@pagopa/io-react-native-wallet 1.7.0 → 2.0.0-next.0

package/src/credential/issuance/04-complete-user-authorization.ts

@@ -7,7 +7,7 @@ import { hasStatusOrThrow, type Out } from "../../utils/misc";
 import type { StartUserAuthorization } from "./03-start-user-authorization";
 import parseUrl from "parse-url";
 import { IssuerResponseError, ValidationFailed } from "../../utils/errors";
-import type { GetIssuerConfig } from "./02-get-issuer-config";
+import type { EvaluateIssuerTrust } from "./02-evaluate-issuer-trust";
 import {
   decode,
   encodeBase64,
@@ -15,13 +15,14 @@ import {
   type CryptoContext,
 } from "@pagopa/io-react-native-jwt";
 import { RequestObject } from "../presentation/types";
-import uuid from "react-native-uuid";
+import { v4 as uuidv4 } from "uuid";
 import { ResponseUriResultShape } from "./types";
 import { getJwtFromFormPost } from "../../utils/decoder";
 import { AuthorizationError, AuthorizationIdpError } from "./errors";
+import { LogLevel, Logger } from "../../utils/logging";
 
 /**
- * The interface of the phase to complete User authorization via strong identification when the response mode is "query" and the request credential is a urn:eu.europa.ec.eudi:pid:1.
+ * The interface of the phase to complete User authorization via strong identification when the response mode is "query" and the request credential is a PersonIdentificationData.
  */
 export type CompleteUserAuthorizationWithQueryMode = (
   authRedirectUrl: string
@@ -41,14 +42,14 @@ export type CompleteUserAuthorizationWithFormPostJwtMode = (
 export type GetRequestedCredentialToBePresented = (
   issuerRequestUri: Out<StartUserAuthorization>["issuerRequestUri"],
   clientId: Out<StartUserAuthorization>["clientId"],
-  issuerConf: Out<GetIssuerConfig>["issuerConf"],
+  issuerConf: Out<EvaluateIssuerTrust>["issuerConf"],
   appFetch?: GlobalFetch["fetch"]
 ) => Promise<RequestObject>;
 
 export type BuildAuthorizationUrl = (
   issuerRequestUri: Out<StartUserAuthorization>["issuerRequestUri"],
   clientId: Out<StartUserAuthorization>["clientId"],
-  issuerConf: Out<GetIssuerConfig>["issuerConf"],
+  issuerConf: Out<EvaluateIssuerTrust>["issuerConf"],
   idpHint?: string
 ) => Promise<{
   authUrl: string;
@@ -59,8 +60,8 @@ export type BuildAuthorizationUrl = (
  * Builds the authorization URL to which the end user should be redirected to continue the authentication flow.
  * @param issuerRequestUri the URI of the issuer where the request is sent
  * @param clientId Identifies the current client across all the requests of the issuing flow returned by {@link startUserAuthorization}
- * @param issuerConf The issuer configuration returned by {@link getIssuerConfig}
- * @param idpHint Unique identifier of the IDP selected by the user
+ * @param issuerConf The issuer configuration returned by {@link evaluateIssuerTrust}
+ * @param idpHint Unique identifier of the IDP selected by the user (optional)
  * @returns An object containing the authorization URL
  */
 export const buildAuthorizationUrl: BuildAuthorizationUrl = async (
@@ -69,14 +70,18 @@ export const buildAuthorizationUrl: BuildAuthorizationUrl = async (
   issuerConf,
   idpHint
 ) => {
-  const authzRequestEndpoint = issuerConf.authorization_endpoint;
+  const authzRequestEndpoint =
+    issuerConf.oauth_authorization_server.authorization_endpoint;
 
   const params = new URLSearchParams({
     client_id: clientId,
     request_uri: issuerRequestUri,
-    ...(idpHint && { idphint: idpHint }),
   });
 
+  if (idpHint) {
+    params.append("idphint", idpHint);
+  }
+
   const authUrl = `${authzRequestEndpoint}?${params}`;
 
   return { authUrl };
@@ -84,13 +89,17 @@ export const buildAuthorizationUrl: BuildAuthorizationUrl = async (
 
