npm - @pagopa/io-react-native-wallet - Versions diffs - 2.5.0 → 3.0.0 - Mend

@pagopa/io-react-native-wallet 2.5.0 → 3.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (1562) hide show

package/src/credential/presentation/common/utils/dcql.ts ADDED Viewed

@@ -0,0 +1,188 @@
+import { DcqlClaimsQuery, DcqlQuery, DcqlQueryResult } from "dcql";
+import { isObject } from "../../../../utils/object";
+import type { EvaluatedDisclosure, PresentationFrame } from "../../api/types";
+import { IoWalletError } from "../../../../utils/errors";
+import { LEGACY_SD_JWT } from "../../../../sd-jwt/types";
+import type { NotFoundDetail } from "../errors";
+type DcqlMatchSuccess = Extract<
+  DcqlQueryResult.CredentialMatch,
+  { success: true }
+>;
+type DcqlMatchFailure = Extract<
+  DcqlQueryResult.CredentialMatch,
+  { success: false }
+>;
+/**
+ * Extract only successful matches from the DCQL query result.
+ */
+export const getDcqlQueryMatches = (result: DcqlQueryResult) =>
+  Object.entries(result.credential_matches).filter(
+    ([, match]) => match.success === true
+  ) as [string, DcqlMatchSuccess][];
+/**
+ * Extract only failed matches from the DCQL query result.
+ */
+const getDcqlQueryFailedMatches = (result: DcqlQueryResult) =>
+  Object.entries(result.credential_matches).filter(
+    ([, match]) => match.success === false
+  ) as [string, DcqlMatchFailure][];
+/**
+ * Extract details related to failed credentials
+ */
+export const extractFailedCredentialsDetails = (
+  queryResult: DcqlQueryResult
+): NotFoundDetail[] => {
+  return getDcqlQueryFailedMatches(queryResult).map(([id, match]) => {
+    const credential = queryResult.credentials.find((c) => c.id === id);
+    const issues = match.failed_credentials?.flatMap((c) => {
+      if ("issues" in c.meta) {
+        return Object.values(c.meta.issues).flat() as string[];
+      }
+      if (c.claims.failed_claim_sets) {
+        return c.claims.failed_claim_sets.flatMap(
+          (cs) => Object.values(cs.issues).flat() as string[]
+        );
+      }
+      return [];
+    });
+    if (credential?.format === "mso_mdoc") {
+      return {
+        id,
+        issues,
+        format: credential.format,
+        doctypeValue: credential.meta?.doctype_value,
+      };
+    }
+    if (
+      credential?.format === "dc+sd-jwt" ||
+      credential?.format === LEGACY_SD_JWT
+    ) {
+      return {
+        id,
+        issues,
+        format: credential.format,
+        vctValues:
+          credential.meta && "vct_values" in credential.meta
+            ? credential.meta.vct_values
+            : [],
+      };
+    }
+    throw new IoWalletError(`Unsupported format: ${credential?.format}`);
+  });
+};
+/**
+ * Extract a compact list of claims from the `dcql` result.
+ * @param match The DCQL query match
+ * @returns The list of claims in {@link EvaluatedDisclosure} format
+ */
+export const getClaimsFromDcqlMatch = (
+  match: DcqlQueryResult.CredentialMatch
+): EvaluatedDisclosure[] =>
+  getValidDcqlClaims(match).flatMap((c) =>
+    Object.entries(c.output).map(([name, value]) => ({ name, value }))
+  );
+/**
