npm - @pagopa/io-react-native-wallet - Versions diffs - 3.1.2 → 3.3.0 - Mend

@pagopa/io-react-native-wallet 3.1.2 → 3.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (360) hide show

package/src/credential/issuance/v1.3.3/06-verify-and-parse-credential.ts CHANGED Viewed

@@ -23,7 +23,8 @@ export const verifyAndParseCredential: IssuanceApi["verifyAndParseCredential"] =
           issuerConf,
           credential,
           credentialConfigurationId,
-          context
+          { validateCertificateChain: true, ...context },
+          x509CertRoot
         );
       }
       case "mso_mdoc": {

package/src/credential/issuance/v1.3.3/index.ts CHANGED Viewed

@@ -9,9 +9,12 @@ import {
   getRequestedCredentialToBePresented,
 } from "./03-complete-user-authorization";
 import { authorizeAccess } from "./04-authorize-access";
-import { obtainCredential } from "./05-obtain-credential";
+import {
+  obtainCredential,
+  obtainCredentialsBatch,
+} from "./05-obtain-credential";
 import { verifyAndParseCredential } from "./06-verify-and-parse-credential";
-import { MRTDPoP } from "../mrtd-pop";
+import { MRTDPoPv1_3 } from "../mrtd-pop";
 export const Issuance: IssuanceApi = {
   evaluateIssuerTrust,
@@ -23,6 +26,7 @@ export const Issuance: IssuanceApi = {
   completeUserAuthorizationWithFormPostJwtMode,
   authorizeAccess,
   obtainCredential,
+  obtainCredentialsBatch,
   verifyAndParseCredential,
-  MRTDPoP,
+  MRTDPoP: MRTDPoPv1_3,
 };

package/src/credential/issuance/v1.3.3/mappers.ts CHANGED Viewed

@@ -60,7 +60,10 @@ export const mapToIssuerConfig = createMapper<
       credential_configurations_supported: mapCredentialConfigurationsSupported(
         openid_credential_issuer
       ),
-      keys: openid_credential_issuer.jwks.keys as JWK[],
+      keys: [
+        ...openid_credential_issuer.jwks.keys,
+        ...oauth_authorization_server.jwks.keys,
+      ] as JWK[],
       pushed_authorization_request_endpoint:
         oauth_authorization_server.pushed_authorization_request_endpoint,
       token_endpoint: oauth_authorization_server.token_endpoint,

package/src/credential/presentation/api/04-verify-certificate-chain.ts CHANGED Viewed

@@ -3,7 +3,14 @@ import type { CertificateValidationResult } from "@pagopa/io-react-native-crypto
 export interface VerifyAuthRequestCertificateChainApi {
   /**
    * Verify the X.509 certificate chain in the Request Object `x5c` header claim.
-   * @since 1.0.0
+   *
+   * **Note:** the method is optional and might not be present in the interface. Always check for its presence before calling it.
+   * @example
+   * if (RemotePresentation.verifyAuthRequestCertificateChain) {
+   *   RemotePresentation.verifyAuthRequestCertificateChain(requestObjectJwt, { caRootCert })
+   * }
+   *
+   * @since 1.3.3
    *
    * @param requestObjectJwt The Request Object in JWT format
    * @param params.caRootCert The CA root certificate used to validate the chain
@@ -11,7 +18,7 @@ export interface VerifyAuthRequestCertificateChainApi {
    * @throws {MissingX509CertsError} if the Request Object does not contain x5c
    * @throws {X509ValidationError} if the certificate chain validation fails
    */
-  verifyAuthRequestCertificateChain(
+  verifyAuthRequestCertificateChain?(
     requestObjectJwt: string,
     params: {
       caRootCert: string;

package/src/credential/presentation/api/05-verify-request-object.ts CHANGED Viewed

