npm - @pagopa/io-react-native-wallet - Versions diffs - 0.2.2 → 0.2.3 - Mend

@pagopa/io-react-native-wallet 0.2.2 → 0.2.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (118) hide show

package/src/pid/issuing.ts CHANGED Viewed

@@ -1,14 +1,16 @@
 import {
   decode as decodeJwt,
+  verify as verifyJwt,
   sha256ToBase64,
 } from "@pagopa/io-react-native-jwt";
 import { SignJWT, thumbprint } from "@pagopa/io-react-native-jwt";
 import { JWK } from "../utils/jwk";
 import uuid from "react-native-uuid";
-import { PidIssuingError } from "../utils/errors";
+import { PidIssuingError, PidMetadataError } from "../utils/errors";
 import { getUnsignedDPop } from "../utils/dpop";
 import { sign, generate, deleteKey } from "@pagopa/io-react-native-crypto";
+import { PidIssuerEntityConfiguration } from "./metadata";
 // This is a temporary type that will be used for demo purposes only
 export type CieData = {
@@ -302,4 +304,39 @@ export class Issuing {
     throw new PidIssuingError(`Unable to obtain credential!`);
   }
+  /**
+   * Obtain the PID issuer metadata
+   *
+   * @function
+   * @returns PID issuer metadata
+   *
+   */
+  async getEntityConfiguration(): Promise<PidIssuerEntityConfiguration> {
+    const metadataUrl = new URL(
+      ".well-known/openid-federation",
+      this.pidProviderBaseUrl
+    ).href;
+    const response = await this.appFetch(metadataUrl);
+    if (response.status === 200) {
+      const jwtMetadata = await response.text();
+      const { payload } = decodeJwt(jwtMetadata);
+      const result = PidIssuerEntityConfiguration.safeParse(payload);
+      if (result.success) {
+        const parsedMetadata = result.data;
+        await verifyJwt(jwtMetadata, parsedMetadata.jwks.keys);
+        return parsedMetadata;
+      } else {
+        throw new PidMetadataError(result.error.message);
+      }
+    }
+    throw new PidMetadataError(
+      `Unable to obtain PID metadata. Response: ${await response.text()} with status: ${
+        response.status
+      }`
+    );
+  }
 }

package/src/pid/metadata.ts ADDED Viewed

@@ -0,0 +1,46 @@
+import { JWK } from "../utils/jwk";
+import { z } from "zod";
+export type PidDisplayMetadata = z.infer<typeof PidDisplayMetadata>;
+export const PidDisplayMetadata = z.object({
+  name: z.string(),
+  locale: z.string(),
+  logo: z.object({
+    url: z.string(),
+    alt_text: z.string(),
+  }),
+  background_color: z.string(),
+  text_color: z.string(),
+});
+export type PidIssuerEntityConfiguration = z.infer<
+  typeof PidIssuerEntityConfiguration
+>;
+export const PidIssuerEntityConfiguration = z.object({
+  jwks: z.object({ keys: z.array(JWK) }),
+  metadata: z.object({
+    openid_credential_issuer: z.object({
+      credential_issuer: z.string(),
+      authorization_endpoint: z.string(),
+      token_endpoint: z.string(),
+      pushed_authorization_request_endpoint: z.string(),
+      dpop_signing_alg_values_supported: z.array(z.string()),
+      credential_endpoint: z.string(),
+      credentials_supported: z.object({
+        "eu.eudiw.pid.it": z.object({
+          format: z.literal("vc+sd-jwt"),
+          cryptographic_binding_methods_supported: z.array(z.string()),
+          cryptographic_suites_supported: z.array(z.string()),
+          display: z.array(PidDisplayMetadata),
+        }),
+      }),
+    }),
+    federation_entity: z.object({
+      organization_name: z.string(),
+      homepage_uri: z.string(),
+      policy_uri: z.string(),
+      tos_uri: z.string(),
+      logo_uri: z.string(),
+    }),
+  }),
+});

package/src/pid/sd-jwt/index.ts CHANGED Viewed

@@ -1,5 +1,4 @@
-import { decode as decodeJwt } from "../../sd-jwt";
-import { verify as verifyJwt } from "../../sd-jwt";
+import { decode as decodeJwt, verify as verifyJwt } from "../../sd-jwt";
 import { PID } from "./types";
 import { pidFromToken } from "./converters";
 import { Disclosure, SdJwt4VC } from "../../sd-jwt/types";
@@ -20,7 +19,11 @@ import { Disclosure, SdJwt4VC } from "../../sd-jwt/types";
  *
  */
 export function decode(token: string): PidWithToken {
-  let { sdJwt, disclosures } = decodeJwt(token, SdJwt4VC);
+  let { sdJwt, disclosures: disclosuresWithOriginal } = decodeJwt(
+    token,
+    SdJwt4VC
+  );
+  const disclosures = disclosuresWithOriginal.map((d) => d.decoded);
   const pid = pidFromToken(sdJwt, disclosures);
   return { pid, sdJwt, disclosures };

