@pagopa/io-react-native-wallet 0.15.4 → 0.16.1

package/src/credential/issuance/06-obtain-credential.ts

@@ -12,16 +12,14 @@ import { CredentialResponse } from "./types";
 
 import { createDPopToken } from "../../utils/dpop";
 import uuid from "react-native-uuid";
-import { deleteKey } from "@pagopa/io-react-native-crypto";
-import { DPOP_KET_TAG } from "./const";
 
 export type ObtainCredential = (
   issuerConf: Out<EvaluateIssuerTrust>["issuerConf"],
   accessToken: Out<AuthorizeAccess>["accessToken"],
   clientId: Out<StartUserAuthorization>["clientId"],
   credentialDefinition: Out<StartUserAuthorization>["credentialDefinition"],
-  dPoPContext: CryptoContext,
   context: {
+    dPopCryptoContext: CryptoContext;
     credentialCryptoContext: CryptoContext;
     appFetch?: GlobalFetch["fetch"];
   }
@@ -61,6 +59,7 @@ export const createNonceProof = async (
  * @param credentialDefinition The credential definition of the credential to be obtained returned by {@link startUserAuthorization}
  * @param tokenRequestSignedDPop The DPoP signed token request returned by {@link authorizeAccess}
  * @param context.credentialCryptoContext The crypto context used to obtain the credential
+ * @param context.dPopCryptoContext The DPoP crypto context
  * @param context.appFetch (optional) fetch api implementation. Default: built-in fetch
  * @returns The credential response containing the credential
  */
@@ -69,10 +68,13 @@ export const obtainCredential: ObtainCredential = async (
   accessToken,
   clientId,
   credentialDefinition,
-  dPoPContext,
   context
 ) => {
-  const { credentialCryptoContext, appFetch = fetch } = context;
+  const {
+    credentialCryptoContext,
+    appFetch = fetch,
+    dPopCryptoContext,
+  } = context;
 
   const credentialUrl = issuerConf.openid_credential_issuer.credential_endpoint;
 
@@ -122,10 +124,8 @@ export const obtainCredential: ObtainCredential = async (
       jti: `${uuid.v4()}`,
       ath: await sha256ToBase64(accessToken.access_token),
     },
-    dPoPContext
+    dPopCryptoContext
   );
-
-  await deleteKey(DPOP_KET_TAG);
   const credentialRes = await appFetch(credentialUrl, {
     method: "POST",
     headers: {

package/src/credential/issuance/const.ts

@@ -2,8 +2,6 @@ import * as z from "zod";
 export const ASSERTION_TYPE =
   "urn:ietf:params:oauth:client-assertion-type:jwt-client-attestation";
 
-export const DPOP_KET_TAG = `dpop`;
-
 export type SupportedCredentialFormat = z.infer<
   typeof SupportedCredentialFormat
 >;

package/src/credential/status/01-start-flow.ts

@@ -0,0 +1,9 @@
+/**
+ * WARNING: This is the first function to be called in the status attestation flow. The next function to be called is {@link statusAttestation}.
+ * The beginning of the status attestation flow.
+ *
+ * @returns The url of the credential issuer to be used in the next function.
+ */
+export type StartFlow = () => {
+  issuerUrl: string;
+};

