npm - @pagopa/io-react-native-wallet - Versions diffs - 0.28.1 → 0.29.0 - Mend

@pagopa/io-react-native-wallet 0.28.1 → 0.29.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (168) hide show

package/src/credential/presentation/08-send-authorization-response.ts CHANGED Viewed

@@ -60,7 +60,7 @@ export const choosePublicKeyToEncrypt = (
  */
 export const buildDirectPostJwtBody = async (
   requestObject: Out<VerifyRequestObject>["requestObject"],
-  rpConf: RelyingPartyEntityConfiguration["payload"],
+  rpConf: RelyingPartyEntityConfiguration["payload"]["metadata"],
   payload: DirectAuthorizationBodyPayload | LegacyDirectAuthorizationBodyPayload
 ): Promise<string> => {
   type Jwe = ConstructorParameters<typeof EncryptJwe>[1];
@@ -70,19 +70,21 @@ export const buildDirectPostJwtBody = async (
     state: requestObject.state,
     ...payload,
   });
   // Choose a suitable public key for encryption
-  const { keys } = getJwksFromConfig(rpConf.metadata);
+  const { keys } = getJwksFromConfig(rpConf);
   const encPublicJwk = choosePublicKeyToEncrypt(keys);
   // Encrypt the authorization payload
   const {
     authorization_encrypted_response_alg,
     authorization_encrypted_response_enc,
-  } = rpConf.metadata.openid_credential_verifier;
+  } = rpConf.openid_credential_verifier;
+  const defaultAlg: Jwe["alg"] =
+    encPublicJwk.kty === "EC" ? "ECDH-ES" : "RSA-OAEP-256";
   const encryptedResponse = await new EncryptJwe(authzResponsePayload, {
-    alg: (authorization_encrypted_response_alg as Jwe["alg"]) || "RSA-OAEP-256",
+    alg: (authorization_encrypted_response_alg as Jwe["alg"]) || defaultAlg,
     enc:
       (authorization_encrypted_response_enc as Jwe["enc"]) || "A256CBC-HS512",
     kid: encPublicJwk.kid,
@@ -106,7 +108,7 @@ export type SendLegacyAuthorizationResponse = (
   requestObject: Out<VerifyRequestObject>["requestObject"],
   presentationDefinitionId: string,
   remotePresentations: LegacyRemotePresentation[],
-  rpConf: RelyingPartyEntityConfiguration["payload"],
+  rpConf: RelyingPartyEntityConfiguration["payload"]["metadata"],
   context?: {
     appFetch?: GlobalFetch["fetch"];
   }
@@ -183,7 +185,7 @@ export const sendLegacyAuthorizationResponse: SendLegacyAuthorizationResponse =
 export type SendAuthorizationResponse = (
   requestObject: Out<VerifyRequestObject>["requestObject"],
   remotePresentations: RemotePresentation[],
-  rpConf: RelyingPartyEntityConfiguration["payload"],
+  rpConf: RelyingPartyEntityConfiguration["payload"]["metadata"],
   context?: {
     appFetch?: GlobalFetch["fetch"];
   }

