@pagopa/io-react-native-wallet 0.11.1 → 0.13.0

package/src/wallet-instance-attestation/issuing.ts

@@ -1,77 +1,68 @@
-import {
-  type CryptoContext,
-  decode as decodeJwt,
-} from "@pagopa/io-react-native-jwt";
-import { verify as verifyJwt } from "@pagopa/io-react-native-jwt";
+import { type CryptoContext } from "@pagopa/io-react-native-jwt";
 import { SignJWT, thumbprint } from "@pagopa/io-react-native-jwt";
+import { z } from "zod";
 import { JWK, fixBase64EncodingOnKey } from "../utils/jwk";
-import { WalletInstanceAttestationRequestJwt } from "./types";
-import uuid from "react-native-uuid";
-import { WalletInstanceAttestationIssuingError } from "../utils/errors";
-import type { WalletProviderEntityConfiguration } from "../trust/types";
+import { getWalletProviderClient } from "../client";
+import type { IntegrityContext } from "..";
+import {
+  WalletProviderResponseError,
+  WalletInstanceRevokedError,
+  WalletInstanceNotFoundError,
+  WalletInstanceAttestationIssuingError,
+} from "../utils/errors";
 
-async function getAttestationRequest(
+/**
+ * Getter for an attestation request. The attestation request is a JWT that will be sent to the Wallet Provider to request a Wallet Instance Attestation.
+ *
+ * @param challenge - The nonce received from the Wallet Provider which is part of the signed clientData
+ * @param wiaCryptoContext - The key pair associated with the WIA. Will be use to prove the ownership of the attestation
+ * @param integrityContext - The integrity context which exposes a set of functions to interact with the device integrity service
+ * @param walletProviderBaseUrl - Base url for the Wallet Provider
+ * @returns A JWT containing the attestation request
+ */
+export async function getAttestationRequest(
+  challenge: string,
   wiaCryptoContext: CryptoContext,
-  walletProviderEntityConfiguration: WalletProviderEntityConfiguration
+  integrityContext: IntegrityContext,
+  walletProviderBaseUrl: string
 ): Promise<string> {
   const jwk = await wiaCryptoContext.getPublicKey();
   const parsedJwk = JWK.parse(jwk);
   const keyThumbprint = await thumbprint(parsedJwk);
   const publicKey = { ...parsedJwk, kid: keyThumbprint };
 
+  const clientData = {
+    challenge,
+    jwk_thumbprint: keyThumbprint,
+  };
+
+  const hardwareKeyTag = integrityContext.getHardwareKeyTag();
+  const { signature, authenticatorData } =
+    await integrityContext.getHardwareSignatureWithAuthData(
+      JSON.stringify(clientData)
+    );
+
   return new SignJWT(wiaCryptoContext)
     .setPayload({
       iss: keyThumbprint,
-      aud: walletProviderEntityConfiguration.payload.iss,
-      jti: `${uuid.v4()}`,
-      nonce: `${uuid.v4()}`,
+      sub: walletProviderBaseUrl,
+      challenge,
+      hardware_signature: signature,
+      integrity_assertion: authenticatorData,
+      hardware_key_tag: hardwareKeyTag,
       cnf: {
         jwk: fixBase64EncodingOnKey(publicKey),
       },
     })
     .setProtectedHeader({
       kid: publicKey.kid,
-      typ: "wiar+jwt",
+      typ: "war+jwt",
     })
     .setIssuedAt()
     .setExpirationTime("1h")
     .sign();
 }
 
