@pagopa/io-react-native-wallet 1.7.1 → 2.0.0-next.1

package/src/credential/status/03-verify-and-parse-status-attestation.ts

@@ -0,0 +1,70 @@
+import type { Out } from "../../utils/misc";
+import { IoWalletError } from "../../utils/errors";
+import { verify, type CryptoContext } from "@pagopa/io-react-native-jwt";
+import type { EvaluateIssuerTrust, StatusAttestation } from "../status";
+import { ParsedStatusAttestation } from "./types";
+import { decode as decodeJwt } from "@pagopa/io-react-native-jwt";
+import { LogLevel, Logger } from "../../utils/logging";
+
+export type VerifyAndParseStatusAttestation = (
+  issuerConf: Out<EvaluateIssuerTrust>["issuerConf"],
+  statusAttestation: Out<StatusAttestation>,
+  context: {
+    credentialCryptoContext: CryptoContext;
+  }
+) => Promise<{ parsedStatusAttestation: ParsedStatusAttestation }>;
+
+/**
+ * Given a status attestation, verifies that:
+ * - It's in the supported format;
+ * - The attestation is correctly signed;
+ * - It's bound to the given key.
+ * @param issuerConf The Issuer configuration returned by {@link evaluateIssuerTrust}
+ * @param statusAttestation The encoded status attestation returned by {@link statusAttestation}
+ * @param context.credentialCryptoContext The crypto context used to obtain the credential in {@link obtainCredential}
+ * @returns A parsed status attestation
+ * @throws {IoWalletError} If the credential signature is not verified with the Issuer key set
+ * @throws {IoWalletError} If the credential is not bound to the provided user key
+ * @throws {IoWalletError} If the credential data fail to parse
+ */
+export const verifyAndParseStatusAttestation: VerifyAndParseStatusAttestation =
+  async (issuerConf, rawStatusAttestation, context) => {
+    try {
+      const { statusAttestation } = rawStatusAttestation;
+      const { credentialCryptoContext } = context;
+
+      await verify(
+        statusAttestation,
+        issuerConf.openid_credential_issuer.jwks.keys
+      );
+
+      const decodedJwt = decodeJwt(statusAttestation);
+      const parsedStatusAttestation = ParsedStatusAttestation.parse({
+        header: decodedJwt.protectedHeader,
+        payload: decodedJwt.payload,
+      });
+
+      Logger.log(
+        LogLevel.DEBUG,
+        `Parsed status attestation: ${JSON.stringify(parsedStatusAttestation)}`
+      );
+
+      const holderBindingKey = await credentialCryptoContext.getPublicKey();
+      const { cnf } = parsedStatusAttestation.payload;
+      if (!cnf.jwk.kid || cnf.jwk.kid !== holderBindingKey.kid) {
+        Logger.log(
+          LogLevel.ERROR,
+          `Failed to verify holder binding for status attestation, expected kid: ${holderBindingKey.kid}, got: ${parsedStatusAttestation.payload.cnf.jwk.kid}`
+        );
+        throw new IoWalletError(
+          `Failed to verify holder binding for status attestation, expected kid: ${holderBindingKey.kid}, got: ${parsedStatusAttestation.payload.cnf.jwk.kid}`
+        );
+      }
+
+      return { parsedStatusAttestation };
+    } catch (e) {
+      throw new IoWalletError(
+        `Failed to verify status attestation: ${JSON.stringify(e)}`
+      );
+    }
+  };

package/src/credential/status/README.md

@@ -0,0 +1,67 @@
+# Credential Status Attestation
+
+This flow is used to obtain a credential status attestation from its credential issuer. Each step in the flow is imported from the related file which is named with a sequential number.
+The credential status attestation is a JWT which contains the credential status which indicates if the credential is valid or not.
+The status attestation is supposed to be stored securely along with the credential. It has a limited lifetime and should be refreshed periodically according to the `exp` field in the JWT payload.
+
+## Sequence Diagram
+
+```mermaid
+graph TD;
+    0[startFlow]
+    1[statusAttestation]
+    2[verifyAndParseStatusAttestation]
+
+    0 --> 1
+    1 --> 2
+```
+
+
+## Mapped results
+
+The following errors are mapped to a `IssuerResponseError` with specific codes.
+
+|HTTP Status|Error Code|Description|
+|-----------|----------|-----------|
+|`404 Not Found`|`ERR_CREDENTIAL_INVALID_STATUS`|This response is returned by the credential issuer when the status attestation is invalid. It might contain more details in the `reason` property.|
+
+## Example
+
+<details>
+  <summary>Credential status attestation flow</summary>
+
+```ts
+// Start the issuance flow
+const credentialIssuerUrl = "https://issuer.example.com";
+const startFlow: Credential.Status.StartFlow = () => ({
+  issuerUrl: credentialIssuerUrl, // Let's assum
+});
+
+const { issuerUrl } = startFlow();
+
+// Evaluate issuer trust
+const { issuerConf } = await Credential.Status.evaluateIssuerTrust(issuerUrl);
+
+// Get the credential attestation
+const res = await Credential.Status.statusAttestation(
+  issuerConf,
+  credential,
+  credentialCryptoContext
+);
+
+// Verify and parse the status attestation
+const { parsedStatusAttestation } =
+  await Credential.Status.verifyAndParseStatusAttestation(
+    issuerConf,
+    res.statusAttestation,
+    { credentialCryptoContext }
+  );
+
+return {
+  statusAttestation: res.statusAttestation,
+  parsedStatusAttestation,
+  credentialType,
+};
+```
+
+</details>

