@pagopa/io-react-native-wallet 0.22.0 → 0.24.0

package/README.md

@@ -146,6 +146,7 @@ Different flows are provided to perform common operations. Each flow is a set of
   - [Issuance](./src/credential/issuance/README.md)
   - [Presentation](./src/credential/presentation/README.md) (TODO)
   - [Status](./src/credential/status/README.md)
+  - [Trustmark](./src/credential/trustmark/README.md)
 
 ### Example
 

package/lib/commonjs/credential/index.js

@@ -3,13 +3,15 @@
 Object.defineProperty(exports, "__esModule", {
   value: true
 });
-exports.Status = exports.Presentation = exports.Issuance = void 0;
+exports.Trustmark = exports.Status = exports.Presentation = exports.Issuance = void 0;
 var Issuance = _interopRequireWildcard(require("./issuance"));
 exports.Issuance = Issuance;
 var Presentation = _interopRequireWildcard(require("./presentation"));
 exports.Presentation = Presentation;
 var Status = _interopRequireWildcard(require("./status"));
 exports.Status = Status;
+var Trustmark = _interopRequireWildcard(require("./trustmark"));
+exports.Trustmark = Trustmark;
 function _getRequireWildcardCache(nodeInterop) { if (typeof WeakMap !== "function") return null; var cacheBabelInterop = new WeakMap(); var cacheNodeInterop = new WeakMap(); return (_getRequireWildcardCache = function (nodeInterop) { return nodeInterop ? cacheNodeInterop : cacheBabelInterop; })(nodeInterop); }
 function _interopRequireWildcard(obj, nodeInterop) { if (!nodeInterop && obj && obj.__esModule) { return obj; } if (obj === null || typeof obj !== "object" && typeof obj !== "function") { return { default: obj }; } var cache = _getRequireWildcardCache(nodeInterop); if (cache && cache.has(obj)) { return cache.get(obj); } var newObj = {}; var hasPropertyDescriptor = Object.defineProperty && Object.getOwnPropertyDescriptor; for (var key in obj) { if (key !== "default" && Object.prototype.hasOwnProperty.call(obj, key)) { var desc = hasPropertyDescriptor ? Object.getOwnPropertyDescriptor(obj, key) : null; if (desc && (desc.get || desc.set)) { Object.defineProperty(newObj, key, desc); } else { newObj[key] = obj[key]; } } } newObj.default = obj; if (cache) { cache.set(obj, newObj); } return newObj; }
 //# sourceMappingURL=index.js.map

package/lib/commonjs/credential/index.js.map

@@ -1 +1 @@
-{"version":3,"names":["Issuance","_interopRequireWildcard","require","exports","Presentation","Status","_getRequireWildcardCache","nodeInterop","WeakMap","cacheBabelInterop","cacheNodeInterop","obj","__esModule","default","cache","has","get","newObj","hasPropertyDescriptor","Object","defineProperty","getOwnPropertyDescriptor","key","prototype","hasOwnProperty","call","desc","set"],"sourceRoot":"../../../src","sources":["credential/index.ts"],"mappings":";;;;;;AAAA,IAAAA,QAAA,GAAAC,uBAAA,CAAAC,OAAA;AAAuCC,OAAA,CAAAH,QAAA,GAAAA,QAAA;AACvC,IAAAI,YAAA,GAAAH,uBAAA,CAAAC,OAAA;AAA+CC,OAAA,CAAAC,YAAA,GAAAA,YAAA;AAC/C,IAAAC,MAAA,GAAAJ,uBAAA,CAAAC,OAAA;AAAmCC,OAAA,CAAAE,MAAA,GAAAA,MAAA;AAAA,SAAAC,yBAAAC,WAAA,eAAAC,OAAA,kCAAAC,iBAAA,OAAAD,OAAA,QAAAE,gBAAA,OAAAF,OAAA,YAAAF,wBAAA,YAAAA,CAAAC,WAAA,WAAAA,WAAA,GAAAG,gBAAA,GAAAD,iBAAA,KAAAF,WAAA;AAAA,SAAAN,wBAAAU,GAAA,EAAAJ,WAAA,SAAAA,WAAA,IAAAI,GAAA,IAAAA,GAAA,CAAAC,UAAA,WAAAD,GAAA,QAAAA,GAAA,oBAAAA,GAAA,wBAAAA,GAAA,4BAAAE,OAAA,EAAAF,GAAA,UAAAG,KAAA,GAAAR,wBAAA,CAAAC,WAAA,OAAAO,KAAA,IAAAA,KAAA,CAAAC,GAAA,CAAAJ,GAAA,YAAAG,KAAA,CAAAE,GAAA,CAAAL,GAAA,SAAAM,MAAA,WAAAC,qBAAA,GAAAC,MAAA,CAAAC,cAAA,IAAAD,MAAA,CAAAE,wBAAA,WAAAC,GAAA,IAAAX,GAAA,QAAAW,GAAA,kBAAAH,MAAA,CAAAI,SAAA,CAAAC,cAAA,CAAAC,IAAA,CAAAd,GAAA,EAAAW,GAAA,SAAAI,IAAA,GAAAR,qBAAA,GAAAC,MAAA,CAAAE,wBAAA,CAAAV,GAAA,EAAAW,GAAA,cAAAI,IAAA,KAAAA,IAAA,CAAAV,GAAA,IAAAU,IAAA,CAAAC,GAAA,KAAAR,MAAA,CAAAC,cAAA,CAAAH,MAAA,EAAAK,GAAA,EAAAI,IAAA,YAAAT,MAAA,CAAAK,GAAA,IAAAX,GAAA,CAAAW,GAAA,SAAAL,MAAA,CAAAJ,OAAA,GAAAF,GAAA,MAAAG,KAAA,IAAAA,KAAA,CAAAa,GAAA,CAAAhB,GAAA,EAAAM,MAAA,YAAAA,MAAA"}
+{"version":3,"names":["Issuance","_interopRequireWildcard","require","exports","Presentation","Status","Trustmark","_getRequireWildcardCache","nodeInterop","WeakMap","cacheBabelInterop","cacheNodeInterop","obj","__esModule","default","cache","has","get","newObj","hasPropertyDescriptor","Object","defineProperty","getOwnPropertyDescriptor","key","prototype","hasOwnProperty","call","desc","set"],"sourceRoot":"../../../src","sources":["credential/index.ts"],"mappings":";;;;;;AAAA,IAAAA,QAAA,GAAAC,uBAAA,CAAAC,OAAA;AAAuCC,OAAA,CAAAH,QAAA,GAAAA,QAAA;AACvC,IAAAI,YAAA,GAAAH,uBAAA,CAAAC,OAAA;AAA+CC,OAAA,CAAAC,YAAA,GAAAA,YAAA;AAC/C,IAAAC,MAAA,GAAAJ,uBAAA,CAAAC,OAAA;AAAmCC,OAAA,CAAAE,MAAA,GAAAA,MAAA;AACnC,IAAAC,SAAA,GAAAL,uBAAA,CAAAC,OAAA;AAAyCC,OAAA,CAAAG,SAAA,GAAAA,SAAA;AAAA,SAAAC,yBAAAC,WAAA,eAAAC,OAAA,kCAAAC,iBAAA,OAAAD,OAAA,QAAAE,gBAAA,OAAAF,OAAA,YAAAF,wBAAA,YAAAA,CAAAC,WAAA,WAAAA,WAAA,GAAAG,gBAAA,GAAAD,iBAAA,KAAAF,WAAA;AAAA,SAAAP,wBAAAW,GAAA,EAAAJ,WAAA,SAAAA,WAAA,IAAAI,GAAA,IAAAA,GAAA,CAAAC,UAAA,WAAAD,GAAA,QAAAA,GAAA,oBAAAA,GAAA,wBAAAA,GAAA,4BAAAE,OAAA,EAAAF,GAAA,UAAAG,KAAA,GAAAR,wBAAA,CAAAC,WAAA,OAAAO,KAAA,IAAAA,KAAA,CAAAC,GAAA,CAAAJ,GAAA,YAAAG,KAAA,CAAAE,GAAA,CAAAL,GAAA,SAAAM,MAAA,WAAAC,qBAAA,GAAAC,MAAA,CAAAC,cAAA,IAAAD,MAAA,CAAAE,wBAAA,WAAAC,GAAA,IAAAX,GAAA,QAAAW,GAAA,kBAAAH,MAAA,CAAAI,SAAA,CAAAC,cAAA,CAAAC,IAAA,CAAAd,GAAA,EAAAW,GAAA,SAAAI,IAAA,GAAAR,qBAAA,GAAAC,MAAA,CAAAE,wBAAA,CAAAV,GAAA,EAAAW,GAAA,cAAAI,IAAA,KAAAA,IAAA,CAAAV,GAAA,IAAAU,IAAA,CAAAC,GAAA,KAAAR,MAAA,CAAAC,cAAA,CAAAH,MAAA,EAAAK,GAAA,EAAAI,IAAA,YAAAT,MAAA,CAAAK,GAAA,IAAAX,GAAA,CAAAW,GAAA,SAAAL,MAAA,CAAAJ,OAAA,GAAAF,GAAA,MAAAG,KAAA,IAAAA,KAAA,CAAAa,GAAA,CAAAhB,GAAA,EAAAM,MAAA,YAAAA,MAAA"}

