@sphereon/ssi-sdk.siopv2-oid4vp-op-auth 0.34.1-next.299 → 0.34.1-next.322

package/dist/index.js

@@ -368,7 +368,7 @@ var plugin_schema_default = {
 // src/agent/DidAuthSiopOpAuthenticator.ts
 import { decodeUriAsJson } from "@sphereon/did-auth-siop";
 import { ConnectionType as ConnectionType2, CorrelationIdentifierType, IdentityOrigin } from "@sphereon/ssi-sdk.data-store-types";
-import { Loggers as Loggers4, CredentialRole as CredentialRole2 } from "@sphereon/ssi-types";
+import { Loggers as Loggers5, CredentialRole as CredentialRole2 } from "@sphereon/ssi-types";
 import { v4 as uuidv4 } from "uuid";
 
 // src/session/functions.ts
@@ -523,32 +523,205 @@ function getSigningAlgo(type) {
 __name(getSigningAlgo, "getSigningAlgo");
 
 // src/session/OID4VP.ts
-var OID4VP = class _OID4VP {
-  static {
-    __name(this, "OID4VP");
+import { calculateSdHash } from "@sphereon/pex/dist/main/lib/utils/index.js";
+import { isManagedIdentifierDidResult } from "@sphereon/ssi-sdk-ext.identifier-resolution";
+import { defaultGenerateDigest } from "@sphereon/ssi-sdk.sd-jwt";
+import { CredentialMapper, DocumentFormat, Loggers } from "@sphereon/ssi-types";
+
+// src/types/IDidAuthSiopOpAuthenticator.ts
+var LOGGER_NAMESPACE = "sphereon:siopv2-oid4vp:op-auth";
+var DEFAULT_JWT_PROOF_TYPE = "JwtProof2020";
+
+// src/types/siop-service/index.ts
+var Siopv2HolderEvent = /* @__PURE__ */ (function(Siopv2HolderEvent2) {
+  Siopv2HolderEvent2["CONTACT_IDENTITY_CREATED"] = "contact_identity_created";
+  Siopv2HolderEvent2["IDENTIFIER_CREATED"] = "identifier_created";
+  return Siopv2HolderEvent2;
+})({});
+var SupportedLanguage = /* @__PURE__ */ (function(SupportedLanguage2) {
+  SupportedLanguage2["ENGLISH"] = "en";
+  SupportedLanguage2["DUTCH"] = "nl";
+  return SupportedLanguage2;
+})({});
+
+// src/types/machine/index.ts
+var Siopv2MachineStates = /* @__PURE__ */ (function(Siopv2MachineStates2) {
+  Siopv2MachineStates2["createConfig"] = "createConfig";
+  Siopv2MachineStates2["getSiopRequest"] = "getSiopRequest";
+  Siopv2MachineStates2["getSelectableCredentials"] = "getSelectableCredentials";
+  Siopv2MachineStates2["retrieveContact"] = "retrieveContact";
+  Siopv2MachineStates2["transitionFromSetup"] = "transitionFromSetup";
+  Siopv2MachineStates2["addContact"] = "addContact";
+  Siopv2MachineStates2["addContactIdentity"] = "addContactIdentity";
+  Siopv2MachineStates2["selectCredentials"] = "selectCredentials";
+  Siopv2MachineStates2["sendResponse"] = "sendResponse";
+  Siopv2MachineStates2["handleError"] = "handleError";
+  Siopv2MachineStates2["aborted"] = "aborted";
+  Siopv2MachineStates2["declined"] = "declined";
+  Siopv2MachineStates2["error"] = "error";
+  Siopv2MachineStates2["done"] = "done";
+  return Siopv2MachineStates2;
+})({});
+var Siopv2MachineAddContactStates = /* @__PURE__ */ (function(Siopv2MachineAddContactStates2) {
+  Siopv2MachineAddContactStates2["idle"] = "idle";
+  Siopv2MachineAddContactStates2["executing"] = "executing";
+  Siopv2MachineAddContactStates2["next"] = "next";
+  return Siopv2MachineAddContactStates2;
+})({});
+var Siopv2MachineEvents = /* @__PURE__ */ (function(Siopv2MachineEvents2) {
+  Siopv2MachineEvents2["NEXT"] = "NEXT";
+  Siopv2MachineEvents2["PREVIOUS"] = "PREVIOUS";
+  Siopv2MachineEvents2["DECLINE"] = "DECLINE";
+  Siopv2MachineEvents2["SET_CONTACT_ALIAS"] = "SET_CONTACT_ALIAS";
+  Siopv2MachineEvents2["SET_CONTACT_CONSENT"] = "SET_CONTACT_CONSENT";
+  Siopv2MachineEvents2["CREATE_CONTACT"] = "CREATE_CONTACT";
+  Siopv2MachineEvents2["SET_SELECTED_CREDENTIALS"] = "SET_SELECTED_CREDENTIALS";
+  return Siopv2MachineEvents2;
+})({});
+var Siopv2MachineGuards = /* @__PURE__ */ (function(Siopv2MachineGuards2) {
+  Siopv2MachineGuards2["hasNoContactGuard"] = "Siopv2HasNoContactGuard";
+  Siopv2MachineGuards2["createContactGuard"] = "Siopv2CreateContactGuard";
+  Siopv2MachineGuards2["hasContactGuard"] = "Siopv2HasContactGuard";
+  Siopv2MachineGuards2["hasAuthorizationRequestGuard"] = "Siopv2HasAuthorizationRequestGuard";
+  Siopv2MachineGuards2["hasSelectableCredentialsAndContactGuard"] = "Siopv2HasSelectableCredentialsAndContactGuard";
+  Siopv2MachineGuards2["hasSelectedRequiredCredentialsGuard"] = "Siopv2HasSelectedRequiredCredentialsGuard";
+  Siopv2MachineGuards2["siopOnlyGuard"] = "Siopv2IsSiopOnlyGuard";
+  Siopv2MachineGuards2["siopWithOID4VPGuard"] = "Siopv2IsSiopWithOID4VPGuard";
+  return Siopv2MachineGuards2;
+})({});
+var Siopv2MachineServices = /* @__PURE__ */ (function(Siopv2MachineServices2) {
+  Siopv2MachineServices2["getSiopRequest"] = "getSiopRequest";
+  Siopv2MachineServices2["getSelectableCredentials"] = "getSelectableCredentials";
