npm - @pagopa/io-react-native-wallet - Versions diffs - 1.5.0 → 1.6.1 - Mend

@pagopa/io-react-native-wallet 1.5.0 → 1.6.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (64) hide show

package/src/credential/presentation/types.ts CHANGED Viewed

@@ -9,17 +9,20 @@ import { JWKS } from "../../utils/jwk";
 export type Presentation = [
   /* verified credential token */ string,
   /* claims */ string[],
-  /* the context for the key associated to the credential */ CryptoContext
+  /* the context for the key associated to the credential */ CryptoContext,
 ];
 /**
  * A object that associate the information needed to multiple remote presentation
  */
 export type RemotePresentation = {
-  requestedClaims: string[];
-  inputDescriptor: InputDescriptor;
-  format: string;
-  vpToken: string;
+  presentations: {
+    requestedClaims: string[];
+    inputDescriptor: InputDescriptor;
+    format: string;
+    vpToken: string;
+  }[];
+  generatedNonce?: string /* nonce generated by app, used in mdoc presentation */;
 };
 const Fields = z.object({
@@ -82,7 +85,7 @@ export const RequestObject = z.object({
   iss: z.string().optional(), //optional by RFC 7519, mandatory for Potential
   iat: UnixTime.optional(),
   exp: UnixTime.optional(),
-  state: z.string(),
+  state: z.string().optional(),
   nonce: z.string(),
   response_uri: z.string(),
   response_type: z.literal("vp_token"),

package/src/entity/trust/chain.ts CHANGED Viewed

@@ -70,8 +70,8 @@ export async function validateTrustChain(
     elementIndex === 0
       ? FirstElementShape
       : elementIndex === chain.length - 1
-      ? LastElementShape
-      : MiddleElementShape;
+        ? LastElementShape
+        : MiddleElementShape;
   // select the kid from the current index
   const selectKid = (currentIndex: number): string => {
@@ -136,15 +136,19 @@ export function renewTrustChain(
         ec.success
           ? getSignedEntityConfiguration(ec.data.payload.iss, { appFetch })
           : es.success
-          ? getSignedEntityStatement(es.data.payload.iss, es.data.payload.sub, {
-              appFetch,
-            })
-          : // if the element fail to parse in both EntityStatement and EntityConfiguration, raise an error
-            Promise.reject(
-              new IoWalletError(
-                `Cannot renew trust chain because the element #${i} failed to be parsed.`
+            ? getSignedEntityStatement(
+                es.data.payload.iss,
+                es.data.payload.sub,
+                {
+                  appFetch,
+                }
+              )
+            : // if the element fail to parse in both EntityStatement and EntityConfiguration, raise an error
+              Promise.reject(
+                new IoWalletError(
+                  `Cannot renew trust chain because the element #${i} failed to be parsed.`
+                )
               )
-            )
       )
   );
 }

