@pagopa/io-react-native-wallet 0.7.3 → 0.9.0

package/src/credential/issuance/07-confirm-credential.ts

@@ -0,0 +1,14 @@
+import type { ObtainCredential } from "./06-obtain-credential";
+import type { Out } from "../../utils/misc";
+
+/**
+ * The end of the issuing flow.
+ * The User accepted the Credential and it can be stored in the device according to the app implementation preferences.
+ * To be implemented.
+ *
+ * @returns The type of the Credential to be issued and the url of the Issuer
+ */
+export type ConfirmCredential = (
+  credential: Out<ObtainCredential>["credential"],
+  format: Out<ObtainCredential>["format"]
+) => Promise<void>;

package/src/credential/issuance/const.ts

@@ -0,0 +1,2 @@
+export const ASSERTION_TYPE =
+  "urn:ietf:params:oauth:client-assertion-type:jwt-client-attestation";

package/src/credential/issuance/index.ts

@@ -0,0 +1,32 @@
+import { type StartFlow } from "./01-start-flow";
+import {
+  evaluateIssuerTrust,
+  type EvaluateIssuerTrust,
+} from "./02-evaluate-issuer-trust";
+import {
+  startUserAuthorization,
+  type StartUserAuthorization,
+} from "./03-start-user-authorization";
+import { type CompleteUserAuthorization } from "./04-complete-user-authorization";
+import { authorizeAccess, type AuthorizeAccess } from "./05-authorize-access";
+import {
+  obtainCredential,
+  type ObtainCredential,
+} from "./06-obtain-credential";
+import type { ConfirmCredential } from "./07-confirm-credential";
+
+export {
+  evaluateIssuerTrust,
+  startUserAuthorization,
+  authorizeAccess,
+  obtainCredential,
+};
+export type {
+  StartFlow,
+  EvaluateIssuerTrust,
+  StartUserAuthorization,
+  CompleteUserAuthorization,
+  AuthorizeAccess,
+  ObtainCredential,
+  ConfirmCredential,
+};

package/src/credential/presentation/01-start-flow.ts

@@ -0,0 +1,51 @@
+import * as z from "zod";
+import { decodeBase64 } from "@pagopa/io-react-native-jwt";
+import { AuthRequestDecodeError } from "../../utils/errors";
+
+const QRCodePayload = z.object({
+  protocol: z.string(),
+  resource: z.string(), // TODO: refine to known paths using literals
+  clientId: z.string(),
+  requestURI: z.string(),
+});
+
+/**
+ * The beginning of the presentation flow.
+ * To be implemented accordind to the user touchpoint
+ *
+ * @param Optional parameters, depending on the starting touchoint
+ * @returns The url for the Relying Party to connect with
+ */
+export type StartFlow<T extends Array<unknown> = []> = (...args: T) => Promise<{
+  requestURI: string;
+  clientId: string;
+}>;
+
+/**
+ * Start a presentation flow by decoding an incoming QR-code
+ *
+ * @param qrcode The encoded QR-code content
+ * @returns The url for the Relying Party to connect with
+ * @throws If the provided qr code fails to be decoded
+ */
+export const startFlowFromQR: StartFlow<[string]> = async (qrcode) => {
+  const decoded = decodeBase64(qrcode);
+  const decodedUrl = new URL(decoded);
+  const protocol = decodedUrl.protocol;
+  const resource = decodedUrl.hostname;
+  const requestURI = decodedUrl.searchParams.get("request_uri");
+  const clientId = decodedUrl.searchParams.get("client_id");
+
+  const result = QRCodePayload.safeParse({
+    protocol,
+    resource,
+    requestURI,
+    clientId,
+  });
+
+  if (result.success) {
+    return result.data;
+  } else {
+    throw new AuthRequestDecodeError(result.error.message, `${decodedUrl}`);
+  }
+};

package/src/credential/presentation/02-evaluate-rp-trust.ts

@@ -0,0 +1,33 @@
+import { getRelyingPartyEntityConfiguration } from "../../trust";
+import { RelyingPartyEntityConfiguration } from "../../trust/types";
+import type { StartFlow } from "../issuance/01-start-flow";
+import type { Out } from "../../utils/misc";
+
+export type EvaluateRelyingPartyTrust = (
+  rpUrl: Out<StartFlow>["issuerUrl"],
+  context?: {
+    appFetch?: GlobalFetch["fetch"];
+  }
+) => Promise<{
+  rpConf: RelyingPartyEntityConfiguration["payload"]["metadata"];
+}>;
+
+/**
+ * The Relying Party trust evaluation phase.
+ * Fetch the  Relying Party's configuration and verify trust.
+ *
+ * @param rpUrl The base url of the Issuer
+ * @param context.appFetch (optional) fetch api implementation. Default: built-in fetch
+ * @returns The Relying Party's configuration
+ */
+export const evaluateRelyingPartyTrust: EvaluateRelyingPartyTrust = async (
+  rpUrl,
+  { appFetch = fetch } = {}
+) => {
+  const {
+    payload: { metadata: rpConf },
+  } = await getRelyingPartyEntityConfiguration(rpUrl, {
+    appFetch,
+  });
+  return { rpConf };
+};