package/lib/commonjs/credential/trustmark/README.md

@@ -0,0 +1,62 @@
+# Credential Trustmark
+
+A credential TrustMark is a signed JWT that verifies the authenticity of a credential issued by a trusted source. It serves as proof that a credential is valid and linked to a specific wallet instance.
+The TrustMark is often presented as a QR code, containing cryptographic data to ensure it hasn't been tampered with. It includes fields like issuer, issuance and expiration timestamps, and credential-specific details. TrustMarks have a short validity period and are used to enhance security and prevent misuse, such as QR code swapping.
+
+### getCredentialTrustmark
+
+A function that generates a signed JWT Trustmark to verify the authenticity of a digital credential. The Trustmark serves as a cryptographic proof linking a credential to a specific wallet instance, ensuring the credential's validity and preventing unauthorized modifications or misuse.
+
+#### Signature
+
+```typescript
+function getCredentialTrustmark({
+  walletInstanceAttestation: string,
+  wiaCryptoContext: CryptoContext,
+  credentialType: string,
+  docNumber?: string,
+  expirationTime?: number | string
+}): Promise<{
+  jwt: string,
+  expirationTime: number
+}>
+```
+
+#### Parameters
+| Parameter | Type | Required | Description |
+|-----------|------|----------|-------------|
+| walletInstanceAttestation | string | Yes | A base64-encoded string containing the Wallet Instance Attestation (WIA). This attestation proves the authenticity of the wallet instance. |
+| wiaCryptoContext | CryptoContext | Yes | The cryptographic context associated with the wallet instance. Must contain the same key pair used to generate the WIA. |
+| credentialType | string | Yes | Identifier for the type of credential (e.g., "MDL" for Mobile Driver's License). |
+| docNumber | string | No | The document number of the credential. If provided, it will be obfuscated in the Trustmark for privacy. |
+| expirationTime | number \| string | No | Specifies when the Trustmark expires. Can be either:<br>- A timestamp in seconds<br>- A time span string (e.g., "2m" for 2 minutes)<br>Default: "2m" |
+
+#### Return Value
+
+Returns a Promise that resolves to an object containing:
+| Property | Type | Description |
+|----------|------|-------------|
+| jwt | string | The signed trustmark JWT string |
+| expirationTime | number | The expiration timestamp of the JWT in seconds |
+
+## Example
+
+```typescript
+// Required inputs
+const walletInstanceAttestation = "base64AttestationString";
+const credentialType = "MDL"; // Credential type (e.g., Mobile Driver's License)
+const documentNumber = "AB123456"; // Optional document number
+const cryptoContext = createCryptoContextFor("wiaKeyTag"); // Sample crypto context
+
+// Generate the TrustMark JWT
+const { jwt, expirationTime } = await getCredentialTrustmark({
+  walletInstanceAttestation: "eyJ0eXAi...", // WIA JWT
+  wiaCryptoContext: cryptoContext,
+  credentialType: "IdentityCard",
+  docNumber: "AB123456",
+  expirationTime: "5m", // 5 minutes
+});
+
+console.log("Generated TrustMark JWT:", jwt);
+console.log("Expires at:", new Date(expirationTime * 1000));
+```

package/lib/commonjs/credential/trustmark/get-credential-trustmark.js

@@ -0,0 +1,72 @@
+"use strict";
+
+Object.defineProperty(exports, "__esModule", {
+  value: true
+});
+exports.getCredentialTrustmark = void 0;
+var _ioReactNativeJwt = require("@pagopa/io-react-native-jwt");
+var WalletInstanceAttestation = _interopRequireWildcard(require("../../wallet-instance-attestation"));
+var _errors = require("../../utils/errors");
+var _string = require("../../utils/string");
+function _getRequireWildcardCache(nodeInterop) { if (typeof WeakMap !== "function") return null; var cacheBabelInterop = new WeakMap(); var cacheNodeInterop = new WeakMap(); return (_getRequireWildcardCache = function (nodeInterop) { return nodeInterop ? cacheNodeInterop : cacheBabelInterop; })(nodeInterop); }
+function _interopRequireWildcard(obj, nodeInterop) { if (!nodeInterop && obj && obj.__esModule) { return obj; } if (obj === null || typeof obj !== "object" && typeof obj !== "function") { return { default: obj }; } var cache = _getRequireWildcardCache(nodeInterop); if (cache && cache.has(obj)) { return cache.get(obj); } var newObj = {}; var hasPropertyDescriptor = Object.defineProperty && Object.getOwnPropertyDescriptor; for (var key in obj) { if (key !== "default" && Object.prototype.hasOwnProperty.call(obj, key)) { var desc = hasPropertyDescriptor ? Object.getOwnPropertyDescriptor(obj, key) : null; if (desc && (desc.get || desc.set)) { Object.defineProperty(newObj, key, desc); } else { newObj[key] = obj[key]; } } } newObj.default = obj; if (cache) { cache.set(obj, newObj); } return newObj; }
+/**
+ * Generates a trustmark signed JWT, which is used to verify the authenticity of a credential.
+ * The public key used to sign the trustmark must the same used for the Wallet Instance Attestation.
+ *
+ * @param walletInstanceAttestation the Wallet Instance's attestation
+ * @param wiaCryptoContext The Wallet Instance's crypto context associated with the walletInstanceAttestation parameter
+ * @param credentialType The type of credential for which the trustmark is generated
+ * @param docNumber (Optional) Document number contained in the credential, if applicable
+ * @param expirationTime (Optional) Expiration time for the trustmark, default is 2 minutes.
+ * If a number is provided, it is interpreted as a timestamp in seconds.
+ * If a string is provided, it is interpreted as a time span and added to the current timestamp.
+ * @throws {IoWalletError} If the public key associated to the WIA is not the same for the CryptoContext
+ * @returns A promise containing the signed JWT and its expiration time in seconds
+ */
+const getCredentialTrustmark = async _ref => {
+  let {
+    walletInstanceAttestation,
+    wiaCryptoContext,
+    credentialType,
+    docNumber,
+    expirationTime = "2m"
+  } = _ref;
+  /**
+   * Check that the public key used to sign the trustmark is the one used for the WIA
+   */
+  const holderBindingKey = await wiaCryptoContext.getPublicKey();
+  const decodedWia = WalletInstanceAttestation.decode(walletInstanceAttestation);
+
+  /**
+   * Verify holder binding by comparing thumbprints of the WIA and the CryptoContext key
+   */
+  const wiaThumbprint = await (0, _ioReactNativeJwt.thumbprint)(decodedWia.payload.cnf.jwk);
+  const cryptoContextThumbprint = await (0, _ioReactNativeJwt.thumbprint)(holderBindingKey);
+  if (wiaThumbprint !== cryptoContextThumbprint) {
+    throw new _errors.IoWalletError(`Failed to verify holder binding for status attestation, expected thumbprint: ${cryptoContextThumbprint}, got: ${wiaThumbprint}`);
+  }
+
+  /**
+   * Generate Trustmark signed JWT
+   */
+  const signedTrustmarkJwt = await new _ioReactNativeJwt.SignJWT(wiaCryptoContext).setProtectedHeader({
+    alg: "ES256"
+  }).setPayload({
+    iss: walletInstanceAttestation,
+    sub: credentialType,
+    /**
+     * If present, the document number is obfuscated before adding it to the payload
+     */
+    ...(docNumber ? {
+      subtyp: (0, _string.obfuscateString)(docNumber)
+    } : {})
+  }).setIssuedAt().setExpirationTime(expirationTime).sign();
+  const decodedTrustmark = (0, _ioReactNativeJwt.decode)(signedTrustmarkJwt);
+  return {
+    jwt: signedTrustmarkJwt,
+    expirationTime: decodedTrustmark.payload.exp ?? 0
+  };
+};
+exports.getCredentialTrustmark = getCredentialTrustmark;
+//# sourceMappingURL=get-credential-trustmark.js.map

