@pagopa/io-react-native-wallet 1.6.2 → 1.7.1

package/src/credential/presentation/07-evaluate-dcql-query.ts

@@ -0,0 +1,228 @@
+import {
+  DcqlQuery,
+  DcqlError,
+  DcqlCredentialSetError,
+  DcqlQueryResult,
+  DcqlCredential,
+} from "dcql";
+import { isValiError } from "valibot";
+import { decode } from "../../sd-jwt";
+import type { Disclosure } from "../../sd-jwt/types";
+import { ValidationFailed } from "../../utils/errors";
+import { CredentialNotFoundError } from "./errors";
+import type { CredentialFormat, EvaluatedDisclosure } from "./types";
+import { CBOR } from "@pagopa/io-react-native-cbor";
+
+/**
+ * The purpose for the credential request by the RP.
+ */
+type CredentialPurpose = {
+  required: boolean;
+  description?: string;
+};
+
+export type EvaluateDcqlQuery = (
+  query: DcqlQuery.Input,
+  credentialsSdJwt: [
+    string /* type */,
+    string /* keyTag */,
+    string /* credential */,
+  ][],
+  credentialsMdoc: [
+    string /* type */,
+    string /* keyTag */,
+    string /* credential */,
+  ][]
+) => Promise<
+  ({
+    id: string;
+    credential: string;
+    keyTag: string;
+    requiredDisclosures: EvaluatedDisclosure[];
+    purposes: CredentialPurpose[];
+  } & CredentialFormat)[]
+>;
+
+type DcqlMatchSuccess = Extract<
+  DcqlQueryResult.CredentialMatch,
+  { success: true }
+>;
+
+/**
+ * Convert a credential in SD-JWT format to an object with claims
+ * for correct parsing by the `dcql` library.
+ */
+const mapCredentialSdJwtToObj = (credentials: [string, string, string][]) =>
+  credentials.map(([, , jwt]) => {
+    const { sdJwt, disclosures } = decode(jwt);
+    const credentialFormat = sdJwt.header.typ;
+
+    return {
+      vct: sdJwt.payload.vct,
+      credential_format: credentialFormat,
+      claims: disclosures.reduce(
+        (acc, disclosure) => ({
+          ...acc,
+          [disclosure.decoded[1]]: disclosure.decoded,
+        }),
+        {} as Record<string, Disclosure>
+      ),
+    } as DcqlCredential;
+  });
+
+/**
+ * Convert a credential in Mdoc format to an object with claims
+ * for correct parsing by the `dcql` library.
+ */
+const mapCredentialsMdocToObj = async (
+  credentialsMdoc: [string, string, string][]
+) => {
+  return await Promise.all(
+    credentialsMdoc?.map(async ([type, _, credential]) => {
+      const issuerSigned = credential
+        ? await CBOR.decodeIssuerSigned(credential)
+        : undefined;
+      if (!issuerSigned) {
+        throw new CredentialNotFoundError(
+          "mso_mdoc credential is not present."
+        );
+      }
+
+      const namespaces = Object.entries(issuerSigned.nameSpaces).reduce(
+        (acc, [ns, nsClaims]) => {
+          const flattenNsClaims = Object.entries(nsClaims).reduce(
+            (ac, [, el]) => ({
+              ...ac,
+              [el.elementIdentifier]: el.elementValue,
+            }),
+            {} as Record<string, unknown>
+          );
+
+          return {
+            ...acc,
+            [ns]: flattenNsClaims,
+          };
+        },
+        {} as Record<string, unknown>
+      );
+
+      return {
+        credential_format: "mso_mdoc",
+        doctype: type,
+        namespaces,
+      } as DcqlCredential;
+    })
+  );
+};
+
+/**
+ * Extract only successful matches from the DCQL query result.
+ */
+const getDcqlQueryMatches = (result: DcqlQueryResult) =>
+  Object.entries(result.credential_matches).filter(
+    ([, match]) => match.success === true
+  ) as [string, DcqlMatchSuccess][];
+
