@sphereon/ssi-sdk.siopv2-oid4vp-op-auth 0.34.1-fix.80 → 0.34.1-next.278

package/dist/index.cjs

@@ -423,8 +423,8 @@ var plugin_schema_default = {
 };
 
 // src/agent/DidAuthSiopOpAuthenticator.ts
-var import_did_auth_siop5 = require("@sphereon/did-auth-siop");
-var import_ssi_sdk6 = require("@sphereon/ssi-sdk.data-store");
+var import_did_auth_siop4 = require("@sphereon/did-auth-siop");
+var import_ssi_sdk7 = require("@sphereon/ssi-sdk.data-store-types");
 var import_ssi_types7 = require("@sphereon/ssi-types");
 var import_uuid2 = require("uuid");
 
@@ -451,10 +451,8 @@ __name(createOID4VPPresentationSignCallback, "createOID4VPPresentationSignCallba
 async function createOPBuilder({ opOptions, idOpts: idOpts1, context }) {
   const eventEmitter = opOptions.eventEmitter ?? new import_events.EventEmitter();
   const builder = import_did_auth_siop.OP.builder().withResponseMode(opOptions.responseMode ?? import_did_auth_siop.ResponseMode.DIRECT_POST).withSupportedVersions(opOptions.supportedVersions ?? [
-    import_did_auth_siop.SupportedVersion.SIOPv2_ID1,
-    import_did_auth_siop.SupportedVersion.JWT_VC_PRESENTATION_PROFILE_v1,
-    import_did_auth_siop.SupportedVersion.SIOPv2_D11,
-    import_did_auth_siop.SupportedVersion.SIOPv2_D12_OID4VP_D18
+    import_did_auth_siop.SupportedVersion.OID4VP_v1,
+    import_did_auth_siop.SupportedVersion.SIOPv2_OID4VP_D28
   ]).withExpiresIn(opOptions.expiresIn ?? 300).withEventEmitter(eventEmitter).withRegistration({
     passBy: import_did_auth_siop.PassBy.VALUE
   });
@@ -864,19 +862,19 @@ var LOGGER_NAMESPACE = "sphereon:siopv2-oid4vp:op-auth";
 var DEFAULT_JWT_PROOF_TYPE = "JwtProof2020";
 
 // src/types/siop-service/index.ts
-var Siopv2HolderEvent = /* @__PURE__ */ function(Siopv2HolderEvent2) {
+var Siopv2HolderEvent = /* @__PURE__ */ (function(Siopv2HolderEvent2) {
   Siopv2HolderEvent2["CONTACT_IDENTITY_CREATED"] = "contact_identity_created";
   Siopv2HolderEvent2["IDENTIFIER_CREATED"] = "identifier_created";
   return Siopv2HolderEvent2;
-}({});
-var SupportedLanguage = /* @__PURE__ */ function(SupportedLanguage2) {
+})({});
+var SupportedLanguage = /* @__PURE__ */ (function(SupportedLanguage2) {
   SupportedLanguage2["ENGLISH"] = "en";
   SupportedLanguage2["DUTCH"] = "nl";
   return SupportedLanguage2;
-}({});
+})({});
 
