@pagopa/io-react-native-wallet 0.28.1 → 0.29.0

package/src/credential/issuance/05-authorize-access.ts

@@ -10,6 +10,7 @@ import { ASSERTION_TYPE } from "./const";
 import { TokenResponse } from "./types";
 import { IssuerResponseError, ValidationFailed } from "../../utils/errors";
 import type { CompleteUserAuthorizationWithQueryMode } from "./04-complete-user-authorization";
+import { LogLevel, Logger } from "../../utils/logging";
 
 export type AuthorizeAccess = (
   issuerConf: Out<EvaluateIssuerTrust>["issuerConf"],
@@ -76,6 +77,8 @@ export const authorizeAccess: AuthorizeAccess = async (
     dPopCryptoContext
   );
 
+  Logger.log(LogLevel.DEBUG, `Token request DPoP: ${tokenRequestSignedDPop}`);
+
   const signedWiaPoP = await createPopToken(
     {
       jti: `${uuidv4()}`,
@@ -85,6 +88,8 @@ export const authorizeAccess: AuthorizeAccess = async (
     wiaCryptoContext
   );
 
+  Logger.log(LogLevel.DEBUG, `WIA DPoP token: ${signedWiaPoP}`);
+
   const requestBody = {
     grant_type: "authorization_code",
     client_id: clientId,
@@ -96,6 +101,12 @@ export const authorizeAccess: AuthorizeAccess = async (
   };
 
   const authorizationRequestFormBody = new URLSearchParams(requestBody);
+
+  Logger.log(
+    LogLevel.DEBUG,
+    `Auth form request body: ${authorizationRequestFormBody}`
+  );
+
   const tokenRes = await appFetch(tokenUrl, {
     method: "POST",
     headers: {
@@ -109,6 +120,11 @@ export const authorizeAccess: AuthorizeAccess = async (
     .then((body) => TokenResponse.safeParse(body));
 
   if (!tokenRes.success) {
+    Logger.log(
+      LogLevel.ERROR,
+      `Token Response validation failed: ${tokenRes.error.message}`
+    );
+
     throw new ValidationFailed({
       message: "Token Response validation failed",
       reason: tokenRes.error.message,

package/src/credential/issuance/06-obtain-credential.ts

@@ -17,6 +17,7 @@ import {
 import { CredentialResponse } from "./types";
 import { createDPopToken } from "../../utils/dpop";
 import { v4 as uuidv4 } from "uuid";
+import { LogLevel, Logger } from "../../utils/logging";
 
 export type ObtainCredential = (
   issuerConf: Out<EvaluateIssuerTrust>["issuerConf"],
@@ -27,7 +28,8 @@ export type ObtainCredential = (
     dPopCryptoContext: CryptoContext;
     credentialCryptoContext: CryptoContext;
     appFetch?: GlobalFetch["fetch"];
-  }
+  },
+  operationType?: "reissuing"
 ) => Promise<CredentialResponse>;
 
 export const createNonceProof = async (
@@ -73,7 +75,8 @@ export const obtainCredential: ObtainCredential = async (
   accessToken,
   clientId,
   credentialDefinition,
-  context
+  context,
+  operationType
 ) => {
   const {
     credentialCryptoContext,
@@ -95,6 +98,8 @@ export const obtainCredential: ObtainCredential = async (
     credentialCryptoContext
   );
 
+  Logger.log(LogLevel.DEBUG, `Signed nonce proof: ${signedNonceProof}`);
+
   // Validation of accessTokenResponse.authorization_details if contain credentialDefinition
   const containsCredentialDefinition = accessToken.authorization_details.some(
     (c) =>
@@ -105,6 +110,10 @@ export const obtainCredential: ObtainCredential = async (
   );
 
   if (!containsCredentialDefinition) {
+    Logger.log(
+      LogLevel.ERROR,
+      `Credential definition not found in the access token response ${accessToken.authorization_details}`
+    );
     throw new ValidationFailed({
       message:
         "The access token response does not contain the requested credential",
@@ -123,6 +132,11 @@ export const obtainCredential: ObtainCredential = async (
     },
   };
 
