dvlprsh-dcql-test 0.1.8

package/dist/index.mjs

@@ -0,0 +1,314 @@
+var __defProp = Object.defineProperty;
+var __defNormalProp = (obj, key, value) => key in obj ? __defProp(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
+var __name = (target, value) => __defProp(target, "name", { value, configurable: true });
+var __publicField = (obj, key, value) => {
+  __defNormalProp(obj, typeof key !== "symbol" ? key + "" : key, value);
+  return value;
+};
+
+// src/match.ts
+var pathMatch = /* @__PURE__ */ __name((path, data) => {
+  let selectedElements = [
+    data
+  ];
+  for (const component of path) {
+    const nextSelectedElements = [];
+    for (const element of selectedElements) {
+      if (typeof component === "string") {
+        if (element === null || typeof element !== "object" || Array.isArray(element)) {
+          throw new Error("Path component requires object but found non-object element");
+        }
+        if (component in element) {
+          nextSelectedElements.push(element[component]);
+        }
+      } else if (component === null) {
+        if (element === null || !Array.isArray(element)) {
+          throw new Error("Null path component requires array but found non-array element");
+        }
+        nextSelectedElements.push(...element);
+      } else if (typeof component === "number" && component >= 0 && Number.isInteger(component)) {
+        if (element === null || !Array.isArray(element)) {
+          throw new Error("Numeric path component requires array but found non-array element");
+        }
+        if (component < element.length) {
+          nextSelectedElements.push(element[component]);
+        }
+      } else {
+        throw new Error(`Invalid path component: ${component}`);
+      }
+    }
+    if (nextSelectedElements.length === 0) {
+      throw new Error("No elements selected after processing path component");
+    }
+    selectedElements = nextSelectedElements;
+  }
+  return selectedElements;
+}, "pathMatch");
+
+// src/credentials/sdjwtvc.credential.ts
+var _SdJwtVcCredential = class _SdJwtVcCredential {
+  constructor(id, vct_values, options) {
+    __publicField(this, "id");
+    __publicField(this, "vct_values");
+    __publicField(this, "_multiple");
+    __publicField(this, "_trusted_authorities");
+    __publicField(this, "_require_cryptographic_holder_binding");
+    __publicField(this, "_claims");
+    __publicField(this, "_claim_sets");
+    this.id = id;
+    this.vct_values = vct_values;
+    if (options) {
+      this._multiple = options.multiple;
+      this._trusted_authorities = options.trusted_authorities;
+      this._require_cryptographic_holder_binding = options.require_cryptographic_holder_binding;
+      this._claims = options.claims;
+      this._claim_sets = options.claim_sets;
+    }
+  }
+  setMultiple(multiple) {
+    this._multiple = multiple;
+    return this;
+  }
+  setTrustedAuthorities(trusted_authorities) {
+    this._trusted_authorities = trusted_authorities;
+    return this;
+  }
+  setRequireCryptographicHolderBinding(require_cryptographic_holder_binding) {
+    this._require_cryptographic_holder_binding = require_cryptographic_holder_binding;
+    return this;
+  }
+  setClaims(claims) {
+    this._claims = claims;
+    return this;
+  }
+  setClaimSets(claim_sets) {
+    if (!this._claims || this._claims.length === 0) {
+      throw new Error("Claims must be set before claim sets");
+    }
+    if (!this._claims.every((c) => c.id !== void 0)) {
+      throw new Error("Claims must not have an id before claim sets");
+    }
+    this._claim_sets = claim_sets;
+    return this;
+  }
+  serialize() {
+    return {
+      id: this.id,
+      format: "dc+sd-jwt",
+      meta: {
+        vct_values: this.vct_values
+      },
+      multiple: this._multiple,
+      trusted_authorities: this._trusted_authorities,
+      require_cryptographic_holder_binding: this._require_cryptographic_holder_binding,
+      claims: this._claims,
+      claim_sets: this._claim_sets
+    };
+  }
+  match(data) {
+    if (data["vct"] !== void 0 && !this.vct_values.includes(data["vct"])) {
+      return {
+        match: false
+      };
+    }
+    if (!this._claims || this._claims.length === 0) {
+      return {
+        match: true,
+        matchedClaims: []
+      };
+    }
+    if (this._claim_sets && this._claim_sets.length > 0) {
+      for (const claimSet of this._claim_sets) {
+        const claimsInSet = this._claims.filter((claim) => claim.id !== void 0 && claimSet.includes(claim.id));
+        const allClaimsMatch = claimsInSet.every((claim) => this.matchClaim(claim, data));
+        if (allClaimsMatch && claimsInSet.length > 0) {
+          return {
+            match: true,
+            matchedClaims: claimsInSet
+          };
+        }
+      }
+      return {
+        match: false
+      };
+    } else {
+      const satisfiableClaims = this._claims.every((claim) => this.matchClaim(claim, data));
+      if (satisfiableClaims) {
+        return {
+          match: true,
+          matchedClaims: this._claims
+        };
+      }
+    }
+    return {
+      match: false
+    };
+  }
+  /**
