@pagopa/io-react-native-wallet 0.12.0 → 0.13.0

package/src/utils/misc.ts

@@ -25,3 +25,46 @@ export type Out<FN> = FN extends (...args: any[]) => Promise<any>
   : FN extends (...args: any[]) => any
   ? ReturnType<FN>
   : never;
+
+/**
+ * TODO [SIW-1310]: replace this function with a cryptographically secure one.
+ * @param size - The size of the string to generate
+ * @returns A random alphanumeric string of the given size
+ */
+export const generateRandomAlphaNumericString = (size: number) =>
+  Array.from(Array(size), () =>
+    Math.floor(Math.random() * 36).toString(36)
+  ).join("");
+
+/**
+ * Repeatedly checks a condition function until it returns true,
+ * then resolves the returned promise. If the condition function does not return true
+ * within the specified timeout, the promise is rejected.
+ *
+ * @param conditionFunction - A function that returns a boolean value.
+ *                            The promise resolves when this function returns true.
+ * @param timeout - An optional timeout in seconds. The promise is rejected if the
+ *                  condition function does not return true within this time.
+ * @returns A promise that resolves once the conditionFunction returns true or rejects if timed out.
+ */
+export const until = (
+  conditionFunction: () => boolean,
+  timeoutSeconds?: number
+): Promise<void> =>
+  new Promise<void>((resolve, reject) => {
+    const start = Date.now();
+    const poll = () => {
+      if (conditionFunction()) {
+        resolve();
+      } else if (
+        timeoutSeconds !== undefined &&
+        Date.now() - start >= timeoutSeconds * 1000
+      ) {
+        reject(new Error("Timeout exceeded"));
+      } else {
+        setTimeout(poll, 400);
+      }
+    };
+
+    poll();
+  });

package/src/utils/par.ts

@@ -6,13 +6,12 @@ import {
 import uuid from "react-native-uuid";
 import * as z from "zod";
 import * as WalletInstanceAttestation from "../wallet-instance-attestation";
-import { hasStatus } from "./misc";
+import { generateRandomAlphaNumericString, hasStatus } from "./misc";
+import { createPopToken } from "./pop";
 
 export type AuthorizationDetail = z.infer<typeof AuthorizationDetail>;
 export const AuthorizationDetail = z.object({
-  credential_definition: z.object({
-    type: z.string(),
-  }),
+  credential_configuration_id: z.string(),
   format: z.union([z.literal("vc+sd-jwt"), z.literal("vc+mdoc-cbor")]),
   type: z.literal("openid_credential"),
 });
@@ -34,7 +33,8 @@ export const makeParRequest =
   async (
     clientId: string,
     codeVerifier: string,
-    walletProviderBaseUrl: string,
+    redirectUri: string,
+    responseMode: string,
     parEndpoint: string,
     walletInstanceAttestation: string,
     authorizationDetails: AuthorizationDetails,
@@ -48,10 +48,19 @@ export const makeParRequest =
     const iss = WalletInstanceAttestation.decode(walletInstanceAttestation)
       .payload.cnf.jwk.kid;
 
+    const signedWiaPoP = await createPopToken(
+      {
+        jti: `${uuid.v4()}`,
+        aud,
+        iss,
+      },
+      wiaCryptoContext
+    );
+
     /** A code challenge is provided so that the PAR is bound
         to the subsequent authorization code request
         @see https://datatracker.ietf.org/doc/html/rfc9126#name-request */
-    const codeChallengeMethod = "s256";
+    const codeChallengeMethod = "S256";
     const codeChallenge = await sha256ToBase64(codeVerifier);
 
     /** The PAR request token is signed used the Wallet Instance Attestation key.
@@ -60,23 +69,26 @@ export const makeParRequest =
         The key is matched by its kid */
     const signedJwtForPar = await new SignJWT(wiaCryptoContext)
       .setProtectedHeader({
+        typ: "jwk",
         kid: wiaPublicKey.kid,
       })
       .setPayload({
-        iss,
-        aud,
         jti: `${uuid.v4()}`,
-        client_assertion_type: assertionType,
-        authorization_details: authorizationDetails,
+        aud,
         response_type: "code",
-        redirect_uri: walletProviderBaseUrl,
-        state: `${uuid.v4()}`,
+        response_mode: responseMode,
         client_id: clientId,
-        code_challenge_method: codeChallengeMethod,
+        iss,
+        state: generateRandomAlphaNumericString(32),
         code_challenge: codeChallenge,
+        code_challenge_method: codeChallengeMethod,
+        authorization_details: authorizationDetails,
+        redirect_uri: redirectUri,
+        client_assertion_type: assertionType,
+        client_assertion: walletInstanceAttestation + "~" + signedWiaPoP,
       })
-      .setIssuedAt()
-      .setExpirationTime("1h")
+      .setIssuedAt() //iat is set to now
+      .setExpirationTime("5min")
       .sign();
 