+export const evaluateDcqlQuery: EvaluateDcqlQuery = async (
+  query,
+  credentialsSdJwt,
+  credentialsMdoc
+) => {
+  const credentials = [] as DcqlCredential[];
+  credentials.push(...mapCredentialSdJwtToObj(credentialsSdJwt));
+  credentials.push(...(await mapCredentialsMdocToObj(credentialsMdoc)));
+
+  try {
+    // Validate the query
+    const parsedQuery = DcqlQuery.parse(query);
+    DcqlQuery.validate(parsedQuery);
+
+    const queryResult = DcqlQuery.query(parsedQuery, credentials);
+
+    if (!queryResult.canBeSatisfied) {
+      throw new Error("No credential can satisfy the provided DCQL query");
+    }
+
+    return getDcqlQueryMatches(queryResult).map(([id, match]) => {
+      const purposes = queryResult.credential_sets
+        ?.filter((set) => set.matching_options?.flat().includes(id))
+        ?.map<CredentialPurpose>((credentialSet) => ({
+          description: credentialSet.purpose?.toString(),
+          required: Boolean(credentialSet.required),
+        }));
+
+      if (match.output.credential_format === "vc+sd-jwt") {
+        const { vct, claims } = match.output;
+
+        const [, keyTag, credential] = credentialsSdJwt.find(
+          ([type]) => type === vct
+        )!;
+        const requiredDisclosures = Object.values(
+          claims
+        ) as EvaluatedDisclosure[];
+        return {
+          id,
+          vct,
+          keyTag,
+          format: match.output.credential_format,
+          credential,
+          requiredDisclosures,
+          // When it is a match but no credential_sets are found, the credential is required by default
+          // See https://openid.net/specs/openid-4-verifiable-presentations-1_0-24.html#section-6.3.1.2-2.1
+          purposes: purposes ?? [{ required: true }],
+        };
+      }
+
+      if (match.output.credential_format === "mso_mdoc") {
+        const { doctype, namespaces } = match.output;
+
+        const [, keyTag, credential] = credentialsMdoc.find(
+          ([type]) => type === doctype
+        )!;
+        const requiredDisclosures = Object.entries(namespaces).reduce(
+          (acc, [ns, nsClaims]) => [
+            ...acc,
+            ...Object.entries(nsClaims).map(([claimName]) => ({
+              namespace: ns,
+              name: claimName,
+              value: nsClaims[claimName],
+            })),
+          ],
+          [] as EvaluatedDisclosure[]
+        );
+
+        return {
+          id,
+          keyTag,
+          format: match.output.credential_format,
+          credential,
+          requiredDisclosures,
+          // When it is a match but no credential_sets are found, the credential is required by default
+          // See https://openid.net/specs/openid-4-verifiable-presentations-1_0-24.html#section-6.3.1.2-2.1
+          purposes: purposes ?? [{ required: true }],
+          doctype,
+        };
+      }
+
+      throw new Error(
+        `Unsupported credential format: ${match.output.credential_format}`
+      );
+    });
+  } catch (error) {
+    // Invalid DCQL query structure
+    if (isValiError(error)) {
+      throw new ValidationFailed({
+        message: "Invalid DCQL query",
+        reason: error.issues.map((issue) => issue.message).join(", "),
+      });
+    }
+
+    if (error instanceof DcqlError) {
+      // TODO [SIW-2110]: handle invalid DQCL query or let the error propagate
+    }
+    if (error instanceof DcqlCredentialSetError) {
+      // TODO [SIW-2110]: handle missing credentials or let the error propagate
+    }
+    throw error;
+  }
+};

