@pagopa/io-react-native-wallet 0.12.0 → 0.13.0

package/src/sd-jwt/__test__/index.test.ts

@@ -13,99 +13,70 @@ import { SdJwt4VC } from "../types";
 //    - "address" is used as verification._sd
 //    - all others disclosures are in claims._sd
 const token =
-  "eyJ0eXAiOiJ2YytzZC1qd3QiLCJhbGciOiJFUzI1NiIsImtpZCI6ImIxODZlYTBjMTkyNTc5MzA5N2JmMDFiOGEyODlhNDVmIiwidHJ1c3RfY2hhaW4iOlsiTkVoUmRFUnBZbmxIWTNNNVdsZFdUV1oyYVVobSAuLi4iLCJleUpoYkdjaU9pSlNVekkxTmlJc0ltdHBaQ0k2IC4uLiIsIklrSllkbVp5Ykc1b1FVMTFTRkl3TjJGcVZXMUIgLi4uIl19.eyJpc3MiOiJodHRwczovL2V4YW1wbGUuY29tL2lzc3VlciIsInN1YiI6Ik56YkxzWGg4dURDY2Q3bm9XWEZaQWZIa3hac1JHQzlYcy4uLiIsImp0aSI6InVybjp1dWlkOjZjNWMwYTQ5LWI1ODktNDMxZC1iYWU3LTIxOTEyMmE5ZWMyYyIsImlhdCI6MTU0MTQ5MzcyNCwiZXhwIjoxNTQxNDkzNzI0LCJzdGF0dXMiOiJodHRwczovL2V4YW1wbGUuY29tL3N0YXR1cyIsImNuZiI6eyJqd2siOnsia3R5IjoiUlNBIiwidXNlIjoic2lnIiwibiI6IjFUYS1zRSIsImUiOiJBUUFCIiwia2lkIjoiWWhORlMzWW5DOXRqaUNhaXZoV0xWVUozQXh3R0d6Xzk4dVJGYXFNRUVzIn19LCJ0eXBlIjoiUGVyc29uSWRlbnRpZmljYXRpb25EYXRhIiwidmVyaWZpZWRfY2xhaW1zIjp7InZlcmlmaWNhdGlvbiI6eyJfc2QiOlsiSnpZakg0c3ZsaUgwUjNQeUVNZmVadTZKdDY5dTVxZWhabzdGN0VQWWxTRSJdLCJ0cnVzdF9mcmFtZXdvcmsiOiJlaWRhcyIsImFzc3VyYW5jZV9sZXZlbCI6ImhpZ2gifSwiY2xhaW1zIjp7Il9zZCI6WyIwOXZLckpNT2x5VFdNMHNqcHVfcGRPQlZCUTJNMXkzS2hwSDUxNW5Ya3BZIiwiMnJzakdiYUMwa3k4bVQwcEpyUGlvV1RxMF9kYXcxc1g3NnBvVWxnQ3diSSIsIkVrTzhkaFcwZEhFSmJ2VUhsRV9WQ2V1Qzl1UkVMT2llTFpoaDdYYlVUdEEiLCJJbER6SUtlaVpkRHdwcXBLNlpmYnlwaEZ2ejVGZ25XYS1zTjZ3cVFYQ2l3IiwiUG9yRmJwS3VWdTZ4eW1KYWd2a0ZzRlhBYlJvYzJKR2xBVUEyQkE0bzdjSSIsIlRHZjRvTGJnd2Q1SlFhSHlLVlFaVTlVZEdFMHc1cnREc3JaemZVYW9tTG8iLCJqZHJURThZY2JZNEVpZnVnaWhpQWVfQlBla3hKUVpJQ2VpVVF3WTlRcXhJIiwianN1OXlWdWx3UVFsaEZsTV8zSmx6TWFTRnpnbGhRRzBEcGZheVF3TFVLNCJdfX0sIl9zZF9hbGciOiJzaGEtMjU2In0.8wwSHCd47wCgzRYXvvPTTRXGS-hk9V8jRzy7WSjRBTZxSHxJkGOSWwBVAA-kpJ-IvQS7699aLWxIMqAvr34sOA~WyIyR0xDNDJzS1F2ZUNmR2ZyeU5STjl3IiwgImdpdmVuX25hbWUiLCAiSm9obiJd~WyJlbHVWNU9nM2dTTklJOEVZbnN4QV9BIiwgImZhbWlseV9uYW1lIiwgIkRvZSJd~WyI2SWo3dE0tYTVpVlBHYm9TNXRtdlZBIiwgImVtYWlsIiwgImpvaG5kb2VAZXhhbXBsZS5jb20iXQ~WyJlSThaV205UW5LUHBOUGVOZW5IZGhRIiwgInBob25lX251bWJlciIsICIrMS0yMDItNTU1LTAxMDEiXQ~WyJBSngtMDk1VlBycFR0TjRRTU9xUk9BIiwgImJpcnRoZGF0ZSIsICIxOTQwLTAxLTAxIl0~WyJQYzMzSk0yTGNoY1VfbEhnZ3ZfdWZRIiwgImlzX292ZXJfMTgiLCB0cnVlXQ~WyJHMDJOU3JRZmpGWFE3SW8wOXN5YWpBIiwgImlzX292ZXJfMjEiLCB0cnVlXQ~WyJsa2x4RjVqTVlsR1RQVW92TU5JdkNBIiwgImlzX292ZXJfNjUiLCB0cnVlXQ~WyJRZ19PNjR6cUF4ZTQxMmExMDhpcm9BIiwgImFkZHJlc3MiLCB7InN0cmVldF9hZGRyZXNzIjogIjEyMyBNYWluIFN0IiwgImxvY2FsaXR5IjogIkFueXRvd24iLCAicmVnaW9uIjogIkFueXN0YXRlIiwgImNvdW50cnkiOiAiVVMifV0";
+  "eyJraWQiOiItRl82VWdhOG4zVmVnalkyVTdZVUhLMXpMb2FELU5QVGM2M1JNSVNuTGF3IiwidHlwIjoidmMrc2Qtand0IiwiYWxnIjoiRVMyNTYifQ.eyJfc2QiOlsiMHExRDVKbWF2NnBRYUVoX0pfRmN2X3VOTk1RSWdDeWhRT3hxbFk0bDNxVSIsIktDSi1BVk52ODhkLXhqNnNVSUFPSnhGbmJVaDNySFhES2tJSDFsRnFiUnMiLCJNOWxvOVl4RE5JWHJBcTJxV2VpQ0E0MHpwSl96WWZGZFJfNEFFQUxjUnRVIiwiY3pnalVrMG5xUkNzd1NoQ2hDamRTNkExLXY0N2RfcVRDU0ZJdklIaE1vSSIsIm5HblFyN2NsbTN0ZlRwOHlqTF91SHJEU090elIyUFZiOFM3R2VMZEFxQlEiLCJ4TklWd2xwU3NhWjhDSlNmMGd6NXhfNzVWUldXYzZWMW1scGVqZENycVVzIl0sInN1YiI6IjIxNmY4OTQ2LTllY2ItNDgxOS05MzA5LWMwNzZmMzRhN2UxMSIsIl9zZF9hbGciOiJzaGEtMjU2IiwidmN0IjoiUGVyc29uSWRlbnRpZmljYXRpb25EYXRhIiwiaXNzIjoiaHR0cHM6Ly9wcmUuZWlkLndhbGxldC5pcHpzLml0IiwiY25mIjp7Imp3ayI6eyJrdHkiOiJFQyIsImNydiI6IlAtMjU2Iiwia2lkIjoiUnYzVy1FaUtwdkJUeWs1eVp4dnJldi03TURCNlNselVDQm9fQ1FqamRkVSIsIngiOiIwV294N1F0eVBxQnlnMzVNSF9YeUNjbmQ1TGUtSm0wQVhIbFVnREJBMDNZIiwieSI6ImVFaFZ2ZzFKUHFOZDNEVFNhNG1HREdCbHdZNk5QLUVaYkxiTkZYU1h3SWcifX0sImV4cCI6MTc1MTU0NjU3Niwic3RhdHVzIjp7InN0YXR1c19hdHRlc3RhdGlvbiI6eyJjcmVkZW50aWFsX2hhc2hfYWxnIjoic2hhLTI1NiJ9fX0.qXHA2oqr8trX4fGxpxpUft2GX380TM3pzfo1MYAsDjUC8HsODA-4rdRWAvDe2zYP57x4tJU7eiABkd1Kmln9yQ~WyJrSkRFUDhFYU5URU1CRE9aelp6VDR3IiwidW5pcXVlX2lkIiwiVElOSVQtTFZMREFBODVUNTBHNzAyQiJd~WyJ6SUF5VUZ2UGZJcEUxekJxeEk1aGFRIiwiYmlydGhfZGF0ZSIsIjE5ODUtMTItMTAiXQ~WyJHcjNSM3MyOTBPa1FVbS1ORlR1OTZBIiwidGF4X2lkX2NvZGUiLCJUSU5JVC1MVkxEQUE4NVQ1MEc3MDJCIl0~WyJHeE9SYWxNQWVsZlowZWRGSmpqWVV3IiwiZ2l2ZW5fbmFtZSIsIkFkYSJd~WyJfdlY1UklrbDBJT0VYS290czlrdDF3IiwiZmFtaWx5X25hbWUiLCJMb3ZlbGFjZSJd~WyJDajV0Y2NSNzJKd3J6ZTJUVzRhLXdnIiwiaWF0IiwxNzIwMDEwNTc1XQ";
 
