@pagopa/io-react-native-wallet 1.4.0 → 1.6.0

package/src/credential/presentation/08-send-authorization-response.ts

@@ -1,22 +1,17 @@
-import {
-  EncryptJwe,
-  SignJWT,
-  sha256ToBase64,
-} from "@pagopa/io-react-native-jwt";
+import { EncryptJwe } from "@pagopa/io-react-native-jwt";
 import uuid from "react-native-uuid";
 import type { FetchJwks } from "./04-retrieve-rp-jwks";
 import type { VerifyRequestObjectSignature } from "./05-verify-request-object";
 import { NoSuitableKeysFoundInEntityConfiguration } from "./errors";
 import { hasStatusOrThrow, type Out } from "../../utils/misc";
-import { disclose } from "../../sd-jwt";
 import {
   DirectAuthorizationBodyPayload,
   ErrorResponse,
-  PresentationDefinition,
-  type Presentation,
+  type RemotePresentation,
 } from "./types";
 import * as z from "zod";
 import type { JWK } from "../../utils/jwk";
+import { Base64 } from "js-base64";
 
 export type AuthorizationResponse = z.infer<typeof AuthorizationResponse>;
 export const AuthorizationResponse = z.object({
@@ -54,78 +49,6 @@ export const choosePublicKeyToEncrypt = (
   );
 };
 
-/**
- * Prepares a Verified Presentation (VP) token to be sent as part of an
- * authorization response in an OpenID 4 Verifiable Presentations flow.
- *
- * @param requestObject - The request object containing the nonce, response URI, and other necessary info.
- * @param presentationTuple - A tuple containing a verifiable credential, the claims to disclose,
- *                            and a cryptographic context for signing.
- * @returns An object containing the signed VP token (`vp_token`) and a `presentation_submission` object.
- * @param presentationDefinition - Definition outlining presentation requirements.
- * @param presentationTuple - Tuple containing:
- *    - A verifiable credential.
- *    - Claims that should be disclosed.
- *    - Cryptographic context for signing.
- * @returns An object with:
- *    - `vp_token`: The signed VP token.
- *    - `presentation_submission`: Object mapping disclosed credentials to the request.
- *
- * @remarks
- *  1. The `disclose()` function is used to produce a token with only the requested claims.
- *  2. A new JWT is then signed, including the VP, `jti`, `iss`, `nonce`, audience, and expiration.
- *  3. The `presentation_submission` object follows the OpenID 4 VP specification for describing
- *     how the disclosed credentials map to the request.
- *
- * @todo [SIW-353] Support multiple verifiable credentials in a single request.
- */
-export const prepareVpToken = async (
-  requestObject: Out<VerifyRequestObjectSignature>["requestObject"],
-  presentationDefinition: PresentationDefinition,
-  [verifiableCredential, requestedClaims, cryptoContext]: Presentation
-): Promise<{
-  vp_token: string;
-  presentation_submission: Record<string, unknown>;
-}> => {
-  // Produce a VP token with only requested claims from the verifiable credential
