@pagopa/io-react-native-wallet 1.7.1 → 2.0.0-next.0

package/lib/commonjs/credential/issuance/05-authorize-access.js

@@ -6,20 +6,21 @@ Object.defineProperty(exports, "__esModule", {
 exports.authorizeAccess = void 0;
 var _misc = require("../../utils/misc");
 var _dpop = require("../../utils/dpop");
-var _reactNativeUuid = _interopRequireDefault(require("react-native-uuid"));
+var _uuid = require("uuid");
 var _pop = require("../../utils/pop");
 var WalletInstanceAttestation = _interopRequireWildcard(require("../../wallet-instance-attestation"));
+var _const = require("./const");
 var _types = require("./types");
 var _errors = require("../../utils/errors");
+var _logging = require("../../utils/logging");
 function _getRequireWildcardCache(nodeInterop) { if (typeof WeakMap !== "function") return null; var cacheBabelInterop = new WeakMap(); var cacheNodeInterop = new WeakMap(); return (_getRequireWildcardCache = function (nodeInterop) { return nodeInterop ? cacheNodeInterop : cacheBabelInterop; })(nodeInterop); }
 function _interopRequireWildcard(obj, nodeInterop) { if (!nodeInterop && obj && obj.__esModule) { return obj; } if (obj === null || typeof obj !== "object" && typeof obj !== "function") { return { default: obj }; } var cache = _getRequireWildcardCache(nodeInterop); if (cache && cache.has(obj)) { return cache.get(obj); } var newObj = {}; var hasPropertyDescriptor = Object.defineProperty && Object.getOwnPropertyDescriptor; for (var key in obj) { if (key !== "default" && Object.prototype.hasOwnProperty.call(obj, key)) { var desc = hasPropertyDescriptor ? Object.getOwnPropertyDescriptor(obj, key) : null; if (desc && (desc.get || desc.set)) { Object.defineProperty(newObj, key, desc); } else { newObj[key] = obj[key]; } } } newObj.default = obj; if (cache) { cache.set(obj, newObj); } return newObj; }
-function _interopRequireDefault(obj) { return obj && obj.__esModule ? obj : { default: obj }; }
 /**
  * Creates and sends the DPoP Proof JWT to be presented with the authorization code to the /token endpoint of the authorization server
  * for requesting the issuance of an access token bound to the public key of the Wallet Instance contained within the DPoP.
  * This enables the Wallet Instance to request a digital credential.
  * The DPoP Proof JWT is generated according to the section 4.3 of the DPoP RFC 9449 specification.
- * @param issuerConf The issuer configuration returned by {@link getIssuerConfig}
+ * @param issuerConf The issuer configuration returned by {@link evaluateIssuerTrust}
  * @param code The authorization code returned by {@link completeUserAuthorizationWithQueryMode} or {@link completeUserAuthorizationWithFormPost}
  * @param redirectUri The redirect URI which is the custom URL scheme that the Wallet Instance is registered to handle
  * @param clientId The client id returned by {@link startUserAuthorization}
@@ -39,40 +40,44 @@ const authorizeAccess = async (issuerConf, code, clientId, redirectUri, codeVeri
     wiaCryptoContext,
     dPopCryptoContext
   } = context;
-  const parEndpoint = issuerConf.pushed_authorization_request_endpoint;
+  const parEndpoint = issuerConf.oauth_authorization_server.pushed_authorization_request_endpoint;
   const parUrl = new URL(parEndpoint);
   const aud = `${parUrl.protocol}//${parUrl.hostname}`;
   const iss = WalletInstanceAttestation.decode(walletInstanceAttestation).payload.cnf.jwk.kid;
-  const tokenUrl = issuerConf.token_endpoint;
+  const tokenUrl = issuerConf.oauth_authorization_server.token_endpoint;
   const tokenRequestSignedDPop = await (0, _dpop.createDPopToken)({
     htm: "POST",
     htu: tokenUrl,
-    jti: `${_reactNativeUuid.default.v4()}`
+    jti: `${(0, _uuid.v4)()}`
   }, dPopCryptoContext);
+  _logging.Logger.log(_logging.LogLevel.DEBUG, `Token request DPoP: ${tokenRequestSignedDPop}`);
   const signedWiaPoP = await (0, _pop.createPopToken)({
-    jti: `${_reactNativeUuid.default.v4()}`,
+    jti: `${(0, _uuid.v4)()}`,
     aud,
     iss
   }, wiaCryptoContext);
+  _logging.Logger.log(_logging.LogLevel.DEBUG, `WIA DPoP token: ${signedWiaPoP}`);
   const requestBody = {
-    client_id: clientId,
     grant_type: "authorization_code",
+    client_id: clientId,
     code,
     redirect_uri: redirectUri,
-    code_verifier: codeVerifier
+    code_verifier: codeVerifier,
+    client_assertion_type: _const.ASSERTION_TYPE,
+    client_assertion: walletInstanceAttestation + "~" + signedWiaPoP
   };
   const authorizationRequestFormBody = new URLSearchParams(requestBody);
+  _logging.Logger.log(_logging.LogLevel.DEBUG, `Auth form request body: ${authorizationRequestFormBody}`);
   const tokenRes = await appFetch(tokenUrl, {
     method: "POST",
     headers: {
       "Content-Type": "application/x-www-form-urlencoded",
-      DPoP: tokenRequestSignedDPop,
-      "OAuth-Client-Attestation": walletInstanceAttestation,
-      "OAuth-Client-Attestation-PoP": signedWiaPoP
+      DPoP: tokenRequestSignedDPop
     },
     body: authorizationRequestFormBody.toString()
   }).then((0, _misc.hasStatusOrThrow)(200, _errors.IssuerResponseError)).then(res => res.json()).then(body => _types.TokenResponse.safeParse(body));
   if (!tokenRes.success) {
+    _logging.Logger.log(_logging.LogLevel.ERROR, `Token Response validation failed: ${tokenRes.error.message}`);
     throw new _errors.ValidationFailed({
       message: "Token Response validation failed",
       reason: tokenRes.error.message