 // src/types/machine/index.ts
-var Siopv2MachineStates = /* @__PURE__ */ function(Siopv2MachineStates2) {
+var Siopv2MachineStates = /* @__PURE__ */ (function(Siopv2MachineStates2) {
   Siopv2MachineStates2["createConfig"] = "createConfig";
   Siopv2MachineStates2["getSiopRequest"] = "getSiopRequest";
   Siopv2MachineStates2["getSelectableCredentials"] = "getSelectableCredentials";
@@ -892,14 +890,14 @@ var Siopv2MachineStates = /* @__PURE__ */ function(Siopv2MachineStates2) {
   Siopv2MachineStates2["error"] = "error";
   Siopv2MachineStates2["done"] = "done";
   return Siopv2MachineStates2;
-}({});
-var Siopv2MachineAddContactStates = /* @__PURE__ */ function(Siopv2MachineAddContactStates2) {
+})({});
+var Siopv2MachineAddContactStates = /* @__PURE__ */ (function(Siopv2MachineAddContactStates2) {
   Siopv2MachineAddContactStates2["idle"] = "idle";
   Siopv2MachineAddContactStates2["executing"] = "executing";
   Siopv2MachineAddContactStates2["next"] = "next";
   return Siopv2MachineAddContactStates2;
-}({});
-var Siopv2MachineEvents = /* @__PURE__ */ function(Siopv2MachineEvents2) {
+})({});
+var Siopv2MachineEvents = /* @__PURE__ */ (function(Siopv2MachineEvents2) {
   Siopv2MachineEvents2["NEXT"] = "NEXT";
   Siopv2MachineEvents2["PREVIOUS"] = "PREVIOUS";
   Siopv2MachineEvents2["DECLINE"] = "DECLINE";
@@ -908,8 +906,8 @@ var Siopv2MachineEvents = /* @__PURE__ */ function(Siopv2MachineEvents2) {
   Siopv2MachineEvents2["CREATE_CONTACT"] = "CREATE_CONTACT";
   Siopv2MachineEvents2["SET_SELECTED_CREDENTIALS"] = "SET_SELECTED_CREDENTIALS";
   return Siopv2MachineEvents2;
-}({});
-var Siopv2MachineGuards = /* @__PURE__ */ function(Siopv2MachineGuards2) {
+})({});
+var Siopv2MachineGuards = /* @__PURE__ */ (function(Siopv2MachineGuards2) {
   Siopv2MachineGuards2["hasNoContactGuard"] = "Siopv2HasNoContactGuard";
   Siopv2MachineGuards2["createContactGuard"] = "Siopv2CreateContactGuard";
   Siopv2MachineGuards2["hasContactGuard"] = "Siopv2HasContactGuard";
@@ -919,8 +917,8 @@ var Siopv2MachineGuards = /* @__PURE__ */ function(Siopv2MachineGuards2) {
   Siopv2MachineGuards2["siopOnlyGuard"] = "Siopv2IsSiopOnlyGuard";
   Siopv2MachineGuards2["siopWithOID4VPGuard"] = "Siopv2IsSiopWithOID4VPGuard";
   return Siopv2MachineGuards2;
-}({});
-var Siopv2MachineServices = /* @__PURE__ */ function(Siopv2MachineServices2) {
+})({});
+var Siopv2MachineServices = /* @__PURE__ */ (function(Siopv2MachineServices2) {
   Siopv2MachineServices2["getSiopRequest"] = "getSiopRequest";
   Siopv2MachineServices2["getSelectableCredentials"] = "getSelectableCredentials";
   Siopv2MachineServices2["retrieveContact"] = "retrieveContact";
@@ -928,7 +926,7 @@ var Siopv2MachineServices = /* @__PURE__ */ function(Siopv2MachineServices2) {
   Siopv2MachineServices2["sendResponse"] = "sendResponse";
   Siopv2MachineServices2["createConfig"] = "createConfig";
   return Siopv2MachineServices2;
-}({});
+})({});
 
 // src/types/identifier/index.ts
 var DID_PREFIX = "did";
@@ -1346,12 +1344,14 @@ var Siopv2Machine = class {
 };
 
 // src/services/Siopv2MachineService.ts
-var import_did_auth_siop4 = require("@sphereon/did-auth-siop");
-var import_ssi_sdk_ext3 = require("@sphereon/ssi-sdk-ext.identifier-resolution");
-var import_ssi_sdk3 = require("@sphereon/ssi-sdk.credential-store");
-var import_ssi_sdk4 = require("@sphereon/ssi-sdk.data-store");
+var import_utils = require("@sphereon/pex/dist/main/lib/utils/index.js");
+var import_ssi_sdk_ext3 = require("@sphereon/ssi-sdk-ext.did-utils");
+var import_ssi_sdk_ext4 = require("@sphereon/ssi-sdk-ext.identifier-resolution");
+var import_ssi_sdk3 = require("@sphereon/ssi-sdk.core");
+var import_ssi_sdk4 = require("@sphereon/ssi-sdk.credential-store");
+var import_ssi_sdk5 = require("@sphereon/ssi-sdk.data-store-types");
+var import_ssi_sdk6 = require("@sphereon/ssi-sdk.sd-jwt");
 var import_ssi_types6 = require("@sphereon/ssi-types");
-var import_ssi_sdk5 = require("@sphereon/ssi-sdk.core");
 var import_dcql = require("dcql");
 
