@pagopa/io-react-native-wallet 2.0.0-next.4 → 2.0.0-next.6

package/src/credential/status/index.ts

@@ -1,22 +1,15 @@
 import { type StartFlow } from "./01-start-flow";
-import {
-  statusAttestation,
-  type StatusAttestation,
-} from "./02-status-attestation";
+import { statusAssertion, type StatusAssertion } from "./02-status-assertion";
 import { evaluateIssuerTrust, type EvaluateIssuerTrust } from "../issuance";
 import {
-  verifyAndParseStatusAttestation,
-  type VerifyAndParseStatusAttestation,
-} from "./03-verify-and-parse-status-attestation";
+  verifyAndParseStatusAssertion,
+  type VerifyAndParseStatusAssertion,
+} from "./03-verify-and-parse-status-assertion";
 
-export {
-  evaluateIssuerTrust,
-  statusAttestation,
-  verifyAndParseStatusAttestation,
-};
+export { evaluateIssuerTrust, statusAssertion, verifyAndParseStatusAssertion };
 export type {
   StartFlow,
   EvaluateIssuerTrust,
-  StatusAttestation,
-  VerifyAndParseStatusAttestation,
+  StatusAssertion,
+  VerifyAndParseStatusAssertion,
 };

package/src/credential/status/types.ts

@@ -3,35 +3,38 @@ import { JWK } from "../../utils/jwk";
 import * as z from "zod";
 
 /**
- * Shape from parsing a status attestation response in case of 201.
+ * Shape from parsing a status assertion response in case of 201.
  */
-export const StatusAttestationResponse = z.object({
-  status_attestation: z.string(),
+export const StatusAssertionResponse = z.object({
+  status_assertion_responses: z.array(z.string()),
 });
 
 /**
- * Type from parsing a status attestation response in case of 201.
- * Inferred from {@link StatusAttestationResponse}.
+ * Type from parsing a status assertion response in case of 201.
+ * Inferred from {@link StatusAssertionResponse}.
  */
-export type StatusAttestationResponse = z.infer<
-  typeof StatusAttestationResponse
->;
+export type StatusAssertionResponse = z.infer<typeof StatusAssertionResponse>;
 
-/**
- * Type for a parsed status attestation.
- */
-export type ParsedStatusAttestation = z.infer<typeof ParsedStatusAttestation>;
+export type ParsedStatusAssertion = z.infer<typeof ParsedStatusAssertion>;
 
 /**
- * Shape for parsing a status attestation in a JWT.
+ * Shape for parsing a successful status assertion in a JWT.
  */
-export const ParsedStatusAttestation = z.object({
+export const ParsedStatusAssertion = z.object({
   header: z.object({
-    typ: z.literal("status-attestation+jwt"),
+    typ: z.literal("status-assertion+jwt"),
     alg: z.string(),
     kid: z.string().optional(),
   }),
   payload: z.object({
+    iss: z.string(),
+    credential_status_type: z.string(),
+    credential_status_detail: z
+      .object({
+        state: z.string(),
+        description: z.string(),
+      })
+      .optional(),
     credential_hash_alg: z.string(),
     credential_hash: z.string(),
     cnf: z.object({
@@ -41,3 +44,47 @@ export const ParsedStatusAttestation = z.object({
     iat: UnixTime,
   }),
 });
+
+export type ParsedStatusAssertionError = z.infer<
+  typeof ParsedStatusAssertionError
+>;
+
+/**
+ * The JWT that contains the errors occurred for the status assertion request.
+ * @see https://italia.github.io/eid-wallet-it-docs/versione-corrente/en/credential-revocation.html#http-status-assertion-response
+ */
+export const ParsedStatusAssertionError = z.object({
+  header: z.object({
+    typ: z.literal("status-assertion-error+jwt"),
+    alg: z.string(),
+    kid: z.string().optional(),
+  }),
+  payload: z.object({
+    credential_hash_alg: z.string(),
+    credential_hash: z.string(),
+    error: z.string(),
+    error_description: z.string(),
+  }),
+});
+
+/**
+ * The status assertion response that might include either a successful assertion or an error
+ */
+export type ParsedStatusAssertionResponse = z.infer<
+  typeof ParsedStatusAssertionResponse
+>;
+export const ParsedStatusAssertionResponse = z.union([
+  ParsedStatusAssertion,
+  ParsedStatusAssertionError,
+]);
+
+export enum StatusType {
+  VALID = "0x00",
+  INVALID = "0x01",
+  SUSPENDED = "0x02",
+}
+
+export type InvalidStatusErrorReason = {
+  error: string;
+  error_description: string;
+};

package/src/trust/types.ts

@@ -38,7 +38,7 @@ const CredentialIssuerDisplayMetadata = z.object({
 
 type ClaimsMetadata = z.infer<typeof ClaimsMetadata>;
 const ClaimsMetadata = z.object({
-  path: z.array(z.string()),
+  path: z.array(z.union([z.string(), z.number(), z.null()])), // https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0-15.html#name-claims-path-pointer
   display: z.array(CredentialDisplayMetadata),
 });
 

