@sphereon/ssi-sdk.siopv2-oid4vp-op-auth 0.34.1-feature.SSISDK.26.RP.58 → 0.34.1-feature.SSISDK.44.finish.dcql.310

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (20) hide show
  1. package/dist/index.cjs +667 -1065
  2. package/dist/index.cjs.map +1 -1
  3. package/dist/index.d.cts +723 -118
  4. package/dist/index.d.ts +723 -118
  5. package/dist/index.js +627 -1025
  6. package/dist/index.js.map +1 -1
  7. package/package.json +23 -23
  8. package/src/agent/DidAuthSiopOpAuthenticator.ts +10 -145
  9. package/src/index.ts +2 -1
  10. package/src/machine/Siopv2Machine.ts +5 -5
  11. package/src/services/Siopv2MachineService.ts +140 -267
  12. package/src/session/OID4VP.ts +180 -286
  13. package/src/session/OpSession.ts +11 -119
  14. package/src/session/functions.ts +1 -8
  15. package/src/types/IDidAuthSiopOpAuthenticator.ts +6 -59
  16. package/src/types/identifier/index.ts +0 -4
  17. package/src/types/machine/index.ts +1 -1
  18. package/src/types/siop-service/index.ts +12 -10
  19. package/src/utils/CredentialUtils.ts +2 -40
  20. package/src/utils/dcql.ts +22 -19
package/dist/index.cjs CHANGED
@@ -60,375 +60,371 @@ var require_nl = __commonJS({
60
60
  }
61
61
  });
62
62
 
63
+ // src/index.ts
64
+ var index_exports = {};
65
+ __export(index_exports, {
66
+ DEFAULT_JWT_PROOF_TYPE: () => DEFAULT_JWT_PROOF_TYPE,
67
+ DID_PREFIX: () => DID_PREFIX,
68
+ DidAuthSiopOpAuthenticator: () => DidAuthSiopOpAuthenticator,
69
+ LOGGER_NAMESPACE: () => LOGGER_NAMESPACE,
70
+ OID4VPCallbackStateListener: () => OID4VPCallbackStateListener,
71
+ OpSession: () => OpSession,
72
+ Siopv2HolderEvent: () => Siopv2HolderEvent,
73
+ Siopv2Machine: () => Siopv2Machine,
74
+ Siopv2MachineAddContactStates: () => Siopv2MachineAddContactStates,
75
+ Siopv2MachineEvents: () => Siopv2MachineEvents,
76
+ Siopv2MachineGuards: () => Siopv2MachineGuards,
77
+ Siopv2MachineServices: () => Siopv2MachineServices,
78
+ Siopv2MachineStates: () => Siopv2MachineStates,
79
+ Siopv2OID4VPLinkHandler: () => Siopv2OID4VPLinkHandler,
80
+ SupportedLanguage: () => SupportedLanguage,
81
+ convertToDcqlCredentials: () => convertToDcqlCredentials,
82
+ createJwtCallbackWithIdOpts: () => createJwtCallbackWithIdOpts,
83
+ createJwtCallbackWithOpOpts: () => createJwtCallbackWithOpOpts,
84
+ createOID4VPPresentationSignCallback: () => createOID4VPPresentationSignCallback,
85
+ createOP: () => createOP,
86
+ createOPBuilder: () => createOPBuilder,
87
+ createVerifiablePresentationForFormat: () => createVerifiablePresentationForFormat,
88
+ didAuthSiopOpAuthenticatorMethods: () => didAuthSiopOpAuthenticatorMethods,
89
+ getSigningAlgo: () => getSigningAlgo,
90
+ schema: () => plugin_schema_default
91
+ });
92
+ module.exports = __toCommonJS(index_exports);
93
+
63
94
  // plugin.schema.json
64
- var require_plugin_schema = __commonJS({
65
- "plugin.schema.json"(exports, module2) {
66
- module2.exports = {
67
- IDidAuthSiopOpAuthenticator: {
68
- components: {
69
- schemas: {
70
- IGetSiopSessionArgs: {
71
- type: "object",
72
- properties: {
73
- sessionId: {
74
- type: "string"
75
- },
76
- additionalProperties: false
77
- },
78
- required: ["sessionId"],
79
- description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.getSessionForSiop } "
95
+ var plugin_schema_default = {
96
+ IDidAuthSiopOpAuthenticator: {
97
+ components: {
98
+ schemas: {
99
+ IGetSiopSessionArgs: {
100
+ type: "object",
101
+ properties: {
102
+ sessionId: {
103
+ type: "string"
80
104
  },
81
- IRegisterSiopSessionArgs: {
105
+ additionalProperties: false
106
+ },
107
+ required: ["sessionId"],
108
+ description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.getSessionForSiop } "
109
+ },
110
+ IRegisterSiopSessionArgs: {
111
+ type: "object",
112
+ properties: {
113
+ identifier: {
82
114
  type: "object",
83
115
  properties: {
84
- identifier: {
85
- type: "object",
86
- properties: {
87
- did: {
88
- type: "string"
89
- },
90
- alias: {
91
- type: "string"
92
- },
93
- provider: {
94
- type: "string"
95
- },
96
- controllerKeyId: {
97
- type: "string"
98
- },
99
- keys: {
100
- type: "array",
101
- items: {
102
- type: "object",
103
- properties: {
104
- additionalProperties: true
105
- }
106
- }
107
- },
108
- services: {
109
- type: "array",
110
- items: {
111
- type: "object",
112
- properties: {
113
- additionalProperties: true
114
- }
115
- }
116
- }
117
- },
118
- additionalProperties: false,
119
- required: ["did", "provider", "keys", "services"]
120
- },
121
- sessionId: {
116
+ did: {
122
117
  type: "string"
123
118
  },
124
- expiresIn: {
125
- type: "number"
126
- },
127
- additionalProperties: false
128
- },
129
- required: ["identifier"],
130
- description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.registerSessionForSiop } "
131
- },
132
- IRemoveSiopSessionArgs: {
133
- type: "object",
134
- properties: {
135
- sessionId: {
119
+ alias: {
136
120
  type: "string"
137
121
  },
138
- additionalProperties: false
139
- },
140
- required: ["sessionId"],
141
- description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.removeSessionForSiop } "
142
- },
143
- IAuthenticateWithSiopArgs: {
144
- type: "object",
145
- properties: {
146
- sessionId: {
122
+ provider: {
147
123
  type: "string"
148
124
  },
149
- stateId: {
125
+ controllerKeyId: {
150
126
  type: "string"
151
127
  },
152
- redirectUrl: {
153
- type: "string"
128
+ keys: {
129
+ type: "array",
130
+ items: {
131
+ type: "object",
132
+ properties: {
133
+ additionalProperties: true
134
+ }
135
+ }
154
136
  },
155
- additionalProperties: false
137
+ services: {
138
+ type: "array",
139
+ items: {
140
+ type: "object",
141
+ properties: {
142
+ additionalProperties: true
143
+ }
144
+ }
145
+ }
156
146
  },
157
- required: ["sessionId", "stateId", "redirectUrl"],
158
- description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.authenticateWithSiop } "
147
+ additionalProperties: false,
148
+ required: ["did", "provider", "keys", "services"]
149
+ },
150
+ sessionId: {
151
+ type: "string"
152
+ },
153
+ expiresIn: {
154
+ type: "number"
155
+ },
156
+ additionalProperties: false
157
+ },
158
+ required: ["identifier"],
159
+ description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.registerSessionForSiop } "
160
+ },
161
+ IRemoveSiopSessionArgs: {
162
+ type: "object",
163
+ properties: {
164
+ sessionId: {
165
+ type: "string"
166
+ },
167
+ additionalProperties: false
168
+ },
169
+ required: ["sessionId"],
170
+ description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.removeSessionForSiop } "
171
+ },
172
+ IAuthenticateWithSiopArgs: {
173
+ type: "object",
174
+ properties: {
175
+ sessionId: {
176
+ type: "string"
159
177
  },
160
- IResponse: {
178
+ stateId: {
179
+ type: "string"
180
+ },
181
+ redirectUrl: {
182
+ type: "string"
183
+ },
184
+ additionalProperties: false
185
+ },
186
+ required: ["sessionId", "stateId", "redirectUrl"],
187
+ description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.authenticateWithSiop } "
188
+ },
189
+ IResponse: {
190
+ type: "object",
191
+ properties: {
192
+ status: {
193
+ type: "number"
194
+ },
195
+ additionalProperties: true
196
+ },
197
+ required: ["status"],
198
+ description: "Result of {@link DidAuthSiopOpAuthenticator.authenticateWithSiop & DidAuthSiopOpAuthenticator.sendSiopAuthenticationResponse } "
199
+ },
200
+ IGetSiopAuthenticationRequestFromRpArgs: {
201
+ type: "object",
202
+ properties: {
203
+ sessionId: {
204
+ type: "string"
205
+ },
206
+ stateId: {
207
+ type: "string"
208
+ },
209
+ redirectUrl: {
210
+ type: "string"
211
+ },
212
+ additionalProperties: false
213
+ },
214
+ required: ["sessionId", "stateId", "redirectUrl"],
215
+ description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.getSiopAuthenticationRequestFromRP } "
216
+ },
217
+ ParsedAuthenticationRequestURI: {
218
+ type: "object",
219
+ properties: {
220
+ jwt: {
221
+ type: "string"
222
+ },
223
+ requestPayload: {
161
224
  type: "object",
162
225
  properties: {
163
- status: {
164
- type: "number"
165
- },
166
226
  additionalProperties: true
167
- },
168
- required: ["status"],
169
- description: "Result of {@link DidAuthSiopOpAuthenticator.authenticateWithSiop & DidAuthSiopOpAuthenticator.sendSiopAuthenticationResponse } "
227
+ }
170
228
  },
171
- IGetSiopAuthenticationRequestFromRpArgs: {
229
+ registration: {
172
230
  type: "object",
173
231
  properties: {
174
- sessionId: {
175
- type: "string"
176
- },
177
- stateId: {
178
- type: "string"
179
- },
180
- redirectUrl: {
181
- type: "string"
182
- },
183
- additionalProperties: false
184
- },
185
- required: ["sessionId", "stateId", "redirectUrl"],
186
- description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.getSiopAuthenticationRequestFromRP } "
232
+ additionalProperties: true
233
+ }
187
234
  },
188
- ParsedAuthenticationRequestURI: {
235
+ additionalProperties: false
236
+ },
237
+ required: ["jwt", "requestPayload", "registration"],
238
+ description: "Result of {@link DidAuthSiopOpAuthenticator.getSiopAuthenticationRequestFromRP } "
239
+ },
240
+ IGetSiopAuthenticationRequestDetailsArgs: {
241
+ type: "object",
242
+ properties: {
243
+ sessionId: {
244
+ type: "string"
245
+ },
246
+ verifiedAuthenticationRequest: {
189
247
  type: "object",
190
248
  properties: {
191
- jwt: {
192
- type: "string"
193
- },
194
- requestPayload: {
195
- type: "object",
196
- properties: {
197
- additionalProperties: true
198
- }
199
- },
200
- registration: {
201
- type: "object",
202
- properties: {
203
- additionalProperties: true
204
- }
205
- },
206
- additionalProperties: false
207
- },
208
- required: ["jwt", "requestPayload", "registration"],
209
- description: "Result of {@link DidAuthSiopOpAuthenticator.getSiopAuthenticationRequestFromRP } "
249
+ additionalProperties: true
250
+ }
210
251
  },
211
- IGetSiopAuthenticationRequestDetailsArgs: {
252
+ credentialFilter: {
212
253
  type: "object",
213
254
  properties: {
214
- sessionId: {
215
- type: "string"
216
- },
217
- verifiedAuthenticationRequest: {
218
- type: "object",
219
- properties: {
220
- additionalProperties: true
221
- }
222
- },
223
- credentialFilter: {
224
- type: "object",
225
- properties: {
226
- additionalProperties: true
227
- }
228
- },
229
- additionalProperties: false
230
- },
231
- required: ["sessionId", "verifiedAuthenticationRequest"],
232
- description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.getSiopAuthenticationRequestDetails } "
255
+ additionalProperties: true
256
+ }
257
+ },
258
+ additionalProperties: false
259
+ },
260
+ required: ["sessionId", "verifiedAuthenticationRequest"],
261
+ description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.getSiopAuthenticationRequestDetails } "
262
+ },
263
+ IAuthRequestDetails: {
264
+ type: "object",
265
+ properties: {
266
+ id: {
267
+ type: "string"
233
268
  },
234
- IAuthRequestDetails: {
269
+ alsoKnownAs: {
270
+ type: "array",
271
+ items: {
272
+ type: "string"
273
+ }
274
+ },
275
+ vpResponseOpts: {
235
276
  type: "object",
236
277
  properties: {
237
- id: {
238
- type: "string"
239
- },
240
- alsoKnownAs: {
241
- type: "array",
242
- items: {
243
- type: "string"
244
- }
245
- },
246
- vpResponseOpts: {
247
- type: "object",
248
- properties: {
249
- additionalProperties: true
250
- }
251
- },
252
- additionalProperties: false
253
- },
254
- required: ["id", "vpResponseOpts"],
255
- description: "Result of {@link DidAuthSiopOpAuthenticator.getSiopAuthenticationRequestDetails } "
278
+ additionalProperties: true
279
+ }
256
280
  },
257
- IVerifySiopAuthenticationRequestUriArgs: {
281
+ additionalProperties: false
282
+ },
283
+ required: ["id", "vpResponseOpts"],
284
+ description: "Result of {@link DidAuthSiopOpAuthenticator.getSiopAuthenticationRequestDetails } "
285
+ },
286
+ IVerifySiopAuthenticationRequestUriArgs: {
287
+ type: "object",
288
+ properties: {
289
+ sessionId: {
290
+ type: "string"
291
+ },
292
+ ParsedAuthenticationRequestURI: {
258
293
  type: "object",
259
294
  properties: {
260
- sessionId: {
261
- type: "string"
262
- },
263
- ParsedAuthenticationRequestURI: {
264
- type: "object",
265
- properties: {
266
- additionalProperties: true
267
- }
268
- },
269
- additionalProperties: false
270
- },
271
- required: ["sessionId", "ParsedAuthenticationRequestURI"],
272
- description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.verifySiopAuthenticationRequestURI } "
295
+ additionalProperties: true
296
+ }
273
297
  },
274
- VerifiedAuthorizationRequest: {
298
+ additionalProperties: false
299
+ },
300
+ required: ["sessionId", "ParsedAuthenticationRequestURI"],
301
+ description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.verifySiopAuthenticationRequestURI } "
302
+ },
303
+ VerifiedAuthorizationRequest: {
304
+ type: "object",
305
+ properties: {
306
+ payload: {
275
307
  type: "object",
276
308
  properties: {
277
- payload: {
278
- type: "object",
279
- properties: {
280
- additionalProperties: true
281
- }
282
- },
283
- presentationDefinitions: {
284
- type: "object",
285
- properties: {
286
- additionalProperties: true
287
- }
288
- },
289
- verifyOpts: {
290
- type: "object",
291
- properties: {
292
- additionalProperties: true
293
- }
294
- },
295
- additionalProperties: false
296
- },
297
- required: ["payload", "verifyOpts"],
298
- description: "Result of {@link DidAuthSiopOpAuthenticator.verifySiopAuthenticationRequestURI } "
309
+ additionalProperties: true
310
+ }
299
311
  },
300
- ISendSiopAuthenticationResponseArgs: {
312
+ presentationDefinitions: {
301
313
  type: "object",
302
314
  properties: {
303
- sessionId: {
304
- type: "string"
305
- },
306
- verifiedAuthenticationRequest: {
307
- type: "object",
308
- properties: {
309
- additionalProperties: true
310
- }
311
- },
312
- verifiablePresentationResponse: {
313
- type: "object",
314
- properties: {
315
- additionalProperties: true
316
- }
317
- },
318
- additionalProperties: false
319
- },
320
- required: ["sessionId", "verifiedAuthenticationRequest"],
321
- description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.sendSiopAuthenticationResponse } "
322
- }
323
- },
324
- methods: {
325
- getSessionForSiop: {
326
- description: "Get SIOP session",
327
- arguments: {
328
- $ref: "#/components/schemas/IGetSiopSessionArgs"
329
- },
330
- returnType: "object"
331
- },
332
- registerSessionForSiop: {
333
- description: "Register SIOP session",
334
- arguments: {
335
- $ref: "#/components/schemas/IRegisterSiopSessionArgs"
336
- },
337
- returnType: "object"
338
- },
339
- removeSessionForSiop: {
340
- description: "Remove SIOP session",
341
- arguments: {
342
- $ref: "#/components/schemas/IRemoveSiopSessionArgs"
343
- },
344
- returnType: "boolean"
345
- },
346
- authenticateWithSiop: {
347
- description: "Authenticate using DID Auth SIOP",
348
- arguments: {
349
- $ref: "#/components/schemas/IAuthenticateWithSiopArgs"
350
- },
351
- returnType: {
352
- $ref: "#/components/schemas/Response"
315
+ additionalProperties: true
353
316
  }
354
317
  },
355
- getSiopAuthenticationRequestFromRP: {
356
- description: "Get authentication request from RP",
357
- arguments: {
358
- $ref: "#/components/schemas/IGetSiopAuthenticationRequestFromRpArgs"
359
- },
360
- returnType: {
361
- $ref: "#/components/schemas/ParsedAuthenticationRequestURI"
318
+ verifyOpts: {
319
+ type: "object",
320
+ properties: {
321
+ additionalProperties: true
362
322
  }
363
323
  },
364
- getSiopAuthenticationRequestDetails: {
365
- description: "Get authentication request details",
366
- arguments: {
367
- $ref: "#/components/schemas/IGetSiopAuthenticationRequestDetailsArgs"
368
- },
369
- returnType: {
370
- $ref: "#/components/schemas/IAuthRequestDetails"
371
- }
324
+ additionalProperties: false
325
+ },
326
+ required: ["payload", "verifyOpts"],
327
+ description: "Result of {@link DidAuthSiopOpAuthenticator.verifySiopAuthenticationRequestURI } "
328
+ },
329
+ ISendSiopAuthenticationResponseArgs: {
330
+ type: "object",
331
+ properties: {
332
+ sessionId: {
333
+ type: "string"
372
334
  },
373
- verifySiopAuthenticationRequestURI: {
374
- description: "Verify authentication request URI",
375
- arguments: {
376
- $ref: "#/components/schemas/IVerifySiopAuthenticationRequestUriArgs"
377
- },
378
- returnType: {
379
- $ref: "#/components/schemas/VerifiedAuthorizationRequest"
335
+ verifiedAuthenticationRequest: {
336
+ type: "object",
337
+ properties: {
338
+ additionalProperties: true
380
339
  }
381
340
  },
382
- sendSiopAuthenticationResponse: {
383
- description: "Send authentication response",
384
- arguments: {
385
- $ref: "#/components/schemas/ISendSiopAuthenticationResponseArgs"
386
- },
387
- returnType: {
388
- $ref: "#/components/schemas/IRequiredContext"
341
+ verifiablePresentationResponse: {
342
+ type: "object",
343
+ properties: {
344
+ additionalProperties: true
389
345
  }
390
- }
346
+ },
347
+ additionalProperties: false
348
+ },
349
+ required: ["sessionId", "verifiedAuthenticationRequest"],
350
+ description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.sendSiopAuthenticationResponse } "
351
+ }
352
+ },
353
+ methods: {
354
+ getSessionForSiop: {
355
+ description: "Get SIOP session",
356
+ arguments: {
357
+ $ref: "#/components/schemas/IGetSiopSessionArgs"
358
+ },
359
+ returnType: "object"
360
+ },
361
+ registerSessionForSiop: {
362
+ description: "Register SIOP session",
363
+ arguments: {
364
+ $ref: "#/components/schemas/IRegisterSiopSessionArgs"
365
+ },
366
+ returnType: "object"
367
+ },
368
+ removeSessionForSiop: {
369
+ description: "Remove SIOP session",
370
+ arguments: {
371
+ $ref: "#/components/schemas/IRemoveSiopSessionArgs"
372
+ },
373
+ returnType: "boolean"
374
+ },
375
+ authenticateWithSiop: {
376
+ description: "Authenticate using DID Auth SIOP",
377
+ arguments: {
378
+ $ref: "#/components/schemas/IAuthenticateWithSiopArgs"
379
+ },
380
+ returnType: {
381
+ $ref: "#/components/schemas/Response"
382
+ }
383
+ },
384
+ getSiopAuthenticationRequestFromRP: {
385
+ description: "Get authentication request from RP",
386
+ arguments: {
387
+ $ref: "#/components/schemas/IGetSiopAuthenticationRequestFromRpArgs"
388
+ },
389
+ returnType: {
390
+ $ref: "#/components/schemas/ParsedAuthenticationRequestURI"
391
+ }
392
+ },
393
+ getSiopAuthenticationRequestDetails: {
394
+ description: "Get authentication request details",
395
+ arguments: {
396
+ $ref: "#/components/schemas/IGetSiopAuthenticationRequestDetailsArgs"
397
+ },
398
+ returnType: {
399
+ $ref: "#/components/schemas/IAuthRequestDetails"
400
+ }
401
+ },
402
+ verifySiopAuthenticationRequestURI: {
403
+ description: "Verify authentication request URI",
404
+ arguments: {
405
+ $ref: "#/components/schemas/IVerifySiopAuthenticationRequestUriArgs"
406
+ },
407
+ returnType: {
408
+ $ref: "#/components/schemas/VerifiedAuthorizationRequest"
409
+ }
410
+ },
411
+ sendSiopAuthenticationResponse: {
412
+ description: "Send authentication response",
413
+ arguments: {
414
+ $ref: "#/components/schemas/ISendSiopAuthenticationResponseArgs"
415
+ },
416
+ returnType: {
417
+ $ref: "#/components/schemas/IRequiredContext"
391
418
  }
392
419
  }
393
420
  }
394
- };
421
+ }
395
422
  }
396
- });
397
-
398
- // src/index.ts
399
- var index_exports = {};
400
- __export(index_exports, {
401
- DEFAULT_JWT_PROOF_TYPE: () => DEFAULT_JWT_PROOF_TYPE,
402
- DID_PREFIX: () => DID_PREFIX,
403
- DidAuthSiopOpAuthenticator: () => DidAuthSiopOpAuthenticator,
404
- LOGGER_NAMESPACE: () => LOGGER_NAMESPACE,
405
- OID4VP: () => OID4VP,
406
- OID4VPCallbackStateListener: () => OID4VPCallbackStateListener,
407
- OpSession: () => OpSession,
408
- Siopv2HolderEvent: () => Siopv2HolderEvent,
409
- Siopv2Machine: () => Siopv2Machine,
410
- Siopv2MachineAddContactStates: () => Siopv2MachineAddContactStates,
411
- Siopv2MachineEvents: () => Siopv2MachineEvents,
412
- Siopv2MachineGuards: () => Siopv2MachineGuards,
413
- Siopv2MachineServices: () => Siopv2MachineServices,
414
- Siopv2MachineStates: () => Siopv2MachineStates,
415
- Siopv2OID4VPLinkHandler: () => Siopv2OID4VPLinkHandler,
416
- SupportedLanguage: () => SupportedLanguage,
417
- createJwtCallbackWithIdOpts: () => createJwtCallbackWithIdOpts,
418
- createJwtCallbackWithOpOpts: () => createJwtCallbackWithOpOpts,
419
- createOID4VPPresentationSignCallback: () => createOID4VPPresentationSignCallback,
420
- createOP: () => createOP,
421
- createOPBuilder: () => createOPBuilder,
422
- didAuthSiopOpAuthenticatorMethods: () => didAuthSiopOpAuthenticatorMethods,
423
- events: () => events,
424
- getSigningAlgo: () => getSigningAlgo,
425
- schema: () => schema
426
- });
427
- module.exports = __toCommonJS(index_exports);
423
+ };
428
424
 
