@pagopa/io-react-native-wallet 2.0.0-next.4 → 2.0.0-next.5

package/src/credential/issuance/07-verify-and-parse-credential.ts

@@ -2,12 +2,11 @@ import type { CryptoContext } from "@pagopa/io-react-native-jwt";
 import type { Out } from "../../utils/misc";
 import type { EvaluateIssuerTrust } from "./02-evaluate-issuer-trust";
 import { IoWalletError } from "../../utils/errors";
-import { SdJwt4VC } from "../../sd-jwt/types";
-import { verify as verifySdJwt } from "../../sd-jwt";
+import { SdJwt4VC, verify as verifySdJwt } from "../../sd-jwt";
 import { getValueFromDisclosures } from "../../sd-jwt/converters";
-import type { JWK } from "../../utils/jwk";
+import { isSameThumbprint, type JWK } from "../../utils/jwk";
 import type { ObtainCredential } from "./06-obtain-credential";
-import { LogLevel, Logger } from "../../utils/logging";
+import { Logger, LogLevel } from "../../utils/logging";
 
 type IssuerConf = Out<EvaluateIssuerTrust>["issuerConf"];
 type CredentialConf =
@@ -169,8 +168,7 @@ async function verifyCredentialSdJwt(
     ]);
 
   const { cnf } = decodedCredential.sdJwt.payload;
-
-  if (!cnf.jwk.kid || cnf.jwk.kid !== holderBindingKey.kid) {
+  if (!(await isSameThumbprint(cnf.jwk, holderBindingKey as JWK))) {
     const message = `Failed to verify holder binding, expected kid: ${holderBindingKey.kid}, got: ${decodedCredential.sdJwt.payload.cnf.jwk.kid}`;
     Logger.log(LogLevel.ERROR, message);
     throw new IoWalletError(message);

package/src/credential/status/{02-status-attestation.ts → 02-status-assertion.ts}

@@ -6,54 +6,65 @@ import {
 import type { EvaluateIssuerTrust, ObtainCredential } from "../issuance";
 import { type CryptoContext, SignJWT } from "@pagopa/io-react-native-jwt";
 import { v4 as uuidv4 } from "uuid";
-import { StatusAttestationResponse } from "./types";
+import { StatusAssertionResponse } from "./types";
 import {
   IssuerResponseError,
   IssuerResponseErrorCodes,
   ResponseErrorBuilder,
   UnexpectedStatusCodeError,
 } from "../../utils/errors";
-import { LogLevel, Logger } from "../../utils/logging";
+import { Logger, LogLevel } from "../../utils/logging";
+import { extractJwkFromCredential } from "../../utils/credentials";
 
-export type StatusAttestation = (
+export type StatusAssertion = (
   issuerConf: Out<EvaluateIssuerTrust>["issuerConf"],
   credential: Out<ObtainCredential>["credential"],
-  credentialCryptoContext: CryptoContext,
-  appFetch?: GlobalFetch["fetch"]
+  format: Out<ObtainCredential>["format"],
+  context: {
+    credentialCryptoContext: CryptoContext;
+    wiaCryptoContext: CryptoContext;
+    appFetch?: GlobalFetch["fetch"];
+  }
 ) => Promise<{
-  statusAttestation: StatusAttestationResponse["status_attestation"];
+  statusAssertion: string;
 }>;
 
 /**
- * WARNING: This function must be called after {@link startFlow}.
- * Verify the status of the credential attestation.
+ * Get the status assertion of a digital credential.
  * @param issuerConf - The issuer's configuration
  * @param credential - The credential to be verified
- * @param credentialCryptoContext - The credential's crypto context
+ * @param format - The format of the credential, e.g. "sd-jwt"
+ * @param context.credentialCryptoContext - The credential's crypto context
+ * @param context.wiaCryptoContext - The Wallet Attestation's crypto context
  * @param context.appFetch (optional) fetch api implementation. Default: built-in fetch
  * @throws {IssuerResponseError} with a specific code for more context
- * @returns The credential status attestation
+ * @returns The credential status assertion
  */
-export const statusAttestation: StatusAttestation = async (
+export const statusAssertion: StatusAssertion = async (
   issuerConf,
   credential,
-  credentialCryptoContext,
-  appFetch: GlobalFetch["fetch"] = fetch
+  format,
+  ctx
 ) => {
-  const jwk = await credentialCryptoContext.getPublicKey();
+  const { credentialCryptoContext, wiaCryptoContext, appFetch = fetch } = ctx;
+
+  const jwk = await extractJwkFromCredential(credential, format);
+  const issuerJwk = await wiaCryptoContext.getPublicKey();
   const credentialHash = await getCredentialHashWithouDiscloures(credential);
   const statusAttUrl =
     issuerConf.openid_credential_issuer.status_attestation_endpoint;
+
   const credentialPop = await new SignJWT(credentialCryptoContext)
     .setPayload({
+      iss: issuerJwk.kid,
       aud: statusAttUrl,
       jti: uuidv4().toString(),
       credential_hash: credentialHash,
-      credential_hash_alg: "S256",
+      credential_hash_alg: "sha-256",
     })
     .setProtectedHeader({
       alg: "ES256",
-      typ: "status-attestation-request+jwt",
+      typ: "status-assertion-request+jwt",
       kid: jwk.kid,
     })
     .setIssuedAt()
@@ -61,7 +72,7 @@ export const statusAttestation: StatusAttestation = async (
     .sign();
 
