@sphereon/ssi-sdk.vc-status-list 0.32.1-next.13 → 0.32.1-next.145

package/src/impl/StatusList2021.ts

@@ -0,0 +1,223 @@
+import { IAgentContext, ICredentialPlugin, ProofFormat as VeramoProofFormat } from '@veramo/core'
+import { IIdentifierResolution } from '@sphereon/ssi-sdk-ext.identifier-resolution'
+import { CredentialMapper, DocumentFormat, IIssuer, ProofFormat, StatusListCredential, StatusListType } from '@sphereon/ssi-types'
+
+import { StatusList } from '@sphereon/vc-status-list'
+import { IStatusList } from './IStatusList'
+import {
+  CheckStatusIndexArgs,
+  CreateStatusListArgs,
+  Status2021,
+  StatusListResult,
+  ToStatusListDetailsArgs,
+  UpdateStatusListFromEncodedListArgs,
+  UpdateStatusListIndexArgs,
+} from '../types'
+import { assertValidProofType, getAssertedProperty, getAssertedValue, getAssertedValues } from '../utils'
+
+export const DEFAULT_LIST_LENGTH = 250000
+export const DEFAULT_PROOF_FORMAT = 'lds' as VeramoProofFormat
+
+export class StatusList2021Implementation implements IStatusList {
+  async createNewStatusList(
+    args: CreateStatusListArgs,
+    context: IAgentContext<ICredentialPlugin & IIdentifierResolution>,
+  ): Promise<StatusListResult> {
+    const length = args?.length ?? DEFAULT_LIST_LENGTH
+    const proofFormat: ProofFormat = args?.proofFormat ?? DEFAULT_PROOF_FORMAT
+    assertValidProofType(StatusListType.StatusList2021, proofFormat)
+    const veramoProofFormat: VeramoProofFormat = proofFormat as VeramoProofFormat
+
+    const { issuer, id } = args
+    const correlationId = getAssertedValue('correlationId', args.correlationId)
+
+    const list = new StatusList({ length })
+    const encodedList = await list.encode()
+    const statusPurpose = 'revocation'
+
+    const statusListCredential = await this.createVerifiableCredential(
+      {
+        ...args,
+        encodedList,
+        proofFormat: veramoProofFormat,
+      },
+      context,
+    )
+
+    return {
+      encodedList,
+      statusListCredential: statusListCredential,
+      statusList2021: {
+        statusPurpose,
+        indexingDirection: 'rightToLeft',
+      },
+      length,
+      type: StatusListType.StatusList2021,
+      proofFormat,
+      id,
+      correlationId,
+      issuer,
+    }
+  }
+
+  async updateStatusListIndex(
+    args: UpdateStatusListIndexArgs,
+    context: IAgentContext<ICredentialPlugin & IIdentifierResolution>,
+  ): Promise<StatusListResult> {
+    const credential = args.statusListCredential
+    const uniform = CredentialMapper.toUniformCredential(credential)
+    const { issuer, credentialSubject } = uniform
+    const id = getAssertedValue('id', uniform.id)
+    const origEncodedList = getAssertedProperty('encodedList', credentialSubject)
+
+    const index = typeof args.statusListIndex === 'number' ? args.statusListIndex : parseInt(args.statusListIndex)
+    const statusList = await StatusList.decode({ encodedList: origEncodedList })
+    statusList.setStatus(index, args.value != 0)
+    const encodedList = await statusList.encode()
+
+    const updatedCredential = await this.createVerifiableCredential(
+      {
+        ...args,
+        id,
+        issuer,
+        encodedList,
+        proofFormat: CredentialMapper.detectDocumentType(credential) === DocumentFormat.JWT ? 'jwt' : 'lds',
+      },
+      context,
+    )
+
+    return {
