@sphereon/ssi-sdk.siopv2-oid4vp-op-auth 0.34.1-feature.SSISDK.26.55 → 0.34.1-feature.SSISDK.26.75

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (18) hide show
  1. package/dist/index.cjs +1026 -1547
  2. package/dist/index.cjs.map +1 -1
  3. package/dist/index.d.cts +709 -111
  4. package/dist/index.d.ts +709 -111
  5. package/dist/index.js +1036 -1557
  6. package/dist/index.js.map +1 -1
  7. package/package.json +23 -23
  8. package/src/agent/DidAuthSiopOpAuthenticator.ts +19 -147
  9. package/src/index.ts +2 -1
  10. package/src/machine/Siopv2Machine.ts +4 -4
  11. package/src/services/Siopv2MachineService.ts +97 -203
  12. package/src/session/OID4VP.ts +310 -299
  13. package/src/session/OpSession.ts +22 -114
  14. package/src/types/IDidAuthSiopOpAuthenticator.ts +5 -58
  15. package/src/types/identifier/index.ts +0 -4
  16. package/src/types/siop-service/index.ts +1 -3
  17. package/src/utils/CredentialUtils.ts +1 -39
  18. package/src/utils/dcql.ts +21 -19
package/dist/index.cjs CHANGED
@@ -60,544 +60,383 @@ var require_nl = __commonJS({
60
60
  }
61
61
  });
62
62
 
63
+ // src/index.ts
64
+ var index_exports = {};
65
+ __export(index_exports, {
66
+ DEFAULT_JWT_PROOF_TYPE: () => DEFAULT_JWT_PROOF_TYPE,
67
+ DID_PREFIX: () => DID_PREFIX,
68
+ DidAuthSiopOpAuthenticator: () => DidAuthSiopOpAuthenticator,
69
+ LOGGER_NAMESPACE: () => LOGGER_NAMESPACE,
70
+ OID4VP: () => OID4VP,
71
+ OID4VPCallbackStateListener: () => OID4VPCallbackStateListener,
72
+ OpSession: () => OpSession,
73
+ Siopv2HolderEvent: () => Siopv2HolderEvent,
74
+ Siopv2Machine: () => Siopv2Machine,
75
+ Siopv2MachineAddContactStates: () => Siopv2MachineAddContactStates,
76
+ Siopv2MachineEvents: () => Siopv2MachineEvents,
77
+ Siopv2MachineGuards: () => Siopv2MachineGuards,
78
+ Siopv2MachineServices: () => Siopv2MachineServices,
79
+ Siopv2MachineStates: () => Siopv2MachineStates,
80
+ Siopv2OID4VPLinkHandler: () => Siopv2OID4VPLinkHandler,
81
+ SupportedLanguage: () => SupportedLanguage,
82
+ convertToDcqlCredentials: () => convertToDcqlCredentials,
83
+ createJwtCallbackWithIdOpts: () => createJwtCallbackWithIdOpts,
84
+ createJwtCallbackWithOpOpts: () => createJwtCallbackWithOpOpts,
85
+ createOID4VPPresentationSignCallback: () => createOID4VPPresentationSignCallback,
86
+ createOP: () => createOP,
87
+ createOPBuilder: () => createOPBuilder,
88
+ didAuthSiopOpAuthenticatorMethods: () => didAuthSiopOpAuthenticatorMethods,
89
+ getSigningAlgo: () => getSigningAlgo,
90
+ schema: () => plugin_schema_default
91
+ });
92
+ module.exports = __toCommonJS(index_exports);
93
+
63
94
  // plugin.schema.json
64
- var require_plugin_schema = __commonJS({
65
- "plugin.schema.json"(exports, module2) {
66
- module2.exports = {
67
- IDidAuthSiopOpAuthenticator: {
68
- components: {
69
- schemas: {
70
- IGetSiopSessionArgs: {
71
- type: "object",
72
- properties: {
73
- sessionId: {
74
- type: "string"
75
- },
76
- additionalProperties: false
77
- },
78
- required: ["sessionId"],
79
- description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.getSessionForSiop } "
95
+ var plugin_schema_default = {
96
+ IDidAuthSiopOpAuthenticator: {
97
+ components: {
98
+ schemas: {
99
+ IGetSiopSessionArgs: {
100
+ type: "object",
101
+ properties: {
102
+ sessionId: {
103
+ type: "string"
80
104
  },
81
- IRegisterSiopSessionArgs: {
105
+ additionalProperties: false
106
+ },
107
+ required: ["sessionId"],
108
+ description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.getSessionForSiop } "
109
+ },
110
+ IRegisterSiopSessionArgs: {
111
+ type: "object",
112
+ properties: {
113
+ identifier: {
82
114
  type: "object",
83
115
  properties: {
84
- identifier: {
85
- type: "object",
86
- properties: {
87
- did: {
88
- type: "string"
89
- },
90
- alias: {
91
- type: "string"
92
- },
93
- provider: {
94
- type: "string"
95
- },
96
- controllerKeyId: {
97
- type: "string"
98
- },
99
- keys: {
100
- type: "array",
101
- items: {
102
- type: "object",
103
- properties: {
104
- additionalProperties: true
105
- }
106
- }
107
- },
108
- services: {
109
- type: "array",
110
- items: {
111
- type: "object",
112
- properties: {
113
- additionalProperties: true
114
- }
115
- }
116
- }
117
- },
118
- additionalProperties: false,
119
- required: ["did", "provider", "keys", "services"]
120
- },
121
- sessionId: {
116
+ did: {
122
117
  type: "string"
123
118
  },
124
- expiresIn: {
125
- type: "number"
126
- },
127
- additionalProperties: false
128
- },
129
- required: ["identifier"],
130
- description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.registerSessionForSiop } "
131
- },
132
- IRemoveSiopSessionArgs: {
133
- type: "object",
134
- properties: {
135
- sessionId: {
119
+ alias: {
136
120
  type: "string"
137
121
  },
138
- additionalProperties: false
139
- },
140
- required: ["sessionId"],
141
- description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.removeSessionForSiop } "
142
- },
143
- IAuthenticateWithSiopArgs: {
144
- type: "object",
145
- properties: {
146
- sessionId: {
122
+ provider: {
147
123
  type: "string"
148
124
  },
149
- stateId: {
125
+ controllerKeyId: {
150
126
  type: "string"
151
127
  },
152
- redirectUrl: {
153
- type: "string"
128
+ keys: {
129
+ type: "array",
130
+ items: {
131
+ type: "object",
132
+ properties: {
133
+ additionalProperties: true
134
+ }
135
+ }
154
136
  },
155
- additionalProperties: false
137
+ services: {
138
+ type: "array",
139
+ items: {
140
+ type: "object",
141
+ properties: {
142
+ additionalProperties: true
143
+ }
144
+ }
145
+ }
156
146
  },
157
- required: ["sessionId", "stateId", "redirectUrl"],
158
- description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.authenticateWithSiop } "
147
+ additionalProperties: false,
148
+ required: ["did", "provider", "keys", "services"]
149
+ },
150
+ sessionId: {
151
+ type: "string"
152
+ },
153
+ expiresIn: {
154
+ type: "number"
155
+ },
156
+ additionalProperties: false
157
+ },
158
+ required: ["identifier"],
159
+ description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.registerSessionForSiop } "
160
+ },
161
+ IRemoveSiopSessionArgs: {
162
+ type: "object",
163
+ properties: {
164
+ sessionId: {
165
+ type: "string"
159
166
  },
160
- IResponse: {
167
+ additionalProperties: false
168
+ },
169
+ required: ["sessionId"],
170
+ description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.removeSessionForSiop } "
171
+ },
172
+ IAuthenticateWithSiopArgs: {
173
+ type: "object",
174
+ properties: {
175
+ sessionId: {
176
+ type: "string"
177
+ },
178
+ stateId: {
179
+ type: "string"
180
+ },
181
+ redirectUrl: {
182
+ type: "string"
183
+ },
184
+ additionalProperties: false
185
+ },
186
+ required: ["sessionId", "stateId", "redirectUrl"],
187
+ description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.authenticateWithSiop } "
188
+ },
189
+ IResponse: {
190
+ type: "object",
191
+ properties: {
192
+ status: {
193
+ type: "number"
194
+ },
195
+ additionalProperties: true
196
+ },
197
+ required: ["status"],
198
+ description: "Result of {@link DidAuthSiopOpAuthenticator.authenticateWithSiop & DidAuthSiopOpAuthenticator.sendSiopAuthenticationResponse } "
199
+ },
200
+ IGetSiopAuthenticationRequestFromRpArgs: {
201
+ type: "object",
202
+ properties: {
203
+ sessionId: {
204
+ type: "string"
205
+ },
206
+ stateId: {
207
+ type: "string"
208
+ },
209
+ redirectUrl: {
210
+ type: "string"
211
+ },
212
+ additionalProperties: false
213
+ },
214
+ required: ["sessionId", "stateId", "redirectUrl"],
215
+ description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.getSiopAuthenticationRequestFromRP } "
216
+ },
217
+ ParsedAuthenticationRequestURI: {
218
+ type: "object",
219
+ properties: {
220
+ jwt: {
221
+ type: "string"
222
+ },
223
+ requestPayload: {
161
224
  type: "object",
162
225
  properties: {
163
- status: {
164
- type: "number"
165
- },
166
226
  additionalProperties: true
167
- },
168
- required: ["status"],
169
- description: "Result of {@link DidAuthSiopOpAuthenticator.authenticateWithSiop & DidAuthSiopOpAuthenticator.sendSiopAuthenticationResponse } "
227
+ }
170
228
  },
171
- IGetSiopAuthenticationRequestFromRpArgs: {
229
+ registration: {
172
230
  type: "object",
173
231
  properties: {
174
- sessionId: {
175
- type: "string"
176
- },
177
- stateId: {
178
- type: "string"
179
- },
180
- redirectUrl: {
181
- type: "string"
182
- },
183
- additionalProperties: false
184
- },
185
- required: ["sessionId", "stateId", "redirectUrl"],
186
- description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.getSiopAuthenticationRequestFromRP } "
232
+ additionalProperties: true
233
+ }
187
234
  },
188
- ParsedAuthenticationRequestURI: {
235
+ additionalProperties: false
236
+ },
237
+ required: ["jwt", "requestPayload", "registration"],
238
+ description: "Result of {@link DidAuthSiopOpAuthenticator.getSiopAuthenticationRequestFromRP } "
239
+ },
240
+ IGetSiopAuthenticationRequestDetailsArgs: {
241
+ type: "object",
242
+ properties: {
243
+ sessionId: {
244
+ type: "string"
245
+ },
246
+ verifiedAuthenticationRequest: {
189
247
  type: "object",
190
248
  properties: {
191
- jwt: {
192
- type: "string"
193
- },
194
- requestPayload: {
195
- type: "object",
196
- properties: {
197
- additionalProperties: true
198
- }
199
- },
200
- registration: {
201
- type: "object",
202
- properties: {
203
- additionalProperties: true
204
- }
205
- },
206
- additionalProperties: false
207
- },
208
- required: ["jwt", "requestPayload", "registration"],
209
- description: "Result of {@link DidAuthSiopOpAuthenticator.getSiopAuthenticationRequestFromRP } "
249
+ additionalProperties: true
250
+ }
210
251
  },
211
- IGetSiopAuthenticationRequestDetailsArgs: {
252
+ credentialFilter: {
212
253
  type: "object",
213
254
  properties: {
214
- sessionId: {
215
- type: "string"
216
- },
217
- verifiedAuthenticationRequest: {
218
- type: "object",
219
- properties: {
220
- additionalProperties: true
221
- }
222
- },
223
- credentialFilter: {
224
- type: "object",
225
- properties: {
226
- additionalProperties: true
227
- }
228
- },
229
- additionalProperties: false
230
- },
231
- required: ["sessionId", "verifiedAuthenticationRequest"],
232
- description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.getSiopAuthenticationRequestDetails } "
255
+ additionalProperties: true
256
+ }
257
+ },
258
+ additionalProperties: false
259
+ },
260
+ required: ["sessionId", "verifiedAuthenticationRequest"],
261
+ description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.getSiopAuthenticationRequestDetails } "
262
+ },
263
+ IAuthRequestDetails: {
264
+ type: "object",
265
+ properties: {
266
+ id: {
267
+ type: "string"
268
+ },
269
+ alsoKnownAs: {
270
+ type: "array",
271
+ items: {
272
+ type: "string"
273
+ }
233
274
  },
234
- IAuthRequestDetails: {
275
+ vpResponseOpts: {
235
276
  type: "object",
236
277
  properties: {
237
- id: {
238
- type: "string"
239
- },
240
- alsoKnownAs: {
241
- type: "array",
242
- items: {
243
- type: "string"
244
- }
245
- },
246
- vpResponseOpts: {
247
- type: "object",
248
- properties: {
249
- additionalProperties: true
250
- }
251
- },
252
- additionalProperties: false
253
- },
254
- required: ["id", "vpResponseOpts"],
255
- description: "Result of {@link DidAuthSiopOpAuthenticator.getSiopAuthenticationRequestDetails } "
278
+ additionalProperties: true
279
+ }
280
+ },
281
+ additionalProperties: false
282
+ },
283
+ required: ["id", "vpResponseOpts"],
284
+ description: "Result of {@link DidAuthSiopOpAuthenticator.getSiopAuthenticationRequestDetails } "
285
+ },
286
+ IVerifySiopAuthenticationRequestUriArgs: {
287
+ type: "object",
288
+ properties: {
289
+ sessionId: {
290
+ type: "string"
256
291
  },
257
- IVerifySiopAuthenticationRequestUriArgs: {
292
+ ParsedAuthenticationRequestURI: {
258
293
  type: "object",
259
294
  properties: {
260
- sessionId: {
261
- type: "string"
262
- },
263
- ParsedAuthenticationRequestURI: {
264
- type: "object",
265
- properties: {
266
- additionalProperties: true
267
- }
268
- },
269
- additionalProperties: false
270
- },
271
- required: ["sessionId", "ParsedAuthenticationRequestURI"],
272
- description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.verifySiopAuthenticationRequestURI } "
295
+ additionalProperties: true
296
+ }
273
297
  },
274
- VerifiedAuthorizationRequest: {
298
+ additionalProperties: false
299
+ },
300
+ required: ["sessionId", "ParsedAuthenticationRequestURI"],
301
+ description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.verifySiopAuthenticationRequestURI } "
302
+ },
303
+ VerifiedAuthorizationRequest: {
304
+ type: "object",
305
+ properties: {
306
+ payload: {
275
307
  type: "object",
276
308
  properties: {
277
- payload: {
278
- type: "object",
279
- properties: {
280
- additionalProperties: true
281
- }
282
- },
283
- presentationDefinitions: {
284
- type: "object",
285
- properties: {
286
- additionalProperties: true
287
- }
288
- },
289
- verifyOpts: {
290
- type: "object",
291
- properties: {
292
- additionalProperties: true
293
- }
294
- },
295
- additionalProperties: false
296
- },
297
- required: ["payload", "verifyOpts"],
298
- description: "Result of {@link DidAuthSiopOpAuthenticator.verifySiopAuthenticationRequestURI } "
309
+ additionalProperties: true
310
+ }
299
311
  },
300
- ISendSiopAuthenticationResponseArgs: {
312
+ presentationDefinitions: {
301
313
  type: "object",
302
314
  properties: {
303
- sessionId: {
304
- type: "string"
305
- },
306
- verifiedAuthenticationRequest: {
307
- type: "object",
308
- properties: {
309
- additionalProperties: true
310
- }
311
- },
312
- verifiablePresentationResponse: {
313
- type: "object",
314
- properties: {
315
- additionalProperties: true
316
- }
317
- },
318
- additionalProperties: false
319
- },
320
- required: ["sessionId", "verifiedAuthenticationRequest"],
321
- description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.sendSiopAuthenticationResponse } "
322
- }
323
- },
324
- methods: {
325
- getSessionForSiop: {
326
- description: "Get SIOP session",
327
- arguments: {
328
- $ref: "#/components/schemas/IGetSiopSessionArgs"
329
- },
330
- returnType: "object"
331
- },
332
- registerSessionForSiop: {
333
- description: "Register SIOP session",
334
- arguments: {
335
- $ref: "#/components/schemas/IRegisterSiopSessionArgs"
336
- },
337
- returnType: "object"
338
- },
339
- removeSessionForSiop: {
340
- description: "Remove SIOP session",
341
- arguments: {
342
- $ref: "#/components/schemas/IRemoveSiopSessionArgs"
343
- },
344
- returnType: "boolean"
345
- },
346
- authenticateWithSiop: {
347
- description: "Authenticate using DID Auth SIOP",
348
- arguments: {
349
- $ref: "#/components/schemas/IAuthenticateWithSiopArgs"
350
- },
351
- returnType: {
352
- $ref: "#/components/schemas/Response"
315
+ additionalProperties: true
353
316
  }
354
317
  },
355
- getSiopAuthenticationRequestFromRP: {
356
- description: "Get authentication request from RP",
357
- arguments: {
358
- $ref: "#/components/schemas/IGetSiopAuthenticationRequestFromRpArgs"
359
- },
360
- returnType: {
361
- $ref: "#/components/schemas/ParsedAuthenticationRequestURI"
318
+ verifyOpts: {
319
+ type: "object",
