@sphereon/ssi-sdk.siopv2-oid4vp-op-auth 0.32.1-next.18 → 0.32.1-next.287

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sphereon/ssi-sdk.siopv2-oid4vp-op-auth",
-  "version": "0.32.1-next.18+7d08055e",
+  "version": "0.32.1-next.287+5f85ee8f",
   "source": "src/index.ts",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -14,30 +14,31 @@
     "build:clean": "tsc --build --clean && tsc --build"
   },
   "dependencies": {
-    "@sphereon/did-auth-siop": "0.16.1-next.233",
-    "@sphereon/did-auth-siop-adapter": "0.16.1-next.233",
-    "@sphereon/oid4vc-common": "0.16.1-next.233",
+    "@sphereon/did-auth-siop": "0.17.0",
+    "@sphereon/did-auth-siop-adapter": "0.17.0",
+    "@sphereon/oid4vc-common": "0.17.0",
     "@sphereon/pex": "5.0.0-unstable.28",
     "@sphereon/pex-models": "^2.3.2",
-    "@sphereon/ssi-sdk-ext.did-utils": "0.27.0",
-    "@sphereon/ssi-sdk-ext.identifier-resolution": "0.27.0",
-    "@sphereon/ssi-sdk-ext.jwt-service": "0.27.0",
-    "@sphereon/ssi-sdk.contact-manager": "0.32.1-next.18+7d08055e",
-    "@sphereon/ssi-sdk.core": "0.32.1-next.18+7d08055e",
-    "@sphereon/ssi-sdk.credential-store": "0.32.1-next.18+7d08055e",
-    "@sphereon/ssi-sdk.credential-validation": "0.32.1-next.18+7d08055e",
-    "@sphereon/ssi-sdk.data-store": "0.32.1-next.18+7d08055e",
-    "@sphereon/ssi-sdk.issuance-branding": "0.32.1-next.18+7d08055e",
-    "@sphereon/ssi-sdk.pd-manager": "0.32.1-next.18+7d08055e",
-    "@sphereon/ssi-sdk.presentation-exchange": "0.32.1-next.18+7d08055e",
-    "@sphereon/ssi-sdk.sd-jwt": "0.32.1-next.18+7d08055e",
-    "@sphereon/ssi-sdk.siopv2-oid4vp-common": "0.32.1-next.18+7d08055e",
-    "@sphereon/ssi-sdk.xstate-machine-persistence": "0.32.1-next.18+7d08055e",
-    "@sphereon/ssi-types": "0.32.1-next.18+7d08055e",
+    "@sphereon/ssi-sdk-ext.did-utils": "0.28.0",
+    "@sphereon/ssi-sdk-ext.identifier-resolution": "0.28.0",
+    "@sphereon/ssi-sdk-ext.jwt-service": "0.28.0",
+    "@sphereon/ssi-sdk.contact-manager": "0.32.1-next.287+5f85ee8f",
+    "@sphereon/ssi-sdk.core": "0.32.1-next.287+5f85ee8f",
+    "@sphereon/ssi-sdk.credential-store": "0.32.1-next.287+5f85ee8f",
+    "@sphereon/ssi-sdk.credential-validation": "0.32.1-next.287+5f85ee8f",
+    "@sphereon/ssi-sdk.data-store": "0.32.1-next.287+5f85ee8f",
+    "@sphereon/ssi-sdk.issuance-branding": "0.32.1-next.287+5f85ee8f",
+    "@sphereon/ssi-sdk.pd-manager": "0.32.1-next.287+5f85ee8f",
+    "@sphereon/ssi-sdk.presentation-exchange": "0.32.1-next.287+5f85ee8f",
+    "@sphereon/ssi-sdk.sd-jwt": "0.32.1-next.287+5f85ee8f",
+    "@sphereon/ssi-sdk.siopv2-oid4vp-common": "0.32.1-next.287+5f85ee8f",
+    "@sphereon/ssi-sdk.xstate-machine-persistence": "0.32.1-next.287+5f85ee8f",
+    "@sphereon/ssi-types": "0.32.1-next.287+5f85ee8f",
     "@sphereon/wellknown-dids-client": "^0.1.3",
     "@veramo/core": "4.2.0",
     "@veramo/credential-w3c": "4.2.0",
     "cross-fetch": "^3.1.8",
+    "dcql": "0.2.19",
     "did-jwt-vc": "3.1.3",
     "i18n-js": "^3.9.2",
     "lodash.memoize": "^4.1.2",
@@ -46,19 +47,21 @@
   },
   "devDependencies": {
     "@sphereon/did-uni-client": "^0.6.3",
-    "@sphereon/ssi-sdk-ext.did-resolver-jwk": "0.27.0",
-    "@sphereon/ssi-sdk.agent-config": "0.32.1-next.18+7d08055e",
+    "@sphereon/ssi-sdk-ext.did-resolver-jwk": "0.28.0",
+    "@sphereon/ssi-sdk.agent-config": "0.32.1-next.287+5f85ee8f",
     "@types/i18n-js": "^3.8.9",
     "@types/lodash.memoize": "^4.1.9",
     "@types/sha.js": "^2.4.4",
     "@types/uuid": "^9.0.8",
+    "@veramo/data-store": "4.2.0",
     "@veramo/did-provider-key": "4.2.0",
     "@veramo/did-resolver": "4.2.0",
     "@veramo/remote-client": "4.2.0",
     "@veramo/remote-server": "4.2.0",
     "@veramo/utils": "4.2.0",
     "did-resolver": "^4.1.0",
-    "nock": "^13.5.4"
+    "nock": "^13.5.4",
+    "typeorm": "^0.3.21"
   },
   "files": [
     "dist/**/*",
@@ -88,5 +91,5 @@
     "Authenticator"
   ],
   "nx": {},
-  "gitHead": "7d08055e7c148eff0a031196ea1007519f6398b9"
+  "gitHead": "5f85ee8fef1e0fce3d20d150f187b00c7c70f093"
 }

