Merge remote-tracking branch 'origin/develop' into develop

Author: nklomp

packages/client/lib/CredentialRequestClient.ts

@@ -267,12 +267,11 @@ export class CredentialRequestClient {
     }
     response.access_token = requestToken
 
-    /* TODO SSISDK-85
-  if ((uniformRequest.credential_subject_issuance && response.successBody) || response.successBody?.credential_subject_issuance) {
+    if ((uniformRequest.credential_subject_issuance && response.successBody) || response.successBody?.credential_subject_issuance) {
       if (JSON.stringify(uniformRequest.credential_subject_issuance) !== JSON.stringify(response.successBody?.credential_subject_issuance)) {
         throw Error('Subject signing was requested, but issuer did not provide the options in its response')
       }
-    }*/
+    }
     logger.debug(`Credential endpoint ${credentialEndpoint} response:\r\n${JSON.stringify(response, null, 2)}`)
 
     return {

packages/client/lib/MetadataClientV1_0_15.ts

@@ -55,6 +55,7 @@ export class MetadataClientV1_0_15 {
     let credential_endpoint: string | undefined
     let nonce_endpoint: string | undefined
     let deferred_credential_endpoint: string | undefined
+    let notification_endpoint: string | undefined
     let authorization_endpoint: string | undefined
     let authorization_challenge_endpoint: string | undefined
     let authorizationServerType: AuthorizationServerType = 'OID4VCI'
@@ -66,6 +67,7 @@ export class MetadataClientV1_0_15 {
       credential_endpoint = credentialIssuerMetadata.credential_endpoint
       nonce_endpoint = credentialIssuerMetadata.nonce_endpoint
       deferred_credential_endpoint = credentialIssuerMetadata.deferred_credential_endpoint
+      notification_endpoint = credentialIssuerMetadata.notification_endpoint
       if (credentialIssuerMetadata.token_endpoint) {
         token_endpoint = credentialIssuerMetadata.token_endpoint
       }
@@ -140,6 +142,15 @@ export class MetadataClientV1_0_15 {
           deferred_credential_endpoint = authMetadata.deferred_credential_endpoint
         }
       }
+      if (authMetadata.notification_endpoint) {
+        if (notification_endpoint && authMetadata.notification_endpoint !== notification_endpoint) {
+          logger.debug(
+            `Credential issuer has a different notification_endpoint (${notification_endpoint}) from the Authorization Server (${authMetadata.notification_endpoint}). Will use the issuer value`,
+          )
+        } else {
+          notification_endpoint = authMetadata.notification_endpoint
+        }
+      }
     }
 
     if (!authorization_endpoint) {
@@ -182,6 +193,7 @@ export class MetadataClientV1_0_15 {
       display: ci.display ?? [],
       ...(nonce_endpoint && { nonce_endpoint }),
       ...(deferred_credential_endpoint && { deferred_credential_endpoint }),
+      ...(notification_endpoint && { notification_endpoint }),
     }
 
     logger.debug(`Issuer ${issuer} token endpoint ${token_endpoint}, credential endpoint ${credential_endpoint}`)
@@ -192,6 +204,7 @@ export class MetadataClientV1_0_15 {
       token_endpoint,
       credential_endpoint,
       authorization_challenge_endpoint,
+      notification_endpoint,
       authorizationServerType,
       credentialIssuerMetadata: v15CredentialIssuerMetadata,
       authorizationServerMetadata: authMetadata,

packages/issuer/lib/VcIssuer.ts

@@ -34,6 +34,7 @@ import {
   OID4VCICredentialFormat,
   OpenId4VCIVersion,
   PRE_AUTH_GRANT_LITERAL,
+  ProofOfPossession,
   QRCodeOpts,
   StatusListOpts,
   TokenErrorResponse,
@@ -54,7 +55,7 @@ import { LOG } from './index'
 const shortUUID = ShortUUID()
 
 export class VcIssuer {
-  private readonly _issuerMetadata: CredentialIssuerMetadataOptsV1_0_15
+  private _issuerMetadata: CredentialIssuerMetadataOptsV1_0_15 // TODO SSISDK-87 create proper solution to update issuer metadata
   private readonly _authorizationServerMetadata: AuthorizationServerMetadata
   private readonly _defaultCredentialOfferBaseUri?: string
   private readonly _credentialSignerCallback?: CredentialSignerCallback
@@ -675,16 +676,70 @@ export class VcIssuer {
     try {
       if (format && !supportedIssuanceFormats.includes(format)) {
         throw Error(`Format ${format} not supported yet`)
-      } else if (typeof this._jwtVerifyCallback !== 'function' && typeof jwtVerifyCallback !== 'function') {
-        throw new Error(JWT_VERIFY_CONFIG_ERROR)
-      } else if (!credentialRequest.proof) {
-        throw Error('Proof of possession is required. No proof value present in credential request')
       }
 
