@sphereon/ssi-sdk.siopv2-oid4vp-op-auth 0.32.1-next.20 → 0.32.1-next.287

package/src/session/OpSession.ts

@@ -20,7 +20,7 @@ import { encodeBase64url } from '@sphereon/ssi-sdk.core'
 import {
   CompactSdJwtVc,
   CredentialMapper,
-  Hasher,
+  HasherSync,
   OriginalVerifiableCredential,
   parseDid,
   PresentationSubmission,
@@ -240,7 +240,7 @@ export class OpSession {
   private createPresentationVerificationCallback(context: IRequiredContext) {
     async function presentationVerificationCallback(
       args: W3CVerifiablePresentation | CompactSdJwtVc,
-      presentationSubmission: PresentationSubmission,
+      presentationSubmission?: PresentationSubmission,
     ): Promise<PresentationVerificationResult> {
       let result: IVerifyResult
       if (CredentialMapper.isSdJwtEncoded(args)) {
@@ -293,8 +293,8 @@ export class OpSession {
         .jwtEncryptJweCompactJwt({
           recipientKey,
           protectedHeader: {},
-          alg: requestObjectPayload.client_metadata.authorization_encrypted_response_alg as JweAlg | undefined ?? 'ECDH-ES',
-          enc: requestObjectPayload.client_metadata.authorization_encrypted_response_enc as JweEnc | undefined ?? 'A256GCM',
+          alg: (requestObjectPayload.client_metadata.authorization_encrypted_response_alg as JweAlg | undefined) ?? 'ECDH-ES',
+          enc: (requestObjectPayload.client_metadata.authorization_encrypted_response_enc as JweEnc | undefined) ?? 'A256GCM',
           apv: encodeBase64url(opts.requestObjectPayload.nonce),
           apu: encodeBase64url(v4()),
           payload: authResponse,
@@ -360,12 +360,14 @@ export class OpSession {
     const responseOpts = {
       verification,
       issuer,
+      ...(args.isFirstParty && { isFirstParty: args.isFirstParty }),
       ...(args.verifiablePresentations && {
         presentationExchange: {
           verifiablePresentations,
           presentationSubmission: args.presentationSubmission,
         } as PresentationExchangeResponseOpts,
       }),
+      dcqlQuery: args.dcqlResponse,
     }
 
     const authResponse = await op.createAuthorizationResponse(request, responseOpts)
@@ -378,7 +380,7 @@ export class OpSession {
     }
   }
 
-  private countVCsInAllVPs(verifiablePresentations: W3CVerifiablePresentation[], hasher?: Hasher) {
+  private countVCsInAllVPs(verifiablePresentations: W3CVerifiablePresentation[], hasher?: HasherSync) {
     return verifiablePresentations.reduce((sum, vp) => {
       if (CredentialMapper.isMsoMdocDecodedPresentation(vp) || CredentialMapper.isMsoMdocOid4VPEncoded(vp)) {
         return sum + 1

package/src/types/IDidAuthSiopOpAuthenticator.ts

@@ -1,4 +1,5 @@
 import {
+  DcqlResponseOpts,
   PresentationDefinitionWithLocation,
   PresentationSignCallback,
   ResponseMode,
@@ -18,7 +19,7 @@ import { ICredentialStore, UniqueDigitalCredential } from '@sphereon/ssi-sdk.cre
 import { Party } from '@sphereon/ssi-sdk.data-store'
 import { IPDManager } from '@sphereon/ssi-sdk.pd-manager'
 import { ISDJwtPlugin } from '@sphereon/ssi-sdk.sd-jwt'
-import { Hasher, OriginalVerifiableCredential, PresentationSubmission, W3CVerifiablePresentation } from '@sphereon/ssi-types'
+import { HasherSync, OriginalVerifiableCredential, PresentationSubmission, W3CVerifiablePresentation } from '@sphereon/ssi-types'
 import { VerifyCallback } from '@sphereon/wellknown-dids-client'
 import {
   IAgentContext,
@@ -122,7 +123,9 @@ export interface IOpsSendSiopAuthorizationResponseArgs {
   // verifiedAuthorizationRequest: VerifiedAuthorizationRequest
   presentationSubmission?: PresentationSubmission
   verifiablePresentations?: W3CVerifiablePresentation[]
-  hasher?: Hasher
+  dcqlResponse?: DcqlResponseOpts
+  hasher?: HasherSync
+  isFirstParty?: boolean
 }
 