package/src/utils/credentials.ts

@@ -0,0 +1,29 @@
+import { decode } from "../sd-jwt";
+import { thumbprint } from "@pagopa/io-react-native-jwt";
+import type { Out } from "./misc";
+import type { ObtainCredential } from "../credential/issuance";
+import type { JWK } from "./jwk";
+import { IoWalletError } from "./errors";
+
+const SD_JWT = ["vc+sd-jwt", "dc+sd-jwt"];
+
+/**
+ * Extracts a JWK from a credential.
+ * @param credential - The credential string, which can be in SD-JWT or CBOR format.
+ * @param format - The format of the credential
+ * @return A Promise that resolves to a JWK object if the credential is in SD-JWT format and contains a JWK, or undefined otherwise.
+ */
+export const extractJwkFromCredential = async (
+  credential: Out<ObtainCredential>["credential"],
+  format: Out<ObtainCredential>["format"]
+): Promise<JWK> => {
+  if (SD_JWT.includes(format)) {
+    // 1. SD-JWT case
+    const decoded = decode(credential);
+    const jwk = decoded.sdJwt.payload.cnf.jwk;
+    if (jwk) {
+      return { ...jwk, kid: await thumbprint(jwk) };
+    }
+  }
+  throw new IoWalletError(`Credential format ${format} not supported`);
+};

package/src/utils/crypto.ts

@@ -1,12 +1,11 @@
 import {
-  getPublicKey,
-  sign,
-  generate,
   deleteKey,
+  generate,
+  getPublicKeyFixed,
+  sign,
 } from "@pagopa/io-react-native-crypto";
 import { v4 as uuidv4 } from "uuid";
-import { thumbprint, type CryptoContext } from "@pagopa/io-react-native-jwt";
-import { fixBase64EncodingOnKey } from "./jwk";
+import { type CryptoContext, thumbprint } from "@pagopa/io-react-native-jwt";
 
 /**
  * Create a CryptoContext bound to a key pair.
@@ -17,22 +16,15 @@ import { fixBase64EncodingOnKey } from "./jwk";
  */
 export const createCryptoContextFor = (keytag: string): CryptoContext => {
   return {
-    /**
-     * Retrieve the public key of the pair.
-     * If the key pair doesn't exist yet, an error is raised
-     * @returns The public key.
-     */
     async getPublicKey() {
-      return getPublicKey(keytag)
-        .then(fixBase64EncodingOnKey)
-        .then(async (jwk) => ({
-          ...jwk,
-          // Keys in the TEE are not stored with their KID, which is supposed to be assigned when they are included in JWK sets.
-          // (that is, KID is not a propoerty of the key itself, but it's property used to identify a key in a set).
-          // We assume the convention we use the thumbprint of the public key as KID, thus for easy development we decided to evaluate KID here
-          // However the values is an arbitrary string that might be anything
-          kid: await thumbprint(jwk),
-        }));
+      return getPublicKeyFixed(keytag).then(async (jwk) => ({
+        ...jwk,
+        // Keys in the TEE are not stored with their KID, which is supposed to be assigned when they are included in JWK sets.
+        // (that is, KID is not a propoerty of the key itself, but it's property used to identify a key in a set).
+        // We assume the convention we use the thumbprint of the public key as KID, thus for easy development we decided to evaluate KID here
+        // However the values is an arbitrary string that might be anything
+        kid: await thumbprint(jwk),
+      }));
     },
     /**
      * Get a signature for a provided value.

package/src/utils/jwk.ts

@@ -1,4 +1,4 @@
-import { decode, removePadding } from "@pagopa/io-react-native-jwt";
+import { decode, removePadding, thumbprint } from "@pagopa/io-react-native-jwt";
 import { z } from "zod";
 
 export type JWK = z.infer<typeof JWK>;
@@ -65,3 +65,17 @@ export const JWKS = z.object({
 });
 
 export type JWTDecodeResult = ReturnType<typeof decode>;
+
+/**
+ * Utility function that checks if two JWKs have the same thumbprint.
+ * @param jwkA The first JWK
+ * @param jwkB The second JWK
+ * @returns Whether the thumbprints match
+ */
+export const isSameThumbprint = async (jwkA: JWK, jwkB: JWK) => {
+  const [thumbprintJwkA, thumbprintJwkB] = await Promise.all([
+    thumbprint(jwkA),
+    thumbprint(jwkB),
+  ]);
+  return thumbprintJwkA === thumbprintJwkB;
+};

