@pagopa/io-react-native-wallet 2.0.0-next.4 → 2.0.0-next.5

package/lib/module/credential/issuance/07-verify-and-parse-credential.js

@@ -1,8 +1,8 @@
 import { IoWalletError } from "../../utils/errors";
-import { SdJwt4VC } from "../../sd-jwt/types";
-import { verify as verifySdJwt } from "../../sd-jwt";
+import { SdJwt4VC, verify as verifySdJwt } from "../../sd-jwt";
 import { getValueFromDisclosures } from "../../sd-jwt/converters";
-import { LogLevel, Logger } from "../../utils/logging";
+import { isSameThumbprint } from "../../utils/jwk";
+import { Logger, LogLevel } from "../../utils/logging";
 
 // The credential as a collection of attributes in plain value
 
@@ -120,7 +120,7 @@ async function verifyCredentialSdJwt(rawCredential, issuerKeys, holderBindingCon
   const {
     cnf
   } = decodedCredential.sdJwt.payload;
-  if (!cnf.jwk.kid || cnf.jwk.kid !== holderBindingKey.kid) {
+  if (!(await isSameThumbprint(cnf.jwk, holderBindingKey))) {
     const message = `Failed to verify holder binding, expected kid: ${holderBindingKey.kid}, got: ${decodedCredential.sdJwt.payload.cnf.jwk.kid}`;
     Logger.log(LogLevel.ERROR, message);
     throw new IoWalletError(message);

