@pagopa/io-react-native-wallet 2.0.0-next.5 → 2.0.0-next.7

package/lib/typescript/utils/crypto.d.ts

@@ -1,4 +1,5 @@
 import { type CryptoContext } from "@pagopa/io-react-native-jwt";
+import { JWK } from "./jwk";
 /**
  * Create a CryptoContext bound to a key pair.
  * Key pair is supposed to exist already in the device's keychain.
@@ -16,4 +17,19 @@ export declare const createCryptoContextFor: (keytag: string) => CryptoContext;
  * @returns The returned value of the input procedure.
  */
 export declare const withEphemeralKey: <R>(fn: (ephemeralContext: CryptoContext) => Promise<R>) => Promise<R>;
+/**
+ * Converts a base64-encoded DER certificate to PEM format.
+ *
+ * @param certificate - The base64-encoded DER certificate.
+ * @returns The PEM-formatted certificate.
+ */
+export declare const convertBase64DerToPem: (certificate: string) => string;
+/**
+ * Retrieves the signing JWK from a PEM-formatted certificate.
+ *
+ * @param pemCert - The PEM-formatted certificate.
+ * @returns The signing JWK.
+ * @throws Will throw an error if the public key is unsupported.
+ */
+export declare const getSigninJwkFromCert: (pemCert: string) => JWK;
 //# sourceMappingURL=crypto.d.ts.map

package/lib/typescript/utils/crypto.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"crypto.d.ts","sourceRoot":"","sources":["../../../src/utils/crypto.ts"],"names":[],"mappings":"AAOA,OAAO,EAAE,KAAK,aAAa,EAAc,MAAM,6BAA6B,CAAC;AAE7E;;;;;;GAMG;AACH,eAAO,MAAM,sBAAsB,WAAY,MAAM,KAAG,aAsBvD,CAAC;AAEF;;;;;;;GAOG;AACH,eAAO,MAAM,gBAAgB,6BACJ,aAAa,8BAOrC,CAAC"}
+{"version":3,"file":"crypto.d.ts","sourceRoot":"","sources":["../../../src/utils/crypto.ts"],"names":[],"mappings":"AAOA,OAAO,EAAc,KAAK,aAAa,EAAE,MAAM,6BAA6B,CAAC;AAC7E,OAAO,EAAE,GAAG,EAAE,MAAM,OAAO,CAAC;AAI5B;;;;;;GAMG;AACH,eAAO,MAAM,sBAAsB,WAAY,MAAM,KAAG,aAsBvD,CAAC;AAEF;;;;;;;GAOG;AACH,eAAO,MAAM,gBAAgB,6BACJ,aAAa,8BAOrC,CAAC;AACF;;;;;GAKG;AACH,eAAO,MAAM,qBAAqB,gBAAiB,MAAM,KAAG,MACc,CAAC;AAE3E;;;;;;GAMG;AACH,eAAO,MAAM,oBAAoB,YAAa,MAAM,KAAG,GAkBtD,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pagopa/io-react-native-wallet",
-  "version": "2.0.0-next.5",
+  "version": "2.0.0-next.7",
   "description": "Provide data structures, helpers and API for IO Wallet",
   "main": "lib/commonjs/index",
   "module": "lib/module/index",
@@ -30,7 +30,7 @@
     "test": "jest",
     "tsc": "tsc --noEmit",
     "lint": "eslint . -c .eslintrc.js --ext .ts,.tsx",
-    "prepack": "bob build",
+    "prepack": "yarn generate && bob build",
     "release": "release-it",
     "example": "yarn --cwd example",
     "bootstrap": "yarn example && yarn install",
@@ -53,12 +53,15 @@
     "registry": "https://registry.npmjs.org/"
   },
   "devDependencies": {
-    "@pagopa/io-react-native-crypto": "^1.2.2",
+    "@pagopa/io-react-native-crypto": "^1.2.3",
+    "@pagopa/io-react-native-iso18013": "^0.3.0",
     "@pagopa/io-react-native-jwt": "^2.1.0",
+    "@react-native/babel-preset": "0.78.3",
     "@react-native/eslint-config": "^0.75.5",
     "@rushstack/eslint-patch": "^1.3.2",
-    "@types/jest": "^28.1.2",
-    "@types/react": "^18.2.6",
+    "@types/jest": "^29.5.13",
+    "@types/jsrsasign": "^10.5.15",
+    "@types/react": "^19.0.0",
     "@types/react-native": "0.70.0",
     "@types/url-parse": "^1.4.11",
     "del-cli": "^5.0.0",
@@ -67,16 +70,14 @@
     "jest": "^28.1.1",
     "pod-install": "^0.1.0",
     "prettier": "^3.5.3",
-    "react": "18.3.1",
-    "react-native": "0.75.5",
+    "react": "19.0.0",
+    "react-native": "0.78.3",
     "react-native-builder-bob": "^0.20.0",
     "typed-openapi": "^0.4.1",
     "typescript": "5.0.4"
   },
-  "resolutions": {
-    "@types/react": "^18.2.6"
-  },
   "peerDependencies": {
+    "@pagopa/io-react-native-iso18013": "*",
     "@pagopa/io-react-native-crypto": "*",
     "@pagopa/io-react-native-jwt": "*",
     "react": "*",
@@ -93,7 +94,7 @@
       "<rootDir>/lib/"
     ],
     "transformIgnorePatterns": [
-      "node_modules/(?!(jest-)?@react-native|react-native|uuid)"
+      "node_modules/(?!(jest-)?@react-native|react-native|uuid|@pagopa/io-react-native-iso18013)"
     ],
     "setupFiles": [
       "<rootDir>/jestSetup.js"
@@ -118,6 +119,7 @@
     "js-base64": "^3.7.7",
     "js-sha256": "^0.9.0",
     "jsonpath-plus": "^10.2.0",
+    "jsrsasign": "^11.1.0",
     "parse-url": "^9.2.0",
     "react-native-url-polyfill": "^2.0.0",
     "react-native-uuid": "^2.0.1",

