@sphereon/ssi-sdk.siopv2-oid4vp-op-auth 0.34.1-fix.117 → 0.34.1-fix.141

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sphereon/ssi-sdk.siopv2-oid4vp-op-auth",
-  "version": "0.34.1-fix.117+6f692cf3",
+  "version": "0.34.1-fix.141+ea643e42",
   "source": "src/index.ts",
   "type": "module",
   "main": "./dist/index.cjs",
@@ -31,21 +31,21 @@
     "@sphereon/oid4vc-common": "0.19.1-feature.DIIPv4.106",
     "@sphereon/pex": "5.0.0-unstable.28",
     "@sphereon/pex-models": "^2.3.2",
-    "@sphereon/ssi-sdk-ext.did-utils": "0.34.1-fix.117+6f692cf3",
-    "@sphereon/ssi-sdk-ext.identifier-resolution": "0.34.1-fix.117+6f692cf3",
-    "@sphereon/ssi-sdk-ext.jwt-service": "0.34.1-fix.117+6f692cf3",
-    "@sphereon/ssi-sdk.contact-manager": "0.34.1-fix.117+6f692cf3",
-    "@sphereon/ssi-sdk.core": "0.34.1-fix.117+6f692cf3",
-    "@sphereon/ssi-sdk.credential-store": "0.34.1-fix.117+6f692cf3",
-    "@sphereon/ssi-sdk.credential-validation": "0.34.1-fix.117+6f692cf3",
-    "@sphereon/ssi-sdk.data-store": "0.34.1-fix.117+6f692cf3",
-    "@sphereon/ssi-sdk.issuance-branding": "0.34.1-fix.117+6f692cf3",
-    "@sphereon/ssi-sdk.pd-manager": "0.34.1-fix.117+6f692cf3",
-    "@sphereon/ssi-sdk.presentation-exchange": "0.34.1-fix.117+6f692cf3",
-    "@sphereon/ssi-sdk.sd-jwt": "0.34.1-fix.117+6f692cf3",
-    "@sphereon/ssi-sdk.siopv2-oid4vp-common": "0.34.1-fix.117+6f692cf3",
-    "@sphereon/ssi-sdk.xstate-machine-persistence": "0.34.1-fix.117+6f692cf3",
-    "@sphereon/ssi-types": "0.34.1-fix.117+6f692cf3",
+    "@sphereon/ssi-sdk-ext.did-utils": "0.34.1-fix.141+ea643e42",
+    "@sphereon/ssi-sdk-ext.identifier-resolution": "0.34.1-fix.141+ea643e42",
+    "@sphereon/ssi-sdk-ext.jwt-service": "0.34.1-fix.141+ea643e42",
+    "@sphereon/ssi-sdk.contact-manager": "0.34.1-fix.141+ea643e42",
+    "@sphereon/ssi-sdk.core": "0.34.1-fix.141+ea643e42",
+    "@sphereon/ssi-sdk.credential-store": "0.34.1-fix.141+ea643e42",
+    "@sphereon/ssi-sdk.credential-validation": "0.34.1-fix.141+ea643e42",
+    "@sphereon/ssi-sdk.data-store": "0.34.1-fix.141+ea643e42",
+    "@sphereon/ssi-sdk.issuance-branding": "0.34.1-fix.141+ea643e42",
+    "@sphereon/ssi-sdk.pd-manager": "0.34.1-fix.141+ea643e42",
+    "@sphereon/ssi-sdk.presentation-exchange": "0.34.1-fix.141+ea643e42",
+    "@sphereon/ssi-sdk.sd-jwt": "0.34.1-fix.141+ea643e42",
+    "@sphereon/ssi-sdk.siopv2-oid4vp-common": "0.34.1-fix.141+ea643e42",
+    "@sphereon/ssi-sdk.xstate-machine-persistence": "0.34.1-fix.141+ea643e42",
+    "@sphereon/ssi-types": "0.34.1-fix.141+ea643e42",
     "@sphereon/wellknown-dids-client": "^0.1.3",
     "@veramo/core": "4.2.0",
     "@veramo/credential-w3c": "4.2.0",
@@ -59,8 +59,8 @@
   },
   "devDependencies": {
     "@sphereon/did-uni-client": "^0.6.3",
-    "@sphereon/ssi-sdk-ext.did-resolver-jwk": "0.34.1-fix.117+6f692cf3",
-    "@sphereon/ssi-sdk.agent-config": "0.34.1-fix.117+6f692cf3",
+    "@sphereon/ssi-sdk-ext.did-resolver-jwk": "0.34.1-fix.141+ea643e42",
+    "@sphereon/ssi-sdk.agent-config": "0.34.1-fix.141+ea643e42",
     "@types/i18n-js": "^3.8.9",
     "@types/lodash.memoize": "^4.1.9",
     "@types/sha.js": "^2.4.4",
@@ -102,5 +102,5 @@
     "OpenID Connect",
     "Authenticator"
   ],
-  "gitHead": "6f692cf3d1fdd6a52c757b80010d830c3daf6799"
+  "gitHead": "ea643e42804501f2a323a73971465d527981123d"
 }