package/lib/module/credential/issuance/07-verify-and-parse-credential.js.map

@@ -1 +1 @@
-{"version":3,"names":["IoWalletError","SdJwt4VC","verify","verifySdJwt","getValueFromDisclosures","LogLevel","Logger","parseCredentialSdJwt","credentialConfig","_ref","sdJwt","disclosures","ignoreMissingAttributes","arguments","length","undefined","includeUndefinedAttributes","format","header","typ","message","log","ERROR","claims","attrDefinitions","attrsNotInDisclosures","filter","definition","some","_ref2","name","path","missing","map","_","join","received","definedValues","Object","fromEntries","_ref3","_disclosures$find","value","find","_ref4","attrKey","display","reduce","names","_ref5","locale","undefinedValues","keys","includes","_ref6","key","verifyCredentialSdJwt","rawCredential","issuerKeys","holderBindingContext","decodedCredential","holderBindingKey","Promise","all","getPublicKey","cnf","payload","jwk","kid","verifyAndParseCredentialSdJwt","issuerConf","credential","credentialConfigurationId","_ref7","credentialCryptoContext","decoded","openid_credential_issuer","jwks","DEBUG","JSON","stringify","credential_configurations_supported","parsedCredential","maybeIssuedAt","expiration","Date","exp","issuedAt","verifyAndParseCredential","context","_issuerConf$openid_cr"],"sourceRoot":"../../../../src","sources":["credential/issuance/07-verify-and-parse-credential.ts"],"mappings":"AAGA,SAASA,aAAa,QAAQ,oBAAoB;AAClD,SAASC,QAAQ,QAAQ,oBAAoB;AAC7C,SAASC,MAAM,IAAIC,WAAW,QAAQ,cAAc;AACpD,SAASC,uBAAuB,QAAQ,yBAAyB;AAGjE,SAASC,QAAQ,EAAEC,MAAM,QAAQ,qBAAqB;;AA2BtD;;AAkBA;;AAKA,MAAMC,oBAAoB,GAAG,SAAAA,CAE3BC,gBAAgC,EAAAC,IAAA,EAIX;EAAA,IAHrB;IAAEC,KAAK;IAAEC;EAAoC,CAAC,GAAAF,IAAA;EAAA,IAC9CG,uBAAgC,GAAAC,SAAA,CAAAC,MAAA,QAAAD,SAAA,QAAAE,SAAA,GAAAF,SAAA,MAAG,KAAK;EAAA,IACxCG,0BAAmC,GAAAH,SAAA,CAAAC,MAAA,QAAAD,SAAA,QAAAE,SAAA,GAAAF,SAAA,MAAG,KAAK;EAE3C,IAAIL,gBAAgB,CAACS,MAAM,KAAKP,KAAK,CAACQ,MAAM,CAACC,GAAG,EAAE;IAChD,MAAMC,OAAO,GAAI,gEAA+DZ,gBAAgB,CAACS,MAAO,gBAAeP,KAAK,CAACQ,MAAM,CAACC,GAAI,GAAE;IAC1Ib,MAAM,CAACe,GAAG,CAAChB,QAAQ,CAACiB,KAAK,EAAEF,OAAO,CAAC;IACnC,MAAM,IAAIpB,aAAa,CAACoB,OAAO,CAAC;EAClC;EAEA,IAAI,CAACZ,gBAAgB,CAACe,MAAM,EAAE;IAC5BjB,MAAM,CAACe,GAAG,CAAChB,QAAQ,CAACiB,KAAK,EAAE,0CAA0C,CAAC;IACtE,MAAM,IAAItB,aAAa,CAAC,0CAA0C,CAAC,CAAC,CAAC;EACvE;;EACA,MAAMwB,eAAe,GAAGhB,gBAAgB,CAACe,MAAM;;EAE/C;EACA,MAAME,qBAAqB,GAAGD,eAAe,CAACE,MAAM,CACjDC,UAAU,IAAK,CAAChB,WAAW,CAACiB,IAAI,CAACC,KAAA;IAAA,IAAC,GAAGC,IAAI,CAAC,GAAAD,KAAA;IAAA,OAAKC,IAAI,KAAKH,UAAU,CAACI,IAAI,CAAC,CAAC,CAAC;EAAA,EAAC,CAAC;EAC/E,CAAC;;EACD,IAAIN,qBAAqB,CAACX,MAAM,GAAG,CAAC,EAAE;IACpC,MAAMkB,OAAO,GAAGP,qBAAqB,CAACQ,GAAG,CAAEC,CAAC,IAAKA,CAAC,CAACH,IAAI,CAAC,CAAC,CAAC,CAAC,CAACI,IAAI,CAAC,IAAI,CAAC;IACtE,MAAMC,QAAQ,GAAGzB,WAAW,CAACsB,GAAG,CAAEC,CAAC,IAAKA,CAAC,CAAC,CAAC,CAAC,WAAW,CAAC,CAACC,IAAI,CAAC,IAAI,CAAC;IACnE,IAAI,CAACvB,uBAAuB,EAAE;MAC5B,MAAMQ,OAAO,GAAI,4DAA2DY,OAAQ,iBAAgBI,QAAS,GAAE;MAC/G9B,MAAM,CAACe,GAAG,CAAChB,QAAQ,CAACiB,KAAK,EAAEF,OAAO,CAAC;MACnC,MAAM,IAAIpB,aAAa,CAACoB,OAAO,CAAC;IAClC;EACF;;EAEA;EACA;EACA,MAAMiB,aAAa,GAAGC,MAAM,CAACC,WAAW,CACtCf;EACE;EAAA,CACCS,GAAG,CACFO,KAAA;IAAA,IAAAC,iBAAA;IAAA,IAAC;MAAEV,IAAI;MAAE,GAAGJ;IAAW,CAAC,GAAAa,KAAA;IAAA,OACtB,CACET,IAAI,CAAC,CAAC,CAAC,EACP;MACE,GAAGJ,UAAU;MACbe,KAAK,GAAAD,iBAAA,GAAE9B,WAAW,CAACgC,IAAI,CACpBT,CAAC,IAAKA,CAAC,CAAC,CAAC,CAAC,WAAW,KAAKH,IAAI,CAAC,CAAC,CACnC,CAAC,cAAAU,iBAAA,uBAFMA,iBAAA,CAEH,CAAC,CAAC;IACR,CAAC,CACF;EAAA,CACL;EACA;EACA;EAAA,CACCR,GAAG,CACFW,KAAA;IAAA,IAAC,CAACC,OAAO,EAAE;MAAEC,OAAO;MAAE,GAAGnB;IAAW,CAAC,CAAC,GAAAiB,KAAA;IAAA,OACpC,CACEC,OAAO,EACP;MACE,GAAGlB,UAAU;MACbG,IAAI,EAAEgB,OAAO,CAACC,MAAM,CAClB,CAACC,KAAK,EAAAC,KAAA;QAAA,IAAE;UAAEC,MAAM;UAAEpB;QAAK,CAAC,GAAAmB,KAAA;QAAA,OAAM;UAAE,GAAGD,KAAK;UAAE,CAACE,MAAM,GAAGpB;QAAK,CAAC;MAAA,CAAC,EAC3D,CAAC,CACH;IACF,CAAC,CACF;EAAA,CACL,CACJ,CAAC;EAED,IAAId,0BAA0B,EAAE;IAC9B;IACA;IACA,MAAMmC,eAAe,GAAGb,MAAM,CAACC,WAAW,CACxC5B,WAAW,CACRe,MAAM,CAAEQ,CAAC,IAAK,CAACI,MAAM,CAACc,IAAI,CAACf,aAAa,CAAC,CAACgB,QAAQ,CAACnB,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CACzDD,GAAG,CAACqB,KAAA;MAAA,IAAC,GAAGC,GAAG,EAAEb,KAAK,CAAC,GAAAY,KAAA;MAAA,OAAK,CAACC,GAAG,EAAE;QAAEb,KAAK;QAAEZ,IAAI,EAAEyB;MAAI,CAAC,CAAC;IAAA,EACxD,CAAC;IACD,OAAO;MACL,GAAGlB,aAAa;MAChB,GAAGc;IACL,CAAC;EACH;EAEA,OAAOd,aAAa;AACtB,CAAC;;AAED;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,eAAemB,qBAAqBA,CAClCC,aAAqB,EACrBC,UAAiB,EACjBC,oBAAmC,EACF;EACjC,MAAM,CAACC,iBAAiB,EAAEC,gBAAgB,CAAC;EACzC;EACA,MAAMC,OAAO,CAACC,GAAG,CAAC,CAChB5D,WAAW,CAACsD,aAAa,EAAEC,UAAU,EAAEzD,QAAQ,CAAC,EAChD0D,oBAAoB,CAACK,YAAY,CAAC,CAAC,CACpC,CAAC;EAEJ,MAAM;IAAEC;EAAI,CAAC,GAAGL,iBAAiB,CAAClD,KAAK,CAACwD,OAAO;EAE/C,IAAI,CAACD,GAAG,CAACE,GAAG,CAACC,GAAG,IAAIH,GAAG,CAACE,GAAG,CAACC,GAAG,KAAKP,gBAAgB,CAACO,GAAG,EAAE;IACxD,MAAMhD,OAAO,GAAI,kDAAiDyC,gBAAgB,CAACO,GAAI,UAASR,iBAAiB,CAAClD,KAAK,CAACwD,OAAO,CAACD,GAAG,CAACE,GAAG,CAACC,GAAI,EAAC;IAC7I9D,MAAM,CAACe,GAAG,CAAChB,QAAQ,CAACiB,KAAK,EAAEF,OAAO,CAAC;IACnC,MAAM,IAAIpB,aAAa,CAACoB,OAAO,CAAC;EAClC;EAEA,OAAOwC,iBAAiB;AAC1B;AAEA,MAAMS,6BAAuD,GAAG,MAAAA,CAC9DC,UAAU,EACVC,UAAU,EACVC,yBAAyB,EAAAC,KAAA,KAMtB;EAAA,IALH;IACEC,uBAAuB;IACvB9D,uBAAuB;IACvBI;EACF,CAAC,GAAAyD,KAAA;EAED,MAAME,OAAO,GAAG,MAAMnB,qBAAqB,CACzCe,UAAU,EACVD,UAAU,CAACM,wBAAwB,CAACC,IAAI,CAACzB,IAAI,EAC7CsB,uBACF,CAAC;EAEDpE,MAAM,CAACe,GAAG,CAAChB,QAAQ,CAACyE,KAAK,EAAG,uBAAsBC,IAAI,CAACC,SAAS,CAACL,OAAO,CAAE,EAAC,CAAC;EAE5E,MAAMnE,gBAAgB,GACpB8D,UAAU,CAACM,wBAAwB,CAACK,mCAAmC,CACrET,yBAAyB,CAC1B;EAEH,IAAI,CAAChE,gBAAgB,EAAE;IACrBF,MAAM,CAACe,GAAG,CACRhB,QAAQ,CAACiB,KAAK,EACb,gDAA+CkD,yBAA0B,EAC5E,CAAC;IACD,MAAM,IAAIxE,aAAa,CAAC,6CAA6C,CAAC;EACxE;EAEA,MAAMkF,gBAAgB,GAAG3E,oBAAoB,CAC3CC,gBAAgB,EAChBmE,OAAO,EACP/D,uBAAuB,EACvBI,0BACF,CAAC;EACD,MAAMmE,aAAa,GAAG/E,uBAAuB,CAACuE,OAAO,CAAChE,WAAW,EAAE,KAAK,CAAC;EAEzEL,MAAM,CAACe,GAAG,CACRhB,QAAQ,CAACyE,KAAK,EACb,sBAAqBC,IAAI,CAACC,SAAS,CAACE,gBAAgB,CAAE,gBAAeC,aAAc,EACtF,CAAC;EAED,OAAO;IACLD,gBAAgB;IAChBE,UAAU,EAAE,IAAIC,IAAI,CAACV,OAAO,CAACjE,KAAK,CAACwD,OAAO,CAACoB,GAAG,GAAG,IAAI,CAAC;IACtDC,QAAQ,EACN,OAAOJ,aAAa,KAAK,QAAQ,GAC7B,IAAIE,IAAI,CAACF,aAAa,GAAG,IAAI,CAAC,GAC9BpE;EACR,CAAC;AACH,CAAC;;AAED;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,MAAMyE,wBAAkD,GAAG,MAAAA,CAChElB,UAAU,EACVC,UAAU,EACVC,yBAAyB,EACzBiB,OAAO,KACJ;EAAA,IAAAC,qBAAA;EACH,MAAMzE,MAAM,IAAAyE,qBAAA,GACVpB,UAAU,CAACM,wBAAwB,CAACK,mCAAmC,CACrET,yBAAyB,CAC1B,cAAAkB,qBAAA,uBAFDA,qBAAA,CAEGzE,MAAM;EAEX,IAAIA,MAAM,KAAK,WAAW,EAAE;IAC1BX,MAAM,CAACe,GAAG,CAAChB,QAAQ,CAACyE,KAAK,EAAE,wCAAwC,CAAC;IACpE,OAAOT,6BAA6B,CAClCC,UAAU,EACVC,UAAU,EACVC,yBAAyB,EACzBiB,OACF,CAAC;EACH;EAEA,MAAMrE,OAAO,GAAI,kCAAiCH,MAAO,EAAC;EAC1DX,MAAM,CAACe,GAAG,CAAChB,QAAQ,CAACiB,KAAK,EAAEF,OAAO,CAAC;EACnC,MAAM,IAAIpB,aAAa,CAACoB,OAAO,CAAC;AAClC,CAAC"}
+{"version":3,"names":["IoWalletError","SdJwt4VC","verify","verifySdJwt","getValueFromDisclosures","isSameThumbprint","Logger","LogLevel","parseCredentialSdJwt","credentialConfig","_ref","sdJwt","disclosures","ignoreMissingAttributes","arguments","length","undefined","includeUndefinedAttributes","format","header","typ","message","log","ERROR","claims","attrDefinitions","attrsNotInDisclosures","filter","definition","some","_ref2","name","path","missing","map","_","join","received","definedValues","Object","fromEntries","_ref3","_disclosures$find","value","find","_ref4","attrKey","display","reduce","names","_ref5","locale","undefinedValues","keys","includes","_ref6","key","verifyCredentialSdJwt","rawCredential","issuerKeys","holderBindingContext","decodedCredential","holderBindingKey","Promise","all","getPublicKey","cnf","payload","jwk","kid","verifyAndParseCredentialSdJwt","issuerConf","credential","credentialConfigurationId","_ref7","credentialCryptoContext","decoded","openid_credential_issuer","jwks","DEBUG","JSON","stringify","credential_configurations_supported","parsedCredential","maybeIssuedAt","expiration","Date","exp","issuedAt","verifyAndParseCredential","context","_issuerConf$openid_cr"],"sourceRoot":"../../../../src","sources":["credential/issuance/07-verify-and-parse-credential.ts"],"mappings":"AAGA,SAASA,aAAa,QAAQ,oBAAoB;AAClD,SAASC,QAAQ,EAAEC,MAAM,IAAIC,WAAW,QAAQ,cAAc;AAC9D,SAASC,uBAAuB,QAAQ,yBAAyB;AACjE,SAASC,gBAAgB,QAAkB,iBAAiB;AAE5D,SAASC,MAAM,EAAEC,QAAQ,QAAQ,qBAAqB;;AA2BtD;;AAkBA;;AAKA,MAAMC,oBAAoB,GAAG,SAAAA,CAE3BC,gBAAgC,EAAAC,IAAA,EAIX;EAAA,IAHrB;IAAEC,KAAK;IAAEC;EAAoC,CAAC,GAAAF,IAAA;EAAA,IAC9CG,uBAAgC,GAAAC,SAAA,CAAAC,MAAA,QAAAD,SAAA,QAAAE,SAAA,GAAAF,SAAA,MAAG,KAAK;EAAA,IACxCG,0BAAmC,GAAAH,SAAA,CAAAC,MAAA,QAAAD,SAAA,QAAAE,SAAA,GAAAF,SAAA,MAAG,KAAK;EAE3C,IAAIL,gBAAgB,CAACS,MAAM,KAAKP,KAAK,CAACQ,MAAM,CAACC,GAAG,EAAE;IAChD,MAAMC,OAAO,GAAI,gEAA+DZ,gBAAgB,CAACS,MAAO,gBAAeP,KAAK,CAACQ,MAAM,CAACC,GAAI,GAAE;IAC1Id,MAAM,CAACgB,GAAG,CAACf,QAAQ,CAACgB,KAAK,EAAEF,OAAO,CAAC;IACnC,MAAM,IAAIrB,aAAa,CAACqB,OAAO,CAAC;EAClC;EAEA,IAAI,CAACZ,gBAAgB,CAACe,MAAM,EAAE;IAC5BlB,MAAM,CAACgB,GAAG,CAACf,QAAQ,CAACgB,KAAK,EAAE,0CAA0C,CAAC;IACtE,MAAM,IAAIvB,aAAa,CAAC,0CAA0C,CAAC,CAAC,CAAC;EACvE;;EACA,MAAMyB,eAAe,GAAGhB,gBAAgB,CAACe,MAAM;;EAE/C;EACA,MAAME,qBAAqB,GAAGD,eAAe,CAACE,MAAM,CACjDC,UAAU,IAAK,CAAChB,WAAW,CAACiB,IAAI,CAACC,KAAA;IAAA,IAAC,GAAGC,IAAI,CAAC,GAAAD,KAAA;IAAA,OAAKC,IAAI,KAAKH,UAAU,CAACI,IAAI,CAAC,CAAC,CAAC;EAAA,EAAC,CAAC;EAC/E,CAAC;;EACD,IAAIN,qBAAqB,CAACX,MAAM,GAAG,CAAC,EAAE;IACpC,MAAMkB,OAAO,GAAGP,qBAAqB,CAACQ,GAAG,CAAEC,CAAC,IAAKA,CAAC,CAACH,IAAI,CAAC,CAAC,CAAC,CAAC,CAACI,IAAI,CAAC,IAAI,CAAC;IACtE,MAAMC,QAAQ,GAAGzB,WAAW,CAACsB,GAAG,CAAEC,CAAC,IAAKA,CAAC,CAAC,CAAC,CAAC,WAAW,CAAC,CAACC,IAAI,CAAC,IAAI,CAAC;IACnE,IAAI,CAACvB,uBAAuB,EAAE;MAC5B,MAAMQ,OAAO,GAAI,4DAA2DY,OAAQ,iBAAgBI,QAAS,GAAE;MAC/G/B,MAAM,CAACgB,GAAG,CAACf,QAAQ,CAACgB,KAAK,EAAEF,OAAO,CAAC;MACnC,MAAM,IAAIrB,aAAa,CAACqB,OAAO,CAAC;IAClC;EACF;;EAEA;EACA;EACA,MAAMiB,aAAa,GAAGC,MAAM,CAACC,WAAW,CACtCf;EACE;EAAA,CACCS,GAAG,CACFO,KAAA;IAAA,IAAAC,iBAAA;IAAA,IAAC;MAAEV,IAAI;MAAE,GAAGJ;IAAW,CAAC,GAAAa,KAAA;IAAA,OACtB,CACET,IAAI,CAAC,CAAC,CAAC,EACP;MACE,GAAGJ,UAAU;MACbe,KAAK,GAAAD,iBAAA,GAAE9B,WAAW,CAACgC,IAAI,CACpBT,CAAC,IAAKA,CAAC,CAAC,CAAC,CAAC,WAAW,KAAKH,IAAI,CAAC,CAAC,CACnC,CAAC,cAAAU,iBAAA,uBAFMA,iBAAA,CAEH,CAAC,CAAC;IACR,CAAC,CACF;EAAA,CACL;EACA;EACA;EAAA,CACCR,GAAG,CACFW,KAAA;IAAA,IAAC,CAACC,OAAO,EAAE;MAAEC,OAAO;MAAE,GAAGnB;IAAW,CAAC,CAAC,GAAAiB,KAAA;IAAA,OACpC,CACEC,OAAO,EACP;MACE,GAAGlB,UAAU;MACbG,IAAI,EAAEgB,OAAO,CAACC,MAAM,CAClB,CAACC,KAAK,EAAAC,KAAA;QAAA,IAAE;UAAEC,MAAM;UAAEpB;QAAK,CAAC,GAAAmB,KAAA;QAAA,OAAM;UAAE,GAAGD,KAAK;UAAE,CAACE,MAAM,GAAGpB;QAAK,CAAC;MAAA,CAAC,EAC3D,CAAC,CACH;IACF,CAAC,CACF;EAAA,CACL,CACJ,CAAC;EAED,IAAId,0BAA0B,EAAE;IAC9B;IACA;IACA,MAAMmC,eAAe,GAAGb,MAAM,CAACC,WAAW,CACxC5B,WAAW,CACRe,MAAM,CAAEQ,CAAC,IAAK,CAACI,MAAM,CAACc,IAAI,CAACf,aAAa,CAAC,CAACgB,QAAQ,CAACnB,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CACzDD,GAAG,CAACqB,KAAA;MAAA,IAAC,GAAGC,GAAG,EAAEb,KAAK,CAAC,GAAAY,KAAA;MAAA,OAAK,CAACC,GAAG,EAAE;QAAEb,KAAK;QAAEZ,IAAI,EAAEyB;MAAI,CAAC,CAAC;IAAA,EACxD,CAAC;IACD,OAAO;MACL,GAAGlB,aAAa;MAChB,GAAGc;IACL,CAAC;EACH;EAEA,OAAOd,aAAa;AACtB,CAAC;;AAED;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,eAAemB,qBAAqBA,CAClCC,aAAqB,EACrBC,UAAiB,EACjBC,oBAAmC,EACF;EACjC,MAAM,CAACC,iBAAiB,EAAEC,gBAAgB,CAAC;EACzC;EACA,MAAMC,OAAO,CAACC,GAAG,CAAC,CAChB7D,WAAW,CAACuD,aAAa,EAAEC,UAAU,EAAE1D,QAAQ,CAAC,EAChD2D,oBAAoB,CAACK,YAAY,CAAC,CAAC,CACpC,CAAC;EAEJ,MAAM;IAAEC;EAAI,CAAC,GAAGL,iBAAiB,CAAClD,KAAK,CAACwD,OAAO;EAC/C,IAAI,EAAE,MAAM9D,gBAAgB,CAAC6D,GAAG,CAACE,GAAG,EAAEN,gBAAuB,CAAC,CAAC,EAAE;IAC/D,MAAMzC,OAAO,GAAI,kDAAiDyC,gBAAgB,CAACO,GAAI,UAASR,iBAAiB,CAAClD,KAAK,CAACwD,OAAO,CAACD,GAAG,CAACE,GAAG,CAACC,GAAI,EAAC;IAC7I/D,MAAM,CAACgB,GAAG,CAACf,QAAQ,CAACgB,KAAK,EAAEF,OAAO,CAAC;IACnC,MAAM,IAAIrB,aAAa,CAACqB,OAAO,CAAC;EAClC;EAEA,OAAOwC,iBAAiB;AAC1B;AAEA,MAAMS,6BAAuD,GAAG,MAAAA,CAC9DC,UAAU,EACVC,UAAU,EACVC,yBAAyB,EAAAC,KAAA,KAMtB;EAAA,IALH;IACEC,uBAAuB;IACvB9D,uBAAuB;IACvBI;EACF,CAAC,GAAAyD,KAAA;EAED,MAAME,OAAO,GAAG,MAAMnB,qBAAqB,CACzCe,UAAU,EACVD,UAAU,CAACM,wBAAwB,CAACC,IAAI,CAACzB,IAAI,EAC7CsB,uBACF,CAAC;EAEDrE,MAAM,CAACgB,GAAG,CAACf,QAAQ,CAACwE,KAAK,EAAG,uBAAsBC,IAAI,CAACC,SAAS,CAACL,OAAO,CAAE,EAAC,CAAC;EAE5E,MAAMnE,gBAAgB,GACpB8D,UAAU,CAACM,wBAAwB,CAACK,mCAAmC,CACrET,yBAAyB,CAC1B;EAEH,IAAI,CAAChE,gBAAgB,EAAE;IACrBH,MAAM,CAACgB,GAAG,CACRf,QAAQ,CAACgB,KAAK,EACb,gDAA+CkD,yBAA0B,EAC5E,CAAC;IACD,MAAM,IAAIzE,aAAa,CAAC,6CAA6C,CAAC;EACxE;EAEA,MAAMmF,gBAAgB,GAAG3E,oBAAoB,CAC3CC,gBAAgB,EAChBmE,OAAO,EACP/D,uBAAuB,EACvBI,0BACF,CAAC;EACD,MAAMmE,aAAa,GAAGhF,uBAAuB,CAACwE,OAAO,CAAChE,WAAW,EAAE,KAAK,CAAC;EAEzEN,MAAM,CAACgB,GAAG,CACRf,QAAQ,CAACwE,KAAK,EACb,sBAAqBC,IAAI,CAACC,SAAS,CAACE,gBAAgB,CAAE,gBAAeC,aAAc,EACtF,CAAC;EAED,OAAO;IACLD,gBAAgB;IAChBE,UAAU,EAAE,IAAIC,IAAI,CAACV,OAAO,CAACjE,KAAK,CAACwD,OAAO,CAACoB,GAAG,GAAG,IAAI,CAAC;IACtDC,QAAQ,EACN,OAAOJ,aAAa,KAAK,QAAQ,GAC7B,IAAIE,IAAI,CAACF,aAAa,GAAG,IAAI,CAAC,GAC9BpE;EACR,CAAC;AACH,CAAC;;AAED;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,MAAMyE,wBAAkD,GAAG,MAAAA,CAChElB,UAAU,EACVC,UAAU,EACVC,yBAAyB,EACzBiB,OAAO,KACJ;EAAA,IAAAC,qBAAA;EACH,MAAMzE,MAAM,IAAAyE,qBAAA,GACVpB,UAAU,CAACM,wBAAwB,CAACK,mCAAmC,CACrET,yBAAyB,CAC1B,cAAAkB,qBAAA,uBAFDA,qBAAA,CAEGzE,MAAM;EAEX,IAAIA,MAAM,KAAK,WAAW,EAAE;IAC1BZ,MAAM,CAACgB,GAAG,CAACf,QAAQ,CAACwE,KAAK,EAAE,wCAAwC,CAAC;IACpE,OAAOT,6BAA6B,CAClCC,UAAU,EACVC,UAAU,EACVC,yBAAyB,EACzBiB,OACF,CAAC;EACH;EAEA,MAAMrE,OAAO,GAAI,kCAAiCH,MAAO,EAAC;EAC1DZ,MAAM,CAACgB,GAAG,CAACf,QAAQ,CAACgB,KAAK,EAAEF,OAAO,CAAC;EACnC,MAAM,IAAIrB,aAAa,CAACqB,OAAO,CAAC;AAClC,CAAC"}