320
+ properties: {
321
+ additionalProperties: true
362
322
  }
363
323
  },
364
- getSiopAuthenticationRequestDetails: {
365
- description: "Get authentication request details",
366
- arguments: {
367
- $ref: "#/components/schemas/IGetSiopAuthenticationRequestDetailsArgs"
368
- },
369
- returnType: {
370
- $ref: "#/components/schemas/IAuthRequestDetails"
371
- }
324
+ additionalProperties: false
325
+ },
326
+ required: ["payload", "verifyOpts"],
327
+ description: "Result of {@link DidAuthSiopOpAuthenticator.verifySiopAuthenticationRequestURI } "
328
+ },
329
+ ISendSiopAuthenticationResponseArgs: {
330
+ type: "object",
331
+ properties: {
332
+ sessionId: {
333
+ type: "string"
372
334
  },
373
- verifySiopAuthenticationRequestURI: {
374
- description: "Verify authentication request URI",
375
- arguments: {
376
- $ref: "#/components/schemas/IVerifySiopAuthenticationRequestUriArgs"
377
- },
378
- returnType: {
379
- $ref: "#/components/schemas/VerifiedAuthorizationRequest"
335
+ verifiedAuthenticationRequest: {
336
+ type: "object",
337
+ properties: {
338
+ additionalProperties: true
380
339
  }
381
340
  },
382
- sendSiopAuthenticationResponse: {
383
- description: "Send authentication response",
384
- arguments: {
385
- $ref: "#/components/schemas/ISendSiopAuthenticationResponseArgs"
386
- },
387
- returnType: {
388
- $ref: "#/components/schemas/IRequiredContext"
341
+ verifiablePresentationResponse: {
342
+ type: "object",
343
+ properties: {
344
+ additionalProperties: true
389
345
  }
390
- }
346
+ },
347
+ additionalProperties: false
348
+ },
349
+ required: ["sessionId", "verifiedAuthenticationRequest"],
350
+ description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.sendSiopAuthenticationResponse } "
351
+ }
352
+ },
353
+ methods: {
354
+ getSessionForSiop: {
355
+ description: "Get SIOP session",
356
+ arguments: {
357
+ $ref: "#/components/schemas/IGetSiopSessionArgs"
358
+ },
359
+ returnType: "object"
360
+ },
361
+ registerSessionForSiop: {
362
+ description: "Register SIOP session",
363
+ arguments: {
364
+ $ref: "#/components/schemas/IRegisterSiopSessionArgs"
365
+ },
366
+ returnType: "object"
367
+ },
368
+ removeSessionForSiop: {
369
+ description: "Remove SIOP session",
370
+ arguments: {
371
+ $ref: "#/components/schemas/IRemoveSiopSessionArgs"
372
+ },
373
+ returnType: "boolean"
374
+ },
375
+ authenticateWithSiop: {
376
+ description: "Authenticate using DID Auth SIOP",
377
+ arguments: {
378
+ $ref: "#/components/schemas/IAuthenticateWithSiopArgs"
379
+ },
380
+ returnType: {
381
+ $ref: "#/components/schemas/Response"
382
+ }
383
+ },
384
+ getSiopAuthenticationRequestFromRP: {
385
+ description: "Get authentication request from RP",
386
+ arguments: {
387
+ $ref: "#/components/schemas/IGetSiopAuthenticationRequestFromRpArgs"
388
+ },
389
+ returnType: {
390
+ $ref: "#/components/schemas/ParsedAuthenticationRequestURI"
391
+ }
392
+ },
393
+ getSiopAuthenticationRequestDetails: {
394
+ description: "Get authentication request details",
395
+ arguments: {
396
+ $ref: "#/components/schemas/IGetSiopAuthenticationRequestDetailsArgs"
397
+ },
398
+ returnType: {
399
+ $ref: "#/components/schemas/IAuthRequestDetails"
400
+ }
401
+ },
402
+ verifySiopAuthenticationRequestURI: {
403
+ description: "Verify authentication request URI",
404
+ arguments: {
405
+ $ref: "#/components/schemas/IVerifySiopAuthenticationRequestUriArgs"
406
+ },
407
+ returnType: {
408
+ $ref: "#/components/schemas/VerifiedAuthorizationRequest"
409
+ }
410
+ },
411
+ sendSiopAuthenticationResponse: {
412
+ description: "Send authentication response",
413
+ arguments: {
414
+ $ref: "#/components/schemas/ISendSiopAuthenticationResponseArgs"
415
+ },
416
+ returnType: {
417
+ $ref: "#/components/schemas/IRequiredContext"
391
418
  }
392
419
  }
393
420
  }
394
- };
421
+ }
395
422
  }
396
- });
397
-
398
- // src/index.ts
399
- var index_exports = {};
400
- __export(index_exports, {
401
- DEFAULT_JWT_PROOF_TYPE: () => DEFAULT_JWT_PROOF_TYPE,
402
- DID_PREFIX: () => DID_PREFIX,
403
- DidAuthSiopOpAuthenticator: () => DidAuthSiopOpAuthenticator,
404
- LOGGER_NAMESPACE: () => LOGGER_NAMESPACE,
405
- OID4VP: () => OID4VP,
406
- OID4VPCallbackStateListener: () => OID4VPCallbackStateListener,
407
- OpSession: () => OpSession,
408
- Siopv2HolderEvent: () => Siopv2HolderEvent,
409
- Siopv2Machine: () => Siopv2Machine,
410
- Siopv2MachineAddContactStates: () => Siopv2MachineAddContactStates,
411
- Siopv2MachineEvents: () => Siopv2MachineEvents,
412
- Siopv2MachineGuards: () => Siopv2MachineGuards,
413
- Siopv2MachineServices: () => Siopv2MachineServices,
414
- Siopv2MachineStates: () => Siopv2MachineStates,
415
- Siopv2OID4VPLinkHandler: () => Siopv2OID4VPLinkHandler,
416
- SupportedLanguage: () => SupportedLanguage,
417
- createJwtCallbackWithIdOpts: () => createJwtCallbackWithIdOpts,
418
- createJwtCallbackWithOpOpts: () => createJwtCallbackWithOpOpts,
419
- createOID4VPPresentationSignCallback: () => createOID4VPPresentationSignCallback,
420
- createOP: () => createOP,
421
- createOPBuilder: () => createOPBuilder,
422
- didAuthSiopOpAuthenticatorMethods: () => didAuthSiopOpAuthenticatorMethods,
423
- events: () => events,
424
- getSigningAlgo: () => getSigningAlgo,
425
- schema: () => schema
426
- });
427
- module.exports = __toCommonJS(index_exports);
423
+ };
428
424
 
429
425
  // src/agent/DidAuthSiopOpAuthenticator.ts
430
426
  var import_did_auth_siop5 = require("@sphereon/did-auth-siop");
431
- var import_ssi_sdk8 = require("@sphereon/ssi-sdk.data-store");
427
+ var import_ssi_sdk6 = require("@sphereon/ssi-sdk.data-store");
432
428
  var import_ssi_types7 = require("@sphereon/ssi-types");
433
429
  var import_uuid2 = require("uuid");
434
430
 
435
- // src/session/functions.ts
436
- var import_did_auth_siop = require("@sphereon/did-auth-siop");
437
- var import_oid4vc_common = require("@sphereon/oid4vc-common");
438
- var import_ssi_sdk_ext = require("@sphereon/ssi-sdk-ext.identifier-resolution");
439
- var import_ssi_sdk = require("@sphereon/ssi-sdk.presentation-exchange");
440
- var import_events = require("events");
441
- async function createOID4VPPresentationSignCallback({ presentationSignCallback, idOpts: idOpts1, domain, fetchRemoteContexts, challenge, format, context, skipDidResolution }) {
442
- if (typeof presentationSignCallback === "function") {
443
- return presentationSignCallback;
444
- }
445
- return (0, import_ssi_sdk.createPEXPresentationSignCallback)({
446
- idOpts: idOpts1,
447
- fetchRemoteContexts,
448
- domain,
449
- challenge,
450
- format,
451
- skipDidResolution
452
- }, context);
453
- }
454
- __name(createOID4VPPresentationSignCallback, "createOID4VPPresentationSignCallback");
455
- async function createOPBuilder({ opOptions, idOpts: idOpts1, context }) {
456
- const eventEmitter = opOptions.eventEmitter ?? new import_events.EventEmitter();
457
- const builder = import_did_auth_siop.OP.builder().withResponseMode(opOptions.responseMode ?? import_did_auth_siop.ResponseMode.DIRECT_POST).withSupportedVersions(opOptions.supportedVersions ?? [
458
- import_did_auth_siop.SupportedVersion.SIOPv2_ID1,
459
- import_did_auth_siop.SupportedVersion.JWT_VC_PRESENTATION_PROFILE_v1,
460
- import_did_auth_siop.SupportedVersion.SIOPv2_D11,
461
- import_did_auth_siop.SupportedVersion.SIOPv2_D12_OID4VP_D18
462
- ]).withExpiresIn(opOptions.expiresIn ?? 300).withEventEmitter(eventEmitter).withRegistration({
463
- passBy: import_did_auth_siop.PassBy.VALUE
464
- });
465
- const wellknownDIDVerifyCallback = opOptions.wellknownDIDVerifyCallback ? opOptions.wellknownDIDVerifyCallback : async (args) => {
466
- const result = await context.agent.cvVerifyCredential({
467
- credential: args.credential,
468
- fetchRemoteContexts: true
469
- });
470
- return {
471
- verified: result.result
472
- };
473
- };
474
- builder.withVerifyJwtCallback(opOptions.verifyJwtCallback ? opOptions.verifyJwtCallback : getVerifyJwtCallback({
475
- verifyOpts: {
476
- wellknownDIDVerifyCallback,
477
- checkLinkedDomain: "if_present"
478
- }
479
- }, context));
480
- if (idOpts1) {
481
- if (opOptions.skipDidResolution && (0, import_ssi_sdk_ext.isManagedIdentifierDidOpts)(idOpts1)) {
482
- idOpts1.offlineWhenNoDIDRegistered = true;
483
- }
484
- const createJwtCallback = createJwtCallbackWithIdOpts(idOpts1, context);
485
- builder.withCreateJwtCallback(createJwtCallback);
486
- builder.withPresentationSignCallback(await createOID4VPPresentationSignCallback({
487
- presentationSignCallback: opOptions.presentationSignCallback,
488
- skipDidResolution: opOptions.skipDidResolution ?? false,
489
- idOpts: idOpts1,
490
- context
491
- }));
492
- } else {
493
- const createJwtCallback = createJwtCallbackWithOpOpts(opOptions, context);
494
- builder.withCreateJwtCallback(createJwtCallback);
495
- }
496
- return builder;
497
- }
498
- __name(createOPBuilder, "createOPBuilder");
499
- function createJwtCallbackWithIdOpts(idOpts1, context) {
500
- return async (jwtIssuer, jwt) => {
501
- let issuer;
502
- if ((0, import_ssi_sdk_ext.isManagedIdentifierDidOpts)(idOpts1)) {
503
- issuer = {
504
- ...idOpts1,
505
- method: idOpts1.method,
506
- noIdentifierInHeader: false
507
- };
508
- } else if ((0, import_ssi_sdk_ext.isManagedIdentifierX5cOpts)(idOpts1)) {
509
- issuer = {
510
- ...idOpts1,
511
- method: idOpts1.method,
512
- noIdentifierInHeader: false
513
- };
514
- } else {
515
- return Promise.reject(Error(`JWT issuer method ${jwtIssuer.method} not yet supported`));
516
- }
517
- const result = await context.agent.jwtCreateJwsCompactSignature({
518
- issuer,
519
- protectedHeader: jwt.header,
520
- payload: jwt.payload
521
- });
522
- return result.jwt;
523
- };
524
- }
525
- __name(createJwtCallbackWithIdOpts, "createJwtCallbackWithIdOpts");
526
- function createJwtCallbackWithOpOpts(opOpts, context) {
527
- return async (jwtIssuer, jwt) => {
528
- let identifier;
529
- if (jwtIssuer.method == "did") {
530
- identifier = jwtIssuer.didUrl;
531
- } else if (jwtIssuer.method == "x5c") {
532
- identifier = jwtIssuer.x5c;
533
- } else {
534
- return Promise.reject(Error(`JWT issuer method ${jwtIssuer.method} not yet supported`));
535
- }
536
- const result = await context.agent.jwtCreateJwsCompactSignature({
537
- // FIXME fix cose-key inference
538
- // @ts-ignore
539
- issuer: {
540
- identifier,
541
- kmsKeyRef: idOpts.kmsKeyRef,
542
- noIdentifierInHeader: false
543
- },
544
- // FIXME fix JWK key_ops
545
- // @ts-ignore
546
- protectedHeader: jwt.header,
547
- payload: jwt.payload
548
- });
549
- return result.jwt;
550
- };
551
- }
552
- __name(createJwtCallbackWithOpOpts, "createJwtCallbackWithOpOpts");
553
- function getVerifyJwtCallback(_opts, context) {
554
- return async (_jwtVerifier, jwt) => {
555
- const result = await context.agent.jwtVerifyJwsSignature({
556
- jws: jwt.raw
557
- });
558
- console.log(result.message);
559
- return !result.error;
560
- };
561
- }
562
- __name(getVerifyJwtCallback, "getVerifyJwtCallback");
563
- async function createOP({ opOptions, idOpts: idOpts1, context }) {
564
- return (await createOPBuilder({
565
- opOptions,
566
- idOpts: idOpts1,
567
- context
568
- })).build();
569
- }
570
- __name(createOP, "createOP");
571
- function getSigningAlgo(type) {
572
- switch (type) {
573
- case "Ed25519":
574
- return import_oid4vc_common.SigningAlgo.EDDSA;
575
- case "Secp256k1":
576
- return import_oid4vc_common.SigningAlgo.ES256K;
577
- case "Secp256r1":
578
- return import_oid4vc_common.SigningAlgo.ES256;
579
- // @ts-ignore
580
- case "RSA":
581
- return import_oid4vc_common.SigningAlgo.RS256;
582
- default:
583
- throw Error("Key type not yet supported");
584
- }
585
- }
586
- __name(getSigningAlgo, "getSigningAlgo");
431
+ // src/machine/Siopv2Machine.ts
432
+ var import_xstate = require("xstate");
587
433
 
588
- // src/session/OID4VP.ts
589
- var import_did_auth_siop2 = require("@sphereon/did-auth-siop");
590
- var import_pex = require("@sphereon/pex");
591
- var import_ssi_sdk_ext2 = require("@sphereon/ssi-sdk-ext.identifier-resolution");
592
- var import_ssi_sdk2 = require("@sphereon/ssi-sdk.core");
593
- var import_ssi_sdk3 = require("@sphereon/ssi-sdk.credential-store");
434
+ // src/localization/Localization.ts
435
+ var import_i18n_js = __toESM(require("i18n-js"), 1);
436
+ var import_lodash = __toESM(require("lodash.memoize"), 1);
594
437
 
595
438
  // src/types/IDidAuthSiopOpAuthenticator.ts
596
439
  var LOGGER_NAMESPACE = "sphereon:siopv2-oid4vp:op-auth";
597
- var events = /* @__PURE__ */ function(events2) {
598
- events2["DID_SIOP_AUTHENTICATED"] = "didSiopAuthenticated";
599
- return events2;
600
- }({});
601
440
  var DEFAULT_JWT_PROOF_TYPE = "JwtProof2020";
602
441
 
603
442
  // src/types/siop-service/index.ts
@@ -670,615 +509,69 @@ var Siopv2MachineServices = /* @__PURE__ */ function(Siopv2MachineServices2) {
670
509
  // src/types/identifier/index.ts
671
510
  var DID_PREFIX = "did";
672
511
 
673
- // src/session/OID4VP.ts
674
- var OID4VP = class _OID4VP {
512
+ // src/localization/Localization.ts
513
+ var Localization = class Localization2 {
675
514
  static {
676
- __name(this, "OID4VP");
677
- }
678
- session;
679
- allIdentifiers;
680
- hasher;
681
- constructor(args) {
682
- const { session, allIdentifiers, hasher = import_ssi_sdk2.defaultHasher } = args;
683
- this.session = session;
684
- this.allIdentifiers = allIdentifiers ?? [];
685
- this.hasher = hasher;
686
- }
687
- static async init(session, allIdentifiers, hasher) {
688
- return new _OID4VP({
689
- session,
690
- allIdentifiers: allIdentifiers ?? await session.getSupportedDIDs(),
691
- hasher
692
- });
693
- }
694
- async getPresentationDefinitions() {
695
- const definitions = await this.session.getPresentationDefinitions();
696
- if (definitions) {
697
- import_did_auth_siop2.PresentationExchange.assertValidPresentationDefinitionWithLocations(definitions);
698
- }
699
- return definitions;
700
- }
701
- getPresentationExchange(args) {
702
- const { verifiableCredentials, allIdentifiers, hasher } = args;
703
- return new import_did_auth_siop2.PresentationExchange({
704
- allDIDs: allIdentifiers ?? this.allIdentifiers,
705
- allVerifiableCredentials: verifiableCredentials,
706
- hasher: hasher ?? this.hasher
707
- });
708
- }
709
- async createVerifiablePresentations(credentialRole, credentialsWithDefinitions, opts) {
710
- return await Promise.all(credentialsWithDefinitions.map((cred) => this.createVerifiablePresentation(credentialRole, cred, opts)));
515
+ __name(this, "Localization");
711
516
  }
712
- async createVerifiablePresentation(credentialRole, selectedVerifiableCredentials, opts) {
713
- const { subjectIsHolder, holder, forceNoCredentialsInVP = false } = {
714
- ...opts
715
- };
716
- if (subjectIsHolder && holder) {
717
- throw Error("Cannot both have subject is holder and a holderDID value at the same time (programming error)");
718
- }
719
- if (forceNoCredentialsInVP) {
720
- selectedVerifiableCredentials.credentials = [];
721
- } else if (!selectedVerifiableCredentials?.credentials || selectedVerifiableCredentials.credentials.length === 0) {
722
- throw Error("No verifiable verifiableCredentials provided for presentation definition");
723
- }
724
