import * as _sphereon_ssi_types from '@sphereon/ssi-types';
import { HasherSync, Loggers } from '@sphereon/ssi-types';
import * as jwt_decode from 'jwt-decode';
import { JwtHeader as JwtHeader$1, JwtPayload as JwtPayload$1 } from 'jwt-decode';
export { v4 as uuidv4 } from 'uuid';
/** Digest algorithms accepted by the JWK thumbprint helpers (calculateJwkThumbprint / calculateJwkThumbprintUri). */
type DigestAlgorithm = 'sha256' | 'sha384' | 'sha512';
/**
 * Public JWK members shared by the key types handled here.
 *
 * `kty` identifies the key type; `crv`, `x` and `y` belong to EC/OKP keys,
 * `e` and `n` to RSA keys. Every member is optional at the type level, so a
 * consumer must check that the members required for the given `kty` are
 * actually present before using the key.
 */
interface BaseJWK {
  kty?: string;
  crv?: string;
  x?: string;
  y?: string;
  e?: string;
  n?: string;
}
/**
 * Full JSON Web Key shape: the public members from BaseJWK plus the optional
 * metadata and certificate members.
 *
 * NOTE(review): `d`, `p`, `q`, `dp`, `dq`, `qi`, `oth` and `k` are private /
 * symmetric key parameters. A JWK carrying any of them must never be placed in
 * a JWT header (`jwk`), a JWKS document or a DPoP proof; strip them before
 * publishing. The trailing index signature admits arbitrary extra members typed
 * as `unknown`, so unknown members need narrowing before use.
 */
interface JWK extends BaseJWK {
  alg?: string;
  d?: string;
  dp?: string;
  dq?: string;
  ext?: boolean;
  k?: string;
  key_ops?: string[];
  kid?: string;
  oth?: Array<{
    d?: string;
    r?: string;
    t?: string;
  }>;
  p?: string;
  q?: string;
  qi?: string;
  use?: string;
  // Certificate chain (base64 DER) and its SHA-1 / SHA-256 thumbprints, or a URL to the chain.
  x5c?: string[];
  x5t?: string;
  'x5t#S256'?: string;
  x5u?: string;
  [propName: string]: unknown;
}
/** A JWK Set: the `keys` array as served from a `jwks_uri` or embedded in client metadata. */
type JWKS = {
  keys: JWK[];
};
/**
 * JWT protected header as used throughout this module: the jwt-decode header
 * type widened with the members the verifier lookup relies on, plus an open
 * `Record<string, unknown>` for any other header parameter.
 *
 * NOTE(review): `jwk`, `x5c` and `kid` are written by whoever minted the token.
 * Key material taken from the header is untrusted input until it has been bound
 * to the expected issuer (DID document, trusted certificate chain, expected
 * thumbprint); it must not be used to verify the signature on its own.
 */
type JwtHeader = JwtHeader$1 & {
  alg?: string;
  x5c?: string[];
  kid?: string;
  jwk?: JWK;
  jwt?: string;
} & Record<string, unknown>;
/**
 * JWT payload: the registered claims from jwt-decode plus the OpenID-style
 * claims this module reads (`client_id`, `nonce`, `request_uri`), with an open
 * record for all other claims.
 */
type JwtPayload = JwtPayload$1 & {
  client_id?: string;
  nonce?: string;
  request_uri?: string;
} & Record<string, unknown>;
/**
 * JWS signing algorithms this module knows by name. It is a string enum, so
 * the values are the literal `alg` header values. Note that the unsigned
 * `none` algorithm is intentionally absent; the `alg` fields elsewhere are
 * typed `SigningAlgo | string`, so any accept-list built on this enum should
 * be explicit rather than "anything the header says".
 */
declare enum SigningAlgo {
  EDDSA = "EdDSA",
  RS256 = "RS256",
  PS256 = "PS256",
  ES256 = "ES256",
  ES256K = "ES256K"
}
/**
 * Computes the JWK thumbprint (RFC 7638) of `jwk` using `digestAlgorithm`.
 * The default digest when the argument is omitted is not visible in this
 * declaration; presumably `sha256` — confirm against the implementation.
 *
 * @param jwk - Public key to hash; only the required public members contribute.
 * @param digestAlgorithm - Hash to use, one of DigestAlgorithm.
 * @returns The base64url-encoded thumbprint.
 */
declare function calculateJwkThumbprint(jwk: JWK, digestAlgorithm?: DigestAlgorithm): Promise<string>;
/**
 * Extracts the digest algorithm encoded in a JWK thumbprint URI.
