@pagopa/io-react-native-wallet 1.7.1 → 2.0.0-next.1

package/src/utils/error-codes.ts

@@ -1,9 +1,21 @@
 export const IssuerResponseErrorCodes = {
   IssuerGenericError: "ERR_ISSUER_GENERIC_ERROR",
+  /**
+   * Error code thrown when a credential cannot be issued immediately because it follows the async flow.
+   */
+  CredentialIssuingNotSynchronous: "ERR_CREDENTIAL_ISSUING_NOT_SYNCHRONOUS",
   /**
    * Error code thrown when an error occurs while requesting a credential.
    */
   CredentialRequestFailed: "ERR_CREDENTIAL_REQUEST_FAILED",
+  /**
+   * Error code thrown when a credential status is invalid, either during issuance or when requesting a status attestation.
+   */
+  CredentialInvalidStatus: "ERR_CREDENTIAL_INVALID_STATUS",
+  /**
+   * Error code thrown when an error occurs while obtaining a status attestation for a credential.
+   */
+  StatusAttestationRequestFailed: "ERR_STATUS_ATTESTATION_REQUEST_FAILED",
 } as const;
 
 export const WalletProviderResponseErrorCodes = {
@@ -31,8 +43,19 @@ export const WalletProviderResponseErrorCodes = {
   WalletInstanceNotFound: "ERR_IO_WALLET_INSTANCE_NOT_FOUND",
 } as const;
 
+export const RelyingPartyResponseErrorCodes = {
+  RelyingPartyGenericError: "ERR_RP_GENERIC_ERROR",
+  /**
+   * An error code thrown then the Relying Party rejects the Wallet's Authorization Response.
+   */
+  InvalidAuthorizationResponse: "ERR_RP_INVALID_AUTHORIZATION_RESPONSE",
+} as const;
+
 export type IssuerResponseErrorCode =
   (typeof IssuerResponseErrorCodes)[keyof typeof IssuerResponseErrorCodes];
 
 export type WalletProviderResponseErrorCode =
   (typeof WalletProviderResponseErrorCodes)[keyof typeof WalletProviderResponseErrorCodes];
+
+export type RelyingPartyResponseErrorCode =
+  (typeof RelyingPartyResponseErrorCodes)[keyof typeof RelyingPartyResponseErrorCodes];

package/src/utils/errors.ts

@@ -1,12 +1,19 @@
 import type { ProblemDetail } from "../client/generated/wallet-provider";
+import type { CredentialIssuerEntityConfiguration } from "../trust";
 import {
   IssuerResponseErrorCodes,
   WalletProviderResponseErrorCodes,
+  RelyingPartyResponseErrorCodes,
   type IssuerResponseErrorCode,
   type WalletProviderResponseErrorCode,
+  type RelyingPartyResponseErrorCode,
 } from "./error-codes";
 
-export { IssuerResponseErrorCodes, WalletProviderResponseErrorCodes };
+export {
+  IssuerResponseErrorCodes,
+  WalletProviderResponseErrorCodes,
+  RelyingPartyResponseErrorCodes,
+};
 
 // An error reason that supports both a string and a generic JSON object
 type GenericErrorReason = string | Record<string, unknown>;
@@ -109,8 +116,6 @@ export class UnexpectedStatusCodeError extends IoWalletError {
 /**
  * An error subclass thrown when an Issuer HTTP request fails.
  * The specific error can be found in the `code` property.
- *
- * The class is generic over the error code to narrow down the reason.
  */
 export class IssuerResponseError extends UnexpectedStatusCodeError {
   code: IssuerResponseErrorCode;
@@ -148,6 +153,117 @@ export class WalletProviderResponseError extends UnexpectedStatusCodeError {
   }
 }
 
