@sphereon/ssi-sdk.siopv2-oid4vp-op-auth 0.34.1-feature.SSISDK.45.94 → 0.34.1-feature.SSISDK.46.40

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (18) hide show
  1. package/dist/index.cjs +1095 -573
  2. package/dist/index.cjs.map +1 -1
  3. package/dist/index.d.cts +111 -709
  4. package/dist/index.d.ts +111 -709
  5. package/dist/index.js +1043 -521
  6. package/dist/index.js.map +1 -1
  7. package/package.json +25 -24
  8. package/src/agent/DidAuthSiopOpAuthenticator.ts +144 -9
  9. package/src/index.ts +1 -2
  10. package/src/machine/Siopv2Machine.ts +4 -4
  11. package/src/services/Siopv2MachineService.ts +265 -133
  12. package/src/session/OID4VP.ts +299 -310
  13. package/src/session/OpSession.ts +114 -22
  14. package/src/types/IDidAuthSiopOpAuthenticator.ts +58 -5
  15. package/src/types/identifier/index.ts +4 -0
  16. package/src/types/siop-service/index.ts +3 -1
  17. package/src/utils/CredentialUtils.ts +39 -1
  18. package/src/utils/dcql.ts +19 -21
package/dist/index.js CHANGED
@@ -35,340 +35,344 @@ var require_nl = __commonJS({
35
35
  });
36
36
 
37
37
  // plugin.schema.json
38
- var plugin_schema_default = {
39
- IDidAuthSiopOpAuthenticator: {
40
- components: {
41
- schemas: {
42
- IGetSiopSessionArgs: {
43
- type: "object",
44
- properties: {
45
- sessionId: {
46
- type: "string"
38
+ var require_plugin_schema = __commonJS({
39
+ "plugin.schema.json"(exports, module) {
40
+ module.exports = {
41
+ IDidAuthSiopOpAuthenticator: {
42
+ components: {
43
+ schemas: {
44
+ IGetSiopSessionArgs: {
45
+ type: "object",
46
+ properties: {
47
+ sessionId: {
48
+ type: "string"
49
+ },
50
+ additionalProperties: false
51
+ },
52
+ required: ["sessionId"],
53
+ description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.getSessionForSiop } "
47
54
  },
48
- additionalProperties: false
49
- },
50
- required: ["sessionId"],
51
- description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.getSessionForSiop } "
52
- },
53
- IRegisterSiopSessionArgs: {
54
- type: "object",
55
- properties: {
56
- identifier: {
55
+ IRegisterSiopSessionArgs: {
57
56
  type: "object",
58
57
  properties: {
59
- did: {
58
+ identifier: {
59
+ type: "object",
60
+ properties: {
61
+ did: {
62
+ type: "string"
63
+ },
64
+ alias: {
65
+ type: "string"
66
+ },
67
+ provider: {
68
+ type: "string"
69
+ },
70
+ controllerKeyId: {
71
+ type: "string"
72
+ },
73
+ keys: {
74
+ type: "array",
75
+ items: {
76
+ type: "object",
77
+ properties: {
78
+ additionalProperties: true
79
+ }
80
+ }
81
+ },
82
+ services: {
83
+ type: "array",
84
+ items: {
85
+ type: "object",
86
+ properties: {
87
+ additionalProperties: true
88
+ }
89
+ }
90
+ }
91
+ },
92
+ additionalProperties: false,
93
+ required: ["did", "provider", "keys", "services"]
94
+ },
95
+ sessionId: {
60
96
  type: "string"
61
97
  },
62
- alias: {
98
+ expiresIn: {
99
+ type: "number"
100
+ },
101
+ additionalProperties: false
102
+ },
103
+ required: ["identifier"],
104
+ description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.registerSessionForSiop } "
105
+ },
106
+ IRemoveSiopSessionArgs: {
107
+ type: "object",
108
+ properties: {
109
+ sessionId: {
63
110
  type: "string"
64
111
  },
65
- provider: {
112
+ additionalProperties: false
113
+ },
114
+ required: ["sessionId"],
115
+ description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.removeSessionForSiop } "
116
+ },
117
+ IAuthenticateWithSiopArgs: {
118
+ type: "object",
119
+ properties: {
120
+ sessionId: {
66
121
  type: "string"
67
122
  },
68
- controllerKeyId: {
123
+ stateId: {
69
124
  type: "string"
70
125
  },
71
- keys: {
72
- type: "array",
73
- items: {
74
- type: "object",
75
- properties: {
76
- additionalProperties: true
77
- }
78
- }
126
+ redirectUrl: {
127
+ type: "string"
79
128
  },
80
- services: {
81
- type: "array",
82
- items: {
83
- type: "object",
84
- properties: {
85
- additionalProperties: true
86
- }
87
- }
88
- }
129
+ additionalProperties: false
89
130
  },
90
- additionalProperties: false,
91
- required: ["did", "provider", "keys", "services"]
131
+ required: ["sessionId", "stateId", "redirectUrl"],
132
+ description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.authenticateWithSiop } "
92
133
  },
93
- sessionId: {
94
- type: "string"
95
- },
96
- expiresIn: {
97
- type: "number"
98
- },
99
- additionalProperties: false
100
- },
101
- required: ["identifier"],
102
- description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.registerSessionForSiop } "
103
- },
104
- IRemoveSiopSessionArgs: {
105
- type: "object",
106
- properties: {
107
- sessionId: {
108
- type: "string"
109
- },
110
- additionalProperties: false
111
- },
112
- required: ["sessionId"],
113
- description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.removeSessionForSiop } "
114
- },
115
- IAuthenticateWithSiopArgs: {
116
- type: "object",
117
- properties: {
118
- sessionId: {
119
- type: "string"
120
- },
121
- stateId: {
122
- type: "string"
123
- },
124
- redirectUrl: {
125
- type: "string"
126
- },
127
- additionalProperties: false
128
- },
129
- required: ["sessionId", "stateId", "redirectUrl"],
130
- description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.authenticateWithSiop } "
131
- },
132
- IResponse: {
133
- type: "object",
134
- properties: {
135
- status: {
136
- type: "number"
137
- },
138
- additionalProperties: true
139
- },
140
- required: ["status"],
141
- description: "Result of {@link DidAuthSiopOpAuthenticator.authenticateWithSiop & DidAuthSiopOpAuthenticator.sendSiopAuthenticationResponse } "
142
- },
143
- IGetSiopAuthenticationRequestFromRpArgs: {
144
- type: "object",
145
- properties: {
146
- sessionId: {
147
- type: "string"
148
- },
149
- stateId: {
150
- type: "string"
151
- },
152
- redirectUrl: {
153
- type: "string"
154
- },
155
- additionalProperties: false
156
- },
157
- required: ["sessionId", "stateId", "redirectUrl"],
158
- description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.getSiopAuthenticationRequestFromRP } "
159
- },
160
- ParsedAuthenticationRequestURI: {
161
- type: "object",
162
- properties: {
163
- jwt: {
164
- type: "string"
165
- },
166
- requestPayload: {
134
+ IResponse: {
167
135
  type: "object",
168
136
  properties: {
137
+ status: {
138
+ type: "number"
139
+ },
169
140
  additionalProperties: true
170
- }
141
+ },
142
+ required: ["status"],
143
+ description: "Result of {@link DidAuthSiopOpAuthenticator.authenticateWithSiop & DidAuthSiopOpAuthenticator.sendSiopAuthenticationResponse } "
171
144
  },
172
- registration: {
145
+ IGetSiopAuthenticationRequestFromRpArgs: {
173
146
  type: "object",
174
147
  properties: {
175
- additionalProperties: true
176
- }
177
- },
178
- additionalProperties: false
179
- },
180
- required: ["jwt", "requestPayload", "registration"],
181
- description: "Result of {@link DidAuthSiopOpAuthenticator.getSiopAuthenticationRequestFromRP } "
182
- },
183
- IGetSiopAuthenticationRequestDetailsArgs: {
184
- type: "object",
185
- properties: {
186
- sessionId: {
187
- type: "string"
148
+ sessionId: {
149
+ type: "string"
150
+ },
151
+ stateId: {
152
+ type: "string"
153
+ },
154
+ redirectUrl: {
155
+ type: "string"
156
+ },
157
+ additionalProperties: false
158
+ },
159
+ required: ["sessionId", "stateId", "redirectUrl"],
160
+ description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.getSiopAuthenticationRequestFromRP } "
188
161
  },
189
- verifiedAuthenticationRequest: {
162
+ ParsedAuthenticationRequestURI: {
190
163
  type: "object",
191
164
  properties: {
192
- additionalProperties: true
193
- }
165
+ jwt: {
166
+ type: "string"
167
+ },
168
+ requestPayload: {
169
+ type: "object",
170
+ properties: {
171
+ additionalProperties: true
172
+ }
173
+ },
174
+ registration: {
175
+ type: "object",
176
+ properties: {
177
+ additionalProperties: true
178
+ }
179
+ },
180
+ additionalProperties: false
181
+ },
182
+ required: ["jwt", "requestPayload", "registration"],
183
+ description: "Result of {@link DidAuthSiopOpAuthenticator.getSiopAuthenticationRequestFromRP } "
194
184
  },
195
- credentialFilter: {
185
+ IGetSiopAuthenticationRequestDetailsArgs: {
196
186
  type: "object",
197
187
  properties: {
198
- additionalProperties: true
199
- }
200
- },
201
- additionalProperties: false
202
- },
203
- required: ["sessionId", "verifiedAuthenticationRequest"],
204
- description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.getSiopAuthenticationRequestDetails } "
205
- },
206
- IAuthRequestDetails: {
207
- type: "object",
208
- properties: {
209
- id: {
210
- type: "string"
211
- },
212
- alsoKnownAs: {
213
- type: "array",
214
- items: {
215
- type: "string"
216
- }
188
+ sessionId: {
189
+ type: "string"
190
+ },
191
+ verifiedAuthenticationRequest: {
192
+ type: "object",
193
+ properties: {
194
+ additionalProperties: true
195
+ }
196
+ },
197
+ credentialFilter: {
198
+ type: "object",
199
+ properties: {
200
+ additionalProperties: true
201
+ }
202
+ },
203
+ additionalProperties: false
204
+ },
205
+ required: ["sessionId", "verifiedAuthenticationRequest"],
206
+ description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.getSiopAuthenticationRequestDetails } "
217
207
  },
218
- vpResponseOpts: {
208
+ IAuthRequestDetails: {
219
209
  type: "object",
220
210
  properties: {
221
- additionalProperties: true
222
- }
223
- },
224
- additionalProperties: false
225
- },
226
- required: ["id", "vpResponseOpts"],
227
- description: "Result of {@link DidAuthSiopOpAuthenticator.getSiopAuthenticationRequestDetails } "
228
- },
229
- IVerifySiopAuthenticationRequestUriArgs: {
230
- type: "object",
231
- properties: {
232
- sessionId: {
233
- type: "string"
211
+ id: {
212
+ type: "string"
213
+ },
214
+ alsoKnownAs: {
215
+ type: "array",
216
+ items: {
217
+ type: "string"
218
+ }
219
+ },
220
+ vpResponseOpts: {
221
+ type: "object",
222
+ properties: {
223
+ additionalProperties: true
224
+ }
225
+ },
226
+ additionalProperties: false
227
+ },
228
+ required: ["id", "vpResponseOpts"],
229
+ description: "Result of {@link DidAuthSiopOpAuthenticator.getSiopAuthenticationRequestDetails } "
234
230
  },
235
- ParsedAuthenticationRequestURI: {
231
+ IVerifySiopAuthenticationRequestUriArgs: {