-      const jwtVerifyResult = jwtVerifyCallback
-        ? await jwtVerifyCallback(credentialRequest.proof)
-        : // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
-          await this._jwtVerifyCallback!(credentialRequest.proof)
+      const verifyFn: JWTVerifyCallback | undefined = jwtVerifyCallback ?? this._jwtVerifyCallback
+      if (typeof verifyFn !== 'function') {
+        throw Error(JWT_VERIFY_CONFIG_ERROR)
+      }
+
+      const credReq = credentialRequest as CredentialRequestV1_0_15
+
+      // Validate request structure (mutually exclusive)
+      if (credReq.proof && credReq.proofs) {
+        throw Error('Credential request may not contain both proof and proofs parameters')
+      }
+
+      // Normalize candidates into a single array of ProofOfPossession objects
+      const proofCandidates: Array<ProofOfPossession> = []
+
+      if (credReq.proof) {
+        proofCandidates.push(credReq.proof)
+      } else if (credReq.proofs) {
+        // Handle "proofs": prioritize 'jwt' as it's the only fully supported type
+        if (Array.isArray(credReq.proofs.jwt)) {
+          // Map to ProofOfPossession objects, handling both string and object formats
+          for (const jwtProof of credReq.proofs.jwt) {
+            if (typeof jwtProof === 'string') {
+              // Handle case where jwt array contains strings instead of ProofOfPossession objects
+              proofCandidates.push({
+                proof_type: 'jwt',
+                jwt: jwtProof,
+              })
+            } else if (jwtProof && typeof jwtProof === 'object' && 'jwt' in jwtProof) {
+              // Handle proper ProofOfPossession object
+              proofCandidates.push(jwtProof)
+            }
+          }
+        }
+
+        // Check if there are no supported proofs found
+        if (proofCandidates.length === 0) {
+          const availableTypes = Object.keys(credReq.proofs).join(', ')
+          throw Error(`No supported proof types found in request. Available: [${availableTypes}]`)
+        }
+      } else {
+        throw Error('Proof of possession is required. No proof or proofs value present in credential request')
+      }
+
+      // Execute verification
+      let jwtVerifyResult: JwtVerifyResult | undefined
+      const validationErrors: string[] = []
+
+      for (const proof of proofCandidates) {
+        try {
+          jwtVerifyResult = await verifyFn({ jwt: proof.jwt })
+          break
+        } catch (error) {
+          const msg = error instanceof Error ? error.message : String(error)
+          validationErrors.push(msg)
+        }
+      }
+
+      // Check success
+      if (!jwtVerifyResult) {
+        throw Error(`Unable to verify any provided proofs. Errors: ${validationErrors.join('; ')}`)
+      }
 
       const { didDocument, did, jwt } = jwtVerifyResult
       const { header, payload } = jwt
@@ -863,6 +918,11 @@ export class VcIssuer {
     return this._issuerMetadata
   }
 
+  // TODO SSISDK-87 create proper solution to update issuer metadata
+  public set issuerMetadata(value: CredentialIssuerMetadataOptsV1_0_15) {
+    this._issuerMetadata = value;
+  }
+
   public get authorizationServerMetadata() {
     return this._authorizationServerMetadata
   }

packages/issuer/lib/builder/DisplayBuilder.ts

@@ -21,7 +21,7 @@ export class DisplayBuilder {
 
   withLogo(logo: ImageInfo) {
     if (logo) {
-      if (!logo.url) {
+      if (!logo.uri) {
         throw Error(`logo without url will not work`)
       }
     }

packages/oid4vci-common/lib/types/Generic.types.ts

@@ -23,7 +23,7 @@ export type CredentialOfferMode = 'VALUE' | 'REFERENCE'
  * Important Note: please be aware that these Common interfaces are based on versions v1_0.11 and v1_0.09
  */
 export interface ImageInfo {
-  url?: string
+  uri?: string
   alt_text?: string
 
   [key: string]: unknown

packages/oid4vci-common/lib/types/ServerMetadata.ts

@@ -148,6 +148,7 @@ export interface EndpointMetadata {
   token_endpoint: string
   credential_endpoint: string
   deferred_credential_endpoint?: string
+  notification_endpoint?: string
   authorization_server?: string
   authorization_endpoint?: string // Can be undefined in pre-auth flow
   authorization_challenge_endpoint?: string

packages/oid4vci-common/lib/types/v1_0_15.types.ts

@@ -73,7 +73,7 @@ export type CredentialConfigurationSupportedCommonV1_0_15 = {
 }
 
 export interface CredentialConfigurationSupportedSdJwtVcV1_0_15 extends CredentialConfigurationSupportedCommonV1_0_15 {
-  format: 'dc+sd-jwt' // REQUIRED. Updated format identifier for SD-JWT VC to align with the media type in draft -06 of [I-D.ietf-oauth-sd-jwt-vc]
+  format: 'dc+sd-jwt' | 'vc+sd-jwt' // REQUIRED. Updated format identifier for SD-JWT VC to align with the media type in draft -06 of [I-D.ietf-oauth-sd-jwt-vc]
   vct: string // REQUIRED. String designating the type of a Credential, as defined in [I-D.ietf-oauth-sd-jwt-vc].
   claims?: ClaimsDescriptionV1_0_15[] // OPTIONAL. Array of claims description objects using claims path pointers as defined in Appendix C.
   order?: string[] // OPTIONAL. An array of claims.display.name values that lists them in the order they should be displayed by the Wallet.