@sphereon/ssi-sdk.siopv2-oid4vp-op-auth 0.34.1-feature.FIDES.1.274 → 0.34.1-feature.IDK.11.49

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (20) hide show
  1. package/dist/index.cjs +1091 -608
  2. package/dist/index.cjs.map +1 -1
  3. package/dist/index.d.cts +112 -710
  4. package/dist/index.d.ts +112 -710
  5. package/dist/index.js +1046 -563
  6. package/dist/index.js.map +1 -1
  7. package/package.json +24 -24
  8. package/src/agent/DidAuthSiopOpAuthenticator.ts +145 -10
  9. package/src/index.ts +1 -2
  10. package/src/machine/Siopv2Machine.ts +5 -5
  11. package/src/services/Siopv2MachineService.ts +265 -189
  12. package/src/session/OID4VP.ts +300 -310
  13. package/src/session/OpSession.ts +114 -22
  14. package/src/session/functions.ts +8 -1
  15. package/src/types/IDidAuthSiopOpAuthenticator.ts +59 -6
  16. package/src/types/identifier/index.ts +4 -0
  17. package/src/types/machine/index.ts +1 -1
  18. package/src/types/siop-service/index.ts +10 -12
  19. package/src/utils/CredentialUtils.ts +40 -2
  20. package/src/utils/dcql.ts +19 -22
package/dist/index.js CHANGED
@@ -35,340 +35,344 @@ var require_nl = __commonJS({
35
35
  });
36
36
 
37
37
  // plugin.schema.json
38
- var plugin_schema_default = {
39
- IDidAuthSiopOpAuthenticator: {
40
- components: {
41
- schemas: {
42
- IGetSiopSessionArgs: {
43
- type: "object",
44
- properties: {
45
- sessionId: {
46
- type: "string"
38
+ var require_plugin_schema = __commonJS({
39
+ "plugin.schema.json"(exports, module) {
40
+ module.exports = {
41
+ IDidAuthSiopOpAuthenticator: {
42
+ components: {
43
+ schemas: {
44
+ IGetSiopSessionArgs: {
45
+ type: "object",
46
+ properties: {
47
+ sessionId: {
48
+ type: "string"
49
+ },
50
+ additionalProperties: false
51
+ },
52
+ required: ["sessionId"],
53
+ description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.getSessionForSiop } "
47
54
  },
48
- additionalProperties: false
49
- },
50
- required: ["sessionId"],
51
- description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.getSessionForSiop } "
52
- },
53
- IRegisterSiopSessionArgs: {
54
- type: "object",
55
- properties: {
56
- identifier: {
55
+ IRegisterSiopSessionArgs: {
57
56
  type: "object",
58
57
  properties: {
59
- did: {
58
+ identifier: {
59
+ type: "object",
60
+ properties: {
61
+ did: {
62
+ type: "string"
63
+ },
64
+ alias: {
65
+ type: "string"
66
+ },
67
+ provider: {
68
+ type: "string"
69
+ },
70
+ controllerKeyId: {
71
+ type: "string"
72
+ },
73
+ keys: {
74
+ type: "array",
75
+ items: {
76
+ type: "object",
77
+ properties: {
78
+ additionalProperties: true
79
+ }
80
+ }
81
+ },
82
+ services: {
83
+ type: "array",
84
+ items: {
85
+ type: "object",
86
+ properties: {
87
+ additionalProperties: true
88
+ }
89
+ }
90
+ }
91
+ },
92
+ additionalProperties: false,
93
+ required: ["did", "provider", "keys", "services"]
94
+ },
95
+ sessionId: {
60
96
  type: "string"
61
97
  },
62
- alias: {
98
+ expiresIn: {
99
+ type: "number"
100
+ },
101
+ additionalProperties: false
102
+ },
103
+ required: ["identifier"],
104
+ description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.registerSessionForSiop } "
105
+ },
106
+ IRemoveSiopSessionArgs: {
107
+ type: "object",
108
+ properties: {
109
+ sessionId: {
63
110
  type: "string"
64
111
  },
65
- provider: {
112
+ additionalProperties: false
113
+ },
114
+ required: ["sessionId"],
115
+ description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.removeSessionForSiop } "
116
+ },
117
+ IAuthenticateWithSiopArgs: {
118
+ type: "object",
119
+ properties: {
120
+ sessionId: {
66
121
  type: "string"
67
122
  },
68
- controllerKeyId: {
123
+ stateId: {
69
124
  type: "string"
70
125
  },
71
- keys: {
72
- type: "array",
73
- items: {
74
- type: "object",
75
- properties: {
76
- additionalProperties: true
77
- }
78
- }
126
+ redirectUrl: {
127
+ type: "string"
79
128
  },
80
- services: {
81
- type: "array",
82
- items: {
83
- type: "object",
84
- properties: {
85
- additionalProperties: true
86
- }
87
- }
88
- }
129
+ additionalProperties: false
89
130
  },
90
- additionalProperties: false,
91
- required: ["did", "provider", "keys", "services"]
92
- },
93
- sessionId: {
94
- type: "string"
95
- },
96
- expiresIn: {
97
- type: "number"
131
+ required: ["sessionId", "stateId", "redirectUrl"],
132
+ description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.authenticateWithSiop } "
98
133
  },
99
- additionalProperties: false
100
- },
101
- required: ["identifier"],
102
- description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.registerSessionForSiop } "
103
- },
104
- IRemoveSiopSessionArgs: {
105
- type: "object",
106
- properties: {
107
- sessionId: {
108
- type: "string"
109
- },
110
- additionalProperties: false
111
- },
112
- required: ["sessionId"],
113
- description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.removeSessionForSiop } "
114
- },
115
- IAuthenticateWithSiopArgs: {
116
- type: "object",
117
- properties: {
118
- sessionId: {
119
- type: "string"
120
- },
121
- stateId: {
122
- type: "string"
123
- },
124
- redirectUrl: {
125
- type: "string"
126
- },
127
- additionalProperties: false
128
- },
129
- required: ["sessionId", "stateId", "redirectUrl"],
130
- description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.authenticateWithSiop } "
131
- },
132
- IResponse: {
133
- type: "object",
134
- properties: {
135
- status: {
136
- type: "number"
137
- },
138
- additionalProperties: true
139
- },
140
- required: ["status"],
141
- description: "Result of {@link DidAuthSiopOpAuthenticator.authenticateWithSiop & DidAuthSiopOpAuthenticator.sendSiopAuthenticationResponse } "
142
- },
143
- IGetSiopAuthenticationRequestFromRpArgs: {
144
- type: "object",
145
- properties: {
146
- sessionId: {
147
- type: "string"
148
- },
149
- stateId: {
150
- type: "string"
151
- },
152
- redirectUrl: {
153
- type: "string"
154
- },
155
- additionalProperties: false
156
- },
157
- required: ["sessionId", "stateId", "redirectUrl"],
158
- description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.getSiopAuthenticationRequestFromRP } "
159
- },
160
- ParsedAuthenticationRequestURI: {
161
- type: "object",
162
- properties: {
163
- jwt: {
164
- type: "string"
165
- },
166
- requestPayload: {
134
+ IResponse: {
167
135
  type: "object",
168
136
  properties: {
137
+ status: {
138
+ type: "number"
139
+ },
169
140
  additionalProperties: true
170
- }
141
+ },
142
+ required: ["status"],
143
+ description: "Result of {@link DidAuthSiopOpAuthenticator.authenticateWithSiop & DidAuthSiopOpAuthenticator.sendSiopAuthenticationResponse } "
171
144
  },
172
- registration: {
145
+ IGetSiopAuthenticationRequestFromRpArgs: {
173
146
  type: "object",
174
147
  properties: {
175
- additionalProperties: true
176
- }
177
- },
178
- additionalProperties: false
179
- },
180
- required: ["jwt", "requestPayload", "registration"],
181
- description: "Result of {@link DidAuthSiopOpAuthenticator.getSiopAuthenticationRequestFromRP } "
182
- },
183
- IGetSiopAuthenticationRequestDetailsArgs: {
184
- type: "object",
185
- properties: {
186
- sessionId: {
187
- type: "string"
148
+ sessionId: {
149
+ type: "string"
150
+ },
151
+ stateId: {
152
+ type: "string"
153
+ },
154
+ redirectUrl: {
155
+ type: "string"
156
+ },
157
+ additionalProperties: false
158
+ },
159
+ required: ["sessionId", "stateId", "redirectUrl"],
160
+ description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.getSiopAuthenticationRequestFromRP } "
188
161
  },
189
- verifiedAuthenticationRequest: {
162
+ ParsedAuthenticationRequestURI: {
190
163
  type: "object",
191
164
  properties: {
192
- additionalProperties: true
193
- }
165
+ jwt: {
166
+ type: "string"
167
+ },
168
+ requestPayload: {
169
+ type: "object",
170
+ properties: {
171
+ additionalProperties: true
172
+ }
173
+ },
174
+ registration: {
175
+ type: "object",
176
+ properties: {
177
+ additionalProperties: true
178
+ }
179
+ },
180
+ additionalProperties: false
181
+ },
182
+ required: ["jwt", "requestPayload", "registration"],
183
+ description: "Result of {@link DidAuthSiopOpAuthenticator.getSiopAuthenticationRequestFromRP } "
194
184
  },
195
- credentialFilter: {
185
+ IGetSiopAuthenticationRequestDetailsArgs: {
196
186
  type: "object",
197
187
  properties: {
198
- additionalProperties: true
199
- }
200
- },
201
- additionalProperties: false
202
- },
203
- required: ["sessionId", "verifiedAuthenticationRequest"],
204
- description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.getSiopAuthenticationRequestDetails } "
205
- },
206
- IAuthRequestDetails: {
207
- type: "object",
208
- properties: {
209
- id: {
210
- type: "string"
211
- },
212
- alsoKnownAs: {
213
- type: "array",
214
- items: {
215
- type: "string"
216
- }
188
+ sessionId: {
189
+ type: "string"
190
+ },
191
+ verifiedAuthenticationRequest: {
192
+ type: "object",
193
+ properties: {
194
+ additionalProperties: true
195
+ }
196
+ },
197
+ credentialFilter: {
198
+ type: "object",
199
+ properties: {
200
+ additionalProperties: true
201
+ }
202
+ },
203
+ additionalProperties: false
204
+ },
205
+ required: ["sessionId", "verifiedAuthenticationRequest"],
206
+ description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.getSiopAuthenticationRequestDetails } "
217
207
  },
218
- vpResponseOpts: {
208
+ IAuthRequestDetails: {
219
209
  type: "object",
220
210
  properties: {
221
- additionalProperties: true
222
- }
223
- },
224
- additionalProperties: false
225
- },
226
- required: ["id", "vpResponseOpts"],
227
- description: "Result of {@link DidAuthSiopOpAuthenticator.getSiopAuthenticationRequestDetails } "
228
- },
229
- IVerifySiopAuthenticationRequestUriArgs: {
230
- type: "object",
231
- properties: {
232
- sessionId: {
233
- type: "string"
211
+ id: {
212
+ type: "string"
213
+ },
214
+ alsoKnownAs: {
215
+ type: "array",
216
+ items: {
217
+ type: "string"
218
+ }
219
+ },
220
+ vpResponseOpts: {
221
+ type: "object",
222
+ properties: {
223
+ additionalProperties: true
224
+ }
225
+ },
226
+ additionalProperties: false
227
+ },
228
+ required: ["id", "vpResponseOpts"],
229
+ description: "Result of {@link DidAuthSiopOpAuthenticator.getSiopAuthenticationRequestDetails } "
234
230
  },
235
- ParsedAuthenticationRequestURI: {
231
+ IVerifySiopAuthenticationRequestUriArgs: {
236
232
  type: "object",
237
233
  properties: {
238
- additionalProperties: true
239
- }
234
+ sessionId: {
235
+ type: "string"
236
+ },
237
+ ParsedAuthenticationRequestURI: {
238
+ type: "object",
239
+ properties: {
240
+ additionalProperties: true
241
+ }
242
+ },
243
+ additionalProperties: false
244
+ },
245
+ required: ["sessionId", "ParsedAuthenticationRequestURI"],
246
+ description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.verifySiopAuthenticationRequestURI } "
240
247
  },
241
- additionalProperties: false
242
- },
243
- required: ["sessionId", "ParsedAuthenticationRequestURI"],
244
- description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.verifySiopAuthenticationRequestURI } "
245
- },
246
- VerifiedAuthorizationRequest: {
247
- type: "object",
248
- properties: {
249
- payload: {
248
+ VerifiedAuthorizationRequest: {
250
249
  type: "object",
251
250
  properties: {
252
- additionalProperties: true
253
- }
251
+ payload: {
252
+ type: "object",
253
+ properties: {
254
+ additionalProperties: true
255
+ }
256
+ },
257
+ presentationDefinitions: {
258
+ type: "object",
259
+ properties: {
260
+ additionalProperties: true
261
+ }
262
+ },
263
+ verifyOpts: {
264
+ type: "object",
265
+ properties: {
266
+ additionalProperties: true
267
+ }
268
+ },
269
+ additionalProperties: false
270
+ },
271
+ required: ["payload", "verifyOpts"],
272
+ description: "Result of {@link DidAuthSiopOpAuthenticator.verifySiopAuthenticationRequestURI } "
254
273
  },
255
- presentationDefinitions: {
274
+ ISendSiopAuthenticationResponseArgs: {
256
275
  type: "object",
257
276
  properties: {
258
- additionalProperties: true
259
- }
277
+ sessionId: {
278
+ type: "string"
279
+ },
280
+ verifiedAuthenticationRequest: {
281
+ type: "object",
282
+ properties: {
283
+ additionalProperties: true
284
+ }
285
+ },
286
+ verifiablePresentationResponse: {
287
+ type: "object",
288
+ properties: {
289
+ additionalProperties: true
290
+ }
291
+ },
292
+ additionalProperties: false
293
+ },
294
+ required: ["sessionId", "verifiedAuthenticationRequest"],
295
+ description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.sendSiopAuthenticationResponse } "
296
+ }
297
+ },
298
+ methods: {
299
+ getSessionForSiop: {
300
+ description: "Get SIOP session",
301
+ arguments: {
302
+ $ref: "#/components/schemas/IGetSiopSessionArgs"
303
+ },
304
+ returnType: "object"
260
305
  },
261
- verifyOpts: {
262
- type: "object",
263
- properties: {
264
- additionalProperties: true
306
+ registerSessionForSiop: {
307
+ description: "Register SIOP session",
308
+ arguments: {
309
+ $ref: "#/components/schemas/IRegisterSiopSessionArgs"
310
+ },
311
+ returnType: "object"
312
+ },
313
+ removeSessionForSiop: {
314
+ description: "Remove SIOP session",
315
+ arguments: {
316
+ $ref: "#/components/schemas/IRemoveSiopSessionArgs"
317
+ },
318
+ returnType: "boolean"
319
+ },
320
+ authenticateWithSiop: {
321
+ description: "Authenticate using DID Auth SIOP",
322
+ arguments: {
323
+ $ref: "#/components/schemas/IAuthenticateWithSiopArgs"
324
+ },
325
+ returnType: {
326
+ $ref: "#/components/schemas/Response"
265
327
  }
266
328
  },
267
- additionalProperties: false
268
- },
269
- required: ["payload", "verifyOpts"],
270
- description: "Result of {@link DidAuthSiopOpAuthenticator.verifySiopAuthenticationRequestURI } "
271
- },
272
- ISendSiopAuthenticationResponseArgs: {
273
- type: "object",
274
- properties: {
275
- sessionId: {
276
- type: "string"
329
+ getSiopAuthenticationRequestFromRP: {
330
+ description: "Get authentication request from RP",
331
+ arguments: {
332
+ $ref: "#/components/schemas/IGetSiopAuthenticationRequestFromRpArgs"
333
+ },
334
+ returnType: {
335
+ $ref: "#/components/schemas/ParsedAuthenticationRequestURI"
336
+ }
277
337
  },
278
- verifiedAuthenticationRequest: {
279
- type: "object",
280
- properties: {
281
- additionalProperties: true
338
+ getSiopAuthenticationRequestDetails: {
339
+ description: "Get authentication request details",
340
+ arguments: {
341
+ $ref: "#/components/schemas/IGetSiopAuthenticationRequestDetailsArgs"
342
+ },
343
+ returnType: {
344
+ $ref: "#/components/schemas/IAuthRequestDetails"
282
345
  }
283
346
  },
284
- verifiablePresentationResponse: {
285
- type: "object",
286
- properties: {
287
- additionalProperties: true
347
+ verifySiopAuthenticationRequestURI: {
348
+ description: "Verify authentication request URI",
349
+ arguments: {
350
+ $ref: "#/components/schemas/IVerifySiopAuthenticationRequestUriArgs"
351
+ },
352
+ returnType: {
353
+ $ref: "#/components/schemas/VerifiedAuthorizationRequest"
288
354
  }
289
355
  },
290
- additionalProperties: false
291
- },
292
- required: ["sessionId", "verifiedAuthenticationRequest"],
293
- description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.sendSiopAuthenticationResponse } "
294
- }
295
- },
296
- methods: {
297
- getSessionForSiop: {
298
- description: "Get SIOP session",
299
- arguments: {
300
- $ref: "#/components/schemas/IGetSiopSessionArgs"
301
- },
302
- returnType: "object"
303
- },
304
- registerSessionForSiop: {
305
- description: "Register SIOP session",
306
- arguments: {
307
- $ref: "#/components/schemas/IRegisterSiopSessionArgs"
308
- },
309
- returnType: "object"
310
- },
311
- removeSessionForSiop: {
312
- description: "Remove SIOP session",
313
- arguments: {
314
- $ref: "#/components/schemas/IRemoveSiopSessionArgs"
315
- },
316
- returnType: "boolean"
317
- },
318
- authenticateWithSiop: {
319
- description: "Authenticate using DID Auth SIOP",
320
- arguments: {
321
- $ref: "#/components/schemas/IAuthenticateWithSiopArgs"
322
- },
323
- returnType: {
324
- $ref: "#/components/schemas/Response"
325
- }
326
- },
327
- getSiopAuthenticationRequestFromRP: {
328
- description: "Get authentication request from RP",
329
- arguments: {
330
- $ref: "#/components/schemas/IGetSiopAuthenticationRequestFromRpArgs"
331
- },
332
- returnType: {
333
- $ref: "#/components/schemas/ParsedAuthenticationRequestURI"
334
- }
335
- },
336
- getSiopAuthenticationRequestDetails: {
337
- description: "Get authentication request details",
338
- arguments: {
339
- $ref: "#/components/schemas/IGetSiopAuthenticationRequestDetailsArgs"
340
- },
341
- returnType: {
342
- $ref: "#/components/schemas/IAuthRequestDetails"
343
- }
344
- },
345
- verifySiopAuthenticationRequestURI: {
346
- description: "Verify authentication request URI",
347
- arguments: {
348
- $ref: "#/components/schemas/IVerifySiopAuthenticationRequestUriArgs"
349
- },
350
- returnType: {
351
- $ref: "#/components/schemas/VerifiedAuthorizationRequest"
352
- }
353
- },
354
- sendSiopAuthenticationResponse: {
355
- description: "Send authentication response",
356
- arguments: {
357
- $ref: "#/components/schemas/ISendSiopAuthenticationResponseArgs"
358
- },
359
- returnType: {
360
- $ref: "#/components/schemas/IRequiredContext"
356
+ sendSiopAuthenticationResponse: {
357
+ description: "Send authentication response",
358
+ arguments: {
359
+ $ref: "#/components/schemas/ISendSiopAuthenticationResponseArgs"
360
+ },
361
+ returnType: {
362
+ $ref: "#/components/schemas/IRequiredContext"
363
+ }
364
+ }
361
365
  }
362
366
  }
363
367
  }
364
- }
368
+ };
365
369
  }
366
- };
370
+ });
367
371
 
