@sphereon/ssi-sdk.sd-jwt 0.36.1-next.47 → 0.36.1-next.70

package/dist/index.d.cts

@@ -1,13 +1,52 @@
-import { SdJwtVcPayload as SdJwtVcPayload$1, VerificationResult, SDJwtVcInstance } from '@sd-jwt/sd-jwt-vc';
-import { SaltGenerator, KBOptions, kbHeader, kbPayload, Hasher, Signer, DisclosureFrame, SDJWTCompact, HasherSync as HasherSync$1 } from '@sd-jwt/types';
+import { VerificationResult, SdJwtVcPayload as SdJwtVcPayload$1, SDJwtVcInstance } from '@sd-jwt/sd-jwt-vc';
+import { DisclosureFrame, SDJWTCompact, SaltGenerator, KBOptions, kbHeader, kbPayload, Hasher, Signer, HasherSync as HasherSync$1 } from '@sd-jwt/types';
 import { X509CertificateChainValidationOpts } from '@sphereon/ssi-sdk-ext.x509-utils';
-import { HasherSync, JsonWebKey, SdJwtVcType, SdJwtVpType, SdJwtVcdm2Payload, SdJwtTypeMetadata, JoseSignatureAlgorithm, SdJwtType, SdJwtVcKbJwtHeader, SdJwtVcKbJwtPayload, SDJWTVCDM2Config } from '@sphereon/ssi-types';
+import { SdJwtVcdm2Payload, SDJWTVCDM2Config, HasherSync, JsonWebKey, SdJwtVcType, SdJwtVpType, SdJwtTypeMetadata, JoseSignatureAlgorithm, SdJwtType, SdJwtVcKbJwtHeader, SdJwtVcKbJwtPayload } from '@sphereon/ssi-types';
 import { IPluginMethodMap, IAgentContext, IDIDManager, IResolver, IKeyManager, DIDDocumentSection, IAgentPlugin } from '@veramo/core';
-import { SdJwtPayload, SDJwtInstance, VerifierOptions } from '@sd-jwt/core';
+import { SDJwtInstance, VerifierOptions, SdJwtPayload } from '@sd-jwt/core';
 import { ManagedIdentifierResult, IIdentifierResolution } from '@sphereon/ssi-sdk-ext.identifier-resolution';
 import { IJwtService } from '@sphereon/ssi-sdk-ext.jwt-service';
 import { ImDLMdoc } from '@sphereon/ssi-sdk.mdl-mdoc';
 
+interface SdJwtVcdm2VerificationResult extends Omit<VerificationResult, 'payload'> {
+    payload: SdJwtVcdm2Payload;
+}
+declare class SDJwtVcdm2Instance extends SDJwtInstance<SdJwtVcdm2Payload> {
+    /**
+     * The type of the SD-JWT VCDM2 set in the header.typ field.
+     */
+    protected static type: string;
+    protected userConfig: SDJWTVCDM2Config;
+    constructor(userConfig?: SDJWTVCDM2Config);
+    /**
+     * Validates if the disclosureFrame contains any reserved fields. If so it will throw an error.
+     * @param disclosureFrame
+     */
+    protected validateReservedFields(disclosureFrame: DisclosureFrame<SdJwtVcdm2Payload>): void;
+    /**
+     * Verifies the SD-JWT-VC. It will validate the signature, the keybindings when required, the status, and the VCT.
+     * @param encodedSDJwt
+     * @param options
+     */
+    verify(encodedSDJwt: string, options?: VerifierOptions): Promise<SdJwtVcdm2VerificationResult>;
+    /**
+     * Validates the integrity of the response if the integrity is passed. If the integrity does not match, an error is thrown.
+     * @param integrity
+     * @param response
+     */
+    private validateIntegrity;
+    /**
+     * Fetches the content from the url with a timeout of 10 seconds.
+     * @param url
+     * @param integrity
+     * @returns
+     */
+    protected fetch<T>(url: string, integrity?: string): Promise<T>;
+    issue<Payload extends SdJwtVcdm2Payload>(payload: Payload, disclosureFrame?: DisclosureFrame<Payload>, options?: {
+        header?: object;
+    }): Promise<SDJWTCompact>;
+}
+
 declare const sdJwtPluginContextMethods: Array<string>;
 /**
  * My Agent Plugin description.
@@ -253,45 +292,6 @@ type PartialSdJwtKbJwt = {
     payload: Partial<SdJwtVcKbJwtPayload>;
 };
 
