@sphereon/ssi-types 0.37.2-next.28 → 0.37.2-next.46

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@sphereon/ssi-types",
   "description": "SSI Common Types",
-  "version": "0.37.2-next.28+0fa1686a",
+  "version": "0.37.2-next.46+f19cac5e",
   "source": "./src/index.ts",
   "type": "module",
   "main": "./dist/index.cjs",
@@ -59,5 +59,5 @@
     "Verifiable Credentials",
     "DIDs"
   ],
-  "gitHead": "0fa1686a6609f7a0aed8bbc8c7594639071cf88b"
+  "gitHead": "f19cac5ecfea9c564f576bd4efbc5aa55de6f103"
 }

package/src/mapper/credential-mapper.ts

@@ -73,7 +73,7 @@ export class CredentialMapper {
    */
   static decodeVerifiablePresentation(
     presentation: OriginalVerifiablePresentation,
-    hasher?: HasherSync
+    hasher?: HasherSync,
   ): JwtDecodedVerifiablePresentation | IVerifiablePresentation | SdJwtDecodedVerifiableCredential | MdocOid4vpMdocVpToken | MdocDeviceResponse {
     if (CredentialMapper.isJwtEncoded(presentation)) {
       const payload = jwtDecode(presentation as string) as JwtDecodedVerifiablePresentation
@@ -116,8 +116,8 @@ export class CredentialMapper {
    */
   static decodeVerifiableCredential(
     credential: OriginalVerifiableCredential,
-    hasher?: HasherSync
-  ): JwtDecodedVerifiableCredential | IVerifiableCredential | SdJwtDecodedVerifiableCredential {
+    hasher?: HasherSync,
+  ): JwtDecodedVerifiableCredential | IVerifiableCredential | SdJwtDecodedVerifiableCredential | MdocDocument {
     if (CredentialMapper.isJwtEncoded(credential)) {
       const payload = jwtDecode(credential as string) as JwtDecodedVerifiableCredential
       const header = jwtDecode(credential as string, { header: true }) as Record<string, any>
@@ -138,6 +138,11 @@ export class CredentialMapper {
       return decodeSdJwtVc(credential, hasher ?? sha256)
     } else if (CredentialMapper.isSdJwtDecodedCredential(credential)) {
       return credential
+    } else if (CredentialMapper.isMsoMdocOid4VPEncoded(credential)) {
+      // ISO 18013-5/-7 mdoc IssuerSigned in base64url. Mirrors decodeVerifiablePresentation, which already handles mdoc.
+      return decodeMdocIssuerSigned(credential)
+    } else if (CredentialMapper.isMsoMdocDecodedCredential(credential)) {
+      return credential
     } else {
       return credential as IVerifiableCredential
     }
@@ -155,7 +160,7 @@ export class CredentialMapper {
    */
   static toWrappedVerifiablePresentation(
     originalPresentation: OriginalVerifiablePresentation,
-    opts?: { maxTimeSkewInMS?: number; hasher?: HasherSync }
+    opts?: { maxTimeSkewInMS?: number; hasher?: HasherSync },
   ): WrappedVerifiablePresentation {
     // MSO_MDOC
     if (CredentialMapper.isMsoMdocDecodedPresentation(originalPresentation) || CredentialMapper.isMsoMdocOid4VPEncoded(originalPresentation)) {
@@ -170,7 +175,7 @@ export class CredentialMapper {
       }
 