package/src/agent/DidAuthSiopOpAuthenticator.ts

@@ -1,17 +1,6 @@
-import {
-  decodeUriAsJson,
-  PresentationSignCallback,
-  VerifiedAuthorizationRequest } from '@sphereon/did-auth-siop'
-import {
-  ConnectionType,
-  CorrelationIdentifierType,
-  CredentialRole,
-  Identity,
-  IdentityOrigin,
-  NonPersistedIdentity,
-  Party,
-} from '@sphereon/ssi-sdk.data-store'
-import { HasherSync, Loggers } from '@sphereon/ssi-types'
+import { decodeUriAsJson, PresentationSignCallback, VerifiedAuthorizationRequest } from '@sphereon/did-auth-siop'
+import { ConnectionType, CorrelationIdentifierType, Identity, IdentityOrigin, NonPersistedIdentity, Party } from '@sphereon/ssi-sdk.data-store'
+import { HasherSync, Loggers, CredentialRole } from '@sphereon/ssi-types'
 import { IAgentPlugin } from '@veramo/core'
 import { v4 as uuidv4 } from 'uuid'
 import { OpSession } from '../session'
@@ -92,13 +81,7 @@ export class DidAuthSiopOpAuthenticator implements IAgentPlugin {
   private readonly hasher?: HasherSync
 
   constructor(options?: DidAuthSiopOpAuthenticatorOptions) {
-    const {
-      onContactIdentityCreated,
-      onIdentifierCreated,
-      hasher,
-      customApprovals = {},
-      presentationSignCallback
-    } = { ...options }
+    const { onContactIdentityCreated, onIdentifierCreated, hasher, customApprovals = {}, presentationSignCallback } = { ...options }
 
     this.hasher = hasher
     this.onContactIdentityCreated = onContactIdentityCreated

