@pagopa/io-react-native-wallet 1.3.0 → 1.4.0

package/src/credential/presentation/03-get-request-object.ts

@@ -1,19 +1,10 @@
-import uuid from "react-native-uuid";
-import {
-  sha256ToBase64,
-  type CryptoContext,
-} from "@pagopa/io-react-native-jwt";
-
-import { createDPopToken } from "../../utils/dpop";
 import { hasStatusOrThrow, type Out } from "../../utils/misc";
 import type { StartFlow } from "./01-start-flow";
 
 export type GetRequestObject = (
   requestUri: Out<StartFlow>["requestUri"],
-  context: {
-    wiaCryptoContext: CryptoContext;
+  context?: {
     appFetch?: GlobalFetch["fetch"];
-    walletInstanceAttestation: string;
   }
 ) => Promise<{ requestObjectEncodedJwt: string }>;
 
@@ -21,33 +12,17 @@ export type GetRequestObject = (
  * Obtain the Request Object for RP authentication
  * @see https://italia.github.io/eudi-wallet-it-docs/versione-corrente/en/relying-party-solution.html
  *
- * @param requestUri The url for the Relying Party to connect with
- * @param rpConf The Relying Party's configuration
- * @param context.wiaCryptoContext The context to access the key associated with the Wallet Instance Attestation
- * @param context.walletInstanceAttestation The Wallet Instance Attestation token
+ * @param requestUri The request uri of the Relying Party
  * @param context.appFetch (optional) fetch api implementation. Default: built-in fetch
  * @returns The Request Object that describes the presentation
  */
 export const getRequestObject: GetRequestObject = async (
   requestUri,
-  { wiaCryptoContext, appFetch = fetch, walletInstanceAttestation }
+  context = {}
 ) => {
-  const signedWalletInstanceDPoP = await createDPopToken(
-    {
-      jti: `${uuid.v4()}`,
-      htm: "GET",
-      htu: requestUri,
-      ath: await sha256ToBase64(walletInstanceAttestation),
-    },
-    wiaCryptoContext
-  );
-
+  const { appFetch = fetch } = context;
   const requestObjectEncodedJwt = await appFetch(requestUri, {
     method: "GET",
-    headers: {
-      Authorization: `DPoP ${walletInstanceAttestation}`,
-      DPoP: signedWalletInstanceDPoP,
-    },
   })
     .then(hasStatusOrThrow(200))
     .then((res) => res.text());

package/src/credential/presentation/07-evaluate-input-descriptor.ts

@@ -189,11 +189,8 @@ export const evaluateInputDescriptorForSdJwt4VC: EvaluateInputDescriptorSdJwt4VC
       requiredClaimNames.includes(disclosure.decoded[INDEX_CLAIM_NAME])
     );
 
-    const optionalDisclosures = disclosures.filter(
-      (disclosure) =>
-        optionalClaimNames.includes(disclosure.decoded[INDEX_CLAIM_NAME]) ||
-        (isNotLimitDisclosure &&
-          !requiredClaimNames.includes(disclosure.decoded[INDEX_CLAIM_NAME]))
+    const optionalDisclosures = disclosures.filter((disclosure) =>
+      optionalClaimNames.includes(disclosure.decoded[INDEX_CLAIM_NAME])
     );
 
     const isNotLimitDisclosure = !(

package/src/credential/presentation/08-send-authorization-response.ts

@@ -9,7 +9,12 @@ import type { VerifyRequestObjectSignature } from "./05-verify-request-object";
 import { NoSuitableKeysFoundInEntityConfiguration } from "./errors";
 import { hasStatusOrThrow, type Out } from "../../utils/misc";
 import { disclose } from "../../sd-jwt";
-import { PresentationDefinition, type Presentation } from "./types";
+import {
+  DirectAuthorizationBodyPayload,
+  ErrorResponse,
+  PresentationDefinition,
+  type Presentation,
+} from "./types";
 import * as z from "zod";
 import type { JWK } from "../../utils/jwk";
 
