feat: mdoc-support

.changeset/metal-carrots-hang.md

@@ -0,0 +1,5 @@
+---
+'@credo-ts/core': patch
+---
+
+feat: mdoc-support

demo-openid/src/Holder.ts

@@ -5,6 +5,7 @@ import {
  W3cJwtVerifiableCredential,
  W3cJsonLdVerifiableCredential,
  DifPresentationExchangeService,
+ Mdoc,
 } from '@credo-ts/core'
 import { OpenId4VcHolderModule } from '@credo-ts/openid4vc'
 import { ariesAskar } from '@hyperledger/aries-askar-nodejs'
@@ -56,6 +57,8 @@ export class Holder extends BaseAgent<ReturnType<typeof getOpenIdHolderModules>>
  const credential = response.credential
  if (credential instanceof W3cJwtVerifiableCredential || credential instanceof W3cJsonLdVerifiableCredential) {
  return this.agent.w3cCredentials.storeCredential({ credential })
+ } else if (credential instanceof Mdoc) {
+ return this.agent.mdoc.store(credential)
  } else {
  return this.agent.sdJwtVc.store(credential.compact)
  }

demo-openid/src/HolderInquirer.ts

@@ -1,7 +1,7 @@
-import type { SdJwtVcRecord, W3cCredentialRecord } from '@credo-ts/core'
+import type { MdocRecord, SdJwtVcRecord, W3cCredentialRecord } from '@credo-ts/core'
 import type { OpenId4VcSiopResolvedAuthorizationRequest, OpenId4VciResolvedCredentialOffer } from '@credo-ts/openid4vc'
 
-import { DifPresentationExchangeService } from '@credo-ts/core'
+import { DifPresentationExchangeService, Mdoc } from '@credo-ts/core'
 import console, { clear } from 'console'
 import { textSync } from 'figlet'
 import { prompt } from 'inquirer'
@@ -181,11 +181,16 @@ export class HolderInquirer extends BaseInquirer {
  }
  }
 
- private printCredential = (credential: W3cCredentialRecord | SdJwtVcRecord) => {
+ private printCredential = (credential: W3cCredentialRecord | SdJwtVcRecord | MdocRecord) => {
  if (credential.type === 'W3cCredentialRecord') {
  console.log(greenText(`W3cCredentialRecord with claim format ${credential.credential.claimFormat}`, true))
  console.log(JSON.stringify(credential.credential.jsonCredential, null, 2))
  console.log('')
+ } else if (credential.type === 'MdocRecord') {
+ console.log(greenText(`MdocRecord`, true))
+ const namespaces = Mdoc.fromBase64Url(credential.base64Url).namespaces
+ console.log(JSON.stringify(namespaces, null, 2))
+ console.log('')
  } else {
  console.log(greenText(`SdJwtVcRecord`, true))
  const prettyClaims = this.holder.agent.sdJwtVc.fromCompact(credential.compactSdJwtVc).prettyClaims

packages/core/package.json

@@ -29,11 +29,15 @@
  "@digitalcredentials/jsonld-signatures": "^9.4.0",
  "@digitalcredentials/vc": "^6.0.1",
  "@multiformats/base-x": "^4.0.1",
- "@noble/hashes": "^1.4.0",
+ "@noble/curves": "^1.6.0",
+ "@noble/hashes": "^1.5.0",
  "@peculiar/asn1-ecc": "^2.3.8",
  "@peculiar/asn1-schema": "^2.3.8",
  "@peculiar/asn1-x509": "^2.3.8",
  "@peculiar/x509": "^1.11.0",
+ "@protokoll/core": "0.2.26",
+ "@protokoll/crypto": "0.2.26",
+ "@protokoll/mdoc-client": "0.2.26",
  "@sd-jwt/core": "^0.7.0",
  "@sd-jwt/decode": "^0.7.0",
  "@sd-jwt/jwt-status-list": "^0.7.0",
@@ -54,7 +58,7 @@
  "did-resolver": "^4.1.0",
  "jsonpath": "^1.1.1",
  "lru_map": "^0.4.1",
- "luxon": "^3.3.0",
+ "luxon": "^3.5.0",
  "make-error": "^1.3.6",
  "object-inspect": "^1.10.3",
  "query-string": "^7.0.1",

