npm - @pagopa/io-react-native-wallet - Versions diffs - 0.7.4 → 0.9.1 - Mend

@pagopa/io-react-native-wallet 0.7.4 → 0.9.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (217) hide show

package/src/credential/issuance/06-obtain-credential.ts ADDED Viewed

@@ -0,0 +1,179 @@
+import * as z from "zod";
+import uuid from "react-native-uuid";
+import { SignJWT, type CryptoContext } from "@pagopa/io-react-native-jwt";
+import { verify as verifySdJwt } from "../../sd-jwt";
+import { createDPopToken } from "../../utils/dpop";
+import type { StartFlow } from "./01-start-flow";
+import { hasStatus, type Out } from "../../utils/misc";
+import type { EvaluateIssuerTrust } from "./02-evaluate-issuer-trust";
+import type { AuthorizeAccess } from "./05-authorize-access";
+import { SdJwt4VC } from "../../sd-jwt/types";
+import { IoWalletError } from "../../utils/errors";
+import type { JWK } from "../../utils/jwk";
+/**
+ * Return the signed jwt for nonce proof of possession
+ */
+export const createNonceProof = async (
+  nonce: string,
+  issuer: string,
+  audience: string,
+  ctx: CryptoContext
+): Promise<string> => {
+  return new SignJWT(ctx)
+    .setPayload({
+      nonce,
+      jwk: await ctx.getPublicKey(),
+    })
+    .setProtectedHeader({
+      type: "openid4vci-proof+jwt",
+    })
+    .setAudience(audience)
+    .setIssuer(issuer)
+    .setIssuedAt()
+    .setExpirationTime("1h")
+    .sign();
+};
+/**
+ * Given a credential, verify it's in the supported format
+ * and the credential is correctly signed
+ * and it's bound to the given key
+ *
+ * @param rawCredential The received credential
+ * @param issuerKeys The set of public keys of the issuer,
+ * which will be used to verify the signature
+ * @param holderBindingContext The access to the holder's key
+ *
+ * @throws If the signature verification fails
+ * @throws If the credential is not in the SdJwt4VC format
+ * @throws If the holder binding is not properly configured
+ *
+ */
+async function verifyCredential(
+  rawCredential: string,
+  issuerKeys: JWK[],
+  holderBindingContext: CryptoContext
+): Promise<void> {
+  const [{ sdJwt }, holderBindingKey] =
+    // parallel for optimization
+    await Promise.all([
+      verifySdJwt(rawCredential, issuerKeys, SdJwt4VC),
+      holderBindingContext.getPublicKey(),
+    ]);
+  if (
+    !sdJwt.payload.cnf.jwk.kid ||
+    sdJwt.payload.cnf.jwk.kid !== holderBindingKey.kid
+  ) {
+    throw new IoWalletError(
+      `Failed to verify holder binding, expected kid: ${holderBindingKey.kid}, got: ${sdJwt.payload.cnf.jwk.kid}`
+    );
+  }
+}
+const CredentialEndpointResponse = z.object({
+  credential: z.string(),
+  format: z.literal("vc+sd-jwt"),
+});
+export type ObtainCredential = (
+  issuerConf: Out<EvaluateIssuerTrust>["issuerConf"],
+  accessToken: Out<AuthorizeAccess>["accessToken"],
+  nonce: Out<AuthorizeAccess>["nonce"],
+  clientId: Out<AuthorizeAccess>["clientId"],
+  credentialType: Out<StartFlow>["credentialType"],
+  context: {
+    credentialCryptoContext: CryptoContext;
+    walletProviderBaseUrl: string;
+    appFetch?: GlobalFetch["fetch"];
+  }
+) => Promise<{ credential: string; format: string }>;
+/**
+ * Fetch a credential from the issuer
+ *
+ * @param issuerConf The Issuer configuration
+ * @param accessToken The access token to grant access to the credential, obtained with the access authorization step
+ * @param nonce The nonce value to prevent reply attacks, obtained with the access authorization step
+ * @param clientId Identifies the current client across all the requests of the issuing flow
+ * @param credentialType The type of the credential to be requested
+ * @param context.credentialCryptoContext The context to access the key the Credential will be bound to
+ * @param context.walletProviderBaseUrl The base url of the Wallet Provider
+ * @param context.appFetch (optional) fetch api implementation. Default: built-in fetch
+ * @returns The signed credential token
+ */
+export const obtainCredential: ObtainCredential = async (
+  issuerConf,
+  accessToken,
+  nonce,
+  clientId,
+  credentialType,
+  context
+) => {
+  const {
+    credentialCryptoContext,
+    walletProviderBaseUrl,
+    appFetch = fetch,
+  } = context;
+  const credentialUrl = issuerConf.openid_credential_issuer.credential_endpoint;
+  /** DPoP token for demonstating the possession
+      of the key that will bind the holder User with the Credential
+      @see https://datatracker.ietf.org/doc/html/rfc9449 */
+  const signedDPopForPid = await createDPopToken(
+    {
+      htm: "POST",
+      htu: credentialUrl,
+      jti: `${uuid.v4()}`,
+    },
+    credentialCryptoContext
+  );
+  /** JWT proof token to bind the request nonce
+      to the key that will bind the holder User with the Credential
+      @see https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html#name-proof-types */
+  const signedNonceProof = await createNonceProof(
+    nonce,
+    clientId,
+    walletProviderBaseUrl,
+    credentialCryptoContext
+  );
+  /** The credential request body */
+  const formBody = new URLSearchParams({
+    credential_definition: JSON.stringify({
+      type: [credentialType],
+    }),
+    format: "vc+sd-jwt",
+    proof: JSON.stringify({
+      jwt: signedNonceProof,
+      proof_type: "jwt",
+    }),
+  });
+  const { credential, format } = await appFetch(credentialUrl, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/x-www-form-urlencoded",
+      DPoP: signedDPopForPid,
+      Authorization: accessToken,
+    },
+    body: formBody.toString(),
+  })
+    .then(hasStatus(200))
+    .then((res) => res.json())
+    .then(CredentialEndpointResponse.parse);
+  /** validate the received credential signature
+      is correct and refers to the public keys of the issuer */
+  await verifyCredential(
+    credential,
+    issuerConf.openid_credential_issuer.jwks.keys,
+    credentialCryptoContext
+  );
+  return { credential, format };
+};

