@pagopa/io-react-native-wallet 2.5.0 → 3.0.0

package/lib/commonjs/credential/issuance/05-authorize-access.js

@@ -1,87 +0,0 @@
-"use strict";
-
-Object.defineProperty(exports, "__esModule", {
-  value: true
-});
-exports.authorizeAccess = void 0;
-var _misc = require("../../utils/misc");
-var _dpop = require("../../utils/dpop");
-var _uuid = require("uuid");
-var _pop = require("../../utils/pop");
-var WalletInstanceAttestation = _interopRequireWildcard(require("../../wallet-instance-attestation"));
-var _types = require("./types");
-var _errors = require("../../utils/errors");
-var _logging = require("../../utils/logging");
-function _getRequireWildcardCache(nodeInterop) { if (typeof WeakMap !== "function") return null; var cacheBabelInterop = new WeakMap(); var cacheNodeInterop = new WeakMap(); return (_getRequireWildcardCache = function (nodeInterop) { return nodeInterop ? cacheNodeInterop : cacheBabelInterop; })(nodeInterop); }
-function _interopRequireWildcard(obj, nodeInterop) { if (!nodeInterop && obj && obj.__esModule) { return obj; } if (obj === null || typeof obj !== "object" && typeof obj !== "function") { return { default: obj }; } var cache = _getRequireWildcardCache(nodeInterop); if (cache && cache.has(obj)) { return cache.get(obj); } var newObj = {}; var hasPropertyDescriptor = Object.defineProperty && Object.getOwnPropertyDescriptor; for (var key in obj) { if (key !== "default" && Object.prototype.hasOwnProperty.call(obj, key)) { var desc = hasPropertyDescriptor ? Object.getOwnPropertyDescriptor(obj, key) : null; if (desc && (desc.get || desc.set)) { Object.defineProperty(newObj, key, desc); } else { newObj[key] = obj[key]; } } } newObj.default = obj; if (cache) { cache.set(obj, newObj); } return newObj; }
-/**
- * Creates and sends the DPoP Proof JWT to be presented with the authorization code to the /token endpoint of the authorization server
- * for requesting the issuance of an access token bound to the public key of the Wallet Instance contained within the DPoP.
- * This enables the Wallet Instance to request a digital credential.
- * The DPoP Proof JWT is generated according to the section 4.3 of the DPoP RFC 9449 specification.
- * @param issuerConf The issuer configuration returned by {@link evaluateIssuerTrust}
- * @param code The authorization code returned by {@link completeUserAuthorizationWithQueryMode} or {@link completeUserAuthorizationWithFormPost}
- * @param redirectUri The redirect URI which is the custom URL scheme that the Wallet Instance is registered to handle
- * @param clientId The client id returned by {@link startUserAuthorization}
- * @param codeVerifier The code verifier returned by {@link startUserAuthorization}
- * @param context.walletInstanceAttestation The Wallet Instance's attestation
- * @param context.wiaCryptoContext The Wallet Instance's crypto context
- * @param context.dPopCryptoContext The DPoP crypto context
- * @param context.appFetch (optional) fetch api implementation. Default: built-in fetch
- * @throws {ValidationFailed} if an error occurs while parsing the token response
- * @throws {IssuerResponseError} with a specific code for more context
- * @return The token response containing the access token along with the token request signed with DPoP which has to be used in the {@link obtainCredential} step.
- */
-const authorizeAccess = async (issuerConf, code, _, redirectUri, codeVerifier, context) => {
-  const {
-    appFetch = fetch,
-    walletInstanceAttestation,
-    wiaCryptoContext,
-    dPopCryptoContext
-  } = context;
-  const aud = issuerConf.openid_credential_issuer.credential_issuer;
-  const iss = WalletInstanceAttestation.decode(walletInstanceAttestation).payload.cnf.jwk.kid;
-  const tokenUrl = issuerConf.oauth_authorization_server.token_endpoint;
-  const tokenRequestSignedDPop = await (0, _dpop.createDPopToken)({
-    htm: "POST",
-    htu: tokenUrl,
-    jti: `${(0, _uuid.v4)()}`
-  }, dPopCryptoContext);
-  _logging.Logger.log(_logging.LogLevel.DEBUG, `Token request DPoP: ${tokenRequestSignedDPop}`);
-  const signedWiaPoP = await (0, _pop.createPopToken)({
-    jti: `${(0, _uuid.v4)()}`,
-    aud,
-    iss
-  }, wiaCryptoContext);
-  _logging.Logger.log(_logging.LogLevel.DEBUG, `WIA DPoP token: ${signedWiaPoP}`);
-  const requestBody = {
-    grant_type: "authorization_code",
-    code,
-    code_verifier: codeVerifier,
-    redirect_uri: redirectUri
-  };
-  const authorizationRequestFormBody = new URLSearchParams(requestBody);
-  _logging.Logger.log(_logging.LogLevel.DEBUG, `Auth form request body: ${authorizationRequestFormBody}`);
-  const tokenRes = await appFetch(tokenUrl, {
-    method: "POST",
-    headers: {
-      "Content-Type": "application/x-www-form-urlencoded",
-      DPoP: tokenRequestSignedDPop,
-      "OAuth-Client-Attestation": walletInstanceAttestation,
-      "OAuth-Client-Attestation-PoP": signedWiaPoP