 *
 * @param uri - A thumbprint URI as produced by calculateJwkThumbprintUri.
 * @returns The DigestAlgorithm named in the URI.
 */
declare function getDigestAlgorithmFromJwkThumbprintUri(uri: string): Promise<DigestAlgorithm>;
/**
 * Computes the thumbprint of `jwk` and wraps it in a JWK thumbprint URI
 * (presumably the `urn:ietf:params:oauth:jwk-thumbprint:<digest>:<thumbprint>`
 * form of RFC 9278 — confirm against the implementation).
 *
 * @param jwk - Public key to hash.
 * @param digestAlgorithm - Hash to use, one of DigestAlgorithm.
 * @returns The thumbprint URI.
 */
declare function calculateJwkThumbprintUri(jwk: JWK, digestAlgorithm?: DigestAlgorithm): Promise<string>;
/** The role a JWT plays in the protocol; used by verifiers to pick the right claim checks. */
type JwtType = 'id-token' | 'request-object' | 'verifier-attestation' | 'dpop';
/** How the signing key of a JWT is located / bound to its issuer. */
type JwtProtectionMethod = 'did' | 'x5c' | 'jwk' | 'openid-federation' | 'custom';
/**
 * Splits a compact JWT into its decoded header and payload.
 *
 * This is decoding only: the function takes no key or verifier, so the
 * signature is NOT verified and the returned objects are untrusted until a
 * verifier has run. The type parameters only shape the result; nothing
 * validates that the decoded JSON actually matches `Header` / `Payload`.
 *
 * @param jwt - Compact-serialized JWT.
 * @returns The decoded header and payload.
 */
declare function parseJWT<Header = JwtHeader, Payload = JwtPayload>(jwt: string): {
  header: NonNullable<Header>;
  payload: NonNullable<Payload>;
};
/**
 * Returns a clock-skew window around `now`: `nowSkewedPast` for checks where
 * a slow local clock must be tolerated and `nowSkewedFuture` for a fast one.
 * Units are presumably unix seconds, consistent with epochTime() — confirm.
 *
 * @param now - Reference time; defaults are not visible in this declaration.
 * @param skewTime - Allowed skew in the same unit as `now`.
 */
declare function getNowSkewed(now?: number, skewTime?: number): {
  nowSkewedPast: number;
  nowSkewedFuture: number;
};
/**
 * Returns the current unix timestamp in seconds (the unit used by `exp`,
 * `iat` and the DPoP `iat` claim in this module).
 */
declare function epochTime(): number;
/** Regular expression matching a base64url-encoded string (the alphabet of JWT segments). */
declare const BASE64_URL_REGEX: RegExp;
/** Structural check: does the string look like a JWS (compact JWS segment layout)? Not a signature check. */
declare const isJws: (jws: string) => boolean;
/** Structural check: does the string look like a JWE (compact JWE segment layout)? Not a decryption attempt. */
declare const isJwe: (jwe: string) => boolean;
/**
 * Decodes the protected header of a compact JWT without verifying it
 * (jwt-decode semantics; no key is involved). Use the result only to decide
 * which verifier to run, never as a trusted value.
 */
declare const decodeProtectedHeader: (jwt: string) => jwt_decode.JwtHeader;
/** Decodes the payload of a compact JWT without verifying the signature. */
declare const decodeJwt: (jwt: string) => JwtPayload;
/**
 * Expiration check for an `exp` claim.
 *
 * @param input.exp - Expiration time from the token.
 * @param input.now - Reference time; presumably epochTime() when omitted — confirm.
 * @param input.clockSkew - Tolerated skew, same unit as `exp`.
 * @returns `true` when the token is still valid (not expired).
 */
declare const checkExp: (input: {
  exp: number;
  now?: number;
  clockSkew?: number;
}) => boolean;
/**
 * Common part of every issuer description handed to a CreateJwtCallback.
 * `method` is the discriminant of the JwtIssuer union.
 */
interface JwtIssuerBase {
  method: JwtProtectionMethod;
  /**
   * Additional, implementation-specific options for the issuance context.
   */
  options?: Record<string, unknown>;
}
/**
 * Issuer that signs with a key resolvable from a DID.
 * `didUrl` names the verification method (DID URL); `alg` is the JWS algorithm
 * to use (typed as `SigningAlgo | string`, so not restricted at compile time).