package/src/credential/presentation/03-get-request-object.ts

@@ -0,0 +1,85 @@
+import uuid from "react-native-uuid";
+import {
+  decode as decodeJwt,
+  sha256ToBase64,
+  verify,
+  type CryptoContext,
+} from "@pagopa/io-react-native-jwt";
+
+import { createDPopToken } from "../../utils/dpop";
+import { NoSuitableKeysFoundInEntityConfiguration } from "../../utils/errors";
+import type { EvaluateRelyingPartyTrust } from "./02-evaluate-rp-trust";
+import { hasStatus, type Out } from "../../utils/misc";
+import type { StartFlow } from "./01-start-flow";
+import { RequestObject } from "./types";
+
+export type GetRequestObject = (
+  requestUri: Out<StartFlow>["requestURI"],
+  rpConf: Out<EvaluateRelyingPartyTrust>["rpConf"],
+  context: {
+    wiaCryptoContext: CryptoContext;
+    appFetch?: GlobalFetch["fetch"];
+    walletInstanceAttestation: string;
+  }
+) => Promise<{ requestObject: RequestObject }>;
+
+/**
+ * Obtain the Request Object for RP authentication
+ * @see https://italia.github.io/eudi-wallet-it-docs/versione-corrente/en/relying-party-solution.html
+ *
+ * @param requestUri The url for the Relying Party to connect with
+ * @param rpConf The Relying Party's configuration
+ * @param context.wiaCryptoContext The context to access the key associated with the Wallet Instance Attestation
+ * @param context.walletInstanceAttestation The Wallet Instance Attestation token
+ * @param context.appFetch (optional) fetch api implementation. Default: built-in fetch
+ * @returns The Request Object that describes the presentation
+ */
+export const getRequestObject: GetRequestObject = async (
+  requestUri,
+  rpConf,
+  { wiaCryptoContext, appFetch = fetch, walletInstanceAttestation }
+) => {
+  const signedWalletInstanceDPoP = await createDPopToken(
+    {
+      jti: `${uuid.v4()}`,
+      htm: "GET",
+      htu: requestUri,
+      ath: await sha256ToBase64(walletInstanceAttestation),
+    },
+    wiaCryptoContext
+  );
+
+  const responseEncodedJwt = await appFetch(requestUri, {
+    method: "GET",
+    headers: {
+      Authorization: `DPoP ${walletInstanceAttestation}`,
+      DPoP: signedWalletInstanceDPoP,
+    },
+  })
+    .then(hasStatus(200))
+    .then((res) => res.json())
+    .then((responseJson) => responseJson.response);
+
+  const responseJwt = decodeJwt(responseEncodedJwt);
+
+  // verify token signature according to RP's entity configuration
+  // to ensure the request object is authentic
+  {
+    const pubKey = rpConf.wallet_relying_party.jwks.keys.find(
+      ({ kid }) => kid === responseJwt.protectedHeader.kid
+    );
+    if (!pubKey) {
+      throw new NoSuitableKeysFoundInEntityConfiguration(
+        "Request Object signature verification"
+      );
+    }
+    await verify(responseEncodedJwt, pubKey);
+  }
+
+  // Ensure that the request object conforms to the expected specification.
+  const requestObject = RequestObject.parse(responseJwt.payload);
+
+  return {
+    requestObject,
+  };
+};

