npm - @pagopa/io-react-native-wallet - Versions diffs - 2.0.0-next.2 → 2.0.0-next.3 - Mend

@pagopa/io-react-native-wallet 2.0.0-next.2 → 2.0.0-next.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (122) hide show

package/src/credential/issuance/07-verify-and-parse-credential.ts CHANGED Viewed

@@ -9,10 +9,14 @@ import type { JWK } from "../../utils/jwk";
 import type { ObtainCredential } from "./06-obtain-credential";
 import { LogLevel, Logger } from "../../utils/logging";
+type IssuerConf = Out<EvaluateIssuerTrust>["issuerConf"];
+type CredentialConf =
+  IssuerConf["openid_credential_issuer"]["credential_configurations_supported"][string];
 export type VerifyAndParseCredential = (
-  issuerConf: Out<EvaluateIssuerTrust>["issuerConf"],
+  issuerConf: IssuerConf,
   credential: Out<ObtainCredential>["credential"],
-  format: Out<ObtainCredential>["format"],
+  credentialConfigurationId: string,
   context: {
     credentialCryptoContext: CryptoContext;
     /**
@@ -54,54 +58,35 @@ type DecodedSdJwtCredential = Out<typeof verifySdJwt> & {
 };
 const parseCredentialSdJwt = (
-  // the list of supported credentials, as defined in the issuer configuration
-  credentials_supported: Out<EvaluateIssuerTrust>["issuerConf"]["openid_credential_issuer"]["credential_configurations_supported"],
+  // The credential configuration to use to parse the provided credential
+  credentialConfig: CredentialConf,
   { sdJwt, disclosures }: DecodedSdJwtCredential,
   ignoreMissingAttributes: boolean = false,
   includeUndefinedAttributes: boolean = false
 ): ParsedCredential => {
-  const credentialSubject = credentials_supported[sdJwt.payload.vct];
-  if (!credentialSubject) {
-    Logger.log(
-      LogLevel.ERROR,
-      `Credential type not supported by the issuer: ${sdJwt.payload.vct}`
-    );
-    throw new IoWalletError("Credential type not supported by the issuer");
+  if (credentialConfig.format !== sdJwt.header.typ) {
+    const message = `Received credential is of an unknwown type. Expected one of [${credentialConfig.format}], received '${sdJwt.header.typ}'`;
+    Logger.log(LogLevel.ERROR, message);
+    throw new IoWalletError(message);
   }
-  if (credentialSubject.format !== sdJwt.header.typ) {
-    Logger.log(
-      LogLevel.ERROR,
-      `Received credential is of an unknwown type. Expected one of [${credentialSubject.format}], received '${sdJwt.header.typ}'`
-    );
-    throw new IoWalletError(
-      `Received credential is of an unknwown type. Expected one of [${credentialSubject.format}], received '${sdJwt.header.typ}', `
-    );
-  }
-  // transfrom a record { key: value } in an iterable of pairs [key, value]
-  if (!credentialSubject.claims) {
+  if (!credentialConfig.claims) {
     Logger.log(LogLevel.ERROR, "Missing claims in the credential subject");
     throw new IoWalletError("Missing claims in the credential subject"); // TODO [SIW-1268]: should not be optional
   }
-  const attrDefinitions = Object.entries(credentialSubject.claims);
+  const attrDefinitions = credentialConfig.claims;
   // the key of the attribute defintion must match the disclosure's name
   const attrsNotInDisclosures = attrDefinitions.filter(
-    ([attrKey]) => !disclosures.some(([, name]) => name === attrKey)
+    (definition) => !disclosures.some(([, name]) => name === definition.path[0]) // Ignore nested paths for now, see https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0-15.html#name-claims-path-pointer
   );
   if (attrsNotInDisclosures.length > 0) {
-    const missing = attrsNotInDisclosures.map((_) => _[0 /* key */]).join(", ");
+    const missing = attrsNotInDisclosures.map((_) => _.path[0]).join(", ");
     const received = disclosures.map((_) => _[1 /* name */]).join(", ");
     if (!ignoreMissingAttributes) {
-      Logger.log(
-        LogLevel.ERROR,
-        `Some attributes are missing in the credential. Missing: [${missing}], received: [${received}]`
-      );
-      throw new IoWalletError(
-        `Some attributes are missing in the credential. Missing: [${missing}], received: [${received}]`
-      );
+      const message = `Some attributes are missing in the credential. Missing: [${missing}], received: [${received}]`;
+      Logger.log(LogLevel.ERROR, message);
+      throw new IoWalletError(message);
     }
   }
@@ -111,13 +96,13 @@ const parseCredentialSdJwt = (
     attrDefinitions
       // retrieve the value from the disclosure set
       .map(
-        ([attrKey, definition]) =>
