@pagopa/io-react-native-wallet 0.4.3 → 0.6.0

package/src/rp/index.ts

@@ -10,113 +10,109 @@ import {
   SignJWT,
   EncryptJwe,
   verify,
+  type CryptoContext,
 } from "@pagopa/io-react-native-jwt";
-import {
-  QRCodePayload,
-  RequestObject,
-  RpEntityConfiguration,
-  type Presentation,
-} from "./types";
+import { QRCodePayload, RequestObject, type Presentation } from "./types";
 
 import uuid from "react-native-uuid";
 import type { JWK } from "@pagopa/io-react-native-jwt/lib/typescript/types";
 import { disclose } from "../sd-jwt";
-import { getEntityConfiguration } from "../trust";
+import { createDPopToken } from "../utils/dpop";
+import { RelyingPartyEntityConfiguration } from "../trust/types";
+import * as WalletInstanceAttestation from "../wallet-instance-attestation";
 
-export class RelyingPartySolution {
-  relyingPartyBaseUrl: string;
-  walletInstanceAttestation: string;
-  appFetch: GlobalFetch["fetch"];
+/**
+ * Select a RSA public key from those provided by the RP to encrypt.
+ *
+ * @param entity The RP entity configuration
+ * @returns A suitable public key with its compatible encryption algorithm
+ * @throws {NoSuitableKeysFoundInEntityConfiguration} If entity do not contain any public key suitable for encrypting
+ */
+const chooseRSAPublicKeyToEncrypt = (
+  entity: RelyingPartyEntityConfiguration
+): JWK => {
+  const [usingRsa256] =
+    entity.payload.metadata.wallet_relying_party.jwks.filter(
+      (jwk) => jwk.use === "enc" && jwk.kty === "RSA"
+    );
 
-  constructor(
-    relyingPartyBaseUrl: string,
-    walletInstanceAttestation: string,
-    appFetch: GlobalFetch["fetch"] = fetch
-  ) {
-    this.relyingPartyBaseUrl = relyingPartyBaseUrl;
-    this.walletInstanceAttestation = walletInstanceAttestation;
-    this.appFetch = appFetch;
+  if (usingRsa256) {
+    return usingRsa256;
   }
 
-  /**
-   * Decode a QR code content to an authentication request url.
-   * @function
-   * @param qrcode QR code content
-   *
-   * @returns The authentication request url
-   *
-   */
-  static decodeAuthRequestQR(qrcode: string): QRCodePayload {
-    const decoded = decodeBase64(qrcode);
-    const decodedUrl = new URL(decoded);
-    const protocol = decodedUrl.protocol;
-    const resource = decodedUrl.hostname;
-    const requestURI = decodedUrl.searchParams.get("request_uri");
-    const clientId = decodedUrl.searchParams.get("client_id");
+  // No suitable key has been found
+  throw new NoSuitableKeysFoundInEntityConfiguration(
+    "Encrypt with RP public key"
+  );
+};
 
-    const result = QRCodePayload.safeParse({
-      protocol,
-      resource,
-      requestURI,
-      clientId,
-    });
+/**
+ * Decode a QR code content to an authentication request url.
+ * @function
+ * @param qrcode QR code content
+ *
+ * @returns The authentication request url
+ *
+ */
+export const decodeAuthRequestQR = (qrcode: string): QRCodePayload => {
+  const decoded = decodeBase64(qrcode);
+  const decodedUrl = new URL(decoded);
+  const protocol = decodedUrl.protocol;
+  const resource = decodedUrl.hostname;
+  const requestURI = decodedUrl.searchParams.get("request_uri");
+  const clientId = decodedUrl.searchParams.get("client_id");
 
