@pagopa/io-react-native-wallet 3.1.1 → 3.2.0

package/src/credential/issuance/v1.3.3/05-obtain-credential.ts

@@ -1,11 +1,15 @@
 import { type CryptoContext, SignJWT } from "@pagopa/io-react-native-jwt";
-import { createTokenDPoP } from "@pagopa/io-wallet-oauth2";
+import {
+  createTokenDPoP,
+  type CallbackContext,
+  type JwtSignerJwk,
+} from "@pagopa/io-wallet-oauth2";
 import {
   fetchCredentialResponse,
   createCredentialRequest,
 } from "@pagopa/io-wallet-oid4vci";
 import { UnexpectedStatusCodeError as SdkUnexpectedStatusCodeError } from "@pagopa/io-wallet-utils";
-import { hasStatusOrThrow } from "../../../utils/misc";
+import { hasStatusOrThrow, type Out } from "../../../utils/misc";
 import {
   IoWalletError,
   IssuerResponseError,
@@ -16,108 +20,99 @@ import {
 import { LogLevel, Logger } from "../../../utils/logging";
 import { sdkConfigV1_3 } from "../../../utils/config";
 import { partialCallbacks } from "../../../utils/callbacks";
-import type { IssuanceApi } from "../api";
+import type { IssuanceApi, IssuerConfig } from "../api";
 import { NonceResponse } from "./types";
+import type { AuthorizeAccessApi } from "../api/04-authorize-access";
 
-export const createNonceProof = async (
-  nonce: string,
-  issuer: string,
-  audience: string,
-  ctx: CryptoContext
-): Promise<string> => {
-  const jwk = await ctx.getPublicKey();
-  return new SignJWT(ctx)
-    .setPayload({
-      nonce,
-    })
-    .setProtectedHeader({
-      typ: "openid4vci-proof+jwt",
-      jwk,
-    })
-    .setAudience(audience)
-    .setIssuer(issuer)
-    .setIssuedAt()
-    .setExpirationTime("5min")
-    .sign();
+type CreateRequestParams = {
+  clientId: string;
+  credentialIdentifier: string;
+  accessToken: Out<AuthorizeAccessApi["authorizeAccess"]>["accessToken"];
+  issuerConf: IssuerConfig;
+  dPopCryptoContext: CryptoContext;
+  credentialCryptoContexts: CryptoContext[];
+  keyAttestationJwt: string;
+  appFetch?: GlobalFetch["fetch"];
 };
 
-export const obtainCredential: IssuanceApi["obtainCredential"] = async (
+/**
+ * Helper to create a credential request and fetch it from the issuer.
+ *
+ * When multiple keys are provided as {@link CryptoContext}, a batch is requested.
+ *
+ * @returns The raw credential response
+ */
+export const requestCredentials = async ({
   issuerConf,
   accessToken,
+  credentialIdentifier,
   clientId,
-  credentialDefinition,
-  context
-) => {
-  const {
-    credentialCryptoContext,
-    dPopCryptoContext,
-    walletUnitAttestation,
-    appFetch = fetch,
-  } = context;
-  if (!walletUnitAttestation) {
-    throw new ValidationFailed({
-      message:
-        "The Wallet Unit Attestation is required to obtain the credential",
-    });
-  }
-
-  const { credential_configuration_id, credential_identifier } =
-    credentialDefinition;
-
-  // Fetch the nonce from the Credential Issuer
+  keyAttestationJwt,
+  credentialCryptoContexts,
+  dPopCryptoContext,
+  appFetch = fetch,
+}: CreateRequestParams) => {
   const { c_nonce } = await appFetch(issuerConf.nonce_endpoint, {
     method: "POST",
     headers: { "Content-Type": "application/json" },
   })
     .then(hasStatusOrThrow(200))
     .then((res) => res.json())
-    .then((body) => NonceResponse.parse(body));
+    .then(NonceResponse.parse);
 
-  // Validation of accessTokenResponse.authorization_details if contain credentialDefinition
-  const containsCredentialDefinition = accessToken.authorization_details.some(
-    (c) =>
-      c.credential_configuration_id === credential_configuration_id &&
-      (credential_identifier
-        ? c.credential_identifiers.includes(credential_identifier)
-        : true)
+  const keys = await Promise.all(
+    credentialCryptoContexts.map(async (ctx) => {
+      const publicJwk = await ctx.getPublicKey();
+      return { publicJwk, cryptoContext: ctx };
+    })
   );
 