       const mdocCredentials = deviceResponse.documents?.map(
-        (doc) => CredentialMapper.toWrappedVerifiableCredential(doc, opts) as WrappedMdocCredential
+        (doc) => CredentialMapper.toWrappedVerifiableCredential(doc, opts) as WrappedMdocCredential,
       )
       if (!mdocCredentials || mdocCredentials.length === 0) {
         throw new Error('could not extract any mdoc credentials from mdoc device response')
@@ -210,7 +215,7 @@ export class CredentialMapper {
       typeof originalPresentation !== 'string' && CredentialMapper.hasJWTProofType(originalPresentation) ? proof?.jwt : originalPresentation
     if (!original) {
       throw Error(
-        'Could not determine original presentation, probably it was a converted JWT presentation, that is now missing the JWT value in the proof'
+        'Could not determine original presentation, probably it was a converted JWT presentation, that is now missing the JWT value in the proof',
       )
     }
     const decoded = CredentialMapper.decodeVerifiablePresentation(original) as IVerifiablePresentation | JwtDecodedVerifiablePresentation
@@ -238,7 +243,7 @@ export class CredentialMapper {
       ? []
       : (CredentialMapper.toWrappedVerifiableCredentials(
           vp.verifiableCredential ?? [] /*.map(value => value.original)*/,
-          opts
+          opts,
         ) as WrappedW3CVerifiableCredential[])
 
     const presentation = {
@@ -266,7 +271,7 @@ export class CredentialMapper {
    */
   static toWrappedVerifiableCredentials(
     verifiableCredentials: OriginalVerifiableCredential[],
-    opts?: { maxTimeSkewInMS?: number; hasher?: HasherSync }
+    opts?: { maxTimeSkewInMS?: number; hasher?: HasherSync },
   ): WrappedVerifiableCredential[] {
     return verifiableCredentials.map((vc) => CredentialMapper.toWrappedVerifiableCredential(vc, opts))
   }
@@ -282,7 +287,7 @@ export class CredentialMapper {
    */
   static toWrappedVerifiableCredential(
     verifiableCredential: OriginalVerifiableCredential,
-    opts?: { maxTimeSkewInMS?: number; hasher?: HasherSync }
+    opts?: { maxTimeSkewInMS?: number; hasher?: HasherSync },
   ): WrappedVerifiableCredential {
     // MSO_MDOC
     if (CredentialMapper.isMsoMdocDecodedCredential(verifiableCredential) || CredentialMapper.isMsoMdocOid4VPEncoded(verifiableCredential)) {
@@ -322,10 +327,10 @@ export class CredentialMapper {
 
     // If the VC is not an encoded/decoded SD-JWT, we assume it will be a W3C VC
     const proof = CredentialMapper.getFirstProof(verifiableCredential)
-    const original = CredentialMapper.hasJWTProofType(verifiableCredential) && proof ? proof.jwt ?? verifiableCredential : verifiableCredential
+    const original = CredentialMapper.hasJWTProofType(verifiableCredential) && proof ? (proof.jwt ?? verifiableCredential) : verifiableCredential
     if (!original) {
       throw Error(
-        'Could not determine original credential, probably it was a converted JWT credential, that is now missing the JWT value in the proof'
+        'Could not determine original credential, probably it was a converted JWT credential, that is now missing the JWT value in the proof',
       )
     }
     const decoded = CredentialMapper.decodeVerifiableCredential(original) as JwtDecodedVerifiableCredential | IVerifiableCredential
@@ -441,7 +446,7 @@ export class CredentialMapper {
   }
 
   public static isW3cPresentation(
-    presentation: UniformVerifiablePresentation | IPresentation | SdJwtDecodedVerifiableCredential | DeviceResponseCbor
+    presentation: UniformVerifiablePresentation | IPresentation | SdJwtDecodedVerifiableCredential | DeviceResponseCbor,
   ): presentation is IPresentation {
     return (
       typeof presentation === 'object' &&
@@ -451,7 +456,7 @@ export class CredentialMapper {
   }
 
   public static isSdJwtDecodedCredentialPayload(
-    credential: ICredential | SdJwtDecodedVerifiableCredentialPayload
+    credential: ICredential | SdJwtDecodedVerifiableCredentialPayload,
   ): credential is SdJwtDecodedVerifiableCredentialPayload {
     return typeof credential === 'object' && 'vct' in credential
   }
@@ -483,7 +488,7 @@ export class CredentialMapper {
   }
 
