@pagopa/io-react-native-wallet 0.4.2 → 0.5.0

package/src/rp/index.ts

@@ -10,6 +10,7 @@ import {
   SignJWT,
   EncryptJwe,
   verify,
+  type CryptoContext,
 } from "@pagopa/io-react-native-jwt";
 import {
   QRCodePayload,
@@ -21,102 +22,111 @@ import {
 import uuid from "react-native-uuid";
 import type { JWK } from "@pagopa/io-react-native-jwt/lib/typescript/types";
 import { disclose } from "../sd-jwt";
-import { getEntityConfiguration } from "../trust";
+import { getEntityConfiguration as getGenericEntityConfiguration } from "../trust";
+import { createDPopToken } from "../utils/dpop";
+import { WalletInstanceAttestation } from "..";
 
-export class RelyingPartySolution {
-  relyingPartyBaseUrl: string;
-  walletInstanceAttestation: string;
-  appFetch: GlobalFetch["fetch"];
+/**
+ * Select a RSA public key from those provided by the RP to encrypt.
+ *
+ * @param entity The RP entity configuration
+ * @returns A suitable public key with its compatible encryption algorithm
+ * @throws {NoSuitableKeysFoundInEntityConfiguration} If entity do not contain any public key suitable for encrypting
+ */
+const chooseRSAPublicKeyToEncrypt = (entity: RpEntityConfiguration): JWK => {
+  const [usingRsa256] =
+    entity.payload.metadata.wallet_relying_party.jwks.filter(
+      (jwk) => jwk.use === "enc" && jwk.kty === "RSA"
+    );
 
-  constructor(
-    relyingPartyBaseUrl: string,
-    walletInstanceAttestation: string,
-    appFetch: GlobalFetch["fetch"] = fetch
-  ) {
-    this.relyingPartyBaseUrl = relyingPartyBaseUrl;
-    this.walletInstanceAttestation = walletInstanceAttestation;
-    this.appFetch = appFetch;
+  if (usingRsa256) {
+    return usingRsa256;
   }
 
-  /**
-   * Decode a QR code content to an authentication request url.
-   * @function
-   * @param qrcode QR code content
-   *
-   * @returns The authentication request url
-   *
-   */
-  static decodeAuthRequestQR(qrcode: string): QRCodePayload {
-    const decoded = decodeBase64(qrcode);
-    const decodedUrl = new URL(decoded);
-    const protocol = decodedUrl.protocol;
-    const resource = decodedUrl.hostname;
-    const requestURI = decodedUrl.searchParams.get("request_uri");
-    const clientId = decodedUrl.searchParams.get("client_id");
+  // No suitable key has been found
+  throw new NoSuitableKeysFoundInEntityConfiguration(
+    "Encrypt with RP public key"
+  );
+};
 
-    const result = QRCodePayload.safeParse({
-      protocol,
-      resource,
-      requestURI,
-      clientId,
-    });
+/**
+ * Obtain the relying party entity configuration.
+ */
+export const getEntityConfiguration =
+  ({ appFetch = fetch }: { appFetch?: GlobalFetch["fetch"] } = {}) =>
+  async (relyingPartyBaseUrl: string): Promise<RpEntityConfiguration> => {
+    return getGenericEntityConfiguration(relyingPartyBaseUrl, {
+      appFetch: appFetch,
+    }).then(RpEntityConfiguration.parse);
+  };
 
