@sphereon/ssi-sdk.siopv2-oid4vp-op-auth 0.34.1-feature.SSISDK.45.94 → 0.34.1-feature.SSISDK.46.40

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (18) hide show
  1. package/dist/index.cjs +1095 -573
  2. package/dist/index.cjs.map +1 -1
  3. package/dist/index.d.cts +111 -709
  4. package/dist/index.d.ts +111 -709
  5. package/dist/index.js +1043 -521
  6. package/dist/index.js.map +1 -1
  7. package/package.json +25 -24
  8. package/src/agent/DidAuthSiopOpAuthenticator.ts +144 -9
  9. package/src/index.ts +1 -2
  10. package/src/machine/Siopv2Machine.ts +4 -4
  11. package/src/services/Siopv2MachineService.ts +265 -133
  12. package/src/session/OID4VP.ts +299 -310
  13. package/src/session/OpSession.ts +114 -22
  14. package/src/types/IDidAuthSiopOpAuthenticator.ts +58 -5
  15. package/src/types/identifier/index.ts +4 -0
  16. package/src/types/siop-service/index.ts +3 -1
  17. package/src/utils/CredentialUtils.ts +39 -1
  18. package/src/utils/dcql.ts +19 -21
package/dist/index.cjs CHANGED
@@ -60,372 +60,376 @@ var require_nl = __commonJS({
60
60
  }
61
61
  });
62
62
 
63
- // src/index.ts
64
- var index_exports = {};
65
- __export(index_exports, {
66
- DEFAULT_JWT_PROOF_TYPE: () => DEFAULT_JWT_PROOF_TYPE,
67
- DID_PREFIX: () => DID_PREFIX,
68
- DidAuthSiopOpAuthenticator: () => DidAuthSiopOpAuthenticator,
69
- LOGGER_NAMESPACE: () => LOGGER_NAMESPACE,
70
- OID4VP: () => OID4VP,
71
- OID4VPCallbackStateListener: () => OID4VPCallbackStateListener,
72
- OpSession: () => OpSession,
73
- Siopv2HolderEvent: () => Siopv2HolderEvent,
74
- Siopv2Machine: () => Siopv2Machine,
75
- Siopv2MachineAddContactStates: () => Siopv2MachineAddContactStates,
76
- Siopv2MachineEvents: () => Siopv2MachineEvents,
77
- Siopv2MachineGuards: () => Siopv2MachineGuards,
78
- Siopv2MachineServices: () => Siopv2MachineServices,
79
- Siopv2MachineStates: () => Siopv2MachineStates,
80
- Siopv2OID4VPLinkHandler: () => Siopv2OID4VPLinkHandler,
81
- SupportedLanguage: () => SupportedLanguage,
82
- convertToDcqlCredentials: () => convertToDcqlCredentials,
83
- createJwtCallbackWithIdOpts: () => createJwtCallbackWithIdOpts,
84
- createJwtCallbackWithOpOpts: () => createJwtCallbackWithOpOpts,
85
- createOID4VPPresentationSignCallback: () => createOID4VPPresentationSignCallback,
86
- createOP: () => createOP,
87
- createOPBuilder: () => createOPBuilder,
88
- didAuthSiopOpAuthenticatorMethods: () => didAuthSiopOpAuthenticatorMethods,
89
- getSigningAlgo: () => getSigningAlgo,
90
- schema: () => plugin_schema_default
91
- });
92
- module.exports = __toCommonJS(index_exports);
93
-
94
63
  // plugin.schema.json
95
- var plugin_schema_default = {
96
- IDidAuthSiopOpAuthenticator: {
97
- components: {
98
- schemas: {
99
- IGetSiopSessionArgs: {
100
- type: "object",
101
- properties: {
102
- sessionId: {
103
- type: "string"
64
+ var require_plugin_schema = __commonJS({
65
+ "plugin.schema.json"(exports, module2) {
66
+ module2.exports = {
67
+ IDidAuthSiopOpAuthenticator: {
68
+ components: {
69
+ schemas: {
70
+ IGetSiopSessionArgs: {
71
+ type: "object",
72
+ properties: {
73
+ sessionId: {
74
+ type: "string"
75
+ },
76
+ additionalProperties: false
77
+ },
78
+ required: ["sessionId"],
79
+ description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.getSessionForSiop } "
104
80
  },
105
- additionalProperties: false
106
- },
107
- required: ["sessionId"],
108
- description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.getSessionForSiop } "
109
- },
110
- IRegisterSiopSessionArgs: {
111
- type: "object",
112
- properties: {
113
- identifier: {
81
+ IRegisterSiopSessionArgs: {
114
82
  type: "object",
115
83
  properties: {
116
- did: {
84
+ identifier: {
85
+ type: "object",
86
+ properties: {
87
+ did: {
88
+ type: "string"
89
+ },
90
+ alias: {
91
+ type: "string"
92
+ },
93
+ provider: {
94
+ type: "string"
95
+ },
96
+ controllerKeyId: {
97
+ type: "string"
98
+ },
99
+ keys: {
100
+ type: "array",
101
+ items: {
102
+ type: "object",
103
+ properties: {
104
+ additionalProperties: true
105
+ }
106
+ }
107
+ },
108
+ services: {
109
+ type: "array",
110
+ items: {
111
+ type: "object",
112
+ properties: {
113
+ additionalProperties: true
114
+ }
115
+ }
116
+ }
117
+ },
118
+ additionalProperties: false,
119
+ required: ["did", "provider", "keys", "services"]
120
+ },
121
+ sessionId: {
117
122
  type: "string"
118
123
  },
119
- alias: {
124
+ expiresIn: {
125
+ type: "number"
126
+ },
127
+ additionalProperties: false
128
+ },
129
+ required: ["identifier"],
130
+ description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.registerSessionForSiop } "
131
+ },
132
+ IRemoveSiopSessionArgs: {
133
+ type: "object",
134
+ properties: {
135
+ sessionId: {
120
136
  type: "string"
121
137
  },
122
- provider: {
138
+ additionalProperties: false
139
+ },
140
+ required: ["sessionId"],
141
+ description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.removeSessionForSiop } "
142
+ },
143
+ IAuthenticateWithSiopArgs: {
144
+ type: "object",
145
+ properties: {
146
+ sessionId: {
123
147
  type: "string"
124
148
  },
125
- controllerKeyId: {
149
+ stateId: {
126
150
  type: "string"
127
151
  },
128
- keys: {
129
- type: "array",
130
- items: {
131
- type: "object",
132
- properties: {
133
- additionalProperties: true
134
- }
135
- }
152
+ redirectUrl: {
153
+ type: "string"
136
154
  },
137
- services: {
138
- type: "array",
139
- items: {
140
- type: "object",
141
- properties: {
142
- additionalProperties: true
143
- }
144
- }
145
- }
155
+ additionalProperties: false
146
156
  },
147
- additionalProperties: false,
148
- required: ["did", "provider", "keys", "services"]
149
- },
150
- sessionId: {
151
- type: "string"
152
- },
153
- expiresIn: {
154
- type: "number"
155
- },
156
- additionalProperties: false
157
- },
158
- required: ["identifier"],
159
- description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.registerSessionForSiop } "
160
- },
161
- IRemoveSiopSessionArgs: {
162
- type: "object",
163
- properties: {
164
- sessionId: {
165
- type: "string"
166
- },
167
- additionalProperties: false
168
- },
169
- required: ["sessionId"],
170
- description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.removeSessionForSiop } "
171
- },
172
- IAuthenticateWithSiopArgs: {
173
- type: "object",
174
- properties: {
175
- sessionId: {
176
- type: "string"
177
- },
178
- stateId: {
179
- type: "string"
180
- },
181
- redirectUrl: {
182
- type: "string"
183
- },
184
- additionalProperties: false
185
- },
186
- required: ["sessionId", "stateId", "redirectUrl"],
187
- description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.authenticateWithSiop } "
188
- },
189
- IResponse: {
190
- type: "object",
191
- properties: {
192
- status: {
193
- type: "number"
157
+ required: ["sessionId", "stateId", "redirectUrl"],
158
+ description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.authenticateWithSiop } "
194
159
  },
195
- additionalProperties: true
196
- },
197
- required: ["status"],
198
- description: "Result of {@link DidAuthSiopOpAuthenticator.authenticateWithSiop & DidAuthSiopOpAuthenticator.sendSiopAuthenticationResponse } "
199
- },
200
- IGetSiopAuthenticationRequestFromRpArgs: {
201
- type: "object",
202
- properties: {
203
- sessionId: {
204
- type: "string"
205
- },
206
- stateId: {
207
- type: "string"
208
- },
209
- redirectUrl: {
210
- type: "string"
211
- },
212
- additionalProperties: false
213
- },
214
- required: ["sessionId", "stateId", "redirectUrl"],
215
- description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.getSiopAuthenticationRequestFromRP } "
216
- },
217
- ParsedAuthenticationRequestURI: {
218
- type: "object",
219
- properties: {
220
- jwt: {
221
- type: "string"
222
- },
223
- requestPayload: {
160
+ IResponse: {
224
161
  type: "object",
225
162
  properties: {
163
+ status: {
164
+ type: "number"
165
+ },
226
166
  additionalProperties: true
227
- }
167
+ },
168
+ required: ["status"],
169
+ description: "Result of {@link DidAuthSiopOpAuthenticator.authenticateWithSiop & DidAuthSiopOpAuthenticator.sendSiopAuthenticationResponse } "
228
170
  },
229
- registration: {
171
+ IGetSiopAuthenticationRequestFromRpArgs: {
230
172
  type: "object",
231
173
  properties: {
232
- additionalProperties: true
233
- }
234
- },
235
- additionalProperties: false
236
- },
237
- required: ["jwt", "requestPayload", "registration"],
238
- description: "Result of {@link DidAuthSiopOpAuthenticator.getSiopAuthenticationRequestFromRP } "
239
- },
240
- IGetSiopAuthenticationRequestDetailsArgs: {
241
- type: "object",
242
- properties: {
243
- sessionId: {
244
- type: "string"
174
+ sessionId: {
175
+ type: "string"
176
+ },
177
+ stateId: {
178
+ type: "string"
179
+ },
180
+ redirectUrl: {
181
+ type: "string"
182
+ },
183
+ additionalProperties: false
184
+ },
185
+ required: ["sessionId", "stateId", "redirectUrl"],
186
+ description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.getSiopAuthenticationRequestFromRP } "
245
187
  },
246
- verifiedAuthenticationRequest: {
188
+ ParsedAuthenticationRequestURI: {
247
189
  type: "object",
248
190
  properties: {
249
- additionalProperties: true
250
- }
191
+ jwt: {
192
+ type: "string"
193
+ },
194
+ requestPayload: {
195
+ type: "object",
196
+ properties: {
197
+ additionalProperties: true
198
+ }
199
+ },
200
+ registration: {
201
+ type: "object",
202
+ properties: {
203
+ additionalProperties: true
204
+ }
205
+ },
206
+ additionalProperties: false
207
+ },
208
+ required: ["jwt", "requestPayload", "registration"],
209
+ description: "Result of {@link DidAuthSiopOpAuthenticator.getSiopAuthenticationRequestFromRP } "
251
210
  },
252
- credentialFilter: {
211
+ IGetSiopAuthenticationRequestDetailsArgs: {
253
212
  type: "object",
254
213
  properties: {
255
- additionalProperties: true
256
- }
257
- },
258
- additionalProperties: false
259
- },
260
- required: ["sessionId", "verifiedAuthenticationRequest"],
261
- description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.getSiopAuthenticationRequestDetails } "
262
- },
263
- IAuthRequestDetails: {
264
- type: "object",
265
- properties: {
266
- id: {
267
- type: "string"
268
- },
269
- alsoKnownAs: {
270
- type: "array",
271
- items: {
272
- type: "string"
273
- }
214
+ sessionId: {
215
+ type: "string"
216
+ },
217
+ verifiedAuthenticationRequest: {
218
+ type: "object",
219
+ properties: {
220
+ additionalProperties: true
221
+ }
222
+ },
223
+ credentialFilter: {
224
+ type: "object",
225
+ properties: {
226
+ additionalProperties: true
227
+ }
228
+ },
229
+ additionalProperties: false
230
+ },
231
+ required: ["sessionId", "verifiedAuthenticationRequest"],
232
+ description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.getSiopAuthenticationRequestDetails } "
274
233
  },
275
- vpResponseOpts: {
234
+ IAuthRequestDetails: {
276
235
  type: "object",
277
236
  properties: {
278
- additionalProperties: true
279
- }
280
- },
281
- additionalProperties: false
282
- },
283
- required: ["id", "vpResponseOpts"],
284
- description: "Result of {@link DidAuthSiopOpAuthenticator.getSiopAuthenticationRequestDetails } "
285
- },
286
- IVerifySiopAuthenticationRequestUriArgs: {
287
- type: "object",
288
- properties: {
289
- sessionId: {
290
- type: "string"
237
+ id: {
238
+ type: "string"
239
+ },
240
+ alsoKnownAs: {
241
+ type: "array",
242
+ items: {
243
+ type: "string"
244
+ }
245
+ },
246
+ vpResponseOpts: {
247
+ type: "object",
248
+ properties: {
249
+ additionalProperties: true
250
+ }
251
+ },
252
+ additionalProperties: false
253
+ },
254
+ required: ["id", "vpResponseOpts"],
255
+ description: "Result of {@link DidAuthSiopOpAuthenticator.getSiopAuthenticationRequestDetails } "
291
256
  },
292
- ParsedAuthenticationRequestURI: {
257
+ IVerifySiopAuthenticationRequestUriArgs: {
293
258
  type: "object",
294
259
  properties: {
295
- additionalProperties: true
296
- }
260
+ sessionId: {
261
+ type: "string"
262
+ },
263
+ ParsedAuthenticationRequestURI: {
264
+ type: "object",
265
+ properties: {
266
+ additionalProperties: true
267
+ }
268
+ },
269
+ additionalProperties: false
270
+ },
271
+ required: ["sessionId", "ParsedAuthenticationRequestURI"],
272
+ description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.verifySiopAuthenticationRequestURI } "
297
273
  },
298
- additionalProperties: false
299
- },
300
- required: ["sessionId", "ParsedAuthenticationRequestURI"],
301
- description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.verifySiopAuthenticationRequestURI } "
302
- },
303
- VerifiedAuthorizationRequest: {
304
- type: "object",
305
- properties: {
306
- payload: {
274
+ VerifiedAuthorizationRequest: {
307
275
  type: "object",
308
276
  properties: {
309
- additionalProperties: true
310
- }
277
+ payload: {
278
+ type: "object",
279
+ properties: {
280
+ additionalProperties: true
281
+ }
282
+ },
283
+ presentationDefinitions: {
284
+ type: "object",
285
+ properties: {
286
+ additionalProperties: true
287
+ }
288
+ },
289
+ verifyOpts: {
290
+ type: "object",
291
+ properties: {
292
+ additionalProperties: true
293
+ }
294
+ },
295
+ additionalProperties: false
296
+ },
297
+ required: ["payload", "verifyOpts"],
298
+ description: "Result of {@link DidAuthSiopOpAuthenticator.verifySiopAuthenticationRequestURI } "
311
299
  },
312
- presentationDefinitions: {
300
+ ISendSiopAuthenticationResponseArgs: {
313
301
  type: "object",
314
302
  properties: {
315
- additionalProperties: true
316
- }
303
+ sessionId: {
304
+ type: "string"
305
+ },
306
+ verifiedAuthenticationRequest: {
307
+ type: "object",
308
+ properties: {
309
+ additionalProperties: true
310
+ }
311
+ },
312
+ verifiablePresentationResponse: {
313
+ type: "object",
314
+ properties: {
315
+ additionalProperties: true
316
+ }
317
+ },
318
+ additionalProperties: false
319
+ },
320
+ required: ["sessionId", "verifiedAuthenticationRequest"],
321
+ description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.sendSiopAuthenticationResponse } "
322
+ }
323
+ },
324
+ methods: {
325
+ getSessionForSiop: {
326
+ description: "Get SIOP session",
327
+ arguments: {
328
+ $ref: "#/components/schemas/IGetSiopSessionArgs"
329
+ },
330
+ returnType: "object"
317
331
  },
318
- verifyOpts: {
319
- type: "object",
320
- properties: {
321
- additionalProperties: true
332
+ registerSessionForSiop: {
333
+ description: "Register SIOP session",
334
+ arguments: {
335
+ $ref: "#/components/schemas/IRegisterSiopSessionArgs"
336
+ },
337
+ returnType: "object"
338
+ },
339
+ removeSessionForSiop: {
340
+ description: "Remove SIOP session",
341
+ arguments: {
342
+ $ref: "#/components/schemas/IRemoveSiopSessionArgs"
343
+ },
344
+ returnType: "boolean"
345
+ },
346
+ authenticateWithSiop: {
347
+ description: "Authenticate using DID Auth SIOP",
348
+ arguments: {
349
+ $ref: "#/components/schemas/IAuthenticateWithSiopArgs"
350
+ },
351
+ returnType: {
352
+ $ref: "#/components/schemas/Response"
322
353
  }
323
354
  },
324
- additionalProperties: false
325
- },
326
- required: ["payload", "verifyOpts"],
327
- description: "Result of {@link DidAuthSiopOpAuthenticator.verifySiopAuthenticationRequestURI } "
328
- },
329
- ISendSiopAuthenticationResponseArgs: {
330
- type: "object",
331
- properties: {
332
- sessionId: {
333
- type: "string"
355
+ getSiopAuthenticationRequestFromRP: {
356
+ description: "Get authentication request from RP",
357
+ arguments: {
358
+ $ref: "#/components/schemas/IGetSiopAuthenticationRequestFromRpArgs"
359
+ },
360
+ returnType: {
361
+ $ref: "#/components/schemas/ParsedAuthenticationRequestURI"
362
+ }
334
363
  },
335
- verifiedAuthenticationRequest: {
336
- type: "object",
337
- properties: {
338
- additionalProperties: true
364
+ getSiopAuthenticationRequestDetails: {
365
+ description: "Get authentication request details",
366
+ arguments: {
367
+ $ref: "#/components/schemas/IGetSiopAuthenticationRequestDetailsArgs"
368
+ },
369
+ returnType: {
370
+ $ref: "#/components/schemas/IAuthRequestDetails"
339
371
  }
340
372
  },
341
- verifiablePresentationResponse: {
342
- type: "object",
343
- properties: {
344
- additionalProperties: true
373
+ verifySiopAuthenticationRequestURI: {
374
+ description: "Verify authentication request URI",
375
+ arguments: {
376
+ $ref: "#/components/schemas/IVerifySiopAuthenticationRequestUriArgs"
377
+ },
378
+ returnType: {
379
+ $ref: "#/components/schemas/VerifiedAuthorizationRequest"
345
380
  }
346
381
  },
347
- additionalProperties: false
348
- },
349
- required: ["sessionId", "verifiedAuthenticationRequest"],
350
- description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.sendSiopAuthenticationResponse } "
351
- }
352
- },
353
- methods: {
354
- getSessionForSiop: {
355
- description: "Get SIOP session",
356
- arguments: {
357
- $ref: "#/components/schemas/IGetSiopSessionArgs"
358
- },
359
- returnType: "object"
360
- },
361
- registerSessionForSiop: {
362
- description: "Register SIOP session",
363
- arguments: {
364
- $ref: "#/components/schemas/IRegisterSiopSessionArgs"
365
- },
366
- returnType: "object"
367
- },
368
- removeSessionForSiop: {
369
- description: "Remove SIOP session",
370
- arguments: {
371
- $ref: "#/components/schemas/IRemoveSiopSessionArgs"
372
- },
373
- returnType: "boolean"
374
- },
375
- authenticateWithSiop: {
376
- description: "Authenticate using DID Auth SIOP",
377
- arguments: {
378
- $ref: "#/components/schemas/IAuthenticateWithSiopArgs"
379
- },
380
- returnType: {
381
- $ref: "#/components/schemas/Response"
382
- }
383
- },
384
- getSiopAuthenticationRequestFromRP: {
385
- description: "Get authentication request from RP",
386
- arguments: {
387
- $ref: "#/components/schemas/IGetSiopAuthenticationRequestFromRpArgs"
388
- },
389
- returnType: {
390
- $ref: "#/components/schemas/ParsedAuthenticationRequestURI"
391
- }
392
- },
393
- getSiopAuthenticationRequestDetails: {
394
- description: "Get authentication request details",
395
- arguments: {
396
- $ref: "#/components/schemas/IGetSiopAuthenticationRequestDetailsArgs"
397
- },
398
- returnType: {
399
- $ref: "#/components/schemas/IAuthRequestDetails"
400
- }
401
- },
402
- verifySiopAuthenticationRequestURI: {
403
- description: "Verify authentication request URI",
404
- arguments: {
405
- $ref: "#/components/schemas/IVerifySiopAuthenticationRequestUriArgs"
406
- },
407
- returnType: {
408
- $ref: "#/components/schemas/VerifiedAuthorizationRequest"
409
- }
410
- },
411
- sendSiopAuthenticationResponse: {
412
- description: "Send authentication response",
413
- arguments: {
414
- $ref: "#/components/schemas/ISendSiopAuthenticationResponseArgs"
415
- },
416
- returnType: {
417
- $ref: "#/components/schemas/IRequiredContext"
382
+ sendSiopAuthenticationResponse: {
383
+ description: "Send authentication response",
384
+ arguments: {
385
+ $ref: "#/components/schemas/ISendSiopAuthenticationResponseArgs"
386
+ },
387
+ returnType: {
388
+ $ref: "#/components/schemas/IRequiredContext"
389
+ }
390
+ }
418
391
  }
419
392
  }
420
393
  }
421
- }
394
+ };
422
395
  }
423
- };
396
+ });
397
+
398
+ // src/index.ts
399
+ var index_exports = {};
400
+ __export(index_exports, {
401
+ DEFAULT_JWT_PROOF_TYPE: () => DEFAULT_JWT_PROOF_TYPE,
402
+ DID_PREFIX: () => DID_PREFIX,
403
+ DidAuthSiopOpAuthenticator: () => DidAuthSiopOpAuthenticator,
404
+ LOGGER_NAMESPACE: () => LOGGER_NAMESPACE,
405
+ OID4VP: () => OID4VP,
406
+ OID4VPCallbackStateListener: () => OID4VPCallbackStateListener,
407
+ OpSession: () => OpSession,
408
+ Siopv2HolderEvent: () => Siopv2HolderEvent,
409
+ Siopv2Machine: () => Siopv2Machine,
410
+ Siopv2MachineAddContactStates: () => Siopv2MachineAddContactStates,
411
+ Siopv2MachineEvents: () => Siopv2MachineEvents,
412
+ Siopv2MachineGuards: () => Siopv2MachineGuards,
413
+ Siopv2MachineServices: () => Siopv2MachineServices,
414
+ Siopv2MachineStates: () => Siopv2MachineStates,
415
+ Siopv2OID4VPLinkHandler: () => Siopv2OID4VPLinkHandler,
416
+ SupportedLanguage: () => SupportedLanguage,
417
+ createJwtCallbackWithIdOpts: () => createJwtCallbackWithIdOpts,
418
+ createJwtCallbackWithOpOpts: () => createJwtCallbackWithOpOpts,
419
+ createOID4VPPresentationSignCallback: () => createOID4VPPresentationSignCallback,
420
+ createOP: () => createOP,
421
+ createOPBuilder: () => createOPBuilder,
422
+ didAuthSiopOpAuthenticatorMethods: () => didAuthSiopOpAuthenticatorMethods,
423
+ events: () => events,
424
+ getSigningAlgo: () => getSigningAlgo,
425
+ schema: () => schema
426
+ });
427
+ module.exports = __toCommonJS(index_exports);
424
428
 
