@pagopa/io-react-native-wallet 0.11.1 → 0.13.0

package/src/credential/issuance/07-verify-and-parse-credential.ts

@@ -1,11 +1,11 @@
 import type { Out } from "../../utils/misc";
 import type { EvaluateIssuerTrust } from "./02-evaluate-issuer-trust";
-import type { ObtainCredential } from "./06-obtain-credential";
 import { IoWalletError } from "../../utils/errors";
 import { SdJwt4VC } from "../../sd-jwt/types";
 import { verify as verifySdJwt } from "../../sd-jwt";
 import type { JWK } from "../../utils/jwk";
 import type { CryptoContext } from "@pagopa/io-react-native-jwt";
+import type { ObtainCredential } from "./06-obtain-credential";
 
 export type VerifyAndParseCredential = (
   issuerConf: Out<EvaluateIssuerTrust>["issuerConf"],
@@ -13,7 +13,6 @@ export type VerifyAndParseCredential = (
   format: Out<ObtainCredential>["format"],
   context: {
     credentialCryptoContext: CryptoContext;
-    ignoreMissingAttributes?: boolean;
   }
 ) => Promise<{ parsedCredential: ParsedCredential }>;
 
@@ -28,9 +27,8 @@ type ParsedCredential = Record<
           string /* locale */,
           string /* value */
         >
-      | /* if no i18n is provided */ string;
-    /** If in defined as mandatory by the Issuer */
-    mandatory: boolean;
+      | /* if no i18n is provided */ string
+      | undefined; // Add undefined as a possible value for the name property
     /** The actual value of the attribute */
     value: unknown;
   }
@@ -43,48 +41,34 @@ type DecodedSdJwtCredential = Out<typeof verifySdJwt> & {
 
 const parseCredentialSdJwt = (
   // the list of supported credentials, as defined in the issuer configuration
-  credentials_supported: Out<EvaluateIssuerTrust>["issuerConf"]["openid_credential_issuer"]["credentials_supported"],
-  { sdJwt, disclosures }: DecodedSdJwtCredential,
-  ignoreMissingAttributes: boolean = false
+  credentials_supported: Out<EvaluateIssuerTrust>["issuerConf"]["openid_credential_issuer"]["credential_configurations_supported"],
+  { sdJwt, disclosures }: DecodedSdJwtCredential
 ): ParsedCredential => {
-  // find the definition that matches the received credential's type
-  // warning: if more then a defintion is found, the first is retrieved
-  const credentialSubject = credentials_supported.find(
-    (c) =>
-      c.format === "vc+sd-jwt" &&
-      c.credential_definition.type.includes(sdJwt.payload.type)
-  )?.credential_definition.credentialSubject;
-
-  // the received credential matches no supported credential, throw an exception
+  const credentialSubject = credentials_supported[sdJwt.payload.vct];
+
   if (!credentialSubject) {
-    const expected = credentials_supported
-      .flatMap((_) => _.credential_definition.type)
-      .join(", ");
+    throw new IoWalletError("Credential type not supported by the issuer");
+  }
+
+  if (credentialSubject.format !== sdJwt.header.typ) {
     throw new IoWalletError(
-      `Received credential is of an unknwown type. Expected one of [${expected}], received '${sdJwt.payload.type}', `
+      `Received credential is of an unknwown type. Expected one of [${credentialSubject.format}], received '${sdJwt.header.typ}', `
     );
   }
 
   // transfrom a record { key: value } in an iterable of pairs [key, value]
-  const attrDefinitions = Object.entries(credentialSubject);
+  const attrDefinitions = Object.entries(credentialSubject.claims);
 
-  // every mandatory attribute must be present in the credential's disclosures
   // the key of the attribute defintion must match the disclosure's name
   const attrsNotInDisclosures = attrDefinitions.filter(
-    ([attrKey, { mandatory }]) =>
-      mandatory && !disclosures.some(([, name]) => name === attrKey)
+    ([attrKey]) => !disclosures.some(([, name]) => name === attrKey)
   );
   if (attrsNotInDisclosures.length > 0) {
     const missing = attrsNotInDisclosures.map((_) => _[0 /* key */]).join(", ");
     const received = disclosures.map((_) => _[1 /* name */]).join(", ");
-    // the rationale of this condition is that we may want to be permissive
-    // on incomplete credentials in the test phase of the project.
-    // we might want to be strict once in production, hence remove this condition
-    if (!ignoreMissingAttributes) {
-      throw new IoWalletError(
-        `Some attributes are missing in the credential. Missing: [${missing}], received: [${received}]`
-      );
-    }
+    throw new IoWalletError(
+      `Some attributes are missing in the credential. Missing: [${missing}], received: [${received}]`
+    );
   }
 
   // attributes that are defined in the issuer configuration
@@ -126,7 +110,7 @@ const parseCredentialSdJwt = (
   const undefinedValues = Object.fromEntries(
     disclosures
       .filter((_) => !Object.keys(definedValues).includes(_[1]))
-      .map(([, key, value]) => [key, { value, mandatory: false, name: key }])
+      .map(([, key, value]) => [key, { value, name: key }])
   );
 
   return {
@@ -185,7 +169,7 @@ const verifyAndParseCredentialSdJwt: WithFormat<"vc+sd-jwt"> = async (
   issuerConf,
   credential,
   _,
-  { credentialCryptoContext, ignoreMissingAttributes }
+  { credentialCryptoContext }
 ) => {
   const decoded = await verifyCredentialSdJwt(
     credential,
@@ -194,36 +178,23 @@ const verifyAndParseCredentialSdJwt: WithFormat<"vc+sd-jwt"> = async (
   );
 
   const parsedCredential = parseCredentialSdJwt(
-    issuerConf.openid_credential_issuer.credentials_supported,
-    decoded,
-    ignoreMissingAttributes
+    issuerConf.openid_credential_issuer.credential_configurations_supported,
+    decoded
   );
 
   return { parsedCredential };
 };
 