   public static isSdJwtDecodedCredential(
-    original: OriginalVerifiableCredential | OriginalVerifiablePresentation | ICredential | IPresentation
+    original: OriginalVerifiableCredential | OriginalVerifiablePresentation | ICredential | IPresentation,
   ): original is SdJwtDecodedVerifiableCredential {
     return (
       typeof original === 'object' &&
@@ -492,7 +497,7 @@ export class CredentialMapper {
   }
 
   public static isSdJwtVcdm2DecodedCredential(
-    original: OriginalVerifiableCredential | OriginalVerifiablePresentation | ICredential | IPresentation
+    original: OriginalVerifiableCredential | OriginalVerifiablePresentation | ICredential | IPresentation,
   ): original is SdJwtDecodedVerifiableCredential {
     if (typeof original !== 'object') {
       return false
@@ -502,7 +507,7 @@ export class CredentialMapper {
   }
 
   public static isMsoMdocDecodedCredential(
-    original: OriginalVerifiableCredential | OriginalVerifiablePresentation | ICredential | IPresentation
+    original: OriginalVerifiableCredential | OriginalVerifiablePresentation | ICredential | IPresentation,
   ): original is MdocDocument {
     return typeof original === 'object' && 'issuerSigned' in original && (<MdocDocument>original).issuerSigned !== undefined
   }
@@ -537,7 +542,7 @@ export class CredentialMapper {
   static jwtEncodedPresentationToUniformPresentation(
     jwt: string,
     makeCredentialsUniform: boolean = true,
-    opts?: { maxTimeSkewInMS?: number }
+    opts?: { maxTimeSkewInMS?: number },
   ): IPresentation {
     return CredentialMapper.jwtDecodedPresentationToUniformPresentation(jwtDecode(jwt), makeCredentialsUniform, opts)
   }
@@ -545,7 +550,7 @@ export class CredentialMapper {
   static jwtDecodedPresentationToUniformPresentation(
     decoded: JwtDecodedVerifiablePresentation,
     makeCredentialsUniform: boolean = true,
-    opts?: { maxTimeSkewInMS?: number }
+    opts?: { maxTimeSkewInMS?: number },
   ): IVerifiablePresentation {
     const { iss, aud, jti, vp, ...rest } = decoded
 
@@ -592,7 +597,7 @@ export class CredentialMapper {
     opts?: {
       maxTimeSkewInMS?: number
       hasher?: HasherSync
-    }
+    },
   ): IVerifiableCredential {
     if (CredentialMapper.isMsoMdocDecodedCredential(verifiableCredential)) {
       return mdocDecodedCredentialToUniformCredential(verifiableCredential)
@@ -606,7 +611,7 @@ export class CredentialMapper {
         : verifiableCredential
     if (!original) {
       throw Error(
-        'Could not determine original credential from passed in credential. Probably because a JWT proof type was present, but now is not available anymore'
+        'Could not determine original credential from passed in credential. Probably because a JWT proof type was present, but now is not available anymore',
       )
     }
     const decoded = CredentialMapper.decodeVerifiableCredential(original, opts?.hasher ?? sha256)
@@ -629,7 +634,7 @@ export class CredentialMapper {
 
   static toUniformPresentation(
     presentation: OriginalVerifiablePresentation,
-    opts?: { maxTimeSkewInMS?: number; addContextIfMissing?: boolean; hasher?: HasherSync }
+    opts?: { maxTimeSkewInMS?: number; addContextIfMissing?: boolean; hasher?: HasherSync },
   ): IVerifiablePresentation {
     if (CredentialMapper.isSdJwtDecodedCredential(presentation)) {
       throw new Error('Converting SD-JWT VC to uniform VP is not supported.')
@@ -641,7 +646,7 @@ export class CredentialMapper {
     const original = typeof presentation !== 'string' && CredentialMapper.hasJWTProofType(presentation) ? proof?.jwt : presentation
     if (!original) {
       throw Error(
-        'Could not determine original presentation, probably it was a converted JWT presentation, that is now missing the JWT value in the proof'
+        'Could not determine original presentation, probably it was a converted JWT presentation, that is now missing the JWT value in the proof',
       )
     }
     const decoded = CredentialMapper.decodeVerifiablePresentation(original, opts?.hasher ?? sha256)
@@ -658,7 +663,7 @@ export class CredentialMapper {
     }
 