package/src/services/Siopv2MachineService.ts

@@ -1,34 +1,17 @@
-import {
-  AuthorizationRequest,
-  Json,
-  SupportedVersion
-} from '@sphereon/did-auth-siop'
+import { AuthorizationRequest, Json, SupportedVersion } from '@sphereon/did-auth-siop'
 import { isOID4VCIssuerIdentifier, ManagedIdentifierOptsOrResult } from '@sphereon/ssi-sdk-ext.identifier-resolution'
 import { UniqueDigitalCredential, verifiableCredentialForRoleFilter } from '@sphereon/ssi-sdk.credential-store'
-import { ConnectionType, CredentialRole } from '@sphereon/ssi-sdk.data-store'
-import {
-  CredentialMapper,
-  HasherSync,
-  Loggers,
-  OriginalVerifiableCredential,
-  SdJwtDecodedVerifiableCredential
-} from '@sphereon/ssi-types'
+import { ConnectionType } from '@sphereon/ssi-sdk.data-store'
+import { CredentialRole } from '@sphereon/ssi-types'
+
+import { CredentialMapper, HasherSync, Loggers, OriginalVerifiableCredential, SdJwtDecodedVerifiableCredential } from '@sphereon/ssi-types'
 import { OpSession } from '../session'
-import {
-  LOGGER_NAMESPACE,
-  RequiredContext,
-  SelectableCredential,
-  SelectableCredentialsMap,
-  Siopv2HolderEvent
-} from '../types'
+import { LOGGER_NAMESPACE, RequiredContext, SelectableCredential, SelectableCredentialsMap, Siopv2HolderEvent } from '../types'
 import { encodeJoseBlob } from '@sphereon/ssi-sdk.core'
 import { DcqlPresentation, DcqlQuery } from 'dcql'
 import { convertToDcqlCredentials } from '../utils/dcql'
 import { IAgentContext, IDIDManager } from '@veramo/core'
-import {
-  getOrCreatePrimaryIdentifier,
-  SupportedDidMethodEnum
-} from '@sphereon/ssi-sdk-ext.did-utils'
+import { getOrCreatePrimaryIdentifier, SupportedDidMethodEnum } from '@sphereon/ssi-sdk-ext.did-utils'
 
 export const logger = Loggers.DEFAULT.get(LOGGER_NAMESPACE)
 
@@ -76,68 +59,64 @@ export const siopSendAuthorizationResponse = async (
   logger.debug(`AUD: ${aud}`)
   logger.debug(JSON.stringify(request.authorizationRequest))
 
-      const domain =
-        ((await request.authorizationRequest.getMergedProperty('client_id')) as string) ??
-        request.issuer ??
-        (request.versions.includes(SupportedVersion.JWT_VC_PRESENTATION_PROFILE_v1)
-          ? 'https://self-issued.me/v2/openid-vc'
-          : 'https://self-issued.me/v2')
-      logger.debug(`NONCE: ${session.nonce}, domain: ${domain}`)
-
-      const firstUniqueDC = credentials[0]
-      if (typeof firstUniqueDC !== 'object' || !('digitalCredential' in firstUniqueDC)) {
-        return Promise.reject(Error('SiopMachine only supports UniqueDigitalCredentials for now'))
-      }
+  const domain =
+    ((await request.authorizationRequest.getMergedProperty('client_id')) as string) ??
+    request.issuer ??
+    (request.versions.includes(SupportedVersion.JWT_VC_PRESENTATION_PROFILE_v1) ? 'https://self-issued.me/v2/openid-vc' : 'https://self-issued.me/v2')
+  logger.debug(`NONCE: ${session.nonce}, domain: ${domain}`)
+
+  const firstUniqueDC = credentials[0]
+  if (typeof firstUniqueDC !== 'object' || !('digitalCredential' in firstUniqueDC)) {
+    return Promise.reject(Error('SiopMachine only supports UniqueDigitalCredentials for now'))
+  }
 
