| _getIssuanceCert | ||||||
_getIssuanceCert(entity: TrustedEntity)
|
||||||
|
Get the issuance certificate from a TrustedEntity.
Parameters :
Returns :
TrustedEntityServiceCert | undefined
|
| findServiceByType | |||||||||
findServiceByType(entity: TrustedEntity, serviceType: ServiceTypeIdentifier)
|
|||||||||
|
Helper to find a specific service type within a TrustedEntity.
Parameters :
Returns :
TrustedEntityServiceCert | undefined
|
| getRevocationCert | ||||||
getRevocationCert(entity: TrustedEntity)
|
||||||
|
Get the revocation certificate from a TrustedEntity.
Parameters :
Returns :
TrustedEntityServiceCert | undefined
|
| _isMsoMdocConfig | ||||
_isMsoMdocConfig(config)
|
||||
|
Type guard to check if a config is for mso_mdoc format
Parameters :
Returns :
MsoMdocCredentialConfig
|
| _isSdJwtDcConfig | ||||
_isSdJwtDcConfig(config)
|
||||
|
Type guard to check if a config is for dc+sd-jwt format
Parameters :
Returns :
SdJwtDcCredentialConfig
|
| buildMsoMdocConfig | |||||||||||||||
buildMsoMdocConfig(doctype: string, options: BuildCredentialConfigOptions, metadata?: CredentialMetadataInput, scope?: string)
|
|||||||||||||||
|
Build an mso_mdoc credential configuration
Parameters :
Returns :
MsoMdocCredentialConfig
|
| buildSdJwtDcConfig | |||||||||||||||
buildSdJwtDcConfig(vct: string, options: BuildCredentialConfigOptions, metadata?: CredentialMetadataInput, scope?: string)
|
|||||||||||||||
|
Build a dc+sd-jwt credential configuration
Parameters :
Returns :
SdJwtDcCredentialConfig
|
| toCredentialConfigurationSupported | ||||||
toCredentialConfigurationSupported(config: TypedCredentialConfig)
|
||||||
|
Converts a TypedCredentialConfig to CredentialConfigurationSupported This is a type assertion helper since our types are derived from the SDK
Parameters :
|
| _transformIaeActions |
_transformIaeActions()
|
|
Helper function to validate and transform IAE actions array.
Returns :
ReturnType<typeof Type>
|
| addRequired | |||||||||
addRequired(parent: JsonSchema, key: string)
|
|||||||||
|
Parameters :
Returns :
void
|
| applyLeafSchema | |||||||||
applyLeafSchema(root: JsonSchema, field: ClaimFieldDefinition)
|
|||||||||
|
Parameters :
Returns :
void
|
| buildClaims | ||||
buildClaims(fields)
|
||||
|
Parameters :
Returns :
Record<string, unknown>
|
| buildClaimsByNamespace | ||||
buildClaimsByNamespace(fields)
|
||||
|
Parameters :
Returns :
Record<string, Record<string, unknown>>
|
| buildClaimsMetadata | ||||
buildClaimsMetadata(fields)
|
||||
|
Parameters :
Returns :
ClaimMetadata[]
|
| buildDisclosureFrame | ||||
buildDisclosureFrame(fields)
|
||||
|
Parameters :
Returns :
Record | undefined
|
| buildJsonSchema | ||||
buildJsonSchema(fields)
|
||||
|
Parameters :
Returns :
JsonSchema
|
| buildLeafSchema | ||||||
buildLeafSchema(field: ClaimFieldDefinition)
|
||||||
|
Parameters :
Returns :
JsonSchema
|
| ensureFrameNode | |||||||||
ensureFrameNode(root: Record, path)
|
|||||||||
|
Parameters :
Returns :
Record<string, unknown>
|
| ensureSchemaNode | |||||||||
ensureSchemaNode(root: JsonSchema, path: Array)
|
|||||||||
|
Parameters :
Returns :
JsonSchema
|
| flattenFields | ||||
flattenFields(fields)
|
||||
|
Parameters :
Returns :
ClaimFieldDefinition[]
|
| getArrayIndex | ||||||
getArrayIndex(segment: Segment)
|
||||||
|
Parameters :
Returns :
number | undefined
|
| getDisplayTitle | ||||
getDisplayTitle(display)
|
||||
|
Parameters :
Returns :
string | undefined
|
| getFieldNamespace | ||||||
getFieldNamespace(field: ClaimFieldDefinition)
