@sphereon/ssi-sdk.siopv2-oid4vp-op-auth 0.34.1-next.3 → 0.34.1-next.323

package/src/session/OpSession.ts

@@ -2,9 +2,6 @@ import {
   AuthorizationResponsePayload,
   JwksMetadataParams,
   OP,
-  PresentationDefinitionWithLocation,
-  PresentationExchangeResponseOpts,
-  PresentationVerificationResult,
   RequestObjectPayload,
   ResponseIss,
   SupportedVersion,
@@ -17,22 +14,11 @@ import { JwtIssuer } from '@sphereon/oid4vc-common'
 import { getAgentDIDMethods, getAgentResolver } from '@sphereon/ssi-sdk-ext.did-utils'
 import { JweAlg, JweEnc } from '@sphereon/ssi-sdk-ext.jwt-service'
 import { encodeBase64url } from '@sphereon/ssi-sdk.core'
-import {
-  CompactSdJwtVc,
-  CredentialMapper,
-  HasherSync,
-  OriginalVerifiableCredential,
-  parseDid,
-  PresentationSubmission,
-  W3CVerifiablePresentation,
-} from '@sphereon/ssi-types'
-import { IIdentifier, IVerifyResult, TKeyType } from '@veramo/core'
+import { Loggers, parseDid } from '@sphereon/ssi-types'
+import { IIdentifier, TKeyType } from '@veramo/core'
 import { v4 } from 'uuid'
-import { IOPOptions, IOpSessionArgs, IOpSessionGetOID4VPArgs, IOpsSendSiopAuthorizationResponseArgs, IRequiredContext } from '../types'
+import { IOPOptions, IOpSessionArgs, IOpsSendSiopAuthorizationResponseArgs, IRequiredContext } from '../types'
 import { createOP } from './functions'
-import { OID4VP } from './OID4VP'
-import { PEX } from '@sphereon/pex'
-import { Loggers } from '@sphereon/ssi-types'
 
 const logger = Loggers.DEFAULT.get('sphereon:oid4vp:OpSession')
 
@@ -45,14 +31,12 @@ export class OpSession {
   private verifiedAuthorizationRequest?: VerifiedAuthorizationRequest | undefined
   private _nonce?: string
   private _state?: string
-  private readonly _providedPresentationDefinitions?: PresentationDefinitionWithLocation[]
 
   private constructor(options: Required<IOpSessionArgs>) {
     this.id = options.sessionId
     this.options = options.op
     this.context = options.context
     this.requestJwtOrUri = options.requestJwtOrUri
-    this._providedPresentationDefinitions = options.providedPresentationDefinitions
   }
 
   public static async init(options: Required<IOpSessionArgs>): Promise<OpSession> {
@@ -169,7 +153,7 @@ export class OpSession {
     }
     const isEBSI =
       rpMethods.length === 0 &&
-      (authReq.issuer?.includes('.ebsi.eu') || (await authReq.authorizationRequest.getMergedProperty<string>('client_id'))?.includes('.ebsi.eu'))
+      (authReq.issuer?.includes('.ebsi.eu') || authReq.authorizationRequest.getMergedProperty<string>('client_id')?.includes('.ebsi.eu'))
     let codecName: string | undefined = undefined
     if (isEBSI && (!aud || !aud.startsWith('http'))) {
       logger.debug(`EBSI detected, adding did:key to supported DID methods for RP`)
@@ -221,51 +205,6 @@ export class OpSession {
     return Promise.resolve(this.verifiedAuthorizationRequest!.responseURI!)
   }
 
