@sphereon/ssi-sdk.siopv2-oid4vp-op-auth 0.32.1-next.54 → 0.33.1-feature.vcdm2.4

package/src/services/Siopv2MachineService.ts

@@ -2,9 +2,9 @@ import { AuthorizationRequest, SupportedVersion } from '@sphereon/did-auth-siop'
 import { IPresentationDefinition, PEX } from '@sphereon/pex'
 import { InputDescriptorV1, InputDescriptorV2, PresentationDefinitionV1, PresentationDefinitionV2 } from '@sphereon/pex-models'
 import { isOID4VCIssuerIdentifier, ManagedIdentifierOptsOrResult } from '@sphereon/ssi-sdk-ext.identifier-resolution'
-import { verifiableCredentialForRoleFilter } from '@sphereon/ssi-sdk.credential-store'
+import { UniqueDigitalCredential, verifiableCredentialForRoleFilter } from '@sphereon/ssi-sdk.credential-store'
 import { ConnectionType, CredentialRole } from '@sphereon/ssi-sdk.data-store'
-import { CredentialMapper, Hasher, Loggers, PresentationSubmission } from '@sphereon/ssi-types'
+import { CredentialMapper, HasherSync, Loggers, OriginalVerifiableCredential, PresentationSubmission } from '@sphereon/ssi-types'
 import { OID4VP, OpSession } from '../session'
 import {
   DidAgents,
@@ -19,7 +19,10 @@ import {
 } from '../types'
 import { IAgentContext, IDIDManager } from '@veramo/core'
 import { getOrCreatePrimaryIdentifier, SupportedDidMethodEnum } from '@sphereon/ssi-sdk-ext.did-utils'
-import { encodeJoseBlob } from '@sphereon/ssi-sdk.core'
+import { defaultHasher, encodeJoseBlob } from '@sphereon/ssi-sdk.core'
+import { DcqlCredential, DcqlCredentialPresentation, DcqlPresentation, DcqlQuery } from 'dcql'
+import { convertToDcqlCredentials } from '../utils/dcql'
+import { getOriginalVerifiableCredential } from '../utils/CredentialUtils'
 
 export const logger = Loggers.DEFAULT.get(LOGGER_NAMESPACE)
 
@@ -49,13 +52,14 @@ export const siopSendAuthorizationResponse = async (
     verifiableCredentialsWithDefinition?: VerifiableCredentialsWithDefinition[]
     idOpts?: ManagedIdentifierOptsOrResult
     isFirstParty?: boolean
-    hasher?: Hasher
+    hasher?: HasherSync
+    dcqlQuery?: DcqlQuery
   },
   context: RequiredContext,
 ) => {
   const { agent } = context
   const agentContext = { ...context, agent: context.agent as DidAgents }
-  let { idOpts, isFirstParty, hasher } = args
+  let { idOpts, isFirstParty, hasher = defaultHasher } = args
 
   if (connectionType !== ConnectionType.SIOPv2_OpenID4VP) {
     return Promise.reject(Error(`No supported authentication provider for type: ${connectionType}`))
@@ -125,11 +129,18 @@ export const siopSendAuthorizationResponse = async (
           break
         // TODO other implementations?
         default:
-          // Since we are using the kmsKeyRef we will find the KID regardless of the identifier. We set it for later access though
-          identifier = await session.context.agent.identifierManagedGetByKid({
-            identifier: digitalCredential.subjectCorrelationId ?? holder ?? digitalCredential.kmsKeyRef,
-            kmsKeyRef: digitalCredential.kmsKeyRef,
-          })
+          if (digitalCredential.subjectCorrelationId?.startsWith('did:') || holder?.startsWith('did:')) {
+            identifier = await session.context.agent.identifierManagedGetByDid({
+              identifier: digitalCredential.subjectCorrelationId ?? holder,
+              kmsKeyRef: digitalCredential.kmsKeyRef,
+            })
+          } else {
+            // Since we are using the kmsKeyRef we will find the KID regardless of the identifier. We set it for later access though
+            identifier = await session.context.agent.identifierManagedGetByKid({
+              identifier: digitalCredential.subjectCorrelationId ?? holder ?? digitalCredential.kmsKeyRef,
+              kmsKeyRef: digitalCredential.kmsKeyRef,
+            })
+          }
       }
     }
 
