@pagopa/io-react-native-wallet 1.7.1 → 1.8.0

package/src/entity/trust/types.ts

@@ -49,12 +49,12 @@ const CredentialIssuerDisplayMetadata = z.object({
 });
 
 type ClaimsMetadata = z.infer<typeof ClaimsMetadata>;
-const ClaimsMetadata = z.record(
-  z.object({
-    value_type: z.string(),
-    display: z.array(z.object({ name: z.string(), locale: z.string() })),
-  })
-);
+const ClaimsMetadata = z.object({
+  path: z.array(z.string()),
+  display: z.array(CredentialDisplayMetadata),
+  mandatory: z.boolean().optional(),
+  value_type: z.string().optional(),
+});
 
 type IssuanceErrorSupported = z.infer<typeof IssuanceErrorSupported>;
 const IssuanceErrorSupported = z.object({
@@ -70,12 +70,17 @@ const IssuanceErrorSupported = z.object({
 // Metadata for a credentia which is supported by a Issuer
 type SupportedCredentialMetadata = z.infer<typeof SupportedCredentialMetadata>;
 const SupportedCredentialMetadata = z.object({
-  format: z.union([z.literal("vc+sd-jwt"), z.literal("mso_mdoc")]),
+  format: z.union([
+    z.literal("vc+sd-jwt"),
+    z.literal("dc+sd-jwt"),
+    z.literal("mso_mdoc"),
+  ]),
+  vct: z.string().optional(),
   scope: z.string(),
   display: z.array(CredentialDisplayMetadata),
-  claims: ClaimsMetadata.optional(), // TODO [SIW-1268]: should not be optional
+  claims: z.array(ClaimsMetadata),
   cryptographic_binding_methods_supported: z.array(z.string()),
-  credential_signing_alg_values_supported: z.array(z.string()),
+  credential_signing_alg_values_supported: z.array(z.string()).optional(),
   authentic_source: z.string().optional(),
   issuance_errors_supported: z.record(IssuanceErrorSupported).optional(),
 });
@@ -165,40 +170,37 @@ export const CredentialIssuerEntityConfiguration = BaseEntityConfiguration.and(
           credential_issuer: z.string(),
           credential_endpoint: z.string(),
           revocation_endpoint: z.string(),
+          nonce_endpoint: z.string(),
           status_attestation_endpoint: z.string(),
           display: z.array(CredentialIssuerDisplayMetadata),
           credential_configurations_supported: z.record(
             SupportedCredentialMetadata
           ),
           jwks: z.object({ keys: z.array(JWK) }),
+          trust_frameworks_supported: z.array(z.string()),
+          evidence_supported: z.array(z.string()),
         }),
         oauth_authorization_server: z.object({
           authorization_endpoint: z.string(),
           pushed_authorization_request_endpoint: z.string(),
-          dpop_signing_alg_values_supported: z.array(z.string()).optional(), // TODO [SIW-1268]: should not be optional
           token_endpoint: z.string(),
-          introspection_endpoint: z.string().optional(), // TODO [SIW-1268]: should not be optional
           client_registration_types_supported: z.array(z.string()),
           code_challenge_methods_supported: z.array(z.string()),
-          authorization_details_types_supported: z.array(z.string()).optional(), // TODO [SIW-1268]: should not be optional,
           acr_values_supported: z.array(z.string()),
           grant_types_supported: z.array(z.string()),
           issuer: z.string(),
           jwks: z.object({ keys: z.array(JWK) }),
           scopes_supported: z.array(z.string()),
-          request_parameter_supported: z.boolean().optional(), // TODO [SIW-1268]: should not be optional
-          request_uri_parameter_supported: z.boolean().optional(), // TODO [SIW-1268]: should not be optional
-          response_types_supported: z.array(z.string()).optional(), // TODO [SIW-1268]: should not be optional
           response_modes_supported: z.array(z.string()),
-          subject_types_supported: z.array(z.string()).optional(), // TODO [SIW-1268]: should not be optional
           token_endpoint_auth_methods_supported: z.array(z.string()),
           token_endpoint_auth_signing_alg_values_supported: z.array(z.string()),
           request_object_signing_alg_values_supported: z.array(z.string()),
         }),
-        /** Credential Issuers act as Relying Party
-            when they require the presentation of other credentials.
-            This does not apply for PID issuance, which requires CIE authz. */
-        wallet_relying_party: RelyingPartyMetadata.optional(),
+        /**
+         * Credential Issuers act as Relying Party when they require the presentation of other credentials.
+         * This does not apply for PID issuance, which requires CIE authz.
+         */
+        openid_credential_verifier: RelyingPartyMetadata.optional(),
       }),
     }),
   })

