@pagopa/io-react-native-wallet 3.0.1 → 3.1.0

package/src/trust/v1.0.0/types.ts

@@ -1,7 +1,7 @@
 import * as z from "zod";
+import { jsonWebKeySchema } from "@pagopa/io-wallet-oid-federation";
 import { JWK } from "../../utils/jwk";
 import { BaseEntityConfiguration } from "../common/types";
-import { jsonWebKeySchema } from "@openid-federation/core";
 
 const RelyingPartyMetadata = z.object({
   application_type: z.string().optional(),
@@ -65,7 +65,9 @@ const SupportedCredentialMetadata = z.intersection(
     cryptographic_binding_methods_supported: z.array(z.string()),
     credential_signing_alg_values_supported: z.array(z.string()),
     authentic_source: z.string().optional(),
-    issuance_errors_supported: z.record(IssuanceErrorSupported).optional(),
+    issuance_errors_supported: z
+      .record(z.string(), IssuanceErrorSupported)
+      .optional(),
   })
 );
 
@@ -92,6 +94,7 @@ export const CredentialIssuerEntityConfiguration = BaseEntityConfiguration.and(
           status_attestation_endpoint: z.string(),
           display: z.array(CredentialIssuerDisplayMetadata),
           credential_configurations_supported: z.record(
+            z.string(),
             SupportedCredentialMetadata
           ),
           jwks: z.object({ keys: z.array(JWK) }),
@@ -157,7 +160,7 @@ export const WalletProviderEntityConfiguration = BaseEntityConfiguration.and(
             ),
             jwks: z.object({ keys: z.array(JWK) }),
           })
-          .passthrough(),
+          .loose(),
       }),
     }),
   })
@@ -165,14 +168,11 @@ export const WalletProviderEntityConfiguration = BaseEntityConfiguration.and(
 
 // Maps any entity configuration by the union of every possible shapes
 export type EntityConfiguration = z.infer<typeof EntityConfiguration>;
-export const EntityConfiguration = z.union(
-  [
+export const EntityConfiguration = z
+  .union([
     WalletProviderEntityConfiguration,
     CredentialIssuerEntityConfiguration,
     TrustAnchorEntityConfiguration,
     RelyingPartyEntityConfiguration,
-  ],
-  {
-    description: "Any kind of Entity Configuration allowed in the ecosystem",
-  }
-);
+  ])
+  .describe("Any kind of Entity Configuration allowed in the ecosystem");

package/src/trust/v1.3.3/types.ts

@@ -56,13 +56,10 @@ export const WalletProviderEntityConfiguration = BaseEntityConfiguration.and(
 
 // Maps any entity configuration by the union of every possible shapes
 export type EntityConfiguration = z.infer<typeof EntityConfiguration>;
-export const EntityConfiguration = z.union(
-  [
+export const EntityConfiguration = z
+  .union([
     WalletProviderEntityConfiguration,
     CredentialIssuerEntityConfiguration,
     RelyingPartyEntityConfiguration,
-  ],
-  {
-    description: "Any kind of Entity Configuration allowed in the ecosystem",
-  }
-);
+  ])
+  .describe("Any kind of Entity Configuration allowed in the ecosystem");

package/src/utils/callbacks.ts

@@ -12,6 +12,12 @@ type PartialCallbackContext = Omit<
   "signJwt" | "clientAuthentication"
 >;
 
+// Fix incompatibility between ArrayBuffer types
+type DigestFixed = (
+  data: string | ArrayBuffer | ArrayBufferView,
+  algorithm?: string
+) => Uint8Array;
+
 /**
  * Shared callbacks with React Native implementations for use
  * in IO Wallet SDK. Callbacks not found here must be provided by the caller,
@@ -19,7 +25,7 @@ type PartialCallbackContext = Omit<
  */
 export const partialCallbacks: PartialCallbackContext = {
   generateRandom: generateRandomBytes,
-  hash: digest,
+  hash: digest as DigestFixed,
   encryptJwe: async ({ publicJwk, alg, enc, kid }, data) => ({
     // @ts-expect-error `alg` and `enc` are strings, but EncryptJwe expects specific string literals
     jwe: await new EncryptJwe(data, { alg, enc, kid }).encrypt(publicJwk),

