@sphereon/ssi-sdk.siopv2-oid4vp-op-auth 0.34.1-feat.SSISDK.35.64 → 0.34.1-feature.DIIPv4.41

package/src/services/Siopv2MachineService.ts

@@ -1,38 +1,31 @@
-import {
-  AuthorizationRequest,
-  Json,
-  SupportedVersion
-} from '@sphereon/did-auth-siop'
+import { AuthorizationRequest, SupportedVersion } from '@sphereon/did-auth-siop'
+import { IPresentationDefinition, PEX } from '@sphereon/pex'
+import { InputDescriptorV1, InputDescriptorV2, PresentationDefinitionV1, PresentationDefinitionV2 } from '@sphereon/pex-models'
 import { isOID4VCIssuerIdentifier, ManagedIdentifierOptsOrResult } from '@sphereon/ssi-sdk-ext.identifier-resolution'
 import { UniqueDigitalCredential, verifiableCredentialForRoleFilter } from '@sphereon/ssi-sdk.credential-store'
 import { ConnectionType, CredentialRole } from '@sphereon/ssi-sdk.data-store'
+import { CredentialMapper, HasherSync, Loggers, OriginalVerifiableCredential, PresentationSubmission } from '@sphereon/ssi-types'
+import { OID4VP, OpSession } from '../session'
 import {
-  CredentialMapper,
-  HasherSync,
-  Loggers,
-  OriginalVerifiableCredential,
-  SdJwtDecodedVerifiableCredential
-} from '@sphereon/ssi-types'
-import { OpSession } from '../session'
-import {
+  DidAgents,
   LOGGER_NAMESPACE,
   RequiredContext,
   SelectableCredential,
   SelectableCredentialsMap,
-  Siopv2HolderEvent
+  Siopv2HolderEvent,
+  SuitableCredentialAgents,
+  VerifiableCredentialsWithDefinition,
+  VerifiablePresentationWithDefinition,
 } from '../types'
-import { encodeJoseBlob } from '@sphereon/ssi-sdk.core'
-import { DcqlPresentation, DcqlQuery } from 'dcql'
-import { convertToDcqlCredentials } from '../utils/dcql'
 import { IAgentContext, IDIDManager } from '@veramo/core'
-import {
-  getOrCreatePrimaryIdentifier,
-  SupportedDidMethodEnum
-} from '@sphereon/ssi-sdk-ext.did-utils'
+import { getOrCreatePrimaryIdentifier, SupportedDidMethodEnum } from '@sphereon/ssi-sdk-ext.did-utils'
+import { defaultHasher, encodeJoseBlob } from '@sphereon/ssi-sdk.core'
+import { DcqlCredential, DcqlCredentialPresentation, DcqlPresentation, DcqlQuery } from 'dcql'
+import { convertToDcqlCredentials } from '../utils/dcql'
+import { getOriginalVerifiableCredential } from '../utils/CredentialUtils'
 
 export const logger = Loggers.DEFAULT.get(LOGGER_NAMESPACE)
 
-// @ts-ignore
 const createEbsiIdentifier = async (agentContext: IAgentContext<IDIDManager>): Promise<ManagedIdentifierOptsOrResult> => {
   logger.log(`No EBSI key present yet. Creating a new one...`)
   const { result: newIdentifier, created } = await getOrCreatePrimaryIdentifier(agentContext, {
@@ -46,10 +39,9 @@ const createEbsiIdentifier = async (agentContext: IAgentContext<IDIDManager>): P
   return await agentContext.agent.identifierManagedGetByDid({ identifier: newIdentifier.did })
 }
 
-// @ts-ignore
 const hasEbsiClient = async (authorizationRequest: AuthorizationRequest) => {
-  const clientId = authorizationRequest.getMergedProperty<string>('client_id')
-  const redirectUri = authorizationRequest.getMergedProperty<string>('redirect_uri')
+  const clientId = await authorizationRequest.getMergedProperty<string>('client_id')
+  const redirectUri = await authorizationRequest.getMergedProperty<string>('redirect_uri')
   return clientId?.toLowerCase().includes('.ebsi.eu') || redirectUri?.toLowerCase().includes('.ebsi.eu')
 }
 
