npm - @pagopa/io-react-native-wallet - Versions diffs - 0.27.1 → 0.28.1 - Mend

@pagopa/io-react-native-wallet 0.27.1 → 0.28.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (153) hide show

package/lib/module/credential/presentation/08-send-authorization-response.js ADDED Viewed

@@ -0,0 +1,158 @@
+import { EncryptJwe } from "@pagopa/io-react-native-jwt";
+import uuid from "react-native-uuid";
+import { getJwksFromConfig } from "./04-retrieve-rp-jwks";
+import { NoSuitableKeysFoundInEntityConfiguration } from "./errors";
+import { hasStatusOrThrow } from "../../utils/misc";
+import * as z from "zod";
+export const AuthorizationResponse = z.object({
+  status: z.string().optional(),
+  response_code: z.string() /**
+                            FIXME: [SIW-627] we expect this value from every RP implementation
+                            Actually some RP does not return the value
+                            We make it optional to not break the flow.
+                            */.optional(),
+  redirect_uri: z.string().optional()
+});
+/**
+ * Selects a public key (with `use = enc`) from the set of JWK keys
+ * offered by the Relying Party (RP) for encryption.
+ *
+ * @param rpJwkKeys - The array of JWKs retrieved from the RP entity configuration.
+ * @returns The first suitable public key found in the list.
+ * @throws {NoSuitableKeysFoundInEntityConfiguration} If no suitable encryption key is found.
+ */
+export const choosePublicKeyToEncrypt = rpJwkKeys => {
+  const encKey = rpJwkKeys.find(jwk => jwk.use === "enc");
+  if (encKey) {
+    return encKey;
+  }
+  // No suitable key found
+  throw new NoSuitableKeysFoundInEntityConfiguration("No suitable public key found for encryption.");
+};
+/**
+ * Builds a URL-encoded form body for a direct POST response using JWT encryption.
+ *
+ * @param jwkKeys - Array of JWKs from the Relying Party for encryption.
+ * @param requestObject - Contains state, nonce, and other relevant info.
+ * @param payload - Object that contains the VP token to encrypt and the mapping of the credential disclosures
+ * @returns A URL-encoded string for an `application/x-www-form-urlencoded` POST body, where `response` contains the encrypted JWE.
+ */
+export const buildDirectPostJwtBody = async (requestObject, rpConf, payload) => {
+  // Prepare the authorization response payload to be encrypted
+  const authzResponsePayload = JSON.stringify({
+    state: requestObject.state,
+    ...payload
+  });
+  // Choose a suitable public key for encryption
+  const {
+    keys
+  } = getJwksFromConfig(rpConf.metadata);
+  const encPublicJwk = choosePublicKeyToEncrypt(keys);
+  // Encrypt the authorization payload
+  const {
+    authorization_encrypted_response_alg,
+    authorization_encrypted_response_enc
+  } = rpConf.metadata.openid_credential_verifier;
+  const encryptedResponse = await new EncryptJwe(authzResponsePayload, {
+    alg: authorization_encrypted_response_alg || "RSA-OAEP-256",
+    enc: authorization_encrypted_response_enc || "A256CBC-HS512",
+    kid: encPublicJwk.kid
+  }).encrypt(encPublicJwk);
+  // Build the x-www-form-urlencoded form body
+  const formBody = new URLSearchParams({
+    response: encryptedResponse,
+    ...(requestObject.state ? {
+      state: requestObject.state
+    } : {})
+  });
+  return formBody.toString();
+};
+/**
+ * Type definition for the function that sends the authorization response
+ * to the Relying Party, completing the presentation flow.
+ * Use with `presentation_definition`.
+ * @deprecated Use `sendAuthorizationResponse`
+ */
+/**
+ * Sends the authorization response to the Relying Party (RP) using the specified `response_mode`.
+ * This function completes the presentation flow in an OpenID 4 Verifiable Presentations scenario.
+ *
+ * @param requestObject - The request details, including presentation requirements.
+ * @param presentationDefinition - The definition of the expected presentation.
+ * @param jwkKeys - Array of JWKs from the Relying Party for optional encryption.
+ * @param presentation - Tuple with verifiable credential, claims, and crypto context.
+ * @param context - Contains optional custom fetch implementation.
+ * @returns Parsed and validated authorization response from the Relying Party.
+ */
+export const sendLegacyAuthorizationResponse = async function (requestObject, presentationDefinitionId, remotePresentations, rpConf) {
+  var _remotePresentations$;
+  let {
+    appFetch = fetch
+  } = arguments.length > 4 && arguments[4] !== undefined ? arguments[4] : {};
+  /**
+   * 1. Prepare the VP token and presentation submission
+   * If there is only one credential, `vpToken` is a single string.
+   * If there are multiple credential, `vpToken` is an array of string.
+   **/
+  const vp_token = (remotePresentations === null || remotePresentations === void 0 ? void 0 : remotePresentations.length) === 1 ? (_remotePresentations$ = remotePresentations[0]) === null || _remotePresentations$ === void 0 ? void 0 : _remotePresentations$.vpToken : remotePresentations.map(remotePresentation => remotePresentation.vpToken);
+  const descriptor_map = remotePresentations.map((remotePresentation, index) => ({
+    id: remotePresentation.inputDescriptor.id,
+    path: remotePresentations.length === 1 ? `$` : `$[${index}]`,
+    format: remotePresentation.format
+  }));
+  const presentation_submission = {
+    id: uuid.v4(),
+    definition_id: presentationDefinitionId,
+    descriptor_map
+  };
+  const requestBody = await buildDirectPostJwtBody(requestObject, rpConf, {
+    vp_token,
+    presentation_submission
+  });
+  // 3. Send the authorization response via HTTP POST and validate the response
+  return await appFetch(requestObject.response_uri, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/x-www-form-urlencoded"
+    },
+    body: requestBody
+  }).then(hasStatusOrThrow(200)).then(res => res.json()).then(AuthorizationResponse.parse);
+};
+/**
+ * Type definition for the function that sends the authorization response
+ * to the Relying Party, completing the presentation flow.
+ * Use with DCQL queries.
+ */
+export const sendAuthorizationResponse = async function (requestObject, remotePresentations, rpConf) {
+  let {
+    appFetch = fetch
+  } = arguments.length > 3 && arguments[3] !== undefined ? arguments[3] : {};
+  // 1. Prepare the VP token as a JSON object with keys corresponding to the DCQL query credential IDs
+  const requestBody = await buildDirectPostJwtBody(requestObject, rpConf, {
+    vp_token: remotePresentations.reduce((acc, presentation) => ({
+      ...acc,
+      [presentation.credentialId]: presentation.vpToken
+    }), {})
+  });
+  // 2. Send the authorization response via HTTP POST and validate the response
+  return await appFetch(requestObject.response_uri, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/x-www-form-urlencoded"
+    },
+    body: requestBody
+  }).then(hasStatusOrThrow(200)).then(res => res.json()).then(AuthorizationResponse.parse);
+};
+//# sourceMappingURL=08-send-authorization-response.js.map