-    },
-    body: authorizationRequestFormBody.toString()
-  }).then((0, _misc.hasStatusOrThrow)(200, _errors.IssuerResponseError)).then(res => res.json()).then(body => _types.TokenResponse.safeParse(body));
-  if (!tokenRes.success) {
-    _logging.Logger.log(_logging.LogLevel.ERROR, `Token Response validation failed: ${tokenRes.error.message}`);
-    throw new _errors.ValidationFailed({
-      message: "Token Response validation failed",
-      reason: tokenRes.error.message
-    });
-  }
-  return {
-    accessToken: tokenRes.data
-  };
-};
-exports.authorizeAccess = authorizeAccess;
-//# sourceMappingURL=05-authorize-access.js.map

package/lib/commonjs/credential/issuance/05-authorize-access.js.map

@@ -1 +0,0 @@
-{"version":3,"names":["_misc","require","_dpop","_uuid","_pop","WalletInstanceAttestation","_interopRequireWildcard","_types","_errors","_logging","_getRequireWildcardCache","nodeInterop","WeakMap","cacheBabelInterop","cacheNodeInterop","obj","__esModule","default","cache","has","get","newObj","hasPropertyDescriptor","Object","defineProperty","getOwnPropertyDescriptor","key","prototype","hasOwnProperty","call","desc","set","authorizeAccess","issuerConf","code","_","redirectUri","codeVerifier","context","appFetch","fetch","walletInstanceAttestation","wiaCryptoContext","dPopCryptoContext","aud","openid_credential_issuer","credential_issuer","iss","decode","payload","cnf","jwk","kid","tokenUrl","oauth_authorization_server","token_endpoint","tokenRequestSignedDPop","createDPopToken","htm","htu","jti","uuidv4","Logger","log","LogLevel","DEBUG","signedWiaPoP","createPopToken","requestBody","grant_type","code_verifier","redirect_uri","authorizationRequestFormBody","URLSearchParams","tokenRes","method","headers","DPoP","body","toString","then","hasStatusOrThrow","IssuerResponseError","res","json","TokenResponse","safeParse","success","ERROR","error","message","ValidationFailed","reason","accessToken","data","exports"],"sourceRoot":"../../../../src","sources":["credential/issuance/05-authorize-access.ts"],"mappings":";;;;;;AAAA,IAAAA,KAAA,GAAAC,OAAA;AAGA,IAAAC,KAAA,GAAAD,OAAA;AACA,IAAAE,KAAA,GAAAF,OAAA;AACA,IAAAG,IAAA,GAAAH,OAAA;AACA,IAAAI,yBAAA,GAAAC,uBAAA,CAAAL,OAAA;AAEA,IAAAM,MAAA,GAAAN,OAAA;AACA,IAAAO,OAAA,GAAAP,OAAA;AAEA,IAAAQ,QAAA,GAAAR,OAAA;AAAuD,SAAAS,yBAAAC,WAAA,eAAAC,OAAA,kCAAAC,iBAAA,OAAAD,OAAA,QAAAE,gBAAA,OAAAF,OAAA,YAAAF,wBAAA,YAAAA,CAAAC,WAAA,WAAAA,WAAA,GAAAG,gBAAA,GAAAD,iBAAA,KAAAF,WAAA;AAAA,SAAAL,wBAAAS,GAAA,EAAAJ,WAAA,SAAAA,WAAA,IAAAI,GAAA,IAAAA,GAAA,CAAAC,UAAA,WAAAD,GAAA,QAAAA,GAAA,oBAAAA,GAAA,wBAAAA,GAAA,4BAAAE,OAAA,EAAAF,GAAA,UAAAG,KAAA,GAAAR,wBAAA,CAAAC,WAAA,OAAAO,KAAA,IAAAA,KAAA,CAAAC,GAAA,CAAAJ,GAAA,YAAAG,KAAA,CAAAE,GAAA,CAAAL,GAAA,SAAAM,MAAA,WAAAC,qBAAA,GAAAC,MAAA,CAAAC,cAAA,IAAAD,MAAA,CAAAE,wBAAA,WAAAC,GAAA,IAAAX,GAAA,QAAAW,GAAA,kBAAAH,MAAA,CAAAI,SAAA,CAAAC,cAAA,CAAAC,IAAA,CAAAd,GAAA,EAAAW,GAAA,SAAAI,IAAA,GAAAR,qBAAA,GAAAC,MAAA,CAAAE,wBAAA,CAAAV,GAAA,EAAAW,GAAA,cAAAI,IAAA,KAAAA,IAAA,CAAAV,GAAA,IAAAU,IAAA,CAAAC,GAAA,KAAAR,MAAA,CAAAC,cAAA,CAAAH,MAAA,EAAAK,GAAA,EAAAI,IAAA,YAAAT,MAAA,CAAAK,GAAA,IAAAX,GAAA,CAAAW,GAAA,SAAAL,MAAA,CAAAJ,OAAA,GAAAF,GAAA,MAAAG,KAAA,IAAAA,KAAA,CAAAa,GAAA,CAAAhB,GAAA,EAAAM,MAAA,YAAAA,MAAA;AAgBvD;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACO,MAAMW,eAAgC,GAAG,MAAAA,CAC9CC,UAAU,EACVC,IAAI,EACJC,CAAC,EACDC,WAAW,EACXC,YAAY,EACZC,OAAO,KACJ;EACH,MAAM;IACJC,QAAQ,GAAGC,KAAK;IAChBC,yBAAyB;IACzBC,gBAAgB;IAChBC;EACF,CAAC,GAAGL,OAAO;EACX,MAAMM,GAAG,GAAGX,UAAU,CAACY,wBAAwB,CAACC,iBAAiB;EACjE,MAAMC,GAAG,GAAG1C,yBAAyB,CAAC2C,MAAM,CAACP,yBAAyB,CAAC,CACpEQ,OAAO,CAACC,GAAG,CAACC,GAAG,CAACC,GAAG;EAEtB,MAAMC,QAAQ,GAAGpB,UAAU,CAACqB,0BAA0B,CAACC,cAAc;EAErE,MAAMC,sBAAsB,GAAG,MAAM,IAAAC,qBAAe,EAClD;IACEC,GAAG,EAAE,MAAM;IACXC,GAAG,EAAEN,QAAQ;IACbO,GAAG,EAAG,GAAE,IAAAC,QAAM,EAAC,CAAE;EACnB,CAAC,EACDlB,iBACF,CAAC;EAEDmB,eAAM,CAACC,GAAG,CAACC,iBAAQ,CAACC,KAAK,EAAG,uBAAsBT,sBAAuB,EAAC,CAAC;EAE3E,MAAMU,YAAY,GAAG,MAAM,IAAAC,mBAAc,EACvC;IACEP,GAAG,EAAG,GAAE,IAAAC,QAAM,EAAC,CAAE,EAAC;IAClBjB,GAAG;IACHG;EACF,CAAC,EACDL,gBACF,CAAC;EAEDoB,eAAM,CAACC,GAAG,CAACC,iBAAQ,CAACC,KAAK,EAAG,mBAAkBC,YAAa,EAAC,CAAC;EAE7D,MAAME,WAAW,GAAG;IAClBC,UAAU,EAAE,oBAAoB;IAChCnC,IAAI;IACJoC,aAAa,EAAEjC,YAAY;IAC3BkC,YAAY,EAAEnC;EAChB,CAAC;EAED,MAAMoC,4BAA4B,GAAG,IAAIC,eAAe,CAACL,WAAW,CAAC;EAErEN,eAAM,CAACC,GAAG,CACRC,iBAAQ,CAACC,KAAK,EACb,2BAA0BO,4BAA6B,EAC1D,CAAC;EAED,MAAME,QAAQ,GAAG,MAAMnC,QAAQ,CAACc,QAAQ,EAAE;IACxCsB,MAAM,EAAE,MAAM;IACdC,OAAO,EAAE;MACP,cAAc,EAAE,mCAAmC;MACnDC,IAAI,EAAErB,sBAAsB;MAC5B,0BAA0B,EAAEf,yBAAyB;MACrD,8BAA8B,EAAEyB;IAClC,CAAC;IACDY,IAAI,EAAEN,4BAA4B,CAACO,QAAQ,CAAC;EAC9C,CAAC,CAAC,CACCC,IAAI,CAAC,IAAAC,sBAAgB,EAAC,GAAG,EAAEC,2BAAmB,CAAC,CAAC,CAChDF,IAAI,CAAEG,GAAG,IAAKA,GAAG,CAACC,IAAI,CAAC,CAAC,CAAC,CACzBJ,IAAI,CAAEF,IAAI,IAAKO,oBAAa,CAACC,SAAS,CAACR,IAAI,CAAC,CAAC;EAEhD,IAAI,CAACJ,QAAQ,CAACa,OAAO,EAAE;IACrBzB,eAAM,CAACC,GAAG,CACRC,iBAAQ,CAACwB,KAAK,EACb,qCAAoCd,QAAQ,CAACe,KAAK,CAACC,OAAQ,EAC9D,CAAC;IAED,MAAM,IAAIC,wBAAgB,CAAC;MACzBD,OAAO,EAAE,kCAAkC;MAC3CE,MAAM,EAAElB,QAAQ,CAACe,KAAK,CAACC;IACzB,CAAC,CAAC;EACJ;EAEA,OAAO;IAAEG,WAAW,EAAEnB,QAAQ,CAACoB;EAAK,CAAC;AACvC,CAAC;AAACC,OAAA,CAAA/D,eAAA,GAAAA,eAAA"}

