@sphereon/ssi-sdk.sd-jwt 0.36.1-next.11 → 0.36.1-next.115

package/dist/index.d.cts

@@ -1,12 +1,51 @@
-import { SdJwtVcPayload as SdJwtVcPayload$1, VerificationResult, SDJwtVcInstance } from '@sd-jwt/sd-jwt-vc';
-import { SaltGenerator, KBOptions, kbHeader, kbPayload, Hasher, Signer, DisclosureFrame, SDJWTCompact, HasherSync as HasherSync$1 } from '@sd-jwt/types';
+import { VerificationResult, SdJwtVcPayload as SdJwtVcPayload$1, SDJwtVcInstance } from '@sd-jwt/sd-jwt-vc';
+import { DisclosureFrame, SDJWTCompact, SaltGenerator, KBOptions, kbHeader, kbPayload, Hasher, Signer, HasherSync as HasherSync$1 } from '@sd-jwt/types';
 import { X509CertificateChainValidationOpts } from '@sphereon/ssi-sdk-ext.x509-utils';
-import { HasherSync, JsonWebKey, SdJwtVcType, SdJwtVpType, SdJwtVcdm2Payload, SdJwtTypeMetadata, JoseSignatureAlgorithm, SdJwtType, SDJWTVCDM2Config } from '@sphereon/ssi-types';
+import { SdJwtVcdm2Payload, SDJWTVCDM2Config, HasherSync, JsonWebKey, SdJwtVcType, SdJwtVpType, SdJwtTypeMetadata, JoseSignatureAlgorithm, SdJwtType, SdJwtVcKbJwtHeader, SdJwtVcKbJwtPayload } from '@sphereon/ssi-types';
 import { IPluginMethodMap, IAgentContext, IDIDManager, IResolver, IKeyManager, DIDDocumentSection, IAgentPlugin } from '@veramo/core';
+import { SDJwtInstance, VerifierOptions, SdJwtPayload } from '@sd-jwt/core';
 import { ManagedIdentifierResult, IIdentifierResolution } from '@sphereon/ssi-sdk-ext.identifier-resolution';
 import { IJwtService } from '@sphereon/ssi-sdk-ext.jwt-service';
 import { ImDLMdoc } from '@sphereon/ssi-sdk.mdl-mdoc';
-import { SdJwtPayload, SDJwtInstance, VerifierOptions } from '@sd-jwt/core';
+
+interface SdJwtVcdm2VerificationResult extends Omit<VerificationResult, 'payload'> {
+    payload: SdJwtVcdm2Payload;
+}
+declare class SDJwtVcdm2Instance extends SDJwtInstance<SdJwtVcdm2Payload> {
+    /**
+     * The type of the SD-JWT VCDM2 set in the header.typ field.
+     */
+    protected static type: string;
+    protected userConfig: SDJWTVCDM2Config;
+    constructor(userConfig?: SDJWTVCDM2Config);
+    /**
+     * Validates if the disclosureFrame contains any reserved fields. If so it will throw an error.
+     * @param disclosureFrame
+     */
+    protected validateReservedFields(disclosureFrame: DisclosureFrame<SdJwtVcdm2Payload>): void;
+    /**
+     * Verifies the SD-JWT-VC. It will validate the signature, the keybindings when required, the status, and the VCT.
+     * @param encodedSDJwt
+     * @param options
+     */
+    verify(encodedSDJwt: string, options?: VerifierOptions): Promise<SdJwtVcdm2VerificationResult>;
+    /**
+     * Validates the integrity of the response if the integrity is passed. If the integrity does not match, an error is thrown.
+     * @param integrity
+     * @param response
+     */
+    private validateIntegrity;
+    /**
+     * Fetches the content from the url with a timeout of 10 seconds.
+     * @param url
+     * @param integrity
+     * @returns
+     */
+    protected fetch<T>(url: string, integrity?: string): Promise<T>;
+    issue<Payload extends SdJwtVcdm2Payload>(payload: Payload, disclosureFrame?: DisclosureFrame<Payload>, options?: {
+        header?: object;
+    }): Promise<SDJWTCompact>;
+}
 