package/lib/commonjs/credential/issuance/05-authorize-access.js.map

@@ -1 +1 @@
-{"version":3,"names":["_misc","require","_dpop","_reactNativeUuid","_interopRequireDefault","_pop","WalletInstanceAttestation","_interopRequireWildcard","_types","_errors","_getRequireWildcardCache","nodeInterop","WeakMap","cacheBabelInterop","cacheNodeInterop","obj","__esModule","default","cache","has","get","newObj","hasPropertyDescriptor","Object","defineProperty","getOwnPropertyDescriptor","key","prototype","hasOwnProperty","call","desc","set","authorizeAccess","issuerConf","code","clientId","redirectUri","codeVerifier","context","appFetch","fetch","walletInstanceAttestation","wiaCryptoContext","dPopCryptoContext","parEndpoint","pushed_authorization_request_endpoint","parUrl","URL","aud","protocol","hostname","iss","decode","payload","cnf","jwk","kid","tokenUrl","token_endpoint","tokenRequestSignedDPop","createDPopToken","htm","htu","jti","uuid","v4","signedWiaPoP","createPopToken","requestBody","client_id","grant_type","redirect_uri","code_verifier","authorizationRequestFormBody","URLSearchParams","tokenRes","method","headers","DPoP","body","toString","then","hasStatusOrThrow","IssuerResponseError","res","json","TokenResponse","safeParse","success","ValidationFailed","message","reason","error","accessToken","data","exports"],"sourceRoot":"../../../../src","sources":["credential/issuance/05-authorize-access.ts"],"mappings":";;;;;;AAAA,IAAAA,KAAA,GAAAC,OAAA;AAGA,IAAAC,KAAA,GAAAD,OAAA;AACA,IAAAE,gBAAA,GAAAC,sBAAA,CAAAH,OAAA;AACA,IAAAI,IAAA,GAAAJ,OAAA;AACA,IAAAK,yBAAA,GAAAC,uBAAA,CAAAN,OAAA;AAEA,IAAAO,MAAA,GAAAP,OAAA;AACA,IAAAQ,OAAA,GAAAR,OAAA;AAA2E,SAAAS,yBAAAC,WAAA,eAAAC,OAAA,kCAAAC,iBAAA,OAAAD,OAAA,QAAAE,gBAAA,OAAAF,OAAA,YAAAF,wBAAA,YAAAA,CAAAC,WAAA,WAAAA,WAAA,GAAAG,gBAAA,GAAAD,iBAAA,KAAAF,WAAA;AAAA,SAAAJ,wBAAAQ,GAAA,EAAAJ,WAAA,SAAAA,WAAA,IAAAI,GAAA,IAAAA,GAAA,CAAAC,UAAA,WAAAD,GAAA,QAAAA,GAAA,oBAAAA,GAAA,wBAAAA,GAAA,4BAAAE,OAAA,EAAAF,GAAA,UAAAG,KAAA,GAAAR,wBAAA,CAAAC,WAAA,OAAAO,KAAA,IAAAA,KAAA,CAAAC,GAAA,CAAAJ,GAAA,YAAAG,KAAA,CAAAE,GAAA,CAAAL,GAAA,SAAAM,MAAA,WAAAC,qBAAA,GAAAC,MAAA,CAAAC,cAAA,IAAAD,MAAA,CAAAE,wBAAA,WAAAC,GAAA,IAAAX,GAAA,QAAAW,GAAA,kBAAAH,MAAA,CAAAI,SAAA,CAAAC,cAAA,CAAAC,IAAA,CAAAd,GAAA,EAAAW,GAAA,SAAAI,IAAA,GAAAR,qBAAA,GAAAC,MAAA,CAAAE,wBAAA,CAAAV,GAAA,EAAAW,GAAA,cAAAI,IAAA,KAAAA,IAAA,CAAAV,GAAA,IAAAU,IAAA,CAAAC,GAAA,KAAAR,MAAA,CAAAC,cAAA,CAAAH,MAAA,EAAAK,GAAA,EAAAI,IAAA,YAAAT,MAAA,CAAAK,GAAA,IAAAX,GAAA,CAAAW,GAAA,SAAAL,MAAA,CAAAJ,OAAA,GAAAF,GAAA,MAAAG,KAAA,IAAAA,KAAA,CAAAa,GAAA,CAAAhB,GAAA,EAAAM,MAAA,YAAAA,MAAA;AAAA,SAAAjB,uBAAAW,GAAA,WAAAA,GAAA,IAAAA,GAAA,CAAAC,UAAA,GAAAD,GAAA,KAAAE,OAAA,EAAAF,GAAA;AAiB3E;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACO,MAAMiB,eAAgC,GAAG,MAAAA,CAC9CC,UAAU,EACVC,IAAI,EACJC,QAAQ,EACRC,WAAW,EACXC,YAAY,EACZC,OAAO,KACJ;EACH,MAAM;IACJC,QAAQ,GAAGC,KAAK;IAChBC,yBAAyB;IACzBC,gBAAgB;IAChBC;EACF,CAAC,GAAGL,OAAO;EAEX,MAAMM,WAAW,GAAGX,UAAU,CAACY,qCAAqC;EACpE,MAAMC,MAAM,GAAG,IAAIC,GAAG,CAACH,WAAW,CAAC;EACnC,MAAMI,GAAG,GAAI,GAAEF,MAAM,CAACG,QAAS,KAAIH,MAAM,CAACI,QAAS,EAAC;EACpD,MAAMC,GAAG,GAAG7C,yBAAyB,CAAC8C,MAAM,CAACX,yBAAyB,CAAC,CACpEY,OAAO,CAACC,GAAG,CAACC,GAAG,CAACC,GAAG;EAEtB,MAAMC,QAAQ,GAAGxB,UAAU,CAACyB,cAAc;EAE1C,MAAMC,sBAAsB,GAAG,MAAM,IAAAC,qBAAe,EAClD;IACEC,GAAG,EAAE,MAAM;IACXC,GAAG,EAAEL,QAAQ;IACbM,GAAG,EAAG,GAAEC,wBAAI,CAACC,EAAE,CAAC,CAAE;EACpB,CAAC,EACDtB,iBACF,CAAC;EAED,MAAMuB,YAAY,GAAG,MAAM,IAAAC,mBAAc,EACvC;IACEJ,GAAG,EAAG,GAAEC,wBAAI,CAACC,EAAE,CAAC,CAAE,EAAC;IACnBjB,GAAG;IACHG;EACF,CAAC,EACDT,gBACF,CAAC;EAED,MAAM0B,WAAW,GAAG;IAClBC,SAAS,EAAElC,QAAQ;IACnBmC,UAAU,EAAE,oBAAoB;IAChCpC,IAAI;IACJqC,YAAY,EAAEnC,WAAW;IACzBoC,aAAa,EAAEnC;EACjB,CAAC;EAED,MAAMoC,4BAA4B,GAAG,IAAIC,eAAe,CAACN,WAAW,CAAC;EACrE,MAAMO,QAAQ,GAAG,MAAMpC,QAAQ,CAACkB,QAAQ,EAAE;IACxCmB,MAAM,EAAE,MAAM;IACdC,OAAO,EAAE;MACP,cAAc,EAAE,mCAAmC;MACnDC,IAAI,EAAEnB,sBAAsB;MAC5B,0BAA0B,EAAElB,yBAAyB;MACrD,8BAA8B,EAAEyB;IAClC,CAAC;IACDa,IAAI,EAAEN,4BAA4B,CAACO,QAAQ,CAAC;EAC9C,CAAC,CAAC,CACCC,IAAI,CAAC,IAAAC,sBAAgB,EAAC,GAAG,EAAEC,2BAAmB,CAAC,CAAC,CAChDF,IAAI,CAAEG,GAAG,IAAKA,GAAG,CAACC,IAAI,CAAC,CAAC,CAAC,CACzBJ,IAAI,CAAEF,IAAI,IAAKO,oBAAa,CAACC,SAAS,CAACR,IAAI,CAAC,CAAC;EAEhD,IAAI,CAACJ,QAAQ,CAACa,OAAO,EAAE;IACrB,MAAM,IAAIC,wBAAgB,CAAC;MACzBC,OAAO,EAAE,kCAAkC;MAC3CC,MAAM,EAAEhB,QAAQ,CAACiB,KAAK,CAACF;IACzB,CAAC,CAAC;EACJ;EAEA,OAAO;IAAEG,WAAW,EAAElB,QAAQ,CAACmB;EAAK,CAAC;AACvC,CAAC;AAACC,OAAA,CAAA/D,eAAA,GAAAA,eAAA"}
+{"version":3,"names":["_misc","require","_dpop","_uuid","_pop","WalletInstanceAttestation","_interopRequireWildcard","_const","_types","_errors","_logging","_getRequireWildcardCache","nodeInterop","WeakMap","cacheBabelInterop","cacheNodeInterop","obj","__esModule","default","cache","has","get","newObj","hasPropertyDescriptor","Object","defineProperty","getOwnPropertyDescriptor","key","prototype","hasOwnProperty","call","desc","set","authorizeAccess","issuerConf","code","clientId","redirectUri","codeVerifier","context","appFetch","fetch","walletInstanceAttestation","wiaCryptoContext","dPopCryptoContext","parEndpoint","oauth_authorization_server","pushed_authorization_request_endpoint","parUrl","URL","aud","protocol","hostname","iss","decode","payload","cnf","jwk","kid","tokenUrl","token_endpoint","tokenRequestSignedDPop","createDPopToken","htm","htu","jti","uuidv4","Logger","log","LogLevel","DEBUG","signedWiaPoP","createPopToken","requestBody","grant_type","client_id","redirect_uri","code_verifier","client_assertion_type","ASSERTION_TYPE","client_assertion","authorizationRequestFormBody","URLSearchParams","tokenRes","method","headers","DPoP","body","toString","then","hasStatusOrThrow","IssuerResponseError","res","json","TokenResponse","safeParse","success","ERROR","error","message","ValidationFailed","reason","accessToken","data","exports"],"sourceRoot":"../../../../src","sources":["credential/issuance/05-authorize-access.ts"],"mappings":";;;;;;AAAA,IAAAA,KAAA,GAAAC,OAAA;AAGA,IAAAC,KAAA,GAAAD,OAAA;AACA,IAAAE,KAAA,GAAAF,OAAA;AACA,IAAAG,IAAA,GAAAH,OAAA;AACA,IAAAI,yBAAA,GAAAC,uBAAA,CAAAL,OAAA;AAEA,IAAAM,MAAA,GAAAN,OAAA;AACA,IAAAO,MAAA,GAAAP,OAAA;AACA,IAAAQ,OAAA,GAAAR,OAAA;AAEA,IAAAS,QAAA,GAAAT,OAAA;AAAuD,SAAAU,yBAAAC,WAAA,eAAAC,OAAA,kCAAAC,iBAAA,OAAAD,OAAA,QAAAE,gBAAA,OAAAF,OAAA,YAAAF,wBAAA,YAAAA,CAAAC,WAAA,WAAAA,WAAA,GAAAG,gBAAA,GAAAD,iBAAA,KAAAF,WAAA;AAAA,SAAAN,wBAAAU,GAAA,EAAAJ,WAAA,SAAAA,WAAA,IAAAI,GAAA,IAAAA,GAAA,CAAAC,UAAA,WAAAD,GAAA,QAAAA,GAAA,oBAAAA,GAAA,wBAAAA,GAAA,4BAAAE,OAAA,EAAAF,GAAA,UAAAG,KAAA,GAAAR,wBAAA,CAAAC,WAAA,OAAAO,KAAA,IAAAA,KAAA,CAAAC,GAAA,CAAAJ,GAAA,YAAAG,KAAA,CAAAE,GAAA,CAAAL,GAAA,SAAAM,MAAA,WAAAC,qBAAA,GAAAC,MAAA,CAAAC,cAAA,IAAAD,MAAA,CAAAE,wBAAA,WAAAC,GAAA,IAAAX,GAAA,QAAAW,GAAA,kBAAAH,MAAA,CAAAI,SAAA,CAAAC,cAAA,CAAAC,IAAA,CAAAd,GAAA,EAAAW,GAAA,SAAAI,IAAA,GAAAR,qBAAA,GAAAC,MAAA,CAAAE,wBAAA,CAAAV,GAAA,EAAAW,GAAA,cAAAI,IAAA,KAAAA,IAAA,CAAAV,GAAA,IAAAU,IAAA,CAAAC,GAAA,KAAAR,MAAA,CAAAC,cAAA,CAAAH,MAAA,EAAAK,GAAA,EAAAI,IAAA,YAAAT,MAAA,CAAAK,GAAA,IAAAX,GAAA,CAAAW,GAAA,SAAAL,MAAA,CAAAJ,OAAA,GAAAF,GAAA,MAAAG,KAAA,IAAAA,KAAA,CAAAa,GAAA,CAAAhB,GAAA,EAAAM,MAAA,YAAAA,MAAA;AAgBvD;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACO,MAAMW,eAAgC,GAAG,MAAAA,CAC9CC,UAAU,EACVC,IAAI,EACJC,QAAQ,EACRC,WAAW,EACXC,YAAY,EACZC,OAAO,KACJ;EACH,MAAM;IACJC,QAAQ,GAAGC,KAAK;IAChBC,yBAAyB;IACzBC,gBAAgB;IAChBC;EACF,CAAC,GAAGL,OAAO;EAEX,MAAMM,WAAW,GACfX,UAAU,CAACY,0BAA0B,CAACC,qCAAqC;EAC7E,MAAMC,MAAM,GAAG,IAAIC,GAAG,CAACJ,WAAW,CAAC;EACnC,MAAMK,GAAG,GAAI,GAAEF,MAAM,CAACG,QAAS,KAAIH,MAAM,CAACI,QAAS,EAAC;EACpD,MAAMC,GAAG,GAAGhD,yBAAyB,CAACiD,MAAM,CAACZ,yBAAyB,CAAC,CACpEa,OAAO,CAACC,GAAG,CAACC,GAAG,CAACC,GAAG;EAEtB,MAAMC,QAAQ,GAAGzB,UAAU,CAACY,0BAA0B,CAACc,cAAc;EAErE,MAAMC,sBAAsB,GAAG,MAAM,IAAAC,qBAAe,EAClD;IACEC,GAAG,EAAE,MAAM;IACXC,GAAG,EAAEL,QAAQ;IACbM,GAAG,EAAG,GAAE,IAAAC,QAAM,EAAC,CAAE;EACnB,CAAC,EACDtB,iBACF,CAAC;EAEDuB,eAAM,CAACC,GAAG,CAACC,iBAAQ,CAACC,KAAK,EAAG,uBAAsBT,sBAAuB,EAAC,CAAC;EAE3E,MAAMU,YAAY,GAAG,MAAM,IAAAC,mBAAc,EACvC;IACEP,GAAG,EAAG,GAAE,IAAAC,QAAM,EAAC,CAAE,EAAC;IAClBhB,GAAG;IACHG;EACF,CAAC,EACDV,gBACF,CAAC;EAEDwB,eAAM,CAACC,GAAG,CAACC,iBAAQ,CAACC,KAAK,EAAG,mBAAkBC,YAAa,EAAC,CAAC;EAE7D,MAAME,WAAW,GAAG;IAClBC,UAAU,EAAE,oBAAoB;IAChCC,SAAS,EAAEvC,QAAQ;IACnBD,IAAI;IACJyC,YAAY,EAAEvC,WAAW;IACzBwC,aAAa,EAAEvC,YAAY;IAC3BwC,qBAAqB,EAAEC,qBAAc;IACrCC,gBAAgB,EAAEtC,yBAAyB,GAAG,GAAG,GAAG6B;EACtD,CAAC;EAED,MAAMU,4BAA4B,GAAG,IAAIC,eAAe,CAACT,WAAW,CAAC;EAErEN,eAAM,CAACC,GAAG,CACRC,iBAAQ,CAACC,KAAK,EACb,2BAA0BW,4BAA6B,EAC1D,CAAC;EAED,MAAME,QAAQ,GAAG,MAAM3C,QAAQ,CAACmB,QAAQ,EAAE;IACxCyB,MAAM,EAAE,MAAM;IACdC,OAAO,EAAE;MACP,cAAc,EAAE,mCAAmC;MACnDC,IAAI,EAAEzB;IACR,CAAC;IACD0B,IAAI,EAAEN,4BAA4B,CAACO,QAAQ,CAAC;EAC9C,CAAC,CAAC,CACCC,IAAI,CAAC,IAAAC,sBAAgB,EAAC,GAAG,EAAEC,2BAAmB,CAAC,CAAC,CAChDF,IAAI,CAAEG,GAAG,IAAKA,GAAG,CAACC,IAAI,CAAC,CAAC,CAAC,CACzBJ,IAAI,CAAEF,IAAI,IAAKO,oBAAa,CAACC,SAAS,CAACR,IAAI,CAAC,CAAC;EAEhD,IAAI,CAACJ,QAAQ,CAACa,OAAO,EAAE;IACrB7B,eAAM,CAACC,GAAG,CACRC,iBAAQ,CAAC4B,KAAK,EACb,qCAAoCd,QAAQ,CAACe,KAAK,CAACC,OAAQ,EAC9D,CAAC;IAED,MAAM,IAAIC,wBAAgB,CAAC;MACzBD,OAAO,EAAE,kCAAkC;MAC3CE,MAAM,EAAElB,QAAQ,CAACe,KAAK,CAACC;IACzB,CAAC,CAAC;EACJ;EAEA,OAAO;IAAEG,WAAW,EAAEnB,QAAQ,CAACoB;EAAK,CAAC;AACvC,CAAC;AAACC,OAAA,CAAAvE,eAAA,GAAAA,eAAA"}