-      let identifier: ManagedIdentifierOptsOrResult
-      const digitalCredential = firstUniqueDC.digitalCredential
-      const firstVC = firstUniqueDC.uniformVerifiableCredential
-      const holder = CredentialMapper.isSdJwtDecodedCredential(firstVC)
-        ? firstVC.decodedPayload.cnf?.jwk
-          ? //TODO SDK-19: convert the JWK to hex and search for the appropriate key and associated DID
-            //doesn't apply to did:jwk only, as you can represent any DID key as a JWK. So whenever you encounter a JWK it doesn't mean it had to come from a did:jwk in the system. It just can always be represented as a did:jwk
-            `did:jwk:${encodeJoseBlob(firstVC.decodedPayload.cnf?.jwk)}#0`
-          : firstVC.decodedPayload.sub
-        : Array.isArray(firstVC.credentialSubject)
-          ? firstVC.credentialSubject[0].id
-          : firstVC.credentialSubject.id
-      if (!digitalCredential.kmsKeyRef) {
-        // In case the store does not have the kmsKeyRef lets search for the holder
-
-        if (!holder) {
-          return Promise.reject(`No holder found and no kmsKeyRef in DB. Cannot determine identifier to use`)
-        }
-        try {
-          identifier = await session.context.agent.identifierManagedGet({ identifier: holder })
-        } catch (e) {
-          logger.debug(`Holder DID not found: ${holder}`)
-          throw e
-        }
-      } else if (isOID4VCIssuerIdentifier(digitalCredential.kmsKeyRef)) {
-        identifier = await session.context.agent.identifierManagedGetByOID4VCIssuer({
-          identifier: firstUniqueDC.digitalCredential.kmsKeyRef,
+  let identifier: ManagedIdentifierOptsOrResult
+  const digitalCredential = firstUniqueDC.digitalCredential
+  const firstVC = firstUniqueDC.uniformVerifiableCredential
+  const holder = CredentialMapper.isSdJwtDecodedCredential(firstVC)
+    ? firstVC.decodedPayload.cnf?.jwk
+      ? //TODO SDK-19: convert the JWK to hex and search for the appropriate key and associated DID
+        //doesn't apply to did:jwk only, as you can represent any DID key as a JWK. So whenever you encounter a JWK it doesn't mean it had to come from a did:jwk in the system. It just can always be represented as a did:jwk
+        `did:jwk:${encodeJoseBlob(firstVC.decodedPayload.cnf?.jwk)}#0`
+      : firstVC.decodedPayload.sub
+    : Array.isArray(firstVC.credentialSubject)
+      ? firstVC.credentialSubject[0].id
+      : firstVC.credentialSubject.id
+  if (!digitalCredential.kmsKeyRef) {
+    // In case the store does not have the kmsKeyRef lets search for the holder
+
+    if (!holder) {
+      return Promise.reject(`No holder found and no kmsKeyRef in DB. Cannot determine identifier to use`)
+    }
+    try {
+      identifier = await session.context.agent.identifierManagedGet({ identifier: holder })
+    } catch (e) {
+      logger.debug(`Holder DID not found: ${holder}`)
+      throw e
+    }
+  } else if (isOID4VCIssuerIdentifier(digitalCredential.kmsKeyRef)) {
+    identifier = await session.context.agent.identifierManagedGetByOID4VCIssuer({
+      identifier: firstUniqueDC.digitalCredential.kmsKeyRef,
+    })
+  } else {
+    switch (digitalCredential.subjectCorrelationType) {
+      case 'DID':
+        identifier = await session.context.agent.identifierManagedGetByDid({
+          identifier: digitalCredential.subjectCorrelationId ?? holder,
+          kmsKeyRef: digitalCredential.kmsKeyRef,
         })
-      } else {
-        switch (digitalCredential.subjectCorrelationType) {
-          case 'DID':
-            identifier = await session.context.agent.identifierManagedGetByDid({
-              identifier: digitalCredential.subjectCorrelationId ?? holder,
-              kmsKeyRef: digitalCredential.kmsKeyRef,
-            })
-            break
-          // TODO other implementations?
-          default:
-            // Since we are using the kmsKeyRef we will find the KID regardless of the identifier. We set it for later access though
-            identifier = await session.context.agent.identifierManagedGetByKid({
-              identifier: digitalCredential.subjectCorrelationId ?? holder ?? digitalCredential.kmsKeyRef,
-              kmsKeyRef: digitalCredential.kmsKeyRef,
-            })
-        }
-      }
+        break
+      // TODO other implementations?
+      default:
+        // Since we are using the kmsKeyRef we will find the KID regardless of the identifier. We set it for later access though
+        identifier = await session.context.agent.identifierManagedGetByKid({
+          identifier: digitalCredential.subjectCorrelationId ?? holder ?? digitalCredential.kmsKeyRef,
+          kmsKeyRef: digitalCredential.kmsKeyRef,
+        })
+    }
+  }
 
