npm - @pagopa/io-react-native-wallet - Versions diffs - 0.7.4 → 0.9.1 - Mend

@pagopa/io-react-native-wallet 0.7.4 → 0.9.1

Files changed (217) hide show

package/src/credential/issuance/06-obtain-credential.ts ADDED Viewed

@@ -0,0 +1,179 @@
+import * as z from "zod";
+import uuid from "react-native-uuid";
+import { SignJWT, type CryptoContext } from "@pagopa/io-react-native-jwt";
+import { verify as verifySdJwt } from "../../sd-jwt";
+import { createDPopToken } from "../../utils/dpop";
+import type { StartFlow } from "./01-start-flow";
+import { hasStatus, type Out } from "../../utils/misc";
+import type { EvaluateIssuerTrust } from "./02-evaluate-issuer-trust";
+import type { AuthorizeAccess } from "./05-authorize-access";
+import { SdJwt4VC } from "../../sd-jwt/types";
+import { IoWalletError } from "../../utils/errors";
+import type { JWK } from "../../utils/jwk";
+/**
+ * Return the signed jwt for nonce proof of possession
+ */
+export const createNonceProof = async (
+  nonce: string,
+  issuer: string,
+  audience: string,
+  ctx: CryptoContext
+): Promise<string> => {
+  return new SignJWT(ctx)
+    .setPayload({
+      nonce,
+      jwk: await ctx.getPublicKey(),
+    })
+    .setProtectedHeader({
+      type: "openid4vci-proof+jwt",
+    })
+    .setAudience(audience)
+    .setIssuer(issuer)
+    .setIssuedAt()
+    .setExpirationTime("1h")
+    .sign();
+};
+/**
+ * Given a credential, verify it's in the supported format
+ * and the credential is correctly signed
+ * and it's bound to the given key
+ *
+ * @param rawCredential The received credential
+ * @param issuerKeys The set of public keys of the issuer,
+ * which will be used to verify the signature
+ * @param holderBindingContext The access to the holder's key
+ *
+ * @throws If the signature verification fails
+ * @throws If the credential is not in the SdJwt4VC format
+ * @throws If the holder binding is not properly configured
+ *
+ */
+async function verifyCredential(
+  rawCredential: string,
+  issuerKeys: JWK[],
+  holderBindingContext: CryptoContext
+): Promise<void> {
+  const [{ sdJwt }, holderBindingKey] =
+    // parallel for optimization
+    await Promise.all([
+      verifySdJwt(rawCredential, issuerKeys, SdJwt4VC),
+      holderBindingContext.getPublicKey(),
+    ]);
+  if (
+    !sdJwt.payload.cnf.jwk.kid ||
+    sdJwt.payload.cnf.jwk.kid !== holderBindingKey.kid
+  ) {
+    throw new IoWalletError(
+      `Failed to verify holder binding, expected kid: ${holderBindingKey.kid}, got: ${sdJwt.payload.cnf.jwk.kid}`
+    );
+  }
+}
+const CredentialEndpointResponse = z.object({
+  credential: z.string(),
+  format: z.literal("vc+sd-jwt"),
+});
+export type ObtainCredential = (
+  issuerConf: Out<EvaluateIssuerTrust>["issuerConf"],
+  accessToken: Out<AuthorizeAccess>["accessToken"],
+  nonce: Out<AuthorizeAccess>["nonce"],
+  clientId: Out<AuthorizeAccess>["clientId"],
+  credentialType: Out<StartFlow>["credentialType"],
+  context: {
+    credentialCryptoContext: CryptoContext;
+    walletProviderBaseUrl: string;
+    appFetch?: GlobalFetch["fetch"];
+  }
+) => Promise<{ credential: string; format: string }>;
+/**
+ * Fetch a credential from the issuer
+ *
+ * @param issuerConf The Issuer configuration
+ * @param accessToken The access token to grant access to the credential, obtained with the access authorization step
+ * @param nonce The nonce value to prevent reply attacks, obtained with the access authorization step
+ * @param clientId Identifies the current client across all the requests of the issuing flow
+ * @param credentialType The type of the credential to be requested
+ * @param context.credentialCryptoContext The context to access the key the Credential will be bound to
+ * @param context.walletProviderBaseUrl The base url of the Wallet Provider
+ * @param context.appFetch (optional) fetch api implementation. Default: built-in fetch
+ * @returns The signed credential token
+ */
+export const obtainCredential: ObtainCredential = async (
+  issuerConf,
+  accessToken,
+  nonce,
+  clientId,
+  credentialType,
+  context
+) => {
+  const {
+    credentialCryptoContext,
+    walletProviderBaseUrl,
+    appFetch = fetch,
+  } = context;
+  const credentialUrl = issuerConf.openid_credential_issuer.credential_endpoint;
+  /** DPoP token for demonstating the possession
+      of the key that will bind the holder User with the Credential
+      @see https://datatracker.ietf.org/doc/html/rfc9449 */
+  const signedDPopForPid = await createDPopToken(
+    {
+      htm: "POST",
+      htu: credentialUrl,
+      jti: `${uuid.v4()}`,
+    },
+    credentialCryptoContext
+  );
+  /** JWT proof token to bind the request nonce
+      to the key that will bind the holder User with the Credential
+      @see https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html#name-proof-types */
+  const signedNonceProof = await createNonceProof(
+    nonce,
+    clientId,
+    walletProviderBaseUrl,
+    credentialCryptoContext
+  );
+  /** The credential request body */
+  const formBody = new URLSearchParams({
+    credential_definition: JSON.stringify({
+      type: [credentialType],
+    }),
+    format: "vc+sd-jwt",
+    proof: JSON.stringify({
+      jwt: signedNonceProof,
+      proof_type: "jwt",
+    }),
+  });
+  const { credential, format } = await appFetch(credentialUrl, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/x-www-form-urlencoded",
+      DPoP: signedDPopForPid,
+      Authorization: accessToken,
+    },
+    body: formBody.toString(),
+  })
+    .then(hasStatus(200))
+    .then((res) => res.json())
+    .then(CredentialEndpointResponse.parse);
+  /** validate the received credential signature
+      is correct and refers to the public keys of the issuer */
+  await verifyCredential(
+    credential,
+    issuerConf.openid_credential_issuer.jwks.keys,
+    credentialCryptoContext
+  );
+  return { credential, format };
+};