+/**
+ * An error subclass thrown when a Relying Party HTTP request fails.
+ * The specific error can be found in the `code` property.
+ */
+export class RelyingPartyResponseError extends UnexpectedStatusCodeError {
+  code: RelyingPartyResponseErrorCode;
+
+  constructor(params: {
+    code?: RelyingPartyResponseErrorCode;
+    message: string;
+    reason: GenericErrorReason;
+    statusCode: number;
+  }) {
+    super(params);
+    this.code =
+      params.code ?? RelyingPartyResponseErrorCodes.RelyingPartyGenericError;
+  }
+}
+
+type LocalizedIssuanceError = {
+  [locale: string]: {
+    title: string;
+    description: string;
+  };
+};
+
+/**
+ * Function to extract the error message from the Entity Configuration's supported error codes.
+ * @param errorCode The error code to map to a meaningful message
+ * @param issuerConf The entity configuration for credentials
+ * @param credentialType The type of credential the error belongs to
+ * @returns A localized error {@link LocalizedIssuanceError} or undefined
+ * @throws {IoWalletError} When no credential config is found
+ */
+export function extractErrorMessageFromIssuerConf(
+  errorCode: string,
+  {
+    issuerConf,
+    credentialType,
+  }: {
+    issuerConf: CredentialIssuerEntityConfiguration["payload"]["metadata"];
+    credentialType: string;
+  }
+): LocalizedIssuanceError | undefined {
+  const credentialConfiguration =
+    issuerConf.openid_credential_issuer.credential_configurations_supported[
+      credentialType
+    ];
+
+  if (!credentialConfiguration) {
+    throw new IoWalletError(
+      `No configuration found for ${credentialType} in the provided EC`
+    );
+  }
+
+  const { issuance_errors_supported } = credentialConfiguration;
+
+  if (!issuance_errors_supported?.[errorCode]) {
+    return undefined;
+  }
+
+  const localesList = issuance_errors_supported[errorCode]!.display;
+
+  return localesList.reduce(
+    (acc, { locale, ...rest }) => ({ ...acc, [locale]: rest }),
+    {} as LocalizedIssuanceError
+  );
+}
+
+/**
+ * Factory function to create a type guard for specific error classes.
+ *
+ * @param errorClass The error class to create the type guard for
+ * @returns A type guard that checks if the error is an instance of the given class and has the expected code
+ */
+const makeErrorTypeGuard =
+  <T extends typeof UnexpectedStatusCodeError>(ErrorClass: T) =>
+  (error: unknown, code?: ExtractErrorCode<T>): error is InstanceType<T> =>
+    error instanceof ErrorClass && error.code === (code ?? error.code);
+
+export const isIssuerResponseError = makeErrorTypeGuard(IssuerResponseError);
+export const isWalletProviderResponseError = makeErrorTypeGuard(
+  WalletProviderResponseError
+);
+export const isRelyingPartyResponseError = makeErrorTypeGuard(
+  RelyingPartyResponseError
+);
+
+// Mapping type between error classes and their allowed codes
+type ErrorCodeMap =
+  | {
+      type: typeof IssuerResponseError;
+      code: IssuerResponseErrorCode;
+    }
+  | {
+      type: typeof WalletProviderResponseError;
+      code: WalletProviderResponseErrorCode;
+    }
+  | {
+      type: typeof RelyingPartyResponseError;
+      code: RelyingPartyResponseErrorCode;
+    };
+
+type ExtractErrorCode<T> = Extract<ErrorCodeMap, { type: T }>["code"];
+
+type ErrorCase<T> = {
+  code: ExtractErrorCode<T>;
+  message: string;
+  reason?: GenericErrorReason;
+};
+
 /**
  * Builder class used to create specialized errors from type {@link UnexpectedStatusCodeError} that handles multiple status codes.
  *
@@ -185,15 +301,3 @@ export class ResponseErrorBuilder<T extends typeof UnexpectedStatusCodeError> {
     return originalError;
   }
 }
-
-type ErrorCodeMap<T> = T extends typeof IssuerResponseError
-  ? IssuerResponseErrorCode
-  : T extends typeof WalletProviderResponseError
-    ? WalletProviderResponseErrorCode
-    : never;
-
-type ErrorCase<T> = {
-  code: ErrorCodeMap<T>;
-  message: string;
-  reason?: GenericErrorReason;
-};