 // src/utils/dcql.ts
@@ -1392,12 +1392,12 @@ function convertToDcqlCredentials(credential, hasher) {
 __name(convertToDcqlCredentials, "convertToDcqlCredentials");
 
 // src/services/Siopv2MachineService.ts
-var import_ssi_sdk_ext4 = require("@sphereon/ssi-sdk-ext.did-utils");
+var CLOCK_SKEW = 120;
 var logger3 = import_ssi_types6.Loggers.DEFAULT.get(LOGGER_NAMESPACE);
 var siopSendAuthorizationResponse = /* @__PURE__ */ __name(async (connectionType, args, context) => {
   const { agent } = context;
   const { credentials } = args;
-  if (connectionType !== import_ssi_sdk4.ConnectionType.SIOPv2_OpenID4VP) {
+  if (connectionType !== import_ssi_sdk5.ConnectionType.SIOPv2_OpenID4VP) {
     return Promise.reject(Error(`No supported authentication provider for type: ${connectionType}`));
   }
   const session = await agent.siopGetOPSession({
@@ -1407,7 +1407,7 @@ var siopSendAuthorizationResponse = /* @__PURE__ */ __name(async (connectionType
   const aud = request.authorizationRequest.getMergedProperty("aud");
   logger3.debug(`AUD: ${aud}`);
   logger3.debug(JSON.stringify(request.authorizationRequest));
-  const domain = await request.authorizationRequest.getMergedProperty("client_id") ?? request.issuer ?? (request.versions.includes(import_did_auth_siop4.SupportedVersion.JWT_VC_PRESENTATION_PROFILE_v1) ? "https://self-issued.me/v2/openid-vc" : "https://self-issued.me/v2");
+  const domain = await request.authorizationRequest.getMergedProperty("client_id") ?? request.issuer ?? "https://self-issued.me/v2";
   logger3.debug(`NONCE: ${session.nonce}, domain: ${domain}`);
   const firstUniqueDC = credentials[0];
   if (typeof firstUniqueDC !== "object" || !("digitalCredential" in firstUniqueDC)) {
@@ -1418,7 +1418,7 @@ var siopSendAuthorizationResponse = /* @__PURE__ */ __name(async (connectionType
   const firstVC = firstUniqueDC.uniformVerifiableCredential;
   const holder = import_ssi_types6.CredentialMapper.isSdJwtDecodedCredential(firstVC) ? firstVC.decodedPayload.cnf?.jwk ? (
     //doesn't apply to did:jwk only, as you can represent any DID key as a JWK. So whenever you encounter a JWK it doesn't mean it had to come from a did:jwk in the system. It just can always be represented as a did:jwk
-    `did:jwk:${(0, import_ssi_sdk5.encodeJoseBlob)(firstVC.decodedPayload.cnf?.jwk)}#0`
+    `did:jwk:${(0, import_ssi_sdk3.encodeJoseBlob)(firstVC.decodedPayload.cnf?.jwk)}#0`
   ) : firstVC.decodedPayload.sub : Array.isArray(firstVC.credentialSubject) ? firstVC.credentialSubject[0].id : firstVC.credentialSubject.id;
   if (!digitalCredential.kmsKeyRef) {
     if (!holder) {
@@ -1432,7 +1432,7 @@ var siopSendAuthorizationResponse = /* @__PURE__ */ __name(async (connectionType
       logger3.debug(`Holder DID not found: ${holder}`);
       throw e;
     }
-  } else if ((0, import_ssi_sdk_ext3.isOID4VCIssuerIdentifier)(digitalCredential.kmsKeyRef)) {
+  } else if ((0, import_ssi_sdk_ext4.isOID4VCIssuerIdentifier)(digitalCredential.kmsKeyRef)) {
     identifier = await session.context.agent.identifierManagedGetByOID4VCIssuer({
       identifier: firstUniqueDC.digitalCredential.kmsKeyRef
     });
@@ -1473,8 +1473,23 @@ var siopSendAuthorizationResponse = /* @__PURE__ */ __name(async (connectionType
       if (!originalVc) {
         continue;
       }
+      const decodedSdJwt = await import_ssi_types6.CredentialMapper.decodeSdJwtVcAsync(originalVc, import_ssi_sdk6.defaultGenerateDigest);
+      const updatedSdJwt = updateSdJwtCredential(decodedSdJwt, request.requestObject?.getPayload()?.nonce, domain);
+      const presentationResult = await context.agent.createSdJwtPresentation({
+        presentation: updatedSdJwt.compactSdJwtVc,
+        kb: {
+          payload: {
+            ...updatedSdJwt.kbJwt?.payload,
+            // FIXME SSISDK-44
+            nonce: updatedSdJwt.kbJwt?.payload.nonce ?? request.requestObject.getPayload().nonce,
+            // FIXME SSISDK-44
+            aud: updatedSdJwt.kbJwt?.payload.aud ?? domain,
+            iat: updatedSdJwt.kbJwt?.payload?.iat ?? Math.floor(Date.now() / 1e3 - CLOCK_SKEW)
+          }
+        }
+      });
       if (originalVc) {
-        presentation[key] = originalVc;
+        presentation[key] = presentationResult.presentation;
       }
     }
   }
@@ -1498,7 +1513,7 @@ var getSelectableCredentials = /* @__PURE__ */ __name(async (dcqlQuery, context)
   };
   const { agent } = agentContext;
   const uniqueVerifiableCredentials = await agent.crsGetUniqueCredentials({
-    filter: (0, import_ssi_sdk3.verifiableCredentialForRoleFilter)(import_ssi_sdk4.CredentialRole.HOLDER)
+    filter: (0, import_ssi_sdk4.verifiableCredentialForRoleFilter)(import_ssi_types6.CredentialRole.HOLDER)
   });
   const branding = await agent.ibGetCredentialBranding();
   const dcqlCredentialsWithCredentials = new Map(uniqueVerifiableCredentials.map((vc) => [
@@ -1567,6 +1582,31 @@ var translateCorrelationIdToName = /* @__PURE__ */ __name(async (correlationId,
   }
   return contacts[0].contact.displayName;
 }, "translateCorrelationIdToName");
+var updateSdJwtCredential = /* @__PURE__ */ __name((credential, nonce, aud) => {
+  const sdJwtCredential = credential;
+  const hashAlg = sdJwtCredential.signedPayload._sd_alg ?? "sha-256";
+  const sdHash = (0, import_utils.calculateSdHash)(sdJwtCredential.compactSdJwtVc, hashAlg, import_ssi_sdk6.defaultGenerateDigest);
+  const kbJwt = {
+    // alg MUST be set by the signer
+    header: {
+      typ: "kb+jwt"
+    },
+    payload: {
+      iat: Math.floor((/* @__PURE__ */ new Date()).getTime() / 1e3),
+      sd_hash: sdHash,
+      ...nonce && {
+        nonce
+      },
+      ...aud && {
+        aud
+      }
+    }
+  };
+  return {
+    ...sdJwtCredential,
+    kbJwt
+  };
+}, "updateSdJwtCredential");
 