 declare const sdJwtPluginContextMethods: Array<string>;
 /**
@@ -248,45 +287,10 @@ type GetSignerResult = {
     alg?: string;
     signingKey?: SignKeyResult;
 };
-
-interface SdJwtVcdm2VerificationResult extends Omit<VerificationResult, 'payload'> {
-    payload: SdJwtVcdm2Payload;
-}
-declare class SDJwtVcdm2Instance extends SDJwtInstance<SdJwtVcdm2Payload> {
-    /**
-     * The type of the SD-JWT VCDM2 set in the header.typ field.
-     */
-    protected static type: string;
-    protected userConfig: SDJWTVCDM2Config;
-    constructor(userConfig?: SDJWTVCDM2Config);
-    /**
-     * Validates if the disclosureFrame contains any reserved fields. If so it will throw an error.
-     * @param disclosureFrame
-     */
-    protected validateReservedFields(disclosureFrame: DisclosureFrame<SdJwtVcdm2Payload>): void;
-    /**
-     * Verifies the SD-JWT-VC. It will validate the signature, the keybindings when required, the status, and the VCT.
-     * @param encodedSDJwt
-     * @param options
-     */
-    verify(encodedSDJwt: string, options?: VerifierOptions): Promise<SdJwtVcdm2VerificationResult>;
-    /**
-     * Validates the integrity of the response if the integrity is passed. If the integrity does not match, an error is thrown.
-     * @param integrity
-     * @param response
-     */
-    private validateIntegrity;
-    /**
-     * Fetches the content from the url with a timeout of 10 seconds.
-     * @param url
-     * @param integrity
-     * @returns
-     */
-    protected fetch<T>(url: string, integrity?: string): Promise<T>;
-    issue<Payload extends SdJwtVcdm2Payload>(payload: Payload, disclosureFrame?: DisclosureFrame<Payload>, options?: {
-        header?: object;
-    }): Promise<SDJWTCompact>;
-}
+type PartialSdJwtKbJwt = {
+    header: Partial<SdJwtVcKbJwtHeader>;
+    payload: Partial<SdJwtVcKbJwtPayload>;
+};
 
 /**
  * @beta
@@ -390,5 +394,6 @@ declare function assertValidTypeMetadata(metadata: SdJwtTypeMetadata, vct: strin
 declare function isVcdm2SdJwtPayload(payload: SdJwtPayload): payload is SdJwtVcdm2Payload;
 declare function isSdjwtVcPayload(payload: SdJwtPayload): payload is SdJwtVcPayload$1;
 declare function getIssuerFromSdJwt(payload: SdJwtPayload): string;
+declare function calculateSdHash(compactSdJwtVc: string, alg: string, hasher: Hasher): string;
 
-export { type Claims, type FetchSdJwtTypeMetadataFromVctUrlArgs, type FetchSdJwtTypeMetadataFromVctUrlOpts, type GetSignerForIdentifierArgs, type GetSignerResult, type ICreateSdJwtPresentationArgs, type ICreateSdJwtPresentationResult, type ICreateSdJwtVcArgs, type ICreateSdJwtVcResult, type IDisclosureFrame, type IPresentationFrame, type IRequiredContext, type ISDJwtPlugin, type IVerifySdJwtPresentationArgs, type IVerifySdJwtPresentationResult, type IVerifySdJwtVcArgs, type IVerifySdJwtVcResult, type IntegrityAlg, SDJwtPlugin, type SdJWTImplementation, type SdJwtVcPayload, type SdJwtVerifySignature, type SignKeyArgs, type SignKeyResult, type Vcdm2Enveloped, assertValidTypeMetadata, contextHasSDJwtPlugin, createIntegrity, defaultGenerateDigest, extractHashFromIntegrity, fetchUrlWithErrorHandling, getIssuerFromSdJwt, isSdjwtVcPayload, isVcdm2SdJwt, isVcdm2SdJwtPayload, sdJwtPluginContextMethods, validateIntegrity };
+export { type Claims, type FetchSdJwtTypeMetadataFromVctUrlArgs, type FetchSdJwtTypeMetadataFromVctUrlOpts, type GetSignerForIdentifierArgs, type GetSignerResult, type ICreateSdJwtPresentationArgs, type ICreateSdJwtPresentationResult, type ICreateSdJwtVcArgs, type ICreateSdJwtVcResult, type IDisclosureFrame, type IPresentationFrame, type IRequiredContext, type ISDJwtPlugin, type IVerifySdJwtPresentationArgs, type IVerifySdJwtPresentationResult, type IVerifySdJwtVcArgs, type IVerifySdJwtVcResult, type IntegrityAlg, type PartialSdJwtKbJwt, SDJwtPlugin, type SdJWTImplementation, type SdJwtVcPayload, type SdJwtVerifySignature, type SignKeyArgs, type SignKeyResult, type Vcdm2Enveloped, assertValidTypeMetadata, calculateSdHash, contextHasSDJwtPlugin, createIntegrity, defaultGenerateDigest, extractHashFromIntegrity, fetchUrlWithErrorHandling, getIssuerFromSdJwt, isSdjwtVcPayload, isVcdm2SdJwt, isVcdm2SdJwtPayload, sdJwtPluginContextMethods, validateIntegrity };