+  * Helper method to check if a specific claim matches against the data
+  * Implements semantics for JSON-based credentials as specified in section 7.1
+  */
+  matchClaim(claim, data) {
+    try {
+      const selectedElements = pathMatch(claim.path, data);
+      if (selectedElements.length === 0) {
+        return false;
+      }
+      if (!claim.value || claim.value.length === 0) {
+        return true;
+      }
+      return selectedElements.some((element) => claim.value.some((val) => val === element));
+    } catch (error) {
+      return false;
+    }
+  }
+  static parseSdJwtCredential(c) {
+    if (!this.validateCredential(c)) {
+      throw new Error("Invalid credential");
+    }
+    const sdJwtVcCredential = new _SdJwtVcCredential(c.id, c.meta.vct_values, {
+      multiple: c.multiple,
+      trusted_authorities: c.trusted_authorities,
+      require_cryptographic_holder_binding: c.require_cryptographic_holder_binding,
+      claims: c.claims,
+      claim_sets: c.claim_sets
+    });
+    return sdJwtVcCredential;
+  }
+  static validateCredential(c) {
+    if (c.format !== "dc+sd-jwt") {
+      throw new Error("Invalid credential format");
+    }
+    if (!c.meta || !("vct_values" in c.meta)) {
+      throw new Error("Invalid credential meta");
+    }
+    return true;
+  }
+};
+__name(_SdJwtVcCredential, "SdJwtVcCredential");
+var SdJwtVcCredential = _SdJwtVcCredential;
+
+// src/dcql.ts
+var _DCQL = class _DCQL {
+  constructor({ credentials, credential_sets }) {
+    __publicField(this, "_credentials", []);
+    __publicField(this, "_credential_sets");
+    this._credentials = credentials ?? [];
+    this._credential_sets = credential_sets;
+  }
+  addCredential(credential) {
+    this._credentials.push(credential);
+    return this;
+  }
+  addCredentialSet(credential_set) {
+    if (!this._credential_sets) {
+      this._credential_sets = [];
+    }
+    this._credential_sets.push(credential_set);
+    return this;
+  }
+  serialize() {
+    return {
+      credentials: this._credentials.map((c) => c.serialize()),
+      credential_sets: this._credential_sets
+    };
+  }
+  static parse(raw) {
+    const credentials = raw.credentials.map((c) => {
+      if (c.format === "dc+sd-jwt") {
+        return SdJwtVcCredential.parseSdJwtCredential(c);
+      }
+      throw new Error("Invalid credential format");
+    });
+    return new _DCQL({
+      credentials,
+      credential_sets: raw.credential_sets
+    });
+  }
+  /**
+  * Match credentials against an array of data records according to section 6.4.2 rules.
+  *
+  * If credential_sets is not provided, all credentials in credentials are requested.
+  * Otherwise, the Verifier requests credentials satisfying:
+  * - All required credential sets (where required is true or omitted)
+  * - Optionally, any other credential sets
+  *
+  * @param dataRecords Array of data records to match against
+  * @returns Object containing match result and matched credentials with their claims
+  */
+  match(dataRecords) {
+    if (this._credentials.length === 0) {
+      return {
+        match: false
+      };
+    }
+    const allMatches = [];
+    this._credentials.forEach((credential) => {
+      dataRecords.forEach((data, index) => {
+        const result = credential.match(data);
+        if (result.match) {
+          allMatches.push({
+            credential: data,
+            dcqlCredential: credential,
+            matchedClaims: result.matchedClaims,
+            dataIndex: index
+          });
+        }
+      });
+    });
+    if (allMatches.length === 0) {
+      return {
+        match: false
+      };
+    }
+    if (!this._credential_sets || this._credential_sets.length === 0) {
+      return {
+        match: true,
+        matchedCredentials: allMatches
+      };
+    }
+    const matchedIds = new Set(allMatches.map((match) => {
+      const serialized = match.dcqlCredential.serialize();
+      return serialized.id;
+    }));
+    const requiredSets = this._credential_sets.filter((set) => set.required === void 0 || set.required === true);
+    const satisfiedRequiredSets = requiredSets.every((set) => this.isCredentialSetSatisfied(set, matchedIds));
+    if (!satisfiedRequiredSets) {
+      return {
+        match: false
+      };
+    }
+    return {
+      match: true,
+      matchedCredentials: allMatches.map((matches) => {
+        return {
+          credential: matches.credential,
+          matchedClaims: matches.matchedClaims,
+          dataIndex: matches.dataIndex
+        };
+      })
+    };
+  }
+  /**
+  * Check if a credential set is satisfied by the matched credential IDs
+  * A credential set is satisfied if at least one of its options is satisfied
+  */
+  isCredentialSetSatisfied(set, matchedIds) {
+    return set.options.some((option) => {
+      return option.every((credentialId) => matchedIds.has(credentialId));
+    });
+  }
+};
+__name(_DCQL, "DCQL");
+var DCQL = _DCQL;
+
+// src/credentials/credential.ts
+var _CredentialBase = class _CredentialBase {
+};
+__name(_CredentialBase, "CredentialBase");
+var CredentialBase = _CredentialBase;
+export {
+  CredentialBase,
+  DCQL,
+  SdJwtVcCredential
+};

