@sphereon/ssi-sdk.siopv2-oid4vp-op-auth 0.34.1-feature.SSISDK.26.RP.58 → 0.34.1-feature.SSISDK.44.finish.dcql.310

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (20) hide show
  1. package/dist/index.cjs +667 -1065
  2. package/dist/index.cjs.map +1 -1
  3. package/dist/index.d.cts +723 -118
  4. package/dist/index.d.ts +723 -118
  5. package/dist/index.js +627 -1025
  6. package/dist/index.js.map +1 -1
  7. package/package.json +23 -23
  8. package/src/agent/DidAuthSiopOpAuthenticator.ts +10 -145
  9. package/src/index.ts +2 -1
  10. package/src/machine/Siopv2Machine.ts +5 -5
  11. package/src/services/Siopv2MachineService.ts +140 -267
  12. package/src/session/OID4VP.ts +180 -286
  13. package/src/session/OpSession.ts +11 -119
  14. package/src/session/functions.ts +1 -8
  15. package/src/types/IDidAuthSiopOpAuthenticator.ts +6 -59
  16. package/src/types/identifier/index.ts +0 -4
  17. package/src/types/machine/index.ts +1 -1
  18. package/src/types/siop-service/index.ts +12 -10
  19. package/src/utils/CredentialUtils.ts +2 -40
  20. package/src/utils/dcql.ts +22 -19
package/dist/index.js CHANGED
@@ -35,344 +35,340 @@ var require_nl = __commonJS({
35
35
  });
36
36
 
37
37
  // plugin.schema.json
38
- var require_plugin_schema = __commonJS({
39
- "plugin.schema.json"(exports, module) {
40
- module.exports = {
41
- IDidAuthSiopOpAuthenticator: {
42
- components: {
43
- schemas: {
44
- IGetSiopSessionArgs: {
45
- type: "object",
46
- properties: {
47
- sessionId: {
48
- type: "string"
49
- },
50
- additionalProperties: false
51
- },
52
- required: ["sessionId"],
53
- description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.getSessionForSiop } "
38
+ var plugin_schema_default = {
39
+ IDidAuthSiopOpAuthenticator: {
40
+ components: {
41
+ schemas: {
42
+ IGetSiopSessionArgs: {
43
+ type: "object",
44
+ properties: {
45
+ sessionId: {
46
+ type: "string"
54
47
  },
55
- IRegisterSiopSessionArgs: {
48
+ additionalProperties: false
49
+ },
50
+ required: ["sessionId"],
51
+ description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.getSessionForSiop } "
52
+ },
53
+ IRegisterSiopSessionArgs: {
54
+ type: "object",
55
+ properties: {
56
+ identifier: {
56
57
  type: "object",
57
58
  properties: {
58
- identifier: {
59
- type: "object",
60
- properties: {
61
- did: {
62
- type: "string"
63
- },
64
- alias: {
65
- type: "string"
66
- },
67
- provider: {
68
- type: "string"
69
- },
70
- controllerKeyId: {
71
- type: "string"
72
- },
73
- keys: {
74
- type: "array",
75
- items: {
76
- type: "object",
77
- properties: {
78
- additionalProperties: true
79
- }
80
- }
81
- },
82
- services: {
83
- type: "array",
84
- items: {
85
- type: "object",
86
- properties: {
87
- additionalProperties: true
88
- }
89
- }
90
- }
91
- },
92
- additionalProperties: false,
93
- required: ["did", "provider", "keys", "services"]
94
- },
95
- sessionId: {
59
+ did: {
96
60
  type: "string"
97
61
  },
98
- expiresIn: {
99
- type: "number"
100
- },
101
- additionalProperties: false
102
- },
103
- required: ["identifier"],
104
- description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.registerSessionForSiop } "
105
- },
106
- IRemoveSiopSessionArgs: {
107
- type: "object",
108
- properties: {
109
- sessionId: {
62
+ alias: {
110
63
  type: "string"
111
64
  },
112
- additionalProperties: false
113
- },
114
- required: ["sessionId"],
115
- description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.removeSessionForSiop } "
116
- },
117
- IAuthenticateWithSiopArgs: {
118
- type: "object",
119
- properties: {
120
- sessionId: {
65
+ provider: {
121
66
  type: "string"
122
67
  },
123
- stateId: {
68
+ controllerKeyId: {
124
69
  type: "string"
125
70
  },
126
- redirectUrl: {
127
- type: "string"
71
+ keys: {
72
+ type: "array",
73
+ items: {
74
+ type: "object",
75
+ properties: {
76
+ additionalProperties: true
77
+ }
78
+ }
128
79
  },
129
- additionalProperties: false
80
+ services: {
81
+ type: "array",
82
+ items: {
83
+ type: "object",
84
+ properties: {
85
+ additionalProperties: true
86
+ }
87
+ }
88
+ }
130
89
  },
131
- required: ["sessionId", "stateId", "redirectUrl"],
132
- description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.authenticateWithSiop } "
90
+ additionalProperties: false,
91
+ required: ["did", "provider", "keys", "services"]
92
+ },
93
+ sessionId: {
94
+ type: "string"
95
+ },
96
+ expiresIn: {
97
+ type: "number"
98
+ },
99
+ additionalProperties: false
100
+ },
101
+ required: ["identifier"],
102
+ description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.registerSessionForSiop } "
103
+ },
104
+ IRemoveSiopSessionArgs: {
105
+ type: "object",
106
+ properties: {
107
+ sessionId: {
108
+ type: "string"
109
+ },
110
+ additionalProperties: false
111
+ },
112
+ required: ["sessionId"],
113
+ description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.removeSessionForSiop } "
114
+ },
115
+ IAuthenticateWithSiopArgs: {
116
+ type: "object",
117
+ properties: {
118
+ sessionId: {
119
+ type: "string"
120
+ },
121
+ stateId: {
122
+ type: "string"
123
+ },
124
+ redirectUrl: {
125
+ type: "string"
126
+ },
127
+ additionalProperties: false
128
+ },
129
+ required: ["sessionId", "stateId", "redirectUrl"],
130
+ description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.authenticateWithSiop } "
131
+ },
132
+ IResponse: {
133
+ type: "object",
134
+ properties: {
135
+ status: {
136
+ type: "number"
137
+ },
138
+ additionalProperties: true
139
+ },
140
+ required: ["status"],
141
+ description: "Result of {@link DidAuthSiopOpAuthenticator.authenticateWithSiop & DidAuthSiopOpAuthenticator.sendSiopAuthenticationResponse } "
142
+ },
143
+ IGetSiopAuthenticationRequestFromRpArgs: {
144
+ type: "object",
145
+ properties: {
146
+ sessionId: {
147
+ type: "string"
133
148
  },
134
- IResponse: {
149
+ stateId: {
150
+ type: "string"
151
+ },
152
+ redirectUrl: {
153
+ type: "string"
154
+ },
155
+ additionalProperties: false
156
+ },
157
+ required: ["sessionId", "stateId", "redirectUrl"],
158
+ description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.getSiopAuthenticationRequestFromRP } "
159
+ },
160
+ ParsedAuthenticationRequestURI: {
161
+ type: "object",
162
+ properties: {
163
+ jwt: {
164
+ type: "string"
165
+ },
166
+ requestPayload: {
135
167
  type: "object",
136
168
  properties: {
137
- status: {
138
- type: "number"
139
- },
140
169
  additionalProperties: true
141
- },
142
- required: ["status"],
143
- description: "Result of {@link DidAuthSiopOpAuthenticator.authenticateWithSiop & DidAuthSiopOpAuthenticator.sendSiopAuthenticationResponse } "
170
+ }
144
171
  },
145
- IGetSiopAuthenticationRequestFromRpArgs: {
172
+ registration: {
146
173
  type: "object",
147
174
  properties: {
148
- sessionId: {
149
- type: "string"
150
- },
151
- stateId: {
152
- type: "string"
153
- },
154
- redirectUrl: {
155
- type: "string"
156
- },
157
- additionalProperties: false
158
- },
159
- required: ["sessionId", "stateId", "redirectUrl"],
160
- description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.getSiopAuthenticationRequestFromRP } "
175
+ additionalProperties: true
176
+ }
161
177
  },
162
- ParsedAuthenticationRequestURI: {
178
+ additionalProperties: false
179
+ },
180
+ required: ["jwt", "requestPayload", "registration"],
181
+ description: "Result of {@link DidAuthSiopOpAuthenticator.getSiopAuthenticationRequestFromRP } "
182
+ },
183
+ IGetSiopAuthenticationRequestDetailsArgs: {
184
+ type: "object",
185
+ properties: {
186
+ sessionId: {
187
+ type: "string"
188
+ },
189
+ verifiedAuthenticationRequest: {
163
190
  type: "object",
164
191
  properties: {
165
- jwt: {
166
- type: "string"
167
- },
168
- requestPayload: {
169
- type: "object",
170
- properties: {
171
- additionalProperties: true
172
- }
173
- },
174
- registration: {
175
- type: "object",
176
- properties: {
177
- additionalProperties: true
178
- }
179
- },
180
- additionalProperties: false
181
- },
182
- required: ["jwt", "requestPayload", "registration"],
183
- description: "Result of {@link DidAuthSiopOpAuthenticator.getSiopAuthenticationRequestFromRP } "
192
+ additionalProperties: true
193
+ }
184
194
  },
185
- IGetSiopAuthenticationRequestDetailsArgs: {
195
+ credentialFilter: {
186
196
  type: "object",
187
197
  properties: {
188
- sessionId: {
189
- type: "string"
190
- },
191
- verifiedAuthenticationRequest: {
192
- type: "object",
193
- properties: {
194
- additionalProperties: true
195
- }
196
- },
197
- credentialFilter: {
198
- type: "object",
199
- properties: {
200
- additionalProperties: true
201
- }
202
- },
203
- additionalProperties: false
204
- },
205
- required: ["sessionId", "verifiedAuthenticationRequest"],
206
- description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.getSiopAuthenticationRequestDetails } "
198
+ additionalProperties: true
199
+ }
207
200
  },
208
- IAuthRequestDetails: {
201
+ additionalProperties: false
202
+ },
203
+ required: ["sessionId", "verifiedAuthenticationRequest"],
204
+ description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.getSiopAuthenticationRequestDetails } "
205
+ },
206
+ IAuthRequestDetails: {
207
+ type: "object",
208
+ properties: {
209
+ id: {
210
+ type: "string"
211
+ },
212
+ alsoKnownAs: {
213
+ type: "array",
214
+ items: {
215
+ type: "string"
216
+ }
217
+ },
218
+ vpResponseOpts: {
209
219
  type: "object",
210
220
  properties: {
211
- id: {
212
- type: "string"
213
- },
214
- alsoKnownAs: {
215
- type: "array",
216
- items: {
217
- type: "string"
218
- }
219
- },
220
- vpResponseOpts: {
221
- type: "object",
222
- properties: {
223
- additionalProperties: true
224
- }
225
- },
226
- additionalProperties: false
227
- },
228
- required: ["id", "vpResponseOpts"],
229
- description: "Result of {@link DidAuthSiopOpAuthenticator.getSiopAuthenticationRequestDetails } "
221
+ additionalProperties: true
222
+ }
223
+ },
224
+ additionalProperties: false
225
+ },
226
+ required: ["id", "vpResponseOpts"],
227
+ description: "Result of {@link DidAuthSiopOpAuthenticator.getSiopAuthenticationRequestDetails } "
228
+ },
229
+ IVerifySiopAuthenticationRequestUriArgs: {
230
+ type: "object",
231
+ properties: {
232
+ sessionId: {
233
+ type: "string"
230
234
  },
231
- IVerifySiopAuthenticationRequestUriArgs: {
235
+ ParsedAuthenticationRequestURI: {
232
236
  type: "object",
233
237
  properties: {
234
- sessionId: {
235
- type: "string"
236
- },
237
- ParsedAuthenticationRequestURI: {
238
- type: "object",
239
- properties: {
240
- additionalProperties: true
241
- }
242
- },
243
- additionalProperties: false
244
- },
245
- required: ["sessionId", "ParsedAuthenticationRequestURI"],
246
- description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.verifySiopAuthenticationRequestURI } "
238
+ additionalProperties: true
239
+ }
247
240
  },
248
- VerifiedAuthorizationRequest: {
241
+ additionalProperties: false
242
+ },
243
+ required: ["sessionId", "ParsedAuthenticationRequestURI"],
244
+ description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.verifySiopAuthenticationRequestURI } "
245
+ },
246
+ VerifiedAuthorizationRequest: {
247
+ type: "object",
248
+ properties: {
249
+ payload: {
249
250
  type: "object",
250
251
  properties: {
251
- payload: {
252
- type: "object",
253
- properties: {
254
- additionalProperties: true
255
- }
256
- },
257
- presentationDefinitions: {
258
- type: "object",
259
- properties: {
260
- additionalProperties: true
261
- }
262
- },
263
- verifyOpts: {
264
- type: "object",
265
- properties: {
266
- additionalProperties: true
267
- }
268
- },
269
- additionalProperties: false
270
- },
271
- required: ["payload", "verifyOpts"],
272
- description: "Result of {@link DidAuthSiopOpAuthenticator.verifySiopAuthenticationRequestURI } "
252
+ additionalProperties: true
253
+ }
273
254
  },
274
- ISendSiopAuthenticationResponseArgs: {
255
+ presentationDefinitions: {
275
256
  type: "object",
276
257
  properties: {
277
- sessionId: {
278
- type: "string"
279
- },
280
- verifiedAuthenticationRequest: {
281
- type: "object",
282
- properties: {
283
- additionalProperties: true
284
- }
285
- },
286
- verifiablePresentationResponse: {
287
- type: "object",
288
- properties: {
289
- additionalProperties: true
290
- }
291
- },
292
- additionalProperties: false
293
- },
294
- required: ["sessionId", "verifiedAuthenticationRequest"],
295
- description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.sendSiopAuthenticationResponse } "
296
- }
297
- },
298
- methods: {
299
- getSessionForSiop: {
300
- description: "Get SIOP session",
301
- arguments: {
302
- $ref: "#/components/schemas/IGetSiopSessionArgs"
303
- },
304
- returnType: "object"
305
- },
306
- registerSessionForSiop: {
307
- description: "Register SIOP session",
308
- arguments: {
309
- $ref: "#/components/schemas/IRegisterSiopSessionArgs"
310
- },
311
- returnType: "object"
312
- },
313
- removeSessionForSiop: {
314
- description: "Remove SIOP session",
315
- arguments: {
316
- $ref: "#/components/schemas/IRemoveSiopSessionArgs"
317
- },
318
- returnType: "boolean"
319
- },
320
- authenticateWithSiop: {
321
- description: "Authenticate using DID Auth SIOP",
322
- arguments: {
323
- $ref: "#/components/schemas/IAuthenticateWithSiopArgs"
324
- },
325
- returnType: {
326
- $ref: "#/components/schemas/Response"
258
+ additionalProperties: true
327
259
  }
328
260
  },
329
- getSiopAuthenticationRequestFromRP: {
330
- description: "Get authentication request from RP",
331
- arguments: {
332
- $ref: "#/components/schemas/IGetSiopAuthenticationRequestFromRpArgs"
333
- },
334
- returnType: {
335
- $ref: "#/components/schemas/ParsedAuthenticationRequestURI"
261
+ verifyOpts: {
262
+ type: "object",
263
+ properties: {
264
+ additionalProperties: true
336
265
  }
337
266
  },
338
- getSiopAuthenticationRequestDetails: {
339
- description: "Get authentication request details",
340
- arguments: {
341
- $ref: "#/components/schemas/IGetSiopAuthenticationRequestDetailsArgs"
342
- },
343
- returnType: {
344
- $ref: "#/components/schemas/IAuthRequestDetails"
345
- }
267
+ additionalProperties: false
268
+ },
269
+ required: ["payload", "verifyOpts"],
270
+ description: "Result of {@link DidAuthSiopOpAuthenticator.verifySiopAuthenticationRequestURI } "
271
+ },
272
+ ISendSiopAuthenticationResponseArgs: {
273
+ type: "object",
274
+ properties: {
275
+ sessionId: {
276
+ type: "string"
346
277
  },
347
- verifySiopAuthenticationRequestURI: {
348
- description: "Verify authentication request URI",
349
- arguments: {
350
- $ref: "#/components/schemas/IVerifySiopAuthenticationRequestUriArgs"
351
- },
352
- returnType: {
353
- $ref: "#/components/schemas/VerifiedAuthorizationRequest"
278
+ verifiedAuthenticationRequest: {
279
+ type: "object",
280
+ properties: {
281
+ additionalProperties: true
354
282
  }
355
283
  },
356
- sendSiopAuthenticationResponse: {
357
- description: "Send authentication response",
358
- arguments: {
359
- $ref: "#/components/schemas/ISendSiopAuthenticationResponseArgs"
360
- },
361
- returnType: {
362
- $ref: "#/components/schemas/IRequiredContext"
284
+ verifiablePresentationResponse: {
285
+ type: "object",
286
+ properties: {
287
+ additionalProperties: true
363
288
  }
364
- }
289
+ },
290
+ additionalProperties: false
291
+ },
292
+ required: ["sessionId", "verifiedAuthenticationRequest"],
293
+ description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.sendSiopAuthenticationResponse } "
294
+ }
295
+ },
296
+ methods: {
297
+ getSessionForSiop: {
298
+ description: "Get SIOP session",
299
+ arguments: {
300
+ $ref: "#/components/schemas/IGetSiopSessionArgs"
301
+ },
302
+ returnType: "object"
303
+ },
304
+ registerSessionForSiop: {
305
+ description: "Register SIOP session",
306
+ arguments: {
307
+ $ref: "#/components/schemas/IRegisterSiopSessionArgs"
308
+ },
309
+ returnType: "object"
310
+ },
311
+ removeSessionForSiop: {
312
+ description: "Remove SIOP session",
313
+ arguments: {
314
+ $ref: "#/components/schemas/IRemoveSiopSessionArgs"
315
+ },
316
+ returnType: "boolean"
317
+ },
318
+ authenticateWithSiop: {
319
+ description: "Authenticate using DID Auth SIOP",
320
+ arguments: {
321
+ $ref: "#/components/schemas/IAuthenticateWithSiopArgs"
322
+ },
323
+ returnType: {
324
+ $ref: "#/components/schemas/Response"
325
+ }
326
+ },
327
+ getSiopAuthenticationRequestFromRP: {
328
+ description: "Get authentication request from RP",
329
+ arguments: {
330
+ $ref: "#/components/schemas/IGetSiopAuthenticationRequestFromRpArgs"
331
+ },
332
+ returnType: {
333
+ $ref: "#/components/schemas/ParsedAuthenticationRequestURI"
334
+ }
335
+ },
336
+ getSiopAuthenticationRequestDetails: {
337
+ description: "Get authentication request details",
338
+ arguments: {
339
+ $ref: "#/components/schemas/IGetSiopAuthenticationRequestDetailsArgs"
340
+ },
341
+ returnType: {
342
+ $ref: "#/components/schemas/IAuthRequestDetails"
343
+ }
344
+ },
345
+ verifySiopAuthenticationRequestURI: {
346
+ description: "Verify authentication request URI",
347
+ arguments: {
348
+ $ref: "#/components/schemas/IVerifySiopAuthenticationRequestUriArgs"
349
+ },
350
+ returnType: {
351
+ $ref: "#/components/schemas/VerifiedAuthorizationRequest"
352
+ }
353
+ },
354
+ sendSiopAuthenticationResponse: {
355
+ description: "Send authentication response",
356
+ arguments: {
357
+ $ref: "#/components/schemas/ISendSiopAuthenticationResponseArgs"
358
+ },
359
+ returnType: {
360
+ $ref: "#/components/schemas/IRequiredContext"
365
361
  }
366
362
  }
367
363
  }
368
- };
364
+ }
369
365
  }
370
- });
366
+ };
371
367
 
