@pagopa/io-react-native-wallet 2.0.0-next.2 → 2.0.0-next.3

package/src/sd-jwt/utils.ts

@@ -0,0 +1,73 @@
+import { sha256ToBase64 } from "@pagopa/io-react-native-jwt";
+import { hasStatusOrThrow } from "../utils/misc";
+import { TypeMetadata, Verification } from "./types";
+import {
+  IoWalletError,
+  IssuerResponseError,
+  ValidationFailed,
+} from "../utils/errors";
+import { decode } from ".";
+import { getValueFromDisclosures } from "./converters";
+
+/**
+ * Retrieve the Type Metadata for a credential and verify its integrity.
+ * @param vct The VCT as a valid HTTPS url
+ * @param vctIntegrity The integrity hash
+ * @param context.appFetch (optional) fetch api implementation. Default: built-in fetch
+ * @returns The credential metadata {@link TypeMetadata}
+ */
+export const fetchTypeMetadata = async (
+  vct: string,
+  vctIntegrity: string,
+  context: {
+    appFetch?: GlobalFetch["fetch"];
+  } = {}
+): Promise<TypeMetadata> => {
+  const { appFetch = fetch } = context;
+  const { origin, pathname } = new URL(vct);
+
+  const metadata = await appFetch(`${origin}/.well-known/vct${pathname}`, {
+    headers: {
+      "Content-Type": "application/json",
+    },
+  })
+    .then(hasStatusOrThrow(200, IssuerResponseError))
+    .then((res) => res.json())
+    .then(TypeMetadata.parse);
+
+  const [alg, hash] = vctIntegrity.split(/-(.*)/s);
+
+  if (alg !== "sha256") {
+    throw new IoWalletError(`${alg} algorithm is not supported`);
+  }
+
+  // TODO: [SIW-2264] check if the hash is correctly calculated
+  const metadataHash = await sha256ToBase64(JSON.stringify(metadata));
+
+  if (metadataHash !== hash) {
+    throw new ValidationFailed({
+      message: "Unable to verify VCT integrity",
+      reason: "vct#integrity does not match the metadata hash",
+    });
+  }
+
+  return metadata;
+};
+
+/**
+ * Extract and validate the `verification` claim from disclosures.
+ * @param credentialSdJwt The raw credential SD-JWT
+ * @returns The verification claim or undefined if it wasn't found
+ */
+export const getVerification = (
+  credentialSdJwt: string
+): Verification | undefined => {
+  const { disclosures } = decode(credentialSdJwt);
+  const verificationDisclosure = getValueFromDisclosures(
+    disclosures.map((d) => d.decoded),
+    "verification"
+  );
+  return verificationDisclosure
+    ? Verification.parse(verificationDisclosure)
+    : undefined;
+};

package/src/trust/types.ts

@@ -37,12 +37,10 @@ const CredentialIssuerDisplayMetadata = z.object({
 });
 
 type ClaimsMetadata = z.infer<typeof ClaimsMetadata>;
-const ClaimsMetadata = z.record(
-  z.object({
-    value_type: z.string(),
-    display: z.array(z.object({ name: z.string(), locale: z.string() })),
-  })
-);
+const ClaimsMetadata = z.object({
+  path: z.array(z.string()),
+  display: z.array(CredentialDisplayMetadata),
+});
 
 type IssuanceErrorSupported = z.infer<typeof IssuanceErrorSupported>;
 const IssuanceErrorSupported = z.object({
@@ -57,16 +55,21 @@ const IssuanceErrorSupported = z.object({
 
 // Metadata for a credential which is supported by an Issuer
 type SupportedCredentialMetadata = z.infer<typeof SupportedCredentialMetadata>;
-const SupportedCredentialMetadata = z.object({
-  format: z.union([z.literal("vc+sd-jwt"), z.literal("vc+mdoc-cbor")]),
-  scope: z.string(),
-  display: z.array(CredentialDisplayMetadata),
-  claims: ClaimsMetadata,
-  cryptographic_binding_methods_supported: z.array(z.string()),
-  credential_signing_alg_values_supported: z.array(z.string()),
-  authentic_source: z.string().optional(),
-  issuance_errors_supported: z.record(IssuanceErrorSupported).optional(),
-});
+const SupportedCredentialMetadata = z.intersection(
+  z.discriminatedUnion("format", [
+    z.object({ format: z.literal("dc+sd-jwt"), vct: z.string() }),
+    z.object({ format: z.literal("mso_mdoc"), doctype: z.string() }),
+  ]),
+  z.object({
+    scope: z.string(),
+    display: z.array(CredentialDisplayMetadata),
+    claims: z.array(ClaimsMetadata),
+    cryptographic_binding_methods_supported: z.array(z.string()),
+    credential_signing_alg_values_supported: z.array(z.string()),
+    authentic_source: z.string().optional(),
+    issuance_errors_supported: z.record(IssuanceErrorSupported).optional(),
+  })
+);
 
 export type EntityStatement = z.infer<typeof EntityStatement>;
 export const EntityStatement = z.object({
@@ -155,13 +158,16 @@ export const CredentialIssuerEntityConfiguration = BaseEntityConfiguration.and(
         openid_credential_issuer: z.object({
           credential_issuer: z.string(),
           credential_endpoint: z.string(),
-          revocation_endpoint: z.string(),
+          revocation_endpoint: z.string().optional(),
+          nonce_endpoint: z.string(),
           status_attestation_endpoint: z.string(),
           display: z.array(CredentialIssuerDisplayMetadata),
           credential_configurations_supported: z.record(
             SupportedCredentialMetadata
           ),
           jwks: z.object({ keys: z.array(JWK) }),
+          trust_frameworks_supported: z.array(z.string()),
+          evidence_supported: z.array(z.string()),
         }),
         oauth_authorization_server: z.object({
           authorization_endpoint: z.string(),