   const body = {
-    credential_pop: credentialPop,
+    status_assertion_requests: [credentialPop],
   };
 
   Logger.log(LogLevel.DEBUG, `Credential pop: ${credentialPop}`);
@@ -73,33 +84,31 @@ export const statusAttestation: StatusAttestation = async (
     },
     body: JSON.stringify(body),
   })
-    .then(hasStatusOrThrow(201))
+    .then(hasStatusOrThrow(200))
     .then((raw) => raw.json())
-    .then((json) => StatusAttestationResponse.parse(json))
-    .catch(handleStatusAttestationError);
+    .then((json) => StatusAssertionResponse.parse(json))
+    .catch(handleStatusAssertionError);
 
-  return { statusAttestation: result.status_attestation };
+  const [statusAttestationJwt] = result.status_assertion_responses;
+
+  return { statusAssertion: statusAttestationJwt! };
 };
 
 /**
- * Handle the status attestation error by mapping it to a custom exception.
+ * Handle the status assertion error by mapping it to a custom exception.
  * If the error is not an instance of {@link UnexpectedStatusCodeError}, it is thrown as is.
  * @param e - The error to be handled
  * @throws {IssuerResponseError} with a specific code for more context
  */
-const handleStatusAttestationError = (e: unknown) => {
+const handleStatusAssertionError = (e: unknown) => {
   if (!(e instanceof UnexpectedStatusCodeError)) {
     throw e;
   }
 
   throw new ResponseErrorBuilder(IssuerResponseError)
-    .handle(404, {
-      code: IssuerResponseErrorCodes.CredentialInvalidStatus,
-      message: "Invalid status found for the given credential",
-    })
     .handle("*", {
       code: IssuerResponseErrorCodes.StatusAttestationRequestFailed,
-      message: `Unable to obtain the status attestation for the given credential`,
+      message: `Unable to obtain the status assertion for the given credential`,
     })
     .buildFrom(e);
 };

