diff --git a/.eslintrc.js b/.eslintrc.js index c669beed73..51535e4a4d 100644 --- a/.eslintrc.js +++ b/.eslintrc.js @@ -99,7 +99,7 @@ module.exports = { }, }, { - files: ['demo/**'], + files: ['demo/**', 'demo-openid/**'], rules: { 'no-console': 'off', }, @@ -112,6 +112,7 @@ module.exports = { 'jest.*.ts', 'samples/**', 'demo/**', + 'demo-openid/**', 'scripts/**', '**/tests/**', ], diff --git a/demo-openid/README.md b/demo-openid/README.md new file mode 100644 index 0000000000..93f14ee99f --- /dev/null +++ b/demo-openid/README.md @@ -0,0 +1,89 @@ +

DEMO

+ +This is the Aries Framework Javascript demo. Walk through the AFJ flow yourself together with agents Alice and Faber. + +Alice, a former student of Faber College, connects with the College, is issued a credential about her degree and then is asked by the College for a proof. + +## Features + +- ✅ Creating a connection +- ✅ Offering a credential +- ✅ Requesting a proof +- ✅ Sending basic messages + +## Getting Started + +### Platform Specific Setup + +In order to use Aries Framework JavaScript some platform specific dependencies and setup is required. See our guides below to quickly set up you project with Aries Framework JavaScript for NodeJS, React Native and Electron. + +- [NodeJS](https://aries.js.org/guides/getting-started/installation/nodejs) + +### Run the demo + +These are the steps for running the AFJ demo: + +Clone the AFJ git repository: + +```sh +git clone https://github.com/hyperledger/aries-framework-javascript.git +``` + +Open two different terminals next to each other and in both, go to the demo folder: + +```sh +cd aries-framework-javascript/demo +``` + +Install the project in one of the terminals: + +```sh +yarn install +``` + +In the left terminal run Alice: + +```sh +yarn alice +``` + +In the right terminal run Faber: + +```sh +yarn faber +``` + +### Usage + +To set up a connection: + +- Select 'receive connection invitation' in Alice and 'create connection invitation' in Faber +- Faber will print a invitation link which you then copy and paste to Alice +- You have now set up a connection! + +To offer a credential: + +- Select 'offer credential' in Faber +- Faber will start with registering a schema and the credential definition accordingly +- You have now send a credential offer to Alice! +- Go to Alice to accept the incoming credential offer by selecting 'yes'. + +To request a proof: + +- Select 'request proof' in Faber +- Faber will create a new proof attribute and will then send a proof request to Alice! +- Go to Alice to accept the incoming proof request + +To send a basic message: + +- Select 'send message' in either one of the Agents +- Type your message and press enter +- Message sent! + +Exit: + +- Select 'exit' to shutdown the agent. + +Restart: + +- Select 'restart', to shutdown the current agent and start a new one diff --git a/demo-openid/package.json b/demo-openid/package.json new file mode 100644 index 0000000000..e3a22d39c5 --- /dev/null +++ b/demo-openid/package.json @@ -0,0 +1,36 @@ +{ + "name": "afj-demo-openid", + "version": "1.0.0", + "private": true, + "repository": { + "type": "git", + "url": "https://github.com/hyperledger/aries-framework-javascript", + "directory": "demo-openid/" + }, + "license": "Apache-2.0", + "scripts": { + "issuer": "ts-node src/IssuerInquirer.ts", + "holder": "ts-node src/HolderInquirer.ts", + "verifier": "ts-node src/VerifierInquirer.ts", + "refresh": "rm -rf ./node_modules ./yarn.lock && yarn" + }, + "dependencies": { + "@aries-framework/openid4vc": "*", + "@hyperledger/anoncreds-nodejs": "^0.2.0-dev.4", + "@hyperledger/aries-askar-nodejs": "^0.2.0-dev.1", + "@hyperledger/indy-vdr-nodejs": "^0.2.0-dev.5", + "express": "^4.18.1", + "inquirer": "^8.2.5" + }, + "devDependencies": { + "@aries-framework/askar": "*", + "@aries-framework/core": "*", + "@aries-framework/node": "*", + "@types/express": "^4.17.13", + "@types/figlet": "^1.5.4", + "@types/inquirer": "^8.2.6", + "clear": "^0.1.0", + "figlet": "^1.5.2", + "ts-node": "^10.4.0" + } +} diff --git a/demo-openid/src/BaseAgent.ts b/demo-openid/src/BaseAgent.ts new file mode 100644 index 0000000000..636a0d74d0 --- /dev/null +++ b/demo-openid/src/BaseAgent.ts @@ -0,0 +1,61 @@ +import type { InitConfig, KeyDidCreateOptions, ModulesMap, VerificationMethod } from '@aries-framework/core' +import type { Express } from 'express' + +import { Agent, DidKey, HttpOutboundTransport, KeyType, TypedArrayEncoder } from '@aries-framework/core' +import { HttpInboundTransport, agentDependencies } from '@aries-framework/node' +import express from 'express' + +import { greenText } from './OutputClass' + +export class BaseAgent { + public app: Express + public port: number + public name: string + public config: InitConfig + public agent: Agent + public did!: string + public didKey!: DidKey + public kid!: string + public verificationMethod!: VerificationMethod + + public constructor({ port, name, modules }: { port: number; name: string; modules: AgentModules }) { + this.name = name + this.port = port + this.app = express() + + const config = { + label: name, + walletConfig: { id: name, key: name }, + } satisfies InitConfig + + this.config = config + + this.agent = new Agent({ config, dependencies: agentDependencies, modules }) + + const httpInboundTransport = new HttpInboundTransport({ app: this.app, port: this.port }) + const httpOutboundTransport = new HttpOutboundTransport() + + this.agent.registerInboundTransport(httpInboundTransport) + this.agent.registerOutboundTransport(httpOutboundTransport) + } + + public async initializeAgent(secretPrivateKey: string) { + await this.agent.initialize() + + const didCreateResult = await this.agent.dids.create({ + method: 'key', + options: { keyType: KeyType.Ed25519 }, + secret: { privateKey: TypedArrayEncoder.fromString(secretPrivateKey) }, + }) + + this.did = didCreateResult.didState.did as string + this.didKey = DidKey.fromDid(this.did) + this.kid = `${this.did}#${this.didKey.key.fingerprint}` + + const verificationMethod = didCreateResult.didState.didDocument?.dereferenceKey(this.kid, ['authentication']) + if (!verificationMethod) throw new Error('No verification method found') + this.verificationMethod = verificationMethod + + console.log(greenText(`\nAgent ${this.name} created!\n`)) + } +} diff --git a/demo-openid/src/BaseInquirer.ts b/demo-openid/src/BaseInquirer.ts new file mode 100644 index 0000000000..358d72b632 --- /dev/null +++ b/demo-openid/src/BaseInquirer.ts @@ -0,0 +1,55 @@ +import { prompt } from 'inquirer' + +import { Title } from './OutputClass' + +export enum ConfirmOptions { + Yes = 'yes', + No = 'no', +} + +export class BaseInquirer { + public optionsInquirer: { type: string; prefix: string; name: string; message: string; choices: string[] } + public inputInquirer: { type: string; prefix: string; name: string; message: string; choices: string[] } + + public constructor() { + this.optionsInquirer = { + type: 'list', + prefix: '', + name: 'options', + message: '', + choices: [], + } + + this.inputInquirer = { + type: 'input', + prefix: '', + name: 'input', + message: '', + choices: [], + } + } + + public inquireOptions(promptOptions: string[]) { + this.optionsInquirer.message = Title.OptionsTitle + this.optionsInquirer.choices = promptOptions + return this.optionsInquirer + } + + public inquireInput(title: string) { + this.inputInquirer.message = title + return this.inputInquirer + } + + public inquireConfirmation(title: string) { + this.optionsInquirer.message = title + this.optionsInquirer.choices = [ConfirmOptions.Yes, ConfirmOptions.No] + return this.optionsInquirer + } + + public async inquireMessage() { + this.inputInquirer.message = Title.MessageTitle + const message = await prompt([this.inputInquirer]) + + return message.input[0] === 'q' ? null : message.input + } +} diff --git a/demo-openid/src/Holder.ts b/demo-openid/src/Holder.ts new file mode 100644 index 0000000000..8a661b4825 --- /dev/null +++ b/demo-openid/src/Holder.ts @@ -0,0 +1,104 @@ +import type { + OpenId4VciResolvedCredentialOffer, + OpenId4VcSiopResolvedAuthorizationRequest, +} from '@aries-framework/openid4vc' + +import { AskarModule } from '@aries-framework/askar' +import { + W3cJwtVerifiableCredential, + W3cJsonLdVerifiableCredential, + DifPresentationExchangeService, +} from '@aries-framework/core' +import { OpenId4VcHolderModule } from '@aries-framework/openid4vc' +import { ariesAskar } from '@hyperledger/aries-askar-nodejs' + +import { BaseAgent } from './BaseAgent' +import { Output } from './OutputClass' + +function getOpenIdHolderModules() { + return { + askar: new AskarModule({ ariesAskar }), + openId4VcHolder: new OpenId4VcHolderModule(), + } as const +} + +export class Holder extends BaseAgent> { + public constructor(port: number, name: string) { + super({ port, name, modules: getOpenIdHolderModules() }) + } + + public static async build(): Promise { + const holder = new Holder(3000, 'OpenId4VcHolder ' + Math.random().toString()) + await holder.initializeAgent('96213c3d7fc8d4d6754c7a0fd969598e') + + return holder + } + + public async resolveCredentialOffer(credentialOffer: string) { + return await this.agent.modules.openId4VcHolder.resolveCredentialOffer(credentialOffer) + } + + public async requestAndStoreCredentials( + resolvedCredentialOffer: OpenId4VciResolvedCredentialOffer, + credentialsToRequest: string[] + ) { + const credentials = await this.agent.modules.openId4VcHolder.acceptCredentialOfferUsingPreAuthorizedCode( + resolvedCredentialOffer, + { + credentialsToRequest, + // TODO: add jwk support for holder binding + credentialBindingResolver: async () => ({ + method: 'did', + didUrl: this.verificationMethod.id, + }), + } + ) + + const storedCredentials = await Promise.all( + credentials.map((credential) => { + if (credential instanceof W3cJwtVerifiableCredential || credential instanceof W3cJsonLdVerifiableCredential) { + return this.agent.w3cCredentials.storeCredential({ credential }) + } else { + return this.agent.sdJwtVc.store(credential.compact) + } + }) + ) + + return storedCredentials + } + + public async resolveProofRequest(proofRequest: string) { + const resolvedProofRequest = await this.agent.modules.openId4VcHolder.resolveSiopAuthorizationRequest(proofRequest) + + return resolvedProofRequest + } + + public async acceptPresentationRequest(resolvedPresentationRequest: OpenId4VcSiopResolvedAuthorizationRequest) { + const presentationExchangeService = this.agent.dependencyManager.resolve(DifPresentationExchangeService) + + if (!resolvedPresentationRequest.presentationExchange) { + throw new Error('Missing presentation exchange on resolved authorization request') + } + + const submissionResult = await this.agent.modules.openId4VcHolder.acceptSiopAuthorizationRequest({ + authorizationRequest: resolvedPresentationRequest.authorizationRequest, + presentationExchange: { + credentials: presentationExchangeService.selectCredentialsForRequest( + resolvedPresentationRequest.presentationExchange.credentialsForRequest + ), + }, + }) + + return submissionResult.serverResponse + } + + public async exit() { + console.log(Output.Exit) + await this.agent.shutdown() + process.exit(0) + } + + public async restart() { + await this.agent.shutdown() + } +} diff --git a/demo-openid/src/HolderInquirer.ts b/demo-openid/src/HolderInquirer.ts new file mode 100644 index 0000000000..a4fe1cf1e6 --- /dev/null +++ b/demo-openid/src/HolderInquirer.ts @@ -0,0 +1,201 @@ +import type { SdJwtVcRecord, W3cCredentialRecord } from '@aries-framework/core/src' +import type { + OpenId4VcSiopResolvedAuthorizationRequest, + OpenId4VciResolvedCredentialOffer, +} from '@aries-framework/openid4vc' + +import { DifPresentationExchangeService } from '@aries-framework/core/src' +import console, { clear } from 'console' +import { textSync } from 'figlet' +import { prompt } from 'inquirer' + +import { BaseInquirer, ConfirmOptions } from './BaseInquirer' +import { Holder } from './Holder' +import { Title, greenText, redText } from './OutputClass' + +export const runHolder = async () => { + clear() + console.log(textSync('Holder', { horizontalLayout: 'full' })) + const holder = await HolderInquirer.build() + await holder.processAnswer() +} + +enum PromptOptions { + ResolveCredentialOffer = 'Resolve a credential offer.', + RequestCredential = 'Accept the credential offer.', + ResolveProofRequest = 'Resolve a proof request.', + AcceptPresentationRequest = 'Accept the presentation request.', + Exit = 'Exit', + Restart = 'Restart', +} + +export class HolderInquirer extends BaseInquirer { + public holder: Holder + public resolvedCredentialOffer?: OpenId4VciResolvedCredentialOffer + public resolvedPresentationRequest?: OpenId4VcSiopResolvedAuthorizationRequest + + public constructor(holder: Holder) { + super() + this.holder = holder + } + + public static async build(): Promise { + const holder = await Holder.build() + return new HolderInquirer(holder) + } + + private async getPromptChoice() { + const promptOptions = [PromptOptions.ResolveCredentialOffer, PromptOptions.ResolveProofRequest] + + if (this.resolvedCredentialOffer) promptOptions.push(PromptOptions.RequestCredential) + if (this.resolvedPresentationRequest) promptOptions.push(PromptOptions.AcceptPresentationRequest) + + return prompt([this.inquireOptions(promptOptions.map((o) => o.valueOf()))]) + } + + public async processAnswer() { + const choice = await this.getPromptChoice() + + switch (choice.options) { + case PromptOptions.ResolveCredentialOffer: + await this.resolveCredentialOffer() + break + case PromptOptions.RequestCredential: + await this.requestCredential() + break + case PromptOptions.ResolveProofRequest: + await this.resolveProofRequest() + break + case PromptOptions.AcceptPresentationRequest: + await this.acceptPresentationRequest() + break + case PromptOptions.Exit: + await this.exit() + break + case PromptOptions.Restart: + await this.restart() + return + } + await this.processAnswer() + } + + public async exitUseCase(title: string) { + const confirm = await prompt([this.inquireConfirmation(title)]) + if (confirm.options === ConfirmOptions.No) { + return false + } else if (confirm.options === ConfirmOptions.Yes) { + return true + } + } + + public async resolveCredentialOffer() { + const credentialOffer = await prompt([this.inquireInput('Enter credential offer: ')]) + const resolvedCredentialOffer = await this.holder.resolveCredentialOffer(credentialOffer.input) + this.resolvedCredentialOffer = resolvedCredentialOffer + + console.log(greenText(`Received credential offer for the following credentials.`)) + console.log(greenText(resolvedCredentialOffer.offeredCredentials.map((credential) => credential.id).join('\n'))) + } + + public async requestCredential() { + if (!this.resolvedCredentialOffer) { + throw new Error('No credential offer resolved yet.') + } + + const credentialsThatCanBeRequested = this.resolvedCredentialOffer.offeredCredentials.map( + (credential) => credential.id + ) + + const choice = await prompt([this.inquireOptions(credentialsThatCanBeRequested)]) + + const credentialToRequest = this.resolvedCredentialOffer.offeredCredentials.find( + (credential) => credential.id === choice.options + ) + if (!credentialToRequest) throw new Error('Credential to request not found.') + + console.log(greenText(`Requesting the following credential '${credentialToRequest.id}'`)) + + const credentials = await this.holder.requestAndStoreCredentials( + this.resolvedCredentialOffer, + this.resolvedCredentialOffer.offeredCredentials.map((o) => o.id) + ) + + console.log(greenText(`Received and stored the following credentials.`)) + console.log('') + credentials.forEach(this.printCredential) + } + + public async resolveProofRequest() { + const proofRequestUri = await prompt([this.inquireInput('Enter proof request: ')]) + this.resolvedPresentationRequest = await this.holder.resolveProofRequest(proofRequestUri.input) + + const presentationDefinition = this.resolvedPresentationRequest?.presentationExchange?.definition + console.log(greenText(`Presentation Purpose: '${presentationDefinition?.purpose}'`)) + + if (this.resolvedPresentationRequest?.presentationExchange?.credentialsForRequest.areRequirementsSatisfied) { + const selectedCredentials = Object.values( + this.holder.agent.dependencyManager + .resolve(DifPresentationExchangeService) + .selectCredentialsForRequest(this.resolvedPresentationRequest.presentationExchange.credentialsForRequest) + ).flatMap((e) => e) + console.log( + greenText( + `All requirements for creating the presentation are satisfied. The following credentials will be shared`, + true + ) + ) + selectedCredentials.forEach(this.printCredential) + } else { + console.log(redText(`No credentials available that satisfy the proof request.`)) + } + } + + public async acceptPresentationRequest() { + if (!this.resolvedPresentationRequest) throw new Error('No presentation request resolved yet.') + + console.log(greenText(`Accepting the presentation request.`)) + + const serverResponse = await this.holder.acceptPresentationRequest(this.resolvedPresentationRequest) + + if (serverResponse.status >= 200 && serverResponse.status < 300) { + console.log(`received success status code '${serverResponse.status}'`) + } else { + console.log(`received error status code '${serverResponse.status}'`) + } + } + + public async exit() { + const confirm = await prompt([this.inquireConfirmation(Title.ConfirmTitle)]) + if (confirm.options === ConfirmOptions.No) { + return + } else if (confirm.options === ConfirmOptions.Yes) { + await this.holder.exit() + } + } + + public async restart() { + const confirm = await prompt([this.inquireConfirmation(Title.ConfirmTitle)]) + if (confirm.options === ConfirmOptions.No) { + await this.processAnswer() + return + } else if (confirm.options === ConfirmOptions.Yes) { + await this.holder.restart() + await runHolder() + } + } + + private printCredential = (credential: W3cCredentialRecord | SdJwtVcRecord) => { + if (credential.type === 'W3cCredentialRecord') { + console.log(greenText(`W3cCredentialRecord with claim format ${credential.credential.claimFormat}`, true)) + console.log(JSON.stringify(credential.credential.jsonCredential, null, 2)) + console.log('') + } else { + console.log(greenText(`SdJwtVcRecord`, true)) + const prettyClaims = this.holder.agent.sdJwtVc.fromCompact(credential.compactSdJwtVc).prettyClaims + console.log(JSON.stringify(prettyClaims, null, 2)) + console.log('') + } + } +} + +void runHolder() diff --git a/demo-openid/src/Issuer.ts b/demo-openid/src/Issuer.ts new file mode 100644 index 0000000000..0eb75be86f --- /dev/null +++ b/demo-openid/src/Issuer.ts @@ -0,0 +1,181 @@ +import type { DidKey } from '@aries-framework/core' +import type { + OpenId4VcCredentialHolderBinding, + OpenId4VcCredentialHolderDidBinding, + OpenId4VciCredentialRequestToCredentialMapper, + OpenId4VciCredentialSupportedWithId, + OpenId4VcIssuerRecord, +} from '@aries-framework/openid4vc' + +import { AskarModule } from '@aries-framework/askar' +import { + ClaimFormat, + parseDid, + AriesFrameworkError, + W3cCredential, + W3cCredentialSubject, + W3cIssuer, + w3cDate, +} from '@aries-framework/core' +import { OpenId4VcIssuerModule, OpenId4VciCredentialFormatProfile } from '@aries-framework/openid4vc' +import { ariesAskar } from '@hyperledger/aries-askar-nodejs' +import { Router } from 'express' + +import { BaseAgent } from './BaseAgent' +import { Output } from './OutputClass' + +export const universityDegreeCredential = { + id: 'UniversityDegreeCredential', + format: OpenId4VciCredentialFormatProfile.JwtVcJson, + types: ['VerifiableCredential', 'UniversityDegreeCredential'], +} satisfies OpenId4VciCredentialSupportedWithId + +export const openBadgeCredential = { + id: 'OpenBadgeCredential', + format: OpenId4VciCredentialFormatProfile.JwtVcJson, + types: ['VerifiableCredential', 'OpenBadgeCredential'], +} satisfies OpenId4VciCredentialSupportedWithId + +export const universityDegreeCredentialSdJwt = { + id: 'UniversityDegreeCredential-sdjwt', + format: OpenId4VciCredentialFormatProfile.SdJwtVc, + vct: 'UniversityDegreeCredential', +} satisfies OpenId4VciCredentialSupportedWithId + +export const credentialsSupported = [ + universityDegreeCredential, + openBadgeCredential, + universityDegreeCredentialSdJwt, +] satisfies OpenId4VciCredentialSupportedWithId[] + +function getCredentialRequestToCredentialMapper({ + issuerDidKey, +}: { + issuerDidKey: DidKey +}): OpenId4VciCredentialRequestToCredentialMapper { + return async ({ holderBinding, credentialsSupported }) => { + const credentialSupported = credentialsSupported[0] + + if (credentialSupported.id === universityDegreeCredential.id) { + assertDidBasedHolderBinding(holderBinding) + + return { + format: ClaimFormat.JwtVc, + credential: new W3cCredential({ + type: universityDegreeCredential.types, + issuer: new W3cIssuer({ + id: issuerDidKey.did, + }), + credentialSubject: new W3cCredentialSubject({ + id: parseDid(holderBinding.didUrl).did, + }), + issuanceDate: w3cDate(Date.now()), + }), + verificationMethod: `${issuerDidKey.did}#${issuerDidKey.key.fingerprint}`, + } + } + + if (credentialSupported.id === openBadgeCredential.id) { + assertDidBasedHolderBinding(holderBinding) + + return { + format: ClaimFormat.JwtVc, + credential: new W3cCredential({ + type: openBadgeCredential.types, + issuer: new W3cIssuer({ + id: issuerDidKey.did, + }), + credentialSubject: new W3cCredentialSubject({ + id: parseDid(holderBinding.didUrl).did, + }), + issuanceDate: w3cDate(Date.now()), + }), + verificationMethod: `${issuerDidKey.did}#${issuerDidKey.key.fingerprint}`, + } + } + + if (credentialSupported.id === universityDegreeCredentialSdJwt.id) { + return { + format: ClaimFormat.SdJwtVc, + payload: { vct: universityDegreeCredentialSdJwt.vct, university: 'innsbruck', degree: 'bachelor' }, + holder: holderBinding, + issuer: { + method: 'did', + didUrl: `${issuerDidKey.did}#${issuerDidKey.key.fingerprint}`, + }, + disclosureFrame: { university: true, degree: true }, + } + } + + throw new Error('Invalid request') + } +} + +export class Issuer extends BaseAgent<{ + askar: AskarModule + openId4VcIssuer: OpenId4VcIssuerModule +}> { + public issuerRecord!: OpenId4VcIssuerRecord + + public constructor(port: number, name: string) { + const openId4VciRouter = Router() + + super({ + port, + name, + modules: { + askar: new AskarModule({ ariesAskar }), + openId4VcIssuer: new OpenId4VcIssuerModule({ + baseUrl: 'http://localhost:2000/oid4vci', + router: openId4VciRouter, + endpoints: { + credential: { + credentialRequestToCredentialMapper: (...args) => + getCredentialRequestToCredentialMapper({ issuerDidKey: this.didKey })(...args), + }, + }, + }), + }, + }) + + this.app.use('/oid4vci', openId4VciRouter) + } + + public static async build(): Promise { + const issuer = new Issuer(2000, 'OpenId4VcIssuer ' + Math.random().toString()) + await issuer.initializeAgent('96213c3d7fc8d4d6754c7a0fd969598f') + issuer.issuerRecord = await issuer.agent.modules.openId4VcIssuer.createIssuer({ + credentialsSupported, + }) + + return issuer + } + + public async createCredentialOffer(offeredCredentials: string[]) { + const { credentialOffer } = await this.agent.modules.openId4VcIssuer.createCredentialOffer({ + issuerId: this.issuerRecord.issuerId, + offeredCredentials, + preAuthorizedCodeFlowConfig: { userPinRequired: false }, + }) + + return credentialOffer + } + + public async exit() { + console.log(Output.Exit) + await this.agent.shutdown() + process.exit(0) + } + + public async restart() { + await this.agent.shutdown() + } +} + +function assertDidBasedHolderBinding( + holderBinding: OpenId4VcCredentialHolderBinding +): asserts holderBinding is OpenId4VcCredentialHolderDidBinding { + if (holderBinding.method !== 'did') { + throw new AriesFrameworkError('Only did based holder bindings supported for this credential type') + } +} diff --git a/demo-openid/src/IssuerInquirer.ts b/demo-openid/src/IssuerInquirer.ts new file mode 100644 index 0000000000..dca38ed86a --- /dev/null +++ b/demo-openid/src/IssuerInquirer.ts @@ -0,0 +1,88 @@ +import { clear } from 'console' +import { textSync } from 'figlet' +import { prompt } from 'inquirer' + +import { BaseInquirer, ConfirmOptions } from './BaseInquirer' +import { Issuer, credentialsSupported } from './Issuer' +import { Title, purpleText } from './OutputClass' + +export const runIssuer = async () => { + clear() + console.log(textSync('Issuer', { horizontalLayout: 'full' })) + const issuer = await IssuerInquirer.build() + await issuer.processAnswer() +} + +enum PromptOptions { + CreateCredentialOffer = 'Create a credential offer', + Exit = 'Exit', + Restart = 'Restart', +} + +export class IssuerInquirer extends BaseInquirer { + public issuer: Issuer + public promptOptionsString: string[] + + public constructor(issuer: Issuer) { + super() + this.issuer = issuer + this.promptOptionsString = Object.values(PromptOptions) + } + + public static async build(): Promise { + const issuer = await Issuer.build() + return new IssuerInquirer(issuer) + } + + private async getPromptChoice() { + return prompt([this.inquireOptions(this.promptOptionsString)]) + } + + public async processAnswer() { + const choice = await this.getPromptChoice() + + switch (choice.options) { + case PromptOptions.CreateCredentialOffer: + await this.createCredentialOffer() + break + case PromptOptions.Exit: + await this.exit() + break + case PromptOptions.Restart: + await this.restart() + return + } + await this.processAnswer() + } + + public async createCredentialOffer() { + const choice = await prompt([this.inquireOptions(credentialsSupported.map((credential) => credential.id))]) + const offeredCredential = credentialsSupported.find((credential) => credential.id === choice.options) + if (!offeredCredential) throw new Error(`No credential of type ${choice.options} found, that can be offered.`) + const offerRequest = await this.issuer.createCredentialOffer([offeredCredential.id]) + + console.log(purpleText(`credential offer: '${offerRequest}'`)) + } + + public async exit() { + const confirm = await prompt([this.inquireConfirmation(Title.ConfirmTitle)]) + if (confirm.options === ConfirmOptions.No) { + return + } else if (confirm.options === ConfirmOptions.Yes) { + await this.issuer.exit() + } + } + + public async restart() { + const confirm = await prompt([this.inquireConfirmation(Title.ConfirmTitle)]) + if (confirm.options === ConfirmOptions.No) { + await this.processAnswer() + return + } else if (confirm.options === ConfirmOptions.Yes) { + await this.issuer.restart() + await runIssuer() + } + } +} + +void runIssuer() diff --git a/demo-openid/src/OutputClass.ts b/demo-openid/src/OutputClass.ts new file mode 100644 index 0000000000..b9e69c72f0 --- /dev/null +++ b/demo-openid/src/OutputClass.ts @@ -0,0 +1,40 @@ +export enum Color { + Green = `\x1b[32m`, + Red = `\x1b[31m`, + Purple = `\x1b[35m`, + Reset = `\x1b[0m`, +} + +export enum Output { + NoConnectionRecordFromOutOfBand = `\nNo connectionRecord has been created from invitation\n`, + ConnectionEstablished = `\nConnection established!`, + MissingConnectionRecord = `\nNo connectionRecord ID has been set yet\n`, + ConnectionLink = `\nRun 'Receive connection invitation' in Alice and paste this invitation link:\n\n`, + Exit = 'Shutting down agent...\nExiting...', +} + +export enum Title { + OptionsTitle = '\nOptions:', + InvitationTitle = '\n\nPaste the invitation url here:', + MessageTitle = '\n\nWrite your message here:\n(Press enter to send or press q to exit)\n', + ConfirmTitle = '\n\nAre you sure?', + CredentialOfferTitle = '\n\nCredential offer received, do you want to accept it?', + ProofRequestTitle = '\n\nProof request received, do you want to accept it?', +} + +export const greenText = (text: string, reset?: boolean) => { + if (reset) return Color.Green + text + Color.Reset + + return Color.Green + text +} + +export const purpleText = (text: string, reset?: boolean) => { + if (reset) return Color.Purple + text + Color.Reset + return Color.Purple + text +} + +export const redText = (text: string, reset?: boolean) => { + if (reset) return Color.Red + text + Color.Reset + + return Color.Red + text +} diff --git a/demo-openid/src/Verifier.ts b/demo-openid/src/Verifier.ts new file mode 100644 index 0000000000..8ab4002d74 --- /dev/null +++ b/demo-openid/src/Verifier.ts @@ -0,0 +1,114 @@ +import type { DifPresentationExchangeDefinitionV2 } from '@aries-framework/core/src' +import type { OpenId4VcVerifierRecord } from '@aries-framework/openid4vc' + +import { AskarModule } from '@aries-framework/askar' +import { OpenId4VcVerifierModule } from '@aries-framework/openid4vc' +import { ariesAskar } from '@hyperledger/aries-askar-nodejs' +import { Router } from 'express' + +import { BaseAgent } from './BaseAgent' +import { Output } from './OutputClass' + +const universityDegreePresentationDefinition = { + id: 'UniversityDegreeCredential', + purpose: 'Present your UniversityDegreeCredential to verify your education level.', + input_descriptors: [ + { + id: 'UniversityDegreeCredentialDescriptor', + constraints: { + fields: [ + { + // Works for JSON-LD, SD-JWT and JWT + path: ['$.vc.type.*', '$.vct', '$.type'], + filter: { + type: 'string', + pattern: 'UniversityDegree', + }, + }, + ], + }, + }, + ], +} + +const openBadgeCredentialPresentationDefinition = { + id: 'OpenBadgeCredential', + purpose: 'Provide proof of employment to confirm your employment status.', + input_descriptors: [ + { + id: 'OpenBadgeCredentialDescriptor', + constraints: { + fields: [ + { + // Works for JSON-LD, SD-JWT and JWT + path: ['$.vc.type.*', '$.vct', '$.type'], + filter: { + type: 'string', + pattern: 'OpenBadgeCredential', + }, + }, + ], + }, + }, + ], +} + +export const presentationDefinitions = [ + universityDegreePresentationDefinition, + openBadgeCredentialPresentationDefinition, +] + +export class Verifier extends BaseAgent<{ askar: AskarModule; openId4VcVerifier: OpenId4VcVerifierModule }> { + public verifierRecord!: OpenId4VcVerifierRecord + + public constructor(port: number, name: string) { + const openId4VcSiopRouter = Router() + + super({ + port, + name, + modules: { + askar: new AskarModule({ ariesAskar }), + openId4VcVerifier: new OpenId4VcVerifierModule({ + baseUrl: 'http://localhost:4000/siop', + }), + }, + }) + + this.app.use('/siop', openId4VcSiopRouter) + } + + public static async build(): Promise { + const verifier = new Verifier(4000, 'OpenId4VcVerifier ' + Math.random().toString()) + await verifier.initializeAgent('96213c3d7fc8d4d6754c7a0fd969598g') + verifier.verifierRecord = await verifier.agent.modules.openId4VcVerifier.createVerifier() + + return verifier + } + + // TODO: add method to show the received presentation submission + public async createProofRequest(presentationDefinition: DifPresentationExchangeDefinitionV2) { + const { authorizationRequestUri } = await this.agent.modules.openId4VcVerifier.createAuthorizationRequest({ + requestSigner: { + method: 'did', + didUrl: this.verificationMethod.id, + }, + verifierId: this.verifierRecord.verifierId, + presentationExchange: { + definition: presentationDefinition, + }, + }) + + return authorizationRequestUri + } + + public async exit() { + console.log(Output.Exit) + await this.agent.shutdown() + process.exit(0) + } + + public async restart() { + await this.agent.shutdown() + } +} diff --git a/demo-openid/src/VerifierInquirer.ts b/demo-openid/src/VerifierInquirer.ts new file mode 100644 index 0000000000..8877242fb6 --- /dev/null +++ b/demo-openid/src/VerifierInquirer.ts @@ -0,0 +1,89 @@ +import { clear } from 'console' +import { textSync } from 'figlet' +import { prompt } from 'inquirer' + +import { BaseInquirer, ConfirmOptions } from './BaseInquirer' +import { Title, purpleText } from './OutputClass' +import { Verifier, presentationDefinitions } from './Verifier' + +export const runVerifier = async () => { + clear() + console.log(textSync('Verifier', { horizontalLayout: 'full' })) + const verifier = await VerifierInquirer.build() + await verifier.processAnswer() +} + +enum PromptOptions { + CreateProofOffer = 'Request the presentation of a credential.', + Exit = 'Exit', + Restart = 'Restart', +} + +export class VerifierInquirer extends BaseInquirer { + public verifier: Verifier + public promptOptionsString: string[] + + public constructor(verifier: Verifier) { + super() + this.verifier = verifier + this.promptOptionsString = Object.values(PromptOptions) + } + + public static async build(): Promise { + const verifier = await Verifier.build() + return new VerifierInquirer(verifier) + } + + private async getPromptChoice() { + return prompt([this.inquireOptions(this.promptOptionsString)]) + } + + public async processAnswer() { + const choice = await this.getPromptChoice() + + switch (choice.options) { + case PromptOptions.CreateProofOffer: + await this.createProofRequest() + break + case PromptOptions.Exit: + await this.exit() + break + case PromptOptions.Restart: + await this.restart() + return + } + await this.processAnswer() + } + + public async createProofRequest() { + const choice = await prompt([this.inquireOptions(presentationDefinitions.map((p) => p.id))]) + const presentationDefinition = presentationDefinitions.find((p) => p.id === choice.options) + if (!presentationDefinition) throw new Error('No presentation definition found') + + const proofRequest = await this.verifier.createProofRequest(presentationDefinition) + + console.log(purpleText(`Proof request for the presentation of an ${choice.options}.\n'${proofRequest}'`)) + } + + public async exit() { + const confirm = await prompt([this.inquireConfirmation(Title.ConfirmTitle)]) + if (confirm.options === ConfirmOptions.No) { + return + } else if (confirm.options === ConfirmOptions.Yes) { + await this.verifier.exit() + } + } + + public async restart() { + const confirm = await prompt([this.inquireConfirmation(Title.ConfirmTitle)]) + if (confirm.options === ConfirmOptions.No) { + await this.processAnswer() + return + } else if (confirm.options === ConfirmOptions.Yes) { + await this.verifier.restart() + await runVerifier() + } + } +} + +void runVerifier() diff --git a/demo-openid/tsconfig.json b/demo-openid/tsconfig.json new file mode 100644 index 0000000000..b7d9de6c8e --- /dev/null +++ b/demo-openid/tsconfig.json @@ -0,0 +1,6 @@ +{ + "extends": "../tsconfig.json", + "compilerOptions": { + "skipLibCheck": true + } +} diff --git a/demo/src/BaseAgent.ts b/demo/src/BaseAgent.ts index c2e787e32a..e78d35b564 100644 --- a/demo/src/BaseAgent.ts +++ b/demo/src/BaseAgent.ts @@ -32,14 +32,12 @@ import { Agent, HttpOutboundTransport, } from '@aries-framework/core' -import { IndySdkAnonCredsRegistry, IndySdkModule, IndySdkSovDidResolver } from '@aries-framework/indy-sdk' import { IndyVdrIndyDidResolver, IndyVdrAnonCredsRegistry, IndyVdrModule } from '@aries-framework/indy-vdr' import { agentDependencies, HttpInboundTransport } from '@aries-framework/node' import { anoncreds } from '@hyperledger/anoncreds-nodejs' import { ariesAskar } from '@hyperledger/aries-askar-nodejs' import { indyVdr } from '@hyperledger/indy-vdr-nodejs' import { randomUUID } from 'crypto' -import indySdk from 'indy-sdk' import { greenText } from './OutputClass' @@ -167,46 +165,3 @@ function getAskarAnonCredsIndyModules() { }), } as const } - -function getLegacyIndySdkModules() { - const legacyIndyCredentialFormatService = new LegacyIndyCredentialFormatService() - const legacyIndyProofFormatService = new LegacyIndyProofFormatService() - - return { - connections: new ConnectionsModule({ - autoAcceptConnections: true, - }), - credentials: new CredentialsModule({ - autoAcceptCredentials: AutoAcceptCredential.ContentApproved, - credentialProtocols: [ - new V1CredentialProtocol({ - indyCredentialFormat: legacyIndyCredentialFormatService, - }), - new V2CredentialProtocol({ - credentialFormats: [legacyIndyCredentialFormatService], - }), - ], - }), - proofs: new ProofsModule({ - autoAcceptProofs: AutoAcceptProof.ContentApproved, - proofProtocols: [ - new V1ProofProtocol({ - indyProofFormat: legacyIndyProofFormatService, - }), - new V2ProofProtocol({ - proofFormats: [legacyIndyProofFormatService], - }), - ], - }), - anoncreds: new AnonCredsModule({ - registries: [new IndySdkAnonCredsRegistry()], - }), - indySdk: new IndySdkModule({ - indySdk, - networks: [indyNetworkConfig], - }), - dids: new DidsModule({ - resolvers: [new IndySdkSovDidResolver()], - }), - } as const -} diff --git a/package.json b/package.json index df9133150f..d773b4143c 100644 --- a/package.json +++ b/package.json @@ -5,6 +5,7 @@ "workspaces": [ "packages/*", "demo", + "demo-openid", "samples/*" ], "repository": { diff --git a/packages/anoncreds-rs/tests/anoncredsSetup.ts b/packages/anoncreds-rs/tests/anoncredsSetup.ts index 2ce0a49fee..8e62c72486 100644 --- a/packages/anoncreds-rs/tests/anoncredsSetup.ts +++ b/packages/anoncreds-rs/tests/anoncredsSetup.ts @@ -55,6 +55,7 @@ import { LocalDidResolver } from './LocalDidResolver' // Helper type to get the type of the agents (with the custom modules) for the credential tests export type AnonCredsTestsAgent = Agent< + // eslint-disable-next-line @typescript-eslint/no-explicit-any ReturnType & { mediationRecipient?: any; mediator?: any } > diff --git a/packages/anoncreds/src/models/exchange.ts b/packages/anoncreds/src/models/exchange.ts index 5213153ff9..7d483a602f 100644 --- a/packages/anoncreds/src/models/exchange.ts +++ b/packages/anoncreds/src/models/exchange.ts @@ -90,6 +90,7 @@ export interface AnonCredsProof { predicates: Record } // TODO: extend types for proof property + // eslint-disable-next-line @typescript-eslint/no-explicit-any proof: any identifiers: Array<{ schema_id: string diff --git a/packages/anoncreds/src/utils/credential.ts b/packages/anoncreds/src/utils/credential.ts index 33a7a05c41..c60dbfc6ce 100644 --- a/packages/anoncreds/src/utils/credential.ts +++ b/packages/anoncreds/src/utils/credential.ts @@ -1,7 +1,7 @@ import type { AnonCredsSchema, AnonCredsCredentialValues } from '../models' import type { CredentialPreviewAttributeOptions, LinkedAttachment } from '@aries-framework/core' -import { AriesFrameworkError, Hasher, encodeAttachment, Buffer } from '@aries-framework/core' +import { AriesFrameworkError, Hasher, encodeAttachment } from '@aries-framework/core' import BigNumber from 'bn.js' const isString = (value: unknown): value is string => typeof value === 'string' @@ -150,7 +150,7 @@ export function encodeCredentialValue(value: unknown) { value = 'None' } - return new BigNumber(Hasher.hash(Buffer.from(value as string), 'sha2-256')).toString() + return new BigNumber(Hasher.hash(String(value).toString(), 'sha2-256')).toString() } export function assertAttributesMatch(schema: AnonCredsSchema, attributes: CredentialPreviewAttributeOptions[]) { diff --git a/packages/anoncreds/tests/InMemoryAnonCredsRegistry.ts b/packages/anoncreds/tests/InMemoryAnonCredsRegistry.ts index da51aa12ec..796245135d 100644 --- a/packages/anoncreds/tests/InMemoryAnonCredsRegistry.ts +++ b/packages/anoncreds/tests/InMemoryAnonCredsRegistry.ts @@ -353,9 +353,7 @@ export class InMemoryAnonCredsRegistry implements AnonCredsRegistry { * Does this by hashing the schema id, transforming the hash to a number and taking the first 6 digits. */ function getSeqNoFromSchemaId(schemaId: string) { - const seqNo = Number( - new BigNumber(Hasher.hash(TypedArrayEncoder.fromString(schemaId), 'sha2-256')).toString().slice(0, 5) - ) + const seqNo = Number(new BigNumber(Hasher.hash(schemaId, 'sha2-256')).toString().slice(0, 5)) return seqNo } diff --git a/packages/anoncreds/tests/legacyAnonCredsSetup.ts b/packages/anoncreds/tests/legacyAnonCredsSetup.ts index baef3eac54..b8bc25d359 100644 --- a/packages/anoncreds/tests/legacyAnonCredsSetup.ts +++ b/packages/anoncreds/tests/legacyAnonCredsSetup.ts @@ -74,7 +74,9 @@ import { // Helper type to get the type of the agents (with the custom modules) for the credential tests export type AnonCredsTestsAgent = + // eslint-disable-next-line @typescript-eslint/no-explicit-any | Agent & { mediationRecipient?: any; mediator?: any }> + // eslint-disable-next-line @typescript-eslint/no-explicit-any | Agent & { mediationRecipient?: any; mediator?: any }> export const getLegacyAnonCredsModules = ({ diff --git a/packages/askar/src/wallet/AskarWallet.ts b/packages/askar/src/wallet/AskarWallet.ts index d284dbaf65..afe0b1fa6a 100644 --- a/packages/askar/src/wallet/AskarWallet.ts +++ b/packages/askar/src/wallet/AskarWallet.ts @@ -22,7 +22,6 @@ import { inject, injectable } from 'tsyringe' import { AskarErrorCode, isAskarError, keyDerivationMethodToStoreKeyMethod, uriFromWalletConfig } from '../utils' import { AskarBaseWallet } from './AskarBaseWallet' -import { AskarProfileWallet } from './AskarProfileWallet' /** * @todo: rename after 0.5.0, as we now have multiple types of AskarWallet @@ -87,14 +86,6 @@ export class AskarWallet extends AskarBaseWallet { await this.close() } - /** - * TODO: we can add this method, and add custom logic in the tenants module - * or we can try to register the store on the agent context - */ - public async getProfileWallet() { - return new AskarProfileWallet(this.store, this.logger, this.signingKeyProviderRegistry) - } - /** * @throws {WalletDuplicateError} if the wallet already exists * @throws {WalletError} if another error occurs diff --git a/packages/cheqd/src/anoncreds/services/CheqdAnonCredsRegistry.ts b/packages/cheqd/src/anoncreds/services/CheqdAnonCredsRegistry.ts index 391ce13d92..cc4cf60bfd 100644 --- a/packages/cheqd/src/anoncreds/services/CheqdAnonCredsRegistry.ts +++ b/packages/cheqd/src/anoncreds/services/CheqdAnonCredsRegistry.ts @@ -14,7 +14,7 @@ import type { } from '@aries-framework/anoncreds' import type { AgentContext } from '@aries-framework/core' -import { AriesFrameworkError, Buffer, Hasher, JsonTransformer, TypedArrayEncoder, utils } from '@aries-framework/core' +import { AriesFrameworkError, Hasher, JsonTransformer, TypedArrayEncoder, utils } from '@aries-framework/core' import { CheqdDidResolver, CheqdDidRegistrar } from '../../dids' import { cheqdSdkAnonCredsRegistryIdentifierRegex, parseCheqdDid } from '../utils/identifiers' @@ -142,7 +142,7 @@ export class CheqdAnonCredsRegistry implements AnonCredsRegistry { } const credDefName = `${schema.schema.name}-${credentialDefinition.tag}` - const credDefNameHashBuffer = Hasher.hash(Buffer.from(credDefName), 'sha2-256') + const credDefNameHashBuffer = Hasher.hash(credDefName, 'sha2-256') const credDefResource = { id: utils.uuid(), diff --git a/packages/cheqd/src/anoncreds/utils/identifiers.ts b/packages/cheqd/src/anoncreds/utils/identifiers.ts index ff21b32065..5dd622787d 100644 --- a/packages/cheqd/src/anoncreds/utils/identifiers.ts +++ b/packages/cheqd/src/anoncreds/utils/identifiers.ts @@ -9,18 +9,23 @@ const IDENTIFIER = `((?:${ID_CHAR}*:)*(${ID_CHAR}+))` const PATH = `(/[^#?]*)?` const QUERY = `([?][^#]*)?` const VERSION_ID = `(.*?)` +const FRAGMENT = `([#].*)?` export const cheqdSdkAnonCredsRegistryIdentifierRegex = new RegExp( - `^did:cheqd:${NETWORK}:${IDENTIFIER}${PATH}${QUERY}$` + `^did:cheqd:${NETWORK}:${IDENTIFIER}${PATH}${QUERY}${FRAGMENT}$` ) -export const cheqdDidRegex = new RegExp(`^did:cheqd:${NETWORK}:${IDENTIFIER}${QUERY}$`) -export const cheqdDidVersionRegex = new RegExp(`^did:cheqd:${NETWORK}:${IDENTIFIER}/version/${VERSION_ID}${QUERY}$`) -export const cheqdDidVersionsRegex = new RegExp(`^did:cheqd:${NETWORK}:${IDENTIFIER}/versions${QUERY}$`) -export const cheqdDidMetadataRegex = new RegExp(`^did:cheqd:${NETWORK}:${IDENTIFIER}/metadata${QUERY}$`) -export const cheqdResourceRegex = new RegExp(`^did:cheqd:${NETWORK}:${IDENTIFIER}/resources/${IDENTIFIER}${QUERY}$`) +export const cheqdDidRegex = new RegExp(`^did:cheqd:${NETWORK}:${IDENTIFIER}${QUERY}${FRAGMENT}$`) +export const cheqdDidVersionRegex = new RegExp( + `^did:cheqd:${NETWORK}:${IDENTIFIER}/version/${VERSION_ID}${QUERY}${FRAGMENT}$` +) +export const cheqdDidVersionsRegex = new RegExp(`^did:cheqd:${NETWORK}:${IDENTIFIER}/versions${QUERY}${FRAGMENT}$`) +export const cheqdDidMetadataRegex = new RegExp(`^did:cheqd:${NETWORK}:${IDENTIFIER}/metadata${QUERY}${FRAGMENT}$`) +export const cheqdResourceRegex = new RegExp( + `^did:cheqd:${NETWORK}:${IDENTIFIER}/resources/${IDENTIFIER}${QUERY}${FRAGMENT}$` +) export const cheqdResourceMetadataRegex = new RegExp( - `^did:cheqd:${NETWORK}:${IDENTIFIER}/resources/${IDENTIFIER}/metadata${QUERY}` + `^did:cheqd:${NETWORK}:${IDENTIFIER}/resources/${IDENTIFIER}/metadata${QUERY}${FRAGMENT}` ) export type ParsedCheqdDid = ParsedDid & { network: string } diff --git a/packages/core/package.json b/packages/core/package.json index 04813c5fdd..dbc9021b1f 100644 --- a/packages/core/package.json +++ b/packages/core/package.json @@ -27,15 +27,13 @@ "@digitalcredentials/jsonld-signatures": "^9.3.1", "@digitalcredentials/vc": "^1.1.2", "@multiformats/base-x": "^4.0.1", - "@sphereon/pex": "^2.2.2", - "@sphereon/pex-models": "^2.1.2", - "@sphereon/ssi-types": "^0.17.5", + "@sd-jwt/core": "^0.2.0", + "@sd-jwt/decode": "^0.2.0", + "@sphereon/pex": "^3.0.1", + "@sphereon/pex-models": "^2.1.5", + "@sphereon/ssi-types": "^0.18.1", "@stablelib/ed25519": "^1.0.2", - "@stablelib/random": "^1.0.1", "@stablelib/sha256": "^1.0.1", - "@sphereon/pex": "^2.2.2", - "@sphereon/pex-models": "^2.1.2", - "@sphereon/ssi-types": "^0.17.5", "@types/ws": "^8.5.4", "abort-controller": "^3.0.0", "big-integer": "^1.6.51", diff --git a/packages/core/src/agent/AgentModules.ts b/packages/core/src/agent/AgentModules.ts index faf87ecec7..efe603a40f 100644 --- a/packages/core/src/agent/AgentModules.ts +++ b/packages/core/src/agent/AgentModules.ts @@ -14,6 +14,7 @@ import { MessagePickupModule } from '../modules/message-pickup' import { OutOfBandModule } from '../modules/oob' import { ProofsModule } from '../modules/proofs' import { MediationRecipientModule, MediatorModule } from '../modules/routing' +import { SdJwtVcModule } from '../modules/sd-jwt-vc' import { W3cCredentialsModule } from '../modules/vc' import { WalletModule } from '../wallet' @@ -133,6 +134,7 @@ function getDefaultAgentModules() { w3cCredentials: () => new W3cCredentialsModule(), cache: () => new CacheModule(), pex: () => new DifPresentationExchangeModule(), + sdJwtVc: () => new SdJwtVcModule(), } as const } diff --git a/packages/core/src/agent/BaseAgent.ts b/packages/core/src/agent/BaseAgent.ts index f265f6418a..4cabc81211 100644 --- a/packages/core/src/agent/BaseAgent.ts +++ b/packages/core/src/agent/BaseAgent.ts @@ -18,6 +18,7 @@ import { MessagePickupApi } from '../modules/message-pickup/MessagePickupApi' import { OutOfBandApi } from '../modules/oob' import { ProofsApi } from '../modules/proofs' import { MediatorApi, MediationRecipientApi } from '../modules/routing' +import { SdJwtVcApi } from '../modules/sd-jwt-vc' import { W3cCredentialsApi } from '../modules/vc/W3cCredentialsApi' import { StorageUpdateService } from '../storage' import { UpdateAssistant } from '../storage/migration/UpdateAssistant' @@ -58,6 +59,7 @@ export abstract class BaseAgent> @@ -106,6 +108,7 @@ export abstract class BaseAgent Promise | Jwk export interface VerifyJwsResult { isValid: boolean signerKeys: Key[] + + jws: JwsFlattenedFormat } diff --git a/packages/core/src/crypto/jose/jwt/Jwt.ts b/packages/core/src/crypto/jose/jwt/Jwt.ts index 33bb5c9178..eb73ca05dc 100644 --- a/packages/core/src/crypto/jose/jwt/Jwt.ts +++ b/packages/core/src/crypto/jose/jwt/Jwt.ts @@ -1,4 +1,5 @@ import type { Buffer } from '../../../utils' +import type { JwkJson } from '../jwk' import { AriesFrameworkError } from '../../../error' import { JsonEncoder, TypedArrayEncoder } from '../../../utils' @@ -9,6 +10,7 @@ import { JwtPayload } from './JwtPayload' interface JwtHeader { alg: string kid?: string + jwk?: JwkJson [key: string]: unknown } diff --git a/packages/core/src/index.ts b/packages/core/src/index.ts index 46b4dbddc1..5e196602e2 100644 --- a/packages/core/src/index.ts +++ b/packages/core/src/index.ts @@ -38,7 +38,7 @@ export { Repository } from './storage/Repository' export * from './storage/RepositoryEvents' export { StorageService, Query, SimpleQuery, BaseRecordConstructor } from './storage/StorageService' export * from './storage/migration' -export { getDirFromFilePath } from './utils/path' +export { getDirFromFilePath, joinUriParts } from './utils/path' export { InjectionSymbols } from './constants' export * from './wallet' export type { TransportSession } from './agent/TransportService' @@ -61,6 +61,8 @@ export * from './modules/oob' export * from './modules/dids' export * from './modules/vc' export * from './modules/cache' +export * from './modules/dif-presentation-exchange' +export * from './modules/sd-jwt-vc' export { JsonEncoder, JsonTransformer, @@ -69,6 +71,8 @@ export { TypedArrayEncoder, Buffer, deepEquality, + asArray, + equalsIgnoreOrder, } from './utils' export * from './logger' export * from './error' @@ -86,6 +90,8 @@ export { LinkedAttachment, LinkedAttachmentOptions } from './utils/LinkedAttachm import { parseInvitationUrl } from './utils/parseInvitation' import { uuid, isValidUuid } from './utils/uuid' +export type { Optional } from './utils/type' + const utils = { uuid, isValidUuid, diff --git a/packages/core/src/modules/dids/DidsApi.ts b/packages/core/src/modules/dids/DidsApi.ts index 4f0cf294bf..d5329299f8 100644 --- a/packages/core/src/modules/dids/DidsApi.ts +++ b/packages/core/src/modules/dids/DidsApi.ts @@ -175,4 +175,12 @@ export class DidsApi { }, }) } + + public get supportedResolverMethods() { + return this.didResolverService.supportedMethods + } + + public get supportedRegistrarMethods() { + return this.didRegistrarService.supportedMethods + } } diff --git a/packages/core/src/modules/dids/methods/web/WebDidResolver.ts b/packages/core/src/modules/dids/methods/web/WebDidResolver.ts index 77d9b1e295..63b9976b2a 100644 --- a/packages/core/src/modules/dids/methods/web/WebDidResolver.ts +++ b/packages/core/src/modules/dids/methods/web/WebDidResolver.ts @@ -28,6 +28,13 @@ export class WebDidResolver implements DidResolver { const result = await this.resolver[parsed.method](did, parsed, this._resolverInstance, didResolutionOptions) let didDocument = null + + // If the did document uses the deprecated publicKey property + // we map it to the newer verificationMethod property + if (!result.didDocument?.verificationMethod && result.didDocument?.publicKey) { + result.didDocument.verificationMethod = result.didDocument.publicKey + } + if (result.didDocument) { didDocument = JsonTransformer.fromJSON(result.didDocument, DidDocument) } diff --git a/packages/core/src/modules/dids/services/DidRegistrarService.ts b/packages/core/src/modules/dids/services/DidRegistrarService.ts index cb59457aa0..861110f7a6 100644 --- a/packages/core/src/modules/dids/services/DidRegistrarService.ts +++ b/packages/core/src/modules/dids/services/DidRegistrarService.ts @@ -153,4 +153,11 @@ export class DidRegistrarService { private findRegistrarForMethod(method: string): DidRegistrar | null { return this.didsModuleConfig.registrars.find((r) => r.supportedMethods.includes(method)) ?? null } + + /** + * Get all supported did methods for the did registrar. + */ + public get supportedMethods() { + return Array.from(new Set(this.didsModuleConfig.registrars.flatMap((r) => r.supportedMethods))) + } } diff --git a/packages/core/src/modules/dids/services/DidResolverService.ts b/packages/core/src/modules/dids/services/DidResolverService.ts index 7f97d3f9d1..baf342b89e 100644 --- a/packages/core/src/modules/dids/services/DidResolverService.ts +++ b/packages/core/src/modules/dids/services/DidResolverService.ts @@ -71,4 +71,11 @@ export class DidResolverService { private findResolver(parsed: ParsedDid): DidResolver | null { return this.didsModuleConfig.resolvers.find((r) => r.supportedMethods.includes(parsed.method)) ?? null } + + /** + * Get all supported did methods for the did resolver. + */ + public get supportedMethods() { + return Array.from(new Set(this.didsModuleConfig.resolvers.flatMap((r) => r.supportedMethods))) + } } diff --git a/packages/core/src/modules/dif-presentation-exchange/DifPresentationExchangeService.ts b/packages/core/src/modules/dif-presentation-exchange/DifPresentationExchangeService.ts index eab8642230..673cb7c31d 100644 --- a/packages/core/src/modules/dif-presentation-exchange/DifPresentationExchangeService.ts +++ b/packages/core/src/modules/dif-presentation-exchange/DifPresentationExchangeService.ts @@ -6,21 +6,29 @@ import type { DifPresentationExchangeSubmission, DifPresentationExchangeDefinitionV2, } from './models' +import type { PresentationToCreate } from './utils' import type { AgentContext } from '../../agent' import type { Query } from '../../storage/StorageService' import type { VerificationMethod } from '../dids' -import type { W3cCredentialRecord, W3cVerifiableCredential, W3cVerifiablePresentation } from '../vc' -import type { PresentationSignCallBackParams, Validated, VerifiablePresentationResult } from '@sphereon/pex' +import type { SdJwtVc, SdJwtVcRecord } from '../sd-jwt-vc' +import type { W3cVerifiablePresentation, W3cCredentialRecord } from '../vc' +import type { + PresentationSignCallBackParams, + SdJwtDecodedVerifiableCredentialWithKbJwtInput, + Validated, + VerifiablePresentationResult, +} from '@sphereon/pex' import type { InputDescriptorV2, PresentationDefinitionV1 } from '@sphereon/pex-models' -import type { OriginalVerifiableCredential, OriginalVerifiablePresentation } from '@sphereon/ssi-types' +import type { W3CVerifiablePresentation } from '@sphereon/ssi-types' import { Status, PEVersion, PEX } from '@sphereon/pex' import { injectable } from 'tsyringe' import { getJwkFromKey } from '../../crypto' import { AriesFrameworkError } from '../../error' -import { JsonTransformer } from '../../utils' +import { Hasher, JsonTransformer } from '../../utils' import { DidsApi, getKeyFromVerificationMethod } from '../dids' +import { SdJwtVcApi } from '../sd-jwt-vc' import { ClaimFormat, SignatureSuiteRegistry, @@ -32,32 +40,28 @@ import { import { DifPresentationExchangeError } from './DifPresentationExchangeError' import { DifPresentationExchangeSubmissionLocation } from './models' import { + getVerifiablePresentationFromEncoded, + getSphereonOriginalVerifiablePresentation, getCredentialsForRequest, + getPresentationsToCreate, getSphereonOriginalVerifiableCredential, - getSphereonW3cVerifiablePresentation, - getW3cVerifiablePresentationInstance, } from './utils' -export type ProofStructure = Record>> - +/** + * @todo create a public api for using dif presentation exchange + */ @injectable() export class DifPresentationExchangeService { - private pex = new PEX() + private pex = new PEX({ hasher: Hasher.hash }) + + public constructor(private w3cCredentialService: W3cCredentialService) {} public async getCredentialsForRequest( agentContext: AgentContext, presentationDefinition: DifPresentationExchangeDefinition ): Promise { const credentialRecords = await this.queryCredentialForPresentationDefinition(agentContext, presentationDefinition) - - // FIXME: why are we resolving all created dids here? - // If we want to do this we should extract all dids from the credential records and only - // fetch the dids for the queried credential records - const didsApi = agentContext.dependencyManager.resolve(DidsApi) - const didRecords = await didsApi.getCreatedDids() - const holderDids = didRecords.map((didRecord) => didRecord.did) - - return getCredentialsForRequest(presentationDefinition, credentialRecords, holderDids) + return getCredentialsForRequest(this.pex, presentationDefinition, credentialRecords) } /** @@ -80,7 +84,7 @@ export class DifPresentationExchangeService { } // We pick the first matching VC if we are auto-selecting - credentials[submission.inputDescriptorId].push(submission.verifiableCredentials[0].credential) + credentials[submission.inputDescriptorId].push(submission.verifiableCredentials[0]) } } @@ -105,11 +109,11 @@ export class DifPresentationExchangeService { public validatePresentation( presentationDefinition: DifPresentationExchangeDefinition, - presentation: W3cVerifiablePresentation + presentation: W3cVerifiablePresentation | SdJwtVc ) { const { errors } = this.pex.evaluatePresentation( presentationDefinition, - presentation.encoded as OriginalVerifiablePresentation + getSphereonOriginalVerifiablePresentation(presentation) ) if (errors) { @@ -128,107 +132,6 @@ export class DifPresentationExchangeService { .filter((r): r is string => Boolean(r)) } - /** - * Queries the wallet for credentials that match the given presentation definition. This only does an initial query based on the - * schema of the input descriptors. It does not do any further filtering based on the constraints in the input descriptors. - */ - private async queryCredentialForPresentationDefinition( - agentContext: AgentContext, - presentationDefinition: DifPresentationExchangeDefinition - ): Promise> { - const w3cCredentialRepository = agentContext.dependencyManager.resolve(W3cCredentialRepository) - const query: Array> = [] - const presentationDefinitionVersion = PEX.definitionVersionDiscovery(presentationDefinition) - - if (!presentationDefinitionVersion.version) { - throw new DifPresentationExchangeError( - `Unable to determine the Presentation Exchange version from the presentation definition - `, - presentationDefinitionVersion.error ? { additionalMessages: [presentationDefinitionVersion.error] } : {} - ) - } - - if (presentationDefinitionVersion.version === PEVersion.v1) { - const pd = presentationDefinition as PresentationDefinitionV1 - - // The schema.uri can contain either an expanded type, or a context uri - for (const inputDescriptor of pd.input_descriptors) { - for (const schema of inputDescriptor.schema) { - query.push({ - $or: [{ expandedType: [schema.uri] }, { contexts: [schema.uri] }, { type: [schema.uri] }], - }) - } - } - } else if (presentationDefinitionVersion.version === PEVersion.v2) { - // FIXME: As PE version 2 does not have the `schema` anymore, we can't query by schema anymore. - // For now we retrieve ALL credentials, as we did the same for V1 with JWT credentials. We probably need - // to find some way to do initial filtering, hopefully if there's a filter on the `type` field or something. - } else { - throw new DifPresentationExchangeError( - `Unsupported presentation definition version ${presentationDefinitionVersion.version as unknown as string}` - ) - } - - // query the wallet ourselves first to avoid the need to query the pex library for all - // credentials for every proof request - const credentialRecords = - query.length > 0 - ? await w3cCredentialRepository.findByQuery(agentContext, { - $or: query, - }) - : await w3cCredentialRepository.getAll(agentContext) - - return credentialRecords - } - - private addCredentialToSubjectInputDescriptor( - subjectsToInputDescriptors: ProofStructure, - subjectId: string, - inputDescriptorId: string, - credential: W3cVerifiableCredential - ) { - const inputDescriptorsToCredentials = subjectsToInputDescriptors[subjectId] ?? {} - const credentials = inputDescriptorsToCredentials[inputDescriptorId] ?? [] - - credentials.push(credential) - inputDescriptorsToCredentials[inputDescriptorId] = credentials - subjectsToInputDescriptors[subjectId] = inputDescriptorsToCredentials - } - - private getPresentationFormat( - presentationDefinition: DifPresentationExchangeDefinition, - credentials: Array - ): ClaimFormat.JwtVp | ClaimFormat.LdpVp { - const allCredentialsAreJwtVc = credentials?.every((c) => typeof c === 'string') - const allCredentialsAreLdpVc = credentials?.every((c) => typeof c !== 'string') - - const inputDescriptorsNotSupportingJwtVc = ( - presentationDefinition.input_descriptors as Array - ).filter((d) => d.format && d.format.jwt_vc === undefined) - - const inputDescriptorsNotSupportingLdpVc = ( - presentationDefinition.input_descriptors as Array - ).filter((d) => d.format && d.format.ldp_vc === undefined) - - if ( - allCredentialsAreJwtVc && - (presentationDefinition.format === undefined || presentationDefinition.format.jwt_vc) && - inputDescriptorsNotSupportingJwtVc.length === 0 - ) { - return ClaimFormat.JwtVp - } else if ( - allCredentialsAreLdpVc && - (presentationDefinition.format === undefined || presentationDefinition.format.ldp_vc) && - inputDescriptorsNotSupportingLdpVc.length === 0 - ) { - return ClaimFormat.LdpVp - } else { - throw new DifPresentationExchangeError( - 'No suitable presentation format found for the given presentation definition, and credentials' - ) - } - } - public async createPresentation( agentContext: AgentContext, options: { @@ -238,85 +141,65 @@ export class DifPresentationExchangeService { * Defaults to {@link DifPresentationExchangeSubmissionLocation.PRESENTATION} */ presentationSubmissionLocation?: DifPresentationExchangeSubmissionLocation - challenge?: string + challenge: string domain?: string - nonce?: string } ) { - const { presentationDefinition, challenge, nonce, domain, presentationSubmissionLocation } = options - - const proofStructure: ProofStructure = {} - - Object.entries(options.credentialsForInputDescriptor).forEach(([inputDescriptorId, credentials]) => { - credentials.forEach((credential) => { - const subjectId = credential.credentialSubjectIds[0] - if (!subjectId) { - throw new DifPresentationExchangeError('Missing required credential subject for creating the presentation.') - } - - this.addCredentialToSubjectInputDescriptor(proofStructure, subjectId, inputDescriptorId, credential) - }) - }) + const { presentationDefinition, domain, challenge } = options + const presentationSubmissionLocation = + options.presentationSubmissionLocation ?? DifPresentationExchangeSubmissionLocation.PRESENTATION const verifiablePresentationResultsWithFormat: Array<{ verifiablePresentationResult: VerifiablePresentationResult - format: ClaimFormat.LdpVp | ClaimFormat.JwtVp + claimFormat: PresentationToCreate['claimFormat'] }> = [] - const subjectToInputDescriptors = Object.entries(proofStructure) - for (const [subjectId, subjectInputDescriptorsToCredentials] of subjectToInputDescriptors) { - // Determine a suitable verification method for the presentation - const verificationMethod = await this.getVerificationMethodForSubjectId(agentContext, subjectId) - - if (!verificationMethod) { - throw new DifPresentationExchangeError(`No verification method found for subject id '${subjectId}'.`) - } - + const presentationsToCreate = getPresentationsToCreate(options.credentialsForInputDescriptor) + for (const presentationToCreate of presentationsToCreate) { // We create a presentation for each subject // Thus for each subject we need to filter all the related input descriptors and credentials // FIXME: cast to V1, as tsc errors for strange reasons if not - const inputDescriptorsForSubject = (presentationDefinition as PresentationDefinitionV1).input_descriptors.filter( - (inputDescriptor) => inputDescriptor.id in subjectInputDescriptorsToCredentials + const inputDescriptorIds = presentationToCreate.verifiableCredentials.map((c) => c.inputDescriptorId) + const inputDescriptorsForPresentation = ( + presentationDefinition as PresentationDefinitionV1 + ).input_descriptors.filter((inputDescriptor) => inputDescriptorIds.includes(inputDescriptor.id)) + + // Get all the credentials for the presentation + const credentialsForPresentation = presentationToCreate.verifiableCredentials.map((c) => + getSphereonOriginalVerifiableCredential(c.credential) ) - // Get all the credentials associated with the input descriptors - const credentialsForSubject = Object.values(subjectInputDescriptorsToCredentials) - .flat() - .map(getSphereonOriginalVerifiableCredential) - const presentationDefinitionForSubject: DifPresentationExchangeDefinition = { ...presentationDefinition, - input_descriptors: inputDescriptorsForSubject, + input_descriptors: inputDescriptorsForPresentation, // We remove the submission requirements, as it will otherwise fail to create the VP submission_requirements: undefined, } - const format = this.getPresentationFormat(presentationDefinitionForSubject, credentialsForSubject) - - // FIXME: Q1: is holder always subject id, what if there are multiple subjects??? - // FIXME: Q2: What about proofType, proofPurpose verification method for multiple subjects? const verifiablePresentationResult = await this.pex.verifiablePresentationFrom( presentationDefinitionForSubject, - credentialsForSubject, - this.getPresentationSignCallback(agentContext, verificationMethod, format), + credentialsForPresentation, + this.getPresentationSignCallback(agentContext, presentationToCreate), { - holderDID: subjectId, - proofOptions: { challenge, domain, nonce }, - signatureOptions: { verificationMethod: verificationMethod?.id }, + proofOptions: { domain, challenge }, + signatureOptions: {}, presentationSubmissionLocation: presentationSubmissionLocation ?? DifPresentationExchangeSubmissionLocation.PRESENTATION, } ) - verifiablePresentationResultsWithFormat.push({ verifiablePresentationResult, format }) + verifiablePresentationResultsWithFormat.push({ + verifiablePresentationResult, + claimFormat: presentationToCreate.claimFormat, + }) } - if (!verifiablePresentationResultsWithFormat[0]) { + if (verifiablePresentationResultsWithFormat.length === 0) { throw new DifPresentationExchangeError('No verifiable presentations created') } - if (subjectToInputDescriptors.length !