package/lib/commonjs/credential/trustmark/get-credential-trustmark.js.map

@@ -0,0 +1 @@
+{"version":3,"names":["_ioReactNativeJwt","require","WalletInstanceAttestation","_interopRequireWildcard","_errors","_string","_getRequireWildcardCache","nodeInterop","WeakMap","cacheBabelInterop","cacheNodeInterop","obj","__esModule","default","cache","has","get","newObj","hasPropertyDescriptor","Object","defineProperty","getOwnPropertyDescriptor","key","prototype","hasOwnProperty","call","desc","set","getCredentialTrustmark","_ref","walletInstanceAttestation","wiaCryptoContext","credentialType","docNumber","expirationTime","holderBindingKey","getPublicKey","decodedWia","decode","wiaThumbprint","thumbprint","payload","cnf","jwk","cryptoContextThumbprint","IoWalletError","signedTrustmarkJwt","SignJWT","setProtectedHeader","alg","setPayload","iss","sub","subtyp","obfuscateString","setIssuedAt","setExpirationTime","sign","decodedTrustmark","decodeJwt","jwt","exp","exports"],"sourceRoot":"../../../../src","sources":["credential/trustmark/get-credential-trustmark.ts"],"mappings":";;;;;;AAAA,IAAAA,iBAAA,GAAAC,OAAA;AAMA,IAAAC,yBAAA,GAAAC,uBAAA,CAAAF,OAAA;AACA,IAAAG,OAAA,GAAAH,OAAA;AACA,IAAAI,OAAA,GAAAJ,OAAA;AAAqD,SAAAK,yBAAAC,WAAA,eAAAC,OAAA,kCAAAC,iBAAA,OAAAD,OAAA,QAAAE,gBAAA,OAAAF,OAAA,YAAAF,wBAAA,YAAAA,CAAAC,WAAA,WAAAA,WAAA,GAAAG,gBAAA,GAAAD,iBAAA,KAAAF,WAAA;AAAA,SAAAJ,wBAAAQ,GAAA,EAAAJ,WAAA,SAAAA,WAAA,IAAAI,GAAA,IAAAA,GAAA,CAAAC,UAAA,WAAAD,GAAA,QAAAA,GAAA,oBAAAA,GAAA,wBAAAA,GAAA,4BAAAE,OAAA,EAAAF,GAAA,UAAAG,KAAA,GAAAR,wBAAA,CAAAC,WAAA,OAAAO,KAAA,IAAAA,KAAA,CAAAC,GAAA,CAAAJ,GAAA,YAAAG,KAAA,CAAAE,GAAA,CAAAL,GAAA,SAAAM,MAAA,WAAAC,qBAAA,GAAAC,MAAA,CAAAC,cAAA,IAAAD,MAAA,CAAAE,wBAAA,WAAAC,GAAA,IAAAX,GAAA,QAAAW,GAAA,kBAAAH,MAAA,CAAAI,SAAA,CAAAC,cAAA,CAAAC,IAAA,CAAAd,GAAA,EAAAW,GAAA,SAAAI,IAAA,GAAAR,qBAAA,GAAAC,MAAA,CAAAE,wBAAA,CAAAV,GAAA,EAAAW,GAAA,cAAAI,IAAA,KAAAA,IAAA,CAAAV,GAAA,IAAAU,IAAA,CAAAC,GAAA,KAAAR,MAAA,CAAAC,cAAA,CAAAH,MAAA,EAAAK,GAAA,EAAAI,IAAA,YAAAT,MAAA,CAAAK,GAAA,IAAAX,GAAA,CAAAW,GAAA,SAAAL,MAAA,CAAAJ,OAAA,GAAAF,GAAA,MAAAG,KAAA,IAAAA,KAAA,CAAAa,GAAA,CAAAhB,GAAA,EAAAM,MAAA,YAAAA,MAAA;AAoCrD;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACO,MAAMW,sBAAiD,GAAG,MAAAC,IAAA,IAM3D;EAAA,IANkE;IACtEC,yBAAyB;IACzBC,gBAAgB;IAChBC,cAAc;IACdC,SAAS;IACTC,cAAc,GAAG;EACnB,CAAC,GAAAL,IAAA;EACC;AACF;AACA;EACE,MAAMM,gBAAgB,GAAG,MAAMJ,gBAAgB,CAACK,YAAY,CAAC,CAAC;EAC9D,MAAMC,UAAU,GAAGnC,yBAAyB,CAACoC,MAAM,CACjDR,yBACF,CAAC;;EAED;AACF;AACA;EACE,MAAMS,aAAa,GAAG,MAAM,IAAAC,4BAAU,EAACH,UAAU,CAACI,OAAO,CAACC,GAAG,CAACC,GAAG,CAAC;EAClE,MAAMC,uBAAuB,GAAG,MAAM,IAAAJ,4BAAU,EAACL,gBAAgB,CAAC;EAElE,IAAII,aAAa,KAAKK,uBAAuB,EAAE;IAC7C,MAAM,IAAIC,qBAAa,CACpB,gFAA+ED,uBAAwB,UAASL,aAAc,EACjI,CAAC;EACH;;EAEA;AACF;AACA;EACE,MAAMO,kBAAkB,GAAG,MAAM,IAAIC,yBAAO,CAAChB,gBAAgB,CAAC,CAC3DiB,kBAAkB,CAAC;IAClBC,GAAG,EAAE;EACP,CAAC,CAAC,CACDC,UAAU,CAAC;IACVC,GAAG,EAAErB,yBAAyB;IAC9BsB,GAAG,EAAEpB,cAAc;IACnB;AACN;AACA;IACM,IAAIC,SAAS,GAAG;MAAEoB,MAAM,EAAE,IAAAC,uBAAe,EAACrB,SAAS;IAAE,CAAC,GAAG,CAAC,CAAC;EAC7D,CAAC,CAAC,CACDsB,WAAW,CAAC,CAAC,CACbC,iBAAiB,CAACtB,cAAc,CAAC,CACjCuB,IAAI,CAAC,CAAC;EAET,MAAMC,gBAAgB,GAAG,IAAAC,wBAAS,EAACb,kBAAkB,CAAC;EAEtD,OAAO;IACLc,GAAG,EAAEd,kBAAkB;IACvBZ,cAAc,EAAEwB,gBAAgB,CAACjB,OAAO,CAACoB,GAAG,IAAI;EAClD,CAAC;AACH,CAAC;AAACC,OAAA,CAAAlC,sBAAA,GAAAA,sBAAA"}

