@pagopa/io-react-native-wallet 1.1.2 → 1.2.3

package/src/credential/presentation/08-send-authorization-response.ts

@@ -0,0 +1,251 @@
+import {
+  EncryptJwe,
+  SignJWT,
+  sha256ToBase64,
+} from "@pagopa/io-react-native-jwt";
+import uuid from "react-native-uuid";
+import type { FetchJwks } from "./04-retrieve-rp-jwks";
+import type { VerifyRequestObjectSignature } from "./05-verify-request-object";
+import type { JWK } from "@pagopa/io-react-native-jwt/lib/typescript/types";
+import { NoSuitableKeysFoundInEntityConfiguration } from "./errors";
+import { hasStatusOrThrow, type Out } from "../../utils/misc";
+import { disclose } from "../../sd-jwt";
+import { PresentationDefinition, type Presentation } from "./types";
+import * as z from "zod";
+
+export type AuthorizationResponse = z.infer<typeof AuthorizationResponse>;
+export const AuthorizationResponse = z.object({
+  status: z.string().optional(),
+  response_code: z
+    .string() /**
+      FIXME: [SIW-627] we expect this value from every RP implementation
+      Actually some RP does not return the value
+      We make it optional to not break the flow.
+    */
+    .optional(),
+  redirect_uri: z.string().optional(),
+});
+
+/**
+ * Selects an RSA public key (with `use = enc` and `kty = RSA`) from the set of JWK keys
+ * offered by the Relying Party (RP) for encryption.
+ *
+ * @param rpJwkKeys - The array of JWKs retrieved from the RP entity configuration.
+ * @returns The first suitable RSA public key found in the list.
+ * @throws {NoSuitableKeysFoundInEntityConfiguration} If no suitable RSA encryption key is found.
+ */
+export const chooseRSAPublicKeyToEncrypt = (
+  rpJwkKeys: Out<FetchJwks>["keys"]
+): JWK => {
+  const [rsaEncKey] = rpJwkKeys.filter(
+    (jwk) => jwk.use === "enc" && jwk.kty === "RSA"
+  );
+
+  if (rsaEncKey) {
+    return rsaEncKey;
+  }
+
+  // No suitable key found
+  throw new NoSuitableKeysFoundInEntityConfiguration(
+    "No suitable RSA public key found for encryption."
+  );
+};
+
+/**
+ * Prepares a Verified Presentation (VP) token to be sent as part of an
+ * authorization response in an OpenID 4 Verifiable Presentations flow.
+ *
+ * @param requestObject - The request object containing the nonce, response URI, and other necessary info.
+ * @param presentationTuple - A tuple containing a verifiable credential, the claims to disclose,
+ *                            and a cryptographic context for signing.
+ * @returns An object containing the signed VP token (`vp_token`) and a `presentation_submission` object.
+ * @param presentationDefinition - Definition outlining presentation requirements.
+ * @param presentationTuple - Tuple containing:
+ *    - A verifiable credential.
+ *    - Claims that should be disclosed.
+ *    - Cryptographic context for signing.
+ * @returns An object with:
+ *    - `vp_token`: The signed VP token.
+ *    - `presentation_submission`: Object mapping disclosed credentials to the request.
+ *
+ * @remarks
+ *  1. The `disclose()` function is used to produce a token with only the requested claims.
+ *  2. A new JWT is then signed, including the VP, `jti`, `iss`, `nonce`, audience, and expiration.
+ *  3. The `presentation_submission` object follows the OpenID 4 VP specification for describing
+ *     how the disclosed credentials map to the request.
+ *
+ * @todo [SIW-353] Support multiple verifiable credentials in a single request.