+      statusListCredential: updatedCredential,
+      encodedList,
+      statusList2021: {
+        ...('statusPurpose' in credentialSubject ? { statusPurpose: credentialSubject.statusPurpose } : {}),
+        indexingDirection: 'rightToLeft',
+      },
+      length: statusList.length - 1,
+      type: StatusListType.StatusList2021,
+      proofFormat: CredentialMapper.detectDocumentType(credential) === DocumentFormat.JWT ? 'jwt' : 'lds',
+      id,
+      issuer,
+    }
+  }
+
+  async updateStatusListFromEncodedList(
+    args: UpdateStatusListFromEncodedListArgs,
+    context: IAgentContext<ICredentialPlugin & IIdentifierResolution>,
+  ): Promise<StatusListResult> {
+    if (!args.statusList2021) {
+      throw new Error('statusList2021 options required for type StatusList2021')
+    }
+    const proofFormat: ProofFormat = args?.proofFormat ?? DEFAULT_PROOF_FORMAT
+    assertValidProofType(StatusListType.StatusList2021, proofFormat)
+    const veramoProofFormat: VeramoProofFormat = proofFormat as VeramoProofFormat
+
+    const { issuer, id } = getAssertedValues(args)
+    const statusList = await StatusList.decode({ encodedList: args.encodedList })
+    const index = typeof args.statusListIndex === 'number' ? args.statusListIndex : parseInt(args.statusListIndex)
+    statusList.setStatus(index, args.value)
+
+    const newEncodedList = await statusList.encode()
+    const credential = await this.createVerifiableCredential(
+      {
+        id,
+        issuer,
+        encodedList: newEncodedList,
+        proofFormat: veramoProofFormat,
+        keyRef: args.keyRef,
+      },
+      context,
+    )
+
+    return {
+      type: StatusListType.StatusList2021,
+      statusListCredential: credential,
+      encodedList: newEncodedList,
+      statusList2021: {
+        statusPurpose: args.statusList2021.statusPurpose,
+        indexingDirection: 'rightToLeft',
+      },
+      length: statusList.length,
+      proofFormat: args.proofFormat ?? 'lds',
+      id: id,
+      issuer: issuer,
+    }
+  }
+
+  async checkStatusIndex(args: CheckStatusIndexArgs): Promise<number | Status2021> {
+    const uniform = CredentialMapper.toUniformCredential(args.statusListCredential)
+    const { credentialSubject } = uniform
+    const encodedList = getAssertedProperty('encodedList', credentialSubject)
+
+    const statusList = await StatusList.decode({ encodedList })
+    const status = statusList.getStatus(typeof args.statusListIndex === 'number' ? args.statusListIndex : parseInt(args.statusListIndex))
+    return status ? Status2021.Invalid : Status2021.Valid
+  }
+
+  async toStatusListDetails(args: ToStatusListDetailsArgs): Promise<StatusListResult> {
+    const { statusListPayload } = args
+    const uniform = CredentialMapper.toUniformCredential(statusListPayload)
+    const { issuer, credentialSubject } = uniform
+    const id = getAssertedValue('id', uniform.id)
+    const encodedList = getAssertedProperty('encodedList', credentialSubject)
+    const proofFormat: ProofFormat = CredentialMapper.detectDocumentType(statusListPayload) === DocumentFormat.JWT ? 'jwt' : 'lds'
+
+    const statusPurpose = getAssertedProperty('statusPurpose', credentialSubject)
+    const list = await StatusList.decode({ encodedList })
+
+    return {
+      id,
+      encodedList,
+      issuer,
+      type: StatusListType.StatusList2021,
+      proofFormat,
