@sphereon/ssi-sdk.siopv2-oid4vp-op-auth 0.34.1-next.29 → 0.34.1-next.299

package/src/services/Siopv2MachineService.ts

@@ -1,31 +1,31 @@
-import { AuthorizationRequest, SupportedVersion } from '@sphereon/did-auth-siop'
-import { IPresentationDefinition, PEX } from '@sphereon/pex'
-import { InputDescriptorV1, InputDescriptorV2, PresentationDefinitionV1, PresentationDefinitionV2 } from '@sphereon/pex-models'
+import { AuthorizationRequest } from '@sphereon/did-auth-siop'
+import type { PartialSdJwtDecodedVerifiableCredential, PartialSdJwtKbJwt } from '@sphereon/pex/dist/main/lib/index.js'
+import { calculateSdHash } from '@sphereon/pex/dist/main/lib/utils/index.js'
+import { getOrCreatePrimaryIdentifier, SupportedDidMethodEnum } from '@sphereon/ssi-sdk-ext.did-utils'
 import { isOID4VCIssuerIdentifier, ManagedIdentifierOptsOrResult } from '@sphereon/ssi-sdk-ext.identifier-resolution'
+import { encodeJoseBlob } from '@sphereon/ssi-sdk.core'
 import { UniqueDigitalCredential, verifiableCredentialForRoleFilter } from '@sphereon/ssi-sdk.credential-store'
-import { ConnectionType, CredentialRole } from '@sphereon/ssi-sdk.data-store'
-import { CredentialMapper, HasherSync, Loggers, OriginalVerifiableCredential, PresentationSubmission } from '@sphereon/ssi-types'
-import { OID4VP, OpSession } from '../session'
+import { ConnectionType } from '@sphereon/ssi-sdk.data-store-types'
+import { defaultGenerateDigest } from '@sphereon/ssi-sdk.sd-jwt'
 import {
-  DidAgents,
-  LOGGER_NAMESPACE,
-  RequiredContext,
-  SelectableCredential,
-  SelectableCredentialsMap,
-  Siopv2HolderEvent,
-  SuitableCredentialAgents,
-  VerifiableCredentialsWithDefinition,
-  VerifiablePresentationWithDefinition,
-} from '../types'
+  CredentialMapper,
+  CredentialRole,
+  HasherSync,
+  Loggers,
+  OriginalVerifiableCredential,
+  SdJwtDecodedVerifiableCredential,
+} from '@sphereon/ssi-types'
 import { IAgentContext, IDIDManager } from '@veramo/core'
-import { getOrCreatePrimaryIdentifier, SupportedDidMethodEnum } from '@sphereon/ssi-sdk-ext.did-utils'
-import { defaultHasher, encodeJoseBlob } from '@sphereon/ssi-sdk.core'
-import { DcqlCredential, DcqlCredentialPresentation, DcqlPresentation, DcqlQuery } from 'dcql'
+import { DcqlPresentation, DcqlQuery } from 'dcql'
+import { OpSession } from '../session'
+import { LOGGER_NAMESPACE, RequiredContext, SelectableCredential, SelectableCredentialsMap, Siopv2HolderEvent } from '../types'
 import { convertToDcqlCredentials } from '../utils/dcql'
-import { getOriginalVerifiableCredential } from '../utils/CredentialUtils'
+
+const CLOCK_SKEW = 120
 
 export const logger = Loggers.DEFAULT.get(LOGGER_NAMESPACE)
 
+// @ts-ignore
 const createEbsiIdentifier = async (agentContext: IAgentContext<IDIDManager>): Promise<ManagedIdentifierOptsOrResult> => {
   logger.log(`No EBSI key present yet. Creating a new one...`)
   const { result: newIdentifier, created } = await getOrCreatePrimaryIdentifier(agentContext, {
@@ -39,9 +39,10 @@ const createEbsiIdentifier = async (agentContext: IAgentContext<IDIDManager>): P
   return await agentContext.agent.identifierManagedGetByDid({ identifier: newIdentifier.did })
 }
 
