@sphereon/ssi-sdk.siopv2-oid4vp-op-auth 0.34.1-feat.SSISDK.35.64 → 0.34.1-feature.DIIPv4.41

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sphereon/ssi-sdk.siopv2-oid4vp-op-auth",
-  "version": "0.34.1-feat.SSISDK.35.64+019dde38",
+  "version": "0.34.1-feature.DIIPv4.41+76a5bfab",
   "source": "src/index.ts",
   "type": "module",
   "main": "./dist/index.cjs",
@@ -26,30 +26,31 @@
     "build": "tsup --config ../../tsup.config.ts --tsconfig ../../tsconfig.tsup.json"
   },
   "dependencies": {
-    "@sphereon/did-auth-siop": "0.19.1-feat.SSISDK.34.74",
-    "@sphereon/did-auth-siop-adapter": "0.19.1-feat.SSISDK.34.74",
-    "@sphereon/oid4vc-common": "0.19.1-feat.SSISDK.34.74",
+    "@sphereon/did-auth-siop": "0.19.1-next.2",
+    "@sphereon/did-auth-siop-adapter": "0.19.1-next.2",
+    "@sphereon/oid4vc-common": "0.19.1-next.2",
+    "@sphereon/pex": "5.0.0-unstable.28",
     "@sphereon/pex-models": "^2.3.2",
-    "@sphereon/ssi-sdk-ext.did-utils": "0.34.1-feat.SSISDK.35.64+019dde38",
-    "@sphereon/ssi-sdk-ext.identifier-resolution": "0.34.1-feat.SSISDK.35.64+019dde38",
-    "@sphereon/ssi-sdk-ext.jwt-service": "0.34.1-feat.SSISDK.35.64+019dde38",
-    "@sphereon/ssi-sdk.contact-manager": "0.34.1-feat.SSISDK.35.64+019dde38",
-    "@sphereon/ssi-sdk.core": "0.34.1-feat.SSISDK.35.64+019dde38",
-    "@sphereon/ssi-sdk.credential-store": "0.34.1-feat.SSISDK.35.64+019dde38",
-    "@sphereon/ssi-sdk.credential-validation": "0.34.1-feat.SSISDK.35.64+019dde38",
-    "@sphereon/ssi-sdk.data-store": "0.34.1-feat.SSISDK.35.64+019dde38",
-    "@sphereon/ssi-sdk.issuance-branding": "0.34.1-feat.SSISDK.35.64+019dde38",
-    "@sphereon/ssi-sdk.pd-manager": "0.34.1-feat.SSISDK.35.64+019dde38",
-    "@sphereon/ssi-sdk.presentation-exchange": "0.34.1-feat.SSISDK.35.64+019dde38",
-    "@sphereon/ssi-sdk.sd-jwt": "0.34.1-feat.SSISDK.35.64+019dde38",
-    "@sphereon/ssi-sdk.siopv2-oid4vp-common": "0.34.1-feat.SSISDK.35.64+019dde38",
-    "@sphereon/ssi-sdk.xstate-machine-persistence": "0.34.1-feat.SSISDK.35.64+019dde38",
-    "@sphereon/ssi-types": "0.34.1-feat.SSISDK.35.64+019dde38",
+    "@sphereon/ssi-sdk-ext.did-utils": "0.34.1-feature.DIIPv4.41+76a5bfab",
+    "@sphereon/ssi-sdk-ext.identifier-resolution": "0.34.1-feature.DIIPv4.41+76a5bfab",
+    "@sphereon/ssi-sdk-ext.jwt-service": "0.34.1-feature.DIIPv4.41+76a5bfab",
+    "@sphereon/ssi-sdk.contact-manager": "0.34.1-feature.DIIPv4.41+76a5bfab",
+    "@sphereon/ssi-sdk.core": "0.34.1-feature.DIIPv4.41+76a5bfab",
+    "@sphereon/ssi-sdk.credential-store": "0.34.1-feature.DIIPv4.41+76a5bfab",
+    "@sphereon/ssi-sdk.credential-validation": "0.34.1-feature.DIIPv4.41+76a5bfab",
+    "@sphereon/ssi-sdk.data-store": "0.34.1-feature.DIIPv4.41+76a5bfab",
+    "@sphereon/ssi-sdk.issuance-branding": "0.34.1-feature.DIIPv4.41+76a5bfab",
+    "@sphereon/ssi-sdk.pd-manager": "0.34.1-feature.DIIPv4.41+76a5bfab",
+    "@sphereon/ssi-sdk.presentation-exchange": "0.34.1-feature.DIIPv4.41+76a5bfab",
+    "@sphereon/ssi-sdk.sd-jwt": "0.34.1-feature.DIIPv4.41+76a5bfab",
+    "@sphereon/ssi-sdk.siopv2-oid4vp-common": "0.34.1-feature.DIIPv4.41+76a5bfab",
+    "@sphereon/ssi-sdk.xstate-machine-persistence": "0.34.1-feature.DIIPv4.41+76a5bfab",
+    "@sphereon/ssi-types": "0.34.1-feature.DIIPv4.41+76a5bfab",
     "@sphereon/wellknown-dids-client": "^0.1.3",
     "@veramo/core": "4.2.0",
     "@veramo/credential-w3c": "4.2.0",
-    "cross-fetch": "^4.1.0",
-    "dcql": "1.0.1",
+    "cross-fetch": "^3.1.8",
+    "dcql": "0.2.19",
     "did-jwt-vc": "3.1.3",
     "i18n-js": "^3.9.2",
     "lodash.memoize": "^4.1.2",
@@ -58,8 +59,8 @@
   },
   "devDependencies": {
     "@sphereon/did-uni-client": "^0.6.3",
-    "@sphereon/ssi-sdk-ext.did-resolver-jwk": "0.34.1-feat.SSISDK.35.64+019dde38",
-    "@sphereon/ssi-sdk.agent-config": "0.34.1-feat.SSISDK.35.64+019dde38",
+    "@sphereon/ssi-sdk-ext.did-resolver-jwk": "0.34.1-feature.DIIPv4.41+76a5bfab",
+    "@sphereon/ssi-sdk.agent-config": "0.34.1-feature.DIIPv4.41+76a5bfab",
     "@types/i18n-js": "^3.8.9",
     "@types/lodash.memoize": "^4.1.9",
     "@types/sha.js": "^2.4.4",
@@ -101,5 +102,5 @@
     "OpenID Connect",
     "Authenticator"
   ],
-  "gitHead": "019dde38f18f2d6c32621ecfe6e7ad9477c51c32"
+  "gitHead": "76a5bfabd8c8feb79b3ac823f19f5bc91e5bce3e"
 }

