Skip to content
This repository has been archived by the owner on Oct 2, 2024. It is now read-only.

Commit

Permalink
chore: added additional checks for verifier_attestation scheme
Browse files Browse the repository at this point in the history
  • Loading branch information
sksadjad committed Apr 22, 2024
1 parent a7c4895 commit 5620d1a
Show file tree
Hide file tree
Showing 2 changed files with 30 additions and 1 deletion.
29 changes: 29 additions & 0 deletions src/authorization-request/AuthorizationRequest.ts
Original file line number Diff line number Diff line change
Expand Up @@ -261,6 +261,16 @@ export class AuthorizationRequest {
* ensures that the JWT's 'sub' claim matches the provided clientId, and it extracts and validates the
* public key from the JWT's 'cnf' (confirmation) claim, which must contain a JWK.
*
* An example of such request would be:
* GET /authorize?
* response_type=vp_token
* &client_id=https%3A%2F%2Fverifier.example.org
* &client_id_scheme=verifier_attestation
* &redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb
* &presentation_definition=...
* &nonce=n-0S6_WzA2Mj
* &jwt=eyJ...abc
*
* @param jwt The JSON Web Token string to be verified. It is expected that this JWT is formatted correctly
* and includes a 'cnf' claim with a JWK representing the public key used for signing the JWT.
* @param clientId The client identifier expected to match the 'sub' claim in the JWT. This is used to
Expand All @@ -271,6 +281,7 @@ export class AuthorizationRequest {
throw new Error(SIOPErrors.NO_JWT);
}
const payload = decodeJWT(jwt);
AuthorizationRequest.checkPayloadClaims(payload, ['iss', 'sub', 'exp', 'cnf']);
const sub = payload['sub'];
const cnf = payload['cnf'];

Expand All @@ -288,6 +299,16 @@ export class AuthorizationRequest {

/**
* verifying JWTs against X.509 certificates focusing on DNS SAN compliance, which is crucial for environments where certificate-based security is pivotal.
*
* An example of such request would be:
* GET /authorize?
* response_type=vp_token
* &client_id=client.example.org
* &client_id_scheme=x509_san_dns
* &redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb
* &presentation_definition=...
* &nonce=n-0S6_WzA2Mj
*
* @param jwt The encoded JWT from which the certificate needs to be extracted.
* @param clientId The DNS name to match against the certificate's SANs.
*/
Expand Down Expand Up @@ -317,6 +338,14 @@ export class AuthorizationRequest {
}
}

private static checkPayloadClaims(payload: JWTDecoded, requiredClaims: string[]): void {
requiredClaims.forEach((claim) => {
if (payload[claim] === undefined) {
throw new Error(`Payload is missing ${claim}`);
}
});
}

public async containsResponseType(singleType: ResponseType | string): Promise<boolean> {
const responseType: string = await this.getMergedProperty('response_type');
return responseType?.includes(singleType) === true;
Expand Down
2 changes: 1 addition & 1 deletion src/types/JWT.types.ts
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,7 @@ export interface JWTPayload {
exp?: number;
rexp?: number;
jti?: string;

cnf?: string;
// eslint-disable-next-line @typescript-eslint/no-explicit-any
[x: string]: any;
}
Expand Down

0 comments on commit 5620d1a

Please sign in to comment.