@pagopa/io-react-native-wallet 0.2.7 → 0.3.0

package/src/rp/index.ts

@@ -77,7 +77,7 @@ export class RelyingPartySolution {
    *
    */
   async getUnsignedWalletInstanceDPoP(
-    walletInstanceAttestationJwk: JWK,
+    walletInstanceAttestationJwk: any,
     authRequestUrl: string
   ): Promise<string> {
     return await new SignJWT({
@@ -109,10 +109,9 @@ export class RelyingPartySolution {
    */
   async getRequestObject(
     signedWalletInstanceDPoP: string,
+    requestUri: string,
     entity: RpEntityConfiguration
   ): Promise<RequestObject> {
-    const decodedJwtDPop = await decodeJwt(signedWalletInstanceDPoP);
-    const requestUri = decodedJwtDPop.payload.htu as string;
     const response = await this.appFetch(requestUri, {
       method: "GET",
       headers: {
@@ -122,13 +121,15 @@ export class RelyingPartySolution {
     });
 
     if (response.status === 200) {
-      const responseText = await response.text();
-      const responseJwt = decodeJwt(responseText);
+      const responseJson = await response.json();
+      const responseEncodedJwt = responseJson.response;
+
+      const responseJwt = decodeJwt(responseEncodedJwt);
 
       // verify token signature according to RP's entity configuration
       // to ensure the request object is authentic
       {
-        const pubKey = entity.payload.jwks.keys.find(
+        const pubKey = entity.payload.metadata.wallet_relying_party.jwks.find(
           ({ kid }) => kid === responseJwt.protectedHeader.kid
         );
         if (!pubKey) {
@@ -136,7 +137,7 @@ export class RelyingPartySolution {
             "Request Object signature verification"
           );
         }
-        await verify(responseText, pubKey);
+        await verify(responseEncodedJwt, pubKey);
       }
 
       // parse request object it has the expected shape by specification
@@ -163,14 +164,18 @@ export class RelyingPartySolution {
    * @todo accept more than a Verified Credential
    *
    * @param requestObj The incoming request object, which the requirements for the requested authorization
+   * @param walletInstanceIdentifier The identifies of the wallt instance that is presenting
    * @param presentation The Verified Credential containing user data along with the list of claims to be disclosed.
+   * @param signKeyId The kid of the key that will be used to sign
    * @returns The unsigned Verified Presentation token
    * @throws {ClaimsNotFoundBetweenDislosures} If the Verified Credential does not contain one or more requested claims.
    *
    */
   async prepareVpToken(
     requestObj: RequestObject,
-    [vc, claims]: Presentation // TODO: [SIW-353] support multiple presentations
+    walletInstanceIdentifier: string,
+    [vc, claims]: Presentation, // TODO: [SIW-353] support multiple presentations,
+    signKeyId: string
   ): Promise<{
     vp_token: string;
     presentation_submission: Record<string, unknown>;
@@ -180,18 +185,25 @@ export class RelyingPartySolution {
 
     // TODO: [SIW-359] check all requeste claims of the requestedObj are satisfied
 
-    const vp_token = new SignJWT({ vp })
+    const vp_token = new SignJWT({
+      vp: vp,
+      jti: `${uuid.v4()}`,
+      iss: walletInstanceIdentifier,
+      nonce: requestObj.payload.nonce,
+    })
       .setAudience(requestObj.payload.response_uri)
+      .setIssuedAt()
       .setExpirationTime("1h")
       .setProtectedHeader({
         typ: "JWT",
         alg: "ES256",
+        kid: signKeyId,
       })
       .toSign();
 
-    const [definition_id, vc_scope] = requestObj.payload.scope;
+    const vc_scope = requestObj.payload.scope;
     const presentation_submission = {
-      definition_id,
+      definition_id: `${uuid.v4()}`,
       id: `${uuid.v4()}`,
       descriptor_map: paths.map((p) => ({
         id: vc_scope,
@@ -225,94 +237,72 @@ export class RelyingPartySolution {
   ): Promise<string> {
     // the request is an unsigned jws without iss, aud, exp
     // https://openid.net/specs/openid-4-verifiable-presentations-1_0.html#name-signed-and-encrypted-respon
-    const jwk = this.choosePublicKeyToEncrypt(entity);
-    const enc = this.getEncryptionAlgByJwk(jwk);
+    const jwk = this.chooseRSAPublicKeyToEncrypt(entity);
 