@@ -155,17 +166,116 @@ export const siopSendAuthorizationResponse = async (
 
     idOpts = presentationsAndDefs[0].idOpts
     presentationSubmission = presentationsAndDefs[0].presentationSubmission
+
+    logger.log(`Definitions and locations:`, JSON.stringify(presentationsAndDefs?.[0]?.verifiablePresentations, null, 2))
+    logger.log(`Presentation Submission:`, JSON.stringify(presentationSubmission, null, 2))
+    const mergedVerifiablePresentations = presentationsAndDefs?.flatMap((pd) => pd.verifiablePresentations) || []
+    return await session.sendAuthorizationResponse({
+      ...(presentationsAndDefs && { verifiablePresentations: mergedVerifiablePresentations }),
+      ...(presentationSubmission && { presentationSubmission }),
+      // todo: Change issuer value in case we do not use identifier. Use key.meta.jwkThumbprint then
+      responseSignerOpts: idOpts!,
+      isFirstParty,
+    })
+  } else if (request.dcqlQuery) {
+    if (args.verifiableCredentialsWithDefinition !== undefined && args.verifiableCredentialsWithDefinition !== null) {
+      const vcs = args.verifiableCredentialsWithDefinition.flatMap((vcd) => vcd.credentials)
+      const domain =
+        ((await request.authorizationRequest.getMergedProperty('client_id')) as string) ??
+        request.issuer ??
+        (request.versions.includes(SupportedVersion.JWT_VC_PRESENTATION_PROFILE_v1)
+          ? 'https://self-issued.me/v2/openid-vc'
+          : 'https://self-issued.me/v2')
+      logger.debug(`NONCE: ${session.nonce}, domain: ${domain}`)
+
+      const firstUniqueDC = vcs[0]
+      if (typeof firstUniqueDC !== 'object' || !('digitalCredential' in firstUniqueDC)) {
+        return Promise.reject(Error('SiopMachine only supports UniqueDigitalCredentials for now'))
+      }
+
+      let identifier: ManagedIdentifierOptsOrResult
+      const digitalCredential = firstUniqueDC.digitalCredential
+      const firstVC = firstUniqueDC.uniformVerifiableCredential
+      const holder = CredentialMapper.isSdJwtDecodedCredential(firstVC)
+        ? firstVC.decodedPayload.cnf?.jwk
+          ? //TODO SDK-19: convert the JWK to hex and search for the appropriate key and associated DID
+            //doesn't apply to did:jwk only, as you can represent any DID key as a JWK. So whenever you encounter a JWK it doesn't mean it had to come from a did:jwk in the system. It just can always be represented as a did:jwk
+            `did:jwk:${encodeJoseBlob(firstVC.decodedPayload.cnf?.jwk)}#0`
+          : firstVC.decodedPayload.sub
+        : Array.isArray(firstVC.credentialSubject)
+          ? firstVC.credentialSubject[0].id
+          : firstVC.credentialSubject.id
+      if (!digitalCredential.kmsKeyRef) {
+        // In case the store does not have the kmsKeyRef lets search for the holder
+
+        if (!holder) {
+          return Promise.reject(`No holder found and no kmsKeyRef in DB. Cannot determine identifier to use`)
+        }
+        try {
+          identifier = await session.context.agent.identifierManagedGet({ identifier: holder })
+        } catch (e) {
+          logger.debug(`Holder DID not found: ${holder}`)
+          throw e
+        }
+      } else if (isOID4VCIssuerIdentifier(digitalCredential.kmsKeyRef)) {
+        identifier = await session.context.agent.identifierManagedGetByOID4VCIssuer({
+          identifier: firstUniqueDC.digitalCredential.kmsKeyRef,
+        })
+      } else {
+        switch (digitalCredential.subjectCorrelationType) {
+          case 'DID':
+            identifier = await session.context.agent.identifierManagedGetByDid({
+              identifier: digitalCredential.subjectCorrelationId ?? holder,
+              kmsKeyRef: digitalCredential.kmsKeyRef,
+            })
+            break
+          // TODO other implementations?
+          default:
+            // Since we are using the kmsKeyRef we will find the KID regardless of the identifier. We set it for later access though
+            identifier = await session.context.agent.identifierManagedGetByKid({
+              identifier: digitalCredential.subjectCorrelationId ?? holder ?? digitalCredential.kmsKeyRef,
+              kmsKeyRef: digitalCredential.kmsKeyRef,
+            })
+        }
+      }
+      console.log(`Identifier`, identifier)
+
+      const dcqlRepresentations: DcqlCredential[] = []
+      vcs.forEach((vc: UniqueDigitalCredential | OriginalVerifiableCredential) => {
+        const rep = convertToDcqlCredentials(vc, args.hasher)
+        if (rep) {
+          dcqlRepresentations.push(rep)
+        }
+      })
+
+      const queryResult = DcqlQuery.query(request.dcqlQuery, dcqlRepresentations)
+      const presentation: Record<string, DcqlCredentialPresentation> = {}
+
+      for (const [key, value] of Object.entries(queryResult.credential_matches)) {
+        const allMatches = Array.isArray(value) ? value : [value]
+        allMatches.forEach((match) => {
+          if (match.success) {
+            const originalCredential = getOriginalVerifiableCredential(vcs[match.input_credential_index])
+            if (!originalCredential) {
+              throw new Error(`Index ${match.input_credential_index} out of range in credentials array`)
+            }
+            presentation[key] =
+              (originalCredential as any)['compactSdJwtVc'] !== undefined ? (originalCredential as any).compactSdJwtVc : originalCredential
+          }
+        })
+      }
+
+      const response = session.sendAuthorizationResponse({
+        responseSignerOpts: identifier,
+        ...{ dcqlQuery: { dcqlPresentation: DcqlPresentation.parse(presentation) } },
+      })
+
+      logger.debug(`Response: `, response)
+
+      return response
+    }
   }
-  logger.log(`Definitions and locations:`, JSON.stringify(presentationsAndDefs?.[0]?.verifiablePresentations, null, 2))
-  logger.log(`Presentation Submission:`, JSON.stringify(presentationSubmission, null, 2))
-  const mergedVerifiablePresentations = presentationsAndDefs?.flatMap((pd) => pd.verifiablePresentations) || []
-  return await session.sendAuthorizationResponse({
-    ...(presentationsAndDefs && { verifiablePresentations: mergedVerifiablePresentations }),
-    ...(presentationSubmission && { presentationSubmission }),
-    // todo: Change issuer value in case we do not use identifier. Use key.meta.jwkThumbprint then
-    responseSignerOpts: idOpts!,
-    isFirstParty,
-  })
+  throw Error('Presentation Definition or DCQL is required')
 }
 