+  Logger.log(
+    LogLevel.DEBUG,
+    `Credential request body: ${JSON.stringify(credentialRequestFormBody)}`
+  );
+
   const tokenRequestSignedDPop = await createDPopToken(
     {
       htm: "POST",
@@ -132,12 +146,16 @@ export const obtainCredential: ObtainCredential = async (
     },
     dPopCryptoContext
   );
+
+  Logger.log(LogLevel.DEBUG, `Token request DPoP: ${tokenRequestSignedDPop}`);
+
   const credentialRes = await appFetch(credentialUrl, {
     method: "POST",
     headers: {
       "Content-Type": "application/json",
       DPoP: tokenRequestSignedDPop,
       Authorization: `${accessToken.token_type} ${accessToken.access_token}`,
+      ...(operationType === "reissuing" && { operationType }),
     },
     body: JSON.stringify(credentialRequestFormBody),
   })
@@ -147,12 +165,21 @@ export const obtainCredential: ObtainCredential = async (
     .catch(handleObtainCredentialError);
 
   if (!credentialRes.success) {
+    Logger.log(
+      LogLevel.ERROR,
+      `Credential Response validation failed: ${credentialRes.error.message}`
+    );
     throw new ValidationFailed({
       message: "Credential Response validation failed",
       reason: credentialRes.error.message,
     });
   }
 
+  Logger.log(
+    LogLevel.DEBUG,
+    `Credential Response: ${JSON.stringify(credentialRes.data)}`
+  );
+
   return credentialRes.data;
 };
 
@@ -163,6 +190,8 @@ export const obtainCredential: ObtainCredential = async (
  * @throws {IssuerResponseError} with a specific code for more context
  */
 const handleObtainCredentialError = (e: unknown) => {
+  Logger.log(LogLevel.ERROR, `Error occurred while obtaining credential: ${e}`);
+
   if (!(e instanceof UnexpectedStatusCodeError)) {
     throw e;
   }

package/src/credential/issuance/07-verify-and-parse-credential.ts

@@ -7,6 +7,7 @@ import { verify as verifySdJwt } from "../../sd-jwt";
 import { getValueFromDisclosures } from "../../sd-jwt/converters";
 import type { JWK } from "../../utils/jwk";
 import type { ObtainCredential } from "./06-obtain-credential";
+import { LogLevel, Logger } from "../../utils/logging";
 
 export type VerifyAndParseCredential = (
   issuerConf: Out<EvaluateIssuerTrust>["issuerConf"],
@@ -62,10 +63,18 @@ const parseCredentialSdJwt = (
   const credentialSubject = credentials_supported[sdJwt.payload.vct];
 
   if (!credentialSubject) {
+    Logger.log(
+      LogLevel.ERROR,
+      `Credential type not supported by the issuer: ${sdJwt.payload.vct}`
+    );
     throw new IoWalletError("Credential type not supported by the issuer");
   }
 
   if (credentialSubject.format !== sdJwt.header.typ) {
+    Logger.log(
+      LogLevel.ERROR,
+      `Received credential is of an unknwown type. Expected one of [${credentialSubject.format}], received '${sdJwt.header.typ}'`
+    );
     throw new IoWalletError(
       `Received credential is of an unknwown type. Expected one of [${credentialSubject.format}], received '${sdJwt.header.typ}', `
     );
@@ -73,6 +82,7 @@ const parseCredentialSdJwt = (
 
