@trustvc/trustvc 1.6.0-alpha.5 → 1.6.0-alpha.7

package/README.md

@@ -16,15 +16,16 @@ TrustVC is a comprehensive wrapper library designed to simplify the signing and
     - [2. **Signing**](#2-signing)
       - [a) OpenAttestation Signing (signOA) v2 v3](#a-openattestation-signing-signoa-v2-v3)
       - [b) TrustVC W3C Signing (signW3C)](#b-trustvc-w3c-signing-signw3c)
-    - [3. **Verifying**](#3-verifying)
-    - [4. **Encryption**](#4-encryption)
-    - [5. **Decryption**](#5-decryption)
-    - [6. **TradeTrust Token Registry**](#6-tradetrust-token-registry)
+    - [3. **Deriving (Selective Disclosure)**](#3-deriving-selective-disclosure)
+    - [4. **Verifying**](#4-verifying)
+    - [5. **Encryption**](#5-encryption)
+    - [6. **Decryption**](#6-decryption)
+    - [7. **TradeTrust Token Registry**](#7-tradetrust-token-registry)
       - [Usage](#usage-2)
       - [TradeTrustToken](#tradetrusttoken)
       - [a) Token Registry v4](#a-token-registry-v4)
       - [b) Token Registry V5](#b-token-registry-v5)
-    - [7. **Document Builder**](#7-document-builder)
+    - [8. **Document Builder**](#8-document-builder)
 
 ## Installation
 
@@ -154,15 +155,17 @@ const signedWrappedDocument = await signOA(wrappedDocument, {
 
