@sphereon/ssi-sdk.siopv2-oid4vp-op-auth 0.34.1-next.7 → 0.34.1-next.86

package/src/services/Siopv2MachineService.ts

@@ -1,31 +1,38 @@
-import { AuthorizationRequest, SupportedVersion } from '@sphereon/did-auth-siop'
-import { IPresentationDefinition, PEX } from '@sphereon/pex'
-import { InputDescriptorV1, InputDescriptorV2, PresentationDefinitionV1, PresentationDefinitionV2 } from '@sphereon/pex-models'
+import {
+  AuthorizationRequest,
+  Json,
+  SupportedVersion
+} from '@sphereon/did-auth-siop'
 import { isOID4VCIssuerIdentifier, ManagedIdentifierOptsOrResult } from '@sphereon/ssi-sdk-ext.identifier-resolution'
 import { UniqueDigitalCredential, verifiableCredentialForRoleFilter } from '@sphereon/ssi-sdk.credential-store'
 import { ConnectionType, CredentialRole } from '@sphereon/ssi-sdk.data-store'
-import { CredentialMapper, HasherSync, Loggers, OriginalVerifiableCredential, PresentationSubmission } from '@sphereon/ssi-types'
-import { OID4VP, OpSession } from '../session'
 import {
-  DidAgents,
+  CredentialMapper,
+  HasherSync,
+  Loggers,
+  OriginalVerifiableCredential,
+  SdJwtDecodedVerifiableCredential
+} from '@sphereon/ssi-types'
+import { OpSession } from '../session'
+import {
   LOGGER_NAMESPACE,
   RequiredContext,
   SelectableCredential,
   SelectableCredentialsMap,
-  Siopv2HolderEvent,
-  SuitableCredentialAgents,
-  VerifiableCredentialsWithDefinition,
-  VerifiablePresentationWithDefinition,
+  Siopv2HolderEvent
 } from '../types'
-import { IAgentContext, IDIDManager } from '@veramo/core'
-import { getOrCreatePrimaryIdentifier, SupportedDidMethodEnum } from '@sphereon/ssi-sdk-ext.did-utils'
-import { defaultHasher, encodeJoseBlob } from '@sphereon/ssi-sdk.core'
-import { DcqlCredential, DcqlCredentialPresentation, DcqlPresentation, DcqlQuery } from 'dcql'
+import { encodeJoseBlob } from '@sphereon/ssi-sdk.core'
+import { DcqlPresentation, DcqlQuery } from 'dcql'
 import { convertToDcqlCredentials } from '../utils/dcql'
-import { getOriginalVerifiableCredential } from '../utils/CredentialUtils'
+import { IAgentContext, IDIDManager } from '@veramo/core'
+import {
+  getOrCreatePrimaryIdentifier,
+  SupportedDidMethodEnum
+} from '@sphereon/ssi-sdk-ext.did-utils'
 
 export const logger = Loggers.DEFAULT.get(LOGGER_NAMESPACE)
 
+// @ts-ignore
 const createEbsiIdentifier = async (agentContext: IAgentContext<IDIDManager>): Promise<ManagedIdentifierOptsOrResult> => {
   logger.log(`No EBSI key present yet. Creating a new one...`)
   const { result: newIdentifier, created } = await getOrCreatePrimaryIdentifier(agentContext, {
@@ -39,9 +46,10 @@ const createEbsiIdentifier = async (agentContext: IAgentContext<IDIDManager>): P
   return await agentContext.agent.identifierManagedGetByDid({ identifier: newIdentifier.did })
 }
 
+// @ts-ignore
 const hasEbsiClient = async (authorizationRequest: AuthorizationRequest) => {
-  const clientId = await authorizationRequest.getMergedProperty<string>('client_id')
-  const redirectUri = await authorizationRequest.getMergedProperty<string>('redirect_uri')
+  const clientId = authorizationRequest.getMergedProperty<string>('client_id')
+  const redirectUri = authorizationRequest.getMergedProperty<string>('redirect_uri')
   return clientId?.toLowerCase().includes('.ebsi.eu') || redirectUri?.toLowerCase().includes('.ebsi.eu')
 }
 
