gdc-common-utils-ts 1.0.1

package/src/models/jwe.ts

@@ -0,0 +1,132 @@
+// Copyright 2025 Antifraud Services Inc. under the Apache License, Version 2.0.
+// File: crypto-ts/models/jwe.ts
+
+import { JWK } from "./jwk";
+
+/**
+ * Represents the core components of a JWE (JSON Web Encryption) structure,
+ * based on RFC 7516. This is the standard for encrypted data.
+ */
+
+/**
+ * Decoded protected header claims in a JWE.
+ * @see https://datatracker.ietf.org/doc/html/rfc7516#section-4.1
+ */
+export interface ProtectedHeadersJWE {
+    alg?: string; // CEK encryption algorithm
+    enc?: string; // Content encryption algorithm (e.g., "A256GCM")
+    cty?: string; // Content type
+    jwk?: JWK; // Senders JWK
+    typ?: string; // Type, e.g., "didcomm-envelope-enc"
+    kid?: string; // Recipient's key ID
+    skid?: string; // Sender's key ID
+    zip?: string; // Compression algorithm
+}
+
+/**
+ * Unprotected headers that are not integrity protected.
+ */
+export interface UnprotectedHeadersJWE {
+    jku?: string; // JWK Set URL
+}
+
+/**
+ * Represents the data for a single recipient of the JWE.
+ */
+export interface RecipientDataJWE {
+    encrypted_key?: string;
+    header: {
+        alg: string;
+        kid: string;
+    };
+}
+
+/**
+ * Represents the protected (integrity-protected) header of a JWE.
+ * These parameters are combined with the AAD (Additional Authenticated Data)
+ * to ensure they are not tampered with.
+ *
+ * JWE defines two algorithms:
+ * - 'alg': The algorithm for key encryption (wrapping the CEK). In our case, a PQC KEM like Kyber.
+ *          This is defined per-recipient, not in the main protected header.
+ * - 'enc': The algorithm for content encryption (e.g., 'A256GCM').
+ */
+export interface ProtectedHeadersJWE {
+    /** Algorithm for Content Encryption Key (CEK) wrapping (e.g., Kyber KEM). Defined per-recipient. */
+    alg?: string;
+    /** Content Type of the payload. */
+    cty?: string;
+    /** Encryption Algorithm for the content (e.g., 'A256GCM'). */
+    enc?: string;
+    /** Key ID of the recipient's public key. */
+    kid?: string;
+    /** Sender's public key identifier. */
+    skid?: string;
+    /** Type of the JWE (e.g., 'didcomm-envelope-enc'). */
+    typ?: string;
+    /** Compression algorithm ('DEF' for DEFLATE). */
+    zip?: string;
+}
+
+/**
+ * Represents the unprotected header of a JWE.
+ * These parameters are not integrity-protected.
+ */
+export interface UnprotectedHeadersJWE {
+    /** JWK Set URL, a URL pointing to a set of keys. */
+    jku?: string;
+}
+
+/**
+ * Represents the data specific to a single recipient of a JWE.
+ */
+export interface RecipientDataJWE {
+    /** The Content Encryption Key (CEK), encrypted for this specific recipient. Base64URL encoded. */
+    encrypted_key?: string;
+    /** Unprotected header parameters specific to this recipient. */
+    header: {
+        /** Key Encryption Algorithm used for this recipient (e.g., 'kyber-768-r3'). */
+        alg: string;
+        /** Key ID of the recipient's public key (thumbprint of the JWK). */
+        kid: string;
+    };
+}
+
+/**
+ * Represents a JWE object before encryption.
+ * It contains the plaintext data and the configuration for encryption.
+ */
+export interface UnencryptedJWE {
+    /** The decoded protected header object. This will be base64url encoded. */
+    protectHdersDecoded?: ProtectedHeadersJWE;
+    /** The unprotected header object. */
+    unprotected?: UnprotectedHeadersJWE;
+    /** The list of recipients for whom the content is encrypted. */
+    recipients: RecipientDataJWE[];
+    /** 
+     * The plaintext data to be encrypted, already serialized.
+     * For structured data (like a TenantConfig), this MUST be the result of `JSON.stringify`.
+     * For binary data (like a PDF), this MUST be a Uint8Array.
+     * The cryptography layer does NOT perform serialization.
+     */
+    plaintext: string | Uint8Array;
+}
+
+/**
+ * Represents a JWE (JSON Web Encryption) in the General JSON Serialization format.
+ * This structure supports multiple recipients.
+ */
+export interface JweObject {
+    /** Base64URL encoded, integrity-protected header. */
+    protected: string;
+    /** Unprotected header (not integrity-protected). */
+    unprotected?: UnprotectedHeadersJWE;
+    /** Array of recipient-specific data. */
+    recipients: RecipientDataJWE[];
+    /** Initialization Vector, Base64URL encoded. */
+    iv: string;
+    /** The encrypted plaintext, Base64URL encoded. */
+    ciphertext: string;
+    /** The authentication tag, Base64URL encoded. */
+    tag: string;
+}