-const verifyAndParseCredentialMdoc: WithFormat<"vc+mdoc-cbor"> = async (
-  _issuerConf,
-  _credential,
-  _,
-  _ctx
-) => {
-  // TODO: [SIW-686] decode MDOC credentials
-  throw new Error("verifyAndParseCredentialMdoc not implemented yet");
-};
-
 /**
- * Verify and parse an encoded credential
- *
- * @param issuerConf The Issuer configuration
- * @param credential The encoded credential
- * @param format The format of the credentual
- * @param context.credentialCryptoContext The context to access the key the Credential will be bound to
- * @param context.ignoreMissingAttributes (optional) Whether to fail if a defined attribute is note present in the credentual. Default: false
+ * Verify and parse an encoded credential.
+ * @param issuerConf The Issuer configuration returned by {@link evaluateIssuerTrust}
+ * @param credential The encoded credential returned by {@link obtainCredential}
+ * @param format The format of the credentual returned by {@link obtainCredential}
+ * @param context.credentialCryptoContext The crypto context used to obtain the credential in {@link obtainCredential}
  * @returns A parsed credential with attributes in plain value
- * @throws If the credential signature is not verified with the Issuer key set
- * @throws If the credential is not bound to the provided user key
- * @throws If the credential data fail to parse
+ * @throws {IoWalletError} If the credential signature is not verified with the Issuer key set
+ * @throws {IoWalletError} If the credential is not bound to the provided user key
+ * @throws {IoWalletError} If the credential data fail to parse
  */
 export const verifyAndParseCredential: VerifyAndParseCredential = async (
   issuerConf,
@@ -238,15 +209,7 @@ export const verifyAndParseCredential: VerifyAndParseCredential = async (
       format,
       context
     );
-  } else if (format === "vc+mdoc-cbor") {
-    return verifyAndParseCredentialMdoc(
-      issuerConf,
-      credential,
-      format,
-      context
-    );
   }
 
-  const _: never = format;
-  throw new IoWalletError(`Unsupported credential format: ${_}`);
+  throw new IoWalletError(`Unsupported credential format: ${format}`);
 };

package/src/credential/issuance/index.ts

@@ -7,7 +7,10 @@ import {
   startUserAuthorization,
   type StartUserAuthorization,
 } from "./03-start-user-authorization";
-import { type CompleteUserAuthorization } from "./04-complete-user-authorization";
+import {
+  completeUserAuthorizationWithQueryMode,
+  type CompleteUserAuthorizationWithQueryMode,
+} from "./04-complete-user-authorization";
 import { authorizeAccess, type AuthorizeAccess } from "./05-authorize-access";
 import {
   obtainCredential,
@@ -17,11 +20,11 @@ import {
   verifyAndParseCredential,
   type VerifyAndParseCredential,
 } from "./07-verify-and-parse-credential";
-import type { ConfirmCredential } from "./08-confirm-credential";
 
 export {
   evaluateIssuerTrust,
   startUserAuthorization,
+  completeUserAuthorizationWithQueryMode,
   authorizeAccess,
   obtainCredential,
   verifyAndParseCredential,
@@ -30,9 +33,8 @@ export type {
   StartFlow,
   EvaluateIssuerTrust,
   StartUserAuthorization,
-  CompleteUserAuthorization,
+  CompleteUserAuthorizationWithQueryMode,
   AuthorizeAccess,
   ObtainCredential,
   VerifyAndParseCredential,
-  ConfirmCredential,
 };

package/src/credential/issuance/types.ts

@@ -0,0 +1,25 @@
+import { AuthorizationDetail } from "../../utils/par";
+import * as z from "zod";
+import { SupportedCredentialFormat } from "./const";
+
+export type TokenResponse = z.infer<typeof TokenResponse>;
+
+export const TokenResponse = z.object({
+  access_token: z.string(),
+  authorization_details: z.array(AuthorizationDetail),
+  c_nonce: z.string(),
+  c_nonce_expires_in: z.number(),
+  expires_in: z.number(),
+  token_type: z.string(),
+});
+
+export type CredentialResponse = z.infer<typeof CredentialResponse>;
+
+export const CredentialResponse = z.object({
+  c_nonce: z.string(),
+  c_nonce_expires_in: z.number(),
+  credential: z.string(),
+  format: SupportedCredentialFormat,
+});
+
+export type ResponseMode = "query" | "form_post.jwt";

package/src/index.ts

@@ -1,3 +1,5 @@
+import type { AuthorizationContext } from "./utils/auth";
+import { fixBase64EncodingOnKey } from "./utils/jwk";
 // polyfill due to known bugs on URL implementation for react native
 // https://github.com/facebook/react-native/issues/24428
 import "react-native-url-polyfill/auto";
@@ -8,17 +10,23 @@ import * as SdJwt from "./sd-jwt";
 import * as Errors from "./utils/errors";
 import * as WalletInstanceAttestation from "./wallet-instance-attestation";
 import * as Trust from "./trust";
+import * as WalletInstance from "./wallet-instance";
 import { AuthorizationDetail, AuthorizationDetails } from "./utils/par";
 import { createCryptoContextFor } from "./utils/crypto";
+import type { IntegrityContext } from "./utils/integrity";
 
 export {
   SdJwt,
   PID,
   Credential,
   WalletInstanceAttestation,
+  WalletInstance,
   Errors,
   Trust,
   createCryptoContextFor,
   AuthorizationDetail,
   AuthorizationDetails,
+  fixBase64EncodingOnKey,
 };
+
+export type { IntegrityContext, AuthorizationContext };

package/src/pid/sd-jwt/converters.ts

@@ -3,24 +3,18 @@ import type { Disclosure, SdJwt4VC } from "../../sd-jwt/types";
 import { PID } from "./types";
 
