@sphereon/ssi-sdk.siopv2-oid4vp-op-auth 0.32.1-feature.SPRIND.89.53 → 0.32.1-feature.SSISDK.5.credential.offer.uri.204

package/src/services/Siopv2MachineService.ts

@@ -2,9 +2,9 @@ import { AuthorizationRequest, SupportedVersion } from '@sphereon/did-auth-siop'
 import { IPresentationDefinition, PEX } from '@sphereon/pex'
 import { InputDescriptorV1, InputDescriptorV2, PresentationDefinitionV1, PresentationDefinitionV2 } from '@sphereon/pex-models'
 import { isOID4VCIssuerIdentifier, ManagedIdentifierOptsOrResult } from '@sphereon/ssi-sdk-ext.identifier-resolution'
-import { verifiableCredentialForRoleFilter } from '@sphereon/ssi-sdk.credential-store'
+import { UniqueDigitalCredential, verifiableCredentialForRoleFilter } from '@sphereon/ssi-sdk.credential-store'
 import { ConnectionType, CredentialRole } from '@sphereon/ssi-sdk.data-store'
-import { CredentialMapper, Hasher, Loggers, PresentationSubmission } from '@sphereon/ssi-types'
+import { CredentialMapper, Hasher, Loggers, OriginalVerifiableCredential, PresentationSubmission } from '@sphereon/ssi-types'
 import { OID4VP, OpSession } from '../session'
 import {
   DidAgents,
@@ -20,6 +20,9 @@ import {
 import { IAgentContext, IDIDManager } from '@veramo/core'
 import { getOrCreatePrimaryIdentifier, SupportedDidMethodEnum } from '@sphereon/ssi-sdk-ext.did-utils'
 import { encodeJoseBlob } from '@sphereon/ssi-sdk.core'
+import { DcqlCredential, DcqlQuery, DcqlCredentialPresentation, DcqlPresentation } from 'dcql'
+import { convertToDcqlCredentials } from '../utils/dcql'
+import { getOriginalVerifiableCredential } from '../utils/CredentialUtils'
 
 export const logger = Loggers.DEFAULT.get(LOGGER_NAMESPACE)
 
@@ -50,6 +53,7 @@ export const siopSendAuthorizationResponse = async (
     idOpts?: ManagedIdentifierOptsOrResult
     isFirstParty?: boolean
     hasher?: Hasher
+    dcqlQuery?: DcqlQuery
   },
   context: RequiredContext,
 ) => {
@@ -155,17 +159,116 @@ export const siopSendAuthorizationResponse = async (
 
