@sphereon/ssi-sdk.siopv2-oid4vp-op-auth 0.34.1-feature.SSISDK.78.306 → 0.34.1-feature.SSISDK.82.linkedVP.325

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sphereon/ssi-sdk.siopv2-oid4vp-op-auth",
-  "version": "0.34.1-feature.SSISDK.78.306+9aff176a",
+  "version": "0.34.1-feature.SSISDK.82.linkedVP.325+9de5d4ff",
   "source": "src/index.ts",
   "type": "module",
   "main": "./dist/index.cjs",
@@ -26,26 +26,26 @@
     "build": "tsup --config ../../tsup.config.ts --tsconfig ../../tsconfig.tsup.json"
   },
   "dependencies": {
-    "@sphereon/did-auth-siop": "0.19.1-next.220",
-    "@sphereon/did-auth-siop-adapter": "0.19.1-next.220",
-    "@sphereon/oid4vc-common": "0.19.1-next.220",
+    "@sphereon/did-auth-siop": "0.19.1-next.226",
+    "@sphereon/did-auth-siop-adapter": "0.19.1-next.226",
+    "@sphereon/oid4vc-common": "0.19.1-next.226",
     "@sphereon/pex": "5.0.0-unstable.28",
     "@sphereon/pex-models": "^2.3.2",
-    "@sphereon/ssi-sdk-ext.did-utils": "0.34.1-feature.SSISDK.78.306+9aff176a",
-    "@sphereon/ssi-sdk-ext.identifier-resolution": "0.34.1-feature.SSISDK.78.306+9aff176a",
-    "@sphereon/ssi-sdk-ext.jwt-service": "0.34.1-feature.SSISDK.78.306+9aff176a",
-    "@sphereon/ssi-sdk.contact-manager": "0.34.1-feature.SSISDK.78.306+9aff176a",
-    "@sphereon/ssi-sdk.core": "0.34.1-feature.SSISDK.78.306+9aff176a",
-    "@sphereon/ssi-sdk.credential-store": "0.34.1-feature.SSISDK.78.306+9aff176a",
-    "@sphereon/ssi-sdk.credential-validation": "0.34.1-feature.SSISDK.78.306+9aff176a",
-    "@sphereon/ssi-sdk.data-store-types": "0.34.1-feature.SSISDK.78.306+9aff176a",
-    "@sphereon/ssi-sdk.issuance-branding": "0.34.1-feature.SSISDK.78.306+9aff176a",
-    "@sphereon/ssi-sdk.pd-manager": "0.34.1-feature.SSISDK.78.306+9aff176a",
-    "@sphereon/ssi-sdk.presentation-exchange": "0.34.1-feature.SSISDK.78.306+9aff176a",
-    "@sphereon/ssi-sdk.sd-jwt": "0.34.1-feature.SSISDK.78.306+9aff176a",
-    "@sphereon/ssi-sdk.siopv2-oid4vp-common": "0.34.1-feature.SSISDK.78.306+9aff176a",
-    "@sphereon/ssi-sdk.xstate-machine-persistence": "0.34.1-feature.SSISDK.78.306+9aff176a",
-    "@sphereon/ssi-types": "0.34.1-feature.SSISDK.78.306+9aff176a",
+    "@sphereon/ssi-sdk-ext.did-utils": "0.34.1-feature.SSISDK.82.linkedVP.325+9de5d4ff",
+    "@sphereon/ssi-sdk-ext.identifier-resolution": "0.34.1-feature.SSISDK.82.linkedVP.325+9de5d4ff",
+    "@sphereon/ssi-sdk-ext.jwt-service": "0.34.1-feature.SSISDK.82.linkedVP.325+9de5d4ff",
+    "@sphereon/ssi-sdk.contact-manager": "0.34.1-feature.SSISDK.82.linkedVP.325+9de5d4ff",
+    "@sphereon/ssi-sdk.core": "0.34.1-feature.SSISDK.82.linkedVP.325+9de5d4ff",
+    "@sphereon/ssi-sdk.credential-store": "0.34.1-feature.SSISDK.82.linkedVP.325+9de5d4ff",
+    "@sphereon/ssi-sdk.credential-validation": "0.34.1-feature.SSISDK.82.linkedVP.325+9de5d4ff",
+    "@sphereon/ssi-sdk.data-store-types": "0.34.1-feature.SSISDK.82.linkedVP.325+9de5d4ff",
+    "@sphereon/ssi-sdk.issuance-branding": "0.34.1-feature.SSISDK.82.linkedVP.325+9de5d4ff",
+    "@sphereon/ssi-sdk.pd-manager": "0.34.1-feature.SSISDK.82.linkedVP.325+9de5d4ff",
+    "@sphereon/ssi-sdk.presentation-exchange": "0.34.1-feature.SSISDK.82.linkedVP.325+9de5d4ff",
+    "@sphereon/ssi-sdk.sd-jwt": "0.34.1-feature.SSISDK.82.linkedVP.325+9de5d4ff",
+    "@sphereon/ssi-sdk.siopv2-oid4vp-common": "0.34.1-feature.SSISDK.82.linkedVP.325+9de5d4ff",
+    "@sphereon/ssi-sdk.xstate-machine-persistence": "0.34.1-feature.SSISDK.82.linkedVP.325+9de5d4ff",
+    "@sphereon/ssi-types": "0.34.1-feature.SSISDK.82.linkedVP.325+9de5d4ff",
     "@sphereon/wellknown-dids-client": "^0.1.3",
     "@veramo/core": "4.2.0",
     "@veramo/credential-w3c": "4.2.0",
@@ -59,8 +59,8 @@
   },
   "devDependencies": {
     "@sphereon/did-uni-client": "^0.6.3",
-    "@sphereon/ssi-sdk-ext.did-resolver-jwk": "0.34.1-feature.SSISDK.78.306+9aff176a",
-    "@sphereon/ssi-sdk.agent-config": "0.34.1-feature.SSISDK.78.306+9aff176a",
+    "@sphereon/ssi-sdk-ext.did-resolver-jwk": "0.34.1-feature.SSISDK.82.linkedVP.325+9de5d4ff",
+    "@sphereon/ssi-sdk.agent-config": "0.34.1-feature.SSISDK.82.linkedVP.325+9de5d4ff",
     "@types/i18n-js": "^3.8.9",
     "@types/lodash.memoize": "^4.1.9",
     "@types/sha.js": "^2.4.4",
@@ -102,5 +102,5 @@
     "OpenID Connect",
     "Authenticator"
   ],
-  "gitHead": "9aff176afa613d6f69fb1ff33d4f6c8c7b811ffd"
+  "gitHead": "9de5d4ff0d17685351d63a9685ec853f6add2d6c"
 }