@@ -49,137 +57,25 @@ export const siopSendAuthorizationResponse = async (
   connectionType: ConnectionType,
   args: {
     sessionId: string
-    verifiableCredentialsWithDefinition?: VerifiableCredentialsWithDefinition[]
+    credentials: Array<UniqueDigitalCredential | OriginalVerifiableCredential>
     idOpts?: ManagedIdentifierOptsOrResult
     isFirstParty?: boolean
     hasher?: HasherSync
-    dcqlQuery?: DcqlQuery
   },
   context: RequiredContext,
 ) => {
   const { agent } = context
-  const agentContext = { ...context, agent: context.agent as DidAgents }
-  let { idOpts, isFirstParty, hasher = defaultHasher } = args
-
+  const { credentials } = args
   if (connectionType !== ConnectionType.SIOPv2_OpenID4VP) {
     return Promise.reject(Error(`No supported authentication provider for type: ${connectionType}`))
   }
+
   const session: OpSession = await agent.siopGetOPSession({ sessionId: args.sessionId })
   const request = await session.getAuthorizationRequest()
-  const aud = await request.authorizationRequest.getMergedProperty<string>('aud')
+  const aud = request.authorizationRequest.getMergedProperty<string>('aud')
   logger.debug(`AUD: ${aud}`)
   logger.debug(JSON.stringify(request.authorizationRequest))
 
