npm - @pagopa/io-react-native-wallet - Versions diffs - 2.5.0 → 3.0.0 - Mend

@pagopa/io-react-native-wallet 2.5.0 → 3.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (1562) hide show

package/lib/module/credential/issuance/common/06-verify-and-parse-credential.mdoc.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"names":["extractElementValueAsDate","getParsedCredentialClaimKey","verify","verifyMdoc","MDOC_DEFAULT_NAMESPACE","IoWalletError","isSameThumbprint","verifyCredentialMDoc","rawCredential","x509CertRoot","holderBindingContext","decodedCredential","holderBindingKey","Promise","all","getPublicKey","key","issuerSigned","issuerAuth","payload","deviceKeyInfo","deviceKey","parseCredentialMDoc","credentialConfig","_ref","ignoreMissingAttributes","arguments","length","undefined","includeUndefinedAttributes","claims","attrDefinitions","map","_ref2","path","namespace","attribute","display","nameSpaces","flatNamespaces","Object","entries","flatMap","_ref3","values","v","elementIdentifier","elementValue","attrsNotInDisclosures","filter","_ref4","attrDefNamespace","attrKey","some","_ref5","claim","missing","_ref6","join","received","_ref7","definedValues","_ref8","_flatNamespaces$find","value","find","_ref9","name","_ref10","_","__","definition","reduce","acc","_ref11","names","_ref12","locale","undefinedValues","fromEntries","_ref13","_ref14","verifyAndParseCredentialMDoc","issuerConf","credential","credentialConfigurationId","_ref15","_parsedCredential$get","_parsedCredential$get2","credentialCryptoContext","decoded","credential_configurations_supported","parsedCredential","expirationDate","setDate","getDate","maybeIssuedAt","expiration","issuedAt"],"sourceRoot":"../../../../../src","sources":["credential/issuance/common/06-verify-and-parse-credential.mdoc.ts"],"mappings":"AAGA,SAASA,yBAAyB,QAAQ,yBAAyB;AACnE,SACEC,2BAA2B,EAC3BC,MAAM,IAAIC,UAAU,QACf,eAAe;AACtB,SAASC,sBAAsB,QAAQ,qBAAqB;AAC5D,SAASC,aAAa,QAAQ,uBAAuB;AAErD,SAASC,gBAAgB,QAAQ,oBAAoB;AAUrD;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,eAAeC,oBAAoBA,CACjCC,aAAqB,EACrBC,YAAoB,EACpBC,oBAAmC,EACH;EAChC,MAAM,CAACC,iBAAiB,EAAEC,gBAAgB,CAAC;EACzC;EACA,MAAMC,OAAO,CAACC,GAAG,CAAC,CAChBX,UAAU,CAACK,aAAa,EAAEC,YAAY,CAAC,EACvCC,oBAAoB,CAACK,YAAY,CAAC,CAAC,CACpC,CAAC;EAEJ,IAAI,CAACJ,iBAAiB,EAAE;IACtB,MAAM,IAAIN,aAAa,CAAC,4BAA4B,CAAC;EACvD;EAEA,MAAMW,GAAG,GACPL,iBAAiB,CAACM,YAAY,CAACC,UAAU,CAACC,OAAO,CAACC,aAAa,CAACC,SAAS;EAE3E,IAAI,EAAE,MAAMf,gBAAgB,CAACU,GAAG,EAAEJ,gBAA6B,CAAC,CAAC,EAAE;IACjE,MAAM,IAAIP,aAAa,CACpB,oFACH,CAAC;EACH;EAEA,OAAOM,iBAAiB;AAC1B;AAEA,MAAMW,mBAAmB,GAAG,SAAAA,CAE1BC,gBAAgC,EAAAC,IAAA,EAKX;EAAA,IAHrB;IAAEP;EAAoC,CAAC,GAAAO,IAAA;EAAA,IACvCC,uBAAgC,GAAAC,SAAA,CAAAC,MAAA,QAAAD,SAAA,QAAAE,SAAA,GAAAF,SAAA,MAAG,KAAK;EAAA,IACxCG,0BAAmC,GAAAH,SAAA,CAAAC,MAAA,QAAAD,SAAA,QAAAE,SAAA,GAAAF,SAAA,MAAG,KAAK;EAE3C,IAAI,CAACH,gBAAgB,EAAE;IACrB,MAAM,IAAIlB,aAAa,CAAC,6CAA6C,CAAC;EACxE;EAEA,IAAI,CAACkB,gBAAgB,CAACO,MAAM,EAAE;IAC5B,MAAM,IAAIzB,aAAa,CAAC,0CAA0C,CAAC;EACrE;EAEA,MAAM0B,eAAe,GAAGR,gBAAgB,CAACO,MAAM,CAACE,GAAG,CAEjDC,KAAA;IAAA,IAAC;MAAEC,IAAI,EAAE,CAACC,SAAS,EAAEC,SAAS,CAAC;MAAEC;IAAQ,CAAC,GAAAJ,KAAA;IAAA,OAAK,CAC/CE,SAAS,EACTC,SAAS,EACTC,OAAO,CACR;EAAA,EAAC;EAEF,IAAI,CAACpB,YAAY,CAACqB,UAAU,EAAE;IAC5B,MAAM,IAAIjC,aAAa,CAAC,kCAAkC,CAAC;EAC7D;EAEA,MAAMkC,cAAc,GAAGC,MAAM,CAACC,OAAO,CAACxB,YAAY,CAACqB,UAAU,CAAC,CAACI,OAAO,CACpEC,KAAA;IAAA,IAAC,CAACR,SAAS,EAAES,MAAM,CAAC,GAAAD,KAAA;IAAA,OAClBC,MAAM,CAACZ,GAAG,CAA4Ba,CAAC,IAAK,CAC1CV,SAAS,EACTU,CAAC,CAACC,iBAAiB,EACnBD,CAAC,CAACE,YAAY,CACf,CAAC;EAAA,CACN,CAAC;;EAED;EACA;EACA,MAAMC,qBAAqB,GAAGjB,eAAe,CAACkB,MAAM,CAClDC,KAAA;IAAA,IAAC,CAACC,gBAAgB,EAAEC,OAAO,CAAC,GAAAF,KAAA;IAAA,OAC1B,CAACX,cAAc,CAACc,IAAI,CAClBC,KAAA;MAAA,IAAC,CAACnB,SAAS,EAAEoB,KAAK,CAAC,GAAAD,KAAA;MAAA,OACjBH,gBAAgB,KAAKhB,SAAS,IAAIiB,OAAO,KAAKG,KAAK;IAAA,CACvD,CAAC;EAAA,CACL,CAAC;EAED,IAAIP,qBAAqB,CAACrB,MAAM,GAAG,CAAC,EAAE;IACpC,MAAM6B,OAAO,GAAGR,qBAAqB,CAClChB,GAAG,CAACyB,KAAA;MAAA,IAAC,GAAGL,OAAO,CAAC,GAAAK,KAAA;MAAA,OAAKL,OAAO;IAAA,EAAC,CAC7BM,IAAI,CAAC,IAAI,CAAC;IACb,MAAMC,QAAQ,GAAGpB,cAAc,CAACP,GAAG,CAAC4B,KAAA;MAAA,IAAC,GAAGR,OAAO,CAAC,GAAAQ,KAAA;MAAA,OAAKR,OAAO;IAAA,EAAC,CAACM,IAAI,CAAC,IAAI,CAAC;IAExE,IAAI,CAACjC,uBAAuB,EAAE;MAC5B,MAAM,IAAIpB,aAAa,CACpB,4DAA2DmD,OAAQ,iBAAgBG,QAAS,GAC/F,CAAC;IACH;EACF;;EAEA;EACA,MAAME,aAAa,GAAG9B;EACpB;EAAA,CACCC,GAAG,CACF8B,KAAA;IAAA,IAAAC,oBAAA;IAAA,IAAC,CAACZ,gBAAgB,EAAEC,OAAO,EAAEf,OAAO,CAAC,GAAAyB,KAAA;IAAA,OACnC,CACEX,gBAAgB,EAChBC,OAAO,EACP;MACEf,OAAO;MACP2B,KAAK,GAAAD,oBAAA,GAAExB,cAAc,CAAC0B,IAAI,CACxBC,KAAA;QAAA,IAAC,CAAC/B,SAAS,EAAEgC,IAAI,CAAC,GAAAD,KAAA;QAAA,OAChBf,gBAAgB,KAAKhB,SAAS,IAAIgC,IAAI,KAAKf,OAAO;MAAA,CACtD,CAAC,cAAAW,oBAAA,uBAHMA,oBAAA,CAGH,CAAC;IACP,CAAC,CACF;EAAA,CACL;EACA;EAAA,CACCd,MAAM,CAACmB,MAAA;IAAA,IAAC,CAACC,CAAC,EAAEC,EAAE,EAAEC,UAAU,CAAC,GAAAH,MAAA;IAAA,OAAKG,UAAU,CAACP,KAAK,KAAKpC,SAAS;EAAA;EAC/D;EACA;EAAA,CACC4C,MAAM,CACL,CAACC,GAAG,EAAAC,MAAA;IAAA,IAAE,CAACvB,gBAAgB,EAAEC,OAAO,EAAE;MAAEf,OAAO;MAAE2B;IAAM,CAAC,CAAC,GAAAU,MAAA;IAAA,OAAM;MACzD,GAAGD,GAAG;MACN,CAACxE,2BAA2B,CAACkD,gBAAgB,EAAEC,OAAO,CAAC,GAAG;QACxDY,KAAK;QACLG,IAAI,EAAE9B,OAAO,CAACmC,MAAM,CAClB,CAACG,KAAK,EAAAC,MAAA;UAAA,IAAE;YAAEC,MAAM;YAAEV;UAAK,CAAC,GAAAS,MAAA;UAAA,OAAM;YAC5B,GAAGD,KAAK;YACR,CAACE,MAAM,GAAGV;UACZ,CAAC;QAAA,CAAC,EACF,CAAC,CACH;MACF;IACF,CAAC;EAAA,CAAC,EACF,CAAC,CACH,CAAC;EAEH,IAAItC,0BAA0B,EAAE;IAC9B,MAAMiD,eAAiC,GAAGtC,MAAM,CAACuC,WAAW,CAC1DvC,MAAM,CAACI,MAAM,CAACL,cAAc,CAAC,CAC1BU,MAAM,CACL+B,MAAA;MAAA,IAAC,CAAC7C,SAAS,EAAEnB,GAAG,CAAC,GAAAgE,MAAA;MAAA,OACf,CAACnB,aAAa,CAAC5D,2BAA2B,CAACkC,SAAS,EAAEnB,GAAG,CAAC,CAAC;IAAA,CAC/D,CAAC,CACAgB,GAAG,CAACiD,MAAA;MAAA,IAAC,CAAC9C,SAAS,EAAEnB,GAAG,EAAEgD,KAAK,CAAC,GAAAiB,MAAA;MAAA,OAAK,CAChChF,2BAA2B,CAACkC,SAAS,EAAEnB,GAAG,CAAC,EAC3C;QAAEgD,KAAK;QAAEG,IAAI,EAAEnD;MAAI,CAAC,CACrB;IAAA,EACL,CAAC;IACD,OAAO;MACL,GAAG6C,aAAa;MAChB,GAAGiB;IACL,CAAC;EACH;EAEA,OAAOjB,aAAa;AACtB,CAAC;AAED,OAAO,MAAMqB,4BAAqE,GAChF,MAAAA,CACEC,UAAU,EACVC,UAAU,EACVC,yBAAyB,EAAAC,MAAA,EAEzB7E,YAAY,KACT;EAAA,IAAA8E,qBAAA,EAAAC,sBAAA;EAAA,IAFH;IAAEC,uBAAuB;IAAEhE;EAAwB,CAAC,GAAA6D,MAAA;EAGpD,IAAI,CAAC7E,YAAY,EAAE;IACjB,MAAM,IAAIJ,aAAa,CAAC,sBAAsB,CAAC;EACjD;EAEA,MAAMqF,OAAO,GAAG,MAAMnF,oBAAoB,CACxC6E,UAAU,EACV3E,YAAY,EACZgF,uBACF,CAAC;EAED,MAAMlE,gBAAgB,GACpB4D,UAAU,CAACQ,mCAAmC,CAC5CN,yBAAyB,CACzB;EACJ,MAAMO,gBAAgB,GAAGtE,mBAAmB,CAC1CC,gBAAgB,EAChBmE,OAAO,EACPjE,uBAAuB,EACvBA,uBACF,CAAC;EAED,MAAMoE,cAAc,GAAG7F,yBAAyB,CAC9C4F,gBAAgB,aAAhBA,gBAAgB,gBAAAL,qBAAA,GAAhBK,gBAAgB,CACd3F,2BAA2B,CAACG,sBAAsB,EAAE,aAAa,CAAC,CACnE,cAAAmF,qBAAA,uBAFDA,qBAAA,CAEGvB,KACL,CAAC;EACD,IAAI,CAAC6B,cAAc,EAAE;IACnB,MAAM,IAAIxF,aAAa,CAAE,kCAAiC,CAAC;EAC7D;EACAwF,cAAc,CAACC,OAAO,CAACD,cAAc,CAACE,OAAO,CAAC,CAAC,GAAG,CAAC,CAAC;EAEpD,MAAMC,aAAa,GAAGhG,yBAAyB,CAC7C4F,gBAAgB,aAAhBA,gBAAgB,gBAAAJ,sBAAA,GAAhBI,gBAAgB,CACd3F,2BAA2B,CAACG,sBAAsB,EAAE,YAAY,CAAC,CAClE,cAAAoF,sBAAA,uBAFDA,sBAAA,CAEGxB,KACL,CAAC;EACDgC,aAAa,aAAbA,aAAa,uBAAbA,aAAa,CAAEF,OAAO,CAACE,aAAa,CAACD,OAAO,CAAC,CAAC,GAAG,CAAC,CAAC;EAEnD,OAAO;IACLH,gBAAgB;IAChBR,UAAU;IACVC,yBAAyB;IACzBY,UAAU,EAAEJ,cAAc;IAC1BK,QAAQ,EAAEF,aAAa,IAAIpE;EAC7B,CAAC;AACH,CAAC"}