-interface SdJwtVcdm2VerificationResult extends Omit<VerificationResult, 'payload'> {
-    payload: SdJwtVcdm2Payload;
-}
-declare class SDJwtVcdm2Instance extends SDJwtInstance<SdJwtVcdm2Payload> {
-    /**
-     * The type of the SD-JWT VCDM2 set in the header.typ field.
-     */
-    protected static type: string;
-    protected userConfig: SDJWTVCDM2Config;
-    constructor(userConfig?: SDJWTVCDM2Config);
-    /**
-     * Validates if the disclosureFrame contains any reserved fields. If so it will throw an error.
-     * @param disclosureFrame
-     */
-    protected validateReservedFields(disclosureFrame: DisclosureFrame<SdJwtVcdm2Payload>): void;
-    /**
-     * Verifies the SD-JWT-VC. It will validate the signature, the keybindings when required, the status, and the VCT.
-     * @param encodedSDJwt
-     * @param options
-     */
-    verify(encodedSDJwt: string, options?: VerifierOptions): Promise<SdJwtVcdm2VerificationResult>;
-    /**
-     * Validates the integrity of the response if the integrity is passed. If the integrity does not match, an error is thrown.
-     * @param integrity
-     * @param response
-     */
-    private validateIntegrity;
-    /**
-     * Fetches the content from the url with a timeout of 10 seconds.
-     * @param url
-     * @param integrity
-     * @returns
-     */
-    protected fetch<T>(url: string, integrity?: string): Promise<T>;
-    issue<Payload extends SdJwtVcdm2Payload>(payload: Payload, disclosureFrame?: DisclosureFrame<Payload>, options?: {
-        header?: object;
-    }): Promise<SDJWTCompact>;
-}
-
 /**
  * @beta
  * SD-JWT plugin

package/dist/index.d.ts

@@ -1,13 +1,52 @@
-import { SdJwtVcPayload as SdJwtVcPayload$1, VerificationResult, SDJwtVcInstance } from '@sd-jwt/sd-jwt-vc';
-import { SaltGenerator, KBOptions, kbHeader, kbPayload, Hasher, Signer, DisclosureFrame, SDJWTCompact, HasherSync as HasherSync$1 } from '@sd-jwt/types';
+import { VerificationResult, SdJwtVcPayload as SdJwtVcPayload$1, SDJwtVcInstance } from '@sd-jwt/sd-jwt-vc';
+import { DisclosureFrame, SDJWTCompact, SaltGenerator, KBOptions, kbHeader, kbPayload, Hasher, Signer, HasherSync as HasherSync$1 } from '@sd-jwt/types';
 import { X509CertificateChainValidationOpts } from '@sphereon/ssi-sdk-ext.x509-utils';
-import { HasherSync, JsonWebKey, SdJwtVcType, SdJwtVpType, SdJwtVcdm2Payload, SdJwtTypeMetadata, JoseSignatureAlgorithm, SdJwtType, SdJwtVcKbJwtHeader, SdJwtVcKbJwtPayload, SDJWTVCDM2Config } from '@sphereon/ssi-types';
+import { SdJwtVcdm2Payload, SDJWTVCDM2Config, HasherSync, JsonWebKey, SdJwtVcType, SdJwtVpType, SdJwtTypeMetadata, JoseSignatureAlgorithm, SdJwtType, SdJwtVcKbJwtHeader, SdJwtVcKbJwtPayload } from '@sphereon/ssi-types';
 import { IPluginMethodMap, IAgentContext, IDIDManager, IResolver, IKeyManager, DIDDocumentSection, IAgentPlugin } from '@veramo/core';
-import { SdJwtPayload, SDJwtInstance, VerifierOptions } from '@sd-jwt/core';
+import { SDJwtInstance, VerifierOptions, SdJwtPayload } from '@sd-jwt/core';
 import { ManagedIdentifierResult, IIdentifierResolution } from '@sphereon/ssi-sdk-ext.identifier-resolution';
 import { IJwtService } from '@sphereon/ssi-sdk-ext.jwt-service';
 import { ImDLMdoc } from '@sphereon/ssi-sdk.mdl-mdoc';
 