package/lib/commonjs/credential/issuance/06-obtain-credential.js

@@ -1,168 +0,0 @@
-"use strict";
-
-Object.defineProperty(exports, "__esModule", {
-  value: true
-});
-exports.obtainCredential = exports.createNonceProof = void 0;
-var _ioReactNativeJwt = require("@pagopa/io-react-native-jwt");
-var _misc = require("../../utils/misc");
-var _errors = require("../../utils/errors");
-var _types = require("./types");
-var _dpop = require("../../utils/dpop");
-var _uuid = require("uuid");
-var _logging = require("../../utils/logging");
-const createNonceProof = async (nonce, issuer, audience, ctx) => {
-  const jwk = await ctx.getPublicKey();
-  return new _ioReactNativeJwt.SignJWT(ctx).setPayload({
-    nonce
-  }).setProtectedHeader({
-    typ: "openid4vci-proof+jwt",
-    jwk
-  }).setAudience(audience).setIssuer(issuer).setIssuedAt().setExpirationTime("5min").sign();
-};
-
-/**
- * Obtains the credential from the issuer.
- * The key pair of the credentialCryptoContext is used for Openid4vci proof JWT to be presented with the Access Token and the DPoP Proof JWT at the Credential Endpoint
- * of the Credential Issuer to request the issuance of a credential linked to the public key contained in the JWT proof.
- * The Openid4vci proof JWT incapsulates the nonce extracted from the token response from the {@link authorizeAccess} step.
- * The credential request is sent to the Credential Endpoint of the Credential Issuer via HTTP POST with the type of the credential, its format, the access token and the JWT proof.
- * @param issuerConf The issuer configuration returned by {@link evaluateIssuerTrust}
- * @param accessToken The access token response returned by {@link authorizeAccess}
- * @param clientId The client id returned by {@link startUserAuthorization}
- * @param credentialDefinition The credential definition of the credential to be obtained returned by {@link authorizeAccess}
- * @param context.credentialCryptoContext The crypto context used to obtain the credential
- * @param context.dPopCryptoContext The DPoP crypto context
- * @param context.appFetch (optional) fetch api implementation. Default: built-in fetch
- * @param operationType Specify the type of credential issuance (used for reissuing)
- * @returns The credential response containing the credential
- */
-exports.createNonceProof = createNonceProof;
-const obtainCredential = async (issuerConf, accessToken, clientId, credentialDefinition, context, operationType) => {
-  const {
-    credentialCryptoContext,
-    appFetch = fetch,
-    dPopCryptoContext
-  } = context;
-  const {
-    credential_configuration_id,
-    credential_identifier
-  } = credentialDefinition;
-  const credentialUrl = issuerConf.openid_credential_issuer.credential_endpoint;
-  const issuerUrl = issuerConf.oauth_authorization_server.issuer;
-  const nonceUrl = issuerConf.openid_credential_issuer.nonce_endpoint;
-
-  // Fetch the nonce from the Credential Issuer
-  const {
-    c_nonce
-  } = await appFetch(nonceUrl, {
-    method: "POST",
-    headers: {
-      "Content-Type": "application/json"
-    }
-  }).then((0, _misc.hasStatusOrThrow)(200)).then(res => res.json()).then(body => _types.NonceResponse.parse(body));
-
-  /**
-   * JWT proof token to bind the request nonce to the key that will bind the holder User with the Credential
-   * This is presented along with the access token to the Credential Endpoint as proof of possession of the private key used to sign the Access Token.
-   * @see https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html#name-proof-types
-   */
-  const signedNonceProof = await createNonceProof(c_nonce, clientId, issuerUrl, credentialCryptoContext);
-  _logging.Logger.log(_logging.LogLevel.DEBUG, `Signed nonce proof: ${signedNonceProof}`);
-
-  // Validation of accessTokenResponse.authorization_details if contain credentialDefinition
-  const containsCredentialDefinition = accessToken.authorization_details.some(c => c.credential_configuration_id === credential_configuration_id && (credential_identifier ? c.credential_identifiers.includes(credential_identifier) : true));
-  if (!containsCredentialDefinition) {
-    _logging.Logger.log(_logging.LogLevel.ERROR, `Credential definition not found in the access token response ${accessToken.authorization_details}`);
-    throw new _errors.ValidationFailed({
-      message: "The access token response does not contain the requested credential"
-    });
-  }
-
-  /**
-   * The credential request body.
-   * We accept both `credential_identifier` (recommended) and `credential_configuration_id`
-   * when the Authorization Server does not support `credential_identifier`.