package/src/utils/crypto.ts

@@ -90,3 +90,21 @@ export const getSigninJwkFromCert = (pemCert: string): JWK => {
     "Unable to find the signing key inside the PEM certificate"
   );
 };
+
+/**
+ * Extension of the {@link CryptoContext} that adds key generation with optional key attestation.
+ *
+ * This context requires the consumer to provide an additional method for **key generation**;
+ * on Android this method should also generate a key attestation as a certificate chain
+ * to ensure the key pair is hardware-backed.
+ */
+export type KeyAttestationCryptoContext = CryptoContext & {
+  /**
+   * Generate a key pair with an **optional key attestation** (Android).
+   * @param challenge The challenge for the key attestation.
+   * @returns An object with a success flag and a key attestation, if it was generated.
+   */
+  generateKeyWithAttestation(
+    challenge: string
+  ): Promise<{ success: boolean; attestation?: string }>;
+};

package/src/utils/dpop.ts

@@ -29,7 +29,7 @@ export const createDPopToken = async (
 export type DPoPPayload = z.infer<typeof DPoPPayload>;
 export const DPoPPayload = z.object({
   jti: z.string(),
-  htm: z.union([z.literal("POST"), z.literal("GET")]),
+  htm: z.enum(["POST", "GET"]),
   htu: z.string(),
   ath: z.string().optional(),
 });

package/src/utils/jwk.ts

@@ -20,7 +20,7 @@ export const JWK = z.object({
   /** JWK "kty" (Key Type) Parameter.
    * This attribute is required to discriminate the
    * type of EC/RSA algorithm */
-  kty: z.union([z.literal("RSA"), z.literal("EC")]),
+  kty: z.enum(["RSA", "EC"]),
   n: z.string().optional(),
   p: z.string().optional(),
   q: z.string().optional(),

package/src/utils/mappers.ts

@@ -33,8 +33,8 @@ export function createMapper<I, O>(
 export function createMapper<I, O>(
   mapper: (input: I) => O,
   config?: {
-    inputSchema?: z.ZodType<I>;
-    outputSchema: z.ZodType<O>;
+    inputSchema?: z.ZodType<I, any>;
+    outputSchema: z.ZodType<O, any>;
   }
 ) {
   if (!config) {

package/src/utils/zod.ts

@@ -11,7 +11,11 @@ type Literal = z.infer<typeof literalSchema>;
 type Json = Literal | { [key: string]: Json } | Json[];
 
 const jsonSchema: z.ZodType<Json> = z.lazy(() =>
-  z.union([literalSchema, z.array(jsonSchema), z.record(jsonSchema)])
+  z.union([
+    literalSchema,
+    z.array(jsonSchema),
+    z.record(z.string(), jsonSchema),
+  ])
 );
 
 export const json = () => jsonSchema;