+        ({ path, ...definition }) =>
           [
-            attrKey,
+            path[0],
             {
               ...definition,
               value: disclosures.find(
-                (_) => _[1 /* name */] === attrKey
+                (_) => _[1 /* name */] === path[0]
               )?.[2 /* value */],
             },
           ] as const
@@ -186,30 +171,18 @@ async function verifyCredentialSdJwt(
   const { cnf } = decodedCredential.sdJwt.payload;
   if (!cnf.jwk.kid || cnf.jwk.kid !== holderBindingKey.kid) {
-    Logger.log(
-      LogLevel.ERROR,
-      `Failed to verify holder binding, expected kid: ${holderBindingKey.kid}, got: ${decodedCredential.sdJwt.payload.cnf.jwk.kid}`
-    );
-    throw new IoWalletError(
-      `Failed to verify holder binding, expected kid: ${holderBindingKey.kid}, got: ${decodedCredential.sdJwt.payload.cnf.jwk.kid}`
-    );
+    const message = `Failed to verify holder binding, expected kid: ${holderBindingKey.kid}, got: ${decodedCredential.sdJwt.payload.cnf.jwk.kid}`;
+    Logger.log(LogLevel.ERROR, message);
+    throw new IoWalletError(message);
   }
   return decodedCredential;
 }
-// utility type that specialize VerifyAndParseCredential for given format
-type WithFormat<Format extends Parameters<VerifyAndParseCredential>[2]> = (
-  _0: Parameters<VerifyAndParseCredential>[0],
-  _1: Parameters<VerifyAndParseCredential>[1],
-  _2: Format,
-  _3: Parameters<VerifyAndParseCredential>[3]
-) => ReturnType<VerifyAndParseCredential>;
-const verifyAndParseCredentialSdJwt: WithFormat<"vc+sd-jwt"> = async (
+const verifyAndParseCredentialSdJwt: VerifyAndParseCredential = async (
   issuerConf,
   credential,
-  _,
+  credentialConfigurationId,
   {
     credentialCryptoContext,
     ignoreMissingAttributes,
@@ -224,8 +197,21 @@ const verifyAndParseCredentialSdJwt: WithFormat<"vc+sd-jwt"> = async (
   Logger.log(LogLevel.DEBUG, `Decoded credential: ${JSON.stringify(decoded)}`);
+  const credentialConfig =
+    issuerConf.openid_credential_issuer.credential_configurations_supported[
+      credentialConfigurationId
+    ];
+  if (!credentialConfig) {
+    Logger.log(
+      LogLevel.ERROR,
+      `Credential type not supported by the issuer: ${credentialConfigurationId}`
+    );
+    throw new IoWalletError("Credential type not supported by the issuer");
+  }
   const parsedCredential = parseCredentialSdJwt(
-    issuerConf.openid_credential_issuer.credential_configurations_supported,
+    credentialConfig,
     decoded,
     ignoreMissingAttributes,
     includeUndefinedAttributes
@@ -251,7 +237,7 @@ const verifyAndParseCredentialSdJwt: WithFormat<"vc+sd-jwt"> = async (
  * Verify and parse an encoded credential.
  * @param issuerConf The Issuer configuration returned by {@link evaluateIssuerTrust}
  * @param credential The encoded credential returned by {@link obtainCredential}
- * @param format The format of the credentual returned by {@link obtainCredential}
+ * @param credentialConfigurationId The credential configuration ID that defines the provided credential
  * @param context.credentialCryptoContext The crypto context used to obtain the credential in {@link obtainCredential}
  * @param context.ignoreMissingAttributes Skip error when attributes declared in the issuer configuration are not found within disclosures
  * @param context.includeUndefinedAttributes Include attributes not explicitly declared in the issuer configuration
@@ -263,19 +249,25 @@ const verifyAndParseCredentialSdJwt: WithFormat<"vc+sd-jwt"> = async (
 export const verifyAndParseCredential: VerifyAndParseCredential = async (
   issuerConf,
   credential,
-  format,
+  credentialConfigurationId,
   context
 ) => {
-  if (format === "vc+sd-jwt") {
-    Logger.log(LogLevel.DEBUG, "Parsing credential in vc+sd-jwt format");
+  const format =
+    issuerConf.openid_credential_issuer.credential_configurations_supported[
+      credentialConfigurationId
+    ]?.format;
+  if (format === "dc+sd-jwt") {
+    Logger.log(LogLevel.DEBUG, "Parsing credential in dc+sd-jwt format");
     return verifyAndParseCredentialSdJwt(
       issuerConf,
       credential,
-      format,
+      credentialConfigurationId,
       context
     );
   }
-  Logger.log(LogLevel.ERROR, `Unsupported credential format: ${format}`);
-  throw new IoWalletError(`Unsupported credential format: ${format}`);
+  const message = `Unsupported credential format: ${format}`;
+  Logger.log(LogLevel.ERROR, message);
+  throw new IoWalletError(message);
 };