package/src/services/Siopv2MachineService.ts

@@ -1,23 +1,13 @@
 import { AuthorizationRequest } from '@sphereon/did-auth-siop'
-import type { PartialSdJwtDecodedVerifiableCredential, PartialSdJwtKbJwt } from '@sphereon/pex/dist/main/lib/index.js'
-import { calculateSdHash } from '@sphereon/pex/dist/main/lib/utils/index.js'
 import { getOrCreatePrimaryIdentifier, SupportedDidMethodEnum } from '@sphereon/ssi-sdk-ext.did-utils'
 import { isOID4VCIssuerIdentifier, ManagedIdentifierOptsOrResult } from '@sphereon/ssi-sdk-ext.identifier-resolution'
 import { encodeJoseBlob } from '@sphereon/ssi-sdk.core'
 import { UniqueDigitalCredential, verifiableCredentialForRoleFilter } from '@sphereon/ssi-sdk.credential-store'
 import { ConnectionType } from '@sphereon/ssi-sdk.data-store-types'
-import { defaultGenerateDigest } from '@sphereon/ssi-sdk.sd-jwt'
-import {
-  CredentialMapper,
-  CredentialRole,
-  HasherSync,
-  Loggers,
-  OriginalVerifiableCredential,
-  SdJwtDecodedVerifiableCredential,
-} from '@sphereon/ssi-types'
+import { CredentialMapper, CredentialRole, HasherSync, Loggers, OriginalVerifiableCredential } from '@sphereon/ssi-types'
 import { IAgentContext, IDIDManager } from '@veramo/core'
 import { DcqlPresentation, DcqlQuery } from 'dcql'
-import { OpSession } from '../session'
+import { createVerifiablePresentationForFormat, OpSession, PresentationBuilderContext } from '../session'
 import { LOGGER_NAMESPACE, RequiredContext, SelectableCredential, SelectableCredentialsMap, Siopv2HolderEvent } from '../types'
 import { convertToDcqlCredentials } from '../utils/dcql'
 