+      length: list.length,
+      statusListCredential: statusListPayload,
+      statusList2021: {
+        indexingDirection: 'rightToLeft',
+        statusPurpose,
+      },
+      ...(args.correlationId && { correlationId: args.correlationId }),
+      ...(args.driverType && { driverType: args.driverType }),
+    }
+  }
+
+  private async createVerifiableCredential(
+    args: {
+      id: string
+      issuer: string | IIssuer
+      encodedList: string
+      proofFormat: VeramoProofFormat
+      keyRef?: string
+    },
+    context: IAgentContext<ICredentialPlugin & IIdentifierResolution>,
+  ): Promise<StatusListCredential> {
+    const identifier = await context.agent.identifierManagedGet({
+      identifier: typeof args.issuer === 'string' ? args.issuer : args.issuer.id,
+      vmRelationship: 'assertionMethod',
+      offlineWhenNoDIDRegistered: true,
+    })
+
+    const credential = {
+      '@context': ['https://www.w3.org/2018/credentials/v1', 'https://w3id.org/vc/status-list/2021/v1'],
+      id: args.id,
+      issuer: args.issuer,
+      type: ['VerifiableCredential', 'StatusList2021Credential'],
+      credentialSubject: {
+        id: args.id,
+        type: 'StatusList2021',
+        statusPurpose: 'revocation',
+        encodedList: args.encodedList,
+      },
+    }
+
+    const verifiableCredential = await context.agent.createVerifiableCredential({
+      credential,
+      keyRef: args.keyRef ?? identifier.kmsKeyRef,
+      proofFormat: args.proofFormat,
+      fetchRemoteContexts: true,
+    })
+
+    return CredentialMapper.toWrappedVerifiableCredential(verifiableCredential as StatusListCredential).original as StatusListCredential
+  }
+}

package/src/impl/StatusListFactory.ts

@@ -0,0 +1,34 @@
+import { IStatusList } from './IStatusList'
+import { StatusList2021Implementation } from './StatusList2021'
+import { OAuthStatusListImplementation } from './OAuthStatusList'
+import { StatusListType } from '@sphereon/ssi-types'
+
+export class StatusListFactory {
+  private static instance: StatusListFactory
+  private implementations: Map<StatusListType, IStatusList>
+
+  private constructor() {
+    this.implementations = new Map()
+    this.implementations.set(StatusListType.StatusList2021, new StatusList2021Implementation())
+    this.implementations.set(StatusListType.OAuthStatusList, new OAuthStatusListImplementation())
+  }
+
+  public static getInstance(): StatusListFactory {
+    if (!StatusListFactory.instance) {
+      StatusListFactory.instance = new StatusListFactory()
+    }
+    return StatusListFactory.instance
+  }
+
+  public getByType(type: StatusListType): IStatusList {
+    const statusList = this.implementations.get(type)
+    if (!statusList) {
+      throw new Error(`No implementation found for status list type: ${type}`)
+    }
+    return statusList
+  }
+}
+
+export function getStatusListImplementation(type: StatusListType): IStatusList {
+  return StatusListFactory.getInstance().getByType(type)
+}

package/src/impl/encoding/cbor.ts

@@ -0,0 +1,171 @@
+import { StatusList } from '@sd-jwt/jwt-status-list'
+import { deflate, inflate } from 'pako'
+import { com, kotlin } from '@sphereon/kmp-cbor'
+import base64url from 'base64url'
+import { IRequiredContext, SignedStatusListData } from '../../types'
+import { DecodedStatusListPayload, resolveIdentifier } from './common'
