@pagopa/io-react-native-wallet 2.0.0-next.2 → 2.0.0-next.4

package/src/credential/issuance/README.md

@@ -6,7 +6,7 @@ There's a fork in the flow which is based on the type of the credential that is
 This is due to the fact that eID credentials require a different authorization flow than other credentials, which is accomplished by a strong authentication method like SPID or CIE.
 Credentials instead require a simpler authorization flow and they require other credentials to be presented in order to be issued.
 
-The supported credentials are defined in the entity configuration of the issuer which is evaluted and parsed in the `evaluateIssuerTrust` step.
+The supported credentials are defined in the entity configuration of the issuer which is evaluted and parsed in the `evaluateIssuerTrust` step. Available credentials are identified with a unique `credential_configuration_id`, that must be used when requesting authorization. The Authorization Server returns an array of **credential identifiers** that map to the `credential_configuration_id` provided: to obtain the credential, one of the credential identifiers (or all of them) must be requested to the credential endpoint.
 
 ## Sequence Diagram
 
@@ -96,17 +96,13 @@ const walletInstanceAttestation =
     appFetch,
   });
 
-const credentialType = "someCredential"; // Let's assume this is the credential type
-
-const eid = {
+const pid = {
   credential: "example",
   parsedCredential: "example"
   keyTag: "example";
-  credentialType: "eid";
+  credentialType: "PersonIdentificationData";
 };
 
-const eidCryptoContext = createCryptoContextFor(eid.keyTag);
-
 // Create credential crypto context
 const credentialKeyTag = uuidv4().toString();
 await generate(credentialKeyTag); // Let's assume this function generates a new hardware-backed key pair
@@ -115,22 +111,26 @@ const credentialCryptoContext = createCryptoContextFor(credentialKeyTag);
 // Start the issuance flow
 const startFlow: Credential.Issuance.StartFlow = () => ({
   issuerUrl: WALLET_EAA_PROVIDER_BASE_URL,
-  credentialType,
+  credentialId: "someCredentialId",
 });
 
-const { issuerUrl } = startFlow();
+const { issuerUrl, credentialId } = startFlow();
 
 // Evaluate issuer trust
 const { issuerConf } = await Credential.Issuance.evaluateIssuerTrust(issuerUrl);
 
 // Start user authorization
-const { issuerRequestUri, clientId, codeVerifier, credentialDefinition } =
-  await Credential.Issuance.startUserAuthorization(issuerConf, credentialType, {
-    walletInstanceAttestation,
-    redirectUri,
-    wiaCryptoContext,
-    appFetch,
-  });
+const { issuerRequestUri, clientId, codeVerifier } =
+  await Credential.Issuance.startUserAuthorization(
+    issuerConf, 
+    [credentialId], 
+    {
+      walletInstanceAttestation,
+      redirectUri: REDIRECT_URI,
+      wiaCryptoContext,
+      appFetch,
+    }
+  );
 
 const requestObject =
   await Credential.Issuance.getRequestedCredentialToBePresented(
@@ -140,13 +140,12 @@ const requestObject =
     appFetch
   );
 
-// The app here should ask the user to confirm the required data contained in the requestObject
-
 // Complete the user authorization via form_post.jwt mode
 const { code } =
   await Credential.Issuance.completeUserAuthorizationWithFormPostJwtMode(
     requestObject,
-    { wiaCryptoContext, pidCryptoContext, pid, walletInstanceAttestation }
+    pid.credential,
+    { wiaCryptoContext, pidCryptoContext: createCryptoContextFor(pid.keyTag) }
   );
 
 // Generate the DPoP context which will be used for the whole issuance flow
@@ -157,7 +156,7 @@ const { accessToken } = await Credential.Issuance.authorizeAccess(
   issuerConf,
   code,
   clientId,
-  redirectUri,
+  redirectUri: REDIRECT_URI,
   codeVerifier,
   {
     walletInstanceAttestation,
@@ -167,12 +166,19 @@ const { accessToken } = await Credential.Issuance.authorizeAccess(
   }
 );
 
