npm - @pagopa/io-react-native-wallet - Versions diffs - 3.1.2 → 3.3.0 - Mend

@pagopa/io-react-native-wallet 3.1.2 → 3.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (360) hide show

package/lib/typescript/wallet-unit-attestation/v1.3.3/mappers.d.ts CHANGED Viewed

@@ -41,17 +41,6 @@ export declare const mapToDecodedWalletUnitAttestation: (input: {
                 uri: string;
             };
         };
-        eudi_wallet_info: {
-            general_info: {
-                wallet_provider_name: string;
-                wallet_solution_id: string;
-                wallet_solution_version: string;
-            };
-            key_storage_info: {
-                keys_exportable: boolean;
-                storage_type: string;
-            };
-        };
         iss: string;
         iat: number;
         exp: number;
@@ -89,17 +78,6 @@ export declare const mapToDecodedWalletUnitAttestation: (input: {
             uri: string;
         };
     };
-    eudi_wallet_info: {
-        general_info: {
-            wallet_provider_name: string;
-            wallet_solution_id: string;
-            wallet_solution_version: string;
-        };
-        key_storage_info: {
-            keys_exportable: boolean;
-            storage_type: string;
-        };
-    };
     iss: string;
     iat: number;
     exp: number;

package/lib/typescript/wallet-unit-attestation/v1.3.3/mappers.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"mappers.d.ts","sourceRoot":"","sources":["../../../../src/wallet-unit-attestation/v1.3.3/mappers.ts"],"names":[],"mappings":"AAIA,eAAO,MAAM,iCAAiC~~;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;~~CAK5C,CAAC"}
1	+ {"version":3,"file":"mappers.d.ts","sourceRoot":"","sources":["../../../../src/wallet-unit-attestation/v1.3.3/mappers.ts"],"names":[],"mappings":"AAIA,eAAO,MAAM,iCAAiC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAK5C,CAAC"}

package/lib/typescript/wallet-unit-attestation/v1.3.3/types.d.ts CHANGED Viewed

@@ -46,17 +46,6 @@ export declare const WalletUnitAttestationJwt: z.ZodObject<{
                 uri: z.ZodString;
             }, z.core.$strip>;
         }, z.core.$strip>;
-        eudi_wallet_info: z.ZodObject<{
-            general_info: z.ZodObject<{
-                wallet_provider_name: z.ZodString;
-                wallet_solution_id: z.ZodString;
-                wallet_solution_version: z.ZodString;
-            }, z.core.$strip>;
-            key_storage_info: z.ZodObject<{
-                keys_exportable: z.ZodBoolean;
-                storage_type: z.ZodString;
-            }, z.core.$strip>;
-        }, z.core.$strip>;
         iss: z.ZodString;
         iat: z.ZodNumber;
         exp: z.ZodNumber;

package/lib/typescript/wallet-unit-attestation/v1.3.3/types.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../../../src/wallet-unit-attestation/v1.3.3/types.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,CAAC,MAAM,KAAK,CAAC;AAIzB,MAAM,MAAM,wBAAwB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,wBAAwB,CAAC,CAAC;AAChF,eAAO,MAAM,wBAAwB~~;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;~~iBAQnC,CAAC;AAEH,MAAM,MAAM,6BAA6B,GAAG,CAAC,CAAC,KAAK,CACjD,OAAO,6BAA6B,CACrC,CAAC;AACF,eAAO,MAAM,6BAA6B;;iBAExC,CAAC"}
1	+ {"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../../../src/wallet-unit-attestation/v1.3.3/types.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,CAAC,MAAM,KAAK,CAAC;AAIzB,MAAM,MAAM,wBAAwB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,wBAAwB,CAAC,CAAC;AAChF,eAAO,MAAM,wBAAwB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;iBAQnC,CAAC;AAEH,MAAM,MAAM,6BAA6B,GAAG,CAAC,CAAC,KAAK,CACjD,OAAO,6BAA6B,CACrC,CAAC;AACF,eAAO,MAAM,6BAA6B;;iBAExC,CAAC"}