package/src/credential/status/03-verify-and-parse-status-assertion.ts

@@ -0,0 +1,109 @@
+import type { Out } from "../../utils/misc";
+import {
+  IoWalletError,
+  IssuerResponseError,
+  IssuerResponseErrorCodes,
+} from "../../utils/errors";
+import { decode as decodeJwt, verify } from "@pagopa/io-react-native-jwt";
+import type { EvaluateIssuerTrust, StatusAssertion } from ".";
+import {
+  type InvalidStatusErrorReason,
+  ParsedStatusAssertion,
+  ParsedStatusAssertionError,
+  ParsedStatusAssertionResponse,
+  StatusType,
+} from "./types";
+import { Logger, LogLevel } from "../../utils/logging";
+import type { ObtainCredential } from "../issuance";
+import { extractJwkFromCredential } from "../../utils/credentials";
+import { isSameThumbprint } from "../../utils/jwk";
+
+export type VerifyAndParseStatusAssertion = (
+  issuerConf: Out<EvaluateIssuerTrust>["issuerConf"],
+  statusAssertion: Out<StatusAssertion>,
+  credential: Out<ObtainCredential>["credential"],
+  format: Out<ObtainCredential>["format"]
+) => Promise<{ parsedStatusAssertion: ParsedStatusAssertion }>;
+
+/**
+ * Given a status assertion, verifies that:
+ * - It's in the supported format;
+ * - The assertion is correctly signed;
+ * - It's bound to the given key.
+ * @param issuerConf The Issuer configuration returned by {@link evaluateIssuerTrust}
+ * @param statusAssertion The encoded status assertion returned by {@link statusAssertion}
+ * @param context.credentialCryptoContext The crypto context used to obtain the credential in {@link obtainCredential}
+ * @returns A parsed status assertion
+ * @throws {IoWalletError} If the credential signature is not verified with the Issuer key set
+ * @throws {IssuerResponseError} If the status assertion contains an error or the credential status is invalid
+ */
+export const verifyAndParseStatusAssertion: VerifyAndParseStatusAssertion =
+  async (issuerConf, rawStatusAssertion, credential, format) => {
+    const { statusAssertion } = rawStatusAssertion;
+
+    await verify(
+      statusAssertion,
+      issuerConf.openid_credential_issuer.jwks.keys
+    );
+
+    const decodedJwt = decodeJwt(statusAssertion);
+    const parsedStatusAssertion = ParsedStatusAssertionResponse.parse({
+      header: decodedJwt.protectedHeader,
+      payload: decodedJwt.payload,
+    });
+
+    Logger.log(
+      LogLevel.DEBUG,
+      `Parsed status assertion: ${JSON.stringify(parsedStatusAssertion)}`
+    );
+
+    // Errors are transmitted in the JWT and use a 200 HTTP status code
+    if (isStatusAssertionError(parsedStatusAssertion)) {
+      throw new IssuerResponseError({
+        code: IssuerResponseErrorCodes.CredentialInvalidStatus,
+        message: "The status assertion contains an error",
+        statusCode: 200,
+        reason: buildErrorReason(parsedStatusAssertion),
+      });
+    }
+
+    const { cnf, credential_status_type } = parsedStatusAssertion.payload;
+    const holderBindingKey = await extractJwkFromCredential(credential, format);
+
+    if (!(await isSameThumbprint(cnf.jwk, holderBindingKey))) {
+      const errorMessage = `Failed to verify holder binding for status assertion: the thumbprints of keys ${cnf.jwk.kid} and ${holderBindingKey.kid} do not match`;
+      Logger.log(LogLevel.ERROR, errorMessage);
+      throw new IoWalletError(errorMessage);
+    }
+
+    if (credential_status_type !== StatusType.VALID) {
+      throw new IssuerResponseError({
+        code: IssuerResponseErrorCodes.CredentialInvalidStatus,
+        message: "Invalid status found for the given credential",
+        statusCode: 200,
+        reason: buildErrorReason(parsedStatusAssertion),
+      });
+    }
+
+    return { parsedStatusAssertion };
+  };
+
+const isStatusAssertionError = (
+  assertion: ParsedStatusAssertionResponse
+): assertion is ParsedStatusAssertionError =>
+  assertion.header.typ === "status-assertion-error+jwt";
+
+/**
+ * Build an object containing the details on the error to use as the IssuerResponseError's reason
+ * @param assertion The status assertion response, both success or failure
+ * @returns The error's reason object
+ */
+const buildErrorReason = ({
+  payload,
+}: ParsedStatusAssertionResponse): InvalidStatusErrorReason =>
+  "error" in payload
+    ? payload
+    : {
+        error: payload.credential_status_detail!.state,
+        error_description: payload.credential_status_detail!.description,
+      };

package/src/credential/status/README.md

@@ -1,16 +1,16 @@
-# Credential Status Attestation
+# Credential Status Assertion
 
-This flow is used to obtain a credential status attestation from its credential issuer. Each step in the flow is imported from the related file which is named with a sequential number.
-The credential status attestation is a JWT which contains the credential status which indicates if the credential is valid or not.
-The status attestation is supposed to be stored securely along with the credential. It has a limited lifetime and should be refreshed periodically according to the `exp` field in the JWT payload.
+This flow is used to obtain a credential status assertion from its credential issuer. Each step in the flow is imported from the related file which is named with a sequential number.
+The credential status assertion is a JWT which contains the credential status which indicates if the credential is valid or not (see [OAuth Status Assertions](https://italia.github.io/eid-wallet-it-docs/versione-corrente/en/credential-revocation.html#oauth-status-assertions)).
+The status assertion is supposed to be stored securely along with the credential. It has a limited lifetime and should be refreshed periodically according to the `exp` field in the JWT payload.
 
 ## Sequence Diagram
 
 ```mermaid
 graph TD;
     0[startFlow]
-    1[statusAttestation]
-    2[verifyAndParseStatusAttestation]
+    1[statusAssertion]
+    2[verifyAndParseStatusAssertion]
 
     0 --> 1
     1 --> 2
@@ -21,14 +21,14 @@ graph TD;
 
 The following errors are mapped to a `IssuerResponseError` with specific codes.
 
-|HTTP Status|Error Code|Description|
-|-----------|----------|-----------|
-|`404 Not Found`|`ERR_CREDENTIAL_INVALID_STATUS`|This response is returned by the credential issuer when the status attestation is invalid. It might contain more details in the `reason` property.|
+|Error Code|Description|
+|----------|-----------|
+|`ERR_CREDENTIAL_INVALID_STATUS`|This error is thrown when the status assertion for a given credential is invalid. It might contain more details in the `reason` property.|
 
 ## Example
 
 <details>
-  <summary>Credential status attestation flow</summary>
+  <summary>Credential status assertion flow</summary>
 