package/src/credential/issuance/07-confirm-credential.ts ADDED Viewed

@@ -0,0 +1,14 @@
+import type { ObtainCredential } from "./06-obtain-credential";
+import type { Out } from "../../utils/misc";
+/**
+ * The end of the issuing flow.
+ * The User accepted the Credential and it can be stored in the device according to the app implementation preferences.
+ * To be implemented.
+ *
+ * @returns The type of the Credential to be issued and the url of the Issuer
+ */
+export type ConfirmCredential = (
+  credential: Out<ObtainCredential>["credential"],
+  format: Out<ObtainCredential>["format"]
+) => Promise<void>;

package/src/credential/issuance/const.ts ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ export const ASSERTION_TYPE =
2	+ "urn:ietf:params:oauth:client-assertion-type:jwt-client-attestation";

package/src/credential/issuance/index.ts ADDED Viewed

@@ -0,0 +1,32 @@
+import { type StartFlow } from "./01-start-flow";
+import {
+  evaluateIssuerTrust,
+  type EvaluateIssuerTrust,
+} from "./02-evaluate-issuer-trust";
+import {
+  startUserAuthorization,
+  type StartUserAuthorization,
+} from "./03-start-user-authorization";
+import { type CompleteUserAuthorization } from "./04-complete-user-authorization";
+import { authorizeAccess, type AuthorizeAccess } from "./05-authorize-access";
+import {
+  obtainCredential,
+  type ObtainCredential,
+} from "./06-obtain-credential";
+import type { ConfirmCredential } from "./07-confirm-credential";
+export {
+  evaluateIssuerTrust,
+  startUserAuthorization,
+  authorizeAccess,
+  obtainCredential,
+};
+export type {
+  StartFlow,
+  EvaluateIssuerTrust,
+  StartUserAuthorization,
+  CompleteUserAuthorization,
+  AuthorizeAccess,
+  ObtainCredential,
+  ConfirmCredential,
+};

