@pagopa/io-react-native-wallet 2.0.0-next.4 → 2.0.0-next.6

package/lib/typescript/trust/types.d.ts

@@ -2351,7 +2351,7 @@ export declare const CredentialIssuerEntityConfiguration: z.ZodIntersection<z.Zo
                         locale: string;
                     }>, "many">;
                     claims: z.ZodArray<z.ZodObject<{
-                        path: z.ZodArray<z.ZodString, "many">;
+                        path: z.ZodArray<z.ZodUnion<[z.ZodString, z.ZodNumber, z.ZodNull]>, "many">;
                         display: z.ZodArray<z.ZodObject<{
                             name: z.ZodString;
                             locale: z.ZodString;
@@ -2363,13 +2363,13 @@ export declare const CredentialIssuerEntityConfiguration: z.ZodIntersection<z.Zo
                             locale: string;
                         }>, "many">;
                     }, "strip", z.ZodTypeAny, {
-                        path: string[];
+                        path: (string | number | null)[];
                         display: {
                             name: string;
                             locale: string;
                         }[];
                     }, {
-                        path: string[];
+                        path: (string | number | null)[];
                         display: {
                             name: string;
                             locale: string;
@@ -2412,7 +2412,7 @@ export declare const CredentialIssuerEntityConfiguration: z.ZodIntersection<z.Zo
                         locale: string;
                     }[];
                     claims: {
-                        path: string[];
+                        path: (string | number | null)[];
                         display: {
                             name: string;
                             locale: string;
@@ -2435,7 +2435,7 @@ export declare const CredentialIssuerEntityConfiguration: z.ZodIntersection<z.Zo
                         locale: string;
                     }[];
                     claims: {
-                        path: string[];
+                        path: (string | number | null)[];
                         display: {
                             name: string;
                             locale: string;
@@ -2624,7 +2624,7 @@ export declare const CredentialIssuerEntityConfiguration: z.ZodIntersection<z.Zo
                         locale: string;
                     }[];
                     claims: {
-                        path: string[];
+                        path: (string | number | null)[];
                         display: {
                             name: string;
                             locale: string;
@@ -2692,7 +2692,7 @@ export declare const CredentialIssuerEntityConfiguration: z.ZodIntersection<z.Zo
                         locale: string;
                     }[];
                     claims: {
-                        path: string[];
+                        path: (string | number | null)[];
                         display: {
                             name: string;
                             locale: string;
@@ -3476,7 +3476,7 @@ export declare const CredentialIssuerEntityConfiguration: z.ZodIntersection<z.Zo
                         locale: string;
                     }[];
                     claims: {
-                        path: string[];
+                        path: (string | number | null)[];
                         display: {
                             name: string;
                             locale: string;
@@ -3660,7 +3660,7 @@ export declare const CredentialIssuerEntityConfiguration: z.ZodIntersection<z.Zo
                         locale: string;
                     }[];
                     claims: {
-                        path: string[];
+                        path: (string | number | null)[];
                         display: {
                             name: string;
                             locale: string;
@@ -3872,7 +3872,7 @@ export declare const CredentialIssuerEntityConfiguration: z.ZodIntersection<z.Zo
                         locale: string;
                     }[];
                     claims: {
-                        path: string[];
+                        path: (string | number | null)[];
                         display: {
                             name: string;
                             locale: string;
@@ -4084,7 +4084,7 @@ export declare const CredentialIssuerEntityConfiguration: z.ZodIntersection<z.Zo
                         locale: string;
                     }[];
                     claims: {
-                        path: string[];
+                        path: (string | number | null)[];
                         display: {
                             name: string;
                             locale: string;
@@ -4298,7 +4298,7 @@ export declare const CredentialIssuerEntityConfiguration: z.ZodIntersection<z.Zo
                         locale: string;
                     }[];
                     claims: {
-                        path: string[];
+                        path: (string | number | null)[];
                         display: {
                             name: string;
                             locale: string;
@@ -4512,7 +4512,7 @@ export declare const CredentialIssuerEntityConfiguration: z.ZodIntersection<z.Zo
                         locale: string;
                     }[];
                     claims: {
-                        path: string[];
+                        path: (string | number | null)[];
                         display: {
                             name: string;