package/src/wallet-instance-attestation/README.md

@@ -30,16 +30,19 @@ const { WALLET_PROVIDER_BASE_URL } = env; // Let's assume env is an object conta
  * WARNING: The integrity context must be the same used when creating the Wallet Instance with the same keytag.
  */
 const wallet = new IoWallet({ version: "1.0.0" });
-const issuedAttestation = await wallet.WalletInstanceAttestation.getAttestation({
-  wiaCryptoContext,
-  integrityContext,
-  walletProviderBaseUrl: WALLET_PROVIDER_BASE_URL,
-  appFetch,
-});
-// [
-//   { type: "wallet_instance_attestation", "format": "jwt", "attestation": "ey..." },
-//   { type: "wallet_instance_attestation", "format": "dc+sd-jwt", "attestation": "ey..." }
-// ]
+const issuedAttestation = await wallet.WalletInstanceAttestation.getAttestation(
+  {
+    walletProviderBaseUrl: WALLET_PROVIDER_BASE_URL,
+    walletSolutionId: "exampleId",
+    walletSolutionVersion: "1.2.3",
+  },
+  {
+    wiaCryptoContext,
+    integrityContext,
+    appFetch,
+  }
+);
+// [{ "format": "jwt", "attestation": "ey..." }, { "format": "dc+sd-jwt", "attestation": "ey..." }]
 return issuedAttestation;
 ```
 

package/src/wallet-instance-attestation/api/index.ts

@@ -1,24 +1,31 @@
 import type { CryptoContext } from "@pagopa/io-react-native-jwt";
 import type { IntegrityContext } from "../../utils/integrity";
-import type { DecodedAttestationJwt, WalletAttestation } from "./types";
+import type {
+  DecodedWalletInstanceAttestation,
+  WalletAttestation,
+  WalletAttestationRequestParams,
+} from "./types";
 
 export interface WalletInstanceAttestationApi {
   /**
    * Request a Wallet Instance Attestation (WIA) to the Wallet provider.
-   * The Wallet Attestation may be issued in different formats and components (Wallet App and Wallet Unit).
+   * The Wallet Instance Attestation may be issued in different formats.
    *
-   * @param params.wiaCryptoContext The key pair associated with the WIA. Will be use to prove the ownership of the attestation.
-   * @param params.appFetch (optional) Http client
-   * @param walletProviderBaseUrl Base url for the Wallet Provider
+   * @param requestParams Wallet Provider data for the Wallet Attestation request
+   * @param ctx.wiaCryptoContext The key pair associated with the WIA. Will be use to prove the ownership of the attestation.
+   * @param ctx.integrityContext The hardware key pair associated with the Wallet Instance
+   * @param ctx.appFetch (optional) Http client
    * @returns The retrieved Wallet Instance Attestation tokens
    * @throws {WalletProviderResponseError} with a specific code for more context
    */
-  getAttestation(ctx: {
-    wiaCryptoContext: CryptoContext;
-    integrityContext: IntegrityContext;
-    walletProviderBaseUrl: string;
-    appFetch?: GlobalFetch["fetch"];
-  }): Promise<WalletAttestation[]>;
+  getAttestation(
+    requestParams: WalletAttestationRequestParams,
+    ctx: {
+      wiaCryptoContext: CryptoContext;
+      integrityContext: IntegrityContext;
+      appFetch?: GlobalFetch["fetch"];
+    }
+  ): Promise<WalletAttestation[]>;
 
   /**
    * Decode a given JWT to get the parsed Wallet Instance Attestation object they define.
@@ -32,7 +39,7 @@ export interface WalletInstanceAttestationApi {
    * @throws A decoding error if the token doesn't resolve in a valid JWT
    * @throws A validation error if the provided data doesn't result in a valid Wallet Instance Attestation
    */
-  decode(token: string): DecodedAttestationJwt;
+  decode(token: string): DecodedWalletInstanceAttestation;
 
   /**
    * Verify a given JWT to get the parsed Wallet Instance Attestation object they define.
@@ -44,5 +51,5 @@ export interface WalletInstanceAttestationApi {
    * @throws A validation error if the provided data doesn't result in a valid Wallet Instance Attestation
    * @throws Invalid signature error if the token signature is not valid
    */
-  verify(token: string): Promise<DecodedAttestationJwt>;
+  verify(token: string): Promise<DecodedWalletInstanceAttestation>;
 }

package/src/wallet-instance-attestation/api/types.ts

@@ -3,23 +3,35 @@ import { UnixTime } from "../../utils/zod";