- const proofOptions = {
725
- ...opts?.proofOpts,
726
- challenge: opts?.proofOpts?.nonce ?? opts?.proofOpts?.challenge ?? this.session.nonce,
727
- domain: opts?.proofOpts?.domain ?? await this.session.getRedirectUri()
728
- };
729
- let idOpts2 = opts?.idOpts;
730
- if (!idOpts2) {
731
- if (opts?.subjectIsHolder) {
732
- if (forceNoCredentialsInVP) {
733
- return Promise.reject(Error(`Cannot have subject is holder, when force no credentials is being used, as we could never determine the holder then. Please provide holderDID`));
734
- }
735
- const firstUniqueDC = selectedVerifiableCredentials.credentials[0];
736
- if (typeof firstUniqueDC !== "object" || !("digitalCredential" in firstUniqueDC)) {
737
- return Promise.reject(Error("If no opts provided, credentials should be of type UniqueDigitalCredential"));
517
+ static translationGetters = {
518
+ [SupportedLanguage.ENGLISH]: () => require_en(),
519
+ [SupportedLanguage.DUTCH]: () => require_nl()
520
+ };
521
+ static translate = (0, import_lodash.default)((key, config) => {
522
+ if (Object.keys(import_i18n_js.default.translations).length === 0) {
523
+ import_i18n_js.default.translations = {
524
+ [SupportedLanguage.ENGLISH]: Localization2.translationGetters[SupportedLanguage.ENGLISH]()
525
+ };
526
+ import_i18n_js.default.locale = SupportedLanguage.ENGLISH;
527
+ } else {
528
+ import_i18n_js.default.translations = {
529
+ [import_i18n_js.default.locale]: {
530
+ ...import_i18n_js.default.translations[import_i18n_js.default.locale],
531
+ ...Localization2.translationGetters[this.findSupportedLanguage(import_i18n_js.default.locale) || SupportedLanguage.ENGLISH]()
738
532
  }
739
- idOpts2 = (0, import_ssi_sdk_ext2.isOID4VCIssuerIdentifier)(firstUniqueDC.digitalCredential.kmsKeyRef) ? await this.session.context.agent.identifierManagedGetByIssuer({
740
- identifier: firstUniqueDC.digitalCredential.kmsKeyRef
741
- }) : await this.session.context.agent.identifierManagedGetByKid({
742
- identifier: firstUniqueDC.digitalCredential.kmsKeyRef,
743
- kmsKeyRef: firstUniqueDC.digitalCredential.kmsKeyRef
744
- });
745
- } else if (opts?.holder) {
746
- idOpts2 = {
747
- identifier: opts.holder
748
- };
749
- }
750
- }
751
- const vcs = forceNoCredentialsInVP ? selectedVerifiableCredentials : opts?.applyFilter ? await this.filterCredentials(credentialRole, selectedVerifiableCredentials.definition, {
752
- restrictToFormats: opts?.restrictToFormats,
753
- restrictToDIDMethods: opts?.restrictToDIDMethods,
754
- filterOpts: {
755
- verifiableCredentials: selectedVerifiableCredentials.credentials
756
- }
757
- }) : {
758
- definition: selectedVerifiableCredentials.definition,
759
- credentials: selectedVerifiableCredentials.credentials
760
- };
761
- if (!idOpts2) {
762
- return Promise.reject(Error(`No identifier options present at this point`));
763
- }
764
- const signCallback = await createOID4VPPresentationSignCallback({
765
- presentationSignCallback: this.session.options.presentationSignCallback,
766
- idOpts: idOpts2,
767
- context: this.session.context,
768
- domain: proofOptions.domain,
769
- challenge: proofOptions.challenge,
770
- format: opts?.restrictToFormats ?? selectedVerifiableCredentials.definition.definition.format,
771
- skipDidResolution: opts?.skipDidResolution ?? false
772
- });
773
- const identifier = await this.session.context.agent.identifierManagedGet(idOpts2);
774
- const verifiableCredentials = vcs.credentials.map((credential) => typeof credential === "object" && "digitalCredential" in credential ? credential.originalVerifiableCredential : credential);
775
- const presentationResult = await this.getPresentationExchange({
776
- verifiableCredentials,
777
- allIdentifiers: this.allIdentifiers,
778
- hasher: opts?.hasher
779
- }).createVerifiablePresentation(vcs.definition.definition, verifiableCredentials, signCallback, {
780
- proofOptions,
781
- // fixme: Update to newer siop-vp to not require dids here. But when Veramo is creating the VP it's still looking at this field to pass into didManagerGet
782
- ...identifier && (0, import_ssi_sdk_ext2.isManagedIdentifierDidResult)(identifier) && {
783
- holderDID: identifier.did
784
- }
785
- });
786
- const verifiablePresentations = presentationResult.verifiablePresentations.map((verifiablePresentation) => typeof verifiablePresentation !== "string" && "proof" in verifiablePresentation && "jwt" in verifiablePresentation.proof && verifiablePresentation.proof.jwt ? verifiablePresentation.proof.jwt : verifiablePresentation);
787
- return {
788
- ...presentationResult,
789
- verifiablePresentations,
790
- verifiableCredentials,
791
- definition: selectedVerifiableCredentials.definition,
792
- idOpts: idOpts2
793
- };
794
- }
795
- async filterCredentialsAgainstAllDefinitions(credentialRole, opts) {
796
- const defs = await this.getPresentationDefinitions();
797
- const result = [];
798
- if (defs) {
799
- for (const definition of defs) {
800
- result.push(await this.filterCredentials(credentialRole, definition, opts));
801
- }
533
+ };
802
534
  }
803
- return result;
804
- }
805
- async filterCredentials(credentialRole, presentationDefinition, opts) {
806
- const udcMap = /* @__PURE__ */ new Map();
807
- opts?.filterOpts?.verifiableCredentials?.forEach((credential) => {
808
- if (typeof credential === "object" && "digitalCredential" in credential) {
809
- udcMap.set(credential.originalVerifiableCredential, credential);
810
- } else {
811
- udcMap.set(credential, credential);
812
- }
813
- });
814
- const credentials = (await this.filterCredentialsWithSelectionStatus(credentialRole, presentationDefinition, {
815
- ...opts,
816
- filterOpts: {
817
- verifiableCredentials: opts?.filterOpts?.verifiableCredentials?.map((credential) => {
818
- if (typeof credential === "object" && "digitalCredential" in credential) {
819
- return credential.originalVerifiableCredential;
820
- } else {
821
- return credential;
822
- }
823
- })
535
+ return import_i18n_js.default.t(key, config);
536
+ }, (key, config) => config ? key + JSON.stringify(config) : key);
537
+ static findSupportedLanguage = /* @__PURE__ */ __name((locale) => {
538
+ for (const language of Object.values(SupportedLanguage)) {
539
+ if (language === locale) {
540
+ return language;
824
541
  }
825
- })).verifiableCredential;
826
- return {
827
- definition: presentationDefinition,
828
- credentials: credentials?.map((vc) => udcMap.get(vc)) ?? []
829
- };
830
- }
831
- async filterCredentialsWithSelectionStatus(credentialRole, presentationDefinition, opts) {
832
- const selectionResults = await this.getPresentationExchange({
833
- verifiableCredentials: await this.getCredentials(credentialRole, opts?.filterOpts)
834
- }).selectVerifiableCredentialsForSubmission(presentationDefinition.definition, opts);
835
- if (selectionResults.errors && selectionResults.errors.length > 0) {
836
- throw Error(JSON.stringify(selectionResults.errors));
837
- } else if (selectionResults.areRequiredCredentialsPresent === import_pex.Status.ERROR) {
838
- throw Error(`Not all required credentials are available to satisfy the relying party's request`);
839
- }
840
- const matches = selectionResults.matches;
841
- if (!matches || matches.length === 0 || !selectionResults.verifiableCredential || selectionResults.verifiableCredential.length === 0) {
842
- throw Error(JSON.stringify(selectionResults.errors));
843
- }
844
- return selectionResults;
845
- }
846
- async getCredentials(credentialRole, filterOpts) {
847
- if (filterOpts?.verifiableCredentials && filterOpts.verifiableCredentials.length > 0) {
848
- return filterOpts.verifiableCredentials;
849
542
  }
850
- const filter = (0, import_ssi_sdk3.verifiableCredentialForRoleFilter)(credentialRole, filterOpts?.filter);
851
- const uniqueCredentials = await this.session.context.agent.crsGetUniqueCredentials({
852
- filter
853
- });
854
- return uniqueCredentials.map((uniqueVC) => {
855
- const vc = uniqueVC.uniformVerifiableCredential;
856
- const proof = Array.isArray(vc.proof) ? vc.proof : [
857
- vc.proof
858
- ];
859
- const jwtProof = proof.find((p) => p?.type === DEFAULT_JWT_PROOF_TYPE);
860
- return jwtProof ? jwtProof.jwt : vc;
861
- });
862
- }
543
+ return void 0;
544
+ }, "findSupportedLanguage");
545
+ static getLocale = /* @__PURE__ */ __name(() => {
546
+ return import_i18n_js.default.locale || SupportedLanguage.ENGLISH;
547
+ }, "getLocale");
863
548
  };
549
+ var translate = Localization.translate;
864
550
 
865
- // src/session/OpSession.ts
866
- var import_did_auth_siop3 = require("@sphereon/did-auth-siop");
867
- var import_ssi_sdk_ext3 = require("@sphereon/ssi-sdk-ext.did-utils");
868
- var import_ssi_sdk4 = require("@sphereon/ssi-sdk.core");
551
+ // src/machine/Siopv2Machine.ts
869
552
  var import_ssi_types = require("@sphereon/ssi-types");
870
- var import_uuid = require("uuid");
871
- var import_pex2 = require("@sphereon/pex");
872
- var import_ssi_types2 = require("@sphereon/ssi-types");
873
- var logger = import_ssi_types2.Loggers.DEFAULT.get("sphereon:oid4vp:OpSession");
874
- var OpSession = class _OpSession {
875
- static {
876
- __name(this, "OpSession");
877
- }
878
- ts = (/* @__PURE__ */ new Date()).getDate();
879
- id;
880
- options;
881
- context;
882
- requestJwtOrUri;
883
- verifiedAuthorizationRequest;
884
- _nonce;
885
- _state;
886
- _providedPresentationDefinitions;
887
- constructor(options) {
888
- this.id = options.sessionId;
889
- this.options = options.op;
890
- this.context = options.context;
891
- this.requestJwtOrUri = options.requestJwtOrUri;
892
- this._providedPresentationDefinitions = options.providedPresentationDefinitions;
893
- }
894
- static async init(options) {
895
- return new _OpSession(options);
896
- }
897
- async getAuthorizationRequest() {
898
- if (!this.verifiedAuthorizationRequest) {
899
- const op = await createOP({
900
- opOptions: this.options,
901
- context: this.context
902
- });
903
- this.verifiedAuthorizationRequest = await op.verifyAuthorizationRequest(this.requestJwtOrUri);
904
- this._nonce = await this.verifiedAuthorizationRequest.authorizationRequest.getMergedProperty("nonce");
905
- this._state = await this.verifiedAuthorizationRequest.authorizationRequest.getMergedProperty("state");
906
- await this.getSupportedDIDMethods();
907
- }
908
- return this.verifiedAuthorizationRequest;
909
- }
910
- async getAuthorizationRequestURI() {
911
- return await import_did_auth_siop3.URI.fromAuthorizationRequest((await this.getAuthorizationRequest()).authorizationRequest);
912
- }
913
- get nonce() {
914
- if (!this._nonce) {
915
- throw Error("No nonce available. Please get authorization request first");
916
- }
917
- return this._nonce;
918
- }
919
- get state() {
920
- if (!this._state) {
921
- throw Error("No state available. Please get authorization request first");
922
- }
923
- return this._state;
924
- }
925
- clear() {
926
- this._nonce = void 0;
927
- this._state = void 0;
928
- this.verifiedAuthorizationRequest = void 0;
929
- return this;
930
- }
931
- async getSupportedDIDMethods(didPrefix) {
932
- const agentMethods = this.getAgentDIDMethodsSupported({
933
- didPrefix
934
- });
935
- let rpMethods = await this.getRPDIDMethodsSupported({
936
- didPrefix,
937
- agentMethods
938
- });
939
- logger.debug(`RP supports subject syntax types: ${JSON.stringify(this.getSubjectSyntaxTypesSupported())}`);
940
- if (rpMethods.dids.length === 0) {
941
- logger.debug(`RP does not support DIDs. Supported: ${JSON.stringify(this.getSubjectSyntaxTypesSupported())}`);
942
- return [];
943
- }
944
- let intersection;
945
- if (rpMethods.dids.includes("did")) {
946
- intersection = agentMethods && agentMethods.length > 0 ? agentMethods : (await (0, import_ssi_sdk_ext3.getAgentDIDMethods)(this.context)).map((method) => convertDidMethod(method, didPrefix));
947
- } else if (!agentMethods || agentMethods.length === 0) {
948
- intersection = rpMethods.dids?.map((method) => convertDidMethod(method, didPrefix));
949
- } else {
950
- intersection = agentMethods.filter((value) => rpMethods.dids.includes(value));
951
- }
952
- if (intersection.length === 0) {
953
- throw Error("No matching DID methods between agent and relying party");
954
- }
955
- return intersection.map((value) => convertDidMethod(value, didPrefix));
956
- }
957
- getAgentDIDMethodsSupported(opts) {
958
- const agentMethods = this.options.supportedDIDMethods?.map((method) => convertDidMethod(method, opts.didPrefix));
959
- logger.debug(`agent methods: ${JSON.stringify(agentMethods)}`);
960
- return agentMethods;
961
- }
962
- async getSubjectSyntaxTypesSupported() {
963
- const authReq = await this.getAuthorizationRequest();
964
- const subjectSyntaxTypesSupported = authReq.registrationMetadataPayload?.subject_syntax_types_supported;
965
- return subjectSyntaxTypesSupported ?? [];
966
- }
967
- async getRPDIDMethodsSupported(opts) {
968
- let keyType;
969
- const agentMethods = (opts.agentMethods ?? this.getAgentDIDMethodsSupported(opts))?.map((method) => convertDidMethod(method, opts.didPrefix)) ?? [];
970
- logger.debug(`agent methods supported: ${JSON.stringify(agentMethods)}`);
971
- const authReq = await this.getAuthorizationRequest();
972
- const subjectSyntaxTypesSupported = authReq.registrationMetadataPayload?.subject_syntax_types_supported?.map((method) => convertDidMethod(method, opts.didPrefix)).filter((val) => !val.startsWith("did"));
973
- logger.debug(`subject syntax types supported in rp method supported: ${JSON.stringify(subjectSyntaxTypesSupported)}`);
974
- const aud = await authReq.authorizationRequest.getMergedProperty("aud");
975
- let rpMethods = [];
976
- if (aud && aud.startsWith("did:")) {
977
- const didMethod = convertDidMethod((0, import_ssi_types.parseDid)(aud).method, opts.didPrefix);
978
- logger.debug(`aud did method: ${didMethod}`);
979
- if (subjectSyntaxTypesSupported && subjectSyntaxTypesSupported.length > 0 && !subjectSyntaxTypesSupported.includes("did") && !subjectSyntaxTypesSupported.includes(didMethod)) {
980
- throw Error(`The aud DID method ${didMethod} is not in the supported types ${subjectSyntaxTypesSupported}`);
981
- }
982
- rpMethods = [
983
- didMethod
984
- ];
985
- } else if (subjectSyntaxTypesSupported) {
986
- rpMethods = (Array.isArray(subjectSyntaxTypesSupported) ? subjectSyntaxTypesSupported : [
987
- subjectSyntaxTypesSupported
988
- ]).map((method) => convertDidMethod(method, opts.didPrefix));
989
- }
990
- const isEBSI = rpMethods.length === 0 && (authReq.issuer?.includes(".ebsi.eu") || (await authReq.authorizationRequest.getMergedProperty("client_id"))?.includes(".ebsi.eu"));
991
- let codecName = void 0;
992
- if (isEBSI && (!aud || !aud.startsWith("http"))) {
993
- logger.debug(`EBSI detected, adding did:key to supported DID methods for RP`);
994
- const didKeyMethod = convertDidMethod("did:key", opts.didPrefix);
995
- if (!agentMethods?.includes(didKeyMethod)) {
996
- throw Error(`EBSI detected, but agent did not support did:key. Please reconfigure agent`);
997
- }
998
- rpMethods = [
999
- didKeyMethod
1000
- ];
1001
- keyType = "Secp256r1";
1002
- codecName = "jwk_jcs-pub";
1003
- }
1004
- return {
1005
- dids: rpMethods,
1006
- codecName,
1007
- keyType
1008
- };
1009
- }
1010