 #### b) TrustVC W3C Signing (signW3C)
 
+The `signW3C` function signs W3C Verifiable Credentials using the provided cryptographic suite and key pair. By default, it uses the **ecdsa-sd-2023** crypto suite unless otherwise specified.
+
 ```ts
 import { signW3C, VerificationType } from '@trustvc/trustvc';
 
 const rawDocument = {
   '@context': [
-    'https://www.w3.org/2018/credentials/v1',
-    'https://w3c-ccg.github.io/citizenship-vocab/contexts/citizenship-v1.jsonld',
-    'https://w3id.org/security/bbs/v1',
+    'https://www.w3.org/ns/credentials/v2',
+    'https://w3id.org/security/data-integrity/v2',
     'https://w3id.org/vc/status-list/2021/v1',
+    'https://w3c-ccg.github.io/citizenship-vocab/contexts/citizenship-v2.jsonld',
   ],
   credentialStatus: {
     id: 'https://trustvc.github.io/did/credentials/statuslist/1#1',
@@ -172,29 +175,113 @@ const rawDocument = {
     statusListCredential: 'https://trustvc.github.io/did/credentials/statuslist/1',
   },
   credentialSubject: {
-    name: 'TrustVC',
+    type: ['Person']
+    givenName: 'TrustVC',
     birthDate: '2024-04-01T12:19:52Z',
-    type: ['PermanentResident', 'Person'],
   },
-  expirationDate: '2029-12-03T12:19:52Z',
   issuer: 'did:web:trustvc.github.io:did:1',
   type: ['VerifiableCredential'],
-  issuanceDate: '2024-04-01T12:19:52Z',
+  validFrom: '2024-04-01T12:19:52Z',
+  validUntil: '2029-12-03T12:19:52Z'
 };
 
+// Using default ecdsa-sd-2023 crypto suite
 const signingResult = await signW3C(rawDocument, {
-  id: 'did:web:trustvc.github.io:did:1#keys-1',
+  '@context': 'https://w3id.org/security/multikey/v1',
+  id: 'did:web:trustvc.github.io:did:1#multikey-1',
+  type: VerificationType.Multikey,
   controller: 'did:web:trustvc.github.io:did:1',
-  type: VerificationType.Bls12381G2Key2020,
-  publicKeyBase58:
-    'oRfEeWFresvhRtXCkihZbxyoi2JER7gHTJ5psXhHsdCoU1MttRMi3Yp9b9fpjmKh7bMgfWKLESiK2YovRd8KGzJsGuamoAXfqDDVhckxuc9nmsJ84skCSTijKeU4pfAcxeJ',
-  privateKeyBase58: '<privateKeyBase58>',
+  publicKeyMultibase: 'zDnaemDNwi4G5eTzGfRooFFu5Kns3be6yfyVNtiaMhWkZbwtc',
+  secretKeyMultibase: '<secretKeyMultibase>'
+});
+
+// You can also specify mandatory pointers for selective disclosure with ecdsa-sd-2023
+const signingResultWithPointers = await signW3C(
+  rawDocument,
+  {
+    '@context': 'https://w3id.org/security/multikey/v1',
+    id: 'did:web:trustvc.github.io:did:1#multikey-1',
+    type: VerificationType.Multikey,
+    controller: 'did:web:trustvc.github.io:did:1',
+    publicKeyMultibase: 'zDnaemDNwi4G5eTzGfRooFFu5Kns3be6yfyVNtiaMhWkZbwtc',
+    secretKeyMultibase: '<secretKeyMultibase>'
+  },
+  'ecdsa-sd-2023',
+  {
+    mandatoryPointers: ['/credentialStatus']
+  }
+);
+
+// Alternatively, specify a different crypto suite. Ensure the context is updated to include the crypto suite.
+const signingResultWithBbs = await signW3C(
+  rawDocument,
+  {
+    id: 'did:web:trustvc.github.io:did:1#keys-1',
+    controller: 'did:web:trustvc.github.io:did:1',
+    type: VerificationType.Bls12381G2Key2020,
+    publicKeyBase58: 'oRfEeWFresvhRtXCkihZbxyoi2JER7gHTJ5psXhHsdCoU1MttRMi3Yp9b9fpjmKh7bMgfWKLESiK2YovRd8KGzJsGuamoAXfqDDVhckxuc9nmsJ84skCSTijKeU4pfAcxeJ',
+    privateKeyBase58: '<privateKeyBase58>',
+  },
+  'BbsBlsSignature2020'
+);
+
+```
+
+---
+
+### 3. **Deriving (Selective Disclosure)**
+
+> When using ECDSA-SD-2023 crypto suite, we can derive a new credential with selective disclosure. This means you can choose which parts of the credential to reveal while keeping others hidden.
+
+```ts
+import { deriveW3C } from '@trustvc/trustvc';
+
+// This is a signed document using ecdsa-sd-2023
+const signedDocument = {
+  '@context': [
+    'https://www.w3.org/ns/credentials/v2',
+    'https://w3id.org/security/data-integrity/v2',
+    'https://w3id.org/vc/status-list/2021/v1',
+    'https://w3c-ccg.github.io/citizenship-vocab/contexts/citizenship-v2.jsonld'
+  ],
+  credentialStatus: {
+    id: 'https://trustvc.github.io/did/credentials/statuslist/1#1',
+    type: 'StatusList2021Entry',
+    statusPurpose: 'revocation',
+    statusListIndex: '10',
+    statusListCredential: 'https://trustvc.github.io/did/credentials/statuslist/1'
+  },
+  credentialSubject: {
+    type: ['Person'],
+    givenName: 'TrustVC',
+    birthDate: '2024-04-01T12:19:52Z'
+  },
+  issuer: 'did:web:trustvc.github.io:did:1',
+  type: ['VerifiableCredential'],
+  validFrom: '2024-04-01T12:19:52Z',
+  validUntil: '2029-12-03T12:19:52Z',
+  id: 'urn:uuid:0198bd9e-6686-7ccd-9b2a-ce763ae710d7',
+  proof: {
+    type: 'DataIntegrityProof',
+    created: '2025-08-18T14:38:51Z',
+    verificationMethod: 'did:web:trustvc.github.io:did:1#multikey-1',
+    cryptosuite: 'ecdsa-sd-2023',
+    proofPurpose: 'assertionMethod',
+    proofValue: 'u2V0AhVhAxfLFkbv8J_O3zJAQrSWrEY3sgeMwN02b2eaHEgjnJYu1rnCBYORfZUVZwRoRuNIiY1NTGHmQpzlgqtQz7A0R3FgjgCQDzt3_aUvSMrlIZdsyVcB4KPHHjA4BbSv-PZ4Bbm4GpY5YIA1mQ8LYmpjJ7vNvN3DsfIengZrnziTLO9exbZjn1KqFilhA0lp1y6BZ-fhiUdWsojYesLDSzCy6Tq_AICaIvCjYSJMEaY7SomJnCkdpuhM0GQHDTy5kjzb7sSzowACqDDf9OVhAfOC7vg4WQGrI6M3dvLZW3KlBzp1SurRz1PPeHcqOGEDrqybzIlolwNXMhc2T8rcVLl-E04wNsiVjamvqWAQN-lhA4HmVqIxKuR0QvCMEVq3cjUU7G1pQbgMdp9HZDasOT9nh_k5l3JfcXB1_qtRblljXWN0FRKAr9T-DhxzDzGl3-lhA4nNDzd-6xl74rWqr_7U9XZE7LoE-mbgBsyOAOlfHGumMxwddnEZp2iD2uZ7lLXX8Q-nSDXJVvUqKLksy1l2vqVhAm3daNYjH1kVrTW7V-DElcj3K_QfbHEvjd1F2TGVGtBVhF8o01yCxXRX0vzk-AZLZnpDnAUBTSTF5Q8rF-t7L9lhAO7NeIXQtQsdncqtLm2qk1XzFYL2FM5Hx4GZOX39VyT4T0AlFRZQuY9WXYnvMZSvacRvJaSJk5S3cZ6uBminQgVhAExuTEvJQu42-SiaOJ_6M0EjuQfqIgJE-JHirmYs3AAoH_4EKUtPU3y_jRB8XFZxA-wtFDv3KJjqXtNo5aA_6f1hAaokZPSJghFufTaVR8LAwHpXOncGJblKpUZQjKWuA_o2s6tGmx-ja0wgpsqSxvAGMTtkhFTMOI2-tzUuGE05tk1hAzABtV2yEX-RAQFpxkuV0XydAsJDh2dPscrpPHqMfmORsC3xRNL73uDaqqlaL99CvOgq4kJWmChw7TUYO62yaSVhA5-F-snwj-OZtws7_qMwvBgeNK9wvkZTlFLjRV6GDYx6r5TaLkR05GVzyBMv0Qs2z-cXPRZByS7p7_hbeykoYSYJnL2lzc3VlcmovdmFsaWRGcm9t'
+  }
+};
+
+// Derive a new credential with only specific fields disclosed
+const derivationResult = await deriveW3C(signedDocument, {
+  // Only reveal the credential type and givenName, hide birthDate
+  selectivePointers: ['/type', '/credentialSubject/givenName']
 });
+
 ```
 
 ---
 
-### 3. **Verifying**
+### 4. **Verifying**
 
 > TrustVC simplifies the verification process with a single function that supports both W3C Verifiable Credentials (VCs) and OpenAttestation Verifiable Documents (VDs). Whether you're working with W3C standards or OpenAttestation standards, TrustVC handles the verification seamlessly.
 
@@ -239,7 +326,7 @@ const resultFragments = await verifyDocument(signedDocument);
 
 ---
 
-### 4. **Encryption**
+### 5. **Encryption**
 
 > The `encrypt` function encrypts plaintext messages using the **ChaCha20** encryption algorithm, ensuring the security and integrity of the input data. It supports custom keys and nonces, returning the encrypted message in hexadecimal format.
 
@@ -316,7 +403,7 @@ It also relies on the `ts-chacha20` library for encryption operations.
 
 ---
 
-### 5. **Decryption**
+### 6. **Decryption**
 
 > The `decrypt` function decrypts messages encrypted with the **ChaCha20** algorithm. It converts the input from a hexadecimal format back into plaintext using the provided key and nonce.
 
@@ -399,7 +486,7 @@ It also relies on the `ts-chacha20` library for decryption operations.
 