   // transfrom a record { key: value } in an iterable of pairs [key, value]
   if (!credentialSubject.claims) {
+    Logger.log(LogLevel.ERROR, "Missing claims in the credential subject");
     throw new IoWalletError("Missing claims in the credential subject"); // TODO [SIW-1268]: should not be optional
   }
   const attrDefinitions = Object.entries(credentialSubject.claims);
@@ -85,6 +95,10 @@ const parseCredentialSdJwt = (
     const missing = attrsNotInDisclosures.map((_) => _[0 /* key */]).join(", ");
     const received = disclosures.map((_) => _[1 /* name */]).join(", ");
     if (!ignoreMissingAttributes) {
+      Logger.log(
+        LogLevel.ERROR,
+        `Some attributes are missing in the credential. Missing: [${missing}], received: [${received}]`
+      );
       throw new IoWalletError(
         `Some attributes are missing in the credential. Missing: [${missing}], received: [${received}]`
       );
@@ -172,6 +186,10 @@ async function verifyCredentialSdJwt(
   const { cnf } = decodedCredential.sdJwt.payload;
 
   if (!cnf.jwk.kid || cnf.jwk.kid !== holderBindingKey.kid) {
+    Logger.log(
+      LogLevel.ERROR,
+      `Failed to verify holder binding, expected kid: ${holderBindingKey.kid}, got: ${decodedCredential.sdJwt.payload.cnf.jwk.kid}`
+    );
     throw new IoWalletError(
       `Failed to verify holder binding, expected kid: ${holderBindingKey.kid}, got: ${decodedCredential.sdJwt.payload.cnf.jwk.kid}`
     );
@@ -204,15 +222,21 @@ const verifyAndParseCredentialSdJwt: WithFormat<"vc+sd-jwt"> = async (
     credentialCryptoContext
   );
 
+  Logger.log(LogLevel.DEBUG, `Decoded credential: ${JSON.stringify(decoded)}`);
+
   const parsedCredential = parseCredentialSdJwt(
     issuerConf.openid_credential_issuer.credential_configurations_supported,
     decoded,
     ignoreMissingAttributes,
     includeUndefinedAttributes
   );
-
   const maybeIssuedAt = getValueFromDisclosures(decoded.disclosures, "iat");
 
+  Logger.log(
+    LogLevel.DEBUG,
+    `Parsed credential: ${JSON.stringify(parsedCredential)}\nIssued at: ${maybeIssuedAt}`
+  );
+
   return {
     parsedCredential,
     expiration: new Date(decoded.sdJwt.payload.exp * 1000),
@@ -243,6 +267,7 @@ export const verifyAndParseCredential: VerifyAndParseCredential = async (
   context
 ) => {
   if (format === "vc+sd-jwt") {
+    Logger.log(LogLevel.DEBUG, "Parsing credential in vc+sd-jwt format");
     return verifyAndParseCredentialSdJwt(
       issuerConf,
       credential,
@@ -251,5 +276,6 @@ export const verifyAndParseCredential: VerifyAndParseCredential = async (
     );
   }
 
+  Logger.log(LogLevel.ERROR, `Unsupported credential format: ${format}`);
   throw new IoWalletError(`Unsupported credential format: ${format}`);
 };

package/src/credential/presentation/01-start-flow.ts

@@ -1,10 +1,10 @@
 import * as z from "zod";
-import { ValidationFailed } from "../../utils/errors";
+import { InvalidQRCodeError } from "./errors";
 
 const PresentationParams = z.object({
-  clientId: z.string().nonempty(),
-  requestUri: z.string().url(),
-  requestUriMethod: z.enum(["get", "post"]),
+  client_id: z.string().nonempty(),
+  request_uri: z.string().url(),
+  request_uri_method: z.enum(["get", "post"]),
   state: z.string().optional(),
 });
 export type PresentationParams = z.infer<typeof PresentationParams>;
@@ -13,32 +13,30 @@ export type PresentationParams = z.infer<typeof PresentationParams>;
  * The beginning of the presentation flow.
  * To be implemented accordind to the user touchpoint
  *
- * @param params Presentation parameters, depending on the starting touchoint
+ * @param params Presentation parameters, depending on the starting touchpoint
  * @returns The url for the Relying Party to connect with
  */
-export type StartFlow = (params: PresentationParams) => {
-  requestUri: string;
-  clientId: string;
-  requestUriMethod?: "get" | "post";
-  state?: string;
-};
+export type StartFlow = (params: {
+  [K in keyof PresentationParams]?: PresentationParams[K] | null;
+}) => PresentationParams;
 
