npm - @vidos-id/openid4vc-issuer - Versions diffs - 0.0.0-test1 - Mend

@vidos-id/openid4vc-issuer 0.0.0-test1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/dist/index.mjs ADDED Viewed

@@ -0,0 +1,670 @@
+import { execFileSync } from "node:child_process";
+import { mkdtemp, readFile, rm, writeFile } from "node:fs/promises";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+import { SignJWT, calculateJwkThumbprint, decodeProtectedHeader, exportJWK, exportPKCS8, exportSPKI, generateKeyPair, importJWK, jwtVerify } from "jose";
+import { z } from "zod";
+import { SDJwt } from "@sd-jwt/core";
+import { hasher } from "@sd-jwt/hash";
+import { SDJwtVcInstance } from "@sd-jwt/sd-jwt-vc";
+import { deflateSync } from "node:zlib";
+import { randomBytes } from "node:crypto";
+//#region src/schemas.ts
+const jwkSchema = z.object({
+	kty: z.string().min(1),
+	kid: z.string().min(1).optional(),
+	alg: z.string().min(1).optional(),
+	crv: z.string().min(1).optional(),
+	x: z.string().min(1).optional(),
+	y: z.string().min(1).optional(),
+	d: z.string().min(1).optional(),
+	n: z.string().min(1).optional(),
+	e: z.string().min(1).optional(),
+	use: z.string().min(1).optional(),
+	key_ops: z.array(z.string().min(1)).optional(),
+	x5c: z.array(z.string().min(1)).optional()
+}).catchall(z.unknown());
+const claimSetSchema = z.record(z.string(), z.unknown());
+const credentialConfigurationSchema = z.object({
+	format: z.literal("dc+sd-jwt"),
+	vct: z.string().min(1),
+	scope: z.string().min(1).optional(),
+	claims: z.record(z.string(), z.unknown()).optional(),
+	proof_signing_alg_values_supported: z.array(z.string().min(1)).default([
+		"ES256",
+		"ES384",
+		"EdDSA"
+	])
+});
+const signingAlgSchema = z.enum([
+	"ES256",
+	"ES384",
+	"EdDSA"
+]);
+const statusListBitsSchema = z.union([
+	z.literal(1),
+	z.literal(2),
+	z.literal(4),
+	z.literal(8)
+]);
+const tokenStatusValueSchema = z.number().int().min(0).max(255);
+const credentialStatusListReferenceSchema = z.object({
+	idx: z.number().int().nonnegative(),
+	uri: z.string().min(1)
+});
+const credentialStatusSchema = z.object({ status_list: credentialStatusListReferenceSchema });
+const statusListRecordSchema = z.object({
+	uri: z.string().min(1),
+	bits: statusListBitsSchema.default(1),
+	statuses: z.array(tokenStatusValueSchema).default([]),
+	ttl: z.number().int().positive().optional(),
+	expiresAt: z.number().int().positive().optional(),
+	aggregation_uri: z.string().min(1).optional()
+});
+const createStatusListInputSchema = statusListRecordSchema.omit({ statuses: true });
+const allocateCredentialStatusInputSchema = z.object({
+	statusList: statusListRecordSchema,
+	status: tokenStatusValueSchema.default(0)
+});
+const updateCredentialStatusInputSchema = z.object({
+	statusList: statusListRecordSchema,
+	idx: z.number().int().nonnegative(),
+	status: tokenStatusValueSchema
+});
+const issuerConfigSchema = z.object({
+	issuer: z.string().url(),
+	credentialConfigurationsSupported: z.record(z.string(), credentialConfigurationSchema).refine((value) => Object.keys(value).length > 0, "At least one credential configuration is required"),
+	signingKey: z.object({
+		alg: signingAlgSchema.default("EdDSA"),
+		privateJwk: jwkSchema,
+		publicJwk: jwkSchema
+	}),
+	endpoints: z.object({
+		token: z.string().url().optional(),
+		credential: z.string().url().optional(),