package/src/credential/issuance/02-evaluate-issuer-trust.ts

@@ -27,6 +27,7 @@ export const evaluateIssuerTrust: EvaluateIssuerTrust = async (
 ) => {
   const issuerConf = await getCredentialIssuerEntityConfiguration(issuerUrl, {
     appFetch: context.appFetch,
-  }).then((_) => _.payload.metadata);
+  }).then(({ payload }) => payload.metadata);
+
   return { issuerConf };
 };

package/src/credential/issuance/06-obtain-credential.ts

@@ -18,6 +18,7 @@ import { CredentialResponse, NonceResponse } from "./types";
 import { createDPopToken } from "../../utils/dpop";
 import { v4 as uuidv4 } from "uuid";
 import { LogLevel, Logger } from "../../utils/logging";
+import type { SupportedCredentialFormat } from "../../trust/types";
 
 export type ObtainCredential = (
   issuerConf: Out<EvaluateIssuerTrust>["issuerConf"],
@@ -35,7 +36,7 @@ export type ObtainCredential = (
   operationType?: "reissuing"
 ) => Promise<{
   credential: string;
-  format: string;
+  format: SupportedCredentialFormat;
 }>;
 
 export const createNonceProof = async (

package/src/credential/issuance/07-verify-and-parse-credential.ts

@@ -6,12 +6,22 @@ import { SdJwt4VC, verify as verifySdJwt } from "../../sd-jwt";
 import { getValueFromDisclosures } from "../../sd-jwt/converters";
 import { isSameThumbprint, type JWK } from "../../utils/jwk";
 import type { ObtainCredential } from "./06-obtain-credential";
-import { Logger, LogLevel } from "../../utils/logging";
+import { verify as verifyMdoc } from "../../mdoc";
+import { MDOC_DEFAULT_NAMESPACE } from "../../mdoc/const";
+import { getParsedCredentialClaimKey } from "../../mdoc/utils";
+import { LogLevel, Logger } from "../../utils/logging";
+import { extractElementValueAsDate } from "../../mdoc/converter";
+import type { CBOR } from "@pagopa/io-react-native-iso18013";
+import type { PublicKey } from "@pagopa/io-react-native-crypto";
 
 type IssuerConf = Out<EvaluateIssuerTrust>["issuerConf"];
 type CredentialConf =
   IssuerConf["openid_credential_issuer"]["credential_configurations_supported"][string];
 
+type DecodedMDocCredential = Out<typeof verifyMdoc> & {
+  issuerSigned: CBOR.IssuerSigned;
+};
+
 export type VerifyAndParseCredential = (
   issuerConf: IssuerConf,
   credential: Out<ObtainCredential>["credential"],
@@ -26,7 +36,8 @@ export type VerifyAndParseCredential = (
      * Include attributes that are not explicitly mapped in the issuer configuration.
      */
     includeUndefinedAttributes?: boolean;
-  }
+  },
+  x509CertRoot?: string
 ) => Promise<{
   parsedCredential: ParsedCredential;
   expiration: Date;
@@ -34,11 +45,9 @@ export type VerifyAndParseCredential = (
 }>;
 
