@sphereon/ssi-sdk.siopv2-oid4vp-op-auth 0.34.1-feature.SSISDK.58.host.nonce.endpoint.194 → 0.34.1-feature.SSISDK.62.219

package/dist/index.d.cts

@@ -533,7 +533,7 @@ type OnContactIdentityCreatedArgs = {
 type OnIdentifierCreatedArgs = {
     identifier: IIdentifier;
 };
-type RequiredContext = IAgentContext<IContactManager & IDidAuthSiopOpAuthenticator & IDIDManager & IResolver & IIdentifierResolution & ICredentialStore & IIssuanceBranding>;
+type RequiredContext = IAgentContext<IContactManager & IDidAuthSiopOpAuthenticator & IDIDManager & IResolver & IIdentifierResolution & ICredentialStore & IIssuanceBranding & ISDJwtPlugin>;
 
 type Siopv2MachineContext = {
     url: string;

package/dist/index.d.ts

@@ -533,7 +533,7 @@ type OnContactIdentityCreatedArgs = {
 type OnIdentifierCreatedArgs = {
     identifier: IIdentifier;
 };
-type RequiredContext = IAgentContext<IContactManager & IDidAuthSiopOpAuthenticator & IDIDManager & IResolver & IIdentifierResolution & ICredentialStore & IIssuanceBranding>;
+type RequiredContext = IAgentContext<IContactManager & IDidAuthSiopOpAuthenticator & IDIDManager & IResolver & IIdentifierResolution & ICredentialStore & IIssuanceBranding & ISDJwtPlugin>;
 
 type Siopv2MachineContext = {
     url: string;

package/dist/index.js

@@ -1287,13 +1287,14 @@ var Siopv2Machine = class {
 };
 
 // src/services/Siopv2MachineService.ts
-import { SupportedVersion as SupportedVersion2 } from "@sphereon/did-auth-siop";
+import { calculateSdHash } from "@sphereon/pex/dist/main/lib/utils";
+import { getOrCreatePrimaryIdentifier, SupportedDidMethodEnum } from "@sphereon/ssi-sdk-ext.did-utils";
 import { isOID4VCIssuerIdentifier } from "@sphereon/ssi-sdk-ext.identifier-resolution";
+import { encodeJoseBlob } from "@sphereon/ssi-sdk.core";
 import { verifiableCredentialForRoleFilter } from "@sphereon/ssi-sdk.credential-store";
 import { ConnectionType } from "@sphereon/ssi-sdk.data-store";
-import { CredentialRole } from "@sphereon/ssi-types";
-import { CredentialMapper as CredentialMapper3, Loggers as Loggers3 } from "@sphereon/ssi-types";
-import { encodeJoseBlob } from "@sphereon/ssi-sdk.core";
+import { defaultGenerateDigest } from "@sphereon/ssi-sdk.sd-jwt";
+import { CredentialMapper as CredentialMapper3, CredentialRole, Loggers as Loggers3 } from "@sphereon/ssi-types";
 import { DcqlPresentation, DcqlQuery } from "dcql";
 
 // src/utils/dcql.ts
@@ -1334,7 +1335,7 @@ function convertToDcqlCredentials(credential, hasher) {
 __name(convertToDcqlCredentials, "convertToDcqlCredentials");
 
 // src/services/Siopv2MachineService.ts
-import { getOrCreatePrimaryIdentifier, SupportedDidMethodEnum } from "@sphereon/ssi-sdk-ext.did-utils";
+var CLOCK_SKEW = 120;
 var logger3 = Loggers3.DEFAULT.get(LOGGER_NAMESPACE);
 var siopSendAuthorizationResponse = /* @__PURE__ */ __name(async (connectionType, args, context) => {
   const { agent } = context;
@@ -1349,7 +1350,7 @@ var siopSendAuthorizationResponse = /* @__PURE__ */ __name(async (connectionType
   const aud = request.authorizationRequest.getMergedProperty("aud");
   logger3.debug(`AUD: ${aud}`);
   logger3.debug(JSON.stringify(request.authorizationRequest));
-  const domain = await request.authorizationRequest.getMergedProperty("client_id") ?? request.issuer ?? (request.versions.includes(SupportedVersion2.JWT_VC_PRESENTATION_PROFILE_v1) ? "https://self-issued.me/v2/openid-vc" : "https://self-issued.me/v2");
+  const domain = await request.authorizationRequest.getMergedProperty("client_id") ?? request.issuer ?? "https://self-issued.me/v2";
   logger3.debug(`NONCE: ${session.nonce}, domain: ${domain}`);
   const firstUniqueDC = credentials[0];
   if (typeof firstUniqueDC !== "object" || !("digitalCredential" in firstUniqueDC)) {
@@ -1415,8 +1416,23 @@ var siopSendAuthorizationResponse = /* @__PURE__ */ __name(async (connectionType
       if (!originalVc) {
         continue;
       }
+      const decodedSdJwt = await CredentialMapper3.decodeSdJwtVcAsync(originalVc, defaultGenerateDigest);
+      const updatedSdJwt = updateSdJwtCredential(decodedSdJwt, request.requestObject?.getPayload()?.nonce, domain);
+      const presentationResult = await context.agent.createSdJwtPresentation({
+        presentation: updatedSdJwt.compactSdJwtVc,
+        kb: {
+          payload: {
+            ...updatedSdJwt.kbJwt?.payload,
+            // FIXME SSISDK-44
+            nonce: updatedSdJwt.kbJwt?.payload.nonce ?? request.requestObject.getPayload().nonce,
+            // FIXME SSISDK-44
+            aud: updatedSdJwt.kbJwt?.payload.aud ?? domain,
+            iat: updatedSdJwt.kbJwt?.payload?.iat ?? Math.floor(Date.now() / 1e3 - CLOCK_SKEW)
+          }
+        }
+      });
       if (originalVc) {
-        presentation[key] = originalVc;
+        presentation[key] = presentationResult.presentation;
       }
     }
   }
@@ -1509,6 +1525,31 @@ var translateCorrelationIdToName = /* @__PURE__ */ __name(async (correlationId,
   }
   return contacts[0].contact.displayName;
 }, "translateCorrelationIdToName");
+var updateSdJwtCredential = /* @__PURE__ */ __name((credential, nonce, aud) => {
+  const sdJwtCredential = credential;
+  const hashAlg = sdJwtCredential.signedPayload._sd_alg ?? "sha-256";
+  const sdHash = calculateSdHash(sdJwtCredential.compactSdJwtVc, hashAlg, defaultGenerateDigest);
+  const kbJwt = {
+    // alg MUST be set by the signer
+    header: {
+      typ: "kb+jwt"
+    },
+    payload: {
+      iat: Math.floor((/* @__PURE__ */ new Date()).getTime() / 1e3),
+      sd_hash: sdHash,
+      ...nonce && {
+        nonce
+      },
+      ...aud && {
+        aud
+      }
+    }
+  };
+  return {
+    ...sdJwtCredential,
+    kbJwt
+  };
+}, "updateSdJwtCredential");
 
 // src/agent/DidAuthSiopOpAuthenticator.ts
 var logger4 = Loggers4.DEFAULT.options(LOGGER_NAMESPACE, {}).get(LOGGER_NAMESPACE);