@vess-id/ai-identity 0.0.1 → 0.0.2

package/dist/index.js

@@ -57,15 +57,20 @@ __export(index_exports, {
   checkPermissionWithVP: () => checkPermissionWithVP,
   configure: () => configure,
   createAjv: () => createAjv,
+  createDidJwk: () => createDidJwk,
   defaultConstraintEvaluator: () => defaultConstraintEvaluator,
   evaluateConstraints: () => evaluateConstraints,
+  extractPublicKey: () => extractPublicKey,
+  extractPublicKeyFromDid: () => extractPublicKeyFromDid,
   generateKeyPair: () => generateKeyPair,
   generateNonce: () => generateNonce,
   getClient: () => getClient,
+  getKeyIdFromDid: () => getKeyIdFromDid,
   getRequiredRelations: () => getRequiredRelations,
   getRequiredScopes: () => getRequiredScopes,
   indexActions: () => indexActions,
   indexCapabilities: () => indexCapabilities,
+  isValidDidJwk: () => isValidDidJwk,
   loadActionRegistryFromFile: () => loadActionRegistryFromFile,
   loadActionRegistryFromObject: () => loadActionRegistryFromObject,
   planDelegationForVC: () => planDelegationForVC,
@@ -427,7 +432,51 @@ async function getVerifier(publicKey) {
   };
 }
 
+// src/did/did-utils.ts
+function createDidJwk(publicKey) {
+  const publicJwk = {
+    kty: publicKey.kty,
+    crv: publicKey.crv,
+    x: publicKey.x,
+    y: publicKey.y,
+    use: publicKey.use,
+    alg: publicKey.alg
+  };
+  const cleanedJwk = Object.fromEntries(
+    Object.entries(publicJwk).filter(([_, v]) => v !== void 0)
+  );
+  const encoded = Buffer.from(JSON.stringify(cleanedJwk)).toString("base64url");
+  return `did:jwk:${encoded}`;
+}
+function extractPublicKey(privateKey) {
+  const { d, key_ops, ...publicKey } = privateKey;
+  return publicKey;
+}
+function extractPublicKeyFromDid(did) {
+  if (!did.startsWith("did:jwk:")) {
+    throw new Error("Only did:jwk format is supported");
+  }
+  const encoded = did.replace("did:jwk:", "");
+  return JSON.parse(Buffer.from(encoded, "base64url").toString());
+}
+function isValidDidJwk(did) {
+  if (!did.startsWith("did:jwk:")) {
+    return false;
+  }
+  try {
+    const encoded = did.replace("did:jwk:", "");
+    const decoded = JSON.parse(Buffer.from(encoded, "base64url").toString());
+    return typeof decoded === "object" && decoded.kty !== void 0;
+  } catch {
+    return false;
+  }
+}
+function getKeyIdFromDid(did) {
+  return `${did}#0`;
+}
+
 // src/utils/sdjwt-client.ts
+var import_node_crypto2 = require("crypto");
 var SDJwtClient = class {
   static instances = /* @__PURE__ */ new Map();
   static keyManager;
@@ -632,6 +681,212 @@ var SDJwtClient = class {
       verifierCount: this.verifierCache.size
     };
   }
+  /**
+   * Create a verifier function from an external public key
+   * This is used for verifying SD-JWTs when you don't have the private key
+   * (e.g., API side verifying credentials issued by MCP)
+   */
+  static async getVerifierFromPublicKey(publicKey) {
+    const key = await import_node_crypto2.subtle.importKey(
+      "jwk",
+      publicKey,
+      {
+        name: "ECDSA",
+        namedCurve: "P-256"
+      },
+      true,
+      ["verify"]
+    );
+    return async (data, signatureBase64url) => {
+      const encoder = new TextEncoder();
+      const signature = Uint8Array.from(
+        atob(signatureBase64url.replace(/-/g, "+").replace(/_/g, "/")),
+        (c) => c.charCodeAt(0)
+      );
+      const isValid = await import_node_crypto2.subtle.verify(
+        {
+          name: "ECDSA",
+          hash: { name: "SHA-256" }
+        },
+        key,
+        signature,
+        encoder.encode(data)
+      );
+      return isValid;
+    };
+  }
+  /**
+   * Get SDJwtVcInstance for verification with an external public key
+   * Used when verifying credentials without having the issuer's private key
+   */
+  static async getVerificationInstance(publicKey) {
+    const cacheKey = `verify:${JSON.stringify(publicKey)}`;
+    if (!this.instances.has(cacheKey)) {
+      const dummySigner = async () => "dummy";