package/lib/module/credential/presentation/08-send-authorization-response.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"names":["EncryptJwe","uuid","getJwksFromConfig","NoSuitableKeysFoundInEntityConfiguration","hasStatusOrThrow","z","AuthorizationResponse","object","status","string","optional","response_code","redirect_uri","choosePublicKeyToEncrypt","rpJwkKeys","encKey","find","jwk","use","buildDirectPostJwtBody","requestObject","rpConf","payload","authzResponsePayload","JSON","stringify","state","keys","metadata","encPublicJwk","authorization_encrypted_response_alg","authorization_encrypted_response_enc","openid_credential_verifier","encryptedResponse","alg","enc","kid","encrypt","formBody","URLSearchParams","response","toString","sendLegacyAuthorizationResponse","presentationDefinitionId","remotePresentations","_remotePresentations$","appFetch","fetch","arguments","length","undefined","vp_token","vpToken","map","remotePresentation","descriptor_map","index","id","inputDescriptor","path","format","presentation_submission","v4","definition_id","requestBody","response_uri","method","headers","body","then","res","json","parse","sendAuthorizationResponse","reduce","acc","presentation","credentialId"],"sourceRoot":"../../../../src","sources":["credential/presentation/08-send-authorization-response.ts"],"mappings":"AAAA,SAASA,UAAU,QAAQ,6BAA6B;AACxD,OAAOC,IAAI,MAAM,mBAAmB;AACpC,SAASC,iBAAiB,QAAwB,uBAAuB;AAEzE,SAASC,wCAAwC,QAAQ,UAAU;AACnE,SAASC,gBAAgB,QAAkB,kBAAkB;AAO7D,OAAO,KAAKC,CAAC,MAAM,KAAK;AAKxB,OAAO,MAAMC,qBAAqB,GAAGD,CAAC,CAACE,MAAM,CAAC;EAC5CC,MAAM,EAAEH,CAAC,CAACI,MAAM,CAAC,CAAC,CAACC,QAAQ,CAAC,CAAC;EAC7BC,aAAa,EAAEN,CAAC,CACbI,MAAM,CAAC,CAAC,CAAC;AACd;AACA;AACA;AACA,8BAJc,CAKTC,QAAQ,CAAC,CAAC;EACbE,YAAY,EAAEP,CAAC,CAACI,MAAM,CAAC,CAAC,CAACC,QAAQ,CAAC;AACpC,CAAC,CAAC;;AAEF;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,MAAMG,wBAAwB,GACnCC,SAAiC,IACzB;EACR,MAAMC,MAAM,GAAGD,SAAS,CAACE,IAAI,CAAEC,GAAG,IAAKA,GAAG,CAACC,GAAG,KAAK,KAAK,CAAC;EAEzD,IAAIH,MAAM,EAAE;IACV,OAAOA,MAAM;EACf;;EAEA;EACA,MAAM,IAAIZ,wCAAwC,CAChD,8CACF,CAAC;AACH,CAAC;;AAED;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,MAAMgB,sBAAsB,GAAG,MAAAA,CACpCC,aAAwD,EACxDC,MAAkD,EAClDC,OAA8E,KAC1D;EAGpB;EACA,MAAMC,oBAAoB,GAAGC,IAAI,CAACC,SAAS,CAAC;IAC1CC,KAAK,EAAEN,aAAa,CAACM,KAAK;IAC1B,GAAGJ;EACL,CAAC,CAAC;;EAEF;EACA,MAAM;IAAEK;EAAK,CAAC,GAAGzB,iBAAiB,CAACmB,MAAM,CAACO,QAAQ,CAAC;EACnD,MAAMC,YAAY,GAAGhB,wBAAwB,CAACc,IAAI,CAAC;;EAEnD;EACA,MAAM;IACJG,oCAAoC;IACpCC;EACF,CAAC,GAAGV,MAAM,CAACO,QAAQ,CAACI,0BAA0B;EAE9C,MAAMC,iBAAiB,GAAG,MAAM,IAAIjC,UAAU,CAACuB,oBAAoB,EAAE;IACnEW,GAAG,EAAGJ,oCAAoC,IAAmB,cAAc;IAC3EK,GAAG,EACAJ,oCAAoC,IAAmB,eAAe;IACzEK,GAAG,EAAEP,YAAY,CAACO;EACpB,CAAC,CAAC,CAACC,OAAO,CAACR,YAAY,CAAC;;EAExB;EACA,MAAMS,QAAQ,GAAG,IAAIC,eAAe,CAAC;IACnCC,QAAQ,EAAEP,iBAAiB;IAC3B,IAAIb,aAAa,CAACM,KAAK,GAAG;MAAEA,KAAK,EAAEN,aAAa,CAACM;IAAM,CAAC,GAAG,CAAC,CAAC;EAC/D,CAAC,CAAC;EACF,OAAOY,QAAQ,CAACG,QAAQ,CAAC,CAAC;AAC5B,CAAC;;AAED;AACA;AACA;AACA;AACA;AACA;;AAWA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,MAAMC,+BAAgE,GAC3E,eAAAA,CACEtB,aAAa,EACbuB,wBAAwB,EACxBC,mBAAmB,EACnBvB,MAAM,EAE6B;EAAA,IAAAwB,qBAAA;EAAA,IADnC;IAAEC,QAAQ,GAAGC;EAAM,CAAC,GAAAC,SAAA,CAAAC,MAAA,QAAAD,SAAA,QAAAE,SAAA,GAAAF,SAAA,MAAG,CAAC,CAAC;EAEzB;AACJ;AACA;AACA;AACA;EACI,MAAMG,QAAQ,GACZ,CAAAP,mBAAmB,aAAnBA,mBAAmB,uBAAnBA,mBAAmB,CAAEK,MAAM,MAAK,CAAC,IAAAJ,qBAAA,GAC7BD,mBAAmB,CAAC,CAAC,CAAC,cAAAC,qBAAA,uBAAtBA,qBAAA,CAAwBO,OAAO,GAC/BR,mBAAmB,CAACS,GAAG,CACpBC,kBAAkB,IAAKA,kBAAkB,CAACF,OAC7C,CAAC;EAEP,MAAMG,cAAc,GAAGX,mBAAmB,CAACS,GAAG,CAC5C,CAACC,kBAAkB,EAAEE,KAAK,MAAM;IAC9BC,EAAE,EAAEH,kBAAkB,CAACI,eAAe,CAACD,EAAE;IACzCE,IAAI,EAAEf,mBAAmB,CAACK,MAAM,KAAK,CAAC,GAAI,GAAE,GAAI,KAAIO,KAAM,GAAE;IAC5DI,MAAM,EAAEN,kBAAkB,CAACM;EAC7B,CAAC,CACH,CAAC;EAED,MAAMC,uBAAuB,GAAG;IAC9BJ,EAAE,EAAExD,IAAI,CAAC6D,EAAE,CAAC,CAAC;IACbC,aAAa,EAAEpB,wBAAwB;IACvCY;EACF,CAAC;EAED,MAAMS,WAAW,GAAG,MAAM7C,sBAAsB,CAACC,aAAa,EAAEC,MAAM,EAAE;IACtE8B,QAAQ;IACRU;EACF,CAAC,CAAC;;EAEF;EACA,OAAO,MAAMf,QAAQ,CAAC1B,aAAa,CAAC6C,YAAY,EAAE;IAChDC,MAAM,EAAE,MAAM;IACdC,OAAO,EAAE;MACP,cAAc,EAAE;IAClB,CAAC;IACDC,IAAI,EAAEJ;EACR,CAAC,CAAC,CACCK,IAAI,CAACjE,gBAAgB,CAAC,GAAG,CAAC,CAAC,CAC3BiE,IAAI,CAAEC,GAAG,IAAKA,GAAG,CAACC,IAAI,CAAC,CAAC,CAAC,CACzBF,IAAI,CAAC/D,qBAAqB,CAACkE,KAAK,CAAC;AACtC,CAAC;;AAEH;AACA;AACA;AACA;AACA;;AAUA,OAAO,MAAMC,yBAAoD,GAAG,eAAAA,CAClErD,aAAa,EACbwB,mBAAmB,EACnBvB,MAAM,EAE6B;EAAA,IADnC;IAAEyB,QAAQ,GAAGC;EAAM,CAAC,GAAAC,SAAA,CAAAC,MAAA,QAAAD,SAAA,QAAAE,SAAA,GAAAF,SAAA,MAAG,CAAC,CAAC;EAEzB;EACA,MAAMgB,WAAW,GAAG,MAAM7C,sBAAsB,CAACC,aAAa,EAAEC,MAAM,EAAE;IACtE8B,QAAQ,EAAEP,mBAAmB,CAAC8B,MAAM,CAClC,CAACC,GAAG,EAAEC,YAAY,MAAM;MACtB,GAAGD,GAAG;MACN,CAACC,YAAY,CAACC,YAAY,GAAGD,YAAY,CAACxB;IAC5C,CAAC,CAAC,EACF,CAAC,CACH;EACF,CAAC,CAAC;;EAEF;EACA,OAAO,MAAMN,QAAQ,CAAC1B,aAAa,CAAC6C,YAAY,EAAE;IAChDC,MAAM,EAAE,MAAM;IACdC,OAAO,EAAE;MACP,cAAc,EAAE;IAClB,CAAC;IACDC,IAAI,EAAEJ;EACR,CAAC,CAAC,CACCK,IAAI,CAACjE,gBAAgB,CAAC,GAAG,CAAC,CAAC,CAC3BiE,IAAI,CAAEC,GAAG,IAAKA,GAAG,CAACC,IAAI,CAAC,CAAC,CAAC,CACzBF,IAAI,CAAC/D,qBAAqB,CAACkE,KAAK,CAAC;AACtC,CAAC"}

package/lib/module/credential/presentation/errors.js CHANGED Viewed

@@ -39,4 +39,68 @@ export class NoSuitableKeysFoundInEntityConfiguration extends IoWalletError {
     super(message);
   }
 }
+/**
+ * When a QR code is not valid.
+ *
+ */
+export class InvalidQRCodeError extends IoWalletError {
+  code = "ERR_INVALID_QR_CODE";
+  /**
+   * @param detail A description of why the QR code is considered invalid.
+   */
+  constructor(detail) {
+    const message = `QR code is not valid: ${detail}.`;
+    super(message);
+  }
+}
+/**
+ * When the entity is unverified because the Relying Party is not trusted.
+ *
+ */
+export class UnverifiedEntityError extends IoWalletError {
+  code = "ERR_UNVERIFIED_RP_ENTITY";
+  /**
+   * @param reason A description of why the entity cannot be verified.
+   */
+  constructor(reason) {
+    const message = `Unverified entity: ${reason}.`;
+    super(message);
+  }
+}
+/**
+ * When some required data is missing to continue because certain attributes are not contained inside the wallet.
+ *
+ */
+export class MissingDataError extends IoWalletError {
+  code = "ERR_MISSING_DATA";
+  /**
+   * @param missingAttributes An array or description of the attributes that are missing.
+   */
+  constructor(missingAttributes) {
+    const message = `Some required data is missing: ${missingAttributes}.`;
+    super(message);
+  }
+}
+/**
+ * When a credential is not found in the wallet.
+ *
+ */
+export class CredentialNotFoundError extends IoWalletError {
+  code = "ERR_CREDENTIAL_NOT_FOUND";
+  /**
+   * @param credentialId The ID of the credential that was not found.
+   */
+  constructor(credentialId) {
+    const message = `Credential not found: ${credentialId}.`;
+    super(message);
+  }
+}
 //# sourceMappingURL=errors.js.map