 const unsigned =
-  "eyJ0eXAiOiJ2YytzZC1qd3QiLCJhbGciOiJFUzI1NiIsImtpZCI6ImIxODZlYTBjMTkyNTc5MzA5N2JmMDFiOGEyODlhNDVmIiwidHJ1c3RfY2hhaW4iOlsiTkVoUmRFUnBZbmxIWTNNNVdsZFdUV1oyYVVobSAuLi4iLCJleUpoYkdjaU9pSlNVekkxTmlJc0ltdHBaQ0k2IC4uLiIsIklrSllkbVp5Ykc1b1FVMTFTRkl3TjJGcVZXMUIgLi4uIl19.eyJpc3MiOiJodHRwczovL2V4YW1wbGUuY29tL2lzc3VlciIsInN1YiI6Ik56YkxzWGg4dURDY2Q3bm9XWEZaQWZIa3hac1JHQzlYcy4uLiIsImp0aSI6InVybjp1dWlkOjZjNWMwYTQ5LWI1ODktNDMxZC1iYWU3LTIxOTEyMmE5ZWMyYyIsImlhdCI6MTU0MTQ5MzcyNCwiZXhwIjoxNTQxNDkzNzI0LCJzdGF0dXMiOiJodHRwczovL2V4YW1wbGUuY29tL3N0YXR1cyIsImNuZiI6eyJqd2siOnsia3R5IjoiUlNBIiwidXNlIjoic2lnIiwibiI6IjFUYS1zRSIsImUiOiJBUUFCIiwia2lkIjoiWWhORlMzWW5DOXRqaUNhaXZoV0xWVUozQXh3R0d6Xzk4dVJGYXFNRUVzIn19LCJ0eXBlIjoiUGVyc29uSWRlbnRpZmljYXRpb25EYXRhIiwidmVyaWZpZWRfY2xhaW1zIjp7InZlcmlmaWNhdGlvbiI6eyJfc2QiOlsiSnpZakg0c3ZsaUgwUjNQeUVNZmVadTZKdDY5dTVxZWhabzdGN0VQWWxTRSJdLCJ0cnVzdF9mcmFtZXdvcmsiOiJlaWRhcyIsImFzc3VyYW5jZV9sZXZlbCI6ImhpZ2gifSwiY2xhaW1zIjp7Il9zZCI6WyIwOXZLckpNT2x5VFdNMHNqcHVfcGRPQlZCUTJNMXkzS2hwSDUxNW5Ya3BZIiwiMnJzakdiYUMwa3k4bVQwcEpyUGlvV1RxMF9kYXcxc1g3NnBvVWxnQ3diSSIsIkVrTzhkaFcwZEhFSmJ2VUhsRV9WQ2V1Qzl1UkVMT2llTFpoaDdYYlVUdEEiLCJJbER6SUtlaVpkRHdwcXBLNlpmYnlwaEZ2ejVGZ25XYS1zTjZ3cVFYQ2l3IiwiUG9yRmJwS3VWdTZ4eW1KYWd2a0ZzRlhBYlJvYzJKR2xBVUEyQkE0bzdjSSIsIlRHZjRvTGJnd2Q1SlFhSHlLVlFaVTlVZEdFMHc1cnREc3JaemZVYW9tTG8iLCJqZHJURThZY2JZNEVpZnVnaWhpQWVfQlBla3hKUVpJQ2VpVVF3WTlRcXhJIiwianN1OXlWdWx3UVFsaEZsTV8zSmx6TWFTRnpnbGhRRzBEcGZheVF3TFVLNCJdfX0sIl9zZF9hbGciOiJzaGEtMjU2In0";
+  "eyJraWQiOiItRl82VWdhOG4zVmVnalkyVTdZVUhLMXpMb2FELU5QVGM2M1JNSVNuTGF3IiwidHlwIjoidmMrc2Qtand0IiwiYWxnIjoiRVMyNTYifQ.eyJfc2QiOlsiMHExRDVKbWF2NnBRYUVoX0pfRmN2X3VOTk1RSWdDeWhRT3hxbFk0bDNxVSIsIktDSi1BVk52ODhkLXhqNnNVSUFPSnhGbmJVaDNySFhES2tJSDFsRnFiUnMiLCJNOWxvOVl4RE5JWHJBcTJxV2VpQ0E0MHpwSl96WWZGZFJfNEFFQUxjUnRVIiwiY3pnalVrMG5xUkNzd1NoQ2hDamRTNkExLXY0N2RfcVRDU0ZJdklIaE1vSSIsIm5HblFyN2NsbTN0ZlRwOHlqTF91SHJEU090elIyUFZiOFM3R2VMZEFxQlEiLCJ4TklWd2xwU3NhWjhDSlNmMGd6NXhfNzVWUldXYzZWMW1scGVqZENycVVzIl0sInN1YiI6IjIxNmY4OTQ2LTllY2ItNDgxOS05MzA5LWMwNzZmMzRhN2UxMSIsIl9zZF9hbGciOiJzaGEtMjU2IiwidmN0IjoiUGVyc29uSWRlbnRpZmljYXRpb25EYXRhIiwiaXNzIjoiaHR0cHM6Ly9wcmUuZWlkLndhbGxldC5pcHpzLml0IiwiY25mIjp7Imp3ayI6eyJrdHkiOiJFQyIsImNydiI6IlAtMjU2Iiwia2lkIjoiUnYzVy1FaUtwdkJUeWs1eVp4dnJldi03TURCNlNselVDQm9fQ1FqamRkVSIsIngiOiIwV294N1F0eVBxQnlnMzVNSF9YeUNjbmQ1TGUtSm0wQVhIbFVnREJBMDNZIiwieSI6ImVFaFZ2ZzFKUHFOZDNEVFNhNG1HREdCbHdZNk5QLUVaYkxiTkZYU1h3SWcifX0sImV4cCI6MTc1MTU0NjU3Niwic3RhdHVzIjp7InN0YXR1c19hdHRlc3RhdGlvbiI6eyJjcmVkZW50aWFsX2hhc2hfYWxnIjoic2hhLTI1NiJ9fX0";
 
