npm - @pagopa/io-react-native-wallet - Versions diffs - 1.0.0 → 1.1.1 - Mend

@pagopa/io-react-native-wallet 1.0.0 → 1.1.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (289) hide show

package/src/credential/presentation/02-evaluate-rp-trust.ts CHANGED Viewed

@@ -1,5 +1,5 @@
-import { getRelyingPartyEntityConfiguration } from "../../trust";
-import { RelyingPartyEntityConfiguration } from "../../trust/types";
+import { getRelyingPartyEntityConfiguration } from "../../entity/trust/index";
+import { RelyingPartyEntityConfiguration } from "../../entity/trust/types";
 import type { StartFlow } from "../issuance/01-start-flow";
 import type { Out } from "../../utils/misc";

package/src/credential/presentation/03-retrieve-jwks.ts ADDED Viewed

@@ -0,0 +1,73 @@
+import { JWKS, JWK } from "../../utils/jwk";
+import { hasStatusOrThrow } from "../../utils/misc";
+import { RelyingPartyEntityConfiguration } from "../../entity/trust/types";
+/**
+ * Defines the signature for a function that retrieves JSON Web Key Sets (JWKS) from a client.
+ *
+ * @template T - The tuple type representing the function arguments.
+ * @param args - The arguments passed to the function.
+ * @returns A promise resolving to an object containing an array of JWKs.
+ */
+export type FetchJwks<T extends Array<unknown> = []> = (...args: T) => Promise<{
+  keys: JWK[];
+}>;
+/**
+ * Retrieves the JSON Web Key Set (JWKS) from the specified client's well-known endpoint.
+ *
+ * @param clientUrl - The base URL of the client entity from which to retrieve the JWKS.
+ * @param options - Optional context containing a custom fetch implementation.
+ * @param options.context - Optional context object.
+ * @param options.context.appFetch - Optional custom fetch function to use instead of the global `fetch`.
+ * @returns A promise resolving to an object containing an array of JWKs.
+ * @throws Will throw an error if the JWKS retrieval fails.
+ */
+export const fetchJwksFromUri: FetchJwks<
+  [string, { context?: { appFetch?: GlobalFetch["fetch"] } }]
+> = async (clientUrl, { context = {} } = {}) => {
+  const { appFetch = fetch } = context;
+  const wellKnownUrl = new URL(
+    "/.well-known/jar-issuer/jwk",
+    clientUrl
+  ).toString();
+  // Fetches the JWKS from a specific endpoint of the entity's well-known configuration
+  const jwks = await appFetch(wellKnownUrl, {
+    method: "GET",
+  })
+    .then(hasStatusOrThrow(200))
+    .then((raw) => raw.json())
+    .then((json) => JWKS.parse(json));
+  return {
+    keys: jwks.keys,
+  };
+};
+/**
+ * Retrieves the JSON Web Key Set (JWKS) from a Relying Party's entity configuration.
+ *
+ * @param rpConfig - The configuration object of the Relying Party entity.
+ * @returns An object containing an array of JWKs.
+ * @throws Will throw an error if the configuration is invalid or if JWKS is not found.
+ */
+export const fetchJwksFromConfig: FetchJwks<
+  [RelyingPartyEntityConfiguration]
+> = async (rpConfig) => {
+  const parsedConfig = RelyingPartyEntityConfiguration.safeParse(rpConfig);
+  if (!parsedConfig.success) {
+    throw new Error("Invalid Relying Party configuration.");
+  }
+  const jwks = parsedConfig.data.payload.metadata.wallet_relying_party.jwks;
+  if (!jwks || !Array.isArray(jwks.keys)) {
+    throw new Error("JWKS not found in Relying Party configuration.");
+  }
+  return {
+    keys: jwks.keys,
+  };
+};

package/src/credential/presentation/{03-get-request-object.ts → 04-get-request-object.ts} RENAMED Viewed

@@ -8,19 +8,19 @@ import {
 import { createDPopToken } from "../../utils/dpop";
 import { NoSuitableKeysFoundInEntityConfiguration } from "./errors";
-import type { EvaluateRelyingPartyTrust } from "./02-evaluate-rp-trust";
+import type { FetchJwks } from "./03-retrieve-jwks";
 import { hasStatusOrThrow, type Out } from "../../utils/misc";
 import type { StartFlow } from "./01-start-flow";
 import { RequestObject } from "./types";
 export type GetRequestObject = (
   requestUri: Out<StartFlow>["requestURI"],
-  rpConf: Out<EvaluateRelyingPartyTrust>["rpConf"],
   context: {
     wiaCryptoContext: CryptoContext;
     appFetch?: GlobalFetch["fetch"];
     walletInstanceAttestation: string;
-  }
+  },
+  jwkKeys?: Out<FetchJwks>["keys"]
 ) => Promise<{ requestObject: RequestObject }>;
 /**
@@ -36,8 +36,8 @@ export type GetRequestObject = (
  */
 export const getRequestObject: GetRequestObject = async (
   requestUri,
-  rpConf,
-  { wiaCryptoContext, appFetch = fetch, walletInstanceAttestation }
+  { wiaCryptoContext, appFetch = fetch, walletInstanceAttestation },
+  jwkKeys
 ) => {
   const signedWalletInstanceDPoP = await createDPopToken(
     {
@@ -62,10 +62,24 @@ export const getRequestObject: GetRequestObject = async (
   const responseJwt = decodeJwt(responseEncodedJwt);
-  // verify token signature according to RP's entity configuration
-  // to ensure the request object is authentic
-  {
-    const pubKey = rpConf.wallet_relying_party.jwks.keys.find(
+  await verifyTokenSignature(jwkKeys, responseJwt);
+  // Ensure that the request object conforms to the expected specification.
+  const requestObject = RequestObject.parse(responseJwt.payload);
+  return {
+    requestObject,
+  };
+};
+const verifyTokenSignature = async (
+  jwkKeys?: Out<FetchJwks>["keys"],
+  responseJwt?: any
+): Promise<void> => {
+  // verify token signature to ensure the request object is authentic
+  // 1. according to entity configuration if present
+  if (jwkKeys) {
+    const pubKey = jwkKeys.find(
       ({ kid }) => kid === responseJwt.protectedHeader.kid
     );
     if (!pubKey) {
@@ -73,13 +87,17 @@ export const getRequestObject: GetRequestObject = async (
         "Request Object signature verification"
       );
     }
-    await verify(responseEncodedJwt, pubKey);
+    await verify(responseJwt, pubKey);
+    return;
   }
-  // Ensure that the request object conforms to the expected specification.
-  const requestObject = RequestObject.parse(responseJwt.payload);
+  // 2. If jwk is not retrieved from entity config, check if the token contains the 'jwk' attribute
+  if (responseJwt.protectedHeader?.jwk) {
+    const pubKey = responseJwt.protectedHeader.jwk;
+    await verify(responseJwt, pubKey);
+    return;
+  }
-  return {
-    requestObject,
-  };
+  // No verification condition matched: skipping signature verification for now.
+  // TODO: [EUDIW-215] Remove skipping signature verification
 };