425
429
  // src/agent/DidAuthSiopOpAuthenticator.ts
426
430
  var import_did_auth_siop5 = require("@sphereon/did-auth-siop");
427
- var import_ssi_sdk6 = require("@sphereon/ssi-sdk.data-store");
428
- var import_ssi_types8 = require("@sphereon/ssi-types");
431
+ var import_ssi_sdk8 = require("@sphereon/ssi-sdk.data-store");
432
+ var import_ssi_types7 = require("@sphereon/ssi-types");
429
433
  var import_uuid2 = require("uuid");
430
434
 
431
435
  // src/session/functions.ts
@@ -581,15 +585,104 @@ function getSigningAlgo(type) {
581
585
  }
582
586
  __name(getSigningAlgo, "getSigningAlgo");
583
587
 
588
+ // src/session/OID4VP.ts
589
+ var import_did_auth_siop2 = require("@sphereon/did-auth-siop");
590
+ var import_pex = require("@sphereon/pex");
591
+ var import_ssi_sdk_ext2 = require("@sphereon/ssi-sdk-ext.identifier-resolution");
592
+ var import_ssi_sdk2 = require("@sphereon/ssi-sdk.core");
593
+ var import_ssi_sdk3 = require("@sphereon/ssi-sdk.credential-store");
594
+
595
+ // src/types/IDidAuthSiopOpAuthenticator.ts
596
+ var LOGGER_NAMESPACE = "sphereon:siopv2-oid4vp:op-auth";
597
+ var events = /* @__PURE__ */ (function(events2) {
598
+ events2["DID_SIOP_AUTHENTICATED"] = "didSiopAuthenticated";
599
+ return events2;
600
+ })({});
601
+ var DEFAULT_JWT_PROOF_TYPE = "JwtProof2020";
602
+
603
+ // src/types/siop-service/index.ts
604
+ var Siopv2HolderEvent = /* @__PURE__ */ (function(Siopv2HolderEvent2) {
605
+ Siopv2HolderEvent2["CONTACT_IDENTITY_CREATED"] = "contact_identity_created";
606
+ Siopv2HolderEvent2["IDENTIFIER_CREATED"] = "identifier_created";
607
+ return Siopv2HolderEvent2;
608
+ })({});
609
+ var SupportedLanguage = /* @__PURE__ */ (function(SupportedLanguage2) {
610
+ SupportedLanguage2["ENGLISH"] = "en";
611
+ SupportedLanguage2["DUTCH"] = "nl";
612
+ return SupportedLanguage2;
613
+ })({});
614
+
615
+ // src/types/machine/index.ts
616
+ var Siopv2MachineStates = /* @__PURE__ */ (function(Siopv2MachineStates2) {
617
+ Siopv2MachineStates2["createConfig"] = "createConfig";
618
+ Siopv2MachineStates2["getSiopRequest"] = "getSiopRequest";
619
+ Siopv2MachineStates2["getSelectableCredentials"] = "getSelectableCredentials";
620
+ Siopv2MachineStates2["retrieveContact"] = "retrieveContact";
621
+ Siopv2MachineStates2["transitionFromSetup"] = "transitionFromSetup";
622
+ Siopv2MachineStates2["addContact"] = "addContact";
623
+ Siopv2MachineStates2["addContactIdentity"] = "addContactIdentity";
624
+ Siopv2MachineStates2["selectCredentials"] = "selectCredentials";
625
+ Siopv2MachineStates2["sendResponse"] = "sendResponse";
626
+ Siopv2MachineStates2["handleError"] = "handleError";
627
+ Siopv2MachineStates2["aborted"] = "aborted";
628
+ Siopv2MachineStates2["declined"] = "declined";
629
+ Siopv2MachineStates2["error"] = "error";
630
+ Siopv2MachineStates2["done"] = "done";
631
+ return Siopv2MachineStates2;
632
+ })({});
633
+ var Siopv2MachineAddContactStates = /* @__PURE__ */ (function(Siopv2MachineAddContactStates2) {
634
+ Siopv2MachineAddContactStates2["idle"] = "idle";
635
+ Siopv2MachineAddContactStates2["executing"] = "executing";
636
+ Siopv2MachineAddContactStates2["next"] = "next";
637
+ return Siopv2MachineAddContactStates2;
638
+ })({});
639
+ var Siopv2MachineEvents = /* @__PURE__ */ (function(Siopv2MachineEvents2) {
640
+ Siopv2MachineEvents2["NEXT"] = "NEXT";
641
+ Siopv2MachineEvents2["PREVIOUS"] = "PREVIOUS";
642
+ Siopv2MachineEvents2["DECLINE"] = "DECLINE";
643
+ Siopv2MachineEvents2["SET_CONTACT_ALIAS"] = "SET_CONTACT_ALIAS";
644
+ Siopv2MachineEvents2["SET_CONTACT_CONSENT"] = "SET_CONTACT_CONSENT";
645
+ Siopv2MachineEvents2["CREATE_CONTACT"] = "CREATE_CONTACT";
646
+ Siopv2MachineEvents2["SET_SELECTED_CREDENTIALS"] = "SET_SELECTED_CREDENTIALS";
647
+ return Siopv2MachineEvents2;
648
+ })({});
649
+ var Siopv2MachineGuards = /* @__PURE__ */ (function(Siopv2MachineGuards2) {
650
+ Siopv2MachineGuards2["hasNoContactGuard"] = "Siopv2HasNoContactGuard";
651
+ Siopv2MachineGuards2["createContactGuard"] = "Siopv2CreateContactGuard";
652
+ Siopv2MachineGuards2["hasContactGuard"] = "Siopv2HasContactGuard";
653
+ Siopv2MachineGuards2["hasAuthorizationRequestGuard"] = "Siopv2HasAuthorizationRequestGuard";
654
+ Siopv2MachineGuards2["hasSelectableCredentialsAndContactGuard"] = "Siopv2HasSelectableCredentialsAndContactGuard";
655
+ Siopv2MachineGuards2["hasSelectedRequiredCredentialsGuard"] = "Siopv2HasSelectedRequiredCredentialsGuard";
656
+ Siopv2MachineGuards2["siopOnlyGuard"] = "Siopv2IsSiopOnlyGuard";
657
+ Siopv2MachineGuards2["siopWithOID4VPGuard"] = "Siopv2IsSiopWithOID4VPGuard";
658
+ return Siopv2MachineGuards2;
659
+ })({});
660
+ var Siopv2MachineServices = /* @__PURE__ */ (function(Siopv2MachineServices2) {
661
+ Siopv2MachineServices2["getSiopRequest"] = "getSiopRequest";
662
+ Siopv2MachineServices2["getSelectableCredentials"] = "getSelectableCredentials";
663
+ Siopv2MachineServices2["retrieveContact"] = "retrieveContact";
664
+ Siopv2MachineServices2["addContactIdentity"] = "addContactIdentity";
665
+ Siopv2MachineServices2["sendResponse"] = "sendResponse";
666
+ Siopv2MachineServices2["createConfig"] = "createConfig";
667
+ return Siopv2MachineServices2;
668
+ })({});
669
+
670
+ // src/types/identifier/index.ts
671
+ var DID_PREFIX = "did";
672
+
584
673
  // src/session/OID4VP.ts
585
674
  var OID4VP = class _OID4VP {
586
675
  static {
587
676
  __name(this, "OID4VP");
588
677
  }
589
- //private readonly session: OpSession
590
- // private readonly allIdentifiers: string[]
591
- // private readonly hasher?: HasherSync
678
+ session;
679
+ allIdentifiers;
680
+ hasher;
592
681
  constructor(args) {
682
+ const { session, allIdentifiers, hasher = import_ssi_sdk2.defaultHasher } = args;
683
+ this.session = session;
684
+ this.allIdentifiers = allIdentifiers ?? [];
685
+ this.hasher = hasher;
593
686
  }
594
687
  static async init(session, allIdentifiers, hasher) {
595
688
  return new _OID4VP({
@@ -598,14 +691,184 @@ var OID4VP = class _OID4VP {
598
691
  hasher
599
692
  });
600
693
  }
694
+ async getPresentationDefinitions() {
695
+ const definitions = await this.session.getPresentationDefinitions();
696
+ if (definitions) {
697
+ import_did_auth_siop2.PresentationExchange.assertValidPresentationDefinitionWithLocations(definitions);
698
+ }
699
+ return definitions;
700
+ }
701
+ getPresentationExchange(args) {
702
+ const { verifiableCredentials, allIdentifiers, hasher } = args;
703
+ return new import_did_auth_siop2.PresentationExchange({
704
+ allDIDs: allIdentifiers ?? this.allIdentifiers,
705
+ allVerifiableCredentials: verifiableCredentials,
706
+ hasher: hasher ?? this.hasher
707
+ });
708
+ }
709
+ async createVerifiablePresentations(credentialRole, credentialsWithDefinitions, opts) {
710
+ return await Promise.all(credentialsWithDefinitions.map((cred) => this.createVerifiablePresentation(credentialRole, cred, opts)));
711
+ }
712
+ async createVerifiablePresentation(credentialRole, selectedVerifiableCredentials, opts) {
713
+ const { subjectIsHolder, holder, forceNoCredentialsInVP = false } = {
714
+ ...opts
715
+ };
716
+ if (subjectIsHolder && holder) {
717
+ throw Error("Cannot both have subject is holder and a holderDID value at the same time (programming error)");
718
+ }
719
+ if (forceNoCredentialsInVP) {
720
+ selectedVerifiableCredentials.credentials = [];
721
+ } else if (!selectedVerifiableCredentials?.credentials || selectedVerifiableCredentials.credentials.length === 0) {
722
+ throw Error("No verifiable verifiableCredentials provided for presentation definition");
723
+ }
724
+ const proofOptions = {
725
+ ...opts?.proofOpts,
726
+ challenge: opts?.proofOpts?.nonce ?? opts?.proofOpts?.challenge ?? this.session.nonce,
727
+ domain: opts?.proofOpts?.domain ?? await this.session.getRedirectUri()
728
+ };
729
+ let idOpts2 = opts?.idOpts;
730
+ if (!idOpts2) {
731
+ if (opts?.subjectIsHolder) {
732
+ if (forceNoCredentialsInVP) {
733
+ return Promise.reject(Error(`Cannot have subject is holder, when force no credentials is being used, as we could never determine the holder then. Please provide holderDID`));
734
+ }
735
+ const firstUniqueDC = selectedVerifiableCredentials.credentials[0];
736
+ if (typeof firstUniqueDC !== "object" || !("digitalCredential" in firstUniqueDC)) {
737
+ return Promise.reject(Error("If no opts provided, credentials should be of type UniqueDigitalCredential"));
738
+ }
739
+ idOpts2 = (0, import_ssi_sdk_ext2.isOID4VCIssuerIdentifier)(firstUniqueDC.digitalCredential.kmsKeyRef) ? await this.session.context.agent.identifierManagedGetByIssuer({
740
+ identifier: firstUniqueDC.digitalCredential.kmsKeyRef
741
+ }) : await this.session.context.agent.identifierManagedGetByKid({
742
+ identifier: firstUniqueDC.digitalCredential.kmsKeyRef,
743
+ kmsKeyRef: firstUniqueDC.digitalCredential.kmsKeyRef
744
+ });
745
+ } else if (opts?.holder) {
746
+ idOpts2 = {
747
+ identifier: opts.holder
748
+ };
749
+ }
750
+ }
751
+ const vcs = forceNoCredentialsInVP ? selectedVerifiableCredentials : opts?.applyFilter ? await this.filterCredentials(credentialRole, selectedVerifiableCredentials.definition, {
752
+ restrictToFormats: opts?.restrictToFormats,
753
+ restrictToDIDMethods: opts?.restrictToDIDMethods,
754
+ filterOpts: {
755
+ verifiableCredentials: selectedVerifiableCredentials.credentials
756
+ }
757
+ }) : {
758
+ definition: selectedVerifiableCredentials.definition,
759
+ credentials: selectedVerifiableCredentials.credentials
760
+ };
761
+ if (!idOpts2) {
762
+ return Promise.reject(Error(`No identifier options present at this point`));
763
+ }
764
+ const signCallback = await createOID4VPPresentationSignCallback({
765
+ presentationSignCallback: this.session.options.presentationSignCallback,
766
+ idOpts: idOpts2,
767
+ context: this.session.context,
768
+ domain: proofOptions.domain,
769
+ challenge: proofOptions.challenge,
770
+ format: opts?.restrictToFormats ?? selectedVerifiableCredentials.definition.definition.format,
771
+ skipDidResolution: opts?.skipDidResolution ?? false
772
+ });
773
+ const identifier = await this.session.context.agent.identifierManagedGet(idOpts2);
774
+ const verifiableCredentials = vcs.credentials.map((credential) => typeof credential === "object" && "digitalCredential" in credential ? credential.originalVerifiableCredential : credential);
775
+ const presentationResult = await this.getPresentationExchange({
776
+ verifiableCredentials,
777
+ allIdentifiers: this.allIdentifiers,
778
+ hasher: opts?.hasher
779
+ }).createVerifiablePresentation(vcs.definition.definition, verifiableCredentials, signCallback, {
780
+ proofOptions,
781
+ // fixme: Update to newer siop-vp to not require dids here. But when Veramo is creating the VP it's still looking at this field to pass into didManagerGet
782
+ ...identifier && (0, import_ssi_sdk_ext2.isManagedIdentifierDidResult)(identifier) && {
783
+ holderDID: identifier.did
784
+ }
785
+ });
786
+ const verifiablePresentations = presentationResult.verifiablePresentations.map((verifiablePresentation) => typeof verifiablePresentation !== "string" && "proof" in verifiablePresentation && "jwt" in verifiablePresentation.proof && verifiablePresentation.proof.jwt ? verifiablePresentation.proof.jwt : verifiablePresentation);
787
+ return {
788
+ ...presentationResult,
789
+ verifiablePresentations,
790
+ verifiableCredentials,
791
+ definition: selectedVerifiableCredentials.definition,
792
+ idOpts: idOpts2
793
+ };
794
+ }
795
+ async filterCredentialsAgainstAllDefinitions(credentialRole, opts) {
796
+ const defs = await this.getPresentationDefinitions();
797
+ const result = [];
798
+ if (defs) {
799
+ for (const definition of defs) {
800
+ result.push(await this.filterCredentials(credentialRole, definition, opts));
801
+ }
802
+ }
803
+ return result;
804
+ }
805
+ async filterCredentials(credentialRole, presentationDefinition, opts) {
806
+ const udcMap = /* @__PURE__ */ new Map();
807
+ opts?.filterOpts?.verifiableCredentials?.forEach((credential) => {
808
+ if (typeof credential === "object" && "digitalCredential" in credential) {
809
+ udcMap.set(credential.originalVerifiableCredential, credential);
810
+ } else {
811
+ udcMap.set(credential, credential);
812
+ }
813
+ });
814
+ const credentials = (await this.filterCredentialsWithSelectionStatus(credentialRole, presentationDefinition, {
815
+ ...opts,
816
+ filterOpts: {
817
+ verifiableCredentials: opts?.filterOpts?.verifiableCredentials?.map((credential) => {
818
+ if (typeof credential === "object" && "digitalCredential" in credential) {
819
+ return credential.originalVerifiableCredential;
820
+ } else {
821
+ return credential;
822
+ }
823
+ })
824
+ }
825
+ })).verifiableCredential;
826
+ return {
827
+ definition: presentationDefinition,
828
+ credentials: credentials?.map((vc) => udcMap.get(vc)) ?? []
829
+ };
830
+ }
831
+ async filterCredentialsWithSelectionStatus(credentialRole, presentationDefinition, opts) {
832
+ const selectionResults = await this.getPresentationExchange({
833
+ verifiableCredentials: await this.getCredentials(credentialRole, opts?.filterOpts)
834
+ }).selectVerifiableCredentialsForSubmission(presentationDefinition.definition, opts);
835
+ if (selectionResults.errors && selectionResults.errors.length > 0) {
836
+ throw Error(JSON.stringify(selectionResults.errors));
837
+ } else if (selectionResults.areRequiredCredentialsPresent === import_pex.Status.ERROR) {
838
+ throw Error(`Not all required credentials are available to satisfy the relying party's request`);
839
+ }
840
+ const matches = selectionResults.matches;
841
+ if (!matches || matches.length === 0 || !selectionResults.verifiableCredential || selectionResults.verifiableCredential.length === 0) {
842
+ throw Error(JSON.stringify(selectionResults.errors));
843
+ }
844
+ return selectionResults;
845
+ }
846
+ async getCredentials(credentialRole, filterOpts) {
847
+ if (filterOpts?.verifiableCredentials && filterOpts.verifiableCredentials.length > 0) {
848
+ return filterOpts.verifiableCredentials;
849
+ }
850
+ const filter = (0, import_ssi_sdk3.verifiableCredentialForRoleFilter)(credentialRole, filterOpts?.filter);
851
+ const uniqueCredentials = await this.session.context.agent.crsGetUniqueCredentials({
852
+ filter
853
+ });
854
+ return uniqueCredentials.map((uniqueVC) => {
855
+ const vc = uniqueVC.uniformVerifiableCredential;
856
+ const proof = Array.isArray(vc.proof) ? vc.proof : [
857
+ vc.proof
858
+ ];
859
+ const jwtProof = proof.find((p) => p?.type === DEFAULT_JWT_PROOF_TYPE);
860
+ return jwtProof ? jwtProof.jwt : vc;
861
+ });
862
+ }
601
863
  };
602
864
 