+  Siopv2MachineServices2["retrieveContact"] = "retrieveContact";
+  Siopv2MachineServices2["addContactIdentity"] = "addContactIdentity";
+  Siopv2MachineServices2["sendResponse"] = "sendResponse";
+  Siopv2MachineServices2["createConfig"] = "createConfig";
+  return Siopv2MachineServices2;
+})({});
+
+// src/types/identifier/index.ts
+var DID_PREFIX = "did";
+
+// src/session/OID4VP.ts
+var CLOCK_SKEW = 120;
+var logger = Loggers.DEFAULT.get(LOGGER_NAMESPACE);
+function extractOriginalCredential(credential) {
+  if (typeof credential === "string") {
+    return credential;
+  }
+  if ("digitalCredential" in credential) {
+    const udc = credential;
+    if (udc.originalVerifiableCredential) {
+      return udc.originalVerifiableCredential;
+    }
+    return udc.uniformVerifiableCredential;
   }
-  //private readonly session: OpSession
-  // private readonly allIdentifiers: string[]
-  // private readonly hasher?: HasherSync
-  constructor(args) {
+  if ("original" in credential) {
+    return credential.original;
   }
-  static async init(session, allIdentifiers, hasher) {
-    return new _OID4VP({
-      session,
-      allIdentifiers: allIdentifiers ?? await session.getSupportedDIDs(),
-      hasher
-    });
+  return credential;
+}
+__name(extractOriginalCredential, "extractOriginalCredential");
+function getIdentifierString(identifier) {
+  if ("opts" in identifier && "method" in identifier) {
+    if (isManagedIdentifierDidResult(identifier)) {
+      return identifier.did;
+    }
   }
-};
+  return identifier.issuer ?? identifier.kid ?? "";
+}
+__name(getIdentifierString, "getIdentifierString");
+async function createVerifiablePresentationForFormat(credential, identifier, context) {
+  const { nonce, audience, agent, clockSkew = CLOCK_SKEW } = context;
+  const originalCredential = extractOriginalCredential(credential);
+  const documentFormat = CredentialMapper.detectDocumentType(originalCredential);
+  logger.debug(`Creating VP for format: ${documentFormat}`);
+  switch (documentFormat) {
+    case DocumentFormat.SD_JWT_VC: {
+      const decodedSdJwt = await CredentialMapper.decodeSdJwtVcAsync(typeof originalCredential === "string" ? originalCredential : originalCredential.compactSdJwtVc, defaultGenerateDigest);
+      const hashAlg = decodedSdJwt.signedPayload._sd_alg ?? "sha-256";
+      const sdHash = calculateSdHash(decodedSdJwt.compactSdJwtVc, hashAlg, defaultGenerateDigest);
+      const kbJwtPayload = {
+        iat: Math.floor(Date.now() / 1e3 - clockSkew),
+        sd_hash: sdHash,
+        nonce,
+        aud: audience
+      };
+      const presentationResult = await agent.createSdJwtPresentation({
+        presentation: decodedSdJwt.compactSdJwtVc,
+        kb: {
+          payload: kbJwtPayload
+        }
+      });
+      return presentationResult.presentation;
+    }
+    case DocumentFormat.JSONLD: {
+      const vcObject = typeof originalCredential === "string" ? JSON.parse(originalCredential) : originalCredential;
+      const vpObject = {
+        "@context": [
+          "https://www.w3.org/2018/credentials/v1"
+        ],
+        type: [
+          "VerifiablePresentation"
+        ],
+        verifiableCredential: [
+          vcObject
+        ]
+      };
+      return await agent.createVerifiablePresentation({
+        presentation: vpObject,
+        proofFormat: "lds",
+        challenge: nonce,
+        domain: audience,
+        keyRef: identifier.kmsKeyRef || identifier.kid
+      });
+    }
+    case DocumentFormat.MSO_MDOC: {
+      logger.warning("mso_mdoc format has basic support - production use requires proper mdoc VP token implementation");
+      return originalCredential;
+    }
+    default: {
+      const vcJwt = typeof originalCredential === "string" ? originalCredential : JSON.stringify(originalCredential);
+      const identifierString = getIdentifierString(identifier);
+      const vpPayload = {
+        iss: identifierString,
+        aud: audience,
+        nonce,
+        vp: {
+          "@context": [
+            "https://www.w3.org/2018/credentials/v1"
+          ],
+          type: [
+            "VerifiablePresentation"
+          ],
+          holder: identifierString,
+          verifiableCredential: [
+            vcJwt
+          ]
+        },
+        iat: Math.floor(Date.now() / 1e3 - clockSkew),
+        exp: Math.floor(Date.now() / 1e3 + 600 + clockSkew)
+      };
+      const vpJwt = await agent.createVerifiablePresentation({
+        presentation: vpPayload.vp,
+        proofFormat: "jwt",
+        domain: audience,
+        challenge: nonce,
+        keyRef: identifier.kmsKeyRef || identifier.kid
+      });
+      return vpJwt.proof?.jwt || vpJwt;
+    }
