npm - @pagopa/io-react-native-wallet - Versions diffs - 0.27.0 → 1.1.0 - Mend

@pagopa/io-react-native-wallet 0.27.0 → 1.1.0

Files changed (289) hide show

package/lib/typescript/trust/index.d.ts.map DELETED Viewed

@@ -1 +0,0 @@

- {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/trust/index.ts"],"names":[],"mappings":"AACA,OAAO,EACL,iCAAiC,EACjC,8BAA8B,EAC9B,mCAAmC,EACnC,+BAA+B,EAC/B,mBAAmB,EACnB,eAAe,EAChB,MAAM,SAAS,CAAC;AACjB,OAAO,EAAE,kBAAkB,EAAmB,MAAM,SAAS,CAAC;AAG9D,YAAY,EACV,iCAAiC,EACjC,8BAA8B,EAC9B,mCAAmC,EACnC,+BAA+B,EAC/B,mBAAmB,EACnB,eAAe,GAChB,CAAC;AAEF;;;;;;;;;;GAUG;AACH,wBAAsB,gBAAgB,CACpC,iBAAiB,EAAE,8BAA8B,EACjD,KAAK,EAAE,MAAM,EAAE,EACf,EACE,QAAgB,EAChB,WAAkB,GACnB,GAAE;IAAE,QAAQ,CAAC,EAAE,WAAW,CAAC,OAAO,CAAC,CAAC;IAAC,WAAW,CAAC,EAAE,OAAO,CAAA;CAAO,GACjE,OAAO,CAAC,UAAU,CAAC,OAAO,kBAAkB,CAAC,CAAC,CAWhD;AAED;;;;;;GAMG;AACH,wBAAsB,4BAA4B,CAChD,aAAa,EAAE,MAAM,EACrB,EACE,QAAgB,GACjB,GAAE;IACD,QAAQ,CAAC,EAAE,WAAW,CAAC,OAAO,CAAC,CAAC;CAC5B,GACL,OAAO,CAAC,MAAM,CAAC,CAQjB;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,iBAAe,gCAAgC,CAC7C,aAAa,EAAE,MAAM,EACrB,MAAM,EAAE,OAAO,iCAAiC,EAChD,OAAO,CAAC,EAAE;IACR,QAAQ,CAAC,EAAE,WAAW,CAAC,OAAO,CAAC,CAAC;CACjC,GACA,OAAO,CAAC,iCAAiC,CAAC,CAAC;AAC9C,iBAAe,gCAAgC,CAC7C,aAAa,EAAE,MAAM,EACrB,MAAM,EAAE,OAAO,+BAA+B,EAC9C,OAAO,CAAC,EAAE;IACR,QAAQ,CAAC,EAAE,WAAW,CAAC,OAAO,CAAC,CAAC;CACjC,GACA,OAAO,CAAC,+BAA+B,CAAC,CAAC;AAC5C,iBAAe,gCAAgC,CAC7C,aAAa,EAAE,MAAM,EACrB,MAAM,EAAE,OAAO,8BAA8B,EAC7C,OAAO,CAAC,EAAE;IACR,QAAQ,CAAC,EAAE,WAAW,CAAC,OAAO,CAAC,CAAC;CACjC,GACA,OAAO,CAAC,8BAA8B,CAAC,CAAC;AAC3C,iBAAe,gCAAgC,CAC7C,aAAa,EAAE,MAAM,EACrB,MAAM,EAAE,OAAO,mCAAmC,EAClD,OAAO,CAAC,EAAE;IACR,QAAQ,CAAC,EAAE,WAAW,CAAC,OAAO,CAAC,CAAC;CACjC,GACA,OAAO,CAAC,mCAAmC,CAAC,CAAC;AAChD,iBAAe,gCAAgC,CAC7C,aAAa,EAAE,MAAM,EACrB,MAAM,EAAE,OAAO,mBAAmB,EAClC,OAAO,CAAC,EAAE;IACR,QAAQ,CAAC,EAAE,WAAW,CAAC,OAAO,CAAC,CAAC;CACjC,GACA,OAAO,CAAC,mBAAmB,CAAC,CAAC;AA0BhC,eAAO,MAAM,oCAAoC,kBAChC,WAAW,uCAAuC,CAAC,CAAC,CAAC,CAAC,YAC3D,WAAW,uCAAuC,CAAC,CAAC,CAAC,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAM/D,CAAC;AAEJ,eAAO,MAAM,sCAAsC,kBAClC,WAAW,uCAAuC,CAAC,CAAC,CAAC,CAAC,YAC3D,WAAW,uCAAuC,CAAC,CAAC,CAAC,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAM/D,CAAC;AAEJ,eAAO,MAAM,iCAAiC,kBAC7B,WAAW,uCAAuC,CAAC,CAAC,CAAC,CAAC,YAC3D,WAAW,uCAAuC,CAAC,CAAC,CAAC,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAM/D,CAAC;AAEJ,eAAO,MAAM,kCAAkC,kBAC9B,WAAW,uCAAuC,CAAC,CAAC,CAAC,CAAC,YAC3D,WAAW,uCAAuC,CAAC,CAAC,CAAC,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAM/D,CAAC;AAEJ,eAAO,MAAM,sBAAsB,kBAClB,WAAW,uCAAuC,CAAC,CAAC,CAAC,CAAC,YAC3D,WAAW,uCAAuC,CAAC,CAAC,CAAC,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAEa,CAAC;AAEhF;;;;;;;;;GASG;AACH,wBAAsB,kBAAkB,CACtC,wBAAwB,EAAE,MAAM,EAChC,yBAAyB,EAAE,MAAM,EACjC,EACE,QAAgB,GACjB,GAAE;IACD,QAAQ,CAAC,EAAE,WAAW,CAAC,OAAO,CAAC,CAAC;CAC5B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAeP;AAED;;;;;;;;GAQG;AACH,wBAAsB,wBAAwB,CAC5C,wBAAwB,EAAE,MAAM,EAChC,yBAAyB,EAAE,MAAM,EACjC,EACE,QAAgB,GACjB,GAAE;IACD,QAAQ,CAAC,EAAE,WAAW,CAAC,OAAO,CAAC,CAAC;CAC5B,mBAWP"}

