@sphereon/did-auth-siop-adapter/dist/index.cjs.map

Self Issued OpenID V2 (SIOPv2) and OpenID 4 Verifiable Presentations (OID4VP) did adapter

{"version":3,"sources":["../lib/index.ts","../lib/did/DidJWT.ts","../lib/helpers.ts","../lib/did/DIDResolution.ts","../lib/did/LinkedDomainValidations.ts","../lib/types/SIOP.types.ts","../lib/DidJwtAdapter.ts"],"sourcesContent":["export * from './did'\n\nexport * from './types'\nexport * from './DidJwtAdapter'\nexport * from './helpers'\n","import {\n  DEFAULT_EXPIRATION_TIME,\n  IDTokenPayload,\n  post,\n  RequestObjectPayload,\n  ResponseIss,\n  SignatureResponse,\n  SIOPErrors,\n  SIOPResonse,\n  VerifiedJWT,\n} from '@sphereon/did-auth-siop'\nimport { SigningAlgo } from '@sphereon/oid4vc-common'\nimport {\n  createJWT,\n  decodeJWT,\n  EdDSASigner,\n  ES256KSigner,\n  ES256Signer,\n  hexToBytes,\n  JWTHeader,\n  JWTOptions,\n  JWTPayload,\n  JWTVerifyOptions,\n  Signer,\n  verifyJWT,\n} from 'did-jwt'\nimport { Resolvable } from 'did-resolver'\n\nimport { isExternalSignature, isInternalSignature, isSuppliedSignature } from '../helpers'\nimport { ExternalSignature, InternalSignature, SuppliedSignature } from '../types'\n\n/**\n *  Verifies given JWT. If the JWT is valid, the promise returns an object including the JWT, the payload of the JWT,\n *  and the did doc of the issuer of the JWT.\n *\n *  @example\n *  verifyDidJWT('did:key:example', resolver, {audience: '5A8bRWU3F7j3REx3vkJ...', callbackUrl: 'https://...'}).then(obj => {\n *      const did = obj.did                 // DIDres of signer\n *      const payload = obj.payload\n *      const doc = obj.doc                 // DIDres Document of signer\n *      const JWT = obj.JWT                 // JWT\n *      const signerKeyId = obj.signerKeyId // ID of key in DIDres document that signed JWT\n *      ...\n *  })\n *\n *  @param    {String}            jwt                   a JSON Web Token to verify\n *  @param    {Resolvable}        resolver\n *  @param    {JWTVerifyOptions}  [options]             Options\n *  @param    {String}            options.audience      DID of the recipient of the JWT\n *  @param    {String}            options.callbackUrl   callback url in JWT\n *  @return   {Promise<Object, Error>}                  a promise which resolves with a response object or rejects with an error\n */\nexport async function verifyDidJWT(jwt: string, resolver: Resolvable, options: JWTVerifyOptions): Promise<VerifiedJWT> {\n  return verifyJWT(jwt, { ...options, resolver })\n}\n\n/**\n *  Creates a signed JWT given an address which becomes the issuer, a signer function, and a payload for which the withSignature is over.\n *\n *  @example\n *  const signer = ES256KSigner(process.env.PRIVATE_KEY)\n *  createJWT({address: '5A8bRWU3F7j3REx3vkJ...', signer}, {key1: 'value', key2: ..., ... }).then(JWT => {\n *      ...\n *  })\n *\n *  @param    {Object}            payload               payload object\n *  @param    {Object}            [options]             an unsigned credential object\n *  @param    {String}            options.issuer        The DID of the issuer (signer) of JWT\n *  @param    {Signer}            options.signer        a `Signer` function, Please see `ES256KSigner` or `EdDSASigner`\n *  @param    {boolean}           options.canonicalize  optional flag to canonicalize header and payload before signing\n *  @param    {Object}            header                optional object to specify or customize the JWT header\n *  @return   {Promise<Object, Error>}                  a promise which resolves with a signed JSON Web Token or rejects with an error\n */\nexport async function createDidJWT(\n  payload: Partial<JWTPayload>,\n  { issuer, signer, expiresIn, canonicalize }: JWTOptions,\n  header: Partial<JWTHeader>,\n): Promise<string> {\n  return createJWT(payload, { issuer, signer, expiresIn, canonicalize }, header)\n}\n\nexport async function signIDTokenPayload(payload: IDTokenPayload, signature: InternalSignature | ExternalSignature | SuppliedSignature) {\n  if (isInternalSignature(signature)) {\n    if (!signature.kid) {\n      return Promise.reject(Error('missing kid from signature'))\n    }\n    return signDidJwtInternal(payload, payload.issuer, signature.hexPrivateKey, signature.alg, signature.kid, signature.customJwtSigner)\n  } else if (isExternalSignature(signature)) {\n    return signDidJwtExternal(payload, signature.signatureUri, signature.authZToken, signature.alg, signature.kid)\n  } else if (isSuppliedSignature(signature)) {\n    if (!signature.kid) {\n      return Promise.reject(Error('missing kid from signature'))\n    }\n    return signDidJwtSupplied(payload, payload.issuer, signature.signature, signature.alg, signature.kid)\n  } else {\n    throw new Error(\n      'Signature parameters should be internal signature with hexPrivateKey, did, and an optional kid, or external signature parameters with signatureUri, did, and optionals parameters authZToken, hexPublicKey, and kid',\n    )\n  }\n}\n\nexport async function signRequestObjectPayload(payload: RequestObjectPayload, signature: InternalSignature | ExternalSignature | SuppliedSignature) {\n  let issuer = payload.iss\n  if (!issuer) {\n    issuer = signature.did\n  }\n  if (!issuer) {\n    throw