package/src/credential/status/index.ts

@@ -0,0 +1,22 @@
+import { type StartFlow } from "./01-start-flow";
+import {
+  statusAttestation,
+  type StatusAttestation,
+} from "./02-status-attestation";
+import { evaluateIssuerTrust, type EvaluateIssuerTrust } from "../issuance";
+import {
+  verifyAndParseStatusAttestation,
+  type VerifyAndParseStatusAttestation,
+} from "./03-verify-and-parse-status-attestation";
+
+export {
+  evaluateIssuerTrust,
+  statusAttestation,
+  verifyAndParseStatusAttestation,
+};
+export type {
+  StartFlow,
+  EvaluateIssuerTrust,
+  StatusAttestation,
+  VerifyAndParseStatusAttestation,
+};

package/src/credential/status/types.ts

@@ -0,0 +1,43 @@
+import { UnixTime } from "../../sd-jwt/types";
+import { JWK } from "../../utils/jwk";
+import * as z from "zod";
+
+/**
+ * Shape from parsing a status attestation response in case of 201.
+ */
+export const StatusAttestationResponse = z.object({
+  status_attestation: z.string(),
+});
+
+/**
+ * Type from parsing a status attestation response in case of 201.
+ * Inferred from {@link StatusAttestationResponse}.
+ */
+export type StatusAttestationResponse = z.infer<
+  typeof StatusAttestationResponse
+>;
+
+/**
+ * Type for a parsed status attestation.
+ */
+export type ParsedStatusAttestation = z.infer<typeof ParsedStatusAttestation>;
+
+/**
+ * Shape for parsing a status attestation in a JWT.
+ */
+export const ParsedStatusAttestation = z.object({
+  header: z.object({
+    typ: z.literal("status-attestation+jwt"),
+    alg: z.string(),
+    kid: z.string().optional(),
+  }),
+  payload: z.object({
+    credential_hash_alg: z.string(),
+    credential_hash: z.string(),
+    cnf: z.object({
+      jwk: JWK,
+    }),
+    exp: UnixTime,
+    iat: UnixTime,
+  }),
+});

package/src/credential/trustmark/README.md

@@ -0,0 +1,62 @@
+# Credential Trustmark
+
+A credential TrustMark is a signed JWT that verifies the authenticity of a credential issued by a trusted source. It serves as proof that a credential is valid and linked to a specific wallet instance.
+The TrustMark is often presented as a QR code, containing cryptographic data to ensure it hasn't been tampered with. It includes fields like issuer, issuance and expiration timestamps, and credential-specific details. TrustMarks have a short validity period and are used to enhance security and prevent misuse, such as QR code swapping.
+
+### getCredentialTrustmark
+
+A function that generates a signed JWT Trustmark to verify the authenticity of a digital credential. The Trustmark serves as a cryptographic proof linking a credential to a specific wallet instance, ensuring the credential's validity and preventing unauthorized modifications or misuse.
+
+#### Signature
+
+```typescript
+function getCredentialTrustmark({
+  walletInstanceAttestation: string,
+  wiaCryptoContext: CryptoContext,
+  credentialType: string,
+  docNumber?: string,
+  expirationTime?: number | string
+}): Promise<{
+  jwt: string,
+  expirationTime: number
+}>
+```
+
+#### Parameters
+| Parameter | Type | Required | Description |
+|-----------|------|----------|-------------|
+| walletInstanceAttestation | string | Yes | A base64-encoded string containing the Wallet Instance Attestation (WIA). This attestation proves the authenticity of the wallet instance. |
+| wiaCryptoContext | CryptoContext | Yes | The cryptographic context associated with the wallet instance. Must contain the same key pair used to generate the WIA. |
+| credentialType | string | Yes | Identifier for the type of credential (e.g., "MDL" for Mobile Driver's License). |
+| docNumber | string | No | The document number of the credential. If provided, it will be obfuscated in the Trustmark for privacy. |
+| expirationTime | number \| string | No | Specifies when the Trustmark expires. Can be either:<br>- A timestamp in seconds<br>- A time span string (e.g., "2m" for 2 minutes)<br>Default: "2m" |
+
+#### Return Value
+
+Returns a Promise that resolves to an object containing:
+| Property | Type | Description |
+|----------|------|-------------|
+| jwt | string | The signed trustmark JWT string |
+| expirationTime | number | The expiration timestamp of the JWT in seconds |
+
+## Example
+
+```typescript
+// Required inputs
+const walletInstanceAttestation = "base64AttestationString";
+const credentialType = "MDL"; // Credential type (e.g., Mobile Driver's License)
+const documentNumber = "AB123456"; // Optional document number
+const cryptoContext = createCryptoContextFor("wiaKeyTag"); // Sample crypto context
+
+// Generate the TrustMark JWT
+const { jwt, expirationTime } = await getCredentialTrustmark({
+  walletInstanceAttestation: "eyJ0eXAi...", // WIA JWT
+  wiaCryptoContext: cryptoContext,
+  credentialType: "IdentityCard",
+  docNumber: "AB123456",
+  expirationTime: "5m", // 5 minutes
+});
+
+console.log("Generated TrustMark JWT:", jwt);
+console.log("Expires at:", new Date(expirationTime * 1000));
+```