-    if (result.success) {
-      return result.data;
-    } else {
-      throw new AuthRequestDecodeError(result.error.message, `${decodedUrl}`);
-    }
-  }
-  /**
-   * Obtain the unsigned wallet instance DPoP for authentication request
-   *
-   * @function
-   * @param walletInstanceAttestationJwk JWT of the Wallet Instance Attestation
-   * @param authRequestUrl authentication request url
-   *
-   * @returns The unsigned wallet instance DPoP
-   *
-   */
-  async getUnsignedWalletInstanceDPoP(
-    walletInstanceAttestationJwk: any,
-    authRequestUrl: string
-  ): Promise<string> {
-    return await new SignJWT({
-      jti: `${uuid.v4()}`,
-      htm: "GET",
-      htu: authRequestUrl,
-      ath: await sha256ToBase64(this.walletInstanceAttestation),
-    })
-      .setProtectedHeader({
-        alg: "ES256",
-        jwk: walletInstanceAttestationJwk,
-        typ: "dpop+jwt",
-      })
-      .setIssuedAt()
-      .setExpirationTime("1h")
-      .toSign();
+/**
+ * Decode a QR code content to an authentication request url.
+ * @function
+ * @param qrcode QR code content
+ *
+ * @returns The authentication request url
+ *
+ */
+export const decodeAuthRequestQR = (qrcode: string): QRCodePayload => {
+  const decoded = decodeBase64(qrcode);
+  const decodedUrl = new URL(decoded);
+  const protocol = decodedUrl.protocol;
+  const resource = decodedUrl.hostname;
+  const requestURI = decodedUrl.searchParams.get("request_uri");
+  const clientId = decodedUrl.searchParams.get("client_id");
+
+  const result = QRCodePayload.safeParse({
+    protocol,
+    resource,
+    requestURI,
+    clientId,
+  });
+
+  if (result.success) {
+    return result.data;
+  } else {
+    throw new AuthRequestDecodeError(result.error.message, `${decodedUrl}`);
   }
+};
+
+export type RequestObjectConf = {
+  requestObject: RequestObject;
+  rpEntityConfiguration: RpEntityConfiguration;
+  walletInstanceAttestation: string;
+};
 
-  /**
-   * Obtain the Request Object for RP authentication
-   * @see https://italia.github.io/eudi-wallet-it-docs/versione-corrente/en/relying-party-solution.html
-   *
-   * @async @function
-   * @param signedWalletInstanceDPoP JWT of the Wallet Instance Attestation DPoP
-   *
-   * @returns The Request Object JWT
-   * @throws {NoSuitableKeysFoundInEntityConfiguration} When the Request Object is signed with a key not listed in RP's entity configuration
-   *
-   */
-  async getRequestObject(
-    signedWalletInstanceDPoP: string,
+/**
+ * Obtain the Request Object for RP authentication
+ * @see https://italia.github.io/eudi-wallet-it-docs/versione-corrente/en/relying-party-solution.html
+ */
+export const getRequestObject =
+  ({
+    wiaCryptoContext,
+    appFetch = fetch,
+  }: {
+    wiaCryptoContext: CryptoContext;
+    appFetch?: GlobalFetch["fetch"];
+  }) =>
+  async (
+    walletInstanceAttestation: string,
     requestUri: string,
-    entity: RpEntityConfiguration
-  ): Promise<RequestObject> {
-    const response = await this.appFetch(requestUri, {
+    rpEntityConfiguration: RpEntityConfiguration
+  ): Promise<RequestObjectConf> => {
+    const signedWalletInstanceDPoP = await createDPopToken(
+      {
+        jti: `${uuid.v4()}`,
+        htm: "GET",
+        htu: requestUri,
+        ath: await sha256ToBase64(walletInstanceAttestation),
+      },
+      wiaCryptoContext
+    );
+
+    const response = await appFetch(requestUri, {
       method: "GET",
       headers: {
-        Authorization: `DPoP ${this.walletInstanceAttestation}`,
+        Authorization: `DPoP ${walletInstanceAttestation}`,
         DPoP: signedWalletInstanceDPoP,
       },
     });
@@ -130,9 +140,10 @@ export class RelyingPartySolution {
       // verify token signature according to RP's entity configuration
       // to ensure the request object is authentic
       {
-        const pubKey = entity.payload.metadata.wallet_relying_party.jwks.find(
-          ({ kid }) => kid === responseJwt.protectedHeader.kid
-        );
+        const pubKey =
+          rpEntityConfiguration.payload.metadata.wallet_relying_party.jwks.find(
+            ({ kid }) => kid === responseJwt.protectedHeader.kid
+          );
         if (!pubKey) {
           throw new NoSuitableKeysFoundInEntityConfiguration(
             "Request Object signature verification"
@@ -142,67 +153,68 @@ export class RelyingPartySolution {
       }
 
