@sphereon/ssi-sdk.siopv2-oid4vp-op-auth 0.34.1-fix.80 → 0.34.1-next.278

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sphereon/ssi-sdk.siopv2-oid4vp-op-auth",
-  "version": "0.34.1-fix.80+f71b3901",
+  "version": "0.34.1-next.278+0eacb25b",
   "source": "src/index.ts",
   "type": "module",
   "main": "./dist/index.cjs",
@@ -26,26 +26,26 @@
     "build": "tsup --config ../../tsup.config.ts --tsconfig ../../tsconfig.tsup.json"
   },
   "dependencies": {
-    "@sphereon/did-auth-siop": "0.19.1-feature.DIIPv4.86",
-    "@sphereon/did-auth-siop-adapter": "0.19.1-feature.DIIPv4.86",
-    "@sphereon/oid4vc-common": "0.19.1-feature.DIIPv4.86",
+    "@sphereon/did-auth-siop": "0.19.1-next.220",
+    "@sphereon/did-auth-siop-adapter": "0.19.1-next.220",
+    "@sphereon/oid4vc-common": "0.19.1-next.220",
     "@sphereon/pex": "5.0.0-unstable.28",
     "@sphereon/pex-models": "^2.3.2",
-    "@sphereon/ssi-sdk-ext.did-utils": "0.34.1-fix.80+f71b3901",
-    "@sphereon/ssi-sdk-ext.identifier-resolution": "0.34.1-fix.80+f71b3901",
-    "@sphereon/ssi-sdk-ext.jwt-service": "0.34.1-fix.80+f71b3901",
-    "@sphereon/ssi-sdk.contact-manager": "0.34.1-fix.80+f71b3901",
-    "@sphereon/ssi-sdk.core": "0.34.1-fix.80+f71b3901",
-    "@sphereon/ssi-sdk.credential-store": "0.34.1-fix.80+f71b3901",
-    "@sphereon/ssi-sdk.credential-validation": "0.34.1-fix.80+f71b3901",
-    "@sphereon/ssi-sdk.data-store": "0.34.1-fix.80+f71b3901",
-    "@sphereon/ssi-sdk.issuance-branding": "0.34.1-fix.80+f71b3901",
-    "@sphereon/ssi-sdk.pd-manager": "0.34.1-fix.80+f71b3901",
-    "@sphereon/ssi-sdk.presentation-exchange": "0.34.1-fix.80+f71b3901",
-    "@sphereon/ssi-sdk.sd-jwt": "0.34.1-fix.80+f71b3901",
-    "@sphereon/ssi-sdk.siopv2-oid4vp-common": "0.34.1-fix.80+f71b3901",
-    "@sphereon/ssi-sdk.xstate-machine-persistence": "0.34.1-fix.80+f71b3901",
-    "@sphereon/ssi-types": "0.34.1-fix.80+f71b3901",
+    "@sphereon/ssi-sdk-ext.did-utils": "0.34.1-next.278+0eacb25b",
+    "@sphereon/ssi-sdk-ext.identifier-resolution": "0.34.1-next.278+0eacb25b",
+    "@sphereon/ssi-sdk-ext.jwt-service": "0.34.1-next.278+0eacb25b",
+    "@sphereon/ssi-sdk.contact-manager": "0.34.1-next.278+0eacb25b",
+    "@sphereon/ssi-sdk.core": "0.34.1-next.278+0eacb25b",
+    "@sphereon/ssi-sdk.credential-store": "0.34.1-next.278+0eacb25b",
+    "@sphereon/ssi-sdk.credential-validation": "0.34.1-next.278+0eacb25b",
+    "@sphereon/ssi-sdk.data-store-types": "0.34.1-next.278+0eacb25b",
+    "@sphereon/ssi-sdk.issuance-branding": "0.34.1-next.278+0eacb25b",
+    "@sphereon/ssi-sdk.pd-manager": "0.34.1-next.278+0eacb25b",
+    "@sphereon/ssi-sdk.presentation-exchange": "0.34.1-next.278+0eacb25b",
+    "@sphereon/ssi-sdk.sd-jwt": "0.34.1-next.278+0eacb25b",
+    "@sphereon/ssi-sdk.siopv2-oid4vp-common": "0.34.1-next.278+0eacb25b",
+    "@sphereon/ssi-sdk.xstate-machine-persistence": "0.34.1-next.278+0eacb25b",
+    "@sphereon/ssi-types": "0.34.1-next.278+0eacb25b",
     "@sphereon/wellknown-dids-client": "^0.1.3",
     "@veramo/core": "4.2.0",
     "@veramo/credential-w3c": "4.2.0",
@@ -59,8 +59,8 @@
   },
   "devDependencies": {
     "@sphereon/did-uni-client": "^0.6.3",
-    "@sphereon/ssi-sdk-ext.did-resolver-jwk": "0.34.1-fix.80+f71b3901",
-    "@sphereon/ssi-sdk.agent-config": "0.34.1-fix.80+f71b3901",
+    "@sphereon/ssi-sdk-ext.did-resolver-jwk": "0.34.1-next.278+0eacb25b",
+    "@sphereon/ssi-sdk.agent-config": "0.34.1-next.278+0eacb25b",
     "@types/i18n-js": "^3.8.9",
     "@types/lodash.memoize": "^4.1.9",
     "@types/sha.js": "^2.4.4",
@@ -102,5 +102,5 @@
     "OpenID Connect",
     "Authenticator"
   ],
-  "gitHead": "f71b39017a0bd9ac33fab56d2d61287d8d5c14f4"
+  "gitHead": "0eacb25b6e38cef88d04d696d84e3c2ebcf89ede"
 }

package/src/agent/DidAuthSiopOpAuthenticator.ts

@@ -1,17 +1,6 @@
-import {
-  decodeUriAsJson,
-  PresentationSignCallback,
-  VerifiedAuthorizationRequest } from '@sphereon/did-auth-siop'
-import {
-  ConnectionType,
-  CorrelationIdentifierType,
-  CredentialRole,
-  Identity,
-  IdentityOrigin,
-  NonPersistedIdentity,
-  Party,
-} from '@sphereon/ssi-sdk.data-store'
-import { HasherSync, Loggers } from '@sphereon/ssi-types'
+import { decodeUriAsJson, PresentationSignCallback, VerifiedAuthorizationRequest } from '@sphereon/did-auth-siop'
+import { ConnectionType, CorrelationIdentifierType, Identity, IdentityOrigin, NonPersistedIdentity, Party } from '@sphereon/ssi-sdk.data-store-types'
+import { HasherSync, Loggers, CredentialRole } from '@sphereon/ssi-types'
 import { IAgentPlugin } from '@veramo/core'
 import { v4 as uuidv4 } from 'uuid'
 import { OpSession } from '../session'
@@ -92,13 +81,7 @@ export class DidAuthSiopOpAuthenticator implements IAgentPlugin {
   private readonly hasher?: HasherSync
 
   constructor(options?: DidAuthSiopOpAuthenticatorOptions) {
-    const {
-      onContactIdentityCreated,
-      onIdentifierCreated,
-      hasher,
-      customApprovals = {},
-      presentationSignCallback
-    } = { ...options }
+    const { onContactIdentityCreated, onIdentifierCreated, hasher, customApprovals = {}, presentationSignCallback } = { ...options }
 
     this.hasher = hasher
     this.onContactIdentityCreated = onContactIdentityCreated
@@ -231,7 +214,7 @@ export class DidAuthSiopOpAuthenticator implements IAgentPlugin {
       (args.url.includes('request_uri')
         ? decodeURIComponent(args.url.split('?request_uri=')[1].trim())
         : (verifiedAuthorizationRequest.issuer ?? verifiedAuthorizationRequest.registrationMetadataPayload?.client_id))
-    const uri: URL | undefined = url.includes('://') ? new URL(url) : undefined
+    const uri: URL | undefined = url?.includes('://') ? new URL(url) : undefined
     const correlationId: string = uri?.hostname ?? (await this.determineCorrelationId(uri, verifiedAuthorizationRequest, clientName, context))
     const clientId: string | undefined = verifiedAuthorizationRequest.authorizationRequest.getMergedProperty<string>('client_id')
 