236
232
  type: "object",
237
233
  properties: {
238
- additionalProperties: true
239
- }
234
+ sessionId: {
235
+ type: "string"
236
+ },
237
+ ParsedAuthenticationRequestURI: {
238
+ type: "object",
239
+ properties: {
240
+ additionalProperties: true
241
+ }
242
+ },
243
+ additionalProperties: false
244
+ },
245
+ required: ["sessionId", "ParsedAuthenticationRequestURI"],
246
+ description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.verifySiopAuthenticationRequestURI } "
240
247
  },
241
- additionalProperties: false
242
- },
243
- required: ["sessionId", "ParsedAuthenticationRequestURI"],
244
- description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.verifySiopAuthenticationRequestURI } "
245
- },
246
- VerifiedAuthorizationRequest: {
247
- type: "object",
248
- properties: {
249
- payload: {
248
+ VerifiedAuthorizationRequest: {
250
249
  type: "object",
251
250
  properties: {
252
- additionalProperties: true
253
- }
251
+ payload: {
252
+ type: "object",
253
+ properties: {
254
+ additionalProperties: true
255
+ }
256
+ },
257
+ presentationDefinitions: {
258
+ type: "object",
259
+ properties: {
260
+ additionalProperties: true
261
+ }
262
+ },
263
+ verifyOpts: {
264
+ type: "object",
265
+ properties: {
266
+ additionalProperties: true
267
+ }
268
+ },
269
+ additionalProperties: false
270
+ },
271
+ required: ["payload", "verifyOpts"],
272
+ description: "Result of {@link DidAuthSiopOpAuthenticator.verifySiopAuthenticationRequestURI } "
254
273
  },
255
- presentationDefinitions: {
274
+ ISendSiopAuthenticationResponseArgs: {
256
275
  type: "object",
257
276
  properties: {
258
- additionalProperties: true
259
- }
277
+ sessionId: {
278
+ type: "string"
279
+ },
280
+ verifiedAuthenticationRequest: {
281
+ type: "object",
282
+ properties: {
283
+ additionalProperties: true
284
+ }
285
+ },
286
+ verifiablePresentationResponse: {
287
+ type: "object",
288
+ properties: {
289
+ additionalProperties: true
290
+ }
291
+ },
292
+ additionalProperties: false
293
+ },
294
+ required: ["sessionId", "verifiedAuthenticationRequest"],
295
+ description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.sendSiopAuthenticationResponse } "
296
+ }
297
+ },
298
+ methods: {
299
+ getSessionForSiop: {
300
+ description: "Get SIOP session",
301
+ arguments: {
302
+ $ref: "#/components/schemas/IGetSiopSessionArgs"
303
+ },
304
+ returnType: "object"
260
305
  },
261
- verifyOpts: {
262
- type: "object",
263
- properties: {
264
- additionalProperties: true
306
+ registerSessionForSiop: {
307
+ description: "Register SIOP session",
308
+ arguments: {
309
+ $ref: "#/components/schemas/IRegisterSiopSessionArgs"
310
+ },
311
+ returnType: "object"
312
+ },
313
+ removeSessionForSiop: {
314
+ description: "Remove SIOP session",
315
+ arguments: {
316
+ $ref: "#/components/schemas/IRemoveSiopSessionArgs"
317
+ },
318
+ returnType: "boolean"
319
+ },
320
+ authenticateWithSiop: {
321
+ description: "Authenticate using DID Auth SIOP",
322
+ arguments: {
323
+ $ref: "#/components/schemas/IAuthenticateWithSiopArgs"
324
+ },
325
+ returnType: {
326
+ $ref: "#/components/schemas/Response"
265
327
  }
266
328
  },
267
- additionalProperties: false
268
- },
269
- required: ["payload", "verifyOpts"],
270
- description: "Result of {@link DidAuthSiopOpAuthenticator.verifySiopAuthenticationRequestURI } "
271
- },
272
- ISendSiopAuthenticationResponseArgs: {
273
- type: "object",
274
- properties: {
275
- sessionId: {
276
- type: "string"
329
+ getSiopAuthenticationRequestFromRP: {
330
+ description: "Get authentication request from RP",
331
+ arguments: {
332
+ $ref: "#/components/schemas/IGetSiopAuthenticationRequestFromRpArgs"
333
+ },
334
+ returnType: {
335
+ $ref: "#/components/schemas/ParsedAuthenticationRequestURI"
336
+ }
277
337
  },
278
- verifiedAuthenticationRequest: {
279
- type: "object",
280
- properties: {
281
- additionalProperties: true
338
+ getSiopAuthenticationRequestDetails: {
339
+ description: "Get authentication request details",
340
+ arguments: {
341
+ $ref: "#/components/schemas/IGetSiopAuthenticationRequestDetailsArgs"
342
+ },
343
+ returnType: {
344
+ $ref: "#/components/schemas/IAuthRequestDetails"
282
345
  }
283
346
  },
284
- verifiablePresentationResponse: {
285
- type: "object",
286
- properties: {
287
- additionalProperties: true
347
+ verifySiopAuthenticationRequestURI: {
348
+ description: "Verify authentication request URI",
349
+ arguments: {
350
+ $ref: "#/components/schemas/IVerifySiopAuthenticationRequestUriArgs"
351
+ },
352
+ returnType: {
353
+ $ref: "#/components/schemas/VerifiedAuthorizationRequest"
288
354
  }
289
355
  },
290
- additionalProperties: false
291
- },
292
- required: ["sessionId", "verifiedAuthenticationRequest"],
293
- description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.sendSiopAuthenticationResponse } "
294
- }
295
- },
296
- methods: {
297
- getSessionForSiop: {
298
- description: "Get SIOP session",
299
- arguments: {
300
- $ref: "#/components/schemas/IGetSiopSessionArgs"
301
- },
302
- returnType: "object"
303
- },
304
- registerSessionForSiop: {
305
- description: "Register SIOP session",
306
- arguments: {
307
- $ref: "#/components/schemas/IRegisterSiopSessionArgs"
308
- },
309
- returnType: "object"
310
- },
311
- removeSessionForSiop: {
312
- description: "Remove SIOP session",
313
- arguments: {
314
- $ref: "#/components/schemas/IRemoveSiopSessionArgs"
315
- },
316
- returnType: "boolean"
317
- },
318
- authenticateWithSiop: {
319
- description: "Authenticate using DID Auth SIOP",
320
- arguments: {
321
- $ref: "#/components/schemas/IAuthenticateWithSiopArgs"
322
- },
323
- returnType: {
324
- $ref: "#/components/schemas/Response"
325
- }
326
- },
327
- getSiopAuthenticationRequestFromRP: {
328
- description: "Get authentication request from RP",
329
- arguments: {
330
- $ref: "#/components/schemas/IGetSiopAuthenticationRequestFromRpArgs"
331
- },
332
- returnType: {
333
- $ref: "#/components/schemas/ParsedAuthenticationRequestURI"
334
- }
335
- },
336
- getSiopAuthenticationRequestDetails: {
337
- description: "Get authentication request details",
338
- arguments: {
339
- $ref: "#/components/schemas/IGetSiopAuthenticationRequestDetailsArgs"
340
- },
341
- returnType: {
342
- $ref: "#/components/schemas/IAuthRequestDetails"
343
- }
344
- },
345
- verifySiopAuthenticationRequestURI: {
346
- description: "Verify authentication request URI",
347
- arguments: {
348
- $ref: "#/components/schemas/IVerifySiopAuthenticationRequestUriArgs"
349
- },
350
- returnType: {
351
- $ref: "#/components/schemas/VerifiedAuthorizationRequest"
352
- }
353
- },
354
- sendSiopAuthenticationResponse: {
355
- description: "Send authentication response",
356
- arguments: {
357
- $ref: "#/components/schemas/ISendSiopAuthenticationResponseArgs"
358
- },
359
- returnType: {
360
- $ref: "#/components/schemas/IRequiredContext"
356
+ sendSiopAuthenticationResponse: {
357
+ description: "Send authentication response",
358
+ arguments: {
359
+ $ref: "#/components/schemas/ISendSiopAuthenticationResponseArgs"
360
+ },
361
+ returnType: {
362
+ $ref: "#/components/schemas/IRequiredContext"
363
+ }
364
+ }
361
365
  }
362
366
  }
363
367
  }
364
- }
368
+ };
365
369
  }
366
- };
370
+ });
367
371
 
368
372
  // src/agent/DidAuthSiopOpAuthenticator.ts
369
- import { decodeUriAsJson } from "@sphereon/did-auth-siop";
370
- import { ConnectionType as ConnectionType2, CorrelationIdentifierType, IdentityOrigin } from "@sphereon/ssi-sdk.data-store";
371
- import { Loggers as Loggers4, CredentialRole as CredentialRole2 } from "@sphereon/ssi-types";
373
+ import { decodeUriAsJson, SupportedVersion as SupportedVersion3 } from "@sphereon/did-auth-siop";
374
+ import { ConnectionType as ConnectionType2, CorrelationIdentifierType, CredentialDocumentFormat, CredentialRole as CredentialRole2, DocumentType, IdentityOrigin } from "@sphereon/ssi-sdk.data-store";
375
+ import { Loggers as Loggers4 } from "@sphereon/ssi-types";
372
376
  import { v4 as uuidv4 } from "uuid";
373
377
 
374
378
  // src/session/functions.ts
@@ -524,15 +528,104 @@ function getSigningAlgo(type) {
524
528
  }
525
529
  __name(getSigningAlgo, "getSigningAlgo");
526
530
 
531
+ // src/session/OID4VP.ts
532
+ import { PresentationExchange } from "@sphereon/did-auth-siop";
533
+ import { Status } from "@sphereon/pex";
534
+ import { isManagedIdentifierDidResult, isOID4VCIssuerIdentifier } from "@sphereon/ssi-sdk-ext.identifier-resolution";
535
+ import { defaultHasher } from "@sphereon/ssi-sdk.core";
536
+ import { verifiableCredentialForRoleFilter } from "@sphereon/ssi-sdk.credential-store";
537
+
538
+ // src/types/IDidAuthSiopOpAuthenticator.ts
539
+ var LOGGER_NAMESPACE = "sphereon:siopv2-oid4vp:op-auth";
540
+ var events = /* @__PURE__ */ (function(events2) {
541
+ events2["DID_SIOP_AUTHENTICATED"] = "didSiopAuthenticated";
542
+ return events2;
543
+ })({});
544
+ var DEFAULT_JWT_PROOF_TYPE = "JwtProof2020";
545
+
546
+ // src/types/siop-service/index.ts
547
+ var Siopv2HolderEvent = /* @__PURE__ */ (function(Siopv2HolderEvent2) {
548
+ Siopv2HolderEvent2["CONTACT_IDENTITY_CREATED"] = "contact_identity_created";
549
+ Siopv2HolderEvent2["IDENTIFIER_CREATED"] = "identifier_created";
550
+ return Siopv2HolderEvent2;
551
+ })({});
552
+ var SupportedLanguage = /* @__PURE__ */ (function(SupportedLanguage2) {
553
+ SupportedLanguage2["ENGLISH"] = "en";
554
+ SupportedLanguage2["DUTCH"] = "nl";
555
+ return SupportedLanguage2;
556
+ })({});
557
+
558
+ // src/types/machine/index.ts
559
+ var Siopv2MachineStates = /* @__PURE__ */ (function(Siopv2MachineStates2) {
560
+ Siopv2MachineStates2["createConfig"] = "createConfig";
561
+ Siopv2MachineStates2["getSiopRequest"] = "getSiopRequest";
562
+ Siopv2MachineStates2["getSelectableCredentials"] = "getSelectableCredentials";
563
+ Siopv2MachineStates2["retrieveContact"] = "retrieveContact";
564
+ Siopv2MachineStates2["transitionFromSetup"] = "transitionFromSetup";
565
+ Siopv2MachineStates2["addContact"] = "addContact";
566
+ Siopv2MachineStates2["addContactIdentity"] = "addContactIdentity";
567
+ Siopv2MachineStates2["selectCredentials"] = "selectCredentials";
568