- async getSupportedIdentifiers(opts) {
1011
- const methods = await this.getSupportedDIDMethods(true);
1012
- logger.debug(`supported DID methods (did: prefix = true): ${JSON.stringify(methods)}`);
1013
- if (methods.length === 0) {
1014
- throw Error(`No DID methods are supported`);
1015
- }
1016
- const identifiers = await this.context.agent.didManagerFind().then((ids) => ids.filter((id) => methods.includes(id.provider)));
1017
- if (identifiers.length === 0) {
1018
- logger.debug(`No identifiers available in agent supporting methods ${JSON.stringify(methods)}`);
1019
- if (opts?.createInCaseNoDIDFound !== false) {
1020
- const { codecName, keyType } = await this.getRPDIDMethodsSupported({
1021
- didPrefix: true,
1022
- agentMethods: methods
1023
- });
1024
- const identifier = await this.context.agent.didManagerCreate({
1025
- provider: methods[0],
1026
- options: {
1027
- codecName,
1028
- keyType,
1029
- type: keyType
1030
- }
1031
- });
1032
- logger.debug(`Created a new identifier for the SIOP interaction: ${identifier.did}`);
1033
- identifiers.push(identifier);
1034
- }
1035
- }
1036
- logger.debug(`supported identifiers: ${JSON.stringify(identifiers.map((id) => id.did))}`);
1037
- return identifiers;
1038
- }
1039
- async getSupportedDIDs() {
1040
- return (await this.getSupportedIdentifiers()).map((id) => id.did);
1041
- }
1042
- async getRedirectUri() {
1043
- return Promise.resolve(this.verifiedAuthorizationRequest.responseURI);
1044
- }
1045
- async hasPresentationDefinitions() {
1046
- const defs = this._providedPresentationDefinitions ?? (await this.getAuthorizationRequest()).presentationDefinitions;
1047
- return defs !== void 0 && defs.length > 0;
1048
- }
1049
- async getPresentationDefinitions() {
1050
- if (!await this.hasPresentationDefinitions()) {
1051
- throw Error(`No presentation definitions found`);
1052
- }
1053
- return this._providedPresentationDefinitions ?? (await this.getAuthorizationRequest()).presentationDefinitions;
1054
- }
1055
- async getOID4VP(args) {
1056
- return await OID4VP.init(this, args.allIdentifiers ?? [], args.hasher);
1057
- }
1058
- createPresentationVerificationCallback(context) {
1059
- async function presentationVerificationCallback(args, presentationSubmission) {
1060
- let result;
1061
- if (import_ssi_types.CredentialMapper.isSdJwtEncoded(args)) {
1062
- try {
1063
- const sdJwtResult = await context.agent.verifySdJwtPresentation({
1064
- presentation: args
1065
- });
1066
- result = {
1067
- verified: "header" in sdJwtResult,
1068
- error: "header" in sdJwtResult ? void 0 : {
1069
- message: "could not verify SD JWT presentation"
1070
- }
1071
- };
1072
- } catch (error) {
1073
- result = {
1074
- verified: false,
1075
- error: {
1076
- message: error.message
1077
- }
1078
- };
1079
- }
1080
- } else {
1081
- result = await context.agent.verifyPresentation({
1082
- presentation: args
1083
- });
1084
- }
1085
- return result;
1086
- }
1087
- __name(presentationVerificationCallback, "presentationVerificationCallback");
1088
- return presentationVerificationCallback;
1089
- }
1090
- async createJarmResponseCallback({ responseOpts }) {
1091
- const agent = this.context.agent;
1092
- return /* @__PURE__ */ __name(async function jarmResponse(opts) {
1093
- const { clientMetadata, requestObjectPayload, authorizationResponsePayload: authResponse } = opts;
1094
- const jwk = await import_did_auth_siop3.OP.extractEncJwksFromClientMetadata(clientMetadata);
1095
- const recipientKey = await agent.identifierExternalResolveByJwk({
1096
- identifier: jwk
1097
- });
1098
- return await agent.jwtEncryptJweCompactJwt({
1099
- recipientKey,
1100
- protectedHeader: {},
1101
- alg: requestObjectPayload.client_metadata.authorization_encrypted_response_alg ?? "ECDH-ES",
1102
- enc: requestObjectPayload.client_metadata.authorization_encrypted_response_enc ?? "A256GCM",
1103
- apv: (0, import_ssi_sdk4.encodeBase64url)(opts.requestObjectPayload.nonce),
1104
- apu: (0, import_ssi_sdk4.encodeBase64url)((0, import_uuid.v4)()),
1105
- payload: authResponse,
1106
- issuer: responseOpts.issuer,
1107
- audience: responseOpts.audience
1108
- }).then((result) => {
1109
- return {
1110
- response: result.jwt
1111
- };
1112
- });
1113
- }, "jarmResponse");
1114
- }
1115
- async sendAuthorizationResponse(args) {
1116
- const resolveOpts = this.options.resolveOpts ?? {
1117
- resolver: (0, import_ssi_sdk_ext3.getAgentResolver)(this.context, {
1118
- uniresolverResolution: true,
1119
- localResolution: true,
1120
- resolverResolution: true
1121
- })
1122
- };
1123
- if (!resolveOpts.subjectSyntaxTypesSupported || resolveOpts.subjectSyntaxTypesSupported.length === 0) {
1124
- resolveOpts.subjectSyntaxTypesSupported = await this.getSupportedDIDMethods(true);
1125
- }
1126
- const verification = {
1127
- presentationVerificationCallback: this.createPresentationVerificationCallback(this.context)
1128
- };
1129
- const request = await this.getAuthorizationRequest();
1130
- const hasDefinitions = await this.hasPresentationDefinitions();
1131
- if (hasDefinitions) {
1132
- const totalInputDescriptors = request.presentationDefinitions?.reduce((sum, pd) => {
1133
- return sum + pd.definition.input_descriptors.length;
1134
- }, 0);
1135
- const totalVCs = args.verifiablePresentations ? this.countVCsInAllVPs(args.verifiablePresentations, args.hasher) : 0;
1136
- if (!request.presentationDefinitions || !args.verifiablePresentations || totalVCs !== totalInputDescriptors) {
1137
- throw Error(`Amount of presentations ${args.verifiablePresentations?.length}, doesn't match expected ${request.presentationDefinitions?.length}`);
1138
- } else if (!args.presentationSubmission) {
1139
- throw Error(`Presentation submission is required when verifiable presentations are required`);
1140
- }
1141
- }
1142
- const verifiablePresentations = args.verifiablePresentations ? args.verifiablePresentations.map((vp) => import_ssi_types.CredentialMapper.storedPresentationToOriginalFormat(vp)) : [];
1143
- const op = await createOP({
1144
- opOptions: {
1145
- ...this.options,
1146
- resolveOpts: {
1147
- ...this.options.resolveOpts
1148
- },
1149
- eventEmitter: this.options.eventEmitter,
1150
- presentationSignCallback: this.options.presentationSignCallback,
1151
- wellknownDIDVerifyCallback: this.options.wellknownDIDVerifyCallback,
1152
- supportedVersions: request.versions
1153
- },
1154
- idOpts: args.responseSignerOpts,
1155
- context: this.context
1156
- });
1157
- let issuer = args.responseSignerOpts.issuer;
1158
- const responseOpts = {
1159
- verification,
1160
- issuer,
1161
- ...args.isFirstParty && {
1162
- isFirstParty: args.isFirstParty
1163
- },
1164
- ...args.verifiablePresentations && {
1165
- presentationExchange: {
1166
- verifiablePresentations,
1167
- presentationSubmission: args.presentationSubmission
1168
- }
1169
- },
1170
- dcqlQuery: args.dcqlResponse
1171
- };
1172
- const authResponse = await op.createAuthorizationResponse(request, responseOpts);
1173
- const response = await op.submitAuthorizationResponse(authResponse, await this.createJarmResponseCallback({
1174
- responseOpts
1175
- }));
1176
- if (response.status >= 400) {
1177
- throw Error(`Error ${response.status}: ${response.statusText || await response.text()}`);
1178
- } else {
1179
- return response;
1180
- }
1181
- }
1182
- countVCsInAllVPs(verifiablePresentations, hasher) {
1183
- return verifiablePresentations.reduce((sum, vp) => {
1184
- if (import_ssi_types.CredentialMapper.isMsoMdocDecodedPresentation(vp) || import_ssi_types.CredentialMapper.isMsoMdocOid4VPEncoded(vp)) {
1185
- return sum + 1;
1186
- }
1187
- const uvp = import_ssi_types.CredentialMapper.toUniformPresentation(vp, {
1188
- hasher: hasher ?? this.options.hasher
1189
- });
1190
- if (uvp.verifiableCredential?.length) {
1191
- return sum + uvp.verifiableCredential?.length;
1192
- }
1193
- const isSdJWT = import_ssi_types.CredentialMapper.isSdJwtDecodedCredential(uvp);
1194
- if (isSdJWT || uvp.verifiableCredential && !import_pex2.PEX.allowMultipleVCsPerPresentation(uvp.verifiableCredential)) {
1195
- return sum + 1;
1196
- }
1197
- return sum;
1198
- }, 0);
1199
- }
1200
- };
1201
- function convertDidMethod(didMethod, didPrefix) {
1202
- if (didPrefix === false) {
1203
- return didMethod.startsWith("did:") ? didMethod.toLowerCase().replace("did:", "") : didMethod.toLowerCase();
1204
- }
1205
- return didMethod.startsWith("did:") ? didMethod.toLowerCase() : `did:${didMethod.toLowerCase().replace("did:", "")}`;
1206
- }
1207
- __name(convertDidMethod, "convertDidMethod");
1208
-
1209
- // src/agent/DidAuthSiopOpAuthenticator.ts
1210
- var import_pex4 = require("@sphereon/pex");
1211
- var import_utils = require("@veramo/utils");
1212
- var import_dcql3 = require("dcql");
1213
-
1214
- // src/machine/Siopv2Machine.ts
1215
- var import_xstate = require("xstate");
1216
-
1217
- // src/localization/Localization.ts
1218
- var import_i18n_js = __toESM(require("i18n-js"), 1);
1219
- var import_lodash = __toESM(require("lodash.memoize"), 1);
1220
- var Localization = class Localization2 {
1221
- static {
1222
- __name(this, "Localization");
1223
- }
1224
- static translationGetters = {
1225
- [SupportedLanguage.ENGLISH]: () => require_en(),
1226
- [SupportedLanguage.DUTCH]: () => require_nl()
1227
- };
1228
- static translate = (0, import_lodash.default)((key, config) => {
1229
- if (Object.keys(import_i18n_js.default.translations).length === 0) {
1230
- import_i18n_js.default.translations = {
1231
- [SupportedLanguage.ENGLISH]: Localization2.translationGetters[SupportedLanguage.ENGLISH]()
1232
- };
1233
- import_i18n_js.default.locale = SupportedLanguage.ENGLISH;
1234
- } else {
1235
- import_i18n_js.default.translations = {
1236
- [import_i18n_js.default.locale]: {
1237
- ...import_i18n_js.default.translations[import_i18n_js.default.locale],
1238
- ...Localization2.translationGetters[this.findSupportedLanguage(import_i18n_js.default.locale) || SupportedLanguage.ENGLISH]()
1239
- }
1240
- };
1241
- }
1242
- return import_i18n_js.default.t(key, config);
1243
- }, (key, config) => config ? key + JSON.stringify(config) : key);
1244
- static findSupportedLanguage = /* @__PURE__ */ __name((locale) => {
1245
- for (const language of Object.values(SupportedLanguage)) {
1246
- if (language === locale) {
1247
- return language;
1248
- }
1249
- }
1250
- return void 0;
1251
- }, "findSupportedLanguage");
1252
- static getLocale = /* @__PURE__ */ __name(() => {
1253
- return import_i18n_js.default.locale || SupportedLanguage.ENGLISH;
1254
- }, "getLocale");
1255
- };
1256
- var translate = Localization.translate;
1257
-
1258
- // src/machine/Siopv2Machine.ts
1259
- var import_ssi_types3 = require("@sphereon/ssi-types");
1260
- var logger2 = import_ssi_types3.Loggers.DEFAULT.get(LOGGER_NAMESPACE);
1261
- var Siopv2HasNoContactGuard = /* @__PURE__ */ __name((_ctx, _event) => {
1262
- const { contact } = _ctx;
1263
- return contact === void 0;
1264
- }, "Siopv2HasNoContactGuard");
1265
- var Siopv2HasContactGuard = /* @__PURE__ */ __name((_ctx, _event) => {
1266
- const { contact } = _ctx;
1267
- return contact !== void 0;
1268
- }, "Siopv2HasContactGuard");
1269
- var Siopv2HasAuthorizationRequestGuard = /* @__PURE__ */ __name((_ctx, _event) => {
1270
- const { authorizationRequestData } = _ctx;
1271
- return authorizationRequestData !== void 0;
1272
- }, "Siopv2HasAuthorizationRequestGuard");
1273
- var Siopv2HasSelectableCredentialsAndContactGuard = /* @__PURE__ */ __name((_ctx, _event) => {
1274
- const { authorizationRequestData, contact } = _ctx;
1275
- if (!authorizationRequestData) {
1276
- throw new Error("Missing authorization request data in context");
553
+ var logger = import_ssi_types.Loggers.DEFAULT.get(LOGGER_NAMESPACE);
554
+ var Siopv2HasNoContactGuard = /* @__PURE__ */ __name((_ctx, _event) => {
555
+ const { contact } = _ctx;
556
+ return contact === void 0;
557
+ }, "Siopv2HasNoContactGuard");
558
+ var Siopv2HasContactGuard = /* @__PURE__ */ __name((_ctx, _event) => {
559
+ const { contact } = _ctx;
560
+ return contact !== void 0;
561
+ }, "Siopv2HasContactGuard");
562
+ var Siopv2HasAuthorizationRequestGuard = /* @__PURE__ */ __name((_ctx, _event) => {
563
+ const { authorizationRequestData } = _ctx;
564
+ return authorizationRequestData !== void 0;
565
+ }, "Siopv2HasAuthorizationRequestGuard");
566
+ var Siopv2HasSelectableCredentialsAndContactGuard = /* @__PURE__ */ __name((_ctx, _event) => {
567
+ const { authorizationRequestData, contact } = _ctx;
568
+ if (!authorizationRequestData) {
569
+ throw new Error("Missing authorization request data in context");
1277
570
  }
1278
571
  if (!contact) {
1279
572
  throw new Error("Missing contact request data in context");
1280
573
  }
1281
- return authorizationRequestData.presentationDefinitions !== void 0;
574
+ return authorizationRequestData.dcqlQuery !== void 0;
1282
575
  }, "Siopv2HasSelectableCredentialsAndContactGuard");
1283
576
  var Siopv2CreateContactGuard = /* @__PURE__ */ __name((_ctx, _event) => {
1284
577
  const { contactAlias, hasContactConsent } = _ctx;
@@ -1289,7 +582,7 @@ var Siopv2HasSelectedRequiredCredentialsGuard = /* @__PURE__ */ __name((_ctx, _e
1289
582
  if (authorizationRequestData === void 0) {
1290
583
  throw new Error("Missing authorization request data in context");
1291
584
  }
1292
- if (authorizationRequestData.presentationDefinitions === void 0 || authorizationRequestData.presentationDefinitions.length === 0) {
585
+ if (authorizationRequestData.dcqlQuery === void 0) {
1293
586
  throw Error("No presentation definitions present");
1294
587
  }
1295
588
  return _ctx.selectedCredentials.length > 0;
@@ -1299,7 +592,7 @@ var Siopv2IsSiopOnlyGuard = /* @__PURE__ */ __name((_ctx, _event) => {
1299
592
  if (authorizationRequestData === void 0) {
1300
593
  throw new Error("Missing authorization request data in context");
1301
594
  }
1302
- return authorizationRequestData.presentationDefinitions === void 0;
595
+ return authorizationRequestData.dcqlQuery === void 0;
1303
596
  }, "Siopv2IsSiopOnlyGuard");
1304
597
  var Siopv2IsSiopWithOID4VPGuard = /* @__PURE__ */ __name((_ctx, _event) => {
1305
598
  const { authorizationRequestData, selectableCredentialsMap } = _ctx;
@@ -1309,7 +602,7 @@ var Siopv2IsSiopWithOID4VPGuard = /* @__PURE__ */ __name((_ctx, _event) => {
1309
602
  if (!selectableCredentialsMap) {
1310
603
  throw new Error("Missing selectableCredentialsMap in context");
1311
604
  }
1312
- return authorizationRequestData.presentationDefinitions !== void 0;
605
+ return authorizationRequestData.dcqlQuery !== void 0;
1313
606
  }, "Siopv2IsSiopWithOID4VPGuard");
1314
607
  var createSiopv2Machine = /* @__PURE__ */ __name((opts) => {
1315
608
  const { url, idOpts: idOpts2 } = opts;
@@ -1587,7 +880,7 @@ var Siopv2Machine = class {
1587
880
  __name(this, "Siopv2Machine");
1588
881
  }
1589
882
  static newInstance(opts) {
1590
- logger2.info("New Siopv2Machine instance");
883
+ logger.info("New Siopv2Machine instance");
1591
884
  const interpreter = (0, import_xstate.interpret)(createSiopv2Machine(opts).withConfig({
1592
885
  services: {
1593
886
  ...opts?.services
@@ -1604,409 +897,678 @@ var Siopv2Machine = class {