package/src/utils/logging.ts

@@ -0,0 +1,68 @@
+/**
+ * Logger interface which can be provided to the Logger class as a custom implementation.
+ */
+export interface LoggingContext {
+  logDebug: (msg: string) => void;
+  logInfo: (msg: string) => void;
+  logWarn: (msg: string) => void;
+  logError: (msg: string) => void;
+}
+
+/**
+ * Supported debug levels.
+ */
+export enum LogLevel {
+  DEBUG,
+  INFO,
+  WARN,
+  ERROR,
+}
+
+/**
+ * Logger singleton class which provides a simple logging interface with an init function to set the logging context and
+ * a static log function to log messages based on the debug level.
+ * This can be used as follows:
+ * const logger = Logger.getInstance();
+ * logger.initLogging(yourLoggingContext);
+ * logger.log(LogLevel.DEBUG, "Debug message");
+ */
+export class Logger {
+  private static instance: Logger | null = null;
+  private static loggingContext?: LoggingContext;
+
+  // Private constructor to prevent direct instantiation
+  private constructor() {}
+
+  // Public static method to get the Logger instance
+  public static getInstance(): Logger {
+    if (Logger.instance === null) {
+      Logger.instance = new Logger();
+    }
+    return Logger.instance;
+  }
+
+  // Method to initialize the logging context
+  public initLogging(loggingCtx: LoggingContext): void {
+    Logger.loggingContext = loggingCtx;
+  }
+
+  // Method to log based on the level which wraps the null check for the logging context
+  public static log(level: LogLevel, msg: string): void {
+    if (Logger.loggingContext) {
+      switch (level) {
+        case LogLevel.DEBUG:
+          Logger.loggingContext.logDebug(msg);
+          break;
+        case LogLevel.INFO:
+          Logger.loggingContext.logInfo(msg);
+          break;
+        case LogLevel.WARN:
+          Logger.loggingContext.logWarn(msg);
+          break;
+        case LogLevel.ERROR:
+          Logger.loggingContext.logError(msg);
+          break;
+      }
+    }
+  }
+}

package/src/utils/misc.ts

@@ -1,5 +1,6 @@
 import { IoWalletError, UnexpectedStatusCodeError } from "./errors";
 import { sha256 } from "js-sha256";
+import { LogLevel, Logger } from "./logging";
 
 /**
  * Check if a response is in the expected status, otherwise throw an error
@@ -13,6 +14,10 @@ export const hasStatusOrThrow =
   async (res: Response): Promise<Response> => {
     if (res.status !== status) {
       const ErrorClass = customError ?? UnexpectedStatusCodeError;
+      Logger.log(
+        LogLevel.ERROR,
+        `Http request failed. Expected ${status}, got ${res.status}, url: ${res.url}`
+      );
       throw new ErrorClass({
         message: `Http request failed. Expected ${status}, got ${res.status}, url: ${res.url}`,
         statusCode: res.status,

package/src/utils/par.ts

@@ -3,16 +3,18 @@ import {
   type CryptoContext,
   SignJWT,
 } from "@pagopa/io-react-native-jwt";
-import uuid from "react-native-uuid";
+import { v4 as uuidv4 } from "uuid";
 import * as z from "zod";
 import * as WalletInstanceAttestation from "../wallet-instance-attestation";
 import { generateRandomAlphaNumericString, hasStatusOrThrow } from "./misc";
 import { createPopToken } from "./pop";
 import { IssuerResponseError } from "./errors";
+import { LogLevel, Logger } from "./logging";
 
 export type AuthorizationDetail = z.infer<typeof AuthorizationDetail>;
 export const AuthorizationDetail = z.object({
   credential_configuration_id: z.string(),
+  format: z.union([z.literal("vc+sd-jwt"), z.literal("vc+mdoc-cbor")]),
   type: z.literal("openid_credential"),
 });
 
@@ -37,7 +39,8 @@ export const makeParRequest =
     responseMode: string,
     parEndpoint: string,
     walletInstanceAttestation: string,
-    authorizationDetails: AuthorizationDetails
+    authorizationDetails: AuthorizationDetails,
+    assertionType: string
   ): Promise<string> => {
     const wiaPublicKey = await wiaCryptoContext.getPublicKey();
 
@@ -49,7 +52,7 @@ export const makeParRequest =
 
     const signedWiaPoP = await createPopToken(
       {
-        jti: `${uuid.v4()}`,
+        jti: `${uuidv4()}`,
         aud,
         iss,
       },
@@ -72,7 +75,7 @@ export const makeParRequest =
         kid: wiaPublicKey.kid,
       })
       .setPayload({
-        jti: `${uuid.v4()}`,
+        jti: `${uuidv4()}`,
         aud,
         response_type: "code",
         response_mode: responseMode,
@@ -83,6 +86,8 @@ export const makeParRequest =
         code_challenge_method: codeChallengeMethod,
         authorization_details: authorizationDetails,
         redirect_uri: redirectUri,
+        client_assertion_type: assertionType,
+        client_assertion: walletInstanceAttestation + "~" + signedWiaPoP,
       })
       .setIssuedAt() //iat is set to now
       .setExpirationTime("5min")
@@ -90,16 +95,24 @@ export const makeParRequest =
 
