@sphereon/ssi-sdk.siopv2-oid4vp-op-auth 0.34.1-next.29 → 0.34.1-next.299

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (20) hide show
  1. package/dist/index.cjs +629 -1112
  2. package/dist/index.cjs.map +1 -1
  3. package/dist/index.d.cts +710 -112
  4. package/dist/index.d.ts +710 -112
  5. package/dist/index.js +563 -1046
  6. package/dist/index.js.map +1 -1
  7. package/package.json +24 -24
  8. package/src/agent/DidAuthSiopOpAuthenticator.ts +10 -145
  9. package/src/index.ts +2 -1
  10. package/src/machine/Siopv2Machine.ts +5 -5
  11. package/src/services/Siopv2MachineService.ts +189 -265
  12. package/src/session/OID4VP.ts +310 -300
  13. package/src/session/OpSession.ts +22 -114
  14. package/src/session/functions.ts +1 -8
  15. package/src/types/IDidAuthSiopOpAuthenticator.ts +6 -59
  16. package/src/types/identifier/index.ts +0 -4
  17. package/src/types/machine/index.ts +1 -1
  18. package/src/types/siop-service/index.ts +12 -10
  19. package/src/utils/CredentialUtils.ts +2 -40
  20. package/src/utils/dcql.ts +22 -19
package/dist/index.cjs CHANGED
@@ -60,375 +60,371 @@ var require_nl = __commonJS({
60
60
  }
61
61
  });
62
62
 
63
+ // src/index.ts
64
+ var index_exports = {};
65
+ __export(index_exports, {
66
+ DEFAULT_JWT_PROOF_TYPE: () => DEFAULT_JWT_PROOF_TYPE,
67
+ DID_PREFIX: () => DID_PREFIX,
68
+ DidAuthSiopOpAuthenticator: () => DidAuthSiopOpAuthenticator,
69
+ LOGGER_NAMESPACE: () => LOGGER_NAMESPACE,
70
+ OID4VP: () => OID4VP,
71
+ OID4VPCallbackStateListener: () => OID4VPCallbackStateListener,
72
+ OpSession: () => OpSession,
73
+ Siopv2HolderEvent: () => Siopv2HolderEvent,
74
+ Siopv2Machine: () => Siopv2Machine,
75
+ Siopv2MachineAddContactStates: () => Siopv2MachineAddContactStates,
76
+ Siopv2MachineEvents: () => Siopv2MachineEvents,
77
+ Siopv2MachineGuards: () => Siopv2MachineGuards,
78
+ Siopv2MachineServices: () => Siopv2MachineServices,
79
+ Siopv2MachineStates: () => Siopv2MachineStates,
80
+ Siopv2OID4VPLinkHandler: () => Siopv2OID4VPLinkHandler,
81
+ SupportedLanguage: () => SupportedLanguage,
82
+ convertToDcqlCredentials: () => convertToDcqlCredentials,
83
+ createJwtCallbackWithIdOpts: () => createJwtCallbackWithIdOpts,
84
+ createJwtCallbackWithOpOpts: () => createJwtCallbackWithOpOpts,
85
+ createOID4VPPresentationSignCallback: () => createOID4VPPresentationSignCallback,
86
+ createOP: () => createOP,
87
+ createOPBuilder: () => createOPBuilder,
88
+ didAuthSiopOpAuthenticatorMethods: () => didAuthSiopOpAuthenticatorMethods,
89
+ getSigningAlgo: () => getSigningAlgo,
90
+ schema: () => plugin_schema_default
91
+ });
92
+ module.exports = __toCommonJS(index_exports);
93
+
63
94
  // plugin.schema.json
64
- var require_plugin_schema = __commonJS({
65
- "plugin.schema.json"(exports, module2) {
66
- module2.exports = {
67
- IDidAuthSiopOpAuthenticator: {
68
- components: {
69
- schemas: {
70
- IGetSiopSessionArgs: {
71
- type: "object",
72
- properties: {
73
- sessionId: {
74
- type: "string"
75
- },
76
- additionalProperties: false
77
- },
78
- required: ["sessionId"],
79
- description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.getSessionForSiop } "
95
+ var plugin_schema_default = {
96
+ IDidAuthSiopOpAuthenticator: {
97
+ components: {
98
+ schemas: {
99
+ IGetSiopSessionArgs: {
100
+ type: "object",
101
+ properties: {
102
+ sessionId: {
103
+ type: "string"
80
104
  },
81
- IRegisterSiopSessionArgs: {
105
+ additionalProperties: false
106
+ },
107
+ required: ["sessionId"],
108
+ description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.getSessionForSiop } "
109
+ },
110
+ IRegisterSiopSessionArgs: {
111
+ type: "object",
112
+ properties: {
113
+ identifier: {
82
114
  type: "object",
83
115
  properties: {
84
- identifier: {
85
- type: "object",
86
- properties: {
87
- did: {
88
- type: "string"
89
- },
90
- alias: {
91
- type: "string"
92
- },
93
- provider: {
94
- type: "string"
95
- },
96
- controllerKeyId: {
97
- type: "string"
98
- },
99
- keys: {
100
- type: "array",
101
- items: {
102
- type: "object",
103
- properties: {
104
- additionalProperties: true
105
- }
106
- }
107
- },
108
- services: {
109
- type: "array",
110
- items: {
111
- type: "object",
112
- properties: {
113
- additionalProperties: true
114
- }
115
- }
116
- }
117
- },
118
- additionalProperties: false,
119
- required: ["did", "provider", "keys", "services"]
120
- },
121
- sessionId: {
116
+ did: {
122
117
  type: "string"
123
118
  },
124
- expiresIn: {
125
- type: "number"
126
- },
127
- additionalProperties: false
128
- },
129
- required: ["identifier"],
130
- description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.registerSessionForSiop } "
131
- },
132
- IRemoveSiopSessionArgs: {
133
- type: "object",
134
- properties: {
135
- sessionId: {
119
+ alias: {
136
120
  type: "string"
137
121
  },
138
- additionalProperties: false
139
- },
140
- required: ["sessionId"],
141
- description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.removeSessionForSiop } "
142
- },
143
- IAuthenticateWithSiopArgs: {
144
- type: "object",
145
- properties: {
146
- sessionId: {
122
+ provider: {
147
123
  type: "string"
148
124
  },
149
- stateId: {
125
+ controllerKeyId: {
150
126
  type: "string"
151
127
  },
152
- redirectUrl: {
153
- type: "string"
128
+ keys: {
129
+ type: "array",
130
+ items: {
131
+ type: "object",
132
+ properties: {
133
+ additionalProperties: true
134
+ }
135
+ }
154
136
  },
155
- additionalProperties: false
137
+ services: {
138
+ type: "array",
139
+ items: {
140
+ type: "object",
141
+ properties: {
142
+ additionalProperties: true
143
+ }
144
+ }
145
+ }
156
146
  },
157
- required: ["sessionId", "stateId", "redirectUrl"],
158
- description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.authenticateWithSiop } "
147
+ additionalProperties: false,
148
+ required: ["did", "provider", "keys", "services"]
149
+ },
150
+ sessionId: {
151
+ type: "string"
159
152
  },
160
- IResponse: {
153
+ expiresIn: {
154
+ type: "number"
155
+ },
156
+ additionalProperties: false
157
+ },
158
+ required: ["identifier"],
159
+ description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.registerSessionForSiop } "
160
+ },
161
+ IRemoveSiopSessionArgs: {
162
+ type: "object",
163
+ properties: {
164
+ sessionId: {
165
+ type: "string"
166
+ },
167
+ additionalProperties: false
168
+ },
169
+ required: ["sessionId"],
170
+ description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.removeSessionForSiop } "
171
+ },
172
+ IAuthenticateWithSiopArgs: {
173
+ type: "object",
174
+ properties: {
175
+ sessionId: {
176
+ type: "string"
177
+ },
178
+ stateId: {
179
+ type: "string"
180
+ },
181
+ redirectUrl: {
182
+ type: "string"
183
+ },
184
+ additionalProperties: false
185
+ },
186
+ required: ["sessionId", "stateId", "redirectUrl"],
187
+ description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.authenticateWithSiop } "
188
+ },
189
+ IResponse: {
190
+ type: "object",
191
+ properties: {
192
+ status: {
193
+ type: "number"
194
+ },
195
+ additionalProperties: true
196
+ },
197
+ required: ["status"],
198
+ description: "Result of {@link DidAuthSiopOpAuthenticator.authenticateWithSiop & DidAuthSiopOpAuthenticator.sendSiopAuthenticationResponse } "
199
+ },
200
+ IGetSiopAuthenticationRequestFromRpArgs: {
201
+ type: "object",
202
+ properties: {
203
+ sessionId: {
204
+ type: "string"
205
+ },
206
+ stateId: {
207
+ type: "string"
208
+ },
209
+ redirectUrl: {
210
+ type: "string"
211
+ },
212
+ additionalProperties: false
213
+ },
214
+ required: ["sessionId", "stateId", "redirectUrl"],
215
+ description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.getSiopAuthenticationRequestFromRP } "
216
+ },
217
+ ParsedAuthenticationRequestURI: {
218
+ type: "object",
219
+ properties: {
220
+ jwt: {
221
+ type: "string"
222
+ },
223
+ requestPayload: {
161
224
  type: "object",
162
225
  properties: {
163
- status: {
164
- type: "number"
165
- },
166
226
  additionalProperties: true
167
- },
168
- required: ["status"],
169
- description: "Result of {@link DidAuthSiopOpAuthenticator.authenticateWithSiop & DidAuthSiopOpAuthenticator.sendSiopAuthenticationResponse } "
227
+ }
170
228
  },
171
- IGetSiopAuthenticationRequestFromRpArgs: {
229
+ registration: {
172
230
  type: "object",
173
231
  properties: {
174
- sessionId: {
175
- type: "string"
176
- },
177
- stateId: {
178
- type: "string"
179
- },
180
- redirectUrl: {
181
- type: "string"
182
- },
183
- additionalProperties: false
184
- },
185
- required: ["sessionId", "stateId", "redirectUrl"],
186
- description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.getSiopAuthenticationRequestFromRP } "
232
+ additionalProperties: true
233
+ }
187
234
  },
188
- ParsedAuthenticationRequestURI: {
235
+ additionalProperties: false
236
+ },
237
+ required: ["jwt", "requestPayload", "registration"],
238
+ description: "Result of {@link DidAuthSiopOpAuthenticator.getSiopAuthenticationRequestFromRP } "
239
+ },
240
+ IGetSiopAuthenticationRequestDetailsArgs: {
241
+ type: "object",
242
+ properties: {
243
+ sessionId: {
244
+ type: "string"
245
+ },
246
+ verifiedAuthenticationRequest: {
189
247
  type: "object",
190
248
  properties: {
191
- jwt: {
192
- type: "string"
193
- },
194
- requestPayload: {
195
- type: "object",
196
- properties: {
197
- additionalProperties: true
198
- }
199
- },
200
- registration: {
201
- type: "object",
202
- properties: {
203
- additionalProperties: true
204
- }
205
- },
206
- additionalProperties: false
207
- },
208
- required: ["jwt", "requestPayload", "registration"],
209
- description: "Result of {@link DidAuthSiopOpAuthenticator.getSiopAuthenticationRequestFromRP } "
249
+ additionalProperties: true
250
+ }
210
251
  },
211
- IGetSiopAuthenticationRequestDetailsArgs: {
252
+ credentialFilter: {
212
253
  type: "object",
213
254
  properties: {
214
- sessionId: {
215
- type: "string"
216
- },
217
- verifiedAuthenticationRequest: {
218
- type: "object",
219
- properties: {
220
- additionalProperties: true
221
- }
222
- },
223
- credentialFilter: {
224
- type: "object",
225
- properties: {
226
- additionalProperties: true
227
- }
228
- },
229
- additionalProperties: false
230
- },
231
- required: ["sessionId", "verifiedAuthenticationRequest"],
232
- description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.getSiopAuthenticationRequestDetails } "
255
+ additionalProperties: true
256
+ }
257
+ },
258
+ additionalProperties: false
259
+ },
260
+ required: ["sessionId", "verifiedAuthenticationRequest"],
261
+ description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.getSiopAuthenticationRequestDetails } "
262
+ },
263
+ IAuthRequestDetails: {
264
+ type: "object",
265
+ properties: {
266
+ id: {
267
+ type: "string"
268
+ },
269
+ alsoKnownAs: {
270
+ type: "array",
271
+ items: {
272
+ type: "string"
273
+ }
233
274
  },
234
- IAuthRequestDetails: {
275
+ vpResponseOpts: {
235
276
  type: "object",
236
277
  properties: {
237
- id: {
238
- type: "string"
239
- },
240
- alsoKnownAs: {
241
- type: "array",
242
- items: {
243
- type: "string"
244
- }
245
- },
246
- vpResponseOpts: {
247
- type: "object",
248
- properties: {
249
- additionalProperties: true
250
- }
251
- },
252
- additionalProperties: false
253
- },
254
- required: ["id", "vpResponseOpts"],
255
- description: "Result of {@link DidAuthSiopOpAuthenticator.getSiopAuthenticationRequestDetails } "
278
+ additionalProperties: true
279
+ }
256
280
  },
257
- IVerifySiopAuthenticationRequestUriArgs: {
281
+ additionalProperties: false
282
+ },
283
+ required: ["id", "vpResponseOpts"],
284
+ description: "Result of {@link DidAuthSiopOpAuthenticator.getSiopAuthenticationRequestDetails } "
285
+ },
286
+ IVerifySiopAuthenticationRequestUriArgs: {
287
+ type: "object",
288
+ properties: {
289
+ sessionId: {
290
+ type: "string"
291
+ },
292
+ ParsedAuthenticationRequestURI: {
258
293
  type: "object",
259
294
  properties: {
260
- sessionId: {
261
- type: "string"
262
- },
263
- ParsedAuthenticationRequestURI: {
264
- type: "object",
265
- properties: {
266
- additionalProperties: true
267
- }
268
- },
269
- additionalProperties: false
270
- },
271
- required: ["sessionId", "ParsedAuthenticationRequestURI"],
272
- description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.verifySiopAuthenticationRequestURI } "
295
+ additionalProperties: true
296
+ }
273
297
  },
274
- VerifiedAuthorizationRequest: {
298
+ additionalProperties: false
299
+ },
300
+ required: ["sessionId", "ParsedAuthenticationRequestURI"],
301
+ description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.verifySiopAuthenticationRequestURI } "
302
+ },
303
+ VerifiedAuthorizationRequest: {
304
+ type: "object",
305
+ properties: {
306
+ payload: {
275
307
  type: "object",
276
308
  properties: {
277
- payload: {
278
- type: "object",
279
- properties: {
280
- additionalProperties: true
281
- }
282
- },
283
- presentationDefinitions: {
284
- type: "object",
285
- properties: {
286
- additionalProperties: true
287
- }
288
- },
289
- verifyOpts: {
290
- type: "object",
291
- properties: {
292
- additionalProperties: true
293
- }
294
- },
295
- additionalProperties: false
296
- },
297
- required: ["payload", "verifyOpts"],
298
- description: "Result of {@link DidAuthSiopOpAuthenticator.verifySiopAuthenticationRequestURI } "
309
+ additionalProperties: true
310
+ }
299
311
  },
300
- ISendSiopAuthenticationResponseArgs: {
312
+ presentationDefinitions: {
301
313
  type: "object",
302
314
  properties: {
303
- sessionId: {
304
- type: "string"
305
- },
306
- verifiedAuthenticationRequest: {
307
- type: "object",
308
- properties: {
309
- additionalProperties: true
310
- }
311
- },
312
- verifiablePresentationResponse: {
313
- type: "object",
314
- properties: {
315
- additionalProperties: true
316
- }
317
- },
318
- additionalProperties: false
319
- },
320
- required: ["sessionId", "verifiedAuthenticationRequest"],
321
- description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.sendSiopAuthenticationResponse } "
322
- }
323
- },
324
- methods: {
325
- getSessionForSiop: {
326
- description: "Get SIOP session",
327
- arguments: {
328
- $ref: "#/components/schemas/IGetSiopSessionArgs"
329
- },
330
- returnType: "object"
331
- },
332
- registerSessionForSiop: {
333
- description: "Register SIOP session",
334
- arguments: {
335
- $ref: "#/components/schemas/IRegisterSiopSessionArgs"
336
- },
337
- returnType: "object"
338
- },
339
- removeSessionForSiop: {
340
- description: "Remove SIOP session",
341
- arguments: {
342
- $ref: "#/components/schemas/IRemoveSiopSessionArgs"
343
- },
344
- returnType: "boolean"
345
- },
346
- authenticateWithSiop: {
347
- description: "Authenticate using DID Auth SIOP",
348
- arguments: {
349
- $ref: "#/components/schemas/IAuthenticateWithSiopArgs"
350
- },
351
- returnType: {
352
- $ref: "#/components/schemas/Response"
315
+ additionalProperties: true
353
316
  }
354
317
  },
355
- getSiopAuthenticationRequestFromRP: {
356
- description: "Get authentication request from RP",
357
- arguments: {
358
- $ref: "#/components/schemas/IGetSiopAuthenticationRequestFromRpArgs"
359
- },
360
- returnType: {
361
- $ref: "#/components/schemas/ParsedAuthenticationRequestURI"
318
+ verifyOpts: {
319
+ type: "object",
320
+ properties: {
321
+ additionalProperties: true
362
322
  }
363
323
  },
364
- getSiopAuthenticationRequestDetails: {
365
- description: "Get authentication request details",
366
- arguments: {
367
- $ref: "#/components/schemas/IGetSiopAuthenticationRequestDetailsArgs"
368
- },
369
- returnType: {
370
- $ref: "#/components/schemas/IAuthRequestDetails"
371
- }
324
+ additionalProperties: false
325
+ },
326
+ required: ["payload", "verifyOpts"],
327
+ description: "Result of {@link DidAuthSiopOpAuthenticator.verifySiopAuthenticationRequestURI } "
328
+ },
329
+ ISendSiopAuthenticationResponseArgs: {
330
+ type: "object",
331
+ properties: {
332
+ sessionId: {
333
+ type: "string"
372
334
  },
373
- verifySiopAuthenticationRequestURI: {
374
- description: "Verify authentication request URI",
375
- arguments: {
376
- $ref: "#/components/schemas/IVerifySiopAuthenticationRequestUriArgs"
377
- },
378
- returnType: {
379
- $ref: "#/components/schemas/VerifiedAuthorizationRequest"
335
+ verifiedAuthenticationRequest: {
336
+ type: "object",
337
+ properties: {
338
+ additionalProperties: true
380
339
  }
381
340
  },
382
- sendSiopAuthenticationResponse: {
383
- description: "Send authentication response",
384
- arguments: {
385
- $ref: "#/components/schemas/ISendSiopAuthenticationResponseArgs"
386
- },
387
- returnType: {
388
- $ref: "#/components/schemas/IRequiredContext"
341
+ verifiablePresentationResponse: {
342
+ type: "object",
343
+ properties: {
344
+ additionalProperties: true
389
345
  }
390
- }
346
+ },
347
+ additionalProperties: false
348
+ },
349
+ required: ["sessionId", "verifiedAuthenticationRequest"],
350
+ description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.sendSiopAuthenticationResponse } "
351
+ }
352
+ },
353
+ methods: {
354
+ getSessionForSiop: {
355
+ description: "Get SIOP session",
356
+ arguments: {
357
+ $ref: "#/components/schemas/IGetSiopSessionArgs"
358
+ },
359
+ returnType: "object"
360
+ },
361
+ registerSessionForSiop: {
362
+ description: "Register SIOP session",
363
+ arguments: {
364
+ $ref: "#/components/schemas/IRegisterSiopSessionArgs"
365
+ },
366
+ returnType: "object"
367
+ },
368
+ removeSessionForSiop: {
369
+ description: "Remove SIOP session",
370
+ arguments: {
371
+ $ref: "#/components/schemas/IRemoveSiopSessionArgs"
372
+ },
373
+ returnType: "boolean"
374
+ },
375
+ authenticateWithSiop: {
376
+ description: "Authenticate using DID Auth SIOP",
377
+ arguments: {
378
+ $ref: "#/components/schemas/IAuthenticateWithSiopArgs"
379
+ },
380
+ returnType: {
381
+ $ref: "#/components/schemas/Response"
382
+ }
383
+ },
384
+ getSiopAuthenticationRequestFromRP: {
385
+ description: "Get authentication request from RP",
386
+ arguments: {
387
+ $ref: "#/components/schemas/IGetSiopAuthenticationRequestFromRpArgs"
388
+ },
389
+ returnType: {
390
+ $ref: "#/components/schemas/ParsedAuthenticationRequestURI"
391
+ }
392
+ },
393
+ getSiopAuthenticationRequestDetails: {
394
+ description: "Get authentication request details",
395
+ arguments: {
396
+ $ref: "#/components/schemas/IGetSiopAuthenticationRequestDetailsArgs"
397
+ },
398
+ returnType: {
399
+ $ref: "#/components/schemas/IAuthRequestDetails"
400
+ }
401
+ },
402
+ verifySiopAuthenticationRequestURI: {
403
+ description: "Verify authentication request URI",
404
+ arguments: {
405
+ $ref: "#/components/schemas/IVerifySiopAuthenticationRequestUriArgs"
406
+ },
407
+ returnType: {
408
+ $ref: "#/components/schemas/VerifiedAuthorizationRequest"
409
+ }
410
+ },
411
+ sendSiopAuthenticationResponse: {
412
+ description: "Send authentication response",
413
+ arguments: {
414
+ $ref: "#/components/schemas/ISendSiopAuthenticationResponseArgs"
415
+ },
416
+ returnType: {
417
+ $ref: "#/components/schemas/IRequiredContext"
391
418
  }
392
419
  }
393
420
  }
394
- };
421
+ }
395
422
  }
396
- });
397
-
398
- // src/index.ts
399
- var index_exports = {};
400
- __export(index_exports, {
401
- DEFAULT_JWT_PROOF_TYPE: () => DEFAULT_JWT_PROOF_TYPE,
402
- DID_PREFIX: () => DID_PREFIX,
403
- DidAuthSiopOpAuthenticator: () => DidAuthSiopOpAuthenticator,
404
- LOGGER_NAMESPACE: () => LOGGER_NAMESPACE,
405
- OID4VP: () => OID4VP,
406
- OID4VPCallbackStateListener: () => OID4VPCallbackStateListener,
407
- OpSession: () => OpSession,
408
- Siopv2HolderEvent: () => Siopv2HolderEvent,
409
- Siopv2Machine: () => Siopv2Machine,
410
- Siopv2MachineAddContactStates: () => Siopv2MachineAddContactStates,
411
- Siopv2MachineEvents: () => Siopv2MachineEvents,
412
- Siopv2MachineGuards: () => Siopv2MachineGuards,
413
- Siopv2MachineServices: () => Siopv2MachineServices,
414
- Siopv2MachineStates: () => Siopv2MachineStates,
415
- Siopv2OID4VPLinkHandler: () => Siopv2OID4VPLinkHandler,
416
- SupportedLanguage: () => SupportedLanguage,
417
- createJwtCallbackWithIdOpts: () => createJwtCallbackWithIdOpts,
418
- createJwtCallbackWithOpOpts: () => createJwtCallbackWithOpOpts,
419
- createOID4VPPresentationSignCallback: () => createOID4VPPresentationSignCallback,
420
- createOP: () => createOP,
421
- createOPBuilder: () => createOPBuilder,
422
- didAuthSiopOpAuthenticatorMethods: () => didAuthSiopOpAuthenticatorMethods,
423
- events: () => events,
424
- getSigningAlgo: () => getSigningAlgo,
425
- schema: () => schema
426
- });
427
- module.exports = __toCommonJS(index_exports);
423
+ };
428
424
 