package/src/credential/issuance/07-confirm-credential.ts ADDED Viewed

@@ -0,0 +1,14 @@
+import type { ObtainCredential } from "./06-obtain-credential";
+import type { Out } from "../../utils/misc";
+/**
+ * The end of the issuing flow.
+ * The User accepted the Credential and it can be stored in the device according to the app implementation preferences.
+ * To be implemented.
+ *
+ * @returns The type of the Credential to be issued and the url of the Issuer
+ */
+export type ConfirmCredential = (
+  credential: Out<ObtainCredential>["credential"],
+  format: Out<ObtainCredential>["format"]
+) => Promise<void>;

package/src/credential/issuance/const.ts ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ export const ASSERTION_TYPE =
2	+ "urn:ietf:params:oauth:client-assertion-type:jwt-client-attestation";

package/src/credential/issuance/index.ts ADDED Viewed

@@ -0,0 +1,32 @@
+import { type StartFlow } from "./01-start-flow";
+import {
+  evaluateIssuerTrust,
+  type EvaluateIssuerTrust,
+} from "./02-evaluate-issuer-trust";
+import {
+  startUserAuthorization,
+  type StartUserAuthorization,
+} from "./03-start-user-authorization";
+import { type CompleteUserAuthorization } from "./04-complete-user-authorization";
+import { authorizeAccess, type AuthorizeAccess } from "./05-authorize-access";
+import {
+  obtainCredential,
+  type ObtainCredential,
+} from "./06-obtain-credential";
+import type { ConfirmCredential } from "./07-confirm-credential";
+export {
+  evaluateIssuerTrust,
+  startUserAuthorization,
+  authorizeAccess,
+  obtainCredential,
+};
+export type {
+  StartFlow,
+  EvaluateIssuerTrust,
+  StartUserAuthorization,
+  CompleteUserAuthorization,
+  AuthorizeAccess,
+  ObtainCredential,
+  ConfirmCredential,
+};