368
372
  // src/agent/DidAuthSiopOpAuthenticator.ts
369
- import { decodeUriAsJson } from "@sphereon/did-auth-siop";
370
- import { ConnectionType as ConnectionType2, CorrelationIdentifierType, IdentityOrigin } from "@sphereon/ssi-sdk.data-store-types";
371
- import { Loggers as Loggers4, CredentialRole as CredentialRole2 } from "@sphereon/ssi-types";
373
+ import { decodeUriAsJson, SupportedVersion as SupportedVersion3 } from "@sphereon/did-auth-siop";
374
+ import { ConnectionType as ConnectionType2, CorrelationIdentifierType, CredentialDocumentFormat, CredentialRole as CredentialRole2, DocumentType, IdentityOrigin } from "@sphereon/ssi-sdk.data-store";
375
+ import { Loggers as Loggers4 } from "@sphereon/ssi-types";
372
376
  import { v4 as uuidv4 } from "uuid";
373
377
 
374
378
  // src/session/functions.ts
@@ -394,8 +398,10 @@ __name(createOID4VPPresentationSignCallback, "createOID4VPPresentationSignCallba
394
398
  async function createOPBuilder({ opOptions, idOpts: idOpts1, context }) {
395
399
  const eventEmitter = opOptions.eventEmitter ?? new EventEmitter();
396
400
  const builder = OP.builder().withResponseMode(opOptions.responseMode ?? ResponseMode.DIRECT_POST).withSupportedVersions(opOptions.supportedVersions ?? [
397
- SupportedVersion.OID4VP_v1,
398
- SupportedVersion.SIOPv2_OID4VP_D28
401
+ SupportedVersion.SIOPv2_ID1,
402
+ SupportedVersion.JWT_VC_PRESENTATION_PROFILE_v1,
403
+ SupportedVersion.SIOPv2_D11,
404
+ SupportedVersion.SIOPv2_D12_OID4VP_D18
399
405
  ]).withExpiresIn(opOptions.expiresIn ?? 300).withEventEmitter(eventEmitter).withRegistration({
400
406
  passBy: PassBy.VALUE
401
407
  });
@@ -522,15 +528,104 @@ function getSigningAlgo(type) {
522
528
  }
523
529
  __name(getSigningAlgo, "getSigningAlgo");
524
530
 