package/dist/index.d.ts

@@ -1,12 +1,51 @@
-import { SdJwtVcPayload as SdJwtVcPayload$1, VerificationResult, SDJwtVcInstance } from '@sd-jwt/sd-jwt-vc';
-import { SaltGenerator, KBOptions, kbHeader, kbPayload, Hasher, Signer, DisclosureFrame, SDJWTCompact, HasherSync as HasherSync$1 } from '@sd-jwt/types';
+import { VerificationResult, SdJwtVcPayload as SdJwtVcPayload$1, SDJwtVcInstance } from '@sd-jwt/sd-jwt-vc';
+import { DisclosureFrame, SDJWTCompact, SaltGenerator, KBOptions, kbHeader, kbPayload, Hasher, Signer, HasherSync as HasherSync$1 } from '@sd-jwt/types';
 import { X509CertificateChainValidationOpts } from '@sphereon/ssi-sdk-ext.x509-utils';
-import { HasherSync, JsonWebKey, SdJwtVcType, SdJwtVpType, SdJwtVcdm2Payload, SdJwtTypeMetadata, JoseSignatureAlgorithm, SdJwtType, SDJWTVCDM2Config } from '@sphereon/ssi-types';
+import { SdJwtVcdm2Payload, SDJWTVCDM2Config, HasherSync, JsonWebKey, SdJwtVcType, SdJwtVpType, SdJwtTypeMetadata, JoseSignatureAlgorithm, SdJwtType, SdJwtVcKbJwtHeader, SdJwtVcKbJwtPayload } from '@sphereon/ssi-types';
 import { IPluginMethodMap, IAgentContext, IDIDManager, IResolver, IKeyManager, DIDDocumentSection, IAgentPlugin } from '@veramo/core';
+import { SDJwtInstance, VerifierOptions, SdJwtPayload } from '@sd-jwt/core';
 import { ManagedIdentifierResult, IIdentifierResolution } from '@sphereon/ssi-sdk-ext.identifier-resolution';
 import { IJwtService } from '@sphereon/ssi-sdk-ext.jwt-service';
 import { ImDLMdoc } from '@sphereon/ssi-sdk.mdl-mdoc';
-import { SdJwtPayload, SDJwtInstance, VerifierOptions } from '@sd-jwt/core';
+
+interface SdJwtVcdm2VerificationResult extends Omit<VerificationResult, 'payload'> {
+    payload: SdJwtVcdm2Payload;
+}
+declare class SDJwtVcdm2Instance extends SDJwtInstance<SdJwtVcdm2Payload> {
+    /**
+     * The type of the SD-JWT VCDM2 set in the header.typ field.
+     */
+    protected static type: string;
+    protected userConfig: SDJWTVCDM2Config;
+    constructor(userConfig?: SDJWTVCDM2Config);
+    /**
+     * Validates if the disclosureFrame contains any reserved fields. If so it will throw an error.
+     * @param disclosureFrame
+     */
+    protected validateReservedFields(disclosureFrame: DisclosureFrame<SdJwtVcdm2Payload>): void;
+    /**
+     * Verifies the SD-JWT-VC. It will validate the signature, the keybindings when required, the status, and the VCT.
+     * @param encodedSDJwt
+     * @param options
+     */
+    verify(encodedSDJwt: string, options?: VerifierOptions): Promise<SdJwtVcdm2VerificationResult>;
+    /**
+     * Validates the integrity of the response if the integrity is passed. If the integrity does not match, an error is thrown.
+     * @param integrity
+     * @param response
+     */
+    private validateIntegrity;
+    /**
+     * Fetches the content from the url with a timeout of 10 seconds.
+     * @param url
+     * @param integrity
+     * @returns
+     */
+    protected fetch<T>(url: string, integrity?: string): Promise<T>;
+    issue<Payload extends SdJwtVcdm2Payload>(payload: Payload, disclosureFrame?: DisclosureFrame<Payload>, options?: {
+        header?: object;
+    }): Promise<SDJWTCompact>;
+}
 