package/src/credential/status/02-status-attestation.ts

@@ -0,0 +1,104 @@
+import {
+  getCredentialHashWithouDiscloures,
+  hasStatus,
+  type Out,
+} from "../../utils/misc";
+import type { EvaluateIssuerTrust, ObtainCredential } from "../issuance";
+import { SignJWT, type CryptoContext } from "@pagopa/io-react-native-jwt";
+import uuid from "react-native-uuid";
+import { StatusAttestationResponse } from "./types";
+import {
+  StatusAttestationError,
+  StatusAttestationInvalid,
+  UnexpectedStatusCodeError,
+} from "../../utils/errors";
+
+export type StatusAttestation = (
+  issuerConf: Out<EvaluateIssuerTrust>["issuerConf"],
+  credential: Out<ObtainCredential>["credential"],
+  credentialCryptoContext: CryptoContext,
+  appFetch?: GlobalFetch["fetch"]
+) => Promise<{
+  statusAttestation: StatusAttestationResponse["status_attestation"];
+}>;
+
+/**
+ * WARNING: This function must be called after {@link startFlow}.
+ * Verify the status of the credential attestation.
+ * @param issuerConf - The issuer's configuration
+ * @param credential - The credential to be verified
+ * @param credentialCryptoContext - The credential's crypto context
+ * @param context.appFetch (optional) fetch api implementation. Default: built-in fetch
+ * @throws {@link StatusAttestationInvalid} if the status attestation is invalid and thus the credential is not valid
+ * @throws {@link StatusAttestationError} if an error occurs during the status attestation
+ * @returns The credential status attestation
+ */
+export const statusAttestation: StatusAttestation = async (
+  issuerConf,
+  credential,
+  credentialCryptoContext,
+  appFetch: GlobalFetch["fetch"] = fetch
+) => {
+  const jwk = await credentialCryptoContext.getPublicKey();
+  const credentialHash = await getCredentialHashWithouDiscloures(credential);
+  const statusAttUrl =
+    issuerConf.openid_credential_issuer.status_attestation_endpoint;
+  const credentialPop = await new SignJWT(credentialCryptoContext)
+    .setPayload({
+      aud: statusAttUrl,
+      jti: uuid.v4().toString(),
+      credential_hash: credentialHash,
+      credential_hash_alg: "S256",
+    })
+    .setProtectedHeader({
+      alg: "ES256",
+      typ: "status-attestation-request+jwt",
+      kid: jwk.kid,
+    })
+    .setIssuedAt()
+    .setExpirationTime("5m")
+    .sign();
+
+  const body = {
+    credential_pop: credentialPop,
+  };
+
+  const result = await appFetch(statusAttUrl, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json",
+    },
+    body: JSON.stringify(body),
+  })
+    .then(hasStatus(201))
+    .then((raw) => raw.json())
+    .then((json) => StatusAttestationResponse.parse(json))
+    .catch(handleStatusAttestationError);
+
+  return { statusAttestation: result.status_attestation };
+};
+
+/**
+ * Handle the status attestation error by mapping it to a custom exception.
+ * If the error is not an instance of {@link UnexpectedStatusCodeError}, it is thrown as is.
+ * @param e - The error to be handled
+ * @throws {@link StatusAttestationError} if the status code is different from 404
+ * @throws {@link StatusAttestationInvalid} if the status code is 404 (meaning the credential is invalid)
+ */
+const handleStatusAttestationError = (e: unknown) => {
+  if (!(e instanceof UnexpectedStatusCodeError)) {
+    throw e;
+  }
+
+  if (e.statusCode === 404) {
+    throw new StatusAttestationInvalid(
+      "Invalid status found for the given credential",
+      e.message
+    );
+  }
+
+  throw new StatusAttestationError(
+    `Unable to obtain the status attestation for the given credential [response status code: ${e.statusCode}]`,
+    e.message
+  );
+};

package/src/credential/status/03-verify-and-parse-status-attestation.ts

@@ -0,0 +1,60 @@
+import type { Out } from "../../utils/misc";
+import { IoWalletError } from "../../utils/errors";
+import { verify, type CryptoContext } from "@pagopa/io-react-native-jwt";
+import type { EvaluateIssuerTrust, StatusAttestation } from "../status";
+import { ParsedStatusAttestation } from "./types";
+import { decode as decodeJwt } from "@pagopa/io-react-native-jwt";
+
+export type VerifyAndParseStatusAttestation = (
+  issuerConf: Out<EvaluateIssuerTrust>["issuerConf"],
+  statusAttestation: Out<StatusAttestation>,
+  context: {
+    credentialCryptoContext: CryptoContext;
+  }
+) => Promise<{ parsedStatusAttestation: ParsedStatusAttestation }>;
+
+/**
+ * Given a status attestation, verifies that:
+ * - It's in the supported format;
+ * - The attestation is correctly signed;
+ * - It's bound to the given key.
+ * @param issuerConf The Issuer configuration returned by {@link evaluateIssuerTrust}
+ * @param statusAttestation The encoded status attestation returned by {@link statusAttestation}
+ * @param context.credentialCryptoContext The crypto context used to obtain the credential in {@link obtainCredential}
+ * @returns A parsed status attestation
+ * @throws {IoWalletError} If the credential signature is not verified with the Issuer key set
+ * @throws {IoWalletError} If the credential is not bound to the provided user key
+ * @throws {IoWalletError} If the credential data fail to parse
+ */
+export const verifyAndParseStatusAttestation: VerifyAndParseStatusAttestation =
+  async (issuerConf, rawStatusAttestation, context) => {
+    try {
+      const { statusAttestation } = rawStatusAttestation;
+      const { credentialCryptoContext } = context;
+
+      await verify(
+        statusAttestation,
+        issuerConf.openid_credential_issuer.jwks.keys
+      );
+
+      const decodedJwt = decodeJwt(statusAttestation);
+      const parsedStatusAttestation = ParsedStatusAttestation.parse({
+        header: decodedJwt.protectedHeader,
+        payload: decodedJwt.payload,
+      });
+
+      const holderBindingKey = await credentialCryptoContext.getPublicKey();
+      const { cnf } = parsedStatusAttestation.payload;
+      if (!cnf.jwk.kid || cnf.jwk.kid !== holderBindingKey.kid) {
+        throw new IoWalletError(
+          `Failed to verify holder binding for status attestation, expected kid: ${holderBindingKey.kid}, got: ${parsedStatusAttestation.payload.cnf.jwk.kid}`
+        );
+      }
+
+      return { parsedStatusAttestation };
+    } catch (e) {
+      throw new IoWalletError(
+        `Failed to verify status attestation: ${JSON.stringify(e)}`
+      );
+    }
+  };