@@ -8,7 +8,7 @@ export interface VerifyRequestObjectApi {
    *
    * @param requestObjectEncodedJwt The Request Object in JWT format
    * @param params.clientId The client ID to verify
-   * @param params.rpConf The Entity Configuration of the Relying Party
+   * @param params.rpConf Optional Relying Party configuration (OpenID Federation clients only)
    * @param params.state Optional state
    * @returns The verified Request Object
    * @throws {InvalidRequestObjectError} if the Request Object cannot be validated
@@ -17,7 +17,7 @@ export interface VerifyRequestObjectApi {
     requestObjectEncodedJwt: string,
     params: {
       clientId: string;
-      rpConf: RelyingPartyConfig;
+      rpConf?: RelyingPartyConfig;
       state?: string;
     }
   ): Promise<{ requestObject: RequestObject }>;

package/src/credential/presentation/api/07-send-authorization-response.ts CHANGED Viewed

@@ -38,14 +38,14 @@ export interface SendAuthorizationResponseApi {
    *
    * @param requestObject The request details, including presentation requirements.
    * @param remotePresentation The presentations to send, each with their VP token
-   * @param rpConf The Relying Party common configuration
+   * @param rpConf Optional Relying Party configuration (OpenID Federation clients only)
    * @param context Contains optional custom fetch implementation.
    * @returns Parsed and validated authorization response from the Relying Party.
    */
   sendAuthorizationResponse(
     requestObject: RequestObject,
     remotePresentation: RemotePresentation,
-    rpConf: RelyingPartyConfig,
+    rpConf?: RelyingPartyConfig,
     context?: FetchContext
   ): Promise<AuthorizationResponse>;

package/src/credential/presentation/api/types.ts CHANGED Viewed

@@ -1,5 +1,6 @@
 import * as z from "zod";
 import type { CryptoContext } from "@pagopa/io-react-native-jwt";
+import type { jsonWebKeySet } from "@pagopa/io-wallet-oid-federation";
 import type { SupportedSdJwtLegacyFormat } from "../../../sd-jwt/types";
 export type PresentationParams = z.infer<typeof PresentationParams>;
@@ -68,6 +69,18 @@ export type RemotePresentationDetails = {
   vpToken: string;
 };
+type ClientMetadata = {
+  jwks: jsonWebKeySet;
+  encrypted_response_enc_values_supported: string[];
+  client_id: string;
+  client_name: string;
+  logo_uri: string;
+  application_type: "web";
+  request_uris: string[];
+  response_uris: string[];
+  vp_formats_supported: Record<string, { "sd-jwt_alg_values"?: string[] }>;
+};
 /**
  * Common Request Object type, decoupled from specific IT-Wallet versions
  */
@@ -80,6 +93,9 @@ export type RequestObject = {
   dcql_query: Record<string, unknown>;
   response_type: "vp_token";
   response_mode: "direct_post.jwt";
+  x5c?: string[];
+  trust_chain?: string[];
+  client_metadata?: ClientMetadata;
 };
 /**

package/src/credential/presentation/{v1.3.3/utils.mdoc.ts → common/utils/mdoc.ts} RENAMED Viewed

@@ -5,8 +5,8 @@ import type {
   Credential4Dcql,
   EvaluatedDisclosure,
   PresentationFrame,
-} from "../api";
-import { getValidDcqlClaims } from "../common/utils/dcql";
+} from "../../api";
+import { getValidDcqlClaims } from "./dcql";
 type CustomDcqlMdocCredential = DcqlMdocCredential & {
   original_credential: Credential4Dcql;

package/src/credential/presentation/v1.0.0/05-verify-request-object.ts CHANGED Viewed