 */
interface JwtIssuerDid extends JwtIssuerBase {
  method: 'did';
  didUrl: string;
  alg: SigningAlgo | string;
}
/**
 * Issuer that signs with a key bound to an X.509 certificate chain carried in
 * the `x5c` header.
 */
interface JwtIssuerX5c extends JwtIssuerBase {
  method: 'x5c';
  alg: SigningAlgo | string;
  /**
   * Array of base64-encoded certificate strings in DER format.
   *
   * The certificate containing the public key corresponding to the key used to
   * digitally sign the JWS MUST be the first certificate.
   */
  x5c: Array<string>;
  /**
   * The issuer of the JWT.
   *
   * This value is used as the `iss` claim of the issued JWT.
   * It is also used as the `client_id`, and is set as the `redirect_uri`.
   *
   * It must match a dNSName / uniformResourceIdentifier SAN entry of the leaf
   * certificate in `x5c`.
   */
  issuer: string;
}
/**
 * Issuer that signs with a bare JWK (no DID or certificate binding).
 * The key is expected to be echoed in the `jwk` header; only its public
 * members belong there.
 */
interface JwtIssuerJwk extends JwtIssuerBase {
  method: 'jwk';
  alg: SigningAlgo | string;
  jwk: JWK;
}
/** Issuer whose key handling is entirely up to the CreateJwtCallback implementation. */
interface JwtIssuerCustom extends JwtIssuerBase {
  method: 'custom';
}
/** Discriminated union of issuer descriptions; switch on `method`. */
type JwtIssuer = JwtIssuerDid | JwtIssuerX5c | JwtIssuerJwk | JwtIssuerCustom;
/** Adds the protocol role (`type`) of the JWT being created to an issuer description. */
interface JwtIssuanceContextBase {
  type: string;
}
/**
 * Signing callback supplied by the application. It receives the issuer
 * description (which carries the key reference and `alg`) together with the
 * header and payload to sign, and resolves to the signed JWT (presumably in
 * compact serialization — confirm against callers).
 */
type CreateJwtCallback<T extends JwtIssuer & JwtIssuanceContextBase> = (jwtIssuer: T, jwt: {
  header: JwtHeader;
  payload: JwtPayload;
}) => Promise<string>;
/**
 * Common part of every verifier description: the JWT's protocol role and the
 * key-binding method (discriminant of the JwtVerifier union).
 */
interface JwtVerifierBase {
  type: JwtType;
  method: JwtProtectionMethod;
}
/** Verify against the verification method at `didUrl`; `alg` is the header's algorithm. */
interface DidJwtVerifier extends JwtVerifierBase {
  method: 'did';
  alg: SigningAlgo | string;
  didUrl: string;
}
/**
 * Verify against the certificate chain carried in the token's `x5c` header.
 *
 * NOTE(review): because `x5c` comes from the token itself, the callback that
 * consumes this description must validate the chain to a trusted anchor and
 * check that `issuer` matches the leaf; a chain that merely signs itself
 * proves nothing.
 */
interface X5cJwtVerifier extends JwtVerifierBase {
  method: 'x5c';
  alg: SigningAlgo | string;
  /**
   * Array of base64-encoded certificate strings in DER format.
   *
   * The certificate containing the public key corresponding to the key used to
   * digitally sign the JWS MUST be the first certificate.
   */
  x5c: Array<string>;
  /**
   * The JWT issuer, expected to match the leaf certificate.
   */
  issuer: string;
}
/** Verify via OpenID Federation trust resolution for the given entity. */
interface OpenIdFederationJwtVerifier extends JwtVerifierBase {
  method: 'openid-federation';
  /**
   * The OpenID Federation entity identifier whose keys are to be resolved.
   */
  entityId: string;
}
/**
 * Verify with the JWK given here (typically taken from the token's `jwk`
 * header). The key must still be bound to something the caller trusts, e.g.
 * a DPoP `jkt` or an expected thumbprint; on its own it only proves
 * possession of the key that signed the token.
 */
interface JwkJwtVerifier extends JwtVerifierBase {
  method: 'jwk';
  alg: SigningAlgo | string;
  jwk: JWK;
}
/** Verifier whose key lookup is entirely up to the VerifyJwtCallbackBase implementation. */
interface CustomJwtVerifier extends JwtVerifierBase {
  method: 'custom';
}
/** Discriminated union of verifier descriptions; switch on `method`. */
type JwtVerifier = DidJwtVerifier | X5cJwtVerifier | CustomJwtVerifier | JwkJwtVerifier | OpenIdFederationJwtVerifier;
/**
 * Builds a DidJwtVerifier from an already decoded (not yet verified) JWT.