package/src/credential/presentation/{04-send-authorization-response.ts → 05-send-authorization-response.ts} RENAMED Viewed

@@ -4,7 +4,7 @@ import * as WalletInstanceAttestation from "../../wallet-instance-attestation";
 import type { JWK } from "@pagopa/io-react-native-jwt/lib/typescript/types";
 import { NoSuitableKeysFoundInEntityConfiguration } from "./errors";
 import { hasStatusOrThrow, type Out } from "../../utils/misc";
-import type { GetRequestObject } from "./03-get-request-object";
+import type { GetRequestObject } from "./04-get-request-object";
 import { disclose } from "../../sd-jwt";
 import type { EvaluateRelyingPartyTrust } from "./02-evaluate-rp-trust";
 import { type Presentation } from "./types";

package/src/credential/presentation/README.md CHANGED Viewed

@@ -1,3 +1,75 @@
-# Credential presentation
+# Credential Presentation
-Currently this flow is outdated.
+## Sequence Diagram
+```mermaid
+sequenceDiagram
+      autonumber
+      participant I as Individual using EUDI Wallet
+      participant O as Organisational Wallet (Verifier)
+      participant A as Organisational Wallet (Issuer)
+      O->>+I: QR-CODE: Authorisation request (`request_uri`)
+      I->>+O: GET: Request object, resolved from the `request_uri`
+      O->>+I: Respond with the Request object
+      I->>+O: GET: /.well-known/jar-issuer/jwk
+      O->>+I: Respond with the public key
+      I->>+O: POST: VP token response
+      O->>+A: GET: /.well-known/jwt-vc-issuer/jwk
+      A->>+O: Respond with the public key
+      O->>+I: Redirect: Authorisation response
+```
+## Mapped results
+## Examples
+<details>
+  <summary>Remote Presentation flow</summary>
+```ts
+// Scan e retrive qr-code
+const qrcode = ...
+// Retrieve the integrity key tag from the store and create its context
+const integrityKeyTag = "example"; // Let's assume this is the key tag used to create the wallet instance
+const integrityContext = getIntegrityContext(integrityKeyTag);
+// Let's assume the key esists befor starting the presentation process
+const wiaCryptoContext = createCryptoContextFor(WIA_KEYTAG);
+const { WALLET_PROVIDER_BASE_URL, WALLET_EAA_PROVIDER_BASE_URL, REDIRECT_URI } =
+  env; // Let's assume these are the environment variables
+/**
+ * Obtains a new Wallet Instance Attestation.
+ * WARNING: The integrity context must be the same used when creating the Wallet Instance with the same keytag.
+ */
+const walletInstanceAttestation =
+  await WalletInstanceAttestation.getAttestation({
+    wiaCryptoContext,
+    integrityContext,
+    walletProviderBaseUrl: WALLET_PROVIDER_BASE_URL,
+    appFetch,
+  });
+// Start the issuance flow
+const { requestURI, clientId } = Credential.Presentation.startFlowFromQR(qrcode);
+// If use trust federation: Evaluate issuer trust
+const { rpConf } = await Credential.Presentation.evaluateRelyingPartyTrust(clientId);
+// If use trust federation: Fetch Jwks from rpConf
+const jwks = await Credential.Presentation.fetchJwksFromConfig(rpConf);
+// If not use trust: Fetch Jwks from well-know
+const jwks = await Credential.Presentation.fetchJwksFromUri(
+  requestURI,
+  appFetch,
+);
+```
+</details>