 export enum events {
@@ -159,7 +162,7 @@ export interface IOPOptions {
   presentationSignCallback?: PresentationSignCallback
 
   resolveOpts?: ResolveOpts
-  hasher?: Hasher
+  hasher?: HasherSync
 }
 
 /*
@@ -182,19 +185,30 @@ export interface VerifiablePresentationWithDefinition extends VerifiablePresenta
 
 export interface IOpSessionGetOID4VPArgs {
   allIdentifiers?: string[]
-  hasher?: Hasher
+  hasher?: HasherSync
 }
 
 export interface IOID4VPArgs {
   session: OpSession
   allIdentifiers?: string[]
-  hasher?: Hasher
+  hasher?: HasherSync
 }
 
 export interface IGetPresentationExchangeArgs {
   verifiableCredentials: OriginalVerifiableCredential[]
   allIdentifiers?: string[]
-  hasher?: Hasher
-}
+  hasher?: HasherSync
+}
+
+// It was added here because it's not exported from DCQL anymore
+export type Json =
+  | string
+  | number
+  | boolean
+  | null
+  | {
+      [key: string]: Json
+    }
+  | Json[]
 
 export const DEFAULT_JWT_PROOF_TYPE = 'JwtProof2020'

package/src/types/machine/index.ts

@@ -18,6 +18,7 @@ export type Siopv2MachineContext = {
   contactAlias: string
   selectableCredentialsMap?: SelectableCredentialsMap
   selectedCredentials: Array<UniqueDigitalCredential>
+  isFirstParty?: boolean
   error?: ErrorDetails
 }
 

package/src/types/siop-service/index.ts

@@ -1,4 +1,9 @@
-import { PresentationDefinitionWithLocation, RPRegistrationMetadataPayload } from '@sphereon/did-auth-siop'
+import {
+  PresentationDefinitionWithLocation,
+  PresentationSignCallback,
+  RPRegistrationMetadataPayload,
+  VerifiedAuthorizationRequest,
+} from '@sphereon/did-auth-siop'
 import { IIdentifierResolution, ManagedIdentifierOptsOrResult } from '@sphereon/ssi-sdk-ext.identifier-resolution'
 import { IContactManager } from '@sphereon/ssi-sdk.contact-manager'
 import { ICredentialStore, UniqueDigitalCredential } from '@sphereon/ssi-sdk.credential-store'
@@ -7,10 +12,15 @@ import { IIssuanceBranding } from '@sphereon/ssi-sdk.issuance-branding'
 import { IAgentContext, IDIDManager, IIdentifier, IResolver } from '@veramo/core'
 import { IDidAuthSiopOpAuthenticator } from '../IDidAuthSiopOpAuthenticator'
 import { Siopv2MachineContext, Siopv2MachineInterpreter, Siopv2MachineState } from '../machine'
+import { DcqlQuery } from 'dcql'
+import { HasherSync } from '@sphereon/ssi-types'
 
 export type DidAuthSiopOpAuthenticatorOptions = {
+  presentationSignCallback?: PresentationSignCallback
+  customApprovals?: Record<string, (verifiedAuthorizationRequest: VerifiedAuthorizationRequest, sessionId: string) => Promise<void>>
   onContactIdentityCreated?: (args: OnContactIdentityCreatedArgs) => Promise<void>
   onIdentifierCreated?: (args: OnIdentifierCreatedArgs) => Promise<void>
+  hasher?: HasherSync
 }
 
 export type GetMachineArgs = {
@@ -19,12 +29,21 @@ export type GetMachineArgs = {
   stateNavigationListener?: (siopv2Machine: Siopv2MachineInterpreter, state: Siopv2MachineState, navigation?: any) => Promise<void>
 }
 
