@pagopa/io-react-native-wallet 0.28.0 → 0.28.1

package/src/credential/presentation/04-retrieve-rp-jwks.ts

@@ -0,0 +1,34 @@
+import { JWK } from "../../utils/jwk";
+import { RelyingPartyEntityConfiguration } from "../../trust/types";
+
+/**
+ * Defines the signature for a function that retrieves JSON Web Key Sets (JWKS) from a client.
+ *
+ * @template T - The tuple type representing the function arguments.
+ * @param args - The arguments passed to the function.
+ * @returns A promise resolving to an object containing an array of JWKs.
+ */
+export type FetchJwks<T extends Array<unknown> = []> = (...args: T) => {
+  keys: JWK[];
+};
+
+/**
+ * Retrieves the JSON Web Key Set (JWKS) from a Relying Party's entity configuration.
+ *
+ * @param rpConfig - The configuration object of the Relying Party entity.
+ * @returns An object containing an array of JWKs.
+ * @throws Will throw an error if the configuration is invalid or if JWKS is not found.
+ */
+export const getJwksFromConfig: FetchJwks<
+  [RelyingPartyEntityConfiguration["payload"]["metadata"]]
+> = (rpConfig) => {
+  const jwks = rpConfig.openid_credential_verifier.jwks;
+
+  if (!jwks || !Array.isArray(jwks.keys)) {
+    throw new Error("JWKS not found in Relying Party configuration.");
+  }
+
+  return {
+    keys: jwks.keys,
+  };
+};

package/src/credential/presentation/05-verify-request-object.ts

@@ -0,0 +1,52 @@
+import { decode as decodeJwt, verify } from "@pagopa/io-react-native-jwt";
+import type { RelyingPartyEntityConfiguration } from "../../trust";
+import { UnverifiedEntityError } from "./errors";
+import { RequestObject } from "./types";
+import { getJwksFromConfig } from "./04-retrieve-rp-jwks";
+
+export type VerifyRequestObject = (
+  requestObjectEncodedJwt: string,
+  context: {
+    clientId: string;
+    // jwkKeys: Out<FetchJwks>["keys"];
+    rpConf: RelyingPartyEntityConfiguration["payload"];
+  }
+) => Promise<{ requestObject: RequestObject }>;
+
+/**
+ * Function to verify the Request Object's signature and the client ID.
+ * @param requestObjectEncodedJwt The Request Object in JWT format
+ * @param context.clientId The client ID to verify
+ * @param context.jwkKeys The set of keys to verify the signature
+ * @param context.rpConf The Entity Configuration of the Relying Party
+ * @returns The verified Request Object
+ */
+export const verifyRequestObject: VerifyRequestObject = async (
+  requestObjectEncodedJwt,
+  { clientId, rpConf }
+) => {
+  const requestObjectJwt = decodeJwt(requestObjectEncodedJwt);
+  const { keys } = getJwksFromConfig(rpConf.metadata);
+
+  // Verify token signature to ensure the request object is authentic
+  const pubKey = keys?.find(
+    ({ kid }) => kid === requestObjectJwt.protectedHeader.kid
+  );
+
+  if (!pubKey) {
+    throw new UnverifiedEntityError("Request Object signature verification!");
+  }
+
+  // Standard claims are verified within `verify`
+  await verify(requestObjectEncodedJwt, pubKey, { issuer: clientId });
+
+  const requestObject = RequestObject.parse(requestObjectJwt.payload);
+
+  if (!(clientId === requestObject.client_id && clientId === rpConf.sub)) {
+    throw new UnverifiedEntityError(
+      "Client ID does not match Request Object or Entity Configuration"
+    );
+  }
+
+  return { requestObject };
+};

package/src/credential/presentation/06-fetch-presentation-definition.ts

@@ -0,0 +1,48 @@
+import { PresentationDefinition, RequestObject } from "./types";
+import { RelyingPartyEntityConfiguration } from "../../trust/types";
+
+export type FetchPresentationDefinition = (
+  requestObject: RequestObject,
+  rpConf?: RelyingPartyEntityConfiguration["payload"]["metadata"]
+) => Promise<{
+  presentationDefinition: PresentationDefinition;
+}>;
+
+/**
+ * Retrieves a PresentationDefinition based on the given parameters.