@@ -125,19 +130,20 @@ export const prepareVpToken = async (
  * Builds a URL-encoded form body for a direct POST response without encryption.
  *
  * @param requestObject - Contains state, nonce, and other relevant info.
- * @param vpToken - The signed VP token to include.
- * @param presentationSubmission - Object mapping credential disclosures.
+ * @param payload - Object that contains either the VP token to encrypt and the stringified mapping of the credential disclosures or the error code
  * @returns A URL-encoded string suitable for an `application/x-www-form-urlencoded` POST body.
  */
 export const buildDirectPostBody = async (
   requestObject: Out<VerifyRequestObjectSignature>["requestObject"],
-  vpToken: string,
-  presentationSubmission: Record<string, unknown>
+  payload: DirectAuthorizationBodyPayload
 ): Promise<string> => {
   const formUrlEncodedBody = new URLSearchParams({
     state: requestObject.state,
-    presentation_submission: JSON.stringify(presentationSubmission),
-    vp_token: vpToken,
+    ...Object.fromEntries(
+      Object.entries(payload).map(([key, value]) => {
+        return [key, typeof value === "object" ? JSON.stringify(value) : value];
+      })
+    ),
   });
 
   return formUrlEncodedBody.toString();
@@ -148,22 +154,19 @@ export const buildDirectPostBody = async (
  *
  * @param jwkKeys - Array of JWKs from the Relying Party for encryption.
  * @param requestObject - Contains state, nonce, and other relevant info.
- * @param vpToken - The signed VP token to encrypt.
- * @param presentationSubmission - Object mapping credential disclosures.
+ * @param payload - Object that contains either the VP token to encrypt and the mapping of the credential disclosures or the error code
  * @returns A URL-encoded string for an `application/x-www-form-urlencoded` POST body,
  *          where `response` contains the encrypted JWE.
  */
 export const buildDirectPostJwtBody = async (
   jwkKeys: Out<FetchJwks>["keys"],
   requestObject: Out<VerifyRequestObjectSignature>["requestObject"],
-  vpToken: string,
-  presentationSubmission: Record<string, unknown>
+  payload: DirectAuthorizationBodyPayload
 ): Promise<string> => {
   // Prepare the authorization response payload to be encrypted
   const authzResponsePayload = JSON.stringify({
     state: requestObject.state,
-    presentation_submission: presentationSubmission,
-    vp_token: vpToken,
+    ...payload,
   });
 
   // Choose a suitable RSA public key for encryption
@@ -233,17 +236,14 @@ export const sendAuthorizationResponse: SendAuthorizationResponse = async (
   // 2. Choose the appropriate request body builder based on response mode
   const requestBody =
     requestObject.response_mode === "direct_post.jwt"
-      ? await buildDirectPostJwtBody(
-          jwkKeys,
-          requestObject,
+      ? await buildDirectPostJwtBody(jwkKeys, requestObject, {
           vp_token,
-          presentation_submission
-        )
-      : await buildDirectPostBody(
-          requestObject,
+          presentation_submission,
+        })
+      : await buildDirectPostBody(requestObject, {
           vp_token,
-          presentation_submission
-        );
+          presentation_submission: presentation_submission,
+        });
 
   // 3. Send the authorization response via HTTP POST and validate the response
   return await appFetch(requestObject.response_uri, {
@@ -257,3 +257,51 @@ export const sendAuthorizationResponse: SendAuthorizationResponse = async (
     .then((res) => res.json())
     .then(AuthorizationResponse.parse);
 };
+
+/**
+ * Type definition for the function that sends the authorization response
+ * to the Relying Party, completing the presentation flow.
+ */
+export type SendAuthorizationErrorResponse = (
+  requestObject: Out<VerifyRequestObjectSignature>["requestObject"],
+  error: ErrorResponse,
+  jwkKeys: Out<FetchJwks>["keys"],
+  context?: {
+    appFetch?: GlobalFetch["fetch"];
+  }
+) => Promise<AuthorizationResponse>;
+
+/**
+ * Sends the authorization error response to the Relying Party (RP) using the specified `response_mode`.
+ * This function completes the presentation flow in an OpenID 4 Verifiable Presentations scenario.
+ *
+ * @param requestObject - The request details, including presentation requirements.
+ * @param error - The response error value
+ * @param jwkKeys - Array of JWKs from the Relying Party for optional encryption.
+ * @param context - Contains optional custom fetch implementation.
+ * @returns Parsed and validated authorization response from the Relying Party.
+ */
+export const sendAuthorizationErrorResponse: SendAuthorizationErrorResponse =
+  async (
+    requestObject,
+    error,
+    jwkKeys,
+    { appFetch = fetch } = {}
+  ): Promise<AuthorizationResponse> => {
+    // 2. Choose the appropriate request body builder based on response mode
+    const requestBody =
+      requestObject.response_mode === "direct_post.jwt"
+        ? await buildDirectPostJwtBody(jwkKeys, requestObject, { error })
+        : await buildDirectPostBody(requestObject, { error });
+    // 3. Send the authorization error response via HTTP POST and validate the response
+    return await appFetch(requestObject.response_uri, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/x-www-form-urlencoded",
+      },
+      body: requestBody,
+    })
+      .then(hasStatusOrThrow(200))
+      .then((res) => res.json())
+      .then(AuthorizationResponse.parse);
+  };