+  }
+}
+__name(createVerifiablePresentationForFormat, "createVerifiablePresentationForFormat");
 
 // src/session/OpSession.ts
 import { OP as OP2, URI } from "@sphereon/did-auth-siop";
 import { getAgentDIDMethods, getAgentResolver } from "@sphereon/ssi-sdk-ext.did-utils";
 import { encodeBase64url } from "@sphereon/ssi-sdk.core";
-import { parseDid } from "@sphereon/ssi-types";
+import { Loggers as Loggers2, parseDid } from "@sphereon/ssi-types";
 import { v4 } from "uuid";
-import { Loggers } from "@sphereon/ssi-types";
-var logger = Loggers.DEFAULT.get("sphereon:oid4vp:OpSession");
+var logger2 = Loggers2.DEFAULT.get("sphereon:oid4vp:OpSession");
 var OpSession = class _OpSession {
   static {
     __name(this, "OpSession");
@@ -612,9 +785,9 @@ var OpSession = class _OpSession {
       didPrefix,
       agentMethods
     });
-    logger.debug(`RP supports subject syntax types: ${JSON.stringify(this.getSubjectSyntaxTypesSupported())}`);
+    logger2.debug(`RP supports subject syntax types: ${JSON.stringify(this.getSubjectSyntaxTypesSupported())}`);
     if (rpMethods.dids.length === 0) {
-      logger.debug(`RP does not support DIDs. Supported: ${JSON.stringify(this.getSubjectSyntaxTypesSupported())}`);
+      logger2.debug(`RP does not support DIDs. Supported: ${JSON.stringify(this.getSubjectSyntaxTypesSupported())}`);
       return [];
     }
     let intersection;
@@ -632,7 +805,7 @@ var OpSession = class _OpSession {
   }
   getAgentDIDMethodsSupported(opts) {
     const agentMethods = this.options.supportedDIDMethods?.map((method) => convertDidMethod(method, opts.didPrefix));
-    logger.debug(`agent methods: ${JSON.stringify(agentMethods)}`);
+    logger2.debug(`agent methods: ${JSON.stringify(agentMethods)}`);
     return agentMethods;
   }
   async getSubjectSyntaxTypesSupported() {
@@ -643,15 +816,15 @@ var OpSession = class _OpSession {
   async getRPDIDMethodsSupported(opts) {
     let keyType;
     const agentMethods = (opts.agentMethods ?? this.getAgentDIDMethodsSupported(opts))?.map((method) => convertDidMethod(method, opts.didPrefix)) ?? [];
-    logger.debug(`agent methods supported: ${JSON.stringify(agentMethods)}`);
+    logger2.debug(`agent methods supported: ${JSON.stringify(agentMethods)}`);
     const authReq = await this.getAuthorizationRequest();
     const subjectSyntaxTypesSupported = authReq.registrationMetadataPayload?.subject_syntax_types_supported?.map((method) => convertDidMethod(method, opts.didPrefix)).filter((val) => !val.startsWith("did"));
-    logger.debug(`subject syntax types supported in rp method supported: ${JSON.stringify(subjectSyntaxTypesSupported)}`);
+    logger2.debug(`subject syntax types supported in rp method supported: ${JSON.stringify(subjectSyntaxTypesSupported)}`);
     const aud = await authReq.authorizationRequest.getMergedProperty("aud");
     let rpMethods = [];
     if (aud && aud.startsWith("did:")) {
       const didMethod = convertDidMethod(parseDid(aud).method, opts.didPrefix);
-      logger.debug(`aud did method: ${didMethod}`);
+      logger2.debug(`aud did method: ${didMethod}`);
       if (subjectSyntaxTypesSupported && subjectSyntaxTypesSupported.length > 0 && !subjectSyntaxTypesSupported.includes("did") && !subjectSyntaxTypesSupported.includes(didMethod)) {
         throw Error(`The aud DID method ${didMethod} is not in the supported types ${subjectSyntaxTypesSupported}`);
       }
@@ -666,7 +839,7 @@ var OpSession = class _OpSession {
     const isEBSI = rpMethods.length === 0 && (authReq.issuer?.includes(".ebsi.eu") || authReq.authorizationRequest.getMergedProperty("client_id")?.includes(".ebsi.eu"));
     let codecName = void 0;
     if (isEBSI && (!aud || !aud.startsWith("http"))) {
-      logger.debug(`EBSI detected, adding did:key to supported DID methods for RP`);
+      logger2.debug(`EBSI detected, adding did:key to supported DID methods for RP`);
       const didKeyMethod = convertDidMethod("did:key", opts.didPrefix);
       if (!agentMethods?.includes(didKeyMethod)) {
         throw Error(`EBSI detected, but agent did not support did:key. Please reconfigure agent`);
@@ -685,13 +858,13 @@ var OpSession = class _OpSession {
   }
   async getSupportedIdentifiers(opts) {
     const methods = await this.getSupportedDIDMethods(true);
-    logger.debug(`supported DID methods (did: prefix = true): ${JSON.stringify(methods)}`);
+    logger2.debug(`supported DID methods (did: prefix = true): ${JSON.stringify(methods)}`);
     if (methods.length === 0) {
       throw Error(`No DID methods are supported`);
     }
     const identifiers = await this.context.agent.didManagerFind().then((ids) => ids.filter((id) => methods.includes(id.provider)));