 declare const sdJwtPluginContextMethods: Array<string>;
 /**
@@ -248,45 +287,10 @@ type GetSignerResult = {
     alg?: string;
     signingKey?: SignKeyResult;
 };
-
-interface SdJwtVcdm2VerificationResult extends Omit<VerificationResult, 'payload'> {
-    payload: SdJwtVcdm2Payload;
-}
-declare class SDJwtVcdm2Instance extends SDJwtInstance<SdJwtVcdm2Payload> {
-    /**
-     * The type of the SD-JWT VCDM2 set in the header.typ field.
-     */
-    protected static type: string;
-    protected userConfig: SDJWTVCDM2Config;
-    constructor(userConfig?: SDJWTVCDM2Config);
-    /**
-     * Validates if the disclosureFrame contains any reserved fields. If so it will throw an error.
-     * @param disclosureFrame
-     */
-    protected validateReservedFields(disclosureFrame: DisclosureFrame<SdJwtVcdm2Payload>): void;
-    /**
-     * Verifies the SD-JWT-VC. It will validate the signature, the keybindings when required, the status, and the VCT.
-     * @param encodedSDJwt
-     * @param options
-     */
-    verify(encodedSDJwt: string, options?: VerifierOptions): Promise<SdJwtVcdm2VerificationResult>;
-    /**
-     * Validates the integrity of the response if the integrity is passed. If the integrity does not match, an error is thrown.
-     * @param integrity
-     * @param response
-     */
-    private validateIntegrity;
-    /**
-     * Fetches the content from the url with a timeout of 10 seconds.
-     * @param url
-     * @param integrity
-     * @returns
-     */
-    protected fetch<T>(url: string, integrity?: string): Promise<T>;
-    issue<Payload extends SdJwtVcdm2Payload>(payload: Payload, disclosureFrame?: DisclosureFrame<Payload>, options?: {
-        header?: object;
-    }): Promise<SDJWTCompact>;
-}
+type PartialSdJwtKbJwt = {
+    header: Partial<SdJwtVcKbJwtHeader>;
+    payload: Partial<SdJwtVcKbJwtPayload>;
+};
 
 /**
  * @beta
@@ -390,5 +394,6 @@ declare function assertValidTypeMetadata(metadata: SdJwtTypeMetadata, vct: strin
 declare function isVcdm2SdJwtPayload(payload: SdJwtPayload): payload is SdJwtVcdm2Payload;
 declare function isSdjwtVcPayload(payload: SdJwtPayload): payload is SdJwtVcPayload$1;
 declare function getIssuerFromSdJwt(payload: SdJwtPayload): string;
+declare function calculateSdHash(compactSdJwtVc: string, alg: string, hasher: Hasher): string;
 
-export { type Claims, type FetchSdJwtTypeMetadataFromVctUrlArgs, type FetchSdJwtTypeMetadataFromVctUrlOpts, type GetSignerForIdentifierArgs, type GetSignerResult, type ICreateSdJwtPresentationArgs, type ICreateSdJwtPresentationResult, type ICreateSdJwtVcArgs, type ICreateSdJwtVcResult, type IDisclosureFrame, type IPresentationFrame, type IRequiredContext, type ISDJwtPlugin, type IVerifySdJwtPresentationArgs, type IVerifySdJwtPresentationResult, type IVerifySdJwtVcArgs, type IVerifySdJwtVcResult, type IntegrityAlg, SDJwtPlugin, type SdJWTImplementation, type SdJwtVcPayload, type SdJwtVerifySignature, type SignKeyArgs, type SignKeyResult, type Vcdm2Enveloped, assertValidTypeMetadata, contextHasSDJwtPlugin, createIntegrity, defaultGenerateDigest, extractHashFromIntegrity, fetchUrlWithErrorHandling, getIssuerFromSdJwt, isSdjwtVcPayload, isVcdm2SdJwt, isVcdm2SdJwtPayload, sdJwtPluginContextMethods, validateIntegrity };
+export { type Claims, type FetchSdJwtTypeMetadataFromVctUrlArgs, type FetchSdJwtTypeMetadataFromVctUrlOpts, type GetSignerForIdentifierArgs, type GetSignerResult, type ICreateSdJwtPresentationArgs, type ICreateSdJwtPresentationResult, type ICreateSdJwtVcArgs, type ICreateSdJwtVcResult, type IDisclosureFrame, type IPresentationFrame, type IRequiredContext, type ISDJwtPlugin, type IVerifySdJwtPresentationArgs, type IVerifySdJwtPresentationResult, type IVerifySdJwtVcArgs, type IVerifySdJwtVcResult, type IntegrityAlg, type PartialSdJwtKbJwt, SDJwtPlugin, type SdJWTImplementation, type SdJwtVcPayload, type SdJwtVerifySignature, type SignKeyArgs, type SignKeyResult, type Vcdm2Enveloped, assertValidTypeMetadata, calculateSdHash, contextHasSDJwtPlugin, createIntegrity, defaultGenerateDigest, extractHashFromIntegrity, fetchUrlWithErrorHandling, getIssuerFromSdJwt, isSdjwtVcPayload, isVcdm2SdJwt, isVcdm2SdJwtPayload, sdJwtPluginContextMethods, validateIntegrity };

package/dist/index.js

@@ -6,6 +6,7 @@ import { SDJwt } from "@sd-jwt/core";
 import { SDJwtVcInstance as SDJwtVcInstance2 } from "@sd-jwt/sd-jwt-vc";
 import { calculateJwkThumbprint, signatureAlgorithmFromKey } from "@sphereon/ssi-sdk-ext.key-utils";
 import Debug from "debug";
+import * as u8a2 from "uint8arrays";
 