429
425
  // src/agent/DidAuthSiopOpAuthenticator.ts
430
- var import_did_auth_siop5 = require("@sphereon/did-auth-siop");
431
- var import_ssi_sdk8 = require("@sphereon/ssi-sdk.data-store");
426
+ var import_did_auth_siop4 = require("@sphereon/did-auth-siop");
427
+ var import_ssi_sdk7 = require("@sphereon/ssi-sdk.data-store-types");
432
428
  var import_ssi_types7 = require("@sphereon/ssi-types");
433
429
  var import_uuid2 = require("uuid");
434
430
 
@@ -455,10 +451,8 @@ __name(createOID4VPPresentationSignCallback, "createOID4VPPresentationSignCallba
455
451
  async function createOPBuilder({ opOptions, idOpts: idOpts1, context }) {
456
452
  const eventEmitter = opOptions.eventEmitter ?? new import_events.EventEmitter();
457
453
  const builder = import_did_auth_siop.OP.builder().withResponseMode(opOptions.responseMode ?? import_did_auth_siop.ResponseMode.DIRECT_POST).withSupportedVersions(opOptions.supportedVersions ?? [
458
- import_did_auth_siop.SupportedVersion.SIOPv2_ID1,
459
- import_did_auth_siop.SupportedVersion.JWT_VC_PRESENTATION_PROFILE_v1,
460
- import_did_auth_siop.SupportedVersion.SIOPv2_D11,
461
- import_did_auth_siop.SupportedVersion.SIOPv2_D12_OID4VP_D18
454
+ import_did_auth_siop.SupportedVersion.OID4VP_v1,
455
+ import_did_auth_siop.SupportedVersion.SIOPv2_OID4VP_D28
462
456
  ]).withExpiresIn(opOptions.expiresIn ?? 300).withEventEmitter(eventEmitter).withRegistration({
463
457
  passBy: import_did_auth_siop.PassBy.VALUE
464
458
  });
@@ -563,126 +557,37 @@ __name(getVerifyJwtCallback, "getVerifyJwtCallback");
563
557
  async function createOP({ opOptions, idOpts: idOpts1, context }) {
564
558
  return (await createOPBuilder({
565
559
  opOptions,
566
- idOpts: idOpts1,
567
- context
568
- })).build();
569
- }
570
- __name(createOP, "createOP");
571
- function getSigningAlgo(type) {
572
- switch (type) {
573
- case "Ed25519":
574
- return import_oid4vc_common.SigningAlgo.EDDSA;
575
- case "Secp256k1":
576
- return import_oid4vc_common.SigningAlgo.ES256K;
577
- case "Secp256r1":
578
- return import_oid4vc_common.SigningAlgo.ES256;
579
- // @ts-ignore
580
- case "RSA":
581
- return import_oid4vc_common.SigningAlgo.RS256;
582
- default:
583
- throw Error("Key type not yet supported");
584
- }
585
- }
586
- __name(getSigningAlgo, "getSigningAlgo");
587
-
588
- // src/session/OID4VP.ts
589
- var import_did_auth_siop2 = require("@sphereon/did-auth-siop");
590
- var import_pex = require("@sphereon/pex");
591
- var import_ssi_sdk_ext2 = require("@sphereon/ssi-sdk-ext.identifier-resolution");
592
- var import_ssi_sdk2 = require("@sphereon/ssi-sdk.core");
593
- var import_ssi_sdk3 = require("@sphereon/ssi-sdk.credential-store");
594
-
595
- // src/types/IDidAuthSiopOpAuthenticator.ts
596
- var LOGGER_NAMESPACE = "sphereon:siopv2-oid4vp:op-auth";
597
- var events = /* @__PURE__ */ function(events2) {
598
- events2["DID_SIOP_AUTHENTICATED"] = "didSiopAuthenticated";
599
- return events2;
600
- }({});
601
- var DEFAULT_JWT_PROOF_TYPE = "JwtProof2020";
602
-
603
- // src/types/siop-service/index.ts
604
- var Siopv2HolderEvent = /* @__PURE__ */ function(Siopv2HolderEvent2) {
605
- Siopv2HolderEvent2["CONTACT_IDENTITY_CREATED"] = "contact_identity_created";
606
- Siopv2HolderEvent2["IDENTIFIER_CREATED"] = "identifier_created";
607
- return Siopv2HolderEvent2;
608
- }({});
609
- var SupportedLanguage = /* @__PURE__ */ function(SupportedLanguage2) {
610
- SupportedLanguage2["ENGLISH"] = "en";
611
- SupportedLanguage2["DUTCH"] = "nl";
612
- return SupportedLanguage2;
613
- }({});
614
-
615
- // src/types/machine/index.ts
616
- var Siopv2MachineStates = /* @__PURE__ */ function(Siopv2MachineStates2) {
617
- Siopv2MachineStates2["createConfig"] = "createConfig";
618
- Siopv2MachineStates2["getSiopRequest"] = "getSiopRequest";
619
- Siopv2MachineStates2["getSelectableCredentials"] = "getSelectableCredentials";
620
- Siopv2MachineStates2["retrieveContact"] = "retrieveContact";
621
- Siopv2MachineStates2["transitionFromSetup"] = "transitionFromSetup";
622
- Siopv2MachineStates2["addContact"] = "addContact";
623
- Siopv2MachineStates2["addContactIdentity"] = "addContactIdentity";
624
- Siopv2MachineStates2["selectCredentials"] = "selectCredentials";
625
- Siopv2MachineStates2["sendResponse"] = "sendResponse";
626
- Siopv2MachineStates2["handleError"] = "handleError";
627
- Siopv2MachineStates2["aborted"] = "aborted";
628
- Siopv2MachineStates2["declined"] = "declined";
629
- Siopv2MachineStates2["error"] = "error";
630
- Siopv2MachineStates2["done"] = "done";
631
- return Siopv2MachineStates2;
632
- }({});
633
- var Siopv2MachineAddContactStates = /* @__PURE__ */ function(Siopv2MachineAddContactStates2) {
634
- Siopv2MachineAddContactStates2["idle"] = "idle";
635
- Siopv2MachineAddContactStates2["executing"] = "executing";
636
- Siopv2MachineAddContactStates2["next"] = "next";
637
- return Siopv2MachineAddContactStates2;
638
- }({});
639
- var Siopv2MachineEvents = /* @__PURE__ */ function(Siopv2MachineEvents2) {
640
- Siopv2MachineEvents2["NEXT"] = "NEXT";
641
- Siopv2MachineEvents2["PREVIOUS"] = "PREVIOUS";
642
- Siopv2MachineEvents2["DECLINE"] = "DECLINE";
643
- Siopv2MachineEvents2["SET_CONTACT_ALIAS"] = "SET_CONTACT_ALIAS";
644
- Siopv2MachineEvents2["SET_CONTACT_CONSENT"] = "SET_CONTACT_CONSENT";
645
- Siopv2MachineEvents2["CREATE_CONTACT"] = "CREATE_CONTACT";
646
- Siopv2MachineEvents2["SET_SELECTED_CREDENTIALS"] = "SET_SELECTED_CREDENTIALS";
647
- return Siopv2MachineEvents2;
648
- }({});
649
- var Siopv2MachineGuards = /* @__PURE__ */ function(Siopv2MachineGuards2) {
650
- Siopv2MachineGuards2["hasNoContactGuard"] = "Siopv2HasNoContactGuard";
651
- Siopv2MachineGuards2["createContactGuard"] = "Siopv2CreateContactGuard";
652
- Siopv2MachineGuards2["hasContactGuard"] = "Siopv2HasContactGuard";
653
- Siopv2MachineGuards2["hasAuthorizationRequestGuard"] = "Siopv2HasAuthorizationRequestGuard";
654
- Siopv2MachineGuards2["hasSelectableCredentialsAndContactGuard"] = "Siopv2HasSelectableCredentialsAndContactGuard";
655
- Siopv2MachineGuards2["hasSelectedRequiredCredentialsGuard"] = "Siopv2HasSelectedRequiredCredentialsGuard";
656
- Siopv2MachineGuards2["siopOnlyGuard"] = "Siopv2IsSiopOnlyGuard";
657
- Siopv2MachineGuards2["siopWithOID4VPGuard"] = "Siopv2IsSiopWithOID4VPGuard";
658
- return Siopv2MachineGuards2;
659
- }({});
660
- var Siopv2MachineServices = /* @__PURE__ */ function(Siopv2MachineServices2) {
661
- Siopv2MachineServices2["getSiopRequest"] = "getSiopRequest";
662
- Siopv2MachineServices2["getSelectableCredentials"] = "getSelectableCredentials";
663
- Siopv2MachineServices2["retrieveContact"] = "retrieveContact";
664
- Siopv2MachineServices2["addContactIdentity"] = "addContactIdentity";
665
- Siopv2MachineServices2["sendResponse"] = "sendResponse";
666
- Siopv2MachineServices2["createConfig"] = "createConfig";
667
- return Siopv2MachineServices2;
668
- }({});
669
-
670
- // src/types/identifier/index.ts
671
- var DID_PREFIX = "did";
560
+ idOpts: idOpts1,
561
+ context
562
+ })).build();
563
+ }
564
+ __name(createOP, "createOP");
565
+ function getSigningAlgo(type) {
566
+ switch (type) {
567
+ case "Ed25519":
568
+ return import_oid4vc_common.SigningAlgo.EDDSA;
569
+ case "Secp256k1":
570
+ return import_oid4vc_common.SigningAlgo.ES256K;
571
+ case "Secp256r1":
572
+ return import_oid4vc_common.SigningAlgo.ES256;
573
+ // @ts-ignore
574
+ case "RSA":
575
+ return import_oid4vc_common.SigningAlgo.RS256;
576
+ default:
577
+ throw Error("Key type not yet supported");
578
+ }
579
+ }
580
+ __name(getSigningAlgo, "getSigningAlgo");
672
581
 
673
582
  // src/session/OID4VP.ts
674
583
  var OID4VP = class _OID4VP {
675
584
  static {
676
585
  __name(this, "OID4VP");
677
586
  }
678
- session;
679
- allIdentifiers;
680
- hasher;
587
+ //private readonly session: OpSession
588
+ // private readonly allIdentifiers: string[]
589
+ // private readonly hasher?: HasherSync
681
590
  constructor(args) {
682
- const { session, allIdentifiers, hasher = import_ssi_sdk2.defaultHasher } = args;
683
- this.session = session;
684
- this.allIdentifiers = allIdentifiers ?? [];
685
- this.hasher = hasher;
686
591
  }
687
592
  static async init(session, allIdentifiers, hasher) {
688
593
  return new _OID4VP({
@@ -691,184 +596,14 @@ var OID4VP = class _OID4VP {
691
596
  hasher
692
597
  });
693
598
  }
694
- async getPresentationDefinitions() {
695
- const definitions = await this.session.getPresentationDefinitions();
696
- if (definitions) {
697
- import_did_auth_siop2.PresentationExchange.assertValidPresentationDefinitionWithLocations(definitions);
698
- }
699
- return definitions;
700
- }
701
- getPresentationExchange(args) {
702
- const { verifiableCredentials, allIdentifiers, hasher } = args;
703
- return new import_did_auth_siop2.PresentationExchange({
704
- allDIDs: allIdentifiers ?? this.allIdentifiers,
705
- allVerifiableCredentials: verifiableCredentials,
706
- hasher: hasher ?? this.hasher
707
- });
708
- }
709
- async createVerifiablePresentations(credentialRole, credentialsWithDefinitions, opts) {
710
- return await Promise.all(credentialsWithDefinitions.map((cred) => this.createVerifiablePresentation(credentialRole, cred, opts)));
711
- }
712
- async createVerifiablePresentation(credentialRole, selectedVerifiableCredentials, opts) {
713
- const { subjectIsHolder, holder, forceNoCredentialsInVP = false } = {
714
- ...opts
715
- };
716
- if (subjectIsHolder && holder) {
717
- throw Error("Cannot both have subject is holder and a holderDID value at the same time (programming error)");
718
- }
719
- if (forceNoCredentialsInVP) {
720
- selectedVerifiableCredentials.credentials = [];
721
- } else if (!selectedVerifiableCredentials?.credentials || selectedVerifiableCredentials.credentials.length === 0) {
722
- throw Error("No verifiable verifiableCredentials provided for presentation definition");
723
- }
724
- const proofOptions = {
725
- ...opts?.proofOpts,
726
- challenge: opts?.proofOpts?.nonce ?? opts?.proofOpts?.challenge ?? this.session.nonce,
727
- domain: opts?.proofOpts?.domain ?? await this.session.getRedirectUri()
728
- };
729
- let idOpts2 = opts?.idOpts;
730
- if (!idOpts2) {
731
- if (opts?.subjectIsHolder) {
732
- if (forceNoCredentialsInVP) {
733
- return Promise.reject(Error(`Cannot have subject is holder, when force no credentials is being used, as we could never determine the holder then. Please provide holderDID`));
734
- }
735
- const firstUniqueDC = selectedVerifiableCredentials.credentials[0];
736
- if (typeof firstUniqueDC !== "object" || !("digitalCredential" in firstUniqueDC)) {
737
- return Promise.reject(Error("If no opts provided, credentials should be of type UniqueDigitalCredential"));
738
- }
739
- idOpts2 = (0, import_ssi_sdk_ext2.isOID4VCIssuerIdentifier)(firstUniqueDC.digitalCredential.kmsKeyRef) ? await this.session.context.agent.identifierManagedGetByIssuer({
740
- identifier: firstUniqueDC.digitalCredential.kmsKeyRef
741
- }) : await this.session.context.agent.identifierManagedGetByKid({
742
- identifier: firstUniqueDC.digitalCredential.kmsKeyRef,
743
- kmsKeyRef: firstUniqueDC.digitalCredential.kmsKeyRef
744
- });
745
- } else if (opts?.holder) {
746
- idOpts2 = {
747
- identifier: opts.holder
748
- };
749
- }
750
- }
751
- const vcs = forceNoCredentialsInVP ? selectedVerifiableCredentials : opts?.applyFilter ? await this.filterCredentials(credentialRole, selectedVerifiableCredentials.definition, {
752
- restrictToFormats: opts?.restrictToFormats,
753
- restrictToDIDMethods: opts?.restrictToDIDMethods,
754
- filterOpts: {
755
- verifiableCredentials: selectedVerifiableCredentials.credentials
756
- }
757
- }) : {
758
- definition: selectedVerifiableCredentials.definition,
759
- credentials: selectedVerifiableCredentials.credentials
760
- };
761
- if (!idOpts2) {
762
- return Promise.reject(Error(`No identifier options present at this point`));
763
- }
764
- const signCallback = await createOID4VPPresentationSignCallback({
765
- presentationSignCallback: this.session.options.presentationSignCallback,
766
- idOpts: idOpts2,
767
- context: this.session.context,
768
- domain: proofOptions.domain,
769
- challenge: proofOptions.challenge,
770
- format: opts?.restrictToFormats ?? selectedVerifiableCredentials.definition.definition.format,
771
- skipDidResolution: opts?.skipDidResolution ?? false
772
- });
773
- const identifier = await this.session.context.agent.identifierManagedGet(idOpts2);
774
- const verifiableCredentials = vcs.credentials.map((credential) => typeof credential === "object" && "digitalCredential" in credential ? credential.originalVerifiableCredential : credential);
775
- const presentationResult = await this.getPresentationExchange({
776
- verifiableCredentials,
777
- allIdentifiers: this.allIdentifiers,
778
- hasher: opts?.hasher
779
- }).createVerifiablePresentation(vcs.definition.definition, verifiableCredentials, signCallback, {
780
- proofOptions,
781
- // fixme: Update to newer siop-vp to not require dids here. But when Veramo is creating the VP it's still looking at this field to pass into didManagerGet
782
- ...identifier && (0, import_ssi_sdk_ext2.isManagedIdentifierDidResult)(identifier) && {
783
- holderDID: identifier.did
784
- }
785
- });
786
- const verifiablePresentations = presentationResult.verifiablePresentations.map((verifiablePresentation) => typeof verifiablePresentation !== "string" && "proof" in verifiablePresentation && "jwt" in verifiablePresentation.proof && verifiablePresentation.proof.jwt ? verifiablePresentation.proof.jwt : verifiablePresentation);
787
- return {
788
- ...presentationResult,
789
- verifiablePresentations,
790
- verifiableCredentials,
791
- definition: selectedVerifiableCredentials.definition,
792
- idOpts: idOpts2
793
- };
794
- }
795
- async filterCredentialsAgainstAllDefinitions(credentialRole, opts) {
796
- const defs = await this.getPresentationDefinitions();
797
- const result = [];
798
- if (defs) {
799
- for (const definition of defs) {
800
- result.push(await this.filterCredentials(credentialRole, definition, opts));
801
- }
802
- }
803
- return result;
804
- }
805
- async filterCredentials(credentialRole, presentationDefinition, opts) {
806
- const udcMap = /* @__PURE__ */ new Map();
807
- opts?.filterOpts?.verifiableCredentials?.forEach((credential) => {
808
- if (typeof credential === "object" && "digitalCredential" in credential) {
809
- udcMap.set(credential.originalVerifiableCredential, credential);
810
- } else {
811
- udcMap.set(credential, credential);
812
- }
813
- });
814
- const credentials = (await this.filterCredentialsWithSelectionStatus(credentialRole, presentationDefinition, {
815
- ...opts,
816
- filterOpts: {
817
- verifiableCredentials: opts?.filterOpts?.verifiableCredentials?.map((credential) => {
818
- if (typeof credential === "object" && "digitalCredential" in credential) {
819
- return credential.originalVerifiableCredential;
820
- } else {
821
- return credential;
822
- }
823
- })
824
- }
825
- })).verifiableCredential;
826
- return {
827
- definition: presentationDefinition,
828
- credentials: credentials?.map((vc) => udcMap.get(vc)) ?? []
829
- };
830
- }
831
- async filterCredentialsWithSelectionStatus(credentialRole, presentationDefinition, opts) {
832
- const selectionResults = await this.getPresentationExchange({
833
- verifiableCredentials: await this.getCredentials(credentialRole, opts?.filterOpts)
834
- }).selectVerifiableCredentialsForSubmission(presentationDefinition.definition, opts);
835
- if (selectionResults.errors && selectionResults.errors.length > 0) {
836
- throw Error(JSON.stringify(selectionResults.errors));
837
- } else if (selectionResults.areRequiredCredentialsPresent === import_pex.Status.ERROR) {
838
- throw Error(`Not all required credentials are available to satisfy the relying party's request`);
839
- }
840
- const matches = selectionResults.matches;
841
- if (!matches || matches.length === 0 || !selectionResults.verifiableCredential || selectionResults.verifiableCredential.length === 0) {
842
- throw Error(JSON.stringify(selectionResults.errors));
843
- }
844
- return selectionResults;
845
- }
846
- async getCredentials(credentialRole, filterOpts) {
847
- if (filterOpts?.verifiableCredentials && filterOpts.verifiableCredentials.length > 0) {
848
- return filterOpts.verifiableCredentials;
849
- }
850
- const filter = (0, import_ssi_sdk3.verifiableCredentialForRoleFilter)(credentialRole, filterOpts?.filter);
851
- const uniqueCredentials = await this.session.context.agent.crsGetUniqueCredentials({
852
- filter
853
- });
854
- return uniqueCredentials.map((uniqueVC) => {
855
- const vc = uniqueVC.uniformVerifiableCredential;
856
- const proof = Array.isArray(vc.proof) ? vc.proof : [
857
- vc.proof
858
- ];
859
- const jwtProof = proof.find((p) => p?.type === DEFAULT_JWT_PROOF_TYPE);
860
- return jwtProof ? jwtProof.jwt : vc;
861
- });
862
- }
863
599
  };
864
600
 
