npm - @sphereon/ssi-sdk.siopv2-oid4vp-op-auth - Versions diffs - 0.34.1-feature.FIDES.1.274 → 0.34.1-feature.IDK.11.48 - Mend

@sphereon/ssi-sdk.siopv2-oid4vp-op-auth 0.34.1-feature.FIDES.1.274 → 0.34.1-feature.IDK.11.48

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (20) hide show

package/dist/index.cjs +1091 -608
package/dist/index.cjs.map +1 -1
package/dist/index.d.cts +112 -710
package/dist/index.d.ts +112 -710
package/dist/index.js +1046 -563
package/dist/index.js.map +1 -1
package/package.json +24 -24
package/src/agent/DidAuthSiopOpAuthenticator.ts +145 -10
package/src/index.ts +1 -2
package/src/machine/Siopv2Machine.ts +5 -5
package/src/services/Siopv2MachineService.ts +265 -189
package/src/session/OID4VP.ts +300 -310
package/src/session/OpSession.ts +114 -22
package/src/session/functions.ts +8 -1
package/src/types/IDidAuthSiopOpAuthenticator.ts +59 -6
package/src/types/identifier/index.ts +4 -0
package/src/types/machine/index.ts +1 -1
package/src/types/siop-service/index.ts +10 -12
package/src/utils/CredentialUtils.ts +40 -2
package/src/utils/dcql.ts +19 -22

package/src/services/Siopv2MachineService.ts CHANGED Viewed

@@ -1,31 +1,31 @@
-import { AuthorizationRequest } from '@sphereon/did-auth-siop'
-import type { PartialSdJwtDecodedVerifiableCredential, PartialSdJwtKbJwt } from '@sphereon/pex/dist/main/lib/index.js'
-import { calculateSdHash } from '@sphereon/pex/dist/main/lib/utils/index.js'
-import { getOrCreatePrimaryIdentifier, SupportedDidMethodEnum } from '@sphereon/ssi-sdk-ext.did-utils'
+import { AuthorizationRequest, SupportedVersion } from '@sphereon/did-auth-siop'
+import { IPresentationDefinition, PEX } from '@sphereon/pex'
+import { InputDescriptorV1, InputDescriptorV2, PresentationDefinitionV1, PresentationDefinitionV2 } from '@sphereon/pex-models'
 import { isOID4VCIssuerIdentifier, ManagedIdentifierOptsOrResult } from '@sphereon/ssi-sdk-ext.identifier-resolution'
-import { encodeJoseBlob } from '@sphereon/ssi-sdk.core'
 import { UniqueDigitalCredential, verifiableCredentialForRoleFilter } from '@sphereon/ssi-sdk.credential-store'
-import { ConnectionType } from '@sphereon/ssi-sdk.data-store-types'
-import { defaultGenerateDigest } from '@sphereon/ssi-sdk.sd-jwt'
+import { ConnectionType, CredentialRole } from '@sphereon/ssi-sdk.data-store'
+import { CredentialMapper, HasherSync, Loggers, OriginalVerifiableCredential, PresentationSubmission } from '@sphereon/ssi-types'
+import { OID4VP, OpSession } from '../session'
 import {
-  CredentialMapper,
-  CredentialRole,
-  HasherSync,
-  Loggers,
-  OriginalVerifiableCredential,
-  SdJwtDecodedVerifiableCredential,
-} from '@sphereon/ssi-types'
+  DidAgents,
+  LOGGER_NAMESPACE,
+  RequiredContext,
+  SelectableCredential,
+  SelectableCredentialsMap,
+  Siopv2HolderEvent,
+  SuitableCredentialAgents,
+  VerifiableCredentialsWithDefinition,
+  VerifiablePresentationWithDefinition,
+} from '../types'
 import { IAgentContext, IDIDManager } from '@veramo/core'
-import { DcqlPresentation, DcqlQuery } from 'dcql'
-import { OpSession } from '../session'
-import { LOGGER_NAMESPACE, RequiredContext, SelectableCredential, SelectableCredentialsMap, Siopv2HolderEvent } from '../types'
+import { getOrCreatePrimaryIdentifier, SupportedDidMethodEnum } from '@sphereon/ssi-sdk-ext.did-utils'
+import { defaultHasher, encodeJoseBlob } from '@sphereon/ssi-sdk.core'
+import { DcqlCredential, DcqlCredentialPresentation, DcqlPresentation, DcqlQuery } from 'dcql'
 import { convertToDcqlCredentials } from '../utils/dcql'
-const CLOCK_SKEW = 120
+import { getOriginalVerifiableCredential } from '../utils/CredentialUtils'
 export const logger = Loggers.DEFAULT.get(LOGGER_NAMESPACE)
-// @ts-ignore
 const createEbsiIdentifier = async (agentContext: IAgentContext<IDIDManager>): Promise<ManagedIdentifierOptsOrResult> => {
   logger.log(`No EBSI key present yet. Creating a new one...`)
   const { result: newIdentifier, created } = await getOrCreatePrimaryIdentifier(agentContext, {
@@ -39,10 +39,9 @@ const createEbsiIdentifier = async (agentContext: IAgentContext<IDIDManager>): P
   return await agentContext.agent.identifierManagedGetByDid({ identifier: newIdentifier.did })