package/src/agent/DidAuthSiopOpAuthenticator.ts

@@ -1,20 +1,23 @@
-import {
-  decodeUriAsJson,
-  PresentationSignCallback,
-  VerifiedAuthorizationRequest } from '@sphereon/did-auth-siop'
+import { decodeUriAsJson, PresentationSignCallback, SupportedVersion, VerifiedAuthorizationRequest } from '@sphereon/did-auth-siop'
 import {
   ConnectionType,
   CorrelationIdentifierType,
+  CredentialDocumentFormat,
   CredentialRole,
+  DocumentType,
   Identity,
   IdentityOrigin,
   NonPersistedIdentity,
   Party,
 } from '@sphereon/ssi-sdk.data-store'
-import { HasherSync, Loggers } from '@sphereon/ssi-types'
+import { HasherSync, Loggers, SdJwtDecodedVerifiableCredential } from '@sphereon/ssi-types'
 import { IAgentPlugin } from '@veramo/core'
 import { v4 as uuidv4 } from 'uuid'
+
 import { OpSession } from '../session'
+import { PEX, Status } from '@sphereon/pex'
+import { computeEntryHash } from '@veramo/utils'
+import { UniqueDigitalCredential } from '@sphereon/ssi-sdk.credential-store'
 import { EventEmitter } from 'events'
 import {
   DidAuthSiopOpAuthenticatorOptions,
@@ -26,11 +29,14 @@ import {
   IRemoveCustomApprovalForSiopArgs,
   IRemoveSiopSessionArgs,
   IRequiredContext,
+  Json,
   LOGGER_NAMESPACE,
   RequiredContext,
   SelectableCredentialsMap,
   Siopv2AuthorizationResponseData,
+  VerifiableCredentialsWithDefinition,
 } from '../types'
+
 import {
   AddIdentityArgs,
   CreateConfigArgs,
@@ -45,6 +51,7 @@ import {
   Siopv2Machine as Siopv2MachineId,
   Siopv2MachineInstanceOpts,
 } from '../types'
+import { DcqlCredential, DcqlPresentation, DcqlQuery, DcqlSdJwtVcCredential } from 'dcql'
 import { Siopv2Machine } from '../machine/Siopv2Machine'
 import { getSelectableCredentials, siopSendAuthorizationResponse, translateCorrelationIdToName } from '../services/Siopv2MachineService'
 import { schema } from '..'
@@ -92,18 +99,12 @@ export class DidAuthSiopOpAuthenticator implements IAgentPlugin {
   private readonly hasher?: HasherSync
 