-// Obtain the credential
-const { credential, format } = await Credential.Issuance.obtainCredential(
+// For simplicity, in this example flow we work on a single credential.
+const { credential_configuration_id, credential_identifiers } =
+    accessToken.authorization_details[0]!;
+
+ // Obtain the credential
+const { credential } = await Credential.Issuance.obtainCredential(
   issuerConf,
   accessToken,
   clientId,
-  credentialDefinition,
+  {
+    credential_configuration_id,
+    credential_identifier: credential_identifiers[0],
+  },
   {
     credentialCryptoContext,
     dPopCryptoContext,
@@ -184,22 +190,29 @@ const { credential, format } = await Credential.Issuance.obtainCredential(
  * Parse and verify the credential. The ignoreMissingAttributes flag must be set to false or omitted in production.
  * WARNING: includeUndefinedAttributes should not be set to true in production in order to get only claims explicitly declared by the issuer.
  */
-const { parsedCredential } = await Credential.Issuance.verifyAndParseCredential(
-  issuerConf,
-  credential,
-  format,
-  {
-    credentialCryptoContext,
-    ignoreMissingAttributes: true,
-    includeUndefinedAttributes: false
-  }
-);
+const { parsedCredential } =
+  await Credential.Issuance.verifyAndParseCredential(
+    issuerConf,
+    credential,
+    credential_configuration_id,
+    { 
+      credentialCryptoContext, 
+      ignoreMissingAttributes: true,
+      includeUndefinedAttributes: false 
+    }
+  );
+
+const credentialType =
+  issuerConf.openid_credential_issuer.credential_configurations_supported[
+    credential_configuration_id
+  ].scope;
 
