@pagopa/io-react-native-wallet 0.7.4 → 0.9.0

package/lib/commonjs/utils/par.js

@@ -0,0 +1,86 @@
+"use strict";
+
+Object.defineProperty(exports, "__esModule", {
+  value: true
+});
+exports.makeParRequest = exports.AuthorizationDetails = exports.AuthorizationDetail = void 0;
+var _ioReactNativeJwt = require("@pagopa/io-react-native-jwt");
+var _reactNativeUuid = _interopRequireDefault(require("react-native-uuid"));
+var z = _interopRequireWildcard(require("zod"));
+var WalletInstanceAttestation = _interopRequireWildcard(require("../wallet-instance-attestation"));
+var _misc = require("./misc");
+function _getRequireWildcardCache(nodeInterop) { if (typeof WeakMap !== "function") return null; var cacheBabelInterop = new WeakMap(); var cacheNodeInterop = new WeakMap(); return (_getRequireWildcardCache = function (nodeInterop) { return nodeInterop ? cacheNodeInterop : cacheBabelInterop; })(nodeInterop); }
+function _interopRequireWildcard(obj, nodeInterop) { if (!nodeInterop && obj && obj.__esModule) { return obj; } if (obj === null || typeof obj !== "object" && typeof obj !== "function") { return { default: obj }; } var cache = _getRequireWildcardCache(nodeInterop); if (cache && cache.has(obj)) { return cache.get(obj); } var newObj = {}; var hasPropertyDescriptor = Object.defineProperty && Object.getOwnPropertyDescriptor; for (var key in obj) { if (key !== "default" && Object.prototype.hasOwnProperty.call(obj, key)) { var desc = hasPropertyDescriptor ? Object.getOwnPropertyDescriptor(obj, key) : null; if (desc && (desc.get || desc.set)) { Object.defineProperty(newObj, key, desc); } else { newObj[key] = obj[key]; } } } newObj.default = obj; if (cache) { cache.set(obj, newObj); } return newObj; }
+function _interopRequireDefault(obj) { return obj && obj.__esModule ? obj : { default: obj }; }
+const AuthorizationDetail = z.object({
+  credential_definition: z.object({
+    type: z.string()
+  }),
+  format: z.literal("vc+sd-jwt"),
+  type: z.literal("openid_credential")
+});
+exports.AuthorizationDetail = AuthorizationDetail;
+const AuthorizationDetails = z.array(AuthorizationDetail);
+
+/**
+ * Make a PAR request to the issuer and return the response url
+ */
+exports.AuthorizationDetails = AuthorizationDetails;
+const makeParRequest = _ref => {
+  let {
+    wiaCryptoContext,
+    appFetch = fetch
+  } = _ref;
+  return async (clientId, codeVerifier, walletProviderBaseUrl, parEndpoint, walletInstanceAttestation, authorizationDetails, assertionType) => {
+    const wiaPublicKey = await wiaCryptoContext.getPublicKey();
+    const parUrl = new URL(parEndpoint);
+    const aud = `${parUrl.protocol}//${parUrl.hostname}`;
+    const iss = WalletInstanceAttestation.decode(walletInstanceAttestation).payload.cnf.jwk.kid;
+
+    /** A code challenge is provided so that the PAR is bound 
+        to the subsequent authorization code request
+        @see https://datatracker.ietf.org/doc/html/rfc9126#name-request */
+    const codeChallengeMethod = "s256";
+    const codeChallenge = await (0, _ioReactNativeJwt.sha256ToBase64)(codeVerifier);
+
+    /** The PAR request token is signed used the Wallet Instance Attestation key.
+        The signature can be verified by reading the public key from the key set shippet
+        with the it will ship the Wallet Instance Attestation.
+        The key is matched by its kid */
+    const signedJwtForPar = await new _ioReactNativeJwt.SignJWT(wiaCryptoContext).setProtectedHeader({
+      kid: wiaPublicKey.kid
+    }).setPayload({
+      iss,
+      aud,
+      jti: `${_reactNativeUuid.default.v4()}`,
+      client_assertion_type: assertionType,
+      authorization_details: authorizationDetails,
+      response_type: "code",
+      redirect_uri: walletProviderBaseUrl,
+      state: `${_reactNativeUuid.default.v4()}`,
+      client_id: clientId,
+      code_challenge_method: codeChallengeMethod,
+      code_challenge: codeChallenge
+    }).setIssuedAt().setExpirationTime("1h").sign();
+
+    /** The request body for the Pushed Authorization Request */
+    var formBody = new URLSearchParams({
+      response_type: "code",
+      client_id: clientId,
+      code_challenge: codeChallenge,
+      code_challenge_method: "S256",
+      client_assertion_type: assertionType,
+      client_assertion: walletInstanceAttestation,
+      request: signedJwtForPar
+    });
+    return await appFetch(parEndpoint, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/x-www-form-urlencoded"
+      },
+      body: formBody.toString()
+    }).then((0, _misc.hasStatus)(201)).then(res => res.json()).then(result => result.request_uri);
+  };
+};
+exports.makeParRequest = makeParRequest;
+//# sourceMappingURL=par.js.map

