@pagopa/io-react-native-wallet 0.1.0

package/src/utils/jwk.ts

@@ -0,0 +1,39 @@
+import { z } from "zod";
+
+export type JWK = z.infer<typeof JWK>;
+export const JWK = z.object({
+  /** JWK "alg" (Algorithm) Parameter. */
+  alg: z.string().optional(),
+  crv: z.string().optional(),
+  d: z.string().optional(),
+  dp: z.string().optional(),
+  dq: z.string().optional(),
+  e: z.string().optional(),
+  /** JWK "ext" (Extractable) Parameter. */
+  ext: z.boolean().optional(),
+  k: z.string().optional(),
+  /** JWK "key_ops" (Key Operations) Parameter. */
+  key_ops: z.array(z.string()).optional(),
+  /** JWK "kid" (Key ID) Parameter. */
+  kid: z.string().optional(),
+  /** JWK "kty" (Key Type) Parameter.
+   * This attribute is required to discriminate the
+   * type of EC/RSA algorithm */
+  kty: z.union([z.literal("RSA"), z.literal("EC")]),
+  n: z.string().optional(),
+  p: z.string().optional(),
+  q: z.string().optional(),
+  qi: z.string().optional(),
+  /** JWK "use" (Public Key Use) Parameter. */
+  use: z.string().optional(),
+  x: z.string().optional(),
+  y: z.string().optional(),
+  /** JWK "x5c" (X.509 Certificate Chain) Parameter. */
+  x5c: z.array(z.string()).optional(),
+  /** JWK "x5t" (X.509 Certificate SHA-1 Thumbprint) Parameter. */
+  x5t: z.string().optional(),
+  /** "x5t#S256" (X.509 Certificate SHA-256 Thumbprint) Parameter. */
+  "x5t#S256": z.string().optional(),
+  /** JWK "x5u" (X.509 URL) Parameter. */
+  x5u: z.string().optional(),
+});

package/src/wallet-instance-attestation/index.ts

@@ -0,0 +1,56 @@
+import { WalletInstanceAttestationJwt } from "./types";
+import { decode as decodeJwt } from "@pagopa/io-react-native-jwt";
+import { verify as verifyJwt } from "@pagopa/io-react-native-jwt";
+
+import { Issuing } from "./issuing";
+export { Issuing };
+/**
+ * Decode a given JWT to get the parsed Wallet Instance Attestation object they define.
+ * It ensures provided data is in a valid shape.
+ *
+ * It DOES NOT verify token signature nor check disclosures are correctly referenced by the JWT.
+ * Use {@link verify} instead
+ *
+ * @function
+ * @param token The encoded token that represents a valid jwt for Wallet Instance Attestation
+ *
+ * @returns The validated Wallet Instance Attestation object
+ * @throws A decoding error if the token doesn't resolve in a valid JWT
+ * @throws A validation error if the provided data doesn't result in a valid Wallet Instance Attestation
+ *
+ */
+export function decode(token: string): WalletInstanceAttestationJwt {
+  // decode JWT parts
+  const decodedJwt = decodeJwt(token);
+  // parse JWT to ensure it has the shape of a WalletInstanceAttestationJwt
+  return WalletInstanceAttestationJwt.parse({
+    header: decodedJwt.protectedHeader,
+    payload: decodedJwt.payload,
+  });
+}
+
+/**
+ * Verify a given JWT to get the parsed Wallet Instance Attestation object they define.
+ * Same as {@link decode} plus token signature verification
+ *
+ * @async @function
+ *
+ *
+ * @param token The encoded token that represents a valid jwt
+ *
+ * @returns {WalletInstanceAttestationJwt} The validated Wallet Instance Attestation object
+ * @throws A decoding error if the token doesn't resolve in a valid JWT
+ * @throws A validation error if the provided data doesn't result in a valid Wallet Instance Attestation
+ * @throws Invalid signature error if the token signature is not valid
+ *
+ */
+export async function verify(
+  token: string
+): Promise<WalletInstanceAttestationJwt> {
+  const decoded = decode(token);
+  const pubKey = decoded.payload.cnf.jwk;
+
+  await verifyJwt(token, pubKey);
+
+  return decoded;
+}