package/src/credential/issuance/02-evaluate-issuer-trust.ts DELETED Viewed

@@ -1,32 +0,0 @@
-import { getCredentialIssuerEntityConfiguration } from "../../trust";
-import { CredentialIssuerEntityConfiguration } from "../../trust/types";
-import type { StartFlow } from "./01-start-flow";
-import type { Out } from "../../utils/misc";
-export type EvaluateIssuerTrust = (
-  issuerUrl: Out<StartFlow>["issuerUrl"],
-  context?: {
-    appFetch?: GlobalFetch["fetch"];
-  }
-) => Promise<{
-  issuerConf: CredentialIssuerEntityConfiguration["payload"]["metadata"];
-}>;
-/**
- * WARNING: This function must be called after {@link startFlow}. The next function to be called is {@link startUserAuthorization}.
- * The Issuer trust evaluation phase.
- * Fetch the Issuer's configuration and verify trust.
- *
- * @param issuerUrl The base url of the Issuer returned by {@link startFlow}
- * @param context.appFetch (optional) fetch api implementation. Default: built-in fetch
- * @returns The Issuer's configuration
- */
-export const evaluateIssuerTrust: EvaluateIssuerTrust = async (
-  issuerUrl,
-  context = {}
-) => {
-  const issuerConf = await getCredentialIssuerEntityConfiguration(issuerUrl, {
-    appFetch: context.appFetch,
-  }).then((_) => _.payload.metadata);
-  return { issuerConf };
-};