865
601
  // src/session/OpSession.ts
866
- var import_did_auth_siop3 = require("@sphereon/did-auth-siop");
867
- var import_ssi_sdk_ext3 = require("@sphereon/ssi-sdk-ext.did-utils");
868
- var import_ssi_sdk4 = require("@sphereon/ssi-sdk.core");
602
+ var import_did_auth_siop2 = require("@sphereon/did-auth-siop");
603
+ var import_ssi_sdk_ext2 = require("@sphereon/ssi-sdk-ext.did-utils");
604
+ var import_ssi_sdk2 = require("@sphereon/ssi-sdk.core");
869
605
  var import_ssi_types = require("@sphereon/ssi-types");
870
606
  var import_uuid = require("uuid");
871
- var import_pex2 = require("@sphereon/pex");
872
607
  var import_ssi_types2 = require("@sphereon/ssi-types");
873
608
  var logger = import_ssi_types2.Loggers.DEFAULT.get("sphereon:oid4vp:OpSession");
874
609
  var OpSession = class _OpSession {
@@ -883,13 +618,11 @@ var OpSession = class _OpSession {
883
618
  verifiedAuthorizationRequest;
884
619
  _nonce;
885
620
  _state;
886
- _providedPresentationDefinitions;
887
621
  constructor(options) {
888
622
  this.id = options.sessionId;
889
623
  this.options = options.op;
890
624
  this.context = options.context;
891
625
  this.requestJwtOrUri = options.requestJwtOrUri;
892
- this._providedPresentationDefinitions = options.providedPresentationDefinitions;
893
626
  }
894
627
  static async init(options) {
895
628
  return new _OpSession(options);
@@ -908,7 +641,7 @@ var OpSession = class _OpSession {
908
641
  return this.verifiedAuthorizationRequest;
909
642
  }
910
643
  async getAuthorizationRequestURI() {
911
- return await import_did_auth_siop3.URI.fromAuthorizationRequest((await this.getAuthorizationRequest()).authorizationRequest);
644
+ return await import_did_auth_siop2.URI.fromAuthorizationRequest((await this.getAuthorizationRequest()).authorizationRequest);
912
645
  }
913
646
  get nonce() {
914
647
  if (!this._nonce) {
@@ -943,7 +676,7 @@ var OpSession = class _OpSession {
943
676
  }
944
677
  let intersection;
945
678
  if (rpMethods.dids.includes("did")) {
946
- intersection = agentMethods && agentMethods.length > 0 ? agentMethods : (await (0, import_ssi_sdk_ext3.getAgentDIDMethods)(this.context)).map((method) => convertDidMethod(method, didPrefix));
679
+ intersection = agentMethods && agentMethods.length > 0 ? agentMethods : (await (0, import_ssi_sdk_ext2.getAgentDIDMethods)(this.context)).map((method) => convertDidMethod(method, didPrefix));
947
680
  } else if (!agentMethods || agentMethods.length === 0) {
948
681
  intersection = rpMethods.dids?.map((method) => convertDidMethod(method, didPrefix));
949
682
  } else {
@@ -987,7 +720,7 @@ var OpSession = class _OpSession {
987
720
  subjectSyntaxTypesSupported
988
721
  ]).map((method) => convertDidMethod(method, opts.didPrefix));
989
722
  }
990
- const isEBSI = rpMethods.length === 0 && (authReq.issuer?.includes(".ebsi.eu") || (await authReq.authorizationRequest.getMergedProperty("client_id"))?.includes(".ebsi.eu"));
723
+ const isEBSI = rpMethods.length === 0 && (authReq.issuer?.includes(".ebsi.eu") || authReq.authorizationRequest.getMergedProperty("client_id")?.includes(".ebsi.eu"));
991
724
  let codecName = void 0;
992
725
  if (isEBSI && (!aud || !aud.startsWith("http"))) {
993
726
  logger.debug(`EBSI detected, adding did:key to supported DID methods for RP`);
@@ -1042,56 +775,14 @@ var OpSession = class _OpSession {
1042
775
  async getRedirectUri() {
1043
776
  return Promise.resolve(this.verifiedAuthorizationRequest.responseURI);
1044
777
  }
1045
- async hasPresentationDefinitions() {
1046
- const defs = this._providedPresentationDefinitions ?? (await this.getAuthorizationRequest()).presentationDefinitions;
1047
- return defs !== void 0 && defs.length > 0;
1048
- }
1049
- async getPresentationDefinitions() {
1050
- if (!await this.hasPresentationDefinitions()) {
1051
- throw Error(`No presentation definitions found`);
1052
- }
1053
- return this._providedPresentationDefinitions ?? (await this.getAuthorizationRequest()).presentationDefinitions;
1054
- }
1055
778
  async getOID4VP(args) {
1056
779
  return await OID4VP.init(this, args.allIdentifiers ?? [], args.hasher);
1057
780
  }
1058
- createPresentationVerificationCallback(context) {
1059
- async function presentationVerificationCallback(args, presentationSubmission) {
1060
- let result;
1061
- if (import_ssi_types.CredentialMapper.isSdJwtEncoded(args)) {
1062
- try {
1063
- const sdJwtResult = await context.agent.verifySdJwtPresentation({
1064
- presentation: args
1065
- });
1066
- result = {
1067
- verified: "header" in sdJwtResult,
1068
- error: "header" in sdJwtResult ? void 0 : {
1069
- message: "could not verify SD JWT presentation"
1070
- }
1071
- };
1072
- } catch (error) {
1073
- result = {
1074
- verified: false,
1075
- error: {
1076
- message: error.message
1077
- }
1078
- };
1079
- }
1080
- } else {
1081
- result = await context.agent.verifyPresentation({
1082
- presentation: args
1083
- });
1084
- }
1085
- return result;
1086
- }
1087
- __name(presentationVerificationCallback, "presentationVerificationCallback");
1088
- return presentationVerificationCallback;
1089
- }
1090
781
  async createJarmResponseCallback({ responseOpts }) {
1091
782
  const agent = this.context.agent;
1092
783
  return /* @__PURE__ */ __name(async function jarmResponse(opts) {
1093
784
  const { clientMetadata, requestObjectPayload, authorizationResponsePayload: authResponse } = opts;
1094
- const jwk = await import_did_auth_siop3.OP.extractEncJwksFromClientMetadata(clientMetadata);
785
+ const jwk = await import_did_auth_siop2.OP.extractEncJwksFromClientMetadata(clientMetadata);
1095
786
  const recipientKey = await agent.identifierExternalResolveByJwk({
1096
787
  identifier: jwk
1097
788
  });
@@ -1100,8 +791,8 @@ var OpSession = class _OpSession {
1100
791
  protectedHeader: {},
1101
792
  alg: requestObjectPayload.client_metadata.authorization_encrypted_response_alg ?? "ECDH-ES",
1102
793
  enc: requestObjectPayload.client_metadata.authorization_encrypted_response_enc ?? "A256GCM",
1103
- apv: (0, import_ssi_sdk4.encodeBase64url)(opts.requestObjectPayload.nonce),
1104
- apu: (0, import_ssi_sdk4.encodeBase64url)((0, import_uuid.v4)()),
794
+ apv: (0, import_ssi_sdk2.encodeBase64url)(opts.requestObjectPayload.nonce),
795
+ apu: (0, import_ssi_sdk2.encodeBase64url)((0, import_uuid.v4)()),
1105
796
  payload: authResponse,
1106
797
  issuer: responseOpts.issuer,
1107
798
  audience: responseOpts.audience
@@ -1113,8 +804,9 @@ var OpSession = class _OpSession {
1113
804
  }, "jarmResponse");
1114
805
  }
1115
806
  async sendAuthorizationResponse(args) {
807
+ const { responseSignerOpts, dcqlResponse, isFirstParty } = args;
1116
808
  const resolveOpts = this.options.resolveOpts ?? {
1117
- resolver: (0, import_ssi_sdk_ext3.getAgentResolver)(this.context, {
809
+ resolver: (0, import_ssi_sdk_ext2.getAgentResolver)(this.context, {
1118
810
  uniresolverResolution: true,
1119
811
  localResolution: true,
1120
812
  resolverResolution: true
@@ -1123,23 +815,7 @@ var OpSession = class _OpSession {
1123
815
  if (!resolveOpts.subjectSyntaxTypesSupported || resolveOpts.subjectSyntaxTypesSupported.length === 0) {
1124
816
  resolveOpts.subjectSyntaxTypesSupported = await this.getSupportedDIDMethods(true);
1125
817
  }
1126
- const verification = {
1127
- presentationVerificationCallback: this.createPresentationVerificationCallback(this.context)
1128
- };
1129
818
  const request = await this.getAuthorizationRequest();
1130
- const hasDefinitions = await this.hasPresentationDefinitions();
1131
- if (hasDefinitions) {
1132
- const totalInputDescriptors = request.presentationDefinitions?.reduce((sum, pd) => {
1133
- return sum + pd.definition.input_descriptors.length;
1134
- }, 0);
1135
- const totalVCs = args.verifiablePresentations ? this.countVCsInAllVPs(args.verifiablePresentations, args.hasher) : 0;
1136
- if (!request.presentationDefinitions || !args.verifiablePresentations || totalVCs !== totalInputDescriptors) {
1137
- throw Error(`Amount of presentations ${args.verifiablePresentations?.length}, doesn't match expected ${request.presentationDefinitions?.length}`);
1138
- } else if (!args.presentationSubmission) {
1139
- throw Error(`Presentation submission is required when verifiable presentations are required`);
1140
- }
1141
- }
1142
- const verifiablePresentations = args.verifiablePresentations ? args.verifiablePresentations.map((vp) => import_ssi_types.CredentialMapper.storedPresentationToOriginalFormat(vp)) : [];
1143
819
  const op = await createOP({
1144
820
  opOptions: {
1145
821
  ...this.options,
@@ -1151,23 +827,16 @@ var OpSession = class _OpSession {
1151
827
  wellknownDIDVerifyCallback: this.options.wellknownDIDVerifyCallback,
1152
828
  supportedVersions: request.versions
1153
829
  },
1154
- idOpts: args.responseSignerOpts,
830
+ idOpts: responseSignerOpts,
1155
831
  context: this.context
1156
832
  });
1157
- let issuer = args.responseSignerOpts.issuer;
833
+ let issuer = responseSignerOpts.issuer;
1158
834
  const responseOpts = {
1159
- verification,
1160
835
  issuer,
1161
- ...args.isFirstParty && {
1162
- isFirstParty: args.isFirstParty
1163
- },
1164
- ...args.verifiablePresentations && {
1165
- presentationExchange: {
1166
- verifiablePresentations,
1167
- presentationSubmission: args.presentationSubmission
1168
- }
836
+ ...isFirstParty && {
837
+ isFirstParty
1169
838
  },
1170
- dcqlQuery: args.dcqlResponse
839
+ dcqlResponse
1171
840
  };
1172
841
  const authResponse = await op.createAuthorizationResponse(request, responseOpts);
1173
842
  const response = await op.submitAuthorizationResponse(authResponse, await this.createJarmResponseCallback({
@@ -1179,24 +848,6 @@ var OpSession = class _OpSession {
1179
848
  return response;
1180
849
  }
1181
850
  }
1182
- countVCsInAllVPs(verifiablePresentations, hasher) {
1183
- return verifiablePresentations.reduce((sum, vp) => {
1184
- if (import_ssi_types.CredentialMapper.isMsoMdocDecodedPresentation(vp) || import_ssi_types.CredentialMapper.isMsoMdocOid4VPEncoded(vp)) {
1185
- return sum + 1;
1186
- }
1187
- const uvp = import_ssi_types.CredentialMapper.toUniformPresentation(vp, {
1188
- hasher: hasher ?? this.options.hasher
1189
- });
1190
- if (uvp.verifiableCredential?.length) {
1191
- return sum + uvp.verifiableCredential?.length;
1192
- }
1193
- const isSdJWT = import_ssi_types.CredentialMapper.isSdJwtDecodedCredential(uvp);
1194
- if (isSdJWT || uvp.verifiableCredential && !import_pex2.PEX.allowMultipleVCsPerPresentation(uvp.verifiableCredential)) {
1195
- return sum + 1;
1196
- }
1197
- return sum;
1198
- }, 0);
1199
- }
1200
851
  };
1201
852
  function convertDidMethod(didMethod, didPrefix) {
1202
853
  if (didPrefix === false) {
@@ -1206,10 +857,79 @@ function convertDidMethod(didMethod, didPrefix) {
1206
857
  }
1207
858
  __name(convertDidMethod, "convertDidMethod");
1208
859
 