package/src/credential/presentation/README.md CHANGED Viewed

@@ -1,3 +1,97 @@
-# Credential presentation
+# Credential Presentation
-Currently this flow is outdated.
+This flow is used for remote presentation, allowing a user with a valid Wallet Instance to remotely present credentials to a Relying Party (Verifier). The presentation flow adheres to the [IT Wallet 0.9.x specification](https://italia.github.io/eid-wallet-it-docs/v0.9.3/en/relying-party-solution.html).
+The Relying Party provides the Wallet with a Request Object that contains the requested credentials and claims. The Wallet validates the Request Object and asks the user for consent. Then the Wallet creates an encrypted Authorization Response that contains the Verifiable Presentation with the requested data (`vp_token`) and sends it to the Relying Party.
+## Sequence Diagram
+```mermaid
+sequenceDiagram
+  autonumber
+  participant I as User (Wallet Instance)
+  participant O as Relying Party (Verifier)
+  O->>+I: QR-CODE: Authorization Request (`request_uri`)
+  I->>+O: GET: Verifier's Entity Configuration
+  O->>+I: Respond with metadata (including public keys)
+  I->>+O: GET: Request Object, resolved from `request_uri`
+  O->>+I: Respond with the Request Object
+  I->>+I: Validate Request Object and give consent
+  I->>+O: POST: Authorization Response with encrypted VP token
+  O->>+I: Respond with optional `redirect_uri`
+```
+## Mapped results
+|Error|Description|
+|-----|-----------|
+|`ValidationFailed`|The presentation request is not valid, for instance the DCQL query is invalid.|
+|`CredentialsNotFoundError`|The presentation cannot be completed because the Wallet does not contain all requested credentials. The missing credentials can be found in `details`.|
+## Examples
+<details>
+  <summary>Remote Presentation flow</summary>
+**Note:** To successfully complete a remote presentation, the Wallet Instance must be in a valid state with a valid Wallet Instance Attestation.
+```ts
+// Retrieve and scan the qr-code, decode it and get its parameters
+const qrCodeParams = decodeQrCode(qrCode)
+// Start the issuance flow
+const {
+  request_uri,
+  client_id,
+  request_uri_method,
+  state
+} = Credential.Presentation.startFlowFromQR(qrCodeParams);
+// Get the Relying Party's Entity Configuration and evaluate trust
+const { rpConf } = await Credential.Presentation.evaluateRelyingPartyTrust(client_id);
+// Get the Request Object from the RP
+const { requestObjectEncodedJwt } =
+  await Credential.Presentation.getRequestObject(request_uri);
+// Validate the Request Object
+const { requestObject } = await Credential.Presentation.verifyRequestObject(
+  requestObjectEncodedJwt,
+  { clientId: client_id, rpConf }
+);
+// All the credentials that might be requested by the Relying Party
+const credentialsSdJwt = [
+  ["credential1_keytag", "eyJraWQiOiItRl82VWdhOG4zVmVnalkyVTdZVUhLMXpMb2FELU5QVGM2M1JNSVNuTGF3IiwidHlwIjoidmMrc2Qtand0IiwiYWxnIjoiRVMyNTYifQ.eyJfc2"],
+  ["credential2_keytag", "eyJ0eXAiOiJ2YytzZC1qd3QiLCJhbGciOiJFUzI1NiIsImtpZCI6Ii1GXzZVZ2E4bjNWZWdqWTJVN1lVSEsxekxvYUQtTlBUYzYzUk1JU25MYXcifQ.ew0KIC"]
+];
+const result = Credential.Presentation.evaluateDcqlQuery(
+  credentialsSdJwt,
+  requestObject.dcql_query as DcqlQuery
+);
+const credentialsToPresent = result.map(
+  ({ requiredDisclosures, ...rest }) => ({
+    ...rest,
+    requestedClaims: requiredDisclosures.map(([, claimName]) => claimName),
+  })
+);
+const remotePresentations =
+  await Credential.Presentation.prepareRemotePresentations(
+    credentialsToPresent,
+    requestObject.nonce,
+    requestObject.client_id
+  );
+const authResponse = await Credential.Presentation.sendAuthorizationResponse(
+  requestObject,
+  remotePresentations,
+  rpConf
+);
+```
+</details>