|
||||||
|
Parameters :
Returns :
string | undefined
|
| getOrCreateChild |
getOrCreateChild(target: Record, key: string, nextIsArray: boolean)
|
|
Returns :
PathCursor
|
| isArrayPathSegment | ||||
isArrayPathSegment(segment)
|
||||
|
Parameters :
Returns :
boolean
|
| mergeArrayLeafSchema | |||||||||
mergeArrayLeafSchema(parent: JsonSchema, leafSchema: JsonSchema)
|
|||||||||
|
Parameters :
Returns :
void
|
| mergeLeafSchema | |||||||||
mergeLeafSchema(existing: JsonSchema, next: JsonSchema)
|
|||||||||
|
Parameters :
Returns :
JsonSchema
|
| mergeObjectLeafSchema | |||||||||||||||
mergeObjectLeafSchema(parent: JsonSchema, leafSegment, leafSchema: JsonSchema, mandatory)
|
|||||||||||||||
|
Parameters :
Returns :
void
|
| normalizeDisplayInfo | ||||
normalizeDisplayInfo(display)
|
||||
|
Parameters :
Returns :
[] | undefined
|
| resolveChildPath | ||||||
resolveChildPath(parentPath, childPath)
|
||||||
|
Parameters :
Returns :
Segment[]
|
| segmentToKey | ||||||
segmentToKey(segment: Segment)
|
||||||
|
Parameters :
Returns :
string
|
| setArrayPathValue | ||||||||||||||||||
setArrayPathValue(cursor, segment: Segment, isLast: boolean, next: Segment, value)
|
||||||||||||||||||
|
Parameters :
Returns :
PathCursor | undefined
|
| setObjectPathValue | ||||||||||||||||||
setObjectPathValue(cursor: Record, segment: Segment, isLast: boolean, next: Segment, value)
|
||||||||||||||||||
|
Parameters :
Returns :
PathCursor | undefined
|
| setValueAtPath | ||||||||||||
setValueAtPath(target: Record, path, value)
|
||||||||||||
|
Parameters :
Returns :
void
|
| applyTrustedAuthoritiesPolicy | ||||||||||||
applyTrustedAuthoritiesPolicy<T extends { credentials: Array
|
||||||||||||
Type parameters :
|
||||||||||||
|
Conditionally strips Some wallets do not yet correctly handle
Parameters :
Returns :
T
a DCQL query with credentials stripped of trusted_authorities when removeTrustedAuthorities is true, otherwise the original query |
| arrayBufferToHex | ||||||
arrayBufferToHex(buffer: ArrayBuffer)
|
||||||
|
Parameters :
Returns :
string
|
| certFromBase64Der | ||||||
certFromBase64Der(val: string)
|
||||||
|
Parse a certificate from a Base64-encoded DER string (as used in LoTE trust lists). Converts to PEM format which is more reliably parsed by
Parameters :
Returns :
x509.X509Certificate
|
| assertTokenRequestSessionValid | ||||||||||||
assertTokenRequestSessionValid(sessionRepository: Repository, session: ChainedAsSessionEntity, request: ChainedAsTokenRequestDto)
|
||||||||||||
|
Parameters :
Returns :
Promise<void>
|
| issueRefreshTokenIfEnabled | |||||||||
issueRefreshTokenIfEnabled(session: ChainedAsSessionEntity, issuanceConfig: RefreshTokenIssuanceConfig)
|
|||||||||
|
Parameters :
Returns :
string | undefined
|
| resolveSessionForTokenRequest | ||||||||||||
resolveSessionForTokenRequest(sessionRepository: Repository, tenantId: string, request: ChainedAsTokenRequestDto)
|
||||||||||||
|
Parameters :
Returns :
Promise<ChainedAsSessionEntity>
|
| resolveTokenBinding | ||||||||||||
resolveTokenBinding(requireDPoP, session: ChainedAsSessionEntity, dpopJwt?: string)
|
||||||||||||
|
Parameters :
Returns :
{ tokenType: string; dpopJkt?: string }
|
| attachResponseBodyCapture |
attachResponseBodyCapture(req: any, res: any)
|
|
Returns :
void
|
| isLoggableContentType | ||||
isLoggableContentType(contentType)
|
||||
|
Content types we consider safe to buffer and stringify for logs. Anything else (binary uploads/downloads, streaming) is skipped entirely.