-  const { token: vp } = await disclose(verifiableCredential, requestedClaims);
-
-  // <Issuer-signed JWT>~<Disclosure 1>~<Disclosure N>~
-  const sd_hash = await sha256ToBase64(`${vp}~`);
-
-  const kbJwt = await new SignJWT(cryptoContext)
-    .setProtectedHeader({
-      typ: "kb+jwt",
-      alg: "ES256",
-    })
-    .setPayload({
-      sd_hash,
-      nonce: requestObject.nonce,
-    })
-    .setAudience(requestObject.client_id)
-    .setIssuedAt()
-    .sign();
-
-  // <Issuer-signed JWT>~<Disclosure 1>~...~<Disclosure N>~<KB-JWT>
-  const vp_token = [vp, kbJwt].join("~");
-
-  // Determine the descriptor ID to use for mapping. Fallback to first input descriptor ID if not specified
-  // We support only one credential for now, so we get first input_descriptor and create just one descriptor_map
-  const presentation_submission = {
-    id: uuid.v4(),
-    definition_id: presentationDefinition.id,
-    descriptor_map: [
-      {
-        id: presentationDefinition?.input_descriptors[0]?.id,
-        path: `$`,
-        format: "vc+sd-jwt",
-      },
-    ],
-  };
-
-  return { vp_token, presentation_submission };
-};
-
 /**
  * Builds a URL-encoded form body for a direct POST response without encryption.
  *
@@ -138,10 +61,15 @@ export const buildDirectPostBody = async (
   payload: DirectAuthorizationBodyPayload
 ): Promise<string> => {
   const formUrlEncodedBody = new URLSearchParams({
-    state: requestObject.state,
+    ...(requestObject.state ? { state: requestObject.state } : {}),
     ...Object.fromEntries(
       Object.entries(payload).map(([key, value]) => {
-        return [key, typeof value === "object" ? JSON.stringify(value) : value];
+        return [
+          key,
+          Array.isArray(value) || typeof value === "object"
+            ? JSON.stringify(value)
+            : value,
+        ];
       })
     ),
   });
@@ -155,13 +83,15 @@ export const buildDirectPostBody = async (
  * @param jwkKeys - Array of JWKs from the Relying Party for encryption.
  * @param requestObject - Contains state, nonce, and other relevant info.
  * @param payload - Object that contains either the VP token to encrypt and the mapping of the credential disclosures or the error code
+ * @param generatedNonce - Optional nonce for the `apu` claim in the JWE header, it is used during ISO 18013-7.
  * @returns A URL-encoded string for an `application/x-www-form-urlencoded` POST body,
  *          where `response` contains the encrypted JWE.
  */
 export const buildDirectPostJwtBody = async (
   jwkKeys: Out<FetchJwks>["keys"],
   requestObject: Out<VerifyRequestObjectSignature>["requestObject"],
-  payload: DirectAuthorizationBodyPayload
+  payload: DirectAuthorizationBodyPayload,
+  generatedNonce?: string
 ): Promise<string> => {
   // Prepare the authorization response payload to be encrypted
   const authzResponsePayload = JSON.stringify({
@@ -171,7 +101,6 @@ export const buildDirectPostJwtBody = async (
 