 // The credential as a collection of attributes in plain value
-type ParsedCredential = Record<
+type ParsedCredential = {
   /** Attribute key */
-  string,
-  {
-    /** Human-readable name of the attribute */
+  [claim: string]: {
     name:
       | /* if i18n is provided */ Record<
           string /* locale */,
@@ -46,10 +55,9 @@ type ParsedCredential = Record<
         >
       | /* if no i18n is provided */ string
       | undefined; // Add undefined as a possible value for the name property
-    /** The actual value of the attribute */
     value: unknown;
-  }
->;
+  };
+};
 
 // handy alias
 type DecodedSdJwtCredential = Out<typeof verifySdJwt> & {
@@ -139,7 +147,123 @@ const parseCredentialSdJwt = (
 
   return definedValues;
 };
+const parseCredentialMDoc = (
+  // the list of supported credentials, as defined in the issuer configuration
+  credentialConfig: CredentialConf,
+  // credential_type: string,
+  { issuerSigned }: DecodedMDocCredential,
+  ignoreMissingAttributes: boolean = false,
+  includeUndefinedAttributes: boolean = false
+): ParsedCredential => {
+  if (!credentialConfig) {
+    throw new IoWalletError("Credential type not supported by the issuer");
+  }
+
+  if (!credentialConfig.claims) {
+    throw new IoWalletError("Missing claims in the credential subject");
+  }
+
+  const attrDefinitions = credentialConfig.claims.map<
+    [string, string, { name: string; locale: string }[]]
+  >(({ path: [namespace, attribute], display }) => [
+    namespace as string,
+    attribute as string,
+    display,
+  ]);
+
+  if (!issuerSigned.nameSpaces) {
+    throw new IoWalletError("Missing claims in the credential");
+  }
+
+  const flatNamespaces = Object.entries(issuerSigned.nameSpaces).flatMap(
+    ([namespace, values]) =>
+      values.map<[string, string, string]>((v) => [
+        namespace,
+        v.elementIdentifier,
+        v.elementValue,
+      ])
+  );
+
+  // Check that all mandatory attributes defined in the issuer configuration are present in the disclosure set
+  // and filter the non present ones
+  const attrsNotInDisclosures = attrDefinitions.filter(
+    ([attrDefNamespace, attrKey]) =>
+      flatNamespaces.some(
+        ([namespace, claim]) =>
+          attrDefNamespace === namespace && attrKey === claim
+      )
+  );
+  if (attrsNotInDisclosures.length > 0) {
+    const missing = attrsNotInDisclosures
+      .map(([, attrKey]) => attrKey)
+      .join(", ");
+    const received = Object.keys(Object.values(flatNamespaces));
+
+    if (!ignoreMissingAttributes) {
+      throw new IoWalletError(
+        `Some attributes are missing in the credential. Missing: [${missing}], received: [${received}]`
+      );
+    }
+  }
+
+  // Attributes defined in the issuer configuration and present in the disclosure set
+  const definedValues = attrDefinitions
+    // Retrieve the value from the corresponding disclosure
+    .map(
+      ([attrDefNamespace, attrKey, display]) =>
+        [
+          attrDefNamespace,
+          attrKey,
+          {
+            display,
+            value: flatNamespaces.find(
+              ([namespace, name]) =>
+                attrDefNamespace === namespace && name === attrKey
+            )?.[2],
+          },
+        ] as const
+    )
+    //filter the not found elements
+    .filter(([_, __, definition]) => definition.value !== undefined)
+    // Add a human-readable attribute name, with i18n, in the form { locale: name }
+    // Example: { "it-IT": "Nome", "en-EN": "Name", "es-ES": "Nombre" }
+    .reduce<ParsedCredential>(
+      (acc, [attrDefNamespace, attrKey, { display, value }]) => ({
+        ...acc,
+        [getParsedCredentialClaimKey(attrDefNamespace, attrKey)]: {
+          value,
+          name: display.reduce(
+            (names, { locale, name }) => ({
+              ...names,
+              [locale]: name,
+            }),
+            {}
+          ),
+        },
+      }),
+      {}
+    );
+
+  if (includeUndefinedAttributes) {
+    const undefinedValues: ParsedCredential = Object.fromEntries(
+      Object.values(flatNamespaces)
+        .filter(
+          ([namespace, key]) =>
+            !definedValues[getParsedCredentialClaimKey(namespace, key)]
+        )
+        .map(([namespace, key, value]) => [
+          getParsedCredentialClaimKey(namespace, key),
+          { value, name: key },
+        ])
+    );
+    return {
+      ...definedValues,
+      ...undefinedValues,
+    };
+  }
 