packages/core/src/agent/AgentModules.ts

@@ -10,6 +10,7 @@ import { DidsModule } from '../modules/dids'
 import { DifPresentationExchangeModule } from '../modules/dif-presentation-exchange'
 import { DiscoverFeaturesModule } from '../modules/discover-features'
 import { GenericRecordsModule } from '../modules/generic-records'
+import { MdocModule } from '../modules/mdoc/MdocModule'
 import { MessagePickupModule } from '../modules/message-pickup'
 import { OutOfBandModule } from '../modules/oob'
 import { ProofsModule } from '../modules/proofs'
@@ -137,6 +138,7 @@ function getDefaultAgentModules() {
  pex: () => new DifPresentationExchangeModule(),
  sdJwtVc: () => new SdJwtVcModule(),
  x509: () => new X509Module(),
+ mdoc: () => new MdocModule(),
  } as const
 }
 

packages/core/src/agent/BaseAgent.ts

@@ -14,6 +14,7 @@ import { CredentialsApi } from '../modules/credentials'
 import { DidsApi } from '../modules/dids'
 import { DiscoverFeaturesApi } from '../modules/discover-features'
 import { GenericRecordsApi } from '../modules/generic-records'
+import { MdocApi } from '../modules/mdoc'
 import { MessagePickupApi } from '../modules/message-pickup/MessagePickupApi'
 import { OutOfBandApi } from '../modules/oob'
 import { ProofsApi } from '../modules/proofs'
@@ -53,6 +54,7 @@ export abstract class BaseAgent<AgentModules extends ModulesMap = EmptyModuleMap
  public readonly mediationRecipient: MediationRecipientApi
  public readonly messagePickup: CustomOrDefaultApi<AgentModules['messagePickup'], MessagePickupModule>
  public readonly basicMessages: BasicMessagesApi
+ public readonly mdoc: MdocApi
  public readonly genericRecords: GenericRecordsApi
  public readonly discovery: DiscoverFeaturesApi
  public readonly dids: DidsApi
@@ -111,6 +113,7 @@ export abstract class BaseAgent<AgentModules extends ModulesMap = EmptyModuleMap
  this.w3cCredentials = this.dependencyManager.resolve(W3cCredentialsApi)
  this.sdJwtVc = this.dependencyManager.resolve(SdJwtVcApi)
  this.x509 = this.dependencyManager.resolve(X509Api)
+ this.mdoc = this.dependencyManager.resolve(MdocApi)
 
  const defaultApis = [
  this.connections,

packages/core/src/crypto/webcrypto/CredoWebCrypto.ts

@@ -2,6 +2,8 @@ import type { AgentContext } from '../../agent'
 
 import * as core from 'webcrypto-core'
 
+import { Hasher } from '../hashes'
+
 import { CredoSubtle } from './CredoSubtle'
 import { CredoWalletWebCrypto } from './CredoWalletWebCrypto'
 
@@ -18,4 +20,8 @@ export class CredoWebCrypto extends core.Crypto {
  public getRandomValues<T extends ArrayBufferView | null>(array: T): T {
  return this.walletWebCrypto.generateRandomValues(array)
  }
+
+ public digest(algorithm: string, data: ArrayBuffer): ArrayBuffer {
+ return Hasher.hash(new Uint8Array(data), algorithm)
+ }
 }

packages/core/src/index.ts

@@ -64,6 +64,7 @@ export * from './modules/vc'
 export * from './modules/cache'
 export * from './modules/dif-presentation-exchange'
 export * from './modules/sd-jwt-vc'
+export * from './modules/mdoc'
 export {
  JsonEncoder,
  JsonTransformer,

packages/core/src/modules/dif-presentation-exchange/DifPresentationExchangeService.ts

@@ -22,13 +22,15 @@ import type {
  W3CVerifiablePresentation,
 } from '@sphereon/ssi-types'
 
-import { PEVersion, PEX, Status } from '@sphereon/pex'
+import { PEVersion, PEX, PresentationSubmissionLocation, Status } from '@sphereon/pex'
 import { injectable } from 'tsyringe'
 
 import { Hasher, getJwkFromKey } from '../../crypto'
 import { CredoError } from '../../error'
 import { JsonTransformer } from '../../utils'
 import { DidsApi, getKeyFromVerificationMethod } from '../dids'
+import { Mdoc, MdocApi, MdocOpenId4VpSessionTranscriptOptions, MdocRecord } from '../mdoc'
+import { MdocDeviceResponse } from '../mdoc/MdocDeviceResponse'
 import { SdJwtVcApi } from '../sd-jwt-vc'
 import {
  ClaimFormat,
@@ -151,9 +153,10 @@ export class DifPresentationExchangeService {
  presentationSubmissionLocation?: DifPresentationExchangeSubmissionLocation
  challenge: string
  domain?: string
+ openid4vp?: MdocOpenId4VpSessionTranscriptOptions
  }
  ) {
- const { presentationDefinition, domain, challenge } = options
+ const { presentationDefinition, domain, challenge, openid4vp } = options
  const presentationSubmissionLocation =
  options.presentationSubmissionLocation ?? DifPresentationExchangeSubmissionLocation.PRESENTATION
 
