@sphereon/ssi-sdk.siopv2-oid4vp-op-auth 0.34.1-feature.FIDES.1.274 → 0.34.1-feature.IDK.11.48

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (20) hide show
  1. package/dist/index.cjs +1091 -608
  2. package/dist/index.cjs.map +1 -1
  3. package/dist/index.d.cts +112 -710
  4. package/dist/index.d.ts +112 -710
  5. package/dist/index.js +1046 -563
  6. package/dist/index.js.map +1 -1
  7. package/package.json +24 -24
  8. package/src/agent/DidAuthSiopOpAuthenticator.ts +145 -10
  9. package/src/index.ts +1 -2
  10. package/src/machine/Siopv2Machine.ts +5 -5
  11. package/src/services/Siopv2MachineService.ts +265 -189
  12. package/src/session/OID4VP.ts +300 -310
  13. package/src/session/OpSession.ts +114 -22
  14. package/src/session/functions.ts +8 -1
  15. package/src/types/IDidAuthSiopOpAuthenticator.ts +59 -6
  16. package/src/types/identifier/index.ts +4 -0
  17. package/src/types/machine/index.ts +1 -1
  18. package/src/types/siop-service/index.ts +10 -12
  19. package/src/utils/CredentialUtils.ts +40 -2
  20. package/src/utils/dcql.ts +19 -22
package/dist/index.cjs CHANGED
@@ -60,371 +60,375 @@ var require_nl = __commonJS({
60
60
  }
61
61
  });
62
62
 
63
- // src/index.ts
64
- var index_exports = {};
65
- __export(index_exports, {
66
- DEFAULT_JWT_PROOF_TYPE: () => DEFAULT_JWT_PROOF_TYPE,
67
- DID_PREFIX: () => DID_PREFIX,
68
- DidAuthSiopOpAuthenticator: () => DidAuthSiopOpAuthenticator,
69
- LOGGER_NAMESPACE: () => LOGGER_NAMESPACE,
70
- OID4VP: () => OID4VP,
71
- OID4VPCallbackStateListener: () => OID4VPCallbackStateListener,
72
- OpSession: () => OpSession,
73
- Siopv2HolderEvent: () => Siopv2HolderEvent,
74
- Siopv2Machine: () => Siopv2Machine,
75
- Siopv2MachineAddContactStates: () => Siopv2MachineAddContactStates,
76
- Siopv2MachineEvents: () => Siopv2MachineEvents,
77
- Siopv2MachineGuards: () => Siopv2MachineGuards,
78
- Siopv2MachineServices: () => Siopv2MachineServices,
79
- Siopv2MachineStates: () => Siopv2MachineStates,
80
- Siopv2OID4VPLinkHandler: () => Siopv2OID4VPLinkHandler,
81
- SupportedLanguage: () => SupportedLanguage,
82
- convertToDcqlCredentials: () => convertToDcqlCredentials,
83
- createJwtCallbackWithIdOpts: () => createJwtCallbackWithIdOpts,
84
- createJwtCallbackWithOpOpts: () => createJwtCallbackWithOpOpts,
85
- createOID4VPPresentationSignCallback: () => createOID4VPPresentationSignCallback,
86
- createOP: () => createOP,
87
- createOPBuilder: () => createOPBuilder,
88
- didAuthSiopOpAuthenticatorMethods: () => didAuthSiopOpAuthenticatorMethods,
89
- getSigningAlgo: () => getSigningAlgo,
90
- schema: () => plugin_schema_default
91
- });
92
- module.exports = __toCommonJS(index_exports);
93
-
94
63
  // plugin.schema.json
95
- var plugin_schema_default = {
96
- IDidAuthSiopOpAuthenticator: {
97
- components: {
98
- schemas: {
99
- IGetSiopSessionArgs: {
100
- type: "object",
101
- properties: {
102
- sessionId: {
103
- type: "string"
64
+ var require_plugin_schema = __commonJS({
65
+ "plugin.schema.json"(exports, module2) {
66
+ module2.exports = {
67
+ IDidAuthSiopOpAuthenticator: {
68
+ components: {
69
+ schemas: {
70
+ IGetSiopSessionArgs: {
71
+ type: "object",
72
+ properties: {
73
+ sessionId: {
74
+ type: "string"
75
+ },
76
+ additionalProperties: false
77
+ },
78
+ required: ["sessionId"],
79
+ description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.getSessionForSiop } "
104
80
  },
105
- additionalProperties: false
106
- },
107
- required: ["sessionId"],
108
- description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.getSessionForSiop } "
109
- },
110
- IRegisterSiopSessionArgs: {
111
- type: "object",
112
- properties: {
113
- identifier: {
81
+ IRegisterSiopSessionArgs: {
114
82
  type: "object",
115
83
  properties: {
116
- did: {
84
+ identifier: {
85
+ type: "object",
86
+ properties: {
87
+ did: {
88
+ type: "string"
89
+ },
90
+ alias: {
91
+ type: "string"
92
+ },
93
+ provider: {
94
+ type: "string"
95
+ },
96
+ controllerKeyId: {
97
+ type: "string"
98
+ },
99
+ keys: {
100
+ type: "array",
101
+ items: {
102
+ type: "object",
103
+ properties: {
104
+ additionalProperties: true
105
+ }
106
+ }
107
+ },
108
+ services: {
109
+ type: "array",
110
+ items: {
111
+ type: "object",
112
+ properties: {
113
+ additionalProperties: true
114
+ }
115
+ }
116
+ }
117
+ },
118
+ additionalProperties: false,
119
+ required: ["did", "provider", "keys", "services"]
120
+ },
121
+ sessionId: {
117
122
  type: "string"
118
123
  },
119
- alias: {
124
+ expiresIn: {
125
+ type: "number"
126
+ },
127
+ additionalProperties: false
128
+ },
129
+ required: ["identifier"],
130
+ description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.registerSessionForSiop } "
131
+ },
132
+ IRemoveSiopSessionArgs: {
133
+ type: "object",
134
+ properties: {
135
+ sessionId: {
120
136
  type: "string"
121
137
  },
122
- provider: {
138
+ additionalProperties: false
139
+ },
140
+ required: ["sessionId"],
141
+ description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.removeSessionForSiop } "
142
+ },
143
+ IAuthenticateWithSiopArgs: {
144
+ type: "object",
145
+ properties: {
146
+ sessionId: {
123
147
  type: "string"
124
148
  },
125
- controllerKeyId: {
149
+ stateId: {
126
150
  type: "string"
127
151
  },
128
- keys: {
129
- type: "array",
130
- items: {
131
- type: "object",
132
- properties: {
133
- additionalProperties: true
134
- }
135
- }
152
+ redirectUrl: {
153
+ type: "string"
136
154
  },
137
- services: {
138
- type: "array",
139
- items: {
140
- type: "object",
141
- properties: {
142
- additionalProperties: true
143
- }
144
- }
145
- }
155
+ additionalProperties: false
146
156
  },
147
- additionalProperties: false,
148
- required: ["did", "provider", "keys", "services"]
149
- },
150
- sessionId: {
151
- type: "string"
152
- },
153
- expiresIn: {
154
- type: "number"
155
- },
156
- additionalProperties: false
157
- },
158
- required: ["identifier"],
159
- description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.registerSessionForSiop } "
160
- },
161
- IRemoveSiopSessionArgs: {
162
- type: "object",
163
- properties: {
164
- sessionId: {
165
- type: "string"
166
- },
167
- additionalProperties: false
168
- },
169
- required: ["sessionId"],
170
- description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.removeSessionForSiop } "
171
- },
172
- IAuthenticateWithSiopArgs: {
173
- type: "object",
174
- properties: {
175
- sessionId: {
176
- type: "string"
177
- },
178
- stateId: {
179
- type: "string"
180
- },
181
- redirectUrl: {
182
- type: "string"
183
- },
184
- additionalProperties: false
185
- },
186
- required: ["sessionId", "stateId", "redirectUrl"],
187
- description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.authenticateWithSiop } "
188
- },
189
- IResponse: {
190
- type: "object",
191
- properties: {
192
- status: {
193
- type: "number"
194
- },
195
- additionalProperties: true
196
- },
197
- required: ["status"],
198
- description: "Result of {@link DidAuthSiopOpAuthenticator.authenticateWithSiop & DidAuthSiopOpAuthenticator.sendSiopAuthenticationResponse } "
199
- },
200
- IGetSiopAuthenticationRequestFromRpArgs: {
201
- type: "object",
202
- properties: {
203
- sessionId: {
204
- type: "string"
205
- },
206
- stateId: {
207
- type: "string"
208
- },
209
- redirectUrl: {
210
- type: "string"
211
- },
212
- additionalProperties: false
213
- },
214
- required: ["sessionId", "stateId", "redirectUrl"],
215
- description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.getSiopAuthenticationRequestFromRP } "
216
- },
217
- ParsedAuthenticationRequestURI: {
218
- type: "object",
219
- properties: {
220
- jwt: {
221
- type: "string"
157
+ required: ["sessionId", "stateId", "redirectUrl"],
158
+ description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.authenticateWithSiop } "
222
159
  },
223
- requestPayload: {
160
+ IResponse: {
224
161
  type: "object",
225
162
  properties: {
163
+ status: {
164
+ type: "number"
165
+ },
226
166
  additionalProperties: true
227
- }
167
+ },
168
+ required: ["status"],
169
+ description: "Result of {@link DidAuthSiopOpAuthenticator.authenticateWithSiop & DidAuthSiopOpAuthenticator.sendSiopAuthenticationResponse } "
228
170
  },
229
- registration: {
171
+ IGetSiopAuthenticationRequestFromRpArgs: {
230
172
  type: "object",
231
173
  properties: {
232
- additionalProperties: true
233
- }
234
- },
235
- additionalProperties: false
236
- },
237
- required: ["jwt", "requestPayload", "registration"],
238
- description: "Result of {@link DidAuthSiopOpAuthenticator.getSiopAuthenticationRequestFromRP } "
239
- },
240
- IGetSiopAuthenticationRequestDetailsArgs: {
241
- type: "object",
242
- properties: {
243
- sessionId: {
244
- type: "string"
174
+ sessionId: {
175
+ type: "string"
176
+ },
177
+ stateId: {
178
+ type: "string"
179
+ },
180
+ redirectUrl: {
181
+ type: "string"
182
+ },
183
+ additionalProperties: false
184
+ },
185
+ required: ["sessionId", "stateId", "redirectUrl"],
186
+ description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.getSiopAuthenticationRequestFromRP } "
245
187
  },
246
- verifiedAuthenticationRequest: {
188
+ ParsedAuthenticationRequestURI: {
247
189
  type: "object",
248
190
  properties: {
249
- additionalProperties: true
250
- }
191
+ jwt: {
192
+ type: "string"
193
+ },
194
+ requestPayload: {
195
+ type: "object",
196
+ properties: {
197
+ additionalProperties: true
198
+ }
199
+ },
200
+ registration: {
201
+ type: "object",
202
+ properties: {
203
+ additionalProperties: true
204
+ }
205
+ },
206
+ additionalProperties: false
207
+ },
208
+ required: ["jwt", "requestPayload", "registration"],
209
+ description: "Result of {@link DidAuthSiopOpAuthenticator.getSiopAuthenticationRequestFromRP } "
251
210
  },
252
- credentialFilter: {
211
+ IGetSiopAuthenticationRequestDetailsArgs: {
253
212
  type: "object",
254
213
  properties: {
255
- additionalProperties: true
256
- }
257
- },
258
- additionalProperties: false
259
- },
260
- required: ["sessionId", "verifiedAuthenticationRequest"],
261
- description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.getSiopAuthenticationRequestDetails } "
262
- },
263
- IAuthRequestDetails: {
264
- type: "object",
265
- properties: {
266
- id: {
267
- type: "string"
268
- },
269
- alsoKnownAs: {
270
- type: "array",
271
- items: {
272
- type: "string"
273
- }
214
+ sessionId: {
215
+ type: "string"
216
+ },
217
+ verifiedAuthenticationRequest: {
218
+ type: "object",
219
+ properties: {
220
+ additionalProperties: true
221
+ }
222
+ },
223
+ credentialFilter: {
224
+ type: "object",
225
+ properties: {
226
+ additionalProperties: true
227
+ }
228
+ },
229
+ additionalProperties: false
230
+ },
231
+ required: ["sessionId", "verifiedAuthenticationRequest"],
232
+ description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.getSiopAuthenticationRequestDetails } "
274
233
  },
275
- vpResponseOpts: {
234
+ IAuthRequestDetails: {
276
235
  type: "object",
277
236
  properties: {
278
- additionalProperties: true
279
- }
280
- },
281
- additionalProperties: false
282
- },
283
- required: ["id", "vpResponseOpts"],
284
- description: "Result of {@link DidAuthSiopOpAuthenticator.getSiopAuthenticationRequestDetails } "
285
- },
286
- IVerifySiopAuthenticationRequestUriArgs: {
287
- type: "object",
288
- properties: {
289
- sessionId: {
290
- type: "string"
237
+ id: {
238
+ type: "string"
239
+ },
240
+ alsoKnownAs: {
241
+ type: "array",
242
+ items: {
243
+ type: "string"
244
+ }
245
+ },
246
+ vpResponseOpts: {
247
+ type: "object",
248
+ properties: {
249
+ additionalProperties: true
250
+ }
251
+ },
252
+ additionalProperties: false
253
+ },
254
+ required: ["id", "vpResponseOpts"],
255
+ description: "Result of {@link DidAuthSiopOpAuthenticator.getSiopAuthenticationRequestDetails } "
291
256
  },
292
- ParsedAuthenticationRequestURI: {
257
+ IVerifySiopAuthenticationRequestUriArgs: {
293
258
  type: "object",
294
259
  properties: {
295
- additionalProperties: true
296
- }
260
+ sessionId: {
261
+ type: "string"
262
+ },
263
+ ParsedAuthenticationRequestURI: {
264
+ type: "object",
265
+ properties: {
266
+ additionalProperties: true
267
+ }
268
+ },
269
+ additionalProperties: false
270
+ },
271
+ required: ["sessionId", "ParsedAuthenticationRequestURI"],
272
+ description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.verifySiopAuthenticationRequestURI } "
297
273
  },
298
- additionalProperties: false
299
- },
300
- required: ["sessionId", "ParsedAuthenticationRequestURI"],
301
- description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.verifySiopAuthenticationRequestURI } "
302
- },
303
- VerifiedAuthorizationRequest: {
304
- type: "object",
305
- properties: {
306
- payload: {
274
+ VerifiedAuthorizationRequest: {
307
275
  type: "object",
308
276
  properties: {
309
- additionalProperties: true
310
- }
277
+ payload: {
278
+ type: "object",
279
+ properties: {
280
+ additionalProperties: true
281
+ }
282
+ },
283
+ presentationDefinitions: {
284
+ type: "object",
285
+ properties: {
286
+ additionalProperties: true
287
+ }
288
+ },
289
+ verifyOpts: {
290
+ type: "object",
291
+ properties: {
292
+ additionalProperties: true
293
+ }
294
+ },
295
+ additionalProperties: false
296
+ },
297
+ required: ["payload", "verifyOpts"],
298
+ description: "Result of {@link DidAuthSiopOpAuthenticator.verifySiopAuthenticationRequestURI } "
311
299
  },
312
- presentationDefinitions: {
300
+ ISendSiopAuthenticationResponseArgs: {
313
301
  type: "object",
314
302
  properties: {
315
- additionalProperties: true
316
- }
303
+ sessionId: {
304
+ type: "string"
305
+ },
306
+ verifiedAuthenticationRequest: {
307
+ type: "object",
308
+ properties: {
309
+ additionalProperties: true
310
+ }
311
+ },
312
+ verifiablePresentationResponse: {
313
+ type: "object",
314
+ properties: {
315
+ additionalProperties: true
316
+ }
317
+ },
318
+ additionalProperties: false
319
+ },
320
+ required: ["sessionId", "verifiedAuthenticationRequest"],
321
+ description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.sendSiopAuthenticationResponse } "
322
+ }
323
+ },
324
+ methods: {
325
+ getSessionForSiop: {
326
+ description: "Get SIOP session",
327
+ arguments: {
328
+ $ref: "#/components/schemas/IGetSiopSessionArgs"
329
+ },
330
+ returnType: "object"
317
331
  },
318
- verifyOpts: {
319
- type: "object",
320
- properties: {
321
- additionalProperties: true
332
+ registerSessionForSiop: {
333
+ description: "Register SIOP session",
334
+ arguments: {
335
+ $ref: "#/components/schemas/IRegisterSiopSessionArgs"
336
+ },
337
+ returnType: "object"
338
+ },
339
+ removeSessionForSiop: {
340
+ description: "Remove SIOP session",
341
+ arguments: {
342
+ $ref: "#/components/schemas/IRemoveSiopSessionArgs"
343
+ },
344
+ returnType: "boolean"
345
+ },
346
+ authenticateWithSiop: {
347
+ description: "Authenticate using DID Auth SIOP",
348
+ arguments: {
349
+ $ref: "#/components/schemas/IAuthenticateWithSiopArgs"
350
+ },
351
+ returnType: {
352
+ $ref: "#/components/schemas/Response"
322
353
  }
323
354
  },
324
- additionalProperties: false
325
- },
326
- required: ["payload", "verifyOpts"],
327
- description: "Result of {@link DidAuthSiopOpAuthenticator.verifySiopAuthenticationRequestURI } "
328
- },
329
- ISendSiopAuthenticationResponseArgs: {
330
- type: "object",
331
- properties: {
332
- sessionId: {
333
- type: "string"
355
+ getSiopAuthenticationRequestFromRP: {
356
+ description: "Get authentication request from RP",
357
+ arguments: {
358
+ $ref: "#/components/schemas/IGetSiopAuthenticationRequestFromRpArgs"
359
+ },
360
+ returnType: {
361
+ $ref: "#/components/schemas/ParsedAuthenticationRequestURI"
362
+ }
334
363
  },
335
- verifiedAuthenticationRequest: {
336
- type: "object",
337
- properties: {
338
- additionalProperties: true
364
+ getSiopAuthenticationRequestDetails: {
365
+ description: "Get authentication request details",
366
+ arguments: {
367
+ $ref: "#/components/schemas/IGetSiopAuthenticationRequestDetailsArgs"
368
+ },
369
+ returnType: {
370
+ $ref: "#/components/schemas/IAuthRequestDetails"
339
371
  }
340
372
  },
341
- verifiablePresentationResponse: {
342
- type: "object",
343
- properties: {
344
- additionalProperties: true
373
+ verifySiopAuthenticationRequestURI: {
374
+ description: "Verify authentication request URI",
375
+ arguments: {
376
+ $ref: "#/components/schemas/IVerifySiopAuthenticationRequestUriArgs"
377
+ },
378
+ returnType: {
379
+ $ref: "#/components/schemas/VerifiedAuthorizationRequest"
345
380
  }
346
381
  },
347
- additionalProperties: false
348
- },
349
- required: ["sessionId", "verifiedAuthenticationRequest"],
350
- description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.sendSiopAuthenticationResponse } "
351
- }
352
- },
353
- methods: {
354
- getSessionForSiop: {
355
- description: "Get SIOP session",
356
- arguments: {
357
- $ref: "#/components/schemas/IGetSiopSessionArgs"
358
- },
359
- returnType: "object"
360
- },
361
- registerSessionForSiop: {
362
- description: "Register SIOP session",
363
- arguments: {
364
- $ref: "#/components/schemas/IRegisterSiopSessionArgs"
365
- },
366
- returnType: "object"
367
- },
368
- removeSessionForSiop: {
369
- description: "Remove SIOP session",
370
- arguments: {
371
- $ref: "#/components/schemas/IRemoveSiopSessionArgs"
372
- },
373
- returnType: "boolean"
374
- },
375
- authenticateWithSiop: {
376
- description: "Authenticate using DID Auth SIOP",
377
- arguments: {
378
- $ref: "#/components/schemas/IAuthenticateWithSiopArgs"
379
- },
380
- returnType: {
381
- $ref: "#/components/schemas/Response"
382
- }
383
- },
384
- getSiopAuthenticationRequestFromRP: {
385
- description: "Get authentication request from RP",
386
- arguments: {
387
- $ref: "#/components/schemas/IGetSiopAuthenticationRequestFromRpArgs"
388
- },
389
- returnType: {
390
- $ref: "#/components/schemas/ParsedAuthenticationRequestURI"
391
- }
392
- },
393
- getSiopAuthenticationRequestDetails: {
394
- description: "Get authentication request details",
395
- arguments: {
396
- $ref: "#/components/schemas/IGetSiopAuthenticationRequestDetailsArgs"
397
- },
398
- returnType: {
399
- $ref: "#/components/schemas/IAuthRequestDetails"
400
- }
401
- },
402
- verifySiopAuthenticationRequestURI: {
403
- description: "Verify authentication request URI",
404
- arguments: {
405
- $ref: "#/components/schemas/IVerifySiopAuthenticationRequestUriArgs"
406
- },
407
- returnType: {
408
- $ref: "#/components/schemas/VerifiedAuthorizationRequest"
409
- }
410
- },
411
- sendSiopAuthenticationResponse: {
412
- description: "Send authentication response",
413
- arguments: {
414
- $ref: "#/components/schemas/ISendSiopAuthenticationResponseArgs"
415
- },
416
- returnType: {
417
- $ref: "#/components/schemas/IRequiredContext"
382
+ sendSiopAuthenticationResponse: {
383
+ description: "Send authentication response",
384
+ arguments: {
385
+ $ref: "#/components/schemas/ISendSiopAuthenticationResponseArgs"
386
+ },
387
+ returnType: {
388
+ $ref: "#/components/schemas/IRequiredContext"
389
+ }
390
+ }
418
391
  }
419
392
  }
420
393
  }
421
- }
394
+ };
422
395
  }
423
- };
396
+ });
397
+
398
+ // src/index.ts
399
+ var index_exports = {};
400
+ __export(index_exports, {
401
+ DEFAULT_JWT_PROOF_TYPE: () => DEFAULT_JWT_PROOF_TYPE,
402
+ DID_PREFIX: () => DID_PREFIX,
403
+ DidAuthSiopOpAuthenticator: () => DidAuthSiopOpAuthenticator,
404
+ LOGGER_NAMESPACE: () => LOGGER_NAMESPACE,
405
+ OID4VP: () => OID4VP,
406
+ OID4VPCallbackStateListener: () => OID4VPCallbackStateListener,
407
+ OpSession: () => OpSession,
408
+ Siopv2HolderEvent: () => Siopv2HolderEvent,
409
+ Siopv2Machine: () => Siopv2Machine,
410
+ Siopv2MachineAddContactStates: () => Siopv2MachineAddContactStates,
411
+ Siopv2MachineEvents: () => Siopv2MachineEvents,
412
+ Siopv2MachineGuards: () => Siopv2MachineGuards,
413
+ Siopv2MachineServices: () => Siopv2MachineServices,
414
+ Siopv2MachineStates: () => Siopv2MachineStates,
415
+ Siopv2OID4VPLinkHandler: () => Siopv2OID4VPLinkHandler,
416
+ SupportedLanguage: () => SupportedLanguage,
417
+ createJwtCallbackWithIdOpts: () => createJwtCallbackWithIdOpts,
418
+ createJwtCallbackWithOpOpts: () => createJwtCallbackWithOpOpts,
419
+ createOID4VPPresentationSignCallback: () => createOID4VPPresentationSignCallback,
420
+ createOP: () => createOP,
421
+ createOPBuilder: () => createOPBuilder,
422
+ didAuthSiopOpAuthenticatorMethods: () => didAuthSiopOpAuthenticatorMethods,
423
+ events: () => events,
424
+ getSigningAlgo: () => getSigningAlgo,
425
+ schema: () => schema
426
+ });
427
+ module.exports = __toCommonJS(index_exports);
424
428
 