603
865
  // src/session/OpSession.ts
604
- var import_did_auth_siop2 = require("@sphereon/did-auth-siop");
605
- var import_ssi_sdk_ext2 = require("@sphereon/ssi-sdk-ext.did-utils");
606
- var import_ssi_sdk2 = require("@sphereon/ssi-sdk.core");
866
+ var import_did_auth_siop3 = require("@sphereon/did-auth-siop");
867
+ var import_ssi_sdk_ext3 = require("@sphereon/ssi-sdk-ext.did-utils");
868
+ var import_ssi_sdk4 = require("@sphereon/ssi-sdk.core");
607
869
  var import_ssi_types = require("@sphereon/ssi-types");
608
870
  var import_uuid = require("uuid");
871
+ var import_pex2 = require("@sphereon/pex");
609
872
  var import_ssi_types2 = require("@sphereon/ssi-types");
610
873
  var logger = import_ssi_types2.Loggers.DEFAULT.get("sphereon:oid4vp:OpSession");
611
874
  var OpSession = class _OpSession {
@@ -620,11 +883,13 @@ var OpSession = class _OpSession {
620
883
  verifiedAuthorizationRequest;
621
884
  _nonce;
622
885
  _state;
886
+ _providedPresentationDefinitions;
623
887
  constructor(options) {
624
888
  this.id = options.sessionId;
625
889
  this.options = options.op;
626
890
  this.context = options.context;
627
891
  this.requestJwtOrUri = options.requestJwtOrUri;
892
+ this._providedPresentationDefinitions = options.providedPresentationDefinitions;
628
893
  }
629
894
  static async init(options) {
630
895
  return new _OpSession(options);
@@ -643,7 +908,7 @@ var OpSession = class _OpSession {
643
908
  return this.verifiedAuthorizationRequest;
644
909
  }
645
910
  async getAuthorizationRequestURI() {
646
- return await import_did_auth_siop2.URI.fromAuthorizationRequest((await this.getAuthorizationRequest()).authorizationRequest);
911
+ return await import_did_auth_siop3.URI.fromAuthorizationRequest((await this.getAuthorizationRequest()).authorizationRequest);
647
912
  }
648
913
  get nonce() {
649
914
  if (!this._nonce) {
@@ -678,7 +943,7 @@ var OpSession = class _OpSession {
678
943
  }
679
944
  let intersection;
680
945
  if (rpMethods.dids.includes("did")) {
681
- intersection = agentMethods && agentMethods.length > 0 ? agentMethods : (await (0, import_ssi_sdk_ext2.getAgentDIDMethods)(this.context)).map((method) => convertDidMethod(method, didPrefix));
946
+ intersection = agentMethods && agentMethods.length > 0 ? agentMethods : (await (0, import_ssi_sdk_ext3.getAgentDIDMethods)(this.context)).map((method) => convertDidMethod(method, didPrefix));
682
947
  } else if (!agentMethods || agentMethods.length === 0) {
683
948
  intersection = rpMethods.dids?.map((method) => convertDidMethod(method, didPrefix));
684
949
  } else {
@@ -722,7 +987,7 @@ var OpSession = class _OpSession {
722
987
  subjectSyntaxTypesSupported
723
988
  ]).map((method) => convertDidMethod(method, opts.didPrefix));
724
989
  }
725
- const isEBSI = rpMethods.length === 0 && (authReq.issuer?.includes(".ebsi.eu") || authReq.authorizationRequest.getMergedProperty("client_id")?.includes(".ebsi.eu"));
990
+ const isEBSI = rpMethods.length === 0 && (authReq.issuer?.includes(".ebsi.eu") || (await authReq.authorizationRequest.getMergedProperty("client_id"))?.includes(".ebsi.eu"));
726
991
  let codecName = void 0;
727
992
  if (isEBSI && (!aud || !aud.startsWith("http"))) {
728
993
  logger.debug(`EBSI detected, adding did:key to supported DID methods for RP`);
@@ -777,14 +1042,56 @@ var OpSession = class _OpSession {
777
1042
  async getRedirectUri() {
778
1043
  return Promise.resolve(this.verifiedAuthorizationRequest.responseURI);
779
1044
  }
1045
+ async hasPresentationDefinitions() {
1046
+ const defs = this._providedPresentationDefinitions ?? (await this.getAuthorizationRequest()).presentationDefinitions;
1047
+ return defs !== void 0 && defs.length > 0;
1048
+ }
1049
+ async getPresentationDefinitions() {
1050
+ if (!await this.hasPresentationDefinitions()) {
1051
+ throw Error(`No presentation definitions found`);
1052
+ }
1053
+ return this._providedPresentationDefinitions ?? (await this.getAuthorizationRequest()).presentationDefinitions;
1054
+ }
780
1055
  async getOID4VP(args) {
781
1056
  return await OID4VP.init(this, args.allIdentifiers ?? [], args.hasher);
782
1057
  }
1058
+ createPresentationVerificationCallback(context) {
1059
+ async function presentationVerificationCallback(args, presentationSubmission) {
1060
+ let result;
1061
+ if (import_ssi_types.CredentialMapper.isSdJwtEncoded(args)) {
1062
+ try {
1063
+ const sdJwtResult = await context.agent.verifySdJwtPresentation({
1064
+ presentation: args
1065
+ });
1066
+ result = {
1067
+ verified: "header" in sdJwtResult,
1068
+ error: "header" in sdJwtResult ? void 0 : {
1069
+ message: "could not verify SD JWT presentation"
1070
+ }
1071
+ };
1072
+ } catch (error) {
1073
+ result = {
1074
+ verified: false,
1075
+ error: {
1076
+ message: error.message
1077
+ }
1078
+ };
1079
+ }
1080
+ } else {
1081
+ result = await context.agent.verifyPresentation({
1082
+ presentation: args
1083
+ });
1084
+ }
1085
+ return result;
1086
+ }
1087
+ __name(presentationVerificationCallback, "presentationVerificationCallback");
1088
+ return presentationVerificationCallback;
1089
+ }
783
1090
  async createJarmResponseCallback({ responseOpts }) {
784
1091
  const agent = this.context.agent;
785
1092
  return /* @__PURE__ */ __name(async function jarmResponse(opts) {
786
1093
  const { clientMetadata, requestObjectPayload, authorizationResponsePayload: authResponse } = opts;
787
- const jwk = await import_did_auth_siop2.OP.extractEncJwksFromClientMetadata(clientMetadata);
1094
+ const jwk = await import_did_auth_siop3.OP.extractEncJwksFromClientMetadata(clientMetadata);
788
1095
  const recipientKey = await agent.identifierExternalResolveByJwk({
789
1096
  identifier: jwk
790
1097
  });
@@ -793,8 +1100,8 @@ var OpSession = class _OpSession {
793
1100
  protectedHeader: {},
794
1101
  alg: requestObjectPayload.client_metadata.authorization_encrypted_response_alg ?? "ECDH-ES",
795
1102
  enc: requestObjectPayload.client_metadata.authorization_encrypted_response_enc ?? "A256GCM",
796
- apv: (0, import_ssi_sdk2.encodeBase64url)(opts.requestObjectPayload.nonce),
797
- apu: (0, import_ssi_sdk2.encodeBase64url)((0, import_uuid.v4)()),
1103
+ apv: (0, import_ssi_sdk4.encodeBase64url)(opts.requestObjectPayload.nonce),
1104
+ apu: (0, import_ssi_sdk4.encodeBase64url)((0, import_uuid.v4)()),
798
1105
  payload: authResponse,
799
1106
  issuer: responseOpts.issuer,
800
1107
  audience: responseOpts.audience
@@ -806,9 +1113,8 @@ var OpSession = class _OpSession {
806
1113
  }, "jarmResponse");
807
1114
  }
808
1115
  async sendAuthorizationResponse(args) {
809
- const { responseSignerOpts, dcqlResponse, isFirstParty } = args;
810
1116
  const resolveOpts = this.options.resolveOpts ?? {
811
- resolver: (0, import_ssi_sdk_ext2.getAgentResolver)(this.context, {
1117
+ resolver: (0, import_ssi_sdk_ext3.getAgentResolver)(this.context, {
812
1118
  uniresolverResolution: true,
813
1119
  localResolution: true,
814
1120
  resolverResolution: true
@@ -817,7 +1123,23 @@ var OpSession = class _OpSession {
817
1123
  if (!resolveOpts.subjectSyntaxTypesSupported || resolveOpts.subjectSyntaxTypesSupported.length === 0) {
818
1124
  resolveOpts.subjectSyntaxTypesSupported = await this.getSupportedDIDMethods(true);
819
1125
  }
1126
+ const verification = {
1127
+ presentationVerificationCallback: this.createPresentationVerificationCallback(this.context)
1128
+ };
820
1129
  const request = await this.getAuthorizationRequest();
1130
+ const hasDefinitions = await this.hasPresentationDefinitions();
1131
+ if (hasDefinitions) {
1132
+ const totalInputDescriptors = request.presentationDefinitions?.reduce((sum, pd) => {
1133
+ return sum + pd.definition.input_descriptors.length;
1134
+ }, 0);
1135
+ const totalVCs = args.verifiablePresentations ? this.countVCsInAllVPs(args.verifiablePresentations, args.hasher) : 0;
1136
+ if (!request.presentationDefinitions || !args.verifiablePresentations || totalVCs !== totalInputDescriptors) {
1137
+ throw Error(`Amount of presentations ${args.verifiablePresentations?.length}, doesn't match expected ${request.presentationDefinitions?.length}`);
1138
+ } else if (!args.presentationSubmission) {
1139
+ throw Error(`Presentation submission is required when verifiable presentations are required`);
1140
+ }
1141
+ }
1142
+ const verifiablePresentations = args.verifiablePresentations ? args.verifiablePresentations.map((vp) => import_ssi_types.CredentialMapper.storedPresentationToOriginalFormat(vp)) : [];
821
1143
  const op = await createOP({
822
1144
  opOptions: {
823
1145
  ...this.options,
@@ -829,16 +1151,23 @@ var OpSession = class _OpSession {
829
1151
  wellknownDIDVerifyCallback: this.options.wellknownDIDVerifyCallback,
830
1152
  supportedVersions: request.versions
831
1153
  },
832
- idOpts: responseSignerOpts,
1154
+ idOpts: args.responseSignerOpts,
833
1155
  context: this.context
834
1156
  });
835
- let issuer = responseSignerOpts.issuer;
1157
+ let issuer = args.responseSignerOpts.issuer;
836
1158
  const responseOpts = {
1159
+ verification,
837
1160
  issuer,
838
- ...isFirstParty && {
839
- isFirstParty
1161
+ ...args.isFirstParty && {
1162
+ isFirstParty: args.isFirstParty
840
1163
  },
841
- dcqlResponse
1164
+ ...args.verifiablePresentations && {
1165
+ presentationExchange: {
1166
+ verifiablePresentations,
1167
+ presentationSubmission: args.presentationSubmission
1168
+ }
1169
+ },
1170
+ dcqlQuery: args.dcqlResponse
842
1171
  };
843
1172
  const authResponse = await op.createAuthorizationResponse(request, responseOpts);
844
1173
  const response = await op.submitAuthorizationResponse(authResponse, await this.createJarmResponseCallback({
@@ -850,6 +1179,24 @@ var OpSession = class _OpSession {
850
1179
  return response;
851
1180
  }
852
1181
  }
1182
+ countVCsInAllVPs(verifiablePresentations, hasher) {
1183
+ return verifiablePresentations.reduce((sum, vp) => {
1184
+ if (import_ssi_types.CredentialMapper.isMsoMdocDecodedPresentation(vp) || import_ssi_types.CredentialMapper.isMsoMdocOid4VPEncoded(vp)) {
1185
+ return sum + 1;
1186
+ }
1187
+ const uvp = import_ssi_types.CredentialMapper.toUniformPresentation(vp, {
1188
+ hasher: hasher ?? this.options.hasher
1189
+ });
1190
+ if (uvp.verifiableCredential?.length) {
1191
+ return sum + uvp.verifiableCredential?.length;
1192
+ }
1193
+ const isSdJWT = import_ssi_types.CredentialMapper.isSdJwtDecodedCredential(uvp);
1194
+ if (isSdJWT || uvp.verifiableCredential && !import_pex2.PEX.allowMultipleVCsPerPresentation(uvp.verifiableCredential)) {
1195
+ return sum + 1;
1196
+ }
1197
+ return sum;
1198
+ }, 0);
1199
+ }
853
1200
  };
854
1201
  function convertDidMethod(didMethod, didPrefix) {
855
1202
  if (didPrefix === false) {
@@ -859,79 +1206,10 @@ function convertDidMethod(didMethod, didPrefix) {
859
1206
  }
860
1207
  __name(convertDidMethod, "convertDidMethod");
861
1208
 