package/src/mdoc/index.ts CHANGED Viewed

@@ -1,28 +1,85 @@
-import { CBOR } from "@pagopa/io-react-native-cbor";
+import { CBOR, COSE, ISO18013 } from "@pagopa/io-react-native-cbor";
 import type { JWK } from "../utils/jwk";
+import type { PublicKey } from "@pagopa/io-react-native-crypto";
+import { b64utob64 } from "jsrsasign";
+import {
+  convertCertToPem,
+  getSigningJwk,
+  parsePublicKey,
+} from "../utils/crypto";
+import { type Presentation } from "../credential/presentation/types";
+import { base64ToBase64Url } from "../utils/string";
 export const verify = async (
   token: string,
-  publicKey: JWK | JWK[]
-): Promise<{ mDoc: CBOR.MDOC }> => {
+  _: JWK | JWK[]
+): Promise<{ issuerSigned: CBOR.IssuerSigned }> => {
   // get decoded data
-  const documents = await CBOR.decodeDocuments(token);
-  if (!documents || documents.documents.length === 0) {
-    throw new Error("Invalid mDoc");
-  }
-  const mDoc = documents.documents[0];
-  if (!mDoc) {
+  const issuerSigned = await CBOR.decodeIssuerSigned(token);
+  if (!issuerSigned) {
     throw new Error("Invalid mDoc");
   }
-  const sigKey = Array.isArray(publicKey)
-    ? publicKey.find((k) => k.use === "sig")
-    : publicKey;
-  sigKey;
+  const cert = issuerSigned.issuerAuth.unprotectedHeader[0]?.keyId;
+  if (!cert) throw new Error("Certificate not present in credential");
+  const pemcert = convertCertToPem(b64utob64(cert));
+  const publickey = parsePublicKey(pemcert);
+  if (!publickey) throw new Error("Certificate not present in credential");
+  const jwk = getSigningJwk(publickey);
+  jwk.x = b64utob64(jwk.x!);
+  jwk.y = b64utob64(jwk.y!);
+  const signatureCorrect = await COSE.verify(
+    b64utob64(issuerSigned.issuerAuth.rawValue!),
+    jwk as PublicKey
+  ).catch(() => false);
+  if (!signatureCorrect) throw new Error("Invalid mDoc signature");
+  return { issuerSigned };
+};
+export const prepareVpTokenMdoc = async (
+  requestNonce: string,
+  generatedNonce: string,
+  clientId: string,
+  responseUri: string,
+  docType: string,
+  keyTag: string,
+  [verifiableCredential, requestedClaims, _]: Presentation
+): Promise<{
+  vp_token: string;
+}> => {
+  /* verifiableCredential is a IssuerSigned structure */
+  const documents = [
+    {
+      issuerSignedContent: verifiableCredential,
+      alias: keyTag,
+      docType,
+    },
+  ];
+  /* we map each requested claim as for ex. { "org.iso.18013.5.1.mDL" { <claim-name>: true, ... }} for selective disclosure */
+  const fieldRequestedAndAccepted = JSON.stringify({
+    [docType]: requestedClaims.reduce((acc, item) => {
+      return { ...acc, [item]: true };
+    }, {}),
+  });
-  //await COSE.verify(mDoc.issuerSigned.issuerAuth, sigKey as PublicKey);
+  /* clientId,responseUri,requestNonce are retrieved by Auth Request Object */
+  /* create DeviceResponse as { documents: { docType, issuerSigned, deviceSigned }, version, status } */
+  const vp_token = await ISO18013.generateOID4VPDeviceResponse(
+    clientId,
+    responseUri,
+    requestNonce,
+    generatedNonce,
+    documents,
+    fieldRequestedAndAccepted
+  );
   return {
-    mDoc,
+    vp_token: base64ToBase64Url(vp_token),
   };
 };

