@sphereon/ssi-sdk.ebsi-support

import * as _sphereon_ssi_types from '@sphereon/ssi-types'; import { W3CVerifiableCredential, PresentationSubmission } from '@sphereon/ssi-types'; import { IIdentifier, MinimalImportableKey, TKeyType, IService, IKey, IAgentContext, IKeyManager, IDIDManager, IPluginMethodMap, IResolver, IAgentPlugin } from '@veramo/core'; import { DiscoveryMetadataPayload, JWK } from '@sphereon/did-auth-siop'; import { RequestObjectOpts, OID4VCICredentialFormat } from '@sphereon/oid4vci-common'; import { PresentationDefinitionV2, Format } from '@sphereon/pex-models'; import { ManagedIdentifierDidResult, IIdentifierResolution, ManagedIdentifierDidOpts } from '@sphereon/ssi-sdk-ext.identifier-resolution'; import { IJwtService } from '@sphereon/ssi-sdk-ext.jwt-service'; import { CredentialRole, Party, IBasicCredentialLocaleBranding } from '@sphereon/ssi-sdk.data-store'; import { PrepareStartArgs, IssuanceOpts, IOID4VCIHolder, ErrorDetails, MappedCredentialToAccept } from '@sphereon/ssi-sdk.oid4vci-holder'; import { IPresentationExchange } from '@sphereon/ssi-sdk.presentation-exchange'; import { IDidAuthSiopOpAuthenticator } from '@sphereon/ssi-sdk.siopv2-oid4vp-op-auth'; import { _ExtendedIKey } from '@veramo/utils'; import { DIDDocument } from 'did-resolver'; import { AbstractIdentifierProvider } from '@veramo/did-manager'; /** * The type of the DID to be created * @readonly * @enum {string} */ type EbsiDIDType = 'NATURAL_PERSON' | 'LEGAL_ENTITY'; /** * The DID method to use * @readonly * @enum {string} */ type EbsiDIDPrefix = 'did:ebsi:' | 'did:key:'; /** * @typedef EbsiDidSpecInfo * @type {object} * @property {EbsiDIDType} type - The type of the DID * @property {EbsiDIDPrefix} method - The method of the DID * @property {number} version - The version of the specs * @property {number} didLength - The length of the DID * @property {number} privateKeyLength The private key length */ interface EbsiDidSpecInfo { type: EbsiDIDType; method: EbsiDIDPrefix; version?: number; didLength?: number; privateKeyLength?: number; } /** * A minimal importable key with restricted types to choose from and purposes of the public key * @typedef IKeyOpts * @extends MinimalImportableKey * @property {EbsiKeyType} type * @property {EbsiPublicKeyPurpose[]} purposes */ interface IKeyOpts extends WithRequiredProperty<Partial<MinimalImportableKey>, 'privateKeyHex'> { type?: EbsiKeyType; purposes?: EbsiPublicKeyPurpose[]; } type WithRequiredProperty<Type, Key extends keyof Type> = Type & { [Property in Key]-?: Type[Property]; }; type EbsiCreateIdentifierOpts = { methodSpecificId?: string; rpcId?: number; secp256k1Key?: IKeyOpts; secp256r1Key?: IKeyOpts; did?: string; keys?: IKeyOpts[]; executeLedgerOperation?: boolean; baseDocument?: string; notBefore?: number; notAfter?: number; accessTokenOpts: EbsiAccessTokenOpts; services?: IService[]; }; /** * @typedef ICreateIdentifierArgs * @type {object} * @property {string} kms - The kms to use * @property {string} alias - The alias of the DID * @property {EbsiDidSpecInfo} type * @property {string} options.methodSpecificId - method specific id for import * @property {IKeyOpts} secp256k1Key - The options to create the key * @property {IKeyOpts} secp256r1Key - The options to create the key */ interface ICreateIdentifierArgs { kms?: string; alias?: string; type?: EbsiDidSpecInfo; options: EbsiCreateIdentifierOpts; } /** * The Ebsi allowed key types - Secp256k1 and Secp256r1 * @readonly * @enum {string} */ type EbsiKeyType = Extract<TKeyType, 'Secp256k1' | 'Secp256r1'>; /** * The purpose of the public keys * @readonly * @enum {string} */ declare enum EbsiPublicKeyPurpose { Authentication = "authentication", AssertionMethod = "assertionMethod", CapabilityInvocation = "capabilityInvocation" } /** * @typedef UpdateIdentifierParams * @type {object} * @property {string} did - A DID * @property {Partial<DIDDocument>} document - The partial DID document * @property {{ [p: string]: any }} [options] - Any additional options */ type UpdateIdentifierParams = { did: string; document: Partial<DIDDocument>; options?: { [p: string]: any; }; }; /** * @typedef RpcOkResponse * @type {object} * @property {string} JSON_RPC_VERSION - Must be exactly "2.0" * @property {number} id - Same identifier established by the client in the call * @property {object} result - Result of the transaction */ type RpcOkResponse = { jsonrpc: string; id: number; result: any; }; type RpcErrorResponse = { jsonrpc: string; id: number; error: { code: number; message: string; }; }; type EbsiAccessTokenOpts = { attestationToOnboard?: W3CVerifiableCredential; attestationToOnboardCredentialRole: CredentialRole; jwksUri?: string; redirectUri: string; credentialIssuer: string; clientId: string; environment: EbsiEnvironment; }; /** * @typedef CreateEbsiDidParams * @type {object} * @property {Omit<IIdentifier, 'provider'>} identifier An identifier without the provider * @property {ManagedKeyInfo} secp256k1ManagedKeyInfo A Secp256k1 managed key * @property {ManagedKeyInfo} secp256r1ManagedKeyInfo A Secp256r1 managed key * @property {number} id A client created id * @property {string} from The wallet eth like address * @property {string} [baseDocument] The base DID document * @property {number} notBefore Date of issuance of the identifier * @property {number} notAfter Date of expiration of the identifier * @property {ApiOpts} [apiOpts] The EBSI API options */ type CreateEbsiDidParams = { identifier: IIdentifier; rpcId?: number; notBefore?: number; notAfter?: number; baseDocument?: string; accessTokenOpts: EbsiAccessTokenOpts; }; interface CreateEbsiDidOnLedgerResult { identifier: IIdentifier; addVerificationMethod: EbsiRPCResponse; insertDidDoc: EbsiRPCResponse; addAssertionMethodRelationship: EbsiRPCResponse; addAuthenticationRelationship: EbsiRPCResponse; } type EbsiRPCResponse = RpcOkResponse | (RpcErrorResponse & { nonce: string; }); declare class EbsiDidProvider extends AbstractIdentifierProvider { static readonly PROVIDER = "did:ebsi"; private readonly defaultKms?; private readonly apiOpts?; constructor(options: { defaultKms?: string; apiOpts?: ApiOpts; }); createIdentifier(args: ICreateIdentifierArgs, context: IRequiredContext): Promise<Omit<IIdentifier, 'provider'>>; addKey(args: { identifier: IIdentifier; key: IKey; options: { rpcId?: number; accessToken: string; vmRelationships: 'authentication' | 'assertionMethod' | 'keyAgreement' | 'capabilityInvocation' | 'capabilityDelegation'[]; apiOpts?: ApiOpts; }; }, context: IAgentContext<IKeyManager>): Promise<any>; addService(args: { identifier: IIdentifier; service: IService; options: { rpcId?: number; accessToken: string; apiOpts?: ApiOpts; }; }, context: IAgentContext<IKeyManager>): Promise<any>; deleteIdentifier(args: IIdentifier, context: IAgentContext<IKeyManager>): Promise<boolean>; removeKey(args: { identifier: IIdentifier; kid: string; options?: any; }, context: IAgentContext<IKeyManager>): Promise<any>; removeService(args: { identifier: IIdentifier; id: string; options?: any; }, context: IAgentContext<IKeyManager>): Promise<any>; updateIdentifier(args: UpdateIdentifierParams, context: IAgentContext<IKeyManager & IDIDManager>): Promise<IIdentifier>; } interface AttestationAuthRequestUrlResult extends Omit<Required<PrepareStartArgs>, 'issuanceOpt'> { issuanceOpt?: IssuanceOpts; authorizationCodeURL: string; identifier: ManagedIdentifierDidResult; authKey: _ExtendedIKey; } /** * The OpenID scope * @readonly * @enum {string} */ type EBSIScope = 'didr_write' | 'didr_invite' | 'tir_write' | 'tir_invite' | 'timestamp_write' | 'tnt_authorise' | 'tnt_create' | 'tnt_write' | 'did_authn'; declare enum TokenType { BEARER = "Bearer" } type EbsiEnvironment = 'pilot' | 'conformance' | 'conformance-test'; type EbsiApiVersion = 'v3' | 'v4' | 'v5'; type WellknownType = 'openid-credential-issuer' | 'openid-configuration'; type EbsiMock = 'issuer-mock' | 'auth-mock'; type EbsiSystem = 