1604
897
  ...opts?.guards
1605
898
  }
1606
899
  }));
1607
- if (typeof opts?.subscription === "function") {
1608
- interpreter.onTransition(opts.subscription);
900
+ if (typeof opts?.subscription === "function") {
901
+ interpreter.onTransition(opts.subscription);
902
+ }
903
+ if (opts?.requireCustomNavigationHook !== true) {
904
+ interpreter.onTransition((snapshot) => {
905
+ if (opts.stateNavigationListener !== void 0) {
906
+ void opts.stateNavigationListener(interpreter, snapshot);
907
+ }
908
+ });
909
+ }
910
+ interpreter.onTransition((snapshot) => {
911
+ logger.info("onTransition to new state", snapshot.value);
912
+ });
913
+ return {
914
+ interpreter
915
+ };
916
+ }
917
+ };
918
+
919
+ // src/services/Siopv2MachineService.ts
920
+ var import_did_auth_siop2 = require("@sphereon/did-auth-siop");
921
+ var import_ssi_sdk_ext = require("@sphereon/ssi-sdk-ext.identifier-resolution");
922
+ var import_ssi_sdk = require("@sphereon/ssi-sdk.credential-store");
923
+ var import_ssi_sdk2 = require("@sphereon/ssi-sdk.data-store");
924
+ var import_ssi_types4 = require("@sphereon/ssi-types");
925
+ var import_ssi_sdk3 = require("@sphereon/ssi-sdk.core");
926
+ var import_dcql = require("dcql");
927
+
928
+ // src/utils/dcql.ts
929
+ var import_ssi_types3 = require("@sphereon/ssi-types");
930
+ var import_did_auth_siop = require("@sphereon/did-auth-siop");
931
+
932
+ // src/utils/CredentialUtils.ts
933
+ var import_ssi_types2 = require("@sphereon/ssi-types");
934
+ var isUniqueDigitalCredential = /* @__PURE__ */ __name((credential) => {
935
+ return credential.digitalCredential !== void 0;
936
+ }, "isUniqueDigitalCredential");
937
+
938
+ // src/utils/dcql.ts
939
+ function convertToDcqlCredentials(credential, hasher) {
940
+ let originalVerifiableCredential;
941
+ if (isUniqueDigitalCredential(credential)) {
942
+ if (!credential.originalVerifiableCredential) {
943
+ throw new Error("originalVerifiableCredential is not defined in UniqueDigitalCredential");
944
+ }
945
+ originalVerifiableCredential = import_ssi_types3.CredentialMapper.decodeVerifiableCredential(credential.originalVerifiableCredential, hasher);
946
+ } else {
947
+ originalVerifiableCredential = import_ssi_types3.CredentialMapper.decodeVerifiableCredential(credential, hasher);
948
+ }
949
+ if (!originalVerifiableCredential) {
950
+ throw new Error("No payload found");
951
+ }
952
+ if (import_ssi_types3.CredentialMapper.isJwtDecodedCredential(originalVerifiableCredential)) {
953
+ return import_did_auth_siop.Dcql.toDcqlJwtCredential(import_ssi_types3.CredentialMapper.toWrappedVerifiableCredential(originalVerifiableCredential));
954
+ } else if (import_ssi_types3.CredentialMapper.isSdJwtDecodedCredential(originalVerifiableCredential)) {
955
+ return import_did_auth_siop.Dcql.toDcqlSdJwtCredential(import_ssi_types3.CredentialMapper.toWrappedVerifiableCredential(originalVerifiableCredential));
956
+ } else if (import_ssi_types3.CredentialMapper.isMsoMdocDecodedCredential(originalVerifiableCredential)) {
957
+ return import_did_auth_siop.Dcql.toDcqlMdocCredential(import_ssi_types3.CredentialMapper.toWrappedVerifiableCredential(originalVerifiableCredential));
958
+ } else if (import_ssi_types3.CredentialMapper.isW3cCredential(originalVerifiableCredential)) {
959
+ return import_did_auth_siop.Dcql.toDcqlJsonLdCredential(import_ssi_types3.CredentialMapper.toWrappedVerifiableCredential(originalVerifiableCredential));
960
+ }
961
+ throw Error(`Unable to map credential to DCQL credential. Credential: ${JSON.stringify(originalVerifiableCredential)}`);
962
+ }
963
+ __name(convertToDcqlCredentials, "convertToDcqlCredentials");
964
+
965
+ // src/services/Siopv2MachineService.ts
966
+ var import_ssi_sdk_ext2 = require("@sphereon/ssi-sdk-ext.did-utils");
967
+ var logger2 = import_ssi_types4.Loggers.DEFAULT.get(LOGGER_NAMESPACE);
968
+ var siopSendAuthorizationResponse = /* @__PURE__ */ __name(async (connectionType, args, context) => {
969
+ const { agent } = context;
970
+ const { credentials } = args;
971
+ if (connectionType !== import_ssi_sdk2.ConnectionType.SIOPv2_OpenID4VP) {
972
+ return Promise.reject(Error(`No supported authentication provider for type: ${connectionType}`));
973
+ }
974
+ const session = await agent.siopGetOPSession({
975
+ sessionId: args.sessionId
976
+ });
977
+ const request = await session.getAuthorizationRequest();
978
+ const aud = request.authorizationRequest.getMergedProperty("aud");
979
+ logger2.debug(`AUD: ${aud}`);
980
+ logger2.debug(JSON.stringify(request.authorizationRequest));
981
+ const domain = await request.authorizationRequest.getMergedProperty("client_id") ?? request.issuer ?? (request.versions.includes(import_did_auth_siop2.SupportedVersion.JWT_VC_PRESENTATION_PROFILE_v1) ? "https://self-issued.me/v2/openid-vc" : "https://self-issued.me/v2");
982
+ logger2.debug(`NONCE: ${session.nonce}, domain: ${domain}`);
983
+ const firstUniqueDC = credentials[0];
984
+ if (typeof firstUniqueDC !== "object" || !("digitalCredential" in firstUniqueDC)) {
985
+ return Promise.reject(Error("SiopMachine only supports UniqueDigitalCredentials for now"));
986
+ }
987
+ let identifier;
988
+ const digitalCredential = firstUniqueDC.digitalCredential;
989
+ const firstVC = firstUniqueDC.uniformVerifiableCredential;
990
+ const holder = import_ssi_types4.CredentialMapper.isSdJwtDecodedCredential(firstVC) ? firstVC.decodedPayload.cnf?.jwk ? (
991
+ //doesn't apply to did:jwk only, as you can represent any DID key as a JWK. So whenever you encounter a JWK it doesn't mean it had to come from a did:jwk in the system. It just can always be represented as a did:jwk
992
+ `did:jwk:${(0, import_ssi_sdk3.encodeJoseBlob)(firstVC.decodedPayload.cnf?.jwk)}#0`
993
+ ) : firstVC.decodedPayload.sub : Array.isArray(firstVC.credentialSubject) ? firstVC.credentialSubject[0].id : firstVC.credentialSubject.id;
994
+ if (!digitalCredential.kmsKeyRef) {
995
+ if (!holder) {
996
+ return Promise.reject(`No holder found and no kmsKeyRef in DB. Cannot determine identifier to use`);
997
+ }
998
+ try {
999
+ identifier = await session.context.agent.identifierManagedGet({
1000
+ identifier: holder
1001
+ });
1002
+ } catch (e) {
1003
+ logger2.debug(`Holder DID not found: ${holder}`);
1004
+ throw e;
1005
+ }
1006
+ } else if ((0, import_ssi_sdk_ext.isOID4VCIssuerIdentifier)(digitalCredential.kmsKeyRef)) {
1007
+ identifier = await session.context.agent.identifierManagedGetByOID4VCIssuer({
1008
+ identifier: firstUniqueDC.digitalCredential.kmsKeyRef
1009
+ });
1010
+ } else {
1011
+ switch (digitalCredential.subjectCorrelationType) {
1012
+ case "DID":
1013
+ identifier = await session.context.agent.identifierManagedGetByDid({
1014
+ identifier: digitalCredential.subjectCorrelationId ?? holder,
1015
+ kmsKeyRef: digitalCredential.kmsKeyRef
1016
+ });
1017
+ break;
1018
+ // TODO other implementations?
1019
+ default:
1020
+ identifier = await session.context.agent.identifierManagedGetByKid({
1021
+ identifier: digitalCredential.subjectCorrelationId ?? holder ?? digitalCredential.kmsKeyRef,
1022
+ kmsKeyRef: digitalCredential.kmsKeyRef
1023
+ });
1024
+ }
1025
+ }
1026
+ const dcqlCredentialsWithCredentials = new Map(credentials.map((vc) => [
1027
+ convertToDcqlCredentials(vc),
1028
+ vc
1029
+ ]));
1030
+ const queryResult = import_dcql.DcqlQuery.query(request.dcqlQuery, Array.from(dcqlCredentialsWithCredentials.keys()));
1031
+ if (!queryResult.can_be_satisfied) {
1032
+ return Promise.reject(Error("Credentials do not match required query request"));
1033
+ }
1034
+ const presentation = {};
1035
+ const uniqueCredentials = Array.from(dcqlCredentialsWithCredentials.values());
1036
+ for (const [key, value] of Object.entries(queryResult.credential_matches)) {
1037
+ if (value.success) {
1038
+ const matchedCredentials = value.valid_credentials.map((cred) => uniqueCredentials[cred.input_credential_index]);
1039
+ const vc = matchedCredentials[0];
1040
+ if (!vc) {
1041
+ continue;
1042
+ }
1043
+ const originalVc = retrieveEncodedCredential(vc);
1044
+ if (!originalVc) {
1045
+ continue;
1046
+ }
1047
+ if (originalVc) {
1048
+ presentation[key] = originalVc;
1049
+ }
1050
+ }
1051
+ }
1052
+ const dcqlPresentation = import_dcql.DcqlPresentation.parse(presentation);
1053
+ const response = session.sendAuthorizationResponse({
1054
+ responseSignerOpts: identifier,
1055
+ dcqlResponse: {
1056
+ dcqlPresentation
1057
+ }
1058
+ });
1059
+ logger2.debug(`Response: `, response);
1060
+ return response;
1061
+ }, "siopSendAuthorizationResponse");
1062
+ var retrieveEncodedCredential = /* @__PURE__ */ __name((credential) => {
1063
+ return credential.originalVerifiableCredential !== void 0 && credential.originalVerifiableCredential !== null && credential?.originalVerifiableCredential?.compactSdJwtVc !== void 0 && credential?.originalVerifiableCredential?.compactSdJwtVc !== null ? credential.originalVerifiableCredential.compactSdJwtVc : credential.originalVerifiableCredential;
1064
+ }, "retrieveEncodedCredential");
1065
+ var getSelectableCredentials = /* @__PURE__ */ __name(async (dcqlQuery, context) => {
1066
+ const agentContext = {
1067
+ ...context,
1068
+ agent: context.agent
1069
+ };
1070
+ const { agent } = agentContext;
1071
+ const uniqueVerifiableCredentials = await agent.crsGetUniqueCredentials({
1072
+ filter: (0, import_ssi_sdk.verifiableCredentialForRoleFilter)(import_ssi_sdk2.CredentialRole.HOLDER)
1073
+ });
1074
+ const branding = await agent.ibGetCredentialBranding();
1075
+ const dcqlCredentialsWithCredentials = new Map(uniqueVerifiableCredentials.map((vc) => [
1076
+ convertToDcqlCredentials(vc),
1077
+ vc
1078
+ ]));
1079
+ const queryResult = import_dcql.DcqlQuery.query(dcqlQuery, Array.from(dcqlCredentialsWithCredentials.keys()));
1080
+ const uniqueCredentials = Array.from(dcqlCredentialsWithCredentials.values());
1081
+ const selectableCredentialsMap = /* @__PURE__ */ new Map();
1082
+ for (const [key, value] of Object.entries(queryResult.credential_matches)) {
1083
+ if (!value.valid_credentials) {
1084
+ continue;
1085
+ }
1086
+ const mapSelectableCredentialPromises = value.valid_credentials.map(async (cred) => {
1087
+ const matchedCredential = uniqueCredentials[cred.input_credential_index];
1088
+ const credentialBranding = branding.filter((cb) => cb.vcHash === matchedCredential.hash);
1089
+ const issuerPartyIdentity = await agent.cmGetContacts({
1090
+ filter: [
1091
+ {
1092
+ identities: {
1093
+ identifier: {
1094
+ correlationId: matchedCredential.uniformVerifiableCredential.issuerDid
1095
+ }
1096
+ }
1097
+ }
1098
+ ]
1099
+ });
1100
+ const subjectPartyIdentity = await agent.cmGetContacts({
1101
+ filter: [
1102
+ {
1103
+ identities: {
1104
+ identifier: {
1105
+ correlationId: matchedCredential.uniformVerifiableCredential.subjectDid
1106
+ }
1107
+ }
1108
+ }
1109
+ ]
1110
+ });
1111
+ return {
1112
+ credential: matchedCredential,
1113
+ credentialBranding: credentialBranding[0]?.localeBranding,
1114
+ issuerParty: issuerPartyIdentity?.[0],
1115
+ subjectParty: subjectPartyIdentity?.[0]
1116
+ };
1117
+ });
1118
+ const selectableCredentials = await Promise.all(mapSelectableCredentialPromises);
1119
+ selectableCredentialsMap.set(key, selectableCredentials);
1120
+ }
1121
+ return selectableCredentialsMap;
1122
+ }, "getSelectableCredentials");
1123
+ var translateCorrelationIdToName = /* @__PURE__ */ __name(async (correlationId, context) => {
1124
+ const { agent } = context;
1125
+ const contacts = await agent.cmGetContacts({
1126
+ filter: [
1127
+ {
1128
+ identities: {
1129
+ identifier: {
1130
+ correlationId
1131
+ }
1132
+ }
1133
+ }
1134
+ ]
1135
+ });
1136
+ if (contacts.length === 0) {
1137
+ return void 0;
1138
+ }
1139
+ return contacts[0].contact.displayName;
1140
+ }, "translateCorrelationIdToName");
1141
+
1142
+ // src/session/functions.ts
1143
+ var import_did_auth_siop3 = require("@sphereon/did-auth-siop");
1144
+ var import_oid4vc_common = require("@sphereon/oid4vc-common");
1145
+ var import_ssi_sdk_ext3 = require("@sphereon/ssi-sdk-ext.identifier-resolution");
1146
+ var import_ssi_sdk4 = require("@sphereon/ssi-sdk.presentation-exchange");
1147
+ var import_events = require("events");
1148
+ async function createOID4VPPresentationSignCallback({ presentationSignCallback, idOpts: idOpts1, domain, fetchRemoteContexts, challenge, format, context, skipDidResolution }) {
1149
+ if (typeof presentationSignCallback === "function") {
1150
+ return presentationSignCallback;
1151
+ }
1152
+ return (0, import_ssi_sdk4.createPEXPresentationSignCallback)({
1153
+ idOpts: idOpts1,
1154
+ fetchRemoteContexts,
1155
+ domain,
1156
+ challenge,
1157
+ format,
1158
+ skipDidResolution
1159
+ }, context);
1160
+ }
1161
+ __name(createOID4VPPresentationSignCallback, "createOID4VPPresentationSignCallback");
1162
+ async function createOPBuilder({ opOptions, idOpts: idOpts1, context }) {
1163
+ const eventEmitter = opOptions.eventEmitter ?? new import_events.EventEmitter();
1164
+ const builder = import_did_auth_siop3.OP.builder().withResponseMode(opOptions.responseMode ?? import_did_auth_siop3.ResponseMode.DIRECT_POST).withSupportedVersions(opOptions.supportedVersions ?? [
1165
+ import_did_auth_siop3.SupportedVersion.SIOPv2_ID1,
1166
+ import_did_auth_siop3.SupportedVersion.JWT_VC_PRESENTATION_PROFILE_v1,
1167
+ import_did_auth_siop3.SupportedVersion.SIOPv2_D11,
1168
+ import_did_auth_siop3.SupportedVersion.SIOPv2_D12_OID4VP_D18
1169
+ ]).withExpiresIn(opOptions.expiresIn ?? 300).withEventEmitter(eventEmitter).withRegistration({
1170
+ passBy: import_did_auth_siop3.PassBy.VALUE
1171
+ });
1172
+ const wellknownDIDVerifyCallback = opOptions.wellknownDIDVerifyCallback ? opOptions.wellknownDIDVerifyCallback : async (args) => {
1173
+ const result = await context.agent.cvVerifyCredential({
1174
+ credential: args.credential,
1175
+ fetchRemoteContexts: true
1176
+ });
1177
+ return {
1178
+ verified: result.result
1179
+ };
1180
+ };
1181
+ builder.withVerifyJwtCallback(opOptions.verifyJwtCallback ? opOptions.verifyJwtCallback : getVerifyJwtCallback({
1182
+ verifyOpts: {
1183
+ wellknownDIDVerifyCallback,
1184
+ checkLinkedDomain: "if_present"
1185
+ }
1186
+ }, context));
1187
+ if (idOpts1) {
1188
+ if (opOptions.skipDidResolution && (0, import_ssi_sdk_ext3.isManagedIdentifierDidOpts)(idOpts1)) {
1189
+ idOpts1.offlineWhenNoDIDRegistered = true;
1190
+ }
1191
+ const createJwtCallback = createJwtCallbackWithIdOpts(idOpts1, context);
1192
+ builder.withCreateJwtCallback(createJwtCallback);
1193
+ builder.withPresentationSignCallback(await createOID4VPPresentationSignCallback({
1194
+ presentationSignCallback: opOptions.presentationSignCallback,
1195
+ skipDidResolution: opOptions.skipDidResolution ?? false,
1196
+ idOpts: idOpts1,
1197
+ context
1198
+ }));
1199
+ } else {
1200
+ const createJwtCallback = createJwtCallbackWithOpOpts(opOptions, context);
1201
+ builder.withCreateJwtCallback(createJwtCallback);
1202
+ }
1203
+ return builder;
1204
+ }
1205
+ __name(createOPBuilder, "createOPBuilder");
1206
+ function createJwtCallbackWithIdOpts(idOpts1, context) {
1207
+ return async (jwtIssuer, jwt) => {
1208
+ let issuer;
1209
+ if ((0, import_ssi_sdk_ext3.isManagedIdentifierDidOpts)(idOpts1)) {
