@pagopa/io-react-native-wallet 2.0.0-next.2 → 2.0.0-next.4

package/src/sd-jwt/__test__/utils.test.ts

@@ -0,0 +1,37 @@
+import { getVerification } from "..";
+import { pid } from "../__mocks__/sd-jwt";
+
+const { signed, token } = pid;
+
+describe("SD-JWT getVerification", () => {
+  it("extracts the verification claims correctly", () => {
+    const disclosure =
+      "WyJxTGxVdkNKY3hwX3d4MVY5dHFPbFFRIiwidmVyaWZpY2F0aW9uIix7ImV2aWRlbmNlIjpbeyJhdHRlc3RhdGlvbiI6eyJkYXRlX29mX2lzc3VhbmNlIjoiMjAyNS0wNi0yMyIsInZvdWNoZXIiOnsib3JnYW5pemF0aW9uIjoiTWluaXN0ZXJvIGRlbGwnSW50ZXJubyJ9LCJ0eXBlIjoiZGlnaXRhbF9hdHRlc3RhdGlvbiIsInJlZmVyZW5jZV9udW1iZXIiOiIxMjM0NTY3ODkifSwidGltZSI6IjIwMjUtMDYtMjNUMTM6MTQ6MjVaIiwidHlwZSI6InZvdWNoIn1dLCJ0cnVzdF9mcmFtZXdvcmsiOiJpdF9jaWUiLCJhc3N1cmFuY2VfbGV2ZWwiOiJoaWdoIn1d";
+    expect(getVerification(`${signed}~${disclosure}`)).toEqual({
+      evidence: [
+        {
+          attestation: {
+            date_of_issuance: "2025-06-23",
+            voucher: { organization: "Ministero dell'Interno" },
+            type: "digital_attestation",
+            reference_number: "123456789",
+          },
+          time: "2025-06-23T13:14:25Z",
+          type: "vouch",
+        },
+      ],
+      trust_framework: "it_cie",
+      assurance_level: "high",
+    });
+  });
+
+  it("returns undefined when the verification claim is not found", () => {
+    expect(getVerification(token)).toBeUndefined();
+  });
+
+  it("throws when the verification claim is invalid", () => {
+    const disclosure =
+      "WyJxTGxVdkNKY3hwX3d4MVY5dHFPbFFRIiwidmVyaWZpY2F0aW9uIix7InRydXN0X2ZyYW1ld29yayI6ICJpdF9jaWUiLCJhc3N1cmFuY2VfbGV2ZWwiOiAic3Vic3RhbnRpYWwifV0";
+    expect(() => getVerification(`${signed}~${disclosure}`)).toThrow();
+  });
+});

package/src/sd-jwt/index.ts

@@ -10,6 +10,8 @@ import * as Errors from "./errors";
 import { Base64 } from "js-base64";
 import { type Presentation } from "../credential/presentation/types";
 
+export * from "./utils";
+
 const decodeDisclosure = (encoded: string): DisclosureWithEncoded => {
   const utf8String = Base64.decode(encoded); // Decode Base64 into UTF-8 string
   const decoded = Disclosure.parse(JSON.parse(utf8String));
@@ -108,7 +110,11 @@ export const disclose = async (
     })
   );
 
-  const filteredDisclosures = rawDisclosures.filter((d) => {
+  // The disclosures in the new SD-JWT aligned with version 1.0
+  // include a trailing "~" character.
+  // To avoid parsing errors, it is necessary to filter the array
+  // to remove any empty strings
+  const filteredDisclosures = rawDisclosures.filter(Boolean).filter((d) => {
     const {
       decoded: [, name],
     } = decodeDisclosure(d);

package/src/sd-jwt/types.ts

@@ -33,12 +33,23 @@ export type DisclosureWithEncoded = {
   encoded: string;
 };
 