package/src/credential/presentation/01-start-flow.ts ADDED Viewed

@@ -0,0 +1,51 @@
+import * as z from "zod";
+import { decodeBase64 } from "@pagopa/io-react-native-jwt";
+import { AuthRequestDecodeError } from "../../utils/errors";
+const QRCodePayload = z.object({
+  protocol: z.string(),
+  resource: z.string(), // TODO: refine to known paths using literals
+  clientId: z.string(),
+  requestURI: z.string(),
+});
+/**
+ * The beginning of the presentation flow.
+ * To be implemented accordind to the user touchpoint
+ *
+ * @param Optional parameters, depending on the starting touchoint
+ * @returns The url for the Relying Party to connect with
+ */
+export type StartFlow<T extends Array<unknown> = []> = (...args: T) => Promise<{
+  requestURI: string;
+  clientId: string;
+}>;
+/**
+ * Start a presentation flow by decoding an incoming QR-code
+ *
+ * @param qrcode The encoded QR-code content
+ * @returns The url for the Relying Party to connect with
+ * @throws If the provided qr code fails to be decoded
+ */
+export const startFlowFromQR: StartFlow<[string]> = async (qrcode) => {
+  const decoded = decodeBase64(qrcode);
+  const decodedUrl = new URL(decoded);
+  const protocol = decodedUrl.protocol;
+  const resource = decodedUrl.hostname;
+  const requestURI = decodedUrl.searchParams.get("request_uri");
+  const clientId = decodedUrl.searchParams.get("client_id");
+  const result = QRCodePayload.safeParse({
+    protocol,
+    resource,
+    requestURI,
+    clientId,
+  });
+  if (result.success) {
+    return result.data;
+  } else {
+    throw new AuthRequestDecodeError(result.error.message, `${decodedUrl}`);
+  }
+};

package/src/credential/presentation/02-evaluate-rp-trust.ts ADDED Viewed

@@ -0,0 +1,33 @@
+import { getRelyingPartyEntityConfiguration } from "../../trust";
+import { RelyingPartyEntityConfiguration } from "../../trust/types";
+import type { StartFlow } from "../issuance/01-start-flow";
+import type { Out } from "../../utils/misc";
+export type EvaluateRelyingPartyTrust = (
+  rpUrl: Out<StartFlow>["issuerUrl"],
+  context?: {
+    appFetch?: GlobalFetch["fetch"];
+  }
+) => Promise<{
+  rpConf: RelyingPartyEntityConfiguration["payload"]["metadata"];
+}>;
+/**
+ * The Relying Party trust evaluation phase.
+ * Fetch the  Relying Party's configuration and verify trust.
+ *
+ * @param rpUrl The base url of the Issuer
+ * @param context.appFetch (optional) fetch api implementation. Default: built-in fetch
+ * @returns The Relying Party's configuration
+ */
+export const evaluateRelyingPartyTrust: EvaluateRelyingPartyTrust = async (
+  rpUrl,
+  { appFetch = fetch } = {}
+) => {
+  const {
+    payload: { metadata: rpConf },
+  } = await getRelyingPartyEntityConfiguration(rpUrl, {
+    appFetch,
+  });
+  return { rpConf };
+};