package/src/rp/index.ts CHANGED Viewed

@@ -1,14 +1,26 @@
-import { AuthRequestDecodeError, IoWalletError } from "../utils/errors";
+import {
+  AuthRequestDecodeError,
+  IoWalletError,
+  NoSuitableKeysFoundInEntityConfiguration,
+} from "../utils/errors";
 import {
   decode as decodeJwt,
   decodeBase64,
   sha256ToBase64,
   SignJWT,
+  EncryptJwe,
+  verify,
 } from "@pagopa/io-react-native-jwt";
-import { QRCodePayload, RequestObject, RpEntityConfiguration } from "./types";
+import {
+  QRCodePayload,
+  RequestObject,
+  RpEntityConfiguration,
+  type Presentation,
+} from "./types";
 import uuid from "react-native-uuid";
 import type { JWK } from "@pagopa/io-react-native-jwt/lib/typescript/types";
+import { disclose } from "../sd-jwt";
 export class RelyingPartySolution {
   relyingPartyBaseUrl: string;
@@ -86,15 +98,18 @@ export class RelyingPartySolution {
   /**
    * Obtain the Request Object for RP authentication
+   * @see https://italia.github.io/eudi-wallet-it-docs/versione-corrente/en/relying-party-solution.html
    *
-   * @function
+   * @async @function
    * @param signedWalletInstanceDPoP JWT of the Wallet Instance Attestation DPoP
    *
    * @returns The Request Object JWT
+   * @throws {NoSuitableKeysFoundInEntityConfiguration} When the Request Object is signed with a key not listed in RP's entity configuration
    *
    */
   async getRequestObject(
-    signedWalletInstanceDPoP: string
+    signedWalletInstanceDPoP: string,
+    entity: RpEntityConfiguration
   ): Promise<RequestObject> {
     const decodedJwtDPop = await decodeJwt(signedWalletInstanceDPoP);
     const requestUri = decodedJwtDPop.payload.htu as string;
@@ -108,11 +123,28 @@ export class RelyingPartySolution {
     if (response.status === 200) {
       const responseText = await response.text();
-      const responseJwt = await decodeJwt(responseText);
+      const responseJwt = decodeJwt(responseText);
+      // verify token signature according to RP's entity configuration
+      // to ensure the request object is authentic
+      {
+        const pubKey = entity.payload.jwks.keys.find(
+          ({ kid }) => kid === responseJwt.protectedHeader.kid
+        );
+        if (!pubKey) {
+          throw new NoSuitableKeysFoundInEntityConfiguration(
+            "Request Object signature verification"
+          );
+        }
+        await verify(responseText, pubKey);
+      }
+      // parse request object it has the expected shape by specification
       const requestObj = RequestObject.parse({
         header: responseJwt.protectedHeader,
         payload: responseJwt.payload,
       });
       return requestObj;
     }
@@ -121,6 +153,158 @@ export class RelyingPartySolution {
     );
   }
+  /**
+   * Prepare the Verified Presentation token for a received request object in the context of an authorization request flow.
+   * The presentation is prepared by disclosing data from provided credentials, according to requested claims
+   * Each Verified Credential come along with the claims the user accepts to disclose from it.
+   *
+   * The returned token is unsigned (sign should be apply by the caller).
+   *
+   * @todo accept more than a Verified Credential
+   *
+   * @param requestObj The incoming request object, which the requirements for the requested authorization
+   * @param presentation The Verified Credential containing user data along with the list of claims to be disclosed.
+   * @returns The unsigned Verified Presentation token
+   * @throws {ClaimsNotFoundBetweenDislosures} If the Verified Credential does not contain one or more requested claims.
+   *
+   */
+  async prepareVpToken(
+    requestObj: RequestObject,
+    [vc, claims]: Presentation // TODO: [SIW-353] support multiple presentations
+  ): Promise<{
+    vp_token: string;
+    presentation_submission: Record<string, unknown>;
+  }> {
+    // this throws if vc cannot satisfy all the requested claims
+    const { token: vp, paths } = await disclose(vc, claims);
+    // TODO: [SIW-359] check all requeste claims of the requestedObj are satisfied
+    const vp_token = new SignJWT({ vp })
+      .setAudience(requestObj.payload.response_uri)
+      .setExpirationTime("1h")
+      .setProtectedHeader({
+        typ: "JWT",
+        alg: "ES256",
+      })
+      .toSign();
