@pagopa/io-react-native-wallet 1.4.0 → 1.6.0

package/lib/module/credential/presentation/07-evaluate-input-descriptor.js

@@ -1,10 +1,21 @@
+import { decode, prepareVpToken } from "../../sd-jwt";
+import { createCryptoContextFor } from "../../utils/crypto";
 import { JSONPath } from "jsonpath-plus";
-import { MissingDataError } from "./errors";
+import { MissingDataError, CredentialNotFoundError } from "./errors";
 import Ajv from "ajv";
+import { CBOR } from "@pagopa/io-react-native-cbor";
+import { prepareVpTokenMdoc } from "../../mdoc";
+import { generateRandomAlphaNumericString } from "../../utils/misc";
 const ajv = new Ajv({
   allErrors: true
 });
-const INDEX_CLAIM_NAME = 1;
+export const disclosureWithEncodedToEvaluatedDisclosure = disclosure => {
+  const [, claimName, claimValue] = disclosure.decoded;
+  return {
+    name: claimName,
+    value: claimValue
+  };
+};
 /**
  * Transforms an array of DisclosureWithEncoded objects into a key-value map.
  * @param disclosures - An array of DisclosureWithEncoded, each containing a decoded property with [?, claimName, claimValue].
@@ -21,6 +32,22 @@ const mapDisclosuresToObject = disclosures => {
   }, {});
 };
 
+/**
+ * Transforms the issuer's namespaces from a CBOR structure into a plain JavaScript object.
+ *
+ * @param namespaces - The CBOR-based namespaces object where each key corresponds to a namespace,
+ *                     and each value is an array of elements containing identifiers and values.
+ * @returns A record (plain object) where each key is a namespace, and its value is another object
+ *          mapping element identifiers to their corresponding element values.
+ */
+const mapNamespacesToObject = namespaces => {
+  return Object.entries(namespaces).reduce((obj, _ref2) => {
+    let [namespace, elements] = _ref2;
+    obj[namespace] = Object.fromEntries(elements.map(element => [element.elementIdentifier, element.elementValue]));
+    return obj;
+  }, {});
+};
+
 /**
  * Finds a claim within the payload based on provided JSONPath expressions.
  * @param paths - An array of JSONPath expressions to search for in the payload.
@@ -68,10 +95,91 @@ const extractClaimName = path => {
     // match[2] corresponds to the second capture group (\w+) inside [""] or ['']
     return match[1] || match[2];
   }
+  throw new Error(`Invalid input format: "${path}". Expected formats are "$.propertyName", "$['propertyName']", or '$["propertyName"]'.`);
+};
 
-  // If the input doesn't match any of the expected formats, return null
+/**
+ * Extracts the namespace and claim name from a path in the following format:
+ * $['nameSpace']['propertyName']
+ *
+ * @param path - The path string containing the claim reference.
+ * @returns An object with the extracted namespace and claim name.
+ * @throws An error if the input format is invalid.
+ */
+const extractNamespaceAndClaimName = path => {
+  const regex = /^\$\[(?:'|")([^'"\]]+)(?:'|")\]\[(?:'|")([^'"\]]+)(?:'|")\]$/;
+  const match = path.match(regex);
+  if (match) {
+    return {
+      nameSpace: match[1],
+      propertyName: match[2]
+    };
+  }
+  throw new Error(`Invalid input format: "${path}". Expected format is "$['nameSpace']['propertyName']".`);
+};
+/**
+ * Evaluates the input descriptor for an mDoc by verifying that the issuerSigned claims meet
+ * the constraints defined in the input descriptor. It categorizes disclosures as either required
+ * or optional based on the field definitions.
+ *
+ * @param inputDescriptor - Contains constraints and field definitions specifying required/optional claims.
+ * @param issuerSigned - Contains the issuerSigned with namespaces and their associated claims.
+ * @returns An object with two arrays: one for required disclosures and one for optional disclosures.
+ * @throws MissingDataError - If a required field is missing or if a claim fails JSON Schema validation.
+ */
+export const evaluateInputDescriptorForMdoc = (inputDescriptor, issuerSigned) => {
+  var _inputDescriptor$cons;
+  if (!(inputDescriptor !== null && inputDescriptor !== void 0 && (_inputDescriptor$cons = inputDescriptor.constraints) !== null && _inputDescriptor$cons !== void 0 && _inputDescriptor$cons.fields)) {
+    // No validation, no field are required
+    return {
+      requiredDisclosures: [],
+      optionalDisclosures: []
+    };
+  }
+  const requiredDisclosures = [];
+  const optionalDisclosures = [];
 
-  throw new Error(`Invalid input format: "${path}". Expected formats are "$.propertyName", "$['propertyName']", or '$["propertyName"]'.`);
+  // Convert issuer's namespaces into an object for easier lookup of claim values.
+  const namespacesAsPayload = mapNamespacesToObject(issuerSigned.nameSpaces);
+  const allFieldsValid = inputDescriptor.constraints.fields.every(field => {
+    const [matchedPath, matchedValue] = findMatchedClaim(field.path, namespacesAsPayload);
+
+    // If no matching claim is found, the field is valid only if it's marked as optional.
+    if (matchedValue === undefined || !matchedPath) {
+      return field === null || field === void 0 ? void 0 : field.optional;
+    } else {
+      // Extract the namespace and property name from the matched path.
+      const {
+        nameSpace,
+        propertyName
+      } = extractNamespaceAndClaimName(matchedPath);
+      if (nameSpace && propertyName) {
+        (field !== null && field !== void 0 && field.optional ? optionalDisclosures : requiredDisclosures).push({
+          namespace: nameSpace,
+          name: propertyName,
+          value: matchedValue
+        });
+      }
+    }
+    if (field.filter) {
+      try {
+        const validateSchema = ajv.compile(field.filter);
+        if (!validateSchema(matchedValue)) {
+          throw new MissingDataError(`Claim value "${matchedValue}" for path "${matchedPath}" does not match the provided JSON Schema.`);
+        }
+      } catch (error) {
+        return false;
+      }
+    }
+    return true;
+  });
+  if (!allFieldsValid) {
+    throw new MissingDataError("Credential validation failed: Required fields are missing or do not match the input descriptor.");
+  }
+  return {
+    requiredDisclosures,
+    optionalDisclosures
+  };
 };
 
 /**
@@ -82,30 +190,27 @@ const extractClaimName = path => {
  * - Validates whether required fields are present (unless marked optional)
  *   and match any specified JSONPath.
  * - If a field includes a JSON Schema filter, validates the claim value against that schema.
- * - Enforces `limit_disclosure` rules by returning only disclosures, required and optional, matching the specified fields
- *   if set to "required". Otherwise also return the array unrequestedDisclosures with disclosures which can be passed for a particular use case.
  * - Throws an error if a required field is invalid or missing.
  *
  * @param inputDescriptor - Describes constraints (fields, filters, etc.) that must be satisfied.
  * @param payloadCredential - The credential payload to check against.
  * @param disclosures - An array of DisclosureWithEncoded objects representing selective disclosures.
- * @returns A filtered list of disclosures satisfying the descriptor constraints, or throws an error if not.
+ * @returns An object with two arrays: one for required disclosures and one for optional disclosures.
  * @throws Will throw an error if any required constraint fails or if JSONPath lookups are invalid.
  */
 export const evaluateInputDescriptorForSdJwt4VC = (inputDescriptor, payloadCredential, disclosures) => {
-  var _inputDescriptor$cons;
-  if (!(inputDescriptor !== null && inputDescriptor !== void 0 && (_inputDescriptor$cons = inputDescriptor.constraints) !== null && _inputDescriptor$cons !== void 0 && _inputDescriptor$cons.fields)) {
+  var _inputDescriptor$cons2;
+  if (!(inputDescriptor !== null && inputDescriptor !== void 0 && (_inputDescriptor$cons2 = inputDescriptor.constraints) !== null && _inputDescriptor$cons2 !== void 0 && _inputDescriptor$cons2.fields)) {
     // No validation, all field are optional
     return {
       requiredDisclosures: [],
-      optionalDisclosures: [],
-      unrequestedDisclosures: disclosures
+      optionalDisclosures: []
     };
   }
-  const requiredClaimNames = [];
-  const optionalClaimNames = [];
+  const requiredDisclosures = [];
+  const optionalDisclosures = [];
 
