feat: openid4vp

packages/oauth2/package.json

@@ -1,9 +1,9 @@
 {
   "name": "@openid4vc/oauth2",
   "version": "0.2.0",
-  "exports": "./src/index.ts",
   "files": ["dist"],
   "license": "Apache-2.0",
+  "exports": "./src/index.ts",
   "homepage": "https://github.com/openwallet-foundation-labs/oid4vc-ts/tree/main/packages/oauth2",
   "repository": {
     "type": "git",

packages/oauth2/src/Oauth2AuthorizationServer.ts

@@ -37,7 +37,7 @@ export interface Oauth2AuthorizationServerOptions {
   /**
    * Callbacks required for the oauth2 authorization server
    */
-  callbacks: CallbackContext
+  callbacks: Omit<CallbackContext, 'decryptJwt' | 'encryptJwe'>
 }
 
 export class Oauth2AuthorizationServer {

packages/oauth2/src/Oauth2Client.ts

@@ -32,7 +32,7 @@ export interface Oauth2ClientOptions {
   /**
    * Callbacks required for the oauth2 client
    */
-  callbacks: Omit<CallbackContext, 'verifyJwt' | 'clientAuthentication'>
+  callbacks: Omit<CallbackContext, 'verifyJwt' | 'clientAuthentication' | 'decryptJwt' | 'encryptJwe'>
 }
 
 export class Oauth2Client {

packages/oauth2/src/callbacks.ts

@@ -1,7 +1,7 @@
 import type { Fetch, OrPromise } from '@openid4vc/utils'
 import type { ClientAuthenticationCallback } from './client-authentication'
 import type { Jwk } from './common/jwk/v-jwk'
-import type { JwtHeader, JwtPayload, JwtSigner } from './common/jwt/v-jwt'
+import type { JweEncryptor, JwtHeader, JwtPayload, JwtSigner } from './common/jwt/v-jwt'
 
 /**
  * Supported hashing algorithms
@@ -39,6 +39,36 @@ export type VerifyJwtCallback = (
     }
 >
 
+export interface DecryptJwtCallbackOptions {
+  jwk: Jwk
+}
+
+export type DecryptJwtCallback = (
+  jwe: string,
+  options?: DecryptJwtCallbackOptions
+) => OrPromise<
+  | {
+      decrypted: true
+      decryptionJwk: Jwk
+      payload: string
+      header: JwtHeader
+    }
+  | {
+      decrypted: false
+      decryptionJwk?: Jwk
+      payload?: string
+      header?: JwtHeader
+    }
+>
+
+export type EncryptJweCallback = (
+  jweEncryptor: JweEncryptor,
+  data: string
+) => OrPromise<{
+  encryptionJwk: Jwk
+  jwe: string
+}>
+
 /**
  * Callback context provides the callbacks that are required for the oid4vc library
  */
@@ -58,6 +88,16 @@ export interface CallbackContext {
    */
   signJwt: SignJwtCallback
 
+  /**
+   * Decrypt jwe callback for decrypting of Json Web Encryptions
+   */
+  decryptJwt: DecryptJwtCallback
+
+  /**
+   * Encrypt jwt callback for encrypting of Json Web Encryptions
+   */
+  encryptJwe: EncryptJweCallback
+
   /**
    * Verify jwt callback for verification of Json Web Tokens
    */
@@ -83,4 +123,14 @@ export interface CallbackContext {
    * scenarios where multiple authorization servers are supported.
    */
   clientAuthentication: ClientAuthenticationCallback
+
+  /**
+   * Get the DNS names from a X.509 certificate
+   */
+  getX509SanDnsNames?: (certificate: string) => string[]
+
+  /**
+   * Get the URI names from a X.509 certificate
+   */
+  getX509SanUriNames?: (certificate: string) => string[]
 }

packages/oauth2/src/common/jwe/v-jwe.ts

@@ -0,0 +1,6 @@
+import * as v from 'valibot'
+
+export const vCompactJwe = v.pipe(
+  v.string(),
+  v.regex(/^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$/, 'Not a valid compact jwe')
+)

packages/oauth2/src/common/jwk/v-jwk.ts

@@ -28,7 +28,7 @@ export const vJwk = v.looseObject({
   q: v.optional(v.string()),
   qi: v.optional(v.string()),
   use: v.optional(v.string()),
-  x5c: v.optional(v.string()),
+  x5c: v.optional(v.array(v.string())),
   x5t: v.optional(v.string()),
   'x5t#S256': v.optional(v.string()),
   x5u: v.optional(v.string()),