425
429
  // src/agent/DidAuthSiopOpAuthenticator.ts
426
- var import_did_auth_siop4 = require("@sphereon/did-auth-siop");
427
- var import_ssi_sdk7 = require("@sphereon/ssi-sdk.data-store-types");
430
+ var import_did_auth_siop5 = require("@sphereon/did-auth-siop");
431
+ var import_ssi_sdk8 = require("@sphereon/ssi-sdk.data-store");
428
432
  var import_ssi_types7 = require("@sphereon/ssi-types");
429
433
  var import_uuid2 = require("uuid");
430
434
 
@@ -451,8 +455,10 @@ __name(createOID4VPPresentationSignCallback, "createOID4VPPresentationSignCallba
451
455
  async function createOPBuilder({ opOptions, idOpts: idOpts1, context }) {
452
456
  const eventEmitter = opOptions.eventEmitter ?? new import_events.EventEmitter();
453
457
  const builder = import_did_auth_siop.OP.builder().withResponseMode(opOptions.responseMode ?? import_did_auth_siop.ResponseMode.DIRECT_POST).withSupportedVersions(opOptions.supportedVersions ?? [
454
- import_did_auth_siop.SupportedVersion.OID4VP_v1,
455
- import_did_auth_siop.SupportedVersion.SIOPv2_OID4VP_D28
458
+ import_did_auth_siop.SupportedVersion.SIOPv2_ID1,
459
+ import_did_auth_siop.SupportedVersion.JWT_VC_PRESENTATION_PROFILE_v1,
460
+ import_did_auth_siop.SupportedVersion.SIOPv2_D11,
461
+ import_did_auth_siop.SupportedVersion.SIOPv2_D12_OID4VP_D18
456
462
  ]).withExpiresIn(opOptions.expiresIn ?? 300).withEventEmitter(eventEmitter).withRegistration({
457
463
  passBy: import_did_auth_siop.PassBy.VALUE
458
464
  });
@@ -579,15 +585,104 @@ function getSigningAlgo(type) {
579
585
  }
580
586
  __name(getSigningAlgo, "getSigningAlgo");
581
587
 