package/src/index.ts

@@ -13,6 +13,7 @@ import * as WalletInstance from "./wallet-instance";
 import { AuthorizationDetail, AuthorizationDetails } from "./utils/par";
 import { createCryptoContextFor } from "./utils/crypto";
 import type { IntegrityContext } from "./utils/integrity";
+import { getCredentialIssuerEntityConfiguration } from "./entity/trust";
 
 export {
   SdJwt,
@@ -25,6 +26,7 @@ export {
   AuthorizationDetail,
   AuthorizationDetails,
   fixBase64EncodingOnKey,
+  getCredentialIssuerEntityConfiguration,
 };
 
 export type { IntegrityContext, AuthorizationContext };

package/src/mdoc/index.ts

@@ -14,8 +14,8 @@ export const verify = async (
   token: string,
   _: JWK | JWK[]
 ): Promise<{ issuerSigned: CBOR.IssuerSigned }> => {
-  // get decoded data
-  const issuerSigned = await CBOR.decodeIssuerSigned(token);
+  // ensure that token is base64
+  const issuerSigned = await CBOR.decodeIssuerSigned(b64utob64(token));
   if (!issuerSigned) {
     throw new Error("Invalid mDoc");
   }
@@ -55,7 +55,7 @@ export const prepareVpTokenMdoc = async (
   /* verifiableCredential is a IssuerSigned structure */
   const documents = [
     {
-      issuerSignedContent: verifiableCredential,
+      issuerSignedContent: b64utob64(verifiableCredential),
       alias: keyTag,
       docType,
     },

package/src/sd-jwt/index.ts

@@ -41,7 +41,7 @@ export const decode = <S extends z.ZodType<SdJwt4VC>>(
   if (token.slice(-1) === "~") {
     token = token.slice(0, -1);
   }
-  const [rawSdJwt = "", ...rawDisclosures] = token.split("~");
+  const [rawSdJwt = "", ...rawDisclosures] = token.split("~").filter(Boolean);
 
   // get the sd-jwt as object
   // validate it's a valid SD-JWT for Verifiable Credentials
@@ -80,7 +80,7 @@ export const disclose = async (
   token: string,
   claims: string[]
 ): Promise<{ token: string; paths: { claim: string; path: string }[] }> => {
-  const [rawSdJwt, ...rawDisclosures] = token.split("~");
+  const [rawSdJwt, ...rawDisclosures] = token.split("~").filter(Boolean);
   const { sdJwt, disclosures } = decode(token, SdJwt4VC);
 
   // for each claim, return the path on which they are located in the SD-JWT token

package/src/sd-jwt/types.ts

@@ -49,7 +49,7 @@ export const SdJwt4VC = z.object({
     typ: CredentialFormat,
     alg: z.string(),
     kid: z.string().optional(),
-    x5c: z.string().optional(),
+    x5c: z.array(z.string()).optional(),
     vctm: z.array(z.string()).optional(),
   }),
   payload: z.intersection(

package/src/utils/credential/issuance/07-verify-and-parse-credentials-utils.ts

@@ -127,10 +127,11 @@ export function buildMockSDJWTTestScenario(
 ): Parameters<typeof parseCredentialSdJwt> {
   return [
     {
-      "eu.europa.ec.eudi.pid.1": {
+      dc_sd_jwt_PersonIdentificationData: {
         cryptographic_suites_supported: [],
         cryptographic_binding_methods_supported: [],
         format: "vc+sd-jwt",
+        vct: "urn:eu.europa.ec.eudi:pid:1",
         display: [],
         claims,
       },
@@ -147,7 +148,7 @@ export function buildMockSDJWTTestScenario(
               credential_hash_alg: "sha-256",
             },
           },
-          vct: "eu.europa.ec.eudi.pid.1",
+          vct: "urn:eu.europa.ec.eudi:pid:1",
           iss: "unused",
           sub: "unused",
           expiry_date: "unused",

package/src/utils/pop.ts

@@ -18,7 +18,7 @@ export const createPopToken = async (
   return new SignJWT(crypto)
     .setPayload(payload)
     .setProtectedHeader({
-      typ: "jwt-client-attestation-pop",
+      typ: "oauth-client-attestation-pop+jwt",
       kid,
     })
     .setIssuedAt()

package/src/wallet-instance-attestation/issuing.ts

@@ -7,11 +7,12 @@ import { fixBase64EncodingOnKey, JWK } from "../utils/jwk";
 import { getWalletProviderClient } from "../client";
 import type { IntegrityContext } from "..";
 import {
+  IoWalletError,
   ResponseErrorBuilder,
   WalletProviderResponseError,
   WalletProviderResponseErrorCodes,
 } from "../utils/errors";
-import { TokenResponse } from "./types";
+import { WalletAttestationResponse } from "./types";
 