+ * Recursively convert a claim path to a {@link PresentationFrame} for `@sd-jwt/present`
+ * @param path The claim path array
+ * @param claim The decoded claim
+ * @returns A presentation frame compatible with `@sd-jwt/present`
+ */
+export const pathToPresentationFrame = (
+  path: (string | number | null)[],
+  claim: Record<string, unknown>
+): PresentationFrame => {
+  const [segment, ...rest] = path;
+  // Base case: no more path segments to process
+  if (segment === undefined) {
+    // @ts-expect-error unwind recursion
+    return true;
+  }
+  // null path segments (lists) must include all elements in the list
+  if (segment === null) {
+    const [maybeArrayClaim] = Object.values(claim);
+    if (Array.isArray(maybeArrayClaim)) {
+      return maybeArrayClaim.reduce(
+        (acc, c, i) => ({ ...acc, [i]: pathToPresentationFrame(rest, c) }),
+        {}
+      );
+    }
+    // @ts-expect-error unwind recursion
+    return true;
+  }
+  return {
+    [segment]: pathToPresentationFrame(rest, claim),
+  };
+};
+/**
+ * Build a presentation frame from the `dcql` result to use for disclosing the requested claims.
+ * @param match The DCQL query match
+ * @param originalQuery The original DCQL query
+ * @returns A presentation frame compatible with `@sd-jwt/present`
+ */
+export const getPresentationFrameFromDcqlMatch = (
+  match: DcqlQueryResult.CredentialMatch,
+  originalQuery: DcqlQuery
+): PresentationFrame => {
+  // The original DCQL query claims are needed to get their path
+  const queryClaims =
+    originalQuery.credentials.find(({ id }) => id === match.credential_query_id)
+      ?.claims ?? [];
+  if (queryClaims.length === 0) return {};
+  const typedQueryClaims = queryClaims as DcqlClaimsQuery.W3cAndSdJwtVc[];
+  // Build a presentation frame from each claim's path
+  return getValidDcqlClaims(match).reduce((acc, c) => {
+    const pf = pathToPresentationFrame(
+      typedQueryClaims[c.claim_index]!.path,
+      c.output
+    );
+    // Merge objects with the same key to not lose objects that are already in the accumulator
+    for (const [key, value] of Object.entries(pf)) {
+      acc[key] = isObject(value) ? Object.assign(value, acc[key]) : value;
+    }
+    return acc;
+  }, {} as PresentationFrame);
+};
+/**
+ * Extract valid claims from a successful `dcql` match. The extracted claims
+ * come directly from the library, without any processing.
+ * @param match The DCQL query match
+ * @returns A list of raw `dcql` claims
+ */
+export const getValidDcqlClaims = (match: DcqlQueryResult.CredentialMatch) => {
+  const validClaims = match.valid_credentials?.[0]?.claims?.valid_claims;
+  if (!validClaims) return [];
+  const [validClaimSet] =
+    match.valid_credentials?.[0]?.claims?.valid_claim_sets ?? [];
+  // If there is a valid claim set, only claims from that set must be disclosed
+  // We select claims in the order they are defined in the set
+  if (validClaimSet) {
+    return (
+      validClaimSet.valid_claim_indexes?.map(
+        (i) => validClaims.find((c) => c.claim_index === i)!
+      ) ?? []
+    );
+  }
+  return validClaims;
+};