 ```ts
 // Start the issuance flow
@@ -42,24 +42,26 @@ const { issuerUrl } = startFlow();
 // Evaluate issuer trust
 const { issuerConf } = await Credential.Status.evaluateIssuerTrust(issuerUrl);
 
-// Get the credential attestation
-const res = await Credential.Status.statusAttestation(
+// Get the credential assertion
+const res = await Credential.Status.statusAssertion(
   issuerConf,
   credential,
-  credentialCryptoContext
+  format,
+  { credentialCryptoContext, wiaCryptoContext }
 );
 
-// Verify and parse the status attestation
-const { parsedStatusAttestation } =
-  await Credential.Status.verifyAndParseStatusAttestation(
+// Verify and parse the status assertion
+const { parsedStatusAssertion } =
+  await Credential.Status.verifyAndParseStatusAssertion(
     issuerConf,
-    res.statusAttestation,
-    { credentialCryptoContext }
+    res.statusAssertion,
+    credential,
+    format
   );
 
 return {
-  statusAttestation: res.statusAttestation,
-  parsedStatusAttestation,
+  statusAssertion: res.statusAssertion,
+  parsedStatusAssertion,
 };
 ```
 

package/src/credential/status/index.ts

@@ -1,22 +1,15 @@
 import { type StartFlow } from "./01-start-flow";
-import {
-  statusAttestation,
-  type StatusAttestation,
-} from "./02-status-attestation";
+import { statusAssertion, type StatusAssertion } from "./02-status-assertion";
 import { evaluateIssuerTrust, type EvaluateIssuerTrust } from "../issuance";
 import {
-  verifyAndParseStatusAttestation,
-  type VerifyAndParseStatusAttestation,
-} from "./03-verify-and-parse-status-attestation";
+  verifyAndParseStatusAssertion,
+  type VerifyAndParseStatusAssertion,
+} from "./03-verify-and-parse-status-assertion";
 
-export {
-  evaluateIssuerTrust,
-  statusAttestation,
-  verifyAndParseStatusAttestation,
-};
+export { evaluateIssuerTrust, statusAssertion, verifyAndParseStatusAssertion };
 export type {
   StartFlow,
   EvaluateIssuerTrust,
-  StatusAttestation,
-  VerifyAndParseStatusAttestation,
+  StatusAssertion,
+  VerifyAndParseStatusAssertion,
 };

package/src/credential/status/types.ts

@@ -3,35 +3,38 @@ import { JWK } from "../../utils/jwk";
 import * as z from "zod";
 
 /**
- * Shape from parsing a status attestation response in case of 201.
+ * Shape from parsing a status assertion response in case of 201.
  */
-export const StatusAttestationResponse = z.object({
-  status_attestation: z.string(),
+export const StatusAssertionResponse = z.object({
+  status_assertion_responses: z.array(z.string()),
 });
 
 /**
- * Type from parsing a status attestation response in case of 201.
- * Inferred from {@link StatusAttestationResponse}.
+ * Type from parsing a status assertion response in case of 201.
+ * Inferred from {@link StatusAssertionResponse}.
  */
-export type StatusAttestationResponse = z.infer<
-  typeof StatusAttestationResponse
->;
+export type StatusAssertionResponse = z.infer<typeof StatusAssertionResponse>;
 
-/**
- * Type for a parsed status attestation.
- */
-export type ParsedStatusAttestation = z.infer<typeof ParsedStatusAttestation>;
+export type ParsedStatusAssertion = z.infer<typeof ParsedStatusAssertion>;
 
 /**
- * Shape for parsing a status attestation in a JWT.
+ * Shape for parsing a successful status assertion in a JWT.
  */
-export const ParsedStatusAttestation = z.object({
+export const ParsedStatusAssertion = z.object({
   header: z.object({
-    typ: z.literal("status-attestation+jwt"),
+    typ: z.literal("status-assertion+jwt"),