   constructor(options?: DidAuthSiopOpAuthenticatorOptions) {
-    const {
-      onContactIdentityCreated,
-      onIdentifierCreated,
-      hasher,
-      customApprovals = {},
-      presentationSignCallback
-    } = { ...options }
+    const { onContactIdentityCreated, onIdentifierCreated, hasher, customApprovals = {}, presentationSignCallback } = { ...options }
 
     this.hasher = hasher
     this.onContactIdentityCreated = onContactIdentityCreated
     this.onIdentifierCreated = onIdentifierCreated
-    this.presentationSignCallback = presentationSignCallback // TODO do we still need this?
+    this.presentationSignCallback = presentationSignCallback
     this.sessions = new Map<string, OpSession>()
     this.customApprovals = customApprovals
   }
@@ -233,7 +234,7 @@ export class DidAuthSiopOpAuthenticator implements IAgentPlugin {
         : (verifiedAuthorizationRequest.issuer ?? verifiedAuthorizationRequest.registrationMetadataPayload?.client_id))
     const uri: URL | undefined = url.includes('://') ? new URL(url) : undefined
     const correlationId: string = uri?.hostname ?? (await this.determineCorrelationId(uri, verifiedAuthorizationRequest, clientName, context))
-    const clientId: string | undefined = verifiedAuthorizationRequest.authorizationRequest.getMergedProperty<string>('client_id')
+    const clientId: string | undefined = await verifiedAuthorizationRequest.authorizationRequest.getMergedProperty<string>('client_id')
 
     return {
       issuer: verifiedAuthorizationRequest.issuer,
@@ -242,6 +243,13 @@ export class DidAuthSiopOpAuthenticator implements IAgentPlugin {
       uri,
       name: clientName,
       clientId,
+      presentationDefinitions:
+        (await verifiedAuthorizationRequest.authorizationRequest.containsResponseType('vp_token')) ||
+        (verifiedAuthorizationRequest.versions.every((version) => version <= SupportedVersion.JWT_VC_PRESENTATION_PROFILE_v1) &&
+          verifiedAuthorizationRequest.presentationDefinitions &&
+          verifiedAuthorizationRequest.presentationDefinitions.length > 0)
+          ? verifiedAuthorizationRequest.presentationDefinitions
+          : undefined,
       dcqlQuery: verifiedAuthorizationRequest.dcqlQuery,
     }
   }
@@ -341,14 +349,87 @@ export class DidAuthSiopOpAuthenticator implements IAgentPlugin {
       return Promise.reject(Error('Missing authorization request data in context'))
     }
 
