *do not override*\n */\n createSdJwtPresentation(args: ICreateSdJwtPresentationArgs, context: IRequiredContext): Promise<ICreateSdJwtPresentationResult>\n\n /**\n * Verify a signed SD-JWT credential.\n * @param args - Arguments necessary for the verification of a SD-JWT credential.\n * @param context - This reserved param is automatically added and handled by the framework, *do not override*\n */\n verifySdJwtVc(args: IVerifySdJwtVcArgs, context: IRequiredContext): Promise<IVerifySdJwtVcResult>\n\n /**\n * Verify a signed SD-JWT presentation.\n * @param args - Arguments necessary for the verification of a SD-JWT presentation.\n * @param context - This reserved param is automatically added and handled by the framework, *do not override*\n */\n verifySdJwtPresentation(args: IVerifySdJwtPresentationArgs, context: IRequiredContext): Promise<IVerifySdJwtPresentationResult>\n\n /**\n * Fetch and validate Type Metadata.\n * @param args - Arguments necessary for fetching and validating the type metadata.\n * @param context - This reserved param is automatically added and handled by the framework, *do not override*\n */\n fetchSdJwtTypeMetadataFromVctUrl(args: FetchSdJwtTypeMetadataFromVctUrlArgs, context: IRequiredContext): Promise<SdJwtTypeMetadata>\n}\n\nexport function contextHasSDJwtPlugin(context: IAgentContext<IPluginMethodMap>): context is IAgentContext<ISDJwtPlugin> {\n return contextHasPlugin(context, 'verifySdJwtVc')\n}\n\n/**\n * ICreateSdJwtVcArgs\n *\n * @beta\n */\n\nexport interface SdJwtVcPayload extends OrigSdJwtVcPayload {\n x5c?: string[]\n}\n\nexport type Vcdm2Enveloped = 'EnvelopedVerifiableCredential' | 'EnvelopedVerifiablePresentation'\n\nexport function isVcdm2SdJwt(type: SdJwtType | string): Boolean {\n return type === 'vc+sd-jwt' || type === 'vp+sd-jwt'\n}\n\nexport interface ICreateSdJwtVcArgs {\n type?: SdJwtVcType\n credentialPayload: SdJwtPayload\n\n // biome-ignore lint/suspicious/noExplicitAny: <explanation>\n disclosureFrame?: IDisclosureFrame\n\n resolution?: ManagedIdentifierResult\n}\n\n/**\n * @beta\n */\nexport interface IDisclosureFrame {\n _sd?: string[]\n _sd_decoy?: number\n\n [x: string]: string[] | number | IDisclosureFrame | undefined\n}\n\n/**\n * ICreateSdJwtVcResult\n *\n * @beta\n */\nexport interface ICreateSdJwtVcResult {\n type: SdJwtVcType\n\n /**\n * the encoded sd-jwt credential\n */\n credential: string\n}\n\n/**\n *\n * @beta\n */\nexport interface ICreateSdJwtPresentationArgs {\n /**\n * Encoded SD-JWT credential\n */\n presentation: string\n\n /*\n * The keys to use for selective disclosure for presentation\n * if not provided, all keys will be disclosed\n * if empty object, no keys will be disclosed\n */\n presentationFrame?: IPresentationFrame\n\n /**\n * Allows to override the holder. Normally it will be looked up from the cnf or sub values\n */\n holder?: string\n\n /**\n * Information to include to add key binding.\n */\n kb?: KBOptions\n\n type?: SdJwtVpType\n\n vcdm2Enveloped?: Vcdm2Enveloped\n}\n\n/**\n * @beta\n */\nexport interface IPresentationFrame {\n [x: string]: boolean | IPresentationFrame\n}\n\n/**\n * Created presentation\n * @beta\n */\nexport interface ICreateSdJwtPresentationResult {\n /**\n * Encoded presentation.\n */\n presentation: string\n\n type: SdJwtVpType\n}\n\n/**\n * @beta\n */\nexport interface IVerifySdJwtVcArgs {\n credential: string\n opts?: {\n x5cValidation?: X509CertificateChainValidationOpts\n }\n}\n\n/**\n * @beta\n */\nexport type IVerifySdJwtVcResult = {\n type: SdJwtVcType\n payload: SdJwtVcPayload | SdJwtVcdm2Payload\n header: Record<string, unknown>\n kb?: { header: kbHeader; payload: kbPayload }\n}\n\n/**\n * @beta\n */\nexport interface IVerifySdJwtPresentationArgs {\n presentation: string\n\n requiredClaimKeys?: string[]\n\n /**\n * nonce used to verify the key binding jwt to prevent replay attacks.\n */\n keyBindingNonce?: string\n\n /**\n * Audience used to verify the key binding jwt\n */\n keyBindingAud?: string\n}\n\n/**\n * @beta\n */\nexport type IVerifySdJwtPresentationResult = {\n payload: unknown //fixme: maybe this can be `SdJwtPayload`\n header: Record<string, unknown> | undefined\n kb?: { header: kbHeader; payload: kbPayload }\n}\n\nexport type SignKeyArgs = {\n identifier: string\n vmRelationship: DIDDocumentSection\n resolution?: ManagedIdentifierResult\n}\n\nexport type SignKeyResult = {\n alg: JoseSignatureAlgorithm\n key: {\n kid?: string\n kmsKeyRef: string\n x5c?: string[]\n jwkThumbprint?: string\n }\n}\n/**\n * This context describes the requirements of this plugin.\n * For this plugin to function properly, the agent needs to also have other plugins installed that implement the\n * interfaces declared here.\n * You can also define requirements on a more granular level, for each plugin method or event handler of your plugin.\n *\n * @beta\n */\nexport type IRequiredContext = IAgentContext<IDIDManager & IIdentifierResolution & IJwtService & IResolver & IKeyManager & ImDLMdoc>\n\nexport type SdJwtVerifySignature = (data: string, signature: string, publicKey: JsonWebKey) => Promise<boolean>\nexport interface SdJWTImplementation {\n saltGenerator?: SaltGenerator\n hasher?: HasherSync\n verifySignature?: SdJwtVerifySignature\n}\n\nexport interface Claims {\n /**\n * Subject of the SD-JWT\n */\n sub?: string\n cnf?: {\n jwk?: JsonWebKey\n kid?: string\n }\n\n [key: string]: unknown\n}\n\nexport type FetchSdJwtTypeMetadataFromVctUrlArgs = {\n vct: string\n vctIntegrity?: string\n opts?: FetchSdJwtTypeMetadataFromVctUrlOpts\n}\n\nexport type FetchSdJwtTypeMetadataFromVctUrlOpts = {\n hasher?: HasherSync | Hasher\n}\n\nexport type GetSignerForIdentifierArgs = {\n identifier: string\n resolution?: ManagedIdentifierResult\n}\n\nexport type GetSignerResult = {\n signer: Signer\n alg?: string\n signingKey?: SignKeyResult\n}\n\nexport type PartialSdJwtKbJwt = {\n header: Partial<SdJwtVcKbJwtHeader>\n payload: Partial<SdJwtVcKbJwtPayload>\n}\n"],"mappings":";;;;AAAA,SAAcA,aAAsD;AACpE,SAASC,mBAAAA,wBAA4C;AAErD,SAASC,wBAAwBC,iCAAiC;AAKlE,OAAOC,WAAW;;;ACRlB,SAASC,0BAA0B;AACnC,SAAsCC,eAAe;AACrD,SAASC,UAAU;AAEnB,SAASC,kBAAkB;AAGpB,IAAMC,wBAAoC,wBAACC,MAAgDC,QAAAA;AAChG,SAAOC,mBAAmBD,IAAIE,SAAS,KAAA,IAAS,YAAY,SAAA,EAAWC,KACrE,OAAOJ,SAAS,WAAWK,WAAWL,MAAM,OAAA,IAAW,IAAIM,WAAWN,IAAAA,CAAAA;AAE1E,GAJiD;AAM1C,IAAMO,sBAAsB,6BAAA;AACjC,SAAOC,GAAAA;AACT,GAFmC;AAI5B,IAAMC,yBACX,wBAACC,YACD,OAAOV,MAAcW,WAAmBC,cAAAA;AAEtC,QAAMC,SAAS,MAAMH,QAAQI,MAAMC,sBAAsB;IAAEC,KAAK,GAAGhB,IAAAA,IAAQW,SAAAA;IAAaM,KAAKL;EAAiB,CAAA;AAC9GM,UAAQC,QAAQC,IAAI,QAAA,EAAUC,KAAK,sCAAsCR,OAAOS,OAAO,EAAE;AACzF,SAAO,CAACT,OAAOU;AACjB,GANA;;;AClBK,IAAMC,cACX;AAIK,IAAMC,aACX;;;ACDF,YAAYC,SAAS;AAErB,SAASC,YAAAA,iBAAgB;AAGzB,eAAsBC,0BAA0BC,KAAW;AACzD,QAAMC,WAAW,MAAMC,MAAMF,GAAAA;AAC7B,MAAI,CAACC,SAASE,IAAI;AAChB,UAAM,IAAIC,MAAM,GAAGH,SAASI,MAAM,KAAKJ,SAASK,UAAU,EAAE;EAC9D;AACA,SAAOL;AACT;AANsBF;AAUtB,SAASQ,4BAA4BC,gBAAuB;AAC1D,QAAMC,MAAMD,gBAAgBE,YAAAA,EAAcC,KAAAA,EAAOC,MAAM,GAAA,EAAK,CAAA;AAC5D,MAAIH,QAAQ,YAAYA,QAAQ,YAAYA,QAAQ,UAAU;AAC5D,WAAOA;EACT;AACA,SAAOI;AACT;AANSN;AAQF,SAASO,yBAAyBN,gBAAuB;AAC9D,SAAOA,gBAAgBE,YAAAA,EAAcC,KAAAA,EAAOC,MAAM,GAAA,EAAK,CAAA;AACzD;AAFgBE;AAIhB,eAAsBC,kBAAkB,EACtCC,OACAR,gBACAS,OAAM,GAKP;AACC,MAAI,CAACT,gBAAgB;AACnB,WAAO;EACT;AACA,QAAMU,MAAMX,4BAA4BC,cAAAA;AACxC,MAAI,CAACU,KAAK;AACR,WAAO;EACT;AACA,QAAMC,iBAAiB,MAAMC,gBAAgB;IAAEH;IAAQD;IAAOE;EAAI,CAAA;AAClE,SAAOC,kBAAkBX;AAC3B;AAlBsBO;AAoBtB,eAAsBK,gBAAgB,EACpCJ,OACAC,QACAC,MAAM,SAAQ,GAKf;AACC,QAAMC,iBAAiB,MAAMF,OAAO,OAAOD,UAAU,WAAWA,QAAQK,KAAKC,UAAUN,KAAAA,GAAQE,GAAAA;AAC/F,SAAO,GAAGA,GAAAA,IAAOK,UAASJ,gBAAgB,QAAA,CAAA;AAC5C;AAXsBC;AAaf,SAASI,wBAAwBC,UAA6BC,KAAW;AAC9E,MAAID,SAASC,QAAQA,KAAK;AACxB,UAAM,IAAItB,MAAM,yCAAA;EAClB;AACF;AAJgBoB;AAMT,SAASG,oBAAoBC,SAAqB;AACvD,SACE,UAAUA,WACVC,MAAMC,QAAQF,QAAQG,IAAI,KAC1BH,QAAQG,KAAKC,SAAS,sBAAA,KACtB,cAAcJ,YACZ,OAAOA,QAAQ,UAAA,MAAgB,YAAYA,QAAQ,UAAA,EAAYK,SAAS,KACvEJ,MAAMC,QAAQF,QAAQ,UAAA,CAAW,KAAKA,QAAQ,UAAA,EAAYK,SAAS,KAAKL,QAAQ,UAAA,EAAYI,SAAS,sCAAA;AAE5G;AATgBL;AAWT,SAASO,iBAAiBN,SAAqB;AACpD,SAAO,CAACD,oBAAoBC,OAAAA,KAAY,SAASA,WAAW,OAAOA,QAAQF,QAAQ;AACrF;AAFgBQ;AAIT,SAASC,mBAAmBP,SAAqB;AACtD,MAAIQ;AACJ,MAAIF,iBAAiBN,OAAAA,KAAY,SAASA,SAAS;AACjDQ,aAASR,QAAQS;EACnB,WAAWV,oBAAoBC,OAAAA,KAAa,YAAYA,WAAWA,QAAQQ,QAAS;AAClFA,aAAS,OAAOR,QAAQQ,WAAW,WAAWR,QAAQQ,SAAUR,QAAQQ,QAAgBE;EAC1F;AAEA,MAAI,CAACF,QAAQ;AACX,UAAM,IAAIhC,MAAM,kFAAA;EAClB;AACA,SAAOgC;AACT;AAZgBD;AAcT,SAASI,gBAAgBC,gBAAwBtB,KAAaD,QAAc;AACjF,QAAMwB,SAASxB,OAAOuB,gBAAgBtB,GAAAA;AACtC,SAAWK,aAASkB,QAAQ,WAAA;AAC9B;AAHgBF;;;ACpGhB,SAASG,qBAA2C;AAEpD,SAASC,sBAAsB;AAE/B,SAA6BC,uBAAgD;;;ACE7E,SAASC,wBAAwB;AAgB1B,IAAMC,4BAA2C;EAAC;EAAiB;EAA2B;EAAiB;;AAmE/G,SAASC,sBAAsBC,SAAwC;AAC5E,SAAOC,iBAAiBD,SAAS,eAAA;AACnC;AAFgBD;AAgBT,SAASG,aAAaC,MAAwB;AACnD,SAAOA,SAAS,eAAeA,SAAS;AAC1C;AAFgBD;;;AD9FT,IAAME,2BAAN,MAAMA;EAXb,OAWaA;;;EACX,OAAOC,OAAOC,MAAiBC,QAAgF;AAC7G,QAAIC,aAAaF,IAAAA,GAAO;AACtB,aAAO,IAAIG,mBAAmBF,MAAAA;IAChC;AACA,WAAO,IAAIG,gBAAgBH,MAAAA;EAC7B;AACF;AAGO,IAAME,qBAAN,cAAiCE,cAAAA;EArBxC,OAqBwCA;;;;;;EAItC,OAAiBL,OAAO;EAEdM,aAA+B,CAAC;EAE1C,YAAYA,YAA+B;AACzC,UAAMA,UAAAA;AACN,QAAIA,YAAY;AACd,WAAKA,aAAaA;IACpB;EACF;;;;;EAMUC,uBAAuBC,iBAA2D;AAG1F,QAAIA,iBAAiBC,OAAOC,MAAMC,QAAQH,gBAAgBC,GAAG,KAAKD,gBAAgBC,IAAIG,SAAS,GAAG;AAChG,YAAMC,gBAAgB;QAAC;QAAO;QAAO;QAAO;QAAO;QAAY;QAAQ;QAAoB;QAAoB;;AAE/G,YAAMC,iCAAkCN,gBAAgBC,IAAiBM,OAAO,CAACC,QAAQH,cAAcI,SAASD,GAAAA,CAAAA;AAChH,UAAIF,+BAA+BF,SAAS,GAAG;AAC7C,cAAM,IAAIM,eAAe,uCAAuCJ,+BAA+BK,KAAK,IAAA,CAAA,EAAO;MAC7G;IACF;EACF;;;;;;EAOA,MAAMC,OAAOC,cAAsBC,SAA2B;AAE5D,UAAMC,SAAuC,MAAM,MAAMH,OAAOC,cAAcC,OAAAA,EAASE,KAAK,CAACC,QAAAA;AAC3F,aAAO;QACLC,SAASD,IAAIC;QACbC,QAAQF,IAAIE;QACZC,IAAIH,IAAIG;MACV;IACF,CAAA;AAIA,WAAOL;EACT;;;;;;EAOA,MAAcM,kBAAkBC,UAAoBC,KAAaC,WAAoB;AACnF,QAAIA,WAAW;AAEb,YAAMC,cAAc,MAAMH,SAASG,YAAW;AAC9C,YAAMC,MAAMF,UAAUG,MAAM,GAAA,EAAK,CAAA;AAEjC,YAAMC,aAAa,MAAO,KAAK9B,WAAW+B,OAAkBJ,aAAaC,GAAAA;AACzE,YAAMI,gBAAgBN,UAAUG,MAAM,GAAA,EAAK,CAAA;AAC3C,YAAMI,OAAO7B,MAAM8B,KAAK,IAAIC,WAAWL,UAAAA,CAAAA,EACpCM,IAAI,CAACC,SAASA,KAAKC,SAAS,EAAA,EAAIC,SAAS,GAAG,GAAA,CAAA,EAC5C1B,KAAK,EAAA;AACR,UAAIoB,SAASD,eAAe;AAC1B,cAAM,IAAIQ,MAAM,uBAAuBf,GAAAA,eAAkBQ,IAAAA,kBAAsBD,aAAAA,EAAe;MAChG;IACF;EACF;;;;;;;EAQA,MAAgBS,MAAShB,KAAaC,WAAgC;AACpE,QAAI;AACF,YAAMF,WAAW,MAAMiB,MAAMhB,KAAK;QAChCiB,QAAQC,YAAYC,QAAQ,KAAK5C,WAAW4C,WAAW,GAAA;MACzD,CAAA;AACA,UAAI,CAACpB,SAASqB,IAAI;AAChB,cAAMC,YAAY,MAAMtB,SAASuB,KAAI;AACrC,eAAOC,QAAQC,OAAO,IAAIT,MAAM,kBAAkBf,GAAAA,KAAQD,SAAS0B,MAAM,IAAI1B,SAAS2B,UAAU,MAAML,SAAAA,EAAW,CAAA;MACnH;AACA,YAAM,KAAKvB,kBAAkBC,SAAS4B,MAAK,GAAI3B,KAAKC,SAAAA;AACpD,aAAOF,SAAS6B,KAAI;IACtB,SAASC,OAAO;AACd,UAAKA,MAAgBC,SAAS,gBAAgB;AAC5C,cAAM,IAAIf,MAAM,cAAcf,GAAAA,YAAe;MAC/C;AACA,YAAM6B;IACR;EACF;EAEA,MAAaE,MACXpC,SACAlB,iBACAc,SAGuB;AACvB,QAAII,QAAQqC,OAAO,CAACrC,QAAQsC,QAAQ;AAClCtC,cAAQsC,SAAS;QAAEC,IAAIvC,QAAQqC;MAAI;AACnC,aAAOrC,QAAQqC;IACjB;AACA,QAAIrC,QAAQwC,OAAO,CAACxC,QAAQyC,WAAW;AACrCzC,cAAQyC,YAAYC,YAAY1C,QAAQwC,GAAG;AAC3C,aAAOxC,QAAQwC;IACjB;AACA,QAAIxC,QAAQ2C,OAAO,CAAC3C,QAAQ4C,YAAY;AACtC5C,cAAQ4C,aAAaF,YAAY1C,QAAQ2C,GAAG;AAC5C,aAAO3C,QAAQ2C;IACjB;AACA,QAAI3C,QAAQ6C,OAAO,CAAC7D,MAAMC,QAAQe,QAAQ8C,iBAAiB,KAAK,CAAC9C,QAAQ8C,kBAAkBP,IAAI;AAC7FvC,cAAQ8C,kBAAkBP,KAAKvC,QAAQ6C;AACvC,aAAO7C,QAAQ6C;IACjB;AACA,WAAO,MAAMT,MAAMpC,SAASlB,iBAAiBc,OAAAA;EAC/C;AACF;AAEA,SAAS8C,YAAYK,OAAsB;AACzC,QAAMC,MAAM,OAAOD,UAAU,WAAWE,OAAOF,KAAAA,IAASA;AACxD,MAAI,CAACE,OAAOC,SAASF,GAAAA,GAAM;AACzB,UAAM,IAAIxD,eAAe,yBAAyBuD,KAAAA,EAAO;EAC3D;AAEA,SAAO,IAAII,KAAKH,MAAM,GAAA,EAAMI,YAAW;AACzC;AAPSV;;;AJzGT,YAAYW,UAAS;AAErB,IAAMC,QAAQC,MAAM,0BAAA;AAMb,IAAMC,cAAN,MAAMA;EAlDb,OAkDaA;;;;EAEMC;EACAC;EACTC;EACAC;EAER,YACEF,2BAIAD,mBACA;AACA,SAAKA,oBAAoBA,qBAAqB,CAAA;AAC9C,QAAI,CAACC,2BAA2B;AAC9BA,kCAA4B,CAAC;IAC/B;AACA,QAAI,OAAOA,2BAA2BG,WAAW,YAAY;AAC3DH,gCAA0BG,SAASC;IACrC;AACA,QAAI,OAAOJ,2BAA2BK,kBAAkB,YAAY;AAClEL,gCAA0BK,gBAAgBC;IAC5C;AACA,SAAKN,4BAA4BA;AACjC,SAAKC,WAAWD,2BAA2BO,WAAW,CAAC;AACvD,SAAKL,iBAAiBF,2BAA2BQ;EAGnD;;EAGSC,UAAwB;IAC/BC,eAAe,KAAKA,cAAcC,KAAK,IAAI;IAC3CC,yBAAyB,KAAKA,wBAAwBD,KAAK,IAAI;IAC/DE,eAAe,KAAKA,cAAcF,KAAK,IAAI;IAC3CG,yBAAyB,KAAKA,wBAAwBH,KAAK,IAAI;IAC/DI,kCAAkC,KAAKA,iCAAiCJ,KAAK,IAAI;EACnF;EAEA,MAAcK,uBAAuBC,MAAkCC,SAAqD;AAC1H,UAAM,EAAEC,YAAYC,WAAU,IAAKH;AACnC,QAAII,OAAOC,KAAK,KAAKrB,QAAQ,EAAEsB,SAASJ,UAAAA,KAAe,OAAO,KAAKlB,SAASkB,UAAAA,MAAgB,YAAY;AACtG,aAAO;QAAEK,QAAQ,KAAKvB,SAASkB,UAAAA;MAAY;IAC7C,WAAW,OAAO,KAAKjB,mBAAmB,YAAY;AACpD,aAAO;QAAEsB,QAAQ,KAAKtB;MAAe;IACvC;AACA,UAAMuB,aAAa,MAAM,KAAKC,WAAW;MAAEP;MAAYQ,gBAAgB;MAAmBP;IAAW,GAAGF,OAAAA;AACxG,UAAM,EAAEU,KAAKC,IAAG,IAAKJ;AAErB,UAAMD,SAAiB,8BAAOM,SAAAA;AAC5B,aAAOZ,QAAQa,MAAMC,eAAe;QAAEC,QAAQL,IAAIM;QAAWJ;MAAK,CAAA;IACpE,GAFuB;AAIvB,WAAO;MAAEN;MAAQK;MAAKJ;IAAW;EACnC;;;;;;;EAQA,MAAMf,cAAcO,MAA0BC,SAA0D;AACtG,UAAMiB,UAAUlB,KAAKmB;AACrB,UAAMC,UAAUC,oBAAoBH,OAAAA;AACpC,UAAMI,YAAYC,iBAAiBL,OAAAA;AACnC,UAAMM,OAAOxB,KAAKwB,SAASJ,UAAU,cAAc;AAEnD,UAAMK,SAASC,mBAAmB1B,KAAKmB,iBAAiB;AACxD,QAAI,CAACM,QAAQ;AACX,YAAM,IAAIE,MAAM,qCAAA;IAClB;AACA,UAAM,EAAEf,KAAKL,QAAQC,WAAU,IAAK,MAAM,KAAKT,uBAAuB;MAAEG,YAAYuB;MAAQtB,YAAYH,KAAKG;IAAW,GAAGF,OAAAA;AAC3H,UAAM2B,UAAUhB,OAAOJ,YAAYI,OAAO;AAC1C,UAAMiB,UAAyB,WAAWC,KAAKF,OAAAA,IAAY,OAAOA,QAAQG,MAAM,EAAC,CAAA,KAAyB;AAC1G,UAAMC,QAAQC,yBAAyBC,OAAOV,MAAM;MAClDW,SAAS;MACT5B;MACArB,QAAQ,KAAKH,0BAA0BG;MACvCE,eAAe,KAAKL,0BAA0BK;MAC9CwC;MACAC;IACF,CAAA;AAEA,UAAMO,SAAS;MACb,GAAI5B,YAAYG,IAAI0B,QAAQC,UAAa;QAAED,KAAK7B,WAAWG,IAAI0B;MAAI;MACnE,GAAI7B,YAAYG,IAAI4B,QAAQD,UAAa;QAAEC,KAAK/B,WAAWG,IAAI4B;MAAI;MACnE,GAAIf,QAAQ;QAAEgB,KAAKhB;MAAK;IAC1B;AACA,QAAIiB;AACJ,QAAIrB,SAAS;AACXqB,mBAAa,MAAOT,MAA6BU;QAC/CxB;;QAEAlB,KAAK2C;QACL;UAAEP;QAAO;MAAA;IAEb,WAAWd,WAAW;AACpBmB,mBAAa,MAAOT,MAA0BU,MAAMxB,SAASlB,KAAK2C,iBAAoD;QAAEP;MAAO,CAAA;IACjI,OAAO;AACL,aAAOQ,QAAQC,OAAO,IAAIlB,MAAM,iCAAiCH,IAAAA,yBAA6B,CAAA;IAChG;AAEA,WAAO;MAAEA;MAAMiB;IAAW;EAC5B;;;;;;;EAQA,MAAMhC,WAAWT,MAAmBC,SAAmD;AAErF,UAAM,EAAEC,YAAYC,WAAU,IAAK;MAAE,GAAGH;IAAK;AAC7C,QAAIG,YAAY;AACd,YAAMQ,MAAMR,WAAWQ;AACvB,YAAMC,MAAM,MAAMkC,0BAA0B;QAAEnC;MAAI,CAAA;AAClD,cAAQR,WAAW4C,QAAM;QACvB,KAAK;AACHpE,gBAAM,eAAegC,IAAIqC,YAAY,yBAAyB9C,UAAAA,EAAY;AAC1E,iBAAO;YAAEU;YAAKD,KAAK;cAAE,GAAGA;cAAKM,WAAWd,WAAWc;cAAWoB,KAAKlC,WAAWkC;YAAI;UAAE;QACtF;AACE,cAAI1B,IAAIsC,MAAMC,QAAQvC,IAAIsC,KAAKC,KAAKX,KAAK;AACvC,mBAAO;cAAE3B;cAAKD,KAAK;gBAAE0B,KAAKlC,WAAWkC;gBAAKpB,WAAWd,WAAWc;gBAAWsB,KAAK5B,IAAIsC,KAAKC,KAAKX;cAAgB;YAAE;UAClH,WAAW5B,IAAIsC,MAAME,eAAe;AAClC,mBAAO;cAAEvC;cAAKD,KAAK;gBAAE0B,KAAKlC,WAAWkC;gBAAKpB,WAAWd,WAAWc;gBAAWkC,eAAexC,IAAIsC,KAAKE;cAAc;YAAE;UACrH,OAAO;AACL,mBAAO;cAAEvC;cAAKD,KAAK;gBAAE0B,KAAKlC,WAAWkC;gBAAKpB,WAAWd,WAAWc;cAAU;YAAE;UAC9E;MACJ;IACF,WAAWf,WAAWkD,WAAW,MAAA,GAAS;AACxC,YAAMC,gBAAgB,MAAMpD,QAAQa,MAAMwC,0BAA0B;QAAEpD;MAAW,CAAA;AACjF,UAAI,CAACmD,eAAe;AAClB,cAAM,IAAI1B,MAAM,2CAA2CzB,UAAAA,EAAY;MACzE;AACA,YAAMS,MAAM0C,cAAc1C;AAC1B,YAAMC,MAAM,MAAMkC,0BAA0B;QAAEnC;MAAI,CAAA;AAClDhC,YAAM,eAAegC,IAAIqC,YAAY,yBAAyB9C,UAAAA,EAAY;AAE1E,aAAO;QAAEU;QAAKD,KAAK;UAAE,GAAGA;UAAKM,WAAWoC,cAAcpC;UAAWoB,KAAKgB,cAAchB;QAAI;MAAE;IAC5F,OAAO;AACL,YAAMkB,gBAAgB,MAAMtD,QAAQa,MAAM0C,0BAA0B;QAAEtD;MAAW,CAAA;AACjF,UAAI,CAACqD,eAAe;AAClB,cAAM,IAAI5B,MAAM,2CAA2CzB,UAAAA,EAAY;MACzE;AACA,YAAMS,MAAM4C,cAAc5C;AAC1B,YAAMC,MAAM,MAAMkC,0BAA0B;QAAEnC;MAAI,CAAA;AAClD,UAAIA,IAAIsC,MAAMC,QAAQvC,IAAIsC,KAAKC,KAAKX,KAAK;AACvC,eAAO;UAAE3B;UAAKD,KAAK;YAAE0B,KAAKkB,cAAclB;YAAKpB,WAAWsC,cAActC;YAAWsB,KAAK5B,IAAIsC,KAAKC,KAAKX;UAAgB;QAAE;MACxH,WAAW5B,IAAIsC,MAAME,eAAe;AAClC,eAAO;UAAEvC;UAAKD,KAAK;YAAE0B,KAAKkB,cAAclB;YAAKpB,WAAWsC,cAActC;YAAWkC,eAAexC,IAAIsC,KAAKE;UAAc;QAAE;MAC3H,OAAO;AACL,eAAO;UAAEvC;UAAKD,KAAK;YAAE0B,KAAKkB,cAAclB;YAAKpB,WAAWsC,cAActC;UAAU;QAAE;MACpF;IACF;EACF;;;;;;;EAQA,MAAMtB,wBAAwBK,MAAoCC,SAAoE;AACpI,UAAMuB,OAAOxB,KAAKwB,QAAQ;AAE1B,UAAMiC,OAAO,MAAMC,MAAMC,WAAW3D,KAAK4D,cAAc,KAAK7E,0BAA0BG,MAAM;AAE5F,UAAM2E,SAAS,MAAMJ,KAAKK,UAAkB,KAAK/E,0BAA0BG,MAAM;AACjF,QAAI6E;AAEJ,QAAI/D,KAAK+D,QAAQ;AACfA,eAAS/D,KAAK+D;IAChB,WAAWF,OAAOG,KAAKC,KAAK;AAC1B,YAAMA,MAAMJ,OAAOG,IAAIC;AACvBF,eAASG,uBAAuB;QAAED;MAAgB,CAAA;IACpD,WAAWJ,OAAOG,KAAK3B,KAAK;AAC1B0B,eAASF,OAAOG,KAAK3B;IACvB,WAAWwB,OAAOM,KAAK;AACrBJ,eAASF,OAAOM;IAClB,OAAO;AACL,YAAM,IAAIxC,MAAM,kEAAA;IAClB;AACA,UAAM,EAAEf,KAAKL,OAAM,IAAK,MAAM,KAAKR,uBAAuB;MAAEG,YAAY6D;IAAO,GAAG9D,OAAAA;AAElF,UAAM+B,QAAQC,yBAAyBC,OAAOV,MAAM;MAClDW,SAAS;MACTjD,QAAQ,KAAKH,0BAA0BG;MACvCE,eAAe,KAAKL,0BAA0BK;MAC9CgF,UAAU7D;MACV8D,WAAWzD,OAAO;IACpB,CAAA;AAEA,UAAMgD,eAAe,MAAM5B,MAAMsC,QAAQtE,KAAK4D,cAAc5D,KAAKuE,mBAAwD;MAAEC,IAAIxE,KAAKwE;IAAG,CAAA;AAEvI,WAAO;MAAEhD;MAAMoC;IAAa;EAC9B;;;;;;;EAQA,MAAMhE,cAAcI,MAA0BC,SAA0D;AAEtG,UAAMwE,WAAqB,8BAAO5D,MAAc6D,cAAsB,KAAKC,mBAAmB3C,OAAO/B,SAASY,MAAM6D,SAAAA,GAAzF;AAE3B,UAAMjB,OAAO,MAAMC,MAAMC,WAAW3D,KAAKyC,YAAY,KAAK1D,0BAA0BG,MAAM;AAC1F,UAAMsC,OAAOH,oBAAoBoC,KAAKmB,KAAK1D,OAAAA,IAA2B,cAAc;AAEpF,UAAMc,QAAQC,yBAAyBC,OAAOV,MAAM;MAAEiD;MAAUvF,QAAQ,KAAKH,0BAA0BG,UAAUC;IAAsB,CAAA;AAGvI,UAAM,EAAEiD,SAAS,CAAC,GAAGlB,SAASsD,GAAE,IAAK,MAAMxC,MAAM6C,OAAO7E,KAAKyC,YAAY;MAAEqC,aAAa,KAAK,KAAK,KAAK;IAAE,CAAA;AAEzG,WAAO;MAAEtD;MAAMY;MAAQlB;MAASsD;IAAG;EACrC;;;;;;;;;;EAWQO,SAAS9E,SAA2BY,MAAc6D,WAAmBxD,SAAuC;AAClH,QAAI,CAACA,QAAQ8C,KAAK;AAChB,YAAMrC,MAAM,4CAAA;IACd;AAIA,WAAO,KAAKqD,wBAAwB/E,OAAAA,EAASY,MAAM6D,WAAW,KAAKO,OAAO/D,OAAAA,CAAAA;EAC5E;;;;;;;;;EAUA,MAAMyD,mBACJ3C,OACA/B,SACAY,MACA6D,WACAQ,MACkB;AAClB,UAAMC,YAAY,MAAMnD,MAAMoD,OAAO,GAAGvE,IAAAA,IAAQ6D,SAAAA,EAAW;AAC3D,UAAMxD,UAAyBiE,UAAUP,IAAY1D;AACrD,UAAMO,SAAiBC,mBAAmBR,OAAAA;AAC1C,UAAMkB,SAAU+C,UAAUP,IAAYxC;AACtC,UAAMG,MAA4BH,QAAQG;AAC1C,QAAI0B,MAAoC7B,OAAO6B;AAC/C,QAAI1B,KAAK8C,QAAQ;AACf,YAAMC,eAAe,oBAAIC,IAAY;WAAI,KAAKzG;OAAkB;AAChE,UAAIwG,aAAaE,SAAS,GAAG;AAC3BF,qBAAaG,IAAIC,UAAAA;AACjBJ,qBAAaG,IAAIE,WAAAA;MACnB;AACA,YAAMC,8BAA8B,MAAM3F,QAAQa,MAAM+E,2BAA2B;QACjFC,OAAOvD;QACP+C,cAAcS,MAAMC,KAAKV,YAAAA;;QAEzBJ,MAAMA,MAAMe,iBAAiB;UAAEC,wBAAwB;UAAMC,0BAA0B;QAAK;MAC9F,CAAA;AAEA,UAAIP,4BAA4BQ,SAAS,CAACR,6BAA6BS,kBAAkB;AACvF,eAAOzD,QAAQC,OAAOlB,MAAM,wCAAwCiE,4BAA4BU,OAAO,EAAE,CAAA;MAC3G;AACA,YAAMC,WAAWX,4BAA4BS,iBAAiB,CAAA;AAC9DpC,YAAMsC,SAASC;IACjB;AAEA,QAAI,CAACvC,OAAO7B,OAAOC,KAAK/B,SAAS,MAAA,GAAS;AACxC,YAAMmG,SAAS,MAAMxG,QAAQa,MAAM4F,WAAW;QAAEC,QAAQvE,OAAOC;MAAI,CAAA;AACnE,UAAI,CAACoE,QAAQ;AACX,cAAM,IAAI9E,MAAM,0DAAA;MAClB;AAEA,YAAMiF,iBAAiBH,OAAOI,aAAaC,oBAAoBC,KAAK,CAACpG,QAAQA,IAAIqG,EAAE;AACnF,UAAI,CAACJ,gBAAgB;AACnB,cAAM,IAAIjF,MAAM,qEAAA;MAClB;AAGAsC,YAAM2C,eAAeK;IACvB;AAEA,QAAI,CAAChD,OAAOxC,OAAOnB,SAAS,MAAA,GAAS;AAEnC,YAAMmG,SAAS,MAAMxG,QAAQa,MAAM4F,WAAW;QAAEC,QAAQlF;MAAO,CAAA;AAC/D,UAAI,CAACgF,QAAQ;AACX,cAAM,IAAI9E,MAAM,0DAAA;MAClB;AAEA,YAAMiF,iBAAiBH,OAAOI,aAAaC,oBAAoBC,KAAK,CAACpG,QAAQA,IAAIqG,EAAE;AACnF,UAAI,CAACJ,gBAAgB;AACnB,cAAM,IAAIjF,MAAM,qEAAA;MAClB;AAGAsC,YAAM2C,eAAeK;IACvB;AAEA,QAAI,CAAChD,KAAK;AACR,YAAM,IAAItC,MAAM,sDAAA;IAClB;AAEA,WAAO,KAAKqD,wBAAwB/E,OAAAA,EAASY,MAAM6D,WAAWT,GAAAA;EAChE;;;;;;;EAQA,MAAMpE,wBAAwBG,MAAoCC,SAAoE;AACpI,QAAI+B;AACJ,UAAMyC,WAAqB,8BAAO5D,MAAc6D,cAAsB,KAAKC,mBAAmB3C,OAAO/B,SAASY,MAAM6D,SAAAA,GAAzF;AAC3B,UAAMwC,aAAyB,8BAAOrG,MAAc6D,WAAmBxD,YAAwB,KAAK6D,SAAS9E,SAASY,MAAM6D,WAAWxD,OAAAA,GAAxG;AAC/Bc,YAAQ,IAAImF,iBAAgB;MAC1B1C;MACAvF,QAAQ,KAAKH,0BAA0BG;MACvCkI,YAAYF;IACd,CAAA;AAEA,UAAMG,eAAgC;MACpCC,mBAAmBtH,KAAKsH;MACxBC,iBAAiBvH,KAAKuH;IACxB;AAEA,WAAOvF,MAAM6C,OAAO7E,KAAK4D,cAAcyD,YAAAA;EACzC;;;;;;;EAQA,MAAMvH,iCAAiCE,MAA4CC,SAAuD;AACxI,UAAM,EAAEuH,KAAKC,cAAcvC,KAAI,IAAKlF;AACpC,UAAM0H,MAAM,IAAIC,IAAIH,GAAAA;AAEpB,UAAMI,WAAW,MAAMC,0BAA0BH,IAAII,SAAQ,CAAA;AAC7D,UAAMC,WAA+B,MAAMH,SAASI,KAAI;AACxDC,4BAAwBF,UAAUP,GAAAA;AAElC,UAAMU,WAAW,8BAAOV,MAAaW,OAAgBC,gBAAyBlJ,YAAAA;AAC5E,UAAIA,WAAUkJ,gBAAgB;AAC5B,cAAMC,aAAa,MAAMC,kBAAkB;UAAEF;UAAgBD;UAAOjJ,QAAAA;QAAO,CAAA;AAC3E,YAAI,CAACmJ,YAAY;AACf,iBAAOzF,QAAQC,OAAOlB,MAAM,mCAAmC6F,IAAAA,cAAiBO,SAASQ,OAAO,gBAAgBH,cAAAA,GAAiB,CAAA;QACnI;MACF;IACF,GAPiB;AASjB,UAAMlJ,SAAUgG,MAAMhG,UAAU,KAAKH,0BAA0BG,UAAUC;AACzE,QAAID,QAAQ;AACV,UAAIuI,cAAc;AAChB,cAAMS,SAASV,KAAKO,UAAUN,cAAcvI,MAAAA;AAC5C,cAAMsJ,gBAAgB,MAAMF,kBAAkB;UAAEF,gBAAgBX;UAAcU,OAAOJ;UAAU7I;QAAO,CAAA;AACtG,YAAI,CAACsJ,eAAe;AAClB,iBAAO5F,QAAQC,OAAOlB,MAAM,mCAAmC6F,GAAAA,gBAAmBC,YAAAA,EAAc,CAAA;QAClG;MACF;AAEA,UAAIM,SAAS,mBAAA,GAAsB;AACjC,cAAMU,kBAAkB,MAAM,KAAK3I,iCAAiC;UAAE0H,KAAKO,SAAS,mBAAA;UAAsB7C;QAAK,GAAGjF,OAAAA;AAClH,cAAMiI,SAASV,KAAKiB,iBAAiBV,SAAS,mBAAA,GAAsB7I,MAAAA;MACtE;AAEA,UAAI6I,SAAS,sBAAA,GAAyB;AACpC,cAAMW,iBAAiB,MAAMb,0BAA0BE,SAASY,UAAU;AAC1E,cAAMC,SAAS,MAAMF,eAAeV,KAAI;AACxC,cAAME,SAASV,KAAKoB,QAAQb,SAAS,sBAAA,GAAyB7I,MAAAA;MAChE;AAEA6I,eAASc,SAASC,QAAQ,CAACD,YAAAA;AACzB,cAAME,sBAAsBF,QAAQG,WAAWC,QAAQC,OAAO,eAAA;AAC9D,YAAIH,qBAAqB;AACvBI,kBAAQC,IAAI,4BAAA;QACd;MACF,CAAA;IACF;AAEA,WAAOrB;EACT;EAEQ/C,wBAAwB/E,SAAiD;AAC/E,QAAI,OAAO,KAAKlB,0BAA0BsK,oBAAoB,YAAY;AACxE,aAAO,KAAKtK,0BAA0BsK;IACxC;AAEA,WAAOC,uBAAuBrJ,OAAAA;EAChC;EAEQgF,OAAO/D,SAAiC;AAC9C,QAAIA,QAAQ8C,KAAKC,QAAQ3B,QAAW;AAClC,aAAOpB,QAAQ8C,IAAIC;IACrB,WAAW/C,QAAQ8C,QAAQ1B,UAAa,SAASpB,QAAQ8C,OAAO,OAAO9C,QAAQ8C,IAAI3B,QAAQ,YAAYnB,QAAQ8C,IAAI3B,IAAIe,WAAW,UAAA,GAAa;AAG7I,YAAMmG,UAAU,KAAKC,wBAAwBtI,QAAQ8C,IAAI3B,GAAG;AAC5D,YAAMoH,UAAc3B,cAAa4B,gBAAWH,SAAS,WAAA,GAAc,OAAA;AACnE,YAAM3E,MAAM+E,KAAKC,MAAMH,OAAAA;AACvB,aAAO7E;IACT;AACA,UAAMjD,MAAM,2CAAA;EACd;EAEQ6H,wBAAwBK,KAAqB;AACnD,UAAMC,QAAQD,IAAIE,MAAM,GAAA;AACxB,QAAID,MAAMzE,SAAS,GAAG;AACpB,YAAM,IAAI1D,MAAM,oBAAA;IAClB;AACA,WAAOmI,MAAM,CAAA,EAAGC,MAAM,GAAA,EAAK,CAAA;EAC7B;AACF;","names":["SDJwt","SDJwtVcInstance","calculateJwkThumbprint","signatureAlgorithmFromKey","Debug","digestMethodParams","Loggers","v4","fromString","defaultGenerateDigest","data","alg","digestMethodParams","includes","hash","fromString","Uint8Array","defaultGenerateSalt","v4","defaultVerifySignature","context","signature","publicKey","result","agent","jwtVerifyJwsSignature","jws","jwk","Loggers","DEFAULT","get","info","message","error","funkeTestCA","sphereonCA","u8a","toString","fetchUrlWithErrorHandling","url","response","fetch","ok","Error","status","statusText","extractHashAlgFromIntegrity","integrityValue","val","toLowerCase","trim","split","undefined","extractHashFromIntegrity","validateIntegrity","input","hasher","alg","calculatedHash","createIntegrity","JSON","stringify","toString","assertValidTypeMetadata","metadata","vct","isVcdm2SdJwtPayload","payload","Array","isArray","type","includes","length","isSdjwtVcPayload","getIssuerFromSdJwt","issuer","iss","id","calculateSdHash","compactSdJwtVc","digest","SDJwtInstance","SDJWTException","SDJwtVcInstance","contextHasPlugin","sdJwtPluginContextMethods","contextHasSDJwtPlugin","context","contextHasPlugin","isVcdm2SdJwt","type","SDJwtVcdmInstanceFactory","create","type","config","isVcdm2SdJwt","SDJwtVcdm2Instance","SDJwtVcInstance","SDJwtInstance","userConfig","validateReservedFields","disclosureFrame","_sd","Array","isArray","length","reservedNames","reservedNamesInDisclosureFrame","filter","key","includes","SDJWTException","join","verify","encodedSDJwt","options","result","then","res","payload","header","kb","validateIntegrity","response","url","integrity","arrayBuffer","alg","split","hashBuffer","hasher","integrityHash","hash","from","Uint8Array","map","byte","toString","padStart","Error","fetch","signal","AbortSignal","timeout","ok","errorText","text","Promise","reject","status","statusText","clone","json","error","name","issue","iss","issuer","id","nbf","validFrom","toVcdm2Date","exp","validUntil","sub","credentialSubject","value","num","Number","isFinite","Date","toISOString","u8a","debug","Debug","SDJwtPlugin","trustAnchorsInPEM","registeredImplementations","_signers","_defaultSigner","hasher","defaultGenerateDigest","saltGenerator","defaultGenerateSalt","signers","defaultSigner","methods","createSdJwtVc","bind","createSdJwtPresentation","verifySdJwtVc","verifySdJwtPresentation","fetchSdJwtTypeMetadataFromVctUrl","getSignerForIdentifier","args","context","identifier","resolution","Object","keys","includes","signer","signingKey","getSignKey","vmRelationship","key","alg","data","agent","keyManagerSign","keyRef","kmsKeyRef","payload","credentialPayload","isVcdm2","isVcdm2SdJwtPayload","isSdJwtVc","isSdjwtVcPayload","type","issuer","getIssuerFromSdJwt","Error","signAlg","hashAlg","test","slice","sdjwt","SDJwtVcdmInstanceFactory","create","omitTyp","header","kid","undefined","x5c","typ","credential","issue","disclosureFrame","Promise","reject","signatureAlgorithmFromKey","method","publicKeyHex","meta","x509","jwkThumbprint","startsWith","didIdentifier","identifierManagedGetByDid","kidIdentifier","identifierManagedGetByKid","cred","SDJwt","fromEncode","presentation","claims","getClaims","holder","cnf","jwk","calculateJwkThumbprint","sub","kbSigner","kbSignAlg","present","presentationFrame","kb","verifier","signature","verifyCallbackImpl","jwt","verify","skewSeconds","verifyKb","verifySignatureCallback","getJwk","opts","decodedVC","decode","length","trustAnchors","Set","size","add","sphereonCA","funkeTestCA","certificateValidationResult","x509VerifyCertificateChain","chain","Array","from","x5cValidation","trustRootWhenNoAnchors","allowNoTrustAnchorsFound","error","certificateChain","message","certInfo","publicKeyJWK","didDoc","resolveDid","didUrl","didDocumentKey","didDocument","verificationMethod","find","id","publicKeyJwk","verifierKb","SDJwtVcInstance","kbVerifier","verifierOpts","requiredClaimKeys","keyBindingNonce","vct","vctIntegrity","url","URL","response","fetchUrlWithErrorHandling","toString","metadata","json","assertValidTypeMetadata","validate","input","integrityValue","validation","validateIntegrity","extends","vctValidation","extendsMetadata","schemaResponse","schema_uri","schema","display","forEach","simpleLogoIntegrity","rendering","simple","logo","console","log","verifySignature","defaultVerifySignature","encoded","extractBase64FromDIDJwk","decoded","fromString","JSON","parse","did","parts","split"]}
1
+ {"version":3,"sources":["../src/action-handler.ts","../src/defaultCallbacks.ts","../src/trustAnchors.ts","../src/utils.ts","../src/sdJwtVcdm2Instance.ts","../src/types.ts"],"sourcesContent":["import { Jwt, SDJwt, type SdJwtPayload, type VerifierOptions } from '@sd-jwt/core'\nimport { SDJwtVcInstance, type SdJwtVcPayload } from '@sd-jwt/sd-jwt-vc'\nimport type { DisclosureFrame, HashAlgorithm, Hasher, JwtPayload, KbVerifier, PresentationFrame, Signer, Verifier } from '@sd-jwt/types'\nimport { calculateJwkThumbprint, signatureAlgorithmFromKey } from '@sphereon/ssi-sdk-ext.key-utils'\nimport type { X509CertificateChainValidationOpts } from '@sphereon/ssi-sdk-ext.x509-utils'\nimport type { HasherSync, JsonWebKey, JWK, SdJwtTypeMetadata } from '@sphereon/ssi-types'\nimport type { IAgentPlugin } from '@veramo/core'\n// import { decodeBase64url } from '@veramo/utils'\nimport Debug from 'debug'\nimport { defaultGenerateDigest, defaultGenerateSalt, defaultVerifySignature } from './defaultCallbacks'\nimport { funkeTestCA, sphereonCA } from './trustAnchors'\nimport {\n assertValidTypeMetadata,\n fetchUrlWithErrorHandling,\n getIssuerFromSdJwt,\n isSdjwtVcPayload,\n isVcdm2SdJwtPayload,\n validateIntegrity,\n} from './utils'\nimport type {\n Claims,\n FetchSdJwtTypeMetadataFromVctUrlArgs,\n GetSignerForIdentifierArgs,\n GetSignerResult,\n ICreateSdJwtPresentationArgs,\n ICreateSdJwtPresentationResult,\n ICreateSdJwtVcArgs,\n ICreateSdJwtVcResult,\n IRequiredContext,\n ISDJwtPlugin,\n IVerifySdJwtPresentationArgs,\n IVerifySdJwtPresentationResult,\n IVerifySdJwtVcArgs,\n IVerifySdJwtVcResult,\n SdJWTImplementation,\n SdJwtVerifySignature,\n SignKeyArgs,\n SignKeyResult,\n} from './types'\nimport { SDJwtVcdm2Instance, SDJwtVcdmInstanceFactory } from './sdJwtVcdm2Instance'\n\n// @ts-ignore\nimport * as u8a from 'uint8arrays'\n\nconst debug = Debug('@sphereon/ssi-sdk.sd-jwt')\n\n/**\n * @beta\n * SD-JWT plugin\n */\nexport class SDJwtPlugin implements IAgentPlugin {\n // @ts-ignore\n private readonly trustAnchorsInPEM: string[]\n private readonly registeredImplementations: SdJWTImplementation\n private _signers: Record<string, Signer>\n private _defaultSigner?: Signer\n\n constructor(\n registeredImplementations?: SdJWTImplementation & {\n signers?: Record<string, Signer>\n defaultSigner?: Signer\n },\n trustAnchorsInPEM?: string[],\n ) {\n this.trustAnchorsInPEM = trustAnchorsInPEM ?? []\n if (!registeredImplementations) {\n registeredImplementations = {}\n }\n if (typeof registeredImplementations?.hasher !== 'function') {\n registeredImplementations.hasher = defaultGenerateDigest\n }\n if (typeof registeredImplementations?.saltGenerator !== 'function') {\n registeredImplementations.saltGenerator = defaultGenerateSalt\n }\n this.registeredImplementations = registeredImplementations\n this._signers = registeredImplementations?.signers ?? {}\n this._defaultSigner = registeredImplementations?.defaultSigner\n\n // Verify signature default is used below in the methods if not provided here, as it needs the context of the agent\n }\n\n // map the methods your plugin is declaring to their implementation\n readonly methods: ISDJwtPlugin = {\n createSdJwtVc: this.createSdJwtVc.bind(this),\n createSdJwtPresentation: this.createSdJwtPresentation.bind(this),\n verifySdJwtVc: this.verifySdJwtVc.bind(this),\n verifySdJwtPresentation: this.verifySdJwtPresentation.bind(this),\n fetchSdJwtTypeMetadataFromVctUrl: this.fetchSdJwtTypeMetadataFromVctUrl.bind(this),\n }\n\n private async getSignerForIdentifier(args: GetSignerForIdentifierArgs, context: IRequiredContext): Promise<GetSignerResult> {\n const { identifier, resolution } = args\n if (Object.keys(this._signers).includes(identifier) && typeof this._signers[identifier] === 'function') {\n return { signer: this._signers[identifier] }\n } else if (typeof this._defaultSigner === 'function') {\n return { signer: this._defaultSigner }\n }\n const signingKey = await this.getSignKey({ identifier, vmRelationship: 'assertionMethod', resolution }, context)\n const { key, alg } = signingKey\n\n const signer: Signer = async (data: string): Promise<string> => {\n return context.agent.keyManagerSign({ keyRef: key.kmsKeyRef, data })\n }\n\n return { signer, alg, signingKey }\n }\n\n /**\n * Create a signed SD-JWT credential.\n * @param args - Arguments necessary for the creation of a SD-JWT credential.\n * @param context - This reserved param is automatically added and handled by the framework, *do not override*\n * @returns A signed SD-JWT credential.\n */\n async createSdJwtVc(args: ICreateSdJwtVcArgs, context: IRequiredContext): Promise<ICreateSdJwtVcResult> {\n const payload = args.credentialPayload\n const isVcdm2 = isVcdm2SdJwtPayload(payload)\n const isSdJwtVc = isSdjwtVcPayload(payload)\n const type = args.type ?? (isVcdm2 ? 'vc+sd-jwt' : 'dc+sd-jwt')\n\n const issuer = getIssuerFromSdJwt(args.credentialPayload)\n if (!issuer) {\n throw new Error('credential.issuer must not be empty')\n }\n const { alg, signer, signingKey } = await this.getSignerForIdentifier({ identifier: issuer, resolution: args.resolution }, context)\n const signAlg = alg ?? signingKey?.alg ?? 'ES256'\n const hashAlg: HashAlgorithm = /(\\d{3})$/.test(signAlg) ? (`sha-${signAlg.slice(-3)}` as HashAlgorithm) : 'sha-256'\n const sdjwt = SDJwtVcdmInstanceFactory.create(type, {\n omitTyp: true,\n signer,\n hasher: this.registeredImplementations.hasher,\n saltGenerator: this.registeredImplementations.saltGenerator,\n signAlg,\n hashAlg,\n })\n\n const header = {\n ...(signingKey?.key.kid !== undefined && { kid: signingKey.key.kid }),\n ...(signingKey?.key.x5c !== undefined && { x5c: signingKey.key.x5c }),\n ...(type && { typ: type }),\n }\n let credential: string\n if (isVcdm2) {\n credential = await (sdjwt as SDJwtVcdm2Instance).issue(\n payload,\n // @ts-ignore\n args.disclosureFrame as DisclosureFrame<typeof payload>,\n { header },\n )\n } else if (isSdJwtVc) {\n credential = await (sdjwt as SDJwtVcInstance).issue(payload, args.disclosureFrame as DisclosureFrame<typeof payload>, { header })\n } else {\n return Promise.reject(new Error(`invalid_argument: credential '${type}' type is not supported`))\n }\n\n return { type, credential }\n }\n\n /**\n * Get the key to sign the SD-JWT\n * @param args - consists of twp arguments: identifier like a did and other forms of identifiers and vmRelationship which represents the purpose of the key\n * @param context - agent instance\n * @returns the key to sign the SD-JWT\n */\n async getSignKey(args: SignKeyArgs, context: IRequiredContext): Promise<SignKeyResult> {\n // TODO Using identifierManagedGetByDid now (new managed identifier resolution). Evaluate of we need to implement more identifier types here\n const { identifier, resolution } = { ...args }\n if (resolution) {\n const key = resolution.key\n const alg = await signatureAlgorithmFromKey({ key })\n switch (resolution.method) {\n case 'did':\n debug(`Signing key ${key.publicKeyHex} found for identifier ${identifier}`)\n return { alg, key: { ...key, kmsKeyRef: resolution.kmsKeyRef, kid: resolution.kid } }\n default:\n if (key.meta?.x509 && key.meta.x509.x5c) {\n return { alg, key: { kid: resolution.kid, kmsKeyRef: resolution.kmsKeyRef, x5c: key.meta.x509.x5c as string[] } }\n } else if (key.meta?.jwkThumbprint) {\n return { alg, key: { kid: resolution.kid, kmsKeyRef: resolution.kmsKeyRef, jwkThumbprint: key.meta.jwkThumbprint } }\n } else {\n return { alg, key: { kid: resolution.kid, kmsKeyRef: resolution.kmsKeyRef } }\n }\n }\n } else if (identifier.startsWith('did:')) {\n const didIdentifier = await context.agent.identifierManagedGetByDid({ identifier })\n if (!didIdentifier) {\n throw new Error(`No identifier found with the given did: ${identifier}`)\n }\n const key = didIdentifier.key\n const alg = await signatureAlgorithmFromKey({ key })\n debug(`Signing key ${key.publicKeyHex} found for identifier ${identifier}`)\n\n return { alg, key: { ...key, kmsKeyRef: didIdentifier.kmsKeyRef, kid: didIdentifier.kid } }\n } else {\n const kidIdentifier = await context.agent.identifierManagedGetByKid({ identifier })\n if (!kidIdentifier) {\n throw new Error(`No identifier found with the given kid: ${identifier}`)\n }\n const key = kidIdentifier.key\n const alg = await signatureAlgorithmFromKey({ key })\n if (key.meta?.x509 && key.meta.x509.x5c) {\n return { alg, key: { kid: kidIdentifier.kid, kmsKeyRef: kidIdentifier.kmsKeyRef, x5c: key.meta.x509.x5c as string[] } }\n } else if (key.meta?.jwkThumbprint) {\n return { alg, key: { kid: kidIdentifier.kid, kmsKeyRef: kidIdentifier.kmsKeyRef, jwkThumbprint: key.meta.jwkThumbprint } }\n } else {\n return { alg, key: { kid: kidIdentifier.kid, kmsKeyRef: kidIdentifier.kmsKeyRef } }\n }\n }\n }\n\n /**\n * Create a signed SD-JWT presentation.