 // src/defaultCallbacks.ts
 import { digestMethodParams } from "@sphereon/ssi-sdk-ext.key-utils";
@@ -27,81 +28,6 @@ var defaultVerifySignature = /* @__PURE__ */ __name((context) => async (data, si
   return !result.error;
 }, "defaultVerifySignature");
 
-// src/trustAnchors.ts
-var funkeTestCA = "-----BEGIN CERTIFICATE-----\nMIICeTCCAiCgAwIBAgIUB5E9QVZtmUYcDtCjKB/H3VQv72gwCgYIKoZIzj0EAwIwgYgxCzAJBgNVBAYTAkRFMQ8wDQYDVQQHDAZCZXJsaW4xHTAbBgNVBAoMFEJ1bmRlc2RydWNrZXJlaSBHbWJIMREwDwYDVQQLDAhUIENTIElERTE2MDQGA1UEAwwtU1BSSU5EIEZ1bmtlIEVVREkgV2FsbGV0IFByb3RvdHlwZSBJc3N1aW5nIENBMB4XDTI0MDUzMTA2NDgwOVoXDTM0MDUyOTA2NDgwOVowgYgxCzAJBgNVBAYTAkRFMQ8wDQYDVQQHDAZCZXJsaW4xHTAbBgNVBAoMFEJ1bmRlc2RydWNrZXJlaSBHbWJIMREwDwYDVQQLDAhUIENTIElERTE2MDQGA1UEAwwtU1BSSU5EIEZ1bmtlIEVVREkgV2FsbGV0IFByb3RvdHlwZSBJc3N1aW5nIENBMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEYGzdwFDnc7+Kn5ibAvCOM8ke77VQxqfMcwZL8IaIA+WCROcCfmY/giH92qMru5p/kyOivE0RC/IbdMONvDoUyaNmMGQwHQYDVR0OBBYEFNRWGMCJOOgOWIQYyXZiv6u7xZC+MB8GA1UdIwQYMBaAFNRWGMCJOOgOWIQYyXZiv6u7xZC+MBIGA1UdEwEB/wQIMAYBAf8CAQAwDgYDVR0PAQH/BAQDAgGGMAoGCCqGSM49BAMCA0cAMEQCIGEm7wkZKHt/atb4MdFnXW6yrnwMUT2u136gdtl10Y6hAiBuTFqvVYth1rbxzCP0xWZHmQK9kVyxn8GPfX27EIzzsw==\n-----END CERTIFICATE-----";
-var sphereonCA = "-----BEGIN CERTIFICATE-----\nMIICCDCCAa6gAwIBAgITAPMgqwtYzWPBXaobHhxG9iSydTAKBggqhkjOPQQDAjBa\nMQswCQYDVQQGEwJOTDEkMCIGA1UECgwbU3BoZXJlb24gSW50ZXJuYXRpb25hbCBC\nLlYuMQswCQYDVQQLDAJJVDEYMBYGA1UEAwwPY2Euc3BoZXJlb24uY29tMB4XDTI0\nMDcyODIxMjY0OVoXDTM0MDcyODIxMjY0OVowWjELMAkGA1UEBhMCTkwxJDAiBgNV\nBAoMG1NwaGVyZW9uIEludGVybmF0aW9uYWwgQi5WLjELMAkGA1UECwwCSVQxGDAW\nBgNVBAMMD2NhLnNwaGVyZW9uLmNvbTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBEiA0KeESSNrOcmCDga8YsBkUTgowZGwqvL2n91JUpAMdRSwvlVFdqdiLXnk2pQq\nT1vZnDG0I+x+iz2EbdsG0aajUzBRMB0GA1UdDgQWBBTnB8pdlVz5yKD+zuNkRR6A\nsywywTAOBgNVHQ8BAf8EBAMCAaYwDwYDVR0lBAgwBgYEVR0lADAPBgNVHRMBAf8E\nBTADAQH/MAoGCCqGSM49BAMCA0gAMEUCIHH7ie1OAAbff5262rzZVQa8J9zENG8A\nQlHHFydMdgaXAiEA1Ib82mhHIYDziE0DDbHEAXOs98al+7dpo8fPGVGTeKI=\n-----END CERTIFICATE-----";
-
-// src/utils.ts
-import { toString } from "uint8arrays/to-string";
-async function fetchUrlWithErrorHandling(url) {
-  const response = await fetch(url);
-  if (!response.ok) {
-    throw new Error(`${response.status}: ${response.statusText}`);
-  }
-  return response;
-}
-__name(fetchUrlWithErrorHandling, "fetchUrlWithErrorHandling");
-function extractHashAlgFromIntegrity(integrityValue) {
-  const val = integrityValue?.toLowerCase().trim().split("-")[0];
-  if (val === "sha256" || val === "sha384" || val === "sha512") {