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@pagopa/io-react-native-wallet",
-  "version": "3.1.2",
+  "version": "3.3.0",
   "description": "Provide data structures, helpers and API for IO Wallet",
   "main": "lib/commonjs/index",
   "module": "lib/module/index",
@@ -140,11 +140,11 @@
     ]
   },
   "dependencies": {
-    "@pagopa/io-wallet-oauth2": "1.2.1",
-    "@pagopa/io-wallet-oid4vci": "1.2.1",
-    "@pagopa/io-wallet-oid4vp": "1.2.1",
-    "@pagopa/io-wallet-oid-federation": "1.2.1",
-    "@pagopa/io-wallet-utils": "1.2.1",
+    "@pagopa/io-wallet-oauth2": "1.4.0",
+    "@pagopa/io-wallet-oid4vci": "1.4.0",
+    "@pagopa/io-wallet-oid4vp": "1.4.0",
+    "@pagopa/io-wallet-oid-federation": "1.4.0",
+    "@pagopa/io-wallet-utils": "1.4.0",
     "@sd-jwt/core": "^0.19.0",
     "@sd-jwt/crypto-nodejs": "^0.19.0",
     "@sd-jwt/jwt-status-list": "^0.19.0",

package/src/credential/issuance/README.md CHANGED Viewed

@@ -8,6 +8,8 @@ Credentials instead require a simpler authorization flow and they require other
 The supported credentials are defined in the entity configuration of the issuer which is evaluted and parsed in the `evaluateIssuerTrust` step. Available credentials are identified with a unique `credential_configuration_id`, that must be used when requesting authorization. The Authorization Server returns an array of **credential identifiers** that map to the `credential_configuration_id` provided: to obtain the credential, one of the credential identifiers (or all of them) must be requested to the credential endpoint.
+In the newest versions of IT-Wallet specifications it is mandatory that the cryptographic keys bound to each credential are stored in a WSCD and attested in a **Wallet Unit Attestation**, that must be sent to the Issuer when requesting a credential.
 ## Sequence Diagram
 ```mermaid
@@ -20,8 +22,9 @@ graph TD;
     C4.1[completeUserAuthorizationWithFormPostJwtMode]
     E4[completeUserAuthorizationWithQueryMode]
     5[authorizeAccess]
-    6[obtainCredential]
-    7[verifyAndParseCredential]
+    6[WalletUnitAttestation.getAttestation]
+    7[obtainCredential]
+    8[verifyAndParseCredential]
     credSel{Is credential an eID?}
     proofSel{Requires MRTD PoP?}
     M1[continueUserAuthorizationWithMRTDPoPChallenge]
@@ -44,6 +47,7 @@ graph TD;
     E4 --> 5
     5 --> 6
     6 --> 7
+    7 --> 8
     M1 --> M2
     M2 --> M3
@@ -92,6 +96,10 @@ When the credential is different than an eID, the flow requires the user to pres
 The expected result from the authentication process is in `form_post.jwt` format as defined in [JWT Secured Authorization Response Mode for OAuth 2.0 (JARM)](https://openid.net/specs/oauth-v2-jarm.html#name-response-mode-form_postjwt).
+## Batch issuance
+To obtain a batch of credentials the Issuance module exposes a dedicated method—`obtainCredentialsBatch`—that returns a list of credentials of the same type with different cryptographic data. For this reason the caller must generate multiple keys and attest them in a single Wallet Unit Attestation.
 ## Examples
 <details>
@@ -119,12 +127,28 @@ const { WALLET_PROVIDER_BASE_URL, WALLET_EAA_PROVIDER_BASE_URL, REDIRECT_URI } =
  * WARNING: The integrity context must be the same used when creating the Wallet Instance with the same keytag.