 function buildPartialPD(

package/src/session/OID4VP.ts

@@ -2,15 +2,15 @@ import { PresentationDefinitionWithLocation, PresentationExchange } from '@spher
 import { SelectResults, Status, SubmissionRequirementMatch } from '@sphereon/pex'
 import { Format } from '@sphereon/pex-models'
 import {
-  isOID4VCIssuerIdentifier,
   isManagedIdentifierDidResult,
+  isOID4VCIssuerIdentifier,
   ManagedIdentifierOptsOrResult,
   ManagedIdentifierResult,
 } from '@sphereon/ssi-sdk-ext.identifier-resolution'
-import { ProofOptions } from '@sphereon/ssi-sdk.core'
+import { defaultHasher, ProofOptions } from '@sphereon/ssi-sdk.core'
 import { UniqueDigitalCredential, verifiableCredentialForRoleFilter } from '@sphereon/ssi-sdk.credential-store'
 import { CredentialRole, FindDigitalCredentialArgs } from '@sphereon/ssi-sdk.data-store'
-import { CompactJWT, Hasher, IProof, OriginalVerifiableCredential } from '@sphereon/ssi-types'
+import { CompactJWT, HasherSync, IProof, OriginalVerifiableCredential } from '@sphereon/ssi-types'
 import {
   DEFAULT_JWT_PROOF_TYPE,
   IGetPresentationExchangeArgs,
@@ -24,17 +24,17 @@ import { OpSession } from './OpSession'
 export class OID4VP {
   private readonly session: OpSession
   private readonly allIdentifiers: string[]
-  private readonly hasher?: Hasher
+  private readonly hasher?: HasherSync
 
