@pagopa/io-react-native-wallet 1.2.3 → 1.2.4

package/src/credential/presentation/05-verify-request-object.ts

@@ -15,9 +15,10 @@ export const verifyRequestObjectSignature: VerifyRequestObjectSignature =
     const requestObjectJwt = decodeJwt(requestObjectEncodedJwt);
 
     // verify token signature to ensure the request object is authentic
-    const pubKey = jwkKeys?.find(
-      ({ kid }) => kid === requestObjectJwt.protectedHeader.kid
-    );
+    const pubKey =
+      jwkKeys?.find(
+        ({ kid }) => kid === requestObjectJwt.protectedHeader.kid
+      ) || jwkKeys?.find(({ use }) => use === "sig");
 
     if (!pubKey) {
       throw new UnverifiedEntityError("Request Object signature verification!");

package/src/credential/presentation/07-evaluate-input-descriptor.ts

@@ -9,6 +9,7 @@ const INDEX_CLAIM_NAME = 1;
 export type EvaluatedDisclosures = {
   requiredDisclosures: DisclosureWithEncoded[];
   optionalDisclosures: DisclosureWithEncoded[];
+  unrequestedDisclosures: DisclosureWithEncoded[];
 };
 
 export type EvaluateInputDescriptorSdJwt4VC = (
@@ -99,8 +100,8 @@ const extractClaimName = (path: string): string | undefined => {
  * - Validates whether required fields are present (unless marked optional)
  *   and match any specified JSONPath.
  * - If a field includes a JSON Schema filter, validates the claim value against that schema.
- * - Enforces `limit_disclosure` rules by returning only disclosures matching the specified fields
- *   if set to "required". Otherwise return the array of all disclosures.
+ * - Enforces `limit_disclosure` rules by returning only disclosures, required and optional, matching the specified fields
+ *   if set to "required". Otherwise also return the array unrequestedDisclosures with disclosures which can be passed for a particular use case.
  * - Throws an error if a required field is invalid or missing.
  *
  * @param inputDescriptor - Describes constraints (fields, filters, etc.) that must be satisfied.
@@ -115,7 +116,8 @@ export const evaluateInputDescriptorForSdJwt4VC: EvaluateInputDescriptorSdJwt4VC
       // No validation, all field are optional
       return {
         requiredDisclosures: [],
-        optionalDisclosures: disclosures,
+        optionalDisclosures: [],
+        unrequestedDisclosures: disclosures,
       };
     }
     const requiredClaimNames: string[] = [];
@@ -182,9 +184,6 @@ export const evaluateInputDescriptorForSdJwt4VC: EvaluateInputDescriptorSdJwt4VC
     }
 
     // Categorizes disclosures into required and optional based on claim names and disclosure constraints.
-    const isNotLimitDisclosure = !(
-      inputDescriptor.constraints.limit_disclosure === "required"
-    );
 
     const requiredDisclosures = disclosures.filter((disclosure) =>
       requiredClaimNames.includes(disclosure.decoded[INDEX_CLAIM_NAME])
@@ -197,8 +196,23 @@ export const evaluateInputDescriptorForSdJwt4VC: EvaluateInputDescriptorSdJwt4VC
           !requiredClaimNames.includes(disclosure.decoded[INDEX_CLAIM_NAME]))
     );
 
+    const isNotLimitDisclosure = !(
+      inputDescriptor.constraints.limit_disclosure === "required"
+    );
+
+    const unrequestedDisclosures = isNotLimitDisclosure
+      ? disclosures.filter(
+          (disclosure) =>
+            !optionalClaimNames.includes(
+              disclosure.decoded[INDEX_CLAIM_NAME]
+            ) &&
+            !requiredClaimNames.includes(disclosure.decoded[INDEX_CLAIM_NAME])
+        )
+      : [];
+
     return {
       requiredDisclosures,
       optionalDisclosures,
+      unrequestedDisclosures,
     };
   };

package/src/credential/presentation/README.md

@@ -29,8 +29,8 @@ sequenceDiagram
   <summary>Remote Presentation flow</summary>
 
 ```ts
-// Scan e retrive qr-code
-const qrcode = ...
+// Scan e retrive qr-code, decode it and get its parameters
+const {requestUri, clientId} = ...
 
 // Retrieve the integrity key tag from the store and create its context
 const integrityKeyTag = "example"; // Let's assume this is the key tag used to create the wallet instance
@@ -55,7 +55,7 @@ const walletInstanceAttestation =
   });
 
 // Start the issuance flow
-const { requestURI, clientId } = Credential.Presentation.startFlowFromQR(qrcode);
+const { requestURI, clientId } = Credential.Presentation.startFlowFromQR(requestUri, clientId);
 
 // If use trust federation: Evaluate issuer trust
 const { rpConf } = await Credential.Presentation.evaluateRelyingPartyTrust(clientId);
@@ -111,4 +111,4 @@ const { presentationDefinition } = await Credential.Presentation.fetchPresentDef
 