-   * @see https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0-15.html#section-3.3.4
-   */
-  const credentialRequestFormBody = credential_identifier ? {
-    credential_identifier: credential_identifier,
-    proof: {
-      jwt: signedNonceProof,
-      proof_type: "jwt"
-    }
-  } : {
-    credential_configuration_id: credential_configuration_id,
-    proof: {
-      jwt: signedNonceProof,
-      proof_type: "jwt"
-    }
-  };
-  _logging.Logger.log(_logging.LogLevel.DEBUG, `Credential request body: ${JSON.stringify(credentialRequestFormBody)}`);
-  const tokenRequestSignedDPop = await (0, _dpop.createDPopToken)({
-    htm: "POST",
-    htu: credentialUrl,
-    jti: `${(0, _uuid.v4)()}`,
-    ath: await (0, _ioReactNativeJwt.sha256ToBase64)(accessToken.access_token)
-  }, dPopCryptoContext);
-  _logging.Logger.log(_logging.LogLevel.DEBUG, `Token request DPoP: ${tokenRequestSignedDPop}`);
-  const credentialRes = await appFetch(credentialUrl, {
-    method: "POST",
-    headers: {
-      "Content-Type": "application/json",
-      DPoP: tokenRequestSignedDPop,
-      Authorization: `${accessToken.token_type} ${accessToken.access_token}`,
-      ...(operationType === "reissuing" && {
-        operationType
-      })
-    },
-    body: JSON.stringify(credentialRequestFormBody)
-  }).then((0, _misc.hasStatusOrThrow)(200)).then(res => res.json()).then(body => _types.CredentialResponse.safeParse(body)).catch(handleObtainCredentialError);
-  if (!credentialRes.success) {
-    _logging.Logger.log(_logging.LogLevel.ERROR, `Credential Response validation failed: ${credentialRes.error.message}`);
-    throw new _errors.ValidationFailed({
-      message: "Credential Response validation failed",
-      reason: credentialRes.error.message
-    });
-  }
-  _logging.Logger.log(_logging.LogLevel.DEBUG, `Credential Response: ${JSON.stringify(credentialRes.data)}`);
-
-  // Extract the format corresponding to the credential_configuration_id used
-  const issuerCredentialConfig = issuerConf.openid_credential_issuer.credential_configurations_supported[credential_configuration_id];
-
-  // TODO: [SIW-2264] Handle multiple credentials
-  return {
-    credential: credentialRes.data.credentials.at(0).credential,
-    format: issuerCredentialConfig.format
-  };
-};
-
-/**
- * Handle the credential error by mapping it to a custom exception.
- * If the error is not an instance of {@link UnexpectedStatusCodeError}, it is thrown as is.
- * @param e - The error to be handled
- * @throws {IssuerResponseError} with a specific code for more context
- */
-exports.obtainCredential = obtainCredential;
-const handleObtainCredentialError = e => {
-  _logging.Logger.log(_logging.LogLevel.ERROR, `Error occurred while obtaining credential: ${e}`);
-  if (!(e instanceof _errors.UnexpectedStatusCodeError)) {
-    throw e;
-  }
-  throw new _errors.ResponseErrorBuilder(_errors.IssuerResponseError).handle(201, {
-    // Although it is technically not an error, we handle it as such to avoid
-    // changing the return type of `obtainCredential` and introduce a breaking change.
-    code: _errors.IssuerResponseErrorCodes.CredentialIssuingNotSynchronous,
-    message: "This credential cannot be issued synchronously. It will be available at a later time."
-  }).handle(403, {
-    code: _errors.IssuerResponseErrorCodes.CredentialInvalidStatus,
-    message: "Invalid status found for the given credential"
-  }).handle(404, {
-    code: _errors.IssuerResponseErrorCodes.CredentialInvalidStatus,
-    message: "Invalid status found for the given credential"
-  }).handle("*", {
-    code: _errors.IssuerResponseErrorCodes.CredentialRequestFailed,
-    message: "Unable to obtain the requested credential"
-  }).buildFrom(e);
-};
-//# sourceMappingURL=06-obtain-credential.js.map

package/lib/commonjs/credential/issuance/06-obtain-credential.js.map

@@ -1 +0,0 @@
-{"version":3,"names":["_ioReactNativeJwt","require","_misc","_errors","_types","_dpop","_uuid","_logging","createNonceProof","nonce","issuer","audience","ctx","jwk","getPublicKey","SignJWT","setPayload","setProtectedHeader","typ","setAudience","setIssuer","setIssuedAt","setExpirationTime","sign","exports","obtainCredential","issuerConf","accessToken","clientId","credentialDefinition","context","operationType","credentialCryptoContext","appFetch","fetch","dPopCryptoContext","credential_configuration_id","credential_identifier","credentialUrl","openid_credential_issuer","credential_endpoint","issuerUrl","oauth_authorization_server","nonceUrl","nonce_endpoint","c_nonce","method","headers","then","hasStatusOrThrow","res","json","body","NonceResponse","parse","signedNonceProof","Logger","log","LogLevel","DEBUG","containsCredentialDefinition","authorization_details","some","c","credential_identifiers","includes","ERROR","ValidationFailed","message","credentialRequestFormBody","proof","jwt","proof_type","JSON","stringify","tokenRequestSignedDPop","createDPopToken","htm","htu","jti","uuidv4","ath","sha256ToBase64","access_token","credentialRes","DPoP","Authorization","token_type","CredentialResponse","safeParse","catch","handleObtainCredentialError","success","error","reason","data","issuerCredentialConfig","credential_configurations_supported","credential","credentials","at","format","e","UnexpectedStatusCodeError","ResponseErrorBuilder","IssuerResponseError","handle","code","IssuerResponseErrorCodes","CredentialIssuingNotSynchronous","CredentialInvalidStatus","CredentialRequestFailed","buildFrom"],"sourceRoot":"../../../../src","sources":["credential/issuance/06-obtain-credential.ts"],"mappings":";;;;;;AAAA,IAAAA,iBAAA,GAAAC,OAAA;AAOA,IAAAC,KAAA,GAAAD,OAAA;AAEA,IAAAE,OAAA,GAAAF,OAAA;AAOA,IAAAG,MAAA,GAAAH,OAAA;AACA,IAAAI,KAAA,GAAAJ,OAAA;AACA,IAAAK,KAAA,GAAAL,OAAA;AACA,IAAAM,QAAA,GAAAN,OAAA;AAsBO,MAAMO,gBAAgB,GAAG,MAAAA,CAC9BC,KAAa,EACbC,MAAc,EACdC,QAAgB,EAChBC,GAAkB,KACE;EACpB,MAAMC,GAAG,GAAG,MAAMD,GAAG,CAACE,YAAY,CAAC,CAAC;EACpC,OAAO,IAAIC,yBAAO,CAACH,GAAG,CAAC,CACpBI,UAAU,CAAC;IACVP;EACF,CAAC,CAAC,CACDQ,kBAAkB,CAAC;IAClBC,GAAG,EAAE,sBAAsB;IAC3BL;EACF,CAAC,CAAC,CACDM,WAAW,CAACR,QAAQ,CAAC,CACrBS,SAAS,CAACV,MAAM,CAAC,CACjBW,WAAW,CAAC,CAAC,CACbC,iBAAiB,CAAC,MAAM,CAAC,CACzBC,IAAI,CAAC,CAAC;AACX,CAAC;;AAED;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAfAC,OAAA,CAAAhB,gBAAA,GAAAA,gBAAA;AAgBO,MAAMiB,gBAAkC,GAAG,MAAAA,CAChDC,UAAU,EACVC,WAAW,EACXC,QAAQ,EACRC,oBAAoB,EACpBC,OAAO,EACPC,aAAa,KACV;EACH,MAAM;IACJC,uBAAuB;IACvBC,QAAQ,GAAGC,KAAK;IAChBC;EACF,CAAC,GAAGL,OAAO;EACX,MAAM;IAAEM,2BAA2B;IAAEC;EAAsB,CAAC,GAC1DR,oBAAoB;EAEtB,MAAMS,aAAa,GAAGZ,UAAU,CAACa,wBAAwB,CAACC,mBAAmB;EAC7E,MAAMC,SAAS,GAAGf,UAAU,CAACgB,0BAA0B,CAAChC,MAAM;EAC9D,MAAMiC,QAAQ,GAAGjB,UAAU,CAACa,wBAAwB,CAACK,cAAc;;EAEnE;EACA,MAAM;IAAEC;EAAQ,CAAC,GAAG,MAAMZ,QAAQ,CAACU,QAAQ,EAAE;IAC3CG,MAAM,EAAE,MAAM;IACdC,OAAO,EAAE;MAAE,cAAc,EAAE;IAAmB;EAChD,CAAC,CAAC,CACCC,IAAI,CAAC,IAAAC,sBAAgB,EAAC,GAAG,CAAC,CAAC,CAC3BD,IAAI,CAAEE,GAAG,IAAKA,GAAG,CAACC,IAAI,CAAC,CAAC,CAAC,CACzBH,IAAI,CAAEI,IAAI,IAAKC,oBAAa,CAACC,KAAK,CAACF,IAAI,CAAC,CAAC;;EAE5C;AACF;AACA;AACA;AACA;EACE,MAAMG,gBAAgB,GAAG,MAAM/C,gBAAgB,CAC7CqC,OAAO,EACPjB,QAAQ,EACRa,SAAS,EACTT,uBACF,CAAC;EAEDwB,eAAM,CAACC,GAAG,CAACC,iBAAQ,CAACC,KAAK,EAAG,uBAAsBJ,gBAAiB,EAAC,CAAC;;EAErE;EACA,MAAMK,4BAA4B,GAAGjC,WAAW,CAACkC,qBAAqB,CAACC,IAAI,CACxEC,CAAC,IACAA,CAAC,CAAC3B,2BAA2B,KAAKA,2BAA2B,KAC5DC,qBAAqB,GAClB0B,CAAC,CAACC,sBAAsB,CAACC,QAAQ,CAAC5B,qBAAqB,CAAC,GACxD,IAAI,CACZ,CAAC;EAED,IAAI,CAACuB,4BAA4B,EAAE;IACjCJ,eAAM,CAACC,GAAG,CACRC,iBAAQ,CAACQ,KAAK,EACb,gEAA+DvC,WAAW,CAACkC,qBAAsB,EACpG,CAAC;IACD,MAAM,IAAIM,wBAAgB,CAAC;MACzBC,OAAO,EACL;IACJ,CAAC,CAAC;EACJ;;EAEA;AACF;AACA;AACA;AACA;AACA;EACE,MAAMC,yBAAyB,GAAGhC,qBAAqB,GACnD;IACEA,qBAAqB,EAAEA,qBAAqB;IAC5CiC,KAAK,EAAE;MAAEC,GAAG,EAAEhB,gBAAgB;MAAEiB,UAAU,EAAE;IAAM;EACpD,CAAC,GACD;IACEpC,2BAA2B,EAAEA,2BAA2B;IACxDkC,KAAK,EAAE;MAAEC,GAAG,EAAEhB,gBAAgB;MAAEiB,UAAU,EAAE;IAAM;EACpD,CAAC;EAELhB,eAAM,CAACC,GAAG,CACRC,iBAAQ,CAACC,KAAK,EACb,4BAA2Bc,IAAI,CAACC,SAAS,CAACL,yBAAyB,CAAE,EACxE,CAAC;EAED,MAAMM,sBAAsB,GAAG,MAAM,IAAAC,qBAAe,EAClD;IACEC,GAAG,EAAE,MAAM;IACXC,GAAG,EAAExC,aAAa;IAClByC,GAAG,EAAG,GAAE,IAAAC,QAAM,EAAC,CAAE,EAAC;IAClBC,GAAG,EAAE,MAAM,IAAAC,gCAAc,EAACvD,WAAW,CAACwD,YAAY;EACpD,CAAC,EACDhD,iBACF,CAAC;EAEDqB,eAAM,CAACC,GAAG,CAACC,iBAAQ,CAACC,KAAK,EAAG,uBAAsBgB,sBAAuB,EAAC,CAAC;EAE3E,MAAMS,aAAa,GAAG,MAAMnD,QAAQ,CAACK,aAAa,EAAE;IAClDQ,MAAM,EAAE,MAAM;IACdC,OAAO,EAAE;MACP,cAAc,EAAE,kBAAkB;MAClCsC,IAAI,EAAEV,sBAAsB;MAC5BW,aAAa,EAAG,GAAE3D,WAAW,CAAC4D,UAAW,IAAG5D,WAAW,CAACwD,YAAa,EAAC;MACtE,IAAIpD,aAAa,KAAK,WAAW,IAAI;QAAEA;MAAc,CAAC;IACxD,CAAC;IACDqB,IAAI,EAAEqB,IAAI,CAACC,SAAS,CAACL,yBAAyB;EAChD,CAAC,CAAC,CACCrB,IAAI,CAAC,IAAAC,sBAAgB,EAAC,GAAG,CAAC,CAAC,CAC3BD,IAAI,CAAEE,GAAG,IAAKA,GAAG,CAACC,IAAI,CAAC,CAAC,CAAC,CACzBH,IAAI,CAAEI,IAAI,IAAKoC,yBAAkB,CAACC,SAAS,CAACrC,IAAI,CAAC,CAAC,CAClDsC,KAAK,CAACC,2BAA2B,CAAC;EAErC,IAAI,CAACP,aAAa,CAACQ,OAAO,EAAE;IAC1BpC,eAAM,CAACC,GAAG,CACRC,iBAAQ,CAACQ,KAAK,EACb,0CAAyCkB,aAAa,CAACS,KAAK,CAACzB,OAAQ,EACxE,CAAC;IACD,MAAM,IAAID,wBAAgB,CAAC;MACzBC,OAAO,EAAE,uCAAuC;MAChD0B,MAAM,EAAEV,aAAa,CAACS,KAAK,CAACzB;IAC9B,CAAC,CAAC;EACJ;EAEAZ,eAAM,CAACC,GAAG,CACRC,iBAAQ,CAACC,KAAK,EACb,wBAAuBc,IAAI,CAACC,SAAS,CAACU,aAAa,CAACW,IAAI,CAAE,EAC7D,CAAC;;EAED;EACA,MAAMC,sBAAsB,GAC1BtE,UAAU,CAACa,wBAAwB,CAAC0D,mCAAmC,CACrE7D,2BAA2B,CAC5B;;EAEH;EACA,OAAO;IACL8D,UAAU,EAAEd,aAAa,CAACW,IAAI,CAACI,WAAW,CAACC,EAAE,CAAC,CAAC,CAAC,CAAEF,UAAU;IAC5DG,MAAM,EAAEL,sBAAsB,CAAEK;EAClC,CAAC;AACH,CAAC;;AAED;AACA;AACA;AACA;AACA;AACA;AALA7E,OAAA,CAAAC,gBAAA,GAAAA,gBAAA;AAMA,MAAMkE,2BAA2B,GAAIW,CAAU,IAAK;EAClD9C,eAAM,CAACC,GAAG,CAACC,iBAAQ,CAACQ,KAAK,EAAG,8CAA6CoC,CAAE,EAAC,CAAC;EAE7E,IAAI,EAAEA,CAAC,YAAYC,iCAAyB,CAAC,EAAE;IAC7C,MAAMD,CAAC;EACT;EAEA,MAAM,IAAIE,4BAAoB,CAACC,2BAAmB,CAAC,CAChDC,MAAM,CAAC,GAAG,EAAE;IACX;IACA;IACAC,IAAI,EAAEC,gCAAwB,CAACC,+BAA+B;IAC9DzC,OAAO,EACL;EACJ,CAAC,CAAC,CACDsC,MAAM,CAAC,GAAG,EAAE;IACXC,IAAI,EAAEC,gCAAwB,CAACE,uBAAuB;IACtD1C,OAAO,EAAE;EACX,CAAC,CAAC,CACDsC,MAAM,CAAC,GAAG,EAAE;IACXC,IAAI,EAAEC,gCAAwB,CAACE,uBAAuB;IACtD1C,OAAO,EAAE;EACX,CAAC,CAAC,CACDsC,MAAM,CAAC,GAAG,EAAE;IACXC,IAAI,EAAEC,gCAAwB,CAACG,uBAAuB;IACtD3C,OAAO,EAAE;EACX,CAAC,CAAC,CACD4C,SAAS,CAACV,CAAC,CAAC;AACjB,CAAC"}

package/lib/commonjs/credential/issuance/07-verify-and-parse-credential.js

@@ -1,388 +0,0 @@
-"use strict";
-
-Object.defineProperty(exports, "__esModule", {
-  value: true
-});
-exports.verifyAndParseCredential = void 0;
-var _errors = require("../../utils/errors");
-var _sdJwt = require("../../sd-jwt");
-var _jwk = require("../../utils/jwk");
-var _mdoc = require("../../mdoc");
-var _const = require("../../mdoc/const");
-var _logging = require("../../utils/logging");
-var _converter = require("../../mdoc/converter");
-var _core = require("@sd-jwt/core");
-var _cryptoNodejs = require("@sd-jwt/crypto-nodejs");
-var _parser = require("../../utils/parser");
-// The credential as a collection of attributes in plain value
-
-/**
- * Parse a Sd-Jwt credential according to the issuer configuration