package/lib/commonjs/credential/status/02-status-attestation.js.map

@@ -1 +0,0 @@
-{"version":3,"names":["_misc","require","_ioReactNativeJwt","_uuid","_types","_errors","_logging","statusAttestation","issuerConf","credential","credentialCryptoContext","appFetch","arguments","length","undefined","fetch","jwk","getPublicKey","credentialHash","getCredentialHashWithouDiscloures","statusAttUrl","openid_credential_issuer","status_attestation_endpoint","credentialPop","SignJWT","setPayload","aud","jti","uuidv4","toString","credential_hash","credential_hash_alg","setProtectedHeader","alg","typ","kid","setIssuedAt","setExpirationTime","sign","body","credential_pop","Logger","log","LogLevel","DEBUG","result","method","headers","JSON","stringify","then","hasStatusOrThrow","raw","json","StatusAttestationResponse","parse","catch","handleStatusAttestationError","status_attestation","exports","e","UnexpectedStatusCodeError","ResponseErrorBuilder","IssuerResponseError","handle","code","IssuerResponseErrorCodes","CredentialInvalidStatus","message","StatusAttestationRequestFailed","buildFrom"],"sourceRoot":"../../../../src","sources":["credential/status/02-status-attestation.ts"],"mappings":";;;;;;AAAA,IAAAA,KAAA,GAAAC,OAAA;AAMA,IAAAC,iBAAA,GAAAD,OAAA;AACA,IAAAE,KAAA,GAAAF,OAAA;AACA,IAAAG,MAAA,GAAAH,OAAA;AACA,IAAAI,OAAA,GAAAJ,OAAA;AAMA,IAAAK,QAAA,GAAAL,OAAA;AAWA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACO,MAAMM,iBAAoC,GAAG,eAAAA,CAClDC,UAAU,EACVC,UAAU,EACVC,uBAAuB,EAEpB;EAAA,IADHC,QAA8B,GAAAC,SAAA,CAAAC,MAAA,QAAAD,SAAA,QAAAE,SAAA,GAAAF,SAAA,MAAGG,KAAK;EAEtC,MAAMC,GAAG,GAAG,MAAMN,uBAAuB,CAACO,YAAY,CAAC,CAAC;EACxD,MAAMC,cAAc,GAAG,MAAM,IAAAC,uCAAiC,EAACV,UAAU,CAAC;EAC1E,MAAMW,YAAY,GAChBZ,UAAU,CAACa,wBAAwB,CAACC,2BAA2B;EACjE,MAAMC,aAAa,GAAG,MAAM,IAAIC,yBAAO,CAACd,uBAAuB,CAAC,CAC7De,UAAU,CAAC;IACVC,GAAG,EAAEN,YAAY;IACjBO,GAAG,EAAE,IAAAC,QAAM,EAAC,CAAC,CAACC,QAAQ,CAAC,CAAC;IACxBC,eAAe,EAAEZ,cAAc;IAC/Ba,mBAAmB,EAAE;EACvB,CAAC,CAAC,CACDC,kBAAkB,CAAC;IAClBC,GAAG,EAAE,OAAO;IACZC,GAAG,EAAE,gCAAgC;IACrCC,GAAG,EAAEnB,GAAG,CAACmB;EACX,CAAC,CAAC,CACDC,WAAW,CAAC,CAAC,CACbC,iBAAiB,CAAC,IAAI,CAAC,CACvBC,IAAI,CAAC,CAAC;EAET,MAAMC,IAAI,GAAG;IACXC,cAAc,EAAEjB;EAClB,CAAC;EAEDkB,eAAM,CAACC,GAAG,CAACC,iBAAQ,CAACC,KAAK,EAAG,mBAAkBrB,aAAc,EAAC,CAAC;EAE9D,MAAMsB,MAAM,GAAG,MAAMlC,QAAQ,CAACS,YAAY,EAAE;IAC1C0B,MAAM,EAAE,MAAM;IACdC,OAAO,EAAE;MACP,cAAc,EAAE;IAClB,CAAC;IACDR,IAAI,EAAES,IAAI,CAACC,SAAS,CAACV,IAAI;EAC3B,CAAC,CAAC,CACCW,IAAI,CAAC,IAAAC,sBAAgB,EAAC,GAAG,CAAC,CAAC,CAC3BD,IAAI,CAAEE,GAAG,IAAKA,GAAG,CAACC,IAAI,CAAC,CAAC,CAAC,CACzBH,IAAI,CAAEG,IAAI,IAAKC,gCAAyB,CAACC,KAAK,CAACF,IAAI,CAAC,CAAC,CACrDG,KAAK,CAACC,4BAA4B,CAAC;EAEtC,OAAO;IAAElD,iBAAiB,EAAEsC,MAAM,CAACa;EAAmB,CAAC;AACzD,CAAC;;AAED;AACA;AACA;AACA;AACA;AACA;AALAC,OAAA,CAAApD,iBAAA,GAAAA,iBAAA;AAMA,MAAMkD,4BAA4B,GAAIG,CAAU,IAAK;EACnD,IAAI,EAAEA,CAAC,YAAYC,iCAAyB,CAAC,EAAE;IAC7C,MAAMD,CAAC;EACT;EAEA,MAAM,IAAIE,4BAAoB,CAACC,2BAAmB,CAAC,CAChDC,MAAM,CAAC,GAAG,EAAE;IACXC,IAAI,EAAEC,gCAAwB,CAACC,uBAAuB;IACtDC,OAAO,EAAE;EACX,CAAC,CAAC,CACDJ,MAAM,CAAC,GAAG,EAAE;IACXC,IAAI,EAAEC,gCAAwB,CAACG,8BAA8B;IAC7DD,OAAO,EAAG;EACZ,CAAC,CAAC,CACDE,SAAS,CAACV,CAAC,CAAC;AACjB,CAAC"}