== verifiablePresentationResultsWithFormat.length) { + if (presentationsToCreate.length !== verifiablePresentationResultsWithFormat.length) { throw new DifPresentationExchangeError('Invalid amount of verifiable presentations created') } @@ -327,14 +210,38 @@ export class DifPresentationExchangeService { descriptor_map: [], } - for (const vpf of verifiablePresentationResultsWithFormat) { - const { verifiablePresentationResult } = vpf - presentationSubmission.descriptor_map.push(...verifiablePresentationResult.presentationSubmission.descriptor_map) - } + verifiablePresentationResultsWithFormat.forEach(({ verifiablePresentationResult }, index) => { + // FIXME: path_nested should not be used for sd-jwt. + // Can be removed once https://github.com/Sphereon-Opensource/PEX/pull/140 is released + const descriptorMap = verifiablePresentationResult.presentationSubmission.descriptor_map.map((d) => { + const descriptor = { ...d } + + // when multiple presentations are submitted, path should be $[0], $[1] + // FIXME: this should be addressed in the PEX/OID4VP lib. + // See https://github.com/Sphereon-Opensource/SIOP-OID4VP/issues/62 + if ( + presentationSubmissionLocation === DifPresentationExchangeSubmissionLocation.EXTERNAL && + verifiablePresentationResultsWithFormat.length > 1 + ) { + descriptor.path = `$[${index}]` + } + + if (descriptor.format === 'vc+sd-jwt' && descriptor.path_nested) { + delete descriptor.path_nested + } + + return descriptor + }) + + presentationSubmission.descriptor_map.push(...descriptorMap) + }) return { - verifiablePresentations: verifiablePresentationResultsWithFormat.map((r) => - getW3cVerifiablePresentationInstance(r.verifiablePresentationResult.verifiablePresentation) + verifiablePresentations: verifiablePresentationResultsWithFormat.map((resultWithFormat) => + getVerifiablePresentationFromEncoded( + agentContext, + resultWithFormat.verifiablePresentationResult.verifiablePresentation + ) ), presentationSubmission, presentationSubmissionLocation: @@ -445,77 +352,119 @@ export class DifPresentationExchangeService { // For each of the supported algs, find the key types, then find the proof types const signatureSuiteRegistry = agentContext.dependencyManager.resolve(SignatureSuiteRegistry) - const supportedSignatureSuite = signatureSuiteRegistry.getByVerificationMethodType(verificationMethod.type) - if (!supportedSignatureSuite) { + const key = getKeyFromVerificationMethod(verificationMethod) + const supportedSignatureSuites = signatureSuiteRegistry.getByKeyType(key.keyType) + if (supportedSignatureSuites.length === 0) { throw new DifPresentationExchangeError( - `Couldn't find a supported signature suite for the given verification method type '${verificationMethod.type}'` + `Couldn't find a supported signature suite for the given key type '${key.keyType}'` ) } if (suitableSignatureSuites) { - if (suitableSignatureSuites.includes(supportedSignatureSuite.proofType) === false) { + const foundSignatureSuite = supportedSignatureSuites.find((suite) => + suitableSignatureSuites.includes(suite.proofType) + ) + + if (!foundSignatureSuite) { throw new DifPresentationExchangeError( [ 'No possible signature suite found for the given verification method.', `Verification method type: ${verificationMethod.type}`, - `SupportedSignatureSuite '${supportedSignatureSuite.proofType}'`, + `Key type: ${key.keyType}`, + `SupportedSignatureSuites: '${supportedSignatureSuites.map((s) => s.proofType).join(', ')}'`, `SuitableSignatureSuites: ${suitableSignatureSuites.join(', ')}`, ].join('\n') ) } - return supportedSignatureSuite.proofType + return supportedSignatureSuites[0].proofType } - return supportedSignatureSuite.proofType + return supportedSignatureSuites[0].proofType } - public getPresentationSignCallback( - agentContext: AgentContext, - verificationMethod: VerificationMethod, - vpFormat: ClaimFormat.LdpVp | ClaimFormat.JwtVp - ) { - const w3cCredentialService = agentContext.dependencyManager.resolve(W3cCredentialService) - + private getPresentationSignCallback(agentContext: AgentContext, presentationToCreate: PresentationToCreate) { return async (callBackParams: PresentationSignCallBackParams) => { // The created partial proof and presentation, as well as original supplied options - const { presentation: presentationJson, options, presentationDefinition } = callBackParams - const { challenge, domain, nonce } = options.proofOptions ?? {} - const { verificationMethod: verificationMethodId } = options.signatureOptions ?? {} + const { presentation: presentationInput, options, presentationDefinition } = callBackParams + const { challenge, domain } = options.proofOptions ?? {} - if (verificationMethodId && verificationMethodId !== verificationMethod.id) { - throw new DifPresentationExchangeError( - `Verification method from signing options ${verificationMethodId} does not match verification method ${verificationMethod.id}` - ) + if (!challenge) { + throw new AriesFrameworkError('challenge MUST be provided when signing a VP') } - let signedPresentation: W3cVerifiablePresentation - if (vpFormat === 'jwt_vp') { - signedPresentation = await w3cCredentialService.signPresentation(agentContext, { + if (presentationToCreate.claimFormat === ClaimFormat.JwtVp) { + // Determine a suitable verification method for the presentation + const verificationMethod = await this.getVerificationMethodForSubjectId( + agentContext, + presentationToCreate.subjectIds[0] + ) + + const w3cPresentation = JsonTransformer.fromJSON(presentationInput, W3cPresentation) + w3cPresentation.holder = verificationMethod.controller + + const signedPresentation = await this.w3cCredentialService.signPresentation(agentContext, { format: ClaimFormat.JwtVp, alg: this.getSigningAlgorithmForJwtVc(presentationDefinition, verificationMethod), verificationMethod: verificationMethod.id, - presentation: JsonTransformer.fromJSON(presentationJson, W3cPresentation), - challenge: challenge ?? nonce ?? (await agentContext.wallet.generateNonce()), + presentation: w3cPresentation, + challenge, domain, }) - } else if (vpFormat === 'ldp_vp') { - signedPresentation = await w3cCredentialService.signPresentation(agentContext, { + + return signedPresentation.encoded as W3CVerifiablePresentation + } else if (presentationToCreate.claimFormat === ClaimFormat.LdpVp) { + // Determine a suitable verification method for the presentation + const verificationMethod = await this.getVerificationMethodForSubjectId( + agentContext, + presentationToCreate.subjectIds[0] + ) + + const w3cPresentation = JsonTransformer.fromJSON(presentationInput, W3cPresentation) + w3cPresentation.holder = verificationMethod.controller + + const signedPresentation = await this.w3cCredentialService.signPresentation(agentContext, { format: ClaimFormat.LdpVp, + // TODO: we should move the check for which proof to use for a presentation to earlier + // as then we know when determining which VPs to submit already if the proof types are supported + // by the verifier, and we can then just add this to the vpToCreate interface proofType: this.getProofTypeForLdpVc(agentContext, presentationDefinition, verificationMethod), proofPurpose: 'authentication', verificationMethod: verificationMethod.id, - presentation: JsonTransformer.fromJSON(presentationJson, W3cPresentation), - challenge: challenge ?? nonce ?? (await agentContext.wallet.generateNonce()), + presentation: w3cPresentation, + challenge, domain, }) + + return signedPresentation.encoded as W3CVerifiablePresentation + } else if (presentationToCreate.claimFormat === ClaimFormat.SdJwtVc) { + const sdJwtInput = presentationInput as SdJwtDecodedVerifiableCredentialWithKbJwtInput + + if (!domain) { + throw new AriesFrameworkError( + "Missing 'domain' property, unable to set required 'aud' property in SD-JWT KB-JWT" + ) + } + + const sdJwtVcApi = this.getSdJwtVcApi(agentContext) + const sdJwtVc = await sdJwtVcApi.present({ + compactSdJwtVc: sdJwtInput.compactSdJwtVc, + // SD is already handled by PEX + presentationFrame: true, + verifierMetadata: { + audience: domain, + nonce: challenge, + // TODO: we should make this optional + issuedAt: Math.floor(Date.now() / 1000), + }, + }) + + return sdJwtVc } else { throw new DifPresentationExchangeError( - `Only JWT credentials or JSONLD credentials are supported for a single presentation` + `Only JWT, SD-JWT-VC, JSONLD credentials are supported for a single presentation` ) } - - return getSphereonW3cVerifiablePresentation(signedPresentation) } } @@ -545,4 +494,78 @@ export class DifPresentationExchangeService { return verificationMethod } + + /** + * Queries the wallet for credentials that match the given presentation definition. This only does an initial query based on the + * schema of the input descriptors. It does not do any further filtering based on the constraints in the input descriptors. + */ + private async queryCredentialForPresentationDefinition( + agentContext: AgentContext, + presentationDefinition: DifPresentationExchangeDefinition + ): Promise> { + const w3cCredentialRepository = agentContext.dependencyManager.resolve(W3cCredentialRepository) + const w3cQuery: Array> = [] + const sdJwtVcQuery: Array> = [] + const presentationDefinitionVersion = PEX.definitionVersionDiscovery(presentationDefinition) + + if (!presentationDefinitionVersion.version) { + throw new DifPresentationExchangeError( + `Unable to determine the Presentation Exchange version from the presentation definition`, + presentationDefinitionVersion.error ? { additionalMessages: [presentationDefinitionVersion.error] } : {} + ) + } + + // FIXME: in the query we should take into account the supported proof types of the verifier + // this could help enormously in the amount of credentials we have to retrieve from storage. + // NOTE: for now we don't support SD-JWT for v1, as I don't know what the schema.uri should be? + if (presentationDefinitionVersion.version === PEVersion.v1) { + const pd = presentationDefinition as PresentationDefinitionV1 + + // The schema.uri can contain either an expanded type, or a context uri + for (const inputDescriptor of pd.input_descriptors) { + for (const schema of inputDescriptor.schema) { + w3cQuery.push({ + $or: [{ expandedType: [schema.uri] }, { contexts: [schema.uri] }, { type: [schema.uri] }], + }) + } + } + } else if (presentationDefinitionVersion.version === PEVersion.v2) { + // FIXME: As PE version 2 does not have the `schema` anymore, we can't query by schema anymore. + // For now we retrieve ALL credentials, as we did the same for V1 with JWT credentials. We probably need + // to find some way to do initial filtering, hopefully if there's a filter on the `type` field or something. + } else { + throw new DifPresentationExchangeError( + `Unsupported presentation definition version ${presentationDefinitionVersion.version as unknown as string}` + ) + } + + const allRecords: Array = [] + + // query the wallet ourselves first to avoid the need to query the pex library for all + // credentials for every proof request + const w3cCredentialRecords = + w3cQuery.length > 0 + ? await w3cCredentialRepository.findByQuery(agentContext, { + $or: w3cQuery, + }) + : await w3cCredentialRepository.getAll(agentContext) + + allRecords.push(...w3cCredentialRecords) + + const sdJwtVcApi = this.getSdJwtVcApi(agentContext) + const sdJwtVcRecords = + sdJwtVcQuery.length > 0 + ? await sdJwtVcApi.findAllByQuery({ + $or: sdJwtVcQuery, + }) + : await sdJwtVcApi.getAll() + + allRecords.push(...sdJwtVcRecords) + + return allRecords + } + + private getSdJwtVcApi(agentContext: AgentContext) { + return agentContext.dependencyManager.resolve(SdJwtVcApi) + } } diff --git a/packages/core/src/modules/dif-presentation-exchange/models/DifPexCredentialsForRequest.ts b/packages/core/src/modules/dif-presentation-exchange/models/DifPexCredentialsForRequest.ts index ec2e83d17e..9ded2b1688 100644 --- a/packages/core/src/modules/dif-presentation-exchange/models/DifPexCredentialsForRequest.ts +++ b/packages/core/src/modules/dif-presentation-exchange/models/DifPexCredentialsForRequest.ts @@ -1,4 +1,5 @@ -import type { W3cCredentialRecord, W3cVerifiableCredential } from '../../vc' +import type { SdJwtVcRecord } from '../../sd-jwt-vc' +import type { W3cCredentialRecord } from '../../vc' export interface DifPexCredentialsForRequest { /** @@ -110,10 +111,10 @@ export interface DifPexCredentialsForRequestSubmissionEntry { * If the value is an empty list, it means the input descriptor could * not be satisfied. */ - verifiableCredentials: W3cCredentialRecord[] + verifiableCredentials: Array } /** * Mapping of selected credentials for an input descriptor */ -export type DifPexInputDescriptorToCredentials = Record> +export type DifPexInputDescriptorToCredentials = Record> diff --git a/packages/core/src/modules/dif-presentation-exchange/utils/credentialSelection.ts b/packages/core/src/modules/dif-presentation-exchange/utils/credentialSelection.ts index 1fca34b943..c1ef770b36 100644 --- a/packages/core/src/modules/dif-presentation-exchange/utils/credentialSelection.ts +++ b/packages/core/src/modules/dif-presentation-exchange/utils/credentialSelection.ts @@ -1,13 +1,13 @@ +import type { SdJwtVcRecord } from '../../sd-jwt-vc' import type { W3cCredentialRecord } from '../../vc' import type { DifPexCredentialsForRequest, DifPexCredentialsForRequestRequirement, DifPexCredentialsForRequestSubmissionEntry, } from '../models' -import type { IPresentationDefinition, SelectResults, SubmissionRequirementMatch } from '@sphereon/pex' +import type { IPresentationDefinition, SelectResults, SubmissionRequirementMatch, PEX } from '@sphereon/pex' import type { InputDescriptorV1, InputDescriptorV2, SubmissionRequirement } from '@sphereon/pex-models' -import { PEX } from '@sphereon/pex' import { Rules } from '@sphereon/pex-models' import { default as jp } from 'jsonpath' @@ -17,40 +17,42 @@ import { DifPresentationExchangeError } from '../DifPresentationExchangeError' import { getSphereonOriginalVerifiableCredential } from './transform' export async function getCredentialsForRequest( + // PEX instance with hasher defined + pex: PEX, presentationDefinition: IPresentationDefinition, - credentialRecords: Array, - holderDIDs: Array + credentialRecords: Array ): Promise { - if (!presentationDefinition) { - throw new DifPresentationExchangeError('Presentation Definition is required to select credentials for submission.') - } - - const pex = new PEX() - - const encodedCredentials = credentialRecords.map((c) => getSphereonOriginalVerifiableCredential(c.credential)) - - // FIXME: there is a function for this in the VP library, but it is not usable atm - const selectResultsRaw = pex.selectFrom(presentationDefinition, encodedCredentials, { - holderDIDs, - // limitDisclosureSignatureSuites: [], - // restrictToDIDMethods, - // restrictToFormats - }) + const encodedCredentials = credentialRecords.map((c) => getSphereonOriginalVerifiableCredential(c)) + const selectResultsRaw = pex.selectFrom(presentationDefinition, encodedCredentials) const selectResults = { ...selectResultsRaw, // Map the encoded credential to their respective w3c credential record - verifiableCredential: selectResultsRaw.verifiableCredential?.map((encoded) => { - const credentialRecord = credentialRecords.find((record) => { - const originalVc = getSphereonOriginalVerifiableCredential(record.credential) - return deepEquality(originalVc, encoded) + verifiableCredential: selectResultsRaw.verifiableCredential?.map((selectedEncoded) => { + const credentialRecordIndex = encodedCredentials.findIndex((encoded) => { + if ( + typeof selectedEncoded === 'string' && + selectedEncoded.includes('~') && + typeof encoded === 'string' && + encoded.includes('~') + ) { + // FIXME: pex applies SD-JWT, so we actually can't match the record anymore :( + // We take the first part of the sd-jwt, as that will never change, and should + // be unique on it's own + const [encodedJwt] = encoded.split('~') + const [selectedEncodedJwt] = selectedEncoded.split('~') + + return encodedJwt === selectedEncodedJwt + } else { + return deepEquality(selectedEncoded, encoded) + } }) - if (!credentialRecord) { + if (credentialRecordIndex === -1) { throw new DifPresentationExchangeError('Unable to find credential in credential records.') } - return credentialRecord + return credentialRecords[credentialRecordIndex] }), } @@ -95,7 +97,7 @@ export async function getCredentialsForRequest( function getSubmissionRequirements( presentationDefinition: IPresentationDefinition, - selectResults: W3cCredentialRecordSelectResults + selectResults: CredentialRecordSelectResults ): Array { const submissionRequirements: Array = [] @@ -141,7 +143,7 @@ function getSubmissionRequirements( function getSubmissionRequirementsForAllInputDescriptors( inputDescriptors: Array | Array, - selectResults: W3cCredentialRecordSelectResults + selectResults: CredentialRecordSelectResults ): Array { const submissionRequirements: Array = [] @@ -162,7 +164,7 @@ function getSubmissionRequirementsForAllInputDescriptors( function getSubmissionRequirementRuleAll( submissionRequirement: SubmissionRequirement, presentationDefinition: IPresentationDefinition, - selectResults: W3cCredentialRecordSelectResults + selectResults: CredentialRecordSelectResults ) { // Check if there's a 'from'. If not the structure is not as we expect it if (!submissionRequirement.from) @@ -201,7 +203,7 @@ function getSubmissionRequirementRuleAll( function getSubmissionRequirementRulePick( submissionRequirement: SubmissionRequirement, presentationDefinition: IPresentationDefinition, - selectResults: W3cCredentialRecordSelectResults + selectResults: CredentialRecordSelectResults ) { // Check if there's a 'from'. If not the structure is not as we expect it if (!submissionRequirement.from) { @@ -257,7 +259,7 @@ function getSubmissionRequirementRulePick( function getSubmissionForInputDescriptor( inputDescriptor: InputDescriptorV1 | InputDescriptorV2, - selectResults: W3cCredentialRecordSelectResults + selectResults: CredentialRecordSelectResults ): DifPexCredentialsForRequestSubmissionEntry { // https://github.com/Sphereon-Opensource/PEX/issues/116 // If the input descriptor doesn't contain a name, the name of the match will be the id of the input descriptor that satisfied it @@ -292,9 +294,9 @@ function getSubmissionForInputDescriptor( function extractCredentialsFromMatch( match: SubmissionRequirementMatch, - availableCredentials?: Array + availableCredentials?: Array ) { - const verifiableCredentials: Array = [] + const verifiableCredentials: Array = [] for (const vcPath of match.vc_path) { const [verifiableCredential] = jp.query({ verifiableCredential: availableCredentials }, vcPath) as [ @@ -307,8 +309,8 @@ function extractCredentialsFromMatch( } /** - * Custom SelectResults that include the W3cCredentialRecord instead of the encoded verifiable credential + * Custom SelectResults that includes the AFJ records instead of the encoded verifiable credential */ -export type W3cCredentialRecordSelectResults = Omit & { - verifiableCredential?: Array +type CredentialRecordSelectResults = Omit & { + verifiableCredential?: Array } diff --git a/packages/core/src/modules/dif-presentation-exchange/utils/index.ts b/packages/core/src/modules/dif-presentation-exchange/utils/index.ts index aaf44fa1b6..18fe3ad53c 100644 --- a/packages/core/src/modules/dif-presentation-exchange/utils/index.ts +++ b/packages/core/src/modules/dif-presentation-exchange/utils/index.ts @@ -1,2 +1,3 @@ export * from './transform' export * from './credentialSelection' +export * from './presentationsToCreate' diff --git a/packages/core/src/modules/dif-presentation-exchange/utils/presentationsToCreate.ts b/packages/core/src/modules/dif-presentation-exchange/utils/presentationsToCreate.ts new file mode 100644 index 0000000000..47cb5202ca --- /dev/null +++ b/packages/core/src/modules/dif-presentation-exchange/utils/presentationsToCreate.ts @@ -0,0 +1,89 @@ +import type { SdJwtVcRecord } from '../../sd-jwt-vc' +import type { DifPexInputDescriptorToCredentials } from '../models' + +import { W3cCredentialRecord, ClaimFormat } from '../../vc' +import { DifPresentationExchangeError } from '../DifPresentationExchangeError' + +// - the credentials included in the presentation +export interface SdJwtVcPresentationToCreate { + claimFormat: ClaimFormat.SdJwtVc + subjectIds: [] // subject is included in the cnf of the sd-jwt and automatically extracted by PEX + verifiableCredentials: [ + { + credential: SdJwtVcRecord + inputDescriptorId: string + } + ] // only one credential supported for SD-JWT-VC +} + +export interface JwtVpPresentationToCreate { + claimFormat: ClaimFormat.JwtVp + subjectIds: [string] // only one subject id supported for JWT VP + verifiableCredentials: Array<{ + credential: W3cCredentialRecord + inputDescriptorId: string + }> // multiple credentials supported for JWT VP +} + +export interface LdpVpPresentationToCreate { + claimFormat: ClaimFormat.LdpVp + // NOTE: we only support one subject id at the moment as we don't have proper + // support yet for adding multiple proofs to an LDP-VP + subjectIds: [string] + verifiableCredentials: Array<{ + credential: W3cCredentialRecord + inputDescriptorId: string + }> // multiple credentials supported for LDP VP +} + +export type PresentationToCreate = SdJwtVcPresentationToCreate | JwtVpPresentationToCreate | LdpVpPresentationToCreate + +// FIXME: we should extract supported format form top-level presentation definition, and input_descriptor as well +// to make sure the presentation we are going to create is a presentation format supported by the verifier. +// In addition we should allow to pass an override 'format' object, as specification like OID4VP do not use the +// PD formats, but define their own. +export function getPresentationsToCreate(credentialsForInputDescriptor: DifPexInputDescriptorToCredentials) { + const presentationsToCreate: Array = [] + + // We map all credentials for a input descriptor to the different subject ids. Each subjectId will need + // to create a separate proof (either on the same presentation or if not allowed by proof format on separate) + // presentations + for (const [inputDescriptorId, credentials] of Object.entries(credentialsForInputDescriptor)) { + for (const credential of credentials) { + if (credential instanceof W3cCredentialRecord) { + const subjectId = credential.credential.credentialSubjectIds[0] + if (!subjectId) { + throw new DifPresentationExchangeError('Missing required credential subject for creating the presentation.') + } + + // NOTE: we only support one subjectId per VP -- once we have proper support + // for multiple proofs on an LDP-VP we can add multiple subjectIds to a single VP for LDP-vp only + const expectedClaimFormat = + credential.credential.claimFormat === ClaimFormat.LdpVc ? ClaimFormat.LdpVp : ClaimFormat.JwtVp + const matchingClaimFormatAndSubject = presentationsToCreate.find( + (p): p is JwtVpPresentationToCreate => + p.claimFormat === expectedClaimFormat && p.subjectIds.includes(subjectId) + ) + + if (matchingClaimFormatAndSubject) { + matchingClaimFormatAndSubject.verifiableCredentials.push({ inputDescriptorId, credential }) + } else { + presentationsToCreate.push({ + claimFormat: expectedClaimFormat, + subjectIds: [subjectId], + verifiableCredentials: [{ credential, inputDescriptorId }], + }) + } + } else { + // SD-JWT-VC always needs it's own presentation + presentationsToCreate.push({ + claimFormat: ClaimFormat.SdJwtVc, + subjectIds: [], + verifiableCredentials: [{ inputDescriptorId, credential }], + }) + } + } + } + + return presentationsToCreate +} diff --git a/packages/core/src/modules/dif-presentation-exchange/utils/transform.ts b/packages/core/src/modules/dif-presentation-exchange/utils/transform.ts index e4d5f694c9..636b106d51 100644 --- a/packages/core/src/modules/dif-presentation-exchange/utils/transform.ts +++ b/packages/core/src/modules/dif-presentation-exchange/utils/transform.ts @@ -1,78 +1,54 @@ -import type { W3cVerifiableCredential, W3cVerifiablePresentation } from '../../vc' +import type { AgentContext } from '../../../agent' +import type { SdJwtVcRecord, SdJwtVc } from '../../sd-jwt-vc' +import type { W3cVerifiablePresentation } from '../../vc' +import type { W3cJsonPresentation } from '../../vc/models/presentation/W3cJsonPresentation' import type { OriginalVerifiableCredential as SphereonOriginalVerifiableCredential, - W3CVerifiableCredential as SphereonW3cVerifiableCredential, - W3CVerifiablePresentation as SphereonW3cVerifiablePresentation, + OriginalVerifiablePresentation as SphereonOriginalVerifiablePresentation, + W3CVerifiablePresentation as SphereonW3CVerifiablePresentation, } from '@sphereon/ssi-types' +import { AriesFrameworkError } from '../../../error' import { JsonTransformer } from '../../../utils' -import { - W3cJsonLdVerifiableCredential, - W3cJsonLdVerifiablePresentation, - W3cJwtVerifiableCredential, - W3cJwtVerifiablePresentation, - ClaimFormat, -} from '../../vc' -import { DifPresentationExchangeError } from '../DifPresentationExchangeError' +import { SdJwtVcApi } from '../../sd-jwt-vc' +import { W3cCredentialRecord, W3cJsonLdVerifiablePresentation, W3cJwtVerifiablePresentation } from '../../vc' export function getSphereonOriginalVerifiableCredential( - w3cVerifiableCredential: W3cVerifiableCredential + credentialRecord: W3cCredentialRecord | SdJwtVcRecord ): SphereonOriginalVerifiableCredential { - if (w3cVerifiableCredential.claimFormat === ClaimFormat.LdpVc) { - return JsonTransformer.toJSON(w3cVerifiableCredential) as SphereonOriginalVerifiableCredential - } else if (w3cVerifiableCredential.claimFormat === ClaimFormat.JwtVc) { - return w3cVerifiableCredential.serializedJwt + if (credentialRecord instanceof W3cCredentialRecord) { + return credentialRecord.credential.encoded as SphereonOriginalVerifiableCredential } else { - throw new DifPresentationExchangeError( - `Unsupported claim format. Only ${ClaimFormat.LdpVc} and ${ClaimFormat.JwtVc} are supported.` - ) + return credentialRecord.compactSdJwtVc } } -export function getSphereonW3cVerifiableCredential( - w3cVerifiableCredential: W3cVerifiableCredential -): SphereonW3cVerifiableCredential { - if (w3cVerifiableCredential.claimFormat === ClaimFormat.LdpVc) { - return JsonTransformer.toJSON(w3cVerifiableCredential) as SphereonW3cVerifiableCredential - } else if (w3cVerifiableCredential.claimFormat === ClaimFormat.JwtVc) { - return w3cVerifiableCredential.serializedJwt +export function getSphereonOriginalVerifiablePresentation( + verifiablePresentation: W3cVerifiablePresentation | SdJwtVc +): SphereonOriginalVerifiablePresentation { + if ( + verifiablePresentation instanceof W3cJwtVerifiablePresentation || + verifiablePresentation instanceof W3cJsonLdVerifiablePresentation + ) { + return verifiablePresentation.encoded as SphereonOriginalVerifiablePresentation } else { - throw new DifPresentationExchangeError( - `Unsupported claim format. Only ${ClaimFormat.LdpVc} and ${ClaimFormat.JwtVc} are supported.` - ) + return verifiablePresentation.compact } } -export function getSphereonW3cVerifiablePresentation( - w3cVerifiablePresentation: W3cVerifiablePresentation -): SphereonW3cVerifiablePresentation { - if (w3cVerifiablePresentation instanceof W3cJsonLdVerifiablePresentation) { - return JsonTransformer.toJSON(w3cVerifiablePresentation) as SphereonW3cVerifiablePresentation - } else if (w3cVerifiablePresentation instanceof W3cJwtVerifiablePresentation) { - return w3cVerifiablePresentation.serializedJwt +// TODO: we might want to move this to some generic vc transformation util +export function getVerifiablePresentationFromEncoded( + agentContext: AgentContext, + encodedVerifiablePresentation: string | W3cJsonPresentation | SphereonW3CVerifiablePresentation +) { + if (typeof encodedVerifiablePresentation === 'string' && encodedVerifiablePresentation.includes('~')) { + const sdJwtVcApi = agentContext.dependencyManager.resolve(SdJwtVcApi) + return sdJwtVcApi.fromCompact(encodedVerifiablePresentation) + } else if (typeof encodedVerifiablePresentation === 'string') { + return W3cJwtVerifiablePresentation.fromSerializedJwt(encodedVerifiablePresentation) + } else if (typeof encodedVerifiablePresentation === 'object' && '@context' in encodedVerifiablePresentation) { + return JsonTransformer.fromJSON(encodedVerifiablePresentation, W3cJsonLdVerifiablePresentation) } else { - throw new DifPresentationExchangeError( - `Unsupported claim format. Only ${ClaimFormat.LdpVc} and ${ClaimFormat.JwtVc} are supported.` - ) - } -} - -export function getW3cVerifiablePresentationInstance( - w3cVerifiablePresentation: SphereonW3cVerifiablePresentation -): W3cVerifiablePresentation { - if (typeof w3cVerifiablePresentation === 'string') { - return W3cJwtVerifiablePresentation.fromSerializedJwt(w3cVerifiablePresentation) - } else { - return JsonTransformer.fromJSON(w3cVerifiablePresentation, W3cJsonLdVerifiablePresentation) - } -} - -export function getW3cVerifiableCredentialInstance( - w3cVerifiableCredential: SphereonW3cVerifiableCredential -): W3cVerifiableCredential { - if (typeof w3cVerifiableCredential === 'string') { - return W3cJwtVerifiableCredential.fromSerializedJwt(w3cVerifiableCredential) - } else { - return JsonTransformer.fromJSON(w3cVerifiableCredential, W3cJsonLdVerifiableCredential) + throw new AriesFrameworkError('Unsupported verifiable presentation format') } } diff --git a/packages/core/src/modules/proofs/formats/dif-presentation-exchange/DifPresentationExchangeProofFormatService.ts b/packages/core/src/modules/proofs/formats/dif-presentation-exchange/DifPresentationExchangeProofFormatService.ts index 3260e806d2..2445da80ce 100644 --- a/packages/core/src/modules/proofs/formats/dif-presentation-exchange/DifPresentationExchangeProofFormatService.ts +++ b/packages/core/src/modules/proofs/formats/dif-presentation-exchange/DifPresentationExchangeProofFormatService.ts @@ -28,7 +28,10 @@ import type { import { Attachment, AttachmentData } from '../../../../decorators/attachment/Attachment' import { AriesFrameworkError } from '../../../../error' import { deepEquality, JsonTransformer } from '../../../../utils' -import { DifPresentationExchangeService } from '../../../dif-presentation-exchange' +import { + DifPresentationExchangeService, + DifPresentationExchangeSubmissionLocation, +} from '../../../dif-presentation-exchange' import { W3cCredentialService, ClaimFormat, @@ -185,28 +188,18 @@ export class PresentationExchangeProofFormatService implements ProofFormatServic const { presentation_definition: presentationDefinition, options } = requestAttachment.getDataAsJson() - const credentials: DifPexInputDescriptorToCredentials = proofFormats?.presentationExchange?.credentials ?? {} - if (Object.keys(credentials).length === 0) { - const { areRequirementsSatisfied, requirements } = await ps.getCredentialsForRequest( - agentContext, - presentationDefinition - ) - - if (!areRequirementsSatisfied) { - throw new AriesFrameworkError('Requirements of the presentation definition could not be satisfied') - } - - requirements.forEach((r) => { - r.submissionEntry.forEach((r) => { - credentials[r.inputDescriptorId] = r.verifiableCredentials.map((c) => c.credential) - }) - }) + let credentials: DifPexInputDescriptorToCredentials + if (proofFormats?.presentationExchange?.credentials) { + credentials = proofFormats.presentationExchange.credentials + } else { + const credentialsForRequest = await ps.getCredentialsForRequest(agentContext, presentationDefinition) + credentials = ps.selectCredentialsForRequest(credentialsForRequest) } const presentation = await ps.createPresentation(agentContext, { presentationDefinition, credentialsForInputDescriptor: credentials, - challenge: options?.challenge, + challenge: options?.challenge ?? (await agentContext.wallet.generateNonce()), domain: options?.domain, }) @@ -214,9 +207,19 @@ export class PresentationExchangeProofFormatService implements ProofFormatServic throw new AriesFrameworkError('Invalid amount of verifiable presentations. Only one is allowed.') } + if (presentation.presentationSubmissionLocation === DifPresentationExchangeSubmissionLocation.EXTERNAL) { + throw new AriesFrameworkError('External presentation submission is not supported.') + } + const firstPresentation = presentation.verifiablePresentations[0] - const attachmentData = firstPresentation.encoded as DifPresentationExchangePresentation - const attachment = this.getFormatData(attachmentData, format.attachmentId) + + // TODO: they should all have `encoded` property so it's easy to use the resulting VP + const encodedFirstPresentation = + firstPresentation instanceof W3cJwtVerifiablePresentation || + firstPresentation instanceof W3cJsonLdVerifiablePresentation + ? firstPresentation.encoded + : firstPresentation?.compact + const attachment = this.getFormatData(encodedFirstPresentation, format.attachmentId) return { attachment, format } } @@ -235,10 +238,15 @@ export class PresentationExchangeProofFormatService implements ProofFormatServic // TODO: we should probably move this transformation logic into the VC module, so it // can be reused in AFJ when we need to go from encoded -> parsed - if (typeof presentation === 'string') { + if (typeof presentation === 'string' && presentation.includes('~')) { + // NOTE: we need to define in the PEX RFC where to put the presentation_submission + throw new AriesFrameworkError('Received SD-JWT VC in PEX proof format. This is not supported yet.') + } else if (typeof presentation === 'string') { + // If it's a string, we expect it to be a JWT VP parsedPresentation = W3cJwtVerifiablePresentation.fromSerializedJwt(presentation) jsonPresentation = parsedPresentation.presentation.toJSON() } else { + // Otherwise we expect it to be a JSON-LD VP parsedPresentation = JsonTransformer.fromJSON(presentation, W3cJsonLdVerifiablePresentation) jsonPresentation = parsedPresentation.toJSON() } diff --git a/packages/core/src/modules/sd-jwt-vc/SdJwtVcApi.ts b/packages/core/src/modules/sd-jwt-vc/SdJwtVcApi.ts new file mode 100644 index 0000000000..17dbd81273 --- /dev/null +++ b/packages/core/src/modules/sd-jwt-vc/SdJwtVcApi.ts @@ -0,0 +1,87 @@ +import type { + SdJwtVcSignOptions, + SdJwtVcHeader, + SdJwtVcPayload, + SdJwtVcPresentOptions, + SdJwtVcVerifyOptions, +} from './SdJwtVcOptions' +import type { SdJwtVcRecord } from './repository' +import type { Query } from '../../storage/StorageService' + +import { AgentContext } from '../../agent' +import { injectable } from '../../plugins' + +import { SdJwtVcService } from './SdJwtVcService' + +/** + * @public + */ +@injectable() +export class SdJwtVcApi { + private agentContext: AgentContext + private sdJwtVcService: SdJwtVcService + + public constructor(agentContext: AgentContext, sdJwtVcService: SdJwtVcService) { + this.agentContext = agentContext + this.sdJwtVcService = sdJwtVcService + } + + public async sign(options: SdJwtVcSignOptions) { + return await this.sdJwtVcService.sign(this.agentContext, options) + } + + /** + * + * Create a compact presentation of the sd-jwt. + * This presentation can be send in- or out-of-band to the verifier. + * + * Also, whether to include the holder key binding. + */ + public async present
( + options: SdJwtVcPresentOptions + ): Promise { + return await this.sdJwtVcService.present(this.agentContext, options) + } + + /** + * + * Verify an incoming sd-jwt. It will check whether everything is valid, but also returns parts of the validation. + * + * For example, you might still want to continue with a flow if not all the claims are included, but the signature is valid. + * + */ + public async verify
(options: SdJwtVcVerifyOptions) { + return await this.sdJwtVcService.verify(this.agentContext, options) + } + + /** + * Get and validate a sd-jwt-vc from a serialized JWT. + */ + public fromCompact
(sdJwtVcCompact: string) { + return this.sdJwtVcService.fromCompact(sdJwtVcCompact) + } + + public async store(compactSdJwtVc: string) { + return await this.sdJwtVcService.store(this.agentContext, compactSdJwtVc) + } + + public async getById(id: string): Promise { + return await this.sdJwtVcService.getById(this.agentContext, id) + } + + public async getAll(): Promise> { + return await this.sdJwtVcService.getAll(this.agentContext) + } + + public async findAllByQuery(query: Query): Promise> { + return await this.sdJwtVcService.findByQuery(this.agentContext, query) + } + + public async deleteById(id: string) { + return await this.sdJwtVcService.deleteById(this.agentContext, id) + } + + public async update(sdJwtVcRecord: SdJwtVcRecord) { + return await this.sdJwtVcService.update(this.agentContext, sdJwtVcRecord) + } +} diff --git a/packages/core/src/modules/sd-jwt-vc/SdJwtVcError.ts b/packages/core/src/modules/sd-jwt-vc/SdJwtVcError.ts new file mode 100644 index 0000000000..42b8943bfb --- /dev/null +++ b/packages/core/src/modules/sd-jwt-vc/SdJwtVcError.ts @@ -0,0 +1,3 @@ +import { AriesFrameworkError } from '../../error' + +export class SdJwtVcError extends AriesFrameworkError {} diff --git a/packages/sd-jwt-vc/src/SdJwtVcModule.ts b/packages/core/src/modules/sd-jwt-vc/SdJwtVcModule.ts similarity index 63% rename from packages/sd-jwt-vc/src/SdJwtVcModule.ts rename to packages/core/src/modules/sd-jwt-vc/SdJwtVcModule.ts index eea361477f..08a931ad74 100644 --- a/packages/sd-jwt-vc/src/SdJwtVcModule.ts +++ b/packages/core/src/modules/sd-jwt-vc/SdJwtVcModule.ts @@ -1,6 +1,6 @@ -import type { DependencyManager, Module } from '@aries-framework/core' +import type { Module, DependencyManager } from '../../plugins' -import { AgentConfig } from '@aries-framework/core' +import { AgentConfig } from '../../agent/AgentConfig' import { SdJwtVcApi } from './SdJwtVcApi' import { SdJwtVcService } from './SdJwtVcService' @@ -20,12 +20,9 @@ export class SdJwtVcModule implements Module { dependencyManager .resolve(AgentConfig) .logger.warn( - "The '@aries-framework/sd-jwt-vc' module is experimental and could have unexpected breaking changes. When using this module, make sure to use strict versions for all @aries-framework packages." + "The 'SdJwtVc' module is experimental and could have unexpected breaking changes. When using this module, make sure to use strict versions for all @aries-framework packages." ) - // Api - dependencyManager.registerContextScoped(this.api) - // Services dependencyManager.registerSingleton(SdJwtVcService) diff --git a/packages/core/src/modules/sd-jwt-vc/SdJwtVcOptions.ts b/packages/core/src/modules/sd-jwt-vc/SdJwtVcOptions.ts new file mode 100644 index 0000000000..23a8ff5627 --- /dev/null +++ b/packages/core/src/modules/sd-jwt-vc/SdJwtVcOptions.ts @@ -0,0 +1,86 @@ +import type { JwkJson, Jwk } from '../../crypto' +import type { HashName } from '../../utils' +import type { DisclosureFrame, PresentationFrame } from '@sd-jwt/core' + +// TODO: extend with required claim names for input (e.g. vct) +export type SdJwtVcPayload = Record +export type SdJwtVcHeader = Record + +export interface SdJwtVcHolderDidBinding { + method: 'did' + didUrl: string +} + +export interface SdJwtVcHolderJwkBinding { + method: 'jwk' + jwk: JwkJson | Jwk +} + +export interface SdJwtVcIssuerDid { + method: 'did' + // didUrl referencing a specific key in a did document. + didUrl: string +} + +// We support jwk and did based binding for the holder at the moment +export type SdJwtVcHolderBinding = SdJwtVcHolderDidBinding | SdJwtVcHolderJwkBinding + +// We only support did based issuance currently, but we might want to add support +// for x509 or issuer metadata (as defined in SD-JWT VC) in the future +export type SdJwtVcIssuer = SdJwtVcIssuerDid + +export interface SdJwtVcSignOptions { + payload: Payload + holder: SdJwtVcHolderBinding + issuer: SdJwtVcIssuer + disclosureFrame?: DisclosureFrame + + /** + * Default of sha2-256 will be used if not provided + */ + hashingAlgorithm?: HashName +} + +export type SdJwtVcPresentOptions = { + compactSdJwtVc: string + + /** + * Use true to disclose everything + */ + presentationFrame: PresentationFrame | true + + /** + * This information is received out-of-band from the verifier. + * The claims will be used to create a normal JWT, used for key binding. + */ + verifierMetadata: { + audience: string + nonce: string + issuedAt: number + } +} + +export type SdJwtVcVerifyOptions = { + compactSdJwtVc: string + + /** + * If the key binding object is present, the sd-jwt is required to have a key binding jwt attached + * and will be validated against the provided key binding options. + */ + keyBinding?: { + /** + * The expected `aud` value in the payload of the KB-JWT. The value of this is dependant on the + * exchange protocol used. + */ + audience: string + + /** + * The expected `nonce` value in the payload of the KB-JWT. The value of this is dependant on the + * exchange protocol used. + */ + nonce: string + } + + // TODO: update to requiredClaimFrame + requiredClaimKeys?: Array +} diff --git a/packages/core/src/modules/sd-jwt-vc/SdJwtVcService.ts b/packages/core/src/modules/sd-jwt-vc/SdJwtVcService.ts new file mode 100644 index 0000000000..95281d2ba2 --- /dev/null +++ b/packages/core/src/modules/sd-jwt-vc/SdJwtVcService.ts @@ -0,0 +1,425 @@ +import type { + SdJwtVcSignOptions, + SdJwtVcPresentOptions, + SdJwtVcVerifyOptions, + SdJwtVcPayload, + SdJwtVcHeader, + SdJwtVcHolderBinding, + SdJwtVcIssuer, +} from './SdJwtVcOptions' +import type { AgentContext } from '../../agent' +import type { JwkJson, Key } from '../../crypto' +import type { Query } from '../../storage/StorageService' +import type { Signer, SdJwtVcVerificationResult, Verifier, HasherAndAlgorithm, DisclosureItem } from '@sd-jwt/core' + +import { KeyBinding, SdJwtVc as _SdJwtVc, HasherAlgorithm } from '@sd-jwt/core' +import { decodeSdJwtVc } from '@sd-jwt/decode' +import { injectable } from 'tsyringe' + +import { Jwk, getJwkFromJson, getJwkFromKey } from '../../crypto' +import { TypedArrayEncoder, Hasher, Buffer } from '../../utils' +import { DidResolverService, parseDid, getKeyFromVerificationMethod } from '../dids' + +import { SdJwtVcError } from './SdJwtVcError' +import { SdJwtVcRecord, SdJwtVcRepository } from './repository' + +export { SdJwtVcVerificationResult, DisclosureItem } + +export interface SdJwtVc< + Header extends SdJwtVcHeader = SdJwtVcHeader, + Payload extends SdJwtVcPayload = SdJwtVcPayload +> { + compact: string + header: Header + + // TODO: payload type here is a lie, as it is the signed payload (so fields replaced with _sd) + payload: Payload + prettyClaims: Payload +} + +/** + * @internal + */ +@injectable() +export class SdJwtVcService { + private sdJwtVcRepository: SdJwtVcRepository + + public constructor(sdJwtVcRepository: SdJwtVcRepository) { + this.sdJwtVcRepository = sdJwtVcRepository + } + + public async sign(agentContext: AgentContext, options: SdJwtVcSignOptions) { + const { payload, disclosureFrame, hashingAlgorithm } = options + + // default is sha2-256 + if (hashingAlgorithm && hashingAlgorithm !== 'sha2-256') { + throw new SdJwtVcError(`Unsupported hashing algorithm used: ${hashingAlgorithm}`) + } + + const issuer = await this.extractKeyFromIssuer(agentContext, options.issuer) + const holderBinding = await this.extractKeyFromHolderBinding(agentContext, options.holder) + + const header = { + alg: issuer.alg, + typ: 'vc+sd-jwt', + kid: issuer.kid, + } as const + + const sdJwtVc = new _SdJwtVc({}, { disclosureFrame }) + .withHasher(this.hasher) + .withSigner(this.signer(agentContext, issuer.key)) + .withSaltGenerator(agentContext.wallet.generateNonce) + .withHeader(header) + .withPayload({ ...payload }) + + // Add the `cnf` claim for the holder key binding + sdJwtVc.addPayloadClaim('cnf', holderBinding.cnf) + + // Add `iss` claim + sdJwtVc.addPayloadClaim('iss', issuer.iss) + + // Add the issued at (iat) claim + sdJwtVc.addPayloadClaim('iat', Math.floor(new Date().getTime() / 1000)) + + const compact = await sdJwtVc.toCompact() + if (!sdJwtVc.signature) { + throw new SdJwtVcError('Invalid sd-jwt-vc state. Signature should have been set when calling `toCompact`.') + } + + return { + compact, + prettyClaims: await sdJwtVc.getPrettyClaims(), + header: sdJwtVc.header, + payload: sdJwtVc.payload, + } satisfies SdJwtVc + } + + public fromCompact
( + compactSdJwtVc: string + ): SdJwtVc { + // NOTE: we use decodeSdJwtVc so we can make this method sync + const { decodedPayload, header, signedPayload } = decodeSdJwtVc(compactSdJwtVc, Hasher.hash) + + return { + compact: compactSdJwtVc, + header: header as Header, + payload: signedPayload as Payload, + prettyClaims: decodedPayload as Payload, + } + } + + public async present
( + agentContext: AgentContext, + { compactSdJwtVc, presentationFrame, verifierMetadata }: SdJwtVcPresentOptions + ): Promise { + const sdJwtVc = _SdJwtVc.fromCompact
(compactSdJwtVc).withHasher(this.hasher) + const holder = await this.extractKeyFromHolderBinding(agentContext, this.parseHolderBindingFromCredential(sdJwtVc)) + + // FIXME: we create the SD-JWT in two steps as the _sd_hash is currently not included in the SD-JWT library + // so we add it ourselves, but for that we need the contents of the derived SD-JWT first + const compactDerivedSdJwtVc = await sdJwtVc.present(presentationFrame === true ? undefined : presentationFrame) + + let sdAlg: string + try { + sdAlg = sdJwtVc.getClaimInPayload('_sd_alg') + } catch (error) { + sdAlg = 'sha-256' + } + + const header = { + alg: holder.alg, + typ: 'kb+jwt', + } as const + + const payload = { + iat: verifierMetadata.issuedAt, + nonce: verifierMetadata.nonce, + aud: verifierMetadata.audience, + + // FIXME: _sd_hash is missing. See + // https://github.com/berendsliedrecht/sd-jwt-ts/issues/8 + _sd_hash: TypedArrayEncoder.toBase64URL(Hasher.hash(compactDerivedSdJwtVc, sdAlg)), + } + + const compactKbJwt = await new KeyBinding({ header, payload }) + .withSigner(this.signer(agentContext, holder.key)) + .toCompact() + + return `${compactDerivedSdJwtVc}${compactKbJwt}` + } + + public async verify
( + agentContext: AgentContext, + { compactSdJwtVc, keyBinding, requiredClaimKeys }: SdJwtVcVerifyOptions + ) { + const sdJwtVc = _SdJwtVc.fromCompact(compactSdJwtVc).withHasher(this.hasher) + + const issuer = await this.extractKeyFromIssuer(agentContext, this.parseIssuerFromCredential(sdJwtVc)) + const holder = await this.extractKeyFromHolderBinding(agentContext, this.parseHolderBindingFromCredential(sdJwtVc)) + + // FIXME: we currently pass in the required keys in the verification method and based on the header.typ we + // check if we need to use the issuer or holder key. Once better support in sd-jwt lib is available we can + // update this. + // See https://github.com/berendsliedrecht/sd-jwt-ts/pull/34 + // See https://github.com/berendsliedrecht/sd-jwt-ts/issues/15 + const verificationResult = await sdJwtVc.verify( + this.verifier(agentContext, { + issuer: issuer.key, + holder: holder.key, + }), + requiredClaimKeys, + holder.cnf + ) + + // If keyBinding is present, verify the key binding + try { + if (keyBinding) { + if (!sdJwtVc.keyBinding || !sdJwtVc.keyBinding.payload) { + throw new SdJwtVcError('Keybinding is required for verification of the sd-jwt-vc') + } + + let sdAlg: string + try { + sdAlg = sdJwtVc.getClaimInPayload('_sd_alg') + } catch (error) { + sdAlg = 'sha-256' + } + + // FIXME: Calculate _sd_hash. can be removed once below is resolved + // https://github.com/berendsliedrecht/sd-jwt-ts/issues/8 + const sdJwtParts = compactSdJwtVc.split('~') + sdJwtParts.pop() // remove kb-jwt + const sdJwtWithoutKbJwt = `${sdJwtParts.join('~')}~` + const sdHash = TypedArrayEncoder.toBase64URL(Hasher.hash(sdJwtWithoutKbJwt, sdAlg)) + + // Assert `aud` and `nonce` claims + sdJwtVc.keyBinding.assertClaimInPayload('aud', keyBinding.audience) + sdJwtVc.keyBinding.assertClaimInPayload('nonce', keyBinding.nonce) + sdJwtVc.keyBinding.assertClaimInPayload('_sd_hash', sdHash) + } + } catch (error) { + verificationResult.isKeyBindingValid = false + verificationResult.isValid = false + } + + return { + verification: verificationResult, + sdJwtVc: { + payload: sdJwtVc.payload, + header: sdJwtVc.header, + compact: compactSdJwtVc, + prettyClaims: await sdJwtVc.getPrettyClaims(), + } satisfies SdJwtVc, + } + } + + public async store(agentContext: AgentContext, compactSdJwtVc: string) { + const sdJwtVcRecord = new SdJwtVcRecord({ + compactSdJwtVc, + }) + await this.sdJwtVcRepository.save(agentContext, sdJwtVcRecord) + + return sdJwtVcRecord + } + + public async getById(agentContext: AgentContext, id: string): Promise { + return await this.sdJwtVcRepository.getById(agentContext, id) + } + + public async getAll(agentContext: AgentContext): Promise> { + return await this.sdJwtVcRepository.getAll(agentContext) + } + + public async findByQuery(agentContext: AgentContext, query: Query): Promise> { + return await this.sdJwtVcRepository.findByQuery(agentContext, query) + } + + public async deleteById(agentContext: AgentContext, id: string) { + await this.sdJwtVcRepository.deleteById(agentContext, id) + } + + public async update(agentContext: AgentContext, sdJwtVcRecord: SdJwtVcRecord) { + await this.sdJwtVcRepository.update(agentContext, sdJwtVcRecord) + } + + private async resolveDidUrl(agentContext: AgentContext, didUrl: string) { + const didResolver = agentContext.dependencyManager.resolve(DidResolverService) + const didDocument = await didResolver.resolveDidDocument(agentContext, didUrl) + + return { + verificationMethod: didDocument.dereferenceKey(didUrl, ['assertionMethod']), + didDocument, + } + } + + private get hasher(): HasherAndAlgorithm { + return { + algorithm: HasherAlgorithm.Sha256, + hasher: Hasher.hash, + } + } + + /** + * @todo validate the JWT header (alg) + */ + private signer
(agentContext: AgentContext, key: Key): Signer
{ + return async (input: string) => agentContext.wallet.sign({ key, data: TypedArrayEncoder.fromString(input) }) + } + + /** + * @todo validate the JWT header (alg) + */ + private verifier
( + agentContext: AgentContext, + verificationKeys: { + issuer: Key + holder: Key + } + ): Verifier
{ + return async ({ message, signature, publicKeyJwk, header }) => { + const keyFromPublicKeyJwk = publicKeyJwk ? getJwkFromJson(publicKeyJwk as JwkJson).key : undefined + + let key: Key + if (header.typ === 'kb+jwt') { + key = verificationKeys.holder + } else if (header.typ === 'vc+sd-jwt') { + key = verificationKeys.issuer + } else { + throw new SdJwtVcError(`Unsupported JWT type '${header.typ}'`) + } + + if (keyFromPublicKeyJwk && key.fingerprint !== keyFromPublicKeyJwk.fingerprint) { + throw new SdJwtVcError('The key used to verify the signature does not match the expected key') + } + + return await agentContext.wallet.verify({ + signature: Buffer.from(signature), + key, + data: TypedArrayEncoder.fromString(message), + }) + } + } + + private async extractKeyFromIssuer(agentContext: AgentContext, issuer: SdJwtVcIssuer) { + if (issuer.method === 'did') { + const parsedDid = parseDid(issuer.didUrl) + if (!parsedDid.fragment) { + throw new SdJwtVcError( + `didUrl '${issuer.didUrl}' does not contain a '#'. Unable to derive key from did document` + ) + } + + const { verificationMethod } = await this.resolveDidUrl(agentContext, issuer.didUrl) + const key = getKeyFromVerificationMethod(verificationMethod) + const alg = getJwkFromKey(key).supportedSignatureAlgorithms[0] + + return { + alg, + key, + iss: parsedDid.did, + kid: `#${parsedDid.fragment}`, + } + } + + throw new SdJwtVcError("Unsupported credential issuer. Only 'did' is supported at the moment.") + } + + private parseIssuerFromCredential
( + sdJwtVc: _SdJwtVc + ): SdJwtVcIssuer { + const iss = sdJwtVc.getClaimInPayload('iss') + + if (iss.startsWith('did:')) { + // If `did` is used, we require a relative KID to be present to identify + // the key used by issuer to sign the sd-jwt-vc + sdJwtVc.assertClaimInHeader('kid') + const issuerKid = sdJwtVc.getClaimInHeader('kid') + + let didUrl: string + if (issuerKid.startsWith('#')) { + didUrl = `${iss}${issuerKid}` + } else if (issuerKid.startsWith('did:')) { + const didFromKid = parseDid(issuerKid) + if (didFromKid.did !== iss) { + throw new SdJwtVcError( + `kid in header is an absolute DID URL, but the did (${didFromKid.did}) does not match with the 'iss' did (${iss})` + ) + } + + didUrl = issuerKid + } else { + throw new SdJwtVcError( + 'Invalid issuer kid for did. Only absolute or relative (starting with #) did urls are supported.' + ) + } + + return { + method: 'did', + didUrl, + } + } + throw new SdJwtVcError("Unsupported 'iss' value. Only did is supported at the moment.") + } + + private parseHolderBindingFromCredential
( + sdJwtVc: _SdJwtVc + ): SdJwtVcHolderBinding { + const cnf = sdJwtVc.getClaimInPayload<{ jwk?: JwkJson; kid?: string }>('cnf') + + if (cnf.jwk) { + return { + method: 'jwk', + jwk: cnf.jwk, + } + } else if (cnf.kid) { + if (!cnf.kid.startsWith('did:') || !cnf.kid.includes('#')) { + throw new SdJwtVcError('Invalid holder kid for did. Only absolute KIDs for cnf are supported') + } + return { + method: 'did', + didUrl: cnf.kid, + } + } + + throw new SdJwtVcError("Unsupported credential holder binding. Only 'did' and 'jwk' are supported at the moment.") + } + + private async extractKeyFromHolderBinding(agentContext: AgentContext, holder: SdJwtVcHolderBinding) { + if (holder.method === 'did') { + const parsedDid = parseDid(holder.didUrl) + if (!parsedDid.fragment) { + throw new SdJwtVcError( + `didUrl '${holder.didUrl}' does not contain a '#'. Unable to derive key from did document` + ) + } + + const { verificationMethod } = await this.resolveDidUrl(agentContext, holder.didUrl) + const key = getKeyFromVerificationMethod(verificationMethod) + const alg = getJwkFromKey(key).supportedSignatureAlgorithms[0] + + return { + alg, + key, + cnf: { + // We need to include the whole didUrl here, otherwise the verifier + // won't know which did it is associated with + kid: holder.didUrl, + }, + } + } else if (holder.method === 'jwk') { + const jwk = holder.jwk instanceof Jwk ? holder.jwk : getJwkFromJson(holder.jwk) + const key = jwk.key + const alg = jwk.supportedSignatureAlgorithms[0] + + return { + alg, + key, + cnf: { + jwk: jwk.toJson(), + }, + } + } + + throw new SdJwtVcError("Unsupported credential holder binding. Only 'did' and 'jwk' are supported at the moment.") + } +} diff --git a/packages/sd-jwt-vc/src/__tests__/SdJwtVcModule.test.ts b/packages/core/src/modules/sd-jwt-vc/__tests__/SdJwtVcModule.test.ts similarity index 81% rename from packages/sd-jwt-vc/src/__tests__/SdJwtVcModule.test.ts rename to packages/core/src/modules/sd-jwt-vc/__tests__/SdJwtVcModule.test.ts index 0adc239614..8a58e9c512 100644 --- a/packages/sd-jwt-vc/src/__tests__/SdJwtVcModule.test.ts +++ b/packages/core/src/modules/sd-jwt-vc/__tests__/SdJwtVcModule.test.ts @@ -1,6 +1,5 @@ import type { DependencyManager } from '@aries-framework/core' -import { SdJwtVcApi } from '../SdJwtVcApi' import { SdJwtVcModule } from '../SdJwtVcModule' import { SdJwtVcService } from '../SdJwtVcService' import { SdJwtVcRepository } from '../repository' @@ -17,9 +16,6 @@ describe('SdJwtVcModule', () => { const sdJwtVcModule = new SdJwtVcModule() sdJwtVcModule.register(dependencyManager) - expect(dependencyManager.registerContextScoped).toHaveBeenCalledTimes(1) - expect(dependencyManager.registerContextScoped).toHaveBeenCalledWith(SdJwtVcApi) - expect(dependencyManager.registerSingleton).toHaveBeenCalledTimes(2) expect(dependencyManager.registerSingleton).toHaveBeenCalledWith(SdJwtVcService) expect(dependencyManager.registerSingleton).toHaveBeenCalledWith(SdJwtVcRepository) diff --git a/packages/sd-jwt-vc/src/__tests__/SdJwtVcService.test.ts b/packages/core/src/modules/sd-jwt-vc/__tests__/SdJwtVcService.test.ts similarity index 50% rename from packages/sd-jwt-vc/src/__tests__/SdJwtVcService.test.ts rename to packages/core/src/modules/sd-jwt-vc/__tests__/SdJwtVcService.test.ts index a0347e3c46..c49afc452e 100644 --- a/packages/sd-jwt-vc/src/__tests__/SdJwtVcService.test.ts +++ b/packages/core/src/modules/sd-jwt-vc/__tests__/SdJwtVcService.test.ts @@ -1,7 +1,23 @@ -import type { Key, Logger } from '@aries-framework/core' +import type { SdJwtVcHeader } from '../SdJwtVcOptions' +import type { Jwk, Key } from '@aries-framework/core' + +import { AskarModule } from '../../../../../askar/src' +import { askarModuleConfig } from '../../../../../askar/tests/helpers' +import { agentDependencies } from '../../../../tests' +import { SdJwtVcService } from '../SdJwtVcService' +import { SdJwtVcRepository } from '../repository' -import { AskarModule } from '@aries-framework/askar' import { + complexSdJwtVc, + complexSdJwtVcPresentation, + sdJwtVcWithSingleDisclosure, + sdJwtVcWithSingleDisclosurePresentation, + simpleJwtVc, + simpleJwtVcPresentation, +} from './sdjwtvc.fixtures' + +import { + parseDid, getJwkFromKey, DidKey, DidsModule, @@ -12,25 +28,17 @@ import { Agent, TypedArrayEncoder, } from '@aries-framework/core' -import { ariesAskar } from '@hyperledger/aries-askar-nodejs' - -import { agentDependencies } from '../../../core/tests' -import { SdJwtVcService } from '../SdJwtVcService' -import { SdJwtVcRepository } from '../repository' -import { - complexSdJwtVc, - complexSdJwtVcPresentation, - sdJwtVcWithSingleDisclosure, - sdJwtVcWithSingleDisclosurePresentation, - simpleJwtVc, - simpleJwtVcPresentation, -} from './sdjwtvc.fixtures' +const jwkJsonWithoutUse = (jwk: Jwk) => { + const jwkJson = jwk.toJson() + delete jwkJson.use + return jwkJson +} const agent = new Agent({ config: { label: 'sdjwtvcserviceagent', walletConfig: { id: utils.uuid(), key: utils.uuid() } }, modules: { - askar: new AskarModule({ ariesAskar }), + askar: new AskarModule(askarModuleConfig), dids: new DidsModule({ resolvers: [new KeyDidResolver()], registrars: [new KeyDidRegistrar()], @@ -39,7 +47,6 @@ const agent = new Agent({ dependencies: agentDependencies, }) -const logger = jest.fn() as unknown as Logger agent.context.wallet.generateNonce = jest.fn(() => Promise.resolve('salt')) Date.prototype.getTime = jest.fn(() => 1698151532000) @@ -49,7 +56,6 @@ const SdJwtVcRepositoryMock = SdJwtVcRepository as jest.Mock describe('SdJwtVcService', () => { const verifierDid = 'did:key:zUC74VEqqhEHQcgv4zagSPkqFJxuNWuoBPKjJuHETEUeHLoSqWt92viSsmaWjy82y' let issuerDidUrl: string - let holderDidUrl: string let issuerKey: Key let holderKey: Key let sdJwtVcService: SdJwtVcService @@ -74,88 +80,109 @@ describe('SdJwtVcService', () => { const holderDidKey = new DidKey(holderKey) const holderDidDocument = holderDidKey.didDocument - holderDidUrl = (holderDidDocument.verificationMethod ?? [])[0].id await agent.dids.import({ didDocument: holderDidDocument, did: holderDidDocument.id }) const sdJwtVcRepositoryMock = new SdJwtVcRepositoryMock() - sdJwtVcService = new SdJwtVcService(sdJwtVcRepositoryMock, logger) + sdJwtVcService = new SdJwtVcService(sdJwtVcRepositoryMock) }) - describe('SdJwtVcService.create', () => { - test('Create sd-jwt-vc from a basic payload without disclosures', async () => { - const { compact, sdJwtVcRecord } = await sdJwtVcService.create( - agent.context, - { + describe('SdJwtVcService.sign', () => { + test('Sign sd-jwt-vc from a basic payload without disclosures', async () => { + const { compact } = await sdJwtVcService.sign(agent.context, { + payload: { claim: 'some-claim', - type: 'IdentityCredential', + vct: 'IdentityCredential', }, - { - issuerDidUrl, - holderDidUrl, - } - ) + holder: { + // FIXME: is it nicer API to just pass either didUrl or JWK? + // Or none if you don't want to bind it? + method: 'jwk', + jwk: jwkJsonWithoutUse(getJwkFromKey(holderKey)), + }, + issuer: { + method: 'did', + didUrl: issuerDidUrl, + }, + }) expect(compact).toStrictEqual(simpleJwtVc) - expect(sdJwtVcRecord.sdJwtVc.header).toEqual({ + const sdJwtVc = await sdJwtVcService.fromCompact(compact) + + expect(sdJwtVc.header).toEqual({ alg: 'EdDSA', typ: 'vc+sd-jwt', - kid: 'z6MktqtXNG8CDUY9PrrtoStFzeCnhpMmgxYL1gikcW3BzvNW', + kid: '#z6MktqtXNG8CDUY9PrrtoStFzeCnhpMmgxYL1gikcW3BzvNW', }) - expect(sdJwtVcRecord.sdJwtVc.payload).toEqual({ + expect(sdJwtVc.prettyClaims).toEqual({ claim: 'some-claim', - type: 'IdentityCredential', + vct: 'IdentityCredential', iat: Math.floor(new Date().getTime() / 1000), - iss: issuerDidUrl.split('#')[0], + iss: parseDid(issuerDidUrl).did, cnf: { - jwk: getJwkFromKey(holderKey).toJson(), + jwk: jwkJsonWithoutUse(getJwkFromKey(holderKey)), }, }) }) test('Create sd-jwt-vc from a basic payload with a disclosure', async () => { - const { compact, sdJwtVcRecord } = await sdJwtVcService.create( - agent.context, - { claim: 'some-claim', type: 'IdentityCredential' }, - { - issuerDidUrl, - holderDidUrl, - disclosureFrame: { claim: true }, - } - ) + const { compact, header, prettyClaims, payload } = await sdJwtVcService.sign(agent.context, { + payload: { claim: 'some-claim', vct: 'IdentityCredential' }, + disclosureFrame: { claim: true }, + holder: { + method: 'jwk', + jwk: jwkJsonWithoutUse(getJwkFromKey(holderKey)), + }, + issuer: { + method: 'did', + didUrl: issuerDidUrl, + }, + }) expect(compact).toStrictEqual(sdJwtVcWithSingleDisclosure) - expect(sdJwtVcRecord.sdJwtVc.header).toEqual({ + expect(header).toEqual({ alg: 'EdDSA', typ: 'vc+sd-jwt', - kid: 'z6MktqtXNG8CDUY9PrrtoStFzeCnhpMmgxYL1gikcW3BzvNW', + kid: '#z6MktqtXNG8CDUY9PrrtoStFzeCnhpMmgxYL1gikcW3BzvNW', }) - expect(sdJwtVcRecord.sdJwtVc.payload).toEqual({ - type: 'IdentityCredential', + expect(payload).toEqual({ + vct: 'IdentityCredential', iat: Math.floor(new Date().getTime() / 1000), iss: issuerDidUrl.split('#')[0], _sd: ['vcvFU4DsFKTqQ1vl4nelJWXTb_-0dNoBks6iqNFptyg'], _sd_alg: 'sha-256', cnf: { - jwk: getJwkFromKey(holderKey).toJson(), + jwk: jwkJsonWithoutUse(getJwkFromKey(holderKey)), }, }) - expect(sdJwtVcRecord.sdJwtVc.payload).not.toContain({ + expect(prettyClaims).toEqual({ + vct: 'IdentityCredential', + iat: Math.floor(new Date().getTime() / 1000), + iss: issuerDidUrl.split('#')[0], claim: 'some-claim', + cnf: { + jwk: jwkJsonWithoutUse(getJwkFromKey(holderKey)), + }, }) - - expect(sdJwtVcRecord.sdJwtVc.disclosures).toEqual(expect.arrayContaining([['salt', 'claim', 'some-claim']])) }) test('Create sd-jwt-vc from a basic payload with multiple (nested) disclosure', async () => { - const { compact, sdJwtVcRecord } = await sdJwtVcService.create( - agent.context, - { - type: 'IdentityCredential', + const { compact, header, payload, prettyClaims } = await sdJwtVcService.sign(agent.context, { + disclosureFrame: { + is_over_65: true, + is_over_21: true, + is_over_18: true, + birthdate: true, + email: true, + address: { region: true, country: true }, + given_name: true, + }, + payload: { + vct: 'IdentityCredential', given_name: 'John', family_name: 'Doe', email: 'johndoe@example.com', @@ -171,31 +198,26 @@ describe('SdJwtVcService', () => { is_over_21: true, is_over_65: true, }, - { - issuerDidUrl: issuerDidUrl, - holderDidUrl: holderDidUrl, - disclosureFrame: { - is_over_65: true, - is_over_21: true, - is_over_18: true, - birthdate: true, - email: true, - address: { region: true, country: true }, - given_name: true, - }, - } - ) + holder: { + method: 'jwk', + jwk: jwkJsonWithoutUse(getJwkFromKey(holderKey)), + }, + issuer: { + method: 'did', + didUrl: issuerDidUrl, + }, + }) expect(compact).toStrictEqual(complexSdJwtVc) - expect(sdJwtVcRecord.sdJwtVc.header).toEqual({ + expect(header).toEqual({ alg: 'EdDSA', typ: 'vc+sd-jwt', - kid: 'z6MktqtXNG8CDUY9PrrtoStFzeCnhpMmgxYL1gikcW3BzvNW', + kid: '#z6MktqtXNG8CDUY9PrrtoStFzeCnhpMmgxYL1gikcW3BzvNW', }) - expect(sdJwtVcRecord.sdJwtVc.payload).toEqual({ - type: 'IdentityCredential', + expect(payload).toEqual({ + vct: 'IdentityCredential', iat: Math.floor(new Date().getTime() / 1000), address: { _sd: ['NJnmct0BqBME1JfBlC6jRQVRuevpEONiYw7A7MHuJyQ', 'om5ZztZHB-Gd00LG21CV_xM4FaENSoiaOXnTAJNczB4'], @@ -215,109 +237,94 @@ describe('SdJwtVcService', () => { ], _sd_alg: 'sha-256', cnf: { - jwk: getJwkFromKey(holderKey).toJson(), + jwk: jwkJsonWithoutUse(getJwkFromKey(holderKey)), }, }) - expect(sdJwtVcRecord.sdJwtVc.payload).not.toContain({ - family_name: 'Doe', - phone_number: '+1-202-555-0101', + expect(prettyClaims).toEqual({ + vct: 'IdentityCredential', + iat: Math.floor(new Date().getTime() / 1000), address: { region: 'Anystate', country: 'US', + locality: 'Anytown', + street_address: '123 Main St', }, + email: 'johndoe@example.com', + given_name: 'John', + phone_number: '+1-202-555-0101', + family_name: 'Doe', + iss: issuerDidUrl.split('#')[0], birthdate: '1940-01-01', is_over_18: true, is_over_21: true, is_over_65: true, + cnf: { + jwk: jwkJsonWithoutUse(getJwkFromKey(holderKey)), + }, }) - - expect(sdJwtVcRecord.sdJwtVc.disclosures).toEqual( - expect.arrayContaining([ - ['salt', 'is_over_65', true], - ['salt', 'is_over_21', true], - ['salt', 'is_over_18', true], - ['salt', 'birthdate', '1940-01-01'], - ['salt', 'email', 'johndoe@example.com'], - ['salt', 'region', 'Anystate'], - ['salt', 'country', 'US'], - ['salt', 