+  return definedValues;
+};
 /**
  * Given a credential, verify it's in the supported format
  * and the credential is correctly signed
@@ -176,6 +300,48 @@ async function verifyCredentialSdJwt(
 
   return decodedCredential;
 }
+/**
+ * Given a credential, verify it's in the supported format
+ * and the credential is correctly signed
+ * and it's bound to the given key
+ *
+ * @param rawCredential The received credential
+ * @param issuerKeys The set of public keys of the issuer,
+ * which will be used to verify the signature
+ * @param holderBindingContext The access to the holder's key
+ *
+ * @throws If the signature verification fails
+ * @throws If the credential is not in the SdJwt4VC format
+ * @throws If the holder binding is not properly configured
+ *
+ */
+async function verifyCredentialMDoc(
+  rawCredential: string,
+  x509CertRoot: string,
+  holderBindingContext: CryptoContext
+): Promise<DecodedMDocCredential> {
+  const [decodedCredential, holderBindingKey] =
+    // parallel for optimization
+    await Promise.all([
+      verifyMdoc(rawCredential, x509CertRoot),
+      holderBindingContext.getPublicKey(),
+    ]);
+
+  if (!decodedCredential) {
+    throw new IoWalletError("No MDOC credentials found!");
+  }
+
+  const key =
+    decodedCredential.issuerSigned.issuerAuth.payload.deviceKeyInfo.deviceKey;
+
+  if (!(await isSameThumbprint(key, holderBindingKey as PublicKey))) {
+    throw new IoWalletError(
+      `Failed to verify holder binding, holder binding key and mDoc deviceKey don't match`
+    );
+  }
+
+  return decodedCredential;
+}
 
 const verifyAndParseCredentialSdJwt: VerifyAndParseCredential = async (
   issuerConf,
@@ -231,6 +397,60 @@ const verifyAndParseCredentialSdJwt: VerifyAndParseCredential = async (
   };
 };
 
+const verifyAndParseCredentialMDoc: VerifyAndParseCredential = async (
+  issuerConf,
+  credential,
+  credentialConfigurationId,
+  { credentialCryptoContext, ignoreMissingAttributes },
+  x509CertRoot
+) => {
+  if (!x509CertRoot) {
+    throw new IoWalletError("Missing x509CertRoot");
+  }
+
+  const decoded = await verifyCredentialMDoc(
+    credential,
+    x509CertRoot,
+    credentialCryptoContext
+  );
+
+  const credentialConfig =
+    issuerConf.openid_credential_issuer.credential_configurations_supported[
+      credentialConfigurationId
+    ]!;
+  const parsedCredential = parseCredentialMDoc(
+    credentialConfig,
+    decoded,
+    ignoreMissingAttributes,
+    ignoreMissingAttributes
+  );
+
+  const expirationDate = extractElementValueAsDate(
+    parsedCredential?.[
+      getParsedCredentialClaimKey(MDOC_DEFAULT_NAMESPACE, "expiry_date")
+    ]?.value as string
+  );
+  if (!expirationDate) {
+    throw new IoWalletError(`expirationDate must be present!!`);
+  }
+  expirationDate.setDate(expirationDate.getDate() + 1);
+
+  const maybeIssuedAt = extractElementValueAsDate(
+    parsedCredential?.[
+      getParsedCredentialClaimKey(MDOC_DEFAULT_NAMESPACE, "issue_date")
+    ]?.value as string
+  );
+  maybeIssuedAt?.setDate(maybeIssuedAt.getDate() + 1);
+
+  return {
+    parsedCredential,
+    credential,
+    credentialConfigurationId,
+    expiration: expirationDate,
+    issuedAt: maybeIssuedAt ?? undefined,
+  };
+};
+
 /**
  * Verify and parse an encoded credential.
  * @param issuerConf The Issuer configuration returned by {@link evaluateIssuerTrust}
@@ -248,24 +468,39 @@ export const verifyAndParseCredential: VerifyAndParseCredential = async (
   issuerConf,
   credential,
   credentialConfigurationId,
-  context
+  context,
+  x509CertRoot
 ) => {
   const format =
     issuerConf.openid_credential_issuer.credential_configurations_supported[
       credentialConfigurationId
     ]?.format;
 