531
+ // src/session/OID4VP.ts
532
+ import { PresentationExchange } from "@sphereon/did-auth-siop";
533
+ import { Status } from "@sphereon/pex";
534
+ import { isManagedIdentifierDidResult, isOID4VCIssuerIdentifier } from "@sphereon/ssi-sdk-ext.identifier-resolution";
535
+ import { defaultHasher } from "@sphereon/ssi-sdk.core";
536
+ import { verifiableCredentialForRoleFilter } from "@sphereon/ssi-sdk.credential-store";
537
+
538
+ // src/types/IDidAuthSiopOpAuthenticator.ts
539
+ var LOGGER_NAMESPACE = "sphereon:siopv2-oid4vp:op-auth";
540
+ var events = /* @__PURE__ */ (function(events2) {
541
+ events2["DID_SIOP_AUTHENTICATED"] = "didSiopAuthenticated";
542
+ return events2;
543
+ })({});
544
+ var DEFAULT_JWT_PROOF_TYPE = "JwtProof2020";
545
+
546
+ // src/types/siop-service/index.ts
547
+ var Siopv2HolderEvent = /* @__PURE__ */ (function(Siopv2HolderEvent2) {
548
+ Siopv2HolderEvent2["CONTACT_IDENTITY_CREATED"] = "contact_identity_created";
549
+ Siopv2HolderEvent2["IDENTIFIER_CREATED"] = "identifier_created";
550
+ return Siopv2HolderEvent2;
551
+ })({});
552
+ var SupportedLanguage = /* @__PURE__ */ (function(SupportedLanguage2) {
553
+ SupportedLanguage2["ENGLISH"] = "en";
554
+ SupportedLanguage2["DUTCH"] = "nl";
555
+ return SupportedLanguage2;
556
+ })({});
557
+
558
+ // src/types/machine/index.ts
559
+ var Siopv2MachineStates = /* @__PURE__ */ (function(Siopv2MachineStates2) {
560
+ Siopv2MachineStates2["createConfig"] = "createConfig";
561
+ Siopv2MachineStates2["getSiopRequest"] = "getSiopRequest";
562
+ Siopv2MachineStates2["getSelectableCredentials"] = "getSelectableCredentials";
563
+ Siopv2MachineStates2["retrieveContact"] = "retrieveContact";
564
+ Siopv2MachineStates2["transitionFromSetup"] = "transitionFromSetup";
565
+ Siopv2MachineStates2["addContact"] = "addContact";
566
+ Siopv2MachineStates2["addContactIdentity"] = "addContactIdentity";
567
+ Siopv2MachineStates2["selectCredentials"] = "selectCredentials";
568
+ Siopv2MachineStates2["sendResponse"] = "sendResponse";
569
+ Siopv2MachineStates2["handleError"] = "handleError";
570
+ Siopv2MachineStates2["aborted"] = "aborted";
571
+ Siopv2MachineStates2["declined"] = "declined";
572
+ Siopv2MachineStates2["error"] = "error";
573
+ Siopv2MachineStates2["done"] = "done";
574
+ return Siopv2MachineStates2;
575
+ })({});
576
+ var Siopv2MachineAddContactStates = /* @__PURE__ */ (function(Siopv2MachineAddContactStates2) {
577
+ Siopv2MachineAddContactStates2["idle"] = "idle";
578
+ Siopv2MachineAddContactStates2["executing"] = "executing";
579
+ Siopv2MachineAddContactStates2["next"] = "next";
580
+ return Siopv2MachineAddContactStates2;
581
+ })({});
582
+ var Siopv2MachineEvents = /* @__PURE__ */ (function(Siopv2MachineEvents2) {
583
+ Siopv2MachineEvents2["NEXT"] = "NEXT";
584
+ Siopv2MachineEvents2["PREVIOUS"] = "PREVIOUS";
585
+ Siopv2MachineEvents2["DECLINE"] = "DECLINE";
586
+ Siopv2MachineEvents2["SET_CONTACT_ALIAS"] = "SET_CONTACT_ALIAS";
587
+ Siopv2MachineEvents2["SET_CONTACT_CONSENT"] = "SET_CONTACT_CONSENT";
588
+ Siopv2MachineEvents2["CREATE_CONTACT"] = "CREATE_CONTACT";
589
+ Siopv2MachineEvents2["SET_SELECTED_CREDENTIALS"] = "SET_SELECTED_CREDENTIALS";
590
+ return Siopv2MachineEvents2;
591
+ })({});
592
+ var Siopv2MachineGuards = /* @__PURE__ */ (function(Siopv2MachineGuards2) {
593
+ Siopv2MachineGuards2["hasNoContactGuard"] = "Siopv2HasNoContactGuard";
594
+ Siopv2MachineGuards2["createContactGuard"] = "Siopv2CreateContactGuard";
595
+ Siopv2MachineGuards2["hasContactGuard"] = "Siopv2HasContactGuard";
596
+ Siopv2MachineGuards2["hasAuthorizationRequestGuard"] = "Siopv2HasAuthorizationRequestGuard";
597
+ Siopv2MachineGuards2["hasSelectableCredentialsAndContactGuard"] = "Siopv2HasSelectableCredentialsAndContactGuard";
598
+ Siopv2MachineGuards2["hasSelectedRequiredCredentialsGuard"] = "Siopv2HasSelectedRequiredCredentialsGuard";
599
+ Siopv2MachineGuards2["siopOnlyGuard"] = "Siopv2IsSiopOnlyGuard";
600
+ Siopv2MachineGuards2["siopWithOID4VPGuard"] = "Siopv2IsSiopWithOID4VPGuard";
601
+ return Siopv2MachineGuards2;
602
+ })({});
603
+ var Siopv2MachineServices = /* @__PURE__ */ (function(Siopv2MachineServices2) {
604
+ Siopv2MachineServices2["getSiopRequest"] = "getSiopRequest";
605
+ Siopv2MachineServices2["getSelectableCredentials"] = "getSelectableCredentials";
606
+ Siopv2MachineServices2["retrieveContact"] = "retrieveContact";
607
+ Siopv2MachineServices2["addContactIdentity"] = "addContactIdentity";
608
+ Siopv2MachineServices2["sendResponse"] = "sendResponse";
609
+ Siopv2MachineServices2["createConfig"] = "createConfig";
610
+ return Siopv2MachineServices2;
611
+ })({});
612
+
613
+ // src/types/identifier/index.ts
614
+ var DID_PREFIX = "did";
615
+
525
616
  // src/session/OID4VP.ts
526
617
  var OID4VP = class _OID4VP {
527
618
  static {
528
619
  __name(this, "OID4VP");
529
620
  }
530
- //private readonly session: OpSession
531
- // private readonly allIdentifiers: string[]
532
- // private readonly hasher?: HasherSync
621
+ session;
622
+ allIdentifiers;
623
+ hasher;
533
624
  constructor(args) {
625
+ const { session, allIdentifiers, hasher = defaultHasher } = args;
626
+ this.session = session;
627
+ this.allIdentifiers = allIdentifiers ?? [];
628
+ this.hasher = hasher;
534
629
  }
535
630
  static async init(session, allIdentifiers, hasher) {
536
631
  return new _OID4VP({
@@ -539,14 +634,184 @@ var OID4VP = class _OID4VP {
539
634
  hasher
540
635
  });
541
636
  }
637
+ async getPresentationDefinitions() {
638
+ const definitions = await this.session.getPresentationDefinitions();
639
+ if (definitions) {
640
+ PresentationExchange.assertValidPresentationDefinitionWithLocations(definitions);
641
+ }
642
+ return definitions;
643
+ }
644
+ getPresentationExchange(args) {
645
+ const { verifiableCredentials, allIdentifiers, hasher } = args;
646
+ return new PresentationExchange({
647
+ allDIDs: allIdentifiers ?? this.allIdentifiers,
648
+ allVerifiableCredentials: verifiableCredentials,
649
+ hasher: hasher ?? this.hasher
650
+ });
651
+ }
652
+ async createVerifiablePresentations(credentialRole, credentialsWithDefinitions, opts) {
653
+ return await Promise.all(credentialsWithDefinitions.map((cred) => this.createVerifiablePresentation(credentialRole, cred, opts)));
654
+ }
655
+ async createVerifiablePresentation(credentialRole, selectedVerifiableCredentials, opts) {
656
+ const { subjectIsHolder, holder, forceNoCredentialsInVP = false } = {
657
+ ...opts
658
+ };
659
+ if (subjectIsHolder && holder) {
660
+ throw Error("Cannot both have subject is holder and a holderDID value at the same time (programming error)");
661
+ }
662
+ if (forceNoCredentialsInVP) {
663
+ selectedVerifiableCredentials.credentials = [];
664
+ } else if (!selectedVerifiableCredentials?.credentials || selectedVerifiableCredentials.credentials.length === 0) {
665
+ throw Error("No verifiable verifiableCredentials provided for presentation definition");
666
+ }
667
+ const proofOptions = {
668
+ ...opts?.proofOpts,
669
+ challenge: opts?.proofOpts?.nonce ?? opts?.proofOpts?.challenge ?? this.session.nonce,
670
+ domain: opts?.proofOpts?.domain ?? await this.session.getRedirectUri()
671
+ };
672
+ let idOpts2 = opts?.idOpts;
673
+ if (!idOpts2) {
674
+ if (opts?.subjectIsHolder) {
675
+ if (forceNoCredentialsInVP) {
676
+ return Promise.reject(Error(`Cannot have subject is holder, when force no credentials is being used, as we could never determine the holder then. Please provide holderDID`));
677
+ }
678
+ const firstUniqueDC = selectedVerifiableCredentials.credentials[0];
679
+ if (typeof firstUniqueDC !== "object" || !("digitalCredential" in firstUniqueDC)) {
680
+ return Promise.reject(Error("If no opts provided, credentials should be of type UniqueDigitalCredential"));
681
+ }
682
+ idOpts2 = isOID4VCIssuerIdentifier(firstUniqueDC.digitalCredential.kmsKeyRef) ? await this.session.context.agent.identifierManagedGetByIssuer({
683
+ identifier: firstUniqueDC.digitalCredential.kmsKeyRef
684
+ }) : await this.session.context.agent.identifierManagedGetByKid({
685
+ identifier: firstUniqueDC.digitalCredential.kmsKeyRef,
686
+ kmsKeyRef: firstUniqueDC.digitalCredential.kmsKeyRef
687
+ });
688
+ } else if (opts?.holder) {
689
+ idOpts2 = {
690
+ identifier: opts.holder
691
+ };
692
+ }
693
+ }
694
+ const vcs = forceNoCredentialsInVP ? selectedVerifiableCredentials : opts?.applyFilter ? await this.filterCredentials(credentialRole, selectedVerifiableCredentials.definition, {
695
+ restrictToFormats: opts?.restrictToFormats,
696
+ restrictToDIDMethods: opts?.restrictToDIDMethods,
697
+ filterOpts: {
698
+ verifiableCredentials: selectedVerifiableCredentials.credentials
699
+ }
700
+ }) : {
701
+ definition: selectedVerifiableCredentials.definition,
702
+ credentials: selectedVerifiableCredentials.credentials
703
+ };
704
+ if (!idOpts2) {
705
+ return Promise.reject(Error(`No identifier options present at this point`));
706
+ }
707
+ const signCallback = await createOID4VPPresentationSignCallback({
708
+ presentationSignCallback: this.session.options.presentationSignCallback,
709
+ idOpts: idOpts2,
710
+ context: this.session.context,
711
+ domain: proofOptions.domain,
712
+ challenge: proofOptions.challenge,
713
+ format: opts?.restrictToFormats ?? selectedVerifiableCredentials.definition.definition.format,
714
+ skipDidResolution: opts?.skipDidResolution ?? false
715
+ });
716
+ const identifier = await this.session.context.agent.identifierManagedGet(idOpts2);
717
+ const verifiableCredentials = vcs.credentials.map((credential) => typeof credential === "object" && "digitalCredential" in credential ? credential.originalVerifiableCredential : credential);
718
+ const presentationResult = await this.getPresentationExchange({
719
+ verifiableCredentials,
720
+ allIdentifiers: this.allIdentifiers,
721
+ hasher: opts?.hasher
722
+ }).createVerifiablePresentation(vcs.definition.definition, verifiableCredentials, signCallback, {
723
+ proofOptions,
724
+ // fixme: Update to newer siop-vp to not require dids here. But when Veramo is creating the VP it's still looking at this field to pass into didManagerGet
725
+ ...identifier && isManagedIdentifierDidResult(identifier) && {
726
+ holderDID: identifier.did
727
+ }
728
+ });
729
+ const verifiablePresentations = presentationResult.verifiablePresentations.map((verifiablePresentation) => typeof verifiablePresentation !== "string" && "proof" in verifiablePresentation && "jwt" in verifiablePresentation.proof && verifiablePresentation.proof.jwt ? verifiablePresentation.proof.jwt : verifiablePresentation);
730
+ return {
731
+ ...presentationResult,
732
+ verifiablePresentations,
733
+ verifiableCredentials,
734
+ definition: selectedVerifiableCredentials.definition,
735
+ idOpts: idOpts2
736
+ };
737
+ }
738
+ async filterCredentialsAgainstAllDefinitions(credentialRole, opts) {
739
+ const defs = await this.getPresentationDefinitions();
740
+ const result = [];
741
+ if (defs) {
742
+ for (const definition of defs) {
743
+ result.push(await this.filterCredentials(credentialRole, definition, opts));
744
+ }
745
+ }
746
+ return result;
747
+ }
748
+ async filterCredentials(credentialRole, presentationDefinition, opts) {
749
+ const udcMap = /* @__PURE__ */ new Map();
750
+ opts?.filterOpts?.verifiableCredentials?.forEach((credential) => {
751
+ if (typeof credential === "object" && "digitalCredential" in credential) {
752
+ udcMap.set(credential.originalVerifiableCredential, credential);
753
+ } else {
754
+ udcMap.set(credential, credential);
755
+ }
756
+ });
757
+ const credentials = (await this.filterCredentialsWithSelectionStatus(credentialRole, presentationDefinition, {
758
+ ...opts,
759
+ filterOpts: {
760
+ verifiableCredentials: opts?.filterOpts?.verifiableCredentials?.map((credential) => {
761
+ if (typeof credential === "object" && "digitalCredential" in credential) {
762
+ return credential.originalVerifiableCredential;
763
+ } else {
764
+ return credential;
765
+ }
766
+ })
767
+ }
768
+ })).verifiableCredential;
769
+ return {
770
+ definition: presentationDefinition,
771
+ credentials: credentials?.map((vc) => udcMap.get(vc)) ?? []
772
+ };
773
+ }
774
+ async filterCredentialsWithSelectionStatus(credentialRole, presentationDefinition, opts) {
775
+ const selectionResults = await this.getPresentationExchange({
776
+ verifiableCredentials: await this.getCredentials(credentialRole, opts?.filterOpts)
777
+ }).selectVerifiableCredentialsForSubmission(presentationDefinition.definition, opts);
778
+ if (selectionResults.errors && selectionResults.errors.length > 0) {
779
+ throw Error(JSON.stringify(selectionResults.errors));
780
+ } else if (selectionResults.areRequiredCredentialsPresent === Status.ERROR) {
781
+ throw Error(`Not all required credentials are available to satisfy the relying party's request`);
782
+ }
783
+ const matches = selectionResults.matches;
784
+ if (!matches || matches.length === 0 || !selectionResults.verifiableCredential || selectionResults.verifiableCredential.length === 0) {
785
+ throw Error(JSON.stringify(selectionResults.errors));
786
+ }
787
+ return selectionResults;
788
+ }
789
+ async getCredentials(credentialRole, filterOpts) {
790
+ if (filterOpts?.verifiableCredentials && filterOpts.verifiableCredentials.length > 0) {
791
+ return filterOpts.verifiableCredentials;
792
+ }
793
+ const filter = verifiableCredentialForRoleFilter(credentialRole, filterOpts?.filter);
794
+ const uniqueCredentials = await this.session.context.agent.crsGetUniqueCredentials({
795
+ filter
796
+ });
797
+ return uniqueCredentials.map((uniqueVC) => {
798
+ const vc = uniqueVC.uniformVerifiableCredential;
799
+ const proof = Array.isArray(vc.proof) ? vc.proof : [
800
+ vc.proof
801
+ ];
802
+ const jwtProof = proof.find((p) => p?.type === DEFAULT_JWT_PROOF_TYPE);
803
+ return jwtProof ? jwtProof.jwt : vc;
804
+ });
805
+ }
542
806
  };
543
807
 