package/src/machine/Siopv2Machine.ts

@@ -1,5 +1,5 @@
 import { VerifiedAuthorizationRequest } from '@sphereon/did-auth-siop'
-import { DidAuthConfig, Identity, Party } from '@sphereon/ssi-sdk.data-store'
+import { DidAuthConfig, Identity, Party } from '@sphereon/ssi-sdk.data-store-types'
 import { assign, createMachine, DoneInvokeEvent, interpret } from 'xstate'
 import { translate } from '../localization/Localization'
 import { ErrorDetails } from '../types'

package/src/services/Siopv2MachineService.ts

@@ -1,34 +1,27 @@
-import {
-  AuthorizationRequest,
-  Json,
-  SupportedVersion
-} from '@sphereon/did-auth-siop'
+import { AuthorizationRequest } from '@sphereon/did-auth-siop'
+import type { PartialSdJwtDecodedVerifiableCredential, PartialSdJwtKbJwt } from '@sphereon/pex/dist/main/lib/index.js'
+import { calculateSdHash } from '@sphereon/pex/dist/main/lib/utils/index.js'
+import { getOrCreatePrimaryIdentifier, SupportedDidMethodEnum } from '@sphereon/ssi-sdk-ext.did-utils'
 import { isOID4VCIssuerIdentifier, ManagedIdentifierOptsOrResult } from '@sphereon/ssi-sdk-ext.identifier-resolution'
+import { encodeJoseBlob } from '@sphereon/ssi-sdk.core'
 import { UniqueDigitalCredential, verifiableCredentialForRoleFilter } from '@sphereon/ssi-sdk.credential-store'
-import { ConnectionType, CredentialRole } from '@sphereon/ssi-sdk.data-store'
+import { ConnectionType } from '@sphereon/ssi-sdk.data-store-types'
+import { defaultGenerateDigest } from '@sphereon/ssi-sdk.sd-jwt'
 import {
   CredentialMapper,
+  CredentialRole,
   HasherSync,
   Loggers,
   OriginalVerifiableCredential,
-  SdJwtDecodedVerifiableCredential
+  SdJwtDecodedVerifiableCredential,
 } from '@sphereon/ssi-types'
-import { OpSession } from '../session'
-import {
-  LOGGER_NAMESPACE,
-  RequiredContext,
-  SelectableCredential,
-  SelectableCredentialsMap,
-  Siopv2HolderEvent
-} from '../types'
-import { encodeJoseBlob } from '@sphereon/ssi-sdk.core'
+import { IAgentContext, IDIDManager } from '@veramo/core'
 import { DcqlPresentation, DcqlQuery } from 'dcql'
+import { OpSession } from '../session'
+import { LOGGER_NAMESPACE, RequiredContext, SelectableCredential, SelectableCredentialsMap, Siopv2HolderEvent } from '../types'
 import { convertToDcqlCredentials } from '../utils/dcql'
-import { IAgentContext, IDIDManager } from '@veramo/core'
-import {
-  getOrCreatePrimaryIdentifier,
-  SupportedDidMethodEnum
-} from '@sphereon/ssi-sdk-ext.did-utils'
+
+const CLOCK_SKEW = 120
 
 export const logger = Loggers.DEFAULT.get(LOGGER_NAMESPACE)
 
@@ -76,68 +69,62 @@ export const siopSendAuthorizationResponse = async (
   logger.debug(`AUD: ${aud}`)
   logger.debug(JSON.stringify(request.authorizationRequest))
 