@@ -57,25 +49,137 @@ export const siopSendAuthorizationResponse = async (
   connectionType: ConnectionType,
   args: {
     sessionId: string
-    credentials: Array<UniqueDigitalCredential | OriginalVerifiableCredential>
+    verifiableCredentialsWithDefinition?: VerifiableCredentialsWithDefinition[]
     idOpts?: ManagedIdentifierOptsOrResult
     isFirstParty?: boolean
     hasher?: HasherSync
+    dcqlQuery?: DcqlQuery
   },
   context: RequiredContext,
 ) => {
   const { agent } = context
-  const { credentials } = args
+  const agentContext = { ...context, agent: context.agent as DidAgents }
+  let { idOpts, isFirstParty, hasher = defaultHasher } = args
+
   if (connectionType !== ConnectionType.SIOPv2_OpenID4VP) {
     return Promise.reject(Error(`No supported authentication provider for type: ${connectionType}`))
   }
-
   const session: OpSession = await agent.siopGetOPSession({ sessionId: args.sessionId })
   const request = await session.getAuthorizationRequest()
-  const aud = request.authorizationRequest.getMergedProperty<string>('aud')
+  const aud = await request.authorizationRequest.getMergedProperty<string>('aud')
   logger.debug(`AUD: ${aud}`)
   logger.debug(JSON.stringify(request.authorizationRequest))
 