-  // Transform disclosures to find claim using JSONPath
+  // Transform disclosures into an object for easier lookup of claim values.
   const disclosuresAsPayload = mapDisclosuresToObject(disclosures);
 
   // For each field, we need at least one matching path
@@ -125,7 +230,10 @@ export const evaluateInputDescriptorForSdJwt4VC = (inputDescriptor, payloadCrede
       // if match a disclouse we save which is required or optional
       const claimName = extractClaimName(matchedPath);
       if (claimName) {
-        (field !== null && field !== void 0 && field.optional ? optionalClaimNames : requiredClaimNames).push(claimName);
+        (field !== null && field !== void 0 && field.optional ? optionalDisclosures : requiredDisclosures).push({
+          value: matchedValue,
+          name: claimName
+        });
       }
     }
 
@@ -149,17 +257,197 @@ export const evaluateInputDescriptorForSdJwt4VC = (inputDescriptor, payloadCrede
   if (!allFieldsValid) {
     throw new MissingDataError("Credential validation failed: Required fields are missing or do not match the input descriptor.");
   }
+  return {
+    requiredDisclosures,
+    optionalDisclosures
+  };
+};
+
+/**
+ * Finds the first credential that satisfies the input descriptor constraints.
+ * @param inputDescriptor The input descriptor to evaluate.
+ * @param decodedSdJwtCredentials An array of decoded SD-JWT credentials.
+ * @returns An object containing the matched evaluation, keyTag, and credential.
+ */
+export const findCredentialSdJwt = (inputDescriptor, decodedSdJwtCredentials) => {
+  for (const {
+    keyTag,
+    credential,
+    sdJwt,
+    disclosures
+  } of decodedSdJwtCredentials) {
+    try {
+      const evaluatedDisclosure = evaluateInputDescriptorForSdJwt4VC(inputDescriptor, sdJwt.payload, disclosures);
+      return {
+        matchedEvaluation: evaluatedDisclosure,
+        matchedKeyTag: keyTag,
+        matchedCredential: credential
+      };
+    } catch {
+      // skip to next credential
+      continue;
+    }
+  }
+  throw new CredentialNotFoundError("None of the vc+sd-jwt credentials satisfy the requirements.");
+};
+
+/**
+ * Finds the first credential that satisfies the input descriptor constraints.
+ * @param inputDescriptor The input descriptor to evaluate.
+ * @param decodedMdocCredentials An array of decoded MDOC credentials.
+ * @returns An object containing the matched evaluation, keyTag, and credential.
+ */
+export const findCredentialMDoc = (inputDescriptor, decodedMDocCredentials) => {
+  for (const {
+    keyTag,
+    credential,
+    issuerSigned
+  } of decodedMDocCredentials) {
+    try {
+      const evaluatedDisclosure = evaluateInputDescriptorForMdoc(inputDescriptor, issuerSigned);
+      return {
+        matchedEvaluation: evaluatedDisclosure,
+        matchedKeyTag: keyTag,
+        matchedCredential: credential
+      };
+    } catch {
+      // skip to next credential
+      continue;
+    }
+  }
+  throw new CredentialNotFoundError("None of the mso_mdoc credentials satisfy the requirements.");
+};
+
+/**
+ * Evaluates multiple input descriptors against provided SD-JWT and MDOC credentials.
+ *
+ * For each input descriptor, this function:
+ * - Checks the credential format.
+ * - Decodes the credential.
+ * - Evaluates the descriptor using the associated disclosures.
+ *
+ * @param inputDescriptors - An array of input descriptors.
+ * @param credentialsSdJwt - An array of tuples containing keyTag and SD-JWT credential.
+ * @param credentialsMdoc - An array of tuples containing keyTag and MDOC credential.
+ * @returns An array of objects, each containing the evaluated disclosures,
+ *          the input descriptor, the credential, and the keyTag.
+ * @throws {CredentialNotFoundError} When the credential format is unsupported.
+ */
+export const evaluateInputDescriptors = async (inputDescriptors, credentialsSdJwt, credentialsMdoc) => {
+  // We need decode SD-JWT credentials for evaluation
+  const decodedSdJwtCredentials = (credentialsSdJwt === null || credentialsSdJwt === void 0 ? void 0 : credentialsSdJwt.map(_ref3 => {
+    let [keyTag, credential] = _ref3;
+    const {
+      sdJwt,
+      disclosures
+    } = decode(credential);
+    return {
+      keyTag,
+      credential,
+      sdJwt,
+      disclosures
+    };
+  })) || [];
 
-  // Categorizes disclosures into required and optional based on claim names and disclosure constraints.
+  // We need decode Mdoc credentials for evaluation
+  const decodedMdocCredentials = (await Promise.all(credentialsMdoc === null || credentialsMdoc === void 0 ? void 0 : credentialsMdoc.map(async _ref4 => {
+    let [keyTag, credential] = _ref4;
+    const issuerSigned = await CBOR.decodeIssuerSigned(credential);
+    if (!issuerSigned) {
+      throw new CredentialNotFoundError("mso_mdoc credential is not present.");
+    }
+    return {
+      keyTag,
+      credential,
+      issuerSigned
+    };
+  }))) || [];
+  const results = Promise.all(inputDescriptors.map(async descriptor => {
+    var _descriptor$format, _descriptor$format2;
+    if ((_descriptor$format = descriptor.format) !== null && _descriptor$format !== void 0 && _descriptor$format.mso_mdoc) {
+      if (!credentialsMdoc.length) {
+        throw new CredentialNotFoundError("mso_mdoc credential is not supported.");
+      }
+      const {
+        matchedEvaluation,
+        matchedKeyTag,
+        matchedCredential
+      } = findCredentialMDoc(descriptor, decodedMdocCredentials);
+      return {
+        evaluatedDisclosure: matchedEvaluation,
+        inputDescriptor: descriptor,
+        credential: matchedCredential,
+        keyTag: matchedKeyTag
+      };
+    }
+    if ((_descriptor$format2 = descriptor.format) !== null && _descriptor$format2 !== void 0 && _descriptor$format2["vc+sd-jwt"]) {
+      if (!decodedSdJwtCredentials.length) {
+        throw new CredentialNotFoundError("vc+sd-jwt credential is not supported.");
+      }
+      const {
+        matchedEvaluation,
+        matchedKeyTag,
+        matchedCredential
+      } = findCredentialSdJwt(descriptor, decodedSdJwtCredentials);
+      return {
+        evaluatedDisclosure: matchedEvaluation,
+        inputDescriptor: descriptor,
+        credential: matchedCredential,
+        keyTag: matchedKeyTag
+      };
+    }
+    throw new CredentialNotFoundError(`${descriptor.format} format is not supported.`);
+  }));
+  return results;
+};
 