  */
 const walletInstanceAttestation =
-  await WalletInstanceAttestation.getAttestation({
-    wiaCryptoContext,
-    integrityContext,
-    walletProviderBaseUrl: WALLET_PROVIDER_BASE_URL,
-    appFetch,
-  });
+  await wallet.WalletInstanceAttestation.getAttestation(
+    {
+      walletProviderBaseUrl: WALLET_PROVIDER_BASE_URL,
+      walletSolutionId: "exampleId",
+      walletSolutionVersion: "1.2.3",
+    },
+    {
+      wiaCryptoContext,
+      integrityContext,
+      appFetch,
+    }
+  );
+const credentialKeyTag = uuidv4().toString();
+let walletUnitAttestation: string | undefined;
+// Obtains a Wallet Unit Attestation if supported
+if (wallet.WalletUnitAttestation.isSupported) {
+  walletUnitAttestation = await wallet.WalletUnitAttestation.getAttestation(); // See the Wallet Unit Attestation README for more details
+} else {
+  await generate(credentialKeyTag); // Let's assume this function generates a new hardware-backed key pair
+}
 const pid = {
   credential: "example",
@@ -133,9 +157,6 @@ const pid = {
   credentialType: "PersonIdentificationData";
 };
-// Create credential crypto context
-const credentialKeyTag = uuidv4().toString();
-await generate(credentialKeyTag); // Let's assume this function generates a new hardware-backed key pair
 const credentialCryptoContext = createCryptoContextFor(credentialKeyTag);
 // Evaluate issuer trust
@@ -271,12 +292,18 @@ const { WALLET_PROVIDER_BASE_URL, WALLET_EID_PROVIDER_BASE_URL, REDIRECT_URI } =
  * WARNING: The integrity context must be the same used when creating the Wallet Instance with the same keytag.
  */
 const walletInstanceAttestation =
-  await WalletInstanceAttestation.getAttestation({
-    wiaCryptoContext,
-    integrityContext,
-    walletProviderBaseUrl: WALLET_PROVIDER_BASE_URL,
-    appFetch,
-  });
+  await wallet.WalletInstanceAttestation.getAttestation(
+    {
+      walletProviderBaseUrl: WALLET_PROVIDER_BASE_URL,
+      walletSolutionId: "exampleId",
+      walletSolutionVersion: "1.2.3",
+    },
+    {
+      wiaCryptoContext,
+      integrityContext,
+      appFetch,
+    }
+  );
 const idpHit = "https://example.com"; // Let's assume this is the IDP hint

package/src/credential/issuance/api/05-obtain-credential.ts CHANGED Viewed

@@ -41,4 +41,28 @@ export interface ObtainCredentialApi {
     credential: string;
     format: CredentialFormat;
   }>;
+  /**
+   * Obtains a batch of credentials from the issuer.
+   * The batch includes the same credential format and dataset with different cryptographic data.
+   * For this reason, the function accepts a list of {@link CryptoContext}; the rest of the parameters are the same as {@link obtainCredential}.
+   * @since 1.3.3
+   *
+   * @returns The list of credentials issued in the batch.
+   */
+  obtainCredentialsBatch(
+    issuerConf: IssuerConfig,
+    accessToken: Out<AuthorizeAccessApi["authorizeAccess"]>["accessToken"],
+    clientId: string,
+    credentialDefinition: {
+      credential_configuration_id: string;
+      credential_identifier: string;
+    },
+    context: {
+      dPopCryptoContext: CryptoContext;
+      credentialCryptoContexts: CryptoContext[];
+      walletUnitAttestation?: string;
+      appFetch?: GlobalFetch["fetch"];
+    }
+  ): Promise<{ credential: string; format: CredentialFormat }[]>;
 }

package/src/credential/issuance/api/06-verify-and-parse-credential.ts CHANGED Viewed

@@ -32,6 +32,10 @@ export interface VerifyAndParseCredentialApi {
        * Include attributes that are not explicitly mapped in the issuer configuration.
        */
       includeUndefinedAttributes?: boolean;
+      /**
+       * Validate the certificate chain of the credential against the provided `x509CertRoot`.