package/src/credential/status/01-start-flow.ts DELETED Viewed

@@ -1,9 +0,0 @@
-/**
- * WARNING: This is the first function to be called in the status attestation flow. The next function to be called is {@link statusAttestation}.
- * The beginning of the status attestation flow.
- *
- * @returns The url of the credential issuer to be used in the next function.
- */
-export type StartFlow = () => {
-  issuerUrl: string;
-};

package/src/credential/status/02-status-attestation.ts DELETED Viewed

@@ -1,102 +0,0 @@
-import {
-  getCredentialHashWithouDiscloures,
-  hasStatusOrThrow,
-  type Out,
-} from "../../utils/misc";
-import type { EvaluateIssuerTrust, ObtainCredential } from "../issuance";
-import { type CryptoContext, SignJWT } from "@pagopa/io-react-native-jwt";
-import uuid from "react-native-uuid";
-import { StatusAttestationResponse } from "./types";
-import {
-  IssuerResponseError,
-  IssuerResponseErrorCodes,
-  ResponseErrorBuilder,
-  UnexpectedStatusCodeError,
-} from "../../utils/errors";
-export type StatusAttestation = (
-  issuerConf: Out<EvaluateIssuerTrust>["issuerConf"],
-  credential: Out<ObtainCredential>["credential"],
-  credentialCryptoContext: CryptoContext,
-  appFetch?: GlobalFetch["fetch"]
-) => Promise<{
-  statusAttestation: StatusAttestationResponse["status_attestation"];
-}>;
-/**
- * WARNING: This function must be called after {@link startFlow}.
- * Verify the status of the credential attestation.
- * @param issuerConf - The issuer's configuration
- * @param credential - The credential to be verified
- * @param credentialCryptoContext - The credential's crypto context
- * @param context.appFetch (optional) fetch api implementation. Default: built-in fetch
- * @throws {IssuerResponseError} with a specific code for more context
- * @returns The credential status attestation
- */
-export const statusAttestation: StatusAttestation = async (
-  issuerConf,
-  credential,
-  credentialCryptoContext,
-  appFetch: GlobalFetch["fetch"] = fetch
-) => {
-  const jwk = await credentialCryptoContext.getPublicKey();
-  const credentialHash = await getCredentialHashWithouDiscloures(credential);
-  const statusAttUrl =
-    issuerConf.openid_credential_issuer.status_attestation_endpoint;
-  const credentialPop = await new SignJWT(credentialCryptoContext)
-    .setPayload({
-      aud: statusAttUrl,
-      jti: uuid.v4().toString(),
-      credential_hash: credentialHash,
-      credential_hash_alg: "S256",
-    })
-    .setProtectedHeader({
-      alg: "ES256",
-      typ: "status-attestation-request+jwt",
-      kid: jwk.kid,
-    })
-    .setIssuedAt()
-    .setExpirationTime("5m")
-    .sign();
-  const body = {
-    credential_pop: credentialPop,
-  };
-  const result = await appFetch(statusAttUrl, {
-    method: "POST",
-    headers: {
-      "Content-Type": "application/json",
-    },
-    body: JSON.stringify(body),
-  })
-    .then(hasStatusOrThrow(201))
-    .then((raw) => raw.json())
-    .then((json) => StatusAttestationResponse.parse(json))
-    .catch(handleStatusAttestationError);
-  return { statusAttestation: result.status_attestation };
-};
-/**
- * Handle the status attestation error by mapping it to a custom exception.
- * If the error is not an instance of {@link UnexpectedStatusCodeError}, it is thrown as is.
- * @param e - The error to be handled
- * @throws {IssuerResponseError} with a specific code for more context
- */
-const handleStatusAttestationError = (e: unknown) => {
-  if (!(e instanceof UnexpectedStatusCodeError)) {
-    throw e;
-  }
-  throw new ResponseErrorBuilder(IssuerResponseError)
-    .handle(404, {
-      code: IssuerResponseErrorCodes.CredentialInvalidStatus,
-      message: "Invalid status found for the given credential",
-    })
-    .handle("*", {
-      code: IssuerResponseErrorCodes.StatusAttestationRequestFailed,
-      message: `Unable to obtain the status attestation for the given credential`,
-    })
-    .buildFrom(e);
-};

package/src/credential/status/03-verify-and-parse-status-attestation.ts DELETED Viewed