-export type CreateConfigArgs = Pick<Siopv2MachineContext, 'url'>
+export type CreateConfigArgs = { url: string }
 export type CreateConfigResult = Omit<DidAuthConfig, 'stateId' | 'idOpts'>
-export type GetSiopRequestArgs = Pick<Siopv2MachineContext, 'didAuthConfig' | 'url'>
+export type GetSiopRequestArgs = { didAuthConfig?: Omit<DidAuthConfig, 'identifier'>; url: string }
+// FIXME it would be nicer if these function are not tied to a certain machine so that we can start calling them for anywhere
 export type RetrieveContactArgs = Pick<Siopv2MachineContext, 'url' | 'authorizationRequestData'>
+// FIXME it would be nicer if these function are not tied to a certain machine so that we can start calling them for anywhere
 export type AddIdentityArgs = Pick<Siopv2MachineContext, 'contact' | 'authorizationRequestData'>
-export type SendResponseArgs = Pick<Siopv2MachineContext, 'didAuthConfig' | 'authorizationRequestData' | 'selectedCredentials' | 'idOpts'>
+export type SendResponseArgs = {
+  didAuthConfig?: Omit<DidAuthConfig, 'identifier'>
+  authorizationRequestData?: Siopv2AuthorizationRequestData
+  selectedCredentials: Array<UniqueDigitalCredential>
+  idOpts?: ManagedIdentifierOptsOrResult
+  isFirstParty?: boolean
+}
+// FIXME it would be nicer if these function are not tied to a certain machine so that we can start calling them for anywhere
 export type GetSelectableCredentialsArgs = Pick<Siopv2MachineContext, 'authorizationRequestData'>
 
 export enum Siopv2HolderEvent {
@@ -38,7 +57,7 @@ export enum SupportedLanguage {
 }
 
 export type Siopv2AuthorizationResponseData = {
-  body?: string
+  body?: string | Record<string, any>
   url?: string
   queryParams?: Record<string, any>
 }
@@ -51,6 +70,7 @@ export type Siopv2AuthorizationRequestData = {
   uri?: URL
   clientId?: string
   presentationDefinitions?: PresentationDefinitionWithLocation[]
+  dcqlQuery?: DcqlQuery
 }
 
