fix(sd-jwt): cnf instead of kid

Signed-off-by: Timo Glastra <[email protected]>
Sphereon-Opensource · Jan 11, 2024 · 510a4e8 · 510a4e8
1 parent 7577e3d
commit 510a4e8
Showing 1 changed file with 25 additions and 12 deletions.
diff --git a/packages/issuer/lib/VcIssuer.ts b/packages/issuer/lib/VcIssuer.ts
@@ -255,6 +255,8 @@ export class VcIssuer<DIDDoc extends object> {
 
       const { preAuthSession, authSession, cNonceState, jwtVerifyResult } = validated
       const did = jwtVerifyResult.did
+      const jwk = jwtVerifyResult.jwk
+      const kid = jwtVerifyResult.kid
       const newcNonce = opts.newCNonce ? opts.newCNonce : v4()
       const newcNonceState = {
         cNonce: newcNonce,
@@ -305,20 +307,31 @@ export class VcIssuer<DIDDoc extends object> {
       if (!credential) {
         throw Error('A credential needs to be supplied at this point')
       }
-      if (did) {
-        if (CredentialMapper.isSdJwtDecodedCredentialPayload(credential)) {
-          credential.sub = did
-        } else {
-          const credentialSubjects = Array.isArray(credential.credentialSubject) ? credential.credentialSubject : [credential.credentialSubject]
-          credentialSubjects.map((subject) => {
-            if (!subject.id) {
-              subject.id = did
-            }
-            return subject
-          })
-          credential.credentialSubject = Array.isArray(credential.credentialSubject) ? credentialSubjects : credentialSubjects[0]
+      // Bind credential to the provided proof of possession
+      if (CredentialMapper.isSdJwtDecodedCredentialPayload(credential) && (kid || jwk) && !credential.cnf) {
+        if (kid) {
+          // NOTE: any can be removed once this PR is released:
+          // https://github.com/Sphereon-Opensource/SSI-SDK/pull/150
+          credential.cnf = {
+            kid,
+            // eslint-disable-next-line @typescript-eslint/no-explicit-any
+          } as any
+        } else if (jwk) {
+          credential.cnf = {
+            jwk,
+          }
         }
       }
+      if (did && !CredentialMapper.isSdJwtDecodedCredentialPayload(credential)) {
+        const credentialSubjects = Array.isArray(credential.credentialSubject) ? credential.credentialSubject : [credential.credentialSubject]
+        credentialSubjects.map((subject) => {
+          if (!subject.id) {
+            subject.id = did
+          }
+          return subject
+        })
+        credential.credentialSubject = Array.isArray(credential.credentialSubject) ? credentialSubjects : credentialSubjects[0]
+      }
 
       const verifiableCredential = await this.issueCredentialImpl(
         {