+ Siopv2MachineStates2["sendResponse"] = "sendResponse";
569
+ Siopv2MachineStates2["handleError"] = "handleError";
570
+ Siopv2MachineStates2["aborted"] = "aborted";
571
+ Siopv2MachineStates2["declined"] = "declined";
572
+ Siopv2MachineStates2["error"] = "error";
573
+ Siopv2MachineStates2["done"] = "done";
574
+ return Siopv2MachineStates2;
575
+ })({});
576
+ var Siopv2MachineAddContactStates = /* @__PURE__ */ (function(Siopv2MachineAddContactStates2) {
577
+ Siopv2MachineAddContactStates2["idle"] = "idle";
578
+ Siopv2MachineAddContactStates2["executing"] = "executing";
579
+ Siopv2MachineAddContactStates2["next"] = "next";
580
+ return Siopv2MachineAddContactStates2;
581
+ })({});
582
+ var Siopv2MachineEvents = /* @__PURE__ */ (function(Siopv2MachineEvents2) {
583
+ Siopv2MachineEvents2["NEXT"] = "NEXT";
584
+ Siopv2MachineEvents2["PREVIOUS"] = "PREVIOUS";
585
+ Siopv2MachineEvents2["DECLINE"] = "DECLINE";
586
+ Siopv2MachineEvents2["SET_CONTACT_ALIAS"] = "SET_CONTACT_ALIAS";
587
+ Siopv2MachineEvents2["SET_CONTACT_CONSENT"] = "SET_CONTACT_CONSENT";
588
+ Siopv2MachineEvents2["CREATE_CONTACT"] = "CREATE_CONTACT";
589
+ Siopv2MachineEvents2["SET_SELECTED_CREDENTIALS"] = "SET_SELECTED_CREDENTIALS";
590
+ return Siopv2MachineEvents2;
591
+ })({});
592
+ var Siopv2MachineGuards = /* @__PURE__ */ (function(Siopv2MachineGuards2) {
593
+ Siopv2MachineGuards2["hasNoContactGuard"] = "Siopv2HasNoContactGuard";
594
+ Siopv2MachineGuards2["createContactGuard"] = "Siopv2CreateContactGuard";
595
+ Siopv2MachineGuards2["hasContactGuard"] = "Siopv2HasContactGuard";
596
+ Siopv2MachineGuards2["hasAuthorizationRequestGuard"] = "Siopv2HasAuthorizationRequestGuard";
597
+ Siopv2MachineGuards2["hasSelectableCredentialsAndContactGuard"] = "Siopv2HasSelectableCredentialsAndContactGuard";
598
+ Siopv2MachineGuards2["hasSelectedRequiredCredentialsGuard"] = "Siopv2HasSelectedRequiredCredentialsGuard";
599
+ Siopv2MachineGuards2["siopOnlyGuard"] = "Siopv2IsSiopOnlyGuard";
600
+ Siopv2MachineGuards2["siopWithOID4VPGuard"] = "Siopv2IsSiopWithOID4VPGuard";
601
+ return Siopv2MachineGuards2;
602
+ })({});
603
+ var Siopv2MachineServices = /* @__PURE__ */ (function(Siopv2MachineServices2) {
604
+ Siopv2MachineServices2["getSiopRequest"] = "getSiopRequest";
605
+ Siopv2MachineServices2["getSelectableCredentials"] = "getSelectableCredentials";
606
+ Siopv2MachineServices2["retrieveContact"] = "retrieveContact";
607
+ Siopv2MachineServices2["addContactIdentity"] = "addContactIdentity";
608
+ Siopv2MachineServices2["sendResponse"] = "sendResponse";
609
+ Siopv2MachineServices2["createConfig"] = "createConfig";
610
+ return Siopv2MachineServices2;
611
+ })({});
612
+
613
+ // src/types/identifier/index.ts
614
+ var DID_PREFIX = "did";
615
+
527
616
  // src/session/OID4VP.ts
528
617
  var OID4VP = class _OID4VP {
529
618
  static {
530
619
  __name(this, "OID4VP");
531
620
  }
532
- //private readonly session: OpSession
533
- // private readonly allIdentifiers: string[]
534
- // private readonly hasher?: HasherSync
621
+ session;
622
+ allIdentifiers;
623
+ hasher;
535
624
  constructor(args) {
625
+ const { session, allIdentifiers, hasher = defaultHasher } = args;
626
+ this.session = session;
627
+ this.allIdentifiers = allIdentifiers ?? [];
628
+ this.hasher = hasher;
536
629
  }
537
630
  static async init(session, allIdentifiers, hasher) {
538
631
  return new _OID4VP({
@@ -541,14 +634,184 @@ var OID4VP = class _OID4VP {
541
634
  hasher
542
635
  });
543
636
  }
637
+ async getPresentationDefinitions() {
638
+ const definitions = await this.session.getPresentationDefinitions();
639
+ if (definitions) {
640
+ PresentationExchange.assertValidPresentationDefinitionWithLocations(definitions);
641
+ }
642
+ return definitions;
643
+ }
644
+ getPresentationExchange(args) {
645
+ const { verifiableCredentials, allIdentifiers, hasher } = args;
646
+ return new PresentationExchange({
647
+ allDIDs: allIdentifiers ?? this.allIdentifiers,
648
+ allVerifiableCredentials: verifiableCredentials,
649
+ hasher: hasher ?? this.hasher
650
+ });
651
+ }
652
+ async createVerifiablePresentations(credentialRole, credentialsWithDefinitions, opts) {
653
+ return await Promise.all(credentialsWithDefinitions.map((cred) => this.createVerifiablePresentation(credentialRole, cred, opts)));
654
+ }
655
+ async createVerifiablePresentation(credentialRole, selectedVerifiableCredentials, opts) {
656
+ const { subjectIsHolder, holder, forceNoCredentialsInVP = false } = {
657
+ ...opts
658
+ };
659
+ if (subjectIsHolder && holder) {
660
+ throw Error("Cannot both have subject is holder and a holderDID value at the same time (programming error)");
661
+ }
662
+ if (forceNoCredentialsInVP) {
663
+ selectedVerifiableCredentials.credentials = [];
664
+ } else if (!selectedVerifiableCredentials?.credentials || selectedVerifiableCredentials.credentials.length === 0) {
665
+ throw Error("No verifiable verifiableCredentials provided for presentation definition");
666
+ }
667
+ const proofOptions = {
668
+ ...opts?.proofOpts,
669
+ challenge: opts?.proofOpts?.nonce ?? opts?.proofOpts?.challenge ?? this.session.nonce,
670
+ domain: opts?.proofOpts?.domain ?? await this.session.getRedirectUri()
671
+ };
672
+ let idOpts2 = opts?.idOpts;
673
+ if (!idOpts2) {
674
+ if (opts?.subjectIsHolder) {
675
+ if (forceNoCredentialsInVP) {
676
+ return Promise.reject(Error(`Cannot have subject is holder, when force no credentials is being used, as we could never determine the holder then. Please provide holderDID`));
677
+ }
678
+ const firstUniqueDC = selectedVerifiableCredentials.credentials[0];
679
+ if (typeof firstUniqueDC !== "object" || !("digitalCredential" in firstUniqueDC)) {
680
+ return Promise.reject(Error("If no opts provided, credentials should be of type UniqueDigitalCredential"));
681
+ }
682
+ idOpts2 = isOID4VCIssuerIdentifier(firstUniqueDC.digitalCredential.kmsKeyRef) ? await this.session.context.agent.identifierManagedGetByIssuer({
683
+ identifier: firstUniqueDC.digitalCredential.kmsKeyRef
684
+ }) : await this.session.context.agent.identifierManagedGetByKid({
685
+ identifier: firstUniqueDC.digitalCredential.kmsKeyRef,
686
+ kmsKeyRef: firstUniqueDC.digitalCredential.kmsKeyRef
687
+ });
688
+ } else if (opts?.holder) {
689
+ idOpts2 = {
690
+ identifier: opts.holder
691
+ };
692
+ }
693
+ }
694
+ const vcs = forceNoCredentialsInVP ? selectedVerifiableCredentials : opts?.applyFilter ? await this.filterCredentials(credentialRole, selectedVerifiableCredentials.definition, {
695
+ restrictToFormats: opts?.restrictToFormats,
696
+ restrictToDIDMethods: opts?.restrictToDIDMethods,
697
+ filterOpts: {
698
+ verifiableCredentials: selectedVerifiableCredentials.credentials
699
+ }
700
+ }) : {
701
+ definition: selectedVerifiableCredentials.definition,
702
+ credentials: selectedVerifiableCredentials.credentials
703
+ };
704
+ if (!idOpts2) {
705
+ return Promise.reject(Error(`No identifier options present at this point`));
706
+ }
707
+ const signCallback = await createOID4VPPresentationSignCallback({
708
+ presentationSignCallback: this.session.options.presentationSignCallback,
709
+ idOpts: idOpts2,
710
+ context: this.session.context,
711
+ domain: proofOptions.domain,
712
+ challenge: proofOptions.challenge,
713
+ format: opts?.restrictToFormats ?? selectedVerifiableCredentials.definition.definition.format,
714
+ skipDidResolution: opts?.skipDidResolution ?? false
715
+ });
716
+ const identifier = await this.session.context.agent.identifierManagedGet(idOpts2);
717
+ const verifiableCredentials = vcs.credentials.map((credential) => typeof credential === "object" && "digitalCredential" in credential ? credential.originalVerifiableCredential : credential);
718
+ const presentationResult = await this.getPresentationExchange({
719
+ verifiableCredentials,
720
+ allIdentifiers: this.allIdentifiers,
721
+ hasher: opts?.hasher
722
+ }).createVerifiablePresentation(vcs.definition.definition, verifiableCredentials, signCallback, {
723
+ proofOptions,
724
+ // fixme: Update to newer siop-vp to not require dids here. But when Veramo is creating the VP it's still looking at this field to pass into didManagerGet
725
+ ...identifier && isManagedIdentifierDidResult(identifier) && {
726
+ holderDID: identifier.did
727
+ }
728
+ });
729
+ const verifiablePresentations = presentationResult.verifiablePresentations.map((verifiablePresentation) => typeof verifiablePresentation !== "string" && "proof" in verifiablePresentation && "jwt" in verifiablePresentation.proof && verifiablePresentation.proof.jwt ? verifiablePresentation.proof.jwt : verifiablePresentation);
730
+ return {
731
+ ...presentationResult,
732
+ verifiablePresentations,
733
+ verifiableCredentials,
734
+ definition: selectedVerifiableCredentials.definition,
735
+ idOpts: idOpts2
736
+ };
737
+ }
738
+ async filterCredentialsAgainstAllDefinitions(credentialRole, opts) {
739
+ const defs = await this.getPresentationDefinitions();
740
+ const result = [];
741
+ if (defs) {
742
+ for (const definition of defs) {
743
+ result.push(await this.filterCredentials(credentialRole, definition, opts));
744
+ }
745
+ }
746
+ return result;
747
+ }
748
+ async filterCredentials(credentialRole, presentationDefinition, opts) {
749
+ const udcMap = /* @__PURE__ */ new Map();
750
+ opts?.filterOpts?.verifiableCredentials?.forEach((credential) => {
751
+ if (typeof credential === "object" && "digitalCredential" in credential) {
752
+ udcMap.set(credential.originalVerifiableCredential, credential);
753
+ } else {
754
+ udcMap.set(credential, credential);
755
+ }
756
+ });
757
+ const credentials = (await this.filterCredentialsWithSelectionStatus(credentialRole, presentationDefinition, {
758
+ ...opts,
759
+ filterOpts: {
760
+ verifiableCredentials: opts?.filterOpts?.verifiableCredentials?.map((credential) => {
761
+ if (typeof credential === "object" && "digitalCredential" in credential) {
762
+ return credential.originalVerifiableCredential;
763
+ } else {
764
+ return credential;
765
+ }
766
+ })
767
+ }
768
+ })).verifiableCredential;
769
+ return {
770
+ definition: presentationDefinition,
771
+ credentials: credentials?.map((vc) => udcMap.get(vc)) ?? []
772
+ };
773
+ }