Parameters :
Returns :
boolean
|
| serializeResponseBody | |||||||||
serializeResponseBody(rawBody: Buffer, contentType)
|
|||||||||
|
Parameters :
Returns :
unknown
|
| truncate | ||||||
truncate(value: string)
|
||||||
|
Parameters :
Returns :
string
|
| base64url | ||||||
base64url(input: string)
|
||||||
|
Parameters :
Returns :
string
|
| base64UrlOrBase64ToBytes | ||||||
base64UrlOrBase64ToBytes(s: string)
|
||||||
|
Parameters :
Returns :
Uint8Array
|
| derEcdsaToRaw | |||||||||
derEcdsaToRaw(der: Uint8Array, coordLength: number)
|
|||||||||
|
Parameters :
Returns :
Uint8Array
|
| extractFirstCertificate | ||||||
extractFirstCertificate(data: Record)
|
||||||
|
Parameters :
Returns :
string | undefined
|
| normalizeCertificateToPem | ||||||
normalizeCertificateToPem(value: string)
|
||||||
|
Parameters :
Returns :
string
|
| base64UrlOrBase64ToBytes | ||||||
base64UrlOrBase64ToBytes(s: string)
|
||||||
|
Parameters :
Returns :
Uint8Array
|
| pemToDer | ||||||
pemToDer(pem: string)
|
||||||
|
Parameters :
Returns :
ArrayBuffer
|
| stripPrivateComponents | ||||||
stripPrivateComponents(jwk: JWK)
|
||||||
|
Parameters :
Returns :
JWK
|
| vaultKeyType | ||||||
vaultKeyType(alg: KmsSigningAlg)
|
||||||
|
Parameters :
Returns :
string
|
| base64UrlToBytes | ||||||
base64UrlToBytes(encoded: string)
|
||||||
|
Convert base64url or base64 string to Uint8Array.
Parameters :
Returns :
Uint8Array
|
| bootstrap |
bootstrap()
|
|
Bootstrap function to initialize the NestJS application. |
| loadTlsOptions |
loadTlsOptions()
|
|
Load TLS options from certificate and key files. Returns undefined if TLS is not enabled or files are not found.
Returns :
TlsOptions | undefined
|
| buildAuthorizationServerMetadata | ||||||
buildAuthorizationServerMetadata(options: AuthorizationServerMetadataBuildOptions)
|
||||||
|
Parameters :
Returns :
Record<string, unknown>
|
| buildJwksResponse | |||||||||
buildJwksResponse(publicKey: JwkWithOptionalKid, fallbackKid: string)
|
|||||||||
|
Parameters :
Returns :
{ keys: Record[] }
|
| buildWalletAttestationMetadata | ||||||
buildWalletAttestationMetadata(walletAttestationRequired: boolean)
|
||||||
|
Parameters :
Returns :
{ tokenEndpointAuthMethodsSupported: readonly string[]; clientAttestationSigningAlgValuesSupported?: readonly string[]; clientAttestationPopSigningAlgValuesSupported?: readonly string[] }
|
| buildCoseKeyMap |
buildCoseKeyMap(xB64: string, yB64: string)
|
|
Build a COSE_Key map (integer-keyed) for a P-256 public key from JWK base64url components.
Returns :
Map<number, unknown>
|
| buildDeviceRequestCbor | ||||||||||||
buildDeviceRequestCbor(docType: string, namespaces: Record)
|
||||||||||||
|
Build the CBOR DeviceRequest per ISO 18013-5 §8.3.2.1.2.1.
Parameters :
Returns :
Buffer
|
| buildEncryptionInfo |
buildEncryptionInfo(xB64: string, yB64: string, nonce: Buffer)
|
|
Build the CBOR-encoded EncryptionInfo per ISO/IEC TS 18013-7:2025 Annex C: EncryptionInfo = ["dcapi", EncryptionParameters] EncryptionParameters = {"nonce": bstr, "recipientPublicKey": COSE_Key}
Returns :
Buffer
|
| buildIsoMdocDcApiTranscript | ||||||||||||
buildIsoMdocDcApiTranscript(encryptionInfoB64u: string, origin: string)
|
||||||||||||
|
Build the DCAPIHandover SessionTranscript per ISO/IEC TS 18013-7:2025 Annex C: SessionTranscript = [null, null, ["dcapi", SHA-256(CBOR([encInfoB64u, origin]))]] The transcript is used in two places:
Parameters :
|
| parseEncryptedResponse | ||||||
parseEncryptedResponse(encryptedResponse: Buffer)
|
||||||
|
Parse the wallet's EncryptedResponse per ISO/IEC TS 18013-7:2025 Annex C: EncryptedResponse = ["dcapi", {"enc": bstr, "cipherText": bstr}]
Parameters :
Returns :
{ enc: Buffer; cipherText: Buffer }
|
| loadPkcs11 |
loadPkcs11()
|
|
Returns :
Promise<Pkcs11Module>
|
| toConstants | ||||||
toConstants(mod: Pkcs11Module)
|
||||||
|
Parameters :
Returns :
Pkcs11Constants
|
| unwrapEcPoint | ||||||
unwrapEcPoint(raw: Buffer)
|
||||||
|
CKA_EC_POINT is specified as a DER-encoded OCTET STRING wrapping the raw ECPoint. Some HSM vendors return the unwrapped ECPoint directly, so we accept both.