 /**
- * Start a presentation flow by decoding an incoming QR-code
+ * Start a presentation flow by validating the required parameters.
+ * Parameters are extracted from a url encoded in a QR code or in a deep link.
  *
- * @param params The encoded QR-code content
+ * @param params The parameters to be validated
  * @returns The url for the Relying Party to connect with
- * @throws If the provided qr code fails to be decoded
+ * @throws If the provided parameters are not valid
  */
 export const startFlowFromQR: StartFlow = (params) => {
-  const result = PresentationParams.safeParse(params);
+  const result = PresentationParams.safeParse({
+    ...params,
+    request_uri_method: params.request_uri_method ?? "get",
+  });
 
   if (result.success) {
     return result.data;
-  } else {
-    throw new ValidationFailed({
-      message: "Invalid parameters provided",
-      reason: result.error.message,
-    });
   }
+
+  throw new InvalidQRCodeError(result.error.message);
 };

package/src/credential/presentation/02-evaluate-rp-trust.ts

@@ -10,6 +10,7 @@ export type EvaluateRelyingPartyTrust = (
   }
 ) => Promise<{
   rpConf: RelyingPartyEntityConfiguration["payload"]["metadata"];
+  subject: string;
 }>;
 
 /**
@@ -25,9 +26,9 @@ export const evaluateRelyingPartyTrust: EvaluateRelyingPartyTrust = async (
   { appFetch = fetch } = {}
 ) => {
   const {
-    payload: { metadata: rpConf },
+    payload: { metadata: rpConf, sub },
   } = await getRelyingPartyEntityConfiguration(rpUrl, {
     appFetch,
   });
-  return { rpConf };
+  return { rpConf, subject: sub };
 };

package/src/credential/presentation/03-get-request-object.ts

@@ -1,12 +1,10 @@
-import { hasStatusOrThrow, type Out } from "../../utils/misc";
-import type { StartFlow } from "./01-start-flow";
+import { hasStatusOrThrow } from "../../utils/misc";
 import { RequestObjectWalletCapabilities } from "./types";
 
 export type GetRequestObject = (
-  requestUri: Out<StartFlow>["requestUri"],
-  context: {
+  requestUri: string,
+  context?: {
     appFetch?: GlobalFetch["fetch"];
-    walletInstanceAttestation: string;
     walletCapabilities?: RequestObjectWalletCapabilities;
   }
 ) => Promise<{ requestObjectEncodedJwt: string }>;
@@ -23,7 +21,7 @@ export type GetRequestObject = (
  */
 export const getRequestObject: GetRequestObject = async (
   requestUri,
-  { appFetch = fetch, walletCapabilities }
+  { appFetch = fetch, walletCapabilities } = {}
 ) => {
   if (walletCapabilities) {
     // Validate external input

package/src/credential/presentation/05-verify-request-object.ts

@@ -8,8 +8,9 @@ export type VerifyRequestObject = (
   requestObjectEncodedJwt: string,
   context: {
     clientId: string;
-    // jwkKeys: Out<FetchJwks>["keys"];
-    rpConf: RelyingPartyEntityConfiguration["payload"];
+    rpConf: RelyingPartyEntityConfiguration["payload"]["metadata"];
+    rpSubject: string;
+    state?: string;
   }
 ) => Promise<{ requestObject: RequestObject }>;
 