429
425
  // src/agent/DidAuthSiopOpAuthenticator.ts
430
- var import_did_auth_siop5 = require("@sphereon/did-auth-siop");
431
- var import_ssi_sdk8 = require("@sphereon/ssi-sdk.data-store");
426
+ var import_did_auth_siop4 = require("@sphereon/did-auth-siop");
427
+ var import_ssi_sdk7 = require("@sphereon/ssi-sdk.data-store-types");
432
428
  var import_ssi_types7 = require("@sphereon/ssi-types");
433
429
  var import_uuid2 = require("uuid");
434
430
 
@@ -455,10 +451,8 @@ __name(createOID4VPPresentationSignCallback, "createOID4VPPresentationSignCallba
455
451
  async function createOPBuilder({ opOptions, idOpts: idOpts1, context }) {
456
452
  const eventEmitter = opOptions.eventEmitter ?? new import_events.EventEmitter();
457
453
  const builder = import_did_auth_siop.OP.builder().withResponseMode(opOptions.responseMode ?? import_did_auth_siop.ResponseMode.DIRECT_POST).withSupportedVersions(opOptions.supportedVersions ?? [
458
- import_did_auth_siop.SupportedVersion.SIOPv2_ID1,
459
- import_did_auth_siop.SupportedVersion.JWT_VC_PRESENTATION_PROFILE_v1,
460
- import_did_auth_siop.SupportedVersion.SIOPv2_D11,
461
- import_did_auth_siop.SupportedVersion.SIOPv2_D12_OID4VP_D18
454
+ import_did_auth_siop.SupportedVersion.OID4VP_v1,
455
+ import_did_auth_siop.SupportedVersion.SIOPv2_OID4VP_D28
462
456
  ]).withExpiresIn(opOptions.expiresIn ?? 300).withEventEmitter(eventEmitter).withRegistration({
463
457
  passBy: import_did_auth_siop.PassBy.VALUE
464
458
  });
@@ -586,34 +580,29 @@ function getSigningAlgo(type) {
586
580
  __name(getSigningAlgo, "getSigningAlgo");
587
581
 
588
582
  // src/session/OID4VP.ts
589
- var import_did_auth_siop2 = require("@sphereon/did-auth-siop");
590
- var import_pex = require("@sphereon/pex");
583
+ var import_utils = require("@sphereon/pex/dist/main/lib/utils/index.js");
591
584
  var import_ssi_sdk_ext2 = require("@sphereon/ssi-sdk-ext.identifier-resolution");
592
- var import_ssi_sdk2 = require("@sphereon/ssi-sdk.core");
593
- var import_ssi_sdk3 = require("@sphereon/ssi-sdk.credential-store");
585
+ var import_ssi_sdk2 = require("@sphereon/ssi-sdk.sd-jwt");
586
+ var import_ssi_types = require("@sphereon/ssi-types");
594
587
 
595
588
  // src/types/IDidAuthSiopOpAuthenticator.ts
596
589
  var LOGGER_NAMESPACE = "sphereon:siopv2-oid4vp:op-auth";
597
- var events = /* @__PURE__ */ function(events2) {
598
- events2["DID_SIOP_AUTHENTICATED"] = "didSiopAuthenticated";
599
- return events2;
600
- }({});
601
590
  var DEFAULT_JWT_PROOF_TYPE = "JwtProof2020";
602
591
 
603
592
  // src/types/siop-service/index.ts
604
- var Siopv2HolderEvent = /* @__PURE__ */ function(Siopv2HolderEvent2) {
593
+ var Siopv2HolderEvent = /* @__PURE__ */ (function(Siopv2HolderEvent2) {
605
594
  Siopv2HolderEvent2["CONTACT_IDENTITY_CREATED"] = "contact_identity_created";
606
595
  Siopv2HolderEvent2["IDENTIFIER_CREATED"] = "identifier_created";
607
596
  return Siopv2HolderEvent2;
608
- }({});
609
- var SupportedLanguage = /* @__PURE__ */ function(SupportedLanguage2) {
597
+ })({});
598
+ var SupportedLanguage = /* @__PURE__ */ (function(SupportedLanguage2) {
610
599
  SupportedLanguage2["ENGLISH"] = "en";
611
600
  SupportedLanguage2["DUTCH"] = "nl";
612
601
  return SupportedLanguage2;
613
- }({});
602
+ })({});
614
603
 
