Sphereon-Opensource · nklomp · Oct 9, 2024 · Sep 18, 2024 · Sep 18, 2024 · Sep 18, 2024
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -12,14 +12,14 @@ jobs:
     name: build
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
       with:
         fetch-depth: 0
-    - uses: pnpm/action-setup@v2
+    - uses: pnpm/action-setup@v4
       with:
         version: 8
     - name: Use Node.js
-      uses: actions/setup-node@v3
+      uses: actions/setup-node@v4
       with:
         node-version: '18.x'
         cache: 'pnpm'
@@ -31,7 +31,7 @@ jobs:
     - name: pnpm test
       run: pnpm test
     - name: codecov
-      uses: codecov/codecov-action@v2
+      uses: codecov/codecov-action@v4
       with:
         token: ${{ secrets.CODECOV_TOKEN }} # not required for public repos
         name: codecove # optional

diff --git a/lib/PEX.ts b/lib/PEX.ts
diff --git a/lib/PEXv1.ts b/lib/PEXv1.ts
@@ -124,13 +124,13 @@ export class PEXv1 extends PEX {
       opts?.presentationSubmissionLocation ??
       (hasSdJwtCredentials ? PresentationSubmissionLocation.EXTERNAL : PresentationSubmissionLocation.PRESENTATION);
 
-    const presentation = PEX.constructPresentation(selectedCredentials, {
+    const presentations = this.constructPresentations(selectedCredentials, {
       ...opts,
       presentationSubmission: presentationSubmissionLocation === PresentationSubmissionLocation.PRESENTATION ? presentationSubmission : undefined,
     });
 
     return {
-      presentation,
+      presentations,
       presentationSubmissionLocation,
       presentationSubmission,
     };

diff --git a/lib/PEXv2.ts b/lib/PEXv2.ts
@@ -15,7 +15,7 @@ export class PEXv2 extends PEX {
    * The evaluatePresentationV2 compares what is expected from a presentation with a presentationDefinitionV2.
    *
    * @param presentationDefinition the definition of what is expected in the presentation.
-   * @param presentation the presentation which has to be evaluated in comparison of the definition.
+   * @param presentations the presentation which has to be evaluated in comparison of the definition.
    * @param opts - limitDisclosureSignatureSuites the credential signature suites that support limit disclosure
    *
    * @return the evaluation results specify what was expected and was fulfilled and also specifies which requirements described in the input descriptors
@@ -120,13 +120,13 @@ export class PEXv2 extends PEX {
       opts?.presentationSubmissionLocation ??
       (hasSdJwtCredentials ? PresentationSubmissionLocation.EXTERNAL : PresentationSubmissionLocation.PRESENTATION);
 
-    const presentation = PEX.constructPresentation(selectedCredentials, {
+    const presentations = this.constructPresentations(selectedCredentials, {
       ...opts,
       presentationSubmission: presentationSubmissionLocation === PresentationSubmissionLocation.PRESENTATION ? presentationSubmission : undefined,
     });
 
     return {
-      presentation,
+      presentations,
       presentationSubmissionLocation,
       presentationSubmission,
     };

diff --git a/lib/evaluation/core/evaluationResults.ts b/lib/evaluation/core/evaluationResults.ts
@@ -2,10 +2,9 @@ import { PresentationSubmission } from '@sphereon/pex-models';
 import { IPresentation, IVerifiableCredential, OriginalVerifiablePresentation, SdJwtDecodedVerifiableCredential } from '@sphereon/ssi-types';
 
 import { Checked, Status } from '../../ConstraintUtils';
-import { OrArray } from '../../types';
 
 export interface PresentationEvaluationResults extends Omit<EvaluationResults, 'verifiableCredential'> {
-  presentation: OrArray<OriginalVerifiablePresentation | IPresentation>;
+  presentations: Array<OriginalVerifiablePresentation | IPresentation>;
 }
 
 export interface EvaluationResults {

diff --git a/lib/evaluation/evaluationClientWrapper.ts b/lib/evaluation/evaluationClientWrapper.ts
@@ -4,6 +4,7 @@ import type { SubmissionRequirement } from '@sphereon/pex-models';
 import {
   CredentialMapper,
   IVerifiableCredential,
+  IVerifiablePresentation,
   OriginalVerifiableCredential,
   SdJwtDecodedVerifiableCredential,
   WrappedVerifiableCredential,
@@ -96,7 +97,11 @@ export class EvaluationClientWrapper {
           marked,
         );
       } catch (e) {
-        const matchingError: Checked = { status: Status.ERROR, message: JSON.stringify(e), tag: 'matchSubmissionRequirements' };
+        const matchingError: Checked = {
+          status: Status.ERROR,
+          message: JSON.stringify(e),
+          tag: 'matchSubmissionRequirements',
+        };
         return {
           errors: errors ? [...errors, matchingError] : [matchingError],
           warnings: warnings,
@@ -406,7 +411,7 @@ export class EvaluationClientWrapper {
 