package/src/credential/presentation/errors.ts CHANGED Viewed

@@ -47,12 +47,12 @@ export class NoSuitableKeysFoundInEntityConfiguration extends IoWalletError {
 export class InvalidQRCodeError extends IoWalletError {
   code = "ERR_INVALID_QR_CODE";
-  /**
-   * @param detail A description of why the QR code is considered invalid.
-   */
-  constructor(detail: string) {
-    const message = `QR code is not valid: ${detail}.`;
-    super(message);
+  /** Detailed reason for the QR code validation failure. */
+  reason: string;
+  constructor(reason: string) {
+    super("Invalid QR code");
+    this.reason = reason;
   }
 }
@@ -88,18 +88,25 @@ export class MissingDataError extends IoWalletError {
   }
 }
+export type NotFoundDetail = {
+  id: string;
+  reason?: string;
+  vctValues?: string[];
+};
 /**
- * When a credential is not found in the wallet.
- *
+ * Error thrown when one or more credentials cannot be found in the wallet
+ * and the presentation request cannot be satisfied.
  */
-export class CredentialNotFoundError extends IoWalletError {
-  code = "ERR_CREDENTIAL_NOT_FOUND";
+export class CredentialsNotFoundError extends IoWalletError {
+  code = "ERR_CREDENTIALS_NOT_FOUND";
+  details: NotFoundDetail[];
   /**
-   * @param credentialId The ID of the credential that was not found.
+   * @param details The details of the credentials that could not be found.
    */
-  constructor(credentialId: string) {
-    const message = `Credential not found: ${credentialId}.`;
-    super(message);
+  constructor(details: NotFoundDetail[]) {
+    super("One or more credentials cannot be found in the wallet");
+    this.details = details;
   }
 }

package/src/credential/presentation/index.ts CHANGED Viewed

@@ -17,12 +17,22 @@ import {
   type FetchPresentationDefinition,
 } from "./06-fetch-presentation-definition";
 import {
-  evaluateInputDescriptorForSdJwt4VC,
-  type EvaluateInputDescriptorSdJwt4VC,
+  evaluateInputDescriptors,
+  prepareLegacyRemotePresentations,
+  type EvaluateInputDescriptors,
+  type PrepareLegacyRemotePresentations,
 } from "./07-evaluate-input-descriptor";
+import {
+  evaluateDcqlQuery,
+  prepareRemotePresentations,
+  type EvaluateDcqlQuery,
+  type PrepareRemotePresentations,
+} from "./07-evaluate-dcql-query";
 import {
   sendAuthorizationResponse,
   type SendAuthorizationResponse,
+  sendLegacyAuthorizationResponse,
+  type SendLegacyAuthorizationResponse,
 } from "./08-send-authorization-response";
 import * as Errors from "./errors";
@@ -33,8 +43,12 @@ export {
   getJwksFromConfig,
   verifyRequestObject,
   fetchPresentDefinition,
-  evaluateInputDescriptorForSdJwt4VC,
+  evaluateInputDescriptors,
+  evaluateDcqlQuery,
+  prepareLegacyRemotePresentations,
+  prepareRemotePresentations,
   sendAuthorizationResponse,
+  sendLegacyAuthorizationResponse,
   Errors,
 };
 export type {
@@ -44,6 +58,10 @@ export type {
   FetchJwks,
   VerifyRequestObject,
   FetchPresentationDefinition,
-  EvaluateInputDescriptorSdJwt4VC,
+  EvaluateInputDescriptors,
+  EvaluateDcqlQuery,
+  PrepareLegacyRemotePresentations,
+  PrepareRemotePresentations,
   SendAuthorizationResponse,
+  SendLegacyAuthorizationResponse,
 };

package/src/credential/presentation/types.ts CHANGED Viewed

@@ -94,7 +94,7 @@ export const RequestObject = z.object({
   iss: z.string(),
   iat: UnixTime,
   exp: UnixTime,
-  state: z.string(),
+  state: z.string().optional(),
   nonce: z.string(),
   response_uri: z.string(),
   response_uri_method: z.string().optional(),

package/src/credential/status/02-status-attestation.ts CHANGED Viewed

@@ -13,6 +13,7 @@ import {
   ResponseErrorBuilder,
   UnexpectedStatusCodeError,
 } from "../../utils/errors";
+import { LogLevel, Logger } from "../../utils/logging";
 export type StatusAttestation = (
   issuerConf: Out<EvaluateIssuerTrust>["issuerConf"],
@@ -63,6 +64,8 @@ export const statusAttestation: StatusAttestation = async (
     credential_pop: credentialPop,
   };
+  Logger.log(LogLevel.DEBUG, `Credential pop: ${credentialPop}`);
   const result = await appFetch(statusAttUrl, {
     method: "POST",
     headers: {

package/src/credential/status/03-verify-and-parse-status-attestation.ts CHANGED Viewed