package/src/credential/presentation/common/utils/http.ts ADDED Viewed

@@ -0,0 +1,30 @@
+import type { RequestObject } from "../../api";
+import type { DirectAuthorizationBodyPayload } from "../../v1.0.0/types";
+/**
+ * Builds a URL-encoded form body for a direct POST response without encryption.
+ *
+ * @param requestObject - Contains state, nonce, and other relevant info.
+ * @param payload - Object that contains either the VP token to encrypt and the stringified mapping of the credential disclosures or the error code
+ * @returns A URL-encoded string suitable for an `application/x-www-form-urlencoded` POST body.
+ */
+export const buildDirectPostBody = async (
+  requestObject: RequestObject,
+  payload: DirectAuthorizationBodyPayload
+): Promise<string> => {
+  const formUrlEncodedBody = new URLSearchParams({
+    state: requestObject.state,
+    ...Object.entries(payload).reduce(
+      (acc, [key, value]) => ({
+        ...acc,
+        [key]:
+          Array.isArray(value) || typeof value === "object"
+            ? JSON.stringify(value)
+            : value,
+      }),
+      {} as Record<string, string>
+    ),
+  });
+  return formUrlEncodedBody.toString();
+};

package/src/credential/presentation/common/utils/sd-jwt.ts ADDED Viewed

@@ -0,0 +1,68 @@
+import { SDJwtInstance, type SDJwt } from "@sd-jwt/core";
+import { getClaims } from "@sd-jwt/decode";
+import { digest } from "@sd-jwt/crypto-nodejs";
+import type { DcqlSdJwtVcCredential } from "dcql";
+import { IoWalletError } from "../../../../utils/errors";
+import { LEGACY_SD_JWT } from "../../../../sd-jwt/types";
+import type { Credential4Dcql } from "../../api";
+type CustomDcqlSdJwtVcCredential = DcqlSdJwtVcCredential & {
+  original_credential: Credential4Dcql;
+};
+/**
+ * List of claims to remove from the SD-JWT before evaluating the DCQL query.
+ */
+const NON_DISCLOSABLE_CLAIMS = ["status", "cnf", "exp"];
+/**
+ * Extract claims from disclosures for use in `dcql` library.
+ */
+const getClaimsFromDecodedSdJwt = async (decodedRawSdJwt: SDJwt) => {
+  if (!decodedRawSdJwt.jwt?.payload) {
+    throw new IoWalletError("Can't decode SD-JWT");
+  }
+  const claims = await getClaims<DcqlSdJwtVcCredential["claims"]>(
+    decodedRawSdJwt.jwt.payload,
+    decodedRawSdJwt.disclosures ?? [],
+    digest
+  );
+  for (const claim of NON_DISCLOSABLE_CLAIMS) {
+    delete claims[claim];
+  }
+  return claims;
+};
+/**
+ * Convert a list of credential in SD-JWT format to a list of objects
+ * with claims for correct parsing by the `dcql` library.
+ * @param credentials The raw SD-JWT credentials
+ * @returns List of `dcql` compatible objects
+ */
+export const mapCredentialsToObj = async (
+  credentials: Credential4Dcql[]
+): Promise<CustomDcqlSdJwtVcCredential[]> => {
+  const sdJwt = new SDJwtInstance({
+    hasher: digest,
+  });
+  return Promise.all(
+    credentials.map(async (credential) => {
+      const decodedRawSdJwt = await sdJwt.decode(credential[1]);
+      const claims = await getClaimsFromDecodedSdJwt(decodedRawSdJwt);
+      return {
+        vct: decodedRawSdJwt.jwt?.payload?.vct as string,
+        credential_format:
+          decodedRawSdJwt.jwt?.header?.typ === LEGACY_SD_JWT
+            ? LEGACY_SD_JWT
+            : "dc+sd-jwt",
+        cryptographic_holder_binding: true,
+        claims,
+        original_credential: credential,
+      } satisfies CustomDcqlSdJwtVcCredential;
+    })
+  );
+};

package/src/credential/presentation/common/utils.ts ADDED Viewed

@@ -0,0 +1,30 @@
+import type { RequestObject } from "../api";
+import type { DirectAuthorizationBodyPayload } from "../v1.0.0/types";
+/**
+ * Builds a URL-encoded form body for a direct POST response without encryption.
+ *
+ * @param requestObject - Contains state, nonce, and other relevant info.
+ * @param payload - Object that contains either the VP token to encrypt and the stringified mapping of the credential disclosures or the error code
+ * @returns A URL-encoded string suitable for an `application/x-www-form-urlencoded` POST body.
+ */
+export const buildDirectPostBody = async (
+  requestObject: RequestObject,
+  payload: DirectAuthorizationBodyPayload
+): Promise<string> => {
+  const formUrlEncodedBody = new URLSearchParams({
+    state: requestObject.state,
+    ...Object.entries(payload).reduce(
+      (acc, [key, value]) => ({
+        ...acc,
+        [key]:
+          Array.isArray(value) || typeof value === "object"
+            ? JSON.stringify(value)
+            : value,
+      }),
+      {} as Record<string, string>
+    ),
+  });
+  return formUrlEncodedBody.toString();
+};