- * @param credentialConfig - the list of supported credentials, as defined in the issuer configuration with their claims metadata
- * @param parsedCredentialRaw - the raw parsed credential
- * @param ignoreMissingAttributes - skip error when attributes declared in the issuer configuration are not found within disclosures
- * @param includeUndefinedAttributes - include attributes not explicitly declared in the issuer configuration
- * @returns The parsed credential with attributes in plain value
- */
-const parseCredentialSdJwt = function (credentialConfig, parsedCredentialRaw) {
-  let ignoreMissingAttributes = arguments.length > 2 && arguments[2] !== undefined ? arguments[2] : false;
-  let includeUndefinedAttributes = arguments.length > 3 && arguments[3] !== undefined ? arguments[3] : false;
-  const claimsMetadata = credentialConfig.claims || [];
-
-  // Check that all mandatory attributes defined in the issuer configuration are present in the credential
-  if (!ignoreMissingAttributes) {
-    const missingPaths = [];
-    const rootKeysToVerify = new Set(claimsMetadata.map(c => c.path[0]).filter(p => typeof p === "string"));
-    for (const rootKey of rootKeysToVerify) {
-      if (!(rootKey in parsedCredentialRaw)) {
-        missingPaths.push(rootKey);
-      }
-    }
-    if (missingPaths.length > 0) {
-      const missing = missingPaths.join(", ");
-      const received = Object.keys(parsedCredentialRaw).join(", ");
-      throw new _errors.IoWalletError(`Some attributes are missing in the credential. Missing: [${missing}], received: [${received}]`);
-    }
-  }
-
-  /**
-   * Helper to find display metadata for any given path
-   */
-  const getDisplayNames = path => {
-    const match = claimsMetadata.find(c => (0, _parser.isPathEqual)(c.path, path));
-    if (!match) return undefined;
-    const nameMap = {};
-    for (const entry of match.display) {
-      nameMap[entry.locale] = entry.name;
-    }
-    return nameMap;
-  };
-
-  /**
-   * Recursive function to build the localized structure
-   */
-  const processLevel = (currentData, currentPath) => {
-    // Handle Arrays
-    if (Array.isArray(currentData)) {
-      return currentData.map(item => processLevel(item, [...currentPath, null]));
-    }
-
-    // Handle Objects
-    if (typeof currentData !== "object" || currentData === null) {
-      return currentData;
-    }
-    const dataObj = currentData;
-    const result = {};
-    const processedKeys = new Set();
-
-    // Identify unique keys in config at this level
-    const configKeysAtThisLevel = [];
-    for (const claim of claimsMetadata) {
-      // Check if the claim path starts with the current path
-      if ((0, _parser.isPrefixOf)(currentPath, claim.path)) {
-        const nextPart = claim.path[currentPath.length];
-        if ((typeof nextPart === "string" || typeof nextPart === "number") && !configKeysAtThisLevel.includes(nextPart)) {
-          configKeysAtThisLevel.push(nextPart);
-        }
-      }
-    }
-
-    // Process keys
-    for (const key of configKeysAtThisLevel) {
-      const stringKey = key.toString();
-      const dataValue = dataObj[stringKey];
-      if (dataValue === undefined) continue;
-      const newPath = [...currentPath, key];
-      let localizedNames = getDisplayNames(newPath);
-
-      // Fallback for arrays
-      if (!localizedNames && Array.isArray(dataValue)) {
-        localizedNames = getDisplayNames([...newPath, null]);
-      }
-      result[stringKey] = {
-        name: localizedNames || stringKey,
-        value: processLevel(dataValue, newPath)
-      };
-      processedKeys.add(key);
-    }
-
-    // Handle Undefined Attributes
-    if (includeUndefinedAttributes) {
-      for (const [key, value] of Object.entries(dataObj)) {
-        if (!processedKeys.has(key)) {
-          result[key] = {
-            name: key,
-            value: value
-          };
-        }
-      }
-    }
-    return result;
-  };
-  return processLevel(parsedCredentialRaw, []);
-};
-const parseCredentialMDoc = function (credentialConfig, _ref) {
-  let {
-    issuerSigned
-  } = _ref;
-  let ignoreMissingAttributes = arguments.length > 2 && arguments[2] !== undefined ? arguments[2] : false;
-  let includeUndefinedAttributes = arguments.length > 3 && arguments[3] !== undefined ? arguments[3] : false;
-  if (!credentialConfig) {
-    throw new _errors.IoWalletError("Credential type not supported by the issuer");
-  }
-  if (!credentialConfig.claims) {
-    throw new _errors.IoWalletError("Missing claims in the credential subject");
-  }
-  const attrDefinitions = credentialConfig.claims.map(_ref2 => {
-    let {
-      path: [namespace, attribute],
-      display
-    } = _ref2;
-    return [namespace, attribute, display];
-  });
-  if (!issuerSigned.nameSpaces) {
-    throw new _errors.IoWalletError("Missing claims in the credential");
-  }
-  const flatNamespaces = Object.entries(issuerSigned.nameSpaces).flatMap(_ref3 => {
-    let [namespace, values] = _ref3;
-    return values.map(v => [namespace, v.elementIdentifier, v.elementValue]);
-  });
-
-  // Check that all mandatory attributes defined in the issuer configuration are present in the disclosure set
-  // and filter the non present ones
-  const attrsNotInDisclosures = attrDefinitions.filter(_ref4 => {
-    let [attrDefNamespace, attrKey] = _ref4;
-    return !flatNamespaces.some(_ref5 => {
-      let [namespace, claim] = _ref5;
-      return attrDefNamespace === namespace && attrKey === claim;
