@sphereon/ssi-sdk.siopv2-oid4vp-op-auth 0.34.1-fix.80 → 0.34.1-next.278

package/dist/index.d.cts

@@ -5,7 +5,7 @@ import { DIDDocument } from '@sphereon/did-uni-client';
 import { ManagedIdentifierOptsOrResult, IIdentifierResolution } from '@sphereon/ssi-sdk-ext.identifier-resolution';
 import { JwsPayload, IJwtService } from '@sphereon/ssi-sdk-ext.jwt-service';
 import { UniqueDigitalCredential, ICredentialStore } from '@sphereon/ssi-sdk.credential-store';
-import { ICredentialLocaleBranding, Party, DidAuthConfig, Identity } from '@sphereon/ssi-sdk.data-store';
+import { ICredentialLocaleBranding, Party, DidAuthConfig, Identity } from '@sphereon/ssi-sdk.data-store-types';
 import { IPDManager } from '@sphereon/ssi-sdk.pd-manager';
 import { ISDJwtPlugin } from '@sphereon/ssi-sdk.sd-jwt';
 import { HasherSync, PresentationSubmission, W3CVerifiablePresentation, OriginalVerifiableCredential } from '@sphereon/ssi-types';
@@ -533,7 +533,7 @@ type OnContactIdentityCreatedArgs = {
 type OnIdentifierCreatedArgs = {
     identifier: IIdentifier;
 };
-type RequiredContext = IAgentContext<IContactManager & IDidAuthSiopOpAuthenticator & IDIDManager & IResolver & IIdentifierResolution & ICredentialStore & IIssuanceBranding>;
+type RequiredContext = IAgentContext<IContactManager & IDidAuthSiopOpAuthenticator & IDIDManager & IResolver & IIdentifierResolution & ICredentialStore & IIssuanceBranding & ISDJwtPlugin>;
 
 type Siopv2MachineContext = {
     url: string;

package/dist/index.d.ts

@@ -5,7 +5,7 @@ import { DIDDocument } from '@sphereon/did-uni-client';
 import { ManagedIdentifierOptsOrResult, IIdentifierResolution } from '@sphereon/ssi-sdk-ext.identifier-resolution';
 import { JwsPayload, IJwtService } from '@sphereon/ssi-sdk-ext.jwt-service';
 import { UniqueDigitalCredential, ICredentialStore } from '@sphereon/ssi-sdk.credential-store';
-import { ICredentialLocaleBranding, Party, DidAuthConfig, Identity } from '@sphereon/ssi-sdk.data-store';
+import { ICredentialLocaleBranding, Party, DidAuthConfig, Identity } from '@sphereon/ssi-sdk.data-store-types';
 import { IPDManager } from '@sphereon/ssi-sdk.pd-manager';
 import { ISDJwtPlugin } from '@sphereon/ssi-sdk.sd-jwt';
 import { HasherSync, PresentationSubmission, W3CVerifiablePresentation, OriginalVerifiableCredential } from '@sphereon/ssi-types';
@@ -533,7 +533,7 @@ type OnContactIdentityCreatedArgs = {
 type OnIdentifierCreatedArgs = {
     identifier: IIdentifier;
 };
-type RequiredContext = IAgentContext<IContactManager & IDidAuthSiopOpAuthenticator & IDIDManager & IResolver & IIdentifierResolution & ICredentialStore & IIssuanceBranding>;
+type RequiredContext = IAgentContext<IContactManager & IDidAuthSiopOpAuthenticator & IDIDManager & IResolver & IIdentifierResolution & ICredentialStore & IIssuanceBranding & ISDJwtPlugin>;
 
 type Siopv2MachineContext = {
     url: string;

package/dist/index.js

@@ -367,8 +367,8 @@ var plugin_schema_default = {
 
 // src/agent/DidAuthSiopOpAuthenticator.ts
 import { decodeUriAsJson } from "@sphereon/did-auth-siop";
-import { ConnectionType as ConnectionType2, CorrelationIdentifierType, CredentialRole as CredentialRole2, IdentityOrigin } from "@sphereon/ssi-sdk.data-store";
-import { Loggers as Loggers4 } from "@sphereon/ssi-types";
+import { ConnectionType as ConnectionType2, CorrelationIdentifierType, IdentityOrigin } from "@sphereon/ssi-sdk.data-store-types";
+import { Loggers as Loggers4, CredentialRole as CredentialRole2 } from "@sphereon/ssi-types";
 import { v4 as uuidv4 } from "uuid";
 