+		nonce: z.string().url().optional()
+	}).optional(),
+	nonceTtlSeconds: z.number().int().positive().default(300),
+	grantTtlSeconds: z.number().int().positive().default(600),
+	tokenTtlSeconds: z.number().int().positive().default(600)
+});
+const createPreAuthorizedGrantInputSchema = z.object({
+	credential_configuration_id: z.string().min(1),
+	claims: claimSetSchema,
+	expires_in: z.number().int().positive().optional()
+});
+const createCredentialOfferInputSchema = createPreAuthorizedGrantInputSchema;
+const preAuthorizedGrantTypeSchema = z.literal("urn:ietf:params:oauth:grant-type:pre-authorized_code");
+const credentialOfferGrantSchema = z.object({
+	"pre-authorized_code": z.string().min(1),
+	tx_code: z.never().optional()
+});
+const credentialOfferSchema = z.object({
+	credential_issuer: z.string().url(),
+	credential_configuration_ids: z.array(z.string().min(1)).min(1).max(1),
+	grants: z.object({ "urn:ietf:params:oauth:grant-type:pre-authorized_code": credentialOfferGrantSchema })
+});
+const credentialOfferUriSchema = z.string().min(1).refine((value) => {
+	try {
+		return new URL(value).protocol === "openid-credential-offer:";
+	} catch {
+		return false;
+	}
+}, "Credential offer URI must use openid-credential-offer://");
+const issuerMetadataCredentialConfigurationSchema = z.object({
+	format: z.literal("dc+sd-jwt"),
+	vct: z.string().min(1),
+	scope: z.string().min(1),
+	proof_types_supported: z.object({ jwt: z.object({ proof_signing_alg_values_supported: z.array(z.string().min(1)).min(1) }) }),
+	cryptographic_binding_methods_supported: z.array(z.literal("jwk")).min(1),
+	credential_signing_alg_values_supported: z.array(z.string().min(1)).min(1)
+});
+const issuerMetadataSchema = z.object({
+	credential_issuer: z.string().url(),
+	token_endpoint: z.string().url(),
+	credential_endpoint: z.string().url(),
+	nonce_endpoint: z.string().url().optional(),
+	jwks: z.object({ keys: z.array(jwkSchema).min(1) }),
+	credential_configurations_supported: z.record(z.string(), issuerMetadataCredentialConfigurationSchema)
+});
+const preAuthorizedGrantRecordSchema = z.object({
+	preAuthorizedCode: z.string().min(1),
+	credentialConfigurationId: z.string().min(1),
+	claims: claimSetSchema,
+	expiresAt: z.number().int(),
+	used: z.boolean()
+});
+const tokenRequestSchema = z.object({
+	grant_type: preAuthorizedGrantTypeSchema,
+	"pre-authorized_code": z.string().min(1),
+	tx_code: z.string().min(1).optional()
+});
+const tokenResponseSchema = z.object({
+	access_token: z.string().min(1),
+	token_type: z.literal("Bearer"),
+	expires_in: z.number().int().positive(),
+	credential_configuration_id: z.string().min(1),
+	c_nonce: z.string().min(1).optional(),
+	c_nonce_expires_in: z.number().int().positive().optional()
+});
+const exchangePreAuthorizedCodeInputSchema = z.object({
+	tokenRequest: tokenRequestSchema,
+	preAuthorizedGrant: preAuthorizedGrantRecordSchema
+});
+const accessTokenRecordSchema = z.object({
+	accessToken: z.string().min(1),
+	credentialConfigurationId: z.string().min(1),
+	claims: claimSetSchema,
+	expiresAt: z.number().int(),
+	used: z.boolean()
+});
+const issueCredentialInputSchema = z.object({
+	accessToken: accessTokenRecordSchema,
+	credential_configuration_id: z.string().min(1),
+	holderPublicJwk: jwkSchema.optional(),
+	status: credentialStatusSchema.optional()
+});
+const nonceRecordSchema = z.object({