@@ -17,16 +18,16 @@ export type VerifyRequestObject = (
  * Function to verify the Request Object's signature and the client ID.
  * @param requestObjectEncodedJwt The Request Object in JWT format
  * @param context.clientId The client ID to verify
- * @param context.jwkKeys The set of keys to verify the signature
  * @param context.rpConf The Entity Configuration of the Relying Party
+ * @param context.state Optional state
  * @returns The verified Request Object
  */
 export const verifyRequestObject: VerifyRequestObject = async (
   requestObjectEncodedJwt,
-  { clientId, rpConf }
+  { clientId, rpConf, rpSubject, state }
 ) => {
   const requestObjectJwt = decodeJwt(requestObjectEncodedJwt);
-  const { keys } = getJwksFromConfig(rpConf.metadata);
+  const { keys } = getJwksFromConfig(rpConf);
 
   // Verify token signature to ensure the request object is authentic
   const pubKey = keys?.find(
@@ -42,11 +43,21 @@ export const verifyRequestObject: VerifyRequestObject = async (
 
   const requestObject = RequestObject.parse(requestObjectJwt.payload);
 
-  if (!(clientId === requestObject.client_id && clientId === rpConf.sub)) {
+  const isClientIdMatch =
+    clientId === requestObject.client_id && clientId === rpSubject;
+
+  if (!isClientIdMatch) {
     throw new UnverifiedEntityError(
       "Client ID does not match Request Object or Entity Configuration"
     );
   }
 
+  const isStateMatch =
+    state && requestObject.state ? state === requestObject.state : true;
+
+  if (!isStateMatch) {
+    throw new UnverifiedEntityError("State does not match Request Object");
+  }
+
   return { requestObject };
 };

package/src/credential/presentation/07-evaluate-dcql-query.ts

@@ -6,23 +6,33 @@ import {
 } from "dcql";
 import { isValiError } from "valibot";
 import { decode, prepareVpToken } from "../../sd-jwt";
-import type { Disclosure, DisclosureWithEncoded } from "../../sd-jwt/types";
+import type { Disclosure } from "../../sd-jwt/types";
 import { ValidationFailed } from "../../utils/errors";
 import { createCryptoContextFor } from "../../utils/crypto";
 import type { RemotePresentation } from "./types";
+import { CredentialsNotFoundError, type NotFoundDetail } from "./errors";
 
-type EvaluateDcqlQuery = (
+/**
+ * The purpose for the credential request by the RP.
+ */
+type CredentialPurpose = {
+  required: boolean;
+  description?: string;
+};
+
+export type EvaluateDcqlQuery = (
   credentialsSdJwt: [string /* keyTag */, string /* credential */][],
   query: DcqlQuery.Input
 ) => {
   id: string;
+  vct: string;
   credential: string;
   keyTag: string;
-  requiredDisclosures: DisclosureWithEncoded[];
-  isOptional?: boolean;
+  requiredDisclosures: Disclosure[];
+  purposes: CredentialPurpose[];
 }[];
 
-type PrepareRemotePresentations = (
+export type PrepareRemotePresentations = (
   credentials: {
     id: string;
     credential: string;
@@ -38,6 +48,11 @@ type DcqlMatchSuccess = Extract<
   { success: true }
 >;
 
+type DcqlMatchFailure = Extract<
+  DcqlQueryResult.CredentialMatch,
+  { success: false }
+>;
+
 /**
  * Convert a credential in JWT format to an object with claims
  * for correct parsing by the `dcql` library.
@@ -72,6 +87,32 @@ const getDcqlQueryMatches = (result: DcqlQueryResult) =>
     ([, match]) => match.success === true
   ) as [string, DcqlMatchSuccess][];
 