package/src/credential/presentation/01-start-flow.ts ADDED Viewed

@@ -0,0 +1,51 @@
+import * as z from "zod";
+import { decodeBase64 } from "@pagopa/io-react-native-jwt";
+import { AuthRequestDecodeError } from "../../utils/errors";
+const QRCodePayload = z.object({
+  protocol: z.string(),
+  resource: z.string(), // TODO: refine to known paths using literals
+  clientId: z.string(),
+  requestURI: z.string(),
+});
+/**
+ * The beginning of the presentation flow.
+ * To be implemented accordind to the user touchpoint
+ *
+ * @param Optional parameters, depending on the starting touchoint
+ * @returns The url for the Relying Party to connect with
+ */
+export type StartFlow<T extends Array<unknown> = []> = (...args: T) => Promise<{
+  requestURI: string;
+  clientId: string;
+}>;
+/**
+ * Start a presentation flow by decoding an incoming QR-code
+ *
+ * @param qrcode The encoded QR-code content
+ * @returns The url for the Relying Party to connect with
+ * @throws If the provided qr code fails to be decoded
+ */
+export const startFlowFromQR: StartFlow<[string]> = async (qrcode) => {
+  const decoded = decodeBase64(qrcode);
+  const decodedUrl = new URL(decoded);
+  const protocol = decodedUrl.protocol;
+  const resource = decodedUrl.hostname;
+  const requestURI = decodedUrl.searchParams.get("request_uri");
+  const clientId = decodedUrl.searchParams.get("client_id");
+  const result = QRCodePayload.safeParse({
+    protocol,
+    resource,
+    requestURI,
+    clientId,
+  });
+  if (result.success) {
+    return result.data;
+  } else {
+    throw new AuthRequestDecodeError(result.error.message, `${decodedUrl}`);
+  }
+};

package/src/credential/presentation/02-evaluate-rp-trust.ts ADDED Viewed

@@ -0,0 +1,33 @@
+import { getRelyingPartyEntityConfiguration } from "../../trust";
+import { RelyingPartyEntityConfiguration } from "../../trust/types";
+import type { StartFlow } from "../issuance/01-start-flow";
+import type { Out } from "../../utils/misc";
+export type EvaluateRelyingPartyTrust = (
+  rpUrl: Out<StartFlow>["issuerUrl"],
+  context?: {
+    appFetch?: GlobalFetch["fetch"];
+  }
+) => Promise<{
+  rpConf: RelyingPartyEntityConfiguration["payload"]["metadata"];
+}>;
+/**
+ * The Relying Party trust evaluation phase.
+ * Fetch the  Relying Party's configuration and verify trust.
+ *
+ * @param rpUrl The base url of the Issuer
+ * @param context.appFetch (optional) fetch api implementation. Default: built-in fetch
+ * @returns The Relying Party's configuration
+ */
+export const evaluateRelyingPartyTrust: EvaluateRelyingPartyTrust = async (
+  rpUrl,
+  { appFetch = fetch } = {}
+) => {
+  const {
+    payload: { metadata: rpConf },
+  } = await getRelyingPartyEntityConfiguration(rpUrl, {
+    appFetch,
+  });
+  return { rpConf };
+};