 ---
 
-### 6. **TradeTrust Token Registry**
+### 7. **TradeTrust Token Registry**
 
 > The Electronic Bill of Lading (eBL) is a digital document that can be used to prove the ownership of goods. It is a standardized document that is accepted by all major shipping lines and customs authorities. The [Token Registry](https://github.com/TradeTrust/token-registry) repository contains both the smart contract (v4 and v5) code for token registry (in `/contracts`) as well as the node package for using this library (in `/src`).
 > The TrustVC library not only simplifies signing and verification but also imports and integrates existing TradeTrust libraries and smart contracts for token registry (V4 and V5), making it a versatile tool for decentralized identity and trust solutions.
@@ -589,8 +676,8 @@ function rejectTransferOwners(bytes calldata _remark) external;
 
 For more information on Token Registry and Title Escrow contracts **version v5**, please visit the readme of [TradeTrust Token Registry V5](https://github.com/TradeTrust/token-registry/blob/master/README.md)
 
-### 7. **Document Builder**
-> The `DocumentBuilder` class helps build and manage W3C Verifiable Credentials (VCs) with credential status features. It supports creating documents with two types of credential statuses: `transferableRecords` and `verifiableDocument`. It can sign the document using a private key, verify its signature, and serialize the document to a JSON format. Additionally, it allows for configuration of document rendering methods and expiration dates.
+### 8. **Document Builder**
+> The `DocumentBuilder` class helps build and manage W3C Verifiable Credentials (VCs) with credential status features, implementing the **W3C VC Data Model 2.0** specification. It supports creating documents with two types of credential statuses: `transferableRecords` and `verifiableDocument`. It can sign the document using a private key, verify its signature, and serialize the document to a JSON format. Additionally, it allows for configuration of document rendering methods and expiration dates.
 
 #### Usage
 
@@ -603,7 +690,7 @@ To learn more about defining custom contexts, check out the [Credential Subject
 // Adds a custom vocabulary used to define terms in the `credentialSubject`.
 // Users can define their own context if they have domain-specific fields or custom data structures.
 const builder = new DocumentBuilder({
-  '@context': 'https://w3c-ccg.github.io/citizenship-vocab/contexts/citizenship-v1.jsonld'
+  '@context': 'https://w3c-ccg.github.io/citizenship-vocab/contexts/citizenship-v2.jsonld'
 });
 ```
 
@@ -612,8 +699,8 @@ Set the subject of the Verifiable Credential, which typically contains informati
 
 ```ts
 builder.credentialSubject({
-  id: 'did:example:123',
-  name: 'John Doe',
+  type: ['Person'],
+  givenName: 'TrustVC',
 });
 ```
 
@@ -649,7 +736,7 @@ builder.credentialStatus({
 ```
 
 ##### Set Expiration Date
-You can set an expiration date for the document.
+You can set a valid until date (expiration) for the document.
 
 ```ts
 builder.expirationDate('2026-01-01T00:00:00Z');
@@ -677,16 +764,17 @@ builder.qrCode({
 ```
 
 ##### Sign the Document
-To sign the document, provide a `PrivateKeyPair` from `@trustvc/trustvc`.
+To sign the document, provide a `PrivateKeyPair` from `@trustvc/trustvc`. The builder uses ECDSA key for signing by default.
 
 ```ts
 const privateKey: PrivateKeyPair = {
-  id: 'did:example:456#key1',
-  controller: 'did:example:456',
-  type: VerificationType.Bls12381G2Key2020,
-  publicKeyBase58: 'your-public-key-base58',
-  privateKeyBase58: 'your-private-key-base58',
-};
+    '@context': 'https://w3id.org/security/multikey/v1',
+    id: 'did:web:example.com#multikey-1',
+    type: VerificationType.Multikey,
+    controller: 'did:web:example.com',
+    publicKeyMultibase: 'your-public-key-multibase',
+    secretKeyMultibase: 'your-secret-key-multibase',
+}
 
 const signedDocument = await builder.sign(privateKey);
 console.log(signedDocument);
@@ -696,19 +784,18 @@ Example Output After Signing
 ```json
 {
   "@context": [
-    "https://www.w3.org/2018/credentials/v1",
-    "https://w3c-ccg.github.io/citizenship-vocab/contexts/citizenship-v1.jsonld",
-    "https://w3id.org/vc/status-list/2021/v1",
-    "https://trustvc.io/context/render-method-context.json",
+    "https://www.w3.org/ns/credentials/v2",
+    "https://w3c-ccg.github.io/citizenship-vocab/contexts/citizenship-v2.jsonld",
+    "https://trustvc.io/context/render-method-context-v2.json",
     "https://trustvc.io/context/qrcode-context.json",
-    "https://w3id.org/security/bbs/v1"
+    "https://w3id.org/security/data-integrity/v2"
   ],
   "type": ["VerifiableCredential"],
   "credentialSubject": {
-    "id": "did:example:123",
-    "name": "John Doe"
+    "type": ["Person"],
+    "givenName": "TrustVC",
   },
-  "expirationDate": "2026-01-01T00:00:00Z",
+  "validUntil": "2026-01-01T00:00:00Z",
   "renderMethod": [
     {
       "id": "https://example.com/rendering-method",
@@ -727,21 +814,30 @@ Example Output After Signing
     "statusListIndex": "<placeholder>",
     "statusListCredential": "https://example.com/status-list"
   },
-  "issuer": "did:example:456",
-  "issuanceDate": "2025-01-01T00:00:00Z",
+  "issuer": "did:web:example.com",
+  "validFrom": "2025-01-01T00:00:00Z",
   "id": "urn:bnid:_:0195fec2-4ae1-7cca-9182-03fd7da5142b",
   "proof": {
-    "type": "BbsBlsSignature2020",
+    "type": "DataIntegrityProof",
     "created": "2025-01-01T00:00:01Z",
+    "verificationMethod": "did:web:example.com#multikey-1",
+    "cryptosuite": "ecdsa-sd-2023",
     "proofPurpose": "assertionMethod",
-    "proofValue": "rV56L+QYozATRy3GOVLomzUo99sXtw2x0Cy9dEkHJ15wi4cS12cQJRIwzONVi3YscdhaSKoqD1jWmwb5A/khLZnDq5eo3QzDgTVClYuV86opL3HJyoS4+t2rRt3wl+chnATy2jqr5zMEvcVJ3gdXpQ==",
-    "verificationMethod": "did:example:456#key1"
+    "proofValue": "u2V0AhVhAh1oLoiuV2AwmSa2ZspbmrG2gCDbpZW.......",
   }
 }
 ```
 
+##### Deriving the Document
+Provide the attributes to reveal to the `derive` method.
+
+```ts
+const derivedDocument = await builder.derive(['/credentialSubject/givenName']);
+console.log(derivedDocument);
+```
+
 ##### Verify the Document
-To verify the signature of the signed document:
+To verify the signature of the signed document, ensure the document is derived first and then call the `verify` method.
 