-  public async hasPresentationDefinitions(): Promise<boolean> {
-    const defs = this._providedPresentationDefinitions ?? (await this.getAuthorizationRequest()).presentationDefinitions
-    return defs !== undefined && defs.length > 0
-  }
-
-  public async getPresentationDefinitions(): Promise<Array<PresentationDefinitionWithLocation> | undefined> {
-    if (!(await this.hasPresentationDefinitions())) {
-      throw Error(`No presentation definitions found`)
-    }
-    return this._providedPresentationDefinitions ?? (await this.getAuthorizationRequest()).presentationDefinitions
-  }
-
-  public async getOID4VP(args: IOpSessionGetOID4VPArgs): Promise<OID4VP> {
-    return await OID4VP.init(this, args.allIdentifiers ?? [], args.hasher)
-  }
-
-  private createPresentationVerificationCallback(context: IRequiredContext) {
-    async function presentationVerificationCallback(
-      args: W3CVerifiablePresentation | CompactSdJwtVc,
-      presentationSubmission?: PresentationSubmission,
-    ): Promise<PresentationVerificationResult> {
-      let result: IVerifyResult
-      if (CredentialMapper.isSdJwtEncoded(args)) {
-        try {
-          const sdJwtResult = await context.agent.verifySdJwtPresentation({ presentation: args })
-          result = {
-            verified: 'header' in sdJwtResult,
-            error: 'header' in sdJwtResult ? undefined : { message: 'could not verify SD JWT presentation' },
-          }
-        } catch (error: any) {
-          result = {
-            verified: false,
-            error: { message: error.message },
-          }
-        }
-      } else {
-        // @ts-ignore TODO IVerifiablePresentation has too many union types for Veramo
-        result = await context.agent.verifyPresentation({ presentation: args })
-      }
-      return result
-    }
-
-    return presentationVerificationCallback
-  }
-
   private async createJarmResponseCallback({
     responseOpts,
   }: {
@@ -308,6 +247,8 @@ export class OpSession {
   }
 
   public async sendAuthorizationResponse(args: IOpsSendSiopAuthorizationResponseArgs): Promise<Response> {
+    const { responseSignerOpts, dcqlResponse, isFirstParty } = args
+
     const resolveOpts: ResolveOpts = this.options.resolveOpts ?? {
       resolver: getAgentResolver(this.context, {
         uniresolverResolution: true,
@@ -318,30 +259,9 @@ export class OpSession {
     if (!resolveOpts.subjectSyntaxTypesSupported || resolveOpts.subjectSyntaxTypesSupported.length === 0) {
       resolveOpts.subjectSyntaxTypesSupported = await this.getSupportedDIDMethods(true)
     }
-    //todo: populate with the right verification params. In did-auth-siop we don't have any test that actually passes this parameter
-    const verification: Verification = {
-      presentationVerificationCallback: this.createPresentationVerificationCallback(this.context),
-    }
-    const request = await this.getAuthorizationRequest()
-    const hasDefinitions = await this.hasPresentationDefinitions()
-    if (hasDefinitions) {
-      const totalInputDescriptors = request.presentationDefinitions?.reduce((sum, pd) => {
-        return sum + pd.definition.input_descriptors.length
-      }, 0)
-      const totalVCs = args.verifiablePresentations ? this.countVCsInAllVPs(args.verifiablePresentations, args.hasher) : 0
 
-      if (!request.presentationDefinitions || !args.verifiablePresentations || totalVCs !== totalInputDescriptors) {
-        throw Error(
-          `Amount of presentations ${args.verifiablePresentations?.length}, doesn't match expected ${request.presentationDefinitions?.length}`,
-        )
-      } else if (!args.presentationSubmission) {
-        throw Error(`Presentation submission is required when verifiable presentations are required`)
-      }
-    }
+    const request = await this.getAuthorizationRequest()
 
-    const verifiablePresentations = args.verifiablePresentations
-      ? args.verifiablePresentations.map((vp) => CredentialMapper.storedPresentationToOriginalFormat(vp))
-      : []
     const op = await createOP({
       opOptions: {
         ...this.options,
@@ -351,23 +271,16 @@ export class OpSession {
         wellknownDIDVerifyCallback: this.options.wellknownDIDVerifyCallback,
         supportedVersions: request.versions,
       },
-      idOpts: args.responseSignerOpts,
+      idOpts: responseSignerOpts,
       context: this.context,
     })
 