-    if (result.success) {
-      return result.data;
-    } else {
-      throw new AuthRequestDecodeError(result.error.message, `${decodedUrl}`);
-    }
-  }
-  /**
-   * Obtain the unsigned wallet instance DPoP for authentication request
-   *
-   * @function
-   * @param walletInstanceAttestationJwk JWT of the Wallet Instance Attestation
-   * @param authRequestUrl authentication request url
-   *
-   * @returns The unsigned wallet instance DPoP
-   *
-   */
-  async getUnsignedWalletInstanceDPoP(
-    walletInstanceAttestationJwk: any,
-    authRequestUrl: string
-  ): Promise<string> {
-    return await new SignJWT({
-      jti: `${uuid.v4()}`,
-      htm: "GET",
-      htu: authRequestUrl,
-      ath: await sha256ToBase64(this.walletInstanceAttestation),
-    })
-      .setProtectedHeader({
-        alg: "ES256",
-        jwk: walletInstanceAttestationJwk,
-        typ: "dpop+jwt",
-      })
-      .setIssuedAt()
-      .setExpirationTime("1h")
-      .toSign();
+  const result = QRCodePayload.safeParse({
+    protocol,
+    resource,
+    requestURI,
+    clientId,
+  });
+
+  if (result.success) {
+    return result.data;
+  } else {
+    throw new AuthRequestDecodeError(result.error.message, `${decodedUrl}`);
   }
+};
+
+export type RequestObjectConf = {
+  requestObject: RequestObject;
+  rpEntityConfiguration: RelyingPartyEntityConfiguration;
+  walletInstanceAttestation: string;
+};
 
-  /**
-   * Obtain the Request Object for RP authentication
-   * @see https://italia.github.io/eudi-wallet-it-docs/versione-corrente/en/relying-party-solution.html
-   *
-   * @async @function
-   * @param signedWalletInstanceDPoP JWT of the Wallet Instance Attestation DPoP
-   *
-   * @returns The Request Object JWT
-   * @throws {NoSuitableKeysFoundInEntityConfiguration} When the Request Object is signed with a key not listed in RP's entity configuration
-   *
-   */
-  async getRequestObject(
-    signedWalletInstanceDPoP: string,
+/**
+ * Obtain the Request Object for RP authentication
+ * @see https://italia.github.io/eudi-wallet-it-docs/versione-corrente/en/relying-party-solution.html
+ */
+export const getRequestObject =
+  ({
+    wiaCryptoContext,
+    appFetch = fetch,
+  }: {
+    wiaCryptoContext: CryptoContext;
+    appFetch?: GlobalFetch["fetch"];
+  }) =>
+  async (
+    walletInstanceAttestation: string,
     requestUri: string,
-    entity: RpEntityConfiguration
-  ): Promise<RequestObject> {
-    const response = await this.appFetch(requestUri, {
+    rpEntityConfiguration: RelyingPartyEntityConfiguration
+  ): Promise<RequestObjectConf> => {
+    const signedWalletInstanceDPoP = await createDPopToken(
+      {
+        jti: `${uuid.v4()}`,
+        htm: "GET",
+        htu: requestUri,
+        ath: await sha256ToBase64(walletInstanceAttestation),
+      },
+      wiaCryptoContext
+    );
+
+    const response = await appFetch(requestUri, {
       method: "GET",
       headers: {
-        Authorization: `DPoP ${this.walletInstanceAttestation}`,
+        Authorization: `DPoP ${walletInstanceAttestation}`,
         DPoP: signedWalletInstanceDPoP,
       },
     });
@@ -130,9 +126,10 @@ export class RelyingPartySolution {
       // verify token signature according to RP's entity configuration
       // to ensure the request object is authentic
       {
-        const pubKey = entity.payload.metadata.wallet_relying_party.jwks.find(
-          ({ kid }) => kid === responseJwt.protectedHeader.kid
-        );
+        const pubKey =
+          rpEntityConfiguration.payload.metadata.wallet_relying_party.jwks.find(
+            ({ kid }) => kid === responseJwt.protectedHeader.kid
+          );
         if (!pubKey) {
           throw new NoSuitableKeysFoundInEntityConfiguration(
             "Request Object signature verification"
@@ -142,67 +139,68 @@ export class RelyingPartySolution {
       }
 
       // parse request object it has the expected shape by specification
-      const requestObj = RequestObject.parse({
+      const requestObject = RequestObject.parse({
         header: responseJwt.protectedHeader,
         payload: responseJwt.payload,
       });
 