   private constructor(args: IOID4VPArgs) {
-    const { session, allIdentifiers, hasher } = args
+    const { session, allIdentifiers, hasher = defaultHasher } = args
 
     this.session = session
     this.allIdentifiers = allIdentifiers ?? []
     this.hasher = hasher
   }
 
-  public static async init(session: OpSession, allIdentifiers: string[], hasher?: Hasher): Promise<OID4VP> {
+  public static async init(session: OpSession, allIdentifiers: string[], hasher?: HasherSync): Promise<OID4VP> {
     return new OID4VP({ session, allIdentifiers: allIdentifiers ?? (await session.getSupportedDIDs()), hasher })
   }
 
@@ -68,7 +68,7 @@ export class OID4VP {
       skipDidResolution?: boolean
       holderDID?: string
       subjectIsHolder?: boolean
-      hasher?: Hasher
+      hasher?: HasherSync
       applyFilter?: boolean
     },
   ): Promise<VerifiablePresentationWithDefinition[]> {
@@ -88,7 +88,7 @@ export class OID4VP {
       holder?: string
       subjectIsHolder?: boolean
       applyFilter?: boolean
-      hasher?: Hasher
+      hasher?: HasherSync
     },
   ): Promise<VerifiablePresentationWithDefinition> {
     const { subjectIsHolder, holder, forceNoCredentialsInVP = false } = { ...opts }

package/src/session/OpSession.ts

@@ -20,7 +20,7 @@ import { encodeBase64url } from '@sphereon/ssi-sdk.core'
 import {
   CompactSdJwtVc,
   CredentialMapper,
-  Hasher,
+  HasherSync,
   OriginalVerifiableCredential,
   parseDid,
   PresentationSubmission,
@@ -293,8 +293,8 @@ export class OpSession {
         .jwtEncryptJweCompactJwt({
           recipientKey,
           protectedHeader: {},
-          alg: requestObjectPayload.client_metadata.authorization_encrypted_response_alg as JweAlg | undefined ?? 'ECDH-ES',
-          enc: requestObjectPayload.client_metadata.authorization_encrypted_response_enc as JweEnc | undefined ?? 'A256GCM',
+          alg: (requestObjectPayload.client_metadata.authorization_encrypted_response_alg as JweAlg | undefined) ?? 'ECDH-ES',
+          enc: (requestObjectPayload.client_metadata.authorization_encrypted_response_enc as JweEnc | undefined) ?? 'A256GCM',
           apv: encodeBase64url(opts.requestObjectPayload.nonce),
           apu: encodeBase64url(v4()),
           payload: authResponse,
@@ -367,6 +367,7 @@ export class OpSession {
           presentationSubmission: args.presentationSubmission,
         } as PresentationExchangeResponseOpts,
       }),
+      dcqlQuery: args.dcqlResponse,
     }
 
     const authResponse = await op.createAuthorizationResponse(request, responseOpts)
@@ -379,7 +380,7 @@ export class OpSession {
     }
   }
 
-  private countVCsInAllVPs(verifiablePresentations: W3CVerifiablePresentation[], hasher?: Hasher) {
+  private countVCsInAllVPs(verifiablePresentations: W3CVerifiablePresentation[], hasher?: HasherSync) {
     return verifiablePresentations.reduce((sum, vp) => {
       if (CredentialMapper.isMsoMdocDecodedPresentation(vp) || CredentialMapper.isMsoMdocOid4VPEncoded(vp)) {
         return sum + 1

package/src/types/IDidAuthSiopOpAuthenticator.ts

@@ -1,4 +1,5 @@
 import {
+  DcqlResponseOpts,
   PresentationDefinitionWithLocation,
   PresentationSignCallback,
   ResponseMode,
@@ -18,7 +19,7 @@ import { ICredentialStore, UniqueDigitalCredential } from '@sphereon/ssi-sdk.cre
 import { Party } from '@sphereon/ssi-sdk.data-store'
 import { IPDManager } from '@sphereon/ssi-sdk.pd-manager'
 import { ISDJwtPlugin } from '@sphereon/ssi-sdk.sd-jwt'
-import { Hasher, OriginalVerifiableCredential, PresentationSubmission, W3CVerifiablePresentation } from '@sphereon/ssi-types'
+import { HasherSync, OriginalVerifiableCredential, PresentationSubmission, W3CVerifiablePresentation } from '@sphereon/ssi-types'
 import { VerifyCallback } from '@sphereon/wellknown-dids-client'
 import {
   IAgentContext,
@@ -122,7 +123,8 @@ export interface IOpsSendSiopAuthorizationResponseArgs {
   // verifiedAuthorizationRequest: VerifiedAuthorizationRequest
   presentationSubmission?: PresentationSubmission
   verifiablePresentations?: W3CVerifiablePresentation[]
-  hasher?: Hasher
+  dcqlResponse?: DcqlResponseOpts
+  hasher?: HasherSync
   isFirstParty?: boolean
 }
 
@@ -160,7 +162,7 @@ export interface IOPOptions {
   presentationSignCallback?: PresentationSignCallback
 
   resolveOpts?: ResolveOpts
-  hasher?: Hasher
+  hasher?: HasherSync
 }
 
 /*
@@ -183,19 +185,30 @@ export interface VerifiablePresentationWithDefinition extends VerifiablePresenta
 
 export interface IOpSessionGetOID4VPArgs {
   allIdentifiers?: string[]
-  hasher?: Hasher
+  hasher?: HasherSync
 }
 
 export interface IOID4VPArgs {
   session: OpSession
   allIdentifiers?: string[]
-  hasher?: Hasher
+  hasher?: HasherSync
 }
 
 export interface IGetPresentationExchangeArgs {
   verifiableCredentials: OriginalVerifiableCredential[]
   allIdentifiers?: string[]
-  hasher?: Hasher
-}
+  hasher?: HasherSync
+}
+
+// It was added here because it's not exported from DCQL anymore
+export type Json =
+  | string
+  | number
+  | boolean
+  | null
+  | {
+      [key: string]: Json
+    }
+  | Json[]
 
 export const DEFAULT_JWT_PROOF_TYPE = 'JwtProof2020'

package/src/types/siop-service/index.ts

@@ -1,7 +1,8 @@
 import {
   PresentationDefinitionWithLocation,
   PresentationSignCallback,
-  RPRegistrationMetadataPayload, VerifiedAuthorizationRequest
+  RPRegistrationMetadataPayload,
+  VerifiedAuthorizationRequest,
 } from '@sphereon/did-auth-siop'
 import { IIdentifierResolution, ManagedIdentifierOptsOrResult } from '@sphereon/ssi-sdk-ext.identifier-resolution'
 import { IContactManager } from '@sphereon/ssi-sdk.contact-manager'
@@ -11,14 +12,15 @@ import { IIssuanceBranding } from '@sphereon/ssi-sdk.issuance-branding'
 import { IAgentContext, IDIDManager, IIdentifier, IResolver } from '@veramo/core'
 import { IDidAuthSiopOpAuthenticator } from '../IDidAuthSiopOpAuthenticator'
 import { Siopv2MachineContext, Siopv2MachineInterpreter, Siopv2MachineState } from '../machine'
-import { Hasher } from '@sphereon/ssi-types'
+import { DcqlQuery } from 'dcql'
+import { HasherSync } from '@sphereon/ssi-types'
 