 ```ts
 const isVerified = await builder.verify();

package/dist/cjs/core/documentBuilder.js

@@ -1,5 +1,6 @@
 'use strict';
 
+var w3cIssuer = require('@trustvc/w3c-issuer');
 var w3c = require('../w3c');
 var w3cCredentialStatus = require('@trustvc/w3c-credential-status');
 var w3cVc = require('@trustvc/w3c-vc');
@@ -9,6 +10,7 @@ var tokenRegistryV5$1 = require('@tradetrust-tt/token-registry-v5');
 var tokenRegistryV4 = require('../token-registry-v4');
 var tokenRegistryV5 = require('../token-registry-v5');
 var utils = require('../utils');
+var w3cContext = require('@trustvc/w3c-context');
 
 var __defProp = Object.defineProperty;
 var __name = (target, value) => __defProp(target, "name", { value, configurable: true });
@@ -30,6 +32,8 @@ class DocumentBuilder {
   // Required fields that must be present in the document.
   isSigned = false;
   // Tracks if a document is signed
+  isDerived = false;
+  // Tracks if a document is derived
   /**
    * Constructor to initialize the document builder.
    * @param {Partial<VerifiableCredential>} input - The input document.
@@ -63,18 +67,17 @@ class DocumentBuilder {
         tokenRegistry: config.tokenRegistry
       };
       this.rpcProviderUrl = config.rpcProviderUrl;
-      this.addContext("https://trustvc.io/context/transferable-records-context.json");
+      this.addContext(w3cContext.TR_CONTEXT_URL);
     } else if (isVerifiable) {
       this.selectedStatusType = "verifiableDocument";
       this.statusConfig = {
         id: `${config.url}#${config.index}`,
-        type: "StatusList2021Entry",
+        type: "BitstringStatusListEntry",
         statusPurpose: config.purpose || "revocation",
         // Set status purpose to "revocation" by default.
         statusListIndex: config.index,
         statusListCredential: config.url
       };
-      this.addContext("https://w3id.org/vc/status-list/2021/v1");
     } else {
       throw new Error("Configuration Error: Missing required fields for credential status.");
     }
@@ -83,25 +86,25 @@ class DocumentBuilder {
   // Sets the expiration date of the document.
   expirationDate(date) {
     if (this.isSigned) throw new Error("Configuration Error: Document is already signed.");
-    this.document.expirationDate = typeof date === "string" ? date : date.toISOString();
+    this.document.validUntil = typeof date === "string" ? date : date.toISOString();
     return this;
   }
   // Defines the rendering method for the document.
   renderMethod(method) {
     if (this.isSigned) throw new Error("Configuration Error: Document is already signed.");
     this.document.renderMethod = [method];
-    this.addContext("https://trustvc.io/context/render-method-context.json");
+    this.addContext(w3cContext.RENDER_CONTEXT_V2_URL);
     return this;
   }
   // Defines the qrcode for the document.
   qrCode(method) {
     if (this.isSigned) throw new Error("Configuration Error: Document is already signed.");
     this.document.qrCode = method;
-    this.addContext("https://trustvc.io/context/qrcode-context.json");
+    this.addContext(w3cContext.QRCODE_CONTEXT_URL);
     return this;
   }
   // Sign the document using the provided private key and an optional cryptographic suite.
-  async sign(privateKey, cryptoSuite) {
+  async sign(privateKey, cryptoSuite, options) {
     if (this.isSigned) throw new Error("Configuration Error: Document is already signed.");
     if (this.selectedStatusType) {
       this.document.credentialStatus = this.statusConfig;
@@ -119,16 +122,36 @@ class DocumentBuilder {
       await this.verifyTokenRegistry();
     }
     this.document.issuer = privateKey.id.split("#")[0];
-    this.document.issuanceDate = this.document.issuanceDate || (/* @__PURE__ */ new Date()).toISOString();
-    this.addContext("https://w3id.org/security/bbs/v1");
-    const signedVC = await w3c.signW3C(this.document, privateKey, cryptoSuite);
+    this.document.validFrom = this.document.validFrom || (/* @__PURE__ */ new Date()).toISOString();
+    if (!cryptoSuite || cryptoSuite === "ecdsa-sd-2023") {
+      this.addContext(w3cContext.DATA_INTEGRITY_V2_URL);
+    } else {
+      this.addContext(w3cContext.BBS_V1_URL);
+    }
+    const signedVC = await w3c.signW3C(this.document, privateKey, cryptoSuite, options);
     if (signedVC.error) throw new Error(`Signing Error: ${signedVC.error}`);
     this.isSigned = true;
     return signedVC.signed;
   }
+  async derive(revealedAttributes) {
+    if (!this.isSigned) throw new Error("Configuration Error: Document is not signed yet.");
+    if (this.isDerived) throw new Error("Configuration Error: Document is already derived.");
+    const derivedCredential = await w3c.deriveW3C(
+      this.document,
+      revealedAttributes
+    );
+    if (derivedCredential.error) throw new Error(`Derivation Error: ${derivedCredential.error}`);
+    this.document = derivedCredential.derived;
+    this.isDerived = true;
+    return derivedCredential.derived;
+  }
   // Verify the document.
   async verify() {
     if (!this.isSigned) throw new Error("Verification Error: Document is not signed yet.");
+    const cryptosuite = this.document?.proof?.cryptosuite;
+    if (cryptosuite === w3cIssuer.CryptoSuite.EcdsaSd2023 && !this.isDerived) {
+      throw new Error("Verification Error: Document is not derived yet. Use derive() first.");
+    }
     const verificationResult = await w3c.verifyW3CSignature(
       this.document
     );
@@ -167,10 +190,11 @@ class DocumentBuilder {
   }
   // Private helper method to build the context for the document, ensuring uniqueness and adding the default W3C context.
   buildContext(context) {
-    return [
-      "https://www.w3.org/2018/credentials/v1",
-      ...Array.isArray(context) ? context : context ? [context] : []
-    ].filter((v, i, a) => a.indexOf(v) === i);
+    const arrayContext = Array.isArray(context) ? context : context ? [context] : [];
+    if (arrayContext.includes(w3cContext.VC_V1_URL)) {
+      throw new Error("Document builder does not support data model v1.1.");
+    }
+    return [w3cContext.VC_V2_URL, ...arrayContext].filter((v, i, a) => a.indexOf(v) === i);
   }
   // Private helper method to add a new context to the document if it does not already exist.
   addContext(context) {