'given_name', 'John'], - ]) - ) }) }) describe('SdJwtVcService.receive', () => { test('Receive sd-jwt-vc from a basic payload without disclosures', async () => { - const sdJwtVc = simpleJwtVc + const sdJwtVc = await sdJwtVcService.fromCompact(simpleJwtVc) + const sdJwtVcRecord = await sdJwtVcService.store(agent.context, sdJwtVc.compact) + expect(sdJwtVcRecord.compactSdJwtVc).toEqual(simpleJwtVc) - const sdJwtVcRecord = await sdJwtVcService.storeCredential(agent.context, sdJwtVc, { - issuerDidUrl, - holderDidUrl, - }) - - expect(sdJwtVcRecord.sdJwtVc.header).toEqual({ + expect(sdJwtVc.header).toEqual({ alg: 'EdDSA', typ: 'vc+sd-jwt', - kid: 'z6MktqtXNG8CDUY9PrrtoStFzeCnhpMmgxYL1gikcW3BzvNW', + kid: '#z6MktqtXNG8CDUY9PrrtoStFzeCnhpMmgxYL1gikcW3BzvNW', }) - expect(sdJwtVcRecord.sdJwtVc.payload).toEqual({ + expect(sdJwtVc.payload).toEqual({ claim: 'some-claim', - type: 'IdentityCredential', + vct: 'IdentityCredential', iat: Math.floor(new Date().getTime() / 1000), iss: issuerDidUrl.split('#')[0], cnf: { - jwk: getJwkFromKey(holderKey).toJson(), + jwk: jwkJsonWithoutUse(getJwkFromKey(holderKey)), }, }) }) test('Receive sd-jwt-vc from a basic payload with a disclosure', async () => { - const sdJwtVc = sdJwtVcWithSingleDisclosure - - const sdJwtVcRecord = await sdJwtVcService.storeCredential(agent.context, sdJwtVc, { - issuerDidUrl, - holderDidUrl, - }) + const sdJwtVc = await sdJwtVcService.fromCompact(sdJwtVcWithSingleDisclosure) - expect(sdJwtVcRecord.sdJwtVc.header).toEqual({ + expect(sdJwtVc.header).toEqual({ alg: 'EdDSA', typ: 'vc+sd-jwt', - kid: 'z6MktqtXNG8CDUY9PrrtoStFzeCnhpMmgxYL1gikcW3BzvNW', + kid: '#z6MktqtXNG8CDUY9PrrtoStFzeCnhpMmgxYL1gikcW3BzvNW', }) - expect(sdJwtVcRecord.sdJwtVc.payload).toEqual({ - type: 'IdentityCredential', + expect(sdJwtVc.payload).toEqual({ + vct: 'IdentityCredential', iat: Math.floor(new Date().getTime() / 1000), iss: issuerDidUrl.split('#')[0], _sd: ['vcvFU4DsFKTqQ1vl4nelJWXTb_-0dNoBks6iqNFptyg'], _sd_alg: 'sha-256', cnf: { - jwk: getJwkFromKey(holderKey).toJson(), + jwk: jwkJsonWithoutUse(getJwkFromKey(holderKey)), }, }) - expect(sdJwtVcRecord.sdJwtVc.payload).not.toContain({ + expect(sdJwtVc.payload).not.toContain({ claim: 'some-claim', }) - - expect(sdJwtVcRecord.sdJwtVc.disclosures).toEqual(expect.arrayContaining([['salt', 'claim', 'some-claim']])) }) test('Receive sd-jwt-vc from a basic payload with multiple (nested) disclosure', async () => { - const sdJwtVc = complexSdJwtVc - - const sdJwtVcRecord = await sdJwtVcService.storeCredential(agent.context, sdJwtVc, { holderDidUrl, issuerDidUrl }) + const sdJwtVc = await sdJwtVcService.fromCompact(complexSdJwtVc) - expect(sdJwtVcRecord.sdJwtVc.header).toEqual({ + expect(sdJwtVc.header).toEqual({ alg: 'EdDSA', typ: 'vc+sd-jwt', - kid: 'z6MktqtXNG8CDUY9PrrtoStFzeCnhpMmgxYL1gikcW3BzvNW', + kid: '#z6MktqtXNG8CDUY9PrrtoStFzeCnhpMmgxYL1gikcW3BzvNW', }) - expect(sdJwtVcRecord.sdJwtVc.payload).toEqual({ - type: 'IdentityCredential', + expect(sdJwtVc.payload).toEqual({ + vct: 'IdentityCredential', iat: Math.floor(new Date().getTime() / 1000), family_name: 'Doe', iss: issuerDidUrl.split('#')[0], @@ -326,6 +333,7 @@ describe('SdJwtVcService', () => { locality: 'Anytown', street_address: '123 Main St', }, + _sd_alg: 'sha-256', phone_number: '+1-202-555-0101', _sd: [ '1Cur2k2A2oIB5CshSIf_A_Kg-l26u_qKuWQ79P0Vdas', @@ -335,50 +343,59 @@ describe('SdJwtVcService', () => { 'psauKUNWEi09nu3Cl89xKXgmpWENZl5uy1N1nyn_jMk', 'sN_ge0pHXF6qmsYnX1A9SdwJ8ch8aENkxbODsT74YwI', ], - _sd_alg: 'sha-256', cnf: { - jwk: getJwkFromKey(holderKey).toJson(), + jwk: jwkJsonWithoutUse(getJwkFromKey(holderKey)), }, }) - expect(sdJwtVcRecord.sdJwtVc.payload).not.toContain({ - family_name: 'Doe', - phone_number: '+1-202-555-0101', + expect(sdJwtVc.payload).not.toContain({ address: { region: 'Anystate', country: 'US', }, + family_name: 'Doe', + phone_number: '+1-202-555-0101', + email: 'johndoe@example.com', + given_name: 'John', birthdate: '1940-01-01', is_over_18: true, is_over_21: true, is_over_65: true, }) - expect(sdJwtVcRecord.sdJwtVc.disclosures).toEqual( - expect.arrayContaining([ - ['salt', 'is_over_65', true], - ['salt', 'is_over_21', true], - ['salt', 'is_over_18', true], - ['salt', 'birthdate', '1940-01-01'], - ['salt', 'email', 'johndoe@example.com'], - ['salt', 'region', 'Anystate'], - ['salt', 'country', 'US'], - ['salt', 'given_name', 'John'], - ]) - ) + expect(sdJwtVc.prettyClaims).toEqual({ + vct: 'IdentityCredential', + iat: Math.floor(new Date().getTime() / 1000), + family_name: 'Doe', + iss: issuerDidUrl.split('#')[0], + phone_number: '+1-202-555-0101', + email: 'johndoe@example.com', + given_name: 'John', + birthdate: '1940-01-01', + is_over_18: true, + is_over_21: true, + is_over_65: true, + address: { + region: 'Anystate', + country: 'US', + locality: 'Anytown', + street_address: '123 Main St', + }, + cnf: { + jwk: jwkJsonWithoutUse(getJwkFromKey(holderKey)), + }, + }) }) }) describe('SdJwtVcService.present', () => { test('Present sd-jwt-vc from a basic payload without disclosures', async () => { - const sdJwtVc = simpleJwtVc - - const sdJwtVcRecord = await sdJwtVcService.storeCredential(agent.context, sdJwtVc, { issuerDidUrl, holderDidUrl }) - - const presentation = await sdJwtVcService.present(agent.context, sdJwtVcRecord, { + const presentation = await sdJwtVcService.present(agent.context, { + compactSdJwtVc: simpleJwtVc, + presentationFrame: {}, verifierMetadata: { issuedAt: new Date().getTime() / 1000, - verifierDid, + audience: verifierDid, nonce: await agent.context.wallet.generateNonce(), }, }) @@ -387,34 +404,47 @@ describe('SdJwtVcService', () => { }) test('Present sd-jwt-vc from a basic payload with a disclosure', async () => { - const sdJwtVc = sdJwtVcWithSingleDisclosure - - const sdJwtVcRecord = await sdJwtVcService.storeCredential(agent.context, sdJwtVc, { holderDidUrl, issuerDidUrl }) - - const presentation = await sdJwtVcService.present(agent.context, sdJwtVcRecord, { + const presentation = await sdJwtVcService.present(agent.context, { + compactSdJwtVc: sdJwtVcWithSingleDisclosure, + presentationFrame: { + claim: true, + }, verifierMetadata: { issuedAt: new Date().getTime() / 1000, - verifierDid, + audience: verifierDid, nonce: await agent.context.wallet.generateNonce(), }, - includedDisclosureIndices: [0], }) expect(presentation).toStrictEqual(sdJwtVcWithSingleDisclosurePresentation) }) test('Present sd-jwt-vc from a basic payload with multiple (nested) disclosure', async () => { - const sdJwtVc = complexSdJwtVc - - const sdJwtVcRecord = await sdJwtVcService.storeCredential(agent.context, sdJwtVc, { holderDidUrl, issuerDidUrl }) - - const presentation = await sdJwtVcService.present(agent.context, sdJwtVcRecord, { + const presentation = await sdJwtVcService.present< + Record, + { + // FIXME: when not passing a payload, adding nested presentationFrame is broken + // Needs to be fixed in sd-jwt library + address: { + country: string + } + } + >(agent.context, { + compactSdJwtVc: complexSdJwtVc, verifierMetadata: { issuedAt: new Date().getTime() / 1000, - verifierDid, + audience: verifierDid, nonce: await agent.context.wallet.generateNonce(), }, - includedDisclosureIndices: [0, 1, 4, 6, 7], + presentationFrame: { + is_over_65: true, + is_over_21: true, + email: true, + address: { + country: true, + }, + given_name: true, + }, }) expect(presentation).toStrictEqual(complexSdJwtVcPresentation) @@ -423,27 +453,28 @@ describe('SdJwtVcService', () => { describe('SdJwtVcService.verify', () => { test('Verify sd-jwt-vc without disclosures', async () => { - const sdJwtVc = simpleJwtVc - - const sdJwtVcRecord = await sdJwtVcService.storeCredential(agent.context, sdJwtVc, { holderDidUrl, issuerDidUrl }) - - const presentation = await sdJwtVcService.present(agent.context, sdJwtVcRecord, { + const nonce = await agent.context.wallet.generateNonce() + const presentation = await sdJwtVcService.present(agent.context, { + compactSdJwtVc: simpleJwtVc, + // no disclosures + presentationFrame: {}, verifierMetadata: { issuedAt: new Date().getTime() / 1000, - verifierDid, - nonce: await agent.context.wallet.generateNonce(), + audience: verifierDid, + nonce, }, }) - const { validation } = await sdJwtVcService.verify(agent.context, presentation, { - challenge: { verifierDid }, - holderDidUrl, + const { verification } = await sdJwtVcService.verify(agent.context, { + compactSdJwtVc: presentation, + keyBinding: { audience: verifierDid, nonce }, requiredClaimKeys: ['claim'], }) - expect(validation).toEqual({ + expect(verification).toEqual({ isSignatureValid: true, containsRequiredVcProperties: true, + containsExpectedKeyBinding: true, areRequiredClaimsIncluded: true, isValid: true, isKeyBindingValid: true, @@ -451,53 +482,67 @@ describe('SdJwtVcService', () => { }) test('Verify sd-jwt-vc with a disclosure', async () => { - const sdJwtVc = sdJwtVcWithSingleDisclosure + const nonce = await agent.context.wallet.generateNonce() - const sdJwtVcRecord = await sdJwtVcService.storeCredential(agent.context, sdJwtVc, { holderDidUrl, issuerDidUrl }) - - const presentation = await sdJwtVcService.present(agent.context, sdJwtVcRecord, { + const presentation = await sdJwtVcService.present(agent.context, { + compactSdJwtVc: sdJwtVcWithSingleDisclosure, verifierMetadata: { issuedAt: new Date().getTime() / 1000, - verifierDid, - nonce: await agent.context.wallet.generateNonce(), + audience: verifierDid, + nonce, + }, + presentationFrame: { + claim: true, }, - includedDisclosureIndices: [0], }) - const { validation } = await sdJwtVcService.verify(agent.context, presentation, { - challenge: { verifierDid }, - holderDidUrl, - requiredClaimKeys: ['type', 'cnf', 'claim', 'iat'], + const { verification } = await sdJwtVcService.verify(agent.context, { + compactSdJwtVc: presentation, + keyBinding: { audience: verifierDid, nonce }, + requiredClaimKeys: ['vct', 'cnf', 'claim', 'iat'], }) - expect(validation).toEqual({ + expect(verification).toEqual({ isSignatureValid: true, containsRequiredVcProperties: true, areRequiredClaimsIncluded: true, isValid: true, isKeyBindingValid: true, + containsExpectedKeyBinding: true, }) }) test('Verify sd-jwt-vc with multiple (nested) disclosure', async () => { - const sdJwtVc = complexSdJwtVc + const nonce = await agent.context.wallet.generateNonce() - const sdJwtVcRecord = await sdJwtVcService.storeCredential(agent.context, sdJwtVc, { holderDidUrl, issuerDidUrl }) - - const presentation = await sdJwtVcService.present(agent.context, sdJwtVcRecord, { - verifierMetadata: { - issuedAt: new Date().getTime() / 1000, - verifierDid, - nonce: await agent.context.wallet.generateNonce(), - }, - includedDisclosureIndices: [0, 1, 4, 6, 7], - }) + const presentation = await sdJwtVcService.present( + agent.context, + { + compactSdJwtVc: complexSdJwtVc, + verifierMetadata: { + issuedAt: new Date().getTime() / 1000, + audience: verifierDid, + nonce, + }, + presentationFrame: { + is_over_65: true, + is_over_21: true, + email: true, + address: { + country: true, + }, + given_name: true, + }, + } + ) - const { validation } = await sdJwtVcService.verify(agent.context, presentation, { - challenge: { verifierDid }, - holderDidUrl, + const { verification } = await sdJwtVcService.verify(agent.context, { + compactSdJwtVc: presentation, + keyBinding: { audience: verifierDid, nonce }, + // FIXME: this should be a requiredFrame to be consistent with the other methods + // using frames requiredClaimKeys: [ - 'type', + 'vct', 'family_name', 'phone_number', 'address', @@ -514,13 +559,30 @@ describe('SdJwtVcService', () => { ], }) - expect(validation).toEqual({ + expect(verification).toEqual({ isSignatureValid: true, areRequiredClaimsIncluded: true, + containsExpectedKeyBinding: true, containsRequiredVcProperties: true, isValid: true, isKeyBindingValid: true, }) }) + + test('Verify did holder-bound sd-jwt-vc with disclosures and kb-jwt', async () => { + const verificationResult = await sdJwtVcService.verify( + agent.context, + { + compactSdJwtVc: + 'eyJhbGciOiJFZERTQSIsInR5cCI6InZjK3NkLWp3dCIsImtpZCI6IiN6Nk1rcnpRUEJyNHB5cUM3NzZLS3RyejEzU2NoTTVlUFBic3N1UHVRWmI1dDR1S1EifQ.eyJ2Y3QiOiJPcGVuQmFkZ2VDcmVkZW50aWFsIiwiZGVncmVlIjoiYmFjaGVsb3IiLCJjbmYiOnsia2lkIjoiZGlkOmtleTp6Nk1rcEdSNGdzNFJjM1pwaDR2ajh3Um5qbkF4Z0FQU3hjUjhNQVZLdXRXc3BRemMjejZNa3BHUjRnczRSYzNacGg0dmo4d1Juam5BeGdBUFN4Y1I4TUFWS3V0V3NwUXpjIn0sImlzcyI6ImRpZDprZXk6ejZNa3J6UVBCcjRweXFDNzc2S0t0cnoxM1NjaE01ZVBQYnNzdVB1UVpiNXQ0dUtRIiwiaWF0IjoxNzA2MjY0ODQwLCJfc2RfYWxnIjoic2hhLTI1NiIsIl9zZCI6WyJTSm81ME0xX3NUQWRPSjFObF82ekJzZWg3Ynd4czhhbDhleVotQl9nTXZFIiwiYTJjT2xWOXY4TUlWNTRvMVFrODdBMDRNZ0c3Q0hiaFZUN1lkb00zUnM4RSJdfQ.PrZtmLFPr8tBY0FKsv2yHJeqzds8m0Rlrof-Z36o7ksNvON3ZSrKHOD8fFDJaQ8oFJcZAnjpUS6pY9kwAgU1Ag~WyI5Mjg3NDM3NDQyMTg0ODk1NTU3OTA1NTkiLCJ1bml2ZXJzaXR5IiwiaW5uc2JydWNrIl0~eyJhbGciOiJFZERTQSIsInR5cCI6ImtiK2p3dCJ9.eyJpYXQiOjE3MDYyNjQ4NDAsIm5vbmNlIjoiODExNzMxNDIwNTMxODQ3NzAwNjM2ODUiLCJhdWQiOiJkaWQ6a2V5Ono2TWt0aVFRRXFtMnlhcFhCRHQxV0VWQjNkcWd2eXppOTZGdUZBTlltcmdUcktWOSIsIl9zZF9oYXNoIjoiSVd0cTEtOGUtLU9wWWpXa3Z1RTZrRjlaa2h5aDVfV3lOYXItaWtVT0FscyJ9.cJNnYH16lHn0PsF9tOQPofpONGoY19bQB5k6Ezux9TvQWS_Opnd-3m_fO9yKu8S0pmjyG2mu3Uzn1pUNqhL9AQ', + keyBinding: { + audience: 'did:key:z6MktiQQEqm2yapXBDt1WEVB3dqgvyzi96FuFANYmrgTrKV9', + nonce: '81173142053184770063685', + }, + } + ) + + expect(verificationResult.verification.isValid).toBe(true) + }) }) }) diff --git a/packages/core/src/modules/sd-jwt-vc/__tests__/sdJwtVc.e2e.test.ts b/packages/core/src/modules/sd-jwt-vc/__tests__/sdJwtVc.e2e.test.ts new file mode 100644 index 0000000000..aeffd08876 --- /dev/null +++ b/packages/core/src/modules/sd-jwt-vc/__tests__/sdJwtVc.e2e.test.ts @@ -0,0 +1,241 @@ +import type { Key } from '@aries-framework/core' + +import { AskarModule } from '../../../../../askar/src' +import { askarModuleConfig } from '../../../../../askar/tests/helpers' +import { agentDependencies } from '../../../../tests' + +import { + Agent, + DidKey, + DidsModule, + getJwkFromKey, + KeyDidRegistrar, + KeyDidResolver, + KeyType, + TypedArrayEncoder, + utils, +} from '@aries-framework/core' + +const getAgent = (label: string) => + new Agent({ + config: { label, walletConfig: { id: utils.uuid(), key: utils.uuid() } }, + modules: { + askar: new AskarModule(askarModuleConfig), + dids: new DidsModule({ + resolvers: [new KeyDidResolver()], + registrars: [new KeyDidRegistrar()], + }), + }, + dependencies: agentDependencies, + }) + +describe('sd-jwt-vc end to end test', () => { + const issuer = getAgent('sdjwtvcissueragent') + let issuerKey: Key + let issuerDidUrl: string + + const holder = getAgent('sdjwtvcholderagent') + let holderKey: Key + + const verifier = getAgent('sdjwtvcverifieragent') + const verifierDid = 'did:key:zUC74VEqqhEHQcgv4zagSPkqFJxuNWuoBPKjJuHETEUeHLoSqWt92viSsmaWjy82y' + + beforeAll(async () => { + await issuer.initialize() + issuerKey = await issuer.context.wallet.createKey({ + keyType: KeyType.Ed25519, + seed: TypedArrayEncoder.fromString('00000000000000000000000000000000'), + }) + + const issuerDidKey = new DidKey(issuerKey) + const issuerDidDocument = issuerDidKey.didDocument + issuerDidUrl = (issuerDidDocument.verificationMethod ?? [])[0].id + await issuer.dids.import({ didDocument: issuerDidDocument, did: issuerDidDocument.id }) + + await holder.initialize() + holderKey = await holder.context.wallet.createKey({ + keyType: KeyType.Ed25519, + seed: TypedArrayEncoder.fromString('00000000000000000000000000000001'), + }) + + await verifier.initialize() + }) + + test('end to end flow', async () => { + const credential = { + vct: 'IdentityCredential', + given_name: 'John', + family_name: 'Doe', + email: 'johndoe@example.com', + phone_number: '+1-202-555-0101', + address: { + street_address: '123 Main St', + locality: 'Anytown', + region: 'Anystate', + country: 'US', + }, + birthdate: '1940-01-01', + is_over_18: true, + is_over_21: true, + is_over_65: true, + } as const + + const { compact, header, payload } = await issuer.sdJwtVc.sign({ + payload: credential, + holder: { + method: 'jwk', + jwk: getJwkFromKey(holderKey), + }, + issuer: { + didUrl: issuerDidUrl, + method: 'did', + }, + disclosureFrame: { + is_over_65: true, + is_over_21: true, + is_over_18: true, + birthdate: true, + email: true, + address: { country: true, region: true, locality: true, __decoyCount: 2, street_address: true }, + __decoyCount: 2, + given_name: true, + family_name: true, + phone_number: true, + }, + }) + + type Payload = typeof payload + type Header = typeof header + + // parse SD-JWT + const sdJwtVc = holder.sdJwtVc.fromCompact(compact) + expect(sdJwtVc).toEqual({ + compact: expect.any(String), + header: { + alg: 'EdDSA', + kid: '#z6MktqtXNG8CDUY9PrrtoStFzeCnhpMmgxYL1gikcW3BzvNW', + typ: 'vc+sd-jwt', + }, + payload: { + _sd: [ + expect.any(String), + expect.any(String), + expect.any(String), + expect.any(String), + expect.any(String), + expect.any(String), + expect.any(String), + expect.any(String), + expect.any(String), + expect.any(String), + ], + _sd_alg: 'sha-256', + address: { + _sd: [ + expect.any(String), + expect.any(String), + expect.any(String), + expect.any(String), + expect.any(String), + expect.any(String), + ], + }, + cnf: { + jwk: { + crv: 'Ed25519', + kty: 'OKP', + x: 'oENVsxOUiH54X8wJLaVkicCRk00wBIQ4sRgbk54N8Mo', + }, + }, + iat: expect.any(Number), + iss: 'did:key:z6MktqtXNG8CDUY9PrrtoStFzeCnhpMmgxYL1gikcW3BzvNW', + vct: 'IdentityCredential', + }, + prettyClaims: { + address: { + country: 'US', + locality: 'Anytown', + region: 'Anystate', + street_address: '123 Main St', + }, + birthdate: '1940-01-01', + cnf: { + jwk: { + crv: 'Ed25519', + kty: 'OKP', + x: 'oENVsxOUiH54X8wJLaVkicCRk00wBIQ4sRgbk54N8Mo', + }, + }, + email: 'johndoe@example.com', + family_name: 'Doe', + given_name: 'John', + iat: expect.any(Number), + is_over_18: true, + is_over_21: true, + is_over_65: true, + iss: 'did:key:z6MktqtXNG8CDUY9PrrtoStFzeCnhpMmgxYL1gikcW3BzvNW', + phone_number: '+1-202-555-0101', + vct: 'IdentityCredential', + }, + }) + + // Verify SD-JWT (does not require key binding) + const { verification } = await holder.sdJwtVc.verify({ + compactSdJwtVc: compact, + }) + expect(verification.isValid).toBe(true) + + // Store credential + await holder.sdJwtVc.store(compact) + + // Metadata created by the verifier and send out of band by the verifier to the holder + const verifierMetadata = { + audience: verifierDid, + issuedAt: new Date().getTime() / 1000, + nonce: await verifier.wallet.generateNonce(), + } + + const presentation = await holder.sdJwtVc.present({ + compactSdJwtVc: compact, + verifierMetadata, + presentationFrame: { + vct: true, + given_name: true, + family_name: true, + email: true, + phone_number: true, + address: { + street_address: true, + locality: true, + region: true, + country: true, + }, + birthdate: true, + is_over_18: true, + is_over_21: true, + is_over_65: true, + }, + }) + + const { verification: presentationVerification } = await verifier.sdJwtVc.verify({ + compactSdJwtVc: presentation, + keyBinding: { audience: verifierDid, nonce: verifierMetadata.nonce }, + requiredClaimKeys: [ + 'is_over_65', + 'is_over_21', + 'is_over_18', + 'birthdate', + 'email', + 'country', + 'region', + 'locality', + 'street_address', + 'given_name', + 'family_name', + 'phone_number', + ], + }) + + expect(presentationVerification.isValid).toBeTruthy() + }) +}) diff --git a/packages/core/src/modules/sd-jwt-vc/__tests__/sdjwtvc.fixtures.ts b/packages/core/src/modules/sd-jwt-vc/__tests__/sdjwtvc.fixtures.ts new file mode 100644 index 0000000000..1cbb1b112c --- /dev/null +++ b/packages/core/src/modules/sd-jwt-vc/__tests__/sdjwtvc.fixtures.ts @@ -0,0 +1,17 @@ +export const simpleJwtVc = + 'eyJhbGciOiJFZERTQSIsInR5cCI6InZjK3NkLWp3dCIsImtpZCI6IiN6Nk1rdHF0WE5HOENEVVk5UHJydG9TdEZ6ZUNuaHBNbWd4WUwxZ2lrY1czQnp2TlcifQ.eyJjbGFpbSI6InNvbWUtY2xhaW0iLCJ2Y3QiOiJJZGVudGl0eUNyZWRlbnRpYWwiLCJjbmYiOnsiandrIjp7Imt0eSI6Ik9LUCIsImNydiI6IkVkMjU1MTkiLCJ4Ijoib0VOVnN4T1VpSDU0WDh3SkxhVmtpY0NSazAwd0JJUTRzUmdiazU0TjhNbyJ9fSwiaXNzIjoiZGlkOmtleTp6Nk1rdHF0WE5HOENEVVk5UHJydG9TdEZ6ZUNuaHBNbWd4WUwxZ2lrY1czQnp2TlciLCJpYXQiOjE2OTgxNTE1MzJ9.hcNF6_PnQO4Gm0vqD_iblyBknUG0PeQLbIpPJ5s0P4UCQ7YdSSNCNL7VNOfzzAxZRWbH5knhje0_xYl6OXQ-CA~' + +export const simpleJwtVcPresentation = + 'eyJhbGciOiJFZERTQSIsInR5cCI6InZjK3NkLWp3dCIsImtpZCI6IiN6Nk1rdHF0WE5HOENEVVk5UHJydG9TdEZ6ZUNuaHBNbWd4WUwxZ2lrY1czQnp2TlcifQ.eyJjbGFpbSI6InNvbWUtY2xhaW0iLCJ2Y3QiOiJJZGVudGl0eUNyZWRlbnRpYWwiLCJjbmYiOnsiandrIjp7Imt0eSI6Ik9LUCIsImNydiI6IkVkMjU1MTkiLCJ4Ijoib0VOVnN4T1VpSDU0WDh3SkxhVmtpY0NSazAwd0JJUTRzUmdiazU0TjhNbyJ9fSwiaXNzIjoiZGlkOmtleTp6Nk1rdHF0WE5HOENEVVk5UHJydG9TdEZ6ZUNuaHBNbWd4WUwxZ2lrY1czQnp2TlciLCJpYXQiOjE2OTgxNTE1MzJ9.hcNF6_PnQO4Gm0vqD_iblyBknUG0PeQLbIpPJ5s0P4UCQ7YdSSNCNL7VNOfzzAxZRWbH5knhje0_xYl6OXQ-CA~eyJhbGciOiJFZERTQSIsInR5cCI6ImtiK2p3dCJ9.eyJpYXQiOjE2OTgxNTE1MzIsIm5vbmNlIjoic2FsdCIsImF1ZCI6ImRpZDprZXk6elVDNzRWRXFxaEVIUWNndjR6YWdTUGtxRkp4dU5XdW9CUEtqSnVIRVRFVWVITG9TcVd0OTJ2aVNzbWFXank4MnkiLCJfc2RfaGFzaCI6IkN4SnFuQ1Btd0d6bjg4YTlDdGhta2pHZXFXbnlKVTVKc2NLMXJ1VThOS28ifQ.0QaDyJrvZO91o7gdKPduKQIj5Z1gBAdWPNE8-PFqhj_rC56_I5aL8QtlwL8Mdl6iSjpUPDQ4LAN2JgB2nNOFBw' + +export const sdJwtVcWithSingleDisclosure = + 'eyJhbGciOiJFZERTQSIsInR5cCI6InZjK3NkLWp3dCIsImtpZCI6IiN6Nk1rdHF0WE5HOENEVVk5UHJydG9TdEZ6ZUNuaHBNbWd4WUwxZ2lrY1czQnp2TlcifQ.eyJ2Y3QiOiJJZGVudGl0eUNyZWRlbnRpYWwiLCJjbmYiOnsiandrIjp7Imt0eSI6Ik9LUCIsImNydiI6IkVkMjU1MTkiLCJ4Ijoib0VOVnN4T1VpSDU0WDh3SkxhVmtpY0NSazAwd0JJUTRzUmdiazU0TjhNbyJ9fSwiaXNzIjoiZGlkOmtleTp6Nk1rdHF0WE5HOENEVVk5UHJydG9TdEZ6ZUNuaHBNbWd4WUwxZ2lrY1czQnp2TlciLCJpYXQiOjE2OTgxNTE1MzIsIl9zZF9hbGciOiJzaGEtMjU2IiwiX3NkIjpbInZjdkZVNERzRktUcVExdmw0bmVsSldYVGJfLTBkTm9Ca3M2aXFORnB0eWciXX0.Op3rwd7t6ZsdMSMa1EchAm31bP5aqLF6pB-Z1y-h3CFJYGmhNTkMpTeft1I3hSWq7QmbqBo1GKBEiZc7D9B9DA~WyJzYWx0IiwiY2xhaW0iLCJzb21lLWNsYWltIl0~' + +export const sdJwtVcWithSingleDisclosurePresentation = + 'eyJhbGciOiJFZERTQSIsInR5cCI6InZjK3NkLWp3dCIsImtpZCI6IiN6Nk1rdHF0WE5HOENEVVk5UHJydG9TdEZ6ZUNuaHBNbWd4WUwxZ2lrY1czQnp2TlcifQ.eyJ2Y3QiOiJJZGVudGl0eUNyZWRlbnRpYWwiLCJjbmYiOnsiandrIjp7Imt0eSI6Ik9LUCIsImNydiI6IkVkMjU1MTkiLCJ4Ijoib0VOVnN4T1VpSDU0WDh3SkxhVmtpY0NSazAwd0JJUTRzUmdiazU0TjhNbyJ9fSwiaXNzIjoiZGlkOmtleTp6Nk1rdHF0WE5HOENEVVk5UHJydG9TdEZ6ZUNuaHBNbWd4WUwxZ2lrY1czQnp2TlciLCJpYXQiOjE2OTgxNTE1MzIsIl9zZF9hbGciOiJzaGEtMjU2IiwiX3NkIjpbInZjdkZVNERzRktUcVExdmw0bmVsSldYVGJfLTBkTm9Ca3M2aXFORnB0eWciXX0.Op3rwd7t6ZsdMSMa1EchAm31bP5aqLF6pB-Z1y-h3CFJYGmhNTkMpTeft1I3hSWq7QmbqBo1GKBEiZc7D9B9DA~WyJzYWx0IiwiY2xhaW0iLCJzb21lLWNsYWltIl0~eyJhbGciOiJFZERTQSIsInR5cCI6ImtiK2p3dCJ9.eyJpYXQiOjE2OTgxNTE1MzIsIm5vbmNlIjoic2FsdCIsImF1ZCI6ImRpZDprZXk6elVDNzRWRXFxaEVIUWNndjR6YWdTUGtxRkp4dU5XdW9CUEtqSnVIRVRFVWVITG9TcVd0OTJ2aVNzbWFXank4MnkiLCJfc2RfaGFzaCI6IlBNbEo3bjhjdVdvUU9YTFZ4cTRhaWRaNHJTY2FrVUtMT1hUaUtWYjYtYTQifQ.5iYVLw6U7NIdW7Eoo2jYYBsR3fSJZ-ocOtI6rxl-GYUj8ZeCx_-IZ2rbwCMf71tq6M16x4ROooKGAdfWUSWQAg' + +export const complexSdJwtVc = + 'eyJhbGciOiJFZERTQSIsInR5cCI6InZjK3NkLWp3dCIsImtpZCI6IiN6Nk1rdHF0WE5HOENEVVk5UHJydG9TdEZ6ZUNuaHBNbWd4WUwxZ2lrY1czQnp2TlcifQ.eyJ2Y3QiOiJJZGVudGl0eUNyZWRlbnRpYWwiLCJmYW1pbHlfbmFtZSI6IkRvZSIsInBob25lX251bWJlciI6IisxLTIwMi01NTUtMDEwMSIsImFkZHJlc3MiOnsic3RyZWV0X2FkZHJlc3MiOiIxMjMgTWFpbiBTdCIsImxvY2FsaXR5IjoiQW55dG93biIsIl9zZCI6WyJOSm5tY3QwQnFCTUUxSmZCbEM2alJRVlJ1ZXZwRU9OaVl3N0E3TUh1SnlRIiwib201Wnp0WkhCLUdkMDBMRzIxQ1ZfeE00RmFFTlNvaWFPWG5UQUpOY3pCNCJdfSwiY25mIjp7Imp3ayI6eyJrdHkiOiJPS1AiLCJjcnYiOiJFZDI1NTE5IiwieCI6Im9FTlZzeE9VaUg1NFg4d0pMYVZraWNDUmswMHdCSVE0c1JnYms1NE44TW8ifX0sImlzcyI6ImRpZDprZXk6ejZNa3RxdFhORzhDRFVZOVBycnRvU3RGemVDbmhwTW1neFlMMWdpa2NXM0J6dk5XIiwiaWF0IjoxNjk4MTUxNTMyLCJfc2RfYWxnIjoic2hhLTI1NiIsIl9zZCI6WyIxQ3VyMmsyQTJvSUI1Q3NoU0lmX0FfS2ctbDI2dV9xS3VXUTc5UDBWZGFzIiwiUjF6VFV2T1lIZ2NlcGowakh5cEdIejlFSHR0VktmdDB5c3diYzlFVFBiVSIsImVEcVFwZFRYSlhiV2hmLUVzSTd6dzVYNk92WW1GTi1VWlFRTWVzWHdLUHciLCJwZERrMl9YQUtIbzdnT0Fmd0YxYjdPZENVVlRpdDJrSkhheFNFQ1E5eGZjIiwicHNhdUtVTldFaTA5bnUzQ2w4OXhLWGdtcFdFTlpsNXV5MU4xbnluX2pNayIsInNOX2dlMHBIWEY2cW1zWW5YMUE5U2R3SjhjaDhhRU5reGJPRHNUNzRZd0kiXX0.coOK8NzJmEWz4qx-qRhjo-RK7aejrSkQM9La9Cw3eWmzcja9DXrkBoQZKbIJtNoSzSPLjwK2V71W78z0miZsDQ~WyJzYWx0IiwiaXNfb3Zlcl82NSIsdHJ1ZV0~WyJzYWx0IiwiaXNfb3Zlcl8yMSIsdHJ1ZV0~WyJzYWx0IiwiaXNfb3Zlcl8xOCIsdHJ1ZV0~WyJzYWx0IiwiYmlydGhkYXRlIiwiMTk0MC0wMS0wMSJd~WyJzYWx0IiwiZW1haWwiLCJqb2huZG9lQGV4YW1wbGUuY29tIl0~WyJzYWx0IiwicmVnaW9uIiwiQW55c3RhdGUiXQ~WyJzYWx0IiwiY291bnRyeSIsIlVTIl0~WyJzYWx0IiwiZ2l2ZW5fbmFtZSIsIkpvaG4iXQ~' + +export const complexSdJwtVcPresentation = + 'eyJhbGciOiJFZERTQSIsInR5cCI6InZjK3NkLWp3dCIsImtpZCI6IiN6Nk1rdHF0WE5HOENEVVk5UHJydG9TdEZ6ZUNuaHBNbWd4WUwxZ2lrY1czQnp2TlcifQ.eyJ2Y3QiOiJJZGVudGl0eUNyZWRlbnRpYWwiLCJmYW1pbHlfbmFtZSI6IkRvZSIsInBob25lX251bWJlciI6IisxLTIwMi01NTUtMDEwMSIsImFkZHJlc3MiOnsic3RyZWV0X2FkZHJlc3MiOiIxMjMgTWFpbiBTdCIsImxvY2FsaXR5IjoiQW55dG93biIsIl9zZCI6WyJOSm5tY3QwQnFCTUUxSmZCbEM2alJRVlJ1ZXZwRU9OaVl3N0E3TUh1SnlRIiwib201Wnp0WkhCLUdkMDBMRzIxQ1ZfeE00RmFFTlNvaWFPWG5UQUpOY3pCNCJdfSwiY25mIjp7Imp3ayI6eyJrdHkiOiJPS1AiLCJjcnYiOiJFZDI1NTE5IiwieCI6Im9FTlZzeE9VaUg1NFg4d0pMYVZraWNDUmswMHdCSVE0c1JnYms1NE44TW8ifX0sImlzcyI6ImRpZDprZXk6ejZNa3RxdFhORzhDRFVZOVBycnRvU3RGemVDbmhwTW1neFlMMWdpa2NXM0J6dk5XIiwiaWF0IjoxNjk4MTUxNTMyLCJfc2RfYWxnIjoic2hhLTI1NiIsIl9zZCI6WyIxQ3VyMmsyQTJvSUI1Q3NoU0lmX0FfS2ctbDI2dV9xS3VXUTc5UDBWZGFzIiwiUjF6VFV2T1lIZ2NlcGowakh5cEdIejlFSHR0VktmdDB5c3diYzlFVFBiVSIsImVEcVFwZFRYSlhiV2hmLUVzSTd6dzVYNk92WW1GTi1VWlFRTWVzWHdLUHciLCJwZERrMl9YQUtIbzdnT0Fmd0YxYjdPZENVVlRpdDJrSkhheFNFQ1E5eGZjIiwicHNhdUtVTldFaTA5bnUzQ2w4OXhLWGdtcFdFTlpsNXV5MU4xbnluX2pNayIsInNOX2dlMHBIWEY2cW1zWW5YMUE5U2R3SjhjaDhhRU5reGJPRHNUNzRZd0kiXX0.coOK8NzJmEWz4qx-qRhjo-RK7aejrSkQM9La9Cw3eWmzcja9DXrkBoQZKbIJtNoSzSPLjwK2V71W78z0miZsDQ~WyJzYWx0IiwiaXNfb3Zlcl82NSIsdHJ1ZV0~WyJzYWx0IiwiaXNfb3Zlcl8yMSIsdHJ1ZV0~WyJzYWx0IiwiZW1haWwiLCJqb2huZG9lQGV4YW1wbGUuY29tIl0~WyJzYWx0IiwiY291bnRyeSIsIlVTIl0~WyJzYWx0IiwiZ2l2ZW5fbmFtZSIsIkpvaG4iXQ~eyJhbGciOiJFZERTQSIsInR5cCI6ImtiK2p3dCJ9.eyJpYXQiOjE2OTgxNTE1MzIsIm5vbmNlIjoic2FsdCIsImF1ZCI6ImRpZDprZXk6elVDNzRWRXFxaEVIUWNndjR6YWdTUGtxRkp4dU5XdW9CUEtqSnVIRVRFVWVITG9TcVd0OTJ2aVNzbWFXank4MnkiLCJfc2RfaGFzaCI6Ii1kTUd4OGZhUnpOQm91a2EwU0R6V2JkS3JYckw1TFVmUlNQTHN2Q2xPMFkifQ.TQQLqc4ZzoKjQfAghAzC_4aaU3KCS8YqzxAJtzT124guzkv9XSHtPN8d3z181_v-ca2ATXjTRoRciozitE6wBA' diff --git a/packages/sd-jwt-vc/src/index.ts b/packages/core/src/modules/sd-jwt-vc/index.ts similarity index 82% rename from packages/sd-jwt-vc/src/index.ts rename to packages/core/src/modules/sd-jwt-vc/index.ts index 18d611ca76..0d1891ea62 100644 --- a/packages/sd-jwt-vc/src/index.ts +++ b/packages/core/src/modules/sd-jwt-vc/index.ts @@ -2,4 +2,5 @@ export * from './SdJwtVcApi' export * from './SdJwtVcModule' export * from './SdJwtVcService' export * from './SdJwtVcError' +export * from './SdJwtVcOptions' export * from './repository' diff --git a/packages/core/src/modules/sd-jwt-vc/repository/SdJwtVcRecord.ts b/packages/core/src/modules/sd-jwt-vc/repository/SdJwtVcRecord.ts new file mode 100644 index 0000000000..e2a77a73bb --- /dev/null +++ b/packages/core/src/modules/sd-jwt-vc/repository/SdJwtVcRecord.ts @@ -0,0 +1,66 @@ +import type { JwaSignatureAlgorithm } from '../../../crypto' +import type { TagsBase } from '../../../storage/BaseRecord' +import type { Constructable } from '../../../utils/mixins' + +import { SdJwtVc } from '@sd-jwt/core' + +import { BaseRecord } from '../../../storage/BaseRecord' +import { JsonTransformer } from '../../../utils' +import { uuid } from '../../../utils/uuid' + +export type DefaultSdJwtVcRecordTags = { + vct: string + + /** + * The sdAlg is the alg used for creating digests for selective disclosures + */ + sdAlg: string + + /** + * The alg is the alg used to sign the SD-JWT + */ + alg: JwaSignatureAlgorithm +} + +export type SdJwtVcRecordStorageProps = { + id?: string + createdAt?: Date + tags?: TagsBase + compactSdJwtVc: string +} + +export class SdJwtVcRecord extends BaseRecord { + public static readonly type = 'SdJwtVcRecord' + public readonly type = SdJwtVcRecord.type + + // We store the sdJwtVc in compact format. + public compactSdJwtVc!: string + + // TODO: should we also store the pretty claims so it's not needed to + // re-calculate the hashes each time? I think for now it's fine to re-calculate + public constructor(props: SdJwtVcRecordStorageProps) { + super() + + if (props) { + this.id = props.id ?? uuid() + this.createdAt = props.createdAt ?? new Date() + this.compactSdJwtVc = props.compactSdJwtVc + this._tags = props.tags ?? {} + } + } + + public getTags() { + const sdJwtVc = SdJwtVc.fromCompact(this.compactSdJwtVc) + + return { + ...this._tags, + vct: sdJwtVc.getClaimInPayload('vct'), + sdAlg: (sdJwtVc.payload._sd_alg as string | undefined) ?? 'sha-256', + alg: sdJwtVc.getClaimInHeader('alg'), + } + } + + public clone(): this { + return JsonTransformer.fromJSON(JsonTransformer.toJSON(this), this.constructor as Constructable) + } +} diff --git a/packages/sd-jwt-vc/src/repository/SdJwtVcRepository.ts b/packages/core/src/modules/sd-jwt-vc/repository/SdJwtVcRepository.ts similarity index 54% rename from packages/sd-jwt-vc/src/repository/SdJwtVcRepository.ts rename to packages/core/src/modules/sd-jwt-vc/repository/SdJwtVcRepository.ts index 7ad7c2ecb8..0aa8bbce3d 100644 --- a/packages/sd-jwt-vc/src/repository/SdJwtVcRepository.ts +++ b/packages/core/src/modules/sd-jwt-vc/repository/SdJwtVcRepository.ts @@ -1,4 +1,8 @@ -import { EventEmitter, InjectionSymbols, inject, injectable, Repository, StorageService } from '@aries-framework/core' +import { EventEmitter } from '../../../agent/EventEmitter' +import { InjectionSymbols } from '../../../constants' +import { inject, injectable } from '../../../plugins' +import { Repository } from '../../../storage/Repository' +import { StorageService } from '../../../storage/StorageService' import { SdJwtVcRecord } from './SdJwtVcRecord' diff --git a/packages/core/src/modules/sd-jwt-vc/repository/__tests__/SdJwtVcRecord.test.ts b/packages/core/src/modules/sd-jwt-vc/repository/__tests__/SdJwtVcRecord.test.ts new file mode 100644 index 0000000000..e08cf28d34 --- /dev/null +++ b/packages/core/src/modules/sd-jwt-vc/repository/__tests__/SdJwtVcRecord.test.ts @@ -0,0 +1,68 @@ +import { SdJwtVcRecord } from '../SdJwtVcRecord' + +import { JsonTransformer } from '@aries-framework/core' + +describe('SdJwtVcRecord', () => { + test('sets the values passed in the constructor on the record', () => { + const compactSdJwtVc = + 'eyJhbGciOiJFZERTQSIsInR5cCI6InZjK3NkLWp3dCIsImtpZCI6Ino2TWt0cXRYTkc4Q0RVWTlQcnJ0b1N0RnplQ25ocE1tZ3hZTDFnaWtjVzNCenZOVyJ9.eyJ2Y3QiOiJJZGVudGl0eUNyZWRlbnRpYWwiLCJmYW1pbHlfbmFtZSI6IkRvZSIsInBob25lX251bWJlciI6IisxLTIwMi01NTUtMDEwMSIsImFkZHJlc3MiOnsic3RyZWV0X2FkZHJlc3MiOiIxMjMgTWFpbiBTdCIsImxvY2FsaXR5IjoiQW55dG93biIsIl9zZCI6WyJOSm5tY3QwQnFCTUUxSmZCbEM2alJRVlJ1ZXZwRU9OaVl3N0E3TUh1SnlRIiwib201Wnp0WkhCLUdkMDBMRzIxQ1ZfeE00RmFFTlNvaWFPWG5UQUpOY3pCNCJdfSwiY25mIjp7Imp3ayI6eyJrdHkiOiJPS1AiLCJjcnYiOiJFZDI1NTE5IiwieCI6Im9FTlZzeE9VaUg1NFg4d0pMYVZraWNDUmswMHdCSVE0c1JnYms1NE44TW8ifX0sImlzcyI6ImRpZDprZXk6ejZNa3RxdFhORzhDRFVZOVBycnRvU3RGemVDbmhwTW1neFlMMWdpa2NXM0J6dk5XIiwiaWF0IjoxNjk4MTUxNTMyLCJfc2RfYWxnIjoic2hhLTI1NiIsIl9zZCI6WyIxQ3VyMmsyQTJvSUI1Q3NoU0lmX0FfS2ctbDI2dV9xS3VXUTc5UDBWZGFzIiwiUjF6VFV2T1lIZ2NlcGowakh5cEdIejlFSHR0VktmdDB5c3diYzlFVFBiVSIsImVEcVFwZFRYSlhiV2hmLUVzSTd6dzVYNk92WW1GTi1VWlFRTWVzWHdLUHciLCJwZERrMl9YQUtIbzdnT0Fmd0YxYjdPZENVVlRpdDJrSkhheFNFQ1E5eGZjIiwicHNhdUtVTldFaTA5bnUzQ2w4OXhLWGdtcFdFTlpsNXV5MU4xbnluX2pNayIsInNOX2dlMHBIWEY2cW1zWW5YMUE5U2R3SjhjaDhhRU5reGJPRHNUNzRZd0kiXX0.Yz5U__nC0Nccza-NNfqhp-GueKXqeFNjm_NNtC1AJ2KdmERhCHdO6KNjM7bOiruHlo4oAlj-xObuB9LRiKXeCw~WyJzYWx0IiwiaXNfb3Zlcl82NSIsdHJ1ZV0~WyJzYWx0IiwiaXNfb3Zlcl8yMSIsdHJ1ZV0~WyJzYWx0IiwiaXNfb3Zlcl8xOCIsdHJ1ZV0~WyJzYWx0IiwiYmlydGhkYXRlIiwiMTk0MC0wMS0wMSJd~WyJzYWx0IiwiZW1haWwiLCJqb2huZG9lQGV4YW1wbGUuY29tIl0~WyJzYWx0IiwicmVnaW9uIiwiQW55c3RhdGUiXQ~WyJzYWx0IiwiY291bnRyeSIsIlVTIl0~WyJzYWx0IiwiZ2l2ZW5fbmFtZSIsIkpvaG4iXQ~' + const createdAt = new Date() + const sdJwtVcRecord = new SdJwtVcRecord({ + id: 'sdjwt-id', + createdAt, + tags: { + some: 'tag', + }, + compactSdJwtVc, + }) + + expect(sdJwtVcRecord.type).toBe('SdJwtVcRecord') + expect(sdJwtVcRecord.id).toBe('sdjwt-id') + expect(sdJwtVcRecord.createdAt).toBe(createdAt) + expect(sdJwtVcRecord.getTags()).toEqual({ + some: 'tag', + alg: 'EdDSA', + sdAlg: 'sha-256', + vct: 'IdentityCredential', + }) + expect(sdJwtVcRecord.compactSdJwtVc).toEqual(compactSdJwtVc) + }) + + test('serializes and deserializes', () => { + const compactSdJwtVc = + 'eyJhbGciOiJFZERTQSIsInR5cCI6InZjK3NkLWp3dCIsImtpZCI6Ino2TWt0cXRYTkc4Q0RVWTlQcnJ0b1N0RnplQ25ocE1tZ3hZTDFnaWtjVzNCenZOVyJ9.eyJ2Y3QiOiJJZGVudGl0eUNyZWRlbnRpYWwiLCJmYW1pbHlfbmFtZSI6IkRvZSIsInBob25lX251bWJlciI6IisxLTIwMi01NTUtMDEwMSIsImFkZHJlc3MiOnsic3RyZWV0X2FkZHJlc3MiOiIxMjMgTWFpbiBTdCIsImxvY2FsaXR5IjoiQW55dG93biIsIl9zZCI6WyJOSm5tY3QwQnFCTUUxSmZCbEM2alJRVlJ1ZXZwRU9OaVl3N0E3TUh1SnlRIiwib201Wnp0WkhCLUdkMDBMRzIxQ1ZfeE00RmFFTlNvaWFPWG5UQUpOY3pCNCJdfSwiY25mIjp7Imp3ayI6eyJrdHkiOiJPS1AiLCJjcnYiOiJFZDI1NTE5IiwieCI6Im9FTlZzeE9VaUg1NFg4d0pMYVZraWNDUmswMHdCSVE0c1JnYms1NE44TW8ifX0sImlzcyI6ImRpZDprZXk6ejZNa3RxdFhORzhDRFVZOVBycnRvU3RGemVDbmhwTW1neFlMMWdpa2NXM0J6dk5XIiwiaWF0IjoxNjk4MTUxNTMyLCJfc2RfYWxnIjoic2hhLTI1NiIsIl9zZCI6WyIxQ3VyMmsyQTJvSUI1Q3NoU0lmX0FfS2ctbDI2dV9xS3VXUTc5UDBWZGFzIiwiUjF6VFV2T1lIZ2NlcGowakh5cEdIejlFSHR0VktmdDB5c3diYzlFVFBiVSIsImVEcVFwZFRYSlhiV2hmLUVzSTd6dzVYNk92WW1GTi1VWlFRTWVzWHdLUHciLCJwZERrMl9YQUtIbzdnT0Fmd0YxYjdPZENVVlRpdDJrSkhheFNFQ1E5eGZjIiwicHNhdUtVTldFaTA5bnUzQ2w4OXhLWGdtcFdFTlpsNXV5MU4xbnluX2pNayIsInNOX2dlMHBIWEY2cW1zWW5YMUE5U2R3SjhjaDhhRU5reGJPRHNUNzRZd0kiXX0.Yz5U__nC0Nccza-NNfqhp-GueKXqeFNjm_NNtC1AJ2KdmERhCHdO6KNjM7bOiruHlo4oAlj-xObuB9LRiKXeCw~WyJzYWx0IiwiaXNfb3Zlcl82NSIsdHJ1ZV0~WyJzYWx0IiwiaXNfb3Zlcl8yMSIsdHJ1ZV0~WyJzYWx0IiwiaXNfb3Zlcl8xOCIsdHJ1ZV0~WyJzYWx0IiwiYmlydGhkYXRlIiwiMTk0MC0wMS0wMSJd~WyJzYWx0IiwiZW1haWwiLCJqb2huZG9lQGV4YW1wbGUuY29tIl0~WyJzYWx0IiwicmVnaW9uIiwiQW55c3RhdGUiXQ~WyJzYWx0IiwiY291bnRyeSIsIlVTIl0~WyJzYWx0IiwiZ2l2ZW5fbmFtZSIsIkpvaG4iXQ~' + const createdAt = new Date('2022-02-02') + const sdJwtVcRecord = new SdJwtVcRecord({ + id: 'sdjwt-id', + createdAt, + tags: { + some: 'tag', + }, + compactSdJwtVc, + }) + + const json = sdJwtVcRecord.toJSON() + expect(json).toMatchObject({ + id: 'sdjwt-id', + createdAt: '2022-02-02T00:00:00.000Z', + metadata: {}, + _tags: { + some: 'tag', + }, + compactSdJwtVc, + }) + + const instance = JsonTransformer.deserialize(JSON.stringify(json), SdJwtVcRecord) + + expect(instance.type).toBe('SdJwtVcRecord') + expect(instance.id).toBe('sdjwt-id') + expect(instance.createdAt.getTime()).toBe(createdAt.getTime()) + expect(instance.getTags()).toEqual({ + some: 'tag', + alg: 'EdDSA', + sdAlg: 'sha-256', + vct: 'IdentityCredential', + }) + expect(instance.compactSdJwtVc).toBe(compactSdJwtVc) + }) +}) diff --git a/packages/sd-jwt-vc/src/repository/index.ts b/packages/core/src/modules/sd-jwt-vc/repository/index.ts similarity index 100% rename from packages/sd-jwt-vc/src/repository/index.ts rename to packages/core/src/modules/sd-jwt-vc/repository/index.ts diff --git a/packages/core/src/modules/vc/W3cCredentialService.ts b/packages/core/src/modules/vc/W3cCredentialService.ts index 1cca4272de..035a997f50 100644 --- a/packages/core/src/modules/vc/W3cCredentialService.ts +++ b/packages/core/src/modules/vc/W3cCredentialService.ts @@ -54,14 +54,16 @@ export class W3cCredentialService { * @param credential the credential to be signed * @returns the signed credential */ - public async signCredential( + public async signCredential( agentContext: AgentContext, - options: W3cSignCredentialOptions - ): Promise> { + options: W3cSignCredentialOptions + ): Promise> { if (options.format === ClaimFormat.JwtVc) { - return this.w3cJwtCredentialService.signCredential(agentContext, options) + const signed = await this.w3cJwtCredentialService.signCredential(agentContext, options) + return signed as W3cVerifiableCredential } else if (options.format === ClaimFormat.LdpVc) { - return this.w3cJsonLdCredentialService.signCredential(agentContext, options) + const signed = await this.w3cJsonLdCredentialService.signCredential(agentContext, options) + return signed as W3cVerifiableCredential } else { throw new AriesFrameworkError(`Unsupported format in options. Format must be either 'jwt_vc' or 'ldp_vc'`) } @@ -110,14 +112,16 @@ export class W3cCredentialService { * @param presentation the presentation to be signed * @returns the signed presentation */ - public async signPresentation( + public async signPresentation( agentContext: AgentContext, - options: W3cSignPresentationOptions - ): Promise> { + options: W3cSignPresentationOptions + ): Promise> { if (options.format === ClaimFormat.JwtVp) { - return this.w3cJwtCredentialService.signPresentation(agentContext, options) + const signed = await this.w3cJwtCredentialService.signPresentation(agentContext, options) + return signed as W3cVerifiablePresentation } else if (options.format === ClaimFormat.LdpVp) { - return this.w3cJsonLdCredentialService.signPresentation(agentContext, options) + const signed = await this.w3cJsonLdCredentialService.signPresentation(agentContext, options) + return signed as W3cVerifiablePresentation } else { throw new AriesFrameworkError(`Unsupported format in options. Format must be either 'jwt_vp' or 'ldp_vp'`) } diff --git a/packages/core/src/modules/vc/W3cCredentialServiceOptions.ts b/packages/core/src/modules/vc/W3cCredentialServiceOptions.ts index 6f15025e1c..3a9b892e89 100644 --- a/packages/core/src/modules/vc/W3cCredentialServiceOptions.ts +++ b/packages/core/src/modules/vc/W3cCredentialServiceOptions.ts @@ -8,9 +8,24 @@ import type { W3cPresentation } from './models/presentation/W3cPresentation' import type { JwaSignatureAlgorithm } from '../../crypto/jose/jwa' import type { SingleOrArray } from '../../utils/type' -export type W3cSignCredentialOptions = W3cJwtSignCredentialOptions | W3cJsonLdSignCredentialOptions -export type W3cVerifyCredentialOptions = W3cJwtVerifyCredentialOptions | W3cJsonLdVerifyCredentialOptions -export type W3cSignPresentationOptions = W3cJwtSignPresentationOptions | W3cJsonLdSignPresentationOptions +export type W3cSignCredentialOptions = + Format extends ClaimFormat.JwtVc + ? W3cJwtSignCredentialOptions + : Format extends ClaimFormat.LdpVc + ? W3cJsonLdSignCredentialOptions + : W3cJwtSignCredentialOptions | W3cJsonLdSignCredentialOptions +export type W3cVerifyCredentialOptions = + Format extends ClaimFormat.JwtVc + ? W3cJwtVerifyCredentialOptions + : Format extends ClaimFormat.LdpVc + ? W3cJsonLdVerifyCredentialOptions + : W3cJwtVerifyCredentialOptions | W3cJsonLdVerifyCredentialOptions +export type W3cSignPresentationOptions = + Format extends ClaimFormat.JwtVp + ? W3cJwtSignPresentationOptions + : Format extends ClaimFormat.LdpVp + ? W3cJsonLdSignPresentationOptions + : W3cJwtSignPresentationOptions | W3cJsonLdSignPresentationOptions export type W3cVerifyPresentationOptions = W3cJwtVerifyPresentationOptions | W3cJsonLdVerifyPresentationOptions interface W3cSignCredentialOptionsBase { diff --git a/packages/core/src/modules/vc/W3cCredentialsApi.ts b/packages/core/src/modules/vc/W3cCredentialsApi.ts index bb86cbb8f5..a378974992 100644 --- a/packages/core/src/modules/vc/W3cCredentialsApi.ts +++ b/packages/core/src/modules/vc/W3cCredentialsApi.ts @@ -1,5 +1,12 @@ -import type { StoreCredentialOptions } from './W3cCredentialServiceOptions' -import type { W3cVerifiableCredential } from './models' +import type { + StoreCredentialOptions, + W3cCreatePresentationOptions, + W3cSignCredentialOptions, + W3cSignPresentationOptions, + W3cVerifyCredentialOptions, + W3cVerifyPresentationOptions, +} from './W3cCredentialServiceOptions' +import type { W3cVerifiableCredential, ClaimFormat } from './models' import type { W3cCredentialRecord } from './repository' import type { Query } from '../../storage/StorageService' @@ -40,4 +47,28 @@ export class W3cCredentialsApi { public async findCredentialRecordsByQuery(query: Query): Promise { return this.w3cCredentialService.findCredentialsByQuery(this.agentContext, query) } + + public async signCredential( + options: W3cSignCredentialOptions + ) { + return this.w3cCredentialService.signCredential(this.agentContext, options) + } + + public async verifyCredential(options: W3cVerifyCredentialOptions) { + return this.w3cCredentialService.verifyCredential(this.agentContext, options) + } + + public async createPresentation(options: W3cCreatePresentationOptions) { + return this.w3cCredentialService.createPresentation(options) + } + + public async signPresentation( + options: W3cSignPresentationOptions + ) { + return this.w3cCredentialService.signPresentation(this.agentContext, options) + } + + public async verifyPresentation(options: W3cVerifyPresentationOptions) { + return this.w3cCredentialService.verifyPresentation(this.agentContext, options) + } } diff --git a/packages/core/src/modules/vc/data-integrity/SignatureSuiteRegistry.ts b/packages/core/src/modules/vc/data-integrity/SignatureSuiteRegistry.ts index d7cd6e37b4..815dc961e6 100644 --- a/packages/core/src/modules/vc/data-integrity/SignatureSuiteRegistry.ts +++ b/packages/core/src/modules/vc/data-integrity/SignatureSuiteRegistry.ts @@ -27,12 +27,15 @@ export class SignatureSuiteRegistry { return this.suiteMapping.map((x) => x.proofType) } + /** + * @deprecated recommended to always search by key type instead as that will have broader support + */ public getByVerificationMethodType(verificationMethodType: string) { return this.suiteMapping.find((x) => x.verificationMethodTypes.includes(verificationMethodType)) } public getByKeyType(keyType: KeyType) { - return this.suiteMapping.find((x) => x.keyTypes.includes(keyType)) + return this.suiteMapping.filter((x) => x.keyTypes.includes(keyType)) } public getByProofType(proofType: string) { diff --git a/packages/core/src/modules/vc/data-integrity/W3cJsonLdCredentialService.ts b/packages/core/src/modules/vc/data-integrity/W3cJsonLdCredentialService.ts index 841271fa39..d2b347a7e2 100644 --- a/packages/core/src/modules/vc/data-integrity/W3cJsonLdCredentialService.ts +++ b/packages/core/src/modules/vc/data-integrity/W3cJsonLdCredentialService.ts @@ -318,16 +318,6 @@ export class W3cJsonLdCredentialService { return this.signatureSuiteRegistry.getByProofType(proofType).keyTypes } - public getProofTypeByVerificationMethodType(verificationMethodType: string): string { - const suite = this.signatureSuiteRegistry.getByVerificationMethodType(verificationMethodType) - - if (!suite) { - throw new AriesFrameworkError(`No suite found for verification method type ${verificationMethodType}}`) - } - - return suite.proofType - } - public async getExpandedTypesForCredential(agentContext: AgentContext, credential: W3cJsonLdVerifiableCredential) { // Get the expanded types const expandedTypes: SingleOrArray = ( diff --git a/packages/core/src/modules/vc/data-integrity/deriveProof.ts b/packages/core/src/modules/vc/data-integrity/deriveProof.ts index a98bf1a064..78e13826de 100644 --- a/packages/core/src/modules/vc/data-integrity/deriveProof.ts +++ b/packages/core/src/modules/vc/data-integrity/deriveProof.ts @@ -38,6 +38,7 @@ export interface W3cJsonLdDeriveProofOptions { export const deriveProof = async ( proofDocument: JsonObject, revealDocument: JsonObject, + // eslint-disable-next-line @typescript-eslint/no-explicit-any { suite, skipProofCompaction, documentLoader, expansionMap, nonce }: any ): Promise => { if (!suite) { diff --git a/packages/core/src/modules/vc/data-integrity/models/W3cJsonLdVerifiableCredential.ts b/packages/core/src/modules/vc/data-integrity/models/W3cJsonLdVerifiableCredential.ts index 2fad970565..c0a281a7ba 100644 --- a/packages/core/src/modules/vc/data-integrity/models/W3cJsonLdVerifiableCredential.ts +++ b/packages/core/src/modules/vc/data-integrity/models/W3cJsonLdVerifiableCredential.ts @@ -1,5 +1,6 @@ import type { LinkedDataProofOptions } from './LinkedDataProof' import type { W3cCredentialOptions } from '../../models/credential/W3cCredential' +import type { W3cJsonCredential } from '../../models/credential/W3cJsonCredential' import { ValidateNested } from 'class-validator' @@ -41,6 +42,10 @@ export class W3cJsonLdVerifiableCredential extends W3cCredential { return JsonTransformer.toJSON(this) } + public static fromJson(json: Record) { + return JsonTransformer.fromJSON(json, W3cJsonLdVerifiableCredential) + } + /** * The {@link ClaimFormat} of the credential. For JSON-LD credentials this is always `ldp_vc`. */ @@ -55,4 +60,8 @@ export class W3cJsonLdVerifiableCredential extends W3cCredential { public get encoded() { return this.toJson() } + + public get jsonCredential(): W3cJsonCredential { + return this.toJson() as W3cJsonCredential + } } diff --git a/packages/core/src/modules/vc/data-integrity/proof-purposes/ProofPurpose.ts b/packages/core/src/modules/vc/data-integrity/proof-purposes/ProofPurpose.ts index 2695f3276c..af04ec9f41 100644 --- a/packages/core/src/modules/vc/data-integrity/proof-purposes/ProofPurpose.ts +++ b/packages/core/src/modules/vc/data-integrity/proof-purposes/ProofPurpose.ts @@ -1 +1,2 @@ +// eslint-disable-next-line @typescript-eslint/no-explicit-any export type ProofPurpose = any diff --git a/packages/core/src/modules/vc/jwt-vc/W3cJwtCredentialService.ts b/packages/core/src/modules/vc/jwt-vc/W3cJwtCredentialService.ts index 87bf4b476c..0dedea6879 100644 --- a/packages/core/src/modules/vc/jwt-vc/W3cJwtCredentialService.ts +++ b/packages/core/src/modules/vc/jwt-vc/W3cJwtCredentialService.ts @@ -509,7 +509,7 @@ export class W3cJwtCredentialService { verificationMethod = didDocument.dereferenceKey(kid, purpose) if (signerId && didDocument.id !== signerId) { - throw new AriesFrameworkError(`kid '${kid}' does not match id of signer (holder/issuer) '${signerId}'`) + throw new AriesFrameworkError(`kid '${kid}' does not match id of signer (holder/issuer) '${didDocument.id}'`) } } else { if (!signerId) { diff --git a/packages/core/src/modules/vc/jwt-vc/W3cJwtVerifiableCredential.ts b/packages/core/src/modules/vc/jwt-vc/W3cJwtVerifiableCredential.ts index c9d3852a35..869f00121e 100644 --- a/packages/core/src/modules/vc/jwt-vc/W3cJwtVerifiableCredential.ts +++ b/packages/core/src/modules/vc/jwt-vc/W3cJwtVerifiableCredential.ts @@ -1,6 +1,8 @@ import type { W3cCredential } from '../models/credential/W3cCredential' +import type { W3cJsonCredential } from '../models/credential/W3cJsonCredential' import { Jwt } from '../../../crypto/jose/jwt/Jwt' +import { JsonTransformer } from '../../../utils' import { ClaimFormat } from '../models/ClaimFormat' import { getCredentialFromJwtPayload } from './credentialTransformer' @@ -117,4 +119,8 @@ export class W3cJwtVerifiableCredential { public get encoded() { return this.serializedJwt } + + public get jsonCredential(): W3cJsonCredential { + return JsonTransformer.toJSON(this.credential) as W3cJsonCredential + } } diff --git a/packages/core/src/modules/vc/models/ClaimFormat.ts b/packages/core/src/modules/vc/models/ClaimFormat.ts index f6c8cc909d..50ff6c58c9 100644 --- a/packages/core/src/modules/vc/models/ClaimFormat.ts +++ b/packages/core/src/modules/vc/models/ClaimFormat.ts @@ -9,4 +9,5 @@ export enum ClaimFormat { Ldp = 'ldp', LdpVc = 'ldp_vc', LdpVp = 'ldp_vp', + SdJwtVc = 'vc+sd-jwt', } diff --git a/packages/core/src/modules/vc/models/credential/W3cVerifiableCredential.ts b/packages/core/src/modules/vc/models/credential/W3cVerifiableCredential.ts index ae16558744..f935bb08e0 100644 --- a/packages/core/src/modules/vc/models/credential/W3cVerifiableCredential.ts +++ b/packages/core/src/modules/vc/models/credential/W3cVerifiableCredential.ts @@ -39,7 +39,7 @@ export function W3cVerifiableCredentialTransformer() { export type W3cVerifiableCredential = Format extends ClaimFormat.JwtVc - ? W3cJsonLdVerifiableCredential - : Format extends ClaimFormat.LdpVc ? W3cJwtVerifiableCredential + : Format extends ClaimFormat.LdpVc + ? W3cJsonLdVerifiableCredential : W3cJsonLdVerifiableCredential | W3cJwtVerifiableCredential diff --git a/packages/core/src/modules/vc/models/presentation/W3cVerifiablePresentation.ts b/packages/core/src/modules/vc/models/presentation/W3cVerifiablePresentation.ts index 65e7b68a4b..8ce1304a19 100644 --- a/packages/core/src/modules/vc/models/presentation/W3cVerifiablePresentation.ts +++ b/packages/core/src/modules/vc/models/presentation/W3cVerifiablePresentation.ts @@ -4,7 +4,7 @@ import type { ClaimFormat } from '../ClaimFormat' export type W3cVerifiablePresentation = Format extends ClaimFormat.JwtVp - ? W3cJsonLdVerifiablePresentation - : Format extends ClaimFormat.LdpVp ? W3cJwtVerifiablePresentation + : Format extends ClaimFormat.LdpVp + ? W3cJsonLdVerifiablePresentation : W3cJsonLdVerifiablePresentation | W3cJwtVerifiablePresentation diff --git a/packages/core/src/modules/vc/repository/W3cCredentialRecord.ts b/packages/core/src/modules/vc/repository/W3cCredentialRecord.ts index a5aa1fe070..01171ab68d 100644 --- a/packages/core/src/modules/vc/repository/W3cCredentialRecord.ts +++ b/packages/core/src/modules/vc/repository/W3cCredentialRecord.ts @@ -31,6 +31,7 @@ export type DefaultW3cCredentialTags = { claimFormat: W3cVerifiableCredential['claimFormat'] proofTypes?: Array + types: Array algs?: Array } @@ -64,6 +65,7 @@ export class W3cCredentialRecord extends BaseRecord { proofTypes: credential.proofTypes, givenId: credential.id, expandedTypes: ['https://expanded.tag#1'], + types: ['VerifiableCredential', 'UniversityDegreeCredential'], }) }) }) diff --git a/packages/core/src/plugins/index.ts b/packages/core/src/plugins/index.ts index faee88c0f1..bf419032f6 100644 --- a/packages/core/src/plugins/index.ts +++ b/packages/core/src/plugins/index.ts @@ -1,3 +1,4 @@ export * from './DependencyManager' export * from './Module' +export * from './utils' export { inject, injectable, Disposable, injectAll } from 'tsyringe' diff --git a/packages/core/src/plugins/utils.ts b/packages/core/src/plugins/utils.ts new file mode 100644 index 0000000000..34ad85a7b9 --- /dev/null +++ b/packages/core/src/plugins/utils.ts @@ -0,0 +1,34 @@ +import type { ApiModule, Module } from './Module' +import type { AgentContext } from '../agent' + +export function getRegisteredModuleByInstance( + agentContext: AgentContext, + moduleType: { new (...args: unknown[]): M } +): M | undefined { + const module = Object.values(agentContext.dependencyManager.registeredModules).find( + (module): module is M => module instanceof moduleType + ) + + return module +} + +export function getRegisteredModuleByName( + agentContext: AgentContext, + constructorName: string +): M | undefined { + const module = Object.values(agentContext.dependencyManager.registeredModules).find( + (module): module is M => module.constructor.name === constructorName + ) + + return module +} + +export function getApiForModuleByName( + agentContext: AgentContext, + constructorName: string +): InstanceType | undefined { + const module = getRegisteredModuleByName(agentContext, constructorName) + if (!module || !module.api) return undefined + + return agentContext.dependencyManager.resolve(module.api) as InstanceType +} diff --git a/packages/core/src/storage/migration/updates.ts b/packages/core/src/storage/migration/updates.ts index 4e1d09a898..9ee3a080e0 100644 --- a/packages/core/src/storage/migration/updates.ts +++ b/packages/core/src/storage/migration/updates.ts @@ -6,6 +6,7 @@ import { updateV0_1ToV0_2 } from './updates/0.1-0.2' import { updateV0_2ToV0_3 } from './updates/0.2-0.3' import { updateV0_3ToV0_3_1 } from './updates/0.3-0.3.1' import { updateV0_3_1ToV0_4 } from './updates/0.3.1-0.4' +import { updateV0_4ToV0_5 } from './updates/0.4-0.5' export const INITIAL_STORAGE_VERSION = '0.1' @@ -46,6 +47,11 @@ export const supportedUpdates = [ toVersion: '0.4', doUpdate: updateV0_3_1ToV0_4, }, + { + fromVersion: '0.3.1', + toVersion: '0.4', + doUpdate: updateV0_4ToV0_5, + }, ] as const // Current version is last toVersion from the supported updates diff --git a/packages/core/src/storage/migration/updates/0.4-0.5/__tests__/w3cCredentialRecord.test.ts b/packages/core/src/storage/migration/updates/0.4-0.5/__tests__/w3cCredentialRecord.test.ts new file mode 100644 index 0000000000..d366426d82 --- /dev/null +++ b/packages/core/src/storage/migration/updates/0.4-0.5/__tests__/w3cCredentialRecord.test.ts @@ -0,0 +1,63 @@ +import { getAgentConfig, getAgentContext, mockFunction } from '../../../../../../tests/helpers' +import { Agent } from '../../../../../agent/Agent' +import { W3cCredentialRecord, W3cJsonLdVerifiableCredential } from '../../../../../modules/vc' +import { Ed25519Signature2018Fixtures } from '../../../../../modules/vc/data-integrity/__tests__/fixtures' +import { JsonTransformer } from '../../../../../utils' +import * as testModule from '../w3cCredentialRecord' + +const agentConfig = getAgentConfig('Migration W3cCredentialRecord 0.4-0.5') +const agentContext = getAgentContext() + +const repository = { + getAll: jest.fn(), + update: jest.fn(), +} + +jest.mock('../../../../../agent/Agent', () => { + return { + Agent: jest.fn(() => ({ + config: agentConfig, + context: agentContext, + dependencyManager: { + resolve: jest.fn(() => repository), + }, + })), + } +}) + +// Mock typed object +const AgentMock = Agent as jest.Mock + +describe('0.4-0.5 | W3cCredentialRecord', () => { + let agent: Agent + + beforeEach(() => { + agent = new AgentMock() + }) + + describe('migrateW3cCredentialRecordToV0_5()', () => { + it('should fetch all w3c credential records and re-save them', async () => { + const records = [ + new W3cCredentialRecord({ + tags: {}, + id: '3b3cf6ca-fa09-4498-b891-e280fbbb7fa7', + credential: JsonTransformer.fromJSON( + Ed25519Signature2018Fixtures.TEST_LD_DOCUMENT_SIGNED, + W3cJsonLdVerifiableCredential + ), + }), + ] + + mockFunction(repository.getAll).mockResolvedValue(records) + + await testModule.migrateW3cCredentialRecordToV0_5(agent) + + expect(repository.getAll).toHaveBeenCalledTimes(1) + expect(repository.getAll).toHaveBeenCalledWith(agent.context) + expect(repository.update).toHaveBeenCalledTimes(1) + + const [, record] = mockFunction(repository.update).mock.calls[0] + expect(record.getTags().types).toEqual(['VerifiableCredential', 'UniversityDegreeCredential']) + }) + }) +}) diff --git a/packages/core/src/storage/migration/updates/0.4-0.5/index.ts b/packages/core/src/storage/migration/updates/0.4-0.5/index.ts new file mode 100644 index 0000000000..8b1a9428b9 --- /dev/null +++ b/packages/core/src/storage/migration/updates/0.4-0.5/index.ts @@ -0,0 +1,7 @@ +import type { BaseAgent } from '../../../../agent/BaseAgent' + +import { migrateW3cCredentialRecordToV0_5 } from './w3cCredentialRecord' + +export async function updateV0_4ToV0_5(agent: Agent): Promise { + await migrateW3cCredentialRecordToV0_5(agent) +} diff --git a/packages/core/src/storage/migration/updates/0.4-0.5/w3cCredentialRecord.ts b/packages/core/src/storage/migration/updates/0.4-0.5/w3cCredentialRecord.ts new file mode 100644 index 0000000000..44adf36171 --- /dev/null +++ b/packages/core/src/storage/migration/updates/0.4-0.5/w3cCredentialRecord.ts @@ -0,0 +1,28 @@ +import type { BaseAgent } from '../../../../agent/BaseAgent' + +import { W3cCredentialRepository } from '../../../../modules/vc/repository' + +/** + * Re-saves the w3c credential records to add the new claimFormat tag. + */ +export async function migrateW3cCredentialRecordToV0_5(agent: Agent) { + agent.config.logger.info('Migration w3c credential records records to storage version 0.5') + + const w3cCredentialRepository = agent.dependencyManager.resolve(W3cCredentialRepository) + + agent.config.logger.debug(`Fetching all w3c credential records from storage`) + const records = await w3cCredentialRepository.getAll(agent.context) + + agent.config.logger.debug(`Found a total of ${records.length} w3c credential records to update.`) + + for (const record of records) { + agent.config.logger.debug( + `Re-saving w3c credential record with id ${record.id} to add claimFormat tag for storage version 0.5` + ) + + // Save updated record + await w3cCredentialRepository.update(agent.context, record) + + agent.config.logger.debug(`Successfully migrated w3c credential record with id ${record.id} to storage version 0.5`) + } +} diff --git a/packages/core/src/utils/Hasher.ts b/packages/core/src/utils/Hasher.ts index 023a69c708..760a4956fc 100644 --- a/packages/core/src/utils/Hasher.ts +++ b/packages/core/src/utils/Hasher.ts @@ -1,6 +1,9 @@ import { hash as sha256 } from '@stablelib/sha256' -export type HashName = 'sha2-256' +import { TypedArrayEncoder } from './TypedArrayEncoder' + +// TODO: use JWA Hashing Algorithm names +export type HashName = 'sha2-256' | 'sha-256' type HashingMap = { [key in HashName]: (data: Uint8Array) => Uint8Array @@ -8,16 +11,17 @@ type HashingMap = { const hashingMap: HashingMap = { 'sha2-256': (data) => sha256(data), + 'sha-256': (data) => sha256(data), } export class Hasher { - public static hash(data: Uint8Array, hashName: HashName): Uint8Array { - const hashFn = hashingMap[hashName] - - if (!hashFn) { - throw new Error(`Unsupported hash name '${hashName}'`) + public static hash(data: Uint8Array | string, hashName: HashName | string): Uint8Array { + const dataAsUint8Array = typeof data === 'string' ? TypedArrayEncoder.fromString(data) : data + if (hashName in hashingMap) { + const hashFn = hashingMap[hashName as HashName] + return hashFn(dataAsUint8Array) } - return hashFn(data) + throw new Error(`Unsupported hash name '${hashName}'`) } } diff --git a/packages/core/src/utils/MultiHashEncoder.ts b/packages/core/src/utils/MultiHashEncoder.ts index 43a333d495..be4ed42456 100644 --- a/packages/core/src/utils/MultiHashEncoder.ts +++ b/packages/core/src/utils/MultiHashEncoder.ts @@ -14,6 +14,7 @@ type MultiHashCodeMap = { const multiHashNameMap: MultiHashNameMap = { 'sha2-256': 0x12, + 'sha-256': 0x12, } const multiHashCodeMap: MultiHashCodeMap = Object.entries(multiHashNameMap).reduce( @@ -31,7 +32,7 @@ export class MultiHashEncoder { * * @returns a multihash */ - public static encode(data: Uint8Array, hashName: 'sha2-256'): Buffer { + public static encode(data: Uint8Array, hashName: HashName): Buffer { const hash = Hasher.hash(data, hashName) const hashCode = multiHashNameMap[hashName] diff --git a/packages/core/src/utils/deepEquality.ts b/packages/core/src/utils/deepEquality.ts index a8bb286d73..b2f2ac7aad 100644 --- a/packages/core/src/utils/deepEquality.ts +++ b/packages/core/src/utils/deepEquality.ts @@ -26,7 +26,7 @@ export function deepEquality(x: any, y: any): boolean { /** * @note This will only work for primitive array equality */ -function equalsIgnoreOrder(a: Array, b: Array): boolean { +export function equalsIgnoreOrder(a: Array, b: Array): boolean { if (a.length !== b.length) return false return a.every((k) => b.includes(k)) } diff --git a/packages/core/src/utils/path.ts b/packages/core/src/utils/path.ts index 8b4dc2c26b..605a712d93 100644 --- a/packages/core/src/utils/path.ts +++ b/packages/core/src/utils/path.ts @@ -7,3 +7,29 @@ export function getDirFromFilePath(path: string) { return path.substring(0, Math.max(path.lastIndexOf('/'), path.lastIndexOf('\\'))) } + +/** + * Combine multiple uri parts into a single uri taking into account slashes. + * + * @param parts the parts to combine + * @returns the combined url + */ +export function joinUriParts(base: string, parts: string[]) { + if (parts.length === 0) return base + + // take base without trailing / + let combined = base.endsWith('/') ? base.slice(0, base.length - 1) : base + + for (const part of parts) { + // Remove leading and trailing / + let strippedPart = part.startsWith('/') ? part.slice(1) : part + strippedPart = strippedPart.endsWith('/') ? strippedPart.slice(0, strippedPart.length - 1) : strippedPart + + // Don't want to add if empty + if (strippedPart === '') continue + + combined += `/${strippedPart}` + } + + return combined +} diff --git a/packages/core/tests/index.ts b/packages/core/tests/index.ts index 2822fb23e1..62d138bcde 100644 --- a/packages/core/tests/index.ts +++ b/packages/core/tests/index.ts @@ -4,6 +4,6 @@ export * from './events' export * from './helpers' export * from './indySdk' -import testLogger from './logger' +import testLogger, { TestLogger } from './logger' -export { testLogger } +export { testLogger, TestLogger } diff --git a/packages/indy-sdk/src/anoncreds/services/IndySdkVerifierService.ts b/packages/indy-sdk/src/anoncreds/services/IndySdkVerifierService.ts index 80aee7be6f..0f619c8ab8 100644 --- a/packages/indy-sdk/src/anoncreds/services/IndySdkVerifierService.ts +++ b/packages/indy-sdk/src/anoncreds/services/IndySdkVerifierService.ts @@ -1,4 +1,4 @@ -import type { AnonCredsProof, AnonCredsVerifierService, VerifyProofOptions } from '@aries-framework/anoncreds' +import type { AnonCredsVerifierService, VerifyProofOptions } from '@aries-framework/anoncreds' import type { AgentContext } from '@aries-framework/core' import type { CredentialDefs, Schemas, RevocRegDefs, RevRegs, IndyProofRequest, IndyProof } from 'indy-sdk' diff --git a/packages/indy-sdk/src/ledger/serializeRequestForSignature.ts b/packages/indy-sdk/src/ledger/serializeRequestForSignature.ts index 630dcbab2b..55322fc803 100644 --- a/packages/indy-sdk/src/ledger/serializeRequestForSignature.ts +++ b/packages/indy-sdk/src/ledger/serializeRequestForSignature.ts @@ -1,9 +1,10 @@ -import { Hasher, TypedArrayEncoder } from '@aries-framework/core' +import { Hasher } from '@aries-framework/core' const ATTRIB_TYPE = '100' const GET_ATTR_TYPE = '104' /// Generate the normalized form of a ledger transaction request for signing +// eslint-disable-next-line @typescript-eslint/no-explicit-any export function serializeRequestForSignature(v: any): string { const type = v?.operation?.type @@ -17,6 +18,7 @@ export function serializeRequestForSignature(v: any): string { * * @see https://github.com/hyperledger/indy-shared-rs/blob/6af1e939586d1f16341dc03b62970cf28b32d118/indy-utils/src/txn_signature.rs#L10 */ +// eslint-disable-next-line @typescript-eslint/no-explicit-any function _serializeRequestForSignature(v: any, isTopLevel: boolean, _type?: string): string { const vType = typeof v @@ -46,7 +48,7 @@ function _serializeRequestForSignature(v: any, isTopLevel: boolean, _type?: stri if ((_type == ATTRIB_TYPE || _type == GET_ATTR_TYPE) && (vKey == 'raw' || vKey == 'hash' || vKey == 'enc')) { // do it only for attribute related request if (typeof value !== 'string') throw new Error('Value must be a string for hash') - const hash = Hasher.hash(TypedArrayEncoder.fromString(value), 'sha2-256') + const hash = Hasher.hash(value, 'sha2-256') value = Buffer.from(hash).toString('hex') } diff --git a/packages/openid4vc-client/CHANGELOG.md b/packages/openid4vc-client/CHANGELOG.md deleted file mode 100644 index 0c03004490..0000000000 --- a/packages/openid4vc-client/CHANGELOG.md +++ /dev/null @@ -1,27 +0,0 @@ -# Change Log - -All notable changes to this project will be documented in this file. -See [Conventional Commits](https://conventionalcommits.org) for commit guidelines. - -## [0.4.2](https://github.com/hyperledger/aries-framework-javascript/compare/v0.4.1...v0.4.2) (2023-10-05) - -**Note:** Version bump only for package @aries-framework/openid4vc-client - -## [0.4.1](https://github.com/hyperledger/aries-framework-javascript/compare/v0.4.0...v0.4.1) (2023-08-28) - -**Note:** Version bump only for package @aries-framework/openid4vc-client - -# [0.4.0](https://github.com/hyperledger/aries-framework-javascript/compare/v0.3.3...v0.4.0) (2023-06-03) - -### Bug Fixes - -- remove scope check from response ([#1450](https://github.com/hyperledger/aries-framework-javascript/issues/1450)) ([7dd4061](https://github.com/hyperledger/aries-framework-javascript/commit/7dd406170c75801529daf4bebebde81e84a4cb79)) - -### Features - -- **core:** add W3cCredentialsApi ([c888736](https://github.com/hyperledger/aries-framework-javascript/commit/c888736cb6b51014e23f5520fbc4074cf0e49e15)) -- **openid4vc-client:** openid authorization flow ([#1384](https://github.com/hyperledger/aries-framework-javascript/issues/1384)) ([996c08f](https://github.com/hyperledger/aries-framework-javascript/commit/996c08f8e32e58605408f5ed5b6d8116cea3b00c)) -- **openid4vc-client:** pre-authorized ([#1243](https://github.com/hyperledger/aries-framework-javascript/issues/1243)) ([3d86e78](https://github.com/hyperledger/aries-framework-javascript/commit/3d86e78a4df87869aa5df4e28b79cd91787b61fb)) -- **openid4vc:** jwt format and more crypto ([#1472](https://github.com/hyperledger/aries-framework-javascript/issues/1472)) ([bd4932d](https://github.com/hyperledger/aries-framework-javascript/commit/bd4932d34f7314a6d49097b6460c7570e1ebc7a8)) -- outbound message send via session ([#1335](https://github.com/hyperledger/aries-framework-javascript/issues/1335)) ([582c711](https://github.com/hyperledger/aries-framework-javascript/commit/582c711728db12b7d38a0be2e9fa78dbf31b34c6)) -- support more key types in jws service ([#1453](https://github.com/hyperledger/aries-framework-javascript/issues/1453)) ([8a3f03e](https://github.com/hyperledger/aries-framework-javascript/commit/8a3f03eb0dffcf46635556defdcebe1d329cf428)) diff --git a/packages/openid4vc-client/README.md b/packages/openid4vc-client/README.md deleted file mode 100644 index 540339fef7..0000000000 --- a/packages/openid4vc-client/README.md +++ /dev/null @@ -1,167 +0,0 @@ -