   // Choose a suitable RSA public key for encryption
   const encPublicJwk = choosePublicKeyToEncrypt(jwkKeys);
-
   // Encrypt the authorization payload
   const { client_metadata } = requestObject;
   const encryptedResponse = await new EncryptJwe(authzResponsePayload, {
@@ -184,12 +113,15 @@ export const buildDirectPostJwtBody = async (
         | "A256CBC-HS512"
         | "A128CBC-HS256") || "A256CBC-HS512",
     kid: encPublicJwk.kid,
+    /* ISO 18013-7 */
+    apv: Base64.encodeURI(requestObject.nonce),
+    ...(generatedNonce ? { apu: Base64.encodeURI(generatedNonce) } : {}),
   }).encrypt(encPublicJwk);
 
   // Build the x-www-form-urlencoded form body
   const formBody = new URLSearchParams({
     response: encryptedResponse,
-    state: requestObject.state,
+    ...(requestObject.state ? { state: requestObject.state } : {}),
   });
   return formBody.toString();
 };
@@ -200,9 +132,9 @@ export const buildDirectPostJwtBody = async (
  */
 export type SendAuthorizationResponse = (
   requestObject: Out<VerifyRequestObjectSignature>["requestObject"],
-  presentationDefinition: PresentationDefinition,
+  presentationDefinitionId: string,
   jwkKeys: Out<FetchJwks>["keys"],
-  presentation: Presentation, // TODO: [SIW-353] support multiple presentations
+  remotePresentation: RemotePresentation,
   context?: {
     appFetch?: GlobalFetch["fetch"];
   }
@@ -221,32 +153,53 @@ export type SendAuthorizationResponse = (
  */
 export const sendAuthorizationResponse: SendAuthorizationResponse = async (
   requestObject,
-  presentationDefinition,
+  presentationDefinitionId,
   jwkKeys,
-  presentation,
+  remotePresentation,
   { appFetch = fetch } = {}
 ): Promise<AuthorizationResponse> => {
-  // 1. Create the VP token and associated submission mapping
-  const { vp_token, presentation_submission } = await prepareVpToken(
-    requestObject,
-    presentationDefinition,
-    presentation
-  );
+  const { generatedNonce, presentations } = remotePresentation;
+  /**
+   * 1. Prepare the VP token and presentation submission
+   * If there is only one credential, `vpToken` is a single string.
+   * If there are multiple credential, `vpToken` is an array of string.
+   **/
+  const vp_token =
+    presentations?.length === 1
+      ? presentations[0]?.vpToken
+      : presentations.map((presentation) => presentation.vpToken);
+
+  const descriptor_map = presentations.map((presentation, index) => ({
+    id: presentation.inputDescriptor.id,
+    path: presentations?.length === 1 ? `$` : `$[${index}]`,
+    format: presentation.format,
+  }));
+
+  const presentation_submission = {
+    id: uuid.v4(),
+    definition_id: presentationDefinitionId,
+    descriptor_map,
+  };
 
   // 2. Choose the appropriate request body builder based on response mode
   const requestBody =
     requestObject.response_mode === "direct_post.jwt"
-      ? await buildDirectPostJwtBody(jwkKeys, requestObject, {
-          vp_token,
-          presentation_submission,
-        })
+      ? await buildDirectPostJwtBody(
+          jwkKeys,
+          requestObject,
+          {
+            vp_token,
+            presentation_submission,
+          },
+          generatedNonce
+        )
       : await buildDirectPostBody(requestObject, {
           vp_token,
           presentation_submission: presentation_submission,
         });
 
   // 3. Send the authorization response via HTTP POST and validate the response
-  return await appFetch(requestObject.response_uri, {
+  const authResponse = await appFetch(requestObject.response_uri, {
     method: "POST",
     headers: {
       "Content-Type": "application/x-www-form-urlencoded",
@@ -255,7 +208,10 @@ export const sendAuthorizationResponse: SendAuthorizationResponse = async (
   })
     .then(hasStatusOrThrow(200))
     .then((res) => res.json())
-    .then(AuthorizationResponse.parse);
+    .then(AuthorizationResponse.safeParse);
+
+  // Some Relying Parties may return an empty body.
+  return authResponse.success ? authResponse.data : {};
 };
 
 /**

package/src/credential/presentation/errors.ts

@@ -71,3 +71,19 @@ export class MissingDataError extends IoWalletError {
     super(message);
   }
 }
+
+/**
+ * When a credential is not found in the wallet.
+ *
+ */
+export class CredentialNotFoundError extends IoWalletError {
+  code = "ERR_CREDENTIAL_NOT_FOUND";
+
+  /**
+   * @param credentialId The ID of the credential that was not found.
+   */
+  constructor(credentialId: string) {
+    const message = `Credential not found: ${credentialId}.`;
+    super(message);
+  }
+}