package/dist/cjs/verify/fragments/document-integrity/ecdsaW3CSignatureIntegrity.js

@@ -1,6 +1,6 @@
 'use strict';
 
-var __ = require('../../..');
+var verify = require('../../../w3c/verify');
 var w3cVc = require('@trustvc/w3c-vc');
 
 var __defProp = Object.defineProperty;
@@ -42,11 +42,11 @@ const ecdsaW3CSignatureIntegrity = {
       };
     }
     try {
-      let verificationResult = await __.verifyW3CSignature(document, verifierOptions);
+      let verificationResult = await verify.verifyW3CSignature(document, verifierOptions);
       let isDerived = true;
       if (!verificationResult.verified && verificationResult.error?.includes(DERIVE_CREDENTIAL_ERROR)) {
         const derivedCredential = await w3cVc.deriveCredential(document, []);
-        verificationResult = await __.verifyW3CSignature(derivedCredential.derived, verifierOptions);
+        verificationResult = await verify.verifyW3CSignature(derivedCredential.derived, verifierOptions);
         isDerived = false;
       }
       if (verificationResult.verified) {

package/dist/cjs/verify/fragments/document-integrity/w3cSignatureIntegrity.js

@@ -1,6 +1,6 @@
 'use strict';
 
-var __ = require('../../..');
+var verify = require('../../../w3c/verify');
 
 var __defProp = Object.defineProperty;
 var __name = (target, value) => __defProp(target, "name", { value, configurable: true });
@@ -23,7 +23,7 @@ const w3cSignatureIntegrity = {
   }, "test"),
   verify: /* @__PURE__ */ __name(async (document, verifierOptions) => {
     const doc = document;
-    const verificationResult = await __.verifyW3CSignature(doc, verifierOptions);
+    const verificationResult = await verify.verifyW3CSignature(doc, verifierOptions);
     if (verificationResult.verified) {
       return {
         type: "DOCUMENT_INTEGRITY",

package/dist/cjs/w3c/derive.js

@@ -0,0 +1,11 @@
+'use strict';
+
+var w3cVc = require('@trustvc/w3c-vc');
+
+var __defProp = Object.defineProperty;
+var __name = (target, value) => __defProp(target, "name", { value, configurable: true });
+const deriveW3C = /* @__PURE__ */ __name(async (credential, revealedAttributes) => {
+  return w3cVc.deriveCredential(credential, revealedAttributes);
+}, "deriveW3C");
+
+exports.deriveW3C = deriveW3C;

package/dist/cjs/w3c/index.js

@@ -7,6 +7,7 @@ var sign = require('./sign');
 var types = require('./types');
 var vc = require('./vc');
 var verify = require('./verify');
+var derive = require('./derive');
 
 function _interopNamespace(e) {
   if (e && e.__esModule) return e;
@@ -55,3 +56,9 @@ Object.keys(verify).forEach(function (k) {
     get: function () { return verify[k]; }
   });
 });
+Object.keys(derive).forEach(function (k) {
+  if (k !== 'default' && !Object.prototype.hasOwnProperty.call(exports, k)) Object.defineProperty(exports, k, {
+    enumerable: true,
+    get: function () { return derive[k]; }
+  });
+});

package/dist/cjs/w3c/sign.js

@@ -4,8 +4,8 @@ var w3cVc = require('@trustvc/w3c-vc');
 
 var __defProp = Object.defineProperty;
 var __name = (target, value) => __defProp(target, "name", { value, configurable: true });
-const signW3C = /* @__PURE__ */ __name(async (credential, keyPair, cryptoSuite = "BbsBlsSignature2020") => {
-  return w3cVc.signCredential(credential, keyPair, cryptoSuite);
+const signW3C = /* @__PURE__ */ __name(async (credential, keyPair, cryptoSuite = "ecdsa-sd-2023", options) => {
+  return w3cVc.signCredential(credential, keyPair, cryptoSuite, options);
 }, "signW3C");
 
 exports.signW3C = signW3C;

package/dist/esm/core/documentBuilder.js

@@ -1,4 +1,5 @@
-import { signW3C, verifyW3CSignature } from '../w3c';
+import { CryptoSuite } from '@trustvc/w3c-issuer';
+import { signW3C, deriveW3C, verifyW3CSignature } from '../w3c';
 import { assertCredentialStatus, assertTransferableRecords } from '@trustvc/w3c-credential-status';
 import { verifyCredentialStatus } from '@trustvc/w3c-vc';
 import { ethers } from 'ethers';
@@ -7,6 +8,7 @@ import { constants as constants$1 } from '@tradetrust-tt/token-registry-v5';
 import { v4Contracts } from '../token-registry-v4';
 import { v5Contracts } from '../token-registry-v5';
 import { SUPPORTED_CHAINS } from '../utils';
+import { TR_CONTEXT_URL, RENDER_CONTEXT_V2_URL, QRCODE_CONTEXT_URL, DATA_INTEGRITY_V2_URL, BBS_V1_URL, VC_V1_URL, VC_V2_URL } from '@trustvc/w3c-context';
 