 /**
  * WARNING: This function must be called after obtaining the authorization redirect URL from the webviews (SPID and CIE L3) or browser for CIEID.
- * Complete User authorization via strong identification when the response mode is "query" and the request credential is a urn:eu.europa.ec.eudi:pid:1.
+ * Complete User authorization via strong identification when the response mode is "query" and the request credential is a PersonIdentificationData.
  * This function parses the authorization redirect URL to extract the authorization response.
  * @param authRedirectUrl The URL to which the end user should be redirected to start the authentication flow
  * @returns the authorization response which contains code, state and iss
  */
 export const completeUserAuthorizationWithQueryMode: CompleteUserAuthorizationWithQueryMode =
   async (authRedirectUrl) => {
+    Logger.log(
+      LogLevel.DEBUG,
+      `The requeste credential is a PersonIdentificationData, completing the user authorization with query mode`
+    );
     const query = parseUrl(authRedirectUrl).query;
 
     return parseAuthorizationResponse(query);
@@ -103,19 +112,29 @@ export const completeUserAuthorizationWithQueryMode: CompleteUserAuthorizationWi
  * The information is obtained by performing a GET request to the authorization endpoint with request_uri and client_id parameters.
  * @param issuerRequestUri the URI of the issuer where the request is sent
  * @param clientId Identifies the current client across all the requests of the issuing flow returned by {@link startUserAuthorization}
- * @param issuerConf The issuer configuration returned by {@link getIssuerConfig}
+ * @param issuerConf The issuer configuration returned by {@link evaluateIssuerTrust}
  * @param appFetch (optional) fetch api implementation. Default: built-in fetch
  * @throws {ValidationFailed} if an error while validating the response
  * @returns the request object which contains the credential to be presented in order to obtain the requested credential
  */
 export const getRequestedCredentialToBePresented: GetRequestedCredentialToBePresented =
   async (issuerRequestUri, clientId, issuerConf, appFetch = fetch) => {
-    const authzRequestEndpoint = issuerConf.authorization_endpoint;
+    Logger.log(
+      LogLevel.DEBUG,
+      `The requeste credential is not a PersonIdentificationData, requesting the credential to be presented`
+    );
+    const authzRequestEndpoint =
+      issuerConf.oauth_authorization_server.authorization_endpoint;
     const params = new URLSearchParams({
       client_id: clientId,
       request_uri: issuerRequestUri,
     });
 
+    Logger.log(
+      LogLevel.DEBUG,
+      `Requesting the request object to ${authzRequestEndpoint}?${params.toString()}`
+    );
+
     const requestObject = await appFetch(
       `${authzRequestEndpoint}?${params.toString()}`,
       { method: "GET" }
@@ -126,6 +145,10 @@ export const getRequestedCredentialToBePresented: GetRequestedCredentialToBePres
       .then((reqObj) => RequestObject.safeParse(reqObj.payload));
 
     if (!requestObject.success) {
+      Logger.log(
+        LogLevel.ERROR,
+        `Error while validating the response object: ${requestObject.error.message}`
+      );
       throw new ValidationFailed({
         message: "Request Object validation failed",
         reason: requestObject.error.message,
@@ -141,7 +164,7 @@ export const getRequestedCredentialToBePresented: GetRequestedCredentialToBePres
  * The information is obtained by performing a GET request to the authorization endpoint with request_uri and client_id parameters.
  * @param issuerRequestUri the URI of the issuer where the request is sent
  * @param clientId Identifies the current client across all the requests of the issuing flow returned by {@link startUserAuthorization}
- * @param issuerConf The issuer configuration returned by {@link getIssuerConfig}
+ * @param issuerConf The issuer configuration returned by {@link evaluateIssuerTrust}
  * @param context.walletInstanceAccestation the Wallet Instance's attestation to be presented
  * @param context.pid the PID to be presented
  * @param context.wiaCryptoContext The Wallet Instance's crypto context associated with the walletInstanceAttestation parameter
@@ -152,6 +175,11 @@ export const getRequestedCredentialToBePresented: GetRequestedCredentialToBePres
  */
 export const completeUserAuthorizationWithFormPostJwtMode: CompleteUserAuthorizationWithFormPostJwtMode =
   async (requestObject, ctx) => {
+    Logger.log(
+      LogLevel.DEBUG,
+      `The requeste credential is not a PersonIdentificationData, completing the user authorization with form_post.jwt mode`
+    );
+
     const {
       wiaCryptoContext,
       pidCryptoContext,
@@ -167,7 +195,7 @@ export const completeUserAuthorizationWithFormPostJwtMode: CompleteUserAuthoriza
       })
       .setPayload({
         vp: walletInstanceAttestation,
-        jti: uuid.v4().toString(),
+        jti: uuidv4().toString(),
         nonce: requestObject.nonce,
       })
       .setIssuedAt()
@@ -182,7 +210,7 @@ export const completeUserAuthorizationWithFormPostJwtMode: CompleteUserAuthoriza
       })
       .setPayload({
         vp: pid,
-        jti: uuid.v4().toString(),
+        jti: uuidv4().toString(),
         nonce: requestObject.nonce,
       })
       .setIssuedAt()
@@ -190,15 +218,20 @@ export const completeUserAuthorizationWithFormPostJwtMode: CompleteUserAuthoriza
       .setAudience(requestObject.response_uri)
       .sign();
 