+interface SdJwtVcdm2VerificationResult extends Omit<VerificationResult, 'payload'> {
+    payload: SdJwtVcdm2Payload;
+}
+declare class SDJwtVcdm2Instance extends SDJwtInstance<SdJwtVcdm2Payload> {
+    /**
+     * The type of the SD-JWT VCDM2 set in the header.typ field.
+     */
+    protected static type: string;
+    protected userConfig: SDJWTVCDM2Config;
+    constructor(userConfig?: SDJWTVCDM2Config);
+    /**
+     * Validates if the disclosureFrame contains any reserved fields. If so it will throw an error.
+     * @param disclosureFrame
+     */
+    protected validateReservedFields(disclosureFrame: DisclosureFrame<SdJwtVcdm2Payload>): void;
+    /**
+     * Verifies the SD-JWT-VC. It will validate the signature, the keybindings when required, the status, and the VCT.
+     * @param encodedSDJwt
+     * @param options
+     */
+    verify(encodedSDJwt: string, options?: VerifierOptions): Promise<SdJwtVcdm2VerificationResult>;
+    /**
+     * Validates the integrity of the response if the integrity is passed. If the integrity does not match, an error is thrown.
+     * @param integrity
+     * @param response
+     */
+    private validateIntegrity;
+    /**
+     * Fetches the content from the url with a timeout of 10 seconds.
+     * @param url
+     * @param integrity
+     * @returns
+     */
+    protected fetch<T>(url: string, integrity?: string): Promise<T>;
+    issue<Payload extends SdJwtVcdm2Payload>(payload: Payload, disclosureFrame?: DisclosureFrame<Payload>, options?: {
+        header?: object;
+    }): Promise<SDJWTCompact>;
+}
+
 declare const sdJwtPluginContextMethods: Array<string>;
 /**
  * My Agent Plugin description.
@@ -253,45 +292,6 @@ type PartialSdJwtKbJwt = {
     payload: Partial<SdJwtVcKbJwtPayload>;
 };
 
-interface SdJwtVcdm2VerificationResult extends Omit<VerificationResult, 'payload'> {
-    payload: SdJwtVcdm2Payload;
-}
-declare class SDJwtVcdm2Instance extends SDJwtInstance<SdJwtVcdm2Payload> {
-    /**
-     * The type of the SD-JWT VCDM2 set in the header.typ field.
-     */
-    protected static type: string;
-    protected userConfig: SDJWTVCDM2Config;
-    constructor(userConfig?: SDJWTVCDM2Config);
-    /**
-     * Validates if the disclosureFrame contains any reserved fields. If so it will throw an error.
-     * @param disclosureFrame
-     */
-    protected validateReservedFields(disclosureFrame: DisclosureFrame<SdJwtVcdm2Payload>): void;
-    /**
-     * Verifies the SD-JWT-VC. It will validate the signature, the keybindings when required, the status, and the VCT.
-     * @param encodedSDJwt
-     * @param options
-     */
-    verify(encodedSDJwt: string, options?: VerifierOptions): Promise<SdJwtVcdm2VerificationResult>;
-    /**
-     * Validates the integrity of the response if the integrity is passed. If the integrity does not match, an error is thrown.
-     * @param integrity
-     * @param response
-     */
-    private validateIntegrity;
-    /**
-     * Fetches the content from the url with a timeout of 10 seconds.
-     * @param url
-     * @param integrity
-     * @returns
-     */
-    protected fetch<T>(url: string, integrity?: string): Promise<T>;
-    issue<Payload extends SdJwtVcdm2Payload>(payload: Payload, disclosureFrame?: DisclosureFrame<Payload>, options?: {
-        header?: object;
-    }): Promise<SDJWTCompact>;
-}
-
 /**
  * @beta
  * SD-JWT plugin

package/dist/index.js

@@ -6,6 +6,7 @@ import { SDJwt } from "@sd-jwt/core";
 import { SDJwtVcInstance as SDJwtVcInstance2 } from "@sd-jwt/sd-jwt-vc";
 import { calculateJwkThumbprint, signatureAlgorithmFromKey } from "@sphereon/ssi-sdk-ext.key-utils";
 import Debug from "debug";
+import * as u8a2 from "uint8arrays";
 
 // src/defaultCallbacks.ts
 import { digestMethodParams } from "@sphereon/ssi-sdk-ext.key-utils";
@@ -27,87 +28,6 @@ var defaultVerifySignature = /* @__PURE__ */ __name((context) => async (data, si
   return !result.error;
 }, "defaultVerifySignature");
 