+	c_nonce: z.string().min(1),
+	expiresAt: z.number().int(),
+	used: z.boolean()
+});
+const nonceResponseSchema = z.object({
+	c_nonce: z.string().min(1),
+	c_nonce_expires_in: z.number().int().positive()
+});
+const credentialRequestProofSchema = z.object({
+	proof_type: z.literal("jwt"),
+	jwt: z.string().min(1)
+});
+const credentialRequestSchema = z.object({
+	format: z.literal("dc+sd-jwt").optional(),
+	credential_configuration_id: z.string().min(1),
+	proofs: z.object({ jwt: z.array(credentialRequestProofSchema).min(1) })
+});
+const credentialResponseSchema = z.object({
+	format: z.literal("dc+sd-jwt"),
+	credential: z.string().min(1),
+	c_nonce: z.string().min(1).optional(),
+	c_nonce_expires_in: z.number().int().positive().optional()
+});
+const validateProofJwtInputSchema = z.object({
+	jwt: z.string().min(1),
+	nonce: nonceRecordSchema
+});
+//#endregion
+//#region src/crypto.ts
+const cleanupFingerprint = (value) => value.replace(/^sha256 fingerprint=/i, "").replaceAll(":", "").trim();
+const certificatePemToX5c = (certificatePem) => [certificatePem.replace("-----BEGIN CERTIFICATE-----", "").replace("-----END CERTIFICATE-----", "").replace(/\s+/g, "")];
+const generateIssuerTrustMaterial = async (input) => {
+	const kid = input?.kid ?? "issuer-key-1";
+	const subject = input?.subject ?? "/CN=Demo Issuer/O=openid4vc-tools";
+	const daysValid = input?.daysValid ?? 365;
+	const alg = input?.alg ?? "EdDSA";
+	const { privateKey, publicKey } = alg === "EdDSA" ? await generateKeyPair("EdDSA", {
+		crv: "Ed25519",
+		extractable: true
+	}) : await generateKeyPair(alg, { extractable: true });
+	const privateJwk = jwkSchema.parse({
+		...await exportJWK(privateKey),
+		kid,
+		alg,
+		use: "sig"
+	});
+	const publicJwk = jwkSchema.parse({
+		...await exportJWK(publicKey),
+		kid,
+		alg,
+		use: "sig"
+	});
+	const privateKeyPem = await exportPKCS8(privateKey);
+	const publicKeyPem = await exportSPKI(publicKey);
+	const dir = await mkdtemp(join(tmpdir(), "issuer-trust-"));
+	const keyPath = join(dir, "issuer-key.pem");
+	const certPath = join(dir, "issuer-cert.pem");
+	try {
+		await writeFile(keyPath, privateKeyPem, "utf8");
+		execFileSync("openssl", [
+			"req",
+			"-x509",
+			"-new",
+			"-key",
+			keyPath,
+			"-out",
+			certPath,
+			"-subj",
+			subject,
+			"-days",
+			String(daysValid)
+		], { stdio: "ignore" });
+		const certificatePem = await readFile(certPath, "utf8");
+		const certificateFingerprintSha256 = cleanupFingerprint(execFileSync("openssl", [
+			"x509",
+			"-noout",
+			"-fingerprint",
+			"-sha256",
+			"-in",
+			certPath
+		], { encoding: "utf8" }));
+		const x5c = certificatePemToX5c(certificatePem);
+		const publicJwkWithCertificate = jwkSchema.parse({
+			...publicJwk,
+			x5c
+		});
+		const jwks = { keys: [publicJwkWithCertificate] };
+		return {
+			alg,
+			kid,
+			privateJwk,
+			publicJwk: publicJwkWithCertificate,
+			privateKeyPem,
+			publicKeyPem,
+			certificatePem,
+			certificateFingerprintSha256,
+			jwks,
+			trustArtifact: {
+				kid,
+				alg,
+				jwks,
+				publicKeyPem,
+				certificatePem,
+				certificateFingerprintSha256
+			}
+		};
+	} finally {
+		await rm(dir, {
+			recursive: true,
+			force: true
+		});
+	}
+};
+//#endregion
+//#region src/errors.ts
+var IssuerError = class extends Error {
+	constructor(code, message) {
+		super(message);