package/lib/module/credential/issuance/common/06-verify-and-parse-credential.sdjwt.js ADDED Viewed

@@ -0,0 +1,176 @@
+import { getJwkFromHeader, decode } from "@pagopa/io-react-native-jwt";
+import { SDJwtInstance } from "@sd-jwt/core";
+import { digest, ES256 } from "@sd-jwt/crypto-nodejs";
+import { isPathEqual, isPrefixOf } from "../../../utils/parser";
+import { IoWalletError } from "../../../utils/errors";
+import { LogLevel, Logger } from "../../../utils/logging";
+import { isSameThumbprint } from "../../../utils/jwk";
+/**
+ * Parse a Sd-Jwt credential according to the issuer configuration
+ * @param credentialConfig - the list of supported credentials, as defined in the issuer configuration with their claims metadata
+ * @param parsedCredentialRaw - the raw parsed credential
+ * @param ignoreMissingAttributes - skip error when attributes declared in the issuer configuration are not found within disclosures
+ * @param includeUndefinedAttributes - include attributes not explicitly declared in the issuer configuration
+ * @returns The parsed credential with attributes in plain value
+ */
+const parseCredentialSdJwt = function (credentialConfig, parsedCredentialRaw) {
+  let ignoreMissingAttributes = arguments.length > 2 && arguments[2] !== undefined ? arguments[2] : false;
+  let includeUndefinedAttributes = arguments.length > 3 && arguments[3] !== undefined ? arguments[3] : false;
+  const claimsMetadata = credentialConfig.claims || [];
+  // Check that all mandatory attributes defined in the issuer configuration are present in the credential
+  if (!ignoreMissingAttributes) {
+    const missingPaths = [];
+    const rootKeysToVerify = new Set(claimsMetadata.map(c => c.path[0]).filter(p => typeof p === "string"));
+    for (const rootKey of rootKeysToVerify) {
+      if (!(rootKey in parsedCredentialRaw)) {
+        missingPaths.push(rootKey);
+      }
+    }
+    if (missingPaths.length > 0) {
+      const missing = missingPaths.join(", ");
+      const received = Object.keys(parsedCredentialRaw).join(", ");
+      throw new IoWalletError(`Some attributes are missing in the credential. Missing: [${missing}], received: [${received}]`);
+    }
+  }
+  /**
+   * Helper to find display metadata for any given path
+   */
+  const getDisplayNames = path => {
+    const match = claimsMetadata.find(c => isPathEqual(c.path, path));
+    if (!match) return undefined;
+    const nameMap = {};
+    for (const entry of match.display) {
+      nameMap[entry.locale] = entry.name;
+    }
+    return nameMap;
+  };
+  /**
+   * Recursive function to build the localized structure
+   */
+  const processLevel = (currentData, currentPath) => {
+    // Handle Arrays
+    if (Array.isArray(currentData)) {
+      return currentData.map(item => processLevel(item, [...currentPath, null]));
+    }
+    // Handle Objects
+    if (typeof currentData !== "object" || currentData === null) {
+      return currentData;
+    }
+    const dataObj = currentData;
+    const result = {};
+    const processedKeys = new Set();
+    // Identify unique keys in config at this level
+    const configKeysAtThisLevel = [];
+    for (const claim of claimsMetadata) {
+      // Check if the claim path starts with the current path
+      if (isPrefixOf(currentPath, claim.path)) {
+        const nextPart = claim.path[currentPath.length];
+        if ((typeof nextPart === "string" || typeof nextPart === "number") && !configKeysAtThisLevel.includes(nextPart)) {
+          configKeysAtThisLevel.push(nextPart);
+        }
+      }
+    }
+    // Process keys
+    for (const key of configKeysAtThisLevel) {
+      const stringKey = key.toString();
+      const dataValue = dataObj[stringKey];
+      if (dataValue === undefined) continue;
+      const newPath = [...currentPath, key];
+      let localizedNames = getDisplayNames(newPath);
+      // Fallback for arrays
+      if (!localizedNames && Array.isArray(dataValue)) {
+        localizedNames = getDisplayNames([...newPath, null]);
+      }
+      result[stringKey] = {
+        name: localizedNames || stringKey,
+        value: processLevel(dataValue, newPath)
+      };
+      processedKeys.add(key);
+    }
+    // Handle Undefined Attributes
+    if (includeUndefinedAttributes) {
+      for (const [key, value] of Object.entries(dataObj)) {
+        if (!processedKeys.has(key)) {
+          result[key] = {
+            name: key,
+            value: value
+          };
+        }
+      }
+    }
+    return result;
+  };
+  return processLevel(parsedCredentialRaw, []);
+};
+/**
+ * Given a credential, verify it's in the supported format
+ * and the credential is correctly signed
+ * and it's bound to the given key
+ *
+ * @param rawCredential The received credential
+ * @param issuerKeys The set of public keys of the issuer,
+ * which will be used to verify the signature
+ * @param holderBindingContext The access to the holder's key
+ *
+ * @throws If the signature verification fails
+ * @throws If the credential is not in the SdJwt4VC format
+ * @throws If the holder binding is not properly configured
+ *
+ */
+async function verifyCredentialSdJwt(rawCredential, issuerKeys, holderBindingContext) {
+  const {
+    protectedHeader
+  } = decode(rawCredential);
+  const verifierJwk = getJwkFromHeader(protectedHeader, issuerKeys);
+  const sdJwtInstance = new SDJwtInstance({
+    hasher: digest,
+    verifier: await ES256.getVerifier(verifierJwk)
+  });
+  const [verifiedCredential, holderBindingKey] = await Promise.all([sdJwtInstance.verify(rawCredential), holderBindingContext.getPublicKey()]);
+  const {
+    cnf
+  } = verifiedCredential.payload;
+  if (!(await isSameThumbprint(cnf.jwk, holderBindingKey))) {
+    const message = `Failed to verify holder binding, expected kid: ${holderBindingKey.kid}, got: ${cnf.jwk.kid}`;
+    Logger.log(LogLevel.ERROR, message);
+    throw new IoWalletError(message);
+  }
+  return await sdJwtInstance.decode(rawCredential);
+}
+export const verifyAndParseCredentialSdJwt = async (issuerConf, credential, credentialConfigurationId, _ref) => {
+  let {
+    credentialCryptoContext,
+    ignoreMissingAttributes,
+    includeUndefinedAttributes
+  } = _ref;
+  const decoded = await verifyCredentialSdJwt(credential, issuerConf.keys, credentialCryptoContext);
+  Logger.log(LogLevel.DEBUG, `Decoded credential: ${JSON.stringify(decoded)}`);
+  const credentialConfig = issuerConf.credential_configurations_supported[credentialConfigurationId];
+  if (!credentialConfig) {
+    Logger.log(LogLevel.ERROR, `Credential type not supported by the issuer: ${credentialConfigurationId}`);
+    throw new IoWalletError("Credential type not supported by the issuer");
+  }
+  const parsedCredentialRaw = await decoded.getClaims(digest);
+  const parsedCredential = parseCredentialSdJwt(credentialConfig, parsedCredentialRaw, ignoreMissingAttributes, includeUndefinedAttributes);
+  const issuedAt = typeof parsedCredentialRaw.iat === "number" ? new Date(parsedCredentialRaw.iat * 1000) : undefined;
+  if (typeof parsedCredentialRaw.exp !== "number") {
+    throw new IoWalletError("Invalid or missing expiration claim (exp)");
+  }
+  const expiration = new Date(parsedCredentialRaw.exp * 1000);
+  Logger.log(LogLevel.DEBUG, `Parsed credential: ${JSON.stringify(parsedCredential)}\nIssued at: ${issuedAt}`);
+  return {
+    parsedCredential,
+    expiration,
+    issuedAt
+  };
+};
+//# sourceMappingURL=06-verify-and-parse-credential.sdjwt.js.map