package/src/credential/issuance/README.md CHANGED Viewed

@@ -6,7 +6,7 @@ There's a fork in the flow which is based on the type of the credential that is
 This is due to the fact that eID credentials require a different authorization flow than other credentials, which is accomplished by a strong authentication method like SPID or CIE.
 Credentials instead require a simpler authorization flow and they require other credentials to be presented in order to be issued.
-The supported credentials are defined in the entity configuration of the issuer which is evaluted and parsed in the `evaluateIssuerTrust` step.
+The supported credentials are defined in the entity configuration of the issuer which is evaluted and parsed in the `evaluateIssuerTrust` step. Available credentials are identified with a unique `credential_configuration_id`, that must be used when requesting authorization. The Authorization Server returns an array of **credential identifiers** that map to the `credential_configuration_id` provided: to obtain the credential, one of the credential identifiers (or all of them) must be requested to the credential endpoint.
 ## Sequence Diagram
@@ -72,6 +72,8 @@ The expected result from the authentication process is in `form_post.jwt` format
   <summary>Credential issuance flow</summary>
 ```ts
+// TODO: [SIW-2209] update documentation in PR #219
 // Retrieve the integrity key tag from the store and create its context
 const integrityKeyTag = "example"; // Let's assume this is the key tag used to create the wallet instance
 const integrityContext = getIntegrityContext(integrityKeyTag);
@@ -251,11 +253,10 @@ const credentialCryptoContext = createCryptoContextFor(credentialKeyTag);
 // Start the issuance flow
 const startFlow: Credential.Issuance.StartFlow = () => ({
   issuerUrl: WALLET_EID_PROVIDER_BASE_URL,
-  credentialType: "PersonIdentificationData",
-  appFetch,
+  credentialId: "dc_sd_jwt_PersonIdentificationData",
 });
-const { issuerUrl } = startFlow();
+const { issuerUrl, credentialId } = startFlow();
 // Evaluate issuer trust
 const { issuerConf } = await Credential.Issuance.evaluateIssuerTrust(
@@ -265,12 +266,16 @@ const { issuerConf } = await Credential.Issuance.evaluateIssuerTrust(
 // Start user authorization
 const { issuerRequestUri, clientId, codeVerifier, credentialDefinition } =
-  await Credential.Issuance.startUserAuthorization(issuerConf, credentialType, {
-    walletInstanceAttestation,
-    redirectUri,
-    wiaCryptoContext,
-    appFetch,
-  });
+  await Credential.Issuance.startUserAuthorization(
+    issuerConf,
+    [credentialId], // Request authorization for one or more credentials
+    {
+      walletInstanceAttestation,
+      redirectUri,
+      wiaCryptoContext,
+      appFetch,
+    }
+  );
 // Complete the authorization process with query mode with the authorizationContext which opens the browser
 const { code } =
@@ -301,12 +306,27 @@ const { accessToken } = await Credential.Issuance.authorizeAccess(
   }
 );
+const [pidCredentialDefinition] = credentialDefinition;
+// Extract the credential_identifier(s) from the access token
+// For each one of them, a credential can be obtained by calling `obtainCredential`
+const { credential_configuration_id, credential_identifiers } =
+    accessToken.authorization_details.find(
+      (authDetails) =>
+        authDetails.credential_configuration_id ===
+        pidCredentialDefinition.credential_configuration_id
+    );
 // Obtain che eID credential
 const { credential, format } = await Credential.Issuance.obtainCredential(
   issuerConf,
   accessToken,
   clientId,
-  credentialDefinition,
+  {
+    credential_configuration_id,
+    credential_identifier: credential_identifiers.at(0),
+  },
   {
     credentialCryptoContext,
     dPopCryptoContext,
@@ -318,15 +338,16 @@ const { credential, format } = await Credential.Issuance.obtainCredential(
 const { parsedCredential, issuedAt, expiration } = await Credential.Issuance.verifyAndParseCredential(
   issuerConf,
   credential,
-  format,
+  credential_configuration_id,
   { credentialCryptoContext }
 );
 return {
   parsedCredential,
   credential,
+  credentialConfigurationId: credential_configuration_id
+  credentialType: "PersonIdentificationData",
   keyTag: credentialKeyTag,
-  credentialType,
   issuedAt,
   expiration
 };

package/src/credential/issuance/const.ts CHANGED Viewed

@@ -6,6 +6,6 @@ export type SupportedCredentialFormat = z.infer<
   typeof SupportedCredentialFormat
 >;
 export const SupportedCredentialFormat = z.union([
-  z.literal("vc+sd-jwt"),