1210
+ issuer = {
1211
+ ...idOpts1,
1212
+ method: idOpts1.method,
1213
+ noIdentifierInHeader: false
1214
+ };
1215
+ } else if ((0, import_ssi_sdk_ext3.isManagedIdentifierX5cOpts)(idOpts1)) {
1216
+ issuer = {
1217
+ ...idOpts1,
1218
+ method: idOpts1.method,
1219
+ noIdentifierInHeader: false
1220
+ };
1221
+ } else {
1222
+ return Promise.reject(Error(`JWT issuer method ${jwtIssuer.method} not yet supported`));
1609
1223
  }
1610
- if (opts?.requireCustomNavigationHook !== true) {
1611
- interpreter.onTransition((snapshot) => {
1612
- if (opts.stateNavigationListener !== void 0) {
1613
- void opts.stateNavigationListener(interpreter, snapshot);
1614
- }
1615
- });
1224
+ const result = await context.agent.jwtCreateJwsCompactSignature({
1225
+ issuer,
1226
+ protectedHeader: jwt.header,
1227
+ payload: jwt.payload
1228
+ });
1229
+ return result.jwt;
1230
+ };
1231
+ }
1232
+ __name(createJwtCallbackWithIdOpts, "createJwtCallbackWithIdOpts");
1233
+ function createJwtCallbackWithOpOpts(opOpts, context) {
1234
+ return async (jwtIssuer, jwt) => {
1235
+ let identifier;
1236
+ if (jwtIssuer.method == "did") {
1237
+ identifier = jwtIssuer.didUrl;
1238
+ } else if (jwtIssuer.method == "x5c") {
1239
+ identifier = jwtIssuer.x5c;
1240
+ } else {
1241
+ return Promise.reject(Error(`JWT issuer method ${jwtIssuer.method} not yet supported`));
1616
1242
  }
1617
- interpreter.onTransition((snapshot) => {
1618
- logger2.info("onTransition to new state", snapshot.value);
1243
+ const result = await context.agent.jwtCreateJwsCompactSignature({
1244
+ // FIXME fix cose-key inference
1245
+ // @ts-ignore
1246
+ issuer: {
1247
+ identifier,
1248
+ kmsKeyRef: idOpts.kmsKeyRef,
1249
+ noIdentifierInHeader: false
1250
+ },
1251
+ // FIXME fix JWK key_ops
1252
+ // @ts-ignore
1253
+ protectedHeader: jwt.header,
1254
+ payload: jwt.payload
1255
+ });
1256
+ return result.jwt;
1257
+ };
1258
+ }
1259
+ __name(createJwtCallbackWithOpOpts, "createJwtCallbackWithOpOpts");
1260
+ function getVerifyJwtCallback(_opts, context) {
1261
+ return async (_jwtVerifier, jwt) => {
1262
+ const result = await context.agent.jwtVerifyJwsSignature({
1263
+ jws: jwt.raw
1264
+ });
1265
+ console.log(result.message);
1266
+ return !result.error;
1267
+ };
1268
+ }
1269
+ __name(getVerifyJwtCallback, "getVerifyJwtCallback");
1270
+ async function createOP({ opOptions, idOpts: idOpts1, context }) {
1271
+ return (await createOPBuilder({
1272
+ opOptions,
1273
+ idOpts: idOpts1,
1274
+ context
1275
+ })).build();
1276
+ }
1277
+ __name(createOP, "createOP");
1278
+ function getSigningAlgo(type) {
1279
+ switch (type) {
1280
+ case "Ed25519":
1281
+ return import_oid4vc_common.SigningAlgo.EDDSA;
1282
+ case "Secp256k1":
1283
+ return import_oid4vc_common.SigningAlgo.ES256K;
1284
+ case "Secp256r1":
1285
+ return import_oid4vc_common.SigningAlgo.ES256;
1286
+ // @ts-ignore
1287
+ case "RSA":
1288
+ return import_oid4vc_common.SigningAlgo.RS256;
1289
+ default:
1290
+ throw Error("Key type not yet supported");
1291
+ }
1292
+ }
1293
+ __name(getSigningAlgo, "getSigningAlgo");
1294
+
1295
+ // src/session/OID4VP.ts
1296
+ var OID4VP = class _OID4VP {
1297
+ static {
1298
+ __name(this, "OID4VP");
1299
+ }
1300
+ //private readonly session: OpSession
1301
+ // private readonly allIdentifiers: string[]
1302
+ // private readonly hasher?: HasherSync
1303
+ constructor(args) {
1304
+ }
1305
+ static async init(session, allIdentifiers, hasher) {
1306
+ return new _OID4VP({
1307
+ session,
1308
+ allIdentifiers: allIdentifiers ?? await session.getSupportedDIDs(),
1309
+ hasher
1619
1310
  });
1620
- return {
1621
- interpreter
1622
- };
1623
1311
  }
1624
1312
  };
1625
1313
 
1626
- // src/services/Siopv2MachineService.ts
1314
+ // src/session/OpSession.ts
1627
1315
  var import_did_auth_siop4 = require("@sphereon/did-auth-siop");
1628
- var import_pex3 = require("@sphereon/pex");
1629
- var import_ssi_sdk_ext4 = require("@sphereon/ssi-sdk-ext.identifier-resolution");
1630
- var import_ssi_sdk5 = require("@sphereon/ssi-sdk.credential-store");
1631
- var import_ssi_sdk6 = require("@sphereon/ssi-sdk.data-store");
1632
- var import_ssi_types6 = require("@sphereon/ssi-types");
1633
- var import_ssi_sdk_ext5 = require("@sphereon/ssi-sdk-ext.did-utils");
1634
- var import_ssi_sdk7 = require("@sphereon/ssi-sdk.core");
1635
- var import_dcql = require("dcql");
1636
-
1637
- // src/utils/dcql.ts
1316
+ var import_ssi_sdk_ext4 = require("@sphereon/ssi-sdk-ext.did-utils");
1317
+ var import_ssi_sdk5 = require("@sphereon/ssi-sdk.core");
1638
1318
  var import_ssi_types5 = require("@sphereon/ssi-types");
1639
-
1640
- // src/utils/CredentialUtils.ts
1641
- var import_ssi_types4 = require("@sphereon/ssi-types");
1642
- var getOriginalVerifiableCredential = /* @__PURE__ */ __name((credential) => {
1643
- if (isUniqueDigitalCredential(credential)) {
1644
- if (!credential.originalVerifiableCredential) {
1645
- throw new Error("originalVerifiableCredential is not defined in UniqueDigitalCredential");
1646
- }
1647
- return getCredentialFromProofOrWrapped(credential.originalVerifiableCredential);
1648
- }
1649
- return getCredentialFromProofOrWrapped(credential);
1650
- }, "getOriginalVerifiableCredential");
1651
- var getCredentialFromProofOrWrapped = /* @__PURE__ */ __name((cred, hasher) => {
1652
- if (typeof cred === "object" && "proof" in cred && "jwt" in cred.proof && import_ssi_types4.CredentialMapper.isSdJwtEncoded(cred.proof.jwt)) {
1653
- return cred.proof.jwt;
1654
- }
1655
- return import_ssi_types4.CredentialMapper.toWrappedVerifiableCredential(cred, {
1656
- hasher
1657
- }).original;
1658
- }, "getCredentialFromProofOrWrapped");
1659
- var isUniqueDigitalCredential = /* @__PURE__ */ __name((credential) => {
1660
- return credential.digitalCredential !== void 0;
1661
- }, "isUniqueDigitalCredential");
1662
-
1663
- // src/utils/dcql.ts
1664
- function convertToDcqlCredentials(credential, hasher) {
1665
- let payload;
1666
- if (isUniqueDigitalCredential(credential)) {
1667
- if (!credential.originalVerifiableCredential) {
1668
- throw new Error("originalVerifiableCredential is not defined in UniqueDigitalCredential");
1669
- }
1670
- payload = import_ssi_types5.CredentialMapper.decodeVerifiableCredential(credential.originalVerifiableCredential, hasher);
1671
- } else {
1672
- payload = import_ssi_types5.CredentialMapper.decodeVerifiableCredential(credential, hasher);
1319
+ var import_uuid = require("uuid");
1320
+ var import_ssi_types6 = require("@sphereon/ssi-types");
1321
+ var logger3 = import_ssi_types6.Loggers.DEFAULT.get("sphereon:oid4vp:OpSession");
1322
+ var OpSession = class _OpSession {
1323
+ static {
1324
+ __name(this, "OpSession");
1673
1325
  }
1674
- if (!payload) {
1675
- throw new Error("No payload found");
1326
+ ts = (/* @__PURE__ */ new Date()).getDate();
1327
+ id;
1328
+ options;
1329
+ context;
1330
+ requestJwtOrUri;
1331
+ verifiedAuthorizationRequest;
1332
+ _nonce;
1333
+ _state;
1334
+ constructor(options) {
1335
+ this.id = options.sessionId;
1336
+ this.options = options.op;
1337
+ this.context = options.context;
1338
+ this.requestJwtOrUri = options.requestJwtOrUri;
1676
1339
  }
1677
- if ("decodedPayload" in payload && payload.decodedPayload) {
1678
- payload = payload.decodedPayload;
1340
+ static async init(options) {
1341
+ return new _OpSession(options);
1679
1342
  }
1680
- if ("vct" in payload) {
1681
- return {
1682
- vct: payload.vct,
1683
- claims: payload,
1684
- credential_format: "dc+sd-jwt"
1685
- };
1686
- } else if ("docType" in payload && "namespaces" in payload) {
1687
- return {
1688
- docType: payload.docType,
1689
- namespaces: payload.namespaces,
1690
- claims: payload
1691
- };
1692
- } else {
1693
- return {
1694
- claims: payload,
1695
- credential_format: "jwt_vc_json"
1696
- };
1343
+ async getAuthorizationRequest() {
1344
+ if (!this.verifiedAuthorizationRequest) {
1345
+ const op = await createOP({
1346
+ opOptions: this.options,
1347
+ context: this.context
1348
+ });
1349
+ this.verifiedAuthorizationRequest = await op.verifyAuthorizationRequest(this.requestJwtOrUri);
1350
+ this._nonce = await this.verifiedAuthorizationRequest.authorizationRequest.getMergedProperty("nonce");
1351
+ this._state = await this.verifiedAuthorizationRequest.authorizationRequest.getMergedProperty("state");
1352
+ await this.getSupportedDIDMethods();
1353
+ }
1354
+ return this.verifiedAuthorizationRequest;
1697
1355
  }
1698
- }
1699
- __name(convertToDcqlCredentials, "convertToDcqlCredentials");
1700
-
1701
- // src/services/Siopv2MachineService.ts
1702
- var logger3 = import_ssi_types6.Loggers.DEFAULT.get(LOGGER_NAMESPACE);
1703
- var createEbsiIdentifier = /* @__PURE__ */ __name(async (agentContext) => {
1704
- logger3.log(`No EBSI key present yet. Creating a new one...`);
1705
- const { result: newIdentifier, created } = await (0, import_ssi_sdk_ext5.getOrCreatePrimaryIdentifier)(agentContext, {
1706
- method: import_ssi_sdk_ext5.SupportedDidMethodEnum.DID_KEY,
1707
- createOpts: {
1708
- options: {
1709
- codecName: "jwk_jcs-pub",
1710
- type: "Secp256r1"
1711
- }
1356
+ async getAuthorizationRequestURI() {
1357
+ return await import_did_auth_siop4.URI.fromAuthorizationRequest((await this.getAuthorizationRequest()).authorizationRequest);
1358
+ }
1359
+ get nonce() {
1360
+ if (!this._nonce) {
1361
+ throw Error("No nonce available. Please get authorization request first");
1362
+ }
1363
+ return this._nonce;
1364
+ }
1365
+ get state() {
1366
+ if (!this._state) {
1367
+ throw Error("No state available. Please get authorization request first");
1712
1368
  }
1713
- });
1714
- logger3.log(`EBSI key created: ${newIdentifier.did}`);
1715
- if (created) {
1716
- await agentContext.agent.emit(Siopv2HolderEvent.IDENTIFIER_CREATED, {
1717
- result: newIdentifier
1718
- });
1369
+ return this._state;
1719
1370
  }
1720
- return await agentContext.agent.identifierManagedGetByDid({
1721
- identifier: newIdentifier.did
1722
- });
1723
- }, "createEbsiIdentifier");
1724
- var hasEbsiClient = /* @__PURE__ */ __name(async (authorizationRequest) => {
1725
- const clientId = await authorizationRequest.getMergedProperty("client_id");
1726
- const redirectUri = await authorizationRequest.getMergedProperty("redirect_uri");
1727
- return clientId?.toLowerCase().includes(".ebsi.eu") || redirectUri?.toLowerCase().includes(".ebsi.eu");
1728
- }, "hasEbsiClient");
1729
- var siopSendAuthorizationResponse = /* @__PURE__ */ __name(async (connectionType, args, context) => {
1730
- const { agent } = context;
1731
- const agentContext = {
1732
- ...context,
1733
- agent: context.agent
1734
- };
1735
- let { idOpts: idOpts2, isFirstParty, hasher = import_ssi_sdk7.defaultHasher } = args;
1736
- if (connectionType !== import_ssi_sdk6.ConnectionType.SIOPv2_OpenID4VP) {
1737
- return Promise.reject(Error(`No supported authentication provider for type: ${connectionType}`));
1371
+ clear() {
1372
+ this._nonce = void 0;
1373
+ this._state = void 0;
1374
+ this.verifiedAuthorizationRequest = void 0;
1375
+ return this;
1738
1376
  }
1739
- const session = await agent.siopGetOPSession({
1740
- sessionId: args.sessionId
1741
- });
1742
- const request = await session.getAuthorizationRequest();
1743
- const aud = await request.authorizationRequest.getMergedProperty("aud");
1744
- logger3.debug(`AUD: ${aud}`);
1745
- logger3.debug(JSON.stringify(request.authorizationRequest));
1746
- let presentationsAndDefs;
1747
- let presentationSubmission;
1748
- if (await session.hasPresentationDefinitions()) {
1749
- const oid4vp = await session.getOID4VP({
1750
- hasher
1377
+ async getSupportedDIDMethods(didPrefix) {
1378
+ const agentMethods = this.getAgentDIDMethodsSupported({
1379
+ didPrefix
1751
1380
  });
1752
- const credentialsAndDefinitions = args.verifiableCredentialsWithDefinition ? args.verifiableCredentialsWithDefinition : await oid4vp.filterCredentialsAgainstAllDefinitions(import_ssi_sdk6.CredentialRole.HOLDER);
1753
- const domain = await request.authorizationRequest.getMergedProperty("client_id") ?? request.issuer ?? (request.versions.includes(import_did_auth_siop4.SupportedVersion.JWT_VC_PRESENTATION_PROFILE_v1) ? "https://self-issued.me/v2/openid-vc" : "https://self-issued.me/v2");
1754
- logger3.log(`NONCE: ${session.nonce}, domain: ${domain}`);
1755
- const firstUniqueDC = credentialsAndDefinitions[0].credentials[0];
1756
- if (typeof firstUniqueDC !== "object" || !("digitalCredential" in firstUniqueDC)) {
1757
- return Promise.reject(Error("SiopMachine only supports UniqueDigitalCredentials for now"));
1381
+ let rpMethods = await this.getRPDIDMethodsSupported({
1382
+ didPrefix,
1383
+ agentMethods
1384
+ });
1385
+ logger3.debug(`RP supports subject syntax types: ${JSON.stringify(this.getSubjectSyntaxTypesSupported())}`);
1386
+ if (rpMethods.dids.length === 0) {
1387
+ logger3.debug(`RP does not support DIDs. Supported: ${JSON.stringify(this.getSubjectSyntaxTypesSupported())}`);
1388
+ return [];
1758
1389
  }
1759
- let identifier;
1760
- const digitalCredential = firstUniqueDC.digitalCredential;
1761
- const firstVC = firstUniqueDC.uniformVerifiableCredential;
1762
- const holder = import_ssi_types6.CredentialMapper.isSdJwtDecodedCredential(firstVC) ? firstVC.decodedPayload.cnf?.jwk ? (
1763
- //doesn't apply to did:jwk only, as you can represent any DID key as a JWK. So whenever you encounter a JWK it doesn't mean it had to come from a did:jwk in the system. It just can always be represented as a did:jwk
1764
- `did:jwk:${(0, import_ssi_sdk7.encodeJoseBlob)(firstVC.decodedPayload.cnf?.jwk)}#0`
1765
- ) : firstVC.decodedPayload.sub : Array.isArray(firstVC.credentialSubject) ? firstVC.credentialSubject[0].id : firstVC.credentialSubject.id;
1766
- if (!digitalCredential.kmsKeyRef) {
1767
- if (!holder) {
1768
- return Promise.reject(`No holder found and no kmsKeyRef in DB. Cannot determine identifier to use`);
1769
- }
1770
- try {
1771
- identifier = await session.context.agent.identifierManagedGet({
1772
- identifier: holder
1773
- });
1774
- } catch (e) {
1775
- logger3.debug(`Holder DID not found: ${holder}`);
1776
- throw e;
1777
- }
1778
- } else if ((0, import_ssi_sdk_ext4.isOID4VCIssuerIdentifier)(digitalCredential.kmsKeyRef)) {
1779
- identifier = await session.context.agent.identifierManagedGetByOID4VCIssuer({
1780
- identifier: firstUniqueDC.digitalCredential.kmsKeyRef
1781
- });
1390
+ let intersection;
1391
+ if (rpMethods.dids.includes("did")) {
1392
+ intersection = agentMethods && agentMethods.length > 0 ? agentMethods : (await (0, import_ssi_sdk_ext4.getAgentDIDMethods)(this.context)).map((method) => convertDidMethod(method, didPrefix));
1393
+ } else if (!agentMethods || agentMethods.length === 0) {
1394
+ intersection = rpMethods.dids?.map((method) => convertDidMethod(method, didPrefix));
1782
1395
  } else {
1783
- switch (digitalCredential.subjectCorrelationType) {
1784
- case "DID":
1785
- identifier = await session.context.agent.identifierManagedGetByDid({
1786
- identifier: digitalCredential.subjectCorrelationId ?? holder,
1787
- kmsKeyRef: digitalCredential.kmsKeyRef
1788
- });
1789
- break;
1790
- // TODO other implementations?