package/lib/module/credential/issuance/common/06-verify-and-parse-credential.sdjwt.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"names":["getJwkFromHeader","decode","SDJwtInstance","digest","ES256","isPathEqual","isPrefixOf","IoWalletError","LogLevel","Logger","isSameThumbprint","parseCredentialSdJwt","credentialConfig","parsedCredentialRaw","ignoreMissingAttributes","arguments","length","undefined","includeUndefinedAttributes","claimsMetadata","claims","missingPaths","rootKeysToVerify","Set","map","c","path","filter","p","rootKey","push","missing","join","received","Object","keys","getDisplayNames","match","find","nameMap","entry","display","locale","name","processLevel","currentData","currentPath","Array","isArray","item","dataObj","result","processedKeys","configKeysAtThisLevel","claim","nextPart","includes","key","stringKey","toString","dataValue","newPath","localizedNames","value","add","entries","has","verifyCredentialSdJwt","rawCredential","issuerKeys","holderBindingContext","protectedHeader","verifierJwk","sdJwtInstance","hasher","verifier","getVerifier","verifiedCredential","holderBindingKey","Promise","all","verify","getPublicKey","cnf","payload","jwk","message","kid","log","ERROR","verifyAndParseCredentialSdJwt","issuerConf","credential","credentialConfigurationId","_ref","credentialCryptoContext","decoded","DEBUG","JSON","stringify","credential_configurations_supported","getClaims","parsedCredential","issuedAt","iat","Date","exp","expiration"],"sourceRoot":"../../../../../src","sources":["credential/issuance/common/06-verify-and-parse-credential.sdjwt.ts"],"mappings":"AAAA,SACEA,gBAAgB,EAEhBC,MAAM,QACD,6BAA6B;AACpC,SAAqBC,aAAa,QAAQ,cAAc;AACxD,SAASC,MAAM,EAAEC,KAAK,QAAQ,uBAAuB;AACrD,SAASC,WAAW,EAAEC,UAAU,QAAQ,uBAAuB;AAC/D,SAASC,aAAa,QAAQ,uBAAuB;AACrD,SAASC,QAAQ,EAAEC,MAAM,QAAQ,wBAAwB;AACzD,SAASC,gBAAgB,QAAkB,oBAAoB;AAO/D;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,MAAMC,oBAAoB,GAAG,SAAAA,CAC3BC,gBAAgC,EAChCC,mBAA4C,EAGvB;EAAA,IAFrBC,uBAAgC,GAAAC,SAAA,CAAAC,MAAA,QAAAD,SAAA,QAAAE,SAAA,GAAAF,SAAA,MAAG,KAAK;EAAA,IACxCG,0BAAmC,GAAAH,SAAA,CAAAC,MAAA,QAAAD,SAAA,QAAAE,SAAA,GAAAF,SAAA,MAAG,KAAK;EAE3C,MAAMI,cAAc,GAAGP,gBAAgB,CAACQ,MAAM,IAAI,EAAE;;EAEpD;EACA,IAAI,CAACN,uBAAuB,EAAE;IAC5B,MAAMO,YAAsB,GAAG,EAAE;IACjC,MAAMC,gBAAgB,GAAG,IAAIC,GAAG,CAC9BJ,cAAc,CACXK,GAAG,CAAEC,CAAC,IAAKA,CAAC,CAACC,IAAI,CAAC,CAAC,CAAC,CAAC,CACrBC,MAAM,CAAEC,CAAC,IAAkB,OAAOA,CAAC,KAAK,QAAQ,CACrD,CAAC;IAED,KAAK,MAAMC,OAAO,IAAIP,gBAAgB,EAAE;MACtC,IAAI,EAAEO,OAAO,IAAIhB,mBAAmB,CAAC,EAAE;QACrCQ,YAAY,CAACS,IAAI,CAACD,OAAO,CAAC;MAC5B;IACF;IAEA,IAAIR,YAAY,CAACL,MAAM,GAAG,CAAC,EAAE;MAC3B,MAAMe,OAAO,GAAGV,YAAY,CAACW,IAAI,CAAC,IAAI,CAAC;MACvC,MAAMC,QAAQ,GAAGC,MAAM,CAACC,IAAI,CAACtB,mBAAmB,CAAC,CAACmB,IAAI,CAAC,IAAI,CAAC;MAC5D,MAAM,IAAIzB,aAAa,CACpB,4DAA2DwB,OAAQ,iBAAgBE,QAAS,GAC/F,CAAC;IACH;EACF;;EAEA;AACF;AACA;EACE,MAAMG,eAAe,GACnBV,IAAgC,IACO;IACvC,MAAMW,KAAK,GAAGlB,cAAc,CAACmB,IAAI,CAAEb,CAAC,IAAKpB,WAAW,CAACoB,CAAC,CAACC,IAAI,EAAEA,IAAI,CAAC,CAAC;IACnE,IAAI,CAACW,KAAK,EAAE,OAAOpB,SAAS;IAE5B,MAAMsB,OAA+B,GAAG,CAAC,CAAC;IAC1C,KAAK,MAAMC,KAAK,IAAIH,KAAK,CAACI,OAAO,EAAE;MACjCF,OAAO,CAACC,KAAK,CAACE,MAAM,CAAC,GAAGF,KAAK,CAACG,IAAI;IACpC;IACA,OAAOJ,OAAO;EAChB,CAAC;;EAED;AACF;AACA;EACE,MAAMK,YAAY,GAAGA,CACnBC,WAAoB,EACpBC,WAAuC,KAC3B;IACZ;IACA,IAAIC,KAAK,CAACC,OAAO,CAACH,WAAW,CAAC,EAAE;MAC9B,OAAOA,WAAW,CAACrB,GAAG,CAAEyB,IAAI,IAC1BL,YAAY,CAACK,IAAI,EAAE,CAAC,GAAGH,WAAW,EAAE,IAAI,CAAC,CAC3C,CAAC;IACH;;IAEA;IACA,IAAI,OAAOD,WAAW,KAAK,QAAQ,IAAIA,WAAW,KAAK,IAAI,EAAE;MAC3D,OAAOA,WAAW;IACpB;IAEA,MAAMK,OAAO,GAAGL,WAAsC;IACtD,MAAMM,MAAwB,GAAG,CAAC,CAAC;IACnC,MAAMC,aAAa,GAAG,IAAI7B,GAAG,CAAkB,CAAC;;IAEhD;IACA,MAAM8B,qBAA0C,GAAG,EAAE;IACrD,KAAK,MAAMC,KAAK,IAAInC,cAAc,EAAE;MAClC;MACA,IAAIb,UAAU,CAACwC,WAAW,EAAEQ,KAAK,CAAC5B,IAAI,CAAC,EAAE;QACvC,MAAM6B,QAAQ,GAAGD,KAAK,CAAC5B,IAAI,CAACoB,WAAW,CAAC9B,MAAM,CAAC;QAC/C,IACE,CAAC,OAAOuC,QAAQ,KAAK,QAAQ,IAAI,OAAOA,QAAQ,KAAK,QAAQ,KAC7D,CAACF,qBAAqB,CAACG,QAAQ,CAACD,QAAQ,CAAC,EACzC;UACAF,qBAAqB,CAACvB,IAAI,CAACyB,QAAQ,CAAC;QACtC;MACF;IACF;;IAEA;IACA,KAAK,MAAME,GAAG,IAAIJ,qBAAqB,EAAE;MACvC,MAAMK,SAAS,GAAGD,GAAG,CAACE,QAAQ,CAAC,CAAC;MAChC,MAAMC,SAAS,GAAGV,OAAO,CAACQ,SAAS,CAAC;MACpC,IAAIE,SAAS,KAAK3C,SAAS,EAAE;MAE7B,MAAM4C,OAAO,GAAG,CAAC,GAAGf,WAAW,EAAEW,GAAG,CAAC;MAErC,IAAIK,cAAc,GAAG1B,eAAe,CAACyB,OAAO,CAAC;;MAE7C;MACA,IAAI,CAACC,cAAc,IAAIf,KAAK,CAACC,OAAO,CAACY,SAAS,CAAC,EAAE;QAC/CE,cAAc,GAAG1B,eAAe,CAAC,CAAC,GAAGyB,OAAO,EAAE,IAAI,CAAC,CAAC;MACtD;MAEAV,MAAM,CAACO,SAAS,CAAC,GAAG;QAClBf,IAAI,EAAEmB,cAAc,IAAIJ,SAAS;QACjCK,KAAK,EAAEnB,YAAY,CAACgB,SAAS,EAAEC,OAAO;MACxC,CAAC;MAEDT,aAAa,CAACY,GAAG,CAACP,GAAG,CAAC;IACxB;;IAEA;IACA,IAAIvC,0BAA0B,EAAE;MAC9B,KAAK,MAAM,CAACuC,GAAG,EAAEM,KAAK,CAAC,IAAI7B,MAAM,CAAC+B,OAAO,CAACf,OAAO,CAAC,EAAE;QAClD,IAAI,CAACE,aAAa,CAACc,GAAG,CAACT,GAAG,CAAC,EAAE;UAC3BN,MAAM,CAACM,GAAG,CAAC,GAAG;YACZd,IAAI,EAAEc,GAAG;YACTM,KAAK,EAAEA;UACT,CAAC;QACH;MACF;IACF;IAEA,OAAOZ,MAAM;EACf,CAAC;EAED,OAAOP,YAAY,CAAC/B,mBAAmB,EAAE,EAAE,CAAC;AAC9C,CAAC;;AAED;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,eAAesD,qBAAqBA,CAClCC,aAAqB,EACrBC,UAAiB,EACjBC,oBAAmC,EACnB;EAChB,MAAM;IAAEC;EAAgB,CAAC,GAAGtE,MAAM,CAACmE,aAAa,CAAC;EACjD,MAAMI,WAAW,GAAGxE,gBAAgB,CAACuE,eAAe,EAAEF,UAAU,CAAC;EAEjE,MAAMI,aAAa,GAAG,IAAIvE,aAAa,CAAC;IACtCwE,MAAM,EAAEvE,MAAM;IACdwE,QAAQ,EAAE,MAAMvE,KAAK,CAACwE,WAAW,CAACJ,WAAW;EAC/C,CAAC,CAAC;EAEF,MAAM,CAACK,kBAAkB,EAAEC,gBAAgB,CAAC,GAAG,MAAMC,OAAO,CAACC,GAAG,CAAC,CAC/DP,aAAa,CAACQ,MAAM,CAACb,aAAa,CAAC,EACnCE,oBAAoB,CAACY,YAAY,CAAC,CAAC,CACpC,CAAC;EAEF,MAAM;IAAEC;EAAI,CAAC,GAAGN,kBAAkB,CAACO,OAAkC;EACrE,IAAI,EAAE,MAAM1E,gBAAgB,CAACyE,GAAG,CAACE,GAAG,EAAEP,gBAAuB,CAAC,CAAC,EAAE;IAC/D,MAAMQ,OAAO,GAAI,kDAAiDR,gBAAgB,CAACS,GAAI,UAASJ,GAAG,CAACE,GAAG,CAACE,GAAI,EAAC;IAC7G9E,MAAM,CAAC+E,GAAG,CAAChF,QAAQ,CAACiF,KAAK,EAAEH,OAAO,CAAC;IACnC,MAAM,IAAI/E,aAAa,CAAC+E,OAAO,CAAC;EAClC;EAEA,OAAO,MAAMb,aAAa,CAACxE,MAAM,CAACmE,aAAa,CAAC;AAClD;AAEA,OAAO,MAAMsB,6BAAsE,GACjF,MAAAA,CACEC,UAAU,EACVC,UAAU,EACVC,yBAAyB,EAAAC,IAAA,KAMtB;EAAA,IALH;IACEC,uBAAuB;IACvBjF,uBAAuB;IACvBI;EACF,CAAC,GAAA4E,IAAA;EAED,MAAME,OAAO,GAAG,MAAM7B,qBAAqB,CACzCyB,UAAU,EACVD,UAAU,CAACxD,IAAI,EACf4D,uBACF,CAAC;EAEDtF,MAAM,CAAC+E,GAAG,CACRhF,QAAQ,CAACyF,KAAK,EACb,uBAAsBC,IAAI,CAACC,SAAS,CAACH,OAAO,CAAE,EACjD,CAAC;EAED,MAAMpF,gBAAgB,GACpB+E,UAAU,CAACS,mCAAmC,CAACP,yBAAyB,CAAC;EAE3E,IAAI,CAACjF,gBAAgB,EAAE;IACrBH,MAAM,CAAC+E,GAAG,CACRhF,QAAQ,CAACiF,KAAK,EACb,gDAA+CI,yBAA0B,EAC5E,CAAC;IACD,MAAM,IAAItF,aAAa,CAAC,6CAA6C,CAAC;EACxE;EAEA,MAAMM,mBAAmB,GAAI,MAAMmF,OAAO,CAACK,SAAS,CAAClG,MAAM,CAG1D;EAED,MAAMmG,gBAAgB,GAAG3F,oBAAoB,CAC3CC,gBAAgB,EAChBC,mBAAmB,EACnBC,uBAAuB,EACvBI,0BACF,CAAC;EAED,MAAMqF,QAAQ,GACZ,OAAO1F,mBAAmB,CAAC2F,GAAG,KAAK,QAAQ,GACvC,IAAIC,IAAI,CAAC5F,mBAAmB,CAAC2F,GAAG,GAAG,IAAI,CAAC,GACxCvF,SAAS;EAEf,IAAI,OAAOJ,mBAAmB,CAAC6F,GAAG,KAAK,QAAQ,EAAE;IAC/C,MAAM,IAAInG,aAAa,CAAC,2CAA2C,CAAC;EACtE;EACA,MAAMoG,UAAU,GAAG,IAAIF,IAAI,CAAC5F,mBAAmB,CAAC6F,GAAG,GAAG,IAAI,CAAC;EAE3DjG,MAAM,CAAC+E,GAAG,CACRhF,QAAQ,CAACyF,KAAK,EACb,sBAAqBC,IAAI,CAACC,SAAS,CAACG,gBAAgB,CAAE,gBAAeC,QAAS,EACjF,CAAC;EAED,OAAO;IACLD,gBAAgB;IAChBK,UAAU;IACVJ;EACF,CAAC;AACH,CAAC"}