 import { JWK } from "../../utils/jwk";
 
 /**
- * Common Wallet Attestation shape. This object is
+ * Common Wallet Instance Attestation shape. This object is
  * an abstraction over the version-specific JWTs.
  */
-export type DecodedAttestationJwt = z.infer<typeof DecodedAttestationJwt>;
-export const DecodedAttestationJwt = z.object({
+export type DecodedWalletInstanceAttestation = z.infer<
+  typeof DecodedWalletInstanceAttestation
+>;
+export const DecodedWalletInstanceAttestation = z.object({
   iss: z.string(),
   iat: UnixTime,
   exp: UnixTime,
   cnf: z.object({ jwk: JWK }),
   sub: z.string(),
+  wallet_provider_name: z.string().optional(),
+  wallet_solution_id: z.string().optional(),
+  /** @deprecated */
   wallet_link: z.string().optional(),
+  /** @deprecated */
   wallet_name: z.string().optional(),
+  /** @deprecated */
   aal: z.string().optional(),
 });
 
 export type WalletAttestation = {
-  type: "wallet_instance_attestation" | "wallet_unit_attestation";
   format: string;
   attestation: string;
 };
+
+export type WalletAttestationRequestParams = {
+  walletProviderBaseUrl: string;
+  walletSolutionId: string;
+  walletSolutionVersion: string;
+};

package/src/wallet-instance-attestation/v1.0.0/index.ts

@@ -2,10 +2,10 @@ import type { WalletInstanceAttestationApi } from "../api";
 import { withMapper, withMapperAsync } from "../../utils/mappers";
 import { getAttestation } from "./issuing";
 import { decode, verify } from "./utils";
-import { mapToDecodedAttestationJwt } from "./mappers";
+import { mapToDecodedWalletInstanceAttestation } from "./mappers";
 
 export const WalletInstanceAttestation: WalletInstanceAttestationApi = {
   getAttestation,
-  decode: withMapper(mapToDecodedAttestationJwt, decode),
-  verify: withMapperAsync(mapToDecodedAttestationJwt, verify),
+  decode: withMapper(mapToDecodedWalletInstanceAttestation, decode),
+  verify: withMapperAsync(mapToDecodedWalletInstanceAttestation, verify),
 };

package/src/wallet-instance-attestation/v1.0.0/issuing.ts

@@ -69,14 +69,12 @@ async function getAttestationRequest(
 }
 
 export const getAttestation: WalletInstanceAttestationApi["getAttestation"] =
-  async ({
-    wiaCryptoContext,
-    integrityContext,
-    walletProviderBaseUrl,
-    appFetch = fetch,
-  }) => {
+  async (
+    requestParams,
+    { wiaCryptoContext, integrityContext, appFetch = fetch }
+  ) => {
     const api = getWalletProviderClient({
-      walletProviderBaseUrl,
+      walletProviderBaseUrl: requestParams.walletProviderBaseUrl,
       appFetch,
     });
 
@@ -86,7 +84,7 @@ export const getAttestation: WalletInstanceAttestationApi["getAttestation"] =
       .then((response) => response.nonce);
     Logger.log(
       LogLevel.DEBUG,
-      `Challenge obtained from ${walletProviderBaseUrl}: ${challenge} `
+      `Challenge obtained from ${requestParams.walletProviderBaseUrl}: ${challenge} `
     );
 
     // 2. Get a signed attestation request
@@ -94,7 +92,7 @@ export const getAttestation: WalletInstanceAttestationApi["getAttestation"] =
       challenge,
       wiaCryptoContext,
       integrityContext,
-      walletProviderBaseUrl
+      requestParams.walletProviderBaseUrl
     );
     Logger.log(
       LogLevel.DEBUG,

package/src/wallet-instance-attestation/v1.0.0/mappers.ts

@@ -1,15 +1,18 @@
 import { createMapper } from "../../utils/mappers";
-import { DecodedAttestationJwt, type WalletAttestation } from "../api/types";
+import {
+  DecodedWalletInstanceAttestation,
+  type WalletAttestation,
+} from "../api/types";
 import {
   WalletAttestationResponse,
   WalletInstanceAttestationJwt,
 } from "./types";
 
-export const mapToDecodedAttestationJwt = createMapper<
+export const mapToDecodedWalletInstanceAttestation = createMapper<
   WalletInstanceAttestationJwt,
-  DecodedAttestationJwt
+  DecodedWalletInstanceAttestation
 >((x) => x.payload, {
-  outputSchema: DecodedAttestationJwt,
+  outputSchema: DecodedWalletInstanceAttestation,
 });
 
 export const mapToWalletAttestations = createMapper<
@@ -17,7 +20,6 @@ export const mapToWalletAttestations = createMapper<
   WalletAttestation[]
 >((x) =>