Error('No issuer supplied to sign the JWT')\n  }\n  if (!payload.iss) {\n    payload.iss = issuer\n  }\n  if (!payload.sub) {\n    payload.sub = signature.did\n  }\n  if (isInternalSignature(signature)) {\n    if (!signature.kid) {\n      return Promise.reject(Error('missing kid from signature'))\n    }\n    return signDidJwtInternal(payload, issuer, signature.hexPrivateKey, signature.alg, signature.kid, signature.customJwtSigner)\n  } else if (isExternalSignature(signature)) {\n    return signDidJwtExternal(payload, signature.signatureUri, signature.authZToken, signature.alg, signature.kid)\n  } else if (isSuppliedSignature(signature)) {\n    if (!signature.kid) {\n      return Promise.reject(Error('missing kid from signature'))\n    }\n    return signDidJwtSupplied(payload, issuer, signature.signature, signature.alg, signature.kid)\n  } else {\n    throw new Error(\n      'Signature parameters should be internal signature with hexPrivateKey, did, and an optional kid, or external signature parameters with signatureUri, did, and optionals parameters authZToken, hexPublicKey, and kid',\n    )\n  }\n}\n\nexport async function signDidJwtInternal(\n  payload: IDTokenPayload | RequestObjectPayload,\n  issuer: string,\n  hexPrivateKey: string,\n  alg: SigningAlgo,\n  kid: string,\n  customJwtSigner?: Signer,\n): Promise<string> {\n  const signer = determineSigner(alg, hexPrivateKey, customJwtSigner)\n  const header = {\n    alg,\n    kid,\n  }\n  const options = {\n    issuer,\n    signer,\n    expiresIn: DEFAULT_EXPIRATION_TIME,\n  }\n\n  return await createDidJWT({ ...payload }, options, header)\n}\n\nasync function signDidJwtExternal(\n  payload: IDTokenPayload | RequestObjectPayload,\n  signatureUri: string,\n  authZToken: string,\n  alg: SigningAlgo,\n  kid?: string,\n): Promise<string> {\n  const body = {\n    issuer: payload.iss && payload.iss.includes('did:') ? payload.iss : payload.sub,\n    payload,\n    expiresIn: DEFAULT_EXPIRATION_TIME,\n    alg,\n    selfIssued: payload.iss && payload.iss.includes(ResponseIss.SELF_ISSUED_V2) ? payload.iss : undefined,\n    kid,\n  }\n\n  const response: SIOPResonse<SignatureResponse> = await post(signatureUri, JSON.stringify(body), { bearerToken: authZToken })\n  if (!response.successBody) {\n    return Promise.reject(Error('the siop SignatureResponse does not have a successBody'))\n  }\n  return response.successBody.jws\n}\n\nasync function signDidJwtSupplied(\n  payload: IDTokenPayload | RequestObjectPayload,\n  issuer: string,\n  signer: Signer,\n  alg: SigningAlgo,\n  kid: string,\n): Promise<string> {\n  const header = {\n    alg,\n    kid,\n  }\n  const options = {\n    issuer,\n    signer,\n    expiresIn: DEFAULT_EXPIRATION_TIME,\n  }\n\n  return await createDidJWT({ ...payload }, options, header)\n}\n\nconst determineSigner = (alg: SigningAlgo, hexPrivateKey?: string, customSigner?: Signer): Signer => {\n  if (customSigner) {\n    return customSigner\n  } else if (!hexPrivateKey) {\n    throw new Error('no private key provided')\n  }\n  const privateKey = hexToBytes(hexPrivateKey.replace('0x', ''))\n  switch (alg) {\n    case SigningAlgo.EDDSA:\n      return EdDSASigner(privateKey)\n    case SigningAlgo.ES256:\n      return ES256Signer(privateKey)\n    case SigningAlgo.ES256K:\n      return ES256KSigner(privateKey)\n    case SigningAlgo.PS256:\n      throw Error('PS256 is not supported yet. Please provide a custom signer')\n    case SigningAlgo.RS256:\n      throw Error('RS256 is not supported yet. Please provide a custom signer')\n  }\n}\n\nexport function getAudience(jwt: string) {\n  const { payload } = decodeJWT(jwt)\n  if (!payload) {\n    throw new Error(SIOPErrors.NO_AUDIENCE)\n  } else if (!payload.aud) {\n    return undefined\n  } else if (Array.isArray(payload.aud)) {\n    throw new Error(SIOPErrors.INVALID_AUDIENCE)\n  }\n\n  return payload.aud\n}\n\n//TODO To enable automatic registration, it cannot be a did, but HTTPS URL\nfunction assertIssSelfIssuedOrDid(payload: JWTPayload) {\n  if (!payload.sub || !payload.sub.startsWith('did:') || !payload.iss || !isIssSelfIssued(payload)) {\n    throw new Error('Token does not have a iss DID')\n  }\n}\n\nexport function getSubDidFromPayload(payload: JWTPayload, header?: JWTHeader): string {\n  assertIssSelfIssuedOrDid(payload)\n\n  if (isIssSelfIssued(payload)) {\n    let did\n    if (payload.sub && payload.sub.startsWith('did:')) {\n      did = payload.sub\n    }\n    if (!did && header && header.kid && header.kid.startsWith('did:')) {\n      did = header.kid.split('#')[0]\n    }\n    if (did) {\n      return did\n    }\n  }\n  return payload.sub!