862
- // src/types/IDidAuthSiopOpAuthenticator.ts
863
- var LOGGER_NAMESPACE = "sphereon:siopv2-oid4vp:op-auth";
864
- var DEFAULT_JWT_PROOF_TYPE = "JwtProof2020";
865
-
866
- // src/types/siop-service/index.ts
867
- var Siopv2HolderEvent = /* @__PURE__ */ function(Siopv2HolderEvent2) {
868
- Siopv2HolderEvent2["CONTACT_IDENTITY_CREATED"] = "contact_identity_created";
869
- Siopv2HolderEvent2["IDENTIFIER_CREATED"] = "identifier_created";
870
- return Siopv2HolderEvent2;
871
- }({});
872
- var SupportedLanguage = /* @__PURE__ */ function(SupportedLanguage2) {
873
- SupportedLanguage2["ENGLISH"] = "en";
874
- SupportedLanguage2["DUTCH"] = "nl";
875
- return SupportedLanguage2;
876
- }({});
877
-
878
- // src/types/machine/index.ts
879
- var Siopv2MachineStates = /* @__PURE__ */ function(Siopv2MachineStates2) {
880
- Siopv2MachineStates2["createConfig"] = "createConfig";
881
- Siopv2MachineStates2["getSiopRequest"] = "getSiopRequest";
882
- Siopv2MachineStates2["getSelectableCredentials"] = "getSelectableCredentials";
883
- Siopv2MachineStates2["retrieveContact"] = "retrieveContact";
884
- Siopv2MachineStates2["transitionFromSetup"] = "transitionFromSetup";
885
- Siopv2MachineStates2["addContact"] = "addContact";
886
- Siopv2MachineStates2["addContactIdentity"] = "addContactIdentity";
887
- Siopv2MachineStates2["selectCredentials"] = "selectCredentials";
888
- Siopv2MachineStates2["sendResponse"] = "sendResponse";
889
- Siopv2MachineStates2["handleError"] = "handleError";
890
- Siopv2MachineStates2["aborted"] = "aborted";
891
- Siopv2MachineStates2["declined"] = "declined";
892
- Siopv2MachineStates2["error"] = "error";
893
- Siopv2MachineStates2["done"] = "done";
894
- return Siopv2MachineStates2;
895
- }({});
896
- var Siopv2MachineAddContactStates = /* @__PURE__ */ function(Siopv2MachineAddContactStates2) {
897
- Siopv2MachineAddContactStates2["idle"] = "idle";
898
- Siopv2MachineAddContactStates2["executing"] = "executing";
899
- Siopv2MachineAddContactStates2["next"] = "next";
900
- return Siopv2MachineAddContactStates2;
901
- }({});
902
- var Siopv2MachineEvents = /* @__PURE__ */ function(Siopv2MachineEvents2) {
903
- Siopv2MachineEvents2["NEXT"] = "NEXT";
904
- Siopv2MachineEvents2["PREVIOUS"] = "PREVIOUS";
905
- Siopv2MachineEvents2["DECLINE"] = "DECLINE";
906
- Siopv2MachineEvents2["SET_CONTACT_ALIAS"] = "SET_CONTACT_ALIAS";
907
- Siopv2MachineEvents2["SET_CONTACT_CONSENT"] = "SET_CONTACT_CONSENT";
908
- Siopv2MachineEvents2["CREATE_CONTACT"] = "CREATE_CONTACT";
909
- Siopv2MachineEvents2["SET_SELECTED_CREDENTIALS"] = "SET_SELECTED_CREDENTIALS";
910
- return Siopv2MachineEvents2;
911
- }({});
912
- var Siopv2MachineGuards = /* @__PURE__ */ function(Siopv2MachineGuards2) {
913
- Siopv2MachineGuards2["hasNoContactGuard"] = "Siopv2HasNoContactGuard";
914
- Siopv2MachineGuards2["createContactGuard"] = "Siopv2CreateContactGuard";
915
- Siopv2MachineGuards2["hasContactGuard"] = "Siopv2HasContactGuard";
916
- Siopv2MachineGuards2["hasAuthorizationRequestGuard"] = "Siopv2HasAuthorizationRequestGuard";
917
- Siopv2MachineGuards2["hasSelectableCredentialsAndContactGuard"] = "Siopv2HasSelectableCredentialsAndContactGuard";
918
- Siopv2MachineGuards2["hasSelectedRequiredCredentialsGuard"] = "Siopv2HasSelectedRequiredCredentialsGuard";
919
- Siopv2MachineGuards2["siopOnlyGuard"] = "Siopv2IsSiopOnlyGuard";
920
- Siopv2MachineGuards2["siopWithOID4VPGuard"] = "Siopv2IsSiopWithOID4VPGuard";
921
- return Siopv2MachineGuards2;
922
- }({});
923
- var Siopv2MachineServices = /* @__PURE__ */ function(Siopv2MachineServices2) {
924
- Siopv2MachineServices2["getSiopRequest"] = "getSiopRequest";
925
- Siopv2MachineServices2["getSelectableCredentials"] = "getSelectableCredentials";
926
- Siopv2MachineServices2["retrieveContact"] = "retrieveContact";
927
- Siopv2MachineServices2["addContactIdentity"] = "addContactIdentity";
928
- Siopv2MachineServices2["sendResponse"] = "sendResponse";
929
- Siopv2MachineServices2["createConfig"] = "createConfig";
930
- return Siopv2MachineServices2;
931
- }({});
932
-
933
- // src/types/identifier/index.ts
934
- var DID_PREFIX = "did";
1209
+ // src/agent/DidAuthSiopOpAuthenticator.ts
1210
+ var import_pex4 = require("@sphereon/pex");
1211
+ var import_utils = require("@veramo/utils");
1212
+ var import_dcql3 = require("dcql");
935
1213
 
936
1214
  // src/machine/Siopv2Machine.ts
937
1215
  var import_xstate = require("xstate");
@@ -1000,7 +1278,7 @@ var Siopv2HasSelectableCredentialsAndContactGuard = /* @__PURE__ */ __name((_ctx
1000
1278
  if (!contact) {
1001
1279
  throw new Error("Missing contact request data in context");
1002
1280
  }
1003
- return authorizationRequestData.dcqlQuery !== void 0;
1281
+ return authorizationRequestData.presentationDefinitions !== void 0;
1004
1282
  }, "Siopv2HasSelectableCredentialsAndContactGuard");
1005
1283
  var Siopv2CreateContactGuard = /* @__PURE__ */ __name((_ctx, _event) => {
1006
1284
  const { contactAlias, hasContactConsent } = _ctx;
@@ -1011,7 +1289,7 @@ var Siopv2HasSelectedRequiredCredentialsGuard = /* @__PURE__ */ __name((_ctx, _e
1011
1289
  if (authorizationRequestData === void 0) {
1012
1290
  throw new Error("Missing authorization request data in context");
1013
1291
  }
1014
- if (authorizationRequestData.dcqlQuery === void 0) {
1292
+ if (authorizationRequestData.presentationDefinitions === void 0 || authorizationRequestData.presentationDefinitions.length === 0) {
1015
1293
  throw Error("No presentation definitions present");
1016
1294
  }
1017
1295
  return _ctx.selectedCredentials.length > 0;
@@ -1021,7 +1299,7 @@ var Siopv2IsSiopOnlyGuard = /* @__PURE__ */ __name((_ctx, _event) => {
1021
1299
  if (authorizationRequestData === void 0) {
1022
1300
  throw new Error("Missing authorization request data in context");
1023
1301
  }
1024
- return authorizationRequestData.dcqlQuery === void 0;
1302
+ return authorizationRequestData.presentationDefinitions === void 0;
1025
1303
  }, "Siopv2IsSiopOnlyGuard");
1026
1304
  var Siopv2IsSiopWithOID4VPGuard = /* @__PURE__ */ __name((_ctx, _event) => {
1027
1305
  const { authorizationRequestData, selectableCredentialsMap } = _ctx;
@@ -1031,7 +1309,7 @@ var Siopv2IsSiopWithOID4VPGuard = /* @__PURE__ */ __name((_ctx, _event) => {
1031
1309
  if (!selectableCredentialsMap) {
1032
1310
  throw new Error("Missing selectableCredentialsMap in context");
1033
1311
  }
1034
- return authorizationRequestData.dcqlQuery !== void 0;
1312
+ return authorizationRequestData.presentationDefinitions !== void 0;
1035
1313
  }, "Siopv2IsSiopWithOID4VPGuard");
1036
1314
  var createSiopv2Machine = /* @__PURE__ */ __name((opts) => {
1037
1315
  const { url, idOpts: idOpts2 } = opts;
@@ -1347,206 +1625,367 @@ var Siopv2Machine = class {
1347
1625
 
1348
1626
  // src/services/Siopv2MachineService.ts
1349
1627
  var import_did_auth_siop4 = require("@sphereon/did-auth-siop");
1350
- var import_ssi_sdk_ext3 = require("@sphereon/ssi-sdk-ext.identifier-resolution");
1351
- var import_ssi_sdk3 = require("@sphereon/ssi-sdk.credential-store");
1352
- var import_ssi_sdk4 = require("@sphereon/ssi-sdk.data-store");
1628
+ var import_pex3 = require("@sphereon/pex");
1629
+ var import_ssi_sdk_ext4 = require("@sphereon/ssi-sdk-ext.identifier-resolution");
1630
+ var import_ssi_sdk5 = require("@sphereon/ssi-sdk.credential-store");
1631
+ var import_ssi_sdk6 = require("@sphereon/ssi-sdk.data-store");
1353
1632
  var import_ssi_types6 = require("@sphereon/ssi-types");
1354
- var import_ssi_types7 = require("@sphereon/ssi-types");
1355
- var import_ssi_sdk5 = require("@sphereon/ssi-sdk.core");
1633
+ var import_ssi_sdk_ext5 = require("@sphereon/ssi-sdk-ext.did-utils");
1634
+ var import_ssi_sdk7 = require("@sphereon/ssi-sdk.core");
1356
1635
  var import_dcql = require("dcql");
1357
1636
 
1358
1637
  // src/utils/dcql.ts
1359
1638
  var import_ssi_types5 = require("@sphereon/ssi-types");
1360
- var import_did_auth_siop3 = require("@sphereon/did-auth-siop");
1361
1639
 
1362
1640
  // src/utils/CredentialUtils.ts
1363
1641
  var import_ssi_types4 = require("@sphereon/ssi-types");
1642
+ var getOriginalVerifiableCredential = /* @__PURE__ */ __name((credential) => {
1643
+ if (isUniqueDigitalCredential(credential)) {
1644
+ if (!credential.originalVerifiableCredential) {
1645
+ throw new Error("originalVerifiableCredential is not defined in UniqueDigitalCredential");
1646
+ }
1647
+ return getCredentialFromProofOrWrapped(credential.originalVerifiableCredential);
1648
+ }
1649
+ return getCredentialFromProofOrWrapped(credential);
1650
+ }, "getOriginalVerifiableCredential");
1651
+ var getCredentialFromProofOrWrapped = /* @__PURE__ */ __name((cred, hasher) => {
1652
+ if (typeof cred === "object" && "proof" in cred && "jwt" in cred.proof && import_ssi_types4.CredentialMapper.isSdJwtEncoded(cred.proof.jwt)) {
1653
+ return cred.proof.jwt;
1654
+ }
1655
+ return import_ssi_types4.CredentialMapper.toWrappedVerifiableCredential(cred, {
1656
+ hasher
1657
+ }).original;
1658
+ }, "getCredentialFromProofOrWrapped");
1364
1659
  var isUniqueDigitalCredential = /* @__PURE__ */ __name((credential) => {
1365
1660
  return credential.digitalCredential !== void 0;
1366
1661
  }, "isUniqueDigitalCredential");
1367
1662
 
1368
1663
  // src/utils/dcql.ts
1369
1664
  function convertToDcqlCredentials(credential, hasher) {
1370
- let originalVerifiableCredential;
1665
+ let payload;
1371
1666
  if (isUniqueDigitalCredential(credential)) {
1372
1667
  if (!credential.originalVerifiableCredential) {
1373
1668
  throw new Error("originalVerifiableCredential is not defined in UniqueDigitalCredential");
1374
1669
  }
1375
- originalVerifiableCredential = import_ssi_types5.CredentialMapper.decodeVerifiableCredential(credential.originalVerifiableCredential, hasher);
1670
+ payload = import_ssi_types5.CredentialMapper.decodeVerifiableCredential(credential.originalVerifiableCredential, hasher);
1376
1671
  } else {
1377
- originalVerifiableCredential = import_ssi_types5.CredentialMapper.decodeVerifiableCredential(credential, hasher);
1672
+ payload = import_ssi_types5.CredentialMapper.decodeVerifiableCredential(credential, hasher);
1378
1673
  }
1379
- if (!originalVerifiableCredential) {
1674
+ if (!payload) {
1380
1675
  throw new Error("No payload found");
1381
1676
  }
1382
- if (import_ssi_types5.CredentialMapper.isJwtDecodedCredential(originalVerifiableCredential)) {
1383
- return import_did_auth_siop3.Dcql.toDcqlJwtCredential(import_ssi_types5.CredentialMapper.toWrappedVerifiableCredential(originalVerifiableCredential));
1384
- } else if (import_ssi_types5.CredentialMapper.isSdJwtDecodedCredential(originalVerifiableCredential)) {
1385
- return import_did_auth_siop3.Dcql.toDcqlSdJwtCredential(import_ssi_types5.CredentialMapper.toWrappedVerifiableCredential(originalVerifiableCredential));
1386
- } else if (import_ssi_types5.CredentialMapper.isMsoMdocDecodedCredential(originalVerifiableCredential)) {
1387
- return import_did_auth_siop3.Dcql.toDcqlMdocCredential(import_ssi_types5.CredentialMapper.toWrappedVerifiableCredential(originalVerifiableCredential));
1388
- } else if (import_ssi_types5.CredentialMapper.isW3cCredential(originalVerifiableCredential)) {
1389
- return import_did_auth_siop3.Dcql.toDcqlJsonLdCredential(import_ssi_types5.CredentialMapper.toWrappedVerifiableCredential(originalVerifiableCredential));
1677
+ if ("decodedPayload" in payload && payload.decodedPayload) {
1678
+ payload = payload.decodedPayload;
1679
+ }
1680
+ if ("vct" in payload) {
1681
+ return {
1682
+ vct: payload.vct,
1683
+ claims: payload,
1684
+ credential_format: "vc+sd-jwt"
1685
+ };
1686
+ } else if ("docType" in payload && "namespaces" in payload) {
1687
+ return {
1688
+ docType: payload.docType,
1689
+ namespaces: payload.namespaces,
1690
+ claims: payload
1691
+ };
1692
+ } else {
1693
+ return {
1694
+ claims: payload,
1695
+ credential_format: "jwt_vc_json"
1696
+ };
1390
1697
  }
1391
- throw Error(`Unable to map credential to DCQL credential. Credential: ${JSON.stringify(originalVerifiableCredential)}`);
1392
1698
  }
1393
1699
  __name(convertToDcqlCredentials, "convertToDcqlCredentials");
1394
1700
 