 }
-// @ts-ignore
 const hasEbsiClient = async (authorizationRequest: AuthorizationRequest) => {
-  const clientId = authorizationRequest.getMergedProperty<string>('client_id')
-  const redirectUri = authorizationRequest.getMergedProperty<string>('redirect_uri')
+  const clientId = await authorizationRequest.getMergedProperty<string>('client_id')
+  const redirectUri = await authorizationRequest.getMergedProperty<string>('redirect_uri')
   return clientId?.toLowerCase().includes('.ebsi.eu') || redirectUri?.toLowerCase().includes('.ebsi.eu')
 }
@@ -50,186 +49,293 @@ export const siopSendAuthorizationResponse = async (
   connectionType: ConnectionType,
   args: {
     sessionId: string
-    credentials: Array<UniqueDigitalCredential | OriginalVerifiableCredential>
+    verifiableCredentialsWithDefinition?: VerifiableCredentialsWithDefinition[]
     idOpts?: ManagedIdentifierOptsOrResult
     isFirstParty?: boolean
     hasher?: HasherSync
+    dcqlQuery?: DcqlQuery
   },
   context: RequiredContext,
 ) => {
   const { agent } = context
-  const { credentials } = args
+  const agentContext = { ...context, agent: context.agent as DidAgents }
+  let { idOpts, isFirstParty, hasher = defaultHasher } = args
   if (connectionType !== ConnectionType.SIOPv2_OpenID4VP) {
     return Promise.reject(Error(`No supported authentication provider for type: ${connectionType}`))
   }
   const session: OpSession = await agent.siopGetOPSession({ sessionId: args.sessionId })
   const request = await session.getAuthorizationRequest()
-  const aud = request.authorizationRequest.getMergedProperty<string>('aud')
+  const aud = await request.authorizationRequest.getMergedProperty<string>('aud')
   logger.debug(`AUD: ${aud}`)
   logger.debug(JSON.stringify(request.authorizationRequest))
-  const domain = ((await request.authorizationRequest.getMergedProperty('client_id')) as string) ?? request.issuer ?? 'https://self-issued.me/v2'
-  logger.debug(`NONCE: ${session.nonce}, domain: ${domain}`)
-  const firstUniqueDC = credentials[0]
-  if (typeof firstUniqueDC !== 'object' || !('digitalCredential' in firstUniqueDC)) {
-    return Promise.reject(Error('SiopMachine only supports UniqueDigitalCredentials for now'))
-  }
-  let identifier: ManagedIdentifierOptsOrResult
-  const digitalCredential = firstUniqueDC.digitalCredential
-  const firstVC = firstUniqueDC.uniformVerifiableCredential
-  const holder = CredentialMapper.isSdJwtDecodedCredential(firstVC)
-    ? firstVC.decodedPayload.cnf?.jwk
-      ? //TODO SDK-19: convert the JWK to hex and search for the appropriate key and associated DID
-        //doesn't apply to did:jwk only, as you can represent any DID key as a JWK. So whenever you encounter a JWK it doesn't mean it had to come from a did:jwk in the system. It just can always be represented as a did:jwk
-        `did:jwk:${encodeJoseBlob(firstVC.decodedPayload.cnf?.jwk)}#0`
-      : firstVC.decodedPayload.sub
-    : Array.isArray(firstVC.credentialSubject)
-      ? firstVC.credentialSubject[0].id
-      : firstVC.credentialSubject.id
-  if (!digitalCredential.kmsKeyRef) {
-    // In case the store does not have the kmsKeyRef lets search for the holder
-    if (!holder) {
-      return Promise.reject(`No holder found and no kmsKeyRef in DB. Cannot determine identifier to use`)
-    }
-    try {
-      identifier = await session.context.agent.identifierManagedGet({ identifier: holder })
-    } catch (e) {
-      logger.debug(`Holder DID not found: ${holder}`)
-      throw e
+  let presentationsAndDefs: VerifiablePresentationWithDefinition[] | undefined
+  let presentationSubmission: PresentationSubmission | undefined
+  if (await session.hasPresentationDefinitions()) {
+    const oid4vp: OID4VP = await session.getOID4VP({ hasher })
+    const credentialsAndDefinitions = args.verifiableCredentialsWithDefinition
+      ? args.verifiableCredentialsWithDefinition
+      : await oid4vp.filterCredentialsAgainstAllDefinitions(CredentialRole.HOLDER)
+    const domain =
+      ((await request.authorizationRequest.getMergedProperty('client_id')) as string) ??