+import { BitsPerStatus } from '@sd-jwt/jwt-status-list/dist'
+
+const cbor = com.sphereon.cbor
+const kmp = com.sphereon.kmp
+const decompressRawStatusList = (StatusList as any).decodeStatusList.bind(StatusList)
+
+const CWT_CLAIMS = {
+  SUBJECT: 2,
+  ISSUER: 1,
+  ISSUED_AT: 6,
+  EXPIRATION: 4,
+  TIME_TO_LIVE: 65534,
+  STATUS_LIST: 65533,
+} as const
+
+export const createSignedCbor = async (
+  context: IRequiredContext,
+  statusList: StatusList,
+  issuerString: string,
+  id: string,
+  expiresAt?: Date,
+  keyRef?: string,
+): Promise<SignedStatusListData> => {
+  const identifier = await resolveIdentifier(context, issuerString, keyRef)
+
+  const encodeStatusList = statusList.encodeStatusList()
+  const compressedList = deflate(encodeStatusList, { level: 9 })
+  const compressedBytes = new Int8Array(compressedList)
+
+  const statusListMap = new cbor.CborMap(
+    kotlin.collections.KtMutableMap.fromJsMap(
+      new Map<com.sphereon.cbor.CborString, com.sphereon.cbor.CborItem<any>>([
+        [new cbor.CborString('bits'), new cbor.CborUInt(kmp.LongKMP.fromNumber(statusList.getBitsPerStatus()))],
+        [new cbor.CborString('lst'), new cbor.CborByteString(compressedBytes)],
+      ]),
+    ),
+  )
+
+  const protectedHeader = new cbor.CborMap(
+    kotlin.collections.KtMutableMap.fromJsMap(
+      new Map([[new cbor.CborUInt(kmp.LongKMP.fromNumber(16)), new cbor.CborString('statuslist+cwt')]]), // "type"
+    ),
+  )
+  const protectedHeaderEncoded = cbor.Cbor.encode(protectedHeader)
+  const claimsMap = buildClaimsMap(id, issuerString, statusListMap, expiresAt)
+  const claimsEncoded: Int8Array = cbor.Cbor.encode(claimsMap)
+
+  const signedCWT: string = await context.agent.keyManagerSign({
+    keyRef: identifier.kmsKeyRef,
+    data: base64url.encode(Buffer.from(claimsEncoded)), // TODO test on RN
+    encoding: undefined,
+  })
+
+  const protectedHeaderEncodedInt8 = new Int8Array(protectedHeaderEncoded)
+  const claimsEncodedInt8 = new Int8Array(claimsEncoded)
+  const signatureBytes = base64url.decode(signedCWT)
+  const signatureInt8 = new Int8Array(Buffer.from(signatureBytes))
+
+  const cwtArrayElements: Array<com.sphereon.cbor.CborItem<any>> = [
+    new cbor.CborByteString(protectedHeaderEncodedInt8),
+    new cbor.CborByteString(claimsEncodedInt8),
+    new cbor.CborByteString(signatureInt8),
+  ]
+  const cwtArray = new cbor.CborArray(kotlin.collections.KtMutableList.fromJsArray(cwtArrayElements))
+  const cwtEncoded = cbor.Cbor.encode(cwtArray)
+  const cwtBuffer = Buffer.from(cwtEncoded)
+  return {
+    statusListCredential: base64url.encode(cwtBuffer),
+    encodedList: base64url.encode(compressedList as Buffer), // JS in @sd-jwt/jwt-status-list drops it in like this, so keep the same method
+  }
+}
+
+function buildClaimsMap(
+  id: string,
+  issuerString: string,
+  statusListMap: com.sphereon.cbor.CborMap<com.sphereon.cbor.CborString, com.sphereon.cbor.CborItem<any>>,
+  expiresAt?: Date,
+) {
+  const ttl = 65535 // FIXME figure out what value should be / come from and what the difference is with exp
+  const claimsEntries: Array<[com.sphereon.cbor.CborUInt, com.sphereon.cbor.CborItem<any>]> = [
+    [new cbor.CborUInt(kmp.LongKMP.fromNumber(CWT_CLAIMS.SUBJECT)), new cbor.CborString(id)], // "sub"
+    [new cbor.CborUInt(kmp.LongKMP.fromNumber(CWT_CLAIMS.ISSUER)), new cbor.CborString(issuerString)], // "iss"
