@pagopa/io-react-native-wallet 0.11.0 → 0.12.0

package/src/client/index.ts

@@ -0,0 +1,58 @@
+import { WalletProviderResponseError } from "../utils/errors";
+import {
+  ProblemDetail,
+  createApiClient as createWalletProviderApiClient,
+} from "./generated/wallet-provider";
+import { ApiClient as WalletProviderApiClient } from "./generated/wallet-provider";
+
+export type WalletProviderClient = WalletProviderApiClient;
+
+const validateResponse = async (response: Response) => {
+  if (!response.ok) {
+    let problemDetail: ProblemDetail = {};
+    try {
+      problemDetail = ProblemDetail.parse(await response.json());
+    } catch {
+      problemDetail = {
+        title: "Invalid response from Wallet Provider",
+      };
+    }
+
+    let statusResponse = `Response status code: ${response.status}`;
+
+    throw new WalletProviderResponseError(
+      problemDetail.title
+        ? problemDetail.title
+        : "Invalid response from Wallet Provider",
+      problemDetail.type,
+      problemDetail.detail
+        ? statusResponse
+        : `${statusResponse} with detail: ${problemDetail.detail}`
+    );
+  }
+  return response;
+};
+
+export const getWalletProviderClient = (context: {
+  walletProviderBaseUrl: string;
+  appFetch?: GlobalFetch["fetch"];
+}) => {
+  const { walletProviderBaseUrl, appFetch = fetch } = context;
+
+  return createWalletProviderApiClient(
+    (method, url, params) =>
+      appFetch(url, {
+        method,
+        body: params ? JSON.stringify(params.body) : undefined,
+      })
+        .then(validateResponse)
+        .then((res) => {
+          const contentType = res.headers.get("content-type");
+          if (contentType === "application/json") {
+            return res.json();
+          }
+          return res.text();
+        }),
+    walletProviderBaseUrl
+  );
+};

package/src/credential/issuance/07-verify-and-parse-credential.ts

@@ -89,45 +89,49 @@ const parseCredentialSdJwt = (
 
   // attributes that are defined in the issuer configuration
   // and are present in the disclosure set
-  const definedValues = attrDefinitions
-    // retrieve the value from the disclosure set
-    .map(
-      ([attrKey, definition]) =>
-        [
-          attrKey,
-          {
-            ...definition,
-            value: disclosures.find(
-              (_) => _[1 /* name */] === attrKey
-            )?.[2 /* value */],
-          },
-        ] as const
-    )
-    // add a human readable attribute name, with i18n, in the form { locale: name }
-    // example: { "it-IT": "Nome", "en-EN": "Name", "es-ES": "Nombre" }
-    .map(
-      ([attrKey, { display, ...definition }]) =>
-        [
-          attrKey,
-          {
-            ...definition,
-            name: display.reduce(
-              (names, { locale, name }) => ({ ...names, [locale]: name }),
-              {} as Record<string, string>
-            ),
-          },
-        ] as const
-    );
+  const definedValues = Object.fromEntries(
+    attrDefinitions
+      // retrieve the value from the disclosure set
+      .map(
+        ([attrKey, definition]) =>
+          [
+            attrKey,
+            {
+              ...definition,
+              value: disclosures.find(
+                (_) => _[1 /* name */] === attrKey
+              )?.[2 /* value */],
+            },
+          ] as const
+      )
+      // add a human readable attribute name, with i18n, in the form { locale: name }
+      // example: { "it-IT": "Nome", "en-EN": "Name", "es-ES": "Nombre" }
+      .map(
+        ([attrKey, { display, ...definition }]) =>
+          [
+            attrKey,
+            {
+              ...definition,
+              name: display.reduce(
+                (names, { locale, name }) => ({ ...names, [locale]: name }),
+                {} as Record<string, string>
+              ),
+            },
+          ] as const
+      )
+  );
 
   // attributes that are in the disclosure set
   // but are not defined in the issuer configuration
-  const undefinedValues = disclosures
-    .filter((_) => !Object.keys(definedValues).includes(_[1]))
-    .map(([, key, value]) => [key, { value, mandatory: false, name: key }]);
+  const undefinedValues = Object.fromEntries(
+    disclosures
+      .filter((_) => !Object.keys(definedValues).includes(_[1]))
+      .map(([, key, value]) => [key, { value, mandatory: false, name: key }])
+  );
 
   return {
-    ...Object.fromEntries(definedValues),
-    ...Object.fromEntries(undefinedValues),
+    ...definedValues,
+    ...undefinedValues,
   };
 };
 