     /** The request body for the Pushed Authorization Request */
     var formBody = new URLSearchParams({
+      response_type: "code",
       client_id: clientId,
+      code_challenge: codeChallenge,
+      code_challenge_method: "S256",
       request: signedJwtForPar,
+      client_assertion_type: assertionType,
+      client_assertion: walletInstanceAttestation + "~" + signedWiaPoP,
     });
 
+    Logger.log(
+      LogLevel.DEBUG,
+      `Sending to PAR endpoint ${parEndpoint}: ${formBody}`
+    );
+
     return await appFetch(parEndpoint, {
       method: "POST",
       headers: {
         "Content-Type": "application/x-www-form-urlencoded",
-        "OAuth-Client-Attestation": walletInstanceAttestation,
-        "OAuth-Client-Attestation-PoP": signedWiaPoP,
       },
       body: formBody.toString(),
     })

package/src/utils/string.ts

@@ -43,13 +43,3 @@ export const obfuscateString = (
 
   return chars.join("");
 };
-
-/**
- * Converts a base64 string to a Base64 URL-encoded string.
- *
- * @param byteString - The input string in base64 format.
- * @returns The Base64 URL-encoded string.
- */
-export const base64ToBase64Url = (base64: string): string => {
-  return base64.replace(/\+/g, "-").replace(/\//g, "_").replace(/[=]+$/, "");
-};

package/src/wallet-instance/index.ts

@@ -6,6 +6,7 @@ import {
 } from "../utils/errors";
 import type { WalletInstanceData } from "../client/generated/wallet-provider";
 import type { IntegrityContext } from "..";
+import { LogLevel, Logger } from "../utils/logging";
 
 export async function createWalletInstance(context: {
   integrityContext: IntegrityContext;
@@ -13,15 +14,25 @@ export async function createWalletInstance(context: {
   appFetch?: GlobalFetch["fetch"];
 }) {
   const { integrityContext } = context;
-
   const api = getWalletProviderClient(context);
 
   //1. Obtain nonce
   const challenge = await api.get("/nonce").then((response) => response.nonce);
 
+  Logger.log(
+    LogLevel.DEBUG,
+    `Challenge obtained from ${context.walletProviderBaseUrl}: ${challenge}`
+  );
+
   const keyAttestation = await integrityContext.getAttestation(challenge);
+
   const hardwareKeyTag = integrityContext.getHardwareKeyTag();
 
+  Logger.log(
+    LogLevel.DEBUG,
+    `Key attestation: ${keyAttestation}\nAssociated hardware key tag: ${hardwareKeyTag}`
+  );
+
   //2. Create Wallet Instance
   await api
     .post("/wallet-instances", {
@@ -37,6 +48,11 @@ export async function createWalletInstance(context: {
 }
 
 const handleCreateWalletInstanceError = (e: unknown) => {
+  Logger.log(
+    LogLevel.ERROR,
+    `An error occurred while calling /wallet-instances endpoint: ${e}`
+  );
+
   if (!(e instanceof WalletProviderResponseError)) {
     throw e;
   }
@@ -87,3 +103,16 @@ export async function getWalletInstanceStatus(context: {
     path: { id: context.id },
   });
 }
+
+/**
+ * Get the status of the current Wallet Instance.
+ * @returns Details on the status of the current Wallet Instance
+ */
+export async function getCurrentWalletInstanceStatus(context: {
+  walletProviderBaseUrl: string;
+  appFetch?: GlobalFetch["fetch"];
+}): Promise<WalletInstanceData> {
+  const api = getWalletProviderClient(context);
+
+  return api.get("/wallet-instances/current/status");
+}

package/src/wallet-instance-attestation/README.md

@@ -1,7 +1,11 @@
 # Wallet Instance Attestation
 
-This flow consists of a single step and is used to obtain a Wallet Instance Attestation. The wallet provider must implement its endpoints based on the OpenAPI specification provided in the [wallet-instance.yaml](../../openapi/wallet-provider.yaml) file.
-In order to require a status attestation the consumer application must provide:
+This flow consists of a single step and is used to obtain a Wallet Instance Attestation. The attestation is issued in multiple formats:
+- `jwt`
+- `dc+sd-jwt`
+- `mso_mdoc`
+
+The wallet provider must implement its endpoints based on the OpenAPI specification provided in the [wallet-instance.yaml](../../openapi/wallet-provider.yaml) file. In order to require a status attestation the consumer application must provide:
 