 ```
 
-</details>
+</details>

package/src/credential/presentation/errors.ts

@@ -40,22 +40,6 @@ export class NoSuitableKeysFoundInEntityConfiguration extends IoWalletError {
   }
 }
 
-/**
- * When a QR code is not valid.
- *
- */
-export class InvalidQRCodeError extends IoWalletError {
-  code = "ERR_INVALID_QR_CODE";
-
-  /**
-   * @param detail A description of why the QR code is considered invalid.
-   */
-  constructor(detail: string) {
-    const message = `QR code is not valid: ${detail}.`;
-    super(message);
-  }
-}
-
 /**
  * When the entity is unverified because the Relying Party is not trusted.
  *

package/src/credential/presentation/types.ts

@@ -1,6 +1,7 @@
 import type { CryptoContext } from "@pagopa/io-react-native-jwt";
 import { UnixTime } from "../../sd-jwt/types";
 import * as z from "zod";
+import { JWKS } from "../../utils/jwk";
 
 /**
  * A pair that associate a tokenized Verified Credential with the claims presented or requested to present.
@@ -77,7 +78,13 @@ export const RequestObject = z.object({
   response_type: z.literal("vp_token"),
   response_mode: z.enum(["direct_post.jwt", "direct_post"]),
   client_id: z.string(),
-  client_id_scheme: z.string(), // previous z.literal("entity_id"),
+  client_id_scheme: z.string().optional(), // previous z.literal("entity_id"),
+  client_metadata: z
+    .object({
+      jwks_uri: z.string().optional(),
+      jwks: JWKS.optional(),
+    })
+    .optional(), // previous z.literal("entity_id"),
   scope: z.string().optional(),
   presentation_definition: PresentationDefinition.optional(),
 });

package/src/utils/crypto.ts

@@ -7,6 +7,8 @@ import {
 import uuid from "react-native-uuid";
 import { thumbprint, type CryptoContext } from "@pagopa/io-react-native-jwt";
 import { fixBase64EncodingOnKey } from "./jwk";
+import { X509, KEYUTIL, RSAKey, KJUR } from "jsrsasign";
+import { JWK } from "./jwk";
 
 /**
  * Create a CryptoContext bound to a key pair.
@@ -63,3 +65,44 @@ export const withEphemeralKey = async <R>(
   const ephemeralContext = createCryptoContextFor(keytag);
   return fn(ephemeralContext).finally(() => deleteKey(keytag));
 };
+
+/**
+ * Converts a certificate string to PEM format.
+ *
+ * @param certificate - The certificate string.
+ * @returns The PEM-formatted certificate.
+ */
+export const convertCertToPem = (certificate: string): string =>
+  `-----BEGIN CERTIFICATE-----\n${certificate}\n-----END CERTIFICATE-----`;
+
+/**
+ * Parses the public key from a PEM-formatted certificate.
+ *
+ * @param pemCert - The PEM-formatted certificate.
+ * @returns The public key object.
+ * @throws Will throw an error if the public key is unsupported.
+ */
+export const parsePublicKey = (
+  pemCert: string
+): RSAKey | KJUR.crypto.ECDSA | undefined => {
+  const x509 = new X509();
+  x509.readCertPEM(pemCert);
+  const publicKey = x509.getPublicKey();
+
+  if (publicKey instanceof RSAKey || publicKey instanceof KJUR.crypto.ECDSA) {
+    return publicKey;
+  }
+
+  return undefined;
+};
+
+/**
+ * Retrieves the signing JWK from the public key.
+ *
+ * @param publicKey - The public key object.
+ * @returns The signing JWK.
+ */
+export const getSigningJwk = (publicKey: RSAKey | KJUR.crypto.ECDSA): JWK => ({
+  ...JWK.parse(KEYUTIL.getJWKFromKey(publicKey)),
+  use: "sig",
+});