package/lib/commonjs/credential/issuance/06-obtain-credential.js

@@ -9,8 +9,8 @@ var _misc = require("../../utils/misc");
 var _errors = require("../../utils/errors");
 var _types = require("./types");
 var _dpop = require("../../utils/dpop");
-var _reactNativeUuid = _interopRequireDefault(require("react-native-uuid"));
-function _interopRequireDefault(obj) { return obj && obj.__esModule ? obj : { default: obj }; }
+var _uuid = require("uuid");
+var _logging = require("../../utils/logging");
 const createNonceProof = async (nonce, issuer, audience, ctx) => {
   const jwk = await ctx.getPublicKey();
   return new _ioReactNativeJwt.SignJWT(ctx).setPayload({
@@ -27,7 +27,7 @@ const createNonceProof = async (nonce, issuer, audience, ctx) => {
  * of the Credential Issuer to request the issuance of a credential linked to the public key contained in the JWT proof.
  * The Openid4vci proof JWT incapsulates the nonce extracted from the token response from the {@link authorizeAccess} step.
  * The credential request is sent to the Credential Endpoint of the Credential Issuer via HTTP POST with the type of the credential, its format, the access token and the JWT proof.
- * @param issuerConf The issuer configuration returned by {@link getIssuerConfig}
+ * @param issuerConf The issuer configuration returned by {@link evaluateIssuerTrust}
  * @param accessToken The access token response returned by {@link authorizeAccess}
  * @param clientId The client id returned by {@link startUserAuthorization}
  * @param credentialDefinition The credential definition of the credential to be obtained returned by {@link startUserAuthorization}
@@ -38,13 +38,13 @@ const createNonceProof = async (nonce, issuer, audience, ctx) => {
  * @returns The credential response containing the credential
  */
 exports.createNonceProof = createNonceProof;
-const obtainCredential = async (issuerConf, accessToken, clientId, credentialDefinition, context) => {
+const obtainCredential = async (issuerConf, accessToken, clientId, credentialDefinition, context, operationType) => {
   const {
     credentialCryptoContext,
     appFetch = fetch,
     dPopCryptoContext
   } = context;
-  const credentialUrl = issuerConf.credential_endpoint;
+  const credentialUrl = issuerConf.openid_credential_issuer.credential_endpoint;
 