+ *
+ * The method attempts the following strategies in order:
+ * 1. Checks if `presentation_definition` is directly available in the request object.
+ * 2. Uses a pre-configured `presentation_definition` from the relying party configuration if the `scope` is present in the request object.
+ *
+ * If none of the above conditions are met, the function throws an error indicating the definition could not be found. Note that `presentation_definition_uri` is not supported in 0.9.x.
+ *
+ * @param {RequestObject} requestObject - The request object containing the presentation definition or references to it.
+ * @param {RelyingPartyEntityConfiguration["payload"]["metadata"]} [rpConf] - Optional relying party configuration.
+ * @returns {Promise<{ presentationDefinition: PresentationDefinition }>} - Resolves with the presentation definition.
+ * @throws {Error} - Throws if the presentation definition cannot be found or fetched.
+ */
+export const fetchPresentDefinition: FetchPresentationDefinition = async (
+  requestObject,
+  rpConf
+) => {
+  // Check if `presentation_definition` is directly available in the request object
+  if (requestObject.presentation_definition) {
+    return {
+      presentationDefinition: requestObject.presentation_definition,
+    };
+  }
+
+  // Check if `scope` is present in the request object and a pre-configured presentation definition exists
+  if (
+    requestObject.scope &&
+    rpConf?.openid_credential_verifier?.presentation_definition
+  ) {
+    return {
+      presentationDefinition:
+        rpConf.openid_credential_verifier.presentation_definition,
+    };
+  }
+
+  throw new Error("Presentation definition not found");
+};

package/src/credential/presentation/07-evaluate-dcql-query.ts

@@ -0,0 +1,166 @@
+import {
+  DcqlQuery,
+  DcqlError,
+  DcqlCredentialSetError,
+  DcqlQueryResult,
+} from "dcql";
+import { isValiError } from "valibot";
+import { decode, prepareVpToken } from "../../sd-jwt";
+import type { Disclosure, DisclosureWithEncoded } from "../../sd-jwt/types";
+import { ValidationFailed } from "../../utils/errors";
+import { createCryptoContextFor } from "../../utils/crypto";
+import type { RemotePresentation } from "./types";
+
+type EvaluateDcqlQuery = (
+  credentialsSdJwt: [string /* keyTag */, string /* credential */][],
+  query: DcqlQuery.Input
+) => {
+  id: string;
+  credential: string;
+  keyTag: string;
+  requiredDisclosures: DisclosureWithEncoded[];
+  isOptional?: boolean;
+}[];
+
+type PrepareRemotePresentations = (
+  credentials: {
+    id: string;
+    credential: string;
+    keyTag: string;
+    requestedClaims: string[];
+  }[],
+  nonce: string,
+  clientId: string
+) => Promise<RemotePresentation[]>;
+
+type DcqlMatchSuccess = Extract<
+  DcqlQueryResult.CredentialMatch,
+  { success: true }
+>;
+
+/**
+ * Convert a credential in JWT format to an object with claims
+ * for correct parsing by the `dcql` library.
+ */
+const mapCredentialToObject = (jwt: string) => {
+  const { sdJwt, disclosures } = decode(jwt);
+  const credentialFormat = sdJwt.header.typ;
+
+  // TODO [SIW-2082]: support MDOC credentials
+  if (credentialFormat !== "vc+sd-jwt") {
+    throw new Error(`Unsupported credential format: ${credentialFormat}`);
+  }
+
+  return {
+    vct: sdJwt.payload.vct,
+    credential_format: credentialFormat,
+    claims: disclosures.reduce(
+      (acc, disclosure) => ({
+        ...acc,
+        [disclosure.decoded[1]]: disclosure.decoded,
+      }),
+      {} as Record<string, Disclosure>
+    ),
+  };
+};
+
+/**
+ * Extract only successful matches from the DCQL query result.