package/src/credential/presentation/04-send-authorization-response.ts

@@ -0,0 +1,168 @@
+import { EncryptJwe, SignJWT } from "@pagopa/io-react-native-jwt";
+import uuid from "react-native-uuid";
+import * as WalletInstanceAttestation from "../../wallet-instance-attestation";
+import type { JWK } from "@pagopa/io-react-native-jwt/lib/typescript/types";
+import { NoSuitableKeysFoundInEntityConfiguration } from "../../utils/errors";
+import { hasStatus, type Out } from "../../utils/misc";
+import type { GetRequestObject } from "./03-get-request-object";
+import { disclose } from "../../sd-jwt";
+import type { EvaluateRelyingPartyTrust } from "./02-evaluate-rp-trust";
+import { type Presentation } from "./types";
+import * as z from "zod";
+
+export type AuthorizationResponse = z.infer<typeof AuthorizationResponse>;
+export const AuthorizationResponse = z.object({
+  status: z.string(),
+  response_code: z
+    .string() /**
+      FIXME: [SIW-627] we expect this value from every RP implementation
+      Actually some RP does not return the value
+      We make it optional to not break the flow.
+    */
+    .optional(),
+});
+
+/**
+ * Choose an RSA public key from those offered by the RP for encryption.
+ *
+ * @param entity The RP entity configuration
+ * @returns A suitable public key with its compatible encryption algorithm
+ * @throws {NoSuitableKeysFoundInEntityConfiguration} If entity do not contain any public key suitable for encrypting
+ */
+const chooseRSAPublicKeyToEncrypt = (
+  entity: Out<EvaluateRelyingPartyTrust>["rpConf"]
+): JWK => {
+  const [usingRsa256] = entity.wallet_relying_party.jwks.keys.filter(
+    (jwk) => jwk.use === "enc" && jwk.kty === "RSA"
+  );
+
+  if (usingRsa256) {
+    return usingRsa256;
+  }
+
+  // No suitable key has been found
+  throw new NoSuitableKeysFoundInEntityConfiguration(
+    "Encrypt with RP public key"
+  );
+};
+
+/**
+ * Generate a Verified Presentation token for a received request object within the context of an authorization request flow.
+ * The presentation is created by revealing data from the provided credentials based on the requested claims.
+ * Each Verified Credential is accompanied by the claims that the user consents to disclose from it.
+ *
+ * @todo: Allow for handling more than one Verified Credential.
+ */
+const prepareVpToken = async (
+  requestObject: Out<GetRequestObject>["requestObject"],
+  walletInstanceAttestation: string,
+  [vc, claims, cryptoCtx]: Presentation // TODO: [SIW-353] support multiple presentations,
+): Promise<{
+  vp_token: string;
+  presentation_submission: Record<string, unknown>;
+}> => {
+  // this throws if vc cannot satisfy all the requested claims
+  const { token: vp, paths } = await disclose(vc, claims);
+
+  // obtain issuer from Wallet Instance
+  const {
+    payload: { iss },
+  } = WalletInstanceAttestation.decode(walletInstanceAttestation);
+
+  const pidKid = await cryptoCtx.getPublicKey().then((_) => _.kid);
+
+  // TODO: [SIW-359] check all requeste claims of the requestedObj are satisfied
+  const vp_token = await new SignJWT(cryptoCtx)
+    .setProtectedHeader({
+      typ: "JWT",
+      kid: pidKid,
+    })
+    .setPayload({
+      vp: vp,
+      jti: `${uuid.v4()}`,
+      iss,
+      nonce: requestObject.nonce,
+    })
+    .setAudience(requestObject.response_uri)
+    .setIssuedAt()
+    .setExpirationTime("1h")
+    .sign();
+
+  const vc_scope = requestObject.scope;
+  const presentation_submission = {
+    definition_id: `${uuid.v4()}`,
+    id: `${uuid.v4()}`,
+    descriptor_map: paths.map((p) => ({
+      id: vc_scope,
+      path: `$.vp_token.${p.path}`,
+      format: "vc+sd-jwt",
+    })),
+  };
+
+  return { vp_token, presentation_submission };
+};
+
+export type SendAuthorizationResponse = (
+  requestObject: Out<GetRequestObject>["requestObject"],
+  rpConf: Out<EvaluateRelyingPartyTrust>["rpConf"],
+  presentation: Presentation, // TODO: [SIW-353] support multiple presentations
+  context: {
+    walletInstanceAttestation: string;
+    appFetch?: GlobalFetch["fetch"];
+  }
+) => Promise<AuthorizationResponse>;
+
+/**
+ * Complete the presentation flow by sending the authorization response to the Relying Party
+ *
+ * @param requestObject The Request Object that describes the presentation
+ * @param rpConf The Relying Party's configuration
+ * @param presentation The presentation tuple consisting in the signed credential,
+ * the list of claims to be disclosed, and the context to access the key that proves the holder binding
+ * @param context.walletInstanceAttestation The Wallet Instance Attestation token
+ * @param context.appFetch (optional) fetch api implementation. Default: built-in fetch
+ * @returns The result of the presentation flow
+ */
+export const sendAuthorizationResponse: SendAuthorizationResponse = async (
+  requestObject,
+  rpConf,
+  presentation,
+  { appFetch = fetch, walletInstanceAttestation }
+): Promise<AuthorizationResponse> => {
+  // the request is an unsigned jws without iss, aud, exp
+  // https://openid.net/specs/openid-4-verifiable-presentations-1_0.html#name-signed-and-encrypted-respon
+  const rsaPublicJwk = chooseRSAPublicKeyToEncrypt(rpConf);
+
+  const { vp_token, presentation_submission } = await prepareVpToken(
+    requestObject,
+    walletInstanceAttestation,
+    presentation
+  );
+
+  const authzResponsePayload = JSON.stringify({
+    state: requestObject.state,
+    presentation_submission,
+    nonce: requestObject.nonce,
+    vp_token,
+  });
+
+  const encrypted = await new EncryptJwe(authzResponsePayload, {
+    alg: "RSA-OAEP-256",
+    enc: "A256CBC-HS512",
+    kid: rsaPublicJwk.kid,
+  }).encrypt(rsaPublicJwk);
+
+  const formBody = new URLSearchParams({ response: encrypted });
+  const body = formBody.toString();
+
+  return appFetch(requestObject.response_uri, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/x-www-form-urlencoded",
+    },
+    body,
+  })
+    .then(hasStatus(200))
+    .then((res) => res.json())
+    .then(AuthorizationResponse.parse);
+};