-      return requestObj;
+      return {
+        requestObject,
+        rpEntityConfiguration,
+        walletInstanceAttestation,
+      };
     }
 
     throw new IoWalletError(
-      `Unable to obtain Request Object. Response code: ${response.status}`
+      `Unable to obtain Request Object. Response code: ${response.status}
+      ${await response.text()}`
     );
-  }
+  };
 
-  /**
-   * Prepare the Verified Presentation token for a received request object in the context of an authorization request flow.
-   * The presentation is prepared by disclosing data from provided credentials, according to requested claims
-   * Each Verified Credential come along with the claims the user accepts to disclose from it.
-   *
-   * The returned token is unsigned (sign should be apply by the caller).
-   *
-   * @todo accept more than a Verified Credential
-   *
-   * @param requestObj The incoming request object, which the requirements for the requested authorization
-   * @param walletInstanceIdentifier The identifies of the wallt instance that is presenting
-   * @param presentation The Verified Credential containing user data along with the list of claims to be disclosed.
-   * @param signKeyId The kid of the key that will be used to sign
-   * @returns The unsigned Verified Presentation token
-   * @throws {ClaimsNotFoundBetweenDislosures} If the Verified Credential does not contain one or more requested claims.
-   *
-   */
-  async prepareVpToken(
-    requestObj: RequestObject,
-    walletInstanceIdentifier: string,
-    [vc, claims]: Presentation, // TODO: [SIW-353] support multiple presentations,
-    signKeyId: string
+/**
+ * Prepare the Verified Presentation token for a received request object in the context of an authorization request flow.
+ * The presentation is prepared by disclosing data from provided credentials, according to requested claims
+ * Each Verified Credential come along with the claims the user accepts to disclose from it.
+ *
+ * @todo accept more than a Verified Credential
+ */
+const prepareVpToken =
+  ({ pidCryptoContext }: { pidCryptoContext: CryptoContext }) =>
+  async (
+    { requestObject, walletInstanceAttestation }: RequestObjectConf,
+    [vc, claims]: Presentation // TODO: [SIW-353] support multiple presentations,
   ): Promise<{
     vp_token: string;
     presentation_submission: Record<string, unknown>;
-  }> {
+  }> => {
     // this throws if vc cannot satisfy all the requested claims
     const { token: vp, paths } = await disclose(vc, claims);
 
-    // TODO: [SIW-359] check all requeste claims of the requestedObj are satisfied
+    // obtain issuer from Wallet Instance
+    const {
+      payload: { iss },
+    } = WalletInstanceAttestation.decode(walletInstanceAttestation);
 
-    const vp_token = new SignJWT({
-      vp: vp,
-      jti: `${uuid.v4()}`,
-      iss: walletInstanceIdentifier,
-      nonce: requestObj.payload.nonce,
-    })
-      .setAudience(requestObj.payload.response_uri)
-      .setIssuedAt()
-      .setExpirationTime("1h")
+    const pidKid = await pidCryptoContext.getPublicKey().then((_) => _.kid);
+
+    // TODO: [SIW-359] check all requeste claims of the requestedObj are satisfied
+    const vp_token = await new SignJWT(pidCryptoContext)
       .setProtectedHeader({
         typ: "JWT",
-        alg: "ES256",
-        kid: signKeyId,
+        kid: pidKid,
+      })
+      .setPayload({
+        vp: vp,
+        jti: `${uuid.v4()}`,
+        iss,
+        nonce: requestObject.payload.nonce,
       })
-      .toSign();
+      .setAudience(requestObject.payload.response_uri)
+      .setIssuedAt()
+      .setExpirationTime("1h")
+      .sign();
 
-    const vc_scope = requestObj.payload.scope;
+    const vc_scope = requestObject.payload.scope;
     const presentation_submission = {
       definition_id: `${uuid.v4()}`,
       id: `${uuid.v4()}`,
@@ -214,36 +212,49 @@ export class RelyingPartySolution {
     };
 
     return { vp_token, presentation_submission };
-  }
+  };
 