     const result: PresentationEvaluationResults = {
       areRequiredCredentialsPresent: Status.INFO,
-      presentation: Array.isArray(wvps) ? wvps.map((wvp) => wvp.original) : wvps.original,
+      presentations: Array.isArray(wvps) ? wvps.map((wvp) => wvp.original) : [wvps.original],
       errors: [],
       warnings: [],
     };
@@ -429,7 +434,9 @@ export class EvaluationClientWrapper {
     if (this._client.generatePresentationSubmission && result.value && useExternalSubmission) {
       // we map the descriptors of the generated submisison to take into account the nexted values
       result.value.descriptor_map = result.value.descriptor_map.map((descriptor) => {
-        const [wvcResult] = JsonPathUtils.extractInputField(allWvcs, [descriptor.path]) as Array<{ value: WrappedVerifiableCredential }>;
+        const [wvcResult] = JsonPathUtils.extractInputField(allWvcs, [descriptor.path]) as Array<{
+          value: WrappedVerifiableCredential;
+        }>;
         if (!wvcResult) {
           throw new Error(`Could not find descriptor path ${descriptor.path} in wrapped verifiable credentials`);
         }
@@ -460,7 +467,7 @@ export class EvaluationClientWrapper {
   ): { error: Checked; wvc: undefined } | { wvc: WrappedVerifiableCredential; error: undefined } {
     // Decoded won't work for sd-jwt or jwt?!?!
     const [vcResult] = JsonPathUtils.extractInputField(wvp.decoded, [descriptor.path]) as Array<{
-      value: string | IVerifiableCredential;
+      value: string | IVerifiablePresentation[] | IVerifiableCredential;
     }>;
 
     if (!vcResult) {
@@ -474,16 +481,48 @@ export class EvaluationClientWrapper {
       };
     }
 
-    // Find the wrapped VC based on the original VC
-    const originalVc = vcResult.value;
-    const wvc = wvp.vcs.find((wvc) => CredentialMapper.areOriginalVerifiableCredentialsEqual(wvc.original, originalVc));
+    // FIXME figure out possible types, can't see that in debug mode...
+    const isCredential = CredentialMapper.isCredential(vcResult.value as OriginalVerifiableCredential);
+    if (
+      !vcResult.value ||
+      (typeof vcResult.value === 'string' && !isCredential) ||
+      (typeof vcResult.value !== 'string' && !isCredential && !('verifiableCredential' in vcResult.value || 'vp' in vcResult.value))
+    ) {
+      return {
+        error: {
+          status: Status.ERROR,
+          tag: 'NoVerifiableCredentials',
+          message: `No verifiable credentials found at path "${descriptor.path}" for submission.descriptor_path[${descriptorIndex}]`,
+        },
+        wvc: undefined,
+      };
+    }
+
+    // When result is an array, extract the first Verifiable Credential from the array FIXME figure out proper types, can't see that in debug mode...
+    let originalVc;
+    if (isCredential) {
+      originalVc = vcResult.value;
+    } else if (typeof vcResult.value !== 'string') {
+      if ('verifiableCredential' in vcResult.value) {
+        originalVc = Array.isArray(vcResult.value.verifiableCredential)
+          ? vcResult.value.verifiableCredential[0]
+          : vcResult.value.verifiableCredential;
+      } else {
+        throw Error('Could not deduce original VC from evaluation result');
+      }
+    } else {
+      throw Error('Could not deduce original VC from evaluation result');
+    }
+
+    // Find the corresponding Wrapped Verifiable Credential (wvc) based on the original VC
+    const wvc = wvp.vcs.find((wrappedVc) => CredentialMapper.areOriginalVerifiableCredentialsEqual(wrappedVc.original, originalVc));
 