package/lib/module/credential/issuance/common/authorization.js ADDED Viewed

@@ -0,0 +1,48 @@
+import { IoWalletError } from "../../../utils/errors";
+import { LogLevel, Logger } from "../../../utils/logging";
+/**
+ * Ensures that the credential type requested is supported by the issuer and contained in the
+ * issuer configuration.
+ * @param issuerConf The issuer configuration returned by {@link evaluateIssuerTrust}
+ * @param credentialId The credential configuration ID to be requested;
+ * @returns The credential definition to be used in the request which includes the format and the type and its type
+ */
+export const selectCredentialDefinition = (issuerConf, credentialId) => {
+  const credential_configurations_supported = issuerConf.credential_configurations_supported;
+  const [result] = Object.keys(credential_configurations_supported).filter(e => e.includes(credentialId)).map(() => ({
+    credential_configuration_id: credentialId,
+    type: "openid_credential"
+  }));
+  if (!result) {
+    Logger.log(LogLevel.ERROR, `Requested credential ${credentialId} is not supported by the issuer according to its configuration ${JSON.stringify(credential_configurations_supported)}`);
+    throw new IoWalletError(`No credential support the type '${credentialId}'`);
+  }
+  return result;
+};
+/**
+ * Ensures that the response mode requested is supported by the issuer and contained in the issuer configuration.
+ * When multiple credentials are provided, all of them must support the same response_mode.
+ * @param issuerConf The issuer configuration
+ * @param credentialIds The credential configuration IDs to be requested
+ * @returns The response mode to be used in the request, "query" for PersonIdentificationData and "form_post.jwt" for all other types.
+ */
+export const selectResponseMode = (issuerConf, credentialIds) => {
+  const responseModeSet = new Set();
+  for (const credentialId of credentialIds) {
+    responseModeSet.add(credentialId.match(/PersonIdentificationData/i) ? "query" : "form_post.jwt");
+  }
+  if (responseModeSet.size !== 1) {
+    Logger.log(LogLevel.ERROR, `${credentialIds} have incompatible response_mode: ${[...responseModeSet.values()]}`);
+    throw new IoWalletError("Requested credentials have incompatible response_mode and cannot be requested with the same PAR request");
+  }
+  const [responseMode] = responseModeSet.values();
+  Logger.log(LogLevel.DEBUG, `Selected response mode ${responseMode} for credential IDs ${credentialIds}`);
+  const responseModeSupported = issuerConf.response_modes_supported;
+  if (responseModeSupported && !responseModeSupported.includes(responseMode)) {
+    Logger.log(LogLevel.ERROR, `Requested response mode ${responseMode} is not supported by the issuer according to its configuration ${JSON.stringify(responseModeSupported)}`);
+    throw new IoWalletError(`No response mode support for IDs '${credentialIds}'`);
+  }
+  return responseMode;
+};
+//# sourceMappingURL=authorization.js.map

package/lib/module/credential/issuance/common/authorization.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"names":["IoWalletError","LogLevel","Logger","selectCredentialDefinition","issuerConf","credentialId","credential_configurations_supported","result","Object","keys","filter","e","includes","map","credential_configuration_id","type","log","ERROR","JSON","stringify","selectResponseMode","credentialIds","responseModeSet","Set","add","match","size","values","responseMode","DEBUG","responseModeSupported","response_modes_supported"],"sourceRoot":"../../../../../src","sources":["credential/issuance/common/authorization.ts"],"mappings":"AAAA,SAASA,aAAa,QAAQ,uBAAuB;AACrD,SAASC,QAAQ,EAAEC,MAAM,QAAQ,wBAAwB;AAMzD;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,MAAMC,0BAA0B,GAAGA,CACxCC,UAAwB,EACxBC,YAAoB,KACI;EACxB,MAAMC,mCAAmC,GACvCF,UAAU,CAACE,mCAAmC;EAEhD,MAAM,CAACC,MAAM,CAAC,GAAGC,MAAM,CAACC,IAAI,CAACH,mCAAmC,CAAC,CAC9DI,MAAM,CAAEC,CAAC,IAAKA,CAAC,CAACC,QAAQ,CAACP,YAAY,CAAC,CAAC,CACvCQ,GAAG,CAAC,OAAO;IACVC,2BAA2B,EAAET,YAAY;IACzCU,IAAI,EAAE;EACR,CAAC,CAAC,CAAC;EAEL,IAAI,CAACR,MAAM,EAAE;IACXL,MAAM,CAACc,GAAG,CACRf,QAAQ,CAACgB,KAAK,EACb,wBAAuBZ,YAAa,kEAAiEa,IAAI,CAACC,SAAS,CAACb,mCAAmC,CAAE,EAC5J,CAAC;IACD,MAAM,IAAIN,aAAa,CAAE,mCAAkCK,YAAa,GAAE,CAAC;EAC7E;EACA,OAAOE,MAAM;AACf,CAAC;;AAED;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,MAAMa,kBAAkB,GAAGA,CAChChB,UAAwB,EACxBiB,aAAuB,KACN;EACjB,MAAMC,eAAe,GAAG,IAAIC,GAAG,CAAe,CAAC;EAE/C,KAAK,MAAMlB,YAAY,IAAIgB,aAAa,EAAE;IACxCC,eAAe,CAACE,GAAG,CACjBnB,YAAY,CAACoB,KAAK,CAAC,2BAA2B,CAAC,GAC3C,OAAO,GACP,eACN,CAAC;EACH;EAEA,IAAIH,eAAe,CAACI,IAAI,KAAK,CAAC,EAAE;IAC9BxB,MAAM,CAACc,GAAG,CACRf,QAAQ,CAACgB,KAAK,EACb,GAAEI,aAAc,qCAAoC,CAAC,GAAGC,eAAe,CAACK,MAAM,CAAC,CAAC,CAAE,EACrF,CAAC;IACD,MAAM,IAAI3B,aAAa,CACrB,yGACF,CAAC;EACH;EAEA,MAAM,CAAC4B,YAAY,CAAC,GAAGN,eAAe,CAACK,MAAM,CAAC,CAAC;EAE/CzB,MAAM,CAACc,GAAG,CACRf,QAAQ,CAAC4B,KAAK,EACb,0BAAyBD,YAAa,uBAAsBP,aAAc,EAC7E,CAAC;EAED,MAAMS,qBAAqB,GAAG1B,UAAU,CAAC2B,wBAAwB;EACjE,IAAID,qBAAqB,IAAI,CAACA,qBAAqB,CAAClB,QAAQ,CAACgB,YAAa,CAAC,EAAE;IAC3E1B,MAAM,CAACc,GAAG,CACRf,QAAQ,CAACgB,KAAK,EACb,2BAA0BW,YAAa,kEAAiEV,IAAI,CAACC,SAAS,CAACW,qBAAqB,CAAE,EACjJ,CAAC;IACD,MAAM,IAAI9B,aAAa,CACpB,qCAAoCqB,aAAc,GACrD,CAAC;EACH;EAEA,OAAOO,YAAY;AACrB,CAAC"}

package/lib/module/credential/issuance/common/errors.js ADDED Viewed

@@ -0,0 +1,28 @@
+import { IoWalletError, serializeAttrs } from "../../../utils/errors";
+/**
+ * An error subclass thrown when an error occurs during the authorization process.
+ */
+export class AuthorizationError extends IoWalletError {
+  code = "ERR_IO_WALLET_AUTHORIZATION_ERROR";
+  constructor(message) {
+    super(message);
+  }
+}
+/**
+ * An error subclass thrown when an error occurs during the authorization process with the IDP.
+ * It contains the error and error description returned by the IDP.
+ */
+export class AuthorizationIdpError extends IoWalletError {
+  code = "ERR_IO_WALLET_IDENTIFICATION_RESPONSE_PARSING_FAILED";
+  constructor(error, errorDescription) {
+    super(serializeAttrs({
+      error,
+      errorDescription
+    }));
+    this.error = error;
+    this.errorDescription = errorDescription;
+  }
+}
+//# sourceMappingURL=errors.js.map

package/lib/module/credential/issuance/common/errors.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"names":["IoWalletError","serializeAttrs","AuthorizationError","code","constructor","message","AuthorizationIdpError","error","errorDescription"],"sourceRoot":"../../../../../src","sources":["credential/issuance/common/errors.ts"],"mappings":"AAAA,SAASA,aAAa,EAAEC,cAAc,QAAQ,uBAAuB;;AAErE;AACA;AACA;AACA,OAAO,MAAMC,kBAAkB,SAASF,aAAa,CAAC;EACpDG,IAAI,GAAG,mCAAmC;EAE1CC,WAAWA,CAACC,OAAgB,EAAE;IAC5B,KAAK,CAACA,OAAO,CAAC;EAChB;AACF;;AAEA;AACA;AACA;AACA;AACA,OAAO,MAAMC,qBAAqB,SAASN,aAAa,CAAC;EACvDG,IAAI,GAAG,sDAAsD;EAK7DC,WAAWA,CAACG,KAAa,EAAEC,gBAAyB,EAAE;IACpD,KAAK,CAACP,cAAc,CAAC;MAAEM,KAAK;MAAEC;IAAiB,CAAC,CAAC,CAAC;IAClD,IAAI,CAACD,KAAK,GAAGA,KAAK;IAClB,IAAI,CAACC,gBAAgB,GAAGA,gBAAgB;EAC1C;AACF"}