-  const requiredDisclosures = disclosures.filter(disclosure => requiredClaimNames.includes(disclosure.decoded[INDEX_CLAIM_NAME]));
-  const optionalDisclosures = disclosures.filter(disclosure => optionalClaimNames.includes(disclosure.decoded[INDEX_CLAIM_NAME]));
-  const isNotLimitDisclosure = !(inputDescriptor.constraints.limit_disclosure === "required");
-  const unrequestedDisclosures = isNotLimitDisclosure ? disclosures.filter(disclosure => !optionalClaimNames.includes(disclosure.decoded[INDEX_CLAIM_NAME]) && !requiredClaimNames.includes(disclosure.decoded[INDEX_CLAIM_NAME])) : [];
+/**
+ * Prepares remote presentations for a set of credentials based on input descriptors.
+ *
+ * For each credential and its corresponding input descriptor, this function:
+ * - Validates the credential format.
+ * - Generates a verifiable presentation token (vpToken) using the provided nonce and client identifier.
+ *
+ * @param credentialAndDescriptors - An array containing objects with requested claims,
+ *                                   input descriptor, credential, and keyTag.
+ * @param nonce - A unique nonce for the verifiable presentation token.
+ * @param client_id - The client identifier.
+ * @returns A promise that resolves to an array of RemotePresentation objects.
+ * @throws {CredentialNotFoundError} When the credential format is unsupported.
+ */
+export const prepareRemotePresentations = async (credentialAndDescriptors, authRequestObject) => {
+  /* In case of ISO 18013-7 we need a nonce, it shall have a minimum entropy of 16  */
+  const generatedNonce = generateRandomAlphaNumericString(16);
+  const presentations = await Promise.all(credentialAndDescriptors.map(async item => {
+    var _descriptor$format3, _descriptor$format4;
+    const descriptor = item.inputDescriptor;
+    if ((_descriptor$format3 = descriptor.format) !== null && _descriptor$format3 !== void 0 && _descriptor$format3.mso_mdoc) {
+      const {
+        vp_token
+      } = await prepareVpTokenMdoc(authRequestObject.nonce, generatedNonce, authRequestObject.clientId, authRequestObject.responseUri, descriptor.id, item.keyTag, [item.credential, item.requestedClaims, createCryptoContextFor(item.keyTag)]);
+      return {
+        requestedClaims: item.requestedClaims,
+        inputDescriptor: descriptor,
+        vpToken: vp_token,
+        format: "mso_mdoc"
+      };
+    }
+    if ((_descriptor$format4 = descriptor.format) !== null && _descriptor$format4 !== void 0 && _descriptor$format4["vc+sd-jwt"]) {
+      const {
+        vp_token
+      } = await prepareVpToken(authRequestObject.nonce, authRequestObject.clientId, [item.credential, item.requestedClaims, createCryptoContextFor(item.keyTag)]);
+      return {
+        requestedClaims: item.requestedClaims,
+        inputDescriptor: descriptor,
+        vpToken: vp_token,
+        format: "vc+sd-jwt"
+      };
+    }
+    throw new CredentialNotFoundError(`${descriptor.format} format is not supported.`);
+  }));
   return {
-    requiredDisclosures,
-    optionalDisclosures,
-    unrequestedDisclosures
+    presentations,
+    generatedNonce
   };
 };
 //# sourceMappingURL=07-evaluate-input-descriptor.js.map