544
808
  // src/session/OpSession.ts
545
809
  import { OP as OP2, URI } from "@sphereon/did-auth-siop";
546
810
  import { getAgentDIDMethods, getAgentResolver } from "@sphereon/ssi-sdk-ext.did-utils";
547
811
  import { encodeBase64url } from "@sphereon/ssi-sdk.core";
548
- import { parseDid } from "@sphereon/ssi-types";
812
+ import { CredentialMapper, parseDid } from "@sphereon/ssi-types";
549
813
  import { v4 } from "uuid";
814
+ import { PEX } from "@sphereon/pex";
550
815
  import { Loggers } from "@sphereon/ssi-types";
551
816
  var logger = Loggers.DEFAULT.get("sphereon:oid4vp:OpSession");
552
817
  var OpSession = class _OpSession {
@@ -561,11 +826,13 @@ var OpSession = class _OpSession {
561
826
  verifiedAuthorizationRequest;
562
827
  _nonce;
563
828
  _state;
829
+ _providedPresentationDefinitions;
564
830
  constructor(options) {
565
831
  this.id = options.sessionId;
566
832
  this.options = options.op;
567
833
  this.context = options.context;
568
834
  this.requestJwtOrUri = options.requestJwtOrUri;
835
+ this._providedPresentationDefinitions = options.providedPresentationDefinitions;
569
836
  }
570
837
  static async init(options) {
571
838
  return new _OpSession(options);
@@ -663,7 +930,7 @@ var OpSession = class _OpSession {
663
930
  subjectSyntaxTypesSupported
664
931
  ]).map((method) => convertDidMethod(method, opts.didPrefix));
665
932
  }
666
- const isEBSI = rpMethods.length === 0 && (authReq.issuer?.includes(".ebsi.eu") || authReq.authorizationRequest.getMergedProperty("client_id")?.includes(".ebsi.eu"));
933
+ const isEBSI = rpMethods.length === 0 && (authReq.issuer?.includes(".ebsi.eu") || (await authReq.authorizationRequest.getMergedProperty("client_id"))?.includes(".ebsi.eu"));
667
934
  let codecName = void 0;
668
935
  if (isEBSI && (!aud || !aud.startsWith("http"))) {
669
936
  logger.debug(`EBSI detected, adding did:key to supported DID methods for RP`);
@@ -718,9 +985,51 @@ var OpSession = class _OpSession {
718
985
  async getRedirectUri() {
719
986
  return Promise.resolve(this.verifiedAuthorizationRequest.responseURI);
720
987
  }
988
+ async hasPresentationDefinitions() {
989
+ const defs = this._providedPresentationDefinitions ?? (await this.getAuthorizationRequest()).presentationDefinitions;
990
+ return defs !== void 0 && defs.length > 0;
991
+ }
992
+ async getPresentationDefinitions() {
993
+ if (!await this.hasPresentationDefinitions()) {
994
+ throw Error(`No presentation definitions found`);
995
+ }
996
+ return this._providedPresentationDefinitions ?? (await this.getAuthorizationRequest()).presentationDefinitions;
997
+ }
721
998
  async getOID4VP(args) {
722
999
  return await OID4VP.init(this, args.allIdentifiers ?? [], args.hasher);
723
1000
  }
1001
+ createPresentationVerificationCallback(context) {
1002
+ async function presentationVerificationCallback(args, presentationSubmission) {
1003
+ let result;
1004
+ if (CredentialMapper.isSdJwtEncoded(args)) {
1005
+ try {
1006
+ const sdJwtResult = await context.agent.verifySdJwtPresentation({
1007
+ presentation: args
1008
+ });
1009
+ result = {
1010
+ verified: "header" in sdJwtResult,
1011
+ error: "header" in sdJwtResult ? void 0 : {
1012
+ message: "could not verify SD JWT presentation"
1013
+ }
1014
+ };
1015
+ } catch (error) {
1016
+ result = {
1017
+ verified: false,
1018
+ error: {
1019
+ message: error.message
1020
+ }
1021
+ };
1022
+ }
1023
+ } else {
1024
+ result = await context.agent.verifyPresentation({
1025
+ presentation: args
1026
+ });
1027
+ }
1028
+ return result;
1029
+ }
1030
+ __name(presentationVerificationCallback, "presentationVerificationCallback");
1031
+ return presentationVerificationCallback;
1032
+ }
724
1033
  async createJarmResponseCallback({ responseOpts }) {
725
1034
  const agent = this.context.agent;
726
1035
  return /* @__PURE__ */ __name(async function jarmResponse(opts) {
@@ -747,7 +1056,6 @@ var OpSession = class _OpSession {
747
1056
  }, "jarmResponse");
748
1057
  }
749
1058
  async sendAuthorizationResponse(args) {
750
- const { responseSignerOpts, dcqlResponse, isFirstParty } = args;
751
1059
  const resolveOpts = this.options.resolveOpts ?? {
752
1060
  resolver: getAgentResolver(this.context, {
753
1061
  uniresolverResolution: true,
@@ -758,7 +1066,23 @@ var OpSession = class _OpSession {
758
1066
  if (!resolveOpts.subjectSyntaxTypesSupported || resolveOpts.subjectSyntaxTypesSupported.length === 0) {
759
1067
  resolveOpts.subjectSyntaxTypesSupported = await this.getSupportedDIDMethods(true);
760
1068
  }
1069
+ const verification = {
1070
+ presentationVerificationCallback: this.createPresentationVerificationCallback(this.context)
1071
+ };
761
1072
  const request = await this.getAuthorizationRequest();
1073
+ const hasDefinitions = await this.hasPresentationDefinitions();
1074
+ if (hasDefinitions) {
1075
+ const totalInputDescriptors = request.presentationDefinitions?.reduce((sum, pd) => {
1076
+ return sum + pd.definition.input_descriptors.length;
1077
+ }, 0);
1078
+ const totalVCs = args.verifiablePresentations ? this.countVCsInAllVPs(args.verifiablePresentations, args.hasher) : 0;
1079
+ if (!request.presentationDefinitions || !args.verifiablePresentations || totalVCs !== totalInputDescriptors) {
1080
+ throw Error(`Amount of presentations ${args.verifiablePresentations?.length}, doesn't match expected ${request.presentationDefinitions?.length}`);
1081
+ } else if (!args.presentationSubmission) {
1082
+ throw Error(`Presentation submission is required when verifiable presentations are required`);
1083
+ }
1084
+ }
1085
+ const verifiablePresentations = args.verifiablePresentations ? args.verifiablePresentations.map((vp) => CredentialMapper.storedPresentationToOriginalFormat(vp)) : [];
762
1086
  const op = await createOP({
763
1087
  opOptions: {
764
1088
  ...this.options,
@@ -770,16 +1094,23 @@ var OpSession = class _OpSession {
770
1094
  wellknownDIDVerifyCallback: this.options.wellknownDIDVerifyCallback,
771
1095
  supportedVersions: request.versions
772
1096
  },
773
- idOpts: responseSignerOpts,
1097
+ idOpts: args.responseSignerOpts,
774
1098
  context: this.context
775
1099
  });
776
- let issuer = responseSignerOpts.issuer;
1100
+ let issuer = args.responseSignerOpts.issuer;
777
1101
  const responseOpts = {
1102
+ verification,
778
1103
  issuer,
779
- ...isFirstParty && {
780
- isFirstParty
1104
+ ...args.isFirstParty && {
1105
+ isFirstParty: args.isFirstParty
1106
+ },
1107
+ ...args.verifiablePresentations && {
1108
+ presentationExchange: {
1109
+ verifiablePresentations,
1110
+ presentationSubmission: args.presentationSubmission
1111
+ }
781
1112
  },
782
- dcqlResponse
1113
+ dcqlQuery: args.dcqlResponse
783
1114
  };
784
1115
  const authResponse = await op.createAuthorizationResponse(request, responseOpts);
785
1116
  const response = await op.submitAuthorizationResponse(authResponse, await this.createJarmResponseCallback({
@@ -791,6 +1122,24 @@ var OpSession = class _OpSession {
791
1122
  return response;
792
1123
  }
793
1124
  }
1125
+ countVCsInAllVPs(verifiablePresentations, hasher) {
1126
+ return verifiablePresentations.reduce((sum, vp) => {
1127
+ if (CredentialMapper.isMsoMdocDecodedPresentation(vp) || CredentialMapper.isMsoMdocOid4VPEncoded(vp)) {
1128
+ return sum + 1;
1129
+ }
1130
+ const uvp = CredentialMapper.toUniformPresentation(vp, {
1131
+ hasher: hasher ?? this.options.hasher
1132
+ });
1133
+ if (uvp.verifiableCredential?.length) {
1134
+ return sum + uvp.verifiableCredential?.length;
1135
+ }
1136
+ const isSdJWT = CredentialMapper.isSdJwtDecodedCredential(uvp);
1137
+ if (isSdJWT || uvp.verifiableCredential && !PEX.allowMultipleVCsPerPresentation(uvp.verifiableCredential)) {
1138
+ return sum + 1;
1139
+ }
1140
+ return sum;
1141
+ }, 0);
1142
+ }
794
1143
  };
795
1144
  function convertDidMethod(didMethod, didPrefix) {
796
1145
  if (didPrefix === false) {
@@ -800,79 +1149,10 @@ function convertDidMethod(didMethod, didPrefix) {
800
1149
  }
801
1150
  __name(convertDidMethod, "convertDidMethod");
802
1151
 