+  let presentationsAndDefs: VerifiablePresentationWithDefinition[] | undefined
+  let presentationSubmission: PresentationSubmission | undefined
+  if (await session.hasPresentationDefinitions()) {
+    const oid4vp: OID4VP = await session.getOID4VP({ hasher })
+
+    const credentialsAndDefinitions = args.verifiableCredentialsWithDefinition
+      ? args.verifiableCredentialsWithDefinition
+      : await oid4vp.filterCredentialsAgainstAllDefinitions(CredentialRole.HOLDER)
+    const domain =
+      ((await request.authorizationRequest.getMergedProperty('client_id')) as string) ??
+      request.issuer ??
+      (request.versions.includes(SupportedVersion.JWT_VC_PRESENTATION_PROFILE_v1)
+        ? 'https://self-issued.me/v2/openid-vc'
+        : 'https://self-issued.me/v2')
+    logger.log(`NONCE: ${session.nonce}, domain: ${domain}`)
+
+    const firstUniqueDC = credentialsAndDefinitions[0].credentials[0]
+    if (typeof firstUniqueDC !== 'object' || !('digitalCredential' in firstUniqueDC)) {
+      return Promise.reject(Error('SiopMachine only supports UniqueDigitalCredentials for now'))
+    }
+
+    let identifier: ManagedIdentifierOptsOrResult
+    const digitalCredential = firstUniqueDC.digitalCredential
+    const firstVC = firstUniqueDC.uniformVerifiableCredential
+    const holder = CredentialMapper.isSdJwtDecodedCredential(firstVC)
+      ? firstVC.decodedPayload.cnf?.jwk
+        ? //TODO SDK-19: convert the JWK to hex and search for the appropriate key and associated DID
+          //doesn't apply to did:jwk only, as you can represent any DID key as a JWK. So whenever you encounter a JWK it doesn't mean it had to come from a did:jwk in the system. It just can always be represented as a did:jwk
+          `did:jwk:${encodeJoseBlob(firstVC.decodedPayload.cnf?.jwk)}#0`
+        : firstVC.decodedPayload.sub
+      : Array.isArray(firstVC.credentialSubject)
+        ? firstVC.credentialSubject[0].id
+        : firstVC.credentialSubject.id
+    if (!digitalCredential.kmsKeyRef) {
+      // In case the store does not have the kmsKeyRef lets search for the holder
+
+      if (!holder) {
+        return Promise.reject(`No holder found and no kmsKeyRef in DB. Cannot determine identifier to use`)
+      }
+      try {
+        identifier = await session.context.agent.identifierManagedGet({ identifier: holder })
+      } catch (e) {
+        logger.debug(`Holder DID not found: ${holder}`)
+        throw e
+      }
+    } else if (isOID4VCIssuerIdentifier(digitalCredential.kmsKeyRef)) {
+      identifier = await session.context.agent.identifierManagedGetByOID4VCIssuer({
+        identifier: firstUniqueDC.digitalCredential.kmsKeyRef,
+      })
+    } else {
+      switch (digitalCredential.subjectCorrelationType) {
+        case 'DID':
+          identifier = await session.context.agent.identifierManagedGetByDid({
+            identifier: digitalCredential.subjectCorrelationId ?? holder,
+            kmsKeyRef: digitalCredential.kmsKeyRef,
+          })
+          break
+        // TODO other implementations?
+        default:
+          if (digitalCredential.subjectCorrelationId?.startsWith('did:') || holder?.startsWith('did:')) {
+            identifier = await session.context.agent.identifierManagedGetByDid({
+              identifier: digitalCredential.subjectCorrelationId ?? holder,
+              kmsKeyRef: digitalCredential.kmsKeyRef,
+            })
+          } else {
+            // Since we are using the kmsKeyRef we will find the KID regardless of the identifier. We set it for later access though
+            identifier = await session.context.agent.identifierManagedGetByKid({
+              identifier: digitalCredential.subjectCorrelationId ?? holder ?? digitalCredential.kmsKeyRef,
+              kmsKeyRef: digitalCredential.kmsKeyRef,
+            })
+          }
+      }
+    }
+
+    if (identifier === undefined && idOpts !== undefined && (await hasEbsiClient(request.authorizationRequest))) {
+      identifier = await createEbsiIdentifier(agentContext)
+    }
+    logger.debug(`Identifier`, identifier)
+
+    // TODO Add mdoc support
+
+    presentationsAndDefs = await oid4vp.createVerifiablePresentations(CredentialRole.HOLDER, credentialsAndDefinitions, {
+      idOpts: identifier,
+      proofOpts: {
+        nonce: session.nonce,
+        domain,
+      },
+    })
+    if (!presentationsAndDefs || presentationsAndDefs.length === 0) {
+      throw Error('No verifiable presentations could be created')
+    } else if (presentationsAndDefs.length > 1) {
+      throw Error(`Only one verifiable presentation supported for now. Got ${presentationsAndDefs.length}`)
+    }
+
+    idOpts = presentationsAndDefs[0].idOpts
+    presentationSubmission = presentationsAndDefs[0].presentationSubmission
+
+    logger.log(`Definitions and locations:`, JSON.stringify(presentationsAndDefs?.[0]?.verifiablePresentations, null, 2))
+    logger.log(`Presentation Submission:`, JSON.stringify(presentationSubmission, null, 2))
+    const mergedVerifiablePresentations = presentationsAndDefs?.flatMap((pd) => pd.verifiablePresentations) || []
+    return await session.sendAuthorizationResponse({
+      ...(presentationsAndDefs && { verifiablePresentations: mergedVerifiablePresentations }),
+      ...(presentationSubmission && { presentationSubmission }),
+      // todo: Change issuer value in case we do not use identifier. Use key.meta.jwkThumbprint then
+      responseSignerOpts: idOpts!,
+      isFirstParty,
+    })
+  } else if (request.dcqlQuery) {
+    if (args.verifiableCredentialsWithDefinition !== undefined && args.verifiableCredentialsWithDefinition !== null) {
+      const vcs = args.verifiableCredentialsWithDefinition.flatMap((vcd) => vcd.credentials)
       const domain =
         ((await request.authorizationRequest.getMergedProperty('client_id')) as string) ??
         request.issuer ??
@@ -84,7 +188,7 @@ export const siopSendAuthorizationResponse = async (
           : 'https://self-issued.me/v2')
       logger.debug(`NONCE: ${session.nonce}, domain: ${domain}`)
 
-      const firstUniqueDC = credentials[0]
+      const firstUniqueDC = vcs[0]
       if (typeof firstUniqueDC !== 'object' || !('digitalCredential' in firstUniqueDC)) {
         return Promise.reject(Error('SiopMachine only supports UniqueDigitalCredentials for now'))
       }
@@ -134,102 +238,104 @@ export const siopSendAuthorizationResponse = async (
             })
         }
       }
+      console.log(`Identifier`, identifier)
 