@@ -1,13 +1,20 @@
 import { decode as decodeJwt, verify } from "@pagopa/io-react-native-jwt";
 import { type z } from "zod";
 import type { RelyingPartyConfig, RemotePresentationApi } from "../api";
+import { IoWalletError } from "../../../utils/errors";
 import { InvalidRequestObjectError } from "../common/errors";
-import { RequestObjectPayload } from "./types";
+import { RawRequestObject } from "./types";
 import { mapToRequestObject } from "./mappers";
 import { getJwksFromRpConfig } from "./utils.jwks";
 export const verifyRequestObject: RemotePresentationApi["verifyRequestObject"] =
   async (requestObjectEncodedJwt, { clientId, rpConf, state }) => {
+    if (!rpConf) {
+      throw new IoWalletError(
+        "Relying Party Configuration is required for OpenID Federation clients"
+      );
+    }
     const requestObjectJwt = decodeJwt(requestObjectEncodedJwt);
     const pubKey = getSigPublicKey(
@@ -24,10 +31,14 @@ export const verifyRequestObject: RemotePresentationApi["verifyRequestObject"] =
       );
     }
-    const requestObject = validateRequestObjectShape(requestObjectJwt.payload);
+    const rawRequestObject = validateRequestObjectShape({
+      header: requestObjectJwt.protectedHeader,
+      payload: requestObjectJwt.payload,
+    });
     const isClientIdMatch =
-      clientId === requestObject.client_id && clientId === rpConf.subject;
+      clientId === rawRequestObject.payload.client_id &&
+      clientId === rpConf.subject;
     if (!isClientIdMatch) {
       throw new InvalidRequestObjectError(
@@ -35,15 +46,15 @@ export const verifyRequestObject: RemotePresentationApi["verifyRequestObject"] =
       );
     }
-    const isStateMatch = state ? state === requestObject.state : true;
-    if (!isStateMatch) {
+    if (state && state !== rawRequestObject.payload.state) {
       throw new InvalidRequestObjectError(
         "The provided state does not match the Request Object's"
       );
     }
-    return { requestObject: mapToRequestObject(requestObject) };
+    return {
+      requestObject: mapToRequestObject(rawRequestObject),
+    };
   };
 /**
@@ -53,8 +64,8 @@ export const verifyRequestObject: RemotePresentationApi["verifyRequestObject"] =
  * @returns A valid Request Object
  * @throws {InvalidRequestObjectError} when the Request Object cannot be parsed
  */
-const validateRequestObjectShape = (payload: unknown): RequestObjectPayload => {
-  const requestObjectParse = RequestObjectPayload.safeParse(payload);
+const validateRequestObjectShape = (payload: unknown): RawRequestObject => {
+  const requestObjectParse = RawRequestObject.safeParse(payload);
   if (requestObjectParse.success) {
     return requestObjectParse.data;
@@ -97,7 +108,7 @@ const getSigPublicKey = (
  * Utility to format flattened Zod errors into a simplified string `key1: key1_error, key2: key2_error`
  */
 const formatFlattenedZodErrors = (
-  errors: z.core.$ZodFlattenedError<RequestObjectPayload>
+  errors: z.core.$ZodFlattenedError<RawRequestObject>
 ): string =>
   Object.entries(errors.fieldErrors)
     .map(([key, error]) => `${key}: ${error[0]}`)

package/src/credential/presentation/v1.0.0/07-send-authorization-response.ts CHANGED Viewed

@@ -3,6 +3,7 @@ import { NoSuitableKeysFoundInEntityConfiguration } from "../common/errors";
 import { hasStatusOrThrow } from "../../../utils/misc";
 import type { JWK } from "../../../utils/jwk";
 import {
+  IoWalletError,
   RelyingPartyResponseError,
   RelyingPartyResponseErrorCodes,
   ResponseErrorBuilder,
@@ -118,6 +119,12 @@ export const sendAuthorizationResponse: RemotePresentationApi["sendAuthorization
     rpConf,
     { appFetch = fetch } = {}
   ) => {
+    if (!rpConf) {
+      throw new IoWalletError(
+        "Relying Party Configuration is required for OpenID Federation clients"
+      );
+    }
     const { presentations } = remotePresentation;
     // 1. Prepare the VP token as a JSON object with keys corresponding to the DCQL query credential IDs
     const requestBody = await buildDirectPostJwtBody(requestObject, rpConf, {