372
368
  // src/agent/DidAuthSiopOpAuthenticator.ts
373
- import { decodeUriAsJson, SupportedVersion as SupportedVersion3 } from "@sphereon/did-auth-siop";
374
- import { ConnectionType as ConnectionType2, CorrelationIdentifierType, CredentialDocumentFormat, CredentialRole as CredentialRole2, DocumentType, IdentityOrigin } from "@sphereon/ssi-sdk.data-store";
375
- import { Loggers as Loggers4 } from "@sphereon/ssi-types";
369
+ import { decodeUriAsJson } from "@sphereon/did-auth-siop";
370
+ import { ConnectionType as ConnectionType2, CorrelationIdentifierType, IdentityOrigin } from "@sphereon/ssi-sdk.data-store-types";
371
+ import { Loggers as Loggers5, CredentialRole as CredentialRole2 } from "@sphereon/ssi-types";
376
372
  import { v4 as uuidv4 } from "uuid";
377
373
 
378
374
  // src/session/functions.ts
@@ -398,10 +394,8 @@ __name(createOID4VPPresentationSignCallback, "createOID4VPPresentationSignCallba
398
394
  async function createOPBuilder({ opOptions, idOpts: idOpts1, context }) {
399
395
  const eventEmitter = opOptions.eventEmitter ?? new EventEmitter();
400
396
  const builder = OP.builder().withResponseMode(opOptions.responseMode ?? ResponseMode.DIRECT_POST).withSupportedVersions(opOptions.supportedVersions ?? [
401
- SupportedVersion.SIOPv2_ID1,
402
- SupportedVersion.JWT_VC_PRESENTATION_PROFILE_v1,
403
- SupportedVersion.SIOPv2_D11,
404
- SupportedVersion.SIOPv2_D12_OID4VP_D18
397
+ SupportedVersion.OID4VP_v1,
398
+ SupportedVersion.SIOPv2_OID4VP_D28
405
399
  ]).withExpiresIn(opOptions.expiresIn ?? 300).withEventEmitter(eventEmitter).withRegistration({
406
400
  passBy: PassBy.VALUE
407
401
  });
@@ -529,34 +523,29 @@ function getSigningAlgo(type) {
529
523
  __name(getSigningAlgo, "getSigningAlgo");
530
524
 
531
525
  // src/session/OID4VP.ts
532
- import { PresentationExchange } from "@sphereon/did-auth-siop";
533
- import { Status } from "@sphereon/pex";
534
- import { isManagedIdentifierDidResult, isOID4VCIssuerIdentifier } from "@sphereon/ssi-sdk-ext.identifier-resolution";
535
- import { defaultHasher } from "@sphereon/ssi-sdk.core";
536
- import { verifiableCredentialForRoleFilter } from "@sphereon/ssi-sdk.credential-store";
526
+ import { calculateSdHash } from "@sphereon/pex/dist/main/lib/utils/index.js";
527
+ import { isManagedIdentifierDidResult } from "@sphereon/ssi-sdk-ext.identifier-resolution";
528
+ import { defaultGenerateDigest } from "@sphereon/ssi-sdk.sd-jwt";
529
+ import { CredentialMapper, Loggers } from "@sphereon/ssi-types";
537
530
 
538
531
  // src/types/IDidAuthSiopOpAuthenticator.ts
539
532
  var LOGGER_NAMESPACE = "sphereon:siopv2-oid4vp:op-auth";
540
- var events = /* @__PURE__ */ function(events2) {
541
- events2["DID_SIOP_AUTHENTICATED"] = "didSiopAuthenticated";
542
- return events2;
543
- }({});
544
533
  var DEFAULT_JWT_PROOF_TYPE = "JwtProof2020";
545
534
 
546
535
  // src/types/siop-service/index.ts
547
- var Siopv2HolderEvent = /* @__PURE__ */ function(Siopv2HolderEvent2) {
536
+ var Siopv2HolderEvent = /* @__PURE__ */ (function(Siopv2HolderEvent2) {
548
537
  Siopv2HolderEvent2["CONTACT_IDENTITY_CREATED"] = "contact_identity_created";
549
538
  Siopv2HolderEvent2["IDENTIFIER_CREATED"] = "identifier_created";
550
539
  return Siopv2HolderEvent2;
551
- }({});
552
- var SupportedLanguage = /* @__PURE__ */ function(SupportedLanguage2) {
540
+ })({});
541
+ var SupportedLanguage = /* @__PURE__ */ (function(SupportedLanguage2) {
553
542
  SupportedLanguage2["ENGLISH"] = "en";
554
543
  SupportedLanguage2["DUTCH"] = "nl";
555
544
  return SupportedLanguage2;
556
- }({});
545
+ })({});
557
546
 
558
547
  // src/types/machine/index.ts
559
- var Siopv2MachineStates = /* @__PURE__ */ function(Siopv2MachineStates2) {
548
+ var Siopv2MachineStates = /* @__PURE__ */ (function(Siopv2MachineStates2) {
560
549
  Siopv2MachineStates2["createConfig"] = "createConfig";
561
550
  Siopv2MachineStates2["getSiopRequest"] = "getSiopRequest";
562
551
  Siopv2MachineStates2["getSelectableCredentials"] = "getSelectableCredentials";
@@ -572,14 +561,14 @@ var Siopv2MachineStates = /* @__PURE__ */ function(Siopv2MachineStates2) {
572
561
  Siopv2MachineStates2["error"] = "error";
573
562
  Siopv2MachineStates2["done"] = "done";
574
563
  return Siopv2MachineStates2;
575
- }({});
576
- var Siopv2MachineAddContactStates = /* @__PURE__ */ function(Siopv2MachineAddContactStates2) {
564
+ })({});
565
+ var Siopv2MachineAddContactStates = /* @__PURE__ */ (function(Siopv2MachineAddContactStates2) {
577
566
  Siopv2MachineAddContactStates2["idle"] = "idle";
578
567
  Siopv2MachineAddContactStates2["executing"] = "executing";
579
568
  Siopv2MachineAddContactStates2["next"] = "next";
580
569
  return Siopv2MachineAddContactStates2;
581
- }({});
582
- var Siopv2MachineEvents = /* @__PURE__ */ function(Siopv2MachineEvents2) {
570
+ })({});
571
+ var Siopv2MachineEvents = /* @__PURE__ */ (function(Siopv2MachineEvents2) {
583
572
  Siopv2MachineEvents2["NEXT"] = "NEXT";
584
573
  Siopv2MachineEvents2["PREVIOUS"] = "PREVIOUS";
585
574
  Siopv2MachineEvents2["DECLINE"] = "DECLINE";
@@ -588,8 +577,8 @@ var Siopv2MachineEvents = /* @__PURE__ */ function(Siopv2MachineEvents2) {
588
577
  Siopv2MachineEvents2["CREATE_CONTACT"] = "CREATE_CONTACT";
589
578
  Siopv2MachineEvents2["SET_SELECTED_CREDENTIALS"] = "SET_SELECTED_CREDENTIALS";
590
579
  return Siopv2MachineEvents2;
591
- }({});
592
- var Siopv2MachineGuards = /* @__PURE__ */ function(Siopv2MachineGuards2) {
580
+ })({});
581
+ var Siopv2MachineGuards = /* @__PURE__ */ (function(Siopv2MachineGuards2) {
593
582
  Siopv2MachineGuards2["hasNoContactGuard"] = "Siopv2HasNoContactGuard";
594
583
  Siopv2MachineGuards2["createContactGuard"] = "Siopv2CreateContactGuard";
595
584
  Siopv2MachineGuards2["hasContactGuard"] = "Siopv2HasContactGuard";
@@ -599,8 +588,8 @@ var Siopv2MachineGuards = /* @__PURE__ */ function(Siopv2MachineGuards2) {
599
588
  Siopv2MachineGuards2["siopOnlyGuard"] = "Siopv2IsSiopOnlyGuard";
600
589
  Siopv2MachineGuards2["siopWithOID4VPGuard"] = "Siopv2IsSiopWithOID4VPGuard";
601
590
  return Siopv2MachineGuards2;
602
- }({});
603
- var Siopv2MachineServices = /* @__PURE__ */ function(Siopv2MachineServices2) {
591
+ })({});
592
+ var Siopv2MachineServices = /* @__PURE__ */ (function(Siopv2MachineServices2) {
604
593
  Siopv2MachineServices2["getSiopRequest"] = "getSiopRequest";
605
594
  Siopv2MachineServices2["getSelectableCredentials"] = "getSelectableCredentials";
606
595
  Siopv2MachineServices2["retrieveContact"] = "retrieveContact";
@@ -608,212 +597,156 @@ var Siopv2MachineServices = /* @__PURE__ */ function(Siopv2MachineServices2) {
608
597
  Siopv2MachineServices2["sendResponse"] = "sendResponse";
609
598
  Siopv2MachineServices2["createConfig"] = "createConfig";
610
599
  return Siopv2MachineServices2;
611
- }({});
600
+ })({});
612
601
 