+ */
+const getDcqlQueryMatches = (result: DcqlQueryResult) =>
+  Object.entries(result.credential_matches).filter(
+    ([, match]) => match.success === true
+  ) as [string, DcqlMatchSuccess][];
+
+export const evaluateDcqlQuery: EvaluateDcqlQuery = (
+  credentialsSdJwt,
+  query
+) => {
+  const credentials = credentialsSdJwt.map(([, credential]) =>
+    mapCredentialToObject(credential)
+  );
+
+  try {
+    // Validate the query
+    const parsedQuery = DcqlQuery.parse(query);
+    DcqlQuery.validate(parsedQuery);
+
+    const queryResult = DcqlQuery.query(parsedQuery, credentials);
+
+    if (!queryResult.canBeSatisfied) {
+      throw new Error("No credential can satisfy the provided DCQL query");
+    }
+
+    // Build an object vct:credentialJwt to map matched credentials to their JWT
+    const credentialsSdJwtByVct = credentials.reduce(
+      (acc, c, i) => ({ ...acc, [c.vct]: credentialsSdJwt[i]! }),
+      {} as Record<string, [string /* keyTag */, string /* credential */]>
+    );
+
+    return getDcqlQueryMatches(queryResult).map(([id, match]) => {
+      if (match.output.credential_format !== "vc+sd-jwt") {
+        throw new Error("Unsupported format"); // TODO [SIW-2082]: support MDOC credentials
+      }
+      const { vct, claims } = match.output;
+
+      // Find a matching credential set to see whether the credential is optional
+      // If no credential set is found, then the credential is required by default
+      // NOTE: This is an extra, it might not be necessary
+      const credentialSet = queryResult.credential_sets?.find((set) =>
+        set.matching_options?.flat().includes(vct)
+      );
+      const isOptional = credentialSet ? !credentialSet.required : false;
+
+      const [keyTag, credential] = credentialsSdJwtByVct[vct]!;
+      const requiredDisclosures = Object.values(
+        claims
+      ) as DisclosureWithEncoded[];
+      return {
+        id,
+        keyTag,
+        credential,
+        isOptional,
+        requiredDisclosures,
+      };
+    });
+  } catch (error) {
+    // Invalid DCQL query structure
+    if (isValiError(error)) {
+      throw new ValidationFailed({
+        message: "Invalid DCQL query",
+        reason: error.issues.map((issue) => issue.message).join(", "),
+      });
+    }
+
+    if (error instanceof DcqlError) {
+      // TODO [SIW-2110]: handle invalid DQCL query or let the error propagate
+    }
+    if (error instanceof DcqlCredentialSetError) {
+      // TODO [SIW-2110]: handle missing credentials or let the error propagate
+    }
+    throw error;
+  }
+};
+
+export const prepareRemotePresentations: PrepareRemotePresentations = async (
+  credentials,
+  nonce,
+  clientId
+) => {
+  return Promise.all(
+    credentials.map(async (item) => {
+      const { vp_token } = await prepareVpToken(nonce, clientId, [
+        item.credential,
+        item.requestedClaims,
+        createCryptoContextFor(item.keyTag),
+      ]);
+
+      return {
+        credentialId: item.id,
+        requestedClaims: item.requestedClaims,
+        vpToken: vp_token,
+        format: "vc+sd-jwt",
+      };
+    })
+  );
+};

package/src/credential/presentation/07-evaluate-input-descriptor.ts

@@ -0,0 +1,391 @@
+import { InputDescriptor, type LegacyRemotePresentation } from "./types";
+import { SdJwt4VC, type DisclosureWithEncoded } from "../../sd-jwt/types";
+import { decode, prepareVpToken } from "../../sd-jwt";
+import { createCryptoContextFor } from "../../utils/crypto";
+import { JSONPath } from "jsonpath-plus";
+import { CredentialNotFoundError, MissingDataError } from "./errors";
+import Ajv from "ajv";
+
+const ajv = new Ajv({ allErrors: true });
+const INDEX_CLAIM_NAME = 1;
+
+export type EvaluatedDisclosures = {
+  requiredDisclosures: DisclosureWithEncoded[];
+  optionalDisclosures: DisclosureWithEncoded[];
+  unrequestedDisclosures: DisclosureWithEncoded[];
+};
+
+export type EvaluateInputDescriptorSdJwt4VC = (
+  inputDescriptor: InputDescriptor,
+  payloadCredential: SdJwt4VC["payload"],
+  disclosures: DisclosureWithEncoded[]
+) => EvaluatedDisclosures;
+
+export type EvaluateInputDescriptors = (
+  descriptors: InputDescriptor[],
+  credentialsSdJwt: [string /* keyTag */, string /* credential */][]
+) => Promise<
+  {
+    evaluatedDisclosure: EvaluatedDisclosures;
+    inputDescriptor: InputDescriptor;
+    credential: string;
+    keyTag: string;
+  }[]
+>;
+
+export type PrepareRemotePresentations = (
+  credentialAndDescriptors: {
+    requestedClaims: string[];
+    inputDescriptor: InputDescriptor;
+    credential: string;
+    keyTag: string;
+  }[],
+  nonce: string,
+  client_id: string
+) => Promise<LegacyRemotePresentation[]>;
+
+/**
+ * Transforms an array of DisclosureWithEncoded objects into a key-value map.