package/lib/commonjs/utils/par.js.map

@@ -0,0 +1 @@
+{"version":3,"names":["_ioReactNativeJwt","require","_reactNativeUuid","_interopRequireDefault","z","_interopRequireWildcard","WalletInstanceAttestation","_misc","_getRequireWildcardCache","nodeInterop","WeakMap","cacheBabelInterop","cacheNodeInterop","obj","__esModule","default","cache","has","get","newObj","hasPropertyDescriptor","Object","defineProperty","getOwnPropertyDescriptor","key","prototype","hasOwnProperty","call","desc","set","AuthorizationDetail","object","credential_definition","type","string","format","literal","exports","AuthorizationDetails","array","makeParRequest","_ref","wiaCryptoContext","appFetch","fetch","clientId","codeVerifier","walletProviderBaseUrl","parEndpoint","walletInstanceAttestation","authorizationDetails","assertionType","wiaPublicKey","getPublicKey","parUrl","URL","aud","protocol","hostname","iss","decode","payload","cnf","jwk","kid","codeChallengeMethod","codeChallenge","sha256ToBase64","signedJwtForPar","SignJWT","setProtectedHeader","setPayload","jti","uuid","v4","client_assertion_type","authorization_details","response_type","redirect_uri","state","client_id","code_challenge_method","code_challenge","setIssuedAt","setExpirationTime","sign","formBody","URLSearchParams","client_assertion","request","method","headers","body","toString","then","hasStatus","res","json","result","request_uri"],"sourceRoot":"../../../src","sources":["utils/par.ts"],"mappings":";;;;;;AAAA,IAAAA,iBAAA,GAAAC,OAAA;AAKA,IAAAC,gBAAA,GAAAC,sBAAA,CAAAF,OAAA;AACA,IAAAG,CAAA,GAAAC,uBAAA,CAAAJ,OAAA;AACA,IAAAK,yBAAA,GAAAD,uBAAA,CAAAJ,OAAA;AACA,IAAAM,KAAA,GAAAN,OAAA;AAAmC,SAAAO,yBAAAC,WAAA,eAAAC,OAAA,kCAAAC,iBAAA,OAAAD,OAAA,QAAAE,gBAAA,OAAAF,OAAA,YAAAF,wBAAA,YAAAA,CAAAC,WAAA,WAAAA,WAAA,GAAAG,gBAAA,GAAAD,iBAAA,KAAAF,WAAA;AAAA,SAAAJ,wBAAAQ,GAAA,EAAAJ,WAAA,SAAAA,WAAA,IAAAI,GAAA,IAAAA,GAAA,CAAAC,UAAA,WAAAD,GAAA,QAAAA,GAAA,oBAAAA,GAAA,wBAAAA,GAAA,4BAAAE,OAAA,EAAAF,GAAA,UAAAG,KAAA,GAAAR,wBAAA,CAAAC,WAAA,OAAAO,KAAA,IAAAA,KAAA,CAAAC,GAAA,CAAAJ,GAAA,YAAAG,KAAA,CAAAE,GAAA,CAAAL,GAAA,SAAAM,MAAA,WAAAC,qBAAA,GAAAC,MAAA,CAAAC,cAAA,IAAAD,MAAA,CAAAE,wBAAA,WAAAC,GAAA,IAAAX,GAAA,QAAAW,GAAA,kBAAAH,MAAA,CAAAI,SAAA,CAAAC,cAAA,CAAAC,IAAA,CAAAd,GAAA,EAAAW,GAAA,SAAAI,IAAA,GAAAR,qBAAA,GAAAC,MAAA,CAAAE,wBAAA,CAAAV,GAAA,EAAAW,GAAA,cAAAI,IAAA,KAAAA,IAAA,CAAAV,GAAA,IAAAU,IAAA,CAAAC,GAAA,KAAAR,MAAA,CAAAC,cAAA,CAAAH,MAAA,EAAAK,GAAA,EAAAI,IAAA,YAAAT,MAAA,CAAAK,GAAA,IAAAX,GAAA,CAAAW,GAAA,SAAAL,MAAA,CAAAJ,OAAA,GAAAF,GAAA,MAAAG,KAAA,IAAAA,KAAA,CAAAa,GAAA,CAAAhB,GAAA,EAAAM,MAAA,YAAAA,MAAA;AAAA,SAAAhB,uBAAAU,GAAA,WAAAA,GAAA,IAAAA,GAAA,CAAAC,UAAA,GAAAD,GAAA,KAAAE,OAAA,EAAAF,GAAA;AAG5B,MAAMiB,mBAAmB,GAAG1B,CAAC,CAAC2B,MAAM,CAAC;EAC1CC,qBAAqB,EAAE5B,CAAC,CAAC2B,MAAM,CAAC;IAC9BE,IAAI,EAAE7B,CAAC,CAAC8B,MAAM,CAAC;EACjB,CAAC,CAAC;EACFC,MAAM,EAAE/B,CAAC,CAACgC,OAAO,CAAC,WAAW,CAAC;EAC9BH,IAAI,EAAE7B,CAAC,CAACgC,OAAO,CAAC,mBAAmB;AACrC,CAAC,CAAC;AAACC,OAAA,CAAAP,mBAAA,GAAAA,mBAAA;AAGI,MAAMQ,oBAAoB,GAAGlC,CAAC,CAACmC,KAAK,CAACT,mBAAmB,CAAC;;AAEhE;AACA;AACA;AAFAO,OAAA,CAAAC,oBAAA,GAAAA,oBAAA;AAGO,MAAME,cAAc,GACzBC,IAAA;EAAA,IAAC;IACCC,gBAAgB;IAChBC,QAAQ,GAAGC;EAIb,CAAC,GAAAH,IAAA;EAAA,OACD,OACEI,QAAgB,EAChBC,YAAoB,EACpBC,qBAA6B,EAC7BC,WAAmB,EACnBC,yBAAiC,EACjCC,oBAA0C,EAC1CC,aAAqB,KACD;IACpB,MAAMC,YAAY,GAAG,MAAMV,gBAAgB,CAACW,YAAY,CAAC,CAAC;IAE1D,MAAMC,MAAM,GAAG,IAAIC,GAAG,CAACP,WAAW,CAAC;IACnC,MAAMQ,GAAG,GAAI,GAAEF,MAAM,CAACG,QAAS,KAAIH,MAAM,CAACI,QAAS,EAAC;IAEpD,MAAMC,GAAG,GAAGrD,yBAAyB,CAACsD,MAAM,CAACX,yBAAyB,CAAC,CACpEY,OAAO,CAACC,GAAG,CAACC,GAAG,CAACC,GAAG;;IAEtB;AACJ;AACA;IACI,MAAMC,mBAAmB,GAAG,MAAM;IAClC,MAAMC,aAAa,GAAG,MAAM,IAAAC,gCAAc,EAACrB,YAAY,CAAC;;IAExD;AACJ;AACA;AACA;IACI,MAAMsB,eAAe,GAAG,MAAM,IAAIC,yBAAO,CAAC3B,gBAAgB,CAAC,CACxD4B,kBAAkB,CAAC;MAClBN,GAAG,EAAEZ,YAAY,CAACY;IACpB,CAAC,CAAC,CACDO,UAAU,CAAC;MACVZ,GAAG;MACHH,GAAG;MACHgB,GAAG,EAAG,GAAEC,wBAAI,CAACC,EAAE,CAAC,CAAE,EAAC;MACnBC,qBAAqB,EAAExB,aAAa;MACpCyB,qBAAqB,EAAE1B,oBAAoB;MAC3C2B,aAAa,EAAE,MAAM;MACrBC,YAAY,EAAE/B,qBAAqB;MACnCgC,KAAK,EAAG,GAAEN,wBAAI,CAACC,EAAE,CAAC,CAAE,EAAC;MACrBM,SAAS,EAAEnC,QAAQ;MACnBoC,qBAAqB,EAAEhB,mBAAmB;MAC1CiB,cAAc,EAAEhB;IAClB,CAAC,CAAC,CACDiB,WAAW,CAAC,CAAC,CACbC,iBAAiB,CAAC,IAAI,CAAC,CACvBC,IAAI,CAAC,CAAC;;IAET;IACA,IAAIC,QAAQ,GAAG,IAAIC,eAAe,CAAC;MACjCV,aAAa,EAAE,MAAM;MACrBG,SAAS,EAAEnC,QAAQ;MACnBqC,cAAc,EAAEhB,aAAa;MAC7Be,qBAAqB,EAAE,MAAM;MAC7BN,qBAAqB,EAAExB,aAAa;MACpCqC,gBAAgB,EAAEvC,yBAAyB;MAC3CwC,OAAO,EAAErB;IACX,CAAC,CAAC;IAEF,OAAO,MAAMzB,QAAQ,CAACK,WAAW,EAAE;MACjC0C,MAAM,EAAE,MAAM;MACdC,OAAO,EAAE;QACP,cAAc,EAAE;MAClB,CAAC;MACDC,IAAI,EAAEN,QAAQ,CAACO,QAAQ,CAAC;IAC1B,CAAC,CAAC,CACCC,IAAI,CAAC,IAAAC,eAAS,EAAC,GAAG,CAAC,CAAC,CACpBD,IAAI,CAAEE,GAAG,IAAKA,GAAG,CAACC,IAAI,CAAC,CAAC,CAAC,CACzBH,IAAI,CAAEI,MAAM,IAAKA,MAAM,CAACC,WAAW,CAAC;EACzC,CAAC;AAAA;AAAC9D,OAAA,CAAAG,cAAA,GAAAA,cAAA"}

package/lib/module/credential/index.js

@@ -0,0 +1,4 @@
+import * as Issuance from "./issuance";
+import * as Presentation from "./presentation";
+export { Issuance, Presentation };
+//# sourceMappingURL=index.js.map

package/lib/module/credential/index.js.map

@@ -0,0 +1 @@
+{"version":3,"names":["Issuance","Presentation"],"sourceRoot":"../../../src","sources":["credential/index.ts"],"mappings":"AAAA,OAAO,KAAKA,QAAQ,MAAM,YAAY;AACtC,OAAO,KAAKC,YAAY,MAAM,gBAAgB;AAE9C,SAASD,QAAQ,EAAEC,YAAY"}

package/lib/module/credential/issuance/01-start-flow.js

@@ -0,0 +1,2 @@
+
+//# sourceMappingURL=01-start-flow.js.map

package/lib/module/credential/issuance/01-start-flow.js.map

@@ -0,0 +1 @@
+{"version":3,"names":[],"sourceRoot":"../../../../src","sources":["credential/issuance/01-start-flow.ts"],"mappings":""}