 return {
   parsedCredential,
   credential,
   keyTag: credentialKeyTag,
   credentialType,
+  credentialConfigurationId: credential_configuration_id,
 };
 ```
 
@@ -251,11 +264,10 @@ const credentialCryptoContext = createCryptoContextFor(credentialKeyTag);
 // Start the issuance flow
 const startFlow: Credential.Issuance.StartFlow = () => ({
   issuerUrl: WALLET_EID_PROVIDER_BASE_URL,
-  credentialType: "PersonIdentificationData",
-  appFetch,
+  credentialId: "dc_sd_jwt_PersonIdentificationData",
 });
 
-const { issuerUrl } = startFlow();
+const { issuerUrl, credentialId } = startFlow();
 
 // Evaluate issuer trust
 const { issuerConf } = await Credential.Issuance.evaluateIssuerTrust(
@@ -265,12 +277,16 @@ const { issuerConf } = await Credential.Issuance.evaluateIssuerTrust(
 
 // Start user authorization
 const { issuerRequestUri, clientId, codeVerifier, credentialDefinition } =
-  await Credential.Issuance.startUserAuthorization(issuerConf, credentialType, {
-    walletInstanceAttestation,
-    redirectUri,
-    wiaCryptoContext,
-    appFetch,
-  });
+  await Credential.Issuance.startUserAuthorization(
+    issuerConf,
+    [credentialId], // Request authorization for one or more credentials
+    {
+      walletInstanceAttestation,
+      redirectUri,
+      wiaCryptoContext,
+      appFetch,
+    }
+  );
 
 // Complete the authorization process with query mode with the authorizationContext which opens the browser
 const { code } =
@@ -301,12 +317,27 @@ const { accessToken } = await Credential.Issuance.authorizeAccess(
   }
 );
 
+
+const [pidCredentialDefinition] = credentialDefinition;
+
+// Extract the credential_identifier(s) from the access token
+// For each one of them, a credential can be obtained by calling `obtainCredential`
+const { credential_configuration_id, credential_identifiers } =
+    accessToken.authorization_details.find(
+      (authDetails) =>
+        authDetails.credential_configuration_id ===
+        pidCredentialDefinition.credential_configuration_id
+    );
+
 // Obtain che eID credential
 const { credential, format } = await Credential.Issuance.obtainCredential(
   issuerConf,
   accessToken,
   clientId,
-  credentialDefinition,
+  {
+    credential_configuration_id,
+    credential_identifier: credential_identifiers.at(0),
+  },
   {
     credentialCryptoContext,
     dPopCryptoContext,
@@ -318,15 +349,16 @@ const { credential, format } = await Credential.Issuance.obtainCredential(
 const { parsedCredential, issuedAt, expiration } = await Credential.Issuance.verifyAndParseCredential(
   issuerConf,
   credential,
-  format,
+  credential_configuration_id,
   { credentialCryptoContext }
 );
 
 return {
   parsedCredential,
   credential,
+  credentialConfigurationId: credential_configuration_id
+  credentialType: "PersonIdentificationData",
   keyTag: credentialKeyTag,
-  credentialType,
   issuedAt,
   expiration
 };

package/src/credential/issuance/const.ts

@@ -6,6 +6,6 @@ export type SupportedCredentialFormat = z.infer<
   typeof SupportedCredentialFormat
 >;
 export const SupportedCredentialFormat = z.union([
-  z.literal("vc+sd-jwt"),
+  z.literal("dc+sd-jwt"),
   z.literal("vc+mdoc-cbor"),
 ]);

package/src/credential/issuance/types.ts

@@ -1,14 +1,18 @@
-import { AuthorizationDetail } from "../../utils/par";
 import * as z from "zod";
-import { SupportedCredentialFormat } from "./const";
+
+export type AuthorizationDetail = z.infer<typeof AuthorizationDetail>;
+export const AuthorizationDetail = z.object({
+  type: z.literal("openid_credential"),
+  credential_configuration_id: z.string(),
+  credential_identifiers: z.array(z.string()),
+});
 
 export type TokenResponse = z.infer<typeof TokenResponse>;
 
 export const TokenResponse = z.object({
   access_token: z.string(),
+  refresh_token: z.string().optional(),
   authorization_details: z.array(AuthorizationDetail),
-  c_nonce: z.string(),
-  c_nonce_expires_in: z.number(),
   expires_in: z.number(),
   token_type: z.string(),
 });
@@ -16,10 +20,12 @@ export const TokenResponse = z.object({
 export type CredentialResponse = z.infer<typeof CredentialResponse>;
 
 export const CredentialResponse = z.object({
-  c_nonce: z.string(),
-  c_nonce_expires_in: z.number(),
-  credential: z.string(),
-  format: SupportedCredentialFormat,
+  credentials: z.array(
+    z.object({
+      credential: z.string(),
+    })
+  ),
+  notification_id: z.string().optional(),
 });
 
 /**
@@ -30,3 +36,8 @@ export const ResponseUriResultShape = z.object({
 });
 
 export type ResponseMode = "query" | "form_post.jwt";
+
+export type NonceResponse = z.infer<typeof NonceResponse>;
+export const NonceResponse = z.object({
+  c_nonce: z.string(),
+});

package/src/credential/presentation/07-evaluate-dcql-query.ts