 export type DidAuthSiopOpAuthenticatorOptions = {
   presentationSignCallback?: PresentationSignCallback
   customApprovals?: Record<string, (verifiedAuthorizationRequest: VerifiedAuthorizationRequest, sessionId: string) => Promise<void>>
   onContactIdentityCreated?: (args: OnContactIdentityCreatedArgs) => Promise<void>
   onIdentifierCreated?: (args: OnIdentifierCreatedArgs) => Promise<void>
-  hasher?: Hasher
+  hasher?: HasherSync
 }
 
 export type GetMachineArgs = {
@@ -29,14 +31,14 @@ export type GetMachineArgs = {
 
 export type CreateConfigArgs = { url: string }
 export type CreateConfigResult = Omit<DidAuthConfig, 'stateId' | 'idOpts'>
-export type GetSiopRequestArgs = { didAuthConfig?: Omit<DidAuthConfig, 'identifier'>, url: string }
+export type GetSiopRequestArgs = { didAuthConfig?: Omit<DidAuthConfig, 'identifier'>; url: string }
 // FIXME it would be nicer if these function are not tied to a certain machine so that we can start calling them for anywhere
 export type RetrieveContactArgs = Pick<Siopv2MachineContext, 'url' | 'authorizationRequestData'>
 // FIXME it would be nicer if these function are not tied to a certain machine so that we can start calling them for anywhere
 export type AddIdentityArgs = Pick<Siopv2MachineContext, 'contact' | 'authorizationRequestData'>
 export type SendResponseArgs = {
-  didAuthConfig?: Omit<DidAuthConfig, 'identifier'>,
-  authorizationRequestData?: Siopv2AuthorizationRequestData,
+  didAuthConfig?: Omit<DidAuthConfig, 'identifier'>
+  authorizationRequestData?: Siopv2AuthorizationRequestData
   selectedCredentials: Array<UniqueDigitalCredential>
   idOpts?: ManagedIdentifierOptsOrResult
   isFirstParty?: boolean
@@ -68,6 +70,7 @@ export type Siopv2AuthorizationRequestData = {
   uri?: URL
   clientId?: string
   presentationDefinitions?: PresentationDefinitionWithLocation[]
+  dcqlQuery?: DcqlQuery
 }
 