     if (identifiers.length === 0) {
-      logger.debug(`No identifiers available in agent supporting methods ${JSON.stringify(methods)}`);
+      logger2.debug(`No identifiers available in agent supporting methods ${JSON.stringify(methods)}`);
       if (opts?.createInCaseNoDIDFound !== false) {
         const { codecName, keyType } = await this.getRPDIDMethodsSupported({
           didPrefix: true,
@@ -705,11 +878,11 @@ var OpSession = class _OpSession {
             type: keyType
           }
         });
-        logger.debug(`Created a new identifier for the SIOP interaction: ${identifier.did}`);
+        logger2.debug(`Created a new identifier for the SIOP interaction: ${identifier.did}`);
         identifiers.push(identifier);
       }
     }
-    logger.debug(`supported identifiers: ${JSON.stringify(identifiers.map((id) => id.did))}`);
+    logger2.debug(`supported identifiers: ${JSON.stringify(identifiers.map((id) => id.did))}`);
     return identifiers;
   }
   async getSupportedDIDs() {
@@ -718,9 +891,6 @@ var OpSession = class _OpSession {
   async getRedirectUri() {
     return Promise.resolve(this.verifiedAuthorizationRequest.responseURI);
   }
-  async getOID4VP(args) {
-    return await OID4VP.init(this, args.allIdentifiers ?? [], args.hasher);
-  }
   async createJarmResponseCallback({ responseOpts }) {
     const agent = this.context.agent;
     return /* @__PURE__ */ __name(async function jarmResponse(opts) {
@@ -800,80 +970,6 @@ function convertDidMethod(didMethod, didPrefix) {
 }
 __name(convertDidMethod, "convertDidMethod");
 
-// src/types/IDidAuthSiopOpAuthenticator.ts
-var LOGGER_NAMESPACE = "sphereon:siopv2-oid4vp:op-auth";
-var DEFAULT_JWT_PROOF_TYPE = "JwtProof2020";
-
-// src/types/siop-service/index.ts
-var Siopv2HolderEvent = /* @__PURE__ */ (function(Siopv2HolderEvent2) {
-  Siopv2HolderEvent2["CONTACT_IDENTITY_CREATED"] = "contact_identity_created";
-  Siopv2HolderEvent2["IDENTIFIER_CREATED"] = "identifier_created";
-  return Siopv2HolderEvent2;
-})({});
-var SupportedLanguage = /* @__PURE__ */ (function(SupportedLanguage2) {
-  SupportedLanguage2["ENGLISH"] = "en";
-  SupportedLanguage2["DUTCH"] = "nl";
-  return SupportedLanguage2;
-})({});
-
-// src/types/machine/index.ts
-var Siopv2MachineStates = /* @__PURE__ */ (function(Siopv2MachineStates2) {
-  Siopv2MachineStates2["createConfig"] = "createConfig";
-  Siopv2MachineStates2["getSiopRequest"] = "getSiopRequest";
-  Siopv2MachineStates2["getSelectableCredentials"] = "getSelectableCredentials";
-  Siopv2MachineStates2["retrieveContact"] = "retrieveContact";
-  Siopv2MachineStates2["transitionFromSetup"] = "transitionFromSetup";
-  Siopv2MachineStates2["addContact"] = "addContact";
-  Siopv2MachineStates2["addContactIdentity"] = "addContactIdentity";
-  Siopv2MachineStates2["selectCredentials"] = "selectCredentials";
-  Siopv2MachineStates2["sendResponse"] = "sendResponse";
-  Siopv2MachineStates2["handleError"] = "handleError";
-  Siopv2MachineStates2["aborted"] = "aborted";
-  Siopv2MachineStates2["declined"] = "declined";
-  Siopv2MachineStates2["error"] = "error";
-  Siopv2MachineStates2["done"] = "done";
-  return Siopv2MachineStates2;
-})({});
-var Siopv2MachineAddContactStates = /* @__PURE__ */ (function(Siopv2MachineAddContactStates2) {
-  Siopv2MachineAddContactStates2["idle"] = "idle";
-  Siopv2MachineAddContactStates2["executing"] = "executing";
-  Siopv2MachineAddContactStates2["next"] = "next";
-  return Siopv2MachineAddContactStates2;
-})({});
-var Siopv2MachineEvents = /* @__PURE__ */ (function(Siopv2MachineEvents2) {
-  Siopv2MachineEvents2["NEXT"] = "NEXT";
-  Siopv2MachineEvents2["PREVIOUS"] = "PREVIOUS";
-  Siopv2MachineEvents2["DECLINE"] = "DECLINE";
-  Siopv2MachineEvents2["SET_CONTACT_ALIAS"] = "SET_CONTACT_ALIAS";
-  Siopv2MachineEvents2["SET_CONTACT_CONSENT"] = "SET_CONTACT_CONSENT";
-  Siopv2MachineEvents2["CREATE_CONTACT"] = "CREATE_CONTACT";
-  Siopv2MachineEvents2["SET_SELECTED_CREDENTIALS"] = "SET_SELECTED_CREDENTIALS";
-  return Siopv2MachineEvents2;
-})({});
-var Siopv2MachineGuards = /* @__PURE__ */ (function(Siopv2MachineGuards2) {
-  Siopv2MachineGuards2["hasNoContactGuard"] = "Siopv2HasNoContactGuard";
-  Siopv2MachineGuards2["createContactGuard"] = "Siopv2CreateContactGuard";
-  Siopv2MachineGuards2["hasContactGuard"] = "Siopv2HasContactGuard";
-  Siopv2MachineGuards2["hasAuthorizationRequestGuard"] = "Siopv2HasAuthorizationRequestGuard";
-  Siopv2MachineGuards2["hasSelectableCredentialsAndContactGuard"] = "Siopv2HasSelectableCredentialsAndContactGuard";
-  Siopv2MachineGuards2["hasSelectedRequiredCredentialsGuard"] = "Siopv2HasSelectedRequiredCredentialsGuard";