package/package.json

@@ -0,0 +1,59 @@
+{
+  "name": "dvlprsh-dcql-test",
+  "version": "0.1.8",
+  "description": "DCQL implementation in typescript",
+  "main": "dist/index.js",
+  "module": "dist/index.mjs",
+  "types": "dist/index.d.ts",
+  "exports": {
+    ".": {
+      "import": "./dist/index.mjs",
+      "require": "./dist/index.js"
+    }
+  },
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/hopae-official/Verifiable-Digital-Credentials.git"
+  },
+  "bugs": {
+    "url": "https://github.com/hopae-official/Verifiable-Digital-Credentials/issues"
+  },
+  "homepage": "https://vdcs.js.org",
+  "scripts": {
+    "build": "rm -rf **/dist && tsup",
+    "lint": "biome lint ./src",
+    "test": "pnpm run test:node && pnpm run test:browser && pnpm run test:cov",
+    "test:node": "vitest run ./src/test/*.spec.ts",
+    "test:browser": "vitest run ./src/test/*.spec.ts --environment jsdom",
+    "test:cov": "vitest run --coverage"
+  },
+  "keywords": [
+    "openid",
+    "openid4vp",
+    "vcdm",
+    "jwt",
+    "sd-jwt",
+    "mdl"
+  ],
+  "engines": {
+    "node": ">=16"
+  },
+  "author": "Lukas.J.Han <lukas.j.han@gmail.com>",
+  "license": "Apache-2.0",
+  "publishConfig": {
+    "access": "public"
+  },
+  "tsup": {
+    "entry": [
+      "./src/index.ts"
+    ],
+    "sourceMap": true,
+    "splitting": false,
+    "clean": true,
+    "dts": true,
+    "format": [
+      "cjs",
+      "esm"
+    ]
+  }
+}

package/src/credentials/credential.ts

@@ -0,0 +1,12 @@
+import { Credential, MatchResult } from '../type';
+
+/**
+ * This class represent a credential
+ *
+ *
+ */
+export abstract class CredentialBase {
+  abstract serialize(): Credential;
+
+  abstract match(data: Record<string, unknown>): MatchResult;
+}