+      request.issuer ??
+      (request.versions.includes(SupportedVersion.JWT_VC_PRESENTATION_PROFILE_v1)
+        ? 'https://self-issued.me/v2/openid-vc'
+        : 'https://self-issued.me/v2')
+    logger.log(`NONCE: ${session.nonce}, domain: ${domain}`)
+    const firstUniqueDC = credentialsAndDefinitions[0].credentials[0]
+    if (typeof firstUniqueDC !== 'object' || !('digitalCredential' in firstUniqueDC)) {
+      return Promise.reject(Error('SiopMachine only supports UniqueDigitalCredentials for now'))
     }
-  } else if (isOID4VCIssuerIdentifier(digitalCredential.kmsKeyRef)) {
-    identifier = await session.context.agent.identifierManagedGetByOID4VCIssuer({
-      identifier: firstUniqueDC.digitalCredential.kmsKeyRef,
-    })
-  } else {
-    switch (digitalCredential.subjectCorrelationType) {
-      case 'DID':
-        identifier = await session.context.agent.identifierManagedGetByDid({
-          identifier: digitalCredential.subjectCorrelationId ?? holder,
-          kmsKeyRef: digitalCredential.kmsKeyRef,
-        })
-        break
-      // TODO other implementations?
-      default:
-        // Since we are using the kmsKeyRef we will find the KID regardless of the identifier. We set it for later access though
-        identifier = await session.context.agent.identifierManagedGetByKid({
-          identifier: digitalCredential.subjectCorrelationId ?? holder ?? digitalCredential.kmsKeyRef,
-          kmsKeyRef: digitalCredential.kmsKeyRef,
-        })
+    let identifier: ManagedIdentifierOptsOrResult
+    const digitalCredential = firstUniqueDC.digitalCredential
+    const firstVC = firstUniqueDC.uniformVerifiableCredential
+    const holder = CredentialMapper.isSdJwtDecodedCredential(firstVC)
+      ? firstVC.decodedPayload.cnf?.jwk
+        ? //TODO SDK-19: convert the JWK to hex and search for the appropriate key and associated DID
+          //doesn't apply to did:jwk only, as you can represent any DID key as a JWK. So whenever you encounter a JWK it doesn't mean it had to come from a did:jwk in the system. It just can always be represented as a did:jwk
+          `did:jwk:${encodeJoseBlob(firstVC.decodedPayload.cnf?.jwk)}#0`
+        : firstVC.decodedPayload.sub
+      : Array.isArray(firstVC.credentialSubject)
+        ? firstVC.credentialSubject[0].id
+        : firstVC.credentialSubject.id
+    if (!digitalCredential.kmsKeyRef) {
+      // In case the store does not have the kmsKeyRef lets search for the holder
+      if (!holder) {
+        return Promise.reject(`No holder found and no kmsKeyRef in DB. Cannot determine identifier to use`)
+      }
+      try {
+        identifier = await session.context.agent.identifierManagedGet({ identifier: holder })
+      } catch (e) {
+        logger.debug(`Holder DID not found: ${holder}`)
+        throw e
+      }
+    } else if (isOID4VCIssuerIdentifier(digitalCredential.kmsKeyRef)) {
+      identifier = await session.context.agent.identifierManagedGetByOID4VCIssuer({
+        identifier: firstUniqueDC.digitalCredential.kmsKeyRef,
+      })
+    } else {
+      switch (digitalCredential.subjectCorrelationType) {
+        case 'DID':
+          identifier = await session.context.agent.identifierManagedGetByDid({
+            identifier: digitalCredential.subjectCorrelationId ?? holder,
+            kmsKeyRef: digitalCredential.kmsKeyRef,
+          })
+          break
+        // TODO other implementations?