+    const [definition_id, vc_scope] = requestObj.payload.scope;
+    const presentation_submission = {
+      definition_id,
+      id: `${uuid.v4()}`,
+      descriptor_map: paths.map((p) => ({
+        id: vc_scope,
+        path: `$.vp_token.${p.path}`,
+        format: "vc+sd-jwt",
+      })),
+    };
+    return { vp_token, presentation_submission };
+  }
+  /**
+   * Compose and send an Authorization Response in the context of an authorization request flow.
+   *
+   * @todo MUST add presentation_submission
+   *
+   * @param requestObj The incoming request object, which the requirements for the requested authorization
+   * @param vp_token The signed Verified Presentation token with data to send.
+   * @param presentation_submission
+   * @param entity The RP entity configuration
+   * @returns The response from the RP
+   * @throws {IoWalletError} if the submission fails.
+   * @throws {NoSuitableKeysFoundInEntityConfiguration} If entity do not contain any public key
+   *
+   */
+  async sendAuthorizationResponse(
+    requestObj: RequestObject,
+    vp_token: string,
+    presentation_submission: Record<string, unknown>,
+    entity: RpEntityConfiguration
+  ): Promise<string> {
+    // the request is an unsigned jws without iss, aud, exp
+    // https://openid.net/specs/openid-4-verifiable-presentations-1_0.html#name-signed-and-encrypted-respon
+    const jwk = this.choosePublicKeyToEncrypt(entity);
+    const enc = this.getEncryptionAlgByJwk(jwk);
+    const authzResponsePayload = JSON.stringify({
+      state: requestObj.payload.state,
+      presentation_submission,
+      vp_token,
+    });
+    const encrypted = await new EncryptJwe(authzResponsePayload, {
+      alg: jwk.alg,
+      enc,
+    }).encrypt(jwk);
+    const formBody = new URLSearchParams({ response: encrypted });
+    const response = await this.appFetch(requestObj.payload.response_uri, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/x-www-form-urlencoded",
+      },
+      body: formBody.toString(),
+    });
+    if (response.status === 200) {
+      return response.text();
+    }
+    throw new IoWalletError(
+      `Unable to send Authorization Response. Response code: ${response.status}`
+    );
+  }
+  /**
+   * Select a public key from those provided by the RP.
+   * Keys with algorithm "RSA-OAEP-256" or "RSA-OAEP" are expected, the firsts to be preferred.
+   *
+   * @param entity The RP entity configuration
+   * @returns A suitable public key with its compatible encryption algorithm
+   * @throws {NoSuitableKeysFoundInEntityConfiguration} If entity do not contain any public key suitable for encrypting
+   */
+  private choosePublicKeyToEncrypt(
+    entity: RpEntityConfiguration
+  ): (JWK & { alg: "RSA-OAEP-256" }) | (JWK & { alg: "RSA-OAEP" }) {
+    // Look for keys using "RSA-OAEP-256", and pick a random one
+    const [usingRsa256] = entity.payload.jwks.keys.filter(
+      <T>(k: T & { alg?: string }): k is T & { alg: "RSA-OAEP-256" } =>
+        typeof k.alg === "string" && k.alg === "RSA-OAEP-256"
+    );
+    if (usingRsa256) {
+      return usingRsa256;
+    }
+    // Look for keys using "RSA-OAEP", and pick a random one
+    const [usingRsa] = entity.payload.jwks.keys.filter(
+      <T>(k: T & { alg?: string }): k is T & { alg: "RSA-OAEP" } =>
+        typeof k.alg === "string" && k.alg === "RSA-OAEP"
+    );
+    if (usingRsa) {
+      return usingRsa;
+    }
+    // No suitable key has been found
+    throw new NoSuitableKeysFoundInEntityConfiguration(
+      "Encrypt with RP public key"
+    );
+  }
+  private getEncryptionAlgByJwk({
+    alg,
+  }: (JWK & { alg: "RSA-OAEP-256" }) | (JWK & { alg: "RSA-OAEP" })):
+    | "A128CBC-HS256"
+    | "A256CBC-HS512" {
+    if (alg === "RSA-OAEP-256") return "A256CBC-HS512";
+    if (alg === "RSA-OAEP") return "A128CBC-HS256";
+    const _: never = alg;
+    throw new Error(`Invalid jwk algorithm: ${_}`);
+  }
   /**
    * Obtain the relying party entity configuration.
    */

package/src/rp/types.ts CHANGED Viewed

@@ -70,3 +70,11 @@ export const QRCodePayload = z.object({
   clientId: z.string(),
   requestURI: z.string(),
 });
+/**
+ * A pair that associate a tokenized Verified Credential with the claims presented or requested to present.
+ */
+export type Presentation = [
+  /* verified credential token */ string,
+  /* claims */ string[]
+];