package/src/models/jwk.ts

@@ -0,0 +1,50 @@
+// Copyright 2025 Antifraud Services Inc. under the Apache License, Version 2.0.
+// File: crypto-ts/models/jwk.ts
+
+/**
+ * Represents a JSON Web Key (JWK), a standard format for representing cryptographic keys.
+ * This interface supports both symmetric (oct) and asymmetric keys (EC, RSA, OKP, and Post-Quantum).
+ * Based on RFC 7517.
+ */
+export interface JWK {
+    /** Algorithm intended for use with a ML-DSA or other signature keys (e.g., 'ES256'). */
+    alg?: string;
+    /** Key Operations for which the key is intended (e.g., ['sign', 'verify']). */
+    key_ops?: string[];
+    /** Key ID - a unique identifier for the key (e.g., RFC 7638 thumbprint). */
+    kid?: string;
+    /** Key Type (e.g., 'AKP' for ML-DSA, 'OKP' for ML-KEM, 'EC' for Elliptic Curve, 'RSA', ...). */
+    kty?: string;
+    /** Public Key Use ('sig' for signature, 'enc' for encryption). */
+    use?: string;
+    
+    // --- Asymmetric Key Parameters ---
+    /** The curve for an ML-KEM or EC key (e.g., 'P-256'). */
+    crv?: string;
+    /** The private key component for ML-KEM or EC asymmetric keys. */
+    d?: string;
+    /** The public key for ML-KEM or 'x' coordinate for an EC key. */
+    x?: string;
+    /** The public 'y' coordinate for an EC key. */
+    y?: string;
+
+    // --- Post-Quantum ML-DSA (Dilithium) Parameters ---
+    /** The public key component for an ML-DSA key. */
+    pub?: string;
+    /** The private key component for an ML-DSA key. */
+    priv?: string;
+
+    // --- Symmetric Key Parameters ---
+    /** The symmetric key value. */
+    k?: string;
+    
+    /** Any other custom JWK properties. */
+    [propName: string]: unknown;
+}
+
+/**
+ * Represents a set of JSON Web Keys (JWKs).
+ */
+export interface JwkSet {
+    keys: JWK[];
+}

package/src/models/jws.ts

@@ -0,0 +1,42 @@
+// Copyright 2025 Antifraud Services Inc. under the Apache License, Version 2.0.
+// File: crypto-ts/models/jws.ts
+
+import { JWK } from './jwk';
+
+/**
+ * Represents the header parameters of a JSON Web Signature (JWS).
+ */
+export interface JwsHeader {
+    /** Algorithm used to secure the JWS. Must not be "none". */
+    alg: string;
+    /** Key ID that indicates which key was used for the JWS signature. */
+    kid: string;
+    /** Content type, usually "didcomm-signed+json". */
+    cty?: string;
+    /** Type of the message, usually "jwt". */
+    typ?: string;
+    /** The full public key, used in bootstrapping scenarios. */
+    jwk?: JWK;
+}
+
+/**
+ * Represents a signature entry in a JWS using the General JSON Serialization format.
+ */
+export interface JwsDetachedSignParts {
+    /** The Base64URL encoded protected (signed) header. */
+    protected: string;
+    /** The Base64URL encoded signature. */
+    signature: string;
+}
+
+/**
+ * Represents a JWS (JSON Web Signature) in the General JSON Serialization format.
+ * This structure supports multiple signatures.
+ */
+export interface JwsMultiSign {
+    /** The Base64URL encoded payload. */
+    payload: string;
+    /** An array of one or more signatures. */
+    signatures: JwsDetachedSignParts[];
+}
+