\n * @param args - Arguments necessary for the creation of a SD-JWT presentation.\n * @param context - This reserved param is automatically added and handled by the framework, *do not override*\n * @returns A signed SD-JWT presentation.\n */\n async createSdJwtPresentation(args: ICreateSdJwtPresentationArgs, context: IRequiredContext): Promise<ICreateSdJwtPresentationResult> {\n const type = args.type ?? 'dc+sd-jwt'\n\n const cred = await SDJwt.fromEncode(args.presentation, this.registeredImplementations.hasher!)\n\n const claims = await cred.getClaims<Claims>(this.registeredImplementations.hasher!)\n let holder: string\n // we primarily look for a cnf field, if it's not there, we look for a sub field. If this is also not given, we throw an error since we can not sign it.\n if (args.holder) {\n holder = args.holder\n } else if (claims.cnf?.jwk) {\n const jwk = claims.cnf.jwk\n holder = calculateJwkThumbprint({ jwk: jwk as JWK })\n } else if (claims.cnf?.kid) {\n holder = claims.cnf?.kid\n } else if (claims.sub) {\n holder = claims.sub as string\n } else {\n throw new Error('invalid_argument: credential does not include a holder reference')\n }\n const { alg, signer } = await this.getSignerForIdentifier({ identifier: holder }, context)\n\n const sdjwt = SDJwtVcdmInstanceFactory.create(type, {\n omitTyp: true,\n hasher: this.registeredImplementations.hasher,\n saltGenerator: this.registeredImplementations.saltGenerator,\n kbSigner: signer,\n kbSignAlg: alg ?? 'ES256',\n })\n\n const presentation = await sdjwt.present(args.presentation, args.presentationFrame as PresentationFrame<SdJwtVcPayload>, { kb: args.kb })\n\n return { type, presentation }\n }\n\n /**\n * Verify a signed SD-JWT credential.\n * @param args - Arguments necessary for the verify a SD-JWT credential.\n * @param context - This reserved param is automatically added and handled by the framework, *do not override*\n * @returns\n */\n async verifySdJwtVc(args: IVerifySdJwtVcArgs, context: IRequiredContext): Promise<IVerifySdJwtVcResult> {\n // callback\n const verifier: Verifier = async (data: string, signature: string) => this.verifyCallbackImpl(sdjwt, context, data, signature)\n\n const cred = await SDJwt.fromEncode(args.credential, this.registeredImplementations.hasher!)\n const type = isVcdm2SdJwtPayload(cred.jwt?.payload as SdJwtPayload) ? 'vc+sd-jwt' : 'dc+sd-jwt'\n\n const sdjwt = SDJwtVcdmInstanceFactory.create(type, { verifier, hasher: this.registeredImplementations.hasher ?? defaultGenerateDigest })\n // FIXME: Findynet. Issuer returns expired status lists, and low level lib throws errors on these. We need to fix this in our implementation by wrapping the verification function\n // For now a workaround is to ad 5 days of skew seconds, yuck\n const { header = {}, payload, kb } = await sdjwt.verify(args.credential, { skewSeconds: 60 * 60 * 24 * 5 })\n\n return { type, header, payload, kb }\n }\n\n /**\n * Verify the key binding of a SD-JWT by validating the signature of the key bound to the SD-JWT\n * @param sdjwt - SD-JWT instance\n * @param context - This reserved param is automatically added and handled by the framework, *do not override*\n * @param data - signed data\n * @param signature - The signature\n * @param payload - The payload of the SD-JWT\n * @returns\n */\n private verifyKb(context: IRequiredContext, data: string, signature: string, payload: JwtPayload): Promise<boolean> {\n if (!payload.cnf) {\n throw Error('other method than cnf is not supported yet')\n }\n\n // TODO add aud verification\n\n return this.verifySignatureCallback(context)(data, signature, this.getJwk(payload))\n }\n\n /**\n * Validates the signature of a SD-JWT\n * @param sdjwt - SD-JWT instance\n * @param context - This reserved param is automatically added and handled by the framework, *do not override*\n * @param data - signed data\n * @param signature - The signature\n * @returns\n */\n async verifyCallbackImpl(\n sdjwt: SDJwtVcInstance | SDJwtVcdm2Instance,\n context: IRequiredContext,\n data: string,\n signature: string,\n opts?: { x5cValidation?: X509CertificateChainValidationOpts },\n ): Promise<boolean> {\n const decodedVC = await sdjwt.decode(`${data}.${signature}`)\n const payload: SdJwtPayload = (decodedVC.jwt as Jwt).payload as SdJwtPayload\n const issuer: string = getIssuerFromSdJwt(payload)\n const header = (decodedVC.jwt as Jwt).header as Record<string, any>\n const x5c: string[] | undefined = header?.x5c as string[]\n let jwk: JWK | JsonWebKey | undefined = header.jwk\n if (x5c?.length) {\n const trustAnchors = new Set<string>([...this.trustAnchorsInPEM])\n if (trustAnchors.size === 0) {\n trustAnchors.add(sphereonCA)\n trustAnchors.add(funkeTestCA)\n }\n const certificateValidationResult = await context.agent.x509VerifyCertificateChain({\n chain: x5c,\n trustAnchors: Array.from(trustAnchors),\n // TODO: Defaults to allowing untrusted certs! Fine for now, not when wallets go mainstream\n opts: opts?.x5cValidation ?? { trustRootWhenNoAnchors: true, allowNoTrustAnchorsFound: true },\n })\n\n if (certificateValidationResult.error || !certificateValidationResult?.certificateChain) {\n return Promise.reject(Error(`Certificate chain validation failed. ${certificateValidationResult.message}`))\n }\n const certInfo = certificateValidationResult.certificateChain[0]\n jwk = certInfo.publicKeyJWK as JWK\n }\n\n if (!jwk && header.kid?.includes('did:')) {\n const didDoc = await context.agent.resolveDid({ didUrl: header.kid })\n if (!didDoc) {\n throw new Error('invalid_issuer: issuer did not resolve to a did document')\n }\n const didDocumentKey = didDoc.didDocument?.verificationMethod?.find((key) => key.id === header.kid)\n if (!didDocumentKey) {\n throw new Error('invalid_issuer: issuer did document does not include referenced key')\n }\n //FIXME SDK-21: in case it's another did method, the value of the key can be also encoded as a base64url\n // needs more checks. some DID methods do not expose the keys as publicKeyJwk\n jwk = didDocumentKey.publicKeyJwk as JsonWebKey\n }\n\n if (!jwk && issuer.includes('did:')) {\n // TODO refactor\n const didDoc = await context.agent.resolveDid({ didUrl: issuer })\n if (!didDoc) {\n throw new Error('invalid_issuer: issuer did not resolve to a did document')\n }\n //TODO SDK-20: This should be checking for an assertionMethod and not just an verificationMethod with an id\n const didDocumentKey = didDoc.didDocument?.verificationMethod?.find((key) => key.id === header.kid)\n if (!didDocumentKey) {\n throw new Error('invalid_issuer: issuer did document does not include referenced key')\n }\n //FIXME SDK-21: in case it's another did method, the value of the key can be also encoded as a base64url\n // needs more checks. some DID methods do not expose the keys as publicKeyJwk\n jwk = didDocumentKey.publicKeyJwk as JsonWebKey\n }\n\n if (!jwk) {\n throw new Error('No valid public key found for signature verification')\n }\n\n return this.verifySignatureCallback(context)(data, signature, jwk)\n }\n\n /**\n * Verify a signed SD-JWT presentation.\n * @param args - Arguments necessary for the verify a SD-JWT presentation.\n * @param context - This reserved param is automatically added and handled by the framework, *do not override*\n * @returns\n */\n async verifySdJwtPresentation(args: IVerifySdJwtPresentationArgs, context: IRequiredContext): Promise<IVerifySdJwtPresentationResult> {\n let sdjwt: SDJwtVcInstance\n const verifier: Verifier = async (data: string, signature: string) => this.verifyCallbackImpl(sdjwt, context, data, signature)\n const verifierKb: KbVerifier = async (data: string, signature: string, payload: JwtPayload) => this.verifyKb(context, data, signature, payload)\n sdjwt = new SDJwtVcInstance({\n verifier,\n hasher: this.registeredImplementations.hasher,\n kbVerifier: verifierKb,\n })\n\n const verifierOpts: VerifierOptions = {\n requiredClaimKeys: args.requiredClaimKeys,\n keyBindingNonce: args.keyBindingNonce,\n }\n\n return sdjwt.verify(args.presentation, verifierOpts)\n }\n\n /**\n * Fetch and validate Type Metadata.\n * @param args - Arguments necessary for fetching and validating the type metadata.\n * @param context - This reserved param is automatically added and handled by the framework, *do not override*\n * @returns\n */\n async fetchSdJwtTypeMetadataFromVctUrl(args: FetchSdJwtTypeMetadataFromVctUrlArgs, context: IRequiredContext): Promise<SdJwtTypeMetadata> {\n const { vct, vctIntegrity, opts } = args\n const url = new URL(vct)\n\n const response = await fetchUrlWithErrorHandling(url.toString())\n const metadata: SdJwtTypeMetadata = (await response.json()) as SdJwtTypeMetadata\n assertValidTypeMetadata(metadata, vct)\n\n const validate = async (vct: string, input: unknown, integrityValue?: string, hasher?: Hasher | HasherSync) => {\n if (hasher && integrityValue) {\n const validation = await validateIntegrity({ integrityValue, input, hasher })\n if (!validation) {\n return Promise.reject(Error(`Integrity check failed for vct: ${vct}, extends: ${metadata.extends}, integrity: ${integrityValue}}`))\n }\n }\n }\n\n const hasher = (opts?.hasher ?? this.registeredImplementations.hasher ?? defaultGenerateDigest) as Hasher | HasherSync | undefined\n if (hasher) {\n if (vctIntegrity) {\n await validate(vct, metadata, vctIntegrity, hasher)\n const vctValidation = await validateIntegrity({ integrityValue: vctIntegrity, input: metadata, hasher })\n if (!vctValidation) {\n return Promise.reject(Error(`Integrity check failed for vct: ${vct}, integrity: ${vctIntegrity}`))\n }\n }\n\n if (metadata['extends#integrity']) {\n const extendsMetadata = await this.fetchSdJwtTypeMetadataFromVctUrl({ vct: metadata['extends#integrity'], opts }, context)\n await validate(vct, extendsMetadata, metadata['extends#integrity'], hasher)\n }\n\n if (metadata['schema_uri#integrity']) {\n const schemaResponse = await fetchUrlWithErrorHandling(metadata.schema_uri!)\n const schema = await schemaResponse.json()\n await validate(vct, schema, metadata['schema_uri#integrity'], hasher)\n }\n\n metadata.display?.forEach((display) => {\n const simpleLogoIntegrity = display.rendering?.simple?.logo?.['uri#integrity']\n if (simpleLogoIntegrity) {\n console.log('TODO: Logo integrity check')\n }\n })\n }\n\n return metadata\n }\n\n private verifySignatureCallback(context: IRequiredContext): SdJwtVerifySignature {\n if (typeof this.registeredImplementations.verifySignature === 'function') {\n return this.registeredImplementations.verifySignature\n }\n\n return defaultVerifySignature(context)\n }\n\n private getJwk(payload: JwtPayload): JsonWebKey {\n if (payload.cnf?.jwk !== undefined) {\n return payload.cnf.jwk as JsonWebKey\n } else if (payload.cnf !