                             locale: string;
@@ -10705,7 +10705,7 @@ export declare const EntityConfiguration: z.ZodUnion<[z.ZodIntersection<z.ZodObj
                         locale: string;
                     }>, "many">;
                     claims: z.ZodArray<z.ZodObject<{
-                        path: z.ZodArray<z.ZodString, "many">;
+                        path: z.ZodArray<z.ZodUnion<[z.ZodString, z.ZodNumber, z.ZodNull]>, "many">;
                         display: z.ZodArray<z.ZodObject<{
                             name: z.ZodString;
                             locale: z.ZodString;
@@ -10717,13 +10717,13 @@ export declare const EntityConfiguration: z.ZodUnion<[z.ZodIntersection<z.ZodObj
                             locale: string;
                         }>, "many">;
                     }, "strip", z.ZodTypeAny, {
-                        path: string[];
+                        path: (string | number | null)[];
                         display: {
                             name: string;
                             locale: string;
                         }[];
                     }, {
-                        path: string[];
+                        path: (string | number | null)[];
                         display: {
                             name: string;
                             locale: string;
@@ -10766,7 +10766,7 @@ export declare const EntityConfiguration: z.ZodUnion<[z.ZodIntersection<z.ZodObj
                         locale: string;
                     }[];
                     claims: {
-                        path: string[];
+                        path: (string | number | null)[];
                         display: {
                             name: string;
                             locale: string;
@@ -10789,7 +10789,7 @@ export declare const EntityConfiguration: z.ZodUnion<[z.ZodIntersection<z.ZodObj
                         locale: string;
                     }[];
                     claims: {
-                        path: string[];
+                        path: (string | number | null)[];
                         display: {
                             name: string;
                             locale: string;
@@ -10978,7 +10978,7 @@ export declare const EntityConfiguration: z.ZodUnion<[z.ZodIntersection<z.ZodObj
                         locale: string;
                     }[];
                     claims: {
-                        path: string[];
+                        path: (string | number | null)[];
                         display: {
                             name: string;
                             locale: string;
@@ -11046,7 +11046,7 @@ export declare const EntityConfiguration: z.ZodUnion<[z.ZodIntersection<z.ZodObj
                         locale: string;
                     }[];
                     claims: {
-                        path: string[];
+                        path: (string | number | null)[];
                         display: {
                             name: string;
                             locale: string;
@@ -11830,7 +11830,7 @@ export declare const EntityConfiguration: z.ZodUnion<[z.ZodIntersection<z.ZodObj
                         locale: string;
                     }[];
                     claims: {
-                        path: string[];
+                        path: (string | number | null)[];
                         display: {
                             name: string;
                             locale: string;
@@ -12014,7 +12014,7 @@ export declare const EntityConfiguration: z.ZodUnion<[z.ZodIntersection<z.ZodObj
                         locale: string;
                     }[];
                     claims: {
-                        path: string[];
+                        path: (string | number | null)[];
                         display: {
                             name: string;
                             locale: string;
@@ -12226,7 +12226,7 @@ export declare const EntityConfiguration: z.ZodUnion<[z.ZodIntersection<z.ZodObj
                         locale: string;
                     }[];
                     claims: {
-                        path: string[];
+                        path: (string | number | null)[];
                         display: {
                             name: string;
                             locale: string;
@@ -12438,7 +12438,7 @@ export declare const EntityConfiguration: z.ZodUnion<[z.ZodIntersection<z.ZodObj
                         locale: string;
                     }[];
                     claims: {
-                        path: string[];
+                        path: (string | number | null)[];
                         display: {
                             name: string;
                             locale: string;
@@ -12652,7 +12652,7 @@ export declare const EntityConfiguration: z.ZodUnion<[z.ZodIntersection<z.ZodObj
                         locale: string;
                     }[];
                     claims: {
-                        path: string[];
+                        path: (string | number | null)[];
                         display: {
                             name: string;
                             locale: string;
@@ -12866,7 +12866,7 @@ export declare const EntityConfiguration: z.ZodUnion<[z.ZodIntersection<z.ZodObj
                         locale: string;
                     }[];
                     claims: {
-                        path: string[];
+                        path: (string | number | null)[];
                         display: {
                             name: string;
                             locale: string;