package/lib/module/credential/status/{02-status-attestation.js → 02-status-assertion.js}

@@ -1,36 +1,44 @@
 import { getCredentialHashWithouDiscloures, hasStatusOrThrow } from "../../utils/misc";
 import { SignJWT } from "@pagopa/io-react-native-jwt";
 import { v4 as uuidv4 } from "uuid";
-import { StatusAttestationResponse } from "./types";
+import { StatusAssertionResponse } from "./types";
 import { IssuerResponseError, IssuerResponseErrorCodes, ResponseErrorBuilder, UnexpectedStatusCodeError } from "../../utils/errors";
-import { LogLevel, Logger } from "../../utils/logging";
+import { Logger, LogLevel } from "../../utils/logging";
+import { extractJwkFromCredential } from "../../utils/credentials";
 /**
- * WARNING: This function must be called after {@link startFlow}.
- * Verify the status of the credential attestation.
+ * Get the status assertion of a digital credential.
  * @param issuerConf - The issuer's configuration
  * @param credential - The credential to be verified
- * @param credentialCryptoContext - The credential's crypto context
+ * @param format - The format of the credential, e.g. "sd-jwt"
+ * @param context.credentialCryptoContext - The credential's crypto context
+ * @param context.wiaCryptoContext - The Wallet Attestation's crypto context
  * @param context.appFetch (optional) fetch api implementation. Default: built-in fetch
  * @throws {IssuerResponseError} with a specific code for more context
- * @returns The credential status attestation
+ * @returns The credential status assertion
  */
-export const statusAttestation = async function (issuerConf, credential, credentialCryptoContext) {
-  let appFetch = arguments.length > 3 && arguments[3] !== undefined ? arguments[3] : fetch;
-  const jwk = await credentialCryptoContext.getPublicKey();
+export const statusAssertion = async (issuerConf, credential, format, ctx) => {
+  const {
+    credentialCryptoContext,
+    wiaCryptoContext,
+    appFetch = fetch
+  } = ctx;
+  const jwk = await extractJwkFromCredential(credential, format);
+  const issuerJwk = await wiaCryptoContext.getPublicKey();
   const credentialHash = await getCredentialHashWithouDiscloures(credential);
   const statusAttUrl = issuerConf.openid_credential_issuer.status_attestation_endpoint;
   const credentialPop = await new SignJWT(credentialCryptoContext).setPayload({
+    iss: issuerJwk.kid,
     aud: statusAttUrl,
     jti: uuidv4().toString(),
     credential_hash: credentialHash,
-    credential_hash_alg: "S256"
+    credential_hash_alg: "sha-256"
   }).setProtectedHeader({
     alg: "ES256",
-    typ: "status-attestation-request+jwt",
+    typ: "status-assertion-request+jwt",
     kid: jwk.kid
   }).setIssuedAt().setExpirationTime("5m").sign();
   const body = {
-    credential_pop: credentialPop
+    status_assertion_requests: [credentialPop]
   };
   Logger.log(LogLevel.DEBUG, `Credential pop: ${credentialPop}`);
   const result = await appFetch(statusAttUrl, {
@@ -39,28 +47,26 @@ export const statusAttestation = async function (issuerConf, credential, credent
       "Content-Type": "application/json"
     },
     body: JSON.stringify(body)
-  }).then(hasStatusOrThrow(201)).then(raw => raw.json()).then(json => StatusAttestationResponse.parse(json)).catch(handleStatusAttestationError);
+  }).then(hasStatusOrThrow(200)).then(raw => raw.json()).then(json => StatusAssertionResponse.parse(json)).catch(handleStatusAssertionError);
+  const [statusAttestationJwt] = result.status_assertion_responses;
   return {
-    statusAttestation: result.status_attestation
+    statusAssertion: statusAttestationJwt
   };
 };
 
 /**
- * Handle the status attestation error by mapping it to a custom exception.
+ * Handle the status assertion error by mapping it to a custom exception.
  * If the error is not an instance of {@link UnexpectedStatusCodeError}, it is thrown as is.
  * @param e - The error to be handled
  * @throws {IssuerResponseError} with a specific code for more context
  */
-const handleStatusAttestationError = e => {
+const handleStatusAssertionError = e => {
   if (!(e instanceof UnexpectedStatusCodeError)) {
     throw e;
   }
-  throw new ResponseErrorBuilder(IssuerResponseError).handle(404, {
-    code: IssuerResponseErrorCodes.CredentialInvalidStatus,
-    message: "Invalid status found for the given credential"
-  }).handle("*", {
+  throw new ResponseErrorBuilder(IssuerResponseError).handle("*", {
     code: IssuerResponseErrorCodes.StatusAttestationRequestFailed,
-    message: `Unable to obtain the status attestation for the given credential`
+    message: `Unable to obtain the status assertion for the given credential`
   }).buildFrom(e);
 };
-//# sourceMappingURL=02-status-attestation.js.map
+//# sourceMappingURL=02-status-assertion.js.map