 * The `didUrl` / `alg` it returns are read from the header, so they are
 * attacker-controlled until the resulting verifier has run.
 */
declare const getDidJwtVerifier: (jwt: {
  header: JwtHeader;
  payload: JwtPayload;
}, options: {
  type: JwtType;
}) => DidJwtVerifier;
/**
 * Builds an X5cJwtVerifier from a decoded JWT, taking `x5c` from the header.
 * Which claim supplies `issuer` is not visible here — presumably `iss` or
 * `client_id` from the payload; confirm against the implementation.
 */
declare const getX5cVerifier: (jwt: {
  header: JwtHeader;
  payload: JwtPayload;
}, options: {
  type: JwtType;
}) => X5cJwtVerifier;
/**
 * Builds a JwkJwtVerifier from a decoded JWT. Asynchronous, unlike the two
 * above; presumably because the key may need to be resolved or validated —
 * confirm against the implementation.
 */
declare const getJwkVerifier: (jwt: {
  header: JwtHeader;
  payload: JwtPayload;
}, options: {
  type: JwtType;
}) => Promise<JwkJwtVerifier>;
/**
 * Selects and builds the verifier description for a decoded JWT, presumably
 * by inspecting which key-binding members the header carries (`x5c`, `jwk`,
 * `kid`). The selection is driven by untrusted header content; the accepted
 * methods should be constrained by the caller's verify callback.
 */
declare const getJwtVerifierWithContext: (jwt: {
  header: JwtHeader;
  payload: JwtPayload;
}, options: {
  type: JwtType;
}) => Promise<JwtVerifier>;
/**
 * Verification callback supplied by the application. It gets the verifier
 * description plus the decoded header/payload and the `raw` compact JWT (the
 * latter is what must be signature-checked), and resolves to `true` only when
 * the signature and the key binding described by `jwtVerifier` are valid.
 */
type VerifyJwtCallbackBase<T extends JwtVerifier> = (jwtVerifier: T, jwt: {
  header: JwtHeader;
  payload: JwtPayload;
  raw: string;
}) => Promise<boolean>;
/** OAuth error code (RFC 9449) an authorization server returns, with a `DPoP-Nonce` header, when a fresh nonce is required. */
declare const dpopTokenRequestNonceError = "use_dpop_nonce";
/**
 * Issuer description passed to the CreateJwtCallback when minting a DPoP
 * proof: a JWK issuer tagged with `type: 'dpop'`, optionally carrying the
 * server's advertised `dpop_signing_alg_values_supported`.
 */
interface DPoPJwtIssuerWithContext extends JwtIssuerJwk {
  type: 'dpop';
  dPoPSigningAlgValuesSupported?: string[];
}
/**
 * Claims of a DPoP proof JWT (RFC 9449 §4.2).
 */
type DPoPJwtPayloadProps = {
  /** Target URI of the request (scheme, host, path — no query or fragment). */
  htu: string;
  /** Creation time, unix seconds; bounded by DPoPVerifyOptions.maxIatAgeInSeconds. */
  iat: number;
  /** HTTP method of the request the proof is bound to. */
  htm: 'GET' | 'POST' | 'PUT' | 'DELETE' | 'HEAD' | 'OPTIONS' | 'TRACE' | 'CONNECT' | 'PATCH';
  /** base64url(SHA-256(access token)); required on resource requests that present an access token. */
  ath?: string;
  /** Server-provided nonce, when the server issued one (see dpopTokenRequestNonceError). */
  nonce?: string;
  /** Unique proof identifier; the server's replay detection keys on it. */
  jti: string;
};
/**
 * Header of a DPoP proof JWT: `typ` fixed to `dpop+jwt`, an asymmetric `alg`,
 * and the proof-of-possession public key in `jwk`. The `jwk` must contain the
 * public members only — never `d` or the other private parameters of JWK.
 */
type DPoPJwtHeaderProps = {
  typ: 'dpop+jwt';
  alg: SigningAlgo;
  jwk: JWK;
};
/**
 * Caller-supplied claims for createDPoP. `iat`, `jti` and `ath` are omitted
 * because the library fills them: `iat`/`jti` are generated, and `ath` is
 * presumably derived by hashing `accessToken` when it is given — confirm
 * against the implementation.
 */
type CreateDPoPJwtPayloadProps = Omit<DPoPJwtPayloadProps, 'iat' | 'jti' | 'ath'> & {
  accessToken?: string;
};
/**
 * Inputs for createDPoP.