package/src/credential/presentation/07-evaluate-input-descriptor.ts

@@ -1,14 +1,10 @@
-import { InputDescriptor, type RemotePresentation } from "./types";
-import { decode, prepareVpToken } from "../../sd-jwt";
+import { InputDescriptor, type EvaluatedDisclosure } from "./types";
+import { decode } from "../../sd-jwt";
 import { SdJwt4VC, type DisclosureWithEncoded } from "../../sd-jwt/types";
-import { createCryptoContextFor } from "../../utils/crypto";
 import { JSONPath } from "jsonpath-plus";
 import { MissingDataError, CredentialNotFoundError } from "./errors";
-import { type EvaluatedDisclosure } from "./types";
 import Ajv from "ajv";
 import { CBOR } from "@pagopa/io-react-native-cbor";
-import { prepareVpTokenMdoc } from "../../mdoc";
-import { generateRandomAlphaNumericString } from "../../utils/misc";
 
 const ajv = new Ajv({ allErrors: true });
 
@@ -30,8 +26,8 @@ type EvaluateInputDescriptorMdoc = (
 
 export type EvaluateInputDescriptors = (
   descriptors: InputDescriptor[],
-  credentialsSdJwt: [string /* keyTag */, string /* credential */][],
-  credentialsMdoc: [string /* keyTag */, string /* credential */][]
+  credentialsSdJwt: [string, string /* keyTag */, string /* credential */][],
+  credentialsMdoc: [string, string /* keyTag */, string /* credential */][]
 ) => Promise<
   {
     evaluatedDisclosure: EvaluatedDisclosures;
@@ -41,20 +37,6 @@ export type EvaluateInputDescriptors = (
   }[]
 >;
 
-export type PrepareRemotePresentations = (
-  credentialAndDescriptors: {
-    requestedClaims: EvaluatedDisclosure[];
-    inputDescriptor: InputDescriptor;
-    credential: string;
-    keyTag: string;
-  }[],
-  authRequestObject: {
-    nonce: string;
-    clientId: string;
-    responseUri: string;
-  }
-) => Promise<RemotePresentation>;
-
 export const disclosureWithEncodedToEvaluatedDisclosure = (
   disclosure: DisclosureWithEncoded
 ): EvaluatedDisclosure => {
@@ -474,7 +456,7 @@ export const evaluateInputDescriptors: EvaluateInputDescriptors = async (
 ) => {
   // We need decode SD-JWT credentials for evaluation
   const decodedSdJwtCredentials =
-    credentialsSdJwt?.map(([keyTag, credential]) => {
+    credentialsSdJwt?.map(([, keyTag, credential]) => {
       const { sdJwt, disclosures } = decode(credential);
       return { keyTag, credential, sdJwt, disclosures };
     }) || [];
@@ -482,7 +464,7 @@ export const evaluateInputDescriptors: EvaluateInputDescriptors = async (
   // We need decode Mdoc credentials for evaluation
   const decodedMdocCredentials =
     (await Promise.all(
-      credentialsMdoc?.map(async ([keyTag, credential]) => {
+      credentialsMdoc?.map(async ([, keyTag, credential]) => {
         const issuerSigned = await CBOR.decodeIssuerSigned(credential);
         if (!issuerSigned) {
           throw new CredentialNotFoundError(
@@ -539,82 +521,3 @@ export const evaluateInputDescriptors: EvaluateInputDescriptors = async (
 
   return results;
 };
-
-/**
- * Prepares remote presentations for a set of credentials based on input descriptors.
- *
- * For each credential and its corresponding input descriptor, this function:
- * - Validates the credential format.
- * - Generates a verifiable presentation token (vpToken) using the provided nonce and client identifier.
- *
- * @param credentialAndDescriptors - An array containing objects with requested claims,
- *                                   input descriptor, credential, and keyTag.
- * @param nonce - A unique nonce for the verifiable presentation token.
- * @param client_id - The client identifier.
- * @returns A promise that resolves to an array of RemotePresentation objects.
- * @throws {CredentialNotFoundError} When the credential format is unsupported.
- */
-export const prepareRemotePresentations: PrepareRemotePresentations = async (
-  credentialAndDescriptors,
-  authRequestObject
-) => {
-  /* In case of ISO 18013-7 we need a nonce, it shall have a minimum entropy of 16  */
-  const generatedNonce = generateRandomAlphaNumericString(16);
-
-  const presentations = await Promise.all(
-    credentialAndDescriptors.map(async (item) => {
-      const descriptor = item.inputDescriptor;
-
-      if (descriptor.format?.mso_mdoc) {
-        const { vp_token } = await prepareVpTokenMdoc(
-          authRequestObject.nonce,
-          generatedNonce,
-          authRequestObject.clientId,
-          authRequestObject.responseUri,
-          descriptor.id,
-          item.keyTag,
-          [
-            item.credential,
-            item.requestedClaims,
-            createCryptoContextFor(item.keyTag),
-          ]
-        );
-
-        return {
-          requestedClaims: [...item.requestedClaims.map(({ name }) => name)],
-          inputDescriptor: descriptor,
-          vpToken: vp_token,
-          format: "mso_mdoc",
-        };
-      }
-
-      if (descriptor.format?.["vc+sd-jwt"]) {
-        const { vp_token } = await prepareVpToken(
-          authRequestObject.nonce,
-          authRequestObject.clientId,
-          [
-            item.credential,
-            item.requestedClaims,
-            createCryptoContextFor(item.keyTag),
-          ]
-        );
-
-        return {
-          requestedClaims: [...item.requestedClaims.map(({ name }) => name)],
-          inputDescriptor: descriptor,
-          vpToken: vp_token,
-          format: "vc+sd-jwt",
-        };
-      }
-
-      throw new CredentialNotFoundError(
-        `${descriptor.format} format is not supported.`
-      );
-    })
-  );
-
-  return {
-    presentations,
-    generatedNonce,
-  };
-};