-// src/trustAnchors.ts
-var funkeTestCA = "-----BEGIN CERTIFICATE-----\nMIICeTCCAiCgAwIBAgIUB5E9QVZtmUYcDtCjKB/H3VQv72gwCgYIKoZIzj0EAwIwgYgxCzAJBgNVBAYTAkRFMQ8wDQYDVQQHDAZCZXJsaW4xHTAbBgNVBAoMFEJ1bmRlc2RydWNrZXJlaSBHbWJIMREwDwYDVQQLDAhUIENTIElERTE2MDQGA1UEAwwtU1BSSU5EIEZ1bmtlIEVVREkgV2FsbGV0IFByb3RvdHlwZSBJc3N1aW5nIENBMB4XDTI0MDUzMTA2NDgwOVoXDTM0MDUyOTA2NDgwOVowgYgxCzAJBgNVBAYTAkRFMQ8wDQYDVQQHDAZCZXJsaW4xHTAbBgNVBAoMFEJ1bmRlc2RydWNrZXJlaSBHbWJIMREwDwYDVQQLDAhUIENTIElERTE2MDQGA1UEAwwtU1BSSU5EIEZ1bmtlIEVVREkgV2FsbGV0IFByb3RvdHlwZSBJc3N1aW5nIENBMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEYGzdwFDnc7+Kn5ibAvCOM8ke77VQxqfMcwZL8IaIA+WCROcCfmY/giH92qMru5p/kyOivE0RC/IbdMONvDoUyaNmMGQwHQYDVR0OBBYEFNRWGMCJOOgOWIQYyXZiv6u7xZC+MB8GA1UdIwQYMBaAFNRWGMCJOOgOWIQYyXZiv6u7xZC+MBIGA1UdEwEB/wQIMAYBAf8CAQAwDgYDVR0PAQH/BAQDAgGGMAoGCCqGSM49BAMCA0cAMEQCIGEm7wkZKHt/atb4MdFnXW6yrnwMUT2u136gdtl10Y6hAiBuTFqvVYth1rbxzCP0xWZHmQK9kVyxn8GPfX27EIzzsw==\n-----END CERTIFICATE-----";
-var sphereonCA = "-----BEGIN CERTIFICATE-----\nMIICCDCCAa6gAwIBAgITAPMgqwtYzWPBXaobHhxG9iSydTAKBggqhkjOPQQDAjBa\nMQswCQYDVQQGEwJOTDEkMCIGA1UECgwbU3BoZXJlb24gSW50ZXJuYXRpb25hbCBC\nLlYuMQswCQYDVQQLDAJJVDEYMBYGA1UEAwwPY2Euc3BoZXJlb24uY29tMB4XDTI0\nMDcyODIxMjY0OVoXDTM0MDcyODIxMjY0OVowWjELMAkGA1UEBhMCTkwxJDAiBgNV\nBAoMG1NwaGVyZW9uIEludGVybmF0aW9uYWwgQi5WLjELMAkGA1UECwwCSVQxGDAW\nBgNVBAMMD2NhLnNwaGVyZW9uLmNvbTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBEiA0KeESSNrOcmCDga8YsBkUTgowZGwqvL2n91JUpAMdRSwvlVFdqdiLXnk2pQq\nT1vZnDG0I+x+iz2EbdsG0aajUzBRMB0GA1UdDgQWBBTnB8pdlVz5yKD+zuNkRR6A\nsywywTAOBgNVHQ8BAf8EBAMCAaYwDwYDVR0lBAgwBgYEVR0lADAPBgNVHRMBAf8E\nBTADAQH/MAoGCCqGSM49BAMCA0gAMEUCIHH7ie1OAAbff5262rzZVQa8J9zENG8A\nQlHHFydMdgaXAiEA1Ib82mhHIYDziE0DDbHEAXOs98al+7dpo8fPGVGTeKI=\n-----END CERTIFICATE-----";
-
-// src/utils.ts
-import * as u8a from "uint8arrays";
-import { toString as toString2 } from "uint8arrays/to-string";
-async function fetchUrlWithErrorHandling(url) {
-  const response = await fetch(url);
-  if (!response.ok) {
-    throw new Error(`${response.status}: ${response.statusText}`);
-  }
-  return response;
-}
-__name(fetchUrlWithErrorHandling, "fetchUrlWithErrorHandling");
-function extractHashAlgFromIntegrity(integrityValue) {
-  const val = integrityValue?.toLowerCase().trim().split("-")[0];
-  if (val === "sha256" || val === "sha384" || val === "sha512") {
-    return val;
-  }
-  return void 0;
-}
-__name(extractHashAlgFromIntegrity, "extractHashAlgFromIntegrity");
-function extractHashFromIntegrity(integrityValue) {
-  return integrityValue?.toLowerCase().trim().split("-")[1];