803
- // src/types/IDidAuthSiopOpAuthenticator.ts
804
- var LOGGER_NAMESPACE = "sphereon:siopv2-oid4vp:op-auth";
805
- var DEFAULT_JWT_PROOF_TYPE = "JwtProof2020";
806
-
807
- // src/types/siop-service/index.ts
808
- var Siopv2HolderEvent = /* @__PURE__ */ (function(Siopv2HolderEvent2) {
809
- Siopv2HolderEvent2["CONTACT_IDENTITY_CREATED"] = "contact_identity_created";
810
- Siopv2HolderEvent2["IDENTIFIER_CREATED"] = "identifier_created";
811
- return Siopv2HolderEvent2;
812
- })({});
813
- var SupportedLanguage = /* @__PURE__ */ (function(SupportedLanguage2) {
814
- SupportedLanguage2["ENGLISH"] = "en";
815
- SupportedLanguage2["DUTCH"] = "nl";
816
- return SupportedLanguage2;
817
- })({});
818
-
819
- // src/types/machine/index.ts
820
- var Siopv2MachineStates = /* @__PURE__ */ (function(Siopv2MachineStates2) {
821
- Siopv2MachineStates2["createConfig"] = "createConfig";
822
- Siopv2MachineStates2["getSiopRequest"] = "getSiopRequest";
823
- Siopv2MachineStates2["getSelectableCredentials"] = "getSelectableCredentials";
824
- Siopv2MachineStates2["retrieveContact"] = "retrieveContact";
825
- Siopv2MachineStates2["transitionFromSetup"] = "transitionFromSetup";
826
- Siopv2MachineStates2["addContact"] = "addContact";
827
- Siopv2MachineStates2["addContactIdentity"] = "addContactIdentity";
828
- Siopv2MachineStates2["selectCredentials"] = "selectCredentials";
829
- Siopv2MachineStates2["sendResponse"] = "sendResponse";
830
- Siopv2MachineStates2["handleError"] = "handleError";
831
- Siopv2MachineStates2["aborted"] = "aborted";
832
- Siopv2MachineStates2["declined"] = "declined";
833
- Siopv2MachineStates2["error"] = "error";
834
- Siopv2MachineStates2["done"] = "done";
835
- return Siopv2MachineStates2;
836
- })({});
837
- var Siopv2MachineAddContactStates = /* @__PURE__ */ (function(Siopv2MachineAddContactStates2) {
838
- Siopv2MachineAddContactStates2["idle"] = "idle";
839
- Siopv2MachineAddContactStates2["executing"] = "executing";
840
- Siopv2MachineAddContactStates2["next"] = "next";
841
- return Siopv2MachineAddContactStates2;
842
- })({});
843
- var Siopv2MachineEvents = /* @__PURE__ */ (function(Siopv2MachineEvents2) {
844
- Siopv2MachineEvents2["NEXT"] = "NEXT";
845
- Siopv2MachineEvents2["PREVIOUS"] = "PREVIOUS";
846
- Siopv2MachineEvents2["DECLINE"] = "DECLINE";
847
- Siopv2MachineEvents2["SET_CONTACT_ALIAS"] = "SET_CONTACT_ALIAS";
848
- Siopv2MachineEvents2["SET_CONTACT_CONSENT"] = "SET_CONTACT_CONSENT";
849
- Siopv2MachineEvents2["CREATE_CONTACT"] = "CREATE_CONTACT";
850
- Siopv2MachineEvents2["SET_SELECTED_CREDENTIALS"] = "SET_SELECTED_CREDENTIALS";
851
- return Siopv2MachineEvents2;
852
- })({});
853
- var Siopv2MachineGuards = /* @__PURE__ */ (function(Siopv2MachineGuards2) {
854
- Siopv2MachineGuards2["hasNoContactGuard"] = "Siopv2HasNoContactGuard";
855
- Siopv2MachineGuards2["createContactGuard"] = "Siopv2CreateContactGuard";
856
- Siopv2MachineGuards2["hasContactGuard"] = "Siopv2HasContactGuard";
857
- Siopv2MachineGuards2["hasAuthorizationRequestGuard"] = "Siopv2HasAuthorizationRequestGuard";
858
- Siopv2MachineGuards2["hasSelectableCredentialsAndContactGuard"] = "Siopv2HasSelectableCredentialsAndContactGuard";
859
- Siopv2MachineGuards2["hasSelectedRequiredCredentialsGuard"] = "Siopv2HasSelectedRequiredCredentialsGuard";
860
- Siopv2MachineGuards2["siopOnlyGuard"] = "Siopv2IsSiopOnlyGuard";
861
- Siopv2MachineGuards2["siopWithOID4VPGuard"] = "Siopv2IsSiopWithOID4VPGuard";
862
- return Siopv2MachineGuards2;
863
- })({});
864
- var Siopv2MachineServices = /* @__PURE__ */ (function(Siopv2MachineServices2) {
865
- Siopv2MachineServices2["getSiopRequest"] = "getSiopRequest";
866
- Siopv2MachineServices2["getSelectableCredentials"] = "getSelectableCredentials";
867
- Siopv2MachineServices2["retrieveContact"] = "retrieveContact";
868
- Siopv2MachineServices2["addContactIdentity"] = "addContactIdentity";
869
- Siopv2MachineServices2["sendResponse"] = "sendResponse";
870
- Siopv2MachineServices2["createConfig"] = "createConfig";
871
- return Siopv2MachineServices2;
872
- })({});
873
-
874
- // src/types/identifier/index.ts
875
- var DID_PREFIX = "did";
1152
+ // src/agent/DidAuthSiopOpAuthenticator.ts
1153
+ import { PEX as PEX3, Status as Status2 } from "@sphereon/pex";
1154
+ import { computeEntryHash } from "@veramo/utils";
1155
+ import { DcqlQuery as DcqlQuery2 } from "dcql";
876
1156
 
877
1157
  // src/machine/Siopv2Machine.ts
878
1158
  import { assign, createMachine, interpret } from "xstate";
@@ -941,7 +1221,7 @@ var Siopv2HasSelectableCredentialsAndContactGuard = /* @__PURE__ */ __name((_ctx
941
1221
  if (!contact) {
942
1222
  throw new Error("Missing contact request data in context");
943
1223
  }
944
- return authorizationRequestData.dcqlQuery !== void 0;
1224
+ return authorizationRequestData.presentationDefinitions !== void 0;
945
1225
  }, "Siopv2HasSelectableCredentialsAndContactGuard");
946
1226
  var Siopv2CreateContactGuard = /* @__PURE__ */ __name((_ctx, _event) => {
947
1227
  const { contactAlias, hasContactConsent } = _ctx;
@@ -952,7 +1232,7 @@ var Siopv2HasSelectedRequiredCredentialsGuard = /* @__PURE__ */ __name((_ctx, _e
952
1232
  if (authorizationRequestData === void 0) {
953
1233
  throw new Error("Missing authorization request data in context");
954
1234
  }
955
- if (authorizationRequestData.dcqlQuery === void 0) {
1235
+ if (authorizationRequestData.presentationDefinitions === void 0 || authorizationRequestData.presentationDefinitions.length === 0) {
956
1236
  throw Error("No presentation definitions present");
957
1237
  }
958
1238
  return _ctx.selectedCredentials.length > 0;
@@ -962,7 +1242,7 @@ var Siopv2IsSiopOnlyGuard = /* @__PURE__ */ __name((_ctx, _event) => {
962
1242
  if (authorizationRequestData === void 0) {
963
1243
  throw new Error("Missing authorization request data in context");
964
1244
  }
965
- return authorizationRequestData.dcqlQuery === void 0;
1245
+ return authorizationRequestData.presentationDefinitions === void 0;
966
1246
  }, "Siopv2IsSiopOnlyGuard");
967
1247
  var Siopv2IsSiopWithOID4VPGuard = /* @__PURE__ */ __name((_ctx, _event) => {
968
1248
  const { authorizationRequestData, selectableCredentialsMap } = _ctx;
@@ -972,7 +1252,7 @@ var Siopv2IsSiopWithOID4VPGuard = /* @__PURE__ */ __name((_ctx, _event) => {
972
1252
  if (!selectableCredentialsMap) {
973
1253
  throw new Error("Missing selectableCredentialsMap in context");
974
1254
  }
975
- return authorizationRequestData.dcqlQuery !== void 0;
1255
+ return authorizationRequestData.presentationDefinitions !== void 0;
976
1256
  }, "Siopv2IsSiopWithOID4VPGuard");
977
1257
  var createSiopv2Machine = /* @__PURE__ */ __name((opts) => {
978
1258
  const { url, idOpts: idOpts2 } = opts;
@@ -1287,59 +1567,115 @@ var Siopv2Machine = class {
1287
1567
  };
1288
1568
 
1289
1569
  // src/services/Siopv2MachineService.ts
1290
- import { calculateSdHash } from "@sphereon/pex/dist/main/lib/utils/index.js";
1570
+ import { SupportedVersion as SupportedVersion2 } from "@sphereon/did-auth-siop";
1571
+ import { PEX as PEX2 } from "@sphereon/pex";
1572
+ import { isOID4VCIssuerIdentifier as isOID4VCIssuerIdentifier2 } from "@sphereon/ssi-sdk-ext.identifier-resolution";
1573
+ import { verifiableCredentialForRoleFilter as verifiableCredentialForRoleFilter2 } from "@sphereon/ssi-sdk.credential-store";
1574
+ import { ConnectionType, CredentialRole } from "@sphereon/ssi-sdk.data-store";
1575
+ import { CredentialMapper as CredentialMapper4, Loggers as Loggers3 } from "@sphereon/ssi-types";
1291
1576
  import { getOrCreatePrimaryIdentifier, SupportedDidMethodEnum } from "@sphereon/ssi-sdk-ext.did-utils";
1292
- import { isOID4VCIssuerIdentifier } from "@sphereon/ssi-sdk-ext.identifier-resolution";
1293
- import { encodeJoseBlob } from "@sphereon/ssi-sdk.core";
1294
- import { verifiableCredentialForRoleFilter } from "@sphereon/ssi-sdk.credential-store";
1295
- import { ConnectionType } from "@sphereon/ssi-sdk.data-store-types";
1296
- import { defaultGenerateDigest } from "@sphereon/ssi-sdk.sd-jwt";
1297
- import { CredentialMapper as CredentialMapper3, CredentialRole, Loggers as Loggers3 } from "@sphereon/ssi-types";
1577
+ import { defaultHasher as defaultHasher2, encodeJoseBlob } from "@sphereon/ssi-sdk.core";
1298
1578
  import { DcqlPresentation, DcqlQuery } from "dcql";
1299
1579
 
1300
1580
  // src/utils/dcql.ts
1301
- import { CredentialMapper as CredentialMapper2 } from "@sphereon/ssi-types";
1302
- import { Dcql } from "@sphereon/did-auth-siop";
1581
+ import { CredentialMapper as CredentialMapper3 } from "@sphereon/ssi-types";
1303
1582
 
1304
1583
  // src/utils/CredentialUtils.ts
1305
- import { CredentialMapper } from "@sphereon/ssi-types";
1584
+ import { CredentialMapper as CredentialMapper2 } from "@sphereon/ssi-types";
1585
+ var getOriginalVerifiableCredential = /* @__PURE__ */ __name((credential) => {
1586
+ if (isUniqueDigitalCredential(credential)) {
1587
+ if (!credential.originalVerifiableCredential) {
1588
+ throw new Error("originalVerifiableCredential is not defined in UniqueDigitalCredential");
1589
+ }
1590
+ return getCredentialFromProofOrWrapped(credential.originalVerifiableCredential);
1591
+ }
1592
+ return getCredentialFromProofOrWrapped(credential);
1593
+ }, "getOriginalVerifiableCredential");
1594
+ var getCredentialFromProofOrWrapped = /* @__PURE__ */ __name((cred, hasher) => {
1595
+ if (typeof cred === "object" && "proof" in cred && "jwt" in cred.proof && CredentialMapper2.isSdJwtEncoded(cred.proof.jwt)) {
1596
+ return cred.proof.jwt;
1597
+ }
1598
+ return CredentialMapper2.toWrappedVerifiableCredential(cred, {
1599
+ hasher
1600
+ }).original;
1601
+ }, "getCredentialFromProofOrWrapped");
1306
1602
  var isUniqueDigitalCredential = /* @__PURE__ */ __name((credential) => {
1307
1603
  return credential.digitalCredential !== void 0;
1308
1604
  }, "isUniqueDigitalCredential");
1309
1605
 
1310
1606
  // src/utils/dcql.ts
1311
1607
  function convertToDcqlCredentials(credential, hasher) {
1312
- let originalVerifiableCredential;
1608
+ let payload;
1313
1609
  if (isUniqueDigitalCredential(credential)) {
1314
1610
  if (!credential.originalVerifiableCredential) {
1315
1611
  throw new Error("originalVerifiableCredential is not defined in UniqueDigitalCredential");
1316
1612
  }
1317
- originalVerifiableCredential = CredentialMapper2.decodeVerifiableCredential(credential.originalVerifiableCredential, hasher);
1613
+ payload = CredentialMapper3.decodeVerifiableCredential(credential.originalVerifiableCredential, hasher);
1318
1614
  } else {
1319
- originalVerifiableCredential = CredentialMapper2.decodeVerifiableCredential(credential, hasher);
1615
+ payload = CredentialMapper3.decodeVerifiableCredential(credential, hasher);
1320
1616
  }
1321
- if (!originalVerifiableCredential) {
1617
+ if (!payload) {
1322
1618
  throw new Error("No payload found");
1323
1619
  }
1324
- if (CredentialMapper2.isJwtDecodedCredential(originalVerifiableCredential)) {
1325
- return Dcql.toDcqlJwtCredential(CredentialMapper2.toWrappedVerifiableCredential(originalVerifiableCredential));
1326
- } else if (CredentialMapper2.isSdJwtDecodedCredential(originalVerifiableCredential)) {
1327
- return Dcql.toDcqlSdJwtCredential(CredentialMapper2.toWrappedVerifiableCredential(originalVerifiableCredential));
1328
- } else if (CredentialMapper2.isMsoMdocDecodedCredential(originalVerifiableCredential)) {
1329
- return Dcql.toDcqlMdocCredential(CredentialMapper2.toWrappedVerifiableCredential(originalVerifiableCredential));
1330
- } else if (CredentialMapper2.isW3cCredential(originalVerifiableCredential)) {
1331
- return Dcql.toDcqlJsonLdCredential(CredentialMapper2.toWrappedVerifiableCredential(originalVerifiableCredential));
1620
+ if ("decodedPayload" in payload && payload.decodedPayload) {
1621
+ payload = payload.decodedPayload;
1622
+ }
1623
+ if ("vct" in payload) {
1624
+ return {
1625
+ vct: payload.vct,
1626
+ claims: payload,
1627
+ credential_format: "vc+sd-jwt"
1628
+ };
1629
+ } else if ("docType" in payload && "namespaces" in payload) {
1630
+ return {
1631
+ docType: payload.docType,
1632
+ namespaces: payload.namespaces,
1633
+ claims: payload
1634
+ };
1635
+ } else {
1636
+ return {
1637
+ claims: payload,
1638
+ credential_format: "jwt_vc_json"
1639
+ };
1332
1640
  }
1333
- throw Error(`Unable to map credential to DCQL credential. Credential: ${JSON.stringify(originalVerifiableCredential)}`);
1334
1641
  }
1335
1642
  __name(convertToDcqlCredentials, "convertToDcqlCredentials");
1336
1643
 