package/src/index.ts

@@ -1,3 +1,4 @@
+import { fixBase64EncodingOnKey } from "./utils/jwk";
 // polyfill due to known bugs on URL implementation for react native
 // https://github.com/facebook/react-native/issues/24428
 import "react-native-url-polyfill/auto";
@@ -8,17 +9,23 @@ import * as SdJwt from "./sd-jwt";
 import * as Errors from "./utils/errors";
 import * as WalletInstanceAttestation from "./wallet-instance-attestation";
 import * as Trust from "./trust";
+import * as WalletInstance from "./wallet-instance";
 import { AuthorizationDetail, AuthorizationDetails } from "./utils/par";
 import { createCryptoContextFor } from "./utils/crypto";
+import type { IntegrityContext } from "./utils/integrity";
 
 export {
   SdJwt,
   PID,
   Credential,
   WalletInstanceAttestation,
+  WalletInstance,
   Errors,
   Trust,
   createCryptoContextFor,
   AuthorizationDetail,
   AuthorizationDetails,
+  fixBase64EncodingOnKey,
 };
+
+export type { IntegrityContext };

package/src/sd-jwt/__test__/converters.test.js

@@ -0,0 +1,24 @@
+import { getValueFromDisclosures } from "../converters";
+const disclosures = [
+  ["6w1_soRXFgaHKfpYn3cvfQ", "given_name", "Mario"],
+  ["fuNp97Hf3wV6y48y-QZhIg", "birthdate", "1980-10-01"],
+  [
+    "p-9LzyWHZBVDvhXDWkN2xA",
+    "place_of_birth",
+    { country: "IT", locality: "Rome" },
+  ],
+];
+describe("getValueFromDisclosures", () => {
+  it("should return correct value for given_name", () => {
+    const success = getValueFromDisclosures(disclosures, "given_name");
+    expect(success).toBe("Mario");
+  });
+  it("should return correct value for place_of_birth", () => {
+    const success = getValueFromDisclosures(disclosures, "place_of_birth");
+    expect(success).toEqual({ country: "IT", locality: "Rome" });
+  });
+  it("should fail", () => {
+    const success = getValueFromDisclosures(disclosures, "given_surname");
+    expect(success).toBeUndefined();
+  });
+});

package/src/sd-jwt/verifier.js

@@ -0,0 +1,12 @@
+import { sha256ToBase64 } from "@pagopa/io-react-native-jwt";
+import { ValidationFailed } from "../utils/errors";
+export const verifyDisclosure = async ({ encoded, decoded }, claims) => {
+  let hash = await sha256ToBase64(encoded);
+  if (!claims.includes(hash)) {
+    throw new ValidationFailed(
+      "Validation of disclosure failed",
+      `${decoded}`,
+      "Disclosure hash not found in claims"
+    );
+  }
+};

package/src/utils/errors.ts

@@ -233,3 +233,31 @@ export class PidMetadataError extends Error {
     super(message);
   }
 }
+
+/**
+ * An error subclass thrown when a Wallet Provider http request fail
+ *
+ */
+export class WalletProviderResponseError extends IoWalletError {
+  static get code(): "ERR_IO_WALLET_PROVIDER_RESPONSE_FAILED" {
+    return "ERR_IO_WALLET_PROVIDER_RESPONSE_FAILED";
+  }
+
+  code = "ERR_IO_WALLET_PROVIDER_RESPONSE_FAILED";
+
+  /** The Claim for which the validation failed. */
+  claim: string;
+
+  /** Reason code for the validation failure. */
+  reason: string;
+
+  constructor(
+    message: string,
+    claim: string = "unspecified",
+    reason: string = "unspecified"
+  ) {
+    super(serializeAttrs({ message, claim, reason }));
+    this.claim = claim;
+    this.reason = reason;
+  }
+}

package/src/utils/integrity.ts

@@ -0,0 +1,23 @@
+/**
+ * Interface for the integrity context which provides the necessary functions to interact with the integrity service.
+ * The functions are platform specific and must be implemented in the platform specific code.
+ * getHardwareKeyTag: returns the hardware key tag.
+ * getAttestation: requests the attestation from the integrity service.
+ * getHardwareSignatureWithAuthData: signs the clientData and returns the signature with the authenticator data.
+ */
+export interface IntegrityContext {
+  getHardwareKeyTag: () => string;
+  getAttestation: (nonce: string) => Promise<string>;
+  getHardwareSignatureWithAuthData: (
+    clientData: string
+  ) => Promise<HardwareSignatureWithAuthData>;
+}
+
+/**
+ * Type returned by the getHardwareSignatureWithAuthData function of {@link IntegrityContext}.
+ * It contains the signature and the authenticator data.
+ */
+export type HardwareSignatureWithAuthData = {
+  signature: string;
+  authenticatorData: string;
+};