package/lib/module/credential/issuance/02-evaluate-issuer-trust.js

@@ -0,0 +1,19 @@
+import { getCredentialIssuerEntityConfiguration } from "../../trust";
+/**
+ * The Issuer trust evaluation phase.
+ * Fetch the Issuer's configuration and verify trust.
+ *
+ * @param issuerUrl The base url of the Issuer
+ * @param context.appFetch (optional) fetch api implementation. Default: built-in fetch
+ * @returns The Issuer's configuration
+ */
+export const evaluateIssuerTrust = async function (issuerUrl) {
+  let context = arguments.length > 1 && arguments[1] !== undefined ? arguments[1] : {};
+  const issuerConf = await getCredentialIssuerEntityConfiguration(issuerUrl, {
+    appFetch: context.appFetch
+  }).then(_ => _.payload.metadata);
+  return {
+    issuerConf
+  };
+};
+//# sourceMappingURL=02-evaluate-issuer-trust.js.map

package/lib/module/credential/issuance/02-evaluate-issuer-trust.js.map

@@ -0,0 +1 @@
+{"version":3,"names":["getCredentialIssuerEntityConfiguration","evaluateIssuerTrust","issuerUrl","context","arguments","length","undefined","issuerConf","appFetch","then","_","payload","metadata"],"sourceRoot":"../../../../src","sources":["credential/issuance/02-evaluate-issuer-trust.ts"],"mappings":"AAAA,SAASA,sCAAsC,QAAQ,aAAa;AAcpE;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,MAAMC,mBAAwC,GAAG,eAAAA,CACtDC,SAAS,EAEN;EAAA,IADHC,OAAO,GAAAC,SAAA,CAAAC,MAAA,QAAAD,SAAA,QAAAE,SAAA,GAAAF,SAAA,MAAG,CAAC,CAAC;EAEZ,MAAMG,UAAU,GAAG,MAAMP,sCAAsC,CAACE,SAAS,EAAE;IACzEM,QAAQ,EAAEL,OAAO,CAACK;EACpB,CAAC,CAAC,CAACC,IAAI,CAAEC,CAAC,IAAKA,CAAC,CAACC,OAAO,CAACC,QAAQ,CAAC;EAClC,OAAO;IAAEL;EAAW,CAAC;AACvB,CAAC"}

package/lib/module/credential/issuance/03-start-user-authorization.js

@@ -0,0 +1,109 @@
+import * as z from "zod";
+import uuid from "react-native-uuid";
+import { makeParRequest } from "../../utils/par";
+import { getJwtFromFormPost } from "../../utils/decoder";
+import { hasStatus } from "../../utils/misc";
+import { ASSERTION_TYPE } from "./const";
+const selectCredentialDefinition = (issuerConf, credentialType) => {
+  const {
+    credentials_supported
+  } = issuerConf.openid_credential_issuer;
+  const [result] = credentials_supported.filter(e => e.credential_definition.type.includes(credentialType)).map(e => ({
+    credential_definition: {
+      type: credentialType
+    },
+    format: e.format,
+    type: "openid_credential"
+  }));
+  if (!result) {
+    throw new Error(`No credential support the type '${credentialType}'`);
+  }
+  return result;
+};
+const decodeAuthorizationResponse = async raw => {
+  const {
+    decodedJwt: {
+      payload
+    }
+  } = await getJwtFromFormPost(raw);
+
+  /**
+   * FIXME: [SIW-628] This step must not make any difference on the credential
+   * we are authorizing for, being a PID or any other (Q)EAA.
+   *
+   * Currently, PID issuer is implemented to skip the CompleteUserAuthorization step
+   * thus returning a stubbed (code, state) pair.
+   *
+   * This is a workaround to proceeed the flow anyway.
+   * If the response does not map what expected (CorrectShape),
+   * we try parse into (code, state) to check if we are in the PID scenario.
+   * In that case, a stub value is returned (will not be evaluated anyway).
+   *
+   * This workaround will be obsolete once the PID issuer fixes its implementation
+   */
+  const CorrectShape = z.object({
+    request_uri: z.string()
+  });
+  const WrongShapeForPID = z.object({
+    code: z.string(),
+    state: z.string()
+  });
+  const [correct, wrong] = [CorrectShape.safeParse(payload), WrongShapeForPID.safeParse(payload)];
+  if (correct.success) {
+    return correct.data;
+  } else if (wrong.success) {
+    return {
+      request_uri: "https://fake-request-uri"
+    };
+  }
+  throw correct.error;
+};
+/**
+ * Start the User authorization phase.
+ * Perform the Pushed Authorization Request as defined in OAuth 2.0 protocol.
+ *
+ * @param issuerConf The Issuer configuration
+ * @param credentialType The type of the credential to be requested
+ * @param context.wiaCryptoContext The context to access the key associated with the Wallet Instance Attestation
+ * @param context.walletInstanceAttestation The Wallet Instance Attestation token
+ * @param context.walletProviderBaseUrl The base url of the Wallet Provider
+ * @param context.additionalParams Hash set of parameters to be passed to the authorization endpoint
+ * (used as a temporary fix until we have a proper User identity in the PID token provider)
+ * TODO: [SIW-630]
+ * @param context.appFetch (optional) fetch api implementation. Default: built-in fetch
+ * @returns The request uri to continue the authorization to
+ */
+export const startUserAuthorization = async (issuerConf, credentialType, ctx) => {
+  const {
+    wiaCryptoContext,
+    walletInstanceAttestation,
+    walletProviderBaseUrl,
+    additionalParams = {},
+    appFetch = fetch
+  } = ctx;
+  const clientId = await wiaCryptoContext.getPublicKey().then(_ => _.kid);
+  const codeVerifier = `${uuid.v4()}`;
+  // Make a PAR request to the credential issuer and return the response url
+  const parUrl = issuerConf.openid_credential_issuer.pushed_authorization_request_endpoint;
+  const getPar = makeParRequest({
+    wiaCryptoContext,
+    appFetch
+  });
+  const issuerRequestUri = await getPar(clientId, codeVerifier, walletProviderBaseUrl, parUrl, walletInstanceAttestation, [selectCredentialDefinition(issuerConf, credentialType)], ASSERTION_TYPE);
+
+  // Initialize authorization by requesting the authz request uri
+  const authzRequestEndpoint = issuerConf.openid_credential_issuer.authorization_endpoint;
+  const params = new URLSearchParams({
+    client_id: clientId,
+    request_uri: issuerRequestUri,
+    ...additionalParams
+  });
+  const {
+    request_uri
+  } = await appFetch(`${authzRequestEndpoint}?${params}`).then(hasStatus(200)).then(res => res.text()).then(decodeAuthorizationResponse);
+  return {
+    requestUri: request_uri,
+    clientId
+  };
+};
+//# sourceMappingURL=03-start-user-authorization.js.map