package/src/credential/presentation/v1.0.0/index.ts CHANGED Viewed

@@ -2,7 +2,6 @@ import type { RemotePresentationApi } from "../api";
 import { startFlowFromQR } from "./01-start-flow";
 import { evaluateRelyingPartyTrust } from "./02-evaluate-rp-trust";
 import { getRequestObject } from "./03-get-request-object";
-import { verifyAuthRequestCertificateChain } from "./04-verify-certificate-chain";
 import { verifyRequestObject } from "./05-verify-request-object";
 import { evaluateDcqlQuery } from "./06-evaluate-dcql-query";
 import {
@@ -15,7 +14,6 @@ export const RemotePresentation: RemotePresentationApi = {
   startFlowFromQR,
   evaluateRelyingPartyTrust,
   getRequestObject,
-  verifyAuthRequestCertificateChain,
   verifyRequestObject,
   evaluateDcqlQuery,
   prepareRemotePresentations,

package/src/credential/presentation/v1.0.0/mappers.ts CHANGED Viewed

@@ -2,15 +2,15 @@ import { createMapper } from "../../../utils/mappers";
 import { RelyingPartyEntityConfiguration } from "../../../trust/v1.0.0/types";
 import type { RelyingPartyConfig } from "../api";
 import type { RequestObject } from "../api/types";
-import { RequestObjectPayload } from "./types";
+import { RawRequestObject } from "./types";
 export const mapToRelyingPartyConfig = createMapper<
   RelyingPartyEntityConfiguration,
   RelyingPartyConfig
->((x) => {
-  const { federation_entity, openid_credential_verifier } = x.payload.metadata;
+>(({ payload }) => {
+  const { federation_entity, openid_credential_verifier } = payload.metadata;
   return {
-    subject: x.payload.sub,
+    subject: payload.sub,
     jwks: openid_credential_verifier.jwks,
     authorization_encrypted_response_alg:
       openid_credential_verifier.authorization_encrypted_response_alg,
@@ -20,16 +20,16 @@ export const mapToRelyingPartyConfig = createMapper<
   };
 });
-export const mapToRequestObject = createMapper<
-  RequestObjectPayload,
-  RequestObject
->((x) => ({
-  iss: x.iss,
-  client_id: x.client_id,
-  dcql_query: x.dcql_query,
-  nonce: x.nonce,
-  response_uri: x.response_uri,
-  state: x.state,
-  response_mode: x.response_mode,
-  response_type: x.response_type,
-}));
+export const mapToRequestObject = createMapper<RawRequestObject, RequestObject>(
+  ({ header, payload }) => ({
+    iss: payload.iss,
+    client_id: payload.client_id,
+    dcql_query: payload.dcql_query,
+    nonce: payload.nonce,
+    response_uri: payload.response_uri,
+    state: payload.state,
+    response_mode: payload.response_mode,
+    response_type: payload.response_type,
+    trust_chain: header.trust_chain,
+  })
+);

package/src/credential/presentation/v1.0.0/types.ts CHANGED Viewed

@@ -2,21 +2,29 @@ import * as z from "zod";
 import { UnixTime } from "../../../utils/zod";
 import { ErrorResponse } from "../api/types";
-export type RequestObjectPayload = z.infer<typeof RequestObjectPayload>;
-export const RequestObjectPayload = z.object({
-  iss: z.string(),
-  iat: UnixTime,
-  exp: UnixTime,
-  state: z.string(),
-  nonce: z.string(),
-  response_uri: z.string(),
-  request_uri_method: z.string().optional(),
-  response_type: z.literal("vp_token"),
-  response_mode: z.literal("direct_post.jwt"),
-  client_id: z.string(),
-  dcql_query: z.record(z.string(), z.any()), // Validation happens within the `dcql` library, no need to duplicate it here
-  scope: z.string().optional(),
-  wallet_nonce: z.string().optional(),
+export type RawRequestObject = z.infer<typeof RawRequestObject>;
+export const RawRequestObject = z.object({
+  header: z.object({
+    alg: z.string(),
+    kid: z.string(),
+    typ: z.literal("oauth-authz-req+jwt"),
+    trust_chain: z.array(z.string()).optional(),
+  }),
+  payload: z.object({
+    iss: z.string(),
+    iat: UnixTime,
+    exp: UnixTime,
+    state: z.string(),
+    nonce: z.string(),
+    response_uri: z.string(),
+    request_uri_method: z.string().optional(),
+    response_type: z.literal("vp_token"),
+    response_mode: z.literal("direct_post.jwt"),
+    client_id: z.string(),
+    dcql_query: z.record(z.string(), z.any()), // Validation happens within the `dcql` library, no need to duplicate it here
+    scope: z.string().optional(),
+    wallet_nonce: z.string().optional(),
+  }),
 });
 /**