-  if (format === "dc+sd-jwt") {
-    Logger.log(LogLevel.DEBUG, "Parsing credential in dc+sd-jwt format");
-    return verifyAndParseCredentialSdJwt(
-      issuerConf,
-      credential,
-      credentialConfigurationId,
-      context
-    );
-  }
+  switch (format) {
+    case "dc+sd-jwt": {
+      Logger.log(LogLevel.DEBUG, "Parsing credential in dc+sd-jwt format");
+      return verifyAndParseCredentialSdJwt(
+        issuerConf,
+        credential,
+        credentialConfigurationId,
+        context
+      );
+    }
+    case "mso_mdoc": {
+      Logger.log(LogLevel.DEBUG, "Parsing credential in mso_mdoc format");
+      return verifyAndParseCredentialMDoc(
+        issuerConf,
+        credential,
+        credentialConfigurationId,
+        context,
+        x509CertRoot
+      );
+    }
 
-  const message = `Unsupported credential format: ${format}`;
-  Logger.log(LogLevel.ERROR, message);
-  throw new IoWalletError(message);
+    default: {
+      const message = `Unsupported credential format: ${format}`;
+      Logger.log(LogLevel.ERROR, message);
+      throw new IoWalletError(message);
+    }
+  }
 };

package/src/credential/issuance/README.md

@@ -171,7 +171,7 @@ const { credential_configuration_id, credential_identifiers } =
     accessToken.authorization_details[0]!;
 
  // Obtain the credential
-const { credential } = await Credential.Issuance.obtainCredential(
+const { credential, format } = await Credential.Issuance.obtainCredential(
   issuerConf,
   accessToken,
   clientId,
@@ -186,6 +186,10 @@ const { credential } = await Credential.Issuance.obtainCredential(
   }
 );
 
+// The certificate below is required to perform the `x5chain` validation of credentials in `mdoc` format.
+// In a real-world scenario, it must be obtained from the appropriate endpoint exposed by the Trust Anchor
+const mockX509CertRoot = format === "mso_mdoc" ? "base64encodedX509CertRoot" : undefined
+
 /*
  * Parse and verify the credential. The ignoreMissingAttributes flag must be set to false or omitted in production.
  * WARNING: includeUndefinedAttributes should not be set to true in production in order to get only claims explicitly declared by the issuer.
@@ -199,7 +203,8 @@ const { parsedCredential } =
       credentialCryptoContext, 
       ignoreMissingAttributes: true,
       includeUndefinedAttributes: false 
-    }
+    },
+    mockX509CertRoot
   );
 
 const credentialType =

package/src/mdoc/const.ts

@@ -0,0 +1 @@
+export const MDOC_DEFAULT_NAMESPACE = "org.iso.18013.5.1";

package/src/mdoc/converter.ts

@@ -0,0 +1,26 @@
+/**
+ * Extracts the date value of a given elementIdentifier from an MDOC object.
+ * Searches through the issuerSigned namespaces and attempts to parse the value as a Date.
+ * The expected date format is "YYYY-MM-DD".
+ * Returns the Date object if found, otherwise returns null.
+ */
+export function extractElementValueAsDate(elementValue: string): Date | null {
+  if (typeof elementValue === "string") {
+    const dateParts = elementValue.split("-");
+    if (dateParts.length === 3) {
+      const [year, month, day] = dateParts.map(Number);
+      if (
+        day !== undefined &&
+        month !== undefined &&
+        year !== undefined &&
+        !isNaN(day) &&
+        !isNaN(month) &&
+        !isNaN(year)
+      ) {
+        return new Date(year, month - 1, day); // Month is zero-based in JS Date
+      }
+    }
+  }
+
+  return null; // Return null if no matching element is found or it's not a valid date
+}