package/src/credential/trustmark/get-credential-trustmark.ts

@@ -0,0 +1,139 @@
+import {
+  SignJWT,
+  thumbprint,
+  type CryptoContext,
+  decode as decodeJwt,
+} from "@pagopa/io-react-native-jwt";
+import * as WalletInstanceAttestation from "../../wallet-instance-attestation";
+import { IoWalletError } from "../../utils/errors";
+import { obfuscateString } from "../../utils/string";
+import { LogLevel, Logger } from "../../utils/logging";
+
+export type GetCredentialTrustmarkJwt = (params: {
+  /**
+   * The Wallet Instance's attestation
+   */
+  walletInstanceAttestation: string;
+  /**
+   * The Wallet Instance's crypto context associated with the walletInstanceAttestation parameter
+   */
+  wiaCryptoContext: CryptoContext;
+  /**
+   * The type of credential for which the trustmark is generated
+   */
+  credentialType: string;
+  /**
+   * (Optional) Document number contained in the credential, if applicable
+   */
+  docNumber?: string;
+  /**
+   * (Optional) Expiration time for the trustmark, default is 2 minutes.
+   * If a number is provided, it is interpreted as a timestamp in seconds.
+   * If a string is provided, it is interpreted as a time span and added to the current timestamp.
+   */
+  expirationTime?: number | string;
+}) => Promise<{
+  /**
+   * The signed JWT
+   */
+  jwt: string;
+  /**
+   * The expiration time of the JWT in seconds
+   */
+  expirationTime: number;
+}>;
+
+/**
+ * Generates a trustmark signed JWT, which is used to verify the authenticity of a credential.
+ * The public key used to sign the trustmark must the same used for the Wallet Instance Attestation.
+ *
+ * @param walletInstanceAttestation the Wallet Instance's attestation
+ * @param wiaCryptoContext The Wallet Instance's crypto context associated with the walletInstanceAttestation parameter
+ * @param credentialType The type of credential for which the trustmark is generated
+ * @param docNumber (Optional) Document number contained in the credential, if applicable
+ * @param expirationTime (Optional) Expiration time for the trustmark, default is 2 minutes.
+ *                        If a number is provided, it is interpreted as a timestamp in seconds.
+ *                        If a string is provided, it is interpreted as a time span and added to the current timestamp.
+ * @throws {IoWalletError} If the WIA is expired
+ * @throws {IoWalletError} If the public key associated to the WIA is not the same for the CryptoContext
+ * @throws {JWSSignatureVerificationFailed} If the WIA signature is not valid
+ * @returns A promise containing the signed JWT and its expiration time in seconds
+ */
+export const getCredentialTrustmark: GetCredentialTrustmarkJwt = async ({
+  walletInstanceAttestation,
+  wiaCryptoContext,
+  credentialType,
+  docNumber,
+  expirationTime = "2m",
+}) => {
+  /**
+   * Check that the public key used to sign the trustmark is the one used for the WIA
+   */
+  const holderBindingKey = await wiaCryptoContext.getPublicKey();
+  const decodedWia = WalletInstanceAttestation.decode(
+    walletInstanceAttestation
+  );
+
+  Logger.log(
+    LogLevel.DEBUG,
+    `Decoded wia ${JSON.stringify(decodedWia.payload)} with holder binding key ${JSON.stringify(holderBindingKey)}`
+  );
+
+  /**
+   * Check that the WIA is not expired
+   */
+  if (decodedWia.payload.exp * 1000 < Date.now()) {
+    Logger.log(
+      LogLevel.ERROR,
+      `Wallet Instance Attestation expired with exp: ${decodedWia.payload.exp}`
+    );
+    throw new IoWalletError("Wallet Instance Attestation expired");
+  }
+
+  /**
+   * Verify holder binding by comparing thumbprints of the WIA and the CryptoContext key
+   */
+  const wiaThumbprint = await thumbprint(decodedWia.payload.cnf.jwk);
+  const cryptoContextThumbprint = await thumbprint(holderBindingKey);
+
+  if (wiaThumbprint !== cryptoContextThumbprint) {
+    Logger.log(
+      LogLevel.ERROR,
+      `Failed to verify holder binding for status attestation, expected thumbprint: ${cryptoContextThumbprint}, got: ${wiaThumbprint}`
+    );
+    throw new IoWalletError(
+      `Failed to verify holder binding for status attestation, expected thumbprint: ${cryptoContextThumbprint}, got: ${wiaThumbprint}`
+    );
+  }
+
+  Logger.log(
+    LogLevel.DEBUG,
+    `Wia thumbprint: ${wiaThumbprint} CryptoContext thumbprint: ${cryptoContextThumbprint}`
+  );
+
+  /**
+   * Generate Trustmark signed JWT
+   */
+  const signedTrustmarkJwt = await new SignJWT(wiaCryptoContext)
+    .setProtectedHeader({
+      alg: "ES256",
+    })
+    .setPayload({
+      iss: walletInstanceAttestation,
+      /**
+       * If present, the document number is obfuscated before adding it to the payload
+       */
+      ...(docNumber ? { sub: obfuscateString(docNumber) } : {}),
+      subtyp: credentialType,
+    })
+    .setIssuedAt()
+    .setExpirationTime(expirationTime)
+    .sign();
+
+  const decodedTrustmark = decodeJwt(signedTrustmarkJwt);
+
+  return {
+    jwt: signedTrustmarkJwt,
+    expirationTime: decodedTrustmark.payload.exp ?? 0,
+  };
+};

package/src/credential/trustmark/index.ts

@@ -0,0 +1,8 @@
+import {
+  type GetCredentialTrustmarkJwt,
+  getCredentialTrustmark,
+} from "./get-credential-trustmark";
+
+export { getCredentialTrustmark };
+
+export type { GetCredentialTrustmarkJwt };