package/lib/typescript/utils/credentials.d.ts

@@ -0,0 +1,11 @@
+import type { Out } from "./misc";
+import type { ObtainCredential } from "../credential/issuance";
+import type { JWK } from "./jwk";
+/**
+ * Extracts a JWK from a credential.
+ * @param credential - The credential string, which can be in SD-JWT or CBOR format.
+ * @param format - The format of the credential
+ * @return A Promise that resolves to a JWK object if the credential is in SD-JWT format and contains a JWK, or undefined otherwise.
+ */
+export declare const extractJwkFromCredential: (credential: Out<ObtainCredential>["credential"], format: Out<ObtainCredential>["format"]) => Promise<JWK>;
+//# sourceMappingURL=credentials.d.ts.map

package/lib/typescript/utils/credentials.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"credentials.d.ts","sourceRoot":"","sources":["../../../src/utils/credentials.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,GAAG,EAAE,MAAM,QAAQ,CAAC;AAClC,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAC/D,OAAO,KAAK,EAAE,GAAG,EAAE,MAAM,OAAO,CAAC;AAKjC;;;;;GAKG;AACH,eAAO,MAAM,wBAAwB,eACvB,IAAI,gBAAgB,CAAC,CAAC,YAAY,CAAC,UACvC,IAAI,gBAAgB,CAAC,CAAC,QAAQ,CAAC,KACtC,QAAQ,GAAG,CAUb,CAAC"}

package/lib/typescript/utils/crypto.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"crypto.d.ts","sourceRoot":"","sources":["../../../src/utils/crypto.ts"],"names":[],"mappings":"AAOA,OAAO,EAAc,KAAK,aAAa,EAAE,MAAM,6BAA6B,CAAC;AAG7E;;;;;;GAMG;AACH,eAAO,MAAM,sBAAsB,WAAY,MAAM,KAAG,aA6BvD,CAAC;AAEF;;;;;;;GAOG;AACH,eAAO,MAAM,gBAAgB,6BACJ,aAAa,8BAOrC,CAAC"}
+{"version":3,"file":"crypto.d.ts","sourceRoot":"","sources":["../../../src/utils/crypto.ts"],"names":[],"mappings":"AAOA,OAAO,EAAE,KAAK,aAAa,EAAc,MAAM,6BAA6B,CAAC;AAE7E;;;;;;GAMG;AACH,eAAO,MAAM,sBAAsB,WAAY,MAAM,KAAG,aAsBvD,CAAC;AAEF;;;;;;;GAOG;AACH,eAAO,MAAM,gBAAgB,6BACJ,aAAa,8BAOrC,CAAC"}

package/lib/typescript/utils/jwk.d.ts

@@ -228,4 +228,11 @@ export declare const JWKS: z.ZodObject<{
     }[];
 }>;
 export type JWTDecodeResult = ReturnType<typeof decode>;
+/**
+ * Utility function that checks if two JWKs have the same thumbprint.
+ * @param jwkA The first JWK
+ * @param jwkB The second JWK
+ * @returns Whether the thumbprints match
+ */
+export declare const isSameThumbprint: (jwkA: JWK, jwkB: JWK) => Promise<boolean>;
 //# sourceMappingURL=jwk.d.ts.map