613
602
  // src/types/identifier/index.ts
614
603
  var DID_PREFIX = "did";
615
604
 
616
605
  // src/session/OID4VP.ts
617
- var OID4VP = class _OID4VP {
618
- static {
619
- __name(this, "OID4VP");
620
- }
621
- session;
622
- allIdentifiers;
623
- hasher;
624
- constructor(args) {
625
- const { session, allIdentifiers, hasher = defaultHasher } = args;
626
- this.session = session;
627
- this.allIdentifiers = allIdentifiers ?? [];
628
- this.hasher = hasher;
606
+ var CLOCK_SKEW = 120;
607
+ var logger = Loggers.DEFAULT.get(LOGGER_NAMESPACE);
608
+ function extractOriginalCredential(credential) {
609
+ if (typeof credential === "string") {
610
+ return credential;
629
611
  }
630
- static async init(session, allIdentifiers, hasher) {
631
- return new _OID4VP({
632
- session,
633
- allIdentifiers: allIdentifiers ?? await session.getSupportedDIDs(),
634
- hasher
635
- });
636
- }
637
- async getPresentationDefinitions() {
638
- const definitions = await this.session.getPresentationDefinitions();
639
- if (definitions) {
640
- PresentationExchange.assertValidPresentationDefinitionWithLocations(definitions);
612
+ if ("digitalCredential" in credential) {
613
+ const udc = credential;
614
+ if (udc.originalVerifiableCredential) {
615
+ return udc.originalVerifiableCredential;
641
616
  }
642
- return definitions;
643
- }
644
- getPresentationExchange(args) {
645
- const { verifiableCredentials, allIdentifiers, hasher } = args;
646
- return new PresentationExchange({
647
- allDIDs: allIdentifiers ?? this.allIdentifiers,
648
- allVerifiableCredentials: verifiableCredentials,
649
- hasher: hasher ?? this.hasher
650
- });
617
+ return udc.uniformVerifiableCredential;
651
618
  }
652
- async createVerifiablePresentations(credentialRole, credentialsWithDefinitions, opts) {
653
- return await Promise.all(credentialsWithDefinitions.map((cred) => this.createVerifiablePresentation(credentialRole, cred, opts)));
619
+ if ("original" in credential) {
620
+ return credential.original;
654
621
  }
655
- async createVerifiablePresentation(credentialRole, selectedVerifiableCredentials, opts) {
656
- const { subjectIsHolder, holder, forceNoCredentialsInVP = false } = {
657
- ...opts
658
- };
659
- if (subjectIsHolder && holder) {
660
- throw Error("Cannot both have subject is holder and a holderDID value at the same time (programming error)");
622
+ return credential;
623
+ }
624
+ __name(extractOriginalCredential, "extractOriginalCredential");
625
+ function detectCredentialFormat(credential) {
626
+ if (typeof credential === "string") {
627
+ if (credential.includes("~")) {
628
+ return "dc+sd-jwt";
661
629
  }
662
- if (forceNoCredentialsInVP) {
663
- selectedVerifiableCredentials.credentials = [];
664
- } else if (!selectedVerifiableCredentials?.credentials || selectedVerifiableCredentials.credentials.length === 0) {
665
- throw Error("No verifiable verifiableCredentials provided for presentation definition");
630
+ const parts = credential.split(".");
631
+ if (parts.length === 3) {
632
+ return "jwt_vc_json";
666
633
  }
667
- const proofOptions = {
668
- ...opts?.proofOpts,
669
- challenge: opts?.proofOpts?.nonce ?? opts?.proofOpts?.challenge ?? this.session.nonce,
670
- domain: opts?.proofOpts?.domain ?? await this.session.getRedirectUri()
671
- };
672
- let idOpts2 = opts?.idOpts;
673
- if (!idOpts2) {
674
- if (opts?.subjectIsHolder) {
675
- if (forceNoCredentialsInVP) {
676
- return Promise.reject(Error(`Cannot have subject is holder, when force no credentials is being used, as we could never determine the holder then. Please provide holderDID`));
677
- }
678
- const firstUniqueDC = selectedVerifiableCredentials.credentials[0];
679
- if (typeof firstUniqueDC !== "object" || !("digitalCredential" in firstUniqueDC)) {
680
- return Promise.reject(Error("If no opts provided, credentials should be of type UniqueDigitalCredential"));
681
- }
682
- idOpts2 = isOID4VCIssuerIdentifier(firstUniqueDC.digitalCredential.kmsKeyRef) ? await this.session.context.agent.identifierManagedGetByIssuer({
683
- identifier: firstUniqueDC.digitalCredential.kmsKeyRef
684
- }) : await this.session.context.agent.identifierManagedGetByKid({
685
- identifier: firstUniqueDC.digitalCredential.kmsKeyRef,
686
- kmsKeyRef: firstUniqueDC.digitalCredential.kmsKeyRef
687
- });
688
- } else if (opts?.holder) {
689
- idOpts2 = {
690
- identifier: opts.holder
691
- };
692
- }
634
+ } else if (typeof credential === "object") {
635
+ if ("compactSdJwtVc" in credential) {
636
+ return "dc+sd-jwt";
693
637
  }
694
- const vcs = forceNoCredentialsInVP ? selectedVerifiableCredentials : opts?.applyFilter ? await this.filterCredentials(credentialRole, selectedVerifiableCredentials.definition, {
695
- restrictToFormats: opts?.restrictToFormats,
696
- restrictToDIDMethods: opts?.restrictToDIDMethods,
697
- filterOpts: {
698
- verifiableCredentials: selectedVerifiableCredentials.credentials
699
- }
700
- }) : {
701
- definition: selectedVerifiableCredentials.definition,
702
- credentials: selectedVerifiableCredentials.credentials
703
- };
704
- if (!idOpts2) {
705
- return Promise.reject(Error(`No identifier options present at this point`));
638
+ if ("@context" in credential || "proof" in credential) {
639
+ return "ldp_vc";
640
+ }
641
+ if ("doctype" in credential || "namespaces" in credential) {
642
+ return "mso_mdoc";
706
643
  }
707
- const signCallback = await createOID4VPPresentationSignCallback({
708
- presentationSignCallback: this.session.options.presentationSignCallback,
709
- idOpts: idOpts2,
710
- context: this.session.context,
711
- domain: proofOptions.domain,
712
- challenge: proofOptions.challenge,
713
- format: opts?.restrictToFormats ?? selectedVerifiableCredentials.definition.definition.format,
714
- skipDidResolution: opts?.skipDidResolution ?? false
715
- });
716
- const identifier = await this.session.context.agent.identifierManagedGet(idOpts2);
717
- const verifiableCredentials = vcs.credentials.map((credential) => typeof credential === "object" && "digitalCredential" in credential ? credential.originalVerifiableCredential : credential);
718
- const presentationResult = await this.getPresentationExchange({
719
- verifiableCredentials,
720
- allIdentifiers: this.allIdentifiers,
721
- hasher: opts?.hasher
722
- }).createVerifiablePresentation(vcs.definition.definition, verifiableCredentials, signCallback, {
723
- proofOptions,
724
- // fixme: Update to newer siop-vp to not require dids here. But when Veramo is creating the VP it's still looking at this field to pass into didManagerGet
725
- ...identifier && isManagedIdentifierDidResult(identifier) && {
726
- holderDID: identifier.did
727
- }
728
- });
729
- const verifiablePresentations = presentationResult.verifiablePresentations.map((verifiablePresentation) => typeof verifiablePresentation !== "string" && "proof" in verifiablePresentation && "jwt" in verifiablePresentation.proof && verifiablePresentation.proof.jwt ? verifiablePresentation.proof.jwt : verifiablePresentation);
730
- return {
731
- ...presentationResult,
732
- verifiablePresentations,
733
- verifiableCredentials,
734
- definition: selectedVerifiableCredentials.definition,
735
- idOpts: idOpts2
736
- };
737
644
  }
738
- async filterCredentialsAgainstAllDefinitions(credentialRole, opts) {
739
- const defs = await this.getPresentationDefinitions();
740
- const result = [];
741
- if (defs) {
742
- for (const definition of defs) {
743
- result.push(await this.filterCredentials(credentialRole, definition, opts));
744
- }
645
+ return "jwt_vc_json";
646
+ }
647
+ __name(detectCredentialFormat, "detectCredentialFormat");
648
+ function getIdentifierString(identifier) {
649
+ if ("opts" in identifier && "method" in identifier) {
650
+ if (isManagedIdentifierDidResult(identifier)) {
651
+ return identifier.did;
745
652
  }
746
- return result;
747
- }
748
- async filterCredentials(credentialRole, presentationDefinition, opts) {
749
- const udcMap = /* @__PURE__ */ new Map();
750
- opts?.filterOpts?.verifiableCredentials?.forEach((credential) => {
751
- if (typeof credential === "object" && "digitalCredential" in credential) {
752
- udcMap.set(credential.originalVerifiableCredential, credential);
753
- } else {
754
- udcMap.set(credential, credential);
755
- }
756
- });
757
- const credentials = (await this.filterCredentialsWithSelectionStatus(credentialRole, presentationDefinition, {
758
- ...opts,
759
- filterOpts: {
760
- verifiableCredentials: opts?.filterOpts?.verifiableCredentials?.map((credential) => {
761
- if (typeof credential === "object" && "digitalCredential" in credential) {
762
- return credential.originalVerifiableCredential;
763
- } else {
764
- return credential;
765
- }
766
- })
767
- }
768
- })).verifiableCredential;
769
- return {
770
- definition: presentationDefinition,
771
- credentials: credentials?.map((vc) => udcMap.get(vc)) ?? []
772
- };
773
653
  }
774
- async filterCredentialsWithSelectionStatus(credentialRole, presentationDefinition, opts) {
775
- const selectionResults = await this.getPresentationExchange({
776
- verifiableCredentials: await this.getCredentials(credentialRole, opts?.filterOpts)
777
- }).selectVerifiableCredentialsForSubmission(presentationDefinition.definition, opts);
778
- if (selectionResults.errors && selectionResults.errors.length > 0) {
779
- throw Error(JSON.stringify(selectionResults.errors));
780
- } else if (selectionResults.areRequiredCredentialsPresent === Status.ERROR) {
781
- throw Error(`Not all required credentials are available to satisfy the relying party's request`);
654
+ return identifier.issuer ?? identifier.kid ?? "";
655
+ }
656
+ __name(getIdentifierString, "getIdentifierString");
657
+ async function createVerifiablePresentationForFormat(credential, identifier, context) {
658
+ const { nonce, audience, agent, clockSkew = CLOCK_SKEW } = context;
659
+ const originalCredential = extractOriginalCredential(credential);
660
+ const format = detectCredentialFormat(originalCredential);
661
+ logger.debug(`Creating VP for format: ${format}`);
662
+ switch (format) {
663
+ case "dc+sd-jwt": {
664
+ const decodedSdJwt = await CredentialMapper.decodeSdJwtVcAsync(typeof originalCredential === "string" ? originalCredential : originalCredential.compactSdJwtVc, defaultGenerateDigest);
665
+ const hashAlg = decodedSdJwt.signedPayload._sd_alg ?? "sha-256";
666
+ const sdHash = calculateSdHash(decodedSdJwt.compactSdJwtVc, hashAlg, defaultGenerateDigest);
667
+ const kbJwtPayload = {
668
+ iat: Math.floor(Date.now() / 1e3 - clockSkew),
669
+ sd_hash: sdHash,
670
+ nonce,
671
+ aud: audience
672
+ };
673
+ const presentationResult = await agent.createSdJwtPresentation({
674
+ presentation: decodedSdJwt.compactSdJwtVc,
675
+ kb: {
676
+ payload: kbJwtPayload
677
+ }
678
+ });
679
+ return presentationResult.presentation;
680
+ }
681
+ case "jwt_vc_json": {
682
+ const vcJwt = typeof originalCredential === "string" ? originalCredential : JSON.stringify(originalCredential);
683
+ const identifierString = getIdentifierString(identifier);
684
+ const vpPayload = {
685
+ iss: identifierString,
686
+ aud: audience,
687
+ nonce,
688
+ vp: {
689
+ "@context": [
690
+ "https://www.w3.org/2018/credentials/v1"
691
+ ],
692
+ type: [
693
+ "VerifiablePresentation"
694
+ ],
695
+ holder: identifierString,
696
+ verifiableCredential: [
697
+ vcJwt
698
+ ]
699
+ },
700
+ iat: Math.floor(Date.now() / 1e3 - clockSkew),
701
+ exp: Math.floor(Date.now() / 1e3 + 600)
702
+ };
703
+ const vpJwt = await agent.createVerifiablePresentation({
704
+ presentation: vpPayload.vp,
705
+ proofFormat: "jwt",
706
+ domain: audience,
707
+ challenge: nonce,
708
+ keyRef: identifier.kmsKeyRef || identifier.kid
709
+ });
710
+ return vpJwt.proof?.jwt || vpJwt;
782
711
  }
783
- const matches = selectionResults.matches;
784
- if (!matches || matches.length === 0 || !selectionResults.verifiableCredential || selectionResults.verifiableCredential.length === 0) {
785
- throw Error(JSON.stringify(selectionResults.errors));
712
+ case "ldp_vc": {
713
+ const vcObject = typeof originalCredential === "string" ? JSON.parse(originalCredential) : originalCredential;
714
+ const vpObject = {
715
+ "@context": [
716
+ "https://www.w3.org/2018/credentials/v1"
717
+ ],
718
+ type: [
719
+ "VerifiablePresentation"
720
+ ],
721
+ verifiableCredential: [
722
+ vcObject
723
+ ]
724
+ };
725
+ return await agent.createVerifiablePresentation({
726
+ presentation: vpObject,
727
+ proofFormat: "lds",
728
+ challenge: nonce,
729
+ domain: audience,
730
+ keyRef: identifier.kmsKeyRef || identifier.kid
731
+ });
786
732
  }
787
- return selectionResults;
788
- }
789
- async getCredentials(credentialRole, filterOpts) {
790
- if (filterOpts?.verifiableCredentials && filterOpts.verifiableCredentials.length > 0) {
791
- return filterOpts.verifiableCredentials;
733
+ case "mso_mdoc": {
734
+ logger.warning("mso_mdoc format has basic support - production use requires proper mdoc VP token implementation");
735
+ return originalCredential;
792
736
  }
793
- const filter = verifiableCredentialForRoleFilter(credentialRole, filterOpts?.filter);
794
- const uniqueCredentials = await this.session.context.agent.crsGetUniqueCredentials({
795
- filter
796
- });
797
- return uniqueCredentials.map((uniqueVC) => {
798
- const vc = uniqueVC.uniformVerifiableCredential;
799
- const proof = Array.isArray(vc.proof) ? vc.proof : [
800
- vc.proof
801
- ];
802
- const jwtProof = proof.find((p) => p?.type === DEFAULT_JWT_PROOF_TYPE);
803
- return jwtProof ? jwtProof.jwt : vc;
804
- });
737
+ default:
738
+ return Promise.reject(Error(`Unsupported credential format: ${format}`));
805
739
  }
806
- };
740
+ }
741
+ __name(createVerifiablePresentationForFormat, "createVerifiablePresentationForFormat");
807
742
 
