@sphereon/ssi-sdk.siopv2-oid4vp-rp-auth 0.32.1-next.54 → 0.33.1-feature.vcdm2.4

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sphereon/ssi-sdk.siopv2-oid4vp-rp-auth",
-  "version": "0.32.1-next.54+3b988a2b",
+  "version": "0.33.1-feature.vcdm2.4+9f634bdb",
   "source": "src/index.ts",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -14,26 +14,27 @@
     "build:clean": "tsc --build --clean && tsc --build"
   },
   "dependencies": {
-    "@sphereon/did-auth-siop": "0.16.1-next.339",
-    "@sphereon/did-auth-siop-adapter": "0.16.1-next.339",
-    "@sphereon/oid4vc-common": "0.16.1-next.339",
+    "@sphereon/did-auth-siop": "0.17.0",
+    "@sphereon/did-auth-siop-adapter": "0.17.0",
+    "@sphereon/oid4vc-common": "0.17.0",
     "@sphereon/pex": "5.0.0-unstable.28",
-    "@sphereon/ssi-sdk-ext.did-utils": "0.27.0",
-    "@sphereon/ssi-sdk-ext.identifier-resolution": "0.27.0",
-    "@sphereon/ssi-sdk-ext.jwt-service": "0.27.0",
-    "@sphereon/ssi-sdk.core": "0.32.1-next.54+3b988a2b",
-    "@sphereon/ssi-sdk.credential-validation": "0.32.1-next.54+3b988a2b",
-    "@sphereon/ssi-sdk.kv-store-temp": "0.32.1-next.54+3b988a2b",
-    "@sphereon/ssi-sdk.mdl-mdoc": "0.32.1-next.54+3b988a2b",
-    "@sphereon/ssi-sdk.pd-manager": "0.32.1-next.54+3b988a2b",
-    "@sphereon/ssi-sdk.presentation-exchange": "0.32.1-next.54+3b988a2b",
-    "@sphereon/ssi-sdk.sd-jwt": "0.32.1-next.54+3b988a2b",
-    "@sphereon/ssi-sdk.siopv2-oid4vp-common": "0.32.1-next.54+3b988a2b",
-    "@sphereon/ssi-types": "0.32.1-next.54+3b988a2b",
+    "@sphereon/ssi-sdk-ext.did-utils": "0.28.0",
+    "@sphereon/ssi-sdk-ext.identifier-resolution": "0.28.0",
+    "@sphereon/ssi-sdk-ext.jwt-service": "0.28.0",
+    "@sphereon/ssi-sdk.core": "0.33.1-feature.vcdm2.4+9f634bdb",
+    "@sphereon/ssi-sdk.credential-validation": "0.33.1-feature.vcdm2.4+9f634bdb",
+    "@sphereon/ssi-sdk.kv-store-temp": "0.33.1-feature.vcdm2.4+9f634bdb",
+    "@sphereon/ssi-sdk.mdl-mdoc": "0.33.1-feature.vcdm2.4+9f634bdb",
+    "@sphereon/ssi-sdk.pd-manager": "0.33.1-feature.vcdm2.4+9f634bdb",
+    "@sphereon/ssi-sdk.presentation-exchange": "0.33.1-feature.vcdm2.4+9f634bdb",
+    "@sphereon/ssi-sdk.sd-jwt": "0.33.1-feature.vcdm2.4+9f634bdb",
+    "@sphereon/ssi-sdk.siopv2-oid4vp-common": "0.33.1-feature.vcdm2.4+9f634bdb",
+    "@sphereon/ssi-types": "0.33.1-feature.vcdm2.4+9f634bdb",
     "@sphereon/wellknown-dids-client": "^0.1.3",
     "@veramo/core": "4.2.0",
     "@veramo/credential-w3c": "4.2.0",
     "cross-fetch": "^3.1.8",
+    "dcql": "0.2.19",
     "uuid": "^9.0.1"
   },
   "devDependencies": {
@@ -73,5 +74,5 @@
     "Authenticator"
   ],
   "nx": {},
-  "gitHead": "3b988a2bb62a7c4534a2670ea3a0985fd93d00f2"
+  "gitHead": "9f634bdb714061141e277508c124b08d626f6036"
 }