-  if (!containsCredentialDefinition) {
-    Logger.log(
-      LogLevel.ERROR,
-      `Credential definition not found in the access token response ${accessToken.authorization_details}`
-    );
-    throw new ValidationFailed({
-      message:
-        "The access token response does not contain the requested credential",
-    });
-  }
+  const signJwt: CallbackContext["signJwt"] = async (
+    jwtSigner,
+    { header, payload }
+  ) => {
+    if (jwtSigner.method !== "jwk") {
+      throw new IoWalletError(`Unsupported signer method: ${jwtSigner.method}`);
+    }
+
+    const { cryptoContext } =
+      keys.find(({ publicJwk }) => publicJwk.kid === jwtSigner.publicJwk.kid) ??
+      {};
+
+    if (!cryptoContext) {
+      throw new IoWalletError(
+        `Could not find CryptoContext for key ${jwtSigner.publicJwk.kid}`
+      );
+    }
+
+    return {
+      jwt: await new SignJWT(cryptoContext)
+        .setProtectedHeader(header)
+        .setPayload(payload)
+        .sign(),
+      signerJwk: jwtSigner.publicJwk,
+    };
+  };
 
-  const signerJwk = await credentialCryptoContext.getPublicKey();
+  const signers = keys.map<JwtSignerJwk>(({ publicJwk }) => ({
+    alg: "ES256",
+    method: "jwk",
+    publicJwk,
+  }));
 
   const credentialRequest = await createCredentialRequest({
     config: sdkConfigV1_3,
     callbacks: {
       hash: partialCallbacks.hash,
-      signJwt: async (_, payload) => ({
-        jwt: await new SignJWT(credentialCryptoContext)
-          .setPayload(payload)
-          .sign(),
-        signerJwk,
-      }),
+      signJwt,
     },
     clientId,
-    credential_identifier: credentialDefinition.credential_identifier!,
+    credential_identifier: credentialIdentifier,
     issuerIdentifier: issuerConf.credential_issuer,
+    maxBatchSize: issuerConf.credential_issuance_batch_size,
     nonce: c_nonce,
-    keyAttestation: walletUnitAttestation,
-    signers: [
-      {
-        alg: "ES256",
-        method: "jwk",
-        publicJwk: signerJwk,
-      },
-    ],
+    keyAttestation: keyAttestationJwt,
+    signers,
   });
 
   const dPopSignerJwk = await dPopCryptoContext.getPublicKey();
@@ -127,7 +122,7 @@ export const obtainCredential: IssuanceApi["obtainCredential"] = async (
       ...partialCallbacks,
       signJwt: async (_, payload) => ({
         jwt: await new SignJWT(dPopCryptoContext).setPayload(payload).sign(),
-        signerJwk,
+        signerJwk: dPopSignerJwk,
       }),
     },
     signer: {
@@ -142,7 +137,7 @@ export const obtainCredential: IssuanceApi["obtainCredential"] = async (
     accessToken: accessToken.access_token,
   });
 
-  const credentialRes = await fetchCredentialResponse({
+  return await fetchCredentialResponse({
     callbacks: {
       fetch: appFetch,
     },
@@ -151,6 +146,61 @@ export const obtainCredential: IssuanceApi["obtainCredential"] = async (
     accessToken: accessToken.access_token,
     dPoP: credentialDPoP.jwt,
   }).catch(handleObtainCredentialError);
+};
+
+export const obtainCredential: IssuanceApi["obtainCredential"] = async (
+  issuerConf,
+  accessToken,
+  clientId,
+  credentialDefinition,
+  context
+) => {
+  const {
+    credentialCryptoContext,
+    dPopCryptoContext,
+    walletUnitAttestation,
+    appFetch = fetch,
+  } = context;
+  if (!walletUnitAttestation) {
+    throw new ValidationFailed({
+      message:
+        "The Wallet Unit Attestation is required to obtain the credential",
+    });
+  }
+
+  const { credential_configuration_id, credential_identifier } =
+    credentialDefinition;
+
+  // Validation of accessTokenResponse.authorization_details if contain credentialDefinition
+  const containsCredentialDefinition = accessToken.authorization_details.some(
+    (c) =>
+      c.credential_configuration_id === credential_configuration_id &&
+      (credential_identifier
+        ? c.credential_identifiers.includes(credential_identifier)
+        : true)
+  );
+
+  if (!containsCredentialDefinition) {
+    Logger.log(
+      LogLevel.ERROR,
+      `Credential definition not found in the access token response ${accessToken.authorization_details}`
+    );
+    throw new ValidationFailed({
+      message:
+        "The access token response does not contain the requested credential",
+    });
+  }
+
+  const credentialRes = await requestCredentials({
+    issuerConf,
+    accessToken,
+    clientId,
+    credentialCryptoContexts: [credentialCryptoContext],
+    credentialIdentifier: credential_identifier!,
+    dPopCryptoContext,
+    keyAttestationJwt: walletUnitAttestation,
+    appFetch,
+  });
 