package/lib/commonjs/credential/trustmark/index.js

@@ -0,0 +1,13 @@
+"use strict";
+
+Object.defineProperty(exports, "__esModule", {
+  value: true
+});
+Object.defineProperty(exports, "getCredentialTrustmark", {
+  enumerable: true,
+  get: function () {
+    return _getCredentialTrustmark.getCredentialTrustmark;
+  }
+});
+var _getCredentialTrustmark = require("./get-credential-trustmark");
+//# sourceMappingURL=index.js.map

package/lib/commonjs/credential/trustmark/index.js.map

@@ -0,0 +1 @@
+{"version":3,"names":["_getCredentialTrustmark","require"],"sourceRoot":"../../../../src","sources":["credential/trustmark/index.ts"],"mappings":";;;;;;;;;;;AAAA,IAAAA,uBAAA,GAAAC,OAAA"}

package/lib/commonjs/utils/string.js

@@ -0,0 +1,50 @@
+"use strict";
+
+Object.defineProperty(exports, "__esModule", {
+  value: true
+});
+exports.obfuscateString = void 0;
+/**
+ * Randomly obfuscates characters in a string by replacing them with a specified character.
+ *
+ * @example
+ * ```ts
+ * const value = "1234567890";
+ * const obfuscated = obfuscateString(value, 60, "*");
+ * // Could output: "12**5*78**"
+ * ```
+ *
+ * @param value - The input string to obfuscate
+ * @param percentage - Percentage of characters to obfuscate (0-100). Defaults to 60
+ * @param obfuscatedChar - Character used for obfuscation. Defaults to "*"
+ * @returns The obfuscated string with random characters replaced
+ */
+const obfuscateString = function (value) {
+  let percentage = arguments.length > 1 && arguments[1] !== undefined ? arguments[1] : 60;
+  let obfuscatedChar = arguments.length > 2 && arguments[2] !== undefined ? arguments[2] : "*";
+  if (!value) {
+    return "";
+  }
+
+  // Ensure percentage is between 0 and 100
+  const safePercentage = Math.max(0, Math.min(100, percentage));
+
+  // Calculate number of characters to obfuscate
+  const charsToObfuscate = Math.floor(value.length * safePercentage / 100);
+
+  // Convert string to array for manipulation
+  const chars = value.split("");
+
+  // Get random positions to obfuscate
+  const positions = Array.from({
+    length: value.length
+  }, (_, i) => i).sort(() => Math.random() - 0.5).slice(0, charsToObfuscate);
+
+  // Replace characters at random positions
+  positions.forEach(pos => {
+    chars[pos] = obfuscatedChar;
+  });
+  return chars.join("");
+};
+exports.obfuscateString = obfuscateString;
+//# sourceMappingURL=string.js.map

package/lib/commonjs/utils/string.js.map

@@ -0,0 +1 @@
+{"version":3,"names":["obfuscateString","value","percentage","arguments","length","undefined","obfuscatedChar","safePercentage","Math","max","min","charsToObfuscate","floor","chars","split","positions","Array","from","_","i","sort","random","slice","forEach","pos","join","exports"],"sourceRoot":"../../../src","sources":["utils/string.ts"],"mappings":";;;;;;AAAA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACO,MAAMA,eAAe,GAAG,SAAAA,CAC7BC,KAAa,EAGF;EAAA,IAFXC,UAAkB,GAAAC,SAAA,CAAAC,MAAA,QAAAD,SAAA,QAAAE,SAAA,GAAAF,SAAA,MAAG,EAAE;EAAA,IACvBG,cAAsB,GAAAH,SAAA,CAAAC,MAAA,QAAAD,SAAA,QAAAE,SAAA,GAAAF,SAAA,MAAG,GAAG;EAE5B,IAAI,CAACF,KAAK,EAAE;IACV,OAAO,EAAE;EACX;;EAEA;EACA,MAAMM,cAAc,GAAGC,IAAI,CAACC,GAAG,CAAC,CAAC,EAAED,IAAI,CAACE,GAAG,CAAC,GAAG,EAAER,UAAU,CAAC,CAAC;;EAE7D;EACA,MAAMS,gBAAgB,GAAGH,IAAI,CAACI,KAAK,CAAEX,KAAK,CAACG,MAAM,GAAGG,cAAc,GAAI,GAAG,CAAC;;EAE1E;EACA,MAAMM,KAAK,GAAGZ,KAAK,CAACa,KAAK,CAAC,EAAE,CAAC;;EAE7B;EACA,MAAMC,SAAS,GAAGC,KAAK,CAACC,IAAI,CAAC;IAAEb,MAAM,EAAEH,KAAK,CAACG;EAAO,CAAC,EAAE,CAACc,CAAC,EAAEC,CAAC,KAAKA,CAAC,CAAC,CAChEC,IAAI,CAAC,MAAMZ,IAAI,CAACa,MAAM,CAAC,CAAC,GAAG,GAAG,CAAC,CAC/BC,KAAK,CAAC,CAAC,EAAEX,gBAAgB,CAAC;;EAE7B;EACAI,SAAS,CAACQ,OAAO,CAAEC,GAAG,IAAK;IACzBX,KAAK,CAACW,GAAG,CAAC,GAAGlB,cAAc;EAC7B,CAAC,CAAC;EAEF,OAAOO,KAAK,CAACY,IAAI,CAAC,EAAE,CAAC;AACvB,CAAC;AAACC,OAAA,CAAA1B,eAAA,GAAAA,eAAA"}

package/lib/module/credential/index.js

@@ -1,5 +1,6 @@
 import * as Issuance from "./issuance";
 import * as Presentation from "./presentation";
 import * as Status from "./status";
-export { Issuance, Presentation, Status };
+import * as Trustmark from "./trustmark";
+export { Issuance, Presentation, Status, Trustmark };
 //# sourceMappingURL=index.js.map

package/lib/module/credential/index.js.map

@@ -1 +1 @@
-{"version":3,"names":["Issuance","Presentation","Status"],"sourceRoot":"../../../src","sources":["credential/index.ts"],"mappings":"AAAA,OAAO,KAAKA,QAAQ,MAAM,YAAY;AACtC,OAAO,KAAKC,YAAY,MAAM,gBAAgB;AAC9C,OAAO,KAAKC,MAAM,MAAM,UAAU;AAElC,SAASF,QAAQ,EAAEC,YAAY,EAAEC,MAAM"}
+{"version":3,"names":["Issuance","Presentation","Status","Trustmark"],"sourceRoot":"../../../src","sources":["credential/index.ts"],"mappings":"AAAA,OAAO,KAAKA,QAAQ,MAAM,YAAY;AACtC,OAAO,KAAKC,YAAY,MAAM,gBAAgB;AAC9C,OAAO,KAAKC,MAAM,MAAM,UAAU;AAClC,OAAO,KAAKC,SAAS,MAAM,aAAa;AAExC,SAASH,QAAQ,EAAEC,YAAY,EAAEC,MAAM,EAAEC,SAAS"}