package/lib/module/credential/presentation/07-evaluate-input-descriptor.js.map

@@ -1 +1 @@
-{"version":3,"names":["JSONPath","MissingDataError","Ajv","ajv","allErrors","INDEX_CLAIM_NAME","mapDisclosuresToObject","disclosures","reduce","obj","_ref","decoded","claimName","claimValue","findMatchedClaim","paths","payload","matchedPath","matchedValue","some","singlePath","result","path","json","length","error","extractClaimName","regex","match","Error","evaluateInputDescriptorForSdJwt4VC","inputDescriptor","payloadCredential","_inputDescriptor$cons","constraints","fields","requiredDisclosures","optionalDisclosures","unrequestedDisclosures","requiredClaimNames","optionalClaimNames","disclosuresAsPayload","allFieldsValid","every","field","optional","push","filter","validateSchema","compile","disclosure","includes","isNotLimitDisclosure","limit_disclosure"],"sourceRoot":"../../../../src","sources":["credential/presentation/07-evaluate-input-descriptor.ts"],"mappings":"AAEA,SAASA,QAAQ,QAAQ,eAAe;AACxC,SAASC,gBAAgB,QAAQ,UAAU;AAC3C,OAAOC,GAAG,MAAM,KAAK;AACrB,MAAMC,GAAG,GAAG,IAAID,GAAG,CAAC;EAAEE,SAAS,EAAE;AAAK,CAAC,CAAC;AACxC,MAAMC,gBAAgB,GAAG,CAAC;AAc1B;AACA;AACA;AACA;AACA;AACA,MAAMC,sBAAsB,GAC1BC,WAAoC,IACR;EAC5B,OAAOA,WAAW,CAACC,MAAM,CAAC,CAACC,GAAG,EAAAC,IAAA,KAAkB;IAAA,IAAhB;MAAEC;IAAQ,CAAC,GAAAD,IAAA;IACzC,MAAM,GAAGE,SAAS,EAAEC,UAAU,CAAC,GAAGF,OAAO;IACzCF,GAAG,CAACG,SAAS,CAAC,GAAGC,UAAU;IAC3B,OAAOJ,GAAG;EACZ,CAAC,EAAE,CAAC,CAA4B,CAAC;AACnC,CAAC;;AAED;AACA;AACA;AACA;AACA;AACA;AACA,MAAMK,gBAAgB,GAAGA,CACvBC,KAAe,EACfC,OAAY,KACW;EACvB,IAAIC,WAAW;EACf,IAAIC,YAAY;EAChBH,KAAK,CAACI,IAAI,CAAEC,UAAU,IAAK;IACzB,IAAI;MACF,MAAMC,MAAM,GAAGrB,QAAQ,CAAC;QAAEsB,IAAI,EAAEF,UAAU;QAAEG,IAAI,EAAEP;MAAQ,CAAC,CAAC;MAC5D,IAAIK,MAAM,CAACG,MAAM,GAAG,CAAC,EAAE;QACrBP,WAAW,GAAGG,UAAU;QACxBF,YAAY,GAAGG,MAAM,CAAC,CAAC,CAAC;QACxB,OAAO,IAAI;MACb;IACF,CAAC,CAAC,OAAOI,KAAK,EAAE;MACd,MAAM,IAAIxB,gBAAgB,CACvB,iBAAgBmB,UAAW,wCAC9B,CAAC;IACH;IACA,OAAO,KAAK;EACd,CAAC,CAAC;EAEF,OAAO,CAACH,WAAW,EAAEC,YAAY,CAAC;AACpC,CAAC;;AAED;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,MAAMQ,gBAAgB,GAAIJ,IAAY,IAAyB;EAC7D;EACA;EACA;EACA,MAAMK,KAAK,GAAG,yCAAyC;EAEvD,MAAMC,KAAK,GAAGN,IAAI,CAACM,KAAK,CAACD,KAAK,CAAC;EAC/B,IAAIC,KAAK,EAAE;IACT;IACA;IACA,OAAOA,KAAK,CAAC,CAAC,CAAC,IAAIA,KAAK,CAAC,CAAC,CAAC;EAC7B;;EAEA;;EAEA,MAAM,IAAIC,KAAK,CACZ,0BAAyBP,IAAK,wFACjC,CAAC;AACH,CAAC;;AAED;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,MAAMQ,kCAAmE,GAC9EA,CAACC,eAAe,EAAEC,iBAAiB,EAAEzB,WAAW,KAAK;EAAA,IAAA0B,qBAAA;EACnD,IAAI,EAACF,eAAe,aAAfA,eAAe,gBAAAE,qBAAA,GAAfF,eAAe,CAAEG,WAAW,cAAAD,qBAAA,eAA5BA,qBAAA,CAA8BE,MAAM,GAAE;IACzC;IACA,OAAO;MACLC,mBAAmB,EAAE,EAAE;MACvBC,mBAAmB,EAAE,EAAE;MACvBC,sBAAsB,EAAE/B;IAC1B,CAAC;EACH;EACA,MAAMgC,kBAA4B,GAAG,EAAE;EACvC,MAAMC,kBAA4B,GAAG,EAAE;;EAEvC;EACA,MAAMC,oBAAoB,GAAGnC,sBAAsB,CAACC,WAAW,CAAC;;EAEhE;EACA;EACA,MAAMmC,cAAc,GAAGX,eAAe,CAACG,WAAW,CAACC,MAAM,CAACQ,KAAK,CAAEC,KAAK,IAAK;IACzE;IACA;IACA;IACA,IAAI,CAAC3B,WAAW,EAAEC,YAAY,CAAC,GAAGJ,gBAAgB,CAChD8B,KAAK,CAACtB,IAAI,EACVmB,oBACF,CAAC;IAED,IAAI,CAACxB,WAAW,EAAE;MAChB,CAACA,WAAW,EAAEC,YAAY,CAAC,GAAGJ,gBAAgB,CAC5C8B,KAAK,CAACtB,IAAI,EACVU,iBACF,CAAC;MAED,IAAI,CAACf,WAAW,EAAE;QAChB;QACA,OAAO2B,KAAK,aAALA,KAAK,uBAALA,KAAK,CAAEC,QAAQ;MACxB;IACF,CAAC,MAAM;MACL;MACA,MAAMjC,SAAS,GAAGc,gBAAgB,CAACT,WAAW,CAAC;MAC/C,IAAIL,SAAS,EAAE;QACb,CAACgC,KAAK,aAALA,KAAK,eAALA,KAAK,CAAEC,QAAQ,GAAGL,kBAAkB,GAAGD,kBAAkB,EAAEO,IAAI,CAC9DlC,SACF,CAAC;MACH;IACF;;IAEA;IACA;IACA,IAAIgC,KAAK,CAACG,MAAM,EAAE;MAChB,IAAI;QACF,MAAMC,cAAc,GAAG7C,GAAG,CAAC8C,OAAO,CAACL,KAAK,CAACG,MAAM,CAAC;QAChD,IAAI,CAACC,cAAc,CAAC9B,YAAY,CAAC,EAAE;UACjC,MAAM,IAAIjB,gBAAgB,CACvB,gBAAeiB,YAAa,eAAcD,WAAY,4CACzD,CAAC;QACH;MACF,CAAC,CAAC,OAAOQ,KAAK,EAAE;QACd,OAAO,KAAK;MACd;IACF;IACA;IACA;;IAEA,OAAO,IAAI;EACb,CAAC,CAAC;EAEF,IAAI,CAACiB,cAAc,EAAE;IACnB,MAAM,IAAIzC,gBAAgB,CACxB,iGACF,CAAC;EACH;;EAEA;;EAEA,MAAMmC,mBAAmB,GAAG7B,WAAW,CAACwC,MAAM,CAAEG,UAAU,IACxDX,kBAAkB,CAACY,QAAQ,CAACD,UAAU,CAACvC,OAAO,CAACN,gBAAgB,CAAC,CAClE,CAAC;EAED,MAAMgC,mBAAmB,GAAG9B,WAAW,CAACwC,MAAM,CAAEG,UAAU,IACxDV,kBAAkB,CAACW,QAAQ,CAACD,UAAU,CAACvC,OAAO,CAACN,gBAAgB,CAAC,CAClE,CAAC;EAED,MAAM+C,oBAAoB,GAAG,EAC3BrB,eAAe,CAACG,WAAW,CAACmB,gBAAgB,KAAK,UAAU,CAC5D;EAED,MAAMf,sBAAsB,GAAGc,oBAAoB,GAC/C7C,WAAW,CAACwC,MAAM,CACfG,UAAU,IACT,CAACV,kBAAkB,CAACW,QAAQ,CAC1BD,UAAU,CAACvC,OAAO,CAACN,gBAAgB,CACrC,CAAC,IACD,CAACkC,kBAAkB,CAACY,QAAQ,CAACD,UAAU,CAACvC,OAAO,CAACN,gBAAgB,CAAC,CACrE,CAAC,GACD,EAAE;EAEN,OAAO;IACL+B,mBAAmB;IACnBC,mBAAmB;IACnBC;EACF,CAAC;AACH,CAAC"}