package/lib/module/credential/issuance/03-start-user-authorization.js.map

@@ -0,0 +1 @@
+{"version":3,"names":["z","uuid","makeParRequest","getJwtFromFormPost","hasStatus","ASSERTION_TYPE","selectCredentialDefinition","issuerConf","credentialType","credentials_supported","openid_credential_issuer","result","filter","e","credential_definition","type","includes","map","format","Error","decodeAuthorizationResponse","raw","decodedJwt","payload","CorrectShape","object","request_uri","string","WrongShapeForPID","code","state","correct","wrong","safeParse","success","data","error","startUserAuthorization","ctx","wiaCryptoContext","walletInstanceAttestation","walletProviderBaseUrl","additionalParams","appFetch","fetch","clientId","getPublicKey","then","_","kid","codeVerifier","v4","parUrl","pushed_authorization_request_endpoint","getPar","issuerRequestUri","authzRequestEndpoint","authorization_endpoint","params","URLSearchParams","client_id","res","text","requestUri"],"sourceRoot":"../../../../src","sources":["credential/issuance/03-start-user-authorization.ts"],"mappings":"AAAA,OAAO,KAAKA,CAAC,MAAM,KAAK;AACxB,OAAOC,IAAI,MAAM,mBAAmB;AACpC,SAA8BC,cAAc,QAAQ,iBAAiB;AAErE,SAASC,kBAAkB,QAAQ,qBAAqB;AACxD,SAASC,SAAS,QAAkB,kBAAkB;AAGtD,SAASC,cAAc,QAAQ,SAAS;AAExC,MAAMC,0BAA0B,GAAGA,CACjCC,UAAkD,EAClDC,cAAgD,KACxB;EACxB,MAAM;IAAEC;EAAsB,CAAC,GAAGF,UAAU,CAACG,wBAAwB;EAErE,MAAM,CAACC,MAAM,CAAC,GAAGF,qBAAqB,CACnCG,MAAM,CAAEC,CAAC,IAAKA,CAAC,CAACC,qBAAqB,CAACC,IAAI,CAACC,QAAQ,CAACR,cAAc,CAAC,CAAC,CACpES,GAAG,CAAEJ,CAAC,KAAM;IACXC,qBAAqB,EAAE;MAAEC,IAAI,EAAEP;IAAe,CAAC;IAC/CU,MAAM,EAAEL,CAAC,CAACK,MAAM;IAChBH,IAAI,EAAE;EACR,CAAC,CAAC,CAAC;EAEL,IAAI,CAACJ,MAAM,EAAE;IACX,MAAM,IAAIQ,KAAK,CAAE,mCAAkCX,cAAe,GAAE,CAAC;EACvE;EACA,OAAOG,MAAM;AACf,CAAC;AAED,MAAMS,2BAA2B,GAAG,MAClCC,GAAW,IAC0B;EACrC,MAAM;IACJC,UAAU,EAAE;MAAEC;IAAQ;EACxB,CAAC,GAAG,MAAMpB,kBAAkB,CAACkB,GAAG,CAAC;;EAEjC;AACF;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;EACE,MAAMG,YAAY,GAAGxB,CAAC,CAACyB,MAAM,CAAC;IAAEC,WAAW,EAAE1B,CAAC,CAAC2B,MAAM,CAAC;EAAE,CAAC,CAAC;EAC1D,MAAMC,gBAAgB,GAAG5B,CAAC,CAACyB,MAAM,CAAC;IAAEI,IAAI,EAAE7B,CAAC,CAAC2B,MAAM,CAAC,CAAC;IAAEG,KAAK,EAAE9B,CAAC,CAAC2B,MAAM,CAAC;EAAE,CAAC,CAAC;EAE1E,MAAM,CAACI,OAAO,EAAEC,KAAK,CAAC,GAAG,CACvBR,YAAY,CAACS,SAAS,CAACV,OAAO,CAAC,EAC/BK,gBAAgB,CAACK,SAAS,CAACV,OAAO,CAAC,CACpC;EAED,IAAIQ,OAAO,CAACG,OAAO,EAAE;IACnB,OAAOH,OAAO,CAACI,IAAI;EACrB,CAAC,MAAM,IAAIH,KAAK,CAACE,OAAO,EAAE;IACxB,OAAO;MAAER,WAAW,EAAE;IAA2B,CAAC;EACpD;EACA,MAAMK,OAAO,CAACK,KAAK;AACrB,CAAC;AAcD;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,MAAMC,sBAA8C,GAAG,MAAAA,CAC5D9B,UAAU,EACVC,cAAc,EACd8B,GAAG,KACA;EACH,MAAM;IACJC,gBAAgB;IAChBC,yBAAyB;IACzBC,qBAAqB;IACrBC,gBAAgB,GAAG,CAAC,CAAC;IACrBC,QAAQ,GAAGC;EACb,CAAC,GAAGN,GAAG;EACP,MAAMO,QAAQ,GAAG,MAAMN,gBAAgB,CAACO,YAAY,CAAC,CAAC,CAACC,IAAI,CAAEC,CAAC,IAAKA,CAAC,CAACC,GAAG,CAAC;EACzE,MAAMC,YAAY,GAAI,GAAEjD,IAAI,CAACkD,EAAE,CAAC,CAAE,EAAC;EACnC;EACA,MAAMC,MAAM,GACV7C,UAAU,CAACG,wBAAwB,CAAC2C,qCAAqC;EAC3E,MAAMC,MAAM,GAAGpD,cAAc,CAAC;IAAEqC,gBAAgB;IAAEI;EAAS,CAAC,CAAC;EAC7D,MAAMY,gBAAgB,GAAG,MAAMD,MAAM,CACnCT,QAAQ,EACRK,YAAY,EACZT,qBAAqB,EACrBW,MAAM,EACNZ,yBAAyB,EACzB,CAAClC,0BAA0B,CAACC,UAAU,EAAEC,cAAc,CAAC,CAAC,EACxDH,cACF,CAAC;;EAED;EACA,MAAMmD,oBAAoB,GACxBjD,UAAU,CAACG,wBAAwB,CAAC+C,sBAAsB;EAC5D,MAAMC,MAAM,GAAG,IAAIC,eAAe,CAAC;IACjCC,SAAS,EAAEf,QAAQ;IACnBnB,WAAW,EAAE6B,gBAAgB;IAC7B,GAAGb;EACL,CAAC,CAAC;EAEF,MAAM;IAAEhB;EAAY,CAAC,GAAG,MAAMiB,QAAQ,CAAE,GAAEa,oBAAqB,IAAGE,MAAO,EAAC,CAAC,CACxEX,IAAI,CAAC3C,SAAS,CAAC,GAAG,CAAC,CAAC,CACpB2C,IAAI,CAAEc,GAAG,IAAKA,GAAG,CAACC,IAAI,CAAC,CAAC,CAAC,CACzBf,IAAI,CAAC3B,2BAA2B,CAAC;EAEpC,OAAO;IAAE2C,UAAU,EAAErC,WAAW;IAAEmB;EAAS,CAAC;AAC9C,CAAC"}

package/lib/module/credential/issuance/04-complete-user-authorization.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=04-complete-user-authorization.js.map

package/lib/module/credential/issuance/04-complete-user-authorization.js.map

@@ -0,0 +1 @@
+{"version":3,"names":[],"sourceRoot":"../../../../src","sources":["credential/issuance/04-complete-user-authorization.ts"],"mappings":""}

package/lib/module/credential/issuance/05-authorize-access.js

@@ -0,0 +1,55 @@
+import uuid from "react-native-uuid";
+import { withEphemeralKey } from "../../utils/crypto";
+import { createDPopToken } from "../../utils/dpop";
+import { hasStatus } from "../../utils/misc";
+import { ASSERTION_TYPE } from "./const";
+/**
+ * Obtain the access token to finally request the credential
+ *
+ * @param issuerConf The Issuer configuration
+ * @param code The access code from the User authorization phase
+ * @param clientId Identifies the current client across all the requests of the issuing flow
+ * @param context.walletInstanceAttestation The Wallet Instance Attestation token
+ * @param context.walletProviderBaseUrl The base url of the Wallet Provider
+ * @param context.appFetch (optional) fetch api implementation. Default: built-in fetch
+ * @returns
+ */
+export const authorizeAccess = async (issuerConf, code, clientId, context) => {
+  const {
+    appFetch = fetch,
+    walletInstanceAttestation,
+    walletProviderBaseUrl
+  } = context;
+  const tokenUrl = issuerConf.openid_credential_issuer.token_endpoint;
+
+  // Use an ephemeral key to be destroyed after use
+  const signedDPop = await withEphemeralKey(ephemeralContext => createDPopToken({
+    htm: "POST",
+    htu: tokenUrl,
+    jti: `${uuid.v4()}`
+  }, ephemeralContext));
+  const codeVerifier = `${uuid.v4()}`;
+  const requestBody = {
+    grant_type: "authorization code",
+    client_id: clientId,
+    code,
+    code_verifier: codeVerifier,
+    client_assertion_type: ASSERTION_TYPE,
+    client_assertion: walletInstanceAttestation,
+    redirect_uri: walletProviderBaseUrl
+  };
+  var formBody = new URLSearchParams(requestBody);
+  return appFetch(tokenUrl, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/x-www-form-urlencoded",
+      DPoP: signedDPop
+    },
+    body: formBody.toString()
+  }).then(hasStatus(200)).then(res => res.json()).then(body => ({
+    accessToken: body.access_token,
+    nonce: body.c_nonce,
+    clientId
+  }));
+};
+//# sourceMappingURL=05-authorize-access.js.map