package/src/credential/presentation/index.ts

@@ -0,0 +1,26 @@
+import { startFlowFromQR, type StartFlow } from "./01-start-flow";
+import {
+  evaluateRelyingPartyTrust,
+  type EvaluateRelyingPartyTrust,
+} from "./02-evaluate-rp-trust";
+import {
+  getRequestObject,
+  type GetRequestObject,
+} from "./03-get-request-object";
+import {
+  sendAuthorizationResponse,
+  type SendAuthorizationResponse,
+} from "./04-send-authorization-response";
+
+export {
+  startFlowFromQR,
+  evaluateRelyingPartyTrust,
+  getRequestObject,
+  sendAuthorizationResponse,
+};
+export type {
+  StartFlow,
+  EvaluateRelyingPartyTrust,
+  GetRequestObject,
+  SendAuthorizationResponse,
+};

package/src/credential/presentation/types.ts

@@ -0,0 +1,27 @@
+import type { CryptoContext } from "@pagopa/io-react-native-jwt";
+import { UnixTime } from "../../sd-jwt/types";
+import * as z from "zod";
+
+/**
+ * A pair that associate a tokenized Verified Credential with the claims presented or requested to present.
+ */
+export type Presentation = [
+  /* verified credential token */ string,
+  /* claims */ string[],
+  /* the context for the key associated to the credential */ CryptoContext
+];
+
+export type RequestObject = z.infer<typeof RequestObject>;
+export const RequestObject = z.object({
+  iss: z.string(),
+  iat: UnixTime,
+  exp: UnixTime,
+  state: z.string(),
+  nonce: z.string(),
+  response_uri: z.string(),
+  response_type: z.literal("vp_token"),
+  response_mode: z.literal("direct_post.jwt"),
+  client_id: z.string(),
+  client_id_scheme: z.literal("entity_id"),
+  scope: z.string(),
+});

package/src/index.ts

@@ -2,42 +2,21 @@
 // https://github.com/facebook/react-native/issues/24428
 import "react-native-url-polyfill/auto";
 
+import * as Credential from "./credential";
 import * as PID from "./pid";
-import * as RP from "./rp";
 import * as Errors from "./utils/errors";
 import * as WalletInstanceAttestation from "./wallet-instance-attestation";
-import * as RelyingPartySolution from "./rp";
-import {
-  verifyTrustChain,
-  getEntityConfiguration,
-  getCredentialIssuerEntityConfiguration,
-  getRelyingPartyEntityConfiguration,
-  getTrustAnchorEntityConfiguration,
-  getWalletProviderEntityConfiguration,
-} from "./trust";
-import {
-  RelyingPartyEntityConfiguration,
-  WalletProviderEntityConfiguration,
-  TrustAnchorEntityConfiguration,
-  CredentialIssuerEntityConfiguration,
-} from "./trust/types";
+import * as Trust from "./trust";
+import { AuthorizationDetail, AuthorizationDetails } from "./utils/par";
 import { createCryptoContextFor } from "./utils/crypto";
 