588
+ // src/session/OID4VP.ts
589
+ var import_did_auth_siop2 = require("@sphereon/did-auth-siop");
590
+ var import_pex = require("@sphereon/pex");
591
+ var import_ssi_sdk_ext2 = require("@sphereon/ssi-sdk-ext.identifier-resolution");
592
+ var import_ssi_sdk2 = require("@sphereon/ssi-sdk.core");
593
+ var import_ssi_sdk3 = require("@sphereon/ssi-sdk.credential-store");
594
+
595
+ // src/types/IDidAuthSiopOpAuthenticator.ts
596
+ var LOGGER_NAMESPACE = "sphereon:siopv2-oid4vp:op-auth";
597
+ var events = /* @__PURE__ */ (function(events2) {
598
+ events2["DID_SIOP_AUTHENTICATED"] = "didSiopAuthenticated";
599
+ return events2;
600
+ })({});
601
+ var DEFAULT_JWT_PROOF_TYPE = "JwtProof2020";
602
+
603
+ // src/types/siop-service/index.ts
604
+ var Siopv2HolderEvent = /* @__PURE__ */ (function(Siopv2HolderEvent2) {
605
+ Siopv2HolderEvent2["CONTACT_IDENTITY_CREATED"] = "contact_identity_created";
606
+ Siopv2HolderEvent2["IDENTIFIER_CREATED"] = "identifier_created";
607
+ return Siopv2HolderEvent2;
608
+ })({});
609
+ var SupportedLanguage = /* @__PURE__ */ (function(SupportedLanguage2) {
610
+ SupportedLanguage2["ENGLISH"] = "en";
611
+ SupportedLanguage2["DUTCH"] = "nl";
612
+ return SupportedLanguage2;
613
+ })({});
614
+
615
+ // src/types/machine/index.ts
616
+ var Siopv2MachineStates = /* @__PURE__ */ (function(Siopv2MachineStates2) {
617
+ Siopv2MachineStates2["createConfig"] = "createConfig";
618
+ Siopv2MachineStates2["getSiopRequest"] = "getSiopRequest";
619
+ Siopv2MachineStates2["getSelectableCredentials"] = "getSelectableCredentials";
620
+ Siopv2MachineStates2["retrieveContact"] = "retrieveContact";
621
+ Siopv2MachineStates2["transitionFromSetup"] = "transitionFromSetup";
622
+ Siopv2MachineStates2["addContact"] = "addContact";
623
+ Siopv2MachineStates2["addContactIdentity"] = "addContactIdentity";
624
+ Siopv2MachineStates2["selectCredentials"] = "selectCredentials";
625
+ Siopv2MachineStates2["sendResponse"] = "sendResponse";
626
+ Siopv2MachineStates2["handleError"] = "handleError";
627
+ Siopv2MachineStates2["aborted"] = "aborted";
628
+ Siopv2MachineStates2["declined"] = "declined";
629
+ Siopv2MachineStates2["error"] = "error";
630
+ Siopv2MachineStates2["done"] = "done";
631
+ return Siopv2MachineStates2;
632
+ })({});
633
+ var Siopv2MachineAddContactStates = /* @__PURE__ */ (function(Siopv2MachineAddContactStates2) {
634
+ Siopv2MachineAddContactStates2["idle"] = "idle";
635
+ Siopv2MachineAddContactStates2["executing"] = "executing";
636
+ Siopv2MachineAddContactStates2["next"] = "next";
637
+ return Siopv2MachineAddContactStates2;
638
+ })({});
639
+ var Siopv2MachineEvents = /* @__PURE__ */ (function(Siopv2MachineEvents2) {
640
+ Siopv2MachineEvents2["NEXT"] = "NEXT";
641
+ Siopv2MachineEvents2["PREVIOUS"] = "PREVIOUS";
642
+ Siopv2MachineEvents2["DECLINE"] = "DECLINE";
643
+ Siopv2MachineEvents2["SET_CONTACT_ALIAS"] = "SET_CONTACT_ALIAS";
644
+ Siopv2MachineEvents2["SET_CONTACT_CONSENT"] = "SET_CONTACT_CONSENT";
645
+ Siopv2MachineEvents2["CREATE_CONTACT"] = "CREATE_CONTACT";
646
+ Siopv2MachineEvents2["SET_SELECTED_CREDENTIALS"] = "SET_SELECTED_CREDENTIALS";
647
+ return Siopv2MachineEvents2;
648
+ })({});
649
+ var Siopv2MachineGuards = /* @__PURE__ */ (function(Siopv2MachineGuards2) {
650
+ Siopv2MachineGuards2["hasNoContactGuard"] = "Siopv2HasNoContactGuard";
651
+ Siopv2MachineGuards2["createContactGuard"] = "Siopv2CreateContactGuard";
652
+ Siopv2MachineGuards2["hasContactGuard"] = "Siopv2HasContactGuard";
653
+ Siopv2MachineGuards2["hasAuthorizationRequestGuard"] = "Siopv2HasAuthorizationRequestGuard";
654
+ Siopv2MachineGuards2["hasSelectableCredentialsAndContactGuard"] = "Siopv2HasSelectableCredentialsAndContactGuard";
655
+ Siopv2MachineGuards2["hasSelectedRequiredCredentialsGuard"] = "Siopv2HasSelectedRequiredCredentialsGuard";
656
+ Siopv2MachineGuards2["siopOnlyGuard"] = "Siopv2IsSiopOnlyGuard";
657
+ Siopv2MachineGuards2["siopWithOID4VPGuard"] = "Siopv2IsSiopWithOID4VPGuard";
658
+ return Siopv2MachineGuards2;
659
+ })({});
660
+ var Siopv2MachineServices = /* @__PURE__ */ (function(Siopv2MachineServices2) {
661
+ Siopv2MachineServices2["getSiopRequest"] = "getSiopRequest";
662
+ Siopv2MachineServices2["getSelectableCredentials"] = "getSelectableCredentials";
663
+ Siopv2MachineServices2["retrieveContact"] = "retrieveContact";
664
+ Siopv2MachineServices2["addContactIdentity"] = "addContactIdentity";
665
+ Siopv2MachineServices2["sendResponse"] = "sendResponse";
666
+ Siopv2MachineServices2["createConfig"] = "createConfig";
667
+ return Siopv2MachineServices2;
668
+ })({});
669
+
670
+ // src/types/identifier/index.ts
671
+ var DID_PREFIX = "did";
672
+
582
673
  // src/session/OID4VP.ts
583
674
  var OID4VP = class _OID4VP {
584
675
  static {
585
676
  __name(this, "OID4VP");
586
677
  }
587
- //private readonly session: OpSession
588
- // private readonly allIdentifiers: string[]
589
- // private readonly hasher?: HasherSync
678
+ session;
679
+ allIdentifiers;
680
+ hasher;
590
681
  constructor(args) {
682
+ const { session, allIdentifiers, hasher = import_ssi_sdk2.defaultHasher } = args;
683
+ this.session = session;
684
+ this.allIdentifiers = allIdentifiers ?? [];
685
+ this.hasher = hasher;
591
686
  }
592
687
  static async init(session, allIdentifiers, hasher) {
593
688
  return new _OID4VP({
@@ -596,14 +691,184 @@ var OID4VP = class _OID4VP {
596
691
  hasher
597
692
  });
598
693
  }
694
+ async getPresentationDefinitions() {
695
+ const definitions = await this.session.getPresentationDefinitions();
696
+ if (definitions) {
697
+ import_did_auth_siop2.PresentationExchange.assertValidPresentationDefinitionWithLocations(definitions);
698
+ }
699
+ return definitions;
700
+ }
701
+ getPresentationExchange(args) {
702
+ const { verifiableCredentials, allIdentifiers, hasher } = args;
703
+ return new import_did_auth_siop2.PresentationExchange({
704
+ allDIDs: allIdentifiers ?? this.allIdentifiers,
705
+ allVerifiableCredentials: verifiableCredentials,
706
+ hasher: hasher ?? this.hasher
707
+ });
708
+ }
709
+ async createVerifiablePresentations(credentialRole, credentialsWithDefinitions, opts) {
710
+ return await Promise.all(credentialsWithDefinitions.map((cred) => this.createVerifiablePresentation(credentialRole, cred, opts)));
711
+ }
712
+ async createVerifiablePresentation(credentialRole, selectedVerifiableCredentials, opts) {
713
+ const { subjectIsHolder, holder, forceNoCredentialsInVP = false } = {
714
+ ...opts
715
+ };
716
+ if (subjectIsHolder && holder) {
717
+ throw Error("Cannot both have subject is holder and a holderDID value at the same time (programming error)");
718
+ }
719
+ if (forceNoCredentialsInVP) {
720
+ selectedVerifiableCredentials.credentials = [];
721
+ } else if (!selectedVerifiableCredentials?.credentials || selectedVerifiableCredentials.credentials.length === 0) {
722
+ throw Error("No verifiable verifiableCredentials provided for presentation definition");
723
+ }
724
+ const proofOptions = {
725
+ ...opts?.proofOpts,
726
+ challenge: opts?.proofOpts?.nonce ?? opts?.proofOpts?.challenge ?? this.session.nonce,
727
+ domain: opts?.proofOpts?.domain ?? await this.session.getRedirectUri()
728
+ };
729
+ let idOpts2 = opts?.idOpts;
730
+ if (!idOpts2) {
731
+ if (opts?.subjectIsHolder) {
732
+ if (forceNoCredentialsInVP) {
733
+ return Promise.reject(Error(`Cannot have subject is holder, when force no credentials is being used, as we could never determine the holder then. Please provide holderDID`));
734
+ }
735
+ const firstUniqueDC = selectedVerifiableCredentials.credentials[0];
736
+ if (typeof firstUniqueDC !== "object" || !("digitalCredential" in firstUniqueDC)) {
737
+ return Promise.reject(Error("If no opts provided, credentials should be of type UniqueDigitalCredential"));
738
+ }
739
+ idOpts2 = (0, import_ssi_sdk_ext2.isOID4VCIssuerIdentifier)(firstUniqueDC.digitalCredential.kmsKeyRef) ? await this.session.context.agent.identifierManagedGetByIssuer({
740
+ identifier: firstUniqueDC.digitalCredential.kmsKeyRef
741
+ }) : await this.session.context.agent.identifierManagedGetByKid({
742
+ identifier: firstUniqueDC.digitalCredential.kmsKeyRef,
743
+ kmsKeyRef: firstUniqueDC.digitalCredential.kmsKeyRef
744
+ });
745
+ } else if (opts?.holder) {
746
+ idOpts2 = {
747
+ identifier: opts.holder
748
+ };
749
+ }
750
+ }
751
+ const vcs = forceNoCredentialsInVP ? selectedVerifiableCredentials : opts?.applyFilter ? await this.filterCredentials(credentialRole, selectedVerifiableCredentials.definition, {
752
+ restrictToFormats: opts?.restrictToFormats,
753
+ restrictToDIDMethods: opts?.restrictToDIDMethods,
754
+ filterOpts: {
755
+ verifiableCredentials: selectedVerifiableCredentials.credentials
756
+ }
757
+ }) : {
758
+ definition: selectedVerifiableCredentials.definition,
759
+ credentials: selectedVerifiableCredentials.credentials
760
+ };
761
+ if (!idOpts2) {
762
+ return Promise.reject(Error(`No identifier options present at this point`));
763
+ }
764
+ const signCallback = await createOID4VPPresentationSignCallback({
765
+ presentationSignCallback: this.session.options.presentationSignCallback,
766
+ idOpts: idOpts2,
767
+ context: this.session.context,
768
+ domain: proofOptions.domain,
769
+ challenge: proofOptions.challenge,
770
+ format: opts?.restrictToFormats ?? selectedVerifiableCredentials.definition.definition.format,
771
+ skipDidResolution: opts?.skipDidResolution ?? false
772
+ });
773
+ const identifier = await this.session.context.agent.identifierManagedGet(idOpts2);
774
+ const verifiableCredentials = vcs.credentials.map((credential) => typeof credential === "object" && "digitalCredential" in credential ? credential.originalVerifiableCredential : credential);
775
+ const presentationResult = await this.getPresentationExchange({
776
+ verifiableCredentials,
777
+ allIdentifiers: this.allIdentifiers,
778
+ hasher: opts?.hasher
779
+ }).createVerifiablePresentation(vcs.definition.definition, verifiableCredentials, signCallback, {
780
+ proofOptions,
781
+ // fixme: Update to newer siop-vp to not require dids here. But when Veramo is creating the VP it's still looking at this field to pass into didManagerGet
782
+ ...identifier && (0, import_ssi_sdk_ext2.isManagedIdentifierDidResult)(identifier) && {
783
+ holderDID: identifier.did
784
+ }
785
+ });
786
+ const verifiablePresentations = presentationResult.verifiablePresentations.map((verifiablePresentation) => typeof verifiablePresentation !== "string" && "proof" in verifiablePresentation && "jwt" in verifiablePresentation.proof && verifiablePresentation.proof.jwt ? verifiablePresentation.proof.jwt : verifiablePresentation);
787
+ return {
788
+ ...presentationResult,
789
+ verifiablePresentations,
790
+ verifiableCredentials,
791
+ definition: selectedVerifiableCredentials.definition,
792
+ idOpts: idOpts2
793
+ };
794
+ }
795
+ async filterCredentialsAgainstAllDefinitions(credentialRole, opts) {
796
+ const defs = await this.getPresentationDefinitions();
797
+ const result = [];
798
+ if (defs) {
799
+ for (const definition of defs) {
800
+ result.push(await this.filterCredentials(credentialRole, definition, opts));
801
+ }
802
+ }
803
+ return result;
804
+ }
805
+ async filterCredentials(credentialRole, presentationDefinition, opts) {
806
+ const udcMap = /* @__PURE__ */ new Map();
807
+ opts?.filterOpts?.verifiableCredentials?.forEach((credential) => {
808
+ if (typeof credential === "object" && "digitalCredential" in credential) {
809
+ udcMap.set(credential.originalVerifiableCredential, credential);
810
+ } else {
811
+ udcMap.set(credential, credential);
812
+ }
813
+ });
814
+ const credentials = (await this.filterCredentialsWithSelectionStatus(credentialRole, presentationDefinition, {
815
+ ...opts,
816
+ filterOpts: {
817
+ verifiableCredentials: opts?.filterOpts?.verifiableCredentials?.map((credential) => {
818
+ if (typeof credential === "object" && "digitalCredential" in credential) {
819
+ return credential.originalVerifiableCredential;
820
+ } else {
821
+ return credential;
822
+ }
823
+ })
824
+ }
825
+ })).verifiableCredential;
826
+ return {
827
+ definition: presentationDefinition,
828
+ credentials: credentials?.map((vc) => udcMap.get(vc)) ?? []
829
+ };
830
+ }
831
+ async filterCredentialsWithSelectionStatus(credentialRole, presentationDefinition, opts) {
832
+ const selectionResults = await this.getPresentationExchange({
833
+ verifiableCredentials: await this.getCredentials(credentialRole, opts?.filterOpts)
834
+ }).selectVerifiableCredentialsForSubmission(presentationDefinition.definition, opts);
835
+ if (selectionResults.errors && selectionResults.errors.length > 0) {
836
+ throw Error(JSON.stringify(selectionResults.errors));
837
+ } else if (selectionResults.areRequiredCredentialsPresent === import_pex.Status.ERROR) {
838
+ throw Error(`Not all required credentials are available to satisfy the relying party's request`);
839
+ }
840
+ const matches = selectionResults.matches;
841
+ if (!matches || matches.length === 0 || !selectionResults.verifiableCredential || selectionResults.verifiableCredential.length === 0) {
842
+ throw Error(JSON.stringify(selectionResults.errors));
843
+ }
844
+ return selectionResults;
845
+ }
846
+ async getCredentials(credentialRole, filterOpts) {
847
+ if (filterOpts?.verifiableCredentials && filterOpts.verifiableCredentials.length > 0) {
848
+ return filterOpts.verifiableCredentials;
849
+ }
850
+ const filter = (0, import_ssi_sdk3.verifiableCredentialForRoleFilter)(credentialRole, filterOpts?.filter);
851
+ const uniqueCredentials = await this.session.context.agent.crsGetUniqueCredentials({
852
+ filter
853
+ });
854
+ return uniqueCredentials.map((uniqueVC) => {
855
+ const vc = uniqueVC.uniformVerifiableCredential;
856
+ const proof = Array.isArray(vc.proof) ? vc.proof : [
857
+ vc.proof
858
+ ];
859
+ const jwtProof = proof.find((p) => p?.type === DEFAULT_JWT_PROOF_TYPE);
860
+ return jwtProof ? jwtProof.jwt : vc;
861
+ });
862
+ }
599
863
  };
600
864
 