+        default:
+          if (digitalCredential.subjectCorrelationId?.startsWith('did:') || holder?.startsWith('did:')) {
+            identifier = await session.context.agent.identifierManagedGetByDid({
+              identifier: digitalCredential.subjectCorrelationId ?? holder,
+              kmsKeyRef: digitalCredential.kmsKeyRef,
+            })
+          } else {
+            // Since we are using the kmsKeyRef we will find the KID regardless of the identifier. We set it for later access though
+            identifier = await session.context.agent.identifierManagedGetByKid({
+              identifier: digitalCredential.subjectCorrelationId ?? holder ?? digitalCredential.kmsKeyRef,
+              kmsKeyRef: digitalCredential.kmsKeyRef,
+            })
+          }
+      }
     }
-  }
-  const dcqlCredentialsWithCredentials = new Map(credentials.map((vc) => [convertToDcqlCredentials(vc), vc]))
+    if (identifier === undefined && idOpts !== undefined && (await hasEbsiClient(request.authorizationRequest))) {
+      identifier = await createEbsiIdentifier(agentContext)
+    }
+    logger.debug(`Identifier`, identifier)
-  const queryResult = DcqlQuery.query(request.dcqlQuery, Array.from(dcqlCredentialsWithCredentials.keys()))
+    // TODO Add mdoc support
-  if (!queryResult.can_be_satisfied) {
-    return Promise.reject(Error('Credentials do not match required query request'))
-  }
+    presentationsAndDefs = await oid4vp.createVerifiablePresentations(CredentialRole.HOLDER, credentialsAndDefinitions, {
+      idOpts: identifier,
+      proofOpts: {
+        nonce: session.nonce,
+        domain,
+      },
+    })
+    if (!presentationsAndDefs || presentationsAndDefs.length === 0) {
+      throw Error('No verifiable presentations could be created')
+    } else if (presentationsAndDefs.length > 1) {
+      throw Error(`Only one verifiable presentation supported for now. Got ${presentationsAndDefs.length}`)
+    }
-  const presentation: DcqlPresentation.Output = {}
-  const uniqueCredentials = Array.from(dcqlCredentialsWithCredentials.values())
-  for (const [key, value] of Object.entries(queryResult.credential_matches)) {
-    if (value.success) {
-      const matchedCredentials = value.valid_credentials.map((cred) => uniqueCredentials[cred.input_credential_index])
-      const vc = matchedCredentials[0] // taking the first match for now //uniqueCredentials[value.input_credential_index]
-      if (!vc) {
-        continue
+    idOpts = presentationsAndDefs[0].idOpts
+    presentationSubmission = presentationsAndDefs[0].presentationSubmission
+    logger.log(`Definitions and locations:`, JSON.stringify(presentationsAndDefs?.[0]?.verifiablePresentations, null, 2))
+    logger.log(`Presentation Submission:`, JSON.stringify(presentationSubmission, null, 2))
+    const mergedVerifiablePresentations = presentationsAndDefs?.flatMap((pd) => pd.verifiablePresentations) || []
+    return await session.sendAuthorizationResponse({
+      ...(presentationsAndDefs && { verifiablePresentations: mergedVerifiablePresentations }),
+      ...(presentationSubmission && { presentationSubmission }),
+      // todo: Change issuer value in case we do not use identifier. Use key.meta.jwkThumbprint then
+      responseSignerOpts: idOpts!,
+      isFirstParty,
+    })
+  } else if (request.dcqlQuery) {
+    if (args.verifiableCredentialsWithDefinition !== undefined && args.verifiableCredentialsWithDefinition !== null) {
+      const vcs = args.verifiableCredentialsWithDefinition.flatMap((vcd) => vcd.credentials)
+      const domain =
+        ((await request.authorizationRequest.getMergedProperty('client_id')) as string) ??
