{"version":3,"sources":["../lib/index.ts","../lib/jwt/Jwt.types.ts","../lib/jwt/JwkThumbprint.ts","../lib/hasher.ts","../lib/jwt/JwtVerifier.ts","../lib/jwt/jwtUtils.ts","../lib/dpop/DPoP.ts","../lib/helpers/Encodings.ts"],"sourcesContent":["import { Loggers } from '@sphereon/ssi-types'\n\nexport const VCI_LOGGERS = Loggers.DEFAULT\nexport const VCI_LOG_COMMON = VCI_LOGGERS.get('sphereon:oid4vci:common')\n\nexport * from './types'\nexport * from './jwt'\nexport * from './dpop'\nexport * from './oauth'\nexport * from './helpers/Encodings'\n\nexport { v4 as uuidv4 } from 'uuid'\nexport { defaultHasher } from './hasher'\n","import { JwtHeader as jwtDecodeJwtHeader, JwtPayload as jwtDecodePayload } from 'jwt-decode'\n\nimport { JWK } from './Jwk.types'\n\nexport type JwtHeader = jwtDecodeJwtHeader & {\n  alg?: string\n  x5c?: string[]\n  kid?: string\n  jwk?: JWK\n  jwt?: string\n} & Record<string, unknown>\n\nexport type JwtPayload = jwtDecodePayload & {\n  client_id?: string\n  nonce?: string\n  request_uri?: string\n} & Record<string, unknown>\n\nexport enum SigningAlgo {\n  EDDSA = 'EdDSA',\n  RS256 = 'RS256',\n  PS256 = 'PS256',\n  ES256 = 'ES256',\n  ES256K = 'ES256K',\n}\n","// eslint-disable-next-line @typescript-eslint/ban-ts-comment\n// @ts-ignore\nimport * as u8a from 'uint8arrays'\nconst { toString } = u8a\n\nimport { defaultHasher } from '../hasher'\nimport { DigestAlgorithm } from '../types'\n\nimport { JWK } from './Jwk.types'\n\nconst check = (value: unknown, description: string) => {\n  if (typeof value !== 'string' || !value) {\n    throw Error(`${description} missing or invalid`)\n  }\n}\n\nexport async function calculateJwkThumbprint(jwk: JWK, digestAlgorithm?: DigestAlgorithm): Promise<string> {\n  if (!jwk || typeof jwk !== 'object') {\n    throw new TypeError('JWK must be an object')\n  }\n  const algorithm = digestAlgorithm ?? 
'sha256'\n  if (algorithm !== 'sha256' && algorithm !== 'sha384' && algorithm !== 'sha512') {\n    throw new TypeError('digestAlgorithm must one of \"sha256\", \"sha384\", or \"sha512\"')\n  }\n  let components\n  switch (jwk.kty) {\n    case 'EC':\n      check(jwk.crv, '\"crv\" (Curve) Parameter')\n      check(jwk.x, '\"x\" (X Coordinate) Parameter')\n      check(jwk.y, '\"y\" (Y Coordinate) Parameter')\n      components = { crv: jwk.crv, kty: jwk.kty, x: jwk.x, y: jwk.y }\n      break\n    case 'OKP':\n      check(jwk.crv, '\"crv\" (Subtype of Key Pair) Parameter')\n      check(jwk.x, '\"x\" (Public Key) Parameter')\n      components = { crv: jwk.crv, kty: jwk.kty, x: jwk.x }\n      break\n    case 'RSA':\n      check(jwk.e, '\"e\" (Exponent) Parameter')\n      check(jwk.n, '\"n\" (Modulus) Parameter')\n      components = { e: jwk.e, kty: jwk.kty, n: jwk.n }\n      break\n    case 'oct':\n      check(jwk.k, '\"k\" (Key Value) Parameter')\n      components = { k: jwk.k, kty: jwk.kty }\n      break\n    default:\n      throw Error('\"kty\" (Key Type) Parameter missing or unsupported')\n  }\n  return toString(defaultHasher(JSON.stringify(components), algorithm), 'base64url')\n}\n\nexport async function getDigestAlgorithmFromJwkThumbprintUri(uri: string): Promise<DigestAlgorithm> {\n  const match = uri.match(/^urn:ietf:params:oauth:jwk-thumbprint:sha-(\\w+):/)\n  if (!match) {\n    throw new Error(`Invalid JWK thumbprint URI structure ${uri}`)\n  }\n  const algorithm = `sha${match[1]}` as DigestAlgorithm\n  if (algorithm !== 'sha256' && algorithm !== 'sha384' && algorithm !== 'sha512') {\n    throw new Error(`Invalid JWK thumbprint URI digest algorithm ${uri}`)\n  }\n  return algorithm\n}\n\nexport async function calculateJwkThumbprintUri(jwk: JWK, digestAlgorithm: DigestAlgorithm = 'sha256'): Promise<string> {\n  const thumbprint = await calculateJwkThumbprint(jwk, digestAlgorithm)\n  return 
`urn:ietf:params:oauth:jwk-thumbprint:sha-${digestAlgorithm.slice(-3)}:${thumbprint}`\n}\n","import { HasherSync, shaHasher } from '@sphereon/ssi-types'\n\nexport const defaultHasher: HasherSync = (data: string | ArrayBuffer | SharedArrayBuffer, algorithm: string) => {\n  return shaHasher(data, algorithm)\n}\n","import { JWK } from './Jwk.types'\nimport { JwtHeader, JwtPayload, SigningAlgo } from './Jwt.types'\nimport { JwtProtectionMethod, JwtType } from './jwtUtils'\n\nexport interface JwtVerifierBase {\n  type: JwtType\n  method: JwtProtectionMethod\n}\n\nexport interface DidJwtVerifier extends JwtVerifierBase {\n  method: 'did'\n\n  alg: SigningAlgo | string\n  didUrl: string\n}\n\nexport interface X5cJwtVerifier extends JwtVerifierBase {\n  method: 'x5c'\n\n  alg: SigningAlgo | string\n\n  /**\n   *\n   * Array of base64-encoded certificate strings in the DER-format.\n   *\n   * The certificate containing the public key corresponding to the key used to digitally sign the JWS MUST be the first certificate.\n   */\n  x5c: Array<string>\n\n  /**\n   * The jwt issuer\n   */\n  issuer: string\n}\n\nexport interface OpenIdFederationJwtVerifier extends JwtVerifierBase {\n  method: 'openid-federation'\n\n  /**\n   * The OpenId federation Entity\n   */\n  entityId: string\n}\n\nexport interface JwkJwtVerifier extends JwtVerifierBase {\n  method: 'jwk'\n  alg: SigningAlgo | string\n\n  jwk: JWK\n}\n\nexport interface CustomJwtVerifier extends JwtVerifierBase {\n  method: 'custom'\n}\n\nexport type JwtVerifier = DidJwtVerifier | X5cJwtVerifier | CustomJwtVerifier | JwkJwtVerifier | OpenIdFederationJwtVerifier\n\nexport const getDidJwtVerifier = (jwt: { header: JwtHeader; payload: JwtPayload }, options: { type: JwtType }): DidJwtVerifier => {\n  const { type } = options\n  if (!jwt.header.kid) throw new Error(`Received an invalid JWT. Missing kid header.`)\n  if (!jwt.header.alg) throw new Error(`Received an invalid JWT. 