+      const verifier = await this.getVerifierFromPublicKey(publicKey);
+      const instance = new import_sd_jwt_vc.SDJwtVcInstance({
+        signer: dummySigner,
+        verifier,
+        signAlg: import_crypto_nodejs.ES256.alg,
+        hasher: import_crypto_nodejs.digest,
+        hashAlg: "sha-256",
+        saltGenerator: import_crypto_nodejs.generateSalt
+      });
+      this.instances.set(cacheKey, instance);
+    }
+    return this.instances.get(cacheKey);
+  }
+  /**
+   * Get SDJwtVcInstance for decoding without verification
+   */
+  static async getDecodingInstance() {
+    const cacheKey = "decode:dummy";
+    if (!this.instances.has(cacheKey)) {
+      const dummySigner = async () => "dummy";
+      const dummyVerifier = async () => false;
+      const instance = new import_sd_jwt_vc.SDJwtVcInstance({
+        signer: dummySigner,
+        verifier: dummyVerifier,
+        signAlg: import_crypto_nodejs.ES256.alg,
+        hasher: import_crypto_nodejs.digest,
+        hashAlg: "sha-256",
+        saltGenerator: import_crypto_nodejs.generateSalt
+      });
+      this.instances.set(cacheKey, instance);
+    }
+    return this.instances.get(cacheKey);
+  }
+  /**
+   * Verify an SD-JWT with an external public key
+   * Use this when you have the issuer's public key but not their private key
+   *
+   * @param credential - The SD-JWT credential string
+   * @param publicKey - The issuer's public key (JWK format)
+   * @returns Verification result with valid flag and payload
+   *
+   * @example
+   * ```typescript
+   * const publicKey = extractPublicKeyFromDid(issuerDid)
+   * const result = await SDJwtClient.verifyWithExternalKey(credential, publicKey)
+   * if (result.valid) {
+   *   console.log('Verified claims:', result.payload.claims)
+   * }
+   * ```
+   */
+  static async verifyWithExternalKey(credential, publicKey) {
+    try {
+      const sdJwtInstance = await this.getVerificationInstance(publicKey);
+      const verificationResult = await sdJwtInstance.verify(credential, {});
+      if (!verificationResult) {
+        return { valid: false, error: "Verification failed" };
+      }
+      const claims = await sdJwtInstance.getClaims(credential);
+      return {
+        valid: true,
+        payload: verificationResult.payload,
+        claims
+      };
+    } catch (error) {
+      return {
+        valid: false,
+        error: error.message
+      };
+    }
+  }
+  /**
+   * Verify an SD-JWT by extracting the issuer's public key from the DID
+   * Automatically resolves did:jwk DIDs
+   *
+   * @param credential - The SD-JWT credential string
+   * @returns Verification result with valid flag and payload
+   *
+   * @example
+   * ```typescript
+   * const result = await SDJwtClient.verifyWithIssuerDid(credential)
+   * if (result.valid) {
+   *   console.log('Issuer:', result.payload.iss)
+   * }
+   * ```
+   */
+  static async verifyWithIssuerDid(credential) {
+    try {
+      const decoded = await this.decodeWithoutVerification(credential);
+      if (!decoded.payload) {
+        return { valid: false, error: "Failed to decode credential" };
+      }
+      const issuerDid = decoded.payload.iss || decoded.payload.issuer;
+      if (!issuerDid || typeof issuerDid !== "string") {
+        return { valid: false, error: "Issuer DID not found in credential" };
+      }
+      const publicKey = extractPublicKeyFromDid(issuerDid);
+      const result = await this.verifyWithExternalKey(credential, publicKey);
+      return {
+        ...result,
+        issuerDid
+      };
+    } catch (error) {
+      return {
+        valid: false,
+        error: error.message
+      };
+    }
+  }
+  /**
+   * Decode an SD-JWT without verification
+   * Use this when you need to inspect the credential before verification
+   * or when you don't have the issuer's public key
+   *
+   * WARNING: The returned payload has not been verified!
+   * Only use this for inspection purposes, not for authorization decisions.