@@ -1,60 +0,0 @@
-import type { Out } from "../../utils/misc";
-import { IoWalletError } from "../../utils/errors";
-import { verify, type CryptoContext } from "@pagopa/io-react-native-jwt";
-import type { EvaluateIssuerTrust, StatusAttestation } from "../status";
-import { ParsedStatusAttestation } from "./types";
-import { decode as decodeJwt } from "@pagopa/io-react-native-jwt";
-export type VerifyAndParseStatusAttestation = (
-  issuerConf: Out<EvaluateIssuerTrust>["issuerConf"],
-  statusAttestation: Out<StatusAttestation>,
-  context: {
-    credentialCryptoContext: CryptoContext;
-  }
-) => Promise<{ parsedStatusAttestation: ParsedStatusAttestation }>;
-/**
- * Given a status attestation, verifies that:
- * - It's in the supported format;
- * - The attestation is correctly signed;
- * - It's bound to the given key.
- * @param issuerConf The Issuer configuration returned by {@link evaluateIssuerTrust}
- * @param statusAttestation The encoded status attestation returned by {@link statusAttestation}
- * @param context.credentialCryptoContext The crypto context used to obtain the credential in {@link obtainCredential}
- * @returns A parsed status attestation
- * @throws {IoWalletError} If the credential signature is not verified with the Issuer key set
- * @throws {IoWalletError} If the credential is not bound to the provided user key
- * @throws {IoWalletError} If the credential data fail to parse
- */
-export const verifyAndParseStatusAttestation: VerifyAndParseStatusAttestation =
-  async (issuerConf, rawStatusAttestation, context) => {
-    try {
-      const { statusAttestation } = rawStatusAttestation;
-      const { credentialCryptoContext } = context;
-      await verify(
-        statusAttestation,
-        issuerConf.openid_credential_issuer.jwks.keys
-      );
-      const decodedJwt = decodeJwt(statusAttestation);
-      const parsedStatusAttestation = ParsedStatusAttestation.parse({
-        header: decodedJwt.protectedHeader,
-        payload: decodedJwt.payload,
-      });
-      const holderBindingKey = await credentialCryptoContext.getPublicKey();
-      const { cnf } = parsedStatusAttestation.payload;
-      if (!cnf.jwk.kid || cnf.jwk.kid !== holderBindingKey.kid) {
-        throw new IoWalletError(
-          `Failed to verify holder binding for status attestation, expected kid: ${holderBindingKey.kid}, got: ${parsedStatusAttestation.payload.cnf.jwk.kid}`
-        );
-      }
-      return { parsedStatusAttestation };
-    } catch (e) {
-      throw new IoWalletError(
-        `Failed to verify status attestation: ${JSON.stringify(e)}`
-      );
-    }
-  };