+/**
+ * Extract only failed matches from the DCQL query result.
+ */
+const getDcqlQueryFailedMatches = (result: DcqlQueryResult) =>
+  Object.entries(result.credential_matches).filter(
+    ([, match]) => match.success === false
+  ) as [string, DcqlMatchFailure][];
+
+/**
+ * Extract missing credentials from the DCQL query result.
+ * Note: here we are assuming a failed match is a missing credential,
+ * but there might be other reasons for its failure.
+ */
+const extractMissingCredentials = (
+  queryResult: DcqlQueryResult,
+  originalQuery: DcqlQuery
+): NotFoundDetail[] => {
+  return getDcqlQueryFailedMatches(queryResult).map(([id]) => {
+    const credential = originalQuery.credentials.find((c) => c.id === id);
+    if (credential?.format !== "vc+sd-jwt") {
+      throw new Error("Unsupported format"); // TODO [SIW-2082]: support MDOC credentials
+    }
+    return { id, vctValues: credential.meta?.vct_values };
+  });
+};
+
 export const evaluateDcqlQuery: EvaluateDcqlQuery = (
   credentialsSdJwt,
   query
@@ -88,7 +129,9 @@ export const evaluateDcqlQuery: EvaluateDcqlQuery = (
     const queryResult = DcqlQuery.query(parsedQuery, credentials);
 
     if (!queryResult.canBeSatisfied) {
-      throw new Error("No credential can satisfy the provided DCQL query");
+      throw new CredentialsNotFoundError(
+        extractMissingCredentials(queryResult, parsedQuery)
+      );
     }
 
     // Build an object vct:credentialJwt to map matched credentials to their JWT
@@ -103,24 +146,24 @@ export const evaluateDcqlQuery: EvaluateDcqlQuery = (
       }
       const { vct, claims } = match.output;
 
-      // Find a matching credential set to see whether the credential is optional
-      // If no credential set is found, then the credential is required by default
-      // NOTE: This is an extra, it might not be necessary
-      const credentialSet = queryResult.credential_sets?.find((set) =>
-        set.matching_options?.flat().includes(vct)
-      );
-      const isOptional = credentialSet ? !credentialSet.required : false;
+      const purposes = queryResult.credential_sets
+        ?.filter((set) => set.matching_options?.flat().includes(id))
+        ?.map<CredentialPurpose>((credentialSet) => ({
+          description: credentialSet.purpose?.toString(),
+          required: Boolean(credentialSet.required),
+        }));
 
       const [keyTag, credential] = credentialsSdJwtByVct[vct]!;
-      const requiredDisclosures = Object.values(
-        claims
-      ) as DisclosureWithEncoded[];
+      const requiredDisclosures = Object.values(claims) as Disclosure[];
       return {
         id,
+        vct,
         keyTag,
         credential,
-        isOptional,
         requiredDisclosures,
+        // When it is a match but no credential_sets are found, the credential is required by default
+        // See https://openid.net/specs/openid-4-verifiable-presentations-1_0-24.html#section-6.3.1.2-2.1
+        purposes: purposes ?? [{ required: true }],
       };
     });
   } catch (error) {

package/src/credential/presentation/07-evaluate-input-descriptor.ts

@@ -3,7 +3,7 @@ import { SdJwt4VC, type DisclosureWithEncoded } from "../../sd-jwt/types";
 import { decode, prepareVpToken } from "../../sd-jwt";
 import { createCryptoContextFor } from "../../utils/crypto";
 import { JSONPath } from "jsonpath-plus";
-import { CredentialNotFoundError, MissingDataError } from "./errors";
+import { CredentialsNotFoundError, MissingDataError } from "./errors";
 import Ajv from "ajv";
 
 const ajv = new Ajv({ allErrors: true });
@@ -33,7 +33,10 @@ export type EvaluateInputDescriptors = (
   }[]
 >;
 
-export type PrepareRemotePresentations = (
+/**
+ * @deprecated Use `prepareRemotePresentations` from DCQL
+ */
+export type PrepareLegacyRemotePresentations = (
   credentialAndDescriptors: {
     requestedClaims: string[];
     inputDescriptor: InputDescriptor;
@@ -288,9 +291,12 @@ export const findCredentialSdJwt = (
     }
   }
 