     uniformPresentation.verifiableCredential = uniformPresentation.verifiableCredential?.map((vc) =>
-      CredentialMapper.toUniformCredential(vc, opts)
+      CredentialMapper.toUniformCredential(vc, opts),
     ) as IVerifiableCredential[] // We cast it because we IPresentation needs a VC. The internal Credential doesn't have the required Proof anymore (that is intended)
     return uniformPresentation
   }
@@ -667,14 +672,14 @@ export class CredentialMapper {
     jwt: string,
     opts?: {
       maxTimeSkewInMS?: number
-    }
+    },
   ): IVerifiableCredential {
     return CredentialMapper.jwtDecodedCredentialToUniformCredential(jwtDecode(jwt), opts)
   }
 
   static jwtDecodedCredentialToUniformCredential(
     decoded: JwtDecodedVerifiableCredential,
-    opts?: { maxTimeSkewInMS?: number }
+    opts?: { maxTimeSkewInMS?: number },
   ): IVerifiableCredential {
     const { exp, nbf, iss, vc, sub, jti, ...rest } = decoded
     const credential: IVerifiableCredential = {
@@ -842,7 +847,7 @@ export class CredentialMapper {
   }
 
   static toCompactJWT(
-    jwtDocument: W3CVerifiableCredential | JwtDecodedVerifiableCredential | W3CVerifiablePresentation | JwtDecodedVerifiablePresentation | string
+    jwtDocument: W3CVerifiableCredential | JwtDecodedVerifiableCredential | W3CVerifiablePresentation | JwtDecodedVerifiablePresentation | string,
   ): string {
     if (!jwtDocument || CredentialMapper.detectDocumentType(jwtDocument) !== DocumentFormat.JWT) {
       throw Error('Cannot convert non JWT credential to JWT')
@@ -872,7 +877,7 @@ export class CredentialMapper {
       | JwtDecodedVerifiablePresentation
       | SdJwtDecodedVerifiableCredential
       | MdocDeviceResponse
-      | MdocDocument
+      | MdocDocument,
   ): DocumentFormat {
     if (this.isMsoMdocOid4VPEncoded(document as any) || this.isMsoMdocDecodedCredential(document as any)) {
       return DocumentFormat.MSO_MDOC
@@ -900,7 +905,7 @@ export class CredentialMapper {
   }
 
   private static hasJWTProofType(
-    document: W3CVerifiableCredential | W3CVerifiablePresentation | JwtDecodedVerifiableCredential | JwtDecodedVerifiablePresentation
+    document: W3CVerifiableCredential | W3CVerifiablePresentation | JwtDecodedVerifiableCredential | JwtDecodedVerifiablePresentation,
   ): boolean {
     if (typeof document === 'string') {
       return false
@@ -909,7 +914,7 @@ export class CredentialMapper {
   }
 
   private static getFirstProof(
-    document: W3CVerifiableCredential | W3CVerifiablePresentation | JwtDecodedVerifiableCredential | JwtDecodedVerifiablePresentation
+    document: W3CVerifiableCredential | W3CVerifiablePresentation | JwtDecodedVerifiableCredential | JwtDecodedVerifiablePresentation,
   ): IProof | undefined {
     if (!document || typeof document === 'string') {
       return undefined

package/src/types/sd-jwt-type-metadata.ts

@@ -152,6 +152,11 @@ export interface SdJwtSimpleRenderingMetadata {
    */
   logo?: SdJwtLogoMetadata
 