 - `wiaCryptoContext` object that is used to sign the attestation request. The key must be generated before creating the crypto context;
 - `integrityContext` object that is used to verify the integrity of the device where the app is running. The key tag must be the same used when creating the Wallet Instance;
@@ -29,10 +33,11 @@ const issuedAttestation = await WalletInstanceAttestation.getAttestation({
   walletProviderBaseUrl: WALLET_PROVIDER_BASE_URL,
   appFetch,
 });
+// [{ "format": "jwt", "wallet_attestation": "ey..." }, { "format": "dc+sd-jwt", "wallet_attestation": "ey..." }]
 return issuedAttestation;
 ```
 
-The returned `issuedAttestation` is supposed to be stored and used for any future operation that requires a Wallet Instance Attestation. The wallet attestation has a limited validity and must be regenerated when it expires.
+The returned `issuedAttestation` is supposed to be stored and used for any future operation that requires a Wallet Instance Attestation in one of the available formats. The wallet attestation has a limited validity and must be regenerated when it expires.
 
 ## Mapped results
 

package/src/wallet-instance-attestation/index.ts

@@ -2,8 +2,8 @@ import { WalletInstanceAttestationJwt } from "./types";
 import { decode as decodeJwt } from "@pagopa/io-react-native-jwt";
 import { verify as verifyJwt } from "@pagopa/io-react-native-jwt";
 
-import { getAttestation } from "./issuing";
-export { getAttestation };
+export { getAttestation } from "./issuing";
+
 /**
  * Decode a given JWT to get the parsed Wallet Instance Attestation object they define.
  * It ensures provided data is in a valid shape.

package/src/wallet-instance-attestation/issuing.ts

@@ -5,13 +5,14 @@ import {
 } from "@pagopa/io-react-native-jwt";
 import { fixBase64EncodingOnKey, JWK } from "../utils/jwk";
 import { getWalletProviderClient } from "../client";
-import type { IntegrityContext } from "..";
+import type { IntegrityContext } from "../utils/integrity";
+import { LogLevel, Logger } from "../utils/logging";
 import {
   ResponseErrorBuilder,
   WalletProviderResponseError,
   WalletProviderResponseErrorCodes,
 } from "../utils/errors";
-import { TokenResponse } from "./types";
+import { WalletAttestationResponse } from "./types";
 
 /**
  * Getter for an attestation request. The attestation request is a JWT that will be sent to the Wallet Provider to request a Wallet Instance Attestation.
@@ -47,8 +48,8 @@ export async function getAttestationRequest(
   return new SignJWT(wiaCryptoContext)
     .setPayload({
       iss: keyThumbprint,
-      sub: walletProviderBaseUrl,
-      challenge,
+      aud: walletProviderBaseUrl,
+      nonce: challenge,
       hardware_signature: signature,
       integrity_assertion: authenticatorData,
       hardware_key_tag: hardwareKeyTag,
@@ -58,7 +59,7 @@ export async function getAttestationRequest(
     })
     .setProtectedHeader({
       kid: publicKey.kid,
-      typ: "war+jwt",
+      typ: "wp-war+jwt",
     })
     .setIssuedAt()
     .setExpirationTime("1h")
@@ -67,6 +68,7 @@ export async function getAttestationRequest(
 
 /**
  * Request a Wallet Instance Attestation (WIA) to the Wallet provider
+ * @version 1.0.0
  *
  * @param params.wiaCryptoContext The key pair associated with the WIA. Will be use to prove the ownership of the attestation.
  * @param params.appFetch (optional) Http client
@@ -84,7 +86,7 @@ export const getAttestation = async ({
   integrityContext: IntegrityContext;
   walletProviderBaseUrl: string;
   appFetch?: GlobalFetch["fetch"];
-}): Promise<string> => {
+}): Promise<WalletAttestationResponse["wallet_attestations"]> => {
   const api = getWalletProviderClient({
     walletProviderBaseUrl,
     appFetch,