package/src/sd-jwt/__test__/index.test.ts ADDED Viewed

@@ -0,0 +1,171 @@
+import { decode, disclose } from "../index";
+import { encodeBase64, decodeBase64 } from "@pagopa/io-react-native-jwt";
+import { SdJwt4VC } from "../types";
+// Examples from https://www.ietf.org/id/draft-terbu-sd-jwt-vc-02.html#name-example-4
+// but adapted to adhere to format declared in https://italia.github.io/eudi-wallet-it-docs/versione-corrente/en/pid-eaa-data-model.html#id2
+// In short, the token is a Frankenstein composed as follows:
+//  - the header is taken from the italian specification, with kid and alg valued according to the signing keys
+//  - disclosures are taken from the SD-JWT-4-VC standard
+//  - payload is taken from the italian specification, but _sd are compiled with:
+//    - "address" is used as verification._sd
+//    - all others disclosures are in claims._sd
+const token =
+  "eyJ0eXAiOiJ2YytzZC1qd3QiLCJhbGciOiJFUzI1NiIsImtpZCI6ImIxODZlYTBjMTkyNTc5MzA5N2JmMDFiOGEyODlhNDVmIiwidHJ1c3RfY2hhaW4iOlsiTkVoUmRFUnBZbmxIWTNNNVdsZFdUV1oyYVVobSAuLi4iLCJleUpoYkdjaU9pSlNVekkxTmlJc0ltdHBaQ0k2IC4uLiIsIklrSllkbVp5Ykc1b1FVMTFTRkl3TjJGcVZXMUIgLi4uIl19.eyJpc3MiOiJodHRwczovL2V4YW1wbGUuY29tL2lzc3VlciIsInN1YiI6Ik56YkxzWGg4dURDY2Q3bm9XWEZaQWZIa3hac1JHQzlYcy4uLiIsImp0aSI6InVybjp1dWlkOjZjNWMwYTQ5LWI1ODktNDMxZC1iYWU3LTIxOTEyMmE5ZWMyYyIsImlhdCI6MTU0MTQ5MzcyNCwiZXhwIjoxNTQxNDkzNzI0LCJzdGF0dXMiOiJodHRwczovL2V4YW1wbGUuY29tL3N0YXR1cyIsImNuZiI6eyJqd2siOnsia3R5IjoiUlNBIiwidXNlIjoic2lnIiwibiI6IjFUYS1zRSIsImUiOiJBUUFCIiwia2lkIjoiWWhORlMzWW5DOXRqaUNhaXZoV0xWVUozQXh3R0d6Xzk4dVJGYXFNRUVzIn19LCJ0eXBlIjoiUGVyc29uSWRlbnRpZmljYXRpb25EYXRhIiwidmVyaWZpZWRfY2xhaW1zIjp7InZlcmlmaWNhdGlvbiI6eyJfc2QiOlsiSnpZakg0c3ZsaUgwUjNQeUVNZmVadTZKdDY5dTVxZWhabzdGN0VQWWxTRSJdLCJ0cnVzdF9mcmFtZXdvcmsiOiJlaWRhcyIsImFzc3VyYW5jZV9sZXZlbCI6ImhpZ2gifSwiY2xhaW1zIjp7Il9zZCI6WyIwOXZLckpNT2x5VFdNMHNqcHVfcGRPQlZCUTJNMXkzS2hwSDUxNW5Ya3BZIiwiMnJzakdiYUMwa3k4bVQwcEpyUGlvV1RxMF9kYXcxc1g3NnBvVWxnQ3diSSIsIkVrTzhkaFcwZEhFSmJ2VUhsRV9WQ2V1Qzl1UkVMT2llTFpoaDdYYlVUdEEiLCJJbER6SUtlaVpkRHdwcXBLNlpmYnlwaEZ2ejVGZ25XYS1zTjZ3cVFYQ2l3IiwiUG9yRmJwS3VWdTZ4eW1KYWd2a0ZzRlhBYlJvYzJKR2xBVUEyQkE0bzdjSSIsIlRHZjRvTGJnd2Q1SlFhSHlLVlFaVTlVZEdFMHc1cnREc3JaemZVYW9tTG8iLCJqZHJURThZY2JZNEVpZnVnaWhpQWVfQlBla3hKUVpJQ2VpVVF3WTlRcXhJIiwianN1OXlWdWx3UVFsaEZsTV8zSmx6TWFTRnpnbGhRRzBEcGZheVF3TFVLNCJdfX0sIl9zZF9hbGciOiJzaGEtMjU2In0.8wwSHCd47wCgzRYXvvPTTRXGS-hk9V8jRzy7WSjRBTZxSHxJkGOSWwBVAA-kpJ-IvQS7699aLWxIMqAvr34sOA~WyIyR0xDNDJzS1F2ZUNmR2ZyeU5STjl3IiwgImdpdmVuX25hbWUiLCAiSm9obiJd~WyJlbHVWNU9nM2dTTklJOEVZbnN4QV9BIiwgImZhbWlseV9uYW1lIiwgIkRvZSJd~WyI2SWo3dE0tYTVpVlBHYm9TNXRtdlZBIiwgImVtYWlsIiwgImpvaG5kb2VAZXhhbXBsZS5jb20iXQ~WyJlSThaV205UW5LUHBOUGVOZW5IZGhRIiwgInBob25lX251bWJlciIsICIrMS0yMDItNTU1LTAxMDEiXQ~WyJBSngtMDk1VlBycFR0TjRRTU9xUk9BIiwgImJpcnRoZGF0ZSIsICIxOTQwLTAxLTAxIl0~WyJQYzMzSk0yTGNoY1VfbEhnZ3ZfdWZRIiwgImlzX292ZXJfMTgiLCB0cnVlXQ~WyJHMDJOU3JRZmpGWFE3SW8wOXN5YWpBIiwgImlzX292ZXJfMjEiLCB0cnVlXQ~WyJsa2x4RjVqTVlsR1RQVW92TU5JdkNBIiwgImlzX292ZXJfNjUiLCB0cnVlXQ~WyJRZ19PNjR6cUF4ZTQxMmExMDhpcm9BIiwgImFkZHJlc3MiLCB7InN0cmVldF9hZGRyZXNzIjogIjEyMyBNYWluIFN0IiwgImxvY2FsaXR5IjogIkFueXRvd24iLCAicmVnaW9uIjogIkFueXN0YXRlIiwgImNvdW50cnkiOiAiVVMifV0";
+const unsigned =
+  "eyJ0eXAiOiJ2YytzZC1qd3QiLCJhbGciOiJFUzI1NiIsImtpZCI6ImIxODZlYTBjMTkyNTc5MzA5N2JmMDFiOGEyODlhNDVmIiwidHJ1c3RfY2hhaW4iOlsiTkVoUmRFUnBZbmxIWTNNNVdsZFdUV1oyYVVobSAuLi4iLCJleUpoYkdjaU9pSlNVekkxTmlJc0ltdHBaQ0k2IC4uLiIsIklrSllkbVp5Ykc1b1FVMTFTRkl3TjJGcVZXMUIgLi4uIl19.eyJpc3MiOiJodHRwczovL2V4YW1wbGUuY29tL2lzc3VlciIsInN1YiI6Ik56YkxzWGg4dURDY2Q3bm9XWEZaQWZIa3hac1JHQzlYcy4uLiIsImp0aSI6InVybjp1dWlkOjZjNWMwYTQ5LWI1ODktNDMxZC1iYWU3LTIxOTEyMmE5ZWMyYyIsImlhdCI6MTU0MTQ5MzcyNCwiZXhwIjoxNTQxNDkzNzI0LCJzdGF0dXMiOiJodHRwczovL2V4YW1wbGUuY29tL3N0YXR1cyIsImNuZiI6eyJqd2siOnsia3R5IjoiUlNBIiwidXNlIjoic2lnIiwibiI6IjFUYS1zRSIsImUiOiJBUUFCIiwia2lkIjoiWWhORlMzWW5DOXRqaUNhaXZoV0xWVUozQXh3R0d6Xzk4dVJGYXFNRUVzIn19LCJ0eXBlIjoiUGVyc29uSWRlbnRpZmljYXRpb25EYXRhIiwidmVyaWZpZWRfY2xhaW1zIjp7InZlcmlmaWNhdGlvbiI6eyJfc2QiOlsiSnpZakg0c3ZsaUgwUjNQeUVNZmVadTZKdDY5dTVxZWhabzdGN0VQWWxTRSJdLCJ0cnVzdF9mcmFtZXdvcmsiOiJlaWRhcyIsImFzc3VyYW5jZV9sZXZlbCI6ImhpZ2gifSwiY2xhaW1zIjp7Il9zZCI6WyIwOXZLckpNT2x5VFdNMHNqcHVfcGRPQlZCUTJNMXkzS2hwSDUxNW5Ya3BZIiwiMnJzakdiYUMwa3k4bVQwcEpyUGlvV1RxMF9kYXcxc1g3NnBvVWxnQ3diSSIsIkVrTzhkaFcwZEhFSmJ2VUhsRV9WQ2V1Qzl1UkVMT2llTFpoaDdYYlVUdEEiLCJJbER6SUtlaVpkRHdwcXBLNlpmYnlwaEZ2ejVGZ25XYS1zTjZ3cVFYQ2l3IiwiUG9yRmJwS3VWdTZ4eW1KYWd2a0ZzRlhBYlJvYzJKR2xBVUEyQkE0bzdjSSIsIlRHZjRvTGJnd2Q1SlFhSHlLVlFaVTlVZEdFMHc1cnREc3JaemZVYW9tTG8iLCJqZHJURThZY2JZNEVpZnVnaWhpQWVfQlBla3hKUVpJQ2VpVVF3WTlRcXhJIiwianN1OXlWdWx3UVFsaEZsTV8zSmx6TWFTRnpnbGhRRzBEcGZheVF3TFVLNCJdfX0sIl9zZF9hbGciOiJzaGEtMjU2In0";
+const signature =
+  "8wwSHCd47wCgzRYXvvPTTRXGS-hk9V8jRzy7WSjRBTZxSHxJkGOSWwBVAA-kpJ-IvQS7699aLWxIMqAvr34sOA";
+const signed = `${unsigned}.${signature}`;
+const tokenizedDisclosures = [
+  "WyIyR0xDNDJzS1F2ZUNmR2ZyeU5STjl3IiwgImdpdmVuX25hbWUiLCAiSm9obiJd",