packages/oauth2/src/common/jwt/decode-jwt-header.ts

@@ -0,0 +1,52 @@
+import {
+  type BaseSchema,
+  decodeBase64,
+  encodeToUtf8String,
+  parseWithErrorHandling,
+  stringToJsonWithErrorHandling,
+} from '@openid4vc/utils'
+import { Oauth2JwtParseError } from '../../error/Oauth2JwtParseError'
+import type { InferSchemaOutput } from './decode-jwt'
+import { vJwtHeader } from './v-jwt'
+
+export interface DecodeJwtHeaderOptions<HeaderSchema extends BaseSchema | undefined> {
+  /**
+   * The comapct encoded jwt
+   */
+  jwe: string
+
+  /**
+   * Schema to use for validating the header. If not provided the
+   * default `vJwtHeader` schema will be used
+   */
+  headerSchema?: HeaderSchema
+}
+
+export type DecodeJweResult<HeaderSchema extends BaseSchema | undefined = undefined> = {
+  header: InferSchemaOutput<HeaderSchema, typeof vJwtHeader>
+}
+
+export function decodeJwtHeader<HeaderSchema extends BaseSchema | undefined = undefined>(
+  options: DecodeJwtHeaderOptions<HeaderSchema>
+): DecodeJweResult<HeaderSchema> {
+  const jwtParts = options.jwe.split('.')
+  if (jwtParts.length <= 2) {
+    throw new Oauth2JwtParseError('Jwt is not a valid jwt, unable to decode')
+  }
+
+  let headerJson: Record<string, unknown>
+  try {
+    headerJson = stringToJsonWithErrorHandling(
+      encodeToUtf8String(decodeBase64(jwtParts[0])),
+      'Unable to parse jwt header to JSON'
+    )
+  } catch (error) {
+    throw new Oauth2JwtParseError('Error parsing JWT')
+  }
+
+  const header = parseWithErrorHandling(options.headerSchema ?? vJwtHeader, headerJson)
+
+  return {
+    header,
+  }
+}

packages/oauth2/src/common/jwt/decode-jwt.ts

@@ -8,7 +8,8 @@ import {
   stringToJsonWithErrorHandling,
 } from '@openid4vc/utils'
 import { Oauth2JwtParseError } from '../../error/Oauth2JwtParseError'
-import { type JwtSigner, vJwtHeader, vJwtPayload } from './v-jwt'
+import { decodeJwtHeader } from './decode-jwt-header'
+import { type JwtSigner, type vJwtHeader, vJwtPayload } from './v-jwt'
 
 export interface DecodeJwtOptions<
   HeaderSchema extends BaseSchema | undefined,
@@ -50,13 +51,8 @@ export function decodeJwt<
     throw new Oauth2JwtParseError('Jwt is not a valid jwt, unable to decode')
   }
 
-  let headerJson: Record<string, unknown>
   let payloadJson: Record<string, unknown>
   try {
-    headerJson = stringToJsonWithErrorHandling(
-      encodeToUtf8String(decodeBase64(jwtParts[0])),
-      'Unable to parse jwt header to JSON'
-    )
     payloadJson = stringToJsonWithErrorHandling(
       encodeToUtf8String(decodeBase64(jwtParts[1])),
       'Unable to parse jwt payload to JSON'
@@ -65,7 +61,7 @@ export function decodeJwt<
     throw new Oauth2JwtParseError('Error parsing JWT')
   }
 
-  const header = parseWithErrorHandling(options.headerSchema ?? vJwtHeader, headerJson)
+  const { header } = decodeJwtHeader({ jwe: options.jwt, headerSchema: options.headerSchema })
   const payload = parseWithErrorHandling(options.payloadSchema ?? vJwtPayload, payloadJson)
 
   return {
@@ -175,7 +171,7 @@ export function jwtSignerFromJwt({ header, payload }: Pick<DecodeJwtResult, 'hea
 type IsSchemaProvided<T> = T extends undefined ? false : true
 
 // Helper type to infer the output type based on whether a schema is provided
-type InferSchemaOutput<
+export type InferSchemaOutput<
   ProvidedSchema extends BaseSchema | undefined,
   DefaultSchema extends BaseSchema,
 > = IsSchemaProvided<ProvidedSchema> extends true

packages/oauth2/src/common/jwt/v-jwe.ts

@@ -0,0 +1,6 @@
+import * as v from 'valibot'
+
+export const vCompactJwe = v.pipe(
+  v.string(),
+  v.regex(/^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$/, 'Not a valid compact jwe')
+)

packages/oauth2/src/common/jwt/v-jwt.ts

@@ -36,6 +36,12 @@ export type JwtSignerCustom = {
 
 export type JwtSigner = JwtSignerDid | JwtSignerJwk | JwtSignerX5c | JwtSignerTrustChain | JwtSignerCustom
 
+export type JweEncryptor = JwtSignerJwk & {
+  enc: string
+  apu?: string
+  apv?: string
+}
+
 export type JwtSignerWithJwk = JwtSigner & { publicJwk: Jwk }
 
 export const vCompactJwt = v.pipe(

packages/oauth2/src/common/v-oauth2-error.ts

@@ -33,6 +33,12 @@ export enum Oauth2ErrorCodes {
   InvalidProof = 'invalid_proof',
   InvalidNonce = 'invalid_nonce',
   InvalidEncryptionParameters = 'invalid_encryption_parameters',
+
+  // Jar
+  InvalidRequestUri = 'invalid_request_uri',
+  InvalidRequestObject = 'invalid_request_object',
+  RequestNotSupported = 'request_not_supported',
+  RequestUriNotSupported = 'request_uri_not_supported',
 }
 
 export const vOauth2ErrorResponse = v.looseObject({