package/lib/module/credential/issuance/05-authorize-access.js.map

@@ -0,0 +1 @@
+{"version":3,"names":["uuid","withEphemeralKey","createDPopToken","hasStatus","ASSERTION_TYPE","authorizeAccess","issuerConf","code","clientId","context","appFetch","fetch","walletInstanceAttestation","walletProviderBaseUrl","tokenUrl","openid_credential_issuer","token_endpoint","signedDPop","ephemeralContext","htm","htu","jti","v4","codeVerifier","requestBody","grant_type","client_id","code_verifier","client_assertion_type","client_assertion","redirect_uri","formBody","URLSearchParams","method","headers","DPoP","body","toString","then","res","json","accessToken","access_token","nonce","c_nonce"],"sourceRoot":"../../../../src","sources":["credential/issuance/05-authorize-access.ts"],"mappings":"AAAA,OAAOA,IAAI,MAAM,mBAAmB;AACpC,SAASC,gBAAgB,QAAQ,oBAAoB;AACrD,SAASC,eAAe,QAAQ,kBAAkB;AAElD,SAASC,SAAS,QAAkB,kBAAkB;AAEtD,SAASC,cAAc,QAAQ,SAAS;AAqBxC;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,MAAMC,eAAgC,GAAG,MAAAA,CAC9CC,UAAU,EACVC,IAAI,EACJC,QAAQ,EACRC,OAAO,KAC+D;EACtE,MAAM;IACJC,QAAQ,GAAGC,KAAK;IAChBC,yBAAyB;IACzBC;EACF,CAAC,GAAGJ,OAAO;EAEX,MAAMK,QAAQ,GAAGR,UAAU,CAACS,wBAAwB,CAACC,cAAc;;EAEnE;EACA,MAAMC,UAAU,GAAG,MAAMhB,gBAAgB,CAAEiB,gBAAgB,IACzDhB,eAAe,CACb;IACEiB,GAAG,EAAE,MAAM;IACXC,GAAG,EAAEN,QAAQ;IACbO,GAAG,EAAG,GAAErB,IAAI,CAACsB,EAAE,CAAC,CAAE;EACpB,CAAC,EACDJ,gBACF,CACF,CAAC;EAED,MAAMK,YAAY,GAAI,GAAEvB,IAAI,CAACsB,EAAE,CAAC,CAAE,EAAC;EACnC,MAAME,WAAW,GAAG;IAClBC,UAAU,EAAE,oBAAoB;IAChCC,SAAS,EAAElB,QAAQ;IACnBD,IAAI;IACJoB,aAAa,EAAEJ,YAAY;IAC3BK,qBAAqB,EAAExB,cAAc;IACrCyB,gBAAgB,EAAEjB,yBAAyB;IAC3CkB,YAAY,EAAEjB;EAChB,CAAC;EACD,IAAIkB,QAAQ,GAAG,IAAIC,eAAe,CAACR,WAAW,CAAC;EAE/C,OAAOd,QAAQ,CAACI,QAAQ,EAAE;IACxBmB,MAAM,EAAE,MAAM;IACdC,OAAO,EAAE;MACP,cAAc,EAAE,mCAAmC;MACnDC,IAAI,EAAElB;IACR,CAAC;IACDmB,IAAI,EAAEL,QAAQ,CAACM,QAAQ,CAAC;EAC1B,CAAC,CAAC,CACCC,IAAI,CAACnC,SAAS,CAAC,GAAG,CAAC,CAAC,CACpBmC,IAAI,CAAEC,GAAG,IAAKA,GAAG,CAACC,IAAI,CAAC,CAAC,CAAC,CACzBF,IAAI,CAAEF,IAAI,KAAM;IACfK,WAAW,EAAEL,IAAI,CAACM,YAAY;IAC9BC,KAAK,EAAEP,IAAI,CAACQ,OAAO;IACnBpC;EACF,CAAC,CAAC,CAAC;AACP,CAAC"}

package/lib/module/credential/issuance/06-obtain-credential.js

@@ -0,0 +1,117 @@
+import * as z from "zod";
+import uuid from "react-native-uuid";
+import { SignJWT } from "@pagopa/io-react-native-jwt";
+import { verify as verifySdJwt } from "../../sd-jwt";
+import { createDPopToken } from "../../utils/dpop";
+import { hasStatus } from "../../utils/misc";
+import { SdJwt4VC } from "../../sd-jwt/types";
+import { IoWalletError } from "../../utils/errors";
+/**
+ * Return the signed jwt for nonce proof of possession
+ */
+export const createNonceProof = async (nonce, issuer, audience, ctx) => {
+  return new SignJWT(ctx).setPayload({
+    nonce,
+    jwk: await ctx.getPublicKey()
+  }).setProtectedHeader({
+    type: "openid4vci-proof+jwt"
+  }).setAudience(audience).setIssuer(issuer).setIssuedAt().setExpirationTime("1h").sign();
+};
+
+/**
+ * Given a credential, verify it's in the supported format
+ * and the credential is correctly signed
+ * and it's bound to the given key
+ *
+ * @param rawCredential The received credential
+ * @param issuerKeys The set of public keys of the issuer,
+ * which will be used to verify the signature
+ * @param holderBindingContext The access to the holder's key
+ *
+ * @throws If the signature verification fails
+ * @throws If the credential is not in the SdJwt4VC format
+ * @throws If the holder binding is not properly configured
+ *
+ */
+async function verifyCredential(rawCredential, issuerKeys, holderBindingContext) {
+  const [{
+    sdJwt
+  }, holderBindingKey] =
+  // parallel for optimization
+  await Promise.all([verifySdJwt(rawCredential, issuerKeys, SdJwt4VC), holderBindingContext.getPublicKey()]);
+  if (!sdJwt.payload.cnf.jwk.kid || sdJwt.payload.cnf.jwk.kid !== holderBindingKey.kid) {
+    throw new IoWalletError(`Failed to verify holder binding, expected kid: ${holderBindingKey.kid}, got: ${sdJwt.payload.cnf.jwk.kid}`);
+  }
+}
+const CredentialEndpointResponse = z.object({
+  credential: z.string(),
+  format: z.literal("vc+sd-jwt")
+});
+/**
+ * Fetch a credential from the issuer
+ *
+ * @param issuerConf The Issuer configuration
+ * @param accessToken The access token to grant access to the credential, obtained with the access authorization step
+ * @param nonce The nonce value to prevent reply attacks, obtained with the access authorization step
+ * @param clientId Identifies the current client across all the requests of the issuing flow
+ * @param credentialType The type of the credential to be requested
+ * @param context.credentialCryptoContext The context to access the key the Credential will be bound to
+ * @param context.walletProviderBaseUrl The base url of the Wallet Provider
+ * @param context.appFetch (optional) fetch api implementation. Default: built-in fetch
+ * @returns The signed credential token
+ */
+export const obtainCredential = async (issuerConf, accessToken, nonce, clientId, credentialType, context) => {
+  const {
+    credentialCryptoContext,
+    walletProviderBaseUrl,
+    appFetch = fetch
+  } = context;
+  const credentialUrl = issuerConf.openid_credential_issuer.credential_endpoint;
+
+  /** DPoP token for demonstating the possession
+      of the key that will bind the holder User with the Credential
+      @see https://datatracker.ietf.org/doc/html/rfc9449 */
+  const signedDPopForPid = await createDPopToken({
+    htm: "POST",
+    htu: credentialUrl,
+    jti: `${uuid.v4()}`
+  }, credentialCryptoContext);
+
+  /** JWT proof token to bind the request nonce
+      to the key that will bind the holder User with the Credential
+      @see https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html#name-proof-types */
+  const signedNonceProof = await createNonceProof(nonce, clientId, walletProviderBaseUrl, credentialCryptoContext);
+
+  /** The credential request body */
+  const formBody = new URLSearchParams({
+    credential_definition: JSON.stringify({
+      type: [credentialType]
+    }),
+    format: "vc+sd-jwt",
+    proof: JSON.stringify({
+      jwt: signedNonceProof,
+      proof_type: "jwt"
+    })
+  });
+  const {
+    credential,
+    format
+  } = await appFetch(credentialUrl, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/x-www-form-urlencoded",
+      DPoP: signedDPopForPid,
+      Authorization: accessToken
+    },
+    body: formBody.toString()
+  }).then(hasStatus(200)).then(res => res.json()).then(CredentialEndpointResponse.parse);
+
+  /** validate the received credential signature
+      is correct and refers to the public keys of the issuer */
+  await verifyCredential(credential, issuerConf.openid_credential_issuer.jwks.keys, credentialCryptoContext);
+  return {
+    credential,
+    format
+  };
+};
+//# sourceMappingURL=06-obtain-credential.js.map