     //TODO change this to use the new functionalities by identifier-resolver and get the jwkIssuer for the responseOpts
-    let issuer = args.responseSignerOpts.issuer
+    let issuer = responseSignerOpts.issuer
     const responseOpts = {
-      verification,
       issuer,
-      ...(args.isFirstParty && { isFirstParty: args.isFirstParty }),
-      ...(args.verifiablePresentations && {
-        presentationExchange: {
-          verifiablePresentations,
-          presentationSubmission: args.presentationSubmission,
-        } as PresentationExchangeResponseOpts,
-      }),
-      dcqlQuery: args.dcqlResponse,
+      ...(isFirstParty && { isFirstParty }),
+      dcqlResponse: dcqlResponse,
     }
 
     const authResponse = await op.createAuthorizationResponse(request, responseOpts)
@@ -379,27 +292,6 @@ export class OpSession {
       return response
     }
   }
-
-  private countVCsInAllVPs(verifiablePresentations: W3CVerifiablePresentation[], hasher?: HasherSync) {
-    return verifiablePresentations.reduce((sum, vp) => {
-      if (CredentialMapper.isMsoMdocDecodedPresentation(vp) || CredentialMapper.isMsoMdocOid4VPEncoded(vp)) {
-        return sum + 1
-      }
-
-      const uvp = CredentialMapper.toUniformPresentation(vp, { hasher: hasher ?? this.options.hasher })
-      if (uvp.verifiableCredential?.length) {
-        return sum + uvp.verifiableCredential?.length
-      }
-      const isSdJWT = CredentialMapper.isSdJwtDecodedCredential(uvp)
-      if (
-        isSdJWT ||
-        (uvp.verifiableCredential && !PEX.allowMultipleVCsPerPresentation(uvp.verifiableCredential as Array<OriginalVerifiableCredential>))
-      ) {
-        return sum + 1
-      }
-      return sum
-    }, 0)
-  }
 }
 
 function convertDidMethod(didMethod: string, didPrefix?: boolean): string {

package/src/session/functions.ts

@@ -60,14 +60,7 @@ export async function createOPBuilder({
   const eventEmitter = opOptions.eventEmitter ?? new EventEmitter()
   const builder = OP.builder()
     .withResponseMode(opOptions.responseMode ?? ResponseMode.DIRECT_POST)
-    .withSupportedVersions(
-      opOptions.supportedVersions ?? [
-        SupportedVersion.SIOPv2_ID1,
-        SupportedVersion.JWT_VC_PRESENTATION_PROFILE_v1,
-        SupportedVersion.SIOPv2_D11,
-        SupportedVersion.SIOPv2_D12_OID4VP_D18,
-      ],
-    )
+    .withSupportedVersions(opOptions.supportedVersions ?? [SupportedVersion.OID4VP_v1, SupportedVersion.SIOPv2_OID4VP_D28])
     .withExpiresIn(opOptions.expiresIn ?? 300)
     .withEventEmitter(eventEmitter)
     .withRegistration({

package/src/types/IDidAuthSiopOpAuthenticator.ts

@@ -1,25 +1,21 @@
 import {
   DcqlResponseOpts,
-  PresentationDefinitionWithLocation,
   PresentationSignCallback,
   ResponseMode,
   SupportedVersion,
   URI,
-  VerifiablePresentationTypeFormat,
   VerifiedAuthorizationRequest,
   VerifyJwtCallback,
-  VPTokenLocation,
 } from '@sphereon/did-auth-siop'
 import { CheckLinkedDomain, ResolveOpts } from '@sphereon/did-auth-siop-adapter'
 import { DIDDocument } from '@sphereon/did-uni-client'
-import { VerifiablePresentationResult } from '@sphereon/pex'
 import { IIdentifierResolution, ManagedIdentifierOptsOrResult } from '@sphereon/ssi-sdk-ext.identifier-resolution'
 import { IJwtService } from '@sphereon/ssi-sdk-ext.jwt-service'
-import { ICredentialStore, UniqueDigitalCredential } from '@sphereon/ssi-sdk.credential-store'
-import { Party } from '@sphereon/ssi-sdk.data-store'
+import { ICredentialStore } from '@sphereon/ssi-sdk.credential-store'
+import { Party } from '@sphereon/ssi-sdk.data-store-types'
 import { IPDManager } from '@sphereon/ssi-sdk.pd-manager'
 import { ISDJwtPlugin } from '@sphereon/ssi-sdk.sd-jwt'
-import { HasherSync, OriginalVerifiableCredential, PresentationSubmission, W3CVerifiablePresentation } from '@sphereon/ssi-types'
+import { HasherSync, PresentationSubmission, W3CVerifiablePresentation } from '@sphereon/ssi-types'
 import { VerifyCallback } from '@sphereon/wellknown-dids-client'
 import {
   IAgentContext,
@@ -49,6 +45,7 @@ import {
   Siopv2AuthorizationResponseData,
 } from './siop-service'
 import { ICredentialValidation } from '@sphereon/ssi-sdk.credential-validation'
+import { DcqlPresentation, DcqlQuery } from 'dcql'
 