     /** The request body for the Pushed Authorization Request */
@@ -85,9 +97,9 @@ export const makeParRequest =
       client_id: clientId,
       code_challenge: codeChallenge,
       code_challenge_method: "S256",
-      client_assertion_type: assertionType,
-      client_assertion: walletInstanceAttestation,
       request: signedJwtForPar,
+      client_assertion_type: assertionType,
+      client_assertion: walletInstanceAttestation + "~" + signedWiaPoP,
     });
 
     return await appFetch(parEndpoint, {

package/src/utils/pop.ts

@@ -0,0 +1,34 @@
+import * as z from "zod";
+
+import { SignJWT, type CryptoContext } from "@pagopa/io-react-native-jwt";
+
+/**
+ * Create a signed PoP token
+ *
+ * @param payload The payload to be included in the token.
+ * @param crypto The crypto context that handles the key bound to the DPoP.
+ *
+ * @returns The signed crypto token.
+ */
+export const createPopToken = async (
+  payload: PoPPayload,
+  crypto: CryptoContext
+): Promise<string> => {
+  const kid = await crypto.getPublicKey().then((_) => _.kid);
+  return new SignJWT(crypto)
+    .setPayload(payload)
+    .setProtectedHeader({
+      typ: "jwt-client-attestation-pop",
+      kid,
+    })
+    .setIssuedAt()
+    .setExpirationTime("5min")
+    .sign();
+};
+
+export type PoPPayload = z.infer<typeof PoPPayload>;
+export const PoPPayload = z.object({
+  jti: z.string(),
+  aud: z.string(),
+  iss: z.string(),
+});

package/src/wallet-instance-attestation/issuing.ts

@@ -1,9 +1,15 @@
 import { type CryptoContext } from "@pagopa/io-react-native-jwt";
 import { SignJWT, thumbprint } from "@pagopa/io-react-native-jwt";
+import { z } from "zod";
 import { JWK, fixBase64EncodingOnKey } from "../utils/jwk";
 import { getWalletProviderClient } from "../client";
 import type { IntegrityContext } from "..";
-import { z } from "zod";
+import {
+  WalletProviderResponseError,
+  WalletInstanceRevokedError,
+  WalletInstanceNotFoundError,
+  WalletInstanceAttestationIssuingError,
+} from "../utils/errors";
 
 /**
  * Getter for an attestation request. The attestation request is a JWT that will be sent to the Wallet Provider to request a Wallet Instance Attestation.
@@ -64,6 +70,8 @@ export async function getAttestationRequest(
  * @param params.appFetch (optional) Http client
  * @param walletProviderBaseUrl Base url for the Wallet Provider
  * @returns The retrieved Wallet Instance Attestation token
+ * @throws {WalletInstanceRevokedError} The Wallet Instance was revoked
+ * @throws {WalletInstanceNotFoundError} The Wallet Instance does not exist
  */
 export const getAttestation = async ({
   wiaCryptoContext,
@@ -100,7 +108,36 @@ export const getAttestation = async ({
         assertion: signedAttestationRequest,
       },
     })
-    .then((result) => z.string().parse(result));
+    .then((result) => z.string().parse(result))
+    .catch(handleAttestationCreationError);
 
   return wia;
 };
+
+const handleAttestationCreationError = (e: unknown) => {
+  if (!(e instanceof WalletProviderResponseError)) {
+    throw e;
+  }
+
+  if (e.statusCode === 403) {
+    throw new WalletInstanceRevokedError(
+      "Unable to get an attestation for a revoked Wallet Instance",
+      e.claim,
+      e.reason
+    );
+  }
+
+  if (e.statusCode === 404) {
+    throw new WalletInstanceNotFoundError(
+      "Unable to get an attestation for a Wallet Instance that does not exist",
+      e.claim,
+      e.reason
+    );
+  }
+
+  throw new WalletInstanceAttestationIssuingError(
+    `Unable to obtain wallet instance attestation [response status code: ${e.statusCode}]`,
+    e.claim,
+    e.reason
+  );
+};