 // src/session/functions.ts
@@ -394,10 +394,8 @@ __name(createOID4VPPresentationSignCallback, "createOID4VPPresentationSignCallba
 async function createOPBuilder({ opOptions, idOpts: idOpts1, context }) {
   const eventEmitter = opOptions.eventEmitter ?? new EventEmitter();
   const builder = OP.builder().withResponseMode(opOptions.responseMode ?? ResponseMode.DIRECT_POST).withSupportedVersions(opOptions.supportedVersions ?? [
-    SupportedVersion.SIOPv2_ID1,
-    SupportedVersion.JWT_VC_PRESENTATION_PROFILE_v1,
-    SupportedVersion.SIOPv2_D11,
-    SupportedVersion.SIOPv2_D12_OID4VP_D18
+    SupportedVersion.OID4VP_v1,
+    SupportedVersion.SIOPv2_OID4VP_D28
   ]).withExpiresIn(opOptions.expiresIn ?? 300).withEventEmitter(eventEmitter).withRegistration({
     passBy: PassBy.VALUE
   });
@@ -807,19 +805,19 @@ var LOGGER_NAMESPACE = "sphereon:siopv2-oid4vp:op-auth";
 var DEFAULT_JWT_PROOF_TYPE = "JwtProof2020";
 
 // src/types/siop-service/index.ts
-var Siopv2HolderEvent = /* @__PURE__ */ function(Siopv2HolderEvent2) {
+var Siopv2HolderEvent = /* @__PURE__ */ (function(Siopv2HolderEvent2) {
   Siopv2HolderEvent2["CONTACT_IDENTITY_CREATED"] = "contact_identity_created";
   Siopv2HolderEvent2["IDENTIFIER_CREATED"] = "identifier_created";
   return Siopv2HolderEvent2;
-}({});
-var SupportedLanguage = /* @__PURE__ */ function(SupportedLanguage2) {
+})({});
+var SupportedLanguage = /* @__PURE__ */ (function(SupportedLanguage2) {
   SupportedLanguage2["ENGLISH"] = "en";
   SupportedLanguage2["DUTCH"] = "nl";
   return SupportedLanguage2;
-}({});
+})({});
 
 // src/types/machine/index.ts
-var Siopv2MachineStates = /* @__PURE__ */ function(Siopv2MachineStates2) {
+var Siopv2MachineStates = /* @__PURE__ */ (function(Siopv2MachineStates2) {
   Siopv2MachineStates2["createConfig"] = "createConfig";
   Siopv2MachineStates2["getSiopRequest"] = "getSiopRequest";
   Siopv2MachineStates2["getSelectableCredentials"] = "getSelectableCredentials";
@@ -835,14 +833,14 @@ var Siopv2MachineStates = /* @__PURE__ */ function(Siopv2MachineStates2) {
   Siopv2MachineStates2["error"] = "error";
   Siopv2MachineStates2["done"] = "done";
   return Siopv2MachineStates2;
-}({});
-var Siopv2MachineAddContactStates = /* @__PURE__ */ function(Siopv2MachineAddContactStates2) {
+})({});
+var Siopv2MachineAddContactStates = /* @__PURE__ */ (function(Siopv2MachineAddContactStates2) {
   Siopv2MachineAddContactStates2["idle"] = "idle";
   Siopv2MachineAddContactStates2["executing"] = "executing";
   Siopv2MachineAddContactStates2["next"] = "next";
   return Siopv2MachineAddContactStates2;
-}({});
-var Siopv2MachineEvents = /* @__PURE__ */ function(Siopv2MachineEvents2) {
+})({});
+var Siopv2MachineEvents = /* @__PURE__ */ (function(Siopv2MachineEvents2) {
   Siopv2MachineEvents2["NEXT"] = "NEXT";
   Siopv2MachineEvents2["PREVIOUS"] = "PREVIOUS";
   Siopv2MachineEvents2["DECLINE"] = "DECLINE";
@@ -851,8 +849,8 @@ var Siopv2MachineEvents = /* @__PURE__ */ function(Siopv2MachineEvents2) {
   Siopv2MachineEvents2["CREATE_CONTACT"] = "CREATE_CONTACT";
   Siopv2MachineEvents2["SET_SELECTED_CREDENTIALS"] = "SET_SELECTED_CREDENTIALS";
   return Siopv2MachineEvents2;
-}({});
-var Siopv2MachineGuards = /* @__PURE__ */ function(Siopv2MachineGuards2) {
+})({});
+var Siopv2MachineGuards = /* @__PURE__ */ (function(Siopv2MachineGuards2) {
   Siopv2MachineGuards2["hasNoContactGuard"] = "Siopv2HasNoContactGuard";
   Siopv2MachineGuards2["createContactGuard"] = "Siopv2CreateContactGuard";
   Siopv2MachineGuards2["hasContactGuard"] = "Siopv2HasContactGuard";
@@ -862,8 +860,8 @@ var Siopv2MachineGuards = /* @__PURE__ */ function(Siopv2MachineGuards2) {
   Siopv2MachineGuards2["siopOnlyGuard"] = "Siopv2IsSiopOnlyGuard";
   Siopv2MachineGuards2["siopWithOID4VPGuard"] = "Siopv2IsSiopWithOID4VPGuard";
   return Siopv2MachineGuards2;
-}({});
-var Siopv2MachineServices = /* @__PURE__ */ function(Siopv2MachineServices2) {
+})({});
+var Siopv2MachineServices = /* @__PURE__ */ (function(Siopv2MachineServices2) {
   Siopv2MachineServices2["getSiopRequest"] = "getSiopRequest";
   Siopv2MachineServices2["getSelectableCredentials"] = "getSelectableCredentials";
   Siopv2MachineServices2["retrieveContact"] = "retrieveContact";
@@ -871,7 +869,7 @@ var Siopv2MachineServices = /* @__PURE__ */ function(Siopv2MachineServices2) {
   Siopv2MachineServices2["sendResponse"] = "sendResponse";
   Siopv2MachineServices2["createConfig"] = "createConfig";
   return Siopv2MachineServices2;
-}({});
+})({});
 
