@sphereon/ssi-sdk.siopv2-oid4vp-op-auth 0.34.1-feature.SSISDK.58.host.nonce.endpoint.194 → 0.34.1-feature.SSISDK.62.219

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sphereon/ssi-sdk.siopv2-oid4vp-op-auth",
-  "version": "0.34.1-feature.SSISDK.58.host.nonce.endpoint.194+287878cc",
+  "version": "0.34.1-feature.SSISDK.62.219+f3e005e9",
   "source": "src/index.ts",
   "type": "module",
   "main": "./dist/index.cjs",
@@ -26,26 +26,26 @@
     "build": "tsup --config ../../tsup.config.ts --tsconfig ../../tsconfig.tsup.json"
   },
   "dependencies": {
-    "@sphereon/did-auth-siop": "0.19.1-feature.DIIPv4.161",
-    "@sphereon/did-auth-siop-adapter": "0.19.1-feature.DIIPv4.161",
-    "@sphereon/oid4vc-common": "0.19.1-feature.DIIPv4.161",
+    "@sphereon/did-auth-siop": "0.19.1-feature.SSISDK.62.162",
+    "@sphereon/did-auth-siop-adapter": "0.19.1-feature.SSISDK.62.162",
+    "@sphereon/oid4vc-common": "0.19.1-feature.SSISDK.62.162",
     "@sphereon/pex": "5.0.0-unstable.28",
     "@sphereon/pex-models": "^2.3.2",
-    "@sphereon/ssi-sdk-ext.did-utils": "0.34.1-feature.SSISDK.58.host.nonce.endpoint.194+287878cc",
-    "@sphereon/ssi-sdk-ext.identifier-resolution": "0.34.1-feature.SSISDK.58.host.nonce.endpoint.194+287878cc",
-    "@sphereon/ssi-sdk-ext.jwt-service": "0.34.1-feature.SSISDK.58.host.nonce.endpoint.194+287878cc",
-    "@sphereon/ssi-sdk.contact-manager": "0.34.1-feature.SSISDK.58.host.nonce.endpoint.194+287878cc",
-    "@sphereon/ssi-sdk.core": "0.34.1-feature.SSISDK.58.host.nonce.endpoint.194+287878cc",
-    "@sphereon/ssi-sdk.credential-store": "0.34.1-feature.SSISDK.58.host.nonce.endpoint.194+287878cc",
-    "@sphereon/ssi-sdk.credential-validation": "0.34.1-feature.SSISDK.58.host.nonce.endpoint.194+287878cc",
-    "@sphereon/ssi-sdk.data-store": "0.34.1-feature.SSISDK.58.host.nonce.endpoint.194+287878cc",
-    "@sphereon/ssi-sdk.issuance-branding": "0.34.1-feature.SSISDK.58.host.nonce.endpoint.194+287878cc",
-    "@sphereon/ssi-sdk.pd-manager": "0.34.1-feature.SSISDK.58.host.nonce.endpoint.194+287878cc",
-    "@sphereon/ssi-sdk.presentation-exchange": "0.34.1-feature.SSISDK.58.host.nonce.endpoint.194+287878cc",
-    "@sphereon/ssi-sdk.sd-jwt": "0.34.1-feature.SSISDK.58.host.nonce.endpoint.194+287878cc",
-    "@sphereon/ssi-sdk.siopv2-oid4vp-common": "0.34.1-feature.SSISDK.58.host.nonce.endpoint.194+287878cc",