601
865
  // src/session/OpSession.ts
602
- var import_did_auth_siop2 = require("@sphereon/did-auth-siop");
603
- var import_ssi_sdk_ext2 = require("@sphereon/ssi-sdk-ext.did-utils");
604
- var import_ssi_sdk2 = require("@sphereon/ssi-sdk.core");
866
+ var import_did_auth_siop3 = require("@sphereon/did-auth-siop");
867
+ var import_ssi_sdk_ext3 = require("@sphereon/ssi-sdk-ext.did-utils");
868
+ var import_ssi_sdk4 = require("@sphereon/ssi-sdk.core");
605
869
  var import_ssi_types = require("@sphereon/ssi-types");
606
870
  var import_uuid = require("uuid");
871
+ var import_pex2 = require("@sphereon/pex");
607
872
  var import_ssi_types2 = require("@sphereon/ssi-types");
608
873
  var logger = import_ssi_types2.Loggers.DEFAULT.get("sphereon:oid4vp:OpSession");
609
874
  var OpSession = class _OpSession {
@@ -618,11 +883,13 @@ var OpSession = class _OpSession {
618
883
  verifiedAuthorizationRequest;
619
884
  _nonce;
620
885
  _state;
886
+ _providedPresentationDefinitions;
621
887
  constructor(options) {
622
888
  this.id = options.sessionId;
623
889
  this.options = options.op;
624
890
  this.context = options.context;
625
891
  this.requestJwtOrUri = options.requestJwtOrUri;
892
+ this._providedPresentationDefinitions = options.providedPresentationDefinitions;
626
893
  }
627
894
  static async init(options) {
628
895
  return new _OpSession(options);
@@ -641,7 +908,7 @@ var OpSession = class _OpSession {
641
908
  return this.verifiedAuthorizationRequest;
642
909
  }
643
910
  async getAuthorizationRequestURI() {
644
- return await import_did_auth_siop2.URI.fromAuthorizationRequest((await this.getAuthorizationRequest()).authorizationRequest);
911
+ return await import_did_auth_siop3.URI.fromAuthorizationRequest((await this.getAuthorizationRequest()).authorizationRequest);
645
912
  }
646
913
  get nonce() {
647
914
  if (!this._nonce) {
@@ -676,7 +943,7 @@ var OpSession = class _OpSession {
676
943
  }
677
944
  let intersection;
678
945
  if (rpMethods.dids.includes("did")) {
679
- intersection = agentMethods && agentMethods.length > 0 ? agentMethods : (await (0, import_ssi_sdk_ext2.getAgentDIDMethods)(this.context)).map((method) => convertDidMethod(method, didPrefix));
946
+ intersection = agentMethods && agentMethods.length > 0 ? agentMethods : (await (0, import_ssi_sdk_ext3.getAgentDIDMethods)(this.context)).map((method) => convertDidMethod(method, didPrefix));
680
947
  } else if (!agentMethods || agentMethods.length === 0) {
681
948
  intersection = rpMethods.dids?.map((method) => convertDidMethod(method, didPrefix));
682
949
  } else {
@@ -720,7 +987,7 @@ var OpSession = class _OpSession {
720
987
  subjectSyntaxTypesSupported
721
988
  ]).map((method) => convertDidMethod(method, opts.didPrefix));
722
989
  }
723
- const isEBSI = rpMethods.length === 0 && (authReq.issuer?.includes(".ebsi.eu") || authReq.authorizationRequest.getMergedProperty("client_id")?.includes(".ebsi.eu"));
990
+ const isEBSI = rpMethods.length === 0 && (authReq.issuer?.includes(".ebsi.eu") || (await authReq.authorizationRequest.getMergedProperty("client_id"))?.includes(".ebsi.eu"));
724
991
  let codecName = void 0;
725
992
  if (isEBSI && (!aud || !aud.startsWith("http"))) {
726
993
  logger.debug(`EBSI detected, adding did:key to supported DID methods for RP`);
@@ -775,14 +1042,56 @@ var OpSession = class _OpSession {
775
1042
  async getRedirectUri() {
776
1043
  return Promise.resolve(this.verifiedAuthorizationRequest.responseURI);
777
1044
  }
1045
+ async hasPresentationDefinitions() {
1046
+ const defs = this._providedPresentationDefinitions ?? (await this.getAuthorizationRequest()).presentationDefinitions;
1047
+ return defs !== void 0 && defs.length > 0;
1048
+ }
1049
+ async getPresentationDefinitions() {
1050
+ if (!await this.hasPresentationDefinitions()) {
1051
+ throw Error(`No presentation definitions found`);
1052
+ }
1053
+ return this._providedPresentationDefinitions ?? (await this.getAuthorizationRequest()).presentationDefinitions;
1054
+ }
778
1055
  async getOID4VP(args) {
779
1056
  return await OID4VP.init(this, args.allIdentifiers ?? [], args.hasher);
780
1057
  }
1058
+ createPresentationVerificationCallback(context) {
1059
+ async function presentationVerificationCallback(args, presentationSubmission) {
1060
+ let result;
1061
+ if (import_ssi_types.CredentialMapper.isSdJwtEncoded(args)) {
1062
+ try {
1063
+ const sdJwtResult = await context.agent.verifySdJwtPresentation({
1064
+ presentation: args
1065
+ });
1066
+ result = {
1067
+ verified: "header" in sdJwtResult,
1068
+ error: "header" in sdJwtResult ? void 0 : {
1069
+ message: "could not verify SD JWT presentation"
1070
+ }
1071
+ };
1072
+ } catch (error) {
1073
+ result = {
1074
+ verified: false,
1075
+ error: {
1076
+ message: error.message
1077
+ }
1078
+ };
1079
+ }
1080
+ } else {
1081
+ result = await context.agent.verifyPresentation({
1082
+ presentation: args
1083
+ });
1084
+ }
1085
+ return result;
1086
+ }
1087
+ __name(presentationVerificationCallback, "presentationVerificationCallback");
1088
+ return presentationVerificationCallback;
1089
+ }
781
1090
  async createJarmResponseCallback({ responseOpts }) {
782
1091
  const agent = this.context.agent;
783
1092
  return /* @__PURE__ */ __name(async function jarmResponse(opts) {
784
1093
  const { clientMetadata, requestObjectPayload, authorizationResponsePayload: authResponse } = opts;
785
- const jwk = await import_did_auth_siop2.OP.extractEncJwksFromClientMetadata(clientMetadata);
1094
+ const jwk = await import_did_auth_siop3.OP.extractEncJwksFromClientMetadata(clientMetadata);
786
1095
  const recipientKey = await agent.identifierExternalResolveByJwk({
787
1096
  identifier: jwk
788
1097
  });
@@ -791,8 +1100,8 @@ var OpSession = class _OpSession {
791
1100
  protectedHeader: {},
792
1101
  alg: requestObjectPayload.client_metadata.authorization_encrypted_response_alg ?? "ECDH-ES",
793
1102
  enc: requestObjectPayload.client_metadata.authorization_encrypted_response_enc ?? "A256GCM",
794
- apv: (0, import_ssi_sdk2.encodeBase64url)(opts.requestObjectPayload.nonce),
795
- apu: (0, import_ssi_sdk2.encodeBase64url)((0, import_uuid.v4)()),
1103
+ apv: (0, import_ssi_sdk4.encodeBase64url)(opts.requestObjectPayload.nonce),
1104
+ apu: (0, import_ssi_sdk4.encodeBase64url)((0, import_uuid.v4)()),
796
1105
  payload: authResponse,
797
1106
  issuer: responseOpts.issuer,
798
1107
  audience: responseOpts.audience
@@ -804,9 +1113,8 @@ var OpSession = class _OpSession {
804
1113
  }, "jarmResponse");
805
1114
  }
806
1115
  async sendAuthorizationResponse(args) {
807
- const { responseSignerOpts, dcqlResponse, isFirstParty } = args;
808
1116
  const resolveOpts = this.options.resolveOpts ?? {
809
- resolver: (0, import_ssi_sdk_ext2.getAgentResolver)(this.context, {
1117
+ resolver: (0, import_ssi_sdk_ext3.getAgentResolver)(this.context, {
810
1118
  uniresolverResolution: true,
811
1119
  localResolution: true,
812
1120
  resolverResolution: true
@@ -815,7 +1123,23 @@ var OpSession = class _OpSession {
815
1123
  if (!resolveOpts.subjectSyntaxTypesSupported || resolveOpts.subjectSyntaxTypesSupported.length === 0) {
816
1124
  resolveOpts.subjectSyntaxTypesSupported = await this.getSupportedDIDMethods(true);
817
1125
  }
1126
+ const verification = {
1127
+ presentationVerificationCallback: this.createPresentationVerificationCallback(this.context)
1128
+ };
818
1129
  const request = await this.getAuthorizationRequest();
1130
+ const hasDefinitions = await this.hasPresentationDefinitions();
1131
+ if (hasDefinitions) {
1132
+ const totalInputDescriptors = request.presentationDefinitions?.reduce((sum, pd) => {
1133
+ return sum + pd.definition.input_descriptors.length;
1134
+ }, 0);
1135
+ const totalVCs = args.verifiablePresentations ? this.countVCsInAllVPs(args.verifiablePresentations, args.hasher) : 0;
1136
+ if (!request.presentationDefinitions || !args.verifiablePresentations || totalVCs !== totalInputDescriptors) {
1137
+ throw Error(`Amount of presentations ${args.verifiablePresentations?.length}, doesn't match expected ${request.presentationDefinitions?.length}`);
1138
+ } else if (!args.presentationSubmission) {
1139
+ throw Error(`Presentation submission is required when verifiable presentations are required`);
1140
+ }
1141
+ }
1142
+ const verifiablePresentations = args.verifiablePresentations ? args.verifiablePresentations.map((vp) => import_ssi_types.CredentialMapper.storedPresentationToOriginalFormat(vp)) : [];
819
1143
  const op = await createOP({
820
1144
  opOptions: {
821
1145
  ...this.options,
@@ -827,16 +1151,23 @@ var OpSession = class _OpSession {
827
1151
  wellknownDIDVerifyCallback: this.options.wellknownDIDVerifyCallback,
828
1152
  supportedVersions: request.versions
829
1153
  },
830
- idOpts: responseSignerOpts,
1154
+ idOpts: args.responseSignerOpts,
831
1155
  context: this.context
832
1156
  });
833
- let issuer = responseSignerOpts.issuer;
1157
+ let issuer = args.responseSignerOpts.issuer;
834
1158
  const responseOpts = {
1159
+ verification,
835
1160
  issuer,
836
- ...isFirstParty && {
837
- isFirstParty
1161
+ ...args.isFirstParty && {
1162
+ isFirstParty: args.isFirstParty
1163
+ },
1164
+ ...args.verifiablePresentations && {
1165
+ presentationExchange: {
1166
+ verifiablePresentations,
1167
+ presentationSubmission: args.presentationSubmission
1168
+ }
838
1169
  },
839
- dcqlResponse
1170
+ dcqlQuery: args.dcqlResponse
840
1171
  };
841
1172
  const authResponse = await op.createAuthorizationResponse(request, responseOpts);
842
1173
  const response = await op.submitAuthorizationResponse(authResponse, await this.createJarmResponseCallback({
@@ -848,6 +1179,24 @@ var OpSession = class _OpSession {
848
1179
  return response;
849
1180
  }
850
1181
  }
1182
+ countVCsInAllVPs(verifiablePresentations, hasher) {
1183
+ return verifiablePresentations.reduce((sum, vp) => {
1184
+ if (import_ssi_types.CredentialMapper.isMsoMdocDecodedPresentation(vp) || import_ssi_types.CredentialMapper.isMsoMdocOid4VPEncoded(vp)) {
1185
+ return sum + 1;
1186
+ }
1187
+ const uvp = import_ssi_types.CredentialMapper.toUniformPresentation(vp, {
1188
+ hasher: hasher ?? this.options.hasher
1189
+ });
1190
+ if (uvp.verifiableCredential?.length) {
1191
+ return sum + uvp.verifiableCredential?.length;
1192
+ }
1193
+ const isSdJWT = import_ssi_types.CredentialMapper.isSdJwtDecodedCredential(uvp);
1194
+ if (isSdJWT || uvp.verifiableCredential && !import_pex2.PEX.allowMultipleVCsPerPresentation(uvp.verifiableCredential)) {
1195
+ return sum + 1;
1196
+ }
1197
+ return sum;
1198
+ }, 0);
1199
+ }
851
1200
  };
852
1201
  function convertDidMethod(didMethod, didPrefix) {
853
1202
  if (didPrefix === false) {
@@ -857,79 +1206,10 @@ function convertDidMethod(didMethod, didPrefix) {
857
1206
  }
858
1207
  __name(convertDidMethod, "convertDidMethod");
859
1208
 