     idOpts = presentationsAndDefs[0].idOpts
     presentationSubmission = presentationsAndDefs[0].presentationSubmission
-  }
-  logger.log(`Definitions and locations:`, JSON.stringify(presentationsAndDefs?.[0]?.verifiablePresentations, null, 2))
-  logger.log(`Presentation Submission:`, JSON.stringify(presentationSubmission, null, 2))
-  const mergedVerifiablePresentations = presentationsAndDefs?.flatMap((pd) => pd.verifiablePresentations) || []
-  return await session.sendAuthorizationResponse({
-    ...(presentationsAndDefs && { verifiablePresentations: mergedVerifiablePresentations }),
-    ...(presentationSubmission && { presentationSubmission }),
-    // todo: Change issuer value in case we do not use identifier. Use key.meta.jwkThumbprint then
-    responseSignerOpts: idOpts!,
+
+    logger.log(`Definitions and locations:`, JSON.stringify(presentationsAndDefs?.[0]?.verifiablePresentations, null, 2))
+    logger.log(`Presentation Submission:`, JSON.stringify(presentationSubmission, null, 2))
+    const mergedVerifiablePresentations = presentationsAndDefs?.flatMap((pd) => pd.verifiablePresentations) || []
+    return await session.sendAuthorizationResponse({
+      ...(presentationsAndDefs && { verifiablePresentations: mergedVerifiablePresentations }),
+      ...(presentationSubmission && { presentationSubmission }),
+      // todo: Change issuer value in case we do not use identifier. Use key.meta.jwkThumbprint then
+      responseSignerOpts: idOpts!,
     isFirstParty,
-  })
+    })
+  } else if (request.dcqlQuery) {
+    if (args.verifiableCredentialsWithDefinition !== undefined && args.verifiableCredentialsWithDefinition !== null) {
+      const vcs = args.verifiableCredentialsWithDefinition.flatMap((vcd) => vcd.credentials)
+      const domain =
+        ((await request.authorizationRequest.getMergedProperty('client_id')) as string) ??
+        request.issuer ??
+        (request.versions.includes(SupportedVersion.JWT_VC_PRESENTATION_PROFILE_v1)
+          ? 'https://self-issued.me/v2/openid-vc'
+          : 'https://self-issued.me/v2')
+      logger.debug(`NONCE: ${session.nonce}, domain: ${domain}`)
+
+      const firstUniqueDC = vcs[0]
+      if (typeof firstUniqueDC !== 'object' || !('digitalCredential' in firstUniqueDC)) {
+        return Promise.reject(Error('SiopMachine only supports UniqueDigitalCredentials for now'))
+      }
+
+      let identifier: ManagedIdentifierOptsOrResult
+      const digitalCredential = firstUniqueDC.digitalCredential
+      const firstVC = firstUniqueDC.uniformVerifiableCredential
+      const holder = CredentialMapper.isSdJwtDecodedCredential(firstVC)
+        ? firstVC.decodedPayload.cnf?.jwk
+          ? //TODO SDK-19: convert the JWK to hex and search for the appropriate key and associated DID
+            //doesn't apply to did:jwk only, as you can represent any DID key as a JWK. So whenever you encounter a JWK it doesn't mean it had to come from a did:jwk in the system. It just can always be represented as a did:jwk
+            `did:jwk:${encodeJoseBlob(firstVC.decodedPayload.cnf?.jwk)}#0`
+          : firstVC.decodedPayload.sub
+        : Array.isArray(firstVC.credentialSubject)
+          ? firstVC.credentialSubject[0].id
+          : firstVC.credentialSubject.id
+      if (!digitalCredential.kmsKeyRef) {
+        // In case the store does not have the kmsKeyRef lets search for the holder
+
+        if (!holder) {
+          return Promise.reject(`No holder found and no kmsKeyRef in DB. Cannot determine identifier to use`)
+        }
+        try {
+          identifier = await session.context.agent.identifierManagedGet({ identifier: holder })
+        } catch (e) {
+          logger.debug(`Holder DID not found: ${holder}`)
+          throw e
+        }
+      } else if (isOID4VCIssuerIdentifier(digitalCredential.kmsKeyRef)) {
+        identifier = await session.context.agent.identifierManagedGetByOID4VCIssuer({
+          identifier: firstUniqueDC.digitalCredential.kmsKeyRef,
+        })
+      } else {
+        switch (digitalCredential.subjectCorrelationType) {
+          case 'DID':
+            identifier = await session.context.agent.identifierManagedGetByDid({
+              identifier: digitalCredential.subjectCorrelationId ?? holder,
+              kmsKeyRef: digitalCredential.kmsKeyRef,
+            })
+            break
+          // TODO other implementations?
+          default:
+            // Since we are using the kmsKeyRef we will find the KID regardless of the identifier. We set it for later access though
+            identifier = await session.context.agent.identifierManagedGetByKid({
+              identifier: digitalCredential.subjectCorrelationId ?? holder ?? digitalCredential.kmsKeyRef,
+              kmsKeyRef: digitalCredential.kmsKeyRef,
+            })
+        }
+      }
+      console.log(`Identifier`, identifier)
+
+      const dcqlRepresentations: DcqlCredential[] = []
+      vcs.forEach((vc: UniqueDigitalCredential | OriginalVerifiableCredential) => {
+        const rep = convertToDcqlCredentials(vc, args.hasher)
+        if (rep) {
+          dcqlRepresentations.push(rep)
+        }
+      })
+
+      const queryResult = DcqlQuery.query(request.dcqlQuery, dcqlRepresentations)
+      const presentation: Record<string, DcqlCredentialPresentation> = {}
+
+      for (const [key, value] of Object.entries(queryResult.credential_matches)) {
+        const allMatches = Array.isArray(value) ? value : [value]
+        allMatches.forEach((match) => {
+          if (match.success) {
+            const originalCredential = getOriginalVerifiableCredential(vcs[match.input_credential_index])
+            if (!originalCredential) {
+              throw new Error(`Index ${match.input_credential_index} out of range in credentials array`)
+            }
+            presentation[key] =
+              (originalCredential as any)['compactSdJwtVc'] !== undefined ? (originalCredential as any).compactSdJwtVc : originalCredential
+          }
+        })
+      }
+
+      const response = session.sendAuthorizationResponse({
+        responseSignerOpts: identifier,
+        ...{ dcqlQuery: { dcqlPresentation: DcqlPresentation.parse(presentation) } },
+      })
+
+      logger.debug(`Response: `, response)
+
+      return response
+    }
+  }
+  throw Error('Presentation Definition or DCQL is required')
 }
 