package/src/credential/status/README.md DELETED Viewed

@@ -1,67 +0,0 @@
-# Credential Status Attestation
-This flow is used to obtain a credential status attestation from its credential issuer. Each step in the flow is imported from the related file which is named with a sequential number.
-The credential status attestation is a JWT which contains the credential status which indicates if the credential is valid or not.
-The status attestation is supposed to be stored securely along with the credential. It has a limited lifetime and should be refreshed periodically according to the `exp` field in the JWT payload.
-## Sequence Diagram
-```mermaid
-graph TD;
-    0[startFlow]
-    1[statusAttestation]
-    2[verifyAndParseStatusAttestation]
-    0 --> 1
-    1 --> 2
-```
-## Mapped results
-The following errors are mapped to a `IssuerResponseError` with specific codes.
-|HTTP Status|Error Code|Description|
-|-----------|----------|-----------|
-|`404 Not Found`|`ERR_CREDENTIAL_INVALID_STATUS`|This response is returned by the credential issuer when the status attestation is invalid. It might contain more details in the `reason` property.|
-## Example
-<details>
-  <summary>Credential status attestation flow</summary>
-```ts
-// Start the issuance flow
-const credentialIssuerUrl = "https://issuer.example.com";
-const startFlow: Credential.Status.StartFlow = () => ({
-  issuerUrl: credentialIssuerUrl, // Let's assum
-});
-const { issuerUrl } = startFlow();
-// Evaluate issuer trust
-const { issuerConf } = await Credential.Status.evaluateIssuerTrust(issuerUrl);
-// Get the credential attestation
-const res = await Credential.Status.statusAttestation(
-  issuerConf,
-  credential,
-  credentialCryptoContext
-);
-// Verify and parse the status attestation
-const { parsedStatusAttestation } =
-  await Credential.Status.verifyAndParseStatusAttestation(
-    issuerConf,
-    res.statusAttestation,
-    { credentialCryptoContext }
-  );
-return {
-  statusAttestation: res.statusAttestation,
-  parsedStatusAttestation,
-  credentialType,
-};
-```
-</details>

package/src/credential/status/index.ts DELETED Viewed

@@ -1,22 +0,0 @@
-import { type StartFlow } from "./01-start-flow";
-import {
-  statusAttestation,
-  type StatusAttestation,
-} from "./02-status-attestation";
-import { evaluateIssuerTrust, type EvaluateIssuerTrust } from "../issuance";
-import {
-  verifyAndParseStatusAttestation,
-  type VerifyAndParseStatusAttestation,
-} from "./03-verify-and-parse-status-attestation";
-export {
-  evaluateIssuerTrust,
-  statusAttestation,
-  verifyAndParseStatusAttestation,
-};
-export type {
-  StartFlow,
-  EvaluateIssuerTrust,
-  StatusAttestation,
-  VerifyAndParseStatusAttestation,
-};

package/src/credential/status/types.ts DELETED Viewed

@@ -1,43 +0,0 @@
-import { UnixTime } from "../../sd-jwt/types";
-import { JWK } from "../../utils/jwk";
-import * as z from "zod";
-/**
- * Shape from parsing a status attestation response in case of 201.
- */
-export const StatusAttestationResponse = z.object({
-  status_attestation: z.string(),
-});
-/**
- * Type from parsing a status attestation response in case of 201.
- * Inferred from {@link StatusAttestationResponse}.
- */
-export type StatusAttestationResponse = z.infer<
-  typeof StatusAttestationResponse
->;
-/**
- * Type for a parsed status attestation.
- */
-export type ParsedStatusAttestation = z.infer<typeof ParsedStatusAttestation>;
-/**
- * Shape for parsing a status attestation in a JWT.
- */
-export const ParsedStatusAttestation = z.object({
-  header: z.object({
-    typ: z.literal("status-attestation+jwt"),
-    alg: z.string(),
-    kid: z.string().optional(),
-  }),
-  payload: z.object({
-    credential_hash_alg: z.string(),
-    credential_hash: z.string(),
-    cnf: z.object({
-      jwk: JWK,
-    }),
-    exp: UnixTime,
-    iat: UnixTime,
-  }),
-});