 export function pidFromToken(sdJwt: SdJwt4VC, disclosures: Disclosure[]): PID {
+  const placeOfBirth = getValueFromDisclosures(disclosures, "place_of_birth");
   return PID.parse({
     issuer: sdJwt.payload.iss,
-    issuedAt: new Date(sdJwt.payload.iat * 1000),
+    issuedAt: new Date(getValueFromDisclosures(disclosures, "iat") * 1000),
     expiration: new Date(sdJwt.payload.exp * 1000),
-    verification: {
-      trustFramework:
-        sdJwt.payload.verified_claims.verification.trust_framework,
-      assuranceLevel:
-        sdJwt.payload.verified_claims.verification.assurance_level,
-      evidence: getValueFromDisclosures(disclosures, "evidence"),
-    },
     claims: {
       uniqueId: getValueFromDisclosures(disclosures, "unique_id"),
       givenName: getValueFromDisclosures(disclosures, "given_name"),
       familyName: getValueFromDisclosures(disclosures, "family_name"),
-      birthdate: getValueFromDisclosures(disclosures, "birthdate"),
-      placeOfBirth: getValueFromDisclosures(disclosures, "place_of_birth"),
-      taxIdCode: getValueFromDisclosures(disclosures, "tax_id_number"),
+      birthDate: getValueFromDisclosures(disclosures, "birth_date"),
+      ...(placeOfBirth && placeOfBirth),
+      taxIdCode: getValueFromDisclosures(disclosures, "tax_id_code"),
     },
   });
 }

package/src/pid/sd-jwt/types.ts

@@ -29,16 +29,18 @@ export const PID = z.object({
   issuer: z.string(),
   issuedAt: z.date(),
   expiration: z.date(),
-  verification: Verification,
+  verification: Verification.optional(),
   claims: z.object({
     uniqueId: z.string(),
     givenName: z.string(),
     familyName: z.string(),
-    birthdate: z.string(),
-    placeOfBirth: z.object({
-      country: z.string(),
-      locality: z.string(),
-    }),
+    birthDate: z.string(),
+    placeOfBirth: z
+      .object({
+        country: z.string(),
+        locality: z.string(),
+      })
+      .optional(),
     taxIdCode: z.string(),
   }),
 });

package/src/sd-jwt/__test__/converters.test.ts

@@ -3,7 +3,7 @@ import { Disclosure } from "../types";
 
 const disclosures: Disclosure[] = [
   ["6w1_soRXFgaHKfpYn3cvfQ", "given_name", "Mario"],
-  ["fuNp97Hf3wV6y48y-QZhIg", "birthdate", "1980-10-01"],
+  ["fuNp97Hf3wV6y48y-QZhIg", "birth_date", "1980-10-01"],
   [
     "p-9LzyWHZBVDvhXDWkN2xA",
     "place_of_birth",