package/lib/commonjs/credential/status/03-verify-and-parse-status-attestation.js

@@ -1,55 +0,0 @@
-"use strict";
-
-Object.defineProperty(exports, "__esModule", {
-  value: true
-});
-exports.verifyAndParseStatusAttestation = void 0;
-var _errors = require("../../utils/errors");
-var _ioReactNativeJwt = require("@pagopa/io-react-native-jwt");
-var _types = require("./types");
-var _logging = require("../../utils/logging");
-/**
- * Given a status attestation, verifies that:
- * - It's in the supported format;
- * - The attestation is correctly signed;
- * - It's bound to the given key.
- * @param issuerConf The Issuer configuration returned by {@link evaluateIssuerTrust}
- * @param statusAttestation The encoded status attestation returned by {@link statusAttestation}
- * @param context.credentialCryptoContext The crypto context used to obtain the credential in {@link obtainCredential}
- * @returns A parsed status attestation
- * @throws {IoWalletError} If the credential signature is not verified with the Issuer key set
- * @throws {IoWalletError} If the credential is not bound to the provided user key
- * @throws {IoWalletError} If the credential data fail to parse
- */
-const verifyAndParseStatusAttestation = async (issuerConf, rawStatusAttestation, context) => {
-  try {
-    const {
-      statusAttestation
-    } = rawStatusAttestation;
-    const {
-      credentialCryptoContext
-    } = context;
-    await (0, _ioReactNativeJwt.verify)(statusAttestation, issuerConf.openid_credential_issuer.jwks.keys);
-    const decodedJwt = (0, _ioReactNativeJwt.decode)(statusAttestation);
-    const parsedStatusAttestation = _types.ParsedStatusAttestation.parse({
-      header: decodedJwt.protectedHeader,
-      payload: decodedJwt.payload
-    });
-    _logging.Logger.log(_logging.LogLevel.DEBUG, `Parsed status attestation: ${JSON.stringify(parsedStatusAttestation)}`);
-    const holderBindingKey = await credentialCryptoContext.getPublicKey();
-    const {
-      cnf
-    } = parsedStatusAttestation.payload;
-    if (!cnf.jwk.kid || cnf.jwk.kid !== holderBindingKey.kid) {
-      _logging.Logger.log(_logging.LogLevel.ERROR, `Failed to verify holder binding for status attestation, expected kid: ${holderBindingKey.kid}, got: ${parsedStatusAttestation.payload.cnf.jwk.kid}`);
-      throw new _errors.IoWalletError(`Failed to verify holder binding for status attestation, expected kid: ${holderBindingKey.kid}, got: ${parsedStatusAttestation.payload.cnf.jwk.kid}`);
-    }
-    return {
-      parsedStatusAttestation
-    };
-  } catch (e) {
-    throw new _errors.IoWalletError(`Failed to verify status attestation: ${JSON.stringify(e)}`);
-  }
-};
-exports.verifyAndParseStatusAttestation = verifyAndParseStatusAttestation;
-//# sourceMappingURL=03-verify-and-parse-status-attestation.js.map

package/lib/commonjs/credential/status/03-verify-and-parse-status-attestation.js.map

@@ -1 +0,0 @@
-{"version":3,"names":["_errors","require","_ioReactNativeJwt","_types","_logging","verifyAndParseStatusAttestation","issuerConf","rawStatusAttestation","context","statusAttestation","credentialCryptoContext","verify","openid_credential_issuer","jwks","keys","decodedJwt","decodeJwt","parsedStatusAttestation","ParsedStatusAttestation","parse","header","protectedHeader","payload","Logger","log","LogLevel","DEBUG","JSON","stringify","holderBindingKey","getPublicKey","cnf","jwk","kid","ERROR","IoWalletError","e","exports"],"sourceRoot":"../../../../src","sources":["credential/status/03-verify-and-parse-status-attestation.ts"],"mappings":";;;;;;AACA,IAAAA,OAAA,GAAAC,OAAA;AACA,IAAAC,iBAAA,GAAAD,OAAA;AAEA,IAAAE,MAAA,GAAAF,OAAA;AAEA,IAAAG,QAAA,GAAAH,OAAA;AAUA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACO,MAAMI,+BAAgE,GAC3E,MAAAA,CAAOC,UAAU,EAAEC,oBAAoB,EAAEC,OAAO,KAAK;EACnD,IAAI;IACF,MAAM;MAAEC;IAAkB,CAAC,GAAGF,oBAAoB;IAClD,MAAM;MAAEG;IAAwB,CAAC,GAAGF,OAAO;IAE3C,MAAM,IAAAG,wBAAM,EACVF,iBAAiB,EACjBH,UAAU,CAACM,wBAAwB,CAACC,IAAI,CAACC,IAC3C,CAAC;IAED,MAAMC,UAAU,GAAG,IAAAC,wBAAS,EAACP,iBAAiB,CAAC;IAC/C,MAAMQ,uBAAuB,GAAGC,8BAAuB,CAACC,KAAK,CAAC;MAC5DC,MAAM,EAAEL,UAAU,CAACM,eAAe;MAClCC,OAAO,EAAEP,UAAU,CAACO;IACtB,CAAC,CAAC;IAEFC,eAAM,CAACC,GAAG,CACRC,iBAAQ,CAACC,KAAK,EACb,8BAA6BC,IAAI,CAACC,SAAS,CAACX,uBAAuB,CAAE,EACxE,CAAC;IAED,MAAMY,gBAAgB,GAAG,MAAMnB,uBAAuB,CAACoB,YAAY,CAAC,CAAC;IACrE,MAAM;MAAEC;IAAI,CAAC,GAAGd,uBAAuB,CAACK,OAAO;IAC/C,IAAI,CAACS,GAAG,CAACC,GAAG,CAACC,GAAG,IAAIF,GAAG,CAACC,GAAG,CAACC,GAAG,KAAKJ,gBAAgB,CAACI,GAAG,EAAE;MACxDV,eAAM,CAACC,GAAG,CACRC,iBAAQ,CAACS,KAAK,EACb,yEAAwEL,gBAAgB,CAACI,GAAI,UAAShB,uBAAuB,CAACK,OAAO,CAACS,GAAG,CAACC,GAAG,CAACC,GAAI,EACrJ,CAAC;MACD,MAAM,IAAIE,qBAAa,CACpB,yEAAwEN,gBAAgB,CAACI,GAAI,UAAShB,uBAAuB,CAACK,OAAO,CAACS,GAAG,CAACC,GAAG,CAACC,GAAI,EACrJ,CAAC;IACH;IAEA,OAAO;MAAEhB;IAAwB,CAAC;EACpC,CAAC,CAAC,OAAOmB,CAAC,EAAE;IACV,MAAM,IAAID,qBAAa,CACpB,wCAAuCR,IAAI,CAACC,SAAS,CAACQ,CAAC,CAAE,EAC5D,CAAC;EACH;AACF,CAAC;AAACC,OAAA,CAAAhC,+BAAA,GAAAA,+BAAA"}

