@sphereon/ssi-sdk.siopv2-oid4vp-op-auth 0.32.1-next.54 → 0.33.1-feature.jose.vcdm.55

package/src/session/OpSession.ts

@@ -20,21 +20,21 @@ import { encodeBase64url } from '@sphereon/ssi-sdk.core'
 import {
   CompactSdJwtVc,
   CredentialMapper,
-  Hasher,
+  HasherSync,
   OriginalVerifiableCredential,
   parseDid,
   PresentationSubmission,
   W3CVerifiablePresentation,
 } from '@sphereon/ssi-types'
 import { IIdentifier, IVerifyResult, TKeyType } from '@veramo/core'
-import Debug from 'debug'
 import { v4 } from 'uuid'
 import { IOPOptions, IOpSessionArgs, IOpSessionGetOID4VPArgs, IOpsSendSiopAuthorizationResponseArgs, IRequiredContext } from '../types'
 import { createOP } from './functions'
 import { OID4VP } from './OID4VP'
 import { PEX } from '@sphereon/pex'
+import { Loggers } from '@sphereon/ssi-types'
 
-const debug = Debug(`sphereon:sdk:siop:op-session`)
+const logger = Loggers.DEFAULT.get('sphereon:oid4vp:OpSession')
 
 export class OpSession {
   public readonly ts = new Date().getDate()
@@ -100,9 +100,9 @@ export class OpSession {
   public async getSupportedDIDMethods(didPrefix?: boolean): Promise<string[]> {
     const agentMethods = this.getAgentDIDMethodsSupported({ didPrefix })
     let rpMethods = await this.getRPDIDMethodsSupported({ didPrefix, agentMethods })
-    debug(`RP supports subject syntax types: ${JSON.stringify(this.getSubjectSyntaxTypesSupported())}`)
+    logger.debug(`RP supports subject syntax types: ${JSON.stringify(this.getSubjectSyntaxTypesSupported())}`)
     if (rpMethods.dids.length === 0) {
-      debug(`RP does not support DIDs. Supported: ${JSON.stringify(this.getSubjectSyntaxTypesSupported())}`)
+      logger.debug(`RP does not support DIDs. Supported: ${JSON.stringify(this.getSubjectSyntaxTypesSupported())}`)
       return []
     }
 
@@ -125,7 +125,7 @@ export class OpSession {
 
   private getAgentDIDMethodsSupported(opts: { didPrefix?: boolean }) {
     const agentMethods = this.options.supportedDIDMethods?.map((method) => convertDidMethod(method, opts.didPrefix))
-    debug(`agent methods: ${JSON.stringify(agentMethods)}`)
+    logger.debug(`agent methods: ${JSON.stringify(agentMethods)}`)
     return agentMethods
   }
 
@@ -139,17 +139,17 @@ export class OpSession {
     let keyType: TKeyType | undefined
     const agentMethods =
       (opts.agentMethods ?? this.getAgentDIDMethodsSupported(opts))?.map((method) => convertDidMethod(method, opts.didPrefix)) ?? []
-    debug(`agent methods supported: ${JSON.stringify(agentMethods)}`)
+    logger.debug(`agent methods supported: ${JSON.stringify(agentMethods)}`)
     const authReq = await this.getAuthorizationRequest()
     const subjectSyntaxTypesSupported = authReq.registrationMetadataPayload?.subject_syntax_types_supported
       ?.map((method) => convertDidMethod(method, opts.didPrefix))
       .filter((val) => !val.startsWith('did'))
-    debug(`subject syntax types supported in rp method supported: ${JSON.stringify(subjectSyntaxTypesSupported)}`)
+    logger.debug(`subject syntax types supported in rp method supported: ${JSON.stringify(subjectSyntaxTypesSupported)}`)
     const aud = await authReq.authorizationRequest.getMergedProperty<string>('aud')
     let rpMethods: string[] = []
     if (aud && aud.startsWith('did:')) {
       const didMethod = convertDidMethod(parseDid(aud).method, opts.didPrefix)
-      debug(`aud did method: ${didMethod}`)
+      logger.debug(`aud did method: ${didMethod}`)
 