-  const dcqlCredentialsWithCredentials = new Map(
-    credentials.map((vc) => [convertToDcqlCredentials(vc), vc])
-  )
-
-  const queryResult = DcqlQuery.query(request.dcqlQuery, Array.from(dcqlCredentialsWithCredentials.keys()))
+      const dcqlRepresentations: DcqlCredential[] = []
+      vcs.forEach((vc: UniqueDigitalCredential | OriginalVerifiableCredential) => {
+        const rep = convertToDcqlCredentials(vc, args.hasher)
+        if (rep) {
+          dcqlRepresentations.push(rep)
+        }
+      })
 
-  if (!queryResult.can_be_satisfied) {
-    return Promise.reject(Error('Credentials do not match required query request'))
-  }
+      const queryResult = DcqlQuery.query(request.dcqlQuery, dcqlRepresentations)
+      const presentation: Record<string, DcqlCredentialPresentation> = {}
 
-  const presentation: DcqlPresentation.Output = {}
-  const uniqueCredentials = Array.from(dcqlCredentialsWithCredentials.values())
-  for (const [key, value] of Object.entries(queryResult.credential_matches)) {
-    if (value.success) {
-      const matchedCredentials = value.valid_credentials.map(cred => uniqueCredentials[cred.input_credential_index])
-      const vc = matchedCredentials[0] // taking the first match for now //uniqueCredentials[value.input_credential_index]
-      if (!vc) {
-        continue
-      }
-      const originalVc = retrieveEncodedCredential(vc as UniqueDigitalCredential) // TODO this is not nice // also always a UniqueDigitalCredential
-      if (!originalVc) {
-        continue
-      }
-      if (originalVc) {
-        presentation[key] = originalVc as | string | { [x: string]: Json }
+      for (const [key, value] of Object.entries(queryResult.credential_matches)) {
+        const allMatches = Array.isArray(value) ? value : [value]
+        allMatches.forEach((match) => {
+          if (match.success) {
+            const originalCredential = getOriginalVerifiableCredential(vcs[match.input_credential_index])
+            if (!originalCredential) {
+              throw new Error(`Index ${match.input_credential_index} out of range in credentials array`)
+            }
+            presentation[key] =
+              (originalCredential as any)['compactSdJwtVc'] !== undefined ? (originalCredential as any).compactSdJwtVc : originalCredential
+          }
+        })
       }
-    }
-  }
-
-  const dcqlPresentation = DcqlPresentation.parse(presentation)
 
       const response = session.sendAuthorizationResponse({
         responseSignerOpts: identifier,
-        dcqlResponse: {
-          dcqlPresentation
-        }
+        ...{ dcqlQuery: { dcqlPresentation: DcqlPresentation.parse(presentation) } },
       })
 
       logger.debug(`Response: `, response)
+
       return response
+    }
+  }
+  throw Error('Presentation Definition or DCQL is required')
 }
 
-const retrieveEncodedCredential = (credential: UniqueDigitalCredential): OriginalVerifiableCredential | undefined => {
-  return credential.originalVerifiableCredential !== undefined &&
-    credential.originalVerifiableCredential !== null &&
-    (credential?.originalVerifiableCredential as SdJwtDecodedVerifiableCredential)?.compactSdJwtVc !== undefined &&
-    (credential?.originalVerifiableCredential as SdJwtDecodedVerifiableCredential)?.compactSdJwtVc !== null
-    ? (credential.originalVerifiableCredential as SdJwtDecodedVerifiableCredential).compactSdJwtVc
-    : credential.originalVerifiableCredential
+function buildPartialPD(
+  inputDescriptor: InputDescriptorV1 | InputDescriptorV2,
+  presentationDefinition: PresentationDefinitionV1 | PresentationDefinitionV2,
+): IPresentationDefinition {
+  return {
+    ...presentationDefinition,
+    input_descriptors: [inputDescriptor],
+  } as IPresentationDefinition
 }
 