 function buildPartialPD(

package/src/session/OpSession.ts

@@ -293,8 +293,8 @@ export class OpSession {
         .jwtEncryptJweCompactJwt({
           recipientKey,
           protectedHeader: {},
-          alg: requestObjectPayload.client_metadata.authorization_encrypted_response_alg as JweAlg | undefined ?? 'ECDH-ES',
-          enc: requestObjectPayload.client_metadata.authorization_encrypted_response_enc as JweEnc | undefined ?? 'A256GCM',
+          alg: (requestObjectPayload.client_metadata.authorization_encrypted_response_alg as JweAlg | undefined) ?? 'ECDH-ES',
+          enc: (requestObjectPayload.client_metadata.authorization_encrypted_response_enc as JweEnc | undefined) ?? 'A256GCM',
           apv: encodeBase64url(opts.requestObjectPayload.nonce),
           apu: encodeBase64url(v4()),
           payload: authResponse,
@@ -367,6 +367,7 @@ export class OpSession {
           presentationSubmission: args.presentationSubmission,
         } as PresentationExchangeResponseOpts,
       }),
+      dcqlQuery: args.dcqlResponse,
     }
 
     const authResponse = await op.createAuthorizationResponse(request, responseOpts)

package/src/types/IDidAuthSiopOpAuthenticator.ts

@@ -1,4 +1,5 @@
 import {
+  DcqlResponseOpts,
   PresentationDefinitionWithLocation,
   PresentationSignCallback,
   ResponseMode,
@@ -122,6 +123,7 @@ export interface IOpsSendSiopAuthorizationResponseArgs {
   // verifiedAuthorizationRequest: VerifiedAuthorizationRequest
   presentationSubmission?: PresentationSubmission
   verifiablePresentations?: W3CVerifiablePresentation[]
+  dcqlResponse?: DcqlResponseOpts
   hasher?: Hasher
   isFirstParty?: boolean
 }
@@ -198,4 +200,15 @@ export interface IGetPresentationExchangeArgs {
   hasher?: Hasher
 }
 
+// It was added here because it's not exported from DCQL anymore
+export type Json =
+  | string
+  | number
+  | boolean
+  | null
+  | {
+      [key: string]: Json
+    }
+  | Json[]
+
 export const DEFAULT_JWT_PROOF_TYPE = 'JwtProof2020'

package/src/types/siop-service/index.ts

@@ -11,6 +11,7 @@ import { IIssuanceBranding } from '@sphereon/ssi-sdk.issuance-branding'
 import { IAgentContext, IDIDManager, IIdentifier, IResolver } from '@veramo/core'
 import { IDidAuthSiopOpAuthenticator } from '../IDidAuthSiopOpAuthenticator'
 import { Siopv2MachineContext, Siopv2MachineInterpreter, Siopv2MachineState } from '../machine'
+import { DcqlQuery } from 'dcql'
 import { Hasher } from '@sphereon/ssi-types'
 
 export type DidAuthSiopOpAuthenticatorOptions = {
@@ -68,6 +69,7 @@ export type Siopv2AuthorizationRequestData = {
   uri?: URL
   clientId?: string
   presentationDefinitions?: PresentationDefinitionWithLocation[]
+  dcqlQuery?: DcqlQuery
 }
 
