{"version":3,"file":"X509ModuleConfig.mjs","names":[],"sources":["../../../src/modules/x509/X509ModuleConfig.ts"],"sourcesContent":["import type { AgentContext } from '../../agent'\nimport type { JwtPayload } from '../../crypto'\nimport type { Mdoc } from '../mdoc/Mdoc'\nimport type { SdJwtVc } from '../sd-jwt-vc'\nimport type { W3cJwtVerifiableCredential, W3cJwtVerifiablePresentation } from '../vc'\n\nimport { X509Certificate } from './X509Certificate'\n\nexport type X509VerificationTypeCredential = {\n  type: 'credential'\n  credential: SdJwtVc | Mdoc | W3cJwtVerifiableCredential | W3cJwtVerifiablePresentation\n\n  /**\n   * The `id` of the `DidCommProofRecord` that this verification is bound to.\n   */\n  didcommProofRecordId?: string\n\n  /**\n   * The `id` of the `OpenId4VcVerificationSessionRecord` that this verification is bound to.\n   */\n  openId4VcVerificationSessionId?: string\n}\n\n// NOTE: we should probably move these to the OpenID4VC module\n// but have to think about the typing. Probably the base interface should just contain\n// the `verification` with a `type`. And extension modules can extend the verification\nexport type X509VerificationTypeOauth2SecuredAuthorizationRequest = {\n  type: 'oauth2SecuredAuthorizationRequest'\n  authorizationRequest: {\n    jwt: string\n    payload: JwtPayload\n  }\n}\n\nexport type X509VerificationTypeOpenId4VciKeyAttestation = {\n  type: 'openId4VciKeyAttestation'\n\n  /**\n   * The `id` of the `OpenId4VcIssuanceSessionRecord` that this key\n   * attestation verification is bound to.\n   */\n  // TODO: should be the record, but we don't have access to the record type here.\n  openId4VcIssuanceSessionId: string\n\n  // NOTE: it would be more helpful to have the typed JWT payload from openid4vc here?\n  keyAttestation: {\n    jwt: string\n    payload: JwtPayload\n  }\n}\n\nexport type X509VerificationTypeOpenId4VciCredentialIssuerMetadata = {\n  type: 'openId4VciCredentialIssuerMetadata'\n\n  // NOTE: it would be more helpful to have the typed JWT payload from openid4vc here?\n  credentialIssuerMetadata: {\n    jwt: string\n    payload: JwtPayload\n  }\n}\n\nexport type X509VerificationTypeOauth2ClientAttestation = {\n  type: 'oauth2ClientAttestation'\n\n  /**\n   * The `id` of the `OpenId4VcIssuanceSessionRecord` that this client\n   * attestation verification is bound to.\n   */\n  // TODO: should be the record, but we don't have access to the record type here.\n  openId4VcIssuanceSessionId: string\n\n  // NOTE: it would be more helpful to have the typed JWT payload from openid4vc here?\n  clientAttestation: {\n    jwt: string\n    payload: JwtPayload\n  }\n}\n\nexport interface X509VerificationContext {\n  /**\n   * The certificate chain provided with the data to be verified. The trusted certificates\n   * are determined before verification and thus it is not verified that the data was actually\n   * signed by the private key assocaited with the leaf certificate in the certificate chain, or\n   * whether the certificate chain is valid. However if the certificate\n   * does not match, or is not valid, verification will always fail at a later stage\n   */\n  certificateChain: X509Certificate[]\n\n  verification:\n    | X509VerificationTypeCredential\n    | X509VerificationTypeOauth2SecuredAuthorizationRequest\n    | X509VerificationTypeOauth2ClientAttestation\n    | X509VerificationTypeOpenId4VciKeyAttestation\n    | X509VerificationTypeOpenId4VciCredentialIssuerMetadata\n}\n\nexport interface X509ModuleConfigOptions {\n  /**\n   *\n   * Array of trusted base64-encoded certificate strings in the DER-format.