     if (!wvc) {
       return {
         error: {
           status: Status.ERROR,
           tag: 'SubmissionPathNotFound',
-          message: `Unable to find wrapped vc`,
+          message: `Unable to find wrapped VC for the extracted credential at path "${descriptor.path}" in descriptor_path[${descriptorIndex}]`,
         },
         wvc: undefined,
       };
@@ -508,7 +547,7 @@ export class EvaluationClientWrapper {
   ): PresentationEvaluationResults {
     const result: PresentationEvaluationResults = {
       areRequiredCredentialsPresent: Status.INFO,
-      presentation: Array.isArray(wvps) ? wvps.map((wvp) => wvp.original) : wvps.original,
+      presentations: Array.isArray(wvps) ? wvps.map((wvp) => wvp.original) : [wvps.original],
       errors: [],
       warnings: [],
       value: submission,
@@ -517,45 +556,67 @@ export class EvaluationClientWrapper {
     // If only a single VP is passed that is not w3c and no presentationSubmissionLocation, we set the default location to presentation. Otherwise we assume it's external
     const presentationSubmissionLocation =
       opts?.presentationSubmissionLocation ??
-      (Array.isArray(wvps) || !CredentialMapper.isW3cPresentation(wvps.presentation)
+      (Array.isArray(wvps) || !CredentialMapper.isW3cPresentation(Array.isArray(wvps) ? wvps[0].presentation : wvps.presentation)
         ? PresentationSubmissionLocation.EXTERNAL
         : PresentationSubmissionLocation.PRESENTATION);
 
-    // We loop over all the descriptors in the submission
-    for (const descriptorIndex in submission.descriptor_map) {
-      const descriptor = submission.descriptor_map[descriptorIndex];
-
-      let vp: WrappedVerifiablePresentation;
-      let vc: WrappedVerifiableCredential;
-      let vcPath: string;
+    // Iterate over each descriptor in the submission
+    for (const [descriptorIndex, descriptor] of submission.descriptor_map.entries()) {
+      let matchingVps: WrappedVerifiablePresentation[] = [];
 
       if (presentationSubmissionLocation === PresentationSubmissionLocation.EXTERNAL) {
-        // Extract the VP from the wrapped VPs
-        const [vpResult] = JsonPathUtils.extractInputField(wvps, [descriptor.path]) as Array<{ value: WrappedVerifiablePresentation }>;
-        if (!vpResult) {
+        // Extract VPs matching the descriptor path
+        const vpResults = JsonPathUtils.extractInputField(wvps, [descriptor.path]) as Array<{
+          value: WrappedVerifiablePresentation[];
+        }>;
+
+        if (!vpResults.length) {
           result.areRequiredCredentialsPresent = Status.ERROR;
           result.errors?.push({
             status: Status.ERROR,
             tag: 'SubmissionPathNotFound',
-            message: `Unable to extract path ${descriptor.path} for submission.descriptor_path[${descriptorIndex}] from presentation(s)`,
+            message: `Unable to extract path ${descriptor.path} for submission.descriptor_map[${descriptorIndex}] from presentation(s)`,
           });
           continue;
         }
-        vp = vpResult.value;
-        vcPath = `presentation ${descriptor.path}`;
 
-        if (vp.format !== descriptor.format) {
+        // Flatten the array of VPs
+        const allVps = vpResults.flatMap((vpResult) => vpResult.value);
+
+        // Filter VPs that match the required format
+        matchingVps = allVps.filter((vp) => vp.format === descriptor.format);
+
+        if (!matchingVps.length) {
           result.areRequiredCredentialsPresent = Status.ERROR;
           result.errors?.push({
             status: Status.ERROR,
             tag: 'SubmissionFormatNoMatch',
-            message: `VP at path ${descriptor.path} has format ${vp.format}, while submission.descriptor_path[${descriptorIndex}] has format ${descriptor.format}`,
+            message: `No VP at path ${descriptor.path} matches the required format ${descriptor.format}`,
           });
           continue;
         }
 