\n}\n\nexport function isIssSelfIssued(payload: JWTPayload): boolean {\n  return (\n    (payload.iss && payload.iss.includes(ResponseIss.SELF_ISSUED_V1)) ||\n    (payload.iss && payload.iss.includes(ResponseIss.SELF_ISSUED_V2)) ||\n    payload.iss === payload.sub\n  )\n}\n\nexport function getMethodFromDid(did: string): string {\n  if (!did) {\n    throw new Error(SIOPErrors.BAD_PARAMS)\n  }\n  const split = did.split(':')\n  if (split.length == 1 && did.length > 0) {\n    return did\n  } else if (!did.startsWith('did:') || split.length < 2) {\n    throw new Error(SIOPErrors.BAD_PARAMS)\n  }\n\n  return split[1]\n}\n\n/**\n * Since the OIDC SIOP spec incorrectly uses 'did:<method>:' and calls that a method, we have to fix it\n * @param didOrMethod\n */\nexport function toSIOPRegistrationDidMethod(didOrMethod: string) {\n  let prefix = didOrMethod\n  if (!didOrMethod.startsWith('did:')) {\n    prefix = 'did:' + didOrMethod\n  }\n  const split = prefix.split(':')\n  return `${split[0]}:${split[1]}`\n}\n","import { ExternalSignature, InternalSignature, NoSignature, SuppliedSignature } from './types/SIOP.types'\n\nexport const isInternalSignature = (object: InternalSignature | ExternalSignature | SuppliedSignature | NoSignature): object is InternalSignature =>\n  'hexPrivateKey' in object && 'did' in object\n\nexport const isExternalSignature = (object: InternalSignature | ExternalSignature | SuppliedSignature | NoSignature): object is ExternalSignature =>\n  'signatureUri' in object && 'did' in object\n\nexport const isSuppliedSignature = (object: InternalSignature | ExternalSignature | SuppliedSignature | NoSignature): object is SuppliedSignature =>\n  'signature' in object\n","import { SubjectIdentifierType, SubjectSyntaxTypesSupportedValues } from '@sphereon/did-auth-siop'\nimport { getUniResolver, UniResolver } from '@sphereon/did-uni-client'\nimport { DIDResolutionOptions, DIDResolutionResult, ParsedDID, Resolvable, Resolver, ResolverRegistry } from 'did-resolver'\n\nimport { DIDDocument, ResolveOpts } from '../types'\n\nimport { getMethodFromDid, toSIOPRegistrationDidMethod } from '.'\n\nexport function getResolver(opts: ResolveOpts): Resolvable {\n  if (opts && typeof opts.resolver === 'object') {\n    return opts.resolver\n  }\n  if (!opts || !opts.subjectSyntaxTypesSupported) {\n    if (opts?.noUniversalResolverFallback) {\n      throw Error(`No subject syntax types nor did methods configured for DID resolution, but fallback to universal resolver has been disabled`)\n    }\n    console.log(\n      `Falling back to universal resolver as no resolve opts have been provided, or no subject syntax types supported are provided. It is wise to fix this`,\n    )\n    return new UniResolver()\n  }\n\n  const uniResolvers: {\n    [p: string]: (did: string, _parsed: ParsedDID, _didResolver: Resolvable, _options: DIDResolutionOptions) => Promise<DIDResolutionResult>\n  }[] = []\n  if (opts.subjectSyntaxTypesSupported.indexOf(SubjectIdentifierType.DID) === -1) {\n    const specificDidMethods = opts.subjectSyntaxTypesSupported.filter((sst) => sst.includes('did:'))\n    if (!specificDidMethods.length) {\n      throw new Error('No did method found.')\n    }\n    for (const didMethod of specificDidMethods) {\n      const uniResolver = getUniResolver(getMethodFromDid(didMethod), { resolveUrl: opts.resolveUrl })\n      uniResolvers.push(uniResolver)\n    }\n    return new Resolver(...uniResolvers)\n  } else {\n    if (opts?.noUniversalResolverFallback) {\n      throw Error(`No subject syntax types nor did methods configured for DID resolution, but fallback to universal resolver has been disabled`)\n    }\n    console.log(\n      `Falling back to universal resolver as no resolve opts have been provided, or no subject syntax types supported are provided. It is wise to fix this`,\n    )\n    return new UniResolver()\n  }\n}\n\n/**\n * This method returns a resolver object in OP/RP\n * If the user of this library, configures OP/RP to have a customResolver, we will use that\n * If the user of this library configures OP/RP to use a custom resolver for any specific did method, we will use that\n * and in the end for the rest of the did methods, configured either with calling `addDidMethod` upon building OP/RP\n * (without any resolver configuration) or declaring in the subject_syntax_types_supported of the registration object\n * we will use universal resolver from Sphereon's DID Universal Resolver library\n * @param customResolver\n * @param subjectSyntaxTypesSupported\n * @param resolverMap\n */\nexport function getResolverUnion(\n  customResolver: Resolvable,\n  subjectSyntaxTypesSupported: string[] | string,\n  resolverMap: Map<string, Resolvable>,\n): Resolvable {\n  if (customResolver) {\n    return customResolver\n  }\n  const fallbackResolver: Resolvable = customResolver ? customResolver : new UniResolver()\n  const uniResolvers: {\n    [p: string]: (did: string, _parsed: ParsedDID, _didResolver: Resolvable, _options: DIDResolutionOptions) => Promise<DIDResolutionResult>\n  }[] = []\n  const subjectTypes: string[] = []\n  if (subjectSyntaxTypesSupported) {\n    typeof subjectSyntaxTypesSupported === 'string'\n      ? subjectTypes.push(subjectSyntaxTypesSupported)\n      : subjectTypes.push(...subjectSyntaxTypesSupported)\n  }\n  if (subjectTypes.indexOf(SubjectSyntaxTypesSupportedValues.DID.valueOf()) !== -1) {\n    return customResolver ? customResolver : new UniResolver()\n  }\n  const specificDidMethods = subjectTypes.filter((sst) => !!sst && sst.startsWith('did:'))\n  specificDidMethods.forEach((dm) => {\n    let methodResolver: ResolverRegistry | Resolvable | undefined\n    if (!resolverMap.has(dm) || resolverMap.get(dm) === null) {\n      methodResolver = getUniResolver(getMethodFromDid(dm))\n      if (methodResolver) {\n        uniResolvers.push(methodResolver)\n      }\n    } else {\n      methodResolver = resolverMap.get(dm)\n      if (methodResolver) {\n        uniResolvers.push({ [dm]: methodResolver.resolve })\n      }\n    }\n  })\n  return subjectTypes.indexOf(SubjectSyntaxTypesSupportedValues.DID.valueOf()) !