package/src/credential/presentation/08-send-authorization-response.ts

@@ -2,17 +2,26 @@ import { EncryptJwe } from "@pagopa/io-react-native-jwt";
 import uuid from "react-native-uuid";
 import type { FetchJwks } from "./04-retrieve-rp-jwks";
 import type { VerifyRequestObjectSignature } from "./05-verify-request-object";
-import { NoSuitableKeysFoundInEntityConfiguration } from "./errors";
+import {
+  NoSuitableKeysFoundInEntityConfiguration,
+  CredentialNotFoundError,
+} from "./errors";
 import { hasStatusOrThrow, type Out } from "../../utils/misc";
 import {
   DirectAuthorizationBodyPayload,
   ErrorResponse,
   type RemotePresentation,
+  type PrepareRemotePresentations,
 } from "./types";
 import * as z from "zod";
 import type { JWK } from "../../utils/jwk";
 import { Base64 } from "js-base64";
 
+import { prepareVpTokenMdoc } from "../../mdoc";
+import { generateRandomAlphaNumericString } from "../../utils/misc";
+import { createCryptoContextFor } from "../../utils/crypto";
+import { prepareVpToken } from "../../sd-jwt";
+
 export type AuthorizationResponse = z.infer<typeof AuthorizationResponse>;
 export const AuthorizationResponse = z.object({
   status: z.string().optional(),
@@ -153,6 +162,19 @@ export type SendAuthorizationResponse = (
   }
 ) => Promise<AuthorizationResponse>;
 
+/**
+ * Type definition for the function that sends the authorization response
+ * to the Relying Party, completing the presentation flow.
+ */
+export type SendAuthorizationResponseDcql = (
+  requestObject: Out<VerifyRequestObjectSignature>["requestObject"],
+  jwkKeys: Out<FetchJwks>["keys"],
+  remotePresentation: RemotePresentation,
+  context?: {
+    appFetch?: GlobalFetch["fetch"];
+  }
+) => Promise<AuthorizationResponse>;
+
 /**
  * Sends the authorization response to the Relying Party (RP) using the specified `response_mode`.
  * This function completes the presentation flow in an OpenID 4 Verifiable Presentations scenario.
@@ -183,7 +205,7 @@ export const sendAuthorizationResponse: SendAuthorizationResponse = async (
       : presentations.map((presentation) => presentation.vpToken);
 