+		this.code = code;
+		this.name = "IssuerError";
+	}
+};
+//#endregion
+//#region src/openid4vci.ts
+const OPENID_CREDENTIAL_OFFER_WELL_KNOWN = "/.well-known/openid-credential-issuer";
+function createIssuerMetadata(config) {
+	const parsed = issuerConfigSchema.parse(config);
+	const tokenEndpoint = parsed.endpoints?.token ?? new URL("/token", parsed.issuer).toString();
+	const credentialEndpoint = parsed.endpoints?.credential ?? new URL("/credential", parsed.issuer).toString();
+	const nonceEndpoint = parsed.endpoints?.nonce ?? new URL("/nonce", parsed.issuer).toString();
+	return issuerMetadataSchema.parse({
+		credential_issuer: parsed.issuer,
+		token_endpoint: tokenEndpoint,
+		credential_endpoint: credentialEndpoint,
+		nonce_endpoint: nonceEndpoint,
+		jwks: { keys: [parsed.signingKey.publicJwk] },
+		credential_configurations_supported: Object.fromEntries(Object.entries(parsed.credentialConfigurationsSupported).map(([id, entry]) => [id, {
+			format: entry.format,
+			vct: entry.vct,
+			scope: entry.scope ?? id,
+			proof_types_supported: { jwt: { proof_signing_alg_values_supported: entry.proof_signing_alg_values_supported } },
+			cryptographic_binding_methods_supported: ["jwk"],
+			credential_signing_alg_values_supported: [parsed.signingKey.alg]
+		}]))
+	});
+}
+function serializeCredentialOfferUri(offer) {
+	const parsed = credentialOfferSchema.parse(offer);
+	const url = new URL("openid-credential-offer://");
+	url.searchParams.set("credential_offer", JSON.stringify(parsed));
+	return credentialOfferUriSchema.parse(url.toString());
+}
+function serializeCredentialOfferReferenceUri(credentialOfferUrl) {
+	const parsed = new URL(credentialOfferUrl).toString();
+	const url = new URL("openid-credential-offer://");
+	url.searchParams.set("credential_offer_uri", parsed);
+	return credentialOfferUriSchema.parse(url.toString());
+}
+function getCredentialIssuerMetadataUrl(credentialIssuer) {
+	const issuerUrl = new URL(credentialIssuer);
+	const issuerPath = issuerUrl.pathname === "/" ? "" : issuerUrl.pathname;
+	return new URL(`${OPENID_CREDENTIAL_OFFER_WELL_KNOWN}${issuerPath}`, issuerUrl.origin).toString();
+}
+//#endregion
+//#region src/status-list.ts
+const maxStatusValue = (bits) => (1 << bits) - 1;
+function assertStatusValueFits(bits, value) {
+	if (value > maxStatusValue(bits)) throw new Error(`Status value ${value} does not fit in a ${bits}-bit status list`);
+}
+function createStatusList(input) {
+	const parsed = createStatusListInputSchema.parse(input);
+	return statusListRecordSchema.parse({
+		...parsed,
+		statuses: []
+	});
+}
+function allocateCredentialStatus(input) {
+	const parsed = allocateCredentialStatusInputSchema.parse(input);
+	assertStatusValueFits(parsed.statusList.bits, parsed.status);
+	const idx = parsed.statusList.statuses.length;
+	const updatedStatusList = statusListRecordSchema.parse({
+		...parsed.statusList,
+		statuses: [...parsed.statusList.statuses, parsed.status]
+	});
+	return {
+		credentialStatus: { status_list: {
+			idx,
+			uri: parsed.statusList.uri
+		} },
+		updatedStatusList
+	};
+}
+function updateCredentialStatus(input) {
+	const parsed = updateCredentialStatusInputSchema.parse(input);
+	assertStatusValueFits(parsed.statusList.bits, parsed.status);
+	if (parsed.idx >= parsed.statusList.statuses.length) throw new Error(`Status list index ${parsed.idx} is out of bounds`);