   x.wallet_attestations.map((wa) => ({
-    type: "wallet_instance_attestation",
     format: wa.format,
     attestation: wa.wallet_attestation,
   }))

package/src/wallet-instance-attestation/v1.3.3/index.ts

@@ -1,13 +1,11 @@
-import { UnimplementedFeatureError } from "../../utils/errors";
+import { withMapper, withMapperAsync } from "../../utils/mappers";
 import type { WalletInstanceAttestationApi } from "../api";
 import { getAttestation } from "./issuing";
+import { decode, verify } from "./utils";
+import { mapToDecodedWalletInstanceAttestation } from "./mappers";
 
 export const WalletInstanceAttestation: WalletInstanceAttestationApi = {
   getAttestation,
-  decode: () => {
-    throw new UnimplementedFeatureError("decode", "1.3.3");
-  },
-  verify: () => {
-    throw new UnimplementedFeatureError("verify", "1.3.3");
-  },
+  decode: withMapper(mapToDecodedWalletInstanceAttestation, decode),
+  verify: withMapperAsync(mapToDecodedWalletInstanceAttestation, verify),
 };

package/src/wallet-instance-attestation/v1.3.3/issuing.ts

@@ -1,7 +1,111 @@
-import { UnimplementedFeatureError } from "../../utils/errors";
+import { Platform } from "react-native";
+import {
+  thumbprint,
+  type CryptoContext,
+  SignJWT,
+} from "@pagopa/io-react-native-jwt";
+import type { IntegrityContext } from "../../utils/integrity";
+import { LogLevel, Logger } from "../../utils/logging";
+import { fixBase64EncodingOnKey, JWK } from "../../utils/jwk";
+import { getWalletProviderClient } from "../../client";
+import type { WalletAttestationRequestParams } from "../api/types";
 import type { WalletInstanceAttestationApi } from "../api";
+import { WalletInstanceAttestationResponse } from "./types";
+
+async function getAttestationRequest(
+  {
+    challenge,
+    walletSolutionId,
+    walletSolutionVersion,
+  }: WalletAttestationRequestParams & { challenge: string },
+  wiaCryptoContext: CryptoContext,
+  integrityContext: IntegrityContext
+): Promise<string> {
+  const jwk = await wiaCryptoContext.getPublicKey();
+  const parsedJwk = JWK.parse(jwk);
+  const keyThumbprint = await thumbprint(parsedJwk);
+  const publicKey = { ...parsedJwk, kid: keyThumbprint };
+
+  const clientData = {
+    challenge,
+    jwk_thumbprint: keyThumbprint,
+  };
+
+  const hardwareKeyTag = integrityContext.getHardwareKeyTag();
+  const { signature, authenticatorData } =
+    await integrityContext.getHardwareSignatureWithAuthData(
+      JSON.stringify(clientData)
+    );
+
+  return new SignJWT(wiaCryptoContext)
+    .setPayload({
+      iss: hardwareKeyTag,
+      nonce: challenge,
+      platform: Platform.OS,
+      hardware_signature: signature,
+      integrity_assertion: authenticatorData,
+      hardware_key_tag: hardwareKeyTag,
+      wallet_solution_id: walletSolutionId,
+      wallet_solution_version: walletSolutionVersion,
+      cnf: {
+        jwk: fixBase64EncodingOnKey(publicKey),
+      },
+    })
+    .setProtectedHeader({
+      kid: publicKey.kid,
+      typ: "wia-request+jwt",
+    })
+    .setIssuedAt()
+    .setExpirationTime("1h")
+    .sign();
+}
 
 export const getAttestation: WalletInstanceAttestationApi["getAttestation"] =
-  () => {
-    throw new UnimplementedFeatureError("getAttestation", "1.3.3");
+  async (
+    requestParams,
+    { wiaCryptoContext, integrityContext, appFetch = fetch }
+  ) => {
+    const api = getWalletProviderClient({
+      walletProviderBaseUrl: requestParams.walletProviderBaseUrl,
+      appFetch,
+    });
+
+    const challenge = await api
+      .get("/nonce")
+      .then((response) => response.nonce);
+    Logger.log(
+      LogLevel.DEBUG,
+      `Challenge obtained from ${requestParams.walletProviderBaseUrl}: ${challenge} `
+    );
+
+    const signedAttestationRequest = await getAttestationRequest(
+      { challenge, ...requestParams },
+      wiaCryptoContext,
+      integrityContext
+    );
+    Logger.log(
+      LogLevel.DEBUG,
+      `Signed attestation request: ${signedAttestationRequest}`
+    );
+
+    const response = await api
+      .post("/wallet-instance-attestations", {
+        header: {
+          "Content-Type": "text/plain",