+const StatusAssertion = z.object({
+  credential_hash_alg: z.literal("sha-256"),
+});
+
+/**
+ * Type for a Verifiable Credential in SD-JWT format.
+ * It supports both the older and the new data model for backward compatibility.
+ */
 export type SdJwt4VC = z.infer<typeof SdJwt4VC>;
 export const SdJwt4VC = z.object({
   header: z.object({
-    typ: z.literal("vc+sd-jwt"),
+    typ: z.enum(["vc+sd-jwt", "dc+sd-jwt"]),
     alg: z.string(),
-    kid: z.string().optional(),
+    kid: z.string(),
+    trust_chain: z.array(z.string()).optional(),
+    x5c: z.array(z.string()).optional(),
+    vctm: z.array(z.string()).optional(),
   }),
   payload: z.intersection(
     z.object({
@@ -47,16 +58,66 @@ export const SdJwt4VC = z.object({
       iat: UnixTime.optional(),
       exp: UnixTime,
       _sd_alg: z.literal("sha-256"),
-      status: z.object({
-        status_attestation: z.object({
-          credential_hash_alg: z.literal("sha-256"),
-        }),
-      }),
+      status: z
+        .union([
+          // Credentials v1.0
+          z.object({ status_assertion: StatusAssertion }),
+          // Credentials v0.7.1
+          z.object({ status_attestation: StatusAssertion }),
+        ])
+        .optional(),
       cnf: z.object({
         jwk: JWK,
       }),
       vct: z.string(),
+      "vct#integrity": z.string().optional(),
+      issuing_authority: z.string().optional(),
+      issuing_country: z.string().optional(),
     }),
     ObfuscatedDisclosures
   ),
 });
+
+/**
+ * Object containing User authentication and User data verification information.
+ * Useful to extract the assurance level to determine L2/L3 authentication.
+ */
+export type Verification = z.infer<typeof Verification>;
+export const Verification = z.object({
+  trust_framework: z.string(),
+  assurance_level: z.string(),
+  evidence: z.array(
+    z.object({
+      type: z.literal("vouch"),
+      time: z.string(),
+      attestation: z.object({
+        type: z.literal("digital_attestation"),
+        reference_number: z.string(),
+        date_of_issuance: z.string(),
+        voucher: z.object({ organization: z.string() }),
+      }),
+    })
+  ),
+});
+
+/**
+ * Metadata for a digital credential. This information is retrieved from the URL defined in the `vct` claim.
+ *
+ * @see https://italia.github.io/eid-wallet-it-docs/v0.9.1/en/pid-eaa-data-model.html#digital-credential-metadata-type
+ */
+export type TypeMetadata = z.infer<typeof TypeMetadata>;
+export const TypeMetadata = z.object({
+  name: z.string(),
+  description: z.string(),
+  data_source: z.object({
+    trust_framework: z.string(),
+    authentic_source: z.object({
+      organization_name: z.string(),
+      organization_code: z.string(),
+      contacts: z.array(z.string()),
+      homepage_uri: z.string().url(),
+      logo_uri: z.string().url(),
+    }),
+  }),
+  // TODO: add more fields
+});

package/src/sd-jwt/utils.ts

@@ -0,0 +1,73 @@
+import { sha256ToBase64 } from "@pagopa/io-react-native-jwt";
+import { hasStatusOrThrow } from "../utils/misc";
+import { TypeMetadata, Verification } from "./types";
+import {
+  IoWalletError,
+  IssuerResponseError,
+  ValidationFailed,
+} from "../utils/errors";
+import { decode } from ".";
+import { getValueFromDisclosures } from "./converters";
+
+/**
+ * Retrieve the Type Metadata for a credential and verify its integrity.
+ * @param vct The VCT as a valid HTTPS url
+ * @param vctIntegrity The integrity hash
+ * @param context.appFetch (optional) fetch api implementation. Default: built-in fetch
+ * @returns The credential metadata {@link TypeMetadata}
+ */
+export const fetchTypeMetadata = async (
+  vct: string,
+  vctIntegrity: string,
+  context: {
+    appFetch?: GlobalFetch["fetch"];
+  } = {}
+): Promise<TypeMetadata> => {
+  const { appFetch = fetch } = context;
+  const { origin, pathname } = new URL(vct);
+
+  const metadata = await appFetch(`${origin}/.well-known/vct${pathname}`, {
+    headers: {
+      "Content-Type": "application/json",
+    },
+  })
+    .then(hasStatusOrThrow(200, IssuerResponseError))
+    .then((res) => res.json())
+    .then(TypeMetadata.parse);
+
+  const [alg, hash] = vctIntegrity.split(/-(.*)/s);
+
+  if (alg !== "sha256") {
+    throw new IoWalletError(`${alg} algorithm is not supported`);
+  }
+
+  // TODO: [SIW-2264] check if the hash is correctly calculated
+  const metadataHash = await sha256ToBase64(JSON.stringify(metadata));
+
+  if (metadataHash !== hash) {
+    throw new ValidationFailed({
+      message: "Unable to verify VCT integrity",
+      reason: "vct#integrity does not match the metadata hash",
+    });
+  }
+
+  return metadata;
+};
+
+/**
+ * Extract and validate the `verification` claim from disclosures.
+ * @param credentialSdJwt The raw credential SD-JWT
+ * @returns The verification claim or undefined if it wasn't found
+ */
+export const getVerification = (
+  credentialSdJwt: string
+): Verification | undefined => {
+  const { disclosures } = decode(credentialSdJwt);
+  const verificationDisclosure = getValueFromDisclosures(
+    disclosures.map((d) => d.decoded),
+    "verification"
+  );
+  return verificationDisclosure
+    ? Verification.parse(verificationDisclosure)
+    : undefined;
+};