package/src/credential/presentation/index.ts CHANGED Viewed

@@ -1,71 +1,5 @@
-import { startFlowFromQR, type StartFlow } from "./01-start-flow";
-import {
-  evaluateRelyingPartyTrust,
-  type EvaluateRelyingPartyTrust,
-} from "./02-evaluate-rp-trust";
-import {
-  getRequestObject,
-  type GetRequestObject,
-} from "./03-get-request-object";
-import { getJwksFromConfig, type FetchJwks } from "./04-retrieve-rp-jwks";
-import {
-  verifyRequestObject,
-  type VerifyRequestObject,
-} from "./05-verify-request-object";
-import {
-  fetchPresentDefinition,
-  type FetchPresentationDefinition,
-} from "./06-fetch-presentation-definition";
-import {
-  evaluateInputDescriptors,
-  prepareLegacyRemotePresentations,
-  type EvaluateInputDescriptors,
-  type PrepareLegacyRemotePresentations,
-} from "./07-evaluate-input-descriptor";
-import {
-  evaluateDcqlQuery,
-  prepareRemotePresentations,
-  type EvaluateDcqlQuery,
-  type PrepareRemotePresentations,
-} from "./07-evaluate-dcql-query";
-import {
-  sendAuthorizationResponse,
-  type SendAuthorizationResponse,
-  sendLegacyAuthorizationResponse,
-  type SendLegacyAuthorizationResponse,
-  sendAuthorizationErrorResponse,
-  type SendAuthorizationErrorResponse,
-} from "./08-send-authorization-response";
-import * as Errors from "./errors";
-export {
-  startFlowFromQR,
-  evaluateRelyingPartyTrust,
-  getRequestObject,
-  getJwksFromConfig,
-  verifyRequestObject,
-  fetchPresentDefinition,
-  evaluateInputDescriptors,
-  evaluateDcqlQuery,
-  prepareLegacyRemotePresentations,
-  prepareRemotePresentations,
-  sendAuthorizationResponse,
-  sendLegacyAuthorizationResponse,
-  sendAuthorizationErrorResponse,
-  Errors,
-};
-export type {
-  StartFlow,
-  EvaluateRelyingPartyTrust,
-  GetRequestObject,
-  FetchJwks,
-  VerifyRequestObject,
-  FetchPresentationDefinition,
-  EvaluateInputDescriptors,
-  EvaluateDcqlQuery,
-  PrepareLegacyRemotePresentations,
-  PrepareRemotePresentations,
-  SendAuthorizationResponse,
-  SendLegacyAuthorizationResponse,
-  SendAuthorizationErrorResponse,
-};
+import * as Errors from "./common/errors";
+export { Errors };
+export type * from "./api";
+export { RemotePresentation as V1_0_0 } from "./v1.0.0";
+export { RemotePresentation as V1_3_3 } from "./v1.3.3";

package/src/credential/presentation/v1.0.0/01-start-flow.ts ADDED Viewed

@@ -0,0 +1,22 @@
+import { InvalidQRCodeError } from "../common/errors";
+import type { RemotePresentationApi } from "../api";
+import { PresentationParams } from "../api/types";
+export const startFlowFromQR: RemotePresentationApi["startFlowFromQR"] = (
+  params
+) => {
+  const result = PresentationParams.safeParse({
+    ...params,
+    request_uri_method: params.request_uri_method ?? "get",
+  });
+  if (!result.success) throw new InvalidQRCodeError(result.error.message);
+  if (!result.data.request_uri) {
+    throw new InvalidQRCodeError(
+      "Invalid QR code missing the required 'request_uri' parameter."
+    );
+  }
+  return result.data;
+};

package/src/credential/presentation/v1.0.0/02-evaluate-rp-trust.ts ADDED Viewed

@@ -0,0 +1,14 @@
+import { getRelyingPartyEntityConfiguration } from "../../../trust/v1.0.0/entities";
+import type { RemotePresentationApi } from "../api";
+import { mapToRelyingPartyConfig } from "./mappers";
+export const evaluateRelyingPartyTrust: RemotePresentationApi["evaluateRelyingPartyTrust"] =
+  async (rpUrl, { appFetch = fetch } = {}) => {
+    const rpEntityConfiguration = await getRelyingPartyEntityConfiguration(
+      rpUrl,
+      { appFetch }
+    );
+    return {
+      rpConf: mapToRelyingPartyConfig(rpEntityConfiguration),
+    };
+  };