package/src/sd-jwt/__test__/index.test.ts

@@ -13,99 +13,70 @@ import { SdJwt4VC } from "../types";
 //    - "address" is used as verification._sd
 //    - all others disclosures are in claims._sd
 const token =
-  "eyJ0eXAiOiJ2YytzZC1qd3QiLCJhbGciOiJFUzI1NiIsImtpZCI6ImIxODZlYTBjMTkyNTc5MzA5N2JmMDFiOGEyODlhNDVmIiwidHJ1c3RfY2hhaW4iOlsiTkVoUmRFUnBZbmxIWTNNNVdsZFdUV1oyYVVobSAuLi4iLCJleUpoYkdjaU9pSlNVekkxTmlJc0ltdHBaQ0k2IC4uLiIsIklrSllkbVp5Ykc1b1FVMTFTRkl3TjJGcVZXMUIgLi4uIl19.eyJpc3MiOiJodHRwczovL2V4YW1wbGUuY29tL2lzc3VlciIsInN1YiI6Ik56YkxzWGg4dURDY2Q3bm9XWEZaQWZIa3hac1JHQzlYcy4uLiIsImp0aSI6InVybjp1dWlkOjZjNWMwYTQ5LWI1ODktNDMxZC1iYWU3LTIxOTEyMmE5ZWMyYyIsImlhdCI6MTU0MTQ5MzcyNCwiZXhwIjoxNTQxNDkzNzI0LCJzdGF0dXMiOiJodHRwczovL2V4YW1wbGUuY29tL3N0YXR1cyIsImNuZiI6eyJqd2siOnsia3R5IjoiUlNBIiwidXNlIjoic2lnIiwibiI6IjFUYS1zRSIsImUiOiJBUUFCIiwia2lkIjoiWWhORlMzWW5DOXRqaUNhaXZoV0xWVUozQXh3R0d6Xzk4dVJGYXFNRUVzIn19LCJ0eXBlIjoiUGVyc29uSWRlbnRpZmljYXRpb25EYXRhIiwidmVyaWZpZWRfY2xhaW1zIjp7InZlcmlmaWNhdGlvbiI6eyJfc2QiOlsiSnpZakg0c3ZsaUgwUjNQeUVNZmVadTZKdDY5dTVxZWhabzdGN0VQWWxTRSJdLCJ0cnVzdF9mcmFtZXdvcmsiOiJlaWRhcyIsImFzc3VyYW5jZV9sZXZlbCI6ImhpZ2gifSwiY2xhaW1zIjp7Il9zZCI6WyIwOXZLckpNT2x5VFdNMHNqcHVfcGRPQlZCUTJNMXkzS2hwSDUxNW5Ya3BZIiwiMnJzakdiYUMwa3k4bVQwcEpyUGlvV1RxMF9kYXcxc1g3NnBvVWxnQ3diSSIsIkVrTzhkaFcwZEhFSmJ2VUhsRV9WQ2V1Qzl1UkVMT2llTFpoaDdYYlVUdEEiLCJJbER6SUtlaVpkRHdwcXBLNlpmYnlwaEZ2ejVGZ25XYS1zTjZ3cVFYQ2l3IiwiUG9yRmJwS3VWdTZ4eW1KYWd2a0ZzRlhBYlJvYzJKR2xBVUEyQkE0bzdjSSIsIlRHZjRvTGJnd2Q1SlFhSHlLVlFaVTlVZEdFMHc1cnREc3JaemZVYW9tTG8iLCJqZHJURThZY2JZNEVpZnVnaWhpQWVfQlBla3hKUVpJQ2VpVVF3WTlRcXhJIiwianN1OXlWdWx3UVFsaEZsTV8zSmx6TWFTRnpnbGhRRzBEcGZheVF3TFVLNCJdfX0sIl9zZF9hbGciOiJzaGEtMjU2In0.8wwSHCd47wCgzRYXvvPTTRXGS-hk9V8jRzy7WSjRBTZxSHxJkGOSWwBVAA-kpJ-IvQS7699aLWxIMqAvr34sOA~WyIyR0xDNDJzS1F2ZUNmR2ZyeU5STjl3IiwgImdpdmVuX25hbWUiLCAiSm9obiJd~WyJlbHVWNU9nM2dTTklJOEVZbnN4QV9BIiwgImZhbWlseV9uYW1lIiwgIkRvZSJd~WyI2SWo3dE0tYTVpVlBHYm9TNXRtdlZBIiwgImVtYWlsIiwgImpvaG5kb2VAZXhhbXBsZS5jb20iXQ~WyJlSThaV205UW5LUHBOUGVOZW5IZGhRIiwgInBob25lX251bWJlciIsICIrMS0yMDItNTU1LTAxMDEiXQ~WyJBSngtMDk1VlBycFR0TjRRTU9xUk9BIiwgImJpcnRoZGF0ZSIsICIxOTQwLTAxLTAxIl0~WyJQYzMzSk0yTGNoY1VfbEhnZ3ZfdWZRIiwgImlzX292ZXJfMTgiLCB0cnVlXQ~WyJHMDJOU3JRZmpGWFE3SW8wOXN5YWpBIiwgImlzX292ZXJfMjEiLCB0cnVlXQ~WyJsa2x4RjVqTVlsR1RQVW92TU5JdkNBIiwgImlzX292ZXJfNjUiLCB0cnVlXQ~WyJRZ19PNjR6cUF4ZTQxMmExMDhpcm9BIiwgImFkZHJlc3MiLCB7InN0cmVldF9hZGRyZXNzIjogIjEyMyBNYWluIFN0IiwgImxvY2FsaXR5IjogIkFueXRvd24iLCAicmVnaW9uIjogIkFueXN0YXRlIiwgImNvdW50cnkiOiAiVVMifV0";
+  "eyJraWQiOiItRl82VWdhOG4zVmVnalkyVTdZVUhLMXpMb2FELU5QVGM2M1JNSVNuTGF3IiwidHlwIjoidmMrc2Qtand0IiwiYWxnIjoiRVMyNTYifQ.eyJfc2QiOlsiMHExRDVKbWF2NnBRYUVoX0pfRmN2X3VOTk1RSWdDeWhRT3hxbFk0bDNxVSIsIktDSi1BVk52ODhkLXhqNnNVSUFPSnhGbmJVaDNySFhES2tJSDFsRnFiUnMiLCJNOWxvOVl4RE5JWHJBcTJxV2VpQ0E0MHpwSl96WWZGZFJfNEFFQUxjUnRVIiwiY3pnalVrMG5xUkNzd1NoQ2hDamRTNkExLXY0N2RfcVRDU0ZJdklIaE1vSSIsIm5HblFyN2NsbTN0ZlRwOHlqTF91SHJEU090elIyUFZiOFM3R2VMZEFxQlEiLCJ4TklWd2xwU3NhWjhDSlNmMGd6NXhfNzVWUldXYzZWMW1scGVqZENycVVzIl0sInN1YiI6IjIxNmY4OTQ2LTllY2ItNDgxOS05MzA5LWMwNzZmMzRhN2UxMSIsIl9zZF9hbGciOiJzaGEtMjU2IiwidmN0IjoiUGVyc29uSWRlbnRpZmljYXRpb25EYXRhIiwiaXNzIjoiaHR0cHM6Ly9wcmUuZWlkLndhbGxldC5pcHpzLml0IiwiY25mIjp7Imp3ayI6eyJrdHkiOiJFQyIsImNydiI6IlAtMjU2Iiwia2lkIjoiUnYzVy1FaUtwdkJUeWs1eVp4dnJldi03TURCNlNselVDQm9fQ1FqamRkVSIsIngiOiIwV294N1F0eVBxQnlnMzVNSF9YeUNjbmQ1TGUtSm0wQVhIbFVnREJBMDNZIiwieSI6ImVFaFZ2ZzFKUHFOZDNEVFNhNG1HREdCbHdZNk5QLUVaYkxiTkZYU1h3SWcifX0sImV4cCI6MTc1MTU0NjU3Niwic3RhdHVzIjp7InN0YXR1c19hdHRlc3RhdGlvbiI6eyJjcmVkZW50aWFsX2hhc2hfYWxnIjoic2hhLTI1NiJ9fX0.qXHA2oqr8trX4fGxpxpUft2GX380TM3pzfo1MYAsDjUC8HsODA-4rdRWAvDe2zYP57x4tJU7eiABkd1Kmln9yQ~WyJrSkRFUDhFYU5URU1CRE9aelp6VDR3IiwidW5pcXVlX2lkIiwiVElOSVQtTFZMREFBODVUNTBHNzAyQiJd~WyJ6SUF5VUZ2UGZJcEUxekJxeEk1aGFRIiwiYmlydGhfZGF0ZSIsIjE5ODUtMTItMTAiXQ~WyJHcjNSM3MyOTBPa1FVbS1ORlR1OTZBIiwidGF4X2lkX2NvZGUiLCJUSU5JVC1MVkxEQUE4NVQ1MEc3MDJCIl0~WyJHeE9SYWxNQWVsZlowZWRGSmpqWVV3IiwiZ2l2ZW5fbmFtZSIsIkFkYSJd~WyJfdlY1UklrbDBJT0VYS290czlrdDF3IiwiZmFtaWx5X25hbWUiLCJMb3ZlbGFjZSJd~WyJDajV0Y2NSNzJKd3J6ZTJUVzRhLXdnIiwiaWF0IiwxNzIwMDEwNTc1XQ";
 