package/src/credential/presentation/index.ts

@@ -21,8 +21,10 @@ import {
   type FetchPresentationDefinition,
 } from "./06-fetch-presentation-definition";
 import {
-  evaluateInputDescriptorForSdJwt4VC,
-  type EvaluateInputDescriptorSdJwt4VC,
+  evaluateInputDescriptors,
+  prepareRemotePresentations,
+  type EvaluateInputDescriptors,
+  type PrepareRemotePresentations,
 } from "./07-evaluate-input-descriptor";
 import {
   sendAuthorizationResponse,
@@ -40,9 +42,10 @@ export {
   fetchJwksFromConfig,
   verifyRequestObjectSignature,
   fetchPresentDefinition,
-  evaluateInputDescriptorForSdJwt4VC,
+  evaluateInputDescriptors,
   sendAuthorizationResponse,
   sendAuthorizationErrorResponse,
+  prepareRemotePresentations,
   Errors,
 };
 export type {
@@ -52,7 +55,8 @@ export type {
   FetchJwks,
   VerifyRequestObjectSignature,
   FetchPresentationDefinition,
-  EvaluateInputDescriptorSdJwt4VC,
+  EvaluateInputDescriptors,
+  PrepareRemotePresentations,
   SendAuthorizationResponse,
   SendAuthorizationErrorResponse,
 };

package/src/credential/presentation/types.ts

@@ -9,9 +9,22 @@ import { JWKS } from "../../utils/jwk";
 export type Presentation = [
   /* verified credential token */ string,
   /* claims */ string[],
-  /* the context for the key associated to the credential */ CryptoContext
+  /* the context for the key associated to the credential */ CryptoContext,
 ];
 
+/**
+ * A object that associate the information needed to multiple remote presentation
+ */
+export type RemotePresentation = {
+  presentations: {
+    requestedClaims: string[];
+    inputDescriptor: InputDescriptor;
+    format: string;
+    vpToken: string;
+  }[];
+  generatedNonce?: string /* nonce generated by app, used in mdoc presentation */;
+};
+
 const Fields = z.object({
   path: z.array(z.string().min(1)), // Array of JSONPath string expressions
   id: z.string().optional(), // Unique string ID
@@ -72,7 +85,7 @@ export const RequestObject = z.object({
   iss: z.string().optional(), //optional by RFC 7519, mandatory for Potential
   iat: UnixTime.optional(),
   exp: UnixTime.optional(),
-  state: z.string(),
+  state: z.string().optional(),
   nonce: z.string(),
   response_uri: z.string(),
   response_type: z.literal("vp_token"),
@@ -111,7 +124,7 @@ export type DirectAuthorizationBodyPayload = z.infer<
 >;
 export const DirectAuthorizationBodyPayload = z.union([
   z.object({
-    vp_token: z.string(),
+    vp_token: z.union([z.string(), z.array(z.string())]).optional(),
     presentation_submission: z.record(z.string(), z.unknown()),
   }),
   z.object({ error: ErrorResponse }),

package/src/entity/trust/chain.ts

@@ -70,8 +70,8 @@ export async function validateTrustChain(
     elementIndex === 0
       ? FirstElementShape
       : elementIndex === chain.length - 1
-      ? LastElementShape
-      : MiddleElementShape;
+        ? LastElementShape
+        : MiddleElementShape;
 
   // select the kid from the current index
   const selectKid = (currentIndex: number): string => {
@@ -136,15 +136,19 @@ export function renewTrustChain(
         ec.success
           ? getSignedEntityConfiguration(ec.data.payload.iss, { appFetch })
           : es.success
-          ? getSignedEntityStatement(es.data.payload.iss, es.data.payload.sub, {
-              appFetch,
-            })
-          : // if the element fail to parse in both EntityStatement and EntityConfiguration, raise an error
-            Promise.reject(
-              new IoWalletError(
-                `Cannot renew trust chain because the element #${i} failed to be parsed.`
+            ? getSignedEntityStatement(
+                es.data.payload.iss,
+                es.data.payload.sub,
+                {
+                  appFetch,
+                }
+              )
+            : // if the element fail to parse in both EntityStatement and EntityConfiguration, raise an error
+              Promise.reject(
+                new IoWalletError(
+                  `Cannot renew trust chain because the element #${i} failed to be parsed.`
+                )
               )
-            )
       )
   );
 }