     const authzResponsePayload = JSON.stringify({
       state: requestObj.payload.state,
       presentation_submission,
+      nonce: requestObj.payload.nonce,
       vp_token,
     });
+
     const encrypted = await new EncryptJwe(authzResponsePayload, {
-      alg: jwk.alg,
-      enc,
+      alg: "RSA-OAEP-256",
+      enc: "A256CBC-HS512",
+      kid: jwk.kid,
     }).encrypt(jwk);
 
     const formBody = new URLSearchParams({ response: encrypted });
+    const body = formBody.toString();
+
     const response = await this.appFetch(requestObj.payload.response_uri, {
       method: "POST",
       headers: {
         "Content-Type": "application/x-www-form-urlencoded",
       },
-      body: formBody.toString(),
+      body,
     });
 
     if (response.status === 200) {
-      return response.text();
+      return await response.text();
     }
 
     throw new IoWalletError(
-      `Unable to send Authorization Response. Response code: ${response.status}`
+      `Unable to send Authorization Response. Response: ${await response.text()} with code: ${
+        response.status
+      }`
     );
   }
 
   /**
-   * Select a public key from those provided by the RP.
-   * Keys with algorithm "RSA-OAEP-256" or "RSA-OAEP" are expected, the firsts to be preferred.
+   * Select a RSA public key from those provided by the RP to encrypt.
    *
    * @param entity The RP entity configuration
    * @returns A suitable public key with its compatible encryption algorithm
    * @throws {NoSuitableKeysFoundInEntityConfiguration} If entity do not contain any public key suitable for encrypting
    */
-  private choosePublicKeyToEncrypt(
-    entity: RpEntityConfiguration
-  ): (JWK & { alg: "RSA-OAEP-256" }) | (JWK & { alg: "RSA-OAEP" }) {
-    // Look for keys using "RSA-OAEP-256", and pick a random one
-    const [usingRsa256] = entity.payload.jwks.keys.filter(
-      <T>(k: T & { alg?: string }): k is T & { alg: "RSA-OAEP-256" } =>
-        typeof k.alg === "string" && k.alg === "RSA-OAEP-256"
-    );
+  private chooseRSAPublicKeyToEncrypt(entity: RpEntityConfiguration): JWK {
+    const [usingRsa256] =
+      entity.payload.metadata.wallet_relying_party.jwks.filter(
+        (jwk) => jwk.use === "enc" && jwk.kty === "RSA"
+      );
 
     if (usingRsa256) {
       return usingRsa256;
     }
 
-    // Look for keys using "RSA-OAEP", and pick a random one
-    const [usingRsa] = entity.payload.jwks.keys.filter(
-      <T>(k: T & { alg?: string }): k is T & { alg: "RSA-OAEP" } =>
-        typeof k.alg === "string" && k.alg === "RSA-OAEP"
-    );
-
-    if (usingRsa) {
-      return usingRsa;
-    }
-
     // No suitable key has been found
     throw new NoSuitableKeysFoundInEntityConfiguration(
       "Encrypt with RP public key"
     );
   }
 
-  private getEncryptionAlgByJwk({
-    alg,
-  }: (JWK & { alg: "RSA-OAEP-256" }) | (JWK & { alg: "RSA-OAEP" })):
-    | "A128CBC-HS256"
-    | "A256CBC-HS512" {
-    if (alg === "RSA-OAEP-256") return "A256CBC-HS512";
-    if (alg === "RSA-OAEP") return "A128CBC-HS256";
-
-    const _: never = alg;
-    throw new Error(`Invalid jwk algorithm: ${_}`);
-  }
-
   /**
    * Obtain the relying party entity configuration.
    */
   async getEntityConfiguration(): Promise<RpEntityConfiguration> {
-    const wellKnownUrl = new URL(
-      "/.well-known/openid-federation",
-      this.relyingPartyBaseUrl
-    ).href;
+    const wellKnownUrl =
+      this.relyingPartyBaseUrl + "/.well-known/openid-federation";
 