package/lib/module/credential/issuance/06-obtain-credential.js.map

@@ -0,0 +1 @@
+{"version":3,"names":["z","uuid","SignJWT","verify","verifySdJwt","createDPopToken","hasStatus","SdJwt4VC","IoWalletError","createNonceProof","nonce","issuer","audience","ctx","setPayload","jwk","getPublicKey","setProtectedHeader","type","setAudience","setIssuer","setIssuedAt","setExpirationTime","sign","verifyCredential","rawCredential","issuerKeys","holderBindingContext","sdJwt","holderBindingKey","Promise","all","payload","cnf","kid","CredentialEndpointResponse","object","credential","string","format","literal","obtainCredential","issuerConf","accessToken","clientId","credentialType","context","credentialCryptoContext","walletProviderBaseUrl","appFetch","fetch","credentialUrl","openid_credential_issuer","credential_endpoint","signedDPopForPid","htm","htu","jti","v4","signedNonceProof","formBody","URLSearchParams","credential_definition","JSON","stringify","proof","jwt","proof_type","method","headers","DPoP","Authorization","body","toString","then","res","json","parse","jwks","keys"],"sourceRoot":"../../../../src","sources":["credential/issuance/06-obtain-credential.ts"],"mappings":"AAAA,OAAO,KAAKA,CAAC,MAAM,KAAK;AACxB,OAAOC,IAAI,MAAM,mBAAmB;AACpC,SAASC,OAAO,QAA4B,6BAA6B;AACzE,SAASC,MAAM,IAAIC,WAAW,QAAQ,cAAc;AACpD,SAASC,eAAe,QAAQ,kBAAkB;AAGlD,SAASC,SAAS,QAAkB,kBAAkB;AAGtD,SAASC,QAAQ,QAAQ,oBAAoB;AAC7C,SAASC,aAAa,QAAQ,oBAAoB;AAGlD;AACA;AACA;AACA,OAAO,MAAMC,gBAAgB,GAAG,MAAAA,CAC9BC,KAAa,EACbC,MAAc,EACdC,QAAgB,EAChBC,GAAkB,KACE;EACpB,OAAO,IAAIX,OAAO,CAACW,GAAG,CAAC,CACpBC,UAAU,CAAC;IACVJ,KAAK;IACLK,GAAG,EAAE,MAAMF,GAAG,CAACG,YAAY,CAAC;EAC9B,CAAC,CAAC,CACDC,kBAAkB,CAAC;IAClBC,IAAI,EAAE;EACR,CAAC,CAAC,CACDC,WAAW,CAACP,QAAQ,CAAC,CACrBQ,SAAS,CAACT,MAAM,CAAC,CACjBU,WAAW,CAAC,CAAC,CACbC,iBAAiB,CAAC,IAAI,CAAC,CACvBC,IAAI,CAAC,CAAC;AACX,CAAC;;AAED;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,eAAeC,gBAAgBA,CAC7BC,aAAqB,EACrBC,UAAiB,EACjBC,oBAAmC,EACpB;EACf,MAAM,CAAC;IAAEC;EAAM,CAAC,EAAEC,gBAAgB,CAAC;EACjC;EACA,MAAMC,OAAO,CAACC,GAAG,CAAC,CAChB3B,WAAW,CAACqB,aAAa,EAAEC,UAAU,EAAEnB,QAAQ,CAAC,EAChDoB,oBAAoB,CAACX,YAAY,CAAC,CAAC,CACpC,CAAC;EAEJ,IACE,CAACY,KAAK,CAACI,OAAO,CAACC,GAAG,CAAClB,GAAG,CAACmB,GAAG,IAC1BN,KAAK,CAACI,OAAO,CAACC,GAAG,CAAClB,GAAG,CAACmB,GAAG,KAAKL,gBAAgB,CAACK,GAAG,EAClD;IACA,MAAM,IAAI1B,aAAa,CACpB,kDAAiDqB,gBAAgB,CAACK,GAAI,UAASN,KAAK,CAACI,OAAO,CAACC,GAAG,CAAClB,GAAG,CAACmB,GAAI,EAC5G,CAAC;EACH;AACF;AAEA,MAAMC,0BAA0B,GAAGnC,CAAC,CAACoC,MAAM,CAAC;EAC1CC,UAAU,EAAErC,CAAC,CAACsC,MAAM,CAAC,CAAC;EACtBC,MAAM,EAAEvC,CAAC,CAACwC,OAAO,CAAC,WAAW;AAC/B,CAAC,CAAC;AAeF;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,MAAMC,gBAAkC,GAAG,MAAAA,CAChDC,UAAU,EACVC,WAAW,EACXjC,KAAK,EACLkC,QAAQ,EACRC,cAAc,EACdC,OAAO,KACJ;EACH,MAAM;IACJC,uBAAuB;IACvBC,qBAAqB;IACrBC,QAAQ,GAAGC;EACb,CAAC,GAAGJ,OAAO;EAEX,MAAMK,aAAa,GAAGT,UAAU,CAACU,wBAAwB,CAACC,mBAAmB;;EAE7E;AACF;AACA;EACE,MAAMC,gBAAgB,GAAG,MAAMjD,eAAe,CAC5C;IACEkD,GAAG,EAAE,MAAM;IACXC,GAAG,EAAEL,aAAa;IAClBM,GAAG,EAAG,GAAExD,IAAI,CAACyD,EAAE,CAAC,CAAE;EACpB,CAAC,EACDX,uBACF,CAAC;;EAED;AACF;AACA;EACE,MAAMY,gBAAgB,GAAG,MAAMlD,gBAAgB,CAC7CC,KAAK,EACLkC,QAAQ,EACRI,qBAAqB,EACrBD,uBACF,CAAC;;EAED;EACA,MAAMa,QAAQ,GAAG,IAAIC,eAAe,CAAC;IACnCC,qBAAqB,EAAEC,IAAI,CAACC,SAAS,CAAC;MACpC9C,IAAI,EAAE,CAAC2B,cAAc;IACvB,CAAC,CAAC;IACFN,MAAM,EAAE,WAAW;IACnB0B,KAAK,EAAEF,IAAI,CAACC,SAAS,CAAC;MACpBE,GAAG,EAAEP,gBAAgB;MACrBQ,UAAU,EAAE;IACd,CAAC;EACH,CAAC,CAAC;EAEF,MAAM;IAAE9B,UAAU;IAAEE;EAAO,CAAC,GAAG,MAAMU,QAAQ,CAACE,aAAa,EAAE;IAC3DiB,MAAM,EAAE,MAAM;IACdC,OAAO,EAAE;MACP,cAAc,EAAE,mCAAmC;MACnDC,IAAI,EAAEhB,gBAAgB;MACtBiB,aAAa,EAAE5B;IACjB,CAAC;IACD6B,IAAI,EAAEZ,QAAQ,CAACa,QAAQ,CAAC;EAC1B,CAAC,CAAC,CACCC,IAAI,CAACpE,SAAS,CAAC,GAAG,CAAC,CAAC,CACpBoE,IAAI,CAAEC,GAAG,IAAKA,GAAG,CAACC,IAAI,CAAC,CAAC,CAAC,CACzBF,IAAI,CAACvC,0BAA0B,CAAC0C,KAAK,CAAC;;EAEzC;AACF;EACE,MAAMrD,gBAAgB,CACpBa,UAAU,EACVK,UAAU,CAACU,wBAAwB,CAAC0B,IAAI,CAACC,IAAI,EAC7ChC,uBACF,CAAC;EAED,OAAO;IAAEV,UAAU;IAAEE;EAAO,CAAC;AAC/B,CAAC"}