-
- Hyperledger Aries logo -

-

Aries Framework JavaScript Open ID Connect For Verifiable Credentials Client Module

-

- License - typescript - @aries-framework/openid4vc-client version - -

-
- -Open ID Connect For Verifiable Credentials Client Module for [Aries Framework JavaScript](https://github.com/hyperledger/aries-framework-javascript). - -### Installation - -Make sure you have set up the correct version of Aries Framework JavaScript according to the AFJ repository. - -```sh -yarn add @aries-framework/openid4vc-client -``` - -### Quick start - -#### Requirements - -Before a credential can be requested, you need the issuer URI. This URI starts with `openid-initiate-issuance://` and is provided by the issuer. The issuer URI is commonly acquired by scanning a QR code. - -#### Module registration - -In order to get this module to work, we need to inject it into the agent. This makes the module's functionality accessible through the agent's `modules` api. - -```ts -import { OpenId4VcClientModule } from '@aries-framework/openid4vc-client' - -const agent = new Agent({ - config: { - /* config */ - }, - dependencies: agentDependencies, - modules: { - openId4VcClient: new OpenId4VcClientModule(), - /* other custom modules */ - }, -}) - -await agent.initialize() -``` - -How the module is injected and the agent has been initialized, you can access the module's functionality through `agent.modules.openId4VcClient`. - -#### Preparing a DID - -In order to request a credential, you'll need to provide a DID that the issuer will use for setting the credential subject. In the following snippet we create one for the sake of the example, but this can be any DID that has a _authentication verification method_ with key type `Ed25519`. - -```ts -// first we create the DID -const did = await agent.dids.create({ - method: 'key', - options: { - keyType: KeyType.Ed25519, - }, -}) - -// next we do some assertions and extract the key identifier (kid) - -if ( - !did.didState.didDocument || - !did.didState.didDocument.authentication || - did.didState.didDocument.authentication.length === 0 -) { - throw new Error("Error creating did document, or did document has no 'authentication' verificationMethods") -} - -const [verificationMethod] = did.didState.didDocument.authentication -const kid = typeof verificationMethod === 'string' ? verificationMethod : verificationMethod.id -``` - -#### Requesting the credential (Pre-Authorized) - -Now a credential issuance can be requested as follows. - -```ts -const w3cCredentialRecord = await agent.modules.openId4VcClient.requestCredentialPreAuthorized({ - issuerUri, - kid, - checkRevocationState: false, -}) - -console.log(w3cCredentialRecord) -``` - -#### Full example - -```ts -import { OpenId4VcClientModule } from '@aries-framework/openid4vc-client' -import { agentDependencies } from '@aries-framework/node' // use @aries-framework/react-native for React Native -import { Agent, KeyDidCreateOptions } from '@aries-framework/core' - -const run = async () => { - const issuerUri = '' // The obtained issuer URI - - // Create the Agent - const agent = new Agent({ - config: { - /* config */ - }, - dependencies: agentDependencies, - modules: { - openId4VcClient: new OpenId4VcClientModule(), - /* other custom modules */ - }, - }) - - // Initialize the Agent - await agent.initialize() - - // Create a DID - const did = await agent.dids.create({ - method: 'key', - options: { - keyType: KeyType.Ed25519, - }, - }) - - // Assert DIDDocument is valid - if ( - !did.didState.didDocument || - !did.didState.didDocument.authentication || - did.didState.didDocument.authentication.length === 0 - ) { - throw new Error("Error creating did document, or did document has no 'authentication' verificationMethods") - } - - // Extract key identified (kid) for authentication verification method - const [verificationMethod] = did.didState.didDocument.authentication - const kid = typeof verificationMethod === 'string' ? verificationMethod : verificationMethod.id - - // Request the credential - const w3cCredentialRecord = await agent.modules.openId4VcClient.requestCredentialPreAuthorized({ - issuerUri, - kid, - checkRevocationState: false, - }) - - // Log the received credential - console.log(w3cCredentialRecord) -} -``` diff --git a/packages/openid4vc-client/jest.config.ts b/packages/openid4vc-client/jest.config.ts deleted file mode 100644 index 93c0197296..0000000000 --- a/packages/openid4vc-client/jest.config.ts +++ /dev/null @@ -1,13 +0,0 @@ -import type { Config } from '@jest/types' - -import base from '../../jest.config.base' - -import packageJson from './package.json' - -const config: Config.InitialOptions = { - ...base, - displayName: packageJson.name, - setupFilesAfterEnv: ['./tests/setup.ts'], -} - -export default config diff --git a/packages/openid4vc-client/src/OpenId4VcClientApi.ts b/packages/openid4vc-client/src/OpenId4VcClientApi.ts deleted file mode 100644 index a423a0c174..0000000000 --- a/packages/openid4vc-client/src/OpenId4VcClientApi.ts +++ /dev/null @@ -1,53 +0,0 @@ -import type { - GenerateAuthorizationUrlOptions, - PreAuthCodeFlowOptions, - AuthCodeFlowOptions, -} from './OpenId4VcClientServiceOptions' -import type { W3cCredentialRecord } from '@aries-framework/core' - -import { AgentContext, injectable } from '@aries-framework/core' - -import { OpenId4VcClientService } from './OpenId4VcClientService' -import { AuthFlowType } from './OpenId4VcClientServiceOptions' - -/** - * @public - */ -@injectable() -export class OpenId4VcClientApi { - private agentContext: AgentContext - private openId4VcClientService: OpenId4VcClientService - - public constructor(agentContext: AgentContext, openId4VcClientService: OpenId4VcClientService) { - this.agentContext = agentContext - this.openId4VcClientService = openId4VcClientService - } - - public async requestCredentialUsingPreAuthorizedCode( - options: PreAuthCodeFlowOptions - ): Promise { - // set defaults - const verifyRevocationState = options.verifyCredentialStatus ?? true - - return this.openId4VcClientService.requestCredential(this.agentContext, { - ...options, - verifyCredentialStatus: verifyRevocationState, - flowType: AuthFlowType.PreAuthorizedCodeFlow, - }) - } - - public async requestCredentialUsingAuthorizationCode(options: AuthCodeFlowOptions): Promise { - // set defaults - const checkRevocationState = options.verifyCredentialStatus ?? true - - return this.openId4VcClientService.requestCredential(this.agentContext, { - ...options, - verifyCredentialStatus: checkRevocationState, - flowType: AuthFlowType.AuthorizationCodeFlow, - }) - } - - public async generateAuthorizationUrl(options: GenerateAuthorizationUrlOptions) { - return this.openId4VcClientService.generateAuthorizationUrl(options) - } -} diff --git a/packages/openid4vc-client/src/OpenId4VcClientModule.ts b/packages/openid4vc-client/src/OpenId4VcClientModule.ts deleted file mode 100644 index 0c452e8201..0000000000 --- a/packages/openid4vc-client/src/OpenId4VcClientModule.ts +++ /dev/null @@ -1,31 +0,0 @@ -import type { DependencyManager, Module } from '@aries-framework/core' - -import { AgentConfig } from '@aries-framework/core' - -import { OpenId4VcClientApi } from './OpenId4VcClientApi' -import { OpenId4VcClientService } from './OpenId4VcClientService' - -/** - * @public - */ -export class OpenId4VcClientModule implements Module { - public readonly api = OpenId4VcClientApi - - /** - * Registers the dependencies of the openid4vc-client module on the dependency manager. - */ - public register(dependencyManager: DependencyManager) { - // Warn about experimental module - dependencyManager - .resolve(AgentConfig) - .logger.warn( - "The '@aries-framework/openid4vc-client' module is experimental and could have unexpected breaking changes. When using this module, make sure to use strict versions for all @aries-framework packages." - ) - - // Api - dependencyManager.registerContextScoped(OpenId4VcClientApi) - - // Services - dependencyManager.registerSingleton(OpenId4VcClientService) - } -} diff --git a/packages/openid4vc-client/src/OpenId4VcClientService.ts b/packages/openid4vc-client/src/OpenId4VcClientService.ts deleted file mode 100644 index d4ad452c2b..0000000000 --- a/packages/openid4vc-client/src/OpenId4VcClientService.ts +++ /dev/null @@ -1,488 +0,0 @@ -import type { - GenerateAuthorizationUrlOptions, - RequestCredentialOptions, - ProofOfPossessionVerificationMethodResolver, - SupportedCredentialFormats, - ProofOfPossessionRequirements, -} from './OpenId4VcClientServiceOptions' -import type { - AgentContext, - W3cVerifiableCredential, - VerificationMethod, - JwaSignatureAlgorithm, - W3cCredentialRecord, - W3cVerifyCredentialResult, -} from '@aries-framework/core' -import type { CredentialMetadata, CredentialResponse, Jwt, OpenIDResponse } from '@sphereon/openid4vci-client' - -import { - ClaimFormat, - getJwkClassFromJwaSignatureAlgorithm, - W3cJwtVerifiableCredential, - AriesFrameworkError, - getKeyFromVerificationMethod, - Hasher, - inject, - injectable, - InjectionSymbols, - JsonEncoder, - JsonTransformer, - JwsService, - Logger, - TypedArrayEncoder, - W3cCredentialService, - W3cJsonLdVerifiableCredential, - getJwkFromKey, - getSupportedVerificationMethodTypesFromKeyType, - getJwkClassFromKeyType, - parseDid, - SignatureSuiteRegistry, -} from '@aries-framework/core' -import { - AuthzFlowType, - CodeChallengeMethod, - CredentialRequestClientBuilder, - OpenID4VCIClient, - ProofOfPossessionBuilder, -} from '@sphereon/openid4vci-client' -import { randomStringForEntropy } from '@stablelib/random' - -import { supportedCredentialFormats, AuthFlowType } from './OpenId4VcClientServiceOptions' - -const flowTypeMapping = { - [AuthFlowType.AuthorizationCodeFlow]: AuthzFlowType.AUTHORIZATION_CODE_FLOW, - [AuthFlowType.PreAuthorizedCodeFlow]: AuthzFlowType.PRE_AUTHORIZED_CODE_FLOW, -} - -/** - * @internal - */ -@injectable() -export class OpenId4VcClientService { - private logger: Logger - private w3cCredentialService: W3cCredentialService - private jwsService: JwsService - - public constructor( - @inject(InjectionSymbols.Logger) logger: Logger, - w3cCredentialService: W3cCredentialService, - jwsService: JwsService - ) { - this.w3cCredentialService = w3cCredentialService - this.jwsService = jwsService - this.logger = logger - } - - private generateCodeVerifier(): string { - return randomStringForEntropy(256) - } - - public async generateAuthorizationUrl(options: GenerateAuthorizationUrlOptions) { - this.logger.debug('Generating authorization url') - - if (!options.scope || options.scope.length === 0) { - throw new AriesFrameworkError( - 'Only scoped based authorization requests are supported at this time. Please provide at least one scope' - ) - } - - const client = await OpenID4VCIClient.initiateFromURI({ - issuanceInitiationURI: options.initiationUri, - flowType: AuthzFlowType.AUTHORIZATION_CODE_FLOW, - }) - const codeVerifier = this.generateCodeVerifier() - const codeVerifierSha256 = Hasher.hash(TypedArrayEncoder.fromString(codeVerifier), 'sha2-256') - const base64Url = TypedArrayEncoder.toBase64URL(codeVerifierSha256) - - this.logger.debug('Converted code_verifier to code_challenge', { - codeVerifier: codeVerifier, - sha256: codeVerifierSha256.toString(), - base64Url: base64Url, - }) - - const authorizationUrl = client.createAuthorizationRequestUrl({ - clientId: options.clientId, - codeChallengeMethod: CodeChallengeMethod.SHA256, - codeChallenge: base64Url, - redirectUri: options.redirectUri, - scope: options.scope?.join(' '), - }) - - return { - authorizationUrl, - codeVerifier, - } - } - - public async requestCredential(agentContext: AgentContext, options: RequestCredentialOptions) { - const receivedCredentials: W3cCredentialRecord[] = [] - const supportedJwaSignatureAlgorithms = this.getSupportedJwaSignatureAlgorithms(agentContext) - - const allowedProofOfPossessionSignatureAlgorithms = options.allowedProofOfPossessionSignatureAlgorithms - ? options.allowedProofOfPossessionSignatureAlgorithms.filter((algorithm) => - supportedJwaSignatureAlgorithms.includes(algorithm) - ) - : supportedJwaSignatureAlgorithms - - // Take the allowed credential formats from the options or use the default - const allowedCredentialFormats = options.allowedCredentialFormats ?? supportedCredentialFormats - - const flowType = flowTypeMapping[options.flowType] - if (!flowType) { - throw new AriesFrameworkError( - `Unsupported flowType ${options.flowType}. Valid values are ${Object.values(AuthFlowType)}` - ) - } - - const client = await OpenID4VCIClient.initiateFromURI({ - issuanceInitiationURI: options.issuerUri, - flowType, - }) - - // acquire the access token - // NOTE: only scope based flow is supported for authorized flow. However there's not clear mapping between - // the scope property and which credential to request (this is out of scope of the spec), so it will still - // just request all credentials that have been offered in the credential offer. We may need to add some extra - // input properties that allows to define the credential type(s) to request. - const accessToken = - options.flowType === AuthFlowType.AuthorizationCodeFlow - ? await client.acquireAccessToken({ - clientId: options.clientId, - code: options.authorizationCode, - codeVerifier: options.codeVerifier, - redirectUri: options.redirectUri, - }) - : await client.acquireAccessToken({}) - - const serverMetadata = await client.retrieveServerMetadata() - - this.logger.info('Fetched server metadata', { - issuer: serverMetadata.issuer, - credentialEndpoint: serverMetadata.credential_endpoint, - tokenEndpoint: serverMetadata.token_endpoint, - }) - - const credentialsSupported = client.getCredentialsSupported(true) - - this.logger.debug('Full server metadata', serverMetadata) - - // Loop through all the credentialTypes in the credential offer - for (const credentialType of client.getCredentialTypesFromInitiation()) { - const credentialMetadata = credentialsSupported[credentialType] - - // Get all options for the credential request (such as which kid to use, the signature algorithm, etc) - const { verificationMethod, credentialFormat, signatureAlgorithm } = await this.getCredentialRequestOptions( - agentContext, - { - allowedCredentialFormats, - allowedProofOfPossessionSignatureAlgorithms, - credentialMetadata, - credentialType, - proofOfPossessionVerificationMethodResolver: options.proofOfPossessionVerificationMethodResolver, - } - ) - - // Create the proof of possession - const proofInput = await ProofOfPossessionBuilder.fromAccessTokenResponse({ - accessTokenResponse: accessToken, - callbacks: { - signCallback: this.signCallback(agentContext, verificationMethod), - }, - }) - .withEndpointMetadata(serverMetadata) - .withAlg(signatureAlgorithm) - .withKid(verificationMethod.id) - .build() - - this.logger.debug('Generated JWS', proofInput) - - // Acquire the credential - const credentialRequestClient = CredentialRequestClientBuilder.fromIssuanceInitiationURI({ - uri: options.issuerUri, - metadata: serverMetadata, - }) - .withTokenFromResponse(accessToken) - .build() - - const credentialResponse = await credentialRequestClient.acquireCredentialsUsingProof({ - proofInput, - credentialType, - format: credentialFormat, - }) - - const storedCredential = await this.handleCredentialResponse(agentContext, credentialResponse, { - verifyCredentialStatus: options.verifyCredentialStatus, - }) - - receivedCredentials.push(storedCredential) - } - - return receivedCredentials - } - - /** - * Get the options for the credential request. Internally this will resolve the proof of possession - * requirements, and based on that it will call the proofOfPossessionVerificationMethodResolver to - * allow the caller to select the correct verification method based on the requirements for the proof - * of possession. - */ - private async getCredentialRequestOptions( - agentContext: AgentContext, - options: { - proofOfPossessionVerificationMethodResolver: ProofOfPossessionVerificationMethodResolver - allowedCredentialFormats: SupportedCredentialFormats[] - allowedProofOfPossessionSignatureAlgorithms: JwaSignatureAlgorithm[] - credentialMetadata: CredentialMetadata - credentialType: string - } - ) { - const { credentialFormat, signatureAlgorithm, supportedDidMethods, supportsAllDidMethods } = - this.getProofOfPossessionRequirements(agentContext, { - credentialType: options.credentialType, - credentialMetadata: options.credentialMetadata, - allowedCredentialFormats: options.allowedCredentialFormats, - allowedProofOfPossessionSignatureAlgorithms: options.allowedProofOfPossessionSignatureAlgorithms, - }) - - const JwkClass = getJwkClassFromJwaSignatureAlgorithm(signatureAlgorithm) - - if (!JwkClass) { - throw new AriesFrameworkError( - `Could not determine JWK key type based on JWA signature algorithm '${signatureAlgorithm}'` - ) - } - - const supportedVerificationMethods = getSupportedVerificationMethodTypesFromKeyType(JwkClass.keyType) - - // Now we need to determine the did method and alg based on the cryptographic suite - const verificationMethod = await options.proofOfPossessionVerificationMethodResolver({ - credentialFormat, - proofOfPossessionSignatureAlgorithm: signatureAlgorithm, - supportedVerificationMethods, - keyType: JwkClass.keyType, - credentialType: options.credentialType, - supportsAllDidMethods, - supportedDidMethods, - }) - - // Make sure the verification method uses a supported did method - if ( - !supportsAllDidMethods && - !supportedDidMethods.find((supportedDidMethod) => verificationMethod.id.startsWith(supportedDidMethod)) - ) { - const { method } = parseDid(verificationMethod.id) - const supportedDidMethodsString = supportedDidMethods.join(', ') - throw new AriesFrameworkError( - `Verification method uses did method '${method}', but issuer only supports '${supportedDidMethodsString}'` - ) - } - - // Make sure the verification method uses a supported verification method type - if (!supportedVerificationMethods.includes(verificationMethod.type)) { - const supportedVerificationMethodsString = supportedVerificationMethods.join(', ') - throw new AriesFrameworkError( - `Verification method uses verification method type '${verificationMethod.type}', but only '${supportedVerificationMethodsString}' verification methods are supported for key type '${JwkClass.keyType}'` - ) - } - - return { verificationMethod, signatureAlgorithm, credentialFormat } - } - - /** - * Get the requirements for creating the proof of possession. Based on the allowed - * credential formats, the allowed proof of possession signature algorithms, and the - * credential type, this method will select the best credential format and signature - * algorithm to use, based on the order of preference. - */ - private getProofOfPossessionRequirements( - agentContext: AgentContext, - options: { - allowedCredentialFormats: SupportedCredentialFormats[] - credentialMetadata: CredentialMetadata - allowedProofOfPossessionSignatureAlgorithms: JwaSignatureAlgorithm[] - credentialType: string - } - ): ProofOfPossessionRequirements { - // Find the potential credentialFormat to use - const potentialCredentialFormats = options.allowedCredentialFormats.filter( - (allowedFormat) => options.credentialMetadata.formats[allowedFormat] !== undefined - ) - - // TODO: we may want to add a logging statement here if the supported formats of the wallet - // DOES support one of the issuer formats, but it is not in the allowedFormats - if (potentialCredentialFormats.length === 0) { - const formatsString = Object.keys(options.credentialMetadata.formats).join(', ') - throw new AriesFrameworkError( - `Issuer only supports formats '${formatsString}' for credential type '${ - options.credentialType - }', but the wallet only allows formats '${options.allowedCredentialFormats.join(', ')}'` - ) - } - - // Loop through all the potential credential formats and find the first one that we have a matching - // cryptographic suite supported for. - for (const potentialCredentialFormat of potentialCredentialFormats) { - const credentialFormat = options.credentialMetadata.formats[potentialCredentialFormat] - const issuerSupportedCryptographicSuites = credentialFormat.cryptographic_suites_supported ?? [] - // FIXME: somehow the MATTR Launchpad returns binding_methods_supported instead of cryptographic_binding_methods_supported - const issuerSupportedBindingMethods: string[] = - credentialFormat.cryptographic_binding_methods_supported ?? credentialFormat.binding_methods_supported ?? [] - - // For each of the supported algs, find the key types, then find the proof types - const signatureSuiteRegistry = agentContext.dependencyManager.resolve(SignatureSuiteRegistry) - - let potentialSignatureAlgorithm: JwaSignatureAlgorithm | undefined - - switch (potentialCredentialFormat) { - case ClaimFormat.JwtVc: - potentialSignatureAlgorithm = options.allowedProofOfPossessionSignatureAlgorithms.find((signatureAlgorithm) => - issuerSupportedCryptographicSuites.includes(signatureAlgorithm) - ) - break - case ClaimFormat.LdpVc: - // We need to find it based on the JSON-LD proof type - potentialSignatureAlgorithm = options.allowedProofOfPossessionSignatureAlgorithms.find( - (signatureAlgorithm) => { - const JwkClass = getJwkClassFromJwaSignatureAlgorithm(signatureAlgorithm) - if (!JwkClass) return false - - // TODO: getByKeyType should return a list - const matchingSuite = signatureSuiteRegistry.getByKeyType(JwkClass.keyType) - if (!matchingSuite) return false - - return issuerSupportedCryptographicSuites.includes(matchingSuite.proofType) - } - ) - break - } - - // If no match, continue to the next one. - if (!potentialSignatureAlgorithm) continue - - const supportsAllDidMethods = issuerSupportedBindingMethods.includes('did') - const supportedDidMethods = issuerSupportedBindingMethods.filter((method) => method.startsWith('did:')) - - // Make sure that the issuer supports the 'did' binding method, or at least one specific did method - if (!supportsAllDidMethods && supportedDidMethods.length === 0) continue - - return { - credentialFormat: potentialCredentialFormat, - signatureAlgorithm: potentialSignatureAlgorithm, - supportedDidMethods, - supportsAllDidMethods, - } - } - - throw new AriesFrameworkError( - 'Could not determine the correct credential format and signature algorithm to use for the proof of possession.' - ) - } - - /** - * Returns the JWA Signature Algorithms that are supported by the wallet. - * - * This is an approximation based on the supported key types of the wallet. - * This is not 100% correct as a supporting a key type does not mean you support - * all the algorithms for that key type. However, this needs refactoring of the wallet - * that is planned for the 0.5.0 release. - */ - private getSupportedJwaSignatureAlgorithms(agentContext: AgentContext): JwaSignatureAlgorithm[] { - const supportedKeyTypes = agentContext.wallet.supportedKeyTypes - - // Extract the supported JWS algs based on the key types the wallet support. - const supportedJwaSignatureAlgorithms = supportedKeyTypes - // Map the supported key types to the supported JWK class - .map(getJwkClassFromKeyType) - // Filter out the undefined values - .filter((jwkClass): jwkClass is Exclude => jwkClass !== undefined) - // Extract the supported JWA signature algorithms from the JWK class - .map((jwkClass) => jwkClass.supportedSignatureAlgorithms) - // Flatten the array of arrays - .reduce((allAlgorithms, algorithms) => [...allAlgorithms, ...algorithms], []) - - return supportedJwaSignatureAlgorithms - } - - private async handleCredentialResponse( - agentContext: AgentContext, - credentialResponse: OpenIDResponse, - options: { verifyCredentialStatus: boolean } - ) { - this.logger.debug('Credential request response', credentialResponse) - - if (!credentialResponse.successBody) { - throw new AriesFrameworkError('Did not receive a successful credential response') - } - - let credential: W3cVerifiableCredential - let result: W3cVerifyCredentialResult - if (credentialResponse.successBody.format === ClaimFormat.LdpVc) { - credential = JsonTransformer.fromJSON(credentialResponse.successBody.credential, W3cJsonLdVerifiableCredential) - result = await this.w3cCredentialService.verifyCredential(agentContext, { - credential, - verifyCredentialStatus: options.verifyCredentialStatus, - }) - } else if (credentialResponse.successBody.format === ClaimFormat.JwtVc) { - credential = W3cJwtVerifiableCredential.fromSerializedJwt(credentialResponse.successBody.credential as string) - result = await this.w3cCredentialService.verifyCredential(agentContext, { - credential, - verifyCredentialStatus: options.verifyCredentialStatus, - }) - } else { - throw new AriesFrameworkError(`Unsupported credential format ${credentialResponse.successBody.format}`) - } - - if (!result || !result.isValid) { - throw new AriesFrameworkError(`Failed to validate credential, error = ${result.error}`) - } - - const storedCredential = await this.w3cCredentialService.storeCredential(agentContext, { - credential, - }) - this.logger.info(`Stored credential with id: ${storedCredential.id}`) - this.logger.debug('Full credential', storedCredential) - - return storedCredential - } - - private signCallback(agentContext: AgentContext, verificationMethod: VerificationMethod) { - return async (jwt: Jwt, kid: string) => { - if (!jwt.header) { - throw new AriesFrameworkError('No header present on JWT') - } - - if (!jwt.payload) { - throw new AriesFrameworkError('No payload present on JWT') - } - - // We have determined the verification method before and already passed that when creating the callback, - // however we just want to make sure that the kid matches the verification method id - if (verificationMethod.id !== kid) { - throw new AriesFrameworkError(`kid ${kid} does not match verification method id ${verificationMethod.id}`) - } - - const key = getKeyFromVerificationMethod(verificationMethod) - const jwk = getJwkFromKey(key) - - const payload = JsonEncoder.toBuffer(jwt.payload) - if (!jwk.supportsSignatureAlgorithm(jwt.header.alg)) { - throw new AriesFrameworkError( - `kid ${kid} refers to a key of type '${jwk.keyType}', which does not support the JWS signature alg '${jwt.header.alg}'` - ) - } - - // We don't support these properties, remove them, so we can pass all other header properties to the JWS service - if (jwt.header.x5c || jwt.header.jwk) throw new AriesFrameworkError('x5c and jwk are not supported') - // eslint-disable-next-line @typescript-eslint/no-unused-vars - const { x5c: _x5c, jwk: _jwk, ...supportedHeaderOptions } = jwt.header - - const jws = await this.jwsService.createJwsCompact(agentContext, { - key, - payload, - protectedHeaderOptions: supportedHeaderOptions, - }) - - return jws - } - } -} diff --git a/packages/openid4vc-client/src/OpenId4VcClientServiceOptions.ts b/packages/openid4vc-client/src/OpenId4VcClientServiceOptions.ts deleted file mode 100644 index 8bd580a863..0000000000 --- a/packages/openid4vc-client/src/OpenId4VcClientServiceOptions.ts +++ /dev/null @@ -1,170 +0,0 @@ -import type { JwaSignatureAlgorithm, KeyType, VerificationMethod } from '@aries-framework/core' - -import { ClaimFormat } from '@aries-framework/core' - -/** - * The credential formats that are supported by the openid4vc client - */ -export type SupportedCredentialFormats = ClaimFormat.JwtVc | ClaimFormat.LdpVc -export const supportedCredentialFormats = [ClaimFormat.JwtVc, ClaimFormat.LdpVc] satisfies SupportedCredentialFormats[] - -/** - * Options that are used for the pre-authorized code flow. - */ -export interface PreAuthCodeFlowOptions { - issuerUri: string - verifyCredentialStatus: boolean - - /** - * A list of allowed credential formats in order of preference. - * - * If the issuer supports one of the allowed formats, that first format that is supported - * from the list will be used. - * - * If the issuer doesn't support any of the allowed formats, an error is thrown - * and the request is aborted. - */ - allowedCredentialFormats?: SupportedCredentialFormats[] - - /** - * A list of allowed proof of possession signature algorithms in order of preference. - * - * Note that the signature algorithms must be supported by the wallet implementation. - * Signature algorithms that are not supported by the wallet will be ignored. - * - * The proof of possession (pop) signature algorithm is used in the credential request - * to bind the credential to a did. In most cases the JWA signature algorithm - * that is used in the pop will determine the cryptographic suite that is used - * for signing the credential, but this not a requirement for the spec. E.g. if the - * pop uses EdDsa, the credential will most commonly also use EdDsa, or Ed25519Signature2018/2020. - */ - allowedProofOfPossessionSignatureAlgorithms?: JwaSignatureAlgorithm[] - - /** - * A function that should resolve a verification method based on the options passed. - * This method will be called once for each of the credentials that are included - * in the credential offer. - * - * Based on the credential format, JWA signature algorithm, verification method types - * and did methods, the resolver must return a verification method that will be used - * for the proof of possession signature. - */ - proofOfPossessionVerificationMethodResolver: ProofOfPossessionVerificationMethodResolver -} - -/** - * Options that are used for the authorization code flow. - * Extends the pre-authorized code flow options. - */ -export interface AuthCodeFlowOptions extends PreAuthCodeFlowOptions { - clientId: string - authorizationCode: string - codeVerifier: string - redirectUri: string -} - -/** - * The options that are used to generate the authorization url. - * - * NOTE: The `code_challenge` property is omitted here - * because we assume it will always be SHA256 - * as clear text code challenges are unsafe. - */ -export interface GenerateAuthorizationUrlOptions { - initiationUri: string - clientId: string - redirectUri: string - scope?: string[] -} - -export interface ProofOfPossessionVerificationMethodResolverOptions { - /** - * The credential format that will be requested from the issuer. - * E.g. `jwt_vc` or `ldp_vc`. - */ - credentialFormat: SupportedCredentialFormats - - /** - * The JWA Signature Algorithm that will be used in the proof of possession. - * This is based on the `allowedProofOfPossessionSignatureAlgorithms` passed - * to the request credential method, and the supported signature algorithms. - */ - proofOfPossessionSignatureAlgorithm: JwaSignatureAlgorithm - - /** - * This is a list of verification methods types that are supported - * for creating the proof of possession signature. The returned - * verification method type must be of one of these types. - */ - supportedVerificationMethods: string[] - - /** - * The key type that will be used to create the proof of possession signature. - * This is related to the verification method and the signature algorithm, and - * is added for convenience. - */ - keyType: KeyType - - /** - * The credential type that will be requested from the issuer. This is - * based on the credential types that are included the credential offer. - */ - credentialType: string - - /** - * Whether the issuer supports the `did` cryptographic binding method, - * indicating they support all did methods. In most cases, they do not - * support all did methods, and it means we have to make an assumption - * about the did methods they support. - * - * If this value is `false`, the `supportedDidMethods` property will - * contain a list of supported did methods. - */ - supportsAllDidMethods: boolean - - /** - * A list of supported did methods. This is only used if the `supportsAllDidMethods` - * property is `false`. When this array is populated, the returned verification method - * MUST be based on one of these did methods. - * - * The did methods are returned in the format `did:`, e.g. `did:web`. - */ - supportedDidMethods: string[] -} - -/** - * The proof of possession verification method resolver is a function that can be passed by the - * user of the framework and allows them to determine which verification method should be used - * for the proof of possession signature. - */ -export type ProofOfPossessionVerificationMethodResolver = ( - options: ProofOfPossessionVerificationMethodResolverOptions -) => Promise | VerificationMethod - -/** - * @internal - */ -export interface ProofOfPossessionRequirements { - credentialFormat: SupportedCredentialFormats - signatureAlgorithm: JwaSignatureAlgorithm - supportedDidMethods: string[] - supportsAllDidMethods: boolean -} - -/** - * @internal - */ -export enum AuthFlowType { - AuthorizationCodeFlow, - PreAuthorizedCodeFlow, -} - -type WithFlowType = Options & { flowType: FlowType } - -/** - * The options that are used to request a credential from an issuer. - * @internal - */ -export type RequestCredentialOptions = - | WithFlowType - | WithFlowType diff --git a/packages/openid4vc-client/src/index.ts b/packages/openid4vc-client/src/index.ts deleted file mode 100644 index 1ca13fe3b1..0000000000 --- a/packages/openid4vc-client/src/index.ts +++ /dev/null @@ -1,14 +0,0 @@ -export * from './OpenId4VcClientModule' -export * from './OpenId4VcClientApi' -export * from './OpenId4VcClientService' - -// Contains internal types, so we don't export everything -export { - AuthCodeFlowOptions, - PreAuthCodeFlowOptions, - GenerateAuthorizationUrlOptions, - RequestCredentialOptions, - SupportedCredentialFormats, - ProofOfPossessionVerificationMethodResolver, - ProofOfPossessionVerificationMethodResolverOptions, -} from './OpenId4VcClientServiceOptions' diff --git a/packages/openid4vc-client/tests/fixtures.ts b/packages/openid4vc-client/tests/fixtures.ts deleted file mode 100644 index b8b322a428..0000000000 --- a/packages/openid4vc-client/tests/fixtures.ts +++ /dev/null @@ -1,326 +0,0 @@ -export const mattrLaunchpadJsonLd = { - credentialOffer: - 'openid-initiate-issuance://?issuer=https://launchpad.mattrlabs.com&credential_type=OpenBadgeCredential&pre-authorized_code=krBcsBIlye2T-G4-rHHnRZUCah9uzDKwohJK6ABNvL-', - getMetadataResponse: { - authorization_endpoint: 'https://launchpad.vii.electron.mattrlabs.io/oidc/v1/auth/authorize', - token_endpoint: 'https://launchpad.vii.electron.mattrlabs.io/oidc/v1/auth/token', - jwks_uri: 'https://launchpad.vii.electron.mattrlabs.io/oidc/v1/auth/jwks', - token_endpoint_auth_methods_supported: [ - 'none', - 'client_secret_basic', - 'client_secret_jwt', - 'client_secret_post', - 'private_key_jwt', - ], - code_challenge_methods_supported: ['S256'], - grant_types_supported: ['authorization_code', 'urn:ietf:params:oauth:grant-type:pre-authorized_code'], - response_modes_supported: ['form_post', 'fragment', 'query'], - response_types_supported: ['code id_token', 'code', 'id_token', 'none'], - scopes_supported: ['OpenBadgeCredential', 'AcademicAward', 'LearnerProfile', 'PermanentResidentCard'], - token_endpoint_auth_signing_alg_values_supported: ['HS256', 'RS256', 'PS256', 'ES256', 'EdDSA'], - credential_endpoint: 'https://launchpad.vii.electron.mattrlabs.io/oidc/v1/auth/credential', - credentials_supported: { - OpenBadgeCredential: { - formats: { - ldp_vc: { - name: 'JFF x vc-edu PlugFest 2', - description: "MATTR's submission for JFF Plugfest 2", - types: ['OpenBadgeCredential'], - binding_methods_supported: ['did'], - cryptographic_suites_supported: ['Ed25519Signature2018'], - }, - }, - }, - AcademicAward: { - formats: { - ldp_vc: { - name: 'Example Academic Award', - description: 'Microcredential from the MyCreds Network.', - types: ['AcademicAward'], - binding_methods_supported: ['did'], - cryptographic_suites_supported: ['Ed25519Signature2018'], - }, - }, - }, - LearnerProfile: { - formats: { - ldp_vc: { - name: 'Digitary Learner Profile', - description: 'Example', - types: ['LearnerProfile'], - binding_methods_supported: ['did'], - cryptographic_suites_supported: ['Ed25519Signature2018'], - }, - }, - }, - PermanentResidentCard: { - formats: { - ldp_vc: { - name: 'Permanent Resident Card', - description: 'Government of Kakapo', - types: ['PermanentResidentCard'], - binding_methods_supported: ['did'], - cryptographic_suites_supported: ['Ed25519Signature2018'], - }, - }, - }, - }, - }, - - acquireAccessTokenResponse: { - access_token: '7nikUotMQefxn7oRX56R7MDNE7KJTGfwGjOkHzGaUIG', - expires_in: 3600, - scope: 'OpenBadgeCredential', - token_type: 'Bearer', - }, - credentialResponse: { - format: 'ldp_vc', - credential: { - type: ['VerifiableCredential', 'VerifiableCredentialExtension', 'OpenBadgeCredential'], - issuer: { - id: 'did:web:launchpad.vii.electron.mattrlabs.io', - name: 'Jobs for the Future (JFF)', - iconUrl: 'https://w3c-ccg.github.io/vc-ed/plugfest-1-2022/images/JFF_LogoLockup.png', - image: 'https://w3c-ccg.github.io/vc-ed/plugfest-1-2022/images/JFF_LogoLockup.png', - }, - name: 'JFF x vc-edu PlugFest 2', - description: "MATTR's submission for JFF Plugfest 2", - credentialBranding: { - backgroundColor: '#464c49', - }, - issuanceDate: '2023-01-25T16:58:06.292Z', - credentialSubject: { - id: 'did:key:z6MkpGR4gs4Rc3Zph4vj8wRnjnAxgAPSxcR8MAVKutWspQzc', - type: ['AchievementSubject'], - achievement: { - id: 'urn:uuid:bd6d9316-f7ae-4073-a1e5-2f7f5bd22922', - name: 'JFF x vc-edu PlugFest 2 Interoperability', - type: ['Achievement'], - image: { - id: 'https://w3c-ccg.github.io/vc-ed/plugfest-2-2022/images/JFF-VC-EDU-PLUGFEST2-badge-image.png', - type: 'Image', - }, - criteria: { - type: 'Criteria', - narrative: - 'Solutions providers earned this badge by demonstrating interoperability between multiple providers based on the OBv3 candidate final standard, with some additional required fields. Credential issuers earning this badge successfully issued a credential into at least two wallets. Wallet implementers earning this badge successfully displayed credentials issued by at least two different credential issuers.', - }, - description: - 'This credential solution supports the use of OBv3 and w3c Verifiable Credentials and is interoperable with at least two other solutions. This was demonstrated successfully during JFF x vc-edu PlugFest 2.', - }, - }, - '@context': [ - 'https://www.w3.org/2018/credentials/v1', - { - '@vocab': 'https://w3id.org/security/undefinedTerm#', - }, - 'https://mattr.global/contexts/vc-extensions/v1', - 'https://purl.imsglobal.org/spec/ob/v3p0/context.json', - 'https://w3c-ccg.github.io/vc-status-rl-2020/contexts/vc-revocation-list-2020/v1.jsonld', - ], - credentialStatus: { - id: 'https://launchpad.vii.electron.mattrlabs.io/core/v1/revocation-lists/b4aa46a0-5539-4a6b-aa03-8f6791c22ce3#49', - type: 'RevocationList2020Status', - revocationListIndex: '49', - revocationListCredential: - 'https://launchpad.vii.electron.mattrlabs.io/core/v1/revocation-lists/b4aa46a0-5539-4a6b-aa03-8f6791c22ce3', - }, - proof: { - type: 'Ed25519Signature2018', - created: '2023-01-25T16:58:07Z', - jws: 'eyJhbGciOiJFZERTQSIsImI2NCI6ZmFsc2UsImNyaXQiOlsiYjY0Il19..PrpRKt60yXOzMNiQY5bELX40F6Svwm-FyQ-Jv02VJDfTTH8GPPByjtOb_n3YfWidQVgySfGQ_H7VmCGjvsU6Aw', - proofPurpose: 'assertionMethod', - verificationMethod: 'did:web:launchpad.vii.electron.mattrlabs.io#6BhFMCGTJg', - }, - }, - }, -} - -export const waltIdJffJwt = { - credentialOffer: - 'openid-initiate-issuance://?issuer=https%3A%2F%2Fjff.walt.id%2Fissuer-api%2Fdefault%2Foidc%2F&credential_type=VerifiableId&pre-authorized_code=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiI4YmI0NWZiNC0zNDc1LTQ5YzItODVjNy0wYjkxZjY4N2RhNDQiLCJwcmUtYXV0aG9yaXplZCI6dHJ1ZX0.R8nHseZJvU3uVL3Ox-97i1HUnvjZH6wKSWDO_i8D12I&user_pin_required=false', - getMetadataResponse: { - authorization_endpoint: 'https://jff.walt.id/issuer-api/default/oidc/fulfillPAR', - token_endpoint: 'https://jff.walt.id/issuer-api/default/oidc/token', - pushed_authorization_request_endpoint: 'https://jff.walt.id/issuer-api/default/oidc/par', - issuer: 'https://jff.walt.id/issuer-api/default', - jwks_uri: 'https://jff.walt.id/issuer-api/default/oidc', - grant_types_supported: ['authorization_code', 'urn:ietf:params:oauth:grant-type:pre-authorized_code'], - request_uri_parameter_supported: true, - credentials_supported: { - VerifiableId: { - display: [{ name: 'VerifiableId' }], - formats: { - ldp_vc: { - cryptographic_binding_methods_supported: ['did'], - cryptographic_suites_supported: [ - 'Ed25519Signature2018', - 'Ed25519Signature2020', - 'EcdsaSecp256k1Signature2019', - 'RsaSignature2018', - 'JsonWebSignature2020', - 'JcsEd25519Signature2020', - ], - types: ['VerifiableCredential', 'VerifiableAttestation', 'VerifiableId'], - }, - jwt_vc: { - cryptographic_binding_methods_supported: ['did'], - cryptographic_suites_supported: ['ES256', 'ES256K', 'EdDSA', 'RS256', 'PS256'], - types: ['VerifiableCredential', 'VerifiableAttestation', 'VerifiableId'], - }, - }, - }, - VerifiableDiploma: { - display: [{ name: 'VerifiableDiploma' }], - formats: { - ldp_vc: { - cryptographic_binding_methods_supported: ['did'], - cryptographic_suites_supported: [ - 'Ed25519Signature2018', - 'Ed25519Signature2020', - 'EcdsaSecp256k1Signature2019', - 'RsaSignature2018', - 'JsonWebSignature2020', - 'JcsEd25519Signature2020', - ], - types: ['VerifiableCredential', 'VerifiableAttestation', 'VerifiableDiploma'], - }, - jwt_vc: { - cryptographic_binding_methods_supported: ['did'], - cryptographic_suites_supported: ['ES256', 'ES256K', 'EdDSA', 'RS256', 'PS256'], - types: ['VerifiableCredential', 'VerifiableAttestation', 'VerifiableDiploma'], - }, - }, - }, - VerifiableVaccinationCertificate: { - display: [{ name: 'VerifiableVaccinationCertificate' }], - formats: { - ldp_vc: { - cryptographic_binding_methods_supported: ['did'], - cryptographic_suites_supported: [ - 'Ed25519Signature2018', - 'Ed25519Signature2020', - 'EcdsaSecp256k1Signature2019', - 'RsaSignature2018', - 'JsonWebSignature2020', - 'JcsEd25519Signature2020', - ], - types: ['VerifiableCredential', 'VerifiableAttestation', 'VerifiableVaccinationCertificate'], - }, - jwt_vc: { - cryptographic_binding_methods_supported: ['did'], - cryptographic_suites_supported: ['ES256', 'ES256K', 'EdDSA', 'RS256', 'PS256'], - types: ['VerifiableCredential', 'VerifiableAttestation', 'VerifiableVaccinationCertificate'], - }, - }, - }, - ProofOfResidence: { - display: [{ name: 'ProofOfResidence' }], - formats: { - ldp_vc: { - cryptographic_binding_methods_supported: ['did'], - cryptographic_suites_supported: [ - 'Ed25519Signature2018', - 'Ed25519Signature2020', - 'EcdsaSecp256k1Signature2019', - 'RsaSignature2018', - 'JsonWebSignature2020', - 'JcsEd25519Signature2020', - ], - types: ['VerifiableCredential', 'VerifiableAttestation', 'ProofOfResidence'], - }, - jwt_vc: { - cryptographic_binding_methods_supported: ['did'], - cryptographic_suites_supported: ['ES256', 'ES256K', 'EdDSA', 'RS256', 'PS256'], - types: ['VerifiableCredential', 'VerifiableAttestation', 'ProofOfResidence'], - }, - }, - }, - ParticipantCredential: { - display: [{ name: 'ParticipantCredential' }], - formats: { - ldp_vc: { - cryptographic_binding_methods_supported: ['did'], - cryptographic_suites_supported: [ - 'Ed25519Signature2018', - 'Ed25519Signature2020', - 'EcdsaSecp256k1Signature2019', - 'RsaSignature2018', - 'JsonWebSignature2020', - 'JcsEd25519Signature2020', - ], - types: ['VerifiableCredential', 'ParticipantCredential'], - }, - jwt_vc: { - cryptographic_binding_methods_supported: ['did'], - cryptographic_suites_supported: ['ES256', 'ES256K', 'EdDSA', 'RS256', 'PS256'], - types: ['VerifiableCredential', 'ParticipantCredential'], - }, - }, - }, - Europass: { - display: [{ name: 'Europass' }], - formats: { - ldp_vc: { - cryptographic_binding_methods_supported: ['did'], - cryptographic_suites_supported: [ - 'Ed25519Signature2018', - 'Ed25519Signature2020', - 'EcdsaSecp256k1Signature2019', - 'RsaSignature2018', - 'JsonWebSignature2020', - 'JcsEd25519Signature2020', - ], - types: ['VerifiableCredential', 'VerifiableAttestation', 'Europass'], - }, - jwt_vc: { - cryptographic_binding_methods_supported: ['did'], - cryptographic_suites_supported: ['ES256', 'ES256K', 'EdDSA', 'RS256', 'PS256'], - types: ['VerifiableCredential', 'VerifiableAttestation', 'Europass'], - }, - }, - }, - OpenBadgeCredential: { - display: [{ name: 'OpenBadgeCredential' }], - formats: { - ldp_vc: { - cryptographic_binding_methods_supported: ['did'], - cryptographic_suites_supported: [ - 'Ed25519Signature2018', - 'Ed25519Signature2020', - 'EcdsaSecp256k1Signature2019', - 'RsaSignature2018', - 'JsonWebSignature2020', - 'JcsEd25519Signature2020', - ], - types: ['VerifiableCredential', 'OpenBadgeCredential'], - }, - jwt_vc: { - cryptographic_binding_methods_supported: ['did'], - cryptographic_suites_supported: ['ES256', 'ES256K', 'EdDSA', 'RS256', 'PS256'], - types: ['VerifiableCredential', 'OpenBadgeCredential'], - }, - }, - }, - }, - credential_issuer: { display: [{ locale: null, name: 'https://jff.walt.id/issuer-api/default' }] }, - credential_endpoint: 'https://jff.walt.id/issuer-api/default/oidc/credential', - subject_types_supported: ['public'], - }, - - acquireAccessTokenResponse: { - access_token: '8bb45fb4-3475-49c2-85c7-0b91f687da44', - refresh_token: 'WEjORX8NZccRGtRN4yvXFdYE8MeAOaLLmmGlcRbutq4', - c_nonce: 'cbad6376-f882-44c5-ae88-19bccc0de124', - id_token: - 'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiI4YmI0NWZiNC0zNDc1LTQ5YzItODVjNy0wYjkxZjY4N2RhNDQifQ.Mca0Ln1AvNlxBJftYc1PZKQBlGdBmrHsFRQSBDoCgD0', - token_type: 'Bearer', - expires_in: 300, - }, - - credentialResponse: { - credential: - 'eyJraWQiOiJkaWQ6andrOmV5SnJkSGtpT2lKUFMxQWlMQ0oxYzJVaU9pSnphV2NpTENKamNuWWlPaUpGWkRJMU5URTVJaXdpYTJsa0lqb2lOMlEyWTJKbU1qUTRPV0l6TkRJM05tSXhOekl4T1RBMU5EbGtNak01TVRnaUxDSjRJam9pUm01RlZWVmhkV1J0T1RsT016QmlPREJxY3poV2REUkJiazk0ZGxKM1dIUm5VbU5MY1ROblFrbDFPQ0lzSW1Gc1p5STZJa1ZrUkZOQkluMCMwIiwidHlwIjoiSldUIiwiYWxnIjoiRWREU0EifQ.eyJpc3MiOiJkaWQ6andrOmV5SnJkSGtpT2lKUFMxQWlMQ0oxYzJVaU9pSnphV2NpTENKamNuWWlPaUpGWkRJMU5URTVJaXdpYTJsa0lqb2lOMlEyWTJKbU1qUTRPV0l6TkRJM05tSXhOekl4T1RBMU5EbGtNak01TVRnaUxDSjRJam9pUm01RlZWVmhkV1J0T1RsT016QmlPREJxY3poV2REUkJiazk0ZGxKM1dIUm5VbU5MY1ROblFrbDFPQ0lzSW1Gc1p5STZJa1ZrUkZOQkluMCIsInN1YiI6ImRpZDprZXk6ekRuYWVpcFdnOURNWFB0OWpjbUFCcWFZUlZLYzE5dFgxeGZCUldGc0pTUG9VZE1udiIsIm5iZiI6MTY4NTM1MDc4OSwiaWF0IjoxNjg1MzUwNzg5LCJ2YyI6eyJ0eXBlIjpbIlZlcmlmaWFibGVDcmVkZW50aWFsIiwiVmVyaWZpYWJsZUF0dGVzdGF0aW9uIiwiVmVyaWZpYWJsZUlkIl0sIkBjb250ZXh0IjpbImh0dHBzOi8vd3d3LnczLm9yZy8yMDE4L2NyZWRlbnRpYWxzL3YxIl0sImlkIjoidXJuOnV1aWQ6NTljZTRhYzItZWM2NS00YjhmLThmOTYtZWE3ODUxMmRmOWQzIiwiaXNzdWVyIjoiZGlkOmp3azpleUpyZEhraU9pSlBTMUFpTENKMWMyVWlPaUp6YVdjaUxDSmpjbllpT2lKRlpESTFOVEU1SWl3aWEybGtJam9pTjJRMlkySm1NalE0T1dJek5ESTNObUl4TnpJeE9UQTFORGxrTWpNNU1UZ2lMQ0o0SWpvaVJtNUZWVlZoZFdSdE9UbE9NekJpT0RCcWN6aFdkRFJCYms5NGRsSjNXSFJuVW1OTGNUTm5Ra2wxT0NJc0ltRnNaeUk2SWtWa1JGTkJJbjAiLCJpc3N1YW5jZURhdGUiOiIyMDIzLTA1LTI5VDA4OjU5OjQ5WiIsImlzc3VlZCI6IjIwMjMtMDUtMjlUMDg6NTk6NDlaIiwidmFsaWRGcm9tIjoiMjAyMy0wNS0yOVQwODo1OTo0OVoiLCJjcmVkZW50aWFsU2NoZW1hIjp7ImlkIjoiaHR0cHM6Ly9yYXcuZ2l0aHVidXNlcmNvbnRlbnQuY29tL3dhbHQtaWQvd2FsdGlkLXNzaWtpdC12Y2xpYi9tYXN0ZXIvc3JjL3Rlc3QvcmVzb3VyY2VzL3NjaGVtYXMvVmVyaWZpYWJsZUlkLmpzb24iLCJ0eXBlIjoiRnVsbEpzb25TY2hlbWFWYWxpZGF0b3IyMDIxIn0sImNyZWRlbnRpYWxTdWJqZWN0Ijp7ImlkIjoiZGlkOmtleTp6RG5hZWlwV2c5RE1YUHQ5amNtQUJxYVlSVktjMTl0WDF4ZkJSV0ZzSlNQb1VkTW52IiwiY3VycmVudEFkZHJlc3MiOlsiMSBCb3VsZXZhcmQgZGUgbGEgTGliZXJ0w6ksIDU5ODAwIExpbGxlIl0sImRhdGVPZkJpcnRoIjoiMTk5My0wNC0wOCIsImZhbWlseU5hbWUiOiJET0UiLCJmaXJzdE5hbWUiOiJKYW5lIiwiZ2VuZGVyIjoiRkVNQUxFIiwibmFtZUFuZEZhbWlseU5hbWVBdEJpcnRoIjoiSmFuZSBET0UiLCJwZXJzb25hbElkZW50aWZpZXIiOiIwOTA0MDA4MDg0SCIsInBsYWNlT2ZCaXJ0aCI6IkxJTExFLCBGUkFOQ0UifSwiZXZpZGVuY2UiOlt7ImRvY3VtZW50UHJlc2VuY2UiOlsiUGh5c2ljYWwiXSwiZXZpZGVuY2VEb2N1bWVudCI6WyJQYXNzcG9ydCJdLCJzdWJqZWN0UHJlc2VuY2UiOiJQaHlzaWNhbCIsInR5cGUiOlsiRG9jdW1lbnRWZXJpZmljYXRpb24iXSwidmVyaWZpZXIiOiJkaWQ6ZWJzaToyQTlCWjlTVWU2QmF0YWNTcHZzMVY1Q2RqSHZMcFE3YkVzaTJKYjZMZEhLblF4YU4ifV19LCJqdGkiOiJ1cm46dXVpZDo1OWNlNGFjMi1lYzY1LTRiOGYtOGY5Ni1lYTc4NTEyZGY5ZDMifQ.6Wn8X2tEQJ9CmX3-meCxDuGmevRdtivnjVkGPXzfnJ-1M6AU4SFxxon0JmMjdmO_h4P9sCEe9RTtyTJou2yeCA', - format: 'jwt_vc', - }, -} diff --git a/packages/openid4vc-client/tests/openid4vc-client.e2e.test.ts b/packages/openid4vc-client/tests/openid4vc-client.e2e.test.ts deleted file mode 100644 index 556f1c07b4..0000000000 --- a/packages/openid4vc-client/tests/openid4vc-client.e2e.test.ts +++ /dev/null @@ -1,302 +0,0 @@ -import type { KeyDidCreateOptions } from '@aries-framework/core' - -import { - ClaimFormat, - JwaSignatureAlgorithm, - Agent, - KeyType, - TypedArrayEncoder, - W3cCredentialRecord, - W3cCredentialsModule, - DidKey, -} from '@aries-framework/core' -import nock, { cleanAll, enableNetConnect } from 'nock' - -import { AskarModule } from '../../askar/src' -import { askarModuleConfig } from '../../askar/tests/helpers' -import { customDocumentLoader } from '../../core/src/modules/vc/data-integrity/__tests__/documentLoader' -import { getAgentOptions } from '../../core/tests' - -import { mattrLaunchpadJsonLd, waltIdJffJwt } from './fixtures' - -import { OpenId4VcClientModule } from '@aries-framework/openid4vc-client' - -const modules = { - openId4VcClient: new OpenId4VcClientModule(), - w3cCredentials: new W3cCredentialsModule({ - documentLoader: customDocumentLoader, - }), - askar: new AskarModule(askarModuleConfig), -} - -describe('OpenId4VcClient', () => { - let agent: Agent - - beforeEach(async () => { - const agentOptions = getAgentOptions('OpenId4VcClient Agent', {}, modules) - - agent = new Agent(agentOptions) - - await agent.initialize() - }) - - afterEach(async () => { - await agent.shutdown() - await agent.wallet.delete() - }) - - describe('Pre-authorized flow', () => { - afterEach(() => { - cleanAll() - enableNetConnect() - }) - - it('Should successfully execute the pre-authorized flow using a did:key Ed25519 subject and JSON-LD credential', async () => { - /** - * Below we're setting up some mock HTTP responses. - * These responses are based on the openid-initiate-issuance URI above - * */ - - // setup temporary redirect mock - nock('https://launchpad.mattrlabs.com').get('/.well-known/openid-credential-issuer').reply(307, undefined, { - Location: 'https://launchpad.vii.electron.mattrlabs.io/.well-known/openid-credential-issuer', - }) - - // setup server metadata response - const httpMock = nock('https://launchpad.vii.electron.mattrlabs.io') - .get('/.well-known/openid-credential-issuer') - .reply(200, mattrLaunchpadJsonLd.getMetadataResponse) - - // setup access token response - httpMock.post('/oidc/v1/auth/token').reply(200, mattrLaunchpadJsonLd.acquireAccessTokenResponse) - - // setup credential request response - httpMock.post('/oidc/v1/auth/credential').reply(200, mattrLaunchpadJsonLd.credentialResponse) - - const did = await agent.dids.create({ - method: 'key', - options: { - keyType: KeyType.Ed25519, - }, - secret: { - privateKey: TypedArrayEncoder.fromString('96213c3d7fc8d4d6754c7a0fd969598e'), - }, - }) - - const didKey = DidKey.fromDid(did.didState.did as string) - const kid = `${did.didState.did as string}#${didKey.key.fingerprint}` - const verificationMethod = did.didState.didDocument?.dereferenceKey(kid, ['authentication']) - if (!verificationMethod) throw new Error('No verification method found') - - const w3cCredentialRecords = await agent.modules.openId4VcClient.requestCredentialUsingPreAuthorizedCode({ - issuerUri: mattrLaunchpadJsonLd.credentialOffer, - verifyCredentialStatus: false, - // We only allow EdDSa, as we've created a did with keyType ed25519. If we create - // or determine the did dynamically we could use any signature algorithm - allowedProofOfPossessionSignatureAlgorithms: [JwaSignatureAlgorithm.EdDSA], - proofOfPossessionVerificationMethodResolver: () => verificationMethod, - }) - - expect(w3cCredentialRecords).toHaveLength(1) - const w3cCredentialRecord = w3cCredentialRecords[0] - expect(w3cCredentialRecord).toBeInstanceOf(W3cCredentialRecord) - - expect(w3cCredentialRecord.credential.type).toEqual([ - 'VerifiableCredential', - 'VerifiableCredentialExtension', - 'OpenBadgeCredential', - ]) - - expect(w3cCredentialRecord.credential.credentialSubjectIds[0]).toEqual(did.didState.did) - }) - - it('Should successfully execute the pre-authorized flow using a did:key P256 subject and JWT credential', async () => { - /** - * Below we're setting up some mock HTTP responses. - * These responses are based on the openid-initiate-issuance URI above - */ - // setup server metadata response - const httpMock = nock('https://jff.walt.id/issuer-api/default/oidc') - .get('/.well-known/openid-credential-issuer') - .reply(200, waltIdJffJwt.getMetadataResponse) - // setup access token response - httpMock.post('/token').reply(200, waltIdJffJwt.credentialResponse) - // setup credential request response - httpMock.post('/credential').reply(200, waltIdJffJwt.credentialResponse) - - const did = await agent.dids.create({ - method: 'key', - options: { - keyType: KeyType.P256, - }, - secret: { - privateKey: TypedArrayEncoder.fromString('96213c3d7fc8d4d6754c7a0fd969598e'), - }, - }) - - const didKey = DidKey.fromDid(did.didState.did as string) - const kid = `${didKey.did}#${didKey.key.fingerprint}` - const verificationMethod = did.didState.didDocument?.dereferenceKey(kid, ['authentication']) - if (!verificationMethod) throw new Error('No verification method found') - - const w3cCredentialRecords = await agent.modules.openId4VcClient.requestCredentialUsingPreAuthorizedCode({ - issuerUri: waltIdJffJwt.credentialOffer, - allowedCredentialFormats: [ClaimFormat.JwtVc], - allowedProofOfPossessionSignatureAlgorithms: [JwaSignatureAlgorithm.ES256], - proofOfPossessionVerificationMethodResolver: () => verificationMethod, - verifyCredentialStatus: false, - }) - - expect(w3cCredentialRecords[0]).toBeInstanceOf(W3cCredentialRecord) - const w3cCredentialRecord = w3cCredentialRecords[0] - - expect(w3cCredentialRecord.credential.type).toEqual([ - 'VerifiableCredential', - 'VerifiableAttestation', - 'VerifiableId', - ]) - - expect(w3cCredentialRecord.credential.credentialSubjectIds[0]).toEqual(did.didState.did) - }) - }) - - describe('Authorization flow', () => { - beforeAll(async () => { - /** - * Below we're setting up some mock HTTP responses. - * These responses are based on the openid-initiate-issuance URI above - * */ - - // setup temporary redirect mock - nock('https://launchpad.mattrlabs.com').get('/.well-known/openid-credential-issuer').reply(307, undefined, { - Location: 'https://launchpad.vii.electron.mattrlabs.io/.well-known/openid-credential-issuer', - }) - - // setup server metadata response - const httpMock = nock('https://launchpad.vii.electron.mattrlabs.io') - .get('/.well-known/openid-credential-issuer') - .reply(200, mattrLaunchpadJsonLd.getMetadataResponse) - - // setup access token response - httpMock.post('/oidc/v1/auth/token').reply(200, mattrLaunchpadJsonLd.acquireAccessTokenResponse) - - // setup credential request response - httpMock.post('/oidc/v1/auth/credential').reply(200, mattrLaunchpadJsonLd.credentialResponse) - }) - - afterAll(async () => { - cleanAll() - enableNetConnect() - }) - - it('should generate a valid authorization url', async () => { - const clientId = 'test-client' - - const redirectUri = 'https://example.com/cb' - const scope = ['TestCredential'] - const initiationUri = - 'openid-initiate-issuance://?issuer=https://launchpad.mattrlabs.com&credential_type=OpenBadgeCredential' - const { authorizationUrl } = await agent.modules.openId4VcClient.generateAuthorizationUrl({ - clientId, - redirectUri, - scope, - initiationUri, - }) - - const parsedUrl = new URL(authorizationUrl) - expect(authorizationUrl.startsWith('https://launchpad.vii.electron.mattrlabs.io/oidc/v1/auth/authorize')).toBe( - true - ) - expect(parsedUrl.searchParams.get('response_type')).toBe('code') - expect(parsedUrl.searchParams.get('client_id')).toBe(clientId) - expect(parsedUrl.searchParams.get('code_challenge_method')).toBe('S256') - expect(parsedUrl.searchParams.get('redirect_uri')).toBe(redirectUri) - }) - it('should throw if no scope is provided', async () => { - // setup temporary redirect mock - nock('https://launchpad.mattrlabs.com').get('/.well-known/openid-credential-issuer').reply(307, undefined, { - Location: 'https://launchpad.vii.electron.mattrlabs.io/.well-known/openid-credential-issuer', - }) - - // setup server metadata response - nock('https://launchpad.vii.electron.mattrlabs.io') - .get('/.well-known/openid-credential-issuer') - .reply(200, mattrLaunchpadJsonLd.getMetadataResponse) - - const clientId = 'test-client' - const redirectUri = 'https://example.com/cb' - const initiationUri = - 'openid-initiate-issuance://?issuer=https://launchpad.mattrlabs.com&credential_type=OpenBadgeCredential' - expect( - agent.modules.openId4VcClient.generateAuthorizationUrl({ - clientId, - redirectUri, - scope: [], - initiationUri, - }) - ).rejects.toThrow() - }) - it('should successfully execute request a credential', async () => { - // setup temporary redirect mock - nock('https://launchpad.mattrlabs.com').get('/.well-known/openid-credential-issuer').reply(307, undefined, { - Location: 'https://launchpad.vii.electron.mattrlabs.io/.well-known/openid-credential-issuer', - }) - - // setup server metadata response - nock('https://launchpad.vii.electron.mattrlabs.io') - .get('/.well-known/openid-credential-issuer') - .reply(200, mattrLaunchpadJsonLd.getMetadataResponse) - - const did = await agent.dids.create({ - method: 'key', - options: { - keyType: KeyType.Ed25519, - }, - secret: { - privateKey: TypedArrayEncoder.fromString('96213c3d7fc8d4d6754c7a0fd969598e'), - }, - }) - - const didKey = DidKey.fromDid(did.didState.did as string) - const kid = `${did.didState.did as string}#${didKey.key.fingerprint}` - const verificationMethod = did.didState.didDocument?.dereferenceKey(kid, ['authentication']) - if (!verificationMethod) throw new Error('No verification method found') - - const clientId = 'test-client' - - const redirectUri = 'https://example.com/cb' - const initiationUri = - 'openid-initiate-issuance://?issuer=https://launchpad.mattrlabs.com&credential_type=OpenBadgeCredential' - - const scope = ['TestCredential'] - const { codeVerifier } = await agent.modules.openId4VcClient.generateAuthorizationUrl({ - clientId, - redirectUri, - scope, - initiationUri, - }) - const w3cCredentialRecords = await agent.modules.openId4VcClient.requestCredentialUsingAuthorizationCode({ - clientId: clientId, - authorizationCode: 'test-code', - codeVerifier: codeVerifier, - verifyCredentialStatus: false, - proofOfPossessionVerificationMethodResolver: () => verificationMethod, - allowedProofOfPossessionSignatureAlgorithms: [JwaSignatureAlgorithm.EdDSA], - issuerUri: initiationUri, - redirectUri: redirectUri, - }) - - expect(w3cCredentialRecords).toHaveLength(1) - const w3cCredentialRecord = w3cCredentialRecords[0] - expect(w3cCredentialRecord).toBeInstanceOf(W3cCredentialRecord) - - expect(w3cCredentialRecord.credential.type).toEqual([ - 'VerifiableCredential', - 'VerifiableCredentialExtension', - 'OpenBadgeCredential', - ]) - - expect(w3cCredentialRecord.credential.credentialSubjectIds[0]).toEqual(did.didState.did) - }) - }) -}) diff --git a/packages/openid4vc/README.md b/packages/openid4vc/README.md new file mode 100644 index 0000000000..04917ab764 --- /dev/null +++ b/packages/openid4vc/README.md @@ -0,0 +1,177 @@ +

+
+ Hyperledger Aries logo +

+

Aries Framework JavaScript Open ID Connect For Verifiable Credentials Client Module