+  z.literal("dc+sd-jwt"),
   z.literal("vc+mdoc-cbor"),
 ]);

package/src/credential/issuance/types.ts CHANGED Viewed

@@ -1,14 +1,17 @@
-import { AuthorizationDetail } from "../../utils/par";
 import * as z from "zod";
-import { SupportedCredentialFormat } from "./const";
+export type AuthorizationDetail = z.infer<typeof AuthorizationDetail>;
+export const AuthorizationDetail = z.object({
+  type: z.literal("openid_credential"),
+  credential_configuration_id: z.string(),
+  credential_identifiers: z.array(z.string()),
+});
 export type TokenResponse = z.infer<typeof TokenResponse>;
 export const TokenResponse = z.object({
   access_token: z.string(),
   authorization_details: z.array(AuthorizationDetail),
-  c_nonce: z.string(),
-  c_nonce_expires_in: z.number(),
   expires_in: z.number(),
   token_type: z.string(),
 });
@@ -16,10 +19,12 @@ export const TokenResponse = z.object({
 export type CredentialResponse = z.infer<typeof CredentialResponse>;
 export const CredentialResponse = z.object({
-  c_nonce: z.string(),
-  c_nonce_expires_in: z.number(),
-  credential: z.string(),
-  format: SupportedCredentialFormat,
+  credentials: z.array(
+    z.object({
+      credential: z.string(),
+    })
+  ),
+  notification_id: z.string().optional(),
 });
 /**
@@ -30,3 +35,8 @@ export const ResponseUriResultShape = z.object({
 });
 export type ResponseMode = "query" | "form_post.jwt";
+export type NonceResponse = z.infer<typeof NonceResponse>;
+export const NonceResponse = z.object({
+  c_nonce: z.string(),
+});

package/src/credential/presentation/07-evaluate-dcql-query.ts CHANGED Viewed

@@ -56,7 +56,7 @@ const mapCredentialToObject = (jwt: string) => {
   const credentialFormat = sdJwt.header.typ;
   // TODO [SIW-2082]: support MDOC credentials
-  if (credentialFormat !== "vc+sd-jwt") {
+  if (credentialFormat !== "dc+sd-jwt") {
     throw new Error(`Unsupported credential format: ${credentialFormat}`);
   }
@@ -100,7 +100,7 @@ const extractMissingCredentials = (
 ): NotFoundDetail[] => {
   return getDcqlQueryFailedMatches(queryResult).map(([id]) => {
     const credential = originalQuery.credentials.find((c) => c.id === id);
-    if (credential?.format !== "vc+sd-jwt") {
+    if (credential?.format !== "dc+sd-jwt") {
       throw new Error("Unsupported format"); // TODO [SIW-2082]: support MDOC credentials
     }
     return { id, vctValues: credential.meta?.vct_values };
@@ -135,7 +135,7 @@ export const evaluateDcqlQuery: EvaluateDcqlQuery = (
     );
     return getDcqlQueryMatches(queryResult).map(([id, match]) => {
-      if (match.output.credential_format !== "vc+sd-jwt") {
+      if (match.output.credential_format !== "dc+sd-jwt") {
         throw new Error("Unsupported format"); // TODO [SIW-2082]: support MDOC credentials
       }
       const { vct, claims } = match.output;
@@ -192,7 +192,7 @@ export const prepareRemotePresentations: PrepareRemotePresentations = async (
         credentialId: item.id,
         requestedClaims: item.requestedClaims,
         vpToken: vp_token,
-        format: "vc+sd-jwt",
+        format: "dc+sd-jwt",
       };
     })
   );

package/src/credential/presentation/07-evaluate-input-descriptor.ts CHANGED Viewed

@@ -326,7 +326,7 @@ export const evaluateInputDescriptors: EvaluateInputDescriptors = async (
   return Promise.all(
     inputDescriptors.map(async (descriptor) => {
-      if (descriptor.format?.["vc+sd-jwt"]) {
+      if (descriptor.format?.["dc+sd-jwt"]) {
         if (!decodedSdJwtCredentials.length) {
           throw new CredentialsNotFoundError([
             {
@@ -379,7 +379,7 @@ export const prepareLegacyRemotePresentations: PrepareLegacyRemotePresentations
       credentialAndDescriptors.map(async (item) => {
         const descriptor = item.inputDescriptor;
-        if (descriptor.format?.["vc+sd-jwt"]) {
+        if (descriptor.format?.["dc+sd-jwt"]) {
           const { vp_token } = await prepareVpToken(nonce, client_id, [
             item.credential,
             item.requestedClaims,
@@ -390,7 +390,7 @@ export const prepareLegacyRemotePresentations: PrepareLegacyRemotePresentations
             requestedClaims: item.requestedClaims,
             inputDescriptor: descriptor,
             vpToken: vp_token,
-            format: "vc+sd-jwt",
+            format: "dc+sd-jwt",
           };
         }

package/src/credential/status/README.md CHANGED Viewed

@@ -60,7 +60,6 @@ const { parsedStatusAttestation } =
 return {
   statusAttestation: res.statusAttestation,
   parsedStatusAttestation,
-  credentialType,
 };
 ```