package/src/agent/DidAuthSiopOpAuthenticator.ts

@@ -2,19 +2,22 @@ import { decodeUriAsJson, PresentationSignCallback, SupportedVersion, VerifiedAu
 import {
   ConnectionType,
   CorrelationIdentifierType,
+  CredentialDocumentFormat,
   CredentialRole,
+  DocumentType,
   Identity,
   IdentityOrigin,
   NonPersistedIdentity,
   Party,
 } from '@sphereon/ssi-sdk.data-store'
-import { Loggers } from '@sphereon/ssi-types'
+import { HasherSync, Loggers, SdJwtDecodedVerifiableCredential } from '@sphereon/ssi-types'
 import { IAgentPlugin } from '@veramo/core'
 import { v4 as uuidv4 } from 'uuid'
 import {
   DidAuthSiopOpAuthenticatorOptions,
   GetSelectableCredentialsArgs,
   IOpSessionArgs,
+  Json,
   LOGGER_NAMESPACE,
   RequiredContext,
   schema,
@@ -25,6 +28,10 @@ import {
 import { Siopv2Machine } from '../machine/Siopv2Machine'
 import { getSelectableCredentials, siopSendAuthorizationResponse, translateCorrelationIdToName } from '../services/Siopv2MachineService'
 import { OpSession } from '../session'
+import { PEX, Status } from '@sphereon/pex'
+import { computeEntryHash } from '@veramo/utils'
+import { UniqueDigitalCredential } from '@sphereon/ssi-sdk.credential-store'
+import { EventEmitter } from 'events'
 import {
   IDidAuthSiopOpAuthenticator,
   IGetSiopSessionArgs,
@@ -32,8 +39,7 @@ import {
   IRemoveCustomApprovalForSiopArgs,
   IRemoveSiopSessionArgs,
   IRequiredContext,
-} from '../types/IDidAuthSiopOpAuthenticator'
-import { Siopv2Machine as Siopv2MachineId, Siopv2MachineInstanceOpts } from '../types/machine'
+} from '../types'
 
 import {
   AddIdentityArgs,
@@ -46,11 +52,10 @@ import {
   SendResponseArgs,
   Siopv2AuthorizationRequestData,
   Siopv2HolderEvent,
-} from '../types/siop-service'
-import { PEX, Status } from '@sphereon/pex'
-import { computeEntryHash } from '@veramo/utils'
-import { UniqueDigitalCredential } from '@sphereon/ssi-sdk.credential-store'
-import { EventEmitter } from 'events'
+  Siopv2Machine as Siopv2MachineId,
+  Siopv2MachineInstanceOpts,
+} from '../types'
+import { DcqlCredential, DcqlPresentation, DcqlQuery, DcqlSdJwtVcCredential } from 'dcql'
 
 const logger = Loggers.DEFAULT.options(LOGGER_NAMESPACE, {}).get(LOGGER_NAMESPACE)
 