   Logger.log(
     LogLevel.DEBUG,
@@ -172,6 +222,51 @@ export const obtainCredential: IssuanceApi["obtainCredential"] = async (
   };
 };
 
+export const obtainCredentialsBatch: IssuanceApi["obtainCredentialsBatch"] =
+  async (issuerConf, accessToken, clientId, credentialDefinition, context) => {
+    const {
+      credentialCryptoContexts,
+      dPopCryptoContext,
+      walletUnitAttestation,
+      appFetch = fetch,
+    } = context;
+    if (!walletUnitAttestation) {
+      throw new ValidationFailed({
+        message:
+          "The Wallet Unit Attestation is required to obtain the credential",
+      });
+    }
+
+    const { credential_configuration_id, credential_identifier } =
+      credentialDefinition;
+
+    const credentialRes = await requestCredentials({
+      issuerConf,
+      accessToken,
+      clientId,
+      credentialCryptoContexts,
+      credentialIdentifier: credential_identifier,
+      dPopCryptoContext,
+      keyAttestationJwt: walletUnitAttestation,
+      appFetch,
+    });
+
+    // Extract the format corresponding to the credential_configuration_id used
+    const issuerCredentialConfig =
+      issuerConf.credential_configurations_supported[
+        credential_configuration_id
+      ];
+
+    if ("transaction_id" in credentialRes) {
+      throw new IoWalletError("Deferred issuance is not currently supported");
+    }
+
+    return credentialRes.credentials.map(({ credential }) => ({
+      credential,
+      format: issuerCredentialConfig!.format,
+    }));
+  };
+
 /**
  * Handle the credential error by mapping it to a custom exception.
  * If the error is not an instance of {@link SdkUnexpectedStatusCodeError}, it is thrown as is.

package/src/credential/issuance/v1.3.3/index.ts

@@ -9,7 +9,10 @@ import {
   getRequestedCredentialToBePresented,
 } from "./03-complete-user-authorization";
 import { authorizeAccess } from "./04-authorize-access";
-import { obtainCredential } from "./05-obtain-credential";
+import {
+  obtainCredential,
+  obtainCredentialsBatch,
+} from "./05-obtain-credential";
 import { verifyAndParseCredential } from "./06-verify-and-parse-credential";
 import { MRTDPoP } from "../mrtd-pop";
 
@@ -23,6 +26,7 @@ export const Issuance: IssuanceApi = {
   completeUserAuthorizationWithFormPostJwtMode,
   authorizeAccess,
   obtainCredential,
+  obtainCredentialsBatch,
   verifyAndParseCredential,
   MRTDPoP,
 };

package/src/credential/presentation/api/04-verify-certificate-chain.ts

@@ -3,7 +3,14 @@ import type { CertificateValidationResult } from "@pagopa/io-react-native-crypto
 export interface VerifyAuthRequestCertificateChainApi {
   /**
    * Verify the X.509 certificate chain in the Request Object `x5c` header claim.
-   * @since 1.0.0
+   *
+   * **Note:** the method is optional and might not be present in the interface. Always check for its presence before calling it.
+   * @example
+   * if (RemotePresentation.verifyAuthRequestCertificateChain) {
+   *   RemotePresentation.verifyAuthRequestCertificateChain(requestObjectJwt, { caRootCert })
+   * }
+   *
+   * @since 1.3.3
    *
    * @param requestObjectJwt The Request Object in JWT format
    * @param params.caRootCert The CA root certificate used to validate the chain
@@ -11,7 +18,7 @@ export interface VerifyAuthRequestCertificateChainApi {
    * @throws {MissingX509CertsError} if the Request Object does not contain x5c
    * @throws {X509ValidationError} if the certificate chain validation fails
    */
-  verifyAuthRequestCertificateChain(
+  verifyAuthRequestCertificateChain?(
     requestObjectJwt: string,
     params: {
       caRootCert: string;