package/src/credential/presentation/index.ts CHANGED Viewed

@@ -3,19 +3,26 @@ import {
   evaluateRelyingPartyTrust,
   type EvaluateRelyingPartyTrust,
 } from "./02-evaluate-rp-trust";
+import {
+  fetchJwksFromUri,
+  fetchJwksFromConfig,
+  type FetchJwks,
+} from "./03-retrieve-jwks";
 import {
   getRequestObject,
   type GetRequestObject,
-} from "./03-get-request-object";
+} from "./04-get-request-object";
 import {
   sendAuthorizationResponse,
   type SendAuthorizationResponse,
-} from "./04-send-authorization-response";
+} from "./05-send-authorization-response";
 import * as Errors from "./errors";
 export {
   startFlowFromQR,
   evaluateRelyingPartyTrust,
+  fetchJwksFromUri,
+  fetchJwksFromConfig,
   getRequestObject,
   sendAuthorizationResponse,
   Errors,
@@ -23,6 +30,7 @@ export {
 export type {
   StartFlow,
   EvaluateRelyingPartyTrust,
+  FetchJwks,
   GetRequestObject,
   SendAuthorizationResponse,
 };

package/src/credential/presentation/types.ts CHANGED Viewed

@@ -13,15 +13,15 @@ export type Presentation = [
 export type RequestObject = z.infer<typeof RequestObject>;
 export const RequestObject = z.object({
-  iss: z.string(),
+  iss: z.string().optional(), //optional by RFC 7519, mandatory for Potential
   iat: UnixTime,
-  exp: UnixTime,
+  exp: UnixTime.optional(),
   state: z.string(),
   nonce: z.string(),
   response_uri: z.string(),
   response_type: z.literal("vp_token"),
   response_mode: z.literal("direct_post.jwt"),
   client_id: z.string(),
-  client_id_scheme: z.literal("entity_id"),
+  client_id_scheme: z.string(), // previous z.literal("entity_id"),
   scope: z.string(),
 });

package/src/entity/openid-connect/issuer/index.ts ADDED Viewed

@@ -0,0 +1,27 @@
+import { hasStatusOrThrow } from "../../../utils/misc";
+import { CredentialIssuerConfiguration } from "./types";
+/**
+ * Fetch the signed entity configuration token for an entity
+ *
+ * @param entityBaseUrl The url of the entity to fetch
+ * @param param.appFetch (optional) fetch api implemention
+ * @returns The signed Entity Configuration token
+ */
+export async function getCredentialIssuerMetadata(
+  entityBaseUrl: string,
+  {
+    appFetch = fetch,
+  }: {
+    appFetch?: GlobalFetch["fetch"];
+  } = {}
+): Promise<CredentialIssuerConfiguration> {
+  const wellKnownUrl = `${entityBaseUrl}/.well-known/openid-credential-issuer`;
+  return await appFetch(wellKnownUrl, {
+    method: "GET",
+  })
+    .then(hasStatusOrThrow(200))
+    .then((res) => res.json())
+    .then(CredentialIssuerConfiguration.parse);
+}

package/src/entity/openid-connect/issuer/types.ts ADDED Viewed

@@ -0,0 +1,68 @@
+import { JWK } from "../../../utils/jwk";
+import * as z from "zod";
+// Display metadata for a credential, used by the issuer to
+// instruct the Wallet Solution on how to render the credential correctly
+export type CredentialDisplay = z.infer<typeof CredentialDisplay>;
+export const CredentialDisplay = z.object({
+  name: z.string(),
+  locale: z.string(),
+  logo: z
+    .object({
+      url: z.string(),
+      alt_text: z.string(),
+    })
+    .optional(),
+  background_color: z.string().optional(),
+  text_color: z.string().optional(),
+});
+export const CredentialClaimDisplay = z.object({
+  name: z.string(),
+  locale: z.string(),
+});
+export const CredentialFormat = z.union([
+  z.literal("vc+sd-jwt"),
+  z.literal("example+sd-jwt"),
+]);
+const CredentialSdJwtClaims = z.record(
+  z.object({
+    mandatory: z.boolean(),
+    display: z.array(CredentialClaimDisplay),
+  })
+);
+export type CredentialConfigurationSupported = z.infer<
+  typeof CredentialConfigurationSupported
+>;
+export const CredentialConfigurationSupported = z.record(
+  z.object({
+    cryptographic_suites_supported: z.array(z.string()),
+    vct: z.string(),
+    scope: z.string(),
+    cryptographic_binding_methods_supported: z.array(z.string()),
+    display: z.array(CredentialDisplay),
+    format: CredentialFormat,
+    claims: CredentialSdJwtClaims,
+  })
+);
+export type CredentialIssuerKeys = z.infer<typeof CredentialIssuerKeys>;
+export const CredentialIssuerKeys = z.object({
+  keys: z.array(JWK),
+});
+export type CredentialIssuerConfiguration = z.infer<
+  typeof CredentialIssuerConfiguration
+>;
+export const CredentialIssuerConfiguration = z.object({
+  credential_configurations_supported: CredentialConfigurationSupported,
+  pushed_authorization_request_endpoint: z.string(),
+  dpop_signing_alg_values_supported: z.array(z.string()),
+  jwks: CredentialIssuerKeys,
+  credential_issuer: z.string(),
+  authorization_endpoint: z.string(),
+  token_endpoint: z.string(),
+  credential_endpoint: z.string(),
+});

package/src/{trust → entity/trust}/chain.ts RENAMED Viewed

@@ -7,8 +7,8 @@ import {
   EntityStatement,
   TrustAnchorEntityConfiguration,
 } from "./types";
-import { JWK } from "../utils/jwk";
-import { IoWalletError } from "../utils/errors";
+import { JWK } from "../../utils/jwk";
+import { IoWalletError } from "../../utils/errors";
 import * as z from "zod";
 import type { JWTDecodeResult } from "@pagopa/io-react-native-jwt/lib/typescript/types";
 import { getSignedEntityConfiguration, getSignedEntityStatement } from ".";