@@ -89,23 +94,20 @@ export class DidAuthSiopOpAuthenticator implements IAgentPlugin {
   private readonly sessions: Map<string, OpSession>
   private readonly customApprovals: Record<string, (verifiedAuthorizationRequest: VerifiedAuthorizationRequest, sessionId: string) => Promise<void>>
   private readonly presentationSignCallback?: PresentationSignCallback
-
   private readonly onContactIdentityCreated?: (args: OnContactIdentityCreatedArgs) => Promise<void>
   private readonly onIdentifierCreated?: (args: OnIdentifierCreatedArgs) => Promise<void>
   private readonly eventEmitter?: EventEmitter
+  private readonly hasher?: HasherSync
+
+  constructor(options?: DidAuthSiopOpAuthenticatorOptions) {
+    const { onContactIdentityCreated, onIdentifierCreated, hasher, customApprovals = {}, presentationSignCallback } = { ...options }
 
-  constructor(
-    presentationSignCallback?: PresentationSignCallback,
-    customApprovals?: Record<string, (verifiedAuthorizationRequest: VerifiedAuthorizationRequest, sessionId: string) => Promise<void>>,
-    options?: DidAuthSiopOpAuthenticatorOptions,
-  ) {
-    const { onContactIdentityCreated, onIdentifierCreated } = options ?? {}
+    this.hasher = hasher
     this.onContactIdentityCreated = onContactIdentityCreated
     this.onIdentifierCreated = onIdentifierCreated
-
-    this.sessions = new Map<string, OpSession>()
-    this.customApprovals = customApprovals || {}
     this.presentationSignCallback = presentationSignCallback
+    this.sessions = new Map<string, OpSession>()
+    this.customApprovals = customApprovals
   }
 
   public async onEvent(event: any, context: RequiredContext): Promise<void> {
@@ -185,8 +187,8 @@ export class DidAuthSiopOpAuthenticator implements IAgentPlugin {
     return Siopv2Machine.newInstance(siopv2MachineOpts)
   }
 
-  private async siopCreateConfig(args: CreateConfigArgs): Promise<CreateConfigResult> {
-    const { url } = args
+  private async siopCreateConfig<TContext extends CreateConfigArgs>(context: TContext): Promise<CreateConfigResult> {
+    const { url } = context
 
     if (!url) {
       return Promise.reject(Error('Missing request uri in context'))
@@ -213,9 +215,14 @@ export class DidAuthSiopOpAuthenticator implements IAgentPlugin {
     }
     const { sessionId, redirectUrl } = didAuthConfig
 
-    const session: OpSession = await agent
-      .siopGetOPSession({ sessionId })
-      .catch(async () => await agent.siopRegisterOPSession({ requestJwtOrUri: redirectUrl, sessionId, op: { eventEmitter: this.eventEmitter } }))
+    const session: OpSession = await agent.siopGetOPSession({ sessionId }).catch(
+      async () =>
+        await agent.siopRegisterOPSession({
+          requestJwtOrUri: redirectUrl,
+          sessionId,
+          op: { eventEmitter: this.eventEmitter, hasher: this.hasher },
+        }),
+    )
 
     logger.debug(`session: ${JSON.stringify(session.id, null, 2)}`)
     const verifiedAuthorizationRequest = await session.getAuthorizationRequest()
@@ -244,6 +251,7 @@ export class DidAuthSiopOpAuthenticator implements IAgentPlugin {
           verifiedAuthorizationRequest.presentationDefinitions.length > 0)
           ? verifiedAuthorizationRequest.presentationDefinitions
           : undefined,
+      dcqlQuery: verifiedAuthorizationRequest.dcqlQuery,
     }
   }
 
@@ -332,7 +340,7 @@ export class DidAuthSiopOpAuthenticator implements IAgentPlugin {
   }
 
   private async siopSendResponse(args: SendResponseArgs, context: RequiredContext): Promise<Siopv2AuthorizationResponseData> {
-    const { didAuthConfig, authorizationRequestData, selectedCredentials } = args
+    const { didAuthConfig, authorizationRequestData, selectedCredentials, isFirstParty } = args
 
     if (didAuthConfig === undefined) {
       return Promise.reject(Error('Missing config in context'))
@@ -342,34 +350,77 @@ export class DidAuthSiopOpAuthenticator implements IAgentPlugin {
       return Promise.reject(Error('Missing authorization request data in context'))
     }
 
