@pagopa/io-react-native-wallet 0.11.1 → 0.13.0

package/src/sd-jwt/types.ts

@@ -39,29 +39,24 @@ export const SdJwt4VC = z.object({
     typ: z.literal("vc+sd-jwt"),
     alg: z.string(),
     kid: z.string().optional(),
-    trust_chain: z.array(z.string()),
   }),
-  payload: z.object({
-    iss: z.string(),
-    sub: z.string(),
-    jti: z.string(),
-    iat: UnixTime,
-    exp: UnixTime,
-    status: z.string(),
-    cnf: z.object({
-      jwk: JWK,
-    }),
-    type: z.string(),
-    verified_claims: z.object({
-      verification: z.intersection(
-        z.object({
-          trust_framework: z.literal("eidas"),
-          assurance_level: z.string(),
+  payload: z.intersection(
+    z.object({
+      iss: z.string(),
+      sub: z.string(),
+      iat: UnixTime.optional(),
+      exp: UnixTime,
+      _sd_alg: z.literal("sha-256"),
+      status: z.object({
+        status_attestation: z.object({
+          credential_hash_alg: z.literal("sha-256"),
         }),
-        ObfuscatedDisclosures
-      ),
-      claims: ObfuscatedDisclosures,
+      }),
+      cnf: z.object({
+        jwk: JWK,
+      }),
+      vct: z.string(),
     }),
-    _sd_alg: z.literal("sha-256"),
-  }),
+    ObfuscatedDisclosures
+  ),
 });

package/src/trust/types.ts

@@ -18,38 +18,48 @@ const RelyingPartyMetadata = z.object({
 // instruct the Wallet Solution on how to render the credential correctly
 type CredentialDisplayMetadata = z.infer<typeof CredentialDisplayMetadata>;
 const CredentialDisplayMetadata = z.object({
+  name: z.string(),
+  locale: z.string(),
+  logo: z
+    .object({
+      url: z.string(),
+      alt_text: z.string(),
+    })
+    .optional(), // TODO [SIW-1268]: should not be optional
+  background_color: z.string().optional(), // TODO [SIW-1268]: should not be optional
+  text_color: z.string().optional(), // TODO [SIW-1268]: should not be optional
+});
+
+// Metadata for displaying issuer information
+type CredentialIssuerDisplayMetadata = z.infer<
+  typeof CredentialIssuerDisplayMetadata
+>;
+const CredentialIssuerDisplayMetadata = z.object({
   name: z.string(),
   locale: z.string(),
   logo: z.object({
     url: z.string(),
     alt_text: z.string(),
   }),
-  background_color: z.string(),
-  text_color: z.string(),
 });
 
-type CredentialDefinitionMetadata = z.infer<
-  typeof CredentialDefinitionMetadata
->;
-const CredentialDefinitionMetadata = z.object({
-  type: z.array(z.string()),
-  credentialSubject: z.record(
-    z.object({
-      mandatory: z.boolean(),
-      display: z.array(z.object({ name: z.string(), locale: z.string() })),
-    })
-  ),
-});
+type ClaimsMetadata = z.infer<typeof ClaimsMetadata>;
+const ClaimsMetadata = z.record(
+  z.object({
+    value_type: z.string(),
+    display: z.array(z.object({ name: z.string(), locale: z.string() })),
+  })
+);
 
 // Metadata for a credentia which i supported by a Issuer
 type SupportedCredentialMetadata = z.infer<typeof SupportedCredentialMetadata>;
 const SupportedCredentialMetadata = z.object({
-  id: z.string(),
   format: z.union([z.literal("vc+sd-jwt"), z.literal("vc+mdoc-cbor")]),
-  cryptographic_binding_methods_supported: z.array(z.string()),
-  cryptographic_suites_supported: z.array(z.string()),
+  scope: z.string(),
   display: z.array(CredentialDisplayMetadata),
-  credential_definition: CredentialDefinitionMetadata,
+  claims: ClaimsMetadata,
+  cryptographic_binding_methods_supported: z.array(z.string()),
+  credential_signing_alg_values_supported: z.array(z.string()),
 });
 