808
743
  // src/session/OpSession.ts
809
744
  import { OP as OP2, URI } from "@sphereon/did-auth-siop";
810
745
  import { getAgentDIDMethods, getAgentResolver } from "@sphereon/ssi-sdk-ext.did-utils";
811
746
  import { encodeBase64url } from "@sphereon/ssi-sdk.core";
812
- import { CredentialMapper, parseDid } from "@sphereon/ssi-types";
747
+ import { Loggers as Loggers2, parseDid } from "@sphereon/ssi-types";
813
748
  import { v4 } from "uuid";
814
- import { PEX } from "@sphereon/pex";
815
- import { Loggers } from "@sphereon/ssi-types";
816
- var logger = Loggers.DEFAULT.get("sphereon:oid4vp:OpSession");
749
+ var logger2 = Loggers2.DEFAULT.get("sphereon:oid4vp:OpSession");
817
750
  var OpSession = class _OpSession {
818
751
  static {
819
752
  __name(this, "OpSession");
@@ -826,13 +759,11 @@ var OpSession = class _OpSession {
826
759
  verifiedAuthorizationRequest;
827
760
  _nonce;
828
761
  _state;
829
- _providedPresentationDefinitions;
830
762
  constructor(options) {
831
763
  this.id = options.sessionId;
832
764
  this.options = options.op;
833
765
  this.context = options.context;
834
766
  this.requestJwtOrUri = options.requestJwtOrUri;
835
- this._providedPresentationDefinitions = options.providedPresentationDefinitions;
836
767
  }
837
768
  static async init(options) {
838
769
  return new _OpSession(options);
@@ -879,9 +810,9 @@ var OpSession = class _OpSession {
879
810
  didPrefix,
880
811
  agentMethods
881
812
  });
882
- logger.debug(`RP supports subject syntax types: ${JSON.stringify(this.getSubjectSyntaxTypesSupported())}`);
813
+ logger2.debug(`RP supports subject syntax types: ${JSON.stringify(this.getSubjectSyntaxTypesSupported())}`);
883
814
  if (rpMethods.dids.length === 0) {
884
- logger.debug(`RP does not support DIDs. Supported: ${JSON.stringify(this.getSubjectSyntaxTypesSupported())}`);
815
+ logger2.debug(`RP does not support DIDs. Supported: ${JSON.stringify(this.getSubjectSyntaxTypesSupported())}`);
885
816
  return [];
886
817
  }
887
818
  let intersection;
@@ -899,7 +830,7 @@ var OpSession = class _OpSession {
899
830
  }
900
831
  getAgentDIDMethodsSupported(opts) {
901
832
  const agentMethods = this.options.supportedDIDMethods?.map((method) => convertDidMethod(method, opts.didPrefix));
902
- logger.debug(`agent methods: ${JSON.stringify(agentMethods)}`);
833
+ logger2.debug(`agent methods: ${JSON.stringify(agentMethods)}`);
903
834
  return agentMethods;
904
835
  }
905
836
  async getSubjectSyntaxTypesSupported() {
@@ -910,15 +841,15 @@ var OpSession = class _OpSession {
910
841
  async getRPDIDMethodsSupported(opts) {
911
842
  let keyType;
912
843
  const agentMethods = (opts.agentMethods ?? this.getAgentDIDMethodsSupported(opts))?.map((method) => convertDidMethod(method, opts.didPrefix)) ?? [];
913
- logger.debug(`agent methods supported: ${JSON.stringify(agentMethods)}`);
844
+ logger2.debug(`agent methods supported: ${JSON.stringify(agentMethods)}`);
914
845
  const authReq = await this.getAuthorizationRequest();
915
846
  const subjectSyntaxTypesSupported = authReq.registrationMetadataPayload?.subject_syntax_types_supported?.map((method) => convertDidMethod(method, opts.didPrefix)).filter((val) => !val.startsWith("did"));
916
- logger.debug(`subject syntax types supported in rp method supported: ${JSON.stringify(subjectSyntaxTypesSupported)}`);
847
+ logger2.debug(`subject syntax types supported in rp method supported: ${JSON.stringify(subjectSyntaxTypesSupported)}`);
917
848
  const aud = await authReq.authorizationRequest.getMergedProperty("aud");
918
849
  let rpMethods = [];
919
850
  if (aud && aud.startsWith("did:")) {
920
851
  const didMethod = convertDidMethod(parseDid(aud).method, opts.didPrefix);
921
- logger.debug(`aud did method: ${didMethod}`);
852
+ logger2.debug(`aud did method: ${didMethod}`);
922
853
  if (subjectSyntaxTypesSupported && subjectSyntaxTypesSupported.length > 0 && !subjectSyntaxTypesSupported.includes("did") && !subjectSyntaxTypesSupported.includes(didMethod)) {
923
854
  throw Error(`The aud DID method ${didMethod} is not in the supported types ${subjectSyntaxTypesSupported}`);
924
855
  }
@@ -930,10 +861,10 @@ var OpSession = class _OpSession {
930
861
  subjectSyntaxTypesSupported
931
862
  ]).map((method) => convertDidMethod(method, opts.didPrefix));
932
863
  }
933
- const isEBSI = rpMethods.length === 0 && (authReq.issuer?.includes(".ebsi.eu") || (await authReq.authorizationRequest.getMergedProperty("client_id"))?.includes(".ebsi.eu"));
864
+ const isEBSI = rpMethods.length === 0 && (authReq.issuer?.includes(".ebsi.eu") || authReq.authorizationRequest.getMergedProperty("client_id")?.includes(".ebsi.eu"));
934
865
  let codecName = void 0;
935
866
  if (isEBSI && (!aud || !aud.startsWith("http"))) {
936
- logger.debug(`EBSI detected, adding did:key to supported DID methods for RP`);
867
+ logger2.debug(`EBSI detected, adding did:key to supported DID methods for RP`);
937
868
  const didKeyMethod = convertDidMethod("did:key", opts.didPrefix);
938
869
  if (!agentMethods?.includes(didKeyMethod)) {
939
870
  throw Error(`EBSI detected, but agent did not support did:key. Please reconfigure agent`);
@@ -952,13 +883,13 @@ var OpSession = class _OpSession {
952
883
  }
953
884
  async getSupportedIdentifiers(opts) {
954
885
  const methods = await this.getSupportedDIDMethods(true);
955
- logger.debug(`supported DID methods (did: prefix = true): ${JSON.stringify(methods)}`);
886
+ logger2.debug(`supported DID methods (did: prefix = true): ${JSON.stringify(methods)}`);
956
887
  if (methods.length === 0) {
957
888
  throw Error(`No DID methods are supported`);
958
889
  }
959
890
  const identifiers = await this.context.agent.didManagerFind().then((ids) => ids.filter((id) => methods.includes(id.provider)));
960
891
  if (identifiers.length === 0) {
961
- logger.debug(`No identifiers available in agent supporting methods ${JSON.stringify(methods)}`);
892
+ logger2.debug(`No identifiers available in agent supporting methods ${JSON.stringify(methods)}`);
962
893
  if (opts?.createInCaseNoDIDFound !== false) {
963
894
  const { codecName, keyType } = await this.getRPDIDMethodsSupported({
964
895
  didPrefix: true,
@@ -972,11 +903,11 @@ var OpSession = class _OpSession {
972
903
  type: keyType
973
904
  }
974
905
  });
975
- logger.debug(`Created a new identifier for the SIOP interaction: ${identifier.did}`);
906
+ logger2.debug(`Created a new identifier for the SIOP interaction: ${identifier.did}`);
976
907
  identifiers.push(identifier);
977
908
  }
978
909
  }
979
- logger.debug(`supported identifiers: ${JSON.stringify(identifiers.map((id) => id.did))}`);
910
+ logger2.debug(`supported identifiers: ${JSON.stringify(identifiers.map((id) => id.did))}`);
980
911
  return identifiers;
981
912
  }
982
913
  async getSupportedDIDs() {
@@ -985,51 +916,6 @@ var OpSession = class _OpSession {
985
916
  async getRedirectUri() {
986
917
  return Promise.resolve(this.verifiedAuthorizationRequest.responseURI);
987
918
  }
988
- async hasPresentationDefinitions() {
989
- const defs = this._providedPresentationDefinitions ?? (await this.getAuthorizationRequest()).presentationDefinitions;
990
- return defs !== void 0 && defs.length > 0;
991
- }
992
- async getPresentationDefinitions() {
993
- if (!await this.hasPresentationDefinitions()) {
994
- throw Error(`No presentation definitions found`);
995
- }
996
- return this._providedPresentationDefinitions ?? (await this.getAuthorizationRequest()).presentationDefinitions;
997
- }
998
- async getOID4VP(args) {
999
- return await OID4VP.init(this, args.allIdentifiers ?? [], args.hasher);
1000
- }
1001
- createPresentationVerificationCallback(context) {
1002
- async function presentationVerificationCallback(args, presentationSubmission) {
1003
- let result;
1004
- if (CredentialMapper.isSdJwtEncoded(args)) {
1005
- try {
1006
- const sdJwtResult = await context.agent.verifySdJwtPresentation({
1007
- presentation: args
1008
- });
1009
- result = {
1010
- verified: "header" in sdJwtResult,
1011
- error: "header" in sdJwtResult ? void 0 : {
1012
- message: "could not verify SD JWT presentation"
1013
- }
1014
- };
1015
- } catch (error) {
1016
- result = {
1017
- verified: false,
1018
- error: {
1019
- message: error.message
1020
- }
1021
- };
1022
- }
1023
- } else {
1024
- result = await context.agent.verifyPresentation({
1025
- presentation: args
1026
- });
1027
- }
1028
- return result;
1029
- }
1030
- __name(presentationVerificationCallback, "presentationVerificationCallback");
1031
- return presentationVerificationCallback;
1032
- }
1033
919
  async createJarmResponseCallback({ responseOpts }) {
1034
920
  const agent = this.context.agent;
1035
921
  return /* @__PURE__ */ __name(async function jarmResponse(opts) {
@@ -1056,6 +942,7 @@ var OpSession = class _OpSession {
1056
942
  }, "jarmResponse");
1057
943
  }
1058
944
  async sendAuthorizationResponse(args) {
945
+ const { responseSignerOpts, dcqlResponse, isFirstParty } = args;
1059
946
  const resolveOpts = this.options.resolveOpts ?? {
1060
947
  resolver: getAgentResolver(this.context, {
1061
948
  uniresolverResolution: true,
@@ -1066,23 +953,7 @@ var OpSession = class _OpSession {
1066
953
  if (!resolveOpts.subjectSyntaxTypesSupported || resolveOpts.subjectSyntaxTypesSupported.length === 0) {
1067
954
  resolveOpts.subjectSyntaxTypesSupported = await this.getSupportedDIDMethods(true);
1068
955
  }
1069
- const verification = {
1070
- presentationVerificationCallback: this.createPresentationVerificationCallback(this.context)
1071
- };
1072
956
  const request = await this.getAuthorizationRequest();
1073
- const hasDefinitions = await this.hasPresentationDefinitions();
1074
- if (hasDefinitions) {
1075
- const totalInputDescriptors = request.presentationDefinitions?.reduce((sum, pd) => {
1076
- return sum + pd.definition.input_descriptors.length;
1077
- }, 0);
1078
- const totalVCs = args.verifiablePresentations ? this.countVCsInAllVPs(args.verifiablePresentations, args.hasher) : 0;
1079
- if (!request.presentationDefinitions || !args.verifiablePresentations || totalVCs !== totalInputDescriptors) {
1080
- throw Error(`Amount of presentations ${args.verifiablePresentations?.length}, doesn't match expected ${request.presentationDefinitions?.length}`);
1081
- } else if (!args.presentationSubmission) {
1082
- throw Error(`Presentation submission is required when verifiable presentations are required`);
1083
- }
1084
- }
1085
- const verifiablePresentations = args.verifiablePresentations ? args.verifiablePresentations.map((vp) => CredentialMapper.storedPresentationToOriginalFormat(vp)) : [];
1086
957
  const op = await createOP({
1087
958
  opOptions: {
1088
959
  ...this.options,
@@ -1094,23 +965,16 @@ var OpSession = class _OpSession {
1094
965
  wellknownDIDVerifyCallback: this.options.wellknownDIDVerifyCallback,
1095
966
  supportedVersions: request.versions
1096
967
  },
1097
- idOpts: args.responseSignerOpts,
968
+ idOpts: responseSignerOpts,
1098
969
  context: this.context
1099
970
  });
1100
- let issuer = args.responseSignerOpts.issuer;
971
+ let issuer = responseSignerOpts.issuer;
1101
972
  const responseOpts = {
1102
- verification,
1103
973
  issuer,
1104
- ...args.isFirstParty && {
1105
- isFirstParty: args.isFirstParty
1106
- },
1107
- ...args.verifiablePresentations && {
1108
- presentationExchange: {
1109
- verifiablePresentations,
1110
- presentationSubmission: args.presentationSubmission
1111
- }
974
+ ...isFirstParty && {
975
+ isFirstParty
1112
976
  },
1113
- dcqlQuery: args.dcqlResponse
977
+ dcqlResponse
1114
978
  };
1115
979
  const authResponse = await op.createAuthorizationResponse(request, responseOpts);
1116
980
  const response = await op.submitAuthorizationResponse(authResponse, await this.createJarmResponseCallback({
@@ -1122,24 +986,6 @@ var OpSession = class _OpSession {
1122
986
  return response;
1123
987
  }
1124
988
  }
1125
- countVCsInAllVPs(verifiablePresentations, hasher) {
1126
- return verifiablePresentations.reduce((sum, vp) => {
1127
- if (CredentialMapper.isMsoMdocDecodedPresentation(vp) || CredentialMapper.isMsoMdocOid4VPEncoded(vp)) {
1128
- return sum + 1;
1129
- }
1130
- const uvp = CredentialMapper.toUniformPresentation(vp, {
1131
- hasher: hasher ?? this.options.hasher
1132
- });
1133
- if (uvp.verifiableCredential?.length) {
1134
- return sum + uvp.verifiableCredential?.length;
1135
- }
1136
- const isSdJWT = CredentialMapper.isSdJwtDecodedCredential(uvp);
1137
- if (isSdJWT || uvp.verifiableCredential && !PEX.allowMultipleVCsPerPresentation(uvp.verifiableCredential)) {
1138
- return sum + 1;
1139
- }
1140
- return sum;
1141
- }, 0);
1142
- }
1143
989
  };
1144
990
  function convertDidMethod(didMethod, didPrefix) {
1145
991
  if (didPrefix === false) {
@@ -1149,11 +995,6 @@ function convertDidMethod(didMethod, didPrefix) {
1149
995
  }
1150
996
  __name(convertDidMethod, "convertDidMethod");
1151
997
 