 export type SelectableCredentialsMap = Map<string, Array<SelectableCredential>>

package/src/utils/CredentialUtils.ts

@@ -0,0 +1,71 @@
+import { CredentialMapper, HasherSync, ICredential, IVerifiableCredential, OriginalVerifiableCredential } from '@sphereon/ssi-types'
+import { VerifiableCredential } from '@veramo/core'
+import { UniqueDigitalCredential } from '@sphereon/ssi-sdk.credential-store'
+
+/**
+ * Return the type(s) of a VC minus the VerifiableCredential type which should always be present
+ * @param credential The input credential
+ */
+export const getCredentialTypeAsString = (credential: ICredential | VerifiableCredential): string => {
+  if (!credential.type) {
+    return 'Verifiable Credential'
+  } else if (typeof credential.type === 'string') {
+    return credential.type
+  }
+  return credential.type.filter((type: string): boolean => type !== 'VerifiableCredential').join(', ')
+}
+
+/**
+ * Returns a Unique Verifiable Credential (with hash) as stored in Veramo, based upon matching the id of the input VC or the proof value of the input VC
+ * @param uniqueVCs The Unique VCs to search in
+ * @param searchVC The VC to search for in the unique VCs array
+ */
+export const getMatchingUniqueDigitalCredential = (
+  uniqueVCs: UniqueDigitalCredential[],
+  searchVC: OriginalVerifiableCredential,
+): UniqueDigitalCredential | undefined => {
+  // Since an ID is optional in a VC according to VCDM, and we really need the matches, we have a fallback match on something which is guaranteed to be unique for any VC (the proof(s))
+  return uniqueVCs.find(
+    (uniqueVC: UniqueDigitalCredential) =>
+      (typeof searchVC !== 'string' &&
+        (uniqueVC.id === (<IVerifiableCredential>searchVC).id ||
+          (uniqueVC.originalVerifiableCredential as VerifiableCredential).proof === (<IVerifiableCredential>searchVC).proof)) ||
+      (typeof searchVC === 'string' && (uniqueVC.uniformVerifiableCredential as VerifiableCredential)?.proof?.jwt === searchVC) ||
+      // We are ignoring the signature of the sd-jwt as PEX signs the vc again and it will not match anymore with the jwt in the proof of the stored jsonld vc
+      (typeof searchVC === 'string' &&
+        CredentialMapper.isSdJwtEncoded(searchVC) &&
+        uniqueVC.uniformVerifiableCredential?.proof &&
+        'jwt' in uniqueVC.uniformVerifiableCredential.proof &&
+        uniqueVC.uniformVerifiableCredential.proof.jwt?.split('.')?.slice(0, 2)?.join('.') === searchVC.split('.')?.slice(0, 2)?.join('.')),
+  )
+}
+
+type InputCredential = UniqueDigitalCredential | VerifiableCredential | ICredential | OriginalVerifiableCredential
+
+/**
+ * Get an original verifiable credential. Maps to wrapped Verifiable Credential first, to get an original JWT as Veramo stores these with a special proof value
+ * @param credential The input VC
+ */
+
+export const getOriginalVerifiableCredential = (credential: InputCredential): OriginalVerifiableCredential => {
+  if (isUniqueDigitalCredential(credential)) {
+    if (!credential.originalVerifiableCredential) {
+      throw new Error('originalVerifiableCredential is not defined in UniqueDigitalCredential')
+    }
+    return getCredentialFromProofOrWrapped(credential.originalVerifiableCredential)
+  }
+
+  return getCredentialFromProofOrWrapped(credential)
+}
+
+const getCredentialFromProofOrWrapped = (cred: any, hasher?: HasherSync): OriginalVerifiableCredential => {
+  if (typeof cred === 'object' && 'proof' in cred && 'jwt' in cred.proof && CredentialMapper.isSdJwtEncoded(cred.proof.jwt)) {
+    return cred.proof.jwt
+  }
+
+  return CredentialMapper.toWrappedVerifiableCredential(cred as OriginalVerifiableCredential, { hasher }).original
+}
+
+export const isUniqueDigitalCredential = (credential: InputCredential): credential is UniqueDigitalCredential => {
+  return (credential as UniqueDigitalCredential).digitalCredential !== undefined
+}

package/src/utils/dcql.ts

@@ -0,0 +1,36 @@
+import { UniqueDigitalCredential } from '@sphereon/ssi-sdk.credential-store'
+import { DcqlCredential, DcqlSdJwtVcCredential, DcqlW3cVcCredential } from 'dcql'
+import { CredentialMapper, HasherSync, OriginalVerifiableCredential } from '@sphereon/ssi-types'
+import { isUniqueDigitalCredential } from './CredentialUtils'
+
+export function convertToDcqlCredentials(credential: UniqueDigitalCredential | OriginalVerifiableCredential, hasher?: HasherSync): DcqlCredential {
+  let payload
+  if (isUniqueDigitalCredential(credential)) {
+    if (!credential.originalVerifiableCredential) {
+      throw new Error('originalVerifiableCredential is not defined in UniqueDigitalCredential')
+    }
+    payload = CredentialMapper.decodeVerifiableCredential(credential.originalVerifiableCredential, hasher)
+  } else {
+    payload = CredentialMapper.decodeVerifiableCredential(credential as OriginalVerifiableCredential, hasher)
+  }
+
+  if (!payload) {
+    throw new Error('No payload found')
+  }
+
+  if ('decodedPayload' in payload && payload.decodedPayload) {
+    payload = payload.decodedPayload
+  }
+
+  if ('vct' in payload!) {
+    return { vct: payload.vct, claims: payload, credential_format: 'vc+sd-jwt' } satisfies DcqlSdJwtVcCredential // TODO dc+sd-jwt support?
+  } else if ('docType' in payload! && 'namespaces' in payload) {
+    // mdoc
+    return { docType: payload.docType, namespaces: payload.namespaces, claims: payload }
+  } else {
+    return {
+      claims: payload,
+      credential_format: 'jwt_vc_json', // TODO jwt_vc_json-ld support
+    } as DcqlW3cVcCredential
+  }
+}