-    });
-  });
-  if (attrsNotInDisclosures.length > 0) {
-    const missing = attrsNotInDisclosures.map(_ref6 => {
-      let [, attrKey] = _ref6;
-      return attrKey;
-    }).join(", ");
-    const received = flatNamespaces.map(_ref7 => {
-      let [, attrKey] = _ref7;
-      return attrKey;
-    }).join(", ");
-    if (!ignoreMissingAttributes) {
-      throw new _errors.IoWalletError(`Some attributes are missing in the credential. Missing: [${missing}], received: [${received}]`);
-    }
-  }
-
-  // Attributes defined in the issuer configuration and present in the disclosure set
-  const definedValues = attrDefinitions
-  // Retrieve the value from the corresponding disclosure
-  .map(_ref8 => {
-    var _flatNamespaces$find;
-    let [attrDefNamespace, attrKey, display] = _ref8;
-    return [attrDefNamespace, attrKey, {
-      display,
-      value: (_flatNamespaces$find = flatNamespaces.find(_ref9 => {
-        let [namespace, name] = _ref9;
-        return attrDefNamespace === namespace && name === attrKey;
-      })) === null || _flatNamespaces$find === void 0 ? void 0 : _flatNamespaces$find[2]
-    }];
-  })
-  //filter the not found elements
-  .filter(_ref10 => {
-    let [_, __, definition] = _ref10;
-    return definition.value !== undefined;
-  })
-  // Add a human-readable attribute name, with i18n, in the form { locale: name }
-  // Example: { "it-IT": "Nome", "en-EN": "Name", "es-ES": "Nombre" }
-  .reduce((acc, _ref11) => {
-    let [attrDefNamespace, attrKey, {
-      display,
-      value
-    }] = _ref11;
-    return {
-      ...acc,
-      [(0, _mdoc.getParsedCredentialClaimKey)(attrDefNamespace, attrKey)]: {
-        value,
-        name: display.reduce((names, _ref12) => {
-          let {
-            locale,
-            name
-          } = _ref12;
-          return {
-            ...names,
-            [locale]: name
-          };
-        }, {})
-      }
-    };
-  }, {});
-  if (includeUndefinedAttributes) {
-    const undefinedValues = Object.fromEntries(Object.values(flatNamespaces).filter(_ref13 => {
-      let [namespace, key] = _ref13;
-      return !definedValues[(0, _mdoc.getParsedCredentialClaimKey)(namespace, key)];
-    }).map(_ref14 => {
-      let [namespace, key, value] = _ref14;
-      return [(0, _mdoc.getParsedCredentialClaimKey)(namespace, key), {
-        value,
-        name: key
-      }];
-    }));
-    return {
-      ...definedValues,
-      ...undefinedValues
-    };
-  }
-  return definedValues;
-};
-/**
- * Given a credential, verify it's in the supported format
- * and the credential is correctly signed
- * and it's bound to the given key
- *
- * @param rawCredential The received credential
- * @param issuerKeys The set of public keys of the issuer,
- * which will be used to verify the signature
- * @param holderBindingContext The access to the holder's key
- *
- * @throws If the signature verification fails
- * @throws If the credential is not in the SdJwt4VC format
- * @throws If the holder binding is not properly configured
- *
- */
-async function verifyCredentialSdJwt(rawCredential, issuerKeys, holderBindingContext) {
-  // TODO: change verification using sd-jwt library with 1.3.x update
-  const [decodedCredential, holderBindingKey] =
-  // parallel for optimization
-  await Promise.all([(0, _sdJwt.verify)(rawCredential, issuerKeys, _sdJwt.SdJwt4VC), holderBindingContext.getPublicKey()]);
-  const {
-    cnf
-  } = decodedCredential.sdJwt.payload;
-  if (!(await (0, _jwk.isSameThumbprint)(cnf.jwk, holderBindingKey))) {
-    const message = `Failed to verify holder binding, expected kid: ${holderBindingKey.kid}, got: ${decodedCredential.sdJwt.payload.cnf.jwk.kid}`;
-    _logging.Logger.log(_logging.LogLevel.ERROR, message);
-    throw new _errors.IoWalletError(message);
-  }
-  const sdJwtInstance = new _core.SDJwtInstance({
-    hasher: _cryptoNodejs.digest
-  });
-  return await sdJwtInstance.decode(rawCredential);
-}
-
-/**
- * Given a credential, verify it's in the supported format
- * and the credential is correctly signed
- * and it's bound to the given key
- *
- * @param rawCredential The received credential
- * @param x509CertRoot The root certificate of the issuer,
- * which will be used to verify the signature
- * @param holderBindingContext The access to the holder's key
- *
- * @throws If the signature verification fails
- * @throws If the credential is not in the SdJwt4VC format
- * @throws If the holder binding is not properly configured
- *
- */
-async function verifyCredentialMDoc(rawCredential, x509CertRoot, holderBindingContext) {
-  const [decodedCredential, holderBindingKey] =
-  // parallel for optimization
-  await Promise.all([(0, _mdoc.verify)(rawCredential, x509CertRoot), holderBindingContext.getPublicKey()]);
-  if (!decodedCredential) {
-    throw new _errors.IoWalletError("No MDOC credentials found!");
-  }
-  const key = decodedCredential.issuerSigned.issuerAuth.payload.deviceKeyInfo.deviceKey;
-  if (!(await (0, _jwk.isSameThumbprint)(key, holderBindingKey))) {
-    throw new _errors.IoWalletError(`Failed to verify holder binding, holder binding key and mDoc deviceKey don't match`);
-  }
-  return decodedCredential;
-}
-const verifyAndParseCredentialSdJwt = async (issuerConf, credential, credentialConfigurationId, _ref15) => {
-  let {
-    credentialCryptoContext,
-    ignoreMissingAttributes,
-    includeUndefinedAttributes
-  } = _ref15;