     const response = await this.appFetch(wellKnownUrl, {
       method: "GET",

package/src/rp/types.ts

@@ -5,7 +5,8 @@ import * as z from "zod";
 export type RequestObject = z.infer<typeof RequestObject>;
 export const RequestObject = z.object({
   header: z.object({
-    typ: z.literal("JWT"),
+    // FIXME: SIW-421 type field must be either required or omitted, optional isn't useful
+    typ: z.literal("JWT").optional(),
     alg: z.string(),
     kid: z.string(),
     trust_chain: z.array(z.string()),
@@ -46,18 +47,18 @@ export const RpEntityConfiguration = z.object({
         application_type: z.string(),
         client_id: z.string(),
         client_name: z.string(),
-        jwks: z.object({
-          keys: z.array(JWK),
-        }),
+        jwks: z.array(JWK),
         contacts: z.array(z.string()),
       }),
-      federation_entity: z.object({
+      // FIXME: SIW-422 require federation_metadata field
+      // Actual RP implementation does not comply with the spec
+      /* federation_entity: z.object({
         organization_name: z.string(),
         homepage_uri: z.string(),
         policy_uri: z.string(),
         logo_uri: z.string(),
         contacts: z.array(z.string()),
-      }),
+      }), */
     }),
     authority_hints: z.array(z.string()),
   }),
@@ -65,7 +66,7 @@ export const RpEntityConfiguration = z.object({
 
 export type QRCodePayload = z.infer<typeof QRCodePayload>;
 export const QRCodePayload = z.object({
-  protocol: z.literal("eudiw:"),
+  protocol: z.string(),
   resource: z.string(), // TODO: refine to known paths using literals
   clientId: z.string(),
   requestURI: z.string(),

package/src/utils/jwk.ts

@@ -1,3 +1,4 @@
+import { removePadding } from "@pagopa/io-react-native-jwt";
 import { z } from "zod";
 
 export type JWK = z.infer<typeof JWK>;
@@ -37,3 +38,23 @@ export const JWK = z.object({
   /** JWK "x5u" (X.509 URL) Parameter. */
   x5u: z.string().optional(),
 });
+
+/**
+ * Ensure key values are encoded using base64url and not just base64, as defined in https://datatracker.ietf.org/doc/html/rfc7517
+ *
+ * @see https://datatracker.ietf.org/doc/html/rfc7517
+ *
+ * @param key The key to fix
+ * @returns THe same input key with fixed values
+ */
+export function fixBase64EncodingOnKey(key: JWK): JWK {
+  const { x, y, e, n, ...pk } = key;
+
+  return {
+    ...pk,
+    ...(x ? { x: removePadding(x) } : {}),
+    ...(y ? { y: removePadding(y) } : {}),
+    ...(e ? { e: removePadding(e) } : {}),
+    ...(n ? { n: removePadding(n) } : {}),
+  };
+}

package/src/wallet-instance-attestation/issuing.ts

@@ -1,7 +1,7 @@
 import { decode as decodeJwt } from "@pagopa/io-react-native-jwt";
 import { verify as verifyJwt } from "@pagopa/io-react-native-jwt";
 import { SignJWT, thumbprint } from "@pagopa/io-react-native-jwt";
-import { JWK } from "../utils/jwk";
+import { JWK, fixBase64EncodingOnKey } from "../utils/jwk";
 import { WalletInstanceAttestationRequestJwt } from "./types";
 import uuid from "react-native-uuid";
 import { WalletInstanceAttestationIssuingError } from "../utils/errors";
@@ -38,7 +38,7 @@ export class Issuing {
       jti: `${uuid.v4()}`,
       type: "WalletInstanceAttestationRequest",
       cnf: {
-        jwk: publicKey,
+        jwk: fixBase64EncodingOnKey(publicKey),
       },
     })
       .setProtectedHeader({
@@ -74,6 +74,7 @@ export class Issuing {
       attestationRequest,
       signature
     );
+
     const decodedRequest = decodeJwt(signedAttestationRequest);
     const parsedRequest = WalletInstanceAttestationRequestJwt.parse({
       payload: decodedRequest.payload,

package/src/wallet-instance-attestation/types.ts

@@ -18,7 +18,11 @@ const Jwt = z.object({
     iat: UnixTime,
     exp: UnixTime,
     cnf: z.object({
-      jwk: JWK,
+      jwk: z.intersection(
+        JWK,
+        // this key requires a kis because it must be referenced for DPoP
+        z.object({ kid: z.string() })
+      ),
     }),
   }),
 });
@@ -60,7 +64,7 @@ export const WalletInstanceAttestationJwt = z.object({
       tos_uri: z.string().url(),
       logo_uri: z.string().url(),
       asc: z.string(),
-      authorization_endpoint: z.string().url(),
+      authorization_endpoint: z.string(),
       response_types_supported: z.array(z.string()),
       vp_formats_supported: z.object({
         jwt_vp_json: z.object({