 const unsigned =
-  "eyJ0eXAiOiJ2YytzZC1qd3QiLCJhbGciOiJFUzI1NiIsImtpZCI6ImIxODZlYTBjMTkyNTc5MzA5N2JmMDFiOGEyODlhNDVmIiwidHJ1c3RfY2hhaW4iOlsiTkVoUmRFUnBZbmxIWTNNNVdsZFdUV1oyYVVobSAuLi4iLCJleUpoYkdjaU9pSlNVekkxTmlJc0ltdHBaQ0k2IC4uLiIsIklrSllkbVp5Ykc1b1FVMTFTRkl3TjJGcVZXMUIgLi4uIl19.eyJpc3MiOiJodHRwczovL2V4YW1wbGUuY29tL2lzc3VlciIsInN1YiI6Ik56YkxzWGg4dURDY2Q3bm9XWEZaQWZIa3hac1JHQzlYcy4uLiIsImp0aSI6InVybjp1dWlkOjZjNWMwYTQ5LWI1ODktNDMxZC1iYWU3LTIxOTEyMmE5ZWMyYyIsImlhdCI6MTU0MTQ5MzcyNCwiZXhwIjoxNTQxNDkzNzI0LCJzdGF0dXMiOiJodHRwczovL2V4YW1wbGUuY29tL3N0YXR1cyIsImNuZiI6eyJqd2siOnsia3R5IjoiUlNBIiwidXNlIjoic2lnIiwibiI6IjFUYS1zRSIsImUiOiJBUUFCIiwia2lkIjoiWWhORlMzWW5DOXRqaUNhaXZoV0xWVUozQXh3R0d6Xzk4dVJGYXFNRUVzIn19LCJ0eXBlIjoiUGVyc29uSWRlbnRpZmljYXRpb25EYXRhIiwidmVyaWZpZWRfY2xhaW1zIjp7InZlcmlmaWNhdGlvbiI6eyJfc2QiOlsiSnpZakg0c3ZsaUgwUjNQeUVNZmVadTZKdDY5dTVxZWhabzdGN0VQWWxTRSJdLCJ0cnVzdF9mcmFtZXdvcmsiOiJlaWRhcyIsImFzc3VyYW5jZV9sZXZlbCI6ImhpZ2gifSwiY2xhaW1zIjp7Il9zZCI6WyIwOXZLckpNT2x5VFdNMHNqcHVfcGRPQlZCUTJNMXkzS2hwSDUxNW5Ya3BZIiwiMnJzakdiYUMwa3k4bVQwcEpyUGlvV1RxMF9kYXcxc1g3NnBvVWxnQ3diSSIsIkVrTzhkaFcwZEhFSmJ2VUhsRV9WQ2V1Qzl1UkVMT2llTFpoaDdYYlVUdEEiLCJJbER6SUtlaVpkRHdwcXBLNlpmYnlwaEZ2ejVGZ25XYS1zTjZ3cVFYQ2l3IiwiUG9yRmJwS3VWdTZ4eW1KYWd2a0ZzRlhBYlJvYzJKR2xBVUEyQkE0bzdjSSIsIlRHZjRvTGJnd2Q1SlFhSHlLVlFaVTlVZEdFMHc1cnREc3JaemZVYW9tTG8iLCJqZHJURThZY2JZNEVpZnVnaWhpQWVfQlBla3hKUVpJQ2VpVVF3WTlRcXhJIiwianN1OXlWdWx3UVFsaEZsTV8zSmx6TWFTRnpnbGhRRzBEcGZheVF3TFVLNCJdfX0sIl9zZF9hbGciOiJzaGEtMjU2In0";
+  "eyJraWQiOiItRl82VWdhOG4zVmVnalkyVTdZVUhLMXpMb2FELU5QVGM2M1JNSVNuTGF3IiwidHlwIjoidmMrc2Qtand0IiwiYWxnIjoiRVMyNTYifQ.eyJfc2QiOlsiMHExRDVKbWF2NnBRYUVoX0pfRmN2X3VOTk1RSWdDeWhRT3hxbFk0bDNxVSIsIktDSi1BVk52ODhkLXhqNnNVSUFPSnhGbmJVaDNySFhES2tJSDFsRnFiUnMiLCJNOWxvOVl4RE5JWHJBcTJxV2VpQ0E0MHpwSl96WWZGZFJfNEFFQUxjUnRVIiwiY3pnalVrMG5xUkNzd1NoQ2hDamRTNkExLXY0N2RfcVRDU0ZJdklIaE1vSSIsIm5HblFyN2NsbTN0ZlRwOHlqTF91SHJEU090elIyUFZiOFM3R2VMZEFxQlEiLCJ4TklWd2xwU3NhWjhDSlNmMGd6NXhfNzVWUldXYzZWMW1scGVqZENycVVzIl0sInN1YiI6IjIxNmY4OTQ2LTllY2ItNDgxOS05MzA5LWMwNzZmMzRhN2UxMSIsIl9zZF9hbGciOiJzaGEtMjU2IiwidmN0IjoiUGVyc29uSWRlbnRpZmljYXRpb25EYXRhIiwiaXNzIjoiaHR0cHM6Ly9wcmUuZWlkLndhbGxldC5pcHpzLml0IiwiY25mIjp7Imp3ayI6eyJrdHkiOiJFQyIsImNydiI6IlAtMjU2Iiwia2lkIjoiUnYzVy1FaUtwdkJUeWs1eVp4dnJldi03TURCNlNselVDQm9fQ1FqamRkVSIsIngiOiIwV294N1F0eVBxQnlnMzVNSF9YeUNjbmQ1TGUtSm0wQVhIbFVnREJBMDNZIiwieSI6ImVFaFZ2ZzFKUHFOZDNEVFNhNG1HREdCbHdZNk5QLUVaYkxiTkZYU1h3SWcifX0sImV4cCI6MTc1MTU0NjU3Niwic3RhdHVzIjp7InN0YXR1c19hdHRlc3RhdGlvbiI6eyJjcmVkZW50aWFsX2hhc2hfYWxnIjoic2hhLTI1NiJ9fX0";
 