package/src/index.ts

@@ -9,7 +9,9 @@ import * as PID from "./pid";
 import * as SdJwt from "./sd-jwt";
 import * as Errors from "./utils/errors";
 import * as WalletInstanceAttestation from "./wallet-instance-attestation";
+import * as Trust from "./trust";
 import * as WalletInstance from "./wallet-instance";
+import * as Logging from "./utils/logging";
 import { AuthorizationDetail, AuthorizationDetails } from "./utils/par";
 import { createCryptoContextFor } from "./utils/crypto";
 import type { IntegrityContext } from "./utils/integrity";
@@ -21,10 +23,12 @@ export {
   WalletInstanceAttestation,
   WalletInstance,
   Errors,
+  Trust,
   createCryptoContextFor,
   AuthorizationDetail,
   AuthorizationDetails,
   fixBase64EncodingOnKey,
+  Logging,
 };
 
 export type { IntegrityContext, AuthorizationContext };

package/src/pid/sd-jwt/types.ts

@@ -1,5 +1,22 @@
 import { z } from "zod";
-import { Verification } from "../../sd-jwt/types";
+
+const VerificationEvidence = z.object({
+  type: z.string(),
+  record: z.object({
+    type: z.string(),
+    source: z.object({
+      organization_name: z.string(),
+      organization_id: z.string(),
+      country_code: z.string(),
+    }),
+  }),
+});
+type Verification = z.infer<typeof Verification>;
+const Verification = z.object({
+  trustFramework: z.literal("eidas"),
+  assuranceLevel: z.string(),
+  evidence: z.array(VerificationEvidence),
+});
 
 /**
  * Data structure for the PID.