package/src/credential/presentation/03-get-request-object.ts ADDED Viewed

@@ -0,0 +1,85 @@
+import uuid from "react-native-uuid";
+import {
+  decode as decodeJwt,
+  sha256ToBase64,
+  verify,
+  type CryptoContext,
+} from "@pagopa/io-react-native-jwt";
+import { createDPopToken } from "../../utils/dpop";
+import { NoSuitableKeysFoundInEntityConfiguration } from "../../utils/errors";
+import type { EvaluateRelyingPartyTrust } from "./02-evaluate-rp-trust";
+import { hasStatus, type Out } from "../../utils/misc";
+import type { StartFlow } from "./01-start-flow";
+import { RequestObject } from "./types";
+export type GetRequestObject = (
+  requestUri: Out<StartFlow>["requestURI"],
+  rpConf: Out<EvaluateRelyingPartyTrust>["rpConf"],
+  context: {
+    wiaCryptoContext: CryptoContext;
+    appFetch?: GlobalFetch["fetch"];
+    walletInstanceAttestation: string;
+  }
+) => Promise<{ requestObject: RequestObject }>;
+/**
+ * Obtain the Request Object for RP authentication
+ * @see https://italia.github.io/eudi-wallet-it-docs/versione-corrente/en/relying-party-solution.html
+ *
+ * @param requestUri The url for the Relying Party to connect with
+ * @param rpConf The Relying Party's configuration
+ * @param context.wiaCryptoContext The context to access the key associated with the Wallet Instance Attestation
+ * @param context.walletInstanceAttestation The Wallet Instance Attestation token
+ * @param context.appFetch (optional) fetch api implementation. Default: built-in fetch
+ * @returns The Request Object that describes the presentation
+ */
+export const getRequestObject: GetRequestObject = async (
+  requestUri,
+  rpConf,
+  { wiaCryptoContext, appFetch = fetch, walletInstanceAttestation }
+) => {
+  const signedWalletInstanceDPoP = await createDPopToken(
+    {
+      jti: `${uuid.v4()}`,
+      htm: "GET",
+      htu: requestUri,
+      ath: await sha256ToBase64(walletInstanceAttestation),
+    },
+    wiaCryptoContext
+  );
+  const responseEncodedJwt = await appFetch(requestUri, {
+    method: "GET",
+    headers: {
+      Authorization: `DPoP ${walletInstanceAttestation}`,
+      DPoP: signedWalletInstanceDPoP,
+    },
+  })
+    .then(hasStatus(200))
+    .then((res) => res.json())
+    .then((responseJson) => responseJson.response);
+  const responseJwt = decodeJwt(responseEncodedJwt);
+  // verify token signature according to RP's entity configuration
+  // to ensure the request object is authentic
+  {
+    const pubKey = rpConf.wallet_relying_party.jwks.keys.find(
+      ({ kid }) => kid === responseJwt.protectedHeader.kid
+    );
+    if (!pubKey) {
+      throw new NoSuitableKeysFoundInEntityConfiguration(
+        "Request Object signature verification"
+      );
+    }
+    await verify(responseEncodedJwt, pubKey);
+  }
+  // Ensure that the request object conforms to the expected specification.
+  const requestObject = RequestObject.parse(responseJwt.payload);
+  return {
+    requestObject,
+  };
+};

package/src/credential/presentation/04-send-authorization-response.ts ADDED Viewed