-    const pex = new PEX()
+    const pex = new PEX({ hasher: this.hasher })
     const verifiableCredentialsWithDefinition: Array<VerifiableCredentialsWithDefinition> = []
-
-    authorizationRequestData.presentationDefinitions?.forEach((presentationDefinition) => {
-      const { areRequiredCredentialsPresent, verifiableCredential: verifiableCredentials } = pex.selectFrom(
-        presentationDefinition.definition,
-        selectedCredentials.map((udc) => udc.originalVerifiableCredential!),
-      )
-      if (areRequiredCredentialsPresent !== Status.ERROR && verifiableCredentials) {
-        const uniqueDigitalCredentials: UniqueDigitalCredential[] = verifiableCredentials.map((vc) => {
-          // @ts-ignore FIXME Funke
-          const hash = computeEntryHash(vc)
-          const udc = selectedCredentials.find((udc) => udc.hash == hash)
-
-          if (!udc) {
-            throw Error('UniqueDigitalCredential could not be found')
+    const dcqlCredentialsWithCredentials: Map<DcqlCredential, UniqueDigitalCredential> = new Map()
+
+    if (Array.isArray(authorizationRequestData.presentationDefinitions) && authorizationRequestData?.presentationDefinitions.length > 0) {
+      try {
+        authorizationRequestData.presentationDefinitions?.forEach((presentationDefinition) => {
+          const { areRequiredCredentialsPresent, verifiableCredential: verifiableCredentials } = pex.selectFrom(
+            presentationDefinition.definition,
+            selectedCredentials.map((udc) => udc.originalVerifiableCredential!),
+          )
+
+          if (areRequiredCredentialsPresent !== Status.ERROR && verifiableCredentials) {
+            let uniqueDigitalCredentials: UniqueDigitalCredential[] = []
+            uniqueDigitalCredentials = verifiableCredentials.map((vc) => {
+              // @ts-ignore FIXME Funke
+              const hash = typeof vc === 'string' ? computeEntryHash(vc.split('~'[0])) : computeEntryHash(vc)
+              const udc = selectedCredentials.find((udc) => udc.hash == hash || udc.originalVerifiableCredential == vc)
+
+              if (!udc) {
+                throw Error(
+                  `UniqueDigitalCredential could not be found in store. Either the credential is not present in the store or the hash is not correct.`,
+                )
+              }
+              return udc
+            })
+            verifiableCredentialsWithDefinition.push({
+              definition: presentationDefinition,
+              credentials: uniqueDigitalCredentials,
+            })
           }
-          return udc
-        })
-        verifiableCredentialsWithDefinition.push({
-          definition: presentationDefinition,
-          credentials: uniqueDigitalCredentials,
         })
+      } catch (e) {
+        return Promise.reject(e)
       }
-    })
 
-    if (verifiableCredentialsWithDefinition.length === 0) {
-      return Promise.reject(Error('None of the selected credentials match any of the presentation definitions.'))
+      if (verifiableCredentialsWithDefinition.length === 0) {
+        return Promise.reject(Error('None of the selected credentials match any of the presentation definitions.'))
+      }
+    } else if (authorizationRequestData.dcqlQuery) {
+      //TODO Only SD-JWT and MSO MDOC are supported at the moment
+      if (this.hasMDocCredentials(selectedCredentials) || this.hasSdJwtCredentials(selectedCredentials)) {
+        try {
+          selectedCredentials.forEach((vc) => {
+            if (this.isSdJwtCredential(vc)) {
+              const payload = (vc.originalVerifiableCredential as SdJwtDecodedVerifiableCredential).decodedPayload
+              const result: DcqlSdJwtVcCredential = {
+                claims: payload as { [x: string]: Json },
+                vct: payload.vct,
+                credential_format: 'vc+sd-jwt',
+              }
+              dcqlCredentialsWithCredentials.set(result, vc)
+              //FIXME MDoc namespaces are incompatible: array of strings vs complex object - https://sphereon.atlassian.net/browse/SPRIND-143
+            } else {
+              throw Error(`Invalid credential format: ${vc.digitalCredential.documentFormat}`)
+            }
+          })
+        } catch (e) {
+          return Promise.reject(e)
+        }
+
+        const dcqlPresentationRecord: DcqlPresentation.Output = {}
+        const queryResult = DcqlQuery.query(authorizationRequestData.dcqlQuery, Array.from(dcqlCredentialsWithCredentials.keys()))
+        for (const [key, value] of Object.entries(queryResult.credential_matches)) {
+          if (value.success) {
+            dcqlPresentationRecord[key] = this.retrieveEncodedCredential(dcqlCredentialsWithCredentials.get(value.output)!) as
+              | string
+              | { [x: string]: Json }
+          }
+        }
+      }
     }
 