package/lib/typescript/utils/jwk.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"jwk.d.ts","sourceRoot":"","sources":["../../../src/utils/jwk.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAiB,MAAM,6BAA6B,CAAC;AACpE,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,MAAM,MAAM,GAAG,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,GAAG,CAAC,CAAC;AACtC,eAAO,MAAM,GAAG;IACd,uCAAuC;;;;;;;IAOvC,yCAAyC;;;IAGzC,gDAAgD;;IAEhD,oCAAoC;;IAEpC;;kCAE8B;;;;;;IAM9B,4CAA4C;;;;IAI5C,qDAAqD;;IAErD,gEAAgE;;IAEhE,mEAAmE;;IAEnE,uCAAuC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAEvC,CAAC;AAEH;;;;;;;GAOG;AACH,wBAAgB,sBAAsB,CAAC,GAAG,EAAE,GAAG,GAAG,GAAG,CAUpD;AAED,MAAM,MAAM,IAAI,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,IAAI,CAAC,CAAC;AACxC,eAAO,MAAM,IAAI;;QAzDf,uCAAuC;;;;;;;QAOvC,yCAAyC;;;QAGzC,gDAAgD;;QAEhD,oCAAoC;;QAEpC;;sCAE8B;;;;;;QAM9B,4CAA4C;;;;QAI5C,qDAAqD;;QAErD,gEAAgE;;QAEhE,mEAAmE;;QAEnE,uCAAuC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EA2BvC,CAAC;AAEH,MAAM,MAAM,eAAe,GAAG,UAAU,CAAC,OAAO,MAAM,CAAC,CAAC"}
+{"version":3,"file":"jwk.d.ts","sourceRoot":"","sources":["../../../src/utils/jwk.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAA6B,MAAM,6BAA6B,CAAC;AAChF,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,MAAM,MAAM,GAAG,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,GAAG,CAAC,CAAC;AACtC,eAAO,MAAM,GAAG;IACd,uCAAuC;;;;;;;IAOvC,yCAAyC;;;IAGzC,gDAAgD;;IAEhD,oCAAoC;;IAEpC;;kCAE8B;;;;;;IAM9B,4CAA4C;;;;IAI5C,qDAAqD;;IAErD,gEAAgE;;IAEhE,mEAAmE;;IAEnE,uCAAuC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAEvC,CAAC;AAEH;;;;;;;GAOG;AACH,wBAAgB,sBAAsB,CAAC,GAAG,EAAE,GAAG,GAAG,GAAG,CAUpD;AAED,MAAM,MAAM,IAAI,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,IAAI,CAAC,CAAC;AACxC,eAAO,MAAM,IAAI;;QAzDf,uCAAuC;;;;;;;QAOvC,yCAAyC;;;QAGzC,gDAAgD;;QAEhD,oCAAoC;;QAEpC;;sCAE8B;;;;;;QAM9B,4CAA4C;;;;QAI5C,qDAAqD;;QAErD,gEAAgE;;QAEhE,mEAAmE;;QAEnE,uCAAuC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EA2BvC,CAAC;AAEH,MAAM,MAAM,eAAe,GAAG,UAAU,CAAC,OAAO,MAAM,CAAC,CAAC;AAExD;;;;;GAKG;AACH,eAAO,MAAM,gBAAgB,SAAgB,GAAG,QAAQ,GAAG,qBAM1D,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pagopa/io-react-native-wallet",
-  "version": "2.0.0-next.4",
+  "version": "2.0.0-next.6",
   "description": "Provide data structures, helpers and API for IO Wallet",
   "main": "lib/commonjs/index",
   "module": "lib/module/index",
@@ -55,10 +55,11 @@
   "devDependencies": {
     "@pagopa/io-react-native-crypto": "^1.2.2",
     "@pagopa/io-react-native-jwt": "^2.1.0",
+    "@react-native/babel-preset": "0.78.3",
     "@react-native/eslint-config": "^0.75.5",
     "@rushstack/eslint-patch": "^1.3.2",
-    "@types/jest": "^28.1.2",
-    "@types/react": "^18.2.6",
+    "@types/jest": "^29.5.13",
+    "@types/react": "^19.0.0",
     "@types/react-native": "0.70.0",
     "@types/url-parse": "^1.4.11",
     "del-cli": "^5.0.0",
@@ -67,15 +68,12 @@
     "jest": "^28.1.1",
     "pod-install": "^0.1.0",
     "prettier": "^3.5.3",
-    "react": "18.3.1",
-    "react-native": "0.75.5",
+    "react": "19.0.0",
+    "react-native": "0.78.3",
     "react-native-builder-bob": "^0.20.0",
     "typed-openapi": "^0.4.1",
     "typescript": "5.0.4"
   },
-  "resolutions": {
-    "@types/react": "^18.2.6"
-  },
   "peerDependencies": {
     "@pagopa/io-react-native-crypto": "*",
     "@pagopa/io-react-native-jwt": "*",