 export type SelectableCredentialsMap = Map<string, Array<SelectableCredential>>

package/src/utils/CredentialUtils.ts

@@ -0,0 +1,71 @@
+import { CredentialMapper, HasherSync, ICredential, IVerifiableCredential, OriginalVerifiableCredential } from '@sphereon/ssi-types'
+import { VerifiableCredential } from '@veramo/core'
+import { UniqueDigitalCredential } from '@sphereon/ssi-sdk.credential-store'
+
+/**
+ * Return the type(s) of a VC minus the VerifiableCredential type which should always be present
+ * @param credential The input credential
+ */
+export const getCredentialTypeAsString = (credential: ICredential | VerifiableCredential): string => {
+  if (!credential.type) {
+    return 'Verifiable Credential'
+  } else if (typeof credential.type === 'string') {
+    return credential.type
+  }
+  return credential.type.filter((type: string): boolean => type !== 'VerifiableCredential').join(', ')
+}
+
+/**
+ * Returns a Unique Verifiable Credential (with hash) as stored in Veramo, based upon matching the id of the input VC or the proof value of the input VC
+ * @param uniqueVCs The Unique VCs to search in
+ * @param searchVC The VC to search for in the unique VCs array
+ */
+export const getMatchingUniqueDigitalCredential = (
+  uniqueVCs: UniqueDigitalCredential[],
+  searchVC: OriginalVerifiableCredential,
+): UniqueDigitalCredential | undefined => {
+  // Since an ID is optional in a VC according to VCDM, and we really need the matches, we have a fallback match on something which is guaranteed to be unique for any VC (the proof(s))
+  return uniqueVCs.find(
+    (uniqueVC: UniqueDigitalCredential) =>
+      (typeof searchVC !== 'string' &&
+        (uniqueVC.id === (<IVerifiableCredential>searchVC).id ||
+          (uniqueVC.originalVerifiableCredential as VerifiableCredential).proof === (<IVerifiableCredential>searchVC).proof)) ||
+      (typeof searchVC === 'string' && (uniqueVC.uniformVerifiableCredential as VerifiableCredential)?.proof?.jwt === searchVC) ||
+      // We are ignoring the signature of the sd-jwt as PEX signs the vc again and it will not match anymore with the jwt in the proof of the stored jsonld vc
+      (typeof searchVC === 'string' &&
+        CredentialMapper.isSdJwtEncoded(searchVC) &&
+        uniqueVC.uniformVerifiableCredential?.proof &&
+        'jwt' in uniqueVC.uniformVerifiableCredential.proof &&
+        uniqueVC.uniformVerifiableCredential.proof.jwt?.split('.')?.slice(0, 2)?.join('.') === searchVC.split('.')?.slice(0, 2)?.join('.')),
+  )
+}
+
+type InputCredential = UniqueDigitalCredential | VerifiableCredential | ICredential | OriginalVerifiableCredential
+
+/**
+ * Get an original verifiable credential. Maps to wrapped Verifiable Credential first, to get an original JWT as Veramo stores these with a special proof value
+ * @param credential The input VC
+ */
+
+export const getOriginalVerifiableCredential = (credential: InputCredential): OriginalVerifiableCredential => {
+  if (isUniqueDigitalCredential(credential)) {
+    if (!credential.originalVerifiableCredential) {
+      throw new Error('originalVerifiableCredential is not defined in UniqueDigitalCredential')
+    }
+    return getCredentialFromProofOrWrapped(credential.originalVerifiableCredential)
+  }
+
+  return getCredentialFromProofOrWrapped(credential)
+}
+
+const getCredentialFromProofOrWrapped = (cred: any, hasher?: HasherSync): OriginalVerifiableCredential => {
+  if (typeof cred === 'object' && 'proof' in cred && 'jwt' in cred.proof && CredentialMapper.isSdJwtEncoded(cred.proof.jwt)) {
+    return cred.proof.jwt
+  }
+
+  return CredentialMapper.toWrappedVerifiableCredential(cred as OriginalVerifiableCredential, { hasher }).original
+}
+
+export const isUniqueDigitalCredential = (credential: InputCredential): credential is UniqueDigitalCredential => {
+  return (credential as UniqueDigitalCredential).digitalCredential !== undefined
+}

package/src/utils/dcql.ts

@@ -0,0 +1,36 @@
+import { UniqueDigitalCredential } from '@sphereon/ssi-sdk.credential-store'
+import { DcqlCredential, DcqlSdJwtVcCredential, DcqlW3cVcCredential } from 'dcql'
+import { CredentialMapper, HasherSync, OriginalVerifiableCredential } from '@sphereon/ssi-types'
+import { isUniqueDigitalCredential } from './CredentialUtils'
+
+export function convertToDcqlCredentials(credential: UniqueDigitalCredential | OriginalVerifiableCredential, hasher?: HasherSync): DcqlCredential {
+  let payload
+  if (isUniqueDigitalCredential(credential)) {
+    if (!credential.originalVerifiableCredential) {
+      throw new Error('originalVerifiableCredential is not defined in UniqueDigitalCredential')
+    }
+    payload = CredentialMapper.decodeVerifiableCredential(credential.originalVerifiableCredential, hasher)
+  } else {
+    payload = CredentialMapper.decodeVerifiableCredential(credential as OriginalVerifiableCredential, hasher)
+  }
+
+  if (!payload) {
+    throw new Error('No payload found')
+  }
+
+  if ('decodedPayload' in payload && payload.decodedPayload) {
+    payload = payload.decodedPayload
+  }
+
+  if ('vct' in payload!) {
+    return { vct: payload.vct, claims: payload, credential_format: 'vc+sd-jwt' } satisfies DcqlSdJwtVcCredential // TODO dc+sd-jwt support?
+  } else if ('docType' in payload! && 'namespaces' in payload) {
+    // mdoc
+    return { docType: payload.docType, namespaces: payload.namespaces, claims: payload }
+  } else {
+    return {
+      claims: payload,
+      credential_format: 'jwt_vc_json', // TODO jwt_vc_json-ld support
+    } as DcqlW3cVcCredential
+  }
+}