-  Siopv2MachineGuards2["siopOnlyGuard"] = "Siopv2IsSiopOnlyGuard";
-  Siopv2MachineGuards2["siopWithOID4VPGuard"] = "Siopv2IsSiopWithOID4VPGuard";
-  return Siopv2MachineGuards2;
-})({});
-var Siopv2MachineServices = /* @__PURE__ */ (function(Siopv2MachineServices2) {
-  Siopv2MachineServices2["getSiopRequest"] = "getSiopRequest";
-  Siopv2MachineServices2["getSelectableCredentials"] = "getSelectableCredentials";
-  Siopv2MachineServices2["retrieveContact"] = "retrieveContact";
-  Siopv2MachineServices2["addContactIdentity"] = "addContactIdentity";
-  Siopv2MachineServices2["sendResponse"] = "sendResponse";
-  Siopv2MachineServices2["createConfig"] = "createConfig";
-  return Siopv2MachineServices2;
-})({});
-
-// src/types/identifier/index.ts
-var DID_PREFIX = "did";
-
 // src/machine/Siopv2Machine.ts
 import { assign, createMachine, interpret } from "xstate";
 
@@ -919,8 +1015,8 @@ var Localization = class Localization2 {
 var translate = Localization.translate;
 
 // src/machine/Siopv2Machine.ts
-import { Loggers as Loggers2 } from "@sphereon/ssi-types";
-var logger2 = Loggers2.DEFAULT.get(LOGGER_NAMESPACE);
+import { Loggers as Loggers3 } from "@sphereon/ssi-types";
+var logger3 = Loggers3.DEFAULT.get(LOGGER_NAMESPACE);
 var Siopv2HasNoContactGuard = /* @__PURE__ */ __name((_ctx, _event) => {
   const { contact } = _ctx;
   return contact === void 0;
@@ -1250,7 +1346,7 @@ var Siopv2Machine = class {
     __name(this, "Siopv2Machine");
   }
   static newInstance(opts) {
-    logger2.info("New Siopv2Machine instance");
+    logger3.info("New Siopv2Machine instance");
     const interpreter = interpret(createSiopv2Machine(opts).withConfig({
       services: {
         ...opts?.services
@@ -1278,7 +1374,7 @@ var Siopv2Machine = class {
       });
     }
     interpreter.onTransition((snapshot) => {
-      logger2.info("onTransition to new state", snapshot.value);
+      logger3.info("onTransition to new state", snapshot.value);
     });
     return {
       interpreter
@@ -1287,22 +1383,20 @@ var Siopv2Machine = class {
 };
 
 // src/services/Siopv2MachineService.ts
-import { calculateSdHash } from "@sphereon/pex/dist/main/lib/utils/index.js";
 import { getOrCreatePrimaryIdentifier, SupportedDidMethodEnum } from "@sphereon/ssi-sdk-ext.did-utils";
 import { isOID4VCIssuerIdentifier } from "@sphereon/ssi-sdk-ext.identifier-resolution";
 import { encodeJoseBlob } from "@sphereon/ssi-sdk.core";
 import { verifiableCredentialForRoleFilter } from "@sphereon/ssi-sdk.credential-store";
 import { ConnectionType } from "@sphereon/ssi-sdk.data-store-types";
-import { defaultGenerateDigest } from "@sphereon/ssi-sdk.sd-jwt";
-import { CredentialMapper as CredentialMapper3, CredentialRole, Loggers as Loggers3 } from "@sphereon/ssi-types";
+import { CredentialMapper as CredentialMapper4, CredentialRole, Loggers as Loggers4 } from "@sphereon/ssi-types";
 import { DcqlPresentation, DcqlQuery } from "dcql";
 
 // src/utils/dcql.ts
-import { CredentialMapper as CredentialMapper2 } from "@sphereon/ssi-types";
+import { CredentialMapper as CredentialMapper3 } from "@sphereon/ssi-types";
 import { Dcql } from "@sphereon/did-auth-siop";
 
 // src/utils/CredentialUtils.ts
-import { CredentialMapper } from "@sphereon/ssi-types";
+import { CredentialMapper as CredentialMapper2 } from "@sphereon/ssi-types";
 var isUniqueDigitalCredential = /* @__PURE__ */ __name((credential) => {
   return credential.digitalCredential !== void 0;
 }, "isUniqueDigitalCredential");
@@ -1314,29 +1408,29 @@ function convertToDcqlCredentials(credential, hasher) {
     if (!credential.originalVerifiableCredential) {
       throw new Error("originalVerifiableCredential is not defined in UniqueDigitalCredential");
     }
-    originalVerifiableCredential = CredentialMapper2.decodeVerifiableCredential(credential.originalVerifiableCredential, hasher);
+    originalVerifiableCredential = CredentialMapper3.decodeVerifiableCredential(credential.originalVerifiableCredential, hasher);
   } else {
-    originalVerifiableCredential = CredentialMapper2.decodeVerifiableCredential(credential, hasher);
+    originalVerifiableCredential = CredentialMapper3.decodeVerifiableCredential(credential, hasher);
   }
   if (!originalVerifiableCredential) {
     throw new Error("No payload found");
   }
-  if (CredentialMapper2.isJwtDecodedCredential(originalVerifiableCredential)) {
-    return Dcql.toDcqlJwtCredential(CredentialMapper2.toWrappedVerifiableCredential(originalVerifiableCredential));
-  } else if (CredentialMapper2.isSdJwtDecodedCredential(originalVerifiableCredential)) {
-    return Dcql.toDcqlSdJwtCredential(CredentialMapper2.toWrappedVerifiableCredential(originalVerifiableCredential));