package/src/mdoc/index.ts

@@ -1,28 +1,85 @@
-import { CBOR } from "@pagopa/io-react-native-cbor";
+import { CBOR, COSE, ISO18013 } from "@pagopa/io-react-native-cbor";
 import type { JWK } from "../utils/jwk";
+import type { PublicKey } from "@pagopa/io-react-native-crypto";
+import { b64utob64 } from "jsrsasign";
+import {
+  convertCertToPem,
+  getSigningJwk,
+  parsePublicKey,
+} from "../utils/crypto";
+import { type Presentation } from "../credential/presentation/types";
+import { base64ToBase64Url } from "../utils/string";
 
 export const verify = async (
   token: string,
-  publicKey: JWK | JWK[]
-): Promise<{ mDoc: CBOR.MDOC }> => {
+  _: JWK | JWK[]
+): Promise<{ issuerSigned: CBOR.IssuerSigned }> => {
   // get decoded data
-  const documents = await CBOR.decodeDocuments(token);
-  if (!documents || documents.documents.length === 0) {
-    throw new Error("Invalid mDoc");
-  }
-  const mDoc = documents.documents[0];
-  if (!mDoc) {
+  const issuerSigned = await CBOR.decodeIssuerSigned(token);
+  if (!issuerSigned) {
     throw new Error("Invalid mDoc");
   }
 
-  const sigKey = Array.isArray(publicKey)
-    ? publicKey.find((k) => k.use === "sig")
-    : publicKey;
-  sigKey;
+  const cert = issuerSigned.issuerAuth.unprotectedHeader[0]?.keyId;
+  if (!cert) throw new Error("Certificate not present in credential");
+
+  const pemcert = convertCertToPem(b64utob64(cert));
+  const publickey = parsePublicKey(pemcert);
+  if (!publickey) throw new Error("Certificate not present in credential");
+
+  const jwk = getSigningJwk(publickey);
+
+  jwk.x = b64utob64(jwk.x!);
+  jwk.y = b64utob64(jwk.y!);
+
+  const signatureCorrect = await COSE.verify(
+    b64utob64(issuerSigned.issuerAuth.rawValue!),
+    jwk as PublicKey
+  ).catch(() => false);
+  if (!signatureCorrect) throw new Error("Invalid mDoc signature");
+
+  return { issuerSigned };
+};
+
+export const prepareVpTokenMdoc = async (
+  requestNonce: string,
+  generatedNonce: string,
+  clientId: string,
+  responseUri: string,
+  docType: string,
+  keyTag: string,
+  [verifiableCredential, requestedClaims, _]: Presentation
+): Promise<{
+  vp_token: string;
+}> => {
+  /* verifiableCredential is a IssuerSigned structure */
+  const documents = [
+    {
+      issuerSignedContent: verifiableCredential,
+      alias: keyTag,
+      docType,
+    },
+  ];
+
+  /* we map each requested claim as for ex. { "org.iso.18013.5.1.mDL" { <claim-name>: true, ... }} for selective disclosure */
+  const fieldRequestedAndAccepted = JSON.stringify({
+    [docType]: requestedClaims.reduce((acc, item) => {
+      return { ...acc, [item]: true };
+    }, {}),
+  });
 
-  //await COSE.verify(mDoc.issuerSigned.issuerAuth, sigKey as PublicKey);
+  /* clientId,responseUri,requestNonce are retrieved by Auth Request Object */
+  /* create DeviceResponse as { documents: { docType, issuerSigned, deviceSigned }, version, status } */
+  const vp_token = await ISO18013.generateOID4VPDeviceResponse(
+    clientId,
+    responseUri,
+    requestNonce,
+    generatedNonce,
+    documents,
+    fieldRequestedAndAccepted
+  );
 
   return {
-    mDoc,
+    vp_token: base64ToBase64Url(vp_token),
   };
 };

package/src/sd-jwt/index.ts

@@ -2,12 +2,13 @@ import { z } from "zod";
 