+   *
+   * @param credential - The SD-JWT credential string
+   * @returns Decoded JWT payload, header, and disclosures
+   *
+   * @example
+   * ```typescript
+   * const decoded = await SDJwtClient.decodeWithoutVerification(credential)
+   * console.log('Issuer (unverified):', decoded.payload?.iss)
+   * console.log('Disclosures:', decoded.disclosures?.length)
+   * ```
+   */
+  static async decodeWithoutVerification(credential) {
+    try {
+      const sdJwtInstance = await this.getDecodingInstance();
+      const decoded = await sdJwtInstance.decode(credential);
+      if (!decoded || !decoded.jwt) {
+        return { error: "Failed to decode SD-JWT" };
+      }
+      const claims = await decoded.getClaims(import_crypto_nodejs.digest);
+      return {
+        payload: decoded.jwt.payload,
+        header: decoded.jwt.header,
+        disclosures: decoded.disclosures,
+        claims
+      };
+    } catch (error) {
+      return { error: error.message };
+    }
+  }
+  /**
+   * Extract issuer DID from an SD-JWT without verification
+   * Useful for determining the issuer before verification
+   *
+   * @param credential - The SD-JWT credential string
+   * @returns The issuer DID or null if not found
+   */
+  static extractIssuerDid(credential) {
+    try {
+      const parts = credential.split("~");
+      if (parts.length === 0) return null;
+      const jwt = parts[0];
+      const jwtParts = jwt.split(".");
+      if (jwtParts.length !== 3) return null;
+      const payload = JSON.parse(Buffer.from(jwtParts[1], "base64url").toString());
+      return payload.iss || payload.issuer || null;
+    } catch {
+      return null;
+    }
+  }
 };
 
 // src/agent/agent-did-manager.ts
@@ -647,7 +902,7 @@ var AgentDIDManager = class {
    */
   async generateAgentDID(agentId) {
     const keyPair = await SDJwtClient.generateKeyPair();
-    const did = this.createDidJwk(keyPair.publicKey);
+    const did = createDidJwk(keyPair.publicKey);
     await this.keyManager.storeKey(did, keyPair.privateKey);
     this.agentDIDMap.set(agentId, did);
     await this.saveAgentDIDMapping(agentId, did);
@@ -689,7 +944,7 @@ var AgentDIDManager = class {
     }
     return {
       privateKey,
-      publicKey: this.extractPublicKey(privateKey)
+      publicKey: extractPublicKey(privateKey)
     };
   }
   /**
@@ -731,31 +986,6 @@ var AgentDIDManager = class {
       return [];
     }
   }
-  /**
-   * Create did:jwk from public key
-   */
-  createDidJwk(publicKey) {
-    const publicJwk = {
-      kty: publicKey.kty,
-      crv: publicKey.crv,
-      x: publicKey.x,
-      y: publicKey.y,
-      use: publicKey.use,
-      alg: publicKey.alg
-    };
-    const encoded = Buffer.from(JSON.stringify(publicJwk)).toString("base64url");
-    return `did:jwk:${encoded}`;
-  }
-  /**
-   * Extract public key from private key
-   */
-  extractPublicKey(privateKey) {
-    const { d, key_ops, ...publicKey } = privateKey;
-    return {
-      ...publicKey
-      // Remove key_ops for public key
-    };
-  }
   /**
    * Save agent ID -> DID mapping to persistent storage
    */
@@ -972,7 +1202,7 @@ var UserIdentityManager = class {
    */
   async createUserDID() {
     const keyPair = await SDJwtClient.generateKeyPair();
-    const did = this.createDidJwk(keyPair.publicKey);
+    const did = createDidJwk(keyPair.publicKey);
     await this.keyManager.storeKey(did, keyPair.privateKey);
     await this.saveUserDID(did);
     this.currentUserDID = did;
@@ -989,7 +1219,7 @@ var UserIdentityManager = class {
     }
     return {
       privateKey,
-      publicKey: this.extractPublicKey(privateKey)
+      publicKey: extractPublicKey(privateKey)
     };
   }
   /**
@@ -1030,34 +1260,11 @@ var UserIdentityManager = class {
     await this.clearUserDID();
     return await this.createUserDID();
   }
-  /**
-   * Create did:jwk from public key
-   */
-  createDidJwk(publicKey) {
-    const publicJwk = {
-      kty: publicKey.kty,
-      crv: publicKey.crv,
-      x: publicKey.x,
-      y: publicKey.y,
-      use: publicKey.use,
-      alg: publicKey.alg
-    };
-    const encoded = Buffer.from(JSON.stringify(publicJwk)).toString("base64url");
-    return `did:jwk:${encoded}`;
-  }
-  /**
-   * Extract public key from private key
-   */
-  extractPublicKey(privateKey) {
-    const { d, key_ops, ...publicKey } = privateKey;
-    return publicKey;
-  }
   /**
    * Resolve did:jwk locally
    */
   resolveDidJwkLocally(did) {
-    const encoded = did.replace("did:jwk:", "");
-    const publicJwk = JSON.parse(Buffer.from(encoded, "base64url").toString());
+    const publicJwk = extractPublicKeyFromDid(did);
     return this.createDidDocument(did, publicJwk);
   }
   /**
@@ -3028,7 +3235,7 @@ var MetricsManager = class {
   /**
    * End tracking an operation
    */
-  endOperation(operationId, success, error) {
+  endOperation(_operationId, success, error) {
     const endTime = performance.now();
     const operation = this.operations[this.operations.length - 1];
     if (operation) {
@@ -4551,15 +4758,20 @@ var version = "0.0.1";
   checkPermissionWithVP,
   configure,
   createAjv,
+  createDidJwk,
   defaultConstraintEvaluator,
   evaluateConstraints,
+  extractPublicKey,
+  extractPublicKeyFromDid,
   generateKeyPair,
   generateNonce,
   getClient,
+  getKeyIdFromDid,
   getRequiredRelations,
   getRequiredScopes,
   indexActions,
   indexCapabilities,
+  isValidDidJwk,
   loadActionRegistryFromFile,
   loadActionRegistryFromObject,
   planDelegationForVC,