package/lib/module/credential/issuance/index.js CHANGED Viewed

@@ -1,10 +1,5 @@
-import { evaluateIssuerTrust } from "./02-evaluate-issuer-trust";
-import { startUserAuthorization } from "./03-start-user-authorization";
-import { continueUserAuthorizationWithMRTDPoPChallenge, completeUserAuthorizationWithQueryMode, completeUserAuthorizationWithFormPostJwtMode, parseAuthorizationResponse, buildAuthorizationUrl, getRequestedCredentialToBePresented } from "./04-complete-user-authorization";
-import { authorizeAccess } from "./05-authorize-access";
-import { obtainCredential } from "./06-obtain-credential";
-import { verifyAndParseCredential } from "./07-verify-and-parse-credential";
-import * as Errors from "./errors";
-import * as MRTDPoP from "./mrtd-pop";
-export { MRTDPoP, evaluateIssuerTrust, startUserAuthorization, buildAuthorizationUrl, completeUserAuthorizationWithQueryMode, continueUserAuthorizationWithMRTDPoPChallenge, getRequestedCredentialToBePresented, completeUserAuthorizationWithFormPostJwtMode, authorizeAccess, obtainCredential, verifyAndParseCredential, parseAuthorizationResponse, Errors };
+import * as Errors from "./common/errors";
+export { Errors };
+export { Issuance as V1_0_0 } from "./v1.0.0";
+export { Issuance as V1_3_3 } from "./v1.3.3";
 //# sourceMappingURL=index.js.map

package/lib/module/credential/issuance/index.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"names":["~~evaluateIssuerTrust~~","~~startUserAuthorization~~","~~continueUserAuthorizationWithMRTDPoPChallenge~~","~~completeUserAuthorizationWithQueryMode~~","completeUserAuthorizationWithFormPostJwtMode","parseAuthorizationResponse","buildAuthorizationUrl","getRequestedCredentialToBePresented","authorizeAccess","obtainCredential","verifyAndParseCredential","Errors","MRTDPoP"],"sourceRoot":"../../../../src","sources":["credential/issuance/index.ts"],"mappings":"~~AACA~~,~~SACEA~~,~~mBAAmB~~,~~QAEd~~,~~4BAA4B;AACnC~~,~~SACEC,sBAAsB,QAEjB,+BAA+B~~;~~AACtC~~,~~SACEC~~,~~6CAA6C,EAC7CC,sCAAsC,EACtCC,4CAA4C,EAC5CC,0BAA0B,EAC1BC,qBAAqB,EACrBC,mCAAmC,QAM9B,kCAAkC~~;~~AACzC~~,SAASC,~~eAAe~~,~~QAA8B~~,~~uBAAuB;AAC7E,SACEC,gBAAgB,QAEX,wBAAwB;AAC/B,SACEC,wBAAwB,QAEnB,kCAAkC;AACzC,OAAO,KAAKC,~~MAAM,~~MAAM~~,UAAU;~~AAClC~~,~~OAAO~~,~~KAAKC~~,~~OAAO~~,MAAM,~~YAAY;AAErC~~,~~SACEA,OAAO,EACPZ,mBAAmB,EACnBC,sBAAsB,EACtBK,qBAAqB,EACrBH,sCAAsC,EACtCD,6CAA6C,EAC7CK,mCAAmC,EACnCH,4CAA4C,EAC5CI,eAAe,EACfC,gBAAgB,EAChBC,wBAAwB,EACxBL,0BAA0B,EAC1BM,MAAM~~"}
1	+ {"version":3,"names":["Errors","Issuance","V1_0_0","V1_3_3"],"sourceRoot":"../../../../src","sources":["credential/issuance/index.ts"],"mappings":"AAAA,OAAO,KAAKA,MAAM,MAAM,iBAAiB;AACzC,SAASA,MAAM;AAEf,SAASC,QAAQ,IAAIC,MAAM,QAAQ,UAAU;AAC7C,SAASD,QAAQ,IAAIE,MAAM,QAAQ,UAAU"}

package/lib/module/credential/issuance/mrtd-pop/01-verify-and-parse-challenge-info.js CHANGED Viewed

@@ -1,50 +1,21 @@
-import { decode as decodeJwt, verify as verifyJwt } from "@pagopa/io-react-native-jwt";
-import { MrtdProofChallengeInfo } from "./types";
+import { verifyMrtdChallenge } from "@pagopa/io-wallet-oauth2";
 import { IoWalletError } from "../../../utils/errors";
-/**
- * Verifies and parses the payload of a MRTD Proof Challenge Info JWT obtained after the primary authentication.
- *
- * This function performs the following steps:
- * 1. Validates the JWT signature using the issuer's JWKS.
- * 2. Decodes the JWT and parses its structure according to the {@link MrtdProofChallengeInfo} schema.
- * 3. Verifies that the `aud` claim matches the client's public key ID.
- * 4. Checks that the JWT is not expired and was not issued in the future.
- *
- * @param issuerConf - The issuer configuration containing the JWKS for signature verification.
- * @param challengeInfoJwt - The JWT string representing the MRTD Proof Challenge Info.
- * @param context - The context containing the WIA crypto context used to retrieve the client public key.
- * @returns The parsed payload of the MRTD Proof Challenge Info JWT.
- * @throws {Error} If the JWT signature is invalid, the structure is malformed, the `aud` claim does not match,
- * or the JWT is expired/not yet valid.
- */
+import { createVerifyJwtFromJwks } from "../../../utils/callbacks";
 export const verifyAndParseChallengeInfo = async (issuerConf, challengeInfoJwt, _ref) => {
   let {
     wiaCryptoContext
   } = _ref;
-  // Verify JWT signature
-  await verifyJwt(challengeInfoJwt, issuerConf.oauth_authorization_server.jwks.keys);
-  // Decode JWT
-  const challengeInfoDecoded = decodeJwt(challengeInfoJwt);
-  // Parse and validate structure
-  const challengeInfoParsed = MrtdProofChallengeInfo.safeParse(challengeInfoDecoded);
-  if (!challengeInfoParsed.success) {
-    throw new IoWalletError("Malformed challenge info.");
+  const clientId = await wiaCryptoContext.getPublicKey().then(x => x.kid);
+  if (!clientId) {
+    throw new IoWalletError("Could not extract client_id from Wallet Attestation");
   }
-  const payload = challengeInfoParsed.data.payload;
-  // Verify aud claim
-  const clientId = await wiaCryptoContext.getPublicKey().then(_ => _.kid);
-  if (payload.aud !== clientId) {
-    throw new IoWalletError("aud claim does not match client_id.");
-  }
-  // Verify iat and exp
-  const now = Math.floor(Date.now() / 1000);
-  if (payload.iat > now || payload.exp < now) {
-    throw new IoWalletError("JWT is not valid (issued in future or expired).");
-  }
-  return payload;
+  const verified = await verifyMrtdChallenge({
+    challengeJwt: challengeInfoJwt,
+    clientId,
+    callbacks: {
+      verifyJwt: createVerifyJwtFromJwks(issuerConf.keys)
+    }
+  });
+  return verified.payload;
 };
 //# sourceMappingURL=01-verify-and-parse-challenge-info.js.map

package/lib/module/credential/issuance/mrtd-pop/01-verify-and-parse-challenge-info.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"names":["~~decode~~","~~decodeJwt~~","~~verify~~","~~verifyJwt","MrtdProofChallengeInfo","IoWalletError","~~verifyAndParseChallengeInfo","issuerConf","challengeInfoJwt","_ref","wiaCryptoContext","~~oauth_authorization_server","jwks","keys","challengeInfoDecoded","challengeInfoParsed","safeParse","success","payload","data","~~clientId","getPublicKey","then","_","kid","~~aud~~","~~now~~","~~Math~~","~~floor~~","~~Date~~","~~iat~~"~~,"exp"~~],"sourceRoot":"../../../../../src","sources":["credential/issuance/mrtd-pop/01-verify-and-parse-challenge-info.ts"],"mappings":"AAAA,~~SACEA~~,~~MAAM~~,~~IAAIC~~,~~SAAS,EACnBC,MAAM,IAAIC,SAAS,QAEd,6BAA6B~~;~~AACpC~~,SAASC,~~sBAAsB~~,QAAQ,~~SAAS~~;~~AAGhD~~,SAASC,~~aAAa~~,QAAQ,~~uBAAuB~~;~~AAUrD;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA~~,OAAO,MAAMC,~~2BAAwD~~,~~GAAG~~,MAAAA,~~CACtEC~~,UAAU,~~EACVC~~,~~gBAAwB~~,EAAAC,IAAA,~~KAErB~~;EAAA,~~IADH~~;IAAEC;EAAiB,CAAC,GAAAD,IAAA;~~EAEpB;EACA~~,MAAMN,SAAS,CACbK,gBAAgB,EAChBD,UAAU,CAACI,0BAA0B,CAACC,IAAI,CAACC,IAC7C,CAAC;;EAED;EACA,MAAMC,oBAAoB,GAAGb,SAAS,CAACO,gBAAgB,CAAC;;EAExD;EACA,MAAMO,mBAAmB,GACvBX,sBAAsB,CAACY,SAAS,CAACF,oBAAoB,CAAC;EACxD,IAAI,CAACC,mBAAmB,CAACE,OAAO,EAAE;IAChC,MAAM,IAAIZ,aAAa,CAAC,2BAA2B,CAAC;EACtD;EACA,MAAMa,OAAO,GAAGH,mBAAmB,CAACI,IAAI,CAACD,OAAO;;EAEhD;EACA,MAAME,QAAQ,GAAG,~~MAAMV~~,gBAAgB,~~CAACW~~,YAAY,CAAC,CAAC,CAACC,IAAI,CAAEC,CAAC,IAAKA,CAAC,CAACC,GAAG,CAAC;~~EACzE~~,~~IAAIN~~,~~OAAO~~,~~CAACO,GAAG,KAAKL,~~QAAQ,EAAE;~~IAC5B~~,MAAM,~~IAAIf~~,aAAa,~~CAAC~~,~~qCAAqC~~,CAAC;~~EAChE;;~~EAEA~~;EACA~~,~~MAAMqB~~,GAAG,~~GAAGC~~,~~IAAI~~,~~CAACC,KAAK,CAACC,IAAI,CAACH,GAAG,~~CAAC,~~CAAC~~,~~GAAG~~,~~IAAI~~,~~CAAC~~;~~EACzC~~,~~IAAIR~~,~~OAAO~~,~~CAACY~~,~~GAAG~~,~~GAAGJ~~,~~GAAG~~,~~IAAIR~~,~~OAAO,~~CAACa,~~GAAG,GAAGL,GAAG,EAAE~~;~~IAC1C~~,~~MAAM,IAAIrB,aAAa,~~CAAC,~~iDAAiD,~~CAAC;~~EAC5E;EAEA~~,~~OAAOa~~,OAAO;~~AAChB~~,CAAC"}
1	+ {"version":3,"names":["verifyMrtdChallenge","IoWalletError","createVerifyJwtFromJwks","verifyAndParseChallengeInfo","issuerConf","challengeInfoJwt","_ref","wiaCryptoContext","clientId","getPublicKey","then","x","kid","verified","challengeJwt","callbacks","verifyJwt","keys","payload"],"sourceRoot":"../../../../../src","sources":["credential/issuance/mrtd-pop/01-verify-and-parse-challenge-info.ts"],"mappings":"AAAA,SAASA,mBAAmB,QAAQ,0BAA0B;AAC9D,SAASC,aAAa,QAAQ,uBAAuB;AACrD,SAASC,uBAAuB,QAAQ,0BAA0B;AAGlE,OAAO,MAAMC,2BAAsE,GACjF,MAAAA,CAAOC,UAAU,EAAEC,gBAAgB,EAAAC,IAAA,KAA2B;EAAA,IAAzB;IAAEC;EAAiB,CAAC,GAAAD,IAAA;EACvD,MAAME,QAAQ,GAAG,MAAMD,gBAAgB,CAACE,YAAY,CAAC,CAAC,CAACC,IAAI,CAAEC,CAAC,IAAKA,CAAC,CAACC,GAAG,CAAC;EAEzE,IAAI,CAACJ,QAAQ,EAAE;IACb,MAAM,IAAIP,aAAa,CACrB,qDACF,CAAC;EACH;EAEA,MAAMY,QAAQ,GAAG,MAAMb,mBAAmB,CAAC;IACzCc,YAAY,EAAET,gBAAgB;IAC9BG,QAAQ;IACRO,SAAS,EAAE;MACTC,SAAS,EAAEd,uBAAuB,CAACE,UAAU,CAACa,IAAI;IACpD;EACF,CAAC,CAAC;EAEF,OAAOJ,QAAQ,CAACK,OAAO;AACzB,CAAC"}

package/lib/module/credential/issuance/mrtd-pop/02-init-challenge.js CHANGED Viewed