 var __defProp = Object.defineProperty;
 var __name = (target, value) => __defProp(target, "name", { value, configurable: true });
@@ -28,6 +30,8 @@ class DocumentBuilder {
   // Required fields that must be present in the document.
   isSigned = false;
   // Tracks if a document is signed
+  isDerived = false;
+  // Tracks if a document is derived
   /**
    * Constructor to initialize the document builder.
    * @param {Partial<VerifiableCredential>} input - The input document.
@@ -61,18 +65,17 @@ class DocumentBuilder {
         tokenRegistry: config.tokenRegistry
       };
       this.rpcProviderUrl = config.rpcProviderUrl;
-      this.addContext("https://trustvc.io/context/transferable-records-context.json");
+      this.addContext(TR_CONTEXT_URL);
     } else if (isVerifiable) {
       this.selectedStatusType = "verifiableDocument";
       this.statusConfig = {
         id: `${config.url}#${config.index}`,
-        type: "StatusList2021Entry",
+        type: "BitstringStatusListEntry",
         statusPurpose: config.purpose || "revocation",
         // Set status purpose to "revocation" by default.
         statusListIndex: config.index,
         statusListCredential: config.url
       };
-      this.addContext("https://w3id.org/vc/status-list/2021/v1");
     } else {
       throw new Error("Configuration Error: Missing required fields for credential status.");
     }
@@ -81,25 +84,25 @@ class DocumentBuilder {
   // Sets the expiration date of the document.
   expirationDate(date) {
     if (this.isSigned) throw new Error("Configuration Error: Document is already signed.");
-    this.document.expirationDate = typeof date === "string" ? date : date.toISOString();
+    this.document.validUntil = typeof date === "string" ? date : date.toISOString();
     return this;
   }
   // Defines the rendering method for the document.
   renderMethod(method) {
     if (this.isSigned) throw new Error("Configuration Error: Document is already signed.");
     this.document.renderMethod = [method];
-    this.addContext("https://trustvc.io/context/render-method-context.json");
+    this.addContext(RENDER_CONTEXT_V2_URL);
     return this;
   }
   // Defines the qrcode for the document.
   qrCode(method) {
     if (this.isSigned) throw new Error("Configuration Error: Document is already signed.");
     this.document.qrCode = method;
-    this.addContext("https://trustvc.io/context/qrcode-context.json");
+    this.addContext(QRCODE_CONTEXT_URL);
     return this;
   }
   // Sign the document using the provided private key and an optional cryptographic suite.
-  async sign(privateKey, cryptoSuite) {
+  async sign(privateKey, cryptoSuite, options) {
     if (this.isSigned) throw new Error("Configuration Error: Document is already signed.");
     if (this.selectedStatusType) {
       this.document.credentialStatus = this.statusConfig;
@@ -117,16 +120,36 @@ class DocumentBuilder {
       await this.verifyTokenRegistry();
     }
     this.document.issuer = privateKey.id.split("#")[0];
-    this.document.issuanceDate = this.document.issuanceDate || (/* @__PURE__ */ new Date()).toISOString();
-    this.addContext("https://w3id.org/security/bbs/v1");
-    const signedVC = await signW3C(this.document, privateKey, cryptoSuite);
+    this.document.validFrom = this.document.validFrom || (/* @__PURE__ */ new Date()).toISOString();
+    if (!cryptoSuite || cryptoSuite === "ecdsa-sd-2023") {
+      this.addContext(DATA_INTEGRITY_V2_URL);
+    } else {
+      this.addContext(BBS_V1_URL);
+    }
+    const signedVC = await signW3C(this.document, privateKey, cryptoSuite, options);
     if (signedVC.error) throw new Error(`Signing Error: ${signedVC.error}`);
     this.isSigned = true;
     return signedVC.signed;
   }
+  async derive(revealedAttributes) {
+    if (!this.isSigned) throw new Error("Configuration Error: Document is not signed yet.");
+    if (this.isDerived) throw new Error("Configuration Error: Document is already derived.");
+    const derivedCredential = await deriveW3C(
+      this.document,
+      revealedAttributes
+    );
+    if (derivedCredential.error) throw new Error(`Derivation Error: ${derivedCredential.error}`);
+    this.document = derivedCredential.derived;
+    this.isDerived = true;
+    return derivedCredential.derived;
+  }
   // Verify the document.
   async verify() {
     if (!this.isSigned) throw new Error("Verification Error: Document is not signed yet.");
+    const cryptosuite = this.document?.proof?.cryptosuite;
+    if (cryptosuite === CryptoSuite.EcdsaSd2023 && !this.isDerived) {
+      throw new Error("Verification Error: Document is not derived yet. Use derive() first.");
+    }
     const verificationResult = await verifyW3CSignature(
       this.document
     );
@@ -165,10 +188,11 @@ class DocumentBuilder {
   }
   // Private helper method to build the context for the document, ensuring uniqueness and adding the default W3C context.
   buildContext(context) {
-    return [
-      "https://www.w3.org/2018/credentials/v1",
-      ...Array.isArray(context) ? context : context ? [context] : []
-    ].filter((v, i, a) => a.indexOf(v) === i);
+    const arrayContext = Array.isArray(context) ? context : context ? [context] : [];
+    if (arrayContext.includes(VC_V1_URL)) {
+      throw new Error("Document builder does not support data model v1.1.");
+    }
+    return [VC_V2_URL, ...arrayContext].filter((v, i, a) => a.indexOf(v) === i);
   }
   // Private helper method to add a new context to the document if it does not already exist.
   addContext(context) {

package/dist/esm/verify/fragments/document-integrity/ecdsaW3CSignatureIntegrity.js