@@ -81,15 +71,18 @@ export const siopSendAuthorizationResponse = async (
   let identifier: ManagedIdentifierOptsOrResult
   const digitalCredential = firstUniqueDC.digitalCredential
   const firstVC = firstUniqueDC.uniformVerifiableCredential
-  const holder = CredentialMapper.isSdJwtDecodedCredential(firstVC)
-    ? firstVC.decodedPayload.cnf?.jwk
-      ? //TODO SDK-19: convert the JWK to hex and search for the appropriate key and associated DID
-        //doesn't apply to did:jwk only, as you can represent any DID key as a JWK. So whenever you encounter a JWK it doesn't mean it had to come from a did:jwk in the system. It just can always be represented as a did:jwk
-        `did:jwk:${encodeJoseBlob(firstVC.decodedPayload.cnf?.jwk)}#0`
-      : firstVC.decodedPayload.sub
-    : Array.isArray(firstVC.credentialSubject)
-      ? firstVC.credentialSubject[0].id
-      : firstVC.credentialSubject.id
+
+  // Determine holder DID for identifier resolution
+  let holder: string | undefined
+  if (CredentialMapper.isSdJwtDecodedCredential(firstVC)) {
+    //  TODO SDK-19: convert the JWK to hex and search for the appropriate key and associated DID
+    //  doesn't apply to did:jwk only, as you can represent any DID key as a
+    holder = firstVC.decodedPayload.cnf?.jwk ? `did:jwk:${encodeJoseBlob(firstVC.decodedPayload.cnf?.jwk)}#0` : firstVC.decodedPayload.sub
+  } else {
+    holder = Array.isArray(firstVC.credentialSubject) ? firstVC.credentialSubject[0].id : firstVC.credentialSubject.id
+  }
+
+  // Resolve identifier
   if (!digitalCredential.kmsKeyRef) {
     // In case the store does not have the kmsKeyRef lets search for the holder
 
@@ -132,39 +125,34 @@ export const siopSendAuthorizationResponse = async (
     return Promise.reject(Error('Credentials do not match required query request'))
   }
 