@@ -1,58 +1,44 @@
-import { hasStatusOrThrow } from "../../../utils/misc";
 import { v4 as uuidv4 } from "uuid";
+import { fetchMrtdPopInit } from "@pagopa/io-wallet-oauth2";
+import { UnexpectedStatusCodeError as SdkUnexpectedStatusCodeError } from "@pagopa/io-wallet-utils";
 import { createPopToken } from "../../../utils/pop";
 import { Logger, LogLevel } from "../../../utils/logging";
-import * as WalletInstanceAttestation from "../../../wallet-instance-attestation";
-import { IssuerResponseError, IssuerResponseErrorCodes, ResponseErrorBuilder, UnexpectedStatusCodeError } from "../../../utils/errors";
-import { decode as decodeJwt } from "@pagopa/io-react-native-jwt";
-import { MrtdPoPChallenge } from "./types";
-/**
- * Initialaizes the MRTD challenge with the data received from the issuer after the primary authentication.
- * This function must be called after {@link verifyAndParseChallengeInfo}.
- *
- * @param issuerConf - The issuer configuration containing the JWKS for signature verification.
- * @param initUrl - The endpoint to call to initialize the challenge.
- * @param mrtd_auth_session - Session identifier for session binding obtained from the MRTD Proof JWT.
- * @param mrtd_pop_jwt_nonce - Nonce value obtained from the MRTD Proof JWT.
- * @param context - The context containing the WIA crypto context used to retrieve the client public key,
- * the wallet instance attestation and an optional fetch implementation.
- * @returns The payload of the MRTD PoP Challenge JWT.
- */
+import * as WalletInstanceAttestation from "../../../wallet-instance-attestation/v1.0.0/utils"; // TODO: decouple from version 1.0.0
+import { IssuerResponseError, IssuerResponseErrorCodes, ResponseErrorBuilder } from "../../../utils/errors";
+import { createVerifyJwtFromJwks } from "../../../utils/callbacks";
 export const initChallenge = async (issuerConf, initUrl, mrtd_auth_session, mrtd_pop_jwt_nonce, context) => {
   const {
     appFetch = fetch,
     walletInstanceAttestation,
     wiaCryptoContext
   } = context;
-  const aud = issuerConf.openid_credential_issuer.credential_issuer;
   const iss = WalletInstanceAttestation.decode(walletInstanceAttestation).payload.cnf.jwk.kid;
   const signedWiaPoP = await createPopToken({
-    jti: `${uuidv4()}`,
-    aud,
+    jti: uuidv4(),
+    aud: issuerConf.credential_issuer,
     iss
   }, wiaCryptoContext);
-  const requestBody = {
-    mrtd_auth_session,
-    mrtd_pop_jwt_nonce
+  const initResult = await fetchMrtdPopInit({
+    popInitEndpoint: initUrl,
+    mrtdAuthSession: mrtd_auth_session,
+    mrtdPopJwtNonce: mrtd_pop_jwt_nonce,
+    walletAttestation: walletInstanceAttestation,
+    clientAttestationDPoP: signedWiaPoP,
+    callbacks: {
+      verifyJwt: createVerifyJwtFromJwks(issuerConf.keys),
+      fetch: appFetch
+    }
+  }).catch(handleInitChallengeError);
+  return {
+    challenge: initResult.challenge,
+    mrtd_pop_nonce: initResult.mrtdPopNonce,
+    pop_verify_endpoint: initResult.popVerifyEndpoint,
+    mrz: initResult.mrz
   };
-  const mrtdPoPChallengeJwt = await appFetch(initUrl, {
-    method: "POST",
-    headers: {
-      "Content-Type": "application/json",
-      "OAuth-Client-Attestation": walletInstanceAttestation,
-      "OAuth-Client-Attestation-PoP": signedWiaPoP
-    },
-    body: JSON.stringify(requestBody)
-  }).then(hasStatusOrThrow(202)).then(res => res.text()).catch(handleInitChallengeError);
-  const mrtdPoPChallengeDecoded = decodeJwt(mrtdPoPChallengeJwt);
-  const {
-    payload
-  } = MrtdPoPChallenge.parse(mrtdPoPChallengeDecoded);
-  return payload;
 };
 const handleInitChallengeError = e => {
   Logger.log(LogLevel.ERROR, `Failed to get MRTD challenge: ${e}`);
-  if (!(e instanceof UnexpectedStatusCodeError)) {
+  if (!(e instanceof SdkUnexpectedStatusCodeError)) {
     throw e;
   }
   throw new ResponseErrorBuilder(IssuerResponseError).handle("*", {