 // src/agent/DidAuthSiopOpAuthenticator.ts
 var logger4 = import_ssi_types7.Loggers.DEFAULT.options(LOGGER_NAMESPACE, {}).get(LOGGER_NAMESPACE);
@@ -1727,7 +1767,7 @@ var DidAuthSiopOpAuthenticator = class {
     const verifiedAuthorizationRequest = await session.getAuthorizationRequest();
     const clientName = verifiedAuthorizationRequest.registrationMetadataPayload?.client_name;
     const url = verifiedAuthorizationRequest.responseURI ?? (args.url.includes("request_uri") ? decodeURIComponent(args.url.split("?request_uri=")[1].trim()) : verifiedAuthorizationRequest.issuer ?? verifiedAuthorizationRequest.registrationMetadataPayload?.client_id);
-    const uri = url.includes("://") ? new URL(url) : void 0;
+    const uri = url?.includes("://") ? new URL(url) : void 0;
     const correlationId = uri?.hostname ?? await this.determineCorrelationId(uri, verifiedAuthorizationRequest, clientName, context);
     const clientId = verifiedAuthorizationRequest.authorizationRequest.getMergedProperty("client_id");
     return {
@@ -1785,12 +1825,12 @@ var DidAuthSiopOpAuthenticator = class {
     if (correlationId) {
       const identity = {
         alias: correlationId,
-        origin: import_ssi_sdk6.IdentityOrigin.EXTERNAL,
+        origin: import_ssi_sdk7.IdentityOrigin.EXTERNAL,
         roles: [
-          import_ssi_sdk6.CredentialRole.ISSUER
+          import_ssi_types7.CredentialRole.ISSUER
         ],
         identifier: {
-          type: correlationId.startsWith("did:") ? import_ssi_sdk6.CorrelationIdentifierType.DID : import_ssi_sdk6.CorrelationIdentifierType.URL,
+          type: correlationId.startsWith("did:") ? import_ssi_sdk7.CorrelationIdentifierType.DID : import_ssi_sdk7.CorrelationIdentifierType.URL,
           correlationId
         }
       };
@@ -1813,7 +1853,7 @@ var DidAuthSiopOpAuthenticator = class {
     if (authorizationRequestData === void 0) {
       return Promise.reject(Error("Missing authorization request data in context"));
     }
-    const response = await siopSendAuthorizationResponse(import_ssi_sdk6.ConnectionType.SIOPv2_OpenID4VP, {
+    const response = await siopSendAuthorizationResponse(import_ssi_sdk7.ConnectionType.SIOPv2_OpenID4VP, {
       sessionId: didAuthConfig.sessionId,
       ...args.idOpts && {
         idOpts: args.idOpts
@@ -1831,7 +1871,7 @@ var DidAuthSiopOpAuthenticator = class {
     return {
       body: responseBody,
       url: response?.url,
-      queryParams: (0, import_did_auth_siop5.decodeUriAsJson)(response?.url)
+      queryParams: (0, import_did_auth_siop4.decodeUriAsJson)(response?.url)
     };
   }
   async siopGetSelectableCredentials(args, context) {
@@ -1878,12 +1918,12 @@ var OID4VPCallbackStateListener = /* @__PURE__ */ __name((callbacks) => {
 }, "OID4VPCallbackStateListener");
 
