npm - @pagopa/io-react-native-wallet - Versions diffs - 0.27.1 → 0.28.1 - Mend

@pagopa/io-react-native-wallet 0.27.1 → 0.28.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (153) hide show

package/src/credential/presentation/03-get-request-object.ts CHANGED Viewed

@@ -1,85 +1,62 @@
-import { v4 as uuidv4 } from "uuid";
-import {
-  decode as decodeJwt,
-  sha256ToBase64,
-  verify,
-  type CryptoContext,
-} from "@pagopa/io-react-native-jwt";
-import { createDPopToken } from "../../utils/dpop";
-import { NoSuitableKeysFoundInEntityConfiguration } from "./errors";
-import type { EvaluateRelyingPartyTrust } from "./02-evaluate-rp-trust";
 import { hasStatusOrThrow, type Out } from "../../utils/misc";
 import type { StartFlow } from "./01-start-flow";
-import { RequestObject } from "./types";
+import { RequestObjectWalletCapabilities } from "./types";
 export type GetRequestObject = (
-  requestUri: Out<StartFlow>["requestURI"],
-  rpConf: Out<EvaluateRelyingPartyTrust>["rpConf"],
+  requestUri: Out<StartFlow>["requestUri"],
   context: {
-    wiaCryptoContext: CryptoContext;
     appFetch?: GlobalFetch["fetch"];
     walletInstanceAttestation: string;
+    walletCapabilities?: RequestObjectWalletCapabilities;
   }
-) => Promise<{ requestObject: RequestObject }>;
+) => Promise<{ requestObjectEncodedJwt: string }>;
 /**
- * Obtain the Request Object for RP authentication
+ * Obtain the Request Object for RP authentication. Both the GET and POST `request_uri_method` are supported.
  * @see https://italia.github.io/eudi-wallet-it-docs/versione-corrente/en/relying-party-solution.html
  *
  * @param requestUri The url for the Relying Party to connect with
- * @param rpConf The Relying Party's configuration
- * @param context.wiaCryptoContext The context to access the key associated with the Wallet Instance Attestation
- * @param context.walletInstanceAttestation The Wallet Instance Attestation token
+ * @param rpConf The Relying Party's configuration * @param context.walletInstanceAttestation The Wallet Instance Attestation token
+ * @param context.walletCapabilities (optional) An object containing the wallet technical capabilities that will be sent with a POST request
  * @param context.appFetch (optional) fetch api implementation. Default: built-in fetch
  * @returns The Request Object that describes the presentation
  */
 export const getRequestObject: GetRequestObject = async (
   requestUri,
-  rpConf,
-  { wiaCryptoContext, appFetch = fetch, walletInstanceAttestation }
+  { appFetch = fetch, walletCapabilities }
 ) => {
-  const signedWalletInstanceDPoP = await createDPopToken(
-    {
-      jti: `${uuidv4()}`,
-      htm: "GET",
-      htu: requestUri,
-      ath: await sha256ToBase64(walletInstanceAttestation),
-    },
-    wiaCryptoContext
-  );
+  if (walletCapabilities) {
+    // Validate external input
+    const { wallet_metadata, wallet_nonce } =
+      RequestObjectWalletCapabilities.parse(walletCapabilities);
+    const formUrlEncodedBody = new URLSearchParams({
+      wallet_metadata: JSON.stringify(wallet_metadata),
+      ...(wallet_nonce && { wallet_nonce }),
+    });
+    const requestObjectEncodedJwt = await appFetch(requestUri, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/x-www-form-urlencoded",
+      },
+      body: formUrlEncodedBody.toString(),
+    })
+      .then(hasStatusOrThrow(200))
+      .then((res) => res.text());
+    return {
+      requestObjectEncodedJwt,
+    };
+  }
-  const responseEncodedJwt = await appFetch(requestUri, {
+  const requestObjectEncodedJwt = await appFetch(requestUri, {
     method: "GET",
-    headers: {
-      Authorization: `DPoP ${walletInstanceAttestation}`,
-      DPoP: signedWalletInstanceDPoP,
-    },
   })
     .then(hasStatusOrThrow(200))
-    .then((res) => res.json())
-    .then((responseJson) => responseJson.response);
-  const responseJwt = decodeJwt(responseEncodedJwt);
-  // verify token signature according to RP's entity configuration
-  // to ensure the request object is authentic
-  {
-    const pubKey = rpConf.wallet_relying_party.jwks.keys.find(
-      ({ kid }) => kid === responseJwt.protectedHeader.kid
-    );
-    if (!pubKey) {
-      throw new NoSuitableKeysFoundInEntityConfiguration(
-        "Request Object signature verification"
-      );
-    }
-    await verify(responseEncodedJwt, pubKey);
-  }
-  // Ensure that the request object conforms to the expected specification.
-  const requestObject = RequestObject.parse(responseJwt.payload);
+    .then((res) => res.text());
   return {
-    requestObject,
+    requestObjectEncodedJwt,
   };
 };