package/lib/module/credential/status/02-status-assertion.js.map

@@ -0,0 +1 @@
+{"version":3,"names":["getCredentialHashWithouDiscloures","hasStatusOrThrow","SignJWT","v4","uuidv4","StatusAssertionResponse","IssuerResponseError","IssuerResponseErrorCodes","ResponseErrorBuilder","UnexpectedStatusCodeError","Logger","LogLevel","extractJwkFromCredential","statusAssertion","issuerConf","credential","format","ctx","credentialCryptoContext","wiaCryptoContext","appFetch","fetch","jwk","issuerJwk","getPublicKey","credentialHash","statusAttUrl","openid_credential_issuer","status_attestation_endpoint","credentialPop","setPayload","iss","kid","aud","jti","toString","credential_hash","credential_hash_alg","setProtectedHeader","alg","typ","setIssuedAt","setExpirationTime","sign","body","status_assertion_requests","log","DEBUG","result","method","headers","JSON","stringify","then","raw","json","parse","catch","handleStatusAssertionError","statusAttestationJwt","status_assertion_responses","e","handle","code","StatusAttestationRequestFailed","message","buildFrom"],"sourceRoot":"../../../../src","sources":["credential/status/02-status-assertion.ts"],"mappings":"AAAA,SACEA,iCAAiC,EACjCC,gBAAgB,QAEX,kBAAkB;AAEzB,SAA6BC,OAAO,QAAQ,6BAA6B;AACzE,SAASC,EAAE,IAAIC,MAAM,QAAQ,MAAM;AACnC,SAASC,uBAAuB,QAAQ,SAAS;AACjD,SACEC,mBAAmB,EACnBC,wBAAwB,EACxBC,oBAAoB,EACpBC,yBAAyB,QACpB,oBAAoB;AAC3B,SAASC,MAAM,EAAEC,QAAQ,QAAQ,qBAAqB;AACtD,SAASC,wBAAwB,QAAQ,yBAAyB;AAelE;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,MAAMC,eAAgC,GAAG,MAAAA,CAC9CC,UAAU,EACVC,UAAU,EACVC,MAAM,EACNC,GAAG,KACA;EACH,MAAM;IAAEC,uBAAuB;IAAEC,gBAAgB;IAAEC,QAAQ,GAAGC;EAAM,CAAC,GAAGJ,GAAG;EAE3E,MAAMK,GAAG,GAAG,MAAMV,wBAAwB,CAACG,UAAU,EAAEC,MAAM,CAAC;EAC9D,MAAMO,SAAS,GAAG,MAAMJ,gBAAgB,CAACK,YAAY,CAAC,CAAC;EACvD,MAAMC,cAAc,GAAG,MAAMzB,iCAAiC,CAACe,UAAU,CAAC;EAC1E,MAAMW,YAAY,GAChBZ,UAAU,CAACa,wBAAwB,CAACC,2BAA2B;EAEjE,MAAMC,aAAa,GAAG,MAAM,IAAI3B,OAAO,CAACgB,uBAAuB,CAAC,CAC7DY,UAAU,CAAC;IACVC,GAAG,EAAER,SAAS,CAACS,GAAG;IAClBC,GAAG,EAAEP,YAAY;IACjBQ,GAAG,EAAE9B,MAAM,CAAC,CAAC,CAAC+B,QAAQ,CAAC,CAAC;IACxBC,eAAe,EAAEX,cAAc;IAC/BY,mBAAmB,EAAE;EACvB,CAAC,CAAC,CACDC,kBAAkB,CAAC;IAClBC,GAAG,EAAE,OAAO;IACZC,GAAG,EAAE,8BAA8B;IACnCR,GAAG,EAAEV,GAAG,CAACU;EACX,CAAC,CAAC,CACDS,WAAW,CAAC,CAAC,CACbC,iBAAiB,CAAC,IAAI,CAAC,CACvBC,IAAI,CAAC,CAAC;EAET,MAAMC,IAAI,GAAG;IACXC,yBAAyB,EAAE,CAAChB,aAAa;EAC3C,CAAC;EAEDnB,MAAM,CAACoC,GAAG,CAACnC,QAAQ,CAACoC,KAAK,EAAG,mBAAkBlB,aAAc,EAAC,CAAC;EAE9D,MAAMmB,MAAM,GAAG,MAAM5B,QAAQ,CAACM,YAAY,EAAE;IAC1CuB,MAAM,EAAE,MAAM;IACdC,OAAO,EAAE;MACP,cAAc,EAAE;IAClB,CAAC;IACDN,IAAI,EAAEO,IAAI,CAACC,SAAS,CAACR,IAAI;EAC3B,CAAC,CAAC,CACCS,IAAI,CAACpD,gBAAgB,CAAC,GAAG,CAAC,CAAC,CAC3BoD,IAAI,CAAEC,GAAG,IAAKA,GAAG,CAACC,IAAI,CAAC,CAAC,CAAC,CACzBF,IAAI,CAAEE,IAAI,IAAKlD,uBAAuB,CAACmD,KAAK,CAACD,IAAI,CAAC,CAAC,CACnDE,KAAK,CAACC,0BAA0B,CAAC;EAEpC,MAAM,CAACC,oBAAoB,CAAC,GAAGX,MAAM,CAACY,0BAA0B;EAEhE,OAAO;IAAE/C,eAAe,EAAE8C;EAAsB,CAAC;AACnD,CAAC;;AAED;AACA;AACA;AACA;AACA;AACA;AACA,MAAMD,0BAA0B,GAAIG,CAAU,IAAK;EACjD,IAAI,EAAEA,CAAC,YAAYpD,yBAAyB,CAAC,EAAE;IAC7C,MAAMoD,CAAC;EACT;EAEA,MAAM,IAAIrD,oBAAoB,CAACF,mBAAmB,CAAC,CAChDwD,MAAM,CAAC,GAAG,EAAE;IACXC,IAAI,EAAExD,wBAAwB,CAACyD,8BAA8B;IAC7DC,OAAO,EAAG;EACZ,CAAC,CAAC,CACDC,SAAS,CAACL,CAAC,CAAC;AACjB,CAAC"}

package/lib/module/credential/status/03-verify-and-parse-status-assertion.js

@@ -0,0 +1,78 @@
+import { IoWalletError, IssuerResponseError, IssuerResponseErrorCodes } from "../../utils/errors";
+import { decode as decodeJwt, verify } from "@pagopa/io-react-native-jwt";
+import { ParsedStatusAssertionResponse, StatusType } from "./types";
+import { Logger, LogLevel } from "../../utils/logging";
+import { extractJwkFromCredential } from "../../utils/credentials";
+import { isSameThumbprint } from "../../utils/jwk";
+/**
+ * Given a status assertion, verifies that:
+ * - It's in the supported format;
+ * - The assertion is correctly signed;
+ * - It's bound to the given key.
+ * @param issuerConf The Issuer configuration returned by {@link evaluateIssuerTrust}
+ * @param statusAssertion The encoded status assertion returned by {@link statusAssertion}
+ * @param context.credentialCryptoContext The crypto context used to obtain the credential in {@link obtainCredential}
+ * @returns A parsed status assertion
+ * @throws {IoWalletError} If the credential signature is not verified with the Issuer key set
+ * @throws {IssuerResponseError} If the status assertion contains an error or the credential status is invalid
+ */
+export const verifyAndParseStatusAssertion = async (issuerConf, rawStatusAssertion, credential, format) => {
+  const {
+    statusAssertion
+  } = rawStatusAssertion;
+  await verify(statusAssertion, issuerConf.openid_credential_issuer.jwks.keys);
+  const decodedJwt = decodeJwt(statusAssertion);
+  const parsedStatusAssertion = ParsedStatusAssertionResponse.parse({
+    header: decodedJwt.protectedHeader,
+    payload: decodedJwt.payload
+  });
+  Logger.log(LogLevel.DEBUG, `Parsed status assertion: ${JSON.stringify(parsedStatusAssertion)}`);
+
+  // Errors are transmitted in the JWT and use a 200 HTTP status code
+  if (isStatusAssertionError(parsedStatusAssertion)) {
+    throw new IssuerResponseError({
+      code: IssuerResponseErrorCodes.CredentialInvalidStatus,
+      message: "The status assertion contains an error",
+      statusCode: 200,
+      reason: buildErrorReason(parsedStatusAssertion)
+    });
+  }
+  const {
+    cnf,
+    credential_status_type
+  } = parsedStatusAssertion.payload;
+  const holderBindingKey = await extractJwkFromCredential(credential, format);
+  if (!(await isSameThumbprint(cnf.jwk, holderBindingKey))) {
+    const errorMessage = `Failed to verify holder binding for status assertion: the thumbprints of keys ${cnf.jwk.kid} and ${holderBindingKey.kid} do not match`;
+    Logger.log(LogLevel.ERROR, errorMessage);
+    throw new IoWalletError(errorMessage);
+  }
+  if (credential_status_type !== StatusType.VALID) {
+    throw new IssuerResponseError({
+      code: IssuerResponseErrorCodes.CredentialInvalidStatus,
+      message: "Invalid status found for the given credential",
+      statusCode: 200,
+      reason: buildErrorReason(parsedStatusAssertion)
+    });
+  }
+  return {
+    parsedStatusAssertion
+  };
+};
+const isStatusAssertionError = assertion => assertion.header.typ === "status-assertion-error+jwt";
+
+/**
+ * Build an object containing the details on the error to use as the IssuerResponseError's reason
+ * @param assertion The status assertion response, both success or failure
+ * @returns The error's reason object
+ */
+const buildErrorReason = _ref => {
+  let {
+    payload
+  } = _ref;
+  return "error" in payload ? payload : {
+    error: payload.credential_status_detail.state,
+    error_description: payload.credential_status_detail.description
+  };
+};
+//# sourceMappingURL=03-verify-and-parse-status-assertion.js.map

package/lib/module/credential/status/03-verify-and-parse-status-assertion.js.map

@@ -0,0 +1 @@
+{"version":3,"names":["IoWalletError","IssuerResponseError","IssuerResponseErrorCodes","decode","decodeJwt","verify","ParsedStatusAssertionResponse","StatusType","Logger","LogLevel","extractJwkFromCredential","isSameThumbprint","verifyAndParseStatusAssertion","issuerConf","rawStatusAssertion","credential","format","statusAssertion","openid_credential_issuer","jwks","keys","decodedJwt","parsedStatusAssertion","parse","header","protectedHeader","payload","log","DEBUG","JSON","stringify","isStatusAssertionError","code","CredentialInvalidStatus","message","statusCode","reason","buildErrorReason","cnf","credential_status_type","holderBindingKey","jwk","errorMessage","kid","ERROR","VALID","assertion","typ","_ref","error","credential_status_detail","state","error_description","description"],"sourceRoot":"../../../../src","sources":["credential/status/03-verify-and-parse-status-assertion.ts"],"mappings":"AACA,SACEA,aAAa,EACbC,mBAAmB,EACnBC,wBAAwB,QACnB,oBAAoB;AAC3B,SAASC,MAAM,IAAIC,SAAS,EAAEC,MAAM,QAAQ,6BAA6B;AAEzE,SAIEC,6BAA6B,EAC7BC,UAAU,QACL,SAAS;AAChB,SAASC,MAAM,EAAEC,QAAQ,QAAQ,qBAAqB;AAEtD,SAASC,wBAAwB,QAAQ,yBAAyB;AAClE,SAASC,gBAAgB,QAAQ,iBAAiB;AASlD;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,MAAMC,6BAA4D,GACvE,MAAAA,CAAOC,UAAU,EAAEC,kBAAkB,EAAEC,UAAU,EAAEC,MAAM,KAAK;EAC5D,MAAM;IAAEC;EAAgB,CAAC,GAAGH,kBAAkB;EAE9C,MAAMT,MAAM,CACVY,eAAe,EACfJ,UAAU,CAACK,wBAAwB,CAACC,IAAI,CAACC,IAC3C,CAAC;EAED,MAAMC,UAAU,GAAGjB,SAAS,CAACa,eAAe,CAAC;EAC7C,MAAMK,qBAAqB,GAAGhB,6BAA6B,CAACiB,KAAK,CAAC;IAChEC,MAAM,EAAEH,UAAU,CAACI,eAAe;IAClCC,OAAO,EAAEL,UAAU,CAACK;EACtB,CAAC,CAAC;EAEFlB,MAAM,CAACmB,GAAG,CACRlB,QAAQ,CAACmB,KAAK,EACb,4BAA2BC,IAAI,CAACC,SAAS,CAACR,qBAAqB,CAAE,EACpE,CAAC;;EAED;EACA,IAAIS,sBAAsB,CAACT,qBAAqB,CAAC,EAAE;IACjD,MAAM,IAAIrB,mBAAmB,CAAC;MAC5B+B,IAAI,EAAE9B,wBAAwB,CAAC+B,uBAAuB;MACtDC,OAAO,EAAE,wCAAwC;MACjDC,UAAU,EAAE,GAAG;MACfC,MAAM,EAAEC,gBAAgB,CAACf,qBAAqB;IAChD,CAAC,CAAC;EACJ;EAEA,MAAM;IAAEgB,GAAG;IAAEC;EAAuB,CAAC,GAAGjB,qBAAqB,CAACI,OAAO;EACrE,MAAMc,gBAAgB,GAAG,MAAM9B,wBAAwB,CAACK,UAAU,EAAEC,MAAM,CAAC;EAE3E,IAAI,EAAE,MAAML,gBAAgB,CAAC2B,GAAG,CAACG,GAAG,EAAED,gBAAgB,CAAC,CAAC,EAAE;IACxD,MAAME,YAAY,GAAI,iFAAgFJ,GAAG,CAACG,GAAG,CAACE,GAAI,QAAOH,gBAAgB,CAACG,GAAI,eAAc;IAC5JnC,MAAM,CAACmB,GAAG,CAAClB,QAAQ,CAACmC,KAAK,EAAEF,YAAY,CAAC;IACxC,MAAM,IAAI1C,aAAa,CAAC0C,YAAY,CAAC;EACvC;EAEA,IAAIH,sBAAsB,KAAKhC,UAAU,CAACsC,KAAK,EAAE;IAC/C,MAAM,IAAI5C,mBAAmB,CAAC;MAC5B+B,IAAI,EAAE9B,wBAAwB,CAAC+B,uBAAuB;MACtDC,OAAO,EAAE,+CAA+C;MACxDC,UAAU,EAAE,GAAG;MACfC,MAAM,EAAEC,gBAAgB,CAACf,qBAAqB;IAChD,CAAC,CAAC;EACJ;EAEA,OAAO;IAAEA;EAAsB,CAAC;AAClC,CAAC;AAEH,MAAMS,sBAAsB,GAC1Be,SAAwC,IAExCA,SAAS,CAACtB,MAAM,CAACuB,GAAG,KAAK,4BAA4B;;AAEvD;AACA;AACA;AACA;AACA;AACA,MAAMV,gBAAgB,GAAGW,IAAA;EAAA,IAAC;IACxBtB;EAC6B,CAAC,GAAAsB,IAAA;EAAA,OAC9B,OAAO,IAAItB,OAAO,GACdA,OAAO,GACP;IACEuB,KAAK,EAAEvB,OAAO,CAACwB,wBAAwB,CAAEC,KAAK;IAC9CC,iBAAiB,EAAE1B,OAAO,CAACwB,wBAAwB,CAAEG;EACvD,CAAC;AAAA"}

package/lib/module/credential/status/README.md

@@ -1,16 +1,16 @@
-# Credential Status Attestation
+# Credential Status Assertion
 