     alg: z.string(),
     kid: z.string().optional(),
   }),
   payload: z.object({
+    iss: z.string(),
+    credential_status_type: z.string(),
+    credential_status_detail: z
+      .object({
+        state: z.string(),
+        description: z.string(),
+      })
+      .optional(),
     credential_hash_alg: z.string(),
     credential_hash: z.string(),
     cnf: z.object({
@@ -41,3 +44,47 @@ export const ParsedStatusAttestation = z.object({
     iat: UnixTime,
   }),
 });
+
+export type ParsedStatusAssertionError = z.infer<
+  typeof ParsedStatusAssertionError
+>;
+
+/**
+ * The JWT that contains the errors occurred for the status assertion request.
+ * @see https://italia.github.io/eid-wallet-it-docs/versione-corrente/en/credential-revocation.html#http-status-assertion-response
+ */
+export const ParsedStatusAssertionError = z.object({
+  header: z.object({
+    typ: z.literal("status-assertion-error+jwt"),
+    alg: z.string(),
+    kid: z.string().optional(),
+  }),
+  payload: z.object({
+    credential_hash_alg: z.string(),
+    credential_hash: z.string(),
+    error: z.string(),
+    error_description: z.string(),
+  }),
+});
+
+/**
+ * The status assertion response that might include either a successful assertion or an error
+ */
+export type ParsedStatusAssertionResponse = z.infer<
+  typeof ParsedStatusAssertionResponse
+>;
+export const ParsedStatusAssertionResponse = z.union([
+  ParsedStatusAssertion,
+  ParsedStatusAssertionError,
+]);
+
+export enum StatusType {
+  VALID = "0x00",
+  INVALID = "0x01",
+  SUSPENDED = "0x02",
+}
+
+export type InvalidStatusErrorReason = {
+  error: string;
+  error_description: string;
+};

package/src/utils/credentials.ts

@@ -0,0 +1,29 @@
+import { decode } from "../sd-jwt";
+import { thumbprint } from "@pagopa/io-react-native-jwt";
+import type { Out } from "./misc";
+import type { ObtainCredential } from "../credential/issuance";
+import type { JWK } from "./jwk";
+import { IoWalletError } from "./errors";
+
+const SD_JWT = ["vc+sd-jwt", "dc+sd-jwt"];
+
+/**
+ * Extracts a JWK from a credential.
+ * @param credential - The credential string, which can be in SD-JWT or CBOR format.
+ * @param format - The format of the credential
+ * @return A Promise that resolves to a JWK object if the credential is in SD-JWT format and contains a JWK, or undefined otherwise.
+ */
+export const extractJwkFromCredential = async (
+  credential: Out<ObtainCredential>["credential"],
+  format: Out<ObtainCredential>["format"]
+): Promise<JWK> => {
+  if (SD_JWT.includes(format)) {
+    // 1. SD-JWT case
+    const decoded = decode(credential);
+    const jwk = decoded.sdJwt.payload.cnf.jwk;
+    if (jwk) {
+      return { ...jwk, kid: await thumbprint(jwk) };
+    }
+  }
+  throw new IoWalletError(`Credential format ${format} not supported`);
+};

package/src/utils/crypto.ts

@@ -1,12 +1,11 @@
 import {
-  getPublicKey,
-  sign,
-  generate,
   deleteKey,
+  generate,
+  getPublicKeyFixed,
+  sign,
 } from "@pagopa/io-react-native-crypto";
 import { v4 as uuidv4 } from "uuid";
-import { thumbprint, type CryptoContext } from "@pagopa/io-react-native-jwt";
-import { fixBase64EncodingOnKey } from "./jwk";
+import { type CryptoContext, thumbprint } from "@pagopa/io-react-native-jwt";
 
 /**
  * Create a CryptoContext bound to a key pair.
@@ -17,22 +16,15 @@ import { fixBase64EncodingOnKey } from "./jwk";
  */
 export const createCryptoContextFor = (keytag: string): CryptoContext => {