   /**
    * JWT proof token to bind the request nonce to the key that will bind the holder User with the Credential
@@ -52,61 +52,56 @@ const obtainCredential = async (issuerConf, accessToken, clientId, credentialDef
    * @see https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html#name-proof-types
    */
   const signedNonceProof = await createNonceProof(accessToken.c_nonce, clientId, credentialUrl, credentialCryptoContext);
-  const containsCredentialDefinition = accessToken.authorization_details.some(detail => detail.credential_configuration_id === credentialDefinition.credential_configuration_id && detail.type === credentialDefinition.type);
+  _logging.Logger.log(_logging.LogLevel.DEBUG, `Signed nonce proof: ${signedNonceProof}`);
+
+  // Validation of accessTokenResponse.authorization_details if contain credentialDefinition
+  const containsCredentialDefinition = accessToken.authorization_details.some(c => c.credential_configuration_id === credentialDefinition.credential_configuration_id && c.format === credentialDefinition.format && c.type === credentialDefinition.type);
   if (!containsCredentialDefinition) {
+    _logging.Logger.log(_logging.LogLevel.ERROR, `Credential definition not found in the access token response ${accessToken.authorization_details}`);
     throw new _errors.ValidationFailed({
       message: "The access token response does not contain the requested credential"
     });
   }
-  const credential = issuerConf.credential_configurations_supported[credentialDefinition.credential_configuration_id];
-  if (!credential) {
-    throw new _errors.ValidationFailed({
-      message: "The credential configuration is not supported by the issuer"
-    });
-  }
-  const format = credential.format;
-  if (!format) {
-    throw new _errors.ValidationFailed({
-      message: "The credential doesn't contain the format required by the issuer"
-    });
-  }
 
   /** The credential request body */
   const credentialRequestFormBody = {
-    ...(format === "mso_mdoc" ? {
-      doctype: credentialDefinition.credential_configuration_id
-    } : {
-      vct: credentialDefinition.credential_configuration_id
-    }),
-    format,
+    credential_definition: {
+      type: [credentialDefinition.credential_configuration_id]
+    },
+    format: credentialDefinition.format,
     proof: {
       jwt: signedNonceProof,
       proof_type: "jwt"
     }
   };
+  _logging.Logger.log(_logging.LogLevel.DEBUG, `Credential request body: ${JSON.stringify(credentialRequestFormBody)}`);
   const tokenRequestSignedDPop = await (0, _dpop.createDPopToken)({
     htm: "POST",
     htu: credentialUrl,
-    jti: `${_reactNativeUuid.default.v4()}`,
+    jti: `${(0, _uuid.v4)()}`,
     ath: await (0, _ioReactNativeJwt.sha256ToBase64)(accessToken.access_token)
   }, dPopCryptoContext);
+  _logging.Logger.log(_logging.LogLevel.DEBUG, `Token request DPoP: ${tokenRequestSignedDPop}`);
   const credentialRes = await appFetch(credentialUrl, {
     method: "POST",
     headers: {
       "Content-Type": "application/json",
       DPoP: tokenRequestSignedDPop,
-      Authorization: `${accessToken.token_type} ${accessToken.access_token}`
+      Authorization: `${accessToken.token_type} ${accessToken.access_token}`,
+      ...(operationType === "reissuing" && {
+        operationType
+      })
     },
     body: JSON.stringify(credentialRequestFormBody)
   }).then((0, _misc.hasStatusOrThrow)(200)).then(res => res.json()).then(body => _types.CredentialResponse.safeParse(body)).catch(handleObtainCredentialError);
   if (!credentialRes.success) {
+    _logging.Logger.log(_logging.LogLevel.ERROR, `Credential Response validation failed: ${credentialRes.error.message}`);
     throw new _errors.ValidationFailed({
       message: "Credential Response validation failed",
       reason: credentialRes.error.message
     });
   }
-
-  /* temporary base64 parsing for the "mso_mdoc" format until the credential submission with this format is fixed. */
+  _logging.Logger.log(_logging.LogLevel.DEBUG, `Credential Response: ${JSON.stringify(credentialRes.data)}`);
   return credentialRes.data;
 };
 
@@ -118,10 +113,22 @@ const obtainCredential = async (issuerConf, accessToken, clientId, credentialDef
  */
 exports.obtainCredential = obtainCredential;
 const handleObtainCredentialError = e => {
+  _logging.Logger.log(_logging.LogLevel.ERROR, `Error occurred while obtaining credential: ${e}`);
   if (!(e instanceof _errors.UnexpectedStatusCodeError)) {
     throw e;
   }
-  throw new _errors.ResponseErrorBuilder(_errors.IssuerResponseError).handle("*", {
+  throw new _errors.ResponseErrorBuilder(_errors.IssuerResponseError).handle(201, {
+    // Although it is technically not an error, we handle it as such to avoid
+    // changing the return type of `obtainCredential` and introduce a breaking change.
+    code: _errors.IssuerResponseErrorCodes.CredentialIssuingNotSynchronous,
+    message: "This credential cannot be issued synchronously. It will be available at a later time."
+  }).handle(403, {
+    code: _errors.IssuerResponseErrorCodes.CredentialInvalidStatus,
+    message: "Invalid status found for the given credential"
+  }).handle(404, {
+    code: _errors.IssuerResponseErrorCodes.CredentialInvalidStatus,
+    message: "Invalid status found for the given credential"
+  }).handle("*", {
     code: _errors.IssuerResponseErrorCodes.CredentialRequestFailed,
     message: "Unable to obtain the requested credential"
   }).buildFrom(e);