package/src/credential/presentation/04-retrieve-rp-jwks.ts ADDED Viewed

@@ -0,0 +1,34 @@
+import { JWK } from "../../utils/jwk";
+import { RelyingPartyEntityConfiguration } from "../../trust/types";
+/**
+ * Defines the signature for a function that retrieves JSON Web Key Sets (JWKS) from a client.
+ *
+ * @template T - The tuple type representing the function arguments.
+ * @param args - The arguments passed to the function.
+ * @returns A promise resolving to an object containing an array of JWKs.
+ */
+export type FetchJwks<T extends Array<unknown> = []> = (...args: T) => {
+  keys: JWK[];
+};
+/**
+ * Retrieves the JSON Web Key Set (JWKS) from a Relying Party's entity configuration.
+ *
+ * @param rpConfig - The configuration object of the Relying Party entity.
+ * @returns An object containing an array of JWKs.
+ * @throws Will throw an error if the configuration is invalid or if JWKS is not found.
+ */
+export const getJwksFromConfig: FetchJwks<
+  [RelyingPartyEntityConfiguration["payload"]["metadata"]]
+> = (rpConfig) => {
+  const jwks = rpConfig.openid_credential_verifier.jwks;
+  if (!jwks || !Array.isArray(jwks.keys)) {
+    throw new Error("JWKS not found in Relying Party configuration.");
+  }
+  return {
+    keys: jwks.keys,
+  };
+};

package/src/credential/presentation/05-verify-request-object.ts ADDED Viewed

@@ -0,0 +1,52 @@
+import { decode as decodeJwt, verify } from "@pagopa/io-react-native-jwt";
+import type { RelyingPartyEntityConfiguration } from "../../trust";
+import { UnverifiedEntityError } from "./errors";
+import { RequestObject } from "./types";
+import { getJwksFromConfig } from "./04-retrieve-rp-jwks";
+export type VerifyRequestObject = (
+  requestObjectEncodedJwt: string,
+  context: {
+    clientId: string;
+    // jwkKeys: Out<FetchJwks>["keys"];
+    rpConf: RelyingPartyEntityConfiguration["payload"];
+  }
+) => Promise<{ requestObject: RequestObject }>;
+/**
+ * Function to verify the Request Object's signature and the client ID.
+ * @param requestObjectEncodedJwt The Request Object in JWT format
+ * @param context.clientId The client ID to verify
+ * @param context.jwkKeys The set of keys to verify the signature
+ * @param context.rpConf The Entity Configuration of the Relying Party
+ * @returns The verified Request Object
+ */
+export const verifyRequestObject: VerifyRequestObject = async (
+  requestObjectEncodedJwt,
+  { clientId, rpConf }
+) => {
+  const requestObjectJwt = decodeJwt(requestObjectEncodedJwt);
+  const { keys } = getJwksFromConfig(rpConf.metadata);
+  // Verify token signature to ensure the request object is authentic
+  const pubKey = keys?.find(
+    ({ kid }) => kid === requestObjectJwt.protectedHeader.kid
+  );
+  if (!pubKey) {
+    throw new UnverifiedEntityError("Request Object signature verification!");
+  }
+  // Standard claims are verified within `verify`
+  await verify(requestObjectEncodedJwt, pubKey, { issuer: clientId });
+  const requestObject = RequestObject.parse(requestObjectJwt.payload);
+  if (!(clientId === requestObject.client_id && clientId === rpConf.sub)) {
+    throw new UnverifiedEntityError(
+      "Client ID does not match Request Object or Entity Configuration"
+    );
+  }
+  return { requestObject };
+};

package/src/credential/presentation/06-fetch-presentation-definition.ts ADDED Viewed