package/src/utils/crypto.ts CHANGED Viewed

@@ -3,12 +3,14 @@ import {
   sign,
   generate,
   deleteKey,
+  type PublicKey,
 } from "@pagopa/io-react-native-crypto";
 import uuid from "react-native-uuid";
 import { thumbprint, type CryptoContext } from "@pagopa/io-react-native-jwt";
-import { fixBase64EncodingOnKey } from "./jwk";
 import { X509, KEYUTIL, RSAKey, KJUR } from "jsrsasign";
 import { JWK } from "./jwk";
+import { removePadding } from "@pagopa/io-react-native-jwt";
+import { Buffer } from "buffer";
 /**
  * Create a CryptoContext bound to a key pair.
@@ -26,7 +28,7 @@ export const createCryptoContextFor = (keytag: string): CryptoContext => {
      */
     async getPublicKey() {
       return getPublicKey(keytag)
-        .then(fixBase64EncodingOnKey)
+        .then(fixBase64WithLeadingZero)
         .then(async (jwk) => ({
           ...jwk,
           // Keys in the TEE are not stored with their KID, which is supposed to be assigned when they are included in JWK sets.
@@ -48,6 +50,45 @@ export const createCryptoContextFor = (keytag: string): CryptoContext => {
   };
 };
+/**
+ * This function takes a JSON Web Key (JWK) and returns a new JWK with its base64-url properties (x, y, e, n) processed.
+ * Each property is passed through the `removeLeadingZeroAndParseb64u` function if it exists, which fixes any unwanted leading zeros.
+ *
+ * @param key - The input JSON Web Key that may contain properties with potential leading zero issues.
+ * @returns A new JSON Web Key with the processed properties.
+ */
+const fixBase64WithLeadingZero = (key: JWK): JWK => {
+  const { x, y, e, n, ...pk } = key;
+  return {
+    ...pk,
+    ...(x ? { x: removeLeadingZeroAndParseb64u(x) } : {}),
+    ...(y ? { y: removeLeadingZeroAndParseb64u(y) } : {}),
+    ...(e ? { e: removeLeadingZeroAndParseb64u(e) } : {}),
+    ...(n ? { n: removeLeadingZeroAndParseb64u(n) } : {}),
+  };
+};
+/**
+ * This function processes a base64-encoded string to remove any unwanted leading zeros.
+ * It converts the input base64 string into a buffer, then to a hex string, checks for a leading "00",
+ * and removes it if present. The result is then converted back to a base64-url.
+ *
+ * @param input - The base64 encoded string to process.
+ * @returns A new base64-url encoded string with any leading zero removed.
+ */
+const removeLeadingZeroAndParseb64u = (input: string): string => {
+  // Decode base64 input into a Buffer
+  const buffer = Buffer.from(input, "base64");
+  const hex = buffer.toString("hex");
+  // If the hex string starts with "00", remove the first two characters
+  const fixedHex = hex.startsWith("00") ? hex.slice(2) : hex;
+  const newBuffer = Buffer.from(fixedHex, "hex");
+  // removePadding convert base64 string to base64-url
+  return removePadding(newBuffer.toString("base64"));
+};
 /**
  * Executes the input function injecting an ephemeral crypto context.
  * An ephemeral crypto context is a context which is bound to a key
@@ -106,3 +147,21 @@ export const getSigningJwk = (publicKey: RSAKey | KJUR.crypto.ECDSA): JWK => ({
   ...JWK.parse(KEYUTIL.getJWKFromKey(publicKey)),
   use: "sig",
 });
+/**
+ * This function takes two {@link PublicKey} and evaluates and compares their thumbprints
+ * @param key1 The first key
+ * @param key2 The second key
+ * @returns true if the keys' thumbprints are equal, false otherwise
+ */
+export const compareKeysByThumbprint = async (
+  key1: PublicKey,
+  key2: PublicKey
+) => {
+  //Parallel for optimization
+  const [thumbprint1, thumbprint2] = await Promise.all([
+    thumbprint(key1),
+    thumbprint(key2),
+  ]);
+  return thumbprint1 === thumbprint2;
+};

package/src/utils/errors.ts CHANGED Viewed

@@ -189,8 +189,8 @@ export class ResponseErrorBuilder<T extends typeof UnexpectedStatusCodeError> {
 type ErrorCodeMap<T> = T extends typeof IssuerResponseError
   ? IssuerResponseErrorCode
   : T extends typeof WalletProviderResponseError
-  ? WalletProviderResponseErrorCode
-  : never;
+    ? WalletProviderResponseErrorCode
+    : never;
 type ErrorCase<T> = {
   code: ErrorCodeMap<T>;

package/src/utils/misc.ts CHANGED Viewed

@@ -37,8 +37,8 @@ export const parseRawHttpResponse = <T extends Record<string, unknown>>(
 export type Out<FN> = FN extends (...args: any[]) => Promise<any>
   ? Awaited<ReturnType<FN>>
   : FN extends (...args: any[]) => any
-  ? ReturnType<FN>
-  : never;
+    ? ReturnType<FN>
+    : never;
 /**
  * TODO [SIW-1310]: replace this function with a cryptographically secure one.

package/src/utils/string.ts CHANGED Viewed

@@ -45,11 +45,11 @@ export const obfuscateString = (
 };
 /**
- * Converts a hexadecimal byte string to a Base64 URL-encoded string.
+ * Converts a base64 string to a Base64 URL-encoded string.
  *
- * @param byteString - The input string in hexadecimal format.
+ * @param byteString - The input string in base64 format.
  * @returns The Base64 URL-encoded string.
  */
-export const base64ToBase64Url = (byteString: string): string => {
-  return byteString.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+export const base64ToBase64Url = (base64: string): string => {
+  return base64.replace(/\+/g, "-").replace(/\//g, "_").replace(/[=]+$/, "");
 };