 import { decode as decodeJwt } from "@pagopa/io-react-native-jwt";
 import { verify as verifyJwt } from "@pagopa/io-react-native-jwt";
-import { sha256ToBase64 } from "@pagopa/io-react-native-jwt";
+import { SignJWT, sha256ToBase64 } from "@pagopa/io-react-native-jwt";
 import { Disclosure, SdJwt4VC, type DisclosureWithEncoded } from "./types";
 import { verifyDisclosure } from "./verifier";
 import type { JWK } from "../utils/jwk";
 import * as Errors from "./errors";
 import { Base64 } from "js-base64";
+import { type Presentation } from "../credential/presentation/types";
 
 const decodeDisclosure = (encoded: string): DisclosureWithEncoded => {
   const utf8String = Base64.decode(encoded); // Decode Base64 into UTF-8 string
@@ -163,4 +164,51 @@ export const verify = async <S extends z.ZodType<SdJwt4VC>>(
   };
 };
 
+/**
+ * Prepares a Verified Presentation (VP) token to be sent as part of an
+ * authorization response in an OpenID 4 Verifiable Presentations flow.
+ *
+ * @param nonce - The nonce provided by the relying party.
+ * @param client_id - The client identifier of the relying party.
+ * @param presentation - An object containing the verifiable credential, the claims to disclose,
+ *                       and the cryptographic context for signing.
+ * @returns An object containing the signed VP token (`vp_token`).
+ *
+ * @remarks
+ *  1. The `disclose()` function is used to produce a token with only the requested claims.
+ *  2. A KB-JWT is then signed, including sd_hash and `nonce`.
+ *  3. The `vp_token` is composed of the disclosed VP and the KB-JWT.
+ */
+export const prepareVpToken = async (
+  nonce: string,
+  client_id: string,
+  [verifiableCredential, requestedClaims, cryptoContext]: Presentation
+): Promise<{
+  vp_token: string;
+}> => {
+  // Produce a VP token with only requested claims from the verifiable credential
+  const { token: vp } = await disclose(verifiableCredential, requestedClaims);
+
+  // <Issuer-signed JWT>~<Disclosure 1>~<Disclosure N>~
+  const sd_hash = await sha256ToBase64(`${vp}~`);
+
+  const kbJwt = await new SignJWT(cryptoContext)
+    .setProtectedHeader({
+      typ: "kb+jwt",
+      alg: "ES256",
+    })
+    .setPayload({
+      sd_hash,
+      nonce: nonce,
+    })
+    .setAudience(client_id)
+    .setIssuedAt()
+    .sign();
+
+  // <Issuer-signed JWT>~<Disclosure 1>~...~<Disclosure N>~<KB-JWT>
+  const vp_token = [vp, kbJwt].join("~");
+
+  return { vp_token };
+};
+
 export { SdJwt4VC, Errors };

package/src/utils/crypto.ts

@@ -3,12 +3,14 @@ import {
   sign,
   generate,
   deleteKey,
+  type PublicKey,
 } from "@pagopa/io-react-native-crypto";
 import uuid from "react-native-uuid";
 import { thumbprint, type CryptoContext } from "@pagopa/io-react-native-jwt";
-import { fixBase64EncodingOnKey } from "./jwk";
 import { X509, KEYUTIL, RSAKey, KJUR } from "jsrsasign";
 import { JWK } from "./jwk";
+import { removePadding } from "@pagopa/io-react-native-jwt";
+import { Buffer } from "buffer";
 
 /**
  * Create a CryptoContext bound to a key pair.
@@ -26,7 +28,7 @@ export const createCryptoContextFor = (keytag: string): CryptoContext => {
      */
     async getPublicKey() {
       return getPublicKey(keytag)
-        .then(fixBase64EncodingOnKey)
+        .then(fixBase64WithLeadingZero)
         .then(async (jwk) => ({
           ...jwk,
           // Keys in the TEE are not stored with their KID, which is supposed to be assigned when they are included in JWK sets.
@@ -48,6 +50,45 @@ export const createCryptoContextFor = (keytag: string): CryptoContext => {
   };
 };
 