860
- // src/types/IDidAuthSiopOpAuthenticator.ts
861
- var LOGGER_NAMESPACE = "sphereon:siopv2-oid4vp:op-auth";
862
- var DEFAULT_JWT_PROOF_TYPE = "JwtProof2020";
863
-
864
- // src/types/siop-service/index.ts
865
- var Siopv2HolderEvent = /* @__PURE__ */ (function(Siopv2HolderEvent2) {
866
- Siopv2HolderEvent2["CONTACT_IDENTITY_CREATED"] = "contact_identity_created";
867
- Siopv2HolderEvent2["IDENTIFIER_CREATED"] = "identifier_created";
868
- return Siopv2HolderEvent2;
869
- })({});
870
- var SupportedLanguage = /* @__PURE__ */ (function(SupportedLanguage2) {
871
- SupportedLanguage2["ENGLISH"] = "en";
872
- SupportedLanguage2["DUTCH"] = "nl";
873
- return SupportedLanguage2;
874
- })({});
875
-
876
- // src/types/machine/index.ts
877
- var Siopv2MachineStates = /* @__PURE__ */ (function(Siopv2MachineStates2) {
878
- Siopv2MachineStates2["createConfig"] = "createConfig";
879
- Siopv2MachineStates2["getSiopRequest"] = "getSiopRequest";
880
- Siopv2MachineStates2["getSelectableCredentials"] = "getSelectableCredentials";
881
- Siopv2MachineStates2["retrieveContact"] = "retrieveContact";
882
- Siopv2MachineStates2["transitionFromSetup"] = "transitionFromSetup";
883
- Siopv2MachineStates2["addContact"] = "addContact";
884
- Siopv2MachineStates2["addContactIdentity"] = "addContactIdentity";
885
- Siopv2MachineStates2["selectCredentials"] = "selectCredentials";
886
- Siopv2MachineStates2["sendResponse"] = "sendResponse";
887
- Siopv2MachineStates2["handleError"] = "handleError";
888
- Siopv2MachineStates2["aborted"] = "aborted";
889
- Siopv2MachineStates2["declined"] = "declined";
890
- Siopv2MachineStates2["error"] = "error";
891
- Siopv2MachineStates2["done"] = "done";
892
- return Siopv2MachineStates2;
893
- })({});
894
- var Siopv2MachineAddContactStates = /* @__PURE__ */ (function(Siopv2MachineAddContactStates2) {
895
- Siopv2MachineAddContactStates2["idle"] = "idle";
896
- Siopv2MachineAddContactStates2["executing"] = "executing";
897
- Siopv2MachineAddContactStates2["next"] = "next";
898
- return Siopv2MachineAddContactStates2;
899
- })({});
900
- var Siopv2MachineEvents = /* @__PURE__ */ (function(Siopv2MachineEvents2) {
901
- Siopv2MachineEvents2["NEXT"] = "NEXT";
902
- Siopv2MachineEvents2["PREVIOUS"] = "PREVIOUS";
903
- Siopv2MachineEvents2["DECLINE"] = "DECLINE";
904
- Siopv2MachineEvents2["SET_CONTACT_ALIAS"] = "SET_CONTACT_ALIAS";
905
- Siopv2MachineEvents2["SET_CONTACT_CONSENT"] = "SET_CONTACT_CONSENT";
906
- Siopv2MachineEvents2["CREATE_CONTACT"] = "CREATE_CONTACT";
907
- Siopv2MachineEvents2["SET_SELECTED_CREDENTIALS"] = "SET_SELECTED_CREDENTIALS";
908
- return Siopv2MachineEvents2;
909
- })({});
910
- var Siopv2MachineGuards = /* @__PURE__ */ (function(Siopv2MachineGuards2) {
911
- Siopv2MachineGuards2["hasNoContactGuard"] = "Siopv2HasNoContactGuard";
912
- Siopv2MachineGuards2["createContactGuard"] = "Siopv2CreateContactGuard";
913
- Siopv2MachineGuards2["hasContactGuard"] = "Siopv2HasContactGuard";
914
- Siopv2MachineGuards2["hasAuthorizationRequestGuard"] = "Siopv2HasAuthorizationRequestGuard";
915
- Siopv2MachineGuards2["hasSelectableCredentialsAndContactGuard"] = "Siopv2HasSelectableCredentialsAndContactGuard";
916
- Siopv2MachineGuards2["hasSelectedRequiredCredentialsGuard"] = "Siopv2HasSelectedRequiredCredentialsGuard";
917
- Siopv2MachineGuards2["siopOnlyGuard"] = "Siopv2IsSiopOnlyGuard";
918
- Siopv2MachineGuards2["siopWithOID4VPGuard"] = "Siopv2IsSiopWithOID4VPGuard";
919
- return Siopv2MachineGuards2;
920
- })({});
921
- var Siopv2MachineServices = /* @__PURE__ */ (function(Siopv2MachineServices2) {
922
- Siopv2MachineServices2["getSiopRequest"] = "getSiopRequest";
923
- Siopv2MachineServices2["getSelectableCredentials"] = "getSelectableCredentials";
924
- Siopv2MachineServices2["retrieveContact"] = "retrieveContact";
925
- Siopv2MachineServices2["addContactIdentity"] = "addContactIdentity";
926
- Siopv2MachineServices2["sendResponse"] = "sendResponse";
927
- Siopv2MachineServices2["createConfig"] = "createConfig";
928
- return Siopv2MachineServices2;
929
- })({});
930
-
931
- // src/types/identifier/index.ts
932
- var DID_PREFIX = "did";
1209
+ // src/agent/DidAuthSiopOpAuthenticator.ts
1210
+ var import_pex4 = require("@sphereon/pex");
1211
+ var import_utils = require("@veramo/utils");
1212
+ var import_dcql3 = require("dcql");
933
1213
 
934
1214
  // src/machine/Siopv2Machine.ts
935
1215
  var import_xstate = require("xstate");
@@ -998,7 +1278,7 @@ var Siopv2HasSelectableCredentialsAndContactGuard = /* @__PURE__ */ __name((_ctx
998
1278
  if (!contact) {
999
1279
  throw new Error("Missing contact request data in context");
1000
1280
  }
1001
- return authorizationRequestData.dcqlQuery !== void 0;
1281
+ return authorizationRequestData.presentationDefinitions !== void 0;
1002
1282
  }, "Siopv2HasSelectableCredentialsAndContactGuard");
1003
1283
  var Siopv2CreateContactGuard = /* @__PURE__ */ __name((_ctx, _event) => {
1004
1284
  const { contactAlias, hasContactConsent } = _ctx;
@@ -1009,7 +1289,7 @@ var Siopv2HasSelectedRequiredCredentialsGuard = /* @__PURE__ */ __name((_ctx, _e
1009
1289
  if (authorizationRequestData === void 0) {
1010
1290
  throw new Error("Missing authorization request data in context");
1011
1291
  }
1012
- if (authorizationRequestData.dcqlQuery === void 0) {
1292
+ if (authorizationRequestData.presentationDefinitions === void 0 || authorizationRequestData.presentationDefinitions.length === 0) {
1013
1293
  throw Error("No presentation definitions present");
1014
1294
  }
1015
1295
  return _ctx.selectedCredentials.length > 0;
@@ -1019,7 +1299,7 @@ var Siopv2IsSiopOnlyGuard = /* @__PURE__ */ __name((_ctx, _event) => {
1019
1299
  if (authorizationRequestData === void 0) {
1020
1300
  throw new Error("Missing authorization request data in context");
1021
1301
  }
1022
- return authorizationRequestData.dcqlQuery === void 0;
1302
+ return authorizationRequestData.presentationDefinitions === void 0;
1023
1303
  }, "Siopv2IsSiopOnlyGuard");
1024
1304
  var Siopv2IsSiopWithOID4VPGuard = /* @__PURE__ */ __name((_ctx, _event) => {
1025
1305
  const { authorizationRequestData, selectableCredentialsMap } = _ctx;
@@ -1029,7 +1309,7 @@ var Siopv2IsSiopWithOID4VPGuard = /* @__PURE__ */ __name((_ctx, _event) => {
1029
1309
  if (!selectableCredentialsMap) {
1030
1310
  throw new Error("Missing selectableCredentialsMap in context");
1031
1311
  }
1032
- return authorizationRequestData.dcqlQuery !== void 0;
1312
+ return authorizationRequestData.presentationDefinitions !== void 0;
1033
1313
  }, "Siopv2IsSiopWithOID4VPGuard");
1034
1314
  var createSiopv2Machine = /* @__PURE__ */ __name((opts) => {
1035
1315
  const { url, idOpts: idOpts2 } = opts;
@@ -1344,223 +1624,368 @@ var Siopv2Machine = class {
1344
1624
  };
1345
1625
 
1346
1626
  // src/services/Siopv2MachineService.ts
1347
- var import_utils = require("@sphereon/pex/dist/main/lib/utils/index.js");
1348
- var import_ssi_sdk_ext3 = require("@sphereon/ssi-sdk-ext.did-utils");
1627
+ var import_did_auth_siop4 = require("@sphereon/did-auth-siop");
1628
+ var import_pex3 = require("@sphereon/pex");
1349
1629
  var import_ssi_sdk_ext4 = require("@sphereon/ssi-sdk-ext.identifier-resolution");
1350
- var import_ssi_sdk3 = require("@sphereon/ssi-sdk.core");
1351
- var import_ssi_sdk4 = require("@sphereon/ssi-sdk.credential-store");
1352
- var import_ssi_sdk5 = require("@sphereon/ssi-sdk.data-store-types");
1353
- var import_ssi_sdk6 = require("@sphereon/ssi-sdk.sd-jwt");
1630
+ var import_ssi_sdk5 = require("@sphereon/ssi-sdk.credential-store");
1631
+ var import_ssi_sdk6 = require("@sphereon/ssi-sdk.data-store");
1354
1632
  var import_ssi_types6 = require("@sphereon/ssi-types");
1633
+ var import_ssi_sdk_ext5 = require("@sphereon/ssi-sdk-ext.did-utils");
1634
+ var import_ssi_sdk7 = require("@sphereon/ssi-sdk.core");
1355
1635
  var import_dcql = require("dcql");
1356
1636
 
1357
1637
  // src/utils/dcql.ts
1358
1638
  var import_ssi_types5 = require("@sphereon/ssi-types");
1359
- var import_did_auth_siop3 = require("@sphereon/did-auth-siop");
1360
1639
 
1361
1640
  // src/utils/CredentialUtils.ts
1362
1641
  var import_ssi_types4 = require("@sphereon/ssi-types");
1642
+ var getOriginalVerifiableCredential = /* @__PURE__ */ __name((credential) => {
1643
+ if (isUniqueDigitalCredential(credential)) {
1644
+ if (!credential.originalVerifiableCredential) {
1645
+ throw new Error("originalVerifiableCredential is not defined in UniqueDigitalCredential");
1646
+ }
1647
+ return getCredentialFromProofOrWrapped(credential.originalVerifiableCredential);
1648
+ }
1649
+ return getCredentialFromProofOrWrapped(credential);
1650
+ }, "getOriginalVerifiableCredential");
1651
+ var getCredentialFromProofOrWrapped = /* @__PURE__ */ __name((cred, hasher) => {
1652
+ if (typeof cred === "object" && "proof" in cred && "jwt" in cred.proof && import_ssi_types4.CredentialMapper.isSdJwtEncoded(cred.proof.jwt)) {
1653
+ return cred.proof.jwt;
1654
+ }
1655
+ return import_ssi_types4.CredentialMapper.toWrappedVerifiableCredential(cred, {
1656
+ hasher
1657
+ }).original;
1658
+ }, "getCredentialFromProofOrWrapped");
1363
1659
  var isUniqueDigitalCredential = /* @__PURE__ */ __name((credential) => {
1364
1660
  return credential.digitalCredential !== void 0;
1365
1661
  }, "isUniqueDigitalCredential");
1366
1662
 
1367
1663
  // src/utils/dcql.ts
1368
1664
  function convertToDcqlCredentials(credential, hasher) {
1369
- let originalVerifiableCredential;
1665
+ let payload;
1370
1666
  if (isUniqueDigitalCredential(credential)) {
1371
1667
  if (!credential.originalVerifiableCredential) {
1372
1668
  throw new Error("originalVerifiableCredential is not defined in UniqueDigitalCredential");
1373
1669
  }
1374
- originalVerifiableCredential = import_ssi_types5.CredentialMapper.decodeVerifiableCredential(credential.originalVerifiableCredential, hasher);
1670
+ payload = import_ssi_types5.CredentialMapper.decodeVerifiableCredential(credential.originalVerifiableCredential, hasher);
1375
1671
  } else {
1376
- originalVerifiableCredential = import_ssi_types5.CredentialMapper.decodeVerifiableCredential(credential, hasher);
1672
+ payload = import_ssi_types5.CredentialMapper.decodeVerifiableCredential(credential, hasher);
1377
1673
  }
1378
- if (!originalVerifiableCredential) {
1674
+ if (!payload) {
1379
1675
  throw new Error("No payload found");
1380
1676
  }
1381
- if (import_ssi_types5.CredentialMapper.isJwtDecodedCredential(originalVerifiableCredential)) {
1382
- return import_did_auth_siop3.Dcql.toDcqlJwtCredential(import_ssi_types5.CredentialMapper.toWrappedVerifiableCredential(originalVerifiableCredential));
1383
- } else if (import_ssi_types5.CredentialMapper.isSdJwtDecodedCredential(originalVerifiableCredential)) {
1384
- return import_did_auth_siop3.Dcql.toDcqlSdJwtCredential(import_ssi_types5.CredentialMapper.toWrappedVerifiableCredential(originalVerifiableCredential));
1385
- } else if (import_ssi_types5.CredentialMapper.isMsoMdocDecodedCredential(originalVerifiableCredential)) {
1386
- return import_did_auth_siop3.Dcql.toDcqlMdocCredential(import_ssi_types5.CredentialMapper.toWrappedVerifiableCredential(originalVerifiableCredential));
1387
- } else if (import_ssi_types5.CredentialMapper.isW3cCredential(originalVerifiableCredential)) {
1388
- return import_did_auth_siop3.Dcql.toDcqlJsonLdCredential(import_ssi_types5.CredentialMapper.toWrappedVerifiableCredential(originalVerifiableCredential));
1677
+ if ("decodedPayload" in payload && payload.decodedPayload) {
1678
+ payload = payload.decodedPayload;
1679
+ }
1680
+ if ("vct" in payload) {
1681
+ return {
1682
+ vct: payload.vct,
1683
+ claims: payload,
1684
+ credential_format: "vc+sd-jwt"
1685
+ };
1686
+ } else if ("docType" in payload && "namespaces" in payload) {
1687
+ return {
1688
+ docType: payload.docType,
1689
+ namespaces: payload.namespaces,
1690
+ claims: payload
1691
+ };
1692
+ } else {
1693
+ return {
1694
+ claims: payload,
1695
+ credential_format: "jwt_vc_json"
1696
+ };
1389
1697
  }
1390
- throw Error(`Unable to map credential to DCQL credential. Credential: ${JSON.stringify(originalVerifiableCredential)}`);
1391
1698
  }
1392
1699
  __name(convertToDcqlCredentials, "convertToDcqlCredentials");
1393
1700
 