package/src/credential/presentation/v1.3.3/05-verify-request-object.ts CHANGED Viewed

@@ -1,10 +1,17 @@
-import type { RemotePresentationApi } from "../api";
-import { parseAuthorizeRequest as sdkParseAuthorizeRequest } from "@pagopa/io-wallet-oid4vp";
+import type { RelyingPartyConfig, RemotePresentationApi } from "../api";
+import {
+  parseAuthorizeRequest as sdkParseAuthorizeRequest,
+  ClientIdPrefix,
+  extractClientIdPrefix,
+} from "@pagopa/io-wallet-oid4vp";
+import QuickCrypto from "react-native-quick-crypto";
 import { partialCallbacks } from "../../../utils/callbacks";
 import { sdkConfigV1_3 } from "../../../utils/config";
+import { IoWalletError } from "../../../utils/errors";
 import { InvalidRequestObjectError } from "../common/errors";
 import { mapSdkRequestObjectError } from "./sdkErrorMapper";
 import { mapToRequestObject } from "./mappers";
+import type { RawRequestObject } from "./types";
 export const verifyRequestObject: RemotePresentationApi["verifyRequestObject"] =
   async (requestObjectEncodedJwt, { clientId, rpConf }) => {
@@ -16,18 +23,64 @@ export const verifyRequestObject: RemotePresentationApi["verifyRequestObject"] =
       },
     }).catch(mapSdkRequestObjectError);
-    const payload = parsedRequestObject.payload;
+    const rawRequestObject = parsedRequestObject as RawRequestObject;
-    const isClientIdMatch =
-      clientId === payload.client_id && clientId === rpConf.subject;
+    const clientIdPrefix = extractClientIdPrefix(clientId);
-    if (!isClientIdMatch) {
-      throw new InvalidRequestObjectError(
-        "Client ID does not match Request Object or Entity Configuration"
-      );
+    if (clientIdPrefix === ClientIdPrefix.X509_HASH) {
+      validateX509HashClient(rawRequestObject.header.x5c, clientId);
+    }
+    if (
+      clientIdPrefix === ClientIdPrefix.OPENID_FEDERATION ||
+      clientIdPrefix === ClientIdPrefix.NONE
+    ) {
+      validateOpenIDFederationClient(rawRequestObject, clientId, rpConf);
     }
     return {
-      requestObject: mapToRequestObject(payload),
+      requestObject: mapToRequestObject(rawRequestObject),
     };
   };
+const validateOpenIDFederationClient = (
+  requestObject: RawRequestObject,
+  clientId: string,
+  rpConf: RelyingPartyConfig | undefined
+) => {
+  if (!rpConf) {
+    throw new IoWalletError(
+      "Relying Party Configuration is required for OpenID Federation clients"
+    );
+  }
+  const isClientIdMatch =
+    clientId === requestObject.payload.client_id &&
+    stripOpenIdFederationPrefix(clientId) === rpConf.subject;
+  if (!isClientIdMatch) {
+    throw new InvalidRequestObjectError(
+      "Client ID does not match Request Object or Entity Configuration"
+    );
+  }
+};
+const validateX509HashClient = (
+  certificateChain: string[],
+  clientId: string
+) => {
+  const [, x509Hash] = clientId.split(":");
+  const calculatedHash = QuickCrypto.createHash("sha-256")
+    .update(certificateChain[0]!, "base64")
+    .digest("base64url");
+  if (x509Hash !== calculatedHash) {
+    throw new InvalidRequestObjectError(
+      "x509_hash does not match the hash of the x5c leaf certificate"
+    );
+  }
+};
+const stripOpenIdFederationPrefix = (clientId: string) =>
+  clientId.replace("openid_federation:", "");