package/src/credential/presentation/api/05-verify-request-object.ts

@@ -8,7 +8,7 @@ export interface VerifyRequestObjectApi {
    *
    * @param requestObjectEncodedJwt The Request Object in JWT format
    * @param params.clientId The client ID to verify
-   * @param params.rpConf The Entity Configuration of the Relying Party
+   * @param params.rpConf Optional Relying Party configuration (OpenID Federation clients only)
    * @param params.state Optional state
    * @returns The verified Request Object
    * @throws {InvalidRequestObjectError} if the Request Object cannot be validated
@@ -17,7 +17,7 @@ export interface VerifyRequestObjectApi {
     requestObjectEncodedJwt: string,
     params: {
       clientId: string;
-      rpConf: RelyingPartyConfig;
+      rpConf?: RelyingPartyConfig;
       state?: string;
     }
   ): Promise<{ requestObject: RequestObject }>;

package/src/credential/presentation/api/07-send-authorization-response.ts

@@ -38,14 +38,14 @@ export interface SendAuthorizationResponseApi {
    *
    * @param requestObject The request details, including presentation requirements.
    * @param remotePresentation The presentations to send, each with their VP token
-   * @param rpConf The Relying Party common configuration
+   * @param rpConf Optional Relying Party configuration (OpenID Federation clients only)
    * @param context Contains optional custom fetch implementation.
    * @returns Parsed and validated authorization response from the Relying Party.
    */
   sendAuthorizationResponse(
     requestObject: RequestObject,
     remotePresentation: RemotePresentation,
-    rpConf: RelyingPartyConfig,
+    rpConf?: RelyingPartyConfig,
     context?: FetchContext
   ): Promise<AuthorizationResponse>;
 

package/src/credential/presentation/api/types.ts

@@ -1,5 +1,6 @@
 import * as z from "zod";
 import type { CryptoContext } from "@pagopa/io-react-native-jwt";
+import type { jsonWebKeySet } from "@pagopa/io-wallet-oid-federation";
 import type { SupportedSdJwtLegacyFormat } from "../../../sd-jwt/types";
 
 export type PresentationParams = z.infer<typeof PresentationParams>;
@@ -68,6 +69,18 @@ export type RemotePresentationDetails = {
   vpToken: string;
 };
 
+type ClientMetadata = {
+  jwks: jsonWebKeySet;
+  encrypted_response_enc_values_supported: string[];
+  client_id: string;
+  client_name: string;
+  logo_uri: string;
+  application_type: "web";
+  request_uris: string[];
+  response_uris: string[];
+  vp_formats_supported: Record<string, { "sd-jwt_alg_values"?: string[] }>;
+};
+
 /**
  * Common Request Object type, decoupled from specific IT-Wallet versions
  */
@@ -80,6 +93,9 @@ export type RequestObject = {
   dcql_query: Record<string, unknown>;
   response_type: "vp_token";
   response_mode: "direct_post.jwt";
+  x5c?: string[];
+  trust_chain?: string[];
+  client_metadata?: ClientMetadata;
 };
 
 /**

package/src/credential/presentation/v1.0.0/05-verify-request-object.ts

@@ -1,13 +1,20 @@
 import { decode as decodeJwt, verify } from "@pagopa/io-react-native-jwt";
 import { type z } from "zod";
 import type { RelyingPartyConfig, RemotePresentationApi } from "../api";
+import { IoWalletError } from "../../../utils/errors";
 import { InvalidRequestObjectError } from "../common/errors";
-import { RequestObjectPayload } from "./types";
+import { RawRequestObject } from "./types";
 import { mapToRequestObject } from "./mappers";
 import { getJwksFromRpConfig } from "./utils.jwks";
 
 export const verifyRequestObject: RemotePresentationApi["verifyRequestObject"] =
   async (requestObjectEncodedJwt, { clientId, rpConf, state }) => {
+    if (!rpConf) {
+      throw new IoWalletError(
+        "Relying Party Configuration is required for OpenID Federation clients"
+      );
+    }
+
     const requestObjectJwt = decodeJwt(requestObjectEncodedJwt);
 
     const pubKey = getSigPublicKey(
@@ -24,10 +31,14 @@ export const verifyRequestObject: RemotePresentationApi["verifyRequestObject"] =
       );
     }
 