+ */
+export const prepareVpToken = async (
+  requestObject: Out<VerifyRequestObjectSignature>["requestObject"],
+  presentationDefinition: PresentationDefinition,
+  [verifiableCredential, requestedClaims, cryptoContext]: Presentation
+): Promise<{
+  vp_token: string;
+  presentation_submission: Record<string, unknown>;
+}> => {
+  // Produce a VP token with only requested claims from the verifiable credential
+  const { token: vp } = await disclose(verifiableCredential, requestedClaims);
+
+  // <Issuer-signed JWT>~<Disclosure 1>~<Disclosure N>~
+  const sd_hash = await sha256ToBase64(`${vp}~`);
+
+  const kbJwt = await new SignJWT(cryptoContext)
+    .setProtectedHeader({
+      typ: "kb+jwt",
+      alg: "ES256",
+    })
+    .setPayload({
+      sd_hash,
+      nonce: requestObject.nonce,
+    })
+    .setAudience(requestObject.client_id)
+    .setIssuedAt()
+    .sign();
+
+  // <Issuer-signed JWT>~<Disclosure 1>~...~<Disclosure N>~<KB-JWT>
+  const vp_token = [vp, kbJwt].join("~");
+
+  // Determine the descriptor ID to use for mapping. Fallback to first input descriptor ID if not specified
+  // We support only one credential for now, so we get first input_descriptor and create just one descriptor_map
+  const presentation_submission = {
+    id: uuid.v4(),
+    definition_id: presentationDefinition.id,
+    descriptor_map: [
+      {
+        id: presentationDefinition?.input_descriptors[0]?.id,
+        path: `$`,
+        format: "vc+sd-jwt",
+      },
+    ],
+  };
+
+  return { vp_token, presentation_submission };
+};
+
+/**
+ * Builds a URL-encoded form body for a direct POST response without encryption.
+ *
+ * @param requestObject - Contains state, nonce, and other relevant info.
+ * @param vpToken - The signed VP token to include.
+ * @param presentationSubmission - Object mapping credential disclosures.
+ * @returns A URL-encoded string suitable for an `application/x-www-form-urlencoded` POST body.
+ */
+export const buildDirectPostBody = async (
+  requestObject: Out<VerifyRequestObjectSignature>["requestObject"],
+  vpToken: string,
+  presentationSubmission: Record<string, unknown>
+): Promise<string> => {
+  const formUrlEncodedBody = new URLSearchParams({
+    state: requestObject.state,
+    presentation_submission: JSON.stringify(presentationSubmission),
+    vp_token: vpToken,
+  });
+
+  return formUrlEncodedBody.toString();
+};
+
+/**
+ * Builds a URL-encoded form body for a direct POST response using JWT encryption.
+ *
+ * @param jwkKeys - Array of JWKs from the Relying Party for encryption.
+ * @param requestObject - Contains state, nonce, and other relevant info.
+ * @param vpToken - The signed VP token to encrypt.
+ * @param presentationSubmission - Object mapping credential disclosures.
+ * @returns A URL-encoded string for an `application/x-www-form-urlencoded` POST body,
+ *          where `response` contains the encrypted JWE.
+ */
+export const buildDirectPostJwtBody = async (
+  jwkKeys: Out<FetchJwks>["keys"],
+  requestObject: Out<VerifyRequestObjectSignature>["requestObject"],
+  vpToken: string,
+  presentationSubmission: Record<string, unknown>
+): Promise<string> => {
+  // Prepare the authorization response payload to be encrypted
+  const authzResponsePayload = JSON.stringify({
+    state: requestObject.state,
+    presentation_submission: presentationSubmission,
+    vp_token: vpToken,
+  });
+
+  // Choose a suitable RSA public key for encryption
+  const rsaPublicJwk = chooseRSAPublicKeyToEncrypt(jwkKeys);
+
+  // Encrypt the authorization payload
+  const encryptedResponse = await new EncryptJwe(authzResponsePayload, {
+    alg: "RSA-OAEP-256",
+    enc: "A256CBC-HS512",
+    kid: rsaPublicJwk.kid,
+  }).encrypt(rsaPublicJwk);
+
+  // Build the x-www-form-urlencoded form body
+  const formBody = new URLSearchParams({ response: encryptedResponse });
+  return formBody.toString();
+};
+
+/**
+ * Type definition for the function that sends the authorization response
+ * to the Relying Party, completing the presentation flow.
+ */
+export type SendAuthorizationResponse = (
+  requestObject: Out<VerifyRequestObjectSignature>["requestObject"],
+  presentationDefinition: PresentationDefinition,
+  jwkKeys: Out<FetchJwks>["keys"],
+  presentation: Presentation, // TODO: [SIW-353] support multiple presentations
+  context?: {
+    appFetch?: GlobalFetch["fetch"];
+  }
+) => Promise<AuthorizationResponse>;
+
+/**
+ * Sends the authorization response to the Relying Party (RP) using the specified `response_mode`.
+ * This function completes the presentation flow in an OpenID 4 Verifiable Presentations scenario.
+ *
+ * @param requestObject - The request details, including presentation requirements.
+ * @param presentationDefinition - The definition of the expected presentation.
+ * @param jwkKeys - Array of JWKs from the Relying Party for optional encryption.
+ * @param presentation - Tuple with verifiable credential, claims, and crypto context.
+ * @param context - Contains optional custom fetch implementation.