+ * @param disclosures - An array of DisclosureWithEncoded, each containing a decoded property with [?, claimName, claimValue].
+ * @returns An object mapping claim names to their corresponding values.
+ */
+const mapDisclosuresToObject = (
+  disclosures: DisclosureWithEncoded[]
+): Record<string, unknown> => {
+  return disclosures.reduce(
+    (obj, { decoded }) => {
+      const [, claimName, claimValue] = decoded;
+      obj[claimName] = claimValue;
+      return obj;
+    },
+    {} as Record<string, unknown>
+  );
+};
+
+/**
+ * Finds a claim within the payload based on provided JSONPath expressions.
+ * @param paths - An array of JSONPath expressions to search for in the payload.
+ * @param payload - The object to search within using JSONPath.
+ * @returns A tuple with the first matched JSONPath and its corresponding value, or [undefined, undefined] if not found.
+ */
+const findMatchedClaim = (
+  paths: string[],
+  payload: any
+): [string?, string?] => {
+  let matchedPath;
+  let matchedValue;
+  paths.some((singlePath) => {
+    try {
+      const result = JSONPath({ path: singlePath, json: payload });
+      if (result.length > 0) {
+        matchedPath = singlePath;
+        matchedValue = result[0];
+        return true;
+      }
+    } catch (error) {
+      throw new MissingDataError(
+        `JSONPath for "${singlePath}" does not match the provided payload.`
+      );
+    }
+    return false;
+  });
+
+  return [matchedPath, matchedValue];
+};
+
+/**
+ * Extracts the claim name from a path that can be in one of the following formats:
+ * 1. $.propertyName
+ * 2. $["propertyName"] or $['propertyName']
+ *
+ * @param path - The path string containing the claim reference.
+ * @returns The extracted claim name if matched; otherwise, throws an exception.
+ */
+const extractClaimName = (path: string): string | undefined => {
+  // Define a regular expression that matches both formats:
+  // 1. $.propertyName
+  // 2. $["propertyName"] or $['propertyName']
+  const regex = /^\$\.(\w+)$|^\$\[(?:'|")(\w+)(?:'|")\]$/;
+
+  const match = path.match(regex);
+  if (match) {
+    // match[1] corresponds to the first capture group (\w+) after $.
+    // match[2] corresponds to the second capture group (\w+) inside [""] or ['']
+    return match[1] || match[2];
+  }
+
+  // If the input doesn't match any of the expected formats, return null
+
+  throw new Error(
+    `Invalid input format: "${path}". Expected formats are "$.propertyName", "$['propertyName']", or '$["propertyName"]'.`
+  );
+};
+
+/**
+ * Evaluates an InputDescriptor for an SD-JWT-based verifiable credential.
+ *
+ * - Checks each field in the InputDescriptor against the provided `payloadCredential`
+ *   and `disclosures` (selectively disclosed claims).
+ * - Validates whether required fields are present (unless marked optional)
+ *   and match any specified JSONPath.
+ * - If a field includes a JSON Schema filter, validates the claim value against that schema.
+ * - Enforces `limit_disclosure` rules by returning only disclosures, required and optional, matching the specified fields
+ *   if set to "required". Otherwise also return the array unrequestedDisclosures with disclosures which can be passed for a particular use case.
+ * - Throws an error if a required field is invalid or missing.
+ *
+ * @param inputDescriptor - Describes constraints (fields, filters, etc.) that must be satisfied.
+ * @param payloadCredential - The credential payload to check against.
+ * @param disclosures - An array of DisclosureWithEncoded objects representing selective disclosures.
+ * @returns A filtered list of disclosures satisfying the descriptor constraints, or throws an error if not.
+ * @throws Will throw an error if any required constraint fails or if JSONPath lookups are invalid.