package/lib/module/credential/trustmark/README.md

@@ -0,0 +1,62 @@
+# Credential Trustmark
+
+A credential TrustMark is a signed JWT that verifies the authenticity of a credential issued by a trusted source. It serves as proof that a credential is valid and linked to a specific wallet instance.
+The TrustMark is often presented as a QR code, containing cryptographic data to ensure it hasn't been tampered with. It includes fields like issuer, issuance and expiration timestamps, and credential-specific details. TrustMarks have a short validity period and are used to enhance security and prevent misuse, such as QR code swapping.
+
+### getCredentialTrustmark
+
+A function that generates a signed JWT Trustmark to verify the authenticity of a digital credential. The Trustmark serves as a cryptographic proof linking a credential to a specific wallet instance, ensuring the credential's validity and preventing unauthorized modifications or misuse.
+
+#### Signature
+
+```typescript
+function getCredentialTrustmark({
+  walletInstanceAttestation: string,
+  wiaCryptoContext: CryptoContext,
+  credentialType: string,
+  docNumber?: string,
+  expirationTime?: number | string
+}): Promise<{
+  jwt: string,
+  expirationTime: number
+}>
+```
+
+#### Parameters
+| Parameter | Type | Required | Description |
+|-----------|------|----------|-------------|
+| walletInstanceAttestation | string | Yes | A base64-encoded string containing the Wallet Instance Attestation (WIA). This attestation proves the authenticity of the wallet instance. |
+| wiaCryptoContext | CryptoContext | Yes | The cryptographic context associated with the wallet instance. Must contain the same key pair used to generate the WIA. |
+| credentialType | string | Yes | Identifier for the type of credential (e.g., "MDL" for Mobile Driver's License). |
+| docNumber | string | No | The document number of the credential. If provided, it will be obfuscated in the Trustmark for privacy. |
+| expirationTime | number \| string | No | Specifies when the Trustmark expires. Can be either:<br>- A timestamp in seconds<br>- A time span string (e.g., "2m" for 2 minutes)<br>Default: "2m" |
+
+#### Return Value
+
+Returns a Promise that resolves to an object containing:
+| Property | Type | Description |
+|----------|------|-------------|
+| jwt | string | The signed trustmark JWT string |
+| expirationTime | number | The expiration timestamp of the JWT in seconds |
+
+## Example
+
+```typescript
+// Required inputs
+const walletInstanceAttestation = "base64AttestationString";
+const credentialType = "MDL"; // Credential type (e.g., Mobile Driver's License)
+const documentNumber = "AB123456"; // Optional document number
+const cryptoContext = createCryptoContextFor("wiaKeyTag"); // Sample crypto context
+
+// Generate the TrustMark JWT
+const { jwt, expirationTime } = await getCredentialTrustmark({
+  walletInstanceAttestation: "eyJ0eXAi...", // WIA JWT
+  wiaCryptoContext: cryptoContext,
+  credentialType: "IdentityCard",
+  docNumber: "AB123456",
+  expirationTime: "5m", // 5 minutes
+});
+
+console.log("Generated TrustMark JWT:", jwt);
+console.log("Expires at:", new Date(expirationTime * 1000));
+```

package/lib/module/credential/trustmark/get-credential-trustmark.js

@@ -0,0 +1,63 @@
+import { SignJWT, thumbprint, decode as decodeJwt } from "@pagopa/io-react-native-jwt";
+import * as WalletInstanceAttestation from "../../wallet-instance-attestation";
+import { IoWalletError } from "../../utils/errors";
+import { obfuscateString } from "../../utils/string";
+/**
+ * Generates a trustmark signed JWT, which is used to verify the authenticity of a credential.
+ * The public key used to sign the trustmark must the same used for the Wallet Instance Attestation.
+ *
+ * @param walletInstanceAttestation the Wallet Instance's attestation
+ * @param wiaCryptoContext The Wallet Instance's crypto context associated with the walletInstanceAttestation parameter
+ * @param credentialType The type of credential for which the trustmark is generated
+ * @param docNumber (Optional) Document number contained in the credential, if applicable
+ * @param expirationTime (Optional) Expiration time for the trustmark, default is 2 minutes.
+ * If a number is provided, it is interpreted as a timestamp in seconds.
+ * If a string is provided, it is interpreted as a time span and added to the current timestamp.
+ * @throws {IoWalletError} If the public key associated to the WIA is not the same for the CryptoContext
+ * @returns A promise containing the signed JWT and its expiration time in seconds
+ */
+export const getCredentialTrustmark = async _ref => {
+  let {
+    walletInstanceAttestation,
+    wiaCryptoContext,
+    credentialType,
+    docNumber,
+    expirationTime = "2m"
+  } = _ref;
+  /**
+   * Check that the public key used to sign the trustmark is the one used for the WIA
+   */
+  const holderBindingKey = await wiaCryptoContext.getPublicKey();
+  const decodedWia = WalletInstanceAttestation.decode(walletInstanceAttestation);
+
+  /**
+   * Verify holder binding by comparing thumbprints of the WIA and the CryptoContext key
+   */
+  const wiaThumbprint = await thumbprint(decodedWia.payload.cnf.jwk);
+  const cryptoContextThumbprint = await thumbprint(holderBindingKey);
+  if (wiaThumbprint !== cryptoContextThumbprint) {
+    throw new IoWalletError(`Failed to verify holder binding for status attestation, expected thumbprint: ${cryptoContextThumbprint}, got: ${wiaThumbprint}`);
+  }
+
+  /**
+   * Generate Trustmark signed JWT
+   */
+  const signedTrustmarkJwt = await new SignJWT(wiaCryptoContext).setProtectedHeader({
+    alg: "ES256"
+  }).setPayload({
+    iss: walletInstanceAttestation,
+    sub: credentialType,
+    /**
+     * If present, the document number is obfuscated before adding it to the payload
+     */
+    ...(docNumber ? {
+      subtyp: obfuscateString(docNumber)
+    } : {})
+  }).setIssuedAt().setExpirationTime(expirationTime).sign();
+  const decodedTrustmark = decodeJwt(signedTrustmarkJwt);
+  return {
+    jwt: signedTrustmarkJwt,
+    expirationTime: decodedTrustmark.payload.exp ?? 0
+  };
+};
+//# sourceMappingURL=get-credential-trustmark.js.map

package/lib/module/credential/trustmark/get-credential-trustmark.js.map

@@ -0,0 +1 @@
+{"version":3,"names":["SignJWT","thumbprint","decode","decodeJwt","WalletInstanceAttestation","IoWalletError","obfuscateString","getCredentialTrustmark","_ref","walletInstanceAttestation","wiaCryptoContext","credentialType","docNumber","expirationTime","holderBindingKey","getPublicKey","decodedWia","wiaThumbprint","payload","cnf","jwk","cryptoContextThumbprint","signedTrustmarkJwt","setProtectedHeader","alg","setPayload","iss","sub","subtyp","setIssuedAt","setExpirationTime","sign","decodedTrustmark","jwt","exp"],"sourceRoot":"../../../../src","sources":["credential/trustmark/get-credential-trustmark.ts"],"mappings":"AAAA,SACEA,OAAO,EACPC,UAAU,EAEVC,MAAM,IAAIC,SAAS,QACd,6BAA6B;AACpC,OAAO,KAAKC,yBAAyB,MAAM,mCAAmC;AAC9E,SAASC,aAAa,QAAQ,oBAAoB;AAClD,SAASC,eAAe,QAAQ,oBAAoB;AAoCpD;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,MAAMC,sBAAiD,GAAG,MAAAC,IAAA,IAM3D;EAAA,IANkE;IACtEC,yBAAyB;IACzBC,gBAAgB;IAChBC,cAAc;IACdC,SAAS;IACTC,cAAc,GAAG;EACnB,CAAC,GAAAL,IAAA;EACC;AACF;AACA;EACE,MAAMM,gBAAgB,GAAG,MAAMJ,gBAAgB,CAACK,YAAY,CAAC,CAAC;EAC9D,MAAMC,UAAU,GAAGZ,yBAAyB,CAACF,MAAM,CACjDO,yBACF,CAAC;;EAED;AACF;AACA;EACE,MAAMQ,aAAa,GAAG,MAAMhB,UAAU,CAACe,UAAU,CAACE,OAAO,CAACC,GAAG,CAACC,GAAG,CAAC;EAClE,MAAMC,uBAAuB,GAAG,MAAMpB,UAAU,CAACa,gBAAgB,CAAC;EAElE,IAAIG,aAAa,KAAKI,uBAAuB,EAAE;IAC7C,MAAM,IAAIhB,aAAa,CACpB,gFAA+EgB,uBAAwB,UAASJ,aAAc,EACjI,CAAC;EACH;;EAEA;AACF;AACA;EACE,MAAMK,kBAAkB,GAAG,MAAM,IAAItB,OAAO,CAACU,gBAAgB,CAAC,CAC3Da,kBAAkB,CAAC;IAClBC,GAAG,EAAE;EACP,CAAC,CAAC,CACDC,UAAU,CAAC;IACVC,GAAG,EAAEjB,yBAAyB;IAC9BkB,GAAG,EAAEhB,cAAc;IACnB;AACN;AACA;IACM,IAAIC,SAAS,GAAG;MAAEgB,MAAM,EAAEtB,eAAe,CAACM,SAAS;IAAE,CAAC,GAAG,CAAC,CAAC;EAC7D,CAAC,CAAC,CACDiB,WAAW,CAAC,CAAC,CACbC,iBAAiB,CAACjB,cAAc,CAAC,CACjCkB,IAAI,CAAC,CAAC;EAET,MAAMC,gBAAgB,GAAG7B,SAAS,CAACmB,kBAAkB,CAAC;EAEtD,OAAO;IACLW,GAAG,EAAEX,kBAAkB;IACvBT,cAAc,EAAEmB,gBAAgB,CAACd,OAAO,CAACgB,GAAG,IAAI;EAClD,CAAC;AACH,CAAC"}