+ * @returns Parsed and validated authorization response from the Relying Party.
+ */
+export const sendAuthorizationResponse: SendAuthorizationResponse = async (
+  requestObject,
+  presentationDefinition,
+  jwkKeys,
+  presentation,
+  { appFetch = fetch } = {}
+): Promise<AuthorizationResponse> => {
+  // 1. Create the VP token and associated submission mapping
+  const { vp_token, presentation_submission } = await prepareVpToken(
+    requestObject,
+    presentationDefinition,
+    presentation
+  );
+
+  // 2. Choose the appropriate request body builder based on response mode
+  const requestBody =
+    requestObject.response_mode === "direct_post.jwt"
+      ? await buildDirectPostJwtBody(
+          jwkKeys,
+          requestObject,
+          vp_token,
+          presentation_submission
+        )
+      : await buildDirectPostBody(
+          requestObject,
+          vp_token,
+          presentation_submission
+        );
+
+  // 3. Send the authorization response via HTTP POST and validate the response
+  return await appFetch(requestObject.response_uri, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/x-www-form-urlencoded",
+    },
+    body: requestBody,
+  })
+    .then(hasStatusOrThrow(200))
+    .then((res) => res.json())
+    .then(AuthorizationResponse.parse);
+};

package/src/credential/presentation/README.md

@@ -60,15 +60,54 @@ const { requestURI, clientId } = Credential.Presentation.startFlowFromQR(qrcode)
 // If use trust federation: Evaluate issuer trust
 const { rpConf } = await Credential.Presentation.evaluateRelyingPartyTrust(clientId);
 
+const { requestObjectEncodedJwt } =
+    await Credential.Presentation.getRequestObject(requestURI, {
+      wiaCryptoContext: wiaCryptoContext,
+      appFetch: appFetch,
+      walletInstanceAttestation: walletInstanceAttestation,
+    });
+
+// Retrieve RP JWK
 // If use trust federation: Fetch Jwks from rpConf
 const jwks = await Credential.Presentation.fetchJwksFromConfig(rpConf);
 
-// If not use trust: Fetch Jwks from well-know
-const jwks = await Credential.Presentation.fetchJwksFromUri(
-  requestURI,
-  appFetch,
+// If not use trust: Fetch Jwks from request object
+const jwks = await Credential.Presentation.fetchJwksFromRequestObject(
+  requestObjectEncodedJwt,
+  { context: { appFetch } }
 );
 
+// Verify signature Request Object
+const { requestObject } =
+    await Credential.Presentation.verifyRequestObjectSignature(
+      requestObjectEncodedJwt,
+      jwks.keys
+    );
+
+
+const { presentationDefinition } = await Credential.Presentation.fetchPresentDefinition(
+  requestObject,
+  {
+    appFetch: appFetch,
+  },
+  rpConf // If trust federation is used
+);
+
+// For each credential, find it and evaluate input descriptor and disclosures
+  const { requiredDisclosures } = Credential.Presentation.evaluateInputDescriptionForSdJwt4VC(
+    inputDescriptor,
+    credential.payload,
+    disclosures
+  );
+
+// After confirm disclosures in app
+  const authResponse = Credential.Presentation.sendAuthorizationResponse(
+    requestObject,
+    presentationDefinition,
+    jwks,
+    [credential, disclosuresRequested, { appFetch: appFetch }]
+  );
+
 
 ```
 

package/src/credential/presentation/errors.ts

@@ -39,3 +39,51 @@ export class NoSuitableKeysFoundInEntityConfiguration extends IoWalletError {
     super(message);
   }
 }
+
+/**
+ * When a QR code is not valid.
+ *
+ */
+export class InvalidQRCodeError extends IoWalletError {
+  code = "ERR_INVALID_QR_CODE";
+
+  /**
+   * @param detail A description of why the QR code is considered invalid.
+   */
+  constructor(detail: string) {
+    const message = `QR code is not valid: ${detail}.`;
+    super(message);
+  }
+}
+
+/**
+ * When the entity is unverified because the Relying Party is not trusted.
+ *
+ */
+export class UnverifiedEntityError extends IoWalletError {
+  code = "ERR_UNVERIFIED_RP_ENTITY";
+
+  /**
+   * @param reason A description of why the entity cannot be verified.
+   */
+  constructor(reason: string) {
+    const message = `Unverified entity: ${reason}.`;
+    super(message);
+  }
+}
+
+/**
+ * When some required data is missing to continue because certain attributes are not contained inside the wallet.