 // src/types/identifier/index.ts
 var DID_PREFIX = "did";
@@ -1289,12 +1287,14 @@ var Siopv2Machine = class {
 };
 
 // src/services/Siopv2MachineService.ts
-import { SupportedVersion as SupportedVersion2 } from "@sphereon/did-auth-siop";
+import { calculateSdHash } from "@sphereon/pex/dist/main/lib/utils/index.js";
+import { getOrCreatePrimaryIdentifier, SupportedDidMethodEnum } from "@sphereon/ssi-sdk-ext.did-utils";
 import { isOID4VCIssuerIdentifier } from "@sphereon/ssi-sdk-ext.identifier-resolution";
-import { verifiableCredentialForRoleFilter } from "@sphereon/ssi-sdk.credential-store";
-import { ConnectionType, CredentialRole } from "@sphereon/ssi-sdk.data-store";
-import { CredentialMapper as CredentialMapper3, Loggers as Loggers3 } from "@sphereon/ssi-types";
 import { encodeJoseBlob } from "@sphereon/ssi-sdk.core";
+import { verifiableCredentialForRoleFilter } from "@sphereon/ssi-sdk.credential-store";
+import { ConnectionType } from "@sphereon/ssi-sdk.data-store-types";
+import { defaultGenerateDigest } from "@sphereon/ssi-sdk.sd-jwt";
+import { CredentialMapper as CredentialMapper3, CredentialRole, Loggers as Loggers3 } from "@sphereon/ssi-types";
 import { DcqlPresentation, DcqlQuery } from "dcql";
 
 // src/utils/dcql.ts
@@ -1335,7 +1335,7 @@ function convertToDcqlCredentials(credential, hasher) {
 __name(convertToDcqlCredentials, "convertToDcqlCredentials");
 