+    Logger.log(
+      LogLevel.DEBUG,
+      `Wallet instance attestation JWT token: ${wiaWpToken}`
+    );
+
     /* The path parameter refers to the vp_token variable of the authzResponsePayload and must point to the plain credential which
      * is cointaned in the `vp` property of the signed jwt token payload
      */
     const presentationSubmission = {
-      definition_id: `${uuid.v4()}`,
-      id: `${uuid.v4()}`,
+      definition_id: `${uuidv4()}`,
+      id: `${uuidv4()}`,
       descriptor_map: [
         {
-          id: "urn:eu.europa.ec.eudi:pid:1",
+          id: "PersonIdentificationData",
           path: "$.vp_token[0].vp",
           format: "vc+sd-jwt",
         },
@@ -210,6 +243,11 @@ export const completeUserAuthorizationWithFormPostJwtMode: CompleteUserAuthoriza
       ],
     };
 
+    Logger.log(
+      LogLevel.DEBUG,
+      `Presentation submission: ${JSON.stringify(presentationSubmission)}`
+    );
+
     const authzResponsePayload = encodeBase64(
       JSON.stringify({
         state: requestObject.state,
@@ -218,6 +256,11 @@ export const completeUserAuthorizationWithFormPostJwtMode: CompleteUserAuthoriza
       })
     );
 
+    Logger.log(
+      LogLevel.DEBUG,
+      `Authz response payload: ${authzResponsePayload}`
+    );
+
     // Note: according to the spec, the response should be encrypted with the public key of the RP however this is not implemented yet
     // https://openid.net/specs/openid-4-verifiable-presentations-1_0.html#name-signed-and-encrypted-response
     // const rsaPublicJwk = chooseRSAPublicKeyToEncrypt(rpConf);
@@ -230,6 +273,7 @@ export const completeUserAuthorizationWithFormPostJwtMode: CompleteUserAuthoriza
     const body = new URLSearchParams({
       response: authzResponsePayload,
     }).toString();
+
     const resUriRes = await appFetch(requestObject.response_uri, {
       method: "POST",
       headers: {
@@ -242,6 +286,10 @@ export const completeUserAuthorizationWithFormPostJwtMode: CompleteUserAuthoriza
 
     const responseUri = ResponseUriResultShape.safeParse(resUriRes);
     if (!responseUri.success) {
+      Logger.log(
+        LogLevel.ERROR,
+        `Error while validating the response uri: ${responseUri.error.message}`
+      );
       throw new ValidationFailed({
         message: "Response Uri validation failed",
         reason: responseUri.error.message,
@@ -269,8 +317,16 @@ export const parseAuthorizationResponse = (
   if (!authResParsed.success) {
     const authErr = AuthorizationErrorShape.safeParse(authRes);
     if (!authErr.success) {
+      Logger.log(
+        LogLevel.ERROR,
+        `Error while parsing the authorization response: ${authResParsed.error.message}`
+      );
       throw new AuthorizationError(authResParsed.error.message); // an error occured while parsing the result and the error
     }
+    Logger.log(
+      LogLevel.ERROR,
+      `Error while authorizating with the idp: ${JSON.stringify(authErr)}`
+    );
     throw new AuthorizationIdpError(
       authErr.data.error,
       authErr.data.error_description