 export const LOGGER_NAMESPACE = 'sphereon:siopv2-oid4vp:op-auth'
 
@@ -81,7 +78,7 @@ export interface IDidAuthSiopOpAuthenticator extends IPluginMethodMap {
 export interface IOpSessionArgs {
   sessionId?: string
   requestJwtOrUri: string | URI
-  providedPresentationDefinitions?: Array<PresentationDefinitionWithLocation>
+  dcqlQuery?: DcqlQuery
   identifierOptions?: ManagedIdentifierOptsOrResult
   context: IRequiredContext
   op?: IOPOptions
@@ -90,17 +87,10 @@ export interface IOpSessionArgs {
 export interface IAuthRequestDetails {
   rpDIDDocument?: DIDDocument
   id: string
-  verifiablePresentationMatches: IPresentationWithDefinition[]
+  verifiablePresentationMatches: DcqlPresentation[]
   alsoKnownAs?: string[]
 }
 
-export interface IPresentationWithDefinition {
-  location: VPTokenLocation
-  definition: PresentationDefinitionWithLocation
-  format: VerifiablePresentationTypeFormat
-  presentation: W3CVerifiablePresentation
-}
-
 export interface IGetSiopSessionArgs {
   sessionId: string
 }
@@ -120,7 +110,6 @@ export interface IRemoveCustomApprovalForSiopArgs {
 
 export interface IOpsSendSiopAuthorizationResponseArgs {
   responseSignerOpts: ManagedIdentifierOptsOrResult
-  // verifiedAuthorizationRequest: VerifiedAuthorizationRequest
   presentationSubmission?: PresentationSubmission
   verifiablePresentations?: W3CVerifiablePresentation[]
   dcqlResponse?: DcqlResponseOpts
@@ -128,10 +117,6 @@ export interface IOpsSendSiopAuthorizationResponseArgs {
   isFirstParty?: boolean
 }
 
-export enum events {
-  DID_SIOP_AUTHENTICATED = 'didSiopAuthenticated',
-}
-
 export type IRequiredContext = IAgentContext<
   IDataStoreORM &
     IResolver &
@@ -155,34 +140,13 @@ export interface IOPOptions {
   skipDidResolution?: boolean
   eventEmitter?: EventEmitter
   supportedDIDMethods?: string[]
-
   verifyJwtCallback?: VerifyJwtCallback
   wellknownDIDVerifyCallback?: VerifyCallback
-
   presentationSignCallback?: PresentationSignCallback
-
   resolveOpts?: ResolveOpts
   hasher?: HasherSync
 }
 
-/*
-export interface IIdentifierOpts {
-  identifier: IIdentifier
-  verificationMethodSection?: DIDDocumentSection
-  kid?: string
-}*/
-
-export interface VerifiableCredentialsWithDefinition {
-  definition: PresentationDefinitionWithLocation
-  credentials: (UniqueDigitalCredential | OriginalVerifiableCredential)[]
-}
-
-export interface VerifiablePresentationWithDefinition extends VerifiablePresentationResult {
-  definition: PresentationDefinitionWithLocation
-  verifiableCredentials: OriginalVerifiableCredential[]
-  idOpts: ManagedIdentifierOptsOrResult
-}
-
 export interface IOpSessionGetOID4VPArgs {
   allIdentifiers?: string[]
   hasher?: HasherSync
@@ -194,21 +158,4 @@ export interface IOID4VPArgs {
   hasher?: HasherSync
 }
 