+  "WyJlbHVWNU9nM2dTTklJOEVZbnN4QV9BIiwgImZhbWlseV9uYW1lIiwgIkRvZSJd",
+  "WyI2SWo3dE0tYTVpVlBHYm9TNXRtdlZBIiwgImVtYWlsIiwgImpvaG5kb2VAZXhhbXBsZS5jb20iXQ",
+  "WyJlSThaV205UW5LUHBOUGVOZW5IZGhRIiwgInBob25lX251bWJlciIsICIrMS0yMDItNTU1LTAxMDEiXQ",
+  "WyJBSngtMDk1VlBycFR0TjRRTU9xUk9BIiwgImJpcnRoZGF0ZSIsICIxOTQwLTAxLTAxIl0",
+  "WyJQYzMzSk0yTGNoY1VfbEhnZ3ZfdWZRIiwgImlzX292ZXJfMTgiLCB0cnVlXQ",
+  "WyJHMDJOU3JRZmpGWFE3SW8wOXN5YWpBIiwgImlzX292ZXJfMjEiLCB0cnVlXQ",
+  "WyJsa2x4RjVqTVlsR1RQVW92TU5JdkNBIiwgImlzX292ZXJfNjUiLCB0cnVlXQ",
+  "WyJRZ19PNjR6cUF4ZTQxMmExMDhpcm9BIiwgImFkZHJlc3MiLCB7InN0cmVldF9hZGRyZXNzIjogIjEyMyBNYWluIFN0IiwgImxvY2FsaXR5IjogIkFueXRvd24iLCAicmVnaW9uIjogIkFueXN0YXRlIiwgImNvdW50cnkiOiAiVVMifV0",
+];
+const sdJwt = {
+  header: {
+    typ: "vc+sd-jwt",
+    alg: "ES256",
+    kid: "b186ea0c1925793097bf01b8a289a45f",
+    trust_chain: [
+      "NEhRdERpYnlHY3M5WldWTWZ2aUhm ...",
+      "eyJhbGciOiJSUzI1NiIsImtpZCI6 ...",
+      "IkJYdmZybG5oQU11SFIwN2FqVW1B ...",
+    ],
+  },
+  payload: {
+    iss: "https://example.com/issuer",
+    sub: "NzbLsXh8uDCcd7noWXFZAfHkxZsRGC9Xs...",
+    jti: "urn:uuid:6c5c0a49-b589-431d-bae7-219122a9ec2c",
+    iat: 1541493724,
+    exp: 1541493724,
+    status: "https://example.com/status",
+    cnf: {
+      jwk: {
+        kty: "RSA",
+        use: "sig",
+        n: "1Ta-sE",
+        e: "AQAB",
+        kid: "YhNFS3YnC9tjiCaivhWLVUJ3AxwGGz_98uRFaqMEEs",
+      },
+    },
+    type: "PersonIdentificationData",
+    verified_claims: {
+      verification: {
+        _sd: ["JzYjH4svliH0R3PyEMfeZu6Jt69u5qehZo7F7EPYlSE"],
+        trust_framework: "eidas",
+        assurance_level: "high",
+      },
+      claims: {
+        _sd: [
+          "09vKrJMOlyTWM0sjpu_pdOBVBQ2M1y3KhpH515nXkpY",
+          "2rsjGbaC0ky8mT0pJrPioWTq0_daw1sX76poUlgCwbI",
+          "EkO8dhW0dHEJbvUHlE_VCeuC9uRELOieLZhh7XbUTtA",
+          "IlDzIKeiZdDwpqpK6ZfbyphFvz5FgnWa-sN6wqQXCiw",
+          "PorFbpKuVu6xymJagvkFsFXAbRoc2JGlAUA2BA4o7cI",
+          "TGf4oLbgwd5JQaHyKVQZU9UdGE0w5rtDsrZzfUaomLo",
+          "jdrTE8YcbY4EifugihiAe_BPekxJQZICeiUQwY9QqxI",
+          "jsu9yVulwQQlhFlM_3JlzMaSFzglhQG0DpfayQwLUK4",
+        ],
+      },
+    },
+    _sd_alg: "sha-256",
+  },
+};
+// In the very same order than tokenizedDisclosures
+const disclosures = [
+  ["2GLC42sKQveCfGfryNRN9w", "given_name", "John"],
+  ["eluV5Og3gSNII8EYnsxA_A", "family_name", "Doe"],
+  ["6Ij7tM-a5iVPGboS5tmvVA", "email", "johndoe@example.com"],