 // src/services/Siopv2MachineService.ts
-import { getOrCreatePrimaryIdentifier, SupportedDidMethodEnum } from "@sphereon/ssi-sdk-ext.did-utils";
+var CLOCK_SKEW = 120;
 var logger3 = Loggers3.DEFAULT.get(LOGGER_NAMESPACE);
 var siopSendAuthorizationResponse = /* @__PURE__ */ __name(async (connectionType, args, context) => {
   const { agent } = context;
@@ -1350,7 +1350,7 @@ var siopSendAuthorizationResponse = /* @__PURE__ */ __name(async (connectionType
   const aud = request.authorizationRequest.getMergedProperty("aud");
   logger3.debug(`AUD: ${aud}`);
   logger3.debug(JSON.stringify(request.authorizationRequest));
-  const domain = await request.authorizationRequest.getMergedProperty("client_id") ?? request.issuer ?? (request.versions.includes(SupportedVersion2.JWT_VC_PRESENTATION_PROFILE_v1) ? "https://self-issued.me/v2/openid-vc" : "https://self-issued.me/v2");
+  const domain = await request.authorizationRequest.getMergedProperty("client_id") ?? request.issuer ?? "https://self-issued.me/v2";
   logger3.debug(`NONCE: ${session.nonce}, domain: ${domain}`);
   const firstUniqueDC = credentials[0];
   if (typeof firstUniqueDC !== "object" || !("digitalCredential" in firstUniqueDC)) {
@@ -1416,8 +1416,23 @@ var siopSendAuthorizationResponse = /* @__PURE__ */ __name(async (connectionType
       if (!originalVc) {
         continue;
       }
+      const decodedSdJwt = await CredentialMapper3.decodeSdJwtVcAsync(originalVc, defaultGenerateDigest);
+      const updatedSdJwt = updateSdJwtCredential(decodedSdJwt, request.requestObject?.getPayload()?.nonce, domain);
+      const presentationResult = await context.agent.createSdJwtPresentation({
+        presentation: updatedSdJwt.compactSdJwtVc,
+        kb: {
+          payload: {
+            ...updatedSdJwt.kbJwt?.payload,
+            // FIXME SSISDK-44
+            nonce: updatedSdJwt.kbJwt?.payload.nonce ?? request.requestObject.getPayload().nonce,
+            // FIXME SSISDK-44
+            aud: updatedSdJwt.kbJwt?.payload.aud ?? domain,
+            iat: updatedSdJwt.kbJwt?.payload?.iat ?? Math.floor(Date.now() / 1e3 - CLOCK_SKEW)
+          }
+        }
+      });
       if (originalVc) {
-        presentation[key] = originalVc;
+        presentation[key] = presentationResult.presentation;
       }
     }
   }
@@ -1510,6 +1525,31 @@ var translateCorrelationIdToName = /* @__PURE__ */ __name(async (correlationId,
   }
   return contacts[0].contact.displayName;
 }, "translateCorrelationIdToName");
+var updateSdJwtCredential = /* @__PURE__ */ __name((credential, nonce, aud) => {
+  const sdJwtCredential = credential;
+  const hashAlg = sdJwtCredential.signedPayload._sd_alg ?? "sha-256";
+  const sdHash = calculateSdHash(sdJwtCredential.compactSdJwtVc, hashAlg, defaultGenerateDigest);
+  const kbJwt = {
+    // alg MUST be set by the signer
+    header: {
+      typ: "kb+jwt"
+    },
+    payload: {
+      iat: Math.floor((/* @__PURE__ */ new Date()).getTime() / 1e3),
+      sd_hash: sdHash,
+      ...nonce && {
+        nonce
+      },
+      ...aud && {
+        aud
+      }
+    }
+  };
+  return {
+    ...sdJwtCredential,
+    kbJwt
+  };
+}, "updateSdJwtCredential");
 
 // src/agent/DidAuthSiopOpAuthenticator.ts
 var logger4 = Loggers4.DEFAULT.options(LOGGER_NAMESPACE, {}).get(LOGGER_NAMESPACE);
@@ -1670,7 +1710,7 @@ var DidAuthSiopOpAuthenticator = class {
     const verifiedAuthorizationRequest = await session.getAuthorizationRequest();
     const clientName = verifiedAuthorizationRequest.registrationMetadataPayload?.client_name;
     const url = verifiedAuthorizationRequest.responseURI ?? (args.url.includes("request_uri") ? decodeURIComponent(args.url.split("?request_uri=")[1].trim()) : verifiedAuthorizationRequest.issuer ?? verifiedAuthorizationRequest.registrationMetadataPayload?.client_id);
-    const uri = url.includes("://") ? new URL(url) : void 0;
+    const uri = url?.includes("://") ? new URL(url) : void 0;
     const correlationId = uri?.hostname ?? await this.determineCorrelationId(uri, verifiedAuthorizationRequest, clientName, context);
     const clientId = verifiedAuthorizationRequest.authorizationRequest.getMergedProperty("client_id");
     return {