-export interface IGetPresentationExchangeArgs {
-  verifiableCredentials: OriginalVerifiableCredential[]
-  allIdentifiers?: string[]
-  hasher?: HasherSync
-}
-
-// It was added here because it's not exported from DCQL anymore
-export type Json =
-  | string
-  | number
-  | boolean
-  | null
-  | {
-      [key: string]: Json
-    }
-  | Json[]
-
 export const DEFAULT_JWT_PROOF_TYPE = 'JwtProof2020'

package/src/types/identifier/index.ts

@@ -2,9 +2,6 @@ import { IDIDManager, IIdentifier, IResolver, TAgent, TKeyType } from '@veramo/c
 import { _ExtendedIKey } from '@veramo/utils'
 import { RequiredContext } from '../siop-service'
 import { SupportedDidMethodEnum } from '@sphereon/ssi-sdk-ext.did-utils'
-import { IContactManager } from '@sphereon/ssi-sdk.contact-manager'
-import { IIssuanceBranding } from '@sphereon/ssi-sdk.issuance-branding'
-import { ICredentialStore } from '@sphereon/ssi-sdk.credential-store'
 
 export const DID_PREFIX = 'did'
 
@@ -60,4 +57,3 @@ export type CreateIdentifierOpts = {
 }
 
 export type DidAgents = TAgent<IResolver & IDIDManager>
-export type SuitableCredentialAgents = TAgent<IContactManager & ICredentialStore & IIssuanceBranding>

package/src/types/machine/index.ts

@@ -1,6 +1,6 @@
 import { VerifiedAuthorizationRequest } from '@sphereon/did-auth-siop'
 import { ManagedIdentifierOptsOrResult } from '@sphereon/ssi-sdk-ext.identifier-resolution'
-import { DidAuthConfig, Party } from '@sphereon/ssi-sdk.data-store'
+import { DidAuthConfig, Party } from '@sphereon/ssi-sdk.data-store-types'
 import { BaseActionObject, Interpreter, ResolveTypegenMeta, ServiceMap, State, StateMachine, TypegenDisabled } from 'xstate'
 import { ErrorDetails } from '../error'
 import { SelectableCredentialsMap, Siopv2AuthorizationRequestData, Siopv2AuthorizationResponseData } from '../siop-service'

package/src/types/siop-service/index.ts

@@ -1,14 +1,10 @@
-import {
-  PresentationDefinitionWithLocation,
-  PresentationSignCallback,
-  RPRegistrationMetadataPayload,
-  VerifiedAuthorizationRequest,
-} from '@sphereon/did-auth-siop'
+import { PresentationSignCallback, RPRegistrationMetadataPayload, VerifiedAuthorizationRequest } from '@sphereon/did-auth-siop'
 import { IIdentifierResolution, ManagedIdentifierOptsOrResult } from '@sphereon/ssi-sdk-ext.identifier-resolution'
 import { IContactManager } from '@sphereon/ssi-sdk.contact-manager'
 import { ICredentialStore, UniqueDigitalCredential } from '@sphereon/ssi-sdk.credential-store'
-import { DidAuthConfig, ICredentialLocaleBranding, Identity, Party } from '@sphereon/ssi-sdk.data-store'
+import { DidAuthConfig, ICredentialLocaleBranding, Identity, Party } from '@sphereon/ssi-sdk.data-store-types'
 import { IIssuanceBranding } from '@sphereon/ssi-sdk.issuance-branding'
+import { ISDJwtPlugin } from '@sphereon/ssi-sdk.sd-jwt'
 import { IAgentContext, IDIDManager, IIdentifier, IResolver } from '@veramo/core'
 import { IDidAuthSiopOpAuthenticator } from '../IDidAuthSiopOpAuthenticator'
 import { Siopv2MachineContext, Siopv2MachineInterpreter, Siopv2MachineState } from '../machine'
@@ -69,8 +65,7 @@ export type Siopv2AuthorizationRequestData = {
   name?: string
   uri?: URL
   clientId?: string
-  presentationDefinitions?: PresentationDefinitionWithLocation[]
-  dcqlQuery?: DcqlQuery
+  dcqlQuery: DcqlQuery
 }
 