package/src/sd-jwt/__test__/index.test.ts

@@ -13,73 +13,56 @@ import { SdJwt4VC } from "../types";
 //    - "address" is used as verification._sd
 //    - all others disclosures are in claims._sd
 const token =
-  "eyJraWQiOiJvTHZHOHFGeGJZQ2RZRXBGNVdEeEJVYzM1THI1YTgwZ2FtbjZPeU5pSFRjIiwidHlwIjoidmMrc2Qtand0IiwiYWxnIjoiRVMyNTYifQ.eyJzdWIiOiJaTGJkSm53Qm1xQks2aVJqZmVmdXNqcjBZMUk1SE11MUllcXJ5TWJGejRnIiwidmN0IjoidXJuOmV1LmV1cm9wYS5lYy5ldWRpOnBpZDoxIiwiZXhwaXJ5X2RhdGUiOiIyMDI2LTA1LTIwIiwiaXNzIjoiaHR0cHM6Ly9hcGkucG90ZW50aWFsLXdhbGxldC1pdC1waWQtcHJvdmlkZXIuaXQiLCJfc2QiOlsiNDNlbk9MQ0xSdnhseDkyTG5QaUxOMTFMR3lIVjJtT1NycmRMa1RfTm1SQSIsIkdkc1hiX0s5ZHh5WWxCd3lCclloSVdVQnlSbFdxRk9IRlVWZ1J3RWZTdjQiLCJJaGgzUFRXbWM0Zk1MQ1FZQVFsN2l5ajRYY3RwbEZOS0VaUDVtQU9BWmo4IiwiTUx0RktpVUdzUDhrMUMxN3hYblZmWFh3emhpUHN0ekx4a2dLWk10YXZ1QSIsIlkxOU9vNFNfVjZEdjZRcGVPcFJSLWxOMmlGeHJ0RzF2WkVVejFKVy1CN2MiLCJ1LWlYMXduZUtja3NDeld6elRkOUZvUTlRUGNoNlhxS2hBZkMyRFZySk9zIiwid1FURHpYcFZpNmlVa01yUW9sNFdpWkpwZkhsS2FoZi1LLWxYZjE4Rll1YyIsInhqZzVNbEpXcDVqVGltdlhzaXZRUmhMVnFlOGNTemFkTVo2MEhrazUzanMiXSwidmN0I2ludGVncml0eSI6IjI0MjMwMmQ5N2QzOGRhMjcxNGEyNTdmMmEyNTNiZjJmYTMwYWFlNWMxMDlmZTk1ODFiZmNkYTNiMWQ3OTdjOTciLCJpc3N1aW5nX2NvdW50cnkiOiJJVCIsIl9zZF9hbGciOiJzaGEtMjU2IiwiaXNzdWluZ19hdXRob3JpdHkiOiJJc3RpdHV0byBQb2xpZ3JhZmljbyBlIFplY2NhIGRlbGxvIFN0YXRvIiwiY25mIjp7Imp3ayI6eyJrdHkiOiJFQyIsImNydiI6IlAtMjU2Iiwia2lkIjoiTTBQYnZkWXNqVmdybWtXTTFfYVpZMk5zYmRMX3ZtckgyODd5TzQzTHF1WSIsIngiOiJfOHBuSVg2LXR6WEpBa0NSNmlhdnNDUVB0aW5ZYkZJeHI3NEYtNnJUejJVIiwieSI6IlJMeE53dHIxZzhIcmI1TlNoajFHYk1XZ0hvUS1DNzBCT3o0LVN5ZERoRmcifX0sImV4cCI6MTc3OTI4MzEyNSwiaWF0IjoxNzQ3NzQ3MTI1LCJ2ZXJpZmljYXRpb24iOnsiZXZpZGVuY2UiOnsibWV0aG9kIjoiY2llIn0sInRydXN0X2ZyYW1ld29yayI6ImVpZGFzIiwiYXNzdXJhbmNlX2xldmVsIjoiaGlnaCJ9LCJzdGF0dXMiOnsic3RhdHVzX2Fzc2VydGlvbiI6eyJjcmVkZW50aWFsX2hhc2hfYWxnIjoic2hhLTI1NiJ9fX0.guNNpF6KeKSowT6WCYvslgaPQbTRhwgqxTdJMPwsBOEkh6A9X2FvU8RMJoalhwXLHLo72bE4-HCvXO803I98JQ~WyItR0wxV1NiMnRWdTVTMDM4OXRFZW9nIiwiZ2l2ZW5fbmFtZSIsIk1BUklBIl0~WyJqSHYzdEFQNTNyRGxSbXVsdlo0Z2hBIiwiZmFtaWx5X25hbWUiLCJTUEVDSU1FTiJd~WyJiX3FtcnVBWTJkOEN5bk4yc0FPVm5nIiwidW5pcXVlX2lkIiwiaWRBTlBSIl0~WyJGajhqZ055bUVXYk9OdFpHeGV0SFh3IiwiYmlydGhfZGF0ZSIsIjE5OTUtMDEtMTgiXQ~WyI5aUs2UF9jY2UyY29QR1Q4b3d2TWxBIiwiYmlydGhfcGxhY2UiLCJST01BIl0~WyJucGVfcHJyUWxHT0hMU19pbS1pNmNnIiwibmF0aW9uYWxpdHkiLCJJVCJd~WyJrazlUVW9DQm9OZFd0VElpUWJValNBIiwidGF4X2lkX2NvZGUiLCJUSU5JVC1TUENNUkE5NUE1OEg1MDFUIl0~WyJjclNLNDlpaWpiZTdSbFFLSXlvcmlRIiwiaWF0IiwxNzQ3NzQ3MTI1XQ";
+  "eyJraWQiOiItRl82VWdhOG4zVmVnalkyVTdZVUhLMXpMb2FELU5QVGM2M1JNSVNuTGF3IiwidHlwIjoidmMrc2Qtand0IiwiYWxnIjoiRVMyNTYifQ.eyJfc2QiOlsiMHExRDVKbWF2NnBRYUVoX0pfRmN2X3VOTk1RSWdDeWhRT3hxbFk0bDNxVSIsIktDSi1BVk52ODhkLXhqNnNVSUFPSnhGbmJVaDNySFhES2tJSDFsRnFiUnMiLCJNOWxvOVl4RE5JWHJBcTJxV2VpQ0E0MHpwSl96WWZGZFJfNEFFQUxjUnRVIiwiY3pnalVrMG5xUkNzd1NoQ2hDamRTNkExLXY0N2RfcVRDU0ZJdklIaE1vSSIsIm5HblFyN2NsbTN0ZlRwOHlqTF91SHJEU090elIyUFZiOFM3R2VMZEFxQlEiLCJ4TklWd2xwU3NhWjhDSlNmMGd6NXhfNzVWUldXYzZWMW1scGVqZENycVVzIl0sInN1YiI6IjIxNmY4OTQ2LTllY2ItNDgxOS05MzA5LWMwNzZmMzRhN2UxMSIsIl9zZF9hbGciOiJzaGEtMjU2IiwidmN0IjoiUGVyc29uSWRlbnRpZmljYXRpb25EYXRhIiwiaXNzIjoiaHR0cHM6Ly9wcmUuZWlkLndhbGxldC5pcHpzLml0IiwiY25mIjp7Imp3ayI6eyJrdHkiOiJFQyIsImNydiI6IlAtMjU2Iiwia2lkIjoiUnYzVy1FaUtwdkJUeWs1eVp4dnJldi03TURCNlNselVDQm9fQ1FqamRkVSIsIngiOiIwV294N1F0eVBxQnlnMzVNSF9YeUNjbmQ1TGUtSm0wQVhIbFVnREJBMDNZIiwieSI6ImVFaFZ2ZzFKUHFOZDNEVFNhNG1HREdCbHdZNk5QLUVaYkxiTkZYU1h3SWcifX0sImV4cCI6MTc1MTU0NjU3Niwic3RhdHVzIjp7InN0YXR1c19hdHRlc3RhdGlvbiI6eyJjcmVkZW50aWFsX2hhc2hfYWxnIjoic2hhLTI1NiJ9fX0.qXHA2oqr8trX4fGxpxpUft2GX380TM3pzfo1MYAsDjUC8HsODA-4rdRWAvDe2zYP57x4tJU7eiABkd1Kmln9yQ~WyJrSkRFUDhFYU5URU1CRE9aelp6VDR3IiwidW5pcXVlX2lkIiwiVElOSVQtTFZMREFBODVUNTBHNzAyQiJd~WyJ6SUF5VUZ2UGZJcEUxekJxeEk1aGFRIiwiYmlydGhfZGF0ZSIsIjE5ODUtMTItMTAiXQ~WyJHcjNSM3MyOTBPa1FVbS1ORlR1OTZBIiwidGF4X2lkX2NvZGUiLCJUSU5JVC1MVkxEQUE4NVQ1MEc3MDJCIl0~WyJHeE9SYWxNQWVsZlowZWRGSmpqWVV3IiwiZ2l2ZW5fbmFtZSIsIkFkYSJd~WyJfdlY1UklrbDBJT0VYS290czlrdDF3IiwiZmFtaWx5X25hbWUiLCJMb3ZlbGFjZSJd~WyJDajV0Y2NSNzJKd3J6ZTJUVzRhLXdnIiwiaWF0IiwxNzIwMDEwNTc1XQ";
 