774
+ async filterCredentialsWithSelectionStatus(credentialRole, presentationDefinition, opts) {
775
+ const selectionResults = await this.getPresentationExchange({
776
+ verifiableCredentials: await this.getCredentials(credentialRole, opts?.filterOpts)
777
+ }).selectVerifiableCredentialsForSubmission(presentationDefinition.definition, opts);
778
+ if (selectionResults.errors && selectionResults.errors.length > 0) {
779
+ throw Error(JSON.stringify(selectionResults.errors));
780
+ } else if (selectionResults.areRequiredCredentialsPresent === Status.ERROR) {
781
+ throw Error(`Not all required credentials are available to satisfy the relying party's request`);
782
+ }
783
+ const matches = selectionResults.matches;
784
+ if (!matches || matches.length === 0 || !selectionResults.verifiableCredential || selectionResults.verifiableCredential.length === 0) {
785
+ throw Error(JSON.stringify(selectionResults.errors));
786
+ }
787
+ return selectionResults;
788
+ }
789
+ async getCredentials(credentialRole, filterOpts) {
790
+ if (filterOpts?.verifiableCredentials && filterOpts.verifiableCredentials.length > 0) {
791
+ return filterOpts.verifiableCredentials;
792
+ }
793
+ const filter = verifiableCredentialForRoleFilter(credentialRole, filterOpts?.filter);
794
+ const uniqueCredentials = await this.session.context.agent.crsGetUniqueCredentials({
795
+ filter
796
+ });
797
+ return uniqueCredentials.map((uniqueVC) => {
798
+ const vc = uniqueVC.uniformVerifiableCredential;
799
+ const proof = Array.isArray(vc.proof) ? vc.proof : [
800
+ vc.proof
801
+ ];
802
+ const jwtProof = proof.find((p) => p?.type === DEFAULT_JWT_PROOF_TYPE);
803
+ return jwtProof ? jwtProof.jwt : vc;
804
+ });
805
+ }
544
806
  };
545
807
 
546
808
  // src/session/OpSession.ts
547
809
  import { OP as OP2, URI } from "@sphereon/did-auth-siop";
548
810
  import { getAgentDIDMethods, getAgentResolver } from "@sphereon/ssi-sdk-ext.did-utils";
549
811
  import { encodeBase64url } from "@sphereon/ssi-sdk.core";
550
- import { parseDid } from "@sphereon/ssi-types";
812
+ import { CredentialMapper, parseDid } from "@sphereon/ssi-types";
551
813
  import { v4 } from "uuid";
814
+ import { PEX } from "@sphereon/pex";
552
815
  import { Loggers } from "@sphereon/ssi-types";
553
816
  var logger = Loggers.DEFAULT.get("sphereon:oid4vp:OpSession");
554
817
  var OpSession = class _OpSession {
@@ -563,11 +826,13 @@ var OpSession = class _OpSession {
563
826
  verifiedAuthorizationRequest;
564
827
  _nonce;
565
828
  _state;
829
+ _providedPresentationDefinitions;
566
830
  constructor(options) {
567
831
  this.id = options.sessionId;
568
832
  this.options = options.op;
569
833
  this.context = options.context;
570
834
  this.requestJwtOrUri = options.requestJwtOrUri;
835
+ this._providedPresentationDefinitions = options.providedPresentationDefinitions;
571
836
  }
572
837
  static async init(options) {
573
838
  return new _OpSession(options);
@@ -665,7 +930,7 @@ var OpSession = class _OpSession {
665
930
  subjectSyntaxTypesSupported
666
931
  ]).map((method) => convertDidMethod(method, opts.didPrefix));
667
932
  }
668
- const isEBSI = rpMethods.length === 0 && (authReq.issuer?.includes(".ebsi.eu") || authReq.authorizationRequest.getMergedProperty("client_id")?.includes(".ebsi.eu"));
933
+ const isEBSI = rpMethods.length === 0 && (authReq.issuer?.includes(".ebsi.eu") || (await authReq.authorizationRequest.getMergedProperty("client_id"))?.includes(".ebsi.eu"));
669
934
  let codecName = void 0;
670
935
  if (isEBSI && (!aud || !aud.startsWith("http"))) {
671
936
  logger.debug(`EBSI detected, adding did:key to supported DID methods for RP`);
@@ -720,9 +985,51 @@ var OpSession = class _OpSession {
720
985
  async getRedirectUri() {
721
986
  return Promise.resolve(this.verifiedAuthorizationRequest.responseURI);
722
987
  }
988
+ async hasPresentationDefinitions() {
989
+ const defs = this._providedPresentationDefinitions ?? (await this.getAuthorizationRequest()).presentationDefinitions;
990
+ return defs !== void 0 && defs.length > 0;
991
+ }
992
+ async getPresentationDefinitions() {
993
+ if (!await this.hasPresentationDefinitions()) {
994
+ throw Error(`No presentation definitions found`);
995
+ }
996
+ return this._providedPresentationDefinitions ?? (await this.getAuthorizationRequest()).presentationDefinitions;
997
+ }
723
998
  async getOID4VP(args) {
724
999
  return await OID4VP.init(this, args.allIdentifiers ?? [], args.hasher);
725
1000
  }
1001
+ createPresentationVerificationCallback(context) {
1002
+ async function presentationVerificationCallback(args, presentationSubmission) {
1003
+ let result;
1004
+ if (CredentialMapper.isSdJwtEncoded(args)) {
1005
+ try {
1006
+ const sdJwtResult = await context.agent.verifySdJwtPresentation({
1007
+ presentation: args
1008
+ });
1009
+ result = {
1010
+ verified: "header" in sdJwtResult,
1011
+ error: "header" in sdJwtResult ? void 0 : {
1012
+ message: "could not verify SD JWT presentation"
1013
+ }
1014
+ };
1015
+ } catch (error) {
1016
+ result = {
1017
+ verified: false,
1018
+ error: {
1019
+ message: error.message
1020
+ }
1021
+ };
1022
+ }
1023
+ } else {
1024
+ result = await context.agent.verifyPresentation({
1025
+ presentation: args
1026
+ });
1027
+ }
1028
+ return result;
1029
+ }
1030
+ __name(presentationVerificationCallback, "presentationVerificationCallback");
1031
+ return presentationVerificationCallback;
1032
+ }
726
1033
  async createJarmResponseCallback({ responseOpts }) {
727
1034
  const agent = this.context.agent;
728
1035
  return /* @__PURE__ */ __name(async function jarmResponse(opts) {
@@ -749,7 +1056,6 @@ var OpSession = class _OpSession {
749
1056
  }, "jarmResponse");
750
1057
  }
751
1058
  async sendAuthorizationResponse(args) {
752
- const { responseSignerOpts, dcqlResponse, isFirstParty } = args;
753
1059
  const resolveOpts = this.options.resolveOpts ?? {
754
1060
  resolver: getAgentResolver(this.context, {
755
1061
  uniresolverResolution: true,
@@ -760,7 +1066,23 @@ var OpSession = class _OpSession {
760
1066
  if (!resolveOpts.subjectSyntaxTypesSupported || resolveOpts.subjectSyntaxTypesSupported.length === 0) {
761
1067
  resolveOpts.subjectSyntaxTypesSupported = await this.getSupportedDIDMethods(true);
762
1068
  }
1069
+ const verification = {
1070
+ presentationVerificationCallback: this.createPresentationVerificationCallback(this.context)
1071
+ };
763
1072
  const request = await this.getAuthorizationRequest();
1073
+ const hasDefinitions = await this.hasPresentationDefinitions();
1074
+ if (hasDefinitions) {
1075
+ const totalInputDescriptors = request.presentationDefinitions?.reduce((sum, pd) => {
1076
+ return sum + pd.definition.input_descriptors.length;
1077
+ }, 0);
1078
+ const totalVCs = args.verifiablePresentations ? this.countVCsInAllVPs(args.verifiablePresentations, args.hasher) : 0;
1079
+ if (!request.presentationDefinitions || !args.verifiablePresentations || totalVCs !== totalInputDescriptors) {
1080
+ throw Error(`Amount of presentations ${args.verifiablePresentations?.length}, doesn't match expected ${request.presentationDefinitions?.length}`);
1081
+ } else if (!args.presentationSubmission) {
1082
+ throw Error(`Presentation submission is required when verifiable presentations are required`);
1083
+ }
1084
+ }
1085
+ const verifiablePresentations = args.verifiablePresentations ? args.verifiablePresentations.map((vp) => CredentialMapper.storedPresentationToOriginalFormat(vp)) : [];
764
1086
  const op = await createOP({
765
1087
  opOptions: {
766
1088
  ...this.options,
@@ -772,16 +1094,23 @@ var OpSession = class _OpSession {
772
1094
  wellknownDIDVerifyCallback: this.options.wellknownDIDVerifyCallback,
773
1095
  supportedVersions: request.versions
774
1096
  },
775
- idOpts: responseSignerOpts,
1097
+ idOpts: args.responseSignerOpts,
776
1098
  context: this.context
777
1099
  });
778
- let issuer = responseSignerOpts.issuer;
1100
+ let issuer = args.responseSignerOpts.issuer;
779
1101
  const responseOpts = {
1102
+ verification,
780
1103
  issuer,
781
- ...isFirstParty && {
782
- isFirstParty
1104
+ ...args.isFirstParty && {
1105
+ isFirstParty: args.isFirstParty
783
1106
  },
784
- dcqlResponse
1107
+ ...args.verifiablePresentations && {
1108
+ presentationExchange: {
1109
+ verifiablePresentations,
1110
+ presentationSubmission: args.presentationSubmission
1111
+ }
1112
+ },
1113
+ dcqlQuery: args.dcqlResponse
785
1114
  };
786
1115
  const authResponse = await op.createAuthorizationResponse(request, responseOpts);
787
1116
  const response = await op.submitAuthorizationResponse(authResponse, await this.createJarmResponseCallback({
@@ -793,6 +1122,24 @@ var OpSession = class _OpSession {
793
1122
  return response;
794
1123
  }
795
1124
  }
1125
+ countVCsInAllVPs(verifiablePresentations, hasher) {
1126
+ return verifiablePresentations.reduce((sum, vp) => {
1127
+ if (CredentialMapper.isMsoMdocDecodedPresentation(vp) || CredentialMapper.isMsoMdocOid4VPEncoded(vp)) {
1128
+ return sum + 1;
1129
+ }
1130
+ const uvp = CredentialMapper.toUniformPresentation(vp, {
1131
+ hasher: hasher ?? this.options.hasher
1132
+ });
1133
+ if (uvp.verifiableCredential?.length) {
1134
+ return sum + uvp.verifiableCredential?.length;
1135
+ }
1136
+ const isSdJWT = CredentialMapper.isSdJwtDecodedCredential(uvp);
1137
+ if (isSdJWT || uvp.verifiableCredential && !PEX.allowMultipleVCsPerPresentation(uvp.verifiableCredential)) {
1138
+ return sum + 1;
1139
+ }
1140
+ return sum;
1141
+ }, 0);
1142
+ }
796
1143
  };
797
1144
  function convertDidMethod(didMethod, didPrefix) {
798
1145
  if (didPrefix === false) {
@@ -802,79 +1149,10 @@ function convertDidMethod(didMethod, didPrefix) {
802
1149
  }
803
1150
  __name(convertDidMethod, "convertDidMethod");
804
1151
 
805
- // src/types/IDidAuthSiopOpAuthenticator.ts
806
- var LOGGER_NAMESPACE = "sphereon:siopv2-oid4vp:op-auth";
807
- var DEFAULT_JWT_PROOF_TYPE = "JwtProof2020";
808
-
809
- // src/types/siop-service/index.ts
810
- var Siopv2HolderEvent = /* @__PURE__ */ function(Siopv2HolderEvent2) {
811
- Siopv2HolderEvent2["CONTACT_IDENTITY_CREATED"] = "contact_identity_created";
812
- Siopv2HolderEvent2["IDENTIFIER_CREATED"] = "identifier_created";