package/src/agent/SIOPv2RP.ts

@@ -7,8 +7,20 @@ import {
   VerifiedAuthorizationResponse,
 } from '@sphereon/did-auth-siop'
 import { getAgentResolver } from '@sphereon/ssi-sdk-ext.did-utils'
-import { AdditionalClaims, CredentialMapper, Hasher, ICredentialSubject, IVerifiableCredential } from '@sphereon/ssi-types'
-import { OriginalVerifiablePresentation } from '@sphereon/ssi-types'
+import {
+  AdditionalClaims,
+  CredentialMapper,
+  HasherSync,
+  ICredentialSubject,
+  IPresentation,
+  IVerifiableCredential,
+  IVerifiablePresentation,
+  JwtDecodedVerifiablePresentation,
+  MdocDeviceResponse,
+  MdocOid4vpMdocVpToken,
+  OriginalVerifiablePresentation,
+  SdJwtDecodedVerifiableCredential,
+} from '@sphereon/ssi-types'
 import { IAgentPlugin } from '@veramo/core'
 import {
   AuthorizationResponseStateWithVerifiedData,
@@ -33,6 +45,7 @@ import { RPInstance } from '../RPInstance'
 
 import { ISIOPv2RP } from '../types/ISIOPv2RP'
 import { shaHasher as defaultHasher } from '@sphereon/ssi-sdk.core'
+import { DcqlQuery } from 'dcql'
 
 export class SIOPv2RP implements IAgentPlugin {
   private readonly opts: ISiopv2RPOpts
@@ -117,7 +130,7 @@ export class SIOPv2RP implements IAgentPlugin {
       args.includeVerifiedData &&
       args.includeVerifiedData !== VerifiedDataMode.NONE
     ) {
-      let hasher: Hasher | undefined
+      let hasher: HasherSync | undefined
       if (
         CredentialMapper.isSdJwtEncoded(responseState.response.payload.vp_token as OriginalVerifiablePresentation) &&
         (!rpInstance.rpOptions.credentialOpts?.hasher || typeof rpInstance.rpOptions.credentialOpts?.hasher !== 'function')
@@ -130,14 +143,13 @@ export class SIOPv2RP implements IAgentPlugin {
         //todo: later we want to conditionally pass in options for mdl-mdoc here
         hasher,
       )
-      const presentation = CredentialMapper.toUniformPresentation(presentationDecoded as OriginalVerifiablePresentation)
       switch (args.includeVerifiedData) {
         case VerifiedDataMode.VERIFIED_PRESENTATION:
-          responseState.response.payload.verifiedData = presentation
+          responseState.response.payload.verifiedData = this.presentationOrClaimsFrom(presentationDecoded)
           break
-        case VerifiedDataMode.CREDENTIAL_SUBJECT_FLATTENED:
+        case VerifiedDataMode.CREDENTIAL_SUBJECT_FLATTENED: // TODO debug cs-flat for SD-JWT
           const allClaims: AdditionalClaims = {}
-          for (const credential of presentation.verifiableCredential || []) {
+          for (const credential of this.presentationOrClaimsFrom(presentationDecoded).verifiableCredential || []) {
             const vc = credential as IVerifiableCredential
             const schemaValidationResult = await context.agent.cvVerifySchema({
               credential,
@@ -168,6 +180,18 @@ export class SIOPv2RP implements IAgentPlugin {
     return responseState
   }
 
+  private presentationOrClaimsFrom = (
+    presentationDecoded:
+      | JwtDecodedVerifiablePresentation
+      | IVerifiablePresentation
+      | SdJwtDecodedVerifiableCredential
+      | MdocOid4vpMdocVpToken
+      | MdocDeviceResponse,
+  ): AdditionalClaims | IPresentation =>
+    CredentialMapper.isSdJwtDecodedCredential(presentationDecoded)
+      ? presentationDecoded.decodedPayload
+      : CredentialMapper.toUniformPresentation(presentationDecoded as OriginalVerifiablePresentation)
+
   private async siopUpdateRequestState(args: IUpdateRequestStateArgs, context: IRequiredContext): Promise<AuthorizationRequestState> {
     if (args.state !== 'sent') {
       throw Error(`Only 'sent' status is supported for this method at this point`)
@@ -203,7 +227,8 @@ export class SIOPv2RP implements IAgentPlugin {
       rp.get(context).then((rp) =>
         rp.verifyAuthorizationResponse(authResponse, {
           correlationId: args.correlationId,
-          presentationDefinitions: args.presentationDefinitions,
+          ...(args.presentationDefinitions && !args.dcqlQuery ? { presentationDefinitions: args.presentationDefinitions } : {}),
+          ...(args.dcqlQuery ? { dcqlQuery: args.dcqlQuery as DcqlQuery } : {}), // TODO BEFORE PR, check compatibility and whether we can remove local type
           audience: args.audience,
         }),
       ),
@@ -213,15 +238,17 @@ export class SIOPv2RP implements IAgentPlugin {
   private async siopImportDefinitions(args: ImportDefinitionsArgs, context: IRequiredContext): Promise<void> {
     const { definitions, tenantId, version, versionControlMode } = args
     await Promise.all(
-      definitions.map(async (definition) => {
-        await context.agent.pexValidateDefinition({ definition: definition })
+      definitions.map(async (definitionPair) => {
+        const definitionPayload = definitionPair.definitionPayload
+        await context.agent.pexValidateDefinition({ definition: definitionPayload })
 