+{"version":3,"names":["decode","prepareVpToken","createCryptoContextFor","JSONPath","MissingDataError","CredentialNotFoundError","Ajv","CBOR","prepareVpTokenMdoc","generateRandomAlphaNumericString","ajv","allErrors","disclosureWithEncodedToEvaluatedDisclosure","disclosure","claimName","claimValue","decoded","name","value","mapDisclosuresToObject","disclosures","reduce","obj","_ref","mapNamespacesToObject","namespaces","Object","entries","_ref2","namespace","elements","fromEntries","map","element","elementIdentifier","elementValue","findMatchedClaim","paths","payload","matchedPath","matchedValue","some","singlePath","result","path","json","length","error","extractClaimName","regex","match","Error","extractNamespaceAndClaimName","nameSpace","propertyName","evaluateInputDescriptorForMdoc","inputDescriptor","issuerSigned","_inputDescriptor$cons","constraints","fields","requiredDisclosures","optionalDisclosures","namespacesAsPayload","nameSpaces","allFieldsValid","every","field","undefined","optional","push","filter","validateSchema","compile","evaluateInputDescriptorForSdJwt4VC","payloadCredential","_inputDescriptor$cons2","disclosuresAsPayload","findCredentialSdJwt","decodedSdJwtCredentials","keyTag","credential","sdJwt","evaluatedDisclosure","matchedEvaluation","matchedKeyTag","matchedCredential","findCredentialMDoc","decodedMDocCredentials","evaluateInputDescriptors","inputDescriptors","credentialsSdJwt","credentialsMdoc","_ref3","decodedMdocCredentials","Promise","all","_ref4","decodeIssuerSigned","results","descriptor","_descriptor$format","_descriptor$format2","format","mso_mdoc","prepareRemotePresentations","credentialAndDescriptors","authRequestObject","generatedNonce","presentations","item","_descriptor$format3","_descriptor$format4","vp_token","nonce","clientId","responseUri","id","requestedClaims","vpToken"],"sourceRoot":"../../../../src","sources":["credential/presentation/07-evaluate-input-descriptor.ts"],"mappings":"AACA,SAASA,MAAM,EAAEC,cAAc,QAAQ,cAAc;AAErD,SAASC,sBAAsB,QAAQ,oBAAoB;AAC3D,SAASC,QAAQ,QAAQ,eAAe;AACxC,SAASC,gBAAgB,EAAEC,uBAAuB,QAAQ,UAAU;AACpE,OAAOC,GAAG,MAAM,KAAK;AACrB,SAASC,IAAI,QAAQ,8BAA8B;AACnD,SAASC,kBAAkB,QAAQ,YAAY;AAC/C,SAASC,gCAAgC,QAAQ,kBAAkB;AAEnE,MAAMC,GAAG,GAAG,IAAIJ,GAAG,CAAC;EAAEK,SAAS,EAAE;AAAK,CAAC,CAAC;AAmDxC,OAAO,MAAMC,0CAA0C,GACrDC,UAAiC,IACT;EACxB,MAAM,GAAGC,SAAS,EAAEC,UAAU,CAAC,GAAGF,UAAU,CAACG,OAAO;EACpD,OAAO;IACLC,IAAI,EAAEH,SAAS;IACfI,KAAK,EAAEH;EACT,CAAC;AACH,CAAC;AAeD;AACA;AACA;AACA;AACA;AACA,MAAMI,sBAAsB,GAC1BC,WAAoC,IACR;EAC5B,OAAOA,WAAW,CAACC,MAAM,CACvB,CAACC,GAAG,EAAAC,IAAA,KAAkB;IAAA,IAAhB;MAAEP;IAAQ,CAAC,GAAAO,IAAA;IACf,MAAM,GAAGT,SAAS,EAAEC,UAAU,CAAC,GAAGC,OAAO;IACzCM,GAAG,CAACR,SAAS,CAAC,GAAGC,UAAU;IAC3B,OAAOO,GAAG;EACZ,CAAC,EACD,CAAC,CACH,CAAC;AACH,CAAC;;AAED;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,MAAME,qBAAqB,GACzBC,UAA2C,IACf;EAC5B,OAAOC,MAAM,CAACC,OAAO,CAACF,UAAU,CAAC,CAACJ,MAAM,CACtC,CAACC,GAAG,EAAAM,KAAA,KAA4B;IAAA,IAA1B,CAACC,SAAS,EAAEC,QAAQ,CAAC,GAAAF,KAAA;IACzBN,GAAG,CAACO,SAAS,CAAC,GAAGH,MAAM,CAACK,WAAW,CACjCD,QAAQ,CAACE,GAAG,CAAEC,OAAO,IAAK,CACxBA,OAAO,CAACC,iBAAiB,EACzBD,OAAO,CAACE,YAAY,CACrB,CACH,CAAC;IACD,OAAOb,GAAG;EACZ,CAAC,EACD,CAAC,CACH,CAAC;AACH,CAAC;;AAED;AACA;AACA;AACA;AACA;AACA;AACA,MAAMc,gBAAgB,GAAGA,CACvBC,KAAe,EACfC,OAAY,KACW;EACvB,IAAIC,WAAW;EACf,IAAIC,YAAY;EAChBH,KAAK,CAACI,IAAI,CAAEC,UAAU,IAAK;IACzB,IAAI;MACF,MAAMC,MAAM,GAAGxC,QAAQ,CAAC;QAAEyC,IAAI,EAAEF,UAAU;QAAEG,IAAI,EAAEP;MAAQ,CAAC,CAAC;MAC5D,IAAIK,MAAM,CAACG,MAAM,GAAG,CAAC,EAAE;QACrBP,WAAW,GAAGG,UAAU;QACxBF,YAAY,GAAGG,MAAM,CAAC,CAAC,CAAC;QACxB,OAAO,IAAI;MACb;IACF,CAAC,CAAC,OAAOI,KAAK,EAAE;MACd,MAAM,IAAI3C,gBAAgB,CACvB,iBAAgBsC,UAAW,wCAC9B,CAAC;IACH;IACA,OAAO,KAAK;EACd,CAAC,CAAC;EAEF,OAAO,CAACH,WAAW,EAAEC,YAAY,CAAC;AACpC,CAAC;;AAED;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,MAAMQ,gBAAgB,GAAIJ,IAAY,IAAyB;EAC7D;EACA;EACA;EACA,MAAMK,KAAK,GAAG,yCAAyC;EAEvD,MAAMC,KAAK,GAAGN,IAAI,CAACM,KAAK,CAACD,KAAK,CAAC;EAC/B,IAAIC,KAAK,EAAE;IACT;IACA;IACA,OAAOA,KAAK,CAAC,CAAC,CAAC,IAAIA,KAAK,CAAC,CAAC,CAAC;EAC7B;EAEA,MAAM,IAAIC,KAAK,CACZ,0BAAyBP,IAAK,wFACjC,CAAC;AACH,CAAC;;AAED;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,MAAMQ,4BAA4B,GAChCR,IAAY,IACsC;EAClD,MAAMK,KAAK,GAAG,8DAA8D;EAC5E,MAAMC,KAAK,GAAGN,IAAI,CAACM,KAAK,CAACD,KAAK,CAAC;EAC/B,IAAIC,KAAK,EAAE;IACT,OAAO;MAAEG,SAAS,EAAEH,KAAK,CAAC,CAAC,CAAC;MAAEI,YAAY,EAAEJ,KAAK,CAAC,CAAC;IAAE,CAAC;EACxD;EAEA,MAAM,IAAIC,KAAK,CACZ,0BAAyBP,IAAK,yDACjC,CAAC;AACH,CAAC;AACD;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,MAAMW,8BAA2D,GAAGA,CACzEC,eAAe,EACfC,YAAY,KACT;EAAA,IAAAC,qBAAA;EACH,IAAI,EAACF,eAAe,aAAfA,eAAe,gBAAAE,qBAAA,GAAfF,eAAe,CAAEG,WAAW,cAAAD,qBAAA,eAA5BA,qBAAA,CAA8BE,MAAM,GAAE;IACzC;IACA,OAAO;MACLC,mBAAmB,EAAE,EAAE;MACvBC,mBAAmB,EAAE;IACvB,CAAC;EACH;EAEA,MAAMD,mBAA0C,GAAG,EAAE;EACrD,MAAMC,mBAA0C,GAAG,EAAE;;EAErD;EACA,MAAMC,mBAAmB,GAAGvC,qBAAqB,CAACiC,YAAY,CAACO,UAAU,CAAC;EAE1E,MAAMC,cAAc,GAAGT,eAAe,CAACG,WAAW,CAACC,MAAM,CAACM,KAAK,CAAEC,KAAK,IAAK;IACzE,MAAM,CAAC5B,WAAW,EAAEC,YAAY,CAAC,GAAGJ,gBAAgB,CAClD+B,KAAK,CAACvB,IAAI,EACVmB,mBACF,CAAC;;IAED;IACA,IAAIvB,YAAY,KAAK4B,SAAS,IAAI,CAAC7B,WAAW,EAAE;MAC9C,OAAO4B,KAAK,aAALA,KAAK,uBAALA,KAAK,CAAEE,QAAQ;IACxB,CAAC,MAAM;MACL;MACA,MAAM;QAAEhB,SAAS;QAAEC;MAAa,CAAC,GAC/BF,4BAA4B,CAACb,WAAW,CAAC;MAC3C,IAAIc,SAAS,IAAIC,YAAY,EAAE;QAC7B,CAACa,KAAK,aAALA,KAAK,eAALA,KAAK,CAAEE,QAAQ,GAAGP,mBAAmB,GAAGD,mBAAmB,EAAES,IAAI,CAAC;UACjEzC,SAAS,EAAEwB,SAAS;UACpBpC,IAAI,EAAEqC,YAAY;UAClBpC,KAAK,EAAEsB;QACT,CAAC,CAAC;MACJ;IACF;IAEA,IAAI2B,KAAK,CAACI,MAAM,EAAE;MAChB,IAAI;QACF,MAAMC,cAAc,GAAG9D,GAAG,CAAC+D,OAAO,CAACN,KAAK,CAACI,MAAM,CAAC;QAChD,IAAI,CAACC,cAAc,CAAChC,YAAY,CAAC,EAAE;UACjC,MAAM,IAAIpC,gBAAgB,CACvB,gBAAeoC,YAAa,eAAcD,WAAY,4CACzD,CAAC;QACH;MACF,CAAC,CAAC,OAAOQ,KAAK,EAAE;QACd,OAAO,KAAK;MACd;IACF;IAEA,OAAO,IAAI;EACb,CAAC,CAAC;EAEF,IAAI,CAACkB,cAAc,EAAE;IACnB,MAAM,IAAI7D,gBAAgB,CACxB,iGACF,CAAC;EACH;EAEA,OAAO;IACLyD,mBAAmB;IACnBC;EACF,CAAC;AACH,CAAC;;AAED;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,MAAMY,kCAAmE,GAC9EA,CAAClB,eAAe,EAAEmB,iBAAiB,EAAEvD,WAAW,KAAK;EAAA,IAAAwD,sBAAA;EACnD,IAAI,EAACpB,eAAe,aAAfA,eAAe,gBAAAoB,sBAAA,GAAfpB,eAAe,CAAEG,WAAW,cAAAiB,sBAAA,eAA5BA,sBAAA,CAA8BhB,MAAM,GAAE;IACzC;IACA,OAAO;MACLC,mBAAmB,EAAE,EAAE;MACvBC,mBAAmB,EAAE;IACvB,CAAC;EACH;EACA,MAAMD,mBAA0C,GAAG,EAAE;EACrD,MAAMC,mBAA0C,GAAG,EAAE;;EAErD;EACA,MAAMe,oBAAoB,GAAG1D,sBAAsB,CAACC,WAAW,CAAC;;EAEhE;EACA;EACA,MAAM6C,cAAc,GAAGT,eAAe,CAACG,WAAW,CAACC,MAAM,CAACM,KAAK,CAAEC,KAAK,IAAK;IACzE;IACA;IACA;IACA,IAAI,CAAC5B,WAAW,EAAEC,YAAY,CAAC,GAAGJ,gBAAgB,CAChD+B,KAAK,CAACvB,IAAI,EACViC,oBACF,CAAC;IAED,IAAI,CAACtC,WAAW,EAAE;MAChB,CAACA,WAAW,EAAEC,YAAY,CAAC,GAAGJ,gBAAgB,CAC5C+B,KAAK,CAACvB,IAAI,EACV+B,iBACF,CAAC;MAED,IAAI,CAACpC,WAAW,EAAE;QAChB;QACA,OAAO4B,KAAK,aAALA,KAAK,uBAALA,KAAK,CAAEE,QAAQ;MACxB;IACF,CAAC,MAAM;MACL;MACA,MAAMvD,SAAS,GAAGkC,gBAAgB,CAACT,WAAW,CAAC;MAC/C,IAAIzB,SAAS,EAAE;QACb,CAACqD,KAAK,aAALA,KAAK,eAALA,KAAK,CAAEE,QAAQ,GAAGP,mBAAmB,GAAGD,mBAAmB,EAAES,IAAI,CAAC;UACjEpD,KAAK,EAAEsB,YAAY;UACnBvB,IAAI,EAAEH;QACR,CAAC,CAAC;MACJ;IACF;;IAEA;IACA;IACA,IAAIqD,KAAK,CAACI,MAAM,EAAE;MAChB,IAAI;QACF,MAAMC,cAAc,GAAG9D,GAAG,CAAC+D,OAAO,CAACN,KAAK,CAACI,MAAM,CAAC;QAChD,IAAI,CAACC,cAAc,CAAChC,YAAY,CAAC,EAAE;UACjC,MAAM,IAAIpC,gBAAgB,CACvB,gBAAeoC,YAAa,eAAcD,WAAY,4CACzD,CAAC;QACH;MACF,CAAC,CAAC,OAAOQ,KAAK,EAAE;QACd,OAAO,KAAK;MACd;IACF;IACA;IACA;;IAEA,OAAO,IAAI;EACb,CAAC,CAAC;EAEF,IAAI,CAACkB,cAAc,EAAE;IACnB,MAAM,IAAI7D,gBAAgB,CACxB,iGACF,CAAC;EACH;EAEA,OAAO;IACLyD,mBAAmB;IACnBC;EACF,CAAC;AACH,CAAC;;AAEH;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,MAAMgB,mBAAmB,GAAGA,CACjCtB,eAAgC,EAChCuB,uBAAiD,KAK9C;EACH,KAAK,MAAM;IACTC,MAAM;IACNC,UAAU;IACVC,KAAK;IACL9D;EACF,CAAC,IAAI2D,uBAAuB,EAAE;IAC5B,IAAI;MACF,MAAMI,mBAAmB,GAAGT,kCAAkC,CAC5DlB,eAAe,EACf0B,KAAK,CAAC5C,OAAO,EACblB,WACF,CAAC;MAED,OAAO;QACLgE,iBAAiB,EAAED,mBAAmB;QACtCE,aAAa,EAAEL,MAAM;QACrBM,iBAAiB,EAAEL;MACrB,CAAC;IACH,CAAC,CAAC,MAAM;MACN;MACA;IACF;EACF;EAEA,MAAM,IAAI5E,uBAAuB,CAC/B,6DACF,CAAC;AACH,CAAC;;AAED;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,MAAMkF,kBAAkB,GAAGA,CAChC/B,eAAgC,EAChCgC,sBAA+C,KAK5C;EACH,KAAK,MAAM;IAAER,MAAM;IAAEC,UAAU;IAAExB;EAAa,CAAC,IAAI+B,sBAAsB,EAAE;IACzE,IAAI;MACF,MAAML,mBAAmB,GAAG5B,8BAA8B,CACxDC,eAAe,EACfC,YACF,CAAC;MAED,OAAO;QACL2B,iBAAiB,EAAED,mBAAmB;QACtCE,aAAa,EAAEL,MAAM;QACrBM,iBAAiB,EAAEL;MACrB,CAAC;IACH,CAAC,CAAC,MAAM;MACN;MACA;IACF;EACF;EAEA,MAAM,IAAI5E,uBAAuB,CAC/B,4DACF,CAAC;AACH,CAAC;;AAED;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,MAAMoF,wBAAkD,GAAG,MAAAA,CAChEC,gBAAgB,EAChBC,gBAAgB,EAChBC,eAAe,KACZ;EACH;EACA,MAAMb,uBAAuB,GAC3B,CAAAY,gBAAgB,aAAhBA,gBAAgB,uBAAhBA,gBAAgB,CAAE3D,GAAG,CAAC6D,KAAA,IAA0B;IAAA,IAAzB,CAACb,MAAM,EAAEC,UAAU,CAAC,GAAAY,KAAA;IACzC,MAAM;MAAEX,KAAK;MAAE9D;IAAY,CAAC,GAAGpB,MAAM,CAACiF,UAAU,CAAC;IACjD,OAAO;MAAED,MAAM;MAAEC,UAAU;MAAEC,KAAK;MAAE9D;IAAY,CAAC;EACnD,CAAC,CAAC,KAAI,EAAE;;EAEV;EACA,MAAM0E,sBAAsB,GAC1B,CAAC,MAAMC,OAAO,CAACC,GAAG,CAChBJ,eAAe,aAAfA,eAAe,uBAAfA,eAAe,CAAE5D,GAAG,CAAC,MAAAiE,KAAA,IAAgC;IAAA,IAAzB,CAACjB,MAAM,EAAEC,UAAU,CAAC,GAAAgB,KAAA;IAC9C,MAAMxC,YAAY,GAAG,MAAMlD,IAAI,CAAC2F,kBAAkB,CAACjB,UAAU,CAAC;IAC9D,IAAI,CAACxB,YAAY,EAAE;MACjB,MAAM,IAAIpD,uBAAuB,CAC/B,qCACF,CAAC;IACH;IACA,OAAO;MAAE2E,MAAM;MAAEC,UAAU;MAAExB;IAAa,CAAC;EAC7C,CAAC,CACH,CAAC,KAAK,EAAE;EAEV,MAAM0C,OAAO,GAAGJ,OAAO,CAACC,GAAG,CACzBN,gBAAgB,CAAC1D,GAAG,CAAC,MAAOoE,UAAU,IAAK;IAAA,IAAAC,kBAAA,EAAAC,mBAAA;IACzC,KAAAD,kBAAA,GAAID,UAAU,CAACG,MAAM,cAAAF,kBAAA,eAAjBA,kBAAA,CAAmBG,QAAQ,EAAE;MAC/B,IAAI,CAACZ,eAAe,CAAC9C,MAAM,EAAE;QAC3B,MAAM,IAAIzC,uBAAuB,CAC/B,uCACF,CAAC;MACH;MAEA,MAAM;QAAE+E,iBAAiB;QAAEC,aAAa;QAAEC;MAAkB,CAAC,GAC3DC,kBAAkB,CAACa,UAAU,EAAEN,sBAAsB,CAAC;MAExD,OAAO;QACLX,mBAAmB,EAAEC,iBAAiB;QACtC5B,eAAe,EAAE4C,UAAU;QAC3BnB,UAAU,EAAEK,iBAAiB;QAC7BN,MAAM,EAAEK;MACV,CAAC;IACH;IAEA,KAAAiB,mBAAA,GAAIF,UAAU,CAACG,MAAM,cAAAD,mBAAA,eAAjBA,mBAAA,CAAoB,WAAW,CAAC,EAAE;MACpC,IAAI,CAACvB,uBAAuB,CAACjC,MAAM,EAAE;QACnC,MAAM,IAAIzC,uBAAuB,CAC/B,wCACF,CAAC;MACH;MAEA,MAAM;QAAE+E,iBAAiB;QAAEC,aAAa;QAAEC;MAAkB,CAAC,GAC3DR,mBAAmB,CAACsB,UAAU,EAAErB,uBAAuB,CAAC;MAE1D,OAAO;QACLI,mBAAmB,EAAEC,iBAAiB;QACtC5B,eAAe,EAAE4C,UAAU;QAC3BnB,UAAU,EAAEK,iBAAiB;QAC7BN,MAAM,EAAEK;MACV,CAAC;IACH;IAEA,MAAM,IAAIhF,uBAAuB,CAC9B,GAAE+F,UAAU,CAACG,MAAO,2BACvB,CAAC;EACH,CAAC,CACH,CAAC;EAED,OAAOJ,OAAO;AAChB,CAAC;;AAED;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,MAAMM,0BAAsD,GAAG,MAAAA,CACpEC,wBAAwB,EACxBC,iBAAiB,KACd;EACH;EACA,MAAMC,cAAc,GAAGnG,gCAAgC,CAAC,EAAE,CAAC;EAE3D,MAAMoG,aAAa,GAAG,MAAMd,OAAO,CAACC,GAAG,CACrCU,wBAAwB,CAAC1E,GAAG,CAAC,MAAO8E,IAAI,IAAK;IAAA,IAAAC,mBAAA,EAAAC,mBAAA;IAC3C,MAAMZ,UAAU,GAAGU,IAAI,CAACtD,eAAe;IAEvC,KAAAuD,mBAAA,GAAIX,UAAU,CAACG,MAAM,cAAAQ,mBAAA,eAAjBA,mBAAA,CAAmBP,QAAQ,EAAE;MAC/B,MAAM;QAAES;MAAS,CAAC,GAAG,MAAMzG,kBAAkB,CAC3CmG,iBAAiB,CAACO,KAAK,EACvBN,cAAc,EACdD,iBAAiB,CAACQ,QAAQ,EAC1BR,iBAAiB,CAACS,WAAW,EAC7BhB,UAAU,CAACiB,EAAE,EACbP,IAAI,CAAC9B,MAAM,EACX,CACE8B,IAAI,CAAC7B,UAAU,EACf6B,IAAI,CAACQ,eAAe,EACpBpH,sBAAsB,CAAC4G,IAAI,CAAC9B,MAAM,CAAC,CAEvC,CAAC;MAED,OAAO;QACLsC,eAAe,EAAER,IAAI,CAACQ,eAAe;QACrC9D,eAAe,EAAE4C,UAAU;QAC3BmB,OAAO,EAAEN,QAAQ;QACjBV,MAAM,EAAE;MACV,CAAC;IACH;IAEA,KAAAS,mBAAA,GAAIZ,UAAU,CAACG,MAAM,cAAAS,mBAAA,eAAjBA,mBAAA,CAAoB,WAAW,CAAC,EAAE;MACpC,MAAM;QAAEC;MAAS,CAAC,GAAG,MAAMhH,cAAc,CACvC0G,iBAAiB,CAACO,KAAK,EACvBP,iBAAiB,CAACQ,QAAQ,EAC1B,CACEL,IAAI,CAAC7B,UAAU,EACf6B,IAAI,CAACQ,eAAe,EACpBpH,sBAAsB,CAAC4G,IAAI,CAAC9B,MAAM,CAAC,CAEvC,CAAC;MAED,OAAO;QACLsC,eAAe,EAAER,IAAI,CAACQ,eAAe;QACrC9D,eAAe,EAAE4C,UAAU;QAC3BmB,OAAO,EAAEN,QAAQ;QACjBV,MAAM,EAAE;MACV,CAAC;IACH;IAEA,MAAM,IAAIlG,uBAAuB,CAC9B,GAAE+F,UAAU,CAACG,MAAO,2BACvB,CAAC;EACH,CAAC,CACH,CAAC;EAED,OAAO;IACLM,aAAa;IACbD;EACF,CAAC;AACH,CAAC"}