\n   */\n  trustedCertificates?: Array<string | X509Certificate>\n\n  /**\n   * Optional callback method that will be called to dynamically get trusted certificates for a verification.\n   * It will provide the `agentContext` and `verificationContext` allowing to dynamically set the trusted certificates\n   * for a tenant or verificaiton context.\n   *\n   * If no certificaets should be trusted an empty array should be returned. If `undefined` is returned\n   * it will fallback to the globally registered trusted certificates\n   *\n   * @returns An array of base64-encoded certificate strings or PEM certificate strings.\n   */\n  getTrustedCertificatesForVerification?(\n    agentContext: AgentContext,\n    verificationContext: X509VerificationContext\n  ): Promise<string[] | undefined> | string[] | undefined\n}\n\nexport class X509ModuleConfig {\n  #trustedCertificates?: X509Certificate[]\n  #getTrustedCertificatesForVerification?: X509ModuleConfigOptions['getTrustedCertificatesForVerification']\n\n  public constructor(options?: X509ModuleConfigOptions) {\n    this.setTrustedCertificates(options?.trustedCertificates)\n    if (options?.getTrustedCertificatesForVerification) {\n      this.setTrustedCertificatesForVerification(options.getTrustedCertificatesForVerification)\n    }\n  }\n\n  public get trustedCertificates() {\n    // TODO: we should probably update this API to return the instances, but don't want to\n    // break too much now\n    return this.#trustedCertificates?.map((cert) => cert.toString('pem'))\n  }\n\n  public get getTrustedCertificatesForVerification() {\n    return this.#getTrustedCertificatesForVerification\n  }\n\n  public setTrustedCertificatesForVerification(fn: X509ModuleConfigOptions['getTrustedCertificatesForVerification']) {\n    this.#getTrustedCertificatesForVerification = fn\n  }\n\n  public setTrustedCertificates(trustedCertificates?: Array<string | X509Certificate>) {\n    const certificateInstances = trustedCertificates?.map((trustedCertificate) =>\n      typeof trustedCertificate === 'string'\n        ? X509Certificate.fromEncodedCertificate(trustedCertificate)\n        : trustedCertificate\n    )\n    this.#trustedCertificates = trustedCertificates?.length ? certificateInstances : undefined\n  }\n\n  public addTrustedCertificate(trustedCertificate: string | X509Certificate) {\n    const certificateInstance =\n      typeof trustedCertificate === 'string'\n        ? X509Certificate.fromEncodedCertificate(trustedCertificate)\n        : trustedCertificate\n\n    if (!this.#trustedCertificates) {\n      this.#trustedCertificates = []\n    }\n\n    this.#trustedCertificates.push(certificateInstance)\n  }\n}\n"],"mappings":";;;;;;;;;;AAuHA,IAAa,mBAAb,MAA8B;CAI5B,AAAO,YAAY,SAAmC;;;AACpD,OAAK,uBAAuB,SAAS,oBAAoB;AACzD,MAAI,SAAS,sCACX,MAAK,sCAAsC,QAAQ,sCAAsC;;CAI7F,IAAW,sBAAsB;AAG/B,sDAAO,KAAyB,EAAE,KAAK,SAAS,KAAK,SAAS,MAAM,CAAC;;CAGvE,IAAW,wCAAwC;AACjD,wEAAO,KAA2C;;CAGpD,AAAO,sCAAsC,IAAsE;AACjH,uEAA8C,GAAE;;CAGlD,AAAO,uBAAuB,qBAAuD;EACnF,MAAM,uBAAuB,qBAAqB,KAAK,uBACrD,OAAO,uBAAuB,WAC1B,gBAAgB,uBAAuB,mBAAmB,GAC1D,mBACL;AACD,qDAA4B,qBAAqB,SAAS,uBAAuB,OAAS;;CAG5F,AAAO,sBAAsB,oBAA8C;EACzE,MAAM,sBACJ,OAAO,uBAAuB,WAC1B,gBAAgB,uBAAuB,mBAAmB,GAC1D;AAEN,MAAI,8CAAC,KAAyB,CAC5B,oDAA4B,EAAE;AAGhC,oDAAyB,CAAC,KAAK,oBAAoB"}