+  ["eI8ZWm9QnKPpNPeNenHdhQ", "phone_number", "+1-202-555-0101"],
+  ["AJx-095VPrpTtN4QMOqROA", "birthdate", "1940-01-01"],
+  ["Pc33JM2LchcU_lHggv_ufQ", "is_over_18", true],
+  ["G02NSrQfjFXQ7Io09syajA", "is_over_21", true],
+  ["lklxF5jMYlGTPUovMNIvCA", "is_over_65", true],
+  [
+    "Qg_O64zqAxe412a108iroA",
+    "address",
+    {
+      street_address: "123 Main St",
+      locality: "Anytown",
+      region: "Anystate",
+      country: "US",
+    },
+  ],
+];
+it("Ensures example data correctness", () => {
+  expect(
+    JSON.parse(decodeBase64(encodeBase64(JSON.stringify(sdJwt.header))))
+  ).toEqual(sdJwt.header);
+  expect([signed, ...tokenizedDisclosures].join("~")).toBe(token);
+});
+describe("decode", () => {
+  it("should decode a valid token", () => {
+    const result = decode(token, SdJwt4VC);
+    expect(result).toEqual({
+      sdJwt,
+      disclosures: disclosures.map((decoded, i) => ({
+        decoded,
+        encoded: tokenizedDisclosures[i],
+      })),
+    });
+  });
+});
+describe("disclose", () => {
+  it("should encode a valid sdjwt (one claim)", async () => {
+    const result = await disclose(token, ["given_name"]);
+    const expected = {
+      token: `${signed}~WyIyR0xDNDJzS1F2ZUNmR2ZyeU5STjl3IiwgImdpdmVuX25hbWUiLCAiSm9obiJd`,
+      paths: [{ claim: "given_name", path: "verified_claims.claims._sd[7]" }],
+    };
+    expect(result).toEqual(expected);
+  });
+  it("should encode a valid sdjwt (no claims)", async () => {
+    const result = await disclose(token, []);
+    const expected = { token: `${signed}`, paths: [] };
+    expect(result).toEqual(expected);
+  });
+  it("should encode a valid sdjwt (multiple claims)", async () => {
+    const result = await disclose(token, ["given_name", "email"]);
+    const expected = {
+      token: `${signed}~WyIyR0xDNDJzS1F2ZUNmR2ZyeU5STjl3IiwgImdpdmVuX25hbWUiLCAiSm9obiJd~WyI2SWo3dE0tYTVpVlBHYm9TNXRtdlZBIiwgImVtYWlsIiwgImpvaG5kb2VAZXhhbXBsZS5jb20iXQ`,
+      paths: [
+        {
+          claim: "given_name",
+          path: "verified_claims.claims._sd[7]",
+        },
+        {
+          claim: "email",
+          path: "verified_claims.verification._sd[0]",
+        },
+      ],
+    };
+    expect(result).toEqual(expected);
+  });
+  it("should fail on unknown claim", async () => {
+    const fn = async () => disclose(token, ["unknown"]);
+    await expect(fn()).rejects.toEqual(expect.any(Error));
+  });
+});