+       */
+      validateCertificateChain?: boolean;
     },
     x509CertRoot?: string
   ): Promise<{

package/src/credential/issuance/common/02-start-user-authorization.ts CHANGED Viewed

@@ -1,3 +1,4 @@
+import { IoWalletError } from "../../../utils/errors";
 import { LogLevel, Logger } from "../../../utils/logging";
 import { AuthorizationDetail } from "../../../utils/par";
 import type { IssuerConfig } from "../api";
@@ -30,7 +31,7 @@ export const selectCredentialDefinition = (
       LogLevel.ERROR,
       `Requested credential ${credentialId} is not supported by the issuer according to its configuration ${JSON.stringify(credential_configurations_supported)}`
     );
-    throw new Error(`No credential support the type '${credentialId}'`);
+    throw new IoWalletError(`No credential support the type '${credentialId}'`);
   }
   return result;
 };
@@ -61,7 +62,7 @@ export const selectResponseMode = (
       LogLevel.ERROR,
       `${credentialIds} have incompatible response_mode: ${[...responseModeSet.values()]}`
     );
-    throw new Error(
+    throw new IoWalletError(
       "Requested credentials have incompatible response_mode and cannot be requested with the same PAR request"
     );
   }
@@ -79,7 +80,9 @@ export const selectResponseMode = (
       LogLevel.ERROR,
       `Requested response mode ${responseMode} is not supported by the issuer according to its configuration ${JSON.stringify(responseModeSupported)}`
     );
-    throw new Error(`No response mode support for IDs '${credentialIds}'`);
+    throw new IoWalletError(
+      `No response mode support for IDs '${credentialIds}'`
+    );
   }
   return responseMode!;

package/src/credential/issuance/common/06-verify-and-parse-credential.sdjwt.ts CHANGED Viewed

@@ -1,16 +1,18 @@
 import {
-  getJwkFromHeader,
   type CryptoContext,
-  decode,
+  verify as verifyJwt,
 } from "@pagopa/io-react-native-jwt";
 import { type SDJwt, SDJwtInstance } from "@sd-jwt/core";
-import { digest, ES256 } from "@sd-jwt/crypto-nodejs";
+import { digest } from "@sd-jwt/crypto-nodejs";
+import type { Verifier } from "@sd-jwt/types";
 import { isPathEqual, isPrefixOf } from "../../../utils/parser";
 import { IoWalletError } from "../../../utils/errors";
 import { LogLevel, Logger } from "../../../utils/logging";
 import { isSameThumbprint, type JWK } from "../../../utils/jwk";
 import type { SdJwt4VCBase } from "../../../sd-jwt/types";
 import { fixLegacyCredentialSdJwt } from "../../../utils/credentials";
+import { verifyX509Chain } from "../../../utils/x509";
+import { MissingX509CertsError } from "../../../trust/common/errors";
 import type { IssuanceApi, IssuerConfig, ParsedCredential } from "../api";
 type CredentialConf =
@@ -151,6 +153,27 @@ const parseCredentialSdJwt = (
   return processLevel(parsedCredentialRaw, []) as ParsedCredential;
 };
+/**
+ * JWT verifier implementing the interface expected by the SD-JWT library.
+ * Verification is delegated to `io-react-native-jwt` to leverage its support for multiple algorithms.