     const response = await siopSendAuthorizationResponse(
@@ -378,6 +429,8 @@ export class DidAuthSiopOpAuthenticator implements IAgentPlugin {
         sessionId: didAuthConfig.sessionId,
         ...(args.idOpts && { idOpts: args.idOpts }),
         ...(authorizationRequestData.presentationDefinitions !== undefined && { verifiableCredentialsWithDefinition }),
+        isFirstParty,
+        hasher: this.hasher,
       },
       context,
     )
@@ -392,11 +445,41 @@ export class DidAuthSiopOpAuthenticator implements IAgentPlugin {
 
     return {
       body: responseBody,
-      url: response.url,
-      queryParams: decodeUriAsJson(response.url),
+      url: response?.url,
+      queryParams: decodeUriAsJson(response?.url),
     }
   }
 
+  private hasMDocCredentials = (credentials: UniqueDigitalCredential[]): boolean => {
+    return credentials.some(this.isMDocCredential)
+  }
+
+  private isMDocCredential = (credential: UniqueDigitalCredential) => {
+    return (
+      credential.digitalCredential.documentFormat === CredentialDocumentFormat.MSO_MDOC &&
+      credential.digitalCredential.documentType === DocumentType.VC
+    )
+  }
+
+  private hasSdJwtCredentials = (credentials: UniqueDigitalCredential[]): boolean => {
+    return credentials.some(this.isSdJwtCredential)
+  }
+
+  private isSdJwtCredential = (credential: UniqueDigitalCredential) => {
+    return (
+      credential.digitalCredential.documentFormat === CredentialDocumentFormat.SD_JWT && credential.digitalCredential.documentType === DocumentType.VC
+    )
+  }
+
+  private retrieveEncodedCredential = (credential: UniqueDigitalCredential) => {
+    return credential.originalVerifiableCredential !== undefined &&
+      credential.originalVerifiableCredential !== null &&
+      (credential?.originalVerifiableCredential as SdJwtDecodedVerifiableCredential)?.compactSdJwtVc !== undefined &&
+      (credential?.originalVerifiableCredential as SdJwtDecodedVerifiableCredential)?.compactSdJwtVc !== null
+      ? (credential.originalVerifiableCredential as SdJwtDecodedVerifiableCredential).compactSdJwtVc
+      : credential.originalVerifiableCredential
+  }
+
   private async siopGetSelectableCredentials(args: GetSelectableCredentialsArgs, context: RequiredContext): Promise<SelectableCredentialsMap> {
     const { authorizationRequestData } = args
 

package/src/services/Siopv2MachineService.ts

@@ -2,9 +2,9 @@ import { AuthorizationRequest, SupportedVersion } from '@sphereon/did-auth-siop'
 import { IPresentationDefinition, PEX } from '@sphereon/pex'
 import { InputDescriptorV1, InputDescriptorV2, PresentationDefinitionV1, PresentationDefinitionV2 } from '@sphereon/pex-models'
 import { isOID4VCIssuerIdentifier, ManagedIdentifierOptsOrResult } from '@sphereon/ssi-sdk-ext.identifier-resolution'
-import { verifiableCredentialForRoleFilter } from '@sphereon/ssi-sdk.credential-store'
+import { UniqueDigitalCredential, verifiableCredentialForRoleFilter } from '@sphereon/ssi-sdk.credential-store'
 import { ConnectionType, CredentialRole } from '@sphereon/ssi-sdk.data-store'
-import { CredentialMapper, Loggers, PresentationSubmission } from '@sphereon/ssi-types'
+import { CredentialMapper, HasherSync, Loggers, OriginalVerifiableCredential, PresentationSubmission } from '@sphereon/ssi-types'
 import { OID4VP, OpSession } from '../session'
 import {
   DidAgents,
@@ -19,7 +19,10 @@ import {
 } from '../types'
 import { IAgentContext, IDIDManager } from '@veramo/core'
 import { getOrCreatePrimaryIdentifier, SupportedDidMethodEnum } from '@sphereon/ssi-sdk-ext.did-utils'
-import { encodeJoseBlob } from '@sphereon/ssi-sdk.core'
+import { defaultHasher, encodeJoseBlob } from '@sphereon/ssi-sdk.core'
+import { DcqlCredential, DcqlCredentialPresentation, DcqlPresentation, DcqlQuery } from 'dcql'
+import { convertToDcqlCredentials } from '../utils/dcql'
+import { getOriginalVerifiableCredential } from '../utils/CredentialUtils'
 
