@pagopa/io-react-native-wallet 0.7.3 → 0.9.0

package/src/rp/__test__/index.test.ts

@@ -1,250 +0,0 @@
-import { RelyingPartyEntityConfiguration } from "../../trust/types";
-import * as RelyingPartySolution from "..";
-import { AuthRequestDecodeError } from "../../utils/errors";
-
-describe("decodeAuthRequestQR", () => {
-  it("should return authentication request URL", async () => {
-    const qrcode =
-      "ZXVkaXc6Ly9hdXRob3JpemU/Y2xpZW50X2lkPWh0dHBzOi8vdmVyaWZpZXIuZXhhbXBsZS5vcmcmcmVxdWVzdF91cmk9aHR0cHM6Ly92ZXJpZmllci5leGFtcGxlLm9yZy9yZXF1ZXN0X3VyaQ==";
-    const result = RelyingPartySolution.decodeAuthRequestQR(qrcode);
-    expect(result.requestURI).toEqual(
-      "https://verifier.example.org/request_uri"
-    );
-  });
-  it("should throw exception with invalid QR", async () => {
-    const qrcode = "aHR0cDovL2dvb2dsZS5pdA==";
-    expect(() => RelyingPartySolution.decodeAuthRequestQR(qrcode)).toThrowError(
-      AuthRequestDecodeError
-    );
-  });
-});
-
-describe("RpEntityConfiguration", () => {
-  it("should parse a valid conf", async () => {
-    const pp = {
-      header: {
-        alg: "RS256",
-        kid: "9Cquk0X-fNPSdePQIgQcQZtD6J0IjIRrFigW2PPK_-w",
-        typ: "entity-statement+jwt",
-      },
-      payload: {
-        exp: 1692625747,
-        iat: 1692625387,
-        iss: "https://demo.proxy.eudi.wallet.developers.italia.it/OpenID4VP",
-        sub: "https://demo.proxy.eudi.wallet.developers.italia.it/OpenID4VP",
-        jwks: {
-          keys: [
-            {
-              kty: "RSA",
-              kid: "9Cquk0X-fNPSdePQIgQcQZtD6J0IjIRrFigW2PPK_-w",
-              e: "AQAB",
-              n: "utqtxbs-jnK0cPsV7aRkkZKA9t4S-WSZa3nCZtYIKDpgLnR_qcpeF0diJZvKOqXmj2cXaKFUE-8uHKAHo7BL7T-Rj2x3vGESh7SG1pE0thDGlXj4yNsg0qNvCXtk703L2H3i1UXwx6nq1uFxD2EcOE4a6qDYBI16Zl71TUZktJwmOejoHl16CPWqDLGo9GUSk_MmHOV20m4wXWkB4qbvpWVY8H6b2a0rB1B1YPOs5ZLYarSYZgjDEg6DMtZ4NgiwZ-4N1aaLwyO-GLwt9Vf-NBKwoxeRyD3zWE2FXRFBbhKGksMrCGnFDsNl5JTlPjaM3kYyImE941ggcuc495m-Fw",
-            },
-          ],
-        },
-        metadata: {
-          federation_entity: {
-            organization_name: "wallet-provider",
-            homepage_uri: "https://wallet-provider.example",
-            policy_uri: "https://wallet-provider.example",
-            logo_uri: "https://wallet-provider.example",
-            contacts: ["https://wallet-provider.example"],
-          },
-          wallet_relying_party: {
-            application_type: "web",
-            authorization_encrypted_response_alg: [
-              "RSA-OAEP",
-              "RSA-OAEP-256",
-              "ECDH-ES",
-              "ECDH-ES+A128KW",
-              "ECDH-ES+A192KW",
-              "ECDH-ES+A256KW",
-            ],
-            authorization_encrypted_response_enc: [
-              "A128CBC-HS256",
-              "A192CBC-HS384",
-              "A256CBC-HS512",
-              "A128GCM",
-              "A192GCM",
-              "A256GCM",
-            ],
-            authorization_signed_response_alg: [
-              "RS256",
-              "RS384",
-              "RS512",
-              "ES256",
-              "ES384",
-              "ES512",
-            ],
-            client_id:
-              "https://demo.proxy.eudi.wallet.developers.italia.it/OpenID4VP",
-            client_name: "Name of an example organization",
-            contacts: ["ops@verifier.example.org"],
-            default_acr_values: [
-              "https://www.spid.gov.it/SpidL2",
-              "https://www.spid.gov.it/SpidL3",
-            ],
-            default_max_age: 1111,
-            id_token_encrypted_response_alg: [
-              "RSA-OAEP",
-              "RSA-OAEP-256",
-              "ECDH-ES",
-              "ECDH-ES+A128KW",
-              "ECDH-ES+A192KW",
-              "ECDH-ES+A256KW",
-            ],
-            id_token_encrypted_response_enc: [
-              "A128CBC-HS256",
-              "A192CBC-HS384",
-              "A256CBC-HS512",