@@ -2,9 +2,9 @@ import { DcqlQuery, DcqlError, DcqlQueryResult } from "dcql";
 import { isValiError } from "valibot";
 import { decode, prepareVpToken } from "../../sd-jwt";
 import type { Disclosure } from "../../sd-jwt/types";
-import { createCryptoContextFor } from "../../utils/crypto";
 import type { RemotePresentation } from "./types";
 import { CredentialsNotFoundError, type NotFoundDetail } from "./errors";
+import type { CryptoContext } from "@pagopa/io-react-native-jwt";
 
 /**
  * The purpose for the credential request by the RP.
@@ -15,13 +15,13 @@ type CredentialPurpose = {
 };
 
 export type EvaluateDcqlQuery = (
-  credentialsSdJwt: [string /* keyTag */, string /* credential */][],
+  credentialsSdJwt: [CryptoContext, string /* credential */][],
   query: DcqlQuery.Input
 ) => {
   id: string;
   vct: string;
   credential: string;
-  keyTag: string;
+  cryptoContext: CryptoContext;
   requiredDisclosures: Disclosure[];
   purposes: CredentialPurpose[];
 }[];
@@ -30,7 +30,7 @@ export type PrepareRemotePresentations = (
   credentials: {
     id: string;
     credential: string;
-    keyTag: string;
+    cryptoContext: CryptoContext;
     requestedClaims: string[];
   }[],
   nonce: string,
@@ -55,11 +55,6 @@ const mapCredentialToObject = (jwt: string) => {
   const { sdJwt, disclosures } = decode(jwt);
   const credentialFormat = sdJwt.header.typ;
 
-  // TODO [SIW-2082]: support MDOC credentials
-  if (credentialFormat !== "vc+sd-jwt") {
-    throw new Error(`Unsupported credential format: ${credentialFormat}`);
-  }
-
   return {
     vct: sdJwt.payload.vct,
     credential_format: credentialFormat,
@@ -100,7 +95,10 @@ const extractMissingCredentials = (
 ): NotFoundDetail[] => {
   return getDcqlQueryFailedMatches(queryResult).map(([id]) => {
     const credential = originalQuery.credentials.find((c) => c.id === id);
-    if (credential?.format !== "vc+sd-jwt") {
+    if (
+      credential?.format !== "dc+sd-jwt" &&
+      credential?.format !== "vc+sd-jwt"
+    ) {
       throw new Error("Unsupported format"); // TODO [SIW-2082]: support MDOC credentials
     }
     return { id, vctValues: credential.meta?.vct_values };
@@ -114,7 +112,6 @@ export const evaluateDcqlQuery: EvaluateDcqlQuery = (
   const credentials = credentialsSdJwt.map(([, credential]) =>
     mapCredentialToObject(credential)
   );
-
   try {
     // Validate the query
     const parsedQuery = DcqlQuery.parse(query);
@@ -131,11 +128,14 @@ export const evaluateDcqlQuery: EvaluateDcqlQuery = (
     // Build an object vct:credentialJwt to map matched credentials to their JWT
     const credentialsSdJwtByVct = credentials.reduce(
       (acc, c, i) => ({ ...acc, [c.vct]: credentialsSdJwt[i]! }),
-      {} as Record<string, [string /* keyTag */, string /* credential */]>
+      {} as Record<string, [CryptoContext, string /* credential */]>
     );
 
     return getDcqlQueryMatches(queryResult).map(([id, match]) => {
-      if (match.output.credential_format !== "vc+sd-jwt") {
+      if (
+        match.output.credential_format !== "dc+sd-jwt" &&
+        match.output.credential_format !== "vc+sd-jwt"
+      ) {
         throw new Error("Unsupported format"); // TODO [SIW-2082]: support MDOC credentials
       }
       const { vct, claims } = match.output;
@@ -147,12 +147,12 @@ export const evaluateDcqlQuery: EvaluateDcqlQuery = (
           required: Boolean(credentialSet.required),
         }));
 
-      const [keyTag, credential] = credentialsSdJwtByVct[vct]!;
+      const [cryptoContext, credential] = credentialsSdJwtByVct[vct]!;
       const requiredDisclosures = Object.values(claims) as Disclosure[];
       return {
         id,
         vct,
-        keyTag,
+        cryptoContext,
         credential,
         requiredDisclosures,
         // When it is a match but no credential_sets are found, the credential is required by default
@@ -185,14 +185,13 @@ export const prepareRemotePresentations: PrepareRemotePresentations = async (
       const { vp_token } = await prepareVpToken(nonce, clientId, [
         item.credential,
         item.requestedClaims,
-        createCryptoContextFor(item.keyTag),
+        item.cryptoContext,
       ]);
 
       return {
         credentialId: item.id,
         requestedClaims: item.requestedClaims,
         vpToken: vp_token,
-        format: "vc+sd-jwt",
       };
     })
   );

package/src/credential/presentation/07-evaluate-input-descriptor.ts

@@ -1,10 +1,10 @@
 import { InputDescriptor, type LegacyRemotePresentation } from "./types";
 import { SdJwt4VC, type DisclosureWithEncoded } from "../../sd-jwt/types";
 import { decode, prepareVpToken } from "../../sd-jwt";
-import { createCryptoContextFor } from "../../utils/crypto";
 import { JSONPath } from "jsonpath-plus";
 import { CredentialsNotFoundError, MissingDataError } from "./errors";
