nonce expiration verification

Signed-off-by: Timo Glastra <[email protected]>
openwallet-foundation-labs · Nov 6, 2024 · 25c69c5 · 25c69c5
1 parent fbe5b7f
commit 25c69c5
Show file tree

Hide file tree

Showing 7 changed files with 37 additions and 4 deletions.
diff --git a/packages/oid4vci/src/Oid4vciClient.ts b/packages/oid4vci/src/Oid4vciClient.ts
@@ -27,10 +27,10 @@ import {
   type CreateCredentialRequestJwtProofOptions,
   createCredentialRequestJwtProof,
 } from './formats/proof-type/jwt/jwt-proof-type'
-import { type IssuerMetadataResult, resolveIssuerMetadata } from './metadata/fetch-issuer-metadata'
-import { type SendNotifcationOptions, sendNotifcation } from './notification/notification'
 import { extractKnownCredentialConfigurationSupportedFormats } from './metadata/credential-issuer/credential-issuer-metadata'
 import type { CredentialIssuerMetadata } from './metadata/credential-issuer/v-credential-issuer-metadata'
+import { type IssuerMetadataResult, resolveIssuerMetadata } from './metadata/fetch-issuer-metadata'
+import { type SendNotifcationOptions, sendNotifcation } from './notification/notification'
 
 export enum AuthorizationFlow {
   Oauth2Redirect = 'Oauth2Redirect',

diff --git a/packages/oid4vci/src/Oid4vciIssuer.ts b/packages/oid4vci/src/Oid4vciIssuer.ts
@@ -76,7 +76,10 @@ export class Oid4vciIssuer {
   }
 
   public async verifyCredentialRequestJwtProof(
-    options: Pick<VerifyCredentialRequestJwtProofOptions, 'clientId' | 'jwt' | 'now' | 'expectedNonce'> & {
+    options: Pick<
+      VerifyCredentialRequestJwtProofOptions,
+      'clientId' | 'jwt' | 'now' | 'expectedNonce' | 'nonceExpiresAt'
+    > & {
       issuerMetadata: IssuerMetadataResult
     }
   ) {

diff --git a/packages/oid4vci/src/__tests__/Oid4vciIssuer.test.ts b/packages/oid4vci/src/__tests__/Oid4vciIssuer.test.ts
@@ -181,12 +181,14 @@ describe('Oid4vciIssuer', () => {
       cNonce: 'some-new-nonce',
       cNonceExpiresInSeconds: 500,
       credential: 'the-credential',
+      credentialRequest: parsedCredentialRequest,
     })
 
     expect(credentialResponse).toEqual({
       c_nonce: 'some-new-nonce',
       c_nonce_expires_in: 500,
       credential: 'the-credential',
+      format: 'vc+sd-jwt',
     })
   })
 })
diff --git a/packages/oid4vci/src/credential-offer/credential-offer.ts b/packages/oid4vci/src/credential-offer/credential-offer.ts
@@ -197,6 +197,12 @@ export async function createCredentialOffer(options: CreateCredentialOfferOption
       'pre-authorized_code':
         preAuthorizedCodeGrant['pre-authorized_code'] ?? encodeToBase64Url(await options.callbacks.generateRandom(32)),
     }
+
+    // Draft 11 support
+    const txCode = grants[preAuthorizedCodeGrantIdentifier].tx_code
+    if (txCode && options.issuerMetadata.credentialIssuer.originalDraftVersion === Oid4vciDraftVersion.Draft11) {
+      grants[preAuthorizedCodeGrantIdentifier].user_pin_required = txCode !== undefined
+    }
   }
 
   const idsNotInMetadata = options.credentialConfigurationIds.filter(
@@ -216,6 +222,7 @@ export async function createCredentialOffer(options: CreateCredentialOfferOption
     ...options.additionalPayload,
   } satisfies CredentialOfferObject)
 