1209
- // src/agent/DidAuthSiopOpAuthenticator.ts
1210
- var import_pex4 = require("@sphereon/pex");
1211
- var import_utils = require("@veramo/utils");
1212
- var import_dcql3 = require("dcql");
860
+ // src/types/IDidAuthSiopOpAuthenticator.ts
861
+ var LOGGER_NAMESPACE = "sphereon:siopv2-oid4vp:op-auth";
862
+ var DEFAULT_JWT_PROOF_TYPE = "JwtProof2020";
863
+
864
+ // src/types/siop-service/index.ts
865
+ var Siopv2HolderEvent = /* @__PURE__ */ (function(Siopv2HolderEvent2) {
866
+ Siopv2HolderEvent2["CONTACT_IDENTITY_CREATED"] = "contact_identity_created";
867
+ Siopv2HolderEvent2["IDENTIFIER_CREATED"] = "identifier_created";
868
+ return Siopv2HolderEvent2;
869
+ })({});
870
+ var SupportedLanguage = /* @__PURE__ */ (function(SupportedLanguage2) {
871
+ SupportedLanguage2["ENGLISH"] = "en";
872
+ SupportedLanguage2["DUTCH"] = "nl";
873
+ return SupportedLanguage2;
874
+ })({});
875
+
876
+ // src/types/machine/index.ts
877
+ var Siopv2MachineStates = /* @__PURE__ */ (function(Siopv2MachineStates2) {
878
+ Siopv2MachineStates2["createConfig"] = "createConfig";
879
+ Siopv2MachineStates2["getSiopRequest"] = "getSiopRequest";
880
+ Siopv2MachineStates2["getSelectableCredentials"] = "getSelectableCredentials";
881
+ Siopv2MachineStates2["retrieveContact"] = "retrieveContact";
882
+ Siopv2MachineStates2["transitionFromSetup"] = "transitionFromSetup";
883
+ Siopv2MachineStates2["addContact"] = "addContact";
884
+ Siopv2MachineStates2["addContactIdentity"] = "addContactIdentity";
885
+ Siopv2MachineStates2["selectCredentials"] = "selectCredentials";
886
+ Siopv2MachineStates2["sendResponse"] = "sendResponse";
887
+ Siopv2MachineStates2["handleError"] = "handleError";
888
+ Siopv2MachineStates2["aborted"] = "aborted";
889
+ Siopv2MachineStates2["declined"] = "declined";
890
+ Siopv2MachineStates2["error"] = "error";
891
+ Siopv2MachineStates2["done"] = "done";
892
+ return Siopv2MachineStates2;
893
+ })({});
894
+ var Siopv2MachineAddContactStates = /* @__PURE__ */ (function(Siopv2MachineAddContactStates2) {
895
+ Siopv2MachineAddContactStates2["idle"] = "idle";
896
+ Siopv2MachineAddContactStates2["executing"] = "executing";
897
+ Siopv2MachineAddContactStates2["next"] = "next";
898
+ return Siopv2MachineAddContactStates2;
899
+ })({});
900
+ var Siopv2MachineEvents = /* @__PURE__ */ (function(Siopv2MachineEvents2) {
901
+ Siopv2MachineEvents2["NEXT"] = "NEXT";
902
+ Siopv2MachineEvents2["PREVIOUS"] = "PREVIOUS";
903
+ Siopv2MachineEvents2["DECLINE"] = "DECLINE";
904
+ Siopv2MachineEvents2["SET_CONTACT_ALIAS"] = "SET_CONTACT_ALIAS";
905
+ Siopv2MachineEvents2["SET_CONTACT_CONSENT"] = "SET_CONTACT_CONSENT";
906
+ Siopv2MachineEvents2["CREATE_CONTACT"] = "CREATE_CONTACT";
907
+ Siopv2MachineEvents2["SET_SELECTED_CREDENTIALS"] = "SET_SELECTED_CREDENTIALS";
908
+ return Siopv2MachineEvents2;
909
+ })({});
910
+ var Siopv2MachineGuards = /* @__PURE__ */ (function(Siopv2MachineGuards2) {
911
+ Siopv2MachineGuards2["hasNoContactGuard"] = "Siopv2HasNoContactGuard";
912
+ Siopv2MachineGuards2["createContactGuard"] = "Siopv2CreateContactGuard";
913
+ Siopv2MachineGuards2["hasContactGuard"] = "Siopv2HasContactGuard";
914
+ Siopv2MachineGuards2["hasAuthorizationRequestGuard"] = "Siopv2HasAuthorizationRequestGuard";
915
+ Siopv2MachineGuards2["hasSelectableCredentialsAndContactGuard"] = "Siopv2HasSelectableCredentialsAndContactGuard";
916
+ Siopv2MachineGuards2["hasSelectedRequiredCredentialsGuard"] = "Siopv2HasSelectedRequiredCredentialsGuard";
917
+ Siopv2MachineGuards2["siopOnlyGuard"] = "Siopv2IsSiopOnlyGuard";
918
+ Siopv2MachineGuards2["siopWithOID4VPGuard"] = "Siopv2IsSiopWithOID4VPGuard";
919
+ return Siopv2MachineGuards2;
920
+ })({});
921
+ var Siopv2MachineServices = /* @__PURE__ */ (function(Siopv2MachineServices2) {
922
+ Siopv2MachineServices2["getSiopRequest"] = "getSiopRequest";
923
+ Siopv2MachineServices2["getSelectableCredentials"] = "getSelectableCredentials";
924
+ Siopv2MachineServices2["retrieveContact"] = "retrieveContact";
925
+ Siopv2MachineServices2["addContactIdentity"] = "addContactIdentity";
926
+ Siopv2MachineServices2["sendResponse"] = "sendResponse";
927
+ Siopv2MachineServices2["createConfig"] = "createConfig";
928
+ return Siopv2MachineServices2;
929
+ })({});
930
+
931
+ // src/types/identifier/index.ts
932
+ var DID_PREFIX = "did";
1213
933
 
1214
934
  // src/machine/Siopv2Machine.ts
1215
935
  var import_xstate = require("xstate");
@@ -1278,7 +998,7 @@ var Siopv2HasSelectableCredentialsAndContactGuard = /* @__PURE__ */ __name((_ctx
1278
998
  if (!contact) {
1279
999
  throw new Error("Missing contact request data in context");
1280
1000
  }
1281
- return authorizationRequestData.presentationDefinitions !== void 0;
1001
+ return authorizationRequestData.dcqlQuery !== void 0;
1282
1002
  }, "Siopv2HasSelectableCredentialsAndContactGuard");
1283
1003
  var Siopv2CreateContactGuard = /* @__PURE__ */ __name((_ctx, _event) => {
1284
1004
  const { contactAlias, hasContactConsent } = _ctx;
@@ -1289,7 +1009,7 @@ var Siopv2HasSelectedRequiredCredentialsGuard = /* @__PURE__ */ __name((_ctx, _e
1289
1009
  if (authorizationRequestData === void 0) {
1290
1010
  throw new Error("Missing authorization request data in context");
1291
1011
  }
1292
- if (authorizationRequestData.presentationDefinitions === void 0 || authorizationRequestData.presentationDefinitions.length === 0) {
1012
+ if (authorizationRequestData.dcqlQuery === void 0) {
1293
1013
  throw Error("No presentation definitions present");
1294
1014
  }
1295
1015
  return _ctx.selectedCredentials.length > 0;
@@ -1299,7 +1019,7 @@ var Siopv2IsSiopOnlyGuard = /* @__PURE__ */ __name((_ctx, _event) => {
1299
1019
  if (authorizationRequestData === void 0) {
1300
1020
  throw new Error("Missing authorization request data in context");
1301
1021
  }
1302
- return authorizationRequestData.presentationDefinitions === void 0;
1022
+ return authorizationRequestData.dcqlQuery === void 0;
1303
1023
  }, "Siopv2IsSiopOnlyGuard");
1304
1024
  var Siopv2IsSiopWithOID4VPGuard = /* @__PURE__ */ __name((_ctx, _event) => {
1305
1025
  const { authorizationRequestData, selectableCredentialsMap } = _ctx;
@@ -1309,7 +1029,7 @@ var Siopv2IsSiopWithOID4VPGuard = /* @__PURE__ */ __name((_ctx, _event) => {
1309
1029
  if (!selectableCredentialsMap) {
1310
1030
  throw new Error("Missing selectableCredentialsMap in context");
1311
1031
  }
1312
- return authorizationRequestData.presentationDefinitions !== void 0;
1032
+ return authorizationRequestData.dcqlQuery !== void 0;
1313
1033
  }, "Siopv2IsSiopWithOID4VPGuard");
1314
1034
  var createSiopv2Machine = /* @__PURE__ */ __name((opts) => {
1315
1035
  const { url, idOpts: idOpts2 } = opts;
@@ -1624,368 +1344,223 @@ var Siopv2Machine = class {
1624
1344
  };
1625
1345
 
1626
1346
  // src/services/Siopv2MachineService.ts
1627
- var import_did_auth_siop4 = require("@sphereon/did-auth-siop");
1628
- var import_pex3 = require("@sphereon/pex");
1347
+ var import_utils = require("@sphereon/pex/dist/main/lib/utils/index.js");
1348
+ var import_ssi_sdk_ext3 = require("@sphereon/ssi-sdk-ext.did-utils");
1629
1349
  var import_ssi_sdk_ext4 = require("@sphereon/ssi-sdk-ext.identifier-resolution");
1630
- var import_ssi_sdk5 = require("@sphereon/ssi-sdk.credential-store");
1631
- var import_ssi_sdk6 = require("@sphereon/ssi-sdk.data-store");
1350
+ var import_ssi_sdk3 = require("@sphereon/ssi-sdk.core");
1351
+ var import_ssi_sdk4 = require("@sphereon/ssi-sdk.credential-store");
1352
+ var import_ssi_sdk5 = require("@sphereon/ssi-sdk.data-store-types");
1353
+ var import_ssi_sdk6 = require("@sphereon/ssi-sdk.sd-jwt");
1632
1354
  var import_ssi_types6 = require("@sphereon/ssi-types");
1633
- var import_ssi_sdk_ext5 = require("@sphereon/ssi-sdk-ext.did-utils");
1634
- var import_ssi_sdk7 = require("@sphereon/ssi-sdk.core");
1635
1355
  var import_dcql = require("dcql");
1636
1356
 
1637
1357
  // src/utils/dcql.ts
1638
1358
  var import_ssi_types5 = require("@sphereon/ssi-types");
1359
+ var import_did_auth_siop3 = require("@sphereon/did-auth-siop");
1639
1360
 
1640
1361
  // src/utils/CredentialUtils.ts
1641
1362
  var import_ssi_types4 = require("@sphereon/ssi-types");
1642
- var getOriginalVerifiableCredential = /* @__PURE__ */ __name((credential) => {
1643
- if (isUniqueDigitalCredential(credential)) {
1644
- if (!credential.originalVerifiableCredential) {
1645
- throw new Error("originalVerifiableCredential is not defined in UniqueDigitalCredential");
1646
- }
1647
- return getCredentialFromProofOrWrapped(credential.originalVerifiableCredential);
1648
- }
1649
- return getCredentialFromProofOrWrapped(credential);
1650
- }, "getOriginalVerifiableCredential");
1651
- var getCredentialFromProofOrWrapped = /* @__PURE__ */ __name((cred, hasher) => {
1652
- if (typeof cred === "object" && "proof" in cred && "jwt" in cred.proof && import_ssi_types4.CredentialMapper.isSdJwtEncoded(cred.proof.jwt)) {
1653
- return cred.proof.jwt;
1654
- }
1655
- return import_ssi_types4.CredentialMapper.toWrappedVerifiableCredential(cred, {
1656
- hasher
1657
- }).original;
1658
- }, "getCredentialFromProofOrWrapped");
1659
1363
  var isUniqueDigitalCredential = /* @__PURE__ */ __name((credential) => {
1660
1364
  return credential.digitalCredential !== void 0;
1661
1365
  }, "isUniqueDigitalCredential");
1662
1366
 
1663
1367
  // src/utils/dcql.ts
1664
1368
  function convertToDcqlCredentials(credential, hasher) {
1665
- let payload;
1369
+ let originalVerifiableCredential;
1666
1370
  if (isUniqueDigitalCredential(credential)) {
1667
1371
  if (!credential.originalVerifiableCredential) {
1668
1372
  throw new Error("originalVerifiableCredential is not defined in UniqueDigitalCredential");
1669
1373
  }
1670
- payload = import_ssi_types5.CredentialMapper.decodeVerifiableCredential(credential.originalVerifiableCredential, hasher);
1374
+ originalVerifiableCredential = import_ssi_types5.CredentialMapper.decodeVerifiableCredential(credential.originalVerifiableCredential, hasher);
1671
1375
  } else {
1672
- payload = import_ssi_types5.CredentialMapper.decodeVerifiableCredential(credential, hasher);
1376
+ originalVerifiableCredential = import_ssi_types5.CredentialMapper.decodeVerifiableCredential(credential, hasher);
1673
1377
  }
1674
- if (!payload) {
1378
+ if (!originalVerifiableCredential) {
1675
1379
  throw new Error("No payload found");
1676
1380
  }
1677
- if ("decodedPayload" in payload && payload.decodedPayload) {
1678
- payload = payload.decodedPayload;
1679
- }
1680
- if ("vct" in payload) {
1681
- return {
1682
- vct: payload.vct,
1683
- claims: payload,
1684
- credential_format: "vc+sd-jwt"
1685
- };
1686
- } else if ("docType" in payload && "namespaces" in payload) {
1687
- return {
1688
- docType: payload.docType,
1689
- namespaces: payload.namespaces,
1690
- claims: payload
1691
- };
1692
- } else {
1693
- return {
1694
- claims: payload,
1695
- credential_format: "jwt_vc_json"
1696
- };
1381
+ if (import_ssi_types5.CredentialMapper.isJwtDecodedCredential(originalVerifiableCredential)) {
1382
+ return import_did_auth_siop3.Dcql.toDcqlJwtCredential(import_ssi_types5.CredentialMapper.toWrappedVerifiableCredential(originalVerifiableCredential));
1383
+ } else if (import_ssi_types5.CredentialMapper.isSdJwtDecodedCredential(originalVerifiableCredential)) {
1384
+ return import_did_auth_siop3.Dcql.toDcqlSdJwtCredential(import_ssi_types5.CredentialMapper.toWrappedVerifiableCredential(originalVerifiableCredential));
1385
+ } else if (import_ssi_types5.CredentialMapper.isMsoMdocDecodedCredential(originalVerifiableCredential)) {
1386
+ return import_did_auth_siop3.Dcql.toDcqlMdocCredential(import_ssi_types5.CredentialMapper.toWrappedVerifiableCredential(originalVerifiableCredential));
1387
+ } else if (import_ssi_types5.CredentialMapper.isW3cCredential(originalVerifiableCredential)) {
1388
+ return import_did_auth_siop3.Dcql.toDcqlJsonLdCredential(import_ssi_types5.CredentialMapper.toWrappedVerifiableCredential(originalVerifiableCredential));
1697
1389
  }
1390
+ throw Error(`Unable to map credential to DCQL credential. Credential: ${JSON.stringify(originalVerifiableCredential)}`);
1698
1391
  }
1699
1392
  __name(convertToDcqlCredentials, "convertToDcqlCredentials");
1700
1393
 