+    const pex = new PEX({ hasher: this.hasher })
+    const verifiableCredentialsWithDefinition: Array<VerifiableCredentialsWithDefinition> = []
+    const dcqlCredentialsWithCredentials: Map<DcqlCredential, UniqueDigitalCredential> = new Map()
+
+    if (Array.isArray(authorizationRequestData.presentationDefinitions) && authorizationRequestData?.presentationDefinitions.length > 0) {
+      try {
+        authorizationRequestData.presentationDefinitions?.forEach((presentationDefinition) => {
+          const { areRequiredCredentialsPresent, verifiableCredential: verifiableCredentials } = pex.selectFrom(
+            presentationDefinition.definition,
+            selectedCredentials.map((udc) => udc.originalVerifiableCredential!),
+          )
+
+          if (areRequiredCredentialsPresent !== Status.ERROR && verifiableCredentials) {
+            let uniqueDigitalCredentials: UniqueDigitalCredential[] = []
+            uniqueDigitalCredentials = verifiableCredentials.map((vc) => {
+              // @ts-ignore FIXME Funke
+              const hash = typeof vc === 'string' ? computeEntryHash(vc.split('~'[0])) : computeEntryHash(vc)
+              const udc = selectedCredentials.find((udc) => udc.hash == hash || udc.originalVerifiableCredential == vc)
+
+              if (!udc) {
+                throw Error(
+                  `UniqueDigitalCredential could not be found in store. Either the credential is not present in the store or the hash is not correct.`,
+                )
+              }
+              return udc
+            })
+            verifiableCredentialsWithDefinition.push({
+              definition: presentationDefinition,
+              credentials: uniqueDigitalCredentials,
+            })
+          }
+        })
+      } catch (e) {
+        return Promise.reject(e)
+      }
+
+      if (verifiableCredentialsWithDefinition.length === 0) {
+        return Promise.reject(Error('None of the selected credentials match any of the presentation definitions.'))
+      }
+    } else if (authorizationRequestData.dcqlQuery) {
+      //TODO Only SD-JWT and MSO MDOC are supported at the moment
+      if (this.hasMDocCredentials(selectedCredentials) || this.hasSdJwtCredentials(selectedCredentials)) {
+        try {
+          selectedCredentials.forEach((vc) => {
+            if (this.isSdJwtCredential(vc)) {
+              const payload = (vc.originalVerifiableCredential as SdJwtDecodedVerifiableCredential).decodedPayload
+              const result: DcqlSdJwtVcCredential = {
+                claims: payload as { [x: string]: Json },
+                vct: payload.vct,
+                credential_format: 'vc+sd-jwt',
+              }
+              dcqlCredentialsWithCredentials.set(result, vc)
+              //FIXME MDoc namespaces are incompatible: array of strings vs complex object - https://sphereon.atlassian.net/browse/SPRIND-143
+            } else {
+              throw Error(`Invalid credential format: ${vc.digitalCredential.documentFormat}`)
+            }
+          })
+        } catch (e) {
+          return Promise.reject(e)
+        }
+
+        const dcqlPresentationRecord: DcqlPresentation.Output = {}
+        const queryResult = DcqlQuery.query(authorizationRequestData.dcqlQuery, Array.from(dcqlCredentialsWithCredentials.keys()))
+        for (const [key, value] of Object.entries(queryResult.credential_matches)) {
+          if (value.success) {
+            dcqlPresentationRecord[key] = this.retrieveEncodedCredential(dcqlCredentialsWithCredentials.get(value.output)!) as
+              | string
+              | { [x: string]: Json }
+          }
+        }
+      }
+    }
+
     const response = await siopSendAuthorizationResponse(
       ConnectionType.SIOPv2_OpenID4VP,
       {
         sessionId: didAuthConfig.sessionId,
         ...(args.idOpts && { idOpts: args.idOpts }),
+        ...(authorizationRequestData.presentationDefinitions !== undefined && { verifiableCredentialsWithDefinition }),
         isFirstParty,
         hasher: this.hasher,
-        credentials: selectedCredentials,
       },
       context,
     )
@@ -368,13 +449,50 @@ export class DidAuthSiopOpAuthenticator implements IAgentPlugin {
     }
   }
 