-    return val;
-  }
-  return void 0;
-}
-__name(extractHashAlgFromIntegrity, "extractHashAlgFromIntegrity");
-function extractHashFromIntegrity(integrityValue) {
-  return integrityValue?.toLowerCase().trim().split("-")[1];
-}
-__name(extractHashFromIntegrity, "extractHashFromIntegrity");
-async function validateIntegrity({ input, integrityValue, hasher }) {
-  if (!integrityValue) {
-    return true;
-  }
-  const alg = extractHashAlgFromIntegrity(integrityValue);
-  if (!alg) {
-    return false;
-  }
-  const calculatedHash = await createIntegrity({
-    hasher,
-    input,
-    alg
-  });
-  return calculatedHash == integrityValue;
-}
-__name(validateIntegrity, "validateIntegrity");
-async function createIntegrity({ input, hasher, alg = "sha256" }) {
-  const calculatedHash = await hasher(typeof input === "string" ? input : JSON.stringify(input), alg);
-  return `${alg}-${toString(calculatedHash, "base64")}`;
-}
-__name(createIntegrity, "createIntegrity");
-function assertValidTypeMetadata(metadata, vct) {
-  if (metadata.vct !== vct) {
-    throw new Error("VCT mismatch in metadata and credential");
-  }
-}
-__name(assertValidTypeMetadata, "assertValidTypeMetadata");
-function isVcdm2SdJwtPayload(payload) {
-  return "type" in payload && Array.isArray(payload.type) && payload.type.includes("VerifiableCredential") && "@context" in payload && (typeof payload["@context"] === "string" && payload["@context"].length > 0 || Array.isArray(payload["@context"]) && payload["@context"].length > 0 && payload["@context"].includes("https://www.w3.org/ns/credentials/v2"));
-}
-__name(isVcdm2SdJwtPayload, "isVcdm2SdJwtPayload");
-function isSdjwtVcPayload(payload) {
-  return !isVcdm2SdJwtPayload(payload) && "vct" in payload && typeof payload.vct === "string";
-}
-__name(isSdjwtVcPayload, "isSdjwtVcPayload");
-function getIssuerFromSdJwt(payload) {
-  let issuer;
-  if (isSdjwtVcPayload(payload) || "iss" in payload) {
-    issuer = payload.iss;
-  } else if (isVcdm2SdJwtPayload(payload) || "issuer" in payload && payload.issuer) {
-    issuer = typeof payload.issuer === "string" ? payload.issuer : payload.issuer?.id;
-  }
-  if (!issuer) {
-    throw new Error("No issuer (iss or VCDM 2 issuer) found in SD-JWT or no VCDM2 SD-JWT or SD-JWT VC");
-  }
-  return issuer;
-}
-__name(getIssuerFromSdJwt, "getIssuerFromSdJwt");
-
 // src/sdJwtVcdm2Instance.ts
 import { SDJwtInstance } from "@sd-jwt/core";
 import { SDJWTException } from "@sd-jwt/utils";
@@ -261,9 +187,99 @@ function toVcdm2Date(value) {
 }
 __name(toVcdm2Date, "toVcdm2Date");
 