-  /**
-   * Compose and send an Authorization Response in the context of an authorization request flow.
-   *
-   * @todo MUST add presentation_submission
-   *
-   * @param requestObj The incoming request object, which the requirements for the requested authorization
-   * @param vp_token The signed Verified Presentation token with data to send.
-   * @param presentation_submission
-   * @param entity The RP entity configuration
-   * @returns The response from the RP
-   * @throws {IoWalletError} if the submission fails.
-   * @throws {NoSuitableKeysFoundInEntityConfiguration} If entity do not contain any public key
-   *
-   */
-  async sendAuthorizationResponse(
-    requestObj: RequestObject,
-    vp_token: string,
-    presentation_submission: Record<string, unknown>,
-    entity: RpEntityConfiguration
-  ): Promise<string> {
+/**
+ * Compose and send an Authorization Response in the context of an authorization request flow.
+ *
+ * @todo MUST add presentation_submission
+ *
+ */
+export const sendAuthorizationResponse =
+  ({
+    pidCryptoContext,
+    appFetch = fetch,
+  }: {
+    pidCryptoContext: CryptoContext;
+    appFetch?: GlobalFetch["fetch"];
+  }) =>
+  async (
+    {
+      requestObject,
+      rpEntityConfiguration,
+      walletInstanceAttestation,
+    }: RequestObjectConf,
+    presentation: Presentation // TODO: [SIW-353] support multiple presentations,
+  ): Promise<string> => {
     // the request is an unsigned jws without iss, aud, exp
     // https://openid.net/specs/openid-4-verifiable-presentations-1_0.html#name-signed-and-encrypted-respon
-    const jwk = this.chooseRSAPublicKeyToEncrypt(entity);
+    const jwk = chooseRSAPublicKeyToEncrypt(rpEntityConfiguration);
+
+    const { vp_token, presentation_submission } = await prepareVpToken({
+      pidCryptoContext,
+    })(
+      {
+        requestObject,
+        rpEntityConfiguration,
+        walletInstanceAttestation,
+      },
+      presentation
+    );
 
     const authzResponsePayload = JSON.stringify({
-      state: requestObj.payload.state,
+      state: requestObject.payload.state,
       presentation_submission,
-      nonce: requestObj.payload.nonce,
+      nonce: requestObject.payload.nonce,
       vp_token,
     });
 
@@ -256,7 +267,7 @@ export class RelyingPartySolution {
     const formBody = new URLSearchParams({ response: encrypted });
     const body = formBody.toString();
 
-    const response = await this.appFetch(requestObj.payload.response_uri, {
+    const response = await appFetch(requestObject.payload.response_uri, {
       method: "POST",
       headers: {
         "Content-Type": "application/x-www-form-urlencoded",
@@ -273,37 +284,4 @@ export class RelyingPartySolution {
         response.status
       }`
     );
-  }
-
-  /**
-   * Select a RSA public key from those provided by the RP to encrypt.
-   *
-   * @param entity The RP entity configuration
-   * @returns A suitable public key with its compatible encryption algorithm
-   * @throws {NoSuitableKeysFoundInEntityConfiguration} If entity do not contain any public key suitable for encrypting
-   */
-  private chooseRSAPublicKeyToEncrypt(entity: RpEntityConfiguration): JWK {
-    const [usingRsa256] =
-      entity.payload.metadata.wallet_relying_party.jwks.filter(
-        (jwk) => jwk.use === "enc" && jwk.kty === "RSA"
-      );
-
-    if (usingRsa256) {
-      return usingRsa256;
-    }
-
-    // No suitable key has been found
-    throw new NoSuitableKeysFoundInEntityConfiguration(
-      "Encrypt with RP public key"
-    );
-  }
-
-  /**
-   * Obtain the relying party entity configuration.
-   */
-  async getEntityConfiguration(): Promise<RpEntityConfiguration> {
-    return getEntityConfiguration(this.relyingPartyBaseUrl, {
-      appFetch: this.appFetch,
-    }).then(RpEntityConfiguration.parse);
-  }
-}
+  };

package/src/rp/types.ts

@@ -1,7 +1,5 @@
-import { JWK } from "../utils/jwk";
 import { UnixTime } from "../sd-jwt/types";
 import * as z from "zod";
-import { EntityConfiguration } from "../trust/types";
 
 export type RequestObject = z.infer<typeof RequestObject>;
 export const RequestObject = z.object({
@@ -27,28 +25,6 @@ export const RequestObject = z.object({
   }),
 });
 