-}
-__name(extractHashFromIntegrity, "extractHashFromIntegrity");
-async function validateIntegrity({ input, integrityValue, hasher }) {
-  if (!integrityValue) {
-    return true;
-  }
-  const alg = extractHashAlgFromIntegrity(integrityValue);
-  if (!alg) {
-    return false;
-  }
-  const calculatedHash = await createIntegrity({
-    hasher,
-    input,
-    alg
-  });
-  return calculatedHash == integrityValue;
-}
-__name(validateIntegrity, "validateIntegrity");
-async function createIntegrity({ input, hasher, alg = "sha256" }) {
-  const calculatedHash = await hasher(typeof input === "string" ? input : JSON.stringify(input), alg);
-  return `${alg}-${toString2(calculatedHash, "base64")}`;
-}
-__name(createIntegrity, "createIntegrity");
-function assertValidTypeMetadata(metadata, vct) {
-  if (metadata.vct !== vct) {
-    throw new Error("VCT mismatch in metadata and credential");
-  }
-}
-__name(assertValidTypeMetadata, "assertValidTypeMetadata");
-function isVcdm2SdJwtPayload(payload) {
-  return "type" in payload && Array.isArray(payload.type) && payload.type.includes("VerifiableCredential") && "@context" in payload && (typeof payload["@context"] === "string" && payload["@context"].length > 0 || Array.isArray(payload["@context"]) && payload["@context"].length > 0 && payload["@context"].includes("https://www.w3.org/ns/credentials/v2"));
-}
-__name(isVcdm2SdJwtPayload, "isVcdm2SdJwtPayload");
-function isSdjwtVcPayload(payload) {
-  return !isVcdm2SdJwtPayload(payload) && "vct" in payload && typeof payload.vct === "string";
-}
-__name(isSdjwtVcPayload, "isSdjwtVcPayload");
-function getIssuerFromSdJwt(payload) {
-  let issuer;
-  if (isSdjwtVcPayload(payload) || "iss" in payload) {
-    issuer = payload.iss;
-  } else if (isVcdm2SdJwtPayload(payload) || "issuer" in payload && payload.issuer) {
-    issuer = typeof payload.issuer === "string" ? payload.issuer : payload.issuer?.id;
-  }
-  if (!issuer) {
-    throw new Error("No issuer (iss or VCDM 2 issuer) found in SD-JWT or no VCDM2 SD-JWT or SD-JWT VC");
-  }
-  return issuer;
-}
-__name(getIssuerFromSdJwt, "getIssuerFromSdJwt");
-function calculateSdHash(compactSdJwtVc, alg, hasher) {
-  const digest = hasher(compactSdJwtVc, alg);
-  return u8a.toString(digest, "base64url");
-}
-__name(calculateSdHash, "calculateSdHash");
-
 // src/sdJwtVcdm2Instance.ts
 import { SDJwtInstance } from "@sd-jwt/core";
 import { SDJWTException } from "@sd-jwt/utils";
@@ -267,9 +187,99 @@ function toVcdm2Date(value) {
 }
 __name(toVcdm2Date, "toVcdm2Date");
 