package/src/models/jwt.ts

@@ -0,0 +1,15 @@
+// Copyright 2025 Antifraud Services Inc. under the Apache License, Version 2.0.
+// File: crypto-ts/models/jwt.ts
+
+import { JwsDetachedSignParts } from "./jws";
+
+export interface JwtCompactParts extends JwsDetachedSignParts {
+  payload: string,
+}
+
+export interface DataCompactJWT {
+  protected: object, // header protected by the signature (compact does not have unprotected header but JSON JWT does)
+  payload: object,
+  signature?: Uint8Array,
+}
+

package/src/models/multibase58.ts

@@ -0,0 +1,46 @@
+// Copyright 2025 Antifraud Services Inc. under the Apache License, Version 2.0.
+// File: crypto-ts/multibase58.ts
+
+import baseX from "base-x";
+
+const BASE58_BTC_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz";
+const base58btc = baseX(BASE58_BTC_ALPHABET);
+
+/**
+ * Encode bytes into multibase base58btc string (prefixed with 'z').
+ * Equivalent to multiformats base58btc.encode.
+ */
+export function encodeMultibase58btc(data: Uint8Array): string {
+  return "z" + base58btc.encode(Buffer.from(data));
+}
+
+/**
+ * Decode a multibase base58btc string (must start with 'z').
+ * Equivalent to multiformats base58btc.decode.
+ */
+export function decodeMultibase58btc(multibaseStr: string): Uint8Array {
+  if (!multibaseStr.startsWith("z")) {
+    throw new Error("Invalid multibase58btc string: missing 'z' prefix");
+  }
+  return new Uint8Array(base58btc.decode(multibaseStr.slice(1)));
+}
+
+// HEX ➜ multibase base58btc (quita guiones si los hay)
+export function encodeHexToMultibase58btc(hexStr: string): string {
+  const hexClean = hexStr.replace(/-/g, "").toLowerCase();
+  if (!/^[0-9a-f]{32}$/i.test(hexClean)) throw new Error("Invalid 16-byte hex string");
+  const bytes = new Uint8Array(hexClean.match(/.{1,2}/g)!.map(b => parseInt(b, 16)));
+  return encodeMultibase58btc(bytes);
+}
+
+// multibase base58btc ➜ hex (no hyppens)
+export function decodeMultibase58btcToHex(b58str: string): string {
+  const bytes = decodeMultibase58btc(b58str);
+  return Array.from(bytes).map(b => b.toString(16).padStart(2, "0")).join("");
+}
+
+// multibase base58btc ➜ UUID (with hyppens)
+export function decodeMultibase58btcToUUID(b58str: string): string {
+  const hex = decodeMultibase58btcToHex(b58str);
+  return `${hex.slice(0, 8)}-${hex.slice(8, 12)}-${hex.slice(12, 16)}-${hex.slice(16, 20)}-${hex.slice(20)}`;
+}