package/lib/module/credential/presentation/errors.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"names":["IoWalletError","serializeAttrs","AuthRequestDecodeError","code","constructor","message","claim","arguments","length","undefined","reason","NoSuitableKeysFoundInEntityConfiguration","scenario"],"sourceRoot":"../../../../src","sources":["credential/presentation/errors.ts"],"mappings":"AAAA,SAASA,aAAa,EAAEC,cAAc,QAAQ,oBAAoB;;AAElE;AACA;AACA;AACA;AACA,OAAO,MAAMC,sBAAsB,SAASF,aAAa,CAAC;EACxDG,IAAI,GAAG,oDAAoD;;EAE3D;;EAGA;;EAGAC,WAAWA,CACTC,OAAe,EAGf;IAAA,IAFAC,KAAa,GAAAC,SAAA,CAAAC,MAAA,QAAAD,SAAA,QAAAE,SAAA,GAAAF,SAAA,MAAG,aAAa;IAAA,IAC7BG,MAAc,GAAAH,SAAA,CAAAC,MAAA,QAAAD,SAAA,QAAAE,SAAA,GAAAF,SAAA,MAAG,aAAa;IAE9B,KAAK,CAACN,cAAc,CAAC;MAAEI,OAAO;MAAEC,KAAK;MAAEI;IAAO,CAAC,CAAC,CAAC;IACjD,IAAI,CAACJ,KAAK,GAAGA,KAAK;IAClB,IAAI,CAACI,MAAM,GAAGA,MAAM;EACtB;AACF;;AAEA;AACA;AACA;AACA;AACA,OAAO,MAAMC,wCAAwC,SAASX,aAAa,CAAC;EAC1EG,IAAI,GAAG,gCAAgC;;EAEvC;AACF;AACA;EACEC,WAAWA,CAACQ,QAAgB,EAAE;IAC5B,MAAMP,OAAO,GAAI,0DAAyDO,QAAS,IAAG;IACtF,KAAK,CAACP,OAAO,CAAC;EAChB;AACF"}
1	+ {"version":3,"names":["IoWalletError","serializeAttrs","AuthRequestDecodeError","code","constructor","message","claim","arguments","length","undefined","reason","NoSuitableKeysFoundInEntityConfiguration","scenario","InvalidQRCodeError","detail","UnverifiedEntityError","MissingDataError","missingAttributes","CredentialNotFoundError","credentialId"],"sourceRoot":"../../../../src","sources":["credential/presentation/errors.ts"],"mappings":"AAAA,SAASA,aAAa,EAAEC,cAAc,QAAQ,oBAAoB;;AAElE;AACA;AACA;AACA;AACA,OAAO,MAAMC,sBAAsB,SAASF,aAAa,CAAC;EACxDG,IAAI,GAAG,oDAAoD;;EAE3D;;EAGA;;EAGAC,WAAWA,CACTC,OAAe,EAGf;IAAA,IAFAC,KAAa,GAAAC,SAAA,CAAAC,MAAA,QAAAD,SAAA,QAAAE,SAAA,GAAAF,SAAA,MAAG,aAAa;IAAA,IAC7BG,MAAc,GAAAH,SAAA,CAAAC,MAAA,QAAAD,SAAA,QAAAE,SAAA,GAAAF,SAAA,MAAG,aAAa;IAE9B,KAAK,CAACN,cAAc,CAAC;MAAEI,OAAO;MAAEC,KAAK;MAAEI;IAAO,CAAC,CAAC,CAAC;IACjD,IAAI,CAACJ,KAAK,GAAGA,KAAK;IAClB,IAAI,CAACI,MAAM,GAAGA,MAAM;EACtB;AACF;;AAEA;AACA;AACA;AACA;AACA,OAAO,MAAMC,wCAAwC,SAASX,aAAa,CAAC;EAC1EG,IAAI,GAAG,gCAAgC;;EAEvC;AACF;AACA;EACEC,WAAWA,CAACQ,QAAgB,EAAE;IAC5B,MAAMP,OAAO,GAAI,0DAAyDO,QAAS,IAAG;IACtF,KAAK,CAACP,OAAO,CAAC;EAChB;AACF;;AAEA;AACA;AACA;AACA;AACA,OAAO,MAAMQ,kBAAkB,SAASb,aAAa,CAAC;EACpDG,IAAI,GAAG,qBAAqB;;EAE5B;AACF;AACA;EACEC,WAAWA,CAACU,MAAc,EAAE;IAC1B,MAAMT,OAAO,GAAI,yBAAwBS,MAAO,GAAE;IAClD,KAAK,CAACT,OAAO,CAAC;EAChB;AACF;;AAEA;AACA;AACA;AACA;AACA,OAAO,MAAMU,qBAAqB,SAASf,aAAa,CAAC;EACvDG,IAAI,GAAG,0BAA0B;;EAEjC;AACF;AACA;EACEC,WAAWA,CAACM,MAAc,EAAE;IAC1B,MAAML,OAAO,GAAI,sBAAqBK,MAAO,GAAE;IAC/C,KAAK,CAACL,OAAO,CAAC;EAChB;AACF;;AAEA;AACA;AACA;AACA;AACA,OAAO,MAAMW,gBAAgB,SAAShB,aAAa,CAAC;EAClDG,IAAI,GAAG,kBAAkB;;EAEzB;AACF;AACA;EACEC,WAAWA,CAACa,iBAAyB,EAAE;IACrC,MAAMZ,OAAO,GAAI,kCAAiCY,iBAAkB,GAAE;IACtE,KAAK,CAACZ,OAAO,CAAC;EAChB;AACF;;AAEA;AACA;AACA;AACA;AACA,OAAO,MAAMa,uBAAuB,SAASlB,aAAa,CAAC;EACzDG,IAAI,GAAG,0BAA0B;;EAEjC;AACF;AACA;EACEC,WAAWA,CAACe,YAAoB,EAAE;IAChC,MAAMd,OAAO,GAAI,yBAAwBc,YAAa,GAAE;IACxD,KAAK,CAACd,OAAO,CAAC;EAChB;AACF"}

package/lib/module/credential/presentation/index.js CHANGED Viewed

@@ -1,7 +1,11 @@
 import { startFlowFromQR } from "./01-start-flow";
 import { evaluateRelyingPartyTrust } from "./02-evaluate-rp-trust";
 import { getRequestObject } from "./03-get-request-object";
-import { sendAuthorizationResponse } from "./04-send-authorization-response";
+import { getJwksFromConfig } from "./04-retrieve-rp-jwks";
+import { verifyRequestObject } from "./05-verify-request-object";
+import { fetchPresentDefinition } from "./06-fetch-presentation-definition";
+import { evaluateInputDescriptorForSdJwt4VC } from "./07-evaluate-input-descriptor";
+import { sendAuthorizationResponse } from "./08-send-authorization-response";
 import * as Errors from "./errors";
-export { startFlowFromQR, evaluateRelyingPartyTrust, getRequestObject, sendAuthorizationResponse, Errors };
+export { startFlowFromQR, evaluateRelyingPartyTrust, getRequestObject, getJwksFromConfig, verifyRequestObject, fetchPresentDefinition, evaluateInputDescriptorForSdJwt4VC, sendAuthorizationResponse, Errors };
 //# sourceMappingURL=index.js.map

package/lib/module/credential/presentation/index.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"names":["startFlowFromQR","evaluateRelyingPartyTrust","getRequestObject","sendAuthorizationResponse","Errors"],"sourceRoot":"../../../../src","sources":["credential/presentation/index.ts"],"mappings":"AAAA,SAASA,eAAe,QAAwB,iBAAiB;AACjE,SACEC,yBAAyB,QAEpB,wBAAwB;AAC/B,SACEC,gBAAgB,QAEX,yBAAyB;AAChC,SACEC,yBAAyB,QAEpB,kCAAkC;AACzC,OAAO,KAAKC,MAAM,MAAM,UAAU;AAElC,~~SACEJ~~,eAAe,EACfC,yBAAyB,EACzBC,gBAAgB,EAChBC,yBAAyB,EACzBC,MAAM"}
1	+ {"version":3,"names":["startFlowFromQR","evaluateRelyingPartyTrust","getRequestObject","getJwksFromConfig","verifyRequestObject","fetchPresentDefinition","evaluateInputDescriptorForSdJwt4VC","sendAuthorizationResponse","Errors"],"sourceRoot":"../../../../src","sources":["credential/presentation/index.ts"],"mappings":"AAAA,SAASA,eAAe,QAAwB,iBAAiB;AACjE,SACEC,yBAAyB,QAEpB,wBAAwB;AAC/B,SACEC,gBAAgB,QAEX,yBAAyB;AAChC,SAASC,iBAAiB,QAAwB,uBAAuB;AACzE,SACEC,mBAAmB,QAEd,4BAA4B;AACnC,SACEC,sBAAsB,QAEjB,oCAAoC;AAC3C,SACEC,kCAAkC,QAE7B,gCAAgC;AACvC,SACEC,yBAAyB,QAEpB,kCAAkC;AACzC,OAAO,KAAKC,MAAM,MAAM,UAAU;AAElC,SACER,eAAe,EACfC,yBAAyB,EACzBC,gBAAgB,EAChBC,iBAAiB,EACjBC,mBAAmB,EACnBC,sBAAsB,EACtBC,kCAAkC,EAClCC,yBAAyB,EACzBC,MAAM"}