1791
- default:
1792
- if (digitalCredential.subjectCorrelationId?.startsWith("did:") || holder?.startsWith("did:")) {
1793
- identifier = await session.context.agent.identifierManagedGetByDid({
1794
- identifier: digitalCredential.subjectCorrelationId ?? holder,
1795
- kmsKeyRef: digitalCredential.kmsKeyRef
1796
- });
1797
- } else {
1798
- identifier = await session.context.agent.identifierManagedGetByKid({
1799
- identifier: digitalCredential.subjectCorrelationId ?? holder ?? digitalCredential.kmsKeyRef,
1800
- kmsKeyRef: digitalCredential.kmsKeyRef
1801
- });
1802
- }
1803
- }
1396
+ intersection = agentMethods.filter((value) => rpMethods.dids.includes(value));
1804
1397
  }
1805
- if (identifier === void 0 && idOpts2 !== void 0 && await hasEbsiClient(request.authorizationRequest)) {
1806
- identifier = await createEbsiIdentifier(agentContext);
1398
+ if (intersection.length === 0) {
1399
+ throw Error("No matching DID methods between agent and relying party");
1807
1400
  }
1808
- logger3.debug(`Identifier`, identifier);
1809
- presentationsAndDefs = await oid4vp.createVerifiablePresentations(import_ssi_sdk6.CredentialRole.HOLDER, credentialsAndDefinitions, {
1810
- idOpts: identifier,
1811
- proofOpts: {
1812
- nonce: session.nonce,
1813
- domain
1401
+ return intersection.map((value) => convertDidMethod(value, didPrefix));
1402
+ }
1403
+ getAgentDIDMethodsSupported(opts) {
1404
+ const agentMethods = this.options.supportedDIDMethods?.map((method) => convertDidMethod(method, opts.didPrefix));
1405
+ logger3.debug(`agent methods: ${JSON.stringify(agentMethods)}`);
1406
+ return agentMethods;
1407
+ }
1408
+ async getSubjectSyntaxTypesSupported() {
1409
+ const authReq = await this.getAuthorizationRequest();
1410
+ const subjectSyntaxTypesSupported = authReq.registrationMetadataPayload?.subject_syntax_types_supported;
1411
+ return subjectSyntaxTypesSupported ?? [];
1412
+ }
1413
+ async getRPDIDMethodsSupported(opts) {
1414
+ let keyType;
1415
+ const agentMethods = (opts.agentMethods ?? this.getAgentDIDMethodsSupported(opts))?.map((method) => convertDidMethod(method, opts.didPrefix)) ?? [];
1416
+ logger3.debug(`agent methods supported: ${JSON.stringify(agentMethods)}`);
1417
+ const authReq = await this.getAuthorizationRequest();
1418
+ const subjectSyntaxTypesSupported = authReq.registrationMetadataPayload?.subject_syntax_types_supported?.map((method) => convertDidMethod(method, opts.didPrefix)).filter((val) => !val.startsWith("did"));
1419
+ logger3.debug(`subject syntax types supported in rp method supported: ${JSON.stringify(subjectSyntaxTypesSupported)}`);
1420
+ const aud = await authReq.authorizationRequest.getMergedProperty("aud");
1421
+ let rpMethods = [];
1422
+ if (aud && aud.startsWith("did:")) {
1423
+ const didMethod = convertDidMethod((0, import_ssi_types5.parseDid)(aud).method, opts.didPrefix);
1424
+ logger3.debug(`aud did method: ${didMethod}`);
1425
+ if (subjectSyntaxTypesSupported && subjectSyntaxTypesSupported.length > 0 && !subjectSyntaxTypesSupported.includes("did") && !subjectSyntaxTypesSupported.includes(didMethod)) {
1426
+ throw Error(`The aud DID method ${didMethod} is not in the supported types ${subjectSyntaxTypesSupported}`);
1814
1427
  }
1815
- });
1816
- if (!presentationsAndDefs || presentationsAndDefs.length === 0) {
1817
- throw Error("No verifiable presentations could be created");
1818
- } else if (presentationsAndDefs.length > 1) {
1819
- throw Error(`Only one verifiable presentation supported for now. Got ${presentationsAndDefs.length}`);
1428
+ rpMethods = [
1429
+ didMethod
1430
+ ];
1431
+ } else if (subjectSyntaxTypesSupported) {
1432
+ rpMethods = (Array.isArray(subjectSyntaxTypesSupported) ? subjectSyntaxTypesSupported : [
1433
+ subjectSyntaxTypesSupported
1434
+ ]).map((method) => convertDidMethod(method, opts.didPrefix));
1820
1435
  }
1821
- idOpts2 = presentationsAndDefs[0].idOpts;
1822
- presentationSubmission = presentationsAndDefs[0].presentationSubmission;
1823
- logger3.log(`Definitions and locations:`, JSON.stringify(presentationsAndDefs?.[0]?.verifiablePresentations, null, 2));
1824
- logger3.log(`Presentation Submission:`, JSON.stringify(presentationSubmission, null, 2));
1825
- const mergedVerifiablePresentations = presentationsAndDefs?.flatMap((pd) => pd.verifiablePresentations) || [];
1826
- return await session.sendAuthorizationResponse({
1827
- ...presentationsAndDefs && {
1828
- verifiablePresentations: mergedVerifiablePresentations
1829
- },
1830
- ...presentationSubmission && {
1831
- presentationSubmission
1832
- },
1833
- // todo: Change issuer value in case we do not use identifier. Use key.meta.jwkThumbprint then
1834
- responseSignerOpts: idOpts2,
1835
- isFirstParty
1836
- });
1837
- } else if (request.dcqlQuery) {
1838
- if (args.verifiableCredentialsWithDefinition !== void 0 && args.verifiableCredentialsWithDefinition !== null) {
1839
- const vcs = args.verifiableCredentialsWithDefinition.flatMap((vcd) => vcd.credentials);
1840
- const domain = await request.authorizationRequest.getMergedProperty("client_id") ?? request.issuer ?? (request.versions.includes(import_did_auth_siop4.SupportedVersion.JWT_VC_PRESENTATION_PROFILE_v1) ? "https://self-issued.me/v2/openid-vc" : "https://self-issued.me/v2");
1841
- logger3.debug(`NONCE: ${session.nonce}, domain: ${domain}`);
1842
- const firstUniqueDC = vcs[0];
1843
- if (typeof firstUniqueDC !== "object" || !("digitalCredential" in firstUniqueDC)) {
1844
- return Promise.reject(Error("SiopMachine only supports UniqueDigitalCredentials for now"));
1436
+ const isEBSI = rpMethods.length === 0 && (authReq.issuer?.includes(".ebsi.eu") || authReq.authorizationRequest.getMergedProperty("client_id")?.includes(".ebsi.eu"));
1437
+ let codecName = void 0;
1438
+ if (isEBSI && (!aud || !aud.startsWith("http"))) {
1439
+ logger3.debug(`EBSI detected, adding did:key to supported DID methods for RP`);
1440
+ const didKeyMethod = convertDidMethod("did:key", opts.didPrefix);
1441
+ if (!agentMethods?.includes(didKeyMethod)) {
1442
+ throw Error(`EBSI detected, but agent did not support did:key. Please reconfigure agent`);
1845
1443
  }
1846
- let identifier;
1847
- const digitalCredential = firstUniqueDC.digitalCredential;
1848
- const firstVC = firstUniqueDC.uniformVerifiableCredential;
1849
- const holder = import_ssi_types6.CredentialMapper.isSdJwtDecodedCredential(firstVC) ? firstVC.decodedPayload.cnf?.jwk ? (
1850
- //doesn't apply to did:jwk only, as you can represent any DID key as a JWK. So whenever you encounter a JWK it doesn't mean it had to come from a did:jwk in the system. It just can always be represented as a did:jwk
1851
- `did:jwk:${(0, import_ssi_sdk7.encodeJoseBlob)(firstVC.decodedPayload.cnf?.jwk)}#0`
1852
- ) : firstVC.decodedPayload.sub : Array.isArray(firstVC.credentialSubject) ? firstVC.credentialSubject[0].id : firstVC.credentialSubject.id;
1853
- if (!digitalCredential.kmsKeyRef) {
1854
- if (!holder) {
1855
- return Promise.reject(`No holder found and no kmsKeyRef in DB. Cannot determine identifier to use`);
1856
- }
1857
- try {
1858
- identifier = await session.context.agent.identifierManagedGet({
1859
- identifier: holder
1860
- });
1861
- } catch (e) {
1862
- logger3.debug(`Holder DID not found: ${holder}`);
1863
- throw e;
1864
- }
1865
- } else if ((0, import_ssi_sdk_ext4.isOID4VCIssuerIdentifier)(digitalCredential.kmsKeyRef)) {
1866
- identifier = await session.context.agent.identifierManagedGetByOID4VCIssuer({
1867
- identifier: firstUniqueDC.digitalCredential.kmsKeyRef
1444
+ rpMethods = [
1445
+ didKeyMethod
1446
+ ];
1447
+ keyType = "Secp256r1";
1448
+ codecName = "jwk_jcs-pub";
1449
+ }
1450
+ return {
1451
+ dids: rpMethods,
1452
+ codecName,
1453
+ keyType
1454
+ };
1455
+ }
1456
+ async getSupportedIdentifiers(opts) {
1457
+ const methods = await this.getSupportedDIDMethods(true);
1458
+ logger3.debug(`supported DID methods (did: prefix = true): ${JSON.stringify(methods)}`);
1459
+ if (methods.length === 0) {
1460
+ throw Error(`No DID methods are supported`);
1461
+ }
1462
+ const identifiers = await this.context.agent.didManagerFind().then((ids) => ids.filter((id) => methods.includes(id.provider)));
1463
+ if (identifiers.length === 0) {
1464
+ logger3.debug(`No identifiers available in agent supporting methods ${JSON.stringify(methods)}`);
1465
+ if (opts?.createInCaseNoDIDFound !== false) {
1466
+ const { codecName, keyType } = await this.getRPDIDMethodsSupported({
1467
+ didPrefix: true,
1468
+ agentMethods: methods
1868
1469
  });
1869
- } else {
1870
- switch (digitalCredential.subjectCorrelationType) {
1871
- case "DID":
1872
- identifier = await session.context.agent.identifierManagedGetByDid({
1873
- identifier: digitalCredential.subjectCorrelationId ?? holder,
1874
- kmsKeyRef: digitalCredential.kmsKeyRef
1875
- });
1876
- break;
1877
- // TODO other implementations?
1878
- default:
1879
- identifier = await session.context.agent.identifierManagedGetByKid({
1880
- identifier: digitalCredential.subjectCorrelationId ?? holder ?? digitalCredential.kmsKeyRef,
1881
- kmsKeyRef: digitalCredential.kmsKeyRef
1882
- });
1883
- }
1884
- }
1885
- console.log(`Identifier`, identifier);
1886
- const dcqlRepresentations = [];
1887
- vcs.forEach((vc) => {
1888
- const rep = convertToDcqlCredentials(vc, args.hasher);
1889
- if (rep) {
1890
- dcqlRepresentations.push(rep);
1891
- }
1892
- });
1893
- const queryResult = import_dcql.DcqlQuery.query(request.dcqlQuery, dcqlRepresentations);
1894
- const presentation = {};
1895
- for (const [key, value] of Object.entries(queryResult.credential_matches)) {
1896
- const allMatches = Array.isArray(value) ? value : [
1897
- value
1898
- ];
1899
- allMatches.forEach((match) => {
1900
- if (match.success) {
1901
- const originalCredential = getOriginalVerifiableCredential(vcs[match.input_credential_index]);
1902
- if (!originalCredential) {
1903
- throw new Error(`Index ${match.input_credential_index} out of range in credentials array`);
1904
- }
1905
- presentation[key] = originalCredential["compactSdJwtVc"] !== void 0 ? originalCredential.compactSdJwtVc : originalCredential;
1470
+ const identifier = await this.context.agent.didManagerCreate({
1471
+ provider: methods[0],
1472
+ options: {
1473
+ codecName,
1474
+ keyType,
1475
+ type: keyType
1906
1476
  }
1907
1477
  });
1478
+ logger3.debug(`Created a new identifier for the SIOP interaction: ${identifier.did}`);
1479
+ identifiers.push(identifier);
1908
1480
  }
1909
- const response = session.sendAuthorizationResponse({
1910
- responseSignerOpts: identifier,
1911
- ...{
1912
- dcqlQuery: {
1913
- dcqlPresentation: import_dcql.DcqlPresentation.parse(presentation)
1914
- }
1915
- }
1916
- });
1917
- logger3.debug(`Response: `, response);
1918
- return response;
1919
1481
  }
1482
+ logger3.debug(`supported identifiers: ${JSON.stringify(identifiers.map((id) => id.did))}`);
1483
+ return identifiers;
1920
1484
  }
1921
- throw Error("Presentation Definition or DCQL is required");
1922
- }, "siopSendAuthorizationResponse");
1923
- function buildPartialPD(inputDescriptor, presentationDefinition) {
1924
- return {
1925
- ...presentationDefinition,
1926
- input_descriptors: [
1927
- inputDescriptor
1928
- ]
1929
- };
1930
- }
1931
- __name(buildPartialPD, "buildPartialPD");
1932
- var getSelectableCredentials = /* @__PURE__ */ __name(async (presentationDefinition, context) => {
1933
- const agentContext = {
1934
- ...context,
1935
- agent: context.agent
1936
- };
1937
- const { agent } = agentContext;
1938
- const pex = new import_pex3.PEX();
1939
- const uniqueVerifiableCredentials = await agent.crsGetUniqueCredentials({
1940
- filter: (0, import_ssi_sdk5.verifiableCredentialForRoleFilter)(import_ssi_sdk6.CredentialRole.HOLDER)
1941
- });
1942
- const credentialBranding = await agent.ibGetCredentialBranding();
1943
- const selectableCredentialsMap = /* @__PURE__ */ new Map();
1944
- for (const inputDescriptor of presentationDefinition.input_descriptors) {
1945
- const partialPD = buildPartialPD(inputDescriptor, presentationDefinition);
1946
- const originalCredentials = uniqueVerifiableCredentials.map((uniqueVC) => {
1947
- return import_ssi_types6.CredentialMapper.storedCredentialToOriginalFormat(uniqueVC.originalVerifiableCredential);
1948
- });
1949
- const selectionResults = pex.selectFrom(partialPD, originalCredentials);
1950
- const selectableCredentials = [];
1951
- for (const selectedCredential of selectionResults.verifiableCredential || []) {
1952
- const filteredUniqueVC = uniqueVerifiableCredentials.find((uniqueVC) => {
1953
- const proof = uniqueVC.uniformVerifiableCredential.proof;
1954
- return Array.isArray(proof) ? proof.some((proofItem) => proofItem.jwt === selectedCredential) : proof.jwt === selectedCredential;
1485
+ async getSupportedDIDs() {
1486
+ return (await this.getSupportedIdentifiers()).map((id) => id.did);
1487
+ }
1488
+ async getRedirectUri() {
1489
+ return Promise.resolve(this.verifiedAuthorizationRequest.responseURI);
1490
+ }
1491
+ async getOID4VP(args) {
1492
+ return await OID4VP.init(this, args.allIdentifiers ?? [], args.hasher);
1493
+ }
1494
+ async createJarmResponseCallback({ responseOpts }) {
1495
+ const agent = this.context.agent;
1496
+ return /* @__PURE__ */ __name(async function jarmResponse(opts) {
1497
+ const { clientMetadata, requestObjectPayload, authorizationResponsePayload: authResponse } = opts;
1498
+ const jwk = await import_did_auth_siop4.OP.extractEncJwksFromClientMetadata(clientMetadata);
1499
+ const recipientKey = await agent.identifierExternalResolveByJwk({
1500
+ identifier: jwk
1955
1501
  });
1956
- if (filteredUniqueVC) {
1957
- const filteredCredentialBrandings = credentialBranding.filter((cb) => cb.vcHash === filteredUniqueVC.hash);
1958
- const issuerPartyIdentity = await agent.cmGetContacts({
1959
- filter: [
1960
- {
1961
- identities: {
1962
- identifier: {
1963
- correlationId: filteredUniqueVC.uniformVerifiableCredential.issuerDid
1964
- }
1965
- }
1966
- }
1967
- ]
1968
- });
1969
- const subjectPartyIdentity = await agent.cmGetContacts({
1970
- filter: [
1971
- {
1972
- identities: {
1973
- identifier: {
1974
- correlationId: filteredUniqueVC.uniformVerifiableCredential.subjectDid
1975
- }
1976
- }
1977
- }
1978
- ]
1979
- });
1980
- selectableCredentials.push({
1981
- credential: filteredUniqueVC,
1982
- credentialBranding: filteredCredentialBrandings[0]?.localeBranding,
1983
- issuerParty: issuerPartyIdentity?.[0],
1984
- subjectParty: subjectPartyIdentity?.[0]
1985
- });
1986
- }
1502
+ return await agent.jwtEncryptJweCompactJwt({
1503
+ recipientKey,
1504
+ protectedHeader: {},
1505
+ alg: requestObjectPayload.client_metadata.authorization_encrypted_response_alg ?? "ECDH-ES",
