Signed-off-by: Timo Glastra <[email protected]>
1 parent
785091b
commit 921d0db
Showing
8 changed files
with
200 additions
and
215 deletions.
@@ -30,7 +30,6 @@ | |
"@sphereon/did-auth-siop": "file:./sphereon-did-auth-siop-0.16.0.tgz" | ||
}, | ||
"patchedDependencies": { | ||
"@sphereon/did-auth-siop@file:sphereon-did-auth-siop-0.16.0.tgz": "patches/@[email protected]", | ||
"@credo-ts/[email protected]": "patches/@[email protected]", | ||
"@credo-ts/[email protected]": "patches/@[email protected]" | ||
} | ||
File renamed without changes.
File renamed without changes.
@@ -0,0 +1,67 @@ | ||
diff --git a/build/modules/sd-jwt-vc/SdJwtVcOptions.d.ts b/build/modules/sd-jwt-vc/SdJwtVcOptions.d.ts | ||
index de5fe62881d049c4030125e0a4cc8ca38de41be9..1c1a48e75f081f2f52bddd0a970544e7438c77f2 100644 | ||
--- a/build/modules/sd-jwt-vc/SdJwtVcOptions.d.ts | ||
+++ b/build/modules/sd-jwt-vc/SdJwtVcOptions.d.ts | ||
@@ -90,4 +90,5 @@ export type SdJwtVcVerifyOptions = { | ||
nonce: string; | ||
}; | ||
requiredClaimKeys?: Array<string>; | ||
+ verifyHs256Callback?: (key: Key, data: Uint8Array, signatureBase64Url: string) => Promise<string> | ||
}; | ||
diff --git a/build/modules/sd-jwt-vc/SdJwtVcService.js b/build/modules/sd-jwt-vc/SdJwtVcService.js | ||
index add911d9570edcad9945c4819bfc56cf6f715201..90f49bad702beb85194a0a7895dc9a9f8ad66b8c 100644 | ||
--- a/build/modules/sd-jwt-vc/SdJwtVcService.js | ||
+++ b/build/modules/sd-jwt-vc/SdJwtVcService.js | ||
@@ -112,7 +112,7 @@ let SdJwtVcService = class SdJwtVcService { | ||
throw new SdJwtVcError_1.SdJwtVcError(`The 'iss' claim in the payload does not match a 'SAN-URI' name and the domain extracted from the HTTPS URI does not match a 'SAN-DNS' name in the x5c certificate.`); | ||
} | ||
} | ||
- async verify(agentContext, { compactSdJwtVc, keyBinding, requiredClaimKeys }) { | ||
+ async verify(agentContext, { compactSdJwtVc, keyBinding, requiredClaimKeys, verifyHs256Callback }) { | ||
const sdjwt = new sd_jwt_vc_1.SDJwtVcInstance(this.getBaseSdJwtConfig(agentContext)); | ||
const verificationResult = { | ||
isValid: false, | ||
@@ -142,7 +142,7 @@ let SdJwtVcService = class SdJwtVcService { | ||
const holderBinding = this.parseHolderBindingFromCredential(sdJwtVc); | ||
const holder = holderBinding ? await this.extractKeyFromHolderBinding(agentContext, holderBinding) : undefined; | ||
sdjwt.config({ | ||
- verifier: this.verifier(agentContext, issuer.key), | ||
+ verifier: this.verifier(agentContext, issuer.key, verifyHs256Callback), | ||
kbVerifier: holder ? this.verifier(agentContext, holder.key) : undefined, | ||
}); | ||
const requiredKeys = requiredClaimKeys ? [...requiredClaimKeys, 'vct'] : ['vct']; | ||
@@ -261,10 +261,19 @@ let SdJwtVcService = class SdJwtVcService { | ||
/** | ||
* @todo validate the JWT header (alg) | ||
*/ | ||
- verifier(agentContext, key) { | ||
+ verifier(agentContext, key, verifyHs256Callback) { | ||
return async (message, signatureBase64Url) => { | ||
- if (!key) { | ||
- throw new SdJwtVcError_1.SdJwtVcError('The public key used to verify the signature is missing'); | ||
+ if (!key && !verifyHs256Callback) { | ||
+ throw new SdJwtVcError_1.SdJwtVcError('The public key, or verifyHs256Callback, used to verify the signature is missing'); | ||
+ } | ||
+ | ||
+ const [header] = message.split(".") | ||
+ if(header) { | ||
+ const parsedHeader = utils_2.TypedArrayEncoder.fromBase64(header).toString() | ||
+ const { alg } = JSON.parse(parsedHeader) | ||
+ if(alg === "DVS-P256-SHA256-HS256") { | ||
+ return await verifyHs256Callback(key, new Uint8Array(utils_2.TypedArrayEncoder.fromString(message)), signatureBase64Url) | ||
+ } | ||
} | ||
return await agentContext.wallet.verify({ | ||
signature: utils_2.TypedArrayEncoder.fromBase64(signatureBase64Url), | ||
@@ -373,6 +382,11 @@ let SdJwtVcService = class SdJwtVcService { | ||
didUrl, | ||
}; | ||
} | ||
+ if(iss.startsWith('http')) { | ||
+ return { | ||
+ method: 'http' | ||
+ } | ||
+ } | ||
throw new SdJwtVcError_1.SdJwtVcError("Unsupported 'iss' value. Only did is supported at the moment."); | ||
} | ||
parseHolderBindingFromCredential(sdJwtVc) { |
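Review bot: The relaxed guard `if (!key && !verifyHs256Callback)` in `verifier()` no longer ensures that each verification path has its own prerequisite: a header whose `alg` is anything other than `DVS-P256-SHA256-HS256` falls through to `agentContext.wallet.verify` with `key` undefined whenever only the callback was supplied, while a `DVS-P256-SHA256-HS256` header with no callback configured dies as a bare TypeError on `verifyHs256Callback(...)` rather than an `SdJwtVcError`, and `JSON.parse(parsedHeader)` on a malformed header surfaces as a raw SyntaxError. Since `alg` is read from the unauthenticated header, each branch should check what it needs: `if (!verifyHs256Callback) throw new SdJwtVcError_1.SdJwtVcError('DVS-P256-SHA256-HS256 requires a verifyHs256Callback')` inside the DVS branch, and `if (!key) throw new SdJwtVcError_1.SdJwtVcError('The public key used to verify the signature is missing')` restored in front of the `wallet.verify` call. The new `iss.startsWith('http')` branch accepts plain `http://` issuers (and any value that merely begins with `http`) although the x5c/SAN check earlier in this file speaks of the HTTPS URI, so it should be `iss.startsWith('https://')`, and the "Unsupported 'iss' value" message on the following line, which still says only did is supported, is now stale. The callback type added to SdJwtVcOptions.d.ts returns `Promise<string>` whereas the same callback in OpenId4VcSiopVerifierServiceOptions.d.ts in this commit is declared as `Promise<boolean>`; one of the two declarations is wrong. `verifier()` and the `iss`-parsing method both continue outside the hunk.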
This file was deleted.
@@ -0,0 +1,73 @@ | ||
diff --git a/build/openid4vc-verifier/OpenId4VcSiopVerifierService.js b/build/openid4vc-verifier/OpenId4VcSiopVerifierService.js | ||
index 1d35b8285d451933101b686de77cfe8780976516..cce871816074d5c0eb7fdab994a88afb67b99dad 100644 | ||
--- a/build/openid4vc-verifier/OpenId4VcSiopVerifierService.js | ||
+++ b/build/openid4vc-verifier/OpenId4VcSiopVerifierService.js | ||
@@ -107,6 +107,7 @@ let OpenId4VcSiopVerifierService = class OpenId4VcSiopVerifierService { | ||
state, | ||
requestByReferenceURI: hostedAuthorizationRequestUri, | ||
jwtIssuer, | ||
+ additionalPayloadClaims: options.additionalPayloadClaims | ||
}); | ||
// NOTE: it's not possible to set the uri scheme when using the RP to create an auth request, only lower level | ||
// functions allow this. So we need to replace the uri scheme manually. | ||
@@ -363,6 +364,7 @@ let OpenId4VcSiopVerifierService = class OpenId4VcSiopVerifierService { | ||
audience: options.audience, | ||
nonce: options.nonce, | ||
}, | ||
+ verifyHs256Callback: options.verifyHs256Callback | ||
}); | ||
isValid = verificationResult.verification.isValid; | ||
} | ||
diff --git a/build/openid4vc-verifier/OpenId4VcSiopVerifierServiceOptions.d.ts b/build/openid4vc-verifier/OpenId4VcSiopVerifierServiceOptions.d.ts | ||
index 5abfb1bc5710849f656085593c77f3ab3898e4b7..b0bd7238fe142f47bb6526d3cb01ba97b98b16e8 100644 | ||
--- a/build/openid4vc-verifier/OpenId4VcSiopVerifierServiceOptions.d.ts | ||
+++ b/build/openid4vc-verifier/OpenId4VcSiopVerifierServiceOptions.d.ts | ||
@@ -18,12 +18,15 @@ export interface OpenId4VcSiopCreateAuthorizationRequestOptions { | ||
presentationExchange?: { | ||
definition: DifPresentationExchangeDefinitionV2; | ||
}; | ||
+ | ||
+ additionalPayloadClaims?: Record<string, unknown> | ||
} | ||
export interface OpenId4VcSiopVerifyAuthorizationResponseOptions { | ||
/** | ||
* The authorization response received from the OpenID Provider (OP). | ||
*/ | ||
authorizationResponse: OpenId4VcSiopAuthorizationResponsePayload; | ||
+ verifyHs256Callback?: (key: Key, data: Uint8Array, signatureInBase64url: string) => Promise<boolean> | ||
} | ||
export interface OpenId4VcSiopCreateAuthorizationRequestReturn { | ||
authorizationRequest: string; | ||
diff --git a/build/openid4vc-verifier/router/authorizationEndpoint.js b/build/openid4vc-verifier/router/authorizationEndpoint.js | ||
index a523a1e668863929f49b50fea6786e42955e5149..b9430b6ac375640d9a78c82e4cd334cf90e0483b 100644 | ||
--- a/build/openid4vc-verifier/router/authorizationEndpoint.js | ||
+++ b/build/openid4vc-verifier/router/authorizationEndpoint.js | ||
@@ -3,6 +3,7 @@ Object.defineProperty(exports, "__esModule", { value: true }); | ||
exports.configureAuthorizationEndpoint = configureAuthorizationEndpoint; | ||
const router_1 = require("../../shared/router"); | ||
const OpenId4VcSiopVerifierService_1 = require("../OpenId4VcSiopVerifierService"); | ||
+const core_1 = require("@credo-ts/core"); | ||
function configureAuthorizationEndpoint(router, config) { | ||
router.post(config.endpointPath, async (request, response, next) => { | ||
const { agentContext, verifier } = (0, router_1.getRequestContext)(request); | ||
@@ -16,6 +17,12 @@ function configureAuthorizationEndpoint(router, config) { | ||
authorizationResponse, | ||
verifierId: verifier.verifierId, | ||
}); | ||
+ let verifyHs256Callback = undefined | ||
+ const parsedAuthorizationRequest = core_1.Jwt.fromSerializedJwt(verificationSession.authorizationRequestJwt) | ||
+ const rpEphPub = parsedAuthorizationRequest.payload.additionalClaims.rp_eph_pub | ||
+ if(rpEphPub !== null && rpEphPub !== void 0) { | ||
+ verifyHs256Callback = config.verifyHs256Callback(agentContext, rpEphPub.jwk) | ||
+ } | ||
if (!verificationSession) { | ||
agentContext.config.logger.warn(`No verification session found for incoming authorization response for verifier ${verifier.verifierId}`); | ||
return (0, router_1.sendErrorResponse)(response, agentContext.config.logger, 404, 'invalid_request', null); | ||
@@ -23,6 +30,7 @@ function configureAuthorizationEndpoint(router, config) { | ||
await openId4VcVerifierService.verifyAuthorizationResponse(agentContext, { | ||
authorizationResponse: request.body, | ||
verificationSession, | ||
+ verifyHs256Callback: verifyHs256Callback | ||
}); | ||
response.status(200).send(); | ||
} |
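Review bot: In authorizationEndpoint.js the added block dereferences `verificationSession.authorizationRequestJwt` before the `if (!verificationSession)` guard that immediately follows it, so a response for an unknown session now raises an uncaught TypeError instead of the intended 404 `invalid_request`; move the six added lines below that guard. The lookup `parsedAuthorizationRequest.payload.additionalClaims.rp_eph_pub` also assumes `additionalClaims` is always present — if it can be undefined, `const rpEphPub = parsedAuthorizationRequest.payload.additionalClaims?.rp_eph_pub` is the safer form — and `config.verifyHs256Callback(...)` is invoked without checking that the endpoint config actually supplies it, which I cannot confirm from this hunk. The `additionalPayloadClaims?: Record<string, unknown>` passed straight into the authorization request can carry any claim name; unless the underlying RP builder applies it before the protocol claims, a caller could override `nonce`, `state` or `client_id`, so either document that reserved claims must not be included or filter them out — the merge order is not visible here. The handler's body continues past the hunk.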