+        // Log a warning if multiple VPs match the descriptor
+        if (matchingVps.length > 1) {
+          result.warnings?.push({
+            status: Status.WARN,
+            tag: 'MultipleVpsMatched',
+            message: `Multiple VPs matched for descriptor_path[${descriptorIndex}]. Using the first matching VP.`,
+          });
+        }
+      } else {
+        // When submission location is PRESENTATION, assume a single VP
+        matchingVps = Array.isArray(wvps) ? [wvps[0]] : [wvps];
+      }
+
+      // Process the first matching VP
+      const vp = matchingVps[0];
+      let vc: WrappedVerifiableCredential;
+      let vcPath: string = `presentation ${descriptor.path}`;
+
+      if (presentationSubmissionLocation === PresentationSubmissionLocation.EXTERNAL) {
         if (descriptor.path_nested) {
-          const extractionResult = this.extractWrappedVcFromWrappedVp(descriptor.path_nested, descriptorIndex, vp);
+          const extractionResult = this.extractWrappedVcFromWrappedVp(descriptor.path_nested, descriptorIndex.toString(), vp);
           if (extractionResult.error) {
             result.areRequiredCredentialsPresent = Status.ERROR;
             result.errors?.push(extractionResult.error);
@@ -565,6 +626,15 @@ export class EvaluationClientWrapper {
           vc = extractionResult.wvc;
           vcPath += ` with nested credential ${descriptor.path_nested.path}`;
         } else if (descriptor.format === 'vc+sd-jwt') {
+          if (!vp.vcs || !vp.vcs.length) {
+            result.areRequiredCredentialsPresent = Status.ERROR;
+            result.errors?.push({
+              status: Status.ERROR,
+              tag: 'NoCredentialsFound',
+              message: `No credentials found in VP at path ${descriptor.path}`,
+            });
+            continue;
+          }
           vc = vp.vcs[0];
         } else {
           result.areRequiredCredentialsPresent = Status.ERROR;
@@ -576,28 +646,28 @@ export class EvaluationClientWrapper {
           continue;
         }
       } else {
-        // TODO: check that not longer than 0
-        vp = Array.isArray(wvps) ? wvps[0] : wvps;
-        vcPath = `credential ${descriptor.path}`;
-
-        const extractionResult = this.extractWrappedVcFromWrappedVp(descriptor, descriptorIndex, vp);
+        const extractionResult = this.extractWrappedVcFromWrappedVp(descriptor, descriptorIndex.toString(), vp);
         if (extractionResult.error) {
           result.areRequiredCredentialsPresent = Status.ERROR;
           result.errors?.push(extractionResult.error);
           continue;
         }
 
         vc = extractionResult.wvc;
+        vcPath = `credential ${descriptor.path}`;
       }
 
       // TODO: we should probably add support for holder dids in the kb-jwt of an SD-JWT. We can extract this from the
       // `wrappedPresentation.original.compactKbJwt`, but as HAIP doesn't use dids, we'll leave it for now.
-      const holderDIDs = CredentialMapper.isW3cPresentation(vp.presentation) && vp.presentation.holder ? [vp.presentation.holder] : [];
 
-      // Get the presentation definition only for this descriptor, so we can evaluate it separately
+      // Determine holder DIDs
+      const holderDIDs =
+        CredentialMapper.isW3cPresentation(vp.presentation) && vp.presentation.holder ? [vp.presentation.holder] : opts?.holderDIDs || [];
+
+      // Get the presentation definition specific to the current descriptor
       const pdForDescriptor = this.internalPresentationDefinitionForDescriptor(pd, descriptor.id);
 
-      // Reset the client on each iteration.
+      // Reset and configure the evaluation client on each iteration
       this._client = new EvaluationClient();
       this._client.evaluate(pdForDescriptor, [vc], {
         ...opts,
@@ -606,6 +676,7 @@ export class EvaluationClientWrapper {
         generatePresentationSubmission: undefined,
       });
 
+      // Check if the evaluation resulted in exactly one descriptor map entry
       if (this._client.presentationSubmission.descriptor_map.length !== 1) {
         const submissionDescriptor = `submission.descriptor_map[${descriptorIndex}]`;
         result.areRequiredCredentialsPresent = Status.ERROR;
@@ -622,6 +693,7 @@ export class EvaluationClientWrapper {
         tag: 'SubmissionDoesNotSatisfyDefinition',
         // TODO: it would be nice to add the nested errors here for beter understanding WHY the submission
         // does not satisfy the definition, as we have that info, but we can only include one message here
+
         message: submissionAgainstDefinitionResult.error,
       });
       result.areRequiredCredentialsPresent = Status.ERROR;
@@ -797,7 +869,10 @@ export class EvaluationClientWrapper {
       presentationSubmissionLocation?: PresentationSubmissionLocation;
     },
   ): PresentationSubmission {
-    if (!this._client.results) {
+    if (!this._client.results || this._client.results.length === 0) {
+      if (vcs.length === 0) {
+        throw Error('The WrappedVerifiableCredentials input array is empty');
+      }
       throw Error('You need to call evaluate() before pex.presentationFrom()');
     }
     if (!this._client.generatePresentationSubmission) {