package/lib/module/credential/status/02-status-attestation.js.map

@@ -1 +0,0 @@
-{"version":3,"names":["getCredentialHashWithouDiscloures","hasStatusOrThrow","SignJWT","v4","uuidv4","StatusAttestationResponse","IssuerResponseError","IssuerResponseErrorCodes","ResponseErrorBuilder","UnexpectedStatusCodeError","LogLevel","Logger","statusAttestation","issuerConf","credential","credentialCryptoContext","appFetch","arguments","length","undefined","fetch","jwk","getPublicKey","credentialHash","statusAttUrl","openid_credential_issuer","status_attestation_endpoint","credentialPop","setPayload","aud","jti","toString","credential_hash","credential_hash_alg","setProtectedHeader","alg","typ","kid","setIssuedAt","setExpirationTime","sign","body","credential_pop","log","DEBUG","result","method","headers","JSON","stringify","then","raw","json","parse","catch","handleStatusAttestationError","status_attestation","e","handle","code","CredentialInvalidStatus","message","StatusAttestationRequestFailed","buildFrom"],"sourceRoot":"../../../../src","sources":["credential/status/02-status-attestation.ts"],"mappings":"AAAA,SACEA,iCAAiC,EACjCC,gBAAgB,QAEX,kBAAkB;AAEzB,SAA6BC,OAAO,QAAQ,6BAA6B;AACzE,SAASC,EAAE,IAAIC,MAAM,QAAQ,MAAM;AACnC,SAASC,yBAAyB,QAAQ,SAAS;AACnD,SACEC,mBAAmB,EACnBC,wBAAwB,EACxBC,oBAAoB,EACpBC,yBAAyB,QACpB,oBAAoB;AAC3B,SAASC,QAAQ,EAAEC,MAAM,QAAQ,qBAAqB;AAWtD;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,MAAMC,iBAAoC,GAAG,eAAAA,CAClDC,UAAU,EACVC,UAAU,EACVC,uBAAuB,EAEpB;EAAA,IADHC,QAA8B,GAAAC,SAAA,CAAAC,MAAA,QAAAD,SAAA,QAAAE,SAAA,GAAAF,SAAA,MAAGG,KAAK;EAEtC,MAAMC,GAAG,GAAG,MAAMN,uBAAuB,CAACO,YAAY,CAAC,CAAC;EACxD,MAAMC,cAAc,GAAG,MAAMvB,iCAAiC,CAACc,UAAU,CAAC;EAC1E,MAAMU,YAAY,GAChBX,UAAU,CAACY,wBAAwB,CAACC,2BAA2B;EACjE,MAAMC,aAAa,GAAG,MAAM,IAAIzB,OAAO,CAACa,uBAAuB,CAAC,CAC7Da,UAAU,CAAC;IACVC,GAAG,EAAEL,YAAY;IACjBM,GAAG,EAAE1B,MAAM,CAAC,CAAC,CAAC2B,QAAQ,CAAC,CAAC;IACxBC,eAAe,EAAET,cAAc;IAC/BU,mBAAmB,EAAE;EACvB,CAAC,CAAC,CACDC,kBAAkB,CAAC;IAClBC,GAAG,EAAE,OAAO;IACZC,GAAG,EAAE,gCAAgC;IACrCC,GAAG,EAAEhB,GAAG,CAACgB;EACX,CAAC,CAAC,CACDC,WAAW,CAAC,CAAC,CACbC,iBAAiB,CAAC,IAAI,CAAC,CACvBC,IAAI,CAAC,CAAC;EAET,MAAMC,IAAI,GAAG;IACXC,cAAc,EAAEf;EAClB,CAAC;EAEDhB,MAAM,CAACgC,GAAG,CAACjC,QAAQ,CAACkC,KAAK,EAAG,mBAAkBjB,aAAc,EAAC,CAAC;EAE9D,MAAMkB,MAAM,GAAG,MAAM7B,QAAQ,CAACQ,YAAY,EAAE;IAC1CsB,MAAM,EAAE,MAAM;IACdC,OAAO,EAAE;MACP,cAAc,EAAE;IAClB,CAAC;IACDN,IAAI,EAAEO,IAAI,CAACC,SAAS,CAACR,IAAI;EAC3B,CAAC,CAAC,CACCS,IAAI,CAACjD,gBAAgB,CAAC,GAAG,CAAC,CAAC,CAC3BiD,IAAI,CAAEC,GAAG,IAAKA,GAAG,CAACC,IAAI,CAAC,CAAC,CAAC,CACzBF,IAAI,CAAEE,IAAI,IAAK/C,yBAAyB,CAACgD,KAAK,CAACD,IAAI,CAAC,CAAC,CACrDE,KAAK,CAACC,4BAA4B,CAAC;EAEtC,OAAO;IAAE3C,iBAAiB,EAAEiC,MAAM,CAACW;EAAmB,CAAC;AACzD,CAAC;;AAED;AACA;AACA;AACA;AACA;AACA;AACA,MAAMD,4BAA4B,GAAIE,CAAU,IAAK;EACnD,IAAI,EAAEA,CAAC,YAAYhD,yBAAyB,CAAC,EAAE;IAC7C,MAAMgD,CAAC;EACT;EAEA,MAAM,IAAIjD,oBAAoB,CAACF,mBAAmB,CAAC,CAChDoD,MAAM,CAAC,GAAG,EAAE;IACXC,IAAI,EAAEpD,wBAAwB,CAACqD,uBAAuB;IACtDC,OAAO,EAAE;EACX,CAAC,CAAC,CACDH,MAAM,CAAC,GAAG,EAAE;IACXC,IAAI,EAAEpD,wBAAwB,CAACuD,8BAA8B;IAC7DD,OAAO,EAAG;EACZ,CAAC,CAAC,CACDE,SAAS,CAACN,CAAC,CAAC;AACjB,CAAC"}