 const signature =
-  "8wwSHCd47wCgzRYXvvPTTRXGS-hk9V8jRzy7WSjRBTZxSHxJkGOSWwBVAA-kpJ-IvQS7699aLWxIMqAvr34sOA";
+  "qXHA2oqr8trX4fGxpxpUft2GX380TM3pzfo1MYAsDjUC8HsODA-4rdRWAvDe2zYP57x4tJU7eiABkd1Kmln9yQ";
 
 const signed = `${unsigned}.${signature}`;
 
 const tokenizedDisclosures = [
-  "WyIyR0xDNDJzS1F2ZUNmR2ZyeU5STjl3IiwgImdpdmVuX25hbWUiLCAiSm9obiJd",
-  "WyJlbHVWNU9nM2dTTklJOEVZbnN4QV9BIiwgImZhbWlseV9uYW1lIiwgIkRvZSJd",
-  "WyI2SWo3dE0tYTVpVlBHYm9TNXRtdlZBIiwgImVtYWlsIiwgImpvaG5kb2VAZXhhbXBsZS5jb20iXQ",
-  "WyJlSThaV205UW5LUHBOUGVOZW5IZGhRIiwgInBob25lX251bWJlciIsICIrMS0yMDItNTU1LTAxMDEiXQ",
-  "WyJBSngtMDk1VlBycFR0TjRRTU9xUk9BIiwgImJpcnRoZGF0ZSIsICIxOTQwLTAxLTAxIl0",
-  "WyJQYzMzSk0yTGNoY1VfbEhnZ3ZfdWZRIiwgImlzX292ZXJfMTgiLCB0cnVlXQ",
-  "WyJHMDJOU3JRZmpGWFE3SW8wOXN5YWpBIiwgImlzX292ZXJfMjEiLCB0cnVlXQ",
-  "WyJsa2x4RjVqTVlsR1RQVW92TU5JdkNBIiwgImlzX292ZXJfNjUiLCB0cnVlXQ",
-  "WyJRZ19PNjR6cUF4ZTQxMmExMDhpcm9BIiwgImFkZHJlc3MiLCB7InN0cmVldF9hZGRyZXNzIjogIjEyMyBNYWluIFN0IiwgImxvY2FsaXR5IjogIkFueXRvd24iLCAicmVnaW9uIjogIkFueXN0YXRlIiwgImNvdW50cnkiOiAiVVMifV0",
+  "WyJrSkRFUDhFYU5URU1CRE9aelp6VDR3IiwidW5pcXVlX2lkIiwiVElOSVQtTFZMREFBODVUNTBHNzAyQiJd",
+  "WyJ6SUF5VUZ2UGZJcEUxekJxeEk1aGFRIiwiYmlydGhfZGF0ZSIsIjE5ODUtMTItMTAiXQ",
+  "WyJHcjNSM3MyOTBPa1FVbS1ORlR1OTZBIiwidGF4X2lkX2NvZGUiLCJUSU5JVC1MVkxEQUE4NVQ1MEc3MDJCIl0",
+  "WyJHeE9SYWxNQWVsZlowZWRGSmpqWVV3IiwiZ2l2ZW5fbmFtZSIsIkFkYSJd",
+  "WyJfdlY1UklrbDBJT0VYS290czlrdDF3IiwiZmFtaWx5X25hbWUiLCJMb3ZlbGFjZSJd",
+  "WyJDajV0Y2NSNzJKd3J6ZTJUVzRhLXdnIiwiaWF0IiwxNzIwMDEwNTc1XQ",
 ];
 
 const sdJwt = {
   header: {
+    kid: "-F_6Uga8n3VegjY2U7YUHK1zLoaD-NPTc63RMISnLaw",
     typ: "vc+sd-jwt",
     alg: "ES256",
-    kid: "b186ea0c1925793097bf01b8a289a45f",
-    trust_chain: [
-      "NEhRdERpYnlHY3M5WldWTWZ2aUhm ...",
-      "eyJhbGciOiJSUzI1NiIsImtpZCI6 ...",
-      "IkJYdmZybG5oQU11SFIwN2FqVW1B ...",
-    ],
   },
   payload: {
-    iss: "https://example.com/issuer",
-    sub: "NzbLsXh8uDCcd7noWXFZAfHkxZsRGC9Xs...",
-    jti: "urn:uuid:6c5c0a49-b589-431d-bae7-219122a9ec2c",
-    iat: 1541493724,
-    exp: 1541493724,
-    status: "https://example.com/status",
+    _sd: [
+      "0q1D5Jmav6pQaEh_J_Fcv_uNNMQIgCyhQOxqlY4l3qU",
+      "KCJ-AVNv88d-xj6sUIAOJxFnbUh3rHXDKkIH1lFqbRs",
+      "M9lo9YxDNIXrAq2qWeiCA40zpJ_zYfFdR_4AEALcRtU",
+      "czgjUk0nqRCswShChCjdS6A1-v47d_qTCSFIvIHhMoI",
+      "nGnQr7clm3tfTp8yjL_uHrDSOtzR2PVb8S7GeLdAqBQ",
+      "xNIVwlpSsaZ8CJSf0gz5x_75VRWWc6V1mlpejdCrqUs",
+    ],
+    sub: "216f8946-9ecb-4819-9309-c076f34a7e11",
+    _sd_alg: "sha-256",
+    vct: "PersonIdentificationData",
+    iss: "https://pre.eid.wallet.ipzs.it",
     cnf: {
       jwk: {
-        kty: "RSA",
-        use: "sig",
-        n: "1Ta-sE",
-        e: "AQAB",
-        kid: "YhNFS3YnC9tjiCaivhWLVUJ3AxwGGz_98uRFaqMEEs",
+        kty: "EC",
+        crv: "P-256",
+        kid: "Rv3W-EiKpvBTyk5yZxvrev-7MDB6SlzUCBo_CQjjddU",
+        x: "0Wox7QtyPqByg35MH_XyCcnd5Le-Jm0AXHlUgDBA03Y",
+        y: "eEhVvg1JPqNd3DTSa4mGDGBlwY6NP-EZbLbNFXSXwIg",
       },
     },
-    type: "PersonIdentificationData",
-    verified_claims: {
-      verification: {
-        _sd: ["JzYjH4svliH0R3PyEMfeZu6Jt69u5qehZo7F7EPYlSE"],
-        trust_framework: "eidas",
-        assurance_level: "high",
-      },
-      claims: {
-        _sd: [
-          "09vKrJMOlyTWM0sjpu_pdOBVBQ2M1y3KhpH515nXkpY",
-          "2rsjGbaC0ky8mT0pJrPioWTq0_daw1sX76poUlgCwbI",
-          "EkO8dhW0dHEJbvUHlE_VCeuC9uRELOieLZhh7XbUTtA",
-          "IlDzIKeiZdDwpqpK6ZfbyphFvz5FgnWa-sN6wqQXCiw",
-          "PorFbpKuVu6xymJagvkFsFXAbRoc2JGlAUA2BA4o7cI",
-          "TGf4oLbgwd5JQaHyKVQZU9UdGE0w5rtDsrZzfUaomLo",
-          "jdrTE8YcbY4EifugihiAe_BPekxJQZICeiUQwY9QqxI",
-          "jsu9yVulwQQlhFlM_3JlzMaSFzglhQG0DpfayQwLUK4",
-        ],
+    exp: 1751546576,
+    status: {
+      status_attestation: {
+        credential_hash_alg: "sha-256",
       },
     },
-    _sd_alg: "sha-256",
   },
 };
 