   return {
-    /**
-     * Retrieve the public key of the pair.
-     * If the key pair doesn't exist yet, an error is raised
-     * @returns The public key.
-     */
     async getPublicKey() {
-      return getPublicKey(keytag)
-        .then(fixBase64EncodingOnKey)
-        .then(async (jwk) => ({
-          ...jwk,
-          // Keys in the TEE are not stored with their KID, which is supposed to be assigned when they are included in JWK sets.
-          // (that is, KID is not a propoerty of the key itself, but it's property used to identify a key in a set).
-          // We assume the convention we use the thumbprint of the public key as KID, thus for easy development we decided to evaluate KID here
-          // However the values is an arbitrary string that might be anything
-          kid: await thumbprint(jwk),
-        }));
+      return getPublicKeyFixed(keytag).then(async (jwk) => ({
+        ...jwk,
+        // Keys in the TEE are not stored with their KID, which is supposed to be assigned when they are included in JWK sets.
+        // (that is, KID is not a propoerty of the key itself, but it's property used to identify a key in a set).
+        // We assume the convention we use the thumbprint of the public key as KID, thus for easy development we decided to evaluate KID here
+        // However the values is an arbitrary string that might be anything
+        kid: await thumbprint(jwk),
+      }));
     },
     /**
      * Get a signature for a provided value.

package/src/utils/jwk.ts

@@ -1,4 +1,4 @@
-import { decode, removePadding } from "@pagopa/io-react-native-jwt";
+import { decode, removePadding, thumbprint } from "@pagopa/io-react-native-jwt";
 import { z } from "zod";
 
 export type JWK = z.infer<typeof JWK>;
@@ -65,3 +65,17 @@ export const JWKS = z.object({
 });
 
 export type JWTDecodeResult = ReturnType<typeof decode>;
+
+/**
+ * Utility function that checks if two JWKs have the same thumbprint.
+ * @param jwkA The first JWK
+ * @param jwkB The second JWK
+ * @returns Whether the thumbprints match
+ */
+export const isSameThumbprint = async (jwkA: JWK, jwkB: JWK) => {
+  const [thumbprintJwkA, thumbprintJwkB] = await Promise.all([
+    thumbprint(jwkA),
+    thumbprint(jwkB),
+  ]);
+  return thumbprintJwkA === thumbprintJwkB;
+};

package/lib/commonjs/credential/status/02-status-attestation.js.map

@@ -1 +0,0 @@
-{"version":3,"names":["_misc","require","_ioReactNativeJwt","_uuid","_types","_errors","_logging","statusAttestation","issuerConf","credential","credentialCryptoContext","appFetch","arguments","length","undefined","fetch","jwk","getPublicKey","credentialHash","getCredentialHashWithouDiscloures","statusAttUrl","openid_credential_issuer","status_attestation_endpoint","credentialPop","SignJWT","setPayload","aud","jti","uuidv4","toString","credential_hash","credential_hash_alg","setProtectedHeader","alg","typ","kid","setIssuedAt","setExpirationTime","sign","body","credential_pop","Logger","log","LogLevel","DEBUG","result","method","headers","JSON","stringify","then","hasStatusOrThrow","raw","json","StatusAttestationResponse","parse","catch","handleStatusAttestationError","status_attestation","exports","e","UnexpectedStatusCodeError","ResponseErrorBuilder","IssuerResponseError","handle","code","IssuerResponseErrorCodes","CredentialInvalidStatus","message","StatusAttestationRequestFailed","buildFrom"],"sourceRoot":"../../../../src","sources":["credential/status