@pagopa/io-react-native-wallet 0.27.1 → 0.28.1

package/src/credential/presentation/07-evaluate-input-descriptor.ts

@@ -0,0 +1,391 @@
+import { InputDescriptor, type LegacyRemotePresentation } from "./types";
+import { SdJwt4VC, type DisclosureWithEncoded } from "../../sd-jwt/types";
+import { decode, prepareVpToken } from "../../sd-jwt";
+import { createCryptoContextFor } from "../../utils/crypto";
+import { JSONPath } from "jsonpath-plus";
+import { CredentialNotFoundError, MissingDataError } from "./errors";
+import Ajv from "ajv";
+
+const ajv = new Ajv({ allErrors: true });
+const INDEX_CLAIM_NAME = 1;
+
+export type EvaluatedDisclosures = {
+  requiredDisclosures: DisclosureWithEncoded[];
+  optionalDisclosures: DisclosureWithEncoded[];
+  unrequestedDisclosures: DisclosureWithEncoded[];
+};
+
+export type EvaluateInputDescriptorSdJwt4VC = (
+  inputDescriptor: InputDescriptor,
+  payloadCredential: SdJwt4VC["payload"],
+  disclosures: DisclosureWithEncoded[]
+) => EvaluatedDisclosures;
+
+export type EvaluateInputDescriptors = (
+  descriptors: InputDescriptor[],
+  credentialsSdJwt: [string /* keyTag */, string /* credential */][]
+) => Promise<
+  {
+    evaluatedDisclosure: EvaluatedDisclosures;
+    inputDescriptor: InputDescriptor;
+    credential: string;
+    keyTag: string;
+  }[]
+>;
+
+export type PrepareRemotePresentations = (
+  credentialAndDescriptors: {
+    requestedClaims: string[];
+    inputDescriptor: InputDescriptor;
+    credential: string;
+    keyTag: string;
+  }[],
+  nonce: string,
+  client_id: string
+) => Promise<LegacyRemotePresentation[]>;
+
+/**
+ * Transforms an array of DisclosureWithEncoded objects into a key-value map.
+ * @param disclosures - An array of DisclosureWithEncoded, each containing a decoded property with [?, claimName, claimValue].
+ * @returns An object mapping claim names to their corresponding values.
+ */
+const mapDisclosuresToObject = (
+  disclosures: DisclosureWithEncoded[]
+): Record<string, unknown> => {
+  return disclosures.reduce(
+    (obj, { decoded }) => {
+      const [, claimName, claimValue] = decoded;
+      obj[claimName] = claimValue;
+      return obj;
+    },
+    {} as Record<string, unknown>
+  );
+};
+
+/**
+ * Finds a claim within the payload based on provided JSONPath expressions.
+ * @param paths - An array of JSONPath expressions to search for in the payload.
+ * @param payload - The object to search within using JSONPath.
+ * @returns A tuple with the first matched JSONPath and its corresponding value, or [undefined, undefined] if not found.
+ */
+const findMatchedClaim = (
+  paths: string[],
+  payload: any
+): [string?, string?] => {
+  let matchedPath;
+  let matchedValue;
+  paths.some((singlePath) => {
+    try {
+      const result = JSONPath({ path: singlePath, json: payload });
+      if (result.length > 0) {
+        matchedPath = singlePath;
+        matchedValue = result[0];
+        return true;
+      }
+    } catch (error) {
+      throw new MissingDataError(
+        `JSONPath for "${singlePath}" does not match the provided payload.`
+      );
+    }
+    return false;
+  });
+
+  return [matchedPath, matchedValue];
+};
+
+/**
+ * Extracts the claim name from a path that can be in one of the following formats:
+ * 1. $.propertyName
+ * 2. $["propertyName"] or $['propertyName']
+ *
+ * @param path - The path string containing the claim reference.
+ * @returns The extracted claim name if matched; otherwise, throws an exception.
+ */
+const extractClaimName = (path: string): string | undefined => {
+  // Define a regular expression that matches both formats:
+  // 1. $.propertyName
+  // 2. $["propertyName"] or $['propertyName']
+  const regex = /^\$\.(\w+)$|^\$\[(?:'|")(\w+)(?:'|")\]$/;
+
+  const match = path.match(regex);
+  if (match) {
+    // match[1] corresponds to the first capture group (\w+) after $.