 export type SelectableCredentialsMap = Map<string, Array<SelectableCredential>>
@@ -92,5 +87,12 @@ export type OnIdentifierCreatedArgs = {
 }
 
 export type RequiredContext = IAgentContext<
-  IContactManager & IDidAuthSiopOpAuthenticator & IDIDManager & IResolver & IIdentifierResolution & ICredentialStore & IIssuanceBranding
+  IContactManager &
+    IDidAuthSiopOpAuthenticator &
+    IDIDManager &
+    IResolver &
+    IIdentifierResolution &
+    ICredentialStore &
+    IIssuanceBranding &
+    ISDJwtPlugin
 >

package/src/utils/CredentialUtils.ts

@@ -1,45 +1,7 @@
-import { CredentialMapper, HasherSync, ICredential, IVerifiableCredential, OriginalVerifiableCredential } from '@sphereon/ssi-types'
+import { CredentialMapper, HasherSync, ICredential, OriginalVerifiableCredential } from '@sphereon/ssi-types'
 import { VerifiableCredential } from '@veramo/core'
 import { UniqueDigitalCredential } from '@sphereon/ssi-sdk.credential-store'
 
-/**
- * Return the type(s) of a VC minus the VerifiableCredential type which should always be present
- * @param credential The input credential
- */
-export const getCredentialTypeAsString = (credential: ICredential | VerifiableCredential): string => {
-  if (!credential.type) {
-    return 'Verifiable Credential'
-  } else if (typeof credential.type === 'string') {
-    return credential.type
-  }
-  return credential.type.filter((type: string): boolean => type !== 'VerifiableCredential').join(', ')
-}
-
-/**
- * Returns a Unique Verifiable Credential (with hash) as stored in Veramo, based upon matching the id of the input VC or the proof value of the input VC
- * @param uniqueVCs The Unique VCs to search in
- * @param searchVC The VC to search for in the unique VCs array
- */
-export const getMatchingUniqueDigitalCredential = (
-  uniqueVCs: UniqueDigitalCredential[],
-  searchVC: OriginalVerifiableCredential,
-): UniqueDigitalCredential | undefined => {
-  // Since an ID is optional in a VC according to VCDM, and we really need the matches, we have a fallback match on something which is guaranteed to be unique for any VC (the proof(s))
-  return uniqueVCs.find(
-    (uniqueVC: UniqueDigitalCredential) =>
-      (typeof searchVC !== 'string' &&
-        (uniqueVC.id === (<IVerifiableCredential>searchVC).id ||
-          (uniqueVC.originalVerifiableCredential as VerifiableCredential).proof === (<IVerifiableCredential>searchVC).proof)) ||
-      (typeof searchVC === 'string' && (uniqueVC.uniformVerifiableCredential as VerifiableCredential)?.proof?.jwt === searchVC) ||
-      // We are ignoring the signature of the sd-jwt as PEX signs the vc again and it will not match anymore with the jwt in the proof of the stored jsonld vc
-      (typeof searchVC === 'string' &&
-        CredentialMapper.isSdJwtEncoded(searchVC) &&
-        uniqueVC.uniformVerifiableCredential?.proof &&
-        'jwt' in uniqueVC.uniformVerifiableCredential.proof &&
-        uniqueVC.uniformVerifiableCredential.proof.jwt?.split('.')?.slice(0, 2)?.join('.') === searchVC.split('.')?.slice(0, 2)?.join('.')),
-  )
-}
-
 type InputCredential = UniqueDigitalCredential | VerifiableCredential | ICredential | OriginalVerifiableCredential
 
 /**
@@ -63,7 +25,7 @@ const getCredentialFromProofOrWrapped = (cred: any, hasher?: HasherSync): Origin
     return cred.proof.jwt
   }
 