813
- return Siopv2HolderEvent2;
814
- }({});
815
- var SupportedLanguage = /* @__PURE__ */ function(SupportedLanguage2) {
816
- SupportedLanguage2["ENGLISH"] = "en";
817
- SupportedLanguage2["DUTCH"] = "nl";
818
- return SupportedLanguage2;
819
- }({});
820
-
821
- // src/types/machine/index.ts
822
- var Siopv2MachineStates = /* @__PURE__ */ function(Siopv2MachineStates2) {
823
- Siopv2MachineStates2["createConfig"] = "createConfig";
824
- Siopv2MachineStates2["getSiopRequest"] = "getSiopRequest";
825
- Siopv2MachineStates2["getSelectableCredentials"] = "getSelectableCredentials";
826
- Siopv2MachineStates2["retrieveContact"] = "retrieveContact";
827
- Siopv2MachineStates2["transitionFromSetup"] = "transitionFromSetup";
828
- Siopv2MachineStates2["addContact"] = "addContact";
829
- Siopv2MachineStates2["addContactIdentity"] = "addContactIdentity";
830
- Siopv2MachineStates2["selectCredentials"] = "selectCredentials";
831
- Siopv2MachineStates2["sendResponse"] = "sendResponse";
832
- Siopv2MachineStates2["handleError"] = "handleError";
833
- Siopv2MachineStates2["aborted"] = "aborted";
834
- Siopv2MachineStates2["declined"] = "declined";
835
- Siopv2MachineStates2["error"] = "error";
836
- Siopv2MachineStates2["done"] = "done";
837
- return Siopv2MachineStates2;
838
- }({});
839
- var Siopv2MachineAddContactStates = /* @__PURE__ */ function(Siopv2MachineAddContactStates2) {
840
- Siopv2MachineAddContactStates2["idle"] = "idle";
841
- Siopv2MachineAddContactStates2["executing"] = "executing";
842
- Siopv2MachineAddContactStates2["next"] = "next";
843
- return Siopv2MachineAddContactStates2;
844
- }({});
845
- var Siopv2MachineEvents = /* @__PURE__ */ function(Siopv2MachineEvents2) {
846
- Siopv2MachineEvents2["NEXT"] = "NEXT";
847
- Siopv2MachineEvents2["PREVIOUS"] = "PREVIOUS";
848
- Siopv2MachineEvents2["DECLINE"] = "DECLINE";
849
- Siopv2MachineEvents2["SET_CONTACT_ALIAS"] = "SET_CONTACT_ALIAS";
850
- Siopv2MachineEvents2["SET_CONTACT_CONSENT"] = "SET_CONTACT_CONSENT";
851
- Siopv2MachineEvents2["CREATE_CONTACT"] = "CREATE_CONTACT";
852
- Siopv2MachineEvents2["SET_SELECTED_CREDENTIALS"] = "SET_SELECTED_CREDENTIALS";
853
- return Siopv2MachineEvents2;
854
- }({});
855
- var Siopv2MachineGuards = /* @__PURE__ */ function(Siopv2MachineGuards2) {
856
- Siopv2MachineGuards2["hasNoContactGuard"] = "Siopv2HasNoContactGuard";
857
- Siopv2MachineGuards2["createContactGuard"] = "Siopv2CreateContactGuard";
858
- Siopv2MachineGuards2["hasContactGuard"] = "Siopv2HasContactGuard";
859
- Siopv2MachineGuards2["hasAuthorizationRequestGuard"] = "Siopv2HasAuthorizationRequestGuard";
860
- Siopv2MachineGuards2["hasSelectableCredentialsAndContactGuard"] = "Siopv2HasSelectableCredentialsAndContactGuard";
861
- Siopv2MachineGuards2["hasSelectedRequiredCredentialsGuard"] = "Siopv2HasSelectedRequiredCredentialsGuard";
862
- Siopv2MachineGuards2["siopOnlyGuard"] = "Siopv2IsSiopOnlyGuard";
863
- Siopv2MachineGuards2["siopWithOID4VPGuard"] = "Siopv2IsSiopWithOID4VPGuard";
864
- return Siopv2MachineGuards2;
865
- }({});
866
- var Siopv2MachineServices = /* @__PURE__ */ function(Siopv2MachineServices2) {
867
- Siopv2MachineServices2["getSiopRequest"] = "getSiopRequest";
868
- Siopv2MachineServices2["getSelectableCredentials"] = "getSelectableCredentials";
869
- Siopv2MachineServices2["retrieveContact"] = "retrieveContact";
870
- Siopv2MachineServices2["addContactIdentity"] = "addContactIdentity";
871
- Siopv2MachineServices2["sendResponse"] = "sendResponse";
872
- Siopv2MachineServices2["createConfig"] = "createConfig";
873
- return Siopv2MachineServices2;
874
- }({});
875
-
876
- // src/types/identifier/index.ts
877
- var DID_PREFIX = "did";
1152
+ // src/agent/DidAuthSiopOpAuthenticator.ts
1153
+ import { PEX as PEX3, Status as Status2 } from "@sphereon/pex";
1154
+ import { computeEntryHash } from "@veramo/utils";
1155
+ import { DcqlQuery as DcqlQuery2 } from "dcql";
878
1156
 
879
1157
  // src/machine/Siopv2Machine.ts
880
1158
  import { assign, createMachine, interpret } from "xstate";
@@ -943,7 +1221,7 @@ var Siopv2HasSelectableCredentialsAndContactGuard = /* @__PURE__ */ __name((_ctx
943
1221
  if (!contact) {
944
1222
  throw new Error("Missing contact request data in context");
945
1223
  }
946
- return authorizationRequestData.dcqlQuery !== void 0;
1224
+ return authorizationRequestData.presentationDefinitions !== void 0;
947
1225
  }, "Siopv2HasSelectableCredentialsAndContactGuard");
948
1226
  var Siopv2CreateContactGuard = /* @__PURE__ */ __name((_ctx, _event) => {
949
1227
  const { contactAlias, hasContactConsent } = _ctx;
@@ -954,7 +1232,7 @@ var Siopv2HasSelectedRequiredCredentialsGuard = /* @__PURE__ */ __name((_ctx, _e
954
1232
  if (authorizationRequestData === void 0) {
955
1233
  throw new Error("Missing authorization request data in context");
956
1234
  }
957
- if (authorizationRequestData.dcqlQuery === void 0) {
1235
+ if (authorizationRequestData.presentationDefinitions === void 0 || authorizationRequestData.presentationDefinitions.length === 0) {
958
1236
  throw Error("No presentation definitions present");
959
1237
  }
960
1238
  return _ctx.selectedCredentials.length > 0;
@@ -964,7 +1242,7 @@ var Siopv2IsSiopOnlyGuard = /* @__PURE__ */ __name((_ctx, _event) => {
964
1242
  if (authorizationRequestData === void 0) {
965
1243
  throw new Error("Missing authorization request data in context");
966
1244
  }
967
- return authorizationRequestData.dcqlQuery === void 0;
1245
+ return authorizationRequestData.presentationDefinitions === void 0;
968
1246
  }, "Siopv2IsSiopOnlyGuard");
969
1247
  var Siopv2IsSiopWithOID4VPGuard = /* @__PURE__ */ __name((_ctx, _event) => {
970
1248
  const { authorizationRequestData, selectableCredentialsMap } = _ctx;
@@ -974,7 +1252,7 @@ var Siopv2IsSiopWithOID4VPGuard = /* @__PURE__ */ __name((_ctx, _event) => {
974
1252
  if (!selectableCredentialsMap) {
975
1253
  throw new Error("Missing selectableCredentialsMap in context");
976
1254
  }
977
- return authorizationRequestData.dcqlQuery !== void 0;
1255
+ return authorizationRequestData.presentationDefinitions !== void 0;
978
1256
  }, "Siopv2IsSiopWithOID4VPGuard");
979
1257
  var createSiopv2Machine = /* @__PURE__ */ __name((opts) => {
980
1258
  const { url, idOpts: idOpts2 } = opts;
@@ -1290,57 +1568,114 @@ var Siopv2Machine = class {
1290
1568
 
1291
1569
  // src/services/Siopv2MachineService.ts
1292
1570
  import { SupportedVersion as SupportedVersion2 } from "@sphereon/did-auth-siop";
1293
- import { isOID4VCIssuerIdentifier } from "@sphereon/ssi-sdk-ext.identifier-resolution";
1294
- import { verifiableCredentialForRoleFilter } from "@sphereon/ssi-sdk.credential-store";
1295
- import { ConnectionType } from "@sphereon/ssi-sdk.data-store";
1296
- import { CredentialRole } from "@sphereon/ssi-types";
1297
- import { CredentialMapper as CredentialMapper3, Loggers as Loggers3 } from "@sphereon/ssi-types";
1298
- import { encodeJoseBlob } from "@sphereon/ssi-sdk.core";
1571
+ import { PEX as PEX2 } from "@sphereon/pex";
1572
+ import { isOID4VCIssuerIdentifier as isOID4VCIssuerIdentifier2 } from "@sphereon/ssi-sdk-ext.identifier-resolution";
1573
+ import { verifiableCredentialForRoleFilter as verifiableCredentialForRoleFilter2 } from "@sphereon/ssi-sdk.credential-store";
1574
+ import { ConnectionType, CredentialRole } from "@sphereon/ssi-sdk.data-store";
1575
+ import { CredentialMapper as CredentialMapper4, Loggers as Loggers3 } from "@sphereon/ssi-types";
1576
+ import { getOrCreatePrimaryIdentifier, SupportedDidMethodEnum } from "@sphereon/ssi-sdk-ext.did-utils";
1577
+ import { defaultHasher as defaultHasher2, encodeJoseBlob } from "@sphereon/ssi-sdk.core";
1299
1578
  import { DcqlPresentation, DcqlQuery } from "dcql";
1300
1579
 
1301
1580
  // src/utils/dcql.ts
1302
- import { CredentialMapper as CredentialMapper2 } from "@sphereon/ssi-types";
1303
- import { Dcql } from "@sphereon/did-auth-siop";
1581
+ import { CredentialMapper as CredentialMapper3 } from "@sphereon/ssi-types";
1304
1582
 
1305
1583
  // src/utils/CredentialUtils.ts
1306
- import { CredentialMapper } from "@sphereon/ssi-types";
1584
+ import { CredentialMapper as CredentialMapper2 } from "@sphereon/ssi-types";
1585
+ var getOriginalVerifiableCredential = /* @__PURE__ */ __name((credential) => {
1586
+ if (isUniqueDigitalCredential(credential)) {
1587
+ if (!credential.originalVerifiableCredential) {
1588
+ throw new Error("originalVerifiableCredential is not defined in UniqueDigitalCredential");
1589
+ }
1590
+ return getCredentialFromProofOrWrapped(credential.originalVerifiableCredential);
1591
+ }
1592
+ return getCredentialFromProofOrWrapped(credential);
1593
+ }, "getOriginalVerifiableCredential");
1594
+ var getCredentialFromProofOrWrapped = /* @__PURE__ */ __name((cred, hasher) => {
1595
+ if (typeof cred === "object" && "proof" in cred && "jwt" in cred.proof && CredentialMapper2.isSdJwtEncoded(cred.proof.jwt)) {
1596
+ return cred.proof.jwt;
1597
+ }
1598
+ return CredentialMapper2.toWrappedVerifiableCredential(cred, {
1599
+ hasher
1600
+ }).original;
1601
+ }, "getCredentialFromProofOrWrapped");
1307
1602
  var isUniqueDigitalCredential = /* @__PURE__ */ __name((credential) => {
1308
1603
  return credential.digitalCredential !== void 0;
1309
1604
  }, "isUniqueDigitalCredential");
1310
1605
 
1311
1606
  // src/utils/dcql.ts
1312
1607
  function convertToDcqlCredentials(credential, hasher) {
1313
- let originalVerifiableCredential;
1608
+ let payload;
1314
1609
  if (isUniqueDigitalCredential(credential)) {
1315
1610
  if (!credential.originalVerifiableCredential) {
1316
1611
  throw new Error("originalVerifiableCredential is not defined in UniqueDigitalCredential");
1317
1612
  }
1318
- originalVerifiableCredential = CredentialMapper2.decodeVerifiableCredential(credential.originalVerifiableCredential, hasher);
1613
+ payload = CredentialMapper3.decodeVerifiableCredential(credential.originalVerifiableCredential, hasher);
1319
1614
  } else {
1320
- originalVerifiableCredential = CredentialMapper2.decodeVerifiableCredential(credential, hasher);
1615
+ payload = CredentialMapper3.decodeVerifiableCredential(credential, hasher);
1321
1616
  }