package/src/credentials/sdjwtvc.credential.ts

@@ -0,0 +1,208 @@
+import { pathMatch } from '../match';
+import {
+  Claims,
+  ClaimSet,
+  Credential,
+  MatchResult,
+  SdJwtVcCredentialQuery,
+  TrustedAuthority,
+} from '../type';
+import { CredentialBase } from './credential';
+
+export class SdJwtVcCredential implements CredentialBase {
+  private _multiple?: boolean;
+  private _trusted_authorities?: TrustedAuthority[];
+  private _require_cryptographic_holder_binding?: boolean;
+  private _claims?: Claims[];
+  private _claim_sets?: ClaimSet[];
+
+  constructor(
+    public readonly id: string,
+    public readonly vct_values: string[],
+    options?: {
+      multiple?: boolean;
+      trusted_authorities?: TrustedAuthority[];
+      require_cryptographic_holder_binding?: boolean;
+      claims?: Claims[];
+      claim_sets?: ClaimSet[];
+    },
+  ) {
+    if (options) {
+      this._multiple = options.multiple;
+      this._trusted_authorities = options.trusted_authorities;
+      this._require_cryptographic_holder_binding =
+        options.require_cryptographic_holder_binding;
+      this._claims = options.claims;
+      this._claim_sets = options.claim_sets;
+    }
+  }
+
+  setMultiple(multiple: boolean) {
+    this._multiple = multiple;
+    return this;
+  }
+
+  setTrustedAuthorities(trusted_authorities: TrustedAuthority[]) {
+    this._trusted_authorities = trusted_authorities;
+    return this;
+  }
+
+  setRequireCryptographicHolderBinding(
+    require_cryptographic_holder_binding: boolean,
+  ) {
+    this._require_cryptographic_holder_binding =
+      require_cryptographic_holder_binding;
+    return this;
+  }
+
+  setClaims(claims: Claims[]) {
+    this._claims = claims;
+    return this;
+  }
+
+  setClaimSets(claim_sets: ClaimSet[]) {
+    /**
+     * Check if claims are set properly
+     */
+    if (!this._claims || this._claims.length === 0) {
+      throw new Error('Claims must be set before claim sets');
+    }
+
+    if (!this._claims.every((c) => c.id !== undefined)) {
+      throw new Error('Claims must not have an id before claim sets');
+    }
+
+    this._claim_sets = claim_sets;
+    return this;
+  }
+
+  serialize(): Credential {
+    return {
+      id: this.id,
+      format: 'dc+sd-jwt',
+      meta: { vct_values: this.vct_values },
+      multiple: this._multiple,
+      trusted_authorities: this._trusted_authorities,
+      require_cryptographic_holder_binding:
+        this._require_cryptographic_holder_binding,
+      claims: this._claims,
+      claim_sets: this._claim_sets,
+    };
+  }
+
+  match(data: Record<string, unknown>): MatchResult {
+    // First check if the credential type matches
+    if (
+      data['vct'] !== undefined &&
+      !this.vct_values.includes(data['vct'] as string)
+    ) {
+      return { match: false };
+    }
+
+    // If claims is absent, the Verifier is requesting no claims that are selectively disclosable
+    // Return only the mandatory claims
+    if (!this._claims || this._claims.length === 0) {
+      return { match: true, matchedClaims: [] };
+    }
+
+    // If claim_sets is present, the Verifier requests one combination of the claims listed in claim_sets
+    if (this._claim_sets && this._claim_sets.length > 0) {
+      // The order of options in claim_sets expresses the Verifier's preference
+      // Try to match the first option that can be satisfied
+      for (const claimSet of this._claim_sets) {
+        const claimsInSet = this._claims.filter(
+          (claim) => claim.id !== undefined && claimSet.includes(claim.id),
+        );
+
+        // Check if all claims in this set can be satisfied by the data
+        const allClaimsMatch = claimsInSet.every((claim) =>
+          this.matchClaim(claim, data),
+        );
+
+        // If all claims in this set can be satisfied, return the earliest set
+        if (allClaimsMatch && claimsInSet.length > 0) {
+          return {
+            match: true,
+            matchedClaims: claimsInSet,
+          };
+        }
+      }
+
+      // If we can't satisfy any of the claim sets, don't return any claims
+      return { match: false };
+    }
+    // If claims is present but claim_sets is absent, the Verifier requests all claims listed in claims
+    else {
+      const satisfiableClaims = this._claims.every((claim) =>
+        this.matchClaim(claim, data),
+      );
+
+      // Only match if we can satisfy all claims
+      if (satisfiableClaims) {
+        return { match: true, matchedClaims: this._claims };
+      }
+    }
+
+    return { match: false };
+  }
+
+  /**
+   * Helper method to check if a specific claim matches against the data
+   * Implements semantics for JSON-based credentials as specified in section 7.1
+   */
+  private matchClaim(claim: Claims, data: Record<string, unknown>): boolean {
+    try {
+      // Start with the root element (top-level JSON object)
+      const selectedElements = pathMatch(claim.path, data);
+
+      // If no elements were selected, the claim can't be matched
+      if (selectedElements.length === 0) {
+        return false;
+      }
+
+      // If the claim doesn't have a value restriction, any selected value is acceptable
+      if (!claim.value || claim.value.length === 0) {
+        return true;
+      }
+
+      // Check if any of the selected elements match any of the allowed values
+      return selectedElements.some((element) =>
+        claim.value!.some((val) => val === element),
+      );
+    } catch (error) {
+      // If there was an error processing the path, the claim can't be matched
+      return false;
+    }
+  }
+
+  static parseSdJwtCredential(c: Credential): CredentialBase {
+    if (!this.validateCredential(c)) {
+      throw new Error('Invalid credential');
+    }
+
+    const sdJwtVcCredential = new SdJwtVcCredential(c.id, c.meta.vct_values, {
+      multiple: c.multiple,
+      trusted_authorities: c.trusted_authorities,
+      require_cryptographic_holder_binding:
+        c.require_cryptographic_holder_binding,
+      claims: c.claims,
+      claim_sets: c.claim_sets,
+    });
+
+    return sdJwtVcCredential;
+  }
+
+  private static validateCredential(
+    c: Credential,
+  ): c is SdJwtVcCredentialQuery {
+    if (c.format !== 'dc+sd-jwt') {
+      throw new Error('Invalid credential format');
+    }
+
+    if (!c.meta || !('vct_values' in c.meta)) {
+      throw new Error('Invalid credential meta');
+    }
+
+    return true;
+  }
+}