Start adding support for di_vp DID proof type during OID4VCI.

Author: dlongley

CHANGELOG.md

@@ -1,5 +1,10 @@
 # @digitalbazaar/oid4-client Changelog
 
+## 5.12.0 - 2026-mm-dd
+
+### Added
+- Add support for `di_vp` DID proof type during OID4VCI.
+
 ## 5.11.0 - 2026-05-01
 
 ### Added

lib/OID4Client.js

@@ -4,8 +4,8 @@
 import {
   createAuthorizationDetailsFromOffer, createCredentialRequestsFromOffer
 } from './oid4vci/credentialOffer.js';
+import {generateDIDProofDIVP, generateDIDProofJWT} from './oid4vci/proofs.js';
 import {createNamedError} from './util.js';
-import {generateDIDProofJWT} from './oid4vci/proofs.js';
 import {httpClient} from '@digitalbazaar/http-client';
 import {robustDiscoverIssuer} from './oid4vci/discovery.js';
 
@@ -231,6 +231,46 @@ export class OID4Client {
   }
 }
 
+async function _addDIDProof({
+  issuerConfig, json, nonce, did, didProofSigner
+}) {
+  // FIXME: allow these to combine; and choose just one based on
+  // `proof_types_supported`, defaulting to `jwt` if nothing is specified
+  await _addDIDProofDIVP({issuerConfig, json, nonce, did, didProofSigner});
+  // add DID proof `jwt` to json
+  await _addDIDProofJWT({issuerConfig, json, nonce, did, didProofSigner});
+}
+
+async function _addDIDProofDIVP({
+  issuerConfig, json, nonce, did, didProofSigner
+}) {
+  // generate a DID proof DI VP
+  const {issuer: domain} = issuerConfig;
+  const di_vp = [await generateDIDProofDIVP({
+    did,
+    signer: didProofSigner,
+    domain,
+    challenge: nonce
+  })];
+
+  // add proof to body to be posted and loop to retry
+  const proof = {proof_type: 'di_vp', di_vp};
+  if(json.credential_requests) {
+    // OID4VCI Draft 13 only
+    json.credential_requests = json.credential_requests.map(
+      cr => ({...cr, proof}));
+  } else if(json.credential_definition) {
+    // OID4VCI Draft 13 only
+    json.proof = proof;
+  } else {
+    // OID4VCI 1.0+
+    json.proofs = {
+      ...proof,
+      di_vp: [proof.di_vp]
+    };
+  }
+}
+
 async function _addDIDProofJWT({
   issuerConfig, json, nonce, did, didProofSigner
 }) {
@@ -278,6 +318,12 @@ async function _requestCredential({
     "format": "ldp_vc",
     "credential_definition": {...},
     // only present on retry after server requests it or if nonce is given
+    // v1.0 format:
+    "proofs": {
+      "di_vp": [VP1, VP2, ...],
+      "jwt": [JWT1, JWT2, ...]
+    }
+    // draft 13 format:
     "proof": {
       "proof_type": "jwt",
       "jwt": "eyJraW..."
@@ -306,6 +352,12 @@ async function _requestCredential({
       "format": "ldp_vc",
       "credential_definition": {...},
       // only present on retry after server requests it
+      // v1.0 format:
+      "proofs": {
+        "di_vp": [VP1, VP2, ...],
+        "jwt": [JWT1, JWT2, ...]
+      }
+      // draft 13 format:
       "proof": {
         "proof_type": "jwt",
         "jwt": "eyJraW..."
@@ -320,8 +372,8 @@ async function _requestCredential({
 
   */
   if(nonce !== undefined) {
-    // add DID proof JWT to json
-    await _addDIDProofJWT({issuerConfig, json, nonce, did, didProofSigner});
+    // add DID proof to json
+    await _addDIDProof({issuerConfig, json, nonce, did, didProofSigner});
   }
 
   let result;
@@ -373,10 +425,8 @@ async function _requestCredential({
         ({nonce} = await this.getNonce({agent}));
       }
 