package/src/wallet-instance-attestation/types.ts

@@ -60,16 +60,20 @@ export const WalletInstanceAttestationJwt = z.object({
     Jwt.shape.payload,
     z.object({
       sub: z.string(),
-      attested_security_context: z.string(),
+      aal: z.string(),
       authorization_endpoint: z.string(),
       response_types_supported: z.array(z.string()),
       vp_formats_supported: z.object({
-        jwt_vp_json: z.object({
-          alg_values_supported: z.array(z.string()),
-        }),
-        jwt_vc_json: z.object({
-          alg_values_supported: z.array(z.string()),
-        }),
+        "vc+sd-jwt": z
+          .object({
+            "sd-jwt_alg_values": z.array(z.string()),
+          })
+          .optional(),
+        "vp+sd-jwt": z
+          .object({
+            "sd-jwt_alg_values": z.array(z.string()),
+          })
+          .optional(),
       }),
       request_object_signing_alg_values_supported: z.array(z.string()),
       presentation_definition_uri_supported: z.boolean(),

package/lib/commonjs/credential/issuance/07-confirm-credential.js

@@ -1,6 +0,0 @@
-"use strict";
-
-Object.defineProperty(exports, "__esModule", {
-  value: true
-});
-//# sourceMappingURL=07-confirm-credential.js.map

package/lib/commonjs/credential/issuance/07-confirm-credential.js.map

@@ -1 +0,0 @@
-{"version":3,"names":[],"sourceRoot":"../../../../src","sources":["credential/issuance/07-confirm-credential.ts"],"mappings":""}

package/lib/commonjs/credential/issuance/08-confirm-credential.js

@@ -1,6 +0,0 @@
-"use strict";
-
-Object.defineProperty(exports, "__esModule", {
-  value: true
-});
-//# sourceMappingURL=08-confirm-credential.js.map

package/lib/commonjs/credential/issuance/08-confirm-credential.js.map

@@ -1 +0,0 @@
-{"version":3,"names":[],"sourceRoot":"../../../../src","sources":["credential/issuance/08-confirm-credential.ts"],"mappings":""}

package/lib/module/credential/issuance/07-confirm-credential.js

@@ -1,2 +0,0 @@
-export {};
-//# sourceMappingURL=07-confirm-credential.js.map

package/lib/module/credential/issuance/07-confirm-credential.js.map

@@ -1 +0,0 @@
-{"version":3,"names":[],"sourceRoot":"../../../../src","sources":["credential/issuance/07-confirm-credential.ts"],"mappings":""}

package/lib/module/credential/issuance/08-confirm-credential.js

@@ -1,2 +0,0 @@
-export {};
-//# sourceMappingURL=08-confirm-credential.js.map

package/lib/module/credential/issuance/08-confirm-credential.js.map

@@ -1 +0,0 @@
-{"version":3,"names":[],"sourceRoot":"../../../../src","sources":["credential/issuance/08-confirm-credential.ts"],"mappings":""}

package/lib/typescript/credential/issuance/07-confirm-credential.d.ts

@@ -1,11 +0,0 @@
-import type { ObtainCredential } from "./06-obtain-credential";
-import type { Out } from "../../utils/misc";
-/**
- * The end of the issuing flow.
- * The User accepted the Credential and it can be stored in the device according to the app implementation preferences.
- * To be implemented.
- *
- * @returns The type of the Credential to be issued and the url of the Issuer
- */
-export type ConfirmCredential = (credential: Out<ObtainCredential>["credential"], format: Out<ObtainCredential>["format"]) => Promise<void>;
-//# sourceMappingURL=07-confirm-credential.d.ts.map

package/lib/typescript/credential/issuance/07-confirm-credential.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"07-confirm-credential.d.ts","sourceRoot":"","sources":["../../../../src/credential/issuance/07-confirm-credential.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAC/D,OAAO,KAAK,EAAE,GAAG,EAAE,MAAM,kBAAkB,CAAC;AAE5C;;;;;;GAMG;AACH,MAAM,MAAM,iBAAiB,GAAG,CAC9B,UAAU,EAAE,GAAG,CAAC,gBAAgB,CAAC,CAAC,YAAY,CAAC,EAC/C,MAAM,EAAE,GAAG,CAAC,gBAAgB,CAAC,CAAC,QAAQ,CAAC,KACpC,OAAO,CAAC,IAAI,CAAC,CAAC"}