+  private hasMDocCredentials = (credentials: UniqueDigitalCredential[]): boolean => {
+    return credentials.some(this.isMDocCredential)
+  }
+
+  private isMDocCredential = (credential: UniqueDigitalCredential) => {
+    return (
+      credential.digitalCredential.documentFormat === CredentialDocumentFormat.MSO_MDOC &&
+      credential.digitalCredential.documentType === DocumentType.VC
+    )
+  }
+
+  private hasSdJwtCredentials = (credentials: UniqueDigitalCredential[]): boolean => {
+    return credentials.some(this.isSdJwtCredential)
+  }
+
+  private isSdJwtCredential = (credential: UniqueDigitalCredential) => {
+    return (
+      credential.digitalCredential.documentFormat === CredentialDocumentFormat.SD_JWT && credential.digitalCredential.documentType === DocumentType.VC
+    )
+  }
+
+  private retrieveEncodedCredential = (credential: UniqueDigitalCredential) => {
+    return credential.originalVerifiableCredential !== undefined &&
+      credential.originalVerifiableCredential !== null &&
+      (credential?.originalVerifiableCredential as SdJwtDecodedVerifiableCredential)?.compactSdJwtVc !== undefined &&
+      (credential?.originalVerifiableCredential as SdJwtDecodedVerifiableCredential)?.compactSdJwtVc !== null
+      ? (credential.originalVerifiableCredential as SdJwtDecodedVerifiableCredential).compactSdJwtVc
+      : credential.originalVerifiableCredential
+  }
+
   private async siopGetSelectableCredentials(args: GetSelectableCredentialsArgs, context: RequiredContext): Promise<SelectableCredentialsMap> {
     const { authorizationRequestData } = args
 
-    if (!authorizationRequestData?.dcqlQuery) {
-      return Promise.reject(Error('Missing required dcql query in context'))
+    if (
+      !authorizationRequestData ||
+      !authorizationRequestData.presentationDefinitions ||
+      authorizationRequestData.presentationDefinitions.length === 0
+    ) {
+      return Promise.reject(Error('Missing required fields in arguments or context'))
+    }
+    if (authorizationRequestData.presentationDefinitions.length > 1) {
+      return Promise.reject(Error('Multiple presentation definitions present'))
     }
 
-    return getSelectableCredentials(authorizationRequestData?.dcqlQuery, context)
+    return getSelectableCredentials(authorizationRequestData.presentationDefinitions[0].definition, context)
   }
 }

package/src/index.ts

@@ -1,7 +1,7 @@
 /**
  * @public
  */
-import schema from '../plugin.schema.json'
+const schema = require('../plugin.schema.json')
 export { schema }
 export { DidAuthSiopOpAuthenticator, didAuthSiopOpAuthenticatorMethods } from './agent/DidAuthSiopOpAuthenticator'
 export { Siopv2Machine } from './machine/Siopv2Machine'
@@ -9,4 +9,3 @@ export * from './machine/CallbackStateListener'
 export * from './session'
 export * from './types'
 export * from './link-handler'
-export * from './utils/dcql'

package/src/machine/Siopv2Machine.ts

@@ -51,7 +51,7 @@ const Siopv2HasSelectableCredentialsAndContactGuard = (_ctx: Siopv2MachineContex
     throw new Error('Missing contact request data in context')
   }
 
-  return authorizationRequestData.dcqlQuery !== undefined
+  return authorizationRequestData.presentationDefinitions !== undefined
 }
 
 const Siopv2CreateContactGuard = (_ctx: Siopv2MachineContext, _event: Siopv2MachineEventTypes): boolean => {
@@ -67,7 +67,7 @@ const Siopv2HasSelectedRequiredCredentialsGuard = (_ctx: Siopv2MachineContext, _
     throw new Error('Missing authorization request data in context')
   }
 
-  if (authorizationRequestData.dcqlQuery === undefined) {
+  if (authorizationRequestData.presentationDefinitions === undefined || authorizationRequestData.presentationDefinitions.length === 0) {
     throw Error('No presentation definitions present')
   }
 
@@ -87,7 +87,7 @@ const Siopv2IsSiopOnlyGuard = (_ctx: Siopv2MachineContext, _event: Siopv2Machine
     throw new Error('Missing authorization request data in context')
   }
 
-  return authorizationRequestData.dcqlQuery === undefined
+  return authorizationRequestData.presentationDefinitions === undefined
 }
 
 const Siopv2IsSiopWithOID4VPGuard = (_ctx: Siopv2MachineContext, _event: Siopv2MachineEventTypes): boolean => {
@@ -101,7 +101,7 @@ const Siopv2IsSiopWithOID4VPGuard = (_ctx: Siopv2MachineContext, _event: Siopv2M
     throw new Error('Missing selectableCredentialsMap in context')
   }
 
-  return authorizationRequestData.dcqlQuery !== undefined
+  return authorizationRequestData.presentationDefinitions !== undefined
 }
 
 const createSiopv2Machine = (opts: CreateSiopv2MachineOpts): Siopv2StateMachine => {