-This flow is used to obtain a credential status attestation from its credential issuer. Each step in the flow is imported from the related file which is named with a sequential number.
-The credential status attestation is a JWT which contains the credential status which indicates if the credential is valid or not.
-The status attestation is supposed to be stored securely along with the credential. It has a limited lifetime and should be refreshed periodically according to the `exp` field in the JWT payload.
+This flow is used to obtain a credential status assertion from its credential issuer. Each step in the flow is imported from the related file which is named with a sequential number.
+The credential status assertion is a JWT which contains the credential status which indicates if the credential is valid or not (see [OAuth Status Assertions](https://italia.github.io/eid-wallet-it-docs/versione-corrente/en/credential-revocation.html#oauth-status-assertions)).
+The status assertion is supposed to be stored securely along with the credential. It has a limited lifetime and should be refreshed periodically according to the `exp` field in the JWT payload.
 
 ## Sequence Diagram
 
 ```mermaid
 graph TD;
     0[startFlow]
-    1[statusAttestation]
-    2[verifyAndParseStatusAttestation]
+    1[statusAssertion]
+    2[verifyAndParseStatusAssertion]
 
     0 --> 1
     1 --> 2
@@ -21,14 +21,14 @@ graph TD;
 
 The following errors are mapped to a `IssuerResponseError` with specific codes.
 
-|HTTP Status|Error Code|Description|
-|-----------|----------|-----------|
-|`404 Not Found`|`ERR_CREDENTIAL_INVALID_STATUS`|This response is returned by the credential issuer when the status attestation is invalid. It might contain more details in the `reason` property.|
+|Error Code|Description|
+|----------|-----------|
+|`ERR_CREDENTIAL_INVALID_STATUS`|This error is thrown when the status assertion for a given credential is invalid. It might contain more details in the `reason` property.|
 
 ## Example
 
 <details>
-  <summary>Credential status attestation flow</summary>
+  <summary>Credential status assertion flow</summary>
 
 ```ts
 // Start the issuance flow
@@ -42,24 +42,26 @@ const { issuerUrl } = startFlow();
 // Evaluate issuer trust
 const { issuerConf } = await Credential.Status.evaluateIssuerTrust(issuerUrl);
 
-// Get the credential attestation
-const res = await Credential.Status.statusAttestation(
+// Get the credential assertion
+const res = await Credential.Status.statusAssertion(
   issuerConf,
   credential,
-  credentialCryptoContext
+  format,
+  { credentialCryptoContext, wiaCryptoContext }
 );
 
-// Verify and parse the status attestation
-const { parsedStatusAttestation } =
-  await Credential.Status.verifyAndParseStatusAttestation(
+// Verify and parse the status assertion
+const { parsedStatusAssertion } =
+  await Credential.Status.verifyAndParseStatusAssertion(
     issuerConf,
-    res.statusAttestation,
-    { credentialCryptoContext }
+    res.statusAssertion,
+    credential,
+    format
   );
 