1152
- // src/agent/DidAuthSiopOpAuthenticator.ts
1153
- import { PEX as PEX3, Status as Status2 } from "@sphereon/pex";
1154
- import { computeEntryHash } from "@veramo/utils";
1155
- import { DcqlQuery as DcqlQuery2 } from "dcql";
1156
-
1157
998
  // src/machine/Siopv2Machine.ts
1158
999
  import { assign, createMachine, interpret } from "xstate";
1159
1000
 
@@ -1199,8 +1040,8 @@ var Localization = class Localization2 {
1199
1040
  var translate = Localization.translate;
1200
1041
 
1201
1042
  // src/machine/Siopv2Machine.ts
1202
- import { Loggers as Loggers2 } from "@sphereon/ssi-types";
1203
- var logger2 = Loggers2.DEFAULT.get(LOGGER_NAMESPACE);
1043
+ import { Loggers as Loggers3 } from "@sphereon/ssi-types";
1044
+ var logger3 = Loggers3.DEFAULT.get(LOGGER_NAMESPACE);
1204
1045
  var Siopv2HasNoContactGuard = /* @__PURE__ */ __name((_ctx, _event) => {
1205
1046
  const { contact } = _ctx;
1206
1047
  return contact === void 0;
@@ -1221,7 +1062,7 @@ var Siopv2HasSelectableCredentialsAndContactGuard = /* @__PURE__ */ __name((_ctx
1221
1062
  if (!contact) {
1222
1063
  throw new Error("Missing contact request data in context");
1223
1064
  }
1224
- return authorizationRequestData.presentationDefinitions !== void 0;
1065
+ return authorizationRequestData.dcqlQuery !== void 0;
1225
1066
  }, "Siopv2HasSelectableCredentialsAndContactGuard");
1226
1067
  var Siopv2CreateContactGuard = /* @__PURE__ */ __name((_ctx, _event) => {
1227
1068
  const { contactAlias, hasContactConsent } = _ctx;
@@ -1232,7 +1073,7 @@ var Siopv2HasSelectedRequiredCredentialsGuard = /* @__PURE__ */ __name((_ctx, _e
1232
1073
  if (authorizationRequestData === void 0) {
1233
1074
  throw new Error("Missing authorization request data in context");
1234
1075
  }
1235
- if (authorizationRequestData.presentationDefinitions === void 0 || authorizationRequestData.presentationDefinitions.length === 0) {
1076
+ if (authorizationRequestData.dcqlQuery === void 0) {
1236
1077
  throw Error("No presentation definitions present");
1237
1078
  }
1238
1079
  return _ctx.selectedCredentials.length > 0;
@@ -1242,7 +1083,7 @@ var Siopv2IsSiopOnlyGuard = /* @__PURE__ */ __name((_ctx, _event) => {
1242
1083
  if (authorizationRequestData === void 0) {
1243
1084
  throw new Error("Missing authorization request data in context");
1244
1085
  }
1245
- return authorizationRequestData.presentationDefinitions === void 0;
1086
+ return authorizationRequestData.dcqlQuery === void 0;
1246
1087
  }, "Siopv2IsSiopOnlyGuard");
1247
1088
  var Siopv2IsSiopWithOID4VPGuard = /* @__PURE__ */ __name((_ctx, _event) => {
1248
1089
  const { authorizationRequestData, selectableCredentialsMap } = _ctx;
@@ -1252,7 +1093,7 @@ var Siopv2IsSiopWithOID4VPGuard = /* @__PURE__ */ __name((_ctx, _event) => {
1252
1093
  if (!selectableCredentialsMap) {
1253
1094
  throw new Error("Missing selectableCredentialsMap in context");
1254
1095
  }
1255
- return authorizationRequestData.presentationDefinitions !== void 0;
1096
+ return authorizationRequestData.dcqlQuery !== void 0;
1256
1097
  }, "Siopv2IsSiopWithOID4VPGuard");
1257
1098
  var createSiopv2Machine = /* @__PURE__ */ __name((opts) => {
1258
1099
  const { url, idOpts: idOpts2 } = opts;
@@ -1530,7 +1371,7 @@ var Siopv2Machine = class {
1530
1371
  __name(this, "Siopv2Machine");
1531
1372
  }
1532
1373
  static newInstance(opts) {
1533
- logger2.info("New Siopv2Machine instance");
1374
+ logger3.info("New Siopv2Machine instance");
1534
1375
  const interpreter = interpret(createSiopv2Machine(opts).withConfig({
1535
1376
  services: {
1536
1377
  ...opts?.services
@@ -1558,7 +1399,7 @@ var Siopv2Machine = class {
1558
1399
  });
1559
1400
  }
1560
1401
  interpreter.onTransition((snapshot) => {
1561
- logger2.info("onTransition to new state", snapshot.value);
1402
+ logger3.info("onTransition to new state", snapshot.value);
1562
1403
  });
1563
1404
  return {
1564
1405
  interpreter
@@ -1567,115 +1408,57 @@ var Siopv2Machine = class {
1567
1408
  };
1568
1409
 
1569
1410
  // src/services/Siopv2MachineService.ts
1570
- import { SupportedVersion as SupportedVersion2 } from "@sphereon/did-auth-siop";
1571
- import { PEX as PEX2 } from "@sphereon/pex";
1572
- import { isOID4VCIssuerIdentifier as isOID4VCIssuerIdentifier2 } from "@sphereon/ssi-sdk-ext.identifier-resolution";
1573
- import { verifiableCredentialForRoleFilter as verifiableCredentialForRoleFilter2 } from "@sphereon/ssi-sdk.credential-store";
1574
- import { ConnectionType, CredentialRole } from "@sphereon/ssi-sdk.data-store";
1575
- import { CredentialMapper as CredentialMapper4, Loggers as Loggers3 } from "@sphereon/ssi-types";
1576
1411
  import { getOrCreatePrimaryIdentifier, SupportedDidMethodEnum } from "@sphereon/ssi-sdk-ext.did-utils";
1577
- import { defaultHasher as defaultHasher2, encodeJoseBlob } from "@sphereon/ssi-sdk.core";
1412
+ import { isOID4VCIssuerIdentifier } from "@sphereon/ssi-sdk-ext.identifier-resolution";
1413
+ import { encodeJoseBlob } from "@sphereon/ssi-sdk.core";
1414
+ import { verifiableCredentialForRoleFilter } from "@sphereon/ssi-sdk.credential-store";
1415
+ import { ConnectionType } from "@sphereon/ssi-sdk.data-store-types";
1416
+ import { CredentialMapper as CredentialMapper4, CredentialRole, Loggers as Loggers4 } from "@sphereon/ssi-types";
1578
1417
  import { DcqlPresentation, DcqlQuery } from "dcql";
1579
1418
 
1580
1419
  // src/utils/dcql.ts
1581
1420
  import { CredentialMapper as CredentialMapper3 } from "@sphereon/ssi-types";
1421
+ import { Dcql } from "@sphereon/did-auth-siop";
1582
1422
 
1583
1423
  // src/utils/CredentialUtils.ts
1584
1424
  import { CredentialMapper as CredentialMapper2 } from "@sphereon/ssi-types";
1585
- var getOriginalVerifiableCredential = /* @__PURE__ */ __name((credential) => {
1586
- if (isUniqueDigitalCredential(credential)) {
1587
- if (!credential.originalVerifiableCredential) {
1588
- throw new Error("originalVerifiableCredential is not defined in UniqueDigitalCredential");
1589
- }
1590
- return getCredentialFromProofOrWrapped(credential.originalVerifiableCredential);
1591
- }
1592
- return getCredentialFromProofOrWrapped(credential);
1593
- }, "getOriginalVerifiableCredential");
1594
- var getCredentialFromProofOrWrapped = /* @__PURE__ */ __name((cred, hasher) => {
1595
- if (typeof cred === "object" && "proof" in cred && "jwt" in cred.proof && CredentialMapper2.isSdJwtEncoded(cred.proof.jwt)) {
1596
- return cred.proof.jwt;
1597
- }
1598
- return CredentialMapper2.toWrappedVerifiableCredential(cred, {
1599
- hasher
1600
- }).original;
1601
- }, "getCredentialFromProofOrWrapped");
1602
1425
  var isUniqueDigitalCredential = /* @__PURE__ */ __name((credential) => {
1603
1426
  return credential.digitalCredential !== void 0;
1604
1427
  }, "isUniqueDigitalCredential");
1605
1428
 
1606
1429
  // src/utils/dcql.ts
1607
1430
  function convertToDcqlCredentials(credential, hasher) {
1608
- let payload;
1431
+ let originalVerifiableCredential;
1609
1432
  if (isUniqueDigitalCredential(credential)) {
1610
1433
  if (!credential.originalVerifiableCredential) {
1611
1434
  throw new Error("originalVerifiableCredential is not defined in UniqueDigitalCredential");
1612
1435
  }
1613
- payload = CredentialMapper3.decodeVerifiableCredential(credential.originalVerifiableCredential, hasher);
1436
+ originalVerifiableCredential = CredentialMapper3.decodeVerifiableCredential(credential.originalVerifiableCredential, hasher);
1614
1437
  } else {
1615
- payload = CredentialMapper3.decodeVerifiableCredential(credential, hasher);
1438
+ originalVerifiableCredential = CredentialMapper3.decodeVerifiableCredential(credential, hasher);
1616
1439
  }
1617
- if (!payload) {
1440
+ if (!originalVerifiableCredential) {
1618
1441
  throw new Error("No payload found");
1619
1442
  }
1620
- if ("decodedPayload" in payload && payload.decodedPayload) {
1621
- payload = payload.decodedPayload;
1622
- }
1623
- if ("vct" in payload) {
1624
- return {
1625
- vct: payload.vct,
1626
- claims: payload,
1627
- credential_format: "dc+sd-jwt"
1628
- };
1629
- } else if ("docType" in payload && "namespaces" in payload) {
1630
- return {
1631
- docType: payload.docType,
1632
- namespaces: payload.namespaces,
1633
- claims: payload
1634
- };
1635
- } else {
1636
- return {
1637
- claims: payload,
1638
- credential_format: "jwt_vc_json"
1639
- };
1443
+ if (CredentialMapper3.isJwtDecodedCredential(originalVerifiableCredential)) {
1444
+ return Dcql.toDcqlJwtCredential(CredentialMapper3.toWrappedVerifiableCredential(originalVerifiableCredential));
1445
+ } else if (CredentialMapper3.isSdJwtDecodedCredential(originalVerifiableCredential)) {
1446
+ return Dcql.toDcqlSdJwtCredential(CredentialMapper3.toWrappedVerifiableCredential(originalVerifiableCredential));
1447
+ } else if (CredentialMapper3.isMsoMdocDecodedCredential(originalVerifiableCredential)) {
1448
+ return Dcql.toDcqlMdocCredential(CredentialMapper3.toWrappedVerifiableCredential(originalVerifiableCredential));
1449
+ } else if (CredentialMapper3.isW3cCredential(originalVerifiableCredential)) {
1450
+ return Dcql.toDcqlJsonLdCredential(CredentialMapper3.toWrappedVerifiableCredential(originalVerifiableCredential));
1640
1451
  }
1452
+ throw Error(`Unable to map credential to DCQL credential. Credential: ${JSON.stringify(originalVerifiableCredential)}`);
1641
1453
  }
1642
1454
  __name(convertToDcqlCredentials, "convertToDcqlCredentials");
1643
1455
 