package/lib/commonjs/credential/issuance/06-obtain-credential.js.map

@@ -1 +1 @@
-{"version":3,"names":["_ioReactNativeJwt","require","_misc","_errors","_types","_dpop","_reactNativeUuid","_interopRequireDefault","obj","__esModule","default","createNonceProof","nonce","issuer","audience","ctx","jwk","getPublicKey","SignJWT","setPayload","setProtectedHeader","typ","setAudience","setIssuer","setIssuedAt","setExpirationTime","sign","exports","obtainCredential","issuerConf","accessToken","clientId","credentialDefinition","context","credentialCryptoContext","appFetch","fetch","dPopCryptoContext","credentialUrl","credential_endpoint","signedNonceProof","c_nonce","containsCredentialDefinition","authorization_details","some","detail","credential_configuration_id","type","ValidationFailed","message","credential","credential_configurations_supported","format","credentialRequestFormBody","doctype","vct","proof","jwt","proof_type","tokenRequestSignedDPop","createDPopToken","htm","htu","jti","uuid","v4","ath","sha256ToBase64","access_token","credentialRes","method","headers","DPoP","Authorization","token_type","body","JSON","stringify","then","hasStatusOrThrow","res","json","CredentialResponse","safeParse","catch","handleObtainCredentialError","success","reason","error","data","e","UnexpectedStatusCodeError","ResponseErrorBuilder","IssuerResponseError","handle","code","IssuerResponseErrorCodes","CredentialRequestFailed","buildFrom"],"sourceRoot":"../../../../src","sources":["credential/issuance/06-obtain-credential.ts"],"mappings":";;;;;;AAAA,IAAAA,iBAAA,GAAAC,OAAA;AAOA,IAAAC,KAAA,GAAAD,OAAA;AAEA,IAAAE,OAAA,GAAAF,OAAA;AAOA,IAAAG,MAAA,GAAAH,OAAA;AACA,IAAAI,KAAA,GAAAJ,OAAA;AACA,IAAAK,gBAAA,GAAAC,sBAAA,CAAAN,OAAA;AAAqC,SAAAM,uBAAAC,GAAA,WAAAA,GAAA,IAAAA,GAAA,CAAAC,UAAA,GAAAD,GAAA,KAAAE,OAAA,EAAAF,GAAA;AAc9B,MAAMG,gBAAgB,GAAG,MAAAA,CAC9BC,KAAa,EACbC,MAAc,EACdC,QAAgB,EAChBC,GAAkB,KACE;EACpB,MAAMC,GAAG,GAAG,MAAMD,GAAG,CAACE,YAAY,CAAC,CAAC;EACpC,OAAO,IAAIC,yBAAO,CAACH,GAAG,CAAC,CACpBI,UAAU,CAAC;IACVP;EACF,CAAC,CAAC,CACDQ,kBAAkB,CAAC;IAClBC,GAAG,EAAE,sBAAsB;IAC3BL;EACF,CAAC,CAAC,CACDM,WAAW,CAACR,QAAQ,CAAC,CACrBS,SAAS,CAACV,MAAM,CAAC,CACjBW,WAAW,CAAC,CAAC,CACbC,iBAAiB,CAAC,MAAM,CAAC,CACzBC,IAAI,CAAC,CAAC;AACX,CAAC;;AAED;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAfAC,OAAA,CAAAhB,gBAAA,GAAAA,gBAAA;AAgBO,MAAMiB,gBAAkC,GAAG,MAAAA,CAChDC,UAAU,EACVC,WAAW,EACXC,QAAQ,EACRC,oBAAoB,EACpBC,OAAO,KACJ;EACH,MAAM;IACJC,uBAAuB;IACvBC,QAAQ,GAAGC,KAAK;IAChBC;EACF,CAAC,GAAGJ,OAAO;EAEX,MAAMK,aAAa,GAAGT,UAAU,CAACU,mBAAmB;;EAEpD;AACF;AACA;AACA;AACA;EACE,MAAMC,gBAAgB,GAAG,MAAM7B,gBAAgB,CAC7CmB,WAAW,CAACW,OAAO,EACnBV,QAAQ,EACRO,aAAa,EACbJ,uBACF,CAAC;EAED,MAAMQ,4BAA4B,GAAGZ,WAAW,CAACa,qBAAqB,CAACC,IAAI,CACxEC,MAAM,IACLA,MAAM,CAACC,2BAA2B,KAChCd,oBAAoB,CAACc,2BAA2B,IAClDD,MAAM,CAACE,IAAI,KAAKf,oBAAoB,CAACe,IACzC,CAAC;EAED,IAAI,CAACL,4BAA4B,EAAE;IACjC,MAAM,IAAIM,wBAAgB,CAAC;MACzBC,OAAO,EACL;IACJ,CAAC,CAAC;EACJ;EAEA,MAAMC,UAAU,GACdrB,UAAU,CAACsB,mCAAmC,CAC5CnB,oBAAoB,CAACc,2BAA2B,CACjD;EAEH,IAAI,CAACI,UAAU,EAAE;IACf,MAAM,IAAIF,wBAAgB,CAAC;MACzBC,OAAO,EAAE;IACX,CAAC,CAAC;EACJ;EAEA,MAAMG,MAAM,GAAGF,UAAU,CAACE,MAAM;EAEhC,IAAI,CAACA,MAAM,EAAE;IACX,MAAM,IAAIJ,wBAAgB,CAAC;MACzBC,OAAO,EACL;IACJ,CAAC,CAAC;EACJ;;EAEA;EACA,MAAMI,yBAAyB,GAAG;IAChC,IAAID,MAAM,KAAK,UAAU,GACrB;MAAEE,OAAO,EAAEtB,oBAAoB,CAACc;IAA4B,CAAC,GAC7D;MAAES,GAAG,EAAEvB,oBAAoB,CAACc;IAA4B,CAAC,CAAC;IAC9DM,MAAM;IACNI,KAAK,EAAE;MACLC,GAAG,EAAEjB,gBAAgB;MACrBkB,UAAU,EAAE;IACd;EACF,CAAC;EAED,MAAMC,sBAAsB,GAAG,MAAM,IAAAC,qBAAe,EAClD;IACEC,GAAG,EAAE,MAAM;IACXC,GAAG,EAAExB,aAAa;IAClByB,GAAG,EAAG,GAAEC,wBAAI,CAACC,EAAE,CAAC,CAAE,EAAC;IACnBC,GAAG,EAAE,MAAM,IAAAC,gCAAc,EAACrC,WAAW,CAACsC,YAAY;EACpD,CAAC,EACD/B,iBACF,CAAC;EACD,MAAMgC,aAAa,GAAG,MAAMlC,QAAQ,CAACG,aAAa,EAAE;IAClDgC,MAAM,EAAE,MAAM;IACdC,OAAO,EAAE;MACP,cAAc,EAAE,kBAAkB;MAClCC,IAAI,EAAEb,sBAAsB;MAC5Bc,aAAa,EAAG,GAAE3C,WAAW,CAAC4C,UAAW,IAAG5C,WAAW,CAACsC,YAAa;IACvE,CAAC;IACDO,IAAI,EAAEC,IAAI,CAACC,SAAS,CAACxB,yBAAyB;EAChD,CAAC,CAAC,CACCyB,IAAI,CAAC,IAAAC,sBAAgB,EAAC,GAAG,CAAC,CAAC,CAC3BD,IAAI,CAAEE,GAAG,IAAKA,GAAG,CAACC,IAAI,CAAC,CAAC,CAAC,CACzBH,IAAI,CAAEH,IAAI,IAAKO,yBAAkB,CAACC,SAAS,CAACR,IAAI,CAAC,CAAC,CAClDS,KAAK,CAACC,2BAA2B,CAAC;EAErC,IAAI,CAAChB,aAAa,CAACiB,OAAO,EAAE;IAC1B,MAAM,IAAItC,wBAAgB,CAAC;MACzBC,OAAO,EAAE,uCAAuC;MAChDsC,MAAM,EAAElB,aAAa,CAACmB,KAAK,CAACvC;IAC9B,CAAC,CAAC;EACJ;;EAEA;EACA,OAAOoB,aAAa,CAACoB,IAAI;AAC3B,CAAC;;AAED;AACA;AACA;AACA;AACA;AACA;AALA9D,OAAA,CAAAC,gBAAA,GAAAA,gBAAA;AAMA,MAAMyD,2BAA2B,GAAIK,CAAU,IAAK;EAClD,IAAI,EAAEA,CAAC,YAAYC,iCAAyB,CAAC,EAAE;IAC7C,MAAMD,CAAC;EACT;EAEA,MAAM,IAAIE,4BAAoB,CAACC,2BAAmB,CAAC,CAChDC,MAAM,CAAC,GAAG,EAAE;IACXC,IAAI,EAAEC,gCAAwB,CAACC,uBAAuB;IACtDhD,OAAO,EAAE;EACX,CAAC,CAAC,CACDiD,SAAS,CAACR,CAAC,CAAC;AACjB,CAAC"}