-      const domain =
-        ((await request.authorizationRequest.getMergedProperty('client_id')) as string) ??
-        request.issuer ??
-        (request.versions.includes(SupportedVersion.JWT_VC_PRESENTATION_PROFILE_v1)
-          ? 'https://self-issued.me/v2/openid-vc'
-          : 'https://self-issued.me/v2')
-      logger.debug(`NONCE: ${session.nonce}, domain: ${domain}`)
-
-      const firstUniqueDC = credentials[0]
-      if (typeof firstUniqueDC !== 'object' || !('digitalCredential' in firstUniqueDC)) {
-        return Promise.reject(Error('SiopMachine only supports UniqueDigitalCredentials for now'))
-      }
+  const domain = ((await request.authorizationRequest.getMergedProperty('client_id')) as string) ?? request.issuer ?? 'https://self-issued.me/v2'
+
+  logger.debug(`NONCE: ${session.nonce}, domain: ${domain}`)
+
+  const firstUniqueDC = credentials[0]
+  if (typeof firstUniqueDC !== 'object' || !('digitalCredential' in firstUniqueDC)) {
+    return Promise.reject(Error('SiopMachine only supports UniqueDigitalCredentials for now'))
+  }
+
+  let identifier: ManagedIdentifierOptsOrResult
+  const digitalCredential = firstUniqueDC.digitalCredential
+  const firstVC = firstUniqueDC.uniformVerifiableCredential
+  const holder = CredentialMapper.isSdJwtDecodedCredential(firstVC)
+    ? firstVC.decodedPayload.cnf?.jwk
+      ? //TODO SDK-19: convert the JWK to hex and search for the appropriate key and associated DID
+        //doesn't apply to did:jwk only, as you can represent any DID key as a JWK. So whenever you encounter a JWK it doesn't mean it had to come from a did:jwk in the system. It just can always be represented as a did:jwk
+        `did:jwk:${encodeJoseBlob(firstVC.decodedPayload.cnf?.jwk)}#0`
+      : firstVC.decodedPayload.sub
+    : Array.isArray(firstVC.credentialSubject)
+      ? firstVC.credentialSubject[0].id
+      : firstVC.credentialSubject.id
+  if (!digitalCredential.kmsKeyRef) {
+    // In case the store does not have the kmsKeyRef lets search for the holder
 
-      let identifier: ManagedIdentifierOptsOrResult
-      const digitalCredential = firstUniqueDC.digitalCredential
-      const firstVC = firstUniqueDC.uniformVerifiableCredential
-      const holder = CredentialMapper.isSdJwtDecodedCredential(firstVC)
-        ? firstVC.decodedPayload.cnf?.jwk
-          ? //TODO SDK-19: convert the JWK to hex and search for the appropriate key and associated DID
-            //doesn't apply to did:jwk only, as you can represent any DID key as a JWK. So whenever you encounter a JWK it doesn't mean it had to come from a did:jwk in the system. It just can always be represented as a did:jwk
-            `did:jwk:${encodeJoseBlob(firstVC.decodedPayload.cnf?.jwk)}#0`
-          : firstVC.decodedPayload.sub
-        : Array.isArray(firstVC.credentialSubject)
-          ? firstVC.credentialSubject[0].id
-          : firstVC.credentialSubject.id
-      if (!digitalCredential.kmsKeyRef) {
-        // In case the store does not have the kmsKeyRef lets search for the holder
-
-        if (!holder) {
-          return Promise.reject(`No holder found and no kmsKeyRef in DB. Cannot determine identifier to use`)
-        }
-        try {
-          identifier = await session.context.agent.identifierManagedGet({ identifier: holder })
-        } catch (e) {
-          logger.debug(`Holder DID not found: ${holder}`)
-          throw e
-        }
-      } else if (isOID4VCIssuerIdentifier(digitalCredential.kmsKeyRef)) {
-        identifier = await session.context.agent.identifierManagedGetByOID4VCIssuer({
-          identifier: firstUniqueDC.digitalCredential.kmsKeyRef,
+    if (!holder) {
+      return Promise.reject(`No holder found and no kmsKeyRef in DB. Cannot determine identifier to use`)
+    }
+    try {
+      identifier = await session.context.agent.identifierManagedGet({ identifier: holder })
+    } catch (e) {
+      logger.debug(`Holder DID not found: ${holder}`)
+      throw e
+    }
+  } else if (isOID4VCIssuerIdentifier(digitalCredential.kmsKeyRef)) {
+    identifier = await session.context.agent.identifierManagedGetByOID4VCIssuer({
+      identifier: firstUniqueDC.digitalCredential.kmsKeyRef,
+    })
+  } else {
+    switch (digitalCredential.subjectCorrelationType) {
+      case 'DID':
+        identifier = await session.context.agent.identifierManagedGetByDid({
+          identifier: digitalCredential.subjectCorrelationId ?? holder,
+          kmsKeyRef: digitalCredential.kmsKeyRef,
         })
-      } else {
-        switch (digitalCredential.subjectCorrelationType) {
-          case 'DID':
-            identifier = await session.context.agent.identifierManagedGetByDid({
-              identifier: digitalCredential.subjectCorrelationId ?? holder,
-              kmsKeyRef: digitalCredential.kmsKeyRef,
-            })
-            break
-          // TODO other implementations?
-          default:
-            // Since we are using the kmsKeyRef we will find the KID regardless of the identifier. We set it for later access though
-            identifier = await session.context.agent.identifierManagedGetByKid({
-              identifier: digitalCredential.subjectCorrelationId ?? holder ?? digitalCredential.kmsKeyRef,
-              kmsKeyRef: digitalCredential.kmsKeyRef,
-            })
-        }
-      }
+        break
+      // TODO other implementations?
+      default:
+        // Since we are using the kmsKeyRef we will find the KID regardless of the identifier. We set it for later access though
+        identifier = await session.context.agent.identifierManagedGetByKid({
+          identifier: digitalCredential.subjectCorrelationId ?? holder ?? digitalCredential.kmsKeyRef,
+          kmsKeyRef: digitalCredential.kmsKeyRef,
+        })
+    }
+  }
 
