@sphereon/ssi-sdk.siopv2-oid4vp-op-auth 0.34.1-feature.SSISDK.58.host.nonce.endpoint.194 → 0.34.1-feature.SSISDK.62.219

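--- a/package/dist/index.cjs
+++ b/package/dist/index.cjs
@@ -423,9 +423,9 @@ var plugin_schema_default = {
  };
 
  // src/agent/DidAuthSiopOpAuthenticator.ts
- var import_did_auth_siop5 = require("@sphereon/did-auth-siop");
- var import_ssi_sdk6 = require("@sphereon/ssi-sdk.data-store");
- var import_ssi_types8 = require("@sphereon/ssi-types");
+ var import_did_auth_siop4 = require("@sphereon/did-auth-siop");
+ var import_ssi_sdk7 = require("@sphereon/ssi-sdk.data-store");
+ var import_ssi_types7 = require("@sphereon/ssi-types");
  var import_uuid2 = require("uuid");
 
  // src/session/functions.ts
@@ -1344,13 +1344,14 @@ var Siopv2Machine = class {
  };
 
  // src/services/Siopv2MachineService.ts
- var import_did_auth_siop4 = require("@sphereon/did-auth-siop");
- var import_ssi_sdk_ext3 = require("@sphereon/ssi-sdk-ext.identifier-resolution");
- var import_ssi_sdk3 = require("@sphereon/ssi-sdk.credential-store");
- var import_ssi_sdk4 = require("@sphereon/ssi-sdk.data-store");
+ var import_utils = require("@sphereon/pex/dist/main/lib/utils");
+ var import_ssi_sdk_ext3 = require("@sphereon/ssi-sdk-ext.did-utils");
+ var import_ssi_sdk_ext4 = require("@sphereon/ssi-sdk-ext.identifier-resolution");
+ var import_ssi_sdk3 = require("@sphereon/ssi-sdk.core");
+ var import_ssi_sdk4 = require("@sphereon/ssi-sdk.credential-store");
+ var import_ssi_sdk5 = require("@sphereon/ssi-sdk.data-store");
+ var import_ssi_sdk6 = require("@sphereon/ssi-sdk.sd-jwt");
  var import_ssi_types6 = require("@sphereon/ssi-types");
- var import_ssi_types7 = require("@sphereon/ssi-types");
- var import_ssi_sdk5 = require("@sphereon/ssi-sdk.core");
  var import_dcql = require("dcql");
 
  // src/utils/dcql.ts
@@ -1391,12 +1392,12 @@ function convertToDcqlCredentials(credential, hasher) {
  __name(convertToDcqlCredentials, "convertToDcqlCredentials");
 
  // src/services/Siopv2MachineService.ts
- var import_ssi_sdk_ext4 = require("@sphereon/ssi-sdk-ext.did-utils");
- var logger3 = import_ssi_types7.Loggers.DEFAULT.get(LOGGER_NAMESPACE);
+ var CLOCK_SKEW = 120;
+ var logger3 = import_ssi_types6.Loggers.DEFAULT.get(LOGGER_NAMESPACE);
  var siopSendAuthorizationResponse = /* @__PURE__ */ __name(async (connectionType, args, context) => {
  const { agent } = context;
  const { credentials } = args;
- if (connectionType !== import_ssi_sdk4.ConnectionType.SIOPv2_OpenID4VP) {
+ if (connectionType !== import_ssi_sdk5.ConnectionType.SIOPv2_OpenID4VP) {
  return Promise.reject(Error(`No supported authentication provider for type: ${connectionType}`));
  }
  const session = await agent.siopGetOPSession({
@@ -1406,7 +1407,7 @@ var siopSendAuthorizationResponse = /* @__PURE__ */ __name(async (connectionType
  const aud = request.authorizationRequest.getMergedProperty("aud");
  logger3.debug(`AUD: ${aud}`);
  logger3.debug(JSON.stringify(request.authorizationRequest));
- const domain = await request.authorizationRequest.getMergedProperty("client_id") ?? request.issuer ?? (request.versions.includes(import_did_auth_siop4.SupportedVersion.JWT_VC_PRESENTATION_PROFILE_v1) ? "https://self-issued.me/v2/openid-vc" : "https://self-issued.me/v2");
+ const domain = await request.authorizationRequest.getMergedProperty("client_id") ?? request.issuer ?? "https://self-issued.me/v2";
  logger3.debug(`NONCE: ${session.nonce}, domain: ${domain}`);
  const firstUniqueDC = credentials[0];
  if (typeof firstUniqueDC !== "object" || !("digitalCredential" in firstUniqueDC)) {
@@ -1415,9 +1416,9 @@ var siopSendAuthorizationResponse = /* @__PURE__ */ __name(async (connectionType
  let identifier;
  const digitalCredential = firstUniqueDC.digitalCredential;
  const firstVC = firstUniqueDC.uniformVerifiableCredential;
- const holder = import_ssi_types7.CredentialMapper.isSdJwtDecodedCredential(firstVC) ? firstVC.decodedPayload.cnf?.jwk ? (
+ const holder = import_ssi_types6.CredentialMapper.isSdJwtDecodedCredential(firstVC) ? firstVC.decodedPayload.cnf?.jwk ? (
  //doesn't apply to did:jwk only, as you can represent any DID key as a JWK. So whenever you encounter a JWK it doesn't mean it had to come from a did:jwk in the system. It just can always be represented as a did:jwk
- `did:jwk:${(0, import_ssi_sdk5.encodeJoseBlob)(firstVC.decodedPayload.cnf?.jwk)}#0`
+ `did:jwk:${(0, import_ssi_sdk3.encodeJoseBlob)(firstVC.decodedPayload.cnf?.jwk)}#0`
  ) : firstVC.decodedPayload.sub : Array.isArray(firstVC.credentialSubject) ? firstVC.credentialSubject[0].id : firstVC.credentialSubject.id;
  if (!digitalCredential.kmsKeyRef) {
  if (!holder) {
@@ -1431,7 +1432,7 @@ var siopSendAuthorizationResponse = /* @__PURE__ */ __name(async (connectionType
  logger3.debug(`Holder DID not found: ${holder}`);
  throw e;
  }
- } else if ((0, import_ssi_sdk_ext3.isOID4VCIssuerIdentifier)(digitalCredential.kmsKeyRef)) {
+ } else if ((0, import_ssi_sdk_ext4.isOID4VCIssuerIdentifier)(digitalCredential.kmsKeyRef)) {
  identifier = await session.context.agent.identifierManagedGetByOID4VCIssuer({
  identifier: firstUniqueDC.digitalCredential.kmsKeyRef
  });
@@ -1472,8 +1473,23 @@ var siopSendAuthorizationResponse = /* @__PURE__ */ __name(async (connectionType
  if (!originalVc) {
  continue;
  }
+ const decodedSdJwt = await import_ssi_types6.CredentialMapper.decodeSdJwtVcAsync(originalVc, import_ssi_sdk6.defaultGenerateDigest);
+ const updatedSdJwt = updateSdJwtCredential(decodedSdJwt, request.requestObject?.getPayload()?.nonce, domain);
+ const presentationResult = await context.agent.createSdJwtPresentation({
+ presentation: updatedSdJwt.compactSdJwtVc,
+ kb: {
+ payload: {
+ ...updatedSdJwt.kbJwt?.payload,
+ // FIXME SSISDK-44
+ nonce: updatedSdJwt.kbJwt?.payload.nonce ?? request.requestObject.getPayload().nonce,
+ // FIXME SSISDK-44
+ aud: updatedSdJwt.kbJwt?.payload.aud ?? domain,
+ iat: updatedSdJwt.kbJwt?.payload?.iat ?? Math.floor(Date.now() / 1e3 - CLOCK_SKEW)
+ }
+ }
+ });
  if (originalVc) {
- presentation[key] = originalVc;
+ presentation[key] = presentationResult.presentation;
  }
  }
  }
@@ -1497,7 +1513,7 @@ var getSelectableCredentials = /* @__PURE__ */ __name(async (dcqlQuery, context)
  };
  const { agent } = agentContext;
  const uniqueVerifiableCredentials = await agent.crsGetUniqueCredentials({
- filter: (0, import_ssi_sdk3.verifiableCredentialForRoleFilter)(import_ssi_types6.CredentialRole.HOLDER)
+ filter: (0, import_ssi_sdk4.verifiableCredentialForRoleFilter)(import_ssi_types6.CredentialRole.HOLDER)
  });
  const branding = await agent.ibGetCredentialBranding();
  const dcqlCredentialsWithCredentials = new Map(uniqueVerifiableCredentials.map((vc) => [
@@ -1566,9 +1582,34 @@ var translateCorrelationIdToName = /* @__PURE__ */ __name(async (correlationId,
  }
  return contacts[0].contact.displayName;
  }, "translateCorrelationIdToName");
+ var updateSdJwtCredential = /* @__PURE__ */ __name((credential, nonce, aud) => {
+ const sdJwtCredential = credential;
+ const hashAlg = sdJwtCredential.signedPayload._sd_alg ?? "sha-256";
+ const sdHash = (0, import_utils.calculateSdHash)(sdJwtCredential.compactSdJwtVc, hashAlg, import_ssi_sdk6.defaultGenerateDigest);
+ const kbJwt = {
+ // alg MUST be set by the signer
+ header: {
+ typ: "kb+jwt"
+ },
+ payload: {
+ iat: Math.floor((/* @__PURE__ */ new Date()).getTime() / 1e3),
+ sd_hash: sdHash,
+ ...nonce && {
+ nonce
+ },
+ ...aud && {
+ aud
+ }
+ }
+ };
+ return {
+ ...sdJwtCredential,
+ kbJwt
+ };
+ }, "updateSdJwtCredential");
 
  // src/agent/DidAuthSiopOpAuthenticator.ts
- var logger4 = import_ssi_types8.Loggers.DEFAULT.options(LOGGER_NAMESPACE, {}).get(LOGGER_NAMESPACE);
+ var logger4 = import_ssi_types7.Loggers.DEFAULT.options(LOGGER_NAMESPACE, {}).get(LOGGER_NAMESPACE);
  var didAuthSiopOpAuthenticatorMethods = [
  "cmGetContacts",
  "cmGetContact",
@@ -1784,12 +1825,12 @@ var DidAuthSiopOpAuthenticator = class {
  if (correlationId) {
  const identity = {
  alias: correlationId,
- origin: import_ssi_sdk6.IdentityOrigin.EXTERNAL,
+ origin: import_ssi_sdk7.IdentityOrigin.EXTERNAL,
  roles: [
- import_ssi_types8.CredentialRole.ISSUER
+ import_ssi_types7.CredentialRole.ISSUER
  ],
  identifier: {
- type: correlationId.startsWith("did:") ? import_ssi_sdk6.CorrelationIdentifierType.DID : import_ssi_sdk6.CorrelationIdentifierType.URL,
+ type: correlationId.startsWith("did:") ? import_ssi_sdk7.CorrelationIdentifierType.DID : import_ssi_sdk7.CorrelationIdentifierType.URL,
  correlationId
  }
  };
@@ -1812,7 +1853,7 @@ var DidAuthSiopOpAuthenticator = class {
  if (authorizationRequestData === void 0) {
  return Promise.reject(Error("Missing authorization request data in context"));
  }
- const response = await siopSendAuthorizationResponse(import_ssi_sdk6.ConnectionType.SIOPv2_OpenID4VP, {
+ const response = await siopSendAuthorizationResponse(import_ssi_sdk7.ConnectionType.SIOPv2_OpenID4VP, {
  sessionId: didAuthConfig.sessionId,
  ...args.idOpts && {
  idOpts: args.idOpts
@@ -1830,7 +1871,7 @@ var DidAuthSiopOpAuthenticator = class {
  return {
  body: responseBody,
  url: response?.url,
- queryParams: (0, import_did_auth_siop5.decodeUriAsJson)(response?.url)
+ queryParams: (0, import_did_auth_siop4.decodeUriAsJson)(response?.url)
  };
  }
  async siopGetSelectableCredentials(args, context) {
@@ -1843,11 +1884,11 @@ var DidAuthSiopOpAuthenticator = class {
  };
 
  // src/machine/CallbackStateListener.ts
- var import_ssi_types9 = require("@sphereon/ssi-types");
- var logger5 = import_ssi_types9.Loggers.DEFAULT.options("sphereon:siopv2-oid4vp:op-auth", {
- defaultLogLevel: import_ssi_types9.LogLevel.DEBUG,
+ var import_ssi_types8 = require("@sphereon/ssi-types");
+ var logger5 = import_ssi_types8.Loggers.DEFAULT.options("sphereon:siopv2-oid4vp:op-auth", {
+ defaultLogLevel: import_ssi_types8.LogLevel.DEBUG,
  methods: [
- import_ssi_types9.LogMethod.CONSOLE
+ import_ssi_types8.LogMethod.CONSOLE
  ]
  }).get("sphereon:siopv2-oid4vp:op-auth");
  var OID4VPCallbackStateListener = /* @__PURE__ */ __name((callbacks) => {
@@ -1877,12 +1918,12 @@ var OID4VPCallbackStateListener = /* @__PURE__ */ __name((callbacks) => {
  }, "OID4VPCallbackStateListener");
 
  // src/link-handler/index.ts
- var import_ssi_sdk7 = require("@sphereon/ssi-sdk.agent-config");
- var import_ssi_sdk8 = require("@sphereon/ssi-sdk.core");
- var import_ssi_sdk9 = require("@sphereon/ssi-sdk.xstate-machine-persistence");
- var import_ssi_types10 = require("@sphereon/ssi-types");
- var logger6 = import_ssi_types10.Loggers.DEFAULT.options(LOGGER_NAMESPACE, {}).get(LOGGER_NAMESPACE);
- var Siopv2OID4VPLinkHandler = class extends import_ssi_sdk8.LinkHandlerAdapter {
+ var import_ssi_sdk8 = require("@sphereon/ssi-sdk.agent-config");
+ var import_ssi_sdk9 = require("@sphereon/ssi-sdk.core");
+ var import_ssi_sdk10 = require("@sphereon/ssi-sdk.xstate-machine-persistence");
+ var import_ssi_types9 = require("@sphereon/ssi-types");
+ var logger6 = import_ssi_types9.Loggers.DEFAULT.options(LOGGER_NAMESPACE, {}).get(LOGGER_NAMESPACE);
+ var Siopv2OID4VPLinkHandler = class extends import_ssi_sdk9.LinkHandlerAdapter {
  static {
  __name(this, "Siopv2OID4VPLinkHandler");
  }
@@ -1908,8 +1949,8 @@ var Siopv2OID4VPLinkHandler = class extends import_ssi_sdk8.LinkHandlerAdapter {
  stateNavigationListener: this.stateNavigationListener
  });
  const interpreter = siopv2Machine.interpreter;
- if (!this.noStateMachinePersistence && !opts?.machineState && (0, import_ssi_sdk7.contextHasPlugin)(this.context, "machineStatesFindActive")) {
- const init = await (0, import_ssi_sdk9.interpreterStartOrResume)({
+ if (!this.noStateMachinePersistence && !opts?.machineState && (0, import_ssi_sdk8.contextHasPlugin)(this.context, "machineStatesFindActive")) {
+ const init = await (0, import_ssi_sdk10.interpreterStartOrResume)({
  interpreter,
  context: this.context,
  cleanupAllOtherInstances: true,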
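Review bot: In the `@@ -1472,8 +1473,23 @@` hunk the key-binding JWT can be built without a `nonce`, since `updateSdJwtCredential` adds it only when the request value is truthy and the fallback `request.requestObject.getPayload().nonce` re-reads the same source, this time without the optional chaining used on the line above. A request without a request object therefore throws a TypeError there, and a request object without a nonce appears to produce a presentation with no replay binding; failing closed before signing would be safer, e.g. `const nonce = request.requestObject?.getPayload()?.nonce;` then `if (!nonce) throw Error("authorization request has no nonce");`. The `iat` fallback using `CLOCK_SKEW` is never taken, because the helper always sets `iat` to the current time, so the intended backdating does not happen unless it moves into `updateSdJwtCredential`. `aud` can also end up as the generic `https://self-issued.me/v2` default of `domain`, which does not tie the presentation to one verifier. The enclosing loop in `siopSendAuthorizationResponse` starts and ends outside the hunk.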