1395
1701
  // src/services/Siopv2MachineService.ts
1396
- var import_ssi_sdk_ext4 = require("@sphereon/ssi-sdk-ext.did-utils");
1397
- var logger3 = import_ssi_types7.Loggers.DEFAULT.get(LOGGER_NAMESPACE);
1702
+ var logger3 = import_ssi_types6.Loggers.DEFAULT.get(LOGGER_NAMESPACE);
1703
+ var createEbsiIdentifier = /* @__PURE__ */ __name(async (agentContext) => {
1704
+ logger3.log(`No EBSI key present yet. Creating a new one...`);
1705
+ const { result: newIdentifier, created } = await (0, import_ssi_sdk_ext5.getOrCreatePrimaryIdentifier)(agentContext, {
1706
+ method: import_ssi_sdk_ext5.SupportedDidMethodEnum.DID_KEY,
1707
+ createOpts: {
1708
+ options: {
1709
+ codecName: "jwk_jcs-pub",
1710
+ type: "Secp256r1"
1711
+ }
1712
+ }
1713
+ });
1714
+ logger3.log(`EBSI key created: ${newIdentifier.did}`);
1715
+ if (created) {
1716
+ await agentContext.agent.emit(Siopv2HolderEvent.IDENTIFIER_CREATED, {
1717
+ result: newIdentifier
1718
+ });
1719
+ }
1720
+ return await agentContext.agent.identifierManagedGetByDid({
1721
+ identifier: newIdentifier.did
1722
+ });
1723
+ }, "createEbsiIdentifier");
1724
+ var hasEbsiClient = /* @__PURE__ */ __name(async (authorizationRequest) => {
1725
+ const clientId = await authorizationRequest.getMergedProperty("client_id");
1726
+ const redirectUri = await authorizationRequest.getMergedProperty("redirect_uri");
1727
+ return clientId?.toLowerCase().includes(".ebsi.eu") || redirectUri?.toLowerCase().includes(".ebsi.eu");
1728
+ }, "hasEbsiClient");
1398
1729
  var siopSendAuthorizationResponse = /* @__PURE__ */ __name(async (connectionType, args, context) => {
1399
1730
  const { agent } = context;
1400
- const { credentials } = args;
1401
- if (connectionType !== import_ssi_sdk4.ConnectionType.SIOPv2_OpenID4VP) {
1731
+ const agentContext = {
1732
+ ...context,
1733
+ agent: context.agent
1734
+ };
1735
+ let { idOpts: idOpts2, isFirstParty, hasher = import_ssi_sdk7.defaultHasher } = args;
1736
+ if (connectionType !== import_ssi_sdk6.ConnectionType.SIOPv2_OpenID4VP) {
1402
1737
  return Promise.reject(Error(`No supported authentication provider for type: ${connectionType}`));
1403
1738
  }
1404
1739
  const session = await agent.siopGetOPSession({
1405
1740
  sessionId: args.sessionId
1406
1741
  });
1407
1742
  const request = await session.getAuthorizationRequest();
1408
- const aud = request.authorizationRequest.getMergedProperty("aud");
1743
+ const aud = await request.authorizationRequest.getMergedProperty("aud");
1409
1744
  logger3.debug(`AUD: ${aud}`);
1410
1745
  logger3.debug(JSON.stringify(request.authorizationRequest));
1411
- const domain = await request.authorizationRequest.getMergedProperty("client_id") ?? request.issuer ?? (request.versions.includes(import_did_auth_siop4.SupportedVersion.JWT_VC_PRESENTATION_PROFILE_v1) ? "https://self-issued.me/v2/openid-vc" : "https://self-issued.me/v2");
1412
- logger3.debug(`NONCE: ${session.nonce}, domain: ${domain}`);
1413
- const firstUniqueDC = credentials[0];
1414
- if (typeof firstUniqueDC !== "object" || !("digitalCredential" in firstUniqueDC)) {
1415
- return Promise.reject(Error("SiopMachine only supports UniqueDigitalCredentials for now"));
1416
- }
1417
- let identifier;
1418
- const digitalCredential = firstUniqueDC.digitalCredential;
1419
- const firstVC = firstUniqueDC.uniformVerifiableCredential;
1420
- const holder = import_ssi_types7.CredentialMapper.isSdJwtDecodedCredential(firstVC) ? firstVC.decodedPayload.cnf?.jwk ? (
1421
- //doesn't apply to did:jwk only, as you can represent any DID key as a JWK. So whenever you encounter a JWK it doesn't mean it had to come from a did:jwk in the system. It just can always be represented as a did:jwk
1422
- `did:jwk:${(0, import_ssi_sdk5.encodeJoseBlob)(firstVC.decodedPayload.cnf?.jwk)}#0`
1423
- ) : firstVC.decodedPayload.sub : Array.isArray(firstVC.credentialSubject) ? firstVC.credentialSubject[0].id : firstVC.credentialSubject.id;
1424
- if (!digitalCredential.kmsKeyRef) {
1425
- if (!holder) {
1426
- return Promise.reject(`No holder found and no kmsKeyRef in DB. Cannot determine identifier to use`);
1427
- }
1428
- try {
1429
- identifier = await session.context.agent.identifierManagedGet({
1430
- identifier: holder
1746
+ let presentationsAndDefs;
1747
+ let presentationSubmission;
1748
+ if (await session.hasPresentationDefinitions()) {
1749
+ const oid4vp = await session.getOID4VP({
1750
+ hasher
1751
+ });
1752
+ const credentialsAndDefinitions = args.verifiableCredentialsWithDefinition ? args.verifiableCredentialsWithDefinition : await oid4vp.filterCredentialsAgainstAllDefinitions(import_ssi_sdk6.CredentialRole.HOLDER);
1753
+ const domain = await request.authorizationRequest.getMergedProperty("client_id") ?? request.issuer ?? (request.versions.includes(import_did_auth_siop4.SupportedVersion.JWT_VC_PRESENTATION_PROFILE_v1) ? "https://self-issued.me/v2/openid-vc" : "https://self-issued.me/v2");
1754
+ logger3.log(`NONCE: ${session.nonce}, domain: ${domain}`);
1755
+ const firstUniqueDC = credentialsAndDefinitions[0].credentials[0];
1756
+ if (typeof firstUniqueDC !== "object" || !("digitalCredential" in firstUniqueDC)) {
1757
+ return Promise.reject(Error("SiopMachine only supports UniqueDigitalCredentials for now"));
1758
+ }
1759
+ let identifier;
1760
+ const digitalCredential = firstUniqueDC.digitalCredential;
1761
+ const firstVC = firstUniqueDC.uniformVerifiableCredential;
1762
+ const holder = import_ssi_types6.CredentialMapper.isSdJwtDecodedCredential(firstVC) ? firstVC.decodedPayload.cnf?.jwk ? (
1763
+ //doesn't apply to did:jwk only, as you can represent any DID key as a JWK. So whenever you encounter a JWK it doesn't mean it had to come from a did:jwk in the system. It just can always be represented as a did:jwk
1764
+ `did:jwk:${(0, import_ssi_sdk7.encodeJoseBlob)(firstVC.decodedPayload.cnf?.jwk)}#0`
1765
+ ) : firstVC.decodedPayload.sub : Array.isArray(firstVC.credentialSubject) ? firstVC.credentialSubject[0].id : firstVC.credentialSubject.id;
1766
+ if (!digitalCredential.kmsKeyRef) {
1767
+ if (!holder) {
1768
+ return Promise.reject(`No holder found and no kmsKeyRef in DB. Cannot determine identifier to use`);
1769
+ }
1770
+ try {
1771
+ identifier = await session.context.agent.identifierManagedGet({
1772
+ identifier: holder
1773
+ });
1774
+ } catch (e) {
1775
+ logger3.debug(`Holder DID not found: ${holder}`);
1776
+ throw e;
1777
+ }
1778
+ } else if ((0, import_ssi_sdk_ext4.isOID4VCIssuerIdentifier)(digitalCredential.kmsKeyRef)) {
1779
+ identifier = await session.context.agent.identifierManagedGetByOID4VCIssuer({
1780
+ identifier: firstUniqueDC.digitalCredential.kmsKeyRef
1431
1781
  });
1432
- } catch (e) {
1433
- logger3.debug(`Holder DID not found: ${holder}`);
1434
- throw e;
1782
+ } else {
1783
+ switch (digitalCredential.subjectCorrelationType) {
1784
+ case "DID":
1785
+ identifier = await session.context.agent.identifierManagedGetByDid({
1786
+ identifier: digitalCredential.subjectCorrelationId ?? holder,
1787
+ kmsKeyRef: digitalCredential.kmsKeyRef
1788
+ });
1789
+ break;
1790
+ // TODO other implementations?
1791
+ default:
1792
+ if (digitalCredential.subjectCorrelationId?.startsWith("did:") || holder?.startsWith("did:")) {
1793
+ identifier = await session.context.agent.identifierManagedGetByDid({
1794
+ identifier: digitalCredential.subjectCorrelationId ?? holder,
1795
+ kmsKeyRef: digitalCredential.kmsKeyRef
1796
+ });
1797
+ } else {
1798
+ identifier = await session.context.agent.identifierManagedGetByKid({
1799
+ identifier: digitalCredential.subjectCorrelationId ?? holder ?? digitalCredential.kmsKeyRef,
1800
+ kmsKeyRef: digitalCredential.kmsKeyRef
1801
+ });
1802
+ }
1803
+ }
1804
+ }
1805
+ if (identifier === void 0 && idOpts2 !== void 0 && await hasEbsiClient(request.authorizationRequest)) {
1806
+ identifier = await createEbsiIdentifier(agentContext);
1435
1807
  }
1436
- } else if ((0, import_ssi_sdk_ext3.isOID4VCIssuerIdentifier)(digitalCredential.kmsKeyRef)) {
1437
- identifier = await session.context.agent.identifierManagedGetByOID4VCIssuer({
1438
- identifier: firstUniqueDC.digitalCredential.kmsKeyRef
1808
+ logger3.debug(`Identifier`, identifier);
1809
+ presentationsAndDefs = await oid4vp.createVerifiablePresentations(import_ssi_sdk6.CredentialRole.HOLDER, credentialsAndDefinitions, {
1810
+ idOpts: identifier,
1811
+ proofOpts: {
1812
+ nonce: session.nonce,
1813
+ domain
1814
+ }
1439
1815
  });
1440
- } else {
1441
- switch (digitalCredential.subjectCorrelationType) {
1442
- case "DID":
1443
- identifier = await session.context.agent.identifierManagedGetByDid({
1444
- identifier: digitalCredential.subjectCorrelationId ?? holder,
1445
- kmsKeyRef: digitalCredential.kmsKeyRef
1446
- });
1447
- break;
1448
- // TODO other implementations?
1449
- default:
1450
- identifier = await session.context.agent.identifierManagedGetByKid({
1451
- identifier: digitalCredential.subjectCorrelationId ?? holder ?? digitalCredential.kmsKeyRef,
1452
- kmsKeyRef: digitalCredential.kmsKeyRef
1453
- });
1816
+ if (!presentationsAndDefs || presentationsAndDefs.length === 0) {
1817
+ throw Error("No verifiable presentations could be created");
1818
+ } else if (presentationsAndDefs.length > 1) {
1819
+ throw Error(`Only one verifiable presentation supported for now. Got ${presentationsAndDefs.length}`);
1454
1820
  }
1455
- }
1456
- const dcqlCredentialsWithCredentials = new Map(credentials.map((vc) => [
1457
- convertToDcqlCredentials(vc),
1458
- vc
1459
- ]));
1460
- const queryResult = import_dcql.DcqlQuery.query(request.dcqlQuery, Array.from(dcqlCredentialsWithCredentials.keys()));
1461
- if (!queryResult.can_be_satisfied) {
1462
- return Promise.reject(Error("Credentials do not match required query request"));
1463
- }
1464
- const presentation = {};
1465
- const uniqueCredentials = Array.from(dcqlCredentialsWithCredentials.values());
1466
- for (const [key, value] of Object.entries(queryResult.credential_matches)) {
1467
- if (value.success) {
1468
- const matchedCredentials = value.valid_credentials.map((cred) => uniqueCredentials[cred.input_credential_index]);
1469
- const vc = matchedCredentials[0];
1470
- if (!vc) {
1471
- continue;
1821
+ idOpts2 = presentationsAndDefs[0].idOpts;
1822
+ presentationSubmission = presentationsAndDefs[0].presentationSubmission;
1823
+ logger3.log(`Definitions and locations:`, JSON.stringify(presentationsAndDefs?.[0]?.verifiablePresentations, null, 2));
1824
+ logger3.log(`Presentation Submission:`, JSON.stringify(presentationSubmission, null, 2));
1825
+ const mergedVerifiablePresentations = presentationsAndDefs?.flatMap((pd) => pd.verifiablePresentations) || [];