package/src/credential/presentation/README.md

@@ -62,9 +62,7 @@ const { rpConf } = await Credential.Presentation.evaluateRelyingPartyTrust(clien
 
 const { requestObjectEncodedJwt } =
     await Credential.Presentation.getRequestObject(requestURI, {
-      wiaCryptoContext: wiaCryptoContext,
-      appFetch: appFetch,
-      walletInstanceAttestation: walletInstanceAttestation,
+      appFetch: appFetch
     });
 
 // Retrieve RP JWK

package/src/credential/presentation/index.ts

@@ -27,6 +27,8 @@ import {
 import {
   sendAuthorizationResponse,
   type SendAuthorizationResponse,
+  sendAuthorizationErrorResponse,
+  type SendAuthorizationErrorResponse,
 } from "./08-send-authorization-response";
 import * as Errors from "./errors";
 
@@ -40,6 +42,7 @@ export {
   fetchPresentDefinition,
   evaluateInputDescriptorForSdJwt4VC,
   sendAuthorizationResponse,
+  sendAuthorizationErrorResponse,
   Errors,
 };
 export type {
@@ -51,4 +54,5 @@ export type {
   FetchPresentationDefinition,
   EvaluateInputDescriptorSdJwt4VC,
   SendAuthorizationResponse,
+  SendAuthorizationErrorResponse,
 };

package/src/credential/presentation/types.ts

@@ -90,3 +90,29 @@ export const RequestObject = z.object({
   scope: z.string().optional(),
   presentation_definition: PresentationDefinition.optional(),
 });
+
+/**
+ * This type models the possible error responses the OpenID4VP protocol allows for a presentation of a credential.
+ * See https://openid.github.io/OpenID4VP/openid-4-verifiable-presentations-wg-draft.html#name-error-response for more information.
+ */
+export type ErrorResponse = z.infer<typeof ErrorResponse>;
+export const ErrorResponse = z.enum([
+  "invalid_scope",
+  "invalid_request",
+  "invalid_client",
+  "access_denied",
+]);
+
+/**
+ * Type that defines the possible payload formats accepted by {@link buildDirectPostJwtBody} and {@link buildDirectPostBody}
+ */
+export type DirectAuthorizationBodyPayload = z.infer<
+  typeof DirectAuthorizationBodyPayload
+>;
+export const DirectAuthorizationBodyPayload = z.union([
+  z.object({
+    vp_token: z.string(),
+    presentation_submission: z.record(z.string(), z.unknown()),
+  }),
+  z.object({ error: ErrorResponse }),
+]);

package/src/entity/openid-connect/issuer/types.ts

@@ -24,14 +24,17 @@ export const CredentialClaimDisplay = z.object({
 
 export const CredentialFormat = z.union([
   z.literal("vc+sd-jwt"),
-  z.literal("example+sd-jwt"),
+  z.literal("mso_mdoc"),
 ]);
-const CredentialSdJwtClaims = z.record(
-  z.object({
-    mandatory: z.boolean(),
-    display: z.array(CredentialClaimDisplay),
-  })
-);
+
+export type CredentialClaim = z.infer<typeof CredentialClaim>;
+export const CredentialClaim = z.object({
+  mandatory: z.boolean(),
+  display: z.array(CredentialClaimDisplay),
+});
+
+export type CredentialSdJwtClaims = z.infer<typeof CredentialSdJwtClaims>;
+export const CredentialSdJwtClaims = z.record(CredentialClaim);
 