+	const statuses = [...parsed.statusList.statuses];
+	statuses[parsed.idx] = parsed.status;
+	return statusListRecordSchema.parse({
+		...parsed.statusList,
+		statuses
+	});
+}
+function encodeStatusList(statusList) {
+	const parsed = statusListRecordSchema.parse(statusList);
+	const packed = packStatuses(parsed.statuses, parsed.bits);
+	return {
+		bits: parsed.bits,
+		lst: deflateSync(packed).toString("base64url"),
+		aggregation_uri: parsed.aggregation_uri
+	};
+}
+async function createStatusListJwt(input) {
+	const payload = encodeStatusList(input.statusList);
+	const claims = {
+		iss: input.issuer,
+		status_list: payload
+	};
+	if (input.statusList.ttl) claims.ttl = input.statusList.ttl;
+	const jwt = new SignJWT(claims).setProtectedHeader({
+		alg: input.signingKey.alg,
+		typ: "statuslist+jwt",
+		kid: input.signingKey.publicJwk.kid,
+		x5c: input.signingKey.publicJwk.x5c
+	}).setSubject(input.statusList.uri).setIssuedAt(input.now());
+	if (input.statusList.expiresAt) jwt.setExpirationTime(input.statusList.expiresAt);
+	return jwt.sign(input.signingKey.privateKey);
+}
+function packStatuses(statuses, bits) {
+	const byteLength = Math.ceil(statuses.length * bits / 8);
+	const output = new Uint8Array(byteLength);
+	for (const [idx, status] of statuses.entries()) {
+		assertStatusValueFits(bits, status);
+		const bitOffset = idx * bits;
+		const byteIndex = Math.floor(bitOffset / 8);
+		const intraByteOffset = bitOffset % 8;
+		output[byteIndex] = (output[byteIndex] ?? 0) | status << intraByteOffset;
+	}
+	return output;
+}
+//#endregion
+//#region src/utils.ts
+const nowInSeconds = () => Math.floor(Date.now() / 1e3);
+const randomToken = () => randomBytes(24).toString("base64url");
+const cloneJson = (value) => structuredClone(value);
+const toBase64Url = (input) => Buffer.from(input).toString("base64url");
+const fromBase64Url = (input) => new Uint8Array(Buffer.from(input, "base64url"));
+//#endregion
+//#region src/issuer.ts
+const RESERVED_CREDENTIAL_CLAIMS = new Set([
+	"iss",
+	"nbf",
+	"exp",
+	"cnf",
+	"vct",
+	"status",
+	"iat"
+]);
+const deriveDisclosureFrame = (claims) => {
+	const topLevelClaims = Object.keys(claims).filter((claim) => !RESERVED_CREDENTIAL_CLAIMS.has(claim));
+	if (topLevelClaims.length === 0) return;
+	return { _sd: topLevelClaims };
+};
+const sanitizeCredentialClaims = (claims) => Object.fromEntries(Object.entries(claims).filter(([claim]) => !RESERVED_CREDENTIAL_CLAIMS.has(claim)));
+const subtleAlgorithm = (alg) => {
+	if (alg === "EdDSA") return "Ed25519";
+	if (alg === "ES384") return {
+		name: "ECDSA",
+		hash: "SHA-384"
+	};
+	return {
+		name: "ECDSA",
+		hash: "SHA-256"
+	};
+};
+const createSdJwtSigner = (privateKey, alg) => async (input) => {
+	const signature = await crypto.subtle.sign(subtleAlgorithm(alg), privateKey, new TextEncoder().encode(input));
+	return toBase64Url(new Uint8Array(signature));
+};
+const createSdJwtVerifier = (publicKey, alg) => async (input, signature) => {
+	return crypto.subtle.verify(subtleAlgorithm(alg), publicKey, fromBase64Url(signature), new TextEncoder().encode(input));
+};
+const holderJwkSchema = jwkSchema.refine((value) => Boolean(value.kty && (value.x || value.n)), "Holder proof must contain an embedded public JWK");
+const proofPayloadSchema = z.object({
+	aud: z.union([z.string().min(1), z.array(z.string().min(1)).min(1)]),