-    "@sphereon/ssi-sdk.xstate-machine-persistence": "0.34.1-feature.SSISDK.58.host.nonce.endpoint.194+287878cc",
-    "@sphereon/ssi-types": "0.34.1-feature.SSISDK.58.host.nonce.endpoint.194+287878cc",
+    "@sphereon/ssi-sdk-ext.did-utils": "0.34.1-feature.SSISDK.62.219+f3e005e9",
+    "@sphereon/ssi-sdk-ext.identifier-resolution": "0.34.1-feature.SSISDK.62.219+f3e005e9",
+    "@sphereon/ssi-sdk-ext.jwt-service": "0.34.1-feature.SSISDK.62.219+f3e005e9",
+    "@sphereon/ssi-sdk.contact-manager": "0.34.1-feature.SSISDK.62.219+f3e005e9",
+    "@sphereon/ssi-sdk.core": "0.34.1-feature.SSISDK.62.219+f3e005e9",
+    "@sphereon/ssi-sdk.credential-store": "0.34.1-feature.SSISDK.62.219+f3e005e9",
+    "@sphereon/ssi-sdk.credential-validation": "0.34.1-feature.SSISDK.62.219+f3e005e9",
+    "@sphereon/ssi-sdk.data-store": "0.34.1-feature.SSISDK.62.219+f3e005e9",
+    "@sphereon/ssi-sdk.issuance-branding": "0.34.1-feature.SSISDK.62.219+f3e005e9",
+    "@sphereon/ssi-sdk.pd-manager": "0.34.1-feature.SSISDK.62.219+f3e005e9",
+    "@sphereon/ssi-sdk.presentation-exchange": "0.34.1-feature.SSISDK.62.219+f3e005e9",
+    "@sphereon/ssi-sdk.sd-jwt": "0.34.1-feature.SSISDK.62.219+f3e005e9",
+    "@sphereon/ssi-sdk.siopv2-oid4vp-common": "0.34.1-feature.SSISDK.62.219+f3e005e9",
+    "@sphereon/ssi-sdk.xstate-machine-persistence": "0.34.1-feature.SSISDK.62.219+f3e005e9",
+    "@sphereon/ssi-types": "0.34.1-feature.SSISDK.62.219+f3e005e9",
     "@sphereon/wellknown-dids-client": "^0.1.3",
     "@veramo/core": "4.2.0",
     "@veramo/credential-w3c": "4.2.0",
@@ -59,8 +59,8 @@
   },
   "devDependencies": {
     "@sphereon/did-uni-client": "^0.6.3",
-    "@sphereon/ssi-sdk-ext.did-resolver-jwk": "0.34.1-feature.SSISDK.58.host.nonce.endpoint.194+287878cc",
-    "@sphereon/ssi-sdk.agent-config": "0.34.1-feature.SSISDK.58.host.nonce.endpoint.194+287878cc",
+    "@sphereon/ssi-sdk-ext.did-resolver-jwk": "0.34.1-feature.SSISDK.62.219+f3e005e9",
+    "@sphereon/ssi-sdk.agent-config": "0.34.1-feature.SSISDK.62.219+f3e005e9",
     "@types/i18n-js": "^3.8.9",
     "@types/lodash.memoize": "^4.1.9",
     "@types/sha.js": "^2.4.4",
@@ -102,5 +102,5 @@
     "OpenID Connect",
     "Authenticator"
   ],
-  "gitHead": "287878cc3c59e1fe8f3303600e4139ef30258b17"
+  "gitHead": "f3e005e98495aaa97478b4448b86fa2a40ecc4de"
 }