+        request.issuer ??
+        (request.versions.includes(SupportedVersion.JWT_VC_PRESENTATION_PROFILE_v1)
+          ? 'https://self-issued.me/v2/openid-vc'
+          : 'https://self-issued.me/v2')
+      logger.debug(`NONCE: ${session.nonce}, domain: ${domain}`)
+      const firstUniqueDC = vcs[0]
+      if (typeof firstUniqueDC !== 'object' || !('digitalCredential' in firstUniqueDC)) {
+        return Promise.reject(Error('SiopMachine only supports UniqueDigitalCredentials for now'))
       }
-      const originalVc = retrieveEncodedCredential(vc as UniqueDigitalCredential) // TODO this is not nice // also always a UniqueDigitalCredential
-      if (!originalVc) {
-        continue
+      let identifier: ManagedIdentifierOptsOrResult
+      const digitalCredential = firstUniqueDC.digitalCredential
+      const firstVC = firstUniqueDC.uniformVerifiableCredential
+      const holder = CredentialMapper.isSdJwtDecodedCredential(firstVC)
+        ? firstVC.decodedPayload.cnf?.jwk
+          ? //TODO SDK-19: convert the JWK to hex and search for the appropriate key and associated DID
+            //doesn't apply to did:jwk only, as you can represent any DID key as a JWK. So whenever you encounter a JWK it doesn't mean it had to come from a did:jwk in the system. It just can always be represented as a did:jwk
+            `did:jwk:${encodeJoseBlob(firstVC.decodedPayload.cnf?.jwk)}#0`
+          : firstVC.decodedPayload.sub
+        : Array.isArray(firstVC.credentialSubject)
+          ? firstVC.credentialSubject[0].id
+          : firstVC.credentialSubject.id
+      if (!digitalCredential.kmsKeyRef) {
+        // In case the store does not have the kmsKeyRef lets search for the holder
+        if (!holder) {
+          return Promise.reject(`No holder found and no kmsKeyRef in DB. Cannot determine identifier to use`)
+        }
+        try {
+          identifier = await session.context.agent.identifierManagedGet({ identifier: holder })
+        } catch (e) {
+          logger.debug(`Holder DID not found: ${holder}`)
+          throw e
+        }
+      } else if (isOID4VCIssuerIdentifier(digitalCredential.kmsKeyRef)) {
+        identifier = await session.context.agent.identifierManagedGetByOID4VCIssuer({
+          identifier: firstUniqueDC.digitalCredential.kmsKeyRef,
+        })
+      } else {
+        switch (digitalCredential.subjectCorrelationType) {
+          case 'DID':
+            identifier = await session.context.agent.identifierManagedGetByDid({
+              identifier: digitalCredential.subjectCorrelationId ?? holder,
+              kmsKeyRef: digitalCredential.kmsKeyRef,
+            })
+            break
+          // TODO other implementations?
+          default:
+            // Since we are using the kmsKeyRef we will find the KID regardless of the identifier. We set it for later access though
+            identifier = await session.context.agent.identifierManagedGetByKid({
+              identifier: digitalCredential.subjectCorrelationId ?? holder ?? digitalCredential.kmsKeyRef,
+              kmsKeyRef: digitalCredential.kmsKeyRef,
+            })
+        }
       }
-      // FIXME SSISDK-44
-      const decodedSdJwt = await CredentialMapper.decodeSdJwtVcAsync(originalVc as string, defaultGenerateDigest)
-      const updatedSdJwt = updateSdJwtCredential(decodedSdJwt, request.requestObject?.getPayload()?.nonce, domain)
-      const presentationResult = await context.agent.createSdJwtPresentation({
-        presentation: updatedSdJwt.compactSdJwtVc,
-        kb: {
-          payload: {
-            ...updatedSdJwt.kbJwt?.payload,
-            // FIXME SSISDK-44
-            nonce: updatedSdJwt.kbJwt?.payload.nonce ?? request.requestObject!.getPayload()!.nonce,
-            // FIXME SSISDK-44
-            aud: updatedSdJwt.kbJwt?.payload.aud ?? domain,
-            iat: updatedSdJwt.kbJwt?.payload?.iat ?? Math.floor(Date.now() / 1000 - CLOCK_SKEW),
-          },
-        },
+      console.log(`Identifier`, identifier)