615
604
  // src/types/machine/index.ts
616
- var Siopv2MachineStates = /* @__PURE__ */ function(Siopv2MachineStates2) {
605
+ var Siopv2MachineStates = /* @__PURE__ */ (function(Siopv2MachineStates2) {
617
606
  Siopv2MachineStates2["createConfig"] = "createConfig";
618
607
  Siopv2MachineStates2["getSiopRequest"] = "getSiopRequest";
619
608
  Siopv2MachineStates2["getSelectableCredentials"] = "getSelectableCredentials";
@@ -629,14 +618,14 @@ var Siopv2MachineStates = /* @__PURE__ */ function(Siopv2MachineStates2) {
629
618
  Siopv2MachineStates2["error"] = "error";
630
619
  Siopv2MachineStates2["done"] = "done";
631
620
  return Siopv2MachineStates2;
632
- }({});
633
- var Siopv2MachineAddContactStates = /* @__PURE__ */ function(Siopv2MachineAddContactStates2) {
621
+ })({});
622
+ var Siopv2MachineAddContactStates = /* @__PURE__ */ (function(Siopv2MachineAddContactStates2) {
634
623
  Siopv2MachineAddContactStates2["idle"] = "idle";
635
624
  Siopv2MachineAddContactStates2["executing"] = "executing";
636
625
  Siopv2MachineAddContactStates2["next"] = "next";
637
626
  return Siopv2MachineAddContactStates2;
638
- }({});
639
- var Siopv2MachineEvents = /* @__PURE__ */ function(Siopv2MachineEvents2) {
627
+ })({});
628
+ var Siopv2MachineEvents = /* @__PURE__ */ (function(Siopv2MachineEvents2) {
640
629
  Siopv2MachineEvents2["NEXT"] = "NEXT";
641
630
  Siopv2MachineEvents2["PREVIOUS"] = "PREVIOUS";
642
631
  Siopv2MachineEvents2["DECLINE"] = "DECLINE";
@@ -645,8 +634,8 @@ var Siopv2MachineEvents = /* @__PURE__ */ function(Siopv2MachineEvents2) {
645
634
  Siopv2MachineEvents2["CREATE_CONTACT"] = "CREATE_CONTACT";
646
635
  Siopv2MachineEvents2["SET_SELECTED_CREDENTIALS"] = "SET_SELECTED_CREDENTIALS";
647
636
  return Siopv2MachineEvents2;
648
- }({});
649
- var Siopv2MachineGuards = /* @__PURE__ */ function(Siopv2MachineGuards2) {
637
+ })({});
638
+ var Siopv2MachineGuards = /* @__PURE__ */ (function(Siopv2MachineGuards2) {
650
639
  Siopv2MachineGuards2["hasNoContactGuard"] = "Siopv2HasNoContactGuard";
651
640
  Siopv2MachineGuards2["createContactGuard"] = "Siopv2CreateContactGuard";
652
641
  Siopv2MachineGuards2["hasContactGuard"] = "Siopv2HasContactGuard";
@@ -656,8 +645,8 @@ var Siopv2MachineGuards = /* @__PURE__ */ function(Siopv2MachineGuards2) {
656
645
  Siopv2MachineGuards2["siopOnlyGuard"] = "Siopv2IsSiopOnlyGuard";
657
646
  Siopv2MachineGuards2["siopWithOID4VPGuard"] = "Siopv2IsSiopWithOID4VPGuard";
658
647
  return Siopv2MachineGuards2;
659
- }({});
660
- var Siopv2MachineServices = /* @__PURE__ */ function(Siopv2MachineServices2) {
648
+ })({});
649
+ var Siopv2MachineServices = /* @__PURE__ */ (function(Siopv2MachineServices2) {
661
650
  Siopv2MachineServices2["getSiopRequest"] = "getSiopRequest";
662
651
  Siopv2MachineServices2["getSelectableCredentials"] = "getSelectableCredentials";
663
652
  Siopv2MachineServices2["retrieveContact"] = "retrieveContact";
@@ -665,212 +654,156 @@ var Siopv2MachineServices = /* @__PURE__ */ function(Siopv2MachineServices2) {
665
654
  Siopv2MachineServices2["sendResponse"] = "sendResponse";
666
655
  Siopv2MachineServices2["createConfig"] = "createConfig";
667
656
  return Siopv2MachineServices2;
668
- }({});
657
+ })({});
669
658
 
670
659
  // src/types/identifier/index.ts
671
660
  var DID_PREFIX = "did";
672
661
 
673
662
  // src/session/OID4VP.ts
674
- var OID4VP = class _OID4VP {
675
- static {
676
- __name(this, "OID4VP");
663
+ var CLOCK_SKEW = 120;
664
+ var logger = import_ssi_types.Loggers.DEFAULT.get(LOGGER_NAMESPACE);
665
+ function extractOriginalCredential(credential) {
666
+ if (typeof credential === "string") {
667
+ return credential;
677
668
  }
678
- session;
679
- allIdentifiers;
680
- hasher;
681
- constructor(args) {
682
- const { session, allIdentifiers, hasher = import_ssi_sdk2.defaultHasher } = args;
683
- this.session = session;
684
- this.allIdentifiers = allIdentifiers ?? [];
685
- this.hasher = hasher;
686
- }
687
- static async init(session, allIdentifiers, hasher) {
688
- return new _OID4VP({
689
- session,
690
- allIdentifiers: allIdentifiers ?? await session.getSupportedDIDs(),
691
- hasher
692
- });
693
- }
694
- async getPresentationDefinitions() {
695
- const definitions = await this.session.getPresentationDefinitions();
696
- if (definitions) {
697
- import_did_auth_siop2.PresentationExchange.assertValidPresentationDefinitionWithLocations(definitions);
669
+ if ("digitalCredential" in credential) {
670
+ const udc = credential;
671
+ if (udc.originalVerifiableCredential) {
672
+ return udc.originalVerifiableCredential;
698
673
  }
699
- return definitions;
700
- }
701
- getPresentationExchange(args) {
702
- const { verifiableCredentials, allIdentifiers, hasher } = args;
703
- return new import_did_auth_siop2.PresentationExchange({
704
- allDIDs: allIdentifiers ?? this.allIdentifiers,
705
- allVerifiableCredentials: verifiableCredentials,
706
- hasher: hasher ?? this.hasher
707
- });
674
+ return udc.uniformVerifiableCredential;
708
675
  }
709
- async createVerifiablePresentations(credentialRole, credentialsWithDefinitions, opts) {
710
- return await Promise.all(credentialsWithDefinitions.map((cred) => this.createVerifiablePresentation(credentialRole, cred, opts)));
676
+ if ("original" in credential) {
677
+ return credential.original;
711
678
  }
712
- async createVerifiablePresentation(credentialRole, selectedVerifiableCredentials, opts) {
713
- const { subjectIsHolder, holder, forceNoCredentialsInVP = false } = {
714
- ...opts
715
- };
716
- if (subjectIsHolder && holder) {
717
- throw Error("Cannot both have subject is holder and a holderDID value at the same time (programming error)");
679
+ return credential;
680
+ }
681
+ __name(extractOriginalCredential, "extractOriginalCredential");
682
+ function detectCredentialFormat(credential) {
683
+ if (typeof credential === "string") {
684
+ if (credential.includes("~")) {
685
+ return "dc+sd-jwt";
718
686
  }
719
- if (forceNoCredentialsInVP) {
720
- selectedVerifiableCredentials.credentials = [];
721
- } else if (!selectedVerifiableCredentials?.credentials || selectedVerifiableCredentials.credentials.length === 0) {
722
- throw Error("No verifiable verifiableCredentials provided for presentation definition");
687
+ const parts = credential.split(".");
688
+ if (parts.length === 3) {
689
+ return "jwt_vc_json";
723
690
  }
724
- const proofOptions = {
725
- ...opts?.proofOpts,
726
- challenge: opts?.proofOpts?.nonce ?? opts?.proofOpts?.challenge ?? this.session.nonce,
727
- domain: opts?.proofOpts?.domain ?? await this.session.getRedirectUri()
728
- };
729
- let idOpts2 = opts?.idOpts;
730
- if (!idOpts2) {
731
- if (opts?.subjectIsHolder) {
732
- if (forceNoCredentialsInVP) {
733
- return Promise.reject(Error(`Cannot have subject is holder, when force no credentials is being used, as we could never determine the holder then. Please provide holderDID`));
734
- }
735
- const firstUniqueDC = selectedVerifiableCredentials.credentials[0];
736
- if (typeof firstUniqueDC !== "object" || !("digitalCredential" in firstUniqueDC)) {
737
- return Promise.reject(Error("If no opts provided, credentials should be of type UniqueDigitalCredential"));
738
- }
739
- idOpts2 = (0, import_ssi_sdk_ext2.isOID4VCIssuerIdentifier)(firstUniqueDC.digitalCredential.kmsKeyRef) ? await this.session.context.agent.identifierManagedGetByIssuer({
740
- identifier: firstUniqueDC.digitalCredential.kmsKeyRef
741
- }) : await this.session.context.agent.identifierManagedGetByKid({
742
- identifier: firstUniqueDC.digitalCredential.kmsKeyRef,
743
- kmsKeyRef: firstUniqueDC.digitalCredential.kmsKeyRef
744
- });
745
- } else if (opts?.holder) {
746
- idOpts2 = {
747
- identifier: opts.holder
748
- };
749
- }
691
+ } else if (typeof credential === "object") {
692
+ if ("compactSdJwtVc" in credential) {
693
+ return "dc+sd-jwt";
750
694
  }
751
- const vcs = forceNoCredentialsInVP ? selectedVerifiableCredentials : opts?.applyFilter ? await this.filterCredentials(credentialRole, selectedVerifiableCredentials.definition, {
752
- restrictToFormats: opts?.restrictToFormats,
753
- restrictToDIDMethods: opts?.restrictToDIDMethods,
754
- filterOpts: {
755
- verifiableCredentials: selectedVerifiableCredentials.credentials
756
- }
757
- }) : {
758
- definition: selectedVerifiableCredentials.definition,
759
- credentials: selectedVerifiableCredentials.credentials
760
- };
761
- if (!idOpts2) {
762
- return Promise.reject(Error(`No identifier options present at this point`));
695
+ if ("@context" in credential || "proof" in credential) {
696
+ return "ldp_vc";
697
+ }
698
+ if ("doctype" in credential || "namespaces" in credential) {
699
+ return "mso_mdoc";
763
700
  }
764
- const signCallback = await createOID4VPPresentationSignCallback({
765
- presentationSignCallback: this.session.options.presentationSignCallback,
766
- idOpts: idOpts2,
767
- context: this.session.context,
768
- domain: proofOptions.domain,
769
- challenge: proofOptions.challenge,
770
- format: opts?.restrictToFormats ?? selectedVerifiableCredentials.definition.definition.format,
771
- skipDidResolution: opts?.skipDidResolution ?? false
772
- });
773
- const identifier = await this.session.context.agent.identifierManagedGet(idOpts2);
774
- const verifiableCredentials = vcs.credentials.map((credential) => typeof credential === "object" && "digitalCredential" in credential ? credential.originalVerifiableCredential : credential);
775
- const presentationResult = await this.getPresentationExchange({
776
- verifiableCredentials,
777
- allIdentifiers: this.allIdentifiers,
778
- hasher: opts?.hasher
779
- }).createVerifiablePresentation(vcs.definition.definition, verifiableCredentials, signCallback, {
780
- proofOptions,
781
- // fixme: Update to newer siop-vp to not require dids here. But when Veramo is creating the VP it's still looking at this field to pass into didManagerGet
782
- ...identifier && (0, import_ssi_sdk_ext2.isManagedIdentifierDidResult)(identifier) && {
783
- holderDID: identifier.did
784
- }
785
- });
786
- const verifiablePresentations = presentationResult.verifiablePresentations.map((verifiablePresentation) => typeof verifiablePresentation !== "string" && "proof" in verifiablePresentation && "jwt" in verifiablePresentation.proof && verifiablePresentation.proof.jwt ? verifiablePresentation.proof.jwt : verifiablePresentation);
787
- return {
788
- ...presentationResult,
789
- verifiablePresentations,
790
- verifiableCredentials,
791
- definition: selectedVerifiableCredentials.definition,
792
- idOpts: idOpts2
793
- };
794
701
  }
795
- async filterCredentialsAgainstAllDefinitions(credentialRole, opts) {
796
- const defs = await this.getPresentationDefinitions();
797
- const result = [];
798
- if (defs) {
799
- for (const definition of defs) {
800
- result.push(await this.filterCredentials(credentialRole, definition, opts));
801
- }
702
+ return "jwt_vc_json";
703
+ }
704
+ __name(detectCredentialFormat, "detectCredentialFormat");
705
+ function getIdentifierString(identifier) {
706
+ if ("opts" in identifier && "method" in identifier) {
707
+ if ((0, import_ssi_sdk_ext2.isManagedIdentifierDidResult)(identifier)) {
708
+ return identifier.did;
802
709
  }
803
- return result;
804
- }
805
- async filterCredentials(credentialRole, presentationDefinition, opts) {
806
- const udcMap = /* @__PURE__ */ new Map();
807
- opts?.filterOpts?.verifiableCredentials?.forEach((credential) => {
808
- if (typeof credential === "object" && "digitalCredential" in credential) {
809
- udcMap.set(credential.originalVerifiableCredential, credential);
810
- } else {
811
- udcMap.set(credential, credential);
812
- }
813
- });
814
- const credentials = (await this.filterCredentialsWithSelectionStatus(credentialRole, presentationDefinition, {
815
- ...opts,
816
- filterOpts: {
817
- verifiableCredentials: opts?.filterOpts?.verifiableCredentials?.map((credential) => {
818
- if (typeof credential === "object" && "digitalCredential" in credential) {
819
- return credential.originalVerifiableCredential;
820
- } else {
821
- return credential;
822
- }
823
- })
824
- }
825
- })).verifiableCredential;
826
- return {
827
- definition: presentationDefinition,
828
- credentials: credentials?.map((vc) => udcMap.get(vc)) ?? []
829
- };
830
710
  }
831
- async filterCredentialsWithSelectionStatus(credentialRole, presentationDefinition, opts) {
832
- const selectionResults = await this.getPresentationExchange({
833
- verifiableCredentials: await this.getCredentials(credentialRole, opts?.filterOpts)
834
- }).selectVerifiableCredentialsForSubmission(presentationDefinition.definition, opts);
835
- if (selectionResults.errors && selectionResults.errors.length > 0) {
836
- throw Error(JSON.stringify(selectionResults.errors));
837
- } else if (selectionResults.areRequiredCredentialsPresent === import_pex.Status.ERROR) {
838
- throw Error(`Not all required credentials are available to satisfy the relying party's request`);
711
+ return identifier.issuer ?? identifier.kid ?? "";
712
+ }
713
+ __name(getIdentifierString, "getIdentifierString");
714
+ async function createVerifiablePresentationForFormat(credential, identifier, context) {
715
+ const { nonce, audience, agent, clockSkew = CLOCK_SKEW } = context;
716
+ const originalCredential = extractOriginalCredential(credential);
717
+ const format = detectCredentialFormat(originalCredential);
718
+ logger.debug(`Creating VP for format: ${format}`);
719
+ switch (format) {
720
+ case "dc+sd-jwt": {
721
+ const decodedSdJwt = await import_ssi_types.CredentialMapper.decodeSdJwtVcAsync(typeof originalCredential === "string" ? originalCredential : originalCredential.compactSdJwtVc, import_ssi_sdk2.defaultGenerateDigest);
722
+ const hashAlg = decodedSdJwt.signedPayload._sd_alg ?? "sha-256";
723
+ const sdHash = (0, import_utils.calculateSdHash)(decodedSdJwt.compactSdJwtVc, hashAlg, import_ssi_sdk2.defaultGenerateDigest);
724
+ const kbJwtPayload = {
725
+ iat: Math.floor(Date.now() / 1e3 - clockSkew),
726
+ sd_hash: sdHash,
727
+ nonce,
728
+ aud: audience
729
+ };
730
+ const presentationResult = await agent.createSdJwtPresentation({
731
+ presentation: decodedSdJwt.compactSdJwtVc,
732
+ kb: {
733
+ payload: kbJwtPayload
734
+ }
735
+ });
736
+ return presentationResult.presentation;
737
+ }
738
+ case "jwt_vc_json": {
739
+ const vcJwt = typeof originalCredential === "string" ? originalCredential : JSON.stringify(originalCredential);
740
+ const identifierString = getIdentifierString(identifier);
741
+ const vpPayload = {
742
+ iss: identifierString,
743
+ aud: audience,
744
+ nonce,
745
+ vp: {
746
+ "@context": [
747
+ "https://www.w3.org/2018/credentials/v1"
748
+ ],
749
+ type: [
750
+ "VerifiablePresentation"
751
+ ],
752
+ holder: identifierString,
753
+ verifiableCredential: [
754
+ vcJwt
755
+ ]
756
+ },
757
+ iat: Math.floor(Date.now() / 1e3 - clockSkew),
758
+ exp: Math.floor(Date.now() / 1e3 + 600)
759
+ };
760
+ const vpJwt = await agent.createVerifiablePresentation({
761
+ presentation: vpPayload.vp,
762
+ proofFormat: "jwt",
763
+ domain: audience,
764
+ challenge: nonce,
765
+ keyRef: identifier.kmsKeyRef || identifier.kid
766
+ });
767
+ return vpJwt.proof?.jwt || vpJwt;
839
768
  }
840
- const matches = selectionResults.matches;
841
- if (!matches || matches.length === 0 || !selectionResults.verifiableCredential || selectionResults.verifiableCredential.length === 0) {
842
- throw Error(JSON.stringify(selectionResults.errors));
769
+ case "ldp_vc": {
770
+ const vcObject = typeof originalCredential === "string" ? JSON.parse(originalCredential) : originalCredential;
771
+ const vpObject = {
772
+ "@context": [
773
+ "https://www.w3.org/2018/credentials/v1"
774
+ ],
775
+ type: [
776
+ "VerifiablePresentation"
777
+ ],
778
+ verifiableCredential: [
779
+ vcObject
780
+ ]
781
+ };
782
+ return await agent.createVerifiablePresentation({
783
+ presentation: vpObject,
784
+ proofFormat: "lds",
785
+ challenge: nonce,
786
+ domain: audience,
787
+ keyRef: identifier.kmsKeyRef || identifier.kid
788
+ });
843
789
  }
844
- return selectionResults;
845
- }
846
- async getCredentials(credentialRole, filterOpts) {
847
- if (filterOpts?.verifiableCredentials && filterOpts.verifiableCredentials.length > 0) {
848
- return filterOpts.verifiableCredentials;
790
+ case "mso_mdoc": {
791
+ logger.warning("mso_mdoc format has basic support - production use requires proper mdoc VP token implementation");
792
+ return originalCredential;
849
793
  }
850
- const filter = (0, import_ssi_sdk3.verifiableCredentialForRoleFilter)(credentialRole, filterOpts?.filter);
851
- const uniqueCredentials = await this.session.context.agent.crsGetUniqueCredentials({
852
- filter
853
- });
854
- return uniqueCredentials.map((uniqueVC) => {
855
- const vc = uniqueVC.uniformVerifiableCredential;
856
- const proof = Array.isArray(vc.proof) ? vc.proof : [
857
- vc.proof
858
- ];
859
- const jwtProof = proof.find((p) => p?.type === DEFAULT_JWT_PROOF_TYPE);
860
- return jwtProof ? jwtProof.jwt : vc;
861
- });
794
+ default:
795
+ return Promise.reject(Error(`Unsupported credential format: ${format}`));
862
796
  }
863
- };
797
+ }
798
+ __name(createVerifiablePresentationForFormat, "createVerifiablePresentationForFormat");
864
799
 