       // The RP knows our DID, so we can use it to determine the supported DID methods
       // If the aud did:method is not in the supported types, there still is something wrong, unless the RP signals to support all did methods
@@ -172,7 +172,7 @@ export class OpSession {
       (authReq.issuer?.includes('.ebsi.eu') || (await authReq.authorizationRequest.getMergedProperty<string>('client_id'))?.includes('.ebsi.eu'))
     let codecName: string | undefined = undefined
     if (isEBSI && (!aud || !aud.startsWith('http'))) {
-      debug(`EBSI detected, adding did:key to supported DID methods for RP`)
+      logger.debug(`EBSI detected, adding did:key to supported DID methods for RP`)
       const didKeyMethod = convertDidMethod('did:key', opts.didPrefix)
       if (!agentMethods?.includes(didKeyMethod)) {
         throw Error(`EBSI detected, but agent did not support did:key. Please reconfigure agent`)
@@ -187,7 +187,7 @@ export class OpSession {
   public async getSupportedIdentifiers(opts?: { createInCaseNoDIDFound?: boolean }): Promise<IIdentifier[]> {
     // todo: we also need to check signature algo
     const methods = await this.getSupportedDIDMethods(true)
-    debug(`supported DID methods (did: prefix = true): ${JSON.stringify(methods)}`)
+    logger.debug(`supported DID methods (did: prefix = true): ${JSON.stringify(methods)}`)
     if (methods.length === 0) {
       throw Error(`No DID methods are supported`)
     }
@@ -195,7 +195,7 @@ export class OpSession {
       .didManagerFind()
       .then((ids: IIdentifier[]) => ids.filter((id) => methods.includes(id.provider)))
     if (identifiers.length === 0) {
-      debug(`No identifiers available in agent supporting methods ${JSON.stringify(methods)}`)
+      logger.debug(`No identifiers available in agent supporting methods ${JSON.stringify(methods)}`)
       if (opts?.createInCaseNoDIDFound !== false) {
         const { codecName, keyType } = await this.getRPDIDMethodsSupported({
           didPrefix: true,
@@ -205,11 +205,11 @@ export class OpSession {
           provider: methods[0],
           options: { codecName, keyType, type: keyType }, // both keyType and type, because not every did provider has the same param
         })
-        debug(`Created a new identifier for the SIOP interaction: ${identifier.did}`)
+        logger.debug(`Created a new identifier for the SIOP interaction: ${identifier.did}`)
         identifiers.push(identifier)
       }
     }
-    debug(`supported identifiers: ${JSON.stringify(identifiers.map((id) => id.did))}`)
+    logger.debug(`supported identifiers: ${JSON.stringify(identifiers.map((id) => id.did))}`)
     return identifiers
   }
 
@@ -293,8 +293,8 @@ export class OpSession {
         .jwtEncryptJweCompactJwt({
           recipientKey,
           protectedHeader: {},
-          alg: requestObjectPayload.client_metadata.authorization_encrypted_response_alg as JweAlg | undefined ?? 'ECDH-ES',
-          enc: requestObjectPayload.client_metadata.authorization_encrypted_response_enc as JweEnc | undefined ?? 'A256GCM',
+          alg: (requestObjectPayload.client_metadata.authorization_encrypted_response_alg as JweAlg | undefined) ?? 'ECDH-ES',
+          enc: (requestObjectPayload.client_metadata.authorization_encrypted_response_enc as JweEnc | undefined) ?? 'A256GCM',
           apv: encodeBase64url(opts.requestObjectPayload.nonce),
           apu: encodeBase64url(v4()),
           payload: authResponse,
@@ -367,6 +367,7 @@ export class OpSession {
           presentationSubmission: args.presentationSubmission,
         } as PresentationExchangeResponseOpts,
       }),
+      dcqlQuery: args.dcqlResponse,
     }
 
     const authResponse = await op.createAuthorizationResponse(request, responseOpts)
@@ -379,7 +380,7 @@ export class OpSession {
     }
   }
 