 */
interface CreateDPoPOpts<JwtPayloadProps = CreateDPoPJwtPayloadProps> {
  /** Signs the proof; receives a DPoPJwtIssuerWithContext built from `jwtIssuer`. */
  createJwtCallback: CreateJwtCallback<DPoPJwtIssuerWithContext>;
  /** The JWK issuer (`alg`, `jwk`, `options`); `method` and `type` are filled in by the library. */
  jwtIssuer: Omit<JwtIssuerJwk, 'method' | 'type'>;
  /** Proof claims; the open record lets callers add claims beyond the RFC set. */
  jwtPayloadProps: Record<string, unknown> & JwtPayloadProps;
  /** Algorithms the server advertises; presumably used to validate `jwtIssuer.alg` — confirm. */
  dPoPSigningAlgValuesSupported?: (string | SigningAlgo)[];
}
/** Client-side variant of CreateDPoPOpts without `htm`/`htu`; getCreateDPoPOptions supplies those per request. */
type CreateDPoPClientOpts = CreateDPoPOpts<Omit<CreateDPoPJwtPayloadProps, 'htm' | 'htu'>>;
/**
 * Completes CreateDPoPClientOpts for one request: `htu` is presumably derived
 * from `endPointUrl` (the value of `htm` is not visible in this declaration —
 * confirm), and `resourceRequestOpts.accessToken` becomes the `accessToken`
 * from which `ath` is computed.
 *
 * @param createDPoPClientOpts - Per-client DPoP configuration.
 * @param endPointUrl - URL of the request the proof will be sent with.
 * @param resourceRequestOpts - Present for resource requests that carry an access token.
 * @returns Options ready for createDPoP.
 */
declare function getCreateDPoPOptions(createDPoPClientOpts: CreateDPoPClientOpts, endPointUrl: string, resourceRequestOpts?: {
  accessToken: string;
}): CreateDPoPOpts;
/**
 * Creates and signs a DPoP proof JWT via `options.createJwtCallback`.
 *
 * @returns The compact proof, to be sent in the `DPoP` request header.
 */
declare function createDPoP(options: CreateDPoPOpts): Promise<string>;
/**
 * Signature-verification callback for DPoP proofs. The verifier description it
 * receives is a JWK issuer tagged `type: 'dpop'`; the JWK is the one from the
 * proof's own header, so the callback proves key possession only — binding
 * that key to the access token is done by the caller of verifyDPoP.
 */
type DPoPVerifyJwtCallback = VerifyJwtCallbackBase<JwtIssuerJwk & {
  type: 'dpop';
}>;
/**
 * Checks applied by verifyDPoP / verifyResourceDPoP.
 *
 * NOTE(review): there is no option here for `jti` replay tracking; confirm
 * whether the implementation keeps a replay cache or whether the caller is
 * expected to de-duplicate `jti` values within the `maxIatAgeInSeconds` window.
 */
interface DPoPVerifyOptions {
  /** Nonce the server previously issued; the proof's `nonce` claim must equal it when set. */
  expectedNonce?: string;
  /** Allow-list for the proof's `alg` header; leaving it unset relies on the implementation's default. */
  acceptedAlgorithms?: (string | SigningAlgo)[];
  /** Maximum age of the `iat` claim, in seconds. */
  maxIatAgeInSeconds?: number;
  /** Whether an access token (and hence an `ath` claim) is required in the request. */
  expectAccessToken?: boolean;
  /** Performs the signature check. */
  jwtVerifyCallback: DPoPVerifyJwtCallback;
  /** Reference time for the age check (unix seconds); presumably epochTime() when omitted. */
  now?: number;
}
/**
 * Verifies the DPoP proof carried in `request.headers` against the request's
 * method and `fullUrl`, applying the checks in `options`.
 *
 * @param request - Headers plus the full request URL and HTTP method (`method` is the Fetch `Request` field).
 * @param options - See DPoPVerifyOptions.
 * @returns The public JWK from the proof header. The caller still has to bind
 *   this key to the access token (compare its thumbprint with the token's
 *   `cnf.jkt`, RFC 9449 §7.1); verifyDPoP cannot do that because it never
 *   sees the validated access token.
 */
declare function verifyDPoP(request: {
  headers: Record<string, string | string[] | undefined>;
  fullUrl: string;
} & Pick<Request, 'method'>, options: DPoPVerifyOptions): Promise<JWK>;
/**
 * DPoP verification for resource requests.
