npm - @pagopa/io-react-native-wallet - Versions diffs - 1.0.0 → 1.1.0 - Mend

@pagopa/io-react-native-wallet 1.0.0 → 1.1.0

Files changed (289) hide show

package/src/credential/presentation/02-evaluate-rp-trust.ts CHANGED Viewed

@@ -1,5 +1,5 @@
-import { getRelyingPartyEntityConfiguration } from "../../trust";
-import { RelyingPartyEntityConfiguration } from "../../trust/types";
+import { getRelyingPartyEntityConfiguration } from "../../entity/trust/index";
+import { RelyingPartyEntityConfiguration } from "../../entity/trust/types";
 import type { StartFlow } from "../issuance/01-start-flow";
 import type { Out } from "../../utils/misc";

package/src/credential/presentation/03-retrieve-jwks.ts ADDED Viewed

@@ -0,0 +1,73 @@
+import { JWKS, JWK } from "../../utils/jwk";
+import { hasStatusOrThrow } from "../../utils/misc";
+import { RelyingPartyEntityConfiguration } from "../../entity/trust/types";
+/**
+ * Defines the signature for a function that retrieves JSON Web Key Sets (JWKS) from a client.
+ *
+ * @template T - The tuple type representing the function arguments.
+ * @param args - The arguments passed to the function.
+ * @returns A promise resolving to an object containing an array of JWKs.
+ */
+export type FetchJwks<T extends Array<unknown> = []> = (...args: T) => Promise<{
+  keys: JWK[];
+}>;
+/**
+ * Retrieves the JSON Web Key Set (JWKS) from the specified client's well-known endpoint.
+ *
+ * @param clientUrl - The base URL of the client entity from which to retrieve the JWKS.
+ * @param options - Optional context containing a custom fetch implementation.
+ * @param options.context - Optional context object.
+ * @param options.context.appFetch - Optional custom fetch function to use instead of the global `fetch`.
+ * @returns A promise resolving to an object containing an array of JWKs.
+ * @throws Will throw an error if the JWKS retrieval fails.
+ */
+export const fetchJwksFromUri: FetchJwks<
+  [string, { context?: { appFetch?: GlobalFetch["fetch"] } }]
+> = async (clientUrl, { context = {} } = {}) => {
+  const { appFetch = fetch } = context;
+  const wellKnownUrl = new URL(
+    "/.well-known/jar-issuer/jwk",
+    clientUrl
+  ).toString();
+  // Fetches the JWKS from a specific endpoint of the entity's well-known configuration
+  const jwks = await appFetch(wellKnownUrl, {
+    method: "GET",
+  })
+    .then(hasStatusOrThrow(200))
+    .then((raw) => raw.json())
+    .then((json) => JWKS.parse(json));
+  return {
+    keys: jwks.keys,
+  };
+};
+/**
+ * Retrieves the JSON Web Key Set (JWKS) from a Relying Party's entity configuration.
+ *
+ * @param rpConfig - The configuration object of the Relying Party entity.
+ * @returns An object containing an array of JWKs.
+ * @throws Will throw an error if the configuration is invalid or if JWKS is not found.
+ */
+export const fetchJwksFromConfig: FetchJwks<
+  [RelyingPartyEntityConfiguration]
+> = async (rpConfig) => {
+  const parsedConfig = RelyingPartyEntityConfiguration.safeParse(rpConfig);
+  if (!parsedConfig.success) {
+    throw new Error("Invalid Relying Party configuration.");
+  }
+  const jwks = parsedConfig.data.payload.metadata.wallet_relying_party.jwks;
+  if (!jwks || !Array.isArray(jwks.keys)) {
+    throw new Error("JWKS not found in Relying Party configuration.");
+  }
+  return {
+    keys: jwks.keys,
+  };
+};

package/src/credential/presentation/{03-get-request-object.ts → 04-get-request-object.ts} RENAMED Viewed

@@ -8,19 +8,19 @@ import {
 import { createDPopToken } from "../../utils/dpop";
 import { NoSuitableKeysFoundInEntityConfiguration } from "./errors";
-import type { EvaluateRelyingPartyTrust } from "./02-evaluate-rp-trust";
+import type { FetchJwks } from "./03-retrieve-jwks";
 import { hasStatusOrThrow, type Out } from "../../utils/misc";
 import type { StartFlow } from "./01-start-flow";
 import { RequestObject } from "./types";
 export type GetRequestObject = (
   requestUri: Out<StartFlow>["requestURI"],
-  rpConf: Out<EvaluateRelyingPartyTrust>["rpConf"],
   context: {
     wiaCryptoContext: CryptoContext;
     appFetch?: GlobalFetch["fetch"];
     walletInstanceAttestation: string;
-  }
+  },
+  jwkKeys?: Out<FetchJwks>["keys"]
 ) => Promise<{ requestObject: RequestObject }>;
 /**
@@ -36,8 +36,8 @@ export type GetRequestObject = (
  */
 export const getRequestObject: GetRequestObject = async (
   requestUri,
-  rpConf,
-  { wiaCryptoContext, appFetch = fetch, walletInstanceAttestation }
+  { wiaCryptoContext, appFetch = fetch, walletInstanceAttestation },
+  jwkKeys
 ) => {
   const signedWalletInstanceDPoP = await createDPopToken(
     {
@@ -62,10 +62,24 @@ export const getRequestObject: GetRequestObject = async (
   const responseJwt = decodeJwt(responseEncodedJwt);
-  // verify token signature according to RP's entity configuration
-  // to ensure the request object is authentic
-  {
-    const pubKey = rpConf.wallet_relying_party.jwks.keys.find(
+  await verifyTokenSignature(jwkKeys, responseJwt);
+  // Ensure that the request object conforms to the expected specification.
+  const requestObject = RequestObject.parse(responseJwt.payload);
+  return {
+    requestObject,
+  };
+};
+const verifyTokenSignature = async (
+  jwkKeys?: Out<FetchJwks>["keys"],
+  responseJwt?: any
+): Promise<void> => {
+  // verify token signature to ensure the request object is authentic
+  // 1. according to entity configuration if present
+  if (jwkKeys) {
+    const pubKey = jwkKeys.find(
       ({ kid }) => kid === responseJwt.protectedHeader.kid
     );
     if (!pubKey) {
@@ -73,13 +87,17 @@ export const getRequestObject: GetRequestObject = async (
         "Request Object signature verification"
       );
     }
-    await verify(responseEncodedJwt, pubKey);
+    await verify(responseJwt, pubKey);
+    return;
   }
-  // Ensure that the request object conforms to the expected specification.
-  const requestObject = RequestObject.parse(responseJwt.payload);
+  // 2. If jwk is not retrieved from entity config, check if the token contains the 'jwk' attribute
+  if (responseJwt.protectedHeader?.jwk) {
+    const pubKey = responseJwt.protectedHeader.jwk;
+    await verify(responseJwt, pubKey);
+    return;
+  }
-  return {
-    requestObject,
-  };
+  // No verification condition matched: skipping signature verification for now.
+  // TODO: [EUDIW-215] Remove skipping signature verification
 };