Missing alg header.`)\n\n  if (!jwt.header.kid.includes('#')) {\n    throw new Error(`Received an invalid JWT.. '${type}' contains an invalid kid header.`)\n  }\n  return { method: 'did', didUrl: jwt.header.kid, type: type, alg: jwt.header.alg }\n}\n\nconst getIssuer = (type: JwtType, payload: JwtPayload): string => {\n  // For 'request-object' the `iss` value is not required so we map the issuer to client_id\n  if (type === 'request-object') {\n    if (!payload.client_id) {\n      throw new Error('Missing required field client_id in request object JWT')\n    }\n    return payload.client_id as string\n  }\n\n  if (typeof payload.iss !== 'string') {\n    throw new Error(`Received an invalid JWT. '${type}' contains an invalid iss claim or it is missing.`)\n  }\n  return payload.iss\n}\n\nexport const getX5cVerifier = (jwt: { header: JwtHeader; payload: JwtPayload }, options: { type: JwtType }): X5cJwtVerifier => {\n  const { type } = options\n  if (!jwt.header.x5c) throw new Error(`Received an invalid JWT. Missing x5c header.`)\n  if (!jwt.header.alg) throw new Error(`Received an invalid JWT. Missing alg header.`)\n\n  if (!Array.isArray(jwt.header.x5c) || jwt.header.x5c.length === 0 || !jwt.header.x5c.every((cert) => typeof cert === 'string')) {\n    throw new Error(`Received an invalid JWT.. '${type}' contains an invalid x5c header.`)\n  }\n\n  return {\n    method: 'x5c',\n    x5c: jwt.header.x5c,\n    issuer: getIssuer(type, jwt.payload),\n    type: type,\n    alg: jwt.header.alg,\n  }\n}\n\nexport const getJwkVerifier = async (jwt: { header: JwtHeader; payload: JwtPayload }, options: { type: JwtType }): Promise<JwkJwtVerifier> => {\n  const { type } = options\n  if (!jwt.header.jwk) throw new Error(`Received an invalid JWT.  Missing jwk header.`)\n  if (!jwt.header.alg) throw new Error(`Received an invalid JWT. Missing alg header.`)\n\n  if (typeof jwt.header.jwk !== 'object') {\n    throw new Error(`Received an invalid JWT. 
'${type}' contains an invalid jwk header.`)\n  }\n\n  return { method: 'jwk', type, jwk: jwt.header.jwk, alg: jwt.header.alg }\n}\n\nexport const getJwtVerifierWithContext = async (\n  jwt: { header: JwtHeader; payload: JwtPayload },\n  options: { type: JwtType },\n): Promise<JwtVerifier> => {\n  const { header, payload } = jwt\n\n  if (header.kid?.startsWith('did:')) return getDidJwtVerifier({ header, payload }, options)\n  else if (jwt.header.x5c) return getX5cVerifier({ header, payload }, options)\n  else if (jwt.header.jwk) return getJwkVerifier({ header, payload }, options)\n\n  return { method: 'custom', type: options.type }\n}\n\nexport type VerifyJwtCallbackBase<T extends JwtVerifier> = (\n  jwtVerifier: T,\n  jwt: { header: JwtHeader; payload: JwtPayload; raw: string },\n) => Promise<boolean>\n","import { jwtDecode } from 'jwt-decode'\n\nimport { JwtHeader, JwtPayload } from './Jwt.types'\n\nexport type JwtType = 'id-token' | 'request-object' | 'verifier-attestation' | 'dpop'\n\nexport type JwtProtectionMethod = 'did' | 'x5c' | 'jwk' | 'openid-federation' | 'custom'\n\nexport function parseJWT<Header = JwtHeader, Payload = JwtPayload>(jwt: string) {\n  const header = jwtDecode<Header>(jwt, { header: true })\n  const payload = jwtDecode<Payload>(jwt, { header: false })\n\n  if (!payload || !header) {\n    throw new Error('Jwt Payload and/or Header could not be parsed')\n  }\n  return { header, payload }\n}\n\n/**\n * The maximum allowed clock skew time in seconds. If a time-based validation\n * is performed against the current time (`now`), the validation can be off by the skew\n * time.\n *\n * See https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.5\n */\nconst DEFAULT_SKEW_TIME = 60\n\nexport function getNowSkewed(now?: number, skewTime?: number) {\n  const _now = now ? now : epochTime()\n  const _skewTime = skewTime ? 
skewTime : DEFAULT_SKEW_TIME\n\n  return {\n    nowSkewedPast: _now - _skewTime,\n    nowSkewedFuture: _now + _skewTime,\n  }\n}\n\n/**\n * Returns the current unix timestamp in seconds.\n */\nexport function epochTime() {\n  return Math.floor(Date.now() / 1000)\n}\n\nexport const BASE64_URL_REGEX = /^([0-9a-zA-Z-_]{4})*(([0-9a-zA-Z-_]{2}(==)?)|([0-9a-zA-Z-_]{3}(=)?))?$/\n\nexport const isJws = (jws: string) => {\n  const jwsParts = jws.split('.')\n  return jwsParts.length === 3 && jwsParts.every((part) => BASE64_URL_REGEX.test(part))\n}\nexport const isJwe = (jwe: string) => {\n  const jweParts = jwe.split('.')\n  return jweParts.length === 5 && jweParts.every((part) => BASE64_URL_REGEX.test(part))\n}\n\nexport const decodeProtectedHeader = (jwt: string) => {\n  return jwtDecode(jwt, { header: true })\n}\n\nexport const decodeJwt = (jwt: string): JwtPayload => {\n  return jwtDecode(jwt, { header: false })\n}\n\nexport const checkExp = (input: {\n  exp: number\n  now?: number // The number of milliseconds elapsed since midnight, January 1, 1970 Universal Coordinated Time (UTC).\n  clockSkew?: number\n}) => {\n  const { exp, now, clockSkew } = input\n  return exp < (now ?? Date.now() / 1000) - (clockSkew ?? 