package/src/credential/trustmark/README.md DELETED Viewed

@@ -1,62 +0,0 @@
-# Credential Trustmark
-A credential TrustMark is a signed JWT that verifies the authenticity of a credential issued by a trusted source. It serves as proof that a credential is valid and linked to a specific wallet instance.
-The TrustMark is often presented as a QR code, containing cryptographic data to ensure it hasn't been tampered with. It includes fields like issuer, issuance and expiration timestamps, and credential-specific details. TrustMarks have a short validity period and are used to enhance security and prevent misuse, such as QR code swapping.
-### getCredentialTrustmark
-A function that generates a signed JWT Trustmark to verify the authenticity of a digital credential. The Trustmark serves as a cryptographic proof linking a credential to a specific wallet instance, ensuring the credential's validity and preventing unauthorized modifications or misuse.
-#### Signature
-```typescript
-function getCredentialTrustmark({
-  walletInstanceAttestation: string,
-  wiaCryptoContext: CryptoContext,
-  credentialType: string,
-  docNumber?: string,
-  expirationTime?: number | string
-}): Promise<{
-  jwt: string,
-  expirationTime: number
-}>
-```
-#### Parameters
-| Parameter | Type | Required | Description |
-|-----------|------|----------|-------------|
-| walletInstanceAttestation | string | Yes | A base64-encoded string containing the Wallet Instance Attestation (WIA). This attestation proves the authenticity of the wallet instance. |
-| wiaCryptoContext | CryptoContext | Yes | The cryptographic context associated with the wallet instance. Must contain the same key pair used to generate the WIA. |
-| credentialType | string | Yes | Identifier for the type of credential (e.g., "MDL" for Mobile Driver's License). |
-| docNumber | string | No | The document number of the credential. If provided, it will be obfuscated in the Trustmark for privacy. |
-| expirationTime | number \| string | No | Specifies when the Trustmark expires. Can be either:<br>- A timestamp in seconds<br>- A time span string (e.g., "2m" for 2 minutes)<br>Default: "2m" |
-#### Return Value
-Returns a Promise that resolves to an object containing:
-| Property | Type | Description |
-|----------|------|-------------|
-| jwt | string | The signed trustmark JWT string |
-| expirationTime | number | The expiration timestamp of the JWT in seconds |
-## Example
-```typescript
-// Required inputs
-const walletInstanceAttestation = "base64AttestationString";
-const credentialType = "MDL"; // Credential type (e.g., Mobile Driver's License)
-const documentNumber = "AB123456"; // Optional document number
-const cryptoContext = createCryptoContextFor("wiaKeyTag"); // Sample crypto context
-// Generate the TrustMark JWT
-const { jwt, expirationTime } = await getCredentialTrustmark({
-  walletInstanceAttestation: "eyJ0eXAi...", // WIA JWT
-  wiaCryptoContext: cryptoContext,
-  credentialType: "IdentityCard",
-  docNumber: "AB123456",
-  expirationTime: "5m", // 5 minutes
-});
-console.log("Generated TrustMark JWT:", jwt);
-console.log("Expires at:", new Date(expirationTime * 1000));
-```