package/src/mdoc/index.ts

@@ -0,0 +1,93 @@
+import { CBOR, COSE } from "@pagopa/io-react-native-iso18013";
+import { b64utob64 } from "jsrsasign";
+import {
+  verifyCertificateChain,
+  type CertificateValidationResult,
+  type PublicKey,
+  type X509CertificateOptions,
+} from "@pagopa/io-react-native-crypto";
+import { MissingX509CertsError, X509ValidationError } from "../trust/errors";
+import { IoWalletError } from "../utils/errors";
+import { convertBase64DerToPem, getSigninJwkFromCert } from "../utils/crypto";
+
+export const verify = async (
+  token: string,
+  x509CertRoot: string
+): Promise<{ issuerSigned: CBOR.IssuerSigned }> => {
+  // get decoded data
+  const issuerSigned = await CBOR.decodeIssuerSigned(token);
+
+  if (!issuerSigned) {
+    throw new IoWalletError("Invalid mDoc");
+  }
+
+  if (
+    !issuerSigned.issuerAuth.unprotectedHeader?.x5chain &&
+    (!Array.isArray(issuerSigned.issuerAuth.unprotectedHeader.x5chain) ||
+      issuerSigned.issuerAuth.unprotectedHeader.x5chain.length === 0)
+  ) {
+    throw new MissingX509CertsError("Missing x509 certificates");
+  }
+  const x5chain =
+    issuerSigned.issuerAuth.unprotectedHeader.x5chain.map(b64utob64);
+  // Verify the x5chain
+  await verifyX5chain(x5chain, x509CertRoot);
+
+  const coseSign1 = issuerSigned.issuerAuth.rawValue;
+
+  if (!coseSign1) {
+    throw new IoWalletError("Missing coseSign1");
+  }
+  // Once the x5chain is verified, the signatures verification can be performed
+  await verifyMdocSignature(coseSign1, x5chain[0]!);
+
+  return { issuerSigned };
+};
+
+/**
+ * This function checks whether the x509 certificate chain is valid against a specified Certificate Authority (CA)
+ *
+ * @param x5chain The mdoc's x509 certificate chain
+ * @param x509CertRoot The Trust Anchor CA
+ * @param options Options for certificate validation
+ */
+const verifyX5chain = async (
+  x5chain: string[],
+  x509CertRoot: string,
+  options: X509CertificateOptions = {
+    connectTimeout: 10000,
+    readTimeout: 10000,
+    requireCrl: true,
+  }
+) => {
+  const x509ValidationResult: CertificateValidationResult =
+    await verifyCertificateChain(x5chain, x509CertRoot, options);
+
+  if (!x509ValidationResult.isValid) {
+    throw new X509ValidationError(
+      `X.509 certificate chain validation failed. Status: ${x509ValidationResult.validationStatus}. Error: ${x509ValidationResult.errorMessage}`,
+      {
+        x509ValidationStatus: x509ValidationResult.validationStatus,
+        x509ErrorMessage: x509ValidationResult.errorMessage,
+      }
+    );
+  }
+};
+/**
+ * This function verifies that the signature is valid for the given certificate.
+ * If not, it throws an error
+ *
+ * @param coseSign1 The COSE-Sign1 object encoded in base64 or base64url
+ * @param cert The `x5chain`'s leaf certificate
+ */
+const verifyMdocSignature = async (coseSign1: string, cert: string) => {
+  const pemcert = convertBase64DerToPem(cert);
+  const jwk = getSigninJwkFromCert(pemcert);
+
+  jwk.x = b64utob64(jwk.x!);
+  jwk.y = b64utob64(jwk.y!);
+
+  const signatureCorrect = await COSE.verify(coseSign1, jwk as PublicKey);
+
+  if (!signatureCorrect) throw new Error("Invalid mDoc signature");
+};

package/src/mdoc/utils.ts

@@ -0,0 +1,7 @@
+/**
+ * @param namespace The mdoc credential `namespace`
+ * @param key The claim attribute key
+ * @returns A string consisting of the concatenation of the namespace and the claim key, separated by a colon
+ */
+export const getParsedCredentialClaimKey = (namespace: string, key: string) =>
+  `${namespace}:${key}`;

package/src/trust/types.ts

@@ -38,7 +38,7 @@ const CredentialIssuerDisplayMetadata = z.object({
 
 type ClaimsMetadata = z.infer<typeof ClaimsMetadata>;
 const ClaimsMetadata = z.object({
-  path: z.array(z.string()),
+  path: z.array(z.union([z.string(), z.number(), z.null()])), // https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0-15.html#name-claims-path-pointer
   display: z.array(CredentialDisplayMetadata),
 });
 
@@ -71,6 +71,10 @@ const SupportedCredentialMetadata = z.intersection(
   })
 );
 
+export type SupportedCredentialFormat = z.infer<
+  typeof SupportedCredentialMetadata
+>["format"];
+
 export type EntityStatement = z.infer<typeof EntityStatement>;
 export const EntityStatement = z.object({
   header: z.object({