1826
+ return await session.sendAuthorizationResponse({
1827
+ ...presentationsAndDefs && {
1828
+ verifiablePresentations: mergedVerifiablePresentations
1829
+ },
1830
+ ...presentationSubmission && {
1831
+ presentationSubmission
1832
+ },
1833
+ // todo: Change issuer value in case we do not use identifier. Use key.meta.jwkThumbprint then
1834
+ responseSignerOpts: idOpts2,
1835
+ isFirstParty
1836
+ });
1837
+ } else if (request.dcqlQuery) {
1838
+ if (args.verifiableCredentialsWithDefinition !== void 0 && args.verifiableCredentialsWithDefinition !== null) {
1839
+ const vcs = args.verifiableCredentialsWithDefinition.flatMap((vcd) => vcd.credentials);
1840
+ const domain = await request.authorizationRequest.getMergedProperty("client_id") ?? request.issuer ?? (request.versions.includes(import_did_auth_siop4.SupportedVersion.JWT_VC_PRESENTATION_PROFILE_v1) ? "https://self-issued.me/v2/openid-vc" : "https://self-issued.me/v2");
1841
+ logger3.debug(`NONCE: ${session.nonce}, domain: ${domain}`);
1842
+ const firstUniqueDC = vcs[0];
1843
+ if (typeof firstUniqueDC !== "object" || !("digitalCredential" in firstUniqueDC)) {
1844
+ return Promise.reject(Error("SiopMachine only supports UniqueDigitalCredentials for now"));
1472
1845
  }
1473
- const originalVc = retrieveEncodedCredential(vc);
1474
- if (!originalVc) {
1475
- continue;
1846
+ let identifier;
1847
+ const digitalCredential = firstUniqueDC.digitalCredential;
1848
+ const firstVC = firstUniqueDC.uniformVerifiableCredential;
1849
+ const holder = import_ssi_types6.CredentialMapper.isSdJwtDecodedCredential(firstVC) ? firstVC.decodedPayload.cnf?.jwk ? (
1850
+ //doesn't apply to did:jwk only, as you can represent any DID key as a JWK. So whenever you encounter a JWK it doesn't mean it had to come from a did:jwk in the system. It just can always be represented as a did:jwk
1851
+ `did:jwk:${(0, import_ssi_sdk7.encodeJoseBlob)(firstVC.decodedPayload.cnf?.jwk)}#0`
1852
+ ) : firstVC.decodedPayload.sub : Array.isArray(firstVC.credentialSubject) ? firstVC.credentialSubject[0].id : firstVC.credentialSubject.id;
1853
+ if (!digitalCredential.kmsKeyRef) {
1854
+ if (!holder) {
1855
+ return Promise.reject(`No holder found and no kmsKeyRef in DB. Cannot determine identifier to use`);
1856
+ }
1857
+ try {
1858
+ identifier = await session.context.agent.identifierManagedGet({
1859
+ identifier: holder
1860
+ });
1861
+ } catch (e) {
1862
+ logger3.debug(`Holder DID not found: ${holder}`);
1863
+ throw e;
1864
+ }
1865
+ } else if ((0, import_ssi_sdk_ext4.isOID4VCIssuerIdentifier)(digitalCredential.kmsKeyRef)) {
1866
+ identifier = await session.context.agent.identifierManagedGetByOID4VCIssuer({
1867
+ identifier: firstUniqueDC.digitalCredential.kmsKeyRef
1868
+ });
1869
+ } else {
1870
+ switch (digitalCredential.subjectCorrelationType) {
1871
+ case "DID":
1872
+ identifier = await session.context.agent.identifierManagedGetByDid({
1873
+ identifier: digitalCredential.subjectCorrelationId ?? holder,
1874
+ kmsKeyRef: digitalCredential.kmsKeyRef
1875
+ });
1876
+ break;
1877
+ // TODO other implementations?
1878
+ default:
1879
+ identifier = await session.context.agent.identifierManagedGetByKid({
1880
+ identifier: digitalCredential.subjectCorrelationId ?? holder ?? digitalCredential.kmsKeyRef,
1881
+ kmsKeyRef: digitalCredential.kmsKeyRef
1882
+ });
1883
+ }
1476
1884
  }
1477
- if (originalVc) {
1478
- presentation[key] = originalVc;
1885
+ console.log(`Identifier`, identifier);
1886
+ const dcqlRepresentations = [];
1887
+ vcs.forEach((vc) => {
1888
+ const rep = convertToDcqlCredentials(vc, args.hasher);
1889
+ if (rep) {
1890
+ dcqlRepresentations.push(rep);
1891
+ }
1892
+ });
1893
+ const queryResult = import_dcql.DcqlQuery.query(request.dcqlQuery, dcqlRepresentations);
1894
+ const presentation = {};
1895
+ for (const [key, value] of Object.entries(queryResult.credential_matches)) {
1896
+ const allMatches = Array.isArray(value) ? value : [
1897
+ value
1898
+ ];
1899
+ allMatches.forEach((match) => {
1900
+ if (match.success) {
1901
+ const originalCredential = getOriginalVerifiableCredential(vcs[match.input_credential_index]);
1902
+ if (!originalCredential) {
1903
+ throw new Error(`Index ${match.input_credential_index} out of range in credentials array`);
1904
+ }
1905
+ presentation[key] = originalCredential["compactSdJwtVc"] !== void 0 ? originalCredential.compactSdJwtVc : originalCredential;
1906
+ }
1907
+ });
1479
1908
  }
1909
+ const response = session.sendAuthorizationResponse({
1910
+ responseSignerOpts: identifier,
1911
+ ...{
1912
+ dcqlQuery: {
1913
+ dcqlPresentation: import_dcql.DcqlPresentation.parse(presentation)
1914
+ }
1915
+ }
1916
+ });
1917
+ logger3.debug(`Response: `, response);
1918
+ return response;
1480
1919
  }
1481
1920
  }
1482
- const dcqlPresentation = import_dcql.DcqlPresentation.parse(presentation);
1483
- const response = session.sendAuthorizationResponse({
1484
- responseSignerOpts: identifier,
1485
- dcqlResponse: {
1486
- dcqlPresentation
1487
- }
1488
- });
1489
- logger3.debug(`Response: `, response);
1490
- return response;
1921
+ throw Error("Presentation Definition or DCQL is required");
1491
1922
  }, "siopSendAuthorizationResponse");
1492
- var retrieveEncodedCredential = /* @__PURE__ */ __name((credential) => {
1493
- return credential.originalVerifiableCredential !== void 0 && credential.originalVerifiableCredential !== null && credential?.originalVerifiableCredential?.compactSdJwtVc !== void 0 && credential?.originalVerifiableCredential?.compactSdJwtVc !== null ? credential.originalVerifiableCredential.compactSdJwtVc : credential.originalVerifiableCredential;
1494
- }, "retrieveEncodedCredential");
1495
- var getSelectableCredentials = /* @__PURE__ */ __name(async (dcqlQuery, context) => {
1923
+ function buildPartialPD(inputDescriptor, presentationDefinition) {
1924
+ return {
1925
+ ...presentationDefinition,
1926
+ input_descriptors: [
1927
+ inputDescriptor
1928
+ ]
1929
+ };
1930
+ }
1931
+ __name(buildPartialPD, "buildPartialPD");
1932
+ var getSelectableCredentials = /* @__PURE__ */ __name(async (presentationDefinition, context) => {
1496
1933
  const agentContext = {
1497
1934
  ...context,
1498
1935
  agent: context.agent
1499
1936
  };
1500
1937
  const { agent } = agentContext;
1938
+ const pex = new import_pex3.PEX();
1501
1939
  const uniqueVerifiableCredentials = await agent.crsGetUniqueCredentials({
1502
- filter: (0, import_ssi_sdk3.verifiableCredentialForRoleFilter)(import_ssi_types6.CredentialRole.HOLDER)
1940
+ filter: (0, import_ssi_sdk5.verifiableCredentialForRoleFilter)(import_ssi_sdk6.CredentialRole.HOLDER)
1503
1941
  });
1504
- const branding = await agent.ibGetCredentialBranding();
1505
- const dcqlCredentialsWithCredentials = new Map(uniqueVerifiableCredentials.map((vc) => [
1506
- convertToDcqlCredentials(vc),
1507
- vc
1508
- ]));
1509
- const queryResult = import_dcql.DcqlQuery.query(dcqlQuery, Array.from(dcqlCredentialsWithCredentials.keys()));
1510
- const uniqueCredentials = Array.from(dcqlCredentialsWithCredentials.values());
1942
+ const credentialBranding = await agent.ibGetCredentialBranding();
1511
1943
  const selectableCredentialsMap = /* @__PURE__ */ new Map();
1512
- for (const [key, value] of Object.entries(queryResult.credential_matches)) {
1513
- if (!value.valid_credentials) {
1514
- continue;
1515
- }
1516
- const mapSelectableCredentialPromises = value.valid_credentials.map(async (cred) => {
1517
- const matchedCredential = uniqueCredentials[cred.input_credential_index];
1518
- const credentialBranding = branding.filter((cb) => cb.vcHash === matchedCredential.hash);
1519
- const issuerPartyIdentity = await agent.cmGetContacts({
1520
- filter: [
1521
- {
1522
- identities: {
1523
- identifier: {
1524
- correlationId: matchedCredential.uniformVerifiableCredential.issuerDid
1944
+ for (const inputDescriptor of presentationDefinition.input_descriptors) {
1945
+ const partialPD = buildPartialPD(inputDescriptor, presentationDefinition);
1946
+ const originalCredentials = uniqueVerifiableCredentials.map((uniqueVC) => {
1947
+ return import_ssi_types6.CredentialMapper.storedCredentialToOriginalFormat(uniqueVC.originalVerifiableCredential);
1948
+ });
1949
+ const selectionResults = pex.selectFrom(partialPD, originalCredentials);
1950
+ const selectableCredentials = [];
1951
+ for (const selectedCredential of selectionResults.verifiableCredential || []) {
1952
+ const filteredUniqueVC = uniqueVerifiableCredentials.find((uniqueVC) => {
1953
+ const proof = uniqueVC.uniformVerifiableCredential.proof;
1954
+ return Array.isArray(proof) ? proof.some((proofItem) => proofItem.jwt === selectedCredential) : proof.jwt === selectedCredential;
1955
+ });
1956
+ if (filteredUniqueVC) {
1957
+ const filteredCredentialBrandings = credentialBranding.filter((cb) => cb.vcHash === filteredUniqueVC.hash);
1958
+ const issuerPartyIdentity = await agent.cmGetContacts({
1959
+ filter: [
1960
+ {
1961
+ identities: {
1962
+ identifier: {
1963
+ correlationId: filteredUniqueVC.uniformVerifiableCredential.issuerDid
1964
+ }
1525
1965
  }
1526
1966
  }
1527
- }
1528
- ]
1529
- });
1530
- const subjectPartyIdentity = await agent.cmGetContacts({
1531
- filter: [
1532
- {
1533
- identities: {
1534
- identifier: {
1535
- correlationId: matchedCredential.uniformVerifiableCredential.subjectDid
1967
+ ]
1968
+ });
1969
+ const subjectPartyIdentity = await agent.cmGetContacts({
1970
+ filter: [
1971
+ {
1972
+ identities: {
1973
+ identifier: {
1974
+ correlationId: filteredUniqueVC.uniformVerifiableCredential.subjectDid
1975
+ }
1536
1976
  }
1537
1977
  }
1538
- }
1539
- ]
1540
- });
1541
- return {
1542
- credential: matchedCredential,
1543
- credentialBranding: credentialBranding[0]?.localeBranding,
1544
- issuerParty: issuerPartyIdentity?.[0],
1545
- subjectParty: subjectPartyIdentity?.[0]
1546
- };
1547
- });
1548
- const selectableCredentials = await Promise.all(mapSelectableCredentialPromises);
1549
- selectableCredentialsMap.set(key, selectableCredentials);
1978
+ ]
1979
+ });
1980
+ selectableCredentials.push({
1981
+ credential: filteredUniqueVC,
1982
+ credentialBranding: filteredCredentialBrandings[0]?.localeBranding,
1983
+ issuerParty: issuerPartyIdentity?.[0],
1984
+ subjectParty: subjectPartyIdentity?.[0]
1985
+ });
1986
+ }
1987
+ }
1988
+ selectableCredentialsMap.set(inputDescriptor.id, selectableCredentials);
1550
1989
  }
1551
1990
  return selectableCredentialsMap;
1552
1991
  }, "getSelectableCredentials");
@@ -1570,7 +2009,7 @@ var translateCorrelationIdToName = /* @__PURE__ */ __name(async (correlationId,
1570
2009
  }, "translateCorrelationIdToName");
1571
2010
 