+// @ts-ignore
 const hasEbsiClient = async (authorizationRequest: AuthorizationRequest) => {
-  const clientId = await authorizationRequest.getMergedProperty<string>('client_id')
-  const redirectUri = await authorizationRequest.getMergedProperty<string>('redirect_uri')
+  const clientId = authorizationRequest.getMergedProperty<string>('client_id')
+  const redirectUri = authorizationRequest.getMergedProperty<string>('redirect_uri')
   return clientId?.toLowerCase().includes('.ebsi.eu') || redirectUri?.toLowerCase().includes('.ebsi.eu')
 }
 
@@ -49,293 +50,186 @@ export const siopSendAuthorizationResponse = async (
   connectionType: ConnectionType,
   args: {
     sessionId: string
-    verifiableCredentialsWithDefinition?: VerifiableCredentialsWithDefinition[]
+    credentials: Array<UniqueDigitalCredential | OriginalVerifiableCredential>
     idOpts?: ManagedIdentifierOptsOrResult
     isFirstParty?: boolean
     hasher?: HasherSync
-    dcqlQuery?: DcqlQuery
   },
   context: RequiredContext,
 ) => {
   const { agent } = context
-  const agentContext = { ...context, agent: context.agent as DidAgents }
-  let { idOpts, isFirstParty, hasher = defaultHasher } = args
-
+  const { credentials } = args
   if (connectionType !== ConnectionType.SIOPv2_OpenID4VP) {
     return Promise.reject(Error(`No supported authentication provider for type: ${connectionType}`))
   }
+
   const session: OpSession = await agent.siopGetOPSession({ sessionId: args.sessionId })
   const request = await session.getAuthorizationRequest()
-  const aud = await request.authorizationRequest.getMergedProperty<string>('aud')
+  const aud = request.authorizationRequest.getMergedProperty<string>('aud')
   logger.debug(`AUD: ${aud}`)
   logger.debug(JSON.stringify(request.authorizationRequest))
 
-  let presentationsAndDefs: VerifiablePresentationWithDefinition[] | undefined
-  let presentationSubmission: PresentationSubmission | undefined
-  if (await session.hasPresentationDefinitions()) {
-    const oid4vp: OID4VP = await session.getOID4VP({ hasher })
-
-    const credentialsAndDefinitions = args.verifiableCredentialsWithDefinition
-      ? args.verifiableCredentialsWithDefinition
-      : await oid4vp.filterCredentialsAgainstAllDefinitions(CredentialRole.HOLDER)
-    const domain =
-      ((await request.authorizationRequest.getMergedProperty('client_id')) as string) ??
-      request.issuer ??
-      (request.versions.includes(SupportedVersion.JWT_VC_PRESENTATION_PROFILE_v1)
-        ? 'https://self-issued.me/v2/openid-vc'
-        : 'https://self-issued.me/v2')
-    logger.log(`NONCE: ${session.nonce}, domain: ${domain}`)
-
-    const firstUniqueDC = credentialsAndDefinitions[0].credentials[0]
-    if (typeof firstUniqueDC !== 'object' || !('digitalCredential' in firstUniqueDC)) {
-      return Promise.reject(Error('SiopMachine only supports UniqueDigitalCredentials for now'))
-    }
+  const domain = ((await request.authorizationRequest.getMergedProperty('client_id')) as string) ?? request.issuer ?? 'https://self-issued.me/v2'
 