-              "A128GCM",
-              "A192GCM",
-              "A256GCM",
-            ],
-            id_token_signed_response_alg: [
-              "RS256",
-              "RS384",
-              "RS512",
-              "ES256",
-              "ES384",
-              "ES512",
-            ],
-            presentation_definitions: [
-              {
-                id: "pid-sd-jwt:unique_id+given_name+family_name",
-                input_descriptors: [
-                  {
-                    id: "pid-sd-jwt:unique_id+given_name+family_name",
-                    format: {
-                      constraints: {
-                        fields: [
-                          {
-                            filter: {
-                              const: "PersonIdentificationData",
-                              type: "string",
-                            },
-                            path: ["$.sd-jwt.type"],
-                          },
-                          {
-                            filter: {
-                              type: "object",
-                            },
-                            path: ["$.sd-jwt.cnf"],
-                          },
-                          {
-                            intent_to_retain: "true",
-                            path: ["$.sd-jwt.family_name"],
-                          },
-                          {
-                            intent_to_retain: "true",
-                            path: ["$.sd-jwt.given_name"],
-                          },
-                          {
-                            intent_to_retain: "true",
-                            path: ["$.sd-jwt.unique_id"],
-                          },
-                        ],
-                        limit_disclosure: "required",
-                      },
-                      jwt: {
-                        alg: ["EdDSA", "ES256"],
-                      },
-                    },
-                  },
-                ],
-              },
-              {
-                id: "mDL-sample-req",
-                input_descriptors: [
-                  {
-                    format: {
-                      constraints: {
-                        fields: [
-                          {
-                            filter: {
-                              const: "org.iso.18013.5.1.mDL",
-                              type: "string",
-                            },
-                            path: ["$.mdoc.doctype"],
-                          },
-                          {
-                            filter: {
-                              const: "org.iso.18013.5.1",
-                              type: "string",
-                            },
-                            path: ["$.mdoc.namespace"],
-                          },
-                          {
-                            intent_to_retain: "false",
-                            path: ["$.mdoc.family_name"],
-                          },
-                          {
-                            intent_to_retain: "false",
-                            path: ["$.mdoc.portrait"],
-                          },
-                          {
-                            intent_to_retain: "false",
-                            path: ["$.mdoc.driving_privileges"],
-                          },
-                        ],
-                        limit_disclosure: "required",
-                      },
-                      mso_mdoc: {
-                        alg: ["EdDSA", "ES256"],
-                      },
-                    },
-                    id: "mDL",
-                  },
-                ],
-              },
-            ],
-            redirect_uris: [
-              "https://demo.proxy.eudi.wallet.developers.italia.it/OpenID4VP/redirect-uri",
-            ],
-            request_uris: [
-              "https://demo.proxy.eudi.wallet.developers.italia.it/OpenID4VP/request-uri",
-            ],