+      const dcqlRepresentations: DcqlCredential[] = []
+      vcs.forEach((vc: UniqueDigitalCredential | OriginalVerifiableCredential) => {
+        const rep = convertToDcqlCredentials(vc, args.hasher)
+        if (rep) {
+          dcqlRepresentations.push(rep)
+        }
       })
-      if (originalVc) {
-        presentation[key] = presentationResult.presentation
+      const queryResult = DcqlQuery.query(request.dcqlQuery, dcqlRepresentations)
+      const presentation: Record<string, DcqlCredentialPresentation> = {}
+      for (const [key, value] of Object.entries(queryResult.credential_matches)) {
+        const allMatches = Array.isArray(value) ? value : [value]
+        allMatches.forEach((match) => {
+          if (match.success) {
+            const originalCredential = getOriginalVerifiableCredential(vcs[match.input_credential_index])
+            if (!originalCredential) {
+              throw new Error(`Index ${match.input_credential_index} out of range in credentials array`)
+            }
+            presentation[key] =
+              (originalCredential as any)['compactSdJwtVc'] !== undefined ? (originalCredential as any).compactSdJwtVc : originalCredential
+          }
+        })
       }
-    }
-  }
-  const dcqlPresentation = DcqlPresentation.parse(presentation)
+      const response = session.sendAuthorizationResponse({
+        responseSignerOpts: identifier,
+        ...{ dcqlQuery: { dcqlPresentation: DcqlPresentation.parse(presentation) } },
+      })
-  const response = session.sendAuthorizationResponse({
-    responseSignerOpts: identifier,
-    dcqlResponse: {
-      dcqlPresentation,
-    },
-  })
+      logger.debug(`Response: `, response)
-  logger.debug(`Response: `, response)
-  return response
+      return response
+    }
+  }
+  throw Error('Presentation Definition or DCQL is required')
 }
-const retrieveEncodedCredential = (credential: UniqueDigitalCredential): OriginalVerifiableCredential | undefined => {
-  return credential.originalVerifiableCredential !== undefined &&
-    credential.originalVerifiableCredential !== null &&
-    (credential?.originalVerifiableCredential as SdJwtDecodedVerifiableCredential)?.compactSdJwtVc !== undefined &&
-    (credential?.originalVerifiableCredential as SdJwtDecodedVerifiableCredential)?.compactSdJwtVc !== null
-    ? (credential.originalVerifiableCredential as SdJwtDecodedVerifiableCredential).compactSdJwtVc
-    : credential.originalVerifiableCredential
+function buildPartialPD(
+  inputDescriptor: InputDescriptorV1 | InputDescriptorV2,
+  presentationDefinition: PresentationDefinitionV1 | PresentationDefinitionV2,
+): IPresentationDefinition {
+  return {
+    ...presentationDefinition,
+    input_descriptors: [inputDescriptor],
+  } as IPresentationDefinition
 }
-export const getSelectableCredentials = async (dcqlQuery: DcqlQuery, context: RequiredContext): Promise<SelectableCredentialsMap> => {
-  const agentContext = { ...context, agent: context.agent }
+export const getSelectableCredentials = async (
+  presentationDefinition: IPresentationDefinition,
+  context: RequiredContext,
+): Promise<SelectableCredentialsMap> => {
+  const agentContext = { ...context, agent: context.agent as SuitableCredentialAgents }
   const { agent } = agentContext
+  const pex = new PEX()
   const uniqueVerifiableCredentials = await agent.crsGetUniqueCredentials({
     filter: verifiableCredentialForRoleFilter(CredentialRole.HOLDER),
   })
-  const branding = await agent.ibGetCredentialBranding()
-  const dcqlCredentialsWithCredentials = new Map(uniqueVerifiableCredentials.map((vc) => [convertToDcqlCredentials(vc), vc]))
-  const queryResult = DcqlQuery.query(dcqlQuery, Array.from(dcqlCredentialsWithCredentials.keys()))
-  const uniqueCredentials = Array.from(dcqlCredentialsWithCredentials.values())
+  const credentialBranding = await agent.ibGetCredentialBranding()
   const selectableCredentialsMap: SelectableCredentialsMap = new Map()
-  for (const [key, value] of Object.entries(queryResult.credential_matches)) {