1701
1394
  // src/services/Siopv2MachineService.ts
1395
+ var CLOCK_SKEW = 120;
1702
1396
  var logger3 = import_ssi_types6.Loggers.DEFAULT.get(LOGGER_NAMESPACE);
1703
- var createEbsiIdentifier = /* @__PURE__ */ __name(async (agentContext) => {
1704
- logger3.log(`No EBSI key present yet. Creating a new one...`);
1705
- const { result: newIdentifier, created } = await (0, import_ssi_sdk_ext5.getOrCreatePrimaryIdentifier)(agentContext, {
1706
- method: import_ssi_sdk_ext5.SupportedDidMethodEnum.DID_KEY,
1707
- createOpts: {
1708
- options: {
1709
- codecName: "jwk_jcs-pub",
1710
- type: "Secp256r1"
1711
- }
1712
- }
1713
- });
1714
- logger3.log(`EBSI key created: ${newIdentifier.did}`);
1715
- if (created) {
1716
- await agentContext.agent.emit(Siopv2HolderEvent.IDENTIFIER_CREATED, {
1717
- result: newIdentifier
1718
- });
1719
- }
1720
- return await agentContext.agent.identifierManagedGetByDid({
1721
- identifier: newIdentifier.did
1722
- });
1723
- }, "createEbsiIdentifier");
1724
- var hasEbsiClient = /* @__PURE__ */ __name(async (authorizationRequest) => {
1725
- const clientId = await authorizationRequest.getMergedProperty("client_id");
1726
- const redirectUri = await authorizationRequest.getMergedProperty("redirect_uri");
1727
- return clientId?.toLowerCase().includes(".ebsi.eu") || redirectUri?.toLowerCase().includes(".ebsi.eu");
1728
- }, "hasEbsiClient");
1729
1397
  var siopSendAuthorizationResponse = /* @__PURE__ */ __name(async (connectionType, args, context) => {
1730
1398
  const { agent } = context;
1731
- const agentContext = {
1732
- ...context,
1733
- agent: context.agent
1734
- };
1735
- let { idOpts: idOpts2, isFirstParty, hasher = import_ssi_sdk7.defaultHasher } = args;
1736
- if (connectionType !== import_ssi_sdk6.ConnectionType.SIOPv2_OpenID4VP) {
1399
+ const { credentials } = args;
1400
+ if (connectionType !== import_ssi_sdk5.ConnectionType.SIOPv2_OpenID4VP) {
1737
1401
  return Promise.reject(Error(`No supported authentication provider for type: ${connectionType}`));
1738
1402
  }
1739
1403
  const session = await agent.siopGetOPSession({
1740
1404
  sessionId: args.sessionId
1741
1405
  });
1742
1406
  const request = await session.getAuthorizationRequest();
1743
- const aud = await request.authorizationRequest.getMergedProperty("aud");
1407
+ const aud = request.authorizationRequest.getMergedProperty("aud");
1744
1408
  logger3.debug(`AUD: ${aud}`);
1745
1409
  logger3.debug(JSON.stringify(request.authorizationRequest));
1746
- let presentationsAndDefs;
1747
- let presentationSubmission;
1748
- if (await session.hasPresentationDefinitions()) {
1749
- const oid4vp = await session.getOID4VP({
1750
- hasher
1751
- });
1752
- const credentialsAndDefinitions = args.verifiableCredentialsWithDefinition ? args.verifiableCredentialsWithDefinition : await oid4vp.filterCredentialsAgainstAllDefinitions(import_ssi_sdk6.CredentialRole.HOLDER);
1753
- const domain = await request.authorizationRequest.getMergedProperty("client_id") ?? request.issuer ?? (request.versions.includes(import_did_auth_siop4.SupportedVersion.JWT_VC_PRESENTATION_PROFILE_v1) ? "https://self-issued.me/v2/openid-vc" : "https://self-issued.me/v2");
1754
- logger3.log(`NONCE: ${session.nonce}, domain: ${domain}`);
1755
- const firstUniqueDC = credentialsAndDefinitions[0].credentials[0];
1756
- if (typeof firstUniqueDC !== "object" || !("digitalCredential" in firstUniqueDC)) {
1757
- return Promise.reject(Error("SiopMachine only supports UniqueDigitalCredentials for now"));
1758
- }
1759
- let identifier;
1760
- const digitalCredential = firstUniqueDC.digitalCredential;
1761
- const firstVC = firstUniqueDC.uniformVerifiableCredential;
1762
- const holder = import_ssi_types6.CredentialMapper.isSdJwtDecodedCredential(firstVC) ? firstVC.decodedPayload.cnf?.jwk ? (
1763
- //doesn't apply to did:jwk only, as you can represent any DID key as a JWK. So whenever you encounter a JWK it doesn't mean it had to come from a did:jwk in the system. It just can always be represented as a did:jwk
1764
- `did:jwk:${(0, import_ssi_sdk7.encodeJoseBlob)(firstVC.decodedPayload.cnf?.jwk)}#0`
1765
- ) : firstVC.decodedPayload.sub : Array.isArray(firstVC.credentialSubject) ? firstVC.credentialSubject[0].id : firstVC.credentialSubject.id;
1766
- if (!digitalCredential.kmsKeyRef) {
1767
- if (!holder) {
1768
- return Promise.reject(`No holder found and no kmsKeyRef in DB. Cannot determine identifier to use`);
1769
- }
1770
- try {
1771
- identifier = await session.context.agent.identifierManagedGet({
1772
- identifier: holder
1773
- });
1774
- } catch (e) {
1775
- logger3.debug(`Holder DID not found: ${holder}`);
1776
- throw e;
1777
- }
1778
- } else if ((0, import_ssi_sdk_ext4.isOID4VCIssuerIdentifier)(digitalCredential.kmsKeyRef)) {
1779
- identifier = await session.context.agent.identifierManagedGetByOID4VCIssuer({
1780
- identifier: firstUniqueDC.digitalCredential.kmsKeyRef
1410
+ const domain = await request.authorizationRequest.getMergedProperty("client_id") ?? request.issuer ?? "https://self-issued.me/v2";
1411
+ logger3.debug(`NONCE: ${session.nonce}, domain: ${domain}`);
1412
+ const firstUniqueDC = credentials[0];
1413
+ if (typeof firstUniqueDC !== "object" || !("digitalCredential" in firstUniqueDC)) {
1414
+ return Promise.reject(Error("SiopMachine only supports UniqueDigitalCredentials for now"));
1415
+ }
1416
+ let identifier;
1417
+ const digitalCredential = firstUniqueDC.digitalCredential;
1418
+ const firstVC = firstUniqueDC.uniformVerifiableCredential;
1419
+ const holder = import_ssi_types6.CredentialMapper.isSdJwtDecodedCredential(firstVC) ? firstVC.decodedPayload.cnf?.jwk ? (
1420
+ //doesn't apply to did:jwk only, as you can represent any DID key as a JWK. So whenever you encounter a JWK it doesn't mean it had to come from a did:jwk in the system. It just can always be represented as a did:jwk
1421
+ `did:jwk:${(0, import_ssi_sdk3.encodeJoseBlob)(firstVC.decodedPayload.cnf?.jwk)}#0`
1422
+ ) : firstVC.decodedPayload.sub : Array.isArray(firstVC.credentialSubject) ? firstVC.credentialSubject[0].id : firstVC.credentialSubject.id;
1423
+ if (!digitalCredential.kmsKeyRef) {
1424
+ if (!holder) {
1425
+ return Promise.reject(`No holder found and no kmsKeyRef in DB. Cannot determine identifier to use`);
1426
+ }
1427
+ try {
1428
+ identifier = await session.context.agent.identifierManagedGet({
1429
+ identifier: holder
1781
1430
  });
1782
- } else {
1783
- switch (digitalCredential.subjectCorrelationType) {
1784
- case "DID":
1785
- identifier = await session.context.agent.identifierManagedGetByDid({
1786
- identifier: digitalCredential.subjectCorrelationId ?? holder,
1787
- kmsKeyRef: digitalCredential.kmsKeyRef
1788
- });
1789
- break;
1790
- // TODO other implementations?
1791
- default:
1792
- if (digitalCredential.subjectCorrelationId?.startsWith("did:") || holder?.startsWith("did:")) {
1793
- identifier = await session.context.agent.identifierManagedGetByDid({
1794
- identifier: digitalCredential.subjectCorrelationId ?? holder,
1795
- kmsKeyRef: digitalCredential.kmsKeyRef
1796
- });
1797
- } else {
1798
- identifier = await session.context.agent.identifierManagedGetByKid({
1799
- identifier: digitalCredential.subjectCorrelationId ?? holder ?? digitalCredential.kmsKeyRef,
1800
- kmsKeyRef: digitalCredential.kmsKeyRef
1801
- });
1802
- }
1803
- }
1804
- }
1805
- if (identifier === void 0 && idOpts2 !== void 0 && await hasEbsiClient(request.authorizationRequest)) {
1806
- identifier = await createEbsiIdentifier(agentContext);
1431
+ } catch (e) {
1432
+ logger3.debug(`Holder DID not found: ${holder}`);
1433
+ throw e;
1807
1434
  }
1808
- logger3.debug(`Identifier`, identifier);
1809
- presentationsAndDefs = await oid4vp.createVerifiablePresentations(import_ssi_sdk6.CredentialRole.HOLDER, credentialsAndDefinitions, {
1810
- idOpts: identifier,
1811
- proofOpts: {
1812
- nonce: session.nonce,
1813
- domain
1814
- }
1815
- });
1816
- if (!presentationsAndDefs || presentationsAndDefs.length === 0) {
1817
- throw Error("No verifiable presentations could be created");
1818
- } else if (presentationsAndDefs.length > 1) {
1819
- throw Error(`Only one verifiable presentation supported for now. Got ${presentationsAndDefs.length}`);
1820
- }
1821
- idOpts2 = presentationsAndDefs[0].idOpts;
1822
- presentationSubmission = presentationsAndDefs[0].presentationSubmission;
1823
- logger3.log(`Definitions and locations:`, JSON.stringify(presentationsAndDefs?.[0]?.verifiablePresentations, null, 2));
1824
- logger3.log(`Presentation Submission:`, JSON.stringify(presentationSubmission, null, 2));
1825
- const mergedVerifiablePresentations = presentationsAndDefs?.flatMap((pd) => pd.verifiablePresentations) || [];
1826
- return await session.sendAuthorizationResponse({
1827
- ...presentationsAndDefs && {
1828
- verifiablePresentations: mergedVerifiablePresentations
1829
- },
1830
- ...presentationSubmission && {
1831
- presentationSubmission
1832
- },
1833
- // todo: Change issuer value in case we do not use identifier. Use key.meta.jwkThumbprint then
1834
- responseSignerOpts: idOpts2,
1835
- isFirstParty
1435
+ } else if ((0, import_ssi_sdk_ext4.isOID4VCIssuerIdentifier)(digitalCredential.kmsKeyRef)) {
1436
+ identifier = await session.context.agent.identifierManagedGetByOID4VCIssuer({
1437
+ identifier: firstUniqueDC.digitalCredential.kmsKeyRef
1836
1438
  });
1837
- } else if (request.dcqlQuery) {
1838
- if (args.verifiableCredentialsWithDefinition !== void 0 && args.verifiableCredentialsWithDefinition !== null) {
1839
- const vcs = args.verifiableCredentialsWithDefinition.flatMap((vcd) => vcd.credentials);
1840
- const domain = await request.authorizationRequest.getMergedProperty("client_id") ?? request.issuer ?? (request.versions.includes(import_did_auth_siop4.SupportedVersion.JWT_VC_PRESENTATION_PROFILE_v1) ? "https://self-issued.me/v2/openid-vc" : "https://self-issued.me/v2");
1841
- logger3.debug(`NONCE: ${session.nonce}, domain: ${domain}`);
1842
- const firstUniqueDC = vcs[0];
1843
- if (typeof firstUniqueDC !== "object" || !("digitalCredential" in firstUniqueDC)) {
1844
- return Promise.reject(Error("SiopMachine only supports UniqueDigitalCredentials for now"));
1845
- }
1846
- let identifier;
1847
- const digitalCredential = firstUniqueDC.digitalCredential;
1848
- const firstVC = firstUniqueDC.uniformVerifiableCredential;
1849
- const holder = import_ssi_types6.CredentialMapper.isSdJwtDecodedCredential(firstVC) ? firstVC.decodedPayload.cnf?.jwk ? (
1850
- //doesn't apply to did:jwk only, as you can represent any DID key as a JWK. So whenever you encounter a JWK it doesn't mean it had to come from a did:jwk in the system. It just can always be represented as a did:jwk
1851
- `did:jwk:${(0, import_ssi_sdk7.encodeJoseBlob)(firstVC.decodedPayload.cnf?.jwk)}#0`
1852
- ) : firstVC.decodedPayload.sub : Array.isArray(firstVC.credentialSubject) ? firstVC.credentialSubject[0].id : firstVC.credentialSubject.id;
1853
- if (!digitalCredential.kmsKeyRef) {
1854
- if (!holder) {
1855
- return Promise.reject(`No holder found and no kmsKeyRef in DB. Cannot determine identifier to use`);
1856
- }
1857
- try {
1858
- identifier = await session.context.agent.identifierManagedGet({
1859
- identifier: holder
1860
- });
1861
- } catch (e) {
1862
- logger3.debug(`Holder DID not found: ${holder}`);
1863
- throw e;