 return {
-  statusAttestation: res.statusAttestation,
-  parsedStatusAttestation,
+  statusAssertion: res.statusAssertion,
+  parsedStatusAssertion,
 };
 ```
 

package/lib/module/credential/status/index.js

@@ -1,5 +1,5 @@
-import { statusAttestation } from "./02-status-attestation";
+import { statusAssertion } from "./02-status-assertion";
 import { evaluateIssuerTrust } from "../issuance";
-import { verifyAndParseStatusAttestation } from "./03-verify-and-parse-status-attestation";
-export { evaluateIssuerTrust, statusAttestation, verifyAndParseStatusAttestation };
+import { verifyAndParseStatusAssertion } from "./03-verify-and-parse-status-assertion";
+export { evaluateIssuerTrust, statusAssertion, verifyAndParseStatusAssertion };
 //# sourceMappingURL=index.js.map

package/lib/module/credential/status/index.js.map

@@ -1 +1 @@
-{"version":3,"names":["statusAttestation","evaluateIssuerTrust","verifyAndParseStatusAttestation"],"sourceRoot":"../../../../src","sources":["credential/status/index.ts"],"mappings":"AACA,SACEA,iBAAiB,QAEZ,yBAAyB;AAChC,SAASC,mBAAmB,QAAkC,aAAa;AAC3E,SACEC,+BAA+B,QAE1B,0CAA0C;AAEjD,SACED,mBAAmB,EACnBD,iBAAiB,EACjBE,+BAA+B"}
+{"version":3,"names":["statusAssertion","evaluateIssuerTrust","verifyAndParseStatusAssertion"],"sourceRoot":"../../../../src","sources":["credential/status/index.ts"],"mappings":"AACA,SAASA,eAAe,QAA8B,uBAAuB;AAC7E,SAASC,mBAAmB,QAAkC,aAAa;AAC3E,SACEC,6BAA6B,QAExB,wCAAwC;AAE/C,SAASD,mBAAmB,EAAED,eAAe,EAAEE,6BAA6B"}

package/lib/module/credential/status/types.js

@@ -3,31 +3,33 @@ import { JWK } from "../../utils/jwk";
 import * as z from "zod";
 
 /**
- * Shape from parsing a status attestation response in case of 201.
+ * Shape from parsing a status assertion response in case of 201.
  */
-export const StatusAttestationResponse = z.object({
-  status_attestation: z.string()
+export const StatusAssertionResponse = z.object({
+  status_assertion_responses: z.array(z.string())
 });
 
 /**
- * Type from parsing a status attestation response in case of 201.
- * Inferred from {@link StatusAttestationResponse}.
+ * Type from parsing a status assertion response in case of 201.
+ * Inferred from {@link StatusAssertionResponse}.
  */
 
 /**
- * Type for a parsed status attestation.
+ * Shape for parsing a successful status assertion in a JWT.
  */
-
-/**
- * Shape for parsing a status attestation in a JWT.
- */
-export const ParsedStatusAttestation = z.object({
+export const ParsedStatusAssertion = z.object({
   header: z.object({
-    typ: z.literal("status-attestation+jwt"),
+    typ: z.literal("status-assertion+jwt"),
     alg: z.string(),
     kid: z.string().optional()
   }),
   payload: z.object({
+    iss: z.string(),
+    credential_status_type: z.string(),
+    credential_status_detail: z.object({
+      state: z.string(),
+      description: z.string()
+    }).optional(),
     credential_hash_alg: z.string(),
     credential_hash: z.string(),
     cnf: z.object({
@@ -37,4 +39,33 @@ export const ParsedStatusAttestation = z.object({
     iat: UnixTime
   })
 });
+/**
+ * The JWT that contains the errors occurred for the status assertion request.
+ * @see https://italia.github.io/eid-wallet-it-docs/versione-corrente/en/credential-revocation.html#http-status-assertion-response
+ */
+export const ParsedStatusAssertionError = z.object({
+  header: z.object({
+    typ: z.literal("status-assertion-error+jwt"),
+    alg: z.string(),
+    kid: z.string().optional()
+  }),
+  payload: z.object({
+    credential_hash_alg: z.string(),
+    credential_hash: z.string(),
+    error: z.string(),
+    error_description: z.string()
+  })
+});
+
+/**
+ * The status assertion response that might include either a successful assertion or an error
+ */
+
+export const ParsedStatusAssertionResponse = z.union([ParsedStatusAssertion, ParsedStatusAssertionError]);
+export let StatusType = /*#__PURE__*/function (StatusType) {
+  StatusType["VALID"] = "0x00";
+  StatusType["INVALID"] = "0x01";
+  StatusType["SUSPENDED"] = "0x02";
+  return StatusType;
+}({});
 //# sourceMappingURL=types.js.map

package/lib/module/credential/status/types.js.map

@@ -1 +1 @@
-{"version":3,"names":["UnixTime","JWK","z","StatusAttestationResponse","object","status_attestation","string","ParsedStatusAttestation","header","typ","literal","alg","kid","optional","payload","credential_hash_alg","credential_hash","cnf","jwk","exp","iat"],"sourceRoot":"../../../../src","sources":["credential/status/types.ts"],"mappings":"AAAA,SAASA,QAAQ,QAAQ,oBAAoB;AAC7C,SAASC,GAAG,QAAQ,iBAAiB;AACrC,OAAO,KAAKC,CAAC,MAAM,KAAK;;AAExB;AACA;AACA;AACA,OAAO,MAAMC,yBAAyB,GAAGD,CAAC,CAACE,MAAM,CAAC;EAChDC,kBAAkB,EAAEH,CAAC,CAACI,MAAM,CAAC;AAC/B,CAAC,CAAC;;AAEF;AACA;AACA;AACA;;AAKA;AACA;AACA;;AAGA;AACA;AACA;AACA,OAAO,MAAMC,uBAAuB,GAAGL,CAAC,CAACE,MAAM,CAAC;EAC9CI,MAAM,EAAEN,CAAC,CAACE,MAAM,CAAC;IACfK,GAAG,EAAEP,CAAC,CAACQ,OAAO,CAAC,wBAAwB,CAAC;IACxCC,GAAG,EAAET,CAAC,CAACI,MAAM,CAAC,CAAC;IACfM,GAAG,EAAEV,CAAC,CAACI,MAAM,CAAC,CAAC,CAACO,QAAQ,CAAC;EAC3B,CAAC,CAAC;EACFC,OAAO,EAAEZ,CAAC,CAACE,MAAM,CAAC;IAChBW,mBAAmB,EAAEb,CAAC,CAACI,MAAM,CAAC,CAAC;IAC/BU,eAAe,EAAEd,CAAC,CAACI,MAAM,CAAC,CAAC;IAC3BW,GAAG,EAAEf,CAAC,CAACE,MAAM,CAAC;MACZc,GAAG,EAAEjB;IACP,CAAC,CAAC;IACFkB,GAAG,EAAEnB,QAAQ;IACboB,GAAG,EAAEpB;EACP,CAAC;AACH,CAAC,CAAC"}
+{"version":3,"names":["UnixTime","JWK","z","StatusAssertionResponse","object","status_assertion_responses","array","string","ParsedStatusAssertion","header","typ","literal","alg","kid","optional","payload","iss","credential_status_type","credential_status_detail","state","description","credential_hash_alg","credential_hash","cnf","jwk","exp","iat","ParsedStatusAssertionError","error","error_description","ParsedStatusAssertionResponse","union","StatusType"],"sourceRoot":"../../../../src","sources":["credential/status/types.ts"],"mappings":"AAAA,SAASA,QAAQ,QAAQ,oBAAoB;AAC7C,SAASC,GAAG,QAAQ,iBAAiB;AACrC,OAAO,KAAKC,CAAC,MAAM,KAAK;;AAExB;AACA;AACA;AACA,OAAO,MAAMC,uBAAuB,GAAGD,CAAC,CAACE,MAAM,CAAC;EAC9CC,0BAA0B,EAAEH,CAAC,CAACI,KAAK,CAACJ,CAAC,CAACK,MAAM,CAAC,CAAC;AAChD,CAAC,CAAC;;AAEF;AACA;AACA;AACA;;AAKA;AACA;AACA;AACA,OAAO,MAAMC,qBAAqB,GAAGN,CAAC,CAACE,MAAM,CAAC;EAC5CK,MAAM,EAAEP,CAAC,CAACE,MAAM,CAAC;IACfM,GAAG,EAAER,CAAC,CAACS,OAAO,CAAC,sBAAsB,CAAC;IACtCC,GAAG,EAAEV,CAAC,CAACK,MAAM,CAAC,CAAC;IACfM,GAAG,EAAEX,CAAC,CAACK,MAAM,CAAC,CAAC,CAACO,QAAQ,CAAC;EAC3B,CAAC,CAAC;EACFC,OAAO,EAAEb,CAAC,CAACE,MAAM,CAAC;IAChBY,GAAG,EAAEd,CAAC,CAACK,MAAM,CAAC,CAAC;IACfU,sBAAsB,EAAEf,CAAC,CAACK,MAAM,CAAC,CAAC;IAClCW,wBAAwB,EAAEhB,CAAC,CACxBE,MAAM,CAAC;MACNe,KAAK,EAAEjB,CAAC,CAACK,MAAM,CAAC,CAAC;MACjBa,WAAW,EAAElB,CAAC,CAACK,MAAM,CAAC;IACxB,CAAC,CAAC,CACDO,QAAQ,CAAC,CAAC;IACbO,mBAAmB,EAAEnB,CAAC,CAACK,MAAM,CAAC,CAAC;IAC/Be,eAAe,EAAEpB,CAAC,CAACK,MAAM,CAAC,CAAC;IAC3BgB,GAAG,EAAErB,CAAC,CAACE,MAAM,CAAC;MACZoB,GAAG,EAAEvB;IACP,CAAC,CAAC;IACFwB,GAAG,EAAEzB,QAAQ;IACb0B,GAAG,EAAE1B;EACP,CAAC;AACH,CAAC,CAAC;AAMF;AACA;AACA;AACA;AACA,OAAO,MAAM2B,0BAA0B,GAAGzB,CAAC,CAACE,MAAM,CAAC;EACjDK,MAAM,EAAEP,CAAC,CAACE,MAAM,CAAC;IACfM,GAAG,EAAER,CAAC,CAACS,OAAO,CAAC,4BAA4B,CAAC;IAC5CC,GAAG,EAAEV,CAAC,CAACK,MAAM,CAAC,CAAC;IACfM,GAAG,EAAEX,CAAC,CAACK,MAAM,CAAC,CAAC,CAACO,QAAQ,CAAC;EAC3B,CAAC,CAAC;EACFC,OAAO,EAAEb,CAAC,CAACE,MAAM,CAAC;IAChBiB,mBAAmB,EAAEnB,CAAC,CAACK,MAAM,CAAC,CAAC;IAC/Be,eAAe,EAAEpB,CAAC,CAACK,MAAM,CAAC,CAAC;IAC3BqB,KAAK,EAAE1B,CAAC,CAACK,MAAM,CAAC,CAAC;IACjBsB,iBAAiB,EAAE3B,CAAC,CAACK,MAAM,CAAC;EAC9B,CAAC;AACH,CAAC,CAAC;;AAEF;AACA;AACA;;AAIA,OAAO,MAAMuB,6BAA6B,GAAG5B,CAAC,CAAC6B,KAAK,CAAC,CACnDvB,qBAAqB,EACrBmB,0BAA0B,CAC3B,CAAC;AAEF,WAAYK,UAAU,0BAAVA,UAAU;EAAVA,UAAU;EAAVA,UAAU;EAAVA,UAAU;EAAA,OAAVA,UAAU;AAAA"}

package/lib/module/utils/credentials.js

@@ -0,0 +1,26 @@
+import { decode } from "../sd-jwt";
+import { thumbprint } from "@pagopa/io-react-native-jwt";
+import { IoWalletError } from "./errors";
+const SD_JWT = ["vc+sd-jwt", "dc+sd-jwt"];
+
+/**
+ * Extracts a JWK from a credential.
+ * @param credential - The credential string, which can be in SD-JWT or CBOR format.
+ * @param format - The format of the credential
+ * @return A Promise that resolves to a JWK object if the credential is in SD-JWT format and contains a JWK, or undefined otherwise.
+ */
+export const extractJwkFromCredential = async (credential, format) => {
+  if (SD_JWT.includes(format)) {
+    // 1. SD-JWT case
+    const decoded = decode(credential);
+    const jwk = decoded.sdJwt.payload.cnf.jwk;
+    if (jwk) {
+      return {
+        ...jwk,
+        kid: await thumbprint(jwk)
+      };
+    }
+  }
+  throw new IoWalletError(`Credential format ${format} not supported`);
+};
+//# sourceMappingURL=credentials.js.map

package/lib/module/utils/credentials.js.map

@@ -0,0 +1 @@
