@pagopa/io-react-native-wallet 0.17.1 → 0.18.1
- package/lib/commonjs/credential/issuance/07-verify-and-parse-credential.js +11 -4
- package/lib/commonjs/credential/issuance/07-verify-and-parse-credential.js.map +1 -1
- package/lib/commonjs/credential/issuance/README.md +22 -4
- package/lib/module/credential/issuance/07-verify-and-parse-credential.js +11 -4
- package/lib/module/credential/issuance/07-verify-and-parse-credential.js.map +1 -1
- package/lib/module/credential/issuance/README.md +22 -4
- package/lib/typescript/credential/issuance/07-verify-and-parse-credential.d.ts +12 -2
- package/lib/typescript/credential/issuance/07-verify-and-parse-credential.d.ts.map +1 -1
- package/lib/typescript/pid/sd-jwt/types.d.ts +2 -2
- package/package.json +1 -1
- package/src/credential/issuance/07-verify-and-parse-credential.ts +33 -6
- package/src/credential/issuance/README.md +22 -4
@@ -7,6 +7,7 @@ exports.verifyAndParseCredential = void 0;
|
|
7
7
|
var _errors = require("../../utils/errors");
|
8
8
|
var _types = require("../../sd-jwt/types");
|
9
9
|
var _sdJwt = require("../../sd-jwt");
|
10
|
+
var _converters = require("../../sd-jwt/converters");
|
10
11
|
// The credential as a collection of attributes in plain value
|
11
12
|
|
12
13
|
// handy alias
|
@@ -133,12 +134,16 @@ async function verifyCredentialSdJwt(rawCredential, issuerKeys, holderBindingCon
|
|
133
134
|
const verifyAndParseCredentialSdJwt = async (issuerConf, credential, _, _ref8) => {
|
134
135
|
let {
|
135
136
|
credentialCryptoContext,
|
136
|
-
ignoreMissingAttributes
|
137
|
+
ignoreMissingAttributes,
|
138
|
+
includeUndefinedAttributes
|
137
139
|
} = _ref8;
|
138
140
|
const decoded = await verifyCredentialSdJwt(credential, issuerConf.openid_credential_issuer.jwks.keys, credentialCryptoContext);
|
139
|
-
const parsedCredential = parseCredentialSdJwt(issuerConf.openid_credential_issuer.credential_configurations_supported, decoded, ignoreMissingAttributes);
|
141
|
+
const parsedCredential = parseCredentialSdJwt(issuerConf.openid_credential_issuer.credential_configurations_supported, decoded, ignoreMissingAttributes, includeUndefinedAttributes);
|
142
|
+
const maybeIssuedAt = (0, _converters.getValueFromDisclosures)(decoded.disclosures, "iat");
|
140
143
|
return {
|
141
|
-
parsedCredential
|
144
|
+
parsedCredential,
|
145
|
+
expiration: new Date(decoded.sdJwt.payload.exp * 1000),
|
146
|
+
issuedAt: typeof maybeIssuedAt === "number" ? new Date(maybeIssuedAt * 1000) : undefined
|
142
147
|
};
|
143
148
|
};
|
144
149
|
|
@@ -148,7 +153,9 @@ const verifyAndParseCredentialSdJwt = async (issuerConf, credential, _, _ref8) =
|
|
148
153
|
* @param credential The encoded credential returned by {@link obtainCredential}
|
149
154
|
* @param format The format of the credentual returned by {@link obtainCredential}
|
150
155
|
* @param context.credentialCryptoContext The crypto context used to obtain the credential in {@link obtainCredential}
|
151
|
-
* @
|
156
|
+
* @param context.ignoreMissingAttributes Skip error when attributes declared in the issuer configuration are not found within disclosures
|
157
|
+
* @param context.includeUndefinedAttributes Include attributes not explicitly declared in the issuer configuration
|
158
|
+
* @returns A parsed credential with attributes in plain value, the expiration and issuance date of the credential
|
152
159
|
* @throws {IoWalletError} If the credential signature is not verified with the Issuer key set
|
153
160
|
* @throws {IoWalletError} If the credential is not bound to the provided user key
|
154
161
|
* @throws {IoWalletError} If the credential data fail to parse
|
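Review bot: `expiration: new Date(decoded.sdJwt.payload.exp * 1000)` in verifyAndParseCredentialSdJwt turns a missing or non-numeric `exp` into an Invalid Date with no error, while `iat` on the line above is type-checked before conversion and the declared return type promises a usable `Date`; unless the SdJwt4VC schema already requires a numeric `exp` (not visible here), guard it the same way, e.g. `if (typeof decoded.sdJwt.payload.exp !== "number") throw new _errors.IoWalletError("Credential has no valid exp claim");`. The two timestamps are also read from different places — `exp` from the signed payload, `iat` only from the disclosures — so a credential that carries `iat` as a plain payload claim yields `issuedAt: undefined` even though it is well-formed; if the payload type carries `iat`, a fallback such as `(0, _converters.getValueFromDisclosures)(decoded.disclosures, "iat") ?? decoded.sdJwt.payload.iat` would avoid that. Computing `expiration` here does not reject an already-expired credential; that is fine if verifyCredentialSdJwt (outside this hunk) enforces it, otherwise the `@returns` doc should state that callers are expected to check it. The same lines appear in lib/module/credential/issuance/07-verify-and-parse-credential.js and in src/credential/issuance/07-verify-and-parse-credential.ts further down (the src section's last hunk runs past the end of this page).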
@@ -1 +1 @@
|
|
1
|
-
{"version":3,"names":["_errors","require","_types","_sdJwt","parseCredentialSdJwt","credentials_supported","_ref","sdJwt","disclosures","ignoreMissingAttributes","arguments","length","undefined","includeUndefinedAttributes","credentialSubject","payload","vct","IoWalletError","format","header","typ","claims","attrDefinitions","Object","entries","attrsNotInDisclosures","filter","_ref2","attrKey","some","_ref3","name","missing","map","_","join","received","definedValues","fromEntries","_ref4","_disclosures$find","definition","value","find","_ref5","display","reduce","names","_ref6","locale","undefinedValues","keys","includes","_ref7","key","verifyCredentialSdJwt","rawCredential","issuerKeys","holderBindingContext","decodedCredential","holderBindingKey","Promise","all","verifySdJwt","SdJwt4VC","getPublicKey","cnf","jwk","kid","verifyAndParseCredentialSdJwt","issuerConf","credential","_ref8","credentialCryptoContext","decoded","openid_credential_issuer","jwks","parsedCredential","credential_configurations_supported","verifyAndParseCredential","context","exports"],"sourceRoot":"../../../../src","sources":["credential/issuance/07-verify-and-parse-credential.ts"],"mappings":";;;;;;
|
1
|
+
{"version":3,"names":["_errors","require","_types","_sdJwt","_converters","parseCredentialSdJwt","credentials_supported","_ref","sdJwt","disclosures","ignoreMissingAttributes","arguments","length","undefined","includeUndefinedAttributes","credentialSubject","payload","vct","IoWalletError","format","header","typ","claims","attrDefinitions","Object","entries","attrsNotInDisclosures","filter","_ref2","attrKey","some","_ref3","name","missing","map","_","join","received","definedValues","fromEntries","_ref4","_disclosures$find","definition","value","find","_ref5","display","reduce","names","_ref6","locale","undefinedValues","keys","includes","_ref7","key","verifyCredentialSdJwt","rawCredential","issuerKeys","holderBindingContext","decodedCredential","holderBindingKey","Promise","all","verifySdJwt","SdJwt4VC","getPublicKey","cnf","jwk","kid","verifyAndParseCredentialSdJwt","issuerConf","credential","_ref8","credentialCryptoContext","decoded","openid_credential_issuer","jwks","parsedCredential","credential_configurations_supported","maybeIssuedAt","getValueFromDisclosures","expiration","Date","exp","issuedAt","verifyAndParseCredential","context","exports"],"sourceRoot":"../../../../src","sources":["credential/issuance/07-verify-and-parse-credential.ts"],"mappings":";;;;;;AAGA,IAAAA,OAAA,GAAAC,OAAA;AACA,IAAAC,MAAA,GAAAD,OAAA;AACA,IAAAE,MAAA,GAAAF,OAAA;AACA,IAAAG,WAAA,GAAAH,OAAA;AAyBA;;AAkBA;;AAKA,MAAMI,oBAAoB,GAAG,SAAAA,CAE3BC,qBAAgI,EAAAC,IAAA,EAI3G;EAAA,IAHrB;IAAEC,KAAK;IAAEC;EAAoC,CAAC,GAAAF,IAAA;EAAA,IAC9CG,uBAAgC,GAAAC,SAAA,CAAAC,MAAA,QAAAD,SAAA,QAAAE,SAAA,GAAAF,SAAA,MAAG,KAAK;EAAA,IACxCG,0BAAmC,GAAAH,SAAA,CAAAC,MAAA,QAAAD,SAAA,QAAAE,SAAA,GAAAF,SAAA,MAAG,KAAK;EAE3C,MAAMI,iBAAiB,GAAGT,qBAAqB,CAACE,KAAK,CAACQ,OAAO,CAACC,GAAG,CAAC;EAElE,IAAI,CAACF,iBAAiB,EAAE;IACtB,MAAM,IAAIG,qBAAa,CAAC,6CAA6C,CAAC;EACxE;EAEA,IAAIH,iBAAiB,CAACI,MAAM,KAAKX,KAAK,CAACY,MAAM,CAACC,GAAG,EAAE;IACjD,MAAM,IAAIH,qBAAa,CACpB,gEAA+DH,iBAAiB,CAACI,MAAO,gBAAeX,KAAK,CAACY,MAAM,CAACC,GAAI,KAC3H,CAAC;EAC
H;;EAEA;EACA,IAAI,CAACN,iBAAiB,CAACO,MAAM,EAAE;IAC7B,MAAM,IAAIJ,qBAAa,CAAC,0CAA0C,CAAC,CAAC,CAAC;EACvE;;EACA,MAAMK,eAAe,GAAGC,MAAM,CAACC,OAAO,CAACV,iBAAiB,CAACO,MAAM,CAAC;;EAEhE;EACA,MAAMI,qBAAqB,GAAGH,eAAe,CAACI,MAAM,CAClDC,KAAA;IAAA,IAAC,CAACC,OAAO,CAAC,GAAAD,KAAA;IAAA,OAAK,CAACnB,WAAW,CAACqB,IAAI,CAACC,KAAA;MAAA,IAAC,GAAGC,IAAI,CAAC,GAAAD,KAAA;MAAA,OAAKC,IAAI,KAAKH,OAAO;IAAA,EAAC;EAAA,CAClE,CAAC;EACD,IAAIH,qBAAqB,CAACd,MAAM,GAAG,CAAC,EAAE;IACpC,MAAMqB,OAAO,GAAGP,qBAAqB,CAACQ,GAAG,CAAEC,CAAC,IAAKA,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,CAACC,IAAI,CAAC,IAAI,CAAC;IAC3E,MAAMC,QAAQ,GAAG5B,WAAW,CAACyB,GAAG,CAAEC,CAAC,IAAKA,CAAC,CAAC,CAAC,CAAC,WAAW,CAAC,CAACC,IAAI,CAAC,IAAI,CAAC;IACnE,IAAI,CAAC1B,uBAAuB,EAAE;MAC5B,MAAM,IAAIQ,qBAAa,CACpB,4DAA2De,OAAQ,iBAAgBI,QAAS,GAC/F,CAAC;IACH;EACF;;EAEA;EACA;EACA,MAAMC,aAAa,GAAGd,MAAM,CAACe,WAAW,CACtChB;EACE;EAAA,CACCW,GAAG,CACFM,KAAA;IAAA,IAAAC,iBAAA;IAAA,IAAC,CAACZ,OAAO,EAAEa,UAAU,CAAC,GAAAF,KAAA;IAAA,OACpB,CACEX,OAAO,EACP;MACE,GAAGa,UAAU;MACbC,KAAK,GAAAF,iBAAA,GAAEhC,WAAW,CAACmC,IAAI,CACpBT,CAAC,IAAKA,CAAC,CAAC,CAAC,CAAC,WAAW,KAAKN,OAC7B,CAAC,cAAAY,iBAAA,uBAFMA,iBAAA,CAEH,CAAC,CAAC;IACR,CAAC,CACF;EAAA,CACL;EACA;EACA;EAAA,CACCP,GAAG,CACFW,KAAA;IAAA,IAAC,CAAChB,OAAO,EAAE;MAAEiB,OAAO;MAAE,GAAGJ;IAAW,CAAC,CAAC,GAAAG,KAAA;IAAA,OACpC,CACEhB,OAAO,EACP;MACE,GAAGa,UAAU;MACbV,IAAI,EAAEc,OAAO,CAACC,MAAM,CAClB,CAACC,KAAK,EAAAC,KAAA;QAAA,IAAE;UAAEC,MAAM;UAAElB;QAAK,CAAC,GAAAiB,KAAA;QAAA,OAAM;UAAE,GAAGD,KAAK;UAAE,CAACE,MAAM,GAAGlB;QAAK,CAAC;MAAA,CAAC,EAC3D,CAAC,CACH;IACF,CAAC,CACF;EAAA,CACL,CACJ,CAAC;EAED,IAAIlB,0BAA0B,EAAE;IAC9B;IACA;IACA,MAAMqC,eAAe,GAAG3B,MAAM,CAACe,WAAW,CACxC9B,WAAW,CACRkB,MAAM,CAAEQ,CAAC,IAAK,CAACX,MAAM,CAAC4B,IAAI,CAACd,aAAa,CAAC,CAACe,QAAQ,CAAClB,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CACzDD,GAAG,CAACoB,KAAA;MAAA,IAAC,GAAGC,GAAG,EAAEZ,KAAK,CAAC,GAAAW,KAAA;MAAA,OAAK,CAACC,GAAG,EAAE;QAAEZ,KAAK;QAAEX,IAAI,EAAEuB;MAAI,CAAC,CAAC;IAAA,EACxD,CAAC;IACD,OAAO;MACL,GAAGjB,aAAa;MAChB,GAAGa;IACL,CAAC;EACH;EAEA,OAAOb,aAAa;AACtB,CAAC;;AAED;AACA;AACA;AACA
;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,eAAekB,qBAAqBA,CAClCC,aAAqB,EACrBC,UAAiB,EACjBC,oBAAmC,EACF;EACjC,MAAM,CAACC,iBAAiB,EAAEC,gBAAgB,CAAC;EACzC;EACA,MAAMC,OAAO,CAACC,GAAG,CAAC,CAChB,IAAAC,aAAW,EAACP,aAAa,EAAEC,UAAU,EAAEO,eAAQ,CAAC,EAChDN,oBAAoB,CAACO,YAAY,CAAC,CAAC,CACpC,CAAC;EAEJ,MAAM;IAAEC;EAAI,CAAC,GAAGP,iBAAiB,CAACpD,KAAK,CAACQ,OAAO;EAE/C,IAAI,CAACmD,GAAG,CAACC,GAAG,CAACC,GAAG,IAAIF,GAAG,CAACC,GAAG,CAACC,GAAG,KAAKR,gBAAgB,CAACQ,GAAG,EAAE;IACxD,MAAM,IAAInD,qBAAa,CACpB,kDAAiD2C,gBAAgB,CAACQ,GAAI,UAAST,iBAAiB,CAACpD,KAAK,CAACQ,OAAO,CAACmD,GAAG,CAACC,GAAG,CAACC,GAAI,EAC9H,CAAC;EACH;EAEA,OAAOT,iBAAiB;AAC1B;;AAEA;;AAQA,MAAMU,6BAAsD,GAAG,MAAAA,CAC7DC,UAAU,EACVC,UAAU,EACVrC,CAAC,EAAAsC,KAAA,KAME;EAAA,IALH;IACEC,uBAAuB;IACvBhE,uBAAuB;IACvBI;EACF,CAAC,GAAA2D,KAAA;EAED,MAAME,OAAO,GAAG,MAAMnB,qBAAqB,CACzCgB,UAAU,EACVD,UAAU,CAACK,wBAAwB,CAACC,IAAI,CAACzB,IAAI,EAC7CsB,uBACF,CAAC;EAED,MAAMI,gBAAgB,GAAGzE,oBAAoB,CAC3CkE,UAAU,CAACK,wBAAwB,CAACG,mCAAmC,EACvEJ,OAAO,EACPjE,uBAAuB,EACvBI,0BACF,CAAC;EAED,MAAMkE,aAAa,GAAG,IAAAC,mCAAuB,EAACN,OAAO,CAAClE,WAAW,EAAE,KAAK,CAAC;EAEzE,OAAO;IACLqE,gBAAgB;IAChBI,UAAU,EAAE,IAAIC,IAAI,CAACR,OAAO,CAACnE,KAAK,CAACQ,OAAO,CAACoE,GAAG,GAAG,IAAI,CAAC;IACtDC,QAAQ,EACN,OAAOL,aAAa,KAAK,QAAQ,GAC7B,IAAIG,IAAI,CAACH,aAAa,GAAG,IAAI,CAAC,GAC9BnE;EACR,CAAC;AACH,CAAC;;AAED;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACO,MAAMyE,wBAAkD,GAAG,MAAAA,CAChEf,UAAU,EACVC,UAAU,EACVrD,MAAM,EACNoE,OAAO,KACJ;EACH,IAAIpE,MAAM,KAAK,WAAW,EAAE;IAC1B,OAAOmD,6BAA6B,CAClCC,UAAU,EACVC,UAAU,EACVrD,MAAM,EACNoE,OACF,CAAC;EACH;EAEA,MAAM,IAAIrE,qBAAa,CAAE,kCAAiCC,MAAO,EAAC,CAAC;AACrE,CAAC;AAACqE,OAAA,CAAAF,wBAAA,GAAAA,wBAAA"}
|
@@ -39,10 +39,19 @@ graph TD;
|
|
39
39
|
|
40
40
|
## Mapped results
|
41
41
|
|
42
|
+
### 201 Created (CredentialIssuingNotSynchronousError)
|
43
|
+
|
44
|
+
A `201 Created` response is returned by the credential issuer when the request has been queued because the credential cannot be issued synchronously. The consumer should try to obtain the credential at a later time.
|
45
|
+
|
42
46
|
### 404 Not Found (CredentialNotEntitledError)
|
43
47
|
|
44
48
|
A `404 Not Found` response is returned by the credential issuer when the authenticated user is not entitled to receive the requested credential.
|
45
49
|
|
50
|
+
### 201 Created (CredentialIssuingNotSynchronousError)
|
51
|
+
|
52
|
+
Although `201 Created` is not considered an error, it is mapped as an error in this context in order to handle the case where the credential issuance is not synchronous.
|
53
|
+
This allows keeping the flow consistent and handle the case where the credential is not immediately available.
|
54
|
+
|
46
55
|
## Strong authentication for eID issuance (Query Mode)
|
47
56
|
|
48
57
|
The eID issuance requires a strong authentication method. Currently SPID (L2), CieID (L2) and CIE+PIN (L3) are supported. The strong authentication method is determined by the IDP hint which is passed to the `completeUserAuthorizationWithQueryMode` function.
|
@@ -175,12 +184,19 @@ const { credential, format } = await Credential.Issuance.obtainCredential(
|
|
175
184
|
}
|
176
185
|
);
|
177
186
|
|
178
|
-
|
187
|
+
/*
|
188
|
+
* Parse and verify the credential. The ignoreMissingAttributes flag must be set to false or omitted in production.
|
189
|
+
* WARNING: includeUndefinedAttributes should not be set to true in production in order to get only claims explicitly declared by the issuer.
|
190
|
+
*/
|
179
191
|
const { parsedCredential } = await Credential.Issuance.verifyAndParseCredential(
|
180
192
|
issuerConf,
|
181
193
|
credential,
|
182
194
|
format,
|
183
|
-
{
|
195
|
+
{
|
196
|
+
credentialCryptoContext,
|
197
|
+
ignoreMissingAttributes: true,
|
198
|
+
includeUndefinedAttributes: false
|
199
|
+
}
|
184
200
|
);
|
185
201
|
|
186
202
|
return {
|
@@ -303,7 +319,7 @@ const { credential, format } = await Credential.Issuance.obtainCredential(
|
|
303
319
|
);
|
304
320
|
|
305
321
|
// Parse and verify the eID credential
|
306
|
-
const { parsedCredential } = await Credential.Issuance.verifyAndParseCredential(
|
322
|
+
const { parsedCredential, issuedAt, expiration } = await Credential.Issuance.verifyAndParseCredential(
|
307
323
|
issuerConf,
|
308
324
|
credential,
|
309
325
|
format,
|
@@ -315,9 +331,11 @@ return {
|
|
315
331
|
credential,
|
316
332
|
keyTag: credentialKeyTag,
|
317
333
|
credentialType,
|
334
|
+
issuedAt,
|
335
|
+
expiration
|
318
336
|
};
|
319
337
|
```
|
320
338
|
|
321
|
-
The result of this flow is a
|
339
|
+
The result of this flow is a raw credential and a parsed credential which must be stored securely in the wallet along with its crypto key.
|
322
340
|
|
323
341
|
</details>
|
@@ -1,6 +1,7 @@
|
|
1
1
|
import { IoWalletError } from "../../utils/errors";
|
2
2
|
import { SdJwt4VC } from "../../sd-jwt/types";
|
3
3
|
import { verify as verifySdJwt } from "../../sd-jwt";
|
4
|
+
import { getValueFromDisclosures } from "../../sd-jwt/converters";
|
4
5
|
|
5
6
|
// The credential as a collection of attributes in plain value
|
6
7
|
|
@@ -128,12 +129,16 @@ async function verifyCredentialSdJwt(rawCredential, issuerKeys, holderBindingCon
|
|
128
129
|
const verifyAndParseCredentialSdJwt = async (issuerConf, credential, _, _ref8) => {
|
129
130
|
let {
|
130
131
|
credentialCryptoContext,
|
131
|
-
ignoreMissingAttributes
|
132
|
+
ignoreMissingAttributes,
|
133
|
+
includeUndefinedAttributes
|
132
134
|
} = _ref8;
|
133
135
|
const decoded = await verifyCredentialSdJwt(credential, issuerConf.openid_credential_issuer.jwks.keys, credentialCryptoContext);
|
134
|
-
const parsedCredential = parseCredentialSdJwt(issuerConf.openid_credential_issuer.credential_configurations_supported, decoded, ignoreMissingAttributes);
|
136
|
+
const parsedCredential = parseCredentialSdJwt(issuerConf.openid_credential_issuer.credential_configurations_supported, decoded, ignoreMissingAttributes, includeUndefinedAttributes);
|
137
|
+
const maybeIssuedAt = getValueFromDisclosures(decoded.disclosures, "iat");
|
135
138
|
return {
|
136
|
-
parsedCredential
|
139
|
+
parsedCredential,
|
140
|
+
expiration: new Date(decoded.sdJwt.payload.exp * 1000),
|
141
|
+
issuedAt: typeof maybeIssuedAt === "number" ? new Date(maybeIssuedAt * 1000) : undefined
|
137
142
|
};
|
138
143
|
};
|
139
144
|
|
@@ -143,7 +148,9 @@ const verifyAndParseCredentialSdJwt = async (issuerConf, credential, _, _ref8) =
|
|
143
148
|
* @param credential The encoded credential returned by {@link obtainCredential}
|
144
149
|
* @param format The format of the credentual returned by {@link obtainCredential}
|
145
150
|
* @param context.credentialCryptoContext The crypto context used to obtain the credential in {@link obtainCredential}
|
146
|
-
* @
|
151
|
+
* @param context.ignoreMissingAttributes Skip error when attributes declared in the issuer configuration are not found within disclosures
|
152
|
+
* @param context.includeUndefinedAttributes Include attributes not explicitly declared in the issuer configuration
|
153
|
+
* @returns A parsed credential with attributes in plain value, the expiration and issuance date of the credential
|
147
154
|
* @throws {IoWalletError} If the credential signature is not verified with the Issuer key set
|
148
155
|
* @throws {IoWalletError} If the credential is not bound to the provided user key
|
149
156
|
* @throws {IoWalletError} If the credential data fail to parse
|
@@ -1 +1 @@
|
|
1
|
-
{"version":3,"names":["IoWalletError","SdJwt4VC","verify","verifySdJwt","parseCredentialSdJwt","credentials_supported","_ref","sdJwt","disclosures","ignoreMissingAttributes","arguments","length","undefined","includeUndefinedAttributes","credentialSubject","payload","vct","format","header","typ","claims","attrDefinitions","Object","entries","attrsNotInDisclosures","filter","_ref2","attrKey","some","_ref3","name","missing","map","_","join","received","definedValues","fromEntries","_ref4","_disclosures$find","definition","value","find","_ref5","display","reduce","names","_ref6","locale","undefinedValues","keys","includes","_ref7","key","verifyCredentialSdJwt","rawCredential","issuerKeys","holderBindingContext","decodedCredential","holderBindingKey","Promise","all","getPublicKey","cnf","jwk","kid","verifyAndParseCredentialSdJwt","issuerConf","credential","_ref8","credentialCryptoContext","decoded","openid_credential_issuer","jwks","parsedCredential","credential_configurations_supported","verifyAndParseCredential","context"],"sourceRoot":"../../../../src","sources":["credential/issuance/07-verify-and-parse-credential.ts"],"mappings":"
|
1
|
+
{"version":3,"names":["IoWalletError","SdJwt4VC","verify","verifySdJwt","getValueFromDisclosures","parseCredentialSdJwt","credentials_supported","_ref","sdJwt","disclosures","ignoreMissingAttributes","arguments","length","undefined","includeUndefinedAttributes","credentialSubject","payload","vct","format","header","typ","claims","attrDefinitions","Object","entries","attrsNotInDisclosures","filter","_ref2","attrKey","some","_ref3","name","missing","map","_","join","received","definedValues","fromEntries","_ref4","_disclosures$find","definition","value","find","_ref5","display","reduce","names","_ref6","locale","undefinedValues","keys","includes","_ref7","key","verifyCredentialSdJwt","rawCredential","issuerKeys","holderBindingContext","decodedCredential","holderBindingKey","Promise","all","getPublicKey","cnf","jwk","kid","verifyAndParseCredentialSdJwt","issuerConf","credential","_ref8","credentialCryptoContext","decoded","openid_credential_issuer","jwks","parsedCredential","credential_configurations_supported","maybeIssuedAt","expiration","Date","exp","issuedAt","verifyAndParseCredential","context"],"sourceRoot":"../../../../src","sources":["credential/issuance/07-verify-and-parse-credential.ts"],"mappings":"AAGA,SAASA,aAAa,QAAQ,oBAAoB;AAClD,SAASC,QAAQ,QAAQ,oBAAoB;AAC7C,SAASC,MAAM,IAAIC,WAAW,QAAQ,cAAc;AACpD,SAASC,uBAAuB,QAAQ,yBAAyB;;AAyBjE;;AAkBA;;AAKA,MAAMC,oBAAoB,GAAG,SAAAA,CAE3BC,qBAAgI,EAAAC,IAAA,EAI3G;EAAA,IAHrB;IAAEC,KAAK;IAAEC;EAAoC,CAAC,GAAAF,IAAA;EAAA,IAC9CG,uBAAgC,GAAAC,SAAA,CAAAC,MAAA,QAAAD,SAAA,QAAAE,SAAA,GAAAF,SAAA,MAAG,KAAK;EAAA,IACxCG,0BAAmC,GAAAH,SAAA,CAAAC,MAAA,QAAAD,SAAA,QAAAE,SAAA,GAAAF,SAAA,MAAG,KAAK;EAE3C,MAAMI,iBAAiB,GAAGT,qBAAqB,CAACE,KAAK,CAACQ,OAAO,CAACC,GAAG,CAAC;EAElE,IAAI,CAACF,iBAAiB,EAAE;IACtB,MAAM,IAAIf,aAAa,CAAC,6CAA6C,CAAC;EACxE;EAEA,IAAIe,iBAAiB,CAACG,MAAM,KAAKV,KAAK,CAACW,MAAM,CAACC,GAAG,EAAE;IACjD,MAAM,IAAIpB,aAAa,CACpB,gEAA+De,iBAAiB,CAACG,MAAO,gBAAeV,KAAK,CAACW,MAAM,CAACC,GAAI,KAC3H,CAAC;EACH;;EAEA;EACA,IAAI,CAACL,iBAAiB,CAACM,MAA
M,EAAE;IAC7B,MAAM,IAAIrB,aAAa,CAAC,0CAA0C,CAAC,CAAC,CAAC;EACvE;;EACA,MAAMsB,eAAe,GAAGC,MAAM,CAACC,OAAO,CAACT,iBAAiB,CAACM,MAAM,CAAC;;EAEhE;EACA,MAAMI,qBAAqB,GAAGH,eAAe,CAACI,MAAM,CAClDC,KAAA;IAAA,IAAC,CAACC,OAAO,CAAC,GAAAD,KAAA;IAAA,OAAK,CAAClB,WAAW,CAACoB,IAAI,CAACC,KAAA;MAAA,IAAC,GAAGC,IAAI,CAAC,GAAAD,KAAA;MAAA,OAAKC,IAAI,KAAKH,OAAO;IAAA,EAAC;EAAA,CAClE,CAAC;EACD,IAAIH,qBAAqB,CAACb,MAAM,GAAG,CAAC,EAAE;IACpC,MAAMoB,OAAO,GAAGP,qBAAqB,CAACQ,GAAG,CAAEC,CAAC,IAAKA,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,CAACC,IAAI,CAAC,IAAI,CAAC;IAC3E,MAAMC,QAAQ,GAAG3B,WAAW,CAACwB,GAAG,CAAEC,CAAC,IAAKA,CAAC,CAAC,CAAC,CAAC,WAAW,CAAC,CAACC,IAAI,CAAC,IAAI,CAAC;IACnE,IAAI,CAACzB,uBAAuB,EAAE;MAC5B,MAAM,IAAIV,aAAa,CACpB,4DAA2DgC,OAAQ,iBAAgBI,QAAS,GAC/F,CAAC;IACH;EACF;;EAEA;EACA;EACA,MAAMC,aAAa,GAAGd,MAAM,CAACe,WAAW,CACtChB;EACE;EAAA,CACCW,GAAG,CACFM,KAAA;IAAA,IAAAC,iBAAA;IAAA,IAAC,CAACZ,OAAO,EAAEa,UAAU,CAAC,GAAAF,KAAA;IAAA,OACpB,CACEX,OAAO,EACP;MACE,GAAGa,UAAU;MACbC,KAAK,GAAAF,iBAAA,GAAE/B,WAAW,CAACkC,IAAI,CACpBT,CAAC,IAAKA,CAAC,CAAC,CAAC,CAAC,WAAW,KAAKN,OAC7B,CAAC,cAAAY,iBAAA,uBAFMA,iBAAA,CAEH,CAAC,CAAC;IACR,CAAC,CACF;EAAA,CACL;EACA;EACA;EAAA,CACCP,GAAG,CACFW,KAAA;IAAA,IAAC,CAAChB,OAAO,EAAE;MAAEiB,OAAO;MAAE,GAAGJ;IAAW,CAAC,CAAC,GAAAG,KAAA;IAAA,OACpC,CACEhB,OAAO,EACP;MACE,GAAGa,UAAU;MACbV,IAAI,EAAEc,OAAO,CAACC,MAAM,CAClB,CAACC,KAAK,EAAAC,KAAA;QAAA,IAAE;UAAEC,MAAM;UAAElB;QAAK,CAAC,GAAAiB,KAAA;QAAA,OAAM;UAAE,GAAGD,KAAK;UAAE,CAACE,MAAM,GAAGlB;QAAK,CAAC;MAAA,CAAC,EAC3D,CAAC,CACH;IACF,CAAC,CACF;EAAA,CACL,CACJ,CAAC;EAED,IAAIjB,0BAA0B,EAAE;IAC9B;IACA;IACA,MAAMoC,eAAe,GAAG3B,MAAM,CAACe,WAAW,CACxC7B,WAAW,CACRiB,MAAM,CAAEQ,CAAC,IAAK,CAACX,MAAM,CAAC4B,IAAI,CAACd,aAAa,CAAC,CAACe,QAAQ,CAAClB,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CACzDD,GAAG,CAACoB,KAAA;MAAA,IAAC,GAAGC,GAAG,EAAEZ,KAAK,CAAC,GAAAW,KAAA;MAAA,OAAK,CAACC,GAAG,EAAE;QAAEZ,KAAK;QAAEX,IAAI,EAAEuB;MAAI,CAAC,CAAC;IAAA,EACxD,CAAC;IACD,OAAO;MACL,GAAGjB,aAAa;MAChB,GAAGa;IACL,CAAC;EACH;EAEA,OAAOb,aAAa;AACtB,CAAC;;AAED;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAC
A;AACA;AACA;AACA;AACA,eAAekB,qBAAqBA,CAClCC,aAAqB,EACrBC,UAAiB,EACjBC,oBAAmC,EACF;EACjC,MAAM,CAACC,iBAAiB,EAAEC,gBAAgB,CAAC;EACzC;EACA,MAAMC,OAAO,CAACC,GAAG,CAAC,CAChB3D,WAAW,CAACqD,aAAa,EAAEC,UAAU,EAAExD,QAAQ,CAAC,EAChDyD,oBAAoB,CAACK,YAAY,CAAC,CAAC,CACpC,CAAC;EAEJ,MAAM;IAAEC;EAAI,CAAC,GAAGL,iBAAiB,CAACnD,KAAK,CAACQ,OAAO;EAE/C,IAAI,CAACgD,GAAG,CAACC,GAAG,CAACC,GAAG,IAAIF,GAAG,CAACC,GAAG,CAACC,GAAG,KAAKN,gBAAgB,CAACM,GAAG,EAAE;IACxD,MAAM,IAAIlE,aAAa,CACpB,kDAAiD4D,gBAAgB,CAACM,GAAI,UAASP,iBAAiB,CAACnD,KAAK,CAACQ,OAAO,CAACgD,GAAG,CAACC,GAAG,CAACC,GAAI,EAC9H,CAAC;EACH;EAEA,OAAOP,iBAAiB;AAC1B;;AAEA;;AAQA,MAAMQ,6BAAsD,GAAG,MAAAA,CAC7DC,UAAU,EACVC,UAAU,EACVnC,CAAC,EAAAoC,KAAA,KAME;EAAA,IALH;IACEC,uBAAuB;IACvB7D,uBAAuB;IACvBI;EACF,CAAC,GAAAwD,KAAA;EAED,MAAME,OAAO,GAAG,MAAMjB,qBAAqB,CACzCc,UAAU,EACVD,UAAU,CAACK,wBAAwB,CAACC,IAAI,CAACvB,IAAI,EAC7CoB,uBACF,CAAC;EAED,MAAMI,gBAAgB,GAAGtE,oBAAoB,CAC3C+D,UAAU,CAACK,wBAAwB,CAACG,mCAAmC,EACvEJ,OAAO,EACP9D,uBAAuB,EACvBI,0BACF,CAAC;EAED,MAAM+D,aAAa,GAAGzE,uBAAuB,CAACoE,OAAO,CAAC/D,WAAW,EAAE,KAAK,CAAC;EAEzE,OAAO;IACLkE,gBAAgB;IAChBG,UAAU,EAAE,IAAIC,IAAI,CAACP,OAAO,CAAChE,KAAK,CAACQ,OAAO,CAACgE,GAAG,GAAG,IAAI,CAAC;IACtDC,QAAQ,EACN,OAAOJ,aAAa,KAAK,QAAQ,GAC7B,IAAIE,IAAI,CAACF,aAAa,GAAG,IAAI,CAAC,GAC9BhE;EACR,CAAC;AACH,CAAC;;AAED;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,MAAMqE,wBAAkD,GAAG,MAAAA,CAChEd,UAAU,EACVC,UAAU,EACVnD,MAAM,EACNiE,OAAO,KACJ;EACH,IAAIjE,MAAM,KAAK,WAAW,EAAE;IAC1B,OAAOiD,6BAA6B,CAClCC,UAAU,EACVC,UAAU,EACVnD,MAAM,EACNiE,OACF,CAAC;EACH;EAEA,MAAM,IAAInF,aAAa,CAAE,kCAAiCkB,MAAO,EAAC,CAAC;AACrE,CAAC"}
|
@@ -39,10 +39,19 @@ graph TD;
|
|
39
39
|
|
40
40
|
## Mapped results
|
41
41
|
|
42
|
+
### 201 Created (CredentialIssuingNotSynchronousError)
|
43
|
+
|
44
|
+
A `201 Created` response is returned by the credential issuer when the request has been queued because the credential cannot be issued synchronously. The consumer should try to obtain the credential at a later time.
|
45
|
+
|
42
46
|
### 404 Not Found (CredentialNotEntitledError)
|
43
47
|
|
44
48
|
A `404 Not Found` response is returned by the credential issuer when the authenticated user is not entitled to receive the requested credential.
|
45
49
|
|
50
|
+
### 201 Created (CredentialIssuingNotSynchronousError)
|
51
|
+
|
52
|
+
Although `201 Created` is not considered an error, it is mapped as an error in this context in order to handle the case where the credential issuance is not synchronous.
|
53
|
+
This allows keeping the flow consistent and handle the case where the credential is not immediately available.
|
54
|
+
|
46
55
|
## Strong authentication for eID issuance (Query Mode)
|
47
56
|
|
48
57
|
The eID issuance requires a strong authentication method. Currently SPID (L2), CieID (L2) and CIE+PIN (L3) are supported. The strong authentication method is determined by the IDP hint which is passed to the `completeUserAuthorizationWithQueryMode` function.
|
@@ -175,12 +184,19 @@ const { credential, format } = await Credential.Issuance.obtainCredential(
|
|
175
184
|
}
|
176
185
|
);
|
177
186
|
|
178
|
-
|
187
|
+
/*
|
188
|
+
* Parse and verify the credential. The ignoreMissingAttributes flag must be set to false or omitted in production.
|
189
|
+
* WARNING: includeUndefinedAttributes should not be set to true in production in order to get only claims explicitly declared by the issuer.
|
190
|
+
*/
|
179
191
|
const { parsedCredential } = await Credential.Issuance.verifyAndParseCredential(
|
180
192
|
issuerConf,
|
181
193
|
credential,
|
182
194
|
format,
|
183
|
-
{
|
195
|
+
{
|
196
|
+
credentialCryptoContext,
|
197
|
+
ignoreMissingAttributes: true,
|
198
|
+
includeUndefinedAttributes: false
|
199
|
+
}
|
184
200
|
);
|
185
201
|
|
186
202
|
return {
|
@@ -303,7 +319,7 @@ const { credential, format } = await Credential.Issuance.obtainCredential(
|
|
303
319
|
);
|
304
320
|
|
305
321
|
// Parse and verify the eID credential
|
306
|
-
const { parsedCredential } = await Credential.Issuance.verifyAndParseCredential(
|
322
|
+
const { parsedCredential, issuedAt, expiration } = await Credential.Issuance.verifyAndParseCredential(
|
307
323
|
issuerConf,
|
308
324
|
credential,
|
309
325
|
format,
|
@@ -315,9 +331,11 @@ return {
|
|
315
331
|
credential,
|
316
332
|
keyTag: credentialKeyTag,
|
317
333
|
credentialType,
|
334
|
+
issuedAt,
|
335
|
+
expiration
|
318
336
|
};
|
319
337
|
```
|
320
338
|
|
321
|
-
The result of this flow is a
|
339
|
+
The result of this flow is a raw credential and a parsed credential which must be stored securely in the wallet along with its crypto key.
|
322
340
|
|
323
341
|
</details>
|
@@ -1,13 +1,21 @@
|
|
1
|
+
import type { CryptoContext } from "@pagopa/io-react-native-jwt";
|
1
2
|
import type { Out } from "../../utils/misc";
|
2
3
|
import type { EvaluateIssuerTrust } from "./02-evaluate-issuer-trust";
|
3
|
-
import type { CryptoContext } from "@pagopa/io-react-native-jwt";
|
4
4
|
import type { ObtainCredential } from "./06-obtain-credential";
|
5
5
|
export type VerifyAndParseCredential = (issuerConf: Out<EvaluateIssuerTrust>["issuerConf"], credential: Out<ObtainCredential>["credential"], format: Out<ObtainCredential>["format"], context: {
|
6
6
|
credentialCryptoContext: CryptoContext;
|
7
|
+
/**
|
8
|
+
* Do not throw an error when an attribute is not found within disclosures.
|
9
|
+
*/
|
7
10
|
ignoreMissingAttributes?: boolean;
|
11
|
+
/**
|
12
|
+
* Include attributes that are not explicitly mapped in the issuer configuration.
|
13
|
+
*/
|
8
14
|
includeUndefinedAttributes?: boolean;
|
9
15
|
}) => Promise<{
|
10
16
|
parsedCredential: ParsedCredential;
|
17
|
+
expiration: Date;
|
18
|
+
issuedAt: Date | undefined;
|
11
19
|
}>;
|
12
20
|
type ParsedCredential = Record<
|
13
21
|
/** Attribute key */
|
@@ -23,7 +31,9 @@ string, {
|
|
23
31
|
* @param credential The encoded credential returned by {@link obtainCredential}
|
24
32
|
* @param format The format of the credentual returned by {@link obtainCredential}
|
25
33
|
* @param context.credentialCryptoContext The crypto context used to obtain the credential in {@link obtainCredential}
|
26
|
-
* @
|
34
|
+
* @param context.ignoreMissingAttributes Skip error when attributes declared in the issuer configuration are not found within disclosures
|
35
|
+
* @param context.includeUndefinedAttributes Include attributes not explicitly declared in the issuer configuration
|
36
|
+
* @returns A parsed credential with attributes in plain value, the expiration and issuance date of the credential
|
27
37
|
* @throws {IoWalletError} If the credential signature is not verified with the Issuer key set
|
28
38
|
* @throws {IoWalletError} If the credential is not bound to the provided user key
|
29
39
|
* @throws {IoWalletError} If the credential data fail to parse
|
@@ -1 +1 @@
|
|
1
|
-
{"version":3,"file":"07-verify-and-parse-credential.d.ts","sourceRoot":"","sources":["../../../../src/credential/issuance/07-verify-and-parse-credential.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,
|
1
|
+
{"version":3,"file":"07-verify-and-parse-credential.d.ts","sourceRoot":"","sources":["../../../../src/credential/issuance/07-verify-and-parse-credential.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,6BAA6B,CAAC;AACjE,OAAO,KAAK,EAAE,GAAG,EAAE,MAAM,kBAAkB,CAAC;AAC5C,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,4BAA4B,CAAC;AAMtE,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAE/D,MAAM,MAAM,wBAAwB,GAAG,CACrC,UAAU,EAAE,GAAG,CAAC,mBAAmB,CAAC,CAAC,YAAY,CAAC,EAClD,UAAU,EAAE,GAAG,CAAC,gBAAgB,CAAC,CAAC,YAAY,CAAC,EAC/C,MAAM,EAAE,GAAG,CAAC,gBAAgB,CAAC,CAAC,QAAQ,CAAC,EACvC,OAAO,EAAE;IACP,uBAAuB,EAAE,aAAa,CAAC;IACvC;;OAEG;IACH,uBAAuB,CAAC,EAAE,OAAO,CAAC;IAClC;;OAEG;IACH,0BAA0B,CAAC,EAAE,OAAO,CAAC;CACtC,KACE,OAAO,CAAC;IACX,gBAAgB,EAAE,gBAAgB,CAAC;IACnC,UAAU,EAAE,IAAI,CAAC;IACjB,QAAQ,EAAE,IAAI,GAAG,SAAS,CAAC;CAC5B,CAAC,CAAC;AAGH,KAAK,gBAAgB,GAAG,MAAM;AAC5B,oBAAoB;AACpB,MAAM,EACN;IACE,2CAA2C;IAC3C,IAAI,EACA,yBAAyB,CAAC,MAAM,CAC9B,MAAM,EACN,MAAM,CACP,GACD,4BAA4B,CAAC,MAAM,GACnC,SAAS,CAAC;IACd,wCAAwC;IACxC,KAAK,EAAE,OAAO,CAAC;CAChB,CACF,CAAC;AAkLF;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,wBAAwB,EAAE,wBAgBtC,CAAC"}
|
@@ -145,8 +145,8 @@ export declare const PID: z.ZodObject<{
|
|
145
145
|
} | undefined;
|
146
146
|
};
|
147
147
|
issuer: string;
|
148
|
-
issuedAt: Date;
|
149
148
|
expiration: Date;
|
149
|
+
issuedAt: Date;
|
150
150
|
verification?: {
|
151
151
|
trustFramework: "eidas";
|
152
152
|
assuranceLevel: string;
|
@@ -175,8 +175,8 @@ export declare const PID: z.ZodObject<{
|
|
175
175
|
} | undefined;
|
176
176
|
};
|
177
177
|
issuer: string;
|
178
|
-
issuedAt: Date;
|
179
178
|
expiration: Date;
|
179
|
+
issuedAt: Date;
|
180
180
|
verification?: {
|
181
181
|
trustFramework: "eidas";
|
182
182
|
assuranceLevel: string;
|
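--- a/package/src/credential/issuance/07-verify-and-parse-credential.ts
+++ b/package/src/credential/issuance/07-verify-and-parse-credential.ts
@@ -1,10 +1,11 @@
+import type { CryptoContext } from "@pagopa/io-react-native-jwt";
 import type { Out } from "../../utils/misc";
 import type { EvaluateIssuerTrust } from "./02-evaluate-issuer-trust";
 import { IoWalletError } from "../../utils/errors";
 import { SdJwt4VC } from "../../sd-jwt/types";
 import { verify as verifySdJwt } from "../../sd-jwt";
+import { getValueFromDisclosures } from "../../sd-jwt/converters";
 import type { JWK } from "../../utils/jwk";
-import type { CryptoContext } from "@pagopa/io-react-native-jwt";
 import type { ObtainCredential } from "./06-obtain-credential";
 
 export type VerifyAndParseCredential = (
@@ -13,10 +14,20 @@ export type VerifyAndParseCredential = (
 format: Out<ObtainCredential>["format"],
 context: {
 credentialCryptoContext: CryptoContext;
+/**
+* Do not throw an error when an attribute is not found within disclosures.
+*/
 ignoreMissingAttributes?: boolean;
+/**
+* Include attributes that are not explicitly mapped in the issuer configuration.
+*/
 includeUndefinedAttributes?: boolean;
 }
-) => Promise<{
+) => Promise<{
+parsedCredential: ParsedCredential;
+expiration: Date;
+issuedAt: Date | undefined;
+}>;
 
 // The credential as a collection of attributes in plain value
 type ParsedCredential = Record<
@@ -181,7 +192,11 @@ const verifyAndParseCredentialSdJwt: WithFormat<"vc+sd-jwt"> = async (
 issuerConf,
 credential,
 _,
-{
+{
+credentialCryptoContext,
+ignoreMissingAttributes,
+includeUndefinedAttributes,
+}
 ) => {
 const decoded = await verifyCredentialSdJwt(
 credential,
@@ -192,10 +207,20 @@ const verifyAndParseCredentialSdJwt: WithFormat<"vc+sd-jwt"> = async (
 const parsedCredential = parseCredentialSdJwt(
 issuerConf.openid_credential_issuer.credential_configurations_supported,
 decoded,
-ignoreMissingAttributes
+ignoreMissingAttributes,
+includeUndefinedAttributes
 );
 
-
+const maybeIssuedAt = getValueFromDisclosures(decoded.disclosures, "iat");
+
+return {
+parsedCredential,
+expiration: new Date(decoded.sdJwt.payload.exp * 1000),
+issuedAt:
+typeof maybeIssuedAt === "number"
+? new Date(maybeIssuedAt * 1000)
+: undefined,
+};
 };
 
 /**
@@ -204,7 +229,9 @@ const verifyAndParseCredentialSdJwt: WithFormat<"vc+sd-jwt"> = async (
 * @param credential The encoded credential returned by {@link obtainCredential}
 * @param format The format of the credentual returned by {@link obtainCredential}
 * @param context.credentialCryptoContext The crypto context used to obtain the credential in {@link obtainCredential}
-* @
+* @param context.ignoreMissingAttributes Skip error when attributes declared in the issuer configuration are not found within disclosures
+* @param context.includeUndefinedAttributes Include attributes not explicitly declared in the issuer configuration
+* @returns A parsed credential with attributes in plain value, the expiration and issuance date of the credential
 * @throws {IoWalletError} If the credential signature is not verified with the Issuer key set
 * @throws {IoWalletError} If the credential is not bound to the provided user key
 * @throws {IoWalletError} If the credential data fail to parse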
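Review bot: In the `@@ -192,10 +207,20 @@` hunk, `expiration: new Date(decoded.sdJwt.payload.exp * 1000)` is unguarded while `issuedAt` is guarded by `typeof maybeIssuedAt === "number"`; if `exp` is absent or not numeric the product is NaN and callers receive an Invalid Date instead of an error, although the new return type promises `expiration: Date`. Unless the `SdJwt4VC` schema already enforces a numeric `exp` (not visible in these hunks), fail loudly before building the result: `if (!Number.isFinite(decoded.sdJwt.payload.exp)) throw new IoWalletError("Credential is missing a valid exp claim");`. Reading `iat` from the disclosures rather than from `decoded.sdJwt.payload` looks deliberate but is unexplained; a line such as `// NOTE: iat is read from the disclosures, not the signed payload — confirm this matches the issuer profile` above the `getValueFromDisclosures` call would stop a maintainer from "fixing" it. The JSDoc in the `@@ -204,7 +229,9 @@` hunk should also state whether the returned expiration has been compared with the current time, since that check happens (if at all) in `verifyCredentialSdJwt`, whose body is outside these hunks. The enclosing `verifyAndParseCredentialSdJwt` starts above this hunk.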
@@ -39,10 +39,19 @@ graph TD;
|
|
39
39
|
|
40
40
|
## Mapped results
|
41
41
|
|
42
|
+
### 201 Created (CredentialIssuingNotSynchronousError)
|
43
|
+
|
44
|
+
A `201 Created` response is returned by the credential issuer when the request has been queued because the credential cannot be issued synchronously. The consumer should try to obtain the credential at a later time.
|
45
|
+
|
42
46
|
### 404 Not Found (CredentialNotEntitledError)
|
43
47
|
|
44
48
|
A `404 Not Found` response is returned by the credential issuer when the authenticated user is not entitled to receive the requested credential.
|
45
49
|
|
50
|
+
### 201 Created (CredentialIssuingNotSynchronousError)
|
51
|
+
|
52
|
+
Although `201 Created` is not considered an error, it is mapped as an error in this context in order to handle the case where the credential issuance is not synchronous.
|
53
|
+
This allows keeping the flow consistent and handle the case where the credential is not immediately available.
|
54
|
+
|
46
55
|
## Strong authentication for eID issuance (Query Mode)
|
47
56
|
|
48
57
|
The eID issuance requires a strong authentication method. Currently SPID (L2), CieID (L2) and CIE+PIN (L3) are supported. The strong authentication method is determined by the IDP hint which is passed to the `completeUserAuthorizationWithQueryMode` function.
|
@@ -175,12 +184,19 @@ const { credential, format } = await Credential.Issuance.obtainCredential(
|
|
175
184
|
}
|
176
185
|
);
|
177
186
|
|
178
|
-
|
187
|
+
/*
|
188
|
+
* Parse and verify the credential. The ignoreMissingAttributes flag must be set to false or omitted in production.
|
189
|
+
* WARNING: includeUndefinedAttributes should not be set to true in production in order to get only claims explicitly declared by the issuer.
|
190
|
+
*/
|
179
191
|
const { parsedCredential } = await Credential.Issuance.verifyAndParseCredential(
|
180
192
|
issuerConf,
|
181
193
|
credential,
|
182
194
|
format,
|
183
|
-
{
|
195
|
+
{
|
196
|
+
credentialCryptoContext,
|
197
|
+
ignoreMissingAttributes: true,
|
198
|
+
includeUndefinedAttributes: false
|
199
|
+
}
|
184
200
|
);
|
185
201
|
|
186
202
|
return {
|
@@ -303,7 +319,7 @@ const { credential, format } = await Credential.Issuance.obtainCredential(
|
|
303
319
|
);
|
304
320
|
|
305
321
|
// Parse and verify the eID credential
|
306
|
-
const { parsedCredential } = await Credential.Issuance.verifyAndParseCredential(
|
322
|
+
const { parsedCredential, issuedAt, expiration } = await Credential.Issuance.verifyAndParseCredential(
|
307
323
|
issuerConf,
|
308
324
|
credential,
|
309
325
|
format,
|
@@ -315,9 +331,11 @@ return {
|
|
315
331
|
credential,
|
316
332
|
keyTag: credentialKeyTag,
|
317
333
|
credentialType,
|
334
|
+
issuedAt,
|
335
|
+
expiration
|
318
336
|
};
|
319
337
|
```
|
320
338
|
|
321
|
-
The result of this flow is a
|
339
|
+
The result of this flow is a raw credential and a parsed credential which must be stored securely in the wallet along with its crypto key.
|
322
340
|
|
323
341
|
</details>
|