865
800
  // src/session/OpSession.ts
866
- var import_did_auth_siop3 = require("@sphereon/did-auth-siop");
801
+ var import_did_auth_siop2 = require("@sphereon/did-auth-siop");
867
802
  var import_ssi_sdk_ext3 = require("@sphereon/ssi-sdk-ext.did-utils");
868
- var import_ssi_sdk4 = require("@sphereon/ssi-sdk.core");
869
- var import_ssi_types = require("@sphereon/ssi-types");
870
- var import_uuid = require("uuid");
871
- var import_pex2 = require("@sphereon/pex");
803
+ var import_ssi_sdk3 = require("@sphereon/ssi-sdk.core");
872
804
  var import_ssi_types2 = require("@sphereon/ssi-types");
873
- var logger = import_ssi_types2.Loggers.DEFAULT.get("sphereon:oid4vp:OpSession");
805
+ var import_uuid = require("uuid");
806
+ var logger2 = import_ssi_types2.Loggers.DEFAULT.get("sphereon:oid4vp:OpSession");
874
807
  var OpSession = class _OpSession {
875
808
  static {
876
809
  __name(this, "OpSession");
@@ -883,13 +816,11 @@ var OpSession = class _OpSession {
883
816
  verifiedAuthorizationRequest;
884
817
  _nonce;
885
818
  _state;
886
- _providedPresentationDefinitions;
887
819
  constructor(options) {
888
820
  this.id = options.sessionId;
889
821
  this.options = options.op;
890
822
  this.context = options.context;
891
823
  this.requestJwtOrUri = options.requestJwtOrUri;
892
- this._providedPresentationDefinitions = options.providedPresentationDefinitions;
893
824
  }
894
825
  static async init(options) {
895
826
  return new _OpSession(options);
@@ -908,7 +839,7 @@ var OpSession = class _OpSession {
908
839
  return this.verifiedAuthorizationRequest;
909
840
  }
910
841
  async getAuthorizationRequestURI() {
911
- return await import_did_auth_siop3.URI.fromAuthorizationRequest((await this.getAuthorizationRequest()).authorizationRequest);
842
+ return await import_did_auth_siop2.URI.fromAuthorizationRequest((await this.getAuthorizationRequest()).authorizationRequest);
912
843
  }
913
844
  get nonce() {
914
845
  if (!this._nonce) {
@@ -936,9 +867,9 @@ var OpSession = class _OpSession {
936
867
  didPrefix,
937
868
  agentMethods
938
869
  });
939
- logger.debug(`RP supports subject syntax types: ${JSON.stringify(this.getSubjectSyntaxTypesSupported())}`);
870
+ logger2.debug(`RP supports subject syntax types: ${JSON.stringify(this.getSubjectSyntaxTypesSupported())}`);
940
871
  if (rpMethods.dids.length === 0) {
941
- logger.debug(`RP does not support DIDs. Supported: ${JSON.stringify(this.getSubjectSyntaxTypesSupported())}`);
872
+ logger2.debug(`RP does not support DIDs. Supported: ${JSON.stringify(this.getSubjectSyntaxTypesSupported())}`);
942
873
  return [];
943
874
  }
944
875
  let intersection;
@@ -956,7 +887,7 @@ var OpSession = class _OpSession {
956
887
  }
957
888
  getAgentDIDMethodsSupported(opts) {
958
889
  const agentMethods = this.options.supportedDIDMethods?.map((method) => convertDidMethod(method, opts.didPrefix));
959
- logger.debug(`agent methods: ${JSON.stringify(agentMethods)}`);
890
+ logger2.debug(`agent methods: ${JSON.stringify(agentMethods)}`);
960
891
  return agentMethods;
961
892
  }
962
893
  async getSubjectSyntaxTypesSupported() {
@@ -967,15 +898,15 @@ var OpSession = class _OpSession {
967
898
  async getRPDIDMethodsSupported(opts) {
968
899
  let keyType;
969
900
  const agentMethods = (opts.agentMethods ?? this.getAgentDIDMethodsSupported(opts))?.map((method) => convertDidMethod(method, opts.didPrefix)) ?? [];
970
- logger.debug(`agent methods supported: ${JSON.stringify(agentMethods)}`);
901
+ logger2.debug(`agent methods supported: ${JSON.stringify(agentMethods)}`);
971
902
  const authReq = await this.getAuthorizationRequest();
972
903
  const subjectSyntaxTypesSupported = authReq.registrationMetadataPayload?.subject_syntax_types_supported?.map((method) => convertDidMethod(method, opts.didPrefix)).filter((val) => !val.startsWith("did"));
973
- logger.debug(`subject syntax types supported in rp method supported: ${JSON.stringify(subjectSyntaxTypesSupported)}`);
904
+ logger2.debug(`subject syntax types supported in rp method supported: ${JSON.stringify(subjectSyntaxTypesSupported)}`);
974
905
  const aud = await authReq.authorizationRequest.getMergedProperty("aud");
975
906
  let rpMethods = [];
976
907
  if (aud && aud.startsWith("did:")) {
977
- const didMethod = convertDidMethod((0, import_ssi_types.parseDid)(aud).method, opts.didPrefix);
978
- logger.debug(`aud did method: ${didMethod}`);
908
+ const didMethod = convertDidMethod((0, import_ssi_types2.parseDid)(aud).method, opts.didPrefix);
909
+ logger2.debug(`aud did method: ${didMethod}`);
979
910
  if (subjectSyntaxTypesSupported && subjectSyntaxTypesSupported.length > 0 && !subjectSyntaxTypesSupported.includes("did") && !subjectSyntaxTypesSupported.includes(didMethod)) {
980
911
  throw Error(`The aud DID method ${didMethod} is not in the supported types ${subjectSyntaxTypesSupported}`);
981
912
  }
@@ -987,10 +918,10 @@ var OpSession = class _OpSession {
987
918
  subjectSyntaxTypesSupported
988
919
  ]).map((method) => convertDidMethod(method, opts.didPrefix));
989
920
  }
990
- const isEBSI = rpMethods.length === 0 && (authReq.issuer?.includes(".ebsi.eu") || (await authReq.authorizationRequest.getMergedProperty("client_id"))?.includes(".ebsi.eu"));
921
+ const isEBSI = rpMethods.length === 0 && (authReq.issuer?.includes(".ebsi.eu") || authReq.authorizationRequest.getMergedProperty("client_id")?.includes(".ebsi.eu"));
991
922
  let codecName = void 0;
992
923
  if (isEBSI && (!aud || !aud.startsWith("http"))) {
993
- logger.debug(`EBSI detected, adding did:key to supported DID methods for RP`);
924
+ logger2.debug(`EBSI detected, adding did:key to supported DID methods for RP`);
994
925
  const didKeyMethod = convertDidMethod("did:key", opts.didPrefix);
995
926
  if (!agentMethods?.includes(didKeyMethod)) {
996
927
  throw Error(`EBSI detected, but agent did not support did:key. Please reconfigure agent`);
@@ -1009,13 +940,13 @@ var OpSession = class _OpSession {
1009
940
  }
1010
941
  async getSupportedIdentifiers(opts) {
1011
942
  const methods = await this.getSupportedDIDMethods(true);
1012
- logger.debug(`supported DID methods (did: prefix = true): ${JSON.stringify(methods)}`);
943
+ logger2.debug(`supported DID methods (did: prefix = true): ${JSON.stringify(methods)}`);
1013
944
  if (methods.length === 0) {
1014
945
  throw Error(`No DID methods are supported`);
1015
946
  }
1016
947
  const identifiers = await this.context.agent.didManagerFind().then((ids) => ids.filter((id) => methods.includes(id.provider)));
1017
948
  if (identifiers.length === 0) {
1018
- logger.debug(`No identifiers available in agent supporting methods ${JSON.stringify(methods)}`);
949
+ logger2.debug(`No identifiers available in agent supporting methods ${JSON.stringify(methods)}`);
1019
950
  if (opts?.createInCaseNoDIDFound !== false) {
1020
951
  const { codecName, keyType } = await this.getRPDIDMethodsSupported({
1021
952
  didPrefix: true,
@@ -1029,11 +960,11 @@ var OpSession = class _OpSession {
1029
960
  type: keyType
1030
961
  }
1031
962
  });
1032
- logger.debug(`Created a new identifier for the SIOP interaction: ${identifier.did}`);
963
+ logger2.debug(`Created a new identifier for the SIOP interaction: ${identifier.did}`);
1033
964
  identifiers.push(identifier);
1034
965
  }
1035
966
  }
1036
- logger.debug(`supported identifiers: ${JSON.stringify(identifiers.map((id) => id.did))}`);
967
+ logger2.debug(`supported identifiers: ${JSON.stringify(identifiers.map((id) => id.did))}`);
1037
968
  return identifiers;
1038
969
  }
1039
970
  async getSupportedDIDs() {
@@ -1042,56 +973,11 @@ var OpSession = class _OpSession {
1042
973
  async getRedirectUri() {
1043
974
  return Promise.resolve(this.verifiedAuthorizationRequest.responseURI);
1044
975
  }
1045
- async hasPresentationDefinitions() {
1046
- const defs = this._providedPresentationDefinitions ?? (await this.getAuthorizationRequest()).presentationDefinitions;
1047
- return defs !== void 0 && defs.length > 0;
1048
- }
1049
- async getPresentationDefinitions() {
1050
- if (!await this.hasPresentationDefinitions()) {
1051
- throw Error(`No presentation definitions found`);
1052
- }
1053
- return this._providedPresentationDefinitions ?? (await this.getAuthorizationRequest()).presentationDefinitions;
1054
- }
1055
- async getOID4VP(args) {
1056
- return await OID4VP.init(this, args.allIdentifiers ?? [], args.hasher);
1057
- }
1058
- createPresentationVerificationCallback(context) {
1059
- async function presentationVerificationCallback(args, presentationSubmission) {
1060
- let result;
1061
- if (import_ssi_types.CredentialMapper.isSdJwtEncoded(args)) {
1062
- try {
1063
- const sdJwtResult = await context.agent.verifySdJwtPresentation({
1064
- presentation: args
1065
- });
1066
- result = {
1067
- verified: "header" in sdJwtResult,
1068
- error: "header" in sdJwtResult ? void 0 : {
1069
- message: "could not verify SD JWT presentation"
1070
- }
1071
- };
1072
- } catch (error) {
1073
- result = {
1074
- verified: false,
1075
- error: {
1076
- message: error.message
1077
- }
1078
- };
1079
- }
1080
- } else {
1081
- result = await context.agent.verifyPresentation({
1082
- presentation: args
1083
- });
1084
- }
1085
- return result;
1086
- }
1087
- __name(presentationVerificationCallback, "presentationVerificationCallback");
1088
- return presentationVerificationCallback;
1089
- }
1090
976
  async createJarmResponseCallback({ responseOpts }) {
1091
977
  const agent = this.context.agent;
1092
978
  return /* @__PURE__ */ __name(async function jarmResponse(opts) {
1093
979
  const { clientMetadata, requestObjectPayload, authorizationResponsePayload: authResponse } = opts;
1094
- const jwk = await import_did_auth_siop3.OP.extractEncJwksFromClientMetadata(clientMetadata);
980
+ const jwk = await import_did_auth_siop2.OP.extractEncJwksFromClientMetadata(clientMetadata);
1095
981
  const recipientKey = await agent.identifierExternalResolveByJwk({
1096
982
  identifier: jwk
1097
983
  });
@@ -1100,8 +986,8 @@ var OpSession = class _OpSession {
1100
986
  protectedHeader: {},
1101
987
  alg: requestObjectPayload.client_metadata.authorization_encrypted_response_alg ?? "ECDH-ES",
1102
988
  enc: requestObjectPayload.client_metadata.authorization_encrypted_response_enc ?? "A256GCM",
1103
- apv: (0, import_ssi_sdk4.encodeBase64url)(opts.requestObjectPayload.nonce),
1104
- apu: (0, import_ssi_sdk4.encodeBase64url)((0, import_uuid.v4)()),
989
+ apv: (0, import_ssi_sdk3.encodeBase64url)(opts.requestObjectPayload.nonce),
990
+ apu: (0, import_ssi_sdk3.encodeBase64url)((0, import_uuid.v4)()),
1105
991
  payload: authResponse,
1106
992
  issuer: responseOpts.issuer,
1107
993
  audience: responseOpts.audience
@@ -1113,6 +999,7 @@ var OpSession = class _OpSession {
1113
999
  }, "jarmResponse");
1114
1000
  }
1115
1001
  async sendAuthorizationResponse(args) {
1002
+ const { responseSignerOpts, dcqlResponse, isFirstParty } = args;
1116
1003
  const resolveOpts = this.options.resolveOpts ?? {
1117
1004
  resolver: (0, import_ssi_sdk_ext3.getAgentResolver)(this.context, {
1118
1005
  uniresolverResolution: true,
@@ -1123,23 +1010,7 @@ var OpSession = class _OpSession {
1123
1010
  if (!resolveOpts.subjectSyntaxTypesSupported || resolveOpts.subjectSyntaxTypesSupported.length === 0) {
1124
1011
  resolveOpts.subjectSyntaxTypesSupported = await this.getSupportedDIDMethods(true);
1125
1012
  }
1126
- const verification = {
1127
- presentationVerificationCallback: this.createPresentationVerificationCallback(this.context)
1128
- };
1129
1013
  const request = await this.getAuthorizationRequest();
1130
- const hasDefinitions = await this.hasPresentationDefinitions();
1131
- if (hasDefinitions) {
1132
- const totalInputDescriptors = request.presentationDefinitions?.reduce((sum, pd) => {
1133
- return sum + pd.definition.input_descriptors.length;
1134
- }, 0);
1135
- const totalVCs = args.verifiablePresentations ? this.countVCsInAllVPs(args.verifiablePresentations, args.hasher) : 0;
1136
- if (!request.presentationDefinitions || !args.verifiablePresentations || totalVCs !== totalInputDescriptors) {
1137
- throw Error(`Amount of presentations ${args.verifiablePresentations?.length}, doesn't match expected ${request.presentationDefinitions?.length}`);
1138
- } else if (!args.presentationSubmission) {
1139
- throw Error(`Presentation submission is required when verifiable presentations are required`);
1140
- }
1141
- }
1142
- const verifiablePresentations = args.verifiablePresentations ? args.verifiablePresentations.map((vp) => import_ssi_types.CredentialMapper.storedPresentationToOriginalFormat(vp)) : [];
1143
1014
  const op = await createOP({
1144
1015
  opOptions: {
1145
1016
  ...this.options,
@@ -1151,23 +1022,16 @@ var OpSession = class _OpSession {
1151
1022
  wellknownDIDVerifyCallback: this.options.wellknownDIDVerifyCallback,
1152
1023
  supportedVersions: request.versions
1153
1024
  },
1154
- idOpts: args.responseSignerOpts,
1025
+ idOpts: responseSignerOpts,
1155
1026
  context: this.context
1156
1027
  });
1157
- let issuer = args.responseSignerOpts.issuer;
1028
+ let issuer = responseSignerOpts.issuer;
1158
1029
  const responseOpts = {
1159
- verification,
1160
1030
  issuer,
1161
- ...args.isFirstParty && {
1162
- isFirstParty: args.isFirstParty
1031
+ ...isFirstParty && {
1032
+ isFirstParty
1163
1033
  },
1164
- ...args.verifiablePresentations && {
1165
- presentationExchange: {
1166
- verifiablePresentations,
1167
- presentationSubmission: args.presentationSubmission
1168
- }
1169
- },
1170
- dcqlQuery: args.dcqlResponse
1034
+ dcqlResponse
1171
1035
  };
1172
1036
  const authResponse = await op.createAuthorizationResponse(request, responseOpts);
1173
1037
  const response = await op.submitAuthorizationResponse(authResponse, await this.createJarmResponseCallback({
@@ -1179,24 +1043,6 @@ var OpSession = class _OpSession {
1179
1043
  return response;
1180
1044
  }
1181
1045
  }
1182
- countVCsInAllVPs(verifiablePresentations, hasher) {
1183
- return verifiablePresentations.reduce((sum, vp) => {
1184
- if (import_ssi_types.CredentialMapper.isMsoMdocDecodedPresentation(vp) || import_ssi_types.CredentialMapper.isMsoMdocOid4VPEncoded(vp)) {
1185
- return sum + 1;
1186
- }
1187
- const uvp = import_ssi_types.CredentialMapper.toUniformPresentation(vp, {
1188
- hasher: hasher ?? this.options.hasher
1189
- });
1190
- if (uvp.verifiableCredential?.length) {
1191
- return sum + uvp.verifiableCredential?.length;
1192
- }
1193
- const isSdJWT = import_ssi_types.CredentialMapper.isSdJwtDecodedCredential(uvp);
1194
- if (isSdJWT || uvp.verifiableCredential && !import_pex2.PEX.allowMultipleVCsPerPresentation(uvp.verifiableCredential)) {
1195
- return sum + 1;
1196
- }
1197
- return sum;
1198
- }, 0);
1199
- }
1200
1046
  };
1201
1047
  function convertDidMethod(didMethod, didPrefix) {
1202
1048
  if (didPrefix === false) {
@@ -1206,11 +1052,6 @@ function convertDidMethod(didMethod, didPrefix) {
1206
1052
  }
1207
1053
  __name(convertDidMethod, "convertDidMethod");
1208
1054
 