1864
- }
1865
- } else if ((0, import_ssi_sdk_ext4.isOID4VCIssuerIdentifier)(digitalCredential.kmsKeyRef)) {
1866
- identifier = await session.context.agent.identifierManagedGetByOID4VCIssuer({
1867
- identifier: firstUniqueDC.digitalCredential.kmsKeyRef
1439
+ } else {
1440
+ switch (digitalCredential.subjectCorrelationType) {
1441
+ case "DID":
1442
+ identifier = await session.context.agent.identifierManagedGetByDid({
1443
+ identifier: digitalCredential.subjectCorrelationId ?? holder,
1444
+ kmsKeyRef: digitalCredential.kmsKeyRef
1868
1445
  });
1869
- } else {
1870
- switch (digitalCredential.subjectCorrelationType) {
1871
- case "DID":
1872
- identifier = await session.context.agent.identifierManagedGetByDid({
1873
- identifier: digitalCredential.subjectCorrelationId ?? holder,
1874
- kmsKeyRef: digitalCredential.kmsKeyRef
1875
- });
1876
- break;
1877
- // TODO other implementations?
1878
- default:
1879
- identifier = await session.context.agent.identifierManagedGetByKid({
1880
- identifier: digitalCredential.subjectCorrelationId ?? holder ?? digitalCredential.kmsKeyRef,
1881
- kmsKeyRef: digitalCredential.kmsKeyRef
1882
- });
1883
- }
1884
- }
1885
- console.log(`Identifier`, identifier);
1886
- const dcqlRepresentations = [];
1887
- vcs.forEach((vc) => {
1888
- const rep = convertToDcqlCredentials(vc, args.hasher);
1889
- if (rep) {
1890
- dcqlRepresentations.push(rep);
1891
- }
1892
- });
1893
- const queryResult = import_dcql.DcqlQuery.query(request.dcqlQuery, dcqlRepresentations);
1894
- const presentation = {};
1895
- for (const [key, value] of Object.entries(queryResult.credential_matches)) {
1896
- const allMatches = Array.isArray(value) ? value : [
1897
- value
1898
- ];
1899
- allMatches.forEach((match) => {
1900
- if (match.success) {
1901
- const originalCredential = getOriginalVerifiableCredential(vcs[match.input_credential_index]);
1902
- if (!originalCredential) {
1903
- throw new Error(`Index ${match.input_credential_index} out of range in credentials array`);
1904
- }
1905
- presentation[key] = originalCredential["compactSdJwtVc"] !== void 0 ? originalCredential.compactSdJwtVc : originalCredential;
1906
- }
1446
+ break;
1447
+ // TODO other implementations?
1448
+ default:
1449
+ identifier = await session.context.agent.identifierManagedGetByKid({
1450
+ identifier: digitalCredential.subjectCorrelationId ?? holder ?? digitalCredential.kmsKeyRef,
1451
+ kmsKeyRef: digitalCredential.kmsKeyRef
1907
1452
  });
1453
+ }
1454
+ }
1455
+ const dcqlCredentialsWithCredentials = new Map(credentials.map((vc) => [
1456
+ convertToDcqlCredentials(vc),
1457
+ vc
1458
+ ]));
1459
+ const queryResult = import_dcql.DcqlQuery.query(request.dcqlQuery, Array.from(dcqlCredentialsWithCredentials.keys()));
1460
+ if (!queryResult.can_be_satisfied) {
1461
+ return Promise.reject(Error("Credentials do not match required query request"));
1462
+ }
1463
+ const presentation = {};
1464
+ const uniqueCredentials = Array.from(dcqlCredentialsWithCredentials.values());
1465
+ for (const [key, value] of Object.entries(queryResult.credential_matches)) {
1466
+ if (value.success) {
1467
+ const matchedCredentials = value.valid_credentials.map((cred) => uniqueCredentials[cred.input_credential_index]);
1468
+ const vc = matchedCredentials[0];
1469
+ if (!vc) {
1470
+ continue;
1471
+ }
1472
+ const originalVc = retrieveEncodedCredential(vc);
1473
+ if (!originalVc) {
1474
+ continue;
1908
1475
  }
1909
- const response = session.sendAuthorizationResponse({
1910
- responseSignerOpts: identifier,
1911
- ...{
1912
- dcqlQuery: {
1913
- dcqlPresentation: import_dcql.DcqlPresentation.parse(presentation)
1476
+ const decodedSdJwt = await import_ssi_types6.CredentialMapper.decodeSdJwtVcAsync(originalVc, import_ssi_sdk6.defaultGenerateDigest);
1477
+ const updatedSdJwt = updateSdJwtCredential(decodedSdJwt, request.requestObject?.getPayload()?.nonce, domain);
1478
+ const presentationResult = await context.agent.createSdJwtPresentation({
1479
+ presentation: updatedSdJwt.compactSdJwtVc,
1480
+ kb: {
1481
+ payload: {
1482
+ ...updatedSdJwt.kbJwt?.payload,
1483
+ // FIXME SSISDK-44
1484
+ nonce: updatedSdJwt.kbJwt?.payload.nonce ?? request.requestObject.getPayload().nonce,
1485
+ // FIXME SSISDK-44
1486
+ aud: updatedSdJwt.kbJwt?.payload.aud ?? domain,
1487
+ iat: updatedSdJwt.kbJwt?.payload?.iat ?? Math.floor(Date.now() / 1e3 - CLOCK_SKEW)
1914
1488
  }
1915
1489
  }
1916
1490
  });
1917
- logger3.debug(`Response: `, response);
1918
- return response;
1491
+ if (originalVc) {
1492
+ presentation[key] = presentationResult.presentation;
1493
+ }
1919
1494
  }
1920
1495
  }
1921
- throw Error("Presentation Definition or DCQL is required");
1496
+ const dcqlPresentation = import_dcql.DcqlPresentation.parse(presentation);
1497
+ const response = session.sendAuthorizationResponse({
1498
+ responseSignerOpts: identifier,
1499
+ dcqlResponse: {
1500
+ dcqlPresentation
1501
+ }
1502
+ });
1503
+ logger3.debug(`Response: `, response);
1504
+ return response;
1922
1505
  }, "siopSendAuthorizationResponse");
1923
- function buildPartialPD(inputDescriptor, presentationDefinition) {
1924
- return {
1925
- ...presentationDefinition,
1926
- input_descriptors: [
1927
- inputDescriptor
1928
- ]
1929
- };
1930
- }
1931
- __name(buildPartialPD, "buildPartialPD");
1932
- var getSelectableCredentials = /* @__PURE__ */ __name(async (presentationDefinition, context) => {
1506
+ var retrieveEncodedCredential = /* @__PURE__ */ __name((credential) => {
1507
+ return credential.originalVerifiableCredential !== void 0 && credential.originalVerifiableCredential !== null && credential?.originalVerifiableCredential?.compactSdJwtVc !== void 0 && credential?.originalVerifiableCredential?.compactSdJwtVc !== null ? credential.originalVerifiableCredential.compactSdJwtVc : credential.originalVerifiableCredential;
1508
+ }, "retrieveEncodedCredential");
1509
+ var getSelectableCredentials = /* @__PURE__ */ __name(async (dcqlQuery, context) => {
1933
1510
  const agentContext = {
1934
1511
  ...context,
1935
1512
  agent: context.agent
1936
1513
  };
1937
1514
  const { agent } = agentContext;
1938
- const pex = new import_pex3.PEX();
1939
1515
  const uniqueVerifiableCredentials = await agent.crsGetUniqueCredentials({
1940
- filter: (0, import_ssi_sdk5.verifiableCredentialForRoleFilter)(import_ssi_sdk6.CredentialRole.HOLDER)
1516
+ filter: (0, import_ssi_sdk4.verifiableCredentialForRoleFilter)(import_ssi_types6.CredentialRole.HOLDER)
1941
1517
  });
1942
- const credentialBranding = await agent.ibGetCredentialBranding();
1518
+ const branding = await agent.ibGetCredentialBranding();
1519
+ const dcqlCredentialsWithCredentials = new Map(uniqueVerifiableCredentials.map((vc) => [
1520
+ convertToDcqlCredentials(vc),
1521
+ vc
1522
+ ]));
1523
+ const queryResult = import_dcql.DcqlQuery.query(dcqlQuery, Array.from(dcqlCredentialsWithCredentials.keys()));
1524
+ const uniqueCredentials = Array.from(dcqlCredentialsWithCredentials.values());
1943
1525
  const selectableCredentialsMap = /* @__PURE__ */ new Map();
1944
- for (const inputDescriptor of presentationDefinition.input_descriptors) {
1945
- const partialPD = buildPartialPD(inputDescriptor, presentationDefinition);
1946
- const originalCredentials = uniqueVerifiableCredentials.map((uniqueVC) => {
1947
- return import_ssi_types6.CredentialMapper.storedCredentialToOriginalFormat(uniqueVC.originalVerifiableCredential);
1948
- });
1949
- const selectionResults = pex.selectFrom(partialPD, originalCredentials);
1950
- const selectableCredentials = [];
1951
- for (const selectedCredential of selectionResults.verifiableCredential || []) {
1952
- const filteredUniqueVC = uniqueVerifiableCredentials.find((uniqueVC) => {
1953
- const proof = uniqueVC.uniformVerifiableCredential.proof;
1954
- return Array.isArray(proof) ? proof.some((proofItem) => proofItem.jwt === selectedCredential) : proof.jwt === selectedCredential;
1955
- });
1956
- if (filteredUniqueVC) {
1957
- const filteredCredentialBrandings = credentialBranding.filter((cb) => cb.vcHash === filteredUniqueVC.hash);
1958
- const issuerPartyIdentity = await agent.cmGetContacts({
1959
- filter: [
1960
- {
1961
- identities: {
1962
- identifier: {
1963
- correlationId: filteredUniqueVC.uniformVerifiableCredential.issuerDid
1964
- }
1526
+ for (const [key, value] of Object.entries(queryResult.credential_matches)) {
1527
+ if (!value.valid_credentials) {
1528
+ continue;
1529
+ }
1530
+ const mapSelectableCredentialPromises = value.valid_credentials.map(async (cred) => {
1531
+ const matchedCredential = uniqueCredentials[cred.input_credential_index];
1532
+ const credentialBranding = branding.filter((cb) => cb.vcHash === matchedCredential.hash);
1533
+ const issuerPartyIdentity = await agent.cmGetContacts({
1534
+ filter: [
1535
+ {
1536
+ identities: {
1537
+ identifier: {
1538
+ correlationId: matchedCredential.uniformVerifiableCredential.issuerDid
1965
1539
  }
1966
1540
  }
1967
- ]
1968
- });
1969
- const subjectPartyIdentity = await agent.cmGetContacts({
1970
- filter: [
1971
- {
1972
- identities: {
1973
- identifier: {
1974
- correlationId: filteredUniqueVC.uniformVerifiableCredential.subjectDid
1975
- }
1541
+ }
1542
+ ]
1543
+ });
1544
+ const subjectPartyIdentity = await agent.cmGetContacts({
1545
+ filter: [
1546
+ {
1547
+ identities: {
1548
+ identifier: {
1549
+ correlationId: matchedCredential.uniformVerifiableCredential.subjectDid
1976
1550
  }
1977
1551
  }
1978
- ]
1979
- });
1980
- selectableCredentials.push({
1981
- credential: filteredUniqueVC,
1982
- credentialBranding: filteredCredentialBrandings[0]?.localeBranding,
1983
- issuerParty: issuerPartyIdentity?.[0],
1984
- subjectParty: subjectPartyIdentity?.[0]
1985
- });
1986
- }
1987
- }
1988
- selectableCredentialsMap.set(inputDescriptor.id, selectableCredentials);
1552
+ }
1553
+ ]
1554
+ });
1555
+ return {
1556
+ credential: matchedCredential,
1557
+ credentialBranding: credentialBranding[0]?.localeBranding,
1558
+ issuerParty: issuerPartyIdentity?.[0],
1559
+ subjectParty: subjectPartyIdentity?.[0]
1560
+ };
1561
+ });
1562
+ const selectableCredentials = await Promise.all(mapSelectableCredentialPromises);
1563
+ selectableCredentialsMap.set(key, selectableCredentials);
1989
1564
  }
1990
1565
  return selectableCredentialsMap;
1991
1566
  }, "getSelectableCredentials");
@@ -2007,6 +1582,31 @@ var translateCorrelationIdToName = /* @__PURE__ */ __name(async (correlationId,
2007
1582
  }
2008
1583
  return contacts[0].contact.displayName;
2009
1584
  }, "translateCorrelationIdToName");
1585
+ var updateSdJwtCredential = /* @__PURE__ */ __name((credential, nonce, aud) => {
1586
+ const sdJwtCredential = credential;
1587
+ const hashAlg = sdJwtCredential.signedPayload._sd_alg ?? "sha-256";
1588
+ const sdHash = (0, import_utils.calculateSdHash)(sdJwtCredential.compactSdJwtVc, hashAlg, import_ssi_sdk6.defaultGenerateDigest);
1589
+ const kbJwt = {
1590
+ // alg MUST be set by the signer
1591
+ header: {
1592
+ typ: "kb+jwt"
1593
+ },
1594
+ payload: {
1595
+ iat: Math.floor((/* @__PURE__ */ new Date()).getTime() / 1e3),
1596
+ sd_hash: sdHash,
1597
+ ...nonce && {
1598
+ nonce
1599
+ },
1600
+ ...aud && {
1601
+ aud
1602
+ }
1603
+ }
1604
+ };
1605
+ return {
1606
+ ...sdJwtCredential,
1607
+ kbJwt
1608
+ };
1609
+ }, "updateSdJwtCredential");
2010
1610
 