+

+ License + typescript + @aries-framework/openid4vc-holder version + +

+
+ +Open ID Connect For Verifiable Credentials Holder Module for [Aries Framework JavaScript](https://github.com/hyperledger/aries-framework-javascript). + +### Installation + +Make sure you have set up the correct version of Aries Framework JavaScript according to the AFJ repository. + +```sh +yarn add @aries-framework/openid4vc-holder +``` + +### Quick start + +#### Requirements + +Before a credential can be requested, you need the issuer URI. This URI starts with `openid-initiate-issuance://` and is provided by the issuer. The issuer URI is commonly acquired by scanning a QR code. + +#### Module registration + +In order to get this module to work, we need to inject it into the agent. This makes the module's functionality accessible through the agent's `modules` api. + +```ts +import { OpenId4VcHolderModule } from '@aries-framework/openid4vc-holder' + +const agent = new Agent({ + config: { + /* config */ + }, + dependencies: agentDependencies, + modules: { + openId4VcHolder: new OpenId4VcHolderModule(), + /* other custom modules */ + }, +}) + +await agent.initialize() +``` + +How the module is injected and the agent has been initialized, you can access the module's functionality through `agent.modules.openId4VcHolder`. + +#### Preparing a DID + +In order to request a credential, you'll need to provide a DID that the issuer will use for setting the credential subject. In the following snippet we create one for the sake of the example, but this can be any DID that has a _authentication verification method_ with key type `Ed25519`. + +```ts +// first we create the DID +const did = await agent.dids.create({ + method: 'key', + options: { + keyType: KeyType.Ed25519, + }, +}) + +// next we do some assertions and extract the key identifier (kid) +if ( + !did.didState.didDocument || + !did.didState.didDocument.authentication || + did.didState.didDocument.authentication.length === 0 +) { + throw new Error("Error creating did document, or did document has no 'authentication' verificationMethods") +} + +const [verificationMethod] = did.didState.didDocument.authentication +const kid = typeof verificationMethod === 'string' ? verificationMethod : verificationMethod.id +``` + +#### Requesting the credential (Pre-Authorized) + +```ts +// To request credentials(s), you need a credential offer. +// The credential offer be provided as actual payload, +// the credential offer URL or issuance initiation URL +const credentialOffer = + 'openid-credential-offer://?credential_offer=%7B%22credential_issuer%22%3A%22https%3A%2F%2Fjff.walt.id%2Fissuer-api%2Fdefault%2Foidc%22%2C%22credentials%22%3A%5B%22VerifiableId%22%2C%20%22VerifiableDiploma%22%5D%2C%22grants%22%3A%7B%22urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Apre-authorized_code%22%3A%7B%22pre-authorized_code%22%3A%22ABC%22%7D%7D%7D' + +// The first step is to resolve the credential offer and +// get all metadata required for the issuance of the credentials. +const resolvedCredentialOffer = await agent.modules.openId4VcHolder.resolveCredentialOffer(credentialOffer) + +// The second (optional) step is to filter out the credentials which you want to request. +const selectedCredentialsForRequest = resolvedCredentialOffer.credentialsToRequest.filter((credential) => { + return credential.format === OpenIdCredentialFormatProfile.JwtVcJson && credential.types.includes('VerifiableId') +}) + +// The third step is to accept the credential offer. +// If no credentialsToRequest are specified all offered credentials are requested. +const w3cCredentialRecords = await agent.modules.openId4VcHolder.acceptCredentialOfferUsingPreAuthorizedCode( + resolvedCredentialOffer, + { + allowedProofOfPossessionSignatureAlgorithms: [JwaSignatureAlgorithm.ES256], + proofOfPossessionVerificationMethodResolver: () => verificationMethod, + verifyCredentialStatus: false, + credentialsToRequest: selectedCredentialsForRequest, + } +) + +console.log(w3cCredentialRecords) +``` + +#### Requesting the credential (Authorization Code Flow) + +Requesting credentials via the Authorization Code Flow function conceptually similar, +except that there is an intermediary step involved to resolve the authorization request, and then manually get the authorization code. + +```ts +// To request credentials(s), you need a credential offer. +// The credential offer be provided as actual payload, +// the credential offer URL or issuance initiation URL +const credentialOffer = `openid-credential-offer://?credential_offer=%7B%22credential_issuer%22%3A%22https%3A%2F%2Fissuer.portal.walt.id%22%2C%22credentials%22%3A%5B%7B%22format%22%3A%22jwt_vc_json%22%2C%22types%22%3A%5B%22VerifiableCredential%22%2C%22OpenBadgeCredential%22%5D%2C%22credential_definition%22%3A%7B%22%40context%22%3A%5B%22https%3A%2F%2Fwww.w3.org%2F2018%2Fcredentials%2Fv1%22%2C%22https%3A%2F%2Fpurl.imsglobal.org%2Fspec%2Fob%2Fv3p0%2Fcontext.json%22%5D%2C%22types%22%3A%5B%22VerifiableCredential%22%2C%22OpenBadgeCredential%22%5D%7D%7D%5D%2C%22grants%22%3A%7B%22authorization_code%22%3A%7B%22issuer_state%22%3A%22b0e16785-d722-42a5-a04f-4beab28e03ea%22%7D%2C%22urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Apre-authorized_code%22%3A%7B%22pre-authorized_code%22%3A%22eyJhbGciOiJFZERTQSJ9.eyJzdWIiOiJiMGUxNjc4NS1kNzIyLTQyYTUtYTA0Zi00YmVhYjI4ZTAzZWEiLCJpc3MiOiJodHRwczovL2lzc3Vlci5wb3J0YWwud2FsdC5pZCIsImF1ZCI6IlRPS0VOIn0.ibEpHFaHFBLWyhEf4SotDQZBeh_FMrfncWapNox1Iv1kdQWQ2cLQeS1VrCyVmPsbx0tN2MAyDFG7DnAaq8MiAA%22%2C%22user_pin_required%22%3Afalse%7D%7D%7D` + +// The first step is to resolve the credential offer and +// get all metadata required for the issuance of the credentials. +const resolvedCredentialOffer = await agent.modules.openId4VcHolder.resolveCredentialOffer(credentialOffer) + +// The second step is the resolve the authorization request. +const resolvedAuthorizationRequest = await agent.modules.openId4VcHolder.resolveAuthorizationRequest(resolved, { + clientId: 'test-client', + redirectUri: 'http://blank', + scope: ['openid', 'OpenBadgeCredential'], +}) + +// The resolved authorization request contains the authorizationRequestUri, +// which can be used to obtain the actual authorization code. +// Currently, this needs to be done manually +const code = + 'eyJhbGciOiJFZERTQSJ9.eyJzdWIiOiJiMGUxNjc4NS1kNzIyLTQyYTUtYTA0Zi00YmVhYjI4ZTAzZWEiLCJpc3MiOiJodHRwczovL2lzc3Vlci5wb3J0YWwud2FsdC5pZCIsImF1ZCI6IlRPS0VOIn0.ibEpHFaHFBLWyhEf4SotDQZBeh_FMrfncWapNox1Iv1kdQWQ2cLQeS1VrCyVmPsbx0tN2MAyDFG7DnAaq8MiAA' + +// The third (optional) step is to filter out the credentials which you want to request. +const selectedCredentialsForRequest = resolvedCredentialOffer.credentialsToRequest.filter((credential) => { + return credential.format === OpenIdCredentialFormatProfile.JwtVcJson && credential.types.includes('VerifiableId') +}) + +// The fourth step is to accept the credential offer. +// If no credentialsToRequest are specified all offered credentials are requested. +const w3cCredentialRecords = await agent.modules.openId4VcHolder.acceptCredentialOfferUsingAuthorizationCode( + resolvedCredentialOffer, + resolvedAuthorizationRequest, + code, + { + allowedProofOfPossessionSignatureAlgorithms: [JwaSignatureAlgorithm.ES256], + proofOfPossessionVerificationMethodResolver: () => verificationMethod, + verifyCredentialStatus: false, + credentialsToRequest: selectedCredentialsForRequest, + } +) + +console.log(w3cCredentialRecords) +``` diff --git a/packages/sd-jwt-vc/jest.config.ts b/packages/openid4vc/jest.config.ts similarity index 99% rename from packages/sd-jwt-vc/jest.config.ts rename to packages/openid4vc/jest.config.ts index 93c0197296..8641cf4d67 100644 --- a/packages/sd-jwt-vc/jest.config.ts +++ b/packages/openid4vc/jest.config.ts @@ -6,6 +6,7 @@ import packageJson from './package.json' const config: Config.InitialOptions = { ...base, + displayName: packageJson.name, setupFilesAfterEnv: ['./tests/setup.ts'], } diff --git a/packages/openid4vc-client/package.json b/packages/openid4vc/package.json similarity index 58% rename from packages/openid4vc-client/package.json rename to packages/openid4vc/package.json index a0bcdf214f..8cd74b9926 100644 --- a/packages/openid4vc-client/package.json +++ b/packages/openid4vc/package.json @@ -1,5 +1,5 @@ { - "name": "@aries-framework/openid4vc-client", + "name": "@aries-framework/openid4vc", "main": "build/index", "types": "build/index", "version": "0.4.2", @@ -10,26 +10,31 @@ "publishConfig": { "access": "public" }, - "homepage": "https://github.com/hyperledger/aries-framework-javascript/tree/main/packages/openid4vc-client", + "homepage": "https://github.com/hyperledger/aries-framework-javascript/tree/main/packages/openid4vc", "repository": { "type": "git", "url": "https://github.com/hyperledger/aries-framework-javascript", - "directory": "packages/openid4vc-client" + "directory": "packages/openid4vc" }, "scripts": { "build": "yarn run clean && yarn run compile", "clean": "rimraf ./build", "compile": "tsc -p tsconfig.build.json", "prepublishOnly": "yarn run build", - "test": "jest" + "test": "jest --forceExit --detectOpenHandles" }, "dependencies": { "@aries-framework/core": "0.4.2", - "@sphereon/openid4vci-client": "^0.4.0", - "@stablelib/random": "^1.0.2" + "@sphereon/ssi-types": "^0.18.1", + "@sphereon/oid4vci-client": "0.8.2-next.46", + "@sphereon/oid4vci-common": "0.8.2-next.46", + "@sphereon/oid4vci-issuer": "0.8.2-next.46", + "@sphereon/did-auth-siop": "0.6.0-unstable.3" }, "devDependencies": { - "@aries-framework/node": "0.4.2", + "@aries-framework/tenants": "0.4.2", + "@types/express": "^4.17.21", + "express": "^4.18.2", "nock": "^13.3.0", "rimraf": "^4.4.0", "typescript": "~4.9.5" diff --git a/packages/openid4vc/src/index.ts b/packages/openid4vc/src/index.ts new file mode 100644 index 0000000000..222f8329c6 --- /dev/null +++ b/packages/openid4vc/src/index.ts @@ -0,0 +1,4 @@ +export * from './openid4vc-holder' +export * from './openid4vc-verifier' +export * from './openid4vc-issuer' +export * from './shared' diff --git a/packages/openid4vc/src/openid4vc-holder/OpenId4VcHolderApi.ts b/packages/openid4vc/src/openid4vc-holder/OpenId4VcHolderApi.ts new file mode 100644 index 0000000000..257fa5a60d --- /dev/null +++ b/packages/openid4vc/src/openid4vc-holder/OpenId4VcHolderApi.ts @@ -0,0 +1,127 @@ +import type { + OpenId4VciResolvedCredentialOffer, + OpenId4VciResolvedAuthorizationRequest, + OpenId4VciAuthCodeFlowOptions, + OpenId4VciAcceptCredentialOfferOptions, +} from './OpenId4VciHolderServiceOptions' +import type { OpenId4VcSiopAcceptAuthorizationRequestOptions } from './OpenId4vcSiopHolderServiceOptions' + +import { injectable, AgentContext } from '@aries-framework/core' + +import { OpenId4VciHolderService } from './OpenId4VciHolderService' +import { OpenId4VcSiopHolderService } from './OpenId4vcSiopHolderService' + +/** + * @public + */ +@injectable() +export class OpenId4VcHolderApi { + public constructor( + private agentContext: AgentContext, + private openId4VciHolderService: OpenId4VciHolderService, + private openId4VcSiopHolderService: OpenId4VcSiopHolderService + ) {} + + /** + * Resolves the authentication request given as URI or JWT to a unified format, and + * verifies the validity of the request. + * + * The resolved request can be accepted with the @see acceptSiopAuthorizationRequest. + * + * If the authorization request uses OpenID4VP and included presentation definitions, + * a `presentationExchange` property will be defined with credentials that satisfy the + * incoming request. When `presentationExchange` is present, you MUST supply `presentationExchange` + * when calling `acceptSiopAuthorizationRequest` as well. + * + * @param requestJwtOrUri JWT or an SIOPv2 request URI + * @returns the resolved and verified authentication request. + */ + public async resolveSiopAuthorizationRequest(requestJwtOrUri: string) { + return this.openId4VcSiopHolderService.resolveAuthorizationRequest(this.agentContext, requestJwtOrUri) + } + + /** + * Accepts the authentication request after it has been resolved and verified with {@link resolveSiopAuthorizationRequest}. + * + * If the resolved authorization request included a `presentationExchange` property, you MUST supply `presentationExchange` + * in the `options` parameter. + * + * If no `presentationExchange` property is present, you MUST supply `openIdTokenIssuer` in the `options` parameter. + */ + public async acceptSiopAuthorizationRequest(options: OpenId4VcSiopAcceptAuthorizationRequestOptions) { + return await this.openId4VcSiopHolderService.acceptAuthorizationRequest(this.agentContext, options) + } + + /** + * Resolves a credential offer given as credential offer URL, or issuance initiation URL, + * into a unified format with metadata. + * + * @param credentialOffer the credential offer to resolve + * @returns The uniform credential offer payload, the issuer metadata, protocol version, and the offered credentials with metadata. + */ + public async resolveCredentialOffer(credentialOffer: string) { + return await this.openId4VciHolderService.resolveCredentialOffer(credentialOffer) + } + + /** + * This function is to be used to receive an credential in OpenID4VCI using the Authorization Code Flow. + * + * Not to be confused with the {@link resolveSiopAuthorizationRequest}, which is only used for SIOP requests. + * + * It will generate the authorization request URI based on the provided options. + * The authorization request URI is used to obtain the authorization code. Currently this needs to be done manually. + * + * Authorization to request credentials can be requested via authorization_details or scopes. + * This function automatically generates the authorization_details for all offered credentials. + * If scopes are provided, the provided scopes are sent alongside the authorization_details. + * + * @param resolvedCredentialOffer Obtained through @see resolveCredentialOffer + * @param authCodeFlowOptions + * @returns The authorization request URI alongside the code verifier and original @param authCodeFlowOptions + */ + public async resolveIssuanceAuthorizationRequest( + resolvedCredentialOffer: OpenId4VciResolvedCredentialOffer, + authCodeFlowOptions: OpenId4VciAuthCodeFlowOptions + ) { + return await this.openId4VciHolderService.resolveAuthorizationRequest( + this.agentContext, + resolvedCredentialOffer, + authCodeFlowOptions + ) + } + + /** + * Accepts a credential offer using the pre-authorized code flow. + * @param resolvedCredentialOffer Obtained through @see resolveCredentialOffer + * @param acceptCredentialOfferOptions + */ + public async acceptCredentialOfferUsingPreAuthorizedCode( + resolvedCredentialOffer: OpenId4VciResolvedCredentialOffer, + acceptCredentialOfferOptions: OpenId4VciAcceptCredentialOfferOptions + ) { + return this.openId4VciHolderService.acceptCredentialOffer(this.agentContext, { + resolvedCredentialOffer, + acceptCredentialOfferOptions, + }) + } + + /** + * Accepts a credential offer using the authorization code flow. + * @param resolvedCredentialOffer Obtained through @see resolveCredentialOffer + * @param resolvedAuthorizationRequest Obtained through @see resolveIssuanceAuthorizationRequest + * @param code The authorization code obtained via the authorization request URI + * @param acceptCredentialOfferOptions + */ + public async acceptCredentialOfferUsingAuthorizationCode( + resolvedCredentialOffer: OpenId4VciResolvedCredentialOffer, + resolvedAuthorizationRequest: OpenId4VciResolvedAuthorizationRequest, + code: string, + acceptCredentialOfferOptions: OpenId4VciAcceptCredentialOfferOptions + ) { + return this.openId4VciHolderService.acceptCredentialOffer(this.agentContext, { + resolvedCredentialOffer, + resolvedAuthorizationRequestWithCode: { ...resolvedAuthorizationRequest, code }, + acceptCredentialOfferOptions, + }) + } +} diff --git a/packages/openid4vc/src/openid4vc-holder/OpenId4VcHolderModule.ts b/packages/openid4vc/src/openid4vc-holder/OpenId4VcHolderModule.ts new file mode 100644 index 0000000000..a804058def --- /dev/null +++ b/packages/openid4vc/src/openid4vc-holder/OpenId4VcHolderModule.ts @@ -0,0 +1,34 @@ +import type { DependencyManager, Module } from '@aries-framework/core' + +import { AgentConfig } from '@aries-framework/core' + +import { OpenId4VcHolderApi } from './OpenId4VcHolderApi' +import { OpenId4VciHolderService } from './OpenId4VciHolderService' +import { OpenId4VcSiopHolderService } from './OpenId4vcSiopHolderService' + +/** + * @public @module OpenId4VcHolderModule + * This module provides the functionality to assume the role of owner in relation to the OpenId4VC specification suite. + */ +export class OpenId4VcHolderModule implements Module { + public readonly api = OpenId4VcHolderApi + + /** + * Registers the dependencies of the question answer module on the dependency manager. + */ + public register(dependencyManager: DependencyManager) { + // Warn about experimental module + dependencyManager + .resolve(AgentConfig) + .logger.warn( + "The '@aries-framework/openid4vc' Holder module is experimental and could have unexpected breaking changes. When using this module, make sure to use strict versions for all @aries-framework packages." + ) + + // Api + dependencyManager.registerContextScoped(OpenId4VcHolderApi) + + // Services + dependencyManager.registerSingleton(OpenId4VciHolderService) + dependencyManager.registerSingleton(OpenId4VcSiopHolderService) + } +} diff --git a/packages/openid4vc/src/openid4vc-holder/OpenId4VciHolderService.ts b/packages/openid4vc/src/openid4vc-holder/OpenId4VciHolderService.ts new file mode 100644 index 0000000000..ff5e5b559c --- /dev/null +++ b/packages/openid4vc/src/openid4vc-holder/OpenId4VciHolderService.ts @@ -0,0 +1,719 @@ +import type { + OpenId4VciCredentialOfferPayload, + OpenId4VciCredentialSupported, + OpenId4VciCredentialSupportedWithId, + OpenId4VciIssuerMetadata, +} from '../shared' +import type { + AgentContext, + JwaSignatureAlgorithm, + W3cVerifiableCredential, + Key, + JwkJson, + SdJwtVc, +} from '@aries-framework/core' +import type { + AccessTokenResponse, + CredentialResponse, + Jwt, + OpenIDResponse, + PushedAuthorizationResponse, + AuthorizationDetails, + AuthorizationDetailsJwtVcJson, +} from '@sphereon/oid4vci-common' + +import { + SdJwtVcApi, + getJwkFromJson, + DidsApi, + AriesFrameworkError, + Hasher, + InjectionSymbols, + JsonEncoder, + JwsService, + Logger, + SignatureSuiteRegistry, + TypedArrayEncoder, + W3cCredentialService, + W3cJsonLdVerifiableCredential, + W3cJwtVerifiableCredential, + getJwkClassFromJwaSignatureAlgorithm, + getJwkFromKey, + getKeyFromVerificationMethod, + getSupportedVerificationMethodTypesFromKeyType, + inject, + injectable, + parseDid, +} from '@aries-framework/core' +import { + AccessTokenClient, + CredentialRequestClientBuilder, + ProofOfPossessionBuilder, + formPost, + OpenID4VCIClient, +} from '@sphereon/oid4vci-client' +import { CodeChallengeMethod, ResponseType, convertJsonToURI, JsonURIMode } from '@sphereon/oid4vci-common' + +import { OpenId4VciCredentialFormatProfile } from '../shared' +import { + getTypesFromCredentialSupported, + handleAuthorizationDetails, + getOfferedCredentials, +} from '../shared/issuerMetadataUtils' +import { getSupportedJwaSignatureAlgorithms } from '../shared/utils' + +import { + type OpenId4VciAuthCodeFlowOptions, + type OpenId4VciAcceptCredentialOfferOptions, + type OpenId4VciProofOfPossessionRequirements, + type OpenId4VciCredentialBindingResolver, + type OpenId4VciResolvedCredentialOffer, + type OpenId4VciResolvedAuthorizationRequest, + type OpenId4VciResolvedAuthorizationRequestWithCode, + type OpenId4VciSupportedCredentialFormats, + openId4VciSupportedCredentialFormats, +} from './OpenId4VciHolderServiceOptions' + +@injectable() +export class OpenId4VciHolderService { + private logger: Logger + private w3cCredentialService: W3cCredentialService + private jwsService: JwsService + + public constructor( + @inject(InjectionSymbols.Logger) logger: Logger, + w3cCredentialService: W3cCredentialService, + jwsService: JwsService + ) { + this.w3cCredentialService = w3cCredentialService + this.jwsService = jwsService + this.logger = logger + } + + public async resolveCredentialOffer(credentialOffer: string): Promise { + const client = await OpenID4VCIClient.fromURI({ + uri: credentialOffer, + resolveOfferUri: true, + retrieveServerMetadata: true, + }) + + if (!client.credentialOffer?.credential_offer) { + throw new AriesFrameworkError(`Could not resolve credential offer from '${credentialOffer}'`) + } + const credentialOfferPayload: OpenId4VciCredentialOfferPayload = client.credentialOffer?.credential_offer + + const metadata = await client.retrieveServerMetadata() + if (!metadata.credentialIssuerMetadata) { + throw new AriesFrameworkError(`Could not retrieve issuer metadata from '${metadata.issuer}'`) + } + const issuerMetadata = metadata.credentialIssuerMetadata as OpenId4VciIssuerMetadata + + this.logger.info('Fetched server metadata', { + issuer: metadata.issuer, + credentialEndpoint: metadata.credential_endpoint, + tokenEndpoint: metadata.token_endpoint, + }) + + this.logger.debug('Full server metadata', metadata) + + return { + metadata: { + ...metadata, + credentialIssuerMetadata: issuerMetadata, + }, + credentialOfferPayload, + offeredCredentials: getOfferedCredentials( + credentialOfferPayload.credentials, + issuerMetadata.credentials_supported + ), + version: client.version(), + } + } + + private getAuthDetailsFromOfferedCredential( + offeredCredential: OpenId4VciCredentialSupported, + authDetailsLocation: string | undefined + ): AuthorizationDetails | undefined { + const { format } = offeredCredential + const type = 'openid_credential' + + const locations = authDetailsLocation ? [authDetailsLocation] : undefined + if (format === OpenId4VciCredentialFormatProfile.JwtVcJson) { + return { type, format, types: offeredCredential.types, locations } satisfies AuthorizationDetailsJwtVcJson + } else if ( + format === OpenId4VciCredentialFormatProfile.LdpVc || + format === OpenId4VciCredentialFormatProfile.JwtVcJsonLd + ) { + const credential_definition = { + '@context': offeredCredential['@context'], + credentialSubject: offeredCredential.credentialSubject, + types: offeredCredential.types, + } + + return { type, format, locations, credential_definition } + } else if (format === OpenId4VciCredentialFormatProfile.SdJwtVc) { + return { + type, + format, + locations, + vct: offeredCredential.vct, + claims: offeredCredential.claims, + } + } else { + throw new AriesFrameworkError(`Cannot create authorization_details. Unsupported credential format '${format}'.`) + } + } + + public async resolveAuthorizationRequest( + agentContext: AgentContext, + resolvedCredentialOffer: OpenId4VciResolvedCredentialOffer, + authCodeFlowOptions: OpenId4VciAuthCodeFlowOptions + ): Promise { + const { credentialOfferPayload, metadata, offeredCredentials } = resolvedCredentialOffer + const codeVerifier = `${await agentContext.wallet.generateNonce()}${await agentContext.wallet.generateNonce()}` + const codeVerifierSha256 = Hasher.hash(codeVerifier, 'sha2-256') + const codeChallenge = TypedArrayEncoder.toBase64URL(codeVerifierSha256) + + this.logger.debug('Converted code_verifier to code_challenge', { + codeVerifier: codeVerifier, + sha256: codeVerifierSha256.toString(), + base64Url: codeChallenge, + }) + + const authDetailsLocation = metadata.credentialIssuerMetadata.authorization_server + ? metadata.credentialIssuerMetadata.authorization_server + : undefined + const authDetails = offeredCredentials + .map((credential) => this.getAuthDetailsFromOfferedCredential(credential, authDetailsLocation)) + .filter((authDetail): authDetail is AuthorizationDetails => authDetail !== undefined) + + const { clientId, redirectUri, scope } = authCodeFlowOptions + const authorizationRequestUri = await createAuthorizationRequestUri({ + clientId, + codeChallenge, + redirectUri, + credentialOffer: credentialOfferPayload, + codeChallengeMethod: CodeChallengeMethod.SHA256, + // TODO: Read HAIP SdJwtVc's should always be requested via scopes + // TODO: should we now always use scopes instead of authDetails? or both???? + scope: scope ?? [], + authDetails, + metadata, + }) + + return { + ...authCodeFlowOptions, + codeVerifier, + authorizationRequestUri, + } + } + + public async acceptCredentialOffer( + agentContext: AgentContext, + options: { + resolvedCredentialOffer: OpenId4VciResolvedCredentialOffer + acceptCredentialOfferOptions: OpenId4VciAcceptCredentialOfferOptions + resolvedAuthorizationRequestWithCode?: OpenId4VciResolvedAuthorizationRequestWithCode + } + ) { + const { resolvedCredentialOffer, acceptCredentialOfferOptions, resolvedAuthorizationRequestWithCode } = options + const { credentialOfferPayload, metadata, version, offeredCredentials } = resolvedCredentialOffer + + const { credentialsToRequest, userPin, credentialBindingResolver, verifyCredentialStatus } = + acceptCredentialOfferOptions + + if (credentialsToRequest?.length === 0) { + this.logger.warn(`Accepting 0 credential offers. Returning`) + return [] + } + + this.logger.info(`Accepting the following credential offers '${credentialsToRequest}'`) + + const supportedJwaSignatureAlgorithms = getSupportedJwaSignatureAlgorithms(agentContext) + + const allowedProofOfPossessionSigAlgs = acceptCredentialOfferOptions.allowedProofOfPossessionSignatureAlgorithms + const possibleProofOfPossessionSigAlgs = allowedProofOfPossessionSigAlgs + ? allowedProofOfPossessionSigAlgs.filter((algorithm) => supportedJwaSignatureAlgorithms.includes(algorithm)) + : supportedJwaSignatureAlgorithms + + if (possibleProofOfPossessionSigAlgs.length === 0) { + throw new AriesFrameworkError( + [ + `No possible proof of possession signature algorithm found.`, + `Signature algorithms supported by the Agent '${supportedJwaSignatureAlgorithms.join(', ')}'`, + `Allowed Signature algorithms '${allowedProofOfPossessionSigAlgs?.join(', ')}'`, + ].join('\n') + ) + } + + // acquire the access token + let accessTokenResponse: OpenIDResponse + + const accessTokenClient = new AccessTokenClient() + if (resolvedAuthorizationRequestWithCode) { + const { code, codeVerifier, redirectUri } = resolvedAuthorizationRequestWithCode + accessTokenResponse = await accessTokenClient.acquireAccessToken({ + metadata: metadata, + credentialOffer: { credential_offer: credentialOfferPayload }, + pin: userPin, + code, + codeVerifier, + redirectUri, + }) + } else { + accessTokenResponse = await accessTokenClient.acquireAccessToken({ + metadata: metadata, + credentialOffer: { credential_offer: credentialOfferPayload }, + pin: userPin, + }) + } + + if (!accessTokenResponse.successBody) { + throw new AriesFrameworkError( + `could not acquire access token from '${metadata.issuer}'. ${accessTokenResponse.errorBody?.error}: ${accessTokenResponse.errorBody?.error_description}` + ) + } + + this.logger.debug('Requested OpenId4VCI Access Token.') + + const accessToken = accessTokenResponse.successBody + const receivedCredentials: Array = [] + let newCNonce: string | undefined + + const credentialsSupportedToRequest = + credentialsToRequest + ?.map((id) => offeredCredentials.find((credential) => credential.id === id)) + .filter((c, i): c is OpenId4VciCredentialSupportedWithId => { + if (!c) { + const offeredCredentialIds = offeredCredentials.map((c) => c.id).join(', ') + throw new AriesFrameworkError( + `Credential to request '${credentialsToRequest[i]}' is not present in offered credentials. Offered credentials are ${offeredCredentialIds}` + ) + } + + return true + }) ?? offeredCredentials + + for (const offeredCredential of credentialsSupportedToRequest) { + // Get all options for the credential request (such as which kid to use, the signature algorithm, etc) + const { credentialBinding, signatureAlgorithm } = await this.getCredentialRequestOptions(agentContext, { + possibleProofOfPossessionSignatureAlgorithms: possibleProofOfPossessionSigAlgs, + offeredCredential, + credentialBindingResolver, + }) + + // Create the proof of possession + const proofOfPossessionBuilder = ProofOfPossessionBuilder.fromAccessTokenResponse({ + accessTokenResponse: accessToken, + callbacks: { signCallback: this.proofOfPossessionSignCallback(agentContext) }, + version, + }) + .withEndpointMetadata(metadata) + .withAlg(signatureAlgorithm) + + if (credentialBinding.method === 'did') { + proofOfPossessionBuilder.withClientId(parseDid(credentialBinding.didUrl).did).withKid(credentialBinding.didUrl) + } else if (credentialBinding.method === 'jwk') { + proofOfPossessionBuilder.withJWK(credentialBinding.jwk.toJson()) + } + + if (newCNonce) proofOfPossessionBuilder.withAccessTokenNonce(newCNonce) + + const proofOfPossession = await proofOfPossessionBuilder.build() + this.logger.debug('Generated JWS', proofOfPossession) + + // Acquire the credential + const credentialRequestBuilder = new CredentialRequestClientBuilder() + credentialRequestBuilder + .withVersion(version) + .withCredentialEndpoint(metadata.credential_endpoint) + .withTokenFromResponse(accessToken) + + const credentialRequestClient = credentialRequestBuilder.build() + const credentialResponse = await credentialRequestClient.acquireCredentialsUsingProof({ + proofInput: proofOfPossession, + credentialTypes: getTypesFromCredentialSupported(offeredCredential), + format: offeredCredential.format, + }) + + newCNonce = credentialResponse.successBody?.c_nonce + + // Create credential, but we don't store it yet (only after the user has accepted the credential) + const credential = await this.handleCredentialResponse(agentContext, credentialResponse, { + verifyCredentialStatus: verifyCredentialStatus ?? false, + }) + + this.logger.debug('Full credential', credential) + receivedCredentials.push(credential) + } + + return receivedCredentials + } + + /** + * Get the options for the credential request. Internally this will resolve the proof of possession + * requirements, and based on that it will call the proofOfPossessionVerificationMethodResolver to + * allow the caller to select the correct verification method based on the requirements for the proof + * of possession. + */ + private async getCredentialRequestOptions( + agentContext: AgentContext, + options: { + credentialBindingResolver: OpenId4VciCredentialBindingResolver + possibleProofOfPossessionSignatureAlgorithms: JwaSignatureAlgorithm[] + offeredCredential: OpenId4VciCredentialSupportedWithId + } + ) { + const { signatureAlgorithm, supportedDidMethods, supportsAllDidMethods, supportsJwk } = + this.getProofOfPossessionRequirements(agentContext, { + credentialToRequest: options.offeredCredential, + possibleProofOfPossessionSignatureAlgorithms: options.possibleProofOfPossessionSignatureAlgorithms, + }) + + const JwkClass = getJwkClassFromJwaSignatureAlgorithm(signatureAlgorithm) + if (!JwkClass) { + throw new AriesFrameworkError( + `Could not determine JWK key type of the JWA signature algorithm '${signatureAlgorithm}'` + ) + } + + const supportedVerificationMethods = getSupportedVerificationMethodTypesFromKeyType(JwkClass.keyType) + + const format = options.offeredCredential.format as OpenId4VciSupportedCredentialFormats + + // Now we need to determine how the credential will be bound to us + const credentialBinding = await options.credentialBindingResolver({ + credentialFormat: format, + signatureAlgorithm, + supportedVerificationMethods, + keyType: JwkClass.keyType, + supportedCredentialId: options.offeredCredential.id, + supportsAllDidMethods, + supportedDidMethods, + supportsJwk, + }) + + // Make sure the issuer of proof of possession is valid according to openid issuer metadata + if ( + credentialBinding.method === 'did' && + !supportsAllDidMethods && + // If supportedDidMethods is undefined, it means the issuer didn't include the binding methods in the metadata + // The user can still select a verification method, but we can't validate it + supportedDidMethods !== undefined && + !supportedDidMethods.find((supportedDidMethod) => credentialBinding.didUrl.startsWith(supportedDidMethod)) + ) { + const { method } = parseDid(credentialBinding.didUrl) + const supportedDidMethodsString = supportedDidMethods.join(', ') + throw new AriesFrameworkError( + `Resolved credential binding for proof of possession uses did method '${method}', but issuer only supports '${supportedDidMethodsString}'` + ) + } else if (credentialBinding.method === 'jwk' && !supportsJwk) { + throw new AriesFrameworkError( + `Resolved credential binding for proof of possession uses jwk, but openid issuer does not support 'jwk' cryptographic binding method` + ) + } + + // FIXME: we don't have the verification method here + // Make sure the verification method uses a supported verification method type + // if (!supportedVerificationMethods.includes(verificationMethod.type)) { + // const supportedVerificationMethodsString = supportedVerificationMethods.join(', ') + // throw new AriesFrameworkError( + // `Verification method uses verification method type '${verificationMethod.type}', but only '${supportedVerificationMethodsString}' verification methods are supported for key type '${JwkClass.keyType}'` + // ) + // } + + return { credentialBinding, signatureAlgorithm } + } + + /** + * Get the requirements for creating the proof of possession. Based on the allowed + * credential formats, the allowed proof of possession signature algorithms, and the + * credential type, this method will select the best credential format and signature + * algorithm to use, based on the order of preference. + */ + private getProofOfPossessionRequirements( + agentContext: AgentContext, + options: { + credentialToRequest: OpenId4VciCredentialSupportedWithId + possibleProofOfPossessionSignatureAlgorithms: JwaSignatureAlgorithm[] + } + ): OpenId4VciProofOfPossessionRequirements { + const { credentialToRequest } = options + + if ( + !openId4VciSupportedCredentialFormats.includes(credentialToRequest.format as OpenId4VciSupportedCredentialFormats) + ) { + throw new AriesFrameworkError( + [ + `Requested credential with format '${credentialToRequest.format}',`, + `for the credential with id '${credentialToRequest.id},`, + `but the wallet only supports the following formats '${openId4VciSupportedCredentialFormats.join(', ')}'`, + ].join('\n') + ) + } + + // For each of the supported algs, find the key types, then find the proof types + const signatureSuiteRegistry = agentContext.dependencyManager.resolve(SignatureSuiteRegistry) + + let signatureAlgorithm: JwaSignatureAlgorithm | undefined + + const issuerSupportedCryptographicSuites = credentialToRequest.cryptographic_suites_supported + const issuerSupportedBindingMethods = credentialToRequest.cryptographic_binding_methods_supported + + // If undefined, it means the issuer didn't include the cryptographic suites in the metadata + // We just guess that the first one is supported + if (issuerSupportedCryptographicSuites === undefined) { + signatureAlgorithm = options.possibleProofOfPossessionSignatureAlgorithms[0] + } else { + switch (credentialToRequest.format) { + case OpenId4VciCredentialFormatProfile.JwtVcJson: + case OpenId4VciCredentialFormatProfile.JwtVcJsonLd: + case OpenId4VciCredentialFormatProfile.SdJwtVc: + signatureAlgorithm = options.possibleProofOfPossessionSignatureAlgorithms.find((signatureAlgorithm) => + issuerSupportedCryptographicSuites.includes(signatureAlgorithm) + ) + break + case OpenId4VciCredentialFormatProfile.LdpVc: + signatureAlgorithm = options.possibleProofOfPossessionSignatureAlgorithms.find((signatureAlgorithm) => { + const JwkClass = getJwkClassFromJwaSignatureAlgorithm(signatureAlgorithm) + if (!JwkClass) return false + + const matchingSuite = signatureSuiteRegistry.getByKeyType(JwkClass.keyType) + if (matchingSuite.length === 0) return false + + return issuerSupportedCryptographicSuites.includes(matchingSuite[0].proofType) + }) + break + default: + throw new AriesFrameworkError(`Unsupported credential format.`) + } + } + + if (!signatureAlgorithm) { + throw new AriesFrameworkError( + `Could not establish signature algorithm for format ${credentialToRequest.format} and id ${credentialToRequest.id}` + ) + } + + const supportsAllDidMethods = issuerSupportedBindingMethods?.includes('did') ?? false + const supportedDidMethods = issuerSupportedBindingMethods?.filter((method) => method.startsWith('did:')) + const supportsJwk = issuerSupportedBindingMethods?.includes('jwk') ?? false + + return { + signatureAlgorithm, + supportedDidMethods, + supportsAllDidMethods, + supportsJwk, + } + } + + private async handleCredentialResponse( + agentContext: AgentContext, + credentialResponse: OpenIDResponse, + options: { verifyCredentialStatus: boolean } + ): Promise { + const { verifyCredentialStatus } = options + this.logger.debug('Credential request response', credentialResponse) + + if (!credentialResponse.successBody || !credentialResponse.successBody.credential) { + throw new AriesFrameworkError( + `Did not receive a successful credential response. ${credentialResponse.errorBody?.error}: ${credentialResponse.errorBody?.error_description}` + ) + } + + const format = credentialResponse.successBody.format + if (format === OpenId4VciCredentialFormatProfile.SdJwtVc) { + if (typeof credentialResponse.successBody.credential !== 'string') + throw new AriesFrameworkError( + `Received a credential of format ${ + OpenId4VciCredentialFormatProfile.SdJwtVc + }, but the credential is not a string. ${JSON.stringify(credentialResponse.successBody.credential)}` + ) + + const sdJwtVcApi = agentContext.dependencyManager.resolve(SdJwtVcApi) + const { verification, sdJwtVc } = await sdJwtVcApi.verify({ + compactSdJwtVc: credentialResponse.successBody.credential, + }) + + if (!verification.isValid) { + agentContext.config.logger.error('Failed to validate credential', { verification }) + throw new AriesFrameworkError( + `Failed to validate sd-jwt-vc credential. Results = ${JSON.stringify(verification)}` + ) + } + + return sdJwtVc + } else if ( + format === OpenId4VciCredentialFormatProfile.JwtVcJson || + format === OpenId4VciCredentialFormatProfile.JwtVcJsonLd + ) { + const credential = W3cJwtVerifiableCredential.fromSerializedJwt( + credentialResponse.successBody.credential as string + ) + const result = await this.w3cCredentialService.verifyCredential(agentContext, { + credential, + verifyCredentialStatus, + }) + if (!result.isValid) { + agentContext.config.logger.error('Failed to validate credential', { result }) + throw new AriesFrameworkError(`Failed to validate credential, error = ${result.error?.message ?? 'Unknown'}`) + } + + return credential + } else if (format === OpenId4VciCredentialFormatProfile.LdpVc) { + const credential = W3cJsonLdVerifiableCredential.fromJson( + credentialResponse.successBody.credential as Record + ) + const result = await this.w3cCredentialService.verifyCredential(agentContext, { + credential, + verifyCredentialStatus, + }) + if (!result.isValid) { + agentContext.config.logger.error('Failed to validate credential', { result }) + throw new AriesFrameworkError(`Failed to validate credential, error = ${result.error?.message ?? 'Unknown'}`) + } + + return credential + } + + throw new AriesFrameworkError(`Unsupported credential format ${credentialResponse.successBody.format}`) + } + + private proofOfPossessionSignCallback(agentContext: AgentContext) { + return async (jwt: Jwt, kid?: string) => { + if (!jwt.header) throw new AriesFrameworkError('No header present on JWT') + if (!jwt.payload) throw new AriesFrameworkError('No payload present on JWT') + if (kid && jwt.header.jwk) { + throw new AriesFrameworkError('Both KID and JWK are present in the callback. Only one can be present') + } + + let key: Key + + if (kid) { + if (!kid.startsWith('did:')) { + throw new AriesFrameworkError(`kid '${kid}' is not a DID. Only dids are supported for kid`) + } else if (!kid.includes('#')) { + throw new AriesFrameworkError( + `kid '${kid}' does not contain a fragment. kid MUST point to a specific key in the did document.` + ) + } + + const didsApi = agentContext.dependencyManager.resolve(DidsApi) + const didDocument = await didsApi.resolveDidDocument(kid) + const verificationMethod = didDocument.dereferenceKey(kid, ['authentication']) + + key = getKeyFromVerificationMethod(verificationMethod) + } else if (jwt.header.jwk) { + key = getJwkFromJson(jwt.header.jwk as JwkJson).key + } else { + throw new AriesFrameworkError('No KID or JWK is present in the callback') + } + + const jwk = getJwkFromKey(key) + if (!jwk.supportsSignatureAlgorithm(jwt.header.alg)) { + throw new AriesFrameworkError( + `key type '${jwk.keyType}', does not support the JWS signature alg '${jwt.header.alg}'` + ) + } + + // We don't support these properties, remove them, so we can pass all other header properties to the JWS service + if (jwt.header.x5c) throw new AriesFrameworkError('x5c is not supported') + + // eslint-disable-next-line @typescript-eslint/no-unused-vars + const { x5c: _x5c, ...supportedHeaderOptions } = jwt.header + + const jws = await this.jwsService.createJwsCompact(agentContext, { + key, + payload: JsonEncoder.toBuffer(jwt.payload), + protectedHeaderOptions: { + ...supportedHeaderOptions, + // only pass jwk if it was present in the header + jwk: jwt.header.jwk ? jwk : undefined, + }, + }) + + return jws + } + } +} + +// NOTE: this is also defined in the sphereon lib, but we use +// this custom method to get PAR working and because we don't +// use the oid4vci client in sphereon's lib +// Once PAR is supported in the sphereon lib, we should to try remove this +// and use the one from the sphereon lib +async function createAuthorizationRequestUri(options: { + credentialOffer: OpenId4VciCredentialOfferPayload + metadata: OpenId4VciResolvedCredentialOffer['metadata'] + clientId: string + codeChallenge: string + codeChallengeMethod: CodeChallengeMethod + authDetails?: AuthorizationDetails | AuthorizationDetails[] + redirectUri: string + scope?: string[] +}) { + const { scope, authDetails, metadata, clientId, codeChallenge, codeChallengeMethod, redirectUri } = options + let nonEmptyScope = !scope || scope.length === 0 ? undefined : scope + const nonEmptyAuthDetails = !authDetails || authDetails.length === 0 ? undefined : authDetails + + // Scope and authorization_details can be used in the same authorization request + // https://datatracker.ietf.org/doc/html/draft-ietf-oauth-rar-23#name-relationship-to-scope-param + if (!nonEmptyScope && !nonEmptyAuthDetails) { + throw new AriesFrameworkError(`Please provide a 'scope' or 'authDetails' via the options.`) + } + + // Authorization servers supporting PAR SHOULD include the URL of their pushed authorization request endpoint in their authorization server metadata document + // Note that the presence of pushed_authorization_request_endpoint is sufficient for a client to determine that it may use the PAR flow. + const parEndpoint = metadata.credentialIssuerMetadata.pushed_authorization_request_endpoint + + const authorizationEndpoint = metadata.credentialIssuerMetadata?.authorization_endpoint + + if (!authorizationEndpoint && !parEndpoint) { + throw new AriesFrameworkError( + "Server metadata does not contain an 'authorization_endpoint' which is required for the 'Authorization Code Flow'" + ) + } + + // add 'openid' scope if not present + if (nonEmptyScope && !nonEmptyScope?.includes('openid')) { + nonEmptyScope = ['openid', ...nonEmptyScope] + } + + const queryObj: Record = { + client_id: clientId, + response_type: ResponseType.AUTH_CODE, + code_challenge_method: codeChallengeMethod, + code_challenge: codeChallenge, + redirect_uri: redirectUri, + } + + if (nonEmptyScope) queryObj['scope'] = nonEmptyScope.join(' ') + + if (nonEmptyAuthDetails) + queryObj['authorization_details'] = JSON.stringify(handleAuthorizationDetails(nonEmptyAuthDetails, metadata)) + + const issuerState = options.credentialOffer.grants?.authorization_code?.issuer_state + if (issuerState) queryObj['issuer_state'] = issuerState + + if (parEndpoint) { + const body = new URLSearchParams(queryObj) + const response = await formPost(parEndpoint, body) + if (!response.successBody) { + throw new AriesFrameworkError(`Could not acquire the authorization request uri from '${parEndpoint}'`) + } + return convertJsonToURI( + { request_uri: response.successBody.request_uri, client_id: clientId, response_type: ResponseType.AUTH_CODE }, + { + baseUrl: authorizationEndpoint, + uriTypeProperties: ['request_uri', 'client_id', 'response_type'], + mode: JsonURIMode.X_FORM_WWW_URLENCODED, + } + ) + } else { + return convertJsonToURI(queryObj, { + baseUrl: authorizationEndpoint, + uriTypeProperties: ['redirect_uri', 'scope', 'authorization_details', 'issuer_state'], + mode: JsonURIMode.X_FORM_WWW_URLENCODED, + }) + } +} diff --git a/packages/openid4vc/src/openid4vc-holder/OpenId4VciHolderServiceOptions.ts b/packages/openid4vc/src/openid4vc-holder/OpenId4VciHolderServiceOptions.ts new file mode 100644 index 0000000000..a3756ff771 --- /dev/null +++ b/packages/openid4vc/src/openid4vc-holder/OpenId4VciHolderServiceOptions.ts @@ -0,0 +1,191 @@ +import type { + OpenId4VcCredentialHolderBinding, + OpenId4VciCredentialOfferPayload, + OpenId4VciCredentialSupportedWithId, + OpenId4VciIssuerMetadata, +} from '../shared' +import type { JwaSignatureAlgorithm, KeyType } from '@aries-framework/core' +import type { AuthorizationServerMetadata, EndpointMetadataResult, OpenId4VCIVersion } from '@sphereon/oid4vci-common' + +import { OpenId4VciCredentialFormatProfile } from '../shared/models/OpenId4VciCredentialFormatProfile' + +export type OpenId4VciSupportedCredentialFormats = + | OpenId4VciCredentialFormatProfile.JwtVcJson + | OpenId4VciCredentialFormatProfile.JwtVcJsonLd + | OpenId4VciCredentialFormatProfile.SdJwtVc + | OpenId4VciCredentialFormatProfile.LdpVc + +export const openId4VciSupportedCredentialFormats: OpenId4VciSupportedCredentialFormats[] = [ + OpenId4VciCredentialFormatProfile.JwtVcJson, + OpenId4VciCredentialFormatProfile.JwtVcJsonLd, + OpenId4VciCredentialFormatProfile.SdJwtVc, + OpenId4VciCredentialFormatProfile.LdpVc, +] + +export interface OpenId4VciResolvedCredentialOffer { + metadata: EndpointMetadataResult & { + credentialIssuerMetadata: Partial & OpenId4VciIssuerMetadata + } + credentialOfferPayload: OpenId4VciCredentialOfferPayload + offeredCredentials: OpenId4VciCredentialSupportedWithId[] + version: OpenId4VCIVersion +} + +export interface OpenId4VciResolvedAuthorizationRequest extends OpenId4VciAuthCodeFlowOptions { + codeVerifier: string + authorizationRequestUri: string +} + +export interface OpenId4VciResolvedAuthorizationRequestWithCode extends OpenId4VciResolvedAuthorizationRequest { + code: string +} + +/** + * Options that are used to accept a credential offer for both the pre-authorized code flow and authorization code flow. + */ +export interface OpenId4VciAcceptCredentialOfferOptions { + /** + * String value containing a user PIN. This value MUST be present if user_pin_required was set to true in the Credential Offer. + * This parameter MUST only be used, if the grant_type is urn:ietf:params:oauth:grant-type:pre-authorized_code. + */ + userPin?: string + + /** + * This is the list of credentials that will be requested from the issuer. + * Should be a list of ids of the credentials that are included in the credential offer. + * If not provided all offered credentials will be requested. + */ + credentialsToRequest?: string[] + + verifyCredentialStatus?: boolean + + /** + * A list of allowed proof of possession signature algorithms in order of preference. + * + * Note that the signature algorithms must be supported by the wallet implementation. + * Signature algorithms that are not supported by the wallet will be ignored. + * + * The proof of possession (pop) signature algorithm is used in the credential request + * to bind the credential to a did. In most cases the JWA signature algorithm + * that is used in the pop will determine the cryptographic suite that is used + * for signing the credential, but this not a requirement for the spec. E.g. if the + * pop uses EdDsa, the credential will most commonly also use EdDsa, or Ed25519Signature2018/2020. + */ + allowedProofOfPossessionSignatureAlgorithms?: JwaSignatureAlgorithm[] + + /** + * A function that should resolve key material for binding the to-be-issued credential + * to the holder based on the options passed. This key material will be used for signing + * the proof of possession included in the credential request. + * + * This method will be called once for each of the credentials that are included + * in the credential offer. + * + * Based on the credential format, JWA signature algorithm, verification method types + * and binding methods (did methods, jwk), the resolver must return an object + * conformant to the `CredentialHolderBinding` interface, which will be used + * for the proof of possession signature. + */ + credentialBindingResolver: OpenId4VciCredentialBindingResolver +} + +/** + * Options that are used for the authorization code flow. + * Extends the pre-authorized code flow options. + */ +export interface OpenId4VciAuthCodeFlowOptions { + clientId: string + redirectUri: string + scope?: string[] +} + +export interface OpenId4VciCredentialBindingOptions { + /** + * The credential format that will be requested from the issuer. + * E.g. `jwt_vc` or `ldp_vc`. + */ + credentialFormat: OpenId4VciSupportedCredentialFormats + + /** + * The JWA Signature Algorithm that will be used in the proof of possession. + * This is based on the `allowedProofOfPossessionSignatureAlgorithms` passed + * to the request credential method, and the supported signature algorithms. + */ + signatureAlgorithm: JwaSignatureAlgorithm + + /** + * This is a list of verification methods types that are supported + * for creating the proof of possession signature. The returned + * verification method type must be of one of these types. + */ + supportedVerificationMethods: string[] + + /** + * The key type that will be used to create the proof of possession signature. + * This is related to the verification method and the signature algorithm, and + * is added for convenience. + */ + keyType: KeyType + + /** + * The credential type that will be requested from the issuer. This is + * based on the credential types that are included the credential offer. + * + * If the offered credential is an inline credential offer, the value + * will be `undefined`. + */ + supportedCredentialId?: string + + /** + * Whether the issuer supports the `did` cryptographic binding method, + * indicating they support all did methods. In most cases, they do not + * support all did methods, and it means we have to make an assumption + * about the did methods they support. + * + * If this value is `false`, the `supportedDidMethods` property will + * contain a list of supported did methods. + */ + supportsAllDidMethods: boolean + + /** + * A list of supported did methods. This is only used if the `supportsAllDidMethods` + * property is `false`. When this array is populated, the returned verification method + * MUST be based on one of these did methods. + * + * The did methods are returned in the format `did:`, e.g. `did:web`. + * + * The value is undefined in the case the supported did methods could not be extracted. + * This is the case when an inline credential was used, or when the issuer didn't include + * the supported did methods in the issuer metadata. + * + * NOTE: an empty array (no did methods supported) has a different meaning from the value + * being undefined (the supported did methods could not be extracted). If `supportsAllDidMethods` + * is true, the value of this property MUST be ignored. + */ + supportedDidMethods?: string[] + + /** + * Whether the issuer supports the `jwk` cryptographic binding method, + * indicating they support proof of possession signatures bound to a jwk. + */ + supportsJwk: boolean +} + +/** + * The proof of possession verification method resolver is a function that can be passed by the + * user of the framework and allows them to determine which verification method should be used + * for the proof of possession signature. + */ +export type OpenId4VciCredentialBindingResolver = ( + options: OpenId4VciCredentialBindingOptions +) => Promise | OpenId4VcCredentialHolderBinding + +/** + * @internal + */ +export interface OpenId4VciProofOfPossessionRequirements { + signatureAlgorithm: JwaSignatureAlgorithm + supportedDidMethods?: string[] + supportsAllDidMethods: boolean + supportsJwk: boolean +} diff --git a/packages/openid4vc/src/openid4vc-holder/OpenId4vcSiopHolderService.ts b/packages/openid4vc/src/openid4vc-holder/OpenId4vcSiopHolderService.ts new file mode 100644 index 0000000000..fb8ebd25b1 --- /dev/null +++ b/packages/openid4vc/src/openid4vc-holder/OpenId4vcSiopHolderService.ts @@ -0,0 +1,309 @@ +import type { + OpenId4VcSiopAcceptAuthorizationRequestOptions, + OpenId4VcSiopResolvedAuthorizationRequest, +} from './OpenId4vcSiopHolderServiceOptions' +import type { OpenId4VcJwtIssuer } from '../shared' +import type { AgentContext, SdJwtVc, W3cVerifiablePresentation } from '@aries-framework/core' +import type { VerifiedAuthorizationRequest, PresentationExchangeResponseOpts } from '@sphereon/did-auth-siop' + +import { + Hasher, + W3cJwtVerifiablePresentation, + parseDid, + AriesFrameworkError, + DidsApi, + injectable, + W3cJsonLdVerifiablePresentation, + asArray, + DifPresentationExchangeService, + DifPresentationExchangeSubmissionLocation, +} from '@aries-framework/core' +import { + CheckLinkedDomain, + OP, + ResponseIss, + ResponseMode, + SupportedVersion, + VPTokenLocation, + VerificationMode, +} from '@sphereon/did-auth-siop' + +import { getSphereonVerifiablePresentation } from '../shared/transform' +import { getSphereonDidResolver, getSphereonSuppliedSignatureFromJwtIssuer } from '../shared/utils' + +@injectable() +export class OpenId4VcSiopHolderService { + public constructor(private presentationExchangeService: DifPresentationExchangeService) {} + + public async resolveAuthorizationRequest( + agentContext: AgentContext, + requestJwtOrUri: string + ): Promise { + const openidProvider = await this.getOpenIdProvider(agentContext, {}) + + // parsing happens automatically in verifyAuthorizationRequest + const verifiedAuthorizationRequest = await openidProvider.verifyAuthorizationRequest(requestJwtOrUri, { + verification: { + // FIXME: we want custom verification, but not supported currently + // https://github.com/Sphereon-Opensource/SIOP-OID4VP/issues/55 + mode: VerificationMode.INTERNAL, + resolveOpts: { resolver: getSphereonDidResolver(agentContext), noUniversalResolverFallback: true }, + }, + }) + + agentContext.config.logger.debug( + `verified SIOP Authorization Request for issuer '${verifiedAuthorizationRequest.issuer}'` + ) + agentContext.config.logger.debug(`requestJwtOrUri '${requestJwtOrUri}'`) + + if ( + verifiedAuthorizationRequest.presentationDefinitions && + verifiedAuthorizationRequest.presentationDefinitions.length > 1 + ) { + throw new AriesFrameworkError('Only a single presentation definition is supported.') + } + + const presentationDefinition = verifiedAuthorizationRequest.presentationDefinitions?.[0]?.definition + + return { + authorizationRequest: verifiedAuthorizationRequest, + + // Parameters related to DIF Presentation Exchange + presentationExchange: presentationDefinition + ? { + definition: presentationDefinition, + credentialsForRequest: await this.presentationExchangeService.getCredentialsForRequest( + agentContext, + presentationDefinition + ), + } + : undefined, + } + } + + public async acceptAuthorizationRequest( + agentContext: AgentContext, + options: OpenId4VcSiopAcceptAuthorizationRequestOptions + ) { + const { authorizationRequest, presentationExchange } = options + let openIdTokenIssuer = options.openIdTokenIssuer + let presentationExchangeOptions: PresentationExchangeResponseOpts | undefined = undefined + + // Handle presentation exchange part + if (authorizationRequest.presentationDefinitions && authorizationRequest.presentationDefinitions.length > 0) { + if (!presentationExchange) { + throw new AriesFrameworkError( + 'Authorization request included presentation definition. `presentationExchange` MUST be supplied to accept authorization requests.' + ) + } + + const nonce = await authorizationRequest.authorizationRequest.getMergedProperty('nonce') + if (!nonce) { + throw new AriesFrameworkError("Unable to extract 'nonce' from authorization request") + } + + const clientId = await authorizationRequest.authorizationRequest.getMergedProperty('client_id') + if (!clientId) { + throw new AriesFrameworkError("Unable to extract 'client_id' from authorization request") + } + + const { verifiablePresentations, presentationSubmission } = + await this.presentationExchangeService.createPresentation(agentContext, { + credentialsForInputDescriptor: presentationExchange.credentials, + presentationDefinition: authorizationRequest.presentationDefinitions[0].definition, + challenge: nonce, + domain: clientId, + presentationSubmissionLocation: DifPresentationExchangeSubmissionLocation.EXTERNAL, + }) + + presentationExchangeOptions = { + verifiablePresentations: verifiablePresentations.map((vp) => getSphereonVerifiablePresentation(vp)), + presentationSubmission, + vpTokenLocation: VPTokenLocation.AUTHORIZATION_RESPONSE, + } + + if (!openIdTokenIssuer) { + openIdTokenIssuer = this.getOpenIdTokenIssuerFromVerifiablePresentation(verifiablePresentations[0]) + } + } else if (options.presentationExchange) { + throw new AriesFrameworkError( + '`presentationExchange` was supplied, but no presentation definition was found in the presentation request.' + ) + } + + if (!openIdTokenIssuer) { + throw new AriesFrameworkError( + 'Unable to create authorization response. openIdTokenIssuer MUST be supplied when no presentation is active.' + ) + } + + this.assertValidTokenIssuer(authorizationRequest, openIdTokenIssuer) + const openidProvider = await this.getOpenIdProvider(agentContext, { + openIdTokenIssuer, + }) + + const suppliedSignature = await getSphereonSuppliedSignatureFromJwtIssuer(agentContext, openIdTokenIssuer) + const authorizationResponseWithCorrelationId = await openidProvider.createAuthorizationResponse( + authorizationRequest, + { + signature: suppliedSignature, + issuer: suppliedSignature.did, + verification: { + resolveOpts: { resolver: getSphereonDidResolver(agentContext), noUniversalResolverFallback: true }, + mode: VerificationMode.INTERNAL, + }, + presentationExchange: presentationExchangeOptions, + // https://openid.net/specs/openid-connect-self-issued-v2-1_0.html#name-aud-of-a-request-object + audience: authorizationRequest.authorizationRequestPayload.client_id, + } + ) + + const response = await openidProvider.submitAuthorizationResponse(authorizationResponseWithCorrelationId) + let responseDetails: string | Record | undefined = undefined + try { + responseDetails = await response.text() + if (responseDetails.includes('{')) { + responseDetails = JSON.parse(responseDetails) + } + } catch (error) { + // no-op + } + + return { + serverResponse: { + status: response.status, + body: responseDetails, + }, + submittedResponse: authorizationResponseWithCorrelationId.response.payload, + } + } + + private async getOpenIdProvider( + agentContext: AgentContext, + options: { + openIdTokenIssuer?: OpenId4VcJwtIssuer + } = {} + ) { + const { openIdTokenIssuer } = options + + const builder = OP.builder() + .withExpiresIn(6000) + .withIssuer(ResponseIss.SELF_ISSUED_V2) + .withResponseMode(ResponseMode.POST) + .withSupportedVersions([SupportedVersion.SIOPv2_D11, SupportedVersion.SIOPv2_D12_OID4VP_D18]) + .withCustomResolver(getSphereonDidResolver(agentContext)) + .withCheckLinkedDomain(CheckLinkedDomain.NEVER) + .withHasher(Hasher.hash) + + if (openIdTokenIssuer) { + const suppliedSignature = await getSphereonSuppliedSignatureFromJwtIssuer(agentContext, openIdTokenIssuer) + builder.withSignature(suppliedSignature) + } + + // Add did methods + const supportedDidMethods = agentContext.dependencyManager.resolve(DidsApi).supportedResolverMethods + for (const supportedDidMethod of supportedDidMethods) { + builder.addDidMethod(supportedDidMethod) + } + + const openidProvider = builder.build() + + return openidProvider + } + + private getOpenIdTokenIssuerFromVerifiablePresentation( + verifiablePresentation: W3cVerifiablePresentation | SdJwtVc + ): OpenId4VcJwtIssuer { + let openIdTokenIssuer: OpenId4VcJwtIssuer + + if (verifiablePresentation instanceof W3cJsonLdVerifiablePresentation) { + const [firstProof] = asArray(verifiablePresentation.proof) + if (!firstProof) throw new AriesFrameworkError('Verifiable presentation does not contain a proof') + + if (!firstProof.verificationMethod.startsWith('did:')) { + throw new AriesFrameworkError( + 'Verifiable presentation proof verificationMethod is not a did. Unable to extract openIdTokenIssuer from verifiable presentation' + ) + } + + openIdTokenIssuer = { + method: 'did', + didUrl: firstProof.verificationMethod, + } + } else if (verifiablePresentation instanceof W3cJwtVerifiablePresentation) { + const kid = verifiablePresentation.jwt.header.kid + + if (!kid) throw new AriesFrameworkError('Verifiable Presentation does not contain a kid in the jwt header') + if (kid.startsWith('#') && verifiablePresentation.presentation.holderId) { + openIdTokenIssuer = { + didUrl: `${verifiablePresentation.presentation.holderId}${kid}`, + method: 'did', + } + } else if (kid.startsWith('did:')) { + openIdTokenIssuer = { + didUrl: kid, + method: 'did', + } + } else { + throw new AriesFrameworkError( + "JWT W3C Verifiable presentation does not include did in JWT header 'kid'. Unable to extract openIdTokenIssuer from verifiable presentation" + ) + } + } else { + const cnf = verifiablePresentation.payload.cnf + // FIXME: SD-JWT VC should have better payload typing, so this doesn't become so ugly + if ( + !cnf || + typeof cnf !== 'object' || + !('kid' in cnf) || + typeof cnf.kid !== 'string' || + !cnf.kid.startsWith('did:') || + !cnf.kid.includes('#') + ) { + throw new AriesFrameworkError( + "SD-JWT Verifiable presentation has no 'cnf' claim or does not include 'cnf' claim where 'kid' is a didUrl pointing to a key. Unable to extract openIdTokenIssuer from verifiable presentation" + ) + } + + openIdTokenIssuer = { + didUrl: cnf.kid, + method: 'did', + } + } + + return openIdTokenIssuer + } + + private assertValidTokenIssuer( + authorizationRequest: VerifiedAuthorizationRequest, + openIdTokenIssuer: OpenId4VcJwtIssuer + ) { + // TODO: jwk thumbprint support + const subjectSyntaxTypesSupported = authorizationRequest.registrationMetadataPayload.subject_syntax_types_supported + if (!subjectSyntaxTypesSupported) { + throw new AriesFrameworkError( + 'subject_syntax_types_supported is not supplied in the registration metadata. subject_syntax_types is REQUIRED.' + ) + } + + let allowedSubjectSyntaxTypes: string[] = [] + if (openIdTokenIssuer.method === 'did') { + const parsedDid = parseDid(openIdTokenIssuer.didUrl) + + // Either did: or did (for all did methods) is allowed + allowedSubjectSyntaxTypes = [`did:${parsedDid.method}`, 'did'] + } else { + throw new AriesFrameworkError("Only 'did' is supported as openIdTokenIssuer at the moment") + } + + // At least one of the allowed subject syntax types must be supported by the RP + if (!allowedSubjectSyntaxTypes.some((allowed) => subjectSyntaxTypesSupported.includes(allowed))) { + throw new AriesFrameworkError( + [ + 'The provided openIdTokenIssuer is not supported by the relying party.', + `Supported subject syntax types: '${subjectSyntaxTypesSupported.join(', ')}'`, + ].join('\n') + ) + } + } +} diff --git a/packages/openid4vc/src/openid4vc-holder/OpenId4vcSiopHolderServiceOptions.ts b/packages/openid4vc/src/openid4vc-holder/OpenId4vcSiopHolderServiceOptions.ts new file mode 100644 index 0000000000..7f901793f1 --- /dev/null +++ b/packages/openid4vc/src/openid4vc-holder/OpenId4vcSiopHolderServiceOptions.ts @@ -0,0 +1,58 @@ +import type { + OpenId4VcJwtIssuer, + OpenId4VcSiopVerifiedAuthorizationRequest, + OpenId4VcSiopAuthorizationResponsePayload, +} from '../shared' +import type { + DifPexCredentialsForRequest, + DifPexInputDescriptorToCredentials, + DifPresentationExchangeDefinition, +} from '@aries-framework/core' + +export interface OpenId4VcSiopResolvedAuthorizationRequest { + /** + * Parameters related to DIF Presentation Exchange. Only defined when + * the request included + */ + presentationExchange?: { + definition: DifPresentationExchangeDefinition + credentialsForRequest: DifPexCredentialsForRequest + } + + /** + * The verified authorization request. + */ + authorizationRequest: OpenId4VcSiopVerifiedAuthorizationRequest +} + +export interface OpenId4VcSiopAcceptAuthorizationRequestOptions { + /** + * Parameters related to DIF Presentation Exchange. MUST be present when the resolved + * authorization request included a `presentationExchange` parameter. + */ + presentationExchange?: { + credentials: DifPexInputDescriptorToCredentials + } + + /** + * The issuer of the ID Token. + * + * REQUIRED when presentation exchange is not used. + * + * In case presentation exchange is used, and `openIdTokenIssuer` is not provided, the issuer of the ID Token + * will be extracted from the signer of the first verifiable presentation. + */ + openIdTokenIssuer?: OpenId4VcJwtIssuer + + /** + * The verified authorization request. + */ + authorizationRequest: OpenId4VcSiopVerifiedAuthorizationRequest +} + +// FIXME: rethink properties +export interface OpenId4VcSiopAuthorizationResponseSubmission { + ok: boolean + status: number + submittedResponse: OpenId4VcSiopAuthorizationResponsePayload +} diff --git a/packages/openid4vc-client/src/__tests__/OpenId4VcClientModule.test.ts b/packages/openid4vc/src/openid4vc-holder/__tests__/OpenId4VcHolderModule.test.ts similarity index 56% rename from packages/openid4vc-client/src/__tests__/OpenId4VcClientModule.test.ts rename to packages/openid4vc/src/openid4vc-holder/__tests__/OpenId4VcHolderModule.test.ts index be2ad9fd39..79092044f1 100644 --- a/packages/openid4vc-client/src/__tests__/OpenId4VcClientModule.test.ts +++ b/packages/openid4vc/src/openid4vc-holder/__tests__/OpenId4VcHolderModule.test.ts @@ -1,8 +1,9 @@ import type { DependencyManager } from '@aries-framework/core' -import { OpenId4VcClientApi } from '../OpenId4VcClientApi' -import { OpenId4VcClientModule } from '../OpenId4VcClientModule' -import { OpenId4VcClientService } from '../OpenId4VcClientService' +import { OpenId4VcHolderApi } from '../OpenId4VcHolderApi' +import { OpenId4VcHolderModule } from '../OpenId4VcHolderModule' +import { OpenId4VciHolderService } from '../OpenId4VciHolderService' +import { OpenId4VcSiopHolderService } from '../OpenId4vcSiopHolderService' const dependencyManager = { registerInstance: jest.fn(), @@ -11,15 +12,16 @@ const dependencyManager = { resolve: jest.fn().mockReturnValue({ logger: { warn: jest.fn() } }), } as unknown as DependencyManager -describe('OpenId4VcClientModule', () => { +describe('OpenId4VcHolderModule', () => { test('registers dependencies on the dependency manager', () => { - const openId4VcClientModule = new OpenId4VcClientModule() + const openId4VcClientModule = new OpenId4VcHolderModule() openId4VcClientModule.register(dependencyManager) expect(dependencyManager.registerContextScoped).toHaveBeenCalledTimes(1) - expect(dependencyManager.registerContextScoped).toHaveBeenCalledWith(OpenId4VcClientApi) + expect(dependencyManager.registerContextScoped).toHaveBeenCalledWith(OpenId4VcHolderApi) - expect(dependencyManager.registerSingleton).toHaveBeenCalledTimes(1) - expect(dependencyManager.registerSingleton).toHaveBeenCalledWith(OpenId4VcClientService) + expect(dependencyManager.registerSingleton).toHaveBeenCalledTimes(2) + expect(dependencyManager.registerSingleton).toHaveBeenCalledWith(OpenId4VciHolderService) + expect(dependencyManager.registerSingleton).toHaveBeenCalledWith(OpenId4VcSiopHolderService) }) }) diff --git a/packages/openid4vc/src/openid4vc-holder/__tests__/fixtures.ts b/packages/openid4vc/src/openid4vc-holder/__tests__/fixtures.ts new file mode 100644 index 0000000000..ea84c90eb3 --- /dev/null +++ b/packages/openid4vc/src/openid4vc-holder/__tests__/fixtures.ts @@ -0,0 +1,342 @@ +export const matrrLaunchpadDraft11JwtVcJson = { + credentialOffer: + 'openid-credential-offer://?credential_offer=%7B%22credential_issuer%22%3A%22https%3A%2F%2Flaunchpad.vii.electron.mattrlabs.io%22%2C%22credentials%22%3A%5B%22613ecbbb-0a4c-4041-bb78-c64943139d5f%22%5D%2C%22grants%22%3A%7B%22urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Apre-authorized_code%22%3A%7B%22pre-authorized_code%22%3A%22Jd6TUmLJct1DNyJpKKmt0i85scznBoJrEe_y_SlMW0j%22%7D%7D%7D', + getMetadataResponse: { + issuer: 'https://launchpad.vii.electron.mattrlabs.io', + authorization_endpoint: 'https://launchpad.vii.electron.mattrlabs.io/oidc/v1/auth/authorize', + token_endpoint: 'https://launchpad.vii.electron.mattrlabs.io/oidc/v1/auth/token', + jwks_uri: 'https://launchpad.vii.electron.mattrlabs.io/oidc/v1/auth/jwks', + token_endpoint_auth_methods_supported: [ + 'none', + 'client_secret_basic', + 'client_secret_jwt', + 'client_secret_post', + 'private_key_jwt', + ], + code_challenge_methods_supported: ['S256'], + grant_types_supported: ['authorization_code', 'urn:ietf:params:oauth:grant-type:pre-authorized_code'], + response_modes_supported: ['form_post', 'fragment', 'query'], + response_types_supported: ['code id_token', 'code', 'id_token', 'none'], + scopes_supported: ['OpenBadgeCredential', 'Passport'], + token_endpoint_auth_signing_alg_values_supported: ['HS256', 'RS256', 'PS256', 'ES256', 'EdDSA'], + credential_endpoint: 'https://launchpad.vii.electron.mattrlabs.io/oidc/v1/auth/credential', + credentials_supported: [ + { + id: 'd2662472-891c-413d-b3c6-e2f0109001c5', + format: 'ldp_vc', + types: ['VerifiableCredential', 'OpenBadgeCredential'], + cryptographic_binding_methods_supported: ['did:key'], + cryptographic_suites_supported: ['Ed25519Signature2018'], + display: [ + { + name: 'Example University Degree', + description: 'JFF Plugfest 3 OpenBadge Credential', + background_color: '#464c49', + logo: {}, + }, + ], + }, + { + id: 'b4c4cdf5-ccc9-4945-8c19-9334558653b2', + format: 'ldp_vc', + types: ['VerifiableCredential', 'Passport'], + cryptographic_binding_methods_supported: ['did:key'], + cryptographic_suites_supported: ['Ed25519Signature2018'], + display: [ + { + name: 'Passport', + description: 'Passport of the Kingdom of Kākāpō', + background_color: '#171717', + logo: { url: 'https://static.mattr.global/credential-assets/government-of-kakapo/web/logo.svg' }, + }, + ], + }, + { + id: '613ecbbb-0a4c-4041-bb78-c64943139d5f', + format: 'jwt_vc_json', + types: ['VerifiableCredential', 'OpenBadgeCredential'], + cryptographic_binding_methods_supported: ['did:key'], + cryptographic_suites_supported: ['EdDSA'], + display: [ + { + name: 'Example University Degree', + description: 'JFF Plugfest 3 OpenBadge Credential', + background_color: '#464c49', + logo: {}, + }, + ], + }, + { + id: 'c3db5513-ae2b-46e9-8a0d-fbfd0ce52b6a', + format: 'jwt_vc_json', + types: ['VerifiableCredential', 'Passport'], + cryptographic_binding_methods_supported: ['did:key'], + cryptographic_suites_supported: ['EdDSA'], + display: [ + { + name: 'Passport', + description: 'Passport of the Kingdom of Kākāpō', + background_color: '#171717', + logo: { url: 'https://static.mattr.global/credential-assets/government-of-kakapo/web/logo.svg' }, + }, + ], + }, + ], + }, + + wellKnownDid: { + id: 'did:web:launchpad.vii.electron.mattrlabs.io', + '@context': 'https://w3.org/ns/did/v1', + // Uses deprecated publicKey, but the did:web resolver transforms + // it to the newer verificationMethod + publicKey: [ + { + id: 'did:web:launchpad.vii.electron.mattrlabs.io#Ck99k8Rd75', + type: 'Ed25519VerificationKey2018', + controller: 'did:web:launchpad.vii.electron.mattrlabs.io', + publicKeyBase58: 'Ck99k8Rd75V3THNexmMYYA6McqUJi9QgcPh4B1BBUTX7', + }, + ], + keyAgreement: [ + { + id: 'did:web:launchpad.vii.electron.mattrlabs.io#Dd3FUiBvRy', + type: 'X25519KeyAgreementKey2019', + controller: 'did:web:launchpad.vii.electron.mattrlabs.io', + publicKeyBase58: 'Dd3FUiBvRyBcAbcywjGy99BtPaV2DXnvjbYPCu8MYs68', + }, + ], + authentication: ['did:web:launchpad.vii.electron.mattrlabs.io#Ck99k8Rd75'], + assertionMethod: ['did:web:launchpad.vii.electron.mattrlabs.io#Ck99k8Rd75'], + capabilityDelegation: ['did:web:launchpad.vii.electron.mattrlabs.io#Ck99k8Rd75'], + capabilityInvocation: ['did:web:launchpad.vii.electron.mattrlabs.io#Ck99k8Rd75'], + }, + + acquireAccessTokenResponse: { + access_token: 'i3iOTQe5TOskOOUnkIDX29M8AuygT7Lfv3MkaHprL4p', + expires_in: 3600, + scope: 'OpenBadgeCredential', + token_type: 'Bearer', + }, + + credentialResponse: { + credential: + 'eyJhbGciOiJFZERTQSIsImtpZCI6ImRpZDp3ZWI6bGF1bmNocGFkLnZpaS5lbGVjdHJvbi5tYXR0cmxhYnMuaW8jQ2s5OWs4UmQ3NSJ9.eyJpc3MiOiJkaWQ6d2ViOmxhdW5jaHBhZC52aWkuZWxlY3Ryb24ubWF0dHJsYWJzLmlvIiwic3ViIjoiZGlkOmtleTp6Nk1rcEdSNGdzNFJjM1pwaDR2ajh3Um5qbkF4Z0FQU3hjUjhNQVZLdXRXc3BRemMiLCJuYmYiOjE3MDU4NDAzMDksImV4cCI6MTczNzQ2MjcwOSwidmMiOnsibmFtZSI6IkV4YW1wbGUgVW5pdmVyc2l0eSBEZWdyZWUiLCJkZXNjcmlwdGlvbiI6IkpGRiBQbHVnZmVzdCAzIE9wZW5CYWRnZSBDcmVkZW50aWFsIiwiY3JlZGVudGlhbEJyYW5kaW5nIjp7ImJhY2tncm91bmRDb2xvciI6IiM0NjRjNDkifSwiQGNvbnRleHQiOlsiaHR0cHM6Ly93d3cudzMub3JnLzIwMTgvY3JlZGVudGlhbHMvdjEiLCJodHRwczovL21hdHRyLmdsb2JhbC9jb250ZXh0cy92Yy1leHRlbnNpb25zL3YyIiwiaHR0cHM6Ly9wdXJsLmltc2dsb2JhbC5vcmcvc3BlYy9vYi92M3AwL2NvbnRleHQtMy4wLjIuanNvbiIsImh0dHBzOi8vcHVybC5pbXNnbG9iYWwub3JnL3NwZWMvb2IvdjNwMC9leHRlbnNpb25zLmpzb24iLCJodHRwczovL3czaWQub3JnL3ZjLXJldm9jYXRpb24tbGlzdC0yMDIwL3YxIiwiaHR0cHM6Ly93M2lkLm9yZy92Yy1yZXZvY2F0aW9uLWxpc3QtMjAyMC92MSJdLCJ0eXBlIjpbIlZlcmlmaWFibGVDcmVkZW50aWFsIiwiT3BlbkJhZGdlQ3JlZGVudGlhbCJdLCJjcmVkZW50aWFsU3ViamVjdCI6eyJpZCI6ImRpZDprZXk6ejZNa3BHUjRnczRSYzNacGg0dmo4d1Juam5BeGdBUFN4Y1I4TUFWS3V0V3NwUXpjIiwidHlwZSI6WyJBY2hpZXZlbWVudFN1YmplY3QiXSwiYWNoaWV2ZW1lbnQiOnsiaWQiOiJodHRwczovL2V4YW1wbGUuY29tL2FjaGlldmVtZW50cy8yMXN0LWNlbnR1cnktc2tpbGxzL3RlYW13b3JrIiwibmFtZSI6IlRlYW13b3JrIiwidHlwZSI6WyJBY2hpZXZlbWVudCJdLCJpbWFnZSI6eyJpZCI6Imh0dHBzOi8vdzNjLWNjZy5naXRodWIuaW8vdmMtZWQvcGx1Z2Zlc3QtMy0yMDIzL2ltYWdlcy9KRkYtVkMtRURVLVBMVUdGRVNUMy1iYWRnZS1pbWFnZS5wbmciLCJ0eXBlIjoiSW1hZ2UifSwiY3JpdGVyaWEiOnsibmFycmF0aXZlIjoiVGVhbSBtZW1iZXJzIGFyZSBub21pbmF0ZWQgZm9yIHRoaXMgYmFkZ2UgYnkgdGhlaXIgcGVlcnMgYW5kIHJlY29nbml6ZWQgdXBvbiByZXZpZXcgYnkgRXhhbXBsZSBDb3JwIG1hbmFnZW1lbnQuIn0sImRlc2NyaXB0aW9uIjoiVGhpcyBiYWRnZSByZWNvZ25pemVzIHRoZSBkZXZlbG9wbWVudCBvZiB0aGUgY2FwYWNpdHkgdG8gY29sbGFib3JhdGUgd2l0aGluIGEgZ3JvdXAgZW52aXJvbm1lbnQuIn19LCJpc3N1ZXIiOnsiaWQiOiJkaWQ6d2ViOmxhdW5jaHBhZC52aWkuZWxlY3Ryb24ubWF0dHJsYWJzLmlvIiwibmFtZSI6IkV4YW1wbGUgVW5pdmVyc2l0eSIsImljb25VcmwiOiJodHRwczovL3czYy1jY2cuZ2l0aHViLmlvL3ZjLWVkL3BsdWdmZXN0LTEtMjAyMi9pbWFnZXMvSkZGX0xvZ29Mb2NrdXAucG5nIiwiaW1hZ2UiOiJodHRwczovL3czYy1jY2cuZ2l0aHViLmlvL3ZjLWVkL3BsdWdmZXN0LTEtMjAyMi9pbWFnZXMvSkZGX0xvZ29Mb2NrdXAucG5nIn19fQ.u33C1y8qwlKQSIq5NjgjXq-fG_u5-bP87HAZPiaTtXhUzd5hxToyrEUb3GAEa4dkLY2TVQA1LtC6sNSUmGevBQ', + format: 'jwt_vc_json', + }, +} + +export const waltIdDraft11JwtVcJson = { + credentialOffer: + 'openid-credential-offer://?credential_offer=%7B%22credential_issuer%22%3A%22https%3A%2F%2Fissuer.portal.walt.id%22%2C%22credentials%22%3A%5B%22UniversityDegree%22%5D%2C%22grants%22%3A%7B%22authorization_code%22%3A%7B%22issuer_state%22%3A%22efc2f5dd-0f44-4f38-a902-3204e732c391%22%7D%2C%22urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Apre-authorized_code%22%3A%7B%22pre-authorized_code%22%3A%22eyJhbGciOiJFZERTQSJ9.eyJzdWIiOiJlZmMyZjVkZC0wZjQ0LTRmMzgtYTkwMi0zMjA0ZTczMmMzOTEiLCJpc3MiOiJodHRwczovL2lzc3Vlci5wb3J0YWwud2FsdC5pZCIsImF1ZCI6IlRPS0VOIn0.OHzYTP_u6I95hHBmjF3RchydGidq3nsT0QHdgJ1AXyR5AFkrTfJwsW4FQIdOdda93uS7FOh_vSVGY0Qngzm7Ag%22%2C%22user_pin_required%22%3Afalse%7D%7D%7D', + getMetadataResponse: { + issuer: 'https://issuer.portal.walt.id', + authorization_endpoint: 'https://issuer.portal.walt.id/authorize', + pushed_authorization_request_endpoint: 'https://issuer.portal.walt.id/par', + token_endpoint: 'https://issuer.portal.walt.id/token', + jwks_uri: 'https://issuer.portal.walt.id/jwks', + scopes_supported: ['openid'], + response_modes_supported: ['query', 'fragment'], + grant_types_supported: ['authorization_code', 'urn:ietf:params:oauth:grant-type:pre-authorized_code'], + subject_types_supported: ['public'], + credential_issuer: 'https://issuer.portal.walt.id/.well-known/openid-credential-issuer', + credential_endpoint: 'https://issuer.portal.walt.id/credential', + credentials_supported: [ + { + format: 'jwt_vc_json', + id: 'BankId', + cryptographic_binding_methods_supported: ['did'], + cryptographic_suites_supported: ['EdDSA', 'ES256', 'ES256K', 'RSA'], + types: ['VerifiableCredential', 'BankId'], + }, + { + format: 'jwt_vc_json', + id: 'KycChecksCredential', + cryptographic_binding_methods_supported: ['did'], + cryptographic_suites_supported: ['EdDSA', 'ES256', 'ES256K', 'RSA'], + types: ['VerifiableCredential', 'VerifiableAttestation', 'KycChecksCredential'], + }, + { + format: 'jwt_vc_json', + id: 'KycDataCredential', + cryptographic_binding_methods_supported: ['did'], + cryptographic_suites_supported: ['EdDSA', 'ES256', 'ES256K', 'RSA'], + types: ['VerifiableCredential', 'VerifiableAttestation', 'KycDataCredential'], + }, + { + format: 'jwt_vc_json', + id: 'PassportCh', + cryptographic_binding_methods_supported: ['did'], + cryptographic_suites_supported: ['EdDSA', 'ES256', 'ES256K', 'RSA'], + types: ['VerifiableCredential', 'VerifiableAttestation', 'VerifiableId', 'PassportCh'], + }, + { + format: 'jwt_vc_json', + id: 'PND91Credential', + cryptographic_binding_methods_supported: ['did'], + cryptographic_suites_supported: ['EdDSA', 'ES256', 'ES256K', 'RSA'], + types: ['VerifiableCredential', 'PND91Credential'], + }, + { + format: 'jwt_vc_json', + id: 'MortgageEligibility', + cryptographic_binding_methods_supported: ['did'], + cryptographic_suites_supported: ['EdDSA', 'ES256', 'ES256K', 'RSA'], + types: ['VerifiableCredential', 'VerifiableAttestation', 'VerifiableId', 'MortgageEligibility'], + }, + { + format: 'jwt_vc_json', + id: 'PortableDocumentA1', + cryptographic_binding_methods_supported: ['did'], + cryptographic_suites_supported: ['EdDSA', 'ES256', 'ES256K', 'RSA'], + types: ['VerifiableCredential', 'VerifiableAttestation', 'PortableDocumentA1'], + }, + { + format: 'jwt_vc_json', + id: 'OpenBadgeCredential', + cryptographic_binding_methods_supported: ['did'], + cryptographic_suites_supported: ['EdDSA', 'ES256', 'ES256K', 'RSA'], + types: ['VerifiableCredential', 'OpenBadgeCredential'], + }, + { + format: 'jwt_vc_json', + id: 'VaccinationCertificate', + cryptographic_binding_methods_supported: ['did'], + cryptographic_suites_supported: ['EdDSA', 'ES256', 'ES256K', 'RSA'], + types: ['VerifiableCredential', 'VerifiableAttestation', 'VaccinationCertificate'], + }, + { + format: 'jwt_vc_json', + id: 'WalletHolderCredential', + cryptographic_binding_methods_supported: ['did'], + cryptographic_suites_supported: ['EdDSA', 'ES256', 'ES256K', 'RSA'], + types: ['VerifiableCredential', 'WalletHolderCredential'], + }, + { + format: 'jwt_vc_json', + id: 'UniversityDegree', + cryptographic_binding_methods_supported: ['did'], + cryptographic_suites_supported: ['EdDSA', 'ES256', 'ES256K', 'RSA'], + types: ['VerifiableCredential', 'UniversityDegree'], + }, + { + format: 'jwt_vc_json', + id: 'VerifiableId', + cryptographic_binding_methods_supported: ['did'], + cryptographic_suites_supported: ['EdDSA', 'ES256', 'ES256K', 'RSA'], + types: ['VerifiableCredential', 'VerifiableAttestation', 'VerifiableId'], + }, + ], + batch_credential_endpoint: 'https://issuer.portal.walt.id/batch_credential', + deferred_credential_endpoint: 'https://issuer.portal.walt.id/credential_deferred', + }, + + acquireAccessTokenResponse: { + access_token: + 'eyJhbGciOiJFZERTQSJ9.eyJzdWIiOiJjMDQyMmUxMy1kNTU0LTQwMmUtOTQ0OS0yZjA0ZjAyNjMzNTMiLCJpc3MiOiJodHRwczovL2lzc3Vlci5wb3J0YWwud2FsdC5pZCIsImF1ZCI6IkFDQ0VTUyJ9.pkNF05uUy72QAoZwdf1Uz1XRc4aGs1hhnim-x1qIeMe17TMUYV2D6BOATQtDItxnnhQz2MBfqUSQKYi7CFirDA', + token_type: 'bearer', + c_nonce: 'd4364dac-f026-4380-a4c3-2bfe2d2df52a', + c_nonce_expires_in: 27, + }, + + authorizationCode: + 'eyJhbGciOiJFZERTQSJ9.eyJzdWIiOiJkZDYyOGQxYy1kYzg4LTQ2OGItYjI5Yi05ODQwMzFlNzg3OWEiLCJpc3MiOiJodHRwczovL2lzc3Vlci5wb3J0YWwud2FsdC5pZCIsImF1ZCI6IlRPS0VOIn0.86LfW1y7QwNObIhJej40E4Ea8PGjBbIeq1KBkOWOLNnOs5rRvtDkazA52npsKrBKqfoqCPmOHcVAvPZPWJhKAA', + + par: { + request_uri: 'urn:ietf:params:oauth:request_uri:738f2ac2-18ac-4162-b0a8-5e0e6ba2270b', + expires_in: 'PT3M46.132011234S', + }, + + credentialResponse: { + credential: + 'eyJhbGciOiJFZERTQSIsInR5cCI6IkpXVCIsImtpZCI6ImRpZDpqd2s6ZXlKcmRIa2lPaUpQUzFBaUxDSmpjbllpT2lKRlpESTFOVEU1SWl3aWEybGtJam9pUTBaUkxVNXlZVFY1Ym5sQ2MyWjRkM2szWVU1bU9HUjFRVVZWUTAxc1RVbHlVa2x5UkdjMlJFbDVOQ0lzSW5naU9pSm9OVzVpZHpaWU9VcHRTVEJDZG5WUk5VMHdTbGhtZWs4NGN6SmxSV0pRWkZZeU9YZHpTRlJNT1hCckluMCJ9.eyJpc3MiOiJkaWQ6andrOmV5SnJkSGtpT2lKUFMxQWlMQ0pqY25ZaU9pSkZaREkxTlRFNUlpd2lhMmxrSWpvaVEwWlJMVTV5WVRWNWJubENjMlo0ZDNrM1lVNW1PR1IxUVVWVlEwMXNUVWx5VWtseVJHYzJSRWw1TkNJc0luZ2lPaUpvTlc1aWR6WllPVXB0U1RCQ2RuVlJOVTB3U2xobWVrODRjekpsUldKUVpGWXlPWGR6U0ZSTU9YQnJJbjAiLCJzdWIiOiJkaWQ6a2V5Ono2TWtwR1I0Z3M0UmMzWnBoNHZqOHdSbmpuQXhnQVBTeGNSOE1BVkt1dFdzcFF6YyN6Nk1rcEdSNGdzNFJjM1pwaDR2ajh3Um5qbkF4Z0FQU3hjUjhNQVZLdXRXc3BRemMiLCJ2YyI6eyJAY29udGV4dCI6WyJodHRwczovL3d3dy53My5vcmcvMjAxOC9jcmVkZW50aWFscy92MSIsImh0dHBzOi8vd3d3LnczLm9yZy8yMDE4L2NyZWRlbnRpYWxzL2V4YW1wbGVzL3YxIl0sImlkIjoidXJuOnV1aWQ6NmU2ODVlOGUtNmRmNS00NzhkLTlkNWQtNDk2ZTcxMDJkYmFhIiwidHlwZSI6WyJWZXJpZmlhYmxlQ3JlZGVudGlhbCIsIlVuaXZlcnNpdHlEZWdyZWUiXSwiaXNzdWVyIjp7ImlkIjoiZGlkOmp3azpleUpyZEhraU9pSlBTMUFpTENKamNuWWlPaUpGWkRJMU5URTVJaXdpYTJsa0lqb2lRMFpSTFU1eVlUVjVibmxDYzJaNGQzazNZVTVtT0dSMVFVVlZRMDFzVFVseVVrbHlSR2MyUkVsNU5DSXNJbmdpT2lKb05XNWlkelpZT1VwdFNUQkNkblZSTlUwd1NsaG1lazg0Y3pKbFJXSlFaRll5T1hkelNGUk1PWEJySW4wIn0sImlzc3VhbmNlRGF0ZSI6IjIwMjQtMDEtMjFUMTI6NDU6NDYuOTU1MjU0MDg3WiIsImNyZWRlbnRpYWxTdWJqZWN0Ijp7ImlkIjoiZGlkOmtleTp6Nk1rcEdSNGdzNFJjM1pwaDR2ajh3Um5qbkF4Z0FQU3hjUjhNQVZLdXRXc3BRemMjejZNa3BHUjRnczRSYzNacGg0dmo4d1Juam5BeGdBUFN4Y1I4TUFWS3V0V3NwUXpjIiwiZGVncmVlIjp7InR5cGUiOiJCYWNoZWxvckRlZ3JlZSIsIm5hbWUiOiJCYWNoZWxvciBvZiBTY2llbmNlIGFuZCBBcnRzIn19fSwianRpIjoidXJuOnV1aWQ6NmU2ODVlOGUtNmRmNS00NzhkLTlkNWQtNDk2ZTcxMDJkYmFhIiwiaWF0IjoxNzA1ODQxMTQ2LCJuYmYiOjE3MDU4NDEwNTZ9.sEudi9lL4YSvMdfjRaeDoRl2_p6dpfuxw_qkPXeBx8FRIQ41t-fyH_S_CDTVYH7wwL-RDbVMK1cza2FQH65hCg', + format: 'jwt_vc_json', + }, +} + +export const animoOpenIdPlaygroundDraft11SdJwtVc = { + credentialOffer: + 'openid-credential-offer://?credential_offer=%7B%22grants%22%3A%7B%22urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Apre-authorized_code%22%3A%7B%22pre-authorized_code%22%3A%221076398228999891821960009%22%2C%22user_pin_required%22%3Afalse%7D%7D%2C%22credentials%22%3A%5B%22AnimoOpenId4VcPlaygroundSdJwtVcJwk%22%5D%2C%22credential_issuer%22%3A%22https%3A%2F%2Fopenid4vc.animo.id%2Foid4vci%2F0bbfb1c0-9f45-478c-a139-08f6ed610a37%22%7D', + getMetadataResponse: { + credential_issuer: 'https://openid4vc.animo.id/oid4vci/0bbfb1c0-9f45-478c-a139-08f6ed610a37', + token_endpoint: 'https://openid4vc.animo.id/oid4vci/0bbfb1c0-9f45-478c-a139-08f6ed610a37/token', + credential_endpoint: 'https://openid4vc.animo.id/oid4vci/0bbfb1c0-9f45-478c-a139-08f6ed610a37/credential', + credentials_supported: [ + { + id: 'AnimoOpenId4VcPlaygroundSdJwtVcDid', + format: 'vc+sd-jwt', + vct: 'AnimoOpenId4VcPlayground', + cryptographic_binding_methods_supported: ['did:key', 'did:jwk'], + cryptographic_suites_supported: ['EdDSA'], + display: [ + { + name: 'Animo OpenID4VC Playground - SD-JWT-VC (did holder binding)', + description: "Issued using Animo's OpenID4VC Playground", + background_color: '#FFFFFF', + locale: 'en', + text_color: '#E17471', + }, + ], + }, + { + id: 'AnimoOpenId4VcPlaygroundSdJwtVcJwk', + format: 'vc+sd-jwt', + vct: 'AnimoOpenId4VcPlayground', + cryptographic_binding_methods_supported: ['jwk'], + cryptographic_suites_supported: ['EdDSA'], + display: [ + { + name: 'Animo OpenID4VC Playground - SD-JWT-VC (jwk holder binding)', + description: "Issued using Animo's OpenID4VC Playground", + background_color: '#FFFFFF', + locale: 'en', + text_color: '#E17471', + }, + ], + }, + { + id: 'AnimoOpenId4VcPlaygroundJwtVc', + format: 'jwt_vc_json', + types: ['AnimoOpenId4VcPlayground'], + cryptographic_binding_methods_supported: ['did:key', 'did:jwk'], + cryptographic_suites_supported: ['EdDSA'], + display: [ + { + name: 'Animo OpenID4VC Playground - JWT VC', + description: "Issued using Animo's OpenID4VC Playground", + background_color: '#FFFFFF', + locale: 'en', + text_color: '#E17471', + }, + ], + }, + ], + display: [ + { + background_color: '#FFFFFF', + description: 'Animo OpenID4VC Playground', + name: 'Animo OpenID4VC Playground', + locale: 'en', + logo: { alt_text: 'Animo logo', url: 'https://i.imgur.com/8B37E4a.png' }, + text_color: '#E17471', + }, + ], + }, + + acquireAccessTokenResponse: { + access_token: + 'eyJ0eXAiOiJKV1QiLCJhbGciOiJFZERTQSIsImp3ayI6eyJrdHkiOiJPS1AiLCJjcnYiOiJFZDI1NTE5IiwieCI6Im5fQ05IM3c1dWpQaDNsTmVaR05Ta0hiT2pSTnNudkJpNXIzcXhINGZwd1UifX0.eyJpc3MiOiJodHRwczovL29wZW5pZDR2Yy5hbmltby5pZC9vaWQ0dmNpLzBiYmZiMWMwLTlmNDUtNDc4Yy1hMTM5LTA4ZjZlZDYxMGEzNyIsImV4cCI6MTgwMDAwLCJpYXQiOjE3MDU4NDM1NzM1ODh9.3JC_R4zXK0GLMG6MS7ClVWm9bK-9v7mA2iS_0hqYdmZRwXJI3ME6TAslPZNNdxCTp5ZYzzsFuLd2L3l7kULmBQ', + token_type: 'bearer', + expires_in: 180000, + c_nonce: '725150697872293881791236', + c_nonce_expires_in: 300000, + authorization_pending: false, + }, + + credentialResponse: { + credential: + 'eyJhbGciOiJFZERTQSIsInR5cCI6InZjK3NkLWp3dCIsImtpZCI6IiN6Nk1raDVITlBDQ0pXWm42V1JMalJQdHR5dllaQnNrWlVkU0pmVGlad2NVU2llcXgifQ.eyJ2Y3QiOiJBbmltb09wZW5JZDRWY1BsYXlncm91bmQiLCJwbGF5Z3JvdW5kIjp7ImZyYW1ld29yayI6IkFyaWVzIEZyYW1ld29yayBKYXZhU2NyaXB0IiwiY3JlYXRlZEJ5IjoiQW5pbW8gU29sdXRpb25zIiwiX3NkIjpbImZZM0ZqUHpZSEZOcHlZZnRnVl9kX25DMlRHSVh4UnZocE00VHdrMk1yMDQiLCJwTnNqdmZJeVBZOEQwTks1c1l0alR2Nkc2R0FNVDNLTjdaZDNVNDAwZ1pZIl19LCJjbmYiOnsiandrIjp7Imt0eSI6Ik9LUCIsImNydiI6IkVkMjU1MTkiLCJ4Ijoia2MydGxwaGNadzFBSUt5a3pNNnBjY2k2UXNLQW9jWXpGTC01RmUzNmg2RSJ9fSwiaXNzIjoiZGlkOmtleTp6Nk1raDVITlBDQ0pXWm42V1JMalJQdHR5dllaQnNrWlVkU0pmVGlad2NVU2llcXgiLCJpYXQiOjE3MDU4NDM1NzQsIl9zZF9hbGciOiJzaGEtMjU2In0.2iAjaCFcuiHXTfQsrxXo6BghtwzqTrfDmhmarAAJAhY8r9yKXY3d10JY1dry2KnaEYWpq2R786thjdA5BXlPAQ~WyI5MzM3MTM0NzU4NDM3MjYyODY3NTE4NzkiLCJsYW5ndWFnZSIsIlR5cGVTY3JpcHQiXQ~WyIxMTQ3MDA5ODk2Nzc2MDYzOTc1MDUwOTMxIiwidmVyc2lvbiIsIjEuMCJd~', + format: 'vc+sd-jwt', + c_nonce: '98b487cb-f6e5-4f9b-b963-ad69b8fe5e29', + c_nonce_expires_in: 300000, + }, +} diff --git a/packages/openid4vc/src/openid4vc-holder/__tests__/openid4vci-holder.e2e.test.ts b/packages/openid4vc/src/openid4vc-holder/__tests__/openid4vci-holder.e2e.test.ts new file mode 100644 index 0000000000..83c7a2b0cc --- /dev/null +++ b/packages/openid4vc/src/openid4vc-holder/__tests__/openid4vci-holder.e2e.test.ts @@ -0,0 +1,295 @@ +import type { Key, SdJwtVc } from '@aries-framework/core' + +import { + getJwkFromKey, + Agent, + DidKey, + JwaSignatureAlgorithm, + KeyType, + TypedArrayEncoder, + W3cJwtVerifiableCredential, +} from '@aries-framework/core' +import nock, { cleanAll, enableNetConnect } from 'nock' + +import { AskarModule } from '../../../../askar/src' +import { askarModuleConfig } from '../../../../askar/tests/helpers' +import { agentDependencies } from '../../../../node/src' +import { OpenId4VcHolderModule } from '../OpenId4VcHolderModule' + +import { animoOpenIdPlaygroundDraft11SdJwtVc, matrrLaunchpadDraft11JwtVcJson, waltIdDraft11JwtVcJson } from './fixtures' + +const holder = new Agent({ + config: { + label: 'OpenId4VcHolder Test28', + walletConfig: { id: 'openid4vc-holder-test27', key: 'openid4vc-holder-test27' }, + }, + dependencies: agentDependencies, + modules: { + openId4VcHolder: new OpenId4VcHolderModule(), + askar: new AskarModule(askarModuleConfig), + }, +}) + +describe('OpenId4VcHolder', () => { + let holderKey: Key + let holderDid: string + let holderVerificationMethod: string + + beforeEach(async () => { + await holder.initialize() + + holderKey = await holder.wallet.createKey({ + keyType: KeyType.Ed25519, + privateKey: TypedArrayEncoder.fromString('96213c3d7fc8d4d6754c7a0fd969598e'), + }) + const holderDidKey = new DidKey(holderKey) + holderDid = holderDidKey.did + holderVerificationMethod = `${holderDidKey.did}#${holderDidKey.key.fingerprint}` + }) + + afterEach(async () => { + await holder.shutdown() + await holder.wallet.delete() + }) + + describe('[DRAFT 11]: Pre-authorized flow', () => { + afterEach(() => { + cleanAll() + enableNetConnect() + }) + + it('Should successfully receive credential from MATTR launchpad using the pre-authorized flow using a did:key Ed25519 subject and jwt_vc_json credential', async () => { + const fixture = matrrLaunchpadDraft11JwtVcJson + + /** + * Below we're setting up some mock HTTP responses. + * These responses are based on the openid-initiate-issuance URI above + * */ + // setup temporary redirect mock + nock('https://launchpad.mattrlabs.com').get('/.well-known/openid-credential-issuer').reply(307, undefined, { + Location: 'https://launchpad.vii.electron.mattrlabs.io/.well-known/openid-credential-issuer', + }) + + // setup server metadata response + nock('https://launchpad.vii.electron.mattrlabs.io') + .get('/.well-known/did.json') + .reply(200, fixture.wellKnownDid) + + .get('/.well-known/openid-configuration') + .reply(404) + + .get('/.well-known/oauth-authorization-server') + .reply(404) + + .get('/.well-known/openid-credential-issuer') + .reply(200, fixture.getMetadataResponse) + + // setup access token response + .post('/oidc/v1/auth/token') + .reply(200, fixture.acquireAccessTokenResponse) + + // setup credential request response + .post('/oidc/v1/auth/credential') + .reply(200, fixture.credentialResponse) + + .get('/.well-known/did.json') + .reply(200, fixture.wellKnownDid) + + const resolved = await holder.modules.openId4VcHolder.resolveCredentialOffer(fixture.credentialOffer) + const credentials = await holder.modules.openId4VcHolder.acceptCredentialOfferUsingPreAuthorizedCode(resolved, { + verifyCredentialStatus: false, + // We only allow EdDSa, as we've created a did with keyType ed25519. If we create + // or determine the did dynamically we could use any signature algorithm + allowedProofOfPossessionSignatureAlgorithms: [JwaSignatureAlgorithm.EdDSA], + credentialsToRequest: resolved.offeredCredentials.filter((c) => c.format === 'jwt_vc_json').map((m) => m.id), + credentialBindingResolver: () => ({ method: 'did', didUrl: holderVerificationMethod }), + }) + + expect(credentials).toHaveLength(1) + const w3cCredential = credentials[0] as W3cJwtVerifiableCredential + expect(w3cCredential).toBeInstanceOf(W3cJwtVerifiableCredential) + + expect(w3cCredential.credential.type).toEqual(['VerifiableCredential', 'OpenBadgeCredential']) + expect(w3cCredential.credential.credentialSubjectIds[0]).toEqual(holderDid) + }) + + it('Should successfully receive credential from walt.id using the pre-authorized flow using a did:key Ed25519 subject and jwt_vc_json credential', async () => { + const fixture = waltIdDraft11JwtVcJson + + // setup server metadata response + nock('https://issuer.portal.walt.id') + // openid configuration is same as issuer metadata for walt.id + .get('/.well-known/openid-configuration') + .reply(200, fixture.getMetadataResponse) + + .get('/.well-known/oauth-authorization-server') + .reply(404) + + .get('/.well-known/openid-credential-issuer') + .reply(200, fixture.getMetadataResponse) + + // setup access token response + .post('/token') + .reply(200, fixture.acquireAccessTokenResponse) + + // setup credential request response + .post('/credential') + .reply(200, fixture.credentialResponse) + + const resolved = await holder.modules.openId4VcHolder.resolveCredentialOffer(fixture.credentialOffer) + + await expect(() => + holder.modules.openId4VcHolder.acceptCredentialOfferUsingPreAuthorizedCode(resolved, { + verifyCredentialStatus: false, + // We only allow EdDSa, as we've created a did with keyType ed25519. If we create + // or determine the did dynamically we could use any signature algorithm + allowedProofOfPossessionSignatureAlgorithms: [JwaSignatureAlgorithm.EdDSA], + credentialsToRequest: resolved.offeredCredentials.filter((c) => c.format === 'jwt_vc_json').map((m) => m.id), + credentialBindingResolver: () => ({ method: 'did', didUrl: holderVerificationMethod }), + }) + ) + // FIXME: walt.id issues jwt where nbf and issuanceDate do not match + .rejects.toThrowError('JWT nbf and vc.issuanceDate do not match') + }) + + it('Should successfully receive credential from animo openid4vc playground