Merge pull request #83 from TimoGlastra/fix/cnd-instead-of-sub

fix(sd-jwt): cnf instead of kid

packages/callback-example/package.json

@@ -18,7 +18,7 @@
     "@sphereon/oid4vci-client": "workspace:*",
     "@sphereon/oid4vci-common": "workspace:*",
     "@sphereon/oid4vci-issuer": "workspace:*",
-    "@sphereon/ssi-types": "0.17.6-unstable.69",
+    "@sphereon/ssi-types": "^0.18.0",
     "jose": "^4.10.0"
   },
   "devDependencies": {

packages/client/package.json

@@ -16,7 +16,7 @@
   },
   "dependencies": {
     "@sphereon/oid4vci-common": "workspace:*",
-    "@sphereon/ssi-types": "0.17.6-unstable.69",
+    "@sphereon/ssi-types": "^0.18.0",
     "cross-fetch": "^3.1.8",
     "debug": "^4.3.4"
   },

packages/common/package.json

@@ -10,7 +10,7 @@
     "build:clean": "tsc --build --clean && tsc --build"
   },
   "dependencies": {
-    "@sphereon/ssi-types": "0.17.6-unstable.69",
+    "@sphereon/ssi-types": "^0.18.0",
     "cross-fetch": "^3.1.8",
     "jwt-decode": "^3.1.2"
   },

packages/issuer-rest/package.json

@@ -13,8 +13,8 @@
   "dependencies": {
     "@sphereon/oid4vci-common": "workspace:*",
     "@sphereon/oid4vci-issuer": "workspace:*",
-    "@sphereon/ssi-express-support": "0.17.6-unstable.69",
-    "@sphereon/ssi-types": "0.17.6-unstable.69",
+    "@sphereon/ssi-express-support": "^0.18.0",
+    "@sphereon/ssi-types": "^0.18.0",
     "body-parser": "^1.20.2",
     "cookie-parser": "^1.4.6",
     "cors": "^2.8.5",

packages/issuer/lib/VcIssuer.ts

@@ -255,6 +255,8 @@ export class VcIssuer<DIDDoc extends object> {
 
       const { preAuthSession, authSession, cNonceState, jwtVerifyResult } = validated
       const did = jwtVerifyResult.did
+      const jwk = jwtVerifyResult.jwk
+      const kid = jwtVerifyResult.kid
       const newcNonce = opts.newCNonce ? opts.newCNonce : v4()
       const newcNonceState = {
         cNonce: newcNonce,
@@ -305,20 +307,28 @@ export class VcIssuer<DIDDoc extends object> {
       if (!credential) {
         throw Error('A credential needs to be supplied at this point')
       }
-      if (did) {
-        if (CredentialMapper.isSdJwtDecodedCredentialPayload(credential)) {
-          credential.sub = did
-        } else {
-          const credentialSubjects = Array.isArray(credential.credentialSubject) ? credential.credentialSubject : [credential.credentialSubject]
-          credentialSubjects.map((subject) => {
-            if (!subject.id) {
-              subject.id = did
-            }
-            return subject
-          })
-          credential.credentialSubject = Array.isArray(credential.credentialSubject) ? credentialSubjects : credentialSubjects[0]
+      // Bind credential to the provided proof of possession
+      if (CredentialMapper.isSdJwtDecodedCredentialPayload(credential) && (kid || jwk) && !credential.cnf) {
+        if (kid) {
+          credential.cnf = {
+            kid
+          }
+        } else if (jwk) {
+          credential.cnf = {
+            jwk,
+          }
         }
       }
+      if (did && !CredentialMapper.isSdJwtDecodedCredentialPayload(credential)) {
+        const credentialSubjects = Array.isArray(credential.credentialSubject) ? credential.credentialSubject : [credential.credentialSubject]
+        credentialSubjects.map((subject) => {
+          if (!subject.id) {
+            subject.id = did
+          }
+          return subject
+        })
+        credential.credentialSubject = Array.isArray(credential.credentialSubject) ? credentialSubjects : credentialSubjects[0]
+      }
 
       const verifiableCredential = await this.issueCredentialImpl(
         {

packages/issuer/package.json

@@ -11,7 +11,7 @@
   },
   "dependencies": {
     "@sphereon/oid4vci-common": "workspace:*",
-    "@sphereon/ssi-types": "0.17.6-unstable.69",
+    "@sphereon/ssi-types": "^0.18.0",
     "uuid": "^9.0.0"
   },
   "peerDependencies": {