 export {
   PID,
-  RP,
+  Credential,
   WalletInstanceAttestation,
   Errors,
-  RelyingPartySolution,
-  verifyTrustChain,
-  getEntityConfiguration,
-  getCredentialIssuerEntityConfiguration,
-  getRelyingPartyEntityConfiguration,
-  getTrustAnchorEntityConfiguration,
-  getWalletProviderEntityConfiguration,
+  Trust,
   createCryptoContextFor,
-  RelyingPartyEntityConfiguration,
-  WalletProviderEntityConfiguration,
-  TrustAnchorEntityConfiguration,
-  CredentialIssuerEntityConfiguration,
+  AuthorizationDetail,
+  AuthorizationDetails,
 };

package/src/pid/index.ts

@@ -1,3 +1,2 @@
 import * as SdJwt from "./sd-jwt";
-import * as Issuing from "./issuing";
-export { SdJwt, Issuing };
+export { SdJwt };

package/src/sd-jwt/index.ts

@@ -135,7 +135,7 @@ export const disclose = async (
  *
  *
  * @param token The encoded token that represents a valid sd-jwt for verifiable credentials
- * @param publicKey The public key to validate the signature
+ * @param publicKey The single public key or an array of public keys to validate the signature.
  * @param schema Schema to use to parse the SD-JWT
  *
  * @returns The parsed SD-JWT token and the parsed disclosures
@@ -143,7 +143,7 @@ export const disclose = async (
  */
 export const verify = async <S extends z.AnyZodObject>(
   token: string,
-  publicKey: JWK,
+  publicKey: JWK | JWK[],
   schema: S
 ): Promise<{ sdJwt: z.infer<S>; disclosures: Disclosure[] }> => {
   // get decoded data

package/src/sd-jwt/types.ts

@@ -51,7 +51,7 @@ export const SdJwt4VC = z.object({
     cnf: z.object({
       jwk: JWK,
     }),
-    type: z.literal("PersonIdentificationData"),
+    type: z.string(),
     verified_claims: z.object({
       verification: z.intersection(
         z.object({

package/src/trust/chain.ts

@@ -11,6 +11,7 @@ import { JWK } from "../utils/jwk";
 import { IoWalletError } from "../utils/errors";
 import * as z from "zod";
 import type { JWTDecodeResult } from "@pagopa/io-react-native-jwt/lib/typescript/types";
+import { getSignedEntityConfiguration, getSignedEntityStatement } from ".";
 
 type ParsedToken = {
   header: JWTDecodeResult["protectedHeader"];
@@ -51,12 +52,12 @@ const LastElementShape = z.union([
 /**
  * Validates a provided trust chain against a known trust
  *
- * @param trustAnchorEntity
- * @param chain
+ * @param trustAnchorEntity The entity configuration of the known trust anchor
+ * @param chain The chain of statements to be validate
  * @returns The list of parsed token representing the chain
  * @throws {IoWalletError} If the chain is not valid
  */
-export async function verifyTrustChain(
+export async function validateTrustChain(
   trustAnchorEntity: TrustAnchorEntityConfiguration,
   chain: string[]
 ): Promise<ParsedToken[]> {
@@ -107,3 +108,44 @@ export async function verifyTrustChain(
       .map((args) => verify(...args))
   );
 }
+
+/**
+ * Given a trust chain, obtain a new trust chain by fetching each element's fresh version
+ *
+ * @param chain The original chain
+ * @param appFetch (optional) fetch api implementation
+ * @returns A list of signed token that reprensent the trust chain, in the same order of the provided chain
+ * @throws When an element of the chain fails to parse
+ */
+export function renewTrustChain(
+  chain: string[],
+  appFetch: GlobalFetch["fetch"] = fetch
+) {
+  return Promise.all(
+    chain
+      // Decode each item to determine its shape
+      .map(decode)
+      .map(
+        (e) =>
+          [
+            EntityStatement.safeParse(e),
+            EntityConfiguration.safeParse(e),
+          ] as const
+      )
+      // fetch the element according to its shape
+      .map(([es, ec], i) =>
+        ec.success
+          ? getSignedEntityConfiguration(ec.data.payload.iss, { appFetch })
+          : es.success
+          ? getSignedEntityStatement(es.data.payload.iss, es.data.payload.sub, {
+              appFetch,
+            })
+          : // if the element fail to parse in both EntityStatement and EntityConfiguration, raise an error
+            Promise.reject(
+              new IoWalletError(
+                `Cannot renew trust chain because the element #${i} failed to be parsed.`
+              )
+            )
+      )
+  );
+}