using the pre-authorized flow using a jwk EdDSA subject and vc+sd-jwt credential', async () => { + const fixture = animoOpenIdPlaygroundDraft11SdJwtVc + + // setup server metadata response + nock('https://openid4vc.animo.id/oid4vci/0bbfb1c0-9f45-478c-a139-08f6ed610a37') + .get('/.well-known/openid-configuration') + .reply(404) + + .get('/.well-known/oauth-authorization-server') + .reply(404) + + .get('/.well-known/openid-credential-issuer') + .reply(200, fixture.getMetadataResponse) + + // setup access token response + .post('/token') + .reply(200, fixture.acquireAccessTokenResponse) + + // setup credential request response + .post('/credential') + .reply(200, fixture.credentialResponse) + + const resolved = await holder.modules.openId4VcHolder.resolveCredentialOffer(fixture.credentialOffer) + + const credentials = await holder.modules.openId4VcHolder.acceptCredentialOfferUsingPreAuthorizedCode(resolved, { + verifyCredentialStatus: false, + // We only allow EdDSa, as we've created a did with keyType ed25519. If we create + // or determine the did dynamically we could use any signature algorithm + allowedProofOfPossessionSignatureAlgorithms: [JwaSignatureAlgorithm.EdDSA], + credentialsToRequest: resolved.offeredCredentials.filter((c) => c.format === 'vc+sd-jwt').map((m) => m.id), + credentialBindingResolver: () => ({ method: 'jwk', jwk: getJwkFromKey(holderKey) }), + }) + + expect(credentials).toHaveLength(1) + const credential = credentials[0] as SdJwtVc + expect(credential).toEqual({ + compact: + 'eyJhbGciOiJFZERTQSIsInR5cCI6InZjK3NkLWp3dCIsImtpZCI6IiN6Nk1raDVITlBDQ0pXWm42V1JMalJQdHR5dllaQnNrWlVkU0pmVGlad2NVU2llcXgifQ.eyJ2Y3QiOiJBbmltb09wZW5JZDRWY1BsYXlncm91bmQiLCJwbGF5Z3JvdW5kIjp7ImZyYW1ld29yayI6IkFyaWVzIEZyYW1ld29yayBKYXZhU2NyaXB0IiwiY3JlYXRlZEJ5IjoiQW5pbW8gU29sdXRpb25zIiwiX3NkIjpbImZZM0ZqUHpZSEZOcHlZZnRnVl9kX25DMlRHSVh4UnZocE00VHdrMk1yMDQiLCJwTnNqdmZJeVBZOEQwTks1c1l0alR2Nkc2R0FNVDNLTjdaZDNVNDAwZ1pZIl19LCJjbmYiOnsiandrIjp7Imt0eSI6Ik9LUCIsImNydiI6IkVkMjU1MTkiLCJ4Ijoia2MydGxwaGNadzFBSUt5a3pNNnBjY2k2UXNLQW9jWXpGTC01RmUzNmg2RSJ9fSwiaXNzIjoiZGlkOmtleTp6Nk1raDVITlBDQ0pXWm42V1JMalJQdHR5dllaQnNrWlVkU0pmVGlad2NVU2llcXgiLCJpYXQiOjE3MDU4NDM1NzQsIl9zZF9hbGciOiJzaGEtMjU2In0.2iAjaCFcuiHXTfQsrxXo6BghtwzqTrfDmhmarAAJAhY8r9yKXY3d10JY1dry2KnaEYWpq2R786thjdA5BXlPAQ~WyI5MzM3MTM0NzU4NDM3MjYyODY3NTE4NzkiLCJsYW5ndWFnZSIsIlR5cGVTY3JpcHQiXQ~WyIxMTQ3MDA5ODk2Nzc2MDYzOTc1MDUwOTMxIiwidmVyc2lvbiIsIjEuMCJd~', + header: { + alg: 'EdDSA', + kid: '#z6Mkh5HNPCCJWZn6WRLjRPttyvYZBskZUdSJfTiZwcUSieqx', + typ: 'vc+sd-jwt', + }, + payload: { + _sd_alg: 'sha-256', + cnf: { + jwk: { + crv: 'Ed25519', + kty: 'OKP', + x: 'kc2tlphcZw1AIKykzM6pcci6QsKAocYzFL-5Fe36h6E', + }, + }, + iat: 1705843574, + iss: 'did:key:z6Mkh5HNPCCJWZn6WRLjRPttyvYZBskZUdSJfTiZwcUSieqx', + playground: { + _sd: ['fY3FjPzYHFNpyYftgV_d_nC2TGIXxRvhpM4Twk2Mr04', 'pNsjvfIyPY8D0NK5sYtjTv6G6GAMT3KN7Zd3U400gZY'], + createdBy: 'Animo Solutions', + framework: 'Aries Framework JavaScript', + }, + vct: 'AnimoOpenId4VcPlayground', + }, + prettyClaims: { + cnf: { + jwk: { + crv: 'Ed25519', + kty: 'OKP', + x: 'kc2tlphcZw1AIKykzM6pcci6QsKAocYzFL-5Fe36h6E', + }, + }, + iat: 1705843574, + iss: 'did:key:z6Mkh5HNPCCJWZn6WRLjRPttyvYZBskZUdSJfTiZwcUSieqx', + playground: { + createdBy: 'Animo Solutions', + framework: 'Aries Framework JavaScript', + language: 'TypeScript', + version: '1.0', + }, + vct: 'AnimoOpenId4VcPlayground', + }, + }) + }) + }) + + describe('[DRAFT 11]: Authorization flow', () => { + afterAll(() => { + cleanAll() + enableNetConnect() + }) + + it('Should successfully receive credential from walt.id using the authorized flow using a did:key Ed25519 subject and jwt_vc_json credential', async () => { + const fixture = waltIdDraft11JwtVcJson + + // setup temporary redirect mock + nock('https://issuer.portal.walt.id') + .get('/.well-known/openid-credential-issuer') + .reply(200, fixture.getMetadataResponse) + .get('/.well-known/openid-configuration') + .reply(200, fixture.getMetadataResponse) + .get('/.well-known/oauth-authorization-server') + .reply(404) + .post('/par') + .reply(200, fixture.par) + // setup access token response + .post('/token') + .reply(200, fixture.acquireAccessTokenResponse) + // setup credential request response + .post('/credential') + .reply(200, fixture.credentialResponse) + + .get('/.well-known/oauth-authorization-server') + .reply(404) + + const resolved = await holder.modules.openId4VcHolder.resolveCredentialOffer(fixture.credentialOffer) + + const resolvedAuthorizationRequest = await holder.modules.openId4VcHolder.resolveIssuanceAuthorizationRequest( + resolved, + { + clientId: 'test-client', + redirectUri: 'http://example.com', + scope: ['openid', 'UniversityDegree'], + } + ) + + await expect( + holder.modules.openId4VcHolder.acceptCredentialOfferUsingAuthorizationCode( + resolved, + resolvedAuthorizationRequest, + fixture.authorizationCode, + { + allowedProofOfPossessionSignatureAlgorithms: [JwaSignatureAlgorithm.EdDSA], + credentialBindingResolver: () => ({ method: 'did', didUrl: holderVerificationMethod }), + verifyCredentialStatus: false, + } + ) + ) + // FIXME: credential returned by walt.id has nbf and issuanceDate that do not match + // but we know that we at least received the credential if we got to this error + .rejects.toThrowError('JWT nbf and vc.issuanceDate do not match') + }) + }) +}) diff --git a/packages/openid4vc/src/openid4vc-holder/__tests__/openid4vp-holder.e2e.test.ts b/packages/openid4vc/src/openid4vc-holder/__tests__/openid4vp-holder.e2e.test.ts new file mode 100644 index 0000000000..8b511cc99a --- /dev/null +++ b/packages/openid4vc/src/openid4vc-holder/__tests__/openid4vp-holder.e2e.test.ts @@ -0,0 +1,110 @@ +import type { AgentType } from '../../../tests/utils' +import type { OpenId4VcVerifierRecord } from '../../openid4vc-verifier/repository' +import type { Express } from 'express' +import type { Server } from 'http' + +import express from 'express' + +import { OpenId4VcHolderModule } from '..' +import { AskarModule } from '../../../../askar/src' +import { askarModuleConfig } from '../../../../askar/tests/helpers' +import { createAgentFromModules } from '../../../tests/utils' +import { OpenId4VcVerifierModule } from '../../openid4vc-verifier' + +const port = 3121 +const verificationEndpointPath = '/proofResponse' +const verifierBaseUrl = `http://localhost:${port}` + +const holderModules = { + openId4VcHolder: new OpenId4VcHolderModule(), + askar: new AskarModule(askarModuleConfig), +} + +const verifierModules = { + openId4VcVerifier: new OpenId4VcVerifierModule({ + baseUrl: verifierBaseUrl, + endpoints: { + authorization: { + endpointPath: verificationEndpointPath, + }, + }, + }), + askar: new AskarModule(askarModuleConfig), +} + +describe('OpenId4VcHolder | OpenID4VP', () => { + let openIdVerifier: OpenId4VcVerifierRecord + let verifier: AgentType + let holder: AgentType + let verifierApp: Express + + // eslint-disable-next-line @typescript-eslint/no-explicit-any + let verifierServer: Server + + beforeEach(async () => { + verifier = await createAgentFromModules('verifier', verifierModules, '96213c3d7fc8d4d6754c7a0fd969598f') + openIdVerifier = await verifier.agent.modules.openId4VcVerifier.createVerifier() + holder = await createAgentFromModules('holder', holderModules, '96213c3d7fc8d4d6754c7a0fd969598e') + verifierApp = express() + + verifierApp.use('/', verifier.agent.modules.openId4VcVerifier.config.router) + verifierServer = verifierApp.listen(port) + }) + + afterEach(async () => { + verifierServer?.close() + await holder.agent.shutdown() + await holder.agent.wallet.delete() + await verifier.agent.shutdown() + await verifier.agent.wallet.delete() + }) + + it('siop authorization request without presentation exchange', async () => { + const { authorizationRequestUri } = await verifier.agent.modules.openId4VcVerifier.createAuthorizationRequest({ + requestSigner: { + method: 'did', + didUrl: verifier.kid, + }, + verifierId: openIdVerifier.verifierId, + }) + + const resolvedAuthorizationRequest = await holder.agent.modules.openId4VcHolder.resolveSiopAuthorizationRequest( + authorizationRequestUri + ) + + const { submittedResponse, serverResponse } = + await holder.agent.modules.openId4VcHolder.acceptSiopAuthorizationRequest({ + authorizationRequest: resolvedAuthorizationRequest.authorizationRequest, + // When no VP is created, we need to provide the did we want to use for authentication + openIdTokenIssuer: { + method: 'did', + didUrl: holder.kid, + }, + }) + + expect(serverResponse).toEqual({ + status: 200, + body: '', + }) + + expect(submittedResponse).toMatchObject({ + expires_in: 6000, + id_token: expect.any(String), + state: expect.any(String), + }) + + const { idToken, presentationExchange } = + await verifier.agent.modules.openId4VcVerifier.verifyAuthorizationResponse({ + authorizationResponse: submittedResponse, + verifierId: openIdVerifier.verifierId, + }) + + expect(presentationExchange).toBeUndefined() + expect(idToken).toMatchObject({ + payload: { + state: expect.any(String), + nonce: expect.any(String), + }, + }) + }) +}) diff --git a/packages/openid4vc/src/openid4vc-holder/index.ts b/packages/openid4vc/src/openid4vc-holder/index.ts new file mode 100644 index 0000000000..2b7a8d1d5b --- /dev/null +++ b/packages/openid4vc/src/openid4vc-holder/index.ts @@ -0,0 +1,6 @@ +export * from './OpenId4VcHolderApi' +export * from './OpenId4VcHolderModule' +export * from './OpenId4VciHolderService' +export * from './OpenId4VciHolderServiceOptions' +export * from './OpenId4vcSiopHolderService' +export * from './OpenId4vcSiopHolderServiceOptions' diff --git a/packages/openid4vc/src/openid4vc-issuer/OpenId4VcIssuerApi.ts b/packages/openid4vc/src/openid4vc-issuer/OpenId4VcIssuerApi.ts new file mode 100644 index 0000000000..f015eef416 --- /dev/null +++ b/packages/openid4vc/src/openid4vc-issuer/OpenId4VcIssuerApi.ts @@ -0,0 +1,103 @@ +import type { + OpenId4VciCreateCredentialResponseOptions, + OpenId4VciCreateCredentialOfferOptions, +} from './OpenId4VcIssuerServiceOptions' +import type { OpenId4VcIssuerRecordProps } from './repository' +import type { OpenId4VciCredentialOfferPayload } from '../shared' + +import { injectable, AgentContext } from '@aries-framework/core' + +import { OpenId4VcIssuerModuleConfig } from './OpenId4VcIssuerModuleConfig' +import { OpenId4VcIssuerService } from './OpenId4VcIssuerService' + +/** + * @public + * This class represents the API for interacting with the OpenID4VC Issuer service. + * It provides methods for creating a credential offer, creating a response to a credential issuance request, + * and retrieving a credential offer from a URI. + */ +@injectable() +export class OpenId4VcIssuerApi { + public constructor( + public readonly config: OpenId4VcIssuerModuleConfig, + private agentContext: AgentContext, + private openId4VcIssuerService: OpenId4VcIssuerService + ) {} + + public async getAllIssuers() { + return this.openId4VcIssuerService.getAllIssuers(this.agentContext) + } + + public async getByIssuerId(issuerId: string) { + return this.openId4VcIssuerService.getByIssuerId(this.agentContext, issuerId) + } + + /** + * Creates an issuer and stores the corresponding issuer metadata. Multiple issuers can be created, to allow different sets of + * credentials to be issued with each issuer. + */ + public async createIssuer(options: Pick) { + return this.openId4VcIssuerService.createIssuer(this.agentContext, options) + } + + /** + * Rotate the key used for signing access tokens for the issuer with the given issuerId. + */ + public async rotateAccessTokenSigningKey(issuerId: string) { + const issuer = await this.openId4VcIssuerService.getByIssuerId(this.agentContext, issuerId) + return this.openId4VcIssuerService.rotateAccessTokenSigningKey(this.agentContext, issuer) + } + + public async getIssuerMetadata(issuerId: string) { + const issuer = await this.openId4VcIssuerService.getByIssuerId(this.agentContext, issuerId) + return this.openId4VcIssuerService.getIssuerMetadata(this.agentContext, issuer) + } + + public async updateIssuerMetadata( + options: Pick + ) { + const issuer = await this.openId4VcIssuerService.getByIssuerId(this.agentContext, options.issuerId) + + issuer.credentialsSupported = options.credentialsSupported + issuer.display = options.display + + return this.openId4VcIssuerService.updateIssuer(this.agentContext, issuer) + } + + /** + * Creates a credential offer. Either the preAuthorizedCodeFlowConfig or the authorizationCodeFlowConfig must be provided. + * + * @returns Object containing the payload of the credential offer and the credential offer request, which can be sent to the wallet. + */ + public async createCredentialOffer(options: OpenId4VciCreateCredentialOfferOptions & { issuerId: string }) { + const { issuerId, ...rest } = options + const issuer = await this.openId4VcIssuerService.getByIssuerId(this.agentContext, issuerId) + return await this.openId4VcIssuerService.createCredentialOffer(this.agentContext, { ...rest, issuer }) + } + + /** + * This function retrieves the credential offer referenced by the given URI. + * Retrieving a credential offer from a URI is possible after a credential offer was created with + * @see createCredentialOffer and the credentialOfferUri option. + * + * @throws if no credential offer can found for the given URI. + * @param uri - The URI referencing the credential offer. + * @returns The credential offer payload associated with the given URI. + */ + public async getCredentialOfferFromUri(uri: string): Promise { + return await this.openId4VcIssuerService.getCredentialOfferFromUri(this.agentContext, uri) + } + + /** + * This function creates a response which can be send to the holder after receiving a credential issuance request. + * + * @param options.credentialRequest - The credential request, for which to create a response. + * @param options.credential - The credential to be issued. + * @param options.verificationMethod - The verification method used for signing the credential. + */ + public async createCredentialResponse(options: OpenId4VciCreateCredentialResponseOptions & { issuerId: string }) { + const { issuerId, ...rest } = options + const issuer = await this.openId4VcIssuerService.getByIssuerId(this.agentContext, issuerId) + return await this.openId4VcIssuerService.createCredentialResponse(this.agentContext, { ...rest, issuer }) + } +} diff --git a/packages/openid4vc/src/openid4vc-issuer/OpenId4VcIssuerModule.ts b/packages/openid4vc/src/openid4vc-issuer/OpenId4VcIssuerModule.ts new file mode 100644 index 0000000000..f986603b71 --- /dev/null +++ b/packages/openid4vc/src/openid4vc-issuer/OpenId4VcIssuerModule.ts @@ -0,0 +1,133 @@ +import type { OpenId4VcIssuerModuleConfigOptions } from './OpenId4VcIssuerModuleConfig' +import type { OpenId4VcIssuanceRequest } from './router' +import type { AgentContext, DependencyManager, Module } from '@aries-framework/core' + +import { AgentConfig } from '@aries-framework/core' + +import { getAgentContextForActorId, getRequestContext, importExpress } from '../shared/router' + +import { OpenId4VcIssuerApi } from './OpenId4VcIssuerApi' +import { OpenId4VcIssuerModuleConfig } from './OpenId4VcIssuerModuleConfig' +import { OpenId4VcIssuerService } from './OpenId4VcIssuerService' +import { OpenId4VcIssuerRepository } from './repository/OpenId4VcIssuerRepository' +import { configureAccessTokenEndpoint, configureCredentialEndpoint, configureIssuerMetadataEndpoint } from './router' + +/** + * @public + */ +export class OpenId4VcIssuerModule implements Module { + public readonly api = OpenId4VcIssuerApi + public readonly config: OpenId4VcIssuerModuleConfig + + public constructor(options: OpenId4VcIssuerModuleConfigOptions) { + this.config = new OpenId4VcIssuerModuleConfig(options) + } + + /** + * Registers the dependencies of the question answer module on the dependency manager. + */ + public register(dependencyManager: DependencyManager) { + // Warn about experimental module + dependencyManager + .resolve(AgentConfig) + .logger.warn( + "The '@aries-framework/openid4vc' Issuer module is experimental and could have unexpected breaking changes. When using this module, make sure to use strict versions for all @aries-framework packages." + ) + + // Register config + dependencyManager.registerInstance(OpenId4VcIssuerModuleConfig, this.config) + + // Api + dependencyManager.registerContextScoped(OpenId4VcIssuerApi) + + // Services + dependencyManager.registerSingleton(OpenId4VcIssuerService) + + // Repository + dependencyManager.registerSingleton(OpenId4VcIssuerRepository) + } + + public async initialize(rootAgentContext: AgentContext): Promise { + this.configureRouter(rootAgentContext) + } + + /** + * Registers the endpoints on the router passed to this module. + */ + private configureRouter(rootAgentContext: AgentContext) { + const { Router, json, urlencoded } = importExpress() + + // TODO: it is currently not possible to initialize an agent + // shut it down, and then start it again, as the + // express router is configured with a specific `AgentContext` instance + // and dependency manager. One option is to always create a new router + // but then users cannot pass their own router implementation. + // We need to find a proper way to fix this. + + // We use separate context router and endpoint router. Context router handles the linking of the request + // to a specific agent context. Endpoint router only knows about a single context + const endpointRouter = Router() + const contextRouter = this.config.router + + // parse application/x-www-form-urlencoded + contextRouter.use(urlencoded({ extended: false })) + // parse application/json + contextRouter.use(json()) + + contextRouter.param('issuerId', async (req: OpenId4VcIssuanceRequest, _res, next, issuerId: string) => { + if (!issuerId) { + rootAgentContext.config.logger.debug('No issuerId provided for incoming oid4vci request, returning 404') + _res.status(404).send('Not found') + } + + let agentContext: AgentContext | undefined = undefined + + try { + // FIXME: should we create combined openId actor record? + agentContext = await getAgentContextForActorId(rootAgentContext, issuerId) + const issuerApi = agentContext.dependencyManager.resolve(OpenId4VcIssuerApi) + const issuer = await issuerApi.getByIssuerId(issuerId) + + req.requestContext = { + agentContext, + issuer, + } + } catch (error) { + agentContext?.config.logger.error( + 'Failed to correlate incoming oid4vci request to existing tenant and issuer', + { + error, + } + ) + // If the opening failed + await agentContext?.endSession() + + return _res.status(404).send('Not found') + } + + next() + }) + + contextRouter.use('/:issuerId', endpointRouter) + + // Configure endpoints + configureIssuerMetadataEndpoint(endpointRouter) + configureAccessTokenEndpoint(endpointRouter, this.config.accessTokenEndpoint) + configureCredentialEndpoint(endpointRouter, this.config.credentialEndpoint) + + // First one will be called for all requests (when next is called) + contextRouter.use(async (req: OpenId4VcIssuanceRequest, _res: unknown, next) => { + const { agentContext } = getRequestContext(req) + await agentContext.endSession() + next() + }) + + // This one will be called for all errors that are thrown + // eslint-disable-next-line @typescript-eslint/no-explicit-any + contextRouter.use(async (_error: unknown, req: OpenId4VcIssuanceRequest, _res: unknown, next: any) => { + const { agentContext } = getRequestContext(req) + await agentContext.endSession() + next() + }) + } +} diff --git a/packages/openid4vc/src/openid4vc-issuer/OpenId4VcIssuerModuleConfig.ts b/packages/openid4vc/src/openid4vc-issuer/OpenId4VcIssuerModuleConfig.ts new file mode 100644 index 0000000000..d4efe593b4 --- /dev/null +++ b/packages/openid4vc/src/openid4vc-issuer/OpenId4VcIssuerModuleConfig.ts @@ -0,0 +1,119 @@ +import type { OpenId4VciAccessTokenEndpointConfig, OpenId4VciCredentialEndpointConfig } from './router' +import type { AgentContext, Optional } from '@aries-framework/core' +import type { CNonceState, CredentialOfferSession, IStateManager, URIState } from '@sphereon/oid4vci-common' +import type { Router } from 'express' + +import { MemoryStates } from '@sphereon/oid4vci-issuer' + +import { importExpress } from '../shared/router' + +const DEFAULT_C_NONCE_EXPIRES_IN = 5 * 60 * 1000 // 5 minutes +const DEFAULT_TOKEN_EXPIRES_IN = 3 * 60 * 1000 // 3 minutes +const DEFAULT_PRE_AUTH_CODE_EXPIRES_IN = 3 * 60 * 1000 // 3 minutes + +export interface OpenId4VcIssuerModuleConfigOptions { + /** + * Base url at which the issuer endpoints will be hosted. All endpoints will be exposed with + * this path as prefix. + */ + baseUrl: string + + /** + * Express router on which the openid4vci endpoints will be registered. If + * no router is provided, a new one will be created. + * + * NOTE: you must manually register the router on your express app and + * expose this on a public url that is reachable when `baseUrl` is called. + */ + router?: Router + + endpoints: { + credential: Optional + accessToken?: Optional< + OpenId4VciAccessTokenEndpointConfig, + 'cNonceExpiresInSeconds' | 'endpointPath' | 'preAuthorizedCodeExpirationInSeconds' | 'tokenExpiresInSeconds' + > + } +} + +export class OpenId4VcIssuerModuleConfig { + private options: OpenId4VcIssuerModuleConfigOptions + public readonly router: Router + + private credentialOfferSessionManagerMap: Map> + private uriStateManagerMap: Map> + private cNonceStateManagerMap: Map> + + public constructor(options: OpenId4VcIssuerModuleConfigOptions) { + this.uriStateManagerMap = new Map() + this.credentialOfferSessionManagerMap = new Map() + this.cNonceStateManagerMap = new Map() + this.options = options + + this.router = options.router ?? importExpress().Router() + } + + public get baseUrl() { + return this.options.baseUrl + } + + /** + * Get the credential endpoint config, with default values set + */ + public get credentialEndpoint(): OpenId4VciCredentialEndpointConfig { + // Use user supplied options, or return defaults. + const userOptions = this.options.endpoints.credential + + return { + ...userOptions, + endpointPath: userOptions.endpointPath ?? '/credential', + } + } + + /** + * Get the access token endpoint config, with default values set + */ + public get accessTokenEndpoint(): OpenId4VciAccessTokenEndpointConfig { + // Use user supplied options, or return defaults. + const userOptions = this.options.endpoints.accessToken ?? {} + + return { + ...userOptions, + endpointPath: userOptions.endpointPath ?? '/token', + cNonceExpiresInSeconds: userOptions.cNonceExpiresInSeconds ?? DEFAULT_C_NONCE_EXPIRES_IN, + preAuthorizedCodeExpirationInSeconds: + userOptions.preAuthorizedCodeExpirationInSeconds ?? DEFAULT_PRE_AUTH_CODE_EXPIRES_IN, + tokenExpiresInSeconds: userOptions.tokenExpiresInSeconds ?? DEFAULT_TOKEN_EXPIRES_IN, + } + } + + // FIXME: rework (no in-memory) + public getUriStateManager(agentContext: AgentContext) { + const value = this.uriStateManagerMap.get(agentContext.contextCorrelationId) + if (value) return value + + const newValue = new MemoryStates() + this.uriStateManagerMap.set(agentContext.contextCorrelationId, newValue) + return newValue + } + + // FIXME: rework (no in-memory) + public getCredentialOfferSessionStateManager(agentContext: AgentContext) { + const value = this.credentialOfferSessionManagerMap.get(agentContext.contextCorrelationId) + if (value) return value + + const newValue = new MemoryStates() + this.credentialOfferSessionManagerMap.set(agentContext.contextCorrelationId, newValue) + return newValue + } + + // FIXME: rework (no in-memory) + public getCNonceStateManager(agentContext: AgentContext) { + const value = this.cNonceStateManagerMap.get(agentContext.contextCorrelationId) + if (value) return value + + const newValue = new MemoryStates() + this.cNonceStateManagerMap.set(agentContext.contextCorrelationId, newValue) + return newValue + } +} diff --git a/packages/openid4vc/src/openid4vc-issuer/OpenId4VcIssuerService.ts b/packages/openid4vc/src/openid4vc-issuer/OpenId4VcIssuerService.ts new file mode 100644 index 0000000000..8e630a0e7d --- /dev/null +++ b/packages/openid4vc/src/openid4vc-issuer/OpenId4VcIssuerService.ts @@ -0,0 +1,535 @@ +import type { + OpenId4VciCreateCredentialResponseOptions, + OpenId4VciAuthorizationCodeFlowConfig, + OpenId4VciCreateCredentialOfferOptions, + OpenId4VciCreateIssuerOptions, + OpenId4VciPreAuthorizedCodeFlowConfig, + OpenId4VcIssuerMetadata, + OpenId4VciSignSdJwtCredential, + OpenId4VciSignW3cCredential, +} from './OpenId4VcIssuerServiceOptions' +import type { + OpenId4VcCredentialHolderBinding, + OpenId4VciCredentialOfferPayload, + OpenId4VciCredentialRequest, + OpenId4VciCredentialSupported, +} from '../shared' +import type { AgentContext, DidDocument } from '@aries-framework/core' +import type { Grant, JWTVerifyCallback } from '@sphereon/oid4vci-common' +import type { + CredentialDataSupplier, + CredentialDataSupplierArgs, + CredentialIssuanceInput, + CredentialSignerCallback, +} from '@sphereon/oid4vci-issuer' +import type { ICredential } from '@sphereon/ssi-types' + +import { + SdJwtVcApi, + AriesFrameworkError, + ClaimFormat, + DidsApi, + equalsIgnoreOrder, + getJwkFromJson, + getJwkFromKey, + getKeyFromVerificationMethod, + injectable, + joinUriParts, + JsonEncoder, + JsonTransformer, + JwsService, + Jwt, + KeyType, + utils, + W3cCredentialService, +} from '@aries-framework/core' +import { IssueStatus } from '@sphereon/oid4vci-common' +import { VcIssuerBuilder } from '@sphereon/oid4vci-issuer' + +import { getOfferedCredentials, OpenId4VciCredentialFormatProfile } from '../shared' +import { storeActorIdForContextCorrelationId } from '../shared/router' +import { getSphereonVerifiableCredential } from '../shared/transform' +import { getProofTypeFromKey } from '../shared/utils' + +import { OpenId4VcIssuerModuleConfig } from './OpenId4VcIssuerModuleConfig' +import { OpenId4VcIssuerRepository, OpenId4VcIssuerRecord } from './repository' + +const w3cOpenId4VcFormats = [ + OpenId4VciCredentialFormatProfile.JwtVcJson, + OpenId4VciCredentialFormatProfile.JwtVcJsonLd, + OpenId4VciCredentialFormatProfile.LdpVc, +] + +/** + * @internal + */ +@injectable() +export class OpenId4VcIssuerService { + private w3cCredentialService: W3cCredentialService + private jwsService: JwsService + private openId4VcIssuerConfig: OpenId4VcIssuerModuleConfig + private openId4VcIssuerRepository: OpenId4VcIssuerRepository + + public constructor( + w3cCredentialService: W3cCredentialService, + jwsService: JwsService, + openId4VcIssuerConfig: OpenId4VcIssuerModuleConfig, + openId4VcIssuerRepository: OpenId4VcIssuerRepository + ) { + this.w3cCredentialService = w3cCredentialService + this.jwsService = jwsService + this.openId4VcIssuerConfig = openId4VcIssuerConfig + this.openId4VcIssuerRepository = openId4VcIssuerRepository + } + + public getIssuerMetadata(agentContext: AgentContext, issuerRecord: OpenId4VcIssuerRecord): OpenId4VcIssuerMetadata { + const config = agentContext.dependencyManager.resolve(OpenId4VcIssuerModuleConfig) + const issuerUrl = joinUriParts(config.baseUrl, [issuerRecord.issuerId]) + + const issuerMetadata = { + issuerUrl, + tokenEndpoint: joinUriParts(issuerUrl, [config.accessTokenEndpoint.endpointPath]), + credentialEndpoint: joinUriParts(issuerUrl, [config.credentialEndpoint.endpointPath]), + credentialsSupported: issuerRecord.credentialsSupported, + issuerDisplay: issuerRecord.display, + } satisfies OpenId4VcIssuerMetadata + + return issuerMetadata + } + + public async createCredentialOffer( + agentContext: AgentContext, + options: OpenId4VciCreateCredentialOfferOptions & { issuer: OpenId4VcIssuerRecord } + ) { + const { preAuthorizedCodeFlowConfig, authorizationCodeFlowConfig, issuer, offeredCredentials } = options + + const vcIssuer = this.getVcIssuer(agentContext, issuer) + + // this checks if the structure of the credentials is correct + // it throws an error if a offered credential cannot be found in the credentialsSupported + getOfferedCredentials(options.offeredCredentials, vcIssuer.issuerMetadata.credentials_supported) + + const { uri, session } = await vcIssuer.createCredentialOfferURI({ + grants: await this.getGrantsFromConfig(agentContext, preAuthorizedCodeFlowConfig, authorizationCodeFlowConfig), + credentials: offeredCredentials, + // TODO: support hosting of credential offers within AFJ + credentialOfferUri: options.hostedCredentialOfferUrl, + baseUri: options.baseUri, + }) + + const credentialOfferPayload: OpenId4VciCredentialOfferPayload = session.credentialOffer.credential_offer + return { + credentialOfferPayload, + credentialOffer: uri, + } + } + + public async getCredentialOfferFromUri(agentContext: AgentContext, uri: string) { + const { credentialOfferSessionId, credentialOfferSession } = await this.getCredentialOfferSessionFromUri( + agentContext, + uri + ) + + credentialOfferSession.lastUpdatedAt = +new Date() + credentialOfferSession.status = IssueStatus.OFFER_URI_RETRIEVED + await this.openId4VcIssuerConfig + .getCredentialOfferSessionStateManager(agentContext) + .set(credentialOfferSessionId, credentialOfferSession) + + return credentialOfferSession.credentialOffer.credential_offer + } + + public async createCredentialResponse( + agentContext: AgentContext, + options: OpenId4VciCreateCredentialResponseOptions & { issuer: OpenId4VcIssuerRecord } + ) { + const { credentialRequest, issuer } = options + if (!credentialRequest.proof) throw new AriesFrameworkError('No proof defined in the credentialRequest.') + + const vcIssuer = this.getVcIssuer(agentContext, issuer) + const issueCredentialResponse = await vcIssuer.issueCredential({ + credentialRequest, + tokenExpiresIn: this.openId4VcIssuerConfig.accessTokenEndpoint.tokenExpiresInSeconds, + + // This can just be combined with signing callback right? + credentialDataSupplier: this.getCredentialDataSupplier(agentContext, options), + newCNonce: undefined, + responseCNonce: undefined, + }) + + if (!issueCredentialResponse.credential) { + throw new AriesFrameworkError('No credential found in the issueCredentialResponse.') + } + + if (issueCredentialResponse.acceptance_token) { + throw new AriesFrameworkError('Acceptance token not yet supported.') + } + + return issueCredentialResponse + } + + public async getAllIssuers(agentContext: AgentContext) { + return this.openId4VcIssuerRepository.getAll(agentContext) + } + + public async getByIssuerId(agentContext: AgentContext, issuerId: string) { + return this.openId4VcIssuerRepository.getByIssuerId(agentContext, issuerId) + } + + public async updateIssuer(agentContext: AgentContext, issuer: OpenId4VcIssuerRecord) { + return this.openId4VcIssuerRepository.update(agentContext, issuer) + } + + public async createIssuer(agentContext: AgentContext, options: OpenId4VciCreateIssuerOptions) { + // TODO: ideally we can store additional data with a key, such as: + // - createdAt + // - purpose + const accessTokenSignerKey = await agentContext.wallet.createKey({ + keyType: KeyType.Ed25519, + }) + const openId4VcIssuer = new OpenId4VcIssuerRecord({ + issuerId: utils.uuid(), + display: options.display, + accessTokenPublicKeyFingerprint: accessTokenSignerKey.fingerprint, + credentialsSupported: options.credentialsSupported, + }) + + await this.openId4VcIssuerRepository.save(agentContext, openId4VcIssuer) + await storeActorIdForContextCorrelationId(agentContext, openId4VcIssuer.issuerId) + return openId4VcIssuer + } + + public async rotateAccessTokenSigningKey(agentContext: AgentContext, issuer: OpenId4VcIssuerRecord) { + const accessTokenSignerKey = await agentContext.wallet.createKey({ + keyType: KeyType.Ed25519, + }) + + // TODO: ideally we can remove the previous key + issuer.accessTokenPublicKeyFingerprint = accessTokenSignerKey.fingerprint + await this.openId4VcIssuerRepository.update(agentContext, issuer) + } + + private async getCredentialOfferSessionFromUri(agentContext: AgentContext, uri: string) { + const uriState = await this.openId4VcIssuerConfig.getUriStateManager(agentContext).get(uri) + if (!uriState) throw new AriesFrameworkError(`Credential offer uri '${uri}' not found.`) + + const credentialOfferSessionId = uriState.preAuthorizedCode ?? uriState.issuerState + if (!credentialOfferSessionId) { + throw new AriesFrameworkError( + `Credential offer uri '${uri}' is not associated with a preAuthorizedCode or issuerState.` + ) + } + + const credentialOfferSession = await this.openId4VcIssuerConfig + .getCredentialOfferSessionStateManager(agentContext) + .get(credentialOfferSessionId) + if (!credentialOfferSession) + throw new AriesFrameworkError( + `Credential offer session for '${uri}' with id '${credentialOfferSessionId}' not found.` + ) + + return { credentialOfferSessionId, credentialOfferSession } + } + + private getJwtVerifyCallback = (agentContext: AgentContext): JWTVerifyCallback => { + return async (opts) => { + let didDocument = undefined as DidDocument | undefined + const { isValid, jws } = await this.jwsService.verifyJws(agentContext, { + jws: opts.jwt, + // Only handles kid as did resolution. JWK is handled by jws service + jwkResolver: async ({ protectedHeader: { kid } }) => { + if (!kid) throw new AriesFrameworkError('Missing kid in protected header.') + if (!kid.startsWith('did:')) throw new AriesFrameworkError('Only did is supported for kid identifier') + + const didsApi = agentContext.dependencyManager.resolve(DidsApi) + didDocument = await didsApi.resolveDidDocument(kid) + const verificationMethod = didDocument.dereferenceKey(kid, ['authentication', 'assertionMethod']) + const key = getKeyFromVerificationMethod(verificationMethod) + return getJwkFromKey(key) + }, + }) + + if (!isValid) throw new AriesFrameworkError('Could not verify JWT signature.') + + // TODO: the jws service should return some better decoded metadata also from the resolver + // as currently is less useful if you afterwards need properties from the JWS + const firstJws = jws.signatures[0] + const protectedHeader = JsonEncoder.fromBase64(firstJws.protected) + return { + jwt: { header: protectedHeader, payload: JsonEncoder.fromBase64(jws.payload) }, + kid: protectedHeader.kid, + jwk: protectedHeader.jwk ? getJwkFromJson(protectedHeader.jwk) : undefined, + did: didDocument?.id, + alg: protectedHeader.alg, + didDocument, + } + } + } + + private getVcIssuer(agentContext: AgentContext, issuer: OpenId4VcIssuerRecord) { + const issuerMetadata = this.getIssuerMetadata(agentContext, issuer) + + const builder = new VcIssuerBuilder() + .withCredentialIssuer(issuerMetadata.issuerUrl) + .withCredentialEndpoint(issuerMetadata.credentialEndpoint) + .withTokenEndpoint(issuerMetadata.tokenEndpoint) + .withCredentialsSupported(issuerMetadata.credentialsSupported) + .withCNonceStateManager(this.openId4VcIssuerConfig.getCNonceStateManager(agentContext)) + .withCredentialOfferStateManager(this.openId4VcIssuerConfig.getCredentialOfferSessionStateManager(agentContext)) + .withCredentialOfferURIStateManager(this.openId4VcIssuerConfig.getUriStateManager(agentContext)) + .withJWTVerifyCallback(this.getJwtVerifyCallback(agentContext)) + .withCredentialSignerCallback(() => { + throw new AriesFrameworkError('Credential signer callback should be overwritten. This is a no-op') + }) + + if (issuerMetadata.authorizationServer) { + builder.withAuthorizationServer(issuerMetadata.authorizationServer) + } + + if (issuerMetadata.issuerDisplay) { + builder.withIssuerDisplay(issuerMetadata.issuerDisplay) + } + + return builder.build() + } + + private async getGrantsFromConfig( + agentContext: AgentContext, + preAuthorizedCodeFlowConfig?: OpenId4VciPreAuthorizedCodeFlowConfig, + authorizationCodeFlowConfig?: OpenId4VciAuthorizationCodeFlowConfig + ) { + if (!preAuthorizedCodeFlowConfig && !authorizationCodeFlowConfig) { + throw new AriesFrameworkError( + `Either preAuthorizedCodeFlowConfig or authorizationCodeFlowConfig must be provided.` + ) + } + + const grants: Grant = { + 'urn:ietf:params:oauth:grant-type:pre-authorized_code': preAuthorizedCodeFlowConfig && { + 'pre-authorized_code': + preAuthorizedCodeFlowConfig.preAuthorizedCode ?? (await agentContext.wallet.generateNonce()), + user_pin_required: preAuthorizedCodeFlowConfig.userPinRequired ?? false, + }, + + authorization_code: authorizationCodeFlowConfig && { + issuer_state: authorizationCodeFlowConfig.issuerState ?? (await agentContext.wallet.generateNonce()), + }, + } + + return grants + } + + private findOfferedCredentialsMatchingRequest( + credentialOffer: OpenId4VciCredentialOfferPayload, + credentialRequest: OpenId4VciCredentialRequest, + credentialsSupported: OpenId4VciCredentialSupported[] + ): OpenId4VciCredentialSupported[] { + const offeredCredentials = getOfferedCredentials(credentialOffer.credentials, credentialsSupported) + + return offeredCredentials.filter((offeredCredential) => { + if (offeredCredential.format !== credentialRequest.format) return false + + if ( + credentialRequest.format === OpenId4VciCredentialFormatProfile.JwtVcJson && + offeredCredential.format === credentialRequest.format + ) { + return equalsIgnoreOrder(offeredCredential.types, credentialRequest.types) + } else if ( + credentialRequest.format === OpenId4VciCredentialFormatProfile.JwtVcJsonLd && + offeredCredential.format === credentialRequest.format + ) { + return equalsIgnoreOrder(offeredCredential.types, credentialRequest.credential_definition.types) + } else if ( + credentialRequest.format === OpenId4VciCredentialFormatProfile.LdpVc && + offeredCredential.format === credentialRequest.format + ) { + return equalsIgnoreOrder(offeredCredential.types, credentialRequest.credential_definition.types) + } else if ( + credentialRequest.format === OpenId4VciCredentialFormatProfile.SdJwtVc && + offeredCredential.format === credentialRequest.format + ) { + return offeredCredential.vct === credentialRequest.vct + } + + return false + }) + } + + private getSdJwtVcCredentialSigningCallback = ( + agentContext: AgentContext, + options: OpenId4VciSignSdJwtCredential + ): CredentialSignerCallback => { + return async () => { + const sdJwtVcApi = agentContext.dependencyManager.resolve(SdJwtVcApi) + + const sdJwtVc = await sdJwtVcApi.sign(options) + return getSphereonVerifiableCredential(sdJwtVc) + } + } + + private getW3cCredentialSigningCallback = ( + agentContext: AgentContext, + options: OpenId4VciSignW3cCredential + ): CredentialSignerCallback => { + return async (opts) => { + const { jwtVerifyResult, format } = opts + const { kid, didDocument: holderDidDocument } = jwtVerifyResult + + if (!kid) throw new AriesFrameworkError('Missing Kid. Cannot create the holder binding') + if (!holderDidDocument) throw new AriesFrameworkError('Missing did document. Cannot create the holder binding.') + if (!format) throw new AriesFrameworkError('Missing format. Cannot issue credential.') + + const formatMap: Record = { + [OpenId4VciCredentialFormatProfile.JwtVcJson]: ClaimFormat.JwtVc, + [OpenId4VciCredentialFormatProfile.JwtVcJsonLd]: ClaimFormat.JwtVc, + [OpenId4VciCredentialFormatProfile.LdpVc]: ClaimFormat.LdpVc, + } + const w3cServiceFormat = formatMap[format] + + // Set the binding on the first credential subject if not set yet + // on any subject + if (!options.credential.credentialSubjectIds.includes(holderDidDocument.id)) { + const credentialSubject = Array.isArray(options.credential.credentialSubject) + ? options.credential.credentialSubject[0] + : options.credential.credentialSubject + credentialSubject.id = holderDidDocument.id + } + + const didsApi = agentContext.dependencyManager.resolve(DidsApi) + const issuerDidDocument = await didsApi.resolveDidDocument(options.verificationMethod) + const verificationMethod = issuerDidDocument.dereferenceVerificationMethod(options.verificationMethod) + + if (w3cServiceFormat === ClaimFormat.JwtVc) { + const key = getKeyFromVerificationMethod(verificationMethod) + const alg = getJwkFromKey(key).supportedSignatureAlgorithms[0] + + if (!alg) { + throw new AriesFrameworkError(`No supported JWA signature algorithms for key type ${key.keyType}`) + } + + const signed = await this.w3cCredentialService.signCredential(agentContext, { + format: w3cServiceFormat, + credential: options.credential, + verificationMethod: options.verificationMethod, + alg, + }) + + return getSphereonVerifiableCredential(signed) + } else { + const key = getKeyFromVerificationMethod(verificationMethod) + const proofType = getProofTypeFromKey(agentContext, key) + + const signed = await this.w3cCredentialService.signCredential(agentContext, { + format: w3cServiceFormat, + credential: options.credential, + verificationMethod: options.verificationMethod, + proofType: proofType, + }) + + return getSphereonVerifiableCredential(signed) + } + } + } + + private async getHolderBindingFromRequest(credentialRequest: OpenId4VciCredentialRequest) { + if (!credentialRequest.proof?.jwt) throw new AriesFrameworkError('Received a credential request without a proof') + + const jwt = Jwt.fromSerializedJwt(credentialRequest.proof.jwt) + + if (jwt.header.kid) { + if (!jwt.header.kid.startsWith('did:')) { + throw new AriesFrameworkError("Only did is supported for 'kid' identifier") + } else if (!jwt.header.kid.includes('#')) { + throw new AriesFrameworkError( + `kid containing did MUST point to a specific key within the did document: ${jwt.header.kid}` + ) + } + + return { + method: 'did', + didUrl: jwt.header.kid, + } satisfies OpenId4VcCredentialHolderBinding + } else if (jwt.header.jwk) { + return { + method: 'jwk', + jwk: getJwkFromJson(jwt.header.jwk), + } satisfies OpenId4VcCredentialHolderBinding + } else { + throw new AriesFrameworkError('Either kid or jwk must be present in credential request proof header') + } + } + + private getCredentialDataSupplier = ( + agentContext: AgentContext, + options: OpenId4VciCreateCredentialResponseOptions & { issuer: OpenId4VcIssuerRecord } + ): CredentialDataSupplier => { + return async (args: CredentialDataSupplierArgs) => { + const { credentialRequest, credentialOffer } = args + const issuerMetadata = this.getIssuerMetadata(agentContext, options.issuer) + + const offeredCredentialsMatchingRequest = this.findOfferedCredentialsMatchingRequest( + credentialOffer.credential_offer, + credentialRequest, + issuerMetadata.credentialsSupported + ) + + if (offeredCredentialsMatchingRequest.length === 0) { + throw new AriesFrameworkError('No offered credentials match the credential request.') + } + + if (offeredCredentialsMatchingRequest.length > 1) { + agentContext.config.logger.debug( + 'Multiple credentials from credentials supported matching request, picking first one.' + ) + } + + const holderBinding = await this.getHolderBindingFromRequest(credentialRequest) + const mapper = + options.credentialRequestToCredentialMapper ?? + this.openId4VcIssuerConfig.credentialEndpoint.credentialRequestToCredentialMapper + const signOptions = await mapper({ + agentContext, + holderBinding, + + credentialOffer, + credentialRequest, + + credentialsSupported: offeredCredentialsMatchingRequest, + }) + + if (signOptions.format === ClaimFormat.JwtVc || signOptions.format === ClaimFormat.LdpVc) { + if (!w3cOpenId4VcFormats.includes(credentialRequest.format as OpenId4VciCredentialFormatProfile)) { + throw new AriesFrameworkError( + `The credential to be issued does not match the request. Cannot issue a W3cCredential if the client expects a credential of format '${credentialRequest.format}'.` + ) + } + + return { + format: credentialRequest.format, + credential: JsonTransformer.toJSON(signOptions.credential) as ICredential, + signCallback: this.getW3cCredentialSigningCallback(agentContext, signOptions), + } + } else if (signOptions.format === ClaimFormat.SdJwtVc) { + if (credentialRequest.format !== OpenId4VciCredentialFormatProfile.SdJwtVc) { + throw new AriesFrameworkError( + `Invalid credential format. Expected '${OpenId4VciCredentialFormatProfile.SdJwtVc}', received '${credentialRequest.format}'.` + ) + } + if (credentialRequest.vct !== signOptions.payload.vct) { + throw new AriesFrameworkError( + `The types of the offered credentials do not match the types of the requested credential. Offered '${signOptions.payload.vct}' Requested '${credentialRequest.vct}'.` + ) + } + + return { + format: credentialRequest.format, + // NOTE: we don't use the credential value here as we pass the credential directly to the singer + credential: { ...signOptions.payload } as unknown as CredentialIssuanceInput, + signCallback: this.getSdJwtVcCredentialSigningCallback(agentContext, signOptions), + } + } else { + throw new AriesFrameworkError(`Unsupported credential format`) + } + } + } +} diff --git a/packages/openid4vc/src/openid4vc-issuer/OpenId4VcIssuerServiceOptions.ts b/packages/openid4vc/src/openid4vc-issuer/OpenId4VcIssuerServiceOptions.ts new file mode 100644 index 0000000000..f7c5d9cf33 --- /dev/null +++ b/packages/openid4vc/src/openid4vc-issuer/OpenId4VcIssuerServiceOptions.ts @@ -0,0 +1,112 @@ +import type { OpenId4VcIssuerRecordProps } from './repository' +import type { + OpenId4VcCredentialHolderBinding, + OpenId4VciCredentialOffer, + OpenId4VciCredentialRequest, + OpenId4VciCredentialSupported, + OpenId4VciIssuerMetadataDisplay, +} from '../shared' +import type { AgentContext, ClaimFormat, W3cCredential, SdJwtVcSignOptions } from '@aries-framework/core' + +export interface OpenId4VciPreAuthorizedCodeFlowConfig { + preAuthorizedCode?: string + userPinRequired?: boolean +} + +export type OpenId4VciAuthorizationCodeFlowConfig = { + issuerState?: string +} + +export type OpenId4VcIssuerMetadata = { + // The Credential Issuer's identifier. (URL using the https scheme) + issuerUrl: string + credentialEndpoint: string + tokenEndpoint: string + authorizationServer?: string + + issuerDisplay?: OpenId4VciIssuerMetadataDisplay[] + credentialsSupported: OpenId4VciCredentialSupported[] +} + +export type OpenId4VciCreateIssuerOptions = Pick + +export interface OpenId4VciCreateCredentialOfferOptions { + // NOTE: v11 of OID4VCI supports both inline and referenced (to credentials_supported.id) credential offers. + // In draft 12 the inline credential offers have been removed and to make the migration to v12 easier + // we only support referenced credentials in an offer + offeredCredentials: string[] + + /** + * baseUri for the credential offer uri. By default `openid-credential-offer://` will be used + * if no value is provided. If a value is provided, make sure it contains the scheme as well as `://`. + */ + baseUri?: string + + preAuthorizedCodeFlowConfig?: OpenId4VciPreAuthorizedCodeFlowConfig + authorizationCodeFlowConfig?: OpenId4VciAuthorizationCodeFlowConfig + + /** + * You can provide a `hostedCredentialOfferUrl` if the created credential offer + * should points to a hosted credential offer in the `credential_offer_uri` field + * of the credential offer. + */ + hostedCredentialOfferUrl?: string +} + +export interface OpenId4VciCreateCredentialResponseOptions { + credentialRequest: OpenId4VciCredentialRequest + + /** + * You can optionally provide a credential request to credential mapper that will be + * dynamically invoked to return credential data based on the credential request. + * + * If not provided, the `credentialRequestToCredentialMapper` from the agent config + * will be used. + */ + credentialRequestToCredentialMapper?: OpenId4VciCredentialRequestToCredentialMapper +} + +// FIXME: Flows: +// - provide credential data at time of offer creation (NOT SUPPORTED) +// - provide credential data at time of calling createCredentialResponse (partially supported by passing in mapper to this method -> preferred as it gives you request data dynamically) +// - provide credential data dynamically using this method (SUPPORTED) +// mapper should get input data passed (which is supplied to offer or create response) like credentialDataSupplierInput in sphereon lib +export type OpenId4VciCredentialRequestToCredentialMapper = (options: { + agentContext: AgentContext + + /** + * The credential request received from the wallet + */ + credentialRequest: OpenId4VciCredentialRequest + + /** + * The offer associated with the credential request + */ + credentialOffer: OpenId4VciCredentialOffer + + /** + * Verified key binding material that should be included in the credential + * + * Can either be bound to did or a JWK (in case of for ex. SD-JWT) + */ + holderBinding: OpenId4VcCredentialHolderBinding + + /** + * The credentials supported entries from the issuer metadata that were offered + * and match the incoming request + * + * NOTE: in v12 this will probably become a single entry, as it will be matched on id + */ + credentialsSupported: OpenId4VciCredentialSupported[] +}) => Promise | OpenId4VciSignCredential + +export type OpenId4VciSignCredential = OpenId4VciSignSdJwtCredential | OpenId4VciSignW3cCredential +export interface OpenId4VciSignSdJwtCredential extends SdJwtVcSignOptions { + format: ClaimFormat.SdJwtVc | `${ClaimFormat.SdJwtVc}` +} + +export interface OpenId4VciSignW3cCredential { + format: ClaimFormat.JwtVc | `${ClaimFormat.JwtVc}` | ClaimFormat.LdpVc | `${ClaimFormat.LdpVc}` + verificationMethod: string + credential: W3cCredential +} diff --git a/packages/openid4vc/src/openid4vc-issuer/__tests__/OpenId4VcIsserModule.test.ts b/packages/openid4vc/src/openid4vc-issuer/__tests__/OpenId4VcIsserModule.test.ts new file mode 100644 index 0000000000..6d6929c847 --- /dev/null +++ b/packages/openid4vc/src/openid4vc-issuer/__tests__/OpenId4VcIsserModule.test.ts @@ -0,0 +1,54 @@ +import type { DependencyManager } from '@aries-framework/core' + +import { Router } from 'express' + +import { getAgentContext } from '../../../../core/tests' +import { OpenId4VcIssuerApi } from '../OpenId4VcIssuerApi' +import { OpenId4VcIssuerModule } from '../OpenId4VcIssuerModule' +import { OpenId4VcIssuerModuleConfig } from '../OpenId4VcIssuerModuleConfig' +import { OpenId4VcIssuerService } from '../OpenId4VcIssuerService' +import { OpenId4VcIssuerRepository } from '../repository/OpenId4VcIssuerRepository' + +const dependencyManager = { + registerInstance: jest.fn(), + registerSingleton: jest.fn(), + registerContextScoped: jest.fn(), + resolve: jest.fn().mockReturnValue({ logger: { warn: jest.fn() } }), +} as unknown as DependencyManager + +const agentContext = getAgentContext() + +describe('OpenId4VcIssuerModule', () => { + test('registers dependencies on the dependency manager', async () => { + const options = { + baseUrl: 'http://localhost:3000', + endpoints: { + credential: { + credentialRequestToCredentialMapper: () => { + throw new Error('Not implemented') + }, + }, + }, + router: Router(), + } as const + const openId4VcClientModule = new OpenId4VcIssuerModule(options) + openId4VcClientModule.register(dependencyManager) + + expect(dependencyManager.registerInstance).toHaveBeenCalledTimes(1) + expect(dependencyManager.registerInstance).toHaveBeenCalledWith( + OpenId4VcIssuerModuleConfig, + new OpenId4VcIssuerModuleConfig(options) + ) + + expect(dependencyManager.registerContextScoped).toHaveBeenCalledTimes(1) + expect(dependencyManager.registerContextScoped).toHaveBeenCalledWith(OpenId4VcIssuerApi) + + expect(dependencyManager.registerSingleton).toHaveBeenCalledTimes(2) + expect(dependencyManager.registerSingleton).toHaveBeenCalledWith(OpenId4VcIssuerService) + expect(dependencyManager.registerSingleton).toHaveBeenCalledWith(OpenId4VcIssuerRepository) + + await openId4VcClientModule.initialize(agentContext) + + expect(openId4VcClientModule.config.router).toBeDefined() + }) +}) diff --git a/packages/openid4vc/src/openid4vc-issuer/__tests__/openid4vc-issuer.e2e.test.ts b/packages/openid4vc/src/openid4vc-issuer/__tests__/openid4vc-issuer.e2e.test.ts new file mode 100644 index 0000000000..a8be5d1e7a --- /dev/null +++ b/packages/openid4vc/src/openid4vc-issuer/__tests__/openid4vc-issuer.e2e.test.ts @@ -0,0 +1,740 @@ +import type { OpenId4VciCredentialRequest, OpenId4VciCredentialSupportedWithId } from '../../shared' +import type { + OpenId4VcIssuerMetadata, + OpenId4VciCredentialRequestToCredentialMapper, +} from '../OpenId4VcIssuerServiceOptions' +import type { OpenId4VcIssuerRecord } from '../repository' +import type { + AgentContext, + KeyDidCreateOptions, + VerificationMethod, + W3cVerifiableCredential, + W3cVerifyCredentialResult, +} from '@aries-framework/core' +import type { OriginalVerifiableCredential as SphereonW3cVerifiableCredential } from '@sphereon/ssi-types' + +import { + SdJwtVcApi, + JwtPayload, + Agent, + AriesFrameworkError, + DidKey, + DidsApi, + JsonTransformer, + JwsService, + KeyType, + TypedArrayEncoder, + W3cCredential, + W3cCredentialService, + W3cCredentialSubject, + W3cIssuer, + W3cJsonLdVerifiableCredential, + W3cJwtVerifiableCredential, + equalsIgnoreOrder, + getJwkFromKey, + getKeyFromVerificationMethod, + w3cDate, +} from '@aries-framework/core' + +import { AskarModule } from '../../../../askar/src' +import { askarModuleConfig } from '../../../../askar/tests/helpers' +import { agentDependencies } from '../../../../node/src' +import { OpenId4VciCredentialFormatProfile } from '../../shared' +import { OpenId4VcIssuerModule } from '../OpenId4VcIssuerModule' +import { OpenId4VcIssuerModuleConfig } from '../OpenId4VcIssuerModuleConfig' + +const openBadgeCredential = { + id: 'https://openid4vc-issuer.com/credentials/OpenBadgeCredential', + format: OpenId4VciCredentialFormatProfile.JwtVcJson, + types: ['VerifiableCredential', 'OpenBadgeCredential'], +} satisfies OpenId4VciCredentialSupportedWithId + +const universityDegreeCredential = { + id: 'https://openid4vc-issuer.com/credentials/UniversityDegreeCredential', + format: OpenId4VciCredentialFormatProfile.JwtVcJson, + types: ['VerifiableCredential', 'UniversityDegreeCredential'], +} satisfies OpenId4VciCredentialSupportedWithId + +const universityDegreeCredentialLd = { + id: 'https://openid4vc-issuer.com/credentials/UniversityDegreeCredentialLd', + format: OpenId4VciCredentialFormatProfile.JwtVcJsonLd, + '@context': [], + types: ['VerifiableCredential', 'UniversityDegreeCredential'], +} satisfies OpenId4VciCredentialSupportedWithId + +const universityDegreeCredentialSdJwt = { + id: 'https://openid4vc-issuer.com/credentials/UniversityDegreeCredentialSdJwt', + format: OpenId4VciCredentialFormatProfile.SdJwtVc, + vct: 'UniversityDegreeCredential', +} satisfies OpenId4VciCredentialSupportedWithId + +const modules = { + openId4VcIssuer: new OpenId4VcIssuerModule({ + baseUrl: 'https://openid4vc-issuer.com', + endpoints: { + credential: { + credentialRequestToCredentialMapper: () => { + throw new Error('Not implemented') + }, + }, + }, + }), + askar: new AskarModule(askarModuleConfig), +} + +const jwsService = new JwsService() + +const createCredentialRequest = async ( + agentContext: AgentContext, + options: { + issuerMetadata: OpenId4VcIssuerMetadata + credentialSupported: OpenId4VciCredentialSupportedWithId + nonce: string + kid: string + clientId?: string // use with the authorization code flow, + } +): Promise => { + const { credentialSupported, kid, nonce, issuerMetadata, clientId } = options + + const didsApi = agentContext.dependencyManager.resolve(DidsApi) + const didDocument = await didsApi.resolveDidDocument(kid) + if (!didDocument.verificationMethod) { + throw new AriesFrameworkError(`No verification method found for kid ${kid}`) + } + + const verificationMethod = didDocument.dereferenceKey(kid, ['authentication', 'assertionMethod']) + const key = getKeyFromVerificationMethod(verificationMethod) + const jwk = getJwkFromKey(key) + + const jws = await jwsService.createJwsCompact(agentContext, { + protectedHeaderOptions: { alg: jwk.supportedSignatureAlgorithms[0], kid, typ: 'openid4vci-proof+jwt' }, + payload: new JwtPayload({ + iat: Math.floor(Date.now() / 1000), // unix time + iss: clientId, + aud: issuerMetadata.issuerUrl, + additionalClaims: { + nonce, + }, + }), + key, + }) + + if (credentialSupported.format === OpenId4VciCredentialFormatProfile.JwtVcJson) { + return { ...credentialSupported, proof: { jwt: jws, proof_type: 'jwt' } } + } else if ( + credentialSupported.format === OpenId4VciCredentialFormatProfile.JwtVcJsonLd || + credentialSupported.format === OpenId4VciCredentialFormatProfile.LdpVc + ) { + return { + format: credentialSupported.format, + credential_definition: { '@context': credentialSupported['@context'], types: credentialSupported.types }, + proof: { jwt: jws, proof_type: 'jwt' }, + } + } else if (credentialSupported.format === OpenId4VciCredentialFormatProfile.SdJwtVc) { + return { ...credentialSupported, proof: { jwt: jws, proof_type: 'jwt' } } + } + + throw new Error('Unsupported format') +} + +const issuer = new Agent({ + config: { + label: 'OpenId4VcIssuer Test323', + walletConfig: { + id: 'openid4vc-Issuer-test323', + key: 'openid4vc-Issuer-test323', + }, + }, + dependencies: agentDependencies, + modules, +}) + +const holder = new Agent({ + config: { + label: 'OpenId4VciIssuer(Holder) Test323', + walletConfig: { + id: 'openid4vc-Issuer(Holder)-test323', + key: 'openid4vc-Issuer(Holder)-test323', + }, + }, + dependencies: agentDependencies, + modules, +}) + +describe('OpenId4VcIssuer', () => { + let issuerVerificationMethod: VerificationMethod + let issuerDid: string + let openId4VcIssuer: OpenId4VcIssuerRecord + + let holderKid: string + let holderVerificationMethod: VerificationMethod + let holderDid: string + + beforeEach(async () => { + await issuer.initialize() + await holder.initialize() + + const holderDidCreateResult = await holder.dids.create({ + method: 'key', + options: { keyType: KeyType.Ed25519 }, + secret: { privateKey: TypedArrayEncoder.fromString('96213c3d7fc8d4d6754c7a0fd969598e') }, + }) + + holderDid = holderDidCreateResult.didState.did as string + const holderDidKey = DidKey.fromDid(holderDid) + holderKid = `${holderDid}#${holderDidKey.key.fingerprint}` + const _holderVerificationMethod = holderDidCreateResult.didState.didDocument?.dereferenceKey(holderKid, [ + 'authentication', + ]) + if (!_holderVerificationMethod) throw new Error('No verification method found') + holderVerificationMethod = _holderVerificationMethod + + const issuerDidCreateResult = await issuer.dids.create({ + method: 'key', + options: { keyType: KeyType.Ed25519 }, + secret: { privateKey: TypedArrayEncoder.fromString('96213c3d7fc8d4d6754c7a0fd969598f') }, + }) + + issuerDid = issuerDidCreateResult.didState.did as string + + const issuerDidKey = DidKey.fromDid(issuerDid) + const issuerKid = `${issuerDid}#${issuerDidKey.key.fingerprint}` + const _issuerVerificationMethod = issuerDidCreateResult.didState.didDocument?.dereferenceKey(issuerKid, [ + 'authentication', + ]) + if (!_issuerVerificationMethod) throw new Error('No verification method found') + issuerVerificationMethod = _issuerVerificationMethod + + openId4VcIssuer = await issuer.modules.openId4VcIssuer.createIssuer({ + credentialsSupported: [ + openBadgeCredential, + universityDegreeCredential, + universityDegreeCredentialLd, + universityDegreeCredentialSdJwt, + ], + }) + }) + + afterEach(async () => { + await issuer.shutdown() + await issuer.wallet.delete() + + await holder.shutdown() + await holder.wallet.delete() + }) + + // This method is available on the holder service, + // would be nice to reuse + async function handleCredentialResponse( + agentContext: AgentContext, + sphereonVerifiableCredential: SphereonW3cVerifiableCredential, + credentialSupported: OpenId4VciCredentialSupportedWithId + ) { + if (credentialSupported.format === 'vc+sd-jwt' && typeof sphereonVerifiableCredential === 'string') { + const api = agentContext.dependencyManager.resolve(SdJwtVcApi) + await api.verify({ compactSdJwtVc: sphereonVerifiableCredential }) + return + } + + const w3cCredentialService = holder.context.dependencyManager.resolve(W3cCredentialService) + + let result: W3cVerifyCredentialResult + let w3cVerifiableCredential: W3cVerifiableCredential + + if (typeof sphereonVerifiableCredential === 'string') { + if (credentialSupported.format !== 'jwt_vc_json' && credentialSupported.format !== 'jwt_vc_json-ld') { + throw new Error(`Invalid format. ${credentialSupported.format}`) + } + w3cVerifiableCredential = W3cJwtVerifiableCredential.fromSerializedJwt(sphereonVerifiableCredential) + result = await w3cCredentialService.verifyCredential(holder.context, { credential: w3cVerifiableCredential }) + } else if (credentialSupported.format === 'ldp_vc') { + if (credentialSupported.format !== 'ldp_vc') throw new Error('Invalid format') + // validate jwt credentials + + w3cVerifiableCredential = JsonTransformer.fromJSON(sphereonVerifiableCredential, W3cJsonLdVerifiableCredential) + result = await w3cCredentialService.verifyCredential(holder.context, { credential: w3cVerifiableCredential }) + } else { + throw new AriesFrameworkError(`Unsupported credential format`) + } + + if (!result.isValid) { + holder.context.config.logger.error('Failed to validate credential', { result }) + throw new AriesFrameworkError(`Failed to validate credential, error = ${result.error?.message ?? 'Unknown'}`) + } + + if (equalsIgnoreOrder(w3cVerifiableCredential.type, credentialSupported.types) === false) { + throw new Error('Invalid credential type') + } + return w3cVerifiableCredential + } + + it('pre authorized code flow (sd-jwt-vc)', async () => { + const cNonce = '1234' + const preAuthorizedCode = '1234567890' + + await issuer.modules.openId4VcIssuer.config + .getCNonceStateManager(issuer.context) + .set(cNonce, { cNonce: cNonce, createdAt: Date.now(), preAuthorizedCode }) + + const result = await issuer.modules.openId4VcIssuer.createCredentialOffer({ + issuerId: openId4VcIssuer.issuerId, + offeredCredentials: [universityDegreeCredentialSdJwt.id], + preAuthorizedCodeFlowConfig: { + preAuthorizedCode, + userPinRequired: false, + }, + }) + + expect(result.credentialOfferPayload).toEqual({ + credential_issuer: `https://openid4vc-issuer.com/${openId4VcIssuer.issuerId}`, + credentials: ['https://openid4vc-issuer.com/credentials/UniversityDegreeCredentialSdJwt'], + grants: { + authorization_code: undefined, + 'urn:ietf:params:oauth:grant-type:pre-authorized_code': { + 'pre-authorized_code': '1234567890', + user_pin_required: false, + }, + }, + }) + + expect(result.credentialOffer).toEqual( + `openid-credential-offer://?credential_offer=%7B%22grants%22%3A%7B%22urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Apre-authorized_code%22%3A%7B%22pre-authorized_code%22%3A%221234567890%22%2C%22user_pin_required%22%3Afalse%7D%7D%2C%22credentials%22%3A%5B%22https%3A%2F%2Fopenid4vc-issuer.com%2Fcredentials%2FUniversityDegreeCredentialSdJwt%22%5D%2C%22credential_issuer%22%3A%22https%3A%2F%2Fopenid4vc-issuer.com%2F${openId4VcIssuer.issuerId}%22%7D` + ) + + const issuerMetadata = await issuer.modules.openId4VcIssuer.getIssuerMetadata(openId4VcIssuer.issuerId) + const credentialRequest = await createCredentialRequest(holder.context, { + credentialSupported: universityDegreeCredentialSdJwt, + issuerMetadata, + kid: holderKid, + nonce: cNonce, + }) + + const issueCredentialResponse = await issuer.modules.openId4VcIssuer.createCredentialResponse({ + issuerId: openId4VcIssuer.issuerId, + credentialRequest, + + credentialRequestToCredentialMapper: () => ({ + format: 'vc+sd-jwt', + payload: { vct: 'UniversityDegreeCredential', university: 'innsbruck', degree: 'bachelor' }, + issuer: { method: 'did', didUrl: issuerVerificationMethod.id }, + holder: { method: 'did', didUrl: holderVerificationMethod.id }, + disclosureFrame: { university: true, degree: true }, + }), + }) + + const sphereonW3cCredential = issueCredentialResponse.credential + if (!sphereonW3cCredential) throw new Error('No credential found') + + expect(issueCredentialResponse).toEqual({ + c_nonce: expect.any(String), + c_nonce_expires_in: 300000, + credential: expect.any(String), + format: 'vc+sd-jwt', + }) + + await handleCredentialResponse(holder.context, sphereonW3cCredential, universityDegreeCredentialSdJwt) + }) + + it('pre authorized code flow (jwt-vc-json)', async () => { + const cNonce = '1234' + const preAuthorizedCode = '1234567890' + + await issuer.context.dependencyManager + .resolve(OpenId4VcIssuerModuleConfig) + .getCNonceStateManager(issuer.context) + .set(cNonce, { cNonce: cNonce, createdAt: Date.now(), preAuthorizedCode }) + + const result = await issuer.modules.openId4VcIssuer.createCredentialOffer({ + issuerId: openId4VcIssuer.issuerId, + offeredCredentials: [openBadgeCredential.id], + preAuthorizedCodeFlowConfig: { + preAuthorizedCode, + userPinRequired: false, + }, + }) + + expect(result.credentialOffer).toEqual( + `openid-credential-offer://?credential_offer=%7B%22grants%22%3A%7B%22urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Apre-authorized_code%22%3A%7B%22pre-authorized_code%22%3A%221234567890%22%2C%22user_pin_required%22%3Afalse%7D%7D%2C%22credentials%22%3A%5B%22https%3A%2F%2Fopenid4vc-issuer.com%2Fcredentials%2FOpenBadgeCredential%22%5D%2C%22credential_issuer%22%3A%22https%3A%2F%2Fopenid4vc-issuer.com%2F${openId4VcIssuer.issuerId}%22%7D` + ) + + const issuerMetadata = await issuer.modules.openId4VcIssuer.getIssuerMetadata(openId4VcIssuer.issuerId) + const issueCredentialResponse = await issuer.modules.openId4VcIssuer.createCredentialResponse({ + issuerId: openId4VcIssuer.issuerId, + credentialRequestToCredentialMapper: () => ({ + format: 'jwt_vc', + credential: new W3cCredential({ + type: openBadgeCredential.types, + issuer: new W3cIssuer({ id: issuerDid }), + credentialSubject: new W3cCredentialSubject({ id: holderDid }), + issuanceDate: w3cDate(Date.now()), + }), + verificationMethod: issuerVerificationMethod.id, + }), + credentialRequest: await createCredentialRequest(holder.context, { + credentialSupported: openBadgeCredential, + issuerMetadata, + kid: holderKid, + nonce: cNonce, + }), + }) + + const sphereonW3cCredential = issueCredentialResponse.credential + if (!sphereonW3cCredential) throw new Error('No credential found') + + expect(issueCredentialResponse).toEqual({ + c_nonce: expect.any(String), + c_nonce_expires_in: 300000, + credential: expect.any(String), + format: 'jwt_vc_json', + }) + + await handleCredentialResponse(holder.context, sphereonW3cCredential, openBadgeCredential) + }) + + it('credential id not in credential supported errors', async () => { + const cNonce = '1234' + const preAuthorizedCode = '1234567890' + + await issuer.context.dependencyManager + .resolve(OpenId4VcIssuerModuleConfig) + .getCNonceStateManager(issuer.context) + .set(cNonce, { cNonce: cNonce, createdAt: Date.now(), preAuthorizedCode }) + + await expect( + issuer.modules.openId4VcIssuer.createCredentialOffer({ + issuerId: openId4VcIssuer.issuerId, + offeredCredentials: ['invalid id'], + preAuthorizedCodeFlowConfig: { + preAuthorizedCode, + userPinRequired: false, + }, + }) + ).rejects.toThrowError( + "Offered credential 'invalid id' is not part of credentials_supported of the issuer metadata." + ) + }) + + it('issuing non offered credential errors', async () => { + const cNonce = '1234' + const preAuthorizedCode = '1234567890' + + await issuer.context.dependencyManager + .resolve(OpenId4VcIssuerModuleConfig) + .getCNonceStateManager(issuer.context) + .set(cNonce, { cNonce: cNonce, createdAt: Date.now(), preAuthorizedCode }) + + const result = await issuer.modules.openId4VcIssuer.createCredentialOffer({ + issuerId: openId4VcIssuer.issuerId, + offeredCredentials: [openBadgeCredential.id], + preAuthorizedCodeFlowConfig: { + preAuthorizedCode, + userPinRequired: false, + }, + }) + + expect(result.credentialOffer).toEqual( + `openid-credential-offer://?credential_offer=%7B%22grants%22%3A%7B%22urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Apre-authorized_code%22%3A%7B%22pre-authorized_code%22%3A%221234567890%22%2C%22user_pin_required%22%3Afalse%7D%7D%2C%22credentials%22%3A%5B%22https%3A%2F%2Fopenid4vc-issuer.com%2Fcredentials%2FOpenBadgeCredential%22%5D%2C%22credential_issuer%22%3A%22https%3A%2F%2Fopenid4vc-issuer.com%2F${openId4VcIssuer.issuerId}%22%7D` + ) + + const issuerMetadata = await issuer.modules.openId4VcIssuer.getIssuerMetadata(openId4VcIssuer.issuerId) + await expect( + issuer.modules.openId4VcIssuer.createCredentialResponse({ + issuerId: openId4VcIssuer.issuerId, + + credentialRequest: await createCredentialRequest(holder.context, { + credentialSupported: universityDegreeCredential, + issuerMetadata, + kid: holderKid, + nonce: cNonce, + }), + credentialRequestToCredentialMapper: () => { + throw new Error('Not implemented') + }, + }) + ).rejects.toThrowError('No offered credentials match the credential request.') + }) + + it('pre authorized code flow using multiple credentials_supported', async () => { + const cNonce = '1234' + const preAuthorizedCode = '1234567890' + + await issuer.context.dependencyManager + .resolve(OpenId4VcIssuerModuleConfig) + .getCNonceStateManager(issuer.context) + .set(cNonce, { cNonce: cNonce, createdAt: Date.now(), preAuthorizedCode }) + + const result = await issuer.modules.openId4VcIssuer.createCredentialOffer({ + offeredCredentials: [openBadgeCredential.id, universityDegreeCredentialLd.id], + issuerId: openId4VcIssuer.issuerId, + preAuthorizedCodeFlowConfig: { + preAuthorizedCode, + userPinRequired: false, + }, + }) + + expect(result.credentialOffer).toEqual( + `openid-credential-offer://?credential_offer=%7B%22grants%22%3A%7B%22urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Apre-authorized_code%22%3A%7B%22pre-authorized_code%22%3A%221234567890%22%2C%22user_pin_required%22%3Afalse%7D%7D%2C%22credentials%22%3A%5B%22https%3A%2F%2Fopenid4vc-issuer.com%2Fcredentials%2FOpenBadgeCredential%22%2C%22https%3A%2F%2Fopenid4vc-issuer.com%2Fcredentials%2FUniversityDegreeCredentialLd%22%5D%2C%22credential_issuer%22%3A%22https%3A%2F%2Fopenid4vc-issuer.com%2F${openId4VcIssuer.issuerId}%22%7D` + ) + + const issuerMetadata = await issuer.modules.openId4VcIssuer.getIssuerMetadata(openId4VcIssuer.issuerId) + const issueCredentialResponse = await issuer.modules.openId4VcIssuer.createCredentialResponse({ + issuerId: openId4VcIssuer.issuerId, + credentialRequest: await createCredentialRequest(holder.context, { + credentialSupported: universityDegreeCredentialLd, + issuerMetadata, + kid: holderKid, + nonce: cNonce, + }), + credentialRequestToCredentialMapper: () => ({ + format: 'jwt_vc', + credential: new W3cCredential({ + type: universityDegreeCredentialLd.types, + issuer: new W3cIssuer({ id: issuerDid }), + credentialSubject: new W3cCredentialSubject({ id: holderDid }), + issuanceDate: w3cDate(Date.now()), + }), + verificationMethod: issuerVerificationMethod.id, + }), + }) + + const sphereonW3cCredential = issueCredentialResponse.credential + if (!sphereonW3cCredential) throw new Error('No credential found') + + expect(issueCredentialResponse).toEqual({ + c_nonce: expect.any(String), + c_nonce_expires_in: 300000, + credential: expect.any(String), + format: 'jwt_vc_json-ld', + }) + + await handleCredentialResponse(holder.context, sphereonW3cCredential, universityDegreeCredentialLd) + }) + + it('requesting non offered credential errors', async () => { + const cNonce = '1234' + const preAuthorizedCode = '1234567890' + + await issuer.context.dependencyManager + .resolve(OpenId4VcIssuerModuleConfig) + .getCNonceStateManager(issuer.context) + .set(cNonce, { cNonce: cNonce, createdAt: Date.now(), preAuthorizedCode }) + + const result = await issuer.modules.openId4VcIssuer.createCredentialOffer({ + offeredCredentials: [openBadgeCredential.id], + issuerId: openId4VcIssuer.issuerId, + preAuthorizedCodeFlowConfig: { + preAuthorizedCode, + userPinRequired: false, + }, + }) + + expect(result.credentialOffer).toEqual( + `openid-credential-offer://?credential_offer=%7B%22grants%22%3A%7B%22urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Apre-authorized_code%22%3A%7B%22pre-authorized_code%22%3A%221234567890%22%2C%22user_pin_required%22%3Afalse%7D%7D%2C%22credentials%22%3A%5B%22https%3A%2F%2Fopenid4vc-issuer.com%2Fcredentials%2FOpenBadgeCredential%22%5D%2C%22credential_issuer%22%3A%22https%3A%2F%2Fopenid4vc-issuer.com%2F${openId4VcIssuer.issuerId}%22%7D` + ) + + const issuerMetadata = await issuer.modules.openId4VcIssuer.getIssuerMetadata(openId4VcIssuer.issuerId) + await expect( + issuer.modules.openId4VcIssuer.createCredentialResponse({ + issuerId: openId4VcIssuer.issuerId, + credentialRequest: await createCredentialRequest(holder.context, { + credentialSupported: { + id: 'someid', + format: openBadgeCredential.format, + types: universityDegreeCredential.types, + }, + issuerMetadata, + kid: holderKid, + nonce: cNonce, + }), + credentialRequestToCredentialMapper: () => { + throw new Error('Not implemented') + }, + }) + ).rejects.toThrowError('No offered credentials match the credential request.') + }) + + it('authorization code flow', async () => { + const cNonce = '1234' + const issuerState = '1234567890' + + await issuer.context.dependencyManager + .resolve(OpenId4VcIssuerModuleConfig) + .getCNonceStateManager(issuer.context) + .set(cNonce, { cNonce: cNonce, createdAt: Date.now(), issuerState }) + + const result = await issuer.modules.openId4VcIssuer.createCredentialOffer({ + offeredCredentials: [openBadgeCredential.id], + issuerId: openId4VcIssuer.issuerId, + authorizationCodeFlowConfig: { + issuerState, + }, + }) + + expect(result.credentialOffer).toEqual( + `openid-credential-offer://?credential_offer=%7B%22grants%22%3A%7B%22authorization_code%22%3A%7B%22issuer_state%22%3A%221234567890%22%7D%7D%2C%22credentials%22%3A%5B%22https%3A%2F%2Fopenid4vc-issuer.com%2Fcredentials%2FOpenBadgeCredential%22%5D%2C%22credential_issuer%22%3A%22https%3A%2F%2Fopenid4vc-issuer.com%2F${openId4VcIssuer.issuerId}%22%7D` + ) + + const issuerMetadata = await issuer.modules.openId4VcIssuer.getIssuerMetadata(openId4VcIssuer.issuerId) + const issueCredentialResponse = await issuer.modules.openId4VcIssuer.createCredentialResponse({ + issuerId: openId4VcIssuer.issuerId, + credentialRequest: await createCredentialRequest(holder.context, { + credentialSupported: openBadgeCredential, + issuerMetadata, + kid: holderKid, + nonce: cNonce, + clientId: 'required', + }), + credentialRequestToCredentialMapper: () => ({ + format: 'jwt_vc', + credential: new W3cCredential({ + type: ['VerifiableCredential', 'OpenBadgeCredential'], + issuer: new W3cIssuer({ id: issuerDid }), + credentialSubject: new W3cCredentialSubject({ id: holderDid }), + issuanceDate: w3cDate(Date.now()), + }), + verificationMethod: issuerVerificationMethod.id, + }), + }) + + const sphereonW3cCredential = issueCredentialResponse.credential + if (!sphereonW3cCredential) throw new Error('No credential found') + + expect(issueCredentialResponse).toEqual({ + c_nonce: expect.any(String), + c_nonce_expires_in: 300000, + credential: expect.any(String), + format: 'jwt_vc_json', + }) + + await handleCredentialResponse(holder.context, sphereonW3cCredential, openBadgeCredential) + }) + + it('create credential offer and retrieve it from the uri (pre authorized flow)', async () => { + const preAuthorizedCode = '1234567890' + + const hostedCredentialOfferUrl = 'https://openid4vc-issuer.com/credential-offer-uri' + + const { credentialOffer, credentialOfferPayload } = await issuer.modules.openId4VcIssuer.createCredentialOffer({ + issuerId: openId4VcIssuer.issuerId, + offeredCredentials: [openBadgeCredential.id], + hostedCredentialOfferUrl, + preAuthorizedCodeFlowConfig: { + preAuthorizedCode, + userPinRequired: false, + }, + }) + + expect(credentialOffer).toEqual(`openid-credential-offer://?credential_offer_uri=${hostedCredentialOfferUrl}`) + + const credentialOfferReceivedByUri = await issuer.modules.openId4VcIssuer.getCredentialOfferFromUri( + hostedCredentialOfferUrl + ) + + expect(credentialOfferPayload).toEqual(credentialOfferReceivedByUri) + }) + + it('create credential offer and retrieve it from the uri (authorizationCodeFlow)', async () => { + const hostedCredentialOfferUrl = 'https://openid4vc-issuer.com/credential-offer-uri' + + const { credentialOffer, credentialOfferPayload } = await issuer.modules.openId4VcIssuer.createCredentialOffer({ + offeredCredentials: [openBadgeCredential.id], + issuerId: openId4VcIssuer.issuerId, + hostedCredentialOfferUrl, + authorizationCodeFlowConfig: { issuerState: '1234567890' }, + }) + + expect(credentialOffer).toEqual(`openid-credential-offer://?credential_offer_uri=${hostedCredentialOfferUrl}`) + + const credentialOfferReceivedByUri = await issuer.modules.openId4VcIssuer.getCredentialOfferFromUri( + hostedCredentialOfferUrl + ) + + expect(credentialOfferPayload).toEqual(credentialOfferReceivedByUri) + }) + + it('offer and request multiple credentials', async () => { + const cNonce = '1234' + const preAuthorizedCode = '1234567890' + + await issuer.context.dependencyManager + .resolve(OpenId4VcIssuerModuleConfig) + .getCNonceStateManager(issuer.context) + .set(cNonce, { cNonce: cNonce, createdAt: Date.now(), preAuthorizedCode }) + + const result = await issuer.modules.openId4VcIssuer.createCredentialOffer({ + offeredCredentials: [openBadgeCredential.id, universityDegreeCredential.id], + issuerId: openId4VcIssuer.issuerId, + preAuthorizedCodeFlowConfig: { + preAuthorizedCode, + userPinRequired: false, + }, + }) + + expect(result.credentialOffer).toEqual( + `openid-credential-offer://?credential_offer=%7B%22grants%22%3A%7B%22urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Apre-authorized_code%22%3A%7B%22pre-authorized_code%22%3A%221234567890%22%2C%22user_pin_required%22%3Afalse%7D%7D%2C%22credentials%22%3A%5B%22https%3A%2F%2Fopenid4vc-issuer.com%2Fcredentials%2FOpenBadgeCredential%22%2C%22https%3A%2F%2Fopenid4vc-issuer.com%2Fcredentials%2FUniversityDegreeCredential%22%5D%2C%22credential_issuer%22%3A%22https%3A%2F%2Fopenid4vc-issuer.com%2F${openId4VcIssuer.issuerId}%22%7D` + ) + + const credentialRequestToCredentialMapper: OpenId4VciCredentialRequestToCredentialMapper = ({ + credentialsSupported, + }) => ({ + format: 'jwt_vc', + credential: new W3cCredential({ + type: + credentialsSupported[0].id === openBadgeCredential.id + ? openBadgeCredential.types + : universityDegreeCredential.types, + issuer: new W3cIssuer({ id: issuerDid }), + credentialSubject: new W3cCredentialSubject({ id: holderDid }), + issuanceDate: w3cDate(Date.now()), + }), + verificationMethod: issuerVerificationMethod.id, + }) + + const issuerMetadata = await issuer.modules.openId4VcIssuer.getIssuerMetadata(openId4VcIssuer.issuerId) + const issueCredentialResponse = await issuer.modules.openId4VcIssuer.createCredentialResponse({ + issuerId: openId4VcIssuer.issuerId, + credentialRequest: await createCredentialRequest(holder.context, { + credentialSupported: openBadgeCredential, + issuerMetadata, + kid: holderKid, + nonce: cNonce, + }), + credentialRequestToCredentialMapper, + }) + + const sphereonW3cCredential = issueCredentialResponse.credential + if (!sphereonW3cCredential) throw new Error('No credential found') + + expect(issueCredentialResponse).toEqual({ + c_nonce: expect.any(String), + c_nonce_expires_in: 300000, + credential: expect.any(String), + format: 'jwt_vc_json', + }) + + await handleCredentialResponse(holder.context, sphereonW3cCredential, openBadgeCredential) + + const issueCredentialResponse2 = await issuer.modules.openId4VcIssuer.createCredentialResponse({ + issuerId: openId4VcIssuer.issuerId, + credentialRequest: await createCredentialRequest(holder.context, { + credentialSupported: universityDegreeCredential, + issuerMetadata, + kid: holderKid, + nonce: issueCredentialResponse.c_nonce ?? cNonce, + }), + credentialRequestToCredentialMapper, + }) + + const sphereonW3cCredential2 = issueCredentialResponse2.credential + if (!sphereonW3cCredential2) throw new Error('No credential found') + + expect(issueCredentialResponse2).toEqual({ + c_nonce: expect.any(String), + c_nonce_expires_in: 300000, + credential: expect.any(String), + format: 'jwt_vc_json', + }) + + await handleCredentialResponse(holder.context, sphereonW3cCredential2, universityDegreeCredential) + }) +}) diff --git a/packages/openid4vc/src/openid4vc-issuer/index.ts b/packages/openid4vc/src/openid4vc-issuer/index.ts new file mode 100644 index 0000000000..ed7cf40ba0 --- /dev/null +++ b/packages/openid4vc/src/openid4vc-issuer/index.ts @@ -0,0 +1,6 @@ +export * from './OpenId4VcIssuerApi' +export * from './OpenId4VcIssuerModule' +export * from './OpenId4VcIssuerService' +export * from './OpenId4VcIssuerModuleConfig' +export * from './OpenId4VcIssuerServiceOptions' +export { OpenId4VcIssuerRecord, OpenId4VcIssuerRecordProps, OpenId4VcIssuerRecordTags } from './repository' diff --git a/packages/openid4vc/src/openid4vc-issuer/repository/OpenId4VcIssuerRecord.ts b/packages/openid4vc/src/openid4vc-issuer/repository/OpenId4VcIssuerRecord.ts new file mode 100644 index 0000000000..0ad60a69bb --- /dev/null +++ b/packages/openid4vc/src/openid4vc-issuer/repository/OpenId4VcIssuerRecord.ts @@ -0,0 +1,60 @@ +import type { OpenId4VciCredentialSupportedWithId, OpenId4VciIssuerMetadataDisplay } from '../../shared' +import type { RecordTags, TagsBase } from '@aries-framework/core' + +import { BaseRecord, utils } from '@aries-framework/core' + +export type OpenId4VcIssuerRecordTags = RecordTags + +export type DefaultOpenId4VcIssuerRecordTags = { + issuerId: string +} + +export interface OpenId4VcIssuerRecordProps { + id?: string + createdAt?: Date + tags?: TagsBase + + issuerId: string + + /** + * The fingerprint (multibase encoded) of the public key used to sign access tokens for + * this issuer. + */ + accessTokenPublicKeyFingerprint: string + + credentialsSupported: OpenId4VciCredentialSupportedWithId[] + display?: OpenId4VciIssuerMetadataDisplay[] +} + +export class OpenId4VcIssuerRecord extends BaseRecord { + public static readonly type = 'OpenId4VcIssuerRecord' + public readonly type = OpenId4VcIssuerRecord.type + + public issuerId!: string + public accessTokenPublicKeyFingerprint!: string + + public credentialsSupported!: OpenId4VciCredentialSupportedWithId[] + public display?: OpenId4VciIssuerMetadataDisplay[] + + public constructor(props: OpenId4VcIssuerRecordProps) { + super() + + if (props) { + this.id = props.id ?? utils.uuid() + this.createdAt = props.createdAt ?? new Date() + this._tags = props.tags ?? {} + + this.issuerId = props.issuerId + this.accessTokenPublicKeyFingerprint = props.accessTokenPublicKeyFingerprint + this.credentialsSupported = props.credentialsSupported + this.display = props.display + } + } + + public getTags() { + return { + ...this._tags, + issuerId: this.issuerId, + } + } +} diff --git a/packages/openid4vc/src/openid4vc-issuer/repository/OpenId4VcIssuerRepository.ts b/packages/openid4vc/src/openid4vc-issuer/repository/OpenId4VcIssuerRepository.ts new file mode 100644 index 0000000000..f6387ef514 --- /dev/null +++ b/packages/openid4vc/src/openid4vc-issuer/repository/OpenId4VcIssuerRepository.ts @@ -0,0 +1,23 @@ +import type { AgentContext } from '@aries-framework/core' + +import { Repository, StorageService, InjectionSymbols, EventEmitter, inject, injectable } from '@aries-framework/core' + +import { OpenId4VcIssuerRecord } from './OpenId4VcIssuerRecord' + +@injectable() +export class OpenId4VcIssuerRepository extends Repository { + public constructor( + @inject(InjectionSymbols.StorageService) storageService: StorageService, + eventEmitter: EventEmitter + ) { + super(OpenId4VcIssuerRecord, storageService, eventEmitter) + } + + public findByIssuerId(agentContext: AgentContext, issuerId: string) { + return this.findSingleByQuery(agentContext, { issuerId }) + } + + public getByIssuerId(agentContext: AgentContext, issuerId: string) { + return this.getSingleByQuery(agentContext, { issuerId }) + } +} diff --git a/packages/openid4vc/src/openid4vc-issuer/repository/index.ts b/packages/openid4vc/src/openid4vc-issuer/repository/index.ts new file mode 100644 index 0000000000..8b124ec167 --- /dev/null +++ b/packages/openid4vc/src/openid4vc-issuer/repository/index.ts @@ -0,0 +1,2 @@ +export * from './OpenId4VcIssuerRecord' +export * from './OpenId4VcIssuerRepository' diff --git a/packages/openid4vc/src/openid4vc-issuer/router/accessTokenEndpoint.ts b/packages/openid4vc/src/openid4vc-issuer/router/accessTokenEndpoint.ts new file mode 100644 index 0000000000..0fcefe2deb --- /dev/null +++ b/packages/openid4vc/src/openid4vc-issuer/router/accessTokenEndpoint.ts @@ -0,0 +1,161 @@ +import type { OpenId4VcIssuanceRequest } from './requestContext' +import type { AgentContext } from '@aries-framework/core' +import type { JWTSignerCallback } from '@sphereon/oid4vci-common' +import type { NextFunction, Response, Router } from 'express' + +import { + getJwkFromKey, + AriesFrameworkError, + JwsService, + JwtPayload, + getJwkClassFromKeyType, + Key, +} from '@aries-framework/core' +import { + GrantTypes, + PRE_AUTHORIZED_CODE_REQUIRED_ERROR, + TokenError, + TokenErrorResponse, +} from '@sphereon/oid4vci-common' +import { assertValidAccessTokenRequest, createAccessTokenResponse } from '@sphereon/oid4vci-issuer' + +import { getRequestContext, sendErrorResponse } from '../../shared/router' +import { OpenId4VcIssuerModuleConfig } from '../OpenId4VcIssuerModuleConfig' +import { OpenId4VcIssuerService } from '../OpenId4VcIssuerService' + +export interface OpenId4VciAccessTokenEndpointConfig { + /** + * The path at which the token endpoint should be made available. Note that it will be + * hosted at a subpath to take into account multiple tenants and issuers. + * + * @default /token + */ + endpointPath: string + + /** + * The maximum amount of time in seconds that the pre-authorized code is valid. + * @default 360 (5 minutes) + */ + preAuthorizedCodeExpirationInSeconds: number + + /** + * The time after which the cNonce from the access token response will + * expire. + * + * @default 360 (5 minutes) + */ + cNonceExpiresInSeconds: number + + /** + * The time after which the token will expire. + * + * @default 360 (5 minutes) + */ + tokenExpiresInSeconds: number +} + +export function configureAccessTokenEndpoint(router: Router, config: OpenId4VciAccessTokenEndpointConfig) { + router.post( + config.endpointPath, + verifyTokenRequest({ preAuthorizedCodeExpirationInSeconds: config.preAuthorizedCodeExpirationInSeconds }), + handleTokenRequest(config) + ) +} + +function getJwtSignerCallback(agentContext: AgentContext, signerPublicKey: Key): JWTSignerCallback { + return async (jwt, _kid) => { + if (_kid) { + throw new AriesFrameworkError('Kid should not be supplied externally.') + } + if (jwt.header.kid || jwt.header.jwk) { + throw new AriesFrameworkError('kid or jwk should not be present in access token header before signing') + } + + const jwsService = agentContext.dependencyManager.resolve(JwsService) + + const alg = getJwkClassFromKeyType(signerPublicKey.keyType)?.supportedSignatureAlgorithms[0] + if (!alg) { + throw new AriesFrameworkError(`No supported signature algorithms for key type: ${signerPublicKey.keyType}`) + } + + const jwk = getJwkFromKey(signerPublicKey) + const signedJwt = await jwsService.createJwsCompact(agentContext, { + protectedHeaderOptions: { ...jwt.header, jwk, alg }, + payload: new JwtPayload(jwt.payload), + key: signerPublicKey, + }) + + return signedJwt + } +} + +export function handleTokenRequest(config: OpenId4VciAccessTokenEndpointConfig) { + const { tokenExpiresInSeconds, cNonceExpiresInSeconds } = config + + return async (request: OpenId4VcIssuanceRequest, response: Response, next: NextFunction) => { + response.set({ 'Cache-Control': 'no-store', Pragma: 'no-cache' }) + + const requestContext = getRequestContext(request) + const { agentContext, issuer } = requestContext + + if (request.body.grant_type !