package/src/credential/presentation/{04-send-authorization-response.ts → 05-send-authorization-response.ts} RENAMED Viewed

@@ -4,7 +4,7 @@ import * as WalletInstanceAttestation from "../../wallet-instance-attestation";
 import type { JWK } from "@pagopa/io-react-native-jwt/lib/typescript/types";
 import { NoSuitableKeysFoundInEntityConfiguration } from "./errors";
 import { hasStatusOrThrow, type Out } from "../../utils/misc";
-import type { GetRequestObject } from "./03-get-request-object";
+import type { GetRequestObject } from "./04-get-request-object";
 import { disclose } from "../../sd-jwt";
 import type { EvaluateRelyingPartyTrust } from "./02-evaluate-rp-trust";
 import { type Presentation } from "./types";

package/src/credential/presentation/README.md CHANGED Viewed

@@ -1,3 +1,75 @@
-# Credential presentation
+# Credential Presentation
-Currently this flow is outdated.
+## Sequence Diagram
+```mermaid
+sequenceDiagram
+      autonumber
+      participant I as Individual using EUDI Wallet
+      participant O as Organisational Wallet (Verifier)
+      participant A as Organisational Wallet (Issuer)
+      O->>+I: QR-CODE: Authorisation request (`request_uri`)
+      I->>+O: GET: Request object, resolved from the `request_uri`
+      O->>+I: Respond with the Request object
+      I->>+O: GET: /.well-known/jar-issuer/jwk
+      O->>+I: Respond with the public key
+      I->>+O: POST: VP token response
+      O->>+A: GET: /.well-known/jwt-vc-issuer/jwk
+      A->>+O: Respond with the public key
+      O->>+I: Redirect: Authorisation response
+```
+## Mapped results
+## Examples
+<details>
+  <summary>Remote Presentation flow</summary>
+```ts
+// Scan e retrive qr-code
+const qrcode = ...
+// Retrieve the integrity key tag from the store and create its context
+const integrityKeyTag = "example"; // Let's assume this is the key tag used to create the wallet instance
+const integrityContext = getIntegrityContext(integrityKeyTag);
+// Let's assume the key esists befor starting the presentation process
+const wiaCryptoContext = createCryptoContextFor(WIA_KEYTAG);
+const { WALLET_PROVIDER_BASE_URL, WALLET_EAA_PROVIDER_BASE_URL, REDIRECT_URI } =
+  env; // Let's assume these are the environment variables
+/**
+ * Obtains a new Wallet Instance Attestation.
+ * WARNING: The integrity context must be the same used when creating the Wallet Instance with the same keytag.
+ */
+const walletInstanceAttestation =
+  await WalletInstanceAttestation.getAttestation({
+    wiaCryptoContext,
+    integrityContext,
+    walletProviderBaseUrl: WALLET_PROVIDER_BASE_URL,
+    appFetch,
+  });
+// Start the issuance flow
+const { requestURI, clientId } = Credential.Presentation.startFlowFromQR(qrcode);
+// If use trust federation: Evaluate issuer trust
+const { rpConf } = await Credential.Presentation.evaluateRelyingPartyTrust(clientId);
+// If use trust federation: Fetch Jwks from rpConf
+const jwks = await Credential.Presentation.fetchJwksFromConfig(rpConf);
+// If not use trust: Fetch Jwks from well-know
+const jwks = await Credential.Presentation.fetchJwksFromUri(
+  requestURI,
+  appFetch,
+);
+```
+</details>