== -1\n    ? new Resolver(...{ fallbackResolver, ...uniResolvers })\n    : new Resolver(...uniResolvers)\n}\n\nexport function mergeAllDidMethods(subjectSyntaxTypesSupported: string | string[], resolvers: Map<string, Resolvable>): string[] {\n  if (!Array.isArray(subjectSyntaxTypesSupported)) {\n    subjectSyntaxTypesSupported = [subjectSyntaxTypesSupported]\n  }\n  const unionSubjectSyntaxTypes = new Set()\n  subjectSyntaxTypesSupported.forEach((sst) => unionSubjectSyntaxTypes.add(sst))\n  resolvers.forEach((_, didMethod) => unionSubjectSyntaxTypes.add(toSIOPRegistrationDidMethod(didMethod)))\n  return Array.from(unionSubjectSyntaxTypes) as string[]\n}\n\nexport async function resolveDidDocument(did: string, opts?: ResolveOpts): Promise<DIDDocument> {\n  // todo: The accept is only there because did:key used by Veramo requires it. According to the spec it is optional. It should not hurt, but let's test\n  const result = await getResolver({ ...opts }).resolve(did, { accept: 'application/did+ld+json' })\n  if (result?.didResolutionMetadata?.error) {\n    throw Error(result.didResolutionMetadata.error)\n  }\n  // eslint-disable-next-line @typescript-eslint/ban-ts-comment\n  // @ts-ignore\n  if (!result.didDocument && result.id) {\n    // todo: This looks like a bug. It seems that sometimes we get back a DID document directly instead of a did resolution results\n    return result as unknown as DIDDocument\n  }\n  return result.didDocument as DIDDocument\n}\n","import { IDomainLinkageValidation, ValidationStatusEnum, VerifyCallback, WDCErrors, WellKnownDidVerifier } from '@sphereon/wellknown-dids-client'\n\nimport { DIDDocument } from '../types/SSI.types'\n\nimport { CheckLinkedDomain, ExternalVerification, InternalVerification } from './../types/'\nimport { resolveDidDocument } from './DIDResolution'\nimport { getMethodFromDid, toSIOPRegistrationDidMethod } from './DidJWT'\n\nfunction getValidationErrorMessages(validationResult: IDomainLinkageValidation): string[] {\n  const messages = []\n  if (validationResult.message) {\n    messages.push(validationResult.message)\n  }\n  if (validationResult?.endpointDescriptors?.length) {\n    for (const endpointDescriptor of validationResult.endpointDescriptors) {\n      if (endpointDescriptor.message) {\n        messages.push(endpointDescriptor.message)\n      }\n      if (endpointDescriptor.resources) {\n        for (const resource of endpointDescriptor.resources) {\n          if (resource.message) {\n            messages.push(resource.message)\n          }\n        }\n      }\n    }\n  }\n  return messages\n}\n\n/**\n * @param validationErrorMessages\n * @return returns false if the messages received from wellknown-dids-client makes this invalid for CheckLinkedDomain.IF_PRESENT plus the message itself\n *                  and true for when we can move on\n */\nfunction checkInvalidMessages(validationErrorMessages: string[]): { status: boolean; message?: string } {\n  if (!validationErrorMessages || !validationErrorMessages.length) {\n    return { status: false, message: 'linked domain is invalid.' }\n  }\n  const validMessages: string[] = [\n    WDCErrors.PROPERTY_LINKED_DIDS_DOES_NOT_CONTAIN_ANY_DOMAIN_LINK_CREDENTIALS.valueOf(),\n    WDCErrors.PROPERTY_LINKED_DIDS_NOT_PRESENT.valueOf(),\n    WDCErrors.PROPERTY_TYPE_NOT_CONTAIN_VALID_LINKED_DOMAIN.valueOf(),\n    WDCErrors.PROPERTY_SERVICE_NOT_PRESENT.valueOf(),\n  ]\n  for (const validationErrorMessage of validationErrorMessages) {\n    if (!validMessages.filter((vm) => validationErrorMessage.includes(vm)).pop()) {\n      return { status: false, message: validationErrorMessage }\n    }\n  }\n  return { status: true }\n}\n\nexport async function validateLinkedDomainWithDid(did: string, verification: InternalVerification | ExternalVerification): Promise<void> {\n  const { checkLinkedDomain, resolveOpts, wellknownDIDVerifyCallback } = verification\n  if (checkLinkedDomain === CheckLinkedDomain.NEVER) {\n    return\n  }\n  const didDocument = await resolveDidDocument(did, {\n    ...resolveOpts,\n    subjectSyntaxTypesSupported: [toSIOPRegistrationDidMethod(getMethodFromDid(did))],\n  })\n  if (!didDocument) {\n    throw Error(`Could not resolve DID: ${did}`)\n  }\n  if ((!didDocument.service || !didDocument.service.find((s) => s.type === 'LinkedDomains')) && checkLinkedDomain === CheckLinkedDomain.IF_PRESENT) {\n    // No linked domains in DID document and it was optional. Let's cut it short here.