 export const logger = Loggers.DEFAULT.get(LOGGER_NAMESPACE)
 
@@ -48,12 +51,15 @@ export const siopSendAuthorizationResponse = async (
     sessionId: string
     verifiableCredentialsWithDefinition?: VerifiableCredentialsWithDefinition[]
     idOpts?: ManagedIdentifierOptsOrResult
+    isFirstParty?: boolean
+    hasher?: HasherSync
+    dcqlQuery?: DcqlQuery
   },
   context: RequiredContext,
 ) => {
   const { agent } = context
   const agentContext = { ...context, agent: context.agent as DidAgents }
-  let { idOpts } = args
+  let { idOpts, isFirstParty, hasher = defaultHasher } = args
 
   if (connectionType !== ConnectionType.SIOPv2_OpenID4VP) {
     return Promise.reject(Error(`No supported authentication provider for type: ${connectionType}`))
@@ -67,7 +73,7 @@ export const siopSendAuthorizationResponse = async (
   let presentationsAndDefs: VerifiablePresentationWithDefinition[] | undefined
   let presentationSubmission: PresentationSubmission | undefined
   if (await session.hasPresentationDefinitions()) {
-    const oid4vp: OID4VP = await session.getOID4VP({})
+    const oid4vp: OID4VP = await session.getOID4VP({ hasher })
 
     const credentialsAndDefinitions = args.verifiableCredentialsWithDefinition
       ? args.verifiableCredentialsWithDefinition
@@ -123,11 +129,18 @@ export const siopSendAuthorizationResponse = async (
           break
         // TODO other implementations?
         default:
-          // Since we are using the kmsKeyRef we will find the KID regardless of the identifier. We set it for later access though
-          identifier = await session.context.agent.identifierManagedGetByKid({
-            identifier: digitalCredential.subjectCorrelationId ?? holder ?? digitalCredential.kmsKeyRef,
-            kmsKeyRef: digitalCredential.kmsKeyRef,
-          })
+          if (digitalCredential.subjectCorrelationId?.startsWith('did:') || holder?.startsWith('did:')) {
+            identifier = await session.context.agent.identifierManagedGetByDid({
+              identifier: digitalCredential.subjectCorrelationId ?? holder,
+              kmsKeyRef: digitalCredential.kmsKeyRef,
+            })
+          } else {
+            // Since we are using the kmsKeyRef we will find the KID regardless of the identifier. We set it for later access though
+            identifier = await session.context.agent.identifierManagedGetByKid({
+              identifier: digitalCredential.subjectCorrelationId ?? holder ?? digitalCredential.kmsKeyRef,
+              kmsKeyRef: digitalCredential.kmsKeyRef,
+            })
+          }
       }
     }
 