-  private countVCsInAllVPs(verifiablePresentations: W3CVerifiablePresentation[], hasher?: Hasher) {
+  private countVCsInAllVPs(verifiablePresentations: W3CVerifiablePresentation[], hasher?: HasherSync) {
     return verifiablePresentations.reduce((sum, vp) => {
       if (CredentialMapper.isMsoMdocDecodedPresentation(vp) || CredentialMapper.isMsoMdocOid4VPEncoded(vp)) {
         return sum + 1

package/src/types/IDidAuthSiopOpAuthenticator.ts

@@ -1,4 +1,5 @@
 import {
+  DcqlResponseOpts,
   PresentationDefinitionWithLocation,
   PresentationSignCallback,
   ResponseMode,
@@ -18,7 +19,7 @@ import { ICredentialStore, UniqueDigitalCredential } from '@sphereon/ssi-sdk.cre
 import { Party } from '@sphereon/ssi-sdk.data-store'
 import { IPDManager } from '@sphereon/ssi-sdk.pd-manager'
 import { ISDJwtPlugin } from '@sphereon/ssi-sdk.sd-jwt'
-import { Hasher, OriginalVerifiableCredential, PresentationSubmission, W3CVerifiablePresentation } from '@sphereon/ssi-types'
+import { HasherSync, OriginalVerifiableCredential, PresentationSubmission, W3CVerifiablePresentation } from '@sphereon/ssi-types'
 import { VerifyCallback } from '@sphereon/wellknown-dids-client'
 import {
   IAgentContext,
@@ -122,7 +123,8 @@ export interface IOpsSendSiopAuthorizationResponseArgs {
   // verifiedAuthorizationRequest: VerifiedAuthorizationRequest
   presentationSubmission?: PresentationSubmission
   verifiablePresentations?: W3CVerifiablePresentation[]
-  hasher?: Hasher
+  dcqlResponse?: DcqlResponseOpts
+  hasher?: HasherSync
   isFirstParty?: boolean
 }
 
@@ -160,7 +162,7 @@ export interface IOPOptions {
   presentationSignCallback?: PresentationSignCallback
 
   resolveOpts?: ResolveOpts
-  hasher?: Hasher
+  hasher?: HasherSync
 }
 
 /*
@@ -183,19 +185,30 @@ export interface VerifiablePresentationWithDefinition extends VerifiablePresenta
 
 export interface IOpSessionGetOID4VPArgs {
   allIdentifiers?: string[]
-  hasher?: Hasher
+  hasher?: HasherSync
 }
 
 export interface IOID4VPArgs {
   session: OpSession
   allIdentifiers?: string[]
-  hasher?: Hasher
+  hasher?: HasherSync
 }
 
 export interface IGetPresentationExchangeArgs {
   verifiableCredentials: OriginalVerifiableCredential[]
   allIdentifiers?: string[]
-  hasher?: Hasher
-}
+  hasher?: HasherSync
+}
+
+// It was added here because it's not exported from DCQL anymore
+export type Json =
+  | string
+  | number
+  | boolean
+  | null
+  | {
+      [key: string]: Json
+    }
+  | Json[]
 
 export const DEFAULT_JWT_PROOF_TYPE = 'JwtProof2020'

package/src/types/siop-service/index.ts

@@ -1,7 +1,8 @@
 import {
   PresentationDefinitionWithLocation,
   PresentationSignCallback,
-  RPRegistrationMetadataPayload, VerifiedAuthorizationRequest
+  RPRegistrationMetadataPayload,
+  VerifiedAuthorizationRequest,
 } from '@sphereon/did-auth-siop'
 import { IIdentifierResolution, ManagedIdentifierOptsOrResult } from '@sphereon/ssi-sdk-ext.identifier-resolution'
 import { IContactManager } from '@sphereon/ssi-sdk.contact-manager'
@@ -11,14 +12,15 @@ import { IIssuanceBranding } from '@sphereon/ssi-sdk.issuance-branding'
 import { IAgentContext, IDIDManager, IIdentifier, IResolver } from '@veramo/core'
 import { IDidAuthSiopOpAuthenticator } from '../IDidAuthSiopOpAuthenticator'
 import { Siopv2MachineContext, Siopv2MachineInterpreter, Siopv2MachineState } from '../machine'
-import { Hasher } from '@sphereon/ssi-types'
+import { DcqlQuery } from 'dcql'
+import { HasherSync } from '@sphereon/ssi-types'
 