+    // match[2] corresponds to the second capture group (\w+) inside [""] or ['']
+    return match[1] || match[2];
+  }
+
+  // If the input doesn't match any of the expected formats, return null
+
+  throw new Error(
+    `Invalid input format: "${path}". Expected formats are "$.propertyName", "$['propertyName']", or '$["propertyName"]'.`
+  );
+};
+
+/**
+ * Evaluates an InputDescriptor for an SD-JWT-based verifiable credential.
+ *
+ * - Checks each field in the InputDescriptor against the provided `payloadCredential`
+ *   and `disclosures` (selectively disclosed claims).
+ * - Validates whether required fields are present (unless marked optional)
+ *   and match any specified JSONPath.
+ * - If a field includes a JSON Schema filter, validates the claim value against that schema.
+ * - Enforces `limit_disclosure` rules by returning only disclosures, required and optional, matching the specified fields
+ *   if set to "required". Otherwise also return the array unrequestedDisclosures with disclosures which can be passed for a particular use case.
+ * - Throws an error if a required field is invalid or missing.
+ *
+ * @param inputDescriptor - Describes constraints (fields, filters, etc.) that must be satisfied.
+ * @param payloadCredential - The credential payload to check against.
+ * @param disclosures - An array of DisclosureWithEncoded objects representing selective disclosures.
+ * @returns A filtered list of disclosures satisfying the descriptor constraints, or throws an error if not.
+ * @throws Will throw an error if any required constraint fails or if JSONPath lookups are invalid.
+ */
+export const evaluateInputDescriptorForSdJwt4VC: EvaluateInputDescriptorSdJwt4VC =
+  (inputDescriptor, payloadCredential, disclosures) => {
+    if (!inputDescriptor?.constraints?.fields) {
+      // No validation, all field are optional
+      return {
+        requiredDisclosures: [],
+        optionalDisclosures: [],
+        unrequestedDisclosures: disclosures,
+      };
+    }
+    const requiredClaimNames: string[] = [];
+    const optionalClaimNames: string[] = [];
+
+    // Transform disclosures to find claim using JSONPath
+    const disclosuresAsPayload = mapDisclosuresToObject(disclosures);
+
+    // For each field, we need at least one matching path
+    // If we succeed, we push the matched disclosure in matchedDisclosures and stop checking further paths
+    const allFieldsValid = inputDescriptor.constraints.fields.every((field) => {
+      // For Potential profile, selectively disclosed claims will always be built as an individual object property, by using a name-value pair.
+      // Hence that selective claim for array element and recursive disclosures are not supported by Potential for the first iteration of Piloting.
+      // We need to check inside disclosures or inside credential payload. Example path: "$.given_name"
+      let [matchedPath, matchedValue] = findMatchedClaim(
+        field.path,
+        disclosuresAsPayload
+      );
+
+      if (!matchedPath) {
+        [matchedPath, matchedValue] = findMatchedClaim(
+          field.path,
+          payloadCredential
+        );
+
+        if (!matchedPath) {
+          // Path could be optional, in this case no need to validate! continue to next field
+          return field?.optional;
+        }
+      } else {
+        // if match a disclouse we save which is required or optional
+        const claimName = extractClaimName(matchedPath);
+        if (claimName) {
+          (field?.optional ? optionalClaimNames : requiredClaimNames).push(
+            claimName
+          );
+        }
+      }
+
+      // FILTER validation
+      // If this field has a "filter" (JSON Schema), validate the claimValue
+      if (field.filter) {
+        try {
+          const validateSchema = ajv.compile(field.filter);
+          if (!validateSchema(matchedValue)) {
+            throw new MissingDataError(
+              `Claim value "${matchedValue}" for path "${matchedPath}" does not match the provided JSON Schema.`
+            );
+          }
+        } catch (error) {
+          return false;
+        }
+      }
+      // Submission Requirements validation
+      // TODO: [EUDIW-216] Read rule value if “all” o “pick” and validate
+
+      return true;
+    });
+
+    if (!allFieldsValid) {
+      throw new MissingDataError(
+        "Credential validation failed: Required fields are missing or do not match the input descriptor."