1572
2011
  // src/agent/DidAuthSiopOpAuthenticator.ts
1573
- var logger4 = import_ssi_types8.Loggers.DEFAULT.options(LOGGER_NAMESPACE, {}).get(LOGGER_NAMESPACE);
2012
+ var logger4 = import_ssi_types7.Loggers.DEFAULT.options(LOGGER_NAMESPACE, {}).get(LOGGER_NAMESPACE);
1574
2013
  var didAuthSiopOpAuthenticatorMethods = [
1575
2014
  "cmGetContacts",
1576
2015
  "cmGetContact",
@@ -1587,7 +2026,7 @@ var DidAuthSiopOpAuthenticator = class {
1587
2026
  static {
1588
2027
  __name(this, "DidAuthSiopOpAuthenticator");
1589
2028
  }
1590
- schema = plugin_schema_default.IDidAuthSiopOpAuthenticator;
2029
+ schema = schema.IDidAuthSiopOpAuthenticator;
1591
2030
  methods = {
1592
2031
  siopGetOPSession: this.siopGetOPSession.bind(this),
1593
2032
  siopRegisterOPSession: this.siopRegisterOPSession.bind(this),
@@ -1730,7 +2169,7 @@ var DidAuthSiopOpAuthenticator = class {
1730
2169
  const url = verifiedAuthorizationRequest.responseURI ?? (args.url.includes("request_uri") ? decodeURIComponent(args.url.split("?request_uri=")[1].trim()) : verifiedAuthorizationRequest.issuer ?? verifiedAuthorizationRequest.registrationMetadataPayload?.client_id);
1731
2170
  const uri = url.includes("://") ? new URL(url) : void 0;
1732
2171
  const correlationId = uri?.hostname ?? await this.determineCorrelationId(uri, verifiedAuthorizationRequest, clientName, context);
1733
- const clientId = verifiedAuthorizationRequest.authorizationRequest.getMergedProperty("client_id");
2172
+ const clientId = await verifiedAuthorizationRequest.authorizationRequest.getMergedProperty("client_id");
1734
2173
  return {
1735
2174
  issuer: verifiedAuthorizationRequest.issuer,
1736
2175
  correlationId,
@@ -1738,6 +2177,7 @@ var DidAuthSiopOpAuthenticator = class {
1738
2177
  uri,
1739
2178
  name: clientName,
1740
2179
  clientId,
2180
+ presentationDefinitions: await verifiedAuthorizationRequest.authorizationRequest.containsResponseType("vp_token") || verifiedAuthorizationRequest.versions.every((version) => version <= import_did_auth_siop5.SupportedVersion.JWT_VC_PRESENTATION_PROFILE_v1) && verifiedAuthorizationRequest.presentationDefinitions && verifiedAuthorizationRequest.presentationDefinitions.length > 0 ? verifiedAuthorizationRequest.presentationDefinitions : void 0,
1741
2181
  dcqlQuery: verifiedAuthorizationRequest.dcqlQuery
1742
2182
  };
1743
2183
  }
@@ -1786,12 +2226,12 @@ var DidAuthSiopOpAuthenticator = class {
1786
2226
  if (correlationId) {
1787
2227
  const identity = {
1788
2228
  alias: correlationId,
1789
- origin: import_ssi_sdk6.IdentityOrigin.EXTERNAL,
2229
+ origin: import_ssi_sdk8.IdentityOrigin.EXTERNAL,
1790
2230
  roles: [
1791
- import_ssi_types8.CredentialRole.ISSUER
2231
+ import_ssi_sdk8.CredentialRole.ISSUER
1792
2232
  ],
1793
2233
  identifier: {
1794
- type: correlationId.startsWith("did:") ? import_ssi_sdk6.CorrelationIdentifierType.DID : import_ssi_sdk6.CorrelationIdentifierType.URL,
2234
+ type: correlationId.startsWith("did:") ? import_ssi_sdk8.CorrelationIdentifierType.DID : import_ssi_sdk8.CorrelationIdentifierType.URL,
1795
2235
  correlationId
1796
2236
  }
1797
2237
  };
@@ -1814,14 +2254,75 @@ var DidAuthSiopOpAuthenticator = class {
1814
2254
  if (authorizationRequestData === void 0) {
1815
2255
  return Promise.reject(Error("Missing authorization request data in context"));
1816
2256
  }
1817
- const response = await siopSendAuthorizationResponse(import_ssi_sdk6.ConnectionType.SIOPv2_OpenID4VP, {
2257
+ const pex = new import_pex4.PEX({
2258
+ hasher: this.hasher
2259
+ });
2260
+ const verifiableCredentialsWithDefinition = [];
2261
+ const dcqlCredentialsWithCredentials = /* @__PURE__ */ new Map();
2262
+ if (Array.isArray(authorizationRequestData.presentationDefinitions) && authorizationRequestData?.presentationDefinitions.length > 0) {
2263
+ try {
2264
+ authorizationRequestData.presentationDefinitions?.forEach((presentationDefinition) => {
2265
+ const { areRequiredCredentialsPresent, verifiableCredential: verifiableCredentials } = pex.selectFrom(presentationDefinition.definition, selectedCredentials.map((udc) => udc.originalVerifiableCredential));
2266
+ if (areRequiredCredentialsPresent !== import_pex4.Status.ERROR && verifiableCredentials) {
2267
+ let uniqueDigitalCredentials = [];
2268
+ uniqueDigitalCredentials = verifiableCredentials.map((vc) => {
2269
+ const hash = typeof vc === "string" ? (0, import_utils.computeEntryHash)(vc.split("~"[0])) : (0, import_utils.computeEntryHash)(vc);
2270
+ const udc = selectedCredentials.find((udc2) => udc2.hash == hash || udc2.originalVerifiableCredential == vc);
2271
+ if (!udc) {
2272
+ throw Error(`UniqueDigitalCredential could not be found in store. Either the credential is not present in the store or the hash is not correct.`);
2273
+ }
2274
+ return udc;
2275
+ });
2276
+ verifiableCredentialsWithDefinition.push({
2277
+ definition: presentationDefinition,
2278
+ credentials: uniqueDigitalCredentials
2279
+ });
2280
+ }
2281
+ });
2282
+ } catch (e) {
2283
+ return Promise.reject(e);
2284
+ }
2285
+ if (verifiableCredentialsWithDefinition.length === 0) {
2286
+ return Promise.reject(Error("None of the selected credentials match any of the presentation definitions."));
2287
+ }
2288
+ } else if (authorizationRequestData.dcqlQuery) {
2289
+ if (this.hasMDocCredentials(selectedCredentials) || this.hasSdJwtCredentials(selectedCredentials)) {
2290
+ try {
2291
+ selectedCredentials.forEach((vc) => {
2292
+ if (this.isSdJwtCredential(vc)) {
2293
+ const payload = vc.originalVerifiableCredential.decodedPayload;
2294
+ const result = {
2295
+ claims: payload,
2296
+ vct: payload.vct,
2297
+ credential_format: "vc+sd-jwt"
2298
+ };
2299
+ dcqlCredentialsWithCredentials.set(result, vc);
2300
+ } else {
2301
+ throw Error(`Invalid credential format: ${vc.digitalCredential.documentFormat}`);
2302
+ }
2303
+ });
2304
+ } catch (e) {
2305
+ return Promise.reject(e);
2306
+ }
2307
+ const dcqlPresentationRecord = {};
2308
+ const queryResult = import_dcql3.DcqlQuery.query(authorizationRequestData.dcqlQuery, Array.from(dcqlCredentialsWithCredentials.keys()));
2309
+ for (const [key, value] of Object.entries(queryResult.credential_matches)) {
2310
+ if (value.success) {
2311
+ dcqlPresentationRecord[key] = this.retrieveEncodedCredential(dcqlCredentialsWithCredentials.get(value.output));
2312
+ }
2313
+ }
2314
+ }
2315
+ }
2316
+ const response = await siopSendAuthorizationResponse(import_ssi_sdk8.ConnectionType.SIOPv2_OpenID4VP, {
1818
2317
  sessionId: didAuthConfig.sessionId,
1819
2318
  ...args.idOpts && {
1820
2319
  idOpts: args.idOpts
1821
2320
  },
2321
+ ...authorizationRequestData.presentationDefinitions !== void 0 && {
2322
+ verifiableCredentialsWithDefinition
2323
+ },
1822
2324
  isFirstParty,
1823
- hasher: this.hasher,
1824
- credentials: selectedCredentials
2325
+ hasher: this.hasher
1825
2326
  }, context);
1826
2327
  const contentType = response.headers.get("content-type") || "";
1827
2328
  let responseBody = null;
@@ -1835,21 +2336,39 @@ var DidAuthSiopOpAuthenticator = class {
1835
2336
  queryParams: (0, import_did_auth_siop5.decodeUriAsJson)(response?.url)
1836
2337
  };
1837
2338
  }
2339
+ hasMDocCredentials = /* @__PURE__ */ __name((credentials) => {
2340
+ return credentials.some(this.isMDocCredential);
2341
+ }, "hasMDocCredentials");
2342
+ isMDocCredential = /* @__PURE__ */ __name((credential) => {
2343
+ return credential.digitalCredential.documentFormat === import_ssi_sdk8.CredentialDocumentFormat.MSO_MDOC && credential.digitalCredential.documentType === import_ssi_sdk8.DocumentType.VC;
2344
+ }, "isMDocCredential");
2345
+ hasSdJwtCredentials = /* @__PURE__ */ __name((credentials) => {
2346
+ return credentials.some(this.isSdJwtCredential);
2347
+ }, "hasSdJwtCredentials");
2348
+ isSdJwtCredential = /* @__PURE__ */ __name((credential) => {
2349
+ return credential.digitalCredential.documentFormat === import_ssi_sdk8.CredentialDocumentFormat.SD_JWT && credential.digitalCredential.documentType === import_ssi_sdk8.DocumentType.VC;
2350
+ }, "isSdJwtCredential");
2351
+ retrieveEncodedCredential = /* @__PURE__ */ __name((credential) => {
2352
+ return credential.originalVerifiableCredential !== void 0 && credential.originalVerifiableCredential !== null && credential?.originalVerifiableCredential?.compactSdJwtVc !== void 0 && credential?.originalVerifiableCredential?.compactSdJwtVc !== null ? credential.originalVerifiableCredential.compactSdJwtVc : credential.originalVerifiableCredential;
2353
+ }, "retrieveEncodedCredential");
1838
2354
  async siopGetSelectableCredentials(args, context) {
1839
2355
  const { authorizationRequestData } = args;
1840
- if (!authorizationRequestData?.dcqlQuery) {
1841
- return Promise.reject(Error("Missing required dcql query in context"));
2356
+ if (!authorizationRequestData || !authorizationRequestData.presentationDefinitions || authorizationRequestData.presentationDefinitions.length === 0) {
2357
+ return Promise.reject(Error("Missing required fields in arguments or context"));
1842
2358
  }
1843
- return getSelectableCredentials(authorizationRequestData?.dcqlQuery, context);
2359
+ if (authorizationRequestData.presentationDefinitions.length > 1) {
2360
+ return Promise.reject(Error("Multiple presentation definitions present"));
2361
+ }
2362
+ return getSelectableCredentials(authorizationRequestData.presentationDefinitions[0].definition, context);
1844
2363
  }
1845
2364
  };
1846
2365
 