-    let identifier: ManagedIdentifierOptsOrResult
-    const digitalCredential = firstUniqueDC.digitalCredential
-    const firstVC = firstUniqueDC.uniformVerifiableCredential
-    const holder = CredentialMapper.isSdJwtDecodedCredential(firstVC)
-      ? firstVC.decodedPayload.cnf?.jwk
-        ? //TODO SDK-19: convert the JWK to hex and search for the appropriate key and associated DID
-          //doesn't apply to did:jwk only, as you can represent any DID key as a JWK. So whenever you encounter a JWK it doesn't mean it had to come from a did:jwk in the system. It just can always be represented as a did:jwk
-          `did:jwk:${encodeJoseBlob(firstVC.decodedPayload.cnf?.jwk)}#0`
-        : firstVC.decodedPayload.sub
-      : Array.isArray(firstVC.credentialSubject)
-        ? firstVC.credentialSubject[0].id
-        : firstVC.credentialSubject.id
-    if (!digitalCredential.kmsKeyRef) {
-      // In case the store does not have the kmsKeyRef lets search for the holder
-
-      if (!holder) {
-        return Promise.reject(`No holder found and no kmsKeyRef in DB. Cannot determine identifier to use`)
-      }
-      try {
-        identifier = await session.context.agent.identifierManagedGet({ identifier: holder })
-      } catch (e) {
-        logger.debug(`Holder DID not found: ${holder}`)
-        throw e
-      }
-    } else if (isOID4VCIssuerIdentifier(digitalCredential.kmsKeyRef)) {
-      identifier = await session.context.agent.identifierManagedGetByOID4VCIssuer({
-        identifier: firstUniqueDC.digitalCredential.kmsKeyRef,
-      })
-    } else {
-      switch (digitalCredential.subjectCorrelationType) {
-        case 'DID':
-          identifier = await session.context.agent.identifierManagedGetByDid({
-            identifier: digitalCredential.subjectCorrelationId ?? holder,
-            kmsKeyRef: digitalCredential.kmsKeyRef,
-          })
-          break
-        // TODO other implementations?
-        default:
-          if (digitalCredential.subjectCorrelationId?.startsWith('did:') || holder?.startsWith('did:')) {
-            identifier = await session.context.agent.identifierManagedGetByDid({
-              identifier: digitalCredential.subjectCorrelationId ?? holder,
-              kmsKeyRef: digitalCredential.kmsKeyRef,
-            })
-          } else {
-            // Since we are using the kmsKeyRef we will find the KID regardless of the identifier. We set it for later access though
-            identifier = await session.context.agent.identifierManagedGetByKid({
-              identifier: digitalCredential.subjectCorrelationId ?? holder ?? digitalCredential.kmsKeyRef,
-              kmsKeyRef: digitalCredential.kmsKeyRef,
-            })
-          }
-      }
-    }
-
-    if (identifier === undefined && idOpts !== undefined && (await hasEbsiClient(request.authorizationRequest))) {
-      identifier = await createEbsiIdentifier(agentContext)
-    }
-    logger.debug(`Identifier`, identifier)
+  logger.debug(`NONCE: ${session.nonce}, domain: ${domain}`)
 
-    // TODO Add mdoc support
+  const firstUniqueDC = credentials[0]
+  if (typeof firstUniqueDC !== 'object' || !('digitalCredential' in firstUniqueDC)) {
+    return Promise.reject(Error('SiopMachine only supports UniqueDigitalCredentials for now'))
+  }
 
-    presentationsAndDefs = await oid4vp.createVerifiablePresentations(CredentialRole.HOLDER, credentialsAndDefinitions, {
-      idOpts: identifier,
-      proofOpts: {
-        nonce: session.nonce,
-        domain,
-      },
+  let identifier: ManagedIdentifierOptsOrResult
+  const digitalCredential = firstUniqueDC.digitalCredential
+  const firstVC = firstUniqueDC.uniformVerifiableCredential
+  const holder = CredentialMapper.isSdJwtDecodedCredential(firstVC)
+    ? firstVC.decodedPayload.cnf?.jwk
+      ? //TODO SDK-19: convert the JWK to hex and search for the appropriate key and associated DID
+        //doesn't apply to did:jwk only, as you can represent any DID key as a JWK. So whenever you encounter a JWK it doesn't mean it had to come from a did:jwk in the system. It just can always be represented as a did:jwk
+        `did:jwk:${encodeJoseBlob(firstVC.decodedPayload.cnf?.jwk)}#0`
+      : firstVC.decodedPayload.sub
+    : Array.isArray(firstVC.credentialSubject)
+      ? firstVC.credentialSubject[0].id
+      : firstVC.credentialSubject.id
+  if (!digitalCredential.kmsKeyRef) {
+    // In case the store does not have the kmsKeyRef lets search for the holder
+
+    if (!holder) {
+      return Promise.reject(`No holder found and no kmsKeyRef in DB. Cannot determine identifier to use`)
+    }
+    try {
+      identifier = await session.context.agent.identifierManagedGet({ identifier: holder })
+    } catch (e) {
+      logger.debug(`Holder DID not found: ${holder}`)
+      throw e
+    }
+  } else if (isOID4VCIssuerIdentifier(digitalCredential.kmsKeyRef)) {
+    identifier = await session.context.agent.identifierManagedGetByOID4VCIssuer({
+      identifier: firstUniqueDC.digitalCredential.kmsKeyRef,
     })
-    if (!presentationsAndDefs || presentationsAndDefs.length === 0) {
-      throw Error('No verifiable presentations could be created')
-    } else if (presentationsAndDefs.length > 1) {
-      throw Error(`Only one verifiable presentation supported for now. Got ${presentationsAndDefs.length}`)
+  } else {
+    switch (digitalCredential.subjectCorrelationType) {
+      case 'DID':
+        identifier = await session.context.agent.identifierManagedGetByDid({
+          identifier: digitalCredential.subjectCorrelationId ?? holder,
+          kmsKeyRef: digitalCredential.kmsKeyRef,
+        })
+        break
+      // TODO other implementations?
+      default:
+        // Since we are using the kmsKeyRef we will find the KID regardless of the identifier. We set it for later access though
+        identifier = await session.context.agent.identifierManagedGetByKid({
+          identifier: digitalCredential.subjectCorrelationId ?? holder ?? digitalCredential.kmsKeyRef,
+          kmsKeyRef: digitalCredential.kmsKeyRef,
+        })
     }
+  }
 