-  } else if (CredentialMapper2.isMsoMdocDecodedCredential(originalVerifiableCredential)) {
-    return Dcql.toDcqlMdocCredential(CredentialMapper2.toWrappedVerifiableCredential(originalVerifiableCredential));
-  } else if (CredentialMapper2.isW3cCredential(originalVerifiableCredential)) {
-    return Dcql.toDcqlJsonLdCredential(CredentialMapper2.toWrappedVerifiableCredential(originalVerifiableCredential));
+  if (CredentialMapper3.isJwtDecodedCredential(originalVerifiableCredential)) {
+    return Dcql.toDcqlJwtCredential(CredentialMapper3.toWrappedVerifiableCredential(originalVerifiableCredential));
+  } else if (CredentialMapper3.isSdJwtDecodedCredential(originalVerifiableCredential)) {
+    return Dcql.toDcqlSdJwtCredential(CredentialMapper3.toWrappedVerifiableCredential(originalVerifiableCredential));
+  } else if (CredentialMapper3.isMsoMdocDecodedCredential(originalVerifiableCredential)) {
+    return Dcql.toDcqlMdocCredential(CredentialMapper3.toWrappedVerifiableCredential(originalVerifiableCredential));
+  } else if (CredentialMapper3.isW3cCredential(originalVerifiableCredential)) {
+    return Dcql.toDcqlJsonLdCredential(CredentialMapper3.toWrappedVerifiableCredential(originalVerifiableCredential));
   }
   throw Error(`Unable to map credential to DCQL credential. Credential: ${JSON.stringify(originalVerifiableCredential)}`);
 }
 __name(convertToDcqlCredentials, "convertToDcqlCredentials");
 
 // src/services/Siopv2MachineService.ts
-var CLOCK_SKEW = 120;
-var logger3 = Loggers3.DEFAULT.get(LOGGER_NAMESPACE);
+var CLOCK_SKEW2 = 120;
+var logger4 = Loggers4.DEFAULT.get(LOGGER_NAMESPACE);
 var siopSendAuthorizationResponse = /* @__PURE__ */ __name(async (connectionType, args, context) => {
   const { agent } = context;
   const { credentials } = args;
@@ -1348,10 +1442,10 @@ var siopSendAuthorizationResponse = /* @__PURE__ */ __name(async (connectionType
   });
   const request = await session.getAuthorizationRequest();
   const aud = request.authorizationRequest.getMergedProperty("aud");
-  logger3.debug(`AUD: ${aud}`);
-  logger3.debug(JSON.stringify(request.authorizationRequest));
+  logger4.debug(`AUD: ${aud}`);
+  logger4.debug(JSON.stringify(request.authorizationRequest));
   const domain = await request.authorizationRequest.getMergedProperty("client_id") ?? request.issuer ?? "https://self-issued.me/v2";
-  logger3.debug(`NONCE: ${session.nonce}, domain: ${domain}`);
+  logger4.debug(`NONCE: ${session.nonce}, domain: ${domain}`);
   const firstUniqueDC = credentials[0];
   if (typeof firstUniqueDC !== "object" || !("digitalCredential" in firstUniqueDC)) {
     return Promise.reject(Error("SiopMachine only supports UniqueDigitalCredentials for now"));
@@ -1359,10 +1453,12 @@ var siopSendAuthorizationResponse = /* @__PURE__ */ __name(async (connectionType
   let identifier;
   const digitalCredential = firstUniqueDC.digitalCredential;
   const firstVC = firstUniqueDC.uniformVerifiableCredential;
-  const holder = CredentialMapper3.isSdJwtDecodedCredential(firstVC) ? firstVC.decodedPayload.cnf?.jwk ? (
-    //doesn't apply to did:jwk only, as you can represent any DID key as a JWK. So whenever you encounter a JWK it doesn't mean it had to come from a did:jwk in the system. It just can always be represented as a did:jwk
-    `did:jwk:${encodeJoseBlob(firstVC.decodedPayload.cnf?.jwk)}#0`
-  ) : firstVC.decodedPayload.sub : Array.isArray(firstVC.credentialSubject) ? firstVC.credentialSubject[0].id : firstVC.credentialSubject.id;
+  let holder;
+  if (CredentialMapper4.isSdJwtDecodedCredential(firstVC)) {
+    holder = firstVC.decodedPayload.cnf?.jwk ? `did:jwk:${encodeJoseBlob(firstVC.decodedPayload.cnf?.jwk)}#0` : firstVC.decodedPayload.sub;
+  } else {
+    holder = Array.isArray(firstVC.credentialSubject) ? firstVC.credentialSubject[0].id : firstVC.credentialSubject.id;
+  }
   if (!digitalCredential.kmsKeyRef) {
     if (!holder) {
       return Promise.reject(`No holder found and no kmsKeyRef in DB. Cannot determine identifier to use`);
@@ -1372,7 +1468,7 @@ var siopSendAuthorizationResponse = /* @__PURE__ */ __name(async (connectionType
         identifier: holder
       });
     } catch (e) {
-      logger3.debug(`Holder DID not found: ${holder}`);
+      logger4.debug(`Holder DID not found: ${holder}`);
       throw e;
     }
   } else if (isOID4VCIssuerIdentifier(digitalCredential.kmsKeyRef)) {
@@ -1403,6 +1499,13 @@ var siopSendAuthorizationResponse = /* @__PURE__ */ __name(async (connectionType
   if (!queryResult.can_be_satisfied) {
     return Promise.reject(Error("Credentials do not match required query request"));
   }
+  const presentationContext = {