 const signature =
-  "8wwSHCd47wCgzRYXvvPTTRXGS-hk9V8jRzy7WSjRBTZxSHxJkGOSWwBVAA-kpJ-IvQS7699aLWxIMqAvr34sOA";
+  "qXHA2oqr8trX4fGxpxpUft2GX380TM3pzfo1MYAsDjUC8HsODA-4rdRWAvDe2zYP57x4tJU7eiABkd1Kmln9yQ";
 
 const signed = `${unsigned}.${signature}`;
 
 const tokenizedDisclosures = [
-  "WyIyR0xDNDJzS1F2ZUNmR2ZyeU5STjl3IiwgImdpdmVuX25hbWUiLCAiSm9obiJd",
-  "WyJlbHVWNU9nM2dTTklJOEVZbnN4QV9BIiwgImZhbWlseV9uYW1lIiwgIkRvZSJd",
-  "WyI2SWo3dE0tYTVpVlBHYm9TNXRtdlZBIiwgImVtYWlsIiwgImpvaG5kb2VAZXhhbXBsZS5jb20iXQ",
-  "WyJlSThaV205UW5LUHBOUGVOZW5IZGhRIiwgInBob25lX251bWJlciIsICIrMS0yMDItNTU1LTAxMDEiXQ",
-  "WyJBSngtMDk1VlBycFR0TjRRTU9xUk9BIiwgImJpcnRoZGF0ZSIsICIxOTQwLTAxLTAxIl0",
-  "WyJQYzMzSk0yTGNoY1VfbEhnZ3ZfdWZRIiwgImlzX292ZXJfMTgiLCB0cnVlXQ",
-  "WyJHMDJOU3JRZmpGWFE3SW8wOXN5YWpBIiwgImlzX292ZXJfMjEiLCB0cnVlXQ",
-  "WyJsa2x4RjVqTVlsR1RQVW92TU5JdkNBIiwgImlzX292ZXJfNjUiLCB0cnVlXQ",
-  "WyJRZ19PNjR6cUF4ZTQxMmExMDhpcm9BIiwgImFkZHJlc3MiLCB7InN0cmVldF9hZGRyZXNzIjogIjEyMyBNYWluIFN0IiwgImxvY2FsaXR5IjogIkFueXRvd24iLCAicmVnaW9uIjogIkFueXN0YXRlIiwgImNvdW50cnkiOiAiVVMifV0",
+  "WyJrSkRFUDhFYU5URU1CRE9aelp6VDR3IiwidW5pcXVlX2lkIiwiVElOSVQtTFZMREFBODVUNTBHNzAyQiJd",
+  "WyJ6SUF5VUZ2UGZJcEUxekJxeEk1aGFRIiwiYmlydGhfZGF0ZSIsIjE5ODUtMTItMTAiXQ",
+  "WyJHcjNSM3MyOTBPa1FVbS1ORlR1OTZBIiwidGF4X2lkX2NvZGUiLCJUSU5JVC1MVkxEQUE4NVQ1MEc3MDJCIl0",
+  "WyJHeE9SYWxNQWVsZlowZWRGSmpqWVV3IiwiZ2l2ZW5fbmFtZSIsIkFkYSJd",
+  "WyJfdlY1UklrbDBJT0VYS290czlrdDF3IiwiZmFtaWx5X25hbWUiLCJMb3ZlbGFjZSJd",
+  "WyJDajV0Y2NSNzJKd3J6ZTJUVzRhLXdnIiwiaWF0IiwxNzIwMDEwNTc1XQ",
 ];
 