+  // Draft 11 support
   if (options.issuerMetadata.credentialIssuer.originalDraftVersion === Oid4vciDraftVersion.Draft11) {
     credentialOfferObject.credentials = credentialOfferObject.credential_configuration_ids
   }

diff --git a/packages/oid4vci/src/credential-request/credential-response.ts b/packages/oid4vci/src/credential-request/credential-response.ts
@@ -1,7 +1,10 @@
 import { parseWithErrorHandling } from '@animo-id/oauth2-utils'
+import type { ParseCredentialRequestReturn } from './parse-credential-request'
 import { type CredentialResponse, vCredentialResponse } from './v-credential-response'
 
 export interface CreateCredentialResponseOptions {
+  credentialRequest: ParseCredentialRequestReturn
+
   credential?: CredentialResponse['credential']
   credentials?: CredentialResponse['credentials']
 
@@ -23,6 +26,10 @@ export function createCredentialResponse(options: CreateCredentialResponseOption
     credential: options.credential,
     credentials: options.credentials,
     notification_id: options.notificationId,
+
+    // NOTE `format` is removed in draft 13. For now if a format was requested
+    // we just always return it in the response as well.
+    format: options.credentialRequest.format?.format,
     ...options.additionalPayload,
   } satisfies CredentialResponse)
 

diff --git a/packages/oid4vci/src/formats/proof-type/jwt/jwt-proof-type.ts b/packages/oid4vci/src/formats/proof-type/jwt/jwt-proof-type.ts
@@ -7,6 +7,7 @@ import {
 } from './v-jwt-proof-type'
 
 import { type CallbackContext, jwtSignerFromJwt, verifyJwt } from '@animo-id/oauth2'
+import { Oid4vciError } from '../../../error/Oid4vcError'
 
 export interface CreateCredentialRequestJwtProofOptions {
   /**
@@ -61,10 +62,14 @@ export interface VerifyCredentialRequestJwtProofOptions {
 
   /**
    * Expected nonce. Should be a c_nonce previously shared with the wallet
-   * @todo: cNonceExpiresAt?
    */
   expectedNonce: string
 
+  /**
+   * Date at which the nonce will expire
+   */
+  nonceExpiresAt?: Date
+
   /**
    * The credential issuer identifier, will be matched against the `aud` claim.
    */
@@ -93,6 +98,11 @@ export async function verifyCredentialRequestJwtProof(options: VerifyCredentialR
     payloadSchema: vCredentialRequestJwtProofTypePayload,
   })
 
+  const now = options.now?.getTime() ?? Date.now()
+  if (options.nonceExpiresAt && now > options.nonceExpiresAt.getTime()) {
+    throw new Oid4vciError('Nonce used for credential request proof expired')
+  }
+
   const signer = jwtSignerFromJwt({ header, payload })
   await verifyJwt({
     compact: options.jwt,

diff --git a/packages/oid4vci/tests/full-flow.test.ts b/packages/oid4vci/tests/full-flow.test.ts
@@ -324,6 +324,7 @@ describe('Full E2E test', () => {
           cNonce: 'd9457e7c-4cf7-461c-a8d0-94221ba865e7',
           cNonceExpiresInSeconds: 500,
           notificationId: '3b926f09-d603-4e8b-a75d-eaa8965f0fe3',
+          credentialRequest: parsedCredentialRequest,
         })
 
         return HttpResponse.json(credentialResponse)
@@ -405,6 +406,7 @@ describe('Full E2E test', () => {
       c_nonce_expires_in: 500,
       credential: 'some-credential',
       notification_id: '3b926f09-d603-4e8b-a75d-eaa8965f0fe3',
+      format: 'vc+sd-jwt',
     })
   })
 
@@ -637,6 +639,7 @@ describe('Full E2E test', () => {
           cNonce: 'd9457e7c-4cf7-461c-a8d0-94221ba865e7',
           cNonceExpiresInSeconds: 500,
           notificationId: '3b926f09-d603-4e8b-a75d-eaa8965f0fe3',
+          credentialRequest: parsedCredentialRequest,
         })
 
         return HttpResponse.json(credentialResponse)
@@ -744,6 +747,7 @@ describe('Full E2E test', () => {
       c_nonce_expires_in: 500,
       credential: 'some-credential',
       notification_id: '3b926f09-d603-4e8b-a75d-eaa8965f0fe3',
+      format: 'vc+sd-jwt',
     })
   })
 })