-    const requestObject = validateRequestObjectShape(requestObjectJwt.payload);
+    const rawRequestObject = validateRequestObjectShape({
+      header: requestObjectJwt.protectedHeader,
+      payload: requestObjectJwt.payload,
+    });
 
     const isClientIdMatch =
-      clientId === requestObject.client_id && clientId === rpConf.subject;
+      clientId === rawRequestObject.payload.client_id &&
+      clientId === rpConf.subject;
 
     if (!isClientIdMatch) {
       throw new InvalidRequestObjectError(
@@ -35,15 +46,15 @@ export const verifyRequestObject: RemotePresentationApi["verifyRequestObject"] =
       );
     }
 
-    const isStateMatch = state ? state === requestObject.state : true;
-
-    if (!isStateMatch) {
+    if (state && state !== rawRequestObject.payload.state) {
       throw new InvalidRequestObjectError(
         "The provided state does not match the Request Object's"
       );
     }
 
-    return { requestObject: mapToRequestObject(requestObject) };
+    return {
+      requestObject: mapToRequestObject(rawRequestObject),
+    };
   };
 
 /**
@@ -53,8 +64,8 @@ export const verifyRequestObject: RemotePresentationApi["verifyRequestObject"] =
  * @returns A valid Request Object
  * @throws {InvalidRequestObjectError} when the Request Object cannot be parsed
  */
-const validateRequestObjectShape = (payload: unknown): RequestObjectPayload => {
-  const requestObjectParse = RequestObjectPayload.safeParse(payload);
+const validateRequestObjectShape = (payload: unknown): RawRequestObject => {
+  const requestObjectParse = RawRequestObject.safeParse(payload);
 
   if (requestObjectParse.success) {
     return requestObjectParse.data;
@@ -97,7 +108,7 @@ const getSigPublicKey = (
  * Utility to format flattened Zod errors into a simplified string `key1: key1_error, key2: key2_error`
  */
 const formatFlattenedZodErrors = (
-  errors: z.core.$ZodFlattenedError<RequestObjectPayload>
+  errors: z.core.$ZodFlattenedError<RawRequestObject>
 ): string =>
   Object.entries(errors.fieldErrors)
     .map(([key, error]) => `${key}: ${error[0]}`)

package/src/credential/presentation/v1.0.0/07-send-authorization-response.ts

@@ -3,6 +3,7 @@ import { NoSuitableKeysFoundInEntityConfiguration } from "../common/errors";
 import { hasStatusOrThrow } from "../../../utils/misc";
 import type { JWK } from "../../../utils/jwk";
 import {
+  IoWalletError,
   RelyingPartyResponseError,
   RelyingPartyResponseErrorCodes,
   ResponseErrorBuilder,
@@ -118,6 +119,12 @@ export const sendAuthorizationResponse: RemotePresentationApi["sendAuthorization
     rpConf,
     { appFetch = fetch } = {}
   ) => {
+    if (!rpConf) {
+      throw new IoWalletError(
+        "Relying Party Configuration is required for OpenID Federation clients"
+      );
+    }
+
     const { presentations } = remotePresentation;
     // 1. Prepare the VP token as a JSON object with keys corresponding to the DCQL query credential IDs
     const requestBody = await buildDirectPostJwtBody(requestObject, rpConf, {

package/src/credential/presentation/v1.0.0/index.ts

@@ -2,7 +2,6 @@ import type { RemotePresentationApi } from "../api";
 import { startFlowFromQR } from "./01-start-flow";
 import { evaluateRelyingPartyTrust } from "./02-evaluate-rp-trust";
 import { getRequestObject } from "./03-get-request-object";
-import { verifyAuthRequestCertificateChain } from "./04-verify-certificate-chain";
 import { verifyRequestObject } from "./05-verify-request-object";
 import { evaluateDcqlQuery } from "./06-evaluate-dcql-query";
 import {
@@ -15,7 +14,6 @@ export const RemotePresentation: RemotePresentationApi = {
   startFlowFromQR,
   evaluateRelyingPartyTrust,
   getRequestObject,
-  verifyAuthRequestCertificateChain,
   verifyRequestObject,
   evaluateDcqlQuery,
   prepareRemotePresentations,