 const sdJwt = {
   header: {
+    kid: "-F_6Uga8n3VegjY2U7YUHK1zLoaD-NPTc63RMISnLaw",
     typ: "vc+sd-jwt",
     alg: "ES256",
-    kid: "b186ea0c1925793097bf01b8a289a45f",
-    trust_chain: [
-      "NEhRdERpYnlHY3M5WldWTWZ2aUhm ...",
-      "eyJhbGciOiJSUzI1NiIsImtpZCI6 ...",
-      "IkJYdmZybG5oQU11SFIwN2FqVW1B ...",
-    ],
   },
   payload: {
-    iss: "https://example.com/issuer",
-    sub: "NzbLsXh8uDCcd7noWXFZAfHkxZsRGC9Xs...",
-    jti: "urn:uuid:6c5c0a49-b589-431d-bae7-219122a9ec2c",
-    iat: 1541493724,
-    exp: 1541493724,
-    status: "https://example.com/status",
+    _sd: [
+      "0q1D5Jmav6pQaEh_J_Fcv_uNNMQIgCyhQOxqlY4l3qU",
+      "KCJ-AVNv88d-xj6sUIAOJxFnbUh3rHXDKkIH1lFqbRs",
+      "M9lo9YxDNIXrAq2qWeiCA40zpJ_zYfFdR_4AEALcRtU",
+      "czgjUk0nqRCswShChCjdS6A1-v47d_qTCSFIvIHhMoI",
+      "nGnQr7clm3tfTp8yjL_uHrDSOtzR2PVb8S7GeLdAqBQ",
+      "xNIVwlpSsaZ8CJSf0gz5x_75VRWWc6V1mlpejdCrqUs",
+    ],
+    sub: "216f8946-9ecb-4819-9309-c076f34a7e11",
+    _sd_alg: "sha-256",
+    vct: "PersonIdentificationData",
+    iss: "https://pre.eid.wallet.ipzs.it",
     cnf: {
       jwk: {
-        kty: "RSA",
-        use: "sig",
-        n: "1Ta-sE",
-        e: "AQAB",
-        kid: "YhNFS3YnC9tjiCaivhWLVUJ3AxwGGz_98uRFaqMEEs",
+        kty: "EC",
+        crv: "P-256",
+        kid: "Rv3W-EiKpvBTyk5yZxvrev-7MDB6SlzUCBo_CQjjddU",
+        x: "0Wox7QtyPqByg35MH_XyCcnd5Le-Jm0AXHlUgDBA03Y",
+        y: "eEhVvg1JPqNd3DTSa4mGDGBlwY6NP-EZbLbNFXSXwIg",
       },
     },
-    type: "PersonIdentificationData",
-    verified_claims: {
-      verification: {
-        _sd: ["JzYjH4svliH0R3PyEMfeZu6Jt69u5qehZo7F7EPYlSE"],
-        trust_framework: "eidas",
-        assurance_level: "high",
-      },
-      claims: {
-        _sd: [
-          "09vKrJMOlyTWM0sjpu_pdOBVBQ2M1y3KhpH515nXkpY",
-          "2rsjGbaC0ky8mT0pJrPioWTq0_daw1sX76poUlgCwbI",
-          "EkO8dhW0dHEJbvUHlE_VCeuC9uRELOieLZhh7XbUTtA",
-          "IlDzIKeiZdDwpqpK6ZfbyphFvz5FgnWa-sN6wqQXCiw",
-          "PorFbpKuVu6xymJagvkFsFXAbRoc2JGlAUA2BA4o7cI",
-          "TGf4oLbgwd5JQaHyKVQZU9UdGE0w5rtDsrZzfUaomLo",
-          "jdrTE8YcbY4EifugihiAe_BPekxJQZICeiUQwY9QqxI",
-          "jsu9yVulwQQlhFlM_3JlzMaSFzglhQG0DpfayQwLUK4",
-        ],
+    exp: 1751546576,
+    status: {
+      status_attestation: {
+        credential_hash_alg: "sha-256",
       },
     },
-    _sd_alg: "sha-256",
   },
 };
 
 // In the very same order than tokenizedDisclosures
 const disclosures = [
-  ["2GLC42sKQveCfGfryNRN9w", "given_name", "John"],
-  ["eluV5Og3gSNII8EYnsxA_A", "family_name", "Doe"],
-  ["6Ij7tM-a5iVPGboS5tmvVA", "email", "johndoe@example.com"],
-  ["eI8ZWm9QnKPpNPeNenHdhQ", "phone_number", "+1-202-555-0101"],
-  ["AJx-095VPrpTtN4QMOqROA", "birthdate", "1940-01-01"],
-  ["Pc33JM2LchcU_lHggv_ufQ", "is_over_18", true],
-  ["G02NSrQfjFXQ7Io09syajA", "is_over_21", true],
-  ["lklxF5jMYlGTPUovMNIvCA", "is_over_65", true],
-  [
-    "Qg_O64zqAxe412a108iroA",
-    "address",
-    {
-      street_address: "123 Main St",
-      locality: "Anytown",
-      region: "Anystate",
-      country: "US",
-    },
-  ],
+  ["kJDEP8EaNTEMBDOZzZzT4w", "unique_id", "TINIT-LVLDAA85T50G702B"],
+  ["zIAyUFvPfIpE1zBqxI5haQ", "birth_date", "1985-12-10"],
+  ["Gr3R3s290OkQUm-NFTu96A", "tax_id_code", "TINIT-LVLDAA85T50G702B"],
+  ["GxORalMAelfZ0edFJjjYUw", "given_name", "Ada"],
+  ["_vV5RIkl0IOEXKots9kt1w", "family_name", "Lovelace"],
+  ["Cj5tccR72Jwrze2TW4a-wg", "iat", 1720010575],
 ];
 it("Ensures example data correctness", () => {
   expect(
@@ -161,8 +132,8 @@ describe("disclose", () => {
   it("should encode a valid sdjwt (one claim)", async () => {
     const result = await disclose(token, ["given_name"]);
     const expected = {
-      token: `${signed}~WyIyR0xDNDJzS1F2ZUNmR2ZyeU5STjl3IiwgImdpdmVuX25hbWUiLCAiSm9obiJd`,
-      paths: [{ claim: "given_name", path: "verified_claims.claims._sd[7]" }],
+      token: `${signed}~WyJHeE9SYWxNQWVsZlowZWRGSmpqWVV3IiwiZ2l2ZW5fbmFtZSIsIkFkYSJd`,
+      paths: [{ claim: "given_name", path: "verified_claims.claims._sd[3]" }],
     };
 
     expect(result).toEqual(expected);
@@ -176,17 +147,17 @@ describe("disclose", () => {
   });
 
   it("should encode a valid sdjwt (multiple claims)", async () => {
-    const result = await disclose(token, ["given_name", "email"]);
+    const result = await disclose(token, ["iat", "family_name"]);
     const expected = {
-      token: `${signed}~WyIyR0xDNDJzS1F2ZUNmR2ZyeU5STjl3IiwgImdpdmVuX25hbWUiLCAiSm9obiJd~WyI2SWo3dE0tYTVpVlBHYm9TNXRtdlZBIiwgImVtYWlsIiwgImpvaG5kb2VAZXhhbXBsZS5jb20iXQ`,
+      token: `${signed}~WyJfdlY1UklrbDBJT0VYS290czlrdDF3IiwiZmFtaWx5X25hbWUiLCJMb3ZlbGFjZSJd~WyJDajV0Y2NSNzJKd3J6ZTJUVzRhLXdnIiwiaWF0IiwxNzIwMDEwNTc1XQ`,
       paths: [
         {
-          claim: "given_name",
-          path: "verified_claims.claims._sd[7]",
+          claim: "iat",
+          path: "verified_claims.claims._sd[4]",
         },
         {
-          claim: "email",
-          path: "verified_claims.verification._sd[0]",
+          claim: "family_name",
+          path: "verified_claims.claims._sd[0]",
         },
       ],
     };