@@ -153,16 +166,116 @@ export const siopSendAuthorizationResponse = async (
 
     idOpts = presentationsAndDefs[0].idOpts
     presentationSubmission = presentationsAndDefs[0].presentationSubmission
+
+    logger.log(`Definitions and locations:`, JSON.stringify(presentationsAndDefs?.[0]?.verifiablePresentations, null, 2))
+    logger.log(`Presentation Submission:`, JSON.stringify(presentationSubmission, null, 2))
+    const mergedVerifiablePresentations = presentationsAndDefs?.flatMap((pd) => pd.verifiablePresentations) || []
+    return await session.sendAuthorizationResponse({
+      ...(presentationsAndDefs && { verifiablePresentations: mergedVerifiablePresentations }),
+      ...(presentationSubmission && { presentationSubmission }),
+      // todo: Change issuer value in case we do not use identifier. Use key.meta.jwkThumbprint then
+      responseSignerOpts: idOpts!,
+      isFirstParty,
+    })
+  } else if (request.dcqlQuery) {
+    if (args.verifiableCredentialsWithDefinition !== undefined && args.verifiableCredentialsWithDefinition !== null) {
+      const vcs = args.verifiableCredentialsWithDefinition.flatMap((vcd) => vcd.credentials)
+      const domain =
+        ((await request.authorizationRequest.getMergedProperty('client_id')) as string) ??
+        request.issuer ??
+        (request.versions.includes(SupportedVersion.JWT_VC_PRESENTATION_PROFILE_v1)
+          ? 'https://self-issued.me/v2/openid-vc'
+          : 'https://self-issued.me/v2')
+      logger.debug(`NONCE: ${session.nonce}, domain: ${domain}`)
+
+      const firstUniqueDC = vcs[0]
+      if (typeof firstUniqueDC !== 'object' || !('digitalCredential' in firstUniqueDC)) {
+        return Promise.reject(Error('SiopMachine only supports UniqueDigitalCredentials for now'))
+      }
+
+      let identifier: ManagedIdentifierOptsOrResult
+      const digitalCredential = firstUniqueDC.digitalCredential
+      const firstVC = firstUniqueDC.uniformVerifiableCredential
+      const holder = CredentialMapper.isSdJwtDecodedCredential(firstVC)
+        ? firstVC.decodedPayload.cnf?.jwk
+          ? //TODO SDK-19: convert the JWK to hex and search for the appropriate key and associated DID
+            //doesn't apply to did:jwk only, as you can represent any DID key as a JWK. So whenever you encounter a JWK it doesn't mean it had to come from a did:jwk in the system. It just can always be represented as a did:jwk
+            `did:jwk:${encodeJoseBlob(firstVC.decodedPayload.cnf?.jwk)}#0`
+          : firstVC.decodedPayload.sub
+        : Array.isArray(firstVC.credentialSubject)
+          ? firstVC.credentialSubject[0].id
+          : firstVC.credentialSubject.id
+      if (!digitalCredential.kmsKeyRef) {
+        // In case the store does not have the kmsKeyRef lets search for the holder
+
+        if (!holder) {
+          return Promise.reject(`No holder found and no kmsKeyRef in DB. Cannot determine identifier to use`)
+        }
+        try {
+          identifier = await session.context.agent.identifierManagedGet({ identifier: holder })
+        } catch (e) {
+          logger.debug(`Holder DID not found: ${holder}`)
+          throw e
+        }
+      } else if (isOID4VCIssuerIdentifier(digitalCredential.kmsKeyRef)) {
+        identifier = await session.context.agent.identifierManagedGetByOID4VCIssuer({
+          identifier: firstUniqueDC.digitalCredential.kmsKeyRef,
+        })
+      } else {
+        switch (digitalCredential.subjectCorrelationType) {
+          case 'DID':
+            identifier = await session.context.agent.identifierManagedGetByDid({
+              identifier: digitalCredential.subjectCorrelationId ?? holder,
+              kmsKeyRef: digitalCredential.kmsKeyRef,
+            })
+            break
+          // TODO other implementations?
+          default:
+            // Since we are using the kmsKeyRef we will find the KID regardless of the identifier. We set it for later access though
+            identifier = await session.context.agent.identifierManagedGetByKid({
+              identifier: digitalCredential.subjectCorrelationId ?? holder ?? digitalCredential.kmsKeyRef,
+              kmsKeyRef: digitalCredential.kmsKeyRef,
+            })
+        }
+      }
+      console.log(`Identifier`, identifier)
+
+      const dcqlRepresentations: DcqlCredential[] = []
+      vcs.forEach((vc: UniqueDigitalCredential | OriginalVerifiableCredential) => {
+        const rep = convertToDcqlCredentials(vc, args.hasher)
+        if (rep) {
+          dcqlRepresentations.push(rep)
+        }
+      })
+
+      const queryResult = DcqlQuery.query(request.dcqlQuery, dcqlRepresentations)
+      const presentation: Record<string, DcqlCredentialPresentation> = {}
+
+      for (const [key, value] of Object.entries(queryResult.credential_matches)) {
+        const allMatches = Array.isArray(value) ? value : [value]
+        allMatches.forEach((match) => {
+          if (match.success) {
+            const originalCredential = getOriginalVerifiableCredential(vcs[match.input_credential_index])
+            if (!originalCredential) {
+              throw new Error(`Index ${match.input_credential_index} out of range in credentials array`)
+            }
+            presentation[key] =
+              (originalCredential as any)['compactSdJwtVc'] !== undefined ? (originalCredential as any).compactSdJwtVc : originalCredential
+          }
+        })
+      }
+
+      const response = session.sendAuthorizationResponse({
+        responseSignerOpts: identifier,
+        ...{ dcqlQuery: { dcqlPresentation: DcqlPresentation.parse(presentation) } },
+      })
+
+      logger.debug(`Response: `, response)
+
+      return response
+    }
   }
-  logger.log(`Definitions and locations:`, JSON.stringify(presentationsAndDefs?.[0]?.verifiablePresentations, null, 2))
-  logger.log(`Presentation Submission:`, JSON.stringify(presentationSubmission, null, 2))
-  const mergedVerifiablePresentations = presentationsAndDefs?.flatMap((pd) => pd.verifiablePresentations) || []
-  return await session.sendAuthorizationResponse({
-    ...(presentationsAndDefs && { verifiablePresentations: mergedVerifiablePresentations }),
-    ...(presentationSubmission && { presentationSubmission }),
-    // todo: Change issuer value in case we do not use identifier. Use key.meta.jwkThumbprint then
-    responseSignerOpts: idOpts!,
-  })
+  throw Error('Presentation Definition or DCQL is required')
 }
 