1847
2366
  // src/machine/CallbackStateListener.ts
1848
- var import_ssi_types9 = require("@sphereon/ssi-types");
1849
- var logger5 = import_ssi_types9.Loggers.DEFAULT.options("sphereon:siopv2-oid4vp:op-auth", {
1850
- defaultLogLevel: import_ssi_types9.LogLevel.DEBUG,
2367
+ var import_ssi_types8 = require("@sphereon/ssi-types");
2368
+ var logger5 = import_ssi_types8.Loggers.DEFAULT.options("sphereon:siopv2-oid4vp:op-auth", {
2369
+ defaultLogLevel: import_ssi_types8.LogLevel.DEBUG,
1851
2370
  methods: [
1852
- import_ssi_types9.LogMethod.CONSOLE
2371
+ import_ssi_types8.LogMethod.CONSOLE
1853
2372
  ]
1854
2373
  }).get("sphereon:siopv2-oid4vp:op-auth");
1855
2374
  var OID4VPCallbackStateListener = /* @__PURE__ */ __name((callbacks) => {
@@ -1879,12 +2398,12 @@ var OID4VPCallbackStateListener = /* @__PURE__ */ __name((callbacks) => {
1879
2398
  }, "OID4VPCallbackStateListener");
1880
2399
 
1881
2400
  // src/link-handler/index.ts
1882
- var import_ssi_sdk7 = require("@sphereon/ssi-sdk.agent-config");
1883
- var import_ssi_sdk8 = require("@sphereon/ssi-sdk.core");
1884
- var import_ssi_sdk9 = require("@sphereon/ssi-sdk.xstate-machine-persistence");
1885
- var import_ssi_types10 = require("@sphereon/ssi-types");
1886
- var logger6 = import_ssi_types10.Loggers.DEFAULT.options(LOGGER_NAMESPACE, {}).get(LOGGER_NAMESPACE);
1887
- var Siopv2OID4VPLinkHandler = class extends import_ssi_sdk8.LinkHandlerAdapter {
2401
+ var import_ssi_sdk9 = require("@sphereon/ssi-sdk.agent-config");
2402
+ var import_ssi_sdk10 = require("@sphereon/ssi-sdk.core");
2403
+ var import_ssi_sdk11 = require("@sphereon/ssi-sdk.xstate-machine-persistence");
2404
+ var import_ssi_types9 = require("@sphereon/ssi-types");
2405
+ var logger6 = import_ssi_types9.Loggers.DEFAULT.options(LOGGER_NAMESPACE, {}).get(LOGGER_NAMESPACE);
2406
+ var Siopv2OID4VPLinkHandler = class extends import_ssi_sdk10.LinkHandlerAdapter {
1888
2407
  static {
1889
2408
  __name(this, "Siopv2OID4VPLinkHandler");
1890
2409
  }
@@ -1910,8 +2429,8 @@ var Siopv2OID4VPLinkHandler = class extends import_ssi_sdk8.LinkHandlerAdapter {
1910
2429
  stateNavigationListener: this.stateNavigationListener
1911
2430
  });
1912
2431
  const interpreter = siopv2Machine.interpreter;
1913
- if (!this.noStateMachinePersistence && !opts?.machineState && (0, import_ssi_sdk7.contextHasPlugin)(this.context, "machineStatesFindActive")) {
1914
- const init = await (0, import_ssi_sdk9.interpreterStartOrResume)({
2432
+ if (!this.noStateMachinePersistence && !opts?.machineState && (0, import_ssi_sdk9.contextHasPlugin)(this.context, "machineStatesFindActive")) {
2433
+ const init = await (0, import_ssi_sdk11.interpreterStartOrResume)({
1915
2434
  interpreter,
1916
2435
  context: this.context,
1917
2436
  cleanupAllOtherInstances: true,
@@ -1926,4 +2445,7 @@ var Siopv2OID4VPLinkHandler = class extends import_ssi_sdk8.LinkHandlerAdapter {
1926
2445
  }
1927
2446
  }
1928
2447
  };
2448
+
2449
+ // src/index.ts
2450
+ var schema = require_plugin_schema();
1929
2451
  //# sourceMappingURL=index.cjs.map