package/src/sd-jwt/__test__/types.test.ts

@@ -8,47 +8,35 @@ describe("SdJwt4VC", () => {
         typ: "vc+sd-jwt",
         alg: "RS512",
         kid: "dB67gL7ck3TFiIAf7N6_7SHvqk0MDYMEQcoGGlkUAAw",
-        trust_chain: [
-          "NEhRdERpYnlHY3M5WldWTWZ2aUhm ...",
-          "eyJhbGciOiJSUzI1NiIsImtpZCI6 ...",
-          "IkJYdmZybG5oQU11SFIwN2FqVW1B ...",
-        ],
       },
       payload: {
-        iss: "https://pidprovider.example.org",
-        sub: "NzbLsXh8uDCcd7noWXFZAfHkxZsRGC9Xs...",
-        jti: "urn:uuid:6c5c0a49-b589-431d-bae7-219122a9ec2c",
-        iat: 1541493724,
-        exp: 1541493724,
-        status: "https://pidprovider.example.org/status",
+        _sd: [
+          "0q1D5Jmav6pQaEh_J_Fcv_uNNMQIgCyhQOxqlY4l3qU",
+          "KCJ-AVNv88d-xj6sUIAOJxFnbUh3rHXDKkIH1lFqbRs",
+          "M9lo9YxDNIXrAq2qWeiCA40zpJ_zYfFdR_4AEALcRtU",
+          "czgjUk0nqRCswShChCjdS6A1-v47d_qTCSFIvIHhMoI",
+          "nGnQr7clm3tfTp8yjL_uHrDSOtzR2PVb8S7GeLdAqBQ",
+          "xNIVwlpSsaZ8CJSf0gz5x_75VRWWc6V1mlpejdCrqUs",
+        ],
+        sub: "216f8946-9ecb-4819-9309-c076f34a7e11",
+        _sd_alg: "sha-256",
+        vct: "PersonIdentificationData",
+        iss: "https://pidprovider.example.com",
         cnf: {
           jwk: {
-            kty: "RSA",
-            use: "sig",
-            n: "1Ta-sE …",
-            e: "AQAB",
-            kid: "YhNFS3YnC9tjiCaivhWLVUJ3AxwGGz_98uRFaqMEEs",
+            kty: "EC",
+            crv: "P-256",
+            kid: "zEv_qGSL5r0_F67j2dwEgUJmBgbMNSEJ5K_iH1PYc7A",
+            x: "0Pj7v_afNp9ETJx11JbYgkI7yQpd0rtiYuo5feuAN2o",
+            y: "XB62Um02vHqedkOzSfJ5hdtjPz-zmV9jmWh4sKgdD9o",
           },
         },
-        type: "PersonIdentificationData",
-        verified_claims: {
-          verification: {
-            _sd: ["OGm7ryXgt5Xzlevp-Hu-UTk0a-TxAaPAobqv1pIWMfw"],
-            trust_framework: "eidas",
-            assurance_level: "high",
-          },
-          claims: {
-            _sd: [
-              "8JjozBfovMNvQ3HflmPWy4O19Gpxs61FWHjZebU589E",
-              "BoMGktW1rbikntw8Fzx_BeL4YbAndr6AHsdgpatFCig",
-              "CFLGzentGNRFngnLVVQVcoAFi05r6RJUX-rdbLdEfew",
-              "JU_sTaHCngS32X-0ajHrd1-HCLCkpT5YqgcfQme168w",
-              "VQI-S1mT1Kxfq2o8J9io7xMMX2MIxaG9M9PeJVqrMcA",
-              "zVdghcmClMVWlUgGsGpSkCPkEHZ4u9oWj1SlIBlCc1o",
-            ],
+        exp: 1751107255,
+        status: {
+          status_attestation: {
+            credential_hash_alg: "sha-256",
           },
         },
-        _sd_alg: "sha-256",
       },
     };
 

package/src/sd-jwt/index.ts

@@ -101,15 +101,9 @@ export const disclose = async (
 
       // _sd is defined in verified_claims.claims and verified_claims.verification
       // we must look into both
-      if (sdJwt.payload.verified_claims.claims._sd.includes(hash)) {
-        const index = sdJwt.payload.verified_claims.claims._sd.indexOf(hash);
+      if (sdJwt.payload._sd.includes(hash)) {
+        const index = sdJwt.payload._sd.indexOf(hash);
         return { claim, path: `verified_claims.claims._sd[${index}]` };
-      } else if (
-        sdJwt.payload.verified_claims.verification._sd.includes(hash)
-      ) {
-        const index =
-          sdJwt.payload.verified_claims.verification._sd.indexOf(hash);
-        return { claim, path: `verified_claims.verification._sd[${index}]` };
       }
 
       throw new ClaimsNotFoundInToken(claim);
@@ -158,10 +152,7 @@ export const verify = async <S extends z.ZodType<SdJwt4VC>>(
   await verifyJwt(rawSdJwt, publicKey);
 
   //Check disclosures in sd-jwt
-  const claims = [
-    ...decoded.sdJwt.payload.verified_claims.verification._sd,
-    ...decoded.sdJwt.payload.verified_claims.claims._sd,
-  ];
+  const claims = [...decoded.sdJwt.payload._sd];
 
   await Promise.all(
     decoded.disclosures.map(