\n    return\n  }\n  try {\n    if (!wellknownDIDVerifyCallback) {\n      return Promise.reject(Error('wellknownDIDVerifyCallback is required for checkWellKnownDid'))\n    }\n    const validationResult = await checkWellKnownDid({ didDocument, verifyCallback: wellknownDIDVerifyCallback })\n    if (validationResult.status === ValidationStatusEnum.INVALID) {\n      const validationErrorMessages = getValidationErrorMessages(validationResult)\n      const messageCondition: { status: boolean; message?: string } = checkInvalidMessages(validationErrorMessages)\n      if (checkLinkedDomain === CheckLinkedDomain.ALWAYS || (checkLinkedDomain === CheckLinkedDomain.IF_PRESENT && !messageCondition.status)) {\n        throw new Error(messageCondition.message ? messageCondition.message : validationErrorMessages[0])\n      }\n    }\n  } catch (err: any) {\n    const messageCondition: { status: boolean; message?: string } = checkInvalidMessages([err.message])\n    if (checkLinkedDomain === CheckLinkedDomain.ALWAYS || (checkLinkedDomain === CheckLinkedDomain.IF_PRESENT && !messageCondition.status)) {\n      throw new Error(err.message)\n    }\n  }\n}\n\ninterface CheckWellKnownDidArgs {\n  didDocument: DIDDocument\n  verifyCallback: VerifyCallback\n}\n\nasync function checkWellKnownDid(args: CheckWellKnownDidArgs): Promise<IDomainLinkageValidation> {\n  const verifier = new WellKnownDidVerifier({\n    verifySignatureCallback: args.verifyCallback,\n    onlyVerifyServiceDid: false,\n  })\n  return await verifier.verifyDomainLinkage({ didDocument: args.didDocument })\n}\n","import { SigningAlgo } from '@sphereon/oid4vc-common'\nimport { VerifyCallback as WellknownDIDVerifyCallback } from '@sphereon/wellknown-dids-client'\nimport { JWTVerifyOptions } from 'did-jwt'\nimport { Resolvable } from 'did-resolver'\n\nexport enum CheckLinkedDomain {\n  NEVER = 'never', // We don't want to verify Linked domains\n  IF_PRESENT = 'if_present', // If present, did-auth-siop will check the linked domain, if exist and not valid, throws an exception\n  ALWAYS = 'always', // We'll always check the linked domains, if not exist or not valid, throws an exception\n}\n\nexport interface InternalSignature {\n  hexPrivateKey: string // hex private key Only secp256k1 format\n  did: string\n\n  alg: SigningAlgo\n  kid?: string // Optional: key identifier\n\n  customJwtSigner?: Signer\n}\n\nexport interface SuppliedSignature {\n  signature: (data: string | Uint8Array) => Promise<EcdsaSignature | string>\n\n  alg: SigningAlgo\n  did: string\n  kid: string\n}\n\nexport interface NoSignature {\n  hexPublicKey: string // hex public key\n  did: string\n  kid?: string // Optional: key identifier\n}\n\nexport interface ExternalSignature {\n  signatureUri: string // url to call to generate a withSignature\n  did: string\n  authZToken: string // Optional: bearer token to use to the call\n  hexPublicKey?: string // Optional: hex encoded public key to compute JWK key, if not possible from DIDres Document\n\n  alg: SigningAlgo\n  kid?: string // Optional: key identifier. default did#keys-1\n}\n\nexport enum VerificationMode {\n  INTERNAL,\n  EXTERNAL,\n}\n\nexport interface EcdsaSignature {\n  r: string\n  s: string\n  recoveryParam?: number | null\n}\nexport type Signer = (data: string | Uint8Array) => Promise<EcdsaSignature | string>\n\nexport interface Verification {\n  checkLinkedDomain?: CheckLinkedDomain\n  wellknownDIDVerifyCallback?: WellknownDIDVerifyCallback\n  resolveOpts: ResolveOpts\n}\n\nexport type InternalVerification = Verification\n\nexport interface ExternalVerification extends Verification {\n  verifyUri: string // url to call to verify the id_token withSignature\n  authZToken?: string // Optional: bearer token to use to the call\n}\n\nexport interface ResolveOpts {\n  jwtVerifyOpts?: JWTVerifyOptions\n  resolver?: Resolvable\n  resolveUrl?: string\n  noUniversalResolverFallback?: boolean\n  subjectSyntaxTypesSupported?: string[]\n}\n","import { AuthorizationRequestPayload, IDTokenPayload, JwtIssuerWithContext, JwtVerifier, RequestObjectPayload } from '@sphereon/did-auth-siop'\nimport { JwtHeader, JwtPayload } from '@sphereon/oid4vc-common'\nimport { Resolvable } from 'did-resolver'\n\nimport { getAudience, getSubDidFromPayload, signIDTokenPayload, signRequestObjectPayload, validateLinkedDomainWithDid, verifyDidJWT } from './did'\nimport { CheckLinkedDomain, ExternalSignature, ExternalVerification, InternalSignature, InternalVerification, SuppliedSignature } from './types'\n\nexport const verfiyDidJwtAdapter = async (\n  jwtVerifier: JwtVerifier,\n  jwt: { header: JwtHeader; payload: JwtPayload; raw: string },\n  options: {\n    verification: InternalVerification | ExternalVerification\n    resolver: Resolvable\n  },\n): Promise<boolean> => {\n  if (jwtVerifier.method === 'did') {\n    const audience = options?.verification?.resolveOpts?.jwtVerifyOpts?.audience ?? getAudience(jwt.raw)\n\n    await verifyDidJWT(jwt.raw, options.resolver, { ...options.verification?.resolveOpts?.jwtVerifyOpts, audience })\n\n    if (jwtVerifier.type === 'request-object' && (jwt.payload as JwtPayload & { client_id?: string }).client_id?.startsWith('did:')) {\n      const authorizationRequestPayload = jwt.payload as AuthorizationRequestPayload\n      if (options.verification?.checkLinkedDomain && options.verification.checkLinkedDomain != CheckLinkedDomain.NEVER) {\n        if (!authorizationRequestPayload.client_id) {\n          return Promise.reject(Error('missing client_id from AuthorizationRequestPayload'))\n        }\n        await validateLinkedDomainWithDid(authorizationRequestPayload.client_id, options.verification)\n      } else if (!options.verification?.checkLinkedDomain && options.verification.wellknownDIDVerifyCallback) {\n        if (!authorizationRequestPayload.client_id) {\n          return Promise.reject(Error('missing client_id from AuthorizationRequestPayload'))\n        }\n        await validateLinkedDomainWithDid(authorizationRequestPayload.client_id, options.verification)\n      }\n    }\n\n    if (jwtVerifier.type === 'id-token') {\n      const issuerDid = getSubDidFromPayload(jwt.payload)\n      if (options.verification?.checkLinkedDomain && options.verification.checkLinkedDomain != CheckLinkedDomain.NEVER) {\n        await validateLinkedDomainWithDid(issuerDid, options.verification)\n      } else if (!options.verification?.checkLinkedDomain && options.verification.wellknownDIDVerifyCallback) {\n        await validateLinkedDomainWithDid(issuerDid, options.verification)\n      }\n    }\n\n    return true\n  }\n\n  throw new Error('Invalid use of the did-auth-siop create jwt adapter')\n}\n\nexport const createDidJwtAdapter = async (\n  signature: InternalSignature | ExternalSignature | SuppliedSignature,\n  jwtIssuer: JwtIssuerWithContext,\n  jwt: { header: JwtHeader; payload: JwtPayload },\n): Promise<string> => {\n  if (jwtIssuer.method === 'did') {\n    const issuer = jwtIssuer.didUrl.split('#')[0]\n    jwt.payload.issuer = issuer\n    if (jwtIssuer.type === 'request-object') {\n      return await signRequestObjectPayload(jwt.payload as RequestObjectPayload, signature)\n    } else if (jwtIssuer.type === 'id-token') {\n      return await signIDTokenPayload(jwt.payload as IDTokenPayload, signature)\n    }\n  }\n  throw new Error('Invalid use of the did-auth-siop create jwt adapter')\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;ACAA,2BAUO;AACP,2BAA4B;AAC5B,qBAaO;;;ACvBA,IAAMA,sBAAsB,wBAACC,WAClC,mBAAmBA,UAAU,SAASA,QADL;AAG5B,IAAMC,sBAAsB,wBAACD,WAClC,kBAAkBA,UAAU,SAASA,QADJ;AAG5B,IAAME,sBAAsB,wBAACF,WAClC,eAAeA,QADkB;;;AD4CnC,eAAsBG,aAAaC,KAAaC,UAAsBC,SAAyB;AAC7F,aAAOC,0BAAUH,KAAK;IAAE,GAAGE;IAASD;EAAS,CAAA;AAC/C;AAFsBF;AAqBtB,eAAsBK,aACpBC,SACA,EAAEC,QAAQC,QAAQC,WAAWC,aAAY,GACzCC,QAA0B;AAE1B,aAAOC,0BAAUN,SAAS;IAAEC;IAAQC;IAAQC;IAAWC;EAAa,GAAGC,MAAAA;AACzE;AANsBN;AAQtB,eAAsBQ,mBAAmBP,SAAyBQ,WAAoE;AACpI,MAAIC,oBAAoBD,SAAAA,GAAY;AAClC,QAAI,CAACA,UAAUE,KAAK;AAClB,aAAOC,QAAQC,OAAOC,MAAM,4BAAA,CAAA;IAC9B;AACA,WAAOC,mBAAmBd,SAASA,QAAQC,QAAQO,UAAUO,eAAeP,UAAUQ,KAAKR,UAAUE,KAAKF,UAAUS,eAAe;EACrI,WAAWC,oBAAoBV,SAAAA,GAAY;AACzC,WAAOW,mBAAmBnB,SAASQ,UAAUY,cAAcZ,UAAUa,YAAYb,UAAUQ,KAAKR,UAAUE,GAAG;EAC/G,WAAWY,oBAAoBd,SAAAA,GAAY;AACzC,QAAI,CAACA,UAAUE,KAAK;AAClB,aAAOC,QAAQC,OAAOC,MAAM,4BAAA,CAAA;IAC9B;AACA,WAAOU,mBAAmBvB,SAASA,QAAQC,QAAQO,UAAUA,WAAWA,UAAUQ,KAAKR,UAAUE,GAAG;EACtG,OAAO;AACL,UAAM,IAAIG,MACR,qNAAA;EAEJ;AACF;AAlBsBN;AAoBtB,eAAsBiB,yBAAyBxB,SAA+BQ,WAAoE;AAChJ,MAAIP,SAASD,QAAQyB;AACrB,MAAI,CAACxB,QAAQ;AACXA,aAASO,UAAUkB;EACrB;AACA,MAAI,CAACzB,QAAQ;AACX,UAAMY,MAAM,oCAAA;EACd;AACA,MAAI,CAACb,QAAQyB,KAAK;AAChBzB,YAAQyB,MAAMxB;EAChB;AACA,MAAI,CAACD,QAAQ2B,KAAK;AAChB3B,YAAQ2B,MAAMnB,UAAUkB;EAC1B;AACA,MAAIjB,oBAAoBD,SAAAA,GAAY;AAClC,QAAI,CAACA,UAAUE,KAAK;AAClB,aAAOC,QAAQC,OAAOC,MAAM,4BAAA,CAAA;IAC9B;AACA,WAAOC,mBAAmBd,SAASC,QAAQO,UAAUO,eAAeP,UAAUQ,KAAKR,UAAUE,KAAKF,UAAUS,eAAe;EAC7H,WAAWC,oBAAoBV,SAAAA,GAAY;AACzC,WAAOW,mBAAmBnB,SAASQ,UAAUY,cAAcZ,UAAUa,YAAYb,UAAUQ,KAAKR,UAAUE,GAAG;EAC/G,WAAWY,oBAAoBd,SAAAA,GAAY;AACzC,QAAI,CAACA,UAAUE,KAAK;AAClB,aAAOC,QAAQC,OAAOC,MAAM,4BAAA,CAAA;IAC9B;AACA,WAAOU,mBAAmBvB,SAASC,QAAQO,UAAUA,WAAWA,UAAUQ,KAAKR,UAAUE,GAAG;EAC9F,OAAO;AACL,UAAM,IAAIG,MACR,qNAAA;EAEJ;AACF;AA/BsBW;AAiCtB,eAAsBV,mBACpBd,SACAC,QACAc,eACAC,KACAN,KACAO,iBAAwB;AAExB,QAAMf,SAAS0B,gBAAgBZ,KAAKD,eAAeE,eAAAA;AACnD,QAAMZ,SAAS;IACbW;IACAN;EACF;AACA,QAAMb,UAAU;IACdI;IACAC;IACAC,WAAW0B;EACb;AAEA,SAAO,MAAM9B,aAAa;IAAE,GAAGC;EAAQ,GAAGH,SAASQ,MAAAA;AACrD;AApBsBS;AAsBtB,eAAeK,mBACbnB,SACAoB,cACAC,YACAL,KACAN,KAAY;AAEZ,QAAMoB,OAAO;IACX7B,QAAQD,QAAQyB,OAAOzB,QAAQyB,IAAIM,SAAS,MAAA,IAAU/B,QAAQyB,MAAMzB,QAAQ2B;IAC5E3B;IACAG,WAAW0B;IACXb;IACAgB,YAAYhC,QAAQyB,OAAOzB,QAAQyB,IAAIM,SAASE,iCAAYC,cAAc,IAAIlC,QAAQyB,MAAMU;IAC5FzB;EACF;AAEA,QAAM0B,WAA2C,UAAMC,2BAAKjB,cAAckB,KAAKC,UAAUT,IAAAA,GAAO;IAAEU,aAAanB;EAAW,CAAA;AAC1H,MAAI,CAACe,SAASK,aAAa;AACzB,WAAO9B,QAAQC,OAAOC,MAAM,wDAAA,CAAA;EAC9B;AACA,SAAOuB,SAASK,YAAYC;AAC9B;AArBevB;AAuBf,eAAeI,mBACbvB,SACAC,QACAC,QACAc,KACAN,KAAW;AAEX,QAAML,SAAS;IACbW;IACAN;EACF;AACA,QAAMb,UAAU;IACdI;IACAC;IACAC,WAAW0B;EACb;AAEA,SAAO,MAAM9B,aAAa;IAAE,GAAGC;EAAQ,GAAGH,SAASQ,MAAAA;AACrD;AAlBekB;AAoBf,IAAMK,kBAAkB,wBAACZ,KAAkBD,eAAwB4B,iBAAAA;AACjE,MAAIA,cAAc;AAChB,WAAOA;EACT,WAAW,CAAC5B,eAAe;AACzB,UAAM,IAAIF,MAAM,yBAAA;EAClB;AACA,QAAM+B,iBAAaC,2BAAW9B,cAAc+B,QAAQ,MAAM,EAAA,CAAA;AAC1D,UAAQ9B,KAAAA;IACN,KAAK+B,iCAAYC;AACf,iBAAOC,4BAAYL,UAAAA;IACrB,KAAKG,iCAAYG;AACf,iBAAOC,4BAAYP,UAAAA;IACrB,KAAKG,iCAAYK;AACf,iBAAOC,6BAAaT,UAAAA;IACtB,KAAKG,iCAAYO;AACf,YAAMzC,MAAM,4DAAA;IACd,KAAKkC,iCAAYQ;AACf,YAAM1C,MAAM,4DAAA;EAChB;AACF,GAnBwB;AAqBjB,SAAS2C,YAAY7D,KAAW;AACrC,QAAM,EAAEK,QAAO,QAAKyD,0BAAU9D,GAAAA;AAC9B,MAAI,CAACK,SAAS;AACZ,UAAM,IAAIa,MAAM6C,gCAAWC,WAAW;EACxC,WAAW,CAAC3D,QAAQ4D,KAAK;AACvB,WAAOzB;EACT,WAAW0B,MAAMC,QAAQ9D,QAAQ4D,GAAG,GAAG;AACrC,UAAM,IAAI/C,MAAM6C,gCAAWK,gBAAgB;EAC7C;AAEA,SAAO/D,QAAQ4D;AACjB;AAXgBJ;AAchB,SAASQ,yBAAyBhE,SAAmB;AACnD,MAAI,CAACA,QAAQ2B,OAAO,CAAC3B,QAAQ2B,IAAIsC,WAAW,MAAA,KAAW,CAACjE,QAAQyB,OAAO,CAACyC,gBAAgBlE,OAAAA,GAAU;AAChG,UAAM,IAAIa,MAAM,+BAAA;EAClB;AACF;AAJSmD;AAMF,SAASG,qBAAqBnE,SAAqBK,QAAkB;AAC1E2D,2BAAyBhE,OAAAA;AAEzB,MAAIkE,gBAAgBlE,OAAAA,GAAU;AAC5B,QAAI0B;AACJ,QAAI1B,QAAQ2B,OAAO3B,QAAQ2B,IAAIsC,WAAW,MAAA,GAAS;AACjDvC,YAAM1B,QAAQ2B;IAChB;AACA,QAAI,CAACD,OAAOrB,UAAUA,OAAOK,OAAOL,OAAOK,IAAIuD,WAAW,MAAA,GAAS;AACjEvC,YAAMrB,OAAOK,IAAI0D,MAAM,GAAA,EAAK,CAAA;IAC9B;AACA,QAAI1C,KAAK;AACP,aAAOA;IACT;EACF;AACA,SAAO1B,QAAQ2B;AACjB;AAhBgBwC;AAkBT,SAASD,gBAAgBlE,SAAmB;AACjD,SACGA,QAAQyB,OAAOzB,QAAQyB,IAAIM,SAASE,iCAAYoC,cAAc,KAC9DrE,QAAQyB,OAAOzB,QAAQyB,IAAIM,SAASE,iCAAYC,cAAc,KAC/DlC,QAAQyB,QAAQzB,QAAQ2B;AAE5B;AANgBuC;AAQT,SAASI,iBAAiB5C,KAAW;AAC1C,MAAI,CAACA,KAAK;AACR,UAAM,IAAIb,MAAM6C,gCAAWa,UAAU;EACvC;AACA,QAAMH,QAAQ1C,IAAI0C,MAAM,GAAA;AACxB,MAAIA,MAAMI,UAAU,KAAK9C,IAAI8C,SAAS,GAAG;AACvC,WAAO9C;EACT,WAAW,CAACA,IAAIuC,WAAW,MAAA,KAAWG,MAAMI,SAAS,GAAG;AACtD,UAAM,IAAI3D,MAAM6C,gCAAWa,UAAU;EACvC;AAEA,SAAOH,MAAM,CAAA;AACf;AAZgBE;AAkBT,SAASG,4BAA4BC,aAAmB;AAC7D,MAAIC,SAASD;AACb,MAAI,CAACA,YAAYT,WAAW,MAAA,GAAS;AACnCU,aAAS,SAASD;EACpB;AACA,QAAMN,QAAQO,OAAOP,MAAM,GAAA;AAC3B,SAAO,GAAGA,MAAM,CAAA,CAAE,IAAIA,MAAM,CAAA,CAAE;AAChC;AAPgBK;;;AE5RhB,IAAAG,wBAAyE;AACzE,4BAA4C;AAC5C,0BAA6G;AAMtG,SAASC,YAAYC,MAAiB;AAC3C,MAAIA,QAAQ,OAAOA,KAAKC,aAAa,UAAU;AAC7C,WAAOD,KAAKC;EACd;AACA,MAAI,CAACD,QAAQ,CAACA,KAAKE,6BAA6B;AAC9C,QAAIF,MAAMG,6BAA6B;AACrC,YAAMC,MAAM,6HAA6H;IAC3I;AACAC,YAAQC,IACN,qJAAqJ;AAEvJ,WAAO,IAAIC,kCAAAA;EACb;AAEA,QAAMC,eAEA,CAAA;AACN,MAAIR,KAAKE,4BAA4BO,QAAQC,4CAAsBC,GAAG,MAAM,IAAI;AAC9E,UAAMC,qBAAqBZ,KAAKE,4BAA4BW,OAAO,CAACC,QAAQA,IAAIC,SAAS,MAAA,CAAA;AACzF,QAAI,CAACH,mBAAmBI,QAAQ;AAC9B,YAAM,IAAIZ,MAAM,sBAAA;IAClB;AACA,eAAWa,aAAaL,oBAAoB;AAC1C,YAAMM,kBAAcC,sCAAeC,iBAAiBH,SAAAA,GAAY;QAAEI,YAAYrB,KAAKqB;MAAW,CAAA;AAC9Fb,mBAAac,KAAKJ,WAAAA;IACpB;AACA,WAAO,IAAIK,6BAAAA,GAAYf,YAAAA;EACzB,OAAO;AACL,QAAIR,MAAMG,6BAA6B;AACrC,YAAMC,MAAM,6HAA6H;IAC3I;AACAC,YAAQC,IACN,qJAAqJ;AAEvJ,WAAO,IAAIC,kCAAAA;EACb;AACF;AApCgBR;AAiDT,SAASyB,iBACdC,gBACAvB,6BACAwB,aAAoC;AAEpC,MAAID,gBAAgB;AAClB,WAAOA;EACT;AACA,QAAME,mBAA+BF,iBAAiBA,iBAAiB,IAAIlB,kCAAAA;AAC3E,QAAMC,eAEA,CAAA;AACN,QAAMoB,eAAyB,CAAA;AAC/B,MAAI1B,6BAA6B;AAC/B,WAAOA,gCAAgC,WACnC0B,aAAaN,KAAKpB,2BAAAA,IAClB0B,aAAaN,KAAI,GAAIpB,2BAAAA;EAC3B;AACA,MAAI0B,aAAanB,QAAQoB,wDAAkClB,IAAImB,QAAO,CAAA,MAAQ,IAAI;AAChF,WAAOL,iBAAiBA,iBAAiB,IAAIlB,kCAAAA;EAC/C;AACA,QAAMK,qBAAqBgB,aAAaf,OAAO,CAACC,QAAQ,CAAC,CAACA,OAAOA,IAAIiB,WAAW,MAAA,CAAA;AAChFnB,qBAAmBoB,QAAQ,CAACC,OAAAA;AAC1B,QAAIC;AACJ,QAAI,CAACR,YAAYS,IAAIF,EAAAA,KAAOP,YAAYU,IAAIH,EAAAA,MAAQ,MAAM;AACxDC,2BAAiBf,sCAAeC,iBAAiBa,EAAAA,CAAAA;AACjD,UAAIC,gBAAgB;AAClB1B,qBAAac,KAAKY,cAAAA;MACpB;IACF,OAAO;AACLA,uBAAiBR,YAAYU,IAAIH,EAAAA;AACjC,UAAIC,gBAAgB;AAClB1B,qBAAac,KAAK;UAAE,CAACW,EAAAA,GAAKC,eAAeG;QAAQ,CAAA;MACnD;IACF;EACF,CAAA;AACA,SAAOT,aAAanB,QAAQoB,wDAAkClB,IAAImB,QAAO,CAAA,MAAQ,KAC7E,IAAIP,6BAAAA,GAAY;IAAEI;IAAkB,GAAGnB;EAAa,CAAA,IACpD,IAAIe,6BAAAA,GAAYf,YAAAA;AACtB;AAvCgBgB;AAyCT,SAASc,mBAAmBpC,6BAAgDqC,WAAkC;AACnH,MAAI,CAACC,MAAMC,QAAQvC,2BAAAA,GAA8B;AAC/CA,kCAA8B;MAACA;;EACjC;AACA,QAAMwC,0BAA0B,oBAAIC,IAAAA;AACpCzC,8BAA4B8B,QAAQ,CAAClB,QAAQ4B,wBAAwBE,IAAI9B,GAAAA,CAAAA;AACzEyB,YAAUP,QAAQ,CAACa,GAAG5B,cAAcyB,wBAAwBE,IAAIE,4BAA4B7B,SAAAA,CAAAA,CAAAA;AAC5F,SAAOuB,MAAMO,KAAKL,uBAAAA;AACpB;AARgBJ;AAUhB,eAAsBU,mBAAmBC,KAAajD,MAAkB;AAEtE,QAAMkD,SAAS,MAAMnD,YAAY;IAAE,GAAGC;EAAK,CAAA,EAAGqC,QAAQY,KAAK;IAAEE,QAAQ;EAA0B,CAAA;AAC/F,MAAID,QAAQE,uBAAuBC,OAAO;AACxC,UAAMjD,MAAM8C,OAAOE,sBAAsBC,KAAK;EAChD;AAGA,MAAI,CAACH,OAAOI,eAAeJ,OAAOK,IAAI;AAEpC,WAAOL;EACT;AACA,SAAOA,OAAOI;AAChB;AAbsBN;;;AC5GtB,mCAAgH;;;ACKzG,IAAKQ,oBAAAA,yBAAAA,oBAAAA;;;;SAAAA;;AAwCL,IAAKC,mBAAAA,yBAAAA,mBAAAA;;;SAAAA;;;;ADrCZ,SAASC,2BAA2BC,kBAA0C;AAC5E,QAAMC,WAAW,CAAA;AACjB,MAAID,iBAAiBE,SAAS;AAC5BD,aAASE,KAAKH,iBAAiBE,OAAO;EACxC;AACA,MAAIF,kBAAkBI,qBAAqBC,QAAQ;AACjD,eAAWC,sBAAsBN,iBAAiBI,qBAAqB;AACrE,UAAIE,mBAAmBJ,SAAS;AAC9BD,iBAASE,KAAKG,mBAAmBJ,OAAO;MAC1C;AACA,UAAII,mBAAmBC,WAAW;AAChC,mBAAWC,YAAYF,mBAAmBC,WAAW;AACnD,cAAIC,SAASN,SAAS;AACpBD,qBAASE,KAAKK,SAASN,OAAO;UAChC;QACF;MACF;IACF;EACF;AACA,SAAOD;AACT;AApBSF;AA2BT,SAASU,qBAAqBC,yBAAiC;AAC7D,MAAI,CAACA,2BAA2B,CAACA,wBAAwBL,QAAQ;AAC/D,WAAO;MAAEM,QAAQ;MAAOT,SAAS;IAA4B;EAC/D;AACA,QAAMU,gBAA0B;IAC9BC,uCAAUC,kEAAkEC,QAAO;IACnFF,uCAAUG,iCAAiCD,QAAO;IAClDF,uCAAUI,8CAA8CF,QAAO;IAC/DF,uCAAUK,6BAA6BH,QAAO;;AAEhD,aAAWI,0BAA0BT,yBAAyB;AAC5D,QAAI,CAACE,cAAcQ,OAAO,CAACC,OAAOF,uBAAuBG,SAASD,EAAAA,CAAAA,EAAKE,IAAG,GAAI;AAC5E,aAAO;QAAEZ,QAAQ;QAAOT,SAASiB;MAAuB;IAC1D;EACF;AACA,SAAO;IAAER,QAAQ;EAAK;AACxB;AAhBSF;AAkBT,eAAsBe,4BAA4BC,KAAaC,cAAyD;AACtH,QAAM,EAAEC,mBAAmBC,aAAaC,2BAA0B,IAAKH;AACvE,MAAIC,sBAAsBG,kBAAkBC,OAAO;AACjD;EACF;AACA,QAAMC,cAAc,MAAMC,mBAAmBR,KAAK;IAChD,GAAGG;IACHM,6BAA6B;MAACC,4BAA4BC,iBAAiBX,GAAAA,CAAAA;;EAC7E,CAAA;AACA,MAAI,CAACO,aAAa;AAChB,UAAMK,MAAM,0BAA0BZ,GAAAA,EAAK;EAC7C;AACA,OAAK,CAACO,YAAYM,WAAW,CAACN,YAAYM,QAAQC,KAAK,CAACC,MAAMA,EAAEC,SAAS,eAAA,MAAqBd,sBAAsBG,kBAAkBY,YAAY;AAEhJ;EACF;AACA,MAAI;AACF,QAAI,CAACb,4BAA4B;AAC/B,aAAOc,QAAQC,OAAOP,MAAM,8DAAA,CAAA;IAC9B;AACA,UAAMrC,mBAAmB,MAAM6C,kBAAkB;MAAEb;MAAac,gBAAgBjB;IAA2B,CAAA;AAC3G,QAAI7B,iBAAiBW,WAAWoC,kDAAqBC,SAAS;AAC5D,YAAMtC,0BAA0BX,2BAA2BC,gBAAAA;AAC3D,YAAMiD,mBAA0DxC,qBAAqBC,uBAAAA;AACrF,UAAIiB,sBAAsBG,kBAAkBoB,UAAWvB,sBAAsBG,kBAAkBY,cAAc,CAACO,iBAAiBtC,QAAS;AACtI,cAAM,IAAI0B,MAAMY,iBAAiB/C,UAAU+C,iBAAiB/C,UAAUQ,wBAAwB,CAAA,CAAE;MAClG;IACF;EACF,SAASyC,KAAU;AACjB,UAAMF,mBAA0DxC,qBAAqB;MAAC0C,IAAIjD;KAAQ;AAClG,QAAIyB,sBAAsBG,kBAAkBoB,UAAWvB,sBAAsBG,kBAAkBY,cAAc,CAACO,iBAAiBtC,QAAS;AACtI,YAAM,IAAI0B,MAAMc,IAAIjD,OAAO;IAC7B;EACF;AACF;AAlCsBsB;AAyCtB,eAAeqB,kBAAkBO,MAA2B;AAC1D,QAAMC,WAAW,IAAIC,kDAAqB;IACxCC,yBAAyBH,KAAKN;IAC9BU,sBAAsB;EACxB,CAAA;AACA,SAAO,MAAMH,SAASI,oBAAoB;IAAEzB,aAAaoB,KAAKpB;EAAY,CAAA;AAC5E;AANea;;;AEvFR,IAAMa,sBAAsB,8BACjCC,aACAC,KACAC,YAAAA;AAKA,MAAIF,YAAYG,WAAW,OAAO;AAChC,UAAMC,WAAWF,SAASG,cAAcC,aAAaC,eAAeH,YAAYI,YAAYP,IAAIQ,GAAG;AAEnG,UAAMC,aAAaT,IAAIQ,KAAKP,QAAQS,UAAU;MAAE,GAAGT,QAAQG,cAAcC,aAAaC;MAAeH;IAAS,CAAA;AAE9G,QAAIJ,YAAYY,SAAS,oBAAqBX,IAAIY,QAAgDC,WAAWC,WAAW,MAAA,GAAS;AAC/H,YAAMC,8BAA8Bf,IAAIY;AACxC,UAAIX,QAAQG,cAAcY,qBAAqBf,QAAQG,aAAaY,qBAAqBC,kBAAkBC,OAAO;AAChH,YAAI,CAACH,4BAA4BF,WAAW;AAC1C,iBAAOM,QAAQC,OAAOC,MAAM,oDAAA,CAAA;QAC9B;AACA,cAAMC,4BAA4BP,4BAA4BF,WAAWZ,QAAQG,YAAY;MAC/F,WAAW,CAACH,QAAQG,cAAcY,qBAAqBf,QAAQG,aAAamB,4BAA4B;AACtG,YAAI,CAACR,4BAA4BF,WAAW;AAC1C,iBAAOM,QAAQC,OAAOC,MAAM,oDAAA,CAAA;QAC9B;AACA,cAAMC,4BAA4BP,4BAA4BF,WAAWZ,QAAQG,YAAY;MAC/F;IACF;AAEA,QAAIL,YAAYY,SAAS,YAAY;AACnC,YAAMa,YAAYC,qBAAqBzB,IAAIY,OAAO;AAClD,UAAIX,QAAQG,cAAcY,qBAAqBf,QAAQG,aAAaY,qBAAqBC,kBAAkBC,OAAO;AAChH,cAAMI,4BAA4BE,WAAWvB,QAAQG,YAAY;MACnE,WAAW,CAACH,QAAQG,cAAcY,qBAAqBf,QAAQG,aAAamB,4BAA4B;AACtG,cAAMD,4BAA4BE,WAAWvB,QAAQG,YAAY;MACnE;IACF;AAEA,WAAO;EACT;AAEA,QAAM,IAAIiB,MAAM,qDAAA;AAClB,GAzCmC;AA2C5B,IAAMK,sBAAsB,8BACjCC,WACAC,WACA5B,QAAAA;AAEA,MAAI4B,UAAU1B,WAAW,OAAO;AAC9B,UAAM2B,SAASD,UAAUE,OAAOC,MAAM,GAAA,EAAK,CAAA;AAC3C/B,QAAIY,QAAQiB,SAASA;AACrB,QAAID,UAAUjB,SAAS,kBAAkB;AACvC,aAAO,MAAMqB,yBAAyBhC,IAAIY,SAAiCe,SAAAA;IAC7E,WAAWC,UAAUjB,SAAS,YAAY;AACxC,aAAO,MAAMsB,mBAAmBjC,IAAIY,SAA2Be,SAAAA;IACjE;EACF;AACA,QAAM,IAAIN,MAAM,qDAAA;AAClB,GAfmC;","names":["isInternalSignature","object","isExternalSignature","isSuppliedSignature","verifyDidJWT","jwt","resolver","options","verifyJWT","createDidJWT","payload","issuer","signer","expiresIn","canonicalize","header","createJWT","signIDTokenPayload","signature","isInternalSignature","kid","Promise","reject","Error","signDidJwtInternal","hexPrivateKey","alg","customJwtSigner","isExternalSignature","signDidJwtExternal","signatureUri","authZToken","isSuppliedSignature","signDidJwtSupplied","signRequestObjectPayload","iss","did","sub","determineSigner","DEFAULT_EXPIRATION_TIME","body","includes","selfIssued","ResponseIss","SELF_ISSUED_V2","undefined","response","post","JSON","stringify","bearerToken","successBody","jws","customSigner","privateKey","hexToBytes","replace","SigningAlgo","EDDSA","EdDSASigner","ES256","ES256Signer","ES256K","ES256KSigner","PS256","RS256","getAudience","decodeJWT","SIOPErrors","NO_AUDIENCE","aud","Array","isArray","INVALID_AUDIENCE","assertIssSelfIssuedOrDid","startsWith","isIssSelfIssued","getSubDidFromPayload","split","SELF_ISSUED_V1","getMethodFromDid","BAD_PARAMS","length","toSIOPRegistrationDidMethod","didOrMethod","prefix","import_did_auth_siop","getResolver","opts","resolver","subjectSyntaxTypesSupported","noUniversalResolverFallback","Error","console","log","UniResolver","uniResolvers","indexOf","SubjectIdentifierType","DID","specificDidMethods","filter","sst","includes","length","didMethod","uniResolver","getUniResolver","getMethodFromDid","resolveUrl","push","Resolver","getResolverUnion","customResolver","resolverMap","fallbackResolver","subjectTypes","SubjectSyntaxTypesSupportedValues","valueOf","startsWith","forEach","dm","methodResolver","has","get","resolve","mergeAllDidMethods","resolvers","Array","isArray","unionSubjectSyntaxTypes","Set","add","_","toSIOPRegistrationDidMethod","from","resolveDidDocument","did","result","accept","didResolutionMetadata","error","didDocument","id","CheckLinkedDomain","VerificationMode","getValidationErrorMessages","validationResult","messages","message","push","endpointDescriptors","length","endpointDescriptor","resources","resource","checkInvalidMessages","validationErrorMessages","status","validMessages","WDCErrors","PROPERTY_LINKED_DIDS_DOES_NOT_CONTAIN_ANY_DOMAIN_LINK_CREDENTIALS","valueOf","PROPERTY_LINKED_DIDS_NOT_PRESENT","PROPERTY_TYPE_NOT_CONTAIN_VALID_LINKED_DOMAIN","PROPERTY_SERVICE_NOT_PRESENT","validationErrorMessage","filter","vm","includes","pop","validateLinkedDomainWithDid","did","verification","checkLinkedDomain","resolveOpts","wellknownDIDVerifyCallback","CheckLinkedDomain","NEVER","didDocument","resolveDidDocument","subjectSyntaxTypesSupported","toSIOPRegistrationDidMethod","getMethodFromDid","Error","service","find","s","type","IF_PRESENT","Promise","reject","checkWellKnownDid","verifyCallback","ValidationStatusEnum","INVALID","messageCondition","ALWAYS","err","args","verifier","WellKnownDidVerifier","verifySignatureCallback","onlyVerifyServiceDid","verifyDomainLinkage","verfiyDidJwtAdapter","jwtVerifier","jwt","options","method","audience","verification","resolveOpts","jwtVerifyOpts","getAudience","raw","verifyDidJWT","resolver","type","payload","client_id","startsWith","authorizationRequestPayload","checkLinkedDomain","CheckLinkedDomain","NEVER","Promise","reject","Error","validateLinkedDomainWithDid","wellknownDIDVerifyCallback","issuerDid","getSubDidFromPayload","createDidJwtAdapter","signature","jwtIssuer","issuer","didUrl","split","signRequestObjectPayload","signIDTokenPayload"]}