+        },
+        body: signedAttestationRequest,
+      })
+      .then(WalletInstanceAttestationResponse.parse);
+
+    Logger.log(
+      LogLevel.DEBUG,
+      `Obtained Wallet Instance Attestation in jwt format: ${response.wallet_instance_attestation}`
+    );
+
+    return [
+      {
+        format: "jwt",
+        attestation: response.wallet_instance_attestation,
+      },
+    ];
   };

package/src/wallet-instance-attestation/v1.3.3/mappers.ts

@@ -0,0 +1,18 @@
+import { createMapper } from "../../utils/mappers";
+import { DecodedWalletInstanceAttestation } from "../api/types";
+import { WalletInstanceAttestationJwt } from "./types";
+
+export const mapToDecodedWalletInstanceAttestation = createMapper<
+  WalletInstanceAttestationJwt,
+  DecodedWalletInstanceAttestation
+>(
+  ({ payload }) => {
+    const { eudi_wallet_info, ...rest } = payload;
+    return {
+      ...rest,
+      wallet_provider_name: eudi_wallet_info.general_info.wallet_provider_name,
+      wallet_solution_id: eudi_wallet_info.general_info.wallet_solution_id,
+    };
+  },
+  { outputSchema: DecodedWalletInstanceAttestation }
+);

package/src/wallet-instance-attestation/v1.3.3/types.ts

@@ -1,16 +1,10 @@
 import * as z from "zod";
-import { JWK } from "../../utils/jwk";
 import { Jwt } from "../common/types";
 
-const Status = z.object({
-  status_list: z.object({
-    idx: z.number(),
-    uri: z.string(),
-  }),
-});
-
-export type WalletAppAttestationJwt = z.infer<typeof WalletAppAttestationJwt>;
-export const WalletAppAttestationJwt = z.object({
+export type WalletInstanceAttestationJwt = z.infer<
+  typeof WalletInstanceAttestationJwt
+>;
+export const WalletInstanceAttestationJwt = z.object({
   header: z.intersection(
     Jwt.shape.header,
     z.object({
@@ -21,28 +15,20 @@ export const WalletAppAttestationJwt = z.object({
     Jwt.shape.payload,
     z.object({
       sub: z.string(),
-      wallet_link: z.string().optional(),
-      wallet_name: z.string().optional(),
-      status: Status.optional(),
+      eudi_wallet_info: z.object({
+        general_info: z.object({
+          wallet_provider_name: z.string(),
+          wallet_solution_id: z.string(),
+          wallet_solution_version: z.string(),
+        }),
+      }),
     })
   ),
 });
 
-export type WalletUnitAttestationJwt = z.infer<typeof WalletUnitAttestationJwt>;
-export const WalletUnitAttestationJwt = z.object({
-  header: z.intersection(
-    Jwt.shape.header,
-    z.object({
-      typ: z.literal("key-attestation+jwt"),
-    })
-  ),
-  payload: z.intersection(
-    Jwt.shape.payload,
-    z.object({
-      attested_keys: z.array(JWK),
-      user_authentication: z.array(z.string()),
-      key_storage: z.array(z.string()),
-      status: Status,
-    })
-  ),
+export type WalletInstanceAttestationResponse = z.infer<
+  typeof WalletInstanceAttestationResponse
+>;
+export const WalletInstanceAttestationResponse = z.object({
+  wallet_instance_attestation: z.string(),
 });

package/src/wallet-instance-attestation/v1.3.3/utils.ts

@@ -0,0 +1,35 @@
+import { WalletInstanceAttestationJwt } from "./types";
+import {
+  decode as decodeJwt,
+  verify as verifyJwt,
+} from "@pagopa/io-react-native-jwt";
+
+/**
+ * Decode a given JWT to get the parsed Wallet Instance Attestation object they define.
+ * It ensures provided data is in a valid shape.
+ *
+ * It DOES NOT verify token signature nor check disclosures are correctly referenced by the JWT.
+ * Use {@link verify} instead
+ */
+export function decode(token: string): WalletInstanceAttestationJwt {
+  const decodedJwt = decodeJwt(token);
+  return WalletInstanceAttestationJwt.parse({
+    header: decodedJwt.protectedHeader,
+    payload: decodedJwt.payload,
+  });
+}
+
+/**
+ * Verify a given JWT to get the parsed Wallet Instance Attestation object they define.
+ * Same as {@link decode} plus token signature verification
+ */
+export async function verify(
+  token: string
+): Promise<WalletInstanceAttestationJwt> {
+  const decoded = decode(token);
+  const pubKey = decoded.payload.cnf.jwk;
+
+  await verifyJwt(token, pubKey);
+
+  return decoded;
+}