+ *
+ */
+export class MissingDataError extends IoWalletError {
+  code = "ERR_MISSING_DATA";
+
+  /**
+   * @param missingAttributes An array or description of the attributes that are missing.
+   */
+  constructor(missingAttributes: string) {
+    const message = `Some required data is missing: ${missingAttributes}.`;
+    super(message);
+  }
+}

package/src/credential/presentation/index.ts

@@ -4,33 +4,51 @@ import {
   type EvaluateRelyingPartyTrust,
 } from "./02-evaluate-rp-trust";
 import {
-  fetchJwksFromUri,
+  getRequestObject,
+  type GetRequestObject,
+} from "./03-get-request-object";
+import {
+  fetchJwksFromRequestObject,
   fetchJwksFromConfig,
   type FetchJwks,
-} from "./03-retrieve-jwks";
+} from "./04-retrieve-rp-jwks";
 import {
-  getRequestObject,
-  type GetRequestObject,
-} from "./04-get-request-object";
+  verifyRequestObjectSignature,
+  type VerifyRequestObjectSignature,
+} from "./05-verify-request-object";
+import {
+  fetchPresentDefinition,
+  type FetchPresentationDefinition,
+} from "./06-fetch-presentation-definition";
+import {
+  evaluateInputDescriptorForSdJwt4VC,
+  type EvaluateInputDescriptorSdJwt4VC,
+} from "./07-evaluate-input-descriptor";
 import {
   sendAuthorizationResponse,
   type SendAuthorizationResponse,
-} from "./05-send-authorization-response";
+} from "./08-send-authorization-response";
 import * as Errors from "./errors";
 
 export {
   startFlowFromQR,
   evaluateRelyingPartyTrust,
-  fetchJwksFromUri,
-  fetchJwksFromConfig,
   getRequestObject,
+  fetchJwksFromRequestObject,
+  fetchJwksFromConfig,
+  verifyRequestObjectSignature,
+  fetchPresentDefinition,
+  evaluateInputDescriptorForSdJwt4VC,
   sendAuthorizationResponse,
   Errors,
 };
 export type {
   StartFlow,
   EvaluateRelyingPartyTrust,
-  FetchJwks,
   GetRequestObject,
+  FetchJwks,
+  VerifyRequestObjectSignature,
+  FetchPresentationDefinition,
+  EvaluateInputDescriptorSdJwt4VC,
   SendAuthorizationResponse,
 };

package/src/credential/presentation/types.ts

@@ -11,17 +11,73 @@ export type Presentation = [
   /* the context for the key associated to the credential */ CryptoContext
 ];
 
+const Fields = z.object({
+  path: z.array(z.string().min(1)), // Array of JSONPath string expressions
+  id: z.string().optional(), // Unique string ID
+  purpose: z.string().optional(), // Purpose of the field
+  name: z.string().optional(), // Human-friendly name
+  filter: z.any().optional(), // JSON Schema descriptor for filtering
+  optional: z.boolean().optional(), // Boolean indicating if the field is optional
+  intent_to_retain: z.boolean().optional(), // Boolean indicating that the Verifier intends to retain the Claim's data being requested
+});
+
+// Define the Constraints Object Schema
+const Constraints = z.object({
+  fields: z.array(Fields).optional(), // Array of Field Objects
+  limit_disclosure: z.enum(["required", "preferred"]).optional(), // Limit disclosure property
+});
+
+// Define the Input Descriptor Object Schema
+export type InputDescriptor = z.infer<typeof InputDescriptor>;
+export const InputDescriptor = z.object({
+  id: z.string().min(1), // Mandatory unique string ID
+  name: z.string().optional(), // Human-friendly name
+  purpose: z.string().optional(), // Purpose of the schema
+  format: z.record(z.string(), z.any()).optional(), // Object with Claim Format Designations
+  constraints: Constraints, // Constraints Object (mandatory)
+  group: z.string().optional(), // Match one of the grouping strings listed in the "from" values of a Submission Requirement Rule
+});
+
+const SubmissionRequirement = z.object({
+  name: z.string().optional(),
+  purpose: z.string().optional(),
+  rule: z.string(), // "all": all group's rules must be present, or "pick": at least group's "count" rules must be present
+  from: z.string().optional(), // MUST contain either a "from" or "from_nested" property
+  from_nested: z
+    .array(
+      z.object({
+        name: z.string().optional(),
+        purpose: z.string().optional(),
+        rule: z.string(),