-// src/action-handler.ts
+// src/trustAnchors.ts
+var funkeTestCA = "-----BEGIN CERTIFICATE-----\nMIICeTCCAiCgAwIBAgIUB5E9QVZtmUYcDtCjKB/H3VQv72gwCgYIKoZIzj0EAwIwgYgxCzAJBgNVBAYTAkRFMQ8wDQYDVQQHDAZCZXJsaW4xHTAbBgNVBAoMFEJ1bmRlc2RydWNrZXJlaSBHbWJIMREwDwYDVQQLDAhUIENTIElERTE2MDQGA1UEAwwtU1BSSU5EIEZ1bmtlIEVVREkgV2FsbGV0IFByb3RvdHlwZSBJc3N1aW5nIENBMB4XDTI0MDUzMTA2NDgwOVoXDTM0MDUyOTA2NDgwOVowgYgxCzAJBgNVBAYTAkRFMQ8wDQYDVQQHDAZCZXJsaW4xHTAbBgNVBAoMFEJ1bmRlc2RydWNrZXJlaSBHbWJIMREwDwYDVQQLDAhUIENTIElERTE2MDQGA1UEAwwtU1BSSU5EIEZ1bmtlIEVVREkgV2FsbGV0IFByb3RvdHlwZSBJc3N1aW5nIENBMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEYGzdwFDnc7+Kn5ibAvCOM8ke77VQxqfMcwZL8IaIA+WCROcCfmY/giH92qMru5p/kyOivE0RC/IbdMONvDoUyaNmMGQwHQYDVR0OBBYEFNRWGMCJOOgOWIQYyXZiv6u7xZC+MB8GA1UdIwQYMBaAFNRWGMCJOOgOWIQYyXZiv6u7xZC+MBIGA1UdEwEB/wQIMAYBAf8CAQAwDgYDVR0PAQH/BAQDAgGGMAoGCCqGSM49BAMCA0cAMEQCIGEm7wkZKHt/atb4MdFnXW6yrnwMUT2u136gdtl10Y6hAiBuTFqvVYth1rbxzCP0xWZHmQK9kVyxn8GPfX27EIzzsw==\n-----END CERTIFICATE-----";
+var sphereonCA = "-----BEGIN CERTIFICATE-----\nMIICCDCCAa6gAwIBAgITAPMgqwtYzWPBXaobHhxG9iSydTAKBggqhkjOPQQDAjBa\nMQswCQYDVQQGEwJOTDEkMCIGA1UECgwbU3BoZXJlb24gSW50ZXJuYXRpb25hbCBC\nLlYuMQswCQYDVQQLDAJJVDEYMBYGA1UEAwwPY2Euc3BoZXJlb24uY29tMB4XDTI0\nMDcyODIxMjY0OVoXDTM0MDcyODIxMjY0OVowWjELMAkGA1UEBhMCTkwxJDAiBgNV\nBAoMG1NwaGVyZW9uIEludGVybmF0aW9uYWwgQi5WLjELMAkGA1UECwwCSVQxGDAW\nBgNVBAMMD2NhLnNwaGVyZW9uLmNvbTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBEiA0KeESSNrOcmCDga8YsBkUTgowZGwqvL2n91JUpAMdRSwvlVFdqdiLXnk2pQq\nT1vZnDG0I+x+iz2EbdsG0aajUzBRMB0GA1UdDgQWBBTnB8pdlVz5yKD+zuNkRR6A\nsywywTAOBgNVHQ8BAf8EBAMCAaYwDwYDVR0lBAgwBgYEVR0lADAPBgNVHRMBAf8E\nBTADAQH/MAoGCCqGSM49BAMCA0gAMEUCIHH7ie1OAAbff5262rzZVQa8J9zENG8A\nQlHHFydMdgaXAiEA1Ib82mhHIYDziE0DDbHEAXOs98al+7dpo8fPGVGTeKI=\n-----END CERTIFICATE-----";
+
+// src/utils.ts
 import * as u8a from "uint8arrays";
+import { toString as toString2 } from "uint8arrays/to-string";
+async function fetchUrlWithErrorHandling(url) {
+  const response = await fetch(url);
+  if (!response.ok) {
+    throw new Error(`${response.status}: ${response.statusText}`);
+  }
+  return response;
+}
+__name(fetchUrlWithErrorHandling, "fetchUrlWithErrorHandling");
+function extractHashAlgFromIntegrity(integrityValue) {
+  const val = integrityValue?.toLowerCase().trim().split("-")[0];
+  if (val === "sha256" || val === "sha384" || val === "sha512") {
+    return val;
+  }
+  return void 0;
+}
+__name(extractHashAlgFromIntegrity, "extractHashAlgFromIntegrity");
+function extractHashFromIntegrity(integrityValue) {
+  return integrityValue?.toLowerCase().trim().split("-")[1];
+}
+__name(extractHashFromIntegrity, "extractHashFromIntegrity");
+async function validateIntegrity({ input, integrityValue, hasher }) {
+  if (!integrityValue) {
+    return true;
+  }
+  const alg = extractHashAlgFromIntegrity(integrityValue);
+  if (!alg) {
+    return false;
+  }
+  const calculatedHash = await createIntegrity({
+    hasher,
+    input,
+    alg
+  });
+  return calculatedHash == integrityValue;
+}
+__name(validateIntegrity, "validateIntegrity");
+async function createIntegrity({ input, hasher, alg = "sha256" }) {
+  const calculatedHash = await hasher(typeof input === "string" ? input : JSON.stringify(input), alg);
+  return `${alg}-${toString2(calculatedHash, "base64")}`;
+}
+__name(createIntegrity, "createIntegrity");
+function assertValidTypeMetadata(metadata, vct) {
+  if (metadata.vct !== vct) {
+    throw new Error("VCT mismatch in metadata and credential");
+  }
+}
+__name(assertValidTypeMetadata, "assertValidTypeMetadata");
+function isVcdm2SdJwtPayload(payload) {