package/src/credential/presentation/index.ts CHANGED Viewed

@@ -3,19 +3,26 @@ import {
   evaluateRelyingPartyTrust,
   type EvaluateRelyingPartyTrust,
 } from "./02-evaluate-rp-trust";
+import {
+  fetchJwksFromUri,
+  fetchJwksFromConfig,
+  type FetchJwks,
+} from "./03-retrieve-jwks";
 import {
   getRequestObject,
   type GetRequestObject,
-} from "./03-get-request-object";
+} from "./04-get-request-object";
 import {
   sendAuthorizationResponse,
   type SendAuthorizationResponse,
-} from "./04-send-authorization-response";
+} from "./05-send-authorization-response";
 import * as Errors from "./errors";
 export {
   startFlowFromQR,
   evaluateRelyingPartyTrust,
+  fetchJwksFromUri,
+  fetchJwksFromConfig,
   getRequestObject,
   sendAuthorizationResponse,
   Errors,
@@ -23,6 +30,7 @@ export {
 export type {
   StartFlow,
   EvaluateRelyingPartyTrust,
+  FetchJwks,
   GetRequestObject,
   SendAuthorizationResponse,
 };

package/src/credential/presentation/types.ts CHANGED Viewed

@@ -13,15 +13,15 @@ export type Presentation = [
 export type RequestObject = z.infer<typeof RequestObject>;
 export const RequestObject = z.object({
-  iss: z.string(),
+  iss: z.string().optional(), //optional by RFC 7519, mandatory for Potential
   iat: UnixTime,
-  exp: UnixTime,
+  exp: UnixTime.optional(),
   state: z.string(),
   nonce: z.string(),
   response_uri: z.string(),
   response_type: z.literal("vp_token"),
   response_mode: z.literal("direct_post.jwt"),
   client_id: z.string(),
-  client_id_scheme: z.literal("entity_id"),
+  client_id_scheme: z.string(), // previous z.literal("entity_id"),
   scope: z.string(),
 });

package/src/entity/openid-connect/issuer/index.ts ADDED Viewed

@@ -0,0 +1,27 @@
+import { hasStatusOrThrow } from "../../../utils/misc";
+import { CredentialIssuerConfiguration } from "./types";
+/**
+ * Fetch the signed entity configuration token for an entity
+ *
+ * @param entityBaseUrl The url of the entity to fetch
+ * @param param.appFetch (optional) fetch api implemention
+ * @returns The signed Entity Configuration token
+ */
+export async function getCredentialIssuerMetadata(
+  entityBaseUrl: string,
+  {
+    appFetch = fetch,
+  }: {
+    appFetch?: GlobalFetch["fetch"];
+  } = {}
+): Promise<CredentialIssuerConfiguration> {
+  const wellKnownUrl = `${entityBaseUrl}/.well-known/openid-credential-issuer`;
+  return await appFetch(wellKnownUrl, {
+    method: "GET",
+  })
+    .then(hasStatusOrThrow(200))
+    .then((res) => res.json())
+    .then(CredentialIssuerConfiguration.parse);
+}

package/src/entity/openid-connect/issuer/types.ts ADDED Viewed

@@ -0,0 +1,68 @@
+import { JWK } from "../../../utils/jwk";
+import * as z from "zod";
+// Display metadata for a credential, used by the issuer to
+// instruct the Wallet Solution on how to render the credential correctly
+export type CredentialDisplay = z.infer<typeof CredentialDisplay>;
+export const CredentialDisplay = z.object({
+  name: z.string(),
+  locale: z.string(),
+  logo: z
+    .object({
+      url: z.string(),
+      alt_text: z.string(),
+    })
+    .optional(),
+  background_color: z.string().optional(),
+  text_color: z.string().optional(),
+});
+export const CredentialClaimDisplay = z.object({
+  name: z.string(),
+  locale: z.string(),
+});
+export const CredentialFormat = z.union([
+  z.literal("vc+sd-jwt"),
+  z.literal("example+sd-jwt"),
+]);
+const CredentialSdJwtClaims = z.record(
+  z.object({
+    mandatory: z.boolean(),
+    display: z.array(CredentialClaimDisplay),
+  })
+);
+export type CredentialConfigurationSupported = z.infer<
+  typeof CredentialConfigurationSupported
+>;
+export const CredentialConfigurationSupported = z.record(
+  z.object({
+    cryptographic_suites_supported: z.array(z.string()),
+    vct: z.string(),
+    scope: z.string(),
+    cryptographic_binding_methods_supported: z.array(z.string()),
+    display: z.array(CredentialDisplay),
+    format: CredentialFormat,
+    claims: CredentialSdJwtClaims,
+  })
+);
+export type CredentialIssuerKeys = z.infer<typeof CredentialIssuerKeys>;
+export const CredentialIssuerKeys = z.object({
+  keys: z.array(JWK),
+});
+export type CredentialIssuerConfiguration = z.infer<
+  typeof CredentialIssuerConfiguration
+>;
+export const CredentialIssuerConfiguration = z.object({
+  credential_configurations_supported: CredentialConfigurationSupported,
+  pushed_authorization_request_endpoint: z.string(),
+  dpop_signing_alg_values_supported: z.array(z.string()),
+  jwks: CredentialIssuerKeys,
+  credential_issuer: z.string(),
+  authorization_endpoint: z.string(),
+  token_endpoint: z.string(),
+  credential_endpoint: z.string(),
+});

package/src/{trust → entity/trust}/chain.ts RENAMED Viewed

@@ -7,8 +7,8 @@ import {
   EntityStatement,
   TrustAnchorEntityConfiguration,
 } from "./types";
-import { JWK } from "../utils/jwk";
-import { IoWalletError } from "../utils/errors";
+import { JWK } from "../../utils/jwk";
+import { IoWalletError } from "../../utils/errors";
 import * as z from "zod";
 import type { JWTDecodeResult } from "@pagopa/io-react-native-jwt/lib/typescript/types";
 import { getSignedEntityConfiguration, getSignedEntityStatement } from ".";