1337
1644
  // src/services/Siopv2MachineService.ts
1338
- var CLOCK_SKEW = 120;
1339
1645
  var logger3 = Loggers3.DEFAULT.get(LOGGER_NAMESPACE);
1646
+ var createEbsiIdentifier = /* @__PURE__ */ __name(async (agentContext) => {
1647
+ logger3.log(`No EBSI key present yet. Creating a new one...`);
1648
+ const { result: newIdentifier, created } = await getOrCreatePrimaryIdentifier(agentContext, {
1649
+ method: SupportedDidMethodEnum.DID_KEY,
1650
+ createOpts: {
1651
+ options: {
1652
+ codecName: "jwk_jcs-pub",
1653
+ type: "Secp256r1"
1654
+ }
1655
+ }
1656
+ });
1657
+ logger3.log(`EBSI key created: ${newIdentifier.did}`);
1658
+ if (created) {
1659
+ await agentContext.agent.emit(Siopv2HolderEvent.IDENTIFIER_CREATED, {
1660
+ result: newIdentifier
1661
+ });
1662
+ }
1663
+ return await agentContext.agent.identifierManagedGetByDid({
1664
+ identifier: newIdentifier.did
1665
+ });
1666
+ }, "createEbsiIdentifier");
1667
+ var hasEbsiClient = /* @__PURE__ */ __name(async (authorizationRequest) => {
1668
+ const clientId = await authorizationRequest.getMergedProperty("client_id");
1669
+ const redirectUri = await authorizationRequest.getMergedProperty("redirect_uri");
1670
+ return clientId?.toLowerCase().includes(".ebsi.eu") || redirectUri?.toLowerCase().includes(".ebsi.eu");
1671
+ }, "hasEbsiClient");
1340
1672
  var siopSendAuthorizationResponse = /* @__PURE__ */ __name(async (connectionType, args, context) => {
1341
1673
  const { agent } = context;
1342
- const { credentials } = args;
1674
+ const agentContext = {
1675
+ ...context,
1676
+ agent: context.agent
1677
+ };
1678
+ let { idOpts: idOpts2, isFirstParty, hasher = defaultHasher2 } = args;
1343
1679
  if (connectionType !== ConnectionType.SIOPv2_OpenID4VP) {
1344
1680
  return Promise.reject(Error(`No supported authentication provider for type: ${connectionType}`));
1345
1681
  }
@@ -1347,163 +1683,252 @@ var siopSendAuthorizationResponse = /* @__PURE__ */ __name(async (connectionType
1347
1683
  sessionId: args.sessionId
1348
1684
  });
1349
1685
  const request = await session.getAuthorizationRequest();
1350
- const aud = request.authorizationRequest.getMergedProperty("aud");
1686
+ const aud = await request.authorizationRequest.getMergedProperty("aud");
1351
1687
  logger3.debug(`AUD: ${aud}`);
1352
1688
  logger3.debug(JSON.stringify(request.authorizationRequest));
1353
- const domain = await request.authorizationRequest.getMergedProperty("client_id") ?? request.issuer ?? "https://self-issued.me/v2";
1354
- logger3.debug(`NONCE: ${session.nonce}, domain: ${domain}`);
1355
- const firstUniqueDC = credentials[0];
1356
- if (typeof firstUniqueDC !== "object" || !("digitalCredential" in firstUniqueDC)) {
1357
- return Promise.reject(Error("SiopMachine only supports UniqueDigitalCredentials for now"));
1358
- }
1359
- let identifier;
1360
- const digitalCredential = firstUniqueDC.digitalCredential;
1361
- const firstVC = firstUniqueDC.uniformVerifiableCredential;
1362
- const holder = CredentialMapper3.isSdJwtDecodedCredential(firstVC) ? firstVC.decodedPayload.cnf?.jwk ? (
1363
- //doesn't apply to did:jwk only, as you can represent any DID key as a JWK. So whenever you encounter a JWK it doesn't mean it had to come from a did:jwk in the system. It just can always be represented as a did:jwk
1364
- `did:jwk:${encodeJoseBlob(firstVC.decodedPayload.cnf?.jwk)}#0`
1365
- ) : firstVC.decodedPayload.sub : Array.isArray(firstVC.credentialSubject) ? firstVC.credentialSubject[0].id : firstVC.credentialSubject.id;
1366
- if (!digitalCredential.kmsKeyRef) {
1367
- if (!holder) {
1368
- return Promise.reject(`No holder found and no kmsKeyRef in DB. Cannot determine identifier to use`);
1369
- }
1370
- try {
1371
- identifier = await session.context.agent.identifierManagedGet({
1372
- identifier: holder
1689
+ let presentationsAndDefs;
1690
+ let presentationSubmission;
1691
+ if (await session.hasPresentationDefinitions()) {
1692
+ const oid4vp = await session.getOID4VP({
1693
+ hasher
1694
+ });
1695
+ const credentialsAndDefinitions = args.verifiableCredentialsWithDefinition ? args.verifiableCredentialsWithDefinition : await oid4vp.filterCredentialsAgainstAllDefinitions(CredentialRole.HOLDER);
1696
+ const domain = await request.authorizationRequest.getMergedProperty("client_id") ?? request.issuer ?? (request.versions.includes(SupportedVersion2.JWT_VC_PRESENTATION_PROFILE_v1) ? "https://self-issued.me/v2/openid-vc" : "https://self-issued.me/v2");
1697
+ logger3.log(`NONCE: ${session.nonce}, domain: ${domain}`);
1698
+ const firstUniqueDC = credentialsAndDefinitions[0].credentials[0];
1699
+ if (typeof firstUniqueDC !== "object" || !("digitalCredential" in firstUniqueDC)) {
1700
+ return Promise.reject(Error("SiopMachine only supports UniqueDigitalCredentials for now"));
1701
+ }
1702
+ let identifier;
1703
+ const digitalCredential = firstUniqueDC.digitalCredential;
1704
+ const firstVC = firstUniqueDC.uniformVerifiableCredential;
1705
+ const holder = CredentialMapper4.isSdJwtDecodedCredential(firstVC) ? firstVC.decodedPayload.cnf?.jwk ? (
1706
+ //doesn't apply to did:jwk only, as you can represent any DID key as a JWK. So whenever you encounter a JWK it doesn't mean it had to come from a did:jwk in the system. It just can always be represented as a did:jwk
1707
+ `did:jwk:${encodeJoseBlob(firstVC.decodedPayload.cnf?.jwk)}#0`
1708
+ ) : firstVC.decodedPayload.sub : Array.isArray(firstVC.credentialSubject) ? firstVC.credentialSubject[0].id : firstVC.credentialSubject.id;
1709
+ if (!digitalCredential.kmsKeyRef) {
1710
+ if (!holder) {
1711
+ return Promise.reject(`No holder found and no kmsKeyRef in DB. Cannot determine identifier to use`);
1712
+ }
1713
+ try {
1714
+ identifier = await session.context.agent.identifierManagedGet({
1715
+ identifier: holder
1716
+ });
1717
+ } catch (e) {
1718
+ logger3.debug(`Holder DID not found: ${holder}`);
1719
+ throw e;
1720
+ }
1721
+ } else if (isOID4VCIssuerIdentifier2(digitalCredential.kmsKeyRef)) {
1722
+ identifier = await session.context.agent.identifierManagedGetByOID4VCIssuer({
1723
+ identifier: firstUniqueDC.digitalCredential.kmsKeyRef
1373
1724
  });
1374
- } catch (e) {
1375
- logger3.debug(`Holder DID not found: ${holder}`);
1376
- throw e;
1725
+ } else {
1726
+ switch (digitalCredential.subjectCorrelationType) {
1727
+ case "DID":
1728
+ identifier = await session.context.agent.identifierManagedGetByDid({
1729
+ identifier: digitalCredential.subjectCorrelationId ?? holder,
1730
+ kmsKeyRef: digitalCredential.kmsKeyRef
1731
+ });
1732
+ break;
1733
+ // TODO other implementations?
1734
+ default:
1735
+ if (digitalCredential.subjectCorrelationId?.startsWith("did:") || holder?.startsWith("did:")) {
1736
+ identifier = await session.context.agent.identifierManagedGetByDid({
1737
+ identifier: digitalCredential.subjectCorrelationId ?? holder,
1738
+ kmsKeyRef: digitalCredential.kmsKeyRef
1739
+ });
1740
+ } else {
1741
+ identifier = await session.context.agent.identifierManagedGetByKid({
1742
+ identifier: digitalCredential.subjectCorrelationId ?? holder ?? digitalCredential.kmsKeyRef,
1743
+ kmsKeyRef: digitalCredential.kmsKeyRef
1744
+ });
1745
+ }
1746
+ }
1377
1747
  }
1378
- } else if (isOID4VCIssuerIdentifier(digitalCredential.kmsKeyRef)) {
1379
- identifier = await session.context.agent.identifierManagedGetByOID4VCIssuer({
1380
- identifier: firstUniqueDC.digitalCredential.kmsKeyRef
1748
+ if (identifier === void 0 && idOpts2 !== void 0 && await hasEbsiClient(request.authorizationRequest)) {
1749
+ identifier = await createEbsiIdentifier(agentContext);
1750
+ }
1751
+ logger3.debug(`Identifier`, identifier);
1752
+ presentationsAndDefs = await oid4vp.createVerifiablePresentations(CredentialRole.HOLDER, credentialsAndDefinitions, {
1753
+ idOpts: identifier,
1754
+ proofOpts: {
1755
+ nonce: session.nonce,
1756
+ domain
1757
+ }
1381
1758
  });
1382
- } else {
1383
- switch (digitalCredential.subjectCorrelationType) {
1384
- case "DID":
1385
- identifier = await session.context.agent.identifierManagedGetByDid({
1386
- identifier: digitalCredential.subjectCorrelationId ?? holder,
1387
- kmsKeyRef: digitalCredential.kmsKeyRef
1388
- });
1389
- break;
1390
- // TODO other implementations?
1391
- default:
1392
- identifier = await session.context.agent.identifierManagedGetByKid({
1393
- identifier: digitalCredential.subjectCorrelationId ?? holder ?? digitalCredential.kmsKeyRef,
1394
- kmsKeyRef: digitalCredential.kmsKeyRef
1395
- });
1759
+ if (!presentationsAndDefs || presentationsAndDefs.length === 0) {
1760
+ throw Error("No verifiable presentations could be created");
1761
+ } else if (presentationsAndDefs.length > 1) {
1762
+ throw Error(`Only one verifiable presentation supported for now. Got ${presentationsAndDefs.length}`);
1396
1763
  }
1397
- }
1398
- const dcqlCredentialsWithCredentials = new Map(credentials.map((vc) => [
1399
- convertToDcqlCredentials(vc),
1400
- vc
1401
- ]));
1402
- const queryResult = DcqlQuery.query(request.dcqlQuery, Array.from(dcqlCredentialsWithCredentials.keys()));
1403
- if (!queryResult.can_be_satisfied) {
1404
- return Promise.reject(Error("Credentials do not match required query request"));
1405
- }
1406
- const presentation = {};
1407
- const uniqueCredentials = Array.from(dcqlCredentialsWithCredentials.values());
1408
- for (const [key, value] of Object.entries(queryResult.credential_matches)) {
1409
- if (value.success) {
1410
- const matchedCredentials = value.valid_credentials.map((cred) => uniqueCredentials[cred.input_credential_index]);
1411
- const vc = matchedCredentials[0];
1412
- if (!vc) {
1413
- continue;
1764
+ idOpts2 = presentationsAndDefs[0].idOpts;
1765
+ presentationSubmission = presentationsAndDefs[0].presentationSubmission;
1766
+ logger3.log(`Definitions and locations:`, JSON.stringify(presentationsAndDefs?.[0]?.verifiablePresentations, null, 2));
1767
+ logger3.log(`Presentation Submission:`, JSON.stringify(presentationSubmission, null, 2));
1768
+ const mergedVerifiablePresentations = presentationsAndDefs?.flatMap((pd) => pd.verifiablePresentations) || [];
1769
+ return await session.sendAuthorizationResponse({
1770
+ ...presentationsAndDefs && {
1771
+ verifiablePresentations: mergedVerifiablePresentations
1772
+ },
1773
+ ...presentationSubmission && {
1774
+ presentationSubmission
1775
+ },
1776
+ // todo: Change issuer value in case we do not use identifier. Use key.meta.jwkThumbprint then
1777
+ responseSignerOpts: idOpts2,
1778
+ isFirstParty
1779
+ });
1780
+ } else if (request.dcqlQuery) {
1781
+ if (args.verifiableCredentialsWithDefinition !== void 0 && args.verifiableCredentialsWithDefinition !== null) {
1782
+ const vcs = args.verifiableCredentialsWithDefinition.flatMap((vcd) => vcd.credentials);
1783
+ const domain = await request.authorizationRequest.getMergedProperty("client_id") ?? request.issuer ?? (request.versions.includes(SupportedVersion2.JWT_VC_PRESENTATION_PROFILE_v1) ? "https://self-issued.me/v2/openid-vc" : "https://self-issued.me/v2");
1784