1209
- // src/agent/DidAuthSiopOpAuthenticator.ts
1210
- var import_pex4 = require("@sphereon/pex");
1211
- var import_utils = require("@veramo/utils");
1212
- var import_dcql3 = require("dcql");
1213
-
1214
1055
  // src/machine/Siopv2Machine.ts
1215
1056
  var import_xstate = require("xstate");
1216
1057
 
@@ -1257,7 +1098,7 @@ var translate = Localization.translate;
1257
1098
 
1258
1099
  // src/machine/Siopv2Machine.ts
1259
1100
  var import_ssi_types3 = require("@sphereon/ssi-types");
1260
- var logger2 = import_ssi_types3.Loggers.DEFAULT.get(LOGGER_NAMESPACE);
1101
+ var logger3 = import_ssi_types3.Loggers.DEFAULT.get(LOGGER_NAMESPACE);
1261
1102
  var Siopv2HasNoContactGuard = /* @__PURE__ */ __name((_ctx, _event) => {
1262
1103
  const { contact } = _ctx;
1263
1104
  return contact === void 0;
@@ -1278,7 +1119,7 @@ var Siopv2HasSelectableCredentialsAndContactGuard = /* @__PURE__ */ __name((_ctx
1278
1119
  if (!contact) {
1279
1120
  throw new Error("Missing contact request data in context");
1280
1121
  }
1281
- return authorizationRequestData.presentationDefinitions !== void 0;
1122
+ return authorizationRequestData.dcqlQuery !== void 0;
1282
1123
  }, "Siopv2HasSelectableCredentialsAndContactGuard");
1283
1124
  var Siopv2CreateContactGuard = /* @__PURE__ */ __name((_ctx, _event) => {
1284
1125
  const { contactAlias, hasContactConsent } = _ctx;
@@ -1289,7 +1130,7 @@ var Siopv2HasSelectedRequiredCredentialsGuard = /* @__PURE__ */ __name((_ctx, _e
1289
1130
  if (authorizationRequestData === void 0) {
1290
1131
  throw new Error("Missing authorization request data in context");
1291
1132
  }
1292
- if (authorizationRequestData.presentationDefinitions === void 0 || authorizationRequestData.presentationDefinitions.length === 0) {
1133
+ if (authorizationRequestData.dcqlQuery === void 0) {
1293
1134
  throw Error("No presentation definitions present");
1294
1135
  }
1295
1136
  return _ctx.selectedCredentials.length > 0;
@@ -1299,7 +1140,7 @@ var Siopv2IsSiopOnlyGuard = /* @__PURE__ */ __name((_ctx, _event) => {
1299
1140
  if (authorizationRequestData === void 0) {
1300
1141
  throw new Error("Missing authorization request data in context");
1301
1142
  }
1302
- return authorizationRequestData.presentationDefinitions === void 0;
1143
+ return authorizationRequestData.dcqlQuery === void 0;
1303
1144
  }, "Siopv2IsSiopOnlyGuard");
1304
1145
  var Siopv2IsSiopWithOID4VPGuard = /* @__PURE__ */ __name((_ctx, _event) => {
1305
1146
  const { authorizationRequestData, selectableCredentialsMap } = _ctx;
@@ -1309,7 +1150,7 @@ var Siopv2IsSiopWithOID4VPGuard = /* @__PURE__ */ __name((_ctx, _event) => {
1309
1150
  if (!selectableCredentialsMap) {
1310
1151
  throw new Error("Missing selectableCredentialsMap in context");
1311
1152
  }
1312
- return authorizationRequestData.presentationDefinitions !== void 0;
1153
+ return authorizationRequestData.dcqlQuery !== void 0;
1313
1154
  }, "Siopv2IsSiopWithOID4VPGuard");
1314
1155
  var createSiopv2Machine = /* @__PURE__ */ __name((opts) => {
1315
1156
  const { url, idOpts: idOpts2 } = opts;
@@ -1587,7 +1428,7 @@ var Siopv2Machine = class {
1587
1428
  __name(this, "Siopv2Machine");
1588
1429
  }
1589
1430
  static newInstance(opts) {
1590
- logger2.info("New Siopv2Machine instance");
1431
+ logger3.info("New Siopv2Machine instance");
1591
1432
  const interpreter = (0, import_xstate.interpret)(createSiopv2Machine(opts).withConfig({
1592
1433
  services: {
1593
1434
  ...opts?.services
@@ -1615,7 +1456,7 @@ var Siopv2Machine = class {
1615
1456
  });
1616
1457
  }
1617
1458
  interpreter.onTransition((snapshot) => {
1618
- logger2.info("onTransition to new state", snapshot.value);
1459
+ logger3.info("onTransition to new state", snapshot.value);
1619
1460
  });
1620
1461
  return {
1621
1462
  interpreter
@@ -1624,115 +1465,57 @@ var Siopv2Machine = class {
1624
1465
  };
1625
1466
 
1626
1467
  // src/services/Siopv2MachineService.ts
1627
- var import_did_auth_siop4 = require("@sphereon/did-auth-siop");
1628
- var import_pex3 = require("@sphereon/pex");
1629
- var import_ssi_sdk_ext4 = require("@sphereon/ssi-sdk-ext.identifier-resolution");
1468
+ var import_ssi_sdk_ext4 = require("@sphereon/ssi-sdk-ext.did-utils");
1469
+ var import_ssi_sdk_ext5 = require("@sphereon/ssi-sdk-ext.identifier-resolution");
1470
+ var import_ssi_sdk4 = require("@sphereon/ssi-sdk.core");
1630
1471
  var import_ssi_sdk5 = require("@sphereon/ssi-sdk.credential-store");
1631
- var import_ssi_sdk6 = require("@sphereon/ssi-sdk.data-store");
1472
+ var import_ssi_sdk6 = require("@sphereon/ssi-sdk.data-store-types");
1632
1473
  var import_ssi_types6 = require("@sphereon/ssi-types");
1633
- var import_ssi_sdk_ext5 = require("@sphereon/ssi-sdk-ext.did-utils");
1634
- var import_ssi_sdk7 = require("@sphereon/ssi-sdk.core");
1635
1474
  var import_dcql = require("dcql");
1636
1475
 
1637
1476
  // src/utils/dcql.ts
1638
1477
  var import_ssi_types5 = require("@sphereon/ssi-types");
1478
+ var import_did_auth_siop3 = require("@sphereon/did-auth-siop");
1639
1479
 
1640
1480
  // src/utils/CredentialUtils.ts
1641
1481
  var import_ssi_types4 = require("@sphereon/ssi-types");
1642
- var getOriginalVerifiableCredential = /* @__PURE__ */ __name((credential) => {
1643
- if (isUniqueDigitalCredential(credential)) {
1644
- if (!credential.originalVerifiableCredential) {
1645
- throw new Error("originalVerifiableCredential is not defined in UniqueDigitalCredential");
1646
- }
1647
- return getCredentialFromProofOrWrapped(credential.originalVerifiableCredential);
1648
- }
1649
- return getCredentialFromProofOrWrapped(credential);
1650
- }, "getOriginalVerifiableCredential");
1651
- var getCredentialFromProofOrWrapped = /* @__PURE__ */ __name((cred, hasher) => {
1652
- if (typeof cred === "object" && "proof" in cred && "jwt" in cred.proof && import_ssi_types4.CredentialMapper.isSdJwtEncoded(cred.proof.jwt)) {
1653
- return cred.proof.jwt;
1654
- }
1655
- return import_ssi_types4.CredentialMapper.toWrappedVerifiableCredential(cred, {
1656
- hasher
1657
- }).original;
1658
- }, "getCredentialFromProofOrWrapped");
1659
1482
  var isUniqueDigitalCredential = /* @__PURE__ */ __name((credential) => {
1660
1483
  return credential.digitalCredential !== void 0;
1661
1484
  }, "isUniqueDigitalCredential");
1662
1485
 
1663
1486
  // src/utils/dcql.ts
1664
1487
  function convertToDcqlCredentials(credential, hasher) {
1665
- let payload;
1488
+ let originalVerifiableCredential;
1666
1489
  if (isUniqueDigitalCredential(credential)) {
1667
1490
  if (!credential.originalVerifiableCredential) {
1668
1491
  throw new Error("originalVerifiableCredential is not defined in UniqueDigitalCredential");
1669
1492
  }
1670
- payload = import_ssi_types5.CredentialMapper.decodeVerifiableCredential(credential.originalVerifiableCredential, hasher);
1493
+ originalVerifiableCredential = import_ssi_types5.CredentialMapper.decodeVerifiableCredential(credential.originalVerifiableCredential, hasher);
1671
1494
  } else {
1672
- payload = import_ssi_types5.CredentialMapper.decodeVerifiableCredential(credential, hasher);
1495
+ originalVerifiableCredential = import_ssi_types5.CredentialMapper.decodeVerifiableCredential(credential, hasher);
1673
1496
  }
1674
- if (!payload) {
1497
+ if (!originalVerifiableCredential) {
1675
1498
  throw new Error("No payload found");
1676
1499
  }
1677
- if ("decodedPayload" in payload && payload.decodedPayload) {
1678
- payload = payload.decodedPayload;
1679
- }
1680
- if ("vct" in payload) {
1681
- return {
1682
- vct: payload.vct,
1683
- claims: payload,
1684
- credential_format: "dc+sd-jwt"
1685
- };
1686
- } else if ("docType" in payload && "namespaces" in payload) {
1687
- return {
1688
- docType: payload.docType,
1689
- namespaces: payload.namespaces,
1690
- claims: payload
1691
- };
1692
- } else {
1693
- return {
1694
- claims: payload,
1695
- credential_format: "jwt_vc_json"
1696
- };
1500
+ if (import_ssi_types5.CredentialMapper.isJwtDecodedCredential(originalVerifiableCredential)) {
1501
+ return import_did_auth_siop3.Dcql.toDcqlJwtCredential(import_ssi_types5.CredentialMapper.toWrappedVerifiableCredential(originalVerifiableCredential));
1502
+ } else if (import_ssi_types5.CredentialMapper.isSdJwtDecodedCredential(originalVerifiableCredential)) {
1503
+ return import_did_auth_siop3.Dcql.toDcqlSdJwtCredential(import_ssi_types5.CredentialMapper.toWrappedVerifiableCredential(originalVerifiableCredential));
1504
+ } else if (import_ssi_types5.CredentialMapper.isMsoMdocDecodedCredential(originalVerifiableCredential)) {
1505
+ return import_did_auth_siop3.Dcql.toDcqlMdocCredential(import_ssi_types5.CredentialMapper.toWrappedVerifiableCredential(originalVerifiableCredential));
1506
+ } else if (import_ssi_types5.CredentialMapper.isW3cCredential(originalVerifiableCredential)) {
1507
+ return import_did_auth_siop3.Dcql.toDcqlJsonLdCredential(import_ssi_types5.CredentialMapper.toWrappedVerifiableCredential(originalVerifiableCredential));
1697
1508
  }
1509
+ throw Error(`Unable to map credential to DCQL credential. Credential: ${JSON.stringify(originalVerifiableCredential)}`);
1698
1510
  }
1699
1511
  __name(convertToDcqlCredentials, "convertToDcqlCredentials");
1700
1512
 