120)\n}\n","import { jwtDecode } from 'jwt-decode'\n// eslint-disable-next-line @typescript-eslint/ban-ts-comment\n// @ts-ignore\nimport * as u8a from 'uint8arrays'\nconst { toString } = u8a\n\nimport { v4 as uuidv4 } from 'uuid'\n\nimport { defaultHasher } from '../hasher'\nimport {\n  calculateJwkThumbprint,\n  CreateJwtCallback,\n  epochTime,\n  getNowSkewed,\n  JWK,\n  JwtHeader,\n  JwtIssuerJwk,\n  JwtPayload,\n  parseJWT,\n  SigningAlgo,\n  VerifyJwtCallbackBase,\n} from '../jwt'\n\nexport const dpopTokenRequestNonceError = 'use_dpop_nonce'\n\nexport interface DPoPJwtIssuerWithContext extends JwtIssuerJwk {\n  type: 'dpop'\n  dPoPSigningAlgValuesSupported?: string[]\n}\n\nexport type DPoPJwtPayloadProps = {\n  htu: string\n  iat: number\n  htm: 'GET' | 'POST' | 'PUT' | 'DELETE' | 'HEAD' | 'OPTIONS' | 'TRACE' | 'CONNECT' | 'PATCH'\n  ath?: string\n  nonce?: string\n  jti: string\n}\nexport type DPoPJwtHeaderProps = { typ: 'dpop+jwt'; alg: SigningAlgo; jwk: JWK }\nexport type CreateDPoPJwtPayloadProps = Omit<DPoPJwtPayloadProps, 'iat' | 'jti' | 'ath'> & { accessToken?: string }\n\nexport interface CreateDPoPOpts<JwtPayloadProps = CreateDPoPJwtPayloadProps> {\n  createJwtCallback: CreateJwtCallback<DPoPJwtIssuerWithContext>\n  jwtIssuer: Omit<JwtIssuerJwk, 'method' | 'type'>\n  jwtPayloadProps: Record<string, unknown> & JwtPayloadProps\n  dPoPSigningAlgValuesSupported?: (string | SigningAlgo)[]\n}\n\nexport type CreateDPoPClientOpts = CreateDPoPOpts<Omit<CreateDPoPJwtPayloadProps, 'htm' | 'htu'>>\n\nexport function getCreateDPoPOptions(\n  createDPoPClientOpts: CreateDPoPClientOpts,\n  endPointUrl: string,\n  resourceRequestOpts?: { accessToken: string },\n): CreateDPoPOpts {\n  const htu = endPointUrl.split('?')[0].split('#')[0]\n  return {\n    ...createDPoPClientOpts,\n    jwtPayloadProps: {\n      ...createDPoPClientOpts.jwtPayloadProps,\n      htu,\n      htm: 'POST',\n      ...(resourceRequestOpts && { accessToken: resourceRequestOpts.accessToken }),\n    
},\n  }\n}\n\nexport async function createDPoP(options: CreateDPoPOpts): Promise<string> {\n  const { createJwtCallback, jwtIssuer, jwtPayloadProps, dPoPSigningAlgValuesSupported } = options\n\n  if (jwtPayloadProps.accessToken && (jwtPayloadProps.accessToken?.startsWith('DPoP ') || jwtPayloadProps.accessToken?.startsWith('Bearer '))) {\n    throw new Error('expected access token without scheme')\n  }\n\n  const ath = jwtPayloadProps.accessToken ? toString(defaultHasher(jwtPayloadProps.accessToken, 'sha256'), 'base64url') : undefined\n  return createJwtCallback(\n    { method: 'jwk', type: 'dpop', alg: jwtIssuer.alg, jwk: jwtIssuer.jwk, dPoPSigningAlgValuesSupported },\n    {\n      header: { ...jwtIssuer, typ: 'dpop+jwt', alg: jwtIssuer.alg, jwk: jwtIssuer.jwk },\n      payload: {\n        ...jwtPayloadProps,\n        iat: epochTime(),\n        jti: uuidv4(),\n        ...(ath && { ath }),\n      },\n    },\n  )\n}\n\nexport type DPoPVerifyJwtCallback = VerifyJwtCallbackBase<JwtIssuerJwk & { type: 'dpop' }>\nexport interface DPoPVerifyOptions {\n  expectedNonce?: string\n  acceptedAlgorithms?: (string | SigningAlgo)[]\n  // defaults to 300 seconds (5 minutes)\n  maxIatAgeInSeconds?: number\n  expectAccessToken?: boolean\n  jwtVerifyCallback: DPoPVerifyJwtCallback\n  now?: number\n}\n\nexport async function verifyDPoP(\n  request: { headers: Record<string, string | string[] | undefined>; fullUrl: string } & Pick<Request, 'method'>,\n  options: DPoPVerifyOptions,\n) {\n  // There is not more than one DPoP HTTP request header field.\n  const dpop = request.headers['dpop']\n  if (!dpop || typeof dpop !== 'string') {\n    throw new Error('missing or invalid dpop header. 