-  const dcqlCredentialsWithCredentials = new Map(
-    credentials.map((vc) => [convertToDcqlCredentials(vc), vc])
-  )
+  const dcqlCredentialsWithCredentials = new Map(credentials.map((vc) => [convertToDcqlCredentials(vc), vc]))
 
   const queryResult = DcqlQuery.query(request.dcqlQuery, Array.from(dcqlCredentialsWithCredentials.keys()))
 
@@ -149,7 +136,7 @@ export const siopSendAuthorizationResponse = async (
   const uniqueCredentials = Array.from(dcqlCredentialsWithCredentials.values())
   for (const [key, value] of Object.entries(queryResult.credential_matches)) {
     if (value.success) {
-      const matchedCredentials = value.valid_credentials.map(cred => uniqueCredentials[cred.input_credential_index])
+      const matchedCredentials = value.valid_credentials.map((cred) => uniqueCredentials[cred.input_credential_index])
       const vc = matchedCredentials[0] // taking the first match for now //uniqueCredentials[value.input_credential_index]
       if (!vc) {
         continue
@@ -158,23 +145,41 @@ export const siopSendAuthorizationResponse = async (
       if (!originalVc) {
         continue
       }
+      // FIXME SSISDK-44
+      const decodedSdJwt = await CredentialMapper.decodeSdJwtVcAsync(originalVc as string, defaultGenerateDigest)
+      const updatedSdJwt = updateSdJwtCredential(decodedSdJwt, request.requestObject?.getPayload()?.nonce, domain)
+
+      const presentationResult = await context.agent.createSdJwtPresentation({
+        presentation: updatedSdJwt.compactSdJwtVc,
+        kb: {
+          payload: {
+            ...updatedSdJwt.kbJwt?.payload,
+            // FIXME SSISDK-44
+            nonce: updatedSdJwt.kbJwt?.payload.nonce ?? request.requestObject!.getPayload()!.nonce,
+            // FIXME SSISDK-44
+            aud: updatedSdJwt.kbJwt?.payload.aud ?? domain,
+            iat: updatedSdJwt.kbJwt?.payload?.iat ?? Math.floor(Date.now() / 1000 - CLOCK_SKEW),
+          },
+        },
+      })
+
       if (originalVc) {
-        presentation[key] = originalVc as | string | { [x: string]: Json }
+        presentation[key] = presentationResult.presentation
       }
     }
   }
 
   const dcqlPresentation = DcqlPresentation.parse(presentation)
 