package/src/credential/issuance/07-verify-and-parse-credential.ts

@@ -2,12 +2,11 @@ import type { CryptoContext } from "@pagopa/io-react-native-jwt";
 import type { Out } from "../../utils/misc";
 import type { EvaluateIssuerTrust } from "./02-evaluate-issuer-trust";
 import { IoWalletError } from "../../utils/errors";
-import { SdJwt4VC } from "../../sd-jwt/types";
-import { verify as verifySdJwt } from "../../sd-jwt";
+import { SdJwt4VC, verify as verifySdJwt } from "../../sd-jwt";
 import { getValueFromDisclosures } from "../../sd-jwt/converters";
-import type { JWK } from "../../utils/jwk";
+import { isSameThumbprint, type JWK } from "../../utils/jwk";
 import type { ObtainCredential } from "./06-obtain-credential";
-import { LogLevel, Logger } from "../../utils/logging";
+import { Logger, LogLevel } from "../../utils/logging";
 
 type IssuerConf = Out<EvaluateIssuerTrust>["issuerConf"];
 type CredentialConf =
@@ -169,8 +168,7 @@ async function verifyCredentialSdJwt(
     ]);
 
   const { cnf } = decodedCredential.sdJwt.payload;
-
-  if (!cnf.jwk.kid || cnf.jwk.kid !== holderBindingKey.kid) {
+  if (!(await isSameThumbprint(cnf.jwk, holderBindingKey as JWK))) {
     const message = `Failed to verify holder binding, expected kid: ${holderBindingKey.kid}, got: ${decodedCredential.sdJwt.payload.cnf.jwk.kid}`;
     Logger.log(LogLevel.ERROR, message);
     throw new IoWalletError(message);

package/src/credential/status/{02-status-attestation.ts → 02-status-assertion.ts}

@@ -6,54 +6,65 @@ import {
 import type { EvaluateIssuerTrust, ObtainCredential } from "../issuance";
 import { type CryptoContext, SignJWT } from "@pagopa/io-react-native-jwt";
 import { v4 as uuidv4 } from "uuid";
-import { StatusAttestationResponse } from "./types";
+import { StatusAssertionResponse } from "./types";
 import {
   IssuerResponseError,
   IssuerResponseErrorCodes,
   ResponseErrorBuilder,
   UnexpectedStatusCodeError,
 } from "../../utils/errors";
-import { LogLevel, Logger } from "../../utils/logging";
+import { Logger, LogLevel } from "../../utils/logging";
+import { extractJwkFromCredential } from "../../utils/credentials";
 
-export type StatusAttestation = (
+export type StatusAssertion = (
   issuerConf: Out<EvaluateIssuerTrust>["issuerConf"],
   credential: Out<ObtainCredential>["credential"],
-  credentialCryptoContext: CryptoContext,
-  appFetch?: GlobalFetch["fetch"]
+  format: Out<ObtainCredential>["format"],
+  context: {
+    credentialCryptoContext: CryptoContext;
+    wiaCryptoContext: CryptoContext;
+    appFetch?: GlobalFetch["fetch"];
+  }
 ) => Promise<{
-  statusAttestation: StatusAttestationResponse["status_attestation"];
+  statusAssertion: string;
 }>;
 