 const unsigned =
-  "eyJraWQiOiJvTHZHOHFGeGJZQ2RZRXBGNVdEeEJVYzM1THI1YTgwZ2FtbjZPeU5pSFRjIiwidHlwIjoidmMrc2Qtand0IiwiYWxnIjoiRVMyNTYifQ.eyJzdWIiOiJaTGJkSm53Qm1xQks2aVJqZmVmdXNqcjBZMUk1SE11MUllcXJ5TWJGejRnIiwidmN0IjoidXJuOmV1LmV1cm9wYS5lYy5ldWRpOnBpZDoxIiwiZXhwaXJ5X2RhdGUiOiIyMDI2LTA1LTIwIiwiaXNzIjoiaHR0cHM6Ly9hcGkucG90ZW50aWFsLXdhbGxldC1pdC1waWQtcHJvdmlkZXIuaXQiLCJfc2QiOlsiNDNlbk9MQ0xSdnhseDkyTG5QaUxOMTFMR3lIVjJtT1NycmRMa1RfTm1SQSIsIkdkc1hiX0s5ZHh5WWxCd3lCclloSVdVQnlSbFdxRk9IRlVWZ1J3RWZTdjQiLCJJaGgzUFRXbWM0Zk1MQ1FZQVFsN2l5ajRYY3RwbEZOS0VaUDVtQU9BWmo4IiwiTUx0RktpVUdzUDhrMUMxN3hYblZmWFh3emhpUHN0ekx4a2dLWk10YXZ1QSIsIlkxOU9vNFNfVjZEdjZRcGVPcFJSLWxOMmlGeHJ0RzF2WkVVejFKVy1CN2MiLCJ1LWlYMXduZUtja3NDeld6elRkOUZvUTlRUGNoNlhxS2hBZkMyRFZySk9zIiwid1FURHpYcFZpNmlVa01yUW9sNFdpWkpwZkhsS2FoZi1LLWxYZjE4Rll1YyIsInhqZzVNbEpXcDVqVGltdlhzaXZRUmhMVnFlOGNTemFkTVo2MEhrazUzanMiXSwidmN0I2ludGVncml0eSI6IjI0MjMwMmQ5N2QzOGRhMjcxNGEyNTdmMmEyNTNiZjJmYTMwYWFlNWMxMDlmZTk1ODFiZmNkYTNiMWQ3OTdjOTciLCJpc3N1aW5nX2NvdW50cnkiOiJJVCIsIl9zZF9hbGciOiJzaGEtMjU2IiwiaXNzdWluZ19hdXRob3JpdHkiOiJJc3RpdHV0byBQb2xpZ3JhZmljbyBlIFplY2NhIGRlbGxvIFN0YXRvIiwiY25mIjp7Imp3ayI6eyJrdHkiOiJFQyIsImNydiI6IlAtMjU2Iiwia2lkIjoiTTBQYnZkWXNqVmdybWtXTTFfYVpZMk5zYmRMX3ZtckgyODd5TzQzTHF1WSIsIngiOiJfOHBuSVg2LXR6WEpBa0NSNmlhdnNDUVB0aW5ZYkZJeHI3NEYtNnJUejJVIiwieSI6IlJMeE53dHIxZzhIcmI1TlNoajFHYk1XZ0hvUS1DNzBCT3o0LVN5ZERoRmcifX0sImV4cCI6MTc3OTI4MzEyNSwiaWF0IjoxNzQ3NzQ3MTI1LCJ2ZXJpZmljYXRpb24iOnsiZXZpZGVuY2UiOnsibWV0aG9kIjoiY2llIn0sInRydXN0X2ZyYW1ld29yayI6ImVpZGFzIiwiYXNzdXJhbmNlX2xldmVsIjoiaGlnaCJ9LCJzdGF0dXMiOnsic3RhdHVzX2Fzc2VydGlvbiI6eyJjcmVkZW50aWFsX2hhc2hfYWxnIjoic2hhLTI1NiJ9fX0";
+  "eyJraWQiOiItRl82VWdhOG4zVmVnalkyVTdZVUhLMXpMb2FELU5QVGM2M1JNSVNuTGF3IiwidHlwIjoidmMrc2Qtand0IiwiYWxnIjoiRVMyNTYifQ.eyJfc2QiOlsiMHExRDVKbWF2NnBRYUVoX0pfRmN2X3VOTk1RSWdDeWhRT3hxbFk0bDNxVSIsIktDSi1BVk52ODhkLXhqNnNVSUFPSnhGbmJVaDNySFhES2tJSDFsRnFiUnMiLCJNOWxvOVl4RE5JWHJBcTJxV2VpQ0E0MHpwSl96WWZGZFJfNEFFQUxjUnRVIiwiY3pnalVrMG5xUkNzd1NoQ2hDamRTNkExLXY0N2RfcVRDU0ZJdklIaE1vSSIsIm5HblFyN2NsbTN0ZlRwOHlqTF91SHJEU090elIyUFZiOFM3R2VMZEFxQlEiLCJ4TklWd2xwU3NhWjhDSlNmMGd6NXhfNzVWUldXYzZWMW1scGVqZENycVVzIl0sInN1YiI6IjIxNmY4OTQ2LTllY2ItNDgxOS05MzA5LWMwNzZmMzRhN2UxMSIsIl9zZF9hbGciOiJzaGEtMjU2IiwidmN0IjoiUGVyc29uSWRlbnRpZmljYXRpb25EYXRhIiwiaXNzIjoiaHR0cHM6Ly9wcmUuZWlkLndhbGxldC5pcHpzLml0IiwiY25mIjp7Imp3ayI6eyJrdHkiOiJFQyIsImNydiI6IlAtMjU2Iiwia2lkIjoiUnYzVy1FaUtwdkJUeWs1eVp4dnJldi03TURCNlNselVDQm9fQ1FqamRkVSIsIngiOiIwV294N1F0eVBxQnlnMzVNSF9YeUNjbmQ1TGUtSm0wQVhIbFVnREJBMDNZIiwieSI6ImVFaFZ2ZzFKUHFOZDNEVFNhNG1HREdCbHdZNk5QLUVaYkxiTkZYU1h3SWcifX0sImV4cCI6MTc1MTU0NjU3Niwic3RhdHVzIjp7InN0YXR1c19hdHRlc3RhdGlvbiI6eyJjcmVkZW50aWFsX2hhc2hfYWxnIjoic2hhLTI1NiJ9fX0";
 