+// src/trustAnchors.ts
+var funkeTestCA = "-----BEGIN CERTIFICATE-----\nMIICeTCCAiCgAwIBAgIUB5E9QVZtmUYcDtCjKB/H3VQv72gwCgYIKoZIzj0EAwIwgYgxCzAJBgNVBAYTAkRFMQ8wDQYDVQQHDAZCZXJsaW4xHTAbBgNVBAoMFEJ1bmRlc2RydWNrZXJlaSBHbWJIMREwDwYDVQQLDAhUIENTIElERTE2MDQGA1UEAwwtU1BSSU5EIEZ1bmtlIEVVREkgV2FsbGV0IFByb3RvdHlwZSBJc3N1aW5nIENBMB4XDTI0MDUzMTA2NDgwOVoXDTM0MDUyOTA2NDgwOVowgYgxCzAJBgNVBAYTAkRFMQ8wDQYDVQQHDAZCZXJsaW4xHTAbBgNVBAoMFEJ1bmRlc2RydWNrZXJlaSBHbWJIMREwDwYDVQQLDAhUIENTIElERTE2MDQGA1UEAwwtU1BSSU5EIEZ1bmtlIEVVREkgV2FsbGV0IFByb3RvdHlwZSBJc3N1aW5nIENBMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEYGzdwFDnc7+Kn5ibAvCOM8ke77VQxqfMcwZL8IaIA+WCROcCfmY/giH92qMru5p/kyOivE0RC/IbdMONvDoUyaNmMGQwHQYDVR0OBBYEFNRWGMCJOOgOWIQYyXZiv6u7xZC+MB8GA1UdIwQYMBaAFNRWGMCJOOgOWIQYyXZiv6u7xZC+MBIGA1UdEwEB/wQIMAYBAf8CAQAwDgYDVR0PAQH/BAQDAgGGMAoGCCqGSM49BAMCA0cAMEQCIGEm7wkZKHt/atb4MdFnXW6yrnwMUT2u136gdtl10Y6hAiBuTFqvVYth1rbxzCP0xWZHmQK9kVyxn8GPfX27EIzzsw==\n-----END CERTIFICATE-----";
+var sphereonCA = "-----BEGIN CERTIFICATE-----\nMIICCDCCAa6gAwIBAgITAPMgqwtYzWPBXaobHhxG9iSydTAKBggqhkjOPQQDAjBa\nMQswCQYDVQQGEwJOTDEkMCIGA1UECgwbU3BoZXJlb24gSW50ZXJuYXRpb25hbCBC\nLlYuMQswCQYDVQQLDAJJVDEYMBYGA1UEAwwPY2Euc3BoZXJlb24uY29tMB4XDTI0\nMDcyODIxMjY0OVoXDTM0MDcyODIxMjY0OVowWjELMAkGA1UEBhMCTkwxJDAiBgNV\nBAoMG1NwaGVyZW9uIEludGVybmF0aW9uYWwgQi5WLjELMAkGA1UECwwCSVQxGDAW\nBgNVBAMMD2NhLnNwaGVyZW9uLmNvbTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBEiA0KeESSNrOcmCDga8YsBkUTgowZGwqvL2n91JUpAMdRSwvlVFdqdiLXnk2pQq\nT1vZnDG0I+x+iz2EbdsG0aajUzBRMB0GA1UdDgQWBBTnB8pdlVz5yKD+zuNkRR6A\nsywywTAOBgNVHQ8BAf8EBAMCAaYwDwYDVR0lBAgwBgYEVR0lADAPBgNVHRMBAf8E\nBTADAQH/MAoGCCqGSM49BAMCA0gAMEUCIHH7ie1OAAbff5262rzZVQa8J9zENG8A\nQlHHFydMdgaXAiEA1Ib82mhHIYDziE0DDbHEAXOs98al+7dpo8fPGVGTeKI=\n-----END CERTIFICATE-----";
+
+// src/utils.ts
+import * as u8a from "uint8arrays";
+import { toString as toString2 } from "uint8arrays/to-string";
+async function fetchUrlWithErrorHandling(url) {
+  const response = await fetch(url);
+  if (!response.ok) {
+    throw new Error(`${response.status}: ${response.statusText}`);
+  }
+  return response;
+}
+__name(fetchUrlWithErrorHandling, "fetchUrlWithErrorHandling");
+function extractHashAlgFromIntegrity(integrityValue) {
+  const val = integrityValue?.toLowerCase().trim().split("-")[0];
+  if (val === "sha256" || val === "sha384" || val === "sha512") {
+    return val;
+  }
+  return void 0;
+}
+__name(extractHashAlgFromIntegrity, "extractHashAlgFromIntegrity");
+function extractHashFromIntegrity(integrityValue) {
+  return integrityValue?.toLowerCase().trim().split("-")[1];
+}
+__name(extractHashFromIntegrity, "extractHashFromIntegrity");
+async function validateIntegrity({ input, integrityValue, hasher }) {
+  if (!integrityValue) {
+    return true;
+  }
+  const alg = extractHashAlgFromIntegrity(integrityValue);
+  if (!alg) {
+    return false;
+  }
+  const calculatedHash = await createIntegrity({
+    hasher,
+    input,
+    alg
+  });
+  return calculatedHash == integrityValue;
+}
+__name(validateIntegrity, "validateIntegrity");
+async function createIntegrity({ input, hasher, alg = "sha256" }) {
+  const calculatedHash = await hasher(typeof input === "string" ? input : JSON.stringify(input), alg);