package/src/{trust → entity/trust}/index.ts RENAMED Viewed

@@ -8,7 +8,7 @@ import {
   EntityStatement,
 } from "./types";
 import { validateTrustChain, renewTrustChain } from "./chain";
-import { hasStatusOrThrow } from "../utils/misc";
+import { hasStatusOrThrow } from "../../utils/misc";
 export type {
   WalletProviderEntityConfiguration,

package/src/{trust → entity/trust}/types.ts RENAMED Viewed

@@ -1,5 +1,5 @@
-import { UnixTime } from "../sd-jwt/types";
-import { JWK } from "../utils/jwk";
+import { UnixTime } from "../../sd-jwt/types";
+import { JWK } from "../../utils/jwk";
 import * as z from "zod";
 export const TrustMark = z.object({ id: z.string(), trust_mark: z.string() });

package/src/index.ts CHANGED Viewed

@@ -9,7 +9,6 @@ import * as PID from "./pid";
 import * as SdJwt from "./sd-jwt";
 import * as Errors from "./utils/errors";
 import * as WalletInstanceAttestation from "./wallet-instance-attestation";
-import * as Trust from "./trust";
 import * as WalletInstance from "./wallet-instance";
 import { AuthorizationDetail, AuthorizationDetails } from "./utils/par";
 import { createCryptoContextFor } from "./utils/crypto";
@@ -22,7 +21,6 @@ export {
   WalletInstanceAttestation,
   WalletInstance,
   Errors,
-  Trust,
   createCryptoContextFor,
   AuthorizationDetail,
   AuthorizationDetails,

package/src/pid/sd-jwt/types.ts CHANGED Viewed

@@ -1,22 +1,5 @@
 import { z } from "zod";
-const VerificationEvidence = z.object({
-  type: z.string(),
-  record: z.object({
-    type: z.string(),
-    source: z.object({
-      organization_name: z.string(),
-      organization_id: z.string(),
-      country_code: z.string(),
-    }),
-  }),
-});
-type Verification = z.infer<typeof Verification>;
-const Verification = z.object({
-  trustFramework: z.literal("eidas"),
-  assuranceLevel: z.string(),
-  evidence: z.array(VerificationEvidence),
-});
+import { Verification } from "../../sd-jwt/types";
 /**
  * Data structure for the PID.