package/lib/module/credential/status/03-verify-and-parse-status-attestation.js

@@ -1,49 +0,0 @@
-import { IoWalletError } from "../../utils/errors";
-import { verify } from "@pagopa/io-react-native-jwt";
-import { ParsedStatusAttestation } from "./types";
-import { decode as decodeJwt } from "@pagopa/io-react-native-jwt";
-import { LogLevel, Logger } from "../../utils/logging";
-/**
- * Given a status attestation, verifies that:
- * - It's in the supported format;
- * - The attestation is correctly signed;
- * - It's bound to the given key.
- * @param issuerConf The Issuer configuration returned by {@link evaluateIssuerTrust}
- * @param statusAttestation The encoded status attestation returned by {@link statusAttestation}
- * @param context.credentialCryptoContext The crypto context used to obtain the credential in {@link obtainCredential}
- * @returns A parsed status attestation
- * @throws {IoWalletError} If the credential signature is not verified with the Issuer key set
- * @throws {IoWalletError} If the credential is not bound to the provided user key
- * @throws {IoWalletError} If the credential data fail to parse
- */
-export const verifyAndParseStatusAttestation = async (issuerConf, rawStatusAttestation, context) => {
-  try {
-    const {
-      statusAttestation
-    } = rawStatusAttestation;
-    const {
-      credentialCryptoContext
-    } = context;
-    await verify(statusAttestation, issuerConf.openid_credential_issuer.jwks.keys);
-    const decodedJwt = decodeJwt(statusAttestation);
-    const parsedStatusAttestation = ParsedStatusAttestation.parse({
-      header: decodedJwt.protectedHeader,
-      payload: decodedJwt.payload
-    });
-    Logger.log(LogLevel.DEBUG, `Parsed status attestation: ${JSON.stringify(parsedStatusAttestation)}`);
-    const holderBindingKey = await credentialCryptoContext.getPublicKey();
-    const {
-      cnf
-    } = parsedStatusAttestation.payload;
-    if (!cnf.jwk.kid || cnf.jwk.kid !== holderBindingKey.kid) {
-      Logger.log(LogLevel.ERROR, `Failed to verify holder binding for status attestation, expected kid: ${holderBindingKey.kid}, got: ${parsedStatusAttestation.payload.cnf.jwk.kid}`);
-      throw new IoWalletError(`Failed to verify holder binding for status attestation, expected kid: ${holderBindingKey.kid}, got: ${parsedStatusAttestation.payload.cnf.jwk.kid}`);
-    }
-    return {
-      parsedStatusAttestation
-    };
-  } catch (e) {
-    throw new IoWalletError(`Failed to verify status attestation: ${JSON.stringify(e)}`);
-  }
-};
-//# sourceMappingURL=03-verify-and-parse-status-attestation.js.map

package/lib/module/credential/status/03-verify-and-parse-status-attestation.js.map