 /**
  * Getter for an attestation request. The attestation request is a JWT that will be sent to the Wallet Provider to request a Wallet Instance Attestation.
@@ -47,8 +48,8 @@ export async function getAttestationRequest(
   return new SignJWT(wiaCryptoContext)
     .setPayload({
       iss: keyThumbprint,
-      sub: walletProviderBaseUrl,
-      challenge,
+      aud: walletProviderBaseUrl,
+      nonce: challenge,
       hardware_signature: signature,
       integrity_assertion: authenticatorData,
       hardware_key_tag: hardwareKeyTag,
@@ -58,7 +59,7 @@ export async function getAttestationRequest(
     })
     .setProtectedHeader({
       kid: publicKey.kid,
-      typ: "war+jwt",
+      typ: "wp-war+jwt",
     })
     .setIssuedAt()
     .setExpirationTime("1h")
@@ -103,16 +104,21 @@ export const getAttestation = async ({
 
   // 3. Request WIA
   const tokenResponse = await api
-    .post("/token", {
+    .post("/wallet-attestations", {
       body: {
-        grant_type: "urn:ietf:params:oauth:grant-type:jwt-bearer",
         assertion: signedAttestationRequest,
       },
     })
-    .then((result) => TokenResponse.parse(result))
+    .then(WalletAttestationResponse.parse)
     .catch(handleAttestationCreationError);
 
-  return tokenResponse.wallet_attestation;
+  const wallet_attestation = tokenResponse.wallet_attestations;
+  if (wallet_attestation && wallet_attestation[0]) {
+    // Return first because eudiw be return only jwt
+    return wallet_attestation[0].wallet_attestation;
+  }
+
+  throw new IoWalletError("Wallet Attestation response is empty!");
 };
 
 const handleAttestationCreationError = (e: unknown) => {

package/src/wallet-instance-attestation/types.ts

@@ -33,7 +33,7 @@ export const WalletInstanceAttestationRequestJwt = z.object({
   header: z.intersection(
     Jwt.shape.header,
     z.object({
-      typ: z.literal("war+jwt"),
+      typ: z.literal("wp-war+jwt"),
     })
   ),
   payload: z.intersection(
@@ -53,35 +53,29 @@ export const WalletInstanceAttestationJwt = z.object({
   header: z.intersection(
     Jwt.shape.header,
     z.object({
-      typ: z.literal("wallet-attestation+jwt"),
+      typ: z.literal("oauth-client-attestation+jwt"),
+      trust_chain: z.array(z.string()).optional(), // TODO: [SIW-2264] Make mandatory
     })
   ),
   payload: z.intersection(
     Jwt.shape.payload,
     z.object({
       sub: z.string(),
-      aal: z.string(),
-      authorization_endpoint: z.string(),
-      response_types_supported: z.array(z.string()),
-      vp_formats_supported: z.object({
-        "vc+sd-jwt": z
-          .object({
-            "sd-jwt_alg_values": z.array(z.string()),
-          })
-          .optional(),
-        "vp+sd-jwt": z
-          .object({
-            "sd-jwt_alg_values": z.array(z.string()),
-          })
-          .optional(),
-      }),
-      request_object_signing_alg_values_supported: z.array(z.string()),
-      presentation_definition_uri_supported: z.boolean(),
+      aal: z.string().optional(),
+      wallet_link: z.string().optional(),
+      wallet_name: z.string().optional(),
     })
   ),
 });
 
-export type TokenResponse = z.infer<typeof TokenResponse>;
-export const TokenResponse = z.object({
-  wallet_attestation: z.string(),
+export type WalletAttestationResponse = z.infer<
+  typeof WalletAttestationResponse
+>;
+export const WalletAttestationResponse = z.object({
+  wallet_attestations: z.array(
+    z.object({
+      wallet_attestation: z.string(),
+      format: z.enum(["jwt", "dc+sd-jwt", "mso_mdoc"]),
+    })
+  ),
 });