package/src/wallet-instance-attestation/issuing.ts

@@ -0,0 +1,107 @@
+import { decode as decodeJwt } from "@pagopa/io-react-native-jwt";
+import { verify as verifyJwt } from "@pagopa/io-react-native-jwt";
+import { SignJWT, thumbprint } from "@pagopa/io-react-native-jwt";
+import { JWK } from "../utils/jwk";
+import { WalletInstanceAttestationRequestJwt } from "./types";
+import uuid from "react-native-uuid";
+import { WalletInstanceAttestationIssuingError } from "../utils/errors";
+
+export class Issuing {
+  walletProviderBaseUrl: string;
+
+  constructor(walletProviderBaseUrl: string) {
+    this.walletProviderBaseUrl = walletProviderBaseUrl;
+  }
+
+  /**
+   * Get the Wallet Instance Attestation Request to sign
+   *
+   * @async @function
+   *
+   * @param jwk Public key of the wallet instance
+   *
+   * @returns {string} Wallet Instance Attestation Request to sign
+   *
+   */
+  async getAttestationRequestToSign(jwk: JWK): Promise<string> {
+    const parsedJwk = JWK.parse(jwk);
+    const keyThumbprint = await thumbprint(parsedJwk);
+    const publicKey = { ...parsedJwk, kid: keyThumbprint };
+
+    const walletInstanceAttestationRequest = new SignJWT({
+      iss: keyThumbprint,
+      sub: this.walletProviderBaseUrl,
+      jti: `${uuid.v4()}`,
+      type: "WalletInstanceAttestationRequest",
+      cnf: {
+        jwk: publicKey,
+      },
+    })
+      .setProtectedHeader({
+        alg: "ES256",
+        kid: publicKey.kid,
+        typ: "var+jwt",
+      })
+      .setIssuedAt()
+      .setExpirationTime("1h")
+      .toSign();
+
+    return walletInstanceAttestationRequest;
+  }
+
+  /**
+   * Get the Wallet Instance Attestation given a
+   * Wallet Instance Attestation Request and signature
+   *
+   * @async @function
+   *
+   * @param attestationRequest Wallet Instance Attestaion Request
+   * obtained with {@link getAttestationRequestToSign}
+   * @param signature Signature of the Wallet Instance Attestaion Request
+   * @param appFetch Optional object with fetch function to use
+   *
+   * @returns {string} Wallet Instance Attestation
+   *
+   */
+  async getAttestation(
+    attestationRequest: string,
+    signature: string,
+    appFetch: GlobalFetch = { fetch }
+  ): Promise<String> {
+    const signedAttestationRequest = await SignJWT.appendSignature(
+      attestationRequest,
+      signature
+    );
+    const decodedRequest = decodeJwt(signedAttestationRequest);
+    const parsedRequest = WalletInstanceAttestationRequestJwt.parse({
+      payload: decodedRequest.payload,
+      header: decodedRequest.protectedHeader,
+    });
+    const publicKey = parsedRequest.payload.cnf.jwk;
+
+    await verifyJwt(signedAttestationRequest, publicKey);
+
+    const tokenUrl = new URL("token", this.walletProviderBaseUrl).href;
+    const requestBody = {
+      grant_type:
+        "urn:ietf:params:oauth:client-assertion-type:jwt-key-attestation",
+      assertion: signedAttestationRequest,
+    };
+    const response = await appFetch.fetch(tokenUrl, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+      },
+      body: JSON.stringify(requestBody),
+    });
+
+    if (response.status === 201) {
+      return await response.text();
+    }
+
+    throw new WalletInstanceAttestationIssuingError(
+      "Unable to obtain wallet instance attestation from wallet provider",
+      `Response code: ${response.status}`
+    );
+  }
+}

package/src/wallet-instance-attestation/types.ts

@@ -0,0 +1,77 @@
+import { JWK } from "../utils/jwk";
+import * as z from "zod";
+
+const UnixTime = z.number().min(0).max(2147483647000);
+type UnixTime = z.infer<typeof UnixTime>;
+
+const Jwt = z.object({
+  header: z.object({
+    alg: z.string(),
+    kid: z.string(),
+    typ: z.string(),
+    x5c: z.array(z.string()).optional(),
+    trust_chain: z.array(z.string()).optional(),
+  }),
+  payload: z.object({
+    iss: z.string(),
+    sub: z.string(),
+    iat: UnixTime,
+    exp: UnixTime,
+    cnf: z.object({
+      jwk: JWK,
+    }),
+  }),
+});
+
+export type WalletInstanceAttestationRequestJwt = z.infer<
+  typeof WalletInstanceAttestationRequestJwt
+>;
+export const WalletInstanceAttestationRequestJwt = z.object({
+  header: z.intersection(
+    Jwt.shape.header,
+    z.object({
+      typ: z.literal("var+jwt"),
+    })
+  ),
+  payload: z.intersection(
+    Jwt.shape.payload,
+    z.object({
+      jti: z.string(),
+      type: z.literal("WalletInstanceAttestationRequest"),
+    })
+  ),
+});
+
+export type WalletInstanceAttestationJwt = z.infer<
+  typeof WalletInstanceAttestationJwt
+>;
+export const WalletInstanceAttestationJwt = z.object({
+  header: z.intersection(
+    Jwt.shape.header,
+    z.object({
+      typ: z.literal("va+jwt"),
+    })
+  ),
+  payload: z.intersection(
+    Jwt.shape.payload,
+    z.object({
+      type: z.literal("WalletInstanceAttestation"),
+      policy_uri: z.string().url(),
+      tos_uri: z.string().url(),
+      logo_uri: z.string().url(),
+      asc: z.string(),
+      authorization_endpoint: z.string().url(),
+      response_types_supported: z.array(z.string()),
+      vp_formats_supported: z.object({
+        jwt_vp_json: z.object({
+          alg_values_supported: z.array(z.string()),
+        }),
+        jwt_vc_json: z.object({
+          alg_values_supported: z.array(z.string()),
+        }),
+      }),
+      request_object_signing_alg_values_supported: z.array(z.string()),
+      presentation_definition_uri_supported: z.boolean(),
+    })
+  ),
+});