+  return `${alg}-${toString2(calculatedHash, "base64")}`;
+}
+__name(createIntegrity, "createIntegrity");
+function assertValidTypeMetadata(metadata, vct) {
+  if (metadata.vct !== vct) {
+    throw new Error("VCT mismatch in metadata and credential");
+  }
+}
+__name(assertValidTypeMetadata, "assertValidTypeMetadata");
+function isVcdm2SdJwtPayload(payload) {
+  return "type" in payload && Array.isArray(payload.type) && payload.type.includes("VerifiableCredential") && "@context" in payload && (typeof payload["@context"] === "string" && payload["@context"].length > 0 || Array.isArray(payload["@context"]) && payload["@context"].length > 0 && payload["@context"].includes("https://www.w3.org/ns/credentials/v2"));
+}
+__name(isVcdm2SdJwtPayload, "isVcdm2SdJwtPayload");
+function isSdjwtVcPayload(payload) {
+  return !isVcdm2SdJwtPayload(payload) && "vct" in payload && typeof payload.vct === "string";
+}
+__name(isSdjwtVcPayload, "isSdjwtVcPayload");
+function getIssuerFromSdJwt(payload) {
+  let issuer;
+  if (isSdjwtVcPayload(payload) || "iss" in payload) {
+    issuer = payload.iss;
+  } else if (isVcdm2SdJwtPayload(payload) || "issuer" in payload && payload.issuer) {
+    issuer = typeof payload.issuer === "string" ? payload.issuer : payload.issuer?.id;
+  }
+  if (!issuer) {
+    throw new Error("No issuer (iss or VCDM 2 issuer) found in SD-JWT or no VCDM2 SD-JWT or SD-JWT VC");
+  }
+  return issuer;
+}
+__name(getIssuerFromSdJwt, "getIssuerFromSdJwt");
+function calculateSdHash(compactSdJwtVc, alg, hasher) {
+  const digest = hasher(compactSdJwtVc, alg);
+  return u8a.toString(digest, "base64url");
+}
+__name(calculateSdHash, "calculateSdHash");
+
 // src/action-handler.ts
-import * as u8a2 from "uint8arrays";
 var debug = Debug("@sphereon/ssi-sdk.sd-jwt");
+var matchVerificationMethodByKid = /* @__PURE__ */ __name((verificationMethod, kid) => {
+  if (!kid) return false;
+  if (verificationMethod.id === kid) {
+    return true;
+  }
+  if (verificationMethod.id.endsWith(kid)) {
+    return true;
+  }
+  return verificationMethod.id.endsWith(`#${kid}`);
+}, "matchVerificationMethodByKid");
 var SDJwtPlugin = class {
   static {
     __name(this, "SDJwtPlugin");
@@ -635,7 +645,7 @@ var SDJwtPlugin = class {
       if (!didDoc) {
         throw new Error("invalid_issuer: issuer did not resolve to a did document");
       }
-      const didDocumentKey = didDoc.didDocument?.verificationMethod?.find((key) => key.id);
+      const didDocumentKey = didDoc.didDocument?.verificationMethod?.find((key) => matchVerificationMethodByKid(key, header.kid));
       if (!didDocumentKey) {
         throw new Error("invalid_issuer: issuer did document does not include referenced key");
       }
@@ -648,7 +658,7 @@ var SDJwtPlugin = class {
       if (!didDoc) {
         throw new Error("invalid_issuer: issuer did not resolve to a did document");
       }
-      const didDocumentKey = didDoc.didDocument?.verificationMethod?.find((key) => key.id);
+      const didDocumentKey = didDoc.didDocument?.verificationMethod?.find((key) => matchVerificationMethodByKid(key, header.kid));
       if (!didDocumentKey) {
         throw new Error("invalid_issuer: issuer did document does not include referenced key");
       }