 import Ajv from "ajv";
+import type { CryptoContext } from "@pagopa/io-react-native-jwt";
 
 const ajv = new Ajv({ allErrors: true });
 const INDEX_CLAIM_NAME = 1;
@@ -23,13 +23,16 @@ export type EvaluateInputDescriptorSdJwt4VC = (
 
 export type EvaluateInputDescriptors = (
   descriptors: InputDescriptor[],
-  credentialsSdJwt: [string /* keyTag */, string /* credential */][]
+  credentialsSdJwt: [
+    CryptoContext /* cryptoContext */,
+    string /* credential */,
+  ][]
 ) => Promise<
   {
     evaluatedDisclosure: EvaluatedDisclosures;
     inputDescriptor: InputDescriptor;
     credential: string;
-    keyTag: string;
+    cryptoContext: CryptoContext;
   }[]
 >;
 
@@ -41,7 +44,7 @@ export type PrepareLegacyRemotePresentations = (
     requestedClaims: string[];
     inputDescriptor: InputDescriptor;
     credential: string;
-    keyTag: string;
+    cryptoContext: CryptoContext;
   }[],
   nonce: string,
   client_id: string
@@ -247,7 +250,7 @@ export const evaluateInputDescriptorForSdJwt4VC: EvaluateInputDescriptorSdJwt4VC
   };
 
 type DecodedCredentialSdJwt = {
-  keyTag: string;
+  cryptoContext: CryptoContext;
   credential: string;
   sdJwt: SdJwt4VC;
   disclosures: DisclosureWithEncoded[];
@@ -264,11 +267,11 @@ export const findCredentialSdJwt = (
   decodedSdJwtCredentials: DecodedCredentialSdJwt[]
 ): {
   matchedEvaluation: EvaluatedDisclosures;
-  matchedKeyTag: string;
   matchedCredential: string;
+  cryptoContext: CryptoContext;
 } => {
   for (const {
-    keyTag,
+    cryptoContext,
     credential,
     sdJwt,
     disclosures,
@@ -282,7 +285,7 @@ export const findCredentialSdJwt = (
 
       return {
         matchedEvaluation: evaluatedDisclosure,
-        matchedKeyTag: keyTag,
+        cryptoContext,
         matchedCredential: credential,
       };
     } catch {
@@ -319,14 +322,14 @@ export const evaluateInputDescriptors: EvaluateInputDescriptors = async (
 ) => {
   // We need decode SD-JWT credentials for evaluation
   const decodedSdJwtCredentials =
-    credentialsSdJwt?.map(([keyTag, credential]) => {
+    credentialsSdJwt?.map(([cryptoContext, credential]) => {
       const { sdJwt, disclosures } = decode(credential);
-      return { keyTag, credential, sdJwt, disclosures };
+      return { cryptoContext, credential, sdJwt, disclosures };
     }) || [];
 
   return Promise.all(
     inputDescriptors.map(async (descriptor) => {
-      if (descriptor.format?.["vc+sd-jwt"]) {
+      if (descriptor.format?.["dc+sd-jwt"]) {
         if (!decodedSdJwtCredentials.length) {
           throw new CredentialsNotFoundError([
             {
@@ -336,14 +339,14 @@ export const evaluateInputDescriptors: EvaluateInputDescriptors = async (
           ]);
         }
 
-        const { matchedEvaluation, matchedKeyTag, matchedCredential } =
+        const { matchedEvaluation, cryptoContext, matchedCredential } =
           findCredentialSdJwt(descriptor, decodedSdJwtCredentials);
 
         return {
           evaluatedDisclosure: matchedEvaluation,
           inputDescriptor: descriptor,
           credential: matchedCredential,
-          keyTag: matchedKeyTag,
+          cryptoContext,
         };
       }
 
@@ -379,18 +382,18 @@ export const prepareLegacyRemotePresentations: PrepareLegacyRemotePresentations
       credentialAndDescriptors.map(async (item) => {
         const descriptor = item.inputDescriptor;
 
-        if (descriptor.format?.["vc+sd-jwt"]) {
+        if (descriptor.format?.["dc+sd-jwt"]) {
           const { vp_token } = await prepareVpToken(nonce, client_id, [
             item.credential,
             item.requestedClaims,
-            createCryptoContextFor(item.keyTag),
+            item.cryptoContext,
           ]);
 
           return {
             requestedClaims: item.requestedClaims,
             inputDescriptor: descriptor,
             vpToken: vp_token,
-            format: "vc+sd-jwt",
+            format: "dc+sd-jwt",
           };
         }
 

package/src/credential/presentation/types.ts

@@ -30,7 +30,6 @@ export type LegacyRemotePresentation = {
 export type RemotePresentation = {
   requestedClaims: string[];
   credentialId: string;
-  format: string;
   vpToken: string;
 };
 
@@ -97,7 +96,7 @@ export const RequestObject = z.object({
   state: z.string().optional(),
   nonce: z.string(),
   response_uri: z.string(),
-  response_uri_method: z.string().optional(),
+  request_uri_method: z.string().optional(),
   response_type: z.literal("vp_token"),
   response_mode: z.literal("direct_post.jwt"),
   client_id: z.string(),

package/src/credential/status/README.md

@@ -60,7 +60,6 @@ const { parsedStatusAttestation } =
 return {
   statusAttestation: res.statusAttestation,
   parsedStatusAttestation,
-  credentialType,
 };
 ```
 