package/src/credential/presentation/v1.0.0/03-get-request-object.ts ADDED Viewed

@@ -0,0 +1,61 @@
+import { RelyingPartyResponseError } from "../../../utils/errors";
+import { hasStatusOrThrow } from "../../../utils/misc";
+import type { RemotePresentationApi } from "../api";
+import { RequestObjectWalletCapabilities } from "../api/types";
+import { InvalidQRCodeError } from "../common/errors";
+export const getRequestObject: RemotePresentationApi["getRequestObject"] =
+  async (
+    authorizationRequestUrl,
+    { appFetch = fetch, walletCapabilities } = {}
+  ) => {
+    const authorizationUrl = new URL(authorizationRequestUrl);
+    /*
+     * The QR code parameters are validated in step 1.
+     * For consistency with the 1.3 flow we accept the full authorization URL,
+     * but here we only extract the `request_uri` to retrieve the Request Object.
+     */
+    const requestUri =
+      authorizationUrl.searchParams.get("request_uri") ?? undefined;
+    if (!requestUri) {
+      throw new InvalidQRCodeError(
+        "The QR code is missing the required 'request_uri' parameter."
+      );
+    }
+    if (walletCapabilities) {
+      // Validate external input
+      const { wallet_metadata, wallet_nonce } =
+        RequestObjectWalletCapabilities.parse(walletCapabilities);
+      const formUrlEncodedBody = new URLSearchParams({
+        wallet_metadata: JSON.stringify(wallet_metadata),
+        ...(wallet_nonce && { wallet_nonce }),
+      });
+      const requestObjectEncodedJwt = await appFetch(requestUri, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/x-www-form-urlencoded",
+        },
+        body: formUrlEncodedBody.toString(),
+      })
+        .then(hasStatusOrThrow(200, RelyingPartyResponseError))
+        .then((res) => res.text());
+      return {
+        requestObjectEncodedJwt,
+      };
+    }
+    const requestObjectEncodedJwt = await appFetch(requestUri, {
+      method: "GET",
+    })
+      .then(hasStatusOrThrow(200, RelyingPartyResponseError))
+      .then((res) => res.text());
+    return {
+      requestObjectEncodedJwt,
+    };
+  };

package/src/credential/presentation/v1.0.0/04-verify-request-object.ts ADDED Viewed

@@ -0,0 +1,104 @@
+import { decode as decodeJwt, verify } from "@pagopa/io-react-native-jwt";
+import { type typeToFlattenedError } from "zod";
+import type { RelyingPartyConfig, RemotePresentationApi } from "../api";
+import { InvalidRequestObjectError } from "../common/errors";
+import { RequestObjectPayload } from "./types";
+import { mapToRequestObject } from "./mappers";
+import { getJwksFromRpConfig } from "./utils.jwks";
+export const verifyRequestObject: RemotePresentationApi["verifyRequestObject"] =
+  async (requestObjectEncodedJwt, { clientId, rpConf, state }) => {
+    const requestObjectJwt = decodeJwt(requestObjectEncodedJwt);
+    const pubKey = getSigPublicKey(
+      rpConf,
+      requestObjectJwt.protectedHeader.kid
+    );
+    try {
+      // Standard claims are verified within `verify`
+      await verify(requestObjectEncodedJwt, pubKey, { issuer: clientId });
+    } catch (_) {
+      throw new InvalidRequestObjectError(
+        "The Request Object signature verification failed"
+      );
+    }
+    const requestObject = validateRequestObjectShape(requestObjectJwt.payload);
+    const isClientIdMatch =
+      clientId === requestObject.client_id && clientId === rpConf.subject;
+    if (!isClientIdMatch) {
+      throw new InvalidRequestObjectError(
+        "Client ID does not match Request Object or Entity Configuration"
+      );
+    }
+    const isStateMatch = state ? state === requestObject.state : true;
+    if (!isStateMatch) {
+      throw new InvalidRequestObjectError(
+        "The provided state does not match the Request Object's"
+      );
+    }
+    return { requestObject: mapToRequestObject(requestObject) };
+  };
+/**
+ * Validate the shape of the Request Object to ensure all required properties are present and are of the expected type.
+ *
+ * @param payload The Request Object to validate
+ * @returns A valid Request Object
+ * @throws {InvalidRequestObjectError} when the Request Object cannot be parsed
+ */
+const validateRequestObjectShape = (payload: unknown): RequestObjectPayload => {
+  const requestObjectParse = RequestObjectPayload.safeParse(payload);
+  if (requestObjectParse.success) {
+    return requestObjectParse.data;
+  }
+  throw new InvalidRequestObjectError(
+    "The Request Object cannot be parsed successfully",
+    formatFlattenedZodErrors(requestObjectParse.error.flatten())
+  );
+};
+/**
+ * Get the public key to verify the Request Object's signature from the Relying Party's EC.
+ *
+ * @param rpConf The Relying Party's EC
+ * @param kid The identifier of the key to find
+ * @returns The corresponding public key to verify the signature
+ * @throws {InvalidRequestObjectError} when the key cannot be found
+ */
+const getSigPublicKey = (
+  rpConf: RelyingPartyConfig,
+  kid: string | undefined
+) => {
+  try {
+    const { keys } = getJwksFromRpConfig(rpConf);
+    const pubKey = keys.find((k) => k.kid === kid);
+    if (!pubKey) throw new Error();
+    return pubKey;
+  } catch (_) {
+    throw new InvalidRequestObjectError(
+      `The public key for signature verification (${kid}) cannot be found in the Entity Configuration`
+    );
+  }
+};
+/**
+ * Utility to format flattened Zod errors into a simplified string `key1: key1_error, key2: key2_error`
+ */
+const formatFlattenedZodErrors = (
+  errors: typeToFlattenedError<RequestObjectPayload>
+): string =>
+  Object.entries(errors.fieldErrors)
+    .map(([key, error]) => `${key}: ${error[0]}`)
+    .join(", ");