@@ -1 +0,0 @@
-{"version":3,"names":["IoWalletError","verify","ParsedStatusAttestation","decode","decodeJwt","LogLevel","Logger","verifyAndParseStatusAttestation","issuerConf","rawStatusAttestation","context","statusAttestation","credentialCryptoContext","openid_credential_issuer","jwks","keys","decodedJwt","parsedStatusAttestation","parse","header","protectedHeader","payload","log","DEBUG","JSON","stringify","holderBindingKey","getPublicKey","cnf","jwk","kid","ERROR","e"],"sourceRoot":"../../../../src","sources":["credential/status/03-verify-and-parse-status-attestation.ts"],"mappings":"AACA,SAASA,aAAa,QAAQ,oBAAoB;AAClD,SAASC,MAAM,QAA4B,6BAA6B;AAExE,SAASC,uBAAuB,QAAQ,SAAS;AACjD,SAASC,MAAM,IAAIC,SAAS,QAAQ,6BAA6B;AACjE,SAASC,QAAQ,EAAEC,MAAM,QAAQ,qBAAqB;AAUtD;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,MAAMC,+BAAgE,GAC3E,MAAAA,CAAOC,UAAU,EAAEC,oBAAoB,EAAEC,OAAO,KAAK;EACnD,IAAI;IACF,MAAM;MAAEC;IAAkB,CAAC,GAAGF,oBAAoB;IAClD,MAAM;MAAEG;IAAwB,CAAC,GAAGF,OAAO;IAE3C,MAAMT,MAAM,CACVU,iBAAiB,EACjBH,UAAU,CAACK,wBAAwB,CAACC,IAAI,CAACC,IAC3C,CAAC;IAED,MAAMC,UAAU,GAAGZ,SAAS,CAACO,iBAAiB,CAAC;IAC/C,MAAMM,uBAAuB,GAAGf,uBAAuB,CAACgB,KAAK,CAAC;MAC5DC,MAAM,EAAEH,UAAU,CAACI,eAAe;MAClCC,OAAO,EAAEL,UAAU,CAACK;IACtB,CAAC,CAAC;IAEFf,MAAM,CAACgB,GAAG,CACRjB,QAAQ,CAACkB,KAAK,EACb,8BAA6BC,IAAI,CAACC,SAAS,CAACR,uBAAuB,CAAE,EACxE,CAAC;IAED,MAAMS,gBAAgB,GAAG,MAAMd,uBAAuB,CAACe,YAAY,CAAC,CAAC;IACrE,MAAM;MAAEC;IAAI,CAAC,GAAGX,uBAAuB,CAACI,OAAO;IAC/C,IAAI,CAACO,GAAG,CAACC,GAAG,CAACC,GAAG,IAAIF,GAAG,CAACC,GAAG,CAACC,GAAG,KAAKJ,gBAAgB,CAACI,GAAG,EAAE;MACxDxB,MAAM,CAACgB,GAAG,CACRjB,QAAQ,CAAC0B,KAAK,EACb,yEAAwEL,gBAAgB,CAACI,GAAI,UAASb,uBAAuB,CAACI,OAAO,CAACO,GAAG,CAACC,GAAG,CAACC,GAAI,EACrJ,CAAC;MACD,MAAM,IAAI9B,aAAa,CACpB,yEAAwE0B,gBAAgB,CAACI,GAAI,UAASb,uBAAuB,CAACI,OAAO,CAACO,GAAG,CAACC,GAAG,CAACC,GAAI,EACrJ,CAAC;IACH;IAEA,OAAO;MAAEb;IAAwB,CAAC;EACpC,CAAC,CAAC,OAAOe,CAAC,EAAE;IACV,MAAM,IAAIhC,aAAa,CACpB,wCAAuCwB,IAAI,CAACC,SAAS,CAACO,CAAC,CAAE,EAC5D,CAAC;EACH;AACF,CAAC"}

package/lib/typescript/credential/status/02-status-attestation.d.ts

@@ -1,19 +0,0 @@
-import { type Out } from "../../utils/misc";
-import type { EvaluateIssuerTrust, ObtainCredential } from "../issuance";
-import { type CryptoContext } from "@pagopa/io-react-native-jwt";
-import { StatusAttestationResponse } from "./types";
-export type StatusAttestation = (issuerConf: Out<EvaluateIssuerTrust>["issuerConf"], credential: Out<ObtainCredential>["credential"], credentialCryptoContext: CryptoContext, appFetch?: GlobalFetch["fetch"]) => Promise<{
-    statusAttestation: StatusAttestationResponse["status_attestation"];
-}>;
-/**
- * WARNING: This function must be called after {@link startFlow}.
- * Verify the status of the credential attestation.
- * @param issuerConf - The issuer's configuration
- * @param credential - The credential to be verified
- * @param credentialCryptoContext - The credential's crypto context
- * @param context.appFetch (optional) fetch api implementation. Default: built-in fetch
- * @throws {IssuerResponseError} with a specific code for more context
- * @returns The credential status attestation
- */
-export declare const statusAttestation: StatusAttestation;
-//# sourceMappingURL=02-status-attestation.d.ts.map

package/lib/typescript/credential/status/02-status-attestation.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"02-status-attestation.d.ts","sourceRoot":"","sources":["../../../../src/credential/status/02-status-attestation.ts"],"names":[],"mappings":"AAAA,OAAO,EAGL,KAAK,GAAG,EACT,MAAM,kBAAkB,CAAC;AAC1B,OAAO,KAAK,EAAE,mBAAmB,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AACzE,OAAO,EAAE,KAAK,aAAa,EAAW,MAAM,6BAA6B,CAAC;AAE1E,OAAO,EAAE,yBAAyB,EAAE,MAAM,SAAS,CAAC;AASpD,MAAM,MAAM,iBAAiB,GAAG,CAC9B,UAAU,EAAE,GAAG,CAAC,mBAAmB,CAAC,CAAC,YAAY,CAAC,EAClD,UAAU,EAAE,GAAG,CAAC,gBAAgB,CAAC,CAAC,YAAY,CAAC,EAC/C,uBAAuB,EAAE,aAAa,EACtC,QAAQ,CAAC,EAAE,WAAW,CAAC,OAAO,CAAC,KAC5B,OAAO,CAAC;IACX,iBAAiB,EAAE,yBAAyB,CAAC,oBAAoB,CAAC,CAAC;CACpE,CAAC,CAAC;AAEH;;;;;;;;;GASG;AACH,eAAO,MAAM,iBAAiB,EAAE,iBA6C/B,CAAC"}

package/lib/typescript/credential/status/03-verify-and-parse-status-attestation.d.ts