+	nonce: z.string().min(1),
+	cnf: z.object({ jwk: holderJwkSchema }).optional()
+});
+var DemoIssuer = class {
+	config;
+	now;
+	idGenerator;
+	issuerPrivateKeyPromise;
+	issuerPublicKeyPromise;
+	sdJwtVc;
+	constructor(config, options) {
+		this.config = issuerConfigSchema.parse(config);
+		this.now = options?.now ?? nowInSeconds;
+		this.idGenerator = options?.idGenerator ?? randomToken;
+		this.issuerPrivateKeyPromise = importJWK(this.config.signingKey.privateJwk, this.config.signingKey.alg, { extractable: false });
+		this.issuerPublicKeyPromise = importJWK(this.config.signingKey.publicJwk, this.config.signingKey.alg, { extractable: true });
+		this.sdJwtVc = Promise.all([this.issuerPrivateKeyPromise, this.issuerPublicKeyPromise]).then(([privateKey, publicKey]) => new SDJwtVcInstance({
+			signer: createSdJwtSigner(privateKey, this.config.signingKey.alg),
+			signAlg: this.config.signingKey.alg,
+			verifier: createSdJwtVerifier(publicKey, this.config.signingKey.alg),
+			hasher,
+			hashAlg: "sha-256",
+			saltGenerator: async (length = 16) => toBase64Url(crypto.getRandomValues(new Uint8Array(length)))
+		}));
+	}
+	getJwks() {
+		return { keys: [cloneJson(this.config.signingKey.publicJwk)] };
+	}
+	getMetadata() {
+		return issuerMetadataSchema.parse(createIssuerMetadata(this.config));
+	}
+	createStatusList(input) {
+		return createStatusList(input);
+	}
+	allocateCredentialStatus(input) {
+		return allocateCredentialStatus(input);
+	}
+	updateCredentialStatus(input) {
+		return updateCredentialStatus(input);
+	}
+	async createStatusListToken(statusList) {
+		return createStatusListJwt({
+			issuer: this.config.issuer,
+			signingKey: {
+				alg: this.config.signingKey.alg,
+				privateKey: await this.issuerPrivateKeyPromise,
+				publicJwk: this.config.signingKey.publicJwk
+			},
+			statusList,
+			now: this.now
+		});
+	}
+	createPreAuthorizedGrant(input) {
+		const parsed = createPreAuthorizedGrantInputSchema.parse(input);
+		if (!this.config.credentialConfigurationsSupported[parsed.credential_configuration_id]) throw new IssuerError("unsupported_credential_configuration", "Unsupported credential_configuration_id");
+		const preAuthorizedCode = this.idGenerator();
+		const expiresAt = this.now() + (parsed.expires_in ?? this.config.grantTtlSeconds);
+		const preAuthorizedGrant = {
+			preAuthorizedCode,
+			credentialConfigurationId: parsed.credential_configuration_id,
+			claims: cloneJson(parsed.claims),
+			expiresAt,
+			used: false
+		};
+		return {
+			preAuthorizedCode,
+			expiresAt,
+			credential_configuration_id: parsed.credential_configuration_id,
+			preAuthorizedGrant
+		};
+	}
+	createCredentialOffer(input) {
+		const parsed = createCredentialOfferInputSchema.parse(input);
+		const grant = this.createPreAuthorizedGrant(parsed);
+		return {
+			...credentialOfferSchema.parse({
+				credential_issuer: this.config.issuer,
+				credential_configuration_ids: [grant.credential_configuration_id],
+				grants: { "urn:ietf:params:oauth:grant-type:pre-authorized_code": { "pre-authorized_code": grant.preAuthorizedCode } }
+			}),
+			preAuthorizedGrant: grant.preAuthorizedGrant
+		};
+	}
+	createCredentialOfferUri(input) {
+		return serializeCredentialOfferUri(this.createCredentialOffer(input));
+	}
+	createCredentialOfferReferenceUri(credentialOfferUrl) {