+  // Build presentation context for format-aware VP creation
+  const presentationContext: PresentationBuilderContext = {
+    nonce: request.requestObject?.getPayload()?.nonce ?? session.nonce,
+    audience: domain,
+    agent: context.agent,
+    clockSkew: CLOCK_SKEW,
+    hasher: args.hasher,
+  }
+
+  // Build DCQL presentation with format-aware VPs
   const presentation: DcqlPresentation.Output = {}
   const uniqueCredentials = Array.from(dcqlCredentialsWithCredentials.values())
   for (const [key, value] of Object.entries(queryResult.credential_matches)) {
     if (value.success) {
       const matchedCredentials = value.valid_credentials.map((cred) => uniqueCredentials[cred.input_credential_index])
-      const vc = matchedCredentials[0] // taking the first match for now //uniqueCredentials[value.input_credential_index]
+      const vc = matchedCredentials[0] // taking the first match for now
+
       if (!vc) {
         continue
       }
-      const originalVc = retrieveEncodedCredential(vc as UniqueDigitalCredential) // TODO this is not nice // also always a UniqueDigitalCredential
-      if (!originalVc) {
-        continue
-      }
-      // FIXME SSISDK-44
-      const decodedSdJwt = await CredentialMapper.decodeSdJwtVcAsync(originalVc as string, defaultGenerateDigest)
-      const updatedSdJwt = updateSdJwtCredential(decodedSdJwt, request.requestObject?.getPayload()?.nonce, domain)
-
-      const presentationResult = await context.agent.createSdJwtPresentation({
-        presentation: updatedSdJwt.compactSdJwtVc,
-        kb: {
-          payload: {
-            ...updatedSdJwt.kbJwt?.payload,
-            // FIXME SSISDK-44
-            nonce: updatedSdJwt.kbJwt?.payload.nonce ?? request.requestObject!.getPayload()!.nonce,
-            // FIXME SSISDK-44
-            aud: updatedSdJwt.kbJwt?.payload.aud ?? domain,
-            iat: updatedSdJwt.kbJwt?.payload?.iat ?? Math.floor(Date.now() / 1000 - CLOCK_SKEW),
-          },
-        },
-      })
 
-      if (originalVc) {
-        presentation[key] = presentationResult.presentation
+      try {
+        // Use format-aware presentation builder
+        const vp = await createVerifiablePresentationForFormat(vc, identifier, presentationContext)
+        presentation[key] = vp as any
+      } catch (error) {
+        logger.error(`Failed to create VP for credential ${key}:`, error)
+        throw error
       }
     }
   }
@@ -182,15 +170,6 @@ export const siopSendAuthorizationResponse = async (
   return response
 }
 
-const retrieveEncodedCredential = (credential: UniqueDigitalCredential): OriginalVerifiableCredential | undefined => {
-  return credential.originalVerifiableCredential !== undefined &&
-    credential.originalVerifiableCredential !== null &&
-    (credential?.originalVerifiableCredential as SdJwtDecodedVerifiableCredential)?.compactSdJwtVc !== undefined &&
-    (credential?.originalVerifiableCredential as SdJwtDecodedVerifiableCredential)?.compactSdJwtVc !== null
-    ? (credential.originalVerifiableCredential as SdJwtDecodedVerifiableCredential).compactSdJwtVc
-    : credential.originalVerifiableCredential
-}
-
 export const getSelectableCredentials = async (dcqlQuery: DcqlQuery, context: RequiredContext): Promise<SelectableCredentialsMap> => {
   const agentContext = { ...context, agent: context.agent }
   const { agent } = agentContext
@@ -246,33 +225,3 @@ export const translateCorrelationIdToName = async (correlationId: string, contex
 
   return contacts[0].contact.displayName
 }
-
-const updateSdJwtCredential = (
-  credential: SdJwtDecodedVerifiableCredential,
-  nonce?: string,
-  aud?: string,
-): PartialSdJwtDecodedVerifiableCredential => {
-  const sdJwtCredential = credential as SdJwtDecodedVerifiableCredential
-
-  // extract sd_alg or default to sha-256
-  const hashAlg = sdJwtCredential.signedPayload._sd_alg ?? 'sha-256'
-  const sdHash = calculateSdHash(sdJwtCredential.compactSdJwtVc, hashAlg, defaultGenerateDigest)
-
-  const kbJwt = {
-    // alg MUST be set by the signer
-    header: {
-      typ: 'kb+jwt',
-    },
-    payload: {
-      iat: Math.floor(new Date().getTime() / 1000),
-      sd_hash: sdHash,
-      ...(nonce && { nonce }),
-      ...(aud && { aud }),
-    },
-  } satisfies PartialSdJwtKbJwt
-
-  return {
-    ...sdJwtCredential,
-    kbJwt,
-  } satisfies PartialSdJwtDecodedVerifiableCredential
-}