package/src/sd-jwt/__test__/index.test.ts

@@ -3,39 +3,14 @@ import { decode, disclose } from "../index";
 
 import { encodeBase64, decodeBase64 } from "@pagopa/io-react-native-jwt";
 import { SdJwt4VC } from "../types";
+import { pid } from "../__mocks__/sd-jwt";
 
-// Examples from https://www.ietf.org/archive/id/draft-terbu-sd-jwt-vc-02.html#name-example-4
-// but adapted to adhere to format declared in https://italia.github.io/eudi-wallet-it-docs/versione-corrente/en/pid-eaa-data-model.html#id2
-// In short, the token is a Frankenstein composed as follows:
-//  - the header is taken from the italian specification, with kid and alg valued according to the signing keys
-//  - disclosures are taken from the SD-JWT-4-VC standard
-//  - payload is taken from the italian specification, but _sd are compiled with:
-//    - "address" is used as verification._sd
-//    - all others disclosures are in claims._sd
-const token =
-  "eyJraWQiOiItRl82VWdhOG4zVmVnalkyVTdZVUhLMXpMb2FELU5QVGM2M1JNSVNuTGF3IiwidHlwIjoidmMrc2Qtand0IiwiYWxnIjoiRVMyNTYifQ.eyJfc2QiOlsiMHExRDVKbWF2NnBRYUVoX0pfRmN2X3VOTk1RSWdDeWhRT3hxbFk0bDNxVSIsIktDSi1BVk52ODhkLXhqNnNVSUFPSnhGbmJVaDNySFhES2tJSDFsRnFiUnMiLCJNOWxvOVl4RE5JWHJBcTJxV2VpQ0E0MHpwSl96WWZGZFJfNEFFQUxjUnRVIiwiY3pnalVrMG5xUkNzd1NoQ2hDamRTNkExLXY0N2RfcVRDU0ZJdklIaE1vSSIsIm5HblFyN2NsbTN0ZlRwOHlqTF91SHJEU090elIyUFZiOFM3R2VMZEFxQlEiLCJ4TklWd2xwU3NhWjhDSlNmMGd6NXhfNzVWUldXYzZWMW1scGVqZENycVVzIl0sInN1YiI6IjIxNmY4OTQ2LTllY2ItNDgxOS05MzA5LWMwNzZmMzRhN2UxMSIsIl9zZF9hbGciOiJzaGEtMjU2IiwidmN0IjoiUGVyc29uSWRlbnRpZmljYXRpb25EYXRhIiwiaXNzIjoiaHR0cHM6Ly9wcmUuZWlkLndhbGxldC5pcHpzLml0IiwiY25mIjp7Imp3ayI6eyJrdHkiOiJFQyIsImNydiI6IlAtMjU2Iiwia2lkIjoiUnYzVy1FaUtwdkJUeWs1eVp4dnJldi03TURCNlNselVDQm9fQ1FqamRkVSIsIngiOiIwV294N1F0eVBxQnlnMzVNSF9YeUNjbmQ1TGUtSm0wQVhIbFVnREJBMDNZIiwieSI6ImVFaFZ2ZzFKUHFOZDNEVFNhNG1HREdCbHdZNk5QLUVaYkxiTkZYU1h3SWcifX0sImV4cCI6MTc1MTU0NjU3Niwic3RhdHVzIjp7InN0YXR1c19hdHRlc3RhdGlvbiI6eyJjcmVkZW50aWFsX2hhc2hfYWxnIjoic2hhLTI1NiJ9fX0.qXHA2oqr8trX4fGxpxpUft2GX380TM3pzfo1MYAsDjUC8HsODA-4rdRWAvDe2zYP57x4tJU7eiABkd1Kmln9yQ~WyJrSkRFUDhFYU5URU1CRE9aelp6VDR3IiwidW5pcXVlX2lkIiwiVElOSVQtTFZMREFBODVUNTBHNzAyQiJd~WyJ6SUF5VUZ2UGZJcEUxekJxeEk1aGFRIiwiYmlydGhfZGF0ZSIsIjE5ODUtMTItMTAiXQ~WyJHcjNSM3MyOTBPa1FVbS1ORlR1OTZBIiwidGF4X2lkX2NvZGUiLCJUSU5JVC1MVkxEQUE4NVQ1MEc3MDJCIl0~WyJHeE9SYWxNQWVsZlowZWRGSmpqWVV3IiwiZ2l2ZW5fbmFtZSIsIkFkYSJd~WyJfdlY1UklrbDBJT0VYS290czlrdDF3IiwiZmFtaWx5X25hbWUiLCJMb3ZlbGFjZSJd~WyJDajV0Y2NSNzJKd3J6ZTJUVzRhLXdnIiwiaWF0IiwxNzIwMDEwNTc1XQ";
-
-const unsigned =
-  "eyJraWQiOiItRl82VWdhOG4zVmVnalkyVTdZVUhLMXpMb2FELU5QVGM2M1JNSVNuTGF3IiwidHlwIjoidmMrc2Qtand0IiwiYWxnIjoiRVMyNTYifQ.eyJfc2QiOlsiMHExRDVKbWF2NnBRYUVoX0pfRmN2X3VOTk1RSWdDeWhRT3hxbFk0bDNxVSIsIktDSi1BVk52ODhkLXhqNnNVSUFPSnhGbmJVaDNySFhES2tJSDFsRnFiUnMiLCJNOWxvOVl4RE5JWHJBcTJxV2VpQ0E0MHpwSl96WWZGZFJfNEFFQUxjUnRVIiwiY3pnalVrMG5xUkNzd1NoQ2hDamRTNkExLXY0N2RfcVRDU0ZJdklIaE1vSSIsIm5HblFyN2NsbTN0ZlRwOHlqTF91SHJEU090elIyUFZiOFM3R2VMZEFxQlEiLCJ4TklWd2xwU3NhWjhDSlNmMGd6NXhfNzVWUldXYzZWMW1scGVqZENycVVzIl0sInN1YiI6IjIxNmY4OTQ2LTllY2ItNDgxOS05MzA5LWMwNzZmMzRhN2UxMSIsIl9zZF9hbGciOiJzaGEtMjU2IiwidmN0IjoiUGVyc29uSWRlbnRpZmljYXRpb25EYXRhIiwiaXNzIjoiaHR0cHM6Ly9wcmUuZWlkLndhbGxldC5pcHpzLml0IiwiY25mIjp7Imp3ayI6eyJrdHkiOiJFQyIsImNydiI6IlAtMjU2Iiwia2lkIjoiUnYzVy1FaUtwdkJUeWs1eVp4dnJldi03TURCNlNselVDQm9fQ1FqamRkVSIsIngiOiIwV294N1F0eVBxQnlnMzVNSF9YeUNjbmQ1TGUtSm0wQVhIbFVnREJBMDNZIiwieSI6ImVFaFZ2ZzFKUHFOZDNEVFNhNG1HREdCbHdZNk5QLUVaYkxiTkZYU1h3SWcifX0sImV4cCI6MTc1MTU0NjU3Niwic3RhdHVzIjp7InN0YXR1c19hdHRlc3RhdGlvbiI6eyJjcmVkZW50aWFsX2hhc2hfYWxnIjoic2hhLTI1NiJ9fX0";
-
-const signature =
-  "qXHA2oqr8trX4fGxpxpUft2GX380TM3pzfo1MYAsDjUC8HsODA-4rdRWAvDe2zYP57x4tJU7eiABkd1Kmln9yQ";
-
-const signed = `${unsigned}.${signature}`;
-
-const tokenizedDisclosures = [
-  "WyJrSkRFUDhFYU5URU1CRE9aelp6VDR3IiwidW5pcXVlX2lkIiwiVElOSVQtTFZMREFBODVUNTBHNzAyQiJd",
-  "WyJ6SUF5VUZ2UGZJcEUxekJxeEk1aGFRIiwiYmlydGhfZGF0ZSIsIjE5ODUtMTItMTAiXQ",
-  "WyJHcjNSM3MyOTBPa1FVbS1ORlR1OTZBIiwidGF4X2lkX2NvZGUiLCJUSU5JVC1MVkxEQUE4NVQ1MEc3MDJCIl0",
-  "WyJHeE9SYWxNQWVsZlowZWRGSmpqWVV3IiwiZ2l2ZW5fbmFtZSIsIkFkYSJd",
-  "WyJfdlY1UklrbDBJT0VYS290czlrdDF3IiwiZmFtaWx5X25hbWUiLCJMb3ZlbGFjZSJd",
-  "WyJDajV0Y2NSNzJKd3J6ZTJUVzRhLXdnIiwiaWF0IiwxNzIwMDEwNTc1XQ",
-];
+const { token, signed, tokenizedDisclosures } = pid;
 