package/src/credential/status/index.ts

@@ -0,0 +1,22 @@
+import { type StartFlow } from "./01-start-flow";
+import {
+  statusAttestation,
+  type StatusAttestation,
+} from "./02-status-attestation";
+import { evaluateIssuerTrust, type EvaluateIssuerTrust } from "../issuance";
+import {
+  verifyAndParseStatusAttestation,
+  type VerifyAndParseStatusAttestation,
+} from "./03-verify-and-parse-status-attestation";
+
+export {
+  evaluateIssuerTrust,
+  statusAttestation,
+  verifyAndParseStatusAttestation,
+};
+export type {
+  StartFlow,
+  EvaluateIssuerTrust,
+  StatusAttestation,
+  VerifyAndParseStatusAttestation,
+};

package/src/credential/status/types.ts

@@ -0,0 +1,43 @@
+import { UnixTime } from "../../sd-jwt/types";
+import { JWK } from "../../utils/jwk";
+import * as z from "zod";
+
+/**
+ * Shape from parsing a status attestation response in case of 201.
+ */
+export const StatusAttestationResponse = z.object({
+  status_attestation: z.string(),
+});
+
+/**
+ * Type from parsing a status attestation response in case of 201.
+ * Inferred from {@link StatusAttestationResponse}.
+ */
+export type StatusAttestationResponse = z.infer<
+  typeof StatusAttestationResponse
+>;
+
+/**
+ * Type for a parsed status attestation.
+ */
+export type ParsedStatusAttestation = z.infer<typeof ParsedStatusAttestation>;
+
+/**
+ * Shape for parsing a status attestation in a JWT.
+ */
+export const ParsedStatusAttestation = z.object({
+  header: z.object({
+    typ: z.literal("status-attestation+jwt"),
+    alg: z.string(),
+    kid: z.string().optional(),
+  }),
+  payload: z.object({
+    credential_hash_alg: z.string(),
+    credential_hash: z.string(),
+    cnf: z.object({
+      jwk: JWK,
+    }),
+    exp: UnixTime,
+    iat: UnixTime,
+  }),
+});