1394
1701
  // src/services/Siopv2MachineService.ts
1395
- var CLOCK_SKEW = 120;
1396
1702
  var logger3 = import_ssi_types6.Loggers.DEFAULT.get(LOGGER_NAMESPACE);
1703
+ var createEbsiIdentifier = /* @__PURE__ */ __name(async (agentContext) => {
1704
+ logger3.log(`No EBSI key present yet. Creating a new one...`);
1705
+ const { result: newIdentifier, created } = await (0, import_ssi_sdk_ext5.getOrCreatePrimaryIdentifier)(agentContext, {
1706
+ method: import_ssi_sdk_ext5.SupportedDidMethodEnum.DID_KEY,
1707
+ createOpts: {
1708
+ options: {
1709
+ codecName: "jwk_jcs-pub",
1710
+ type: "Secp256r1"
1711
+ }
1712
+ }
1713
+ });
1714
+ logger3.log(`EBSI key created: ${newIdentifier.did}`);
1715
+ if (created) {
1716
+ await agentContext.agent.emit(Siopv2HolderEvent.IDENTIFIER_CREATED, {
1717
+ result: newIdentifier
1718
+ });
1719
+ }
1720
+ return await agentContext.agent.identifierManagedGetByDid({
1721
+ identifier: newIdentifier.did
1722
+ });
1723
+ }, "createEbsiIdentifier");
1724
+ var hasEbsiClient = /* @__PURE__ */ __name(async (authorizationRequest) => {
1725
+ const clientId = await authorizationRequest.getMergedProperty("client_id");
1726
+ const redirectUri = await authorizationRequest.getMergedProperty("redirect_uri");
1727
+ return clientId?.toLowerCase().includes(".ebsi.eu") || redirectUri?.toLowerCase().includes(".ebsi.eu");
1728
+ }, "hasEbsiClient");
1397
1729
  var siopSendAuthorizationResponse = /* @__PURE__ */ __name(async (connectionType, args, context) => {
1398
1730
  const { agent } = context;
1399
- const { credentials } = args;
1400
- if (connectionType !== import_ssi_sdk5.ConnectionType.SIOPv2_OpenID4VP) {
1731
+ const agentContext = {
1732
+ ...context,
1733
+ agent: context.agent
1734
+ };
1735
+ let { idOpts: idOpts2, isFirstParty, hasher = import_ssi_sdk7.defaultHasher } = args;
1736
+ if (connectionType !== import_ssi_sdk6.ConnectionType.SIOPv2_OpenID4VP) {
1401
1737
  return Promise.reject(Error(`No supported authentication provider for type: ${connectionType}`));
1402
1738
  }
1403
1739
  const session = await agent.siopGetOPSession({
1404
1740
  sessionId: args.sessionId
1405
1741
  });
1406
1742
  const request = await session.getAuthorizationRequest();
1407
- const aud = request.authorizationRequest.getMergedProperty("aud");
1743
+ const aud = await request.authorizationRequest.getMergedProperty("aud");
1408
1744
  logger3.debug(`AUD: ${aud}`);
1409
1745
  logger3.debug(JSON.stringify(request.authorizationRequest));
1410
- const domain = await request.authorizationRequest.getMergedProperty("client_id") ?? request.issuer ?? "https://self-issued.me/v2";
1411
- logger3.debug(`NONCE: ${session.nonce}, domain: ${domain}`);
1412
- const firstUniqueDC = credentials[0];
1413
- if (typeof firstUniqueDC !== "object" || !("digitalCredential" in firstUniqueDC)) {
1414
- return Promise.reject(Error("SiopMachine only supports UniqueDigitalCredentials for now"));
1415
- }
1416
- let identifier;
1417
- const digitalCredential = firstUniqueDC.digitalCredential;
1418
- const firstVC = firstUniqueDC.uniformVerifiableCredential;
1419
- const holder = import_ssi_types6.CredentialMapper.isSdJwtDecodedCredential(firstVC) ? firstVC.decodedPayload.cnf?.jwk ? (
1420
- //doesn't apply to did:jwk only, as you can represent any DID key as a JWK. So whenever you encounter a JWK it doesn't mean it had to come from a did:jwk in the system. It just can always be represented as a did:jwk
1421
- `did:jwk:${(0, import_ssi_sdk3.encodeJoseBlob)(firstVC.decodedPayload.cnf?.jwk)}#0`
1422
- ) : firstVC.decodedPayload.sub : Array.isArray(firstVC.credentialSubject) ? firstVC.credentialSubject[0].id : firstVC.credentialSubject.id;
1423
- if (!digitalCredential.kmsKeyRef) {
1424
- if (!holder) {
1425
- return Promise.reject(`No holder found and no kmsKeyRef in DB. Cannot determine identifier to use`);
1426
- }
1427
- try {
1428
- identifier = await session.context.agent.identifierManagedGet({
1429
- identifier: holder
1746
+ let presentationsAndDefs;
1747
+ let presentationSubmission;
1748
+ if (await session.hasPresentationDefinitions()) {
1749
+ const oid4vp = await session.getOID4VP({
1750
+ hasher
1751
+ });
1752
+ const credentialsAndDefinitions = args.verifiableCredentialsWithDefinition ? args.verifiableCredentialsWithDefinition : await oid4vp.filterCredentialsAgainstAllDefinitions(import_ssi_sdk6.CredentialRole.HOLDER);
1753
+ const domain = await request.authorizationRequest.getMergedProperty("client_id") ?? request.issuer ?? (request.versions.includes(import_did_auth_siop4.SupportedVersion.JWT_VC_PRESENTATION_PROFILE_v1) ? "https://self-issued.me/v2/openid-vc" : "https://self-issued.me/v2");
1754
+ logger3.log(`NONCE: ${session.nonce}, domain: ${domain}`);
1755
+ const firstUniqueDC = credentialsAndDefinitions[0].credentials[0];
1756
+ if (typeof firstUniqueDC !== "object" || !("digitalCredential" in firstUniqueDC)) {
1757
+ return Promise.reject(Error("SiopMachine only supports UniqueDigitalCredentials for now"));
1758
+ }
1759
+ let identifier;
1760
+ const digitalCredential = firstUniqueDC.digitalCredential;
1761
+ const firstVC = firstUniqueDC.uniformVerifiableCredential;
1762
+ const holder = import_ssi_types6.CredentialMapper.isSdJwtDecodedCredential(firstVC) ? firstVC.decodedPayload.cnf?.jwk ? (
1763
+ //doesn't apply to did:jwk only, as you can represent any DID key as a JWK. So whenever you encounter a JWK it doesn't mean it had to come from a did:jwk in the system. It just can always be represented as a did:jwk
1764
+ `did:jwk:${(0, import_ssi_sdk7.encodeJoseBlob)(firstVC.decodedPayload.cnf?.jwk)}#0`
1765
+ ) : firstVC.decodedPayload.sub : Array.isArray(firstVC.credentialSubject) ? firstVC.credentialSubject[0].id : firstVC.credentialSubject.id;
1766
+ if (!digitalCredential.kmsKeyRef) {
1767
+ if (!holder) {
1768
+ return Promise.reject(`No holder found and no kmsKeyRef in DB. Cannot determine identifier to use`);
1769
+ }
1770
+ try {
1771
+ identifier = await session.context.agent.identifierManagedGet({
1772
+ identifier: holder
1773
+ });
1774
+ } catch (e) {
1775
+ logger3.debug(`Holder DID not found: ${holder}`);
1776
+ throw e;
1777
+ }
1778
+ } else if ((0, import_ssi_sdk_ext4.isOID4VCIssuerIdentifier)(digitalCredential.kmsKeyRef)) {
1779
+ identifier = await session.context.agent.identifierManagedGetByOID4VCIssuer({
1780
+ identifier: firstUniqueDC.digitalCredential.kmsKeyRef
1430
1781
  });
1431
- } catch (e) {
1432
- logger3.debug(`Holder DID not found: ${holder}`);
1433
- throw e;
1782
+ } else {
1783
+ switch (digitalCredential.subjectCorrelationType) {
1784
+ case "DID":
1785
+ identifier = await session.context.agent.identifierManagedGetByDid({
1786
+ identifier: digitalCredential.subjectCorrelationId ?? holder,
1787
+ kmsKeyRef: digitalCredential.kmsKeyRef
1788
+ });
1789
+ break;
1790
+ // TODO other implementations?
1791
+ default:
1792
+ if (digitalCredential.subjectCorrelationId?.startsWith("did:") || holder?.startsWith("did:")) {
1793
+ identifier = await session.context.agent.identifierManagedGetByDid({
1794
+ identifier: digitalCredential.subjectCorrelationId ?? holder,
1795
+ kmsKeyRef: digitalCredential.kmsKeyRef
1796
+ });
1797
+ } else {
1798
+ identifier = await session.context.agent.identifierManagedGetByKid({
1799
+ identifier: digitalCredential.subjectCorrelationId ?? holder ?? digitalCredential.kmsKeyRef,
1800
+ kmsKeyRef: digitalCredential.kmsKeyRef
1801
+ });
1802
+ }
1803
+ }
1804
+ }
1805
+ if (identifier === void 0 && idOpts2 !== void 0 && await hasEbsiClient(request.authorizationRequest)) {
1806
+ identifier = await createEbsiIdentifier(agentContext);
1434
1807
  }
1435
- } else if ((0, import_ssi_sdk_ext4.isOID4VCIssuerIdentifier)(digitalCredential.kmsKeyRef)) {
1436
- identifier = await session.context.agent.identifierManagedGetByOID4VCIssuer({
1437
- identifier: firstUniqueDC.digitalCredential.kmsKeyRef
1808
+ logger3.debug(`Identifier`, identifier);
1809
+ presentationsAndDefs = await oid4vp.createVerifiablePresentations(import_ssi_sdk6.CredentialRole.HOLDER, credentialsAndDefinitions, {
1810
+ idOpts: identifier,
1811
+ proofOpts: {
1812
+ nonce: session.nonce,
1813
+ domain
1814
+ }
1438
1815
  });
1439
- } else {
1440
- switch (digitalCredential.subjectCorrelationType) {
1441
- case "DID":
1442
- identifier = await session.context.agent.identifierManagedGetByDid({
1443
- identifier: digitalCredential.subjectCorrelationId ?? holder,
1444
- kmsKeyRef: digitalCredential.kmsKeyRef
1445
- });
1446
- break;
1447
- // TODO other implementations?
1448
- default:
1449
- identifier = await session.context.agent.identifierManagedGetByKid({
1450
- identifier: digitalCredential.subjectCorrelationId ?? holder ?? digitalCredential.kmsKeyRef,
1451
- kmsKeyRef: digitalCredential.kmsKeyRef
1452
- });
1816
+ if (!presentationsAndDefs || presentationsAndDefs.length === 0) {
1817
+ throw Error("No verifiable presentations could be created");
1818
+ } else if (presentationsAndDefs.length > 1) {
1819
+ throw Error(`Only one verifiable presentation supported for now. Got ${presentationsAndDefs.length}`);
1453
1820
  }
1454
- }
1455
- const dcqlCredentialsWithCredentials = new Map(credentials.map((vc) => [
1456
- convertToDcqlCredentials(vc),
1457
- vc
1458
- ]));
1459
- const queryResult = import_dcql.DcqlQuery.query(request.dcqlQuery, Array.from(dcqlCredentialsWithCredentials.keys()));
1460
- if (!queryResult.can_be_satisfied) {
1461
- return Promise.reject(Error("Credentials do not match required query request"));
1462
- }
1463
- const presentation = {};
1464
- const uniqueCredentials = Array.from(dcqlCredentialsWithCredentials.values());
1465
- for (const [key, value] of Object.entries(queryResult.credential_matches)) {
1466
- if (value.success) {
1467
- const matchedCredentials = value.valid_credentials.map((cred) => uniqueCredentials[cred.input_credential_index]);
1468
- const vc = matchedCredentials[0];
1469
- if (!vc) {
1470
- continue;
1821
+ idOpts2 = presentationsAndDefs[0].idOpts;
1822
+ presentationSubmission = presentationsAndDefs[0].presentationSubmission;
1823
+ logger3.log(`Definitions and locations:`, JSON.stringify(presentationsAndDefs?.[0]?.verifiablePresentations, null, 2));
1824
+ logger3.log(`Presentation Submission:`, JSON.stringify(presentationSubmission, null, 2));
1825
+ const mergedVerifiablePresentations = presentationsAndDefs?.flatMap((pd) => pd.verifiablePresentations) || [];
1826
+ return await session.sendAuthorizationResponse({
1827
+ ...presentationsAndDefs && {
1828
+ verifiablePresentations: mergedVerifiablePresentations
1829
+ },
1830
+ ...presentationSubmission && {
1831
+ presentationSubmission
1832
+ },
1833
+ // todo: Change issuer value in case we do not use identifier. Use key.meta.jwkThumbprint then
1834
+ responseSignerOpts: idOpts2,
1835
+ isFirstParty
1836
+ });
1837
+ } else if (request.dcqlQuery) {
1838
+ if (args.verifiableCredentialsWithDefinition !== void 0 && args.verifiableCredentialsWithDefinition !== null) {
1839
+ const vcs = args.verifiableCredentialsWithDefinition.flatMap((vcd) => vcd.credentials);
1840
+ const domain = await request.authorizationRequest.getMergedProperty("client_id") ?? request.issuer ?? (request.versions.includes(import_did_auth_siop4.SupportedVersion.JWT_VC_PRESENTATION_PROFILE_v1) ? "https://self-issued.me/v2/openid-vc" : "https://self-issued.me/v2");
1841
+ logger3.debug(`NONCE: ${session.nonce}, domain: ${domain}`);
1842
+ const firstUniqueDC = vcs[0];
1843
+ if (typeof firstUniqueDC !== "object" || !("digitalCredential" in firstUniqueDC)) {
1844
+ return Promise.reject(Error("SiopMachine only supports UniqueDigitalCredentials for now"));
1471
1845
  }
1472
- const originalVc = retrieveEncodedCredential(vc);
1473
- if (!originalVc) {
1474
- continue;
1846
+ let identifier;
1847
+ const digitalCredential = firstUniqueDC.digitalCredential;
1848
+ const firstVC = firstUniqueDC.uniformVerifiableCredential;
1849
+ const holder = import_ssi_types6.CredentialMapper.isSdJwtDecodedCredential(firstVC) ? firstVC.decodedPayload.cnf?.jwk ? (
1850
+ //doesn't apply to did:jwk only, as you can represent any DID key as a JWK. So whenever you encounter a JWK it doesn't mean it had to come from a did:jwk in the system. It just can always be represented as a did:jwk
1851
+ `did:jwk:${(0, import_ssi_sdk7.encodeJoseBlob)(firstVC.decodedPayload.cnf?.jwk)}#0`
1852
+ ) : firstVC.decodedPayload.sub : Array.isArray(firstVC.credentialSubject) ? firstVC.credentialSubject[0].id : firstVC.credentialSubject.id;
1853
+ if (!digitalCredential.kmsKeyRef) {
1854
+ if (!holder) {
1855
+ return Promise.reject(`No holder found and no kmsKeyRef in DB. Cannot determine identifier to use`);
1856
+ }
1857
+ try {
1858
+ identifier = await session.context.agent.identifierManagedGet({
1859
+ identifier: holder
1860
+ });
1861
+ } catch (e) {
1862
+ logger3.debug(`Holder DID not found: ${holder}`);
1863
+ throw e;
1864
+ }
1865
+ } else if ((0, import_ssi_sdk_ext4.isOID4VCIssuerIdentifier)(digitalCredential.kmsKeyRef)) {
1866
+ identifier = await session.context.agent.identifierManagedGetByOID4VCIssuer({
1867
+ identifier: firstUniqueDC.digitalCredential.kmsKeyRef
1868
+ });
1869
+ } else {
1870
+ switch (digitalCredential.subjectCorrelationType) {
1871
+ case "DID":
1872
+ identifier = await session.context.agent.identifierManagedGetByDid({
1873
+ identifier: digitalCredential.subjectCorrelationId ?? holder,
1874
+ kmsKeyRef: digitalCredential.kmsKeyRef
1875
+ });
1876
+ break;
1877
+ // TODO other implementations?
1878
+ default:
1879
+ identifier = await session.context.agent.identifierManagedGetByKid({
1880
+ identifier: digitalCredential.subjectCorrelationId ?? holder ?? digitalCredential.kmsKeyRef,
1881
+ kmsKeyRef: digitalCredential.kmsKeyRef
1882
+ });
1883
+ }
1475
1884
  }
1476
- const decodedSdJwt = await import_ssi_types6.CredentialMapper.decodeSdJwtVcAsync(originalVc, import_ssi_sdk6.defaultGenerateDigest);
1477
- const updatedSdJwt = updateSdJwtCredential(decodedSdJwt, request.requestObject?.getPayload()?.nonce, domain);
1478
- const presentationResult = await context.agent.createSdJwtPresentation({
1479
- presentation: updatedSdJwt.compactSdJwtVc,
1480
- kb: {
1481
- payload: {
1482
- ...updatedSdJwt.kbJwt?.payload,
1483
- // FIXME SSISDK-44
1484
- nonce: updatedSdJwt.kbJwt?.payload.nonce ?? request.requestObject.getPayload().nonce,
1485
- // FIXME SSISDK-44
1486
- aud: updatedSdJwt.kbJwt?.payload.aud ?? domain,
1487
- iat: updatedSdJwt.kbJwt?.payload?.iat ?? Math.floor(Date.now() / 1e3 - CLOCK_SKEW)
1488
- }
1885
+ console.log(`Identifier`, identifier);
1886
+ const dcqlRepresentations = [];
1887
+ vcs.forEach((vc) => {
1888
+ const rep = convertToDcqlCredentials(vc, args.hasher);
1889
+ if (rep) {
1890
+ dcqlRepresentations.push(rep);
1489
1891
  }
1490
1892
  });
1491
- if (originalVc) {
1492
- presentation[key] = presentationResult.presentation;
1893
+ const queryResult = import_dcql.DcqlQuery.query(request.dcqlQuery, dcqlRepresentations);
1894
+ const presentation = {};
1895
+ for (const [key, value] of Object.entries(queryResult.credential_matches)) {
1896
+ const allMatches = Array.isArray(value) ? value : [
1897
+ value
1898
+ ];
1899
+ allMatches.forEach((match) => {
1900
+ if (match.success) {
1901
+ const originalCredential = getOriginalVerifiableCredential(vcs[match.input_credential_index]);
1902
+ if (!originalCredential) {
1903
+ throw new Error(`Index ${match.input_credential_index} out of range in credentials array`);
1904
+ }
1905
+ presentation[key] = originalCredential["compactSdJwtVc"] !== void 0 ? originalCredential.compactSdJwtVc : originalCredential;
1906
+ }
1907
+ });
1493
1908
  }
1909
+ const response = session.sendAuthorizationResponse({
1910
+ responseSignerOpts: identifier,
1911
+ ...{
1912
+ dcqlQuery: {
1913
+ dcqlPresentation: import_dcql.DcqlPresentation.parse(presentation)
1914
+ }
1915
+ }
1916
+ });
1917
+ logger3.debug(`Response: `, response);
1918
+ return response;
1494
1919
  }
1495
1920
  }
1496
- const dcqlPresentation = import_dcql.DcqlPresentation.parse(presentation);
1497
- const response = session.sendAuthorizationResponse({
1498
- responseSignerOpts: identifier,
1499
- dcqlResponse: {
1500
- dcqlPresentation
1501
- }
1502
- });
1503
- logger3.debug(`Response: `, response);
1504
- return response;
1921
+ throw Error("Presentation Definition or DCQL is required");
1505
1922
  }, "siopSendAuthorizationResponse");
1506
- var retrieveEncodedCredential = /* @__PURE__ */ __name((credential) => {
1507
- return credential.originalVerifiableCredential !== void 0 && credential.originalVerifiableCredential !== null && credential?.originalVerifiableCredential?.compactSdJwtVc !== void 0 && credential?.originalVerifiableCredential?.compactSdJwtVc !== null ? credential.originalVerifiableCredential.compactSdJwtVc : credential.originalVerifiableCredential;
1508
- }, "retrieveEncodedCredential");
1509
- var getSelectableCredentials = /* @__PURE__ */ __name(async (dcqlQuery, context) => {
1923
+ function buildPartialPD(inputDescriptor, presentationDefinition) {
1924
+ return {
1925
+ ...presentationDefinition,
1926
+ input_descriptors: [
1927
+ inputDescriptor
1928
+ ]
1929
+ };
1930
+ }
1931
+ __name(buildPartialPD, "buildPartialPD");
1932
+ var getSelectableCredentials = /* @__PURE__ */ __name(async (presentationDefinition, context) => {
1510
1933
  const agentContext = {
1511
1934
  ...context,
1512
1935
  agent: context.agent
1513
1936
  };
1514
1937
  const { agent } = agentContext;
1938
+ const pex = new import_pex3.PEX();
1515
1939
  const uniqueVerifiableCredentials = await agent.crsGetUniqueCredentials({
1516
- filter: (0, import_ssi_sdk4.verifiableCredentialForRoleFilter)(import_ssi_types6.CredentialRole.HOLDER)
1940
+ filter: (0, import_ssi_sdk5.verifiableCredentialForRoleFilter)(import_ssi_sdk6.CredentialRole.HOLDER)
1517
1941
  });
1518
- const branding = await agent.ibGetCredentialBranding();
1519
- const dcqlCredentialsWithCredentials = new Map(uniqueVerifiableCredentials.map((vc) => [
1520
- convertToDcqlCredentials(vc),
1521
- vc
1522
- ]));
1523
- const queryResult = import_dcql.DcqlQuery.query(dcqlQuery, Array.from(dcqlCredentialsWithCredentials.keys()));
1524
- const uniqueCredentials = Array.from(dcqlCredentialsWithCredentials.values());
1942
+ const credentialBranding = await agent.ibGetCredentialBranding();
1525
1943
  const selectableCredentialsMap = /* @__PURE__ */ new Map();
1526
- for (const [key, value] of Object.entries(queryResult.credential_matches)) {
1527
- if (!value.valid_credentials) {
1528
- continue;
1529
- }
1530
- const mapSelectableCredentialPromises = value.valid_credentials.map(async (cred) => {
1531
- const matchedCredential = uniqueCredentials[cred.input_credential_index];
1532
- const credentialBranding = branding.filter((cb) => cb.vcHash === matchedCredential.hash);
1533
- const issuerPartyIdentity = await agent.cmGetContacts({
1534
- filter: [
1535
- {
1536
- identities: {
1537
- identifier: {
1538
- correlationId: matchedCredential.uniformVerifiableCredential.issuerDid
1944
+ for (const inputDescriptor of presentationDefinition.input_descriptors) {
1945
+ const partialPD = buildPartialPD(inputDescriptor, presentationDefinition);
1946
+ const originalCredentials = uniqueVerifiableCredentials.map((uniqueVC) => {
1947
+ return import_ssi_types6.CredentialMapper.storedCredentialToOriginalFormat(uniqueVC.originalVerifiableCredential);
1948
+ });
1949
+ const selectionResults = pex.selectFrom(partialPD, originalCredentials);
1950
+ const selectableCredentials = [];
1951
+ for (const selectedCredential of selectionResults.verifiableCredential || []) {
1952
+ const filteredUniqueVC = uniqueVerifiableCredentials.find((uniqueVC) => {
1953
+ const proof = uniqueVC.uniformVerifiableCredential.proof;
1954
+ return Array.isArray(proof) ? proof.some((proofItem) => proofItem.jwt === selectedCredential) : proof.jwt === selectedCredential;
1955
+ });
1956
+ if (filteredUniqueVC) {
1957
+ const filteredCredentialBrandings = credentialBranding.filter((cb) => cb.vcHash === filteredUniqueVC.hash);
1958
+ const issuerPartyIdentity = await agent.cmGetContacts({
1959
+ filter: [
1960
+ {
1961
+ identities: {
1962
+ identifier: {
1963
+ correlationId: filteredUniqueVC.uniformVerifiableCredential.issuerDid
1964
+ }
1539
1965
  }
1540
1966
  }
1541
- }
1542
- ]
1543
- });
1544
- const subjectPartyIdentity = await agent.cmGetContacts({
1545
- filter: [
1546
- {
1547
- identities: {
1548
- identifier: {
1549
- correlationId: matchedCredential.uniformVerifiableCredential.subjectDid
1967
+ ]
1968
+ });
1969
+ const subjectPartyIdentity = await agent.cmGetContacts({
1970
+ filter: [
1971
+ {
1972
+ identities: {
1973
+ identifier: {
1974
+ correlationId: filteredUniqueVC.uniformVerifiableCredential.subjectDid
1975
+ }
1550
1976
  }
1551
1977
  }
1552
- }
1553
- ]
1554
- });
1555
- return {
1556
- credential: matchedCredential,
1557
- credentialBranding: credentialBranding[0]?.localeBranding,
1558
- issuerParty: issuerPartyIdentity?.[0],
1559
- subjectParty: subjectPartyIdentity?.[0]
1560
- };
1561
- });
1562
- const selectableCredentials = await Promise.all(mapSelectableCredentialPromises);
1563
- selectableCredentialsMap.set(key, selectableCredentials);
1978
+ ]
1979
+ });
1980
+ selectableCredentials.push({
1981
+ credential: filteredUniqueVC,
1982
+ credentialBranding: filteredCredentialBrandings[0]?.localeBranding,
1983
+ issuerParty: issuerPartyIdentity?.[0],
1984
+ subjectParty: subjectPartyIdentity?.[0]
1985
+ });
1986
+ }
1987
+ }
1988
+ selectableCredentialsMap.set(inputDescriptor.id, selectableCredentials);
1564
1989
  }
1565
1990
  return selectableCredentialsMap;
1566
1991
  }, "getSelectableCredentials");
@@ -1582,31 +2007,6 @@ var translateCorrelationIdToName = /* @__PURE__ */ __name(async (correlationId,
1582
2007
  }
1583
2008
  return contacts[0].contact.displayName;
1584
2009
  }, "translateCorrelationIdToName");
1585
- var updateSdJwtCredential = /* @__PURE__ */ __name((credential, nonce, aud) => {
1586
- const sdJwtCredential = credential;
1587
- const hashAlg = sdJwtCredential.signedPayload._sd_alg ?? "sha-256";
1588
- const sdHash = (0, import_utils.calculateSdHash)(sdJwtCredential.compactSdJwtVc, hashAlg, import_ssi_sdk6.defaultGenerateDigest);
1589
- const kbJwt = {
1590
- // alg MUST be set by the signer
1591
- header: {
1592
- typ: "kb+jwt"
1593
- },
1594
- payload: {
1595
- iat: Math.floor((/* @__PURE__ */ new Date()).getTime() / 1e3),
1596
- sd_hash: sdHash,
1597
- ...nonce && {
1598
- nonce
1599
- },
1600
- ...aud && {
1601
- aud
1602
- }
1603
- }
1604
- };
1605
- return {
1606
- ...sdJwtCredential,
1607
- kbJwt
1608
- };
1609
- }, "updateSdJwtCredential");
1610
2010
 