+    nonce: request.requestObject?.getPayload()?.nonce ?? session.nonce,
+    audience: domain,
+    agent: context.agent,
+    clockSkew: CLOCK_SKEW2,
+    hasher: args.hasher
+  };
   const presentation = {};
   const uniqueCredentials = Array.from(dcqlCredentialsWithCredentials.values());
   for (const [key, value] of Object.entries(queryResult.credential_matches)) {
@@ -1412,27 +1515,12 @@ var siopSendAuthorizationResponse = /* @__PURE__ */ __name(async (connectionType
       if (!vc) {
         continue;
       }
-      const originalVc = retrieveEncodedCredential(vc);
-      if (!originalVc) {
-        continue;
-      }
-      const decodedSdJwt = await CredentialMapper3.decodeSdJwtVcAsync(originalVc, defaultGenerateDigest);
-      const updatedSdJwt = updateSdJwtCredential(decodedSdJwt, request.requestObject?.getPayload()?.nonce, domain);
-      const presentationResult = await context.agent.createSdJwtPresentation({
-        presentation: updatedSdJwt.compactSdJwtVc,
-        kb: {
-          payload: {
-            ...updatedSdJwt.kbJwt?.payload,
-            // FIXME SSISDK-44
-            nonce: updatedSdJwt.kbJwt?.payload.nonce ?? request.requestObject.getPayload().nonce,
-            // FIXME SSISDK-44
-            aud: updatedSdJwt.kbJwt?.payload.aud ?? domain,
-            iat: updatedSdJwt.kbJwt?.payload?.iat ?? Math.floor(Date.now() / 1e3 - CLOCK_SKEW)
-          }
-        }
-      });
-      if (originalVc) {
-        presentation[key] = presentationResult.presentation;
+      try {
+        const vp = await createVerifiablePresentationForFormat(vc, identifier, presentationContext);
+        presentation[key] = vp;
+      } catch (error) {
+        logger4.error(`Failed to create VP for credential ${key}:`, error);
+        throw error;
       }
     }
   }
@@ -1443,12 +1531,9 @@ var siopSendAuthorizationResponse = /* @__PURE__ */ __name(async (connectionType
       dcqlPresentation
     }
   });
-  logger3.debug(`Response: `, response);
+  logger4.debug(`Response: `, response);
   return response;
 }, "siopSendAuthorizationResponse");
-var retrieveEncodedCredential = /* @__PURE__ */ __name((credential) => {
-  return credential.originalVerifiableCredential !== void 0 && credential.originalVerifiableCredential !== null && credential?.originalVerifiableCredential?.compactSdJwtVc !== void 0 && credential?.originalVerifiableCredential?.compactSdJwtVc !== null ? credential.originalVerifiableCredential.compactSdJwtVc : credential.originalVerifiableCredential;
-}, "retrieveEncodedCredential");
 var getSelectableCredentials = /* @__PURE__ */ __name(async (dcqlQuery, context) => {
   const agentContext = {
     ...context,
@@ -1525,34 +1610,9 @@ var translateCorrelationIdToName = /* @__PURE__ */ __name(async (correlationId,
   }
   return contacts[0].contact.displayName;
 }, "translateCorrelationIdToName");
-var updateSdJwtCredential = /* @__PURE__ */ __name((credential, nonce, aud) => {
-  const sdJwtCredential = credential;
-  const hashAlg = sdJwtCredential.signedPayload._sd_alg ?? "sha-256";
-  const sdHash = calculateSdHash(sdJwtCredential.compactSdJwtVc, hashAlg, defaultGenerateDigest);
-  const kbJwt = {
-    // alg MUST be set by the signer
-    header: {
-      typ: "kb+jwt"
-    },
-    payload: {
-      iat: Math.floor((/* @__PURE__ */ new Date()).getTime() / 1e3),
-      sd_hash: sdHash,
-      ...nonce && {
-        nonce
-      },
-      ...aud && {
-        aud
-      }
-    }
-  };
-  return {
-    ...sdJwtCredential,
-    kbJwt
-  };
-}, "updateSdJwtCredential");
 
 // src/agent/DidAuthSiopOpAuthenticator.ts
-var logger4 = Loggers4.DEFAULT.options(LOGGER_NAMESPACE, {}).get(LOGGER_NAMESPACE);
+var logger5 = Loggers5.DEFAULT.options(LOGGER_NAMESPACE, {}).get(LOGGER_NAMESPACE);
 var didAuthSiopOpAuthenticatorMethods = [
   "cmGetContacts",
   "cmGetContact",
@@ -1706,7 +1766,7 @@ var DidAuthSiopOpAuthenticator = class {
         hasher: this.hasher
       }
     }));
-    logger4.debug(`session: ${JSON.stringify(session.id, null, 2)}`);
+    logger5.debug(`session: ${JSON.stringify(session.id, null, 2)}`);
     const verifiedAuthorizationRequest = await session.getAuthorizationRequest();
     const clientName = verifiedAuthorizationRequest.registrationMetadataPayload?.client_name;
     const url = verifiedAuthorizationRequest.responseURI ?? (args.url.includes("request_uri") ? decodeURIComponent(args.url.split("?request_uri=")[1].trim()) : verifiedAuthorizationRequest.issuer ?? verifiedAuthorizationRequest.registrationMetadataPayload?.client_id);
@@ -1785,7 +1845,7 @@ var DidAuthSiopOpAuthenticator = class {
         contactId: contact.id,
         identity: addedIdentity
       });