+    [
+      new cbor.CborUInt(kmp.LongKMP.fromNumber(CWT_CLAIMS.ISSUED_AT)),
+      new cbor.CborUInt(kmp.LongKMP.fromNumber(Math.floor(Date.now() / 1000))), // "iat"
+    ],
+  ]
+
+  if (expiresAt) {
+    claimsEntries.push([
+      new cbor.CborUInt(kmp.LongKMP.fromNumber(CWT_CLAIMS.EXPIRATION)),
+      new cbor.CborUInt(kmp.LongKMP.fromNumber(Math.floor(expiresAt.getTime() / 1000))), // "exp"
+    ])
+  }
+
+  if (ttl) {
+    claimsEntries.push([
+      new cbor.CborUInt(kmp.LongKMP.fromNumber(CWT_CLAIMS.TIME_TO_LIVE)),
+      new cbor.CborUInt(kmp.LongKMP.fromNumber(ttl)), // "time to live"
+    ])
+  }
+
+  claimsEntries.push([new cbor.CborUInt(kmp.LongKMP.fromNumber(CWT_CLAIMS.STATUS_LIST)), statusListMap])
+
+  const claimsMap = new cbor.CborMap(kotlin.collections.KtMutableMap.fromJsMap(new Map(claimsEntries)))
+  return claimsMap
+}
+
+const getCborValueFromMap = <T>(map: Map<com.sphereon.cbor.CborItem<any>, com.sphereon.cbor.CborItem<any>>, key: number): T => {
+  const value = getCborOptionalValueFromMap<T>(map, key)
+  if (value === undefined) {
+    throw new Error(`Required claim ${key} not found`)
+  }
+  return value
+}
+
+const getCborOptionalValueFromMap = <T>(
+  map: Map<com.sphereon.cbor.CborItem<any>, com.sphereon.cbor.CborItem<any>>,
+  key: number,
+): T | undefined | never => {
+  const value = map.get(new com.sphereon.cbor.CborUInt(kmp.LongKMP.fromNumber(key)))
+  if (!value) {
+    return undefined
+  }
+  return value.value as T
+}
+
+export const decodeStatusListCWT = (cwt: string): DecodedStatusListPayload => {
+  const encodedCbor = base64url.toBuffer(cwt)
+  const encodedCborArray = new Int8Array(encodedCbor)
+  const decodedCbor = com.sphereon.cbor.Cbor.decode(encodedCborArray)
+
+  if (!(decodedCbor instanceof com.sphereon.cbor.CborArray)) {
+    throw new Error('Invalid CWT format: Expected a CBOR array')
+  }
+
+  const [, payload] = decodedCbor.value.asJsArrayView()
+  if (!(payload instanceof com.sphereon.cbor.CborByteString)) {
+    throw new Error('Invalid payload format: Expected a CBOR ByteString')
+  }
+
+  const claims = com.sphereon.cbor.Cbor.decode(payload.value)
+  if (!(claims instanceof com.sphereon.cbor.CborMap)) {
+    throw new Error('Invalid claims format: Expected a CBOR map')
+  }
+
+  const claimsMap = claims.value.asJsMapView()
+
+  const statusListMap = claimsMap.get(new com.sphereon.cbor.CborUInt(kmp.LongKMP.fromNumber(65533))).value.asJsMapView()
+
+  const bits = Number(statusListMap.get(new com.sphereon.cbor.CborString('bits')).value) as BitsPerStatus
+  const decoded = new Uint8Array(statusListMap.get(new com.sphereon.cbor.CborString('lst')).value)
+  const uint8Array = inflate(decoded)
+  const rawStatusList = decompressRawStatusList(uint8Array, bits)
+  const statusList = new StatusList(rawStatusList, bits)
+
+  return {
+    issuer: getCborValueFromMap<string>(claimsMap, CWT_CLAIMS.ISSUER),
+    id: getCborValueFromMap<string>(claimsMap, CWT_CLAIMS.SUBJECT),
+    statusList,
+    iat: Number(getCborValueFromMap<number>(claimsMap, CWT_CLAIMS.ISSUED_AT)),
+    exp: getCborOptionalValueFromMap<number>(claimsMap, CWT_CLAIMS.EXPIRATION),
+    ttl: getCborOptionalValueFromMap<number>(claimsMap, CWT_CLAIMS.TIME_TO_LIVE),
+  }
+}

package/src/impl/encoding/common.ts

@@ -0,0 +1,25 @@
+import { IRequiredContext } from '../../types'
