@pagopa/io-react-native-wallet 0.17.1 → 0.18.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/lib/commonjs/credential/issuance/07-verify-and-parse-credential.js +11 -4
- package/lib/commonjs/credential/issuance/07-verify-and-parse-credential.js.map +1 -1
- package/lib/commonjs/credential/issuance/README.md +22 -4
- package/lib/module/credential/issuance/07-verify-and-parse-credential.js +11 -4
- package/lib/module/credential/issuance/07-verify-and-parse-credential.js.map +1 -1
- package/lib/module/credential/issuance/README.md +22 -4
- package/lib/typescript/credential/issuance/07-verify-and-parse-credential.d.ts +12 -2
- package/lib/typescript/credential/issuance/07-verify-and-parse-credential.d.ts.map +1 -1
- package/lib/typescript/pid/sd-jwt/types.d.ts +2 -2
- package/package.json +1 -1
- package/src/credential/issuance/07-verify-and-parse-credential.ts +33 -6
- package/src/credential/issuance/README.md +22 -4
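--- a/package/lib/commonjs/credential/issuance/07-verify-and-parse-credential.js
+++ b/package/lib/commonjs/credential/issuance/07-verify-and-parse-credential.js
@@ -7,6 +7,7 @@ exports.verifyAndParseCredential = void 0;
 var _errors = require("../../utils/errors");
 var _types = require("../../sd-jwt/types");
 var _sdJwt = require("../../sd-jwt");
+var _converters = require("../../sd-jwt/converters");
 // The credential as a collection of attributes in plain value
 
 // handy alias
@@ -133,12 +134,16 @@ async function verifyCredentialSdJwt(rawCredential, issuerKeys, holderBindingCon
 const verifyAndParseCredentialSdJwt = async (issuerConf, credential, _, _ref8) => {
   let {
     credentialCryptoContext,
-    ignoreMissingAttributes
+    ignoreMissingAttributes,
+    includeUndefinedAttributes
   } = _ref8;
   const decoded = await verifyCredentialSdJwt(credential, issuerConf.openid_credential_issuer.jwks.keys, credentialCryptoContext);
-  const parsedCredential = parseCredentialSdJwt(issuerConf.openid_credential_issuer.credential_configurations_supported, decoded, ignoreMissingAttributes);
+  const parsedCredential = parseCredentialSdJwt(issuerConf.openid_credential_issuer.credential_configurations_supported, decoded, ignoreMissingAttributes, includeUndefinedAttributes);
+  const maybeIssuedAt = (0, _converters.getValueFromDisclosures)(decoded.disclosures, "iat");
   return {
-    parsedCredential
+    parsedCredential,
+    expiration: new Date(decoded.sdJwt.payload.exp * 1000),
+    issuedAt: typeof maybeIssuedAt === "number" ? new Date(maybeIssuedAt * 1000) : undefined
   };
 };
 
@@ -148,7 +153,9 @@ const verifyAndParseCredentialSdJwt = async (issuerConf, credential, _, _ref8) =
  * @param credential The encoded credential returned by {@link obtainCredential}
  * @param format The format of the credentual returned by {@link obtainCredential}
  * @param context.credentialCryptoContext The crypto context used to obtain the credential in {@link obtainCredential}
- * @
+ * @param context.ignoreMissingAttributes Skip error when attributes declared in the issuer configuration are not found within disclosures
+ * @param context.includeUndefinedAttributes Include attributes not explicitly declared in the issuer configuration
+ * @returns A parsed credential with attributes in plain value, the expiration and issuance date of the credential
  * @throws {IoWalletError} If the credential signature is not verified with the Issuer key set
  * @throws {IoWalletError} If the credential is not bound to the provided user key
  * @throws {IoWalletError} If the credential data fail to parse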
@@ -1 +1 @@
|
|
1
|
-
{"version":3,"names":["_errors","require","_types","_sdJwt","parseCredentialSdJwt","credentials_supported","_ref","sdJwt","disclosures","ignoreMissingAttributes","arguments","length","undefined","includeUndefinedAttributes","credentialSubject","payload","vct","IoWalletError","format","header","typ","claims","attrDefinitions","Object","entries","attrsNotInDisclosures","filter","_ref2","attrKey","some","_ref3","name","missing","map","_","join","received","definedValues","fromEntries","_ref4","_disclosures$find","definition","value","find","_ref5","display","reduce","names","_ref6","locale","undefinedValues","keys","includes","_ref7","key","verifyCredentialSdJwt","rawCredential","issuerKeys","holderBindingContext","decodedCredential","holderBindingKey","Promise","all","verifySdJwt","SdJwt4VC","getPublicKey","cnf","jwk","kid","verifyAndParseCredentialSdJwt","issuerConf","credential","_ref8","credentialCryptoContext","decoded","openid_credential_issuer","jwks","parsedCredential","credential_configurations_supported","verifyAndParseCredential","context","exports"],"sourceRoot":"../../../../src","sources":["credential/issuance/07-verify-and-parse-credential.ts"],"mappings":";;;;;;
|
1
|
+
{"version":3,"names":["_errors","require","_types","_sdJwt","_converters","parseCredentialSdJwt","credentials_supported","_ref","sdJwt","disclosures","ignoreMissingAttributes","arguments","length","undefined","includeUndefinedAttributes","credentialSubject","payload","vct","IoWalletError","format","header","typ","claims","attrDefinitions","Object","entries","attrsNotInDisclosures","filter","_ref2","attrKey","some","_ref3","name","missing","map","_","join","received","definedValues","fromEntries","_ref4","_disclosures$find","definition","value","find","_ref5","display","reduce","names","_ref6","locale","undefinedValues","keys","includes","_ref7","key","verifyCredentialSdJwt","rawCredential","issuerKeys","holderBindingContext","decodedCredential","holderBindingKey","Promise","all","verifySdJwt","SdJwt4VC","getPublicKey","cnf","jwk","kid","verifyAndParseCredentialSdJwt","issuerConf","credential","_ref8","credentialCryptoContext","decoded","openid_credential_issuer","jwks","parsedCredential","credential_configurations_supported","maybeIssuedAt","getValueFromDisclosures","expiration","Date","exp","issuedAt","verifyAndParseCredential","context","exports"],"sourceRoot":"../../../../src","sources":["credential/issuance/07-verify-and-parse-credential.ts"],"mappings":";;;;;;AAGA,IAAAA,OAAA,GAAAC,OAAA;AACA,IAAAC,MAAA,GAAAD,OAAA;AACA,IAAAE,MAAA,GAAAF,OAAA;AACA,IAAAG,WAAA,GAAAH,OAAA;AAyBA;;AAkBA;;AAKA,MAAMI,oBAAoB,GAAG,SAAAA,CAE3BC,qBAAgI,EAAAC,IAAA,EAI3G;EAAA,IAHrB;IAAEC,KAAK;IAAEC;EAAoC,CAAC,GAAAF,IAAA;EAAA,IAC9CG,uBAAgC,GAAAC,SAAA,CAAAC,MAAA,QAAAD,SAAA,QAAAE,SAAA,GAAAF,SAAA,MAAG,KAAK;EAAA,IACxCG,0BAAmC,GAAAH,SAAA,CAAAC,MAAA,QAAAD,SAAA,QAAAE,SAAA,GAAAF,SAAA,MAAG,KAAK;EAE3C,MAAMI,iBAAiB,GAAGT,qBAAqB,CAACE,KAAK,CAACQ,OAAO,CAACC,GAAG,CAAC;EAElE,IAAI,CAACF,iBAAiB,EAAE;IACtB,MAAM,IAAIG,qBAAa,CAAC,6CAA6C,CAAC;EACxE;EAEA,IAAIH,iBAAiB,CAACI,MAAM,KAAKX,KAAK,CAACY,MAAM,CAACC,GAAG,EAAE;IACjD,MAAM,IAAIH,qBAAa,CACpB,gEAA+DH,iBAAiB,CAACI,MAAO,gBAAeX,KAAK,CAACY,MAAM,CAACC,GAAI,KAC3H,CAAC;EAC
H;;EAEA;EACA,IAAI,CAACN,iBAAiB,CAACO,MAAM,EAAE;IAC7B,MAAM,IAAIJ,qBAAa,CAAC,0CAA0C,CAAC,CAAC,CAAC;EACvE;;EACA,MAAMK,eAAe,GAAGC,MAAM,CAACC,OAAO,CAACV,iBAAiB,CAACO,MAAM,CAAC;;EAEhE;EACA,MAAMI,qBAAqB,GAAGH,eAAe,CAACI,MAAM,CAClDC,KAAA;IAAA,IAAC,CAACC,OAAO,CAAC,GAAAD,KAAA;IAAA,OAAK,CAACnB,WAAW,CAACqB,IAAI,CAACC,KAAA;MAAA,IAAC,GAAGC,IAAI,CAAC,GAAAD,KAAA;MAAA,OAAKC,IAAI,KAAKH,OAAO;IAAA,EAAC;EAAA,CAClE,CAAC;EACD,IAAIH,qBAAqB,CAACd,MAAM,GAAG,CAAC,EAAE;IACpC,MAAMqB,OAAO,GAAGP,qBAAqB,CAACQ,GAAG,CAAEC,CAAC,IAAKA,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,CAACC,IAAI,CAAC,IAAI,CAAC;IAC3E,MAAMC,QAAQ,GAAG5B,WAAW,CAACyB,GAAG,CAAEC,CAAC,IAAKA,CAAC,CAAC,CAAC,CAAC,WAAW,CAAC,CAACC,IAAI,CAAC,IAAI,CAAC;IACnE,IAAI,CAAC1B,uBAAuB,EAAE;MAC5B,MAAM,IAAIQ,qBAAa,CACpB,4DAA2De,OAAQ,iBAAgBI,QAAS,GAC/F,CAAC;IACH;EACF;;EAEA;EACA;EACA,MAAMC,aAAa,GAAGd,MAAM,CAACe,WAAW,CACtChB;EACE;EAAA,CACCW,GAAG,CACFM,KAAA;IAAA,IAAAC,iBAAA;IAAA,IAAC,CAACZ,OAAO,EAAEa,UAAU,CAAC,GAAAF,KAAA;IAAA,OACpB,CACEX,OAAO,EACP;MACE,GAAGa,UAAU;MACbC,KAAK,GAAAF,iBAAA,GAAEhC,WAAW,CAACmC,IAAI,CACpBT,CAAC,IAAKA,CAAC,CAAC,CAAC,CAAC,WAAW,KAAKN,OAC7B,CAAC,cAAAY,iBAAA,uBAFMA,iBAAA,CAEH,CAAC,CAAC;IACR,CAAC,CACF;EAAA,CACL;EACA;EACA;EAAA,CACCP,GAAG,CACFW,KAAA;IAAA,IAAC,CAAChB,OAAO,EAAE;MAAEiB,OAAO;MAAE,GAAGJ;IAAW,CAAC,CAAC,GAAAG,KAAA;IAAA,OACpC,CACEhB,OAAO,EACP;MACE,GAAGa,UAAU;MACbV,IAAI,EAAEc,OAAO,CAACC,MAAM,CAClB,CAACC,KAAK,EAAAC,KAAA;QAAA,IAAE;UAAEC,MAAM;UAAElB;QAAK,CAAC,GAAAiB,KAAA;QAAA,OAAM;UAAE,GAAGD,KAAK;UAAE,CAACE,MAAM,GAAGlB;QAAK,CAAC;MAAA,CAAC,EAC3D,CAAC,CACH;IACF,CAAC,CACF;EAAA,CACL,CACJ,CAAC;EAED,IAAIlB,0BAA0B,EAAE;IAC9B;IACA;IACA,MAAMqC,eAAe,GAAG3B,MAAM,CAACe,WAAW,CACxC9B,WAAW,CACRkB,MAAM,CAAEQ,CAAC,IAAK,CAACX,MAAM,CAAC4B,IAAI,CAACd,aAAa,CAAC,CAACe,QAAQ,CAAClB,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CACzDD,GAAG,CAACoB,KAAA;MAAA,IAAC,GAAGC,GAAG,EAAEZ,KAAK,CAAC,GAAAW,KAAA;MAAA,OAAK,CAACC,GAAG,EAAE;QAAEZ,KAAK;QAAEX,IAAI,EAAEuB;MAAI,CAAC,CAAC;IAAA,EACxD,CAAC;IACD,OAAO;MACL,GAAGjB,aAAa;MAChB,GAAGa;IACL,CAAC;EACH;EAEA,OAAOb,aAAa;AACtB,CAAC;;AAED;AACA;AACA;AACA
;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,eAAekB,qBAAqBA,CAClCC,aAAqB,EACrBC,UAAiB,EACjBC,oBAAmC,EACF;EACjC,MAAM,CAACC,iBAAiB,EAAEC,gBAAgB,CAAC;EACzC;EACA,MAAMC,OAAO,CAACC,GAAG,CAAC,CAChB,IAAAC,aAAW,EAACP,aAAa,EAAEC,UAAU,EAAEO,eAAQ,CAAC,EAChDN,oBAAoB,CAACO,YAAY,CAAC,CAAC,CACpC,CAAC;EAEJ,MAAM;IAAEC;EAAI,CAAC,GAAGP,iBAAiB,CAACpD,KAAK,CAACQ,OAAO;EAE/C,IAAI,CAACmD,GAAG,CAACC,GAAG,CAACC,GAAG,IAAIF,GAAG,CAACC,GAAG,CAACC,GAAG,KAAKR,gBAAgB,CAACQ,GAAG,EAAE;IACxD,MAAM,IAAInD,qBAAa,CACpB,kDAAiD2C,gBAAgB,CAACQ,GAAI,UAAST,iBAAiB,CAACpD,KAAK,CAACQ,OAAO,CAACmD,GAAG,CAACC,GAAG,CAACC,GAAI,EAC9H,CAAC;EACH;EAEA,OAAOT,iBAAiB;AAC1B;;AAEA;;AAQA,MAAMU,6BAAsD,GAAG,MAAAA,CAC7DC,UAAU,EACVC,UAAU,EACVrC,CAAC,EAAAsC,KAAA,KAME;EAAA,IALH;IACEC,uBAAuB;IACvBhE,uBAAuB;IACvBI;EACF,CAAC,GAAA2D,KAAA;EAED,MAAME,OAAO,GAAG,MAAMnB,qBAAqB,CACzCgB,UAAU,EACVD,UAAU,CAACK,wBAAwB,CAACC,IAAI,CAACzB,IAAI,EAC7CsB,uBACF,CAAC;EAED,MAAMI,gBAAgB,GAAGzE,oBAAoB,CAC3CkE,UAAU,CAACK,wBAAwB,CAACG,mCAAmC,EACvEJ,OAAO,EACPjE,uBAAuB,EACvBI,0BACF,CAAC;EAED,MAAMkE,aAAa,GAAG,IAAAC,mCAAuB,EAACN,OAAO,CAAClE,WAAW,EAAE,KAAK,CAAC;EAEzE,OAAO;IACLqE,gBAAgB;IAChBI,UAAU,EAAE,IAAIC,IAAI,CAACR,OAAO,CAACnE,KAAK,CAACQ,OAAO,CAACoE,GAAG,GAAG,IAAI,CAAC;IACtDC,QAAQ,EACN,OAAOL,aAAa,KAAK,QAAQ,GAC7B,IAAIG,IAAI,CAACH,aAAa,GAAG,IAAI,CAAC,GAC9BnE;EACR,CAAC;AACH,CAAC;;AAED;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACO,MAAMyE,wBAAkD,GAAG,MAAAA,CAChEf,UAAU,EACVC,UAAU,EACVrD,MAAM,EACNoE,OAAO,KACJ;EACH,IAAIpE,MAAM,KAAK,WAAW,EAAE;IAC1B,OAAOmD,6BAA6B,CAClCC,UAAU,EACVC,UAAU,EACVrD,MAAM,EACNoE,OACF,CAAC;EACH;EAEA,MAAM,IAAIrE,qBAAa,CAAE,kCAAiCC,MAAO,EAAC,CAAC;AACrE,CAAC;AAACqE,OAAA,CAAAF,wBAAA,GAAAA,wBAAA"}
|
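--- a/package/lib/commonjs/credential/issuance/README.md
+++ b/package/lib/commonjs/credential/issuance/README.md
@@ -39,10 +39,19 @@ graph TD;
 
 ## Mapped results
 
+### 201 Created (CredentialIssuingNotSynchronousError)
+
+A `201 Created` response is returned by the credential issuer when the request has been queued because the credential cannot be issued synchronously. The consumer should try to obtain the credential at a later time.
+
 ### 404 Not Found (CredentialNotEntitledError)
 
 A `404 Not Found` response is returned by the credential issuer when the authenticated user is not entitled to receive the requested credential.
 
+### 201 Created (CredentialIssuingNotSynchronousError)
+
+Although `201 Created` is not considered an error, it is mapped as an error in this context in order to handle the case where the credential issuance is not synchronous.
+This allows keeping the flow consistent and handle the case where the credential is not immediately available.
+
 ## Strong authentication for eID issuance (Query Mode)
 
 The eID issuance requires a strong authentication method. Currently SPID (L2), CieID (L2) and CIE+PIN (L3) are supported. The strong authentication method is determined by the IDP hint which is passed to the `completeUserAuthorizationWithQueryMode` function.
@@ -175,12 +184,19 @@ const { credential, format } = await Credential.Issuance.obtainCredential(
   }
 );
 
-
+/*
+ * Parse and verify the credential. The ignoreMissingAttributes flag must be set to false or omitted in production.
+ * WARNING: includeUndefinedAttributes should not be set to true in production in order to get only claims explicitly declared by the issuer.
+ */
 const { parsedCredential } = await Credential.Issuance.verifyAndParseCredential(
   issuerConf,
   credential,
   format,
-  {
+  {
+    credentialCryptoContext,
+    ignoreMissingAttributes: true,
+    includeUndefinedAttributes: false
+  }
 );
 
 return {
@@ -303,7 +319,7 @@ const { credential, format } = await Credential.Issuance.obtainCredential(
 );
 
 // Parse and verify the eID credential
-const { parsedCredential } = await Credential.Issuance.verifyAndParseCredential(
+const { parsedCredential, issuedAt, expiration } = await Credential.Issuance.verifyAndParseCredential(
   issuerConf,
   credential,
   format,
@@ -315,9 +331,11 @@ return {
   credential,
   keyTag: credentialKeyTag,
   credentialType,
+  issuedAt,
+  expiration
 };
 ```
 
-The result of this flow is a
+The result of this flow is a raw credential and a parsed credential which must be stored securely in the wallet along with its crypto key.
 
 </details>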
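--- a/package/lib/module/credential/issuance/07-verify-and-parse-credential.js
+++ b/package/lib/module/credential/issuance/07-verify-and-parse-credential.js
@@ -1,6 +1,7 @@
 import { IoWalletError } from "../../utils/errors";
 import { SdJwt4VC } from "../../sd-jwt/types";
 import { verify as verifySdJwt } from "../../sd-jwt";
+import { getValueFromDisclosures } from "../../sd-jwt/converters";
 
 // The credential as a collection of attributes in plain value
 
@@ -128,12 +129,16 @@ async function verifyCredentialSdJwt(rawCredential, issuerKeys, holderBindingCon
 const verifyAndParseCredentialSdJwt = async (issuerConf, credential, _, _ref8) => {
   let {
     credentialCryptoContext,
-    ignoreMissingAttributes
+    ignoreMissingAttributes,
+    includeUndefinedAttributes
   } = _ref8;
   const decoded = await verifyCredentialSdJwt(credential, issuerConf.openid_credential_issuer.jwks.keys, credentialCryptoContext);
-  const parsedCredential = parseCredentialSdJwt(issuerConf.openid_credential_issuer.credential_configurations_supported, decoded, ignoreMissingAttributes);
+  const parsedCredential = parseCredentialSdJwt(issuerConf.openid_credential_issuer.credential_configurations_supported, decoded, ignoreMissingAttributes, includeUndefinedAttributes);
+  const maybeIssuedAt = getValueFromDisclosures(decoded.disclosures, "iat");
   return {
-    parsedCredential
+    parsedCredential,
+    expiration: new Date(decoded.sdJwt.payload.exp * 1000),
+    issuedAt: typeof maybeIssuedAt === "number" ? new Date(maybeIssuedAt * 1000) : undefined
   };
 };
 
@@ -143,7 +148,9 @@ const verifyAndParseCredentialSdJwt = async (issuerConf, credential, _, _ref8) =
  * @param credential The encoded credential returned by {@link obtainCredential}
  * @param format The format of the credentual returned by {@link obtainCredential}
  * @param context.credentialCryptoContext The crypto context used to obtain the credential in {@link obtainCredential}
- * @
+ * @param context.ignoreMissingAttributes Skip error when attributes declared in the issuer configuration are not found within disclosures
+ * @param context.includeUndefinedAttributes Include attributes not explicitly declared in the issuer configuration
+ * @returns A parsed credential with attributes in plain value, the expiration and issuance date of the credential
  * @throws {IoWalletError} If the credential signature is not verified with the Issuer key set
  * @throws {IoWalletError} If the credential is not bound to the provided user key
  * @throws {IoWalletError} If the credential data fail to parse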
@@ -1 +1 @@
|
|
1
|
-
{"version":3,"names":["IoWalletError","SdJwt4VC","verify","verifySdJwt","parseCredentialSdJwt","credentials_supported","_ref","sdJwt","disclosures","ignoreMissingAttributes","arguments","length","undefined","includeUndefinedAttributes","credentialSubject","payload","vct","format","header","typ","claims","attrDefinitions","Object","entries","attrsNotInDisclosures","filter","_ref2","attrKey","some","_ref3","name","missing","map","_","join","received","definedValues","fromEntries","_ref4","_disclosures$find","definition","value","find","_ref5","display","reduce","names","_ref6","locale","undefinedValues","keys","includes","_ref7","key","verifyCredentialSdJwt","rawCredential","issuerKeys","holderBindingContext","decodedCredential","holderBindingKey","Promise","all","getPublicKey","cnf","jwk","kid","verifyAndParseCredentialSdJwt","issuerConf","credential","_ref8","credentialCryptoContext","decoded","openid_credential_issuer","jwks","parsedCredential","credential_configurations_supported","verifyAndParseCredential","context"],"sourceRoot":"../../../../src","sources":["credential/issuance/07-verify-and-parse-credential.ts"],"mappings":"
|
1
|
+
{"version":3,"names":["IoWalletError","SdJwt4VC","verify","verifySdJwt","getValueFromDisclosures","parseCredentialSdJwt","credentials_supported","_ref","sdJwt","disclosures","ignoreMissingAttributes","arguments","length","undefined","includeUndefinedAttributes","credentialSubject","payload","vct","format","header","typ","claims","attrDefinitions","Object","entries","attrsNotInDisclosures","filter","_ref2","attrKey","some","_ref3","name","missing","map","_","join","received","definedValues","fromEntries","_ref4","_disclosures$find","definition","value","find","_ref5","display","reduce","names","_ref6","locale","undefinedValues","keys","includes","_ref7","key","verifyCredentialSdJwt","rawCredential","issuerKeys","holderBindingContext","decodedCredential","holderBindingKey","Promise","all","getPublicKey","cnf","jwk","kid","verifyAndParseCredentialSdJwt","issuerConf","credential","_ref8","credentialCryptoContext","decoded","openid_credential_issuer","jwks","parsedCredential","credential_configurations_supported","maybeIssuedAt","expiration","Date","exp","issuedAt","verifyAndParseCredential","context"],"sourceRoot":"../../../../src","sources":["credential/issuance/07-verify-and-parse-credential.ts"],"mappings":"AAGA,SAASA,aAAa,QAAQ,oBAAoB;AAClD,SAASC,QAAQ,QAAQ,oBAAoB;AAC7C,SAASC,MAAM,IAAIC,WAAW,QAAQ,cAAc;AACpD,SAASC,uBAAuB,QAAQ,yBAAyB;;AAyBjE;;AAkBA;;AAKA,MAAMC,oBAAoB,GAAG,SAAAA,CAE3BC,qBAAgI,EAAAC,IAAA,EAI3G;EAAA,IAHrB;IAAEC,KAAK;IAAEC;EAAoC,CAAC,GAAAF,IAAA;EAAA,IAC9CG,uBAAgC,GAAAC,SAAA,CAAAC,MAAA,QAAAD,SAAA,QAAAE,SAAA,GAAAF,SAAA,MAAG,KAAK;EAAA,IACxCG,0BAAmC,GAAAH,SAAA,CAAAC,MAAA,QAAAD,SAAA,QAAAE,SAAA,GAAAF,SAAA,MAAG,KAAK;EAE3C,MAAMI,iBAAiB,GAAGT,qBAAqB,CAACE,KAAK,CAACQ,OAAO,CAACC,GAAG,CAAC;EAElE,IAAI,CAACF,iBAAiB,EAAE;IACtB,MAAM,IAAIf,aAAa,CAAC,6CAA6C,CAAC;EACxE;EAEA,IAAIe,iBAAiB,CAACG,MAAM,KAAKV,KAAK,CAACW,MAAM,CAACC,GAAG,EAAE;IACjD,MAAM,IAAIpB,aAAa,CACpB,gEAA+De,iBAAiB,CAACG,MAAO,gBAAeV,KAAK,CAACW,MAAM,CAACC,GAAI,KAC3H,CAAC;EACH;;EAEA;EACA,IAAI,CAACL,iBAAiB,CAACM,MAA
M,EAAE;IAC7B,MAAM,IAAIrB,aAAa,CAAC,0CAA0C,CAAC,CAAC,CAAC;EACvE;;EACA,MAAMsB,eAAe,GAAGC,MAAM,CAACC,OAAO,CAACT,iBAAiB,CAACM,MAAM,CAAC;;EAEhE;EACA,MAAMI,qBAAqB,GAAGH,eAAe,CAACI,MAAM,CAClDC,KAAA;IAAA,IAAC,CAACC,OAAO,CAAC,GAAAD,KAAA;IAAA,OAAK,CAAClB,WAAW,CAACoB,IAAI,CAACC,KAAA;MAAA,IAAC,GAAGC,IAAI,CAAC,GAAAD,KAAA;MAAA,OAAKC,IAAI,KAAKH,OAAO;IAAA,EAAC;EAAA,CAClE,CAAC;EACD,IAAIH,qBAAqB,CAACb,MAAM,GAAG,CAAC,EAAE;IACpC,MAAMoB,OAAO,GAAGP,qBAAqB,CAACQ,GAAG,CAAEC,CAAC,IAAKA,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,CAACC,IAAI,CAAC,IAAI,CAAC;IAC3E,MAAMC,QAAQ,GAAG3B,WAAW,CAACwB,GAAG,CAAEC,CAAC,IAAKA,CAAC,CAAC,CAAC,CAAC,WAAW,CAAC,CAACC,IAAI,CAAC,IAAI,CAAC;IACnE,IAAI,CAACzB,uBAAuB,EAAE;MAC5B,MAAM,IAAIV,aAAa,CACpB,4DAA2DgC,OAAQ,iBAAgBI,QAAS,GAC/F,CAAC;IACH;EACF;;EAEA;EACA;EACA,MAAMC,aAAa,GAAGd,MAAM,CAACe,WAAW,CACtChB;EACE;EAAA,CACCW,GAAG,CACFM,KAAA;IAAA,IAAAC,iBAAA;IAAA,IAAC,CAACZ,OAAO,EAAEa,UAAU,CAAC,GAAAF,KAAA;IAAA,OACpB,CACEX,OAAO,EACP;MACE,GAAGa,UAAU;MACbC,KAAK,GAAAF,iBAAA,GAAE/B,WAAW,CAACkC,IAAI,CACpBT,CAAC,IAAKA,CAAC,CAAC,CAAC,CAAC,WAAW,KAAKN,OAC7B,CAAC,cAAAY,iBAAA,uBAFMA,iBAAA,CAEH,CAAC,CAAC;IACR,CAAC,CACF;EAAA,CACL;EACA;EACA;EAAA,CACCP,GAAG,CACFW,KAAA;IAAA,IAAC,CAAChB,OAAO,EAAE;MAAEiB,OAAO;MAAE,GAAGJ;IAAW,CAAC,CAAC,GAAAG,KAAA;IAAA,OACpC,CACEhB,OAAO,EACP;MACE,GAAGa,UAAU;MACbV,IAAI,EAAEc,OAAO,CAACC,MAAM,CAClB,CAACC,KAAK,EAAAC,KAAA;QAAA,IAAE;UAAEC,MAAM;UAAElB;QAAK,CAAC,GAAAiB,KAAA;QAAA,OAAM;UAAE,GAAGD,KAAK;UAAE,CAACE,MAAM,GAAGlB;QAAK,CAAC;MAAA,CAAC,EAC3D,CAAC,CACH;IACF,CAAC,CACF;EAAA,CACL,CACJ,CAAC;EAED,IAAIjB,0BAA0B,EAAE;IAC9B;IACA;IACA,MAAMoC,eAAe,GAAG3B,MAAM,CAACe,WAAW,CACxC7B,WAAW,CACRiB,MAAM,CAAEQ,CAAC,IAAK,CAACX,MAAM,CAAC4B,IAAI,CAACd,aAAa,CAAC,CAACe,QAAQ,CAAClB,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CACzDD,GAAG,CAACoB,KAAA;MAAA,IAAC,GAAGC,GAAG,EAAEZ,KAAK,CAAC,GAAAW,KAAA;MAAA,OAAK,CAACC,GAAG,EAAE;QAAEZ,KAAK;QAAEX,IAAI,EAAEuB;MAAI,CAAC,CAAC;IAAA,EACxD,CAAC;IACD,OAAO;MACL,GAAGjB,aAAa;MAChB,GAAGa;IACL,CAAC;EACH;EAEA,OAAOb,aAAa;AACtB,CAAC;;AAED;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAC
A;AACA;AACA;AACA;AACA,eAAekB,qBAAqBA,CAClCC,aAAqB,EACrBC,UAAiB,EACjBC,oBAAmC,EACF;EACjC,MAAM,CAACC,iBAAiB,EAAEC,gBAAgB,CAAC;EACzC;EACA,MAAMC,OAAO,CAACC,GAAG,CAAC,CAChB3D,WAAW,CAACqD,aAAa,EAAEC,UAAU,EAAExD,QAAQ,CAAC,EAChDyD,oBAAoB,CAACK,YAAY,CAAC,CAAC,CACpC,CAAC;EAEJ,MAAM;IAAEC;EAAI,CAAC,GAAGL,iBAAiB,CAACnD,KAAK,CAACQ,OAAO;EAE/C,IAAI,CAACgD,GAAG,CAACC,GAAG,CAACC,GAAG,IAAIF,GAAG,CAACC,GAAG,CAACC,GAAG,KAAKN,gBAAgB,CAACM,GAAG,EAAE;IACxD,MAAM,IAAIlE,aAAa,CACpB,kDAAiD4D,gBAAgB,CAACM,GAAI,UAASP,iBAAiB,CAACnD,KAAK,CAACQ,OAAO,CAACgD,GAAG,CAACC,GAAG,CAACC,GAAI,EAC9H,CAAC;EACH;EAEA,OAAOP,iBAAiB;AAC1B;;AAEA;;AAQA,MAAMQ,6BAAsD,GAAG,MAAAA,CAC7DC,UAAU,EACVC,UAAU,EACVnC,CAAC,EAAAoC,KAAA,KAME;EAAA,IALH;IACEC,uBAAuB;IACvB7D,uBAAuB;IACvBI;EACF,CAAC,GAAAwD,KAAA;EAED,MAAME,OAAO,GAAG,MAAMjB,qBAAqB,CACzCc,UAAU,EACVD,UAAU,CAACK,wBAAwB,CAACC,IAAI,CAACvB,IAAI,EAC7CoB,uBACF,CAAC;EAED,MAAMI,gBAAgB,GAAGtE,oBAAoB,CAC3C+D,UAAU,CAACK,wBAAwB,CAACG,mCAAmC,EACvEJ,OAAO,EACP9D,uBAAuB,EACvBI,0BACF,CAAC;EAED,MAAM+D,aAAa,GAAGzE,uBAAuB,CAACoE,OAAO,CAAC/D,WAAW,EAAE,KAAK,CAAC;EAEzE,OAAO;IACLkE,gBAAgB;IAChBG,UAAU,EAAE,IAAIC,IAAI,CAACP,OAAO,CAAChE,KAAK,CAACQ,OAAO,CAACgE,GAAG,GAAG,IAAI,CAAC;IACtDC,QAAQ,EACN,OAAOJ,aAAa,KAAK,QAAQ,GAC7B,IAAIE,IAAI,CAACF,aAAa,GAAG,IAAI,CAAC,GAC9BhE;EACR,CAAC;AACH,CAAC;;AAED;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,MAAMqE,wBAAkD,GAAG,MAAAA,CAChEd,UAAU,EACVC,UAAU,EACVnD,MAAM,EACNiE,OAAO,KACJ;EACH,IAAIjE,MAAM,KAAK,WAAW,EAAE;IAC1B,OAAOiD,6BAA6B,CAClCC,UAAU,EACVC,UAAU,EACVnD,MAAM,EACNiE,OACF,CAAC;EACH;EAEA,MAAM,IAAInF,aAAa,CAAE,kCAAiCkB,MAAO,EAAC,CAAC;AACrE,CAAC"}
|
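--- a/package/lib/module/credential/issuance/README.md
+++ b/package/lib/module/credential/issuance/README.md
@@ -39,10 +39,19 @@ graph TD;
 
 ## Mapped results
 
+### 201 Created (CredentialIssuingNotSynchronousError)
+
+A `201 Created` response is returned by the credential issuer when the request has been queued because the credential cannot be issued synchronously. The consumer should try to obtain the credential at a later time.
+
 ### 404 Not Found (CredentialNotEntitledError)
 
 A `404 Not Found` response is returned by the credential issuer when the authenticated user is not entitled to receive the requested credential.
 
+### 201 Created (CredentialIssuingNotSynchronousError)
+
+Although `201 Created` is not considered an error, it is mapped as an error in this context in order to handle the case where the credential issuance is not synchronous.
+This allows keeping the flow consistent and handle the case where the credential is not immediately available.
+
 ## Strong authentication for eID issuance (Query Mode)
 
 The eID issuance requires a strong authentication method. Currently SPID (L2), CieID (L2) and CIE+PIN (L3) are supported. The strong authentication method is determined by the IDP hint which is passed to the `completeUserAuthorizationWithQueryMode` function.
@@ -175,12 +184,19 @@ const { credential, format } = await Credential.Issuance.obtainCredential(
   }
 );
 
-
+/*
+ * Parse and verify the credential. The ignoreMissingAttributes flag must be set to false or omitted in production.
+ * WARNING: includeUndefinedAttributes should not be set to true in production in order to get only claims explicitly declared by the issuer.
+ */
 const { parsedCredential } = await Credential.Issuance.verifyAndParseCredential(
   issuerConf,
   credential,
   format,
-  {
+  {
+    credentialCryptoContext,
+    ignoreMissingAttributes: true,
+    includeUndefinedAttributes: false
+  }
 );
 
 return {
@@ -303,7 +319,7 @@ const { credential, format } = await Credential.Issuance.obtainCredential(
 );
 
 // Parse and verify the eID credential
-const { parsedCredential } = await Credential.Issuance.verifyAndParseCredential(
+const { parsedCredential, issuedAt, expiration } = await Credential.Issuance.verifyAndParseCredential(
   issuerConf,
   credential,
   format,
@@ -315,9 +331,11 @@ return {
   credential,
   keyTag: credentialKeyTag,
   credentialType,
+  issuedAt,
+  expiration
 };
 ```
 
-The result of this flow is a
+The result of this flow is a raw credential and a parsed credential which must be stored securely in the wallet along with its crypto key.
 
 </details>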
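--- a/package/lib/typescript/credential/issuance/07-verify-and-parse-credential.d.ts
+++ b/package/lib/typescript/credential/issuance/07-verify-and-parse-credential.d.ts
@@ -1,13 +1,21 @@
+import type { CryptoContext } from "@pagopa/io-react-native-jwt";
 import type { Out } from "../../utils/misc";
 import type { EvaluateIssuerTrust } from "./02-evaluate-issuer-trust";
-import type { CryptoContext } from "@pagopa/io-react-native-jwt";
 import type { ObtainCredential } from "./06-obtain-credential";
 export type VerifyAndParseCredential = (issuerConf: Out<EvaluateIssuerTrust>["issuerConf"], credential: Out<ObtainCredential>["credential"], format: Out<ObtainCredential>["format"], context: {
   credentialCryptoContext: CryptoContext;
+  /**
+   * Do not throw an error when an attribute is not found within disclosures.
+   */
   ignoreMissingAttributes?: boolean;
+  /**
+   * Include attributes that are not explicitly mapped in the issuer configuration.
+   */
   includeUndefinedAttributes?: boolean;
 }) => Promise<{
   parsedCredential: ParsedCredential;
+  expiration: Date;
+  issuedAt: Date | undefined;
 }>;
 type ParsedCredential = Record<
 /** Attribute key */
@@ -23,7 +31,9 @@ string, {
  * @param credential The encoded credential returned by {@link obtainCredential}
  * @param format The format of the credentual returned by {@link obtainCredential}
  * @param context.credentialCryptoContext The crypto context used to obtain the credential in {@link obtainCredential}
- * @
+ * @param context.ignoreMissingAttributes Skip error when attributes declared in the issuer configuration are not found within disclosures
+ * @param context.includeUndefinedAttributes Include attributes not explicitly declared in the issuer configuration
+ * @returns A parsed credential with attributes in plain value, the expiration and issuance date of the credential
  * @throws {IoWalletError} If the credential signature is not verified with the Issuer key set
  * @throws {IoWalletError} If the credential is not bound to the provided user key
  * @throws {IoWalletError} If the credential data fail to parse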
@@ -1 +1 @@
|
|
1
|
-
{"version":3,"file":"07-verify-and-parse-credential.d.ts","sourceRoot":"","sources":["../../../../src/credential/issuance/07-verify-and-parse-credential.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,
|
1
|
+
{"version":3,"file":"07-verify-and-parse-credential.d.ts","sourceRoot":"","sources":["../../../../src/credential/issuance/07-verify-and-parse-credential.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,6BAA6B,CAAC;AACjE,OAAO,KAAK,EAAE,GAAG,EAAE,MAAM,kBAAkB,CAAC;AAC5C,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,4BAA4B,CAAC;AAMtE,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAE/D,MAAM,MAAM,wBAAwB,GAAG,CACrC,UAAU,EAAE,GAAG,CAAC,mBAAmB,CAAC,CAAC,YAAY,CAAC,EAClD,UAAU,EAAE,GAAG,CAAC,gBAAgB,CAAC,CAAC,YAAY,CAAC,EAC/C,MAAM,EAAE,GAAG,CAAC,gBAAgB,CAAC,CAAC,QAAQ,CAAC,EACvC,OAAO,EAAE;IACP,uBAAuB,EAAE,aAAa,CAAC;IACvC;;OAEG;IACH,uBAAuB,CAAC,EAAE,OAAO,CAAC;IAClC;;OAEG;IACH,0BAA0B,CAAC,EAAE,OAAO,CAAC;CACtC,KACE,OAAO,CAAC;IACX,gBAAgB,EAAE,gBAAgB,CAAC;IACnC,UAAU,EAAE,IAAI,CAAC;IACjB,QAAQ,EAAE,IAAI,GAAG,SAAS,CAAC;CAC5B,CAAC,CAAC;AAGH,KAAK,gBAAgB,GAAG,MAAM;AAC5B,oBAAoB;AACpB,MAAM,EACN;IACE,2CAA2C;IAC3C,IAAI,EACA,yBAAyB,CAAC,MAAM,CAC9B,MAAM,EACN,MAAM,CACP,GACD,4BAA4B,CAAC,MAAM,GACnC,SAAS,CAAC;IACd,wCAAwC;IACxC,KAAK,EAAE,OAAO,CAAC;CAChB,CACF,CAAC;AAkLF;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,wBAAwB,EAAE,wBAgBtC,CAAC"}
|
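--- a/package/lib/typescript/pid/sd-jwt/types.d.ts
+++ b/package/lib/typescript/pid/sd-jwt/types.d.ts
@@ -145,8 +145,8 @@ export declare const PID: z.ZodObject<{
     } | undefined;
   };
   issuer: string;
-  issuedAt: Date;
   expiration: Date;
+  issuedAt: Date;
   verification?: {
     trustFramework: "eidas";
     assuranceLevel: string;
@@ -175,8 +175,8 @@ export declare const PID: z.ZodObject<{
     } | undefined;
   };
   issuer: string;
-  issuedAt: Date;
   expiration: Date;
+  issuedAt: Date;
   verification?: {
     trustFramework: "eidas";
     assuranceLevel: string;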
package/package.json
CHANGED
@@ -1,10 +1,11 @@
|
|
1
|
+
import type { CryptoContext } from "@pagopa/io-react-native-jwt";
|
1
2
|
import type { Out } from "../../utils/misc";
|
2
3
|
import type { EvaluateIssuerTrust } from "./02-evaluate-issuer-trust";
|
3
4
|
import { IoWalletError } from "../../utils/errors";
|
4
5
|
import { SdJwt4VC } from "../../sd-jwt/types";
|
5
6
|
import { verify as verifySdJwt } from "../../sd-jwt";
|
7
|
+
import { getValueFromDisclosures } from "../../sd-jwt/converters";
|
6
8
|
import type { JWK } from "../../utils/jwk";
|
7
|
-
import type { CryptoContext } from "@pagopa/io-react-native-jwt";
|
8
9
|
import type { ObtainCredential } from "./06-obtain-credential";
|
9
10
|
|
10
11
|
export type VerifyAndParseCredential = (
|
@@ -13,10 +14,20 @@ export type VerifyAndParseCredential = (
|
|
13
14
|
format: Out<ObtainCredential>["format"],
|
14
15
|
context: {
|
15
16
|
credentialCryptoContext: CryptoContext;
|
17
|
+
/**
|
18
|
+
* Do not throw an error when an attribute is not found within disclosures.
|
19
|
+
*/
|
16
20
|
ignoreMissingAttributes?: boolean;
|
21
|
+
/**
|
22
|
+
* Include attributes that are not explicitly mapped in the issuer configuration.
|
23
|
+
*/
|
17
24
|
includeUndefinedAttributes?: boolean;
|
18
25
|
}
|
19
|
-
) => Promise<{
|
26
|
+
) => Promise<{
|
27
|
+
parsedCredential: ParsedCredential;
|
28
|
+
expiration: Date;
|
29
|
+
issuedAt: Date | undefined;
|
30
|
+
}>;
|
20
31
|
|
21
32
|
// The credential as a collection of attributes in plain value
|
22
33
|
type ParsedCredential = Record<
|
@@ -181,7 +192,11 @@ const verifyAndParseCredentialSdJwt: WithFormat<"vc+sd-jwt"> = async (
|
|
181
192
|
issuerConf,
|
182
193
|
credential,
|
183
194
|
_,
|
184
|
-
{
|
195
|
+
{
|
196
|
+
credentialCryptoContext,
|
197
|
+
ignoreMissingAttributes,
|
198
|
+
includeUndefinedAttributes,
|
199
|
+
}
|
185
200
|
) => {
|
186
201
|
const decoded = await verifyCredentialSdJwt(
|
187
202
|
credential,
|
@@ -192,10 +207,20 @@ const verifyAndParseCredentialSdJwt: WithFormat<"vc+sd-jwt"> = async (
|
|
192
207
|
const parsedCredential = parseCredentialSdJwt(
|
193
208
|
issuerConf.openid_credential_issuer.credential_configurations_supported,
|
194
209
|
decoded,
|
195
|
-
ignoreMissingAttributes
|
210
|
+
ignoreMissingAttributes,
|
211
|
+
includeUndefinedAttributes
|
196
212
|
);
|
197
213
|
|
198
|
-
|
214
|
+
const maybeIssuedAt = getValueFromDisclosures(decoded.disclosures, "iat");
|
215
|
+
|
216
|
+
return {
|
217
|
+
parsedCredential,
|
218
|
+
expiration: new Date(decoded.sdJwt.payload.exp * 1000),
|
219
|
+
issuedAt:
|
220
|
+
typeof maybeIssuedAt === "number"
|
221
|
+
? new Date(maybeIssuedAt * 1000)
|
222
|
+
: undefined,
|
223
|
+
};
|
199
224
|
};
|
200
225
|
|
201
226
|
/**
|
@@ -204,7 +229,9 @@ const verifyAndParseCredentialSdJwt: WithFormat<"vc+sd-jwt"> = async (
|
|
204
229
|
* @param credential The encoded credential returned by {@link obtainCredential}
|
205
230
|
* @param format The format of the credentual returned by {@link obtainCredential}
|
206
231
|
* @param context.credentialCryptoContext The crypto context used to obtain the credential in {@link obtainCredential}
|
207
|
-
* @
|
232
|
+
* @param context.ignoreMissingAttributes Skip error when attributes declared in the issuer configuration are not found within disclosures
|
233
|
+
* @param context.includeUndefinedAttributes Include attributes not explicitly declared in the issuer configuration
|
234
|
+
* @returns A parsed credential with attributes in plain value, the expiration and issuance date of the credential
|
208
235
|
* @throws {IoWalletError} If the credential signature is not verified with the Issuer key set
|
209
236
|
* @throws {IoWalletError} If the credential is not bound to the provided user key
|
210
237
|
* @throws {IoWalletError} If the credential data fail to parse
|
@@ -39,10 +39,19 @@ graph TD;
|
|
39
39
|
|
40
40
|
## Mapped results
|
41
41
|
|
42
|
+
### 201 Created (CredentialIssuingNotSynchronousError)
|
43
|
+
|
44
|
+
A `201 Created` response is returned by the credential issuer when the request has been queued because the credential cannot be issued synchronously. The consumer should try to obtain the credential at a later time.
|
45
|
+
|
42
46
|
### 404 Not Found (CredentialNotEntitledError)
|
43
47
|
|
44
48
|
A `404 Not Found` response is returned by the credential issuer when the authenticated user is not entitled to receive the requested credential.
|
45
49
|
|
50
|
+
### 201 Created (CredentialIssuingNotSynchronousError)
|
51
|
+
|
52
|
+
Although `201 Created` is not considered an error, it is mapped as an error in this context in order to handle the case where the credential issuance is not synchronous.
|
53
|
+
This allows keeping the flow consistent and handle the case where the credential is not immediately available.
|
54
|
+
|
46
55
|
## Strong authentication for eID issuance (Query Mode)
|
47
56
|
|
48
57
|
The eID issuance requires a strong authentication method. Currently SPID (L2), CieID (L2) and CIE+PIN (L3) are supported. The strong authentication method is determined by the IDP hint which is passed to the `completeUserAuthorizationWithQueryMode` function.
|
@@ -175,12 +184,19 @@ const { credential, format } = await Credential.Issuance.obtainCredential(
|
|
175
184
|
}
|
176
185
|
);
|
177
186
|
|
178
|
-
|
187
|
+
/*
|
188
|
+
* Parse and verify the credential. The ignoreMissingAttributes flag must be set to false or omitted in production.
|
189
|
+
* WARNING: includeUndefinedAttributes should not be set to true in production in order to get only claims explicitly declared by the issuer.
|
190
|
+
*/
|
179
191
|
const { parsedCredential } = await Credential.Issuance.verifyAndParseCredential(
|
180
192
|
issuerConf,
|
181
193
|
credential,
|
182
194
|
format,
|
183
|
-
{
|
195
|
+
{
|
196
|
+
credentialCryptoContext,
|
197
|
+
ignoreMissingAttributes: true,
|
198
|
+
includeUndefinedAttributes: false
|
199
|
+
}
|
184
200
|
);
|
185
201
|
|
186
202
|
return {
|
@@ -303,7 +319,7 @@ const { credential, format } = await Credential.Issuance.obtainCredential(
|
|
303
319
|
);
|
304
320
|
|
305
321
|
// Parse and verify the eID credential
|
306
|
-
const { parsedCredential } = await Credential.Issuance.verifyAndParseCredential(
|
322
|
+
const { parsedCredential, issuedAt, expiration } = await Credential.Issuance.verifyAndParseCredential(
|
307
323
|
issuerConf,
|
308
324
|
credential,
|
309
325
|
format,
|
@@ -315,9 +331,11 @@ return {
|
|
315
331
|
credential,
|
316
332
|
keyTag: credentialKeyTag,
|
317
333
|
credentialType,
|
334
|
+
issuedAt,
|
335
|
+
expiration
|
318
336
|
};
|
319
337
|
```
|
320
338
|
|
321
|
-
The result of this flow is a
|
339
|
+
The result of this flow is a raw credential and a parsed credential which must be stored securely in the wallet along with its crypto key.
|
322
340
|
|
323
341
|
</details>
|