-    idOpts = presentationsAndDefs[0].idOpts
-    presentationSubmission = presentationsAndDefs[0].presentationSubmission
-
-    logger.log(`Definitions and locations:`, JSON.stringify(presentationsAndDefs?.[0]?.verifiablePresentations, null, 2))
-    logger.log(`Presentation Submission:`, JSON.stringify(presentationSubmission, null, 2))
-    const mergedVerifiablePresentations = presentationsAndDefs?.flatMap((pd) => pd.verifiablePresentations) || []
-    return await session.sendAuthorizationResponse({
-      ...(presentationsAndDefs && { verifiablePresentations: mergedVerifiablePresentations }),
-      ...(presentationSubmission && { presentationSubmission }),
-      // todo: Change issuer value in case we do not use identifier. Use key.meta.jwkThumbprint then
-      responseSignerOpts: idOpts!,
-      isFirstParty,
-    })
-  } else if (request.dcqlQuery) {
-    if (args.verifiableCredentialsWithDefinition !== undefined && args.verifiableCredentialsWithDefinition !== null) {
-      const vcs = args.verifiableCredentialsWithDefinition.flatMap((vcd) => vcd.credentials)
-      const domain =
-        ((await request.authorizationRequest.getMergedProperty('client_id')) as string) ??
-        request.issuer ??
-        (request.versions.includes(SupportedVersion.JWT_VC_PRESENTATION_PROFILE_v1)
-          ? 'https://self-issued.me/v2/openid-vc'
-          : 'https://self-issued.me/v2')
-      logger.debug(`NONCE: ${session.nonce}, domain: ${domain}`)
-
-      const firstUniqueDC = vcs[0]
-      if (typeof firstUniqueDC !== 'object' || !('digitalCredential' in firstUniqueDC)) {
-        return Promise.reject(Error('SiopMachine only supports UniqueDigitalCredentials for now'))
-      }
+  const dcqlCredentialsWithCredentials = new Map(credentials.map((vc) => [convertToDcqlCredentials(vc), vc]))
 