package/src/credential/presentation/v1.3.3/06-evaluate-dcql-query.ts CHANGED Viewed

@@ -2,13 +2,13 @@ import { DcqlQuery, DcqlError } from "dcql";
 import { isValiError } from "valibot";
 import { CredentialsNotFoundError } from "../common/errors";
 import type { CredentialPurpose } from "../api/06-evaluate-dcql-query";
-import * as mdocUtils from "./utils.mdoc";
-import type { Credential4Dcql, RemotePresentationApi } from "../api";
 import * as sdJwtUtils from "../common/utils/sd-jwt";
-import { getClaimsFromDcqlMatch } from "./utils.mdoc";
+import * as mdocUtils from "../common/utils/mdoc";
+import type { Credential4Dcql, RemotePresentationApi } from "../api";
 import {
   extractFailedCredentialsDetails,
   getDcqlQueryMatches,
+  getClaimsFromDcqlMatch,
   getPresentationFrameFromDcqlMatch,
 } from "../common/utils/dcql";

package/src/credential/presentation/v1.3.3/07-send-authorization-response.ts CHANGED Viewed

@@ -101,14 +101,23 @@ export const sendAuthorizationResponse: RemotePresentationApi["sendAuthorization
     { appFetch = fetch } = {}
   ) => {
     try {
-      const { presentations } = remotePresentation;
+      if (!rpConf && !requestObject.client_metadata) {
+        throw new IoWalletError(
+          "At least one of rpConf or requestObject.client_metadata must be provided to send the authorization response"
+        );
+      }
+      // When the RP is not an OpenID Federation client, rpConf will be undefined
+      // so the keys are taken from the Request Object's client_metadata.
       const rpJwks = {
-        jwks: rpConf.jwks,
+        jwks: rpConf?.jwks ?? requestObject.client_metadata!.jwks,
         encrypted_response_enc_values_supported:
-          rpConf.encrypted_response_enc_values_supported,
+          rpConf?.encrypted_response_enc_values_supported ??
+          requestObject.client_metadata!
+            .encrypted_response_enc_values_supported,
       };
-      const vp_token = presentations.reduce(
+      const vp_token = remotePresentation.presentations.reduce(
         (acc, p) => {
           (acc[p.credentialId] ??= []).push(p.vpToken);
           return acc;

package/src/credential/presentation/v1.3.3/mappers.ts CHANGED Viewed

@@ -2,16 +2,16 @@ import { RelyingPartyEntityConfiguration } from "../../../trust/v1.3.3/types";
 import { createMapper } from "../../../utils/mappers";
 import type { RelyingPartyConfig } from "../api/RelyingPartyConfig";
 import type { RequestObject } from "../api/types";
-import { RequestObjectPayload } from "./types";
+import { RawRequestObject } from "./types";
 export const mapToRelyingPartyConfig = createMapper<
   RelyingPartyEntityConfiguration,
   RelyingPartyConfig
->((x) => {
-  const { federation_entity, openid_credential_verifier } = x.payload.metadata;
+>(({ payload }) => {
+  const { federation_entity, openid_credential_verifier } = payload.metadata;
   return {
-    subject: x.payload.sub,
+    subject: payload.sub,
     jwks: openid_credential_verifier.jwks,
     federation_entity,
     encrypted_response_enc_values_supported:
@@ -19,16 +19,18 @@ export const mapToRelyingPartyConfig = createMapper<
   };
 });
-export const mapToRequestObject = createMapper<
-  RequestObjectPayload,
-  RequestObject
->((x) => ({
-  iss: x.iss,
-  client_id: x.client_id,
-  dcql_query: x.dcql_query,
-  nonce: x.nonce,
-  response_uri: x.response_uri,
-  state: x.state,
-  response_mode: x.response_mode,
-  response_type: x.response_type,
-}));
+export const mapToRequestObject = createMapper<RawRequestObject, RequestObject>(
+  ({ payload, header }) => ({
+    iss: payload.iss,
+    client_id: payload.client_id,
+    dcql_query: payload.dcql_query,
+    nonce: payload.nonce,
+    response_uri: payload.response_uri,
+    state: payload.state,
+    response_mode: payload.response_mode,
+    response_type: payload.response_type,
+    client_metadata: payload.client_metadata,
+    x5c: header.x5c,
+    trust_chain: header.trust_chain,
+  })
+);