package/src/sd-jwt/__test__/index.test.ts CHANGED Viewed

@@ -3,39 +3,14 @@ import { decode, disclose } from "../index";
 import { encodeBase64, decodeBase64 } from "@pagopa/io-react-native-jwt";
 import { SdJwt4VC } from "../types";
+import { pid } from "../__mocks__/sd-jwt";
-// Examples from https://www.ietf.org/archive/id/draft-terbu-sd-jwt-vc-02.html#name-example-4
-// but adapted to adhere to format declared in https://italia.github.io/eudi-wallet-it-docs/versione-corrente/en/pid-eaa-data-model.html#id2
-// In short, the token is a Frankenstein composed as follows:
-//  - the header is taken from the italian specification, with kid and alg valued according to the signing keys
-//  - disclosures are taken from the SD-JWT-4-VC standard
-//  - payload is taken from the italian specification, but _sd are compiled with:
-//    - "address" is used as verification._sd
-//    - all others disclosures are in claims._sd
-const token =
-  "eyJraWQiOiItRl82VWdhOG4zVmVnalkyVTdZVUhLMXpMb2FELU5QVGM2M1JNSVNuTGF3IiwidHlwIjoidmMrc2Qtand0IiwiYWxnIjoiRVMyNTYifQ.eyJfc2QiOlsiMHExRDVKbWF2NnBRYUVoX0pfRmN2X3VOTk1RSWdDeWhRT3hxbFk0bDNxVSIsIktDSi1BVk52ODhkLXhqNnNVSUFPSnhGbmJVaDNySFhES2tJSDFsRnFiUnMiLCJNOWxvOVl4RE5JWHJBcTJxV2VpQ0E0MHpwSl96WWZGZFJfNEFFQUxjUnRVIiwiY3pnalVrMG5xUkNzd1NoQ2hDamRTNkExLXY0N2RfcVRDU0ZJdklIaE1vSSIsIm5HblFyN2NsbTN0ZlRwOHlqTF91SHJEU090elIyUFZiOFM3R2VMZEFxQlEiLCJ4TklWd2xwU3NhWjhDSlNmMGd6NXhfNzVWUldXYzZWMW1scGVqZENycVVzIl0sInN1YiI6IjIxNmY4OTQ2LTllY2ItNDgxOS05MzA5LWMwNzZmMzRhN2UxMSIsIl9zZF9hbGciOiJzaGEtMjU2IiwidmN0IjoiUGVyc29uSWRlbnRpZmljYXRpb25EYXRhIiwiaXNzIjoiaHR0cHM6Ly9wcmUuZWlkLndhbGxldC5pcHpzLml0IiwiY25mIjp7Imp3ayI6eyJrdHkiOiJFQyIsImNydiI6IlAtMjU2Iiwia2lkIjoiUnYzVy1FaUtwdkJUeWs1eVp4dnJldi03TURCNlNselVDQm9fQ1FqamRkVSIsIngiOiIwV294N1F0eVBxQnlnMzVNSF9YeUNjbmQ1TGUtSm0wQVhIbFVnREJBMDNZIiwieSI6ImVFaFZ2ZzFKUHFOZDNEVFNhNG1HREdCbHdZNk5QLUVaYkxiTkZYU1h3SWcifX0sImV4cCI6MTc1MTU0NjU3Niwic3RhdHVzIjp7InN0YXR1c19hdHRlc3RhdGlvbiI6eyJjcmVkZW50aWFsX2hhc2hfYWxnIjoic2hhLTI1NiJ9fX0.qXHA2oqr8trX4fGxpxpUft2GX380TM3pzfo1MYAsDjUC8HsODA-4rdRWAvDe2zYP57x4tJU7eiABkd1Kmln9yQ~WyJrSkRFUDhFYU5URU1CRE9aelp6VDR3IiwidW5pcXVlX2lkIiwiVElOSVQtTFZMREFBODVUNTBHNzAyQiJd~WyJ6SUF5VUZ2UGZJcEUxekJxeEk1aGFRIiwiYmlydGhfZGF0ZSIsIjE5ODUtMTItMTAiXQ~WyJHcjNSM3MyOTBPa1FVbS1ORlR1OTZBIiwidGF4X2lkX2NvZGUiLCJUSU5JVC1MVkxEQUE4NVQ1MEc3MDJCIl0~WyJHeE9SYWxNQWVsZlowZWRGSmpqWVV3IiwiZ2l2ZW5fbmFtZSIsIkFkYSJd~WyJfdlY1UklrbDBJT0VYS290czlrdDF3IiwiZmFtaWx5X25hbWUiLCJMb3ZlbGFjZSJd~WyJDajV0Y2NSNzJKd3J6ZTJUVzRhLXdnIiwiaWF0IiwxNzIwMDEwNTc1XQ";
-const unsigned =