+ */
+export const evaluateInputDescriptorForSdJwt4VC: EvaluateInputDescriptorSdJwt4VC =
+  (inputDescriptor, payloadCredential, disclosures) => {
+    if (!inputDescriptor?.constraints?.fields) {
+      // No validation, all field are optional
+      return {
+        requiredDisclosures: [],
+        optionalDisclosures: [],
+        unrequestedDisclosures: disclosures,
+      };
+    }
+    const requiredClaimNames: string[] = [];
+    const optionalClaimNames: string[] = [];
+
+    // Transform disclosures to find claim using JSONPath
+    const disclosuresAsPayload = mapDisclosuresToObject(disclosures);
+
+    // For each field, we need at least one matching path
+    // If we succeed, we push the matched disclosure in matchedDisclosures and stop checking further paths
+    const allFieldsValid = inputDescriptor.constraints.fields.every((field) => {
+      // For Potential profile, selectively disclosed claims will always be built as an individual object property, by using a name-value pair.
+      // Hence that selective claim for array element and recursive disclosures are not supported by Potential for the first iteration of Piloting.
+      // We need to check inside disclosures or inside credential payload. Example path: "$.given_name"
+      let [matchedPath, matchedValue] = findMatchedClaim(
+        field.path,
+        disclosuresAsPayload
+      );
+
+      if (!matchedPath) {
+        [matchedPath, matchedValue] = findMatchedClaim(
+          field.path,
+          payloadCredential
+        );
+
+        if (!matchedPath) {
+          // Path could be optional, in this case no need to validate! continue to next field
+          return field?.optional;
+        }
+      } else {
+        // if match a disclouse we save which is required or optional
+        const claimName = extractClaimName(matchedPath);
+        if (claimName) {
+          (field?.optional ? optionalClaimNames : requiredClaimNames).push(
+            claimName
+          );
+        }
+      }
+
+      // FILTER validation
+      // If this field has a "filter" (JSON Schema), validate the claimValue
+      if (field.filter) {
+        try {
+          const validateSchema = ajv.compile(field.filter);
+          if (!validateSchema(matchedValue)) {
+            throw new MissingDataError(
+              `Claim value "${matchedValue}" for path "${matchedPath}" does not match the provided JSON Schema.`
+            );
+          }
+        } catch (error) {
+          return false;
+        }
+      }
+      // Submission Requirements validation
+      // TODO: [EUDIW-216] Read rule value if “all” o “pick” and validate
+
+      return true;
+    });
+
+    if (!allFieldsValid) {
+      throw new MissingDataError(
+        "Credential validation failed: Required fields are missing or do not match the input descriptor."
+      );
+    }
+
+    // Categorizes disclosures into required and optional based on claim names and disclosure constraints.
+
+    const requiredDisclosures = disclosures.filter((disclosure) =>
+      requiredClaimNames.includes(disclosure.decoded[INDEX_CLAIM_NAME])
+    );
+
+    const optionalDisclosures = disclosures.filter((disclosure) =>
+      optionalClaimNames.includes(disclosure.decoded[INDEX_CLAIM_NAME])
+    );
+
+    const isNotLimitDisclosure = !(
+      inputDescriptor.constraints.limit_disclosure === "required"
+    );
+
+    const unrequestedDisclosures = isNotLimitDisclosure
+      ? disclosures.filter(
+          (disclosure) =>
+            !optionalClaimNames.includes(
+              disclosure.decoded[INDEX_CLAIM_NAME]
+            ) &&
+            !requiredClaimNames.includes(disclosure.decoded[INDEX_CLAIM_NAME])
+        )
+      : [];
+
+    return {
+      requiredDisclosures,
+      optionalDisclosures,
+      unrequestedDisclosures,
+    };
+  };
+
+type DecodedCredentialSdJwt = {
+  keyTag: string;
+  credential: string;
+  sdJwt: SdJwt4VC;
+  disclosures: DisclosureWithEncoded[];
+};
+
+/**
+ * Finds the first credential that satisfies the input descriptor constraints.
+ * @param inputDescriptor The input descriptor to evaluate.
+ * @param decodedSdJwtCredentials An array of decoded SD-JWT credentials.
+ * @returns An object containing the matched evaluation, keyTag, and credential.