1611
2011
  // src/agent/DidAuthSiopOpAuthenticator.ts
1612
2012
  var logger4 = import_ssi_types7.Loggers.DEFAULT.options(LOGGER_NAMESPACE, {}).get(LOGGER_NAMESPACE);
@@ -1626,7 +2026,7 @@ var DidAuthSiopOpAuthenticator = class {
1626
2026
  static {
1627
2027
  __name(this, "DidAuthSiopOpAuthenticator");
1628
2028
  }
1629
- schema = plugin_schema_default.IDidAuthSiopOpAuthenticator;
2029
+ schema = schema.IDidAuthSiopOpAuthenticator;
1630
2030
  methods = {
1631
2031
  siopGetOPSession: this.siopGetOPSession.bind(this),
1632
2032
  siopRegisterOPSession: this.siopRegisterOPSession.bind(this),
@@ -1767,9 +2167,9 @@ var DidAuthSiopOpAuthenticator = class {
1767
2167
  const verifiedAuthorizationRequest = await session.getAuthorizationRequest();
1768
2168
  const clientName = verifiedAuthorizationRequest.registrationMetadataPayload?.client_name;
1769
2169
  const url = verifiedAuthorizationRequest.responseURI ?? (args.url.includes("request_uri") ? decodeURIComponent(args.url.split("?request_uri=")[1].trim()) : verifiedAuthorizationRequest.issuer ?? verifiedAuthorizationRequest.registrationMetadataPayload?.client_id);
1770
- const uri = url?.includes("://") ? new URL(url) : void 0;
2170
+ const uri = url.includes("://") ? new URL(url) : void 0;
1771
2171
  const correlationId = uri?.hostname ?? await this.determineCorrelationId(uri, verifiedAuthorizationRequest, clientName, context);
1772
- const clientId = verifiedAuthorizationRequest.authorizationRequest.getMergedProperty("client_id");
2172
+ const clientId = await verifiedAuthorizationRequest.authorizationRequest.getMergedProperty("client_id");
1773
2173
  return {
1774
2174
  issuer: verifiedAuthorizationRequest.issuer,
1775
2175
  correlationId,
@@ -1777,6 +2177,7 @@ var DidAuthSiopOpAuthenticator = class {
1777
2177
  uri,
1778
2178
  name: clientName,
1779
2179
  clientId,
2180
+ presentationDefinitions: await verifiedAuthorizationRequest.authorizationRequest.containsResponseType("vp_token") || verifiedAuthorizationRequest.versions.every((version) => version <= import_did_auth_siop5.SupportedVersion.JWT_VC_PRESENTATION_PROFILE_v1) && verifiedAuthorizationRequest.presentationDefinitions && verifiedAuthorizationRequest.presentationDefinitions.length > 0 ? verifiedAuthorizationRequest.presentationDefinitions : void 0,
1780
2181
  dcqlQuery: verifiedAuthorizationRequest.dcqlQuery
1781
2182
  };
1782
2183
  }
@@ -1825,12 +2226,12 @@ var DidAuthSiopOpAuthenticator = class {
1825
2226
  if (correlationId) {
1826
2227
  const identity = {
1827
2228
  alias: correlationId,
1828
- origin: import_ssi_sdk7.IdentityOrigin.EXTERNAL,
2229
+ origin: import_ssi_sdk8.IdentityOrigin.EXTERNAL,
1829
2230
  roles: [
1830
- import_ssi_types7.CredentialRole.ISSUER
2231
+ import_ssi_sdk8.CredentialRole.ISSUER
1831
2232
  ],
1832
2233
  identifier: {
1833
- type: correlationId.startsWith("did:") ? import_ssi_sdk7.CorrelationIdentifierType.DID : import_ssi_sdk7.CorrelationIdentifierType.URL,
2234
+ type: correlationId.startsWith("did:") ? import_ssi_sdk8.CorrelationIdentifierType.DID : import_ssi_sdk8.CorrelationIdentifierType.URL,
1834
2235
  correlationId
1835
2236
  }
1836
2237
  };
@@ -1853,14 +2254,75 @@ var DidAuthSiopOpAuthenticator = class {
1853
2254
  if (authorizationRequestData === void 0) {
1854
2255
  return Promise.reject(Error("Missing authorization request data in context"));
1855
2256
  }
1856
- const response = await siopSendAuthorizationResponse(import_ssi_sdk7.ConnectionType.SIOPv2_OpenID4VP, {
2257
+ const pex = new import_pex4.PEX({
2258
+ hasher: this.hasher
2259
+ });
2260
+ const verifiableCredentialsWithDefinition = [];
2261
+ const dcqlCredentialsWithCredentials = /* @__PURE__ */ new Map();
2262
+ if (Array.isArray(authorizationRequestData.presentationDefinitions) && authorizationRequestData?.presentationDefinitions.length > 0) {
2263
+ try {
2264
+ authorizationRequestData.presentationDefinitions?.forEach((presentationDefinition) => {
2265
+ const { areRequiredCredentialsPresent, verifiableCredential: verifiableCredentials } = pex.selectFrom(presentationDefinition.definition, selectedCredentials.map((udc) => udc.originalVerifiableCredential));
2266
+ if (areRequiredCredentialsPresent !== import_pex4.Status.ERROR && verifiableCredentials) {
2267
+ let uniqueDigitalCredentials = [];
2268
+ uniqueDigitalCredentials = verifiableCredentials.map((vc) => {
2269
+ const hash = typeof vc === "string" ? (0, import_utils.computeEntryHash)(vc.split("~"[0])) : (0, import_utils.computeEntryHash)(vc);
2270
+ const udc = selectedCredentials.find((udc2) => udc2.hash == hash || udc2.originalVerifiableCredential == vc);
2271
+ if (!udc) {
2272
+ throw Error(`UniqueDigitalCredential could not be found in store. Either the credential is not present in the store or the hash is not correct.`);
2273
+ }
2274
+ return udc;
2275
+ });
2276
+ verifiableCredentialsWithDefinition.push({
2277
+ definition: presentationDefinition,
2278
+ credentials: uniqueDigitalCredentials
2279
+ });
2280
+ }
2281
+ });
2282
+ } catch (e) {
2283
+ return Promise.reject(e);
2284
+ }
2285
+ if (verifiableCredentialsWithDefinition.length === 0) {
2286
+ return Promise.reject(Error("None of the selected credentials match any of the presentation definitions."));
2287
+ }
2288
+ } else if (authorizationRequestData.dcqlQuery) {
2289
+ if (this.hasMDocCredentials(selectedCredentials) || this.hasSdJwtCredentials(selectedCredentials)) {
2290
+ try {
2291
+ selectedCredentials.forEach((vc) => {
2292
+ if (this.isSdJwtCredential(vc)) {
2293
+ const payload = vc.originalVerifiableCredential.decodedPayload;
2294
+ const result = {
2295
+ claims: payload,
2296
+ vct: payload.vct,
2297
+ credential_format: "vc+sd-jwt"
2298
+ };
2299
+ dcqlCredentialsWithCredentials.set(result, vc);
2300
+ } else {
2301
+ throw Error(`Invalid credential format: ${vc.digitalCredential.documentFormat}`);
2302
+ }
2303
+ });
2304
+ } catch (e) {
2305
+ return Promise.reject(e);
2306
+ }
2307
+ const dcqlPresentationRecord = {};
2308
+ const queryResult = import_dcql3.DcqlQuery.query(authorizationRequestData.dcqlQuery, Array.from(dcqlCredentialsWithCredentials.keys()));
2309
+ for (const [key, value] of Object.entries(queryResult.credential_matches)) {
2310
+ if (value.success) {
2311
+ dcqlPresentationRecord[key] = this.retrieveEncodedCredential(dcqlCredentialsWithCredentials.get(value.output));
2312
+ }
2313
+ }
2314
+ }
2315
+ }
2316
+ const response = await siopSendAuthorizationResponse(import_ssi_sdk8.ConnectionType.SIOPv2_OpenID4VP, {
1857
2317
  sessionId: didAuthConfig.sessionId,
1858
2318
  ...args.idOpts && {
1859
2319
  idOpts: args.idOpts
1860
2320
  },
2321
+ ...authorizationRequestData.presentationDefinitions !== void 0 && {
2322
+ verifiableCredentialsWithDefinition
2323
+ },
1861
2324
  isFirstParty,
1862
- hasher: this.hasher,
1863
- credentials: selectedCredentials
2325
+ hasher: this.hasher
1864
2326
  }, context);
1865
2327
  const contentType = response.headers.get("content-type") || "";
1866
2328
  let responseBody = null;
@@ -1871,15 +2333,33 @@ var DidAuthSiopOpAuthenticator = class {
1871
2333
  return {
1872
2334
  body: responseBody,
1873
2335
  url: response?.url,
1874
- queryParams: (0, import_did_auth_siop4.decodeUriAsJson)(response?.url)
2336
+ queryParams: (0, import_did_auth_siop5.decodeUriAsJson)(response?.url)
1875
2337
  };
1876
2338
  }
2339
+ hasMDocCredentials = /* @__PURE__ */ __name((credentials) => {
2340
+ return credentials.some(this.isMDocCredential);
2341
+ }, "hasMDocCredentials");
2342
+ isMDocCredential = /* @__PURE__ */ __name((credential) => {
2343
+ return credential.digitalCredential.documentFormat === import_ssi_sdk8.CredentialDocumentFormat.MSO_MDOC && credential.digitalCredential.documentType === import_ssi_sdk8.DocumentType.VC;
2344
+ }, "isMDocCredential");
2345
+ hasSdJwtCredentials = /* @__PURE__ */ __name((credentials) => {
2346
+ return credentials.some(this.isSdJwtCredential);
2347
+ }, "hasSdJwtCredentials");
2348
+ isSdJwtCredential = /* @__PURE__ */ __name((credential) => {
2349
+ return credential.digitalCredential.documentFormat === import_ssi_sdk8.CredentialDocumentFormat.SD_JWT && credential.digitalCredential.documentType === import_ssi_sdk8.DocumentType.VC;
2350
+ }, "isSdJwtCredential");
2351
+ retrieveEncodedCredential = /* @__PURE__ */ __name((credential) => {
2352
+ return credential.originalVerifiableCredential !== void 0 && credential.originalVerifiableCredential !== null && credential?.originalVerifiableCredential?.compactSdJwtVc !== void 0 && credential?.originalVerifiableCredential?.compactSdJwtVc !== null ? credential.originalVerifiableCredential.compactSdJwtVc : credential.originalVerifiableCredential;
2353
+ }, "retrieveEncodedCredential");
1877
2354
  async siopGetSelectableCredentials(args, context) {
1878
2355
  const { authorizationRequestData } = args;
1879
- if (!authorizationRequestData?.dcqlQuery) {
1880
- return Promise.reject(Error("Missing required dcql query in context"));
2356
+ if (!authorizationRequestData || !authorizationRequestData.presentationDefinitions || authorizationRequestData.presentationDefinitions.length === 0) {
2357
+ return Promise.reject(Error("Missing required fields in arguments or context"));
2358
+ }
2359
+ if (authorizationRequestData.presentationDefinitions.length > 1) {
2360
+ return Promise.reject(Error("Multiple presentation definitions present"));
1881
2361
  }
1882
- return getSelectableCredentials(authorizationRequestData?.dcqlQuery, context);
2362
+ return getSelectableCredentials(authorizationRequestData.presentationDefinitions[0].definition, context);
1883
2363
  }
1884
2364
  };
1885
2365
 