package/src/services/Siopv2MachineService.ts

@@ -1,17 +1,27 @@
-import { AuthorizationRequest, Json, SupportedVersion } from '@sphereon/did-auth-siop'
+import { AuthorizationRequest } from '@sphereon/did-auth-siop'
+import type { PartialSdJwtDecodedVerifiableCredential, PartialSdJwtKbJwt } from '@sphereon/pex/dist/main/lib'
+import { calculateSdHash } from '@sphereon/pex/dist/main/lib/utils'
+import { getOrCreatePrimaryIdentifier, SupportedDidMethodEnum } from '@sphereon/ssi-sdk-ext.did-utils'
 import { isOID4VCIssuerIdentifier, ManagedIdentifierOptsOrResult } from '@sphereon/ssi-sdk-ext.identifier-resolution'
+import { encodeJoseBlob } from '@sphereon/ssi-sdk.core'
 import { UniqueDigitalCredential, verifiableCredentialForRoleFilter } from '@sphereon/ssi-sdk.credential-store'
 import { ConnectionType } from '@sphereon/ssi-sdk.data-store'
-import { CredentialRole } from '@sphereon/ssi-types'
-
-import { CredentialMapper, HasherSync, Loggers, OriginalVerifiableCredential, SdJwtDecodedVerifiableCredential } from '@sphereon/ssi-types'
+import { defaultGenerateDigest } from '@sphereon/ssi-sdk.sd-jwt'
+import {
+  CredentialMapper,
+  CredentialRole,
+  HasherSync,
+  Loggers,
+  OriginalVerifiableCredential,
+  SdJwtDecodedVerifiableCredential,
+} from '@sphereon/ssi-types'
+import { IAgentContext, IDIDManager } from '@veramo/core'
+import { DcqlPresentation, DcqlQuery } from 'dcql'
 import { OpSession } from '../session'
 import { LOGGER_NAMESPACE, RequiredContext, SelectableCredential, SelectableCredentialsMap, Siopv2HolderEvent } from '../types'
-import { encodeJoseBlob } from '@sphereon/ssi-sdk.core'
-import { DcqlPresentation, DcqlQuery } from 'dcql'
 import { convertToDcqlCredentials } from '../utils/dcql'
-import { IAgentContext, IDIDManager } from '@veramo/core'
-import { getOrCreatePrimaryIdentifier, SupportedDidMethodEnum } from '@sphereon/ssi-sdk-ext.did-utils'
+
+const CLOCK_SKEW = 120
 
 export const logger = Loggers.DEFAULT.get(LOGGER_NAMESPACE)
 
@@ -59,10 +69,8 @@ export const siopSendAuthorizationResponse = async (
   logger.debug(`AUD: ${aud}`)
   logger.debug(JSON.stringify(request.authorizationRequest))
 
-  const domain =
-    ((await request.authorizationRequest.getMergedProperty('client_id')) as string) ??
-    request.issuer ??
-    (request.versions.includes(SupportedVersion.JWT_VC_PRESENTATION_PROFILE_v1) ? 'https://self-issued.me/v2/openid-vc' : 'https://self-issued.me/v2')
+  const domain = ((await request.authorizationRequest.getMergedProperty('client_id')) as string) ?? request.issuer ?? 'https://self-issued.me/v2'
+
   logger.debug(`NONCE: ${session.nonce}, domain: ${domain}`)
 
   const firstUniqueDC = credentials[0]
@@ -137,8 +145,26 @@ export const siopSendAuthorizationResponse = async (
       if (!originalVc) {
         continue
       }
+      // FIXME SSISDK-44
+      const decodedSdJwt = await CredentialMapper.decodeSdJwtVcAsync(originalVc as string, defaultGenerateDigest)
+      const updatedSdJwt = updateSdJwtCredential(decodedSdJwt, request.requestObject?.getPayload()?.nonce, domain)
+
+      const presentationResult = await context.agent.createSdJwtPresentation({
+        presentation: updatedSdJwt.compactSdJwtVc,
+        kb: {
+          payload: {
+            ...updatedSdJwt.kbJwt?.payload,
+            // FIXME SSISDK-44
+            nonce: updatedSdJwt.kbJwt?.payload.nonce ?? request.requestObject!.getPayload()!.nonce,
+            // FIXME SSISDK-44
+            aud: updatedSdJwt.kbJwt?.payload.aud ?? domain,
+            iat: updatedSdJwt.kbJwt?.payload?.iat ?? Math.floor(Date.now() / 1000 - CLOCK_SKEW),
+          },
+        },
+      })
+
       if (originalVc) {
-        presentation[key] = originalVc as string | { [x: string]: Json }
+        presentation[key] = presentationResult.presentation
       }
     }
   }
@@ -220,3 +246,33 @@ export const translateCorrelationIdToName = async (correlationId: string, contex
 