@@ -172,11 +175,6 @@ export class DifPresentationExchangeService {
  presentationDefinition as DifPresentationExchangeDefinitionV1
  ).input_descriptors.filter((inputDescriptor) => inputDescriptorIds.includes(inputDescriptor.id))
 
- // Get all the credentials for the presentation
- const credentialsForPresentation = presentationToCreate.verifiableCredentials.map((c) =>
- getSphereonOriginalVerifiableCredential(c.credential)
- )
-
  const presentationDefinitionForSubject: DifPresentationExchangeDefinition = {
  ...presentationDefinition,
  input_descriptors: inputDescriptorsForPresentation,
@@ -185,6 +183,42 @@ export class DifPresentationExchangeService {
  submission_requirements: undefined,
  }
 
+ if (presentationToCreate.claimFormat === ClaimFormat.MsoMdoc) {
+ if (presentationToCreate.verifiableCredentials.length !== 1) {
+ throw new DifPresentationExchangeError(
+ 'Currently a Mdoc presentation can only be created from a single credential'
+ )
+ }
+ const mdocRecord = presentationToCreate.verifiableCredentials[0].credential
+ if (!openid4vp) {
+ throw new DifPresentationExchangeError('Missing openid4vp options for creating MDOC presentation.')
+ }
+
+ const { deviceResponseBase64Url, presentationSubmission } = await MdocDeviceResponse.openId4Vp(agentContext, {
+ mdocs: [Mdoc.fromBase64Url(mdocRecord.base64Url)],
+ presentationDefinition: presentationDefinition as DifPresentationExchangeDefinitionV2,
+ sessionTranscriptOptions: {
+ ...openid4vp,
+ },
+ })
+
+ verifiablePresentationResultsWithFormat.push({
+ verifiablePresentationResult: {
+ presentationSubmission: presentationSubmission,
+ verifiablePresentation: deviceResponseBase64Url,
+ presentationSubmissionLocation: PresentationSubmissionLocation.EXTERNAL,
+ },
+ claimFormat: presentationToCreate.claimFormat,
+ })
+
+ continue
+ }
+
+ // Get all the credentials for the presentation
+ const credentialsForPresentation = presentationToCreate.verifiableCredentials.map((c) =>
+ getSphereonOriginalVerifiableCredential(c.credential)
+ )
+
  const verifiablePresentationResult = await this.pex.verifiablePresentationFrom(
  presentationDefinitionForSubject,
  credentialsForPresentation,
@@ -564,10 +598,12 @@ export class DifPresentationExchangeService {
  private async queryCredentialForPresentationDefinition(
  agentContext: AgentContext,
  presentationDefinition: DifPresentationExchangeDefinition
- ): Promise<Array<SdJwtVcRecord | W3cCredentialRecord>> {
+ ): Promise<Array<SdJwtVcRecord | W3cCredentialRecord | MdocRecord>> {
  const w3cCredentialRepository = agentContext.dependencyManager.resolve(W3cCredentialRepository)
  const w3cQuery: Array<Query<W3cCredentialRecord>> = []
  const sdJwtVcQuery: Array<Query<SdJwtVcRecord>> = []
+ const mdocQuery: Array<Query<MdocRecord>> = []
+
  const presentationDefinitionVersion = PEX.definitionVersionDiscovery(presentationDefinition)
 
  if (!presentationDefinitionVersion.version) {
@@ -591,6 +627,9 @@ export class DifPresentationExchangeService {
  w3cQuery.push({
  $or: [{ expandedTypes: [schema.uri] }, { contexts: [schema.uri] }, { types: [schema.uri] }],
  })
+ mdocQuery.push({
+ docType: inputDescriptor.id,
+ })
  }
  }
  } else if (presentationDefinitionVersion.version === PEVersion.v2) {
@@ -603,33 +642,33 @@ export class DifPresentationExchangeService {
  )
  }
 