   const descriptor_map = presentations.map((presentation, index) => ({
-    id: presentation.inputDescriptor.id,
+    id: presentation.credentialId,
     path: presentations?.length === 1 ? `$` : `$[${index}]`,
     format: presentation.format,
   }));
@@ -274,3 +296,116 @@ export const sendAuthorizationErrorResponse: SendAuthorizationErrorResponse =
       .then((res) => res.json())
       .then(AuthorizationResponse.parse);
   };
+
+export const sendAuthorizationResponseDcql: SendAuthorizationResponseDcql =
+  async (
+    requestObject,
+    jwkKeys,
+    remotePresentation,
+    { appFetch = fetch } = {}
+  ): Promise<AuthorizationResponse> => {
+    const { generatedNonce, presentations } = remotePresentation;
+    // 1. Prepare the VP token as a JSON object with keys corresponding to the DCQL query credential IDs
+    const requestBody = await buildDirectPostJwtBody(
+      jwkKeys,
+      requestObject,
+      {
+        vp_token: presentations.reduce(
+          (acc, presentation) => ({
+            ...acc,
+            [presentation.credentialId]: presentation.vpToken,
+          }),
+          {} as Record<string, string>
+        ),
+      },
+      generatedNonce
+    );
+
+    // 2. Send the authorization response via HTTP POST and validate the response
+    return await appFetch(requestObject.response_uri, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/x-www-form-urlencoded",
+      },
+      body: requestBody,
+    })
+      .then(hasStatusOrThrow(200))
+      .then((res) => res.json())
+      .then(AuthorizationResponse.parse);
+  };
+
+/**
+ * Prepares remote presentations for a set of credentials.
+ *
+ * For each credential, this function:
+ * - Validates the credential format (currently supports 'mso_mdoc' and 'vc+sd-jwt').
+ * - Generates a verifiable presentation token (vpToken) using the appropriate method.
+ * - For ISO 18013-7, generates a special nonce with minimum entropy of 16.
+ *
+ * @param credentials - An array of credential items containing format, credential data, requested claims, and key information.
+ * @param authRequestObject - The authentication request object containing nonce, clientId, and responseUri.
+ * @returns A promise that resolves to an object containing an array of presentations and the generated nonce.
+ * @throws {CredentialNotFoundError} When the credential format is unsupported.
+ */
+export const prepareRemotePresentations: PrepareRemotePresentations = async (
+  credentials,
+  authRequestObject
+) => {
+  /* In case of ISO 18013-7 we need a nonce, it shall have a minimum entropy of 16  */
+  const generatedNonce = generateRandomAlphaNumericString(16);
+
+  const presentations = await Promise.all(
+    credentials.map(async (item) => {
+      const { credentialInputId, format } = item;
+
+      if (format === "mso_mdoc") {
+        const { vp_token } = await prepareVpTokenMdoc(
+          authRequestObject.nonce,
+          generatedNonce,
+          authRequestObject.clientId,
+          authRequestObject.responseUri,
+          item.doctype,
+          item.keyTag,
+          [
+            item.credential,
+            item.requestedClaims,
+            createCryptoContextFor(item.keyTag),
+          ]
+        );
+
+        return {
+          requestedClaims: [...item.requestedClaims.map(({ name }) => name)],
+          credentialId: credentialInputId,
+          vpToken: vp_token,
+          format: "mso_mdoc",
+        };
+      }
+
+      if (format === "vc+sd-jwt") {
+        const { vp_token } = await prepareVpToken(
+          authRequestObject.nonce,
+          authRequestObject.clientId,
+          [
+            item.credential,
+            item.requestedClaims,
+            createCryptoContextFor(item.keyTag),
+          ]
+        );
+
+        return {
+          requestedClaims: [...item.requestedClaims.map(({ name }) => name)],
+          credentialId: credentialInputId,
+          vpToken: vp_token,
+          format: "vc+sd-jwt",
+        };
+      }
+
+      throw new CredentialNotFoundError(`${format} format is not supported.`);
+    })
+  );
+
+  return {
+    presentations,
+    generatedNonce,
+  };
+};

package/src/credential/presentation/index.ts

@@ -22,17 +22,23 @@ import {
 } from "./06-fetch-presentation-definition";
 import {
   evaluateInputDescriptors,
-  prepareRemotePresentations,
   type EvaluateInputDescriptors,
-  type PrepareRemotePresentations,
 } from "./07-evaluate-input-descriptor";
 import {
+  evaluateDcqlQuery,
+  type EvaluateDcqlQuery,
+} from "./07-evaluate-dcql-query";
+import {
+  prepareRemotePresentations,
   sendAuthorizationResponse,
   type SendAuthorizationResponse,
   sendAuthorizationErrorResponse,
   type SendAuthorizationErrorResponse,
+  sendAuthorizationResponseDcql,
+  type SendAuthorizationResponseDcql,
 } from "./08-send-authorization-response";
 import * as Errors from "./errors";
+import type { PrepareRemotePresentations } from "./types";
 