-/**
- * EntityConfiguration plus the metadata specific for a Relying Party entity.
- */
-export type RpEntityConfiguration = z.infer<typeof RpEntityConfiguration>;
-export const RpEntityConfiguration = EntityConfiguration.and(
-  z.object({
-    payload: z.object({
-      metadata: z.object({
-        wallet_relying_party: z
-          .object({
-            application_type: z.string().optional(),
-            client_id: z.string().optional(),
-            client_name: z.string().optional(),
-            jwks: z.array(JWK),
-            contacts: z.array(z.string()).optional(),
-          })
-          .passthrough(),
-      }),
-    }),
-  })
-);
-
 export type QRCodePayload = z.infer<typeof QRCodePayload>;
 export const QRCodePayload = z.object({
   protocol: z.string(),

package/src/sd-jwt/index.ts

@@ -7,7 +7,7 @@ import { sha256ToBase64 } from "@pagopa/io-react-native-jwt";
 import { decodeBase64 } from "@pagopa/io-react-native-jwt";
 import { Disclosure, SdJwt4VC, type DisclosureWithEncoded } from "./types";
 import { verifyDisclosure } from "./verifier";
-import type { JWK } from "src/utils/jwk";
+import type { JWK } from "../utils/jwk";
 import {
   ClaimsNotFoundBetweenDislosures,
   ClaimsNotFoundInToken,

package/src/trust/index.ts

@@ -1,27 +1,82 @@
 import { decode as decodeJwt } from "@pagopa/io-react-native-jwt";
-import { EntityConfiguration } from "./types";
+import {
+  WalletProviderEntityConfiguration,
+  TrustAnchorEntityConfiguration,
+  CredentialIssuerEntityConfiguration,
+  RelyingPartyEntityConfiguration,
+  EntityConfiguration,
+} from "./types";
 import { IoWalletError } from "../utils/errors";
 import { verifyTrustChain } from "./chain";
 
 export { verifyTrustChain };
 
 /**
- * Fetch and parse teh entity configuration document for a given federation entity
+ * Fetch and parse the entity configuration document for a given federation entity.
+ * This is an inner method to serve public interfaces.
+ *
+ * To add another entity configuration type (example: Foo entity type):
+ *  - create its zod schema and type by inherit from the base type (example: FooEntityConfiguration = BaseEntityConfiguration.and(...))
+ *  - add such type to EntityConfiguration union
+ *  - add an overload to this function
+ *  - create a public function which use such type (example: getFooEntityConfiguration = (url, options) => Promise<FooEntityConfiguration>)
  *
  * @param entityBaseUrl The base url of the entity.
+ * @param schema The expected schema of the entity configuration, according to the kind of entity we are fetching from.
  * @param options.appFetch An optional instance of the http client to be used.
  * @returns The parsed entity configuration object
  * @throws {IoWalletError} If the http request fails
  * @throws Parse error if the document is not in the expected shape.
  */
-export async function getEntityConfiguration(
+async function fetchAndParseEntityConfiguration(
+  entityBaseUrl: string,
+  schema: typeof WalletProviderEntityConfiguration,
+  options?: {
+    appFetch?: GlobalFetch["fetch"];
+  }
+): Promise<WalletProviderEntityConfiguration>;
+async function fetchAndParseEntityConfiguration(
+  entityBaseUrl: string,
+  schema: typeof RelyingPartyEntityConfiguration,
+  options?: {
+    appFetch?: GlobalFetch["fetch"];
+  }
+): Promise<RelyingPartyEntityConfiguration>;
+async function fetchAndParseEntityConfiguration(
+  entityBaseUrl: string,
+  schema: typeof TrustAnchorEntityConfiguration,
+  options?: {
+    appFetch?: GlobalFetch["fetch"];
+  }
+): Promise<TrustAnchorEntityConfiguration>;
+async function fetchAndParseEntityConfiguration(
+  entityBaseUrl: string,
+  schema: typeof CredentialIssuerEntityConfiguration,
+  options?: {
+    appFetch?: GlobalFetch["fetch"];
+  }
+): Promise<CredentialIssuerEntityConfiguration>;
+async function fetchAndParseEntityConfiguration(
   entityBaseUrl: string,
+  schema: typeof EntityConfiguration,
+  options?: {
+    appFetch?: GlobalFetch["fetch"];
+  }
+): Promise<EntityConfiguration>;
+async function fetchAndParseEntityConfiguration(
+  entityBaseUrl: string,
+  schema: /* FIXME: why is it different from "typeof EntityConfiguration"? */
+  | typeof CredentialIssuerEntityConfiguration
+    | typeof WalletProviderEntityConfiguration
+    | typeof RelyingPartyEntityConfiguration
+    | typeof TrustAnchorEntityConfiguration
+    | typeof EntityConfiguration,
   {
     appFetch = fetch,
   }: {
     appFetch?: GlobalFetch["fetch"];
   } = {}
-): Promise<EntityConfiguration> {
+) {
   const wellKnownUrl = `${entityBaseUrl}/.well-known/openid-federation`;
 