 *
 * For Bearer-token compatibility the access token JWT must carry a
 * `token_type` claim. The access token itself must already have been
 * validated before this method is called. If `token_type` is not `DPoP`, the
 * request is not a DPoP request, the proof is not verified and the result is
 * `undefined`.
 *
 * `expectAccessToken` is omitted from the options because a resource request
 * always carries the access token.
 *
 * @returns The proof's public JWK for a DPoP request, or `undefined` for a
 *   non-DPoP request. As with verifyDPoP, binding the returned key to the
 *   access token's `cnf.jkt` remains the caller's responsibility.
 */
declare function verifyResourceDPoP(request: {
  headers: Record<string, string | string[] | undefined>;
  fullUrl: string;
} & Pick<Request, 'method'>, options: Omit<DPoPVerifyOptions, 'expectAccessToken'>): Promise<JWK | undefined>;
/**
 * OAuth 2.0 Dynamic Client Registration metadata (RFC 7591 §2) as consumed here.
 *
 * NOTE(review): RFC 7591 defines `grant_types` and `response_types` as arrays
 * of strings, while this interface types them as a single `string`. Confirm
 * with callers whether a joined string is intended before relying on either.
 * Both `jwks_uri` and `jwks` may be present; RFC 7591 says they must not be
 * used together.
 */
interface DynamicRegistrationClientMetadata {
  redirect_uris?: string[];
  token_endpoint_auth_method?: string;
  grant_types?: string;
  response_types?: string;
  client_name?: string;
  client_uri?: string;
  logo_uri?: string;
  scope?: string;
  contacts?: string[];
  tos_uri?: string;
  policy_uri?: string;
  jwks_uri?: string;
  jwks?: JWKS;
  software_id?: string;
  software_version?: string;
}
/**
 * Decodes a base64 / base64url string and returns the bytes as lowercase hex.
 * The default for `encoding` is not visible here — confirm against the implementation.
 */
declare function base64ToHexString(input: string, encoding?: 'base64url' | 'base64'): string;
/** Decodes standard base64 to a string (text encoding of the result not visible here; presumably UTF-8). */
declare function fromBase64(base64: string): string;
/**
 * base64url-encodes anything that can render itself as base64 (e.g. a Node
 * `Buffer`); presumably converts the base64 alphabet and strips padding.
 */
declare function base64urlEncodeBuffer(buf: {
  toString: (arg0: 'base64') => string;
}): string;
/** Decodes base64url to a string. */
declare function base64urlToString(base64url: string): string;
/** Synchronous hasher used when a caller does not supply its own (e.g. for JWK thumbprints and `ath`). */
declare const defaultHasher: HasherSync;
/** Logger registry for the VCI packages. */
declare const VCI_LOGGERS: Loggers;
/** Logger for this common package. */
declare const VCI_LOG_COMMON: _sphereon_ssi_types.ISimpleLogger<unknown>;
export { BASE64_URL_REGEX, type BaseJWK, type CreateDPoPClientOpts, type CreateDPoPJwtPayloadProps, type CreateDPoPOpts, type CreateJwtCallback, type CustomJwtVerifier, type DPoPJwtHeaderProps, type DPoPJwtIssuerWithContext, type DPoPJwtPayloadProps, type DPoPVerifyJwtCallback, type DPoPVerifyOptions, type DidJwtVerifier, type DigestAlgorithm, type DynamicRegistrationClientMetadata, type JWK, type JWKS, type JwkJwtVerifier, type JwtHeader, type JwtIssuanceContextBase, type JwtIssuer, type JwtIssuerBase, type JwtIssuerCustom, type JwtIssuerDid, type JwtIssuerJwk, type JwtIssuerX5c, type JwtPayload, type JwtProtectionMethod, type JwtType, type JwtVerifier, type JwtVerifierBase, type OpenIdFederationJwtVerifier, SigningAlgo, VCI_LOGGERS, VCI_LOG_COMMON, type VerifyJwtCallbackBase, type X5cJwtVerifier, base64ToHexString, base64urlEncodeBuffer, base64urlToString, calculateJwkThumbprint, calculateJwkThumbprintUri, checkExp, createDPoP, decodeJwt, decodeProtectedHeader, defaultHasher, dpopTokenRequestNonceError, epochTime, fromBase64, getCreateDPoPOptions, getDidJwtVerifier, getDigestAlgorithmFromJwkThumbprintUri, getJwkVerifier, getJwtVerifierWithContext, getNowSkewed, getX5cVerifier, isJwe, isJws, parseJWT, verifyDPoP, verifyResourceDPoP };