 export type EntityStatement = z.infer<typeof EntityStatement>;
@@ -101,19 +111,19 @@ const BaseEntityConfiguration = z.object({
   header: EntityConfigurationHeader,
   payload: z
     .object({
-      exp: UnixTime,
-      iat: UnixTime,
       iss: z.string(),
       sub: z.string(),
-      jwks: z.object({
-        keys: z.array(JWK),
-      }),
+      iat: UnixTime,
+      exp: UnixTime,
+      authority_hints: z.array(z.string()).optional(),
       metadata: z
         .object({
           federation_entity: FederationEntityMetadata,
         })
         .passthrough(),
-      authority_hints: z.array(z.string()).optional(),
+      jwks: z.object({
+        keys: z.array(JWK),
+      }),
     })
     .passthrough(),
 });
@@ -135,18 +145,42 @@ export const CredentialIssuerEntityConfiguration = BaseEntityConfiguration.and(
       metadata: z.object({
         openid_credential_issuer: z.object({
           credential_issuer: z.string(),
+          credential_endpoint: z.string(),
+          revocation_endpoint: z.string(),
+          status_attestation_endpoint: z.string(),
+          display: z.array(CredentialIssuerDisplayMetadata),
+          credential_configurations_supported: z.record(
+            SupportedCredentialMetadata
+          ),
+          jwks: z.object({ keys: z.array(JWK) }),
+        }),
+        oauth_authorization_server: z.object({
           authorization_endpoint: z.string(),
-          token_endpoint: z.string(),
           pushed_authorization_request_endpoint: z.string(),
-          dpop_signing_alg_values_supported: z.array(z.string()),
-          credential_endpoint: z.string(),
-          credentials_supported: z.array(SupportedCredentialMetadata),
+          dpop_signing_alg_values_supported: z.array(z.string()).optional(), // TODO [SIW-1268]: should not be optional
+          token_endpoint: z.string(),
+          introspection_endpoint: z.string().optional(), // TODO [SIW-1268]: should not be optional
+          client_registration_types_supported: z.array(z.string()),
+          code_challenge_methods_supported: z.array(z.string()),
+          authorization_details_types_supported: z.array(z.string()).optional(), // TODO [SIW-1268]: should not be optional,
+          acr_values_supported: z.array(z.string()),
+          grant_types_supported: z.array(z.string()),
+          issuer: z.string(),
           jwks: z.object({ keys: z.array(JWK) }),
+          scopes_supported: z.array(z.string()),
+          request_parameter_supported: z.boolean().optional(), // TODO [SIW-1268]: should not be optional
+          request_uri_parameter_supported: z.boolean().optional(), // TODO [SIW-1268]: should not be optional
+          response_types_supported: z.array(z.string()).optional(), // TODO [SIW-1268]: should not be optional
+          response_modes_supported: z.array(z.string()),
+          subject_types_supported: z.array(z.string()).optional(), // TODO [SIW-1268]: should not be optional
+          token_endpoint_auth_methods_supported: z.array(z.string()),
+          token_endpoint_auth_signing_alg_values_supported: z.array(z.string()),
+          request_object_signing_alg_values_supported: z.array(z.string()),
         }),
         /** Credential Issuers act as Relying Party
             when they require the presentation of other credentials.
             This does not apply for PID issuance, which requires CIE authz. */
-        wallet_relying_party: RelyingPartyMetadata.optional(),
+        openid_relying_party: RelyingPartyMetadata.optional(),
       }),
     }),
   })
@@ -177,9 +211,7 @@ export const WalletProviderEntityConfiguration = BaseEntityConfiguration.and(
         wallet_provider: z
           .object({
             token_endpoint: z.string(),
-            attested_security_context_values_supported: z
-              .array(z.string())
-              .optional(),
+            aal_values_supported: z.array(z.string()).optional(),
             grant_types_supported: z.array(z.string()),
             token_endpoint_auth_methods_supported: z.array(z.string()),
             token_endpoint_auth_signing_alg_values_supported: z.array(