package/src/models/oidc4ida.common.model.ts

@@ -0,0 +1,39 @@
+// Copyright 2025 Antifraud Services Inc. under the Apache License, Version 2.0.
+// File: crypto-ts/models/oidc4ida.common.model.ts
+
+/** Digest object represents a cryptographic hash of some bytes (e.g.: the content of a document).
+ *  It has 'alg' and 'value' (Base64 encoded, not hexadecimal such as in W3C format).
+ */
+export interface DigestResultOpenIdData {
+    alg:    string; // REQUIRED. Specifies the algorithm used for the calculation of the cryptographic hash. The algorithm has been negotiated previously between RP and OP during Client Registration or Management.
+    value:  string; // REQUIRED. Base64 encoded representation of the cryptographic hash.
+}
+
+/** Attachment OpenID
+ *  The "digest" is REQUIRED: digest.alg and digest.value (Base64 encoded, not Base64Url).
+ *  The "url" is REQUIRED to be "urn:uuid:<uuidv4>" for the resource/record (same as the FHIR "fullUrl" property with urn:uuid:<uuidv4>).
+ */
+export interface AttachmentExternalDLT {
+    digest: DigestResultOpenIdData;  // REQUIRED. JSON object representing a cryptographic hash of the document content.
+    url?:    string; // URI where the content can be recovered (NOTE: do not store on blockchain personal identifiers, just the URN with the UUID of the record/resoruce)
+}
+
+/** CheckDetails is a JSON array representing the checks done in relation to the evidence.
+ *  The "check_method" is REQUIRED (see https://bitbucket.org/openid/ekyc-ida/wiki/identifiers#check_methods):
+ *  - check_method: REQUIRED. String representing the check done, this includes processes such as checking the authenticity of the document, or verifying the user's biometric against an identity document (e.g.: vcrypt, vdig, vpip, vpvp...)
+ *  - organization: OPTIONAL. String denoting the legal entity that performed the check. This SHOULD be included if the OP did not perform the check itself.
+ *  - txn: OPTIONAL. Identifier referring to the identity verification transaction. The OP MUST ensure that this is present when evidence_ref element is used. The OP MUST ensure that the transaction identifier can be resolved into transaction details during an audit.
+ *  - time: OPTIONAL. Time stamp in ISO 8601 [ISO8601] YYYY-MM-DDThh:mm[:ss]TZD format representing the date when the check was completed.
+ */
+export interface CheckDetails {
+    check_method: string; // REQUIRED. String representing the check done, this includes processes such as checking the authenticity of the document, or verifying the user's biometric against an identity document. For information on predefined check_details values see Section 14.
+    organization?: string; // OPTIONAL. String (did:web or URN) denoting the legal entity that performed the check. This SHOULD be included if the OP did not perform the check itself.
+    txn?: string; // OPTIONAL. Identifier referring to the identity verification transaction. The OP MUST ensure that this is present when evidence_ref element is used. The OP MUST ensure that the transaction identifier can be resolved into transaction details during an audit.
+    time?: string; // OPTIONAL. Time stamp in ISO 8601 [ISO8601] YYYY-MM-DDThh:mm[:ss]TZD format representing the date when the check was completed.
+}
+
+/** 'organization' is the organization ID which performed the verification on behalf of the OP */
+export interface VerifierDLT {
+    organization:   string; // organization (did:web or URN) which performed the verification on behalf of the OP.
+    txn?:           string; // evidence transaction ID (base58) for audit (added by SC)
+}