 /**
- * WARNING: This function must be called after {@link startFlow}.
- * Verify the status of the credential attestation.
+ * Get the status assertion of a digital credential.
  * @param issuerConf - The issuer's configuration
  * @param credential - The credential to be verified
- * @param credentialCryptoContext - The credential's crypto context
+ * @param format - The format of the credential, e.g. "sd-jwt"
+ * @param context.credentialCryptoContext - The credential's crypto context
+ * @param context.wiaCryptoContext - The Wallet Attestation's crypto context
  * @param context.appFetch (optional) fetch api implementation. Default: built-in fetch
  * @throws {IssuerResponseError} with a specific code for more context
- * @returns The credential status attestation
+ * @returns The credential status assertion
  */
-export const statusAttestation: StatusAttestation = async (
+export const statusAssertion: StatusAssertion = async (
   issuerConf,
   credential,
-  credentialCryptoContext,
-  appFetch: GlobalFetch["fetch"] = fetch
+  format,
+  ctx
 ) => {
-  const jwk = await credentialCryptoContext.getPublicKey();
+  const { credentialCryptoContext, wiaCryptoContext, appFetch = fetch } = ctx;
+
+  const jwk = await extractJwkFromCredential(credential, format);
+  const issuerJwk = await wiaCryptoContext.getPublicKey();
   const credentialHash = await getCredentialHashWithouDiscloures(credential);
   const statusAttUrl =
     issuerConf.openid_credential_issuer.status_attestation_endpoint;
+
   const credentialPop = await new SignJWT(credentialCryptoContext)
     .setPayload({
+      iss: issuerJwk.kid,
       aud: statusAttUrl,
       jti: uuidv4().toString(),
       credential_hash: credentialHash,
-      credential_hash_alg: "S256",
+      credential_hash_alg: "sha-256",
     })
     .setProtectedHeader({
       alg: "ES256",
-      typ: "status-attestation-request+jwt",
+      typ: "status-assertion-request+jwt",
       kid: jwk.kid,
     })
     .setIssuedAt()
@@ -61,7 +72,7 @@ export const statusAttestation: StatusAttestation = async (
     .sign();
 
   const body = {
-    credential_pop: credentialPop,
+    status_assertion_requests: [credentialPop],
   };
 
   Logger.log(LogLevel.DEBUG, `Credential pop: ${credentialPop}`);
@@ -73,33 +84,31 @@ export const statusAttestation: StatusAttestation = async (
     },
     body: JSON.stringify(body),
   })
-    .then(hasStatusOrThrow(201))
+    .then(hasStatusOrThrow(200))
     .then((raw) => raw.json())
-    .then((json) => StatusAttestationResponse.parse(json))
-    .catch(handleStatusAttestationError);
+    .then((json) => StatusAssertionResponse.parse(json))
+    .catch(handleStatusAssertionError);
 
-  return { statusAttestation: result.status_attestation };
+  const [statusAttestationJwt] = result.status_assertion_responses;
+
+  return { statusAssertion: statusAttestationJwt! };
 };
 
 /**
- * Handle the status attestation error by mapping it to a custom exception.
+ * Handle the status assertion error by mapping it to a custom exception.
  * If the error is not an instance of {@link UnexpectedStatusCodeError}, it is thrown as is.
  * @param e - The error to be handled
  * @throws {IssuerResponseError} with a specific code for more context
  */
-const handleStatusAttestationError = (e: unknown) => {
+const handleStatusAssertionError = (e: unknown) => {
   if (!(e instanceof UnexpectedStatusCodeError)) {
     throw e;
   }
 
   throw new ResponseErrorBuilder(IssuerResponseError)
-    .handle(404, {
-      code: IssuerResponseErrorCodes.CredentialInvalidStatus,
-      message: "Invalid status found for the given credential",
-    })
     .handle("*", {
       code: IssuerResponseErrorCodes.StatusAttestationRequestFailed,
-      message: `Unable to obtain the status attestation for the given credential`,
+      message: `Unable to obtain the status assertion for the given credential`,
     })
     .buildFrom(e);
 };