2011
1611
  // src/agent/DidAuthSiopOpAuthenticator.ts
2012
1612
  var logger4 = import_ssi_types7.Loggers.DEFAULT.options(LOGGER_NAMESPACE, {}).get(LOGGER_NAMESPACE);
@@ -2026,7 +1626,7 @@ var DidAuthSiopOpAuthenticator = class {
2026
1626
  static {
2027
1627
  __name(this, "DidAuthSiopOpAuthenticator");
2028
1628
  }
2029
- schema = schema.IDidAuthSiopOpAuthenticator;
1629
+ schema = plugin_schema_default.IDidAuthSiopOpAuthenticator;
2030
1630
  methods = {
2031
1631
  siopGetOPSession: this.siopGetOPSession.bind(this),
2032
1632
  siopRegisterOPSession: this.siopRegisterOPSession.bind(this),
@@ -2167,9 +1767,9 @@ var DidAuthSiopOpAuthenticator = class {
2167
1767
  const verifiedAuthorizationRequest = await session.getAuthorizationRequest();
2168
1768
  const clientName = verifiedAuthorizationRequest.registrationMetadataPayload?.client_name;
2169
1769
  const url = verifiedAuthorizationRequest.responseURI ?? (args.url.includes("request_uri") ? decodeURIComponent(args.url.split("?request_uri=")[1].trim()) : verifiedAuthorizationRequest.issuer ?? verifiedAuthorizationRequest.registrationMetadataPayload?.client_id);
2170
- const uri = url.includes("://") ? new URL(url) : void 0;
1770
+ const uri = url?.includes("://") ? new URL(url) : void 0;
2171
1771
  const correlationId = uri?.hostname ?? await this.determineCorrelationId(uri, verifiedAuthorizationRequest, clientName, context);
2172
- const clientId = await verifiedAuthorizationRequest.authorizationRequest.getMergedProperty("client_id");
1772
+ const clientId = verifiedAuthorizationRequest.authorizationRequest.getMergedProperty("client_id");
2173
1773
  return {
2174
1774
  issuer: verifiedAuthorizationRequest.issuer,
2175
1775
  correlationId,
@@ -2177,7 +1777,6 @@ var DidAuthSiopOpAuthenticator = class {
2177
1777
  uri,
2178
1778
  name: clientName,
2179
1779
  clientId,
2180
- presentationDefinitions: await verifiedAuthorizationRequest.authorizationRequest.containsResponseType("vp_token") || verifiedAuthorizationRequest.versions.every((version) => version <= import_did_auth_siop5.SupportedVersion.JWT_VC_PRESENTATION_PROFILE_v1) && verifiedAuthorizationRequest.presentationDefinitions && verifiedAuthorizationRequest.presentationDefinitions.length > 0 ? verifiedAuthorizationRequest.presentationDefinitions : void 0,
2181
1780
  dcqlQuery: verifiedAuthorizationRequest.dcqlQuery
2182
1781
  };
2183
1782
  }
@@ -2226,12 +1825,12 @@ var DidAuthSiopOpAuthenticator = class {
2226
1825
  if (correlationId) {
2227
1826
  const identity = {
2228
1827
  alias: correlationId,
2229
- origin: import_ssi_sdk8.IdentityOrigin.EXTERNAL,
1828
+ origin: import_ssi_sdk7.IdentityOrigin.EXTERNAL,
2230
1829
  roles: [
2231
- import_ssi_sdk8.CredentialRole.ISSUER
1830
+ import_ssi_types7.CredentialRole.ISSUER
2232
1831
  ],
2233
1832
  identifier: {
2234
- type: correlationId.startsWith("did:") ? import_ssi_sdk8.CorrelationIdentifierType.DID : import_ssi_sdk8.CorrelationIdentifierType.URL,
1833
+ type: correlationId.startsWith("did:") ? import_ssi_sdk7.CorrelationIdentifierType.DID : import_ssi_sdk7.CorrelationIdentifierType.URL,
2235
1834
  correlationId
2236
1835
  }
2237
1836
  };
@@ -2254,75 +1853,14 @@ var DidAuthSiopOpAuthenticator = class {
2254
1853
  if (authorizationRequestData === void 0) {
2255
1854
  return Promise.reject(Error("Missing authorization request data in context"));
2256
1855
  }
2257
- const pex = new import_pex4.PEX({
2258
- hasher: this.hasher
2259
- });
2260
- const verifiableCredentialsWithDefinition = [];
2261
- const dcqlCredentialsWithCredentials = /* @__PURE__ */ new Map();
2262
- if (Array.isArray(authorizationRequestData.presentationDefinitions) && authorizationRequestData?.presentationDefinitions.length > 0) {
2263
- try {
2264
- authorizationRequestData.presentationDefinitions?.forEach((presentationDefinition) => {
2265
- const { areRequiredCredentialsPresent, verifiableCredential: verifiableCredentials } = pex.selectFrom(presentationDefinition.definition, selectedCredentials.map((udc) => udc.originalVerifiableCredential));
2266
- if (areRequiredCredentialsPresent !== import_pex4.Status.ERROR && verifiableCredentials) {
2267
- let uniqueDigitalCredentials = [];
2268
- uniqueDigitalCredentials = verifiableCredentials.map((vc) => {
2269
- const hash = typeof vc === "string" ? (0, import_utils.computeEntryHash)(vc.split("~"[0])) : (0, import_utils.computeEntryHash)(vc);
2270
- const udc = selectedCredentials.find((udc2) => udc2.hash == hash || udc2.originalVerifiableCredential == vc);
2271
- if (!udc) {
2272
- throw Error(`UniqueDigitalCredential could not be found in store. Either the credential is not present in the store or the hash is not correct.`);
2273
- }
2274
- return udc;
2275
- });
2276
- verifiableCredentialsWithDefinition.push({
2277
- definition: presentationDefinition,
2278
- credentials: uniqueDigitalCredentials
2279
- });
2280
- }
2281
- });
2282
- } catch (e) {
2283
- return Promise.reject(e);
2284
- }
2285
- if (verifiableCredentialsWithDefinition.length === 0) {
2286
- return Promise.reject(Error("None of the selected credentials match any of the presentation definitions."));
2287
- }
2288
- } else if (authorizationRequestData.dcqlQuery) {
2289
- if (this.hasMDocCredentials(selectedCredentials) || this.hasSdJwtCredentials(selectedCredentials)) {
2290
- try {
2291
- selectedCredentials.forEach((vc) => {
2292
- if (this.isSdJwtCredential(vc)) {
2293
- const payload = vc.originalVerifiableCredential.decodedPayload;
2294
- const result = {
2295
- claims: payload,
2296
- vct: payload.vct,
2297
- credential_format: "vc+sd-jwt"
2298
- };
2299
- dcqlCredentialsWithCredentials.set(result, vc);
2300
- } else {
2301
- throw Error(`Invalid credential format: ${vc.digitalCredential.documentFormat}`);
2302
- }
2303
- });
2304
- } catch (e) {
2305
- return Promise.reject(e);
2306
- }
2307
- const dcqlPresentationRecord = {};
2308
- const queryResult = import_dcql3.DcqlQuery.query(authorizationRequestData.dcqlQuery, Array.from(dcqlCredentialsWithCredentials.keys()));
2309
- for (const [key, value] of Object.entries(queryResult.credential_matches)) {
2310
- if (value.success) {
2311
- dcqlPresentationRecord[key] = this.retrieveEncodedCredential(dcqlCredentialsWithCredentials.get(value.output));
2312
- }
2313
- }
2314
- }
2315
- }
2316
- const response = await siopSendAuthorizationResponse(import_ssi_sdk8.ConnectionType.SIOPv2_OpenID4VP, {
1856
+ const response = await siopSendAuthorizationResponse(import_ssi_sdk7.ConnectionType.SIOPv2_OpenID4VP, {
2317
1857
  sessionId: didAuthConfig.sessionId,
2318
1858
  ...args.idOpts && {
2319
1859
  idOpts: args.idOpts
2320
1860
  },
2321
- ...authorizationRequestData.presentationDefinitions !== void 0 && {
2322
- verifiableCredentialsWithDefinition
2323
- },
2324
1861
  isFirstParty,
2325
- hasher: this.hasher
1862
+ hasher: this.hasher,
1863
+ credentials: selectedCredentials
2326
1864
  }, context);
2327
1865
  const contentType = response.headers.get("content-type") || "";
2328
1866
  let responseBody = null;
@@ -2333,33 +1871,15 @@ var DidAuthSiopOpAuthenticator = class {
2333
1871
  return {
2334
1872
  body: responseBody,
2335
1873
  url: response?.url,
2336
- queryParams: (0, import_did_auth_siop5.decodeUriAsJson)(response?.url)
1874
+ queryParams: (0, import_did_auth_siop4.decodeUriAsJson)(response?.url)
2337
1875
  };
2338
1876
  }
2339
- hasMDocCredentials = /* @__PURE__ */ __name((credentials) => {
2340
- return credentials.some(this.isMDocCredential);
2341
- }, "hasMDocCredentials");
2342
- isMDocCredential = /* @__PURE__ */ __name((credential) => {
2343
- return credential.digitalCredential.documentFormat === import_ssi_sdk8.CredentialDocumentFormat.MSO_MDOC && credential.digitalCredential.documentType === import_ssi_sdk8.DocumentType.VC;
2344
- }, "isMDocCredential");
2345
- hasSdJwtCredentials = /* @__PURE__ */ __name((credentials) => {
2346
- return credentials.some(this.isSdJwtCredential);
2347
- }, "hasSdJwtCredentials");
2348
- isSdJwtCredential = /* @__PURE__ */ __name((credential) => {
2349
- return credential.digitalCredential.documentFormat === import_ssi_sdk8.CredentialDocumentFormat.SD_JWT && credential.digitalCredential.documentType === import_ssi_sdk8.DocumentType.VC;
2350
- }, "isSdJwtCredential");
2351
- retrieveEncodedCredential = /* @__PURE__ */ __name((credential) => {
2352
- return credential.originalVerifiableCredential !== void 0 && credential.originalVerifiableCredential !== null && credential?.originalVerifiableCredential?.compactSdJwtVc !== void 0 && credential?.originalVerifiableCredential?.compactSdJwtVc !== null ? credential.originalVerifiableCredential.compactSdJwtVc : credential.originalVerifiableCredential;
2353
- }, "retrieveEncodedCredential");
2354
1877
  async siopGetSelectableCredentials(args, context) {
2355
1878
  const { authorizationRequestData } = args;
2356
- if (!authorizationRequestData || !authorizationRequestData.presentationDefinitions || authorizationRequestData.presentationDefinitions.length === 0) {
2357
- return Promise.reject(Error("Missing required fields in arguments or context"));
2358
- }
2359
- if (authorizationRequestData.presentationDefinitions.length > 1) {
2360
- return Promise.reject(Error("Multiple presentation definitions present"));
1879
+ if (!authorizationRequestData?.dcqlQuery) {
1880
+ return Promise.reject(Error("Missing required dcql query in context"));
2361
1881
  }
2362
- return getSelectableCredentials(authorizationRequestData.presentationDefinitions[0].definition, context);
1882
+ return getSelectableCredentials(authorizationRequestData?.dcqlQuery, context);
2363
1883
  }
2364
1884
  };
2365
1885
 