Parameters :
Returns :
Buffer
|
| buildPostgresSslOptions | ||||
buildPostgresSslOptions(readValue)
|
||||
|
Build PostgreSQL SSL settings from environment/config values. Supported variables:
Parameters :
Returns :
boolean | TlsOptions
|
| parseBoolean | ||||
parseBoolean(value)
|
||||
|
Parameters :
Returns :
boolean | undefined
|
| parseOptionalString | ||||
parseOptionalString(value)
|
||||
|
Parameters :
Returns :
string | undefined
|
| readOptionalFile |
readOptionalFile(path: string, variableName: string)
|
|
Returns :
Buffer
|
| concat | ||||
concat(...parts: undefined)
|
||||
|
Parameters :
Returns :
Buffer
|
| dhkemDecap | |||||||||
dhkemDecap(encKey: Buffer, recipientPrivateKeyJwk)
|
|||||||||
|
DHKEM(P-256) Decap: derive shared secret using recipient's private key and the sender's encapsulated public key (enc = 65-byte uncompressed P-256 point). RFC 9180 §4.1
Parameters :
Returns :
Buffer
|
| hkdfExpand | ||||||||||||
hkdfExpand(prk: Buffer, info: Buffer, len: number)
|
||||||||||||
|
Parameters :
Returns :
Buffer
|
| hkdfExtract | |||||||||
hkdfExtract(salt, ikm: Buffer)
|
|||||||||
|
Parameters :
Returns :
Buffer
|
| hpkeOpen | ||||||||||||||||||||||||||||||
hpkeOpen(encKey: Buffer, ciphertext: Buffer, recipientPriv, info: Buffer, aad: Buffer)
|
||||||||||||||||||||||||||||||
|
Decrypt an HPKE Base Mode ciphertext (RFC 9180 §6.1 OpenBase).
Parameters :
Returns :
Buffer
|
| i2osp |
i2osp(n: number, len: number)
|
|
Returns :
Uint8Array
|
| keySchedule | |||||||||
keySchedule(sharedSecret: Buffer, info: Buffer)
|
|||||||||
|
HPKE KeyScheduleBase: derive AEAD key and nonce from the KEM shared secret. RFC 9180 §5.1 (mode_base = 0x00, psk="" psk_id="")
Parameters :
Returns :
{ key: Buffer; baseNonce: Buffer }
|
| labeledExpand | ||||||||||||||||||
labeledExpand(suiteId: Buffer, prk: Buffer, label: string, info: Buffer, len: number)
|
||||||||||||||||||
|
Parameters :
Returns :
Buffer
|
| labeledExtract | |||||||||||||||
labeledExtract(suiteId: Buffer, salt, label: string, ikm: Buffer)
|
|||||||||||||||
|
Parameters :
Returns :
Buffer
|
| defaultConfig |
defaultConfig()
|
|
Returns :
KmsConfigDto
|
| mergeConfigs | |||||||||
mergeConfigs(global: KmsConfigDto, tenant: KmsConfigDto)
|
|||||||||
|
Parameters :
Returns :
KmsConfigDto
|
| resolveEnvPlaceholders | ||||||
resolveEnvPlaceholders<T>(value: T)
|
||||||
Type parameters :
|
||||||
|
Parameters :
Returns :
T
|
| derEcdsaToRaw | |||||||||
derEcdsaToRaw(der: Uint8Array, coordLength: number)
|
|||||||||
|
Convert an ASN.1 DER-encoded ECDSA-Sig-Value (
Parameters :
Returns :
Uint8Array
|
| extractDpopJkt | ||||||
extractDpopJkt(dpopJwt?: string)
|
||||||
|
Extract DPoP JWK thumbprint from DPoP JWT. Returns undefined if parsing fails or DPoP is not provided.