package/src/sd-jwt/index.ts CHANGED Viewed

@@ -2,11 +2,21 @@ import { z } from "zod";
 import { decode as decodeJwt } from "@pagopa/io-react-native-jwt";
 import { verify as verifyJwt } from "@pagopa/io-react-native-jwt";
+import { sha256ToBase64 } from "@pagopa/io-react-native-jwt";
 import { decodeBase64 } from "@pagopa/io-react-native-jwt";
-import { Disclosure } from "./types";
+import { Disclosure, SdJwt4VC, type DisclosureWithEncoded } from "./types";
 import { verifyDisclosure } from "./verifier";
 import type { JWK } from "src/utils/jwk";
+import {
+  ClaimsNotFoundBetweenDislosures,
+  ClaimsNotFoundInToken,
+} from "../utils/errors";
+const decodeDisclosure = (encoded: string): DisclosureWithEncoded => {
+  const decoded = Disclosure.parse(JSON.parse(decodeBase64(encoded)));
+  return { decoded, encoded };
+};
 /**
  * Decode a given SD-JWT with Disclosures to get the parsed SD-JWT object they define.
@@ -25,7 +35,10 @@ import type { JWK } from "src/utils/jwk";
 export const decode = <S extends z.AnyZodObject>(
   token: string,
   schema: S
-): { sdJwt: z.infer<S>; disclosures: Disclosure[] } => {
+): {
+  sdJwt: z.infer<S>;
+  disclosures: DisclosureWithEncoded[];
+} => {
   // token are expected in the form "sd-jwt~disclosure0~disclosure1~...~disclosureN~"
   if (token.slice(-1) === "~") {
     token = token.slice(0, -1);
@@ -43,14 +56,75 @@ export const decode = <S extends z.AnyZodObject>(
   // get disclosures as list of triples
   // validate each triple
   // throw a validation error if at least one fails to parse
-  const disclosures = rawDisclosures
-    .map(decodeBase64)
-    .map((e) => JSON.parse(e))
-    .map((e) => Disclosure.parse(e));
+  const disclosures = rawDisclosures.map(decodeDisclosure);
   return { sdJwt, disclosures };
 };
+/**
+ * Select disclosures from a given SD-JWT with Disclosures.
+ * Claims relate with disclosures by their name.
+ *
+ * @function
+ * @param token The encoded token that represents a valid sd-jwt for verifiable credentials
+ * @param claims The list of claims to be disclosed
+ *
+ * @throws {ClaimsNotFoundBetweenDislosures} When one or more claims does not relate to any discloure.
+ * @throws {ClaimsNotFoundInToken} When one or more claims are not contained in the SD-JWT token.
+ * @returns The encoded token with only the requested disclosures, along with the path each claim can be found on the SD-JWT token
+ *
+ */
+export const disclose = async (
+  token: string,
+  claims: string[]
+): Promise<{ token: string; paths: { claim: string; path: string }[] }> => {
+  const [rawSdJwt, ...rawDisclosures] = token.split("~");
+  const { sdJwt, disclosures } = decode(token, SdJwt4VC);
+  // for each claim, return the path on which they are located in the SD-JWT token
+  const paths = await Promise.all(
+    claims.map(async (claim) => {
+      const disclosure = disclosures.find(
+        ({ decoded: [, name] }) => name === claim
+      );
+      // check every claim represents a known disclosure
+      if (!disclosure) {
+        throw new ClaimsNotFoundBetweenDislosures(claim);
+      }
+      const hash = await sha256ToBase64(disclosure.encoded);
+      // _sd is defined in verified_claims.claims and verified_claims.verification
+      // we must look into both
+      if (sdJwt.payload.verified_claims.claims._sd.includes(hash)) {
+        const index = sdJwt.payload.verified_claims.claims._sd.indexOf(hash);
+        return { claim, path: `verified_claims.claims._sd[${index}]` };
+      } else if (
+        sdJwt.payload.verified_claims.verification._sd.includes(hash)
+      ) {
+        const index =
+          sdJwt.payload.verified_claims.verification._sd.indexOf(hash);
+        return { claim, path: `verified_claims.verification._sd[${index}]` };
+      }
+      throw new ClaimsNotFoundInToken(claim);
+    })
+  );
+  const filteredDisclosures = rawDisclosures.filter((d) => {
+    const {
+      decoded: [, name],
+    } = decodeDisclosure(d);
+    return claims.includes(name);
+  });
+  // compose the final disclosed token
+  const disclosedToken = [rawSdJwt, ...filteredDisclosures].join("~");
+  return { token: disclosedToken, paths };
+};
 /**
  * Verify a given SD-JWT with Disclosures
  * Same as {@link decode} plus:
@@ -91,5 +165,8 @@ export const verify = async <S extends z.AnyZodObject>(
     )
   );
-  return decoded;
+  return {
+    sdJwt: decoded.sdJwt,
+    disclosures: decoded.disclosures.map((d) => d.decoded),
+  };
 };