+{"version":3,"names":["_ioReactNativeJwt","require","_misc","_errors","_types","_dpop","_uuid","_logging","createNonceProof","nonce","issuer","audience","ctx","jwk","getPublicKey","SignJWT","setPayload","setProtectedHeader","typ","setAudience","setIssuer","setIssuedAt","setExpirationTime","sign","exports","obtainCredential","issuerConf","accessToken","clientId","credentialDefinition","context","operationType","credentialCryptoContext","appFetch","fetch","dPopCryptoContext","credentialUrl","openid_credential_issuer","credential_endpoint","signedNonceProof","c_nonce","Logger","log","LogLevel","DEBUG","containsCredentialDefinition","authorization_details","some","c","credential_configuration_id","format","type","ERROR","ValidationFailed","message","credentialRequestFormBody","credential_definition","proof","jwt","proof_type","JSON","stringify","tokenRequestSignedDPop","createDPopToken","htm","htu","jti","uuidv4","ath","sha256ToBase64","access_token","credentialRes","method","headers","DPoP","Authorization","token_type","body","then","hasStatusOrThrow","res","json","CredentialResponse","safeParse","catch","handleObtainCredentialError","success","error","reason","data","e","UnexpectedStatusCodeError","ResponseErrorBuilder","IssuerResponseError","handle","code","IssuerResponseErrorCodes","CredentialIssuingNotSynchronous","CredentialInvalidStatus","CredentialRequestFailed","buildFrom"],"sourceRoot":"../../../../src","sources":["credential/issuance/06-obtain-credential.ts"],"mappings":";;;;;;AAAA,IAAAA,iBAAA,GAAAC,OAAA;AAOA,IAAAC,KAAA,GAAAD,OAAA;AAEA,IAAAE,OAAA,GAAAF,OAAA;AAOA,IAAAG,MAAA,GAAAH,OAAA;AACA,IAAAI,KAAA,GAAAJ,OAAA;AACA,IAAAK,KAAA,GAAAL,OAAA;AACA,IAAAM,QAAA,GAAAN,OAAA;AAeO,MAAMO,gBAAgB,GAAG,MAAAA,CAC9BC,KAAa,EACbC,MAAc,EACdC,QAAgB,EAChBC,GAAkB,KACE;EACpB,MAAMC,GAAG,GAAG,MAAMD,GAAG,CAACE,YAAY,CAAC,CAAC;EACpC,OAAO,IAAIC,yBAAO,CAACH,GAAG,CAAC,CACpBI,UAAU,CAAC;IACVP;EACF,CAAC,CAAC,CACDQ,kBAAkB,CAAC;IAClBC,GAAG,EAAE,sBAAsB;IAC3BL;EACF,CAAC,CAAC,CACDM,WAAW,CAACR,QAAQ,CAAC,CACrBS,SAAS,CAACV,MAAM,CAAC,CACjBW,WAAW,CAAC,CAAC,CACbC,iBAAiB,CAAC,MAAM,CAAC,CACzBC,IAAI,CAAC,CAAC;AACX,CAAC;;AAED;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAfAC,OAAA,CAAAhB,gBAAA,GAAAA,gBAAA;AAgBO,MAAMiB,gBAAkC,GAAG,MAAAA,CAChDC,UAAU,EACVC,WAAW,EACXC,QAAQ,EACRC,oBAAoB,EACpBC,OAAO,EACPC,aAAa,KACV;EACH,MAAM;IACJC,uBAAuB;IACvBC,QAAQ,GAAGC,KAAK;IAChBC;EACF,CAAC,GAAGL,OAAO;EAEX,MAAMM,aAAa,GAAGV,UAAU,CAACW,wBAAwB,CAACC,mBAAmB;;EAE7E;AACF;AACA;AACA;AACA;EACE,MAAMC,gBAAgB,GAAG,MAAM/B,gBAAgB,CAC7CmB,WAAW,CAACa,OAAO,EACnBZ,QAAQ,EACRQ,aAAa,EACbJ,uBACF,CAAC;EAEDS,eAAM,CAACC,GAAG,CAACC,iBAAQ,CAACC,KAAK,EAAG,uBAAsBL,gBAAiB,EAAC,CAAC;;EAErE;EACA,MAAMM,4BAA4B,GAAGlB,WAAW,CAACmB,qBAAqB,CAACC,IAAI,CACxEC,CAAC,IACAA,CAAC,CAACC,2BAA2B,KAC3BpB,oBAAoB,CAACoB,2BAA2B,IAClDD,CAAC,CAACE,MAAM,KAAKrB,oBAAoB,CAACqB,MAAM,IACxCF,CAAC,CAACG,IAAI,KAAKtB,oBAAoB,CAACsB,IACpC,CAAC;EAED,IAAI,CAACN,4BAA4B,EAAE;IACjCJ,eAAM,CAACC,GAAG,CACRC,iBAAQ,CAACS,KAAK,EACb,gEAA+DzB,WAAW,CAACmB,qBAAsB,EACpG,CAAC;IACD,MAAM,IAAIO,wBAAgB,CAAC;MACzBC,OAAO,EACL;IACJ,CAAC,CAAC;EACJ;;EAEA;EACA,MAAMC,yBAAyB,GAAG;IAChCC,qBAAqB,EAAE;MACrBL,IAAI,EAAE,CAACtB,oBAAoB,CAACoB,2BAA2B;IACzD,CAAC;IACDC,MAAM,EAAErB,oBAAoB,CAACqB,MAAM;IACnCO,KAAK,EAAE;MACLC,GAAG,EAAEnB,gBAAgB;MACrBoB,UAAU,EAAE;IACd;EACF,CAAC;EAEDlB,eAAM,CAACC,GAAG,CACRC,iBAAQ,CAACC,KAAK,EACb,4BAA2BgB,IAAI,CAACC,SAAS,CAACN,yBAAyB,CAAE,EACxE,CAAC;EAED,MAAMO,sBAAsB,GAAG,MAAM,IAAAC,qBAAe,EAClD;IACEC,GAAG,EAAE,MAAM;IACXC,GAAG,EAAE7B,aAAa;IAClB8B,GAAG,EAAG,GAAE,IAAAC,QAAM,EAAC,CAAE,EAAC;IAClBC,GAAG,EAAE,MAAM,IAAAC,gCAAc,EAAC1C,WAAW,CAAC2C,YAAY;EACpD,CAAC,EACDnC,iBACF,CAAC;EAEDM,eAAM,CAACC,GAAG,CAACC,iBAAQ,CAACC,KAAK,EAAG,uBAAsBkB,sBAAuB,EAAC,CAAC;EAE3E,MAAMS,aAAa,GAAG,MAAMtC,QAAQ,CAACG,aAAa,EAAE;IAClDoC,MAAM,EAAE,MAAM;IACdC,OAAO,EAAE;MACP,cAAc,EAAE,kBAAkB;MAClCC,IAAI,EAAEZ,sBAAsB;MAC5Ba,aAAa,EAAG,GAAEhD,WAAW,CAACiD,UAAW,IAAGjD,WAAW,CAAC2C,YAAa,EAAC;MACtE,IAAIvC,aAAa,KAAK,WAAW,IAAI;QAAEA;MAAc,CAAC;IACxD,CAAC;IACD8C,IAAI,EAAEjB,IAAI,CAACC,SAAS,CAACN,yBAAyB;EAChD,CAAC,CAAC,CACCuB,IAAI,CAAC,IAAAC,sBAAgB,EAAC,GAAG,CAAC,CAAC,CAC3BD,IAAI,CAAEE,GAAG,IAAKA,GAAG,CAACC,IAAI,CAAC,CAAC,CAAC,CACzBH,IAAI,CAAED,IAAI,IAAKK,yBAAkB,CAACC,SAAS,CAACN,IAAI,CAAC,CAAC,CAClDO,KAAK,CAACC,2BAA2B,CAAC;EAErC,IAAI,CAACd,aAAa,CAACe,OAAO,EAAE;IAC1B7C,eAAM,CAACC,GAAG,CACRC,iBAAQ,CAACS,KAAK,EACb,0CAAyCmB,aAAa,CAACgB,KAAK,CAACjC,OAAQ,EACxE,CAAC;IACD,MAAM,IAAID,wBAAgB,CAAC;MACzBC,OAAO,EAAE,uCAAuC;MAChDkC,MAAM,EAAEjB,aAAa,CAACgB,KAAK,CAACjC;IAC9B,CAAC,CAAC;EACJ;EAEAb,eAAM,CAACC,GAAG,CACRC,iBAAQ,CAACC,KAAK,EACb,wBAAuBgB,IAAI,CAACC,SAAS,CAACU,aAAa,CAACkB,IAAI,CAAE,EAC7D,CAAC;EAED,OAAOlB,aAAa,CAACkB,IAAI;AAC3B,CAAC;;AAED;AACA;AACA;AACA;AACA;AACA;AALAjE,OAAA,CAAAC,gBAAA,GAAAA,gBAAA;AAMA,MAAM4D,2BAA2B,GAAIK,CAAU,IAAK;EAClDjD,eAAM,CAACC,GAAG,CAACC,iBAAQ,CAACS,KAAK,EAAG,8CAA6CsC,CAAE,EAAC,CAAC;EAE7E,IAAI,EAAEA,CAAC,YAAYC,iCAAyB,CAAC,EAAE;IAC7C,MAAMD,CAAC;EACT;EAEA,MAAM,IAAIE,4BAAoB,CAACC,2BAAmB,CAAC,CAChDC,MAAM,CAAC,GAAG,EAAE;IACX;IACA;IACAC,IAAI,EAAEC,gCAAwB,CAACC,+BAA+B;IAC9D3C,OAAO,EACL;EACJ,CAAC,CAAC,CACDwC,MAAM,CAAC,GAAG,EAAE;IACXC,IAAI,EAAEC,gCAAwB,CAACE,uBAAuB;IACtD5C,OAAO,EAAE;EACX,CAAC,CAAC,CACDwC,MAAM,CAAC,GAAG,EAAE;IACXC,IAAI,EAAEC,gCAAwB,CAACE,uBAAuB;IACtD5C,OAAO,EAAE;EACX,CAAC,CAAC,CACDwC,MAAM,CAAC,GAAG,EAAE;IACXC,IAAI,EAAEC,gCAAwB,CAACG,uBAAuB;IACtD7C,OAAO,EAAE;EACX,CAAC,CAAC,CACD8C,SAAS,CAACV,CAAC,CAAC;AACjB,CAAC"}