+      );
+    }
+
+    // Categorizes disclosures into required and optional based on claim names and disclosure constraints.
+
+    const requiredDisclosures = disclosures.filter((disclosure) =>
+      requiredClaimNames.includes(disclosure.decoded[INDEX_CLAIM_NAME])
+    );
+
+    const optionalDisclosures = disclosures.filter((disclosure) =>
+      optionalClaimNames.includes(disclosure.decoded[INDEX_CLAIM_NAME])
+    );
+
+    const isNotLimitDisclosure = !(
+      inputDescriptor.constraints.limit_disclosure === "required"
+    );
+
+    const unrequestedDisclosures = isNotLimitDisclosure
+      ? disclosures.filter(
+          (disclosure) =>
+            !optionalClaimNames.includes(
+              disclosure.decoded[INDEX_CLAIM_NAME]
+            ) &&
+            !requiredClaimNames.includes(disclosure.decoded[INDEX_CLAIM_NAME])
+        )
+      : [];
+
+    return {
+      requiredDisclosures,
+      optionalDisclosures,
+      unrequestedDisclosures,
+    };
+  };
+
+type DecodedCredentialSdJwt = {
+  keyTag: string;
+  credential: string;
+  sdJwt: SdJwt4VC;
+  disclosures: DisclosureWithEncoded[];
+};
+
+/**
+ * Finds the first credential that satisfies the input descriptor constraints.
+ * @param inputDescriptor The input descriptor to evaluate.
+ * @param decodedSdJwtCredentials An array of decoded SD-JWT credentials.
+ * @returns An object containing the matched evaluation, keyTag, and credential.
+ */
+export const findCredentialSdJwt = (
+  inputDescriptor: InputDescriptor,
+  decodedSdJwtCredentials: DecodedCredentialSdJwt[]
+): {
+  matchedEvaluation: EvaluatedDisclosures;
+  matchedKeyTag: string;
+  matchedCredential: string;
+} => {
+  for (const {
+    keyTag,
+    credential,
+    sdJwt,
+    disclosures,
+  } of decodedSdJwtCredentials) {
+    try {
+      const evaluatedDisclosure = evaluateInputDescriptorForSdJwt4VC(
+        inputDescriptor,
+        sdJwt.payload,
+        disclosures
+      );
+
+      return {
+        matchedEvaluation: evaluatedDisclosure,
+        matchedKeyTag: keyTag,
+        matchedCredential: credential,
+      };
+    } catch {
+      // skip to next credential
+      continue;
+    }
+  }
+
+  throw new CredentialNotFoundError(
+    "None of the vc+sd-jwt credentials satisfy the requirements."
+  );
+};
+
+/**
+ * Evaluates multiple input descriptors against provided SD-JWT and MDOC credentials.
+ *
+ * For each input descriptor, this function:
+ * - Checks the credential format.
+ * - Decodes the credential.
+ * - Evaluates the descriptor using the associated disclosures.
+ *
+ * @param inputDescriptors - An array of input descriptors.
+ * @param credentialsSdJwt - An array of tuples containing keyTag and SD-JWT credential.
+ * @returns An array of objects, each containing the evaluated disclosures,
+ *          the input descriptor, the credential, and the keyTag.
+ * @throws {CredentialNotFoundError} When the credential format is unsupported.
+ */
+export const evaluateInputDescriptors: EvaluateInputDescriptors = async (
+  inputDescriptors,
+  credentialsSdJwt
+) => {
+  // We need decode SD-JWT credentials for evaluation
+  const decodedSdJwtCredentials =
+    credentialsSdJwt?.map(([keyTag, credential]) => {
+      const { sdJwt, disclosures } = decode(credential);
+      return { keyTag, credential, sdJwt, disclosures };
+    }) || [];
+
+  return Promise.all(
+    inputDescriptors.map(async (descriptor) => {
+      if (descriptor.format?.["vc+sd-jwt"]) {
+        if (!decodedSdJwtCredentials.length) {
+          throw new CredentialNotFoundError(
+            "vc+sd-jwt credential is not supported."