package/src/credential/presentation/v1.0.0/05-evaluate-dcql-query.ts ADDED Viewed

@@ -0,0 +1,97 @@
+import { DcqlQuery, DcqlError } from "dcql";
+import { isValiError } from "valibot";
+import { CredentialsNotFoundError } from "../common/errors";
+import type { Credential4Dcql, RemotePresentationApi } from "../api";
+import type { CredentialPurpose } from "../api/05-evaluate-dcql-query";
+import * as sdJwtUtils from "../common/utils/sd-jwt";
+import {
+  extractFailedCredentialsDetails,
+  getClaimsFromDcqlMatch,
+  getDcqlQueryMatches,
+  getPresentationFrameFromDcqlMatch,
+} from "../common/utils/dcql";
+import { LEGACY_SD_JWT } from "../../../sd-jwt/types";
+export const evaluateDcqlQuery: RemotePresentationApi["evaluateDcqlQuery"] =
+  async (query, credentialsSdJwt) => {
+    const credentials = await sdJwtUtils.mapCredentialsToObj(credentialsSdJwt);
+    const credentialsByVct = credentials.reduce(
+      (acc, c) => {
+        acc[c.vct] = c.original_credential;
+        return acc;
+      },
+      {} as Record<string, Credential4Dcql>
+    );
+    try {
+      // Validate the query
+      const parsedQuery = DcqlQuery.parse(query);
+      DcqlQuery.validate(parsedQuery);
+      const queryResult = DcqlQuery.query(parsedQuery, credentials);
+      if (!queryResult.can_be_satisfied) {
+        throw new CredentialsNotFoundError(
+          extractFailedCredentialsDetails(queryResult)
+        );
+      }
+      return getDcqlQueryMatches(queryResult).map(([id, match]) => {
+        const purposes = queryResult.credential_sets
+          ?.filter((set) => set.matching_options?.flat().includes(id))
+          ?.map<CredentialPurpose>((credentialSet) => ({
+            description: credentialSet.purpose?.toString(),
+            required: Boolean(credentialSet.required),
+          }));
+        const matchOutput = match.valid_credentials[0]?.meta.output;
+        // The legacy SD-JWT format is still supported because `evaluateDcqlQuery`
+        // is also used when presenting the legacy 0.7.1 eID to get other credentials.
+        if (
+          matchOutput?.credential_format === "dc+sd-jwt" ||
+          (matchOutput?.credential_format === LEGACY_SD_JWT &&
+            "vct" in matchOutput)
+        ) {
+          const { vct } = matchOutput;
+          const [keyTag, credential] = credentialsByVct[vct]!;
+          const requiredDisclosures = getClaimsFromDcqlMatch(match);
+          const presentationFrame = getPresentationFrameFromDcqlMatch(
+            match,
+            parsedQuery
+          );
+          return {
+            id,
+            vct,
+            keyTag,
+            format: matchOutput.credential_format,
+            credential,
+            requiredDisclosures,
+            presentationFrame,
+            // When it is a match but no credential_sets are found, the credential is required by default
+            // See https://openid.net/specs/openid-4-verifiable-presentations-1_0.html#section-6.4.2
+            purposes: purposes ?? [{ required: true }],
+          };
+        }
+        throw new Error(
+          `Unsupported credential format: ${matchOutput?.credential_format}`
+        );
+      });
+    } catch (error) {
+      // Invalid DCQL query structure. Remap to `DcqlError` for consistency.
+      if (isValiError(error)) {
+        throw new DcqlError({
+          message: "Failed to parse the provided DCQL query",
+          code: "PARSE_ERROR",
+          cause: error.issues,
+        });
+      }
+      // Let other errors propagate so they can be caught with `err instanceof DcqlError`
+      throw error;
+    }
+  };