   const response = await appFetch(wellKnownUrl, {
@@ -31,7 +86,7 @@ export async function getEntityConfiguration(
   if (response.status === 200) {
     const responseText = await response.text();
     const responseJwt = decodeJwt(responseText);
-    return EntityConfiguration.parse({
+    return schema.parse({
       header: responseJwt.protectedHeader,
       payload: responseJwt.payload,
     });
@@ -41,3 +96,49 @@ export async function getEntityConfiguration(
     `Unable to obtain Entity Configuration at ${wellKnownUrl}. Response code: ${response.status}`
   );
 }
+
+export const getWalletProviderEntityConfiguration = (
+  entityBaseUrl: Parameters<typeof fetchAndParseEntityConfiguration>[0],
+  options?: Parameters<typeof fetchAndParseEntityConfiguration>[2]
+) =>
+  fetchAndParseEntityConfiguration(
+    entityBaseUrl,
+    WalletProviderEntityConfiguration,
+    options
+  );
+
+export const getCredentialIssuerEntityConfiguration = (
+  entityBaseUrl: Parameters<typeof fetchAndParseEntityConfiguration>[0],
+  options?: Parameters<typeof fetchAndParseEntityConfiguration>[2]
+) =>
+  fetchAndParseEntityConfiguration(
+    entityBaseUrl,
+    CredentialIssuerEntityConfiguration,
+    options
+  );
+
+export const getTrustAnchorEntityConfiguration = (
+  entityBaseUrl: Parameters<typeof fetchAndParseEntityConfiguration>[0],
+  options?: Parameters<typeof fetchAndParseEntityConfiguration>[2]
+) =>
+  fetchAndParseEntityConfiguration(
+    entityBaseUrl,
+    TrustAnchorEntityConfiguration,
+    options
+  );
+
+export const getRelyingPartyEntityConfiguration = (
+  entityBaseUrl: Parameters<typeof fetchAndParseEntityConfiguration>[0],
+  options?: Parameters<typeof fetchAndParseEntityConfiguration>[2]
+) =>
+  fetchAndParseEntityConfiguration(
+    entityBaseUrl,
+    RelyingPartyEntityConfiguration,
+    options
+  );
+
+export const getEntityConfiguration = (
+  entityBaseUrl: Parameters<typeof fetchAndParseEntityConfiguration>[0],
+  options?: Parameters<typeof fetchAndParseEntityConfiguration>[2]
+) =>
+  fetchAndParseEntityConfiguration(entityBaseUrl, EntityConfiguration, options);