1322
- if (!originalVerifiableCredential) {
1617
+ if (!payload) {
1323
1618
  throw new Error("No payload found");
1324
1619
  }
1325
- if (CredentialMapper2.isJwtDecodedCredential(originalVerifiableCredential)) {
1326
- return Dcql.toDcqlJwtCredential(CredentialMapper2.toWrappedVerifiableCredential(originalVerifiableCredential));
1327
- } else if (CredentialMapper2.isSdJwtDecodedCredential(originalVerifiableCredential)) {
1328
- return Dcql.toDcqlSdJwtCredential(CredentialMapper2.toWrappedVerifiableCredential(originalVerifiableCredential));
1329
- } else if (CredentialMapper2.isMsoMdocDecodedCredential(originalVerifiableCredential)) {
1330
- return Dcql.toDcqlMdocCredential(CredentialMapper2.toWrappedVerifiableCredential(originalVerifiableCredential));
1331
- } else if (CredentialMapper2.isW3cCredential(originalVerifiableCredential)) {
1332
- return Dcql.toDcqlJsonLdCredential(CredentialMapper2.toWrappedVerifiableCredential(originalVerifiableCredential));
1620
+ if ("decodedPayload" in payload && payload.decodedPayload) {
1621
+ payload = payload.decodedPayload;
1622
+ }
1623
+ if ("vct" in payload) {
1624
+ return {
1625
+ vct: payload.vct,
1626
+ claims: payload,
1627
+ credential_format: "vc+sd-jwt"
1628
+ };
1629
+ } else if ("docType" in payload && "namespaces" in payload) {
1630
+ return {
1631
+ docType: payload.docType,
1632
+ namespaces: payload.namespaces,
1633
+ claims: payload
1634
+ };
1635
+ } else {
1636
+ return {
1637
+ claims: payload,
1638
+ credential_format: "jwt_vc_json"
1639
+ };
1333
1640
  }
1334
- throw Error(`Unable to map credential to DCQL credential. Credential: ${JSON.stringify(originalVerifiableCredential)}`);
1335
1641
  }
1336
1642
  __name(convertToDcqlCredentials, "convertToDcqlCredentials");
1337
1643
 
1338
1644
  // src/services/Siopv2MachineService.ts
1339
- import { getOrCreatePrimaryIdentifier, SupportedDidMethodEnum } from "@sphereon/ssi-sdk-ext.did-utils";
1340
1645
  var logger3 = Loggers3.DEFAULT.get(LOGGER_NAMESPACE);
1646
+ var createEbsiIdentifier = /* @__PURE__ */ __name(async (agentContext) => {
1647
+ logger3.log(`No EBSI key present yet. Creating a new one...`);
1648
+ const { result: newIdentifier, created } = await getOrCreatePrimaryIdentifier(agentContext, {
1649
+ method: SupportedDidMethodEnum.DID_KEY,
1650
+ createOpts: {
1651
+ options: {
1652
+ codecName: "jwk_jcs-pub",
1653
+ type: "Secp256r1"
1654
+ }
1655
+ }
1656
+ });
1657
+ logger3.log(`EBSI key created: ${newIdentifier.did}`);
1658
+ if (created) {
1659
+ await agentContext.agent.emit(Siopv2HolderEvent.IDENTIFIER_CREATED, {
1660
+ result: newIdentifier
1661
+ });
1662
+ }
1663
+ return await agentContext.agent.identifierManagedGetByDid({
1664
+ identifier: newIdentifier.did
1665
+ });
1666
+ }, "createEbsiIdentifier");
1667
+ var hasEbsiClient = /* @__PURE__ */ __name(async (authorizationRequest) => {
1668
+ const clientId = await authorizationRequest.getMergedProperty("client_id");
1669
+ const redirectUri = await authorizationRequest.getMergedProperty("redirect_uri");
1670
+ return clientId?.toLowerCase().includes(".ebsi.eu") || redirectUri?.toLowerCase().includes(".ebsi.eu");
1671
+ }, "hasEbsiClient");
1341
1672
  var siopSendAuthorizationResponse = /* @__PURE__ */ __name(async (connectionType, args, context) => {
1342
1673
  const { agent } = context;
1343
- const { credentials } = args;
1674
+ const agentContext = {
1675
+ ...context,
1676
+ agent: context.agent
1677
+ };
1678
+ let { idOpts: idOpts2, isFirstParty, hasher = defaultHasher2 } = args;
1344
1679
  if (connectionType !== ConnectionType.SIOPv2_OpenID4VP) {
1345
1680
  return Promise.reject(Error(`No supported authentication provider for type: ${connectionType}`));
1346
1681
  }
@@ -1348,148 +1683,252 @@ var siopSendAuthorizationResponse = /* @__PURE__ */ __name(async (connectionType
1348
1683
  sessionId: args.sessionId
1349
1684
  });
1350
1685
  const request = await session.getAuthorizationRequest();
1351
- const aud = request.authorizationRequest.getMergedProperty("aud");
1686
+ const aud = await request.authorizationRequest.getMergedProperty("aud");
1352
1687
  logger3.debug(`AUD: ${aud}`);
1353
1688
  logger3.debug(JSON.stringify(request.authorizationRequest));
1354
- const domain = await request.authorizationRequest.getMergedProperty("client_id") ?? request.issuer ?? (request.versions.includes(SupportedVersion2.JWT_VC_PRESENTATION_PROFILE_v1) ? "https://self-issued.me/v2/openid-vc" : "https://self-issued.me/v2");
1355
- logger3.debug(`NONCE: ${session.nonce}, domain: ${domain}`);
1356
- const firstUniqueDC = credentials[0];
1357
- if (typeof firstUniqueDC !== "object" || !("digitalCredential" in firstUniqueDC)) {
1358
- return Promise.reject(Error("SiopMachine only supports UniqueDigitalCredentials for now"));
1359
- }
1360
- let identifier;
1361
- const digitalCredential = firstUniqueDC.digitalCredential;
1362
- const firstVC = firstUniqueDC.uniformVerifiableCredential;
1363
- const holder = CredentialMapper3.isSdJwtDecodedCredential(firstVC) ? firstVC.decodedPayload.cnf?.jwk ? (
1364
- //doesn't apply to did:jwk only, as you can represent any DID key as a JWK. So whenever you encounter a JWK it doesn't mean it had to come from a did:jwk in the system. It just can always be represented as a did:jwk
1365
- `did:jwk:${encodeJoseBlob(firstVC.decodedPayload.cnf?.jwk)}#0`
1366
- ) : firstVC.decodedPayload.sub : Array.isArray(firstVC.credentialSubject) ? firstVC.credentialSubject[0].id : firstVC.credentialSubject.id;
1367
- if (!digitalCredential.kmsKeyRef) {
1368
- if (!holder) {
1369
- return Promise.reject(`No holder found and no kmsKeyRef in DB. Cannot determine identifier to use`);
1370
- }
1371
- try {
1372
- identifier = await session.context.agent.identifierManagedGet({
1373
- identifier: holder
1689
+ let presentationsAndDefs;
1690
+ let presentationSubmission;
1691
+ if (await session.hasPresentationDefinitions()) {
1692
+ const oid4vp = await session.getOID4VP({
1693
+ hasher
1694
+ });
1695
+ const credentialsAndDefinitions = args.verifiableCredentialsWithDefinition ? args.verifiableCredentialsWithDefinition : await oid4vp.filterCredentialsAgainstAllDefinitions(CredentialRole.HOLDER);
1696
+ const domain = await request.authorizationRequest.getMergedProperty("client_id") ?? request.issuer ?? (request.versions.includes(SupportedVersion2.JWT_VC_PRESENTATION_PROFILE_v1) ? "https://self-issued.me/v2/openid-vc" : "https://self-issued.me/v2");
1697
+ logger3.log(`NONCE: ${session.nonce}, domain: ${domain}`);
1698
+ const firstUniqueDC = credentialsAndDefinitions[0].credentials[0];
1699
+ if (typeof firstUniqueDC !== "object" || !("digitalCredential" in firstUniqueDC)) {
1700
+ return Promise.reject(Error("SiopMachine only supports UniqueDigitalCredentials for now"));
1701
+ }
1702
+ let identifier;
1703
+ const digitalCredential = firstUniqueDC.digitalCredential;
1704
+ const firstVC = firstUniqueDC.uniformVerifiableCredential;
1705
+ const holder = CredentialMapper4.isSdJwtDecodedCredential(firstVC) ? firstVC.decodedPayload.cnf?.jwk ? (
1706
+ //doesn't apply to did:jwk only, as you can represent any DID key as a JWK. So whenever you encounter a JWK it doesn't mean it had to come from a did:jwk in the system. It just can always be represented as a did:jwk
1707
+ `did:jwk:${encodeJoseBlob(firstVC.decodedPayload.cnf?.jwk)}#0`
1708
+ ) : firstVC.decodedPayload.sub : Array.isArray(firstVC.credentialSubject) ? firstVC.credentialSubject[0].id : firstVC.credentialSubject.id;
1709
+ if (!digitalCredential.kmsKeyRef) {
1710
+ if (!holder) {
1711
+ return Promise.reject(`No holder found and no kmsKeyRef in DB. Cannot determine identifier to use`);
1712
+ }
1713
+ try {
1714
+ identifier = await session.context.agent.identifierManagedGet({
1715
+ identifier: holder
1716
+ });
1717
+ } catch (e) {
1718
+ logger3.debug(`Holder DID not found: ${holder}`);
1719
+ throw e;
1720
+ }
1721
+ } else if (isOID4VCIssuerIdentifier2(digitalCredential.kmsKeyRef)) {
1722
+ identifier = await session.context.agent.identifierManagedGetByOID4VCIssuer({
1723
+ identifier: firstUniqueDC.digitalCredential.kmsKeyRef
1374
1724
  });
1375
- } catch (e) {
1376
- logger3.debug(`Holder DID not found: ${holder}`);
1377
- throw e;
1725
+ } else {
1726
+ switch (digitalCredential.subjectCorrelationType) {
1727
+ case "DID":
1728
+ identifier = await session.context.agent.identifierManagedGetByDid({
1729
+ identifier: digitalCredential.subjectCorrelationId ?? holder,
1730
+ kmsKeyRef: digitalCredential.kmsKeyRef
1731
+ });
1732
+ break;
1733
+ // TODO other implementations?
1734
+ default:
1735
+ if (digitalCredential.subjectCorrelationId?.startsWith("did:") || holder?.startsWith("did:")) {
1736
+ identifier = await session.context.agent.identifierManagedGetByDid({
1737
+ identifier: digitalCredential.subjectCorrelationId ?? holder,
1738
+ kmsKeyRef: digitalCredential.kmsKeyRef
1739
+ });
1740
+ } else {
1741
+ identifier = await session.context.agent.identifierManagedGetByKid({
1742
+ identifier: digitalCredential.subjectCorrelationId ?? holder ?? digitalCredential.kmsKeyRef,
1743
+ kmsKeyRef: digitalCredential.kmsKeyRef
1744
+ });
1745
+ }
1746
+ }
1747
+ }
1748
+ if (identifier === void 0 && idOpts2 !== void 0 && await hasEbsiClient(request.authorizationRequest)) {
1749
+ identifier = await createEbsiIdentifier(agentContext);
1378
1750
  }
1379
- } else if (isOID4VCIssuerIdentifier(digitalCredential.kmsKeyRef)) {
1380
- identifier = await session.context.agent.identifierManagedGetByOID4VCIssuer({
1381
- identifier: firstUniqueDC.digitalCredential.kmsKeyRef
1751
+ logger3.debug(`Identifier`, identifier);
1752
+ presentationsAndDefs = await oid4vp.createVerifiablePresentations(CredentialRole.HOLDER, credentialsAndDefinitions, {
1753
+ idOpts: identifier,
1754
+ proofOpts: {
1755
+ nonce: session.nonce,
1756
+ domain
1757
+ }
1382
1758
  });
1383
- } else {
1384
- switch (digitalCredential.subjectCorrelationType) {
1385
- case "DID":
1386
- identifier = await session.context.agent.identifierManagedGetByDid({
1387
- identifier: digitalCredential.subjectCorrelationId ?? holder,
1388
- kmsKeyRef: digitalCredential.kmsKeyRef
1389
- });
1390
- break;
1391
- // TODO other implementations?