@@ -0,0 +1,48 @@
+import { PresentationDefinition, RequestObject } from "./types";
+import { RelyingPartyEntityConfiguration } from "../../trust/types";
+export type FetchPresentationDefinition = (
+  requestObject: RequestObject,
+  rpConf?: RelyingPartyEntityConfiguration["payload"]["metadata"]
+) => Promise<{
+  presentationDefinition: PresentationDefinition;
+}>;
+/**
+ * Retrieves a PresentationDefinition based on the given parameters.
+ *
+ * The method attempts the following strategies in order:
+ * 1. Checks if `presentation_definition` is directly available in the request object.
+ * 2. Uses a pre-configured `presentation_definition` from the relying party configuration if the `scope` is present in the request object.
+ *
+ * If none of the above conditions are met, the function throws an error indicating the definition could not be found. Note that `presentation_definition_uri` is not supported in 0.9.x.
+ *
+ * @param {RequestObject} requestObject - The request object containing the presentation definition or references to it.
+ * @param {RelyingPartyEntityConfiguration["payload"]["metadata"]} [rpConf] - Optional relying party configuration.
+ * @returns {Promise<{ presentationDefinition: PresentationDefinition }>} - Resolves with the presentation definition.
+ * @throws {Error} - Throws if the presentation definition cannot be found or fetched.
+ */
+export const fetchPresentDefinition: FetchPresentationDefinition = async (
+  requestObject,
+  rpConf
+) => {
+  // Check if `presentation_definition` is directly available in the request object
+  if (requestObject.presentation_definition) {
+    return {
+      presentationDefinition: requestObject.presentation_definition,
+    };
+  }
+  // Check if `scope` is present in the request object and a pre-configured presentation definition exists
+  if (
+    requestObject.scope &&
+    rpConf?.openid_credential_verifier?.presentation_definition
+  ) {
+    return {
+      presentationDefinition:
+        rpConf.openid_credential_verifier.presentation_definition,
+    };
+  }
+  throw new Error("Presentation definition not found");
+};