+ */
+export const findCredentialSdJwt = (
+  inputDescriptor: InputDescriptor,
+  decodedSdJwtCredentials: DecodedCredentialSdJwt[]
+): {
+  matchedEvaluation: EvaluatedDisclosures;
+  matchedKeyTag: string;
+  matchedCredential: string;
+} => {
+  for (const {
+    keyTag,
+    credential,
+    sdJwt,
+    disclosures,
+  } of decodedSdJwtCredentials) {
+    try {
+      const evaluatedDisclosure = evaluateInputDescriptorForSdJwt4VC(
+        inputDescriptor,
+        sdJwt.payload,
+        disclosures
+      );
+
+      return {
+        matchedEvaluation: evaluatedDisclosure,
+        matchedKeyTag: keyTag,
+        matchedCredential: credential,
+      };
+    } catch {
+      // skip to next credential
+      continue;
+    }
+  }
+
+  throw new CredentialNotFoundError(
+    "None of the vc+sd-jwt credentials satisfy the requirements."
+  );
+};
+
+/**
+ * Evaluates multiple input descriptors against provided SD-JWT and MDOC credentials.
+ *
+ * For each input descriptor, this function:
+ * - Checks the credential format.
+ * - Decodes the credential.
+ * - Evaluates the descriptor using the associated disclosures.
+ *
+ * @param inputDescriptors - An array of input descriptors.
+ * @param credentialsSdJwt - An array of tuples containing keyTag and SD-JWT credential.
+ * @returns An array of objects, each containing the evaluated disclosures,
+ *          the input descriptor, the credential, and the keyTag.
+ * @throws {CredentialNotFoundError} When the credential format is unsupported.
+ */
+export const evaluateInputDescriptors: EvaluateInputDescriptors = async (
+  inputDescriptors,
+  credentialsSdJwt
+) => {
+  // We need decode SD-JWT credentials for evaluation
+  const decodedSdJwtCredentials =
+    credentialsSdJwt?.map(([keyTag, credential]) => {
+      const { sdJwt, disclosures } = decode(credential);
+      return { keyTag, credential, sdJwt, disclosures };
+    }) || [];
+
+  return Promise.all(
+    inputDescriptors.map(async (descriptor) => {
+      if (descriptor.format?.["vc+sd-jwt"]) {
+        if (!decodedSdJwtCredentials.length) {
+          throw new CredentialNotFoundError(
+            "vc+sd-jwt credential is not supported."
+          );
+        }
+
+        const { matchedEvaluation, matchedKeyTag, matchedCredential } =
+          findCredentialSdJwt(descriptor, decodedSdJwtCredentials);
+
+        return {
+          evaluatedDisclosure: matchedEvaluation,
+          inputDescriptor: descriptor,
+          credential: matchedCredential,
+          keyTag: matchedKeyTag,
+        };
+      }
+
+      throw new CredentialNotFoundError(
+        `${descriptor.format} format is not supported.`
+      );
+    })
+  );
+};
+
+/**
+ * Prepares remote presentations for a set of credentials based on input descriptors.
+ *
+ * For each credential and its corresponding input descriptor, this function:
+ * - Validates the credential format.
+ * - Generates a verifiable presentation token (vpToken) using the provided nonce and client identifier.
+ *
+ * @param credentialAndDescriptors - An array containing objects with requested claims,
+ *                                   input descriptor, credential, and keyTag.
+ * @param nonce - A unique nonce for the verifiable presentation token.
+ * @param client_id - The client identifier.
+ * @returns A promise that resolves to an array of RemotePresentation objects.
+ * @throws {CredentialNotFoundError} When the credential format is unsupported.
+ */
+export const prepareRemotePresentations: PrepareRemotePresentations = async (
+  credentialAndDescriptors,
+  nonce,
+  client_id
+) => {
+  return Promise.all(
+    credentialAndDescriptors.map(async (item) => {
+      const descriptor = item.inputDescriptor;
+
+      if (descriptor.format?.["vc+sd-jwt"]) {
+        const { vp_token } = await prepareVpToken(nonce, client_id, [
+          item.credential,
+          item.requestedClaims,
+          createCryptoContextFor(item.keyTag),
+        ]);
+
+        return {
+          requestedClaims: item.requestedClaims,
+          inputDescriptor: descriptor,
+          vpToken: vp_token,
+          format: "vc+sd-jwt",
+        };
+      }
+
+      throw new CredentialNotFoundError(
+        `${descriptor.format} format is not supported.`
+      );
+    })
+  );
+};