Expected compact JWT')\n  }\n\n  // The DPoP HTTP request header field value is a single and well-formed JWT.\n  const { header: dPoPHeader, payload: dPoPPayload } = parseJWT<JwtHeader, JwtPayload & Partial<DPoPJwtPayloadProps>>(dpop)\n\n  // Ensure all required header claims are present\n  if (dPoPHeader.typ !== 'dpop+jwt' || !dPoPHeader.alg || !dPoPHeader.jwk || typeof dPoPHeader.jwk !== 'object' || dPoPHeader.jwk.d) {\n    throw new Error('invalid_dpop_proof. Invalid header claims')\n  }\n\n  // Ensure all required payload claims are present\n  if (!dPoPPayload.htm || !dPoPPayload.htu || !dPoPPayload.iat || !dPoPPayload.jti) {\n    throw new Error('invalid_dpop_proof. Missing required claims')\n  }\n\n  // Validate alg is supported\n  if (options?.acceptedAlgorithms && !options.acceptedAlgorithms.includes(dPoPHeader.alg)) {\n    throw new Error(`invalid_dpop_proof. Invalid 'alg' claim '${dPoPHeader.alg}'. Only ${options.acceptedAlgorithms.join(', ')} are supported.`)\n  }\n\n  // Validate nonce if provided\n  if ((options?.expectedNonce && !dPoPPayload.nonce) || dPoPPayload.nonce !== options.expectedNonce) {\n    throw new Error('invalid_dpop_proof. Nonce mismatch')\n  }\n\n  // Verify JWT signature\n  try {\n    const verificationResult = await options.jwtVerifyCallback(\n      {\n        method: 'jwk',\n        type: 'dpop',\n        jwk: dPoPHeader.jwk,\n        alg: dPoPHeader.alg,\n      },\n      {\n        header: dPoPHeader,\n        payload: dPoPPayload,\n        raw: dpop,\n      },\n    )\n\n    if (!verificationResult) {\n      throw new Error('invalid_dpop_proof. Invalid JWT signature')\n    }\n  } catch (error: unknown) {\n    throw new Error('invalid_dpop_proof. Invalid JWT signature. ' + (error instanceof Error ? error.message : 'Unknown error'))\n  }\n\n  // Validate htm claim\n  if (dPoPPayload.htm !== request.method) {\n    throw new Error(`invalid_dpop_proof. Invalid htm claim. 
Must match request method '${request.method}'`)\n  }\n\n  // The htu claim matches the HTTP URI value for the HTTP request in which the JWT was received, ignoring any query and fragment parts.\n  const currentUri = request.fullUrl.split('?')[0].split('#')[0]\n  if (dPoPPayload.htu !== currentUri) {\n    throw new Error('invalid_dpop_proof. Invalid htu claim')\n  }\n\n  // Validate nonce if provided\n  if ((options.expectedNonce && dPoPPayload.nonce !== options.expectedNonce) || (!options.expectedNonce && dPoPPayload.nonce)) {\n    throw new Error('invalid_dpop_proof. Nonce mismatch')\n  }\n\n  // Validate iat claim\n  const { nowSkewedPast, nowSkewedFuture } = getNowSkewed(options.now)\n  if (\n    // iat claim is too old\n    nowSkewedPast - (options.maxIatAgeInSeconds ?? 60) > dPoPPayload.iat ||\n    // iat claim is too far in the future\n    nowSkewedFuture + (options.maxIatAgeInSeconds ?? 60) < dPoPPayload.iat\n  ) {\n    // 5 minute window (NOTE: the fallback applied above when maxIatAgeInSeconds is unset is 60 seconds, plus clock skew)\n    throw new Error('invalid_dpop_proof. Invalid iat claim')\n  }\n\n  // If access token is present, validate ath claim\n  const authorizationHeader = request.headers.authorization\n  if (!options.expectAccessToken && authorizationHeader) {\n    throw new Error('invalid_dpop_proof. Received an unexpected authorization header.')\n  }\n\n  if (options.expectAccessToken) {\n    if (!dPoPPayload.ath) {\n      throw new Error('invalid_dpop_proof. Missing expected ath claim.')\n    }\n\n    // validate that the DPOP proof is made for the provided access token\n    if (!authorizationHeader || typeof authorizationHeader !== 'string' || !authorizationHeader.startsWith('DPoP ')) {\n      throw new Error('invalid_dpop_proof. Invalid authorization header.')\n    }\n\n    const accessToken = authorizationHeader.replace('DPoP ', '')\n    const expectedAth = toString(defaultHasher(accessToken, 'sha256'), 'base64url')\n    if (dPoPPayload.ath !== expectedAth) {\n      throw new Error('invalid_dpop_proof. 
Invalid ath claim')\n    }\n\n    // validate that the access token is bound (cnf.jkt) to the same key as the DPoP proof\n    const accessTokenPayload = jwtDecode<JwtPayload & { cnf?: { jkt?: string } }>(accessToken, { header: false })\n    if (!accessTokenPayload.cnf?.jkt) {\n      throw new Error('invalid_dpop_proof. Access token is missing the jkt claim')\n    }\n\n    const thumprint = await calculateJwkThumbprint(dPoPHeader.jwk, 'sha256')\n    if (accessTokenPayload.cnf?.jkt !== thumprint) {\n      throw new Error('invalid_dpop_proof. JwkThumbprint mismatch')\n    }\n  }\n\n  // If all validations pass, return the dpop jwk\n  return dPoPHeader.jwk\n}\n\n/**\n * DPoP verifications for resource requests\n * For Bearer token compatibility, JWTs must have a token_type claim\n * The access token itself must be validated before using this method; it is only decoded here, never verified\n * If the token_type is not DPoP, then the request is not a DPoP request\n * and we don't need to verify the DPoP proof\n */\nexport async function verifyResourceDPoP(\n  request: { headers: Record<string, string | string[] | undefined>; fullUrl: string } & Pick<Request, 'method'>,\n  options: Omit<DPoPVerifyOptions, 'expectAccessToken'>,\n) {\n  if (!request.headers.authorization || typeof request.headers.authorization !== 'string') {\n    throw new Error('Received an invalid resource request. Missing authorization header.')\n  }\n  const tokenPayload = jwtDecode<JwtPayload & { token_type?: string }>(request.headers.authorization, { header: false })\n  const tokenType = tokenPayload.token_type\n\n  if (tokenType !== 'DPoP') {\n    return\n  }\n\n  return verifyDPoP(request, { ...options, expectAccessToken: true })\n}\n","// eslint-disable-next-line @typescript-eslint/ban-ts-comment\n// @ts-ignore\nimport * as u8a from 'uint8arrays'\n\nconst { fromString, toString } = u8a\n\nexport function base64ToHexString(input: string, encoding?: 'base64url' | 'base64'): string {\n  return toString(fromString(input, encoding ?? 