/02-status-attestation.ts"],"mappings":";;;;;;AAAA,IAAAA,KAAA,GAAAC,OAAA;AAMA,IAAAC,iBAAA,GAAAD,OAAA;AACA,IAAAE,KAAA,GAAAF,OAAA;AACA,IAAAG,MAAA,GAAAH,OAAA;AACA,IAAAI,OAAA,GAAAJ,OAAA;AAMA,IAAAK,QAAA,GAAAL,OAAA;AAWA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACO,MAAMM,iBAAoC,GAAG,eAAAA,CAClDC,UAAU,EACVC,UAAU,EACVC,uBAAuB,EAEpB;EAAA,IADHC,QAA8B,GAAAC,SAAA,CAAAC,MAAA,QAAAD,SAAA,QAAAE,SAAA,GAAAF,SAAA,MAAGG,KAAK;EAEtC,MAAMC,GAAG,GAAG,MAAMN,uBAAuB,CAACO,YAAY,CAAC,CAAC;EACxD,MAAMC,cAAc,GAAG,MAAM,IAAAC,uCAAiC,EAACV,UAAU,CAAC;EAC1E,MAAMW,YAAY,GAChBZ,UAAU,CAACa,wBAAwB,CAACC,2BAA2B;EACjE,MAAMC,aAAa,GAAG,MAAM,IAAIC,yBAAO,CAACd,uBAAuB,CAAC,CAC7De,UAAU,CAAC;IACVC,GAAG,EAAEN,YAAY;IACjBO,GAAG,EAAE,IAAAC,QAAM,EAAC,CAAC,CAACC,QAAQ,CAAC,CAAC;IACxBC,eAAe,EAAEZ,cAAc;IAC/Ba,mBAAmB,EAAE;EACvB,CAAC,CAAC,CACDC,kBAAkB,CAAC;IAClBC,GAAG,EAAE,OAAO;IACZC,GAAG,EAAE,gCAAgC;IACrCC,GAAG,EAAEnB,GAAG,CAACmB;EACX,CAAC,CAAC,CACDC,WAAW,CAAC,CAAC,CACbC,iBAAiB,CAAC,IAAI,CAAC,CACvBC,IAAI,CAAC,CAAC;EAET,MAAMC,IAAI,GAAG;IACXC,cAAc,EAAEjB;EAClB,CAAC;EAEDkB,eAAM,CAACC,GAAG,CAACC,iBAAQ,CAACC,KAAK,EAAG,mBAAkBrB,aAAc,EAAC,CAAC;EAE9D,MAAMsB,MAAM,GAAG,MAAMlC,QAAQ,CAACS,YAAY,EAAE;IAC1C0B,MAAM,EAAE,MAAM;IACdC,OAAO,EAAE;MACP,cAAc,EAAE;IAClB,CAAC;IACDR,IAAI,EAAES,IAAI,CAACC,SAAS,CAACV,IAAI;EAC3B,CAAC,CAAC,CACCW,IAAI,CAAC,IAAAC,sBAAgB,EAAC,GAAG,CAAC,CAAC,CAC3BD,IAAI,CAAEE,GAAG,IAAKA,GAAG,CAACC,IAAI,CAAC,CAAC,CAAC,CACzBH,IAAI,CAAEG,IAAI,IAAKC,gCAAyB,CAACC,KAAK,CAACF,IAAI,CAAC,CAAC,CACrDG,KAAK,CAACC,4BAA4B,CAAC;EAEtC,OAAO;IAAElD,iBAAiB,EAAEsC,MAAM,CAACa;EAAmB,CAAC;AACzD,CAAC;;AAED;AACA;AACA;AACA;AACA;AACA;AALAC,OAAA,CAAApD,iBAAA,GAAAA,iBAAA;AAMA,MAAMkD,4BAA4B,GAAIG,CAAU,IAAK;EACnD,IAAI,EAAEA,CAAC,YAAYC,iCAAyB,CAAC,EAAE;IAC7C,MAAMD,CAAC;EACT;EAEA,MAAM,IAAIE,4BAAoB,CAACC,2BAAmB,CAAC,CAChDC,MAAM,CAAC,GAAG,EAAE;IACXC,IAAI,EAAEC,gCAAwB,CAACC,uBAAuB;IACtDC,OAAO,EAAE;EACX,CAAC,CAAC,CACDJ,MAAM,CAAC,GAAG,EAAE;IACXC,IAAI,EAAEC,gCAAwB,CAACG,8BAA8B;IAC7DD,OAAO,EAAG;EACZ,CAAC,CAAC,CACDE,SAAS,CAACV,CAAC,CAAC;AACjB,CAAC"}

package/lib/commonjs/credential/status/03-verify-and-parse-status-attestation.js

@@ -1,55 +0,0 @@
-"use strict";
-
-Object.defineProperty(exports, "__esModule", {
-  value: true
-});
-exports.verifyAndParseStatusAttestation = void 0;
-var _errors = require("../../utils/errors");
-var _ioReactNativeJwt = require("@pagopa/io-react-native-jwt");
-var _types = require("./types");
-var _logging = require("../../utils/logging");
-/**
- * Given a status attestation, verifies that:
- * - It's in the supported format;
- * - The attestation is correctly signed;
- * - It's bound to the given key.
- * @param issuerConf The Issuer configuration returned by {@link evaluateIssuerTrust}
- * @param statusAttestation The encoded status attestation returned by {@link statusAttestation}
- * @param context.credentialCryptoContext The crypto context used to obtain the credential in {@link obtainCredential}
- * @returns A parsed status attestation
- * @throws {IoWalletError} If the credential signature is not verified with the Issuer key set
- * @throws {IoWalletError} If the credential is not bound to the provided user key
- * @throws {IoWalletError} If the credential data fail to parse
- */
-const verifyAndParseStatusAttestation = async (issuerConf, rawStatusAttestation, context) => {
-  try {
-    const {
-      statusAttestation
-    } = rawStatusAttestation;
-    const {
-      credentialCryptoContext
-    } = context;