+import { StatusList } from '@sd-jwt/jwt-status-list'
+
+export interface DecodedStatusListPayload {
+  issuer: string
+  id: string
+  statusList: StatusList
+  exp?: number
+  ttl?: number
+  iat: number
+}
+
+export const resolveIdentifier = async (context: IRequiredContext, issuer: string, keyRef?: string) => {
+  if (keyRef) {
+    return await context.agent.identifierManagedGetByKid({
+      identifier: keyRef,
+    })
+  }
+
+  return await context.agent.identifierManagedGet({
+    identifier: issuer,
+    vmRelationship: 'assertionMethod',
+    offlineWhenNoDIDRegistered: true,
+  })
+}

package/src/impl/encoding/jwt.ts

@@ -0,0 +1,80 @@
+import { CompactJWT, JoseSignatureAlgorithm } from '@sphereon/ssi-types'
+import { createHeaderAndPayload, StatusList, StatusListJWTHeaderParameters, StatusListJWTPayload } from '@sd-jwt/jwt-status-list'
+import base64url from 'base64url'
+import { JWTPayload } from 'did-jwt'
+import { IRequiredContext, SignedStatusListData } from '../../types'
+import { DecodedStatusListPayload, resolveIdentifier } from './common'
+import { TKeyType } from '@veramo/core'
+import { ensureManagedIdentifierResult } from '@sphereon/ssi-sdk-ext.identifier-resolution'
+
+const STATUS_LIST_JWT_TYP = 'statuslist+jwt'
+
+export const createSignedJwt = async (
+  context: IRequiredContext,
+  statusList: StatusList,
+  issuerString: string,
+  id: string,
+  expiresAt?: Date,
+  keyRef?: string,
+): Promise<SignedStatusListData> => {
+  const identifier = await resolveIdentifier(context, issuerString, keyRef)
+  const resolution = await ensureManagedIdentifierResult(identifier, context)
+
+  const payload: JWTPayload = {
+    iss: issuerString,
+    sub: id,
+    iat: Math.floor(Date.now() / 1000),
+    ...(expiresAt && { exp: Math.floor(expiresAt.getTime() / 1000) }),
+  }
+
+  const header: StatusListJWTHeaderParameters = {
+    alg: getSigningAlgo(resolution.key.type),
+    typ: STATUS_LIST_JWT_TYP,
+  }
+  const values = createHeaderAndPayload(statusList, payload, header)
+  const signedJwt = await context.agent.jwtCreateJwsCompactSignature({
+    issuer: { ...identifier, noIssPayloadUpdate: false },
+    protectedHeader: values.header,
+    payload: values.payload,
+  })
+
+  return {
+    statusListCredential: signedJwt.jwt,
+    encodedList: (values.payload as StatusListJWTPayload).status_list.lst,
+  }
+}
+
+export const decodeStatusListJWT = (jwt: CompactJWT): DecodedStatusListPayload => {
+  const [, payloadBase64] = jwt.split('.')
+  const payload = JSON.parse(base64url.decode(payloadBase64))
+
+  if (!payload.iss || !payload.sub || !payload.status_list) {
+    throw new Error('Missing required fields in JWT payload')
+  }
+
+  const statusList = StatusList.decompressStatusList(payload.status_list.lst, payload.status_list.bits)
+
+  return {
+    issuer: payload.iss,
+    id: payload.sub,
+    statusList,
+    exp: payload.exp,
+    ttl: payload.ttl,
+    iat: payload.iat,
+  }
+}
+
+export const getSigningAlgo = (type: TKeyType): JoseSignatureAlgorithm => {
+  switch (type) {
+    case 'Ed25519':
+      return JoseSignatureAlgorithm.EdDSA
+    case 'Secp256k1':
+      return JoseSignatureAlgorithm.ES256K
+    case 'Secp256r1':
+      return JoseSignatureAlgorithm.ES256
+    case 'RSA':
+      return JoseSignatureAlgorithm.RS256
+    default:
+      throw Error('Key type not yet supported')
+  }
+}