@@ -4,6 +4,7 @@ import { verify, type CryptoContext } from "@pagopa/io-react-native-jwt";
 import type { EvaluateIssuerTrust, StatusAttestation } from "../status";
 import { ParsedStatusAttestation } from "./types";
 import { decode as decodeJwt } from "@pagopa/io-react-native-jwt";
+import { LogLevel, Logger } from "../../utils/logging";
 export type VerifyAndParseStatusAttestation = (
   issuerConf: Out<EvaluateIssuerTrust>["issuerConf"],
@@ -43,9 +44,18 @@ export const verifyAndParseStatusAttestation: VerifyAndParseStatusAttestation =
         payload: decodedJwt.payload,
       });
+      Logger.log(
+        LogLevel.DEBUG,
+        `Parsed status attestation: ${JSON.stringify(parsedStatusAttestation)}`
+      );
       const holderBindingKey = await credentialCryptoContext.getPublicKey();
       const { cnf } = parsedStatusAttestation.payload;
       if (!cnf.jwk.kid || cnf.jwk.kid !== holderBindingKey.kid) {
+        Logger.log(
+          LogLevel.ERROR,
+          `Failed to verify holder binding for status attestation, expected kid: ${holderBindingKey.kid}, got: ${parsedStatusAttestation.payload.cnf.jwk.kid}`
+        );
         throw new IoWalletError(
           `Failed to verify holder binding for status attestation, expected kid: ${holderBindingKey.kid}, got: ${parsedStatusAttestation.payload.cnf.jwk.kid}`
         );

package/src/credential/trustmark/get-credential-trustmark.ts CHANGED Viewed

@@ -7,6 +7,7 @@ import {
 import * as WalletInstanceAttestation from "../../wallet-instance-attestation";
 import { IoWalletError } from "../../utils/errors";
 import { obfuscateString } from "../../utils/string";
+import { LogLevel, Logger } from "../../utils/logging";
 export type GetCredentialTrustmarkJwt = (params: {
   /**
@@ -73,10 +74,19 @@ export const getCredentialTrustmark: GetCredentialTrustmarkJwt = async ({
     walletInstanceAttestation
   );
+  Logger.log(
+    LogLevel.DEBUG,
+    `Decoded wia ${JSON.stringify(decodedWia.payload)} with holder binding key ${JSON.stringify(holderBindingKey)}`
+  );
   /**
    * Check that the WIA is not expired
    */
   if (decodedWia.payload.exp * 1000 < Date.now()) {
+    Logger.log(
+      LogLevel.ERROR,
+      `Wallet Instance Attestation expired with exp: ${decodedWia.payload.exp}`
+    );
     throw new IoWalletError("Wallet Instance Attestation expired");
   }
@@ -87,11 +97,20 @@ export const getCredentialTrustmark: GetCredentialTrustmarkJwt = async ({
   const cryptoContextThumbprint = await thumbprint(holderBindingKey);
   if (wiaThumbprint !== cryptoContextThumbprint) {
+    Logger.log(
+      LogLevel.ERROR,
+      `Failed to verify holder binding for status attestation, expected thumbprint: ${cryptoContextThumbprint}, got: ${wiaThumbprint}`
+    );
     throw new IoWalletError(
       `Failed to verify holder binding for status attestation, expected thumbprint: ${cryptoContextThumbprint}, got: ${wiaThumbprint}`
     );
   }
+  Logger.log(
+    LogLevel.DEBUG,
+    `Wia thumbprint: ${wiaThumbprint} CryptoContext thumbprint: ${cryptoContextThumbprint}`
+  );
   /**
    * Generate Trustmark signed JWT
    */

package/src/index.ts CHANGED Viewed

@@ -11,6 +11,7 @@ import * as Errors from "./utils/errors";
 import * as WalletInstanceAttestation from "./wallet-instance-attestation";
 import * as Trust from "./trust";
 import * as WalletInstance from "./wallet-instance";
+import * as Logging from "./utils/logging";
 import { AuthorizationDetail, AuthorizationDetails } from "./utils/par";
 import { createCryptoContextFor } from "./utils/crypto";
 import type { IntegrityContext } from "./utils/integrity";
@@ -27,6 +28,7 @@ export {
   AuthorizationDetail,
   AuthorizationDetails,
   fixBase64EncodingOnKey,
+  Logging,
 };
 export type { IntegrityContext, AuthorizationContext };