package/src/models/oidc4ida.document.model.ts

@@ -0,0 +1,61 @@
+// Copyright 2025 Antifraud Services Inc. under the Apache License, Version 2.0.
+// File: crypto-ts/models/oidc4ida.document.model.ts
+
+import { AttachmentExternalDLT, CheckDetails, VerifierDLT } from './oidc4ida.common.model';
+import { IssuerElectronicRecordDLT } from './oidc4ida.electronicRecord.model';
+
+/** Common for Document and Bill evidences  */
+export interface EvidenceCommonSubElementDLT {
+    method:               string;                   // REQUIRED. The method used to verify it: pipp (Physical In-Person Proofing), sripp (Supervised remote In-Person Proofing), eid (Online verification of an electronic ID card), uripp (Unsupervised remote in-person proofing with video capture of the ID document, user self-portrait video and liveness checks). Predefined values are given in Verification Methods
+    time?:                string;                   // OPTIONAL. Time stamp in ISO 8601:2004 [ISO8601-2004] YYYY-MM-DDThh:mm[:ss]TZD format representing the date when it was verified
+}
+
+/** Predefined method values are given in Verification Methods (https://bitbucket.org/openid/ekyc-ida/wiki/identifiers)
+ * - pipp (Physical In-Person Proofing)
+ * - sripp (Supervised remote In-Person Proofing)
+ * - eid (Online verification of an electronic ID card)
+ * - uripp (Unsupervised remote in-person proofing with video capture of the ID document, user self-portrait video and liveness checks).
+ */
+export interface EvidenceDocumentDLT extends
+    EvidenceCommonSubElementDLT  // method, time
+{
+    attachments?:       AttachmentExternalDLT;    // OPTIONAL. Representing proofs of attachments like photocopies of documents or certificates.
+    check_details?:     CheckDetails[];      // OPTIONAL. Checks done in relation to the evidence. https://bitbucket.org/openid/ekyc-ida/wiki/identifiers
+    document_details?:  DocumentDetailsDLT;       // OPTIONAL. Object representing the id document used to perform the identity verification.
+    method:             string;                   // REQUIRED. The method used to verify it: pipp (Physical In-Person Proofing), sripp (Supervised remote In-Person Proofing), eid (Online verification of an electronic ID card), uripp (Unsupervised remote in-person proofing with video capture of the ID document, user self-portrait video and liveness checks). Predefined values are given in Verification Methods
+    time?:              string;                   // OPTIONAL. Time stamp in ISO 8601:2004 [ISO8601-2004] YYYY-MM-DDThh:mm[:ss]TZD format representing the date when it was verified
+    type:               'document';               // REQUIRED. Value MUST be set to 'document'. Note: id_document is an alias for document for backward compatibilty purposes but will be deprecated in future releases, implementers are recommended to use document.
+    verifier:           VerifierDLT;              // txn is required: legal entity that performed the identity verification on behalf of the OP.
+}
+
+/** OpenID 'document' evidence sub-element.
+ * - 'type' of the (physical) document (standarized).
+ * - 'date_of_issuance' is the date the document was issued as ISO 8601:2004 YYYY-MM-DD format.
+ * - 'date_of_expiry' is the date the document will expire as ISO 8601:2004 YYYY-MM-DD format.
+ * - 'serial_number' is the model of the document irrespective of any personalization information (usually physical artefacts and is present before personalization).
+ * - 'document_number' is the unique document ID that was issued to the End-User and will change if it is reissued, e.g., a passport number, certificate number, etc.
+ *  Note: number can be used as an alias for 'document_number' for backward compatibilty purposes but will be deprecated in future releases, implementers are recommended to use document_number.
+ */
+ export interface DocumentDetailsBase {
+    date_of_expiry?:    string;     // OPTIONAL. If this attribute exists for the particular type of document. The date the document will expire as ISO 8601:2004 YYYY-MM-DD format.
+    date_of_issuance?:  string;     // OPTIONAL. If this attribute exists for the particular type of document. The date the document was issued as ISO 8601:2004 YYYY-MM-DD format.
+    document_number?:   string;     // OPTIONAL. Unique document ID that was issued to the End-User. This is used on one document and will change if it is reissued, e.g., a passport number, certificate number, etc. Note: number can be used as an alias for 'document_number' for backward compatibilty purposes but will be deprecated in future releases, implementers are recommended to use document_number.
+    serial_number?:     string;     // OPTIONAL. Model of document irrespective of any personalization information (usually physical artefacts and is present before personalization).
+    type:               string;     // REQUIRED. Standardized values are defined in the Identity Documents section. The OP MAY use other than the predefined values in which case the RPs will either be unable to process the assertion, just store this value for audit purposes, or apply bespoken business logic to it.
+}
+
+/** JSON object representing the document used to perform the identity verification.
+ *  - type: REQUIRED. Standardized values are defined in the Identity Documents section. The OP MAY use other than the predefined values in which case the RPs will either be unable to process the assertion, just store this value for audit purposes, or apply bespoken business logic to it.
+ *  - personal_number: OPTIONAL. It is the subject's DID URI (can be also the holder).
+ *  - issuer: OPTIONAL. JSON object containing information about the issuer of this document.
+ *  - date_of_issuance: REQUIRED. If this attribute exists for the particular type of document. The date the document was issued as ISO 8601:2004 YYYY-MM-DD format.
+ *  - date_of_expiry: REQUIRED. If this attribute exists for the particular type of document. The date the document will expire as ISO 8601:2004 YYYY-MM-DD format.
+ *  - document_number: OPTIONAL. Unique document ID that was issued to the End-User. This is used on one document and will change if it is reissued, e.g., a passport number, certificate number, etc. Note: number can be used as an alias for 'document_number' for backward compatibilty purposes but will be deprecated in future releases, implementers are recommended to use document_number.
+ *  - serial_number: OPTIONAL. Model of document irrespective of any personalization information (usually physical artefacts and is present before personalization).
+ */
+export interface DocumentDetailsDLT extends
+    DocumentDetailsBase // type, date_of_issuance, date_of_expiry, document_number, serial_number (model of the document irrespective of any personalization information)
+{
+    issuer?:            IssuerElectronicRecordDLT;  // OPTIONAL. Object containing information about the issuer of this document.
+    personal_number?:   string;                     // OPTIONAL. Holder.id / subjectId
+}