+          );
+        }
+
+        const { matchedEvaluation, matchedKeyTag, matchedCredential } =
+          findCredentialSdJwt(descriptor, decodedSdJwtCredentials);
+
+        return {
+          evaluatedDisclosure: matchedEvaluation,
+          inputDescriptor: descriptor,
+          credential: matchedCredential,
+          keyTag: matchedKeyTag,
+        };
+      }
+
+      throw new CredentialNotFoundError(
+        `${descriptor.format} format is not supported.`
+      );
+    })
+  );
+};
+
+/**
+ * Prepares remote presentations for a set of credentials based on input descriptors.
+ *
+ * For each credential and its corresponding input descriptor, this function:
+ * - Validates the credential format.
+ * - Generates a verifiable presentation token (vpToken) using the provided nonce and client identifier.
+ *
+ * @param credentialAndDescriptors - An array containing objects with requested claims,
+ *                                   input descriptor, credential, and keyTag.
+ * @param nonce - A unique nonce for the verifiable presentation token.
+ * @param client_id - The client identifier.
+ * @returns A promise that resolves to an array of RemotePresentation objects.
+ * @throws {CredentialNotFoundError} When the credential format is unsupported.
+ */
+export const prepareRemotePresentations: PrepareRemotePresentations = async (
+  credentialAndDescriptors,
+  nonce,
+  client_id
+) => {
+  return Promise.all(
+    credentialAndDescriptors.map(async (item) => {
+      const descriptor = item.inputDescriptor;
+
+      if (descriptor.format?.["vc+sd-jwt"]) {
+        const { vp_token } = await prepareVpToken(nonce, client_id, [
+          item.credential,
+          item.requestedClaims,
+          createCryptoContextFor(item.keyTag),
+        ]);
+
+        return {
+          requestedClaims: item.requestedClaims,
+          inputDescriptor: descriptor,
+          vpToken: vp_token,
+          format: "vc+sd-jwt",
+        };
+      }
+
+      throw new CredentialNotFoundError(
+        `${descriptor.format} format is not supported.`
+      );
+    })
+  );
+};

package/src/credential/presentation/08-send-authorization-response.ts

@@ -0,0 +1,220 @@
+import { EncryptJwe } from "@pagopa/io-react-native-jwt";
+import uuid from "react-native-uuid";
+import { getJwksFromConfig, type FetchJwks } from "./04-retrieve-rp-jwks";
+import type { VerifyRequestObject } from "./05-verify-request-object";
+import { NoSuitableKeysFoundInEntityConfiguration } from "./errors";
+import { hasStatusOrThrow, type Out } from "../../utils/misc";
+import {
+  type RemotePresentation,
+  DirectAuthorizationBodyPayload,
+  type LegacyRemotePresentation,
+  LegacyDirectAuthorizationBodyPayload,
+} from "./types";
+import * as z from "zod";
+import type { JWK } from "../../utils/jwk";
+import type { RelyingPartyEntityConfiguration } from "../../trust";
+
+export type AuthorizationResponse = z.infer<typeof AuthorizationResponse>;
+export const AuthorizationResponse = z.object({
+  status: z.string().optional(),
+  response_code: z
+    .string() /**
+      FIXME: [SIW-627] we expect this value from every RP implementation
+      Actually some RP does not return the value
+      We make it optional to not break the flow.
+    */
+    .optional(),
+  redirect_uri: z.string().optional(),
+});
+
+/**
+ * Selects a public key (with `use = enc`) from the set of JWK keys
+ * offered by the Relying Party (RP) for encryption.
+ *
+ * @param rpJwkKeys - The array of JWKs retrieved from the RP entity configuration.
+ * @returns The first suitable public key found in the list.
+ * @throws {NoSuitableKeysFoundInEntityConfiguration} If no suitable encryption key is found.
+ */
+export const choosePublicKeyToEncrypt = (
+  rpJwkKeys: Out<FetchJwks>["keys"]
+): JWK => {
+  const encKey = rpJwkKeys.find((jwk) => jwk.use === "enc");
+
+  if (encKey) {
+    return encKey;
+  }
+
+  // No suitable key found
+  throw new NoSuitableKeysFoundInEntityConfiguration(
+    "No suitable public key found for encryption."