@@ -0,0 +1,168 @@
+import { EncryptJwe, SignJWT } from "@pagopa/io-react-native-jwt";
+import uuid from "react-native-uuid";
+import * as WalletInstanceAttestation from "../../wallet-instance-attestation";
+import type { JWK } from "@pagopa/io-react-native-jwt/lib/typescript/types";
+import { NoSuitableKeysFoundInEntityConfiguration } from "../../utils/errors";
+import { hasStatus, type Out } from "../../utils/misc";
+import type { GetRequestObject } from "./03-get-request-object";
+import { disclose } from "../../sd-jwt";
+import type { EvaluateRelyingPartyTrust } from "./02-evaluate-rp-trust";
+import { type Presentation } from "./types";
+import * as z from "zod";
+export type AuthorizationResponse = z.infer<typeof AuthorizationResponse>;
+export const AuthorizationResponse = z.object({
+  status: z.string(),
+  response_code: z
+    .string() /**
+      FIXME: [SIW-627] we expect this value from every RP implementation
+      Actually some RP does not return the value
+      We make it optional to not break the flow.
+    */
+    .optional(),
+});
+/**
+ * Choose an RSA public key from those offered by the RP for encryption.
+ *
+ * @param entity The RP entity configuration
+ * @returns A suitable public key with its compatible encryption algorithm
+ * @throws {NoSuitableKeysFoundInEntityConfiguration} If entity do not contain any public key suitable for encrypting
+ */
+const chooseRSAPublicKeyToEncrypt = (
+  entity: Out<EvaluateRelyingPartyTrust>["rpConf"]
+): JWK => {
+  const [usingRsa256] = entity.wallet_relying_party.jwks.keys.filter(
+    (jwk) => jwk.use === "enc" && jwk.kty === "RSA"
+  );
+  if (usingRsa256) {
+    return usingRsa256;
+  }
+  // No suitable key has been found
+  throw new NoSuitableKeysFoundInEntityConfiguration(
+    "Encrypt with RP public key"
+  );
+};
+/**
+ * Generate a Verified Presentation token for a received request object within the context of an authorization request flow.
+ * The presentation is created by revealing data from the provided credentials based on the requested claims.
+ * Each Verified Credential is accompanied by the claims that the user consents to disclose from it.
+ *
+ * @todo: Allow for handling more than one Verified Credential.
+ */
+const prepareVpToken = async (
+  requestObject: Out<GetRequestObject>["requestObject"],
+  walletInstanceAttestation: string,
+  [vc, claims, cryptoCtx]: Presentation // TODO: [SIW-353] support multiple presentations,
+): Promise<{
+  vp_token: string;
+  presentation_submission: Record<string, unknown>;
+}> => {
+  // this throws if vc cannot satisfy all the requested claims
+  const { token: vp, paths } = await disclose(vc, claims);
+  // obtain issuer from Wallet Instance
+  const {
+    payload: { iss },
+  } = WalletInstanceAttestation.decode(walletInstanceAttestation);
+  const pidKid = await cryptoCtx.getPublicKey().then((_) => _.kid);
+  // TODO: [SIW-359] check all requeste claims of the requestedObj are satisfied
+  const vp_token = await new SignJWT(cryptoCtx)
+    .setProtectedHeader({
+      typ: "JWT",
+      kid: pidKid,
+    })
+    .setPayload({
+      vp: vp,
+      jti: `${uuid.v4()}`,
+      iss,
+      nonce: requestObject.nonce,
+    })
+    .setAudience(requestObject.response_uri)
+    .setIssuedAt()
+    .setExpirationTime("1h")
+    .sign();
+  const vc_scope = requestObject.scope;
+  const presentation_submission = {
+    definition_id: `${uuid.v4()}`,
+    id: `${uuid.v4()}`,
+    descriptor_map: paths.map((p) => ({
+      id: vc_scope,
+      path: `$.vp_token.${p.path}`,
+      format: "vc+sd-jwt",
+    })),
+  };
+  return { vp_token, presentation_submission };
+};
+export type SendAuthorizationResponse = (
+  requestObject: Out<GetRequestObject>["requestObject"],
+  rpConf: Out<EvaluateRelyingPartyTrust>["rpConf"],
+  presentation: Presentation, // TODO: [SIW-353] support multiple presentations
+  context: {
+    walletInstanceAttestation: string;
+    appFetch?: GlobalFetch["fetch"];
+  }
+) => Promise<AuthorizationResponse>;
+/**
+ * Complete the presentation flow by sending the authorization response to the Relying Party
+ *
+ * @param requestObject The Request Object that describes the presentation
+ * @param rpConf The Relying Party's configuration
+ * @param presentation The presentation tuple consisting in the signed credential,
+ * the list of claims to be disclosed, and the context to access the key that proves the holder binding
+ * @param context.walletInstanceAttestation The Wallet Instance Attestation token
+ * @param context.appFetch (optional) fetch api implementation. Default: built-in fetch
+ * @returns The result of the presentation flow
+ */
+export const sendAuthorizationResponse: SendAuthorizationResponse = async (
+  requestObject,
+  rpConf,
+  presentation,
+  { appFetch = fetch, walletInstanceAttestation }
+): Promise<AuthorizationResponse> => {
+  // the request is an unsigned jws without iss, aud, exp
+  // https://openid.net/specs/openid-4-verifiable-presentations-1_0.html#name-signed-and-encrypted-respon
+  const rsaPublicJwk = chooseRSAPublicKeyToEncrypt(rpConf);
+  const { vp_token, presentation_submission } = await prepareVpToken(
+    requestObject,
+    walletInstanceAttestation,
+    presentation
+  );
+  const authzResponsePayload = JSON.stringify({
+    state: requestObject.state,
+    presentation_submission,
+    nonce: requestObject.nonce,
+    vp_token,
+  });
+  const encrypted = await new EncryptJwe(authzResponsePayload, {
+    alg: "RSA-OAEP-256",
+    enc: "A256CBC-HS512",
+    kid: rsaPublicJwk.kid,
+  }).encrypt(rsaPublicJwk);
+  const formBody = new URLSearchParams({ response: encrypted });
+  const body = formBody.toString();
+  return appFetch(requestObject.response_uri, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/x-www-form-urlencoded",
+    },
+    body,
+  })
+    .then(hasStatus(200))
+    .then((res) => res.json())
+    .then(AuthorizationResponse.parse);
+};