 const signature =
-  "guNNpF6KeKSowT6WCYvslgaPQbTRhwgqxTdJMPwsBOEkh6A9X2FvU8RMJoalhwXLHLo72bE4-HCvXO803I98JQ";
+  "qXHA2oqr8trX4fGxpxpUft2GX380TM3pzfo1MYAsDjUC8HsODA-4rdRWAvDe2zYP57x4tJU7eiABkd1Kmln9yQ";
 
 const signed = `${unsigned}.${signature}`;
 
 const tokenizedDisclosures = [
-  "WyItR0wxV1NiMnRWdTVTMDM4OXRFZW9nIiwiZ2l2ZW5fbmFtZSIsIk1BUklBIl0",
-  "WyJqSHYzdEFQNTNyRGxSbXVsdlo0Z2hBIiwiZmFtaWx5X25hbWUiLCJTUEVDSU1FTiJd",
-  "WyJiX3FtcnVBWTJkOEN5bk4yc0FPVm5nIiwidW5pcXVlX2lkIiwiaWRBTlBSIl0",
-  "WyJGajhqZ055bUVXYk9OdFpHeGV0SFh3IiwiYmlydGhfZGF0ZSIsIjE5OTUtMDEtMTgiXQ",
-  "WyI5aUs2UF9jY2UyY29QR1Q4b3d2TWxBIiwiYmlydGhfcGxhY2UiLCJST01BIl0",
-  "WyJucGVfcHJyUWxHT0hMU19pbS1pNmNnIiwibmF0aW9uYWxpdHkiLCJJVCJd",
-  "WyJrazlUVW9DQm9OZFd0VElpUWJValNBIiwidGF4X2lkX2NvZGUiLCJUSU5JVC1TUENNUkE5NUE1OEg1MDFUIl0",
-  "WyJjclNLNDlpaWpiZTdSbFFLSXlvcmlRIiwiaWF0IiwxNzQ3NzQ3MTI1XQ",
+  "WyJrSkRFUDhFYU5URU1CRE9aelp6VDR3IiwidW5pcXVlX2lkIiwiVElOSVQtTFZMREFBODVUNTBHNzAyQiJd",
+  "WyJ6SUF5VUZ2UGZJcEUxekJxeEk1aGFRIiwiYmlydGhfZGF0ZSIsIjE5ODUtMTItMTAiXQ",
+  "WyJHcjNSM3MyOTBPa1FVbS1ORlR1OTZBIiwidGF4X2lkX2NvZGUiLCJUSU5JVC1MVkxEQUE4NVQ1MEc3MDJCIl0",
+  "WyJHeE9SYWxNQWVsZlowZWRGSmpqWVV3IiwiZ2l2ZW5fbmFtZSIsIkFkYSJd",
+  "WyJfdlY1UklrbDBJT0VYS290czlrdDF3IiwiZmFtaWx5X25hbWUiLCJMb3ZlbGFjZSJd",
+  "WyJDajV0Y2NSNzJKd3J6ZTJUVzRhLXdnIiwiaWF0IiwxNzIwMDEwNTc1XQ",
 ];
 
 const sdJwt = {
   header: {
-    kid: "oLvG8qFxbYCdYEpF5WDxBUc35Lr5a80gamn6OyNiHTc",
+    kid: "-F_6Uga8n3VegjY2U7YUHK1zLoaD-NPTc63RMISnLaw",
     typ: "vc+sd-jwt",
     alg: "ES256",
   },
   payload: {
-    sub: "ZLbdJnwBmqBK6iRjfefusjr0Y1I5HMu1IeqryMbFz4g",
-    vct: "urn:eu.europa.ec.eudi:pid:1",
-    expiry_date: "2026-05-20",
-    iss: "https://api.potential-wallet-it-pid-provider.it",
     _sd: [
-      "43enOLCLRvxlx92LnPiLN11LGyHV2mOSrrdLkT_NmRA",
-      "GdsXb_K9dxyYlBwyBrYhIWUByRlWqFOHFUVgRwEfSv4",
-      "Ihh3PTWmc4fMLCQYAQl7iyj4XctplFNKEZP5mAOAZj8",
-      "MLtFKiUGsP8k1C17xXnVfXXwzhiPstzLxkgKZMtavuA",
-      "Y19Oo4S_V6Dv6QpeOpRR-lN2iFxrtG1vZEUz1JW-B7c",
-      "u-iX1wneKcksCzWzzTd9FoQ9QPch6XqKhAfC2DVrJOs",
-      "wQTDzXpVi6iUkMrQol4WiZJpfHlKahf-K-lXf18FYuc",
-      "xjg5MlJWp5jTimvXsivQRhLVqe8cSzadMZ60Hkk53js",
+      "0q1D5Jmav6pQaEh_J_Fcv_uNNMQIgCyhQOxqlY4l3qU",
+      "KCJ-AVNv88d-xj6sUIAOJxFnbUh3rHXDKkIH1lFqbRs",
+      "M9lo9YxDNIXrAq2qWeiCA40zpJ_zYfFdR_4AEALcRtU",
+      "czgjUk0nqRCswShChCjdS6A1-v47d_qTCSFIvIHhMoI",
+      "nGnQr7clm3tfTp8yjL_uHrDSOtzR2PVb8S7GeLdAqBQ",
+      "xNIVwlpSsaZ8CJSf0gz5x_75VRWWc6V1mlpejdCrqUs",
     ],
-    "vct#integrity":
-      "242302d97d38da2714a257f2a253bf2fa30aae5c109fe9581bfcda3b1d797c97",
-    issuing_country: "IT",
+    sub: "216f8946-9ecb-4819-9309-c076f34a7e11",
     _sd_alg: "sha-256",
-    issuing_authority: "Istituto Poligrafico e Zecca dello Stato",
+    vct: "PersonIdentificationData",
+    iss: "https://pre.eid.wallet.ipzs.it",
     cnf: {
       jwk: {
         kty: "EC",
         crv: "P-256",
-        kid: "M0PbvdYsjVgrmkWM1_aZY2NsbdL_vmrH287yO43LquY",
-        x: "_8pnIX6-tzXJAkCR6iavsCQPtinYbFIxr74F-6rTz2U",
-        y: "RLxNwtr1g8Hrb5NShj1GbMWgHoQ-C70BOz4-SydDhFg",
+        kid: "Rv3W-EiKpvBTyk5yZxvrev-7MDB6SlzUCBo_CQjjddU",
+        x: "0Wox7QtyPqByg35MH_XyCcnd5Le-Jm0AXHlUgDBA03Y",
+        y: "eEhVvg1JPqNd3DTSa4mGDGBlwY6NP-EZbLbNFXSXwIg",
       },
     },
-    exp: 1779283125,
-    iat: 1747747125,
-    verification: {
-      evidence: {
-        method: "cie",
-      },
-      trust_framework: "eidas",
-      assurance_level: "high",
-    },
+    exp: 1751546576,
     status: {
-      status_assertion: {
+      status_attestation: {
         credential_hash_alg: "sha-256",
       },
     },
@@ -88,14 +71,12 @@ const sdJwt = {
 