-/**
- * Validate a Wallet Instance Attestation token.
- * Either return true or throw an exception.
- *
- * @param wia Signed Wallet Instance Attestation token
- * @param walletProviderEntityConfiguration Entity Configuration object for the issuing Wallet Provider
- * @returns The token is valid
- * @throws {WalletInstanceAttestationIssuingError} When the received token fails to validate. This can happen due to invalid signature, expired token or malformed JWT token.
- */
-async function verifyWalletInstanceAttestation(
-  wia: string,
-  walletProviderEntityConfiguration: WalletProviderEntityConfiguration
-): Promise<true> {
-  const {
-    payload: {
-      sub,
-      metadata: {
-        wallet_provider: {
-          jwks: { keys },
-        },
-      },
-    },
-  } = walletProviderEntityConfiguration;
-  return verifyJwt(wia, keys, { issuer: sub })
-    .then((_) => true as const)
-    .catch((ex) => {
-      const reason = ex && ex instanceof Error ? ex.message : "unknown reason";
-      throw new WalletInstanceAttestationIssuingError(
-        "Unable to validate received wallet instance attestation",
-        reason
-      );
-    });
-}
-
 /**
  * Request a Wallet Instance Attestation (WIA) to the Wallet provider
  *
@@ -79,61 +70,74 @@ async function verifyWalletInstanceAttestation(
  * @param params.appFetch (optional) Http client
  * @param walletProviderBaseUrl Base url for the Wallet Provider
  * @returns The retrieved Wallet Instance Attestation token
+ * @throws {WalletInstanceRevokedError} The Wallet Instance was revoked
+ * @throws {WalletInstanceNotFoundError} The Wallet Instance does not exist
  */
-export const getAttestation =
-  ({
-    wiaCryptoContext,
-    appFetch = fetch,
-  }: {
-    wiaCryptoContext: CryptoContext;
-    appFetch?: GlobalFetch["fetch"];
-  }) =>
-  async (
-    walletProviderEntityConfiguration: WalletProviderEntityConfiguration
-  ): Promise<string> => {
-    const signedAttestationRequest = await getAttestationRequest(
-      wiaCryptoContext,
-      walletProviderEntityConfiguration
-    );
+export const getAttestation = async ({
+  wiaCryptoContext,
+  integrityContext,
+  walletProviderBaseUrl,
+  appFetch = fetch,
+}: {
+  wiaCryptoContext: CryptoContext;
+  integrityContext: IntegrityContext;
+  walletProviderBaseUrl: string;
+  appFetch?: GlobalFetch["fetch"];
+}): Promise<string> => {
+  const api = getWalletProviderClient({
+    walletProviderBaseUrl,
+    appFetch,
+  });
 
-    const decodedRequest = decodeJwt(signedAttestationRequest);
-    const parsedRequest = WalletInstanceAttestationRequestJwt.parse({
-      payload: decodedRequest.payload,
-      header: decodedRequest.protectedHeader,
-    });
-    const publicKey = parsedRequest.payload.cnf.jwk;
+  // 1. Get nonce from backend
+  const challenge = await api.get("/nonce").then((response) => response.nonce);
 
-    await verifyJwt(signedAttestationRequest, publicKey);
+  // 2. Get a signed attestation request
+  const signedAttestationRequest = await getAttestationRequest(
+    challenge,
+    wiaCryptoContext,
+    integrityContext,
+    walletProviderBaseUrl
+  );
 
-    const tokenUrl =
-      walletProviderEntityConfiguration.payload.metadata.wallet_provider
-        .token_endpoint;
-    const requestBody = {
-      grant_type:
-        "urn:ietf:params:oauth:client-assertion-type:jwt-client-attestation",
-      assertion: signedAttestationRequest,
-    };
-    const response = await appFetch(tokenUrl, {
-      method: "POST",
-      headers: {
-        "Content-Type": "application/json",
+  // 3. Request WIA
+  const wia = await api
+    .post("/token", {
+      body: {
+        grant_type: "urn:ietf:params:oauth:grant-type:jwt-bearer",
+        assertion: signedAttestationRequest,
       },
-      body: JSON.stringify(requestBody),
-    });
+    })
+    .then((result) => z.string().parse(result))
+    .catch(handleAttestationCreationError);
 
-    if (response.status !== 201) {
-      throw new WalletInstanceAttestationIssuingError(
-        "Unable to obtain wallet instance attestation from wallet provider",
-        `Response code: ${response.status}`
-      );
-    }
+  return wia;
+};
 
-    const wia = await response.text();
+const handleAttestationCreationError = (e: unknown) => {
+  if (!(e instanceof WalletProviderResponseError)) {
+    throw e;
+  }
 