+		return serializeCredentialOfferReferenceUri(credentialOfferUrl);
+	}
+	exchangePreAuthorizedCode(input) {
+		const parsed = exchangePreAuthorizedCodeInputSchema.parse(input);
+		if (parsed.tokenRequest.tx_code) throw new IssuerError("unsupported_tx_code", "tx_code is not supported in this demo issuer");
+		if (parsed.preAuthorizedGrant.preAuthorizedCode !== parsed.tokenRequest["pre-authorized_code"]) throw new IssuerError("invalid_grant", "Invalid or expired pre-authorized code");
+		if (parsed.preAuthorizedGrant.used || parsed.preAuthorizedGrant.expiresAt <= this.now()) throw new IssuerError("invalid_grant", "Invalid or expired pre-authorized code");
+		const accessToken = this.idGenerator();
+		const expiresIn = this.config.tokenTtlSeconds;
+		const updatedPreAuthorizedGrant = {
+			...parsed.preAuthorizedGrant,
+			used: true
+		};
+		const accessTokenRecord = {
+			accessToken,
+			credentialConfigurationId: parsed.preAuthorizedGrant.credentialConfigurationId,
+			claims: cloneJson(parsed.preAuthorizedGrant.claims),
+			expiresAt: this.now() + expiresIn,
+			used: false
+		};
+		return {
+			access_token: accessToken,
+			token_type: "Bearer",
+			expires_in: expiresIn,
+			credential_configuration_id: parsed.preAuthorizedGrant.credentialConfigurationId,
+			accessTokenRecord,
+			updatedPreAuthorizedGrant
+		};
+	}
+	createNonce() {
+		const c_nonce = this.idGenerator();
+		const expiresIn = this.config.nonceTtlSeconds;
+		return {
+			c_nonce,
+			c_nonce_expires_in: expiresIn,
+			nonce: {
+				c_nonce,
+				expiresAt: this.now() + expiresIn,
+				used: false
+			}
+		};
+	}
+	async validateProofJwt(input) {
+		const parsed = validateProofJwtInputSchema.parse(input);
+		const protectedHeader = decodeProtectedHeader(parsed.jwt);
+		if (protectedHeader.typ !== "openid4vci-proof+jwt") throw new IssuerError("invalid_proof", "Proof JWT typ must be openid4vci-proof+jwt");
+		if (typeof protectedHeader.alg !== "string" || protectedHeader.alg.length === 0) throw new IssuerError("invalid_proof", "Proof JWT alg is required");
+		const embeddedJwk = holderJwkSchema.safeParse(protectedHeader.jwk);
+		if (!embeddedJwk.success) throw new IssuerError("invalid_proof", "Proof JWT must contain an embedded public JWK in the protected header");
+		const importedFromHeader = await importJWK(embeddedJwk.data, protectedHeader.alg, { extractable: true });
+		let verified;
+		try {
+			verified = await jwtVerify(parsed.jwt, importedFromHeader, { audience: this.config.issuer });
+		} catch (error) {
+			throw new IssuerError("invalid_proof", error instanceof Error ? error.message : "Proof JWT verification failed");
+		}
+		const payload = proofPayloadSchema.parse(verified.payload);
+		if (parsed.nonce.c_nonce !== payload.nonce) throw new IssuerError("invalid_proof", "Proof JWT nonce is invalid or expired");
+		if (parsed.nonce.used || parsed.nonce.expiresAt <= this.now()) throw new IssuerError("invalid_proof", "Proof JWT nonce is invalid or expired");
+		const holderPublicJwk = embeddedJwk.data;
+		const updatedNonce = {
+			...parsed.nonce,
+			used: true
+		};
+		return {
+			nonce: payload.nonce,
+			holderPublicJwk,
+			holderKeyThumbprint: await calculateJwkThumbprint(holderPublicJwk),
+			payload: cloneJson(verified?.payload),
+			protectedHeader: cloneJson(protectedHeader),
+			updatedNonce
+		};
+	}
+	async issueCredential(input) {