-    await (0, _ioReactNativeJwt.verify)(statusAttestation, issuerConf.openid_credential_issuer.jwks.keys);
-    const decodedJwt = (0, _ioReactNativeJwt.decode)(statusAttestation);
-    const parsedStatusAttestation = _types.ParsedStatusAttestation.parse({
-      header: decodedJwt.protectedHeader,
-      payload: decodedJwt.payload
-    });
-    _logging.Logger.log(_logging.LogLevel.DEBUG, `Parsed status attestation: ${JSON.stringify(parsedStatusAttestation)}`);
-    const holderBindingKey = await credentialCryptoContext.getPublicKey();
-    const {
-      cnf
-    } = parsedStatusAttestation.payload;
-    if (!cnf.jwk.kid || cnf.jwk.kid !== holderBindingKey.kid) {
-      _logging.Logger.log(_logging.LogLevel.ERROR, `Failed to verify holder binding for status attestation, expected kid: ${holderBindingKey.kid}, got: ${parsedStatusAttestation.payload.cnf.jwk.kid}`);
-      throw new _errors.IoWalletError(`Failed to verify holder binding for status attestation, expected kid: ${holderBindingKey.kid}, got: ${parsedStatusAttestation.payload.cnf.jwk.kid}`);
-    }
-    return {
-      parsedStatusAttestation
-    };
-  } catch (e) {
-    throw new _errors.IoWalletError(`Failed to verify status attestation: ${JSON.stringify(e)}`);
-  }
-};
-exports.verifyAndParseStatusAttestation = verifyAndParseStatusAttestation;
-//# sourceMappingURL=03-verify-and-parse-status-attestation.js.map

package/lib/commonjs/credential/status/03-verify-and-parse-status-attestation.js.map

@@ -1 +0,0 @@
-{"version":3,"names":["_errors","require","_ioReactNativeJwt","_types","_logging","verifyAndParseStatusAttestation","issuerConf","rawStatusAttestation","context","statusAttestation","credentialCryptoContext","verify","openid_credential_issuer","jwks","keys","decodedJwt","decodeJwt","parsedStatusAttestation","ParsedStatusAttestation","parse","header","protectedHeader","payload","Logger","log","LogLevel","DEBUG","JSON","stringify","holderBindingKey","getPublicKey","cnf","jwk","kid","ERROR","IoWalletError","e","exports"],"sourceRoot":"../../../../src","sources":["credential/status/03-verify-and-parse-status-attestation.ts"],"mappings":";;;;;;AACA,IAAAA,OAAA,GAAAC,OAAA;AACA,IAAAC,iBAAA,GAAAD,OAAA;AAEA,IAAAE,MAAA,GAAAF,OAAA;AAEA,IAAAG,QAAA,GAAAH,OAAA;AAUA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACO,MAAMI,+BAAgE,GAC3E,MAAAA,CAAOC,UAAU,EAAEC,oBAAoB,EAAEC,OAAO,KAAK;EACnD,IAAI;IACF,MAAM;MAAEC;IAAkB,CAAC,GAAGF,oBAAoB;IAClD,MAAM;MAAEG;IAAwB,CAAC,GAAGF,OAAO;IAE3C,MAAM,IAAAG,wBAAM,EACVF,iBAAiB,EACjBH,UAAU,CAACM,wBAAwB,CAACC,IAAI,CAACC,IAC3C,CAAC;IAED,MAAMC,UAAU,GAAG,IAAAC,wBAAS,EAACP,iBAAiB,CAAC;IAC/C,MAAMQ,uBAAuB,GAAGC,8BAAuB,CAACC,KAAK,CAAC;MAC5DC,MAAM,EAAEL,UAAU,CAACM,eAAe;MAClCC,OAAO,EAAEP,UAAU,CAACO;IACtB,CAAC,CAAC;IAEFC,eAAM,CAACC,GAAG,CACRC,iBAAQ,CAACC,KAAK,EACb,8BAA6BC,IAAI,CAACC,SAAS,CAACX,uBAAuB,CAAE,EACxE,CAAC;IAED,MAAMY,gBAAgB,GAAG,MAAMnB,uBAAuB,CAACoB,YAAY,CAAC,CAAC;IACrE,MAAM;MAAEC;IAAI,CAAC,GAAGd,uBAAuB,CAACK,OAAO;IAC/C,IAAI,CAACS,GAAG,CAACC,GAAG,CAACC,GAAG,IAAIF,GAAG,CAACC,GAAG,CAACC,GAAG,KAAKJ,gBAAgB,CAACI,GAAG,EAAE;MACxDV,eAAM,CAACC,GAAG,CACRC,iBAAQ,CAACS,KAAK,EACb,yEAAwEL,gBAAgB,CAACI,GAAI,UAAShB,uBAAuB,CAACK,OAAO,CAACS,GAAG,CAACC,GAAG,CAACC,GAAI,EACrJ,CAAC;MACD,MAAM,IAAIE,qBAAa,CACpB,yEAAwEN,gBAAgB,CAACI,GAAI,UAAShB,uBAAuB,CAACK,OAAO,CAACS,GAAG,CAACC,GAAG,CAACC,GAAI,EACrJ,CAAC;IACH;IAEA,OAAO;MAAEhB;IAAwB,CAAC;EACpC,CAAC,CAAC,OAAOmB,CAAC,EAAE;IACV,MAAM,IAAID,qBAAa,CACpB,wCAAuCR,IAAI,CAACC,SAAS,CAACQ,CAAC,CAAE,EAC5D,CAAC;EACH;AACF,CAAC;AAACC,OAAA,CAAAhC,+BAAA,GAAAA,+BAAA"}