package/src/sd-jwt/__test__/index.test.ts CHANGED Viewed

@@ -13,56 +13,66 @@ import { SdJwt4VC } from "../types";
 //    - "address" is used as verification._sd
 //    - all others disclosures are in claims._sd
 const token =
-  "eyJraWQiOiItRl82VWdhOG4zVmVnalkyVTdZVUhLMXpMb2FELU5QVGM2M1JNSVNuTGF3IiwidHlwIjoidmMrc2Qtand0IiwiYWxnIjoiRVMyNTYifQ.eyJfc2QiOlsiMHExRDVKbWF2NnBRYUVoX0pfRmN2X3VOTk1RSWdDeWhRT3hxbFk0bDNxVSIsIktDSi1BVk52ODhkLXhqNnNVSUFPSnhGbmJVaDNySFhES2tJSDFsRnFiUnMiLCJNOWxvOVl4RE5JWHJBcTJxV2VpQ0E0MHpwSl96WWZGZFJfNEFFQUxjUnRVIiwiY3pnalVrMG5xUkNzd1NoQ2hDamRTNkExLXY0N2RfcVRDU0ZJdklIaE1vSSIsIm5HblFyN2NsbTN0ZlRwOHlqTF91SHJEU090elIyUFZiOFM3R2VMZEFxQlEiLCJ4TklWd2xwU3NhWjhDSlNmMGd6NXhfNzVWUldXYzZWMW1scGVqZENycVVzIl0sInN1YiI6IjIxNmY4OTQ2LTllY2ItNDgxOS05MzA5LWMwNzZmMzRhN2UxMSIsIl9zZF9hbGciOiJzaGEtMjU2IiwidmN0IjoiUGVyc29uSWRlbnRpZmljYXRpb25EYXRhIiwiaXNzIjoiaHR0cHM6Ly9wcmUuZWlkLndhbGxldC5pcHpzLml0IiwiY25mIjp7Imp3ayI6eyJrdHkiOiJFQyIsImNydiI6IlAtMjU2Iiwia2lkIjoiUnYzVy1FaUtwdkJUeWs1eVp4dnJldi03TURCNlNselVDQm9fQ1FqamRkVSIsIngiOiIwV294N1F0eVBxQnlnMzVNSF9YeUNjbmQ1TGUtSm0wQVhIbFVnREJBMDNZIiwieSI6ImVFaFZ2ZzFKUHFOZDNEVFNhNG1HREdCbHdZNk5QLUVaYkxiTkZYU1h3SWcifX0sImV4cCI6MTc1MTU0NjU3Niwic3RhdHVzIjp7InN0YXR1c19hdHRlc3RhdGlvbiI6eyJjcmVkZW50aWFsX2hhc2hfYWxnIjoic2hhLTI1NiJ9fX0.qXHA2oqr8trX4fGxpxpUft2GX380TM3pzfo1MYAsDjUC8HsODA-4rdRWAvDe2zYP57x4tJU7eiABkd1Kmln9yQ~WyJrSkRFUDhFYU5URU1CRE9aelp6VDR3IiwidW5pcXVlX2lkIiwiVElOSVQtTFZMREFBODVUNTBHNzAyQiJd~WyJ6SUF5VUZ2UGZJcEUxekJxeEk1aGFRIiwiYmlydGhfZGF0ZSIsIjE5ODUtMTItMTAiXQ~WyJHcjNSM3MyOTBPa1FVbS1ORlR1OTZBIiwidGF4X2lkX2NvZGUiLCJUSU5JVC1MVkxEQUE4NVQ1MEc3MDJCIl0~WyJHeE9SYWxNQWVsZlowZWRGSmpqWVV3IiwiZ2l2ZW5fbmFtZSIsIkFkYSJd~WyJfdlY1UklrbDBJT0VYS290czlrdDF3IiwiZmFtaWx5X25hbWUiLCJMb3ZlbGFjZSJd~WyJDajV0Y2NSNzJKd3J6ZTJUVzRhLXdnIiwiaWF0IiwxNzIwMDEwNTc1XQ";
+  "eyJraWQiOiJlTk4tZzVpNkNuTEtjbHRRQnA2YWJiaW9HTWJ6TTZtdVczdnV4dzZ1aDg4IiwidHlwIjoidmMrc2Qtand0IiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiJzajFPcFlpaUxUVllBTm5CR053U0sya3JNd3FwV2F6MmlIbU4xdDBfRXNnIiwiX3NkIjpbIjFVbXRJU3NkZDd1ZGJGYUZ5LVZpWjhkWkZoZXJiT0dEMk4zSGxYNFBJQzgiLCJGbWpzNHF6YzV2a2VPQVk1RzIwX1pQdlUtMXEtb1hhVjdBeDUxNkNDTUZrIiwiUTNiYWdOek1lUWg2RWd3UEJTSGltYmdRcGxtWV82djlTVzRnbzJYQWtnQSIsIlFWd2tuNzFCNHBXZkNPenpsUWw5SG54RlNWZEVIdVczNXpkVFFRZEZRR2MiLCJWVmRSNDFBMktPT1Z6eFlhZ1pDR2JWYW5nN3NTa2VnQ2VpdVdmM0RPdGpzIiwidk8yZHZuY216bHYzN01Ra21XdWRTRElIREU5WUhkMEVGQjh4QlREVmp6MCJdLCJ2Y3QjaW50ZWdyaXR5IjoiMjQyMzAyZDk3ZDM4ZGEyNzE0YTI1N2YyYTI1M2JmMmZhMzBhYWU1YzEwOWZlOTU4MWJmY2RhM2IxZDc5N2M5NyIsIl9zZF9hbGciOiJzaGEtMjU2IiwidmN0IjoidXJuOmV1LmV1cm9wYS5lYy5ldWRpOnBpZDoxIiwiaXNzIjoiaHR0cHM6Ly9hcGkucG90ZW50aWFsLXdhbGxldC1pdC1waWQtcHJvdmlkZXIuaXQiLCJjbmYiOnsiandrIjp7Imt0eSI6IkVDIiwiY3J2IjoiUC0yNTYiLCJraWQiOiJMZWduRlE4bHZoQTZxeVB1dFl2NDhuV1dwU25PNXRIaWdhdnl3eWRzNVMwIiwieCI6ImN6WnJOOWxjTnVjMHE2OVg0MG4yN2M1aktwaWkwQS1hWVhfUGJvOXBxQlEiLCJ5IjoiWUdLR2FDSk5XZlRpS2l6M0ptQUc5a3k3aDR0d1B1VWZ6WU9neTFiekx2OCJ9fSwiZXhwIjoxNzY4NDkwMTk2LCJpYXQiOjE3MzY5NTQxOTYsInZlcmlmaWNhdGlvbiI6eyJldmlkZW5jZSI6eyJtZXRob2QiOiJjaWUifSwidHJ1c3RfZnJhbWV3b3JrIjoiZWlkYXMiLCJhc3N1cmFuY2VfbGV2ZWwiOiJoaWdoIn0sInN0YXR1cyI6eyJzdGF0dXNfYXNzZXJ0aW9uIjp7ImNyZWRlbnRpYWxfaGFzaF9hbGciOiJzaGEtMjU2In19fQ.bDBz9xa_u1g27TEuGRjNdFCMXuVibXHeI-rpnSZ_NE7k2h4_Kcshk1Van-ttmJiDq3XFBGckl3nka_QVsMjaRMnURQP62URci3CCaFZUVu3zI4BsXp1oRhucPqq6BHl6sjZbDXALp2jViEQ862-frdFnCCEuQC0xMh-zYycpL60bHXHTaGYDzHafGQAwcwr3fyYwFZvfmLFEBoKmEawDrFC0Enfw7pE9EHP9jITxWRTIxn9NcVdnzki1FO-ERsjrDS2y-u2RK6uy6-_0kIx-1mDJ7krCkaxeol0zOLb7zJX8ooxC1QupSp1z457JKi7cPPoL1GWeTRoHFy_kZL_Jew~WyJacnBvZllXMWs2NEpuUE05WjdEWS1RIiwiZ2l2ZW5fbmFtZSIsIk1hcmlvIl0~WyJ4d0o1UWM2OTB1eEgyZ0VKMHFDV2dRIiwiZmFtaWx5X25hbWUiLCJSb3NzaSJd~WyJlV3ZwQXAtVkFHM0tBdkVGTEgxRGZ3IiwidW5pcXVlX2lkIiwiaWRBTlBSIl0~WyJHcXZJTzV5SVN3bjg4eDkzbE1aalpRIiwiYmlydGhkYXRlIiwiMTk4MC0xMC0wMSJd~WyJvUmprWWxPc1JvSGZ4eEh2WmZueDN3IiwidGF4X2lkX2NvZGUiLCJUSU5JVC1SU1NNUkE4MEExMEg1MDFBIl0~WyJzOXBvSENQcW83cVdsb3BkQXRZc0V3IiwiaWF0IiwxNzM2OTU0MTk2XQ";
 const unsigned =
-  "eyJraWQiOiItRl82VWdhOG4zVmVnalkyVTdZVUhLMXpMb2FELU5QVGM2M1JNSVNuTGF3IiwidHlwIjoidmMrc2Qtand0IiwiYWxnIjoiRVMyNTYifQ.eyJfc2QiOlsiMHExRDVKbWF2NnBRYUVoX0pfRmN2X3VOTk1RSWdDeWhRT3hxbFk0bDNxVSIsIktDSi1BVk52ODhkLXhqNnNVSUFPSnhGbmJVaDNySFhES2tJSDFsRnFiUnMiLCJNOWxvOVl4RE5JWHJBcTJxV2VpQ0E0MHpwSl96WWZGZFJfNEFFQUxjUnRVIiwiY3pnalVrMG5xUkNzd1NoQ2hDamRTNkExLXY0N2RfcVRDU0ZJdklIaE1vSSIsIm5HblFyN2NsbTN0ZlRwOHlqTF91SHJEU090elIyUFZiOFM3R2VMZEFxQlEiLCJ4TklWd2xwU3NhWjhDSlNmMGd6NXhfNzVWUldXYzZWMW1scGVqZENycVVzIl0sInN1YiI6IjIxNmY4OTQ2LTllY2ItNDgxOS05MzA5LWMwNzZmMzRhN2UxMSIsIl9zZF9hbGciOiJzaGEtMjU2IiwidmN0IjoiUGVyc29uSWRlbnRpZmljYXRpb25EYXRhIiwiaXNzIjoiaHR0cHM6Ly9wcmUuZWlkLndhbGxldC5pcHpzLml0IiwiY25mIjp7Imp3ayI6eyJrdHkiOiJFQyIsImNydiI6IlAtMjU2Iiwia2lkIjoiUnYzVy1FaUtwdkJUeWs1eVp4dnJldi03TURCNlNselVDQm9fQ1FqamRkVSIsIngiOiIwV294N1F0eVBxQnlnMzVNSF9YeUNjbmQ1TGUtSm0wQVhIbFVnREJBMDNZIiwieSI6ImVFaFZ2ZzFKUHFOZDNEVFNhNG1HREdCbHdZNk5QLUVaYkxiTkZYU1h3SWcifX0sImV4cCI6MTc1MTU0NjU3Niwic3RhdHVzIjp7InN0YXR1c19hdHRlc3RhdGlvbiI6eyJjcmVkZW50aWFsX2hhc2hfYWxnIjoic2hhLTI1NiJ9fX0";
+  "eyJraWQiOiJlTk4tZzVpNkNuTEtjbHRRQnA2YWJiaW9HTWJ6TTZtdVczdnV4dzZ1aDg4IiwidHlwIjoidmMrc2Qtand0IiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiJzajFPcFlpaUxUVllBTm5CR053U0sya3JNd3FwV2F6MmlIbU4xdDBfRXNnIiwiX3NkIjpbIjFVbXRJU3NkZDd1ZGJGYUZ5LVZpWjhkWkZoZXJiT0dEMk4zSGxYNFBJQzgiLCJGbWpzNHF6YzV2a2VPQVk1RzIwX1pQdlUtMXEtb1hhVjdBeDUxNkNDTUZrIiwiUTNiYWdOek1lUWg2RWd3UEJTSGltYmdRcGxtWV82djlTVzRnbzJYQWtnQSIsIlFWd2tuNzFCNHBXZkNPenpsUWw5SG54RlNWZEVIdVczNXpkVFFRZEZRR2MiLCJWVmRSNDFBMktPT1Z6eFlhZ1pDR2JWYW5nN3NTa2VnQ2VpdVdmM0RPdGpzIiwidk8yZHZuY216bHYzN01Ra21XdWRTRElIREU5WUhkMEVGQjh4QlREVmp6MCJdLCJ2Y3QjaW50ZWdyaXR5IjoiMjQyMzAyZDk3ZDM4ZGEyNzE0YTI1N2YyYTI1M2JmMmZhMzBhYWU1YzEwOWZlOTU4MWJmY2RhM2IxZDc5N2M5NyIsIl9zZF9hbGciOiJzaGEtMjU2IiwidmN0IjoidXJuOmV1LmV1cm9wYS5lYy5ldWRpOnBpZDoxIiwiaXNzIjoiaHR0cHM6Ly9hcGkucG90ZW50aWFsLXdhbGxldC1pdC1waWQtcHJvdmlkZXIuaXQiLCJjbmYiOnsiandrIjp7Imt0eSI6IkVDIiwiY3J2IjoiUC0yNTYiLCJraWQiOiJMZWduRlE4bHZoQTZxeVB1dFl2NDhuV1dwU25PNXRIaWdhdnl3eWRzNVMwIiwieCI6ImN6WnJOOWxjTnVjMHE2OVg0MG4yN2M1aktwaWkwQS1hWVhfUGJvOXBxQlEiLCJ5IjoiWUdLR2FDSk5XZlRpS2l6M0ptQUc5a3k3aDR0d1B1VWZ6WU9neTFiekx2OCJ9fSwiZXhwIjoxNzY4NDkwMTk2LCJpYXQiOjE3MzY5NTQxOTYsInZlcmlmaWNhdGlvbiI6eyJldmlkZW5jZSI6eyJtZXRob2QiOiJjaWUifSwidHJ1c3RfZnJhbWV3b3JrIjoiZWlkYXMiLCJhc3N1cmFuY2VfbGV2ZWwiOiJoaWdoIn0sInN0YXR1cyI6eyJzdGF0dXNfYXNzZXJ0aW9uIjp7ImNyZWRlbnRpYWxfaGFzaF9hbGciOiJzaGEtMjU2In19fQ";