1644
1456
  // src/services/Siopv2MachineService.ts
1645
- var logger3 = Loggers3.DEFAULT.get(LOGGER_NAMESPACE);
1646
- var createEbsiIdentifier = /* @__PURE__ */ __name(async (agentContext) => {
1647
- logger3.log(`No EBSI key present yet. Creating a new one...`);
1648
- const { result: newIdentifier, created } = await getOrCreatePrimaryIdentifier(agentContext, {
1649
- method: SupportedDidMethodEnum.DID_KEY,
1650
- createOpts: {
1651
- options: {
1652
- codecName: "jwk_jcs-pub",
1653
- type: "Secp256r1"
1654
- }
1655
- }
1656
- });
1657
- logger3.log(`EBSI key created: ${newIdentifier.did}`);
1658
- if (created) {
1659
- await agentContext.agent.emit(Siopv2HolderEvent.IDENTIFIER_CREATED, {
1660
- result: newIdentifier
1661
- });
1662
- }
1663
- return await agentContext.agent.identifierManagedGetByDid({
1664
- identifier: newIdentifier.did
1665
- });
1666
- }, "createEbsiIdentifier");
1667
- var hasEbsiClient = /* @__PURE__ */ __name(async (authorizationRequest) => {
1668
- const clientId = await authorizationRequest.getMergedProperty("client_id");
1669
- const redirectUri = await authorizationRequest.getMergedProperty("redirect_uri");
1670
- return clientId?.toLowerCase().includes(".ebsi.eu") || redirectUri?.toLowerCase().includes(".ebsi.eu");
1671
- }, "hasEbsiClient");
1457
+ var CLOCK_SKEW2 = 120;
1458
+ var logger4 = Loggers4.DEFAULT.get(LOGGER_NAMESPACE);
1672
1459
  var siopSendAuthorizationResponse = /* @__PURE__ */ __name(async (connectionType, args, context) => {
1673
1460
  const { agent } = context;
1674
- const agentContext = {
1675
- ...context,
1676
- agent: context.agent
1677
- };
1678
- let { idOpts: idOpts2, isFirstParty, hasher = defaultHasher2 } = args;
1461
+ const { credentials } = args;
1679
1462
  if (connectionType !== ConnectionType.SIOPv2_OpenID4VP) {
1680
1463
  return Promise.reject(Error(`No supported authentication provider for type: ${connectionType}`));
1681
1464
  }
@@ -1683,252 +1466,154 @@ var siopSendAuthorizationResponse = /* @__PURE__ */ __name(async (connectionType
1683
1466
  sessionId: args.sessionId
1684
1467
  });
1685
1468
  const request = await session.getAuthorizationRequest();
1686
- const aud = await request.authorizationRequest.getMergedProperty("aud");
1687
- logger3.debug(`AUD: ${aud}`);
1688
- logger3.debug(JSON.stringify(request.authorizationRequest));
1689
- let presentationsAndDefs;
1690
- let presentationSubmission;
1691
- if (await session.hasPresentationDefinitions()) {
1692
- const oid4vp = await session.getOID4VP({
1693
- hasher
1694
- });
1695
- const credentialsAndDefinitions = args.verifiableCredentialsWithDefinition ? args.verifiableCredentialsWithDefinition : await oid4vp.filterCredentialsAgainstAllDefinitions(CredentialRole.HOLDER);
1696
- const domain = await request.authorizationRequest.getMergedProperty("client_id") ?? request.issuer ?? (request.versions.includes(SupportedVersion2.JWT_VC_PRESENTATION_PROFILE_v1) ? "https://self-issued.me/v2/openid-vc" : "https://self-issued.me/v2");
1697
- logger3.log(`NONCE: ${session.nonce}, domain: ${domain}`);
1698
- const firstUniqueDC = credentialsAndDefinitions[0].credentials[0];
1699
- if (typeof firstUniqueDC !== "object" || !("digitalCredential" in firstUniqueDC)) {
1700
- return Promise.reject(Error("SiopMachine only supports UniqueDigitalCredentials for now"));
1469
+ const aud = request.authorizationRequest.getMergedProperty("aud");
1470
+ logger4.debug(`AUD: ${aud}`);
1471
+ logger4.debug(JSON.stringify(request.authorizationRequest));
1472
+ const domain = await request.authorizationRequest.getMergedProperty("client_id") ?? request.issuer ?? "https://self-issued.me/v2";
1473
+ logger4.debug(`NONCE: ${session.nonce}, domain: ${domain}`);
1474
+ const firstUniqueDC = credentials[0];
1475
+ if (typeof firstUniqueDC !== "object" || !("digitalCredential" in firstUniqueDC)) {
1476
+ return Promise.reject(Error("SiopMachine only supports UniqueDigitalCredentials for now"));
1477
+ }
1478
+ let identifier;
1479
+ const digitalCredential = firstUniqueDC.digitalCredential;
1480
+ const firstVC = firstUniqueDC.uniformVerifiableCredential;
1481
+ let holder;
1482
+ if (CredentialMapper4.isSdJwtDecodedCredential(firstVC)) {
1483
+ holder = firstVC.decodedPayload.cnf?.jwk ? `did:jwk:${encodeJoseBlob(firstVC.decodedPayload.cnf?.jwk)}#0` : firstVC.decodedPayload.sub;
1484
+ } else {
1485
+ holder = Array.isArray(firstVC.credentialSubject) ? firstVC.credentialSubject[0].id : firstVC.credentialSubject.id;
1486
+ }
1487
+ if (!digitalCredential.kmsKeyRef) {
1488
+ if (!holder) {
1489
+ return Promise.reject(`No holder found and no kmsKeyRef in DB. Cannot determine identifier to use`);
1701
1490
  }
1702
- let identifier;
1703
- const digitalCredential = firstUniqueDC.digitalCredential;
1704
- const firstVC = firstUniqueDC.uniformVerifiableCredential;
1705
- const holder = CredentialMapper4.isSdJwtDecodedCredential(firstVC) ? firstVC.decodedPayload.cnf?.jwk ? (
1706
- //doesn't apply to did:jwk only, as you can represent any DID key as a JWK. So whenever you encounter a JWK it doesn't mean it had to come from a did:jwk in the system. It just can always be represented as a did:jwk
1707
- `did:jwk:${encodeJoseBlob(firstVC.decodedPayload.cnf?.jwk)}#0`
1708
- ) : firstVC.decodedPayload.sub : Array.isArray(firstVC.credentialSubject) ? firstVC.credentialSubject[0].id : firstVC.credentialSubject.id;
1709
- if (!digitalCredential.kmsKeyRef) {
1710
- if (!holder) {
1711
- return Promise.reject(`No holder found and no kmsKeyRef in DB. Cannot determine identifier to use`);
1712
- }
1713
- try {
1714
- identifier = await session.context.agent.identifierManagedGet({
1715
- identifier: holder
1716
- });
1717
- } catch (e) {
1718
- logger3.debug(`Holder DID not found: ${holder}`);
1719
- throw e;
1720
- }
1721
- } else if (isOID4VCIssuerIdentifier2(digitalCredential.kmsKeyRef)) {
1722
- identifier = await session.context.agent.identifierManagedGetByOID4VCIssuer({
1723
- identifier: firstUniqueDC.digitalCredential.kmsKeyRef
1491
+ try {
1492
+ identifier = await session.context.agent.identifierManagedGet({
1493
+ identifier: holder
1724
1494
  });
1725
- } else {
1726
- switch (digitalCredential.subjectCorrelationType) {
1727
- case "DID":
1728
- identifier = await session.context.agent.identifierManagedGetByDid({
1729
- identifier: digitalCredential.subjectCorrelationId ?? holder,
1730
- kmsKeyRef: digitalCredential.kmsKeyRef
1731
- });
1732
- break;
1733
- // TODO other implementations?
1734
- default:
1735
- if (digitalCredential.subjectCorrelationId?.startsWith("did:") || holder?.startsWith("did:")) {
1736
- identifier = await session.context.agent.identifierManagedGetByDid({
1737
- identifier: digitalCredential.subjectCorrelationId ?? holder,
1738
- kmsKeyRef: digitalCredential.kmsKeyRef
1739
- });
1740
- } else {
1741
- identifier = await session.context.agent.identifierManagedGetByKid({
1742
- identifier: digitalCredential.subjectCorrelationId ?? holder ?? digitalCredential.kmsKeyRef,
1743
- kmsKeyRef: digitalCredential.kmsKeyRef
1744
- });
1745
- }
1746
- }
1747
- }
1748
- if (identifier === void 0 && idOpts2 !== void 0 && await hasEbsiClient(request.authorizationRequest)) {
1749
- identifier = await createEbsiIdentifier(agentContext);
1750
- }
1751
- logger3.debug(`Identifier`, identifier);
1752
- presentationsAndDefs = await oid4vp.createVerifiablePresentations(CredentialRole.HOLDER, credentialsAndDefinitions, {
1753
- idOpts: identifier,
1754
- proofOpts: {
1755
- nonce: session.nonce,
1756
- domain
1757
- }
1758
- });
1759
- if (!presentationsAndDefs || presentationsAndDefs.length === 0) {
1760
- throw Error("No verifiable presentations could be created");
1761
- } else if (presentationsAndDefs.length > 1) {
1762
- throw Error(`Only one verifiable presentation supported for now. Got ${presentationsAndDefs.length}`);
1495
+ } catch (e) {
1496
+ logger4.debug(`Holder DID not found: ${holder}`);
1497
+ throw e;
1763
1498
  }
1764
- idOpts2 = presentationsAndDefs[0].idOpts;
1765
- presentationSubmission = presentationsAndDefs[0].presentationSubmission;
1766
- logger3.log(`Definitions and locations:`, JSON.stringify(presentationsAndDefs?.[0]?.verifiablePresentations, null, 2));
1767
- logger3.log(`Presentation Submission:`, JSON.stringify(presentationSubmission, null, 2));
1768
- const mergedVerifiablePresentations = presentationsAndDefs?.flatMap((pd) => pd.verifiablePresentations) || [];
1769
- return await session.sendAuthorizationResponse({
1770
- ...presentationsAndDefs && {
1771
- verifiablePresentations: mergedVerifiablePresentations
1772
- },
1773
- ...presentationSubmission && {
1774
- presentationSubmission
1775
- },
1776
- // todo: Change issuer value in case we do not use identifier. Use key.meta.jwkThumbprint then
1777
- responseSignerOpts: idOpts2,
1778
- isFirstParty
1499
+ } else if (isOID4VCIssuerIdentifier(digitalCredential.kmsKeyRef)) {
1500
+ identifier = await session.context.agent.identifierManagedGetByOID4VCIssuer({
1501
+ identifier: firstUniqueDC.digitalCredential.kmsKeyRef
1779
1502
  });
1780
- } else if (request.dcqlQuery) {
1781
- if (args.verifiableCredentialsWithDefinition !== void 0 && args.verifiableCredentialsWithDefinition !== null) {
1782
- const vcs = args.verifiableCredentialsWithDefinition.flatMap((vcd) => vcd.credentials);
1783
- const domain = await request.authorizationRequest.getMergedProperty("client_id") ?? request.issuer ?? (request.versions.includes(SupportedVersion2.JWT_VC_PRESENTATION_PROFILE_v1) ? "https://self-issued.me/v2/openid-vc" : "https://self-issued.me/v2");
1784
- logger3.debug(`NONCE: ${session.nonce}, domain: ${domain}`);
1785
- const firstUniqueDC = vcs[0];
1786
- if (typeof firstUniqueDC !== "object" || !("digitalCredential" in firstUniqueDC)) {
1787
- return Promise.reject(Error("SiopMachine only supports UniqueDigitalCredentials for now"));
1788
- }
1789
- let identifier;
1790
- const digitalCredential = firstUniqueDC.digitalCredential;
1791
- const firstVC = firstUniqueDC.uniformVerifiableCredential;
1792
- const holder = CredentialMapper4.isSdJwtDecodedCredential(firstVC) ? firstVC.decodedPayload.cnf?.jwk ? (
1793
- //doesn't apply to did:jwk only, as you can represent any DID key as a JWK. So whenever you encounter a JWK it doesn't mean it had to come from a did:jwk in the system. It just can always be represented as a did:jwk
1794
- `did:jwk:${encodeJoseBlob(firstVC.decodedPayload.cnf?.jwk)}#0`
1795
- ) : firstVC.decodedPayload.sub : Array.isArray(firstVC.credentialSubject) ? firstVC.credentialSubject[0].id : firstVC.credentialSubject.id;
1796
- if (!digitalCredential.kmsKeyRef) {
1797
- if (!holder) {
1798
- return Promise.reject(`No holder found and no kmsKeyRef in DB. Cannot determine identifier to use`);
1799
- }
1800
- try {
1801
- identifier = await session.context.agent.identifierManagedGet({
1802
- identifier: holder
1803
- });
1804
- } catch (e) {
1805
- logger3.debug(`Holder DID not found: ${holder}`);
1806
- throw e;
1807
- }
1808
- } else if (isOID4VCIssuerIdentifier2(digitalCredential.kmsKeyRef)) {
1809
- identifier = await session.context.agent.identifierManagedGetByOID4VCIssuer({
1810
- identifier: firstUniqueDC.digitalCredential.kmsKeyRef
1503
+ } else {
1504
+ switch (digitalCredential.subjectCorrelationType) {
1505
+ case "DID":
1506
+ identifier = await session.context.agent.identifierManagedGetByDid({
1507
+ identifier: digitalCredential.subjectCorrelationId ?? holder,
1508
+ kmsKeyRef: digitalCredential.kmsKeyRef
1811
1509
  });
1812
- } else {
1813
- switch (digitalCredential.subjectCorrelationType) {
1814
- case "DID":
1815
- identifier = await session.context.agent.identifierManagedGetByDid({
1816
- identifier: digitalCredential.subjectCorrelationId ?? holder,
1817
- kmsKeyRef: digitalCredential.kmsKeyRef
1818
- });
1819
- break;
1820
- // TODO other implementations?
1821
- default:
1822
- identifier = await session.context.agent.identifierManagedGetByKid({
1823
- identifier: digitalCredential.subjectCorrelationId ?? holder ?? digitalCredential.kmsKeyRef,
1824
- kmsKeyRef: digitalCredential.kmsKeyRef
1825
- });
1826
- }
1827
- }
1828
- console.log(`Identifier`, identifier);
1829
- const dcqlRepresentations = [];
1830
- vcs.forEach((vc) => {
1831
- const rep = convertToDcqlCredentials(vc, args.hasher);
1832
- if (rep) {
1833
- dcqlRepresentations.push(rep);
1834
- }
1835
- });
1836
- const queryResult = DcqlQuery.query(request.dcqlQuery, dcqlRepresentations);
1837
- const presentation = {};
1838
- for (const [key, value] of Object.entries(queryResult.credential_matches)) {
1839
- const allMatches = Array.isArray(value) ? value : [
1840
- value
1841
- ];
1842
- allMatches.forEach((match) => {
1843
- if (match.success) {
1844
- const originalCredential = getOriginalVerifiableCredential(vcs[match.input_credential_index]);
1845
- if (!originalCredential) {
1846
- throw new Error(`Index ${match.input_credential_index} out of range in credentials array`);
1847
- }
1848
- presentation[key] = originalCredential["compactSdJwtVc"] !== void 0 ? originalCredential.compactSdJwtVc : originalCredential;
1849
- }
1510
+ break;
1511
+ // TODO other implementations?
1512
+ default:
1513
+ identifier = await session.context.agent.identifierManagedGetByKid({
1514
+ identifier: digitalCredential.subjectCorrelationId ?? holder ?? digitalCredential.kmsKeyRef,
1515
+ kmsKeyRef: digitalCredential.kmsKeyRef
1850
1516
  });
1517
+ }
1518
+ }
1519
+ const dcqlCredentialsWithCredentials = new Map(credentials.map((vc) => [
1520
+ convertToDcqlCredentials(vc),
1521
+ vc
1522
+ ]));
1523
+ const queryResult = DcqlQuery.query(request.dcqlQuery, Array.from(dcqlCredentialsWithCredentials.keys()));
1524
+ if (!queryResult.can_be_satisfied) {
1525
+ return Promise.reject(Error("Credentials do not match required query request"));
1526
+ }
1527
+ const presentationContext = {
1528
+ nonce: request.requestObject?.getPayload()?.nonce ?? session.nonce,
1529
+ audience: domain,
1530
+ agent: context.agent,
1531
+ clockSkew: CLOCK_SKEW2,
1532
+ hasher: args.hasher
1533
+ };
1534
+ const presentation = {};
1535
+ const uniqueCredentials = Array.from(dcqlCredentialsWithCredentials.values());
1536
+ for (const [key, value] of Object.entries(queryResult.credential_matches)) {
1537
+ if (value.success) {
1538
+ const matchedCredentials = value.valid_credentials.map((cred) => uniqueCredentials[cred.input_credential_index]);
1539
+ const vc = matchedCredentials[0];
1540
+ if (!vc) {
1541
+ continue;
1542
+ }
1543
+ try {
1544
+ const vp = await createVerifiablePresentationForFormat(vc, identifier, presentationContext);
1545
+ presentation[key] = vp;
1546
+ } catch (error) {
1547
+ logger4.error(`Failed to create VP for credential ${key}:`, error);
1548
+ throw error;
1851
1549
  }
1852
- const response = session.sendAuthorizationResponse({
1853
- responseSignerOpts: identifier,
1854
- ...{
1855
- dcqlQuery: {
1856
- dcqlPresentation: DcqlPresentation.parse(presentation)
1857
- }
1858
- }
1859
- });
1860
- logger3.debug(`Response: `, response);
1861
- return response;
1862
1550
  }
1863
1551
  }
1864
- throw Error("Presentation Definition or DCQL is required");
1552
+ const dcqlPresentation = DcqlPresentation.parse(presentation);
1553
+ const response = session.sendAuthorizationResponse({
1554
+ responseSignerOpts: identifier,
1555
+ dcqlResponse: {
1556
+ dcqlPresentation
1557
+ }
1558
+ });
1559
+ logger4.debug(`Response: `, response);
1560
+ return response;
1865
1561
  }, "siopSendAuthorizationResponse");
1866
- function buildPartialPD(inputDescriptor, presentationDefinition) {
1867
- return {
1868
- ...presentationDefinition,
1869
- input_descriptors: [
1870
- inputDescriptor
1871
- ]
1872
- };
1873
- }
1874
- __name(buildPartialPD, "buildPartialPD");
1875
- var getSelectableCredentials = /* @__PURE__ */ __name(async (presentationDefinition, context) => {
1562
+ var getSelectableCredentials = /* @__PURE__ */ __name(async (dcqlQuery, context) => {
1876
1563
  const agentContext = {
1877
1564
  ...context,
1878
1565
  agent: context.agent
1879
1566
  };
1880
1567
  const { agent } = agentContext;
1881
- const pex = new PEX2();
1882
1568
  const uniqueVerifiableCredentials = await agent.crsGetUniqueCredentials({
1883
- filter: verifiableCredentialForRoleFilter2(CredentialRole.HOLDER)
1569
+ filter: verifiableCredentialForRoleFilter(CredentialRole.HOLDER)
1884
1570
  });
1885
- const credentialBranding = await agent.ibGetCredentialBranding();
1571
+ const branding = await agent.ibGetCredentialBranding();
1572
+ const dcqlCredentialsWithCredentials = new Map(uniqueVerifiableCredentials.map((vc) => [
1573
+ convertToDcqlCredentials(vc),
1574
+ vc
1575
+ ]));
1576
+ const queryResult = DcqlQuery.query(dcqlQuery, Array.from(dcqlCredentialsWithCredentials.keys()));
1577
+ const uniqueCredentials = Array.from(dcqlCredentialsWithCredentials.values());
1886
1578
  const selectableCredentialsMap = /* @__PURE__ */ new Map();
1887
- for (const inputDescriptor of presentationDefinition.input_descriptors) {
1888
- const partialPD = buildPartialPD(inputDescriptor, presentationDefinition);
1889
- const originalCredentials = uniqueVerifiableCredentials.map((uniqueVC) => {
1890
- return CredentialMapper4.storedCredentialToOriginalFormat(uniqueVC.originalVerifiableCredential);
1891
- });
1892
- const selectionResults = pex.selectFrom(partialPD, originalCredentials);
1893
- const selectableCredentials = [];
1894
- for (const selectedCredential of selectionResults.verifiableCredential || []) {
1895
- const filteredUniqueVC = uniqueVerifiableCredentials.find((uniqueVC) => {
1896
- const proof = uniqueVC.uniformVerifiableCredential.proof;
1897
- return Array.isArray(proof) ? proof.some((proofItem) => proofItem.jwt === selectedCredential) : proof.jwt === selectedCredential;
1898
- });
1899
- if (filteredUniqueVC) {
1900
- const filteredCredentialBrandings = credentialBranding.filter((cb) => cb.vcHash === filteredUniqueVC.hash);
1901
- const issuerPartyIdentity = await agent.cmGetContacts({
1902
- filter: [
1903
- {
1904
- identities: {
1905
- identifier: {
1906
- correlationId: filteredUniqueVC.uniformVerifiableCredential.issuerDid
1907
- }
1579
+ for (const [key, value] of Object.entries(queryResult.credential_matches)) {
1580
+ if (!value.valid_credentials) {
1581
+ continue;
1582
+ }
1583
+ const mapSelectableCredentialPromises = value.valid_credentials.map(async (cred) => {
1584
+ const matchedCredential = uniqueCredentials[cred.input_credential_index];
1585
+ const credentialBranding = branding.filter((cb) => cb.vcHash === matchedCredential.hash);
1586
+ const issuerPartyIdentity = await agent.cmGetContacts({
1587
+ filter: [
1588
+ {
1589
+ identities: {
1590
+ identifier: {
1591
+ correlationId: matchedCredential.uniformVerifiableCredential.issuerDid
1908
1592
  }
1909
1593
  }
1910
- ]
1911
- });
1912
- const subjectPartyIdentity = await agent.cmGetContacts({
1913
- filter: [
1914
- {
1915
- identities: {
1916
- identifier: {
1917
- correlationId: filteredUniqueVC.uniformVerifiableCredential.subjectDid
1918
- }
1594
+ }
1595
+ ]
1596
+ });
1597
+ const subjectPartyIdentity = await agent.cmGetContacts({
1598
+ filter: [
1599
+ {
1600
+ identities: {
1601
+ identifier: {
1602
+ correlationId: matchedCredential.uniformVerifiableCredential.subjectDid
1919
1603
  }
1920
1604
  }
1921
- ]
1922
- });
1923
- selectableCredentials.push({
1924
- credential: filteredUniqueVC,
1925
- credentialBranding: filteredCredentialBrandings[0]?.localeBranding,
1926
- issuerParty: issuerPartyIdentity?.[0],
1927
- subjectParty: subjectPartyIdentity?.[0]
1928
- });
1929
- }
1930
- }
1931
- selectableCredentialsMap.set(inputDescriptor.id, selectableCredentials);
1605
+ }
1606
+ ]
1607
+ });
1608
+ return {
1609
+ credential: matchedCredential,
1610
+ credentialBranding: credentialBranding[0]?.localeBranding,
1611
+ issuerParty: issuerPartyIdentity?.[0],
1612
+ subjectParty: subjectPartyIdentity?.[0]
1613
+ };
1614
+ });
1615
+ const selectableCredentials = await Promise.all(mapSelectableCredentialPromises);
1616
+ selectableCredentialsMap.set(key, selectableCredentials);
1932
1617
  }
1933
1618
  return selectableCredentialsMap;
1934
1619
  }, "getSelectableCredentials");
@@ -1952,7 +1637,7 @@ var translateCorrelationIdToName = /* @__PURE__ */ __name(async (correlationId,
1952
1637
  }, "translateCorrelationIdToName");
1953
1638
 