+        from: z.string(),
+      })
+    )
+    .optional(),
+  count: z.number().optional(),
+  //"count", "min", and "max" may be present with a "pick" rule
+});
+
+export type PresentationDefinition = z.infer<typeof PresentationDefinition>;
+export const PresentationDefinition = z.object({
+  id: z.string(),
+  name: z.string().optional(),
+  purpose: z.string().optional(),
+  input_descriptors: z.array(InputDescriptor),
+  submission_requirements: z.array(SubmissionRequirement).optional(),
+});
+
 export type RequestObject = z.infer<typeof RequestObject>;
 export const RequestObject = z.object({
   iss: z.string().optional(), //optional by RFC 7519, mandatory for Potential
-  iat: UnixTime,
+  iat: UnixTime.optional(),
   exp: UnixTime.optional(),
   state: z.string(),
   nonce: z.string(),
   response_uri: z.string(),
   response_type: z.literal("vp_token"),
-  response_mode: z.literal("direct_post.jwt"),
+  response_mode: z.enum(["direct_post.jwt", "direct_post"]),
   client_id: z.string(),
   client_id_scheme: z.string(), // previous z.literal("entity_id"),
-  scope: z.string(),
+  scope: z.string().optional(),
+  presentation_definition: PresentationDefinition.optional(),
 });

package/src/entity/trust/types.ts

@@ -1,6 +1,7 @@
 import { UnixTime } from "../../sd-jwt/types";
 import { JWK } from "../../utils/jwk";
 import * as z from "zod";
+import { PresentationDefinition } from "../../credential/presentation/types";
 
 export const TrustMark = z.object({ id: z.string(), trust_mark: z.string() });
 export type TrustMark = z.infer<typeof TrustMark>;
@@ -11,6 +12,8 @@ const RelyingPartyMetadata = z.object({
   client_name: z.string().optional(),
   jwks: z.object({ keys: z.array(JWK) }),
   contacts: z.array(z.string()).optional(),
+  presentation_definition: PresentationDefinition.optional(),
+  presentation_definition_uri: z.string().optional(),
 });
 //.passthrough();
 

package/lib/commonjs/credential/presentation/03-retrieve-jwks.js

@@ -1,68 +0,0 @@
-"use strict";
-
-Object.defineProperty(exports, "__esModule", {
-  value: true
-});
-exports.fetchJwksFromUri = exports.fetchJwksFromConfig = void 0;
-var _jwk = require("../../utils/jwk");
-var _misc = require("../../utils/misc");
-var _types = require("../../entity/trust/types");
-/**
- * Defines the signature for a function that retrieves JSON Web Key Sets (JWKS) from a client.
- *
- * @template T - The tuple type representing the function arguments.
- * @param args - The arguments passed to the function.
- * @returns A promise resolving to an object containing an array of JWKs.
- */
-
-/**
- * Retrieves the JSON Web Key Set (JWKS) from the specified client's well-known endpoint.
- *
- * @param clientUrl - The base URL of the client entity from which to retrieve the JWKS.
- * @param options - Optional context containing a custom fetch implementation.
- * @param options.context - Optional context object.
- * @param options.context.appFetch - Optional custom fetch function to use instead of the global `fetch`.
- * @returns A promise resolving to an object containing an array of JWKs.
- * @throws Will throw an error if the JWKS retrieval fails.
- */
-const fetchJwksFromUri = async function (clientUrl) {
-  let {
-    context = {}
-  } = arguments.length > 1 && arguments[1] !== undefined ? arguments[1] : {};
-  const {
-    appFetch = fetch
-  } = context;
-  const wellKnownUrl = new URL("/.well-known/jar-issuer/jwk", clientUrl).toString();
-
-  // Fetches the JWKS from a specific endpoint of the entity's well-known configuration
-  const jwks = await appFetch(wellKnownUrl, {
-    method: "GET"
-  }).then((0, _misc.hasStatusOrThrow)(200)).then(raw => raw.json()).then(json => _jwk.JWKS.parse(json));
-  return {
-    keys: jwks.keys
-  };
-};
-
-/**
- * Retrieves the JSON Web Key Set (JWKS) from a Relying Party's entity configuration.
- *
- * @param rpConfig - The configuration object of the Relying Party entity.
- * @returns An object containing an array of JWKs.
- * @throws Will throw an error if the configuration is invalid or if JWKS is not found.