package/src/trust/types.ts

@@ -37,12 +37,10 @@ const CredentialIssuerDisplayMetadata = z.object({
 });
 
 type ClaimsMetadata = z.infer<typeof ClaimsMetadata>;
-const ClaimsMetadata = z.record(
-  z.object({
-    value_type: z.string(),
-    display: z.array(z.object({ name: z.string(), locale: z.string() })),
-  })
-);
+const ClaimsMetadata = z.object({
+  path: z.array(z.string()),
+  display: z.array(CredentialDisplayMetadata),
+});
 
 type IssuanceErrorSupported = z.infer<typeof IssuanceErrorSupported>;
 const IssuanceErrorSupported = z.object({
@@ -57,16 +55,21 @@ const IssuanceErrorSupported = z.object({
 
 // Metadata for a credential which is supported by an Issuer
 type SupportedCredentialMetadata = z.infer<typeof SupportedCredentialMetadata>;
-const SupportedCredentialMetadata = z.object({
-  format: z.union([z.literal("vc+sd-jwt"), z.literal("vc+mdoc-cbor")]),
-  scope: z.string(),
-  display: z.array(CredentialDisplayMetadata),
-  claims: ClaimsMetadata,
-  cryptographic_binding_methods_supported: z.array(z.string()),
-  credential_signing_alg_values_supported: z.array(z.string()),
-  authentic_source: z.string().optional(),
-  issuance_errors_supported: z.record(IssuanceErrorSupported).optional(),
-});
+const SupportedCredentialMetadata = z.intersection(
+  z.discriminatedUnion("format", [
+    z.object({ format: z.literal("dc+sd-jwt"), vct: z.string() }),
+    z.object({ format: z.literal("mso_mdoc"), doctype: z.string() }),
+  ]),
+  z.object({
+    scope: z.string(),
+    display: z.array(CredentialDisplayMetadata),
+    claims: z.array(ClaimsMetadata),
+    cryptographic_binding_methods_supported: z.array(z.string()),
+    credential_signing_alg_values_supported: z.array(z.string()),
+    authentic_source: z.string().optional(),
+    issuance_errors_supported: z.record(IssuanceErrorSupported).optional(),
+  })
+);
 
 export type EntityStatement = z.infer<typeof EntityStatement>;
 export const EntityStatement = z.object({
@@ -155,13 +158,16 @@ export const CredentialIssuerEntityConfiguration = BaseEntityConfiguration.and(
         openid_credential_issuer: z.object({
           credential_issuer: z.string(),
           credential_endpoint: z.string(),
-          revocation_endpoint: z.string(),
+          revocation_endpoint: z.string().optional(),
+          nonce_endpoint: z.string(),
           status_attestation_endpoint: z.string(),
           display: z.array(CredentialIssuerDisplayMetadata),
           credential_configurations_supported: z.record(
             SupportedCredentialMetadata
           ),
           jwks: z.object({ keys: z.array(JWK) }),
+          trust_frameworks_supported: z.array(z.string()),
+          evidence_supported: z.array(z.string()),
         }),
         oauth_authorization_server: z.object({
           authorization_endpoint: z.string(),

package/src/utils/par.ts

@@ -13,14 +13,31 @@ import { LogLevel, Logger } from "./logging";
 
 export type AuthorizationDetail = z.infer<typeof AuthorizationDetail>;
 export const AuthorizationDetail = z.object({
-  credential_configuration_id: z.string(),
-  format: z.union([z.literal("vc+sd-jwt"), z.literal("vc+mdoc-cbor")]),
   type: z.literal("openid_credential"),
+  credential_configuration_id: z.string(),
 });
 
 export type AuthorizationDetails = z.infer<typeof AuthorizationDetails>;
 export const AuthorizationDetails = z.array(AuthorizationDetail);
 