1701
1513
  // src/services/Siopv2MachineService.ts
1702
- var logger3 = import_ssi_types6.Loggers.DEFAULT.get(LOGGER_NAMESPACE);
1703
- var createEbsiIdentifier = /* @__PURE__ */ __name(async (agentContext) => {
1704
- logger3.log(`No EBSI key present yet. Creating a new one...`);
1705
- const { result: newIdentifier, created } = await (0, import_ssi_sdk_ext5.getOrCreatePrimaryIdentifier)(agentContext, {
1706
- method: import_ssi_sdk_ext5.SupportedDidMethodEnum.DID_KEY,
1707
- createOpts: {
1708
- options: {
1709
- codecName: "jwk_jcs-pub",
1710
- type: "Secp256r1"
1711
- }
1712
- }
1713
- });
1714
- logger3.log(`EBSI key created: ${newIdentifier.did}`);
1715
- if (created) {
1716
- await agentContext.agent.emit(Siopv2HolderEvent.IDENTIFIER_CREATED, {
1717
- result: newIdentifier
1718
- });
1719
- }
1720
- return await agentContext.agent.identifierManagedGetByDid({
1721
- identifier: newIdentifier.did
1722
- });
1723
- }, "createEbsiIdentifier");
1724
- var hasEbsiClient = /* @__PURE__ */ __name(async (authorizationRequest) => {
1725
- const clientId = await authorizationRequest.getMergedProperty("client_id");
1726
- const redirectUri = await authorizationRequest.getMergedProperty("redirect_uri");
1727
- return clientId?.toLowerCase().includes(".ebsi.eu") || redirectUri?.toLowerCase().includes(".ebsi.eu");
1728
- }, "hasEbsiClient");
1514
+ var CLOCK_SKEW2 = 120;
1515
+ var logger4 = import_ssi_types6.Loggers.DEFAULT.get(LOGGER_NAMESPACE);
1729
1516
  var siopSendAuthorizationResponse = /* @__PURE__ */ __name(async (connectionType, args, context) => {
1730
1517
  const { agent } = context;
1731
- const agentContext = {
1732
- ...context,
1733
- agent: context.agent
1734
- };
1735
- let { idOpts: idOpts2, isFirstParty, hasher = import_ssi_sdk7.defaultHasher } = args;
1518
+ const { credentials } = args;
1736
1519
  if (connectionType !== import_ssi_sdk6.ConnectionType.SIOPv2_OpenID4VP) {
1737
1520
  return Promise.reject(Error(`No supported authentication provider for type: ${connectionType}`));
1738
1521
  }
@@ -1740,252 +1523,154 @@ var siopSendAuthorizationResponse = /* @__PURE__ */ __name(async (connectionType
1740
1523
  sessionId: args.sessionId
1741
1524
  });
1742
1525
  const request = await session.getAuthorizationRequest();
1743
- const aud = await request.authorizationRequest.getMergedProperty("aud");
1744
- logger3.debug(`AUD: ${aud}`);
1745
- logger3.debug(JSON.stringify(request.authorizationRequest));
1746
- let presentationsAndDefs;
1747
- let presentationSubmission;
1748
- if (await session.hasPresentationDefinitions()) {
1749
- const oid4vp = await session.getOID4VP({
1750
- hasher
1751
- });
1752
- const credentialsAndDefinitions = args.verifiableCredentialsWithDefinition ? args.verifiableCredentialsWithDefinition : await oid4vp.filterCredentialsAgainstAllDefinitions(import_ssi_sdk6.CredentialRole.HOLDER);
1753
- const domain = await request.authorizationRequest.getMergedProperty("client_id") ?? request.issuer ?? (request.versions.includes(import_did_auth_siop4.SupportedVersion.JWT_VC_PRESENTATION_PROFILE_v1) ? "https://self-issued.me/v2/openid-vc" : "https://self-issued.me/v2");
1754
- logger3.log(`NONCE: ${session.nonce}, domain: ${domain}`);
1755
- const firstUniqueDC = credentialsAndDefinitions[0].credentials[0];
1756
- if (typeof firstUniqueDC !== "object" || !("digitalCredential" in firstUniqueDC)) {
1757
- return Promise.reject(Error("SiopMachine only supports UniqueDigitalCredentials for now"));
1526
+ const aud = request.authorizationRequest.getMergedProperty("aud");
1527
+ logger4.debug(`AUD: ${aud}`);
1528
+ logger4.debug(JSON.stringify(request.authorizationRequest));
1529
+ const domain = await request.authorizationRequest.getMergedProperty("client_id") ?? request.issuer ?? "https://self-issued.me/v2";
1530
+ logger4.debug(`NONCE: ${session.nonce}, domain: ${domain}`);
1531
+ const firstUniqueDC = credentials[0];
1532
+ if (typeof firstUniqueDC !== "object" || !("digitalCredential" in firstUniqueDC)) {
1533
+ return Promise.reject(Error("SiopMachine only supports UniqueDigitalCredentials for now"));
1534
+ }
1535
+ let identifier;
1536
+ const digitalCredential = firstUniqueDC.digitalCredential;
1537
+ const firstVC = firstUniqueDC.uniformVerifiableCredential;
1538
+ let holder;
1539
+ if (import_ssi_types6.CredentialMapper.isSdJwtDecodedCredential(firstVC)) {
1540
+ holder = firstVC.decodedPayload.cnf?.jwk ? `did:jwk:${(0, import_ssi_sdk4.encodeJoseBlob)(firstVC.decodedPayload.cnf?.jwk)}#0` : firstVC.decodedPayload.sub;
1541
+ } else {
1542
+ holder = Array.isArray(firstVC.credentialSubject) ? firstVC.credentialSubject[0].id : firstVC.credentialSubject.id;
1543
+ }
1544
+ if (!digitalCredential.kmsKeyRef) {
1545
+ if (!holder) {
1546
+ return Promise.reject(`No holder found and no kmsKeyRef in DB. Cannot determine identifier to use`);
1758
1547
  }
1759
- let identifier;
1760
- const digitalCredential = firstUniqueDC.digitalCredential;
1761
- const firstVC = firstUniqueDC.uniformVerifiableCredential;
1762
- const holder = import_ssi_types6.CredentialMapper.isSdJwtDecodedCredential(firstVC) ? firstVC.decodedPayload.cnf?.jwk ? (
1763
- //doesn't apply to did:jwk only, as you can represent any DID key as a JWK. So whenever you encounter a JWK it doesn't mean it had to come from a did:jwk in the system. It just can always be represented as a did:jwk
1764
- `did:jwk:${(0, import_ssi_sdk7.encodeJoseBlob)(firstVC.decodedPayload.cnf?.jwk)}#0`
1765
- ) : firstVC.decodedPayload.sub : Array.isArray(firstVC.credentialSubject) ? firstVC.credentialSubject[0].id : firstVC.credentialSubject.id;
1766
- if (!digitalCredential.kmsKeyRef) {
1767
- if (!holder) {
1768
- return Promise.reject(`No holder found and no kmsKeyRef in DB. Cannot determine identifier to use`);
1769
- }
1770
- try {
1771
- identifier = await session.context.agent.identifierManagedGet({
1772
- identifier: holder
1773
- });
1774
- } catch (e) {
1775
- logger3.debug(`Holder DID not found: ${holder}`);
1776
- throw e;
1777
- }
1778
- } else if ((0, import_ssi_sdk_ext4.isOID4VCIssuerIdentifier)(digitalCredential.kmsKeyRef)) {
1779
- identifier = await session.context.agent.identifierManagedGetByOID4VCIssuer({
1780
- identifier: firstUniqueDC.digitalCredential.kmsKeyRef
1548
+ try {
1549
+ identifier = await session.context.agent.identifierManagedGet({
1550
+ identifier: holder
1781
1551
  });
1782
- } else {
1783
- switch (digitalCredential.subjectCorrelationType) {
1784
- case "DID":
1785
- identifier = await session.context.agent.identifierManagedGetByDid({
1786
- identifier: digitalCredential.subjectCorrelationId ?? holder,
1787
- kmsKeyRef: digitalCredential.kmsKeyRef
1788
- });
1789
- break;
1790
- // TODO other implementations?
1791
- default:
1792
- if (digitalCredential.subjectCorrelationId?.startsWith("did:") || holder?.startsWith("did:")) {
1793
- identifier = await session.context.agent.identifierManagedGetByDid({
1794
- identifier: digitalCredential.subjectCorrelationId ?? holder,
1795
- kmsKeyRef: digitalCredential.kmsKeyRef
1796
- });
1797
- } else {
1798
- identifier = await session.context.agent.identifierManagedGetByKid({
1799
- identifier: digitalCredential.subjectCorrelationId ?? holder ?? digitalCredential.kmsKeyRef,
1800
- kmsKeyRef: digitalCredential.kmsKeyRef
1801
- });
1802
- }
1803
- }
1552
+ } catch (e) {
1553
+ logger4.debug(`Holder DID not found: ${holder}`);
1554
+ throw e;
1804
1555
  }
1805
- if (identifier === void 0 && idOpts2 !== void 0 && await hasEbsiClient(request.authorizationRequest)) {
1806
- identifier = await createEbsiIdentifier(agentContext);
1807
- }
1808
- logger3.debug(`Identifier`, identifier);
1809
- presentationsAndDefs = await oid4vp.createVerifiablePresentations(import_ssi_sdk6.CredentialRole.HOLDER, credentialsAndDefinitions, {
1810
- idOpts: identifier,
1811
- proofOpts: {
1812
- nonce: session.nonce,
1813
- domain
1814
- }
1556
+ } else if ((0, import_ssi_sdk_ext5.isOID4VCIssuerIdentifier)(digitalCredential.kmsKeyRef)) {
1557
+ identifier = await session.context.agent.identifierManagedGetByOID4VCIssuer({
1558
+ identifier: firstUniqueDC.digitalCredential.kmsKeyRef
1815
1559
  });
1816
- if (!presentationsAndDefs || presentationsAndDefs.length === 0) {
1817
- throw Error("No verifiable presentations could be created");
1818
- } else if (presentationsAndDefs.length > 1) {
1819
- throw Error(`Only one verifiable presentation supported for now. Got ${presentationsAndDefs.length}`);
1820
- }
1821
- idOpts2 = presentationsAndDefs[0].idOpts;
1822
- presentationSubmission = presentationsAndDefs[0].presentationSubmission;
1823
- logger3.log(`Definitions and locations:`, JSON.stringify(presentationsAndDefs?.[0]?.verifiablePresentations, null, 2));
1824
- logger3.log(`Presentation Submission:`, JSON.stringify(presentationSubmission, null, 2));
1825
- const mergedVerifiablePresentations = presentationsAndDefs?.flatMap((pd) => pd.verifiablePresentations) || [];
1826
- return await session.sendAuthorizationResponse({
1827
- ...presentationsAndDefs && {
1828
- verifiablePresentations: mergedVerifiablePresentations
1829
- },
1830
- ...presentationSubmission && {
1831
- presentationSubmission
1832
- },
1833
- // todo: Change issuer value in case we do not use identifier. Use key.meta.jwkThumbprint then
1834
- responseSignerOpts: idOpts2,
1835
- isFirstParty
1836
- });
1837
- } else if (request.dcqlQuery) {
1838
- if (args.verifiableCredentialsWithDefinition !== void 0 && args.verifiableCredentialsWithDefinition !== null) {
1839
- const vcs = args.verifiableCredentialsWithDefinition.flatMap((vcd) => vcd.credentials);
1840
- const domain = await request.authorizationRequest.getMergedProperty("client_id") ?? request.issuer ?? (request.versions.includes(import_did_auth_siop4.SupportedVersion.JWT_VC_PRESENTATION_PROFILE_v1) ? "https://self-issued.me/v2/openid-vc" : "https://self-issued.me/v2");
1841
- logger3.debug(`NONCE: ${session.nonce}, domain: ${domain}`);
1842
- const firstUniqueDC = vcs[0];
1843
- if (typeof firstUniqueDC !== "object" || !("digitalCredential" in firstUniqueDC)) {
1844
- return Promise.reject(Error("SiopMachine only supports UniqueDigitalCredentials for now"));
1845
- }
1846
- let identifier;
1847
- const digitalCredential = firstUniqueDC.digitalCredential;
1848
- const firstVC = firstUniqueDC.uniformVerifiableCredential;
1849
- const holder = import_ssi_types6.CredentialMapper.isSdJwtDecodedCredential(firstVC) ? firstVC.decodedPayload.cnf?.jwk ? (
1850
- //doesn't apply to did:jwk only, as you can represent any DID key as a JWK. So whenever you encounter a JWK it doesn't mean it had to come from a did:jwk in the system. It just can always be represented as a did:jwk
1851
- `did:jwk:${(0, import_ssi_sdk7.encodeJoseBlob)(firstVC.decodedPayload.cnf?.jwk)}#0`
1852
- ) : firstVC.decodedPayload.sub : Array.isArray(firstVC.credentialSubject) ? firstVC.credentialSubject[0].id : firstVC.credentialSubject.id;
1853
- if (!digitalCredential.kmsKeyRef) {
1854
- if (!holder) {
1855
- return Promise.reject(`No holder found and no kmsKeyRef in DB. Cannot determine identifier to use`);
1856
- }
1857
- try {
1858
- identifier = await session.context.agent.identifierManagedGet({
1859
- identifier: holder
1860
- });
1861
- } catch (e) {
1862
- logger3.debug(`Holder DID not found: ${holder}`);
1863
- throw e;
1864
- }
1865
- } else if ((0, import_ssi_sdk_ext4.isOID4VCIssuerIdentifier)(digitalCredential.kmsKeyRef)) {
1866
- identifier = await session.context.agent.identifierManagedGetByOID4VCIssuer({
1867
- identifier: firstUniqueDC.digitalCredential.kmsKeyRef
1560
+ } else {
1561
+ switch (digitalCredential.subjectCorrelationType) {
1562
+ case "DID":
1563
+ identifier = await session.context.agent.identifierManagedGetByDid({
1564
+ identifier: digitalCredential.subjectCorrelationId ?? holder,
1565
+ kmsKeyRef: digitalCredential.kmsKeyRef
1868
1566
  });
1869
- } else {
1870
- switch (digitalCredential.subjectCorrelationType) {
1871
- case "DID":
1872
- identifier = await session.context.agent.identifierManagedGetByDid({
1873
- identifier: digitalCredential.subjectCorrelationId ?? holder,
1874
- kmsKeyRef: digitalCredential.kmsKeyRef
1875
- });
1876
- break;
1877
- // TODO other implementations?
1878
- default:
1879
- identifier = await session.context.agent.identifierManagedGetByKid({
1880
- identifier: digitalCredential.subjectCorrelationId ?? holder ?? digitalCredential.kmsKeyRef,
1881
- kmsKeyRef: digitalCredential.kmsKeyRef
1882
- });
1883
- }
1884
- }
1885
- console.log(`Identifier`, identifier);
1886
- const dcqlRepresentations = [];
1887
- vcs.forEach((vc) => {
1888
- const rep = convertToDcqlCredentials(vc, args.hasher);
1889
- if (rep) {
1890
- dcqlRepresentations.push(rep);
1891
- }
1892
- });
1893
- const queryResult = import_dcql.DcqlQuery.query(request.dcqlQuery, dcqlRepresentations);
1894
- const presentation = {};
1895
- for (const [key, value] of Object.entries(queryResult.credential_matches)) {
1896
- const allMatches = Array.isArray(value) ? value : [
1897
- value
1898
- ];
1899
- allMatches.forEach((match) => {
1900
- if (match.success) {
1901
- const originalCredential = getOriginalVerifiableCredential(vcs[match.input_credential_index]);
1902
- if (!originalCredential) {
1903
- throw new Error(`Index ${match.input_credential_index} out of range in credentials array`);
1904
- }
1905
- presentation[key] = originalCredential["compactSdJwtVc"] !== void 0 ? originalCredential.compactSdJwtVc : originalCredential;
1906
- }
1567
+ break;
1568
+ // TODO other implementations?
1569
+ default:
1570
+ identifier = await session.context.agent.identifierManagedGetByKid({
1571
+ identifier: digitalCredential.subjectCorrelationId ?? holder ?? digitalCredential.kmsKeyRef,
1572
+ kmsKeyRef: digitalCredential.kmsKeyRef
1907
1573
  });
1574
+ }
1575
+ }
1576
+ const dcqlCredentialsWithCredentials = new Map(credentials.map((vc) => [
1577
+ convertToDcqlCredentials(vc),
1578
+ vc
1579
+ ]));
1580
+ const queryResult = import_dcql.DcqlQuery.query(request.dcqlQuery, Array.from(dcqlCredentialsWithCredentials.keys()));
1581
+ if (!queryResult.can_be_satisfied) {
1582
+ return Promise.reject(Error("Credentials do not match required query request"));
1583
+ }
1584
+ const presentationContext = {
1585
+ nonce: request.requestObject?.getPayload()?.nonce ?? session.nonce,
1586
+ audience: domain,
1587
+ agent: context.agent,
1588
+ clockSkew: CLOCK_SKEW2,
1589
+ hasher: args.hasher
1590
+ };
1591
+ const presentation = {};
1592
+ const uniqueCredentials = Array.from(dcqlCredentialsWithCredentials.values());
1593
+ for (const [key, value] of Object.entries(queryResult.credential_matches)) {
1594
+ if (value.success) {
1595
+ const matchedCredentials = value.valid_credentials.map((cred) => uniqueCredentials[cred.input_credential_index]);
1596
+ const vc = matchedCredentials[0];
1597
+ if (!vc) {
1598
+ continue;
1599
+ }
1600
+ try {
1601
+ const vp = await createVerifiablePresentationForFormat(vc, identifier, presentationContext);
1602
+ presentation[key] = vp;
1603
+ } catch (error) {
1604
+ logger4.error(`Failed to create VP for credential ${key}:`, error);
1605
+ throw error;
1908
1606
  }
1909
- const response = session.sendAuthorizationResponse({
1910
- responseSignerOpts: identifier,
1911
- ...{
1912
- dcqlQuery: {
1913
- dcqlPresentation: import_dcql.DcqlPresentation.parse(presentation)
1914
- }
1915
- }
1916
- });
1917
- logger3.debug(`Response: `, response);
1918
- return response;
1919
1607
  }
1920
1608
  }
1921
- throw Error("Presentation Definition or DCQL is required");
1609
+ const dcqlPresentation = import_dcql.DcqlPresentation.parse(presentation);
1610
+ const response = session.sendAuthorizationResponse({
1611
+ responseSignerOpts: identifier,
1612
+ dcqlResponse: {
1613
+ dcqlPresentation
1614
+ }
1615
+ });
1616
+ logger4.debug(`Response: `, response);
1617
+ return response;
1922
1618
  }, "siopSendAuthorizationResponse");
1923
- function buildPartialPD(inputDescriptor, presentationDefinition) {
1924
- return {
1925
- ...presentationDefinition,
1926
- input_descriptors: [
1927
- inputDescriptor
1928
- ]
1929
- };
1930
- }
1931
- __name(buildPartialPD, "buildPartialPD");
1932
- var getSelectableCredentials = /* @__PURE__ */ __name(async (presentationDefinition, context) => {
1619
+ var getSelectableCredentials = /* @__PURE__ */ __name(async (dcqlQuery, context) => {
1933
1620
  const agentContext = {
1934
1621
  ...context,
1935
1622
  agent: context.agent
1936
1623
  };
1937
1624
  const { agent } = agentContext;
1938
- const pex = new import_pex3.PEX();
1939
1625
  const uniqueVerifiableCredentials = await agent.crsGetUniqueCredentials({
1940
- filter: (0, import_ssi_sdk5.verifiableCredentialForRoleFilter)(import_ssi_sdk6.CredentialRole.HOLDER)
1626
+ filter: (0, import_ssi_sdk5.verifiableCredentialForRoleFilter)(import_ssi_types6.CredentialRole.HOLDER)
1941
1627
  });
1942
- const credentialBranding = await agent.ibGetCredentialBranding();
1628
+ const branding = await agent.ibGetCredentialBranding();
1629
+ const dcqlCredentialsWithCredentials = new Map(uniqueVerifiableCredentials.map((vc) => [
1630
+ convertToDcqlCredentials(vc),
1631
+ vc
1632
+ ]));
1633
+ const queryResult = import_dcql.DcqlQuery.query(dcqlQuery, Array.from(dcqlCredentialsWithCredentials.keys()));
1634
+ const uniqueCredentials = Array.from(dcqlCredentialsWithCredentials.values());
1943
1635
  const selectableCredentialsMap = /* @__PURE__ */ new Map();
1944
- for (const inputDescriptor of presentationDefinition.input_descriptors) {
1945
- const partialPD = buildPartialPD(inputDescriptor, presentationDefinition);
1946
- const originalCredentials = uniqueVerifiableCredentials.map((uniqueVC) => {
1947
- return import_ssi_types6.CredentialMapper.storedCredentialToOriginalFormat(uniqueVC.originalVerifiableCredential);
1948
- });
1949
- const selectionResults = pex.selectFrom(partialPD, originalCredentials);
1950
- const selectableCredentials = [];
1951
- for (const selectedCredential of selectionResults.verifiableCredential || []) {
1952
- const filteredUniqueVC = uniqueVerifiableCredentials.find((uniqueVC) => {
1953
- const proof = uniqueVC.uniformVerifiableCredential.proof;
1954
- return Array.isArray(proof) ? proof.some((proofItem) => proofItem.jwt === selectedCredential) : proof.jwt === selectedCredential;
1955
- });
1956
- if (filteredUniqueVC) {
1957
- const filteredCredentialBrandings = credentialBranding.filter((cb) => cb.vcHash === filteredUniqueVC.hash);
1958
- const issuerPartyIdentity = await agent.cmGetContacts({
1959
- filter: [
1960
- {
1961
- identities: {
1962
- identifier: {
1963
- correlationId: filteredUniqueVC.uniformVerifiableCredential.issuerDid
1964
- }
1636
+ for (const [key, value] of Object.entries(queryResult.credential_matches)) {
1637
+ if (!value.valid_credentials) {
1638
+ continue;
1639
+ }
1640
+ const mapSelectableCredentialPromises = value.valid_credentials.map(async (cred) => {
1641
+ const matchedCredential = uniqueCredentials[cred.input_credential_index];
1642
+ const credentialBranding = branding.filter((cb) => cb.vcHash === matchedCredential.hash);
1643
+ const issuerPartyIdentity = await agent.cmGetContacts({
1644
+ filter: [
1645
+ {
1646
+ identities: {
1647
+ identifier: {
1648
+ correlationId: matchedCredential.uniformVerifiableCredential.issuerDid
1965
1649
  }
1966
1650
  }
1967
- ]
1968
- });
1969
- const subjectPartyIdentity = await agent.cmGetContacts({
1970
- filter: [
1971
- {
1972
- identities: {
1973
- identifier: {
1974
- correlationId: filteredUniqueVC.uniformVerifiableCredential.subjectDid
1975
- }
1651
+ }
1652
+ ]
1653
+ });
1654
+ const subjectPartyIdentity = await agent.cmGetContacts({
1655
+ filter: [
1656
+ {
1657
+ identities: {
1658
+ identifier: {
1659
+ correlationId: matchedCredential.uniformVerifiableCredential.subjectDid
1976
1660
  }
1977
1661
  }
1978
- ]
1979
- });
1980
- selectableCredentials.push({
1981
- credential: filteredUniqueVC,
1982
- credentialBranding: filteredCredentialBrandings[0]?.localeBranding,
1983
- issuerParty: issuerPartyIdentity?.[0],
1984
- subjectParty: subjectPartyIdentity?.[0]
1985
- });
1986
- }
1987
- }
1988
- selectableCredentialsMap.set(inputDescriptor.id, selectableCredentials);
1662
+ }
1663
+ ]
1664
+ });
1665
+ return {
1666
+ credential: matchedCredential,
1667
+ credentialBranding: credentialBranding[0]?.localeBranding,
1668
+ issuerParty: issuerPartyIdentity?.[0],
1669
+ subjectParty: subjectPartyIdentity?.[0]
1670
+ };
1671
+ });
1672
+ const selectableCredentials = await Promise.all(mapSelectableCredentialPromises);
1673
+ selectableCredentialsMap.set(key, selectableCredentials);
1989
1674
  }
1990
1675
  return selectableCredentialsMap;
1991
1676
  }, "getSelectableCredentials");
@@ -2009,7 +1694,7 @@ var translateCorrelationIdToName = /* @__PURE__ */ __name(async (correlationId,
2009
1694
  }, "translateCorrelationIdToName");
2010
1695
 