package/src/utils/errors.ts

@@ -8,7 +8,9 @@
  * @param attrs A key value record set
  * @returns a human-readable serialization of the set
  */
-const serializeAttrs = (attrs: Record<string, string | string>): string =>
+export const serializeAttrs = (
+  attrs: Record<string, string | string>
+): string =>
   Object.entries(attrs)
     .map(([k, v]) => [k, Array.isArray(v) ? `(${v.join(", ")})` : v])
     .map((_) => _.join("="))
@@ -41,6 +43,30 @@ export class IoWalletError extends Error {
     Error.captureStackTrace?.(this, this.constructor);
   }
 }
+
+/**
+ * An error subclass thrown when a Wallet Provider http request has a status code different from the one expected.
+ */
+export class UnexpectedStatusCodeError extends IoWalletError {
+  static get code(): "ERR_UNEXPECTED_STATUS_CODE" {
+    return "ERR_UNEXPECTED_STATUS_CODE";
+  }
+
+  code = "ERR_UNEXPECTED_STATUS_CODE";
+
+  /** HTTP status code */
+  statusCode: number;
+
+  constructor(message: string, statusCode: number) {
+    super(
+      serializeAttrs({
+        message,
+        statusCode: statusCode.toString(),
+      })
+    );
+    this.statusCode = statusCode;
+  }
+}
 /**
  * An error subclass thrown when validation fail
  *
@@ -345,3 +371,58 @@ export class AuthorizationIdpError extends IoWalletError {
     this.errorDescription = errorDescription;
   }
 }
+
+/**
+ * Error subclass thrown when an operation has been aborted.
+ */
+export class OperationAbortedError extends IoWalletError {
+  static get code(): "ERR_IO_WALLET_OPERATION_ABORTED" {
+    return "ERR_IO_WALLET_OPERATION_ABORTED";
+  }
+
+  code = "ERR_IO_WALLET_OPERATION_ABORTED";
+
+  /** The aborted operation */
+  operation: string;
+
+  constructor(operation: string) {
+    super(serializeAttrs({ operation }));
+    this.operation = operation;
+  }
+}
+
+/**
+ * Error subclass thrown when the status attestation for a credential is invalid.
+ */
+export class StatusAttestationInvalid extends IoWalletError {
+  static get code(): "ERR_STATUS_ATTESTATION_INVALID" {
+    return "ERR_STATUS_ATTESTATION_INVALID";
+  }
+
+  code = "ERR_STATUS_ATTESTATION_INVALID";
+
+  reason: string;
+
+  constructor(message: string, reason: string = "unspecified") {
+    super(serializeAttrs({ message, reason }));
+    this.reason = reason;
+  }
+}
+
+/**
+ * Error subclass thrown when an error occurs while obtaining a status attestation for a credential.
+ */
+export class StatusAttestationError extends IoWalletError {
+  static get code(): "ERR_STATUS_ATTESTATION_ERROR" {
+    return "ERR_STATUS_ATTESTATION_ERROR";
+  }
+
+  code = "ERR_STATUS_ATTESTATION_ERROR";
+
+  reason: string;
+
+  constructor(message: string, reason: string = "unspecified") {
+    super(serializeAttrs({ message, reason }));
+    this.reason = reason;
+  }
+}

package/src/utils/misc.ts

@@ -1,18 +1,21 @@
-import { IoWalletError } from "./errors";
+import { IoWalletError, UnexpectedStatusCodeError } from "./errors";
+import { sha256 } from "js-sha256";
 
 /**
  * Check if a response is in the expected status, other
- * @param status The expected status
+ * @param status - The expected status
+ * @throws {@link UnexpectedStatusCodeError} if the status is different from the one expected
  * @returns The given response object
  */
 export const hasStatus =
   (status: number) =>
   async (res: Response): Promise<Response> => {
     if (res.status !== status) {
-      throw new IoWalletError(
+      throw new UnexpectedStatusCodeError(
         `Http request failed. Expected ${status}, got ${res.status}, url: ${
           res.url
-        } with response: ${await res.text()}`
+        } with response: ${await res.text()}`,
+        res.status
       );
     }
     return res;
@@ -68,3 +71,41 @@ export const until = (
 
     poll();
   });
+
+/**
+ * Get the hash of a credential without discloures.
+ * A credential is a string like `header.body.sign~sd1~sd2....` where `~` is the separator between the credential and the discloures.
+ * @param credential - The credential to hash
+ * @returns The hash of the credential without discloures
+ */
+export const getCredentialHashWithouDiscloures = async (
+  credential: string
+): Promise<string> => {
+  const tildeIndex = credential.indexOf("~");
+  if (tildeIndex === -1) {
+    throw new IoWalletError("Invalid credential format");
+  }
+  return sha256(credential.slice(0, tildeIndex));
+};
+
+/**
+ * Creates a promise that waits until the provided signal is aborted.
+ * @returns {Object} An object with `listen` and `remove` methods to handle subscribing and unsubscribing.
+ */
+export const createAbortPromiseFromSignal = (signal: AbortSignal) => {
+  let listener: () => void;
+  return {
+    listen: () =>
+      new Promise<"OPERATION_ABORTED">((resolve) => {
+        if (signal.aborted) {
+          return resolve("OPERATION_ABORTED");
+        }
+        listener = () => resolve("OPERATION_ABORTED");
+        signal.addEventListener("abort", listener);
+      }),
+    remove: () => signal.removeEventListener("abort", listener),
+  };
+};
+
+export const isDefined = <T>(x: T | undefined | null | ""): x is T =>
+  Boolean(x);

package/src/utils/par.ts

@@ -25,10 +25,10 @@ export const AuthorizationDetails = z.array(AuthorizationDetail);
 export const makeParRequest =
   ({
     wiaCryptoContext,
-    appFetch = fetch,
+    appFetch,
   }: {
     wiaCryptoContext: CryptoContext;
-    appFetch?: GlobalFetch["fetch"];
+    appFetch: GlobalFetch["fetch"];
   }) =>
   async (
     clientId: string,