package/lib/module/credential/issuance/07-confirm-credential.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=07-confirm-credential.js.map

package/lib/module/credential/issuance/07-confirm-credential.js.map

@@ -0,0 +1 @@
+{"version":3,"names":[],"sourceRoot":"../../../../src","sources":["credential/issuance/07-confirm-credential.ts"],"mappings":""}

package/lib/module/credential/issuance/const.js

@@ -0,0 +1,2 @@
+export const ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-client-attestation";
+//# sourceMappingURL=const.js.map

package/lib/module/credential/issuance/const.js.map

@@ -0,0 +1 @@
+{"version":3,"names":["ASSERTION_TYPE"],"sourceRoot":"../../../../src","sources":["credential/issuance/const.ts"],"mappings":"AAAA,OAAO,MAAMA,cAAc,GACzB,oEAAoE"}

package/lib/module/credential/issuance/index.js

@@ -0,0 +1,6 @@
+import { evaluateIssuerTrust } from "./02-evaluate-issuer-trust";
+import { startUserAuthorization } from "./03-start-user-authorization";
+import { authorizeAccess } from "./05-authorize-access";
+import { obtainCredential } from "./06-obtain-credential";
+export { evaluateIssuerTrust, startUserAuthorization, authorizeAccess, obtainCredential };
+//# sourceMappingURL=index.js.map

package/lib/module/credential/issuance/index.js.map

@@ -0,0 +1 @@
+{"version":3,"names":["evaluateIssuerTrust","startUserAuthorization","authorizeAccess","obtainCredential"],"sourceRoot":"../../../../src","sources":["credential/issuance/index.ts"],"mappings":"AACA,SACEA,mBAAmB,QAEd,4BAA4B;AACnC,SACEC,sBAAsB,QAEjB,+BAA+B;AAEtC,SAASC,eAAe,QAA8B,uBAAuB;AAC7E,SACEC,gBAAgB,QAEX,wBAAwB;AAG/B,SACEH,mBAAmB,EACnBC,sBAAsB,EACtBC,eAAe,EACfC,gBAAgB"}

package/lib/module/credential/presentation/01-start-flow.js

@@ -0,0 +1,46 @@
+import * as z from "zod";
+import { decodeBase64 } from "@pagopa/io-react-native-jwt";
+import { AuthRequestDecodeError } from "../../utils/errors";
+const QRCodePayload = z.object({
+  protocol: z.string(),
+  resource: z.string(),
+  // TODO: refine to known paths using literals
+  clientId: z.string(),
+  requestURI: z.string()
+});
+
+/**
+ * The beginning of the presentation flow.
+ * To be implemented accordind to the user touchpoint
+ *
+ * @param Optional parameters, depending on the starting touchoint
+ * @returns The url for the Relying Party to connect with
+ */
+
+/**
+ * Start a presentation flow by decoding an incoming QR-code
+ *
+ * @param qrcode The encoded QR-code content
+ * @returns The url for the Relying Party to connect with
+ * @throws If the provided qr code fails to be decoded
+ */
+export const startFlowFromQR = async qrcode => {
+  const decoded = decodeBase64(qrcode);
+  const decodedUrl = new URL(decoded);
+  const protocol = decodedUrl.protocol;
+  const resource = decodedUrl.hostname;
+  const requestURI = decodedUrl.searchParams.get("request_uri");
+  const clientId = decodedUrl.searchParams.get("client_id");
+  const result = QRCodePayload.safeParse({
+    protocol,
+    resource,
+    requestURI,
+    clientId
+  });
+  if (result.success) {
+    return result.data;
+  } else {
+    throw new AuthRequestDecodeError(result.error.message, `${decodedUrl}`);
+  }
+};
+//# sourceMappingURL=01-start-flow.js.map

package/lib/module/credential/presentation/01-start-flow.js.map

@@ -0,0 +1 @@
+{"version":3,"names":["z","decodeBase64","AuthRequestDecodeError","QRCodePayload","object","protocol","string","resource","clientId","requestURI","startFlowFromQR","qrcode","decoded","decodedUrl","URL","hostname","searchParams","get","result","safeParse","success","data","error","message"],"sourceRoot":"../../../../src","sources":["credential/presentation/01-start-flow.ts"],"mappings":"AAAA,OAAO,KAAKA,CAAC,MAAM,KAAK;AACxB,SAASC,YAAY,QAAQ,6BAA6B;AAC1D,SAASC,sBAAsB,QAAQ,oBAAoB;AAE3D,MAAMC,aAAa,GAAGH,CAAC,CAACI,MAAM,CAAC;EAC7BC,QAAQ,EAAEL,CAAC,CAACM,MAAM,CAAC,CAAC;EACpBC,QAAQ,EAAEP,CAAC,CAACM,MAAM,CAAC,CAAC;EAAE;EACtBE,QAAQ,EAAER,CAAC,CAACM,MAAM,CAAC,CAAC;EACpBG,UAAU,EAAET,CAAC,CAACM,MAAM,CAAC;AACvB,CAAC,CAAC;;AAEF;AACA;AACA;AACA;AACA;AACA;AACA;;AAMA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,MAAMI,eAAoC,GAAG,MAAOC,MAAM,IAAK;EACpE,MAAMC,OAAO,GAAGX,YAAY,CAACU,MAAM,CAAC;EACpC,MAAME,UAAU,GAAG,IAAIC,GAAG,CAACF,OAAO,CAAC;EACnC,MAAMP,QAAQ,GAAGQ,UAAU,CAACR,QAAQ;EACpC,MAAME,QAAQ,GAAGM,UAAU,CAACE,QAAQ;EACpC,MAAMN,UAAU,GAAGI,UAAU,CAACG,YAAY,CAACC,GAAG,CAAC,aAAa,CAAC;EAC7D,MAAMT,QAAQ,GAAGK,UAAU,CAACG,YAAY,CAACC,GAAG,CAAC,WAAW,CAAC;EAEzD,MAAMC,MAAM,GAAGf,aAAa,CAACgB,SAAS,CAAC;IACrCd,QAAQ;IACRE,QAAQ;IACRE,UAAU;IACVD;EACF,CAAC,CAAC;EAEF,IAAIU,MAAM,CAACE,OAAO,EAAE;IAClB,OAAOF,MAAM,CAACG,IAAI;EACpB,CAAC,MAAM;IACL,MAAM,IAAInB,sBAAsB,CAACgB,MAAM,CAACI,KAAK,CAACC,OAAO,EAAG,GAAEV,UAAW,EAAC,CAAC;EACzE;AACF,CAAC"}

package/lib/module/credential/presentation/02-evaluate-rp-trust.js

@@ -0,0 +1,25 @@
+import { getRelyingPartyEntityConfiguration } from "../../trust";
+/**
+ * The Relying Party trust evaluation phase.
+ * Fetch the  Relying Party's configuration and verify trust.
+ *
+ * @param rpUrl The base url of the Issuer
+ * @param context.appFetch (optional) fetch api implementation. Default: built-in fetch
+ * @returns The Relying Party's configuration
+ */
+export const evaluateRelyingPartyTrust = async function (rpUrl) {
+  let {
+    appFetch = fetch
+  } = arguments.length > 1 && arguments[1] !== undefined ? arguments[1] : {};
+  const {
+    payload: {
+      metadata: rpConf
+    }
+  } = await getRelyingPartyEntityConfiguration(rpUrl, {
+    appFetch
+  });
+  return {
+    rpConf
+  };
+};
+//# sourceMappingURL=02-evaluate-rp-trust.js.map