+  /**
+   * OPTIONAL. Metadata for the background image.
+   */
+  background_image?: SdJwtImageMetadata
+
   /**
    * OPTIONAL. Background color for the credential.
    */
@@ -163,6 +168,26 @@ export interface SdJwtSimpleRenderingMetadata {
   text_color?: string
 }
 
+/**
+ * Represents metadata for an image (logo, background image, etc.).
+ */
+export interface SdJwtImageMetadata {
+  /**
+   * REQUIRED. URI pointing to the image.
+   */
+  uri: string
+
+  /**
+   * OPTIONAL. Integrity metadata string for the 'uri' field.
+   */
+  ['uri#integrity']?: string
+
+  /**
+   * OPTIONAL. Alternative text for the image.
+   */
+  alt_text?: string
+}
+
 /**
  * Represents metadata for a logo.
  */

package/src/utils/mdoc.ts

@@ -79,36 +79,76 @@ export function decodeMdocDeviceResponse(vpToken: MdocOid4vpMdocVpToken): MdocDe
   return deviceResponse
 }
 
+function bytesToImageDataUri(value: unknown, mimeType = 'image/jpeg'): string {
+  if (typeof value === 'string') {
+    if (value.startsWith('data:image/')) return value
+    // Convert base64url to standard base64 if needed
+    let b64 = value.replace(/-/g, '+').replace(/_/g, '/')
+    const pad = b64.length % 4
+    if (pad) b64 += '='.repeat(4 - pad)
+    return `data:${mimeType};base64,${b64}`
+  }
+  // Int8Array or Uint8Array from CBOR byte string decoder
+  if (value && typeof value === 'object' && ('length' in value || Symbol.iterator in Object(value))) {
+    try {
+      const int8 = value instanceof Int8Array ? value : new Int8Array(value as ArrayLike<number>)
+      const base64 = com.sphereon.kmp.encodeTo(int8, com.sphereon.kmp.Encoding.BASE64)
+      return `data:${mimeType};base64,${base64}`
+    } catch {
+      // Fallback: try manual base64 encoding for Uint8Array
+      const bytes = value instanceof Uint8Array ? value : new Uint8Array(value as ArrayLike<number>)
+      let binary = ''
+      for (let i = 0; i < bytes.length; i++) binary += String.fromCharCode(bytes[i])
+      const base64 = typeof btoa === 'function' ? btoa(binary) : com.sphereon.kmp.encodeTo(new Int8Array(bytes), com.sphereon.kmp.Encoding.BASE64)
+      return `data:${mimeType};base64,${base64}`
+    }
+  }
+  return String(value)
+}
+
 // TODO naive implementation of mapping a mdoc onto a IVerifiableCredential. Needs some fixes and further implementation and needs to be moved out of ssi-types
 export const mdocDecodedCredentialToUniformCredential = (
   decoded: MdocDocument,
   // @ts-ignore
-  opts?: { maxTimeSkewInMS?: number },
+  opts?: { maxTimeSkewInMS?: number; issuer?: string },
 ): IVerifiableCredential => {
   const document = decoded.toJson()
   const json = document.toJsonDTO<DocumentJson>()
-  const type = 'Personal Identification Data'
   const MSO = document.MSO
   if (!MSO || !json.issuerSigned?.nameSpaces) {
     throw Error(`Cannot access Mobile Security Object or Issuer Signed items from the Mdoc`)
   }
   const nameSpaces = json.issuerSigned.nameSpaces as unknown as Record<string, IssuerSignedItemJson[]>
-  if (!('eu.europa.ec.eudi.pid.1' in nameSpaces)) {
-    throw Error(`Only PID supported at present`)
+  const nameSpaceKeys = Object.keys(nameSpaces)
+  if (nameSpaceKeys.length === 0) {
+    throw Error(`No namespaces found in issuer signed items`)
+  }
+  // Collect items from all namespaces
+  const items: IssuerSignedItemJson[] = []
+  for (const ns of nameSpaceKeys) {
+    items.push(...(nameSpaces[ns] || []))
   }
-  const items = nameSpaces['eu.europa.ec.eudi.pid.1']
-  if (!items || items.length === 0) {
+  if (items.length === 0) {
     throw Error(`No issuer signed items were found`)
   }
   type DisclosuresAccumulator = {
     [key: string]: any
   }
 