+{"version":3,"names":["decode","thumbprint","IoWalletError","SD_JWT","extractJwkFromCredential","credential","format","includes","decoded","jwk","sdJwt","payload","cnf","kid"],"sourceRoot":"../../../src","sources":["utils/credentials.ts"],"mappings":"AAAA,SAASA,MAAM,QAAQ,WAAW;AAClC,SAASC,UAAU,QAAQ,6BAA6B;AAIxD,SAASC,aAAa,QAAQ,UAAU;AAExC,MAAMC,MAAM,GAAG,CAAC,WAAW,EAAE,WAAW,CAAC;;AAEzC;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,MAAMC,wBAAwB,GAAG,MAAAA,CACtCC,UAA+C,EAC/CC,MAAuC,KACtB;EACjB,IAAIH,MAAM,CAACI,QAAQ,CAACD,MAAM,CAAC,EAAE;IAC3B;IACA,MAAME,OAAO,GAAGR,MAAM,CAACK,UAAU,CAAC;IAClC,MAAMI,GAAG,GAAGD,OAAO,CAACE,KAAK,CAACC,OAAO,CAACC,GAAG,CAACH,GAAG;IACzC,IAAIA,GAAG,EAAE;MACP,OAAO;QAAE,GAAGA,GAAG;QAAEI,GAAG,EAAE,MAAMZ,UAAU,CAACQ,GAAG;MAAE,CAAC;IAC/C;EACF;EACA,MAAM,IAAIP,aAAa,CAAE,qBAAoBI,MAAO,gBAAe,CAAC;AACtE,CAAC"}

package/lib/module/utils/crypto.js

@@ -1,7 +1,6 @@
-import { getPublicKey, sign, generate, deleteKey } from "@pagopa/io-react-native-crypto";
+import { deleteKey, generate, getPublicKeyFixed, sign } from "@pagopa/io-react-native-crypto";
 import { v4 as uuidv4 } from "uuid";
 import { thumbprint } from "@pagopa/io-react-native-jwt";
-import { fixBase64EncodingOnKey } from "./jwk";
 
 /**
  * Create a CryptoContext bound to a key pair.
@@ -12,13 +11,8 @@ import { fixBase64EncodingOnKey } from "./jwk";
  */
 export const createCryptoContextFor = keytag => {
   return {
-    /**
-     * Retrieve the public key of the pair.
-     * If the key pair doesn't exist yet, an error is raised
-     * @returns The public key.
-     */
     async getPublicKey() {
-      return getPublicKey(keytag).then(fixBase64EncodingOnKey).then(async jwk => ({
+      return getPublicKeyFixed(keytag).then(async jwk => ({
         ...jwk,
         // Keys in the TEE are not stored with their KID, which is supposed to be assigned when they are included in JWK sets.
         // (that is, KID is not a propoerty of the key itself, but it's property used to identify a key in a set).

package/lib/module/utils/crypto.js.map

@@ -1 +1 @@
-{"version":3,"names":["getPublicKey","sign","generate","deleteKey","v4","uuidv4","thumbprint","fixBase64EncodingOnKey","createCryptoContextFor","keytag","then","jwk","kid","getSignature","value","withEphemeralKey","fn","ephemeralContext","finally"],"sourceRoot":"../../../src","sources":["utils/crypto.ts"],"mappings":"AAAA,SACEA,YAAY,EACZC,IAAI,EACJC,QAAQ,EACRC,SAAS,QACJ,gCAAgC;AACvC,SAASC,EAAE,IAAIC,MAAM,QAAQ,MAAM;AACnC,SAASC,UAAU,QAA4B,6BAA6B;AAC5E,SAASC,sBAAsB,QAAQ,OAAO;;AAE9C;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,MAAMC,sBAAsB,GAAIC,MAAc,IAAoB;EACvE,OAAO;IACL;AACJ;AACA;AACA;AACA;IACI,MAAMT,YAAYA,CAAA,EAAG;MACnB,OAAOA,YAAY,CAACS,MAAM,CAAC,CACxBC,IAAI,CAACH,sBAAsB,CAAC,CAC5BG,IAAI,CAAC,MAAOC,GAAG,KAAM;QACpB,GAAGA,GAAG;QACN;QACA;QACA;QACA;QACAC,GAAG,EAAE,MAAMN,UAAU,CAACK,GAAG;MAC3B,CAAC,CAAC,CAAC;IACP,CAAC;IACD;AACJ;AACA;AACA;AACA;AACA;IACI,MAAME,YAAYA,CAACC,KAAa,EAAE;MAChC,OAAOb,IAAI,CAACa,KAAK,EAAEL,MAAM,CAAC;IAC5B;EACF,CAAC;AACH,CAAC;;AAED;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,MAAMM,gBAAgB,GAAG,MAC9BC,EAAmD,IACpC;EACf;EACA,MAAMP,MAAM,GAAI,aAAYJ,MAAM,CAAC,CAAE,EAAC;EACtC,MAAMH,QAAQ,CAACO,MAAM,CAAC;EACtB,MAAMQ,gBAAgB,GAAGT,sBAAsB,CAACC,MAAM,CAAC;EACvD,OAAOO,EAAE,CAACC,gBAAgB,CAAC,CAACC,OAAO,CAAC,MAAMf,SAAS,CAACM,MAAM,CAAC,CAAC;AAC9D,CAAC"}
+{"version":3,"names":["deleteKey","generate","getPublicKeyFixed","sign","v4","uuidv4","thumbprint","createCryptoContextFor","keytag","getPublicKey","then","jwk","kid","getSignature","value","withEphemeralKey","fn","ephemeralContext","finally"],"sourceRoot":"../../../src","sources":["utils/crypto.ts"],"mappings":"AAAA,SACEA,SAAS,EACTC,QAAQ,EACRC,iBAAiB,EACjBC,IAAI,QACC,gCAAgC;AACvC,SAASC,EAAE,IAAIC,MAAM,QAAQ,MAAM;AACnC,SAA6BC,UAAU,QAAQ,6BAA6B;;AAE5E;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,MAAMC,sBAAsB,GAAIC,MAAc,IAAoB;EACvE,OAAO;IACL,MAAMC,YAAYA,CAAA,EAAG;MACnB,OAAOP,iBAAiB,CAACM,MAAM,CAAC,CAACE,IAAI,CAAC,MAAOC,GAAG,KAAM;QACpD,GAAGA,GAAG;QACN;QACA;QACA;QACA;QACAC,GAAG,EAAE,MAAMN,UAAU,CAACK,GAAG;MAC3B,CAAC,CAAC,CAAC;IACL,CAAC;IACD;AACJ;AACA;AACA;AACA;AACA;IACI,MAAME,YAAYA,CAACC,KAAa,EAAE;MAChC,OAAOX,IAAI,CAACW,KAAK,EAAEN,MAAM,CAAC;IAC5B;EACF,CAAC;AACH,CAAC;;AAED;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,MAAMO,gBAAgB,GAAG,MAC9BC,EAAmD,IACpC;EACf;EACA,MAAMR,MAAM,GAAI,aAAYH,MAAM,CAAC,CAAE,EAAC;EACtC,MAAMJ,QAAQ,CAACO,MAAM,CAAC;EACtB,MAAMS,gBAAgB,GAAGV,sBAAsB,CAACC,MAAM,CAAC;EACvD,OAAOQ,EAAE,CAACC,gBAAgB,CAAC,CAACC,OAAO,CAAC,MAAMlB,SAAS,CAACQ,MAAM,CAAC,CAAC;AAC9D,CAAC"}

package/lib/module/utils/jwk.js

@@ -1,4 +1,4 @@
-import { removePadding } from "@pagopa/io-react-native-jwt";
+import { removePadding, thumbprint } from "@pagopa/io-react-native-jwt";
 import { z } from "zod";
 export const JWK = z.object({
   /** JWK "alg" (Algorithm) Parameter. */
@@ -72,4 +72,14 @@ export function fixBase64EncodingOnKey(key) {
 export const JWKS = z.object({
   keys: z.array(JWK)
 });
+/**
+ * Utility function that checks if two JWKs have the same thumbprint.
+ * @param jwkA The first JWK
+ * @param jwkB The second JWK
+ * @returns Whether the thumbprints match
+ */
+export const isSameThumbprint = async (jwkA, jwkB) => {
+  const [thumbprintJwkA, thumbprintJwkB] = await Promise.all([thumbprint(jwkA), thumbprint(jwkB)]);
+  return thumbprintJwkA === thumbprintJwkB;
+};
 //# sourceMappingURL=jwk.js.map

package/lib/module/utils/jwk.js.map

@@ -1 +1 @@
-{"version":3,"names":["removePadding","z","JWK","object","alg","string","optional","crv","d","dp","dq","e","ext","boolean","k","key_ops","array","kid","kty","union","literal","n","p","q","qi","use","x","y","x5c","x5t","x5u","fixBase64EncodingOnKey","key","pk","JWKS","keys"],"sourceRoot":"../../../src","sources":["utils/jwk.ts"],"mappings":"AAAA,SAAiBA,aAAa,QAAQ,6BAA6B;AACnE,SAASC,CAAC,QAAQ,KAAK;AAGvB,OAAO,MAAMC,GAAG,GAAGD,CAAC,CAACE,MAAM,CAAC;EAC1B;EACAC,GAAG,EAAEH,CAAC,CAACI,MAAM,CAAC,CAAC,CAACC,QAAQ,CAAC,CAAC;EAC1BC,GAAG,EAAEN,CAAC,CAACI,MAAM,CAAC,CAAC,CAACC,QAAQ,CAAC,CAAC;EAC1BE,CAAC,EAAEP,CAAC,CAACI,MAAM,CAAC,CAAC,CAACC,QAAQ,CAAC,CAAC;EACxBG,EAAE,EAAER,CAAC,CAACI,MAAM,CAAC,CAAC,CAACC,QAAQ,CAAC,CAAC;EACzBI,EAAE,EAAET,CAAC,CAACI,MAAM,CAAC,CAAC,CAACC,QAAQ,CAAC,CAAC;EACzBK,CAAC,EAAEV,CAAC,CAACI,MAAM,CAAC,CAAC,CAACC,QAAQ,CAAC,CAAC;EACxB;EACAM,GAAG,EAAEX,CAAC,CAACY,OAAO,CAAC,CAAC,CAACP,QAAQ,CAAC,CAAC;EAC3BQ,CAAC,EAAEb,CAAC,CAACI,MAAM,CAAC,CAAC,CAACC,QAAQ,CAAC,CAAC;EACxB;EACAS,OAAO,EAAEd,CAAC,CAACe,KAAK,CAACf,CAAC,CAACI,MAAM,CAAC,CAAC,CAAC,CAACC,QAAQ,CAAC,CAAC;EACvC;EACAW,GAAG,EAAEhB,CAAC,CAACI,MAAM,CAAC,CAAC,CAACC,QAAQ,CAAC,CAAC;EAC1B;AACF;AACA;EACEY,GAAG,EAAEjB,CAAC,CAACkB,KAAK,CAAC,CAAClB,CAAC,CAACmB,OAAO,CAAC,KAAK,CAAC,EAAEnB,CAAC,CAACmB,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC;EACjDC,CAAC,EAAEpB,CAAC,CAACI,MAAM,CAAC,CAAC,CAACC,QAAQ,CAAC,CAAC;EACxBgB,CAAC,EAAErB,CAAC,CAACI,MAAM,CAAC,CAAC,CAACC,QAAQ,CAAC,CAAC;EACxBiB,CAAC,EAAEtB,CAAC,CAACI,MAAM,CAAC,CAAC,CAACC,QAAQ,CAAC,CAAC;EACxBkB,EAAE,EAAEvB,CAAC,CAACI,MAAM,CAAC,CAAC,CAACC,QAAQ,CAAC,CAAC;EACzB;EACAmB,GAAG,EAAExB,CAAC,CAACI,MAAM,CAAC,CAAC,CAACC,QAAQ,CAAC,CAAC;EAC1BoB,CAAC,EAAEzB,CAAC,CAACI,MAAM,CAAC,CAAC,CAACC,QAAQ,CAAC,CAAC;EACxBqB,CAAC,EAAE1B,CAAC,CAACI,MAAM,CAAC,CAAC,CAACC,QAAQ,CAAC,CAAC;EACxB;EACAsB,GAAG,EAAE3B,CAAC,CAACe,KAAK,CAACf,CAAC,CAACI,MAAM,CAAC,CAAC,CAAC,CAACC,QAAQ,CAAC,CAAC;EACnC;EACAuB,GAAG,EAAE5B,CAAC,CAACI,MAAM,CAAC,CAAC,CAACC,QAAQ,CAAC,CAAC;EAC1B;EACA,UAAU,EAAEL,CAAC,CAACI,MAAM,CAAC,CAAC,CAACC,QAAQ,CAAC,CAAC;EACjC;EACAwB,GAAG,EAAE7B,CAAC,CAACI,MAAM,CAAC,CAAC,CAACC,QAAQ,CAAC;AAC3B,CAAC,CAAC;;AAEF;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,SAASyB,sBAAsBA,CAACC,GAAQ,EAAO;EACpD,MAAM;IAAEN,CAAC;IAAEC,CAAC;IAAEhB,CAAC;IAAEU,CAAC;IAAE,GAAGY;EAAG,CAAC,GAAGD,GAAG;EAEjC,OAAO;IACL,GAAGC,EAAE;IACL,IAAIP,CAAC,GAAG;MAAEA,CAAC,EAAE1B,aAAa,CAAC0B,CAAC;IAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACrC,IAAIC,CAAC,GAAG;MAAEA,CAAC,EAAE3B,aAAa,CAAC2B,CAAC;IAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACrC,IAAIhB,CAAC,GAAG;MAAEA,CAAC,EAAEX,aAAa,CAACW,CAAC;IAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACrC,IAAIU,CAAC,GAAG;MAAEA,CAAC,EAAErB,aAAa,CAACqB,CAAC;IAAE,CAAC,GAAG,CAAC,CAAC;EACtC,CAAC;AACH;AAGA,OAAO,MAAMa,IAAI,GAAGjC,CAAC,CAACE,MAAM,CAAC;EAC3BgC,IAAI,EAAElC,CAAC,CAACe,KAAK,CAACd,GAAG;AACnB,CAAC,CAAC"}