== GrantTypes.PRE_AUTHORIZED_CODE) { + return response.status(400).json({ + error: TokenErrorResponse.invalid_request, + error_description: PRE_AUTHORIZED_CODE_REQUIRED_ERROR, + }) + } + + const openId4VcIssuerConfig = agentContext.dependencyManager.resolve(OpenId4VcIssuerModuleConfig) + const openId4VcIssuerService = agentContext.dependencyManager.resolve(OpenId4VcIssuerService) + const issuerMetadata = openId4VcIssuerService.getIssuerMetadata(agentContext, issuer) + const accessTokenSigningKey = Key.fromFingerprint(issuer.accessTokenPublicKeyFingerprint) + + try { + const accessTokenResponse = await createAccessTokenResponse(request.body, { + credentialOfferSessions: openId4VcIssuerConfig.getCredentialOfferSessionStateManager(agentContext), + tokenExpiresIn: tokenExpiresInSeconds, + accessTokenIssuer: issuerMetadata.issuerUrl, + cNonce: await agentContext.wallet.generateNonce(), + cNonceExpiresIn: cNonceExpiresInSeconds, + cNonces: openId4VcIssuerConfig.getCNonceStateManager(agentContext), + accessTokenSignerCallback: getJwtSignerCallback(agentContext, accessTokenSigningKey), + }) + response.status(200).json(accessTokenResponse) + } catch (error) { + sendErrorResponse(response, agentContext.config.logger, 400, TokenErrorResponse.invalid_request, error) + } + + // NOTE: if we don't call next, the agentContext session handler will NOT be called + next() + } +} + +export function verifyTokenRequest(options: { preAuthorizedCodeExpirationInSeconds: number }) { + return async (request: OpenId4VcIssuanceRequest, response: Response, next: NextFunction) => { + const { agentContext } = getRequestContext(request) + + try { + const openId4VcIssuerConfig = agentContext.dependencyManager.resolve(OpenId4VcIssuerModuleConfig) + await assertValidAccessTokenRequest(request.body, { + // we use seconds instead of milliseconds for consistency + expirationDuration: options.preAuthorizedCodeExpirationInSeconds * 1000, + credentialOfferSessions: openId4VcIssuerConfig.getCredentialOfferSessionStateManager(agentContext), + }) + } catch (error) { + if (error instanceof TokenError) { + sendErrorResponse( + response, + agentContext.config.logger, + error.statusCode, + error.responseError + error.getDescription(), + error + ) + } else { + sendErrorResponse(response, agentContext.config.logger, 400, TokenErrorResponse.invalid_request, error) + } + } + + // NOTE: if we don't call next, the agentContext session handler will NOT be called + next() + } +} diff --git a/packages/openid4vc/src/openid4vc-issuer/router/credentialEndpoint.ts b/packages/openid4vc/src/openid4vc-issuer/router/credentialEndpoint.ts new file mode 100644 index 0000000000..5986be4b1c --- /dev/null +++ b/packages/openid4vc/src/openid4vc-issuer/router/credentialEndpoint.ts @@ -0,0 +1,44 @@ +import type { OpenId4VcIssuanceRequest } from './requestContext' +import type { OpenId4VciCredentialRequest } from '../../shared' +import type { OpenId4VciCredentialRequestToCredentialMapper } from '../OpenId4VcIssuerServiceOptions' +import type { Router, Response } from 'express' + +import { getRequestContext, sendErrorResponse } from '../../shared/router' +import { OpenId4VcIssuerService } from '../OpenId4VcIssuerService' + +export interface OpenId4VciCredentialEndpointConfig { + /** + * The path at which the credential endpoint should be made available. Note that it will be + * hosted at a subpath to take into account multiple tenants and issuers. + * + * @default /credential + */ + endpointPath: string + + /** + * A function mapping a credential request to the credential to be issued. + */ + credentialRequestToCredentialMapper: OpenId4VciCredentialRequestToCredentialMapper +} + +export function configureCredentialEndpoint(router: Router, config: OpenId4VciCredentialEndpointConfig) { + router.post(config.endpointPath, async (request: OpenId4VcIssuanceRequest, response: Response, next) => { + const { agentContext, issuer } = getRequestContext(request) + + try { + const openId4VcIssuerService = agentContext.dependencyManager.resolve(OpenId4VcIssuerService) + const credentialRequest = request.body as OpenId4VciCredentialRequest + const issueCredentialResponse = await openId4VcIssuerService.createCredentialResponse(agentContext, { + issuer, + credentialRequest, + }) + + response.json(issueCredentialResponse) + } catch (error) { + sendErrorResponse(response, agentContext.config.logger, 500, 'invalid_request', error) + } + + // NOTE: if we don't call next, the agentContext session handler will NOT be called + next() + }) +} diff --git a/packages/openid4vc/src/openid4vc-issuer/router/index.ts b/packages/openid4vc/src/openid4vc-issuer/router/index.ts new file mode 100644 index 0000000000..fc1bb807ee --- /dev/null +++ b/packages/openid4vc/src/openid4vc-issuer/router/index.ts @@ -0,0 +1,4 @@ +export { configureAccessTokenEndpoint, OpenId4VciAccessTokenEndpointConfig } from './accessTokenEndpoint' +export { configureCredentialEndpoint, OpenId4VciCredentialEndpointConfig } from './credentialEndpoint' +export { configureIssuerMetadataEndpoint } from './metadataEndpoint' +export { OpenId4VcIssuanceRequest } from './requestContext' diff --git a/packages/openid4vc/src/openid4vc-issuer/router/metadataEndpoint.ts b/packages/openid4vc/src/openid4vc-issuer/router/metadataEndpoint.ts new file mode 100644 index 0000000000..b3ecb4edc4 --- /dev/null +++ b/packages/openid4vc/src/openid4vc-issuer/router/metadataEndpoint.ts @@ -0,0 +1,35 @@ +import type { OpenId4VcIssuanceRequest } from './requestContext' +import type { CredentialIssuerMetadata } from '@sphereon/oid4vci-common' +import type { Router, Response } from 'express' + +import { getRequestContext, sendErrorResponse } from '../../shared/router' +import { OpenId4VcIssuerService } from '../OpenId4VcIssuerService' + +export function configureIssuerMetadataEndpoint(router: Router) { + router.get( + '/.well-known/openid-credential-issuer', + (_request: OpenId4VcIssuanceRequest, response: Response, next) => { + const { agentContext, issuer } = getRequestContext(_request) + + try { + const openId4VcIssuerService = agentContext.dependencyManager.resolve(OpenId4VcIssuerService) + const issuerMetadata = openId4VcIssuerService.getIssuerMetadata(agentContext, issuer) + const transformedMetadata = { + credential_issuer: issuerMetadata.issuerUrl, + token_endpoint: issuerMetadata.tokenEndpoint, + credential_endpoint: issuerMetadata.credentialEndpoint, + authorization_server: issuerMetadata.authorizationServer, + credentials_supported: issuerMetadata.credentialsSupported, + display: issuerMetadata.issuerDisplay, + } satisfies CredentialIssuerMetadata + + response.status(200).json(transformedMetadata) + } catch (e) { + sendErrorResponse(response, agentContext.config.logger, 500, 'invalid_request', e) + } + + // NOTE: if we don't call next, the agentContext session handler will NOT be called + next() + } + ) +} diff --git a/packages/openid4vc/src/openid4vc-issuer/router/requestContext.ts b/packages/openid4vc/src/openid4vc-issuer/router/requestContext.ts new file mode 100644 index 0000000000..69e0caadb3 --- /dev/null +++ b/packages/openid4vc/src/openid4vc-issuer/router/requestContext.ts @@ -0,0 +1,4 @@ +import type { OpenId4VcRequest } from '../../shared/router' +import type { OpenId4VcIssuerRecord } from '../repository' + +export type OpenId4VcIssuanceRequest = OpenId4VcRequest<{ issuer: OpenId4VcIssuerRecord }> diff --git a/packages/openid4vc/src/openid4vc-verifier/OpenId4VcSiopVerifierService.ts b/packages/openid4vc/src/openid4vc-verifier/OpenId4VcSiopVerifierService.ts new file mode 100644 index 0000000000..4d454231fe --- /dev/null +++ b/packages/openid4vc/src/openid4vc-verifier/OpenId4VcSiopVerifierService.ts @@ -0,0 +1,364 @@ +import type { + OpenId4VcSiopCreateAuthorizationRequestOptions, + OpenId4VcSiopCreateAuthorizationRequestReturn, + OpenId4VcSiopVerifiedAuthorizationResponse, + OpenId4VcSiopVerifyAuthorizationResponseOptions, +} from './OpenId4VcSiopVerifierServiceOptions' +import type { OpenId4VcJwtIssuer } from '../shared' +import type { AgentContext, DifPresentationExchangeDefinition } from '@aries-framework/core' +import type { PresentationVerificationCallback, SigningAlgo } from '@sphereon/did-auth-siop' + +import { + AriesFrameworkError, + DidsApi, + inject, + injectable, + InjectionSymbols, + joinUriParts, + JsonTransformer, + Logger, + SdJwtVcApi, + SignatureSuiteRegistry, + utils, + W3cCredentialService, + W3cJsonLdVerifiablePresentation, + Hasher, +} from '@aries-framework/core' +import { + AuthorizationResponse, + CheckLinkedDomain, + PassBy, + PropertyTarget, + ResponseIss, + ResponseMode, + ResponseType, + RevocationVerification, + RP, + SupportedVersion, + VerificationMode, +} from '@sphereon/did-auth-siop' + +import { storeActorIdForContextCorrelationId } from '../shared/router' +import { getVerifiablePresentationFromSphereonWrapped } from '../shared/transform' +import { + getSphereonDidResolver, + getSphereonSuppliedSignatureFromJwtIssuer, + getSupportedJwaSignatureAlgorithms, +} from '../shared/utils' + +import { OpenId4VcVerifierModuleConfig } from './OpenId4VcVerifierModuleConfig' +import { OpenId4VcVerifierRecord, OpenId4VcVerifierRepository } from './repository' + +/** + * @internal + */ +@injectable() +export class OpenId4VcSiopVerifierService { + public constructor( + @inject(InjectionSymbols.Logger) private logger: Logger, + private w3cCredentialService: W3cCredentialService, + private openId4VcVerifierRepository: OpenId4VcVerifierRepository, + private config: OpenId4VcVerifierModuleConfig + ) {} + + public async createAuthorizationRequest( + agentContext: AgentContext, + options: OpenId4VcSiopCreateAuthorizationRequestOptions & { verifier: OpenId4VcVerifierRecord } + ): Promise { + const nonce = await agentContext.wallet.generateNonce() + const state = await agentContext.wallet.generateNonce() + const correlationId = utils.uuid() + + const relyingParty = await this.getRelyingParty(agentContext, options.verifier, { + presentationDefinition: options.presentationExchange?.definition, + requestSigner: options.requestSigner, + }) + + const authorizationRequest = await relyingParty.createAuthorizationRequest({ + correlationId, + nonce, + state, + }) + + const authorizationRequestUri = await authorizationRequest.uri() + + return { + authorizationRequestUri: authorizationRequestUri.encodedUri, + authorizationRequestPayload: authorizationRequest.payload, + } + } + + public async verifyAuthorizationResponse( + agentContext: AgentContext, + options: OpenId4VcSiopVerifyAuthorizationResponseOptions & { verifier: OpenId4VcVerifierRecord } + ): Promise { + const authorizationResponse = await AuthorizationResponse.fromPayload(options.authorizationResponse).catch(() => { + throw new AriesFrameworkError( + `Unable to parse authorization response payload. ${JSON.stringify(options.authorizationResponse)}` + ) + }) + + const responseNonce = await authorizationResponse.getMergedProperty('nonce', { + hasher: Hasher.hash, + }) + const responseState = await authorizationResponse.getMergedProperty('state', { + hasher: Hasher.hash, + }) + const sessionManager = this.config.getSessionManager(agentContext) + + const correlationId = responseNonce + ? await sessionManager.getCorrelationIdByNonce(responseNonce, false) + : responseState + ? await sessionManager.getCorrelationIdByState(responseState, false) + : undefined + + if (!correlationId) { + throw new AriesFrameworkError( + `Unable to find correlationId for nonce '${responseNonce}' or state '${responseState}'` + ) + } + + const requestSessionState = await sessionManager.getRequestStateByCorrelationId(correlationId) + if (!requestSessionState) { + throw new AriesFrameworkError(`Unable to find request state for correlationId '${correlationId}'`) + } + + const requestClientId = await requestSessionState.request.getMergedProperty('client_id') + const requestNonce = await requestSessionState.request.getMergedProperty('nonce') + const requestState = await requestSessionState.request.getMergedProperty('state') + const presentationDefinitionsWithLocation = await requestSessionState.request.getPresentationDefinitions() + + if (!requestNonce || !requestClientId || !requestState) { + throw new AriesFrameworkError( + `Unable to find nonce, state, or client_id in authorization request for correlationId '${correlationId}'` + ) + } + + const relyingParty = await this.getRelyingParty(agentContext, options.verifier, { + presentationDefinition: presentationDefinitionsWithLocation?.[0]?.definition, + clientId: requestClientId, + }) + + const response = await relyingParty.verifyAuthorizationResponse(authorizationResponse.payload, { + audience: requestClientId, + correlationId, + state: requestState, + presentationDefinitions: presentationDefinitionsWithLocation, + verification: { + presentationVerificationCallback: this.getPresentationVerificationCallback(agentContext, { + nonce: requestNonce, + audience: requestClientId, + }), + // FIXME: Supplied mode is not implemented. + // See https://github.com/Sphereon-Opensource/SIOP-OID4VP/issues/55 + mode: VerificationMode.INTERNAL, + resolveOpts: { noUniversalResolverFallback: true, resolver: getSphereonDidResolver(agentContext) }, + }, + }) + + const presentationExchange = response.oid4vpSubmission?.submissionData + ? { + submission: response.oid4vpSubmission.submissionData, + definition: response.oid4vpSubmission.presentationDefinitions[0]?.definition, + presentations: response.oid4vpSubmission?.presentations.map(getVerifiablePresentationFromSphereonWrapped), + } + : undefined + + const idToken = response.authorizationResponse.idToken + ? { + payload: await response.authorizationResponse.idToken.payload(), + } + : undefined + + // TODO: do we need to verify whether idToken or vpToken is present? + // Or is that properly handled by sphereon's library? + return { + // Parameters related to ID Token. + idToken, + + // Parameters related to DIF Presentation Exchange + presentationExchange, + } + } + + public async getAllVerifiers(agentContext: AgentContext) { + return this.openId4VcVerifierRepository.getAll(agentContext) + } + + public async getByVerifierId(agentContext: AgentContext, verifierId: string) { + return this.openId4VcVerifierRepository.getByVerifierId(agentContext, verifierId) + } + + public async updateVerifier(agentContext: AgentContext, verifier: OpenId4VcVerifierRecord) { + return this.openId4VcVerifierRepository.update(agentContext, verifier) + } + + public async createVerifier(agentContext: AgentContext) { + const openId4VcVerifier = new OpenId4VcVerifierRecord({ + verifierId: utils.uuid(), + }) + + await this.openId4VcVerifierRepository.save(agentContext, openId4VcVerifier) + await storeActorIdForContextCorrelationId(agentContext, openId4VcVerifier.verifierId) + return openId4VcVerifier + } + + private async getRelyingParty( + agentContext: AgentContext, + verifier: OpenId4VcVerifierRecord, + { + presentationDefinition, + requestSigner, + clientId, + }: { + presentationDefinition?: DifPresentationExchangeDefinition + requestSigner?: OpenId4VcJwtIssuer + clientId?: string + } + ) { + const authorizationResponseUrl = joinUriParts(this.config.baseUrl, [ + verifier.verifierId, + this.config.authorizationEndpoint.endpointPath, + ]) + + const signatureSuiteRegistry = agentContext.dependencyManager.resolve(SignatureSuiteRegistry) + + const supportedAlgs = getSupportedJwaSignatureAlgorithms(agentContext) as string[] + const supportedProofTypes = signatureSuiteRegistry.supportedProofTypes + + // Check: audience must be set to the issuer with dynamic disc otherwise self-issued.me/v2. + const builder = RP.builder() + + let _clientId = clientId + if (requestSigner) { + const suppliedSignature = await getSphereonSuppliedSignatureFromJwtIssuer(agentContext, requestSigner) + builder.withSignature(suppliedSignature) + + _clientId = suppliedSignature.did + } + + if (!_clientId) { + throw new AriesFrameworkError("Either 'requestSigner' or 'clientId' must be provided.") + } + + // FIXME: we now manually remove did:peer, we should probably allow the user to configure this + const supportedDidMethods = agentContext.dependencyManager + .resolve(DidsApi) + .supportedResolverMethods.filter((m) => m !== 'peer') + + builder + .withRedirectUri(authorizationResponseUrl) + .withIssuer(ResponseIss.SELF_ISSUED_V2) + .withSupportedVersions([SupportedVersion.SIOPv2_D11, SupportedVersion.SIOPv2_D12_OID4VP_D18]) + // TODO: we should probably allow some dynamic values here + .withClientMetadata({ + client_id: _clientId, + passBy: PassBy.VALUE, + idTokenSigningAlgValuesSupported: supportedAlgs as SigningAlgo[], + responseTypesSupported: [ResponseType.VP_TOKEN, ResponseType.ID_TOKEN], + subject_syntax_types_supported: supportedDidMethods.map((m) => `did:${m}`), + vpFormatsSupported: { + jwt_vc: { + alg: supportedAlgs, + }, + jwt_vc_json: { + alg: supportedAlgs, + }, + jwt_vp: { + alg: supportedAlgs, + }, + ldp_vc: { + proof_type: supportedProofTypes, + }, + ldp_vp: { + proof_type: supportedProofTypes, + }, + 'vc+sd-jwt': { + kb_jwt_alg_values: supportedAlgs, + sd_jwt_alg_values: supportedAlgs, + }, + }, + }) + .withCustomResolver(getSphereonDidResolver(agentContext)) + .withResponseMode(ResponseMode.POST) + .withResponseType(presentationDefinition ? [ResponseType.ID_TOKEN, ResponseType.VP_TOKEN] : ResponseType.ID_TOKEN) + .withScope('openid') + .withHasher(Hasher.hash) + // TODO: support hosting requests within AFJ and passing it by reference + .withRequestBy(PassBy.VALUE) + .withCheckLinkedDomain(CheckLinkedDomain.NEVER) + // FIXME: should allow verification of revocation + // .withRevocationVerificationCallback() + .withRevocationVerification(RevocationVerification.NEVER) + .withSessionManager(this.config.getSessionManager(agentContext)) + .withEventEmitter(this.config.getEventEmitter(agentContext)) + + if (presentationDefinition) { + builder.withPresentationDefinition({ definition: presentationDefinition }, [PropertyTarget.REQUEST_OBJECT]) + } + + for (const supportedDidMethod of supportedDidMethods) { + builder.addDidMethod(supportedDidMethod) + } + + return builder.build() + } + + private getPresentationVerificationCallback( + agentContext: AgentContext, + options: { nonce: string; audience: string } + ): PresentationVerificationCallback { + return async (encodedPresentation, presentationSubmission) => { + this.logger.debug(`Presentation response`, JsonTransformer.toJSON(encodedPresentation)) + this.logger.debug(`Presentation submission`, presentationSubmission) + + if (!encodedPresentation) throw new AriesFrameworkError('Did not receive a presentation for verification.') + + let isValid: boolean + + // TODO: it might be better here to look at the presentation submission to know + // If presentation includes a ~, we assume it's an SD-JWT-VC + if (typeof encodedPresentation === 'string' && encodedPresentation.includes('~')) { + const sdJwtVcApi = agentContext.dependencyManager.resolve(SdJwtVcApi) + + const verificationResult = await sdJwtVcApi.verify({ + compactSdJwtVc: encodedPresentation, + keyBinding: { + audience: options.audience, + nonce: options.nonce, + }, + }) + + isValid = verificationResult.verification.isValid + } else if (typeof encodedPresentation === 'string') { + const verificationResult = await this.w3cCredentialService.verifyPresentation(agentContext, { + presentation: encodedPresentation, + challenge: options.nonce, + domain: options.audience, + }) + + isValid = verificationResult.isValid + } else { + const verificationResult = await this.w3cCredentialService.verifyPresentation(agentContext, { + presentation: JsonTransformer.fromJSON(encodedPresentation, W3cJsonLdVerifiablePresentation), + challenge: options.nonce, + domain: options.audience, + }) + + isValid = verificationResult.isValid + } + + // FIXME: we throw an error here as there's a bug in sphereon library where they + // don't check the returned 'verified' property and only catch errors thrown. + // Once https://github.com/Sphereon-Opensource/SIOP-OID4VP/pull/70 is merged we + // can remove this. + if (!isValid) { + throw new AriesFrameworkError('Presentation verification failed.') + } + + return { + verified: isValid, + } + } + } +} diff --git a/packages/openid4vc/src/openid4vc-verifier/OpenId4VcSiopVerifierServiceOptions.ts b/packages/openid4vc/src/openid4vc-verifier/OpenId4VcSiopVerifierServiceOptions.ts new file mode 100644 index 0000000000..e99a8179e8 --- /dev/null +++ b/packages/openid4vc/src/openid4vc-verifier/OpenId4VcSiopVerifierServiceOptions.ts @@ -0,0 +1,55 @@ +import type { + OpenId4VcJwtIssuer, + OpenId4VcSiopAuthorizationRequestPayload, + OpenId4VcSiopAuthorizationResponsePayload, + OpenId4VcSiopIdTokenPayload, +} from '../shared' +import type { + DifPresentationExchangeDefinition, + DifPresentationExchangeSubmission, + W3cVerifiablePresentation, + SdJwtVc, + DifPresentationExchangeDefinitionV2, +} from '@aries-framework/core' + +export interface OpenId4VcSiopCreateAuthorizationRequestOptions { + /** + * Signing information for the request JWT. This will be used to sign the request JWT + * and to set the client_id for registration of client_metadata. + */ + requestSigner: OpenId4VcJwtIssuer + + /** + * A DIF Presentation Definition (v2) can be provided to request a Verifiable Presentation using OpenID4VP. + */ + presentationExchange?: { + definition: DifPresentationExchangeDefinitionV2 + } +} + +export interface OpenId4VcSiopVerifyAuthorizationResponseOptions { + /** + * The authorization response received from the OpenID Provider (OP). + */ + authorizationResponse: OpenId4VcSiopAuthorizationResponsePayload +} + +export interface OpenId4VcSiopCreateAuthorizationRequestReturn { + authorizationRequestUri: string + authorizationRequestPayload: OpenId4VcSiopAuthorizationRequestPayload +} + +/** + * Either `idToken` and/or `presentationExchange` will be present, but not none. + */ +export interface OpenId4VcSiopVerifiedAuthorizationResponse { + idToken?: { + payload: OpenId4VcSiopIdTokenPayload + } + + presentationExchange?: { + submission: DifPresentationExchangeSubmission + definition: DifPresentationExchangeDefinition + presentations: Array + } +} diff --git a/packages/openid4vc/src/openid4vc-verifier/OpenId4VcVerifierApi.ts b/packages/openid4vc/src/openid4vc-verifier/OpenId4VcVerifierApi.ts new file mode 100644 index 0000000000..ca746f6604 --- /dev/null +++ b/packages/openid4vc/src/openid4vc-verifier/OpenId4VcVerifierApi.ts @@ -0,0 +1,87 @@ +import type { + OpenId4VcSiopCreateAuthorizationRequestOptions, + OpenId4VcSiopVerifyAuthorizationResponseOptions, + OpenId4VcSiopCreateAuthorizationRequestReturn, + OpenId4VcSiopVerifiedAuthorizationResponse, +} from './OpenId4VcSiopVerifierServiceOptions' + +import { injectable, AgentContext } from '@aries-framework/core' + +import { OpenId4VcSiopVerifierService } from './OpenId4VcSiopVerifierService' +import { OpenId4VcVerifierModuleConfig } from './OpenId4VcVerifierModuleConfig' + +/** + * @public + */ +@injectable() +export class OpenId4VcVerifierApi { + public constructor( + public readonly config: OpenId4VcVerifierModuleConfig, + private agentContext: AgentContext, + private openId4VcSiopVerifierService: OpenId4VcSiopVerifierService + ) {} + + /** + * Retrieve all verifier records from storage + */ + public async getAllVerifiers() { + return this.openId4VcSiopVerifierService.getAllVerifiers(this.agentContext) + } + + /** + * Retrieve a verifier record from storage by its verified id + */ + public async getByVerifierId(verifierId: string) { + return this.openId4VcSiopVerifierService.getByVerifierId(this.agentContext, verifierId) + } + + /** + * Create a new verifier and store the new verifier record. + */ + public async createVerifier() { + return this.openId4VcSiopVerifierService.createVerifier(this.agentContext) + } + + /** + * Create an authorization request, acting as a Relying Party (RP). + * + * Currently two types of requests are supported: + * - SIOP Self-Issued ID Token request: request to a Self-Issued OP from an RP + * - SIOP Verifiable Presentation Request: request to a Self-Issued OP from an RP, requesting a Verifiable Presentation using OpenID4VP + * + * Other flows (non-SIOP) are not supported at the moment, but can be added in the future. + * + * See {@link OpenId4VcSiopCreateAuthorizationRequestOptions} for detailed documentation on the options. + */ + public async createAuthorizationRequest({ + verifierId, + ...otherOptions + }: OpenId4VcSiopCreateAuthorizationRequestOptions & { + verifierId: string + }): Promise { + const verifier = await this.getByVerifierId(verifierId) + return await this.openId4VcSiopVerifierService.createAuthorizationRequest(this.agentContext, { + ...otherOptions, + verifier, + }) + } + + /** + * Verifies an authorization response, acting as a Relying Party (RP). + * + * It validates the ID Token, VP Token and the signature(s) of the received Verifiable Presentation(s) + * as well as that the structure of the Verifiable Presentation matches the provided presentation definition. + */ + public async verifyAuthorizationResponse({ + verifierId, + ...otherOptions + }: OpenId4VcSiopVerifyAuthorizationResponseOptions & { + verifierId: string + }): Promise { + const verifier = await this.getByVerifierId(verifierId) + return await this.openId4VcSiopVerifierService.verifyAuthorizationResponse(this.agentContext, { + ...otherOptions, + verifier, + }) + } +} diff --git a/packages/openid4vc/src/openid4vc-verifier/OpenId4VcVerifierModule.ts b/packages/openid4vc/src/openid4vc-verifier/OpenId4VcVerifierModule.ts new file mode 100644 index 0000000000..40a3e644dd --- /dev/null +++ b/packages/openid4vc/src/openid4vc-verifier/OpenId4VcVerifierModule.ts @@ -0,0 +1,129 @@ +import type { OpenId4VcVerifierModuleConfigOptions } from './OpenId4VcVerifierModuleConfig' +import type { OpenId4VcVerificationRequest } from './router' +import type { AgentContext, DependencyManager, Module } from '@aries-framework/core' + +import { AgentConfig } from '@aries-framework/core' + +import { getAgentContextForActorId, getRequestContext, importExpress } from '../shared/router' + +import { OpenId4VcSiopVerifierService } from './OpenId4VcSiopVerifierService' +import { OpenId4VcVerifierApi } from './OpenId4VcVerifierApi' +import { OpenId4VcVerifierModuleConfig } from './OpenId4VcVerifierModuleConfig' +import { OpenId4VcVerifierRepository } from './repository' +import { configureAuthorizationEndpoint } from './router' + +/** + * @public + */ +export class OpenId4VcVerifierModule implements Module { + public readonly api = OpenId4VcVerifierApi + public readonly config: OpenId4VcVerifierModuleConfig + + public constructor(options: OpenId4VcVerifierModuleConfigOptions) { + this.config = new OpenId4VcVerifierModuleConfig(options) + } + + /** + * Registers the dependencies of the question answer module on the dependency manager. + */ + public register(dependencyManager: DependencyManager) { + // Warn about experimental module + const logger = dependencyManager.resolve(AgentConfig).logger + logger.warn( + "The '@aries-framework/openid4vc' Verifier module is experimental and could have unexpected breaking changes. When using this module, make sure to use strict versions for all @aries-framework packages." + ) + + // Register config + dependencyManager.registerInstance(OpenId4VcVerifierModuleConfig, this.config) + + // Api + dependencyManager.registerContextScoped(OpenId4VcVerifierApi) + + // Services + dependencyManager.registerSingleton(OpenId4VcSiopVerifierService) + + // Repository + dependencyManager.registerSingleton(OpenId4VcVerifierRepository) + } + + public async initialize(rootAgentContext: AgentContext): Promise { + this.configureRouter(rootAgentContext) + } + + /** + * Registers the endpoints on the router passed to this module. + */ + private configureRouter(rootAgentContext: AgentContext) { + const { Router, json, urlencoded } = importExpress() + + // FIXME: it is currently not possible to initialize an agent + // shut it down, and then start it again, as the + // express router is configured with a specific `AgentContext` instance + // and dependency manager. One option is to always create a new router + // but then users cannot pass their own router implementation. + // We need to find a proper way to fix this. + + // We use separate context router and endpoint router. Context router handles the linking of the request + // to a specific agent context. Endpoint router only knows about a single context + const endpointRouter = Router() + const contextRouter = this.config.router + + // parse application/x-www-form-urlencoded + contextRouter.use(urlencoded({ extended: false })) + // parse application/json + contextRouter.use(json()) + + contextRouter.param('verifierId', async (req: OpenId4VcVerificationRequest, _res, next, verifierId: string) => { + if (!verifierId) { + rootAgentContext.config.logger.debug( + 'No verifierId provided for incoming authorization response, returning 404' + ) + _res.status(404).send('Not found') + } + + let agentContext: AgentContext | undefined = undefined + + try { + agentContext = await getAgentContextForActorId(rootAgentContext, verifierId) + const verifierApi = agentContext.dependencyManager.resolve(OpenId4VcVerifierApi) + const verifier = await verifierApi.getByVerifierId(verifierId) + + req.requestContext = { + agentContext, + verifier, + } + } catch (error) { + agentContext?.config.logger.error( + 'Failed to correlate incoming openid request to existing tenant and verifier', + { + error, + } + ) + // If the opening failed + await agentContext?.endSession() + return _res.status(404).send('Not found') + } + + next() + }) + + contextRouter.use('/:verifierId', endpointRouter) + + // Configure endpoints + configureAuthorizationEndpoint(endpointRouter, this.config.authorizationEndpoint) + + // First one will be called for all requests (when next is called) + contextRouter.use(async (req: OpenId4VcVerificationRequest, _res: unknown, next) => { + const { agentContext } = getRequestContext(req) + await agentContext.endSession() + next() + }) + + // This one will be called for all errors that are thrown + contextRouter.use(async (_error: unknown, req: OpenId4VcVerificationRequest, _res: unknown, next: any) => { + const { agentContext } = getRequestContext(req) + await agentContext.endSession() + next() + }) + } +} diff --git a/packages/openid4vc/src/openid4vc-verifier/OpenId4VcVerifierModuleConfig.ts b/packages/openid4vc/src/openid4vc-verifier/OpenId4VcVerifierModuleConfig.ts new file mode 100644 index 0000000000..7ede42f371 --- /dev/null +++ b/packages/openid4vc/src/openid4vc-verifier/OpenId4VcVerifierModuleConfig.ts @@ -0,0 +1,83 @@ +import type { OpenId4VcSiopAuthorizationEndpointConfig } from './router/authorizationEndpoint' +import type { Optional, AgentContext, AgentDependencies } from '@aries-framework/core' +import type { IRPSessionManager } from '@sphereon/did-auth-siop' +import type { Router } from 'express' + +import { InMemoryRPSessionManager } from '@sphereon/did-auth-siop' + +import { importExpress } from '../shared/router' + +export interface OpenId4VcVerifierModuleConfigOptions { + /** + * Base url at which the verifier endpoints will be hosted. All endpoints will be exposed with + * this path as prefix. + */ + baseUrl: string + + /** + * Express router on which the verifier endpoints will be registered. If + * no router is provided, a new one will be created. + * + * NOTE: you must manually register the router on your express app and + * expose this on a public url that is reachable when `baseUrl` is called. + */ + router?: Router + + endpoints?: { + authorization?: Optional + } +} + +export class OpenId4VcVerifierModuleConfig { + private options: OpenId4VcVerifierModuleConfigOptions + public readonly router: Router + + private eventEmitterMap: Map> + private sessionManagerMap: Map + + public constructor(options: OpenId4VcVerifierModuleConfigOptions) { + this.options = options + this.sessionManagerMap = new Map() + this.eventEmitterMap = new Map() + + this.router = options.router ?? importExpress().Router() + } + + public get baseUrl() { + return this.options.baseUrl + } + + public get authorizationEndpoint(): OpenId4VcSiopAuthorizationEndpointConfig { + // Use user supplied options, or return defaults. + const userOptions = this.options.endpoints?.authorization + + return { + ...userOptions, + endpointPath: userOptions?.endpointPath ?? '/authorize', + } + } + + // FIXME: rework (no in-memory) + public getSessionManager(agentContext: AgentContext) { + const val = this.sessionManagerMap.get(agentContext.contextCorrelationId) + if (val) return val + + const eventEmitter = this.getEventEmitter(agentContext) + + const newVal = new InMemoryRPSessionManager(eventEmitter) + this.sessionManagerMap.set(agentContext.contextCorrelationId, newVal) + return newVal + } + + // FIXME: rework (no-memory) + public getEventEmitter(agentContext: AgentContext) { + const EventEmitterClass = agentContext.config.agentDependencies.EventEmitterClass + + const val = this.eventEmitterMap.get(agentContext.contextCorrelationId) + if (val) return val + + const newVal = new EventEmitterClass() + this.eventEmitterMap.set(agentContext.contextCorrelationId, newVal) + return newVal + } +} diff --git a/packages/openid4vc/src/openid4vc-verifier/__tests__/OpenId4VcVerifierModule.test.ts b/packages/openid4vc/src/openid4vc-verifier/__tests__/OpenId4VcVerifierModule.test.ts new file mode 100644 index 0000000000..4251c0586e --- /dev/null +++ b/packages/openid4vc/src/openid4vc-verifier/__tests__/OpenId4VcVerifierModule.test.ts @@ -0,0 +1,46 @@ +import type { OpenId4VcVerifierModuleConfigOptions } from '../OpenId4VcVerifierModuleConfig' +import type { DependencyManager } from '@aries-framework/core' + +import { Router } from 'express' + +import { OpenId4VcSiopVerifierService } from '../OpenId4VcSiopVerifierService' +import { OpenId4VcVerifierApi } from '../OpenId4VcVerifierApi' +import { OpenId4VcVerifierModule } from '../OpenId4VcVerifierModule' +import { OpenId4VcVerifierModuleConfig } from '../OpenId4VcVerifierModuleConfig' +import { OpenId4VcVerifierRepository } from '../repository' + +const dependencyManager = { + registerInstance: jest.fn(), + registerSingleton: jest.fn(), + registerContextScoped: jest.fn(), + resolve: jest.fn().mockReturnValue({ logger: { warn: jest.fn() } }), +} as unknown as DependencyManager + +describe('OpenId4VcVerifierModule', () => { + test('registers dependencies on the dependency manager', () => { + const options = { + baseUrl: 'http://localhost:3000', + endpoints: { + authorization: { + endpointPath: '/hello', + }, + }, + router: Router(), + } satisfies OpenId4VcVerifierModuleConfigOptions + const openId4VcClientModule = new OpenId4VcVerifierModule(options) + openId4VcClientModule.register(dependencyManager) + + expect(dependencyManager.registerInstance).toHaveBeenCalledTimes(1) + expect(dependencyManager.registerInstance).toHaveBeenCalledWith( + OpenId4VcVerifierModuleConfig, + new OpenId4VcVerifierModuleConfig(options) + ) + + expect(dependencyManager.registerContextScoped).toHaveBeenCalledTimes(1) + expect(dependencyManager.registerContextScoped).toHaveBeenCalledWith(OpenId4VcVerifierApi) + + expect(dependencyManager.registerSingleton).toHaveBeenCalledTimes(2) + expect(dependencyManager.registerSingleton).toHaveBeenCalledWith(OpenId4VcSiopVerifierService) + expect(dependencyManager.registerSingleton).toHaveBeenCalledWith(OpenId4VcVerifierRepository) + }) +}) diff --git a/packages/openid4vc/src/openid4vc-verifier/__tests__/openid4vc-verifier.e2e.test.ts b/packages/openid4vc/src/openid4vc-verifier/__tests__/openid4vc-verifier.e2e.test.ts new file mode 100644 index 0000000000..106cce5849 --- /dev/null +++ b/packages/openid4vc/src/openid4vc-verifier/__tests__/openid4vc-verifier.e2e.test.ts @@ -0,0 +1,71 @@ +import { Jwt } from '@aries-framework/core' +import { SigningAlgo } from '@sphereon/did-auth-siop' +import { cleanAll, enableNetConnect } from 'nock' + +import { AskarModule } from '../../../../askar/src' +import { askarModuleConfig } from '../../../../askar/tests/helpers' +import { createAgentFromModules, type AgentType } from '../../../tests/utils' +import { universityDegreePresentationDefinition } from '../../../tests/utilsVp' +import { OpenId4VcVerifierModule } from '../OpenId4VcVerifierModule' + +const modules = { + openId4VcVerifier: new OpenId4VcVerifierModule({ + baseUrl: 'http://redirect-uri', + }), + askar: new AskarModule(askarModuleConfig), +} + +describe('OpenId4VcVerifier', () => { + let verifier: AgentType + + beforeEach(async () => { + verifier = await createAgentFromModules('verifier', modules, '96213c3d7fc8d4d6754c7a0fd969598f') + }) + + afterEach(async () => { + await verifier.agent.shutdown() + await verifier.agent.wallet.delete() + }) + + describe('Verification', () => { + afterEach(() => { + cleanAll() + enableNetConnect() + }) + + it('check openid proof request format', async () => { + const openIdVerifier = await verifier.agent.modules.openId4VcVerifier.createVerifier() + const { authorizationRequestUri } = await verifier.agent.modules.openId4VcVerifier.createAuthorizationRequest({ + requestSigner: { + method: 'did', + didUrl: verifier.kid, + }, + verifierId: openIdVerifier.verifierId, + presentationExchange: { + definition: universityDegreePresentationDefinition, + }, + }) + + const base = `openid://?redirect_uri=http%3A%2F%2Fredirect-uri%2F${openIdVerifier.verifierId}%2Fauthorize&request=` + expect(authorizationRequestUri.startsWith(base)).toBe(true) + + const _jwt = authorizationRequestUri.substring(base.length) + const jwt = Jwt.fromSerializedJwt(_jwt) + + expect(jwt.header.kid).toEqual(verifier.kid) + expect(jwt.header.alg).toEqual(SigningAlgo.EDDSA) + expect(jwt.header.typ).toEqual('JWT') + expect(jwt.payload.additionalClaims.scope).toEqual('openid') + expect(jwt.payload.additionalClaims.client_id).toEqual(verifier.did) + expect(jwt.payload.additionalClaims.redirect_uri).toEqual( + `http://redirect-uri/${openIdVerifier.verifierId}/authorize` + ) + expect(jwt.payload.additionalClaims.response_mode).toEqual('post') + expect(jwt.payload.additionalClaims.nonce).toBeDefined() + expect(jwt.payload.additionalClaims.state).toBeDefined() + expect(jwt.payload.additionalClaims.response_type).toEqual('id_token vp_token') + expect(jwt.payload.iss).toEqual(verifier.did) + expect(jwt.payload.sub).toEqual(verifier.did) + }) + }) +}) diff --git a/packages/openid4vc/src/openid4vc-verifier/index.ts b/packages/openid4vc/src/openid4vc-verifier/index.ts new file mode 100644 index 0000000000..25a6548336 --- /dev/null +++ b/packages/openid4vc/src/openid4vc-verifier/index.ts @@ -0,0 +1,6 @@ +export * from './OpenId4VcVerifierApi' +export * from './OpenId4VcVerifierModule' +export * from './OpenId4VcSiopVerifierService' +export * from './OpenId4VcSiopVerifierServiceOptions' +export * from './OpenId4VcVerifierModuleConfig' +export * from './repository' diff --git a/packages/openid4vc/src/openid4vc-verifier/repository/OpenId4VcVerifierRecord.ts b/packages/openid4vc/src/openid4vc-verifier/repository/OpenId4VcVerifierRecord.ts new file mode 100644 index 0000000000..f6fca64581 --- /dev/null +++ b/packages/openid4vc/src/openid4vc-verifier/repository/OpenId4VcVerifierRecord.ts @@ -0,0 +1,43 @@ +import type { RecordTags, TagsBase } from '@aries-framework/core' + +import { BaseRecord, utils } from '@aries-framework/core' + +export type OpenId4VcVerifierRecordTags = RecordTags + +export type DefaultOpenId4VcVerifierRecordTags = { + verifierId: string +} + +export interface OpenId4VcVerifierRecordProps { + id?: string + createdAt?: Date + tags?: TagsBase + + verifierId: string +} + +export class OpenId4VcVerifierRecord extends BaseRecord { + public static readonly type = 'OpenId4VcVerifierRecord' + public readonly type = OpenId4VcVerifierRecord.type + + public verifierId!: string + + public constructor(props: OpenId4VcVerifierRecordProps) { + super() + + if (props) { + this.id = props.id ?? utils.uuid() + this.createdAt = props.createdAt ?? new Date() + this._tags = props.tags ?? {} + + this.verifierId = props.verifierId + } + } + + public getTags() { + return { + ...this._tags, + verifierId: this.verifierId, + } + } +} diff --git a/packages/openid4vc/src/openid4vc-verifier/repository/OpenId4VcVerifierRepository.ts b/packages/openid4vc/src/openid4vc-verifier/repository/OpenId4VcVerifierRepository.ts new file mode 100644 index 0000000000..57622b6de8 --- /dev/null +++ b/packages/openid4vc/src/openid4vc-verifier/repository/OpenId4VcVerifierRepository.ts @@ -0,0 +1,23 @@ +import type { AgentContext } from '@aries-framework/core' + +import { Repository, StorageService, InjectionSymbols, EventEmitter, inject, injectable } from '@aries-framework/core' + +import { OpenId4VcVerifierRecord } from './OpenId4VcVerifierRecord' + +@injectable() +export class OpenId4VcVerifierRepository extends Repository { + public constructor( + @inject(InjectionSymbols.StorageService) storageService: StorageService, + eventEmitter: EventEmitter + ) { + super(OpenId4VcVerifierRecord, storageService, eventEmitter) + } + + public findByVerifierId(agentContext: AgentContext, verifierId: string) { + return this.findSingleByQuery(agentContext, { verifierId }) + } + + public getByVerifierId(agentContext: AgentContext, verifierId: string) { + return this.getSingleByQuery(agentContext, { verifierId }) + } +} diff --git a/packages/openid4vc/src/openid4vc-verifier/repository/index.ts b/packages/openid4vc/src/openid4vc-verifier/repository/index.ts new file mode 100644 index 0000000000..09bef0307e --- /dev/null +++ b/packages/openid4vc/src/openid4vc-verifier/repository/index.ts @@ -0,0 +1,2 @@ +export * from './OpenId4VcVerifierRecord' +export * from './OpenId4VcVerifierRepository' diff --git a/packages/openid4vc/src/openid4vc-verifier/router/authorizationEndpoint.ts b/packages/openid4vc/src/openid4vc-verifier/router/authorizationEndpoint.ts new file mode 100644 index 0000000000..6bafb8236f --- /dev/null +++ b/packages/openid4vc/src/openid4vc-verifier/router/authorizationEndpoint.ts @@ -0,0 +1,42 @@ +import type { OpenId4VcVerificationRequest } from './requestContext' +import type { AuthorizationResponsePayload } from '@sphereon/did-auth-siop' +import type { Router, Response } from 'express' + +import { getRequestContext, sendErrorResponse } from '../../shared/router' +import { OpenId4VcSiopVerifierService } from '../OpenId4VcSiopVerifierService' + +export interface OpenId4VcSiopAuthorizationEndpointConfig { + /** + * The path at which the authorization endpoint should be made available. Note that it will be + * hosted at a subpath to take into account multiple tenants and verifiers. + * + * @default /authorize + */ + endpointPath: string +} + +export function configureAuthorizationEndpoint(router: Router, config: OpenId4VcSiopAuthorizationEndpointConfig) { + router.post(config.endpointPath, async (request: OpenId4VcVerificationRequest, response: Response, next) => { + const { agentContext, verifier } = getRequestContext(request) + + try { + const openId4VcVerifierService = agentContext.dependencyManager.resolve(OpenId4VcSiopVerifierService) + const isVpRequest = request.body.presentation_submission !== undefined + + const authorizationResponse: AuthorizationResponsePayload = request.body + if (isVpRequest) authorizationResponse.presentation_submission = JSON.parse(request.body.presentation_submission) + + // FIXME: we should emit an event here and in other places + await openId4VcVerifierService.verifyAuthorizationResponse(agentContext, { + authorizationResponse: request.body, + verifier, + }) + response.status(200).send() + } catch (error) { + sendErrorResponse(response, agentContext.config.logger, 500, 'invalid_request', error) + } + + // NOTE: if we don't call next, the agentContext session handler will NOT be called + next() + }) +} diff --git a/packages/openid4vc/src/openid4vc-verifier/router/index.ts b/packages/openid4vc/src/openid4vc-verifier/router/index.ts new file mode 100644 index 0000000000..8242556be4 --- /dev/null +++ b/packages/openid4vc/src/openid4vc-verifier/router/index.ts @@ -0,0 +1,2 @@ +export { configureAuthorizationEndpoint } from './authorizationEndpoint' +export { OpenId4VcVerificationRequest } from './requestContext' diff --git a/packages/openid4vc/src/openid4vc-verifier/router/requestContext.ts b/packages/openid4vc/src/openid4vc-verifier/router/requestContext.ts new file mode 100644 index 0000000000..4dcb3964d8 --- /dev/null +++ b/packages/openid4vc/src/openid4vc-verifier/router/requestContext.ts @@ -0,0 +1,4 @@ +import type { OpenId4VcRequest } from '../../shared/router' +import type { OpenId4VcVerifierRecord } from '../repository' + +export type OpenId4VcVerificationRequest = OpenId4VcRequest<{ verifier: OpenId4VcVerifierRecord }> diff --git a/packages/openid4vc/src/shared/index.ts b/packages/openid4vc/src/shared/index.ts new file mode 100644 index 0000000000..8eacb927b2 --- /dev/null +++ b/packages/openid4vc/src/shared/index.ts @@ -0,0 +1,2 @@ +export * from './models' +export * from './issuerMetadataUtils' diff --git a/packages/openid4vc/src/shared/issuerMetadataUtils.ts b/packages/openid4vc/src/shared/issuerMetadataUtils.ts new file mode 100644 index 0000000000..076d8361a6 --- /dev/null +++ b/packages/openid4vc/src/shared/issuerMetadataUtils.ts @@ -0,0 +1,83 @@ +import type { OpenId4VciCredentialSupported, OpenId4VciCredentialSupportedWithId } from './models' +import type { AuthorizationDetails, CredentialOfferFormat, EndpointMetadataResult } from '@sphereon/oid4vci-common' + +import { AriesFrameworkError } from '@aries-framework/core' + +/** + * Get all `types` from a `CredentialSupported` object. + * + * Depending on the format, the types may be nested, or have different a different name/type + */ +export function getTypesFromCredentialSupported(credentialSupported: OpenId4VciCredentialSupported) { + if ( + credentialSupported.format === 'jwt_vc_json-ld' || + credentialSupported.format === 'ldp_vc' || + credentialSupported.format === 'jwt_vc_json' || + credentialSupported.format === 'jwt_vc' + ) { + return credentialSupported.types + } else if (credentialSupported.format === 'vc+sd-jwt') { + return [credentialSupported.vct] + } + + throw Error(`Unable to extract types from credentials supported. Unknown format ${credentialSupported.format}`) +} + +/** + * Returns all entries from the credential offer with the associated metadata resolved. For 'id' entries, the associated `credentials_supported` object is resolved from the issuer metadata. + * For inline entries, an error is thrown. + */ +export function getOfferedCredentials( + offeredCredentials: Array, + allCredentialsSupported: OpenId4VciCredentialSupported[] +): OpenId4VciCredentialSupportedWithId[] { + const credentialsSupported: OpenId4VciCredentialSupportedWithId[] = [] + + for (const offeredCredential of offeredCredentials) { + // In draft 12 inline credential offers are removed. It's easier to already remove support now. + if (typeof offeredCredential !== 'string') { + throw new AriesFrameworkError( + 'Only referenced credentials pointing to an id in credentials_supported issuer metadata are supported' + ) + } + + const foundSupportedCredential = allCredentialsSupported.find( + (supportedCredential): supportedCredential is OpenId4VciCredentialSupportedWithId => + supportedCredential.id !== undefined && supportedCredential.id === offeredCredential + ) + + // Make sure the issuer metadata includes the offered credential. + if (!foundSupportedCredential) { + throw new Error( + `Offered credential '${offeredCredential}' is not part of credentials_supported of the issuer metadata.` + ) + } + + credentialsSupported.push(foundSupportedCredential) + } + + return credentialsSupported +} + +// copied from sphereon as the method is only available on the client +export function handleAuthorizationDetails( + authorizationDetails: AuthorizationDetails | AuthorizationDetails[], + metadata: EndpointMetadataResult +): AuthorizationDetails | AuthorizationDetails[] | undefined { + if (Array.isArray(authorizationDetails)) { + return authorizationDetails.map((value) => handleLocations(value, metadata)) + } else { + return handleLocations(authorizationDetails, metadata) + } +} + +// copied from sphereon as the method is only available on the client +function handleLocations(authorizationDetails: AuthorizationDetails, metadata: EndpointMetadataResult) { + if (typeof authorizationDetails === 'string') return authorizationDetails + if (metadata.credentialIssuerMetadata?.authorization_server || metadata.authorization_endpoint) { + if (!authorizationDetails.locations) authorizationDetails.locations = [metadata.issuer] + else if (Array.isArray(authorizationDetails.locations)) authorizationDetails.locations.push(metadata.issuer) + else authorizationDetails.locations = [authorizationDetails.locations as string, metadata.issuer] + } + return authorizationDetails +} diff --git a/packages/openid4vc/src/shared/models/CredentialHolderBinding.ts b/packages/openid4vc/src/shared/models/CredentialHolderBinding.ts new file mode 100644 index 0000000000..641df91c2c --- /dev/null +++ b/packages/openid4vc/src/shared/models/CredentialHolderBinding.ts @@ -0,0 +1,13 @@ +import type { Jwk } from '@aries-framework/core' + +export type OpenId4VcCredentialHolderDidBinding = { + method: 'did' + didUrl: string +} + +export type OpenId4VcCredentialHolderJwkBinding = { + method: 'jwk' + jwk: Jwk +} + +export type OpenId4VcCredentialHolderBinding = OpenId4VcCredentialHolderDidBinding | OpenId4VcCredentialHolderJwkBinding diff --git a/packages/openid4vc/src/shared/models/OpenId4VcJwtIssuer.ts b/packages/openid4vc/src/shared/models/OpenId4VcJwtIssuer.ts new file mode 100644 index 0000000000..5165628db1 --- /dev/null +++ b/packages/openid4vc/src/shared/models/OpenId4VcJwtIssuer.ts @@ -0,0 +1,13 @@ +interface OpenId4VcJwtIssuerDid { + method: 'did' + didUrl: string +} + +// TODO: enable once supported in sphereon lib +// See https://github.com/Sphereon-Opensource/SIOP-OID4VP/issues/67 +// interface OpenId4VcJwtIssuerJwk { +// method: 'jwk' +// jwk: Jwk +// } + +export type OpenId4VcJwtIssuer = OpenId4VcJwtIssuerDid diff --git a/packages/openid4vc/src/shared/models/OpenId4VciCredentialFormatProfile.ts b/packages/openid4vc/src/shared/models/OpenId4VciCredentialFormatProfile.ts new file mode 100644 index 0000000000..628e65c12e --- /dev/null +++ b/packages/openid4vc/src/shared/models/OpenId4VciCredentialFormatProfile.ts @@ -0,0 +1,6 @@ +export enum OpenId4VciCredentialFormatProfile { + JwtVcJson = 'jwt_vc_json', + JwtVcJsonLd = 'jwt_vc_json-ld', + LdpVc = 'ldp_vc', + SdJwtVc = 'vc+sd-jwt', +} diff --git a/packages/openid4vc/src/shared/models/index.ts b/packages/openid4vc/src/shared/models/index.ts new file mode 100644 index 0000000000..dc37fafeb8 --- /dev/null +++ b/packages/openid4vc/src/shared/models/index.ts @@ -0,0 +1,37 @@ +import type { + VerifiedAuthorizationRequest, + AuthorizationRequestPayload, + AuthorizationResponsePayload, + IDTokenPayload, +} from '@sphereon/did-auth-siop' +import type { + AssertedUniformCredentialOffer, + CredentialIssuerMetadata, + CredentialOfferPayloadV1_0_11, + CredentialRequestJwtVcJson, + CredentialRequestJwtVcJsonLdAndLdpVc, + CredentialRequestSdJwtVc, + CredentialSupported, + MetadataDisplay, + UniformCredentialRequest, +} from '@sphereon/oid4vci-common' + +export type OpenId4VciCredentialSupportedWithId = CredentialSupported & { id: string } +export type OpenId4VciCredentialSupported = CredentialSupported +export type OpenId4VciIssuerMetadata = CredentialIssuerMetadata +export type OpenId4VciIssuerMetadataDisplay = MetadataDisplay +export type OpenId4VciCredentialRequest = UniformCredentialRequest +export type OpenId4VciCredentialRequestJwtVcJson = CredentialRequestJwtVcJson +export type OpenId4VciCredentialRequestJwtVcJsonLdAndLdpVc = CredentialRequestJwtVcJsonLdAndLdpVc +export type OpenId4VciCredentialRequestSdJwtVc = CredentialRequestSdJwtVc +export type OpenId4VciCredentialOffer = AssertedUniformCredentialOffer +export type OpenId4VciCredentialOfferPayload = CredentialOfferPayloadV1_0_11 + +export type OpenId4VcSiopVerifiedAuthorizationRequest = VerifiedAuthorizationRequest +export type OpenId4VcSiopAuthorizationRequestPayload = AuthorizationRequestPayload +export type OpenId4VcSiopAuthorizationResponsePayload = AuthorizationResponsePayload +export type OpenId4VcSiopIdTokenPayload = IDTokenPayload + +export * from './OpenId4VcJwtIssuer' +export * from './CredentialHolderBinding' +export * from './OpenId4VciCredentialFormatProfile' diff --git a/packages/openid4vc/src/shared/router/context.ts b/packages/openid4vc/src/shared/router/context.ts new file mode 100644 index 0000000000..bfd0afacc6 --- /dev/null +++ b/packages/openid4vc/src/shared/router/context.ts @@ -0,0 +1,32 @@ +import type { AgentContext, Logger } from '@aries-framework/core' +import type { Response, Request } from 'express' + +import { AriesFrameworkError } from '@aries-framework/core' + +export interface OpenId4VcRequest = Record> extends Request { + requestContext?: RC & OpenId4VcRequestContext +} + +export interface OpenId4VcRequestContext { + agentContext: AgentContext +} + +export function sendErrorResponse(response: Response, logger: Logger, code: number, message: string, error: unknown) { + const error_description = + error instanceof Error ? error.message : typeof error === 'string' ? error : 'An unknown error occurred.' + + const body = { error: message, error_description } + logger.warn(`[OID4VCI] Sending error response: ${JSON.stringify(body)}`, { + error, + }) + + return response.status(code).json(body) +} + +// eslint-disable-next-line @typescript-eslint/no-explicit-any +export function getRequestContext>(request: T): NonNullable { + const requestContext = request.requestContext + if (!requestContext) throw new AriesFrameworkError('Request context not set.') + + return requestContext +} diff --git a/packages/openid4vc/src/shared/router/express.ts b/packages/openid4vc/src/shared/router/express.ts new file mode 100644 index 0000000000..43bdcf12fa --- /dev/null +++ b/packages/openid4vc/src/shared/router/express.ts @@ -0,0 +1,12 @@ +import type { default as Express } from 'express' + +export function importExpress() { + try { + // NOTE: 'express' is added as a peer-dependency, and is required when using this module + // eslint-disable-next-line import/no-extraneous-dependencies, @typescript-eslint/no-var-requires + const express = require('express') as typeof Express + return express + } catch (error) { + throw new Error('Express must be installed as a peer dependency') + } +} diff --git a/packages/openid4vc/src/shared/router/index.ts b/packages/openid4vc/src/shared/router/index.ts new file mode 100644 index 0000000000..dc3697dcc1 --- /dev/null +++ b/packages/openid4vc/src/shared/router/index.ts @@ -0,0 +1,3 @@ +export * from './express' +export * from './context' +export * from './tenants' diff --git a/packages/openid4vc/src/shared/router/tenants.ts b/packages/openid4vc/src/shared/router/tenants.ts new file mode 100644 index 0000000000..23b5353da4 --- /dev/null +++ b/packages/openid4vc/src/shared/router/tenants.ts @@ -0,0 +1,56 @@ +import type { AgentContext, AgentContextProvider } from '@aries-framework/core' +import type { TenantsModule } from '@aries-framework/tenants' + +import { getApiForModuleByName, InjectionSymbols } from '@aries-framework/core' + +const OPENID4VC_ACTOR_IDS_METADATA_KEY = '_openid4vc/openId4VcActorIds' + +export async function getAgentContextForActorId(rootAgentContext: AgentContext, actorId: string) { + // Check if multi-tenancy is enabled, and if so find the associated multi-tenant record + // This is a bit hacky as it uses the tenants module to store the openid4vc actor id + // but this way we don't have to expose the contextCorrelationId in the openid metadata + const tenantsApi = getApiForModuleByName(rootAgentContext, 'TenantsModule') + if (tenantsApi) { + const [tenant] = await tenantsApi.findTenantsByQuery({ + [OPENID4VC_ACTOR_IDS_METADATA_KEY]: [actorId], + }) + + if (tenant) { + const agentContextProvider = rootAgentContext.dependencyManager.resolve( + InjectionSymbols.AgentContextProvider + ) + return agentContextProvider.getAgentContextForContextCorrelationId(tenant.id) + } + } + + return rootAgentContext +} + +/** + * Store the actor id associated with a context correlation id. If multi-tenancy is not used + * this method won't do anything as we can just use the actor from the default context. However + * if multi-tenancy is used, we will store the actor id in the tenant record metadata so it can + * be queried when a request comes in for the specific actor id. + * + * The reason for doing this is that we don't want to expose the context correlation id in the + * actor metadata url, as it is then possible to see exactly which actors are registered under + * the same agent. + */ +export async function storeActorIdForContextCorrelationId(agentContext: AgentContext, actorId: string) { + // It's kind of hacky, but we add support for the tenants module specifically here to map an actorId to + // a specific tenant. Otherwise we have to expose /:contextCorrelationId/:actorId in all the public URLs + // which is of course not so nice. + const tenantsApi = getApiForModuleByName(agentContext, 'TenantsModule') + + // We don't want to query the tenant record if the current context is the root context + if (tenantsApi && tenantsApi.rootAgentContext.contextCorrelationId !== agentContext.contextCorrelationId) { + const tenantRecord = await tenantsApi.getTenantById(agentContext.contextCorrelationId) + + const currentOpenId4VcActorIds = tenantRecord.metadata.get(OPENID4VC_ACTOR_IDS_METADATA_KEY) ?? [] + const openId4VcActorIds = [...currentOpenId4VcActorIds, actorId] + + tenantRecord.metadata.set(OPENID4VC_ACTOR_IDS_METADATA_KEY, openId4VcActorIds) + tenantRecord.setTag(OPENID4VC_ACTOR_IDS_METADATA_KEY, openId4VcActorIds) + await tenantsApi.updateTenant(tenantRecord) + } +} diff --git a/packages/openid4vc/src/shared/transform.ts b/packages/openid4vc/src/shared/transform.ts new file mode 100644 index 0000000000..c45d0fe793 --- /dev/null +++ b/packages/openid4vc/src/shared/transform.ts @@ -0,0 +1,73 @@ +import type { W3cVerifiableCredential, W3cVerifiablePresentation, SdJwtVc } from '@aries-framework/core' +import type { + W3CVerifiableCredential as SphereonW3cVerifiableCredential, + W3CVerifiablePresentation as SphereonW3cVerifiablePresentation, + CompactSdJwtVc as SphereonCompactSdJwtVc, + WrappedVerifiablePresentation, +} from '@sphereon/ssi-types' + +import { + JsonTransformer, + AriesFrameworkError, + W3cJsonLdVerifiablePresentation, + W3cJwtVerifiablePresentation, + W3cJwtVerifiableCredential, + W3cJsonLdVerifiableCredential, + JsonEncoder, +} from '@aries-framework/core' + +export function getSphereonVerifiableCredential( + verifiableCredential: W3cVerifiableCredential | SdJwtVc +): SphereonW3cVerifiableCredential | SphereonCompactSdJwtVc { + // encoded sd-jwt or jwt + if (typeof verifiableCredential === 'string') { + return verifiableCredential + } else if (verifiableCredential instanceof W3cJsonLdVerifiableCredential) { + return JsonTransformer.toJSON(verifiableCredential) as SphereonW3cVerifiableCredential + } else if (verifiableCredential instanceof W3cJwtVerifiableCredential) { + return verifiableCredential.serializedJwt + } else { + return verifiableCredential.compact + } +} + +export function getSphereonVerifiablePresentation( + verifiablePresentation: W3cVerifiablePresentation | SdJwtVc +): SphereonW3cVerifiablePresentation | SphereonCompactSdJwtVc { + // encoded sd-jwt or jwt + if (typeof verifiablePresentation === 'string') { + return verifiablePresentation + } else if (verifiablePresentation instanceof W3cJsonLdVerifiablePresentation) { + return JsonTransformer.toJSON(verifiablePresentation) as SphereonW3cVerifiablePresentation + } else if (verifiablePresentation instanceof W3cJwtVerifiablePresentation) { + return verifiablePresentation.serializedJwt + } else { + return verifiablePresentation.compact + } +} + +export function getVerifiablePresentationFromSphereonWrapped( + wrappedVerifiablePresentation: WrappedVerifiablePresentation +): W3cVerifiablePresentation | SdJwtVc { + if (wrappedVerifiablePresentation.format === 'jwt_vp') { + if (typeof wrappedVerifiablePresentation.original !== 'string') { + throw new AriesFrameworkError('Unable to transform JWT VP to W3C VP') + } + + return W3cJwtVerifiablePresentation.fromSerializedJwt(wrappedVerifiablePresentation.original) + } else if (wrappedVerifiablePresentation.format === 'ldp_vp') { + return JsonTransformer.fromJSON(wrappedVerifiablePresentation.original, W3cJsonLdVerifiablePresentation) + } else if (wrappedVerifiablePresentation.format === 'vc+sd-jwt') { + // We use some custom logic here so we don't have to re-process the encoded SD-JWT + const [encodedHeader] = wrappedVerifiablePresentation.presentation.compactSdJwtVc.split('.') + const header = JsonEncoder.fromBase64(encodedHeader) + return { + compact: wrappedVerifiablePresentation.presentation.compactSdJwtVc, + header, + payload: wrappedVerifiablePresentation.presentation.signedPayload, + prettyClaims: wrappedVerifiablePresentation.presentation.decodedPayload, + } satisfies SdJwtVc + } + + throw new AriesFrameworkError(`Unsupported presentation format: ${wrappedVerifiablePresentation.format}`) +} diff --git a/packages/openid4vc/src/shared/utils.ts b/packages/openid4vc/src/shared/utils.ts new file mode 100644 index 0000000000..922b5632e9 --- /dev/null +++ b/packages/openid4vc/src/shared/utils.ts @@ -0,0 +1,103 @@ +import type { OpenId4VcJwtIssuer } from './models' +import type { AgentContext, JwaSignatureAlgorithm, Key } from '@aries-framework/core' +import type { DIDDocument, SigningAlgo, SuppliedSignature } from '@sphereon/did-auth-siop' + +import { + AriesFrameworkError, + DidsApi, + TypedArrayEncoder, + getKeyFromVerificationMethod, + getJwkClassFromKeyType, + SignatureSuiteRegistry, +} from '@aries-framework/core' + +/** + * Returns the JWA Signature Algorithms that are supported by the wallet. + * + * This is an approximation based on the supported key types of the wallet. + * This is not 100% correct as a supporting a key type does not mean you support + * all the algorithms for that key type. However, this needs refactoring of the wallet + * that is planned for the 0.5.0 release. + */ +export function getSupportedJwaSignatureAlgorithms(agentContext: AgentContext): JwaSignatureAlgorithm[] { + const supportedKeyTypes = agentContext.wallet.supportedKeyTypes + + // Extract the supported JWS algs based on the key types the wallet support. + const supportedJwaSignatureAlgorithms = supportedKeyTypes + // Map the supported key types to the supported JWK class + .map(getJwkClassFromKeyType) + // Filter out the undefined values + .filter((jwkClass): jwkClass is Exclude => jwkClass !== undefined) + // Extract the supported JWA signature algorithms from the JWK class + .flatMap((jwkClass) => jwkClass.supportedSignatureAlgorithms) + + return supportedJwaSignatureAlgorithms +} + +export async function getSphereonSuppliedSignatureFromJwtIssuer( + agentContext: AgentContext, + jwtIssuer: OpenId4VcJwtIssuer +): Promise { + let key: Key + let alg: string + let kid: string | undefined + let did: string | undefined + + if (jwtIssuer.method === 'did') { + const didsApi = agentContext.dependencyManager.resolve(DidsApi) + const didDocument = await didsApi.resolveDidDocument(jwtIssuer.didUrl) + const verificationMethod = didDocument.dereferenceKey(jwtIssuer.didUrl, ['authentication']) + + // get the key from the verification method and use the first supported signature algorithm + key = getKeyFromVerificationMethod(verificationMethod) + const _alg = getJwkClassFromKeyType(key.keyType)?.supportedSignatureAlgorithms[0] + if (!_alg) throw new AriesFrameworkError(`No supported signature algorithms for key type: ${key.keyType}`) + + alg = _alg + kid = verificationMethod.id + did = verificationMethod.controller + } else { + throw new AriesFrameworkError("Unsupported jwt issuer method. Only 'did' is supported.") + } + + return { + signature: async (data: string | Uint8Array) => { + if (typeof data !== 'string') throw new AriesFrameworkError("Expected string but received 'Uint8Array'") + const signedData = await agentContext.wallet.sign({ + data: TypedArrayEncoder.fromString(data), + key, + }) + + const signature = TypedArrayEncoder.toBase64URL(signedData) + return signature + }, + alg: alg as unknown as SigningAlgo, + did, + kid, + } +} + +export function getSphereonDidResolver(agentContext: AgentContext) { + return { + resolve: async (didUrl: string) => { + const didsApi = agentContext.dependencyManager.resolve(DidsApi) + const result = await didsApi.resolve(didUrl) + + return { + ...result, + didDocument: result.didDocument?.toJSON() as DIDDocument, + } + }, + } +} + +export function getProofTypeFromKey(agentContext: AgentContext, key: Key) { + const signatureSuiteRegistry = agentContext.dependencyManager.resolve(SignatureSuiteRegistry) + + const supportedSignatureSuites = signatureSuiteRegistry.getByKeyType(key.keyType) + if (supportedSignatureSuites.length === 0) { + throw new AriesFrameworkError(`Couldn't find a supported signature suite for the given key type '${key.keyType}'.`) + } + + return supportedSignatureSuites[0].proofType +} diff --git a/packages/openid4vc/tests/openid4vc.e2e.test.ts b/packages/openid4vc/tests/openid4vc.e2e.test.ts new file mode 100644 index 0000000000..038c854c76 --- /dev/null +++ b/packages/openid4vc/tests/openid4vc.e2e.test.ts @@ -0,0 +1,683 @@ +import type { AgentType, TenantType } from './utils' +import type { OpenId4VciCredentialBindingResolver } from '../src/openid4vc-holder' +import type { DifPresentationExchangeDefinitionV2, SdJwtVc } from '@aries-framework/core' +import type { Server } from 'http' + +import { + AriesFrameworkError, + ClaimFormat, + DidsApi, + DifPresentationExchangeService, + getJwkFromKey, + getKeyFromVerificationMethod, + JsonEncoder, + JwaSignatureAlgorithm, + W3cCredential, + W3cCredentialSubject, + w3cDate, + W3cIssuer, +} from '@aries-framework/core' +import express, { type Express } from 'express' + +import { AskarModule } from '../../askar/src' +import { askarModuleConfig } from '../../askar/tests/helpers' +import { TenantsModule } from '../../tenants/src' +import { OpenId4VcHolderModule, OpenId4VcIssuerModule, OpenId4VcVerifierModule } from '../src' + +import { createAgentFromModules, createTenantForAgent } from './utils' +import { universityDegreeCredentialSdJwt, universityDegreeCredentialSdJwt2 } from './utilsVci' +import { openBadgePresentationDefinition, universityDegreePresentationDefinition } from './utilsVp' + +const serverPort = 1234 +const baseUrl = `http://localhost:${serverPort}` +const issuanceBaseUrl = `${baseUrl}/oid4vci` +const verificationBaseUrl = `${baseUrl}/oid4vp` + +describe('OpenId4Vc', () => { + let expressApp: Express + let expressServer: Server + + let issuer: AgentType<{ + openId4VcIssuer: OpenId4VcIssuerModule + tenants: TenantsModule<{ openId4VcIssuer: OpenId4VcIssuerModule }> + }> + let issuer1: TenantType + let issuer2: TenantType + + let holder: AgentType<{ + openId4VcHolder: OpenId4VcHolderModule + tenants: TenantsModule<{ openId4VcHolder: OpenId4VcHolderModule }> + }> + let holder1: TenantType + + let verifier: AgentType<{ + openId4VcVerifier: OpenId4VcVerifierModule + tenants: TenantsModule<{ openId4VcVerifier: OpenId4VcVerifierModule }> + }> + let verifier1: TenantType + let verifier2: TenantType + + beforeEach(async () => { + expressApp = express() + + issuer = (await createAgentFromModules( + 'issuer', + { + openId4VcIssuer: new OpenId4VcIssuerModule({ + baseUrl: issuanceBaseUrl, + endpoints: { + credential: { + credentialRequestToCredentialMapper: async ({ agentContext, credentialRequest, holderBinding }) => { + // We sign the request with the first did:key did we have + const didsApi = agentContext.dependencyManager.resolve(DidsApi) + const [firstDidKeyDid] = await didsApi.getCreatedDids({ method: 'key' }) + const didDocument = await didsApi.resolveDidDocument(firstDidKeyDid.did) + const verificationMethod = didDocument.verificationMethod?.[0] + if (!verificationMethod) { + throw new Error('No verification method found') + } + + if (credentialRequest.format === 'vc+sd-jwt') { + return { + format: credentialRequest.format, + payload: { vct: credentialRequest.vct, university: 'innsbruck', degree: 'bachelor' }, + holder: holderBinding, + issuer: { + method: 'did', + didUrl: verificationMethod.id, + }, + disclosureFrame: { university: true, degree: true }, + } + } + + throw new Error('Invalid request') + }, + }, + }, + }), + askar: new AskarModule(askarModuleConfig), + tenants: new TenantsModule(), + }, + '96213c3d7fc8d4d6754c7a0fd969598g' + )) as unknown as typeof issuer + issuer1 = await createTenantForAgent(issuer.agent, 'iTenant1') + issuer2 = await createTenantForAgent(issuer.agent, 'iTenant2') + + holder = (await createAgentFromModules( + 'holder', + { + openId4VcHolder: new OpenId4VcHolderModule(), + askar: new AskarModule(askarModuleConfig), + tenants: new TenantsModule(), + }, + '96213c3d7fc8d4d6754c7a0fd969598e' + )) as unknown as typeof holder + holder1 = await createTenantForAgent(holder.agent, 'hTenant1') + + verifier = (await createAgentFromModules( + 'verifier', + { + openId4VcVerifier: new OpenId4VcVerifierModule({ + baseUrl: verificationBaseUrl, + }), + askar: new AskarModule(askarModuleConfig), + tenants: new TenantsModule(), + }, + '96213c3d7fc8d4d6754c7a0fd969598f' + )) as unknown as typeof verifier + verifier1 = await createTenantForAgent(verifier.agent, 'vTenant1') + verifier2 = await createTenantForAgent(verifier.agent, 'vTenant2') + + // We let AFJ create the router, so we have a fresh one each time + expressApp.use('/oid4vci', issuer.agent.modules.openId4VcIssuer.config.router) + expressApp.use('/oid4vp', verifier.agent.modules.openId4VcVerifier.config.router) + + expressServer = expressApp.listen(serverPort) + }) + + afterEach(async () => { + expressServer?.close() + + await issuer.agent.shutdown() + await issuer.agent.wallet.delete() + + await holder.agent.shutdown() + await holder.agent.wallet.delete() + }) + + const credentialBindingResolver: OpenId4VciCredentialBindingResolver = ({ supportsJwk, supportedDidMethods }) => { + // prefer did:key + if (supportedDidMethods?.includes('did:key')) { + return { + method: 'did', + didUrl: holder1.verificationMethod.id, + } + } + + // otherwise fall back to JWK + if (supportsJwk) { + return { + method: 'jwk', + jwk: getJwkFromKey(getKeyFromVerificationMethod(holder1.verificationMethod)), + } + } + + // otherwise throw an error + throw new AriesFrameworkError('Issuer does not support did:key or JWK for credential binding') + } + + it('e2e flow with tenants, issuer endpoints requesting a sd-jwt-vc', async () => { + const issuerTenant1 = await issuer.agent.modules.tenants.getTenantAgent({ tenantId: issuer1.tenantId }) + const issuerTenant2 = await issuer.agent.modules.tenants.getTenantAgent({ tenantId: issuer2.tenantId }) + + const openIdIssuerTenant1 = await issuerTenant1.modules.openId4VcIssuer.createIssuer({ + credentialsSupported: [universityDegreeCredentialSdJwt], + }) + + const openIdIssuerTenant2 = await issuerTenant2.modules.openId4VcIssuer.createIssuer({ + credentialsSupported: [universityDegreeCredentialSdJwt2], + }) + + const { credentialOffer: credentialOffer1 } = await issuerTenant1.modules.openId4VcIssuer.createCredentialOffer({ + issuerId: openIdIssuerTenant1.issuerId, + offeredCredentials: [universityDegreeCredentialSdJwt.id], + preAuthorizedCodeFlowConfig: { userPinRequired: false }, + }) + + const { credentialOffer: credentialOffer2 } = await issuerTenant2.modules.openId4VcIssuer.createCredentialOffer({ + issuerId: openIdIssuerTenant2.issuerId, + offeredCredentials: [universityDegreeCredentialSdJwt2.id], + preAuthorizedCodeFlowConfig: { userPinRequired: false }, + }) + + await issuerTenant1.endSession() + await issuerTenant2.endSession() + + const holderTenant1 = await holder.agent.modules.tenants.getTenantAgent({ tenantId: holder1.tenantId }) + + const resolvedCredentialOffer1 = await holderTenant1.modules.openId4VcHolder.resolveCredentialOffer( + credentialOffer1 + ) + + expect(resolvedCredentialOffer1.credentialOfferPayload.credential_issuer).toEqual( + `${issuanceBaseUrl}/${openIdIssuerTenant1.issuerId}` + ) + expect(resolvedCredentialOffer1.metadata.credentialIssuerMetadata?.token_endpoint).toEqual( + `${issuanceBaseUrl}/${openIdIssuerTenant1.issuerId}/token` + ) + expect(resolvedCredentialOffer1.metadata.credentialIssuerMetadata?.credential_endpoint).toEqual( + `${issuanceBaseUrl}/${openIdIssuerTenant1.issuerId}/credential` + ) + + // Bind to JWK + const credentialsTenant1 = await holderTenant1.modules.openId4VcHolder.acceptCredentialOfferUsingPreAuthorizedCode( + resolvedCredentialOffer1, + { + credentialBindingResolver, + } + ) + + expect(credentialsTenant1).toHaveLength(1) + const compactSdJwtVcTenant1 = (credentialsTenant1[0] as SdJwtVc).compact + const sdJwtVcTenant1 = holderTenant1.sdJwtVc.fromCompact(compactSdJwtVcTenant1) + expect(sdJwtVcTenant1.payload.vct).toEqual('UniversityDegreeCredential') + + const resolvedCredentialOffer2 = await holderTenant1.modules.openId4VcHolder.resolveCredentialOffer( + credentialOffer2 + ) + expect(resolvedCredentialOffer2.credentialOfferPayload.credential_issuer).toEqual( + `${issuanceBaseUrl}/${openIdIssuerTenant2.issuerId}` + ) + expect(resolvedCredentialOffer2.metadata.credentialIssuerMetadata?.token_endpoint).toEqual( + `${issuanceBaseUrl}/${openIdIssuerTenant2.issuerId}/token` + ) + expect(resolvedCredentialOffer2.metadata.credentialIssuerMetadata?.credential_endpoint).toEqual( + `${issuanceBaseUrl}/${openIdIssuerTenant2.issuerId}/credential` + ) + + // Bind to did + const credentialsTenant2 = await holderTenant1.modules.openId4VcHolder.acceptCredentialOfferUsingPreAuthorizedCode( + resolvedCredentialOffer2, + { + credentialBindingResolver, + } + ) + + expect(credentialsTenant2).toHaveLength(1) + const compactSdJwtVcTenant2 = (credentialsTenant2[0] as SdJwtVc).compact + const sdJwtVcTenant2 = holderTenant1.sdJwtVc.fromCompact(compactSdJwtVcTenant2) + expect(sdJwtVcTenant2.payload.vct).toEqual('UniversityDegreeCredential2') + + await holderTenant1.endSession() + }) + + it('e2e flow with tenants, verifier endpoints verifying a jwt-vc', async () => { + const holderTenant = await holder.agent.modules.tenants.getTenantAgent({ tenantId: holder1.tenantId }) + const verifierTenant1 = await verifier.agent.modules.tenants.getTenantAgent({ tenantId: verifier1.tenantId }) + const verifierTenant2 = await verifier.agent.modules.tenants.getTenantAgent({ tenantId: verifier2.tenantId }) + + const openIdVerifierTenant1 = await verifierTenant1.modules.openId4VcVerifier.createVerifier() + const openIdVerifierTenant2 = await verifierTenant2.modules.openId4VcVerifier.createVerifier() + + const signedCredential1 = await issuer.agent.w3cCredentials.signCredential({ + format: ClaimFormat.JwtVc, + credential: new W3cCredential({ + type: ['VerifiableCredential', 'OpenBadgeCredential'], + issuer: new W3cIssuer({ id: issuer.did }), + credentialSubject: new W3cCredentialSubject({ id: holder1.did }), + issuanceDate: w3cDate(Date.now()), + }), + alg: JwaSignatureAlgorithm.EdDSA, + verificationMethod: issuer.verificationMethod.id, + }) + + const signedCredential2 = await issuer.agent.w3cCredentials.signCredential({ + format: ClaimFormat.JwtVc, + credential: new W3cCredential({ + type: ['VerifiableCredential', 'UniversityDegreeCredential'], + issuer: new W3cIssuer({ id: issuer.did }), + credentialSubject: new W3cCredentialSubject({ id: holder1.did }), + issuanceDate: w3cDate(Date.now()), + }), + alg: JwaSignatureAlgorithm.EdDSA, + verificationMethod: issuer.verificationMethod.id, + }) + + await holderTenant.w3cCredentials.storeCredential({ credential: signedCredential1 }) + await holderTenant.w3cCredentials.storeCredential({ credential: signedCredential2 }) + + const { + authorizationRequestUri: authorizationRequestUri1, + authorizationRequestPayload: authorizationRequestPayload1, + } = await verifierTenant1.modules.openId4VcVerifier.createAuthorizationRequest({ + verifierId: openIdVerifierTenant1.verifierId, + requestSigner: { + method: 'did', + didUrl: verifier1.verificationMethod.id, + }, + presentationExchange: { + definition: openBadgePresentationDefinition, + }, + }) + + expect( + authorizationRequestUri1.startsWith( + `openid://?redirect_uri=http%3A%2F%2Flocalhost%3A1234%2Foid4vp%2F${openIdVerifierTenant1.verifierId}%2Fauthorize` + ) + ).toBe(true) + + const { + authorizationRequestUri: authorizationRequestUri2, + authorizationRequestPayload: authorizationRequestPayload2, + } = await verifierTenant2.modules.openId4VcVerifier.createAuthorizationRequest({ + requestSigner: { + method: 'did', + didUrl: verifier2.verificationMethod.id, + }, + presentationExchange: { + definition: universityDegreePresentationDefinition, + }, + verifierId: openIdVerifierTenant2.verifierId, + }) + + expect( + authorizationRequestUri2.startsWith( + `openid://?redirect_uri=http%3A%2F%2Flocalhost%3A1234%2Foid4vp%2F${openIdVerifierTenant2.verifierId}%2Fauthorize` + ) + ).toBe(true) + + await verifierTenant1.endSession() + await verifierTenant2.endSession() + + const resolvedProofRequest1 = await holderTenant.modules.openId4VcHolder.resolveSiopAuthorizationRequest( + authorizationRequestUri1 + ) + + expect(resolvedProofRequest1.presentationExchange?.credentialsForRequest).toMatchObject({ + areRequirementsSatisfied: true, + requirements: [ + { + submissionEntry: [ + { + verifiableCredentials: [ + { + credential: { + type: ['VerifiableCredential', 'OpenBadgeCredential'], + }, + }, + ], + }, + ], + }, + ], + }) + + const resolvedProofRequest2 = await holderTenant.modules.openId4VcHolder.resolveSiopAuthorizationRequest( + authorizationRequestUri2 + ) + + expect(resolvedProofRequest2.presentationExchange?.credentialsForRequest).toMatchObject({ + areRequirementsSatisfied: true, + requirements: [ + { + submissionEntry: [ + { + verifiableCredentials: [ + { + credential: { + type: ['VerifiableCredential', 'UniversityDegreeCredential'], + }, + }, + ], + }, + ], + }, + ], + }) + + if (!resolvedProofRequest1.presentationExchange || !resolvedProofRequest2.presentationExchange) { + throw new Error('Presentation exchange not defined') + } + + const presentationExchangeService = holderTenant.dependencyManager.resolve(DifPresentationExchangeService) + const selectedCredentials = presentationExchangeService.selectCredentialsForRequest( + resolvedProofRequest1.presentationExchange.credentialsForRequest + ) + + const { submittedResponse: submittedResponse1, serverResponse: serverResponse1 } = + await holderTenant.modules.openId4VcHolder.acceptSiopAuthorizationRequest({ + authorizationRequest: resolvedProofRequest1.authorizationRequest, + presentationExchange: { + credentials: selectedCredentials, + }, + }) + + expect(submittedResponse1).toEqual({ + expires_in: 6000, + id_token: expect.any(String), + presentation_submission: { + definition_id: 'OpenBadgeCredential', + descriptor_map: [ + { + format: 'jwt_vp', + id: 'OpenBadgeCredentialDescriptor', + path: '$', + path_nested: { + format: 'jwt_vc', + id: 'OpenBadgeCredentialDescriptor', + path: '$.vp.verifiableCredential[0]', + }, + }, + ], + id: expect.any(String), + }, + state: expect.any(String), + vp_token: expect.any(String), + }) + expect(serverResponse1).toMatchObject({ + status: 200, + }) + + // The RP MUST validate that the aud (audience) Claim contains the value of the client_id + // that the RP sent in the Authorization Request as an audience. + // When the request has been signed, the value might be an HTTPS URL, or a Decentralized Identifier. + const verifierTenant1_2 = await verifier.agent.modules.tenants.getTenantAgent({ tenantId: verifier1.tenantId }) + const { idToken: idToken1, presentationExchange: presentationExchange1 } = + await verifierTenant1_2.modules.openId4VcVerifier.verifyAuthorizationResponse({ + authorizationResponse: submittedResponse1, + verifierId: openIdVerifierTenant1.verifierId, + }) + + const requestObjectPayload1 = JsonEncoder.fromBase64(authorizationRequestPayload1.request?.split('.')[1] as string) + expect(idToken1?.payload).toMatchObject({ + state: requestObjectPayload1.state, + nonce: requestObjectPayload1.nonce, + }) + + expect(presentationExchange1).toMatchObject({ + definition: openBadgePresentationDefinition, + submission: { + definition_id: 'OpenBadgeCredential', + }, + presentations: [ + { + verifiableCredential: [ + { + type: ['VerifiableCredential', 'OpenBadgeCredential'], + }, + ], + }, + ], + }) + + const selectedCredentials2 = presentationExchangeService.selectCredentialsForRequest( + resolvedProofRequest2.presentationExchange.credentialsForRequest + ) + + const { serverResponse: serverResponse2, submittedResponse: submittedResponse2 } = + await holderTenant.modules.openId4VcHolder.acceptSiopAuthorizationRequest({ + authorizationRequest: resolvedProofRequest2.authorizationRequest, + presentationExchange: { + credentials: selectedCredentials2, + }, + }) + expect(serverResponse2).toMatchObject({ + status: 200, + }) + + // The RP MUST validate that the aud (audience) Claim contains the value of the client_id + // that the RP sent in the Authorization Request as an audience. + // When the request has been signed, the value might be an HTTPS URL, or a Decentralized Identifier. + const verifierTenant2_2 = await verifier.agent.modules.tenants.getTenantAgent({ tenantId: verifier2.tenantId }) + const { idToken: idToken2, presentationExchange: presentationExchange2 } = + await verifierTenant2_2.modules.openId4VcVerifier.verifyAuthorizationResponse({ + authorizationResponse: submittedResponse2, + verifierId: openIdVerifierTenant2.verifierId, + }) + + const requestObjectPayload2 = JsonEncoder.fromBase64(authorizationRequestPayload2.request?.split('.')[1] as string) + expect(idToken2?.payload).toMatchObject({ + state: requestObjectPayload2.state, + nonce: requestObjectPayload2.nonce, + }) + + expect(presentationExchange2).toMatchObject({ + definition: universityDegreePresentationDefinition, + submission: { + definition_id: 'UniversityDegreeCredential', + }, + presentations: [ + { + verifiableCredential: [ + { + type: ['VerifiableCredential', 'UniversityDegreeCredential'], + }, + ], + }, + ], + }) + }) + + it('e2e flow with verifier endpoints verifying a sd-jwt-vc with selective disclosure', async () => { + const openIdVerifier = await verifier.agent.modules.openId4VcVerifier.createVerifier() + + const signedSdJwtVc = await issuer.agent.sdJwtVc.sign({ + holder: { + method: 'did', + didUrl: holder.kid, + }, + issuer: { + method: 'did', + didUrl: issuer.kid, + }, + payload: { + vct: 'OpenBadgeCredential', + university: 'innsbruck', + degree: 'bachelor', + name: 'John Doe', + }, + disclosureFrame: { + university: true, + name: true, + }, + }) + + await holder.agent.sdJwtVc.store(signedSdJwtVc.compact) + + const presentationDefinition = { + id: 'OpenBadgeCredential', + input_descriptors: [ + { + id: 'OpenBadgeCredentialDescriptor', + // FIXME: https://github.com/Sphereon-Opensource/pex-openapi/issues/32 + // format: { + // 'vc+sd-jwt': { + // 'sd-jwt_alg_values': ['EdDSA'], + // }, + // }, + constraints: { + limit_disclosure: 'required', + fields: [ + { + path: ['$.vct'], + filter: { + type: 'string', + const: 'OpenBadgeCredential', + }, + }, + { + path: ['$.university'], + }, + ], + }, + }, + ], + } satisfies DifPresentationExchangeDefinitionV2 + + const { authorizationRequestUri, authorizationRequestPayload } = + await verifier.agent.modules.openId4VcVerifier.createAuthorizationRequest({ + verifierId: openIdVerifier.verifierId, + requestSigner: { + method: 'did', + didUrl: verifier.kid, + }, + presentationExchange: { + definition: presentationDefinition, + }, + }) + + expect( + authorizationRequestUri.startsWith( + `openid://?redirect_uri=http%3A%2F%2Flocalhost%3A1234%2Foid4vp%2F${openIdVerifier.verifierId}%2Fauthorize` + ) + ).toBe(true) + + const resolvedAuthorizationRequest = await holder.agent.modules.openId4VcHolder.resolveSiopAuthorizationRequest( + authorizationRequestUri + ) + + expect(resolvedAuthorizationRequest.presentationExchange?.credentialsForRequest).toMatchObject({ + areRequirementsSatisfied: true, + requirements: [ + { + submissionEntry: [ + { + verifiableCredentials: [ + { + // FIXME: because we have the record, we don't know which fields will be disclosed + // Can we temp-assign these to the record? + compactSdJwtVc: signedSdJwtVc.compact, + }, + ], + }, + ], + }, + ], + }) + + if (!resolvedAuthorizationRequest.presentationExchange) { + throw new Error('Presentation exchange not defined') + } + + // TODO: better way to auto-select + const presentationExchangeService = holder.agent.dependencyManager.resolve(DifPresentationExchangeService) + const selectedCredentials = presentationExchangeService.selectCredentialsForRequest( + resolvedAuthorizationRequest.presentationExchange.credentialsForRequest + ) + + const { serverResponse, submittedResponse } = + await holder.agent.modules.openId4VcHolder.acceptSiopAuthorizationRequest({ + authorizationRequest: resolvedAuthorizationRequest.authorizationRequest, + presentationExchange: { + credentials: selectedCredentials, + }, + }) + + // path_nested should not be used for sd-jwt + expect(submittedResponse.presentation_submission?.descriptor_map[0].path_nested).toBeUndefined() + expect(submittedResponse).toEqual({ + expires_in: 6000, + id_token: expect.any(String), + presentation_submission: { + definition_id: 'OpenBadgeCredential', + descriptor_map: [ + { + format: 'vc+sd-jwt', + id: 'OpenBadgeCredentialDescriptor', + path: '$', + }, + ], + id: expect.any(String), + }, + state: expect.any(String), + vp_token: expect.any(String), + }) + expect(serverResponse).toMatchObject({ + status: 200, + }) + + // The RP MUST validate that the aud (audience) Claim contains the value of the client_id + // that the RP sent in the Authorization Request as an audience. + // When the request has been signed, the value might be an HTTPS URL, or a Decentralized Identifier. + const { idToken, presentationExchange } = + await verifier.agent.modules.openId4VcVerifier.verifyAuthorizationResponse({ + authorizationResponse: submittedResponse, + verifierId: openIdVerifier.verifierId, + }) + + const requestObjectPayload = JsonEncoder.fromBase64(authorizationRequestPayload.request?.split('.')[1] as string) + expect(idToken?.payload).toMatchObject({ + state: requestObjectPayload.state, + nonce: requestObjectPayload.nonce, + }) + + const presentation = presentationExchange?.presentations[0] as SdJwtVc + + // name SHOULD NOT be disclosed + expect(presentation.prettyClaims).not.toHaveProperty('name') + + // university and name SHOULD NOT be in the signed payload + expect(presentation.payload).not.toHaveProperty('university') + expect(presentation.payload).not.toHaveProperty('name') + + expect(presentationExchange).toMatchObject({ + definition: presentationDefinition, + submission: { + definition_id: 'OpenBadgeCredential', + }, + presentations: [ + { + payload: { + vct: 'OpenBadgeCredential', + degree: 'bachelor', + }, + // university SHOULD be disclosed + prettyClaims: { + degree: 'bachelor', + university: 'innsbruck', + }, + }, + ], + }) + }) +}) diff --git a/packages/openid4vc-client/tests/setup.ts b/packages/openid4vc/tests/setup.ts similarity index 100% rename from packages/openid4vc-client/tests/setup.ts rename to packages/openid4vc/tests/setup.ts diff --git a/packages/openid4vc/tests/utils.ts b/packages/openid4vc/tests/utils.ts new file mode 100644 index 0000000000..88007013f8 --- /dev/null +++ b/packages/openid4vc/tests/utils.ts @@ -0,0 +1,74 @@ +import type { TenantAgent } from '../../tenants/src/TenantAgent' +import type { KeyDidCreateOptions, ModulesMap } from '@aries-framework/core' +import type { TenantsModule } from '@aries-framework/tenants' + +import { LogLevel, Agent, DidKey, KeyType, TypedArrayEncoder, utils } from '@aries-framework/core' + +import { agentDependencies, TestLogger } from '../../core/tests' + +export async function createDidKidVerificationMethod(agent: Agent | TenantAgent, secretKey?: string) { + const didCreateResult = await agent.dids.create({ + method: 'key', + options: { keyType: KeyType.Ed25519 }, + secret: { privateKey: secretKey ? TypedArrayEncoder.fromString(secretKey) : undefined }, + }) + + const did = didCreateResult.didState.did as string + const didKey = DidKey.fromDid(did) + const kid = `${did}#${didKey.key.fingerprint}` + + const verificationMethod = didCreateResult.didState.didDocument?.dereferenceKey(kid, ['authentication']) + if (!verificationMethod) throw new Error('No verification method found') + + return { + did, + kid, + verificationMethod, + } +} + +export async function createAgentFromModules(label: string, modulesMap: MM, secretKey: string) { + const agent = new Agent({ + config: { label, walletConfig: { id: utils.uuid(), key: utils.uuid() }, logger: new TestLogger(LogLevel.off) }, + dependencies: agentDependencies, + modules: modulesMap, + }) + + await agent.initialize() + const data = await createDidKidVerificationMethod(agent, secretKey) + + return { + ...data, + agent, + } +} + +export type AgentType = Awaited>> + +// eslint-disable-next-line @typescript-eslint/no-explicit-any +type AgentWithTenantsModule = Agent<{ tenants: TenantsModule }> + +export async function createTenantForAgent( + // FIXME: we need to make some improvements on the agent typing. It'a quite hard + // to get it right at the moment + // eslint-disable-next-line @typescript-eslint/no-explicit-any + agent: AgentWithTenantsModule & any, + label: string +) { + const tenantRecord = await agent.modules.tenants.createTenant({ + config: { + label, + }, + }) + + const tenant = await agent.modules.tenants.getTenantAgent({ tenantId: tenantRecord.id }) + const data = await createDidKidVerificationMethod(tenant) + await tenant.endSession() + + return { + ...data, + tenantId: tenantRecord.id, + } +} + +export type TenantType = Awaited> diff --git a/packages/openid4vc/tests/utilsVci.ts b/packages/openid4vc/tests/utilsVci.ts new file mode 100644 index 0000000000..798c9f76af --- /dev/null +++ b/packages/openid4vc/tests/utilsVci.ts @@ -0,0 +1,45 @@ +import type { OpenId4VciCredentialSupportedWithId } from '../src' + +import { OpenId4VciCredentialFormatProfile } from '../src' + +export const openBadgeCredential: OpenId4VciCredentialSupportedWithId = { + id: `/credentials/OpenBadgeCredential`, + format: OpenId4VciCredentialFormatProfile.JwtVcJson, + types: ['VerifiableCredential', 'OpenBadgeCredential'], +} + +export const universityDegreeCredential: OpenId4VciCredentialSupportedWithId = { + id: `/credentials/UniversityDegreeCredential`, + format: OpenId4VciCredentialFormatProfile.JwtVcJson, + types: ['VerifiableCredential', 'UniversityDegreeCredential'], +} + +export const universityDegreeCredentialLd: OpenId4VciCredentialSupportedWithId = { + id: `/credentials/UniversityDegreeCredentialLd`, + format: OpenId4VciCredentialFormatProfile.JwtVcJsonLd, + types: ['VerifiableCredential', 'UniversityDegreeCredential'], + '@context': ['context'], +} + +export const universityDegreeCredentialSdJwt = { + id: 'https://openid4vc-issuer.com/credentials/UniversityDegreeCredentialSdJwt', + format: OpenId4VciCredentialFormatProfile.SdJwtVc, + vct: 'UniversityDegreeCredential', + cryptographic_binding_methods_supported: ['did:key'], +} satisfies OpenId4VciCredentialSupportedWithId + +export const universityDegreeCredentialSdJwt2 = { + id: 'https://openid4vc-issuer.com/credentials/UniversityDegreeCredentialSdJwt2', + format: OpenId4VciCredentialFormatProfile.SdJwtVc, + vct: 'UniversityDegreeCredential2', + // FIXME: should this be dynamically generated? I think static is fine for now + cryptographic_binding_methods_supported: ['jwk'], +} satisfies OpenId4VciCredentialSupportedWithId + +export const allCredentialsSupported = [ + openBadgeCredential, + universityDegreeCredential, + universityDegreeCredentialLd, + universityDegreeCredentialSdJwt, + universityDegreeCredentialSdJwt2, +] diff --git a/packages/openid4vc/tests/utilsVp.ts b/packages/openid4vc/tests/utilsVp.ts new file mode 100644 index 0000000000..229eba683e --- /dev/null +++ b/packages/openid4vc/tests/utilsVp.ts @@ -0,0 +1,121 @@ +import type { AgentContext, DifPresentationExchangeDefinitionV2, VerificationMethod } from '@aries-framework/core' + +import { + getKeyFromVerificationMethod, + W3cCredential, + W3cIssuer, + W3cCredentialSubject, + W3cCredentialService, + ClaimFormat, + CREDENTIALS_CONTEXT_V1_URL, +} from '@aries-framework/core' + +import { getProofTypeFromKey } from '../src/shared/utils' + +export const waltPortalOpenBadgeJwt = + 'eyJ0eXAiOiJKV1QiLCJhbGciOiJFZERTQSIsImtpZCI6ImRpZDprZXk6ejZNa3RpUVFFcW0yeWFwWEJEdDFXRVZCM2RxZ3Z5emk5NkZ1RkFOWW1yZ1RyS1Y5I3o2TWt0aVFRRXFtMnlhcFhCRHQxV0VWQjNkcWd2eXppOTZGdUZBTlltcmdUcktWOSJ9.eyJ2YyI6eyJAY29udGV4dCI6WyJodHRwczovL3d3dy53My5vcmcvMjAxOC9jcmVkZW50aWFscy92MSJdLCJ0eXBlIjpbIlZlcmlmaWFibGVDcmVkZW50aWFsIiwiT3BlbkJhZGdlQ3JlZGVudGlhbCJdLCJjcmVkZW50aWFsU3ViamVjdCI6e319LCJpc3MiOiJkaWQ6a2V5Ono2TWt0aVFRRXFtMnlhcFhCRHQxV0VWQjNkcWd2eXppOTZGdUZBTlltcmdUcktWOSIsInN1YiI6ImRpZDprZXk6ejZNa3BHUjRnczRSYzNacGg0dmo4d1Juam5BeGdBUFN4Y1I4TUFWS3V0V3NwUXpjIiwibmJmIjoxNzAwNzQzMzM1fQ.OcKPyaWeVV-78BWr8N4h2Cyvjtc9jzknAqvTA77hTbKCNCEbhGboo-S6yXHLC-3NWYQ1vVcqZmdPlIOrHZ7MDw' + +export const waltUniversityDegreeJwt = + 'eyJ0eXAiOiJKV1QiLCJhbGciOiJFZERTQSIsImtpZCI6ImRpZDprZXk6ejZNa3RpUVFFcW0yeWFwWEJEdDFXRVZCM2RxZ3Z5emk5NkZ1RkFOWW1yZ1RyS1Y5I3o2TWt0aVFRRXFtMnlhcFhCRHQxV0VWQjNkcWd2eXppOTZGdUZBTlltcmdUcktWOSJ9.eyJ2YyI6eyJAY29udGV4dCI6WyJodHRwczovL3d3dy53My5vcmcvMjAxOC9jcmVkZW50aWFscy92MSJdLCJ0eXBlIjpbIlZlcmlmaWFibGVDcmVkZW50aWFsIiwiVW5pdmVyc2l0eURlZ3JlZUNyZWRlbnRpYWwiXSwiY3JlZGVudGlhbFN1YmplY3QiOnt9fSwiaXNzIjoiZGlkOmtleTp6Nk1rdGlRUUVxbTJ5YXBYQkR0MVdFVkIzZHFndnl6aTk2RnVGQU5ZbXJnVHJLVjkiLCJzdWIiOiJkaWQ6a2V5Ono2TWtwR1I0Z3M0UmMzWnBoNHZqOHdSbmpuQXhnQVBTeGNSOE1BVkt1dFdzcFF6YyIsIm5iZiI6MTcwMDc0MzM5NH0.EhMnE349oOvzbu0rFl-m_7FOoRsB5VucLV5tUUIW0jPxkJ7J0qVLOJTXVX4KNv_N9oeP8pgTUvydd6nxB_0KCQ' + +export const getOpenBadgeCredentialLdpVc = async ( + agentContext: AgentContext, + issuerVerificationMethod: VerificationMethod, + holderVerificationMethod: VerificationMethod +) => { + const credential = new W3cCredential({ + context: [CREDENTIALS_CONTEXT_V1_URL, 'https://www.w3.org/2018/credentials/examples/v1'], + type: ['VerifiableCredential', 'OpenBadgeCredential'], + id: 'http://example.edu/credentials/3732', + issuer: new W3cIssuer({ + id: issuerVerificationMethod.controller, + }), + issuanceDate: '2017-10-22T12:23:48Z', + expirationDate: '2027-10-22T12:23:48Z', + credentialSubject: new W3cCredentialSubject({ + id: holderVerificationMethod.controller, + }), + }) + + const w3cs = agentContext.dependencyManager.resolve(W3cCredentialService) + const key = getKeyFromVerificationMethod(holderVerificationMethod) + const proofType = getProofTypeFromKey(agentContext, key) + const signedLdpVc = await w3cs.signCredential(agentContext, { + format: ClaimFormat.LdpVc, + credential, + verificationMethod: issuerVerificationMethod.id, + proofType, + }) + + return signedLdpVc +} +export const openBadgeCredentialPresentationDefinitionLdpVc: DifPresentationExchangeDefinitionV2 = { + id: 'OpenBadgeCredential', + input_descriptors: [ + { + id: 'OpenBadgeCredential', + // changed jwt_vc_json to jwt_vc + format: { ldp_vc: { proof_type: ['Ed25519Signature2018'] } }, + // changed $.type to $.vc.type + constraints: { + fields: [{ path: ['$.type.*', '$.vc.type'], filter: { type: 'string', pattern: 'OpenBadgeCredential' } }], + }, + }, + ], +} + +export const universityDegreePresentationDefinition: DifPresentationExchangeDefinitionV2 = { + id: 'UniversityDegreeCredential', + input_descriptors: [ + { + id: 'UniversityDegree', + // changed jwt_vc_json to jwt_vc + format: { jwt_vc: { alg: ['EdDSA'] } }, + // changed $.type to $.vc.type + constraints: { + fields: [{ path: ['$.vc.type.*'], filter: { type: 'string', pattern: 'UniversityDegree' } }], + }, + }, + ], +} + +export const openBadgePresentationDefinition: DifPresentationExchangeDefinitionV2 = { + id: 'OpenBadgeCredential', + input_descriptors: [ + { + id: 'OpenBadgeCredentialDescriptor', + // changed jwt_vc_json to jwt_vc + format: { jwt_vc: { alg: ['EdDSA'] } }, + // changed $.type to $.vc.type + constraints: { + fields: [{ path: ['$.vc.type.*'], filter: { type: 'string', pattern: 'OpenBadgeCredential' } }], + }, + }, + ], +} + +export const combinePresentationDefinitions = ( + presentationDefinitions: DifPresentationExchangeDefinitionV2[] +): DifPresentationExchangeDefinitionV2 => { + return { + id: 'Combined', + input_descriptors: presentationDefinitions.flatMap((p) => p.input_descriptors), + } +} + +// eslint-disable-next-line @typescript-eslint/no-explicit-any +export function waitForMockFunction(mockFn: jest.Mock) { + return new Promise((resolve, reject) => { + const intervalId = setInterval(() => { + if (mockFn.mock.calls.length > 0) { + clearInterval(intervalId) + resolve(0) + } + }, 100) + + setTimeout(() => { + clearInterval(intervalId) + reject(new Error('Timeout Callback')) + }, 10000) + }) +} diff --git a/packages/openid4vc-client/tsconfig.build.json b/packages/openid4vc/tsconfig.build.json similarity index 100% rename from packages/openid4vc-client/tsconfig.build.json rename to packages/openid4vc/tsconfig.build.json diff --git a/packages/openid4vc-client/tsconfig.json b/packages/openid4vc/tsconfig.json similarity index 100% rename from packages/openid4vc-client/tsconfig.json rename to packages/openid4vc/tsconfig.json diff --git a/packages/sd-jwt-vc/README.md b/packages/sd-jwt-vc/README.md deleted file mode 100644 index aaaac48824..0000000000 --- a/packages/sd-jwt-vc/README.md +++ /dev/null @@ -1,57 +0,0 @@ -