 export type DidAuthSiopOpAuthenticatorOptions = {
   presentationSignCallback?: PresentationSignCallback
   customApprovals?: Record<string, (verifiedAuthorizationRequest: VerifiedAuthorizationRequest, sessionId: string) => Promise<void>>
   onContactIdentityCreated?: (args: OnContactIdentityCreatedArgs) => Promise<void>
   onIdentifierCreated?: (args: OnIdentifierCreatedArgs) => Promise<void>
-  hasher?: Hasher
+  hasher?: HasherSync
 }
 
 export type GetMachineArgs = {
@@ -29,14 +31,14 @@ export type GetMachineArgs = {
 
 export type CreateConfigArgs = { url: string }
 export type CreateConfigResult = Omit<DidAuthConfig, 'stateId' | 'idOpts'>
-export type GetSiopRequestArgs = { didAuthConfig?: Omit<DidAuthConfig, 'identifier'>, url: string }
+export type GetSiopRequestArgs = { didAuthConfig?: Omit<DidAuthConfig, 'identifier'>; url: string }
 // FIXME it would be nicer if these function are not tied to a certain machine so that we can start calling them for anywhere
 export type RetrieveContactArgs = Pick<Siopv2MachineContext, 'url' | 'authorizationRequestData'>
 // FIXME it would be nicer if these function are not tied to a certain machine so that we can start calling them for anywhere
 export type AddIdentityArgs = Pick<Siopv2MachineContext, 'contact' | 'authorizationRequestData'>
 export type SendResponseArgs = {
-  didAuthConfig?: Omit<DidAuthConfig, 'identifier'>,
-  authorizationRequestData?: Siopv2AuthorizationRequestData,
+  didAuthConfig?: Omit<DidAuthConfig, 'identifier'>
+  authorizationRequestData?: Siopv2AuthorizationRequestData
   selectedCredentials: Array<UniqueDigitalCredential>
   idOpts?: ManagedIdentifierOptsOrResult
   isFirstParty?: boolean
@@ -68,6 +70,7 @@ export type Siopv2AuthorizationRequestData = {
   uri?: URL
   clientId?: string
   presentationDefinitions?: PresentationDefinitionWithLocation[]
+  dcqlQuery?: DcqlQuery
 }
 