 function buildPartialPD(

package/src/session/OID4VP.ts

@@ -2,15 +2,15 @@ import { PresentationDefinitionWithLocation, PresentationExchange } from '@spher
 import { SelectResults, Status, SubmissionRequirementMatch } from '@sphereon/pex'
 import { Format } from '@sphereon/pex-models'
 import {
-  isOID4VCIssuerIdentifier,
   isManagedIdentifierDidResult,
+  isOID4VCIssuerIdentifier,
   ManagedIdentifierOptsOrResult,
   ManagedIdentifierResult,
 } from '@sphereon/ssi-sdk-ext.identifier-resolution'
-import { ProofOptions } from '@sphereon/ssi-sdk.core'
+import { defaultHasher, ProofOptions } from '@sphereon/ssi-sdk.core'
 import { UniqueDigitalCredential, verifiableCredentialForRoleFilter } from '@sphereon/ssi-sdk.credential-store'
 import { CredentialRole, FindDigitalCredentialArgs } from '@sphereon/ssi-sdk.data-store'
-import { CompactJWT, Hasher, IProof, OriginalVerifiableCredential } from '@sphereon/ssi-types'
+import { CompactJWT, HasherSync, IProof, OriginalVerifiableCredential } from '@sphereon/ssi-types'
 import {
   DEFAULT_JWT_PROOF_TYPE,
   IGetPresentationExchangeArgs,
@@ -24,17 +24,17 @@ import { OpSession } from './OpSession'
 export class OID4VP {
   private readonly session: OpSession
   private readonly allIdentifiers: string[]
-  private readonly hasher?: Hasher
+  private readonly hasher?: HasherSync
 
   private constructor(args: IOID4VPArgs) {
-    const { session, allIdentifiers, hasher } = args
+    const { session, allIdentifiers, hasher = defaultHasher } = args
 
     this.session = session
     this.allIdentifiers = allIdentifiers ?? []
     this.hasher = hasher
   }
 
-  public static async init(session: OpSession, allIdentifiers: string[], hasher?: Hasher): Promise<OID4VP> {
+  public static async init(session: OpSession, allIdentifiers: string[], hasher?: HasherSync): Promise<OID4VP> {
     return new OID4VP({ session, allIdentifiers: allIdentifiers ?? (await session.getSupportedDIDs()), hasher })
   }
 
@@ -68,7 +68,7 @@ export class OID4VP {
       skipDidResolution?: boolean
       holderDID?: string
       subjectIsHolder?: boolean
-      hasher?: Hasher
+      hasher?: HasherSync
       applyFilter?: boolean
     },
   ): Promise<VerifiablePresentationWithDefinition[]> {
@@ -88,7 +88,7 @@ export class OID4VP {
       holder?: string
       subjectIsHolder?: boolean
       applyFilter?: boolean
-      hasher?: Hasher
+      hasher?: HasherSync
     },
   ): Promise<VerifiablePresentationWithDefinition> {
     const { subjectIsHolder, holder, forceNoCredentialsInVP = false } = { ...opts }