-      logger4.info(`Contact identity created: ${JSON.stringify(addedIdentity)}`);
+      logger5.info(`Contact identity created: ${JSON.stringify(addedIdentity)}`);
     }
   }
   async siopSendResponse(args, context) {
@@ -1827,8 +1887,8 @@ var DidAuthSiopOpAuthenticator = class {
 };
 
 // src/machine/CallbackStateListener.ts
-import { Loggers as Loggers5, LogLevel, LogMethod } from "@sphereon/ssi-types";
-var logger5 = Loggers5.DEFAULT.options("sphereon:siopv2-oid4vp:op-auth", {
+import { Loggers as Loggers6, LogLevel, LogMethod } from "@sphereon/ssi-types";
+var logger6 = Loggers6.DEFAULT.options("sphereon:siopv2-oid4vp:op-auth", {
   defaultLogLevel: LogLevel.DEBUG,
   methods: [
     LogMethod.CONSOLE
@@ -1837,21 +1897,21 @@ var logger5 = Loggers5.DEFAULT.options("sphereon:siopv2-oid4vp:op-auth", {
 var OID4VPCallbackStateListener = /* @__PURE__ */ __name((callbacks) => {
   return async (oid4vciMachine, state) => {
     if (state._event.type === "internal") {
-      logger5.debug("oid4vpCallbackStateListener: internal event");
+      logger6.debug("oid4vpCallbackStateListener: internal event");
       return;
     }
-    logger5.info(`VP state listener state: ${JSON.stringify(state.value)}`);
+    logger6.info(`VP state listener state: ${JSON.stringify(state.value)}`);
     if (!callbacks || callbacks.size === 0) {
-      logger5.info(`VP no callbacks registered for state: ${JSON.stringify(state.value)}`);
+      logger6.info(`VP no callbacks registered for state: ${JSON.stringify(state.value)}`);
       return;
     }
     for (const [stateKey, callback] of callbacks) {
       if (state.matches(stateKey)) {
-        logger5.log(`VP state callback for state: ${JSON.stringify(state.value)}, will execute...`);
-        await callback(oid4vciMachine, state).then(() => logger5.log(`VP state callback executed for state: ${JSON.stringify(state.value)}`)).catch((error) => {
-          logger5.error(`VP state callback failed for state: ${JSON.stringify(state.value)}, error: ${JSON.stringify(error?.message)}, ${JSON.stringify(state.event)}`);
+        logger6.log(`VP state callback for state: ${JSON.stringify(state.value)}, will execute...`);
+        await callback(oid4vciMachine, state).then(() => logger6.log(`VP state callback executed for state: ${JSON.stringify(state.value)}`)).catch((error) => {
+          logger6.error(`VP state callback failed for state: ${JSON.stringify(state.value)}, error: ${JSON.stringify(error?.message)}, ${JSON.stringify(state.event)}`);
           if (error.stack) {
-            logger5.error(error.stack);
+            logger6.error(error.stack);
           }
         });
         break;
@@ -1864,8 +1924,8 @@ var OID4VPCallbackStateListener = /* @__PURE__ */ __name((callbacks) => {
 import { contextHasPlugin } from "@sphereon/ssi-sdk.agent-config";
 import { LinkHandlerAdapter } from "@sphereon/ssi-sdk.core";
 import { interpreterStartOrResume } from "@sphereon/ssi-sdk.xstate-machine-persistence";
-import { Loggers as Loggers6 } from "@sphereon/ssi-types";
-var logger6 = Loggers6.DEFAULT.options(LOGGER_NAMESPACE, {}).get(LOGGER_NAMESPACE);
+import { Loggers as Loggers7 } from "@sphereon/ssi-types";
+var logger7 = Loggers7.DEFAULT.options(LOGGER_NAMESPACE, {}).get(LOGGER_NAMESPACE);
 var Siopv2OID4VPLinkHandler = class extends LinkHandlerAdapter {
   static {
     __name(this, "Siopv2OID4VPLinkHandler");
@@ -1885,7 +1945,7 @@ var Siopv2OID4VPLinkHandler = class extends LinkHandlerAdapter {
     this.idOpts = args.idOpts;
   }
   async handle(url, opts) {
-    logger6.debug(`handling SIOP link: ${url}`);
+    logger7.debug(`handling SIOP link: ${url}`);
     const siopv2Machine = await this.context.agent.siopGetMachineInterpreter({
       url,
       idOpts: opts?.idOpts ?? this.idOpts,
@@ -1901,10 +1961,10 @@ var Siopv2OID4VPLinkHandler = class extends LinkHandlerAdapter {
         singletonCheck: true,
         noRegistration: this.noStateMachinePersistence
       });
-      logger6.debug(`SIOP machine started for link: ${url}`, init);
+      logger7.debug(`SIOP machine started for link: ${url}`, init);
     } else {
       interpreter.start(opts?.machineState);
-      logger6.debug(`SIOP machine started for link: ${url}`);
+      logger7.debug(`SIOP machine started for link: ${url}`);
     }
   }
 };
@@ -1913,7 +1973,6 @@ export {
   DID_PREFIX,
   DidAuthSiopOpAuthenticator,
   LOGGER_NAMESPACE,
-  OID4VP,
   OID4VPCallbackStateListener,
   OpSession,
   Siopv2HolderEvent,
@@ -1931,6 +1990,7 @@ export {
   createOID4VPPresentationSignCallback,
   createOP,
   createOPBuilder,
+  createVerifiablePresentationForFormat,
   didAuthSiopOpAuthenticatorMethods,
   getSigningAlgo,
   plugin_schema_default as schema