 // src/link-handler/index.ts
-var import_ssi_sdk7 = require("@sphereon/ssi-sdk.agent-config");
-var import_ssi_sdk8 = require("@sphereon/ssi-sdk.core");
-var import_ssi_sdk9 = require("@sphereon/ssi-sdk.xstate-machine-persistence");
+var import_ssi_sdk8 = require("@sphereon/ssi-sdk.agent-config");
+var import_ssi_sdk9 = require("@sphereon/ssi-sdk.core");
+var import_ssi_sdk10 = require("@sphereon/ssi-sdk.xstate-machine-persistence");
 var import_ssi_types9 = require("@sphereon/ssi-types");
 var logger6 = import_ssi_types9.Loggers.DEFAULT.options(LOGGER_NAMESPACE, {}).get(LOGGER_NAMESPACE);
-var Siopv2OID4VPLinkHandler = class extends import_ssi_sdk8.LinkHandlerAdapter {
+var Siopv2OID4VPLinkHandler = class extends import_ssi_sdk9.LinkHandlerAdapter {
   static {
     __name(this, "Siopv2OID4VPLinkHandler");
   }
@@ -1909,8 +1949,8 @@ var Siopv2OID4VPLinkHandler = class extends import_ssi_sdk8.LinkHandlerAdapter {
       stateNavigationListener: this.stateNavigationListener
     });
     const interpreter = siopv2Machine.interpreter;
-    if (!this.noStateMachinePersistence && !opts?.machineState && (0, import_ssi_sdk7.contextHasPlugin)(this.context, "machineStatesFindActive")) {
-      const init = await (0, import_ssi_sdk9.interpreterStartOrResume)({
+    if (!this.noStateMachinePersistence && !opts?.machineState && (0, import_ssi_sdk8.contextHasPlugin)(this.context, "machineStatesFindActive")) {
+      const init = await (0, import_ssi_sdk10.interpreterStartOrResume)({
         interpreter,
         context: this.context,
         cleanupAllOtherInstances: true,