package/lib/module/credential/presentation/08-send-authorization-response.js

@@ -1,9 +1,9 @@
-import { EncryptJwe, SignJWT, sha256ToBase64 } from "@pagopa/io-react-native-jwt";
+import { EncryptJwe } from "@pagopa/io-react-native-jwt";
 import uuid from "react-native-uuid";
 import { NoSuitableKeysFoundInEntityConfiguration } from "./errors";
 import { hasStatusOrThrow } from "../../utils/misc";
-import { disclose } from "../../sd-jwt";
 import * as z from "zod";
+import { Base64 } from "js-base64";
 export const AuthorizationResponse = z.object({
   status: z.string().optional(),
   response_code: z.string() /**
@@ -32,69 +32,6 @@ export const choosePublicKeyToEncrypt = rpJwkKeys => {
   throw new NoSuitableKeysFoundInEntityConfiguration("No suitable public key found for encryption.");
 };
 
-/**
- * Prepares a Verified Presentation (VP) token to be sent as part of an
- * authorization response in an OpenID 4 Verifiable Presentations flow.
- *
- * @param requestObject - The request object containing the nonce, response URI, and other necessary info.
- * @param presentationTuple - A tuple containing a verifiable credential, the claims to disclose,
- *                            and a cryptographic context for signing.
- * @returns An object containing the signed VP token (`vp_token`) and a `presentation_submission` object.
- * @param presentationDefinition - Definition outlining presentation requirements.
- * @param presentationTuple - Tuple containing:
- *    - A verifiable credential.
- *    - Claims that should be disclosed.
- *    - Cryptographic context for signing.
- * @returns An object with:
- *    - `vp_token`: The signed VP token.
- *    - `presentation_submission`: Object mapping disclosed credentials to the request.
- *
- * @remarks
- *  1. The `disclose()` function is used to produce a token with only the requested claims.
- *  2. A new JWT is then signed, including the VP, `jti`, `iss`, `nonce`, audience, and expiration.
- *  3. The `presentation_submission` object follows the OpenID 4 VP specification for describing
- *     how the disclosed credentials map to the request.
- *
- * @todo [SIW-353] Support multiple verifiable credentials in a single request.
- */
-export const prepareVpToken = async (requestObject, presentationDefinition, _ref) => {
-  var _presentationDefiniti;
-  let [verifiableCredential, requestedClaims, cryptoContext] = _ref;
-  // Produce a VP token with only requested claims from the verifiable credential
-  const {
-    token: vp
-  } = await disclose(verifiableCredential, requestedClaims);
-
-  // <Issuer-signed JWT>~<Disclosure 1>~<Disclosure N>~
-  const sd_hash = await sha256ToBase64(`${vp}~`);
-  const kbJwt = await new SignJWT(cryptoContext).setProtectedHeader({
-    typ: "kb+jwt",
-    alg: "ES256"
-  }).setPayload({
-    sd_hash,
-    nonce: requestObject.nonce
-  }).setAudience(requestObject.client_id).setIssuedAt().sign();
-
-  // <Issuer-signed JWT>~<Disclosure 1>~...~<Disclosure N>~<KB-JWT>
-  const vp_token = [vp, kbJwt].join("~");
-
-  // Determine the descriptor ID to use for mapping. Fallback to first input descriptor ID if not specified
-  // We support only one credential for now, so we get first input_descriptor and create just one descriptor_map
-  const presentation_submission = {
-    id: uuid.v4(),
-    definition_id: presentationDefinition.id,
-    descriptor_map: [{
-      id: presentationDefinition === null || presentationDefinition === void 0 || (_presentationDefiniti = presentationDefinition.input_descriptors[0]) === null || _presentationDefiniti === void 0 ? void 0 : _presentationDefiniti.id,
-      path: `$`,
-      format: "vc+sd-jwt"
-    }]
-  };
-  return {
-    vp_token,
-    presentation_submission
-  };
-};
-
 /**
  * Builds a URL-encoded form body for a direct POST response without encryption.
  *
@@ -104,10 +41,12 @@ export const prepareVpToken = async (requestObject, presentationDefinition, _ref
  */
 export const buildDirectPostBody = async (requestObject, payload) => {
   const formUrlEncodedBody = new URLSearchParams({
-    state: requestObject.state,
-    ...Object.fromEntries(Object.entries(payload).map(_ref2 => {
-      let [key, value] = _ref2;
-      return [key, typeof value === "object" ? JSON.stringify(value) : value];
+    ...(requestObject.state ? {
+      state: requestObject.state
+    } : {}),
+    ...Object.fromEntries(Object.entries(payload).map(_ref => {
+      let [key, value] = _ref;
+      return [key, Array.isArray(value) || typeof value === "object" ? JSON.stringify(value) : value];
     }))
   });
   return formUrlEncodedBody.toString();
@@ -119,10 +58,11 @@ export const buildDirectPostBody = async (requestObject, payload) => {
  * @param jwkKeys - Array of JWKs from the Relying Party for encryption.
  * @param requestObject - Contains state, nonce, and other relevant info.
  * @param payload - Object that contains either the VP token to encrypt and the mapping of the credential disclosures or the error code
+ * @param generatedNonce - Optional nonce for the `apu` claim in the JWE header, it is used during ISO 18013-7.
  * @returns A URL-encoded string for an `application/x-www-form-urlencoded` POST body,
  *          where `response` contains the encrypted JWE.
  */
-export const buildDirectPostJwtBody = async (jwkKeys, requestObject, payload) => {
+export const buildDirectPostJwtBody = async (jwkKeys, requestObject, payload, generatedNonce) => {
   // Prepare the authorization response payload to be encrypted
   const authzResponsePayload = JSON.stringify({
     state: requestObject.state,
@@ -131,7 +71,6 @@ export const buildDirectPostJwtBody = async (jwkKeys, requestObject, payload) =>
 
   // Choose a suitable RSA public key for encryption
   const encPublicJwk = choosePublicKeyToEncrypt(jwkKeys);
-
   // Encrypt the authorization payload
   const {
     client_metadata
@@ -139,13 +78,20 @@ export const buildDirectPostJwtBody = async (jwkKeys, requestObject, payload) =>
   const encryptedResponse = await new EncryptJwe(authzResponsePayload, {
     alg: (client_metadata === null || client_metadata === void 0 ? void 0 : client_metadata.authorization_encrypted_response_alg) || "RSA-OAEP-256",
     enc: (client_metadata === null || client_metadata === void 0 ? void 0 : client_metadata.authorization_encrypted_response_enc) || "A256CBC-HS512",
-    kid: encPublicJwk.kid
+    kid: encPublicJwk.kid,
+    /* ISO 18013-7 */
+    apv: Base64.encodeURI(requestObject.nonce),
+    ...(generatedNonce ? {
+      apu: Base64.encodeURI(generatedNonce)
+    } : {})
   }).encrypt(encPublicJwk);
 
   // Build the x-www-form-urlencoded form body
   const formBody = new URLSearchParams({
     response: encryptedResponse,
-    state: requestObject.state
+    ...(requestObject.state ? {
+      state: requestObject.state
+    } : {})
   });
   return formBody.toString();
 };
@@ -166,33 +112,52 @@ export const buildDirectPostJwtBody = async (jwkKeys, requestObject, payload) =>
  * @param context - Contains optional custom fetch implementation.
  * @returns Parsed and validated authorization response from the Relying Party.
  */
-export const sendAuthorizationResponse = async function (requestObject, presentationDefinition, jwkKeys, presentation) {
+export const sendAuthorizationResponse = async function (requestObject, presentationDefinitionId, jwkKeys, remotePresentation) {
+  var _presentations$;
   let {
     appFetch = fetch
   } = arguments.length > 4 && arguments[4] !== undefined ? arguments[4] : {};
-  // 1. Create the VP token and associated submission mapping
   const {
-    vp_token,
-    presentation_submission
-  } = await prepareVpToken(requestObject, presentationDefinition, presentation);
+    generatedNonce,
+    presentations
+  } = remotePresentation;
+  /**
+   * 1. Prepare the VP token and presentation submission
+   * If there is only one credential, `vpToken` is a single string.
+   * If there are multiple credential, `vpToken` is an array of string.
+   **/
+  const vp_token = (presentations === null || presentations === void 0 ? void 0 : presentations.length) === 1 ? (_presentations$ = presentations[0]) === null || _presentations$ === void 0 ? void 0 : _presentations$.vpToken : presentations.map(presentation => presentation.vpToken);
+  const descriptor_map = presentations.map((presentation, index) => ({
+    id: presentation.inputDescriptor.id,
+    path: (presentations === null || presentations === void 0 ? void 0 : presentations.length) === 1 ? `$` : `$[${index}]`,
+    format: presentation.format
+  }));
+  const presentation_submission = {
+    id: uuid.v4(),
+    definition_id: presentationDefinitionId,
+    descriptor_map
+  };
 
   // 2. Choose the appropriate request body builder based on response mode
   const requestBody = requestObject.response_mode === "direct_post.jwt" ? await buildDirectPostJwtBody(jwkKeys, requestObject, {
     vp_token,
     presentation_submission
-  }) : await buildDirectPostBody(requestObject, {
+  }, generatedNonce) : await buildDirectPostBody(requestObject, {
     vp_token,
     presentation_submission: presentation_submission
   });
 
   // 3. Send the authorization response via HTTP POST and validate the response
-  return await appFetch(requestObject.response_uri, {
+  const authResponse = await appFetch(requestObject.response_uri, {
     method: "POST",
     headers: {
       "Content-Type": "application/x-www-form-urlencoded"
     },
     body: requestBody
-  }).then(hasStatusOrThrow(200)).then(res => res.json()).then(AuthorizationResponse.parse);
+  }).then(hasStatusOrThrow(200)).then(res => res.json()).then(AuthorizationResponse.safeParse);
+
+  // Some Relying Parties may return an empty body.
+  return authResponse.success ? authResponse.data : {};
 };
 
 /**