 export type SelectableCredentialsMap = Map<string, Array<SelectableCredential>>

package/src/utils/CredentialUtils.ts

@@ -0,0 +1,71 @@
+import { CredentialMapper, Hasher, ICredential, IVerifiableCredential, OriginalVerifiableCredential } from '@sphereon/ssi-types'
+import { VerifiableCredential } from '@veramo/core'
+import { UniqueDigitalCredential } from '@sphereon/ssi-sdk.credential-store'
+
+/**
+ * Return the type(s) of a VC minus the VerifiableCredential type which should always be present
+ * @param credential The input credential
+ */
+export const getCredentialTypeAsString = (credential: ICredential | VerifiableCredential): string => {
+  if (!credential.type) {
+    return 'Verifiable Credential'
+  } else if (typeof credential.type === 'string') {
+    return credential.type
+  }
+  return credential.type.filter((type: string): boolean => type !== 'VerifiableCredential').join(', ')
+}
+
+/**
+ * Returns a Unique Verifiable Credential (with hash) as stored in Veramo, based upon matching the id of the input VC or the proof value of the input VC
+ * @param uniqueVCs The Unique VCs to search in
+ * @param searchVC The VC to search for in the unique VCs array
+ */
+export const getMatchingUniqueDigitalCredential = (
+  uniqueVCs: UniqueDigitalCredential[],
+  searchVC: OriginalVerifiableCredential,
+): UniqueDigitalCredential | undefined => {
+  // Since an ID is optional in a VC according to VCDM, and we really need the matches, we have a fallback match on something which is guaranteed to be unique for any VC (the proof(s))
+  return uniqueVCs.find(
+    (uniqueVC: UniqueDigitalCredential) =>
+      (typeof searchVC !== 'string' &&
+        (uniqueVC.id === (<IVerifiableCredential>searchVC).id ||
+          (uniqueVC.originalVerifiableCredential as VerifiableCredential).proof === (<IVerifiableCredential>searchVC).proof)) ||
+      (typeof searchVC === 'string' && (uniqueVC.uniformVerifiableCredential as VerifiableCredential)?.proof?.jwt === searchVC) ||
+      // We are ignoring the signature of the sd-jwt as PEX signs the vc again and it will not match anymore with the jwt in the proof of the stored jsonld vc
+      (typeof searchVC === 'string' &&
+        CredentialMapper.isSdJwtEncoded(searchVC) &&
+        uniqueVC.uniformVerifiableCredential?.proof &&
+        'jwt' in uniqueVC.uniformVerifiableCredential.proof &&
+        uniqueVC.uniformVerifiableCredential.proof.jwt?.split('.')?.slice(0, 2)?.join('.') === searchVC.split('.')?.slice(0, 2)?.join('.')),
+  )
+}
+
+type InputCredential = UniqueDigitalCredential | VerifiableCredential | ICredential | OriginalVerifiableCredential
+
+/**
+ * Get an original verifiable credential. Maps to wrapped Verifiable Credential first, to get an original JWT as Veramo stores these with a special proof value
+ * @param credential The input VC
+ */
+
+export const getOriginalVerifiableCredential = (credential: InputCredential): OriginalVerifiableCredential => {
+  if (isUniqueDigitalCredential(credential)) {
+    if (!credential.originalVerifiableCredential) {
+      throw new Error('originalVerifiableCredential is not defined in UniqueDigitalCredential')
+    }
+    return getCredentialFromProofOrWrapped(credential.originalVerifiableCredential)
+  }
+
+  return getCredentialFromProofOrWrapped(credential)
+}
+
+const getCredentialFromProofOrWrapped = (cred: any, hasher?: Hasher): OriginalVerifiableCredential => {
+  if (typeof cred === 'object' && 'proof' in cred && 'jwt' in cred.proof && CredentialMapper.isSdJwtEncoded(cred.proof.jwt)) {
+    return cred.proof.jwt
+  }
+
+  return CredentialMapper.toWrappedVerifiableCredential(cred as OriginalVerifiableCredential, { hasher }).original
+}
+
+export const isUniqueDigitalCredential = (credential: InputCredential): credential is UniqueDigitalCredential => {
+  return (credential as UniqueDigitalCredential).digitalCredential !== undefined
+}

package/src/utils/dcql.ts

@@ -0,0 +1,36 @@
+import { UniqueDigitalCredential } from '@sphereon/ssi-sdk.credential-store'
+import { DcqlCredential, DcqlSdJwtVcCredential, DcqlW3cVcCredential } from 'dcql'
+import { CredentialMapper, Hasher, OriginalVerifiableCredential } from '@sphereon/ssi-types'
+import { isUniqueDigitalCredential } from './CredentialUtils'
+
+export function convertToDcqlCredentials(credential: UniqueDigitalCredential | OriginalVerifiableCredential, hasher?: Hasher): DcqlCredential {
+  let payload
+  if (isUniqueDigitalCredential(credential)) {
+    if (!credential.originalVerifiableCredential) {
+      throw new Error('originalVerifiableCredential is not defined in UniqueDigitalCredential')
+    }
+    payload = CredentialMapper.decodeVerifiableCredential(credential.originalVerifiableCredential, hasher)
+  } else {
+    payload = CredentialMapper.decodeVerifiableCredential(credential as OriginalVerifiableCredential, hasher)
+  }
+
+  if (!payload) {
+    throw new Error('No payload found')
+  }
+
+  if ('decodedPayload' in payload && payload.decodedPayload) {
+    payload = payload.decodedPayload
+  }
+
+  if ('vct' in payload!) {
+    return { vct: payload.vct, claims: payload, credential_format: 'vc+sd-jwt' } satisfies DcqlSdJwtVcCredential // TODO dc+sd-jwt support?
+  } else if ('docType' in payload! && 'namespaces' in payload) {
+    // mdoc
+    return { docType: payload.docType, namespaces: payload.namespaces, claims: payload }
+  } else {
+    return {
+      claims: payload,
+      credential_format: 'jwt_vc_json', // TODO jwt_vc_json-ld support
+    } as DcqlW3cVcCredential
+  }
+}