'base64url'), 'base16')\n}\n\nexport function fromBase64(base64: string): string {\n  return base64.replace(/=/g, '').replace(/\\+/g, '-').replace(/\\//g, '_')\n}\n\nexport function base64urlEncodeBuffer(buf: { toString: (arg0: 'base64') => string }): string {\n  return fromBase64(buf.toString('base64'))\n}\n\nexport function base64urlToString(base64url: string): string {\n  const uint8array = fromString(base64url, 'base64url')\n  return toString(uint8array, 'ascii')\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,IAAAA,oBAAwB;;;ACkBjB,IAAKC,cAAAA,0BAAAA,cAAAA;;;;;;SAAAA;;;;AChBZ,UAAqB;;;ACFrB,uBAAsC;AAE/B,IAAMC,gBAA4B,wBAACC,MAAgDC,cAAAA;AACxF,aAAOC,4BAAUF,MAAMC,SAAAA;AACzB,GAFyC;;;ADCzC,IAAM,EAAEE,SAAQ,IAAKC;AAOrB,IAAMC,QAAQ,wBAACC,OAAgBC,gBAAAA;AAC7B,MAAI,OAAOD,UAAU,YAAY,CAACA,OAAO;AACvC,UAAME,MAAM,GAAGD,WAAAA,qBAAgC;EACjD;AACF,GAJc;AAMd,eAAsBE,uBAAuBC,KAAUC,iBAAiC;AACtF,MAAI,CAACD,OAAO,OAAOA,QAAQ,UAAU;AACnC,UAAM,IAAIE,UAAU,uBAAA;EACtB;AACA,QAAMC,YAAYF,mBAAmB;AACrC,MAAIE,cAAc,YAAYA,cAAc,YAAYA,cAAc,UAAU;AAC9E,UAAM,IAAID,UAAU,6DAAA;EACtB;AACA,MAAIE;AACJ,UAAQJ,IAAIK,KAAG;IACb,KAAK;AACHV,YAAMK,IAAIM,KAAK,yBAAA;AACfX,YAAMK,IAAIO,GAAG,8BAAA;AACbZ,YAAMK,IAAIQ,GAAG,8BAAA;AACbJ,mBAAa;QAAEE,KAAKN,IAAIM;QAAKD,KAAKL,IAAIK;QAAKE,GAAGP,IAAIO;QAAGC,GAAGR,IAAIQ;MAAE;AAC9D;IACF,KAAK;AACHb,YAAMK,IAAIM,KAAK,uCAAA;AACfX,YAAMK,IAAIO,GAAG,4BAAA;AACbH,mBAAa;QAAEE,KAAKN,IAAIM;QAAKD,KAAKL,IAAIK;QAAKE,GAAGP,IAAIO;MAAE;AACpD;IACF,KAAK;AACHZ,YAAMK,IAAIS,GAAG,0BAAA;AACbd,YAAMK,IAAIU,GAAG,yBAAA;AACbN,mBAAa;QAAEK,GAAGT,IAAIS;QAAGJ,KAAKL,IAAIK;QAAKK,GAAGV,IAAIU;MAAE;AAChD;IACF,KAAK;AACHf,YAAMK,IAAIW,GAAG,2BAAA;AACbP,mBAAa;QAAEO,GAAGX,IAAIW;QAAGN,KAAKL,IAAIK;MAAI;AACtC;IACF;AACE,YAAMP,MAAM,mDAAA;EAChB;AACA,SAAOL,SAASmB,cAAcC,KAAKC,UAAUV,UAAAA,GAAaD,SAAAA,GAAY,WAAA;AACxE;AAlCsBJ;AAoCtB,eAAsBgB,uCAAuCC,KAAW;AACtE,QAAMC,QAAQD,IAAIC,MAAM,kDAAA;AACxB,MAAI,CAACA,OAAO;AACV,UAAM,IAAInB,MAAM,wCAAwCkB,GAAAA,EAAK;EAC/D;AACA,QAAMb,YAAY,MAAMc,MAAM,CAAA,CAAE;AAChC,
MAAId,cAAc,YAAYA,cAAc,YAAYA,cAAc,UAAU;AAC9E,UAAM,IAAIL,MAAM,+CAA+CkB,GAAAA,EAAK;EACtE;AACA,SAAOb;AACT;AAVsBY;AAYtB,eAAsBG,0BAA0BlB,KAAUC,kBAAmC,UAAQ;AACnG,QAAMkB,aAAa,MAAMpB,uBAAuBC,KAAKC,eAAAA;AACrD,SAAO,4CAA4CA,gBAAgBmB,MAAM,EAAC,CAAA,IAAMD,UAAAA;AAClF;AAHsBD;;;AEPf,IAAMG,oBAAoB,wBAACC,KAAiDC,YAAAA;AACjF,QAAM,EAAEC,KAAI,IAAKD;AACjB,MAAI,CAACD,IAAIG,OAAOC,IAAK,OAAM,IAAIC,MAAM,8CAA8C;AACnF,MAAI,CAACL,IAAIG,OAAOG,IAAK,OAAM,IAAID,MAAM,8CAA8C;AAEnF,MAAI,CAACL,IAAIG,OAAOC,IAAIG,SAAS,GAAA,GAAM;AACjC,UAAM,IAAIF,MAAM,8BAA8BH,IAAAA,mCAAuC;EACvF;AACA,SAAO;IAAEM,QAAQ;IAAOC,QAAQT,IAAIG,OAAOC;IAAKF;IAAYI,KAAKN,IAAIG,OAAOG;EAAI;AAClF,GATiC;AAWjC,IAAMI,YAAY,wBAACR,MAAeS,YAAAA;AAEhC,MAAIT,SAAS,kBAAkB;AAC7B,QAAI,CAACS,QAAQC,WAAW;AACtB,YAAM,IAAIP,MAAM,wDAAA;IAClB;AACA,WAAOM,QAAQC;EACjB;AAEA,MAAI,OAAOD,QAAQE,QAAQ,UAAU;AACnC,UAAM,IAAIR,MAAM,6BAA6BH,IAAAA,mDAAuD;EACtG;AACA,SAAOS,QAAQE;AACjB,GAbkB;AAeX,IAAMC,iBAAiB,wBAACd,KAAiDC,YAAAA;AAC9E,QAAM,EAAEC,KAAI,IAAKD;AACjB,MAAI,CAACD,IAAIG,OAAOY,IAAK,OAAM,IAAIV,MAAM,8CAA8C;AACnF,MAAI,CAACL,IAAIG,OAAOG,IAAK,OAAM,IAAID,MAAM,8CAA8C;AAEnF,MAAI,CAACW,MAAMC,QAAQjB,IAAIG,OAAOY,GAAG,KAAKf,IAAIG,OAAOY,IAAIG,WAAW,KAAK,CAAClB,IAAIG,OAAOY,IAAII,MAAM,CAACC,SAAS,OAAOA,SAAS,QAAA,GAAW;AAC9H,UAAM,IAAIf,MAAM,8BAA8BH,IAAAA,mCAAuC;EACvF;AAEA,SAAO;IACLM,QAAQ;IACRO,KAAKf,IAAIG,OAAOY;IAChBM,QAAQX,UAAUR,MAAMF,IAAIW,OAAO;IACnCT;IACAI,KAAKN,IAAIG,OAAOG;EAClB;AACF,GAhB8B;AAkBvB,IAAMgB,iBAAiB,8BAAOtB,KAAiDC,YAAAA;AACpF,QAAM,EAAEC,KAAI,IAAKD;AACjB,MAAI,CAACD,IAAIG,OAAOoB,IAAK,OAAM,IAAIlB,MAAM,+CAA+C;AACpF,MAAI,CAACL,IAAIG,OAAOG,IAAK,OAAM,IAAID,MAAM,8CAA8C;AAEnF,MAAI,OAAOL,IAAIG,OAAOoB,QAAQ,UAAU;AACtC,UAAM,IAAIlB,MAAM,6BAA6BH,IAAAA,mCAAuC;EACtF;AAEA,SAAO;IAAEM,QAAQ;IAAON;IAAMqB,KAAKvB,IAAIG,OAAOoB;IAAKjB,KAAKN,IAAIG,OAAOG;EAAI;AACzE,GAV8B;AAYvB,IAAMkB,4BAA4B,8BACvCxB,KACAC,YAAAA;AAEA,QAAM,EAAEE,QAAQQ,QAAO,IAAKX;AAE5B,MAAIG,OAAOC,KAAKqB,WAAW,MAAA,EAAS,QAAO1B,kBAAkB;IAAEI;IAAQQ;EAAQ,GAAGV,OAAAA;WACzED,IAAIG,OAAOY,IAAK,QAAOD,eAAe;IAAEX;IAAQQ;EAAQ,GAAGV,OAAAA;WAC3DD,IAAIG,OA
AOoB,IAAK,QAAOD,eAAe;IAAEnB;IAAQQ;EAAQ,GAAGV,OAAAA;AAEpE,SAAO;IAAEO,QAAQ;IAAUN,MAAMD,QAAQC;EAAK;AAChD,GAXyC;;;ACjHzC,wBAA0B;AAQnB,SAASwB,SAAmDC,KAAW;AAC5E,QAAMC,aAASC,6BAAkBF,KAAK;IAAEC,QAAQ;EAAK,CAAA;AACrD,QAAME,cAAUD,6BAAmBF,KAAK;IAAEC,QAAQ;EAAM,CAAA;AAExD,MAAI,CAACE,WAAW,CAACF,QAAQ;AACvB,UAAM,IAAIG,MAAM,+CAAA;EAClB;AACA,SAAO;IAAEH;IAAQE;EAAQ;AAC3B;AARgBJ;AAiBhB,IAAMM,oBAAoB;AAEnB,SAASC,aAAaC,KAAcC,UAAiB;AAC1D,QAAMC,OAAOF,MAAMA,MAAMG,UAAAA;AACzB,QAAMC,YAAYH,WAAWA,WAAWH;AAExC,SAAO;IACLO,eAAeH,OAAOE;IACtBE,iBAAiBJ,OAAOE;EAC1B;AACF;AARgBL;AAaT,SAASI,YAAAA;AACd,SAAOI,KAAKC,MAAMC,KAAKT,IAAG,IAAK,GAAA;AACjC;AAFgBG;AAIT,IAAMO,mBAAmB;AAEzB,IAAMC,QAAQ,wBAACC,QAAAA;AACpB,QAAMC,WAAWD,IAAIE,MAAM,GAAA;AAC3B,SAAOD,SAASE,WAAW,KAAKF,SAASG,MAAM,CAACC,SAASP,iBAAiBQ,KAAKD,IAAAA,CAAAA;AACjF,GAHqB;AAId,IAAME,QAAQ,wBAACC,QAAAA;AACpB,QAAMC,WAAWD,IAAIN,MAAM,GAAA;AAC3B,SAAOO,SAASN,WAAW,KAAKM,SAASL,MAAM,CAACC,SAASP,iBAAiBQ,KAAKD,IAAAA,CAAAA;AACjF,GAHqB;AAKd,IAAMK,wBAAwB,wBAAC7B,QAAAA;AACpC,aAAOE,6BAAUF,KAAK;IAAEC,QAAQ;EAAK,CAAA;AACvC,GAFqC;AAI9B,IAAM6B,YAAY,wBAAC9B,QAAAA;AACxB,aAAOE,6BAAUF,KAAK;IAAEC,QAAQ;EAAM,CAAA;AACxC,GAFyB;AAIlB,IAAM8B,WAAW,wBAACC,UAAAA;AAKvB,QAAM,EAAEC,KAAK1B,KAAK2B,UAAS,IAAKF;AAChC,SAAOC,OAAO1B,OAAOS,KAAKT,IAAG,IAAK,QAAS2B,aAAa;AAC1D,GAPwB;;;AC/DxB,IAAAC,qBAA0B;AAG1B,IAAAC,OAAqB;AAGrB,kBAA6B;AAF7B,IAAM,EAAEC,UAAAA,UAAQ,IAAKC;AAmBd,IAAMC,6BAA6B;AA2BnC,SAASC,qBACdC,sBACAC,aACAC,qBAA6C;AAE7C,QAAMC,MAAMF,YAAYG,MAAM,GAAA,EAAK,CAAA,EAAGA,MAAM,GAAA,EAAK,CAAA;AACjD,SAAO;IACL,GAAGJ;IACHK,iBAAiB;MACf,GAAGL,qBAAqBK;MACxBF;MACAG,KAAK;MACL,GAAIJ,uBAAuB;QAAEK,aAAaL,oBAAoBK;MAAY;IAC5E;EACF;AACF;AAfgBR;AAiBhB,eAAsBS,WAAWC,SAAuB;AACtD,QAAM,EAAEC,mBAAmBC,WAAWN,iBAAiBO,8BAA6B,IAAKH;AAEzF,MAAIJ,gBAAgBE,gBAAgBF,gBAAgBE,aAAaM,WAAW,OAAA,KAAYR,gBAAgBE,aAAaM,WAAW,SAAA,IAAa;AAC3I,UAAM,IAAIC,MAAM,sCAAA;EAClB;AAEA,QAAMC,MAAMV,gBAAgBE,cAAcX,UAASoB,cAAcX,gBAAgBE,aAAa,QAAA,GAAW,WAAA,IAAeU;AACxH,SAAOP,kBACL;IAAEQ,QAAQ;IAAOC,MAAM;IAAQC,KAAKT,UAAUS;IAAKC,KAAKV,UAAUU;IAAKT;EAA8B,GACrG;IACEU,QAAQ;MAAE,