package/lib/module/credential/presentation/types.js CHANGED Viewed

@@ -5,6 +5,80 @@ import * as z from "zod";
  * A pair that associate a tokenized Verified Credential with the claims presented or requested to present.
  */
+/**
+ * A object that associate the information needed to multiple remote presentation
+ * Used with `presentation_definition`
+ * @deprecated Use `RemotePresentation`
+ */
+/**
+ * A object that associate the information needed to multiple remote presentation
+ * Used with DCQL queries
+ */
+const Fields = z.object({
+  path: z.array(z.string().min(1)),
+  // Array of JSONPath string expressions
+  id: z.string().optional(),
+  // Unique string ID
+  purpose: z.string().optional(),
+  // Purpose of the field
+  name: z.string().optional(),
+  // Human-friendly name
+  filter: z.any().optional(),
+  // JSON Schema descriptor for filtering
+  optional: z.boolean().optional(),
+  // Boolean indicating if the field is optional
+  intent_to_retain: z.boolean().optional() // Boolean indicating that the Verifier intends to retain the Claim's data being requested
+});
+// Define the Constraints Object Schema
+const Constraints = z.object({
+  fields: z.array(Fields).optional(),
+  // Array of Field Objects
+  limit_disclosure: z.enum(["required", "preferred"]).optional() // Limit disclosure property
+});
+// Define the Input Descriptor Object Schema
+export const InputDescriptor = z.object({
+  id: z.string().min(1),
+  // Mandatory unique string ID
+  name: z.string().optional(),
+  // Human-friendly name
+  purpose: z.string().optional(),
+  // Purpose of the schema
+  format: z.record(z.string(), z.any()).optional(),
+  // Object with Claim Format Designations
+  constraints: Constraints,
+  // Constraints Object (mandatory)
+  group: z.string().optional() // Match one of the grouping strings listed in the "from" values of a Submission Requirement Rule
+});
+const SubmissionRequirement = z.object({
+  name: z.string().optional(),
+  purpose: z.string().optional(),
+  rule: z.string(),
+  // "all": all group's rules must be present, or "pick": at least group's "count" rules must be present
+  from: z.string().optional(),
+  // MUST contain either a "from" or "from_nested" property
+  from_nested: z.array(z.object({
+    name: z.string().optional(),
+    purpose: z.string().optional(),
+    rule: z.string(),
+    from: z.string()
+  })).optional(),
+  count: z.number().optional()
+  //"count", "min", and "max" may be present with a "pick" rule
+});
+export const PresentationDefinition = z.object({
+  id: z.string(),
+  name: z.string().optional(),
+  purpose: z.string().optional(),
+  input_descriptors: z.array(InputDescriptor),
+  submission_requirements: z.array(SubmissionRequirement).optional()
+});
 export const RequestObject = z.object({
   iss: z.string(),
   iat: UnixTime,
@@ -12,10 +86,55 @@ export const RequestObject = z.object({
   state: z.string(),
   nonce: z.string(),
   response_uri: z.string(),
+  response_uri_method: z.string().optional(),
   response_type: z.literal("vp_token"),
   response_mode: z.literal("direct_post.jwt"),
   client_id: z.string(),
-  client_id_scheme: z.literal("entity_id"),
-  scope: z.string()
+  dcql_query: z.record(z.string(), z.any()).optional(),
+  // Validation happens within the `dcql` library, no need to duplicate it here
+  scope: z.string().optional(),
+  presentation_definition: PresentationDefinition.optional()
+});
+export const WalletMetadata = z.object({
+  presentation_definition_uri_supported: z.boolean().optional(),
+  client_id_schemes_supported: z.array(z.string()).optional(),
+  request_object_signing_alg_values_supported: z.array(z.string()).optional(),
+  vp_formats_supported: z.record(z.string(),
+  // TODO [SIW-2110]: use explicit credential format?
+  z.object({
+    "sd-jwt_alg_values": z.array(z.string()).optional() // alg_values_supported?
+  }))
+  // TODO [SIW-2110]: include other metadata?
+});
+/**
+ * Wallet capabilities that must be submitted to get the Request Object
+ * via POST request when the `request_uri_method` is `post`.
+ */
+export const RequestObjectWalletCapabilities = z.object({
+  wallet_metadata: WalletMetadata,
+  wallet_nonce: z.string().optional()
+});
+/**
+ * Authorization Response payload when using `presentation_definition`.
+ * @deprecated Use `DirectAuthorizationBodyPayload`
+ */
+/**
+ * @deprecated Use `DirectAuthorizationBodyPayload`
+ */
+export const LegacyDirectAuthorizationBodyPayload = z.object({
+  vp_token: z.union([z.string(), z.array(z.string())]).optional(),
+  presentation_submission: z.record(z.string(), z.unknown())
+});
+/**
+ * Authorization Response payload when using DCQL queries.
+ */
+export const DirectAuthorizationBodyPayload = z.object({
+  vp_token: z.record(z.string(), z.string())
 });
 //# sourceMappingURL=types.js.map