       // parse request object it has the expected shape by specification
-      const requestObj = RequestObject.parse({
+      const requestObject = RequestObject.parse({
         header: responseJwt.protectedHeader,
         payload: responseJwt.payload,
       });
 
-      return requestObj;
+      return {
+        requestObject,
+        rpEntityConfiguration,
+        walletInstanceAttestation,
+      };
     }
 
     throw new IoWalletError(
-      `Unable to obtain Request Object. Response code: ${response.status}`
+      `Unable to obtain Request Object. Response code: ${response.status}
+      ${await response.text()}`
     );
-  }
+  };
 
-  /**
-   * Prepare the Verified Presentation token for a received request object in the context of an authorization request flow.
-   * The presentation is prepared by disclosing data from provided credentials, according to requested claims
-   * Each Verified Credential come along with the claims the user accepts to disclose from it.
-   *
-   * The returned token is unsigned (sign should be apply by the caller).
-   *
-   * @todo accept more than a Verified Credential
-   *
-   * @param requestObj The incoming request object, which the requirements for the requested authorization
-   * @param walletInstanceIdentifier The identifies of the wallt instance that is presenting
-   * @param presentation The Verified Credential containing user data along with the list of claims to be disclosed.
-   * @param signKeyId The kid of the key that will be used to sign
-   * @returns The unsigned Verified Presentation token
-   * @throws {ClaimsNotFoundBetweenDislosures} If the Verified Credential does not contain one or more requested claims.
-   *
-   */
-  async prepareVpToken(
-    requestObj: RequestObject,
-    walletInstanceIdentifier: string,
-    [vc, claims]: Presentation, // TODO: [SIW-353] support multiple presentations,
-    signKeyId: string
+/**
+ * Prepare the Verified Presentation token for a received request object in the context of an authorization request flow.
+ * The presentation is prepared by disclosing data from provided credentials, according to requested claims
+ * Each Verified Credential come along with the claims the user accepts to disclose from it.
+ *
+ * @todo accept more than a Verified Credential
+ */
+const prepareVpToken =
+  ({ pidCryptoContext }: { pidCryptoContext: CryptoContext }) =>
+  async (
+    { requestObject, walletInstanceAttestation }: RequestObjectConf,
+    [vc, claims]: Presentation // TODO: [SIW-353] support multiple presentations,
   ): Promise<{
     vp_token: string;
     presentation_submission: Record<string, unknown>;
-  }> {
+  }> => {
     // this throws if vc cannot satisfy all the requested claims
     const { token: vp, paths } = await disclose(vc, claims);
 
-    // TODO: [SIW-359] check all requeste claims of the requestedObj are satisfied
+    // obtain issuer from Wallet Instance
+    const {
+      payload: { iss },
+    } = WalletInstanceAttestation.decode(walletInstanceAttestation);
 
-    const vp_token = new SignJWT({
-      vp: vp,
-      jti: `${uuid.v4()}`,
-      iss: walletInstanceIdentifier,
-      nonce: requestObj.payload.nonce,
-    })
-      .setAudience(requestObj.payload.response_uri)
-      .setIssuedAt()
-      .setExpirationTime("1h")
+    const pidKid = await pidCryptoContext.getPublicKey().then((_) => _.kid);
+
+    // TODO: [SIW-359] check all requeste claims of the requestedObj are satisfied
+    const vp_token = await new SignJWT(pidCryptoContext)
       .setProtectedHeader({
         typ: "JWT",
-        alg: "ES256",
-        kid: signKeyId,
+        kid: pidKid,
+      })
+      .setPayload({
+        vp: vp,
+        jti: `${uuid.v4()}`,
+        iss,
+        nonce: requestObject.payload.nonce,
       })
-      .toSign();
+      .setAudience(requestObject.payload.response_uri)
+      .setIssuedAt()
+      .setExpirationTime("1h")
+      .sign();
 