-  let presentationsAndDefs: VerifiablePresentationWithDefinition[] | undefined
-  let presentationSubmission: PresentationSubmission | undefined
-  if (await session.hasPresentationDefinitions()) {
-    const oid4vp: OID4VP = await session.getOID4VP({ hasher })
-
-    const credentialsAndDefinitions = args.verifiableCredentialsWithDefinition
-      ? args.verifiableCredentialsWithDefinition
-      : await oid4vp.filterCredentialsAgainstAllDefinitions(CredentialRole.HOLDER)
-    const domain =
-      ((await request.authorizationRequest.getMergedProperty('client_id')) as string) ??
-      request.issuer ??
-      (request.versions.includes(SupportedVersion.JWT_VC_PRESENTATION_PROFILE_v1)
-        ? 'https://self-issued.me/v2/openid-vc'
-        : 'https://self-issued.me/v2')
-    logger.log(`NONCE: ${session.nonce}, domain: ${domain}`)
-
-    const firstUniqueDC = credentialsAndDefinitions[0].credentials[0]
-    if (typeof firstUniqueDC !== 'object' || !('digitalCredential' in firstUniqueDC)) {
-      return Promise.reject(Error('SiopMachine only supports UniqueDigitalCredentials for now'))
-    }
-
-    let identifier: ManagedIdentifierOptsOrResult
-    const digitalCredential = firstUniqueDC.digitalCredential
-    const firstVC = firstUniqueDC.uniformVerifiableCredential
-    const holder = CredentialMapper.isSdJwtDecodedCredential(firstVC)
-      ? firstVC.decodedPayload.cnf?.jwk
-        ? //TODO SDK-19: convert the JWK to hex and search for the appropriate key and associated DID
-          //doesn't apply to did:jwk only, as you can represent any DID key as a JWK. So whenever you encounter a JWK it doesn't mean it had to come from a did:jwk in the system. It just can always be represented as a did:jwk
-          `did:jwk:${encodeJoseBlob(firstVC.decodedPayload.cnf?.jwk)}#0`
-        : firstVC.decodedPayload.sub
-      : Array.isArray(firstVC.credentialSubject)
-        ? firstVC.credentialSubject[0].id
-        : firstVC.credentialSubject.id
-    if (!digitalCredential.kmsKeyRef) {
-      // In case the store does not have the kmsKeyRef lets search for the holder
-
-      if (!holder) {
-        return Promise.reject(`No holder found and no kmsKeyRef in DB. Cannot determine identifier to use`)
-      }
-      try {
-        identifier = await session.context.agent.identifierManagedGet({ identifier: holder })
-      } catch (e) {
-        logger.debug(`Holder DID not found: ${holder}`)
-        throw e
-      }
-    } else if (isOID4VCIssuerIdentifier(digitalCredential.kmsKeyRef)) {
-      identifier = await session.context.agent.identifierManagedGetByOID4VCIssuer({
-        identifier: firstUniqueDC.digitalCredential.kmsKeyRef,
-      })
-    } else {
-      switch (digitalCredential.subjectCorrelationType) {
-        case 'DID':
-          identifier = await session.context.agent.identifierManagedGetByDid({
-            identifier: digitalCredential.subjectCorrelationId ?? holder,
-            kmsKeyRef: digitalCredential.kmsKeyRef,
-          })
-          break
-        // TODO other implementations?
-        default:
-          if (digitalCredential.subjectCorrelationId?.startsWith('did:') || holder?.startsWith('did:')) {
-            identifier = await session.context.agent.identifierManagedGetByDid({
-              identifier: digitalCredential.subjectCorrelationId ?? holder,
-              kmsKeyRef: digitalCredential.kmsKeyRef,
-            })
-          } else {
-            // Since we are using the kmsKeyRef we will find the KID regardless of the identifier. We set it for later access though
-            identifier = await session.context.agent.identifierManagedGetByKid({
-              identifier: digitalCredential.subjectCorrelationId ?? holder ?? digitalCredential.kmsKeyRef,
-              kmsKeyRef: digitalCredential.kmsKeyRef,
-            })
-          }
-      }
-    }
-
-    if (identifier === undefined && idOpts !== undefined && (await hasEbsiClient(request.authorizationRequest))) {
-      identifier = await createEbsiIdentifier(agentContext)
-    }
-    logger.debug(`Identifier`, identifier)
-
-    // TODO Add mdoc support
-
-    presentationsAndDefs = await oid4vp.createVerifiablePresentations(CredentialRole.HOLDER, credentialsAndDefinitions, {
-      idOpts: identifier,
-      proofOpts: {
-        nonce: session.nonce,
-        domain,
-      },
-    })
-    if (!presentationsAndDefs || presentationsAndDefs.length === 0) {
-      throw Error('No verifiable presentations could be created')
-    } else if (presentationsAndDefs.length > 1) {
-      throw Error(`Only one verifiable presentation supported for now. Got ${presentationsAndDefs.length}`)
-    }
-
-    idOpts = presentationsAndDefs[0].idOpts
-    presentationSubmission = presentationsAndDefs[0].presentationSubmission
-
-    logger.log(`Definitions and locations:`, JSON.stringify(presentationsAndDefs?.[0]?.verifiablePresentations, null, 2))
-    logger.log(`Presentation Submission:`, JSON.stringify(presentationSubmission, null, 2))
-    const mergedVerifiablePresentations = presentationsAndDefs?.flatMap((pd) => pd.verifiablePresentations) || []
-    return await session.sendAuthorizationResponse({
-      ...(presentationsAndDefs && { verifiablePresentations: mergedVerifiablePresentations }),
-      ...(presentationSubmission && { presentationSubmission }),
-      // todo: Change issuer value in case we do not use identifier. Use key.meta.jwkThumbprint then
-      responseSignerOpts: idOpts!,
-      isFirstParty,
-    })
-  } else if (request.dcqlQuery) {
-    if (args.verifiableCredentialsWithDefinition !== undefined && args.verifiableCredentialsWithDefinition !== null) {
-      const vcs = args.verifiableCredentialsWithDefinition.flatMap((vcd) => vcd.credentials)
       const domain =
         ((await request.authorizationRequest.getMergedProperty('client_id')) as string) ??
         request.issuer ??
@@ -188,7 +84,7 @@ export const siopSendAuthorizationResponse = async (
           : 'https://self-issued.me/v2')
       logger.debug(`NONCE: ${session.nonce}, domain: ${domain}`)
 
-      const firstUniqueDC = vcs[0]
+      const firstUniqueDC = credentials[0]
       if (typeof firstUniqueDC !== 'object' || !('digitalCredential' in firstUniqueDC)) {
         return Promise.reject(Error('SiopMachine only supports UniqueDigitalCredentials for now'))
       }
@@ -238,104 +134,102 @@ export const siopSendAuthorizationResponse = async (
             })
         }
       }
-      console.log(`Identifier`, identifier)
 