-            require_auth_time: true,
-            subject_type: "pairwise",
-            vp_formats: {
-              jwt_vp_json: {
-                alg: ["EdDSA", "ES256K"],
-              },
-            },
-            jwks: {
-              keys: [
-                {
-                  crv: "P-256",
-                  d: "KzQBowMMoPmSZe7G8QsdEWc1IvR2nsgE8qTOYmMcLtc",
-                  kid: "dDwPWXz5sCtczj7CJbqgPGJ2qQ83gZ9Sfs-tJyULi6s",
-                  use: "sig",
-                  kty: "EC",
-                  x: "TSO-KOqdnUj5SUuasdlRB2VVFSqtJOxuR5GftUTuBdk",
-                  y: "ByWgQt1wGBSnF56jQqLdoO1xKUynMY-BHIDB3eXlR7",
-                },
-                {
-                  kty: "RSA",
-                  d: "QUZsh1NqvpueootsdSjFQz-BUvxwd3Qnzm5qNb-WeOsvt3rWMEv0Q8CZrla2tndHTJhwioo1U4NuQey7znijhZ177bUwPPxSW1r68dEnL2U74nKwwoYeeMdEXnUfZSPxzs7nY6b7vtyCoA-AjiVYFOlgKNAItspv1HxeyGCLhLYhKvS_YoTdAeLuegETU5D6K1xGQIuw0nS13Icjz79Y8jC10TX4FdZwdX-NmuIEDP5-s95V9DMENtVqJAVE3L-wO-NdDilyjyOmAbntgsCzYVGH9U3W_djh4t3qVFCv3r0S-DA2FD3THvlrFi655L0QHR3gu_Fbj3b9Ybtajpue_Q",
-                  e: "AQAB",
-                  use: "enc",
-                  kid: "9Cquk0X-fNPSdePQIgQcQZtD6J0IjIRrFigW2PPK_-w",
-                  n: "utqtxbs-jnK0cPsV7aRkkZKA9t4S-WSZa3nCZtYIKDpgLnR_qcpeF0diJZvKOqXmj2cXaKFUE-8uHKAHo7BL7T-Rj2x3vGESh7SG1pE0thDGlXj4yNsg0qNvCXtk703L2H3i1UXwx6nq1uFxD2EcOE4a6qDYBI16Zl71TUZktJwmOejoHl16CPWqDLGo9GUSk_MmHOV20m4wXWkB4qbvpWVY8H6b2a0rB1B1YPOs5ZLYarSYZgjDEg6DMtZ4NgiwZ-4N1aaLwyO-GLwt9Vf-NBKwoxeRyD3zWE2FXRFBbhKGksMrCGnFDsNl5JTlPjaM3kYyImE941ggcuc495m-Fw",
-                  p: "2zmGXIMCEHPphw778YjVTar1eycih6fFSJ4I4bl1iq167GqO0PjlOx6CZ1-OdBTVU7HfrYRiUK_BnGRdPDn-DQghwwkB79ZdHWL14wXnpB5y-boHz_LxvjsEqXtuQYcIkidOGaMG68XNT1nM4F9a8UKFr5hHYT5_UIQSwsxlRQ0",
-                  q: "2jMFt2iFrdaYabdXuB4QMboVjPvbLA-IVb6_0hSG_-EueGBvgcBxdFGIZaG6kqHqlB7qMsSzdptU0vn6IgmCZnX-Hlt6c5X7JB_q91PZMLTO01pbZ2Bk58GloalCHnw_mjPh0YPviH5jGoWM5RHyl_HDDMI-UeLkzP7ImxGizrM",
-                },
-              ],
-            },
-          },
-        },
-        authority_hints: [
-          "https://demo.federation.eudi.wallet.developers.italia.it",
-        ],
-      },
-    };
-    const result = RelyingPartyEntityConfiguration.safeParse(pp);
-    if (result.success === false) {
-      throw result.error;
-    }
-    expect(result.success).toBe(true);
-  });
-});

package/src/rp/index.ts

@@ -1,287 +0,0 @@
-import {
-  AuthRequestDecodeError,
-  IoWalletError,
-  NoSuitableKeysFoundInEntityConfiguration,
-} from "../utils/errors";
-import {
-  decode as decodeJwt,
-  decodeBase64,
-  sha256ToBase64,
-  SignJWT,
-  EncryptJwe,
-  verify,
-  type CryptoContext,
-} from "@pagopa/io-react-native-jwt";
-import { QRCodePayload, RequestObject, type Presentation } from "./types";
-
-import uuid from "react-native-uuid";
-import type { JWK } from "@pagopa/io-react-native-jwt/lib/typescript/types";
-import { disclose } from "../sd-jwt";
-import { createDPopToken } from "../utils/dpop";
-import { RelyingPartyEntityConfiguration } from "../trust/types";
-import * as WalletInstanceAttestation from "../wallet-instance-attestation";
-
-/**
- * Select a RSA public key from those provided by the RP to encrypt.
- *
- * @param entity The RP entity configuration
- * @returns A suitable public key with its compatible encryption algorithm
- * @throws {NoSuitableKeysFoundInEntityConfiguration} If entity do not contain any public key suitable for encrypting
- */
-const chooseRSAPublicKeyToEncrypt = (
-  entity: RelyingPartyEntityConfiguration
-): JWK => {
-  const [usingRsa256] =
-    entity.payload.metadata.wallet_relying_party.jwks.keys.filter(
-      (jwk) => jwk.use === "enc" && jwk.kty === "RSA"
-    );
-
-  if (usingRsa256) {
-    return usingRsa256;
-  }
-
-  // No suitable key has been found
-  throw new NoSuitableKeysFoundInEntityConfiguration(
-    "Encrypt with RP public key"
-  );
-};
-
-/**
- * Decode a QR code content to an authentication request url.