package/src/utils/par.ts

@@ -13,14 +13,31 @@ import { LogLevel, Logger } from "./logging";
 
 export type AuthorizationDetail = z.infer<typeof AuthorizationDetail>;
 export const AuthorizationDetail = z.object({
-  credential_configuration_id: z.string(),
-  format: z.union([z.literal("vc+sd-jwt"), z.literal("vc+mdoc-cbor")]),
   type: z.literal("openid_credential"),
+  credential_configuration_id: z.string(),
 });
 
 export type AuthorizationDetails = z.infer<typeof AuthorizationDetails>;
 export const AuthorizationDetails = z.array(AuthorizationDetail);
 
+export type ParResponse = z.infer<typeof ParResponse>;
+export const ParResponse = z.object({
+  request_uri: z.string(),
+  expires_in: z.number(),
+});
+
+type AuthDetailsOrScope =
+  | { authorizationDetails: AuthorizationDetails; scope?: string }
+  | { authorizationDetails?: AuthorizationDetails; scope: string };
+
+type ParRequestPayload = {
+  clientId: string;
+  codeVerifier: string;
+  redirectUri: string;
+  responseMode: string;
+  aud: string;
+} & AuthDetailsOrScope;
+
 /**
  * Make a PAR request to the issuer and return the response url
  */
@@ -33,20 +50,20 @@ export const makeParRequest =
     appFetch: GlobalFetch["fetch"];
   }) =>
   async (
-    clientId: string,
-    codeVerifier: string,
-    redirectUri: string,
-    responseMode: string,
     parEndpoint: string,
     walletInstanceAttestation: string,
-    authorizationDetails: AuthorizationDetails,
-    assertionType: string
+    {
+      codeVerifier,
+      responseMode,
+      clientId,
+      redirectUri,
+      authorizationDetails,
+      scope,
+      aud,
+    }: ParRequestPayload
   ): Promise<string> => {
     const wiaPublicKey = await wiaCryptoContext.getPublicKey();
 
-    const parUrl = new URL(parEndpoint);
-    const aud = `${parUrl.protocol}//${parUrl.hostname}`;
-
     const iss = WalletInstanceAttestation.decode(walletInstanceAttestation)
       .payload.cnf.jwk.kid;
 
@@ -71,7 +88,7 @@ export const makeParRequest =
         The key is matched by its kid */
     const signedJwtForPar = await new SignJWT(wiaCryptoContext)
       .setProtectedHeader({
-        typ: "jwk",
+        typ: "jwt",
         kid: wiaPublicKey.kid,
       })
       .setPayload({
@@ -84,24 +101,20 @@ export const makeParRequest =
         state: generateRandomAlphaNumericString(32),
         code_challenge: codeChallenge,
         code_challenge_method: codeChallengeMethod,
-        authorization_details: authorizationDetails,
         redirect_uri: redirectUri,
-        client_assertion_type: assertionType,
-        client_assertion: walletInstanceAttestation + "~" + signedWiaPoP,
+        ...(authorizationDetails && {
+          authorization_details: authorizationDetails,
+        }),
+        ...(scope && { scope }),
       })
-      .setIssuedAt() //iat is set to now
+      .setIssuedAt() // iat is set to now
       .setExpirationTime("5min")
       .sign();
 
     /** The request body for the Pushed Authorization Request */
     var formBody = new URLSearchParams({
-      response_type: "code",
       client_id: clientId,
-      code_challenge: codeChallenge,
-      code_challenge_method: "S256",
       request: signedJwtForPar,
-      client_assertion_type: assertionType,
-      client_assertion: walletInstanceAttestation + "~" + signedWiaPoP,
     });
 
     Logger.log(
@@ -113,10 +126,13 @@ export const makeParRequest =
       method: "POST",
       headers: {
         "Content-Type": "application/x-www-form-urlencoded",
+        "OAuth-Client-Attestation": walletInstanceAttestation,
+        "OAuth-Client-Attestation-PoP": signedWiaPoP,
       },
       body: formBody.toString(),
     })
       .then(hasStatusOrThrow(201, IssuerResponseError))
       .then((res) => res.json())
+      .then(ParResponse.parse)
       .then((result) => result.request_uri);
   };

package/src/utils/pop.ts

@@ -18,7 +18,7 @@ export const createPopToken = async (
   return new SignJWT(crypto)
     .setPayload(payload)
     .setProtectedHeader({
-      typ: "jwt-client-attestation-pop",
+      typ: "oauth-client-attestation-pop+jwt",
       kid,
     })
     .setIssuedAt()

package/src/wallet-instance-attestation/types.ts

@@ -48,6 +48,8 @@ export const WalletInstanceAttestationRequestJwt = z.object({
   ),
 });
 
+// TODO: [SIW-2089] add type for Wallet Attestation in SD-JWT and MDOC format
+// See https://italia.github.io/eid-wallet-it-docs/versione-corrente/en/wallet-solution.html#wallet-attestation-issuance step 18
 export type WalletInstanceAttestationJwt = z.infer<
   typeof WalletInstanceAttestationJwt
 >;
@@ -56,7 +58,7 @@ export const WalletInstanceAttestationJwt = z.object({
     Jwt.shape.header,
     z.object({
       typ: z.literal("oauth-client-attestation+jwt"),
-      trust_chain: z.array(z.string()),
+      trust_chain: z.array(z.string()).optional(), // TODO: [SIW-2264] Make mandatory
     })
   ),
   payload: z.intersection(