package/src/{trust → entity/trust}/index.ts RENAMED Viewed

@@ -8,7 +8,7 @@ import {
   EntityStatement,
 } from "./types";
 import { validateTrustChain, renewTrustChain } from "./chain";
-import { hasStatusOrThrow } from "../utils/misc";
+import { hasStatusOrThrow } from "../../utils/misc";
 export type {
   WalletProviderEntityConfiguration,

package/src/{trust → entity/trust}/types.ts RENAMED Viewed

@@ -1,5 +1,5 @@
-import { UnixTime } from "../sd-jwt/types";
-import { JWK } from "../utils/jwk";
+import { UnixTime } from "../../sd-jwt/types";
+import { JWK } from "../../utils/jwk";
 import * as z from "zod";
 export const TrustMark = z.object({ id: z.string(), trust_mark: z.string() });

package/src/index.ts CHANGED Viewed

@@ -9,7 +9,6 @@ import * as PID from "./pid";
 import * as SdJwt from "./sd-jwt";
 import * as Errors from "./utils/errors";
 import * as WalletInstanceAttestation from "./wallet-instance-attestation";
-import * as Trust from "./trust";
 import * as WalletInstance from "./wallet-instance";
 import { AuthorizationDetail, AuthorizationDetails } from "./utils/par";
 import { createCryptoContextFor } from "./utils/crypto";
@@ -22,7 +21,6 @@ export {
   WalletInstanceAttestation,
   WalletInstance,
   Errors,
-  Trust,
   createCryptoContextFor,
   AuthorizationDetail,
   AuthorizationDetails,

package/src/pid/sd-jwt/types.ts CHANGED Viewed

@@ -1,22 +1,5 @@
 import { z } from "zod";
-const VerificationEvidence = z.object({
-  type: z.string(),
-  record: z.object({
-    type: z.string(),
-    source: z.object({
-      organization_name: z.string(),
-      organization_id: z.string(),
-      country_code: z.string(),
-    }),
-  }),
-});
-type Verification = z.infer<typeof Verification>;
-const Verification = z.object({
-  trustFramework: z.literal("eidas"),
-  assuranceLevel: z.string(),
-  evidence: z.array(VerificationEvidence),
-});
+import { Verification } from "../../sd-jwt/types";
 /**
  * Data structure for the PID.