package/lib/module/credential/presentation/types.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"names":["UnixTime","z","~~RequestObject~~","object","~~iss~~","string","iat","exp","state","nonce","response_uri","response_type","literal","response_mode","client_id","~~client_id_scheme~~","scope"],"sourceRoot":"../../../../src","sources":["credential/presentation/types.ts"],"mappings":"AACA,SAASA,QAAQ,QAAQ,oBAAoB;AAC7C,OAAO,KAAKC,CAAC,MAAM,KAAK;;AAExB;AACA;AACA;;AAQA,~~OAAO,~~MAAMC,~~aAAa~~,GAAGD,CAAC,CAACE,MAAM,CAAC;~~EACpCC~~,~~GAAG~~,EAAEH,CAAC,CAACI,MAAM,CAAC,CAAC;~~EACfC~~,GAAG,~~EAAEN~~,QAAQ;~~EACbO~~,GAAG,EAAEP,QAAQ;~~EACbQ~~,KAAK,EAAEP,CAAC,~~CAACI~~,MAAM,CAAC,CAAC;~~EACjBI~~,KAAK,~~EAAER~~,CAAC,CAACI,MAAM,CAAC,CAAC;~~EACjBK~~,YAAY,~~EAAET~~,CAAC,~~CAACI~~,MAAM,CAAC,CAAC;~~EACxBM~~,aAAa,~~EAAEV~~,CAAC,~~CAACW~~,OAAO,CAAC,UAAU,CAAC;EACpCC,aAAa,~~EAAEZ~~,CAAC,~~CAACW~~,OAAO,CAAC,iBAAiB,CAAC;EAC3CE,SAAS,~~EAAEb~~,CAAC,CAACI,MAAM,CAAC,CAAC;~~EACrBU~~,~~gBAAgB~~,~~EAAEd~~,CAAC,~~CAACW~~,OAAO,CAAC,~~WAAW~~,CAAC;~~EACxCI~~,KAAK,~~EAAEf~~,CAAC,CAACI,MAAM,CAAC;~~AAClB~~,CAAC,CAAC"}
1	+ {"version":3,"names":["UnixTime","z","Fields","object","path","array","string","min","id","optional","purpose","name","filter","any","boolean","intent_to_retain","Constraints","fields","limit_disclosure","enum","InputDescriptor","format","record","constraints","group","SubmissionRequirement","rule","from","from_nested","count","number","PresentationDefinition","input_descriptors","submission_requirements","RequestObject","iss","iat","exp","state","nonce","response_uri","response_uri_method","response_type","literal","response_mode","client_id","dcql_query","scope","presentation_definition","WalletMetadata","presentation_definition_uri_supported","client_id_schemes_supported","request_object_signing_alg_values_supported","vp_formats_supported","RequestObjectWalletCapabilities","wallet_metadata","wallet_nonce","LegacyDirectAuthorizationBodyPayload","vp_token","union","presentation_submission","unknown","DirectAuthorizationBodyPayload"],"sourceRoot":"../../../../src","sources":["credential/presentation/types.ts"],"mappings":"AACA,SAASA,QAAQ,QAAQ,oBAAoB;AAC7C,OAAO,KAAKC,CAAC,MAAM,KAAK;;AAExB;AACA;AACA;;AAOA;AACA;AACA;AACA;AACA;;AAQA;AACA;AACA;AACA;;AAQA,MAAMC,MAAM,GAAGD,CAAC,CAACE,MAAM,CAAC;EACtBC,IAAI,EAAEH,CAAC,CAACI,KAAK,CAACJ,CAAC,CAACK,MAAM,CAAC,CAAC,CAACC,GAAG,CAAC,CAAC,CAAC,CAAC;EAAE;EAClCC,EAAE,EAAEP,CAAC,CAACK,MAAM,CAAC,CAAC,CAACG,QAAQ,CAAC,CAAC;EAAE;EAC3BC,OAAO,EAAET,CAAC,CAACK,MAAM,CAAC,CAAC,CAACG,QAAQ,CAAC,CAAC;EAAE;EAChCE,IAAI,EAAEV,CAAC,CAACK,MAAM,CAAC,CAAC,CAACG,QAAQ,CAAC,CAAC;EAAE;EAC7BG,MAAM,EAAEX,CAAC,CAACY,GAAG,CAAC,CAAC,CAACJ,QAAQ,CAAC,CAAC;EAAE;EAC5BA,QAAQ,EAAER,CAAC,CAACa,OAAO,CAAC,CAAC,CAACL,QAAQ,CAAC,CAAC;EAAE;EAClCM,gBAAgB,EAAEd,CAAC,CAACa,OAAO,CAAC,CAAC,CAACL,QAAQ,CAAC,CAAC,CAAE;AAC5C,CAAC,CAAC;;AAEF;AACA,MAAMO,WAAW,GAAGf,CAAC,CAACE,MAAM,CAAC;EAC3Bc,MAAM,EAAEhB,CAAC,CAACI,KAAK,CAACH,MAAM,CAAC,CAACO,QAAQ,CAAC,CAAC;EAAE;EACpCS,gBAAgB,EAAEjB,CAAC,CAACkB,IAAI,CAAC,CAAC,UAAU,EAAE,WAAW,CAAC,CAAC,CAACV,QAAQ,CAAC,CAAC,CAAE;AAClE,CAAC,CAAC;;AAEF;;AAEA,OAAO,MAAMW,eAAe,GAAGnB,CAAC,CAACE,MAAM,CAAC;EACtCK,EAAE,EAAEP,CAAC,CAACK,MAAM,CAAC,CAAC,CAACC,GAAG,CAAC,CAAC,CAAC;EAAE;EACvBI,IAAI,EAAEV,CAAC,CAACK,MAAM,CAAC,CAAC,CAACG,QAAQ,CAAC,CAAC;EAAE;EAC7BC,OAAO,EAAET,CAAC,CAACK,MAAM,CAAC,CAAC,CAACG,QAAQ,CAAC,CAAC;EAAE;EAChCY,MAAM,EAAEpB,CAAC,CAACqB,MAAM,CAACrB,CAAC,CAACK,MAAM,CAAC,CAAC,EAAEL,CAAC,CAACY,GAAG,CAAC,CAAC,CAAC,CAACJ,QAAQ,CAAC,CAAC;EAAE;EAClDc,WAAW,EAAEP,WAAW;EAAE;EAC1BQ,KAAK,EAAEvB,CAAC,CAACK,MAAM,CAAC,CAAC,CAACG,QAAQ,CAAC,CAAC,CAAE;AAChC,CAAC,CAAC;;AAEF,MAAMgB,qBAAqB,GAAGxB,CAAC,CAACE,MAAM,CAAC;EACrCQ,IAAI,EAAEV,CAAC,CAACK,MAAM,CAAC,CAAC,CAACG,QAAQ,CAAC,CAAC;EAC3BC,OAAO,EAAET,CAAC,CAACK,MAAM,CAAC,CAAC,CAACG,QAAQ,CAAC,CAAC;EAC9BiB,IAAI,EAAEzB,CAAC,CAACK,MAAM,CAAC,CAAC;EAAE;EAClBqB,IAAI,EAAE1B,CAAC,CAACK,MAAM,CAAC,CAAC,CAACG,QAAQ,CAAC,CAAC;EAAE;EAC7BmB,WAAW,EAAE3B,CAAC,CACXI,KAAK,CACJJ,CAAC,CAACE,MAAM,CAAC;IACPQ,IAAI,EAAEV,CAAC,CAACK,MAAM,CAAC,CAAC,CAACG,QAAQ,CAAC,CAAC;IAC3BC,OAAO,EAAET,CAAC,CAACK,MAAM,CAAC,CAAC,CAACG,QAAQ,CAAC,CAAC;IAC9BiB,IAAI,EAAEzB,CAAC,CAACK,MAAM,CAAC,CAAC;IAChBqB,IAAI,EAAE1B,CAAC,CAACK,MAAM,CAAC;EACjB,CAAC,CACH,CAAC,CACAG,QAAQ,CAAC,CAAC;EACboB,KAAK,EAAE5B,CAAC,CAAC6B,MAAM,CAAC,CAAC,CAACrB,QAAQ,CAAC;EAC3B;AACF,CAAC,CAAC;;AAGF,OAAO,MAAMsB,sBAAsB,GAAG9B,CAAC,CAACE,MAAM,CAAC;EAC7CK,EAAE,EAAEP,CAAC,CAACK,MAAM,CAAC,CAAC;EACdK,IAAI,EAAEV,CAAC,CAACK,MAAM,CAAC,CAAC,CAACG,QAAQ,CAAC,CAAC;EAC3BC,OAAO,EAAET,CAAC,CAACK,MAAM,CAAC,CAAC,CAACG,QAAQ,CAAC,CAAC;EAC9BuB,iBAAiB,EAAE/B,CAAC,CAACI,KAAK,CAACe,eAAe,CAAC;EAC3Ca,uBAAuB,EAAEhC,CAAC,CAACI,KAAK,CAACoB,qBAAqB,CAAC,CAAChB,QAAQ,CAAC;AACnE,CAAC,CAAC;AAGF,OAAO,MAAMyB,aAAa,GAAGjC,CAAC,CAACE,MAAM,CAAC;EACpCgC,GAAG,EAAElC,CAAC,CAACK,MAAM,CAAC,CAAC;EACf8B,GAAG,EAAEpC,QAAQ;EACbqC,GAAG,EAAErC,QAAQ;EACbsC,KAAK,EAAErC,CAAC,CAACK,MAAM,CAAC,CAAC;EACjBiC,KAAK,EAAEtC,CAAC,CAACK,MAAM,CAAC,CAAC;EACjBkC,YAAY,EAAEvC,CAAC,CAACK,MAAM,CAAC,CAAC;EACxBmC,mBAAmB,EAAExC,CAAC,CAACK,MAAM,CAAC,CAAC,CAACG,QAAQ,CAAC,CAAC;EAC1CiC,aAAa,EAAEzC,CAAC,CAAC0C,OAAO,CAAC,UAAU,CAAC;EACpCC,aAAa,EAAE3C,CAAC,CAAC0C,OAAO,CAAC,iBAAiB,CAAC;EAC3CE,SAAS,EAAE5C,CAAC,CAACK,MAAM,CAAC,CAAC;EACrBwC,UAAU,EAAE7C,CAAC,CAACqB,MAAM,CAACrB,CAAC,CAACK,MAAM,CAAC,CAAC,EAAEL,CAAC,CAACY,GAAG,CAAC,CAAC,CAAC,CAACJ,QAAQ,CAAC,CAAC;EAAE;EACtDsC,KAAK,EAAE9C,CAAC,CAACK,MAAM,CAAC,CAAC,CAACG,QAAQ,CAAC,CAAC;EAC5BuC,uBAAuB,EAAEjB,sBAAsB,CAACtB,QAAQ,CAAC;AAC3D,CAAC,CAAC;AAGF,OAAO,MAAMwC,cAAc,GAAGhD,CAAC,CAACE,MAAM,CAAC;EACrC+C,qCAAqC,EAAEjD,CAAC,CAACa,OAAO,CAAC,CAAC,CAACL,QAAQ,CAAC,CAAC;EAC7D0C,2BAA2B,EAAElD,CAAC,CAACI,KAAK,CAACJ,CAAC,CAACK,MAAM,CAAC,CAAC,CAAC,CAACG,QAAQ,CAAC,CAAC;EAC3D2C,2CAA2C,EAAEnD,CAAC,CAACI,KAAK,CAACJ,CAAC,CAACK,MAAM,CAAC,CAAC,CAAC,CAACG,QAAQ,CAAC,CAAC;EAC3E4C,oBAAoB,EAAEpD,CAAC,CAACqB,MAAM,CAC5BrB,CAAC,CAACK,MAAM,CAAC,CAAC;EAAE;EACZL,CAAC,CAACE,MAAM,CAAC;IACP,mBAAmB,EAAEF,CAAC,CAACI,KAAK,CAACJ,CAAC,CAACK,MAAM,CAAC,CAAC,CAAC,CAACG,QAAQ,CAAC,CAAC,CAAE;EACvD,CAAC,CACH;EACA;AACF,CAAC,CAAC;;AAEF;AACA;AACA;AACA;;AAIA,OAAO,MAAM6C,+BAA+B,GAAGrD,CAAC,CAACE,MAAM,CAAC;EACtDoD,eAAe,EAAEN,cAAc;EAC/BO,YAAY,EAAEvD,CAAC,CAACK,MAAM,CAAC,CAAC,CAACG,QAAQ,CAAC;AACpC,CAAC,CAAC;;AAEF;AACA;AACA;AACA;;AAIA;AACA;AACA;AACA,OAAO,MAAMgD,oCAAoC,GAAGxD,CAAC,CAACE,MAAM,CAAC;EAC3DuD,QAAQ,EAAEzD,CAAC,CAAC0D,KAAK,CAAC,CAAC1D,CAAC,CAACK,MAAM,CAAC,CAAC,EAAEL,CAAC,CAACI,KAAK,CAACJ,CAAC,CAACK,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,CAACG,QAAQ,CAAC,CAAC;EAC/DmD,uBAAuB,EAAE3D,CAAC,CAACqB,MAAM,CAACrB,CAAC,CAACK,MAAM,CAAC,CAAC,EAAEL,CAAC,CAAC4D,OAAO,CAAC,CAAC;AAC3D,CAAC,CAAC;;AAEF;AACA;AACA;;AAIA,OAAO,MAAMC,8BAA8B,GAAG7D,CAAC,CAACE,MAAM,CAAC;EACrDuD,QAAQ,EAAEzD,CAAC,CAACqB,MAAM,CAACrB,CAAC,CAACK,MAAM,CAAC,CAAC,EAAEL,CAAC,CAACK,MAAM,CAAC,CAAC;AAC3C,CAAC,CAAC"}