-    if (!value.valid_credentials) {
-      continue
-    }
+  for (const inputDescriptor of presentationDefinition.input_descriptors) {
+    const partialPD = buildPartialPD(inputDescriptor, presentationDefinition)
+    const originalCredentials = uniqueVerifiableCredentials.map((uniqueVC) => {
+      return CredentialMapper.storedCredentialToOriginalFormat(uniqueVC.originalVerifiableCredential!) // ( ! is valid for verifiableCredentialForRoleFilter )
+    })
+    const selectionResults = pex.selectFrom(partialPD, originalCredentials)
-    const mapSelectableCredentialPromises = value.valid_credentials.map(async (cred) => {
-      const matchedCredential = uniqueCredentials[cred.input_credential_index]
-      const credentialBranding = branding.filter((cb) => cb.vcHash === matchedCredential.hash)
-      const issuerPartyIdentity = await agent.cmGetContacts({
-        filter: [{ identities: { identifier: { correlationId: matchedCredential.uniformVerifiableCredential!.issuerDid } } }],
-      })
-      const subjectPartyIdentity = await agent.cmGetContacts({
-        filter: [{ identities: { identifier: { correlationId: matchedCredential.uniformVerifiableCredential!.subjectDid } } }],
+    const selectableCredentials: Array<SelectableCredential> = []
+    for (const selectedCredential of selectionResults.verifiableCredential || []) {
+      const filteredUniqueVC = uniqueVerifiableCredentials.find((uniqueVC) => {
+        const proof = uniqueVC.uniformVerifiableCredential!.proof
+        return Array.isArray(proof) ? proof.some((proofItem) => proofItem.jwt === selectedCredential) : proof.jwt === selectedCredential
       })
-      return {
-        credential: matchedCredential,
-        credentialBranding: credentialBranding[0]?.localeBranding,
-        issuerParty: issuerPartyIdentity?.[0],
-        subjectParty: subjectPartyIdentity?.[0],
-      }
-    })
+      if (filteredUniqueVC) {
+        const filteredCredentialBrandings = credentialBranding.filter((cb) => cb.vcHash === filteredUniqueVC.hash)
+        const issuerPartyIdentity = await agent.cmGetContacts({
+          filter: [{ identities: { identifier: { correlationId: filteredUniqueVC.uniformVerifiableCredential!.issuerDid } } }],
+        })
+        const subjectPartyIdentity = await agent.cmGetContacts({
+          filter: [{ identities: { identifier: { correlationId: filteredUniqueVC.uniformVerifiableCredential!.subjectDid } } }],
+        })
-    const selectableCredentials: Array<SelectableCredential> = await Promise.all(mapSelectableCredentialPromises)
-    selectableCredentialsMap.set(key, selectableCredentials)
+        selectableCredentials.push({
+          credential: filteredUniqueVC,
+          credentialBranding: filteredCredentialBrandings[0]?.localeBranding,
+          issuerParty: issuerPartyIdentity?.[0],
+          subjectParty: subjectPartyIdentity?.[0],
+        })
+      }
+    }
+    selectableCredentialsMap.set(inputDescriptor.id, selectableCredentials)
   }
   return selectableCredentialsMap
 }
@@ -246,33 +352,3 @@ export const translateCorrelationIdToName = async (correlationId: string, contex
   return contacts[0].contact.displayName
 }
-const updateSdJwtCredential = (
-  credential: SdJwtDecodedVerifiableCredential,
-  nonce?: string,
-  aud?: string,
-): PartialSdJwtDecodedVerifiableCredential => {
-  const sdJwtCredential = credential as SdJwtDecodedVerifiableCredential
-  // extract sd_alg or default to sha-256
-  const hashAlg = sdJwtCredential.signedPayload._sd_alg ?? 'sha-256'
-  const sdHash = calculateSdHash(sdJwtCredential.compactSdJwtVc, hashAlg, defaultGenerateDigest)
-  const kbJwt = {
-    // alg MUST be set by the signer
-    header: {
-      typ: 'kb+jwt',
-    },
-    payload: {
-      iat: Math.floor(new Date().getTime() / 1000),
-      sd_hash: sdHash,
-      ...(nonce && { nonce }),
-      ...(aud && { aud }),
-    },
-  } satisfies PartialSdJwtKbJwt
-  return {
-    ...sdJwtCredential,
-    kbJwt,
-  } satisfies PartialSdJwtDecodedVerifiableCredential
-}