-      // add DID proof JWT to json
-      await _addDIDProofJWT({
-        issuerConfig, json, nonce, did, didProofSigner
-      });
+      // add DID proof to json
+      await _addDIDProof({issuerConfig, json, nonce, did, didProofSigner});
     }
   }
 

lib/index.js

@@ -1,5 +1,5 @@
 /*!
- * Copyright (c) 2022-2026 Digital Bazaar, Inc. All rights reserved.
+ * Copyright (c) 2022-2026 Digital Bazaar, Inc.
  */
 export * as oid4vp from './oid4vp/index.js';
 export * as query from './query/index.js';
@@ -15,5 +15,5 @@ export {
   signJWT,
   selectJwk
 } from './util.js';
-export {generateDIDProofJWT} from './oid4vci/proofs.js';
+export {generateDIDProofDIVP, generateDIDProofJWT} from './oid4vci/proofs.js';
 export {OID4Client} from './OID4Client.js';

lib/oid4vci/proofs.js

@@ -1,8 +1,28 @@
 /*!
- * Copyright (c) 2022-2025 Digital Bazaar, Inc. All rights reserved.
+ * Copyright (c) 2022-2026 Digital Bazaar, Inc.
  */
+import {createPresentation, signPresentation} from '@digitalbazaar/vc';
+import {DataIntegrityProof} from '@digitalbazaar/data-integrity';
+import {cryptosuite as ecdsaRdfc2019CryptoSuite} from
+  '@digitalbazaar/ecdsa-rdfc-2019-cryptosuite';
+import {cryptosuite as eddsaRdfc2022CryptoSuite} from
+  '@digitalbazaar/eddsa-rdfc-2022-cryptosuite';
 import {signJWT} from '../util.js';
 
+export async function generateDIDProofDIVP({
+  did, signer, challenge, domain
+} = {}) {
+  const {id} = signer;
+  const holder = did ?? id?.includes('#') ? id.slice(0, id.indexOf('#')) : id;
+  const presentation = createPresentation({holder});
+  return signPresentation({
+    presentation,
+    suite: _createDataIntegrityProof({signer}),
+    domain,
+    challenge
+  });
+}
+
 export async function generateDIDProofJWT({
   signer, nonce, iss, aud, exp, nbf
 } = {}) {
@@ -36,6 +56,22 @@ export async function generateDIDProofJWT({
   return signJWT({payload, protectedHeader, signer});
 }
 
+function _createDataIntegrityProof({signer}) {
+  const {algorithm} = signer;
+
+  let cryptosuite;
+  if(algorithm === 'Ed25519' || algorithm === 'EdDSA') {
+    cryptosuite = eddsaRdfc2022CryptoSuite;
+  } else if(algorithm?.startsWith('P-')) {
+    cryptosuite = ecdsaRdfc2019CryptoSuite;
+  } else {
+    // default
+    cryptosuite = eddsaRdfc2022CryptoSuite;
+  }
+
+  return new DataIntegrityProof({signer, cryptosuite});
+}
+
 function _curveToAlg(crv) {
   if(crv === 'Ed25519' || crv === 'Ed448') {
     return 'EdDSA';

package.json

@@ -23,7 +23,11 @@
     "lib/**/*.js"
   ],
   "dependencies": {
+    "@digitalbazaar/data-integrity": "^2.5.0",
+    "@digitalbazaar/ecdsa-rdfc-2019-cryptosuite": "^1.3.0",
+    "@digitalbazaar/eddsa-rdfc-2022-cryptosuite": "^1.3.0",
     "@digitalbazaar/http-client": "^4.0.0",
+    "@digitalbazaar/vc": "^7.3.0",
     "@hpke/core": "^1.7.5",
     "base64url-universal": "^2.0.0",
     "cborg": "^4.5.8",