package/src/credential/presentation/index.ts ADDED Viewed

@@ -0,0 +1,26 @@
+import { startFlowFromQR, type StartFlow } from "./01-start-flow";
+import {
+  evaluateRelyingPartyTrust,
+  type EvaluateRelyingPartyTrust,
+} from "./02-evaluate-rp-trust";
+import {
+  getRequestObject,
+  type GetRequestObject,
+} from "./03-get-request-object";
+import {
+  sendAuthorizationResponse,
+  type SendAuthorizationResponse,
+} from "./04-send-authorization-response";
+export {
+  startFlowFromQR,
+  evaluateRelyingPartyTrust,
+  getRequestObject,
+  sendAuthorizationResponse,
+};
+export type {
+  StartFlow,
+  EvaluateRelyingPartyTrust,
+  GetRequestObject,
+  SendAuthorizationResponse,
+};

package/src/credential/presentation/types.ts ADDED Viewed

@@ -0,0 +1,27 @@
+import type { CryptoContext } from "@pagopa/io-react-native-jwt";
+import { UnixTime } from "../../sd-jwt/types";
+import * as z from "zod";
+/**
+ * A pair that associate a tokenized Verified Credential with the claims presented or requested to present.
+ */
+export type Presentation = [
+  /* verified credential token */ string,
+  /* claims */ string[],
+  /* the context for the key associated to the credential */ CryptoContext
+];
+export type RequestObject = z.infer<typeof RequestObject>;
+export const RequestObject = z.object({
+  iss: z.string(),
+  iat: UnixTime,
+  exp: UnixTime,
+  state: z.string(),
+  nonce: z.string(),
+  response_uri: z.string(),
+  response_type: z.literal("vp_token"),
+  response_mode: z.literal("direct_post.jwt"),
+  client_id: z.string(),
+  client_id_scheme: z.literal("entity_id"),
+  scope: z.string(),
+});

package/src/index.ts CHANGED Viewed

@@ -2,42 +2,21 @@
 // https://github.com/facebook/react-native/issues/24428
 import "react-native-url-polyfill/auto";
+import * as Credential from "./credential";
 import * as PID from "./pid";
-import * as RP from "./rp";
 import * as Errors from "./utils/errors";
 import * as WalletInstanceAttestation from "./wallet-instance-attestation";
-import * as RelyingPartySolution from "./rp";
-import {
-  verifyTrustChain,
-  getEntityConfiguration,
-  getCredentialIssuerEntityConfiguration,
-  getRelyingPartyEntityConfiguration,
-  getTrustAnchorEntityConfiguration,
-  getWalletProviderEntityConfiguration,
-} from "./trust";
-import {
-  RelyingPartyEntityConfiguration,
-  WalletProviderEntityConfiguration,
-  TrustAnchorEntityConfiguration,
-  CredentialIssuerEntityConfiguration,
-} from "./trust/types";
+import * as Trust from "./trust";
+import { AuthorizationDetail, AuthorizationDetails } from "./utils/par";
 import { createCryptoContextFor } from "./utils/crypto";
 export {
   PID,
-  RP,
+  Credential,
   WalletInstanceAttestation,
   Errors,
-  RelyingPartySolution,
-  verifyTrustChain,
-  getEntityConfiguration,
-  getCredentialIssuerEntityConfiguration,
-  getRelyingPartyEntityConfiguration,
-  getTrustAnchorEntityConfiguration,
-  getWalletProviderEntityConfiguration,
+  Trust,
   createCryptoContextFor,
-  RelyingPartyEntityConfiguration,
-  WalletProviderEntityConfiguration,
-  TrustAnchorEntityConfiguration,
-  CredentialIssuerEntityConfiguration,
+  AuthorizationDetail,
+  AuthorizationDetails,
 };

package/src/pid/index.ts CHANGED Viewed

@@ -1,3 +1,2 @@
 import * as SdJwt from "./sd-jwt";
-import * as Issuing from "./issuing";
-export { SdJwt, Issuing };
+export { SdJwt };