-  throw new CredentialNotFoundError(
-    "None of the vc+sd-jwt credentials satisfy the requirements."
-  );
+  throw new CredentialsNotFoundError([
+    {
+      id: "",
+      reason: "None of the vc+sd-jwt credentials satisfy the requirements.",
+    },
+  ]);
 };
 
 /**
@@ -322,9 +328,12 @@ export const evaluateInputDescriptors: EvaluateInputDescriptors = async (
     inputDescriptors.map(async (descriptor) => {
       if (descriptor.format?.["vc+sd-jwt"]) {
         if (!decodedSdJwtCredentials.length) {
-          throw new CredentialNotFoundError(
-            "vc+sd-jwt credential is not supported."
-          );
+          throw new CredentialsNotFoundError([
+            {
+              id: descriptor.id,
+              reason: "vc+sd-jwt credential is not supported.",
+            },
+          ]);
         }
 
         const { matchedEvaluation, matchedKeyTag, matchedCredential } =
@@ -338,9 +347,12 @@ export const evaluateInputDescriptors: EvaluateInputDescriptors = async (
         };
       }
 
-      throw new CredentialNotFoundError(
-        `${descriptor.format} format is not supported.`
-      );
+      throw new CredentialsNotFoundError([
+        {
+          id: descriptor.id,
+          reason: `${descriptor.format} format is not supported.`,
+        },
+      ]);
     })
   );
 };
@@ -352,6 +364,8 @@ export const evaluateInputDescriptors: EvaluateInputDescriptors = async (
  * - Validates the credential format.
  * - Generates a verifiable presentation token (vpToken) using the provided nonce and client identifier.
  *
+ * @deprecated Use `prepareRemotePresentations` from DCQL
+ *
  * @param credentialAndDescriptors - An array containing objects with requested claims,
  *                                   input descriptor, credential, and keyTag.
  * @param nonce - A unique nonce for the verifiable presentation token.
@@ -359,33 +373,33 @@ export const evaluateInputDescriptors: EvaluateInputDescriptors = async (
  * @returns A promise that resolves to an array of RemotePresentation objects.
  * @throws {CredentialNotFoundError} When the credential format is unsupported.
  */
-export const prepareRemotePresentations: PrepareRemotePresentations = async (
-  credentialAndDescriptors,
-  nonce,
-  client_id
-) => {
-  return Promise.all(
-    credentialAndDescriptors.map(async (item) => {
-      const descriptor = item.inputDescriptor;
+export const prepareLegacyRemotePresentations: PrepareLegacyRemotePresentations =
+  async (credentialAndDescriptors, nonce, client_id) => {
+    return Promise.all(
+      credentialAndDescriptors.map(async (item) => {
+        const descriptor = item.inputDescriptor;
+
+        if (descriptor.format?.["vc+sd-jwt"]) {
+          const { vp_token } = await prepareVpToken(nonce, client_id, [
+            item.credential,
+            item.requestedClaims,
+            createCryptoContextFor(item.keyTag),
+          ]);
+
+          return {
+            requestedClaims: item.requestedClaims,
+            inputDescriptor: descriptor,
+            vpToken: vp_token,
+            format: "vc+sd-jwt",
+          };
+        }
 
-      if (descriptor.format?.["vc+sd-jwt"]) {
-        const { vp_token } = await prepareVpToken(nonce, client_id, [
-          item.credential,
-          item.requestedClaims,
-          createCryptoContextFor(item.keyTag),
+        throw new CredentialsNotFoundError([
+          {
+            id: descriptor.id,
+            reason: `${descriptor.format} format is not supported.`,
+          },
         ]);
-
-        return {
-          requestedClaims: item.requestedClaims,
-          inputDescriptor: descriptor,
-          vpToken: vp_token,
-          format: "vc+sd-jwt",
-        };
-      }
-
-      throw new CredentialNotFoundError(
-        `${descriptor.format} format is not supported.`
-      );
-    })
-  );
-};
+      })
+    );
+  };