package/src/credential/presentation/03-get-request-object.ts ADDED Viewed

@@ -0,0 +1,85 @@
+import uuid from "react-native-uuid";
+import {
+  decode as decodeJwt,
+  sha256ToBase64,
+  verify,
+  type CryptoContext,
+} from "@pagopa/io-react-native-jwt";
+import { createDPopToken } from "../../utils/dpop";
+import { NoSuitableKeysFoundInEntityConfiguration } from "../../utils/errors";
+import type { EvaluateRelyingPartyTrust } from "./02-evaluate-rp-trust";
+import { hasStatus, type Out } from "../../utils/misc";
+import type { StartFlow } from "./01-start-flow";
+import { RequestObject } from "./types";
+export type GetRequestObject = (
+  requestUri: Out<StartFlow>["requestURI"],
+  rpConf: Out<EvaluateRelyingPartyTrust>["rpConf"],
+  context: {
+    wiaCryptoContext: CryptoContext;
+    appFetch?: GlobalFetch["fetch"];
+    walletInstanceAttestation: string;
+  }
+) => Promise<{ requestObject: RequestObject }>;
+/**
+ * Obtain the Request Object for RP authentication
+ * @see https://italia.github.io/eudi-wallet-it-docs/versione-corrente/en/relying-party-solution.html
+ *
+ * @param requestUri The url for the Relying Party to connect with
+ * @param rpConf The Relying Party's configuration
+ * @param context.wiaCryptoContext The context to access the key associated with the Wallet Instance Attestation
+ * @param context.walletInstanceAttestation The Wallet Instance Attestation token
+ * @param context.appFetch (optional) fetch api implementation. Default: built-in fetch
+ * @returns The Request Object that describes the presentation
+ */
+export const getRequestObject: GetRequestObject = async (
+  requestUri,
+  rpConf,
+  { wiaCryptoContext, appFetch = fetch, walletInstanceAttestation }
+) => {
+  const signedWalletInstanceDPoP = await createDPopToken(
+    {
+      jti: `${uuid.v4()}`,
+      htm: "GET",
+      htu: requestUri,
+      ath: await sha256ToBase64(walletInstanceAttestation),
+    },
+    wiaCryptoContext
+  );
+  const responseEncodedJwt = await appFetch(requestUri, {
+    method: "GET",
+    headers: {
+      Authorization: `DPoP ${walletInstanceAttestation}`,
+      DPoP: signedWalletInstanceDPoP,
+    },
+  })
+    .then(hasStatus(200))
+    .then((res) => res.json())
+    .then((responseJson) => responseJson.response);
+  const responseJwt = decodeJwt(responseEncodedJwt);
+  // verify token signature according to RP's entity configuration
+  // to ensure the request object is authentic
+  {
+    const pubKey = rpConf.wallet_relying_party.jwks.keys.find(
+      ({ kid }) => kid === responseJwt.protectedHeader.kid
+    );
+    if (!pubKey) {
+      throw new NoSuitableKeysFoundInEntityConfiguration(
+        "Request Object signature verification"
+      );
+    }
+    await verify(responseEncodedJwt, pubKey);
+  }
+  // Ensure that the request object conforms to the expected specification.
+  const requestObject = RequestObject.parse(responseJwt.payload);
+  return {
+    requestObject,
+  };
+};

package/src/credential/presentation/04-send-authorization-response.ts ADDED Viewed