== undefined && 'kid' in payload.cnf && typeof payload.cnf.kid === 'string' && payload.cnf.kid.startsWith('did:jwk:')) {\n // extract JWK from kid FIXME isn't there a did function for this already? Otherwise create one\n // FIXME this is a quick-fix to make verification but we need a real solution\n const encoded = this.extractBase64FromDIDJwk(payload.cnf.kid)\n const decoded = u8a.toString(u8a.fromString(encoded, 'base64url'), 'utf-8')\n const jwt = JSON.parse(decoded)\n return jwt as JsonWebKey\n }\n throw Error('Unable to extract JWK from SD-JWT payload')\n }\n\n private extractBase64FromDIDJwk(did: string): string {\n const parts = did.split(':')\n if (parts.length < 3) {\n throw new Error('Invalid DID format')\n }\n return parts[2].split('#')[0]\n }\n}\n","import { digestMethodParams } from '@sphereon/ssi-sdk-ext.key-utils'\nimport { HasherSync, JsonWebKey, JWK, Loggers } from '@sphereon/ssi-types'\nimport { v4 } from 'uuid'\n// @ts-ignore\nimport { fromString } from 'uint8arrays/from-string'\nimport { IRequiredContext, SdJwtVerifySignature } from './types'\n\nexport const defaultGenerateDigest: HasherSync = (data: string | ArrayBuffer | SharedArrayBuffer, alg: string): Uint8Array => {\n return digestMethodParams(alg.includes('256') ? 'SHA-256' : 'SHA-512').hash(\n typeof data === 'string' ? fromString(data, 'utf-8') : new Uint8Array(data),\n )\n}\n\nexport const defaultGenerateSalt = (): string => {\n return v4()\n}\n\nexport const defaultVerifySignature =\n (context: IRequiredContext): SdJwtVerifySignature =>\n async (data: string, signature: string, publicKey: JsonWebKey): Promise<boolean> => {\n // The data and signature from the sd-jwt lib are a jwt header.payload and signature, so let's recombine into a compact jwt\n const result = await context.agent.jwtVerifyJwsSignature({ jws: `${data}.${signature}`, jwk: publicKey as JWK })\n Loggers.DEFAULT.get('sd-jwt').info(`SD-JWT signature verified. Result: ${result.message}`)\n return !result.error\n }\n","export const funkeTestCA =\n '-----BEGIN CERTIFICATE-----\\n' +\n 'MIICeTCCAiCgAwIBAgIUB5E9QVZtmUYcDtCjKB/H3VQv72gwCgYIKoZIzj0EAwIwgYgxCzAJBgNVBAYTAkRFMQ8wDQYDVQQHDAZCZXJsaW4xHTAbBgNVBAoMFEJ1bmRlc2RydWNrZXJlaSBHbWJIMREwDwYDVQQLDAhUIENTIElERTE2MDQGA1UEAwwtU1BSSU5EIEZ1bmtlIEVVREkgV2FsbGV0IFByb3RvdHlwZSBJc3N1aW5nIENBMB4XDTI0MDUzMTA2NDgwOVoXDTM0MDUyOTA2NDgwOVowgYgxCzAJBgNVBAYTAkRFMQ8wDQYDVQQHDAZCZXJsaW4xHTAbBgNVBAoMFEJ1bmRlc2RydWNrZXJlaSBHbWJIMREwDwYDVQQLDAhUIENTIElERTE2MDQGA1UEAwwtU1BSSU5EIEZ1bmtlIEVVREkgV2FsbGV0IFByb3RvdHlwZSBJc3N1aW5nIENBMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEYGzdwFDnc7+Kn5ibAvCOM8ke77VQxqfMcwZL8IaIA+WCROcCfmY/giH92qMru5p/kyOivE0RC/IbdMONvDoUyaNmMGQwHQYDVR0OBBYEFNRWGMCJOOgOWIQYyXZiv6u7xZC+MB8GA1UdIwQYMBaAFNRWGMCJOOgOWIQYyXZiv6u7xZC+MBIGA1UdEwEB/wQIMAYBAf8CAQAwDgYDVR0PAQH/BAQDAgGGMAoGCCqGSM49BAMCA0cAMEQCIGEm7wkZKHt/atb4MdFnXW6yrnwMUT2u136gdtl10Y6hAiBuTFqvVYth1rbxzCP0xWZHmQK9kVyxn8GPfX27EIzzsw==\\n' +\n '-----END CERTIFICATE-----'\n\nexport const sphereonCA =\n '-----BEGIN CERTIFICATE-----\\n' +\n 'MIICCDCCAa6gAwIBAgITAPMgqwtYzWPBXaobHhxG9iSydTAKBggqhkjOPQQDAjBa\\n' +\n 'MQswCQYDVQQGEwJOTDEkMCIGA1UECgwbU3BoZXJlb24gSW50ZXJuYXRpb25hbCBC\\n' +\n 'LlYuMQswCQYDVQQLDAJJVDEYMBYGA1UEAwwPY2Euc3BoZXJlb24uY29tMB4XDTI0\\n' +\n 'MDcyODIxMjY0OVoXDTM0MDcyODIxMjY0OVowWjELMAkGA1UEBhMCTkwxJDAiBgNV\\n' +\n 'BAoMG1NwaGVyZW9uIEludGVybmF0aW9uYWwgQi5WLjELMAkGA1UECwwCSVQxGDAW\\n' +\n 'BgNVBAMMD2NhLnNwaGVyZW9uLmNvbTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\\n' +\n 'BEiA0KeESSNrOcmCDga8YsBkUTgowZGwqvL2n91JUpAMdRSwvlVFdqdiLXnk2pQq\\n' +\n 'T1vZnDG0I+x+iz2EbdsG0aajUzBRMB0GA1UdDgQWBBTnB8pdlVz5yKD+zuNkRR6A\\n' +\n 'sywywTAOBgNVHQ8BAf8EBAMCAaYwDwYDVR0lBAgwBgYEVR0lADAPBgNVHRMBAf8E\\n' +\n 'BTADAQH/MAoGCCqGSM49BAMCA0gAMEUCIHH7ie1OAAbff5262rzZVQa8J9zENG8A\\n' +\n 'QlHHFydMdgaXAiEA1Ib82mhHIYDziE0DDbHEAXOs98al+7dpo8fPGVGTeKI=\\n' +\n '-----END CERTIFICATE-----'\n","import type { SdJwtPayload } from '@sd-jwt/core'\nimport type { SdJwtVcPayload } from '@sd-jwt/sd-jwt-vc'\nimport { Hasher, HasherSync } from '@sd-jwt/types'\nimport type { SdJwtTypeMetadata, SdJwtVcdm2Payload } from '@sphereon/ssi-types'\n// @ts-ignore\nimport * as u8a from 'uint8arrays'\n// @ts-ignore\nimport { toString } from 'uint8arrays/to-string'\n\n// Helper function to fetch API with error handling\nexport async function fetchUrlWithErrorHandling(url: string): Promise<Response> {\n const response = await fetch(url)\n if (!response.ok) {\n throw new Error(`${response.status}: ${response.statusText}`)\n }\n return response\n}\n\nexport type IntegrityAlg = 'sha256' | 'sha384' | 'sha512'\n\nfunction extractHashAlgFromIntegrity(integrityValue?: string): IntegrityAlg | undefined {\n const val = integrityValue?.toLowerCase().trim().split('-')[0]\n if (val === 'sha256' || val === 'sha384' || val === 'sha512') {\n return val as IntegrityAlg\n }\n return undefined\n}\n\nexport function extractHashFromIntegrity(integrityValue?: string): string | undefined {\n return integrityValue?.toLowerCase().trim().split('-')[1]\n}\n\nexport async function validateIntegrity({\n input,\n integrityValue,\n hasher,\n}: {\n input: any\n integrityValue?: string\n hasher: HasherSync | Hasher\n}): Promise<boolean> {\n if (!integrityValue) {\n return true\n }\n const alg = extractHashAlgFromIntegrity(integrityValue)\n if (!alg) {\n return false\n }\n const calculatedHash = await createIntegrity({ hasher, input, alg })\n return calculatedHash == integrityValue\n}\n\nexport async function createIntegrity({\n input,\n hasher,\n alg = 'sha256',\n}: {\n input: any\n hasher: HasherSync | Hasher\n alg?: IntegrityAlg\n}): Promise<string> {\n const calculatedHash = await hasher(typeof input === 'string' ? input : JSON.stringify(input), alg)\n return `${alg}-${toString(calculatedHash, 'base64')}`\n}\n\nexport function assertValidTypeMetadata(metadata: SdJwtTypeMetadata, vct: string): void {\n if (metadata.vct !== vct) {\n throw new Error('VCT mismatch in metadata and credential')\n }\n}\n\nexport function isVcdm2SdJwtPayload(payload: SdJwtPayload): payload is SdJwtVcdm2Payload {\n return (\n 'type' in payload &&\n Array.isArray(payload.type) &&\n payload.type.includes('VerifiableCredential') &&\n '@context' in payload &&\n ((typeof payload['@context'] === 'string' && payload['@context'].length > 0) ||\n (Array.isArray(payload['@context']) && payload['@context'].length > 0 && payload['@context'].includes('https://www.w3.org/ns/credentials/v2')))\n )\n}\n\nexport function isSdjwtVcPayload(payload: SdJwtPayload): payload is SdJwtVcPayload {\n return !isVcdm2SdJwtPayload(payload) && 'vct' in payload && typeof payload.vct === 'string'\n}\n\nexport function getIssuerFromSdJwt(payload: SdJwtPayload): string {\n let issuer: string | undefined\n if (isSdjwtVcPayload(payload) || 'iss' in payload) {\n issuer = payload.iss as string\n } else if (isVcdm2SdJwtPayload(payload) || ('issuer' in payload && payload.issuer)) {\n issuer = typeof payload.issuer === 'string' ? payload.issuer : (payload.issuer as any)?.id\n }\n\n if (!issuer) {\n throw new Error('No issuer (iss or VCDM 2 issuer) found in SD-JWT or no VCDM2 SD-JWT or SD-JWT VC')\n }\n return issuer\n}\n\nexport function calculateSdHash(compactSdJwtVc: string, alg: string, hasher: Hasher): string {\n const digest = hasher(compactSdJwtVc, alg)\n return u8a.toString(digest, 'base64url')\n}\n","import { SDJwtInstance, type VerifierOptions } from '@sd-jwt/core'\nimport type { DisclosureFrame, Hasher, SDJWTCompact } from '@sd-jwt/types'\nimport { SDJWTException } from '@sd-jwt/utils'\nimport { type SdJwtType, type SDJWTVCDM2Config, type SdJwtVcdm2Payload } from '@sphereon/ssi-types'\nimport { type SDJWTVCConfig, SDJwtVcInstance, type VerificationResult } from '@sd-jwt/sd-jwt-vc'\nimport { isVcdm2SdJwt } from './types'\n\ninterface SdJwtVcdm2VerificationResult extends Omit<VerificationResult, 'payload'> {\n payload: SdJwtVcdm2Payload\n}\n\nexport class SDJwtVcdmInstanceFactory {\n static create(type: SdJwtType, config: SDJWTVCConfig | SDJWTVCDM2Config): SDJwtVcdm2Instance | SDJwtVcInstance {\n if (isVcdm2SdJwt(type)) {\n return new SDJwtVcdm2Instance(config as SDJWTVCDM2Config)\n }\n return new SDJwtVcInstance(config as SDJWTVCConfig)\n }\n}\n\n// @ts-ignore\nexport class SDJwtVcdm2Instance extends SDJwtInstance<SdJwtVcdm2Payload> {\n /**\n * The type of the SD-JWT VCDM2 set in the header.typ field.\n */\n protected static type = 'vc+sd-jwt'\n\n protected userConfig: SDJWTVCDM2Config = {}\n\n constructor(userConfig?: SDJWTVCDM2Config) {\n super(userConfig)\n if (userConfig) {\n this.userConfig = userConfig\n }\n }\n\n /**\n * Validates if the disclosureFrame contains any reserved fields. If so it will throw an error.\n * @param disclosureFrame\n */\n protected validateReservedFields(disclosureFrame: DisclosureFrame<SdJwtVcdm2Payload>): void {\n //validate disclosureFrame according to https://www.ietf.org/archive/id/draft-ietf-oauth-sd-jwt-vc-08.html#section-3.2.2.2\n // @ts-ignore\n if (disclosureFrame?._sd && Array.isArray(disclosureFrame._sd) && disclosureFrame._sd.length > 0) {\n const reservedNames = ['iss', 'nbf', 'exp', 'cnf', '@context', 'type', 'credentialStatus', 'credentialSchema', 'relatedResource']\n // check if there is any reserved names in the disclosureFrame._sd array\n const reservedNamesInDisclosureFrame = (disclosureFrame._sd as string[]).filter((key) => reservedNames.includes(key))\n if (reservedNamesInDisclosureFrame.length > 0) {\n throw new SDJWTException(`Cannot disclose protected field(s): ${reservedNamesInDisclosureFrame.join(', ')}`)\n }\n }\n }\n\n /**\n * Verifies the SD-JWT-VC. It will validate the signature, the keybindings when required, the status, and the VCT.\n * @param encodedSDJwt\n * @param options\n */\n async verify(encodedSDJwt: string, options?: VerifierOptions) {\n // Call the parent class's verify method\n const result: SdJwtVcdm2VerificationResult = await super.verify(encodedSDJwt, options).then((res) => {\n return {\n payload: res.payload as SdJwtVcdm2Payload,\n header: res.header,\n kb: res.kb,\n }\n })\n\n // await this.verifyStatus(result, options)\n\n return result\n }\n\n /**\n * Validates the integrity of the response if the integrity is passed. If the integrity does not match, an error is thrown.\n * @param integrity\n * @param response\n */\n private async validateIntegrity(response: Response, url: string, integrity?: string) {\n if (integrity) {\n // validate the integrity of the response according to https://www.w3.org/TR/SRI/\n const arrayBuffer = await response.arrayBuffer()\n const alg = integrity.split('-')[0]\n //TODO: error handling when a hasher is passed that is not supporting the required algorithm acording to the spec\n const hashBuffer = await (this.userConfig.hasher as Hasher)(arrayBuffer, alg)\n const integrityHash = integrity.split('-')[1]\n const hash = Array.from(new Uint8Array(hashBuffer))\n .map((byte) => byte.toString(16).padStart(2, '0'))\n .join('')\n if (hash !== integrityHash) {\n throw new Error(`Integrity check for ${url} failed: is ${hash}, but expected ${integrityHash}`)\n }\n }\n }\n\n /**\n * Fetches the content from the url with a timeout of 10 seconds.\n * @param url\n * @param integrity\n * @returns\n */\n protected async fetch<T>(url: string, integrity?: string): Promise<T> {\n try {\n const response = await fetch(url, {\n signal: AbortSignal.timeout(this.userConfig.timeout ?? 