package/src/utils/decoder.ts CHANGED Viewed

@@ -1,6 +1,7 @@
 import { decode as decodeJwt } from "@pagopa/io-react-native-jwt";
 import type { JWTDecodeResult } from "./jwk";
 import { ValidationFailed } from "./errors";
+import { LogLevel, Logger } from "./logging";
 /*
  * Decode a form_post.jwt and return the final JWT.
@@ -47,6 +48,10 @@ export const getJwtFromFormPost = async (
     }
   }
+  Logger.log(
+    LogLevel.ERROR,
+    `Unable to obtain JWT from form_post.jwt. Form data: ${formData}`
+  );
   throw new ValidationFailed({
     message: `Unable to obtain JWT from form_post.jwt. Form data: ${formData}`,
   });

package/src/utils/logging.ts ADDED Viewed

@@ -0,0 +1,68 @@
+/**
+ * Logger interface which can be provided to the Logger class as a custom implementation.
+ */
+export interface LoggingContext {
+  logDebug: (msg: string) => void;
+  logInfo: (msg: string) => void;
+  logWarn: (msg: string) => void;
+  logError: (msg: string) => void;
+}
+/**
+ * Supported debug levels.
+ */
+export enum LogLevel {
+  DEBUG,
+  INFO,
+  WARN,
+  ERROR,
+}
+/**
+ * Logger singleton class which provides a simple logging interface with an init function to set the logging context and
+ * a static log function to log messages based on the debug level.
+ * This can be used as follows:
+ * const logger = Logger.getInstance();
+ * logger.initLogging(yourLoggingContext);
+ * logger.log(LogLevel.DEBUG, "Debug message");
+ */
+export class Logger {
+  private static instance: Logger | null = null;
+  private static loggingContext?: LoggingContext;
+  // Private constructor to prevent direct instantiation
+  private constructor() {}
+  // Public static method to get the Logger instance
+  public static getInstance(): Logger {
+    if (Logger.instance === null) {
+      Logger.instance = new Logger();
+    }
+    return Logger.instance;
+  }
+  // Method to initialize the logging context
+  public initLogging(loggingCtx: LoggingContext): void {
+    Logger.loggingContext = loggingCtx;
+  }
+  // Method to log based on the level which wraps the null check for the logging context
+  public static log(level: LogLevel, msg: string): void {
+    if (Logger.loggingContext) {
+      switch (level) {
+        case LogLevel.DEBUG:
+          Logger.loggingContext.logDebug(msg);
+          break;
+        case LogLevel.INFO:
+          Logger.loggingContext.logInfo(msg);
+          break;
+        case LogLevel.WARN:
+          Logger.loggingContext.logWarn(msg);
+          break;
+        case LogLevel.ERROR:
+          Logger.loggingContext.logError(msg);
+          break;
+      }
+    }
+  }
+}

package/src/utils/misc.ts CHANGED Viewed

@@ -1,5 +1,6 @@
 import { IoWalletError, UnexpectedStatusCodeError } from "./errors";
 import { sha256 } from "js-sha256";
+import { LogLevel, Logger } from "./logging";
 /**
  * Check if a response is in the expected status, otherwise throw an error
@@ -13,6 +14,10 @@ export const hasStatusOrThrow =
   async (res: Response): Promise<Response> => {
     if (res.status !== status) {
       const ErrorClass = customError ?? UnexpectedStatusCodeError;
+      Logger.log(
+        LogLevel.ERROR,
+        `Http request failed. Expected ${status}, got ${res.status}, url: ${res.url}`
+      );
       throw new ErrorClass({
         message: `Http request failed. Expected ${status}, got ${res.status}, url: ${res.url}`,
         statusCode: res.status,