+ * @returns Boolean indicating whether the verification succeeded or not
+ */
+const sdJwtInstanceVerifier: Verifier<{ issuerKeys: JWK[] }> = async (
+  data,
+  signature,
+  options
+) => {
+  if (!options?.issuerKeys) {
+    return false;
+  }
+  try {
+    await verifyJwt(`${data}.${signature}`, options.issuerKeys);
+    return true;
+  } catch {
+    return false;
+  }
+};
 /**
  * Given a credential, verify it's in the supported format
  * and the credential is correctly signed
@@ -171,16 +194,13 @@ async function verifyCredentialSdJwt(
   issuerKeys: JWK[],
   holderBindingContext: CryptoContext
 ): Promise<SDJwt> {
-  const { protectedHeader } = decode(rawCredential);
-  const verifierJwk = getJwkFromHeader(protectedHeader, issuerKeys);
   const sdJwtInstance = new SDJwtInstance({
     hasher: digest,
-    verifier: await ES256.getVerifier(verifierJwk),
+    verifier: sdJwtInstanceVerifier,
   });
   const [verifiedCredential, holderBindingKey] = await Promise.all([
-    sdJwtInstance.verify(rawCredential),
+    sdJwtInstance.verify(rawCredential, { issuerKeys }),
     holderBindingContext.getPublicKey(),
   ]);
@@ -203,7 +223,9 @@ export const verifyAndParseCredentialSdJwt: IssuanceApi["verifyAndParseCredentia
       credentialCryptoContext,
       ignoreMissingAttributes,
       includeUndefinedAttributes,
-    }
+      validateCertificateChain,
+    },
+    x509CertRoot
   ) => {
     const decoded = await verifyCredentialSdJwt(
       credential,
@@ -216,6 +238,17 @@ export const verifyAndParseCredentialSdJwt: IssuanceApi["verifyAndParseCredentia
       `Decoded credential: ${JSON.stringify(decoded)}`
     );
+    if (validateCertificateChain) {
+      if (!x509CertRoot) {
+        throw new IoWalletError("Missing x509CertRoot");
+      }
+      const x5c = decoded.jwt?.header?.x5c as string[] | undefined;
+      if (!x5c || !Array.isArray(x5c) || x5c.length === 0) {
+        throw new MissingX509CertsError("Missing x509 certificates");
+      }
+      await verifyX509Chain(x5c, x509CertRoot);
+    }
     const credentialConfig =
       issuerConf.credential_configurations_supported[credentialConfigurationId];

package/src/credential/issuance/mrtd-pop/02-init-challenge.ts CHANGED Viewed

@@ -1,61 +1,85 @@
-import { v4 as uuidv4 } from "uuid";
-import { fetchMrtdPopInit } from "@pagopa/io-wallet-oauth2";
-import { UnexpectedStatusCodeError as SdkUnexpectedStatusCodeError } from "@pagopa/io-wallet-utils";
-import { createPopToken } from "../../../utils/pop";
+import {
+  createClientAttestationPopJwt,
+  fetchMrtdPopInit,
+} from "@pagopa/io-wallet-oauth2";
+import {
+  IoWalletSdkConfig,
+  UnexpectedStatusCodeError as SdkUnexpectedStatusCodeError,
+} from "@pagopa/io-wallet-utils";
 import { Logger, LogLevel } from "../../../utils/logging";
-import * as WalletInstanceAttestation from "../../../wallet-instance-attestation/v1.0.0/utils"; // TODO: decouple from version 1.0.0
 import {
   IssuerResponseError,
   IssuerResponseErrorCodes,
   ResponseErrorBuilder,
 } from "../../../utils/errors";
 import type { MRTDPoPApi } from "../api/mrtd-pop";
-import { createVerifyJwtFromJwks } from "../../../utils/callbacks";
+import {
+  createSignJwtFromCryptoContext,
+  createVerifyJwtFromJwks,
+  partialCallbacks,
+} from "../../../utils/callbacks";
-export const initChallenge: MRTDPoPApi["initChallenge"] = async (
-  issuerConf,
-  initUrl,
-  mrtd_auth_session,
-  mrtd_pop_jwt_nonce,
-  context
-) => {
-  const {
-    appFetch = fetch,
-    walletInstanceAttestation,
-    wiaCryptoContext,
-  } = context;
+type Config = {
+  sdkConfig: IoWalletSdkConfig;
+};
-  const iss = WalletInstanceAttestation.decode(walletInstanceAttestation)
-    .payload.cnf.jwk.kid;
+/**
+ * Factory function to create `initChallenge` for MRTD PoP flow.
+ * The factory is needed to inject version specific SDK configuration.