package/lib/module/sd-jwt/index.js CHANGED Viewed

@@ -1,6 +1,6 @@
 import { decode as decodeJwt } from "@pagopa/io-react-native-jwt";
 import { verify as verifyJwt } from "@pagopa/io-react-native-jwt";
-import { sha256ToBase64 } from "@pagopa/io-react-native-jwt";
+import { SignJWT, sha256ToBase64 } from "@pagopa/io-react-native-jwt";
 import { Disclosure, SdJwt4VC } from "./types";
 import { verifyDisclosure } from "./verifier";
 import * as Errors from "./errors";
@@ -149,5 +149,44 @@ export const verify = async (token, publicKey, customSchema) => {
     disclosures: decoded.disclosures.map(d => d.decoded)
   };
 };
+/**
+ * Prepares a Verified Presentation (VP) token to be sent as part of an
+ * authorization response in an OpenID 4 Verifiable Presentations flow.
+ *
+ * @param nonce - The nonce provided by the relying party.
+ * @param client_id - The client identifier of the relying party.
+ * @param presentation - An object containing the verifiable credential, the claims to disclose,
+ *                       and the cryptographic context for signing.
+ * @returns An object containing the signed VP token (`vp_token`).
+ *
+ * @remarks
+ *  1. The `disclose()` function is used to produce a token with only the requested claims.
+ *  2. A KB-JWT is then signed, including sd_hash and `nonce`.
+ *  3. The `vp_token` is composed of the disclosed VP and the KB-JWT.
+ */
+export const prepareVpToken = async (nonce, client_id, _ref2) => {
+  let [verifiableCredential, requestedClaims, cryptoContext] = _ref2;
+  // Produce a VP token with only requested claims from the verifiable credential
+  const {
+    token: vp
+  } = await disclose(verifiableCredential, requestedClaims);
+  // <Issuer-signed JWT>~<Disclosure 1>~<Disclosure N>~
+  const sd_hash = await sha256ToBase64(`${vp}~`);
+  const kbJwt = await new SignJWT(cryptoContext).setProtectedHeader({
+    typ: "kb+jwt",
+    alg: "ES256"
+  }).setPayload({
+    sd_hash,
+    nonce: nonce
+  }).setAudience(client_id).setIssuedAt().sign();
+  // <Issuer-signed JWT>~<Disclosure 1>~...~<Disclosure N>~<KB-JWT>
+  const vp_token = [vp, kbJwt].join("~");
+  return {
+    vp_token
+  };
+};
 export { SdJwt4VC, Errors };
 //# sourceMappingURL=index.js.map