 // In the very same order than tokenizedDisclosures
 const disclosures = [
-  ["-GL1WSb2tVu5S0389tEeog", "given_name", "MARIA"],
-  ["jHv3tAP53rDlRmulvZ4ghA", "family_name", "SPECIMEN"],
-  ["b_qmruAY2d8CynN2sAOVng", "unique_id", "idANPR"],
-  ["Fj8jgNymEWbONtZGxetHXw", "birth_date", "1995-01-18"],
-  ["9iK6P_cce2coPGT8owvMlA", "birth_place", "ROMA"],
-  ["npe_prrQlGOHLS_im-i6cg", "nationality", "IT"],
-  ["kk9TUoCBoNdWtTIiQbUjSA", "tax_id_code", "TINIT-SPCMRA95A58H501T"],
-  ["crSK49iijbe7RlQKIyoriQ", "iat", 1747747125],
+  ["kJDEP8EaNTEMBDOZzZzT4w", "unique_id", "TINIT-LVLDAA85T50G702B"],
+  ["zIAyUFvPfIpE1zBqxI5haQ", "birth_date", "1985-12-10"],
+  ["Gr3R3s290OkQUm-NFTu96A", "tax_id_code", "TINIT-LVLDAA85T50G702B"],
+  ["GxORalMAelfZ0edFJjjYUw", "given_name", "Ada"],
+  ["_vV5RIkl0IOEXKots9kt1w", "family_name", "Lovelace"],
+  ["Cj5tccR72Jwrze2TW4a-wg", "iat", 1720010575],
 ];
 it("Ensures example data correctness", () => {
   expect(
@@ -149,10 +130,10 @@ describe("decode", () => {
 
 describe("disclose", () => {
   it("should encode a valid sdjwt (one claim)", async () => {
-    const result = await disclose(token, ["unique_id"]);
+    const result = await disclose(token, ["given_name"]);
     const expected = {
-      token: `${signed}~WyJiX3FtcnVBWTJkOEN5bk4yc0FPVm5nIiwidW5pcXVlX2lkIiwiaWRBTlBSIl0`,
-      paths: [{ claim: "unique_id", path: "verified_claims.claims._sd[7]" }],
+      token: `${signed}~WyJHeE9SYWxNQWVsZlowZWRGSmpqWVV3IiwiZ2l2ZW5fbmFtZSIsIkFkYSJd`,
+      paths: [{ claim: "given_name", path: "verified_claims.claims._sd[3]" }],
     };
 
     expect(result).toEqual(expected);
@@ -168,15 +149,15 @@ describe("disclose", () => {
   it("should encode a valid sdjwt (multiple claims)", async () => {
     const result = await disclose(token, ["iat", "family_name"]);
     const expected = {
-      token: `${signed}~WyJqSHYzdEFQNTNyRGxSbXVsdlo0Z2hBIiwiZmFtaWx5X25hbWUiLCJTUEVDSU1FTiJd~WyJjclNLNDlpaWpiZTdSbFFLSXlvcmlRIiwiaWF0IiwxNzQ3NzQ3MTI1XQ`,
+      token: `${signed}~WyJfdlY1UklrbDBJT0VYS290czlrdDF3IiwiZmFtaWx5X25hbWUiLCJMb3ZlbGFjZSJd~WyJDajV0Y2NSNzJKd3J6ZTJUVzRhLXdnIiwiaWF0IiwxNzIwMDEwNTc1XQ`,
       paths: [
         {
           claim: "iat",
-          path: "verified_claims.claims._sd[0]",
+          path: "verified_claims.claims._sd[4]",
         },
         {
           claim: "family_name",
-          path: "verified_claims.claims._sd[5]",
+          path: "verified_claims.claims._sd[0]",
         },
       ],
     };