package/src/credential/trustmark/get-credential-trustmark.ts DELETED Viewed

@@ -1,120 +0,0 @@
-import {
-  SignJWT,
-  thumbprint,
-  type CryptoContext,
-  decode as decodeJwt,
-} from "@pagopa/io-react-native-jwt";
-import * as WalletInstanceAttestation from "../../wallet-instance-attestation";
-import { IoWalletError } from "../../utils/errors";
-import { obfuscateString } from "../../utils/string";
-export type GetCredentialTrustmarkJwt = (params: {
-  /**
-   * The Wallet Instance's attestation
-   */
-  walletInstanceAttestation: string;
-  /**
-   * The Wallet Instance's crypto context associated with the walletInstanceAttestation parameter
-   */
-  wiaCryptoContext: CryptoContext;
-  /**
-   * The type of credential for which the trustmark is generated
-   */
-  credentialType: string;
-  /**
-   * (Optional) Document number contained in the credential, if applicable
-   */
-  docNumber?: string;
-  /**
-   * (Optional) Expiration time for the trustmark, default is 2 minutes.
-   * If a number is provided, it is interpreted as a timestamp in seconds.
-   * If a string is provided, it is interpreted as a time span and added to the current timestamp.
-   */
-  expirationTime?: number | string;
-}) => Promise<{
-  /**
-   * The signed JWT
-   */
-  jwt: string;
-  /**
-   * The expiration time of the JWT in seconds
-   */
-  expirationTime: number;
-}>;
-/**
- * Generates a trustmark signed JWT, which is used to verify the authenticity of a credential.
- * The public key used to sign the trustmark must the same used for the Wallet Instance Attestation.
- *
- * @param walletInstanceAttestation the Wallet Instance's attestation
- * @param wiaCryptoContext The Wallet Instance's crypto context associated with the walletInstanceAttestation parameter
- * @param credentialType The type of credential for which the trustmark is generated
- * @param docNumber (Optional) Document number contained in the credential, if applicable
- * @param expirationTime (Optional) Expiration time for the trustmark, default is 2 minutes.
- *                        If a number is provided, it is interpreted as a timestamp in seconds.
- *                        If a string is provided, it is interpreted as a time span and added to the current timestamp.
- * @throws {IoWalletError} If the WIA is expired
- * @throws {IoWalletError} If the public key associated to the WIA is not the same for the CryptoContext
- * @throws {JWSSignatureVerificationFailed} If the WIA signature is not valid
- * @returns A promise containing the signed JWT and its expiration time in seconds
- */
-export const getCredentialTrustmark: GetCredentialTrustmarkJwt = async ({
-  walletInstanceAttestation,
-  wiaCryptoContext,
-  credentialType,
-  docNumber,
-  expirationTime = "2m",
-}) => {
-  /**
-   * Check that the public key used to sign the trustmark is the one used for the WIA
-   */
-  const holderBindingKey = await wiaCryptoContext.getPublicKey();
-  const decodedWia = WalletInstanceAttestation.decode(
-    walletInstanceAttestation
-  );
-  /**
-   * Check that the WIA is not expired
-   */
-  if (decodedWia.payload.exp * 1000 < Date.now()) {
-    throw new IoWalletError("Wallet Instance Attestation expired");
-  }
-  /**
-   * Verify holder binding by comparing thumbprints of the WIA and the CryptoContext key
-   */
-  const wiaThumbprint = await thumbprint(decodedWia.payload.cnf.jwk);
-  const cryptoContextThumbprint = await thumbprint(holderBindingKey);
-  if (wiaThumbprint !== cryptoContextThumbprint) {
-    throw new IoWalletError(
-      `Failed to verify holder binding for status attestation, expected thumbprint: ${cryptoContextThumbprint}, got: ${wiaThumbprint}`
-    );
-  }
-  /**
-   * Generate Trustmark signed JWT
-   */
-  const signedTrustmarkJwt = await new SignJWT(wiaCryptoContext)
-    .setProtectedHeader({
-      alg: "ES256",
-    })
-    .setPayload({
-      iss: walletInstanceAttestation,
-      /**
-       * If present, the document number is obfuscated before adding it to the payload
-       */
-      ...(docNumber ? { sub: obfuscateString(docNumber) } : {}),
-      subtyp: credentialType,
-    })
-    .setIssuedAt()
-    .setExpirationTime(expirationTime)
-    .sign();
-  const decodedTrustmark = decodeJwt(signedTrustmarkJwt);
-  return {
-    jwt: signedTrustmarkJwt,
-    expirationTime: decodedTrustmark.payload.exp ?? 0,
-  };
-};

package/src/credential/trustmark/index.ts DELETED Viewed

@@ -1,8 +0,0 @@
-import {
-  type GetCredentialTrustmarkJwt,
-  getCredentialTrustmark,
-} from "./get-credential-trustmark";
-export { getCredentialTrustmark };
-export type { GetCredentialTrustmarkJwt };

/package/lib/typescript/{trust → entity/trust}/chain.d.ts RENAMED Viewed

File without changes