-  return CredentialMapper.toWrappedVerifiableCredential(cred as OriginalVerifiableCredential, { hasher }).original
+  return CredentialMapper.toWrappedVerifiableCredential(cred as OriginalVerifiableCredential, { hasher }).original as OriginalVerifiableCredential // FIXME SSISDK-59
 }
 
 export const isUniqueDigitalCredential = (credential: InputCredential): credential is UniqueDigitalCredential => {

package/src/utils/dcql.ts

@@ -1,36 +1,43 @@
 import { UniqueDigitalCredential } from '@sphereon/ssi-sdk.credential-store'
-import { DcqlCredential, DcqlSdJwtVcCredential, DcqlW3cVcCredential } from 'dcql'
-import { CredentialMapper, HasherSync, OriginalVerifiableCredential } from '@sphereon/ssi-types'
+import {
+  CredentialMapper,
+  HasherSync,
+  OriginalVerifiableCredential,
+  WrappedMdocCredential,
+  type WrappedSdJwtVerifiableCredential,
+  type WrappedW3CVerifiableCredential,
+} from '@sphereon/ssi-types'
+import { Dcql } from '@sphereon/did-auth-siop'
+import { DcqlCredential } from 'dcql'
 import { isUniqueDigitalCredential } from './CredentialUtils'
 
 export function convertToDcqlCredentials(credential: UniqueDigitalCredential | OriginalVerifiableCredential, hasher?: HasherSync): DcqlCredential {
-  let payload
+  let originalVerifiableCredential
   if (isUniqueDigitalCredential(credential)) {
     if (!credential.originalVerifiableCredential) {
       throw new Error('originalVerifiableCredential is not defined in UniqueDigitalCredential')
     }
-    payload = CredentialMapper.decodeVerifiableCredential(credential.originalVerifiableCredential, hasher)
+    originalVerifiableCredential = CredentialMapper.decodeVerifiableCredential(credential.originalVerifiableCredential, hasher)
   } else {
-    payload = CredentialMapper.decodeVerifiableCredential(credential as OriginalVerifiableCredential, hasher)
+    originalVerifiableCredential = CredentialMapper.decodeVerifiableCredential(credential as OriginalVerifiableCredential, hasher)
   }
 
-  if (!payload) {
+  if (!originalVerifiableCredential) {
     throw new Error('No payload found')
   }
 
-  if ('decodedPayload' in payload && payload.decodedPayload) {
-    payload = payload.decodedPayload
+  if (CredentialMapper.isJwtDecodedCredential(originalVerifiableCredential)) {
+    return Dcql.toDcqlJwtCredential(CredentialMapper.toWrappedVerifiableCredential(originalVerifiableCredential) as WrappedW3CVerifiableCredential)
+  } else if (CredentialMapper.isSdJwtDecodedCredential(originalVerifiableCredential)) {
+    // FIXME: SD-JWT VC vs VCDM2 + SD-JWT would need to be handled here
+    return Dcql.toDcqlSdJwtCredential(
+      CredentialMapper.toWrappedVerifiableCredential(originalVerifiableCredential) as WrappedSdJwtVerifiableCredential,
+    )
+  } else if (CredentialMapper.isMsoMdocDecodedCredential(originalVerifiableCredential)) {
+    return Dcql.toDcqlMdocCredential(CredentialMapper.toWrappedVerifiableCredential(originalVerifiableCredential) as WrappedMdocCredential)
+  } else if (CredentialMapper.isW3cCredential(originalVerifiableCredential)) {
+    return Dcql.toDcqlJsonLdCredential(CredentialMapper.toWrappedVerifiableCredential(originalVerifiableCredential) as WrappedW3CVerifiableCredential)
   }
 
-  if ('vct' in payload!) {
-    return { vct: payload.vct, claims: payload, credential_format: 'vc+sd-jwt' } satisfies DcqlSdJwtVcCredential // TODO dc+sd-jwt support?
-  } else if ('docType' in payload! && 'namespaces' in payload) {
-    // mdoc
-    return { docType: payload.docType, namespaces: payload.namespaces, claims: payload }
-  } else {
-    return {
-      claims: payload,
-      credential_format: 'jwt_vc_json', // TODO jwt_vc_json-ld support
-    } as DcqlW3cVcCredential
-  }
+  throw Error(`Unable to map credential to DCQL credential. Credential: ${JSON.stringify(originalVerifiableCredential)}`)
 }