+export type ParResponse = z.infer<typeof ParResponse>;
+export const ParResponse = z.object({
+  request_uri: z.string(),
+  expires_in: z.number(),
+});
+
+type AuthDetailsOrScope =
+  | { authorizationDetails: AuthorizationDetails; scope?: string }
+  | { authorizationDetails?: AuthorizationDetails; scope: string };
+
+type ParRequestPayload = {
+  clientId: string;
+  codeVerifier: string;
+  redirectUri: string;
+  responseMode: string;
+  aud: string;
+} & AuthDetailsOrScope;
+
 /**
  * Make a PAR request to the issuer and return the response url
  */
@@ -33,20 +50,20 @@ export const makeParRequest =
     appFetch: GlobalFetch["fetch"];
   }) =>
   async (
-    clientId: string,
-    codeVerifier: string,
-    redirectUri: string,
-    responseMode: string,
     parEndpoint: string,
     walletInstanceAttestation: string,
-    authorizationDetails: AuthorizationDetails,
-    assertionType: string
+    {
+      codeVerifier,
+      responseMode,
+      clientId,
+      redirectUri,
+      authorizationDetails,
+      scope,
+      aud,
+    }: ParRequestPayload
   ): Promise<string> => {
     const wiaPublicKey = await wiaCryptoContext.getPublicKey();
 
-    const parUrl = new URL(parEndpoint);
-    const aud = `${parUrl.protocol}//${parUrl.hostname}`;
-
     const iss = WalletInstanceAttestation.decode(walletInstanceAttestation)
       .payload.cnf.jwk.kid;
 
@@ -71,7 +88,7 @@ export const makeParRequest =
         The key is matched by its kid */
     const signedJwtForPar = await new SignJWT(wiaCryptoContext)
       .setProtectedHeader({
-        typ: "jwk",
+        typ: "jwt",
         kid: wiaPublicKey.kid,
       })
       .setPayload({
@@ -84,24 +101,20 @@ export const makeParRequest =
         state: generateRandomAlphaNumericString(32),
         code_challenge: codeChallenge,
         code_challenge_method: codeChallengeMethod,
-        authorization_details: authorizationDetails,
         redirect_uri: redirectUri,
-        client_assertion_type: assertionType,
-        client_assertion: walletInstanceAttestation + "~" + signedWiaPoP,
+        ...(authorizationDetails && {
+          authorization_details: authorizationDetails,
+        }),
+        ...(scope && { scope }),
       })
-      .setIssuedAt() //iat is set to now
+      .setIssuedAt() // iat is set to now
       .setExpirationTime("5min")
       .sign();
 
     /** The request body for the Pushed Authorization Request */
     var formBody = new URLSearchParams({
-      response_type: "code",
       client_id: clientId,
-      code_challenge: codeChallenge,
-      code_challenge_method: "S256",
       request: signedJwtForPar,
-      client_assertion_type: assertionType,
-      client_assertion: walletInstanceAttestation + "~" + signedWiaPoP,
     });
 
     Logger.log(
@@ -113,10 +126,13 @@ export const makeParRequest =
       method: "POST",
       headers: {
         "Content-Type": "application/x-www-form-urlencoded",
+        "OAuth-Client-Attestation": walletInstanceAttestation,
+        "OAuth-Client-Attestation-PoP": signedWiaPoP,
       },
       body: formBody.toString(),
     })
       .then(hasStatusOrThrow(201, IssuerResponseError))
       .then((res) => res.json())
+      .then(ParResponse.parse)
       .then((result) => result.request_uri);
   };

package/src/utils/pop.ts

@@ -18,7 +18,7 @@ export const createPopToken = async (
   return new SignJWT(crypto)
     .setPayload(payload)
     .setProtectedHeader({
-      typ: "jwt-client-attestation-pop",
+      typ: "oauth-client-attestation-pop+jwt",
       kid,
     })
     .setIssuedAt()

package/src/wallet-instance-attestation/types.ts

@@ -48,6 +48,8 @@ export const WalletInstanceAttestationRequestJwt = z.object({
   ),
 });
 
+// TODO: [SIW-2089] add type for Wallet Attestation in SD-JWT and MDOC format
+// See https://italia.github.io/eid-wallet-it-docs/versione-corrente/en/wallet-solution.html#wallet-attestation-issuance step 18
 export type WalletInstanceAttestationJwt = z.infer<
   typeof WalletInstanceAttestationJwt
 >;
@@ -56,7 +58,7 @@ export const WalletInstanceAttestationJwt = z.object({
     Jwt.shape.header,
     z.object({
       typ: z.literal("oauth-client-attestation+jwt"),
-      trust_chain: z.array(z.string()),
+      trust_chain: z.array(z.string()).optional(),
     })
   ),
   payload: z.intersection(