-      const dcqlRepresentations: DcqlCredential[] = []
-      vcs.forEach((vc: UniqueDigitalCredential | OriginalVerifiableCredential) => {
-        const rep = convertToDcqlCredentials(vc, args.hasher)
-        if (rep) {
-          dcqlRepresentations.push(rep)
-        }
-      })
+  const dcqlCredentialsWithCredentials = new Map(
+    credentials.map((vc) => [convertToDcqlCredentials(vc), vc])
+  )
 
-      const queryResult = DcqlQuery.query(request.dcqlQuery, dcqlRepresentations)
-      const presentation: Record<string, DcqlCredentialPresentation> = {}
+  const queryResult = DcqlQuery.query(request.dcqlQuery, Array.from(dcqlCredentialsWithCredentials.keys()))
 
-      for (const [key, value] of Object.entries(queryResult.credential_matches)) {
-        const allMatches = Array.isArray(value) ? value : [value]
-        allMatches.forEach((match) => {
-          if (match.success) {
-            const originalCredential = getOriginalVerifiableCredential(vcs[match.input_credential_index])
-            if (!originalCredential) {
-              throw new Error(`Index ${match.input_credential_index} out of range in credentials array`)
-            }
-            presentation[key] =
-              (originalCredential as any)['compactSdJwtVc'] !== undefined ? (originalCredential as any).compactSdJwtVc : originalCredential
-          }
-        })
+  if (!queryResult.can_be_satisfied) {
+    return Promise.reject(Error('Credentials do not match required query request'))
+  }
+
+  const presentation: DcqlPresentation.Output = {}
+  const uniqueCredentials = Array.from(dcqlCredentialsWithCredentials.values())
+  for (const [key, value] of Object.entries(queryResult.credential_matches)) {
+    if (value.success) {
+      const matchedCredentials = value.valid_credentials.map(cred => uniqueCredentials[cred.input_credential_index])
+      const vc = matchedCredentials[0] // taking the first match for now //uniqueCredentials[value.input_credential_index]
+      if (!vc) {
+        continue
+      }
+      const originalVc = retrieveEncodedCredential(vc as UniqueDigitalCredential) // TODO this is not nice // also always a UniqueDigitalCredential
+      if (!originalVc) {
+        continue
       }
+      if (originalVc) {
+        presentation[key] = originalVc as | string | { [x: string]: Json }
+      }
+    }
+  }
+
+  const dcqlPresentation = DcqlPresentation.parse(presentation)
 
       const response = session.sendAuthorizationResponse({
         responseSignerOpts: identifier,
-        ...{ dcqlQuery: { dcqlPresentation: DcqlPresentation.parse(presentation) } },
+        dcqlResponse: {
+          dcqlPresentation
+        }
       })
 
       logger.debug(`Response: `, response)
-
       return response
-    }
-  }
-  throw Error('Presentation Definition or DCQL is required')
 }
 
-function buildPartialPD(
-  inputDescriptor: InputDescriptorV1 | InputDescriptorV2,
-  presentationDefinition: PresentationDefinitionV1 | PresentationDefinitionV2,
-): IPresentationDefinition {
-  return {
-    ...presentationDefinition,
-    input_descriptors: [inputDescriptor],
-  } as IPresentationDefinition
+const retrieveEncodedCredential = (credential: UniqueDigitalCredential): OriginalVerifiableCredential | undefined => {
+  return credential.originalVerifiableCredential !== undefined &&
+    credential.originalVerifiableCredential !== null &&
+    (credential?.originalVerifiableCredential as SdJwtDecodedVerifiableCredential)?.compactSdJwtVc !== undefined &&
+    (credential?.originalVerifiableCredential as SdJwtDecodedVerifiableCredential)?.compactSdJwtVc !== null
+    ? (credential.originalVerifiableCredential as SdJwtDecodedVerifiableCredential).compactSdJwtVc
+    : credential.originalVerifiableCredential
 }
 