 const sdJwt = {
   header: {
     kid: "-F_6Uga8n3VegjY2U7YUHK1zLoaD-NPTc63RMISnLaw",
-    typ: "vc+sd-jwt",
+    typ: "dc+sd-jwt",
     alg: "ES256",
   },
   payload: {
@@ -50,7 +25,11 @@ const sdJwt = {
     sub: "216f8946-9ecb-4819-9309-c076f34a7e11",
     _sd_alg: "sha-256",
     vct: "PersonIdentificationData",
+    "vct#integrity":
+      "13e25888ac7b8a3a6d61440da787fccc81654e61085732bcacd89b36aec32675",
     iss: "https://pre.eid.wallet.ipzs.it",
+    issuing_country: "IT",
+    issuing_authority: "Istituto Poligrafico e Zecca dello Stato",
     cnf: {
       jwk: {
         kty: "EC",
@@ -62,7 +41,7 @@ const sdJwt = {
     },
     exp: 1751546576,
     status: {
-      status_attestation: {
+      status_assertion: {
         credential_hash_alg: "sha-256",
       },
     },

package/src/sd-jwt/__test__/types.test.ts

@@ -5,7 +5,7 @@ describe("SdJwt4VC", () => {
     // example provided at https://italia.github.io/eidas-it-wallet-docs/en/pid-data-model.html
     const token = {
       header: {
-        typ: "vc+sd-jwt",
+        typ: "dc+sd-jwt",
         alg: "RS512",
         kid: "dB67gL7ck3TFiIAf7N6_7SHvqk0MDYMEQcoGGlkUAAw",
       },
@@ -21,7 +21,11 @@ describe("SdJwt4VC", () => {
         sub: "216f8946-9ecb-4819-9309-c076f34a7e11",
         _sd_alg: "sha-256",
         vct: "PersonIdentificationData",
+        "vct#integrity":
+          "13e25888ac7b8a3a6d61440da787fccc81654e61085732bcacd89b36aec32675",
         iss: "https://pidprovider.example.com",
+        issuing_country: "IT",
+        issuing_authority: "Istituto Poligrafico e Zecca dello Stato",
         cnf: {
           jwk: {
             kty: "EC",
@@ -33,7 +37,7 @@ describe("SdJwt4VC", () => {
         },
         exp: 1751107255,
         status: {
-          status_attestation: {
+          status_assertion: {
             credential_hash_alg: "sha-256",
           },
         },