package/src/sd-jwt/__test__/index.test.ts CHANGED Viewed

@@ -13,56 +13,66 @@ import { SdJwt4VC } from "../types";
 //    - "address" is used as verification._sd
 //    - all others disclosures are in claims._sd
 const token =
-  "eyJraWQiOiItRl82VWdhOG4zVmVnalkyVTdZVUhLMXpMb2FELU5QVGM2M1JNSVNuTGF3IiwidHlwIjoidmMrc2Qtand0IiwiYWxnIjoiRVMyNTYifQ.eyJfc2QiOlsiMHExRDVKbWF2NnBRYUVoX0pfRmN2X3VOTk1RSWdDeWhRT3hxbFk0bDNxVSIsIktDSi1BVk52ODhkLXhqNnNVSUFPSnhGbmJVaDNySFhES2tJSDFsRnFiUnMiLCJNOWxvOVl4RE5JWHJBcTJxV2VpQ0E0MHpwSl96WWZGZFJfNEFFQUxjUnRVIiwiY3pnalVrMG5xUkNzd1NoQ2hDamRTNkExLXY0N2RfcVRDU0ZJdklIaE1vSSIsIm5HblFyN2NsbTN0ZlRwOHlqTF91SHJEU090elIyUFZiOFM3R2VMZEFxQlEiLCJ4TklWd2xwU3NhWjhDSlNmMGd6NXhfNzVWUldXYzZWMW1scGVqZENycVVzIl0sInN1YiI6IjIxNmY4OTQ2LTllY2ItNDgxOS05MzA5LWMwNzZmMzRhN2UxMSIsIl9zZF9hbGciOiJzaGEtMjU2IiwidmN0IjoiUGVyc29uSWRlbnRpZmljYXRpb25EYXRhIiwiaXNzIjoiaHR0cHM6Ly9wcmUuZWlkLndhbGxldC5pcHpzLml0IiwiY25mIjp7Imp3ayI6eyJrdHkiOiJFQyIsImNydiI6IlAtMjU2Iiwia2lkIjoiUnYzVy1FaUtwdkJUeWs1eVp4dnJldi03TURCNlNselVDQm9fQ1FqamRkVSIsIngiOiIwV294N1F0eVBxQnlnMzVNSF9YeUNjbmQ1TGUtSm0wQVhIbFVnREJBMDNZIiwieSI6ImVFaFZ2ZzFKUHFOZDNEVFNhNG1HREdCbHdZNk5QLUVaYkxiTkZYU1h3SWcifX0sImV4cCI6MTc1MTU0NjU3Niwic3RhdHVzIjp7InN0YXR1c19hdHRlc3RhdGlvbiI6eyJjcmVkZW50aWFsX2hhc2hfYWxnIjoic2hhLTI1NiJ9fX0.qXHA2oqr8trX4fGxpxpUft2GX380TM3pzfo1MYAsDjUC8HsODA-4rdRWAvDe2zYP57x4tJU7eiABkd1Kmln9yQ~WyJrSkRFUDhFYU5URU1CRE9aelp6VDR3IiwidW5pcXVlX2lkIiwiVElOSVQtTFZMREFBODVUNTBHNzAyQiJd~WyJ6SUF5VUZ2UGZJcEUxekJxeEk1aGFRIiwiYmlydGhfZGF0ZSIsIjE5ODUtMTItMTAiXQ~WyJHcjNSM3MyOTBPa1FVbS1ORlR1OTZBIiwidGF4X2lkX2NvZGUiLCJUSU5JVC1MVkxEQUE4NVQ1MEc3MDJCIl0~WyJHeE9SYWxNQWVsZlowZWRGSmpqWVV3IiwiZ2l2ZW5fbmFtZSIsIkFkYSJd~WyJfdlY1UklrbDBJT0VYS290czlrdDF3IiwiZmFtaWx5X25hbWUiLCJMb3ZlbGFjZSJd~WyJDajV0Y2NSNzJKd3J6ZTJUVzRhLXdnIiwiaWF0IiwxNzIwMDEwNTc1XQ";
+  "eyJraWQiOiJlTk4tZzVpNkNuTEtjbHRRQnA2YWJiaW9HTWJ6TTZtdVczdnV4dzZ1aDg4IiwidHlwIjoidmMrc2Qtand0IiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiJzajFPcFlpaUxUVllBTm5CR053U0sya3JNd3FwV2F6MmlIbU4xdDBfRXNnIiwiX3NkIjpbIjFVbXRJU3NkZDd1ZGJGYUZ5LVZpWjhkWkZoZXJiT0dEMk4zSGxYNFBJQzgiLCJGbWpzNHF6YzV2a2VPQVk1RzIwX1pQdlUtMXEtb1hhVjdBeDUxNkNDTUZrIiwiUTNiYWdOek1lUWg2RWd3UEJTSGltYmdRcGxtWV82djlTVzRnbzJYQWtnQSIsIlFWd2tuNzFCNHBXZkNPenpsUWw5SG54RlNWZEVIdVczNXpkVFFRZEZRR2MiLCJWVmRSNDFBMktPT1Z6eFlhZ1pDR2JWYW5nN3NTa2VnQ2VpdVdmM0RPdGpzIiwidk8yZHZuY216bHYzN01Ra21XdWRTRElIREU5WUhkMEVGQjh4QlREVmp6MCJdLCJ2Y3QjaW50ZWdyaXR5IjoiMjQyMzAyZDk3ZDM4ZGEyNzE0YTI1N2YyYTI1M2JmMmZhMzBhYWU1YzEwOWZlOTU4MWJmY2RhM2IxZDc5N2M5NyIsIl9zZF9hbGciOiJzaGEtMjU2IiwidmN0IjoidXJuOmV1LmV1cm9wYS5lYy5ldWRpOnBpZDoxIiwiaXNzIjoiaHR0cHM6Ly9hcGkucG90ZW50aWFsLXdhbGxldC1pdC1waWQtcHJvdmlkZXIuaXQiLCJjbmYiOnsiandrIjp7Imt0eSI6IkVDIiwiY3J2IjoiUC0yNTYiLCJraWQiOiJMZWduRlE4bHZoQTZxeVB1dFl2NDhuV1dwU25PNXRIaWdhdnl3eWRzNVMwIiwieCI6ImN6WnJOOWxjTnVjMHE2OVg0MG4yN2M1aktwaWkwQS1hWVhfUGJvOXBxQlEiLCJ5IjoiWUdLR2FDSk5XZlRpS2l6M0ptQUc5a3k3aDR0d1B1VWZ6WU9neTFiekx2OCJ9fSwiZXhwIjoxNzY4NDkwMTk2LCJpYXQiOjE3MzY5NTQxOTYsInZlcmlmaWNhdGlvbiI6eyJldmlkZW5jZSI6eyJtZXRob2QiOiJjaWUifSwidHJ1c3RfZnJhbWV3b3JrIjoiZWlkYXMiLCJhc3N1cmFuY2VfbGV2ZWwiOiJoaWdoIn0sInN0YXR1cyI6eyJzdGF0dXNfYXNzZXJ0aW9uIjp7ImNyZWRlbnRpYWxfaGFzaF9hbGciOiJzaGEtMjU2In19fQ.bDBz9xa_u1g27TEuGRjNdFCMXuVibXHeI-rpnSZ_NE7k2h4_Kcshk1Van-ttmJiDq3XFBGckl3nka_QVsMjaRMnURQP62URci3CCaFZUVu3zI4BsXp1oRhucPqq6BHl6sjZbDXALp2jViEQ862-frdFnCCEuQC0xMh-zYycpL60bHXHTaGYDzHafGQAwcwr3fyYwFZvfmLFEBoKmEawDrFC0Enfw7pE9EHP9jITxWRTIxn9NcVdnzki1FO-ERsjrDS2y-u2RK6uy6-_0kIx-1mDJ7krCkaxeol0zOLb7zJX8ooxC1QupSp1z457JKi7cPPoL1GWeTRoHFy_kZL_Jew~WyJacnBvZllXMWs2NEpuUE05WjdEWS1RIiwiZ2l2ZW5fbmFtZSIsIk1hcmlvIl0~WyJ4d0o1UWM2OTB1eEgyZ0VKMHFDV2dRIiwiZmFtaWx5X25hbWUiLCJSb3NzaSJd~WyJlV3ZwQXAtVkFHM0tBdkVGTEgxRGZ3IiwidW5pcXVlX2lkIiwiaWRBTlBSIl0~WyJHcXZJTzV5SVN3bjg4eDkzbE1aalpRIiwiYmlydGhkYXRlIiwiMTk4MC0xMC0wMSJd~WyJvUmprWWxPc1JvSGZ4eEh2WmZueDN3IiwidGF4X2lkX2NvZGUiLCJUSU5JVC1SU1NNUkE4MEExMEg1MDFBIl0~WyJzOXBvSENQcW83cVdsb3BkQXRZc0V3IiwiaWF0IiwxNzM2OTU0MTk2XQ";
 const unsigned =
-  "eyJraWQiOiItRl82VWdhOG4zVmVnalkyVTdZVUhLMXpMb2FELU5QVGM2M1JNSVNuTGF3IiwidHlwIjoidmMrc2Qtand0IiwiYWxnIjoiRVMyNTYifQ.eyJfc2QiOlsiMHExRDVKbWF2NnBRYUVoX0pfRmN2X3VOTk1RSWdDeWhRT3hxbFk0bDNxVSIsIktDSi1BVk52ODhkLXhqNnNVSUFPSnhGbmJVaDNySFhES2tJSDFsRnFiUnMiLCJNOWxvOVl4RE5JWHJBcTJxV2VpQ0E0MHpwSl96WWZGZFJfNEFFQUxjUnRVIiwiY3pnalVrMG5xUkNzd1NoQ2hDamRTNkExLXY0N2RfcVRDU0ZJdklIaE1vSSIsIm5HblFyN2NsbTN0ZlRwOHlqTF91SHJEU090elIyUFZiOFM3R2VMZEFxQlEiLCJ4TklWd2xwU3NhWjhDSlNmMGd6NXhfNzVWUldXYzZWMW1scGVqZENycVVzIl0sInN1YiI6IjIxNmY4OTQ2LTllY2ItNDgxOS05MzA5LWMwNzZmMzRhN2UxMSIsIl9zZF9hbGciOiJzaGEtMjU2IiwidmN0IjoiUGVyc29uSWRlbnRpZmljYXRpb25EYXRhIiwiaXNzIjoiaHR0cHM6Ly9wcmUuZWlkLndhbGxldC5pcHpzLml0IiwiY25mIjp7Imp3ayI6eyJrdHkiOiJFQyIsImNydiI6IlAtMjU2Iiwia2lkIjoiUnYzVy1FaUtwdkJUeWs1eVp4dnJldi03TURCNlNselVDQm9fQ1FqamRkVSIsIngiOiIwV294N1F0eVBxQnlnMzVNSF9YeUNjbmQ1TGUtSm0wQVhIbFVnREJBMDNZIiwieSI6ImVFaFZ2ZzFKUHFOZDNEVFNhNG1HREdCbHdZNk5QLUVaYkxiTkZYU1h3SWcifX0sImV4cCI6MTc1MTU0NjU3Niwic3RhdHVzIjp7InN0YXR1c19hdHRlc3RhdGlvbiI6eyJjcmVkZW50aWFsX2hhc2hfYWxnIjoic2hhLTI1NiJ9fX0";
+  "eyJraWQiOiJlTk4tZzVpNkNuTEtjbHRRQnA2YWJiaW9HTWJ6TTZtdVczdnV4dzZ1aDg4IiwidHlwIjoidmMrc2Qtand0IiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiJzajFPcFlpaUxUVllBTm5CR053U0sya3JNd3FwV2F6MmlIbU4xdDBfRXNnIiwiX3NkIjpbIjFVbXRJU3NkZDd1ZGJGYUZ5LVZpWjhkWkZoZXJiT0dEMk4zSGxYNFBJQzgiLCJGbWpzNHF6YzV2a2VPQVk1RzIwX1pQdlUtMXEtb1hhVjdBeDUxNkNDTUZrIiwiUTNiYWdOek1lUWg2RWd3UEJTSGltYmdRcGxtWV82djlTVzRnbzJYQWtnQSIsIlFWd2tuNzFCNHBXZkNPenpsUWw5SG54RlNWZEVIdVczNXpkVFFRZEZRR2MiLCJWVmRSNDFBMktPT1Z6eFlhZ1pDR2JWYW5nN3NTa2VnQ2VpdVdmM0RPdGpzIiwidk8yZHZuY216bHYzN01Ra21XdWRTRElIREU5WUhkMEVGQjh4QlREVmp6MCJdLCJ2Y3QjaW50ZWdyaXR5IjoiMjQyMzAyZDk3ZDM4ZGEyNzE0YTI1N2YyYTI1M2JmMmZhMzBhYWU1YzEwOWZlOTU4MWJmY2RhM2IxZDc5N2M5NyIsIl9zZF9hbGciOiJzaGEtMjU2IiwidmN0IjoidXJuOmV1LmV1cm9wYS5lYy5ldWRpOnBpZDoxIiwiaXNzIjoiaHR0cHM6Ly9hcGkucG90ZW50aWFsLXdhbGxldC1pdC1waWQtcHJvdmlkZXIuaXQiLCJjbmYiOnsiandrIjp7Imt0eSI6IkVDIiwiY3J2IjoiUC0yNTYiLCJraWQiOiJMZWduRlE4bHZoQTZxeVB1dFl2NDhuV1dwU25PNXRIaWdhdnl3eWRzNVMwIiwieCI6ImN6WnJOOWxjTnVjMHE2OVg0MG4yN2M1aktwaWkwQS1hWVhfUGJvOXBxQlEiLCJ5IjoiWUdLR2FDSk5XZlRpS2l6M0ptQUc5a3k3aDR0d1B1VWZ6WU9neTFiekx2OCJ9fSwiZXhwIjoxNzY4NDkwMTk2LCJpYXQiOjE3MzY5NTQxOTYsInZlcmlmaWNhdGlvbiI6eyJldmlkZW5jZSI6eyJtZXRob2QiOiJjaWUifSwidHJ1c3RfZnJhbWV3b3JrIjoiZWlkYXMiLCJhc3N1cmFuY2VfbGV2ZWwiOiJoaWdoIn0sInN0YXR1cyI6eyJzdGF0dXNfYXNzZXJ0aW9uIjp7ImNyZWRlbnRpYWxfaGFzaF9hbGciOiJzaGEtMjU2In19fQ";