 // In the very same order than tokenizedDisclosures
 const disclosures = [
-  ["2GLC42sKQveCfGfryNRN9w", "given_name", "John"],
-  ["eluV5Og3gSNII8EYnsxA_A", "family_name", "Doe"],
-  ["6Ij7tM-a5iVPGboS5tmvVA", "email", "johndoe@example.com"],
-  ["eI8ZWm9QnKPpNPeNenHdhQ", "phone_number", "+1-202-555-0101"],
-  ["AJx-095VPrpTtN4QMOqROA", "birthdate", "1940-01-01"],
-  ["Pc33JM2LchcU_lHggv_ufQ", "is_over_18", true],
-  ["G02NSrQfjFXQ7Io09syajA", "is_over_21", true],
-  ["lklxF5jMYlGTPUovMNIvCA", "is_over_65", true],
-  [
-    "Qg_O64zqAxe412a108iroA",
-    "address",
-    {
-      street_address: "123 Main St",
-      locality: "Anytown",
-      region: "Anystate",
-      country: "US",
-    },
-  ],
+  ["kJDEP8EaNTEMBDOZzZzT4w", "unique_id", "TINIT-LVLDAA85T50G702B"],
+  ["zIAyUFvPfIpE1zBqxI5haQ", "birth_date", "1985-12-10"],
+  ["Gr3R3s290OkQUm-NFTu96A", "tax_id_code", "TINIT-LVLDAA85T50G702B"],
+  ["GxORalMAelfZ0edFJjjYUw", "given_name", "Ada"],
+  ["_vV5RIkl0IOEXKots9kt1w", "family_name", "Lovelace"],
+  ["Cj5tccR72Jwrze2TW4a-wg", "iat", 1720010575],
 ];
 it("Ensures example data correctness", () => {
   expect(
@@ -161,8 +132,8 @@ describe("disclose", () => {
   it("should encode a valid sdjwt (one claim)", async () => {
     const result = await disclose(token, ["given_name"]);
     const expected = {
-      token: `${signed}~WyIyR0xDNDJzS1F2ZUNmR2ZyeU5STjl3IiwgImdpdmVuX25hbWUiLCAiSm9obiJd`,
-      paths: [{ claim: "given_name", path: "verified_claims.claims._sd[7]" }],
+      token: `${signed}~WyJHeE9SYWxNQWVsZlowZWRGSmpqWVV3IiwiZ2l2ZW5fbmFtZSIsIkFkYSJd`,
+      paths: [{ claim: "given_name", path: "verified_claims.claims._sd[3]" }],
     };
 
     expect(result).toEqual(expected);
@@ -176,17 +147,17 @@ describe("disclose", () => {
   });
 
   it("should encode a valid sdjwt (multiple claims)", async () => {
-    const result = await disclose(token, ["given_name", "email"]);
+    const result = await disclose(token, ["iat", "family_name"]);
     const expected = {
-      token: `${signed}~WyIyR0xDNDJzS1F2ZUNmR2ZyeU5STjl3IiwgImdpdmVuX25hbWUiLCAiSm9obiJd~WyI2SWo3dE0tYTVpVlBHYm9TNXRtdlZBIiwgImVtYWlsIiwgImpvaG5kb2VAZXhhbXBsZS5jb20iXQ`,
+      token: `${signed}~WyJfdlY1UklrbDBJT0VYS290czlrdDF3IiwiZmFtaWx5X25hbWUiLCJMb3ZlbGFjZSJd~WyJDajV0Y2NSNzJKd3J6ZTJUVzRhLXdnIiwiaWF0IiwxNzIwMDEwNTc1XQ`,
       paths: [
         {
-          claim: "given_name",
-          path: "verified_claims.claims._sd[7]",
+          claim: "iat",
+          path: "verified_claims.claims._sd[4]",
         },
         {
-          claim: "email",
-          path: "verified_claims.verification._sd[0]",
+          claim: "family_name",
+          path: "verified_claims.claims._sd[0]",
         },
       ],
     };