-  const dcqlCredentialsWithCredentials = new Map(
-    credentials.map((vc) => [convertToDcqlCredentials(vc), vc])
-  )
+  const dcqlCredentialsWithCredentials = new Map(credentials.map((vc) => [convertToDcqlCredentials(vc), vc]))
 
   const queryResult = DcqlQuery.query(request.dcqlQuery, Array.from(dcqlCredentialsWithCredentials.keys()))
 
@@ -149,7 +128,7 @@ export const siopSendAuthorizationResponse = async (
   const uniqueCredentials = Array.from(dcqlCredentialsWithCredentials.values())
   for (const [key, value] of Object.entries(queryResult.credential_matches)) {
     if (value.success) {
-      const matchedCredentials = value.valid_credentials.map(cred => uniqueCredentials[cred.input_credential_index])
+      const matchedCredentials = value.valid_credentials.map((cred) => uniqueCredentials[cred.input_credential_index])
       const vc = matchedCredentials[0] // taking the first match for now //uniqueCredentials[value.input_credential_index]
       if (!vc) {
         continue
@@ -159,22 +138,22 @@ export const siopSendAuthorizationResponse = async (
         continue
       }
       if (originalVc) {
-        presentation[key] = originalVc as | string | { [x: string]: Json }
+        presentation[key] = originalVc as string | { [x: string]: Json }
       }
     }
   }
 
   const dcqlPresentation = DcqlPresentation.parse(presentation)
 
-      const response = session.sendAuthorizationResponse({
-        responseSignerOpts: identifier,
-        dcqlResponse: {
-          dcqlPresentation
-        }
-      })
+  const response = session.sendAuthorizationResponse({
+    responseSignerOpts: identifier,
+    dcqlResponse: {
+      dcqlPresentation,
+    },
+  })
 
-      logger.debug(`Response: `, response)
-      return response
+  logger.debug(`Response: `, response)
+  return response
 }
 
 const retrieveEncodedCredential = (credential: UniqueDigitalCredential): OriginalVerifiableCredential | undefined => {
@@ -186,19 +165,14 @@ const retrieveEncodedCredential = (credential: UniqueDigitalCredential): Origina
     : credential.originalVerifiableCredential
 }
 
-export const getSelectableCredentials = async (
-  dcqlQuery: DcqlQuery,
-  context: RequiredContext,
-): Promise<SelectableCredentialsMap> => {
+export const getSelectableCredentials = async (dcqlQuery: DcqlQuery, context: RequiredContext): Promise<SelectableCredentialsMap> => {
   const agentContext = { ...context, agent: context.agent }
   const { agent } = agentContext
   const uniqueVerifiableCredentials = await agent.crsGetUniqueCredentials({
     filter: verifiableCredentialForRoleFilter(CredentialRole.HOLDER),
   })
   const branding = await agent.ibGetCredentialBranding()
-  const dcqlCredentialsWithCredentials = new Map(
-    uniqueVerifiableCredentials.map((vc) => [convertToDcqlCredentials(vc), vc])
-  )
+  const dcqlCredentialsWithCredentials = new Map(uniqueVerifiableCredentials.map((vc) => [convertToDcqlCredentials(vc), vc]))
   const queryResult = DcqlQuery.query(dcqlQuery, Array.from(dcqlCredentialsWithCredentials.keys()))
   const uniqueCredentials = Array.from(dcqlCredentialsWithCredentials.values())
   const selectableCredentialsMap: SelectableCredentialsMap = new Map()
@@ -208,7 +182,7 @@ export const getSelectableCredentials = async (
       continue
     }
 
-    const mapSelectableCredentialPromises = value.valid_credentials.map(async cred => {
+    const mapSelectableCredentialPromises = value.valid_credentials.map(async (cred) => {
       const matchedCredential = uniqueCredentials[cred.input_credential_index]
       const credentialBranding = branding.filter((cb) => cb.vcHash === matchedCredential.hash)
       const issuerPartyIdentity = await agent.cmGetContacts({