-  const decoded = await verifyCredentialSdJwt(credential, issuerConf.openid_credential_issuer.jwks.keys, credentialCryptoContext);
-  _logging.Logger.log(_logging.LogLevel.DEBUG, `Decoded credential: ${JSON.stringify(decoded)}`);
-  const credentialConfig = issuerConf.openid_credential_issuer.credential_configurations_supported[credentialConfigurationId];
-  if (!credentialConfig) {
-    _logging.Logger.log(_logging.LogLevel.ERROR, `Credential type not supported by the issuer: ${credentialConfigurationId}`);
-    throw new _errors.IoWalletError("Credential type not supported by the issuer");
-  }
-  const parsedCredentialRaw = await decoded.getClaims(_cryptoNodejs.digest);
-  const parsedCredential = parseCredentialSdJwt(credentialConfig, parsedCredentialRaw, ignoreMissingAttributes, includeUndefinedAttributes);
-  const issuedAt = typeof parsedCredentialRaw.iat === "number" ? new Date(parsedCredentialRaw.iat * 1000) : undefined;
-  if (typeof parsedCredentialRaw.exp !== "number") {
-    throw new _errors.IoWalletError("Invalid or missing expiration claim (exp)");
-  }
-  const expiration = new Date(parsedCredentialRaw.exp * 1000);
-  _logging.Logger.log(_logging.LogLevel.DEBUG, `Parsed credential: ${JSON.stringify(parsedCredential)}\nIssued at: ${issuedAt}`);
-  return {
-    parsedCredential,
-    expiration,
-    issuedAt
-  };
-};
-const verifyAndParseCredentialMDoc = async (issuerConf, credential, credentialConfigurationId, _ref16, x509CertRoot) => {
-  var _parsedCredential$get, _parsedCredential$get2;
-  let {
-    credentialCryptoContext,
-    ignoreMissingAttributes
-  } = _ref16;
-  if (!x509CertRoot) {
-    throw new _errors.IoWalletError("Missing x509CertRoot");
-  }
-  const decoded = await verifyCredentialMDoc(credential, x509CertRoot, credentialCryptoContext);
-  const credentialConfig = issuerConf.openid_credential_issuer.credential_configurations_supported[credentialConfigurationId];
-  const parsedCredential = parseCredentialMDoc(credentialConfig, decoded, ignoreMissingAttributes, ignoreMissingAttributes);
-  const expirationDate = (0, _converter.extractElementValueAsDate)(parsedCredential === null || parsedCredential === void 0 || (_parsedCredential$get = parsedCredential[(0, _mdoc.getParsedCredentialClaimKey)(_const.MDOC_DEFAULT_NAMESPACE, "expiry_date")]) === null || _parsedCredential$get === void 0 ? void 0 : _parsedCredential$get.value);
-  if (!expirationDate) {
-    throw new _errors.IoWalletError(`expirationDate must be present!!`);
-  }
-  expirationDate.setDate(expirationDate.getDate() + 1);
-  const maybeIssuedAt = (0, _converter.extractElementValueAsDate)(parsedCredential === null || parsedCredential === void 0 || (_parsedCredential$get2 = parsedCredential[(0, _mdoc.getParsedCredentialClaimKey)(_const.MDOC_DEFAULT_NAMESPACE, "issue_date")]) === null || _parsedCredential$get2 === void 0 ? void 0 : _parsedCredential$get2.value);
-  maybeIssuedAt === null || maybeIssuedAt === void 0 ? void 0 : maybeIssuedAt.setDate(maybeIssuedAt.getDate() + 1);
-  return {
-    parsedCredential,
-    credential,
-    credentialConfigurationId,
-    expiration: expirationDate,
-    issuedAt: maybeIssuedAt ?? undefined
-  };
-};
-
-/**
- * Verify and parse an encoded credential.
- * @param issuerConf The Issuer configuration returned by {@link evaluateIssuerTrust}
- * @param credential The encoded credential returned by {@link obtainCredential}
- * @param credentialConfigurationId The credential configuration ID that defines the provided credential
- * @param context.credentialCryptoContext The crypto context used to obtain the credential in {@link obtainCredential}
- * @param context.ignoreMissingAttributes Skip error when attributes declared in the issuer configuration are not found within disclosures
- * @param context.includeUndefinedAttributes Include attributes not explicitly declared in the issuer configuration
- * @returns A parsed credential with attributes in plain value, the expiration and issuance date of the credential
- * @throws {IoWalletError} If the credential signature is not verified with the Issuer key set
- * @throws {IoWalletError} If the credential is not bound to the provided user key
- * @throws {IoWalletError} If the credential data fail to parse
- */
-const verifyAndParseCredential = async (issuerConf, credential, credentialConfigurationId, context, x509CertRoot) => {
-  var _issuerConf$openid_cr;
-  const format = (_issuerConf$openid_cr = issuerConf.openid_credential_issuer.credential_configurations_supported[credentialConfigurationId]) === null || _issuerConf$openid_cr === void 0 ? void 0 : _issuerConf$openid_cr.format;
-  switch (format) {
-    case "dc+sd-jwt":
-      {
-        _logging.Logger.log(_logging.LogLevel.DEBUG, "Parsing credential in dc+sd-jwt format");
-        return verifyAndParseCredentialSdJwt(issuerConf, credential, credentialConfigurationId, context);
-      }
-    case "mso_mdoc":
-      {
-        _logging.Logger.log(_logging.LogLevel.DEBUG, "Parsing credential in mso_mdoc format");
-        return verifyAndParseCredentialMDoc(issuerConf, credential, credentialConfigurationId, context, x509CertRoot);
-      }
-    default:
-      {
-        const message = `Unsupported credential format: ${format}`;
-        _logging.Logger.log(_logging.LogLevel.ERROR, message);
-        throw new _errors.IoWalletError(message);
-      }
-  }
-};
-exports.verifyAndParseCredential = verifyAndParseCredential;
-//# sourceMappingURL=07-verify-and-parse-credential.js.map