package/src/utils/par.ts CHANGED Viewed

@@ -9,6 +9,7 @@ import * as WalletInstanceAttestation from "../wallet-instance-attestation";
 import { generateRandomAlphaNumericString, hasStatusOrThrow } from "./misc";
 import { createPopToken } from "./pop";
 import { IssuerResponseError } from "./errors";
+import { LogLevel, Logger } from "./logging";
 export type AuthorizationDetail = z.infer<typeof AuthorizationDetail>;
 export const AuthorizationDetail = z.object({
@@ -103,6 +104,11 @@ export const makeParRequest =
       client_assertion: walletInstanceAttestation + "~" + signedWiaPoP,
     });
+    Logger.log(
+      LogLevel.DEBUG,
+      `Sending to PAR endpoint ${parEndpoint}: ${formBody}`
+    );
     return await appFetch(parEndpoint, {
       method: "POST",
       headers: {

package/src/wallet-instance/index.ts CHANGED Viewed

@@ -6,6 +6,7 @@ import {
 } from "../utils/errors";
 import type { WalletInstanceData } from "../client/generated/wallet-provider";
 import type { IntegrityContext } from "..";
+import { LogLevel, Logger } from "../utils/logging";
 export async function createWalletInstance(context: {
   integrityContext: IntegrityContext;
@@ -13,15 +14,25 @@ export async function createWalletInstance(context: {
   appFetch?: GlobalFetch["fetch"];
 }) {
   const { integrityContext } = context;
   const api = getWalletProviderClient(context);
   //1. Obtain nonce
   const challenge = await api.get("/nonce").then((response) => response.nonce);
+  Logger.log(
+    LogLevel.DEBUG,
+    `Challenge obtained from ${context.walletProviderBaseUrl}: ${challenge}`
+  );
   const keyAttestation = await integrityContext.getAttestation(challenge);
   const hardwareKeyTag = integrityContext.getHardwareKeyTag();
+  Logger.log(
+    LogLevel.DEBUG,
+    `Key attestation: ${keyAttestation}\nAssociated hardware key tag: ${hardwareKeyTag}`
+  );
   //2. Create Wallet Instance
   await api
     .post("/wallet-instances", {
@@ -37,6 +48,11 @@ export async function createWalletInstance(context: {
 }
 const handleCreateWalletInstanceError = (e: unknown) => {
+  Logger.log(
+    LogLevel.ERROR,
+    `An error occurred while calling /wallet-instances endpoint: ${e}`
+  );
   if (!(e instanceof WalletProviderResponseError)) {
     throw e;
   }

package/src/wallet-instance-attestation/issuing.ts CHANGED Viewed

@@ -12,6 +12,7 @@ import {
   WalletProviderResponseErrorCodes,
 } from "../utils/errors";
 import { TokenResponse } from "./types";
+import { LogLevel, Logger } from "../utils/logging";
 /**
  * Getter for an attestation request. The attestation request is a JWT that will be sent to the Wallet Provider to request a Wallet Instance Attestation.
@@ -92,6 +93,10 @@ export const getAttestation = async ({
   // 1. Get nonce from backend
   const challenge = await api.get("/nonce").then((response) => response.nonce);
+  Logger.log(
+    LogLevel.DEBUG,
+    `Challenge obtained from ${walletProviderBaseUrl}: ${challenge} `
+  );
   // 2. Get a signed attestation request
   const signedAttestationRequest = await getAttestationRequest(
@@ -100,6 +105,10 @@ export const getAttestation = async ({
     integrityContext,
     walletProviderBaseUrl
   );
+  Logger.log(
+    LogLevel.DEBUG,
+    `Signed attestation request: ${signedAttestationRequest}`
+  );
   // 3. Request WIA
   const tokenResponse = await api
@@ -112,10 +121,20 @@ export const getAttestation = async ({
     .then((result) => TokenResponse.parse(result))
     .catch(handleAttestationCreationError);
+  Logger.log(
+    LogLevel.DEBUG,
+    `Obtained wallet attestation: ${tokenResponse.wallet_attestation}`
+  );
   return tokenResponse.wallet_attestation;
 };
 const handleAttestationCreationError = (e: unknown) => {
+  Logger.log(
+    LogLevel.ERROR,
+    `An error occurred while calling /token endpoint: ${e}`
+  );
   if (!(e instanceof WalletProviderResponseError)) {
     throw e;
   }