package/src/credential/issuance/05-authorize-access.ts

@@ -1,17 +1,19 @@
 import { hasStatusOrThrow, type Out } from "../../utils/misc";
-import type { GetIssuerConfig } from "./02-get-issuer-config";
+import type { EvaluateIssuerTrust } from "./02-evaluate-issuer-trust";
 import type { StartUserAuthorization } from "./03-start-user-authorization";
 import { createDPopToken } from "../../utils/dpop";
-import uuid from "react-native-uuid";
+import { v4 as uuidv4 } from "uuid";
 import { createPopToken } from "../../utils/pop";
 import * as WalletInstanceAttestation from "../../wallet-instance-attestation";
 import type { CryptoContext } from "@pagopa/io-react-native-jwt";
+import { ASSERTION_TYPE } from "./const";
 import { TokenResponse } from "./types";
 import { IssuerResponseError, ValidationFailed } from "../../utils/errors";
 import type { CompleteUserAuthorizationWithQueryMode } from "./04-complete-user-authorization";
+import { LogLevel, Logger } from "../../utils/logging";
 
 export type AuthorizeAccess = (
-  issuerConf: Out<GetIssuerConfig>["issuerConf"],
+  issuerConf: Out<EvaluateIssuerTrust>["issuerConf"],
   code: Out<CompleteUserAuthorizationWithQueryMode>["code"],
   redirectUri: string,
   clientId: Out<StartUserAuthorization>["clientId"],
@@ -29,7 +31,7 @@ export type AuthorizeAccess = (
  * for requesting the issuance of an access token bound to the public key of the Wallet Instance contained within the DPoP.
  * This enables the Wallet Instance to request a digital credential.
  * The DPoP Proof JWT is generated according to the section 4.3 of the DPoP RFC 9449 specification.
- * @param issuerConf The issuer configuration returned by {@link getIssuerConfig}
+ * @param issuerConf The issuer configuration returned by {@link evaluateIssuerTrust}
  * @param code The authorization code returned by {@link completeUserAuthorizationWithQueryMode} or {@link completeUserAuthorizationWithFormPost}
  * @param redirectUri The redirect URI which is the custom URL scheme that the Wallet Instance is registered to handle
  * @param clientId The client id returned by {@link startUserAuthorization}
@@ -57,48 +59,59 @@ export const authorizeAccess: AuthorizeAccess = async (
     dPopCryptoContext,
   } = context;
 
-  const parEndpoint = issuerConf.pushed_authorization_request_endpoint;
+  const parEndpoint =
+    issuerConf.oauth_authorization_server.pushed_authorization_request_endpoint;
   const parUrl = new URL(parEndpoint);
   const aud = `${parUrl.protocol}//${parUrl.hostname}`;
   const iss = WalletInstanceAttestation.decode(walletInstanceAttestation)
     .payload.cnf.jwk.kid;
 
-  const tokenUrl = issuerConf.token_endpoint;
+  const tokenUrl = issuerConf.oauth_authorization_server.token_endpoint;
 
   const tokenRequestSignedDPop = await createDPopToken(
     {
       htm: "POST",
       htu: tokenUrl,
-      jti: `${uuid.v4()}`,
+      jti: `${uuidv4()}`,
     },
     dPopCryptoContext
   );
 
+  Logger.log(LogLevel.DEBUG, `Token request DPoP: ${tokenRequestSignedDPop}`);
+
   const signedWiaPoP = await createPopToken(
     {
-      jti: `${uuid.v4()}`,
+      jti: `${uuidv4()}`,
       aud,
       iss,
     },
     wiaCryptoContext
   );
 
+  Logger.log(LogLevel.DEBUG, `WIA DPoP token: ${signedWiaPoP}`);
+
   const requestBody = {
-    client_id: clientId,
     grant_type: "authorization_code",
+    client_id: clientId,
     code,
     redirect_uri: redirectUri,
     code_verifier: codeVerifier,
+    client_assertion_type: ASSERTION_TYPE,
+    client_assertion: walletInstanceAttestation + "~" + signedWiaPoP,
   };
 
   const authorizationRequestFormBody = new URLSearchParams(requestBody);
+
+  Logger.log(
+    LogLevel.DEBUG,
+    `Auth form request body: ${authorizationRequestFormBody}`
+  );
+
   const tokenRes = await appFetch(tokenUrl, {
     method: "POST",
     headers: {
       "Content-Type": "application/x-www-form-urlencoded",
       DPoP: tokenRequestSignedDPop,
-      "OAuth-Client-Attestation": walletInstanceAttestation,
-      "OAuth-Client-Attestation-PoP": signedWiaPoP,
     },
     body: authorizationRequestFormBody.toString(),
   })
@@ -107,6 +120,11 @@ export const authorizeAccess: AuthorizeAccess = async (
     .then((body) => TokenResponse.safeParse(body));
 