 const signature =
-  "qXHA2oqr8trX4fGxpxpUft2GX380TM3pzfo1MYAsDjUC8HsODA-4rdRWAvDe2zYP57x4tJU7eiABkd1Kmln9yQ";
+  "bDBz9xa_u1g27TEuGRjNdFCMXuVibXHeI-rpnSZ_NE7k2h4_Kcshk1Van-ttmJiDq3XFBGckl3nka_QVsMjaRMnURQP62URci3CCaFZUVu3zI4BsXp1oRhucPqq6BHl6sjZbDXALp2jViEQ862-frdFnCCEuQC0xMh-zYycpL60bHXHTaGYDzHafGQAwcwr3fyYwFZvfmLFEBoKmEawDrFC0Enfw7pE9EHP9jITxWRTIxn9NcVdnzki1FO-ERsjrDS2y-u2RK6uy6-_0kIx-1mDJ7krCkaxeol0zOLb7zJX8ooxC1QupSp1z457JKi7cPPoL1GWeTRoHFy_kZL_Jew";
 const signed = `${unsigned}.${signature}`;
 const tokenizedDisclosures = [
-  "WyJrSkRFUDhFYU5URU1CRE9aelp6VDR3IiwidW5pcXVlX2lkIiwiVElOSVQtTFZMREFBODVUNTBHNzAyQiJd",
-  "WyJ6SUF5VUZ2UGZJcEUxekJxeEk1aGFRIiwiYmlydGhfZGF0ZSIsIjE5ODUtMTItMTAiXQ",
-  "WyJHcjNSM3MyOTBPa1FVbS1ORlR1OTZBIiwidGF4X2lkX2NvZGUiLCJUSU5JVC1MVkxEQUE4NVQ1MEc3MDJCIl0",
-  "WyJHeE9SYWxNQWVsZlowZWRGSmpqWVV3IiwiZ2l2ZW5fbmFtZSIsIkFkYSJd",
-  "WyJfdlY1UklrbDBJT0VYS290czlrdDF3IiwiZmFtaWx5X25hbWUiLCJMb3ZlbGFjZSJd",
-  "WyJDajV0Y2NSNzJKd3J6ZTJUVzRhLXdnIiwiaWF0IiwxNzIwMDEwNTc1XQ",
+  "WyJacnBvZllXMWs2NEpuUE05WjdEWS1RIiwiZ2l2ZW5fbmFtZSIsIk1hcmlvIl0",
+  "WyJ4d0o1UWM2OTB1eEgyZ0VKMHFDV2dRIiwiZmFtaWx5X25hbWUiLCJSb3NzaSJd",
+  "WyJlV3ZwQXAtVkFHM0tBdkVGTEgxRGZ3IiwidW5pcXVlX2lkIiwiaWRBTlBSIl0",
+  "WyJHcXZJTzV5SVN3bjg4eDkzbE1aalpRIiwiYmlydGhkYXRlIiwiMTk4MC0xMC0wMSJd",
+  "WyJvUmprWWxPc1JvSGZ4eEh2WmZueDN3IiwidGF4X2lkX2NvZGUiLCJUSU5JVC1SU1NNUkE4MEExMEg1MDFBIl0",
+  "WyJzOXBvSENQcW83cVdsb3BkQXRZc0V3IiwiaWF0IiwxNzM2OTU0MTk2XQ",
 ];
 const sdJwt = {
   header: {
-    kid: "-F_6Uga8n3VegjY2U7YUHK1zLoaD-NPTc63RMISnLaw",
+    kid: "eNN-g5i6CnLKcltQBp6abbioGMbzM6muW3vuxw6uh88",
     typ: "vc+sd-jwt",
-    alg: "ES256",
+    alg: "RS256",
   },
   payload: {
+    sub: "sj1OpYiiLTVYANnBGNwSK2krMwqpWaz2iHmN1t0_Esg",
     _sd: [
-      "0q1D5Jmav6pQaEh_J_Fcv_uNNMQIgCyhQOxqlY4l3qU",
-      "KCJ-AVNv88d-xj6sUIAOJxFnbUh3rHXDKkIH1lFqbRs",
-      "M9lo9YxDNIXrAq2qWeiCA40zpJ_zYfFdR_4AEALcRtU",
-      "czgjUk0nqRCswShChCjdS6A1-v47d_qTCSFIvIHhMoI",
-      "nGnQr7clm3tfTp8yjL_uHrDSOtzR2PVb8S7GeLdAqBQ",
-      "xNIVwlpSsaZ8CJSf0gz5x_75VRWWc6V1mlpejdCrqUs",
+      "1UmtISsdd7udbFaFy-ViZ8dZFherbOGD2N3HlX4PIC8",
+      "Fmjs4qzc5vkeOAY5G20_ZPvU-1q-oXaV7Ax516CCMFk",
+      "Q3bagNzMeQh6EgwPBSHimbgQplmY_6v9SW4go2XAkgA",
+      "QVwkn71B4pWfCOzzlQl9HnxFSVdEHuW35zdTQQdFQGc",
+      "VVdR41A2KOOVzxYagZCGbVang7sSkegCeiuWf3DOtjs",
+      "vO2dvncmzlv37MQkmWudSDIHDE9YHd0EFB8xBTDVjz0",
     ],
-    sub: "216f8946-9ecb-4819-9309-c076f34a7e11",
+    "vct#integrity":
+      "242302d97d38da2714a257f2a253bf2fa30aae5c109fe9581bfcda3b1d797c97",
     _sd_alg: "sha-256",
-    vct: "PersonIdentificationData",
-    iss: "https://pre.eid.wallet.ipzs.it",
+    vct: "urn:eu.europa.ec.eudi:pid:1",
+    iss: "https://api.potential-wallet-it-pid-provider.it",
     cnf: {
       jwk: {
         kty: "EC",
         crv: "P-256",
-        kid: "Rv3W-EiKpvBTyk5yZxvrev-7MDB6SlzUCBo_CQjjddU",