@@ -1,4 +1,4 @@
-import { verifyW3CSignature } from '../../..';
+import { verifyW3CSignature } from '../../../w3c/verify';
 import { deriveCredential } from '@trustvc/w3c-vc';
 
 var __defProp = Object.defineProperty;

package/dist/esm/verify/fragments/document-integrity/w3cSignatureIntegrity.js

@@ -1,4 +1,4 @@
-import { verifyW3CSignature } from '../../..';
+import { verifyW3CSignature } from '../../../w3c/verify';
 
 var __defProp = Object.defineProperty;
 var __name = (target, value) => __defProp(target, "name", { value, configurable: true });

package/dist/esm/w3c/derive.js

@@ -0,0 +1,9 @@
+import { deriveCredential } from '@trustvc/w3c-vc';
+
+var __defProp = Object.defineProperty;
+var __name = (target, value) => __defProp(target, "name", { value, configurable: true });
+const deriveW3C = /* @__PURE__ */ __name(async (credential, revealedAttributes) => {
+  return deriveCredential(credential, revealedAttributes);
+}, "deriveW3C");
+
+export { deriveW3C };

package/dist/esm/w3c/index.js

@@ -9,3 +9,4 @@ export * from './types';
 import * as vc from './vc';
 export { vc };
 export * from './verify';
+export * from './derive';

package/dist/esm/w3c/sign.js

@@ -2,8 +2,8 @@ import { signCredential } from '@trustvc/w3c-vc';
 
 var __defProp = Object.defineProperty;
 var __name = (target, value) => __defProp(target, "name", { value, configurable: true });
-const signW3C = /* @__PURE__ */ __name(async (credential, keyPair, cryptoSuite = "BbsBlsSignature2020") => {
-  return signCredential(credential, keyPair, cryptoSuite);
+const signW3C = /* @__PURE__ */ __name(async (credential, keyPair, cryptoSuite = "ecdsa-sd-2023", options) => {
+  return signCredential(credential, keyPair, cryptoSuite, options);
 }, "signW3C");
 
 export { signW3C };

package/dist/types/core/documentBuilder.d.ts

@@ -1,5 +1,5 @@
 import { PrivateKeyPair } from '@trustvc/w3c-issuer';
-import { VerifiableCredential, CryptoSuiteName, SignedVerifiableCredential } from '@trustvc/w3c-vc';
+import { VerifiableCredential, CryptoSuiteName, SignedVerifiableCredential, ContextDocument } from '@trustvc/w3c-vc';
 
 /**
  * Configuration for a W3C Verifiable Document using a Bitstring Status List.
@@ -39,7 +39,7 @@ interface RenderMethod {
     templateName: string;
 }
 /**
- * Configuration for the qrcoode used in a Verifiable Credential document.
+ * Configuration for the qrcode used in a Verifiable Credential document.
  * @property {string} uri - A unique identifier for the qrcode, typically a URL or URI.
  * @property {string} type - The type of the qrcode method (e.g., 'TrustVCQRCode').
  */
@@ -47,8 +47,16 @@ interface qrCode {
     uri: string;
     type: string;
 }
+/**
+ * Options for signing a document.
+ * @property {string[]} mandatoryPointers - The mandatory pointers to be used for signing the document.
+ */
+interface SignOptions {
+    mandatoryPointers?: string[];
+}
 /**
  * Main class responsible for building, configuring, and signing documents with credential statuses.
+ * This class implements the W3C Verifiable Credentials Data Model 2.0 specification.
  */
 declare class DocumentBuilder {
     private document;
@@ -58,6 +66,7 @@ declare class DocumentBuilder {
     private rpcProviderUrl;
     private requiredFields;
     private isSigned;
+    private isDerived;
     /**
      * Constructor to initialize the document builder.
      * @param {Partial<VerifiableCredential>} input - The input document.
@@ -69,7 +78,8 @@ declare class DocumentBuilder {
     expirationDate(date: string | Date): this;
     renderMethod(method: RenderMethod): this;
     qrCode(method: qrCode): this;
-    sign(privateKey: PrivateKeyPair, cryptoSuite?: CryptoSuiteName): Promise<SignedVerifiableCredential>;
+    sign(privateKey: PrivateKeyPair, cryptoSuite?: CryptoSuiteName, options?: SignOptions): Promise<SignedVerifiableCredential>;
+    derive(revealedAttributes: ContextDocument | string[]): Promise<SignedVerifiableCredential>;
     verify(): Promise<boolean>;
     toString(): string;
     private isTransferableRecordsConfig;
@@ -82,4 +92,4 @@ declare class DocumentBuilder {
     private supportsInterface;
 }
 
-export { DocumentBuilder, type RenderMethod, type W3CTransferableRecordsConfig, type W3CVerifiableDocumentConfig, type qrCode };
+export { DocumentBuilder, type RenderMethod, type SignOptions, type W3CTransferableRecordsConfig, type W3CVerifiableDocumentConfig, type qrCode };

package/dist/types/core/index.d.ts

@@ -7,7 +7,7 @@ export { fetchEventTime, mergeTransfersV4, mergeTransfersV5, sortLogChain } from
 export { getEndorsementChain } from './endorsement-chain/retrieveEndorsementChain.js';
 export { EndorsementChain, ParsedLog, TitleEscrowTransferEvent, TitleEscrowTransferEventType, TokenTransferEvent, TokenTransferEventType, TradeTrustTokenEventType, TransferBaseEvent, TransferEvent, TransferEventType, TypedEvent } from './endorsement-chain/types.js';
 export { TitleEscrowInterface, checkSupportsInterface, fetchEndorsementChain, getDocumentOwner, getTitleEscrowAddress, isTitleEscrowVersion } from './endorsement-chain/useEndorsementChain.js';
-export { DocumentBuilder, RenderMethod, W3CTransferableRecordsConfig, W3CVerifiableDocumentConfig, qrCode } from './documentBuilder.js';
+export { DocumentBuilder, RenderMethod, SignOptions, W3CTransferableRecordsConfig, W3CVerifiableDocumentConfig, qrCode } from './documentBuilder.js';
 import '@trustvc/w3c-vc';
 import 'ethers';
 import '@tradetrust-tt/tt-verify/dist/types/src/types/core';