+ logger3.debug(`NONCE: ${session.nonce}, domain: ${domain}`);
1785
+ const firstUniqueDC = vcs[0];
1786
+ if (typeof firstUniqueDC !== "object" || !("digitalCredential" in firstUniqueDC)) {
1787
+ return Promise.reject(Error("SiopMachine only supports UniqueDigitalCredentials for now"));
1414
1788
  }
1415
- const originalVc = retrieveEncodedCredential(vc);
1416
- if (!originalVc) {
1417
- continue;
1789
+ let identifier;
1790
+ const digitalCredential = firstUniqueDC.digitalCredential;
1791
+ const firstVC = firstUniqueDC.uniformVerifiableCredential;
1792
+ const holder = CredentialMapper4.isSdJwtDecodedCredential(firstVC) ? firstVC.decodedPayload.cnf?.jwk ? (
1793
+ //doesn't apply to did:jwk only, as you can represent any DID key as a JWK. So whenever you encounter a JWK it doesn't mean it had to come from a did:jwk in the system. It just can always be represented as a did:jwk
1794
+ `did:jwk:${encodeJoseBlob(firstVC.decodedPayload.cnf?.jwk)}#0`
1795
+ ) : firstVC.decodedPayload.sub : Array.isArray(firstVC.credentialSubject) ? firstVC.credentialSubject[0].id : firstVC.credentialSubject.id;
1796
+ if (!digitalCredential.kmsKeyRef) {
1797
+ if (!holder) {
1798
+ return Promise.reject(`No holder found and no kmsKeyRef in DB. Cannot determine identifier to use`);
1799
+ }
1800
+ try {
1801
+ identifier = await session.context.agent.identifierManagedGet({
1802
+ identifier: holder
1803
+ });
1804
+ } catch (e) {
1805
+ logger3.debug(`Holder DID not found: ${holder}`);
1806
+ throw e;
1807
+ }
1808
+ } else if (isOID4VCIssuerIdentifier2(digitalCredential.kmsKeyRef)) {
1809
+ identifier = await session.context.agent.identifierManagedGetByOID4VCIssuer({
1810
+ identifier: firstUniqueDC.digitalCredential.kmsKeyRef
1811
+ });
1812
+ } else {
1813
+ switch (digitalCredential.subjectCorrelationType) {
1814
+ case "DID":
1815
+ identifier = await session.context.agent.identifierManagedGetByDid({
1816
+ identifier: digitalCredential.subjectCorrelationId ?? holder,
1817
+ kmsKeyRef: digitalCredential.kmsKeyRef
1818
+ });
1819
+ break;
1820
+ // TODO other implementations?
1821
+ default:
1822
+ identifier = await session.context.agent.identifierManagedGetByKid({
1823
+ identifier: digitalCredential.subjectCorrelationId ?? holder ?? digitalCredential.kmsKeyRef,
1824
+ kmsKeyRef: digitalCredential.kmsKeyRef
1825
+ });
1826
+ }
1418
1827
  }
1419
- const decodedSdJwt = await CredentialMapper3.decodeSdJwtVcAsync(originalVc, defaultGenerateDigest);
1420
- const updatedSdJwt = updateSdJwtCredential(decodedSdJwt, request.requestObject?.getPayload()?.nonce, domain);
1421
- const presentationResult = await context.agent.createSdJwtPresentation({
1422
- presentation: updatedSdJwt.compactSdJwtVc,
1423
- kb: {
1424
- payload: {
1425
- ...updatedSdJwt.kbJwt?.payload,
1426
- // FIXME SSISDK-44
1427
- nonce: updatedSdJwt.kbJwt?.payload.nonce ?? request.requestObject.getPayload().nonce,
1428
- // FIXME SSISDK-44
1429
- aud: updatedSdJwt.kbJwt?.payload.aud ?? domain,
1430
- iat: updatedSdJwt.kbJwt?.payload?.iat ?? Math.floor(Date.now() / 1e3 - CLOCK_SKEW)
1431
- }
1828
+ console.log(`Identifier`, identifier);
1829
+ const dcqlRepresentations = [];
1830
+ vcs.forEach((vc) => {
1831
+ const rep = convertToDcqlCredentials(vc, args.hasher);
1832
+ if (rep) {
1833
+ dcqlRepresentations.push(rep);
1432
1834
  }
1433
1835
  });
1434
- if (originalVc) {
1435
- presentation[key] = presentationResult.presentation;
1836
+ const queryResult = DcqlQuery.query(request.dcqlQuery, dcqlRepresentations);
1837
+ const presentation = {};
1838
+ for (const [key, value] of Object.entries(queryResult.credential_matches)) {
1839
+ const allMatches = Array.isArray(value) ? value : [
1840
+ value
1841
+ ];
1842
+ allMatches.forEach((match) => {
1843
+ if (match.success) {
1844
+ const originalCredential = getOriginalVerifiableCredential(vcs[match.input_credential_index]);
1845
+ if (!originalCredential) {
1846
+ throw new Error(`Index ${match.input_credential_index} out of range in credentials array`);
1847
+ }
1848
+ presentation[key] = originalCredential["compactSdJwtVc"] !== void 0 ? originalCredential.compactSdJwtVc : originalCredential;
1849
+ }
1850
+ });
1436
1851
  }
1852
+ const response = session.sendAuthorizationResponse({
1853
+ responseSignerOpts: identifier,
1854
+ ...{
1855
+ dcqlQuery: {
1856
+ dcqlPresentation: DcqlPresentation.parse(presentation)
1857
+ }
1858
+ }
1859
+ });
1860
+ logger3.debug(`Response: `, response);
1861
+ return response;
1437
1862
  }
1438
1863
  }
1439
- const dcqlPresentation = DcqlPresentation.parse(presentation);
1440
- const response = session.sendAuthorizationResponse({
1441
- responseSignerOpts: identifier,
1442
- dcqlResponse: {
1443
- dcqlPresentation
1444
- }
1445
- });
1446
- logger3.debug(`Response: `, response);
1447
- return response;
1864
+ throw Error("Presentation Definition or DCQL is required");
1448
1865
  }, "siopSendAuthorizationResponse");
1449
- var retrieveEncodedCredential = /* @__PURE__ */ __name((credential) => {
1450
- return credential.originalVerifiableCredential !== void 0 && credential.originalVerifiableCredential !== null && credential?.originalVerifiableCredential?.compactSdJwtVc !== void 0 && credential?.originalVerifiableCredential?.compactSdJwtVc !== null ? credential.originalVerifiableCredential.compactSdJwtVc : credential.originalVerifiableCredential;
1451
- }, "retrieveEncodedCredential");
1452
- var getSelectableCredentials = /* @__PURE__ */ __name(async (dcqlQuery, context) => {
1866
+ function buildPartialPD(inputDescriptor, presentationDefinition) {
1867
+ return {
1868
+ ...presentationDefinition,
1869
+ input_descriptors: [
1870
+ inputDescriptor
1871
+ ]
1872
+ };
1873
+ }
1874
+ __name(buildPartialPD, "buildPartialPD");
1875
+ var getSelectableCredentials = /* @__PURE__ */ __name(async (presentationDefinition, context) => {
1453
1876
  const agentContext = {
1454
1877
  ...context,
1455
1878
  agent: context.agent
1456
1879
  };
1457
1880
  const { agent } = agentContext;
1881
+ const pex = new PEX2();
1458
1882
  const uniqueVerifiableCredentials = await agent.crsGetUniqueCredentials({
1459
- filter: verifiableCredentialForRoleFilter(CredentialRole.HOLDER)
1883
+ filter: verifiableCredentialForRoleFilter2(CredentialRole.HOLDER)
1460
1884
  });
1461
- const branding = await agent.ibGetCredentialBranding();
1462
- const dcqlCredentialsWithCredentials = new Map(uniqueVerifiableCredentials.map((vc) => [
1463
- convertToDcqlCredentials(vc),
1464
- vc
1465
- ]));
1466
- const queryResult = DcqlQuery.query(dcqlQuery, Array.from(dcqlCredentialsWithCredentials.keys()));
1467
- const uniqueCredentials = Array.from(dcqlCredentialsWithCredentials.values());
1885
+ const credentialBranding = await agent.ibGetCredentialBranding();
1468
1886
  const selectableCredentialsMap = /* @__PURE__ */ new Map();
1469
- for (const [key, value] of Object.entries(queryResult.credential_matches)) {
1470
- if (!value.valid_credentials) {
1471
- continue;
1472
- }
1473
- const mapSelectableCredentialPromises = value.valid_credentials.map(async (cred) => {
1474
- const matchedCredential = uniqueCredentials[cred.input_credential_index];
1475
- const credentialBranding = branding.filter((cb) => cb.vcHash === matchedCredential.hash);
1476
- const issuerPartyIdentity = await agent.cmGetContacts({
1477
- filter: [
1478
- {
1479
- identities: {
1480
- identifier: {
1481
- correlationId: matchedCredential.uniformVerifiableCredential.issuerDid
1887
+ for (const inputDescriptor of presentationDefinition.input_descriptors) {
1888
+ const partialPD = buildPartialPD(inputDescriptor, presentationDefinition);
1889
+ const originalCredentials = uniqueVerifiableCredentials.map((uniqueVC) => {
1890
+ return CredentialMapper4.storedCredentialToOriginalFormat(uniqueVC.originalVerifiableCredential);
1891
+ });
1892
+ const selectionResults = pex.selectFrom(partialPD, originalCredentials);
1893
+ const selectableCredentials = [];
1894
+ for (const selectedCredential of selectionResults.verifiableCredential || []) {
1895
+ const filteredUniqueVC = uniqueVerifiableCredentials.find((uniqueVC) => {
1896
+ const proof = uniqueVC.uniformVerifiableCredential.proof;
1897
+ return Array.isArray(proof) ? proof.some((proofItem) => proofItem.jwt === selectedCredential) : proof.jwt === selectedCredential;
1898
+ });
1899
+ if (filteredUniqueVC) {
1900
+ const filteredCredentialBrandings = credentialBranding.filter((cb) => cb.vcHash === filteredUniqueVC.hash);
1901
+ const issuerPartyIdentity = await agent.cmGetContacts({
1902
+ filter: [
1903
+ {
1904
+ identities: {
1905
+ identifier: {
1906
+ correlationId: filteredUniqueVC.uniformVerifiableCredential.issuerDid
1907
+ }
1482
1908
  }
1483
1909
  }
1484
- }
1485
- ]
1486
- });
1487
- const subjectPartyIdentity = await agent.cmGetContacts({
1488
- filter: [
1489
- {
1490
- identities: {
1491
- identifier: {
1492
- correlationId: matchedCredential.uniformVerifiableCredential.subjectDid
1910
+ ]
1911
+ });
1912
+ const subjectPartyIdentity = await agent.cmGetContacts({
1913
+ filter: [
1914
+ {
1915
+ identities: {
1916
+ identifier: {
1917
+ correlationId: filteredUniqueVC.uniformVerifiableCredential.subjectDid
1918
+ }
1493
1919
  }
1494
1920
  }
1495
- }
1496
- ]
1497
- });
1498
- return {
1499
- credential: matchedCredential,
1500
- credentialBranding: credentialBranding[0]?.localeBranding,
1501
- issuerParty: issuerPartyIdentity?.[0],
1502
- subjectParty: subjectPartyIdentity?.[0]
1503
- };
1504
- });
1505
- const selectableCredentials = await Promise.all(mapSelectableCredentialPromises);
1506
- selectableCredentialsMap.set(key, selectableCredentials);
1921
+ ]
1922
+ });
1923
+ selectableCredentials.push({
1924
+ credential: filteredUniqueVC,
1925
+ credentialBranding: filteredCredentialBrandings[0]?.localeBranding,
1926
+ issuerParty: issuerPartyIdentity?.[0],
1927
+ subjectParty: subjectPartyIdentity?.[0]
1928
+ });
1929
+ }
1930
+ }
1931
+ selectableCredentialsMap.set(inputDescriptor.id, selectableCredentials);
1507
1932
  }
1508
1933
  return selectableCredentialsMap;
1509
1934
  }, "getSelectableCredentials");
@@ -1525,31 +1950,6 @@ var translateCorrelationIdToName = /* @__PURE__ */ __name(async (correlationId,
1525
1950
  }
1526
1951
  return contacts[0].contact.displayName;
1527
1952
  }, "translateCorrelationIdToName");
1528
- var updateSdJwtCredential = /* @__PURE__ */ __name((credential, nonce, aud) => {
1529
- const sdJwtCredential = credential;
1530
- const hashAlg = sdJwtCredential.signedPayload._sd_alg ?? "sha-256";
1531
- const sdHash = calculateSdHash(sdJwtCredential.compactSdJwtVc, hashAlg, defaultGenerateDigest);
1532
- const kbJwt = {
1533
- // alg MUST be set by the signer
1534
- header: {
1535
- typ: "kb+jwt"
1536
- },
1537
- payload: {
1538
- iat: Math.floor((/* @__PURE__ */ new Date()).getTime() / 1e3),
1539
- sd_hash: sdHash,
1540
- ...nonce && {
1541
- nonce
1542
- },
1543
- ...aud && {
1544
- aud
1545
- }
1546
- }
1547
- };
1548
- return {
1549
- ...sdJwtCredential,
1550
- kbJwt
1551
- };
1552
- }, "updateSdJwtCredential");
1553
1953
 