+ * @param config Configuration object containing the IO Wallet SDK configuration
+ * @returns `initChallenge` function compliant with the public API
+ */
+export function createInitChallenge(
+  config: Config
+): MRTDPoPApi["initChallenge"] {
+  return async function initChallenge(
+    issuerConf,
+    initUrl,
+    mrtd_auth_session,
+    mrtd_pop_jwt_nonce,
+    context
+  ) {
+    const {
+      appFetch = fetch,
+      walletInstanceAttestation,
+      wiaCryptoContext,
+    } = context;
-  const signedWiaPoP = await createPopToken(
-    {
-      jti: uuidv4(),
-      aud: issuerConf.credential_issuer,
-      iss,
-    },
-    wiaCryptoContext
-  );
+    const clientAttestationDPoP = await createClientAttestationPopJwt({
+      config: config.sdkConfig,
+      callbacks: {
+        generateRandom: partialCallbacks.generateRandom,
+        signJwt: createSignJwtFromCryptoContext(wiaCryptoContext),
+      },
+      clientAttestation: walletInstanceAttestation,
+      authorizationServer: issuerConf.credential_issuer,
+      signer: {
+        method: "jwk",
+        alg: "ES256",
+        publicJwk: await wiaCryptoContext.getPublicKey(),
+      },
+    });
-  const initResult = await fetchMrtdPopInit({
-    popInitEndpoint: initUrl,
-    mrtdAuthSession: mrtd_auth_session,
-    mrtdPopJwtNonce: mrtd_pop_jwt_nonce,
-    walletAttestation: walletInstanceAttestation,
-    clientAttestationDPoP: signedWiaPoP,
-    callbacks: {
-      verifyJwt: createVerifyJwtFromJwks(issuerConf.keys),
-      fetch: appFetch,
-    },
-  }).catch(handleInitChallengeError);
+    const initResult = await fetchMrtdPopInit({
+      popInitEndpoint: initUrl,
+      mrtdAuthSession: mrtd_auth_session,
+      mrtdPopJwtNonce: mrtd_pop_jwt_nonce,
+      walletAttestation: walletInstanceAttestation,
+      clientAttestationDPoP,
+      callbacks: {
+        verifyJwt: createVerifyJwtFromJwks(issuerConf.keys),
+        fetch: appFetch,
+      },
+    }).catch(handleInitChallengeError);
-  return {
-    challenge: initResult.challenge,
-    mrtd_pop_nonce: initResult.mrtdPopNonce,
-    pop_verify_endpoint: initResult.popVerifyEndpoint,
-    mrz: initResult.mrz,
+    return {
+      challenge: initResult.challenge,
+      mrtd_pop_nonce: initResult.mrtdPopNonce,
+      pop_verify_endpoint: initResult.popVerifyEndpoint,
+      mrz: initResult.mrz,
+    };
   };
-};
+}
 const handleInitChallengeError = (e: unknown) => {
   Logger.log(LogLevel.ERROR, `Failed to get MRTD challenge: ${e}`);

package/src/credential/issuance/mrtd-pop/03-validate-challenge.ts CHANGED Viewed

@@ -1,76 +1,98 @@
 import { SignJWT } from "@pagopa/io-react-native-jwt";
-import { fetchMrtdPopVerify } from "@pagopa/io-wallet-oauth2";
-import { v4 as uuidv4 } from "uuid";
-import { createPopToken } from "../../../utils/pop";
-import * as WalletInstanceAttestation from "../../../wallet-instance-attestation/v1.0.0/utils"; // TODO: decouple from 1.0.0 version
+import {
+  createClientAttestationPopJwt,
+  fetchMrtdPopVerify,
+} from "@pagopa/io-wallet-oauth2";
+import type { IoWalletSdkConfig } from "@pagopa/io-wallet-utils";
 import { sdkUnexpectedStatusCodeToIssuerError } from "../../../utils/errors";
-import { partialCallbacks } from "../../../utils/callbacks";
+import {
+  createSignJwtFromCryptoContext,
+  partialCallbacks,
+} from "../../../utils/callbacks";
 import type { MRTDPoPApi } from "../api/mrtd-pop";
-export const validateChallenge: MRTDPoPApi["validateChallenge"] = async (
-  issuerConf,
-  verifyUrl,
-  mrtd_auth_session,
-  mrtd_pop_nonce,
-  mrtd,
-  ias,
-  context
-) => {
-  const {
-    appFetch = fetch,
-    walletInstanceAttestation,
-    wiaCryptoContext,
-  } = context;
+type Config = {
+  sdkConfig: IoWalletSdkConfig;
+};
+/**
+ * Factory function to create `validateChallenge` for MRTD PoP flow.
+ * The factory is needed to inject version specific SDK configuration.