1954
1639
  // src/agent/DidAuthSiopOpAuthenticator.ts
1955
- var logger4 = Loggers4.DEFAULT.options(LOGGER_NAMESPACE, {}).get(LOGGER_NAMESPACE);
1640
+ var logger5 = Loggers5.DEFAULT.options(LOGGER_NAMESPACE, {}).get(LOGGER_NAMESPACE);
1956
1641
  var didAuthSiopOpAuthenticatorMethods = [
1957
1642
  "cmGetContacts",
1958
1643
  "cmGetContact",
@@ -1969,7 +1654,7 @@ var DidAuthSiopOpAuthenticator = class {
1969
1654
  static {
1970
1655
  __name(this, "DidAuthSiopOpAuthenticator");
1971
1656
  }
1972
- schema = schema.IDidAuthSiopOpAuthenticator;
1657
+ schema = plugin_schema_default.IDidAuthSiopOpAuthenticator;
1973
1658
  methods = {
1974
1659
  siopGetOPSession: this.siopGetOPSession.bind(this),
1975
1660
  siopRegisterOPSession: this.siopRegisterOPSession.bind(this),
@@ -2106,13 +1791,13 @@ var DidAuthSiopOpAuthenticator = class {
2106
1791
  hasher: this.hasher
2107
1792
  }
2108
1793
  }));
2109
- logger4.debug(`session: ${JSON.stringify(session.id, null, 2)}`);
1794
+ logger5.debug(`session: ${JSON.stringify(session.id, null, 2)}`);
2110
1795
  const verifiedAuthorizationRequest = await session.getAuthorizationRequest();
2111
1796
  const clientName = verifiedAuthorizationRequest.registrationMetadataPayload?.client_name;
2112
1797
  const url = verifiedAuthorizationRequest.responseURI ?? (args.url.includes("request_uri") ? decodeURIComponent(args.url.split("?request_uri=")[1].trim()) : verifiedAuthorizationRequest.issuer ?? verifiedAuthorizationRequest.registrationMetadataPayload?.client_id);
2113
- const uri = url.includes("://") ? new URL(url) : void 0;
1798
+ const uri = url?.includes("://") ? new URL(url) : void 0;
2114
1799
  const correlationId = uri?.hostname ?? await this.determineCorrelationId(uri, verifiedAuthorizationRequest, clientName, context);
2115
- const clientId = await verifiedAuthorizationRequest.authorizationRequest.getMergedProperty("client_id");
1800
+ const clientId = verifiedAuthorizationRequest.authorizationRequest.getMergedProperty("client_id");
2116
1801
  return {
2117
1802
  issuer: verifiedAuthorizationRequest.issuer,
2118
1803
  correlationId,
@@ -2120,7 +1805,6 @@ var DidAuthSiopOpAuthenticator = class {
2120
1805
  uri,
2121
1806
  name: clientName,
2122
1807
  clientId,
2123
- presentationDefinitions: await verifiedAuthorizationRequest.authorizationRequest.containsResponseType("vp_token") || verifiedAuthorizationRequest.versions.every((version) => version <= SupportedVersion3.JWT_VC_PRESENTATION_PROFILE_v1) && verifiedAuthorizationRequest.presentationDefinitions && verifiedAuthorizationRequest.presentationDefinitions.length > 0 ? verifiedAuthorizationRequest.presentationDefinitions : void 0,
2124
1808
  dcqlQuery: verifiedAuthorizationRequest.dcqlQuery
2125
1809
  };
2126
1810
  }
@@ -2186,7 +1870,7 @@ var DidAuthSiopOpAuthenticator = class {
2186
1870
  contactId: contact.id,
2187
1871
  identity: addedIdentity
2188
1872
  });
2189
- logger4.info(`Contact identity created: ${JSON.stringify(addedIdentity)}`);
1873
+ logger5.info(`Contact identity created: ${JSON.stringify(addedIdentity)}`);
2190
1874
  }
2191
1875
  }
2192
1876
  async siopSendResponse(args, context) {
@@ -2197,75 +1881,14 @@ var DidAuthSiopOpAuthenticator = class {
2197
1881
  if (authorizationRequestData === void 0) {
2198
1882
  return Promise.reject(Error("Missing authorization request data in context"));
2199
1883
  }
2200
- const pex = new PEX3({
2201
- hasher: this.hasher
2202
- });
2203
- const verifiableCredentialsWithDefinition = [];
2204
- const dcqlCredentialsWithCredentials = /* @__PURE__ */ new Map();
2205
- if (Array.isArray(authorizationRequestData.presentationDefinitions) && authorizationRequestData?.presentationDefinitions.length > 0) {
2206
- try {
2207
- authorizationRequestData.presentationDefinitions?.forEach((presentationDefinition) => {
2208
- const { areRequiredCredentialsPresent, verifiableCredential: verifiableCredentials } = pex.selectFrom(presentationDefinition.definition, selectedCredentials.map((udc) => udc.originalVerifiableCredential));
2209
- if (areRequiredCredentialsPresent !== Status2.ERROR && verifiableCredentials) {
2210
- let uniqueDigitalCredentials = [];
2211
- uniqueDigitalCredentials = verifiableCredentials.map((vc) => {
2212
- const hash = typeof vc === "string" ? computeEntryHash(vc.split("~"[0])) : computeEntryHash(vc);
2213
- const udc = selectedCredentials.find((udc2) => udc2.hash == hash || udc2.originalVerifiableCredential == vc);
2214
- if (!udc) {
2215
- throw Error(`UniqueDigitalCredential could not be found in store. Either the credential is not present in the store or the hash is not correct.`);
2216
- }
2217
- return udc;
2218
- });
2219
- verifiableCredentialsWithDefinition.push({
2220
- definition: presentationDefinition,
2221
- credentials: uniqueDigitalCredentials
2222
- });
2223
- }
2224
- });
2225
- } catch (e) {
2226
- return Promise.reject(e);
2227
- }
2228
- if (verifiableCredentialsWithDefinition.length === 0) {
2229
- return Promise.reject(Error("None of the selected credentials match any of the presentation definitions."));
2230
- }
2231
- } else if (authorizationRequestData.dcqlQuery) {
2232
- if (this.hasMDocCredentials(selectedCredentials) || this.hasSdJwtCredentials(selectedCredentials)) {
2233
- try {
2234
- selectedCredentials.forEach((vc) => {
2235
- if (this.isSdJwtCredential(vc)) {
2236
- const payload = vc.originalVerifiableCredential.decodedPayload;
2237
- const result = {
2238
- claims: payload,
2239
- vct: payload.vct,
2240
- credential_format: "dc+sd-jwt"
2241
- };
2242
- dcqlCredentialsWithCredentials.set(result, vc);
2243
- } else {
2244
- throw Error(`Invalid credential format: ${vc.digitalCredential.documentFormat}`);
2245
- }
2246
- });
2247
- } catch (e) {
2248
- return Promise.reject(e);
2249
- }
2250
- const dcqlPresentationRecord = {};
2251
- const queryResult = DcqlQuery2.query(authorizationRequestData.dcqlQuery, Array.from(dcqlCredentialsWithCredentials.keys()));
2252
- for (const [key, value] of Object.entries(queryResult.credential_matches)) {
2253
- if (value.success) {
2254
- dcqlPresentationRecord[key] = this.retrieveEncodedCredential(dcqlCredentialsWithCredentials.get(value.output));
2255
- }
2256
- }
2257
- }
2258
- }
2259
1884
  const response = await siopSendAuthorizationResponse(ConnectionType2.SIOPv2_OpenID4VP, {
2260
1885
  sessionId: didAuthConfig.sessionId,
2261
1886
  ...args.idOpts && {
2262
1887
  idOpts: args.idOpts
2263
1888
  },
2264
- ...authorizationRequestData.presentationDefinitions !== void 0 && {
2265
- verifiableCredentialsWithDefinition
2266
- },
2267
1889
  isFirstParty,
2268
- hasher: this.hasher
1890
+ hasher: this.hasher,
1891
+ credentials: selectedCredentials
2269
1892
  }, context);
2270
1893
  const contentType = response.headers.get("content-type") || "";
2271
1894
  let responseBody = null;
@@ -2279,36 +1902,18 @@ var DidAuthSiopOpAuthenticator = class {
2279
1902
  queryParams: decodeUriAsJson(response?.url)
2280
1903
  };
2281
1904
  }
2282
- hasMDocCredentials = /* @__PURE__ */ __name((credentials) => {
2283
- return credentials.some(this.isMDocCredential);
2284
- }, "hasMDocCredentials");
2285
- isMDocCredential = /* @__PURE__ */ __name((credential) => {
2286
- return credential.digitalCredential.documentFormat === CredentialDocumentFormat.MSO_MDOC && credential.digitalCredential.documentType === DocumentType.VC;
2287
- }, "isMDocCredential");
2288
- hasSdJwtCredentials = /* @__PURE__ */ __name((credentials) => {
2289
- return credentials.some(this.isSdJwtCredential);
2290
- }, "hasSdJwtCredentials");
2291
- isSdJwtCredential = /* @__PURE__ */ __name((credential) => {
2292
- return credential.digitalCredential.documentFormat === CredentialDocumentFormat.SD_JWT && credential.digitalCredential.documentType === DocumentType.VC;
2293
- }, "isSdJwtCredential");
2294
- retrieveEncodedCredential = /* @__PURE__ */ __name((credential) => {
2295
- return credential.originalVerifiableCredential !== void 0 && credential.originalVerifiableCredential !== null && credential?.originalVerifiableCredential?.compactSdJwtVc !== void 0 && credential?.originalVerifiableCredential?.compactSdJwtVc !== null ? credential.originalVerifiableCredential.compactSdJwtVc : credential.originalVerifiableCredential;
2296
- }, "retrieveEncodedCredential");
2297
1905
  async siopGetSelectableCredentials(args, context) {
2298
1906
  const { authorizationRequestData } = args;
2299
- if (!authorizationRequestData || !authorizationRequestData.presentationDefinitions || authorizationRequestData.presentationDefinitions.length === 0) {
2300
- return Promise.reject(Error("Missing required fields in arguments or context"));
1907
+ if (!authorizationRequestData?.dcqlQuery) {
1908
+ return Promise.reject(Error("Missing required dcql query in context"));
2301
1909
  }
2302
- if (authorizationRequestData.presentationDefinitions.length > 1) {
2303
- return Promise.reject(Error("Multiple presentation definitions present"));
2304
- }
2305
- return getSelectableCredentials(authorizationRequestData.presentationDefinitions[0].definition, context);
1910
+ return getSelectableCredentials(authorizationRequestData?.dcqlQuery, context);
2306
1911
  }
2307
1912
  };
2308
1913
 