@@ -0,0 +1,168 @@
+import { EncryptJwe, SignJWT } from "@pagopa/io-react-native-jwt";
+import uuid from "react-native-uuid";
+import * as WalletInstanceAttestation from "../../wallet-instance-attestation";
+import type { JWK } from "@pagopa/io-react-native-jwt/lib/typescript/types";
+import { NoSuitableKeysFoundInEntityConfiguration } from "../../utils/errors";
+import { hasStatus, type Out } from "../../utils/misc";
+import type { GetRequestObject } from "./03-get-request-object";
+import { disclose } from "../../sd-jwt";
+import type { EvaluateRelyingPartyTrust } from "./02-evaluate-rp-trust";
+import { type Presentation } from "./types";
+import * as z from "zod";
+export type AuthorizationResponse = z.infer<typeof AuthorizationResponse>;
+export const AuthorizationResponse = z.object({
+  status: z.string(),
+  response_code: z
+    .string() /**
+      FIXME: [SIW-627] we expect this value from every RP implementation
+      Actually some RP does not return the value
+      We make it optional to not break the flow.
+    */
+    .optional(),
+});
+/**
+ * Choose an RSA public key from those offered by the RP for encryption.
+ *
+ * @param entity The RP entity configuration
+ * @returns A suitable public key with its compatible encryption algorithm
+ * @throws {NoSuitableKeysFoundInEntityConfiguration} If entity do not contain any public key suitable for encrypting
+ */
+const chooseRSAPublicKeyToEncrypt = (
+  entity: Out<EvaluateRelyingPartyTrust>["rpConf"]
+): JWK => {
+  const [usingRsa256] = entity.wallet_relying_party.jwks.keys.filter(
+    (jwk) => jwk.use === "enc" && jwk.kty === "RSA"
+  );
+  if (usingRsa256) {
+    return usingRsa256;
+  }
+  // No suitable key has been found
+  throw new NoSuitableKeysFoundInEntityConfiguration(
+    "Encrypt with RP public key"
+  );
+};
+/**
+ * Generate a Verified Presentation token for a received request object within the context of an authorization request flow.
+ * The presentation is created by revealing data from the provided credentials based on the requested claims.
+ * Each Verified Credential is accompanied by the claims that the user consents to disclose from it.
+ *
+ * @todo: Allow for handling more than one Verified Credential.
+ */
+const prepareVpToken = async (
+  requestObject: Out<GetRequestObject>["requestObject"],
+  walletInstanceAttestation: string,
+  [vc, claims, cryptoCtx]: Presentation // TODO: [SIW-353] support multiple presentations,
+): Promise<{
+  vp_token: string;
+  presentation_submission: Record<string, unknown>;
+}> => {
+  // this throws if vc cannot satisfy all the requested claims
+  const { token: vp, paths } = await disclose(vc, claims);
+  // obtain issuer from Wallet Instance
+  const {
+    payload: { iss },
+  } = WalletInstanceAttestation.decode(walletInstanceAttestation);
+  const pidKid = await cryptoCtx.getPublicKey().then((_) => _.kid);
+  // TODO: [SIW-359] check all requeste claims of the requestedObj are satisfied
+  const vp_token = await new SignJWT(cryptoCtx)
+    .setProtectedHeader({
+      typ: "JWT",
+      kid: pidKid,
+    })
+    .setPayload({
+      vp: vp,
+      jti: `${uuid.v4()}`,
+      iss,
+      nonce: requestObject.nonce,
+    })
+    .setAudience(requestObject.response_uri)
+    .setIssuedAt()
+    .setExpirationTime("1h")
+    .sign();
+  const vc_scope = requestObject.scope;
+  const presentation_submission = {
+    definition_id: `${uuid.v4()}`,
+    id: `${uuid.v4()}`,
+    descriptor_map: paths.map((p) => ({
+      id: vc_scope,
+      path: `$.vp_token.${p.path}`,
+      format: "vc+sd-jwt",
+    })),
+  };
+  return { vp_token, presentation_submission };
+};
+export type SendAuthorizationResponse = (
+  requestObject: Out<GetRequestObject>["requestObject"],
+  rpConf: Out<EvaluateRelyingPartyTrust>["rpConf"],
+  presentation: Presentation, // TODO: [SIW-353] support multiple presentations
+  context: {
+    walletInstanceAttestation: string;
+    appFetch?: GlobalFetch["fetch"];
+  }
+) => Promise<AuthorizationResponse>;
+/**
+ * Complete the presentation flow by sending the authorization response to the Relying Party
+ *
+ * @param requestObject The Request Object that describes the presentation
+ * @param rpConf The Relying Party's configuration
+ * @param presentation The presentation tuple consisting in the signed credential,
+ * the list of claims to be disclosed, and the context to access the key that proves the holder binding
+ * @param context.walletInstanceAttestation The Wallet Instance Attestation token
+ * @param context.appFetch (optional) fetch api implementation. Default: built-in fetch
+ * @returns The result of the presentation flow
+ */
+export const sendAuthorizationResponse: SendAuthorizationResponse = async (
+  requestObject,
+  rpConf,
+  presentation,
+  { appFetch = fetch, walletInstanceAttestation }
+): Promise<AuthorizationResponse> => {
+  // the request is an unsigned jws without iss, aud, exp
+  // https://openid.net/specs/openid-4-verifiable-presentations-1_0.html#name-signed-and-encrypted-respon
+  const rsaPublicJwk = chooseRSAPublicKeyToEncrypt(rpConf);
+  const { vp_token, presentation_submission } = await prepareVpToken(
+    requestObject,
+    walletInstanceAttestation,
+    presentation
+  );
+  const authzResponsePayload = JSON.stringify({
+    state: requestObject.state,
+    presentation_submission,
+    nonce: requestObject.nonce,
+    vp_token,
+  });
+  const encrypted = await new EncryptJwe(authzResponsePayload, {
+    alg: "RSA-OAEP-256",
+    enc: "A256CBC-HS512",
+    kid: rsaPublicJwk.kid,
+  }).encrypt(rsaPublicJwk);
+  const formBody = new URLSearchParams({ response: encrypted });
+  const body = formBody.toString();
+  return appFetch(requestObject.response_uri, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/x-www-form-urlencoded",
+    },
+    body,
+  })
+    .then(hasStatus(200))
+    .then((res) => res.json())
+    .then(AuthorizationResponse.parse);
+};