-      let identifier: ManagedIdentifierOptsOrResult
-      const digitalCredential = firstUniqueDC.digitalCredential
-      const firstVC = firstUniqueDC.uniformVerifiableCredential
-      const holder = CredentialMapper.isSdJwtDecodedCredential(firstVC)
-        ? firstVC.decodedPayload.cnf?.jwk
-          ? //TODO SDK-19: convert the JWK to hex and search for the appropriate key and associated DID
-            //doesn't apply to did:jwk only, as you can represent any DID key as a JWK. So whenever you encounter a JWK it doesn't mean it had to come from a did:jwk in the system. It just can always be represented as a did:jwk
-            `did:jwk:${encodeJoseBlob(firstVC.decodedPayload.cnf?.jwk)}#0`
-          : firstVC.decodedPayload.sub
-        : Array.isArray(firstVC.credentialSubject)
-          ? firstVC.credentialSubject[0].id
-          : firstVC.credentialSubject.id
-      if (!digitalCredential.kmsKeyRef) {
-        // In case the store does not have the kmsKeyRef lets search for the holder
-
-        if (!holder) {
-          return Promise.reject(`No holder found and no kmsKeyRef in DB. Cannot determine identifier to use`)
-        }
-        try {
-          identifier = await session.context.agent.identifierManagedGet({ identifier: holder })
-        } catch (e) {
-          logger.debug(`Holder DID not found: ${holder}`)
-          throw e
-        }
-      } else if (isOID4VCIssuerIdentifier(digitalCredential.kmsKeyRef)) {
-        identifier = await session.context.agent.identifierManagedGetByOID4VCIssuer({
-          identifier: firstUniqueDC.digitalCredential.kmsKeyRef,
-        })
-      } else {
-        switch (digitalCredential.subjectCorrelationType) {
-          case 'DID':
-            identifier = await session.context.agent.identifierManagedGetByDid({
-              identifier: digitalCredential.subjectCorrelationId ?? holder,
-              kmsKeyRef: digitalCredential.kmsKeyRef,
-            })
-            break
-          // TODO other implementations?
-          default:
-            // Since we are using the kmsKeyRef we will find the KID regardless of the identifier. We set it for later access though
-            identifier = await session.context.agent.identifierManagedGetByKid({
-              identifier: digitalCredential.subjectCorrelationId ?? holder ?? digitalCredential.kmsKeyRef,
-              kmsKeyRef: digitalCredential.kmsKeyRef,
-            })
-        }
+  const queryResult = DcqlQuery.query(request.dcqlQuery, Array.from(dcqlCredentialsWithCredentials.keys()))
+
+  if (!queryResult.can_be_satisfied) {
+    return Promise.reject(Error('Credentials do not match required query request'))
+  }
+
+  const presentation: DcqlPresentation.Output = {}
+  const uniqueCredentials = Array.from(dcqlCredentialsWithCredentials.values())
+  for (const [key, value] of Object.entries(queryResult.credential_matches)) {
+    if (value.success) {
+      const matchedCredentials = value.valid_credentials.map((cred) => uniqueCredentials[cred.input_credential_index])
+      const vc = matchedCredentials[0] // taking the first match for now //uniqueCredentials[value.input_credential_index]
+      if (!vc) {
+        continue
+      }
+      const originalVc = retrieveEncodedCredential(vc as UniqueDigitalCredential) // TODO this is not nice // also always a UniqueDigitalCredential
+      if (!originalVc) {
+        continue
       }
-      console.log(`Identifier`, identifier)
-
-      const dcqlRepresentations: DcqlCredential[] = []
-      vcs.forEach((vc: UniqueDigitalCredential | OriginalVerifiableCredential) => {
-        const rep = convertToDcqlCredentials(vc, args.hasher)
-        if (rep) {
-          dcqlRepresentations.push(rep)
-        }
+      // FIXME SSISDK-44
+      const decodedSdJwt = await CredentialMapper.decodeSdJwtVcAsync(originalVc as string, defaultGenerateDigest)
+      const updatedSdJwt = updateSdJwtCredential(decodedSdJwt, request.requestObject?.getPayload()?.nonce, domain)
+
+      const presentationResult = await context.agent.createSdJwtPresentation({
+        presentation: updatedSdJwt.compactSdJwtVc,
+        kb: {
+          payload: {
+            ...updatedSdJwt.kbJwt?.payload,
+            // FIXME SSISDK-44
+            nonce: updatedSdJwt.kbJwt?.payload.nonce ?? request.requestObject!.getPayload()!.nonce,
+            // FIXME SSISDK-44
+            aud: updatedSdJwt.kbJwt?.payload.aud ?? domain,
+            iat: updatedSdJwt.kbJwt?.payload?.iat ?? Math.floor(Date.now() / 1000 - CLOCK_SKEW),
+          },
+        },
       })
 