package/src/sd-jwt/__test__/types.test.ts

@@ -8,47 +8,35 @@ describe("SdJwt4VC", () => {
         typ: "vc+sd-jwt",
         alg: "RS512",
         kid: "dB67gL7ck3TFiIAf7N6_7SHvqk0MDYMEQcoGGlkUAAw",
-        trust_chain: [
-          "NEhRdERpYnlHY3M5WldWTWZ2aUhm ...",
-          "eyJhbGciOiJSUzI1NiIsImtpZCI6 ...",
-          "IkJYdmZybG5oQU11SFIwN2FqVW1B ...",
-        ],
       },
       payload: {
-        iss: "https://pidprovider.example.org",
-        sub: "NzbLsXh8uDCcd7noWXFZAfHkxZsRGC9Xs...",
-        jti: "urn:uuid:6c5c0a49-b589-431d-bae7-219122a9ec2c",
-        iat: 1541493724,
-        exp: 1541493724,
-        status: "https://pidprovider.example.org/status",
+        _sd: [
+          "0q1D5Jmav6pQaEh_J_Fcv_uNNMQIgCyhQOxqlY4l3qU",
+          "KCJ-AVNv88d-xj6sUIAOJxFnbUh3rHXDKkIH1lFqbRs",
+          "M9lo9YxDNIXrAq2qWeiCA40zpJ_zYfFdR_4AEALcRtU",
+          "czgjUk0nqRCswShChCjdS6A1-v47d_qTCSFIvIHhMoI",
+          "nGnQr7clm3tfTp8yjL_uHrDSOtzR2PVb8S7GeLdAqBQ",
+          "xNIVwlpSsaZ8CJSf0gz5x_75VRWWc6V1mlpejdCrqUs",
+        ],
+        sub: "216f8946-9ecb-4819-9309-c076f34a7e11",
+        _sd_alg: "sha-256",
+        vct: "PersonIdentificationData",
+        iss: "https://pidprovider.example.com",
         cnf: {
           jwk: {
-            kty: "RSA",
-            use: "sig",
-            n: "1Ta-sE …",
-            e: "AQAB",
-            kid: "YhNFS3YnC9tjiCaivhWLVUJ3AxwGGz_98uRFaqMEEs",
+            kty: "EC",
+            crv: "P-256",
+            kid: "zEv_qGSL5r0_F67j2dwEgUJmBgbMNSEJ5K_iH1PYc7A",
+            x: "0Pj7v_afNp9ETJx11JbYgkI7yQpd0rtiYuo5feuAN2o",
+            y: "XB62Um02vHqedkOzSfJ5hdtjPz-zmV9jmWh4sKgdD9o",
           },
         },
-        type: "PersonIdentificationData",
-        verified_claims: {
-          verification: {
-            _sd: ["OGm7ryXgt5Xzlevp-Hu-UTk0a-TxAaPAobqv1pIWMfw"],
-            trust_framework: "eidas",
-            assurance_level: "high",
-          },
-          claims: {
-            _sd: [
-              "8JjozBfovMNvQ3HflmPWy4O19Gpxs61FWHjZebU589E",
-              "BoMGktW1rbikntw8Fzx_BeL4YbAndr6AHsdgpatFCig",
-              "CFLGzentGNRFngnLVVQVcoAFi05r6RJUX-rdbLdEfew",
-              "JU_sTaHCngS32X-0ajHrd1-HCLCkpT5YqgcfQme168w",
-              "VQI-S1mT1Kxfq2o8J9io7xMMX2MIxaG9M9PeJVqrMcA",
-              "zVdghcmClMVWlUgGsGpSkCPkEHZ4u9oWj1SlIBlCc1o",
-            ],
+        exp: 1751107255,
+        status: {
+          status_attestation: {
+            credential_hash_alg: "sha-256",
           },
         },
-        _sd_alg: "sha-256",
       },
     };
 

package/src/sd-jwt/index.ts

@@ -101,15 +101,9 @@ export const disclose = async (
 
       // _sd is defined in verified_claims.claims and verified_claims.verification
       // we must look into both
-      if (sdJwt.payload.verified_claims.claims._sd.includes(hash)) {
-        const index = sdJwt.payload.verified_claims.claims._sd.indexOf(hash);
+      if (sdJwt.payload._sd.includes(hash)) {
+        const index = sdJwt.payload._sd.indexOf(hash);
         return { claim, path: `verified_claims.claims._sd[${index}]` };
-      } else if (
-        sdJwt.payload.verified_claims.verification._sd.includes(hash)
-      ) {
-        const index =
-          sdJwt.payload.verified_claims.verification._sd.indexOf(hash);
-        return { claim, path: `verified_claims.verification._sd[${index}]` };
       }
 
       throw new ClaimsNotFoundInToken(claim);
@@ -158,10 +152,7 @@ export const verify = async <S extends z.ZodType<SdJwt4VC>>(
   await verifyJwt(rawSdJwt, publicKey);
 
   //Check disclosures in sd-jwt
-  const claims = [
-    ...decoded.sdJwt.payload.verified_claims.verification._sd,
-    ...decoded.sdJwt.payload.verified_claims.claims._sd,
-  ];
+  const claims = [...decoded.sdJwt.payload._sd];
 
   await Promise.all(
     decoded.disclosures.map(

package/src/sd-jwt/types.ts

@@ -39,29 +39,24 @@ export const SdJwt4VC = z.object({
     typ: z.literal("vc+sd-jwt"),
     alg: z.string(),
     kid: z.string().optional(),
-    trust_chain: z.array(z.string()),
   }),
-  payload: z.object({
-    iss: z.string(),
-    sub: z.string(),
-    jti: z.string(),
-    iat: UnixTime,
-    exp: UnixTime,
-    status: z.string(),
-    cnf: z.object({
-      jwk: JWK,
-    }),
-    type: z.string(),
-    verified_claims: z.object({
-      verification: z.intersection(
-        z.object({
-          trust_framework: z.literal("eidas"),
-          assurance_level: z.string(),
+  payload: z.intersection(
+    z.object({
+      iss: z.string(),
+      sub: z.string(),
+      iat: UnixTime.optional(),
+      exp: UnixTime,
+      _sd_alg: z.literal("sha-256"),
+      status: z.object({
+        status_attestation: z.object({
+          credential_hash_alg: z.literal("sha-256"),
         }),
-        ObfuscatedDisclosures
-      ),
-      claims: ObfuscatedDisclosures,
+      }),
+      cnf: z.object({
+        jwk: JWK,
+      }),
+      vct: z.string(),
     }),
-    _sd_alg: z.literal("sha-256"),
-  }),
+    ObfuscatedDisclosures
+  ),
 });