package/src/credential/status/03-verify-and-parse-status-assertion.ts

@@ -0,0 +1,109 @@
+import type { Out } from "../../utils/misc";
+import {
+  IoWalletError,
+  IssuerResponseError,
+  IssuerResponseErrorCodes,
+} from "../../utils/errors";
+import { decode as decodeJwt, verify } from "@pagopa/io-react-native-jwt";
+import type { EvaluateIssuerTrust, StatusAssertion } from ".";
+import {
+  type InvalidStatusErrorReason,
+  ParsedStatusAssertion,
+  ParsedStatusAssertionError,
+  ParsedStatusAssertionResponse,
+  StatusType,
+} from "./types";
+import { Logger, LogLevel } from "../../utils/logging";
+import type { ObtainCredential } from "../issuance";
+import { extractJwkFromCredential } from "../../utils/credentials";
+import { isSameThumbprint } from "../../utils/jwk";
+
+export type VerifyAndParseStatusAssertion = (
+  issuerConf: Out<EvaluateIssuerTrust>["issuerConf"],
+  statusAssertion: Out<StatusAssertion>,
+  credential: Out<ObtainCredential>["credential"],
+  format: Out<ObtainCredential>["format"]
+) => Promise<{ parsedStatusAssertion: ParsedStatusAssertion }>;
+
+/**
+ * Given a status assertion, verifies that:
+ * - It's in the supported format;
+ * - The assertion is correctly signed;
+ * - It's bound to the given key.
+ * @param issuerConf The Issuer configuration returned by {@link evaluateIssuerTrust}
+ * @param statusAssertion The encoded status assertion returned by {@link statusAssertion}
+ * @param context.credentialCryptoContext The crypto context used to obtain the credential in {@link obtainCredential}
+ * @returns A parsed status assertion
+ * @throws {IoWalletError} If the credential signature is not verified with the Issuer key set
+ * @throws {IssuerResponseError} If the status assertion contains an error or the credential status is invalid
+ */
+export const verifyAndParseStatusAssertion: VerifyAndParseStatusAssertion =
+  async (issuerConf, rawStatusAssertion, credential, format) => {
+    const { statusAssertion } = rawStatusAssertion;
+
+    await verify(
+      statusAssertion,
+      issuerConf.openid_credential_issuer.jwks.keys
+    );
+
+    const decodedJwt = decodeJwt(statusAssertion);
+    const parsedStatusAssertion = ParsedStatusAssertionResponse.parse({
+      header: decodedJwt.protectedHeader,
+      payload: decodedJwt.payload,
+    });
+
+    Logger.log(
+      LogLevel.DEBUG,
+      `Parsed status assertion: ${JSON.stringify(parsedStatusAssertion)}`
+    );
+
+    // Errors are transmitted in the JWT and use a 200 HTTP status code
+    if (isStatusAssertionError(parsedStatusAssertion)) {
+      throw new IssuerResponseError({
+        code: IssuerResponseErrorCodes.CredentialInvalidStatus,
+        message: "The status assertion contains an error",
+        statusCode: 200,
+        reason: buildErrorReason(parsedStatusAssertion),
+      });
+    }
+
+    const { cnf, credential_status_type } = parsedStatusAssertion.payload;
+    const holderBindingKey = await extractJwkFromCredential(credential, format);
+
+    if (!(await isSameThumbprint(cnf.jwk, holderBindingKey))) {
+      const errorMessage = `Failed to verify holder binding for status assertion: the thumbprints of keys ${cnf.jwk.kid} and ${holderBindingKey.kid} do not match`;
+      Logger.log(LogLevel.ERROR, errorMessage);
+      throw new IoWalletError(errorMessage);
+    }
+
+    if (credential_status_type !== StatusType.VALID) {
+      throw new IssuerResponseError({
+        code: IssuerResponseErrorCodes.CredentialInvalidStatus,
+        message: "Invalid status found for the given credential",
+        statusCode: 200,
+        reason: buildErrorReason(parsedStatusAssertion),
+      });
+    }
+
+    return { parsedStatusAssertion };
+  };
+
+const isStatusAssertionError = (
+  assertion: ParsedStatusAssertionResponse
+): assertion is ParsedStatusAssertionError =>
+  assertion.header.typ === "status-assertion-error+jwt";
+
+/**
+ * Build an object containing the details on the error to use as the IssuerResponseError's reason
+ * @param assertion The status assertion response, both success or failure
+ * @returns The error's reason object
+ */
+const buildErrorReason = ({
+  payload,
+}: ParsedStatusAssertionResponse): InvalidStatusErrorReason =>
+  "error" in payload
+    ? payload
+    : {
+        error: payload.credential_status_detail!.state,
+        error_description: payload.credential_status_detail!.description,
+      };