-      const queryResult = DcqlQuery.query(request.dcqlQuery, dcqlRepresentations)
-      const presentation: Record<string, DcqlCredentialPresentation> = {}
-
-      for (const [key, value] of Object.entries(queryResult.credential_matches)) {
-        const allMatches = Array.isArray(value) ? value : [value]
-        allMatches.forEach((match) => {
-          if (match.success) {
-            const originalCredential = getOriginalVerifiableCredential(vcs[match.input_credential_index])
-            if (!originalCredential) {
-              throw new Error(`Index ${match.input_credential_index} out of range in credentials array`)
-            }
-            presentation[key] =
-              (originalCredential as any)['compactSdJwtVc'] !== undefined ? (originalCredential as any).compactSdJwtVc : originalCredential
-          }
-        })
+      if (originalVc) {
+        presentation[key] = presentationResult.presentation
       }
+    }
+  }
 
-      const response = session.sendAuthorizationResponse({
-        responseSignerOpts: identifier,
-        ...{ dcqlQuery: { dcqlPresentation: DcqlPresentation.parse(presentation) } },
-      })
+  const dcqlPresentation = DcqlPresentation.parse(presentation)
 
-      logger.debug(`Response: `, response)
+  const response = session.sendAuthorizationResponse({
+    responseSignerOpts: identifier,
+    dcqlResponse: {
+      dcqlPresentation,
+    },
+  })
 
-      return response
-    }
-  }
-  throw Error('Presentation Definition or DCQL is required')
+  logger.debug(`Response: `, response)
+  return response
 }
 
-function buildPartialPD(
-  inputDescriptor: InputDescriptorV1 | InputDescriptorV2,
-  presentationDefinition: PresentationDefinitionV1 | PresentationDefinitionV2,
-): IPresentationDefinition {
-  return {
-    ...presentationDefinition,
-    input_descriptors: [inputDescriptor],
-  } as IPresentationDefinition
+const retrieveEncodedCredential = (credential: UniqueDigitalCredential): OriginalVerifiableCredential | undefined => {
+  return credential.originalVerifiableCredential !== undefined &&
+    credential.originalVerifiableCredential !== null &&
+    (credential?.originalVerifiableCredential as SdJwtDecodedVerifiableCredential)?.compactSdJwtVc !== undefined &&
+    (credential?.originalVerifiableCredential as SdJwtDecodedVerifiableCredential)?.compactSdJwtVc !== null
+    ? (credential.originalVerifiableCredential as SdJwtDecodedVerifiableCredential).compactSdJwtVc
+    : credential.originalVerifiableCredential
 }
 
-export const getSelectableCredentials = async (
-  presentationDefinition: IPresentationDefinition,
-  context: RequiredContext,
-): Promise<SelectableCredentialsMap> => {
-  const agentContext = { ...context, agent: context.agent as SuitableCredentialAgents }
+export const getSelectableCredentials = async (dcqlQuery: DcqlQuery, context: RequiredContext): Promise<SelectableCredentialsMap> => {
+  const agentContext = { ...context, agent: context.agent }
   const { agent } = agentContext
-  const pex = new PEX()
-
   const uniqueVerifiableCredentials = await agent.crsGetUniqueCredentials({
     filter: verifiableCredentialForRoleFilter(CredentialRole.HOLDER),
   })
-  const credentialBranding = await agent.ibGetCredentialBranding()
-
+  const branding = await agent.ibGetCredentialBranding()
+  const dcqlCredentialsWithCredentials = new Map(uniqueVerifiableCredentials.map((vc) => [convertToDcqlCredentials(vc), vc]))
+  const queryResult = DcqlQuery.query(dcqlQuery, Array.from(dcqlCredentialsWithCredentials.keys()))
+  const uniqueCredentials = Array.from(dcqlCredentialsWithCredentials.values())
   const selectableCredentialsMap: SelectableCredentialsMap = new Map()
 
-  for (const inputDescriptor of presentationDefinition.input_descriptors) {
-    const partialPD = buildPartialPD(inputDescriptor, presentationDefinition)
-    const originalCredentials = uniqueVerifiableCredentials.map((uniqueVC) => {
-      return CredentialMapper.storedCredentialToOriginalFormat(uniqueVC.originalVerifiableCredential!) // ( ! is valid for verifiableCredentialForRoleFilter )
-    })
-    const selectionResults = pex.selectFrom(partialPD, originalCredentials)
+  for (const [key, value] of Object.entries(queryResult.credential_matches)) {
+    if (!value.valid_credentials) {
+      continue
+    }
 