package/lib/typescript/src/index.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/index.ts"],"names":[],"mappings":"AAEA,OAAO,gCAAgC,CAAC;AAExC,OAAO,KAAK,GAAG,MAAM,OAAO,CAAC;AAC7B,OAAO,KAAK,EAAE,MAAM,MAAM,CAAC;AAC3B,OAAO,KAAK,MAAM,MAAM,gBAAgB,CAAC;AACzC,OAAO,KAAK,yBAAyB,MAAM,+BAA+B,CAAC;AAC3E,OAAO,EAAE,eAAe,EAAE,MAAM,cAAc,CAAC;AAC/C,OAAO,EAAE,oBAAoB,EAAE,MAAM,MAAM,CAAC;AAE5C,OAAO,EACL,GAAG,EACH,EAAE,EACF,yBAAyB,EACzB,MAAM,EACN,eAAe,EACf,oBAAoB,GACrB,CAAC"}

package/lib/typescript/src/pid/index.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../src/pid/index.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,KAAK,MAAM,UAAU,CAAC;AAClC,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACpC,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC"}

package/lib/typescript/src/pid/issuing.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"issuing.d.ts","sourceRoot":"","sources":["../../../../src/pid/issuing.ts"],"names":[],"mappings":"AAOA,OAAO,EAAE,GAAG,EAAE,MAAM,cAAc,CAAC;AAKnC,OAAO,EAAE,4BAA4B,EAAE,MAAM,YAAY,CAAC;AAG1D,MAAM,MAAM,OAAO,GAAG;IACpB,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;CACjB,CAAC;AAEF,MAAM,MAAM,aAAa,GAAG;IAAE,YAAY,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAAC;AACtE,MAAM,MAAM,WAAW,GAAG;IACxB,UAAU,EAAE,MAAM,CAAC;IACnB,OAAO,EAAE,MAAM,CAAC;IAChB,kBAAkB,EAAE,MAAM,CAAC;IAC3B,MAAM,EAAE,MAAM,CAAC;CAChB,CAAC;AAEF,qBAAa,OAAO;IAClB,kBAAkB,EAAE,MAAM,CAAC;IAC3B,qBAAqB,EAAE,MAAM,CAAC;IAC9B,yBAAyB,EAAE,MAAM,CAAC;IAClC,YAAY,EAAE,MAAM,CAAC;IACrB,QAAQ,EAAE,MAAM,CAAC;IACjB,KAAK,EAAE,MAAM,CAAC;IACd,iBAAiB,EAAE,MAAM,CAAC;IAC1B,QAAQ,EAAE,WAAW,CAAC,OAAO,CAAC,CAAC;gBAG7B,kBAAkB,EAAE,MAAM,EAC1B,qBAAqB,EAAE,MAAM,EAC7B,yBAAyB,EAAE,MAAM,EACjC,QAAQ,EAAE,MAAM,EAChB,QAAQ,GAAE,WAAW,CAAC,OAAO,CAAS;IAYxC;;;;;;;;OAQG;IACG,oBAAoB,CAAC,GAAG,EAAE,GAAG,GAAG,OAAO,CAAC,MAAM,CAAC;IAoCrD;;;;;;;;;OASG;IACG,MAAM,CAAC,iBAAiB,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAwC3E;;;;;;;;OAQG;IACG,eAAe,CAAC,GAAG,EAAE,GAAG,GAAG,OAAO,CAAC,MAAM,CAAC;IAUhD;;;;;;OAMG;IACG,YAAY,IAAI,OAAO,CAAC,aAAa,CAAC;IA4C5C;;;;;;;;OAQG;IACG,qBAAqB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAgB3D;;;;;;;;;;;;;OAaG;IACG,aAAa,CACjB,kBAAkB,EAAE,MAAM,EAC1B,gBAAgB,EAAE,MAAM,EACxB,kBAAkB,EAAE,MAAM,EAC1B,mBAAmB,EAAE,MAAM,EAC3B,WAAW,EAAE,MAAM,EACnB,OAAO,EAAE,OAAO,GACf,OAAO,CAAC,WAAW,CAAC;IAuCvB;;;;;;OAMG;IACG,sBAAsB,IAAI,OAAO,CAAC,4BAA4B,CAAC;CA2BtE"}