 export type SelectableCredentialsMap = Map<string, Array<SelectableCredential>>

package/src/utils/CredentialUtils.ts

@@ -0,0 +1,71 @@
+import { CredentialMapper, HasherSync, ICredential, IVerifiableCredential, OriginalVerifiableCredential } from '@sphereon/ssi-types'
+import { VerifiableCredential } from '@veramo/core'
+import { UniqueDigitalCredential } from '@sphereon/ssi-sdk.credential-store'
+
+/**
+ * Return the type(s) of a VC minus the VerifiableCredential type which should always be present
+ * @param credential The input credential
+ */
+export const getCredentialTypeAsString = (credential: ICredential | VerifiableCredential): string => {
+  if (!credential.type) {
+    return 'Verifiable Credential'
+  } else if (typeof credential.type === 'string') {
+    return credential.type
+  }
+  return credential.type.filter((type: string): boolean => type !== 'VerifiableCredential').join(', ')
+}
+
+/**
+ * Returns a Unique Verifiable Credential (with hash) as stored in Veramo, based upon matching the id of the input VC or the proof value of the input VC
+ * @param uniqueVCs The Unique VCs to search in
+ * @param searchVC The VC to search for in the unique VCs array
+ */
+export const getMatchingUniqueDigitalCredential = (
+  uniqueVCs: UniqueDigitalCredential[],
+  searchVC: OriginalVerifiableCredential,
+): UniqueDigitalCredential | undefined => {
+  // Since an ID is optional in a VC according to VCDM, and we really need the matches, we have a fallback match on something which is guaranteed to be unique for any VC (the proof(s))
+  return uniqueVCs.find(
+    (uniqueVC: UniqueDigitalCredential) =>
+      (typeof searchVC !== 'string' &&
+        (uniqueVC.id === (<IVerifiableCredential>searchVC).id ||
+          (uniqueVC.originalVerifiableCredential as VerifiableCredential).proof === (<IVerifiableCredential>searchVC).proof)) ||
+      (typeof searchVC === 'string' && (uniqueVC.uniformVerifiableCredential as VerifiableCredential)?.proof?.jwt === searchVC) ||
+      // We are ignoring the signature of the sd-jwt as PEX signs the vc again and it will not match anymore with the jwt in the proof of the stored jsonld vc
+      (typeof searchVC === 'string' &&
+        CredentialMapper.isSdJwtEncoded(searchVC) &&
+        uniqueVC.uniformVerifiableCredential?.proof &&
+        'jwt' in uniqueVC.uniformVerifiableCredential.proof &&
+        uniqueVC.uniformVerifiableCredential.proof.jwt?.split('.')?.slice(0, 2)?.join('.') === searchVC.split('.')?.slice(0, 2)?.join('.')),
+  )
+}
+
+type InputCredential = UniqueDigitalCredential | VerifiableCredential | ICredential | OriginalVerifiableCredential
+
+/**
+ * Get an original verifiable credential. Maps to wrapped Verifiable Credential first, to get an original JWT as Veramo stores these with a special proof value
+ * @param credential The input VC
+ */
+
+export const getOriginalVerifiableCredential = (credential: InputCredential): OriginalVerifiableCredential => {
+  if (isUniqueDigitalCredential(credential)) {
+    if (!credential.originalVerifiableCredential) {
+      throw new Error('originalVerifiableCredential is not defined in UniqueDigitalCredential')
+    }
+    return getCredentialFromProofOrWrapped(credential.originalVerifiableCredential)
+  }
+
+  return getCredentialFromProofOrWrapped(credential)
+}
+
+const getCredentialFromProofOrWrapped = (cred: any, hasher?: HasherSync): OriginalVerifiableCredential => {
+  if (typeof cred === 'object' && 'proof' in cred && 'jwt' in cred.proof && CredentialMapper.isSdJwtEncoded(cred.proof.jwt)) {
+    return cred.proof.jwt
+  }
+
+  return CredentialMapper.toWrappedVerifiableCredential(cred as OriginalVerifiableCredential, { hasher }).original
+}
+
+export const isUniqueDigitalCredential = (credential: InputCredential): credential is UniqueDigitalCredential => {
+  return (credential as UniqueDigitalCredential).digitalCredential !== undefined
+}

package/src/utils/dcql.ts

@@ -0,0 +1,36 @@
+import { UniqueDigitalCredential } from '@sphereon/ssi-sdk.credential-store'
+import { DcqlCredential, DcqlSdJwtVcCredential, DcqlW3cVcCredential } from 'dcql'
+import { CredentialMapper, HasherSync, OriginalVerifiableCredential } from '@sphereon/ssi-types'
+import { isUniqueDigitalCredential } from './CredentialUtils'
+
+export function convertToDcqlCredentials(credential: UniqueDigitalCredential | OriginalVerifiableCredential, hasher?: HasherSync): DcqlCredential {
+  let payload
+  if (isUniqueDigitalCredential(credential)) {
+    if (!credential.originalVerifiableCredential) {
+      throw new Error('originalVerifiableCredential is not defined in UniqueDigitalCredential')
+    }
+    payload = CredentialMapper.decodeVerifiableCredential(credential.originalVerifiableCredential, hasher)
+  } else {
+    payload = CredentialMapper.decodeVerifiableCredential(credential as OriginalVerifiableCredential, hasher)
+  }
+
+  if (!payload) {
+    throw new Error('No payload found')
+  }
+
+  if ('decodedPayload' in payload && payload.decodedPayload) {
+    payload = payload.decodedPayload
+  }
+
+  if ('vct' in payload!) {
+    return { vct: payload.vct, claims: payload, credential_format: 'vc+sd-jwt' } satisfies DcqlSdJwtVcCredential // TODO dc+sd-jwt support?
+  } else if ('docType' in payload! && 'namespaces' in payload) {
+    // mdoc
+    return { docType: payload.docType, namespaces: payload.namespaces, claims: payload }
+  } else {
+    return {
+      claims: payload,
+      credential_format: 'jwt_vc_json', // TODO jwt_vc_json-ld support
+    } as DcqlW3cVcCredential
+  }
+}