package/lib/module/credential/issuance/mrtd-pop/02-init-challenge.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"names":["~~hasStatusOrThrow","~~v4","uuidv4","~~createPopToken~~","~~Logger~~","~~LogLevel~~","~~WalletInstanceAttestation~~","~~IssuerResponseError~~","~~IssuerResponseErrorCodes~~","~~ResponseErrorBuilder~~","~~UnexpectedStatusCodeError~~","~~decode~~","~~decodeJwt~~","~~MrtdPoPChallenge~~","initChallenge","issuerConf","initUrl","mrtd_auth_session","mrtd_pop_jwt_nonce","context","appFetch","fetch","walletInstanceAttestation","wiaCryptoContext","~~aud~~","~~openid_credential_issuer~~","~~credential_issuer","iss","~~payload","cnf","jwk","kid","signedWiaPoP","jti","~~requestBody~~","~~mrtdPoPChallengeJwt~~","~~method~~","~~headers~~","~~body~~","~~JSON~~","~~stringify~~","~~then~~","~~res~~","~~text~~","catch","handleInitChallengeError","~~mrtdPoPChallengeDecoded~~","~~parse~~","e","log","ERROR","handle","code","MrtdChallengeInitRequestFailed","message","buildFrom"],"sourceRoot":"../../../../../src","sources":["credential/issuance/mrtd-pop/02-init-challenge.ts"],"mappings":"AAAA,SAASA,gBAAgB,~~QAAkB~~,~~qBAAqB~~;~~AAEhE~~,SAASC,~~EAAE~~,IAAIC,~~MAAM~~,QAAQ,~~MAAM~~;~~AACnC~~,SAASC,cAAc,QAAQ,oBAAoB;AACnD,SAASC,MAAM,EAAEC,QAAQ,QAAQ,wBAAwB;AACzD,OAAO,KAAKC,yBAAyB,MAAM,~~sCAAsC~~;~~AAEjF~~,SACEC,mBAAmB,EACnBC,wBAAwB,EACxBC,oBAAoB,~~EACpBC~~,~~yBAAyB,QACpB,~~uBAAuB;~~AAC9B~~,SAASC,~~MAAM~~,~~IAAIC,SAAS,~~QAAQ,~~6BAA6B~~;~~AACjE~~,~~SAASC,gBAAgB,QAAQ,SAAS;AAc1C;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,~~OAAO,MAAMC,~~aAA4B~~,GAAG,MAAAA,~~CAC1CC~~,UAAU,EACVC,OAAO,EACPC,iBAAiB,EACjBC,kBAAkB,EAClBC,OAAO,KACJ;EACH,MAAM;IACJC,QAAQ,GAAGC,KAAK;IAChBC,yBAAyB;IACzBC;EACF,CAAC,GAAGJ,OAAO;EAEX,MAAMK,GAAG,~~GAAGT~~,~~UAAU,CAACU,wBAAwB,CAACC,iBAAiB;EACjE,MAAMC,GAAG,GAAGrB,~~yBAAyB,~~CAACK~~,MAAM,~~CAACW~~,yBAAyB,CAAC,~~CACpEM~~,OAAO,CAACC,GAAG,CAACC,GAAG,CAACC,GAAG;EAEtB,MAAMC,YAAY,GAAG,~~MAAM7B~~,cAAc,CACvC;~~IACE8B~~,GAAG,~~EAAG~~,~~GAAE/B,~~MAAM,CAAC,~~CAAE,EAAC~~;~~IAClBsB~~,GAAG;~~IACHG~~;EACF,CAAC,~~EACDJ~~,gBACF,CAAC;EAED,MAAMW,~~WAAW~~,GAAG~~;IAClBjB~~,~~iBAAiB;IACjBC;EACF~~,CAAC;~~EAED~~,~~MAAMiB~~,~~mBAAmB~~,~~GAAG,MAAMf,QAAQ,CAACJ,~~OAAO~~,EAAE~~;~~IAClDoB~~,~~MAAM~~,~~EAAE~~,~~MAAM~~;~~IACdC~~,~~OAAO~~,~~EAAE;MACP~~,~~cAAc,EAAE,~~kBAAkB;~~MAClC~~,~~0BAA0B~~,~~EAAEf~~,yBAAyB;~~MACrD~~,~~8BAA8B~~,~~EAAEU;IAClC~~,~~CAAC~~;~~IACDM~~,~~IAAI~~,~~EAAEC~~,~~IAAI,CAACC,~~SAAS,~~CAACN~~,~~WAAW;EAClC~~,~~CAAC~~,~~CAAC~~,~~CACCO~~,IAAI,~~CAACzC,gBAAgB,~~CAAC,~~GAAG~~,~~CAAC~~,CAAC,~~CAC3ByC,IAAI,CAAEC,GAAG,IAAKA,GAAG,CAACC,IAAI,~~CAAC,~~CAAC~~,~~CAAC,CACzBC,~~KAAK,CAACC,wBAAwB,CAAC;EAElC,~~MAAMC~~,~~uBAAuB~~,~~GAAGlC~~,SAAS,~~CAACuB~~,~~mBAAmB~~,~~CAAC;EAC9D~~,~~MAAM~~;~~IAAEP;EAAQ~~,~~CAAC~~,~~GAAGf~~,~~gBAAgB~~,~~CAACkC~~,~~KAAK~~,~~CAACD~~,~~uBAAuB~~,~~CAAC~~;~~EAEnE~~,~~OAAOlB,OAAO~~;~~AAChB~~,CAAC;AAED,~~MAAMiB~~,wBAAwB,~~GAAIG~~,CAAU,IAAK;EAC/C5C,MAAM,CAAC6C,GAAG,CAAC5C,QAAQ,CAAC6C,KAAK,EAAG,iCAAgCF,CAAE,EAAC,CAAC;EAEhE,IAAI,EAAEA,CAAC,~~YAAYtC~~,~~yBAAyB~~,CAAC,EAAE;~~IAC7C~~,~~MAAMsC~~,CAAC;EACT;EAEA,MAAM,IAAIvC,oBAAoB,CAACF,mBAAmB,CAAC,CAChD4C,MAAM,CAAC,GAAG,EAAE;IACXC,IAAI,EAAE5C,wBAAwB,CAAC6C,8BAA8B;IAC7DC,OAAO,EAAE;EACX,CAAC,CAAC,CACDC,SAAS,CAACP,CAAC,CAAC;AACjB,CAAC"}
1	+ {"version":3,"names":["v4","uuidv4","fetchMrtdPopInit","UnexpectedStatusCodeError","SdkUnexpectedStatusCodeError","createPopToken","Logger","LogLevel","WalletInstanceAttestation","IssuerResponseError","IssuerResponseErrorCodes","ResponseErrorBuilder","createVerifyJwtFromJwks","initChallenge","issuerConf","initUrl","mrtd_auth_session","mrtd_pop_jwt_nonce","context","appFetch","fetch","walletInstanceAttestation","wiaCryptoContext","iss","decode","payload","cnf","jwk","kid","signedWiaPoP","jti","aud","credential_issuer","initResult","popInitEndpoint","mrtdAuthSession","mrtdPopJwtNonce","walletAttestation","clientAttestationDPoP","callbacks","verifyJwt","keys","catch","handleInitChallengeError","challenge","mrtd_pop_nonce","mrtdPopNonce","pop_verify_endpoint","popVerifyEndpoint","mrz","e","log","ERROR","handle","code","MrtdChallengeInitRequestFailed","message","buildFrom"],"sourceRoot":"../../../../../src","sources":["credential/issuance/mrtd-pop/02-init-challenge.ts"],"mappings":"AAAA,SAASA,EAAE,IAAIC,MAAM,QAAQ,MAAM;AACnC,SAASC,gBAAgB,QAAQ,0BAA0B;AAC3D,SAASC,yBAAyB,IAAIC,4BAA4B,QAAQ,yBAAyB;AACnG,SAASC,cAAc,QAAQ,oBAAoB;AACnD,SAASC,MAAM,EAAEC,QAAQ,QAAQ,wBAAwB;AACzD,OAAO,KAAKC,yBAAyB,MAAM,mDAAmD,CAAC,CAAC;AAChG,SACEC,mBAAmB,EACnBC,wBAAwB,EACxBC,oBAAoB,QACf,uBAAuB;AAE9B,SAASC,uBAAuB,QAAQ,0BAA0B;AAElE,OAAO,MAAMC,aAA0C,GAAG,MAAAA,CACxDC,UAAU,EACVC,OAAO,EACPC,iBAAiB,EACjBC,kBAAkB,EAClBC,OAAO,KACJ;EACH,MAAM;IACJC,QAAQ,GAAGC,KAAK;IAChBC,yBAAyB;IACzBC;EACF,CAAC,GAAGJ,OAAO;EAEX,MAAMK,GAAG,GAAGf,yBAAyB,CAACgB,MAAM,CAACH,yBAAyB,CAAC,CACpEI,OAAO,CAACC,GAAG,CAACC,GAAG,CAACC,GAAG;EAEtB,MAAMC,YAAY,GAAG,MAAMxB,cAAc,CACvC;IACEyB,GAAG,EAAE7B,MAAM,CAAC,CAAC;IACb8B,GAAG,EAAEjB,UAAU,CAACkB,iBAAiB;IACjCT;EACF,CAAC,EACDD,gBACF,CAAC;EAED,MAAMW,UAAU,GAAG,MAAM/B,gBAAgB,CAAC;IACxCgC,eAAe,EAAEnB,OAAO;IACxBoB,eAAe,EAAEnB,iBAAiB;IAClCoB,eAAe,EAAEnB,kBAAkB;IACnCoB,iBAAiB,EAAEhB,yBAAyB;IAC5CiB,qBAAqB,EAAET,YAAY;IACnCU,SAAS,EAAE;MACTC,SAAS,EAAE5B,uBAAuB,CAACE,UAAU,CAAC2B,IAAI,CAAC;MACnDrB,KAAK,EAAED;IACT;EACF,CAAC,CAAC,CAACuB,KAAK,CAACC,wBAAwB,CAAC;EAElC,OAAO;IACLC,SAAS,EAAEX,UAAU,CAACW,SAAS;IAC/BC,cAAc,EAAEZ,UAAU,CAACa,YAAY;IACvCC,mBAAmB,EAAEd,UAAU,CAACe,iBAAiB;IACjDC,GAAG,EAAEhB,UAAU,CAACgB;EAClB,CAAC;AACH,CAAC;AAED,MAAMN,wBAAwB,GAAIO,CAAU,IAAK;EAC/C5C,MAAM,CAAC6C,GAAG,CAAC5C,QAAQ,CAAC6C,KAAK,EAAG,iCAAgCF,CAAE,EAAC,CAAC;EAEhE,IAAI,EAAEA,CAAC,YAAY9C,4BAA4B,CAAC,EAAE;IAChD,MAAM8C,CAAC;EACT;EAEA,MAAM,IAAIvC,oBAAoB,CAACF,mBAAmB,CAAC,CAChD4C,MAAM,CAAC,GAAG,EAAE;IACXC,IAAI,EAAE5C,wBAAwB,CAAC6C,8BAA8B;IAC7DC,OAAO,EAAE;EACX,CAAC,CAAC,CACDC,SAAS,CAACP,CAAC,CAAC;AACjB,CAAC"}

package/lib/module/credential/issuance/mrtd-pop/03-validate-challenge.js CHANGED Viewed

@@ -1,42 +1,27 @@
 import { SignJWT } from "@pagopa/io-react-native-jwt";
+import { fetchMrtdPopVerify } from "@pagopa/io-wallet-oauth2";
 import { v4 as uuidv4 } from "uuid";
-import { IssuerResponseError } from "../../../utils/errors";
-import { hasStatusOrThrow } from "../../../utils/misc";
 import { createPopToken } from "../../../utils/pop";
-import * as WalletInstanceAttestation from "../../../wallet-instance-attestation";
-import { MrtdPopVerificationResult } from "./types";
-/**
- * Validates the MRTD signed challenge by sending the MRTD and IAS payloads to the issuer.
- * This function must be called after {@link initChallenge} and after obtaining the MRTD and IAS payloads
- * through the CIE PACE process.
- *
- * @param issuerConf - The issuer configuration containing the JWKS for signature verification.
- * @param verifyUrl - The endpoint to call to validate the challenge.
- * @param mrtd_auth_session - Session identifier for session binding obtained from the MRTD Proof JWT.
- * @param mrtd_pop_nonce - Nonce value obtained from the MRTD Proof JWT.
- * @param mrtd - MRTD validation data containing Data Groups and SOD.
- * @param ias - IAS validation data containing Anti-Cloning Public Key, and SOD.
- * @param context - The context containing the WIA crypto context used to retrieve the client public key,
- * the wallet instance attestation and an optional fetch implementation.
- * @returns The MRTD PoP Verification Result containing the validation nonce and redirect URI to complete the flow.
- */
+import * as WalletInstanceAttestation from "../../../wallet-instance-attestation/v1.0.0/utils"; // TODO: decouple from 1.0.0 version
+import { sdkUnexpectedStatusCodeToIssuerError } from "../../../utils/errors";
+import { partialCallbacks } from "../../../utils/callbacks";
 export const validateChallenge = async (issuerConf, verifyUrl, mrtd_auth_session, mrtd_pop_nonce, mrtd, ias, context) => {
   const {
     appFetch = fetch,
     walletInstanceAttestation,
     wiaCryptoContext
   } = context;
-  const aud = issuerConf.openid_credential_issuer.credential_issuer;
+  const aud = issuerConf.credential_issuer;
   const iss = WalletInstanceAttestation.decode(walletInstanceAttestation).payload.cnf.jwk.kid;
   const signedWiaPoP = await createPopToken({
-    jti: `${uuidv4()}`,
+    jti: uuidv4(),
     aud,
     iss
   }, wiaCryptoContext);
   const {
     kid
   } = await wiaCryptoContext.getPublicKey();
-  const mrtd_validation_jwt = await new SignJWT(wiaCryptoContext).setProtectedHeader({
+  const mrtdValidationJwt = await new SignJWT(wiaCryptoContext).setProtectedHeader({
     typ: "mrtd-ias+jwt",
     kid
   }).setPayload({
@@ -46,32 +31,23 @@ export const validateChallenge = async (issuerConf, verifyUrl, mrtd_auth_session
     mrtd,
     ias
   }).setIssuedAt().setExpirationTime("5m").sign();
-  const requestBody = {
-    mrtd_validation_jwt,
-    mrtd_auth_session,
-    mrtd_pop_nonce
+  const verifyResult = await fetchMrtdPopVerify({
+    popVerifyEndpoint: verifyUrl,
+    mrtdAuthSession: mrtd_auth_session,
+    mrtdPopNonce: mrtd_pop_nonce,
+    clientAttestationDPoP: signedWiaPoP,
+    mrtdValidationJwt,
+    walletAttestation: walletInstanceAttestation,
+    callbacks: {
+      fetch: appFetch,
+      ...partialCallbacks
+    }
+  }).catch(sdkUnexpectedStatusCodeToIssuerError);
+  return {
+    redirect_uri: verifyResult.redirectUri,
+    mrtd_val_pop_nonce: verifyResult.mrtdValPopNonce
   };
-  const verifyResult = await appFetch(verifyUrl, {
-    method: "POST",
-    headers: {
-      "Content-Type": "application/json",
-      "OAuth-Client-Attestation": walletInstanceAttestation,
-      "OAuth-Client-Attestation-PoP": signedWiaPoP
-    },
-    body: JSON.stringify(requestBody)
-  }).then(hasStatusOrThrow(202, IssuerResponseError)).then(res => res.json());
-  const verifyResultParsed = MrtdPopVerificationResult.parse(verifyResult);
-  return verifyResultParsed;
 };
-/**
- * WARNING: This function must be called after {@link validateChallenge}. The generated authUrl must be used to open a browser or webview capable of catching the redirectSchema to perform a get request to the authorization endpoint.
- * Builds the callback URL to which the end user should be redirected to continue the authentication flow after the MRTD challenge validation.
- * @param redirectUri - The redirect URI provided by the issuer after the challenge validation to continue the authentication flow.
- * @param valPopNonce - The MRTD validation PoP nonce obtained from the challenge validation response.
- * @param authSession - The MRTD authentication session identifier used for session binding.
- * @returns An object containing the callback URL
- */
 export const buildChallengeCallbackUrl = async (redirectUri, valPopNonce, authSession) => {
   const params = new URLSearchParams({
     mrtd_val_pop_nonce: valPopNonce,