- const allRecords: Array<SdJwtVcRecord | W3cCredentialRecord> = []
+ const allRecords: Array<SdJwtVcRecord | W3cCredentialRecord | MdocRecord> = []
 
  // query the wallet ourselves first to avoid the need to query the pex library for all
  // credentials for every proof request
  const w3cCredentialRecords =
  w3cQuery.length > 0
- ? await w3cCredentialRepository.findByQuery(agentContext, {
- $or: w3cQuery,
- })
+ ? await w3cCredentialRepository.findByQuery(agentContext, { $or: w3cQuery })
  : await w3cCredentialRepository.getAll(agentContext)
-
  allRecords.push(...w3cCredentialRecords)
 
  const sdJwtVcApi = this.getSdJwtVcApi(agentContext)
  const sdJwtVcRecords =
- sdJwtVcQuery.length > 0
- ? await sdJwtVcApi.findAllByQuery({
- $or: sdJwtVcQuery,
- })
- : await sdJwtVcApi.getAll()
-
+ sdJwtVcQuery.length > 0 ? await sdJwtVcApi.findAllByQuery({ $or: sdJwtVcQuery }) : await sdJwtVcApi.getAll()
  allRecords.push(...sdJwtVcRecords)
 
+ const mdocApi = this.getMdocApi(agentContext)
+ const mdocRecords = mdocQuery.length > 0 ? await mdocApi.findAllByQuery({ $or: mdocQuery }) : await mdocApi.getAll()
+ allRecords.push(...mdocRecords)
+
  return allRecords
  }
 
  private getSdJwtVcApi(agentContext: AgentContext) {
  return agentContext.dependencyManager.resolve(SdJwtVcApi)
  }
+
+ private getMdocApi(agentContext: AgentContext) {
+ return agentContext.dependencyManager.resolve(MdocApi)
+ }
 }

packages/core/src/modules/dif-presentation-exchange/models/DifPexCredentialsForRequest.ts

@@ -1,5 +1,7 @@
+import type { MdocRecord } from '../../mdoc'
 import type { SdJwtVcRecord } from '../../sd-jwt-vc'
 import type { ClaimFormat, W3cCredentialRecord } from '../../vc'
+import type { IssuerSignedItem } from '@protokoll/mdoc-client'
 
 export interface DifPexCredentialsForRequest {
  /**
@@ -129,8 +131,13 @@ export type SubmissionEntryCredential =
  type: ClaimFormat.JwtVc | ClaimFormat.LdpVc
  credentialRecord: W3cCredentialRecord
  }
+ | {
+ type: ClaimFormat.MsoMdoc
+ credentialRecord: MdocRecord
+ disclosedPayload: Record<string, IssuerSignedItem[]>
+ }
 
 /**
  * Mapping of selected credentials for an input descriptor
  */
-export type DifPexInputDescriptorToCredentials = Record<string, Array<W3cCredentialRecord | SdJwtVcRecord>>
+export type DifPexInputDescriptorToCredentials = Record<string, Array<W3cCredentialRecord | SdJwtVcRecord | MdocRecord>>

packages/core/src/modules/dif-presentation-exchange/models/index.ts

@@ -1,4 +1,6 @@
 export * from './DifPexCredentialsForRequest'
+import type { Mdoc } from '../../mdoc'
+import type { MdocVerifiablePresentation } from '../../mdoc/MdocVerifiablePresentation'
 import type { SdJwtVc } from '../../sd-jwt-vc'
 import type { W3cVerifiableCredential, W3cVerifiablePresentation } from '../../vc'
 import type { PresentationDefinitionV1, PresentationDefinitionV2, PresentationSubmission } from '@sphereon/pex-models'
@@ -13,5 +15,5 @@ export type DifPresentationExchangeSubmission = PresentationSubmission
 export { PresentationSubmissionLocation as DifPresentationExchangeSubmissionLocation }
 
 // TODO: we might want to move this to another place at some point
-export type VerifiablePresentation = W3cVerifiablePresentation | SdJwtVc
-export type VerifiableCredential = W3cVerifiableCredential | SdJwtVc
+export type VerifiablePresentation = W3cVerifiablePresentation | SdJwtVc | MdocVerifiablePresentation
+export type VerifiableCredential = W3cVerifiableCredential | SdJwtVc | Mdoc