'authorisation' | 'conformance' | 'did-registry'; type ApiOpts = { environment?: EbsiEnvironment; version: EbsiApiVersion; }; type WellknownOpts = ApiOpts & { type: WellknownType; system?: EbsiSystem | EbsiEnvironment; mock?: EbsiMock; }; interface IEbsiSupport extends IPluginMethodMap { ebsiCreateDidOnLedger(args: CreateEbsiDidParams, context: IRequiredContext): Promise<CreateEbsiDidOnLedgerResult>; ebsiWellknownMetadata(args?: ApiOpts): Promise<GetOIDProviderMetadataResponse>; ebsiAuthorizationServerJwks(args?: ApiOpts): Promise<GetOIDProviderJwksResponse>; ebsiPresentationDefinitionGet(args: GetPresentationDefinitionArgs): Promise<GetPresentationDefinitionResponse>; ebsiAccessTokenGet(args: EBSIAuthAccessTokenGetArgs, context: IRequiredContext): Promise<GetAccessTokenResult>; ebsiCreateAttestationAuthRequestURL(args: CreateAttestationAuthRequestURLArgs, context: IRequiredContext): Promise<AttestationAuthRequestUrlResult>; ebsiGetAttestation(args: GetAttestationArgs, context: IRequiredContext): Promise<AttestationResult>; } /** * @typedef EbsiOpenIDMetadata * @type {object} * @property {(URL | string)} issuer URL using the https scheme with no query or fragment component that the OP asserts as its Issuer Identifier. MUST be identical to the iss Claim value in ID Tokens issued from this Issuer. * @property {(URL | string)} authorization_endpoint URL of the OP's OAuth 2.0 Authorization Endpoint. * @property {(URL | string)} token_endpoint URL of the OP's OAuth 2.0 Token Endpoint. * @property {(URL | string)} [presentation_definition_endpoint] URL of the OP's presentation definitions endpoint. Non-standard, used in EBSI * @property {(URL | string)} jwks_uri URL of the authorization server's JWK Set [JWK] document * @property {string[]} scopes_supported JSON array containing a list of the OAuth 2.0 [RFC6749] scope values that this server supports. (SIOP v2) * @property {string[]} response_types_supported JSON array containing a list of the OAuth 2.0 "response_type" values that this authorization server supports (SIOP v2) * @property {string[]} [response_mode_supported] JSON array containing a list of the OAuth 2.0 response_mode values that this OP supports * @property {string[]} [grant_types_supported] JSON array containing a list of the OAuth 2.0 grant type values that this authorization server supports. * @property {string[]} subject_types_supported JSON array containing a list of the Subject Identifier types that this OP supports. * @property {string[]} id_token_signing_alg_values_supported JSON array containing a list of the JWS signing algorithms (alg values) supported by the OP for the ID Token to encode the Claims in a JWT * @property {string[]} [request_object_signing_alg_values_supported] JSON array containing a list of the JWS signing algorithms (alg values) supported by the OP for Request Objects * @property {string[]} [request_parameter_supported] Boolean value specifying whether the OP supports use of the request parameter, with true indicating support * @property {string[]} [token_endpoint_auth_methods_supported] JSON array containing a list of client authentication methods supported by this token endpoint * @property {{ authorization_endpoint: string[] }} [request_authentication_methods_supported] A JSON Object defining the client authentications supported for each endpoint * @property {string[]} [vp_formats_supported] An object containing a list of key value pairs, where the key is a string identifying a credential format supported by the AS * @property {(URL[] | string[])} [subject_syntax_types_supported] A JSON array of strings representing URI scheme identifiers and optionally method names of supported Subject Syntax Types * @property {string[]} [subject_trust_frameworks_supported] A JSON array of supported trust frameworks. * @property {string[]} [id_token_types_supported] A JSON array of strings containing the list of ID Token types supported by the OP */ type EbsiOpenIDMetadata = DiscoveryMetadataPayload & { presentation_definition_endpoint?: URL | string; }; /** * JSON Web Key Set * @typedef GetOIDProviderJwksSuccessResponse * @property {JWK[]} keys */ interface GetOIDProviderJwksSuccessResponse { keys: JWK[]; } /** * @typedef GetPresentationDefinitionArgs * @type {object} * @property {EBSIScope} scope * @property {ApiOpts} [apiOpts] The environment and version of the API */ interface GetPresentationDefinitionArgs { scope: EBSIScope; apiOpts?: WellknownOpts; openIDMetadata?: EbsiOpenIDMetadata; } type CreateAttestationAuthRequestURLArgs = { credentialIssuer: string; credentialType: string; idOpts: ManagedIdentifierDidOpts; requestObjectOpts: RequestObjectOpts; clientId?: string; redirectUri?: string; formats?: Array<Extract<OID4VCICredentialFormat, 'jwt_vc' | 'jwt_vc_json'>>; }; type GetAttestationArgs = { clientId: string; authReqResult: AttestationAuthRequestUrlResult; opts?: { timeout: number; }; }; /** * Presentation Definition V2 * @typedef GetPresentationDefinitionSuccessResponse * @type {object} * @property {string} id A UUID or some other unique ID to identify this Presentation Definition * @property {string} [name] A name property is a human-friendly string intended to constitute a distinctive designation of the Presentation Definition. * @property {string} [purpose] It describes the purpose for which the Presentation Definition's inputs are being requested. * @property {Format} [format] What claim variants Verifiers and Holders support. * @property {SubmissionRequirement[]} [submission_requirements] List of requirements for described inputs in input descriptors. * @property {InputDescriptor[]} input_descriptors List of descriptions of the required inputs. * @property {object} [frame] a JSON LD Framing Document object. */ type GetPresentationDefinitionSuccessResponse = PresentationDefinitionV2 & { format?: Pick<Format, 'jwt_vc' | 'jwt_vc_json' | 'jwt_vp' | 'jwt_vp_json'>; }; /** * @typedef GetAccessTokenArgs * @type {object} * @property {string} grant_type MUST be set to "vp_token" * @property {string} vp_token Signed Verifiable Presentation. See also the VP Token schema definition. * @property {PresentationSubmission} presentation_submission Descriptor for the vp_token, linked by presentation_definition. See also the Presentation Definition schema. * @property {EBSIScope} scope Possible values: [openid didr_write, openid didr_invite, openid tir_write, openid tir_invite, openid timestamp_write, openid tnt_authorise, openid tnt_create, openid tnt_write] OIDC scope * @property {ApiOpts} [apiOpts] The environment and the version of the API */ interface GetAccessTokenArgs { grant_type?: string; vp_token: string; presentation_submission: PresentationSubmission; scope: EBSIScope; openIDMetadata?: EbsiOpenIDMetadata; apiOpts: ApiOpts; } type GetAccessTokenResult = { identifier: ManagedIdentifierDidResult; scope: EBSIScope; accessTokenResponse: GetAccessTokenSuccessResponse; }; /** * @typedef EBSIAuthAccessTokenGetArgs * @type {object} * @property {string} attestationCredential Verifiable Credential (Verifiable Authorisation to Onboard) JWT format // * @property {ScopeByDefinition} definitionId The presentation definition id * @property {string} [domain] The domain of the issuer * @property {string} did The did of the VP issuer * @property {string} kid kid in the format: did#kid * @property {EBSIScope} scope Needed to retrieve the authentication request * @property {ApiOpts} [apiOpts] The environment and the version of the API */ interface EBSIAuthAccessTokenGetArgs { clientId: string; credentialRole: CredentialRole; credentialIssuer?: string; attestationCredential?: W3CVerifiableCredential; allVerifiableCredentials?: W3CVerifiableCredential[]; redirectUri?: string; jwksUri: string; idOpts: ManagedIdentifierDidOpts; scope: EBSIScope; environment: EbsiEnvironment; skipDidResolution?: boolean; } /** * @typedef GetAccessTokenSuccessResponse * @type {object} * @property {string} access_token ^(([A-Za-z0-9\-_])+\.)