1392
- default:
1393
- identifier = await session.context.agent.identifierManagedGetByKid({
1394
- identifier: digitalCredential.subjectCorrelationId ?? holder ?? digitalCredential.kmsKeyRef,
1395
- kmsKeyRef: digitalCredential.kmsKeyRef
1396
- });
1759
+ if (!presentationsAndDefs || presentationsAndDefs.length === 0) {
1760
+ throw Error("No verifiable presentations could be created");
1761
+ } else if (presentationsAndDefs.length > 1) {
1762
+ throw Error(`Only one verifiable presentation supported for now. Got ${presentationsAndDefs.length}`);
1397
1763
  }
1398
- }
1399
- const dcqlCredentialsWithCredentials = new Map(credentials.map((vc) => [
1400
- convertToDcqlCredentials(vc),
1401
- vc
1402
- ]));
1403
- const queryResult = DcqlQuery.query(request.dcqlQuery, Array.from(dcqlCredentialsWithCredentials.keys()));
1404
- if (!queryResult.can_be_satisfied) {
1405
- return Promise.reject(Error("Credentials do not match required query request"));
1406
- }
1407
- const presentation = {};
1408
- const uniqueCredentials = Array.from(dcqlCredentialsWithCredentials.values());
1409
- for (const [key, value] of Object.entries(queryResult.credential_matches)) {
1410
- if (value.success) {
1411
- const matchedCredentials = value.valid_credentials.map((cred) => uniqueCredentials[cred.input_credential_index]);
1412
- const vc = matchedCredentials[0];
1413
- if (!vc) {
1414
- continue;
1764
+ idOpts2 = presentationsAndDefs[0].idOpts;
1765
+ presentationSubmission = presentationsAndDefs[0].presentationSubmission;
1766
+ logger3.log(`Definitions and locations:`, JSON.stringify(presentationsAndDefs?.[0]?.verifiablePresentations, null, 2));
1767
+ logger3.log(`Presentation Submission:`, JSON.stringify(presentationSubmission, null, 2));
1768
+ const mergedVerifiablePresentations = presentationsAndDefs?.flatMap((pd) => pd.verifiablePresentations) || [];
1769
+ return await session.sendAuthorizationResponse({
1770
+ ...presentationsAndDefs && {
1771
+ verifiablePresentations: mergedVerifiablePresentations
1772
+ },
1773
+ ...presentationSubmission && {
1774
+ presentationSubmission
1775
+ },
1776
+ // todo: Change issuer value in case we do not use identifier. Use key.meta.jwkThumbprint then
1777
+ responseSignerOpts: idOpts2,
1778
+ isFirstParty
1779
+ });
1780
+ } else if (request.dcqlQuery) {
1781
+ if (args.verifiableCredentialsWithDefinition !== void 0 && args.verifiableCredentialsWithDefinition !== null) {
1782
+ const vcs = args.verifiableCredentialsWithDefinition.flatMap((vcd) => vcd.credentials);
1783
+ const domain = await request.authorizationRequest.getMergedProperty("client_id") ?? request.issuer ?? (request.versions.includes(SupportedVersion2.JWT_VC_PRESENTATION_PROFILE_v1) ? "https://self-issued.me/v2/openid-vc" : "https://self-issued.me/v2");
1784
+ logger3.debug(`NONCE: ${session.nonce}, domain: ${domain}`);
1785
+ const firstUniqueDC = vcs[0];
1786
+ if (typeof firstUniqueDC !== "object" || !("digitalCredential" in firstUniqueDC)) {
1787
+ return Promise.reject(Error("SiopMachine only supports UniqueDigitalCredentials for now"));
1415
1788
  }
1416
- const originalVc = retrieveEncodedCredential(vc);
1417
- if (!originalVc) {
1418
- continue;
1789
+ let identifier;
1790
+ const digitalCredential = firstUniqueDC.digitalCredential;
1791
+ const firstVC = firstUniqueDC.uniformVerifiableCredential;
1792
+ const holder = CredentialMapper4.isSdJwtDecodedCredential(firstVC) ? firstVC.decodedPayload.cnf?.jwk ? (
1793
+ //doesn't apply to did:jwk only, as you can represent any DID key as a JWK. So whenever you encounter a JWK it doesn't mean it had to come from a did:jwk in the system. It just can always be represented as a did:jwk
1794
+ `did:jwk:${encodeJoseBlob(firstVC.decodedPayload.cnf?.jwk)}#0`
1795
+ ) : firstVC.decodedPayload.sub : Array.isArray(firstVC.credentialSubject) ? firstVC.credentialSubject[0].id : firstVC.credentialSubject.id;
1796
+ if (!digitalCredential.kmsKeyRef) {
1797
+ if (!holder) {
1798
+ return Promise.reject(`No holder found and no kmsKeyRef in DB. Cannot determine identifier to use`);
1799
+ }
1800
+ try {
1801
+ identifier = await session.context.agent.identifierManagedGet({
1802
+ identifier: holder
1803
+ });
1804
+ } catch (e) {
1805
+ logger3.debug(`Holder DID not found: ${holder}`);
1806
+ throw e;
1807
+ }
1808
+ } else if (isOID4VCIssuerIdentifier2(digitalCredential.kmsKeyRef)) {
1809
+ identifier = await session.context.agent.identifierManagedGetByOID4VCIssuer({
1810
+ identifier: firstUniqueDC.digitalCredential.kmsKeyRef
1811
+ });
1812
+ } else {
1813
+ switch (digitalCredential.subjectCorrelationType) {
1814
+ case "DID":
1815
+ identifier = await session.context.agent.identifierManagedGetByDid({
1816
+ identifier: digitalCredential.subjectCorrelationId ?? holder,
1817
+ kmsKeyRef: digitalCredential.kmsKeyRef
1818
+ });
1819
+ break;
1820
+ // TODO other implementations?
1821
+ default:
1822
+ identifier = await session.context.agent.identifierManagedGetByKid({
1823
+ identifier: digitalCredential.subjectCorrelationId ?? holder ?? digitalCredential.kmsKeyRef,
1824
+ kmsKeyRef: digitalCredential.kmsKeyRef
1825
+ });
1826
+ }
1419
1827
  }
1420
- if (originalVc) {
1421
- presentation[key] = originalVc;
1828
+ console.log(`Identifier`, identifier);
1829
+ const dcqlRepresentations = [];
1830
+ vcs.forEach((vc) => {
1831
+ const rep = convertToDcqlCredentials(vc, args.hasher);
1832
+ if (rep) {
1833
+ dcqlRepresentations.push(rep);
1834
+ }
1835
+ });
1836
+ const queryResult = DcqlQuery.query(request.dcqlQuery, dcqlRepresentations);
1837
+ const presentation = {};
1838
+ for (const [key, value] of Object.entries(queryResult.credential_matches)) {
1839
+ const allMatches = Array.isArray(value) ? value : [
1840
+ value
1841
+ ];
1842
+ allMatches.forEach((match) => {
1843
+ if (match.success) {
1844
+ const originalCredential = getOriginalVerifiableCredential(vcs[match.input_credential_index]);
1845
+ if (!originalCredential) {
1846
+ throw new Error(`Index ${match.input_credential_index} out of range in credentials array`);
1847
+ }
1848
+ presentation[key] = originalCredential["compactSdJwtVc"] !== void 0 ? originalCredential.compactSdJwtVc : originalCredential;
1849
+ }
1850
+ });
1422
1851
  }
1852
+ const response = session.sendAuthorizationResponse({
1853
+ responseSignerOpts: identifier,
1854
+ ...{
1855
+ dcqlQuery: {
1856
+ dcqlPresentation: DcqlPresentation.parse(presentation)
1857
+ }
1858
+ }
1859
+ });
1860
+ logger3.debug(`Response: `, response);
1861
+ return response;
1423
1862
  }
1424
1863
  }
1425
- const dcqlPresentation = DcqlPresentation.parse(presentation);
1426
- const response = session.sendAuthorizationResponse({
1427
- responseSignerOpts: identifier,
1428
- dcqlResponse: {
1429
- dcqlPresentation
1430
- }
1431
- });
1432
- logger3.debug(`Response: `, response);
1433
- return response;
1864
+ throw Error("Presentation Definition or DCQL is required");
1434
1865
  }, "siopSendAuthorizationResponse");
1435
- var retrieveEncodedCredential = /* @__PURE__ */ __name((credential) => {
1436
- return credential.originalVerifiableCredential !== void 0 && credential.originalVerifiableCredential !== null && credential?.originalVerifiableCredential?.compactSdJwtVc !== void 0 && credential?.originalVerifiableCredential?.compactSdJwtVc !== null ? credential.originalVerifiableCredential.compactSdJwtVc : credential.originalVerifiableCredential;
1437
- }, "retrieveEncodedCredential");
1438
- var getSelectableCredentials = /* @__PURE__ */ __name(async (dcqlQuery, context) => {
1866
+ function buildPartialPD(inputDescriptor, presentationDefinition) {
1867
+ return {
1868
+ ...presentationDefinition,
1869
+ input_descriptors: [
1870
+ inputDescriptor
1871
+ ]
1872
+ };
1873
+ }
1874
+ __name(buildPartialPD, "buildPartialPD");
1875
+ var getSelectableCredentials = /* @__PURE__ */ __name(async (presentationDefinition, context) => {
1439
1876
  const agentContext = {
1440
1877
  ...context,
1441
1878
  agent: context.agent
1442
1879
  };
1443
1880
  const { agent } = agentContext;
1881
+ const pex = new PEX2();
1444
1882
  const uniqueVerifiableCredentials = await agent.crsGetUniqueCredentials({
1445
- filter: verifiableCredentialForRoleFilter(CredentialRole.HOLDER)
1883
+ filter: verifiableCredentialForRoleFilter2(CredentialRole.HOLDER)
1446
1884
  });
1447
- const branding = await agent.ibGetCredentialBranding();
1448
- const dcqlCredentialsWithCredentials = new Map(uniqueVerifiableCredentials.map((vc) => [
1449
- convertToDcqlCredentials(vc),
1450
- vc
1451
- ]));
1452
- const queryResult = DcqlQuery.query(dcqlQuery, Array.from(dcqlCredentialsWithCredentials.keys()));
1453
- const uniqueCredentials = Array.from(dcqlCredentialsWithCredentials.values());
1885
+ const credentialBranding = await agent.ibGetCredentialBranding();
1454
1886
  const selectableCredentialsMap = /* @__PURE__ */ new Map();
1455
- for (const [key, value] of Object.entries(queryResult.credential_matches)) {
1456
- if (!value.valid_credentials) {
1457
- continue;
1458
- }
1459
- const mapSelectableCredentialPromises = value.valid_credentials.map(async (cred) => {
1460
- const matchedCredential = uniqueCredentials[cred.input_credential_index];
1461
- const credentialBranding = branding.filter((cb) => cb.vcHash === matchedCredential.hash);
1462
- const issuerPartyIdentity = await agent.cmGetContacts({
1463
- filter: [
1464
- {
1465
- identities: {
1466
- identifier: {
1467
- correlationId: matchedCredential.uniformVerifiableCredential.issuerDid
1887
+ for (const inputDescriptor of presentationDefinition.input_descriptors) {
1888
+ const partialPD = buildPartialPD(inputDescriptor, presentationDefinition);
1889
+ const originalCredentials = uniqueVerifiableCredentials.map((uniqueVC) => {
1890
+ return CredentialMapper4.storedCredentialToOriginalFormat(uniqueVC.originalVerifiableCredential);
1891
+ });
1892
+ const selectionResults = pex.selectFrom(partialPD, originalCredentials);
1893
+ const selectableCredentials = [];
1894
+ for (const selectedCredential of selectionResults.verifiableCredential || []) {
1895
+ const filteredUniqueVC = uniqueVerifiableCredentials.find((uniqueVC) => {
1896
+ const proof = uniqueVC.uniformVerifiableCredential.proof;
1897
+ return Array.isArray(proof) ? proof.some((proofItem) => proofItem.jwt === selectedCredential) : proof.jwt === selectedCredential;
1898
+ });
1899
+ if (filteredUniqueVC) {
1900
+ const filteredCredentialBrandings = credentialBranding.filter((cb) => cb.vcHash === filteredUniqueVC.hash);