package/src/utils/auth.ts

@@ -0,0 +1,37 @@
+import * as z from "zod";
+
+/**
+ * Context for authorization during the {@link 03-start-user-authorization.ts} phase.
+ * It consists of a single method to identify the user which takes a URL and a redirect schema as input.
+ * Once the authorization is completed and the URL calls the redirect schema, the method should return the redirect URL.
+ */
+export interface AuthorizationContext {
+  authorize: (url: string, redirectSchema: string) => Promise<string>;
+}
+
+/**
+ * The result of the identification process.
+ */
+export const AuthorizationResultShape = z.object({
+  code: z.string(),
+  state: z.string(),
+  iss: z.string().optional(),
+});
+
+/**
+ * The error of the identification process.
+ * It follows the OAuth/OIDC error response format.
+ * @see https://openid.net/specs/openid-connect-core-1_0.html#AuthError
+ * @see https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2.1
+ */
+export const AuthorizationErrorShape = z.object({
+  error: z.string(), // not enforcing the error code format
+  error_description: z.string().optional(),
+  error_uri: z.string().optional(),
+  state: z.string().optional(),
+});
+
+/**
+ * Type of the identification result.
+ */
+export type AuthorizationResult = z.infer<typeof AuthorizationResultShape>;

package/src/utils/errors.ts

@@ -233,3 +233,115 @@ export class PidMetadataError extends Error {
     super(message);
   }
 }
+
+/**
+ * An error subclass thrown when a Wallet Provider http request fail
+ *
+ */
+export class WalletProviderResponseError extends IoWalletError {
+  static get code(): "ERR_IO_WALLET_PROVIDER_RESPONSE_FAILED" {
+    return "ERR_IO_WALLET_PROVIDER_RESPONSE_FAILED";
+  }
+
+  code = "ERR_IO_WALLET_PROVIDER_RESPONSE_FAILED";
+
+  /** The Claim for which the validation failed. */
+  claim: string;
+
+  /** Reason code for the validation failure. */
+  reason: string;
+
+  /** HTTP status code */
+  statusCode: number;
+
+  constructor(
+    message: string,
+    claim: string = "unspecified",
+    reason: string = "unspecified",
+    statusCode: number
+  ) {
+    super(
+      serializeAttrs({
+        message,
+        claim,
+        reason,
+        statusCode: statusCode.toString(),
+      })
+    );
+    this.claim = claim;
+    this.reason = reason;
+    this.statusCode = statusCode;
+  }
+}
+
+export class WalletInstanceRevokedError extends IoWalletError {
+  static get code(): "ERR_IO_WALLET_INSTANCE_REVOKED" {
+    return "ERR_IO_WALLET_INSTANCE_REVOKED";
+  }
+
+  code = "ERR_IO_WALLET_INSTANCE_REVOKED";
+
+  claim: string;
+  reason: string;
+
+  constructor(message: string, claim: string, reason: string = "unspecified") {
+    super(serializeAttrs({ message, claim, reason }));
+    this.reason = reason;
+    this.claim = claim;
+  }
+}
+
+export class WalletInstanceNotFoundError extends IoWalletError {
+  static get code(): "ERR_IO_WALLET_INSTANCE_NOT_FOUND" {
+    return "ERR_IO_WALLET_INSTANCE_NOT_FOUND";
+  }
+
+  code = "ERR_IO_WALLET_INSTANCE_NOT_FOUND";
+
+  claim: string;
+  reason: string;
+
+  constructor(message: string, claim: string, reason: string = "unspecified") {
+    super(serializeAttrs({ message, claim, reason }));
+    this.reason = reason;
+    this.claim = claim;
+  }
+}
+
+/**
+ * An error subclass thrown when an error occurs during the authorization process.
+ */
+export class AuthorizationError extends IoWalletError {
+  static get code(): "ERR_IO_WALLET_AUTHORIZATION_ERROR" {
+    return "ERR_IO_WALLET_AUTHORIZATION_ERROR";
+  }
+
+  code = "ERR_IO_WALLET_AUTHORIZATION_ERROR";
+
+  constructor(message?: string) {
+    super(message);
+  }
+}
+
+/**
+ * An error subclass thrown when an error occurs during the authorization process with the IDP.
+ * It contains the error and error description returned by the IDP.
+ */
+export class AuthorizationIdpError extends IoWalletError {
+  static get code(): "ERR_IO_WALLET_IDENTIFICATION_RESPONSE_ERROR" {
+    return "ERR_IO_WALLET_IDENTIFICATION_RESPONSE_ERROR";
+  }
+
+  code = "ERR_IO_WALLET_IDENTIFICATION_RESPONSE_PARSING_FAILED";
+
+  error: string;
+  errorDescription?: string;
+
+  constructor(error: string, errorDescription?: string) {
+    super(
+      serializeAttrs(errorDescription ? { error, errorDescription } : { error })
+    );
+    this.error = error;
+    this.errorDescription = errorDescription;
+  }
+}