2309
1914
  // src/machine/CallbackStateListener.ts
2310
- import { Loggers as Loggers5, LogLevel, LogMethod } from "@sphereon/ssi-types";
2311
- var logger5 = Loggers5.DEFAULT.options("sphereon:siopv2-oid4vp:op-auth", {
1915
+ import { Loggers as Loggers6, LogLevel, LogMethod } from "@sphereon/ssi-types";
1916
+ var logger6 = Loggers6.DEFAULT.options("sphereon:siopv2-oid4vp:op-auth", {
2312
1917
  defaultLogLevel: LogLevel.DEBUG,
2313
1918
  methods: [
2314
1919
  LogMethod.CONSOLE
@@ -2317,21 +1922,21 @@ var logger5 = Loggers5.DEFAULT.options("sphereon:siopv2-oid4vp:op-auth", {
2317
1922
  var OID4VPCallbackStateListener = /* @__PURE__ */ __name((callbacks) => {
2318
1923
  return async (oid4vciMachine, state) => {
2319
1924
  if (state._event.type === "internal") {
2320
- logger5.debug("oid4vpCallbackStateListener: internal event");
1925
+ logger6.debug("oid4vpCallbackStateListener: internal event");
2321
1926
  return;
2322
1927
  }
2323
- logger5.info(`VP state listener state: ${JSON.stringify(state.value)}`);
1928
+ logger6.info(`VP state listener state: ${JSON.stringify(state.value)}`);
2324
1929
  if (!callbacks || callbacks.size === 0) {
2325
- logger5.info(`VP no callbacks registered for state: ${JSON.stringify(state.value)}`);
1930
+ logger6.info(`VP no callbacks registered for state: ${JSON.stringify(state.value)}`);
2326
1931
  return;
2327
1932
  }
2328
1933
  for (const [stateKey, callback] of callbacks) {
2329
1934
  if (state.matches(stateKey)) {
2330
- logger5.log(`VP state callback for state: ${JSON.stringify(state.value)}, will execute...`);
2331
- await callback(oid4vciMachine, state).then(() => logger5.log(`VP state callback executed for state: ${JSON.stringify(state.value)}`)).catch((error) => {
2332
- logger5.error(`VP state callback failed for state: ${JSON.stringify(state.value)}, error: ${JSON.stringify(error?.message)}, ${JSON.stringify(state.event)}`);
1935
+ logger6.log(`VP state callback for state: ${JSON.stringify(state.value)}, will execute...`);
1936
+ await callback(oid4vciMachine, state).then(() => logger6.log(`VP state callback executed for state: ${JSON.stringify(state.value)}`)).catch((error) => {
1937
+ logger6.error(`VP state callback failed for state: ${JSON.stringify(state.value)}, error: ${JSON.stringify(error?.message)}, ${JSON.stringify(state.event)}`);
2333
1938
  if (error.stack) {
2334
- logger5.error(error.stack);
1939
+ logger6.error(error.stack);
2335
1940
  }
2336
1941
  });
2337
1942
  break;
@@ -2344,8 +1949,8 @@ var OID4VPCallbackStateListener = /* @__PURE__ */ __name((callbacks) => {
2344
1949
  import { contextHasPlugin } from "@sphereon/ssi-sdk.agent-config";
2345
1950
  import { LinkHandlerAdapter } from "@sphereon/ssi-sdk.core";
2346
1951
  import { interpreterStartOrResume } from "@sphereon/ssi-sdk.xstate-machine-persistence";
2347
- import { Loggers as Loggers6 } from "@sphereon/ssi-types";
2348
- var logger6 = Loggers6.DEFAULT.options(LOGGER_NAMESPACE, {}).get(LOGGER_NAMESPACE);
1952
+ import { Loggers as Loggers7 } from "@sphereon/ssi-types";
1953
+ var logger7 = Loggers7.DEFAULT.options(LOGGER_NAMESPACE, {}).get(LOGGER_NAMESPACE);
2349
1954
  var Siopv2OID4VPLinkHandler = class extends LinkHandlerAdapter {
2350
1955
  static {
2351
1956
  __name(this, "Siopv2OID4VPLinkHandler");
@@ -2365,7 +1970,7 @@ var Siopv2OID4VPLinkHandler = class extends LinkHandlerAdapter {
2365
1970
  this.idOpts = args.idOpts;
2366
1971
  }
2367
1972
  async handle(url, opts) {
2368
- logger6.debug(`handling SIOP link: ${url}`);
1973
+ logger7.debug(`handling SIOP link: ${url}`);
2369
1974
  const siopv2Machine = await this.context.agent.siopGetMachineInterpreter({
2370
1975
  url,
2371
1976
  idOpts: opts?.idOpts ?? this.idOpts,
@@ -2381,22 +1986,18 @@ var Siopv2OID4VPLinkHandler = class extends LinkHandlerAdapter {
2381
1986
  singletonCheck: true,
2382
1987
  noRegistration: this.noStateMachinePersistence
2383
1988
  });
2384
- logger6.debug(`SIOP machine started for link: ${url}`, init);
1989
+ logger7.debug(`SIOP machine started for link: ${url}`, init);
2385
1990
  } else {
2386
1991
  interpreter.start(opts?.machineState);
2387
- logger6.debug(`SIOP machine started for link: ${url}`);
1992
+ logger7.debug(`SIOP machine started for link: ${url}`);
2388
1993
  }
2389
1994
  }
2390
1995
  };
2391
-
2392
- // src/index.ts
2393
- var schema = require_plugin_schema();
2394
1996
  export {
2395
1997
  DEFAULT_JWT_PROOF_TYPE,
2396
1998
  DID_PREFIX,
2397
1999
  DidAuthSiopOpAuthenticator,
2398
2000
  LOGGER_NAMESPACE,
2399
- OID4VP,
2400
2001
  OID4VPCallbackStateListener,
2401
2002
  OpSession,
2402
2003
  Siopv2HolderEvent,
@@ -2408,14 +2009,15 @@ export {
2408
2009
  Siopv2MachineStates,
2409
2010
  Siopv2OID4VPLinkHandler,
2410
2011
  SupportedLanguage,
2012
+ convertToDcqlCredentials,
2411
2013
  createJwtCallbackWithIdOpts,
2412
2014
  createJwtCallbackWithOpOpts,
2413
2015
  createOID4VPPresentationSignCallback,
2414
2016
  createOP,
2415
2017
  createOPBuilder,
2018
+ createVerifiablePresentationForFormat,
2416
2019
  didAuthSiopOpAuthenticatorMethods,
2417
- events,
2418
2020
  getSigningAlgo,
2419
- schema
2021
+ plugin_schema_default as schema
2420
2022
  };
2421
2023
  //# sourceMappingURL=index.js.map