Parameters :
Returns :
string | undefined
|
| extractRawTokenFromSubmission | |||||||||
extractRawTokenFromSubmission(id: string, payload)
|
|||||||||
|
Extracts the raw cryptographic token from the presentation payload. Supporting Multi-Credential-Flows by evaluating the descriptor_map or falling back to ID-mapping.
Parameters :
Returns :
string | undefined
|
| extractRequestMeta | ||||||
extractRequestMeta(req?: Request)
|
||||||
|
Parameters :
|
| getChangedFields | |||||||||
getChangedFields(before?: Record, after?: Record)
|
|||||||||
|
Parameters :
Returns :
string[]
|
| getChangedFieldsForKeys | ||||||||||||
getChangedFieldsForKeys<T extends object>(before: T, after: T, keys: Array)
|
||||||||||||
Type parameters :
|
||||||||||||
|
Parameters :
Returns :
string[]
|
| resolveAuditActor | ||||||
resolveAuditActor(token: TokenPayload)
|
||||||
|
Parameters :
Returns :
AuditLogActor
|
| filterOpenApiPaths | |||||||||
filterOpenApiPaths(document: OpenAPIObject, predicate)
|
|||||||||
|
Filter an OpenAPI document to only include paths matching (or not matching) a given predicate. Also prunes the tag list to only include tags that are actually referenced by the remaining paths.
Parameters :
Returns :
OpenAPIObject
|
| getEncryptionService |
getEncryptionService()
|
|
Get the encryption service instance. Throws if not initialized.
Returns :
EncryptionService
|
| initializeEncryptionTransformer | ||||||
initializeEncryptionTransformer(service: EncryptionService)
|
||||||
|
Initialize the encryption transformer with an EncryptionService instance. Must be called during application bootstrap before any database operations.
Parameters :
Returns :
void
|
| getHeadersFromRequest | ||||||
getHeadersFromRequest(req: Request)
|
||||||
|
Utility function to extract headers from an Express request
Parameters :
Returns :
globalThis.Headers
|
| importPublicCryptoKey | ||||||||||||
importPublicCryptoKey(publicJwk: JWK, alg: KmsSigningAlg)
|
||||||||||||
|
Convenience: derive a real WebCrypto public CryptoKey from a public JWK. Used by the cert builder to populate SubjectPublicKeyInfo / compute Subject- and AuthorityKeyIdentifier extensions.
Parameters :
Returns :
Promise<CryptoKey>
|
| isKmsKey | ||||||
isKmsKey(key: CryptoKey)
|
||||||
|
Parameters :
Returns :
CryptoKey & KmsSigningKeyMarker
|
| makeKmsSigningKey | ||||||||||||||||
makeKmsSigningKey(adapter: KmsAdapter, ref: KmsKeyRef, alg: KmsSigningAlg)
|
||||||||||||||||
|
Build an opaque CryptoKey-shaped value that routes WebCrypto The returned object is NEVER usable for export, verify or any other
native subtle operation — only for signing, and only when the
KmsCryptoProvider is active (which is the default once the
Parameters :
Returns :
CryptoKey
|
| IsTransactionData | ||||||
IsTransactionData(validationOptions?: ValidationOptions)
|
||||||
|
Parameters :
|
| loadConfigDto | |||||||||
loadConfigDto<T extends object>(filePath: string, validationClass: ClassConstructor)
|
|||||||||
Type parameters :
|
|||||||||
|
Parameters :
Returns :
T
|
| loadJsonFile | ||||||
loadJsonFile<T>(filePath: string)
|
||||||
Type parameters :
|
||||||
|
Parameters :
Returns :
T
|
| registerTolerantX509Extensions |
registerTolerantX509Extensions()
|
|
Register the tolerant issuerAltName parser globally. Call once at bootstrap (idempotent — re-registering simply overwrites the factory entry).
Returns :
void
|
| requireTenantContext | ||||||
requireTenantContext(user: TokenPayload)
|
||||||
|
Parameters :
Returns :
string
|
| Secured | ||||
Secured(roles)
|
||||
|
Parameters :
|
| signatureAlgFor | ||||||
signatureAlgFor(alg: KmsSigningAlg)
|
||||||
|
Parameters :
|
| stripPrivateComponents | ||||||
stripPrivateComponents(jwk: JWK)
|
||||||
|
Parameters :
Returns :
JWK
|
| verifyPkceCodeChallenge | ||||||||||||
verifyPkceCodeChallenge(codeChallenge?: string, codeChallengeMethod?: string, codeVerifier?: string)
|
||||||||||||
|
Parameters :
Returns :
void
|