package/lib/module/credential/trustmark/index.js

@@ -0,0 +1,3 @@
+import { getCredentialTrustmark } from "./get-credential-trustmark";
+export { getCredentialTrustmark };
+//# sourceMappingURL=index.js.map

package/lib/module/credential/trustmark/index.js.map

@@ -0,0 +1 @@
+{"version":3,"names":["getCredentialTrustmark"],"sourceRoot":"../../../../src","sources":["credential/trustmark/index.ts"],"mappings":"AAAA,SAEEA,sBAAsB,QACjB,4BAA4B;AAEnC,SAASA,sBAAsB"}

package/lib/module/utils/string.js

@@ -0,0 +1,43 @@
+/**
+ * Randomly obfuscates characters in a string by replacing them with a specified character.
+ *
+ * @example
+ * ```ts
+ * const value = "1234567890";
+ * const obfuscated = obfuscateString(value, 60, "*");
+ * // Could output: "12**5*78**"
+ * ```
+ *
+ * @param value - The input string to obfuscate
+ * @param percentage - Percentage of characters to obfuscate (0-100). Defaults to 60
+ * @param obfuscatedChar - Character used for obfuscation. Defaults to "*"
+ * @returns The obfuscated string with random characters replaced
+ */
+export const obfuscateString = function (value) {
+  let percentage = arguments.length > 1 && arguments[1] !== undefined ? arguments[1] : 60;
+  let obfuscatedChar = arguments.length > 2 && arguments[2] !== undefined ? arguments[2] : "*";
+  if (!value) {
+    return "";
+  }
+
+  // Ensure percentage is between 0 and 100
+  const safePercentage = Math.max(0, Math.min(100, percentage));
+
+  // Calculate number of characters to obfuscate
+  const charsToObfuscate = Math.floor(value.length * safePercentage / 100);
+
+  // Convert string to array for manipulation
+  const chars = value.split("");
+
+  // Get random positions to obfuscate
+  const positions = Array.from({
+    length: value.length
+  }, (_, i) => i).sort(() => Math.random() - 0.5).slice(0, charsToObfuscate);
+
+  // Replace characters at random positions
+  positions.forEach(pos => {
+    chars[pos] = obfuscatedChar;
+  });
+  return chars.join("");
+};
+//# sourceMappingURL=string.js.map

package/lib/module/utils/string.js.map

@@ -0,0 +1 @@
+{"version":3,"names":["obfuscateString","value","percentage","arguments","length","undefined","obfuscatedChar","safePercentage","Math","max","min","charsToObfuscate","floor","chars","split","positions","Array","from","_","i","sort","random","slice","forEach","pos","join"],"sourceRoot":"../../../src","sources":["utils/string.ts"],"mappings":"AAAA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,MAAMA,eAAe,GAAG,SAAAA,CAC7BC,KAAa,EAGF;EAAA,IAFXC,UAAkB,GAAAC,SAAA,CAAAC,MAAA,QAAAD,SAAA,QAAAE,SAAA,GAAAF,SAAA,MAAG,EAAE;EAAA,IACvBG,cAAsB,GAAAH,SAAA,CAAAC,MAAA,QAAAD,SAAA,QAAAE,SAAA,GAAAF,SAAA,MAAG,GAAG;EAE5B,IAAI,CAACF,KAAK,EAAE;IACV,OAAO,EAAE;EACX;;EAEA;EACA,MAAMM,cAAc,GAAGC,IAAI,CAACC,GAAG,CAAC,CAAC,EAAED,IAAI,CAACE,GAAG,CAAC,GAAG,EAAER,UAAU,CAAC,CAAC;;EAE7D;EACA,MAAMS,gBAAgB,GAAGH,IAAI,CAACI,KAAK,CAAEX,KAAK,CAACG,MAAM,GAAGG,cAAc,GAAI,GAAG,CAAC;;EAE1E;EACA,MAAMM,KAAK,GAAGZ,KAAK,CAACa,KAAK,CAAC,EAAE,CAAC;;EAE7B;EACA,MAAMC,SAAS,GAAGC,KAAK,CAACC,IAAI,CAAC;IAAEb,MAAM,EAAEH,KAAK,CAACG;EAAO,CAAC,EAAE,CAACc,CAAC,EAAEC,CAAC,KAAKA,CAAC,CAAC,CAChEC,IAAI,CAAC,MAAMZ,IAAI,CAACa,MAAM,CAAC,CAAC,GAAG,GAAG,CAAC,CAC/BC,KAAK,CAAC,CAAC,EAAEX,gBAAgB,CAAC;;EAE7B;EACAI,SAAS,CAACQ,OAAO,CAAEC,GAAG,IAAK;IACzBX,KAAK,CAACW,GAAG,CAAC,GAAGlB,cAAc;EAC7B,CAAC,CAAC;EAEF,OAAOO,KAAK,CAACY,IAAI,CAAC,EAAE,CAAC;AACvB,CAAC"}

package/lib/typescript/credential/index.d.ts

@@ -1,5 +1,6 @@
 import * as Issuance from "./issuance";
 import * as Presentation from "./presentation";
 import * as Status from "./status";
-export { Issuance, Presentation, Status };
+import * as Trustmark from "./trustmark";
+export { Issuance, Presentation, Status, Trustmark };
 //# sourceMappingURL=index.d.ts.map

package/lib/typescript/credential/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/credential/index.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,QAAQ,MAAM,YAAY,CAAC;AACvC,OAAO,KAAK,YAAY,MAAM,gBAAgB,CAAC;AAC/C,OAAO,KAAK,MAAM,MAAM,UAAU,CAAC;AAEnC,OAAO,EAAE,QAAQ,EAAE,YAAY,EAAE,MAAM,EAAE,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/credential/index.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,QAAQ,MAAM,YAAY,CAAC;AACvC,OAAO,KAAK,YAAY,MAAM,gBAAgB,CAAC;AAC/C,OAAO,KAAK,MAAM,MAAM,UAAU,CAAC;AACnC,OAAO,KAAK,SAAS,MAAM,aAAa,CAAC;AAEzC,OAAO,EAAE,QAAQ,EAAE,YAAY,EAAE,MAAM,EAAE,SAAS,EAAE,CAAC"}