10000),\n })\n if (!response.ok) {\n const errorText = await response.text()\n return Promise.reject(new Error(`Error fetching ${url}: ${response.status} ${response.statusText} - ${errorText}`))\n }\n await this.validateIntegrity(response.clone(), url, integrity)\n return response.json() as Promise<T>\n } catch (error) {\n if ((error as Error).name === 'TimeoutError') {\n throw new Error(`Request to ${url} timed out`)\n }\n throw error\n }\n }\n\n public async issue<Payload extends SdJwtVcdm2Payload>(\n payload: Payload,\n disclosureFrame?: DisclosureFrame<Payload>,\n options?: {\n header?: object // This is for customizing the header of the jwt\n },\n ): Promise<SDJWTCompact> {\n if (payload.iss && !payload.issuer) {\n payload.issuer = { id: payload.iss }\n delete payload.iss\n }\n if (payload.nbf && !payload.validFrom) {\n payload.validFrom = toVcdm2Date(payload.nbf)\n delete payload.nbf\n }\n if (payload.exp && !payload.validUntil) {\n payload.validUntil = toVcdm2Date(payload.exp)\n delete payload.exp\n }\n if (payload.sub && !Array.isArray(payload.credentialSubject) && !payload.credentialSubject.id) {\n payload.credentialSubject.id = payload.sub\n delete payload.sub\n }\n return super.issue(payload, disclosureFrame, options)\n }\n}\n\nfunction toVcdm2Date(value: number | string): string {\n const num = typeof value === 'string' ? Number(value) : value\n if (!Number.isFinite(num)) {\n throw new SDJWTException(`Invalid numeric date: ${value}`)\n }\n // Convert JWT NumericDate (seconds since epoch) to W3C VCDM 2 date-time string (RFC 3339 / ISO 8601)\n return new Date(num * 1000).toISOString()\n}\n","import { SdJwtPayload } from '@sd-jwt/core'\nimport { SdJwtVcPayload as OrigSdJwtVcPayload } from '@sd-jwt/sd-jwt-vc'\nimport { Hasher, kbHeader, KBOptions, kbPayload, SaltGenerator, Signer } from '@sd-jwt/types'\nimport { IIdentifierResolution, ManagedIdentifierResult } from '@sphereon/ssi-sdk-ext.identifier-resolution'\nimport { IJwtService } from '@sphereon/ssi-sdk-ext.jwt-service'\nimport { X509CertificateChainValidationOpts } from '@sphereon/ssi-sdk-ext.x509-utils'\nimport { contextHasPlugin } from '@sphereon/ssi-sdk.agent-config'\nimport { ImDLMdoc } from '@sphereon/ssi-sdk.mdl-mdoc'\nimport {\n HasherSync,\n JoseSignatureAlgorithm,\n JsonWebKey,\n SdJwtType,\n SdJwtTypeMetadata,\n SdJwtVcdm2Payload,\n SdJwtVcKbJwtHeader,\n SdJwtVcKbJwtPayload,\n SdJwtVcType,\n SdJwtVpType,\n} from '@sphereon/ssi-types'\nimport { DIDDocumentSection, IAgentContext, IDIDManager, IKeyManager, IPluginMethodMap, IResolver } from '@veramo/core'\n\nexport const sdJwtPluginContextMethods: Array<string> = ['createSdJwtVc', 'createSdJwtPresentation', 'verifySdJwtVc', 'verifySdJwtPresentation']\n\n/**\n * My Agent Plugin description.\n *\n * This is the interface that describes what your plugin can do.\n * The methods listed here, will be directly available to the veramo agent where your plugin is going to be used.\n * Depending on the agent configuration, other agent plugins, as well as the application where the agent is used\n * will be able to call these methods.\n *\n * To build a schema for your plugin using standard tools, you must link to this file in your package.json.\n * Example:\n * ```\n * \"veramo\": {\n * \"pluginInterfaces\": {\n * \"IMyAgentPlugin\": \"./src/types/IMyAgentPlugin.ts\"\n * }\n * },\n * ```\n *\n * @beta\n */\nexport interface ISDJwtPlugin extends IPluginMethodMap {\n /**\n * Your plugin method description\n *\n * @param args - Input parameters for this method\n * @param context - The required context where this method can run.\n * Declaring a context type here lets other developers know which other plugins\n * need to also be installed for this method to work.\n */\n /**\n * Create a signed SD-JWT credential.\n * @param args - Arguments necessary for the creation of a SD-JWT credential.\n * @param context - This reserved param is automatically added and handled by the framework, *do not override*\n */\n createSdJwtVc(args: ICreateSdJwtVcArgs, context: IRequiredContext): Promise<ICreateSdJwtVcResult>\n\n /**\n * Create a signed SD-JWT presentation.\n * @param args - Arguments necessary for the creation of a SD-JWT presentation.\n * @param context - This reserved param is automatically added and handled by the framework, *do not override*\n */\n createSdJwtPresentation(args: ICreateSdJwtPresentationArgs, context: IRequiredContext): Promise<ICreateSdJwtPresentationResult>\n\n /**\n * Verify a signed SD-JWT credential.\n * @param args - Arguments necessary for the verification of a SD-JWT credential.\n * @param context - This reserved param is automatically added and handled by the framework, *do not override*\n */\n verifySdJwtVc(args: IVerifySdJwtVcArgs, context: IRequiredContext): Promise<IVerifySdJwtVcResult>\n\n /**\n * Verify a signed SD-JWT presentation.\n * @param args - Arguments necessary for the verification of a SD-JWT presentation.\n * @param context - This reserved param is automatically added and handled by the framework, *do not override*\n */\n verifySdJwtPresentation(args: IVerifySdJwtPresentationArgs, context: IRequiredContext): Promise<IVerifySdJwtPresentationResult>\n\n /**\n * Fetch and validate Type Metadata.\n * @param args - Arguments necessary for fetching and validating the type metadata.\n * @param context - This reserved param is automatically added and handled by the framework, *do not override*\n */\n fetchSdJwtTypeMetadataFromVctUrl(args: FetchSdJwtTypeMetadataFromVctUrlArgs, context: IRequiredContext): Promise<SdJwtTypeMetadata>\n}\n\nexport function contextHasSDJwtPlugin(context: IAgentContext<IPluginMethodMap>): context is IAgentContext<ISDJwtPlugin> {\n return contextHasPlugin(context, 'verifySdJwtVc')\n}\n\n/**\n * ICreateSdJwtVcArgs\n *\n * @beta\n */\n\nexport interface SdJwtVcPayload extends OrigSdJwtVcPayload {\n x5c?: string[]\n}\n\nexport type Vcdm2Enveloped = 'EnvelopedVerifiableCredential' | 'EnvelopedVerifiablePresentation'\n\nexport function isVcdm2SdJwt(type: SdJwtType | string): Boolean {\n return type === 'vc+sd-jwt' || type === 'vp+sd-jwt'\n}\n\nexport interface ICreateSdJwtVcArgs {\n type?: SdJwtVcType\n credentialPayload: SdJwtPayload\n\n // biome-ignore lint/suspicious/noExplicitAny: <explanation>\n disclosureFrame?: IDisclosureFrame\n\n resolution?: ManagedIdentifierResult\n}\n\n/**\n * @beta\n */\nexport interface IDisclosureFrame {\n _sd?: string[]\n _sd_decoy?: number\n\n [x: string]: string[] | number | IDisclosureFrame | undefined\n}\n\n/**\n * ICreateSdJwtVcResult\n *\n * @beta\n */\nexport interface ICreateSdJwtVcResult {\n type: SdJwtVcType\n\n /**\n * the encoded sd-jwt credential\n */\n credential: string\n}\n\n/**\n *\n * @beta\n */\nexport interface ICreateSdJwtPresentationArgs {\n /**\n * Encoded SD-JWT credential\n */\n presentation: string\n\n /*\n * The keys to use for selective disclosure for presentation\n * if not provided, all keys will be disclosed\n * if empty object, no keys will be disclosed\n */\n presentationFrame?: IPresentationFrame\n\n /**\n * Allows to override the holder. Normally it will be looked up from the cnf or sub values\n */\n holder?: string\n\n /**\n * Information to include to add key binding.\n */\n kb?: KBOptions\n\n type?: SdJwtVpType\n\n vcdm2Enveloped?: Vcdm2Enveloped\n}\n\n/**\n * @beta\n */\nexport interface IPresentationFrame {\n [x: string]: boolean | IPresentationFrame\n}\n\n/**\n * Created presentation\n * @beta\n */\nexport interface ICreateSdJwtPresentationResult {\n /**\n * Encoded presentation.\n */\n presentation: string\n\n type: SdJwtVpType\n}\n\n/**\n * @beta\n */\nexport interface IVerifySdJwtVcArgs {\n credential: string\n opts?: {\n x5cValidation?: X509CertificateChainValidationOpts\n }\n}\n\n/**\n * @beta\n */\nexport type IVerifySdJwtVcResult = {\n type: SdJwtVcType\n payload: SdJwtVcPayload | SdJwtVcdm2Payload\n header: Record<string, unknown>\n kb?: { header: kbHeader; payload: kbPayload }\n}\n\n/**\n * @beta\n */\nexport interface IVerifySdJwtPresentationArgs {\n presentation: string\n\n requiredClaimKeys?: string[]\n\n /**\n * nonce used to verify the key binding jwt to prevent replay attacks.\n */\n keyBindingNonce?: string\n\n /**\n * Audience used to verify the key binding jwt\n */\n keyBindingAud?: string\n}\n\n/**\n * @beta\n */\nexport type IVerifySdJwtPresentationResult = {\n payload: unknown //fixme: maybe this can be `SdJwtPayload`\n header: Record<string, unknown> | undefined\n kb?: { header: kbHeader; payload: kbPayload }\n}\n\nexport type SignKeyArgs = {\n identifier: string\n vmRelationship: DIDDocumentSection\n resolution?: ManagedIdentifierResult\n}\n\nexport type SignKeyResult = {\n alg: JoseSignatureAlgorithm\n key: {\n kid?: string\n kmsKeyRef: string\n x5c?: string[]\n jwkThumbprint?: string\n }\n}\n/**\n * This context describes the requirements of this plugin.\n * For this plugin to function properly, the agent needs to also have other plugins installed that implement the\n * interfaces declared here.\n * You can also define requirements on a more granular level, for each plugin method or event handler of your plugin.\n *\n * @beta\n */\nexport type IRequiredContext = IAgentContext<IDIDManager & IIdentifierResolution & IJwtService & IResolver & IKeyManager & ImDLMdoc>\n\nexport type SdJwtVerifySignature = (data: string, signature: string, publicKey: JsonWebKey) => Promise<boolean>\nexport interface SdJWTImplementation {\n saltGenerator?: SaltGenerator\n hasher?: HasherSync\n verifySignature?: SdJwtVerifySignature\n}\n\nexport interface Claims {\n /**\n * Subject of the SD-JWT\n */\n sub?: string\n cnf?: {\n jwk?: JsonWebKey\n kid?: string\n }\n\n [key: string]: unknown\n}\n\nexport type FetchSdJwtTypeMetadataFromVctUrlArgs = {\n vct: string\n vctIntegrity?: string\n opts?: FetchSdJwtTypeMetadataFromVctUrlOpts\n}\n\nexport type FetchSdJwtTypeMetadataFromVctUrlOpts = {\n hasher?: HasherSync | Hasher\n}\n\nexport type GetSignerForIdentifierArgs = {\n identifier: string\n resolution?: ManagedIdentifierResult\n}\n\nexport type GetSignerResult = {\n signer: Signer\n alg?: string\n signingKey?: SignKeyResult\n}\n\nexport type PartialSdJwtKbJwt = {\n header: Partial<SdJwtVcKbJwtHeader>\n payload: Partial<SdJwtVcKbJwtPayload>\n}\n"],"mappings":";;;;AAAA,SAAcA,aAAsD;AACpE,SAASC,mBAAAA,wBAA4C;AAErD,SAASC,wBAAwBC,iCAAiC;AAKlE,OAAOC,WAAW;;;ACRlB,SAASC,0BAA0B;AACnC,SAAsCC,eAAe;AACrD,SAASC,UAAU;AAEnB,SAASC,kBAAkB;AAGpB,IAAMC,wBAAoC,wBAACC,MAAgDC,QAAAA;AAChG,SAAOC,mBAAmBD,IAAIE,SAAS,KAAA,IAAS,YAAY,SAAA,EAAWC,KACrE,OAAOJ,SAAS,WAAWK,WAAWL,MAAM,OAAA,IAAW,IAAIM,WAAWN,IAAAA,CAAAA;AAE1E,GAJiD;AAM1C,IAAMO,sBAAsB,6BAAA;AACjC,SAAOC,GAAAA;AACT,GAFmC;AAI5B,IAAMC,yBACX,wBAACC,YACD,OAAOV,MAAcW,WAAmBC,cAAAA;AAEtC,QAAMC,SAAS,MAAMH,QAAQI,MAAMC,sBAAsB;IAAEC,KAAK,GAAGhB,IAAAA,IAAQW,SAAAA;IAAaM,KAAKL;EAAiB,CAAA;AAC9GM,UAAQC,QAAQC,IAAI,QAAA,EAAUC,KAAK,sCAAsCR,OAAOS,OAAO,EAAE;AACzF,SAAO,CAACT,OAAOU;AACjB,GANA;;;AClBK,IAAMC,cACX;AAIK,IAAMC,aACX;;;ACDF,YAAYC,SAAS;AAErB,SAASC,YAAAA,iBAAgB;AAGzB,eAAsBC,0BAA0BC,KAAW;AACzD,QAAMC,WAAW,MAAMC,MAAMF,GAAAA;AAC7B,MAAI,CAACC,SAASE,IAAI;AAChB,UAAM,IAAIC,MAAM,GAAGH,SAASI,MAAM,KAAKJ,SAASK,UAAU,EAAE;EAC9D;AACA,SAAOL;AACT;AANsBF;AAUtB,SAASQ,4BAA4BC,gBAAuB;AAC1D,QAAMC,MAAMD,gBAAgBE,YAAAA,EAAcC,KAAAA,EAAOC,MAAM,GAAA,EAAK,CAAA;AAC5D,MAAIH,QAAQ,YAAYA,QAAQ,YAAYA,QAAQ,UAAU;AAC5D,WAAOA;EACT;AACA,SAAOI;AACT;AANSN;AAQF,SAASO,yBAAyBN,gBAAuB;AAC9D,SAAOA,gBAAgBE,YAAAA,EAAcC,KAAAA,EAAOC,MAAM,GAAA,EAAK,CAAA;AACzD;AAFgBE;AAIhB,eAAsBC,kBAAkB,EACtCC,OACAR,gBACAS,OAAM,GAKP;AACC,MAAI,CAACT,gBAAgB;AACnB,WAAO;EACT;AACA,QAAMU,MAAMX,4BAA4BC,cAAAA;AACxC,MAAI,CAACU,KAAK;AACR,WAAO;EACT;AACA,QAAMC,iBAAiB,MAAMC,gBAAgB;IAAEH;IAAQD;IAAOE;EAAI,CAAA;AAClE,SAAOC,kBAAkBX;AAC3B;AAlBsBO;AAoBtB,eAAsBK,gBAAgB,EACpCJ,OACAC,QACAC,MAAM,SAAQ,GAKf;AACC,QAAMC,iBAAiB,MAAMF,OAAO,OAAOD,UAAU,WAAWA,QAAQK,KAAKC,UAAUN,KAAAA,GAAQE,GAAAA;AAC/F,SAAO,GAAGA,GAAAA,IAAOK,UAASJ,gBAAgB,QAAA,CAAA;AAC5C;AAXsBC;AAaf,SAASI,wBAAwBC,UAA6BC,KAAW;AAC9E,MAAID,SAASC,QAAQA,KAAK;AACxB,UAAM,IAAItB,MAAM,yCAAA;EAClB;AACF;AAJgBoB;AAMT,SAASG,oBAAoBC,SAAqB;AACvD,SACE,UAAUA,WACVC,MAAMC,QAAQF,QAAQG,IAAI,KAC1BH,QAAQG,KAAKC,SAAS,sBAAA,KACtB,cAAcJ,YACZ,OAAOA,QAAQ,UAAA,MAAgB,YAAYA,QAAQ,UAAA,EAAYK,SAAS,KACvEJ,MAAMC,QAAQF,QAAQ,UAAA,CAAW,KAAKA,QAAQ,UAAA,EAAYK,SAAS,KAAKL,QAAQ,UAAA,EAAYI,SAAS,sCAAA;AAE5G;AATgBL;AAWT,SAASO,iBAAiBN,SAAqB;AACpD,SAAO,CAACD,oBAAoBC,OAAAA,KAAY,SAASA,WAAW,OAAOA,QAAQF,QAAQ;AACrF;AAFgBQ;AAIT,SAASC,mBAAmBP,SAAqB;AACtD,MAAIQ;AACJ,MAAIF,iBAAiBN,OAAAA,KAAY,SAASA,SAAS;AACjDQ,aAASR,QAAQS;EACnB,WAAWV,oBAAoBC,OAAAA,KAAa,YAAYA,WAAWA,QAAQQ,QAAS;AAClFA,aAAS,OAAOR,QAAQQ,WAAW,WAAWR,QAAQQ,SAAUR,QAAQQ,QAAgBE;EAC1F;AAEA,MAAI,CAACF,QAAQ;AACX,UAAM,IAAIhC,MAAM,kFAAA;EAClB;AACA,SAAOgC;AACT;AAZgBD;AAcT,SAASI,gBAAgBC,gBAAwBtB,KAAaD,QAAc;AACjF,QAAMwB,SAASxB,OAAOuB,gBAAgBtB,GAAAA;AACtC,SAAWK,aAASkB,QAAQ,WAAA;AAC9B;AAHgBF;;;ACpGhB,SAASG,qBAA2C;AAEpD,SAASC,sBAAsB;AAE/B,SAA6BC,uBAAgD;;;ACE7E,SAASC,wBAAwB;AAgB1B,IAAMC,4BAA2C;EAAC;EAAiB;EAA2B;EAAiB;;AAmE/G,SAASC,sBAAsBC,SAAwC;AAC5E,SAAOC,iBAAiBD,SAAS,eAAA;AACnC;AAFgBD;AAgBT,SAASG,aAAaC,MAAwB;AACnD,SAAOA,SAAS,eAAeA,SAAS;AAC1C;AAFgBD;;;AD9FT,IAAME,2BAAN,MAAMA;EAXb,OAWaA;;;EACX,OAAOC,OAAOC,MAAiBC,QAAgF;AAC7G,QAAIC,aAAaF,IAAAA,GAAO;AACtB,aAAO,IAAIG,mBAAmBF,MAAAA;IAChC;AACA,WAAO,IAAIG,gBAAgBH,MAAAA;EAC7B;AACF;AAGO,IAAME,qBAAN,cAAiCE,cAAAA;EArBxC,OAqBwCA;;;;;;EAItC,OAAiBL,OAAO;EAEdM,aAA+B,CAAC;EAE1C,YAAYA,YAA+B;AACzC,UAAMA,UAAAA;AACN,QAAIA,YAAY;AACd,WAAKA,aAAaA;IACpB;EACF;;;;;EAMUC,uBAAuBC,iBAA2D;AAG1F,QAAIA,iBAAiBC,OAAOC,MAAMC,QAAQH,gBAAgBC,GAAG,KAAKD,gBAAgBC,IAAIG,SAAS,GAAG;AAChG,YAAMC,gBAAgB;QAAC;QAAO;QAAO;QAAO;QAAO;QAAY;QAAQ;QAAoB;QAAoB;;AAE/G,YAAMC,iCAAkCN,gBAAgBC,IAAiBM,OAAO,CAACC,QAAQH,cAAcI,SAASD,GAAAA,CAAAA;AAChH,UAAIF,+BAA+BF,SAAS,GAAG;AAC7C,cAAM,IAAIM,eAAe,uCAAuCJ,+BAA+BK,KAAK,IAAA,CAAA,EAAO;MAC7G;IACF;EACF;;;;;;EAOA,MAAMC,OAAOC,cAAsBC,SAA2B;AAE5D,UAAMC,SAAuC,MAAM,MAAMH,OAAOC,cAAcC,OAAAA,EAASE,KAAK,CAACC,QAAAA;AAC3F,aAAO;QACLC,SAASD,IAAIC;QACbC,QAAQF,IAAIE;QACZC,IAAIH,IAAIG;MACV;IACF,CAAA;AAIA,WAAOL;EACT;;;;;;EAOA,MAAcM,kBAAkBC,UAAoBC,KAAaC,WAAoB;AACnF,QAAIA,WAAW;AAEb,YAAMC,cAAc,MAAMH,SAASG,YAAW;AAC9C,YAAMC,MAAMF,UAAUG,MAAM,GAAA,EAAK,CAAA;AAEjC,YAAMC,aAAa,MAAO,KAAK9B,WAAW+B,OAAkBJ,aAAaC,GAAAA;AACzE,YAAMI,gBAAgBN,UAAUG,MAAM,GAAA,EAAK,CAAA;AAC3C,YAAMI,OAAO7B,MAAM8B,KAAK,IAAIC,WAAWL,UAAAA,CAAAA,EACpCM,IAAI,CAACC,SAASA,KAAKC,SAAS,EAAA,EAAIC,SAAS,GAAG,GAAA,CAAA,EAC5C1B,KAAK,EAAA;AACR,UAAIoB,SAASD,eAAe;AAC1B,cAAM,IAAIQ,MAAM,uBAAuBf,GAAAA,eAAkBQ,IAAAA,kBAAsBD,aAAAA,EAAe;MAChG;IACF;EACF;;;;;;;EAQA,MAAgBS,MAAShB,KAAaC,WAAgC;AACpE,QAAI;AACF,YAAMF,WAAW,MAAMiB,MAAMhB,KAAK;QAChCiB,QAAQC,YAAYC,QAAQ,KAAK5C,WAAW4C,WAAW,GAAA;MACzD,CAAA;AACA,UAAI,CAACpB,SAASqB,IAAI;AAChB,cAAMC,YAAY,MAAMtB,SAASuB,KAAI;AACrC,eAAOC,QAAQC,OAAO,IAAIT,MAAM,kBAAkBf,GAAAA,KAAQD,SAAS0B,MAAM,IAAI1B,SAAS2B,UAAU,MAAML,SAAAA,EAAW,CAAA;MACnH;AACA,YAAM,KAAKvB,kBAAkBC,SAAS4B,MAAK,GAAI3B,KAAKC,SAAAA;AACpD,aAAOF,SAAS6B,KAAI;IACtB,SAASC,OAAO;AACd,UAAKA,MAAgBC,SAAS,gBAAgB;AAC5C,cAAM,IAAIf,MAAM,cAAcf,GAAAA,YAAe;MAC/C;AACA,YAAM6B;IACR;EACF;EAEA,MAAaE,MACXpC,SACAlB,iBACAc,SAGuB;AACvB,QAAII,QAAQqC,OAAO,CAACrC,QAAQsC,QAAQ;AAClCtC,cAAQsC,SAAS;QAAEC,IAAIvC,QAAQqC;MAAI;AACnC,aAAOrC,QAAQqC;IACjB;AACA,QAAIrC,QAAQwC,OAAO,CAACxC,QAAQyC,WAAW;AACrCzC,cAAQyC,YAAYC,YAAY1C,QAAQwC,GAAG;AAC3C,aAAOxC,QAAQwC;IACjB;AACA,QAAIxC,QAAQ2C,OAAO,CAAC3C,QAAQ4C,YAAY;AACtC5C,cAAQ4C,aAAaF,YAAY1C,QAAQ2C,GAAG;AAC5C,aAAO3C,QAAQ2C;IACjB;AACA,QAAI3C,QAAQ6C,OAAO,CAAC7D,MAAMC,QAAQe,QAAQ8C,iBAAiB,KAAK,CAAC9C,QAAQ8C,kBAAkBP,IAAI;AAC7FvC,cAAQ8C,kBAAkBP,KAAKvC,QAAQ6C;AACvC,aAAO7C,QAAQ6C;IACjB;AACA,WAAO,MAAMT,MAAMpC,SAASlB,iBAAiBc,OAAAA;EAC/C;AACF;AAEA,SAAS8C,YAAYK,OAAsB;AACzC,QAAMC,MAAM,OAAOD,UAAU,WAAWE,OAAOF,KAAAA,IAASA;AACxD,MAAI,CAACE,OAAOC,SAASF,GAAAA,GAAM;AACzB,UAAM,IAAIxD,eAAe,yBAAyBuD,KAAAA,EAAO;EAC3D;AAEA,SAAO,IAAII,KAAKH,MAAM,GAAA,EAAMI,YAAW;AACzC;AAPSV;;;AJzGT,YAAYW,UAAS;AAErB,IAAMC,QAAQC,MAAM,0BAAA;AAMb,IAAMC,cAAN,MAAMA;EAlDb,OAkDaA;;;;EAEMC;EACAC;EACTC;EACAC;EAER,YACEF,2BAIAD,mBACA;AACA,SAAKA,oBAAoBA,qBAAqB,CAAA;AAC9C,QAAI,CAACC,2BAA2B;AAC9BA,kCAA4B,CAAC;IAC/B;AACA,QAAI,OAAOA,2BAA2BG,WAAW,YAAY;AAC3DH,gCAA0BG,SAASC;IACrC;AACA,QAAI,OAAOJ,2BAA2BK,kBAAkB,YAAY;AAClEL,gCAA0BK,gBAAgBC;IAC5C;AACA,SAAKN,4BAA4BA;AACjC,SAAKC,WAAWD,2BAA2BO,WAAW,CAAC;AACvD,SAAKL,iBAAiBF,2BAA2BQ;EAGnD;;EAGSC,UAAwB;IAC/BC,eAAe,KAAKA,cAAcC,KAAK,IAAI;IAC3CC,yBAAyB,KAAKA,wBAAwBD,KAAK,IAAI;IAC/DE,eAAe,KAAKA,cAAcF,KAAK,IAAI;IAC3CG,yBAAyB,KAAKA,wBAAwBH,KAAK,IAAI;IAC/DI,kCAAkC,KAAKA,iCAAiCJ,KAAK,IAAI;EACnF;EAEA,MAAcK,uBAAuBC,MAAkCC,SAAqD;AAC1H,UAAM,EAAEC,YAAYC,WAAU,IAAKH;AACnC,QAAII,OAAOC,KAAK,KAAKrB,QAAQ,EAAEsB,SAASJ,UAAAA,KAAe,OAAO,KAAKlB,SAASkB,UAAAA,MAAgB,YAAY;AACtG,aAAO;QAAEK,QAAQ,KAAKvB,SAASkB,UAAAA;MAAY;IAC7C,WAAW,OAAO,KAAKjB,mBAAmB,YAAY;AACpD,aAAO;QAAEsB,QAAQ,KAAKtB;MAAe;IACvC;AACA,UAAMuB,aAAa,MAAM,KAAKC,WAAW;MAAEP;MAAYQ,gBAAgB;MAAmBP;IAAW,GAAGF,OAAAA;AACxG,UAAM,EAAEU,KAAKC,IAAG,IAAKJ;AAErB,UAAMD,SAAiB,8BAAOM,SAAAA;AAC5B,aAAOZ,QAAQa,MAAMC,eAAe;QAAEC,QAAQL,IAAIM;QAAWJ;MAAK,CAAA;IACpE,GAFuB;AAIvB,WAAO;MAAEN;MAAQK;MAAKJ;IAAW;EACnC;;;;;;;EAQA,MAAMf,cAAcO,MAA0BC,SAA0D;AACtG,UAAMiB,UAAUlB,KAAKmB;AACrB,UAAMC,UAAUC,oBAAoBH,OAAAA;AACpC,UAAMI,YAAYC,iBAAiBL,OAAAA;AACnC,UAAMM,OAAOxB,KAAKwB,SAASJ,UAAU,cAAc;AAEnD,UAAMK,SAASC,mBAAmB1B,KAAKmB,iBAAiB;AACxD,QAAI,CAACM,QAAQ;AACX,YAAM,IAAIE,MAAM,qCAAA;IAClB;AACA,UAAM,EAAEf,KAAKL,QAAQC,WAAU,IAAK,MAAM,KAAKT,uBAAuB;MAAEG,YAAYuB;MAAQtB,YAAYH,KAAKG;IAAW,GAAGF,OAAAA;AAC3H,UAAM2B,UAAUhB,OAAOJ,YAAYI,OAAO;AAC1C,UAAMiB,UAAyB,WAAWC,KAAKF,OAAAA,IAAY,OAAOA,QAAQG,MAAM,EAAC,CAAA,KAAyB;AAC1G,UAAMC,QAAQC,yBAAyBC,OAAOV,MAAM;MAClDW,SAAS;MACT5B;MACArB,QAAQ,KAAKH,0BAA0BG;MACvCE,eAAe,KAAKL,0BAA0BK;MAC9CwC;MACAC;IACF,CAAA;AAEA,UAAMO,SAAS;MACb,GAAI5B,YAAYG,IAAI0B,QAAQC,UAAa;QAAED,KAAK7B,WAAWG,IAAI0B;MAAI;MACnE,GAAI7B,YAAYG,IAAI4B,QAAQD,UAAa;QAAEC,KAAK/B,WAAWG,IAAI4B;MAAI;MACnE,GAAIf,QAAQ;QAAEgB,KAAKhB;MAAK;IAC1B;AACA,QAAIiB;AACJ,QAAIrB,SAAS;AACXqB,mBAAa,MAAOT,MAA6BU;QAC/CxB;;QAEAlB,KAAK2C;QACL;UAAEP;QAAO;MAAA;IAEb,WAAWd,WAAW;AACpBmB,mBAAa,MAAOT,MAA0BU,MAAMxB,SAASlB,KAAK2C,iBAAoD;QAAEP;MAAO,CAAA;IACjI,OAAO;AACL,aAAOQ,QAAQC,OAAO,IAAIlB,MAAM,iCAAiCH,IAAAA,yBAA6B,CAAA;IAChG;AAEA,WAAO;MAAEA;MAAMiB;IAAW;EAC5B;;;;;;;EAQA,MAAMhC,WAAWT,MAAmBC,SAAmD;AAErF,UAAM,EAAEC,YAAYC,WAAU,IAAK;MAAE,GAAGH;IAAK;AAC7C,QAAIG,YAAY;AACd,YAAMQ,MAAMR,WAAWQ;AACvB,YAAMC,MAAM,MAAMkC,0BAA0B;QAAEnC;MAAI,CAAA;AAClD,cAAQR,WAAW4C,QAAM;QACvB,KAAK;AACHpE,gBAAM,eAAegC,IAAIqC,YAAY,yBAAyB9C,UAAAA,EAAY;AAC1E,iBAAO;YAAEU;YAAKD,KAAK;cAAE,GAAGA;cAAKM,WAAWd,WAAWc;cAAWoB,KAAKlC,WAAWkC;YAAI;UAAE;QACtF;AACE,cAAI1B,IAAIsC,MAAMC,QAAQvC,IAAIsC,KAAKC,KAAKX,KAAK;AACvC,mBAAO;cAAE3B;cAAKD,KAAK;gBAAE0B,KAAKlC,WAAWkC;gBAAKpB,WAAWd,WAAWc;gBAAWsB,KAAK5B,IAAIsC,KAAKC,KAAKX;cAAgB;YAAE;UAClH,WAAW5B,IAAIsC,MAAME,eAAe;AAClC,mBAAO;cAAEvC;cAAKD,KAAK;gBAAE0B,KAAKlC,WAAWkC;gBAAKpB,WAAWd,WAAWc;gBAAWkC,eAAexC,IAAIsC,KAAKE;cAAc;YAAE;UACrH,OAAO;AACL,mBAAO;cAAEvC;cAAKD,KAAK;gBAAE0B,KAAKlC,WAAWkC;gBAAKpB,WAAWd,WAAWc;cAAU;YAAE;UAC9E;MACJ;IACF,WAAWf,WAAWkD,WAAW,MAAA,GAAS;AACxC,YAAMC,gBAAgB,MAAMpD,QAAQa,MAAMwC,0BAA0B;QAAEpD;MAAW,CAAA;AACjF,UAAI,CAACmD,eAAe;AAClB,cAAM,IAAI1B,MAAM,2CAA2CzB,UAAAA,EAAY;MACzE;AACA,YAAMS,MAAM0C,cAAc1C;AAC1B,YAAMC,MAAM,MAAMkC,0BAA0B;QAAEnC;MAAI,CAAA;AAClDhC,YAAM,eAAegC,IAAIqC,YAAY,yBAAyB9C,UAAAA,EAAY;AAE1E,aAAO;QAAEU;QAAKD,KAAK;UAAE,GAAGA;UAAKM,WAAWoC,cAAcpC;UAAWoB,KAAKgB,cAAchB;QAAI;MAAE;IAC5F,OAAO;AACL,YAAMkB,gBAAgB,MAAMtD,QAAQa,MAAM0C,0BAA0B;QAAEtD;MAAW,CAAA;AACjF,UAAI,CAACqD,eAAe;AAClB,cAAM,IAAI5B,MAAM,2CAA2CzB,UAAAA,EAAY;MACzE;AACA,YAAMS,MAAM4C,cAAc5C;AAC1B,YAAMC,MAAM,MAAMkC,0BAA0B;QAAEnC;MAAI,CAAA;AAClD,UAAIA,IAAIsC,MAAMC,QAAQvC,IAAIsC,KAAKC,KAAKX,KAAK;AACvC,eAAO;UAAE3B;UAAKD,KAAK;YAAE0B,KAAKkB,cAAclB;YAAKpB,WAAWsC,cAActC;YAAWsB,KAAK5B,IAAIsC,KAAKC,KAAKX;UAAgB;QAAE;MACxH,WAAW5B,IAAIsC,MAAME,eAAe;AAClC,eAAO;UAAEvC;UAAKD,KAAK;YAAE0B,KAAKkB,cAAclB;YAAKpB,WAAWsC,cAActC;YAAWkC,eAAexC,IAAIsC,KAAKE;UAAc;QAAE;MAC3H,OAAO;AACL,eAAO;UAAEvC;UAAKD,KAAK;YAAE0B,KAAKkB,cAAclB;YAAKpB,WAAWsC,cAActC;UAAU;QAAE;MACpF;IACF;EACF;;;;;;;EAQA,MAAMtB,wBAAwBK,MAAoCC,SAAoE;AACpI,UAAMuB,OAAOxB,KAAKwB,QAAQ;AAE1B,UAAMiC,OAAO,MAAMC,MAAMC,WAAW3D,KAAK4D,cAAc,KAAK7E,0BAA0BG,MAAM;AAE5F,UAAM2E,SAAS,MAAMJ,KAAKK,UAAkB,KAAK/E,0BAA0BG,MAAM;AACjF,QAAI6E;AAEJ,QAAI/D,KAAK+D,QAAQ;AACfA,eAAS/D,KAAK+D;IAChB,WAAWF,OAAOG,KAAKC,KAAK;AAC1B,YAAMA,MAAMJ,OAAOG,IAAIC;AACvBF,eAASG,uBAAuB;QAAED;MAAgB,CAAA;IACpD,WAAWJ,OAAOG,KAAK3B,KAAK;AAC1B0B,eAASF,OAAOG,KAAK3B;IACvB,WAAWwB,OAAOM,KAAK;AACrBJ,eAASF,OAAOM;IAClB,OAAO;AACL,YAAM,IAAIxC,MAAM,kEAAA;IAClB;AACA,UAAM,EAAEf,KAAKL,OAAM,IAAK,MAAM,KAAKR,uBAAuB;MAAEG,YAAY6D;IAAO,GAAG9D,OAAAA;AAElF,UAAM+B,QAAQC,yBAAyBC,OAAOV,MAAM;MAClDW,SAAS;MACTjD,QAAQ,KAAKH,0BAA0BG;MACvCE,eAAe,KAAKL,0BAA0BK;MAC9CgF,UAAU7D;MACV8D,WAAWzD,OAAO;IACpB,CAAA;AAEA,UAAMgD,eAAe,MAAM5B,MAAMsC,QAAQtE,KAAK4D,cAAc5D,KAAKuE,mBAAwD;MAAEC,IAAIxE,KAAKwE;IAAG,CAAA;AAEvI,WAAO;MAAEhD;MAAMoC;IAAa;EAC9B;;;;;;;EAQA,MAAMhE,cAAcI,MAA0BC,SAA0D;AAEtG,UAAMwE,WAAqB,8BAAO5D,MAAc6D,cAAsB,KAAKC,mBAAmB3C,OAAO/B,SAASY,MAAM6D,SAAAA,GAAzF;AAE3B,UAAMjB,OAAO,MAAMC,MAAMC,WAAW3D,KAAKyC,YAAY,KAAK1D,0BAA0BG,MAAM;AAC1F,UAAMsC,OAAOH,oBAAoBoC,KAAKmB,KAAK1D,OAAAA,IAA2B,cAAc;AAEpF,UAAMc,QAAQC,yBAAyBC,OAAOV,MAAM;MAAEiD;MAAUvF,QAAQ,KAAKH,0BAA0BG,UAAUC;IAAsB,CAAA;AAGvI,UAAM,EAAEiD,SAAS,CAAC,GAAGlB,SAASsD,GAAE,IAAK,MAAMxC,MAAM6C,OAAO7E,KAAKyC,YAAY;MAAEqC,aAAa,KAAK,KAAK,KAAK;IAAE,CAAA;AAEzG,WAAO;MAAEtD;MAAMY;MAAQlB;MAASsD;IAAG;EACrC;;;;;;;;;;EAWQO,SAAS9E,SAA2BY,MAAc6D,WAAmBxD,SAAuC;AAClH,QAAI,CAACA,QAAQ8C,KAAK;AAChB,YAAMrC,MAAM,4CAAA;IACd;AAIA,WAAO,KAAKqD,wBAAwB/E,OAAAA,EAASY,MAAM6D,WAAW,KAAKO,OAAO/D,OAAAA,CAAAA;EAC5E;;;;;;;;;EAUA,MAAMyD,mBACJ3C,OACA/B,SACAY,MACA6D,WACAQ,MACkB;AAClB,UAAMC,YAAY,MAAMnD,MAAMoD,OAAO,GAAGvE,IAAAA,IAAQ6D,SAAAA,EAAW;AAC3D,UAAMxD,UAAyBiE,UAAUP,IAAY1D;AACrD,UAAMO,SAAiBC,mBAAmBR,OAAAA;AAC1C,UAAMkB,SAAU+C,UAAUP,IAAYxC;AACtC,UAAMG,MAA4BH,QAAQG;AAC1C,QAAI0B,MAAoC7B,OAAO6B;AAC/C,QAAI1B,KAAK8C,QAAQ;AACf,YAAMC,eAAe,oBAAIC,IAAY;WAAI,KAAKzG;OAAkB;AAChE,UAAIwG,aAAaE,SAAS,GAAG;AAC3BF,qBAAaG,IAAIC,UAAAA;AACjBJ,qBAAaG,IAAIE,WAAAA;MACnB;AACA,YAAMC,8BAA8B,MAAM3F,QAAQa,MAAM+E,2BAA2B;QACjFC,OAAOvD;QACP+C,cAAcS,MAAMC,KAAKV,YAAAA;;QAEzBJ,MAAMA,MAAMe,iBAAiB;UAAEC,wBAAwB;UAAMC,0BAA0B;QAAK;MAC9F,CAAA;AAEA,UAAIP,4BAA4BQ,SAAS,CAACR,6BAA6BS,kBAAkB;AACvF,eAAOzD,QAAQC,OAAOlB,MAAM,wCAAwCiE,4BAA4BU,OAAO,EAAE,CAAA;MAC3G;AACA,YAAMC,WAAWX,4BAA4BS,iBAAiB,CAAA;AAC9DpC,YAAMsC,SAASC;IACjB;AAEA,QAAI,CAACvC,OAAO7B,OAAOC,KAAK/B,SAAS,MAAA,GAAS;AACxC,YAAMmG,SAAS,MAAMxG,QAAQa,MAAM4F,WAAW;QAAEC,QAAQvE,OAAOC;MAAI,CAAA;AACnE,UAAI,CAACoE,QAAQ;AACX,cAAM,IAAI9E,MAAM,0DAAA;MAClB;AACA,YAAMiF,iBAAiBH,OAAOI,aAAaC,oBAAoBC,KAAK,CAACpG,QAAQA,IAAIqG,OAAO5E,OAAOC,GAAG;AAClG,UAAI,CAACuE,gBAAgB;AACnB,cAAM,IAAIjF,MAAM,qEAAA;MAClB;AAGAsC,YAAM2C,eAAeK;IACvB;AAEA,QAAI,CAAChD,OAAOxC,OAAOnB,SAAS,MAAA,GAAS;AAEnC,YAAMmG,SAAS,MAAMxG,QAAQa,MAAM4F,WAAW;QAAEC,QAAQlF;MAAO,CAAA;AAC/D,UAAI,CAACgF,QAAQ;AACX,cAAM,IAAI9E,MAAM,0DAAA;MAClB;AAEA,YAAMiF,iBAAiBH,OAAOI,aAAaC,oBAAoBC,KAAK,CAACpG,QAAQA,IAAIqG,OAAO5E,OAAOC,GAAG;AAClG,UAAI,CAACuE,gBAAgB;AACnB,cAAM,IAAIjF,MAAM,qEAAA;MAClB;AAGAsC,YAAM2C,eAAeK;IACvB;AAEA,QAAI,CAAChD,KAAK;AACR,YAAM,IAAItC,MAAM,sDAAA;IAClB;AAEA,WAAO,KAAKqD,wBAAwB/E,OAAAA,EAASY,MAAM6D,WAAWT,GAAAA;EAChE;;;;;;;EAQA,MAAMpE,wBAAwBG,MAAoCC,SAAoE;AACpI,QAAI+B;AACJ,UAAMyC,WAAqB,8BAAO5D,MAAc6D,cAAsB,KAAKC,mBAAmB3C,OAAO/B,SAASY,MAAM6D,SAAAA,GAAzF;AAC3B,UAAMwC,aAAyB,8BAAOrG,MAAc6D,WAAmBxD,YAAwB,KAAK6D,SAAS9E,SAASY,MAAM6D,WAAWxD,OAAAA,GAAxG;AAC/Bc,YAAQ,IAAImF,iBAAgB;MAC1B1C;MACAvF,QAAQ,KAAKH,0BAA0BG;MACvCkI,YAAYF;IACd,CAAA;AAEA,UAAMG,eAAgC;MACpCC,mBAAmBtH,KAAKsH;MACxBC,iBAAiBvH,KAAKuH;IACxB;AAEA,WAAOvF,MAAM6C,OAAO7E,KAAK4D,cAAcyD,YAAAA;EACzC;;;;;;;EAQA,MAAMvH,iCAAiCE,MAA4CC,SAAuD;AACxI,UAAM,EAAEuH,KAAKC,cAAcvC,KAAI,IAAKlF;AACpC,UAAM0H,MAAM,IAAIC,IAAIH,GAAAA;AAEpB,UAAMI,WAAW,MAAMC,0BAA0BH,IAAII,SAAQ,CAAA;AAC7D,UAAMC,WAA+B,MAAMH,SAASI,KAAI;AACxDC,4BAAwBF,UAAUP,GAAAA;AAElC,UAAMU,WAAW,8BAAOV,MAAaW,OAAgBC,gBAAyBlJ,YAAAA;AAC5E,UAAIA,WAAUkJ,gBAAgB;AAC5B,cAAMC,aAAa,MAAMC,kBAAkB;UAAEF;UAAgBD;UAAOjJ,QAAAA;QAAO,CAAA;AAC3E,YAAI,CAACmJ,YAAY;AACf,iBAAOzF,QAAQC,OAAOlB,MAAM,mCAAmC6F,IAAAA,cAAiBO,SAASQ,OAAO,gBAAgBH,cAAAA,GAAiB,CAAA;QACnI;MACF;IACF,GAPiB;AASjB,UAAMlJ,SAAUgG,MAAMhG,UAAU,KAAKH,0BAA0BG,UAAUC;AACzE,QAAID,QAAQ;AACV,UAAIuI,cAAc;AAChB,cAAMS,SAASV,KAAKO,UAAUN,cAAcvI,MAAAA;AAC5C,cAAMsJ,gBAAgB,MAAMF,kBAAkB;UAAEF,gBAAgBX;UAAcU,OAAOJ;UAAU7I;QAAO,CAAA;AACtG,YAAI,CAACsJ,eAAe;AAClB,iBAAO5F,QAAQC,OAAOlB,MAAM,mCAAmC6F,GAAAA,gBAAmBC,YAAAA,EAAc,CAAA;QAClG;MACF;AAEA,UAAIM,SAAS,mBAAA,GAAsB;AACjC,cAAMU,kBAAkB,MAAM,KAAK3I,iCAAiC;UAAE0H,KAAKO,SAAS,mBAAA;UAAsB7C;QAAK,GAAGjF,OAAAA;AAClH,cAAMiI,SAASV,KAAKiB,iBAAiBV,SAAS,mBAAA,GAAsB7I,MAAAA;MACtE;AAEA,UAAI6I,SAAS,sBAAA,GAAyB;AACpC,cAAMW,iBAAiB,MAAMb,0BAA0BE,SAASY,UAAU;AAC1E,cAAMC,SAAS,MAAMF,eAAeV,KAAI;AACxC,cAAME,SAASV,KAAKoB,QAAQb,SAAS,sBAAA,GAAyB7I,MAAAA;MAChE;AAEA6I,eAASc,SAASC,QAAQ,CAACD,YAAAA;AACzB,cAAME,sBAAsBF,QAAQG,WAAWC,QAAQC,OAAO,eAAA;AAC9D,YAAIH,qBAAqB;AACvBI,kBAAQC,IAAI,4BAAA;QACd;MACF,CAAA;IACF;AAEA,WAAOrB;EACT;EAEQ/C,wBAAwB/E,SAAiD;AAC/E,QAAI,OAAO,KAAKlB,0BAA0BsK,oBAAoB,YAAY;AACxE,aAAO,KAAKtK,0BAA0BsK;IACxC;AAEA,WAAOC,uBAAuBrJ,OAAAA;EAChC;EAEQgF,OAAO/D,SAAiC;AAC9C,QAAIA,QAAQ8C,KAAKC,QAAQ3B,QAAW;AAClC,aAAOpB,QAAQ8C,IAAIC;IACrB,WAAW/C,QAAQ8C,QAAQ1B,UAAa,SAASpB,QAAQ8C,OAAO,OAAO9C,QAAQ8C,IAAI3B,QAAQ,YAAYnB,QAAQ8C,IAAI3B,IAAIe,WAAW,UAAA,GAAa;AAG7I,YAAMmG,UAAU,KAAKC,wBAAwBtI,QAAQ8C,IAAI3B,GAAG;AAC5D,YAAMoH,UAAc3B,cAAa4B,gBAAWH,SAAS,WAAA,GAAc,OAAA;AACnE,YAAM3E,MAAM+E,KAAKC,MAAMH,OAAAA;AACvB,aAAO7E;IACT;AACA,UAAMjD,MAAM,2CAAA;EACd;EAEQ6H,wBAAwBK,KAAqB;AACnD,UAAMC,QAAQD,IAAIE,MAAM,GAAA;AACxB,QAAID,MAAMzE,SAAS,GAAG;AACpB,YAAM,IAAI1D,MAAM,oBAAA;IAClB;AACA,WAAOmI,MAAM,CAAA,EAAGC,MAAM,GAAA,EAAK,CAAA;EAC7B;AACF;","names":["SDJwt","SDJwtVcInstance","calculateJwkThumbprint","signatureAlgorithmFromKey","Debug","digestMethodParams","Loggers","v4","fromString","defaultGenerateDigest","data","alg","digestMethodParams","includes","hash","fromString","Uint8Array","defaultGenerateSalt","v4","defaultVerifySignature","context","signature","publicKey","result","agent","jwtVerifyJwsSignature","jws","jwk","Loggers","DEFAULT","get","info","message","error","funkeTestCA","sphereonCA","u8a","toString","fetchUrlWithErrorHandling","url","response","fetch","ok","Error","status","statusText","extractHashAlgFromIntegrity","integrityValue","val","toLowerCase","trim","split","undefined","extractHashFromIntegrity","validateIntegrity","input","hasher","alg","calculatedHash","createIntegrity","JSON","stringify","toString","assertValidTypeMetadata","metadata","vct","isVcdm2SdJwtPayload","payload","Array","isArray","type","includes","length","isSdjwtVcPayload","getIssuerFromSdJwt","issuer","iss","id","calculateSdHash","compactSdJwtVc","digest","SDJwtInstance","SDJWTException","SDJwtVcInstance","contextHasPlugin","sdJwtPluginContextMethods","contextHasSDJwtPlugin","context","contextHasPlugin","isVcdm2SdJwt","type","SDJwtVcdmInstanceFactory","create","type","config","isVcdm2SdJwt","SDJwtVcdm2Instance","SDJwtVcInstance","SDJwtInstance","userConfig","validateReservedFields","disclosureFrame","_sd","Array","isArray","length","reservedNames","reservedNamesInDisclosureFrame","filter","key","includes","SDJWTException","join","verify","encodedSDJwt","options","result","then","res","payload","header","kb","validateIntegrity","response","url","integrity","arrayBuffer","alg","split","hashBuffer","hasher","integrityHash","hash","from","Uint8Array","map","byte","toString","padStart","Error","fetch","signal","AbortSignal","timeout","ok","errorText","text","Promise","reject","status","statusText","clone","json","error","name","issue","iss","issuer","id","nbf","validFrom","toVcdm2Date","exp","validUntil","sub","credentialSubject","value","num","Number","isFinite","Date","toISOString","u8a","debug","Debug","SDJwtPlugin","trustAnchorsInPEM","registeredImplementations","_signers","_defaultSigner","hasher","defaultGenerateDigest","saltGenerator","defaultGenerateSalt","signers","defaultSigner","methods","createSdJwtVc","bind","createSdJwtPresentation","verifySdJwtVc","verifySdJwtPresentation","fetchSdJwtTypeMetadataFromVctUrl","getSignerForIdentifier","args","context","identifier","resolution","Object","keys","includes","signer","signingKey","getSignKey","vmRelationship","key","alg","data","agent","keyManagerSign","keyRef","kmsKeyRef","payload","credentialPayload","isVcdm2","isVcdm2SdJwtPayload","isSdJwtVc","isSdjwtVcPayload","type","issuer","getIssuerFromSdJwt","Error","signAlg","hashAlg","test","slice","sdjwt","SDJwtVcdmInstanceFactory","create","omitTyp","header","kid","undefined","x5c","typ","credential","issue","disclosureFrame","Promise","reject","signatureAlgorithmFromKey","method","publicKeyHex","meta","x509","jwkThumbprint","startsWith","didIdentifier","identifierManagedGetByDid","kidIdentifier","identifierManagedGetByKid","cred","SDJwt","fromEncode","presentation","claims","getClaims","holder","cnf","jwk","calculateJwkThumbprint","sub","kbSigner","kbSignAlg","present","presentationFrame","kb","verifier","signature","verifyCallbackImpl","jwt","verify","skewSeconds","verifyKb","verifySignatureCallback","getJwk","opts","decodedVC","decode","length","trustAnchors","Set","size","add","sphereonCA","funkeTestCA","certificateValidationResult","x509VerifyCertificateChain","chain","Array","from","x5cValidation","trustRootWhenNoAnchors","allowNoTrustAnchorsFound","error","certificateChain","message","certInfo","publicKeyJWK","didDoc","resolveDid","didUrl","didDocumentKey","didDocument","verificationMethod","find","id","publicKeyJwk","verifierKb","SDJwtVcInstance","kbVerifier","verifierOpts","requiredClaimKeys","keyBindingNonce","vct","vctIntegrity","url","URL","response","fetchUrlWithErrorHandling","toString","metadata","json","assertValidTypeMetadata","validate","input","integrityValue","validation","validateIntegrity","extends","vctValidation","extendsMetadata","schemaResponse","schema_uri","schema","display","forEach","simpleLogoIntegrity","rendering","simple","logo","console","log","verifySignature","defaultVerifySignature","encoded","extractBase64FromDIDJwk","decoded","fromString","JSON","parse","did","parts","split"]}
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@sphereon/ssi-sdk.sd-jwt",
3
- "version": "0.36.1-feature.integration.fides.68+e5f2d6af",
3
+ "version": "0.36.1-feature.integration.fides.74+0d17e392",
4
4
  "source": "src/index.ts",
5
5
  "type": "module",
6
6
  "main": "./dist/index.cjs",
@@ -30,14 +30,14 @@
30
30
  "@sd-jwt/decode": "^0.15.0",
31
31
  "@sd-jwt/sd-jwt-vc": "^0.15.1",
32
32
  "@sd-jwt/types": "^0.15.0",
33
- "@sphereon/ssi-sdk-ext.did-utils": "0.36.1-feature.integration.fides.68+e5f2d6af",
34
- "@sphereon/ssi-sdk-ext.identifier-resolution": "0.36.1-feature.integration.fides.68+e5f2d6af",
35
- "@sphereon/ssi-sdk-ext.jwt-service": "0.36.1-feature.integration.fides.68+e5f2d6af",
36
- "@sphereon/ssi-sdk-ext.key-utils": "0.36.1-feature.integration.fides.68+e5f2d6af",
37
- "@sphereon/ssi-sdk-ext.x509-utils": "0.36.1-feature.integration.fides.68+e5f2d6af",
38
- "@sphereon/ssi-sdk.agent-config": "0.36.1-feature.integration.fides.68+e5f2d6af",
39
- "@sphereon/ssi-sdk.mdl-mdoc": "0.36.1-feature.integration.fides.68+e5f2d6af",
40
- "@sphereon/ssi-types": "0.36.1-feature.integration.fides.68+e5f2d6af",
33
+ "@sphereon/ssi-sdk-ext.did-utils": "0.36.1-feature.integration.fides.74+0d17e392",
34
+ "@sphereon/ssi-sdk-ext.identifier-resolution": "0.36.1-feature.integration.fides.74+0d17e392",
35
+ "@sphereon/ssi-sdk-ext.jwt-service": "0.36.1-feature.integration.fides.74+0d17e392",
36
+ "@sphereon/ssi-sdk-ext.key-utils": "0.36.1-feature.integration.fides.74+0d17e392",
37
+ "@sphereon/ssi-sdk-ext.x509-utils": "0.36.1-feature.integration.fides.74+0d17e392",
38
+ "@sphereon/ssi-sdk.agent-config": "0.36.1-feature.integration.fides.74+0d17e392",
39
+ "@sphereon/ssi-sdk.mdl-mdoc": "0.36.1-feature.integration.fides.74+0d17e392",
40
+ "@sphereon/ssi-types": "0.36.1-feature.integration.fides.74+0d17e392",
41
41
  "debug": "^4.3.5",
42
42
  "uint8arrays": "^3.1.1",
43
43
  "uuid": "^9.0.1"
@@ -46,10 +46,10 @@
46
46
  "@sd-jwt/decode": "^0.15.0",
47
47
  "@sd-jwt/types": "^0.15.0",
48
48
  "@sd-jwt/utils": "^0.15.0",
49
- "@sphereon/ssi-sdk-ext.did-provider-jwk": "0.36.1-feature.integration.fides.68+e5f2d6af",
50
- "@sphereon/ssi-sdk-ext.did-resolver-jwk": "0.36.1-feature.integration.fides.68+e5f2d6af",
51
- "@sphereon/ssi-sdk-ext.key-manager": "0.36.1-feature.integration.fides.68+e5f2d6af",
52
- "@sphereon/ssi-sdk-ext.kms-local": "0.36.1-feature.integration.fides.68+e5f2d6af",
49
+ "@sphereon/ssi-sdk-ext.did-provider-jwk": "0.36.1-feature.integration.fides.74+0d17e392",
50
+ "@sphereon/ssi-sdk-ext.did-resolver-jwk": "0.36.1-feature.integration.fides.74+0d17e392",
51
+ "@sphereon/ssi-sdk-ext.key-manager": "0.36.1-feature.integration.fides.74+0d17e392",
52
+ "@sphereon/ssi-sdk-ext.kms-local": "0.36.1-feature.integration.fides.74+0d17e392",
53
53
  "@types/node": "^20.17.1",
54
54
  "@types/uuid": "^9.0.8",
55
55
  "@veramo/core": "4.2.0",
@@ -84,5 +84,5 @@
84
84
  "Selective Disclosure",
85
85
  "Verifiable Credential"
86
86
  ],
87
- "gitHead": "e5f2d6afc3a7f56a9917d7a105ccb3eb02516713"
87
+ "gitHead": "0d17e392eadbabaf626832e1841493cc29be7787"
88
88
  }
package/src/action-handler.ts CHANGED
@@ -334,8 +334,7 @@ export class SDJwtPlugin implements IAgentPlugin {
334
334
  if (!didDoc) {
335
335
  throw new Error('invalid_issuer: issuer did not resolve to a did document')
336
336
  }
337
- //TODO SDK-20: This should be checking for an assertionMethod and not just an verificationMethod with an id
338
- const didDocumentKey = didDoc.didDocument?.verificationMethod?.find((key) => key.id)
337
+ const didDocumentKey = didDoc.didDocument?.verificationMethod?.find((key) => key.id === header.kid)
339
338
  if (!didDocumentKey) {
340
339
  throw new Error('invalid_issuer: issuer did document does not include referenced key')
341
340
  }
@@ -351,7 +350,7 @@ export class SDJwtPlugin implements IAgentPlugin {
351
350
  throw new Error('invalid_issuer: issuer did not resolve to a did document')
352
351
  }
353
352
  //TODO SDK-20: This should be checking for an assertionMethod and not just an verificationMethod with an id
354
- const didDocumentKey = didDoc.didDocument?.verificationMethod?.find((key) => key.id)
353
+ const didDocumentKey = didDoc.didDocument?.verificationMethod?.find((key) => key.id === header.kid)
355
354
  if (!didDocumentKey) {
356
355
  throw new Error('invalid_issuer: issuer did document does not include referenced key')
357
356
  }