+		const parsed = issueCredentialInputSchema.parse(input);
+		if (parsed.accessToken.used || parsed.accessToken.expiresAt <= this.now()) throw new IssuerError("invalid_token", "Invalid or expired access token");
+		if (parsed.accessToken.credentialConfigurationId !== parsed.credential_configuration_id) throw new IssuerError("invalid_request", "Access token is not valid for credential_configuration_id");
+		const configuration = this.config.credentialConfigurationsSupported[parsed.credential_configuration_id];
+		if (!configuration) throw new IssuerError("unsupported_credential_configuration", "Unsupported credential_configuration_id");
+		const binding = input.proof ? {
+			holderPublicJwk: input.proof.holderPublicJwk,
+			holderKeyThumbprint: input.proof.holderKeyThumbprint
+		} : parsed.holderPublicJwk ? {
+			holderPublicJwk: parsed.holderPublicJwk,
+			holderKeyThumbprint: await calculateJwkThumbprint(parsed.holderPublicJwk)
+		} : {};
+		const sdJwtVc = await this.sdJwtVc;
+		const issuedAt = this.now();
+		const credentialClaims = sanitizeCredentialClaims(parsed.accessToken.claims);
+		const payload = {
+			iss: this.config.issuer,
+			iat: issuedAt,
+			vct: configuration.vct,
+			status: parsed.status ? cloneJson(parsed.status) : void 0,
+			cnf: binding.holderPublicJwk ? { jwk: binding.holderPublicJwk } : void 0,
+			...cloneJson(credentialClaims)
+		};
+		const credential = await sdJwtVc.issue(payload, deriveDisclosureFrame(credentialClaims), { header: {
+			kid: this.config.signingKey.publicJwk.kid,
+			x5c: this.config.signingKey.publicJwk.x5c
+		} });
+		const nonce = this.createNonce();
+		const updatedAccessToken = {
+			...parsed.accessToken,
+			used: true
+		};
+		return {
+			...credentialResponseSchema.parse({
+				format: "dc+sd-jwt",
+				credential,
+				c_nonce: nonce.c_nonce
+			}),
+			format: "dc+sd-jwt",
+			nonce: nonce.nonce,
+			updatedAccessToken
+		};
+	}
+	async parseIssuedCredential(encoded) {
+		const sdJwt = await SDJwt.fromEncode(encoded, hasher);
+		const jwt = await SDJwt.extractJwt(encoded);
+		return {
+			jwt: jwt.encodeJwt(),
+			header: jwt.header,
+			payload: jwt.payload,
+			claims: await sdJwt.getClaims(hasher)
+		};
+	}
+};
+const createIssuer = (config, options) => new DemoIssuer(config, options);
+//#endregion
+export { DemoIssuer, IssuerError, accessTokenRecordSchema, allocateCredentialStatus, claimSetSchema, createCredentialOfferInputSchema, createIssuer, createIssuerMetadata, createPreAuthorizedGrantInputSchema, createStatusList, createStatusListInputSchema, createStatusListJwt, credentialConfigurationSchema, credentialOfferSchema, credentialOfferUriSchema, credentialRequestProofSchema, credentialRequestSchema, credentialResponseSchema, credentialStatusListReferenceSchema, credentialStatusSchema, encodeStatusList, exchangePreAuthorizedCodeInputSchema, generateIssuerTrustMaterial, getCredentialIssuerMetadataUrl, issueCredentialInputSchema, issuerConfigSchema, issuerMetadataCredentialConfigurationSchema, issuerMetadataSchema, jwkSchema, nonceRecordSchema, nonceResponseSchema, preAuthorizedGrantRecordSchema, preAuthorizedGrantTypeSchema, serializeCredentialOfferReferenceUri, serializeCredentialOfferUri, signingAlgSchema, statusListBitsSchema, statusListRecordSchema, tokenRequestSchema, tokenResponseSchema, tokenStatusValueSchema, updateCredentialStatus, validateProofJwtInputSchema };