1554
1954
  // src/agent/DidAuthSiopOpAuthenticator.ts
1555
1955
  var logger4 = Loggers4.DEFAULT.options(LOGGER_NAMESPACE, {}).get(LOGGER_NAMESPACE);
@@ -1569,7 +1969,7 @@ var DidAuthSiopOpAuthenticator = class {
1569
1969
  static {
1570
1970
  __name(this, "DidAuthSiopOpAuthenticator");
1571
1971
  }
1572
- schema = plugin_schema_default.IDidAuthSiopOpAuthenticator;
1972
+ schema = schema.IDidAuthSiopOpAuthenticator;
1573
1973
  methods = {
1574
1974
  siopGetOPSession: this.siopGetOPSession.bind(this),
1575
1975
  siopRegisterOPSession: this.siopRegisterOPSession.bind(this),
@@ -1710,9 +2110,9 @@ var DidAuthSiopOpAuthenticator = class {
1710
2110
  const verifiedAuthorizationRequest = await session.getAuthorizationRequest();
1711
2111
  const clientName = verifiedAuthorizationRequest.registrationMetadataPayload?.client_name;
1712
2112
  const url = verifiedAuthorizationRequest.responseURI ?? (args.url.includes("request_uri") ? decodeURIComponent(args.url.split("?request_uri=")[1].trim()) : verifiedAuthorizationRequest.issuer ?? verifiedAuthorizationRequest.registrationMetadataPayload?.client_id);
1713
- const uri = url?.includes("://") ? new URL(url) : void 0;
2113
+ const uri = url.includes("://") ? new URL(url) : void 0;
1714
2114
  const correlationId = uri?.hostname ?? await this.determineCorrelationId(uri, verifiedAuthorizationRequest, clientName, context);
1715
- const clientId = verifiedAuthorizationRequest.authorizationRequest.getMergedProperty("client_id");
2115
+ const clientId = await verifiedAuthorizationRequest.authorizationRequest.getMergedProperty("client_id");
1716
2116
  return {
1717
2117
  issuer: verifiedAuthorizationRequest.issuer,
1718
2118
  correlationId,
@@ -1720,6 +2120,7 @@ var DidAuthSiopOpAuthenticator = class {
1720
2120
  uri,
1721
2121
  name: clientName,
1722
2122
  clientId,
2123
+ presentationDefinitions: await verifiedAuthorizationRequest.authorizationRequest.containsResponseType("vp_token") || verifiedAuthorizationRequest.versions.every((version) => version <= SupportedVersion3.JWT_VC_PRESENTATION_PROFILE_v1) && verifiedAuthorizationRequest.presentationDefinitions && verifiedAuthorizationRequest.presentationDefinitions.length > 0 ? verifiedAuthorizationRequest.presentationDefinitions : void 0,
1723
2124
  dcqlQuery: verifiedAuthorizationRequest.dcqlQuery
1724
2125
  };
1725
2126
  }
@@ -1796,14 +2197,75 @@ var DidAuthSiopOpAuthenticator = class {
1796
2197
  if (authorizationRequestData === void 0) {
1797
2198
  return Promise.reject(Error("Missing authorization request data in context"));
1798
2199
  }
2200
+ const pex = new PEX3({
2201
+ hasher: this.hasher
2202
+ });
2203
+ const verifiableCredentialsWithDefinition = [];
2204
+ const dcqlCredentialsWithCredentials = /* @__PURE__ */ new Map();
2205
+ if (Array.isArray(authorizationRequestData.presentationDefinitions) && authorizationRequestData?.presentationDefinitions.length > 0) {
2206
+ try {
2207
+ authorizationRequestData.presentationDefinitions?.forEach((presentationDefinition) => {
2208
+ const { areRequiredCredentialsPresent, verifiableCredential: verifiableCredentials } = pex.selectFrom(presentationDefinition.definition, selectedCredentials.map((udc) => udc.originalVerifiableCredential));
2209
+ if (areRequiredCredentialsPresent !== Status2.ERROR && verifiableCredentials) {
2210
+ let uniqueDigitalCredentials = [];
2211
+ uniqueDigitalCredentials = verifiableCredentials.map((vc) => {
2212
+ const hash = typeof vc === "string" ? computeEntryHash(vc.split("~"[0])) : computeEntryHash(vc);
2213
+ const udc = selectedCredentials.find((udc2) => udc2.hash == hash || udc2.originalVerifiableCredential == vc);
2214
+ if (!udc) {
2215
+ throw Error(`UniqueDigitalCredential could not be found in store. Either the credential is not present in the store or the hash is not correct.`);
2216
+ }
2217
+ return udc;
2218
+ });
2219
+ verifiableCredentialsWithDefinition.push({
2220
+ definition: presentationDefinition,
2221
+ credentials: uniqueDigitalCredentials
2222
+ });
2223
+ }
2224
+ });
2225
+ } catch (e) {
2226
+ return Promise.reject(e);
2227
+ }
2228
+ if (verifiableCredentialsWithDefinition.length === 0) {
2229
+ return Promise.reject(Error("None of the selected credentials match any of the presentation definitions."));
2230
+ }
2231
+ } else if (authorizationRequestData.dcqlQuery) {
2232
+ if (this.hasMDocCredentials(selectedCredentials) || this.hasSdJwtCredentials(selectedCredentials)) {
2233
+ try {
2234
+ selectedCredentials.forEach((vc) => {
2235
+ if (this.isSdJwtCredential(vc)) {
2236
+ const payload = vc.originalVerifiableCredential.decodedPayload;
2237
+ const result = {
2238
+ claims: payload,
2239
+ vct: payload.vct,
2240
+ credential_format: "vc+sd-jwt"
2241
+ };
2242
+ dcqlCredentialsWithCredentials.set(result, vc);
2243
+ } else {
2244
+ throw Error(`Invalid credential format: ${vc.digitalCredential.documentFormat}`);
2245
+ }
2246
+ });
2247
+ } catch (e) {
2248
+ return Promise.reject(e);
2249
+ }
2250
+ const dcqlPresentationRecord = {};
2251
+ const queryResult = DcqlQuery2.query(authorizationRequestData.dcqlQuery, Array.from(dcqlCredentialsWithCredentials.keys()));
2252
+ for (const [key, value] of Object.entries(queryResult.credential_matches)) {
2253
+ if (value.success) {
2254
+ dcqlPresentationRecord[key] = this.retrieveEncodedCredential(dcqlCredentialsWithCredentials.get(value.output));
2255
+ }
2256
+ }
2257
+ }
2258
+ }
1799
2259
  const response = await siopSendAuthorizationResponse(ConnectionType2.SIOPv2_OpenID4VP, {
1800
2260
  sessionId: didAuthConfig.sessionId,
1801
2261
  ...args.idOpts && {
1802
2262
  idOpts: args.idOpts
1803
2263
  },
2264
+ ...authorizationRequestData.presentationDefinitions !== void 0 && {
2265
+ verifiableCredentialsWithDefinition
2266
+ },
1804
2267
  isFirstParty,
1805
- hasher: this.hasher,
1806
- credentials: selectedCredentials
2268
+ hasher: this.hasher
1807
2269
  }, context);
1808
2270
  const contentType = response.headers.get("content-type") || "";
1809
2271
  let responseBody = null;
@@ -1817,12 +2279,30 @@ var DidAuthSiopOpAuthenticator = class {
1817
2279
  queryParams: decodeUriAsJson(response?.url)
1818
2280
  };
1819
2281
  }
2282
+ hasMDocCredentials = /* @__PURE__ */ __name((credentials) => {
2283
+ return credentials.some(this.isMDocCredential);
2284
+ }, "hasMDocCredentials");
2285
+ isMDocCredential = /* @__PURE__ */ __name((credential) => {
2286
+ return credential.digitalCredential.documentFormat === CredentialDocumentFormat.MSO_MDOC && credential.digitalCredential.documentType === DocumentType.VC;
2287
+ }, "isMDocCredential");
2288
+ hasSdJwtCredentials = /* @__PURE__ */ __name((credentials) => {
2289
+ return credentials.some(this.isSdJwtCredential);
2290
+ }, "hasSdJwtCredentials");
2291
+ isSdJwtCredential = /* @__PURE__ */ __name((credential) => {
2292
+ return credential.digitalCredential.documentFormat === CredentialDocumentFormat.SD_JWT && credential.digitalCredential.documentType === DocumentType.VC;
2293
+ }, "isSdJwtCredential");
2294
+ retrieveEncodedCredential = /* @__PURE__ */ __name((credential) => {
2295
+ return credential.originalVerifiableCredential !== void 0 && credential.originalVerifiableCredential !== null && credential?.originalVerifiableCredential?.compactSdJwtVc !== void 0 && credential?.originalVerifiableCredential?.compactSdJwtVc !== null ? credential.originalVerifiableCredential.compactSdJwtVc : credential.originalVerifiableCredential;
2296
+ }, "retrieveEncodedCredential");
1820
2297
  async siopGetSelectableCredentials(args, context) {
1821
2298
  const { authorizationRequestData } = args;
1822
- if (!authorizationRequestData?.dcqlQuery) {
1823
- return Promise.reject(Error("Missing required dcql query in context"));
2299
+ if (!authorizationRequestData || !authorizationRequestData.presentationDefinitions || authorizationRequestData.presentationDefinitions.length === 0) {
2300
+ return Promise.reject(Error("Missing required fields in arguments or context"));
2301
+ }
2302
+ if (authorizationRequestData.presentationDefinitions.length > 1) {
2303
+ return Promise.reject(Error("Multiple presentation definitions present"));
1824
2304
  }
1825
- return getSelectableCredentials(authorizationRequestData?.dcqlQuery, context);
2305
+ return getSelectableCredentials(authorizationRequestData.presentationDefinitions[0].definition, context);
1826
2306
  }
1827
2307
  };
1828
2308
 
@@ -1908,6 +2388,9 @@ var Siopv2OID4VPLinkHandler = class extends LinkHandlerAdapter {
1908
2388
  }
1909
2389
  }
1910
2390
  };
2391
+
2392
+ // src/index.ts
2393
+ var schema = require_plugin_schema();
1911
2394
  export {
1912
2395
  DEFAULT_JWT_PROOF_TYPE,
1913
2396
  DID_PREFIX,
@@ -1925,14 +2408,14 @@ export {
1925
2408
  Siopv2MachineStates,
1926
2409
  Siopv2OID4VPLinkHandler,
1927
2410
  SupportedLanguage,
1928
- convertToDcqlCredentials,
1929
2411
  createJwtCallbackWithIdOpts,
1930
2412
  createJwtCallbackWithOpOpts,
1931
2413
  createOID4VPPresentationSignCallback,
1932
2414
  createOP,
1933
2415
  createOPBuilder,
1934
2416
  didAuthSiopOpAuthenticatorMethods,
2417
+ events,
1935
2418
  getSigningAlgo,
1936
- plugin_schema_default as schema
2419
+ schema
1937
2420
  };
1938
2421
  //# sourceMappingURL=index.js.map