package/src/utils/integrity.ts

@@ -0,0 +1,23 @@
+/**
+ * Interface for the integrity context which provides the necessary functions to interact with the integrity service.
+ * The functions are platform specific and must be implemented in the platform specific code.
+ * getHardwareKeyTag: returns the hardware key tag in a url safe format (e.g. base64url).
+ * getAttestation: requests the attestation from the integrity service.
+ * getHardwareSignatureWithAuthData: signs the clientData and returns the signature with the authenticator data.
+ */
+export interface IntegrityContext {
+  getHardwareKeyTag: () => string;
+  getAttestation: (nonce: string) => Promise<string>;
+  getHardwareSignatureWithAuthData: (
+    clientData: string
+  ) => Promise<HardwareSignatureWithAuthData>;
+}
+
+/**
+ * Type returned by the getHardwareSignatureWithAuthData function of {@link IntegrityContext}.
+ * It contains the signature and the authenticator data.
+ */
+export type HardwareSignatureWithAuthData = {
+  signature: string;
+  authenticatorData: string;
+};

package/src/utils/misc.ts

@@ -25,3 +25,46 @@ export type Out<FN> = FN extends (...args: any[]) => Promise<any>
   : FN extends (...args: any[]) => any
   ? ReturnType<FN>
   : never;
+
+/**
+ * TODO [SIW-1310]: replace this function with a cryptographically secure one.
+ * @param size - The size of the string to generate
+ * @returns A random alphanumeric string of the given size
+ */
+export const generateRandomAlphaNumericString = (size: number) =>
+  Array.from(Array(size), () =>
+    Math.floor(Math.random() * 36).toString(36)
+  ).join("");
+
+/**
+ * Repeatedly checks a condition function until it returns true,
+ * then resolves the returned promise. If the condition function does not return true
+ * within the specified timeout, the promise is rejected.
+ *
+ * @param conditionFunction - A function that returns a boolean value.
+ *                            The promise resolves when this function returns true.
+ * @param timeout - An optional timeout in seconds. The promise is rejected if the
+ *                  condition function does not return true within this time.
+ * @returns A promise that resolves once the conditionFunction returns true or rejects if timed out.
+ */
+export const until = (
+  conditionFunction: () => boolean,
+  timeoutSeconds?: number
+): Promise<void> =>
+  new Promise<void>((resolve, reject) => {
+    const start = Date.now();
+    const poll = () => {
+      if (conditionFunction()) {
+        resolve();
+      } else if (
+        timeoutSeconds !== undefined &&
+        Date.now() - start >= timeoutSeconds * 1000
+      ) {
+        reject(new Error("Timeout exceeded"));
+      } else {
+        setTimeout(poll, 400);
+      }
+    };
+
+    poll();
+  });

package/src/utils/par.ts

@@ -6,13 +6,12 @@ import {
 import uuid from "react-native-uuid";
 import * as z from "zod";
 import * as WalletInstanceAttestation from "../wallet-instance-attestation";
-import { hasStatus } from "./misc";
+import { generateRandomAlphaNumericString, hasStatus } from "./misc";
+import { createPopToken } from "./pop";
 
 export type AuthorizationDetail = z.infer<typeof AuthorizationDetail>;
 export const AuthorizationDetail = z.object({
-  credential_definition: z.object({
-    type: z.string(),
-  }),
+  credential_configuration_id: z.string(),
   format: z.union([z.literal("vc+sd-jwt"), z.literal("vc+mdoc-cbor")]),
   type: z.literal("openid_credential"),
 });
@@ -34,7 +33,8 @@ export const makeParRequest =
   async (
     clientId: string,
     codeVerifier: string,
-    walletProviderBaseUrl: string,
+    redirectUri: string,
+    responseMode: string,
     parEndpoint: string,
     walletInstanceAttestation: string,
     authorizationDetails: AuthorizationDetails,
@@ -48,10 +48,19 @@ export const makeParRequest =
     const iss = WalletInstanceAttestation.decode(walletInstanceAttestation)
       .payload.cnf.jwk.kid;
 