([A-Za-z0-9\-_]+)(\.([A-Za-z0-9\-_]+)?$ The access token issued by the authorization server in JWS format. See also the "Access Token" schema definition * @property {TokenType} token_type Possible values: [Bearer]/MUST be Bearer * @property {number} [expires_in] Possible values: >= 1. The lifetime in seconds of the access token * @property {EBSIScope} scope Possible values: [openid didr_write, openid didr_invite, openid tir_invite, openid tir_write, openid timestamp_write, openid tnt_authorise, openid tnt_create, openid tnt_write] The scope of the access token * @property {string} id_token ^(([A-Za-z0-9\-_])+\.)([A-Za-z0-9\-_]+)(\.([A-Za-z0-9\-_]+)?$ ID Token value associated with the authenticated session. Presents client's identity. ID Token is issued in a JWS format. See also the "ID Token" schema definition. * @property {ApiOpts} apiOpts The environment and the version of the API */ interface GetAccessTokenSuccessResponse { access_token: string; token_type: TokenType; expires_in?: number; scope: EBSIScope; id_token: string; apiOpts: ApiOpts; } /** * @typedef ExceptionResponse * @type {object} * @property {(URL | string)} [type] An absolute URI that identifies the problem type. When dereferenced, it SHOULD provide human-readable documentation for the problem type. * @property {string} [title] A short summary of the problem type. * @property {number} [status] Possible values: >= 400 and <= 600. The HTTP status code generated by the origin server for this occurrence of the problem. * @property {string} [detail] A human readable explanation specific to this occurrence of the problem. * @property {(URL | string)} [instance] An absolute URI that identifies the specific occurrence of the problem. It may or may not yield further information if dereferenced. */ interface ExceptionResponse { type?: URL | string; title?: string; status?: number; detail?: string; instance?: URL | string; } type AttestationResult = { contactAlias: string; contact: Party; credentialBranding?: Record<string, Array<IBasicCredentialLocaleBranding>> | undefined; identifier: ManagedIdentifierDidResult; error: ErrorDetails | undefined; credentials: Array<MappedCredentialToAccept>; }; type GetOIDProviderMetadataResponse = EbsiOpenIDMetadata; type GetOIDProviderJwksResponse = GetOIDProviderJwksSuccessResponse | ExceptionResponse; type GetPresentationDefinitionResponse = GetPresentationDefinitionSuccessResponse; type GetAccessTokenResponse = GetAccessTokenSuccessResponse | ExceptionResponse; type IRequiredContext = IAgentContext<IKeyManager & IDIDManager & IResolver & IIdentifierResolution & IJwtService & IDidAuthSiopOpAuthenticator & IPresentationExchange & IOID4VCIHolder & IEbsiSupport>; declare const ebsiSupportMethods: Array<string>; declare class EbsiSupport implements IAgentPlugin { readonly schema: any; readonly methods: IEbsiSupport; private ebsiCreateDidOnLedger; private ebsiWellknownMetadata; private ebsiAuthorizationServerJwks; private ebsiPresentationDefinitionGet; private ebsiAccessTokenGet; private getAccessToken; } declare const logger: _sphereon_ssi_types.ISimpleLogger<unknown>; declare const schema: any; export { type ApiOpts, type AttestationResult, type CreateAttestationAuthRequestURLArgs, type EBSIAuthAccessTokenGetArgs, type EBSIScope, type EbsiApiVersion, EbsiDidProvider, type EbsiEnvironment, type EbsiMock, type EbsiOpenIDMetadata, EbsiSupport, type EbsiSystem, type ExceptionResponse, type GetAccessTokenArgs, type GetAccessTokenResponse, type GetAccessTokenResult, type GetAccessTokenSuccessResponse, type GetAttestationArgs, type GetOIDProviderJwksResponse, type GetOIDProviderJwksSuccessResponse, type GetOIDProviderMetadataResponse, type GetPresentationDefinitionArgs, type GetPresentationDefinitionResponse, type GetPresentationDefinitionSuccessResponse, type IEbsiSupport, type IRequiredContext, TokenType, type WellknownOpts, type WellknownType, ebsiSupportMethods, logger, schema };