package/src/credential/presentation/v1.0.0/mappers.ts

@@ -2,15 +2,15 @@ import { createMapper } from "../../../utils/mappers";
 import { RelyingPartyEntityConfiguration } from "../../../trust/v1.0.0/types";
 import type { RelyingPartyConfig } from "../api";
 import type { RequestObject } from "../api/types";
-import { RequestObjectPayload } from "./types";
+import { RawRequestObject } from "./types";
 
 export const mapToRelyingPartyConfig = createMapper<
   RelyingPartyEntityConfiguration,
   RelyingPartyConfig
->((x) => {
-  const { federation_entity, openid_credential_verifier } = x.payload.metadata;
+>(({ payload }) => {
+  const { federation_entity, openid_credential_verifier } = payload.metadata;
   return {
-    subject: x.payload.sub,
+    subject: payload.sub,
     jwks: openid_credential_verifier.jwks,
     authorization_encrypted_response_alg:
       openid_credential_verifier.authorization_encrypted_response_alg,
@@ -20,16 +20,16 @@ export const mapToRelyingPartyConfig = createMapper<
   };
 });
 
-export const mapToRequestObject = createMapper<
-  RequestObjectPayload,
-  RequestObject
->((x) => ({
-  iss: x.iss,
-  client_id: x.client_id,
-  dcql_query: x.dcql_query,
-  nonce: x.nonce,
-  response_uri: x.response_uri,
-  state: x.state,
-  response_mode: x.response_mode,
-  response_type: x.response_type,
-}));
+export const mapToRequestObject = createMapper<RawRequestObject, RequestObject>(
+  ({ header, payload }) => ({
+    iss: payload.iss,
+    client_id: payload.client_id,
+    dcql_query: payload.dcql_query,
+    nonce: payload.nonce,
+    response_uri: payload.response_uri,
+    state: payload.state,
+    response_mode: payload.response_mode,
+    response_type: payload.response_type,
+    trust_chain: header.trust_chain,
+  })
+);

package/src/credential/presentation/v1.0.0/types.ts

@@ -2,21 +2,29 @@ import * as z from "zod";
 import { UnixTime } from "../../../utils/zod";
 import { ErrorResponse } from "../api/types";
 
-export type RequestObjectPayload = z.infer<typeof RequestObjectPayload>;
-export const RequestObjectPayload = z.object({
-  iss: z.string(),
-  iat: UnixTime,
-  exp: UnixTime,
-  state: z.string(),
-  nonce: z.string(),
-  response_uri: z.string(),
-  request_uri_method: z.string().optional(),
-  response_type: z.literal("vp_token"),
-  response_mode: z.literal("direct_post.jwt"),
-  client_id: z.string(),
-  dcql_query: z.record(z.string(), z.any()), // Validation happens within the `dcql` library, no need to duplicate it here
-  scope: z.string().optional(),
-  wallet_nonce: z.string().optional(),
+export type RawRequestObject = z.infer<typeof RawRequestObject>;
+export const RawRequestObject = z.object({
+  header: z.object({
+    alg: z.string(),
+    kid: z.string(),
+    typ: z.literal("oauth-authz-req+jwt"),
+    trust_chain: z.array(z.string()).optional(),
+  }),
+  payload: z.object({
+    iss: z.string(),
+    iat: UnixTime,
+    exp: UnixTime,
+    state: z.string(),
+    nonce: z.string(),
+    response_uri: z.string(),
+    request_uri_method: z.string().optional(),
+    response_type: z.literal("vp_token"),
+    response_mode: z.literal("direct_post.jwt"),
+    client_id: z.string(),
+    dcql_query: z.record(z.string(), z.any()), // Validation happens within the `dcql` library, no need to duplicate it here
+    scope: z.string().optional(),
+    wallet_nonce: z.string().optional(),
+  }),
 });
 
 /**