-
- Hyperledger Aries logo -

-

Aries Framework JavaScript Selective Disclosure JWT VC Module

-

- License - typescript - @aries-framework/sd-jwt-vc version -

-
- -### Installation - -Add the `sd-jwt-vc` module to your project. - -```sh -yarn add @aries-framework/sd-jwt-vc -``` - -### Quick start - -After the installation you can follow the [guide to setup your agent](https://aries.js.org/guides/0.4/getting-started/set-up) and add the following to your agent modules. - -```ts -import { SdJwtVcModule } from '@aries-framework/sd-jwt-vc' - -const agent = new Agent({ - config: { - /* config */ - }, - dependencies: agentDependencies, - modules: { - sdJwtVc: new SdJwtVcModule(), - /* other custom modules */ - }, -}) - -await agent.initialize() -``` diff --git a/packages/sd-jwt-vc/package.json b/packages/sd-jwt-vc/package.json deleted file mode 100644 index 1f973c648e..0000000000 --- a/packages/sd-jwt-vc/package.json +++ /dev/null @@ -1,39 +0,0 @@ -{ - "name": "@aries-framework/sd-jwt-vc", - "main": "build/index", - "types": "build/index", - "version": "0.4.2", - "files": [ - "build" - ], - "license": "Apache-2.0", - "publishConfig": { - "access": "public" - }, - "homepage": "https://github.com/hyperledger/aries-framework-javascript/tree/main/packages/sd-jwt-vc", - "repository": { - "type": "git", - "url": "https://github.com/hyperledger/aries-framework-javascript", - "directory": "packages/sd-jwt-vc" - }, - "scripts": { - "build": "yarn run clean && yarn run compile", - "clean": "rimraf ./build", - "compile": "tsc -p tsconfig.build.json", - "prepublishOnly": "yarn run build", - "test": "jest" - }, - "dependencies": { - "@aries-framework/askar": "^0.4.2", - "@aries-framework/core": "^0.4.2", - "class-transformer": "0.5.1", - "class-validator": "0.14.0", - "jwt-sd": "^0.1.2" - }, - "devDependencies": { - "@hyperledger/aries-askar-nodejs": "^0.2.0-dev.5", - "reflect-metadata": "^0.1.13", - "rimraf": "^4.4.0", - "typescript": "~4.9.5" - } -} diff --git a/packages/sd-jwt-vc/src/SdJwtVcApi.ts b/packages/sd-jwt-vc/src/SdJwtVcApi.ts deleted file mode 100644 index 8091d54c69..0000000000 --- a/packages/sd-jwt-vc/src/SdJwtVcApi.ts +++ /dev/null @@ -1,93 +0,0 @@ -import type { - SdJwtVcCreateOptions, - SdJwtVcPresentOptions, - SdJwtVcReceiveOptions, - SdJwtVcVerifyOptions, -} from './SdJwtVcOptions' -import type { SdJwtVcVerificationResult } from './SdJwtVcService' -import type { SdJwtVcRecord } from './repository' -import type { Query } from '@aries-framework/core' - -import { AgentContext, injectable } from '@aries-framework/core' - -import { SdJwtVcService } from './SdJwtVcService' - -/** - * @public - */ -@injectable() -export class SdJwtVcApi { - private agentContext: AgentContext - private sdJwtVcService: SdJwtVcService - - public constructor(agentContext: AgentContext, sdJwtVcService: SdJwtVcService) { - this.agentContext = agentContext - this.sdJwtVcService = sdJwtVcService - } - - public async create = Record>( - payload: Payload, - options: SdJwtVcCreateOptions - ): Promise<{ sdJwtVcRecord: SdJwtVcRecord; compact: string }> { - return await this.sdJwtVcService.create(this.agentContext, payload, options) - } - - /** - * - * Validates and stores an sd-jwt-vc from the perspective of an holder - * - */ - public async storeCredential(sdJwtVcCompact: string, options: SdJwtVcReceiveOptions): Promise { - return await this.sdJwtVcService.storeCredential(this.agentContext, sdJwtVcCompact, options) - } - - /** - * - * Create a compact presentation of the sd-jwt. - * This presentation can be send in- or out-of-band to the verifier. - * - * Within the `options` field, you can supply the indicies of the disclosures you would like to share with the verifier. - * Also, whether to include the holder key binding. - * - */ - public async present(sdJwtVcRecord: SdJwtVcRecord, options: SdJwtVcPresentOptions): Promise { - return await this.sdJwtVcService.present(this.agentContext, sdJwtVcRecord, options) - } - - /** - * - * Verify an incoming sd-jwt. It will check whether everything is valid, but also returns parts of the validation. - * - * For example, you might still want to continue with a flow if not all the claims are included, but the signature is valid. - * - */ - public async verify< - Header extends Record = Record, - Payload extends Record = Record - >( - sdJwtVcCompact: string, - options: SdJwtVcVerifyOptions - ): Promise<{ sdJwtVcRecord: SdJwtVcRecord; validation: SdJwtVcVerificationResult }> { - return await this.sdJwtVcService.verify(this.agentContext, sdJwtVcCompact, options) - } - - public async getById(id: string): Promise { - return await this.sdJwtVcService.getCredentialRecordById(this.agentContext, id) - } - - public async getAll(): Promise> { - return await this.sdJwtVcService.getAllCredentialRecords(this.agentContext) - } - - public async findAllByQuery(query: Query): Promise> { - return await this.sdJwtVcService.findCredentialRecordsByQuery(this.agentContext, query) - } - - public async remove(id: string) { - return await this.sdJwtVcService.removeCredentialRecord(this.agentContext, id) - } - - public async update(sdJwtVcRecord: SdJwtVcRecord) { - return await this.sdJwtVcService.updateCredentialRecord(this.agentContext, sdJwtVcRecord) - } -} diff --git a/packages/sd-jwt-vc/src/SdJwtVcError.ts b/packages/sd-jwt-vc/src/SdJwtVcError.ts deleted file mode 100644 index cacc4c7511..0000000000 --- a/packages/sd-jwt-vc/src/SdJwtVcError.ts +++ /dev/null @@ -1,3 +0,0 @@ -import { AriesFrameworkError } from '@aries-framework/core' - -export class SdJwtVcError extends AriesFrameworkError {} diff --git a/packages/sd-jwt-vc/src/SdJwtVcOptions.ts b/packages/sd-jwt-vc/src/SdJwtVcOptions.ts deleted file mode 100644 index d7e2ea7ece..0000000000 --- a/packages/sd-jwt-vc/src/SdJwtVcOptions.ts +++ /dev/null @@ -1,44 +0,0 @@ -import type { HashName, JwaSignatureAlgorithm } from '@aries-framework/core' -import type { DisclosureFrame } from 'jwt-sd' - -export type SdJwtVcCreateOptions = Record> = { - holderDidUrl: string - issuerDidUrl: string - jsonWebAlgorithm?: JwaSignatureAlgorithm - disclosureFrame?: DisclosureFrame - hashingAlgorithm?: HashName -} - -export type SdJwtVcReceiveOptions = { - issuerDidUrl: string - holderDidUrl: string -} - -/** - * `includedDisclosureIndices` is not the best API, but it is the best alternative until something like `PEX` is supported - */ -export type SdJwtVcPresentOptions = { - jsonWebAlgorithm?: JwaSignatureAlgorithm - includedDisclosureIndices?: Array - - /** - * This information is received out-of-band from the verifier. - * The claims will be used to create a normal JWT, used for key binding. - */ - verifierMetadata: { - verifierDid: string - nonce: string - issuedAt: number - } -} - -/** - * `requiredClaimKeys` is not the best API, but it is the best alternative until something like `PEX` is supported - */ -export type SdJwtVcVerifyOptions = { - holderDidUrl: string - challenge: { - verifierDid: string - } - requiredClaimKeys?: Array -} diff --git a/packages/sd-jwt-vc/src/SdJwtVcService.ts b/packages/sd-jwt-vc/src/SdJwtVcService.ts deleted file mode 100644 index e8af00af0d..0000000000 --- a/packages/sd-jwt-vc/src/SdJwtVcService.ts +++ /dev/null @@ -1,341 +0,0 @@ -import type { - SdJwtVcCreateOptions, - SdJwtVcPresentOptions, - SdJwtVcReceiveOptions, - SdJwtVcVerifyOptions, -} from './SdJwtVcOptions' -import type { AgentContext, JwkJson, Query } from '@aries-framework/core' -import type { Signer, SdJwtVcVerificationResult, Verifier, HasherAndAlgorithm } from 'jwt-sd' - -import { - parseDid, - DidResolverService, - getKeyFromVerificationMethod, - getJwkFromJson, - Key, - getJwkFromKey, - Hasher, - inject, - injectable, - InjectionSymbols, - Logger, - TypedArrayEncoder, - Buffer, -} from '@aries-framework/core' -import { KeyBinding, SdJwtVc, HasherAlgorithm, Disclosure } from 'jwt-sd' - -import { SdJwtVcError } from './SdJwtVcError' -import { SdJwtVcRepository, SdJwtVcRecord } from './repository' - -export { SdJwtVcVerificationResult } - -/** - * @internal - */ -@injectable() -export class SdJwtVcService { - private logger: Logger - private sdJwtVcRepository: SdJwtVcRepository - - public constructor(sdJwtVcRepository: SdJwtVcRepository, @inject(InjectionSymbols.Logger) logger: Logger) { - this.sdJwtVcRepository = sdJwtVcRepository - this.logger = logger - } - - private async resolveDidUrl(agentContext: AgentContext, didUrl: string) { - const didResolver = agentContext.dependencyManager.resolve(DidResolverService) - const didDocument = await didResolver.resolveDidDocument(agentContext, didUrl) - - return { verificationMethod: didDocument.dereferenceKey(didUrl), didDocument } - } - - private get hasher(): HasherAndAlgorithm { - return { - algorithm: HasherAlgorithm.Sha256, - hasher: (input: string) => { - const serializedInput = TypedArrayEncoder.fromString(input) - return Hasher.hash(serializedInput, 'sha2-256') - }, - } - } - - /** - * @todo validate the JWT header (alg) - */ - private signer
= Record>( - agentContext: AgentContext, - key: Key - ): Signer
{ - return async (input: string) => agentContext.wallet.sign({ key, data: TypedArrayEncoder.fromString(input) }) - } - - /** - * @todo validate the JWT header (alg) - */ - private verifier
= Record>( - agentContext: AgentContext, - signerKey: Key - ): Verifier
{ - return async ({ message, signature, publicKeyJwk }) => { - let key = signerKey - - if (publicKeyJwk) { - if (!('kty' in publicKeyJwk)) { - throw new SdJwtVcError( - 'Key type (kty) claim could not be found in the JWK of the confirmation (cnf) claim. Only JWK is supported right now' - ) - } - - const jwk = getJwkFromJson(publicKeyJwk as JwkJson) - key = Key.fromPublicKey(jwk.publicKey, jwk.keyType) - } - - return await agentContext.wallet.verify({ - signature: Buffer.from(signature), - key: key, - data: TypedArrayEncoder.fromString(message), - }) - } - } - - public async create = Record>( - agentContext: AgentContext, - payload: Payload, - { - issuerDidUrl, - holderDidUrl, - disclosureFrame, - hashingAlgorithm = 'sha2-256', - jsonWebAlgorithm, - }: SdJwtVcCreateOptions - ): Promise<{ sdJwtVcRecord: SdJwtVcRecord; compact: string }> { - if (hashingAlgorithm !== 'sha2-256') { - throw new SdJwtVcError(`Unsupported hashing algorithm used: ${hashingAlgorithm}`) - } - - const parsedDid = parseDid(issuerDidUrl) - if (!parsedDid.fragment) { - throw new SdJwtVcError( - `issuer did url '${issuerDidUrl}' does not contain a '#'. Unable to derive key from did document` - ) - } - - const { verificationMethod: issuerVerificationMethod, didDocument: issuerDidDocument } = await this.resolveDidUrl( - agentContext, - issuerDidUrl - ) - const issuerKey = getKeyFromVerificationMethod(issuerVerificationMethod) - const alg = jsonWebAlgorithm ?? getJwkFromKey(issuerKey).supportedSignatureAlgorithms[0] - - const { verificationMethod: holderVerificationMethod } = await this.resolveDidUrl(agentContext, holderDidUrl) - const holderKey = getKeyFromVerificationMethod(holderVerificationMethod) - const holderKeyJwk = getJwkFromKey(holderKey).toJson() - - const header = { - alg: alg.toString(), - typ: 'vc+sd-jwt', - kid: parsedDid.fragment, - } - - const sdJwtVc = new SdJwtVc({}, { disclosureFrame }) - .withHasher(this.hasher) - .withSigner(this.signer(agentContext, issuerKey)) - .withSaltGenerator(agentContext.wallet.generateNonce) - .withHeader(header) - .withPayload({ ...payload }) - - // Add the `cnf` claim for the holder key binding - sdJwtVc.addPayloadClaim('cnf', { jwk: holderKeyJwk }) - - // Add the issuer DID as the `iss` claim - sdJwtVc.addPayloadClaim('iss', issuerDidDocument.id) - - // Add the issued at (iat) claim - sdJwtVc.addPayloadClaim('iat', Math.floor(new Date().getTime() / 1000)) - - const compact = await sdJwtVc.toCompact() - - if (!sdJwtVc.signature) { - throw new SdJwtVcError('Invalid sd-jwt-vc state. Signature should have been set when calling `toCompact`.') - } - - const sdJwtVcRecord = new SdJwtVcRecord({ - sdJwtVc: { - header: sdJwtVc.header, - payload: sdJwtVc.payload, - signature: sdJwtVc.signature, - disclosures: sdJwtVc.disclosures?.map((d) => d.decoded), - holderDidUrl, - }, - }) - - await this.sdJwtVcRepository.save(agentContext, sdJwtVcRecord) - - return { - sdJwtVcRecord, - compact, - } - } - - public async storeCredential< - Header extends Record = Record, - Payload extends Record = Record - >( - agentContext: AgentContext, - sdJwtVcCompact: string, - { issuerDidUrl, holderDidUrl }: SdJwtVcReceiveOptions - ): Promise { - const sdJwtVc = SdJwtVc.fromCompact(sdJwtVcCompact) - - if (!sdJwtVc.signature) { - throw new SdJwtVcError('A signature must be included for an sd-jwt-vc') - } - - const { verificationMethod: issuerVerificationMethod } = await this.resolveDidUrl(agentContext, issuerDidUrl) - const issuerKey = getKeyFromVerificationMethod(issuerVerificationMethod) - - const { isSignatureValid } = await sdJwtVc.verify(this.verifier(agentContext, issuerKey)) - - if (!isSignatureValid) { - throw new SdJwtVcError('sd-jwt-vc has an invalid signature from the issuer') - } - - const { verificationMethod: holderVerificiationMethod } = await this.resolveDidUrl(agentContext, holderDidUrl) - const holderKey = getKeyFromVerificationMethod(holderVerificiationMethod) - const holderKeyJwk = getJwkFromKey(holderKey).toJson() - - sdJwtVc.assertClaimInPayload('cnf', { jwk: holderKeyJwk }) - - const sdJwtVcRecord = new SdJwtVcRecord({ - sdJwtVc: { - header: sdJwtVc.header, - payload: sdJwtVc.payload, - signature: sdJwtVc.signature, - disclosures: sdJwtVc.disclosures?.map((d) => d.decoded), - holderDidUrl, - }, - }) - - await this.sdJwtVcRepository.save(agentContext, sdJwtVcRecord) - - return sdJwtVcRecord - } - - public async present( - agentContext: AgentContext, - sdJwtVcRecord: SdJwtVcRecord, - { includedDisclosureIndices, verifierMetadata, jsonWebAlgorithm }: SdJwtVcPresentOptions - ): Promise { - const { verificationMethod: holderVerificationMethod } = await this.resolveDidUrl( - agentContext, - sdJwtVcRecord.sdJwtVc.holderDidUrl - ) - const holderKey = getKeyFromVerificationMethod(holderVerificationMethod) - const alg = jsonWebAlgorithm ?? getJwkFromKey(holderKey).supportedSignatureAlgorithms[0] - - const header = { - alg: alg.toString(), - typ: 'kb+jwt', - } as const - - const payload = { - iat: verifierMetadata.issuedAt, - nonce: verifierMetadata.nonce, - aud: verifierMetadata.verifierDid, - } - - const keyBinding = new KeyBinding, Record>({ header, payload }).withSigner( - this.signer(agentContext, holderKey) - ) - - const sdJwtVc = new SdJwtVc({ - header: sdJwtVcRecord.sdJwtVc.header, - payload: sdJwtVcRecord.sdJwtVc.payload, - signature: sdJwtVcRecord.sdJwtVc.signature, - disclosures: sdJwtVcRecord.sdJwtVc.disclosures?.map(Disclosure.fromArray), - }).withKeyBinding(keyBinding) - - return await sdJwtVc.present(includedDisclosureIndices) - } - - public async verify< - Header extends Record = Record, - Payload extends Record = Record - >( - agentContext: AgentContext, - sdJwtVcCompact: string, - { challenge: { verifierDid }, requiredClaimKeys, holderDidUrl }: SdJwtVcVerifyOptions - ): Promise<{ sdJwtVcRecord: SdJwtVcRecord; validation: SdJwtVcVerificationResult }> { - const sdJwtVc = SdJwtVc.fromCompact(sdJwtVcCompact) - - if (!sdJwtVc.signature) { - throw new SdJwtVcError('A signature is required for verification of the sd-jwt-vc') - } - - if (!sdJwtVc.keyBinding || !sdJwtVc.keyBinding.payload) { - throw new SdJwtVcError('Keybinding is required for verification of the sd-jwt-vc') - } - - sdJwtVc.keyBinding.assertClaimInPayload('aud', verifierDid) - - const { verificationMethod: holderVerificationMethod } = await this.resolveDidUrl(agentContext, holderDidUrl) - const holderKey = getKeyFromVerificationMethod(holderVerificationMethod) - const holderKeyJwk = getJwkFromKey(holderKey).toJson() - - sdJwtVc.assertClaimInPayload('cnf', { jwk: holderKeyJwk }) - - sdJwtVc.assertClaimInHeader('kid') - sdJwtVc.assertClaimInPayload('iss') - - const issuerKid = sdJwtVc.getClaimInHeader('kid') - const issuerDid = sdJwtVc.getClaimInPayload('iss') - - // TODO: is there a more AFJ way of doing this? - const issuerDidUrl = `${issuerDid}#${issuerKid}` - - const { verificationMethod: issuerVerificationMethod } = await this.resolveDidUrl(agentContext, issuerDidUrl) - const issuerKey = getKeyFromVerificationMethod(issuerVerificationMethod) - - const verificationResult = await sdJwtVc.verify(this.verifier(agentContext, issuerKey), requiredClaimKeys) - - const sdJwtVcRecord = new SdJwtVcRecord({ - sdJwtVc: { - signature: sdJwtVc.signature, - payload: sdJwtVc.payload, - disclosures: sdJwtVc.disclosures?.map((d) => d.decoded), - header: sdJwtVc.header, - holderDidUrl, - }, - }) - - await this.sdJwtVcRepository.save(agentContext, sdJwtVcRecord) - - return { - sdJwtVcRecord, - validation: verificationResult, - } - } - - public async getCredentialRecordById(agentContext: AgentContext, id: string): Promise { - return await this.sdJwtVcRepository.getById(agentContext, id) - } - - public async getAllCredentialRecords(agentContext: AgentContext): Promise> { - return await this.sdJwtVcRepository.getAll(agentContext) - } - - public async findCredentialRecordsByQuery( - agentContext: AgentContext, - query: Query - ): Promise> { - return await this.sdJwtVcRepository.findByQuery(agentContext, query) - } - - public async removeCredentialRecord(agentContext: AgentContext, id: string) { - await this.sdJwtVcRepository.deleteById(agentContext, id) - } - - public async updateCredentialRecord(agentContext: AgentContext, sdJwtVcRecord: SdJwtVcRecord) { - await this.sdJwtVcRepository.update(agentContext, sdJwtVcRecord) - } -} diff --git a/packages/sd-jwt-vc/src/__tests__/sdjwtvc.fixtures.ts b/packages/sd-jwt-vc/src/__tests__/sdjwtvc.fixtures.ts deleted file mode 100644 index e345cd8c3e..0000000000 --- a/packages/sd-jwt-vc/src/__tests__/sdjwtvc.fixtures.ts +++ /dev/null @@ -1,17 +0,0 @@ -export const simpleJwtVc = - 'eyJhbGciOiJFZERTQSIsInR5cCI6InZjK3NkLWp3dCIsImtpZCI6Ino2TWt0cXRYTkc4Q0RVWTlQcnJ0b1N0RnplQ25ocE1tZ3hZTDFnaWtjVzNCenZOVyJ9.eyJjbGFpbSI6InNvbWUtY2xhaW0iLCJ0eXBlIjoiSWRlbnRpdHlDcmVkZW50aWFsIiwiY25mIjp7Imp3ayI6eyJrdHkiOiJPS1AiLCJjcnYiOiJFZDI1NTE5IiwieCI6Im9FTlZzeE9VaUg1NFg4d0pMYVZraWNDUmswMHdCSVE0c1JnYms1NE44TW8ifX0sImlzcyI6ImRpZDprZXk6ejZNa3RxdFhORzhDRFVZOVBycnRvU3RGemVDbmhwTW1neFlMMWdpa2NXM0J6dk5XIiwiaWF0IjoxNjk4MTUxNTMyfQ.5oT776RbzRyRTINojXJExV1Ul6aP7sXKssU5bR0uWmQzVJ046y7gNhD5shJ3arYbtdakeVKBTicPM8LAzOvzAw' - -export const simpleJwtVcPresentation = - 'eyJhbGciOiJFZERTQSIsInR5cCI6InZjK3NkLWp3dCIsImtpZCI6Ino2TWt0cXRYTkc4Q0RVWTlQcnJ0b1N0RnplQ25ocE1tZ3hZTDFnaWtjVzNCenZOVyJ9.eyJjbGFpbSI6InNvbWUtY2xhaW0iLCJ0eXBlIjoiSWRlbnRpdHlDcmVkZW50aWFsIiwiY25mIjp7Imp3ayI6eyJrdHkiOiJPS1AiLCJjcnYiOiJFZDI1NTE5IiwieCI6Im9FTlZzeE9VaUg1NFg4d0pMYVZraWNDUmswMHdCSVE0c1JnYms1NE44TW8ifX0sImlzcyI6ImRpZDprZXk6ejZNa3RxdFhORzhDRFVZOVBycnRvU3RGemVDbmhwTW1neFlMMWdpa2NXM0J6dk5XIiwiaWF0IjoxNjk4MTUxNTMyfQ.5oT776RbzRyRTINojXJExV1Ul6aP7sXKssU5bR0uWmQzVJ046y7gNhD5shJ3arYbtdakeVKBTicPM8LAzOvzAw~eyJhbGciOiJFZERTQSIsInR5cCI6ImtiK2p3dCJ9.eyJpYXQiOjE2OTgxNTE1MzIsIm5vbmNlIjoic2FsdCIsImF1ZCI6ImRpZDprZXk6elVDNzRWRXFxaEVIUWNndjR6YWdTUGtxRkp4dU5XdW9CUEtqSnVIRVRFVWVITG9TcVd0OTJ2aVNzbWFXank4MnkifQ.VdZSnQJ5sklqMPnIzaOaGxP2qPiEPniTaUFHy4VMcW9h9pV1c17fcuTySJtmV2tcpKhei4ss04q_rFyN1EVRDg' - -export const sdJwtVcWithSingleDisclosure = - 'eyJhbGciOiJFZERTQSIsInR5cCI6InZjK3NkLWp3dCIsImtpZCI6Ino2TWt0cXRYTkc4Q0RVWTlQcnJ0b1N0RnplQ25ocE1tZ3hZTDFnaWtjVzNCenZOVyJ9.eyJ0eXBlIjoiSWRlbnRpdHlDcmVkZW50aWFsIiwiY25mIjp7Imp3ayI6eyJrdHkiOiJPS1AiLCJjcnYiOiJFZDI1NTE5IiwieCI6Im9FTlZzeE9VaUg1NFg4d0pMYVZraWNDUmswMHdCSVE0c1JnYms1NE44TW8ifX0sImlzcyI6ImRpZDprZXk6ejZNa3RxdFhORzhDRFVZOVBycnRvU3RGemVDbmhwTW1neFlMMWdpa2NXM0J6dk5XIiwiaWF0IjoxNjk4MTUxNTMyLCJfc2RfYWxnIjoic2hhLTI1NiIsIl9zZCI6WyJ2Y3ZGVTREc0ZLVHFRMXZsNG5lbEpXWFRiXy0wZE5vQmtzNmlxTkZwdHlnIl19.G5jb2P0z-9H-AsEGBbJmGk9VUTPJJ_bkVE95oKDu4YmilmQuvCritpOoK5nt9n4Bg_3v23ywagHHOnGTBCtQCQ~WyJzYWx0IiwiY2xhaW0iLCJzb21lLWNsYWltIl0~' - -export const sdJwtVcWithSingleDisclosurePresentation = - 'eyJhbGciOiJFZERTQSIsInR5cCI6InZjK3NkLWp3dCIsImtpZCI6Ino2TWt0cXRYTkc4Q0RVWTlQcnJ0b1N0RnplQ25ocE1tZ3hZTDFnaWtjVzNCenZOVyJ9.eyJ0eXBlIjoiSWRlbnRpdHlDcmVkZW50aWFsIiwiY25mIjp7Imp3ayI6eyJrdHkiOiJPS1AiLCJjcnYiOiJFZDI1NTE5IiwieCI6Im9FTlZzeE9VaUg1NFg4d0pMYVZraWNDUmswMHdCSVE0c1JnYms1NE44TW8ifX0sImlzcyI6ImRpZDprZXk6ejZNa3RxdFhORzhDRFVZOVBycnRvU3RGemVDbmhwTW1neFlMMWdpa2NXM0J6dk5XIiwiaWF0IjoxNjk4MTUxNTMyLCJfc2RfYWxnIjoic2hhLTI1NiIsIl9zZCI6WyJ2Y3ZGVTREc0ZLVHFRMXZsNG5lbEpXWFRiXy0wZE5vQmtzNmlxTkZwdHlnIl19.G5jb2P0z-9H-AsEGBbJmGk9VUTPJJ_bkVE95oKDu4YmilmQuvCritpOoK5nt9n4Bg_3v23ywagHHOnGTBCtQCQ~WyJzYWx0IiwiY2xhaW0iLCJzb21lLWNsYWltIl0~eyJhbGciOiJFZERTQSIsInR5cCI6ImtiK2p3dCJ9.eyJpYXQiOjE2OTgxNTE1MzIsIm5vbmNlIjoic2FsdCIsImF1ZCI6ImRpZDprZXk6elVDNzRWRXFxaEVIUWNndjR6YWdTUGtxRkp4dU5XdW9CUEtqSnVIRVRFVWVITG9TcVd0OTJ2aVNzbWFXank4MnkifQ.VdZSnQJ5sklqMPnIzaOaGxP2qPiEPniTaUFHy4VMcW9h9pV1c17fcuTySJtmV2tcpKhei4ss04q_rFyN1EVRDg' - -export const complexSdJwtVc = - 'eyJhbGciOiJFZERTQSIsInR5cCI6InZjK3NkLWp3dCIsImtpZCI6Ino2TWt0cXRYTkc4Q0RVWTlQcnJ0b1N0RnplQ25ocE1tZ3hZTDFnaWtjVzNCenZOVyJ9.eyJ0eXBlIjoiSWRlbnRpdHlDcmVkZW50aWFsIiwiZmFtaWx5X25hbWUiOiJEb2UiLCJwaG9uZV9udW1iZXIiOiIrMS0yMDItNTU1LTAxMDEiLCJhZGRyZXNzIjp7InN0cmVldF9hZGRyZXNzIjoiMTIzIE1haW4gU3QiLCJsb2NhbGl0eSI6IkFueXRvd24iLCJfc2QiOlsiTkpubWN0MEJxQk1FMUpmQmxDNmpSUVZSdWV2cEVPTmlZdzdBN01IdUp5USIsIm9tNVp6dFpIQi1HZDAwTEcyMUNWX3hNNEZhRU5Tb2lhT1huVEFKTmN6QjQiXX0sImNuZiI6eyJqd2siOnsia3R5IjoiT0tQIiwiY3J2IjoiRWQyNTUxOSIsIngiOiJvRU5Wc3hPVWlINTRYOHdKTGFWa2ljQ1JrMDB3QklRNHNSZ2JrNTROOE1vIn19LCJpc3MiOiJkaWQ6a2V5Ono2TWt0cXRYTkc4Q0RVWTlQcnJ0b1N0RnplQ25ocE1tZ3hZTDFnaWtjVzNCenZOVyIsImlhdCI6MTY5ODE1MTUzMiwiX3NkX2FsZyI6InNoYS0yNTYiLCJfc2QiOlsiMUN1cjJrMkEyb0lCNUNzaFNJZl9BX0tnLWwyNnVfcUt1V1E3OVAwVmRhcyIsIlIxelRVdk9ZSGdjZXBqMGpIeXBHSHo5RUh0dFZLZnQweXN3YmM5RVRQYlUiLCJlRHFRcGRUWEpYYldoZi1Fc0k3enc1WDZPdlltRk4tVVpRUU1lc1h3S1B3IiwicGREazJfWEFLSG83Z09BZndGMWI3T2RDVVZUaXQya0pIYXhTRUNROXhmYyIsInBzYXVLVU5XRWkwOW51M0NsODl4S1hnbXBXRU5abDV1eTFOMW55bl9qTWsiLCJzTl9nZTBwSFhGNnFtc1luWDFBOVNkd0o4Y2g4YUVOa3hiT0RzVDc0WXdJIl19.LcCXQx4IEnA_JWK_fLD08xXL0RWO796UuiN8YL9CU4zy_MT-LTvWJa1WNoBBeoHLcKI6NlLbXHExGU7sbG1oDw~WyJzYWx0IiwiaXNfb3Zlcl82NSIsdHJ1ZV0~WyJzYWx0IiwiaXNfb3Zlcl8yMSIsdHJ1ZV0~WyJzYWx0IiwiaXNfb3Zlcl8xOCIsdHJ1ZV0~WyJzYWx0IiwiYmlydGhkYXRlIiwiMTk0MC0wMS0wMSJd~WyJzYWx0IiwiZW1haWwiLCJqb2huZG9lQGV4YW1wbGUuY29tIl0~WyJzYWx0IiwicmVnaW9uIiwiQW55c3RhdGUiXQ~WyJzYWx0IiwiY291bnRyeSIsIlVTIl0~WyJzYWx0IiwiZ2l2ZW5fbmFtZSIsIkpvaG4iXQ~' - -export const complexSdJwtVcPresentation = - 'eyJhbGciOiJFZERTQSIsInR5cCI6InZjK3NkLWp3dCIsImtpZCI6Ino2TWt0cXRYTkc4Q0RVWTlQcnJ0b1N0RnplQ25ocE1tZ3hZTDFnaWtjVzNCenZOVyJ9.eyJ0eXBlIjoiSWRlbnRpdHlDcmVkZW50aWFsIiwiZmFtaWx5X25hbWUiOiJEb2UiLCJwaG9uZV9udW1iZXIiOiIrMS0yMDItNTU1LTAxMDEiLCJhZGRyZXNzIjp7InN0cmVldF9hZGRyZXNzIjoiMTIzIE1haW4gU3QiLCJsb2NhbGl0eSI6IkFueXRvd24iLCJfc2QiOlsiTkpubWN0MEJxQk1FMUpmQmxDNmpSUVZSdWV2cEVPTmlZdzdBN01IdUp5USIsIm9tNVp6dFpIQi1HZDAwTEcyMUNWX3hNNEZhRU5Tb2lhT1huVEFKTmN6QjQiXX0sImNuZiI6eyJqd2siOnsia3R5IjoiT0tQIiwiY3J2IjoiRWQyNTUxOSIsIngiOiJvRU5Wc3hPVWlINTRYOHdKTGFWa2ljQ1JrMDB3QklRNHNSZ2JrNTROOE1vIn19LCJpc3MiOiJkaWQ6a2V5Ono2TWt0cXRYTkc4Q0RVWTlQcnJ0b1N0RnplQ25ocE1tZ3hZTDFnaWtjVzNCenZOVyIsImlhdCI6MTY5ODE1MTUzMiwiX3NkX2FsZyI6InNoYS0yNTYiLCJfc2QiOlsiMUN1cjJrMkEyb0lCNUNzaFNJZl9BX0tnLWwyNnVfcUt1V1E3OVAwVmRhcyIsIlIxelRVdk9ZSGdjZXBqMGpIeXBHSHo5RUh0dFZLZnQweXN3YmM5RVRQYlUiLCJlRHFRcGRUWEpYYldoZi1Fc0k3enc1WDZPdlltRk4tVVpRUU1lc1h3S1B3IiwicGREazJfWEFLSG83Z09BZndGMWI3T2RDVVZUaXQya0pIYXhTRUNROXhmYyIsInBzYXVLVU5XRWkwOW51M0NsODl4S1hnbXBXRU5abDV1eTFOMW55bl9qTWsiLCJzTl9nZTBwSFhGNnFtc1luWDFBOVNkd0o4Y2g4YUVOa3hiT0RzVDc0WXdJIl19.LcCXQx4IEnA_JWK_fLD08xXL0RWO796UuiN8YL9CU4zy_MT-LTvWJa1WNoBBeoHLcKI6NlLbXHExGU7sbG1oDw~WyJzYWx0IiwiaXNfb3Zlcl82NSIsdHJ1ZV0~WyJzYWx0IiwiaXNfb3Zlcl8yMSIsdHJ1ZV0~WyJzYWx0IiwiZW1haWwiLCJqb2huZG9lQGV4YW1wbGUuY29tIl0~WyJzYWx0IiwiY291bnRyeSIsIlVTIl0~WyJzYWx0IiwiZ2l2ZW5fbmFtZSIsIkpvaG4iXQ~eyJhbGciOiJFZERTQSIsInR5cCI6ImtiK2p3dCJ9.eyJpYXQiOjE2OTgxNTE1MzIsIm5vbmNlIjoic2FsdCIsImF1ZCI6ImRpZDprZXk6elVDNzRWRXFxaEVIUWNndjR6YWdTUGtxRkp4dU5XdW9CUEtqSnVIRVRFVWVITG9TcVd0OTJ2aVNzbWFXank4MnkifQ.VdZSnQJ5sklqMPnIzaOaGxP2qPiEPniTaUFHy4VMcW9h9pV1c17fcuTySJtmV2tcpKhei4ss04q_rFyN1EVRDg' diff --git a/packages/sd-jwt-vc/src/repository/SdJwtVcRecord.ts b/packages/sd-jwt-vc/src/repository/SdJwtVcRecord.ts deleted file mode 100644 index 0075850113..0000000000 --- a/packages/sd-jwt-vc/src/repository/SdJwtVcRecord.ts +++ /dev/null @@ -1,97 +0,0 @@ -import type { TagsBase, Constructable } from '@aries-framework/core' -import type { DisclosureItem, HasherAndAlgorithm } from 'jwt-sd' - -import { JsonTransformer, Hasher, TypedArrayEncoder, BaseRecord, utils } from '@aries-framework/core' -import { Disclosure, HasherAlgorithm, SdJwtVc } from 'jwt-sd' - -export type SdJwtVcRecordTags = TagsBase & { - disclosureKeys?: Array -} - -export type SdJwt< - Header extends Record = Record, - Payload extends Record = Record -> = { - disclosures?: Array - header: Header - payload: Payload - signature: Uint8Array - - holderDidUrl: string -} - -export type SdJwtVcRecordStorageProps< - Header extends Record = Record, - Payload extends Record = Record -> = { - id?: string - createdAt?: Date - tags?: SdJwtVcRecordTags - sdJwtVc: SdJwt -} - -export class SdJwtVcRecord< - Header extends Record = Record, - Payload extends Record = Record -> extends BaseRecord { - public static readonly type = 'SdJwtVcRecord' - public readonly type = SdJwtVcRecord.type - - public sdJwtVc!: SdJwt - - public constructor(props: SdJwtVcRecordStorageProps) { - super() - - if (props) { - this.id = props.id ?? utils.uuid() - this.createdAt = props.createdAt ?? new Date() - this.sdJwtVc = props.sdJwtVc - this._tags = props.tags ?? {} - } - } - - private get hasher(): HasherAndAlgorithm { - return { - algorithm: HasherAlgorithm.Sha256, - hasher: (input: string) => { - const serializedInput = TypedArrayEncoder.fromString(input) - return Hasher.hash(serializedInput, 'sha2-256') - }, - } - } - - /** - * This function gets the claims from the payload and combines them with the claims in the disclosures. - * - * This can be used to display all claims included in the `sd-jwt-vc` to the holder or verifier. - */ - public async getPrettyClaims | Payload = Payload>(): Promise { - const sdJwtVc = new SdJwtVc({ - header: this.sdJwtVc.header, - payload: this.sdJwtVc.payload, - disclosures: this.sdJwtVc.disclosures?.map(Disclosure.fromArray), - }).withHasher(this.hasher) - - // Assert that we only support `sha-256` as a hashing algorithm - if ('_sd_alg' in this.sdJwtVc.payload) { - sdJwtVc.assertClaimInPayload('_sd_alg', HasherAlgorithm.Sha256.toString()) - } - - return await sdJwtVc.getPrettyClaims() - } - - public getTags() { - const disclosureKeys = this.sdJwtVc.disclosures - ?.filter((d): d is [string, string, unknown] => d.length === 3) - .map((d) => d[1]) - - return { - ...this._tags, - disclosureKeys, - } - } - - public clone(): this { - return JsonTransformer.fromJSON(JsonTransformer.toJSON(this), this.constructor as Constructable) - } -} diff --git a/packages/sd-jwt-vc/src/repository/__tests__/SdJwtVcRecord.test.ts b/packages/sd-jwt-vc/src/repository/__tests__/SdJwtVcRecord.test.ts deleted file mode 100644 index 5033a32974..0000000000 --- a/packages/sd-jwt-vc/src/repository/__tests__/SdJwtVcRecord.test.ts +++ /dev/null @@ -1,121 +0,0 @@ -import { JsonTransformer } from '@aries-framework/core' -import { SdJwtVc, SignatureAndEncryptionAlgorithm } from 'jwt-sd' - -import { SdJwtVcRecord } from '../SdJwtVcRecord' - -describe('SdJwtVcRecord', () => { - const holderDidUrl = 'did:key:zUC74VEqqhEHQcgv4zagSPkqFJxuNWuoBPKjJuHETEUeHLoSqWt92viSsmaWjy82y' - - test('sets the values passed in the constructor on the record', () => { - const createdAt = new Date() - const sdJwtVcRecord = new SdJwtVcRecord({ - id: 'sdjwt-id', - createdAt, - tags: { - some: 'tag', - }, - sdJwtVc: { - header: { alg: SignatureAndEncryptionAlgorithm.EdDSA }, - payload: { iss: 'did:key:123' }, - signature: new Uint8Array(32).fill(42), - holderDidUrl, - }, - }) - - expect(sdJwtVcRecord.type).toBe('SdJwtVcRecord') - expect(sdJwtVcRecord.id).toBe('sdjwt-id') - expect(sdJwtVcRecord.createdAt).toBe(createdAt) - expect(sdJwtVcRecord.getTags()).toEqual({ - some: 'tag', - }) - expect(sdJwtVcRecord.sdJwtVc).toEqual({ - header: { alg: SignatureAndEncryptionAlgorithm.EdDSA }, - payload: { iss: 'did:key:123' }, - signature: new Uint8Array(32).fill(42), - holderDidUrl, - }) - }) - - test('serializes and deserializes', () => { - const createdAt = new Date('2022-02-02') - const sdJwtVcRecord = new SdJwtVcRecord({ - id: 'sdjwt-id', - createdAt, - tags: { - some: 'tag', - }, - sdJwtVc: { - header: { alg: SignatureAndEncryptionAlgorithm.EdDSA }, - payload: { iss: 'did:key:123' }, - signature: new Uint8Array(32).fill(42), - holderDidUrl, - }, - }) - - const json = sdJwtVcRecord.toJSON() - expect(json).toMatchObject({ - id: 'sdjwt-id', - createdAt: '2022-02-02T00:00:00.000Z', - metadata: {}, - _tags: { - some: 'tag', - }, - sdJwtVc: { - header: { alg: SignatureAndEncryptionAlgorithm.EdDSA }, - payload: { iss: 'did:key:123' }, - signature: new Uint8Array(32).fill(42), - }, - }) - - const instance = JsonTransformer.fromJSON(json, SdJwtVcRecord) - - expect(instance.type).toBe('SdJwtVcRecord') - expect(instance.id).toBe('sdjwt-id') - expect(instance.createdAt.getTime()).toBe(createdAt.getTime()) - expect(instance.getTags()).toEqual({ - some: 'tag', - }) - expect(instance.sdJwtVc).toMatchObject({ - header: { alg: SignatureAndEncryptionAlgorithm.EdDSA }, - payload: { iss: 'did:key:123' }, - signature: new Uint8Array(32).fill(42), - }) - }) - - test('Get the pretty claims', async () => { - const compactSdJwtVc = - 'eyJhbGciOiJFZERTQSIsInR5cCI6InZjK3NkLWp3dCJ9.eyJ0eXBlIjoiSWRlbnRpdHlDcmVkZW50aWFsIiwiY25mIjp7Imp3ayI6eyJrdHkiOiJPS1AiLCJjcnYiOiJFZDI1NTE5IiwieCI6IlVXM3ZWRWp3UmYwSWt0Sm9jdktSbUdIekhmV0FMdF9YMkswd3ZsdVpJU3MifX0sImlzcyI6ImRpZDprZXk6MTIzIiwiaWF0IjoxNjk4MTUxNTMyLCJfc2RfYWxnIjoic2hhLTI1NiIsIl9zZCI6WyJ2Y3ZGVTREc0ZLVHFRMXZsNG5lbEpXWFRiXy0wZE5vQmtzNmlxTkZwdHlnIl19.IW6PaMTtxMNvqwrRac5nh7L9_ie4r-PUDL6Gqoey2O3axTm6RBrUv0ETLbdgALK6tU_HoIDuNE66DVrISQXaCw~WyJzYWx0IiwiY2xhaW0iLCJzb21lLWNsYWltIl0~' - - const sdJwtVc = SdJwtVc.fromCompact(compactSdJwtVc) - - const sdJwtVcRecord = new SdJwtVcRecord({ - tags: { - some: 'tag', - }, - sdJwtVc: { - header: sdJwtVc.header, - payload: sdJwtVc.payload, - // eslint-disable-next-line @typescript-eslint/no-non-null-assertion - signature: sdJwtVc.signature!, - disclosures: sdJwtVc.disclosures?.map((d) => d.decoded), - holderDidUrl, - }, - }) - - const prettyClaims = await sdJwtVcRecord.getPrettyClaims() - - expect(prettyClaims).toEqual({ - type: 'IdentityCredential', - cnf: { - jwk: { - kty: 'OKP', - crv: 'Ed25519', - x: 'UW3vVEjwRf0IktJocvKRmGHzHfWALt_X2K0wvluZISs', - }, - }, - iss: 'did:key:123', - iat: 1698151532, - claim: 'some-claim', - }) - }) -}) diff --git a/packages/sd-jwt-vc/tests/sdJwtVc.e2e.test.ts b/packages/sd-jwt-vc/tests/sdJwtVc.e2e.test.ts deleted file mode 100644 index 9db27d97fe..0000000000 --- a/packages/sd-jwt-vc/tests/sdJwtVc.e2e.test.ts +++ /dev/null @@ -1,144 +0,0 @@ -import type { Key } from '@aries-framework/core' - -import { AskarModule } from '@aries-framework/askar' -import { - Agent, - DidKey, - DidsModule, - KeyDidRegistrar, - KeyDidResolver, - KeyType, - TypedArrayEncoder, - utils, -} from '@aries-framework/core' -import { ariesAskar } from '@hyperledger/aries-askar-nodejs' - -import { agentDependencies } from '../../core/tests' -import { SdJwtVcModule } from '../src' - -const getAgent = (label: string) => - new Agent({ - config: { label, walletConfig: { id: utils.uuid(), key: utils.uuid() } }, - modules: { - sdJwt: new SdJwtVcModule(), - askar: new AskarModule({ ariesAskar }), - dids: new DidsModule({ - resolvers: [new KeyDidResolver()], - registrars: [new KeyDidRegistrar()], - }), - }, - dependencies: agentDependencies, - }) - -describe('sd-jwt-vc end to end test', () => { - const issuer = getAgent('sdjwtvcissueragent') - let issuerKey: Key - let issuerDidUrl: string - - const holder = getAgent('sdjwtvcholderagent') - let holderKey: Key - let holderDidUrl: string - - const verifier = getAgent('sdjwtvcverifieragent') - const verifierDid = 'did:key:zUC74VEqqhEHQcgv4zagSPkqFJxuNWuoBPKjJuHETEUeHLoSqWt92viSsmaWjy82y' - - beforeAll(async () => { - await issuer.initialize() - issuerKey = await issuer.context.wallet.createKey({ - keyType: KeyType.Ed25519, - seed: TypedArrayEncoder.fromString('00000000000000000000000000000000'), - }) - - const issuerDidKey = new DidKey(issuerKey) - const issuerDidDocument = issuerDidKey.didDocument - issuerDidUrl = (issuerDidDocument.verificationMethod ?? [])[0].id - await issuer.dids.import({ didDocument: issuerDidDocument, did: issuerDidDocument.id }) - - await holder.initialize() - holderKey = await holder.context.wallet.createKey({ - keyType: KeyType.Ed25519, - seed: TypedArrayEncoder.fromString('00000000000000000000000000000001'), - }) - - const holderDidKey = new DidKey(holderKey) - const holderDidDocument = holderDidKey.didDocument - holderDidUrl = (holderDidDocument.verificationMethod ?? [])[0].id - await holder.dids.import({ didDocument: holderDidDocument, did: holderDidDocument.id }) - - await verifier.initialize() - }) - - test('end to end flow', async () => { - const credential = { - type: 'IdentityCredential', - given_name: 'John', - family_name: 'Doe', - email: 'johndoe@example.com', - phone_number: '+1-202-555-0101', - address: { - street_address: '123 Main St', - locality: 'Anytown', - region: 'Anystate', - country: 'US', - }, - birthdate: '1940-01-01', - is_over_18: true, - is_over_21: true, - is_over_65: true, - } - - const { compact } = await issuer.modules.sdJwt.create(credential, { - holderDidUrl, - issuerDidUrl, - disclosureFrame: { - is_over_65: true, - is_over_21: true, - is_over_18: true, - birthdate: true, - email: true, - address: { country: true, region: true, locality: true, __decoyCount: 2, street_address: true }, - __decoyCount: 2, - given_name: true, - family_name: true, - phone_number: true, - }, - }) - - const sdJwtVcRecord = await holder.modules.sdJwt.storeCredential(compact, { issuerDidUrl, holderDidUrl }) - - // Metadata created by the verifier and send out of band by the verifier to the holder - const verifierMetadata = { - verifierDid, - issuedAt: new Date().getTime() / 1000, - nonce: await verifier.wallet.generateNonce(), - } - - const presentation = await holder.modules.sdJwt.present(sdJwtVcRecord, { - verifierMetadata, - includedDisclosureIndices: [0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11], - }) - - const { - validation: { isValid }, - } = await verifier.modules.sdJwt.verify(presentation, { - holderDidUrl, - challenge: { verifierDid }, - requiredClaimKeys: [ - 'is_over_65', - 'is_over_21', - 'is_over_18', - 'birthdate', - 'email', - 'country', - 'region', - 'locality', - 'street_address', - 'given_name', - 'family_name', - 'phone_number', - ], - }) - - expect(isValid).toBeTruthy() - }) -}) diff --git a/packages/sd-jwt-vc/tests/setup.ts b/packages/sd-jwt-vc/tests/setup.ts deleted file mode 100644 index 78143033f2..0000000000 --- a/packages/sd-jwt-vc/tests/setup.ts +++ /dev/null @@ -1,3 +0,0 @@ -import 'reflect-metadata' - -jest.setTimeout(120000) diff --git a/packages/sd-jwt-vc/tsconfig.build.json b/packages/sd-jwt-vc/tsconfig.build.json deleted file mode 100644 index 2b75d0adab..0000000000 --- a/packages/sd-jwt-vc/tsconfig.build.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "extends": "../../tsconfig.build.json", - "compilerOptions": { - "outDir": "./build" - }, - "include": ["src/**/*"] -} diff --git a/packages/sd-jwt-vc/tsconfig.json b/packages/sd-jwt-vc/tsconfig.json deleted file mode 100644 index 46efe6f721..0000000000 --- a/packages/sd-jwt-vc/tsconfig.json +++ /dev/null @@ -1,6 +0,0 @@ -{ - "extends": "../../tsconfig.json", - "compilerOptions": { - "types": ["jest"] - } -} diff --git a/packages/tenants/src/TenantsApi.ts b/packages/tenants/src/TenantsApi.ts index e29b487b14..b16d02e17b 100644 --- a/packages/tenants/src/TenantsApi.ts +++ b/packages/tenants/src/TenantsApi.ts @@ -1,5 +1,6 @@ import type { CreateTenantOptions, GetTenantAgentOptions, WithTenantAgentCallback } from './TenantsApiOptions' -import type { DefaultAgentModules, ModulesMap } from '@aries-framework/core' +import type { TenantRecord } from './repository' +import type { DefaultAgentModules, ModulesMap, Query } from '@aries-framework/core' import { AgentContext, inject, InjectionSymbols, AgentContextProvider, injectable, Logger } from '@aries-framework/core' @@ -8,19 +9,19 @@ import { TenantRecordService } from './services' @injectable() export class TenantsApi { - private agentContext: AgentContext + public readonly rootAgentContext: AgentContext private tenantRecordService: TenantRecordService private agentContextProvider: AgentContextProvider private logger: Logger public constructor( tenantRecordService: TenantRecordService, - agentContext: AgentContext, + rootAgentContext: AgentContext, @inject(InjectionSymbols.AgentContextProvider) agentContextProvider: AgentContextProvider, @inject(InjectionSymbols.Logger) logger: Logger ) { this.tenantRecordService = tenantRecordService - this.agentContext = agentContext + this.rootAgentContext = rootAgentContext this.agentContextProvider = agentContextProvider this.logger = logger } @@ -58,7 +59,7 @@ export class TenantsApi { public async createTenant(options: CreateTenantOptions) { this.logger.debug(`Creating tenant with label ${options.config.label}`) - const tenantRecord = await this.tenantRecordService.createTenant(this.agentContext, options.config) + const tenantRecord = await this.tenantRecordService.createTenant(this.rootAgentContext, options.config) // This initializes the tenant agent, creates the wallet etc... const tenantAgent = await this.getTenantAgent({ tenantId: tenantRecord.id }) @@ -71,7 +72,7 @@ export class TenantsApi { public async getTenantById(tenantId: string) { this.logger.debug(`Getting tenant by id '${tenantId}'`) - return this.tenantRecordService.getTenantById(this.agentContext, tenantId) + return this.tenantRecordService.getTenantById(this.rootAgentContext, tenantId) } public async deleteTenantById(tenantId: string) { @@ -84,6 +85,14 @@ export class TenantsApi { this.logger.trace(`Shutting down agent for tenant '${tenantId}'`) await tenantAgent.endSession() - return this.tenantRecordService.deleteTenantById(this.agentContext, tenantId) + return this.tenantRecordService.deleteTenantById(this.rootAgentContext, tenantId) + } + + public async updateTenant(tenant: TenantRecord) { + await this.tenantRecordService.updateTenant(this.rootAgentContext, tenant) + } + + public async findTenantsByQuery(query: Query) { + return this.tenantRecordService.findTenantsByQuery(this.rootAgentContext, query) } } diff --git a/packages/tenants/src/services/TenantRecordService.ts b/packages/tenants/src/services/TenantRecordService.ts index 3b690d7c3c..460add6e98 100644 --- a/packages/tenants/src/services/TenantRecordService.ts +++ b/packages/tenants/src/services/TenantRecordService.ts @@ -1,5 +1,5 @@ import type { TenantConfig } from '../models/TenantConfig' -import type { AgentContext, Key } from '@aries-framework/core' +import type { AgentContext, Key, Query } from '@aries-framework/core' import { injectable, utils, KeyDerivationMethod } from '@aries-framework/core' @@ -60,6 +60,14 @@ export class TenantRecordService { await this.tenantRepository.delete(agentContext, tenantRecord) } + public async updateTenant(agentContext: AgentContext, tenantRecord: TenantRecord) { + return this.tenantRepository.update(agentContext, tenantRecord) + } + + public async findTenantsByQuery(agentContext: AgentContext, query: Query) { + return this.tenantRepository.findByQuery(agentContext, query) + } + public async findTenantRoutingRecordByRecipientKey( agentContext: AgentContext, recipientKey: Key diff --git a/tsconfig.eslint.json b/tsconfig.eslint.json index 32670107d7..a8f908a24d 100644 --- a/tsconfig.eslint.json +++ b/tsconfig.eslint.json @@ -16,6 +16,7 @@ "tests", "samples", "demo", + "demo-openid", "scripts" ], "exclude": ["node_modules", "build"] diff --git a/tsconfig.test.json b/tsconfig.test.json index 096b728637..b39f15bce9 100644 --- a/tsconfig.test.json +++ b/tsconfig.test.json @@ -4,12 +4,15 @@ "require": ["tsconfig-paths/register"] }, "compilerOptions": { + // Needed because of type-issued in sphereon siop-oid4vp lib + // https://github.com/Sphereon-Opensource/SIOP-OID4VP/pull/71#issuecomment-1913552869 + "skipLibCheck": true, "baseUrl": ".", "paths": { "@aries-framework/*": ["packages/*/src"] }, "types": ["jest", "node"] }, - "include": ["tests", "samples", "demo", "packages/core/types/jest.d.ts"], + "include": ["tests", "samples", "demo", "demo-openid", "packages/core/types/jest.d.ts"], "exclude": ["node_modules", "build", "**/build/**"] } diff --git a/yarn.lock b/yarn.lock index e6a6a40e34..0460bc2a93 100644 --- a/yarn.lock +++ b/yarn.lock @@ -1212,7 +1212,7 @@ resolved "https://registry.yarnpkg.com/@hutson/parse-repository-url/-/parse-repository-url-3.0.2.tgz#98c23c950a3d9b6c8f0daed06da6c3af06981340" integrity sha512-H9XAx3hc0BQHY6l+IFSWHDySypcXsvsuLhgYLUGywmJ5pswRVQJUHpOsobnLYp2ZUaUlKiKDrgWWhosOwAEM8Q== -"@hyperledger/anoncreds-nodejs@^0.2.0-dev.5": +"@hyperledger/anoncreds-nodejs@^0.2.0-dev.4", "@hyperledger/anoncreds-nodejs@^0.2.0-dev.5": version "0.2.0-dev.5" resolved "https://registry.yarnpkg.com/@hyperledger/anoncreds-nodejs/-/anoncreds-nodejs-0.2.0-dev.5.tgz#6464de1220d22b3a6db68286ba9c970f6f441adb" integrity sha512-8Comk3hx1xqcsbmS3xRtm5XS8XKymAsNM7dQ3UQeirtBkiAl1AzexraTLq/tAer6Cnmo/UpnhbEjbnJCyp8V3g== @@ -1229,7 +1229,7 @@ resolved "https://registry.yarnpkg.com/@hyperledger/anoncreds-shared/-/anoncreds-shared-0.2.0-dev.5.tgz#1d6da9db5cc16ba8766fb4db1166dbe5af63e96e" integrity sha512-YtVju8WBKj3tdZbPWGjwdx7jkE5ePPfspPCvbcjIia00CWPES7UUkfjn8NVk82rq/Gi7IoWR3Jdpfv8rPe0fEA== -"@hyperledger/aries-askar-nodejs@^0.2.0-dev.5": +"@hyperledger/aries-askar-nodejs@^0.2.0-dev.1", "@hyperledger/aries-askar-nodejs@^0.2.0-dev.5": version "0.2.0-dev.5" resolved "https://registry.yarnpkg.com/@hyperledger/aries-askar-nodejs/-/aries-askar-nodejs-0.2.0-dev.5.tgz#e831648d75ebde8e3f583e531710a21b08252f8d" integrity sha512-C/17MpOP5jZdIHEAUnkQ0DymiQAPFACiw1tmBFOVhHTF7PZDtSXzzp+orewaKsXcFL5Qc1FoEyves5ougftAbw== @@ -2518,6 +2518,45 @@ resolved "https://registry.yarnpkg.com/@react-native/polyfills/-/polyfills-2.0.0.tgz#4c40b74655c83982c8cf47530ee7dc13d957b6aa" integrity sha512-K0aGNn1TjalKj+65D7ycc1//H9roAQ51GJVk5ZJQFb2teECGmzd86bYDC0aYdbRf7gtovescq4Zt6FR0tgXiHQ== +"@sd-jwt/core@^0.2.0": + version "0.2.0" + resolved "https://registry.yarnpkg.com/@sd-jwt/core/-/core-0.2.0.tgz#e06736ff4920570660fce4e040fe40e900c7fcfa" + integrity sha512-KxsJm/NAvKkbqOXaIq7Pndn70++bm8QNzzBh1KOwhlRub7LVrqeEkie/wrI/sAH+S+5exG0HTbY95F86nHiq7Q== + dependencies: + "@sd-jwt/decode" "0.2.0" + "@sd-jwt/present" "0.2.0" + "@sd-jwt/types" "0.2.0" + "@sd-jwt/utils" "0.2.0" + +"@sd-jwt/decode@0.2.0", "@sd-jwt/decode@^0.2.0": + version "0.2.0" + resolved "https://registry.yarnpkg.com/@sd-jwt/decode/-/decode-0.2.0.tgz#44211418fd0884a160f8223feedfe04ae52398c4" + integrity sha512-nmiZN3SQ4ApapEu+rS1h/YAkDIq3exgN7swSCsEkrxSEwnBSbXtISIY/sv+EmwnehF1rcKbivHfHNxOWYtlxvg== + dependencies: + "@sd-jwt/types" "0.2.0" + "@sd-jwt/utils" "0.2.0" + +"@sd-jwt/present@0.2.0", "@sd-jwt/present@^0.2.0": + version "0.2.0" + resolved "https://registry.yarnpkg.com/@sd-jwt/present/-/present-0.2.0.tgz#01ecbd09dd21287be892b36d754a79c8629387f2" + integrity sha512-6xDBiB+UqCwW8k7O7OUJ7BgC/8zcO+AD5ZX1k4I6yjDM9vscgPulSVxT/yUH+Aov3cZ/BKvfKC0qDEZkHmP/kg== + dependencies: + "@sd-jwt/types" "0.2.0" + "@sd-jwt/utils" "0.2.0" + +"@sd-jwt/types@0.2.0": + version "0.2.0" + resolved "https://registry.yarnpkg.com/@sd-jwt/types/-/types-0.2.0.tgz#3cb50392e1b76ce69453f403c71c937a6e202352" + integrity sha512-16WFRcL/maG0/JxN9UCSx07/vJ2SDbGscv9gDLmFLgJzhJcGPer41XfI6aDfVARYP430wHFixChfY/n7qC1L/Q== + +"@sd-jwt/utils@0.2.0", "@sd-jwt/utils@^0.2.0": + version "0.2.0" + resolved "https://registry.yarnpkg.com/@sd-jwt/utils/-/utils-0.2.0.tgz#ef52b744116e874f72ec01978f0631ad5a131eb7" + integrity sha512-oHCfRYVHCb5RNwdq3eHAt7P9d7TsEaSM1TTux+xl1I9PeQGLtZETnto9Gchtzn8FlTrMdVsLlcuAcK6Viwj1Qw== + dependencies: + "@sd-jwt/types" "0.2.0" + buffer "*" + "@sideway/address@^4.1.3": version "4.1.4" resolved "https://registry.yarnpkg.com/@sideway/address/-/address-4.1.4.tgz#03dccebc6ea47fdc226f7d3d1ad512955d4783f0" @@ -2569,40 +2608,92 @@ resolved "https://registry.yarnpkg.com/@sovpro/delimited-stream/-/delimited-stream-1.1.0.tgz#4334bba7ee241036e580fdd99c019377630d26b4" integrity sha512-kQpk267uxB19X3X2T1mvNMjyvIEonpNSHrMlK5ZaBU6aZxw7wPbpgKJOjHN3+/GPVpXgAV9soVT2oyHpLkLtyw== -"@sphereon/openid4vci-client@^0.4.0": - version "0.4.0" - resolved "https://registry.yarnpkg.com/@sphereon/openid4vci-client/-/openid4vci-client-0.4.0.tgz#f48c2bb42041b9eab13669de23ba917785c83b24" - integrity sha512-N9ytyV3DHAjBjd67jMowmBMmD9/4Sxkehsrpd1I9Hxg5TO1K+puUPsPXj8Zh4heIWSzT5xBsGTSqXdF0LlrDwQ== +"@sphereon/did-auth-siop@0.6.0-unstable.3": + version "0.6.0-unstable.3" + resolved "https://registry.yarnpkg.com/@sphereon/did-auth-siop/-/did-auth-siop-0.6.0-unstable.3.tgz#705dfd17210846b382f3116a92d9d2e7242b93e3" + integrity sha512-0d2A3EPsywkHw5zfR3JWu0sjy3FACtpAlnWabol/5C8/C1Ys1hCk+X995aADqs8DRtdVFX8TFJkCMshp7pLyEg== dependencies: - "@sphereon/ssi-types" "^0.9.0" - cross-fetch "^3.1.5" - debug "^4.3.4" + "@astronautlabs/jsonpath" "^1.1.2" + "@sphereon/did-uni-client" "^0.6.1" + "@sphereon/pex" "^3.0.1" + "@sphereon/pex-models" "^2.1.5" + "@sphereon/ssi-types" "0.18.1" + "@sphereon/wellknown-dids-client" "^0.1.3" + cross-fetch "^4.0.0" + did-jwt "6.11.6" + did-resolver "^4.1.0" + events "^3.3.0" + language-tags "^1.0.9" + multiformats "^11.0.2" + qs "^6.11.2" + sha.js "^2.4.11" uint8arrays "^3.1.1" + uuid "^9.0.0" -"@sphereon/pex-models@^2.1.2": - version "2.1.2" - resolved "https://registry.yarnpkg.com/@sphereon/pex-models/-/pex-models-2.1.2.tgz#e1a0ce16ccc6b32128fc8c2da79d65fc35f6d10f" - integrity sha512-Ec1qZl8tuPd+s6E+ZM7v+HkGkSOjGDMLNN1kqaxAfWpITBYtTLb+d5YvwjvBZ1P2upZ7zwNER97FfW5n/30y2w== +"@sphereon/did-uni-client@^0.6.1": + version "0.6.1" + resolved "https://registry.yarnpkg.com/@sphereon/did-uni-client/-/did-uni-client-0.6.1.tgz#5fe7fa2b87c22f939c95d388b6fcf9e6e93c70a8" + integrity sha512-ryIPq9fAp8UuaN0ZQ16Gong5n5SX8G+SjNQ3x3Uy/pmd6syxh97kkmrfbna7a8dTmbP8YdNtgPLpcNbhLPMClQ== + dependencies: + cross-fetch "^4.0.0" + did-resolver "^4.1.0" -"@sphereon/pex@^2.2.2": - version "2.2.2" - resolved "https://registry.yarnpkg.com/@sphereon/pex/-/pex-2.2.2.tgz#3df9ed75281b46f0899256774060ed2ff982fade" - integrity sha512-NkR8iDTC2PSnYsOHlG2M2iOpFTTbzszs2/pL3iK3Dlv9QYLqX7NtPAlmeSwaoVP1NB1ewcs6U1DtemQAD+90yQ== +"@sphereon/oid4vci-client@0.8.2-next.46": + version "0.8.2-next.46" + resolved "https://registry.yarnpkg.com/@sphereon/oid4vci-client/-/oid4vci-client-0.8.2-next.46.tgz#0f53dc607a0ee17cf0bedb4e7ca91fe525a4c44e" + integrity sha512-oYY5RbFEpyYMU+EHriGOb/noFpFWhpgimr6drdAI7l5hMIQTs3iz8kUk9CSCJEOYq0n9VtWzd9jE3qDVjMgepA== + dependencies: + "@sphereon/oid4vci-common" "0.8.2-next.46+e3c1601" + "@sphereon/ssi-types" "^0.18.1" + cross-fetch "^3.1.8" + debug "^4.3.4" + +"@sphereon/oid4vci-common@0.8.2-next.46", "@sphereon/oid4vci-common@0.8.2-next.46+e3c1601": + version "0.8.2-next.46" + resolved "https://registry.yarnpkg.com/@sphereon/oid4vci-common/-/oid4vci-common-0.8.2-next.46.tgz#5def7c2aa68b19a7f52691668580755573db28e1" + integrity sha512-mt21K/bukcwdqB3kfKGFj3597rO3WnxW7Dietd0YE87C8yt7WyapXdogP7p18GJ40zu6+OealIeNnEMxCBQPXA== + dependencies: + "@sphereon/ssi-types" "^0.18.1" + cross-fetch "^3.1.8" + jwt-decode "^3.1.2" + +"@sphereon/oid4vci-issuer@0.8.2-next.46": + version "0.8.2-next.46" + resolved "https://registry.yarnpkg.com/@sphereon/oid4vci-issuer/-/oid4vci-issuer-0.8.2-next.46.tgz#3886b5e1b9203de8b6d7c5b435562f888177a87b" + integrity sha512-9/VG9QulFEDpNvEe8X7YCcc2FwUDpR2e7geWdWY9SyOexYtjxTcoyfHb9bPgIg5TuFbA1nADTD804935suhKtw== + dependencies: + "@sphereon/oid4vci-common" "0.8.2-next.46+e3c1601" + "@sphereon/ssi-types" "^0.18.1" + uuid "^9.0.0" + +"@sphereon/pex-models@^2.1.5": + version "2.1.5" + resolved "https://registry.yarnpkg.com/@sphereon/pex-models/-/pex-models-2.1.5.tgz#ba4474a3783081392b72403c4c8ee6da3d2e5585" + integrity sha512-7THexvdYUK/Dh8olBB46ErT9q/RnecnMdb5r2iwZ6be0Dt4vQLAUN7QU80H0HZBok4jRTb8ydt12x0raBSTHOg== + +"@sphereon/pex@^3.0.1": + version "3.0.1" + resolved "https://registry.yarnpkg.com/@sphereon/pex/-/pex-3.0.1.tgz#e7d9d36c7c921ab97190a735c67e0a2632432e3b" + integrity sha512-rj+GhFfV5JLyo7dTIA3htWlrT+f6tayF9JRAGxdsIYBfYictLi9BirQ++JRBXsiq7T5zMnfermz4RGi3cvt13Q== dependencies: "@astronautlabs/jsonpath" "^1.1.2" - "@sphereon/pex-models" "^2.1.2" - "@sphereon/ssi-types" "^0.17.5" + "@sd-jwt/decode" "^0.2.0" + "@sd-jwt/present" "^0.2.0" + "@sd-jwt/utils" "^0.2.0" + "@sphereon/pex-models" "^2.1.5" + "@sphereon/ssi-types" "0.18.1" ajv "^8.12.0" ajv-formats "^2.1.1" jwt-decode "^3.1.2" - nanoid "^3.3.6" - string.prototype.matchall "^4.0.8" + nanoid "^3.3.7" + string.prototype.matchall "^4.0.10" -"@sphereon/ssi-types@^0.17.5": - version "0.17.5" - resolved "https://registry.yarnpkg.com/@sphereon/ssi-types/-/ssi-types-0.17.5.tgz#7b4de0326e7c2993ab816caeef6deaea41a5f65f" - integrity sha512-hoQOkeOtshvIzNAG+HTqcKxeGssLVfwX7oILHJgs6VMb1GhR6QlqjMAxflDxZ/8Aq2R0I6fEPWmf73zAXY2X2Q== +"@sphereon/ssi-types@0.18.1", "@sphereon/ssi-types@^0.18.1": + version "0.18.1" + resolved "https://registry.yarnpkg.com/@sphereon/ssi-types/-/ssi-types-0.18.1.tgz#c00e4939149f4e441fae56af860735886a4c33a5" + integrity sha512-uM0gb1woyc0R+p+qh8tVDi15ZWmpzo9BP0iBp/yRkJar7gAfgwox/yvtEToaH9jROKnDCwL3DDQCDeNucpMkwg== dependencies: + "@sd-jwt/decode" "^0.2.0" jwt-decode "^3.1.2" "@sphereon/ssi-types@^0.9.0": @@ -2612,6 +2703,15 @@ dependencies: jwt-decode "^3.1.2" +"@sphereon/wellknown-dids-client@^0.1.3": + version "0.1.3" + resolved "https://registry.yarnpkg.com/@sphereon/wellknown-dids-client/-/wellknown-dids-client-0.1.3.tgz#4711599ed732903e9f45fe051660f925c9b508a4" + integrity sha512-TAT24L3RoXD8ocrkTcsz7HuJmgjNjdoV6IXP1p3DdaI/GqkynytXE3J1+F7vUFMRYwY5nW2RaXSgDQhrFJemaA== + dependencies: + "@sphereon/ssi-types" "^0.9.0" + cross-fetch "^3.1.5" + jwt-decode "^3.1.2" + "@stablelib/aead@^1.0.1": version "1.0.1" resolved "https://registry.yarnpkg.com/@stablelib/aead/-/aead-1.0.1.tgz#c4b1106df9c23d1b867eb9b276d8f42d5fc4c0c3" @@ -2898,6 +2998,16 @@ "@types/qs" "*" "@types/serve-static" "*" +"@types/express@^4.17.21": + version "4.17.21" + resolved "https://registry.yarnpkg.com/@types/express/-/express-4.17.21.tgz#c26d4a151e60efe0084b23dc3369ebc631ed192d" + integrity sha512-ejlPM315qwLpaQlQDTjPdsUFSc6ZsP4AN6AlWnogPjQ7CVi7PYF3YVz+CY3jE2pwYf7E/7HlDAN0rV2GxTG0HQ== + dependencies: + "@types/body-parser" "*" + "@types/express-serve-static-core" "^4.17.33" + "@types/qs" "*" + "@types/serve-static" "*" + "@types/figlet@^1.5.4": version "1.5.5" resolved "https://registry.yarnpkg.com/@types/figlet/-/figlet-1.5.5.tgz#da93169178f0187da288c313ab98ab02fb1e8b8c" @@ -4048,6 +4158,14 @@ buffer-from@^1.0.0: resolved "https://registry.yarnpkg.com/buffer-from/-/buffer-from-1.1.2.tgz#2b146a6fd72e80b4f55d255f35ed59a3a9a41bd5" integrity sha512-E+XQCRwSbaaiChtv6k6Dwgc+bx+Bs6vuKJHHl5kox/BaKbhiXzqQOwK4cO22yElGp2OCmjwVhT3HmxgyPGnJfQ== +buffer@*, buffer@^6.0.0, buffer@^6.0.3: + version "6.0.3" + resolved "https://registry.yarnpkg.com/buffer/-/buffer-6.0.3.tgz#2ace578459cc8fbe2a70aaa8f52ee63b6a74c6c6" + integrity sha512-FTiCpNxtwiZZHEZbcbTIcZjERVICn9yq/pDFkTl95/AxzD1naBctN7YO68riM/gLSDY7sdrMby8hofADYuuqOA== + dependencies: + base64-js "^1.3.1" + ieee754 "^1.2.1" + buffer@^5.5.0: version "5.7.1" resolved "https://registry.yarnpkg.com/buffer/-/buffer-5.7.1.tgz#ba62e7c13133053582197160851a8f648e99eed0" @@ -4056,14 +4174,6 @@ buffer@^5.5.0: base64-js "^1.3.1" ieee754 "^1.1.13" -buffer@^6.0.0, buffer@^6.0.3: - version "6.0.3" - resolved "https://registry.yarnpkg.com/buffer/-/buffer-6.0.3.tgz#2ace578459cc8fbe2a70aaa8f52ee63b6a74c6c6" - integrity sha512-FTiCpNxtwiZZHEZbcbTIcZjERVICn9yq/pDFkTl95/AxzD1naBctN7YO68riM/gLSDY7sdrMby8hofADYuuqOA== - dependencies: - base64-js "^1.3.1" - ieee754 "^1.2.1" - builtins@^1.0.3: version "1.0.3" resolved "https://registry.yarnpkg.com/builtins/-/builtins-1.0.3.tgz#cb94faeb61c8696451db36534e1422f94f0aee88" @@ -4857,12 +4967,12 @@ credentials-context@^2.0.0: resolved "https://registry.yarnpkg.com/credentials-context/-/credentials-context-2.0.0.tgz#68a9a1a88850c398d3bba4976c8490530af093e8" integrity sha512-/mFKax6FK26KjgV2KW2D4YqKgoJ5DVJpNt87X2Jc9IxT2HBMy7nEIlc+n7pEi+YFFe721XqrvZPd+jbyyBjsvQ== -cross-fetch@^3.1.5: - version "3.1.5" - resolved "https://registry.yarnpkg.com/cross-fetch/-/cross-fetch-3.1.5.tgz#e1389f44d9e7ba767907f7af8454787952ab534f" - integrity sha512-lvb1SBsI0Z7GDwmuid+mU3kWVBwTVUbe7S0H52yaaAdQOXq2YktTCZdlAcNKFzE6QtRz0snpw9bNiPeOIkkQvw== +cross-fetch@^3.1.5, cross-fetch@^3.1.8: + version "3.1.8" + resolved "https://registry.yarnpkg.com/cross-fetch/-/cross-fetch-3.1.8.tgz#0327eba65fd68a7d119f8fb2bf9334a1a7956f82" + integrity sha512-cvA+JwZoU0Xq+h6WkMvAUqPEYy92Obet6UdKLfW60qn99ftItKjB5T+BkyWOFWe2pUyfQ+IJHmpOTznqk1M6Kg== dependencies: - node-fetch "2.6.7" + node-fetch "^2.6.12" cross-fetch@^4.0.0: version "4.0.0" @@ -5122,7 +5232,7 @@ detect-newline@^3.0.0: resolved "https://registry.yarnpkg.com/detect-newline/-/detect-newline-3.1.0.tgz#576f5dfc63ae1a192ff192d8ad3af6308991b651" integrity sha512-TLz+x/vEXm/Y7P7wn1EJFNLxYpUD4TgMosxY6fAVJUnJMbupHBOncxyWUG9OpTaH9EBD7uFI5LfEgmMOc54DsA== -did-jwt@^6.11.6: +did-jwt@6.11.6, did-jwt@^6.11.6: version "6.11.6" resolved "https://registry.yarnpkg.com/did-jwt/-/did-jwt-6.11.6.tgz#3eeb30d6bd01f33bfa17089574915845802a7d44" integrity sha512-OfbWknRxJuUqH6Lk0x+H1FsuelGugLbBDEwsoJnicFOntIG/A4y19fn0a8RLxaQbWQ5gXg0yDq5E2huSBiiXzw== @@ -5795,7 +5905,7 @@ expo-random@*: dependencies: base64-js "^1.3.0" -express@^4.17.1: +express@^4.17.1, express@^4.18.1, express@^4.18.2: version "4.18.2" resolved "https://registry.yarnpkg.com/express/-/express-4.18.2.tgz#3fabe08296e930c796c19e3c516979386ba9fd59" integrity sha512-5/PsL6iGPdfQ/lKM1UuielYgv3BUoJfz1aUwU9vHZ+J7gyvwdQXFEBIEIaxeGf0GIcreATNyBExtalisDbuMqQ== @@ -6946,7 +7056,7 @@ inflight@^1.0.4: once "^1.3.0" wrappy "1" -inherits@2, inherits@2.0.4, inherits@^2.0.3, inherits@^2.0.4, inherits@~2.0.3: +inherits@2, inherits@2.0.4, inherits@^2.0.1, inherits@^2.0.3, inherits@^2.0.4, inherits@~2.0.3: version "2.0.4" resolved "https://registry.yarnpkg.com/inherits/-/inherits-2.0.4.tgz#0fa2c64f932917c3433a0ded55363aae37416b7c" integrity sha512-k/vGaX4/Yla3WzyMCvTQOXYeIHvqOKtnqBduzTHpzpQZzAskKMhZ2K+EnBiSM9zGSoIFeMpXKxa4dYeZIQqewQ== @@ -8189,13 +8299,6 @@ jwt-decode@^3.1.2: resolved "https://registry.yarnpkg.com/jwt-decode/-/jwt-decode-3.1.2.tgz#3fb319f3675a2df0c2895c8f5e9fa4b67b04ed59" integrity sha512-UfpWE/VZn0iP50d8cz9NrZLM9lSWhcJ+0Gt/nm4by88UL+J1SiKN8/5dkjMmbEzwL2CAe+67GsegCbIKtbp75A== -jwt-sd@^0.1.2: - version "0.1.2" - resolved "https://registry.yarnpkg.com/jwt-sd/-/jwt-sd-0.1.2.tgz#e03d1a2fed7aadd94ee3c6af6594e40023230ff0" - integrity sha512-bFoAlIBkO6FtfaLZ7YxCHMMWDHoy/eNfw8Kkww9iExHA1si3SxKLTi1TpMmUWfwD37NQgJu2j9PkKHXwI6hGPw== - dependencies: - buffer "^6.0.3" - kind-of@^3.0.2, kind-of@^3.0.3, kind-of@^3.2.0: version "3.2.2" resolved "https://registry.yarnpkg.com/kind-of/-/kind-of-3.2.2.tgz#31ea21a734bab9bbb0f32466d893aea51e4a3c64" @@ -8238,6 +8341,18 @@ ky@^0.25.1: resolved "https://registry.yarnpkg.com/ky/-/ky-0.25.1.tgz#0df0bd872a9cc57e31acd5dbc1443547c881bfbc" integrity sha512-PjpCEWlIU7VpiMVrTwssahkYXX1by6NCT0fhTUX34F3DTinARlgMpriuroolugFPcMgpPWrOW4mTb984Qm1RXA== +language-subtag-registry@^0.3.20: + version "0.3.22" + resolved "https://registry.yarnpkg.com/language-subtag-registry/-/language-subtag-registry-0.3.22.tgz#2e1500861b2e457eba7e7ae86877cbd08fa1fd1d" + integrity sha512-tN0MCzyWnoz/4nHS6uxdlFWoUZT7ABptwKPQ52Ea7URk6vll88bWBVhodtnlfEuCcKWNGoc+uGbw1cwa9IKh/w== + +language-tags@^1.0.9: + version "1.0.9" + resolved "https://registry.yarnpkg.com/language-tags/-/language-tags-1.0.9.tgz#1ffdcd0ec0fafb4b1be7f8b11f306ad0f9c08777" + integrity sha512-MbjN408fEndfiQXbFQ1vnd+1NoLDsnQW41410oQBXiyXDMYH5z505juWa4KUE1LqxRC7DgOgZDbKLxHIwm27hA== + dependencies: + language-subtag-registry "^0.3.20" + lerna@^6.5.1: version "6.6.1" resolved "https://registry.yarnpkg.com/lerna/-/lerna-6.6.1.tgz#4897171aed64e244a2d0f9000eef5c5b228f9332" @@ -9298,6 +9413,11 @@ multer@^1.4.5-lts.1: type-is "^1.6.4" xtend "^4.0.0" +multiformats@^11.0.2: + version "11.0.2" + resolved "https://registry.yarnpkg.com/multiformats/-/multiformats-11.0.2.tgz#b14735efc42cd8581e73895e66bebb9752151b60" + integrity sha512-b5mYMkOkARIuVZCpvijFj9a6m5wMVLC7cf/jIPd5D/ARDOfLC5+IFkbgDXQgcU2goIsTD/O9NY4DI/Mt4OGvlg== + multiformats@^9.4.2, multiformats@^9.6.5, multiformats@^9.9.0: version "9.9.0" resolved "https://registry.yarnpkg.com/multiformats/-/multiformats-9.9.0.tgz#c68354e7d21037a8f1f8833c8ccd68618e8f1d37" @@ -9324,7 +9444,7 @@ nan@^2.11.1: resolved "https://registry.yarnpkg.com/nan/-/nan-2.17.0.tgz#c0150a2368a182f033e9aa5195ec76ea41a199cb" integrity sha512-2ZTgtl0nJsO0KQCjEpxcIr5D+Yv90plTitZt9JBfQvVJDS5seMl3FOvsh3+9CoYWXf/1l5OaZzzF6nDm4cagaQ== -nanoid@^3.3.6: +nanoid@^3.3.7: version "3.3.7" resolved "https://registry.yarnpkg.com/nanoid/-/nanoid-3.3.7.tgz#d0c301a691bc8d54efa0a2226ccf3fe2fd656bd8" integrity sha512-eSRppjcPIatRIMC1U6UngP8XFcz8MQWGQdt1MTBQ7NaAmvXDfvNxbvWV3x2y6CdEUciCSsDHDQZbhYaB8QEo2g== @@ -10666,6 +10786,13 @@ qs@6.11.0: dependencies: side-channel "^1.0.4" +qs@^6.11.2: + version "6.11.2" + resolved "https://registry.yarnpkg.com/qs/-/qs-6.11.2.tgz#64bea51f12c1f5da1bc01496f48ffcff7c69d7d9" + integrity sha512-tDNIz22aBzCDxLtVH++VnTfzxlfeK5CbqohpSqpJgj1Wg/cQbStNAz3NuqCs5vV+pjBsK4x4pN9HlVh7rcYRiA== + dependencies: + side-channel "^1.0.4" + query-string@^7.0.1: version "7.1.3" resolved "https://registry.yarnpkg.com/query-string/-/query-string-7.1.3.tgz#a1cf90e994abb113a325804a972d98276fe02328" @@ -11387,6 +11514,14 @@ setprototypeof@1.2.0: resolved "https://registry.yarnpkg.com/setprototypeof/-/setprototypeof-1.2.0.tgz#66c9a24a73f9fc28cbe66b09fed3d33dcaf1b424" integrity sha512-E5LDX7Wrp85Kil5bhZv46j8jOeboKq5JMmYM3gVGdGH8xFpPWXUMsNrlODCrkoxMEeNi/XZIwuRvY4XNwYMJpw== +sha.js@^2.4.11: + version "2.4.11" + resolved "https://registry.yarnpkg.com/sha.js/-/sha.js-2.4.11.tgz#37a5cf0b81ecbc6943de109ba2960d1b26584ae7" + integrity sha512-QMEp5B7cftE7APOjk5Y6xgrbWu+WkLVQwk8JNjZ8nKRciZaByEW6MubieAiToS7+dwvrjGhH8jRXz3MVd0AYqQ== + dependencies: + inherits "^2.0.1" + safe-buffer "^5.0.1" + shallow-clone@^3.0.0: version "3.0.1" resolved "https://registry.yarnpkg.com/shallow-clone/-/shallow-clone-3.0.1.tgz#8f2981ad92531f55035b01fb230769a40e02efa3" @@ -11748,7 +11883,7 @@ string-width@^1.0.1: is-fullwidth-code-point "^3.0.0" strip-ansi "^6.0.1" -string.prototype.matchall@^4.0.8: +string.prototype.matchall@^4.0.10: version "4.0.10" resolved "https://registry.yarnpkg.com/string.prototype.matchall/-/string.prototype.matchall-4.0.10.tgz#a1553eb532221d4180c51581d6072cd65d1ee100" integrity sha512-rGXbGmOEosIQi6Qva94HUjgPs9vKW+dkG7Y8Q5O2OYkWL6wFaTRZO8zM4mhP94uX55wgyrXzfS2aGtGzUL7EJQ==