-    const vc_scope = requestObj.payload.scope;
+    const vc_scope = requestObject.payload.scope;
     const presentation_submission = {
       definition_id: `${uuid.v4()}`,
       id: `${uuid.v4()}`,
@@ -214,36 +226,49 @@ export class RelyingPartySolution {
     };
 
     return { vp_token, presentation_submission };
-  }
+  };
 
-  /**
-   * Compose and send an Authorization Response in the context of an authorization request flow.
-   *
-   * @todo MUST add presentation_submission
-   *
-   * @param requestObj The incoming request object, which the requirements for the requested authorization
-   * @param vp_token The signed Verified Presentation token with data to send.
-   * @param presentation_submission
-   * @param entity The RP entity configuration
-   * @returns The response from the RP
-   * @throws {IoWalletError} if the submission fails.
-   * @throws {NoSuitableKeysFoundInEntityConfiguration} If entity do not contain any public key
-   *
-   */
-  async sendAuthorizationResponse(
-    requestObj: RequestObject,
-    vp_token: string,
-    presentation_submission: Record<string, unknown>,
-    entity: RpEntityConfiguration
-  ): Promise<string> {
+/**
+ * Compose and send an Authorization Response in the context of an authorization request flow.
+ *
+ * @todo MUST add presentation_submission
+ *
+ */
+export const sendAuthorizationResponse =
+  ({
+    pidCryptoContext,
+    appFetch = fetch,
+  }: {
+    pidCryptoContext: CryptoContext;
+    appFetch?: GlobalFetch["fetch"];
+  }) =>
+  async (
+    {
+      requestObject,
+      rpEntityConfiguration,
+      walletInstanceAttestation,
+    }: RequestObjectConf,
+    presentation: Presentation // TODO: [SIW-353] support multiple presentations,
+  ): Promise<string> => {
     // the request is an unsigned jws without iss, aud, exp
     // https://openid.net/specs/openid-4-verifiable-presentations-1_0.html#name-signed-and-encrypted-respon
-    const jwk = this.chooseRSAPublicKeyToEncrypt(entity);
+    const jwk = chooseRSAPublicKeyToEncrypt(rpEntityConfiguration);
+
+    const { vp_token, presentation_submission } = await prepareVpToken({
+      pidCryptoContext,
+    })(
+      {
+        requestObject,
+        rpEntityConfiguration,
+        walletInstanceAttestation,
+      },
+      presentation
+    );
 
     const authzResponsePayload = JSON.stringify({
-      state: requestObj.payload.state,
+      state: requestObject.payload.state,
       presentation_submission,
-      nonce: requestObj.payload.nonce,
+      nonce: requestObject.payload.nonce,
       vp_token,
     });
 
@@ -256,7 +281,7 @@ export class RelyingPartySolution {
     const formBody = new URLSearchParams({ response: encrypted });
     const body = formBody.toString();
 