package/src/trust/types.ts

@@ -18,38 +18,48 @@ const RelyingPartyMetadata = z.object({
 // instruct the Wallet Solution on how to render the credential correctly
 type CredentialDisplayMetadata = z.infer<typeof CredentialDisplayMetadata>;
 const CredentialDisplayMetadata = z.object({
+  name: z.string(),
+  locale: z.string(),
+  logo: z
+    .object({
+      url: z.string(),
+      alt_text: z.string(),
+    })
+    .optional(), // TODO [SIW-1268]: should not be optional
+  background_color: z.string().optional(), // TODO [SIW-1268]: should not be optional
+  text_color: z.string().optional(), // TODO [SIW-1268]: should not be optional
+});
+
+// Metadata for displaying issuer information
+type CredentialIssuerDisplayMetadata = z.infer<
+  typeof CredentialIssuerDisplayMetadata
+>;
+const CredentialIssuerDisplayMetadata = z.object({
   name: z.string(),
   locale: z.string(),
   logo: z.object({
     url: z.string(),
     alt_text: z.string(),
   }),
-  background_color: z.string(),
-  text_color: z.string(),
 });
 
-type CredentialDefinitionMetadata = z.infer<
-  typeof CredentialDefinitionMetadata
->;
-const CredentialDefinitionMetadata = z.object({
-  type: z.array(z.string()),
-  credentialSubject: z.record(
-    z.object({
-      mandatory: z.boolean(),
-      display: z.array(z.object({ name: z.string(), locale: z.string() })),
-    })
-  ),
-});
+type ClaimsMetadata = z.infer<typeof ClaimsMetadata>;
+const ClaimsMetadata = z.record(
+  z.object({
+    value_type: z.string(),
+    display: z.array(z.object({ name: z.string(), locale: z.string() })),
+  })
+);
 
 // Metadata for a credentia which i supported by a Issuer
 type SupportedCredentialMetadata = z.infer<typeof SupportedCredentialMetadata>;
 const SupportedCredentialMetadata = z.object({
-  id: z.string(),
   format: z.union([z.literal("vc+sd-jwt"), z.literal("vc+mdoc-cbor")]),
-  cryptographic_binding_methods_supported: z.array(z.string()),
-  cryptographic_suites_supported: z.array(z.string()),
+  scope: z.string(),
   display: z.array(CredentialDisplayMetadata),
-  credential_definition: CredentialDefinitionMetadata,
+  claims: ClaimsMetadata,
+  cryptographic_binding_methods_supported: z.array(z.string()),
+  credential_signing_alg_values_supported: z.array(z.string()),
 });
 
 export type EntityStatement = z.infer<typeof EntityStatement>;
@@ -101,19 +111,19 @@ const BaseEntityConfiguration = z.object({
   header: EntityConfigurationHeader,
   payload: z
     .object({
-      exp: UnixTime,
-      iat: UnixTime,
       iss: z.string(),
       sub: z.string(),
-      jwks: z.object({
-        keys: z.array(JWK),
-      }),
+      iat: UnixTime,
+      exp: UnixTime,
+      authority_hints: z.array(z.string()).optional(),
       metadata: z
         .object({
           federation_entity: FederationEntityMetadata,
         })
         .passthrough(),
-      authority_hints: z.array(z.string()).optional(),
+      jwks: z.object({
+        keys: z.array(JWK),
+      }),
     })
     .passthrough(),
 });
@@ -135,18 +145,42 @@ export const CredentialIssuerEntityConfiguration = BaseEntityConfiguration.and(
       metadata: z.object({
         openid_credential_issuer: z.object({
           credential_issuer: z.string(),
+          credential_endpoint: z.string(),
+          revocation_endpoint: z.string(),
+          status_attestation_endpoint: z.string(),
+          display: z.array(CredentialIssuerDisplayMetadata),
+          credential_configurations_supported: z.record(
+            SupportedCredentialMetadata
+          ),
+          jwks: z.object({ keys: z.array(JWK) }),
+        }),
+        oauth_authorization_server: z.object({
           authorization_endpoint: z.string(),
-          token_endpoint: z.string(),
           pushed_authorization_request_endpoint: z.string(),
-          dpop_signing_alg_values_supported: z.array(z.string()),
-          credential_endpoint: z.string(),
-          credentials_supported: z.array(SupportedCredentialMetadata),
+          dpop_signing_alg_values_supported: z.array(z.string()).optional(), // TODO [SIW-1268]: should not be optional
+          token_endpoint: z.string(),
+          introspection_endpoint: z.string().optional(), // TODO [SIW-1268]: should not be optional
+          client_registration_types_supported: z.array(z.string()),
+          code_challenge_methods_supported: z.array(z.string()),
+          authorization_details_types_supported: z.array(z.string()).optional(), // TODO [SIW-1268]: should not be optional,
+          acr_values_supported: z.array(z.string()),
+          grant_types_supported: z.array(z.string()),
+          issuer: z.string(),
           jwks: z.object({ keys: z.array(JWK) }),
+          scopes_supported: z.array(z.string()),
+          request_parameter_supported: z.boolean().optional(), // TODO [SIW-1268]: should not be optional
+          request_uri_parameter_supported: z.boolean().optional(), // TODO [SIW-1268]: should not be optional
+          response_types_supported: z.array(z.string()).optional(), // TODO [SIW-1268]: should not be optional
+          response_modes_supported: z.array(z.string()),
+          subject_types_supported: z.array(z.string()).optional(), // TODO [SIW-1268]: should not be optional
+          token_endpoint_auth_methods_supported: z.array(z.string()),
+          token_endpoint_auth_signing_alg_values_supported: z.array(z.string()),
+          request_object_signing_alg_values_supported: z.array(z.string()),
         }),
         /** Credential Issuers act as Relying Party
             when they require the presentation of other credentials.
             This does not apply for PID issuance, which requires CIE authz. */
-        wallet_relying_party: RelyingPartyMetadata.optional(),
+        openid_relying_party: RelyingPartyMetadata.optional(),
       }),
     }),
   })
@@ -177,9 +211,7 @@ export const WalletProviderEntityConfiguration = BaseEntityConfiguration.and(
         wallet_provider: z
           .object({
             token_endpoint: z.string(),
-            attested_security_context_values_supported: z
-              .array(z.string())
-              .optional(),
+            aal_values_supported: z.array(z.string()).optional(),
             grant_types_supported: z.array(z.string()),
             token_endpoint_auth_methods_supported: z.array(z.string()),
             token_endpoint_auth_signing_alg_values_supported: z.array(