package/src/models/oidc4ida.electronicRecord.model.ts

@@ -0,0 +1,86 @@
+// Copyright 2025 Antifraud Services Inc. under the Apache License, Version 2.0.
+// File: crypto-ts/models/oidc4ida.electronicRecord.model.ts
+
+import { AttachmentExternalDLT, CheckDetails, VerifierDLT } from './oidc4ida.common.model';
+
+// TODO: IssuerElectronicRecordOpenID with personal_number
+
+/** OpenID 'electronic_record' evidence sub-element base data
+ *  to be extended with 'attachments' and 'record' elements for blockchain or OpenID Evidence of Electronic Record
+ *  The electronic health record can be about a VC, SHC, DGC, FHIR Bundle or single resource (e.g.: a single medical record).
+ *  - 'type': always 'electronic_record.
+ *  - 'check_details': OPTIONAL. Checks done in relation to the evidence. https://bitbucket.org/openid/ekyc-ida/wiki/identifiers
+ *  - 'verifier': legal entity that performed the identity verification on behalf of the OP (OpenID Provider)
+ *  - 'time': Time stamp in ISO 8601:2004 format representing the date when it was verified.
+ */
+export interface EvidenceElectronicRecordBase {
+    check_details?: CheckDetails[];      // OPTIONAL. Checks done in relation to the evidence. https://bitbucket.org/openid/ekyc-ida/wiki/identifiers
+    time?:          string;                   // OPTIONAL. Time stamp in ISO 8601:2004 [ISO8601-2004] YYYY-MM-DDThh:mm[:ss]TZD format representing the date when it was verified
+    type?:          'electronic_record';      // REQUIRED but not stored on blockchain in case of FHIR resources (they always are 'electronic_records').
+    verifier?:      VerifierDLT;              // OPTIONAL. A JSON object denoting the legal entity that performed the identity verification on behalf of the OP.
+}
+
+/** OpenID 'electronic_record' evidence sub-element for blockchain.
+ *  The electronic health record can be about a VC, SHC, DGC, FHIR Bundle or single resource (e.g.: a single medical record).
+ *  - 'record': 'source' (issuer), 'personal_number' (subject's DID), 'created_at', 'date_of_expiry', 'type' ('idcard' or 'vc', 'shc', 'dgc', 'fhir', etc: see 'Electronic Records' at https://bitbucket.org/openid/ekyc-ida/wiki/identifiers)
+ *  - 'attachments': only external attachments are allowed for blockchain certification (no inline data)
+ *  - 'type': always 'electronic_record.
+ *  - 'validation_method': how the authenticity of the document was determined.
+ *  - 'verification_method': how the user was proven to be the owner of the claims.
+ *  - 'verifier': legal entity that performed the identity verification on behalf of the OP (OpenID Provider)
+ *  - 'time': Time stamp in ISO 8601:2004 format representing the date when it was verified.
+ *
+ *  NOTE: 'document_details' is not for electronic records (use 'record' instead).
+ */
+export interface EvidenceElectronicRecordDLT extends
+    EvidenceElectronicRecordBase    // 'type', 'validation_method', 'verification_method', 'verifier', 'time'
+{
+    attachments?:   AttachmentExternalDLT[];  // OPTIONAL. Array of JSON objects representing attachments like photocopies of documents or certificates.
+    record?:        ElectronicRecordDLT;      // JSON object representing the id document used to perform the id verification