- */
-exports.fetchJwksFromUri = fetchJwksFromUri;
-const fetchJwksFromConfig = async rpConfig => {
-  const parsedConfig = _types.RelyingPartyEntityConfiguration.safeParse(rpConfig);
-  if (!parsedConfig.success) {
-    throw new Error("Invalid Relying Party configuration.");
-  }
-  const jwks = parsedConfig.data.payload.metadata.wallet_relying_party.jwks;
-  if (!jwks || !Array.isArray(jwks.keys)) {
-    throw new Error("JWKS not found in Relying Party configuration.");
-  }
-  return {
-    keys: jwks.keys
-  };
-};
-exports.fetchJwksFromConfig = fetchJwksFromConfig;
-//# sourceMappingURL=03-retrieve-jwks.js.map

package/lib/commonjs/credential/presentation/03-retrieve-jwks.js.map

@@ -1 +0,0 @@
-{"version":3,"names":["_jwk","require","_misc","_types","fetchJwksFromUri","clientUrl","context","arguments","length","undefined","appFetch","fetch","wellKnownUrl","URL","toString","jwks","method","then","hasStatusOrThrow","raw","json","JWKS","parse","keys","exports","fetchJwksFromConfig","rpConfig","parsedConfig","RelyingPartyEntityConfiguration","safeParse","success","Error","data","payload","metadata","wallet_relying_party","Array","isArray"],"sourceRoot":"../../../../src","sources":["credential/presentation/03-retrieve-jwks.ts"],"mappings":";;;;;;AAAA,IAAAA,IAAA,GAAAC,OAAA;AACA,IAAAC,KAAA,GAAAD,OAAA;AACA,IAAAE,MAAA,GAAAF,OAAA;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;;AAKA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACO,MAAMG,gBAEZ,GAAG,eAAAA,CAAOC,SAAS,EAA4B;EAAA,IAA1B;IAAEC,OAAO,GAAG,CAAC;EAAE,CAAC,GAAAC,SAAA,CAAAC,MAAA,QAAAD,SAAA,QAAAE,SAAA,GAAAF,SAAA,MAAG,CAAC,CAAC;EACzC,MAAM;IAAEG,QAAQ,GAAGC;EAAM,CAAC,GAAGL,OAAO;EAEpC,MAAMM,YAAY,GAAG,IAAIC,GAAG,CAC1B,6BAA6B,EAC7BR,SACF,CAAC,CAACS,QAAQ,CAAC,CAAC;;EAEZ;EACA,MAAMC,IAAI,GAAG,MAAML,QAAQ,CAACE,YAAY,EAAE;IACxCI,MAAM,EAAE;EACV,CAAC,CAAC,CACCC,IAAI,CAAC,IAAAC,sBAAgB,EAAC,GAAG,CAAC,CAAC,CAC3BD,IAAI,CAAEE,GAAG,IAAKA,GAAG,CAACC,IAAI,CAAC,CAAC,CAAC,CACzBH,IAAI,CAAEG,IAAI,IAAKC,SAAI,CAACC,KAAK,CAACF,IAAI,CAAC,CAAC;EAEnC,OAAO;IACLG,IAAI,EAAER,IAAI,CAACQ;EACb,CAAC;AACH,CAAC;;AAED;AACA;AACA;AACA;AACA;AACA;AACA;AANAC,OAAA,CAAApB,gBAAA,GAAAA,gBAAA;AAOO,MAAMqB,mBAEZ,GAAG,MAAOC,QAAQ,IAAK;EACtB,MAAMC,YAAY,GAAGC,sCAA+B,CAACC,SAAS,CAACH,QAAQ,CAAC;EACxE,IAAI,CAACC,YAAY,CAACG,OAAO,EAAE;IACzB,MAAM,IAAIC,KAAK,CAAC,sCAAsC,CAAC;EACzD;EAEA,MAAMhB,IAAI,GAAGY,YAAY,CAACK,IAAI,CAACC,OAAO,CAACC,QAAQ,CAACC,oBAAoB,CAACpB,IAAI;EAEzE,IAAI,CAACA,IAAI,IAAI,CAACqB,KAAK,CAACC,OAAO,CAACtB,IAAI,CAACQ,IAAI,CAAC,EAAE;IACtC,MAAM,IAAIQ,KAAK,CAAC,gDAAgD,CAAC;EACnE;EAEA,OAAO;IACLR,IAAI,EAAER,IAAI,CAACQ;EACb,CAAC;AACH,CAAC;AAACC,OAAA,CAAAC,mBAAA,GAAAA,mBAAA"}

package/lib/commonjs/credential/presentation/04-get-request-object.js

@@ -1,82 +0,0 @@
-"use strict";
-
-Object.defineProperty(exports, "__esModule", {
-  value: true
-});
-exports.getRequestObject = void 0;
-var _reactNativeUuid = _interopRequireDefault(require("react-native-uuid"));
-var _ioReactNativeJwt = require("@pagopa/io-react-native-jwt");
-var _dpop = require("../../utils/dpop");