-    const response = await this.appFetch(requestObj.payload.response_uri, {
+    const response = await appFetch(requestObject.payload.response_uri, {
       method: "POST",
       headers: {
         "Content-Type": "application/x-www-form-urlencoded",
@@ -273,37 +298,4 @@ export class RelyingPartySolution {
         response.status
       }`
     );
-  }
-
-  /**
-   * Select a RSA public key from those provided by the RP to encrypt.
-   *
-   * @param entity The RP entity configuration
-   * @returns A suitable public key with its compatible encryption algorithm
-   * @throws {NoSuitableKeysFoundInEntityConfiguration} If entity do not contain any public key suitable for encrypting
-   */
-  private chooseRSAPublicKeyToEncrypt(entity: RpEntityConfiguration): JWK {
-    const [usingRsa256] =
-      entity.payload.metadata.wallet_relying_party.jwks.filter(
-        (jwk) => jwk.use === "enc" && jwk.kty === "RSA"
-      );
-
-    if (usingRsa256) {
-      return usingRsa256;
-    }
-
-    // No suitable key has been found
-    throw new NoSuitableKeysFoundInEntityConfiguration(
-      "Encrypt with RP public key"
-    );
-  }
-
-  /**
-   * Obtain the relying party entity configuration.
-   */
-  async getEntityConfiguration(): Promise<RpEntityConfiguration> {
-    return getEntityConfiguration(this.relyingPartyBaseUrl, {
-      appFetch: this.appFetch,
-    }).then(RpEntityConfiguration.parse);
-  }
-}
+  };

package/src/sd-jwt/index.ts

@@ -7,7 +7,7 @@ import { sha256ToBase64 } from "@pagopa/io-react-native-jwt";
 import { decodeBase64 } from "@pagopa/io-react-native-jwt";
 import { Disclosure, SdJwt4VC, type DisclosureWithEncoded } from "./types";
 import { verifyDisclosure } from "./verifier";
-import type { JWK } from "src/utils/jwk";
+import type { JWK } from "../utils/jwk";
 import {
   ClaimsNotFoundBetweenDislosures,
   ClaimsNotFoundInToken,

package/src/trust/types.ts

@@ -22,40 +22,47 @@ export const EntityStatement = z.object({
   }),
 });
 
+export type EntityConfigurationHeader = z.infer<
+  typeof EntityConfigurationHeader
+>;
+export const EntityConfigurationHeader = z.object({
+  typ: z.literal("entity-statement+jwt"),
+  alg: z.string(),
+  kid: z.string(),
+});
+
 export type EntityConfiguration = z.infer<typeof EntityConfiguration>;
 export const EntityConfiguration = z.object({
-  header: z.object({
-    typ: z.literal("entity-statement+jwt"),
-    alg: z.string(),
-    kid: z.string(),
-  }),
-  payload: z.object({
-    exp: UnixTime,
-    iat: UnixTime,
-    iss: z.string(),
-    sub: z.string(),
-    jwks: z.object({
-      keys: z.array(JWK),
-    }),
-    metadata: z
-      .object({
-        federation_entity: z
-          .object({
-            federation_fetch_endpoint: z.string().optional(),
-            federation_list_endpoint: z.string().optional(),
-            federation_resolve_endpoint: z.string().optional(),
-            federation_trust_mark_status_endpoint: z.string().optional(),
-            federation_trust_mark_list_endpoint: z.string().optional(),
-            homepage_uri: z.string().optional(),
-            policy_uri: z.string().optional(),
-            logo_uri: z.string().optional(),
-            contacts: z.array(z.string()).optional(),
-          })
-          .passthrough(),
-      })
-      .passthrough(),
-    authority_hints: z.array(z.string()).optional(),
-  }),
+  header: EntityConfigurationHeader,
+  payload: z
+    .object({
+      exp: UnixTime,
+      iat: UnixTime,
+      iss: z.string(),
+      sub: z.string(),
+      jwks: z.object({
+        keys: z.array(JWK),
+      }),
+      metadata: z
+        .object({
+          federation_entity: z
+            .object({
+              federation_fetch_endpoint: z.string().optional(),
+              federation_list_endpoint: z.string().optional(),
+              federation_resolve_endpoint: z.string().optional(),
+              federation_trust_mark_status_endpoint: z.string().optional(),
+              federation_trust_mark_list_endpoint: z.string().optional(),
+              homepage_uri: z.string().optional(),
+              policy_uri: z.string().optional(),
+              logo_uri: z.string().optional(),
+              contacts: z.array(z.string()).optional(),
+            })
+            .passthrough(),
+        })
+        .passthrough(),
+      authority_hints: z.array(z.string()).optional(),
+    })
+    .passthrough(),
 });
 