@@ -2398,12 +1918,12 @@ var OID4VPCallbackStateListener = /* @__PURE__ */ __name((callbacks) => {
2398
1918
  }, "OID4VPCallbackStateListener");
2399
1919
 
2400
1920
  // src/link-handler/index.ts
2401
- var import_ssi_sdk9 = require("@sphereon/ssi-sdk.agent-config");
2402
- var import_ssi_sdk10 = require("@sphereon/ssi-sdk.core");
2403
- var import_ssi_sdk11 = require("@sphereon/ssi-sdk.xstate-machine-persistence");
1921
+ var import_ssi_sdk8 = require("@sphereon/ssi-sdk.agent-config");
1922
+ var import_ssi_sdk9 = require("@sphereon/ssi-sdk.core");
1923
+ var import_ssi_sdk10 = require("@sphereon/ssi-sdk.xstate-machine-persistence");
2404
1924
  var import_ssi_types9 = require("@sphereon/ssi-types");
2405
1925
  var logger6 = import_ssi_types9.Loggers.DEFAULT.options(LOGGER_NAMESPACE, {}).get(LOGGER_NAMESPACE);
2406
- var Siopv2OID4VPLinkHandler = class extends import_ssi_sdk10.LinkHandlerAdapter {
1926
+ var Siopv2OID4VPLinkHandler = class extends import_ssi_sdk9.LinkHandlerAdapter {
2407
1927
  static {
2408
1928
  __name(this, "Siopv2OID4VPLinkHandler");
2409
1929
  }
@@ -2429,8 +1949,8 @@ var Siopv2OID4VPLinkHandler = class extends import_ssi_sdk10.LinkHandlerAdapter
2429
1949
  stateNavigationListener: this.stateNavigationListener
2430
1950
  });
2431
1951
  const interpreter = siopv2Machine.interpreter;
2432
- if (!this.noStateMachinePersistence && !opts?.machineState && (0, import_ssi_sdk9.contextHasPlugin)(this.context, "machineStatesFindActive")) {
2433
- const init = await (0, import_ssi_sdk11.interpreterStartOrResume)({
1952
+ if (!this.noStateMachinePersistence && !opts?.machineState && (0, import_ssi_sdk8.contextHasPlugin)(this.context, "machineStatesFindActive")) {
1953
+ const init = await (0, import_ssi_sdk10.interpreterStartOrResume)({
2434
1954
  interpreter,
2435
1955
  context: this.context,
2436
1956
  cleanupAllOtherInstances: true,
@@ -2445,7 +1965,4 @@ var Siopv2OID4VPLinkHandler = class extends import_ssi_sdk10.LinkHandlerAdapter
2445
1965
  }
2446
1966
  }
2447
1967
  };
2448
-
2449
- // src/index.ts
2450
- var schema = require_plugin_schema();
2451
1968
  //# sourceMappingURL=index.cjs.map