@@ -1918,12 +2398,12 @@ var OID4VPCallbackStateListener = /* @__PURE__ */ __name((callbacks) => {
1918
2398
  }, "OID4VPCallbackStateListener");
1919
2399
 
1920
2400
  // src/link-handler/index.ts
1921
- var import_ssi_sdk8 = require("@sphereon/ssi-sdk.agent-config");
1922
- var import_ssi_sdk9 = require("@sphereon/ssi-sdk.core");
1923
- var import_ssi_sdk10 = require("@sphereon/ssi-sdk.xstate-machine-persistence");
2401
+ var import_ssi_sdk9 = require("@sphereon/ssi-sdk.agent-config");
2402
+ var import_ssi_sdk10 = require("@sphereon/ssi-sdk.core");
2403
+ var import_ssi_sdk11 = require("@sphereon/ssi-sdk.xstate-machine-persistence");
1924
2404
  var import_ssi_types9 = require("@sphereon/ssi-types");
1925
2405
  var logger6 = import_ssi_types9.Loggers.DEFAULT.options(LOGGER_NAMESPACE, {}).get(LOGGER_NAMESPACE);
1926
- var Siopv2OID4VPLinkHandler = class extends import_ssi_sdk9.LinkHandlerAdapter {
2406
+ var Siopv2OID4VPLinkHandler = class extends import_ssi_sdk10.LinkHandlerAdapter {
1927
2407
  static {
1928
2408
  __name(this, "Siopv2OID4VPLinkHandler");
1929
2409
  }
@@ -1949,8 +2429,8 @@ var Siopv2OID4VPLinkHandler = class extends import_ssi_sdk9.LinkHandlerAdapter {
1949
2429
  stateNavigationListener: this.stateNavigationListener
1950
2430
  });
1951
2431
  const interpreter = siopv2Machine.interpreter;
1952
- if (!this.noStateMachinePersistence && !opts?.machineState && (0, import_ssi_sdk8.contextHasPlugin)(this.context, "machineStatesFindActive")) {
1953
- const init = await (0, import_ssi_sdk10.interpreterStartOrResume)({
2432
+ if (!this.noStateMachinePersistence && !opts?.machineState && (0, import_ssi_sdk9.contextHasPlugin)(this.context, "machineStatesFindActive")) {
2433
+ const init = await (0, import_ssi_sdk11.interpreterStartOrResume)({
1954
2434
  interpreter,
1955
2435
  context: this.context,
1956
2436
  cleanupAllOtherInstances: true,
@@ -1965,4 +2445,7 @@ var Siopv2OID4VPLinkHandler = class extends import_ssi_sdk9.LinkHandlerAdapter {
1965
2445
  }
1966
2446
  }
1967
2447
  };
2448
+
2449
+ // src/index.ts
2450
+ var schema = require_plugin_schema();
1968
2451
  //# sourceMappingURL=index.cjs.map