2011
1696
  // src/agent/DidAuthSiopOpAuthenticator.ts
2012
- var logger4 = import_ssi_types7.Loggers.DEFAULT.options(LOGGER_NAMESPACE, {}).get(LOGGER_NAMESPACE);
1697
+ var logger5 = import_ssi_types7.Loggers.DEFAULT.options(LOGGER_NAMESPACE, {}).get(LOGGER_NAMESPACE);
2013
1698
  var didAuthSiopOpAuthenticatorMethods = [
2014
1699
  "cmGetContacts",
2015
1700
  "cmGetContact",
@@ -2026,7 +1711,7 @@ var DidAuthSiopOpAuthenticator = class {
2026
1711
  static {
2027
1712
  __name(this, "DidAuthSiopOpAuthenticator");
2028
1713
  }
2029
- schema = schema.IDidAuthSiopOpAuthenticator;
1714
+ schema = plugin_schema_default.IDidAuthSiopOpAuthenticator;
2030
1715
  methods = {
2031
1716
  siopGetOPSession: this.siopGetOPSession.bind(this),
2032
1717
  siopRegisterOPSession: this.siopRegisterOPSession.bind(this),
@@ -2163,13 +1848,13 @@ var DidAuthSiopOpAuthenticator = class {
2163
1848
  hasher: this.hasher
2164
1849
  }
2165
1850
  }));
2166
- logger4.debug(`session: ${JSON.stringify(session.id, null, 2)}`);
1851
+ logger5.debug(`session: ${JSON.stringify(session.id, null, 2)}`);
2167
1852
  const verifiedAuthorizationRequest = await session.getAuthorizationRequest();
2168
1853
  const clientName = verifiedAuthorizationRequest.registrationMetadataPayload?.client_name;
2169
1854
  const url = verifiedAuthorizationRequest.responseURI ?? (args.url.includes("request_uri") ? decodeURIComponent(args.url.split("?request_uri=")[1].trim()) : verifiedAuthorizationRequest.issuer ?? verifiedAuthorizationRequest.registrationMetadataPayload?.client_id);
2170
- const uri = url.includes("://") ? new URL(url) : void 0;
1855
+ const uri = url?.includes("://") ? new URL(url) : void 0;
2171
1856
  const correlationId = uri?.hostname ?? await this.determineCorrelationId(uri, verifiedAuthorizationRequest, clientName, context);
2172
- const clientId = await verifiedAuthorizationRequest.authorizationRequest.getMergedProperty("client_id");
1857
+ const clientId = verifiedAuthorizationRequest.authorizationRequest.getMergedProperty("client_id");
2173
1858
  return {
2174
1859
  issuer: verifiedAuthorizationRequest.issuer,
2175
1860
  correlationId,
@@ -2177,7 +1862,6 @@ var DidAuthSiopOpAuthenticator = class {
2177
1862
  uri,
2178
1863
  name: clientName,
2179
1864
  clientId,
2180
- presentationDefinitions: await verifiedAuthorizationRequest.authorizationRequest.containsResponseType("vp_token") || verifiedAuthorizationRequest.versions.every((version) => version <= import_did_auth_siop5.SupportedVersion.JWT_VC_PRESENTATION_PROFILE_v1) && verifiedAuthorizationRequest.presentationDefinitions && verifiedAuthorizationRequest.presentationDefinitions.length > 0 ? verifiedAuthorizationRequest.presentationDefinitions : void 0,
2181
1865
  dcqlQuery: verifiedAuthorizationRequest.dcqlQuery
2182
1866
  };
2183
1867
  }
@@ -2226,12 +1910,12 @@ var DidAuthSiopOpAuthenticator = class {
2226
1910
  if (correlationId) {
2227
1911
  const identity = {
2228
1912
  alias: correlationId,
2229
- origin: import_ssi_sdk8.IdentityOrigin.EXTERNAL,
1913
+ origin: import_ssi_sdk7.IdentityOrigin.EXTERNAL,
2230
1914
  roles: [
2231
- import_ssi_sdk8.CredentialRole.ISSUER
1915
+ import_ssi_types7.CredentialRole.ISSUER
2232
1916
  ],
2233
1917
  identifier: {
2234
- type: correlationId.startsWith("did:") ? import_ssi_sdk8.CorrelationIdentifierType.DID : import_ssi_sdk8.CorrelationIdentifierType.URL,
1918
+ type: correlationId.startsWith("did:") ? import_ssi_sdk7.CorrelationIdentifierType.DID : import_ssi_sdk7.CorrelationIdentifierType.URL,
2235
1919
  correlationId
2236
1920
  }
2237
1921
  };
@@ -2243,7 +1927,7 @@ var DidAuthSiopOpAuthenticator = class {
2243
1927
  contactId: contact.id,
2244
1928
  identity: addedIdentity
2245
1929
  });
2246
- logger4.info(`Contact identity created: ${JSON.stringify(addedIdentity)}`);
1930
+ logger5.info(`Contact identity created: ${JSON.stringify(addedIdentity)}`);
2247
1931
  }
2248
1932
  }
2249
1933
  async siopSendResponse(args, context) {
@@ -2254,75 +1938,14 @@ var DidAuthSiopOpAuthenticator = class {
2254
1938
  if (authorizationRequestData === void 0) {
2255
1939
  return Promise.reject(Error("Missing authorization request data in context"));
2256
1940
  }
2257
- const pex = new import_pex4.PEX({
2258
- hasher: this.hasher
2259
- });
2260
- const verifiableCredentialsWithDefinition = [];
2261
- const dcqlCredentialsWithCredentials = /* @__PURE__ */ new Map();
2262
- if (Array.isArray(authorizationRequestData.presentationDefinitions) && authorizationRequestData?.presentationDefinitions.length > 0) {
2263
- try {
2264
- authorizationRequestData.presentationDefinitions?.forEach((presentationDefinition) => {
2265
- const { areRequiredCredentialsPresent, verifiableCredential: verifiableCredentials } = pex.selectFrom(presentationDefinition.definition, selectedCredentials.map((udc) => udc.originalVerifiableCredential));
2266
- if (areRequiredCredentialsPresent !== import_pex4.Status.ERROR && verifiableCredentials) {
2267
- let uniqueDigitalCredentials = [];
2268
- uniqueDigitalCredentials = verifiableCredentials.map((vc) => {
2269
- const hash = typeof vc === "string" ? (0, import_utils.computeEntryHash)(vc.split("~"[0])) : (0, import_utils.computeEntryHash)(vc);
2270
- const udc = selectedCredentials.find((udc2) => udc2.hash == hash || udc2.originalVerifiableCredential == vc);
2271
- if (!udc) {
2272
- throw Error(`UniqueDigitalCredential could not be found in store. Either the credential is not present in the store or the hash is not correct.`);
2273
- }
2274
- return udc;
2275
- });
2276
- verifiableCredentialsWithDefinition.push({
2277
- definition: presentationDefinition,
2278
- credentials: uniqueDigitalCredentials
2279
- });
2280
- }
2281
- });
2282
- } catch (e) {
2283
- return Promise.reject(e);
2284
- }
2285
- if (verifiableCredentialsWithDefinition.length === 0) {
2286
- return Promise.reject(Error("None of the selected credentials match any of the presentation definitions."));
2287
- }
2288
- } else if (authorizationRequestData.dcqlQuery) {
2289
- if (this.hasMDocCredentials(selectedCredentials) || this.hasSdJwtCredentials(selectedCredentials)) {
2290
- try {
2291
- selectedCredentials.forEach((vc) => {
2292
- if (this.isSdJwtCredential(vc)) {
2293
- const payload = vc.originalVerifiableCredential.decodedPayload;
2294
- const result = {
2295
- claims: payload,
2296
- vct: payload.vct,
2297
- credential_format: "dc+sd-jwt"
2298
- };
2299
- dcqlCredentialsWithCredentials.set(result, vc);
2300
- } else {
2301
- throw Error(`Invalid credential format: ${vc.digitalCredential.documentFormat}`);
2302
- }
2303
- });
2304
- } catch (e) {
2305
- return Promise.reject(e);
2306
- }
2307
- const dcqlPresentationRecord = {};
2308
- const queryResult = import_dcql3.DcqlQuery.query(authorizationRequestData.dcqlQuery, Array.from(dcqlCredentialsWithCredentials.keys()));
2309
- for (const [key, value] of Object.entries(queryResult.credential_matches)) {
2310
- if (value.success) {
2311
- dcqlPresentationRecord[key] = this.retrieveEncodedCredential(dcqlCredentialsWithCredentials.get(value.output));
2312
- }
2313
- }
2314
- }
2315
- }
2316
- const response = await siopSendAuthorizationResponse(import_ssi_sdk8.ConnectionType.SIOPv2_OpenID4VP, {
1941
+ const response = await siopSendAuthorizationResponse(import_ssi_sdk7.ConnectionType.SIOPv2_OpenID4VP, {
2317
1942
  sessionId: didAuthConfig.sessionId,
2318
1943
  ...args.idOpts && {
2319
1944
  idOpts: args.idOpts
2320
1945
  },
2321
- ...authorizationRequestData.presentationDefinitions !== void 0 && {
2322
- verifiableCredentialsWithDefinition
2323
- },
2324
1946
  isFirstParty,
2325
- hasher: this.hasher
1947
+ hasher: this.hasher,
1948
+ credentials: selectedCredentials
2326
1949
  }, context);
2327
1950
  const contentType = response.headers.get("content-type") || "";
2328
1951
  let responseBody = null;
@@ -2333,39 +1956,21 @@ var DidAuthSiopOpAuthenticator = class {
2333
1956
  return {
2334
1957
  body: responseBody,
2335
1958
  url: response?.url,
2336
- queryParams: (0, import_did_auth_siop5.decodeUriAsJson)(response?.url)
1959
+ queryParams: (0, import_did_auth_siop4.decodeUriAsJson)(response?.url)
2337
1960
  };
2338
1961
  }
2339
- hasMDocCredentials = /* @__PURE__ */ __name((credentials) => {
2340
- return credentials.some(this.isMDocCredential);
2341
- }, "hasMDocCredentials");
2342
- isMDocCredential = /* @__PURE__ */ __name((credential) => {
2343
- return credential.digitalCredential.documentFormat === import_ssi_sdk8.CredentialDocumentFormat.MSO_MDOC && credential.digitalCredential.documentType === import_ssi_sdk8.DocumentType.VC;
2344
- }, "isMDocCredential");
2345
- hasSdJwtCredentials = /* @__PURE__ */ __name((credentials) => {
2346
- return credentials.some(this.isSdJwtCredential);
2347
- }, "hasSdJwtCredentials");
2348
- isSdJwtCredential = /* @__PURE__ */ __name((credential) => {
2349
- return credential.digitalCredential.documentFormat === import_ssi_sdk8.CredentialDocumentFormat.SD_JWT && credential.digitalCredential.documentType === import_ssi_sdk8.DocumentType.VC;
2350
- }, "isSdJwtCredential");
2351
- retrieveEncodedCredential = /* @__PURE__ */ __name((credential) => {
2352
- return credential.originalVerifiableCredential !== void 0 && credential.originalVerifiableCredential !== null && credential?.originalVerifiableCredential?.compactSdJwtVc !== void 0 && credential?.originalVerifiableCredential?.compactSdJwtVc !== null ? credential.originalVerifiableCredential.compactSdJwtVc : credential.originalVerifiableCredential;
2353
- }, "retrieveEncodedCredential");
2354
1962
  async siopGetSelectableCredentials(args, context) {
2355
1963
  const { authorizationRequestData } = args;
2356
- if (!authorizationRequestData || !authorizationRequestData.presentationDefinitions || authorizationRequestData.presentationDefinitions.length === 0) {
2357
- return Promise.reject(Error("Missing required fields in arguments or context"));
1964
+ if (!authorizationRequestData?.dcqlQuery) {
1965
+ return Promise.reject(Error("Missing required dcql query in context"));
2358
1966
  }
2359
- if (authorizationRequestData.presentationDefinitions.length > 1) {
2360
- return Promise.reject(Error("Multiple presentation definitions present"));
2361
- }
2362
- return getSelectableCredentials(authorizationRequestData.presentationDefinitions[0].definition, context);
1967
+ return getSelectableCredentials(authorizationRequestData?.dcqlQuery, context);
2363
1968
  }
2364
1969
  };
2365
1970
 