+ * @param config Configuration object containing the IO Wallet SDK configuration
+ * @returns `validateChallenge` function compliant with the public API
+ */
+export function createValidateChallenge(
+  config: Config
+): MRTDPoPApi["validateChallenge"] {
+  return async function validateChallenge(
+    issuerConf,
+    verifyUrl,
+    mrtd_auth_session,
+    mrtd_pop_nonce,
+    mrtd,
+    ias,
+    context
+  ) {
+    const {
+      appFetch = fetch,
+      walletInstanceAttestation,
+      wiaCryptoContext,
+    } = context;
-  const aud = issuerConf.credential_issuer;
-  const iss = WalletInstanceAttestation.decode(walletInstanceAttestation)
-    .payload.cnf.jwk.kid;
+    const aud = issuerConf.credential_issuer;
-  const signedWiaPoP = await createPopToken(
-    {
-      jti: uuidv4(),
-      aud,
-      iss,
-    },
-    wiaCryptoContext
-  );
+    const wiaPublicJwk = await wiaCryptoContext.getPublicKey();
-  const { kid } = await wiaCryptoContext.getPublicKey();
+    const clientAttestationDPoP = await createClientAttestationPopJwt({
+      config: config.sdkConfig,
+      callbacks: {
+        generateRandom: partialCallbacks.generateRandom,
+        signJwt: createSignJwtFromCryptoContext(wiaCryptoContext),
+      },
+      clientAttestation: walletInstanceAttestation,
+      authorizationServer: aud,
+      signer: {
+        method: "jwk",
+        alg: "ES256",
+        publicJwk: wiaPublicJwk,
+      },
+    });
-  const mrtdValidationJwt = await new SignJWT(wiaCryptoContext)
-    .setProtectedHeader({
-      typ: "mrtd-ias+jwt",
-      kid,
-    })
-    .setPayload({
-      iss,
-      aud,
-      document_type: "cie",
-      mrtd,
-      ias,
-    })
-    .setIssuedAt()
-    .setExpirationTime("5m")
-    .sign();
+    const mrtdValidationJwt = await new SignJWT(wiaCryptoContext)
+      .setProtectedHeader({
+        typ: "mrtd-ias+jwt",
+        kid: wiaPublicJwk.kid,
+      })
+      .setPayload({
+        iss: wiaPublicJwk.kid,
+        aud,
+        document_type: "cie",
+        mrtd,
+        ias,
+      })
+      .setIssuedAt()
+      .setExpirationTime("5m")
+      .sign();
-  const verifyResult = await fetchMrtdPopVerify({
-    popVerifyEndpoint: verifyUrl,
-    mrtdAuthSession: mrtd_auth_session,
-    mrtdPopNonce: mrtd_pop_nonce,
-    clientAttestationDPoP: signedWiaPoP,
-    mrtdValidationJwt,
-    walletAttestation: walletInstanceAttestation,
-    callbacks: {
-      fetch: appFetch,
-      ...partialCallbacks,
-    },
-  }).catch(sdkUnexpectedStatusCodeToIssuerError);
+    const verifyResult = await fetchMrtdPopVerify({
+      popVerifyEndpoint: verifyUrl,
+      mrtdAuthSession: mrtd_auth_session,
+      mrtdPopNonce: mrtd_pop_nonce,
+      clientAttestationDPoP,
+      mrtdValidationJwt,
+      walletAttestation: walletInstanceAttestation,
+      callbacks: {
+        fetch: appFetch,
+        ...partialCallbacks,
+      },
+    }).catch(sdkUnexpectedStatusCodeToIssuerError);
-  return {
-    redirect_uri: verifyResult.redirectUri,
-    mrtd_val_pop_nonce: verifyResult.mrtdValPopNonce,
+    return {
+      redirect_uri: verifyResult.redirectUri,
+      mrtd_val_pop_nonce: verifyResult.mrtdValPopNonce,
+    };
   };
-};
+}
 export const buildChallengeCallbackUrl: MRTDPoPApi["buildChallengeCallbackUrl"] =
   async (redirectUri, valPopNonce, authSession) => {