package/lib/typescript/src/pid/sd-jwt/converters.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"converters.d.ts","sourceRoot":"","sources":["../../../../../src/pid/sd-jwt/converters.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,UAAU,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAC/D,OAAO,EAAE,GAAG,EAAE,MAAM,SAAS,CAAC;AAE9B,wBAAgB,YAAY,CAAC,KAAK,EAAE,QAAQ,EAAE,WAAW,EAAE,UAAU,EAAE,GAAG,GAAG,CAqB5E"}

package/lib/typescript/src/pid/sd-jwt/index.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../../src/pid/sd-jwt/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,GAAG,EAAE,MAAM,SAAS,CAAC;AAE9B,OAAO,EAAE,UAAU,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAE1D;;;;;;;;;;;;;;GAcG;AACH,wBAAgB,MAAM,CAAC,KAAK,EAAE,MAAM,GAAG,YAAY,CASlD;AAED;;;;;;;;;;;;;;;;;;;GAmBG;AACH,wBAAsB,MAAM,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,CAAC,CAMjE;AAED,MAAM,MAAM,YAAY,GAAG;IAEzB,GAAG,EAAE,GAAG,CAAC;IAET,KAAK,EAAE,QAAQ,CAAC;IAEhB,WAAW,EAAE,UAAU,EAAE,CAAC;CAC3B,CAAC;AAEF;;GAEG;AACH,MAAM,MAAM,YAAY,GAAG,YAAY,CAAC;AAExC,OAAO,EAAE,GAAG,EAAE,MAAM,SAAS,CAAC"}

package/lib/typescript/src/pid/sd-jwt/types.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../../../../src/pid/sd-jwt/types.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAoBxB;;;;;GAKG;AACH,MAAM,MAAM,GAAG,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,GAAG,CAAC,CAAC;AACtC,eAAO,MAAM,GAAG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAgBd,CAAC"}

package/lib/typescript/src/rp/__test__/index.test.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"index.test.d.ts","sourceRoot":"","sources":["../../../../../src/rp/__test__/index.test.ts"],"names":[],"mappings":""}

package/lib/typescript/src/rp/index.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../src/rp/index.ts"],"names":[],"mappings":"AAaA,OAAO,EACL,aAAa,EACb,aAAa,EACb,qBAAqB,EACrB,KAAK,YAAY,EAClB,MAAM,SAAS,CAAC;AAGjB,OAAO,KAAK,EAAE,GAAG,EAAE,MAAM,kDAAkD,CAAC;AAG5E,qBAAa,oBAAoB;IAC/B,mBAAmB,EAAE,MAAM,CAAC;IAC5B,yBAAyB,EAAE,MAAM,CAAC;IAClC,QAAQ,EAAE,WAAW,CAAC,OAAO,CAAC,CAAC;gBAG7B,mBAAmB,EAAE,MAAM,EAC3B,yBAAyB,EAAE,MAAM,EACjC,QAAQ,GAAE,WAAW,CAAC,OAAO,CAAS;IAOxC;;;;;;;OAOG;IACH,MAAM,CAAC,mBAAmB,CAAC,MAAM,EAAE,MAAM,GAAG,aAAa;IAqBzD;;;;;;;;;OASG;IACG,6BAA6B,CACjC,4BAA4B,EAAE,GAAG,EACjC,cAAc,EAAE,MAAM,GACrB,OAAO,CAAC,MAAM,CAAC;IAiBlB;;;;;;;;;;OAUG;IACG,gBAAgB,CACpB,wBAAwB,EAAE,MAAM,EAChC,MAAM,EAAE,qBAAqB,GAC5B,OAAO,CAAC,aAAa,CAAC;IA2CzB;;;;;;;;;;;;;;OAcG;IACG,cAAc,CAClB,UAAU,EAAE,aAAa,EACzB,CAAC,EAAE,EAAE,MAAM,CAAC,EAAE,YAAY,GACzB,OAAO,CAAC;QACT,QAAQ,EAAE,MAAM,CAAC;QACjB,uBAAuB,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;KAClD,CAAC;IA6BF;;;;;;;;;;;;;OAaG;IACG,yBAAyB,CAC7B,UAAU,EAAE,aAAa,EACzB,QAAQ,EAAE,MAAM,EAChB,uBAAuB,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAChD,MAAM,EAAE,qBAAqB,GAC5B,OAAO,CAAC,MAAM,CAAC;IAkClB;;;;;;;OAOG;IACH,OAAO,CAAC,wBAAwB;IA6BhC,OAAO,CAAC,qBAAqB;IAY7B;;OAEG;IACG,sBAAsB,IAAI,OAAO,CAAC,qBAAqB,CAAC;CAuB/D"}