 export const getSelectableCredentials = async (
-  dcqlQuery: DcqlQuery,
+  presentationDefinition: IPresentationDefinition,
   context: RequiredContext,
 ): Promise<SelectableCredentialsMap> => {
-  const agentContext = { ...context, agent: context.agent }
+  const agentContext = { ...context, agent: context.agent as SuitableCredentialAgents }
   const { agent } = agentContext
+  const pex = new PEX()
+
   const uniqueVerifiableCredentials = await agent.crsGetUniqueCredentials({
     filter: verifiableCredentialForRoleFilter(CredentialRole.HOLDER),
   })
-  const branding = await agent.ibGetCredentialBranding()
-  const dcqlCredentialsWithCredentials = new Map(
-    uniqueVerifiableCredentials.map((vc) => [convertToDcqlCredentials(vc), vc])
-  )
-  const queryResult = DcqlQuery.query(dcqlQuery, Array.from(dcqlCredentialsWithCredentials.keys()))
-  const uniqueCredentials = Array.from(dcqlCredentialsWithCredentials.values())
+  const credentialBranding = await agent.ibGetCredentialBranding()
+
   const selectableCredentialsMap: SelectableCredentialsMap = new Map()
 
-  for (const [key, value] of Object.entries(queryResult.credential_matches)) {
-    if (!value.valid_credentials) {
-      continue
-    }
+  for (const inputDescriptor of presentationDefinition.input_descriptors) {
+    const partialPD = buildPartialPD(inputDescriptor, presentationDefinition)
+    const originalCredentials = uniqueVerifiableCredentials.map((uniqueVC) => {
+      return CredentialMapper.storedCredentialToOriginalFormat(uniqueVC.originalVerifiableCredential!) // ( ! is valid for verifiableCredentialForRoleFilter )
+    })
+    const selectionResults = pex.selectFrom(partialPD, originalCredentials)
 
-    const mapSelectableCredentialPromises = value.valid_credentials.map(async cred => {
-      const matchedCredential = uniqueCredentials[cred.input_credential_index]
-      const credentialBranding = branding.filter((cb) => cb.vcHash === matchedCredential.hash)
-      const issuerPartyIdentity = await agent.cmGetContacts({
-        filter: [{ identities: { identifier: { correlationId: matchedCredential.uniformVerifiableCredential!.issuerDid } } }],
-      })
-      const subjectPartyIdentity = await agent.cmGetContacts({
-        filter: [{ identities: { identifier: { correlationId: matchedCredential.uniformVerifiableCredential!.subjectDid } } }],
+    const selectableCredentials: Array<SelectableCredential> = []
+    for (const selectedCredential of selectionResults.verifiableCredential || []) {
+      const filteredUniqueVC = uniqueVerifiableCredentials.find((uniqueVC) => {
+        const proof = uniqueVC.uniformVerifiableCredential!.proof
+        return Array.isArray(proof) ? proof.some((proofItem) => proofItem.jwt === selectedCredential) : proof.jwt === selectedCredential
       })
 
-      return {
-        credential: matchedCredential,
-        credentialBranding: credentialBranding[0]?.localeBranding,
-        issuerParty: issuerPartyIdentity?.[0],
-        subjectParty: subjectPartyIdentity?.[0],
-      }
-    })
+      if (filteredUniqueVC) {
+        const filteredCredentialBrandings = credentialBranding.filter((cb) => cb.vcHash === filteredUniqueVC.hash)
+        const issuerPartyIdentity = await agent.cmGetContacts({
+          filter: [{ identities: { identifier: { correlationId: filteredUniqueVC.uniformVerifiableCredential!.issuerDid } } }],
+        })
+        const subjectPartyIdentity = await agent.cmGetContacts({
+          filter: [{ identities: { identifier: { correlationId: filteredUniqueVC.uniformVerifiableCredential!.subjectDid } } }],
+        })
 
-    const selectableCredentials: Array<SelectableCredential> = await Promise.all(mapSelectableCredentialPromises)
-    selectableCredentialsMap.set(key, selectableCredentials)
+        selectableCredentials.push({
+          credential: filteredUniqueVC,
+          credentialBranding: filteredCredentialBrandings[0]?.localeBranding,
+          issuerParty: issuerPartyIdentity?.[0],
+          subjectParty: subjectPartyIdentity?.[0],
+        })
+      }
+    }
+    selectableCredentialsMap.set(inputDescriptor.id, selectableCredentials)
   }
-
   return selectableCredentialsMap
 }