-  "eyJraWQiOiItRl82VWdhOG4zVmVnalkyVTdZVUhLMXpMb2FELU5QVGM2M1JNSVNuTGF3IiwidHlwIjoidmMrc2Qtand0IiwiYWxnIjoiRVMyNTYifQ.eyJfc2QiOlsiMHExRDVKbWF2NnBRYUVoX0pfRmN2X3VOTk1RSWdDeWhRT3hxbFk0bDNxVSIsIktDSi1BVk52ODhkLXhqNnNVSUFPSnhGbmJVaDNySFhES2tJSDFsRnFiUnMiLCJNOWxvOVl4RE5JWHJBcTJxV2VpQ0E0MHpwSl96WWZGZFJfNEFFQUxjUnRVIiwiY3pnalVrMG5xUkNzd1NoQ2hDamRTNkExLXY0N2RfcVRDU0ZJdklIaE1vSSIsIm5HblFyN2NsbTN0ZlRwOHlqTF91SHJEU090elIyUFZiOFM3R2VMZEFxQlEiLCJ4TklWd2xwU3NhWjhDSlNmMGd6NXhfNzVWUldXYzZWMW1scGVqZENycVVzIl0sInN1YiI6IjIxNmY4OTQ2LTllY2ItNDgxOS05MzA5LWMwNzZmMzRhN2UxMSIsIl9zZF9hbGciOiJzaGEtMjU2IiwidmN0IjoiUGVyc29uSWRlbnRpZmljYXRpb25EYXRhIiwiaXNzIjoiaHR0cHM6Ly9wcmUuZWlkLndhbGxldC5pcHpzLml0IiwiY25mIjp7Imp3ayI6eyJrdHkiOiJFQyIsImNydiI6IlAtMjU2Iiwia2lkIjoiUnYzVy1FaUtwdkJUeWs1eVp4dnJldi03TURCNlNselVDQm9fQ1FqamRkVSIsIngiOiIwV294N1F0eVBxQnlnMzVNSF9YeUNjbmQ1TGUtSm0wQVhIbFVnREJBMDNZIiwieSI6ImVFaFZ2ZzFKUHFOZDNEVFNhNG1HREdCbHdZNk5QLUVaYkxiTkZYU1h3SWcifX0sImV4cCI6MTc1MTU0NjU3Niwic3RhdHVzIjp7InN0YXR1c19hdHRlc3RhdGlvbiI6eyJjcmVkZW50aWFsX2hhc2hfYWxnIjoic2hhLTI1NiJ9fX0";
-const signature =
-  "qXHA2oqr8trX4fGxpxpUft2GX380TM3pzfo1MYAsDjUC8HsODA-4rdRWAvDe2zYP57x4tJU7eiABkd1Kmln9yQ";
-const signed = `${unsigned}.${signature}`;
-const tokenizedDisclosures = [
-  "WyJrSkRFUDhFYU5URU1CRE9aelp6VDR3IiwidW5pcXVlX2lkIiwiVElOSVQtTFZMREFBODVUNTBHNzAyQiJd",
-  "WyJ6SUF5VUZ2UGZJcEUxekJxeEk1aGFRIiwiYmlydGhfZGF0ZSIsIjE5ODUtMTItMTAiXQ",
-  "WyJHcjNSM3MyOTBPa1FVbS1ORlR1OTZBIiwidGF4X2lkX2NvZGUiLCJUSU5JVC1MVkxEQUE4NVQ1MEc3MDJCIl0",
-  "WyJHeE9SYWxNQWVsZlowZWRGSmpqWVV3IiwiZ2l2ZW5fbmFtZSIsIkFkYSJd",
-  "WyJfdlY1UklrbDBJT0VYS290czlrdDF3IiwiZmFtaWx5X25hbWUiLCJMb3ZlbGFjZSJd",
-  "WyJDajV0Y2NSNzJKd3J6ZTJUVzRhLXdnIiwiaWF0IiwxNzIwMDEwNTc1XQ",
-];
+const { token, signed, tokenizedDisclosures } = pid;
 const sdJwt = {
   header: {
     kid: "-F_6Uga8n3VegjY2U7YUHK1zLoaD-NPTc63RMISnLaw",
-    typ: "vc+sd-jwt",
+    typ: "dc+sd-jwt",
     alg: "ES256",
   },
   payload: {
@@ -50,7 +25,11 @@ const sdJwt = {
     sub: "216f8946-9ecb-4819-9309-c076f34a7e11",
     _sd_alg: "sha-256",
     vct: "PersonIdentificationData",
+    "vct#integrity":
+      "13e25888ac7b8a3a6d61440da787fccc81654e61085732bcacd89b36aec32675",
     iss: "https://pre.eid.wallet.ipzs.it",
+    issuing_country: "IT",
+    issuing_authority: "Istituto Poligrafico e Zecca dello Stato",
     cnf: {
       jwk: {
         kty: "EC",
@@ -62,7 +41,7 @@ const sdJwt = {
     },
     exp: 1751546576,
     status: {
-      status_attestation: {
+      status_assertion: {
         credential_hash_alg: "sha-256",
       },
     },