1506
+ enc: requestObjectPayload.client_metadata.authorization_encrypted_response_enc ?? "A256GCM",
1507
+ apv: (0, import_ssi_sdk5.encodeBase64url)(opts.requestObjectPayload.nonce),
1508
+ apu: (0, import_ssi_sdk5.encodeBase64url)((0, import_uuid.v4)()),
1509
+ payload: authResponse,
1510
+ issuer: responseOpts.issuer,
1511
+ audience: responseOpts.audience
1512
+ }).then((result) => {
1513
+ return {
1514
+ response: result.jwt
1515
+ };
1516
+ });
1517
+ }, "jarmResponse");
1518
+ }
1519
+ async sendAuthorizationResponse(args) {
1520
+ const { responseSignerOpts, dcqlResponse, isFirstParty } = args;
1521
+ const resolveOpts = this.options.resolveOpts ?? {
1522
+ resolver: (0, import_ssi_sdk_ext4.getAgentResolver)(this.context, {
1523
+ uniresolverResolution: true,
1524
+ localResolution: true,
1525
+ resolverResolution: true
1526
+ })
1527
+ };
1528
+ if (!resolveOpts.subjectSyntaxTypesSupported || resolveOpts.subjectSyntaxTypesSupported.length === 0) {
1529
+ resolveOpts.subjectSyntaxTypesSupported = await this.getSupportedDIDMethods(true);
1530
+ }
1531
+ const request = await this.getAuthorizationRequest();
1532
+ const op = await createOP({
1533
+ opOptions: {
1534
+ ...this.options,
1535
+ resolveOpts: {
1536
+ ...this.options.resolveOpts
1537
+ },
1538
+ eventEmitter: this.options.eventEmitter,
1539
+ presentationSignCallback: this.options.presentationSignCallback,
1540
+ wellknownDIDVerifyCallback: this.options.wellknownDIDVerifyCallback,
1541
+ supportedVersions: request.versions
1542
+ },
1543
+ idOpts: responseSignerOpts,
1544
+ context: this.context
1545
+ });
1546
+ let issuer = responseSignerOpts.issuer;
1547
+ const responseOpts = {
1548
+ issuer,
1549
+ ...isFirstParty && {
1550
+ isFirstParty
1551
+ },
1552
+ dcqlResponse
1553
+ };
1554
+ const authResponse = await op.createAuthorizationResponse(request, responseOpts);
1555
+ const response = await op.submitAuthorizationResponse(authResponse, await this.createJarmResponseCallback({
1556
+ responseOpts
1557
+ }));
1558
+ if (response.status >= 400) {
1559
+ throw Error(`Error ${response.status}: ${response.statusText || await response.text()}`);
1560
+ } else {
1561
+ return response;
1987
1562
  }
1988
- selectableCredentialsMap.set(inputDescriptor.id, selectableCredentials);
1989
1563
  }
1990
- return selectableCredentialsMap;
1991
- }, "getSelectableCredentials");
1992
- var translateCorrelationIdToName = /* @__PURE__ */ __name(async (correlationId, context) => {
1993
- const { agent } = context;
1994
- const contacts = await agent.cmGetContacts({
1995
- filter: [
1996
- {
1997
- identities: {
1998
- identifier: {
1999
- correlationId
2000
- }
2001
- }
2002
- }
2003
- ]
2004
- });
2005
- if (contacts.length === 0) {
2006
- return void 0;
1564
+ };
1565
+ function convertDidMethod(didMethod, didPrefix) {
1566
+ if (didPrefix === false) {
1567
+ return didMethod.startsWith("did:") ? didMethod.toLowerCase().replace("did:", "") : didMethod.toLowerCase();
2007
1568
  }
2008
- return contacts[0].contact.displayName;
2009
- }, "translateCorrelationIdToName");
1569
+ return didMethod.startsWith("did:") ? didMethod.toLowerCase() : `did:${didMethod.toLowerCase().replace("did:", "")}`;
1570
+ }
1571
+ __name(convertDidMethod, "convertDidMethod");
2010
1572
 
2011
1573
  // src/agent/DidAuthSiopOpAuthenticator.ts
2012
1574
  var logger4 = import_ssi_types7.Loggers.DEFAULT.options(LOGGER_NAMESPACE, {}).get(LOGGER_NAMESPACE);
@@ -2026,7 +1588,7 @@ var DidAuthSiopOpAuthenticator = class {
2026
1588
  static {
2027
1589
  __name(this, "DidAuthSiopOpAuthenticator");
2028
1590
  }
2029
- schema = schema.IDidAuthSiopOpAuthenticator;
1591
+ schema = plugin_schema_default.IDidAuthSiopOpAuthenticator;
2030
1592
  methods = {
2031
1593
  siopGetOPSession: this.siopGetOPSession.bind(this),
2032
1594
  siopRegisterOPSession: this.siopRegisterOPSession.bind(this),
@@ -2169,7 +1731,7 @@ var DidAuthSiopOpAuthenticator = class {
2169
1731
  const url = verifiedAuthorizationRequest.responseURI ?? (args.url.includes("request_uri") ? decodeURIComponent(args.url.split("?request_uri=")[1].trim()) : verifiedAuthorizationRequest.issuer ?? verifiedAuthorizationRequest.registrationMetadataPayload?.client_id);
2170
1732
  const uri = url.includes("://") ? new URL(url) : void 0;
2171
1733
  const correlationId = uri?.hostname ?? await this.determineCorrelationId(uri, verifiedAuthorizationRequest, clientName, context);
2172
- const clientId = await verifiedAuthorizationRequest.authorizationRequest.getMergedProperty("client_id");
1734
+ const clientId = verifiedAuthorizationRequest.authorizationRequest.getMergedProperty("client_id");
2173
1735
  return {
2174
1736
  issuer: verifiedAuthorizationRequest.issuer,
2175
1737
  correlationId,
@@ -2177,7 +1739,6 @@ var DidAuthSiopOpAuthenticator = class {
2177
1739
  uri,
2178
1740
  name: clientName,
2179
1741
  clientId,
2180
- presentationDefinitions: await verifiedAuthorizationRequest.authorizationRequest.containsResponseType("vp_token") || verifiedAuthorizationRequest.versions.every((version) => version <= import_did_auth_siop5.SupportedVersion.JWT_VC_PRESENTATION_PROFILE_v1) && verifiedAuthorizationRequest.presentationDefinitions && verifiedAuthorizationRequest.presentationDefinitions.length > 0 ? verifiedAuthorizationRequest.presentationDefinitions : void 0,
2181
1742
  dcqlQuery: verifiedAuthorizationRequest.dcqlQuery
2182
1743
  };
2183
1744
  }
@@ -2226,12 +1787,12 @@ var DidAuthSiopOpAuthenticator = class {
2226
1787
  if (correlationId) {
2227
1788
  const identity = {
2228
1789
  alias: correlationId,
2229
- origin: import_ssi_sdk8.IdentityOrigin.EXTERNAL,
1790
+ origin: import_ssi_sdk6.IdentityOrigin.EXTERNAL,
2230
1791
  roles: [
2231
- import_ssi_sdk8.CredentialRole.ISSUER
1792
+ import_ssi_sdk6.CredentialRole.ISSUER
2232
1793
  ],
2233
1794
  identifier: {
2234
- type: correlationId.startsWith("did:") ? import_ssi_sdk8.CorrelationIdentifierType.DID : import_ssi_sdk8.CorrelationIdentifierType.URL,
1795
+ type: correlationId.startsWith("did:") ? import_ssi_sdk6.CorrelationIdentifierType.DID : import_ssi_sdk6.CorrelationIdentifierType.URL,
2235
1796
  correlationId
2236
1797
  }
2237
1798
  };
@@ -2254,75 +1815,14 @@ var DidAuthSiopOpAuthenticator = class {
2254
1815
  if (authorizationRequestData === void 0) {
2255
1816
  return Promise.reject(Error("Missing authorization request data in context"));
2256
1817
  }
2257
- const pex = new import_pex4.PEX({
2258
- hasher: this.hasher
2259
- });
2260
- const verifiableCredentialsWithDefinition = [];
2261
- const dcqlCredentialsWithCredentials = /* @__PURE__ */ new Map();
2262
- if (Array.isArray(authorizationRequestData.presentationDefinitions) && authorizationRequestData?.presentationDefinitions.length > 0) {
2263
- try {
2264
- authorizationRequestData.presentationDefinitions?.forEach((presentationDefinition) => {
2265
- const { areRequiredCredentialsPresent, verifiableCredential: verifiableCredentials } = pex.selectFrom(presentationDefinition.definition, selectedCredentials.map((udc) => udc.originalVerifiableCredential));
2266
- if (areRequiredCredentialsPresent !== import_pex4.Status.ERROR && verifiableCredentials) {
2267
- let uniqueDigitalCredentials = [];
2268
- uniqueDigitalCredentials = verifiableCredentials.map((vc) => {
2269
- const hash = typeof vc === "string" ? (0, import_utils.computeEntryHash)(vc.split("~"[0])) : (0, import_utils.computeEntryHash)(vc);
2270
- const udc = selectedCredentials.find((udc2) => udc2.hash == hash || udc2.originalVerifiableCredential == vc);
2271
- if (!udc) {
2272
- throw Error(`UniqueDigitalCredential could not be found in store. Either the credential is not present in the store or the hash is not correct.`);
2273
- }
2274
- return udc;
2275
- });
2276
- verifiableCredentialsWithDefinition.push({
2277
- definition: presentationDefinition,
2278
- credentials: uniqueDigitalCredentials
2279
- });
2280
- }
2281
- });
2282
- } catch (e) {
2283
- return Promise.reject(e);
2284
- }
2285
- if (verifiableCredentialsWithDefinition.length === 0) {
2286
- return Promise.reject(Error("None of the selected credentials match any of the presentation definitions."));
2287
- }
2288
- } else if (authorizationRequestData.dcqlQuery) {
2289
- if (this.hasMDocCredentials(selectedCredentials) || this.hasSdJwtCredentials(selectedCredentials)) {
2290
- try {
2291
- selectedCredentials.forEach((vc) => {
2292
- if (this.isSdJwtCredential(vc)) {
2293
- const payload = vc.originalVerifiableCredential.decodedPayload;
2294
- const result = {
2295
- claims: payload,
2296
- vct: payload.vct,
2297
- credential_format: "dc+sd-jwt"
2298
- };
2299
- dcqlCredentialsWithCredentials.set(result, vc);
2300
- } else {
2301
- throw Error(`Invalid credential format: ${vc.digitalCredential.documentFormat}`);
2302
- }
2303
- });
2304
- } catch (e) {
2305
- return Promise.reject(e);
2306
- }
2307
- const dcqlPresentationRecord = {};
2308
- const queryResult = import_dcql3.DcqlQuery.query(authorizationRequestData.dcqlQuery, Array.from(dcqlCredentialsWithCredentials.keys()));
2309
- for (const [key, value] of Object.entries(queryResult.credential_matches)) {
2310
- if (value.success) {
2311
- dcqlPresentationRecord[key] = this.retrieveEncodedCredential(dcqlCredentialsWithCredentials.get(value.output));
2312
- }
2313
- }
2314
- }
2315
- }
2316
- const response = await siopSendAuthorizationResponse(import_ssi_sdk8.ConnectionType.SIOPv2_OpenID4VP, {
1818
+ const response = await siopSendAuthorizationResponse(import_ssi_sdk6.ConnectionType.SIOPv2_OpenID4VP, {
2317
1819
  sessionId: didAuthConfig.sessionId,
2318
1820
  ...args.idOpts && {
2319
1821
  idOpts: args.idOpts
2320
1822
  },
2321
- ...authorizationRequestData.presentationDefinitions !== void 0 && {
2322
- verifiableCredentialsWithDefinition
2323
- },
2324
1823
  isFirstParty,
2325
- hasher: this.hasher
1824
+ hasher: this.hasher,
1825
+ credentials: selectedCredentials
2326
1826
  }, context);
2327
1827
  const contentType = response.headers.get("content-type") || "";
2328
1828
  let responseBody = null;
@@ -2336,30 +1836,12 @@ var DidAuthSiopOpAuthenticator = class {
2336
1836
  queryParams: (0, import_did_auth_siop5.decodeUriAsJson)(response?.url)
2337
1837
  };
2338
1838
  }
2339
- hasMDocCredentials = /* @__PURE__ */ __name((credentials) => {
2340
- return credentials.some(this.isMDocCredential);
2341
- }, "hasMDocCredentials");
2342
- isMDocCredential = /* @__PURE__ */ __name((credential) => {
2343
- return credential.digitalCredential.documentFormat === import_ssi_sdk8.CredentialDocumentFormat.MSO_MDOC && credential.digitalCredential.documentType === import_ssi_sdk8.DocumentType.VC;
2344
- }, "isMDocCredential");
2345
- hasSdJwtCredentials = /* @__PURE__ */ __name((credentials) => {
2346
- return credentials.some(this.isSdJwtCredential);
2347
- }, "hasSdJwtCredentials");
2348
- isSdJwtCredential = /* @__PURE__ */ __name((credential) => {
2349
- return credential.digitalCredential.documentFormat === import_ssi_sdk8.CredentialDocumentFormat.SD_JWT && credential.digitalCredential.documentType === import_ssi_sdk8.DocumentType.VC;
2350
- }, "isSdJwtCredential");
2351
- retrieveEncodedCredential = /* @__PURE__ */ __name((credential) => {
2352
- return credential.originalVerifiableCredential !== void 0 && credential.originalVerifiableCredential !== null && credential?.originalVerifiableCredential?.compactSdJwtVc !== void 0 && credential?.originalVerifiableCredential?.compactSdJwtVc !== null ? credential.originalVerifiableCredential.compactSdJwtVc : credential.originalVerifiableCredential;
2353
- }, "retrieveEncodedCredential");
2354
1839
  async siopGetSelectableCredentials(args, context) {
2355
1840
  const { authorizationRequestData } = args;
2356
- if (!authorizationRequestData || !authorizationRequestData.presentationDefinitions || authorizationRequestData.presentationDefinitions.length === 0) {
2357
- return Promise.reject(Error("Missing required fields in arguments or context"));
2358
- }
2359
- if (authorizationRequestData.presentationDefinitions.length > 1) {
2360
- return Promise.reject(Error("Multiple presentation definitions present"));
1841
+ if (!authorizationRequestData?.dcqlQuery) {
1842
+ return Promise.reject(Error("Missing required dcql query in context"));
2361
1843
  }
2362
- return getSelectableCredentials(authorizationRequestData.presentationDefinitions[0].definition, context);
1844
+ return getSelectableCredentials(authorizationRequestData?.dcqlQuery, context);
2363
1845
  }
2364
1846
  };
2365
1847
 
@@ -2398,12 +1880,12 @@ var OID4VPCallbackStateListener = /* @__PURE__ */ __name((callbacks) => {
2398
1880
  }, "OID4VPCallbackStateListener");
2399
1881
 
2400
1882
  // src/link-handler/index.ts
2401
- var import_ssi_sdk9 = require("@sphereon/ssi-sdk.agent-config");
2402
- var import_ssi_sdk10 = require("@sphereon/ssi-sdk.core");
2403
- var import_ssi_sdk11 = require("@sphereon/ssi-sdk.xstate-machine-persistence");
1883
+ var import_ssi_sdk7 = require("@sphereon/ssi-sdk.agent-config");
1884
+ var import_ssi_sdk8 = require("@sphereon/ssi-sdk.core");
1885
+ var import_ssi_sdk9 = require("@sphereon/ssi-sdk.xstate-machine-persistence");
2404
1886
  var import_ssi_types9 = require("@sphereon/ssi-types");
2405
1887
  var logger6 = import_ssi_types9.Loggers.DEFAULT.options(LOGGER_NAMESPACE, {}).get(LOGGER_NAMESPACE);
2406
- var Siopv2OID4VPLinkHandler = class extends import_ssi_sdk10.LinkHandlerAdapter {
1888
+ var Siopv2OID4VPLinkHandler = class extends import_ssi_sdk8.LinkHandlerAdapter {
2407
1889
  static {
2408
1890
  __name(this, "Siopv2OID4VPLinkHandler");
2409
1891
  }
@@ -2429,8 +1911,8 @@ var Siopv2OID4VPLinkHandler = class extends import_ssi_sdk10.LinkHandlerAdapter
2429
1911
  stateNavigationListener: this.stateNavigationListener
2430
1912
  });
2431
1913
  const interpreter = siopv2Machine.interpreter;
2432
- if (!this.noStateMachinePersistence && !opts?.machineState && (0, import_ssi_sdk9.contextHasPlugin)(this.context, "machineStatesFindActive")) {
2433
- const init = await (0, import_ssi_sdk11.interpreterStartOrResume)({
1914
+ if (!this.noStateMachinePersistence && !opts?.machineState && (0, import_ssi_sdk7.contextHasPlugin)(this.context, "machineStatesFindActive")) {
1915
+ const init = await (0, import_ssi_sdk9.interpreterStartOrResume)({
2434
1916
  interpreter,
2435
1917
  context: this.context,
2436
1918
  cleanupAllOtherInstances: true,
@@ -2445,7 +1927,4 @@ var Siopv2OID4VPLinkHandler = class extends import_ssi_sdk10.LinkHandlerAdapter
2445
1927
  }
2446
1928
  }
2447
1929
  };
2448
-
2449
- // src/index.ts
2450
- var schema = require_plugin_schema();
2451
1930
  //# sourceMappingURL=index.cjs.map