package/lib/module/credential/presentation/02-evaluate-rp-trust.js.map

@@ -0,0 +1 @@
+{"version":3,"names":["getRelyingPartyEntityConfiguration","evaluateRelyingPartyTrust","rpUrl","appFetch","fetch","arguments","length","undefined","payload","metadata","rpConf"],"sourceRoot":"../../../../src","sources":["credential/presentation/02-evaluate-rp-trust.ts"],"mappings":"AAAA,SAASA,kCAAkC,QAAQ,aAAa;AAchE;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,MAAMC,yBAAoD,GAAG,eAAAA,CAClEC,KAAK,EAEF;EAAA,IADH;IAAEC,QAAQ,GAAGC;EAAM,CAAC,GAAAC,SAAA,CAAAC,MAAA,QAAAD,SAAA,QAAAE,SAAA,GAAAF,SAAA,MAAG,CAAC,CAAC;EAEzB,MAAM;IACJG,OAAO,EAAE;MAAEC,QAAQ,EAAEC;IAAO;EAC9B,CAAC,GAAG,MAAMV,kCAAkC,CAACE,KAAK,EAAE;IAClDC;EACF,CAAC,CAAC;EACF,OAAO;IAAEO;EAAO,CAAC;AACnB,CAAC"}

package/lib/module/credential/presentation/03-get-request-object.js

@@ -0,0 +1,60 @@
+import uuid from "react-native-uuid";
+import { decode as decodeJwt, sha256ToBase64, verify } from "@pagopa/io-react-native-jwt";
+import { createDPopToken } from "../../utils/dpop";
+import { NoSuitableKeysFoundInEntityConfiguration } from "../../utils/errors";
+import { hasStatus } from "../../utils/misc";
+import { RequestObject } from "./types";
+/**
+ * Obtain the Request Object for RP authentication
+ * @see https://italia.github.io/eudi-wallet-it-docs/versione-corrente/en/relying-party-solution.html
+ *
+ * @param requestUri The url for the Relying Party to connect with
+ * @param rpConf The Relying Party's configuration
+ * @param context.wiaCryptoContext The context to access the key associated with the Wallet Instance Attestation
+ * @param context.walletInstanceAttestation The Wallet Instance Attestation token
+ * @param context.appFetch (optional) fetch api implementation. Default: built-in fetch
+ * @returns The Request Object that describes the presentation
+ */
+export const getRequestObject = async (requestUri, rpConf, _ref) => {
+  let {
+    wiaCryptoContext,
+    appFetch = fetch,
+    walletInstanceAttestation
+  } = _ref;
+  const signedWalletInstanceDPoP = await createDPopToken({
+    jti: `${uuid.v4()}`,
+    htm: "GET",
+    htu: requestUri,
+    ath: await sha256ToBase64(walletInstanceAttestation)
+  }, wiaCryptoContext);
+  const responseEncodedJwt = await appFetch(requestUri, {
+    method: "GET",
+    headers: {
+      Authorization: `DPoP ${walletInstanceAttestation}`,
+      DPoP: signedWalletInstanceDPoP
+    }
+  }).then(hasStatus(200)).then(res => res.json()).then(responseJson => responseJson.response);
+  const responseJwt = decodeJwt(responseEncodedJwt);
+
+  // verify token signature according to RP's entity configuration
+  // to ensure the request object is authentic
+  {
+    const pubKey = rpConf.wallet_relying_party.jwks.keys.find(_ref2 => {
+      let {
+        kid
+      } = _ref2;
+      return kid === responseJwt.protectedHeader.kid;
+    });
+    if (!pubKey) {
+      throw new NoSuitableKeysFoundInEntityConfiguration("Request Object signature verification");
+    }
+    await verify(responseEncodedJwt, pubKey);
+  }
+
+  // Ensure that the request object conforms to the expected specification.
+  const requestObject = RequestObject.parse(responseJwt.payload);
+  return {
+    requestObject
+  };
+};
+//# sourceMappingURL=03-get-request-object.js.map

package/lib/module/credential/presentation/03-get-request-object.js.map

@@ -0,0 +1 @@
+{"version":3,"names":["uuid","decode","decodeJwt","sha256ToBase64","verify","createDPopToken","NoSuitableKeysFoundInEntityConfiguration","hasStatus","RequestObject","getRequestObject","requestUri","rpConf","_ref","wiaCryptoContext","appFetch","fetch","walletInstanceAttestation","signedWalletInstanceDPoP","jti","v4","htm","htu","ath","responseEncodedJwt","method","headers","Authorization","DPoP","then","res","json","responseJson","response","responseJwt","pubKey","wallet_relying_party","jwks","keys","find","_ref2","kid","protectedHeader","requestObject","parse","payload"],"sourceRoot":"../../../../src","sources":["credential/presentation/03-get-request-object.ts"],"mappings":"AAAA,OAAOA,IAAI,MAAM,mBAAmB;AACpC,SACEC,MAAM,IAAIC,SAAS,EACnBC,cAAc,EACdC,MAAM,QAED,6BAA6B;AAEpC,SAASC,eAAe,QAAQ,kBAAkB;AAClD,SAASC,wCAAwC,QAAQ,oBAAoB;AAE7E,SAASC,SAAS,QAAkB,kBAAkB;AAEtD,SAASC,aAAa,QAAQ,SAAS;AAYvC;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,MAAMC,gBAAkC,GAAG,MAAAA,CAChDC,UAAU,EACVC,MAAM,EAAAC,IAAA,KAEH;EAAA,IADH;IAAEC,gBAAgB;IAAEC,QAAQ,GAAGC,KAAK;IAAEC;EAA0B,CAAC,GAAAJ,IAAA;EAEjE,MAAMK,wBAAwB,GAAG,MAAMZ,eAAe,CACpD;IACEa,GAAG,EAAG,GAAElB,IAAI,CAACmB,EAAE,CAAC,CAAE,EAAC;IACnBC,GAAG,EAAE,KAAK;IACVC,GAAG,EAAEX,UAAU;IACfY,GAAG,EAAE,MAAMnB,cAAc,CAACa,yBAAyB;EACrD,CAAC,EACDH,gBACF,CAAC;EAED,MAAMU,kBAAkB,GAAG,MAAMT,QAAQ,CAACJ,UAAU,EAAE;IACpDc,MAAM,EAAE,KAAK;IACbC,OAAO,EAAE;MACPC,aAAa,EAAG,QAAOV,yBAA0B,EAAC;MAClDW,IAAI,EAAEV;IACR;EACF,CAAC,CAAC,CACCW,IAAI,CAACrB,SAAS,CAAC,GAAG,CAAC,CAAC,CACpBqB,IAAI,CAAEC,GAAG,IAAKA,GAAG,CAACC,IAAI,CAAC,CAAC,CAAC,CACzBF,IAAI,CAAEG,YAAY,IAAKA,YAAY,CAACC,QAAQ,CAAC;EAEhD,MAAMC,WAAW,GAAG/B,SAAS,CAACqB,kBAAkB,CAAC;;EAEjD;EACA;EACA;IACE,MAAMW,MAAM,GAAGvB,MAAM,CAACwB,oBAAoB,CAACC,IAAI,CAACC,IAAI,CAACC,IAAI,CACvDC,KAAA;MAAA,IAAC;QAAEC;MAAI,CAAC,GAAAD,KAAA;MAAA,OAAKC,GAAG,KAAKP,WAAW,CAACQ,eAAe,CAACD,GAAG;IAAA,CACtD,CAAC;IACD,IAAI,CAACN,MAAM,EAAE;MACX,MAAM,IAAI5B,wCAAwC,CAChD,uCACF,CAAC;IACH;IACA,MAAMF,MAAM,CAACmB,kBAAkB,EAAEW,MAAM,CAAC;EAC1C;;EAEA;EACA,MAAMQ,aAAa,GAAGlC,aAAa,CAACmC,KAAK,CAACV,WAAW,CAACW,OAAO,CAAC;EAE9D,OAAO;IACLF;EACF,CAAC;AACH,CAAC"}