package/src/credential/presentation/v1.3.3/types.ts CHANGED Viewed

@@ -1,8 +1,14 @@
 import * as z from "zod";
-import { zOpenid4vpAuthorizationRequestPayload as sdkRequestObjectPayload } from "@pagopa/io-wallet-oid4vp";
+import {
+  zOpenid4vpAuthorizationRequestHeaderV1_3,
+  zOpenid4vpAuthorizationRequestPayload,
+} from "@pagopa/io-wallet-oid4vp";
-export type RequestObjectPayload = z.infer<typeof sdkRequestObjectPayload>;
-export const RequestObjectPayload = sdkRequestObjectPayload;
+export type RawRequestObject = z.infer<typeof RawRequestObject>;
+export const RawRequestObject = z.object({
+  header: zOpenid4vpAuthorizationRequestHeaderV1_3,
+  payload: zOpenid4vpAuthorizationRequestPayload,
+});
 export type AuthorizationResponse = z.infer<typeof AuthorizationResponse>;
 export const AuthorizationResponse = z.object({

package/src/credential/status/README.md CHANGED Viewed

@@ -111,15 +111,16 @@ const res = await wallet.CredentialStatus.statusList.get(
 );
 // Verify and parse the status list response to get the credential status
-const { status } =
+const { status, statusBit } =
   await wallet.CredentialStatus.statusList.verifyAndParse(
-    issuerConf,
+    issuerConf.keys,
     res
   );
 return {
   statusList: res.statusList,
   status,
+  statusBit,
 };
 ```

package/src/credential/status/api/status-list.ts CHANGED Viewed

@@ -1,8 +1,6 @@
 import type { Out } from "../../../utils/misc";
-import type {
-  CredentialFormat,
-  IssuerConfig,
-} from "../../../credential/issuance/api";
+import type { CredentialFormat } from "../../../credential/issuance/api";
+import type { JWK } from "../../../utils/jwk";
 export interface StatusListApi {
   isSupported: true;
@@ -22,6 +20,7 @@ export interface StatusListApi {
    * @since 1.3.3
    * @param credential The credential to get the status list for
    * @param format The credential format
+   * @param context.appFetch Optional fetch function to use for the network request
    * @returns The raw status list, the index of the credential and other metadata
    */
   get(
@@ -40,11 +39,15 @@ export interface StatusListApi {
   /**
    * Verifies the signature of a status list and extract the status at the specified index.
    * @since 1.3.3
-   * @param issuerConf The Credential Issuer common configuration
+   * @param keys The JSON Web Key Set to verify the status list signature
    * @param statusListParams The raw status list, the index to read and other metadata
+   * @return The status of the credential and the raw status bit in hexadecimal format (e.g. "0x01")
    */
   verifyAndParse(
-    issuerConf: IssuerConfig,
+    keys: JWK[],
     statusListParams: Out<StatusListApi["get"]>
-  ): Promise<{ status: number }>;
+  ): Promise<{
+    statusBit: string;
+    status: string;
+  }>;
 }