+    const signedWiaPoP = await createPopToken(
+      {
+        jti: `${uuid.v4()}`,
+        aud,
+        iss,
+      },
+      wiaCryptoContext
+    );
+
     /** A code challenge is provided so that the PAR is bound
         to the subsequent authorization code request
         @see https://datatracker.ietf.org/doc/html/rfc9126#name-request */
-    const codeChallengeMethod = "s256";
+    const codeChallengeMethod = "S256";
     const codeChallenge = await sha256ToBase64(codeVerifier);
 
     /** The PAR request token is signed used the Wallet Instance Attestation key.
@@ -60,23 +69,26 @@ export const makeParRequest =
         The key is matched by its kid */
     const signedJwtForPar = await new SignJWT(wiaCryptoContext)
       .setProtectedHeader({
+        typ: "jwk",
         kid: wiaPublicKey.kid,
       })
       .setPayload({
-        iss,
-        aud,
         jti: `${uuid.v4()}`,
-        client_assertion_type: assertionType,
-        authorization_details: authorizationDetails,
+        aud,
         response_type: "code",
-        redirect_uri: walletProviderBaseUrl,
-        state: `${uuid.v4()}`,
+        response_mode: responseMode,
         client_id: clientId,
-        code_challenge_method: codeChallengeMethod,
+        iss,
+        state: generateRandomAlphaNumericString(32),
         code_challenge: codeChallenge,
+        code_challenge_method: codeChallengeMethod,
+        authorization_details: authorizationDetails,
+        redirect_uri: redirectUri,
+        client_assertion_type: assertionType,
+        client_assertion: walletInstanceAttestation + "~" + signedWiaPoP,
       })
-      .setIssuedAt()
-      .setExpirationTime("1h")
+      .setIssuedAt() //iat is set to now
+      .setExpirationTime("5min")
       .sign();
 
     /** The request body for the Pushed Authorization Request */
@@ -85,9 +97,9 @@ export const makeParRequest =
       client_id: clientId,
       code_challenge: codeChallenge,
       code_challenge_method: "S256",
-      client_assertion_type: assertionType,
-      client_assertion: walletInstanceAttestation,
       request: signedJwtForPar,
+      client_assertion_type: assertionType,
+      client_assertion: walletInstanceAttestation + "~" + signedWiaPoP,
     });
 
     return await appFetch(parEndpoint, {

package/src/utils/pop.ts

@@ -0,0 +1,34 @@
+import * as z from "zod";
+
+import { SignJWT, type CryptoContext } from "@pagopa/io-react-native-jwt";
+
+/**
+ * Create a signed PoP token
+ *
+ * @param payload The payload to be included in the token.
+ * @param crypto The crypto context that handles the key bound to the DPoP.
+ *
+ * @returns The signed crypto token.
+ */
+export const createPopToken = async (
+  payload: PoPPayload,
+  crypto: CryptoContext
+): Promise<string> => {
+  const kid = await crypto.getPublicKey().then((_) => _.kid);
+  return new SignJWT(crypto)
+    .setPayload(payload)
+    .setProtectedHeader({
+      typ: "jwt-client-attestation-pop",
+      kid,
+    })
+    .setIssuedAt()
+    .setExpirationTime("5min")
+    .sign();
+};
+
+export type PoPPayload = z.infer<typeof PoPPayload>;
+export const PoPPayload = z.object({
+  jti: z.string(),
+  aud: z.string(),
+  iss: z.string(),
+});

package/src/wallet-instance/index.ts

@@ -0,0 +1,29 @@
+import { getWalletProviderClient } from "../client";
+import type { IntegrityContext } from "..";
+
+export async function createWalletInstance(context: {
+  integrityContext: IntegrityContext;
+  walletProviderBaseUrl: string;
+  appFetch?: GlobalFetch["fetch"];
+}) {
+  const { integrityContext } = context;
+
+  const api = getWalletProviderClient(context);
+
+  //1. Obtain nonce
+  const challenge = await api.get("/nonce").then((response) => response.nonce);
+
+  const keyAttestation = await integrityContext.getAttestation(challenge);
+  const hardwareKeyTag = integrityContext.getHardwareKeyTag();
+
+  //2. Create Wallet Instance
+  await api.post("/wallet-instances", {
+    body: {
+      challenge,
+      key_attestation: keyAttestation,
+      hardware_key_tag: hardwareKeyTag,
+    },
+  });
+
+  return hardwareKeyTag;
+}