package/src/credential/presentation/index.ts ADDED Viewed

@@ -0,0 +1,26 @@
+import { startFlowFromQR, type StartFlow } from "./01-start-flow";
+import {
+  evaluateRelyingPartyTrust,
+  type EvaluateRelyingPartyTrust,
+} from "./02-evaluate-rp-trust";
+import {
+  getRequestObject,
+  type GetRequestObject,
+} from "./03-get-request-object";
+import {
+  sendAuthorizationResponse,
+  type SendAuthorizationResponse,
+} from "./04-send-authorization-response";
+export {
+  startFlowFromQR,
+  evaluateRelyingPartyTrust,
+  getRequestObject,
+  sendAuthorizationResponse,
+};
+export type {
+  StartFlow,
+  EvaluateRelyingPartyTrust,
+  GetRequestObject,
+  SendAuthorizationResponse,
+};

package/src/credential/presentation/types.ts ADDED Viewed

@@ -0,0 +1,27 @@
+import type { CryptoContext } from "@pagopa/io-react-native-jwt";
+import { UnixTime } from "../../sd-jwt/types";
+import * as z from "zod";
+/**
+ * A pair that associate a tokenized Verified Credential with the claims presented or requested to present.
+ */
+export type Presentation = [
+  /* verified credential token */ string,
+  /* claims */ string[],
+  /* the context for the key associated to the credential */ CryptoContext
+];
+export type RequestObject = z.infer<typeof RequestObject>;
+export const RequestObject = z.object({
+  iss: z.string(),
+  iat: UnixTime,
+  exp: UnixTime,
+  state: z.string(),
+  nonce: z.string(),
+  response_uri: z.string(),
+  response_type: z.literal("vp_token"),
+  response_mode: z.literal("direct_post.jwt"),
+  client_id: z.string(),
+  client_id_scheme: z.literal("entity_id"),
+  scope: z.string(),
+});

package/src/index.ts CHANGED Viewed

@@ -2,42 +2,21 @@
 // https://github.com/facebook/react-native/issues/24428
 import "react-native-url-polyfill/auto";
+import * as Credential from "./credential";
 import * as PID from "./pid";
-import * as RP from "./rp";
 import * as Errors from "./utils/errors";
 import * as WalletInstanceAttestation from "./wallet-instance-attestation";
-import * as RelyingPartySolution from "./rp";
-import {
-  verifyTrustChain,
-  getEntityConfiguration,
-  getCredentialIssuerEntityConfiguration,
-  getRelyingPartyEntityConfiguration,
-  getTrustAnchorEntityConfiguration,
-  getWalletProviderEntityConfiguration,
-} from "./trust";
-import {
-  RelyingPartyEntityConfiguration,
-  WalletProviderEntityConfiguration,
-  TrustAnchorEntityConfiguration,
-  CredentialIssuerEntityConfiguration,
-} from "./trust/types";
+import * as Trust from "./trust";
+import { AuthorizationDetail, AuthorizationDetails } from "./utils/par";
 import { createCryptoContextFor } from "./utils/crypto";
 export {
   PID,
-  RP,
+  Credential,
   WalletInstanceAttestation,
   Errors,
-  RelyingPartySolution,
-  verifyTrustChain,
-  getEntityConfiguration,
-  getCredentialIssuerEntityConfiguration,
-  getRelyingPartyEntityConfiguration,
-  getTrustAnchorEntityConfiguration,
-  getWalletProviderEntityConfiguration,
+  Trust,
   createCryptoContextFor,
-  RelyingPartyEntityConfiguration,
-  WalletProviderEntityConfiguration,
-  TrustAnchorEntityConfiguration,
-  CredentialIssuerEntityConfiguration,
+  AuthorizationDetail,
+  AuthorizationDetails,
 };

package/src/pid/index.ts CHANGED Viewed

@@ -1,3 +1,2 @@
 import * as SdJwt from "./sd-jwt";
-import * as Issuing from "./issuing";
-export { SdJwt, Issuing };
+export { SdJwt };