+}
+
+/** OpenID 'electronic_record' evidence sub-element can be about an ID card, VC, SHC, DGC, etc.
+ *  - 'type': can be 'idcard', 'vc', 'shc', 'dgc', 'fhir', etc (see 'Electronic Records' at https://bitbucket.org/openid/ekyc-ida/wiki/identifiers)
+ *  - 'created_at': is the same as 'validFrom' property in a W3C credential.
+ *  - 'date_of_expiry': it the same as 'validUntil' in a W3C credential.
+ *  - 'personal_number' is the subject's DID URI, similar to 'holder.id' property in a W3C credential.
+ *
+ *  NOTE: 'personal_number' (subject DID URI) is not excluded for now?
+ */
+export interface ElectronicRecordBase {
+    type:               string;             // REQUIRED. string;denoting the type of electronic record. See https://bitbucket.org/openid/ekyc-ida/wiki/identifiers
+    created_at?:        string;             // OPTIONAL. The time the record was created as ISO 8601:2004 [ISO8601-2004] YYYY-MM-DDThh:mm[:ss]TZD format    date_of_expiry?:    string; // REQUIRED. If this attribute exists for the particular type of document. The date the document will expire as ISO 8601:2004 YYYY-MM-DD format.
+    date_of_expiry?:    string;             // OPTIONAL. The date the evidence will expire as ISO 8601:2004 [ISO8601-2004] YYYY-MM-DD format.
+    source?:            IssuerElectronicRecordBase; // OPTIONAL. Issuer as source of the record (can have jurisdiction and )
+    // personal_number?:   string;                     // OPTIONAL. Subject DID URI (it can be also the holder ID).
+}
+
+/** OpenID 'electronic_record' evidence sub-element can be about a VC, SHC of DGC.
+ *  - 'type': String denoting the type of electronic record. It can be a predefined value (idcard, etc) or 'vc', 'shc', 'dgc', 'fhir', etc (see 'Electronic Records' at https://bitbucket.org/openid/ekyc-ida/wiki/identifiers)
+ *  - 'created_at' is the issued property.
+ *  - 'date_of_expiry' it the periodEnd.
+ *  NOTE:
+ *  - 'personal_number' (subject DID) is excluded for now? (it is also the same as the 'holder.id' property in VC).
+ */
+export interface ElectronicRecordDLT extends
+    ElectronicRecordBase    // 'type', 'personal_number', 'created_at', 'date_of_expiry'
+{
+    source?: IssuerElectronicRecordDLT; // OPTIONAL. Issuer as source of the record (API can set the name and jurisdiction for the OpenID source element)
+}
+
+/** Issuer's anonymized information (can be used for research purposes) */
+export interface IssuerElectronicRecordBase {
+    country_code?:  string; // ISO 3166/ICAO 3-letter codes [ICAO-Doc9303]. 2-letter ISO 3166/ICAO codes MAY be used in some circumstances for compatibility reasons.
+    jurisdiction?:  string; // ISO: String containing the region(s) / state(s) / province(s) / municipality(ies) that source has jurisdiction over
+    // postal_code?:string; // Zip code or postal code component.
+}
+
+/** It replaces the issuer 'name' by 'id' and 'type' (for blockchain)
+ *  and also includes 'country' and 'region' (but not 'postal_code', 'locality' or 'stree_address').
+ */
+export interface IssuerElectronicRecordDLT extends
+    IssuerElectronicRecordBase
+{
+    id?:            string; // custom UHC property instead of 'name'
+    type?:          string; // custom UHC property
+}