   if (!tokenRes.success) {
+    Logger.log(
+      LogLevel.ERROR,
+      `Token Response validation failed: ${tokenRes.error.message}`
+    );
+
     throw new ValidationFailed({
       message: "Token Response validation failed",
       reason: tokenRes.error.message,

package/src/credential/issuance/06-obtain-credential.ts

@@ -4,7 +4,7 @@ import {
   SignJWT,
 } from "@pagopa/io-react-native-jwt";
 import type { AuthorizeAccess } from "./05-authorize-access";
-import type { GetIssuerConfig } from "./02-get-issuer-config";
+import type { EvaluateIssuerTrust } from "./02-evaluate-issuer-trust";
 import { hasStatusOrThrow, type Out } from "../../utils/misc";
 import type { StartUserAuthorization } from "./03-start-user-authorization";
 import {
@@ -16,10 +16,11 @@ import {
 } from "../../utils/errors";
 import { CredentialResponse } from "./types";
 import { createDPopToken } from "../../utils/dpop";
-import uuid from "react-native-uuid";
+import { v4 as uuidv4 } from "uuid";
+import { LogLevel, Logger } from "../../utils/logging";
 
 export type ObtainCredential = (
-  issuerConf: Out<GetIssuerConfig>["issuerConf"],
+  issuerConf: Out<EvaluateIssuerTrust>["issuerConf"],
   accessToken: Out<AuthorizeAccess>["accessToken"],
   clientId: Out<StartUserAuthorization>["clientId"],
   credentialDefinition: Out<StartUserAuthorization>["credentialDefinition"],
@@ -27,7 +28,8 @@ export type ObtainCredential = (
     dPopCryptoContext: CryptoContext;
     credentialCryptoContext: CryptoContext;
     appFetch?: GlobalFetch["fetch"];
-  }
+  },
+  operationType?: "reissuing"
 ) => Promise<CredentialResponse>;
 
 export const createNonceProof = async (
@@ -58,7 +60,7 @@ export const createNonceProof = async (
  * of the Credential Issuer to request the issuance of a credential linked to the public key contained in the JWT proof.
  * The Openid4vci proof JWT incapsulates the nonce extracted from the token response from the {@link authorizeAccess} step.
  * The credential request is sent to the Credential Endpoint of the Credential Issuer via HTTP POST with the type of the credential, its format, the access token and the JWT proof.
- * @param issuerConf The issuer configuration returned by {@link getIssuerConfig}
+ * @param issuerConf The issuer configuration returned by {@link evaluateIssuerTrust}
  * @param accessToken The access token response returned by {@link authorizeAccess}
  * @param clientId The client id returned by {@link startUserAuthorization}
  * @param credentialDefinition The credential definition of the credential to be obtained returned by {@link startUserAuthorization}
@@ -73,7 +75,8 @@ export const obtainCredential: ObtainCredential = async (
   accessToken,
   clientId,
   credentialDefinition,
-  context
+  context,
+  operationType
 ) => {
   const {
     credentialCryptoContext,
@@ -81,7 +84,7 @@ export const obtainCredential: ObtainCredential = async (
     dPopCryptoContext,
   } = context;
 
-  const credentialUrl = issuerConf.credential_endpoint;
+  const credentialUrl = issuerConf.openid_credential_issuer.credential_endpoint;
 
   /**
    * JWT proof token to bind the request nonce to the key that will bind the holder User with the Credential
@@ -95,67 +98,64 @@ export const obtainCredential: ObtainCredential = async (
     credentialCryptoContext
   );
 
+  Logger.log(LogLevel.DEBUG, `Signed nonce proof: ${signedNonceProof}`);
+
+  // Validation of accessTokenResponse.authorization_details if contain credentialDefinition
   const containsCredentialDefinition = accessToken.authorization_details.some(
-    (detail) =>
-      detail.credential_configuration_id ===
+    (c) =>
+      c.credential_configuration_id ===
         credentialDefinition.credential_configuration_id &&
-      detail.type === credentialDefinition.type
+      c.format === credentialDefinition.format &&
+      c.type === credentialDefinition.type
   );
 
   if (!containsCredentialDefinition) {
+    Logger.log(
+      LogLevel.ERROR,
+      `Credential definition not found in the access token response ${accessToken.authorization_details}`
+    );
     throw new ValidationFailed({
       message:
         "The access token response does not contain the requested credential",
     });
   }
 