package/lib/commonjs/credential/issuance/07-verify-and-parse-credential.js

@@ -3,18 +3,16 @@
 Object.defineProperty(exports, "__esModule", {
   value: true
 });
-exports.verifyAndParseCredential = exports.parseCredentialSdJwt = exports.parseCredentialMDoc = void 0;
+exports.verifyAndParseCredential = void 0;
 var _errors = require("../../utils/errors");
 var _types = require("../../sd-jwt/types");
 var _sdJwt = require("../../sd-jwt");
-var _mdoc = require("../../mdoc");
 var _converters = require("../../sd-jwt/converters");
-var _converters2 = require("../../mdoc/converters");
+var _logging = require("../../utils/logging");
 // The credential as a collection of attributes in plain value
 
 // handy alias
 
-//Exported for testing purposes
 const parseCredentialSdJwt = function (credentials_supported, _ref) {
   let {
     sdJwt,
@@ -24,32 +22,35 @@ const parseCredentialSdJwt = function (credentials_supported, _ref) {
   let includeUndefinedAttributes = arguments.length > 3 && arguments[3] !== undefined ? arguments[3] : false;
   const credentialSubject = credentials_supported[sdJwt.payload.vct];
   if (!credentialSubject) {
+    _logging.Logger.log(_logging.LogLevel.ERROR, `Credential type not supported by the issuer: ${sdJwt.payload.vct}`);
     throw new _errors.IoWalletError("Credential type not supported by the issuer");
   }
   if (credentialSubject.format !== sdJwt.header.typ) {
+    _logging.Logger.log(_logging.LogLevel.ERROR, `Received credential is of an unknwown type. Expected one of [${credentialSubject.format}], received '${sdJwt.header.typ}'`);
     throw new _errors.IoWalletError(`Received credential is of an unknwown type. Expected one of [${credentialSubject.format}], received '${sdJwt.header.typ}', `);
   }
 
   // transfrom a record { key: value } in an iterable of pairs [key, value]
   if (!credentialSubject.claims) {
+    _logging.Logger.log(_logging.LogLevel.ERROR, "Missing claims in the credential subject");
     throw new _errors.IoWalletError("Missing claims in the credential subject"); // TODO [SIW-1268]: should not be optional
   }
 
-  const claims = credentialSubject.claims;
-  const attrDefinitions = Object.entries(claims);
+  const attrDefinitions = Object.entries(credentialSubject.claims);
 
   // the key of the attribute defintion must match the disclosure's name
   const attrsNotInDisclosures = attrDefinitions.filter(_ref2 => {
-    let [attrKey, definition] = _ref2;
+    let [attrKey] = _ref2;
     return !disclosures.some(_ref3 => {
       let [, name] = _ref3;
       return name === attrKey;
-    }) && definition.mandatory;
+    });
   });
   if (attrsNotInDisclosures.length > 0) {
     const missing = attrsNotInDisclosures.map(_ => _[0 /* key */]).join(", ");
     const received = disclosures.map(_ => _[1 /* name */]).join(", ");
     if (!ignoreMissingAttributes) {
+      _logging.Logger.log(_logging.LogLevel.ERROR, `Some attributes are missing in the credential. Missing: [${missing}], received: [${received}]`);
       throw new _errors.IoWalletError(`Some attributes are missing in the credential. Missing: [${missing}], received: [${received}]`);
     }
   }
@@ -66,25 +67,20 @@ const parseCredentialSdJwt = function (credentials_supported, _ref) {
       value: (_disclosures$find = disclosures.find(_ => _[1 /* name */] === attrKey)) === null || _disclosures$find === void 0 ? void 0 : _disclosures$find[2 /* value */]
     }];
   })
-  //filter the not found elements
-  .filter(_ref5 => {
-    let [_, definition] = _ref5;
-    return definition.value !== undefined;
-  })
   // add a human readable attribute name, with i18n, in the form { locale: name }
   // example: { "it-IT": "Nome", "en-EN": "Name", "es-ES": "Nombre" }
-  .map(_ref6 => {
+  .map(_ref5 => {
     let [attrKey, {
       display,
       ...definition
-    }] = _ref6;
+    }] = _ref5;
     return [attrKey, {
       ...definition,
-      name: display.reduce((names, _ref7) => {
+      name: display.reduce((names, _ref6) => {
         let {
           locale,
           name
-        } = _ref7;
+        } = _ref6;
         return {
           ...names,
           [locale]: name
@@ -95,120 +91,8 @@ const parseCredentialSdJwt = function (credentials_supported, _ref) {
   if (includeUndefinedAttributes) {
     // attributes that are in the disclosure set
     // but are not defined in the issuer configuration
-    const undefinedValues = Object.fromEntries(disclosures.filter(_ => !Object.keys(definedValues).includes(_[1])).map(_ref8 => {
-      let [, key, value] = _ref8;
-      return [key, {
-        value,
-        name: key
-      }];
-    }));
-    return {
-      ...definedValues,
-      ...undefinedValues
-    };
-  }
-  return definedValues;
-};
-
-//Exported for testing purposes
-exports.parseCredentialSdJwt = parseCredentialSdJwt;
-const parseCredentialMDoc = function (credentials_supported, credential_type, _ref9) {
-  let {
-    issuerSigned
-  } = _ref9;
-  let ignoreMissingAttributes = arguments.length > 3 && arguments[3] !== undefined ? arguments[3] : false;
-  let includeUndefinedAttributes = arguments.length > 4 && arguments[4] !== undefined ? arguments[4] : false;
-  const credentialSubject = credentials_supported[credential_type];
-  if (!credentialSubject) {
-    throw new _errors.IoWalletError("Credential type not supported by the issuer");
-  }
-
-  // transfrom a record { key: value } in an iterable of pairs [key, value]
-  if (!credentialSubject.claims) {
-    throw new _errors.IoWalletError("Missing claims in the credential subject"); // TODO [SIW-1268]: should not be optional
-  }
-
-  const claims = credentialSubject.claims;
-  const attrDefinitions = Object.entries(claims).flatMap(_ref10 => {
-    let [namespace, claimName] = _ref10;
-    return Object.entries(claimName).map(_ref11 => {
-      let [claimNameKey, definition] = _ref11;
-      return [namespace, claimNameKey, definition];
-    });
-  });
-  if (!issuerSigned.nameSpaces) {
-    throw new _errors.IoWalletError("Missing claims in the credential");
-  }
-  const flatNamespaces = Object.entries(issuerSigned.nameSpaces).flatMap(_ref12 => {
-    let [namespace, values] = _ref12;
-    return values.map(v => [namespace, v.elementIdentifier, v.elementValue]);
-  });
-
-  // Check that all mandatory attributes defined in the issuer configuration are present in the disclosure set
-  // and filter the non present ones
-  const attrsNotInDisclosures = attrDefinitions.filter(_ref13 => {
-    let [attrDefNamespace, attrKey, definition] = _ref13;
-    const isClaimPresent = flatNamespaces.find(_ref14 => {
-      let [namespace, name] = _ref14;
-      return attrDefNamespace === namespace && name === attrKey;
-    });
-    return isClaimPresent === undefined && definition.mandatory;
-  });
-  if (attrsNotInDisclosures.length > 0) {
-    const missing = attrsNotInDisclosures.map(_ => _[1 /* claim key */]).join(", ");
-    const received = flatNamespaces.map(_ => _[1 /*name*/]);
-    if (!ignoreMissingAttributes) {
-      throw new _errors.IoWalletError(`Some attributes are missing in the credential. Missing: [${missing}], received: [${received}]`);
-    }
-  }
-
-  // Attributes defined in the issuer configuration and present in the disclosure set
-  const definedValues = Object.fromEntries(attrDefinitions
-  // Retrieve the value from the corresponding disclosure
-  .map(_ref15 => {
-    var _flatNamespaces$find;
-    let [attrDefNamespace, attrKey, definition] = _ref15;
-    return [attrKey, {
-      ...definition,
-      value: (_flatNamespaces$find = flatNamespaces.find(_ref16 => {
-        let [namespace, name] = _ref16;
-        return attrDefNamespace === namespace && name === attrKey;
-      })) === null || _flatNamespaces$find === void 0 ? void 0 : _flatNamespaces$find[2]
-    }];
-  })
-  //filter the not found elements
-  .filter(_ref17 => {
-    let [_, definition] = _ref17;
-    return definition.value !== undefined;
-  })
-  // Add a human-readable attribute name, with i18n, in the form { locale: name }
-  // Example: { "it-IT": "Nome", "en-EN": "Name", "es-ES": "Nombre" }
-  .map(_ref18 => {
-    let [attrKey, {
-      display,
-      ...definition
-    }] = _ref18;
-    return [attrKey, {
-      ...definition,
-      name: display.reduce((names, _ref19) => {
-        let {
-          locale,
-          name
-        } = _ref19;
-        return {
-          ...names,
-          [locale]: name
-        };
-      }, {})
-    }];
-  }));
-  if (includeUndefinedAttributes) {
-    // Attributes that are present in the disclosure set but not defined in the issuer configuration
-    const undefinedValues = Object.fromEntries(flatNamespaces.filter(_ref20 => {
-      let [, key] = _ref20;
-      return !Object.keys(definedValues).includes(key);
-    }).map(_ref21 => {
-      let [, key, value] = _ref21;
+    const undefinedValues = Object.fromEntries(disclosures.filter(_ => !Object.keys(definedValues).includes(_[1])).map(_ref7 => {
+      let [, key, value] = _ref7;
       return [key, {
         value,
         name: key
@@ -237,7 +121,6 @@ const parseCredentialMDoc = function (credentials_supported, credential_type, _r
  * @throws If the holder binding is not properly configured
  *
  */
-exports.parseCredentialMDoc = parseCredentialMDoc;
 async function verifyCredentialSdJwt(rawCredential, issuerKeys, holderBindingContext) {
   const [decodedCredential, holderBindingKey] =
   // parallel for optimization
@@ -246,97 +129,35 @@ async function verifyCredentialSdJwt(rawCredential, issuerKeys, holderBindingCon
     cnf
   } = decodedCredential.sdJwt.payload;
   if (!cnf.jwk.kid || cnf.jwk.kid !== holderBindingKey.kid) {
+    _logging.Logger.log(_logging.LogLevel.ERROR, `Failed to verify holder binding, expected kid: ${holderBindingKey.kid}, got: ${decodedCredential.sdJwt.payload.cnf.jwk.kid}`);
     throw new _errors.IoWalletError(`Failed to verify holder binding, expected kid: ${holderBindingKey.kid}, got: ${decodedCredential.sdJwt.payload.cnf.jwk.kid}`);
   }
   return decodedCredential;
 }
 