-        x: "0Wox7QtyPqByg35MH_XyCcnd5Le-Jm0AXHlUgDBA03Y",
-        y: "eEhVvg1JPqNd3DTSa4mGDGBlwY6NP-EZbLbNFXSXwIg",
+        kid: "LegnFQ8lvhA6qyPutYv48nWWpSnO5tHigavywyds5S0",
+        x: "czZrN9lcNuc0q69X40n27c5jKpii0A-aYX_Pbo9pqBQ",
+        y: "YGKGaCJNWfTiKiz3JmAG9ky7h4twPuUfzYOgy1bzLv8",
       },
     },
-    exp: 1751546576,
+    exp: 1768490196,
+    iat: 1736954196,
+    verification: {
+      evidence: {
+        method: "cie",
+      },
+      trust_framework: "eidas",
+      assurance_level: "high",
+    },
     status: {
-      status_attestation: {
+      status_assertion: {
         credential_hash_alg: "sha-256",
       },
     },
@@ -71,12 +81,12 @@ const sdJwt = {
 // In the very same order than tokenizedDisclosures
 const disclosures = [
-  ["kJDEP8EaNTEMBDOZzZzT4w", "unique_id", "TINIT-LVLDAA85T50G702B"],
-  ["zIAyUFvPfIpE1zBqxI5haQ", "birth_date", "1985-12-10"],
-  ["Gr3R3s290OkQUm-NFTu96A", "tax_id_code", "TINIT-LVLDAA85T50G702B"],
-  ["GxORalMAelfZ0edFJjjYUw", "given_name", "Ada"],
-  ["_vV5RIkl0IOEXKots9kt1w", "family_name", "Lovelace"],
-  ["Cj5tccR72Jwrze2TW4a-wg", "iat", 1720010575],
+  ["ZrpofYW1k64JnPM9Z7DY-Q", "given_name", "Mario"],
+  ["xwJ5Qc690uxH2gEJ0qCWgQ", "family_name", "Rossi"],
+  ["eWvpAp-VAG3KAvEFLH1Dfw", "unique_id", "idANPR"],
+  ["GqvIO5yISwn88x93lMZjZQ", "birthdate", "1980-10-01"],
+  ["oRjkYlOsRoHfxxHvZfnx3w", "tax_id_code", "TINIT-RSSMRA80A10H501A"],
+  ["s9poHCPqo7qWlopdAtYsEw", "iat", 1736954196],
 ];
 it("Ensures example data correctness", () => {
   expect(
@@ -130,10 +140,10 @@ describe("decode", () => {
 describe("disclose", () => {
   it("should encode a valid sdjwt (one claim)", async () => {
-    const result = await disclose(token, ["given_name"]);
+    const result = await disclose(token, ["unique_id"]);
     const expected = {
-      token: `${signed}~WyJHeE9SYWxNQWVsZlowZWRGSmpqWVV3IiwiZ2l2ZW5fbmFtZSIsIkFkYSJd`,
-      paths: [{ claim: "given_name", path: "verified_claims.claims._sd[3]" }],
+      token: `${signed}~WyJlV3ZwQXAtVkFHM0tBdkVGTEgxRGZ3IiwidW5pcXVlX2lkIiwiaWRBTlBSIl0`,
+      paths: [{ claim: "unique_id", path: "verified_claims.claims._sd[5]" }],
     };
     expect(result).toEqual(expected);
@@ -149,15 +159,15 @@ describe("disclose", () => {
   it("should encode a valid sdjwt (multiple claims)", async () => {
     const result = await disclose(token, ["iat", "family_name"]);
     const expected = {
-      token: `${signed}~WyJfdlY1UklrbDBJT0VYS290czlrdDF3IiwiZmFtaWx5X25hbWUiLCJMb3ZlbGFjZSJd~WyJDajV0Y2NSNzJKd3J6ZTJUVzRhLXdnIiwiaWF0IiwxNzIwMDEwNTc1XQ`,
+      token: `${signed}~WyJ4d0o1UWM2OTB1eEgyZ0VKMHFDV2dRIiwiZmFtaWx5X25hbWUiLCJSb3NzaSJd~WyJzOXBvSENQcW83cVdsb3BkQXRZc0V3IiwiaWF0IiwxNzM2OTU0MTk2XQ`,
       paths: [
         {
           claim: "iat",
-          path: "verified_claims.claims._sd[4]",
+          path: "verified_claims.claims._sd[1]",
         },
         {
           claim: "family_name",
-          path: "verified_claims.claims._sd[0]",
+          path: "verified_claims.claims._sd[3]",
         },
       ],
     };