 export type CredentialConfigurationSupported = z.infer<
   typeof CredentialConfigurationSupported
@@ -39,12 +42,17 @@ export type CredentialConfigurationSupported = z.infer<
 export const CredentialConfigurationSupported = z.record(
   z.object({
     cryptographic_suites_supported: z.array(z.string()),
-    vct: z.string(),
-    scope: z.string(),
+    vct: z.string().optional(),
+    scope: z.string().optional(),
     cryptographic_binding_methods_supported: z.array(z.string()),
     display: z.array(CredentialDisplay),
     format: CredentialFormat,
-    claims: CredentialSdJwtClaims,
+    claims: z
+      .union([
+        CredentialSdJwtClaims,
+        z.record(z.string(), CredentialSdJwtClaims),
+      ])
+      .optional(),
   })
 );
 

package/src/entity/trust/types.ts

@@ -70,7 +70,7 @@ const IssuanceErrorSupported = z.object({
 // Metadata for a credentia which is supported by a Issuer
 type SupportedCredentialMetadata = z.infer<typeof SupportedCredentialMetadata>;
 const SupportedCredentialMetadata = z.object({
-  format: z.union([z.literal("vc+sd-jwt"), z.literal("vc+mdoc-cbor")]),
+  format: z.union([z.literal("vc+sd-jwt"), z.literal("mso_mdoc")]),
   scope: z.string(),
   display: z.array(CredentialDisplayMetadata),
   claims: ClaimsMetadata.optional(), // TODO [SIW-1268]: should not be optional

package/src/mdoc/converters.ts

@@ -0,0 +1,26 @@
+/**
+ * Extracts the date value of a given elementIdentifier from an MDOC object.
+ * Searches through the issuerSigned namespaces and attempts to parse the value as a Date.
+ * The expected date format is "DD-MM-YYYY".
+ * Returns the Date object if found, otherwise returns null.
+ */
+export function extractElementValueAsDate(elementValue: string): Date | null {
+  if (typeof elementValue === "string") {
+    const dateParts = elementValue.split("-");
+    if (dateParts.length === 3) {
+      const [day, month, year] = dateParts.map((part) => Number(part));
+      if (
+        day !== undefined &&
+        month !== undefined &&
+        year !== undefined &&
+        !isNaN(day) &&
+        !isNaN(month) &&
+        !isNaN(year)
+      ) {
+        return new Date(year, month - 1, day); // Month is zero-based in JS Date
+      }
+    }
+  }
+
+  return null; // Return null if no matching element is found or it's not a valid date
+}

package/src/mdoc/index.ts

@@ -0,0 +1,28 @@
+import { CBOR } from "@pagopa/io-react-native-cbor";
+import type { JWK } from "../utils/jwk";
+
+export const verify = async (
+  token: string,
+  publicKey: JWK | JWK[]
+): Promise<{ mDoc: CBOR.MDOC }> => {
+  // get decoded data
+  const documents = await CBOR.decodeDocuments(token);
+  if (!documents || documents.documents.length === 0) {
+    throw new Error("Invalid mDoc");
+  }
+  const mDoc = documents.documents[0];
+  if (!mDoc) {
+    throw new Error("Invalid mDoc");
+  }
+
+  const sigKey = Array.isArray(publicKey)
+    ? publicKey.find((k) => k.use === "sig")
+    : publicKey;
+  sigKey;
+
+  //await COSE.verify(mDoc.issuerSigned.issuerAuth, sigKey as PublicKey);
+
+  return {
+    mDoc,
+  };
+};

package/src/utils/string.ts

@@ -1,3 +1,5 @@
+import { Buffer } from "buffer";
+
 /**
  * Randomly obfuscates characters in a string by replacing them with a specified character.
  *
@@ -43,3 +45,13 @@ export const obfuscateString = (
 
   return chars.join("");
 };
+
+/**
+ * Converts a hexadecimal byte string to a Base64 URL-encoded string.
+ *
+ * @param byteString - The input string in hexadecimal format.
+ * @returns The Base64 URL-encoded string.
+ */
+export const byteStringToBase64Url = (byteString: string): string => {
+  return Buffer.from(byteString, "hex").toString("base64");
+};