package/src/credential/status/README.md

@@ -1,16 +1,16 @@
-# Credential Status Attestation
+# Credential Status Assertion
 
-This flow is used to obtain a credential status attestation from its credential issuer. Each step in the flow is imported from the related file which is named with a sequential number.
-The credential status attestation is a JWT which contains the credential status which indicates if the credential is valid or not.
-The status attestation is supposed to be stored securely along with the credential. It has a limited lifetime and should be refreshed periodically according to the `exp` field in the JWT payload.
+This flow is used to obtain a credential status assertion from its credential issuer. Each step in the flow is imported from the related file which is named with a sequential number.
+The credential status assertion is a JWT which contains the credential status which indicates if the credential is valid or not (see [OAuth Status Assertions](https://italia.github.io/eid-wallet-it-docs/versione-corrente/en/credential-revocation.html#oauth-status-assertions)).
+The status assertion is supposed to be stored securely along with the credential. It has a limited lifetime and should be refreshed periodically according to the `exp` field in the JWT payload.
 
 ## Sequence Diagram
 
 ```mermaid
 graph TD;
     0[startFlow]
-    1[statusAttestation]
-    2[verifyAndParseStatusAttestation]
+    1[statusAssertion]
+    2[verifyAndParseStatusAssertion]
 
     0 --> 1
     1 --> 2
@@ -21,14 +21,14 @@ graph TD;
 
 The following errors are mapped to a `IssuerResponseError` with specific codes.
 
-|HTTP Status|Error Code|Description|
-|-----------|----------|-----------|
-|`404 Not Found`|`ERR_CREDENTIAL_INVALID_STATUS`|This response is returned by the credential issuer when the status attestation is invalid. It might contain more details in the `reason` property.|
+|Error Code|Description|
+|----------|-----------|
+|`ERR_CREDENTIAL_INVALID_STATUS`|This error is thrown when the status assertion for a given credential is invalid. It might contain more details in the `reason` property.|
 
 ## Example
 
 <details>
-  <summary>Credential status attestation flow</summary>
+  <summary>Credential status assertion flow</summary>
 
 ```ts
 // Start the issuance flow
@@ -42,24 +42,26 @@ const { issuerUrl } = startFlow();
 // Evaluate issuer trust
 const { issuerConf } = await Credential.Status.evaluateIssuerTrust(issuerUrl);
 
-// Get the credential attestation
-const res = await Credential.Status.statusAttestation(
+// Get the credential assertion
+const res = await Credential.Status.statusAssertion(
   issuerConf,
   credential,
-  credentialCryptoContext
+  format,
+  { credentialCryptoContext, wiaCryptoContext }
 );
 
-// Verify and parse the status attestation
-const { parsedStatusAttestation } =
-  await Credential.Status.verifyAndParseStatusAttestation(
+// Verify and parse the status assertion
+const { parsedStatusAssertion } =
+  await Credential.Status.verifyAndParseStatusAssertion(
     issuerConf,
-    res.statusAttestation,
-    { credentialCryptoContext }
+    res.statusAssertion,
+    credential,
+    format
   );
 
 return {
-  statusAttestation: res.statusAttestation,
-  parsedStatusAttestation,
+  statusAssertion: res.statusAssertion,
+  parsedStatusAssertion,
 };
 ```