package/src/sd-jwt/__test__/types.test.ts CHANGED Viewed

@@ -5,7 +5,7 @@ describe("SdJwt4VC", () => {
     // example provided at https://italia.github.io/eidas-it-wallet-docs/en/pid-data-model.html
     const token = {
       header: {
-        typ: "vc+sd-jwt",
+        typ: "dc+sd-jwt",
         alg: "RS512",
         kid: "dB67gL7ck3TFiIAf7N6_7SHvqk0MDYMEQcoGGlkUAAw",
       },
@@ -21,7 +21,11 @@ describe("SdJwt4VC", () => {
         sub: "216f8946-9ecb-4819-9309-c076f34a7e11",
         _sd_alg: "sha-256",
         vct: "PersonIdentificationData",
+        "vct#integrity":
+          "13e25888ac7b8a3a6d61440da787fccc81654e61085732bcacd89b36aec32675",
         iss: "https://pidprovider.example.com",
+        issuing_country: "IT",
+        issuing_authority: "Istituto Poligrafico e Zecca dello Stato",
         cnf: {
           jwk: {
             kty: "EC",
@@ -33,7 +37,7 @@ describe("SdJwt4VC", () => {
         },
         exp: 1751107255,
         status: {
-          status_attestation: {
+          status_assertion: {
             credential_hash_alg: "sha-256",
           },
         },