package/lib/typescript/credential/issuance/08-confirm-credential.d.ts

@@ -1,11 +0,0 @@
-import type { ObtainCredential } from "./06-obtain-credential";
-import type { Out } from "../../utils/misc";
-/**
- * The end of the issuing flow.
- * The User accepted the Credential and it can be stored in the device according to the app implementation preferences.
- * To be implemented.
- *
- * @returns The type of the Credential to be issued and the url of the Issuer
- */
-export type ConfirmCredential = (credential: Out<ObtainCredential>["credential"], format: Out<ObtainCredential>["format"]) => Promise<void>;
-//# sourceMappingURL=08-confirm-credential.d.ts.map

package/lib/typescript/credential/issuance/08-confirm-credential.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"08-confirm-credential.d.ts","sourceRoot":"","sources":["../../../../src/credential/issuance/08-confirm-credential.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAC/D,OAAO,KAAK,EAAE,GAAG,EAAE,MAAM,kBAAkB,CAAC;AAE5C;;;;;;GAMG;AACH,MAAM,MAAM,iBAAiB,GAAG,CAC9B,UAAU,EAAE,GAAG,CAAC,gBAAgB,CAAC,CAAC,YAAY,CAAC,EAC/C,MAAM,EAAE,GAAG,CAAC,gBAAgB,CAAC,CAAC,QAAQ,CAAC,KACpC,OAAO,CAAC,IAAI,CAAC,CAAC"}

package/src/credential/issuance/07-confirm-credential.ts

@@ -1,14 +0,0 @@
-import type { ObtainCredential } from "./06-obtain-credential";
-import type { Out } from "../../utils/misc";
-
-/**
- * The end of the issuing flow.
- * The User accepted the Credential and it can be stored in the device according to the app implementation preferences.
- * To be implemented.
- *
- * @returns The type of the Credential to be issued and the url of the Issuer
- */
-export type ConfirmCredential = (
-  credential: Out<ObtainCredential>["credential"],
-  format: Out<ObtainCredential>["format"]
-) => Promise<void>;

package/src/credential/issuance/08-confirm-credential.ts

@@ -1,14 +0,0 @@
-import type { ObtainCredential } from "./06-obtain-credential";
-import type { Out } from "../../utils/misc";
-
-/**
- * The end of the issuing flow.
- * The User accepted the Credential and it can be stored in the device according to the app implementation preferences.
- * To be implemented.
- *
- * @returns The type of the Credential to be issued and the url of the Issuer
- */
-export type ConfirmCredential = (
-  credential: Out<ObtainCredential>["credential"],
-  format: Out<ObtainCredential>["format"]
-) => Promise<void>;

package/src/sd-jwt/__test__/converters.test.js

@@ -1,24 +0,0 @@
-import { getValueFromDisclosures } from "../converters";
-const disclosures = [
-  ["6w1_soRXFgaHKfpYn3cvfQ", "given_name", "Mario"],
-  ["fuNp97Hf3wV6y48y-QZhIg", "birthdate", "1980-10-01"],
-  [
-    "p-9LzyWHZBVDvhXDWkN2xA",
-    "place_of_birth",
-    { country: "IT", locality: "Rome" },
-  ],
-];
-describe("getValueFromDisclosures", () => {
-  it("should return correct value for given_name", () => {
-    const success = getValueFromDisclosures(disclosures, "given_name");
-    expect(success).toBe("Mario");
-  });
-  it("should return correct value for place_of_birth", () => {
-    const success = getValueFromDisclosures(disclosures, "place_of_birth");
-    expect(success).toEqual({ country: "IT", locality: "Rome" });
-  });
-  it("should fail", () => {
-    const success = getValueFromDisclosures(disclosures, "given_surname");
-    expect(success).toBeUndefined();
-  });
-});

package/src/sd-jwt/verifier.js

@@ -1,12 +0,0 @@
-import { sha256ToBase64 } from "@pagopa/io-react-native-jwt";
-import { ValidationFailed } from "../utils/errors";
-export const verifyDisclosure = async ({ encoded, decoded }, claims) => {
-  let hash = await sha256ToBase64(encoded);
-  if (!claims.includes(hash)) {
-    throw new ValidationFailed(
-      "Validation of disclosure failed",
-      `${decoded}`,
-      "Disclosure hash not found in claims"
-    );
-  }
-};