package/src/wallet-instance/index.ts

@@ -0,0 +1,29 @@
+import { getWalletProviderClient } from "../client";
+import type { IntegrityContext } from "..";
+
+export async function createWalletInstance(context: {
+  integrityContext: IntegrityContext;
+  walletProviderBaseUrl: string;
+  appFetch?: GlobalFetch["fetch"];
+}) {
+  const { integrityContext } = context;
+
+  const api = getWalletProviderClient(context);
+
+  //1. Obtain nonce
+  const challenge = await api.get("/nonce").then((response) => response.nonce);
+
+  const keyAttestation = await integrityContext.getAttestation(challenge);
+  const hardwareKeyTag = integrityContext.getHardwareKeyTag();
+
+  //2. Create Wallet Instance
+  await api.post("/wallet-instances", {
+    body: {
+      challenge,
+      key_attestation: keyAttestation,
+      hardware_key_tag: hardwareKeyTag,
+    },
+  });
+
+  return hardwareKeyTag;
+}

package/src/wallet-instance-attestation/issuing.ts

@@ -1,77 +1,62 @@
-import {
-  type CryptoContext,
-  decode as decodeJwt,
-} from "@pagopa/io-react-native-jwt";
-import { verify as verifyJwt } from "@pagopa/io-react-native-jwt";
+import { type CryptoContext } from "@pagopa/io-react-native-jwt";
 import { SignJWT, thumbprint } from "@pagopa/io-react-native-jwt";
 import { JWK, fixBase64EncodingOnKey } from "../utils/jwk";
-import { WalletInstanceAttestationRequestJwt } from "./types";
-import uuid from "react-native-uuid";
-import { WalletInstanceAttestationIssuingError } from "../utils/errors";
-import type { WalletProviderEntityConfiguration } from "../trust/types";
+import { getWalletProviderClient } from "../client";
+import type { IntegrityContext } from "..";
+import { z } from "zod";
 
-async function getAttestationRequest(
+/**
+ * Getter for an attestation request. The attestation request is a JWT that will be sent to the Wallet Provider to request a Wallet Instance Attestation.
+ *
+ * @param challenge - The nonce received from the Wallet Provider which is part of the signed clientData
+ * @param wiaCryptoContext - The key pair associated with the WIA. Will be use to prove the ownership of the attestation
+ * @param integrityContext - The integrity context which exposes a set of functions to interact with the device integrity service
+ * @param walletProviderBaseUrl - Base url for the Wallet Provider
+ * @returns A JWT containing the attestation request
+ */
+export async function getAttestationRequest(
+  challenge: string,
   wiaCryptoContext: CryptoContext,
-  walletProviderEntityConfiguration: WalletProviderEntityConfiguration
+  integrityContext: IntegrityContext,
+  walletProviderBaseUrl: string
 ): Promise<string> {
   const jwk = await wiaCryptoContext.getPublicKey();
   const parsedJwk = JWK.parse(jwk);
   const keyThumbprint = await thumbprint(parsedJwk);
   const publicKey = { ...parsedJwk, kid: keyThumbprint };
 
+  const clientData = {
+    challenge,
+    jwk_thumbprint: keyThumbprint,
+  };
+
+  const hardwareKeyTag = integrityContext.getHardwareKeyTag();
+  const { signature, authenticatorData } =
+    await integrityContext.getHardwareSignatureWithAuthData(
+      JSON.stringify(clientData)
+    );
+
   return new SignJWT(wiaCryptoContext)
     .setPayload({
       iss: keyThumbprint,
-      aud: walletProviderEntityConfiguration.payload.iss,
-      jti: `${uuid.v4()}`,
-      nonce: `${uuid.v4()}`,
+      sub: walletProviderBaseUrl,
+      challenge,
+      hardware_signature: signature,
+      integrity_assertion: authenticatorData,
+      hardware_key_tag: hardwareKeyTag,
       cnf: {
         jwk: fixBase64EncodingOnKey(publicKey),
       },
     })
     .setProtectedHeader({
       kid: publicKey.kid,
-      typ: "wiar+jwt",
+      typ: "war+jwt",
     })
     .setIssuedAt()
     .setExpirationTime("1h")
     .sign();
 }
 