 export const getSelectableCredentials = async (
-  presentationDefinition: IPresentationDefinition,
+  dcqlQuery: DcqlQuery,
   context: RequiredContext,
 ): Promise<SelectableCredentialsMap> => {
-  const agentContext = { ...context, agent: context.agent as SuitableCredentialAgents }
+  const agentContext = { ...context, agent: context.agent }
   const { agent } = agentContext
-  const pex = new PEX()
-
   const uniqueVerifiableCredentials = await agent.crsGetUniqueCredentials({
     filter: verifiableCredentialForRoleFilter(CredentialRole.HOLDER),
   })
-  const credentialBranding = await agent.ibGetCredentialBranding()
-
+  const branding = await agent.ibGetCredentialBranding()
+  const dcqlCredentialsWithCredentials = new Map(
+    uniqueVerifiableCredentials.map((vc) => [convertToDcqlCredentials(vc), vc])
+  )
+  const queryResult = DcqlQuery.query(dcqlQuery, Array.from(dcqlCredentialsWithCredentials.keys()))
+  const uniqueCredentials = Array.from(dcqlCredentialsWithCredentials.values())
   const selectableCredentialsMap: SelectableCredentialsMap = new Map()
 
-  for (const inputDescriptor of presentationDefinition.input_descriptors) {
-    const partialPD = buildPartialPD(inputDescriptor, presentationDefinition)
-    const originalCredentials = uniqueVerifiableCredentials.map((uniqueVC) => {
-      return CredentialMapper.storedCredentialToOriginalFormat(uniqueVC.originalVerifiableCredential!) // ( ! is valid for verifiableCredentialForRoleFilter )
-    })
-    const selectionResults = pex.selectFrom(partialPD, originalCredentials)
+  for (const [key, value] of Object.entries(queryResult.credential_matches)) {
+    if (!value.valid_credentials) {
+      continue
+    }
 
-    const selectableCredentials: Array<SelectableCredential> = []
-    for (const selectedCredential of selectionResults.verifiableCredential || []) {
-      const filteredUniqueVC = uniqueVerifiableCredentials.find((uniqueVC) => {
-        const proof = uniqueVC.uniformVerifiableCredential!.proof
-        return Array.isArray(proof) ? proof.some((proofItem) => proofItem.jwt === selectedCredential) : proof.jwt === selectedCredential
+    const mapSelectableCredentialPromises = value.valid_credentials.map(async cred => {
+      const matchedCredential = uniqueCredentials[cred.input_credential_index]
+      const credentialBranding = branding.filter((cb) => cb.vcHash === matchedCredential.hash)
+      const issuerPartyIdentity = await agent.cmGetContacts({
+        filter: [{ identities: { identifier: { correlationId: matchedCredential.uniformVerifiableCredential!.issuerDid } } }],
+      })
+      const subjectPartyIdentity = await agent.cmGetContacts({
+        filter: [{ identities: { identifier: { correlationId: matchedCredential.uniformVerifiableCredential!.subjectDid } } }],
       })
 
-      if (filteredUniqueVC) {
-        const filteredCredentialBrandings = credentialBranding.filter((cb) => cb.vcHash === filteredUniqueVC.hash)
-        const issuerPartyIdentity = await agent.cmGetContacts({
-          filter: [{ identities: { identifier: { correlationId: filteredUniqueVC.uniformVerifiableCredential!.issuerDid } } }],
-        })
-        const subjectPartyIdentity = await agent.cmGetContacts({
-          filter: [{ identities: { identifier: { correlationId: filteredUniqueVC.uniformVerifiableCredential!.subjectDid } } }],
-        })
-
-        selectableCredentials.push({
-          credential: filteredUniqueVC,
-          credentialBranding: filteredCredentialBrandings[0]?.localeBranding,
-          issuerParty: issuerPartyIdentity?.[0],
-          subjectParty: subjectPartyIdentity?.[0],
-        })
+      return {
+        credential: matchedCredential,
+        credentialBranding: credentialBranding[0]?.localeBranding,
+        issuerParty: issuerPartyIdentity?.[0],
+        subjectParty: subjectPartyIdentity?.[0],
       }
-    }
-    selectableCredentialsMap.set(inputDescriptor.id, selectableCredentials)
+    })
+
+    const selectableCredentials: Array<SelectableCredential> = await Promise.all(mapSelectableCredentialPromises)
+    selectableCredentialsMap.set(key, selectableCredentials)
   }
+
   return selectableCredentialsMap
 }