1901
+ const issuerPartyIdentity = await agent.cmGetContacts({
1902
+ filter: [
1903
+ {
1904
+ identities: {
1905
+ identifier: {
1906
+ correlationId: filteredUniqueVC.uniformVerifiableCredential.issuerDid
1907
+ }
1468
1908
  }
1469
1909
  }
1470
- }
1471
- ]
1472
- });
1473
- const subjectPartyIdentity = await agent.cmGetContacts({
1474
- filter: [
1475
- {
1476
- identities: {
1477
- identifier: {
1478
- correlationId: matchedCredential.uniformVerifiableCredential.subjectDid
1910
+ ]
1911
+ });
1912
+ const subjectPartyIdentity = await agent.cmGetContacts({
1913
+ filter: [
1914
+ {
1915
+ identities: {
1916
+ identifier: {
1917
+ correlationId: filteredUniqueVC.uniformVerifiableCredential.subjectDid
1918
+ }
1479
1919
  }
1480
1920
  }
1481
- }
1482
- ]
1483
- });
1484
- return {
1485
- credential: matchedCredential,
1486
- credentialBranding: credentialBranding[0]?.localeBranding,
1487
- issuerParty: issuerPartyIdentity?.[0],
1488
- subjectParty: subjectPartyIdentity?.[0]
1489
- };
1490
- });
1491
- const selectableCredentials = await Promise.all(mapSelectableCredentialPromises);
1492
- selectableCredentialsMap.set(key, selectableCredentials);
1921
+ ]
1922
+ });
1923
+ selectableCredentials.push({
1924
+ credential: filteredUniqueVC,
1925
+ credentialBranding: filteredCredentialBrandings[0]?.localeBranding,
1926
+ issuerParty: issuerPartyIdentity?.[0],
1927
+ subjectParty: subjectPartyIdentity?.[0]
1928
+ });
1929
+ }
1930
+ }
1931
+ selectableCredentialsMap.set(inputDescriptor.id, selectableCredentials);
1493
1932
  }
1494
1933
  return selectableCredentialsMap;
1495
1934
  }, "getSelectableCredentials");
@@ -1530,7 +1969,7 @@ var DidAuthSiopOpAuthenticator = class {
1530
1969
  static {
1531
1970
  __name(this, "DidAuthSiopOpAuthenticator");
1532
1971
  }
1533
- schema = plugin_schema_default.IDidAuthSiopOpAuthenticator;
1972
+ schema = schema.IDidAuthSiopOpAuthenticator;
1534
1973
  methods = {
1535
1974
  siopGetOPSession: this.siopGetOPSession.bind(this),
1536
1975
  siopRegisterOPSession: this.siopRegisterOPSession.bind(this),
@@ -1673,7 +2112,7 @@ var DidAuthSiopOpAuthenticator = class {
1673
2112
  const url = verifiedAuthorizationRequest.responseURI ?? (args.url.includes("request_uri") ? decodeURIComponent(args.url.split("?request_uri=")[1].trim()) : verifiedAuthorizationRequest.issuer ?? verifiedAuthorizationRequest.registrationMetadataPayload?.client_id);
1674
2113
  const uri = url.includes("://") ? new URL(url) : void 0;
1675
2114
  const correlationId = uri?.hostname ?? await this.determineCorrelationId(uri, verifiedAuthorizationRequest, clientName, context);
1676
- const clientId = verifiedAuthorizationRequest.authorizationRequest.getMergedProperty("client_id");
2115
+ const clientId = await verifiedAuthorizationRequest.authorizationRequest.getMergedProperty("client_id");
1677
2116
  return {
1678
2117
  issuer: verifiedAuthorizationRequest.issuer,
1679
2118
  correlationId,
@@ -1681,6 +2120,7 @@ var DidAuthSiopOpAuthenticator = class {
1681
2120
  uri,
1682
2121
  name: clientName,
1683
2122
  clientId,
2123
+ presentationDefinitions: await verifiedAuthorizationRequest.authorizationRequest.containsResponseType("vp_token") || verifiedAuthorizationRequest.versions.every((version) => version <= SupportedVersion3.JWT_VC_PRESENTATION_PROFILE_v1) && verifiedAuthorizationRequest.presentationDefinitions && verifiedAuthorizationRequest.presentationDefinitions.length > 0 ? verifiedAuthorizationRequest.presentationDefinitions : void 0,
1684
2124
  dcqlQuery: verifiedAuthorizationRequest.dcqlQuery
1685
2125
  };
1686
2126
  }
@@ -1757,14 +2197,75 @@ var DidAuthSiopOpAuthenticator = class {
1757
2197
  if (authorizationRequestData === void 0) {
1758
2198
  return Promise.reject(Error("Missing authorization request data in context"));
1759
2199
  }
2200
+ const pex = new PEX3({
2201
+ hasher: this.hasher
2202
+ });
2203
+ const verifiableCredentialsWithDefinition = [];
2204
+ const dcqlCredentialsWithCredentials = /* @__PURE__ */ new Map();
2205
+ if (Array.isArray(authorizationRequestData.presentationDefinitions) && authorizationRequestData?.presentationDefinitions.length > 0) {
2206
+ try {
2207
+ authorizationRequestData.presentationDefinitions?.forEach((presentationDefinition) => {
2208
+ const { areRequiredCredentialsPresent, verifiableCredential: verifiableCredentials } = pex.selectFrom(presentationDefinition.definition, selectedCredentials.map((udc) => udc.originalVerifiableCredential));
2209
+ if (areRequiredCredentialsPresent !== Status2.ERROR && verifiableCredentials) {
2210
+ let uniqueDigitalCredentials = [];
2211
+ uniqueDigitalCredentials = verifiableCredentials.map((vc) => {
2212
+ const hash = typeof vc === "string" ? computeEntryHash(vc.split("~"[0])) : computeEntryHash(vc);
2213
+ const udc = selectedCredentials.find((udc2) => udc2.hash == hash || udc2.originalVerifiableCredential == vc);
2214
+ if (!udc) {
2215
+ throw Error(`UniqueDigitalCredential could not be found in store. Either the credential is not present in the store or the hash is not correct.`);
2216
+ }
2217
+ return udc;
2218
+ });
2219
+ verifiableCredentialsWithDefinition.push({
2220
+ definition: presentationDefinition,
2221
+ credentials: uniqueDigitalCredentials
2222
+ });
2223
+ }
2224
+ });
2225
+ } catch (e) {
2226
+ return Promise.reject(e);
2227
+ }
2228
+ if (verifiableCredentialsWithDefinition.length === 0) {
2229
+ return Promise.reject(Error("None of the selected credentials match any of the presentation definitions."));
2230
+ }
2231
+ } else if (authorizationRequestData.dcqlQuery) {
2232
+ if (this.hasMDocCredentials(selectedCredentials) || this.hasSdJwtCredentials(selectedCredentials)) {
2233
+ try {
2234
+ selectedCredentials.forEach((vc) => {
2235
+ if (this.isSdJwtCredential(vc)) {
2236
+ const payload = vc.originalVerifiableCredential.decodedPayload;
2237
+ const result = {
2238
+ claims: payload,
2239
+ vct: payload.vct,
2240
+ credential_format: "vc+sd-jwt"
2241
+ };
2242
+ dcqlCredentialsWithCredentials.set(result, vc);
2243
+ } else {
2244
+ throw Error(`Invalid credential format: ${vc.digitalCredential.documentFormat}`);
2245
+ }
2246
+ });
2247
+ } catch (e) {
2248
+ return Promise.reject(e);
2249
+ }
2250
+ const dcqlPresentationRecord = {};
2251
+ const queryResult = DcqlQuery2.query(authorizationRequestData.dcqlQuery, Array.from(dcqlCredentialsWithCredentials.keys()));
2252
+ for (const [key, value] of Object.entries(queryResult.credential_matches)) {
2253
+ if (value.success) {
2254
+ dcqlPresentationRecord[key] = this.retrieveEncodedCredential(dcqlCredentialsWithCredentials.get(value.output));
2255
+ }
2256
+ }
2257
+ }
2258
+ }
1760
2259
  const response = await siopSendAuthorizationResponse(ConnectionType2.SIOPv2_OpenID4VP, {
1761
2260
  sessionId: didAuthConfig.sessionId,
1762
2261
  ...args.idOpts && {
1763
2262
  idOpts: args.idOpts
1764
2263
  },
2264
+ ...authorizationRequestData.presentationDefinitions !== void 0 && {
2265
+ verifiableCredentialsWithDefinition
2266
+ },
1765
2267
  isFirstParty,
1766
- hasher: this.hasher,
1767
- credentials: selectedCredentials
2268
+ hasher: this.hasher
1768
2269
  }, context);
1769
2270
  const contentType = response.headers.get("content-type") || "";
1770
2271
  let responseBody = null;
@@ -1778,12 +2279,30 @@ var DidAuthSiopOpAuthenticator = class {
1778
2279
  queryParams: decodeUriAsJson(response?.url)
1779
2280
  };
1780
2281
  }
2282
+ hasMDocCredentials = /* @__PURE__ */ __name((credentials) => {
2283
+ return credentials.some(this.isMDocCredential);
2284
+ }, "hasMDocCredentials");
2285
+ isMDocCredential = /* @__PURE__ */ __name((credential) => {
2286
+ return credential.digitalCredential.documentFormat === CredentialDocumentFormat.MSO_MDOC && credential.digitalCredential.documentType === DocumentType.VC;
2287
+ }, "isMDocCredential");
2288
+ hasSdJwtCredentials = /* @__PURE__ */ __name((credentials) => {
2289
+ return credentials.some(this.isSdJwtCredential);
2290
+ }, "hasSdJwtCredentials");
2291
+ isSdJwtCredential = /* @__PURE__ */ __name((credential) => {
2292
+ return credential.digitalCredential.documentFormat === CredentialDocumentFormat.SD_JWT && credential.digitalCredential.documentType === DocumentType.VC;
2293
+ }, "isSdJwtCredential");
2294
+ retrieveEncodedCredential = /* @__PURE__ */ __name((credential) => {
2295
+ return credential.originalVerifiableCredential !== void 0 && credential.originalVerifiableCredential !== null && credential?.originalVerifiableCredential?.compactSdJwtVc !== void 0 && credential?.originalVerifiableCredential?.compactSdJwtVc !== null ? credential.originalVerifiableCredential.compactSdJwtVc : credential.originalVerifiableCredential;
2296
+ }, "retrieveEncodedCredential");
1781
2297
  async siopGetSelectableCredentials(args, context) {
1782
2298
  const { authorizationRequestData } = args;
1783
- if (!authorizationRequestData?.dcqlQuery) {
1784
- return Promise.reject(Error("Missing required dcql query in context"));
2299
+ if (!authorizationRequestData || !authorizationRequestData.presentationDefinitions || authorizationRequestData.presentationDefinitions.length === 0) {
2300
+ return Promise.reject(Error("Missing required fields in arguments or context"));
2301
+ }
2302
+ if (authorizationRequestData.presentationDefinitions.length > 1) {
2303
+ return Promise.reject(Error("Multiple presentation definitions present"));
1785
2304
  }
1786
- return getSelectableCredentials(authorizationRequestData?.dcqlQuery, context);
2305
+ return getSelectableCredentials(authorizationRequestData.presentationDefinitions[0].definition, context);
1787
2306
  }
1788
2307
  };
1789
2308
 
@@ -1869,6 +2388,9 @@ var Siopv2OID4VPLinkHandler = class extends LinkHandlerAdapter {
1869
2388
  }
1870
2389
  }
1871
2390
  };
2391
+
2392
+ // src/index.ts
2393
+ var schema = require_plugin_schema();
1872
2394
  export {
1873
2395
  DEFAULT_JWT_PROOF_TYPE,
1874
2396
  DID_PREFIX,
@@ -1886,14 +2408,14 @@ export {
1886
2408
  Siopv2MachineStates,
1887
2409
  Siopv2OID4VPLinkHandler,
1888
2410
  SupportedLanguage,
1889
- convertToDcqlCredentials,
1890
2411
  createJwtCallbackWithIdOpts,
1891
2412
  createJwtCallbackWithOpOpts,
1892
2413
  createOID4VPPresentationSignCallback,
1893
2414
  createOP,
1894
2415
  createOPBuilder,
1895
2416
  didAuthSiopOpAuthenticatorMethods,
2417
+ events,
1896
2418
  getSigningAlgo,
1897
- plugin_schema_default as schema
2419
+ schema
1898
2420
  };
1899
2421
  //# sourceMappingURL=index.js.map