package/lib/module/sd-jwt/index.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"names":["decode","decodeJwt","verify","verifyJwt","sha256ToBase64","Disclosure","SdJwt4VC","verifyDisclosure","Errors","Base64","decodeDisclosure","encoded","utf8String","decoded","parse","JSON","token","customSchema","slice","rawSdJwt","rawDisclosures","split","decodedJwt","parser","sdJwt","header","protectedHeader","payload","disclosures","map","disclose","claims","paths","Promise","all","claim","disclosure","find","_ref","name","ClaimsNotFoundBetweenDisclosures","hash","_sd","includes","index","indexOf","path","ClaimsNotFoundInToken","filteredDisclosures","filter","d","disclosedToken","join","publicKey"],"sourceRoot":"../../../src","sources":["sd-jwt/index.ts"],"mappings":"AAEA,SAASA,MAAM,IAAIC,SAAS,QAAQ,6BAA6B;AACjE,SAASC,MAAM,IAAIC,SAAS,QAAQ,6BAA6B;AACjE,SAASC,cAAc,QAAQ,6BAA6B;~~AAC5D~~,SAASC,UAAU,EAAEC,QAAQ,QAAoC,SAAS;AAC1E,SAASC,gBAAgB,QAAQ,YAAY;AAE7C,OAAO,KAAKC,MAAM,MAAM,UAAU;AAClC,SAASC,MAAM,QAAQ,WAAW;~~AAElC~~,MAAMC,gBAAgB,GAAIC,OAAe,IAA4B;EACnE,MAAMC,UAAU,GAAGH,MAAM,~~CAACT~~,MAAM,~~CAACW~~,OAAO,CAAC,CAAC,CAAC;EAC3C,MAAME,OAAO,GAAGR,UAAU,CAACS,KAAK,CAACC,IAAI,CAACD,KAAK,CAACF,UAAU,CAAC,CAAC;EACxD,OAAO;IAAEC,OAAO;IAAEF;EAAQ,CAAC;AAC7B,CAAC;;AAED;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,~~MAAMX~~,MAAM,GAAGA,~~CACpBgB~~,KAAa,EACbC,YAAgB,KAIb;EACH;EACA,IAAID,KAAK,CAACE,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,GAAG,EAAE;IAC3BF,KAAK,GAAGA,KAAK,CAACE,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;EAC5B;EACA,MAAM,CAACC,QAAQ,GAAG,EAAE,EAAE,GAAGC,cAAc,CAAC,GAAGJ,KAAK,CAACK,KAAK,CAAC,GAAG,CAAC;;EAE3D;EACA;EACA,MAAMC,UAAU,~~GAAGrB~~,SAAS,~~CAACkB~~,QAAQ,CAAC;;EAEtC;EACA,MAAMI,MAAM,GAAGN,YAAY,IAAIX,QAAQ;EAEvC,MAAMkB,KAAK,GAAGD,MAAM,CAACT,KAAK,CAAC;IACzBW,MAAM,EAAEH,UAAU,CAACI,eAAe;IAClCC,OAAO,EAAEL,UAAU,CAACK;EACtB,CAAC,CAAC;;EAEF;EACA;EACA;EACA,MAAMC,WAAW,GAAGR,cAAc,CAACS,GAAG,CAACnB,gBAAgB,CAAC;EAExD,OAAO;IAAEc,KAAK;IAAEI;EAAY,CAAC;AAC/B,CAAC;;AAED;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,MAAME,QAAQ,GAAG,MAAAA,CACtBd,KAAa,EACbe,MAAgB,KACyD;EACzE,MAAM,CAACZ,QAAQ,EAAE,GAAGC,cAAc,CAAC,GAAGJ,KAAK,CAACK,KAAK,CAAC,GAAG,CAAC;EACtD,MAAM;IAAEG,KAAK;IAAEI;EAAY,CAAC,~~GAAG5B~~,MAAM,~~CAACgB~~,KAAK,EAAEV,QAAQ,CAAC;;EAEtD;EACA,MAAM0B,KAAK,GAAG,MAAMC,OAAO,CAACC,GAAG,CAC7BH,MAAM,CAACF,GAAG,CAAC,MAAOM,KAAK,IAAK;IAC1B,MAAMC,UAAU,GAAGR,WAAW,CAACS,IAAI,CACjCC,IAAA;MAAA,IAAC;QAAEzB,OAAO,EAAE,GAAG0B,IAAI;MAAE,CAAC,GAAAD,IAAA;MAAA,OAAKC,IAAI,KAAKJ,KAAK;IAAA,CAC3C,CAAC;;IAED;IACA,IAAI,CAACC,UAAU,EAAE;MACf,MAAM,IAAI5B,MAAM,CAACgC,gCAAgC,CAACL,KAAK,CAAC;IAC1D;IAEA,MAAMM,IAAI,GAAG,MAAMrC,cAAc,CAACgC,UAAU,CAACzB,OAAO,CAAC;;IAErD;IACA;IACA,IAAIa,KAAK,CAACG,OAAO,CAACe,GAAG,CAACC,QAAQ,CAACF,IAAI,CAAC,EAAE;MACpC,MAAMG,KAAK,GAAGpB,KAAK,CAACG,OAAO,CAACe,GAAG,CAACG,OAAO,CAACJ,IAAI,CAAC;MAC7C,OAAO;QAAEN,KAAK;QAAEW,IAAI,EAAG,8BAA6BF,KAAM;MAAG,CAAC;IAChE;IAEA,MAAM,IAAIpC,MAAM,CAACuC,qBAAqB,CAACZ,KAAK,CAAC;EAC/C,CAAC,CACH,CAAC;EAED,MAAMa,mBAAmB,GAAG5B,cAAc,CAAC6B,MAAM,CAAEC,CAAC,IAAK;IACvD,MAAM;MACJrC,OAAO,EAAE,GAAG0B,IAAI;IAClB,CAAC,GAAG7B,gBAAgB,CAACwC,CAAC,CAAC;IACvB,OAAOnB,MAAM,CAACY,QAAQ,CAACJ,IAAI,CAAC;EAC9B,CAAC,CAAC;;EAEF;EACA,MAAMY,cAAc,GAAG,CAAChC,QAAQ,EAAE,GAAG6B,mBAAmB,CAAC,CAACI,IAAI,CAAC,GAAG,CAAC;EAEnE,OAAO;IAAEpC,KAAK,EAAEmC,cAAc;IAAEnB;EAAM,CAAC;AACzC,CAAC;;AAED;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,~~MAAM9B~~,MAAM,GAAG,MAAAA,~~CACpBc~~,KAAa,EACbqC,SAAsB,EACtBpC,YAAgB,KAC8C;EAC9D;EACA,MAAM,CAACE,QAAQ,GAAG,EAAE,CAAC,GAAGH,KAAK,CAACK,KAAK,CAAC,GAAG,CAAC;EACxC,MAAMR,OAAO,~~GAAGb~~,MAAM,~~CAACgB~~,KAAK,EAAEC,YAAY,CAAC;;EAE3C;EACA,~~MAAMd~~,SAAS,~~CAACgB~~,QAAQ,EAAEkC,SAAS,CAAC;;EAEpC;EACA,MAAMtB,MAAM,GAAG,CAAC,GAAGlB,OAAO,CAACW,KAAK,CAACG,OAAO,CAACe,GAAG,CAAC;EAE7C,MAAMT,OAAO,CAACC,GAAG,CACfrB,OAAO,CAACe,WAAW,CAACC,GAAG,CACrB,MAAOO,UAAU,IAAK,MAAM7B,gBAAgB,CAAC6B,UAAU,EAAEL,MAAM,CACjE,CACF,CAAC;EAED,OAAO;IACLP,KAAK,EAAEX,OAAO,CAACW,KAAK;IACpBI,WAAW,EAAEf,OAAO,CAACe,WAAW,CAACC,GAAG,CAAEqB,CAAC,IAAKA,CAAC,CAACrC,OAAO;EACvD,CAAC;AACH,CAAC;AAED,~~SAASP~~,QAAQ,EAAEE,MAAM"}
1	+ {"version":3,"names":["decode","decodeJwt","verify","verifyJwt","SignJWT","sha256ToBase64","Disclosure","SdJwt4VC","verifyDisclosure","Errors","Base64","decodeDisclosure","encoded","utf8String","decoded","parse","JSON","token","customSchema","slice","rawSdJwt","rawDisclosures","split","decodedJwt","parser","sdJwt","header","protectedHeader","payload","disclosures","map","disclose","claims","paths","Promise","all","claim","disclosure","find","_ref","name","ClaimsNotFoundBetweenDisclosures","hash","_sd","includes","index","indexOf","path","ClaimsNotFoundInToken","filteredDisclosures","filter","d","disclosedToken","join","publicKey","prepareVpToken","nonce","client_id","_ref2","verifiableCredential","requestedClaims","cryptoContext","vp","sd_hash","kbJwt","setProtectedHeader","typ","alg","setPayload","setAudience","setIssuedAt","sign","vp_token"],"sourceRoot":"../../../src","sources":["sd-jwt/index.ts"],"mappings":"AAEA,SAASA,MAAM,IAAIC,SAAS,QAAQ,6BAA6B;AACjE,SAASC,MAAM,IAAIC,SAAS,QAAQ,6BAA6B;AACjE,SAASC,OAAO,EAAEC,cAAc,QAAQ,6BAA6B;AACrE,SAASC,UAAU,EAAEC,QAAQ,QAAoC,SAAS;AAC1E,SAASC,gBAAgB,QAAQ,YAAY;AAE7C,OAAO,KAAKC,MAAM,MAAM,UAAU;AAClC,SAASC,MAAM,QAAQ,WAAW;AAGlC,MAAMC,gBAAgB,GAAIC,OAAe,IAA4B;EACnE,MAAMC,UAAU,GAAGH,MAAM,CAACV,MAAM,CAACY,OAAO,CAAC,CAAC,CAAC;EAC3C,MAAME,OAAO,GAAGR,UAAU,CAACS,KAAK,CAACC,IAAI,CAACD,KAAK,CAACF,UAAU,CAAC,CAAC;EACxD,OAAO;IAAEC,OAAO;IAAEF;EAAQ,CAAC;AAC7B,CAAC;;AAED;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,MAAMZ,MAAM,GAAGA,CACpBiB,KAAa,EACbC,YAAgB,KAIb;EACH;EACA,IAAID,KAAK,CAACE,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,GAAG,EAAE;IAC3BF,KAAK,GAAGA,KAAK,CAACE,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;EAC5B;EACA,MAAM,CAACC,QAAQ,GAAG,EAAE,EAAE,GAAGC,cAAc,CAAC,GAAGJ,KAAK,CAACK,KAAK,CAAC,GAAG,CAAC;;EAE3D;EACA;EACA,MAAMC,UAAU,GAAGtB,SAAS,CAACmB,QAAQ,CAAC;;EAEtC;EACA,MAAMI,MAAM,GAAGN,YAAY,IAAIX,QAAQ;EAEvC,MAAMkB,KAAK,GAAGD,MAAM,CAACT,KAAK,CAAC;IACzBW,MAAM,EAAEH,UAAU,CAACI,eAAe;IAClCC,OAAO,EAAEL,UAAU,CAACK;EACtB,CAAC,CAAC;;EAEF;EACA;EACA;EACA,MAAMC,WAAW,GAAGR,cAAc,CAACS,GAAG,CAACnB,gBAAgB,CAAC;EAExD,OAAO;IAAEc,KAAK;IAAEI;EAAY,CAAC;AAC/B,CAAC;;AAED;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,MAAME,QAAQ,GAAG,MAAAA,CACtBd,KAAa,EACbe,MAAgB,KACyD;EACzE,MAAM,CAACZ,QAAQ,EAAE,GAAGC,cAAc,CAAC,GAAGJ,KAAK,CAACK,KAAK,CAAC,GAAG,CAAC;EACtD,MAAM;IAAEG,KAAK;IAAEI;EAAY,CAAC,GAAG7B,MAAM,CAACiB,KAAK,EAAEV,QAAQ,CAAC;;EAEtD;EACA,MAAM0B,KAAK,GAAG,MAAMC,OAAO,CAACC,GAAG,CAC7BH,MAAM,CAACF,GAAG,CAAC,MAAOM,KAAK,IAAK;IAC1B,MAAMC,UAAU,GAAGR,WAAW,CAACS,IAAI,CACjCC,IAAA;MAAA,IAAC;QAAEzB,OAAO,EAAE,GAAG0B,IAAI;MAAE,CAAC,GAAAD,IAAA;MAAA,OAAKC,IAAI,KAAKJ,KAAK;IAAA,CAC3C,CAAC;;IAED;IACA,IAAI,CAACC,UAAU,EAAE;MACf,MAAM,IAAI5B,MAAM,CAACgC,gCAAgC,CAACL,KAAK,CAAC;IAC1D;IAEA,MAAMM,IAAI,GAAG,MAAMrC,cAAc,CAACgC,UAAU,CAACzB,OAAO,CAAC;;IAErD;IACA;IACA,IAAIa,KAAK,CAACG,OAAO,CAACe,GAAG,CAACC,QAAQ,CAACF,IAAI,CAAC,EAAE;MACpC,MAAMG,KAAK,GAAGpB,KAAK,CAACG,OAAO,CAACe,GAAG,CAACG,OAAO,CAACJ,IAAI,CAAC;MAC7C,OAAO;QAAEN,KAAK;QAAEW,IAAI,EAAG,8BAA6BF,KAAM;MAAG,CAAC;IAChE;IAEA,MAAM,IAAIpC,MAAM,CAACuC,qBAAqB,CAACZ,KAAK,CAAC;EAC/C,CAAC,CACH,CAAC;EAED,MAAMa,mBAAmB,GAAG5B,cAAc,CAAC6B,MAAM,CAAEC,CAAC,IAAK;IACvD,MAAM;MACJrC,OAAO,EAAE,GAAG0B,IAAI;IAClB,CAAC,GAAG7B,gBAAgB,CAACwC,CAAC,CAAC;IACvB,OAAOnB,MAAM,CAACY,QAAQ,CAACJ,IAAI,CAAC;EAC9B,CAAC,CAAC;;EAEF;EACA,MAAMY,cAAc,GAAG,CAAChC,QAAQ,EAAE,GAAG6B,mBAAmB,CAAC,CAACI,IAAI,CAAC,GAAG,CAAC;EAEnE,OAAO;IAAEpC,KAAK,EAAEmC,cAAc;IAAEnB;EAAM,CAAC;AACzC,CAAC;;AAED;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,MAAM/B,MAAM,GAAG,MAAAA,CACpBe,KAAa,EACbqC,SAAsB,EACtBpC,YAAgB,KAC8C;EAC9D;EACA,MAAM,CAACE,QAAQ,GAAG,EAAE,CAAC,GAAGH,KAAK,CAACK,KAAK,CAAC,GAAG,CAAC;EACxC,MAAMR,OAAO,GAAGd,MAAM,CAACiB,KAAK,EAAEC,YAAY,CAAC;;EAE3C;EACA,MAAMf,SAAS,CAACiB,QAAQ,EAAEkC,SAAS,CAAC;;EAEpC;EACA,MAAMtB,MAAM,GAAG,CAAC,GAAGlB,OAAO,CAACW,KAAK,CAACG,OAAO,CAACe,GAAG,CAAC;EAE7C,MAAMT,OAAO,CAACC,GAAG,CACfrB,OAAO,CAACe,WAAW,CAACC,GAAG,CACrB,MAAOO,UAAU,IAAK,MAAM7B,gBAAgB,CAAC6B,UAAU,EAAEL,MAAM,CACjE,CACF,CAAC;EAED,OAAO;IACLP,KAAK,EAAEX,OAAO,CAACW,KAAK;IACpBI,WAAW,EAAEf,OAAO,CAACe,WAAW,CAACC,GAAG,CAAEqB,CAAC,IAAKA,CAAC,CAACrC,OAAO;EACvD,CAAC;AACH,CAAC;;AAED;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,MAAMyC,cAAc,GAAG,MAAAA,CAC5BC,KAAa,EACbC,SAAiB,EAAAC,KAAA,KAIb;EAAA,IAHJ,CAACC,oBAAoB,EAAEC,eAAe,EAAEC,aAAa,CAAe,GAAAH,KAAA;EAIpE;EACA,MAAM;IAAEzC,KAAK,EAAE6C;EAAG,CAAC,GAAG,MAAM/B,QAAQ,CAAC4B,oBAAoB,EAAEC,eAAe,CAAC;;EAE3E;EACA,MAAMG,OAAO,GAAG,MAAM1D,cAAc,CAAE,GAAEyD,EAAG,GAAE,CAAC;EAE9C,MAAME,KAAK,GAAG,MAAM,IAAI5D,OAAO,CAACyD,aAAa,CAAC,CAC3CI,kBAAkB,CAAC;IAClBC,GAAG,EAAE,QAAQ;IACbC,GAAG,EAAE;EACP,CAAC,CAAC,CACDC,UAAU,CAAC;IACVL,OAAO;IACPP,KAAK,EAAEA;EACT,CAAC,CAAC,CACDa,WAAW,CAACZ,SAAS,CAAC,CACtBa,WAAW,CAAC,CAAC,CACbC,IAAI,CAAC,CAAC;;EAET;EACA,MAAMC,QAAQ,GAAG,CAACV,EAAE,EAAEE,KAAK,CAAC,CAACX,IAAI,CAAC,GAAG,CAAC;EAEtC,OAAO;IAAEmB;EAAS,CAAC;AACrB,CAAC;AAED,SAASjE,QAAQ,EAAEE,MAAM"}