package/dist/agent/DidAuthSiopOpAuthenticator.d.ts

@@ -1,31 +0,0 @@
-import { IAgentPlugin } from '@veramo/core';
-import { DidAuthSiopOpAuthenticatorOptions, RequiredContext } from '../index';
-import { IDidAuthSiopOpAuthenticator } from '../types';
-export declare const didAuthSiopOpAuthenticatorMethods: Array<string>;
-export declare class DidAuthSiopOpAuthenticator implements IAgentPlugin {
-    readonly schema: any;
-    readonly methods: IDidAuthSiopOpAuthenticator;
-    private readonly hasher?;
-    private readonly sessions;
-    private readonly customApprovals;
-    private readonly presentationSignCallback?;
-    private readonly onContactIdentityCreated?;
-    private readonly onIdentifierCreated?;
-    private readonly eventEmitter?;
-    constructor(options?: DidAuthSiopOpAuthenticatorOptions);
-    onEvent(event: any, context: RequiredContext): Promise<void>;
-    private siopGetOPSession;
-    private siopRegisterOPSession;
-    private siopRemoveOPSession;
-    private siopRegisterOPCustomApproval;
-    private siopRemoveOPCustomApproval;
-    private siopGetMachineInterpreter;
-    private siopCreateConfig;
-    private siopGetSiopRequest;
-    private determineCorrelationId;
-    private siopRetrieveContact;
-    private siopAddContactIdentity;
-    private siopSendResponse;
-    private siopGetSelectableCredentials;
-}
-//# sourceMappingURL=DidAuthSiopOpAuthenticator.d.ts.map

package/dist/agent/DidAuthSiopOpAuthenticator.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"DidAuthSiopOpAuthenticator.d.ts","sourceRoot":"","sources":["../../src/agent/DidAuthSiopOpAuthenticator.ts"],"names":[],"mappings":"AAWA,OAAO,EAAE,YAAY,EAAE,MAAM,cAAc,CAAA;AAE3C,OAAO,EACL,iCAAiC,EAIjC,eAAe,EAKhB,MAAM,UAAU,CAAA;AAQjB,OAAO,EAKL,2BAA2B,EAc5B,MAAM,UAAU,CAAA;AAKjB,eAAO,MAAM,iCAAiC,EAAE,KAAK,CAAC,MAAM,CAW3D,CAAA;AAED,qBAAa,0BAA2B,YAAW,YAAY;IAC7D,QAAQ,CAAC,MAAM,MAAqC;IACpD,QAAQ,CAAC,OAAO,EAAE,2BAA2B,CAc5C;IAED,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAQ;IAChC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAwB;IACjD,OAAO,CAAC,QAAQ,CAAC,eAAe,CAAkH;IAClJ,OAAO,CAAC,QAAQ,CAAC,wBAAwB,CAAC,CAA0B;IACpE,OAAO,CAAC,QAAQ,CAAC,wBAAwB,CAAC,CAAuD;IACjG,OAAO,CAAC,QAAQ,CAAC,mBAAmB,CAAC,CAAkD;IACvF,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAC,CAAc;gBAEhC,OAAO,CAAC,EAAE,iCAAiC;IAiB1C,OAAO,CAAC,KAAK,EAAE,GAAG,EAAE,OAAO,EAAE,eAAe,GAAG,OAAO,CAAC,IAAI,CAAC;YAa3D,gBAAgB;YAShB,qBAAqB;YAcrB,mBAAmB;YAInB,4BAA4B;YAQ5B,0BAA0B;YAI1B,yBAAyB;YAyBzB,gBAAgB;YAehB,kBAAkB;YA+ClB,sBAAsB;YAsBtB,mBAAmB;YAuBnB,sBAAsB;YAuCtB,gBAAgB;YAoEhB,4BAA4B;CAgB3C"}