package/dist/types/index.d.ts

@@ -24,7 +24,7 @@ export { fetchEventTime, mergeTransfersV4, mergeTransfersV5, sortLogChain } from
 export { getEndorsementChain } from './core/endorsement-chain/retrieveEndorsementChain.js';
 export { EndorsementChain, ParsedLog, TitleEscrowTransferEvent, TitleEscrowTransferEventType, TokenTransferEvent, TokenTransferEventType, TradeTrustTokenEventType, TransferBaseEvent, TransferEvent, TransferEventType, TypedEvent } from './core/endorsement-chain/types.js';
 export { TitleEscrowInterface, checkSupportsInterface, fetchEndorsementChain, getDocumentOwner, getTitleEscrowAddress, isTitleEscrowVersion } from './core/endorsement-chain/useEndorsementChain.js';
-export { DocumentBuilder, RenderMethod, W3CTransferableRecordsConfig, W3CVerifiableDocumentConfig, qrCode } from './core/documentBuilder.js';
+export { DocumentBuilder, RenderMethod, SignOptions, W3CTransferableRecordsConfig, W3CVerifiableDocumentConfig, qrCode } from './core/documentBuilder.js';
 export { signOA } from './open-attestation/sign.js';
 export { KeyPair } from './open-attestation/types.js';
 export { diagnose, getAssetId, getDocumentData, getIssuerAddress, getTemplateURL, isDocumentRevokable, isRawV2Document, isRawV3Document, isSignedWrappedV2Document, isSignedWrappedV3Document, isTransferableAsset, isWrappedV2Document, isWrappedV3Document } from './open-attestation/utils.js';
@@ -40,6 +40,7 @@ export { RawVerifiableCredential, SignedVerifiableCredential, SigningResult, Ver
 export { PrivateKeyPair } from '@trustvc/w3c-issuer';
 export { i as vc } from './index-1ws_BWZW.js';
 export { verifyW3CSignature } from './w3c/verify.js';
+export { deriveW3C } from './w3c/derive.js';
 export { errorMessageHandling, w3cCredentialStatusRevoked, w3cCredentialStatusSuspended } from './utils/fragment/index.js';
 export * from '@tradetrust-tt/tradetrust-utils/constants/network';
 export { generate12ByteNonce, generate32ByteKey, stringToUint8Array } from './utils/stringUtils/index.js';

package/dist/types/w3c/derive.d.ts

@@ -0,0 +1,11 @@
+import { SignedVerifiableCredential, ContextDocument, DerivedResult } from '@trustvc/w3c-vc';
+
+/**
+ * Derives a credential with selective disclosure based on revealed attributes.
+ * @param {object} credential - The verifiable credential to be selectively disclosed.
+ * @param {object|string[]} revealedAttributes - For BBS+: The attributes from the credential that should be revealed. For ECDSA-SD-2023: Array of selective pointers.
+ * @returns {Promise<DerivedResult>} A DerivedResult containing the derived proof or an error message.
+ */
+declare const deriveW3C: (credential: SignedVerifiableCredential, revealedAttributes: ContextDocument | string[]) => Promise<DerivedResult>;
+
+export { deriveW3C };

package/dist/types/w3c/index.d.ts

@@ -6,5 +6,6 @@ export { RawVerifiableCredential, SignedVerifiableCredential, SigningResult, Ver
 export { PrivateKeyPair } from '@trustvc/w3c-issuer';
 export { i as vc } from '../index-1ws_BWZW.js';
 export { verifyW3CSignature } from './verify.js';
+export { deriveW3C } from './derive.js';
 import '@trustvc/w3c-context';
 import '@trustvc/w3c-credential-status';

package/dist/types/w3c/sign.d.ts

@@ -5,9 +5,13 @@ import { PrivateKeyPair } from '@trustvc/w3c-issuer';
  * Signs a W3C Verifiable Credential using the provided cryptographic suite and key pair.
  * @param {RawVerifiableCredential} credential - The verifiable credential object that needs to be signed.
  * @param {PrivateKeyPair} keyPair - The private and public key pair used for signing the credential.
- * @param {CryptoSuiteName} [cryptoSuite='BbsBlsSignature2020'] - The cryptographic suite to be used for signing (default is 'BbsBlsSignature2020').
+ * @param {CryptoSuiteName} [cryptoSuite='ecdsa-sd-2023'] - The cryptographic suite to be used for signing (default is 'ecdsa-sd-2023').
+ * @param {object} [options] - Optional parameters including mandatoryPointers for ECDSA-SD-2023.
+ * @param {string[]} [options.mandatoryPointers] - Optional mandatory pointers for ECDSA-SD-2023.
  * @returns {Promise<SigningResult>} A promise that resolves to the result of the signing operation, which includes the signed credential.
  */
-declare const signW3C: (credential: RawVerifiableCredential, keyPair: PrivateKeyPair, cryptoSuite?: CryptoSuiteName) => Promise<SigningResult>;
+declare const signW3C: (credential: RawVerifiableCredential, keyPair: PrivateKeyPair, cryptoSuite?: CryptoSuiteName, options?: {
+    mandatoryPointers?: string[];
+}) => Promise<SigningResult>;
 
 export { signW3C };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@trustvc/trustvc",
-  "version": "1.6.0-alpha.5",
+  "version": "1.6.0-alpha.7",
   "description": "TrustVC library",
   "main": "dist/cjs/index.js",
   "module": "dist/esm/index.js",
@@ -121,11 +121,11 @@
     "@tradetrust-tt/tradetrust": "^6.10.2",
     "@tradetrust-tt/tradetrust-utils": "^2.4.2",
     "@tradetrust-tt/tt-verify": "^9.5.1",
-    "@trustvc/w3c": "^1.3.0-alpha.5",
-    "@trustvc/w3c-context": "^1.3.0-alpha.5",
-    "@trustvc/w3c-credential-status": "^1.3.0-alpha.5",
+    "@trustvc/w3c": "^1.3.0-alpha.7",
+    "@trustvc/w3c-context": "^1.3.0-alpha.7",
+    "@trustvc/w3c-credential-status": "^1.3.0-alpha.7",
     "@trustvc/w3c-issuer": "^1.3.0-alpha.5",
-    "@trustvc/w3c-vc": "^1.3.0-alpha.5",
+    "@trustvc/w3c-vc": "^1.3.0-alpha.7",
     "ethers": "^5.8.0",
     "ethersV6": "npm:ethers@^6.14.4",
     "js-sha3": "^0.9.3",