 const signature =
-  "qXHA2oqr8trX4fGxpxpUft2GX380TM3pzfo1MYAsDjUC8HsODA-4rdRWAvDe2zYP57x4tJU7eiABkd1Kmln9yQ";
+  "bDBz9xa_u1g27TEuGRjNdFCMXuVibXHeI-rpnSZ_NE7k2h4_Kcshk1Van-ttmJiDq3XFBGckl3nka_QVsMjaRMnURQP62URci3CCaFZUVu3zI4BsXp1oRhucPqq6BHl6sjZbDXALp2jViEQ862-frdFnCCEuQC0xMh-zYycpL60bHXHTaGYDzHafGQAwcwr3fyYwFZvfmLFEBoKmEawDrFC0Enfw7pE9EHP9jITxWRTIxn9NcVdnzki1FO-ERsjrDS2y-u2RK6uy6-_0kIx-1mDJ7krCkaxeol0zOLb7zJX8ooxC1QupSp1z457JKi7cPPoL1GWeTRoHFy_kZL_Jew";
 const signed = `${unsigned}.${signature}`;
 const tokenizedDisclosures = [
-  "WyJrSkRFUDhFYU5URU1CRE9aelp6VDR3IiwidW5pcXVlX2lkIiwiVElOSVQtTFZMREFBODVUNTBHNzAyQiJd",
-  "WyJ6SUF5VUZ2UGZJcEUxekJxeEk1aGFRIiwiYmlydGhfZGF0ZSIsIjE5ODUtMTItMTAiXQ",
-  "WyJHcjNSM3MyOTBPa1FVbS1ORlR1OTZBIiwidGF4X2lkX2NvZGUiLCJUSU5JVC1MVkxEQUE4NVQ1MEc3MDJCIl0",
-  "WyJHeE9SYWxNQWVsZlowZWRGSmpqWVV3IiwiZ2l2ZW5fbmFtZSIsIkFkYSJd",
-  "WyJfdlY1UklrbDBJT0VYS290czlrdDF3IiwiZmFtaWx5X25hbWUiLCJMb3ZlbGFjZSJd",
-  "WyJDajV0Y2NSNzJKd3J6ZTJUVzRhLXdnIiwiaWF0IiwxNzIwMDEwNTc1XQ",
+  "WyJacnBvZllXMWs2NEpuUE05WjdEWS1RIiwiZ2l2ZW5fbmFtZSIsIk1hcmlvIl0",
+  "WyJ4d0o1UWM2OTB1eEgyZ0VKMHFDV2dRIiwiZmFtaWx5X25hbWUiLCJSb3NzaSJd",
+  "WyJlV3ZwQXAtVkFHM0tBdkVGTEgxRGZ3IiwidW5pcXVlX2lkIiwiaWRBTlBSIl0",
+  "WyJHcXZJTzV5SVN3bjg4eDkzbE1aalpRIiwiYmlydGhkYXRlIiwiMTk4MC0xMC0wMSJd",
+  "WyJvUmprWWxPc1JvSGZ4eEh2WmZueDN3IiwidGF4X2lkX2NvZGUiLCJUSU5JVC1SU1NNUkE4MEExMEg1MDFBIl0",
+  "WyJzOXBvSENQcW83cVdsb3BkQXRZc0V3IiwiaWF0IiwxNzM2OTU0MTk2XQ",
 ];
 const sdJwt = {
   header: {
-    kid: "-F_6Uga8n3VegjY2U7YUHK1zLoaD-NPTc63RMISnLaw",
+    kid: "eNN-g5i6CnLKcltQBp6abbioGMbzM6muW3vuxw6uh88",
     typ: "vc+sd-jwt",
-    alg: "ES256",
+    alg: "RS256",
   },
   payload: {
+    sub: "sj1OpYiiLTVYANnBGNwSK2krMwqpWaz2iHmN1t0_Esg",
     _sd: [
-      "0q1D5Jmav6pQaEh_J_Fcv_uNNMQIgCyhQOxqlY4l3qU",
-      "KCJ-AVNv88d-xj6sUIAOJxFnbUh3rHXDKkIH1lFqbRs",
-      "M9lo9YxDNIXrAq2qWeiCA40zpJ_zYfFdR_4AEALcRtU",
-      "czgjUk0nqRCswShChCjdS6A1-v47d_qTCSFIvIHhMoI",
-      "nGnQr7clm3tfTp8yjL_uHrDSOtzR2PVb8S7GeLdAqBQ",
-      "xNIVwlpSsaZ8CJSf0gz5x_75VRWWc6V1mlpejdCrqUs",
+      "1UmtISsdd7udbFaFy-ViZ8dZFherbOGD2N3HlX4PIC8",
+      "Fmjs4qzc5vkeOAY5G20_ZPvU-1q-oXaV7Ax516CCMFk",
+      "Q3bagNzMeQh6EgwPBSHimbgQplmY_6v9SW4go2XAkgA",
+      "QVwkn71B4pWfCOzzlQl9HnxFSVdEHuW35zdTQQdFQGc",
+      "VVdR41A2KOOVzxYagZCGbVang7sSkegCeiuWf3DOtjs",
+      "vO2dvncmzlv37MQkmWudSDIHDE9YHd0EFB8xBTDVjz0",
     ],
-    sub: "216f8946-9ecb-4819-9309-c076f34a7e11",
+    "vct#integrity":
+      "242302d97d38da2714a257f2a253bf2fa30aae5c109fe9581bfcda3b1d797c97",
     _sd_alg: "sha-256",
-    vct: "PersonIdentificationData",
-    iss: "https://pre.eid.wallet.ipzs.it",
+    vct: "urn:eu.europa.ec.eudi:pid:1",
+    iss: "https://api.potential-wallet-it-pid-provider.it",
     cnf: {
       jwk: {
         kty: "EC",
         crv: "P-256",
-        kid: "Rv3W-EiKpvBTyk5yZxvrev-7MDB6SlzUCBo_CQjjddU",