-    await verifyWalletInstanceAttestation(
-      wia,
-      walletProviderEntityConfiguration
+  if (e.statusCode === 403) {
+    throw new WalletInstanceRevokedError(
+      "Unable to get an attestation for a revoked Wallet Instance",
+      e.claim,
+      e.reason
     );
+  }
 
-    return wia;
-  };
+  if (e.statusCode === 404) {
+    throw new WalletInstanceNotFoundError(
+      "Unable to get an attestation for a Wallet Instance that does not exist",
+      e.claim,
+      e.reason
+    );
+  }
+
+  throw new WalletInstanceAttestationIssuingError(
+    `Unable to obtain wallet instance attestation [response status code: ${e.statusCode}]`,
+    e.claim,
+    e.reason
+  );
+};

package/src/wallet-instance-attestation/types.ts

@@ -33,7 +33,7 @@ export const WalletInstanceAttestationRequestJwt = z.object({
   header: z.intersection(
     Jwt.shape.header,
     z.object({
-      typ: z.literal("wiar+jwt"),
+      typ: z.literal("war+jwt"),
     })
   ),
   payload: z.intersection(
@@ -60,16 +60,20 @@ export const WalletInstanceAttestationJwt = z.object({
     Jwt.shape.payload,
     z.object({
       sub: z.string(),
-      attested_security_context: z.string(),
+      aal: z.string(),
       authorization_endpoint: z.string(),
       response_types_supported: z.array(z.string()),
       vp_formats_supported: z.object({
-        jwt_vp_json: z.object({
-          alg_values_supported: z.array(z.string()),
-        }),
-        jwt_vc_json: z.object({
-          alg_values_supported: z.array(z.string()),
-        }),
+        "vc+sd-jwt": z
+          .object({
+            "sd-jwt_alg_values": z.array(z.string()),
+          })
+          .optional(),
+        "vp+sd-jwt": z
+          .object({
+            "sd-jwt_alg_values": z.array(z.string()),
+          })
+          .optional(),
       }),
       request_object_signing_alg_values_supported: z.array(z.string()),
       presentation_definition_uri_supported: z.boolean(),

package/lib/commonjs/credential/issuance/07-confirm-credential.js

@@ -1,6 +0,0 @@
-"use strict";
-
-Object.defineProperty(exports, "__esModule", {
-  value: true
-});
-//# sourceMappingURL=07-confirm-credential.js.map

package/lib/commonjs/credential/issuance/07-confirm-credential.js.map

@@ -1 +0,0 @@
-{"version":3,"names":[],"sourceRoot":"../../../../src","sources":["credential/issuance/07-confirm-credential.ts"],"mappings":""}

package/lib/commonjs/credential/issuance/08-confirm-credential.js

@@ -1,6 +0,0 @@
-"use strict";
-
-Object.defineProperty(exports, "__esModule", {
-  value: true
-});
-//# sourceMappingURL=08-confirm-credential.js.map

package/lib/commonjs/credential/issuance/08-confirm-credential.js.map

@@ -1 +0,0 @@
-{"version":3,"names":[],"sourceRoot":"../../../../src","sources":["credential/issuance/08-confirm-credential.ts"],"mappings":""}

package/lib/module/credential/issuance/07-confirm-credential.js

@@ -1,2 +0,0 @@
-export {};
-//# sourceMappingURL=07-confirm-credential.js.map

package/lib/module/credential/issuance/07-confirm-credential.js.map

@@ -1 +0,0 @@
-{"version":3,"names":[],"sourceRoot":"../../../../src","sources":["credential/issuance/07-confirm-credential.ts"],"mappings":""}

package/lib/module/credential/issuance/08-confirm-credential.js

@@ -1,2 +0,0 @@
-export {};
-//# sourceMappingURL=08-confirm-credential.js.map

package/lib/module/credential/issuance/08-confirm-credential.js.map

@@ -1 +0,0 @@
-{"version":3,"names":[],"sourceRoot":"../../../../src","sources":["credential/issuance/08-confirm-credential.ts"],"mappings":""}