-var _errors = require("./errors");
-var _misc = require("../../utils/misc");
-var _types = require("./types");
-function _interopRequireDefault(obj) { return obj && obj.__esModule ? obj : { default: obj }; }
-/**
- * Obtain the Request Object for RP authentication
- * @see https://italia.github.io/eudi-wallet-it-docs/versione-corrente/en/relying-party-solution.html
- *
- * @param requestUri The url for the Relying Party to connect with
- * @param rpConf The Relying Party's configuration
- * @param context.wiaCryptoContext The context to access the key associated with the Wallet Instance Attestation
- * @param context.walletInstanceAttestation The Wallet Instance Attestation token
- * @param context.appFetch (optional) fetch api implementation. Default: built-in fetch
- * @returns The Request Object that describes the presentation
- */
-const getRequestObject = async (requestUri, _ref, jwkKeys) => {
-  let {
-    wiaCryptoContext,
-    appFetch = fetch,
-    walletInstanceAttestation
-  } = _ref;
-  const signedWalletInstanceDPoP = await (0, _dpop.createDPopToken)({
-    jti: `${_reactNativeUuid.default.v4()}`,
-    htm: "GET",
-    htu: requestUri,
-    ath: await (0, _ioReactNativeJwt.sha256ToBase64)(walletInstanceAttestation)
-  }, wiaCryptoContext);
-  const responseEncodedJwt = await appFetch(requestUri, {
-    method: "GET",
-    headers: {
-      Authorization: `DPoP ${walletInstanceAttestation}`,
-      DPoP: signedWalletInstanceDPoP
-    }
-  }).then((0, _misc.hasStatusOrThrow)(200)).then(res => res.json()).then(responseJson => responseJson.response);
-  const responseJwt = (0, _ioReactNativeJwt.decode)(responseEncodedJwt);
-  await verifyTokenSignature(jwkKeys, responseJwt);
-
-  // Ensure that the request object conforms to the expected specification.
-  const requestObject = _types.RequestObject.parse(responseJwt.payload);
-  return {
-    requestObject
-  };
-};
-exports.getRequestObject = getRequestObject;
-const verifyTokenSignature = async (jwkKeys, responseJwt) => {
-  var _responseJwt$protecte;
-  // verify token signature to ensure the request object is authentic
-  // 1. according to entity configuration if present
-  if (jwkKeys) {
-    const pubKey = jwkKeys.find(_ref2 => {
-      let {
-        kid
-      } = _ref2;
-      return kid === responseJwt.protectedHeader.kid;
-    });
-    if (!pubKey) {
-      throw new _errors.NoSuitableKeysFoundInEntityConfiguration("Request Object signature verification");
-    }
-    await (0, _ioReactNativeJwt.verify)(responseJwt, pubKey);
-    return;
-  }
-
-  // 2. If jwk is not retrieved from entity config, check if the token contains the 'jwk' attribute
-  if ((_responseJwt$protecte = responseJwt.protectedHeader) !== null && _responseJwt$protecte !== void 0 && _responseJwt$protecte.jwk) {
-    const pubKey = responseJwt.protectedHeader.jwk;
-    await (0, _ioReactNativeJwt.verify)(responseJwt, pubKey);
-    return;
-  }
-
-  // No verification condition matched: skipping signature verification for now.