 export {
   startFlowFromQR,
@@ -43,8 +49,10 @@ export {
   verifyRequestObjectSignature,
   fetchPresentDefinition,
   evaluateInputDescriptors,
+  evaluateDcqlQuery,
   sendAuthorizationResponse,
   sendAuthorizationErrorResponse,
+  sendAuthorizationResponseDcql,
   prepareRemotePresentations,
   Errors,
 };
@@ -58,5 +66,7 @@ export type {
   EvaluateInputDescriptors,
   PrepareRemotePresentations,
   SendAuthorizationResponse,
+  SendAuthorizationResponseDcql,
   SendAuthorizationErrorResponse,
+  EvaluateDcqlQuery,
 };

package/src/credential/presentation/types.ts

@@ -9,6 +9,15 @@ export type EvaluatedDisclosure = {
   value: unknown;
 };
 
+export type CredentialFormat =
+  | {
+      format: "vc+sd-jwt";
+    }
+  | {
+      format: "mso_mdoc";
+      doctype: string;
+    };
+
 /**
  * A pair that associate a tokenized Verified Credential with the claims presented or requested to present.
  */
@@ -24,13 +33,27 @@ export type Presentation = [
 export type RemotePresentation = {
   presentations: {
     requestedClaims: string[];
-    inputDescriptor: InputDescriptor;
+    credentialId: string;
     format: string;
     vpToken: string;
   }[];
   generatedNonce?: string /* nonce generated by app, used in mdoc presentation */;
 };
 
+export type PrepareRemotePresentations = (
+  credentials: ({
+    requestedClaims: EvaluatedDisclosure[];
+    credentialInputId: string; // The credential ID descriptor in the presentation definition or DCQL query
+    credential: string;
+    keyTag: string;
+  } & CredentialFormat)[],
+  authRequestObject: {
+    nonce: string;
+    clientId: string;
+    responseUri: string;
+  }
+) => Promise<RemotePresentation>;
+
 const Fields = z.object({
   path: z.array(z.string().min(1)), // Array of JSONPath string expressions
   id: z.string().optional(), // Unique string ID
@@ -106,6 +129,7 @@ export const RequestObject = z.object({
       jwks: JWKS.optional(),
     })
     .optional(), // previous z.literal("entity_id"),
+  dcql_query: z.record(z.string(), z.any()).optional(), // Validation happens within the `dcql` library, no need to duplicate it here
   scope: z.string().optional(),
   presentation_definition: PresentationDefinition.optional(),
 });
@@ -130,8 +154,14 @@ export type DirectAuthorizationBodyPayload = z.infer<
 >;
 export const DirectAuthorizationBodyPayload = z.union([
   z.object({
-    vp_token: z.union([z.string(), z.array(z.string())]).optional(),
-    presentation_submission: z.record(z.string(), z.unknown()),
+    vp_token: z
+      .union([
+        z.string(), // Presentation Definition with one credential
+        z.array(z.string()), // Presentation Definition with more credential
+        z.record(z.string(), z.string()), // DCQL query
+      ])
+      .optional(),
+    presentation_submission: z.record(z.string(), z.unknown()).optional(),
   }),
   z.object({ error: ErrorResponse }),
 ]);

package/src/mdoc/index.ts

@@ -20,7 +20,7 @@ export const verify = async (
     throw new Error("Invalid mDoc");
   }
 
-  const cert = issuerSigned.issuerAuth.unprotectedHeader[0]?.keyId;
+  const cert = issuerSigned.issuerAuth.unprotectedHeader[0]?.x5chain?.[0];
   if (!cert) throw new Error("Certificate not present in credential");
 
   const pemcert = convertCertToPem(b64utob64(cert));