package/src/models/oidc4ida.evidence.model.ts

@@ -0,0 +1,69 @@
+// Copyright 2025 Antifraud Services Inc. under the Apache License, Version 2.0.
+// File: crypto-ts/models/oidc4ida.evidence.model.ts
+
+import { EvidenceDocumentDLT } from "./oidc4ida.document.model";
+import { EvidenceElectronicRecordDLT } from "./oidc4ida.electronicRecord.model";
+
+/** W3C Evidence for VCs can be generated by the API from some OpenID evidence stored on blockchain.
+ *  See EBSI v2: https://ec.europa.eu/digital-building-blocks/wikis/display/EBSIDOC/Verifiable+Attestation
+ *  - id: OPTIONAL. If present, it MUST contain a URL that points to where more information about this instance of evidence can be found (e.g.: urn:unid:uhc:vc:xyz or e.g.: "https://example.edu/evidence/f2aeec97-fc0d-42bf-8ca7-0548192dxyzab")
+ *  - type: REQUIRED. Defines the evidence type, e.g.: ["DocumentVerification"], ["id_document"], ["utility_bill"], ["qes"]
+ *  - verifier: REQUIRED. Defines entity that has verified documents before Verifiable Attestation issuance, e.g.: "https://example.edu/issuers/14"
+ *  - evidenceDocument: REQUIRED. Defines document(s) which have been verified before Verifiable Attestation issuance, e.g.: "DriversLicense" (TODO: can be used HL7 instead?). QUESTION: Should it be the universal ID instead a description? RESPONSE: No, because it is linked to a credentialSubject within a credential
+ *  - subjectPresence: REQUIRED. Defines if the Verifiable Attestation Subject was physically present in the course of the verification, e.g.: 'Physical' or 'Digital'
+ *  - documentPresence:  REQUIRED. Defines how the document(s) which have been verified before Verifiable Credentials issuance have been provided, e.g.: 'Physical' or 'Digital'
+ */
+export interface EvidenceW3C {
+    id?:                string;
+    type?:              string[];
+    verifier?:          string;
+    evidenceDocument?:  string;
+    subjectPresence?:   string;
+    documentPresence?:  string;
+}
+
+/** OpenID 'electronic_signature' evidence sub-element
+ * 'serial_number' can be the DID of the public key for doing the verification process instead of the serial number of a certificate.
+ */
+export interface EvidenceElectronicSignatureBase{
+    type:           'electronic_signature'; // REQUIRED: Fixed to 'electronic_signature'
+    signature_type: string;                 // REQUIRED. Type of signature used as evidence. The value range might be restricted by the respective trust framework.
+    issuer:         string;                 // REQUIRED. Certification authority that issued the signer's certificate.
+    serial_number:  string;                 // REQUIRED. DID#KID or Serial number of the certificate used to sign.
+    created_at:     string;                 // REQUIRED. The time the signature was created as ISO 8601:2004 YYYY-MM-DDThh:mm:ss±hh format
+}
+
+/** The used language is not specified, but is usually bound to the jurisdiction of the underlying trust framework of the OP. */
+export interface AttachedSignatureDLT {
+  // desc?:          string; // OPTIONAL. Description of the document. This can be the filename or just an explanation of the content (e.g. "Back of id document")
+  content_type:   string; // e.g.: 'jws'
+  content:        string; // e.g. detached signature string (compact JWS) or bytes encoded in Base64
+}
+
+/** OpenID 'electronic_signature' evidence sub-element
+ * 'serial_number' can be the DID of the public key for doing the verification process instead of the serial number of a certificate.
+ * It also contains 'type', 'signature_type', 'issuer', 'serial_number', 'created_at' and external 'attachments' with 'digest.alg' and 'digest.value'.
+ */
+export interface EvidenceElectronicSignatureDLT extends
+    EvidenceElectronicSignatureBase // 'type', 'signature_type', 'issuer', 'serial_number', 'created_at'
+{
+    attachments?:   AttachedSignatureDLT[];   // OPTIONAL. Array of JSON objects containing signatures, e.g. 'jws' or 'Ed25519' signature types.
+}
+
+/** Evidence is the certification of the authenticity of some (physical) document, (electronic) record, (electronic) signature, (utility) bill or vouch.
+ * OpenID Connect for Identity Assurance 1.0: https://openid.net/specs/openid-connect-4-identity-assurance-1_0.html
+ * 5.1.1. Evidence Element - types of evidence:
+ * - document: Verification based on any kind of physical or electronic document provided by the End-User.
+ * - electronic_record: Verification based on data or information obtained electronically from an approved or recognized source.
+ * - vouch: Verification based on an attestation or reference given by an approved or recognized person declaring they believe to the best of their knowledge that the Claim(s) are genuine and true.
+ * - utility_bill: Verification based on a utility bill (this is to be deprecated in future releases and implementers are recommended to use the document type instead).
+ * - electronic_signature: Verification based on an electronic signature.
+ */
+export type EvidenceObjectDLT =
+    EvidenceElectronicRecordDLT         // e.g.: VC, SHC, DGC, FHIR record, etc.
+    | EvidenceDocumentDLT               // e.g.: evidence of a physical document
+    | EvidenceElectronicSignatureDLT    // evidence from a digital certificate signature (e.g. PDF document)
+    // | EvidenceVouchDLT
+    // | EvidenceBillDLT
+
+