-  // TODO: [EUDIW-215] Remove skipping signature verification
-};
-//# sourceMappingURL=04-get-request-object.js.map

package/lib/commonjs/credential/presentation/04-get-request-object.js.map

@@ -1 +0,0 @@
-{"version":3,"names":["_reactNativeUuid","_interopRequireDefault","require","_ioReactNativeJwt","_dpop","_errors","_misc","_types","obj","__esModule","default","getRequestObject","requestUri","_ref","jwkKeys","wiaCryptoContext","appFetch","fetch","walletInstanceAttestation","signedWalletInstanceDPoP","createDPopToken","jti","uuid","v4","htm","htu","ath","sha256ToBase64","responseEncodedJwt","method","headers","Authorization","DPoP","then","hasStatusOrThrow","res","json","responseJson","response","responseJwt","decodeJwt","verifyTokenSignature","requestObject","RequestObject","parse","payload","exports","_responseJwt$protecte","pubKey","find","_ref2","kid","protectedHeader","NoSuitableKeysFoundInEntityConfiguration","verify","jwk"],"sourceRoot":"../../../../src","sources":["credential/presentation/04-get-request-object.ts"],"mappings":";;;;;;AAAA,IAAAA,gBAAA,GAAAC,sBAAA,CAAAC,OAAA;AACA,IAAAC,iBAAA,GAAAD,OAAA;AAOA,IAAAE,KAAA,GAAAF,OAAA;AACA,IAAAG,OAAA,GAAAH,OAAA;AAEA,IAAAI,KAAA,GAAAJ,OAAA;AAEA,IAAAK,MAAA,GAAAL,OAAA;AAAwC,SAAAD,uBAAAO,GAAA,WAAAA,GAAA,IAAAA,GAAA,CAAAC,UAAA,GAAAD,GAAA,KAAAE,OAAA,EAAAF,GAAA;AAYxC;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACO,MAAMG,gBAAkC,GAAG,MAAAA,CAChDC,UAAU,EAAAC,IAAA,EAEVC,OAAO,KACJ;EAAA,IAFH;IAAEC,gBAAgB;IAAEC,QAAQ,GAAGC,KAAK;IAAEC;EAA0B,CAAC,GAAAL,IAAA;EAGjE,MAAMM,wBAAwB,GAAG,MAAM,IAAAC,qBAAe,EACpD;IACEC,GAAG,EAAG,GAAEC,wBAAI,CAACC,EAAE,CAAC,CAAE,EAAC;IACnBC,GAAG,EAAE,KAAK;IACVC,GAAG,EAAEb,UAAU;IACfc,GAAG,EAAE,MAAM,IAAAC,gCAAc,EAACT,yBAAyB;EACrD,CAAC,EACDH,gBACF,CAAC;EAED,MAAMa,kBAAkB,GAAG,MAAMZ,QAAQ,CAACJ,UAAU,EAAE;IACpDiB,MAAM,EAAE,KAAK;IACbC,OAAO,EAAE;MACPC,aAAa,EAAG,QAAOb,yBAA0B,EAAC;MAClDc,IAAI,EAAEb;IACR;EACF,CAAC,CAAC,CACCc,IAAI,CAAC,IAAAC,sBAAgB,EAAC,GAAG,CAAC,CAAC,CAC3BD,IAAI,CAAEE,GAAG,IAAKA,GAAG,CAACC,IAAI,CAAC,CAAC,CAAC,CACzBH,IAAI,CAAEI,YAAY,IAAKA,YAAY,CAACC,QAAQ,CAAC;EAEhD,MAAMC,WAAW,GAAG,IAAAC,wBAAS,EAACZ,kBAAkB,CAAC;EAEjD,MAAMa,oBAAoB,CAAC3B,OAAO,EAAEyB,WAAW,CAAC;;EAEhD;EACA,MAAMG,aAAa,GAAGC,oBAAa,CAACC,KAAK,CAACL,WAAW,CAACM,OAAO,CAAC;EAE9D,OAAO;IACLH;EACF,CAAC;AACH,CAAC;AAACI,OAAA,CAAAnC,gBAAA,GAAAA,gBAAA;AAEF,MAAM8B,oBAAoB,GAAG,MAAAA,CAC3B3B,OAAgC,EAChCyB,WAAiB,KACC;EAAA,IAAAQ,qBAAA;EAClB;EACA;EACA,IAAIjC,OAAO,EAAE;IACX,MAAMkC,MAAM,GAAGlC,OAAO,CAACmC,IAAI,CACzBC,KAAA;MAAA,IAAC;QAAEC;MAAI,CAAC,GAAAD,KAAA;MAAA,OAAKC,GAAG,KAAKZ,WAAW,CAACa,eAAe,CAACD,GAAG;IAAA,CACtD,CAAC;IACD,IAAI,CAACH,MAAM,EAAE;MACX,MAAM,IAAIK,gDAAwC,CAChD,uCACF,CAAC;IACH;IACA,MAAM,IAAAC,wBAAM,EAACf,WAAW,EAAES,MAAM,CAAC;IACjC;EACF;;EAEA;EACA,KAAAD,qBAAA,GAAIR,WAAW,CAACa,eAAe,cAAAL,qBAAA,eAA3BA,qBAAA,CAA6BQ,GAAG,EAAE;IACpC,MAAMP,MAAM,GAAGT,WAAW,CAACa,eAAe,CAACG,GAAG;IAC9C,MAAM,IAAAD,wBAAM,EAACf,WAAW,EAAES,MAAM,CAAC;IACjC;EACF;;EAEA;EACA;AACF,CAAC"}