package/src/sd-jwt/__test__/utils.test.ts ADDED Viewed

@@ -0,0 +1,37 @@
+import { getVerification } from "..";
+import { pid } from "../__mocks__/sd-jwt";
+const { signed, token } = pid;
+describe("SD-JWT getVerification", () => {
+  it("extracts the verification claims correctly", () => {
+    const disclosure =
+      "WyJxTGxVdkNKY3hwX3d4MVY5dHFPbFFRIiwidmVyaWZpY2F0aW9uIix7ImV2aWRlbmNlIjpbeyJhdHRlc3RhdGlvbiI6eyJkYXRlX29mX2lzc3VhbmNlIjoiMjAyNS0wNi0yMyIsInZvdWNoZXIiOnsib3JnYW5pemF0aW9uIjoiTWluaXN0ZXJvIGRlbGwnSW50ZXJubyJ9LCJ0eXBlIjoiZGlnaXRhbF9hdHRlc3RhdGlvbiIsInJlZmVyZW5jZV9udW1iZXIiOiIxMjM0NTY3ODkifSwidGltZSI6IjIwMjUtMDYtMjNUMTM6MTQ6MjVaIiwidHlwZSI6InZvdWNoIn1dLCJ0cnVzdF9mcmFtZXdvcmsiOiJpdF9jaWUiLCJhc3N1cmFuY2VfbGV2ZWwiOiJoaWdoIn1d";
+    expect(getVerification(`${signed}~${disclosure}`)).toEqual({
+      evidence: [
+        {
+          attestation: {
+            date_of_issuance: "2025-06-23",
+            voucher: { organization: "Ministero dell'Interno" },
+            type: "digital_attestation",
+            reference_number: "123456789",
+          },
+          time: "2025-06-23T13:14:25Z",
+          type: "vouch",
+        },
+      ],
+      trust_framework: "it_cie",
+      assurance_level: "high",
+    });
+  });
+  it("returns undefined when the verification claim is not found", () => {
+    expect(getVerification(token)).toBeUndefined();
+  });
+  it("throws when the verification claim is invalid", () => {
+    const disclosure =
+      "WyJxTGxVdkNKY3hwX3d4MVY5dHFPbFFRIiwidmVyaWZpY2F0aW9uIix7InRydXN0X2ZyYW1ld29yayI6ICJpdF9jaWUiLCJhc3N1cmFuY2VfbGV2ZWwiOiAic3Vic3RhbnRpYWwifV0";
+    expect(() => getVerification(`${signed}~${disclosure}`)).toThrow();
+  });
+});

package/src/sd-jwt/index.ts CHANGED Viewed

@@ -10,6 +10,8 @@ import * as Errors from "./errors";
 import { Base64 } from "js-base64";
 import { type Presentation } from "../credential/presentation/types";
+export * from "./utils";
 const decodeDisclosure = (encoded: string): DisclosureWithEncoded => {
   const utf8String = Base64.decode(encoded); // Decode Base64 into UTF-8 string
   const decoded = Disclosure.parse(JSON.parse(utf8String));

package/src/sd-jwt/types.ts CHANGED Viewed

@@ -36,7 +36,7 @@ export type DisclosureWithEncoded = {
 export type SdJwt4VC = z.infer<typeof SdJwt4VC>;
 export const SdJwt4VC = z.object({
   header: z.object({
-    typ: z.literal("vc+sd-jwt"),
+    typ: z.literal("dc+sd-jwt"),
     alg: z.string(),
     kid: z.string().optional(),
   }),
@@ -48,7 +48,7 @@ export const SdJwt4VC = z.object({
       exp: UnixTime,
       _sd_alg: z.literal("sha-256"),
       status: z.object({
-        status_attestation: z.object({
+        status_assertion: z.object({
           credential_hash_alg: z.literal("sha-256"),
         }),
       }),
@@ -56,7 +56,54 @@ export const SdJwt4VC = z.object({
         jwk: JWK,
       }),
       vct: z.string(),
+      "vct#integrity": z.string(),
+      issuing_authority: z.string(),
+      issuing_country: z.string(),
     }),
     ObfuscatedDisclosures
   ),
 });
+/**
+ * Object containing User authentication and User data verification information.
+ * Useful to extract the assurance level to determine L2/L3 authentication.
+ */
+export type Verification = z.infer<typeof Verification>;
+export const Verification = z.object({
+  trust_framework: z.string(),
+  assurance_level: z.string(),
+  evidence: z.array(
+    z.object({
+      type: z.literal("vouch"),
+      time: z.string(),
+      attestation: z.object({
+        type: z.literal("digital_attestation"),
+        reference_number: z.string(),
+        date_of_issuance: z.string(),
+        voucher: z.object({ organization: z.string() }),
+      }),
+    })
+  ),
+});
+/**
+ * Metadata for a digital credential. This information is retrieved from the URL defined in the `vct` claim.
+ *
+ * @see https://italia.github.io/eid-wallet-it-docs/v0.9.1/en/pid-eaa-data-model.html#digital-credential-metadata-type
+ */
+export type TypeMetadata = z.infer<typeof TypeMetadata>;
+export const TypeMetadata = z.object({
+  name: z.string(),
+  description: z.string(),
+  data_source: z.object({
+    trust_framework: z.string(),
+    authentic_source: z.object({
+      organization_name: z.string(),
+      organization_code: z.string(),
+      contacts: z.array(z.string()),
+      homepage_uri: z.string().url(),
+      logo_uri: z.string().url(),
+    }),
+  }),
+  // TODO: add more fields
+});