-/**
- * Given a credential, verify it's in the supported format
- * and the credential is correctly signed
- * and it's bound to the given key
- *
- * @param rawCredential The received credential
- * @param issuerKeys The set of public keys of the issuer,
- * which will be used to verify the signature
- * @param holderBindingContext The access to the holder's key
- *
- * @throws If the signature verification fails
- * @throws If the credential is not in the SdJwt4VC format
- * @throws If the holder binding is not properly configured
- *
- */
-async function verifyCredentialMDoc(rawCredential, issuerKeys, holderBindingContext) {
-  /**
-   * For the moment, being that issues in the crypto key generation
-   * have been found on Android, the check for the deviceKey inside
-   * of the mDoc is skipped, so we are not interested in the holderBindingKey
-   */
-  const [decodedCredential, _] =
-  // parallel for optimization
-  await Promise.all([(0, _mdoc.verify)(rawCredential, issuerKeys), holderBindingContext.getPublicKey()]);
-  if (!decodedCredential) {
-    throw new _errors.IoWalletError("No MDOC credentials found!");
-  }
-
-  /**
-   * For the moment, being that issues in the crypto key generation
-   * have been found on Android, the check for the deviceKey inside
-   * of the mDoc is skipped.
-   */
-  //const key = decodedCredential.mDoc.issuerSigned.issuerAuth.payload.deviceKeyInfo.deviceKey;
-  //
-  //if (!compareKeysByThumbprint(key, holderBindingKey as PublicKey)) {
-  //  throw new IoWalletError(
-  //    `Failed to verify holder binding, holder binding key and mDoc deviceKey don't match`
-  //  );
-  //}
-
-  return decodedCredential;
-}
-
 // utility type that specialize VerifyAndParseCredential for given format
 
-const verifyAndParseCredentialSdJwt = async (issuerConf, credential, _, __, _ref22) => {
+const verifyAndParseCredentialSdJwt = async (issuerConf, credential, _, _ref8) => {
   let {
     credentialCryptoContext,
     ignoreMissingAttributes,
     includeUndefinedAttributes
-  } = _ref22;
-  const decoded = await verifyCredentialSdJwt(credential, issuerConf.keys, credentialCryptoContext);
-  const parsedCredential = parseCredentialSdJwt(issuerConf.credential_configurations_supported, decoded, ignoreMissingAttributes, includeUndefinedAttributes);
+  } = _ref8;
+  const decoded = await verifyCredentialSdJwt(credential, issuerConf.openid_credential_issuer.jwks.keys, credentialCryptoContext);
+  _logging.Logger.log(_logging.LogLevel.DEBUG, `Decoded credential: ${JSON.stringify(decoded)}`);
+  const parsedCredential = parseCredentialSdJwt(issuerConf.openid_credential_issuer.credential_configurations_supported, decoded, ignoreMissingAttributes, includeUndefinedAttributes);
   const maybeIssuedAt = (0, _converters.getValueFromDisclosures)(decoded.disclosures, "iat");
+  _logging.Logger.log(_logging.LogLevel.DEBUG, `Parsed credential: ${JSON.stringify(parsedCredential)}\nIssued at: ${maybeIssuedAt}`);
   return {
     parsedCredential,
     expiration: new Date(decoded.sdJwt.payload.exp * 1000),
     issuedAt: typeof maybeIssuedAt === "number" ? new Date(maybeIssuedAt * 1000) : undefined
   };
 };
-const verifyAndParseCredentialMDoc = async (issuerConf, credential, _, credentialType, _ref23) => {
-  var _parsedCredential$exp, _parsedCredential$iss;
-  let {
-    credentialCryptoContext,
-    ignoreMissingAttributes
-  } = _ref23;
-  const decoded = await verifyCredentialMDoc(credential, issuerConf.keys, credentialCryptoContext);
-  const parsedCredential = parseCredentialMDoc(issuerConf.credential_configurations_supported, credentialType, decoded, undefined, ignoreMissingAttributes);
-  const expirationDate = (0, _converters2.extractElementValueAsDate)(parsedCredential === null || parsedCredential === void 0 || (_parsedCredential$exp = parsedCredential.expiry_date) === null || _parsedCredential$exp === void 0 ? void 0 : _parsedCredential$exp.value);
-  if (!expirationDate) {
-    throw new _errors.IoWalletError(`expirationDate must be present!!`);
-  }
-  expirationDate === null || expirationDate === void 0 ? void 0 : expirationDate.setDate(expirationDate.getDate() + 1);
-  const maybeIssuedAt = (0, _converters2.extractElementValueAsDate)(parsedCredential === null || parsedCredential === void 0 || (_parsedCredential$iss = parsedCredential.issue_date) === null || _parsedCredential$iss === void 0 ? void 0 : _parsedCredential$iss.value);
-  maybeIssuedAt === null || maybeIssuedAt === void 0 ? void 0 : maybeIssuedAt.setDate(maybeIssuedAt.getDate() + 1);
-  return {
-    parsedCredential,
-    expiration: expirationDate ?? new Date(),
-    issuedAt: maybeIssuedAt ?? undefined
-  };
-};
 
 /**
  * Verify and parse an encoded credential.
- * @param issuerConf The Issuer configuration returned by {@link getIssuerConfig}
+ * @param issuerConf The Issuer configuration returned by {@link evaluateIssuerTrust}
  * @param credential The encoded credential returned by {@link obtainCredential}
  * @param format The format of the credentual returned by {@link obtainCredential}
  * @param context.credentialCryptoContext The crypto context used to obtain the credential in {@link obtainCredential}
@@ -347,13 +168,12 @@ const verifyAndParseCredentialMDoc = async (issuerConf, credential, _, credentia
  * @throws {IoWalletError} If the credential is not bound to the provided user key
  * @throws {IoWalletError} If the credential data fail to parse
  */
-const verifyAndParseCredential = async (issuerConf, credential, format, credentialType, context) => {
+const verifyAndParseCredential = async (issuerConf, credential, format, context) => {
   if (format === "vc+sd-jwt") {
-    return verifyAndParseCredentialSdJwt(issuerConf, credential, format, credentialType, context);
-  }
-  if (format === "mso_mdoc") {
-    return verifyAndParseCredentialMDoc(issuerConf, credential, format, credentialType, context);
+    _logging.Logger.log(_logging.LogLevel.DEBUG, "Parsing credential in vc+sd-jwt format");
+    return verifyAndParseCredentialSdJwt(issuerConf, credential, format, context);
   }
+  _logging.Logger.log(_logging.LogLevel.ERROR, `Unsupported credential format: ${format}`);
   throw new _errors.IoWalletError(`Unsupported credential format: ${format}`);
 };
 exports.verifyAndParseCredential = verifyAndParseCredential;