package/src/utils/auth.ts

@@ -0,0 +1,37 @@
+import * as z from "zod";
+
+/**
+ * Context for authorization during the {@link 03-start-user-authorization.ts} phase.
+ * It consists of a single method to identify the user which takes a URL and a redirect schema as input.
+ * Once the authorization is completed and the URL calls the redirect schema, the method should return the redirect URL.
+ */
+export interface AuthorizationContext {
+  authorize: (url: string, redirectSchema: string) => Promise<string>;
+}
+
+/**
+ * The result of the identification process.
+ */
+export const AuthorizationResultShape = z.object({
+  code: z.string(),
+  state: z.string(),
+  iss: z.string().optional(),
+});
+
+/**
+ * The error of the identification process.
+ * It follows the OAuth/OIDC error response format.
+ * @see https://openid.net/specs/openid-connect-core-1_0.html#AuthError
+ * @see https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2.1
+ */
+export const AuthorizationErrorShape = z.object({
+  error: z.string(), // not enforcing the error code format
+  error_description: z.string().optional(),
+  error_uri: z.string().optional(),
+  state: z.string().optional(),
+});
+
+/**
+ * Type of the identification result.
+ */
+export type AuthorizationResult = z.infer<typeof AuthorizationResultShape>;

package/src/utils/errors.ts

@@ -251,13 +251,97 @@ export class WalletProviderResponseError extends IoWalletError {
   /** Reason code for the validation failure. */
   reason: string;
 
+  /** HTTP status code */
+  statusCode: number;
+
   constructor(
     message: string,
     claim: string = "unspecified",
-    reason: string = "unspecified"
+    reason: string = "unspecified",
+    statusCode: number
   ) {
+    super(
+      serializeAttrs({
+        message,
+        claim,
+        reason,
+        statusCode: statusCode.toString(),
+      })
+    );
+    this.claim = claim;
+    this.reason = reason;
+    this.statusCode = statusCode;
+  }
+}
+
+export class WalletInstanceRevokedError extends IoWalletError {
+  static get code(): "ERR_IO_WALLET_INSTANCE_REVOKED" {
+    return "ERR_IO_WALLET_INSTANCE_REVOKED";
+  }
+
+  code = "ERR_IO_WALLET_INSTANCE_REVOKED";
+
+  claim: string;
+  reason: string;
+
+  constructor(message: string, claim: string, reason: string = "unspecified") {
     super(serializeAttrs({ message, claim, reason }));
+    this.reason = reason;
     this.claim = claim;
+  }
+}
+
+export class WalletInstanceNotFoundError extends IoWalletError {
+  static get code(): "ERR_IO_WALLET_INSTANCE_NOT_FOUND" {
+    return "ERR_IO_WALLET_INSTANCE_NOT_FOUND";
+  }
+
+  code = "ERR_IO_WALLET_INSTANCE_NOT_FOUND";
+
+  claim: string;
+  reason: string;
+
+  constructor(message: string, claim: string, reason: string = "unspecified") {
+    super(serializeAttrs({ message, claim, reason }));
     this.reason = reason;
+    this.claim = claim;
+  }
+}
+
+/**
+ * An error subclass thrown when an error occurs during the authorization process.
+ */
+export class AuthorizationError extends IoWalletError {
+  static get code(): "ERR_IO_WALLET_AUTHORIZATION_ERROR" {
+    return "ERR_IO_WALLET_AUTHORIZATION_ERROR";
+  }
+
+  code = "ERR_IO_WALLET_AUTHORIZATION_ERROR";
+
+  constructor(message?: string) {
+    super(message);
+  }
+}
+
+/**
+ * An error subclass thrown when an error occurs during the authorization process with the IDP.
+ * It contains the error and error description returned by the IDP.
+ */
+export class AuthorizationIdpError extends IoWalletError {
+  static get code(): "ERR_IO_WALLET_IDENTIFICATION_RESPONSE_ERROR" {
+    return "ERR_IO_WALLET_IDENTIFICATION_RESPONSE_ERROR";
+  }
+
+  code = "ERR_IO_WALLET_IDENTIFICATION_RESPONSE_PARSING_FAILED";
+
+  error: string;
+  errorDescription?: string;
+
+  constructor(error: string, errorDescription?: string) {
+    super(
+      serializeAttrs(errorDescription ? { error, errorDescription } : { error })
+    );
+    this.error = error;
+    this.errorDescription = errorDescription;
   }
 }

package/src/utils/integrity.ts

@@ -1,7 +1,7 @@
 /**
  * Interface for the integrity context which provides the necessary functions to interact with the integrity service.
  * The functions are platform specific and must be implemented in the platform specific code.
- * getHardwareKeyTag: returns the hardware key tag.
+ * getHardwareKeyTag: returns the hardware key tag in a url safe format (e.g. base64url).
  * getAttestation: requests the attestation from the integrity service.
  * getHardwareSignatureWithAuthData: signs the clientData and returns the signature with the authenticator data.
  */