 export type TrustAnchorEntityConfiguration = z.infer<

package/src/utils/crypto.ts

@@ -0,0 +1,41 @@
+import { getPublicKey, sign } from "@pagopa/io-react-native-crypto";
+import { thumbprint, type CryptoContext } from "@pagopa/io-react-native-jwt";
+import { fixBase64EncodingOnKey } from "./jwk";
+
+/**
+ * Create a CryptoContext bound to a key pair.
+ * Key pair is supposed to exist already in the device's keychain.
+ * It's identified by its unique keytag.
+ *
+ * @returns the crypto context
+ */
+export const createCryptoContextFor = (keytag: string): CryptoContext => {
+  return {
+    /**
+     * Retrieve the public key of the pair.
+     * If the key pair doesn't exist yet, an error is raised
+     * @returns The public key.
+     */
+    async getPublicKey() {
+      return getPublicKey(keytag)
+        .then(fixBase64EncodingOnKey)
+        .then(async (jwk) => ({
+          ...jwk,
+          // Keys in the TEE are not stored with their KID, which is supposed to be assigned when they are included in JWK sets.
+          // (that is, KID is not a propoerty of the key itself, but it's property used to identify a key in a set).
+          // We assume the convention we use the thumbprint of the public key as KID, thus for easy development we decided to evaluate KID here
+          // However the values is an arbitrary string that might be anything
+          kid: await thumbprint(jwk),
+        }));
+    },
+    /**
+     * Get a signature for a provided value.
+     * If the key pair doesn't exist yet, an error is raised.
+     * @param value
+     * @returns The signature for the value
+     */
+    async getSignature(value: string) {
+      return sign(value, keytag);
+    },
+  };
+};

package/src/utils/dpop.ts

@@ -1,19 +1,29 @@
 import * as z from "zod";
 
-import { SignJWT } from "@pagopa/io-react-native-jwt";
-import type { JWK } from "./jwk";
+import { SignJWT, type CryptoContext } from "@pagopa/io-react-native-jwt";
 
-export const getUnsignedDPop = (jwk: JWK, payload: DPoPPayload): string => {
-  const dPop = new SignJWT(payload)
+/**
+ * Create a signed DPoP token
+ *
+ * @param payload The payload to be included in the token.
+ * @param crypto The crypto context that handles the key bound to the DPoP.
+ *
+ * @returns The signed crypto token.
+ */
+export const createDPopToken = async (
+  payload: DPoPPayload,
+  crypto: CryptoContext
+): Promise<string> => {
+  const jwk = await crypto.getPublicKey();
+  return new SignJWT(crypto)
+    .setPayload(payload)
     .setProtectedHeader({
-      alg: "ES256",
       typ: "dpop+jwt",
       jwk,
     })
     .setIssuedAt()
     .setExpirationTime("1h")
-    .toSign();
-  return dPop;
+    .sign();
 };
 
 export type DPoPPayload = z.infer<typeof DPoPPayload>;

package/src/wallet-instance-attestation/index.ts

@@ -2,8 +2,8 @@ import { WalletInstanceAttestationJwt } from "./types";
 import { decode as decodeJwt } from "@pagopa/io-react-native-jwt";
 import { verify as verifyJwt } from "@pagopa/io-react-native-jwt";
 
-import { Issuing } from "./issuing";
-export { Issuing };
+import { getAttestation } from "./issuing";
+export { getAttestation };
 /**
  * Decode a given JWT to get the parsed Wallet Instance Attestation object they define.
  * It ensures provided data is in a valid shape.