@@ -92,6 +94,10 @@ export const getAttestation = async ({
 
   // 1. Get nonce from backend
   const challenge = await api.get("/nonce").then((response) => response.nonce);
+  Logger.log(
+    LogLevel.DEBUG,
+    `Challenge obtained from ${walletProviderBaseUrl}: ${challenge} `
+  );
 
   // 2. Get a signed attestation request
   const signedAttestationRequest = await getAttestationRequest(
@@ -100,22 +106,37 @@ export const getAttestation = async ({
     integrityContext,
     walletProviderBaseUrl
   );
+  Logger.log(
+    LogLevel.DEBUG,
+    `Signed attestation request: ${signedAttestationRequest}`
+  );
 
-  // 3. Request WIA
-  const tokenResponse = await api
-    .post("/token", {
+  // 3. Request WIA in multiple formats
+  const response = await api
+    .post("/wallet-attestations", {
       body: {
-        grant_type: "urn:ietf:params:oauth:grant-type:jwt-bearer",
         assertion: signedAttestationRequest,
       },
     })
-    .then((result) => TokenResponse.parse(result))
+    .then(WalletAttestationResponse.parse)
     .catch(handleAttestationCreationError);
 
-  return tokenResponse.wallet_attestation;
+  for (const attestation of response.wallet_attestations) {
+    Logger.log(
+      LogLevel.DEBUG,
+      `Obtained wallet attestation in ${attestation.format} format: ${attestation.wallet_attestation}`
+    );
+  }
+
+  return response.wallet_attestations;
 };
 
 const handleAttestationCreationError = (e: unknown) => {
+  Logger.log(
+    LogLevel.ERROR,
+    `An error occurred while calling /wallet-attestation endpoint: ${e}`
+  );
+
   if (!(e instanceof WalletProviderResponseError)) {
     throw e;
   }

package/src/wallet-instance-attestation/types.ts

@@ -33,15 +33,17 @@ export const WalletInstanceAttestationRequestJwt = z.object({
   header: z.intersection(
     Jwt.shape.header,
     z.object({
-      typ: z.literal("war+jwt"),
+      typ: z.literal("wp-war+jwt"),
     })
   ),
   payload: z.intersection(
     Jwt.shape.payload,
     z.object({
       aud: z.string(),
-      jti: z.string(),
       nonce: z.string(),
+      hardware_signature: z.string(),
+      integrity_assertion: z.string(),
+      hardware_key_tag: z.string(),
     })
   ),
 });
@@ -53,7 +55,8 @@ export const WalletInstanceAttestationJwt = z.object({
   header: z.intersection(
     Jwt.shape.header,
     z.object({
-      typ: z.literal("wallet-attestation+jwt"),
+      typ: z.literal("oauth-client-attestation+jwt"),
+      trust_chain: z.array(z.string()),
     })
   ),
   payload: z.intersection(
@@ -61,27 +64,20 @@ export const WalletInstanceAttestationJwt = z.object({
     z.object({
       sub: z.string(),
       aal: z.string(),
-      authorization_endpoint: z.string(),
-      response_types_supported: z.array(z.string()),
-      vp_formats_supported: z.object({
-        "vc+sd-jwt": z
-          .object({
-            "sd-jwt_alg_values": z.array(z.string()),
-          })
-          .optional(),
-        "vp+sd-jwt": z
-          .object({
-            "sd-jwt_alg_values": z.array(z.string()),
-          })
-          .optional(),
-      }),
-      request_object_signing_alg_values_supported: z.array(z.string()),
-      presentation_definition_uri_supported: z.boolean(),
+      wallet_link: z.string().optional(),
+      wallet_name: z.string().optional(),
     })
   ),
 });
 
-export type TokenResponse = z.infer<typeof TokenResponse>;
-export const TokenResponse = z.object({
-  wallet_attestation: z.string(),
+export type WalletAttestationResponse = z.infer<
+  typeof WalletAttestationResponse
+>;
+export const WalletAttestationResponse = z.object({
+  wallet_attestations: z.array(
+    z.object({
+      wallet_attestation: z.string(),
+      format: z.enum(["jwt", "dc+sd-jwt", "mso_mdoc"]),
+    })
+  ),
 });