Merge pull request #196 from Sphereon-Opensource/feature/SSISDK-41_credential_sets

feature/SSISDK-41_credential_sets

Author: BtencateSphereon

packages/siop-oid4vp/lib/__tests__/IT.spec.ts

@@ -1755,3 +1755,75 @@ describe.skip('RP and OP interaction should', () => {
     expect(resState?.status).toBe('error')
   })
 })
+
+
+describe('credential_sets tests', () => {
+  it('DCQL credential_sets: happy flow (single required option is satisfied)', () => {
+    const queryWithSet: DcqlQuery.Input = {
+      credentials: [
+        {
+          id: 'credA',
+          format: 'ldp_vc',
+          meta: {
+            type_values: [
+              ['https://www.w3.org/2018/credentials#VerifiableCredential'],
+              ['PermanentResidentCard']
+            ]
+          },
+          claims: [{ path: ['givenName'], values: ['JANE'] }]
+        }
+      ],
+      credential_sets: [
+        {
+          options: [['credA']],
+          required: true,
+          purpose: 'must include credA'
+        }
+      ]
+    }
+
+    const parsed = DcqlQuery.parse(queryWithSet)
+    DcqlQuery.validate(parsed) // validates structure + credential_sets references
+
+    const dcqlCredential: DcqlW3cVcCredential = {
+      credential_format: 'ldp_vc',
+      claims: (getVCs()[0].credentialSubject as { [x: string]: Json }),
+      type: getVCs()[0].type,
+      cryptographic_holder_binding: true
+    }
+
+    const result: DcqlQueryResult = DcqlQuery.query(parsed, [dcqlCredential])
+
+    // set is satisfied and matching_options should include ['credA']
+    expect(result.can_be_satisfied).toBe(true)
+    expect(result.credential_sets?.[0].matching_options).toEqual([['credA']])
+  })
+
+  it('DCQL credential_sets: invalid rule (references unknown credential id) fails validation', () => {
+    const queryWithBadSet: DcqlQuery.Input = {
+      credentials: [
+        {
+          id: 'credA',
+          format: 'ldp_vc',
+          meta: {
+            type_values: [
+              ['https://www.w3.org/2018/credentials#VerifiableCredential'],
+              ['PermanentResidentCard']
+            ]
+          },
+          claims: [{ path: ['givenName'], values: ['JANE'] }]
+        }
+      ],
+      credential_sets: [
+        {
+          // This option references a non-existent credential query id
+          options: [['does_not_exist']],
+          required: true
+        }
+      ]
+    }
+
+    const parsed = DcqlQuery.parse(queryWithBadSet)
+    expect(() => DcqlQuery.validate(parsed)).toThrowError(/Credential set contains undefined credential id/i)
+  })
+})

packages/siop-oid4vp/lib/authorization-response/Dcql.ts

@@ -57,7 +57,7 @@ export class Dcql {
       opts: {
         hasher?: HasherSync
       },
-  ) => {
+  ) : DcqlPresentationResult.Output => {
     const dcqlPresentation = Object.fromEntries(
         // FIXME SSISDK-41
         Object.entries(extractDcqlPresentationFromDcqlVpToken(record, opts)).map(([queryId, p]) => {

packages/siop-oid4vp/lib/authorization-response/OpenID4VP.ts

@@ -50,6 +50,7 @@ export const verifyPresentations = async (
   verifyOpts: VerifyAuthorizationResponseOpts,
 ): Promise<{ dcql: VerifiedOpenID4VPSubmission }> => {
   const dcqlQuery = DcqlQuery.parse(verifyOpts.dcqlQuery ?? authorizationResponse?.authorizationRequest.payload.dcql_query as DcqlQuery)
+  DcqlQuery.validate(dcqlQuery)
   const dcqlPresentation = extractDcqlPresentationFromDcqlVpToken(authorizationResponse.payload.vp_token as string, { hasher: verifyOpts.hasher })
 
   const wrappedPresentations = Object.values(dcqlPresentation)
@@ -59,7 +60,7 @@ export const verifyPresentations = async (
       ),
     )
 
-    await Dcql.assertValidDcqlPresentationResult(authorizationResponse.payload.vp_token as string, dcqlQuery, { hasher: verifyOpts.hasher })
+    const dcqlPresentationResult = await Dcql.assertValidDcqlPresentationResult(authorizationResponse.payload.vp_token as string, dcqlQuery, { hasher: verifyOpts.hasher })
 
     if (verifiedPresentations.some((verified) => !verified)) {
       const message = verifiedPresentations
@@ -95,7 +96,7 @@ export const verifyPresentations = async (
     }
   }
 
-  return { dcql: { nonce, presentation: dcqlPresentation, dcqlQuery } }
+  return { dcql: { nonce, presentation: dcqlPresentation, dcqlQuery , dcqlPresentationResult} }
 }
 
 export const extractDcqlPresentationFromDcqlVpToken = (

packages/siop-oid4vp/lib/types/SIOP.types.ts

@@ -9,7 +9,7 @@ import {
   W3CVerifiablePresentation,
   WrappedVerifiablePresentation
 } from '@sphereon/ssi-types'
-import { DcqlQuery } from 'dcql'
+import { DcqlPresentationResult, DcqlQuery } from 'dcql'
 import { z } from 'zod'
 import {
   AuthorizationRequest,
@@ -483,6 +483,7 @@ export interface VerifiedIDToken {
 export interface VerifiedOpenID4VPSubmission {
   dcqlQuery: DcqlQuery
   presentation: PresentationSubmission
+  dcqlPresentationResult?: DcqlPresentationResult
   nonce?: string
 }