List of VPs

nuts-foundation · Nov 24, 2023 · bdd85e5 · bdd85e5
1 parent a906ea5
commit bdd85e5
Show file tree

Hide file tree

Showing 12 changed files with 389 additions and 256 deletions.
diff --git a/auth/api/iam/s2s_vptoken.go b/auth/api/iam/s2s_vptoken.go
@@ -62,7 +62,7 @@ func (s Wrapper) handleS2SAccessTokenRequest(issuer did.DID, params map[string]s
 		}
 	}
 
-	// Unmarshal VP, which can be in URL-encoded JSON(LD) or JWT format
+	// Unmarshal VP, which can be in URL-encoded JSON(LD) or JWT format.
 	assertionDecoded, err := url.QueryUnescape(assertionEncoded)
 	if err != nil {
 		return nil, oauth.OAuth2Error{
@@ -71,12 +71,11 @@ func (s Wrapper) handleS2SAccessTokenRequest(issuer did.DID, params map[string]s
 			InternalError: err,
 		}
 	}
-	vp, err := vc.ParseVerifiablePresentation(assertionDecoded)
+	pexEnvelope, err := pe.ParseEnvelope([]byte(assertionDecoded))
 	if err != nil {
 		return nil, oauth.OAuth2Error{
-			Code:          oauth.InvalidRequest,
-			Description:   "assertion parameter is invalid",
-			InternalError: err,
+			Code:        oauth.InvalidRequest,
+			Description: "assertion parameter is invalid: " + err.Error(),
 		}
 	}
 
@@ -98,38 +97,50 @@ func (s Wrapper) handleS2SAccessTokenRequest(issuer did.DID, params map[string]s
 		}
 	}
 
-	err = credential.VerifyPresenterIsCredentialSubject(*vp)
-	if err != nil {
-		return nil, oauth.OAuth2Error{
-			Code:        oauth.InvalidRequest,
-			Description: "verifiable presentation is invalid: " + err.Error(),
+	for _, presentation := range pexEnvelope.Presentations {
+		err = credential.VerifyPresenterIsCredentialSubject(presentation)
+		if err != nil {
+			return nil, oauth.OAuth2Error{
+				Code:        oauth.InvalidRequest,
+				Description: fmt.Sprintf("verifiable presentation is invalid: %s", err.Error()),
+			}
 		}
 	}
 
 	// Validate the presentation submission:
 	// 1. Resolve presentation definition for the requested scope
-	// 2. Check submission against presentation and defunition
-	presentationDefinition := s.auth.PresentationDefinitions().ByScope(scope)
-	if presentationDefinition == nil {
+	// 2. Check submission against presentation and definition
+	definition := s.auth.PresentationDefinitions().ByScope(scope)
+	if definition == nil {
 		return nil, oauth.OAuth2Error{
 			Code:        oauth.InvalidScope,
 			Description: fmt.Sprintf("unsupported scope for presentation exchange: %s", scope),
 		}
 	}
 
-	// TODO: Call PresentationSubmission.Validate() after it has been merged
-
-	// Check signatures and VC issuer trust
-	_, err = s.vcr.Verifier().VerifyVP(*vp, true, false, nil)
+	_, err = submission.Validate(*pexEnvelope, *definition)
 	if err != nil {
 		return nil, oauth.OAuth2Error{
 			Code:          oauth.InvalidRequest,
-			Description:   "verifiable presentation is invalid",
+			Description:   "presentation submission does not conform to Presentation Definition",
 			InternalError: err,
 		}
 	}
+
+	// Check signatures of VP and VCs. Trust should be established by the Presentation Definition.
+	for _, presentation := range pexEnvelope.Presentations {
+		_, err = s.vcr.Verifier().VerifyVP(presentation, true, true, nil)
+		if err != nil {
+			return nil, oauth.OAuth2Error{
+				Code:          oauth.InvalidRequest,
+				Description:   "verifiable presentation is invalid",
+				InternalError: err,
+			}
+		}
+	}
+
 	// All OK, allow access
-	response, err := s.createAccessToken(issuer, time.Now(), []VerifiablePresentation{*vp}, scope)
+	response, err := s.createAccessToken(issuer, time.Now(), pexEnvelope.Presentations, *submission, *definition, scope)
 	if err != nil {
 		return nil, err
 	}
@@ -195,20 +206,19 @@ func (r Wrapper) RequestAccessToken(ctx context.Context, request RequestAccessTo
 	return RequestAccessToken200JSONResponse(*tokenResult), nil
 }
 
-func (r Wrapper) createAccessToken(issuer did.DID, issueTime time.Time, presentations []vc.VerifiablePresentation, scope string) (*oauth.TokenResponse, error) {
+func (r Wrapper) createAccessToken(issuer did.DID, issueTime time.Time, presentations []vc.VerifiablePresentation,
+	submission pe.PresentationSubmission, definition PresentationDefinition, scope string) (*oauth.TokenResponse, error) {
 	accessToken := AccessToken{
 		Token:  crypto.GenerateNonce(),
 		Issuer: issuer.String(),
 		// TODO: set ClientId
-		ClientId:   "",
-		IssuedAt:   issueTime,
-		Expiration: issueTime.Add(accessTokenValidity),
-		Scope:      scope,
-		// TODO: set values
-		InputDescriptorConstraintIdMap: nil,
-		VPToken:                        presentations,
-		PresentationDefinition:         nil,
-		PresentationSubmission:         nil,
+		ClientId:               "",
+		IssuedAt:               issueTime,
+		Expiration:             issueTime.Add(accessTokenValidity),
+		Scope:                  scope,
+		VPToken:                presentations,
+		PresentationDefinition: &definition,
+		PresentationSubmission: &submission,
 	}
 	err := r.s2sAccessTokenStore().Put(accessToken.Token, accessToken)
 	if err != nil {