-        console.log(`persisting definition ${definition.id} / ${definition.name} with versionControlMode ${versionControlMode}`)
+        console.log(`persisting definition ${definitionPayload.id} / ${definitionPayload.name} with versionControlMode ${versionControlMode}`)
         return context.agent.pdmPersistDefinition({
           definitionItem: {
             tenantId: tenantId,
             version: version,
-            definitionPayload: definition,
+            definitionPayload,
+            dcqlPayload: definitionPair.dcqlPayload,
           },
           opts: { versionControlMode: versionControlMode },
         })

package/src/functions.ts

@@ -16,10 +16,11 @@ import {
   SupportedVersion,
   VerifyJwtCallback,
 } from '@sphereon/did-auth-siop'
-import { CreateJwtCallback, JwtHeader, JwtIssuer, JwtPayload } from '@sphereon/oid4vc-common'
+import { CreateJwtCallback, JwtHeader, JwtIssuer, JwtPayload, SigningAlgo } from '@sphereon/oid4vc-common'
 import { IPresentationDefinition } from '@sphereon/pex'
 import { getAgentDIDMethods, getAgentResolver } from '@sphereon/ssi-sdk-ext.did-utils'
 import {
+  isExternalIdentifierOIDFEntityIdOpts,
   isManagedIdentifierDidOpts,
   isManagedIdentifierDidResult,
   isManagedIdentifierX5cOpts,
@@ -27,17 +28,16 @@ import {
 } from '@sphereon/ssi-sdk-ext.identifier-resolution'
 import { JwtCompactResult } from '@sphereon/ssi-sdk-ext.jwt-service'
 import { IVerifySdJwtPresentationResult } from '@sphereon/ssi-sdk.sd-jwt'
-import { SigningAlgo } from '@sphereon/oid4vc-common'
 import { CredentialMapper, Hasher, OriginalVerifiableCredential, PresentationSubmission } from '@sphereon/ssi-types'
 import { IVerifyCallbackArgs, IVerifyCredentialResult, VerifyCallback } from '@sphereon/wellknown-dids-client'
 // import { KeyAlgo, SuppliedSigner } from '@sphereon/ssi-sdk.core'
 import { TKeyType } from '@veramo/core'
-import { createHash } from 'crypto'
 import { JWTVerifyOptions } from 'did-jwt'
 import { Resolvable } from 'did-resolver'
 import { EventEmitter } from 'events'
 import { IPEXOptions, IRequiredContext, IRPOptions, ISIOPIdentifierOptions } from './types/ISIOPv2RP'
-import { isExternalIdentifierOIDFEntityIdOpts } from '@sphereon/ssi-sdk-ext.identifier-resolution'
+import { DcqlQuery } from 'dcql'
+import { defaultHasher } from '@sphereon/ssi-sdk.core'
 
 export function getRequestVersion(rpOptions: IRPOptions): SupportedVersion {
   if (Array.isArray(rpOptions.supportedVersions) && rpOptions.supportedVersions.length > 0) {
@@ -80,14 +80,14 @@ export function getPresentationVerificationCallback(
       if (context.agent.mdocOid4vpRPVerify === undefined) {
         return Promise.reject('ImDLMdoc agent plugin must be enabled to support MsoMdoc types')
       }
-      if (!presentationSubmission) {
-        return Promise.reject('No presentationSubmission present')
+      if (presentationSubmission !== undefined && presentationSubmission !== null) {
+        const verifyResult = await context.agent.mdocOid4vpRPVerify({
+          vp_token: args,
+          presentation_submission: presentationSubmission,
+        })
+        return { verified: !verifyResult.error }
       }
-      const verifyResult = await context.agent.mdocOid4vpRPVerify({
-        vp_token: args,
-        presentation_submission: presentationSubmission,
-      })
-      return { verified: !verifyResult.error }
+      throw Error(`mdocOid4vpRPVerify(...) method requires a presentation submission`)
     }
 
     const result = await context.agent.verifyPresentation({
@@ -105,11 +105,13 @@ export async function createRPBuilder(args: {
   rpOpts: IRPOptions
   pexOpts?: IPEXOptions | undefined
   definition?: IPresentationDefinition
+  dcql?: DcqlQuery
   context: IRequiredContext
 }): Promise<RPBuilder> {
   const { rpOpts, pexOpts, context } = args
   const { identifierOpts } = rpOpts
   let definition: IPresentationDefinition | undefined = args.definition
+  let dcqlQuery: DcqlQuery | undefined = args.dcql
 
   if (!definition && pexOpts && pexOpts.definitionId) {
     const presentationDefinitionItems = await context.agent.pdmGetDefinitions({
@@ -122,7 +124,13 @@ export async function createRPBuilder(args: {
       ],
     })
 