package/lib/typescript/credential/issuance/07-confirm-credential.d.ts

@@ -1,11 +0,0 @@
-import type { ObtainCredential } from "./06-obtain-credential";
-import type { Out } from "../../utils/misc";
-/**
- * The end of the issuing flow.
- * The User accepted the Credential and it can be stored in the device according to the app implementation preferences.
- * To be implemented.
- *
- * @returns The type of the Credential to be issued and the url of the Issuer
- */
-export type ConfirmCredential = (credential: Out<ObtainCredential>["credential"], format: Out<ObtainCredential>["format"]) => Promise<void>;
-//# sourceMappingURL=07-confirm-credential.d.ts.map

package/lib/typescript/credential/issuance/07-confirm-credential.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"07-confirm-credential.d.ts","sourceRoot":"","sources":["../../../../src/credential/issuance/07-confirm-credential.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAC/D,OAAO,KAAK,EAAE,GAAG,EAAE,MAAM,kBAAkB,CAAC;AAE5C;;;;;;GAMG;AACH,MAAM,MAAM,iBAAiB,GAAG,CAC9B,UAAU,EAAE,GAAG,CAAC,gBAAgB,CAAC,CAAC,YAAY,CAAC,EAC/C,MAAM,EAAE,GAAG,CAAC,gBAAgB,CAAC,CAAC,QAAQ,CAAC,KACpC,OAAO,CAAC,IAAI,CAAC,CAAC"}

package/lib/typescript/credential/issuance/08-confirm-credential.d.ts

@@ -1,11 +0,0 @@
-import type { ObtainCredential } from "./06-obtain-credential";
-import type { Out } from "../../utils/misc";
-/**
- * The end of the issuing flow.
- * The User accepted the Credential and it can be stored in the device according to the app implementation preferences.
- * To be implemented.
- *
- * @returns The type of the Credential to be issued and the url of the Issuer
- */
-export type ConfirmCredential = (credential: Out<ObtainCredential>["credential"], format: Out<ObtainCredential>["format"]) => Promise<void>;
-//# sourceMappingURL=08-confirm-credential.d.ts.map

package/lib/typescript/credential/issuance/08-confirm-credential.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"08-confirm-credential.d.ts","sourceRoot":"","sources":["../../../../src/credential/issuance/08-confirm-credential.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAC/D,OAAO,KAAK,EAAE,GAAG,EAAE,MAAM,kBAAkB,CAAC;AAE5C;;;;;;GAMG;AACH,MAAM,MAAM,iBAAiB,GAAG,CAC9B,UAAU,EAAE,GAAG,CAAC,gBAAgB,CAAC,CAAC,YAAY,CAAC,EAC/C,MAAM,EAAE,GAAG,CAAC,gBAAgB,CAAC,CAAC,QAAQ,CAAC,KACpC,OAAO,CAAC,IAAI,CAAC,CAAC"}

package/src/credential/issuance/07-confirm-credential.ts

@@ -1,14 +0,0 @@
-import type { ObtainCredential } from "./06-obtain-credential";
-import type { Out } from "../../utils/misc";
-
-/**
- * The end of the issuing flow.
- * The User accepted the Credential and it can be stored in the device according to the app implementation preferences.
- * To be implemented.
- *
- * @returns The type of the Credential to be issued and the url of the Issuer
- */
-export type ConfirmCredential = (
-  credential: Out<ObtainCredential>["credential"],
-  format: Out<ObtainCredential>["format"]
-) => Promise<void>;

package/src/credential/issuance/08-confirm-credential.ts

@@ -1,14 +0,0 @@
-import type { ObtainCredential } from "./06-obtain-credential";
-import type { Out } from "../../utils/misc";
-
-/**
- * The end of the issuing flow.
- * The User accepted the Credential and it can be stored in the device according to the app implementation preferences.
- * To be implemented.
- *
- * @returns The type of the Credential to be issued and the url of the Issuer
- */
-export type ConfirmCredential = (
-  credential: Out<ObtainCredential>["credential"],
-  format: Out<ObtainCredential>["format"]
-) => Promise<void>;