-/**
- * Validate a Wallet Instance Attestation token.
- * Either return true or throw an exception.
- *
- * @param wia Signed Wallet Instance Attestation token
- * @param walletProviderEntityConfiguration Entity Configuration object for the issuing Wallet Provider
- * @returns The token is valid
- * @throws {WalletInstanceAttestationIssuingError} When the received token fails to validate. This can happen due to invalid signature, expired token or malformed JWT token.
- */
-async function verifyWalletInstanceAttestation(
-  wia: string,
-  walletProviderEntityConfiguration: WalletProviderEntityConfiguration
-): Promise<true> {
-  const {
-    payload: {
-      sub,
-      metadata: {
-        wallet_provider: {
-          jwks: { keys },
-        },
-      },
-    },
-  } = walletProviderEntityConfiguration;
-  return verifyJwt(wia, keys, { issuer: sub })
-    .then((_) => true as const)
-    .catch((ex) => {
-      const reason = ex && ex instanceof Error ? ex.message : "unknown reason";
-      throw new WalletInstanceAttestationIssuingError(
-        "Unable to validate received wallet instance attestation",
-        reason
-      );
-    });
-}
-
 /**
  * Request a Wallet Instance Attestation (WIA) to the Wallet provider
  *
@@ -80,60 +65,42 @@ async function verifyWalletInstanceAttestation(
  * @param walletProviderBaseUrl Base url for the Wallet Provider
  * @returns The retrieved Wallet Instance Attestation token
  */
-export const getAttestation =
-  ({
-    wiaCryptoContext,
-    appFetch = fetch,
-  }: {
-    wiaCryptoContext: CryptoContext;
-    appFetch?: GlobalFetch["fetch"];
-  }) =>
-  async (
-    walletProviderEntityConfiguration: WalletProviderEntityConfiguration
-  ): Promise<string> => {
-    const signedAttestationRequest = await getAttestationRequest(
-      wiaCryptoContext,
-      walletProviderEntityConfiguration
-    );
+export const getAttestation = async ({
+  wiaCryptoContext,
+  integrityContext,
+  walletProviderBaseUrl,
+  appFetch = fetch,
+}: {
+  wiaCryptoContext: CryptoContext;
+  integrityContext: IntegrityContext;
+  walletProviderBaseUrl: string;
+  appFetch?: GlobalFetch["fetch"];
+}): Promise<string> => {
+  const api = getWalletProviderClient({
+    walletProviderBaseUrl,
+    appFetch,
+  });
 
-    const decodedRequest = decodeJwt(signedAttestationRequest);
-    const parsedRequest = WalletInstanceAttestationRequestJwt.parse({
-      payload: decodedRequest.payload,
-      header: decodedRequest.protectedHeader,
-    });
-    const publicKey = parsedRequest.payload.cnf.jwk;
+  // 1. Get nonce from backend
+  const challenge = await api.get("/nonce").then((response) => response.nonce);
 
-    await verifyJwt(signedAttestationRequest, publicKey);
+  // 2. Get a signed attestation request
+  const signedAttestationRequest = await getAttestationRequest(
+    challenge,
+    wiaCryptoContext,
+    integrityContext,
+    walletProviderBaseUrl
+  );
 
-    const tokenUrl =
-      walletProviderEntityConfiguration.payload.metadata.wallet_provider
-        .token_endpoint;
-    const requestBody = {
-      grant_type:
-        "urn:ietf:params:oauth:client-assertion-type:jwt-client-attestation",
-      assertion: signedAttestationRequest,
-    };
-    const response = await appFetch(tokenUrl, {
-      method: "POST",
-      headers: {
-        "Content-Type": "application/json",
+  // 3. Request WIA
+  const wia = await api
+    .post("/token", {
+      body: {
+        grant_type: "urn:ietf:params:oauth:grant-type:jwt-bearer",
+        assertion: signedAttestationRequest,
       },
-      body: JSON.stringify(requestBody),
-    });
-
-    if (response.status !== 201) {
-      throw new WalletInstanceAttestationIssuingError(
-        "Unable to obtain wallet instance attestation from wallet provider",
-        `Response code: ${response.status}`
-      );
-    }
-
-    const wia = await response.text();
-
-    await verifyWalletInstanceAttestation(
-      wia,
-      walletProviderEntityConfiguration
-    );
+    })
+    .then((result) => z.string().parse(result));
 
-    return wia;
-  };
+  return wia;
+};

package/src/wallet-instance-attestation/types.ts

@@ -33,7 +33,7 @@ export const WalletInstanceAttestationRequestJwt = z.object({
   header: z.intersection(
     Jwt.shape.header,
     z.object({
-      typ: z.literal("wiar+jwt"),
+      typ: z.literal("war+jwt"),
     })
   ),
   payload: z.intersection(