-    definition = presentationDefinitionItems.length > 0 ? presentationDefinitionItems[0].definitionPayload : undefined
+    if (presentationDefinitionItems.length > 0) {
+      const presentationDefinitionItem = presentationDefinitionItems[0]
+      definition = presentationDefinitionItem.definitionPayload
+      if (!dcqlQuery && presentationDefinitionItem.dcqlPayload) {
+        dcqlQuery = presentationDefinitionItem.dcqlPayload as DcqlQuery // cast from DcqlQueryREST back to valibot DcqlQuery
+      }
+    }
   }
 
   const didMethods = identifierOpts.supportedDIDMethods ?? (await getAgentDIDMethods(context))
@@ -155,7 +163,7 @@ export async function createRPBuilder(args: {
   //todo: probably wise to first look and see if we actually need the hasher to begin with
   let hasher: Hasher | undefined = rpOpts.credentialOpts?.hasher
   if (!rpOpts.credentialOpts?.hasher || typeof rpOpts.credentialOpts?.hasher !== 'function') {
-    hasher = (data, algorithm) => createHash(algorithm).update(data).digest()
+    hasher = defaultHasher
   }
 
   const builder = RP.builder({ requestVersion: getRequestVersion(rpOpts) })
@@ -217,6 +225,9 @@ export async function createRPBuilder(args: {
   if (definition) {
     builder.withPresentationDefinition({ definition }, PropertyTarget.REQUEST_OBJECT)
   }
+  if (dcqlQuery) {
+    builder.withDcqlQuery(dcqlQuery)
+  }
 
   if (rpOpts.responseRedirectUri) {
     builder.withResponseRedirectUri(rpOpts.responseRedirectUri)

package/src/types/ISIOPv2RP.ts

@@ -1,13 +1,10 @@
-import { ClientMetadataOpts, VerifyJwtCallback } from '@sphereon/did-auth-siop'
-import { IIdentifierResolution, ManagedIdentifierOptsOrResult } from '@sphereon/ssi-sdk-ext.identifier-resolution'
-import { IAgentContext, ICredentialIssuer, ICredentialVerifier, IDIDManager, IKeyManager, IPluginMethodMap, IResolver } from '@veramo/core'
-import { AdditionalClaims, Hasher, W3CVerifiablePresentation } from '@sphereon/ssi-types'
 import {
   AuthorizationRequestPayload,
   AuthorizationRequestState,
   AuthorizationResponsePayload,
   AuthorizationResponseState,
   ClaimPayloadCommonOpts,
+  ClientMetadataOpts,
   IRPSessionManager,
   PresentationDefinitionWithLocation,
   PresentationVerificationCallback,
@@ -17,10 +14,12 @@ import {
   SupportedVersion,
   VerifiablePresentationTypeFormat,
   VerifiedAuthorizationResponse,
+  VerifyJwtCallback,
   VPTokenLocation,
 } from '@sphereon/did-auth-siop'
-
-import { ExternalIdentifierOIDFEntityIdOpts } from '@sphereon/ssi-sdk-ext.identifier-resolution'
+import { ExternalIdentifierOIDFEntityIdOpts, IIdentifierResolution, ManagedIdentifierOptsOrResult } from '@sphereon/ssi-sdk-ext.identifier-resolution'
+import { IAgentContext, ICredentialIssuer, ICredentialVerifier, IDIDManager, IKeyManager, IPluginMethodMap, IResolver } from '@veramo/core'
+import { AdditionalClaims, DcqlQueryREST, HasherSync, W3CVerifiablePresentation } from '@sphereon/ssi-types'
 
 import { Resolvable } from 'did-resolver'
 import { DIDDocument } from '@sphereon/did-uni-client'
@@ -112,10 +111,16 @@ export interface IVerifyAuthResponseStateArgs {
   correlationId: string
   audience?: string
   presentationDefinitions?: PresentationDefinitionWithLocation | PresentationDefinitionWithLocation[]
+  dcqlQuery?: DcqlQueryREST
+}
+
+export interface IDefinitionPair {
+  definitionPayload: IPresentationDefinition
+  dcqlPayload?: DcqlQueryREST
 }
 
 export interface ImportDefinitionsArgs {
-  definitions: Array<IPresentationDefinition>
+  definitions: Array<IDefinitionPair>
   tenantId?: string
   version?: string
   versionControlMode?: VersionControlMode
@@ -202,7 +207,7 @@ export interface ISIOPIdentifierOptions extends Omit<IDIDOptions, 'idOpts'> {
 
 // todo make the necessary changes for mdl-mdoc types
 export type CredentialOpts = {
-  hasher?: Hasher
+  hasher?: HasherSync
 }
 
 export interface AuthorizationResponseStateWithVerifiedData extends AuthorizationResponseState {