+{"version":3,"names":["removePadding","thumbprint","z","JWK","object","alg","string","optional","crv","d","dp","dq","e","ext","boolean","k","key_ops","array","kid","kty","union","literal","n","p","q","qi","use","x","y","x5c","x5t","x5u","fixBase64EncodingOnKey","key","pk","JWKS","keys","isSameThumbprint","jwkA","jwkB","thumbprintJwkA","thumbprintJwkB","Promise","all"],"sourceRoot":"../../../src","sources":["utils/jwk.ts"],"mappings":"AAAA,SAAiBA,aAAa,EAAEC,UAAU,QAAQ,6BAA6B;AAC/E,SAASC,CAAC,QAAQ,KAAK;AAGvB,OAAO,MAAMC,GAAG,GAAGD,CAAC,CAACE,MAAM,CAAC;EAC1B;EACAC,GAAG,EAAEH,CAAC,CAACI,MAAM,CAAC,CAAC,CAACC,QAAQ,CAAC,CAAC;EAC1BC,GAAG,EAAEN,CAAC,CAACI,MAAM,CAAC,CAAC,CAACC,QAAQ,CAAC,CAAC;EAC1BE,CAAC,EAAEP,CAAC,CAACI,MAAM,CAAC,CAAC,CAACC,QAAQ,CAAC,CAAC;EACxBG,EAAE,EAAER,CAAC,CAACI,MAAM,CAAC,CAAC,CAACC,QAAQ,CAAC,CAAC;EACzBI,EAAE,EAAET,CAAC,CAACI,MAAM,CAAC,CAAC,CAACC,QAAQ,CAAC,CAAC;EACzBK,CAAC,EAAEV,CAAC,CAACI,MAAM,CAAC,CAAC,CAACC,QAAQ,CAAC,CAAC;EACxB;EACAM,GAAG,EAAEX,CAAC,CAACY,OAAO,CAAC,CAAC,CAACP,QAAQ,CAAC,CAAC;EAC3BQ,CAAC,EAAEb,CAAC,CAACI,MAAM,CAAC,CAAC,CAACC,QAAQ,CAAC,CAAC;EACxB;EACAS,OAAO,EAAEd,CAAC,CAACe,KAAK,CAACf,CAAC,CAACI,MAAM,CAAC,CAAC,CAAC,CAACC,QAAQ,CAAC,CAAC;EACvC;EACAW,GAAG,EAAEhB,CAAC,CAACI,MAAM,CAAC,CAAC,CAACC,QAAQ,CAAC,CAAC;EAC1B;AACF;AACA;EACEY,GAAG,EAAEjB,CAAC,CAACkB,KAAK,CAAC,CAAClB,CAAC,CAACmB,OAAO,CAAC,KAAK,CAAC,EAAEnB,CAAC,CAACmB,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC;EACjDC,CAAC,EAAEpB,CAAC,CAACI,MAAM,CAAC,CAAC,CAACC,QAAQ,CAAC,CAAC;EACxBgB,CAAC,EAAErB,CAAC,CAACI,MAAM,CAAC,CAAC,CAACC,QAAQ,CAAC,CAAC;EACxBiB,CAAC,EAAEtB,CAAC,CAACI,MAAM,CAAC,CAAC,CAACC,QAAQ,CAAC,CAAC;EACxBkB,EAAE,EAAEvB,CAAC,CAACI,MAAM,CAAC,CAAC,CAACC,QAAQ,CAAC,CAAC;EACzB;EACAmB,GAAG,EAAExB,CAAC,CAACI,MAAM,CAAC,CAAC,CAACC,QAAQ,CAAC,CAAC;EAC1BoB,CAAC,EAAEzB,CAAC,CAACI,MAAM,CAAC,CAAC,CAACC,QAAQ,CAAC,CAAC;EACxBqB,CAAC,EAAE1B,CAAC,CAACI,MAAM,CAAC,CAAC,CAACC,QAAQ,CAAC,CAAC;EACxB;EACAsB,GAAG,EAAE3B,CAAC,CAACe,KAAK,CAACf,CAAC,CAACI,MAAM,CAAC,CAAC,CAAC,CAACC,QAAQ,CAAC,CAAC;EACnC;EACAuB,GAAG,EAAE5B,CAAC,CAACI,MAAM,CAAC,CAAC,CAACC,QAAQ,CAAC,CAAC;EAC1B;EACA,UAAU,EAAEL,CAAC,CAACI,MAAM,CAAC,CAAC,CAACC,QAAQ,CAAC,CAAC;EACjC;EACAwB,GAAG,EAAE7B,CAAC,CAACI,MAAM,CAAC,CAAC,CAACC,QAAQ,CAAC;AAC3B,CAAC,CAAC;;AAEF;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,SAASyB,sBAAsBA,CAACC,GAAQ,EAAO;EACpD,MAAM;IAAEN,CAAC;IAAEC,CAAC;IAAEhB,CAAC;IAAEU,CAAC;IAAE,GAAGY;EAAG,CAAC,GAAGD,GAAG;EAEjC,OAAO;IACL,GAAGC,EAAE;IACL,IAAIP,CAAC,GAAG;MAAEA,CAAC,EAAE3B,aAAa,CAAC2B,CAAC;IAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACrC,IAAIC,CAAC,GAAG;MAAEA,CAAC,EAAE5B,aAAa,CAAC4B,CAAC;IAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACrC,IAAIhB,CAAC,GAAG;MAAEA,CAAC,EAAEZ,aAAa,CAACY,CAAC;IAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACrC,IAAIU,CAAC,GAAG;MAAEA,CAAC,EAAEtB,aAAa,CAACsB,CAAC;IAAE,CAAC,GAAG,CAAC,CAAC;EACtC,CAAC;AACH;AAGA,OAAO,MAAMa,IAAI,GAAGjC,CAAC,CAACE,MAAM,CAAC;EAC3BgC,IAAI,EAAElC,CAAC,CAACe,KAAK,CAACd,GAAG;AACnB,CAAC,CAAC;AAIF;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,MAAMkC,gBAAgB,GAAG,MAAAA,CAAOC,IAAS,EAAEC,IAAS,KAAK;EAC9D,MAAM,CAACC,cAAc,EAAEC,cAAc,CAAC,GAAG,MAAMC,OAAO,CAACC,GAAG,CAAC,CACzD1C,UAAU,CAACqC,IAAI,CAAC,EAChBrC,UAAU,CAACsC,IAAI,CAAC,CACjB,CAAC;EACF,OAAOC,cAAc,KAAKC,cAAc;AAC1C,CAAC"}

package/lib/typescript/credential/issuance/07-verify-and-parse-credential.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"07-verify-and-parse-credential.d.ts","sourceRoot":"","sources":["../../../../src/credential/issuance/07-verify-and-parse-credential.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,6BAA6B,CAAC;AACjE,OAAO,KAAK,EAAE,GAAG,EAAE,MAAM,kBAAkB,CAAC;AAC5C,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,4BAA4B,CAAC;AAMtE,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAG/D,KAAK,UAAU,GAAG,GAAG,CAAC,mBAAmB,CAAC,CAAC,YAAY,CAAC,CAAC;AAIzD,MAAM,MAAM,wBAAwB,GAAG,CACrC,UAAU,EAAE,UAAU,EACtB,UAAU,EAAE,GAAG,CAAC,gBAAgB,CAAC,CAAC,YAAY,CAAC,EAC/C,yBAAyB,EAAE,MAAM,EACjC,OAAO,EAAE;IACP,uBAAuB,EAAE,aAAa,CAAC;IACvC;;OAEG;IACH,uBAAuB,CAAC,EAAE,OAAO,CAAC;IAClC;;OAEG;IACH,0BAA0B,CAAC,EAAE,OAAO,CAAC;CACtC,KACE,OAAO,CAAC;IACX,gBAAgB,EAAE,gBAAgB,CAAC;IACnC,UAAU,EAAE,IAAI,CAAC;IACjB,QAAQ,EAAE,IAAI,GAAG,SAAS,CAAC;CAC5B,CAAC,CAAC;AAGH,KAAK,gBAAgB,GAAG,MAAM;AAC5B,oBAAoB;AACpB,MAAM,EACN;IACE,2CAA2C;IAC3C,IAAI,EACA,yBAAyB,CAAC,MAAM,CAC9B,MAAM,EACN,MAAM,CACP,GACD,4BAA4B,CAAC,MAAM,GACnC,SAAS,CAAC;IACd,wCAAwC;IACxC,KAAK,EAAE,OAAO,CAAC;CAChB,CACF,CAAC;AAuLF;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,wBAAwB,EAAE,wBAwBtC,CAAC"}
+{"version":3,"file":"07-verify-and-parse-credential.d.ts","sourceRoot":"","sources":["../../../../src/credential/issuance/07-verify-and-parse-credential.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,6BAA6B,CAAC;AACjE,OAAO,KAAK,EAAE,GAAG,EAAE,MAAM,kBAAkB,CAAC;AAC5C,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,4BAA4B,CAAC;AAKtE,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAG/D,KAAK,UAAU,GAAG,GAAG,CAAC,mBAAmB,CAAC,CAAC,YAAY,CAAC,CAAC;AAIzD,MAAM,MAAM,wBAAwB,GAAG,CACrC,UAAU,EAAE,UAAU,EACtB,UAAU,EAAE,GAAG,CAAC,gBAAgB,CAAC,CAAC,YAAY,CAAC,EAC/C,yBAAyB,EAAE,MAAM,EACjC,OAAO,EAAE;IACP,uBAAuB,EAAE,aAAa,CAAC;IACvC;;OAEG;IACH,uBAAuB,CAAC,EAAE,OAAO,CAAC;IAClC;;OAEG;IACH,0BAA0B,CAAC,EAAE,OAAO,CAAC;CACtC,KACE,OAAO,CAAC;IACX,gBAAgB,EAAE,gBAAgB,CAAC;IACnC,UAAU,EAAE,IAAI,CAAC;IACjB,QAAQ,EAAE,IAAI,GAAG,SAAS,CAAC;CAC5B,CAAC,CAAC;AAGH,KAAK,gBAAgB,GAAG,MAAM;AAC5B,oBAAoB;AACpB,MAAM,EACN;IACE,2CAA2C;IAC3C,IAAI,EACA,yBAAyB,CAAC,MAAM,CAC9B,MAAM,EACN,MAAM,CACP,GACD,4BAA4B,CAAC,MAAM,GACnC,SAAS,CAAC;IACd,wCAAwC;IACxC,KAAK,EAAE,OAAO,CAAC;CAChB,CACF,CAAC;AAsLF;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,wBAAwB,EAAE,wBAwBtC,CAAC"}

package/lib/typescript/credential/status/02-status-assertion.d.ts

@@ -0,0 +1,23 @@
+import { type Out } from "../../utils/misc";
+import type { EvaluateIssuerTrust, ObtainCredential } from "../issuance";
+import { type CryptoContext } from "@pagopa/io-react-native-jwt";
+export type StatusAssertion = (issuerConf: Out<EvaluateIssuerTrust>["issuerConf"], credential: Out<ObtainCredential>["credential"], format: Out<ObtainCredential>["format"], context: {
+    credentialCryptoContext: CryptoContext;
+    wiaCryptoContext: CryptoContext;
+    appFetch?: GlobalFetch["fetch"];
+}) => Promise<{
+    statusAssertion: string;
+}>;
+/**
+ * Get the status assertion of a digital credential.
+ * @param issuerConf - The issuer's configuration
+ * @param credential - The credential to be verified
+ * @param format - The format of the credential, e.g. "sd-jwt"
+ * @param context.credentialCryptoContext - The credential's crypto context
+ * @param context.wiaCryptoContext - The Wallet Attestation's crypto context
+ * @param context.appFetch (optional) fetch api implementation. Default: built-in fetch
+ * @throws {IssuerResponseError} with a specific code for more context
+ * @returns The credential status assertion
+ */
+export declare const statusAssertion: StatusAssertion;
+//# sourceMappingURL=02-status-assertion.d.ts.map

package/lib/typescript/credential/status/02-status-assertion.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"02-status-assertion.d.ts","sourceRoot":"","sources":["../../../../src/credential/status/02-status-assertion.ts"],"names":[],"mappings":"AAAA,OAAO,EAGL,KAAK,GAAG,EACT,MAAM,kBAAkB,CAAC;AAC1B,OAAO,KAAK,EAAE,mBAAmB,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AACzE,OAAO,EAAE,KAAK,aAAa,EAAW,MAAM,6BAA6B,CAAC;AAY1E,MAAM,MAAM,eAAe,GAAG,CAC5B,UAAU,EAAE,GAAG,CAAC,mBAAmB,CAAC,CAAC,YAAY,CAAC,EAClD,UAAU,EAAE,GAAG,CAAC,gBAAgB,CAAC,CAAC,YAAY,CAAC,EAC/C,MAAM,EAAE,GAAG,CAAC,gBAAgB,CAAC,CAAC,QAAQ,CAAC,EACvC,OAAO,EAAE;IACP,uBAAuB,EAAE,aAAa,CAAC;IACvC,gBAAgB,EAAE,aAAa,CAAC;IAChC,QAAQ,CAAC,EAAE,WAAW,CAAC,OAAO,CAAC,CAAC;CACjC,KACE,OAAO,CAAC;IACX,eAAe,EAAE,MAAM,CAAC;CACzB,CAAC,CAAC;AAEH;;;;;;;;;;GAUG;AACH,eAAO,MAAM,eAAe,EAAE,eAoD7B,CAAC"}

package/lib/typescript/credential/status/03-verify-and-parse-status-assertion.d.ts

@@ -0,0 +1,21 @@
+import type { Out } from "../../utils/misc";
+import type { EvaluateIssuerTrust, StatusAssertion } from ".";
+import { ParsedStatusAssertion } from "./types";
+import type { ObtainCredential } from "../issuance";
+export type VerifyAndParseStatusAssertion = (issuerConf: Out<EvaluateIssuerTrust>["issuerConf"], statusAssertion: Out<StatusAssertion>, credential: Out<ObtainCredential>["credential"], format: Out<ObtainCredential>["format"]) => Promise<{
+    parsedStatusAssertion: ParsedStatusAssertion;
+}>;
+/**
+ * Given a status assertion, verifies that:
+ * - It's in the supported format;
+ * - The assertion is correctly signed;
+ * - It's bound to the given key.
+ * @param issuerConf The Issuer configuration returned by {@link evaluateIssuerTrust}
+ * @param statusAssertion The encoded status assertion returned by {@link statusAssertion}
+ * @param context.credentialCryptoContext The crypto context used to obtain the credential in {@link obtainCredential}
+ * @returns A parsed status assertion
+ * @throws {IoWalletError} If the credential signature is not verified with the Issuer key set
+ * @throws {IssuerResponseError} If the status assertion contains an error or the credential status is invalid
+ */
+export declare const verifyAndParseStatusAssertion: VerifyAndParseStatusAssertion;
+//# sourceMappingURL=03-verify-and-parse-status-assertion.d.ts.map

package/lib/typescript/credential/status/03-verify-and-parse-status-assertion.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"03-verify-and-parse-status-assertion.d.ts","sourceRoot":"","sources":["../../../../src/credential/status/03-verify-and-parse-status-assertion.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,GAAG,EAAE,MAAM,kBAAkB,CAAC;AAO5C,OAAO,KAAK,EAAE,mBAAmB,EAAE,eAAe,EAAE,MAAM,GAAG,CAAC;AAC9D,OAAO,EAEL,qBAAqB,EAItB,MAAM,SAAS,CAAC;AAEjB,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAIpD,MAAM,MAAM,6BAA6B,GAAG,CAC1C,UAAU,EAAE,GAAG,CAAC,mBAAmB,CAAC,CAAC,YAAY,CAAC,EAClD,eAAe,EAAE,GAAG,CAAC,eAAe,CAAC,EACrC,UAAU,EAAE,GAAG,CAAC,gBAAgB,CAAC,CAAC,YAAY,CAAC,EAC/C,MAAM,EAAE,GAAG,CAAC,gBAAgB,CAAC,CAAC,QAAQ,CAAC,KACpC,OAAO,CAAC;IAAE,qBAAqB,EAAE,qBAAqB,CAAA;CAAE,CAAC,CAAC;AAE/D;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,6BAA6B,EAAE,6BAiDzC,CAAC"}