+  // Known image claims in ISO 18013-5
+  const IMAGE_CLAIMS = new Set(['portrait', 'signature_usual_mark'])
+
   const credentialSubject = items.reduce((acc: DisclosuresAccumulator, item: IssuerSignedItemJson) => {
     if (Array.isArray(item.value)) {
       acc[item.key] = item.value.map((val) => val.value).join(', ')
     } else {
-      acc[item.key] = item.value.value
+      const value = item.value.value
+      if (IMAGE_CLAIMS.has(item.key) && value != null) {
+        // Convert byte string to data URI for image rendering
+        acc[item.key] = bytesToImageDataUri(value)
+      } else {
+        acc[item.key] = value
+      }
     }
     return acc
   }, {})
@@ -123,11 +163,55 @@ export const mdocDecodedCredentialToUniformCredential = (
     throw Error(`JWT issuance date is required but was not present`)
   }
 
-  const credential: Omit<IVerifiableCredential, 'issuer' | 'issuanceDate'> = {
+  // Determine issuer: x5c CN > issuing_authority claim > opts.issuer fallback > docType
+  let issuer: string = opts?.issuer ?? docType
+  // Try issuing_authority from credential claims (present in mDL and some other doctypes)
+  if (credentialSubject.issuing_authority) {
+    issuer = credentialSubject.issuing_authority
+  }
+  // Try to extract CN from x5chain certificate in issuerAuth (most authoritative for mdoc)
+  try {
+    const x5chain = json.issuerSigned?.issuerAuth?.unprotectedHeader?.x5chain ?? json.issuerSigned?.issuerAuth?.protectedHeader?.x5chain
+    if (x5chain && x5chain.length > 0) {
+      // x5chain[0] is base64-encoded DER certificate. Extract CN by searching for OID 2.5.4.3 (55 04 03)
+      const b64 = x5chain[0]
+      let bytes: Uint8Array
+      if (typeof atob === 'function') {
+        const binaryStr = atob(b64)
+        bytes = new Uint8Array(binaryStr.length)
+        for (let i = 0; i < binaryStr.length; i++) bytes[i] = binaryStr.charCodeAt(i)
+      } else {
+        const int8 = com.sphereon.kmp.decodeFrom(b64, com.sphereon.kmp.Encoding.BASE64)
+        bytes = new Uint8Array(int8)
+      }
+      // Find last CN OID (55 04 03) — last occurrence is the subject CN
+      let lastCn: string | undefined
+      for (let i = 0; i < bytes.length - 5; i++) {
+        if (bytes[i] === 0x55 && bytes[i + 1] === 0x04 && bytes[i + 2] === 0x03) {
+          const tag = bytes[i + 3] // 0x0c=UTF8String, 0x13=PrintableString
+          if (tag === 0x0c || tag === 0x13) {
+            const len = bytes[i + 4]
+            if (i + 5 + len <= bytes.length) {
+              const cn = String.fromCharCode(...bytes.slice(i + 5, i + 5 + len))
+              lastCn = cn
+            }
+          }
+        }
+      }
+      if (lastCn) {
+        issuer = lastCn
+      }
+    }
+  } catch {
+    // Certificate parsing failed, keep previous issuer value
+  }
+
+  const credential: Omit<IVerifiableCredential, 'issuanceDate'> = {
     type: [docType], // Mdoc not a W3C VC, so no VerifiableCredential
     '@context': [], // Mdoc has no JSON-LD by default. Certainly not the VC DM1 default context for JSON-LD
+    issuer,
     credentialSubject: {
-      type,
+      type: docType,
       ...credentialSubject,
     },
     issuanceDate,