+  );
+};
+
+/**
+ * Builds a URL-encoded form body for a direct POST response using JWT encryption.
+ *
+ * @param jwkKeys - Array of JWKs from the Relying Party for encryption.
+ * @param requestObject - Contains state, nonce, and other relevant info.
+ * @param payload - Object that contains the VP token to encrypt and the mapping of the credential disclosures
+ * @returns A URL-encoded string for an `application/x-www-form-urlencoded` POST body, where `response` contains the encrypted JWE.
+ */
+export const buildDirectPostJwtBody = async (
+  requestObject: Out<VerifyRequestObject>["requestObject"],
+  rpConf: RelyingPartyEntityConfiguration["payload"],
+  payload: DirectAuthorizationBodyPayload | LegacyDirectAuthorizationBodyPayload
+): Promise<string> => {
+  type Jwe = ConstructorParameters<typeof EncryptJwe>[1];
+
+  // Prepare the authorization response payload to be encrypted
+  const authzResponsePayload = JSON.stringify({
+    state: requestObject.state,
+    ...payload,
+  });
+
+  // Choose a suitable public key for encryption
+  const { keys } = getJwksFromConfig(rpConf.metadata);
+  const encPublicJwk = choosePublicKeyToEncrypt(keys);
+
+  // Encrypt the authorization payload
+  const {
+    authorization_encrypted_response_alg,
+    authorization_encrypted_response_enc,
+  } = rpConf.metadata.openid_credential_verifier;
+
+  const encryptedResponse = await new EncryptJwe(authzResponsePayload, {
+    alg: (authorization_encrypted_response_alg as Jwe["alg"]) || "RSA-OAEP-256",
+    enc:
+      (authorization_encrypted_response_enc as Jwe["enc"]) || "A256CBC-HS512",
+    kid: encPublicJwk.kid,
+  }).encrypt(encPublicJwk);
+
+  // Build the x-www-form-urlencoded form body
+  const formBody = new URLSearchParams({
+    response: encryptedResponse,
+    ...(requestObject.state ? { state: requestObject.state } : {}),
+  });
+  return formBody.toString();
+};
+
+/**
+ * Type definition for the function that sends the authorization response
+ * to the Relying Party, completing the presentation flow.
+ * Use with `presentation_definition`.
+ * @deprecated Use `sendAuthorizationResponse`
+ */
+export type SendLegacyAuthorizationResponse = (
+  requestObject: Out<VerifyRequestObject>["requestObject"],
+  presentationDefinitionId: string,
+  remotePresentations: LegacyRemotePresentation[],
+  rpConf: RelyingPartyEntityConfiguration["payload"],
+  context?: {
+    appFetch?: GlobalFetch["fetch"];
+  }
+) => Promise<AuthorizationResponse>;
+
+/**
+ * Sends the authorization response to the Relying Party (RP) using the specified `response_mode`.
+ * This function completes the presentation flow in an OpenID 4 Verifiable Presentations scenario.
+ *
+ * @param requestObject - The request details, including presentation requirements.
+ * @param presentationDefinition - The definition of the expected presentation.
+ * @param jwkKeys - Array of JWKs from the Relying Party for optional encryption.
+ * @param presentation - Tuple with verifiable credential, claims, and crypto context.
+ * @param context - Contains optional custom fetch implementation.
+ * @returns Parsed and validated authorization response from the Relying Party.
+ */
+export const sendLegacyAuthorizationResponse: SendLegacyAuthorizationResponse =
+  async (
+    requestObject,
+    presentationDefinitionId,
+    remotePresentations,
+    rpConf,
+    { appFetch = fetch } = {}
+  ): Promise<AuthorizationResponse> => {
+    /**
+     * 1. Prepare the VP token and presentation submission
+     * If there is only one credential, `vpToken` is a single string.
+     * If there are multiple credential, `vpToken` is an array of string.