-        x: "0Wox7QtyPqByg35MH_XyCcnd5Le-Jm0AXHlUgDBA03Y",
-        y: "eEhVvg1JPqNd3DTSa4mGDGBlwY6NP-EZbLbNFXSXwIg",
+        kid: "LegnFQ8lvhA6qyPutYv48nWWpSnO5tHigavywyds5S0",
+        x: "czZrN9lcNuc0q69X40n27c5jKpii0A-aYX_Pbo9pqBQ",
+        y: "YGKGaCJNWfTiKiz3JmAG9ky7h4twPuUfzYOgy1bzLv8",
       },
     },
-    exp: 1751546576,
+    exp: 1768490196,
+    iat: 1736954196,
+    verification: {
+      evidence: {
+        method: "cie",
+      },
+      trust_framework: "eidas",
+      assurance_level: "high",
+    },
     status: {
-      status_attestation: {
+      status_assertion: {
         credential_hash_alg: "sha-256",
       },
     },
@@ -71,12 +81,12 @@ const sdJwt = {
 // In the very same order than tokenizedDisclosures
 const disclosures = [
-  ["kJDEP8EaNTEMBDOZzZzT4w", "unique_id", "TINIT-LVLDAA85T50G702B"],
-  ["zIAyUFvPfIpE1zBqxI5haQ", "birth_date", "1985-12-10"],
-  ["Gr3R3s290OkQUm-NFTu96A", "tax_id_code", "TINIT-LVLDAA85T50G702B"],
-  ["GxORalMAelfZ0edFJjjYUw", "given_name", "Ada"],
-  ["_vV5RIkl0IOEXKots9kt1w", "family_name", "Lovelace"],
-  ["Cj5tccR72Jwrze2TW4a-wg", "iat", 1720010575],
+  ["ZrpofYW1k64JnPM9Z7DY-Q", "given_name", "Mario"],
+  ["xwJ5Qc690uxH2gEJ0qCWgQ", "family_name", "Rossi"],
+  ["eWvpAp-VAG3KAvEFLH1Dfw", "unique_id", "idANPR"],
+  ["GqvIO5yISwn88x93lMZjZQ", "birthdate", "1980-10-01"],
+  ["oRjkYlOsRoHfxxHvZfnx3w", "tax_id_code", "TINIT-RSSMRA80A10H501A"],
+  ["s9poHCPqo7qWlopdAtYsEw", "iat", 1736954196],
 ];
 it("Ensures example data correctness", () => {
   expect(
@@ -130,10 +140,10 @@ describe("decode", () => {
 describe("disclose", () => {
   it("should encode a valid sdjwt (one claim)", async () => {
-    const result = await disclose(token, ["given_name"]);
+    const result = await disclose(token, ["unique_id"]);
     const expected = {
-      token: `${signed}~WyJHeE9SYWxNQWVsZlowZWRGSmpqWVV3IiwiZ2l2ZW5fbmFtZSIsIkFkYSJd`,
-      paths: [{ claim: "given_name", path: "verified_claims.claims._sd[3]" }],
+      token: `${signed}~WyJlV3ZwQXAtVkFHM0tBdkVGTEgxRGZ3IiwidW5pcXVlX2lkIiwiaWRBTlBSIl0`,
+      paths: [{ claim: "unique_id", path: "verified_claims.claims._sd[5]" }],
     };
     expect(result).toEqual(expected);
@@ -149,15 +159,15 @@ describe("disclose", () => {
   it("should encode a valid sdjwt (multiple claims)", async () => {
     const result = await disclose(token, ["iat", "family_name"]);
     const expected = {
-      token: `${signed}~WyJfdlY1UklrbDBJT0VYS290czlrdDF3IiwiZmFtaWx5X25hbWUiLCJMb3ZlbGFjZSJd~WyJDajV0Y2NSNzJKd3J6ZTJUVzRhLXdnIiwiaWF0IiwxNzIwMDEwNTc1XQ`,
+      token: `${signed}~WyJ4d0o1UWM2OTB1eEgyZ0VKMHFDV2dRIiwiZmFtaWx5X25hbWUiLCJSb3NzaSJd~WyJzOXBvSENQcW83cVdsb3BkQXRZc0V3IiwiaWF0IiwxNzM2OTU0MTk2XQ`,
       paths: [
         {
           claim: "iat",
-          path: "verified_claims.claims._sd[4]",
+          path: "verified_claims.claims._sd[1]",
         },
         {
           claim: "family_name",
-          path: "verified_claims.claims._sd[0]",
+          path: "verified_claims.claims._sd[3]",
         },
       ],
     };