package/lib/typescript/credential/trustmark/get-credential-trustmark.d.ts

@@ -0,0 +1,50 @@
+import { type CryptoContext } from "@pagopa/io-react-native-jwt";
+export type GetCredentialTrustmarkJwt = (params: {
+    /**
+     * The Wallet Instance's attestation
+     */
+    walletInstanceAttestation: string;
+    /**
+     * The Wallet Instance's crypto context associated with the walletInstanceAttestation parameter
+     */
+    wiaCryptoContext: CryptoContext;
+    /**
+     * The type of credential for which the trustmark is generated
+     */
+    credentialType: string;
+    /**
+     * (Optional) Document number contained in the credential, if applicable
+     */
+    docNumber?: string;
+    /**
+     * (Optional) Expiration time for the trustmark, default is 2 minutes.
+     * If a number is provided, it is interpreted as a timestamp in seconds.
+     * If a string is provided, it is interpreted as a time span and added to the current timestamp.
+     */
+    expirationTime?: number | string;
+}) => Promise<{
+    /**
+     * The signed JWT
+     */
+    jwt: string;
+    /**
+     * The expiration time of the JWT in seconds
+     */
+    expirationTime: number;
+}>;
+/**
+ * Generates a trustmark signed JWT, which is used to verify the authenticity of a credential.
+ * The public key used to sign the trustmark must the same used for the Wallet Instance Attestation.
+ *
+ * @param walletInstanceAttestation the Wallet Instance's attestation
+ * @param wiaCryptoContext The Wallet Instance's crypto context associated with the walletInstanceAttestation parameter
+ * @param credentialType The type of credential for which the trustmark is generated
+ * @param docNumber (Optional) Document number contained in the credential, if applicable
+ * @param expirationTime (Optional) Expiration time for the trustmark, default is 2 minutes.
+ * If a number is provided, it is interpreted as a timestamp in seconds.
+ * If a string is provided, it is interpreted as a time span and added to the current timestamp.
+ * @throws {IoWalletError} If the public key associated to the WIA is not the same for the CryptoContext
+ * @returns A promise containing the signed JWT and its expiration time in seconds
+ */
+export declare const getCredentialTrustmark: GetCredentialTrustmarkJwt;
+//# sourceMappingURL=get-credential-trustmark.d.ts.map

package/lib/typescript/credential/trustmark/get-credential-trustmark.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"get-credential-trustmark.d.ts","sourceRoot":"","sources":["../../../../src/credential/trustmark/get-credential-trustmark.ts"],"names":[],"mappings":"AAAA,OAAO,EAGL,KAAK,aAAa,EAEnB,MAAM,6BAA6B,CAAC;AAKrC,MAAM,MAAM,yBAAyB,GAAG,CAAC,MAAM,EAAE;IAC/C;;OAEG;IACH,yBAAyB,EAAE,MAAM,CAAC;IAClC;;OAEG;IACH,gBAAgB,EAAE,aAAa,CAAC;IAChC;;OAEG;IACH,cAAc,EAAE,MAAM,CAAC;IACvB;;OAEG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB;;;;OAIG;IACH,cAAc,CAAC,EAAE,MAAM,GAAG,MAAM,CAAC;CAClC,KAAK,OAAO,CAAC;IACZ;;OAEG;IACH,GAAG,EAAE,MAAM,CAAC;IACZ;;OAEG;IACH,cAAc,EAAE,MAAM,CAAC;CACxB,CAAC,CAAC;AAEH;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,sBAAsB,EAAE,yBAoDpC,CAAC"}

package/lib/typescript/credential/trustmark/index.d.ts

@@ -0,0 +1,4 @@
+import { type GetCredentialTrustmarkJwt, getCredentialTrustmark } from "./get-credential-trustmark";
+export { getCredentialTrustmark };
+export type { GetCredentialTrustmarkJwt };
+//# sourceMappingURL=index.d.ts.map

package/lib/typescript/credential/trustmark/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../src/credential/trustmark/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,KAAK,yBAAyB,EAC9B,sBAAsB,EACvB,MAAM,4BAA4B,CAAC;AAEpC,OAAO,EAAE,sBAAsB,EAAE,CAAC;AAElC,YAAY,EAAE,yBAAyB,EAAE,CAAC"}

package/lib/typescript/utils/string.d.ts

@@ -0,0 +1,17 @@
+/**
+ * Randomly obfuscates characters in a string by replacing them with a specified character.
+ *
+ * @example
+ * ```ts
+ * const value = "1234567890";
+ * const obfuscated = obfuscateString(value, 60, "*");
+ * // Could output: "12**5*78**"
+ * ```
+ *
+ * @param value - The input string to obfuscate
+ * @param percentage - Percentage of characters to obfuscate (0-100). Defaults to 60
+ * @param obfuscatedChar - Character used for obfuscation. Defaults to "*"
+ * @returns The obfuscated string with random characters replaced
+ */
+export declare const obfuscateString: (value: string, percentage?: number, obfuscatedChar?: string) => string;
+//# sourceMappingURL=string.d.ts.map

package/lib/typescript/utils/string.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"string.d.ts","sourceRoot":"","sources":["../../../src/utils/string.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AACH,eAAO,MAAM,eAAe,UACnB,MAAM,eACD,MAAM,mBACF,MAAM,KACrB,MAyBF,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pagopa/io-react-native-wallet",
-  "version": "0.22.0",
+  "version": "0.24.0",
   "description": "Provide data structures, helpers and API for IO Wallet",
   "main": "lib/commonjs/index",
   "module": "lib/module/index",
@@ -55,7 +55,7 @@
   "devDependencies": {
     "@pagopa/eslint-config": "^3.0.0",
     "@pagopa/io-react-native-crypto": "^0.2.3",
-    "@pagopa/io-react-native-jwt": "^1.2.0",
+    "@pagopa/io-react-native-jwt": "^1.3.0",
     "@pagopa/react-native-cie": "^1.3.0",
     "@react-native/eslint-config": "^0.72.2",
     "@rushstack/eslint-patch": "^1.3.2",

package/src/credential/index.ts

@@ -1,5 +1,6 @@
 import * as Issuance from "./issuance";
 import * as Presentation from "./presentation";
 import * as Status from "./status";
+import * as Trustmark from "./trustmark";
 
-export { Issuance, Presentation, Status };
+export { Issuance, Presentation, Status, Trustmark };