+  return "type" in payload && Array.isArray(payload.type) && payload.type.includes("VerifiableCredential") && "@context" in payload && (typeof payload["@context"] === "string" && payload["@context"].length > 0 || Array.isArray(payload["@context"]) && payload["@context"].length > 0 && payload["@context"].includes("https://www.w3.org/ns/credentials/v2"));
+}
+__name(isVcdm2SdJwtPayload, "isVcdm2SdJwtPayload");
+function isSdjwtVcPayload(payload) {
+  return !isVcdm2SdJwtPayload(payload) && "vct" in payload && typeof payload.vct === "string";
+}
+__name(isSdjwtVcPayload, "isSdjwtVcPayload");
+function getIssuerFromSdJwt(payload) {
+  let issuer;
+  if (isSdjwtVcPayload(payload) || "iss" in payload) {
+    issuer = payload.iss;
+  } else if (isVcdm2SdJwtPayload(payload) || "issuer" in payload && payload.issuer) {
+    issuer = typeof payload.issuer === "string" ? payload.issuer : payload.issuer?.id;
+  }
+  if (!issuer) {
+    throw new Error("No issuer (iss or VCDM 2 issuer) found in SD-JWT or no VCDM2 SD-JWT or SD-JWT VC");
+  }
+  return issuer;
+}
+__name(getIssuerFromSdJwt, "getIssuerFromSdJwt");
+function calculateSdHash(compactSdJwtVc, alg, hasher) {
+  const digest = hasher(compactSdJwtVc, alg);
+  return u8a.toString(digest, "base64url");
+}
+__name(calculateSdHash, "calculateSdHash");
+
+// src/action-handler.ts
 var debug = Debug("@sphereon/ssi-sdk.sd-jwt");
+var matchVerificationMethodByKid = /* @__PURE__ */ __name((verificationMethod, kid) => {
+  if (!kid) return false;
+  if (verificationMethod.id === kid) {
+    return true;
+  }
+  if (verificationMethod.id.endsWith(kid)) {
+    return true;
+  }
+  return verificationMethod.id.endsWith(`#${kid}`);
+}, "matchVerificationMethodByKid");
 var SDJwtPlugin = class {
   static {
     __name(this, "SDJwtPlugin");
@@ -599,7 +615,7 @@ var SDJwtPlugin = class {
     const header = decodedVC.jwt.header;
     const x5c = header?.x5c;
     let jwk = header.jwk;
-    if (x5c) {
+    if (x5c?.length) {
       const trustAnchors = /* @__PURE__ */ new Set([
         ...this.trustAnchorsInPEM
       ]);
@@ -629,7 +645,7 @@ var SDJwtPlugin = class {
       if (!didDoc) {
         throw new Error("invalid_issuer: issuer did not resolve to a did document");
       }
-      const didDocumentKey = didDoc.didDocument?.verificationMethod?.find((key) => key.id);
+      const didDocumentKey = didDoc.didDocument?.verificationMethod?.find((key) => matchVerificationMethodByKid(key, header.kid));
       if (!didDocumentKey) {
         throw new Error("invalid_issuer: issuer did document does not include referenced key");
       }
@@ -642,7 +658,7 @@ var SDJwtPlugin = class {
       if (!didDoc) {
         throw new Error("invalid_issuer: issuer did not resolve to a did document");
       }
-      const didDocumentKey = didDoc.didDocument?.verificationMethod?.find((key) => key.id);
+      const didDocumentKey = didDoc.didDocument?.verificationMethod?.find((key) => matchVerificationMethodByKid(key, header.kid));
       if (!didDocumentKey) {
         throw new Error("invalid_issuer: issuer did document does not include referenced key");
       }
@@ -743,7 +759,7 @@ var SDJwtPlugin = class {
       return payload.cnf.jwk;
     } else if (payload.cnf !== void 0 && "kid" in payload.cnf && typeof payload.cnf.kid === "string" && payload.cnf.kid.startsWith("did:jwk:")) {
       const encoded = this.extractBase64FromDIDJwk(payload.cnf.kid);
-      const decoded = u8a.toString(u8a.fromString(encoded, "base64url"), "utf-8");
+      const decoded = u8a2.toString(u8a2.fromString(encoded, "base64url"), "utf-8");
       const jwt = JSON.parse(decoded);
       return jwt;
     }
@@ -760,6 +776,7 @@ var SDJwtPlugin = class {
 export {
   SDJwtPlugin,
   assertValidTypeMetadata,
+  calculateSdHash,
   contextHasSDJwtPlugin,
   createIntegrity,
   defaultGenerateDigest,