2366
1971
  // src/machine/CallbackStateListener.ts
2367
1972
  var import_ssi_types8 = require("@sphereon/ssi-types");
2368
- var logger5 = import_ssi_types8.Loggers.DEFAULT.options("sphereon:siopv2-oid4vp:op-auth", {
1973
+ var logger6 = import_ssi_types8.Loggers.DEFAULT.options("sphereon:siopv2-oid4vp:op-auth", {
2369
1974
  defaultLogLevel: import_ssi_types8.LogLevel.DEBUG,
2370
1975
  methods: [
2371
1976
  import_ssi_types8.LogMethod.CONSOLE
@@ -2374,21 +1979,21 @@ var logger5 = import_ssi_types8.Loggers.DEFAULT.options("sphereon:siopv2-oid4vp:
2374
1979
  var OID4VPCallbackStateListener = /* @__PURE__ */ __name((callbacks) => {
2375
1980
  return async (oid4vciMachine, state) => {
2376
1981
  if (state._event.type === "internal") {
2377
- logger5.debug("oid4vpCallbackStateListener: internal event");
1982
+ logger6.debug("oid4vpCallbackStateListener: internal event");
2378
1983
  return;
2379
1984
  }
2380
- logger5.info(`VP state listener state: ${JSON.stringify(state.value)}`);
1985
+ logger6.info(`VP state listener state: ${JSON.stringify(state.value)}`);
2381
1986
  if (!callbacks || callbacks.size === 0) {
2382
- logger5.info(`VP no callbacks registered for state: ${JSON.stringify(state.value)}`);
1987
+ logger6.info(`VP no callbacks registered for state: ${JSON.stringify(state.value)}`);
2383
1988
  return;
2384
1989
  }
2385
1990
  for (const [stateKey, callback] of callbacks) {
2386
1991
  if (state.matches(stateKey)) {
2387
- logger5.log(`VP state callback for state: ${JSON.stringify(state.value)}, will execute...`);
2388
- await callback(oid4vciMachine, state).then(() => logger5.log(`VP state callback executed for state: ${JSON.stringify(state.value)}`)).catch((error) => {
2389
- logger5.error(`VP state callback failed for state: ${JSON.stringify(state.value)}, error: ${JSON.stringify(error?.message)}, ${JSON.stringify(state.event)}`);
1992
+ logger6.log(`VP state callback for state: ${JSON.stringify(state.value)}, will execute...`);
1993
+ await callback(oid4vciMachine, state).then(() => logger6.log(`VP state callback executed for state: ${JSON.stringify(state.value)}`)).catch((error) => {
1994
+ logger6.error(`VP state callback failed for state: ${JSON.stringify(state.value)}, error: ${JSON.stringify(error?.message)}, ${JSON.stringify(state.event)}`);
2390
1995
  if (error.stack) {
2391
- logger5.error(error.stack);
1996
+ logger6.error(error.stack);
2392
1997
  }
2393
1998
  });
2394
1999
  break;
@@ -2398,12 +2003,12 @@ var OID4VPCallbackStateListener = /* @__PURE__ */ __name((callbacks) => {
2398
2003
  }, "OID4VPCallbackStateListener");
2399
2004
 
2400
2005
  // src/link-handler/index.ts
2401
- var import_ssi_sdk9 = require("@sphereon/ssi-sdk.agent-config");
2402
- var import_ssi_sdk10 = require("@sphereon/ssi-sdk.core");
2403
- var import_ssi_sdk11 = require("@sphereon/ssi-sdk.xstate-machine-persistence");
2006
+ var import_ssi_sdk8 = require("@sphereon/ssi-sdk.agent-config");
2007
+ var import_ssi_sdk9 = require("@sphereon/ssi-sdk.core");
2008
+ var import_ssi_sdk10 = require("@sphereon/ssi-sdk.xstate-machine-persistence");
2404
2009
  var import_ssi_types9 = require("@sphereon/ssi-types");
2405
- var logger6 = import_ssi_types9.Loggers.DEFAULT.options(LOGGER_NAMESPACE, {}).get(LOGGER_NAMESPACE);
2406
- var Siopv2OID4VPLinkHandler = class extends import_ssi_sdk10.LinkHandlerAdapter {
2010
+ var logger7 = import_ssi_types9.Loggers.DEFAULT.options(LOGGER_NAMESPACE, {}).get(LOGGER_NAMESPACE);
2011
+ var Siopv2OID4VPLinkHandler = class extends import_ssi_sdk9.LinkHandlerAdapter {
2407
2012
  static {
2408
2013
  __name(this, "Siopv2OID4VPLinkHandler");
2409
2014
  }
@@ -2422,15 +2027,15 @@ var Siopv2OID4VPLinkHandler = class extends import_ssi_sdk10.LinkHandlerAdapter
2422
2027
  this.idOpts = args.idOpts;
2423
2028
  }
2424
2029
  async handle(url, opts) {
2425
- logger6.debug(`handling SIOP link: ${url}`);
2030
+ logger7.debug(`handling SIOP link: ${url}`);
2426
2031
  const siopv2Machine = await this.context.agent.siopGetMachineInterpreter({
2427
2032
  url,
2428
2033
  idOpts: opts?.idOpts ?? this.idOpts,
2429
2034
  stateNavigationListener: this.stateNavigationListener
2430
2035
  });
2431
2036
  const interpreter = siopv2Machine.interpreter;
2432
- if (!this.noStateMachinePersistence && !opts?.machineState && (0, import_ssi_sdk9.contextHasPlugin)(this.context, "machineStatesFindActive")) {
2433
- const init = await (0, import_ssi_sdk11.interpreterStartOrResume)({
2037
+ if (!this.noStateMachinePersistence && !opts?.machineState && (0, import_ssi_sdk8.contextHasPlugin)(this.context, "machineStatesFindActive")) {
2038
+ const init = await (0, import_ssi_sdk10.interpreterStartOrResume)({
2434
2039
  interpreter,
2435
2040
  context: this.context,
2436
2041
  cleanupAllOtherInstances: true,
@@ -2438,14 +2043,11 @@ var Siopv2OID4VPLinkHandler = class extends import_ssi_sdk10.LinkHandlerAdapter
2438
2043
  singletonCheck: true,
2439
2044
  noRegistration: this.noStateMachinePersistence
2440
2045
  });
2441
- logger6.debug(`SIOP machine started for link: ${url}`, init);
2046
+ logger7.debug(`SIOP machine started for link: ${url}`, init);
2442
2047
  } else {
2443
2048
  interpreter.start(opts?.machineState);
2444
- logger6.debug(`SIOP machine started for link: ${url}`);
2049
+ logger7.debug(`SIOP machine started for link: ${url}`);
2445
2050
  }
2446
2051
  }
2447
2052
  };
2448
-
2449
- // src/index.ts
2450
- var schema = require_plugin_schema();
2451
2053
  //# sourceMappingURL=index.cjs.map