- * @function
- * @param qrcode QR code content
- *
- * @returns The authentication request url
- *
- */
-export const decodeAuthRequestQR = (qrcode: string): QRCodePayload => {
-  const decoded = decodeBase64(qrcode);
-  const decodedUrl = new URL(decoded);
-  const protocol = decodedUrl.protocol;
-  const resource = decodedUrl.hostname;
-  const requestURI = decodedUrl.searchParams.get("request_uri");
-  const clientId = decodedUrl.searchParams.get("client_id");
-
-  const result = QRCodePayload.safeParse({
-    protocol,
-    resource,
-    requestURI,
-    clientId,
-  });
-
-  if (result.success) {
-    return result.data;
-  } else {
-    throw new AuthRequestDecodeError(result.error.message, `${decodedUrl}`);
-  }
-};
-
-export type RequestObjectConf = {
-  requestObject: RequestObject;
-  rpEntityConfiguration: RelyingPartyEntityConfiguration;
-  walletInstanceAttestation: string;
-};
-
-/**
- * Obtain the Request Object for RP authentication
- * @see https://italia.github.io/eudi-wallet-it-docs/versione-corrente/en/relying-party-solution.html
- */
-export const getRequestObject =
-  ({
-    wiaCryptoContext,
-    appFetch = fetch,
-  }: {
-    wiaCryptoContext: CryptoContext;
-    appFetch?: GlobalFetch["fetch"];
-  }) =>
-  async (
-    walletInstanceAttestation: string,
-    requestUri: string,
-    rpEntityConfiguration: RelyingPartyEntityConfiguration
-  ): Promise<RequestObjectConf> => {
-    const signedWalletInstanceDPoP = await createDPopToken(
-      {
-        jti: `${uuid.v4()}`,
-        htm: "GET",
-        htu: requestUri,
-        ath: await sha256ToBase64(walletInstanceAttestation),
-      },
-      wiaCryptoContext
-    );
-
-    const response = await appFetch(requestUri, {
-      method: "GET",
-      headers: {
-        Authorization: `DPoP ${walletInstanceAttestation}`,
-        DPoP: signedWalletInstanceDPoP,
-      },
-    });
-
-    if (response.status === 200) {
-      const responseJson = await response.json();
-      const responseEncodedJwt = responseJson.response;
-
-      const responseJwt = decodeJwt(responseEncodedJwt);
-
-      // verify token signature according to RP's entity configuration
-      // to ensure the request object is authentic
-      {
-        const pubKey =
-          rpEntityConfiguration.payload.metadata.wallet_relying_party.jwks.keys.find(
-            ({ kid }) => kid === responseJwt.protectedHeader.kid
-          );
-        if (!pubKey) {
-          throw new NoSuitableKeysFoundInEntityConfiguration(
-            "Request Object signature verification"
-          );
-        }
-        await verify(responseEncodedJwt, pubKey);
-      }
-
-      // parse request object it has the expected shape by specification
-      const requestObject = RequestObject.parse({
-        header: responseJwt.protectedHeader,
-        payload: responseJwt.payload,
-      });
-
-      return {
-        requestObject,
-        rpEntityConfiguration,
-        walletInstanceAttestation,
-      };
-    }
-
-    throw new IoWalletError(
-      `Unable to obtain Request Object. Response code: ${response.status}
-      ${await response.text()}`
-    );
-  };
-
-/**
- * Prepare the Verified Presentation token for a received request object in the context of an authorization request flow.
- * The presentation is prepared by disclosing data from provided credentials, according to requested claims
- * Each Verified Credential come along with the claims the user accepts to disclose from it.