package/src/credential/presentation/07-evaluate-dcql-query.ts ADDED Viewed

@@ -0,0 +1,166 @@
+import {
+  DcqlQuery,
+  DcqlError,
+  DcqlCredentialSetError,
+  DcqlQueryResult,
+} from "dcql";
+import { isValiError } from "valibot";
+import { decode, prepareVpToken } from "../../sd-jwt";
+import type { Disclosure, DisclosureWithEncoded } from "../../sd-jwt/types";
+import { ValidationFailed } from "../../utils/errors";
+import { createCryptoContextFor } from "../../utils/crypto";
+import type { RemotePresentation } from "./types";
+type EvaluateDcqlQuery = (
+  credentialsSdJwt: [string /* keyTag */, string /* credential */][],
+  query: DcqlQuery.Input
+) => {
+  id: string;
+  credential: string;
+  keyTag: string;
+  requiredDisclosures: DisclosureWithEncoded[];
+  isOptional?: boolean;
+}[];
+type PrepareRemotePresentations = (
+  credentials: {
+    id: string;
+    credential: string;
+    keyTag: string;
+    requestedClaims: string[];
+  }[],
+  nonce: string,
+  clientId: string
+) => Promise<RemotePresentation[]>;
+type DcqlMatchSuccess = Extract<
+  DcqlQueryResult.CredentialMatch,
+  { success: true }
+>;
+/**
+ * Convert a credential in JWT format to an object with claims
+ * for correct parsing by the `dcql` library.
+ */
+const mapCredentialToObject = (jwt: string) => {
+  const { sdJwt, disclosures } = decode(jwt);
+  const credentialFormat = sdJwt.header.typ;
+  // TODO [SIW-2082]: support MDOC credentials
+  if (credentialFormat !== "vc+sd-jwt") {
+    throw new Error(`Unsupported credential format: ${credentialFormat}`);
+  }
+  return {
+    vct: sdJwt.payload.vct,
+    credential_format: credentialFormat,
+    claims: disclosures.reduce(
+      (acc, disclosure) => ({
+        ...acc,
+        [disclosure.decoded[1]]: disclosure.decoded,
+      }),
+      {} as Record<string, Disclosure>
+    ),
+  };
+};
+/**
+ * Extract only successful matches from the DCQL query result.
+ */
+const getDcqlQueryMatches = (result: DcqlQueryResult) =>
+  Object.entries(result.credential_matches).filter(
+    ([, match]) => match.success === true
+  ) as [string, DcqlMatchSuccess][];
+export const evaluateDcqlQuery: EvaluateDcqlQuery = (
+  credentialsSdJwt,
+  query
+) => {
+  const credentials = credentialsSdJwt.map(([, credential]) =>
+    mapCredentialToObject(credential)
+  );
+  try {
+    // Validate the query
+    const parsedQuery = DcqlQuery.parse(query);
+    DcqlQuery.validate(parsedQuery);
+    const queryResult = DcqlQuery.query(parsedQuery, credentials);
+    if (!queryResult.canBeSatisfied) {
+      throw new Error("No credential can satisfy the provided DCQL query");
+    }
+    // Build an object vct:credentialJwt to map matched credentials to their JWT
+    const credentialsSdJwtByVct = credentials.reduce(
+      (acc, c, i) => ({ ...acc, [c.vct]: credentialsSdJwt[i]! }),
+      {} as Record<string, [string /* keyTag */, string /* credential */]>
+    );
+    return getDcqlQueryMatches(queryResult).map(([id, match]) => {
+      if (match.output.credential_format !== "vc+sd-jwt") {
+        throw new Error("Unsupported format"); // TODO [SIW-2082]: support MDOC credentials
+      }
+      const { vct, claims } = match.output;
+      // Find a matching credential set to see whether the credential is optional
+      // If no credential set is found, then the credential is required by default
+      // NOTE: This is an extra, it might not be necessary
+      const credentialSet = queryResult.credential_sets?.find((set) =>
+        set.matching_options?.flat().includes(vct)
+      );
+      const isOptional = credentialSet ? !credentialSet.required : false;
+      const [keyTag, credential] = credentialsSdJwtByVct[vct]!;
+      const requiredDisclosures = Object.values(
+        claims
+      ) as DisclosureWithEncoded[];
+      return {
+        id,
+        keyTag,
+        credential,
+        isOptional,
+        requiredDisclosures,
+      };
+    });
+  } catch (error) {
+    // Invalid DCQL query structure
+    if (isValiError(error)) {
+      throw new ValidationFailed({
+        message: "Invalid DCQL query",
+        reason: error.issues.map((issue) => issue.message).join(", "),
+      });
+    }
+    if (error instanceof DcqlError) {
+      // TODO [SIW-2110]: handle invalid DQCL query or let the error propagate
+    }
+    if (error instanceof DcqlCredentialSetError) {
+      // TODO [SIW-2110]: handle missing credentials or let the error propagate
+    }
+    throw error;
+  }
+};
+export const prepareRemotePresentations: PrepareRemotePresentations = async (
+  credentials,
+  nonce,
+  clientId
+) => {
+  return Promise.all(
+    credentials.map(async (item) => {
+      const { vp_token } = await prepareVpToken(nonce, clientId, [
+        item.credential,
+        item.requestedClaims,
+        createCryptoContextFor(item.keyTag),
+      ]);
+      return {
+        credentialId: item.id,
+        requestedClaims: item.requestedClaims,
+        vpToken: vp_token,
+        format: "vc+sd-jwt",
+      };
+    })
+  );
+};