GAAGX;MAAWY,KAAK;MAAYH,KAAKT,UAAUS;MAAKC,KAAKV,UAAUU;IAAI;IAChFG,SAAS;MACP,GAAGnB;MACHoB,KAAKC,UAAAA;MACLC,SAAKC,YAAAA,IAAAA;MACL,GAAIb,OAAO;QAAEA;MAAI;IACnB;EACF,CAAA;AAEJ;AApBsBP;AAiCtB,eAAsBqB,WACpBC,SACArB,SAA0B;AAG1B,QAAMsB,OAAOD,QAAQE,QAAQ,MAAA;AAC7B,MAAI,CAACD,QAAQ,OAAOA,SAAS,UAAU;AACrC,UAAM,IAAIjB,MAAM,sDAAA;EAClB;AAGA,QAAM,EAAEQ,QAAQW,YAAYT,SAASU,YAAW,IAAKC,SAA+DJ,IAAAA;AAGpH,MAAIE,WAAWV,QAAQ,cAAc,CAACU,WAAWb,OAAO,CAACa,WAAWZ,OAAO,OAAOY,WAAWZ,QAAQ,YAAYY,WAAWZ,IAAIe,GAAG;AACjI,UAAM,IAAItB,MAAM,2CAAA;EAClB;AAGA,MAAI,CAACoB,YAAY5B,OAAO,CAAC4B,YAAY/B,OAAO,CAAC+B,YAAYT,OAAO,CAACS,YAAYP,KAAK;AAChF,UAAM,IAAIb,MAAM,6CAAA;EAClB;AAGA,MAAIL,SAAS4B,sBAAsB,CAAC5B,QAAQ4B,mBAAmBC,SAASL,WAAWb,GAAG,GAAG;AACvF,UAAM,IAAIN,MAAM,4CAA4CmB,WAAWb,GAAG,WAAWX,QAAQ4B,mBAAmBE,KAAK,IAAA,CAAA,iBAAsB;EAC7I;AAGA,MAAK9B,SAAS+B,iBAAiB,CAACN,YAAYO,SAAUP,YAAYO,UAAUhC,QAAQ+B,eAAe;AACjG,UAAM,IAAI1B,MAAM,oCAAA;EAClB;AAGA,MAAI;AACF,UAAM4B,qBAAqB,MAAMjC,QAAQkC,kBACvC;MACEzB,QAAQ;MACRC,MAAM;MACNE,KAAKY,WAAWZ;MAChBD,KAAKa,WAAWb;IAClB,GACA;MACEE,QAAQW;MACRT,SAASU;MACTU,KAAKb;IACP,CAAA;AAGF,QAAI,CAACW,oBAAoB;AACvB,YAAM,IAAI5B,MAAM,2CAAA;IAClB;EACF,SAAS+B,OAAgB;AACvB,UAAM,IAAI/B,MAAM,iDAAiD+B,iBAAiB/B,QAAQ+B,MAAMC,UAAU,gBAAc;EAC1H;AAGA,MAAIZ,YAAY5B,QAAQwB,QAAQZ,QAAQ;AACtC,UAAM,IAAIJ,MAAM,qEAAqEgB,QAAQZ,MAAM,GAAG;EACxG;AAGA,QAAM6B,aAAajB,QAAQkB,QAAQ5C,MAAM,GAAA,EAAK,CAAA,EAAGA,MAAM,GAAA,EAAK,CAAA;AAC5D,MAAI8B,YAAY/B,QAAQ4C,YAAY;AAClC,UAAM,IAAIjC,MAAM,uCAAA;EAClB;AAGA,MAAKL,QAAQ+B,iBAAiBN,YAAYO,UAAUhC,QAAQ+B,iBAAmB,CAAC/B,QAAQ+B,iBAAiBN,YAAYO,OAAQ;AAC3H,UAAM,IAAI3B,MAAM,oCAAA;EAClB;AAGA,QAAM,EAAEmC,eAAeC,gBAAe,IAAKC,aAAa1C,QAAQ2C,GAAG;AACnE;;IAEEH,iBAAiBxC,QAAQ4C,sBAAsB,MAAMnB,YAAYT;IAEjEyB,mBAAmBzC,QAAQ4C,sBAAsB,MAAMnB,YAAYT;IACnE;AAEA,UAAM,IAAIX,MAAM,uCAAA;EAClB;AAGA,QAAMwC,sBAAsBxB,QAAQE,QAAQuB;AAC5C,MAAI,CAAC9C,QAAQ+C,qBAAqBF,qBAAqB;AACrD,UAAM,IAAIxC,MAAM,kEAAA;EAClB;AAEA,MAAIL,QAAQ+C,mBAAmB;AAC7B,QAAI,CAACtB,YAAYnB,KAAK;AACpB,YAAM,IAAID,MAAM,iDAAA;IAClB;AAGA,QAAI,CAACwC,uBAAuB,OAAOA,wBAAwB,YAAY,CAAC
A,oBAAoBzC,WAAW,OAAA,GAAU;AAC/G,YAAM,IAAIC,MAAM,mDAAA;IAClB;AAEA,UAAMP,cAAc+C,oBAAoBG,QAAQ,SAAS,EAAA;AACzD,UAAMC,cAAc9D,UAASoB,cAAcT,aAAa,QAAA,GAAW,WAAA;AACnE,QAAI2B,YAAYnB,QAAQ2C,aAAa;AACnC,YAAM,IAAI5C,MAAM,uCAAA;IAClB;AAGA,UAAM6C,yBAAqBC,8BAAmDrD,aAAa;MAAEe,QAAQ;IAAM,CAAA;AAC3G,QAAI,CAACqC,mBAAmBE,KAAKC,KAAK;AAChC,YAAM,IAAIhD,MAAM,2DAAA;IAClB;AAEA,UAAMiD,YAAY,MAAMC,uBAAuB/B,WAAWZ,KAAK,QAAA;AAC/D,QAAIsC,mBAAmBE,KAAKC,QAAQC,WAAW;AAC7C,YAAM,IAAIjD,MAAM,4CAAA;IAClB;EACF;AAGA,SAAOmB,WAAWZ;AACpB;AAxHsBQ;AAiItB,eAAsBoC,mBACpBnC,SACArB,SAAqD;AAErD,MAAI,CAACqB,QAAQE,QAAQuB,iBAAiB,OAAOzB,QAAQE,QAAQuB,kBAAkB,UAAU;AACvF,UAAM,IAAIzC,MAAM,qEAAA;EAClB;AACA,QAAMoD,mBAAeN,8BAAgD9B,QAAQE,QAAQuB,eAAe;IAAEjC,QAAQ;EAAM,CAAA;AACpH,QAAM6C,YAAYD,aAAaE;AAE/B,MAAID,cAAc,QAAQ;AACxB;EACF;AAEA,SAAOtC,WAAWC,SAAS;IAAE,GAAGrB;IAAS+C,mBAAmB;EAAK,CAAA;AACnE;AAfsBS;;;ACnOtB,IAAAI,OAAqB;AAErB,IAAM,EAAEC,YAAYC,UAAAA,UAAQ,IAAKC;AAE1B,SAASC,kBAAkBC,OAAeC,UAAiC;AAChF,SAAOJ,UAASD,WAAWI,OAAOC,YAAY,WAAA,GAAc,QAAA;AAC9D;AAFgBF;AAIT,SAASG,WAAWC,QAAc;AACvC,SAAOA,OAAOC,QAAQ,MAAM,EAAA,EAAIA,QAAQ,OAAO,GAAA,EAAKA,QAAQ,OAAO,GAAA;AACrE;AAFgBF;AAIT,SAASG,sBAAsBC,KAA6C;AACjF,SAAOJ,WAAWI,IAAIT,SAAS,QAAA,CAAA;AACjC;AAFgBQ;AAIT,SAASE,kBAAkBC,WAAiB;AACjD,QAAMC,aAAab,WAAWY,WAAW,WAAA;AACzC,SAAOX,UAASY,YAAY,OAAA;AAC9B;AAHgBF;;;APPhB,IAAAG,eAA6B;AATtB,IAAMC,cAAcC,0BAAQC;AAC5B,IAAMC,iBAAiBH,YAAYI,IAAI,yBAAA;","names":["import_ssi_types","SigningAlgo","defaultHasher","data","algorithm","shaHasher","toString","u8a","check","value","description","Error","calculateJwkThumbprint","jwk","digestAlgorithm","TypeError","algorithm","components","kty","crv","x","y","e","n","k","defaultHasher","JSON","stringify","getDigestAlgorithmFromJwkThumbprintUri","uri","match","calculateJwkThumbprintUri","thumbprint","slice","getDidJwtVerifier","jwt","options","type","header","kid","Error","alg","includes","method","didUrl","getIssuer","payload","client_id","iss","getX5cVerifier","x5c","Array","isArray","length","every","cert","issuer","getJwkVerif
ier","jwk","getJwtVerifierWithContext","startsWith","parseJWT","jwt","header","jwtDecode","payload","Error","DEFAULT_SKEW_TIME","getNowSkewed","now","skewTime","_now","epochTime","_skewTime","nowSkewedPast","nowSkewedFuture","Math","floor","Date","BASE64_URL_REGEX","isJws","jws","jwsParts","split","length","every","part","test","isJwe","jwe","jweParts","decodeProtectedHeader","decodeJwt","checkExp","input","exp","clockSkew","import_jwt_decode","u8a","toString","u8a","dpopTokenRequestNonceError","getCreateDPoPOptions","createDPoPClientOpts","endPointUrl","resourceRequestOpts","htu","split","jwtPayloadProps","htm","accessToken","createDPoP","options","createJwtCallback","jwtIssuer","dPoPSigningAlgValuesSupported","startsWith","Error","ath","defaultHasher","undefined","method","type","alg","jwk","header","typ","payload","iat","epochTime","jti","uuidv4","verifyDPoP","request","dpop","headers","dPoPHeader","dPoPPayload","parseJWT","d","acceptedAlgorithms","includes","join","expectedNonce","nonce","verificationResult","jwtVerifyCallback","raw","error","message","currentUri","fullUrl","nowSkewedPast","nowSkewedFuture","getNowSkewed","now","maxIatAgeInSeconds","authorizationHeader","authorization","expectAccessToken","replace","expectedAth","accessTokenPayload","jwtDecode","cnf","jkt","thumprint","calculateJwkThumbprint","verifyResourceDPoP","tokenPayload","tokenType","token_type","u8a","fromString","toString","u8a","base64ToHexString","input","encoding","fromBase64","base64","replace","base64urlEncodeBuffer","buf","base64urlToString","base64url","uint8array","import_uuid","VCI_LOGGERS","Loggers","DEFAULT","VCI_LOG_COMMON","get"]}