-  const credential =
-    issuerConf.credential_configurations_supported[
-      credentialDefinition.credential_configuration_id
-    ];
-
-  if (!credential) {
-    throw new ValidationFailed({
-      message: "The credential configuration is not supported by the issuer",
-    });
-  }
-
-  const format = credential.format;
-
-  if (!format) {
-    throw new ValidationFailed({
-      message:
-        "The credential doesn't contain the format required by the issuer",
-    });
-  }
-
   /** The credential request body */
   const credentialRequestFormBody = {
-    ...(format === "mso_mdoc"
-      ? { doctype: credentialDefinition.credential_configuration_id }
-      : { vct: credentialDefinition.credential_configuration_id }),
-    format,
+    credential_definition: {
+      type: [credentialDefinition.credential_configuration_id],
+    },
+    format: credentialDefinition.format,
     proof: {
       jwt: signedNonceProof,
       proof_type: "jwt",
     },
   };
 
+  Logger.log(
+    LogLevel.DEBUG,
+    `Credential request body: ${JSON.stringify(credentialRequestFormBody)}`
+  );
+
   const tokenRequestSignedDPop = await createDPopToken(
     {
       htm: "POST",
       htu: credentialUrl,
-      jti: `${uuid.v4()}`,
+      jti: `${uuidv4()}`,
       ath: await sha256ToBase64(accessToken.access_token),
     },
     dPopCryptoContext
   );
+
+  Logger.log(LogLevel.DEBUG, `Token request DPoP: ${tokenRequestSignedDPop}`);
+
   const credentialRes = await appFetch(credentialUrl, {
     method: "POST",
     headers: {
       "Content-Type": "application/json",
       DPoP: tokenRequestSignedDPop,
       Authorization: `${accessToken.token_type} ${accessToken.access_token}`,
+      ...(operationType === "reissuing" && { operationType }),
     },
     body: JSON.stringify(credentialRequestFormBody),
   })
@@ -165,13 +165,21 @@ export const obtainCredential: ObtainCredential = async (
     .catch(handleObtainCredentialError);
 
   if (!credentialRes.success) {
+    Logger.log(
+      LogLevel.ERROR,
+      `Credential Response validation failed: ${credentialRes.error.message}`
+    );
     throw new ValidationFailed({
       message: "Credential Response validation failed",
       reason: credentialRes.error.message,
     });
   }
 
-  /* temporary base64 parsing for the "mso_mdoc" format until the credential submission with this format is fixed. */
+  Logger.log(
+    LogLevel.DEBUG,
+    `Credential Response: ${JSON.stringify(credentialRes.data)}`
+  );
+
   return credentialRes.data;
 };
 
@@ -182,11 +190,28 @@ export const obtainCredential: ObtainCredential = async (
  * @throws {IssuerResponseError} with a specific code for more context
  */
 const handleObtainCredentialError = (e: unknown) => {
+  Logger.log(LogLevel.ERROR, `Error occurred while obtaining credential: ${e}`);
+
   if (!(e instanceof UnexpectedStatusCodeError)) {
     throw e;
   }
 
   throw new ResponseErrorBuilder(IssuerResponseError)
+    .handle(201, {
+      // Although it is technically not an error, we handle it as such to avoid
+      // changing the return type of `obtainCredential` and introduce a breaking change.
+      code: IssuerResponseErrorCodes.CredentialIssuingNotSynchronous,
+      message:
+        "This credential cannot be issued synchronously. It will be available at a later time.",
+    })
+    .handle(403, {
+      code: IssuerResponseErrorCodes.CredentialInvalidStatus,
+      message: "Invalid status found for the given credential",
+    })
+    .handle(404, {
+      code: IssuerResponseErrorCodes.CredentialInvalidStatus,
+      message: "Invalid status found for the given credential",
+    })
     .handle("*", {
       code: IssuerResponseErrorCodes.CredentialRequestFailed,
       message: "Unable to obtain the requested credential",