package/lib/module/credential/issuance/mrtd-pop/03-validate-challenge.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"names":["SignJWT","v4","~~uuidv4~~","~~IssuerResponseError~~","~~hasStatusOrThrow~~","~~createPopToken~~","~~WalletInstanceAttestation~~","~~MrtdPopVerificationResult~~","validateChallenge","issuerConf","verifyUrl","mrtd_auth_session","mrtd_pop_nonce","mrtd","ias","context","appFetch","fetch","walletInstanceAttestation","wiaCryptoContext","aud","~~openid_credential_issuer","~~credential_issuer","iss","decode","payload","cnf","jwk","kid","signedWiaPoP","jti","getPublicKey","~~mrtd_validation_jwt~~","setProtectedHeader","typ","setPayload","document_type","setIssuedAt","setExpirationTime","sign","~~requestBody~~","~~verifyResult~~","~~method~~","~~headers~~","~~body~~","~~JSON~~","~~stringify~~","~~then~~","~~res~~","~~json~~","~~verifyResultParsed~~","~~parse~~","buildChallengeCallbackUrl","~~redirectUri","~~valPopNonce","authSession","params","URLSearchParams","~~mrtd_val_pop_nonce","~~callbackUrl"],"sourceRoot":"../../../../../src","sources":["credential/issuance/mrtd-pop/03-validate-challenge.ts"],"mappings":"AAAA,SAASA,OAAO,~~QAA4B~~,6BAA6B;~~AACzE~~,SAASC,~~EAAE~~,~~IAAIC,MAAM,~~QAAQ,~~MAAM~~;~~AACnC~~,SAASC,~~mBAAmB~~,~~QAAQ~~,~~uBAAuB;AAC3D~~,~~SAASC~~,~~gBAAgB,QAAkB,qBAAqB~~;~~AAChE~~,SAASC,cAAc,QAAQ,oBAAoB;AACnD,OAAO,KAAKC,yBAAyB,MAAM,~~sCAAsC~~;~~AAEjF~~,~~SACEC~~,~~yBAAyB~~,~~QAGpB~~,~~SAAS~~;~~AAyBhB~~;~~AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA~~,OAAO,MAAMC,~~iBAAoC~~,GAAG,MAAAA,~~CAClDC~~,UAAU,EACVC,SAAS,EACTC,iBAAiB,EACjBC,cAAc,EACdC,IAAI,EACJC,GAAG,EACHC,OAAO,KACJ;EACH,MAAM;IACJC,QAAQ,GAAGC,KAAK;IAChBC,yBAAyB;IACzBC;EACF,CAAC,GAAGJ,OAAO;EAEX,MAAMK,GAAG,GAAGX,UAAU,CAACY,~~wBAAwB,CAACC,~~iBAAiB;~~EACjE~~,MAAMC,GAAG,GAAGjB,yBAAyB,CAACkB,MAAM,~~CAACN~~,yBAAyB,CAAC,~~CACpEO~~,OAAO,CAACC,GAAG,CAACC,GAAG,CAACC,GAAG;EAEtB,MAAMC,YAAY,GAAG,MAAMxB,cAAc,CACvC;IACEyB,GAAG,~~EAAG~~,~~GAAE5B,~~MAAM,CAAC,~~CAAE,EAAC~~;~~IAClBkB~~,GAAG;~~IACHG~~;EACF,CAAC,~~EACDJ~~,gBACF,CAAC;EAED,MAAM;~~IAAES~~;EAAI,CAAC,GAAG,~~MAAMT~~,gBAAgB,~~CAACY~~,YAAY,CAAC,CAAC;EAErD,MAAMC,~~mBAAmB~~,GAAG,MAAM,~~IAAIhC~~,OAAO,CAACmB,gBAAgB,CAAC,~~CAC5Dc~~,kBAAkB,CAAC;IAClBC,GAAG,EAAE,cAAc;IACnBN;EACF,CAAC,CAAC,CACDO,UAAU,CAAC;IACVZ,GAAG;~~IACHH~~,GAAG;~~IACHgB~~,aAAa,EAAE,KAAK;~~IACpBvB~~,IAAI;IACJC;EACF,CAAC,CAAC,~~CACDuB~~,WAAW,CAAC,CAAC,CACbC,iBAAiB,CAAC,IAAI,CAAC,CACvBC,IAAI,CAAC,CAAC;EAET,MAAMC,~~WAAW~~,GAAG~~;IAClBR~~,~~mBAAmB;IACnBrB~~,~~iBAAiB;IACjBC;EACF~~,CAAC;~~EAED~~,~~MAAM6B~~,~~YAAY~~,~~GAAG,MAAMzB,QAAQ,CAACN,~~SAAS~~,EAAE~~;~~IAC7CgC~~,~~MAAM~~,~~EAAE~~,~~MAAM~~;~~IACdC~~,~~OAAO~~,~~EAAE;MACP~~,cAAc~~,EAAE,kBAAkB~~;~~MAClC~~,~~0BAA0B~~,~~EAAEzB~~,~~yBAAyB~~;~~MACrD~~,~~8BAA8B,EAAEW~~;~~IAClC~~,~~CAAC;IACDe~~,~~IAAI~~,~~EAAEC~~,~~IAAI~~,~~CAACC~~,~~SAAS~~,~~CAACN~~,~~WAAW~~;~~EAClC~~,~~CAAC~~,CAAC,~~CACCO,IAAI,CAAC3C,gBAAgB,~~CAAC,~~GAAG~~,~~EAAED~~,~~mBAAmB~~,~~CAAC~~,CAAC,~~CAChD4C~~,~~IAAI~~,~~CAAEC~~,~~GAAG~~,~~IAAKA~~,~~GAAG,CAACC,IAAI,CAAC,CAAC,CAAC~~;~~EAE5B~~,~~MAAMC,~~kBAAkB,~~GAAG3C~~,~~yBAAyB,CAAC4C,KAAK,CAACV,~~YAAY,~~CAAC~~;~~EACxE~~,~~OAAOS,kBAAkB~~;~~AAC3B~~,CAAC;;AAED~~;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA~~,OAAO,~~MAAME~~,~~yBAAoD~~,~~GAAG~~,MAAAA,~~CAClEC~~,WAAW,~~EACXC~~,WAAW,~~EACXC~~,WAAW,~~KACR~~;~~EACH~~,MAAMC,MAAM,GAAG,IAAIC,eAAe,CAAC;~~IACjCC~~,kBAAkB,~~EAAEJ~~,WAAW;IAC/~~B3C~~,iBAAiB,~~EAAE4C~~;EACrB,CAAC,CAAC;EAEF,~~MAAMI~~,WAAW,GAAI,~~GAAEN~~,WAAY,~~IAAGG~~,MAAO,EAAC;EAC9C,OAAO;~~IAAEG~~;EAAY,CAAC;AACxB,CAAC"}
1	+ {"version":3,"names":["SignJWT","fetchMrtdPopVerify","v4","uuidv4","createPopToken","WalletInstanceAttestation","sdkUnexpectedStatusCodeToIssuerError","partialCallbacks","validateChallenge","issuerConf","verifyUrl","mrtd_auth_session","mrtd_pop_nonce","mrtd","ias","context","appFetch","fetch","walletInstanceAttestation","wiaCryptoContext","aud","credential_issuer","iss","decode","payload","cnf","jwk","kid","signedWiaPoP","jti","getPublicKey","mrtdValidationJwt","setProtectedHeader","typ","setPayload","document_type","setIssuedAt","setExpirationTime","sign","verifyResult","popVerifyEndpoint","mrtdAuthSession","mrtdPopNonce","clientAttestationDPoP","walletAttestation","callbacks","catch","redirect_uri","redirectUri","mrtd_val_pop_nonce","mrtdValPopNonce","buildChallengeCallbackUrl","valPopNonce","authSession","params","URLSearchParams","callbackUrl"],"sourceRoot":"../../../../../src","sources":["credential/issuance/mrtd-pop/03-validate-challenge.ts"],"mappings":"AAAA,SAASA,OAAO,QAAQ,6BAA6B;AACrD,SAASC,kBAAkB,QAAQ,0BAA0B;AAC7D,SAASC,EAAE,IAAIC,MAAM,QAAQ,MAAM;AACnC,SAASC,cAAc,QAAQ,oBAAoB;AACnD,OAAO,KAAKC,yBAAyB,MAAM,mDAAmD,CAAC,CAAC;AAChG,SAASC,oCAAoC,QAAQ,uBAAuB;AAC5E,SAASC,gBAAgB,QAAQ,0BAA0B;AAG3D,OAAO,MAAMC,iBAAkD,GAAG,MAAAA,CAChEC,UAAU,EACVC,SAAS,EACTC,iBAAiB,EACjBC,cAAc,EACdC,IAAI,EACJC,GAAG,EACHC,OAAO,KACJ;EACH,MAAM;IACJC,QAAQ,GAAGC,KAAK;IAChBC,yBAAyB;IACzBC;EACF,CAAC,GAAGJ,OAAO;EAEX,MAAMK,GAAG,GAAGX,UAAU,CAACY,iBAAiB;EACxC,MAAMC,GAAG,GAAGjB,yBAAyB,CAACkB,MAAM,CAACL,yBAAyB,CAAC,CACpEM,OAAO,CAACC,GAAG,CAACC,GAAG,CAACC,GAAG;EAEtB,MAAMC,YAAY,GAAG,MAAMxB,cAAc,CACvC;IACEyB,GAAG,EAAE1B,MAAM,CAAC,CAAC;IACbiB,GAAG;IACHE;EACF,CAAC,EACDH,gBACF,CAAC;EAED,MAAM;IAAEQ;EAAI,CAAC,GAAG,MAAMR,gBAAgB,CAACW,YAAY,CAAC,CAAC;EAErD,MAAMC,iBAAiB,GAAG,MAAM,IAAI/B,OAAO,CAACmB,gBAAgB,CAAC,CAC1Da,kBAAkB,CAAC;IAClBC,GAAG,EAAE,cAAc;IACnBN;EACF,CAAC,CAAC,CACDO,UAAU,CAAC;IACVZ,GAAG;IACHF,GAAG;IACHe,aAAa,EAAE,KAAK;IACpBtB,IAAI;IACJC;EACF,CAAC,CAAC,CACDsB,WAAW,CAAC,CAAC,CACbC,iBAAiB,CAAC,IAAI,CAAC,CACvBC,IAAI,CAAC,CAAC;EAET,MAAMC,YAAY,GAAG,MAAMtC,kBAAkB,CAAC;IAC5CuC,iBAAiB,EAAE9B,SAAS;IAC5B+B,eAAe,EAAE9B,iBAAiB;IAClC+B,YAAY,EAAE9B,cAAc;IAC5B+B,qBAAqB,EAAEf,YAAY;IACnCG,iBAAiB;IACjBa,iBAAiB,EAAE1B,yBAAyB;IAC5C2B,SAAS,EAAE;MACT5B,KAAK,EAAED,QAAQ;MACf,GAAGT;IACL;EACF,CAAC,CAAC,CAACuC,KAAK,CAACxC,oCAAoC,CAAC;EAE9C,OAAO;IACLyC,YAAY,EAAER,YAAY,CAACS,WAAW;IACtCC,kBAAkB,EAAEV,YAAY,CAACW;EACnC,CAAC;AACH,CAAC;AAED,OAAO,MAAMC,yBAAkE,GAC7E,MAAAA,CAAOH,WAAW,EAAEI,WAAW,EAAEC,WAAW,KAAK;EAC/C,MAAMC,MAAM,GAAG,IAAIC,eAAe,CAAC;IACjCN,kBAAkB,EAAEG,WAAW;IAC/BzC,iBAAiB,EAAE0C;EACrB,CAAC,CAAC;EAEF,MAAMG,WAAW,GAAI,GAAER,WAAY,IAAGM,MAAO,EAAC;EAC9C,OAAO;IAAEE;EAAY,CAAC;AACxB,CAAC"}