@@ -1,24 +0,0 @@
-import type { Out } from "../../utils/misc";
-import { type CryptoContext } from "@pagopa/io-react-native-jwt";
-import type { EvaluateIssuerTrust, StatusAttestation } from "../status";
-import { ParsedStatusAttestation } from "./types";
-export type VerifyAndParseStatusAttestation = (issuerConf: Out<EvaluateIssuerTrust>["issuerConf"], statusAttestation: Out<StatusAttestation>, context: {
-    credentialCryptoContext: CryptoContext;
-}) => Promise<{
-    parsedStatusAttestation: ParsedStatusAttestation;
-}>;
-/**
- * Given a status attestation, verifies that:
- * - It's in the supported format;
- * - The attestation is correctly signed;
- * - It's bound to the given key.
- * @param issuerConf The Issuer configuration returned by {@link evaluateIssuerTrust}
- * @param statusAttestation The encoded status attestation returned by {@link statusAttestation}
- * @param context.credentialCryptoContext The crypto context used to obtain the credential in {@link obtainCredential}
- * @returns A parsed status attestation
- * @throws {IoWalletError} If the credential signature is not verified with the Issuer key set
- * @throws {IoWalletError} If the credential is not bound to the provided user key
- * @throws {IoWalletError} If the credential data fail to parse
- */
-export declare const verifyAndParseStatusAttestation: VerifyAndParseStatusAttestation;
-//# sourceMappingURL=03-verify-and-parse-status-attestation.d.ts.map

package/lib/typescript/credential/status/03-verify-and-parse-status-attestation.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"03-verify-and-parse-status-attestation.d.ts","sourceRoot":"","sources":["../../../../src/credential/status/03-verify-and-parse-status-attestation.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,GAAG,EAAE,MAAM,kBAAkB,CAAC;AAE5C,OAAO,EAAU,KAAK,aAAa,EAAE,MAAM,6BAA6B,CAAC;AACzE,OAAO,KAAK,EAAE,mBAAmB,EAAE,iBAAiB,EAAE,MAAM,WAAW,CAAC;AACxE,OAAO,EAAE,uBAAuB,EAAE,MAAM,SAAS,CAAC;AAIlD,MAAM,MAAM,+BAA+B,GAAG,CAC5C,UAAU,EAAE,GAAG,CAAC,mBAAmB,CAAC,CAAC,YAAY,CAAC,EAClD,iBAAiB,EAAE,GAAG,CAAC,iBAAiB,CAAC,EACzC,OAAO,EAAE;IACP,uBAAuB,EAAE,aAAa,CAAC;CACxC,KACE,OAAO,CAAC;IAAE,uBAAuB,EAAE,uBAAuB,CAAA;CAAE,CAAC,CAAC;AAEnE;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,+BAA+B,EAAE,+BAwC3C,CAAC"}

package/src/credential/status/03-verify-and-parse-status-attestation.ts

@@ -1,70 +0,0 @@
-import type { Out } from "../../utils/misc";
-import { IoWalletError } from "../../utils/errors";
-import { verify, type CryptoContext } from "@pagopa/io-react-native-jwt";
-import type { EvaluateIssuerTrust, StatusAttestation } from "../status";
-import { ParsedStatusAttestation } from "./types";
-import { decode as decodeJwt } from "@pagopa/io-react-native-jwt";
-import { LogLevel, Logger } from "../../utils/logging";
-
-export type VerifyAndParseStatusAttestation = (
-  issuerConf: Out<EvaluateIssuerTrust>["issuerConf"],
-  statusAttestation: Out<StatusAttestation>,
-  context: {
-    credentialCryptoContext: CryptoContext;
-  }
-) => Promise<{ parsedStatusAttestation: ParsedStatusAttestation }>;
-
-/**
- * Given a status attestation, verifies that:
- * - It's in the supported format;
- * - The attestation is correctly signed;
- * - It's bound to the given key.
- * @param issuerConf The Issuer configuration returned by {@link evaluateIssuerTrust}
- * @param statusAttestation The encoded status attestation returned by {@link statusAttestation}
- * @param context.credentialCryptoContext The crypto context used to obtain the credential in {@link obtainCredential}
- * @returns A parsed status attestation
- * @throws {IoWalletError} If the credential signature is not verified with the Issuer key set
- * @throws {IoWalletError} If the credential is not bound to the provided user key
- * @throws {IoWalletError} If the credential data fail to parse
- */
-export const verifyAndParseStatusAttestation: VerifyAndParseStatusAttestation =
-  async (issuerConf, rawStatusAttestation, context) => {
-    try {
-      const { statusAttestation } = rawStatusAttestation;
-      const { credentialCryptoContext } = context;
-
-      await verify(
-        statusAttestation,
-        issuerConf.openid_credential_issuer.jwks.keys
-      );
-
-      const decodedJwt = decodeJwt(statusAttestation);
-      const parsedStatusAttestation = ParsedStatusAttestation.parse({
-        header: decodedJwt.protectedHeader,
-        payload: decodedJwt.payload,
-      });
-
-      Logger.log(
-        LogLevel.DEBUG,
-        `Parsed status attestation: ${JSON.stringify(parsedStatusAttestation)}`
-      );
-
-      const holderBindingKey = await credentialCryptoContext.getPublicKey();
-      const { cnf } = parsedStatusAttestation.payload;
-      if (!cnf.jwk.kid || cnf.jwk.kid !== holderBindingKey.kid) {
-        Logger.log(
-          LogLevel.ERROR,
-          `Failed to verify holder binding for status attestation, expected kid: ${holderBindingKey.kid}, got: ${parsedStatusAttestation.payload.cnf.jwk.kid}`
-        );
-        throw new IoWalletError(
-          `Failed to verify holder binding for status attestation, expected kid: ${holderBindingKey.kid}, got: ${parsedStatusAttestation.payload.cnf.jwk.kid}`
-        );
-      }
-
-      return { parsedStatusAttestation };
-    } catch (e) {
-      throw new IoWalletError(
-        `Failed to verify status attestation: ${JSON.stringify(e)}`
-      );
-    }
-  };