+/**
+ * This function takes a JSON Web Key (JWK) and returns a new JWK with its base64-url properties (x, y, e, n) processed.
+ * Each property is passed through the `removeLeadingZeroAndParseb64u` function if it exists, which fixes any unwanted leading zeros.
+ *
+ * @param key - The input JSON Web Key that may contain properties with potential leading zero issues.
+ * @returns A new JSON Web Key with the processed properties.
+ */
+const fixBase64WithLeadingZero = (key: JWK): JWK => {
+  const { x, y, e, n, ...pk } = key;
+
+  return {
+    ...pk,
+    ...(x ? { x: removeLeadingZeroAndParseb64u(x) } : {}),
+    ...(y ? { y: removeLeadingZeroAndParseb64u(y) } : {}),
+    ...(e ? { e: removeLeadingZeroAndParseb64u(e) } : {}),
+    ...(n ? { n: removeLeadingZeroAndParseb64u(n) } : {}),
+  };
+};
+
+/**
+ * This function processes a base64-encoded string to remove any unwanted leading zeros.
+ * It converts the input base64 string into a buffer, then to a hex string, checks for a leading "00",
+ * and removes it if present. The result is then converted back to a base64-url.
+ *
+ * @param input - The base64 encoded string to process.
+ * @returns A new base64-url encoded string with any leading zero removed.
+ */
+const removeLeadingZeroAndParseb64u = (input: string): string => {
+  // Decode base64 input into a Buffer
+  const buffer = Buffer.from(input, "base64");
+  const hex = buffer.toString("hex");
+  // If the hex string starts with "00", remove the first two characters
+  const fixedHex = hex.startsWith("00") ? hex.slice(2) : hex;
+  const newBuffer = Buffer.from(fixedHex, "hex");
+
+  // removePadding convert base64 string to base64-url
+  return removePadding(newBuffer.toString("base64"));
+};
+
 /**
  * Executes the input function injecting an ephemeral crypto context.
  * An ephemeral crypto context is a context which is bound to a key
@@ -106,3 +147,21 @@ export const getSigningJwk = (publicKey: RSAKey | KJUR.crypto.ECDSA): JWK => ({
   ...JWK.parse(KEYUTIL.getJWKFromKey(publicKey)),
   use: "sig",
 });
+
+/**
+ * This function takes two {@link PublicKey} and evaluates and compares their thumbprints
+ * @param key1 The first key
+ * @param key2 The second key
+ * @returns true if the keys' thumbprints are equal, false otherwise
+ */
+export const compareKeysByThumbprint = async (
+  key1: PublicKey,
+  key2: PublicKey
+) => {
+  //Parallel for optimization
+  const [thumbprint1, thumbprint2] = await Promise.all([
+    thumbprint(key1),
+    thumbprint(key2),
+  ]);
+  return thumbprint1 === thumbprint2;
+};

package/src/utils/errors.ts

@@ -189,8 +189,8 @@ export class ResponseErrorBuilder<T extends typeof UnexpectedStatusCodeError> {
 type ErrorCodeMap<T> = T extends typeof IssuerResponseError
   ? IssuerResponseErrorCode
   : T extends typeof WalletProviderResponseError
-  ? WalletProviderResponseErrorCode
-  : never;
+    ? WalletProviderResponseErrorCode
+    : never;
 
 type ErrorCase<T> = {
   code: ErrorCodeMap<T>;

package/src/utils/misc.ts

@@ -37,8 +37,8 @@ export const parseRawHttpResponse = <T extends Record<string, unknown>>(
 export type Out<FN> = FN extends (...args: any[]) => Promise<any>
   ? Awaited<ReturnType<FN>>
   : FN extends (...args: any[]) => any
-  ? ReturnType<FN>
-  : never;
+    ? ReturnType<FN>
+    : never;
 
 /**
  * TODO [SIW-1310]: replace this function with a cryptographically secure one.