package/src/credential/trustmark/README.md

@@ -0,0 +1,62 @@
+# Credential Trustmark
+
+A credential TrustMark is a signed JWT that verifies the authenticity of a credential issued by a trusted source. It serves as proof that a credential is valid and linked to a specific wallet instance.
+The TrustMark is often presented as a QR code, containing cryptographic data to ensure it hasn't been tampered with. It includes fields like issuer, issuance and expiration timestamps, and credential-specific details. TrustMarks have a short validity period and are used to enhance security and prevent misuse, such as QR code swapping.
+
+### getCredentialTrustmark
+
+A function that generates a signed JWT Trustmark to verify the authenticity of a digital credential. The Trustmark serves as a cryptographic proof linking a credential to a specific wallet instance, ensuring the credential's validity and preventing unauthorized modifications or misuse.
+
+#### Signature
+
+```typescript
+function getCredentialTrustmark({
+  walletInstanceAttestation: string,
+  wiaCryptoContext: CryptoContext,
+  credentialType: string,
+  docNumber?: string,
+  expirationTime?: number | string
+}): Promise<{
+  jwt: string,
+  expirationTime: number
+}>
+```
+
+#### Parameters
+| Parameter | Type | Required | Description |
+|-----------|------|----------|-------------|
+| walletInstanceAttestation | string | Yes | A base64-encoded string containing the Wallet Instance Attestation (WIA). This attestation proves the authenticity of the wallet instance. |
+| wiaCryptoContext | CryptoContext | Yes | The cryptographic context associated with the wallet instance. Must contain the same key pair used to generate the WIA. |
+| credentialType | string | Yes | Identifier for the type of credential (e.g., "MDL" for Mobile Driver's License). |
+| docNumber | string | No | The document number of the credential. If provided, it will be obfuscated in the Trustmark for privacy. |
+| expirationTime | number \| string | No | Specifies when the Trustmark expires. Can be either:<br>- A timestamp in seconds<br>- A time span string (e.g., "2m" for 2 minutes)<br>Default: "2m" |
+
+#### Return Value
+
+Returns a Promise that resolves to an object containing:
+| Property | Type | Description |
+|----------|------|-------------|
+| jwt | string | The signed trustmark JWT string |
+| expirationTime | number | The expiration timestamp of the JWT in seconds |
+
+## Example
+
+```typescript
+// Required inputs
+const walletInstanceAttestation = "base64AttestationString";
+const credentialType = "MDL"; // Credential type (e.g., Mobile Driver's License)
+const documentNumber = "AB123456"; // Optional document number
+const cryptoContext = createCryptoContextFor("wiaKeyTag"); // Sample crypto context
+
+// Generate the TrustMark JWT
+const { jwt, expirationTime } = await getCredentialTrustmark({
+  walletInstanceAttestation: "eyJ0eXAi...", // WIA JWT
+  wiaCryptoContext: cryptoContext,
+  credentialType: "IdentityCard",
+  docNumber: "AB123456",
+  expirationTime: "5m", // 5 minutes
+});
+
+console.log("Generated TrustMark JWT:", jwt);
+console.log("Expires at:", new Date(expirationTime * 1000));
+```

package/src/credential/trustmark/get-credential-trustmark.ts

@@ -0,0 +1,111 @@
+import {
+  SignJWT,
+  thumbprint,
+  type CryptoContext,
+  decode as decodeJwt,
+} from "@pagopa/io-react-native-jwt";
+import * as WalletInstanceAttestation from "../../wallet-instance-attestation";
+import { IoWalletError } from "../../utils/errors";
+import { obfuscateString } from "../../utils/string";
+
+export type GetCredentialTrustmarkJwt = (params: {
+  /**
+   * The Wallet Instance's attestation
+   */
+  walletInstanceAttestation: string;
+  /**
+   * The Wallet Instance's crypto context associated with the walletInstanceAttestation parameter
+   */
+  wiaCryptoContext: CryptoContext;
+  /**
+   * The type of credential for which the trustmark is generated
+   */
+  credentialType: string;
+  /**
+   * (Optional) Document number contained in the credential, if applicable
+   */
+  docNumber?: string;
+  /**
+   * (Optional) Expiration time for the trustmark, default is 2 minutes.
+   * If a number is provided, it is interpreted as a timestamp in seconds.
+   * If a string is provided, it is interpreted as a time span and added to the current timestamp.
+   */
+  expirationTime?: number | string;
+}) => Promise<{
+  /**
+   * The signed JWT
+   */
+  jwt: string;
+  /**
+   * The expiration time of the JWT in seconds
+   */
+  expirationTime: number;
+}>;
+
+/**
+ * Generates a trustmark signed JWT, which is used to verify the authenticity of a credential.
+ * The public key used to sign the trustmark must the same used for the Wallet Instance Attestation.
+ *
+ * @param walletInstanceAttestation the Wallet Instance's attestation
+ * @param wiaCryptoContext The Wallet Instance's crypto context associated with the walletInstanceAttestation parameter
+ * @param credentialType The type of credential for which the trustmark is generated
+ * @param docNumber (Optional) Document number contained in the credential, if applicable
+ * @param expirationTime (Optional) Expiration time for the trustmark, default is 2 minutes.
+ * If a number is provided, it is interpreted as a timestamp in seconds.
+ * If a string is provided, it is interpreted as a time span and added to the current timestamp.
+ * @throws {IoWalletError} If the public key associated to the WIA is not the same for the CryptoContext
+ * @returns A promise containing the signed JWT and its expiration time in seconds
+ */
+export const getCredentialTrustmark: GetCredentialTrustmarkJwt = async ({
+  walletInstanceAttestation,
+  wiaCryptoContext,
+  credentialType,
+  docNumber,
+  expirationTime = "2m",
+}) => {
+  /**
+   * Check that the public key used to sign the trustmark is the one used for the WIA
+   */
+  const holderBindingKey = await wiaCryptoContext.getPublicKey();
+  const decodedWia = WalletInstanceAttestation.decode(
+    walletInstanceAttestation
+  );
+
+  /**
+   * Verify holder binding by comparing thumbprints of the WIA and the CryptoContext key
+   */
+  const wiaThumbprint = await thumbprint(decodedWia.payload.cnf.jwk);
+  const cryptoContextThumbprint = await thumbprint(holderBindingKey);
+
+  if (wiaThumbprint !== cryptoContextThumbprint) {
+    throw new IoWalletError(
+      `Failed to verify holder binding for status attestation, expected thumbprint: ${cryptoContextThumbprint}, got: ${wiaThumbprint}`
+    );
+  }
+
+  /**
+   * Generate Trustmark signed JWT
+   */
+  const signedTrustmarkJwt = await new SignJWT(wiaCryptoContext)
+    .setProtectedHeader({
+      alg: "ES256",
+    })
+    .setPayload({
+      iss: walletInstanceAttestation,
+      sub: credentialType,
+      /**
+       * If present, the document number is obfuscated before adding it to the payload
+       */
+      ...(docNumber ? { subtyp: obfuscateString(docNumber) } : {}),
+    })
+    .setIssuedAt()
+    .setExpirationTime(expirationTime)
+    .sign();
+
+  const decodedTrustmark = decodeJwt(signedTrustmarkJwt);
+
+  return {
+    jwt: signedTrustmarkJwt,
+    expirationTime: decodedTrustmark.payload.exp ?? 0,
+  };
+};

package/src/credential/trustmark/index.ts

@@ -0,0 +1,8 @@
+import {
+  type GetCredentialTrustmarkJwt,
+  getCredentialTrustmark,
+} from "./get-credential-trustmark";
+
+export { getCredentialTrustmark };
+
+export type { GetCredentialTrustmarkJwt };

package/src/utils/string.ts

@@ -0,0 +1,45 @@
+/**
+ * Randomly obfuscates characters in a string by replacing them with a specified character.
+ *
+ * @example
+ * ```ts
+ * const value = "1234567890";
+ * const obfuscated = obfuscateString(value, 60, "*");
+ * // Could output: "12**5*78**"
+ * ```
+ *
+ * @param value - The input string to obfuscate
+ * @param percentage - Percentage of characters to obfuscate (0-100). Defaults to 60
+ * @param obfuscatedChar - Character used for obfuscation. Defaults to "*"
+ * @returns The obfuscated string with random characters replaced
+ */
+export const obfuscateString = (
+  value: string,
+  percentage: number = 60,
+  obfuscatedChar: string = "*"
+): string => {
+  if (!value) {
+    return "";
+  }
+
+  // Ensure percentage is between 0 and 100
+  const safePercentage = Math.max(0, Math.min(100, percentage));
+
+  // Calculate number of characters to obfuscate
+  const charsToObfuscate = Math.floor((value.length * safePercentage) / 100);
+
+  // Convert string to array for manipulation
+  const chars = value.split("");
+
+  // Get random positions to obfuscate
+  const positions = Array.from({ length: value.length }, (_, i) => i)
+    .sort(() => Math.random() - 0.5)
+    .slice(0, charsToObfuscate);
+
+  // Replace characters at random positions
+  positions.forEach((pos) => {
+    chars[pos] = obfuscatedChar;
+  });
+
+  return chars.join("");
+};