- *
- * @todo accept more than a Verified Credential
- */
-const prepareVpToken =
-  ({ pidCryptoContext }: { pidCryptoContext: CryptoContext }) =>
-  async (
-    { requestObject, walletInstanceAttestation }: RequestObjectConf,
-    [vc, claims]: Presentation // TODO: [SIW-353] support multiple presentations,
-  ): Promise<{
-    vp_token: string;
-    presentation_submission: Record<string, unknown>;
-  }> => {
-    // this throws if vc cannot satisfy all the requested claims
-    const { token: vp, paths } = await disclose(vc, claims);
-
-    // obtain issuer from Wallet Instance
-    const {
-      payload: { iss },
-    } = WalletInstanceAttestation.decode(walletInstanceAttestation);
-
-    const pidKid = await pidCryptoContext.getPublicKey().then((_) => _.kid);
-
-    // TODO: [SIW-359] check all requeste claims of the requestedObj are satisfied
-    const vp_token = await new SignJWT(pidCryptoContext)
-      .setProtectedHeader({
-        typ: "JWT",
-        kid: pidKid,
-      })
-      .setPayload({
-        vp: vp,
-        jti: `${uuid.v4()}`,
-        iss,
-        nonce: requestObject.payload.nonce,
-      })
-      .setAudience(requestObject.payload.response_uri)
-      .setIssuedAt()
-      .setExpirationTime("1h")
-      .sign();
-
-    const vc_scope = requestObject.payload.scope;
-    const presentation_submission = {
-      definition_id: `${uuid.v4()}`,
-      id: `${uuid.v4()}`,
-      descriptor_map: paths.map((p) => ({
-        id: vc_scope,
-        path: `$.vp_token.${p.path}`,
-        format: "vc+sd-jwt",
-      })),
-    };
-
-    return { vp_token, presentation_submission };
-  };
-
-/**
- * Compose and send an Authorization Response in the context of an authorization request flow.
- *
- * @todo MUST add presentation_submission
- *
- */
-export const sendAuthorizationResponse =
-  ({
-    pidCryptoContext,
-    appFetch = fetch,
-  }: {
-    pidCryptoContext: CryptoContext;
-    appFetch?: GlobalFetch["fetch"];
-  }) =>
-  async (
-    {
-      requestObject,
-      rpEntityConfiguration,
-      walletInstanceAttestation,
-    }: RequestObjectConf,
-    presentation: Presentation // TODO: [SIW-353] support multiple presentations,
-  ): Promise<string> => {
-    // the request is an unsigned jws without iss, aud, exp
-    // https://openid.net/specs/openid-4-verifiable-presentations-1_0.html#name-signed-and-encrypted-respon
-    const jwk = chooseRSAPublicKeyToEncrypt(rpEntityConfiguration);
-
-    const { vp_token, presentation_submission } = await prepareVpToken({
-      pidCryptoContext,
-    })(
-      {
-        requestObject,
-        rpEntityConfiguration,
-        walletInstanceAttestation,
-      },
-      presentation
-    );
-
-    const authzResponsePayload = JSON.stringify({
-      state: requestObject.payload.state,
-      presentation_submission,
-      nonce: requestObject.payload.nonce,
-      vp_token,
-    });
-
-    const encrypted = await new EncryptJwe(authzResponsePayload, {
-      alg: "RSA-OAEP-256",
-      enc: "A256CBC-HS512",
-      kid: jwk.kid,
-    }).encrypt(jwk);
-
-    const formBody = new URLSearchParams({ response: encrypted });
-    const body = formBody.toString();
-
-    const response = await appFetch(requestObject.payload.response_uri, {
-      method: "POST",
-      headers: {
-        "Content-Type": "application/x-www-form-urlencoded",
-      },
-      body,
-    });
-
-    if (response.status === 200) {
-      return await response.json();
-    }
-
-    throw new IoWalletError(
-      `Unable to send Authorization Response. Response: ${await response.text()} with code: ${
-        response.status
-      }`
-    );
-  };

package/src/rp/types.ts

@@ -1,42 +0,0 @@
-import { UnixTime } from "../sd-jwt/types";
-import * as z from "zod";
-
-export type RequestObject = z.infer<typeof RequestObject>;
-export const RequestObject = z.object({
-  header: z.object({
-    // FIXME: SIW-421 type field must be either required or omitted, optional isn't useful
-    typ: z.literal("JWT").optional(),
-    alg: z.string(),
-    kid: z.string(),
-    trust_chain: z.array(z.string()),
-  }),
-  payload: z.object({
-    iss: z.string(),
-    iat: UnixTime,
-    exp: UnixTime,
-    state: z.string(),
-    nonce: z.string(),
-    response_uri: z.string(),
-    response_type: z.literal("vp_token"),
-    response_mode: z.literal("direct_post.jwt"),
-    client_id: z.string(),
-    client_id_scheme: z.literal("entity_id"),
-    scope: z.string(),
-  }),
-});
-
-export type QRCodePayload = z.infer<typeof QRCodePayload>;
-export const QRCodePayload = z.object({
-  protocol: z.string(),
-  resource: z.string(), // TODO: refine to known paths using literals
-  clientId: z.string(),
-  requestURI: z.string(),
-});
-
-/**
- * A pair that associate a tokenized Verified Credential with the claims presented or requested to present.
- */
-export type Presentation = [
-  /* verified credential token */ string,
-  /* claims */ string[]
-];