package/lib/module/trust/chain.js CHANGED Viewed

@@ -1,34 +1,8 @@
-import { decode as decodeJwt, verify as verifyJwt } from "@pagopa/io-react-native-jwt";
 import { EntityConfiguration, EntityStatement, TrustAnchorEntityConfiguration } from "./types";
 import { IoWalletError } from "../utils/errors";
 import * as z from "zod";
 import { getSignedEntityConfiguration, getSignedEntityStatement } from ".";
-// Verify a token signature
-// The kid is extracted from the token header
-const verify = async (token, kid, jwks) => {
-  const jwk = jwks.find(k => k.kid === kid);
-  if (!jwk) {
-    throw new Error(`Invalid kid: ${kid}, token: ${token}`);
-  }
-  const {
-    protectedHeader: header,
-    payload
-  } = await verifyJwt(token, jwk);
-  return {
-    header,
-    payload
-  };
-};
-const decode = token => {
-  const {
-    protectedHeader: header,
-    payload
-  } = decodeJwt(token);
-  return {
-    header,
-    payload
-  };
-};
+import { decode, verify } from "./utils";
 // The first element of the chain is supposed to be the Entity Configuration for the document issuer
 const FirstElementShape = EntityConfiguration;
@@ -42,7 +16,7 @@ const LastElementShape = z.union([EntityStatement, TrustAnchorEntityConfiguratio
  * Validates a provided trust chain against a known trust
  *
  * @param trustAnchorEntity The entity configuration of the known trust anchor
- * @param chain The chain of statements to be validate
+ * @param chain The chain of statements to be validated
  * @returns The list of parsed token representing the chain
  * @throws {IoWalletError} If the chain is not valid
  */
@@ -66,7 +40,7 @@ export async function validateTrustChain(trustAnchorEntity, chain) {
   };
   // select keys from the next token
-  // if the current token is the last, keys fro  trust anchor will be used
+  // if the current token is the last, keys from trust anchor will be used
   const selectKeys = currentIndex => {
     if (currentIndex === chain.length - 1) {
       return trustAnchorEntity.payload.jwks.keys;
@@ -81,7 +55,7 @@ export async function validateTrustChain(trustAnchorEntity, chain) {
   };
   // Iterate the chain and validate each element's signature against the public keys of its next
-  // If there is no next, hence it's the end of the chain and it must be verified by the Trust Anchor
+  // If there is no next, hence it's the end of the chain, and it must be verified by the Trust Anchor
   return Promise.all(chain.map((token, i) => [token, selectKid(i), selectKeys(i)]).map(args => verify(...args)));
 }
@@ -90,24 +64,36 @@ export async function validateTrustChain(trustAnchorEntity, chain) {
  *
  * @param chain The original chain
  * @param appFetch (optional) fetch api implementation
- * @returns A list of signed token that reprensent the trust chain, in the same order of the provided chain
- * @throws When an element of the chain fails to parse
+ * @returns A list of signed token that represent the trust chain, in the same order of the provided chain
+ * @throws IoWalletError When an element of the chain fails to parse
  */
-export function renewTrustChain(chain) {
+export async function renewTrustChain(chain) {
   let appFetch = arguments.length > 1 && arguments[1] !== undefined ? arguments[1] : fetch;
-  return Promise.all(chain
-  // Decode each item to determine its shape
-  .map(decode).map(e => [EntityStatement.safeParse(e), EntityConfiguration.safeParse(e)])
-  // fetch the element according to its shape
-  .map((_ref, i) => {
-    let [es, ec] = _ref;
-    return ec.success ? getSignedEntityConfiguration(ec.data.payload.iss, {
-      appFetch
-    }) : es.success ? getSignedEntityStatement(es.data.payload.iss, es.data.payload.sub, {
-      appFetch
-    }) :
-    // if the element fail to parse in both EntityStatement and EntityConfiguration, raise an error
-    Promise.reject(new IoWalletError(`Cannot renew trust chain because the element #${i} failed to be parsed.`));
+  return Promise.all(chain.map(async (token, index) => {
+    const decoded = decode(token);
+    const entityStatementResult = EntityStatement.safeParse(decoded);
+    const entityConfigurationResult = EntityConfiguration.safeParse(decoded);
+    if (entityConfigurationResult.success) {
+      return getSignedEntityConfiguration(entityConfigurationResult.data.payload.iss, {
+        appFetch
+      });
+    }
+    if (entityStatementResult.success) {
+      const entityStatement = entityStatementResult.data;
+      const parentBaseUrl = entityStatement.payload.iss;
+      const parentECJwt = await getSignedEntityConfiguration(parentBaseUrl, {
+        appFetch
+      });
+      const parentEC = EntityConfiguration.parse(decode(parentECJwt));
+      const federationFetchEndpoint = parentEC.payload.metadata.federation_entity.federation_fetch_endpoint;
+      if (!federationFetchEndpoint) {
+        throw new IoWalletError(`Parent EC at ${parentBaseUrl} is missing federation_fetch_endpoint`);
+      }
+      return getSignedEntityStatement(federationFetchEndpoint, entityStatement.payload.sub, {
+        appFetch
+      });
+    }
+    throw new IoWalletError(`Cannot renew trust chain because element #${index} failed to parse.`);
   }));
 }
 //# sourceMappingURL=chain.js.map