   return contacts[0].contact.displayName
 }
+
+const updateSdJwtCredential = (
+  credential: SdJwtDecodedVerifiableCredential,
+  nonce?: string,
+  aud?: string,
+): PartialSdJwtDecodedVerifiableCredential => {
+  const sdJwtCredential = credential as SdJwtDecodedVerifiableCredential
+
+  // extract sd_alg or default to sha-256
+  const hashAlg = sdJwtCredential.signedPayload._sd_alg ?? 'sha-256'
+  const sdHash = calculateSdHash(sdJwtCredential.compactSdJwtVc, hashAlg, defaultGenerateDigest)
+
+  const kbJwt = {
+    // alg MUST be set by the signer
+    header: {
+      typ: 'kb+jwt',
+    },
+    payload: {
+      iat: Math.floor(new Date().getTime() / 1000),
+      sd_hash: sdHash,
+      ...(nonce && { nonce }),
+      ...(aud && { aud }),
+    },
+  } satisfies PartialSdJwtKbJwt
+
+  return {
+    ...sdJwtCredential,
+    kbJwt,
+  } satisfies PartialSdJwtDecodedVerifiableCredential
+}

package/src/types/siop-service/index.ts

@@ -1,13 +1,10 @@
-import {
-  PresentationSignCallback,
-  RPRegistrationMetadataPayload,
-  VerifiedAuthorizationRequest,
-} from '@sphereon/did-auth-siop'
+import { PresentationSignCallback, RPRegistrationMetadataPayload, VerifiedAuthorizationRequest } from '@sphereon/did-auth-siop'
 import { IIdentifierResolution, ManagedIdentifierOptsOrResult } from '@sphereon/ssi-sdk-ext.identifier-resolution'
 import { IContactManager } from '@sphereon/ssi-sdk.contact-manager'
 import { ICredentialStore, UniqueDigitalCredential } from '@sphereon/ssi-sdk.credential-store'
 import { DidAuthConfig, ICredentialLocaleBranding, Identity, Party } from '@sphereon/ssi-sdk.data-store'
 import { IIssuanceBranding } from '@sphereon/ssi-sdk.issuance-branding'
+import { ISDJwtPlugin } from '@sphereon/ssi-sdk.sd-jwt'
 import { IAgentContext, IDIDManager, IIdentifier, IResolver } from '@veramo/core'
 import { IDidAuthSiopOpAuthenticator } from '../IDidAuthSiopOpAuthenticator'
 import { Siopv2MachineContext, Siopv2MachineInterpreter, Siopv2MachineState } from '../machine'
@@ -90,5 +87,12 @@ export type OnIdentifierCreatedArgs = {
 }
 
 export type RequiredContext = IAgentContext<
-  IContactManager & IDidAuthSiopOpAuthenticator & IDIDManager & IResolver & IIdentifierResolution & ICredentialStore & IIssuanceBranding
+  IContactManager &
+    IDidAuthSiopOpAuthenticator &
+    IDIDManager &
+    IResolver &
+    IIdentifierResolution &
+    ICredentialStore &
+    IIssuanceBranding &
+    ISDJwtPlugin
 >

package/src/utils/CredentialUtils.ts

@@ -25,7 +25,7 @@ const getCredentialFromProofOrWrapped = (cred: any, hasher?: HasherSync): Origin
     return cred.proof.jwt
   }
 
-  return CredentialMapper.toWrappedVerifiableCredential(cred as OriginalVerifiableCredential, { hasher }).original
+  return CredentialMapper.toWrappedVerifiableCredential(cred as OriginalVerifiableCredential, { hasher }).original as OriginalVerifiableCredential // FIXME SSISDK-59
 }
 
 export const isUniqueDigitalCredential = (credential: InputCredential): credential is UniqueDigitalCredential => {