+     **/
+    const vp_token =
+      remotePresentations?.length === 1
+        ? remotePresentations[0]?.vpToken
+        : remotePresentations.map(
+            (remotePresentation) => remotePresentation.vpToken
+          );
+
+    const descriptor_map = remotePresentations.map(
+      (remotePresentation, index) => ({
+        id: remotePresentation.inputDescriptor.id,
+        path: remotePresentations.length === 1 ? `$` : `$[${index}]`,
+        format: remotePresentation.format,
+      })
+    );
+
+    const presentation_submission = {
+      id: uuid.v4(),
+      definition_id: presentationDefinitionId,
+      descriptor_map,
+    };
+
+    const requestBody = await buildDirectPostJwtBody(requestObject, rpConf, {
+      vp_token,
+      presentation_submission,
+    });
+
+    // 3. Send the authorization response via HTTP POST and validate the response
+    return await appFetch(requestObject.response_uri, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/x-www-form-urlencoded",
+      },
+      body: requestBody,
+    })
+      .then(hasStatusOrThrow(200))
+      .then((res) => res.json())
+      .then(AuthorizationResponse.parse);
+  };
+
+/**
+ * Type definition for the function that sends the authorization response
+ * to the Relying Party, completing the presentation flow.
+ * Use with DCQL queries.
+ */
+export type SendAuthorizationResponse = (
+  requestObject: Out<VerifyRequestObject>["requestObject"],
+  remotePresentations: RemotePresentation[],
+  rpConf: RelyingPartyEntityConfiguration["payload"],
+  context?: {
+    appFetch?: GlobalFetch["fetch"];
+  }
+) => Promise<AuthorizationResponse>;
+
+export const sendAuthorizationResponse: SendAuthorizationResponse = async (
+  requestObject,
+  remotePresentations,
+  rpConf,
+  { appFetch = fetch } = {}
+): Promise<AuthorizationResponse> => {
+  // 1. Prepare the VP token as a JSON object with keys corresponding to the DCQL query credential IDs
+  const requestBody = await buildDirectPostJwtBody(requestObject, rpConf, {
+    vp_token: remotePresentations.reduce(
+      (acc, presentation) => ({
+        ...acc,
+        [presentation.credentialId]: presentation.vpToken,
+      }),
+      {} as Record<string, string>
+    ),
+  });
+
+  // 2. Send the authorization response via HTTP POST and validate the response
+  return await appFetch(requestObject.response_uri, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/x-www-form-urlencoded",
+    },
+    body: requestBody,
+  })
+    .then(hasStatusOrThrow(200))
+    .then((res) => res.json())
+    .then(AuthorizationResponse.parse);
+};

package/src/credential/presentation/errors.ts

@@ -39,3 +39,67 @@ export class NoSuitableKeysFoundInEntityConfiguration extends IoWalletError {
     super(message);
   }
 }
+
+/**
+ * When a QR code is not valid.
+ *
+ */
+export class InvalidQRCodeError extends IoWalletError {
+  code = "ERR_INVALID_QR_CODE";
+
+  /**
+   * @param detail A description of why the QR code is considered invalid.
+   */
+  constructor(detail: string) {
+    const message = `QR code is not valid: ${detail}.`;
+    super(message);
+  }
+}
+
+/**
+ * When the entity is unverified because the Relying Party is not trusted.
+ *
+ */
+export class UnverifiedEntityError extends IoWalletError {
+  code = "ERR_UNVERIFIED_RP_ENTITY";
+
+  /**
+   * @param reason A description of why the entity cannot be verified.
+   */
+  constructor(reason: string) {
+    const message = `Unverified entity: ${reason}.`;
+    super(message);
+  }
+}
+
+/**
+ * When some required data is missing to continue because certain attributes are not contained inside the wallet.
+ *
+ */
+export class MissingDataError extends IoWalletError {
+  code = "ERR_MISSING_DATA";
+
+  /**
+   * @param missingAttributes An array or description of the attributes that are missing.
+   */
+  constructor(missingAttributes: string) {
+    const message = `Some required data is missing: ${missingAttributes}.`;
+    super(message);
+  }
+}
+
+/**
+ * When a credential is not found in the wallet.
+ *
+ */
+export class CredentialNotFoundError extends IoWalletError {
+  code = "ERR_CREDENTIAL_NOT_FOUND";
+
+  /**
+   * @param credentialId The ID of the credential that was not found.
+   */
+  constructor(credentialId: string) {
+    const message = `Credential not found: ${credentialId}.`;
+    super(message);
+  }
+}