-    const selectableCredentials: Array<SelectableCredential> = []
-    for (const selectedCredential of selectionResults.verifiableCredential || []) {
-      const filteredUniqueVC = uniqueVerifiableCredentials.find((uniqueVC) => {
-        const proof = uniqueVC.uniformVerifiableCredential!.proof
-        return Array.isArray(proof) ? proof.some((proofItem) => proofItem.jwt === selectedCredential) : proof.jwt === selectedCredential
+    const mapSelectableCredentialPromises = value.valid_credentials.map(async (cred) => {
+      const matchedCredential = uniqueCredentials[cred.input_credential_index]
+      const credentialBranding = branding.filter((cb) => cb.vcHash === matchedCredential.hash)
+      const issuerPartyIdentity = await agent.cmGetContacts({
+        filter: [{ identities: { identifier: { correlationId: matchedCredential.uniformVerifiableCredential!.issuerDid } } }],
+      })
+      const subjectPartyIdentity = await agent.cmGetContacts({
+        filter: [{ identities: { identifier: { correlationId: matchedCredential.uniformVerifiableCredential!.subjectDid } } }],
       })
 
-      if (filteredUniqueVC) {
-        const filteredCredentialBrandings = credentialBranding.filter((cb) => cb.vcHash === filteredUniqueVC.hash)
-        const issuerPartyIdentity = await agent.cmGetContacts({
-          filter: [{ identities: { identifier: { correlationId: filteredUniqueVC.uniformVerifiableCredential!.issuerDid } } }],
-        })
-        const subjectPartyIdentity = await agent.cmGetContacts({
-          filter: [{ identities: { identifier: { correlationId: filteredUniqueVC.uniformVerifiableCredential!.subjectDid } } }],
-        })
-
-        selectableCredentials.push({
-          credential: filteredUniqueVC,
-          credentialBranding: filteredCredentialBrandings[0]?.localeBranding,
-          issuerParty: issuerPartyIdentity?.[0],
-          subjectParty: subjectPartyIdentity?.[0],
-        })
+      return {
+        credential: matchedCredential,
+        credentialBranding: credentialBranding[0]?.localeBranding,
+        issuerParty: issuerPartyIdentity?.[0],
+        subjectParty: subjectPartyIdentity?.[0],
       }
-    }
-    selectableCredentialsMap.set(inputDescriptor.id, selectableCredentials)
+    })
+
+    const selectableCredentials: Array<SelectableCredential> = await Promise.all(mapSelectableCredentialPromises)
+    selectableCredentialsMap.set(key, selectableCredentials)
   }
+
   return selectableCredentialsMap
 }
 
@@ -352,3 +246,33 @@ export const translateCorrelationIdToName = async (correlationId: string, contex
 
   return contacts[0].contact.displayName
 }
+
+const updateSdJwtCredential = (
+  credential: SdJwtDecodedVerifiableCredential,
+  nonce?: string,
+  aud?: string,
+): PartialSdJwtDecodedVerifiableCredential => {
+  const sdJwtCredential = credential as SdJwtDecodedVerifiableCredential
+
+  // extract sd_alg or default to sha-256
+  const hashAlg = sdJwtCredential.signedPayload._sd_alg ?? 'sha-256'
+  const sdHash = calculateSdHash(sdJwtCredential.compactSdJwtVc, hashAlg, defaultGenerateDigest)
+
+  const kbJwt = {
+    // alg MUST be set by the signer
+    header: {
+      typ: 'kb+jwt',
+    },
+    payload: {
+      iat: Math.floor(new Date().getTime() / 1000),
+      sd_hash: sdHash,
+      ...(nonce && { nonce }),
+      ...(aud && { aud }),
+    },
+  } satisfies PartialSdJwtKbJwt
+
+  return {
+    ...sdJwtCredential,
+    kbJwt,
+  } satisfies PartialSdJwtDecodedVerifiableCredential
+}