-      const response = session.sendAuthorizationResponse({
-        responseSignerOpts: identifier,
-        dcqlResponse: {
-          dcqlPresentation
-        }
-      })
+  const response = session.sendAuthorizationResponse({
+    responseSignerOpts: identifier,
+    dcqlResponse: {
+      dcqlPresentation,
+    },
+  })
 
-      logger.debug(`Response: `, response)
-      return response
+  logger.debug(`Response: `, response)
+  return response
 }
 
 const retrieveEncodedCredential = (credential: UniqueDigitalCredential): OriginalVerifiableCredential | undefined => {
@@ -186,19 +191,14 @@ const retrieveEncodedCredential = (credential: UniqueDigitalCredential): Origina
     : credential.originalVerifiableCredential
 }
 
-export const getSelectableCredentials = async (
-  dcqlQuery: DcqlQuery,
-  context: RequiredContext,
-): Promise<SelectableCredentialsMap> => {
+export const getSelectableCredentials = async (dcqlQuery: DcqlQuery, context: RequiredContext): Promise<SelectableCredentialsMap> => {
   const agentContext = { ...context, agent: context.agent }
   const { agent } = agentContext
   const uniqueVerifiableCredentials = await agent.crsGetUniqueCredentials({
     filter: verifiableCredentialForRoleFilter(CredentialRole.HOLDER),
   })
   const branding = await agent.ibGetCredentialBranding()
-  const dcqlCredentialsWithCredentials = new Map(
-    uniqueVerifiableCredentials.map((vc) => [convertToDcqlCredentials(vc), vc])
-  )
+  const dcqlCredentialsWithCredentials = new Map(uniqueVerifiableCredentials.map((vc) => [convertToDcqlCredentials(vc), vc]))
   const queryResult = DcqlQuery.query(dcqlQuery, Array.from(dcqlCredentialsWithCredentials.keys()))
   const uniqueCredentials = Array.from(dcqlCredentialsWithCredentials.values())
   const selectableCredentialsMap: SelectableCredentialsMap = new Map()
@@ -208,7 +208,7 @@ export const getSelectableCredentials = async (
       continue
     }
 
-    const mapSelectableCredentialPromises = value.valid_credentials.map(async cred => {
+    const mapSelectableCredentialPromises = value.valid_credentials.map(async (cred) => {
       const matchedCredential = uniqueCredentials[cred.input_credential_index]
       const credentialBranding = branding.filter((cb) => cb.vcHash === matchedCredential.hash)
       const issuerPartyIdentity = await agent.cmGetContacts({
@@ -246,3 +246,33 @@ export const translateCorrelationIdToName = async (correlationId: string, contex
 
   return contacts[0].contact.displayName
 }
+
+const updateSdJwtCredential = (
+  credential: SdJwtDecodedVerifiableCredential,
+  nonce?: string,
+  aud?: string,
+): PartialSdJwtDecodedVerifiableCredential => {
+  const sdJwtCredential = credential as SdJwtDecodedVerifiableCredential
+
+  // extract sd_alg or default to sha-256
+  const hashAlg = sdJwtCredential.signedPayload._sd_alg ?? 'sha-256'
+  const sdHash = calculateSdHash(sdJwtCredential.compactSdJwtVc, hashAlg, defaultGenerateDigest)
+
+  const kbJwt = {
+    // alg MUST be set by the signer
+    header: {
+      typ: 'kb+jwt',
+    },
+    payload: {
+      iat: Math.floor(new Date().getTime() / 1000),
+      sd_hash: sdHash,
+      ...(nonce && { nonce }),
+      ...(aud && { aud }),
+    },
+  } satisfies PartialSdJwtKbJwt
+
+  return {
+    ...sdJwtCredential,
+    kbJwt,
+  } satisfies PartialSdJwtDecodedVerifiableCredential
+}